[clug] Firewall rules for CentOS 4.4

Christopher Zhang u4123459 at anu.edu.au
Sat Mar 10 09:19:00 GMT 2007

Suppose you have eth0: , gateway
                 eth1: , gateway

and suppose you use CentOS as your gateway/router, so it will have
two addresses, and

A machine connected to eth0 with a address won't be  
able to talk to the NFS server (assuming your NFS server is in subnet). This is because for a 'fake' 
(physically connected to eth0) to access outside its own subnet it  
needs to go through gateway whereas cannot  
be reached as it is on eth1.

In other words, as long as a machine is connected to eth0, it has to  
go through before it reaches other subnets.

I think your iptables rules can do what you want, but it may not be  

Or just a thought, maybe you can ask your router to do this: iptables -t nat -A POSTROUTING -o eth0 -s -j SNAT --to . This is to change the source address of the outgoing
traffic through eth0 to if the source address is .

I have a whole bunch of assumptions but I hope the way you set up your
network doesn't deviate too much from them.


On 10/03/2007, at 6:10 PM, Ben wrote:

> I have a CentOS 4.4 box with:
> eth0: 192.168.1.x subnet:
> eth1: 192.168.2.x subnet:
> I'm using NFS and restricting access by port range and I want
> to have access to stuff that doesn't.
> I thought that by having separate NICs on separate networks, each with
> their own subnet would address this issue, but if someone sets up a
> 192.168.2.x address on the same network as eth0 (and anyone could do
> this), I was told there might be a possibility of them doing something
> to the NFS share intended for the subnet.
> I want to create an iptables rule that drops any packets coming in
> through eth0 that have anything to do with just to be
> on the safe side.
> After reading the man pages I've come up with the following, to be put
> at the top of the rules in /etc/sys-config/iptables (just before the
> other rules starting with "-A RH-Firewall-1")
> -A RH-Firewall-1-INPUT -i eth0 -s -j DROP
> -A RH-Firewall-1-INPUT -i eth0 -d -j DROP
> Will this do what I want?
> -- 
> linux mailing list
> linux at lists.samba.org
> https://lists.samba.org/mailman/listinfo/linux
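The two DROP rules Ben proposes, written out with concrete subnets and checked against sample packets. This is an added example, not code from either poster; it assumes eth0 serves 192.168.1.0/24 and eth1 serves 192.168.2.0/24 (the x-subnets in Ben's message), and the function names are its own.

```shell
#!/bin/sh
# Added example, not from the thread. Assumes eth0 = 192.168.1.0/24 and
# eth1 = 192.168.2.0/24 as in Ben's post; change ETH1_NET to match your LAN.
ETH1_NET=192.168.2.0/24

# Dotted-quad IPv4 address -> 32-bit integer, using only POSIX sh arithmetic.
ip2int() {
    IFS=. read -r a b c d <<EOF
$1
EOF
    echo $(( (a << 24) | (b << 16) | (c << 8) | d ))
}

# Succeeds when address $1 lies inside the CIDR block $2 (e.g. 192.168.2.0/24).
in_cidr() {
    net=${2%/*}; bits=${2#*/}
    mask=$(( (0xFFFFFFFF << (32 - bits)) & 0xFFFFFFFF ))
    [ $(( $(ip2int "$1") & mask )) -eq $(( $(ip2int "$net") & mask )) ]
}

# Emit the two anti-spoofing rules in /etc/sysconfig/iptables syntax. They go
# above the existing "-A RH-Firewall-1-INPUT ..." lines so they match first.
# Check that your FORWARD chain also jumps to this chain (the stock Red Hat
# ruleset does); if it does not, also emit "antispoof_rules FORWARD".
antispoof_rules() {
    chain=${1:-RH-Firewall-1-INPUT}
    printf '%s -i eth0 -s %s -j DROP\n' "-A $chain" "$ETH1_NET"
    printf '%s -i eth0 -d %s -j DROP\n' "-A $chain" "$ETH1_NET"
}

# What those two rules decide for a packet (iface src dst): DROP, or PASS,
# meaning the packet falls through to the rules that follow.
antispoof_verdict() {
    if [ "$1" = eth0 ] && { in_cidr "$2" "$ETH1_NET" || in_cidr "$3" "$ETH1_NET"; }; then
        echo DROP
    else
        echo PASS
    fi
}

antispoof_rules
# Constructed sample packets: a spoofed 192.168.2.x source on eth0, a normal
# eth0 host, an eth0 host aiming at the gateway's own eth1 address, eth1 traffic.
for pkt in "eth0 192.168.2.7 192.168.1.1" "eth0 192.168.1.5 192.168.1.1" \
           "eth0 192.168.1.5 192.168.2.1" "eth1 192.168.2.7 192.168.2.1"; do
    set -- $pkt
    echo "$1 $2 -> $3: $(antispoof_verdict "$1" "$2" "$3")"
done
```

Note that the `-d` rule also drops eth0 traffic addressed to the gateway's own eth1 address, which is the intended effect if the NFS export is only meant to be reached from the eth1 side.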
