Difference between revisions of "Iptables"
From Bashlinux
Revision as of 05:25, 12 June 2012
iptables
How to set up iptables on CentOS/Fedora
At boot the iptables init script loads its rules from /etc/sysconfig/iptables. Rules added from the command line live only in the kernel: unless one of the save options in /etc/sysconfig/iptables-config is enabled (IPTABLES_SAVE_ON_STOP or IPTABLES_SAVE_ON_RESTART set to "yes"), or you run `service iptables save`, they are lost on reboot.
On Fedora, editing /etc/sysconfig/iptables does not touch the running ruleset; the kernel keeps the old rules until the iptables service is restarted (`service iptables restart`), which reloads the file.
To make the system load your rules on every reboot, make sure the file the init script reads, /etc/sysconfig/iptables, exists and contains the rules you just created; `service iptables save` writes the live ruleset there. (/etc/iptables.rules is the conventional location on GNU/Debian, not on CentOS/Fedora.)
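The script below is an added example written for this page, not code from the Bashlinux wiki or the iptables project. It makes the two checks a practitioner wants after the steps above: whether the ruleset the kernel is running right now is exactly what /etc/sysconfig/iptables will restore at the next boot, and whether the save-on-stop/restart options in /etc/sysconfig/iptables-config are on. It assumes the classic CentOS/Fedora "iptables" service; the variable names IPTABLES_RULES and IPTABLES_CONFIG, the function names, and the `apply` argument that gates the root-only demonstration are this example's own choices.

```shell
#!/bin/sh
# Added example for this page, not from the Bashlinux wiki or the iptables
# project. Assumes the classic CentOS/Fedora "iptables" service, whose init
# script restores /etc/sysconfig/iptables at boot and reads its save options
# from /etc/sysconfig/iptables-config. Both paths can be overridden (e.g. for
# testing against a copy of the files).
IPTABLES_RULES="${IPTABLES_RULES:-/etc/sysconfig/iptables}"
IPTABLES_CONFIG="${IPTABLES_CONFIG:-/etc/sysconfig/iptables-config}"

# Normalise an iptables-save dump read from file $1 so two dumps can be
# compared: drop the "# Generated by"/"# Completed on" comments and the
# [packets:bytes] counters on chain headers, both of which differ per dump.
normalize_ruleset() {
    sed -e '/^#/d' -e 's/ \[[0-9]*:[0-9]*\]$//' "$1"
}

# Print "yes" if the saved file $1 contains rule $2 (whole-line, literal match).
saved_has_rule() {
    if normalize_ruleset "$1" | grep -qxF -- "$2"; then echo yes; else echo no; fi
}

# Print "yes" if iptables-config $1 saves the live rules on stop or restart,
# i.e. the "save option" that makes command-line changes survive a reboot.
save_on_stop_enabled() {
    if grep -Eq '^IPTABLES_SAVE_ON_(STOP|RESTART)="?yes"?' "$1" 2>/dev/null; then
        echo yes
    else
        echo no
    fi
}

# Return 0 when the live kernel ruleset equals the saved file (ignoring
# counters); otherwise print the differences: "<" lines exist only in the
# kernel, ">" lines only in the file that will win at the next reboot.
live_matches_saved() {
    live=$(mktemp)
    iptables-save | normalize_ruleset /dev/stdin > "$live"
    normalize_ruleset "$IPTABLES_RULES" | diff "$live" -
    rc=$?
    rm -f "$live"
    return $rc
}

# Demonstration, only when explicitly asked for (needs root and the iptables
# service): add a rule, persist it the CentOS way, then prove kernel and file
# agree.
if [ "${1:-}" = apply ]; then
    iptables -A INPUT -p tcp --dport 22 -j ACCEPT
    service iptables save   # writes iptables-save output to $IPTABLES_RULES
    echo "save on stop/restart enabled: $(save_on_stop_enabled "$IPTABLES_CONFIG")"
    echo "ssh rule persisted: $(saved_has_rule "$IPTABLES_RULES" '-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT')"
    live_matches_saved && echo "kernel ruleset and $IPTABLES_RULES agree"
fi
```

Run it as `sudo sh check-iptables.sh apply` on the box; without the argument it only defines the functions, which is what lets them be tested against copies of the two files. Note that iptables-save expands what you typed (`-p tcp --dport 22` becomes `-p tcp -m tcp --dport 22`), so look for the expanded form when checking the saved file.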
How to set up iptables on GNU/Debian
Flush tables
Set up a gateway with 2 virtual NICs
For a host with two virtual NICs (an alias IP on one physical interface), the steps to set it up as a gateway are as follows.
Let's say:
- WAN = eth0 -> 10.11.12.10
- LAN = eth0:1 -> 192.168.10.10
- Add the proper nat rules to iptables so that traffic leaving through the "out to the world" NIC is source-NATed:
 *nat
 :PREROUTING ACCEPT [891:110412]
 :POSTROUTING ACCEPT [92:11129]
 :OUTPUT ACCEPT [241:27547]
 -A POSTROUTING -o eth0 -j MASQUERADE
 -A POSTROUTING -o eth0 -j SNAT --to-source 10.11.12.10
 COMMIT
 Only the first matching rule in POSTROUTING fires, so as written the MASQUERADE rule handles every packet and the SNAT rule is never reached. MASQUERADE is meant for interfaces whose address changes; with a fixed WAN address like 10.11.12.10, keep only the SNAT rule. Because the LAN alias also lives on eth0, restrict that rule to packets from the LAN subnet whose destination is outside the LAN, otherwise packets forwarded back into the LAN are rewritten to the WAN address as well.
- Because both networks sit on the same NIC, add to the filter section a FORWARD rule for each direction:
 -A FORWARD -i eth0 -j ACCEPT
 -A FORWARD -o eth0 -j ACCEPT
 Note that these accept every forwarded packet in both directions, including connections initiated from the WAN side towards LAN hosts. On a gateway that is reachable from the outside, accept only established and related traffic plus new connections that originate in the LAN subnet.
- Enable IP forwarding in the kernel by setting the parameter to "1" in /etc/sysctl.conf:
 net.ipv4.ip_forward = 1
- Load the modified settings:
 sysctl -p
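As an added example for this page (not code from the Bashlinux wiki or the iptables project), the script below carries the whole gateway procedure through in one go for the addresses above: it renders the complete nat and filter tables in iptables-save format, loads them atomically with iptables-restore, and enables forwarding both now and in /etc/sysctl.conf. It goes beyond the rules listed above in two ways a practitioner would want: a single SNAT rule (the WAN address is static) restricted to LAN-origin traffic so the shared eth0 does not rewrite LAN-bound packets, and a FORWARD chain that only lets connections opened from the LAN through. Function names and the `apply` argument are this example's own choices.

```shell
#!/bin/sh
# Added example for this page, not from the Bashlinux wiki or the iptables
# project. Renders and applies the gateway ruleset for WAN 10.11.12.10 and
# LAN 192.168.10.0/24 sharing eth0, tightened compared with the rules above.

# Print an iptables-restore file for WAN interface $1, WAN address $2 and LAN
# network $3 (CIDR). Lines starting with '#' are ignored by iptables-restore.
render_gateway_rules() {
    wan_if=$1; wan_ip=$2; lan_net=$3
    cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
# The WAN address is fixed, so SNAT rather than MASQUERADE. Match on the LAN
# source and a non-LAN destination: both networks share $wan_if, so "-o $wan_if"
# alone would also rewrite packets forwarded back into the LAN.
-A POSTROUTING -s $lan_net ! -d $lan_net -o $wan_if -j SNAT --to-source $wan_ip
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# Replies and related traffic for connections already in the conntrack table.
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
# New connections may only originate inside the LAN and leave it.
-A FORWARD -s $lan_net ! -d $lan_net -m conntrack --ctstate NEW -j ACCEPT
# Everything else (WAN-initiated traffic towards the LAN) hits the DROP policy.
COMMIT
EOF
}

# Idempotently set net.ipv4.ip_forward = 1 in the sysctl file $1: rewrite an
# existing setting instead of appending a duplicate that a later line could
# override.
enable_ip_forward_in_conf() {
    if grep -Eq '^[[:space:]]*net\.ipv4\.ip_forward[[:space:]]*=' "$1" 2>/dev/null; then
        sed -i -E 's/^[[:space:]]*net\.ipv4\.ip_forward[[:space:]]*=.*/net.ipv4.ip_forward = 1/' "$1"
    else
        printf 'net.ipv4.ip_forward = 1\n' >> "$1"
    fi
}

# Apply everything (root required): iptables-restore replaces the nat and
# filter tables atomically, so a typo leaves the old ruleset in place rather
# than a half-applied one; then enable forwarding now and across reboots.
apply_gateway() {
    render_gateway_rules "$@" | iptables-restore
    enable_ip_forward_in_conf /etc/sysctl.conf
    sysctl -p
}

if [ "${1:-}" = apply ]; then
    apply_gateway eth0 10.11.12.10 192.168.10.0/24
else
    # Without "apply", just show the ruleset that would be loaded.
    render_gateway_rules eth0 10.11.12.10 192.168.10.0/24
fi
```

Run it without arguments to review the rendered file, and `sudo sh gateway.sh apply` to load it. To keep the ruleset across reboots, redirect the rendered output to the file the distribution restores at boot: /etc/sysconfig/iptables on CentOS/Fedora (or `service iptables save` after applying), /etc/iptables.rules on GNU/Debian as named above.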