On Mon, May 10, 2010 at 06:10:02PM -0400, Jerry Geis wrote:
> I have a CentOS box with 3 NICs. eth0 is internal, eth1 is T1 data and eth2 is cable data.
> Everything is working on eth2 cable. External NAT is working just fine for eth2.
> However external address 74.x.x.x on eth1 is not working.
>
> Below is my iptables information.
>
> I set up eth1 same as eth2 just a different IP address of course. What did I miss that
> eth1 and NAT is not working?
>
> Just looking for both public IPs incoming to NAT to the correct IP address. Only 1 is working at this time.
>
> Thanks,
>
> Jerry
>
> ---------------
>
> Chain INPUT (policy ACCEPT)
> target               prot opt source      destination
> RH-Firewall-1-INPUT  all  --  0.0.0.0/0   0.0.0.0/0
>
> Chain FORWARD (policy ACCEPT)
> target               prot opt source      destination
> RH-Firewall-1-INPUT  all  --  0.0.0.0/0   0.0.0.0/0
>
> Chain OUTPUT (policy ACCEPT)
> target               prot opt source      destination
>
> Chain RH-Firewall-1-INPUT (2 references)
> target  prot opt source      destination
> ACCEPT  all  --  0.0.0.0/0   0.0.0.0/0
> ACCEPT  all  --  0.0.0.0/0   0.0.0.0/0
> ACCEPT  all  --  0.0.0.0/0   0.0.0.0/0
> ACCEPT  icmp --  0.0.0.0/0   0.0.0.0/0    icmp type 255
> ACCEPT  esp  --  0.0.0.0/0   0.0.0.0/0
> ACCEPT  ah   --  0.0.0.0/0   0.0.0.0/0
> ACCEPT  udp  --  0.0.0.0/0   224.0.0.251  udp dpt:5353
> ACCEPT  udp  --  0.0.0.0/0   0.0.0.0/0    udp dpt:631
> ACCEPT  tcp  --  0.0.0.0/0   0.0.0.0/0    tcp dpt:631
> ACCEPT  all  --  0.0.0.0/0   0.0.0.0/0    state RELATED,ESTABLISHED
> ACCEPT  tcp  --  0.0.0.0/0   0.0.0.0/0    state NEW tcp dpt:25
> ACCEPT  tcp  --  0.0.0.0/0   0.0.0.0/0    state NEW tcp dpt:22
> ACCEPT  tcp  --  0.0.0.0/0   0.0.0.0/0    state NEW tcp dpt:80
> REJECT  all  --  0.0.0.0/0   0.0.0.0/0    reject-with icmp-host-prohibited
>
>
> Chain PREROUTING (policy ACCEPT)
> target  prot opt source      destination
> DNAT    tcp  --  0.0.0.0/0   24.123.23.170  tcp dpt:22 to:192.168.1.209:22
> DNAT    tcp  --  0.0.0.0/0   24.123.23.170  tcp dpt:25 to:192.168.1.209:25
> DNAT    tcp  --  0.0.0.0/0   24.123.23.170  tcp dpt:80 to:192.168.1.209:80
> DNAT    tcp  --  0.0.0.0/0   74.223.8.179   tcp dpt:22 to:192.168.1.58:22
> DNAT    tcp  --  0.0.0.0/0   74.223.8.179   tcp dpt:25 to:192.168.1.58:25
> DNAT    tcp  --  0.0.0.0/0   74.223.8.179   tcp dpt:80 to:192.168.1.58:80
>
>
> Chain POSTROUTING (policy ACCEPT)
> target  prot opt source          destination
> SNAT    all  --  192.168.1.0/24  0.0.0.0/0      to:24.123.23.170
> SNAT    all  --  0.0.0.0/0       192.168.1.209  to:192.168.1.1
> SNAT    all  --  0.0.0.0/0       192.168.1.209  to:192.168.1.1
> SNAT    all  --  0.0.0.0/0       192.168.1.209  to:192.168.1.1
> SNAT    all  --  0.0.0.0/0       192.168.1.209  to:192.168.1.1
> SNAT    all  --  0.0.0.0/0       192.168.1.209  to:192.168.1.1
> SNAT    all  --  0.0.0.0/0       192.168.1.209  to:192.168.1.1
> SNAT    all  --  0.0.0.0/0       192.168.1.58   to:192.168.1.1
> SNAT    all  --  0.0.0.0/0       192.168.1.58   to:192.168.1.1
> SNAT    all  --  0.0.0.0/0       192.168.1.58   to:192.168.1.1
> SNAT    all  --  0.0.0.0/0       192.168.1.58   to:192.168.1.1
> SNAT    all  --  0.0.0.0/0       192.168.1.58   to:192.168.1.1
> SNAT    all  --  0.0.0.0/0       192.168.1.58   to:192.168.1.1
>
>
> Chain OUTPUT (policy ACCEPT)
> target  prot opt source          destination
> Kernel IP routing table
> Destination    Gateway        Genmask          Flags Metric Ref Use Iface
> 24.123.23.168  0.0.0.0        255.255.255.248  U     0      0   0   eth2
> 74.223.8.176   0.0.0.0        255.255.255.240  U     0      0   0   eth1
> 192.168.1.0    0.0.0.0        255.255.255.0    U     0      0   0   eth0
> 169.254.0.0    0.0.0.0        255.255.0.0      U     0      0   0   eth2
> 0.0.0.0        24.123.23.169  0.0.0.0          UG    0      0   0   eth2

You need to make source routing on 74.223.8.176 and eth1. Please, read
this:

http://linux-ip.net/html/adv-multi-internet.html

-- 
Dominik Zyla
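
The routing table in the post has a single default route via eth2, so replies to connections that came in on eth1 leave through the cable link. The script below is an added example, not part of the original thread: it combines the source-address rule suggested in the reply with connection marking (a swapped-in technique) for the forwarded DNAT traffic. The gateway placeholder, table number 100 and mark 1 are assumptions; the addresses and interfaces are those shown in the post.

```shell
#!/bin/sh
# Added example (not from the thread): send replies back out the uplink
# their connection arrived on. "(post)" marks values taken from the thread.
T1_IF=eth1                 # (post) T1 interface
T1_NET=74.223.8.176/28     # (post) connected network on eth1
T1_IP=74.223.8.179         # (post) public address in the DNAT rules
LAN_IF=eth0                # (post) internal interface
T1_GW=${T1_GW:-T1_GATEWAY_PLACEHOLDER}  # assumption: next hop on eth1, not in the post
TABLE=100                  # assumption: unused routing table number
MARK=1                     # assumption: unused firewall mark

# Print the commands in the order they would be applied.
# - "from $T1_IP" covers packets the router itself sends from that address.
# - The fwmark rule covers forwarded replies from the DNAT targets: when the
#   route is chosen they still carry the internal source address, so the
#   connection is marked on arrival and the mark is restored on the way back.
policy_routing_cmds() {
    cat <<EOF
ip route add $T1_NET dev $T1_IF table $TABLE
ip route add default via $T1_GW dev $T1_IF table $TABLE
ip rule add from $T1_IP lookup $TABLE
ip rule add fwmark $MARK lookup $TABLE
iptables -t mangle -A PREROUTING -i $T1_IF -m state --state NEW -j CONNMARK --set-mark $MARK
iptables -t mangle -A PREROUTING -i $LAN_IF -j CONNMARK --restore-mark
EOF
}

# Run the commands as root; refuses while the gateway is still a placeholder.
apply_policy_routing() {
    case $T1_GW in
        *PLACEHOLDER*) echo "set T1_GW to the eth1 gateway first" >&2; return 1 ;;
    esac
    policy_routing_cmds | sh -ex
}

# Default is a dry run that only prints; pass --apply to change the system.
if [ "${1:-}" = "--apply" ]; then
    apply_policy_routing
else
    policy_routing_cmds
fi
```

If reverse-path filtering is enabled for eth1 (net.ipv4.conf.eth1.rp_filter), packets arriving there can be dropped before any of these rules matter, because the main table's route back to the sender points out eth2.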