Hello, I'm setting up a centos5 router for a friend. It will direct traffic to an internal webserver, already in place, as well as run squid proxy. It should do NAT and have a firewall with iptables. I've set up routers before for this purpose but always of the BSD type and using their firewalls. I understand the concepts, NAT, packet filtering, etc. but I'm not getting iptables at all. If anyone is an expert on this I'd appreciate hearing from you. I have what are probably basic questions, I've read the docs, but I am lost. Thanks. Dave.
# Rewrite the destination of HTTP packets arriving on eth0 for the router's address to the internal web server
/sbin/iptables -t nat -A PREROUTING -p tcp -i eth0 -d 192.168.0.1 --destination-port 80 -j DNAT --to 192.168.0.2:80
# Let the rewritten packets pass through the FORWARD chain to the web server
/sbin/iptables -A FORWARD -p tcp -i eth0 -d 192.168.0.2 --destination-port 80 -j ACCEPT

> From: dmehler26 at woh.rr.com
> To: centos at centos.org
> Date: Tue, 28 Aug 2007 12:27:08 -0400
> Subject: [CentOS] centos5 iptables expert needed
>
> Hello,
> I'm setting up a centos5 router for a friend. It will direct traffic to
> an internal webserver, already in place, as well as run squid proxy. It
> should do NAT and have a firewall with iptables. I've set up routers before
> for this purpose but always of the BSD type and using their firewalls. I
> understand the concepts, NAT, packet filtering, etc. but I'm not getting
> iptables at all. If anyone is an expert on this I'd appreciate hearing from
> you. I have what are probably basic questions, I've read the docs, but I am
> lost.
> Thanks.
> Dave.
>
> _______________________________________________
> CentOS mailing list
> CentOS at centos.org
> http://lists.centos.org/mailman/listinfo/centos
You might try loading a copy of Webmin onto your linux box, there is a Firewall module that will make changing and setting up the routing very easy and quick to understand...

www.webmin.com
webmin-1.360-1.noarch.rpm
There is a simple RPM install that works with CentOS...

john

Dave wrote:
> Hello,
> I'm setting up a centos5 router for a friend. It will direct
> traffic to an internal webserver, already in place, as well as run
> squid proxy. It should do NAT and have a firewall with iptables. I've
> set up routers before for this purpose but always of the BSD type and
> using their firewalls. I understand the concepts, NAT, packet
> filtering, etc. but I'm not getting iptables at all. If anyone is an
> expert on this I'd appreciate hearing from you. I have what are
> probably basic questions, I've read the docs, but I am lost.
> Thanks.
> Dave.
On Tue August 28 2007 12:27, Dave wrote:
> Hello,
> I'm setting up a centos5 router for a friend. It will direct traffic
> to an internal webserver, already in place, as well as run squid proxy. It
> should do NAT and have a firewall with iptables. I've set up routers before
> for this purpose but always of the BSD type and using their firewalls. I
> understand the concepts, NAT, packet filtering, etc. but I'm not getting
> iptables at all. If anyone is an expert on this I'd appreciate hearing from
> you. I have what are probably basic questions, I've read the docs, but I am
> lost.

What does this network look like? How many NICs in the router machine? I'm running a router/firewall here at home with 3 networks connected and I find the way I do things a lot better than any software setup out there. IPTABLES is simple. It works in a top to bottom flow. First rule it matches is executed.

--
Regards
Robert

Smile... it increases your face value!
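The two DNAT/FORWARD rules posted earlier in the thread, extended into a complete ruleset for the router Dave describes (NAT for the LAN, the port-forward to the web server, squid on the router) and laid out in the top-to-bottom, first-match order Robert mentions. This is an added example, not a script from anyone in the thread. It reuses the 192.168.0.1 (router) and 192.168.0.2 (web server) addresses from the posted rules; eth0 as the outside interface, eth1 as the LAN interface, squid on its default port 3128, and the `IPT`/`SYSCTL` variables that allow a dry run with `IPT=echo SYSCTL=echo` are all assumptions.

```shell
#!/bin/sh
# Added example, not from the thread. Interface names, the squid port and
# the "apply only when asked" wrapper are assumptions; the two addresses
# come from the DNAT rule posted earlier in the thread.
IPT=${IPT:-/sbin/iptables}     # set IPT=echo to print the rules instead of loading them
SYSCTL=${SYSCTL:-/sbin/sysctl} # set SYSCTL=echo for the same reason
EXT_IF=eth0                    # assumption: interface facing the outside
INT_IF=eth1                    # assumption: interface facing the LAN
ROUTER_IP=192.168.0.1          # address outside clients connect to (from the posted rule)
WEB_IP=192.168.0.2             # internal web server (from the posted rule)
SQUID_PORT=3128                # assumption: squid's default listening port

apply_rules() {
    # Start from empty chains with deny-by-default policies: a packet that
    # reaches the end of INPUT or FORWARD without matching any rule is dropped.
    $IPT -F
    $IPT -t nat -F
    $IPT -P INPUT DROP
    $IPT -P FORWARD DROP
    $IPT -P OUTPUT ACCEPT

    # Rules are checked top to bottom and the first match decides, so the
    # most common case goes first: packets belonging to a connection the
    # router already knows about. Everything after this only sees NEW packets.
    $IPT -A INPUT -i lo -j ACCEPT
    $IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

    # Inbound HTTP: nat/PREROUTING rewrites the destination before the
    # routing decision, so the FORWARD rule must match the web server's
    # address, not the router's. Pinning -o $INT_IF keeps the hole to one host.
    $IPT -t nat -A PREROUTING -i $EXT_IF -p tcp -d $ROUTER_IP --dport 80 \
         -j DNAT --to-destination $WEB_IP:80
    $IPT -A FORWARD -i $EXT_IF -o $INT_IF -p tcp -d $WEB_IP --dport 80 \
         -m state --state NEW -j ACCEPT

    # Outbound NAT for the LAN: allow new connections from inside to outside
    # and hide them behind the router's external address.
    $IPT -A FORWARD -i $INT_IF -o $EXT_IF -m state --state NEW -j ACCEPT
    $IPT -t nat -A POSTROUTING -o $EXT_IF -j MASQUERADE

    # Services on the router itself (ssh and squid), from the LAN side only.
    # No INPUT rule accepts NEW connections from $EXT_IF, so squid is not
    # reachable as an open proxy from outside.
    $IPT -A INPUT -i $INT_IF -p tcp --dport 22 -m state --state NEW -j ACCEPT
    $IPT -A INPUT -i $INT_IF -p tcp --dport $SQUID_PORT -m state --state NEW -j ACCEPT
}

# Forwarding between interfaces is off by default; enable it for the
# running kernel (put net.ipv4.ip_forward = 1 in /etc/sysctl.conf to keep
# it across reboots).
enable_forwarding() {
    $SYSCTL -w net.ipv4.ip_forward=1
}

# Only touch the live kernel when explicitly asked:
#   sh firewall.sh apply                        (as root)
#   IPT=echo SYSCTL=echo sh firewall.sh apply   (dry run: just print the rules)
# Afterwards "service iptables save" writes the live rules to
# /etc/sysconfig/iptables so the iptables init script reloads them at boot.
if [ "${1:-}" = "apply" ]; then
    enable_forwarding
    apply_rules
fi
```

The order matters because of the first-match rule: if the `-P FORWARD DROP` policy were replaced by an explicit `-A FORWARD -j DROP` placed before the ESTABLISHED rule, no reply traffic would ever get through, and if the DNAT `FORWARD` rule matched on `$ROUTER_IP` instead of `$WEB_IP` it would never fire, because the destination has already been rewritten by the time FORWARD is consulted.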
On Tuesday, August 28, 2007 12:27 PM -0400 Dave <dmehler26 at woh.rr.com> wrote:
> I've set up routers before for this purpose but always of the BSD type
> and using their firewalls. I understand the concepts, NAT, packet
> filtering, etc. but I'm not getting iptables at all. If anyone is an
> expert on this I'd appreciate hearing from you. I have what are probably
> basic questions, I've read the docs, but I am lost.

Wikipedia has a decent introduction: <http://en.wikipedia.org/wiki/Iptables>

There's a list of links to diagrams at the end to help in understanding the packet flow. Let us know what doesn't make sense there, so the article can be adjusted.
On 28 August 2007, John Plemons <john at mavin.com> wrote:
<snip>
> You might try loading a copy of Webmin onto your linux box, there is a
> Firewall module that will make changing and setting up the routing
> very easy and quick to understand...
>
> www.webmin.com
> webmin-1.360-1.noarch.rpm
> There is a simple RPM install that works with CentOS...

Three comments about webmin:

(a) There is a huge (800 pages?) manual for webmin in .pdf format, available for download from the webmin web site.

(b) I installed it on my Desktop (CentOS 5.0) a couple of weeks ago and I ran into a problem, because I have SELinux running in Permissive Mode. I first submitted to Bugzilla at Upstream and he tracked it down to Webmin, so I moved the bug to sourceforge:
<https://sourceforge.net/tracker/?func=detail&atid=117457&aid=1781101&group_id=17457>

This is what Jamie wrote:
> Ok, thanks ... I see the problem. Webmin opens the log file
> /var/webmin/miniserv.error and connects STDERR to it, then runs other
> commands like iptables, which inherits the STDERR file descriptor.
> This is generally a good thing, as any error output from the iptables
> command will go to that log file.
>
> But with selinux enabled, this fails as iptables doesn't have the
> security context needed to write to that file.
> Is there a chcon option or other command that can allow a file to be
> written by any process? If so, I should update Webmin to run that on
> the error log file.

ASAP, I will get back to him and I'm sure he will solve the problem. :-)

(c) It is my belief (others, with much more webmin experience can confirm or reject this thought), that webmin will be more reliable, when it changes configuration files, than many of the GUIs from Upstream.