LinuxQuestions.org
Old 06-24-2004, 12:16 PM   #1
zeroGsa
LQ Newbie
 
Registered: Jun 2004
Posts: 14

Rep: Reputation: 0
IP Forwarding/Routing not working in Fedora 2


I just upgraded my RedHat 9 server with a clean installation of Fedora Core 2. This machine acts as a gateway to the other computers in my house but is no longer routing traffic since the upgrade. Here's what I've checked so far:

I have "net.ipv4.ip_forward = 1" set in /etc/sysctl.conf.
echo 1 > /proc/sys/net/ipv4/ip_forward
ipt_MASQUERADE module is loaded
I've tried this with iptables off

Here's my current /etc/sysconfig/iptables:

*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -i eth0 -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp --icmp-type any -j ACCEPT
-A RH-Firewall-1-INPUT -p 50 -j ACCEPT
-A RH-Firewall-1-INPUT -p 51 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 443 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 25 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT

eth0 is my trusted interface, eth1 is the one hooked up to the Internet. I can get out from my Fedora box, I can ssh into it from a remote computer but hosts on my internal network can not get out. Pinging from an internal host resolves the name but the ping never makes it out.

Any help is greatly appreciated!
 
Old 06-24-2004, 02:07 PM   #2
b0uncer
LQ Guru
 
Registered: Aug 2003
Distribution: CentOS, OS X
Posts: 5,131

Rep: Reputation: Disabled
umm I think you need to add the actual masquerading to the iptables rules...something like this could do:

/sbin/iptables --table nat --append POSTROUTING --out-interface eth1 -j MASQUERADE
/sbin/iptables --append FORWARD --in-interface eth0 -j ACCEPT

try that out
 
Old 06-24-2004, 02:20 PM   #3
zeroGsa
LQ Newbie
 
Registered: Jun 2004
Posts: 14

Original Poster
Rep: Reputation: 0
Yeah, I tried that before (and again right now) and it didn't work :-( It worked fine in RH9. I can't help but think I'm missing something stupid. Here's the output of "iptables -L"
------------------------------------------
Chain INPUT (policy ACCEPT)
target prot opt source destination
RH-Firewall-1-INPUT all -- anywhere anywhere

Chain FORWARD (policy ACCEPT)
target prot opt source destination
RH-Firewall-1-INPUT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere

Chain OUTPUT (policy ACCEPT)
target prot opt source destination

Chain RH-Firewall-1-INPUT (2 references)
target prot opt source destination
ACCEPT udp -- 127.127.1.0 anywhere udp spt:ntp dpt:ntp
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
ACCEPT icmp -- anywhere anywhere icmp any
ACCEPT ipv6-crypt-- anywhere anywhere
ACCEPT ipv6-auth-- anywhere anywhere
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:http
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:https
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:ssh
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:smtp
REJECT all -- anywhere anywhere reject-with icmp-host-prohibited
------------------------------------------

It looks like it should be forwarding all input... I have no idea where to go from here.
 
Old 06-24-2004, 03:19 PM   #4
b0uncer
LQ Guru
 
Registered: Aug 2003
Distribution: CentOS, OS X
Posts: 5,131

Rep: Reputation: Disabled
hmm...odd. mine worked like a magic, when I first set up the ethernet so I could ping others and then just set the masquerade- and forward-iptables-rules..and of course set the /proc/sys/net/ipv4/ip_forward to 1.

I really can't imagine a solution now..I'll post here if I get an idea. so the pings don't work either?
 
Old 06-24-2004, 03:53 PM   #5
zeroGsa
LQ Newbie
 
Registered: Jun 2004
Posts: 14

Original Poster
Rep: Reputation: 0
Pings work from my linux box itself but not from any other hosts on my network (using it as a gateway). Do I need to add the lines you recommended from a specific location in my /etc/sysconfig/iptables?

I'm really at a loss here. Don't know where else to turn :-)
 
Old 06-24-2004, 09:40 PM   #6
ppuru
Senior Member
 
Registered: Mar 2003
Location: Beautiful BC
Distribution: RedHat & clones, Slackware, SuSE, OpenBSD
Posts: 1,791

Rep: Reputation: 50
I think you need to add the MASQUERADE rule too.
Quote:

/sbin/iptables --table nat --append POSTROUTING --out-interface <the external interface> -j MASQUERADE
#iptables -nvL

would give a more detailed output.
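
Added example, not part of any post in this thread: a Python check of an iptables-save style file for the two things posts #2 and #6 ask for, a MASQUERADE rule in the nat table's POSTROUTING chain and a FORWARD path that does not reject the trusted interface. The function names and the trimmed sample ruleset are assumptions made for the example; it reads only the short option forms that iptables-save writes.

```python
import shlex

# Constructed input: trimmed filter table from post #1, with and without a nat table.
FILTER_ONLY = """*filter
:FORWARD ACCEPT [0:0]
-A FORWARD -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i eth0 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
"""
WITH_NAT = FILTER_ONLY + "*nat\n-A POSTROUTING -o eth1 -j MASQUERADE\nCOMMIT\n"

def parse(text):
    """Map (table, chain) -> [(match_tokens, target)] in file order."""
    rules, table = {}, None
    for line in text.splitlines():
        tok = shlex.split(line)
        if line.startswith("*"):
            table = line[1:].strip()
        elif tok[:1] == ["-A"] and "-j" in tok[:-1]:   # iptables-save uses short options
            j = tok.index("-j")
            rules.setdefault((table, tok[1]), []).append((tok[2:j], tok[j + 1]))
    return rules

def first_verdict(rules, chain, iface):
    """First verdict that applies to every packet arriving on iface, else None."""
    for match, target in rules.get(("filter", chain), []):
        if match not in ([], ["-i", iface]):
            continue                      # conditional rule: may not match
        if target in ("ACCEPT", "DROP", "REJECT"):
            return target
        if target == "RETURN":
            return None
        verdict = first_verdict(rules, target, iface)   # user-defined chain
        if verdict:
            return verdict
    return None                           # nothing decisive: chain policy applies

def audit_gateway(text, internal, external):
    """Findings that would stop hosts behind `internal` being NATed out `external`."""
    rules, findings = parse(text), []
    nat = rules.get(("nat", "POSTROUTING"), [])
    if not any(t == "MASQUERADE" and ("-o", external) in zip(m, m[1:]) for m, t in nat):
        findings.append("nat/POSTROUTING: no MASQUERADE on " + external)
    verdict = first_verdict(rules, "FORWARD", internal)
    if verdict in ("DROP", "REJECT"):
        findings.append("filter/FORWARD: traffic from %s hits %s" % (internal, verdict))
    return findings
```

Calling `audit_gateway(FILTER_ONLY, "eth0", "eth1")` reports only the missing nat rule, and swapping the interface roles shows the REJECT that an untrusted interface would hit in the shared chain.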
 
Old 06-25-2004, 04:26 AM   #7
zeroGsa
LQ Newbie
 
Registered: Jun 2004
Posts: 14

Original Poster
Rep: Reputation: 0
Well, I'm almost embarrassed to admit it. I knew it would be something stupid! I upgraded the firmware on two of my routers last week. Apparently this turned DHCP back on (both of them, Linksys AND Netgear) and they were feeding incorrect information to my clients. Once I turned them both back off, my clients picked up the correct information from my "real" DHCP server and were able to find their gateway :-)

Interesting though... my dhcpd.leases is empty....

Thanks everyone!!

Just goes to show you, sometimes you _have_ to ask the obvious questions (is the power on?!) :-P
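
Added example, not part of the post above: the failure described there (extra DHCP servers handing clients the wrong gateway) can be spotted by parsing DHCP replies and comparing the server identifier (option 54) with the one server that is supposed to answer. The addresses, the function names and the sample payloads are constructed for the example.

```python
import socket
import struct

MAGIC = b"\x63\x82\x53\x63"   # DHCP magic cookie that follows the 236-byte BOOTP header

def build_offer(server, router, yiaddr):
    """Constructed sample data: a minimal DHCPOFFER payload (op=2, options 53/54/3)."""
    hdr = struct.pack("!BBBBIHH4s4s4s4s16s64s128s", 2, 1, 6, 0, 0x1234, 0, 0, bytes(4),
                      socket.inet_aton(yiaddr), socket.inet_aton(server), bytes(4),
                      bytes(16), b"", b"")
    opts = (b"\x35\x01\x02" + b"\x36\x04" + socket.inet_aton(server)
            + b"\x03\x04" + socket.inet_aton(router) + b"\xff")
    return hdr + MAGIC + opts

def parse_reply(payload):
    """Return message type, server identifier, router and offered address, or None."""
    if len(payload) < 240 or payload[236:240] != MAGIC:
        return None
    opts, i = {}, 240
    while i < len(payload) and payload[i] != 255:       # 255 = end option
        if payload[i] == 0:                             # pad option has no length byte
            i += 1
            continue
        if i + 1 >= len(payload):
            break                                       # truncated option
        length = payload[i + 1]
        opts[payload[i]] = payload[i + 2:i + 2 + length]
        i += 2 + length
    ip = lambda b: socket.inet_ntoa(b[:4]) if b and len(b) >= 4 else None
    return {"type": (opts.get(53) or b"\0")[0], "server": ip(opts.get(54)),
            "router": ip(opts.get(3)), "yiaddr": socket.inet_ntoa(payload[16:20])}

def unexpected_offers(payloads, authorized):
    """(server, router, yiaddr) for each DHCPOFFER whose server id is not authorized."""
    found = []
    for p in payloads:
        r = parse_reply(p)
        if r and r["type"] == 2 and r["server"] not in authorized:
            found.append((r["server"], r["router"], r["yiaddr"]))
    return found

# Constructed capture: the intended server plus two consumer routers answering too.
CAPTURE = [build_offer("192.168.0.1", "192.168.0.1", "192.168.0.50"),
           build_offer("192.168.0.2", "192.168.0.2", "192.168.0.100"),
           build_offer("192.168.0.3", "192.168.0.3", "192.168.0.101")]

if __name__ == "__main__":
    for server, router, addr in unexpected_offers(CAPTURE, {"192.168.0.1"}):
        print("unexpected DHCP server %s offers %s with gateway %s" % (server, addr, router))
```

On a live network the inputs would be the UDP payloads of replies sent to client port 68; the router value (option 3) shows which gateway each unexpected server is pushing to clients.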
 
Old 06-26-2004, 04:16 AM   #8
b0uncer
LQ Guru
 
Registered: Aug 2003
Distribution: CentOS, OS X
Posts: 5,131

Rep: Reputation: Disabled
heh - well, good you got it working
 
  

