Hi Jerry,
Just a general remark.
When deploying a firewall, it is advisable (at least for input, better for all) to have the general policy set to drop, and only allow in what you expect to be coming in. If you put a "-j LOG" line as the final line of each section, you'll see every packet you forgot about...
Right now the default is "allow", with only some SNAT and DNAT rules...
hw
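The default-drop layout described above, as an added example that is not part of the thread: the addresses, ports and interface roles (eth0 LAN, eth1 T1, eth2 cable) are taken from Jerry's posted rules and routing table, the rest is an assumed minimal policy. Note that it only changes filtering and NAT; with the single default route via eth2 shown below, replies sourced from the T1 address still follow that default route unless source-based policy routing is added.

```shell
#!/bin/sh
# Added example: default-deny policy with a trailing LOG rule per chain.
# Addresses, ports and interfaces (eth0 LAN, eth1 T1, eth2 cable) are from Jerry's mail.
# Run as "sh fw.sh apply"; set IPT=echo to print the commands instead of applying them.
IPT="${IPT:-iptables}"

CABLE_IP=24.123.23.170; CABLE_HOST=192.168.1.209; CABLE_IF=eth2
T1_IP=74.223.8.179;     T1_HOST=192.168.1.58;     T1_IF=eth1
LAN_IF=eth0; LAN_NET=192.168.1.0/24
SERVICES="22 25 80"

# DNAT the published services of one public address to its internal host,
# and allow exactly those new connections through FORWARD.
publish_services() {  # $1 = public IP, $2 = internal host, $3 = external iface
    for port in $SERVICES; do
        $IPT -t nat -A PREROUTING -i "$3" -d "$1" -p tcp --dport "$port" \
            -j DNAT --to-destination "$2:$port"
        $IPT -A FORWARD -i "$3" -d "$2" -p tcp --dport "$port" \
            -m state --state NEW -j ACCEPT
    done
}
apply_policy() {
    $IPT -F; $IPT -t nat -F
    # Default to DROP: anything not explicitly accepted below is discarded.
    $IPT -P INPUT DROP; $IPT -P FORWARD DROP; $IPT -P OUTPUT ACCEPT

    $IPT -A INPUT -i lo -j ACCEPT
    $IPT -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
    $IPT -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
    # SSH to the firewall itself only from the LAN side
    $IPT -A INPUT -i "$LAN_IF" -s "$LAN_NET" -p tcp --dport 22 \
        -m state --state NEW -j ACCEPT
    # LAN hosts may go out; source-NAT them to the public address of the
    # interface the packet actually leaves on
    $IPT -A FORWARD -i "$LAN_IF" -s "$LAN_NET" -j ACCEPT
    $IPT -t nat -A POSTROUTING -s "$LAN_NET" -o "$CABLE_IF" -j SNAT --to-source "$CABLE_IP"
    $IPT -t nat -A POSTROUTING -s "$LAN_NET" -o "$T1_IF" -j SNAT --to-source "$T1_IP"

    publish_services "$CABLE_IP" "$CABLE_HOST" "$CABLE_IF"
    publish_services "$T1_IP" "$T1_HOST" "$T1_IF"

    # Last rule of each chain: log what was forgotten (rate limited so a
    # flood cannot fill the log), then fall through to the DROP policy.
    for chain in INPUT FORWARD; do
        $IPT -A "$chain" -m limit --limit 5/min -j LOG --log-prefix "$chain-drop: "
    done
}
case "${1:-}" in apply) apply_policy ;; esac
```

Logged packets show up in the kernel log with the chain name as prefix, which is where you find the traffic the explicit rules missed.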
-----Original Message-----
From: centos-bounces at centos.org [mailto:centos-bounces at centos.org] On Behalf Of Jerry Geis
Sent: Tuesday, May 11, 2010 12:10 AM
To: CentOS ML
Subject: [CentOS] setup firewall with 3 nic cards
I have a CentOS box with 3 NICs. eth0 is internal, eth1 is T1 data and eth2 is cable data.
Everything is working on eth2 cable. External NAT is working just fine for eth2.
However external address 74.x.x.x on eth1 is not working.
Below is my iptables information.
I set up eth1 the same as eth2, just with a different IP address of course. What did I miss, such that eth1 and NAT are not working?
I'm just looking for both public IPs' incoming traffic to NAT to the correct internal IP address.
Only 1 is working at this time.
Thanks,
Jerry
---------------
Chain INPUT (policy ACCEPT)
target prot opt source destination
RH-Firewall-1-INPUT all -- 0.0.0.0/0 0.0.0.0/0
Chain FORWARD (policy ACCEPT)
target prot opt source destination
RH-Firewall-1-INPUT all -- 0.0.0.0/0 0.0.0.0/0
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
Chain RH-Firewall-1-INPUT (2 references)
target prot opt source destination
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0 icmp type 255
ACCEPT esp -- 0.0.0.0/0 0.0.0.0/0
ACCEPT ah -- 0.0.0.0/0 0.0.0.0/0
ACCEPT udp -- 0.0.0.0/0 224.0.0.251 udp dpt:5353
ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:631
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:631
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:25
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:22
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:80
REJECT all -- 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited
Chain PREROUTING (policy ACCEPT)
target prot opt source destination
DNAT tcp -- 0.0.0.0/0 24.123.23.170 tcp dpt:22 to:192.168.1.209:22
DNAT tcp -- 0.0.0.0/0 24.123.23.170 tcp dpt:25 to:192.168.1.209:25
DNAT tcp -- 0.0.0.0/0 24.123.23.170 tcp dpt:80 to:192.168.1.209:80
DNAT tcp -- 0.0.0.0/0 74.223.8.179 tcp dpt:22 to:192.168.1.58:22
DNAT tcp -- 0.0.0.0/0 74.223.8.179 tcp dpt:25 to:192.168.1.58:25
DNAT tcp -- 0.0.0.0/0 74.223.8.179 tcp dpt:80 to:192.168.1.58:80
Chain POSTROUTING (policy ACCEPT)
target prot opt source destination
SNAT all -- 192.168.1.0/24 0.0.0.0/0 to:24.123.23.170
SNAT all -- 0.0.0.0/0 192.168.1.209 to:192.168.1.1
SNAT all -- 0.0.0.0/0 192.168.1.209 to:192.168.1.1
SNAT all -- 0.0.0.0/0 192.168.1.209 to:192.168.1.1
SNAT all -- 0.0.0.0/0 192.168.1.209 to:192.168.1.1
SNAT all -- 0.0.0.0/0 192.168.1.209 to:192.168.1.1
SNAT all -- 0.0.0.0/0 192.168.1.209 to:192.168.1.1
SNAT all -- 0.0.0.0/0 192.168.1.58 to:192.168.1.1
SNAT all -- 0.0.0.0/0 192.168.1.58 to:192.168.1.1
SNAT all -- 0.0.0.0/0 192.168.1.58 to:192.168.1.1
SNAT all -- 0.0.0.0/0 192.168.1.58 to:192.168.1.1
SNAT all -- 0.0.0.0/0 192.168.1.58 to:192.168.1.1
SNAT all -- 0.0.0.0/0 192.168.1.58 to:192.168.1.1
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
24.123.23.168 0.0.0.0 255.255.255.248 U 0 0 0 eth2
74.223.8.176 0.0.0.0 255.255.255.240 U 0 0 0 eth1
192.168.1.0 0.0.0.0 255.255.255.0 U 0 0 0 eth0
169.254.0.0 0.0.0.0 255.255.0.0 U 0 0 0 eth2
0.0.0.0 24.123.23.169 0.0.0.0 UG 0 0 0 eth2
_______________________________________________
CentOS mailing list
CentOS at centos.org
http://lists.centos.org/mailman/listinfo/centos
______________________________________________________________________
This message may contain information that is not intended for you. If you are
not the addressee or if this message was sent to you by mistake, you are
requested to inform the sender and delete the message. The State accepts no
liability for damage of any kind resulting from the risks inherent in the
electronic transmission of messages.