- This topic is empty.
-
Posts
-
Hello all,
Huge fan of Zeroshell. Great product, very surprised something like this is free!
I have two VLANs currently set up on this server. The Native VLAN, and VLAN20. I have a forwarding rule set up and it is as follows:
DROP all opt — in * out * 10.0.0.0/8 -> 192.168.1.0/24 (Active)
This doesn’t seem to work and I am not sure what I am missing. Any ideas as to why this isn’t working?
Any help would be greatly appreciated.
Thanks all,
I am going to redo this install on a different server. I’ll get that up and running and let you know. BRB
Try moving your restrictive rules to higher priorities, possibly the first ones.
Chances are you have other rules with higher priorities that are allowing the packets to go through.
Regards
@ppalias wrote:
What is the output of the command
iptables -L -vran on a shell?
Hey ppalias,
I got the system configured on a new server, the server we plan on going into production with. I got my DHCP Pools and VLAN’s set up. On question though, even before I worrie about firewall filtering, how do I make certain VLAN’s not NAT?
For example, VLAN 20, 30 and 70 need to be NAT’d, but VLAN 74 does not need to NAT’d. We have a /22 which is a direct allocation from ARIN and we do not need VLAN74 NAT’d.
Can you help me with this configuration?
@ppalias wrote:
Check my latter posts in this forum, another friend asked the same thing as you did.
Aw. So would it look something like this?
eth0 – 123.45.678
Eth1 – 10.0.0.1/24 (NAT’d with eth0)
eth1 (vlan74) 192.168.1.1/24iptables -t nat -I 1 POSTROUTING –src 192.168.1.0/24 -o eth1-74 -j MASQUERADE
Nope, not that. You don’t want to NAT vlan 74, so you will create rules for the rest of the networks.
@ppalias wrote:
Nope, not that. You don’t want to NAT vlan 74, so you will create rules for the rest of the networks.
I am assuming I want to put those commands into the scripting. Where do I want this script to run? Pre-Boot?
I put these commands in the “Pre-Boot” section of the script Editor.
iptables -t nat -l 1 POSTROUTING –src 172.30.0.0/16 -o eth1 vlan 20 -j MASQUERADE
iptables -t nat -l 2 POSTROUTING –src 192.168.1.0/24 -o eth1 vlan 30 -j MASQUERADE
iptables -t nat -l 3 POSTROUTING –src 152.93.0.0/16 -o eth1 vlan 70 -j MASQUERADEWe are getting the follow errors with the above commands.
iptables v1.4.0: Unknown arg _-l’
Try _iptables -h’ or ‘iptables –help’ for more information.
iptables v1.4.0: Unknown arg _-l’
Try _iptables -h’ or ‘iptables –help’ for more information.
iptables v1.4.0: Unknown arg _-l’
Try _iptables -h’ or ‘iptables –help’ for more information.[Pre Boot]: ERROR (2)
Thoughts?
This letter is a capital “i” not small “L”
Also the number should be after the chain, not before it, my wrong. You should also fix the interface and remove the “vlan 20”,
Eventually the command should look like that:iptables -t nat -I POSTROUTING 1 --src 172.30.0.0/16 -o eth1.20 -j MASQUERADE@ppalias wrote:
This letter is a capital “i” not small “L”
Also the number should be after the chain, not before it, my wrong. You should also fix the interface and remove the “vlan 20”,
Eventually the command should look like that:iptables -t nat -I POSTROUTING 1 --src 172.30.0.0/16 -o eth1.20 -j MASQUERADEAw, gotcha. Is this comman something that is run from the shell?
@ppalias wrote:
Yes you have to enter it in the shell, or in the pre-boot script.
Any pros or cons to doing it in the shell VS the pre-boot script?
Running from the shell will make it effective just until next reboot, adding it to the preboot scripts will make it to be run automatically on every reboot.
Chances are you’ll want to do both, on the shell to have the changes to take effect immediately and in the pre-boot scripts so that when you reboot they get executed again…
- You must be logged in to reply to this topic.