> 1) I am not able to connect to my Centos Server BOX through Secure CRT
> 2) I am not able to connect to my Centos using FTP.
Try configuring port forwarding on the router instead of DMZ. For SSH,
forward port 22 to the 192.x address your centos machine is on.
Make sure iptables has 22 open in its firewall settings.
Vaneet Sharma wrote:
> Dear All,
>
> I have one centos box ( centos 4.0 ) which is connected to MSI wireless
> router....... And which is connected to my ISP MODEM.
> I incorporated wireless router so that I can use my laptop from any of
> my rooms.
>
> Now this Centos 4.0 box is my home server machine.
>
> The MSI Wireless Router has DHCP server enabled. Wireless router has
> provided each address to my machines basically internal IP address like
> 192.168.1.xx TO 192.168.1.xx. The wireless router has an external IP
> which can be reached at : http://84.255.28.48:8080. I configured DMZ
> settings in wireless router...
> Which basically is mapping my Centos Box internal IP ( 192.168.1.XX ) to
> public IP ( 84.255.28.48 )
>
> Now the problem is the following:
>
> how will my centos machine listen to this public IP ? Do I have to set
> up firewall settings?
> Ifconfig on centos gives me internal IP.
> I need to know what routing settings I need to do and where ?
>
> 1) I am not able to connect to my Centos Server BOX through Secure CRT
> 2) I am not able to connect to my Centos using FTP.
>
> Kind regards
> Vaneet
>
>
> -----Original Message-----
> From: centos-bounces at centos.org [mailto:centos-bounces at centos.org] On
> Behalf Of Maciej Zenczykowski
> Sent: Friday, May 20, 2005 5:39 PM
> To: CentOS mailing list
> Subject: Re: [CentOS] Iptables - PREROUTING
>
>
> okay, first of all you shouldn't do it in a script,
> instead you should be modifying /etc/sysconfig/iptables
> and using /etc/init.d/iptables start/stop
>
> and add ip_nat_ftp to the proper spot (modules to load) in
> /etc/sysconfig/iptables-config
>
> next you need to rewrite the following for iptables-save/restore format
>
> *nat
> :PREROUTING ACCEPT [0:0]
> :OUTPUT ACCEPT [0:0]
> :POSTROUTING ACCEPT [0:0]
>
> [spot for nat rules]
>
> COMMIT
>
> *filter
> :INPUT DROP [0:0]
> :FORWARD DROP [0:0]
> :OUTPUT ACCEPT [0:0]
>
> [spot for filter rules]
>
> COMMIT
>
>
> [in the filter rules:]
> -A INPUT -i lo -j ACCEPT
>
> # the following is _not_ nice
> -A INPUT -i eth0 -p ICMP --icmp-type echo-request -j DROP
>
> -A INPUT -i eth0 -s rango_ip/29 -d 0/0 -p all -j ACCEPT
> -A INPUT -i eth1 -s 172.16.0.0/24 -d 172.16.0.211/32 -p all -j ACCEPT
>
>
> [above in the nat spot]
> -A PREROUTING -i eth0 -p tcp --dport 80 -j DNAT --to 172.16.0.3:80
> -A PREROUTING -i eth0 -p tcp --dport 443 -j DNAT --to 172.16.0.3:443
>
>
> [again in the filter spot]
> -A FORWARD -i eth1 -p tcp -s 172.16.0.0/24 --dport 80 -j ACCEPT
> -A FORWARD -i eth1 -p tcp -s 172.16.0.0/24 --dport 443 -j ACCEPT
>
> -A FORWARD -i eth1 -p tcp -s 172.16.0.0/24 --dport 53 -j ACCEPT
> -A FORWARD -i eth1 -p udp -s 172.16.0.0/24 --dport 53 -j ACCEPT
>
> You _DO_ _NOT_ WANT TO ACCEPT everything from port 53 - I can break
> through this firewall in 5 seconds.
> -A INPUT -p tcp -m tcp --dport 53 -j ACCEPT
> -A INPUT -p udp -m udp --dport 53 -j ACCEPT
>
> same here, plus squid doesn't use udp
> -A INPUT -p tcp -m tcp --dport 3128 -j ACCEPT
>
> the default should be to drop
>
> -A INPUT -j LOG --log-level info
> -A OUTPUT -j LOG --log-level info
> -A FORWARD -j LOG --log-level info
>
> [in nat again]
> -A POSTROUTING -s 172.16.0.6/32 -o eth0 -j MASQUERADE
> -A POSTROUTING -s 172.16.0.10/32 -o eth0 -j MASQUERADE
> -A POSTROUTING -s 172.16.0.9/32 -o eth0 -j MASQUERADE
>
>
> this should be in /etc/sysctl.conf
>
>>echo 1 > /proc/sys/net/ipv4/ip_forward
>
>
> do the above changes and repost with what you have and we'll go from
> there...
>
> Cheers,
> MaZe
> _______________________________________________
> CentOS mailing list
> CentOS at centos.org http://lists.centos.org/mailman/listinfo/centos
>
>
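
Added example (not part of the original thread and not code from any of the posters): a small Python check over a file in iptables-save format that flags three points raised in the quoted review: INPUT or FORWARD chains whose default is not DROP, two rules run together on one line, and ACCEPT rules keyed on source port alone. Reading the port 53 warning as a source-port match is an assumption, and the sample ruleset is constructed.

```python
import shlex

# Constructed sample in iptables-save format (not a ruleset from the thread).
SAMPLE = """\
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -p udp -m udp --sport 53 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A FORWARD -i eth1 -p tcp --dport 80 -j ACCEPT -A FORWARD -i eth1 -p tcp --dport 443 -j ACCEPT
COMMIT
"""

NARROWING = ("-s", "--source", "--state", "--ctstate", "--dport")

def audit(text):
    """Return (line_number, code, detail) findings for an iptables-save dump."""
    findings, table = [], None
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("*"):
            table = line[1:]
        elif line.startswith(":"):
            chain, policy = line[1:].split()[:2]
            # Inbound and forwarded traffic should be dropped unless a rule allows it.
            if table == "filter" and chain in ("INPUT", "FORWARD") and policy != "DROP":
                findings.append((n, "policy-not-drop", f"{chain} defaults to {policy}"))
        elif line.startswith("-A"):
            tok = shlex.split(line)
            # Mail line-wrapping can leave a second -A mid-line; each rule
            # has to sit on its own line in this file format.
            if tok.count("-A") > 1:
                findings.append((n, "merged-rules", "more than one -A on the line"))
                continue
            accepts = ("-j", "ACCEPT") in zip(tok, tok[1:])
            narrowed = any(t in tok for t in NARROWING)
            # The sender chooses the source port, so --sport alone restricts nothing.
            if accepts and "--sport" in tok and not narrowed:
                findings.append((n, "sport-only-accept", "ACCEPT keyed on source port alone"))
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(*finding)
```
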