RE: Firewall / Internet Gateway Config Fails

From: Jason Staudenmayer (jasons_at_NJAQUARIUM.ORG)
Date: 08/10/03

    To: "'redhat-list@redhat.com'" <redhat-list@redhat.com>
    Date: Sun, 10 Aug 2003 09:26:44 -0400
    
    

    Yes and no. You need something to forward the packets through the gateway
    and at the same time, in this case, change the source address to something
    routable over the internet. That's what iptables does; it's a stateful
    packet filtering firewall. It takes the private IP address and wraps it up
    in the address of its internet address so it can be routed on the net. It's
    called Network Address Translation (NAT). There are a load of How-Tos on
    this: google "iptables nat".

    -----Original Message-----
    From: Ken Plumley [mailto:ken_plumley@yahoo.com]
    Sent: Saturday, August 09, 2003 6:42 PM
    To: redhat-list@redhat.com
    Subject: RE: Firewall / Internet Gateway Config Fails

    Jason,

    For testing only, if the firewall/gateway is
    configured correctly shouldn't the LAN clients be able
    to reach the internet without a firewall?

    I haven't worked with iptables, how do I add the rules
    to an existing rule set or build a new rule set?

    Ken

    --- Jason Staudenmayer <jasons@NJAQUARIUM.ORG> wrote:
    > Yeah the NAT table is in the iptables. Test these
    > rules:
    >
    > iptables -t nat -A POSTROUTING -s 192.168.1.0/255.255.255.0 -o eth1 -j SNAT --to-source outside_address
    > iptables -t nat -A POSTROUTING -s 192.168.1.0/255.255.255.0 -j MASQUERADE
    >
    > These should work.
    >
    >
    > -----Original Message-----
    > From: Ken Plumley [mailto:ken_plumley@yahoo.com]
    > Sent: Saturday, August 09, 2003 4:14 PM
    > To: redhat-list@redhat.com
    > Subject: RE: Firewall / Internet Gateway Config Fails
    >
    >
    > Jason,
    >
    > Ok I will set GATEWAYDEV=eth0
    >
    > I replaced an existing RH 6.2 firewall/gateway machine
    > with the new RH 8.0 machine. The new machine has the
    > same name and IP number that the old machine did, so
    > all the machines on the LAN are already configured to
    > point to the new firewall/gateway.
    >
    > Are NAT rules the firewall rules?
    >
    > I shut down the iptables firewall before I started
    > testing but the LAN clients still cannot reach the
    > internet.
    >
    > Ken
    >
    > --- Jason Staudenmayer <jasons@NJAQUARIUM.ORG> wrote:
    > > The first way is right. You have to set up NAT rules
    > > and set the gateways on your clients to point to your
    > > router/gateway/firewall.
    > >
    > > -----Original Message-----
    > > From: Ken Plumley [mailto:ken_plumley@yahoo.com]
    > > Sent: Saturday, August 09, 2003 3:37 PM
    > > To: Redhat List
    > > Subject: Firewall / Internet Gateway Config Fails
    > >
    > >
    > > I am trying to configure a Red Hat Linux 8.0
    > > combination firewall/internet gateway that serves a
    > > LAN.
    > >
    > > eth0 is used with DHCP to reach the internet through
    > > a cable modem.
    > >
    > > eth1 is used with a static IP to reach the LAN.
    > >
    > > With the GATEWAYDEV set to eth0 the machine can reach
    > > the internet and the LAN at the same time but will not
    > > provide access from the LAN to the internet.
    > >
    > > With the GATEWAYDEV set to eth1, as I think it should
    > > be, the machine can NOT reach the internet but can
    > > reach the LAN.
    > >
    > > What am I configuring wrong?
    > >
    > > Any help would be much appreciated.
    > >
    > > Thanks,
    > >
    > > Ken
    > >
    > > Below are the network file configurations:
    > >
    > > File:
    > > /etc/sysconfig/network
    > >
    > > NETWORKING=yes
    > > HOSTNAME=firewallgate
    > > FORWARD_IPV4="yes"
    > > GATEWAYDEV=eth1
    > > GATEWAY=0.0.0.0
    > >
    > >
    > > File:
    > > /etc/sysconfig/networking/devices/ifcfg-eth0
    > >
    > > USERCTL=yes
    > > PEERDNS=yes
    > > TYPE=Ethernet
    > > DEVICE=eth0
    > > BOOTPROTO=dhcp
    > > ONBOOT=yes
    > > HWADDR=(The HWADDR is correct)
    > >
    > >
    > > File:
    > > /etc/sysconfig/networking/devices/ifcfg-eth1
    > >
    > > USERCTL=yes
    > > PEERDNS=no
    > > TYPE=Ethernet
    > > DEVICE=eth1
    > > HWADDR=(The HWADDR is correct)
    > > BOOTPROTO=none
    > > NETMASK=255.255.255.0
    > > ONBOOT=yes
    > > IPADDR=192.168.1.3
    > > NETWORK=192.168.1.0
    > > BROADCAST=192.168.1.255
    > > GATEWAY=0.0.0.0
    > >
    > >
    > > File:
    > > /etc/sysconfig/networking/devices/eth0-route
    > >
    > > GATEWAY0=0.0.0.0
    > > NETMASK0=0.0.0.0
    > > ADDRESS0=0.0.0.0
    > >
    > >
    > > File:
    > > /etc/sysconfig/networking/devices/eth1-route
    > >
    > > GATEWAY0=0.0.0.0
    > > NETMASK0=255.255.255.255
    > > ADDRESS0=192.168.1.3
    > >
    > >
    > >

    -- 
    redhat-list mailing list
    unsubscribe mailto:redhat-list-request@redhat.com?subject=unsubscribe
    https://www.redhat.com/mailman/listinfo/redhat-list
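
Added example, not part of the original thread: a dry-run helper that prints the iptables commands for the gateway described in the first post, using MASQUERADE because eth0 gets its address by DHCP, plus a default-deny FORWARD chain with stateful return traffic. The function name `gateway_rules` is hypothetical; the interface roles (eth0 = cable modem, eth1 = LAN) and the 192.168.1.0/24 network are taken from the posted configuration files.

```shell
#!/bin/sh
# Added example: print (do not run) the iptables commands for a NAT gateway.
# Assumed layout from the original post: eth0 = cable modem (DHCP),
# eth1 = LAN, LAN network 192.168.1.0/24. gateway_rules is a hypothetical helper.

gateway_rules() {
    wan=$1
    lan=$2
    net=$3

    if [ -z "$wan" ] || [ -z "$lan" ] || [ -z "$net" ]; then
        echo "usage: gateway_rules WAN_IF LAN_IF LAN_NET/PREFIX" >&2
        return 2
    fi
    # NAT must happen on the internet-facing interface, never the LAN one.
    if [ "$wan" = "$lan" ]; then
        echo "WAN and LAN interface must differ" >&2
        return 2
    fi
    # Accept only plain interface names and a.b.c.d/nn, so the printed
    # commands are safe to review and then pipe to a root shell.
    case $wan$lan in
        *[!A-Za-z0-9._-]*) echo "bad interface name" >&2; return 2 ;;
    esac
    case $net in
        *[!0-9./]*|*/*/*|/*|*/) echo "bad network" >&2; return 2 ;;
        */*) ;;
        *) echo "bad network (prefix length missing)" >&2; return 2 ;;
    esac

    # 1. enable routing  2. rewrite the source address on the way out
    # 3. default-deny forwarding  4. LAN may open connections outward
    # 5. only replies to those connections may come back in
    cat <<EOF
echo 1 > /proc/sys/net/ipv4/ip_forward
iptables -t nat -A POSTROUTING -s $net -o $wan -j MASQUERADE
iptables -P FORWARD DROP
iptables -A FORWARD -i $lan -o $wan -s $net -j ACCEPT
iptables -A FORWARD -i $wan -o $lan -m state --state ESTABLISHED,RELATED -j ACCEPT
EOF
}

# Print the commands for the layout in the original post.
gateway_rules eth0 eth1 192.168.1.0/24
```

After reviewing the output, the commands can be applied as root with `gateway_rules eth0 eth1 192.168.1.0/24 | sh`. `-P FORWARD DROP` changes the chain policy, so existing FORWARD rules that relied on an ACCEPT policy stop passing traffic.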
    
