When I added the last section with the source and destination specified
for eth2 the iptables would not load. It just said try typing iptables -h
or -help.
Without the added section all runs OK and internal traffic gets access
to the internet via eth1. I noticed an extra space in the destination
line but after removing it I still got the same message back!
Maybe I need to change something elsewhere but am having difficulty
finding any info on suggested setups for a similar scenario.
Chris Lowth wrote:
> SHALLAM wrote:
> > Hi, new to groups so bear with me.
> > Got a Red Hat 8 server, 3 network cards,
> > using iptables and NAT and masquerading.
> > Can get eth0 (internal facing network card) and eth1 (external network
> > card) working fine.
> > Need to add eth2 as a second external facing card to allow only two
> > internal IP addresses (from the same range of addresses that use eth1)
> > to access the internet with masquerading.
> > iptables as follows:
> > # Firewall Gateway system IP address is 10.2.*.* using Ethernet device eth1
> > # Firewall Gateway system IP address is 10.65.*.* using Ethernet device eth2
> > # Private network address is 172.16.0.0 using Ethernet device eth0
> > # turn off IP forwarding
> > echo 0 > /proc/sys/net/ipv4/ip_forward
> > # Flush chain rules
> > iptables -F INPUT
> > iptables -F OUTPUT
> > iptables -F FORWARD
> > # set default (policy) rules
> > iptables -P INPUT DROP
> > iptables -P OUTPUT ACCEPT
> > iptables -P FORWARD ACCEPT
> > # IP spoofing, deny any packets on the internal network that have an external source address.
> > # iptables -A INPUT -j LOG -j eth0 \! -s 172.16.0.0/24
> > # iptables -A INPUT -j DROP -i eth0 \! -s 172.16.0.0/24
> > # iptables -A FORWARD -j DROP -i eth0 \! -s 172.16.0.0/24
> > # IP spoofing, deny any outside packets (any not on eth0) that have the source address of the internal network
> > iptables -A INPUT -j DROP \! -i eth0 -s 172.16.0.0
> > iptables -A FORWARD -j DROP \! -i eth0 -s 172.16.0.0
> > # IP spoofing, deny any outside packets with localhost address
> > # (packets not on the lo interface (any on eth0 or eth1) that have the source address of localhost)
> > iptables -A INPUT -j DROP -i \! lo -s 127.0.0.0/255.0.0.0
> > iptables -A FORWARD -j DROP -i \! lo -s 127.0.0.0/255.0.0.0
> > # allow all incoming messages for users on your firewall system
> > # iptables -A INPUT -j ACCEPT -i lo
> > # allow established and related outside communication to your system
> > # allow outside communication to the firewall, except for ICMP packets
> > iptables -A INPUT -m state --state ESTABLISHED,RELATED -i eth1 -p \! icmp -j ACCEPT
> > # prevent outside initiated connections
> > iptables -A INPUT -m state --state NEW -i eth1 -j DROP
> > iptables -A FORWARD -m state --state NEW -i eth1 -j DROP
> > # allow all local communication to and from the firewall on eth0 from the local network
> > iptables -A INPUT -j ACCEPT -p all -i eth0 -s 172.16.0.0/24
> > # set up masquerading to allow internal machines access to outside network
> > iptables -t nat -A POSTROUTING -o eth1 -j MASQUERADE
> > # Accept ICMP ping (0 and 8) and Destination unreachable (3) messages
> > # Others will be rejected by INPUT and OUTPUT DROP policy
> > iptables -A INPUT -j ACCEPT -p icmp -i eth1 --icmp-type echo-reply -d 10.*.*.*
> > iptables -A INPUT -j ACCEPT -p icmp -i eth1 --icmp-type echo-request -d 10.*.*.*
> > iptables -A INPUT -j ACCEPT -p icmp -i eth1 --icmp-type destination-unreachable -d 10.*.*.*
> > # Turn on IP Forwarding
> > echo 1 > /proc/sys/net/ipv4/ip_forward
> >
> > Tried adding the following lines but it would not work:
> > # set up masquerading to allow a specified machine access to the outside network on second card
> > iptables -t nat -A PREROUTING -d 10.*.*.* \ --to-destination 172.16.2.107 -j DNAT
> > iptables -t nat -A POSTROUTING -s 172.16.2.107 \ --to-source 10.*.*.* -j SNAT
> > Anyone able to help?
> >
>
> Can you be more specific about "it doesn't work"? Do you mean the
> iptables commands report errors, or that the traffic doesn't flow? If the
> latter, which NICs work and which don't?
>
> If it's just the eth2 that isnt working, let's have a look at the
> routing table too.
>
> Chris
> --
> http://www.lowth.com/rope - packet matching filters written in a
> lightning-fast scripting language that runs in the kernel.
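The eth2 setup the thread is after, as an added example written for this page (it is not either poster's script): the SNAT rule is built with `-j SNAT` ahead of `--to-source`, because iptables only parses a target's options once the target has been named, and it goes beyond the original lines by adding the policy routing the two hosts need to leave via eth2 and the same NEW-connection drops the original script applies to eth1. The eth2 address, gateway, second host and routing table id are placeholders; the script prints the commands unless APPLY=1 is set.

```shell
#!/bin/sh
# Added example, not the original poster's script.
# Lets two internal hosts out through eth2 via SNAT, keeping eth1's
# MASQUERADE for everyone else. Dry-run by default (prints commands);
# APPLY=1 executes them (root, iptables and iproute2 required).
set -eu

EXT2_IP="10.65.0.2"      # placeholder: the real eth2 address (page gives only 10.65.*.*)
EXT2_GW="10.65.0.1"      # placeholder: upstream gateway reachable via eth2
HOSTS="172.16.2.107 172.16.2.108"   # constructed: the two hosts allowed out via eth2
RT_TABLE=100             # assumption: spare routing table id for policy routing

run() {
    if [ "${APPLY:-0}" = 1 ]; then $1; else printf '%s\n' "$1"; fi
}

# Target options such as --to-source are only parsed after '-j SNAT' names
# the target; putting them first is what triggers "Try `iptables -h'".
snat_rule() {
    echo "iptables -t nat -A POSTROUTING -s $1 -o eth2 -j SNAT --to-source $EXT2_IP"
}

# Mirror the eth1 protections on eth2: nothing may initiate a connection
# from the outside through the new card.
guard_rules() {
    echo "iptables -A INPUT -m state --state NEW -i eth2 -j DROP"
    echo "iptables -A FORWARD -m state --state NEW -i eth2 -j DROP"
}

# Policy routing: without it the hosts' packets still take the default route
# out of eth1 and never match '-o eth2' in POSTROUTING.
route_rules() {
    echo "ip route add default via $EXT2_GW dev eth2 table $RT_TABLE"
    for h in $HOSTS; do
        echo "ip rule add from $h table $RT_TABLE"
    done
}

apply_all() {
    guard_rules | while read -r cmd; do run "$cmd"; done
    route_rules | while read -r cmd; do run "$cmd"; done
    for h in $HOSTS; do run "$(snat_rule "$h")"; done
}

apply_all
```

After applying, `ip rule show` and `iptables -t nat -L POSTROUTING -v` confirm that only the listed hosts are steered to and translated on eth2.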