[CentOS] setup firewall with 3 nic cards
Dominik Zyla
gavroche at gavroche.pl
Mon May 10 22:27:40 UTC 2010
On Mon, May 10, 2010 at 06:10:02PM -0400, Jerry Geis wrote:
> I have a centos box with 3 nics. eth0 is internal, eth1 is T1 data and eth2 is cable data.
> Everything is working on eth2 cable. External NAT is working just fine for eth2.
> However external address 74.x.x.x on eth1 is not working.
>
> Below is my iptables information.
>
> I set up eth1 the same as eth2, just with a different IP address of course. What did I miss that
> eth1 and NAT are not working?
>
> Just looking for both public IPs incoming to NAT to the correct IP address. Only one is working at this time.
>
>
> Thanks,
>
> Jerry
>
> ---------------
>
> Chain INPUT (policy ACCEPT)
> target               prot opt source       destination
> RH-Firewall-1-INPUT  all  --  0.0.0.0/0    0.0.0.0/0
>
> Chain FORWARD (policy ACCEPT)
> target               prot opt source       destination
> RH-Firewall-1-INPUT  all  --  0.0.0.0/0    0.0.0.0/0
>
> Chain OUTPUT (policy ACCEPT)
> target               prot opt source       destination
>
> Chain RH-Firewall-1-INPUT (2 references)
> target     prot opt source       destination
> ACCEPT     all  --  0.0.0.0/0    0.0.0.0/0
> ACCEPT     all  --  0.0.0.0/0    0.0.0.0/0
> ACCEPT     all  --  0.0.0.0/0    0.0.0.0/0
> ACCEPT     icmp --  0.0.0.0/0    0.0.0.0/0    icmp type 255
> ACCEPT     esp  --  0.0.0.0/0    0.0.0.0/0
> ACCEPT     ah   --  0.0.0.0/0    0.0.0.0/0
> ACCEPT     udp  --  0.0.0.0/0    224.0.0.251  udp dpt:5353
> ACCEPT     udp  --  0.0.0.0/0    0.0.0.0/0    udp dpt:631
> ACCEPT     tcp  --  0.0.0.0/0    0.0.0.0/0    tcp dpt:631
> ACCEPT     all  --  0.0.0.0/0    0.0.0.0/0    state RELATED,ESTABLISHED
> ACCEPT     tcp  --  0.0.0.0/0    0.0.0.0/0    state NEW tcp dpt:25
> ACCEPT     tcp  --  0.0.0.0/0    0.0.0.0/0    state NEW tcp dpt:22
> ACCEPT     tcp  --  0.0.0.0/0    0.0.0.0/0    state NEW tcp dpt:80
> REJECT     all  --  0.0.0.0/0    0.0.0.0/0    reject-with icmp-host-prohibited
>
>
> Chain PREROUTING (policy ACCEPT)
> target     prot opt source          destination
> DNAT       tcp  --  0.0.0.0/0       24.123.23.170   tcp dpt:22 to:192.168.1.209:22
> DNAT       tcp  --  0.0.0.0/0       24.123.23.170   tcp dpt:25 to:192.168.1.209:25
> DNAT       tcp  --  0.0.0.0/0       24.123.23.170   tcp dpt:80 to:192.168.1.209:80
> DNAT       tcp  --  0.0.0.0/0       74.223.8.179    tcp dpt:22 to:192.168.1.58:22
> DNAT       tcp  --  0.0.0.0/0       74.223.8.179    tcp dpt:25 to:192.168.1.58:25
> DNAT       tcp  --  0.0.0.0/0       74.223.8.179    tcp dpt:80 to:192.168.1.58:80
>
>
> Chain POSTROUTING (policy ACCEPT)
> target     prot opt source          destination
> SNAT       all  --  192.168.1.0/24  0.0.0.0/0       to:24.123.23.170
> SNAT       all  --  0.0.0.0/0       192.168.1.209   to:192.168.1.1
> SNAT       all  --  0.0.0.0/0       192.168.1.209   to:192.168.1.1
> SNAT       all  --  0.0.0.0/0       192.168.1.209   to:192.168.1.1
> SNAT       all  --  0.0.0.0/0       192.168.1.209   to:192.168.1.1
> SNAT       all  --  0.0.0.0/0       192.168.1.209   to:192.168.1.1
> SNAT       all  --  0.0.0.0/0       192.168.1.209   to:192.168.1.1
> SNAT       all  --  0.0.0.0/0       192.168.1.58    to:192.168.1.1
> SNAT       all  --  0.0.0.0/0       192.168.1.58    to:192.168.1.1
> SNAT       all  --  0.0.0.0/0       192.168.1.58    to:192.168.1.1
> SNAT       all  --  0.0.0.0/0       192.168.1.58    to:192.168.1.1
> SNAT       all  --  0.0.0.0/0       192.168.1.58    to:192.168.1.1
> SNAT       all  --  0.0.0.0/0       192.168.1.58    to:192.168.1.1
>
>
> Chain OUTPUT (policy ACCEPT)
> target     prot opt source          destination
>
> Kernel IP routing table
> Destination     Gateway         Genmask          Flags Metric Ref    Use Iface
> 24.123.23.168   0.0.0.0         255.255.255.248  U     0      0        0 eth2
> 74.223.8.176    0.0.0.0         255.255.255.240  U     0      0        0 eth1
> 192.168.1.0     0.0.0.0         255.255.255.0    U     0      0        0 eth0
> 169.254.0.0     0.0.0.0         255.255.0.0      U     0      0        0 eth2
> 0.0.0.0         24.123.23.169   0.0.0.0          UG    0      0        0 eth2
You need to set up source routing for 74.223.8.176 on eth1. Please read
this: http://linux-ip.net/html/adv-multi-internet.html
--
Dominik Zyla
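What the source routing above looks like on this box, as an added example that is not part of the thread or of the linux-ip.net page. The posted routing table has a single default route via 24.123.23.169 on eth2, so a reply for the 74.223.8.179 services is un-NATed to a T1 source address and then handed to the cable gateway. The fix is a second routing table whose default route is the T1 gateway, selected by a rule for packets sourced from the eth1 block. One caveat the source rule alone does not cover: for the forwarded DNAT connections, the routing decision for the reply from 192.168.1.58 runs before nat POSTROUTING rewrites the source back to 74.223.8.179, so the reply still carries the LAN source and misses the rule. The usual answer is to mark connections that arrived on eth1 with CONNMARK and add an fwmark rule for the same table, which is what the second function emits. The T1 gateway (74.223.8.177), the table number (100) and the mark value (1) are assumptions, since none of them appears in the thread; the functions print the commands instead of running them, because applying them needs root and the real interfaces.

```shell
#!/bin/sh
# Added example, not from the thread: policy routing for the T1 uplink on
# eth1 plus connection marking so that replies to DNATed connections also
# leave via the T1 gateway.  Values marked ASSUMED are not in the thread.

T1_NET="74.223.8.176/28"      # from the posted routing table
T1_DEV="eth1"
T1_GW="74.223.8.177"          # ASSUMED: the T1 gateway was not posted
T1_TABLE="100"                # ASSUMED: any unused table id 1-252
T1_MARK="1"                   # ASSUMED: any unused fwmark value

# Routing side.  Printed rather than executed; apply as root with:
#   t1_route_cmds | sh
t1_route_cmds() {
    # connected route so the gateway resolves inside the new table
    printf 'ip route add %s dev %s table %s\n' "$T1_NET" "$T1_DEV" "$T1_TABLE"
    printf 'ip route add default via %s dev %s table %s\n' "$T1_GW" "$T1_DEV" "$T1_TABLE"
    # the router's own traffic from its eth1 address
    printf 'ip rule add from %s lookup %s\n' "$T1_NET" "$T1_TABLE"
    # forwarded replies whose source is still the LAN host at routing time
    printf 'ip rule add fwmark %s lookup %s\n' "$T1_MARK" "$T1_TABLE"
    printf 'ip route flush cache\n'
}

# Firewall side, in addition to the DNAT rules already posted.  mangle
# PREROUTING runs before the routing decision for every incoming packet,
# which is what lets the restored mark steer the reply.
t1_mark_cmds() {
    # give every packet of a known connection that connection's mark back
    printf 'iptables -t mangle -A PREROUTING -j CONNMARK --restore-mark\n'
    # new connections that entered on eth1: mark the packet and store it on the conntrack entry
    printf 'iptables -t mangle -A PREROUTING -i %s -m state --state NEW -j MARK --set-mark %s\n' "$T1_DEV" "$T1_MARK"
    printf 'iptables -t mangle -A PREROUTING -i %s -m state --state NEW -j CONNMARK --save-mark\n' "$T1_DEV"
}

# Persistence in the form CentOS initscripts read on ifup: each line of
# route-eth1 is passed to "ip route add", each line of rule-eth1 to
# "ip rule add".  $1 is the target directory (normally
# /etc/sysconfig/network-scripts); prints the two paths written.
write_persistent_files() {
    dir="$1"
    {
        printf '%s dev %s table %s\n' "$T1_NET" "$T1_DEV" "$T1_TABLE"
        printf 'default via %s dev %s table %s\n' "$T1_GW" "$T1_DEV" "$T1_TABLE"
    } > "$dir/route-$T1_DEV"
    {
        printf 'from %s lookup %s\n' "$T1_NET" "$T1_TABLE"
        printf 'fwmark %s lookup %s\n' "$T1_MARK" "$T1_TABLE"
    } > "$dir/rule-$T1_DEV"
    printf '%s/route-%s %s/rule-%s\n' "$dir" "$T1_DEV" "$dir" "$T1_DEV"
}
```

After applying, `ip rule show` should list both rules and `ip route show table 100` the two routes; `ip route get <some external address> from <the router's eth1 address>` should then report `dev eth1` via the assumed gateway. Save the mangle rules with `service iptables save` so they survive a restart alongside the DNAT rules. With strict reverse-path filtering on eth1 (rp_filter=1, the CentOS default), a SYN arriving on eth1 for a DNATed address can still be dropped as a martian on kernels whose reverse-path lookup ignores the fwmark; if `ip rule`/`ip route` look right but inbound connections on eth1 never reach the LAN host, check `net.ipv4.conf.eth1.rp_filter` and relax it for that interface.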