[CentOS] Host Machine and Iptables problem
Barry Brimer
lists at brimer.org
Tue May 1 07:03:52 UTC 2012
> Yes, I thought the same but my confusion is that I don't see any rules of
> PREROUTING and POSTROUTING in the /etc/sysconfig/iptables file.
>
> [root at VS01]# cat /etc/sysconfig/iptables
> # Firewall configuration written by system-config-firewall
> # Manual customization of this file is not recommended.
> *filter
> :INPUT ACCEPT [0:0]
> :FORWARD ACCEPT [0:0]
> :OUTPUT ACCEPT [0:0]
> -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
> -A INPUT -p icmp -j ACCEPT
> -A INPUT -i lo -j ACCEPT
> -A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
> -A INPUT -m state --state NEW -m udp -p udp --dport 631 -j ACCEPT
> -A INPUT -m state --state NEW -m udp -p udp --dport 5353 -d 224.0.0.251 -j
> ACCEPT
> -A INPUT -m state --state NEW -m tcp -p tcp --dport 631 -j ACCEPT
> -A INPUT -m state --state NEW -m udp -p udp --dport 631 -j ACCEPT
> -A INPUT -j REJECT --reject-with icmp-host-prohibited
> -A FORWARD -j REJECT --reject-with icmp-host-prohibited
> COMMIT
>
>
> But when I check the command iptables -L -t nat I can see the NAT rules
>
> [root at VS01]# iptables -L -t nat
> Chain PREROUTING (policy ACCEPT)
> target prot opt source destination
>
> Chain POSTROUTING (policy ACCEPT)
> target prot opt source destination
> MASQUERADE tcp -- 192.168.122.0/24 !192.168.122.0/24 masq ports:
> 1024-65535
> MASQUERADE udp -- 192.168.122.0/24 !192.168.122.0/24 masq ports:
> 1024-65535
> MASQUERADE all -- 192.168.122.0/24 !192.168.122.0/24
> MASQUERADE tcp -- 192.168.100.0/24 !192.168.100.0/24 masq ports:
> 1024-65535
> MASQUERADE udp -- 192.168.100.0/24 !192.168.100.0/24 masq ports:
> 1024-65535
> MASQUERADE all -- 192.168.100.0/24 !192.168.100.0/24
>
> Chain OUTPUT (policy ACCEPT)
> target prot opt source destination
>
> am I missing something?
Maybe .. do you have IPv4 forwarding enabled? What is the output of
"cat /proc/sys/net/ipv4/ip_forward" ?? If it is 0, then edit
/etc/sysctl.conf .. find net.ipv4.ip_forward .. set it to 1 and then run
(as root) sysctl -p
More information about the CentOS
mailing list