Find the answer to your Linux question:
Results 1 to 2 of 2
Distro: CentOS 5.3 External IP (eth0): Static assigned by ISP via DHCP Internal IP (eth1): 10.0.0.1 Services running: Apache, BIND, ProFTP, Samba, DHCP3, MySQL, PHP Hello. I must preface this ...
Enjoy an ad free experience by logging in. Not a member yet? Register.
  1. #1
    Just Joined!
    Join Date
    Jun 2009
    Posts
    6

    CentOS router/firewall/nat iptables setup [SOLVED: Shorewall FTW]


    Distro: CentOS 5.3
    External IP (eth0): Static assigned by ISP via DHCP
    Internal IP (eth1): 10.0.0.1
    Services running: Apache, BIND, ProFTP, Samba, DHCP3, MySQL, PHP

    Hello. I must preface this by saying I know little about iptables. This is my first attempt at building my own router, having previously used Smoothwall.

    The CentOS box in this instance is also my website and DNS server. I have simply built on top of my existing server setup, enabling port forwarding and installing dhcpd.

    Objective:
    All outgoing connections accepted, i.e. use should be transparant to a user within my network.
    Incoming connections only accepted if forwarded (I think I know how to accomplish this, having nabbed a port forward example when I searched), I currently do not have any of these.
    Existing services on the router continue to work.

    My web and name server currently work, as does FTP and samba access.

    The internet works on my client computer (10.0.0.2 Static via DHCP), however I have trouble accessing some services outside my own network. For example if I FTP to an external server I get:

    500 I won't open a connection to 10.0.0.2 (only to PUBLIC IP WAS HERE)

    I don't think my internal IP should be making it out there.

    Here's my iptables script, cobbled together from various sources:

    Code:
    # Dont shut myself out in case something doesn't work
    iptables -F
    iptables -P INPUT ACCEPT
    # FTP
    iptables -A INPUT -p tcp --dport 21 -j ACCEPT
    iptables -A INPUT -p tcp --dport 22 -j ACCEPT
    # Webmin
    iptables -A INPUT -p tcp --dport 10000 -j ACCEPT
    # DNS
    iptables -A INPUT -p udp --dport 53 -j ACCEPT
    # HTTP
    iptables -A INPUT -p tcp --dport 80 -j ACCEPT
    # DHCP
    iptables -A INPUT -p tcp --dport 67 -j ACCEPT
    # Nagios
    iptables -A INPUT -p tcp -m tcp --dport 5666 -j ACCEPT
    # Ping
    iptables -A INPUT -p icmp --icmp-type 8 -j ACCEPT
    iptables -A OUTPUT -p icmp --icmp-type 0 -j ACCEPT
    # Default policies
    iptables -P INPUT DROP
    iptables -P FORWARD ACCEPT
    iptables -P OUTPUT ACCEPT
    # Routering...
    iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
    iptables -A FORWARD -i eth1 -j ACCEPT
    iptables -A INPUT -i lo -j ACCEPT
    iptables -A INPUT -i eth1 -j ACCEPT
    iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
    iptables -t nat -P PREROUTING ACCEPT
    iptables -t nat -P POSTROUTING ACCEPT
    service iptables save
    Any sugestions to make this... better? Or a tutorial for nubs. No GUI so CLI options only.

  2. #2
    Just Joined!
    Join Date
    Jun 2009
    Posts
    6
    Never mind, Shorewall to the rescue!

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •