<div dir="ltr">I reworked the network setup to use the new IPADDR0, IPADDR1, IPADDR2
format for VIPs. I even let NetworkManager run things. No changes. The
internal 192.168.1.12 address is not reachable from the outside over
its external IP, nor can it reach the outside. Everything else is
SNAT'ed/DNAT'ed just fine.<br><div><br><pre>
iptables -L -n -t nat
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination
DNAT       all  --  0.0.0.0/0            13.160.95.6          to:192.168.1.12

Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination
SNAT       all  --  192.168.1.12         0.0.0.0/0            to:13.160.95.6

iptables -L -n
Chain INPUT (policy DROP)
target     prot opt source               destination
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
ACCEPT     all  --  0.0.0.0/0            127.0.0.0/24
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0            udp dpt:500
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:22
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0            udp dpt:4500
ACCEPT     esp  --  0.0.0.0/0            0.0.0.0/0
ACCEPT     ah   --  0.0.0.0/0            0.0.0.0/0
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0            policy match dir in pol ipsec udp dpt:1701
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:80

Chain FORWARD (policy DROP)
target     prot opt source               destination
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
ACCEPT     tcp  --  0.0.0.0/0            192.168.1.12         tcp dpt:22
ACCEPT     tcp  --  0.0.0.0/0            192.168.1.12         tcp dpt:80
ACCEPT     all  --  192.168.1.0/24       0.0.0.0/0

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
</pre></div></div><div class="gmail_extra"><br><div class="gmail_quote">On Mon, Feb 16, 2015 at 8:51 AM, Jim Kinney <span dir="ltr"><<a href="mailto:jim.kinney@gmail.com" target="_blank">jim.kinney@gmail.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><p dir="ltr">I'm on my phone at the moment. I'll get on a keyboard and pull data shortly.</p>
<p dir="ltr">It does show rules, so it's running. I'll include the setup rules for clarity.</p>
<p dir="ltr">Oh. NetworkManager is not controlling the process at all. In RHEL7 it's supposed to be able to do many, many things that could only be done with manual tricks. But the new process is far more complicated than doing it manually for the simple setup I have.</p><div class="HOEnZb"><div class="h5">
<div class="gmail_quote">On Feb 16, 2015 8:42 AM, "Alex Carver" <<a href="mailto:agcarver%2Bale@acarver.net" target="_blank">agcarver+ale@acarver.net</a>> wrote:<br type="attribution"><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">What are the current rules as listed by iptables -n -L and iptables -n<br>
-L -t nat?<br>
<br>
On 2015-02-16 05:35, Jim Kinney wrote:<br>
> I've got a firewall/router running centos 7. I've disabled firewalld and<br>
> enabled iptables instead while I learn the new firewalld.<br>
><br>
> The box has a WAN nic with 3 IPs. One for itself and the other 2 for other<br>
> systems. I'm using nat and have pre and post routing rules to do the<br>
> translation.<br>
><br>
> Now for the weirdness.<br>
><br>
> One works and the other doesn't.<br>
><br>
> The rules are identical except for IPs. The rest of the LAN is simply nat<br>
> translated outbound. They all work. One server, the :2 on the nic can't get<br>
> outside at all if one the static translate. The :1 machine is fine.<br>
><br>
> Doing a tcpdump shows ping to WAN gateway going out and returning to<br>
> outside nic but it then gets lost in the redirect.<br>
><br>
> There are explicit forward rules for needed ports but I opened it to all<br>
> ports for the troubled machine.<br>
><br>
> It's a new machine that passed a full memtest+ run.<br>
><br>
> I'm stumped.<br>
><br>
><br>
><br>
> _______________________________________________<br>
> Ale mailing list<br>
> <a href="mailto:Ale@ale.org" target="_blank">Ale@ale.org</a><br>
> <a href="http://mail.ale.org/mailman/listinfo/ale" target="_blank">http://mail.ale.org/mailman/listinfo/ale</a><br>
> See JOBS, ANNOUNCE and SCHOOLS lists at<br>
> <a href="http://mail.ale.org/mailman/listinfo" target="_blank">http://mail.ale.org/mailman/listinfo</a><br>
><br>
<br>
</blockquote></div>
</div></div></blockquote></div><br><br clear="all"><br>-- <br><div class="gmail_signature"><div dir="ltr">-- <br>James P. Kinney III<br><i><i><i><i><br></i></i></i></i>Every time you stop a school, you will have to build a jail. What you
gain at one end you lose at the other. It's like feeding a dog on his
own tail. It won't fatten the dog.<br>
- Speech 11/23/1900 Mark Twain<br><i><i><i><i><br><a href="http://heretothereideas.blogspot.com/" target="_blank">http://heretothereideas.blogspot.com/</a><br></i></i></i></i></div></div>
</div>
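<p>Added example, not from the thread or from anyone posting in it. It does two things a reader of the ruleset above would want: it audits an <code>iptables -L -n</code> dump for catch-all ACCEPT rules (all protocols, any source, any destination, no further match) that make every later rule and the chain's DROP policy unreachable, and it prints an interface-bound rule set for one static 1:1 NAT mapping. The sample dump is constructed from the posted filter-table output (trimmed to a few rules per chain); the interface names eth0 (WAN) and eth1 (LAN) are assumptions; the addresses are the ones in the thread.</p>

```shell
#!/bin/sh
# Added example, not from the thread. Two helpers for the situation above:
# one audits an `iptables -L -n` dump for catch-all ACCEPT rules that make a
# chain's DROP policy unreachable, the other prints an interface-bound rule
# set for one 1:1 NAT mapping. Interface names eth0 (WAN) and eth1 (LAN) are
# assumptions; the addresses are the ones posted in the thread.

# Constructed sample: the filter-table chains from the posted dump, trimmed.
SAMPLE_DUMP='Chain INPUT (policy DROP)
target     prot opt source               destination
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
ACCEPT     all  --  0.0.0.0/0            127.0.0.0/24
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:22

Chain FORWARD (policy DROP)
target     prot opt source               destination
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
ACCEPT     tcp  --  0.0.0.0/0            192.168.1.12         tcp dpt:22

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination'

# Print "CHAIN N" for every rule N that is ACCEPT / all protocols / any
# source / any destination with no further match (nothing after column 5).
# Such a rule matches every packet: later rules in that chain and the chain
# policy never see traffic, so a "policy DROP" chain is effectively ACCEPT.
find_catchall_accepts() {
    printf '%s\n' "$1" | awk '
        /^Chain /            { chain = $2; n = 0; next }
        /^target / || /^$/   { next }
        {
            n++
            if ($1 == "ACCEPT" && $2 == "all" &&
                $4 == "0.0.0.0/0" && $5 == "0.0.0.0/0" && NF == 5)
                print chain, n
        }'
}

count_catchall_accepts() {
    find_catchall_accepts "$1" | wc -l | tr -d ' '
}

# Emit the rules for one static 1:1 NAT mapping (public address <-> inside
# host), bound to interfaces so they cannot match on the wrong side. Only
# ports 22 and 80 are opened inbound, as in the posted FORWARD chain. Nothing
# is applied here; review the output, then pipe it to sh as root.
one_to_one_nat_rules() {
    wan=$1; lan=$2; pub=$3; inside=$4
    cat <<EOF
iptables -t nat -A PREROUTING  -i $wan -d $pub -j DNAT --to-destination $inside
iptables -t nat -A POSTROUTING -o $wan -s $inside -j SNAT --to-source $pub
iptables -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -i $wan -o $lan -d $inside -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
iptables -A FORWARD -i $wan -o $lan -d $inside -p tcp --dport 80 -m conntrack --ctstate NEW -j ACCEPT
iptables -A FORWARD -i $lan -o $wan -s $inside -j ACCEPT
EOF
}

# Stand-alone run: audit the sample, then show the rules for the posted mapping.
echo "catch-all ACCEPT rules (chain rule#):"
find_catchall_accepts "$SAMPLE_DUMP"
echo
one_to_one_nat_rules eth0 eth1 13.160.95.6 192.168.1.12
```

<p>Run against a live box with <code>find_catchall_accepts "$(iptables -L -n)"</code>. On the sample it reports rule 1 of INPUT and rule 1 of FORWARD; everything listed after those rules, including the port 22 and 80 restrictions on 192.168.1.12, is never consulted. The DNAT rule in the generated set matches on the public address before translation, and the FORWARD rules match on the inside address because forwarding runs after PREROUTING has rewritten the destination.</p>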