From: "Navneet" <navneetkc@gmail.com>
To: netfilter@lists.netfilter.org
Subject: Linux as router (Gateway Server)
Date: Wed, 19 Jan 2005 20:07:07 +0530
Message-ID: <00a601c4fe34$5e74bd80$eaab9385@gagan>
Dear all,
I have a question:
"I only have a single network connection, but I would like all my computers
to have Internet access. How is this possible?"
1. What I have
My network configuration is as follows:-
eth1
(172.21.0.133/28)
|
|
AGNI {RedHat 9[Squid Proxy,Gateway ,firewall & FTP] }
|
|
|
(192.168.0.0/16)
eth0
|
---- SWITCH----------
|
|
|
LAN
where:-
eth0-Intel Corp. 82557/8/9 [Ethernet Pro 100]
eth1-Broadcom Corporation NetXtreme BCM5702 Gigabit Ethernet
2. What I have done:-
a) Enabled IP forwarding:
echo 1 > /proc/sys/net/ipv4/ip_forward
and added the above line to /etc/rc.d/rc.local
b) Firewall rules as follows:-
# vi testWall
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]

# allow local loopback connections
-A INPUT -i lo -j ACCEPT
# allow echo-requests (pinging)
-A INPUT -s 192.168.0.0/16 -d 0/0 -p icmp --icmp-type echo-request -j ACCEPT
# drop INVALID connections
-A INPUT -m state --state INVALID -j DROP
-A OUTPUT -m state --state INVALID -j DROP
-A FORWARD -m state --state INVALID -j DROP

# allow all established and related
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

# allow connections to my ISP's DNS servers
-A OUTPUT -d 2.3.4.10 -m state --state NEW -p udp --dport 53 -o eth0 -j ACCEPT
-A OUTPUT -d 2.3.4.11 -m state --state NEW -p udp --dport 53 -o eth0 -j ACCEPT
-A FORWARD -d 2.3.4.10 -m state --state NEW -p udp --dport 53 -i eth0 -o eth0 -j ACCEPT
-A FORWARD -d 2.3.4.11 -m state --state NEW -p udp --dport 53 -i eth0 -o eth0 -j ACCEPT

# allow outgoing connections to web servers
-A OUTPUT -d 0/0 -m state --state NEW -p tcp -m multiport --dport http,https -o eth0 -j ACCEPT
-A FORWARD -d 0/0 -m state --state NEW -p tcp -m multiport --dport http,https -o eth0 -i eth0 -j ACCEPT

# allow outgoing mail connections to my ISP's SMTP and POP3 server only
-A OUTPUT -d mail.my-isp.com -m state --state NEW -p tcp -m multiport --dport smtp,pop3 -o eth0 -j ACCEPT
-A FORWARD -d mail.my-isp.com -m state --state NEW -p tcp -m multiport --dport smtp,pop3 -o eth0 -j ACCEPT

# log all other attempted outgoing connections
-A OUTPUT -o eth0 -j LOG
-A FORWARD -j LOG
# default is to DROP outgoing connections

COMMIT

*nat

# set up IP forwarding and nat
-A POSTROUTING -o eth0 -j SNAT --to 172.21.0.133

COMMIT
PS: Copied from http://linuxgazette.net/103/odonovan.html
#iptables-restore </root/testWall
#iptables-save
3. What I got:-
a) Users are able to browse the Internet via the Squid proxy (192.168.0.1:3128),
i.e. HTTP/HTTPS.
b) But they are not able to access mail (POP3/SMTP) from our ISP's mail server.
A traceroute to my ISP's mail server cannot get beyond my RedHat (AGNI) server.
What am I doing wrong? Please suggest.
Thanks & regards,
Navneet Choudhary
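As an added example (not from the post or from the Linux Gazette article the rules were copied from), a Python lint that reads a testWall-style ruleset and flags rules whose interface options disagree with the diagram above, where eth1 carries the 172.21.0.133/28 upstream link and eth0 the 192.168.0.0/16 LAN. The embedded ruleset excerpt is constructed from the rules quoted in the post; the three checks (forwarded traffic should change interface, NEW outbound flows and SNAT should use the upstream interface) are assumptions about how a two-interface gateway is expected to be wired.

```python
import shlex

# Interface roles as drawn in the post's diagram: eth1 faces the ISP, eth0 faces the LAN (assumed).
WAN_IF = "eth1"

# Constructed excerpt of the posted testWall ruleset (only the rules the checks look at).
RULESET = """\
*filter
-A FORWARD -d 2.3.4.10 -m state --state NEW -p udp --dport 53 -i eth0 -o eth0 -j ACCEPT
-A FORWARD -d 0/0 -m state --state NEW -p tcp -m multiport --dport http,https -o eth0 -i eth0 -j ACCEPT
-A FORWARD -d mail.my-isp.com -m state --state NEW -p tcp -m multiport --dport smtp,pop3 -o eth0 -j ACCEPT
COMMIT
*nat
-A POSTROUTING -o eth0 -j SNAT --to 172.21.0.133
COMMIT
"""

def parse_rules(text):
    """Yield (table, chain, options) for every -A line; options maps each flag to its value."""
    table = None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("*"):
            table = line[1:]  # *filter / *nat section header
        elif line.startswith("-A "):
            toks = shlex.split(line)
            opts, i = {}, 2
            while i < len(toks):
                if i + 1 < len(toks) and not toks[i + 1].startswith("-"):
                    opts[toks[i]] = toks[i + 1]
                    i += 2
                else:
                    opts[toks[i]] = True  # flag without a value
                    i += 1
            yield table, toks[1], opts

def lint(text, wan=WAN_IF):
    """Return (chain, problem, interface) for each rule whose interfaces contradict the topology."""
    findings = []
    for table, chain, o in parse_rules(text):
        if chain == "FORWARD" and "-i" in o and o["-i"] == o.get("-o"):
            findings.append((chain, "same_iface", o["-i"]))  # routed traffic enters and leaves on one NIC
        if chain == "FORWARD" and o.get("--state") == "NEW" and "-o" in o and o["-o"] != wan:
            findings.append((chain, "new_out_not_wan", o["-o"]))  # new outbound flows should exit via WAN
        if table == "nat" and chain == "POSTROUTING" and o.get("-j") == "SNAT" and o.get("-o") != wan:
            findings.append((chain, "snat_not_wan", o.get("-o")))  # SNAT belongs on the upstream side
    return findings

if __name__ == "__main__":
    print(*lint(RULESET), sep="\n")
```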