Results 1 to 2 of 2
Distro: CentOS 5.3 External IP (eth0): Static assigned by ISP via DHCP Internal IP (eth1): 10.0.0.1 Services running: Apache, BIND, ProFTP, Samba, DHCP3, MySQL, PHP Hello. I must preface this ...
Enjoy an ad free experience by logging in. Not a member yet? Register.
- 06-23-2009 #1
- Join Date
- Jun 2009
CentOS router/firewall/nat iptables setup [SOLVED: Shorewall FTW]
Distro: CentOS 5.3
External IP (eth0): Static assigned by ISP via DHCP
Internal IP (eth1): 10.0.0.1
Services running: Apache, BIND, ProFTP, Samba, DHCP3, MySQL, PHP
Hello. I must preface this by saying I know little about iptables. This is my first attempt at building my own router, having previously used Smoothwall.
The CentOS box in this instance is also my website and DNS server. I have simply built on top of my existing server setup, enabling port forwarding and installing dhcpd.
All outgoing connections accepted, i.e. use should be transparant to a user within my network.
Incoming connections only accepted if forwarded (I think I know how to accomplish this, having nabbed a port forward example when I searched), I currently do not have any of these.
Existing services on the router continue to work.
My web and name server currently work, as does FTP and samba access.
The internet works on my client computer (10.0.0.2 Static via DHCP), however I have trouble accessing some services outside my own network. For example if I FTP to an external server I get:
500 I won't open a connection to 10.0.0.2 (only to PUBLIC IP WAS HERE)
I don't think my internal IP should be making it out there.
Here's my iptables script, cobbled together from various sources:
# Dont shut myself out in case something doesn't work iptables -F iptables -P INPUT ACCEPT # FTP iptables -A INPUT -p tcp --dport 21 -j ACCEPT iptables -A INPUT -p tcp --dport 22 -j ACCEPT # Webmin iptables -A INPUT -p tcp --dport 10000 -j ACCEPT # DNS iptables -A INPUT -p udp --dport 53 -j ACCEPT # HTTP iptables -A INPUT -p tcp --dport 80 -j ACCEPT # DHCP iptables -A INPUT -p tcp --dport 67 -j ACCEPT # Nagios iptables -A INPUT -p tcp -m tcp --dport 5666 -j ACCEPT # Ping iptables -A INPUT -p icmp --icmp-type 8 -j ACCEPT iptables -A OUTPUT -p icmp --icmp-type 0 -j ACCEPT # Default policies iptables -P INPUT DROP iptables -P FORWARD ACCEPT iptables -P OUTPUT ACCEPT # Routering... iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT iptables -A FORWARD -i eth1 -j ACCEPT iptables -A INPUT -i lo -j ACCEPT iptables -A INPUT -i eth1 -j ACCEPT iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE iptables -t nat -P PREROUTING ACCEPT iptables -t nat -P POSTROUTING ACCEPT service iptables save
- 06-24-2009 #2
- Join Date
- Jun 2009
Never mind, Shorewall to the rescue!