Hi Jerry, Just a general remark. When deploying a firewall, it is advisable to have (atleast for input, better for all) to have the general policy set to drop, and only allow in what you expect to be coming in. If you put a "-j log" line as a final line for each section, you'll see every packet you forgot about... Now the default is "allow", and only doing some SNAT and DNAT rules... hw -----Original Message----- From: centos-bounces at centos.org [mailto:centos-bounces at centos.org] On Behalf Of Jerry Geis Sent: Tuesday, May 11, 2010 12:10 AM To: CentOS ML Subject: [CentOS] setup firewall with 3 nic cards I have a centos box with 3 nics. eth0 is internal, eth1 is T1 data and eth2 is cable data. Everything is working on eth2 cable. External NAT is working just fine for eth2. However external address 74.x.x.x on eth1 is not working. Below is my iptables information. I setup eth1 same as eth2 just a different IP address of course. What did I miss that eth1 and NAT is not working? Just looking for both public IP's incoming to NAT to the correct IP address. Only 1 is working at this time. Thanks, Jerry --------------- Chain INPUT (policy ACCEPT) target prot opt source destination RH-Firewall-1-INPUT all -- 0.0.0.0/0 0.0.0.0/0 Chain FORWARD (policy ACCEPT) target prot opt source destination RH-Firewall-1-INPUT all -- 0.0.0.0/0 0.0.0.0/0 Chain OUTPUT (policy ACCEPT) target prot opt source destination Chain RH-Firewall-1-INPUT (2 references) target prot opt source destination ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0 icmp type 255 ACCEPT esp -- 0.0.0.0/0 0.0.0.0/0 ACCEPT ah -- 0.0.0.0/0 0.0.0.0/0 ACCEPT udp -- 0.0.0.0/0 224.0.0.251 udp dpt:5353 ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:631 ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:631 ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:25 ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:22 ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:80 REJECT all -- 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited Chain PREROUTING (policy ACCEPT) target prot opt source destination DNAT tcp -- 0.0.0.0/0 24.123.23.170 tcp dpt:22 to:192.168.1.209:22 DNAT tcp -- 0.0.0.0/0 24.123.23.170 tcp dpt:25 to:192.168.1.209:25 DNAT tcp -- 0.0.0.0/0 24.123.23.170 tcp dpt:80 to:192.168.1.209:80 DNAT tcp -- 0.0.0.0/0 74.223.8.179 tcp dpt:22 to:192.168.1.58:22 DNAT tcp -- 0.0.0.0/0 74.223.8.179 tcp dpt:25 to:192.168.1.58:25 DNAT tcp -- 0.0.0.0/0 74.223.8.179 tcp dpt:80 to:192.168.1.58:80 Chain POSTROUTING (policy ACCEPT) target prot opt source destination SNAT all -- 192.168.1.0/24 0.0.0.0/0 to:24.123.23.170 SNAT all -- 0.0.0.0/0 192.168.1.209 to:192.168.1.1 SNAT all -- 0.0.0.0/0 192.168.1.209 to:192.168.1.1 SNAT all -- 0.0.0.0/0 192.168.1.209 to:192.168.1.1 SNAT all -- 0.0.0.0/0 192.168.1.209 to:192.168.1.1 SNAT all -- 0.0.0.0/0 192.168.1.209 to:192.168.1.1 SNAT all -- 0.0.0.0/0 192.168.1.209 to:192.168.1.1 SNAT all -- 0.0.0.0/0 192.168.1.58 to:192.168.1.1 SNAT all -- 0.0.0.0/0 192.168.1.58 to:192.168.1.1 SNAT all -- 0.0.0.0/0 192.168.1.58 to:192.168.1.1 SNAT all -- 0.0.0.0/0 192.168.1.58 to:192.168.1.1 SNAT all -- 0.0.0.0/0 192.168.1.58 to:192.168.1.1 SNAT all -- 0.0.0.0/0 192.168.1.58 to:192.168.1.1 Chain OUTPUT (policy ACCEPT) target prot opt source destination Kernel IP routing table Destination Gateway Genmask Flags Metric Ref Use Iface 24.123.23.168 0.0.0.0 255.255.255.248 U 0 0 0 eth2 74.223.8.176 0.0.0.0 255.255.255.240 U 0 0 0 eth1 192.168.1.0 0.0.0.0 255.255.255.0 U 0 0 0 eth0 169.254.0.0 0.0.0.0 255.255.0.0 U 0 0 0 eth2 0.0.0.0 24.123.23.169 0.0.0.0 UG 0 0 0 eth2 _______________________________________________ CentOS mailing list CentOS at centos.org http://lists.centos.org/mailman/listinfo/centos ______________________________________________________________________ Dit bericht kan informatie bevatten die niet voor u is bestemd. Indien u niet de geadresseerde bent of dit bericht abusievelijk aan u is toegezonden, wordt u verzocht dat aan de afzender te melden en het bericht te verwijderen. De Staat aanvaardt geen aansprakelijkheid voor schade, van welke aard ook, die verband houdt met risico's verbonden aan het elektronisch verzenden van berichten. This message may contain information that is not intended for you. If you are not the addressee or if this message was sent to you by mistake, you are requested to inform the sender and delete the message. The State accepts no liability for damage of any kind resulting from the risks inherent in the electronic transmission of messages.