LinuxQuestions.org
Old 07-09-2015, 05:04 PM   #1
ep7network0819
Member
 
Registered: May 2015
Posts: 31

Rep: Reputation: Disabled
LAN clients have no Internet access!!


I’ve been trying to solve this problem for a long time now, but I have not been successful.
After a minimal install of CentOS 6.6 on my server, I’ve configured it as a DHCP server. Eth0 is set up as DHCP, and eth1 is set up with a static IP. Eth0 receives an IP address from my Internet router; eth1 is directly wired to a LAN switch. I have Internet on the server, but not on my LAN.
I have configured eth1 to be a trusted device as well as a MASQUERADE device. I can successfully ping all Windows clients, and Windows clients can ping the server. I also changed net.ipv4.ip_forward = 0 to net.ipv4.ip_forward = 1. I’ve set SELinux to disabled and still no luck.
My Windows clients are wired to my LAN switch and all Windows clients get an IP address, but they do not have Internet access.

Here is my dhcpd.conf:
#
ddns-update-style interim;
subnet 172.16.1.0 netmask 255.255.255.0 {
option routers 172.16.1.1;
option subnet-mask 255.255.255.0;
option domain-name "cseproject.net";
option domain-name-servers 192.168.1.254,8.8.8.8,8.8.4.4;
option time-offset -25200; # Pacific Daylight Time
range 172.16.1.120 172.16.1.144;
default-lease-time 21600;
max-lease-time 43200;
}

What should I do?
 
Old 07-09-2015, 08:18 PM   #2
berndbausch
LQ Addict
 
Registered: Nov 2013
Location: Tokyo
Distribution: Mostly Ubuntu and Centos
Posts: 6,316

Rep: Reputation: 2002
Do you actually forward traffic from eth1 to eth0? You mention MASQUERADE, but still...
Do the windows clients have the correct routing table?
Anything in the log file on the server (/var/log/messages, usually)?
The router's log?

If you don't see anything obvious, do some network tracing. Wireshark is rather easy to operate, both on Windows and Linux. You also have the lighter-weight tcpdump on Linux. It's fun and instructive, too. Check DHCP traffic on eth1. If it looks ok, check packets that the clients want to send to the internet, on both eth0 and eth1. Perhaps your CentOS server is correctly configured, but your router doesn't like the client packets for some reason.
 
Old 07-10-2015, 06:05 PM   #3
ep7network0819
Member
 
Registered: May 2015
Posts: 31

Original Poster
Rep: Reputation: Disabled
I'm only using two network interface cards. The first network interface card (NIC), eth0, will be connected to the external network with the dynamic IP addressing method (DHCP). The external DHCP server will assign an IP address for eth0. Network interface card eth1 will be connected with the static IP addressing method. The IP address 172.16.1.1 will be assigned to eth1 with a 255.255.255.0 subnet mask. The static IP address will be the gateway for the subnet.

Linux kernel has IP forwarding feature built in. The IP forwarding feature has Internet routing algorithm that determines which route a packet should be sent.

Firewall will be configured to allow IP forwarding and the network interface card eth1, and will be trusted and masqueraded.

The router will provide DHCP service to the internal networks (eth1), even though the router is itself a DHCP client (eth0). All the servers will use static IP addresses, but all other workstations will be DHCP clients that configure network settings from the DHCP server.
 
Old 07-10-2015, 06:44 PM   #4
shahz
Member
 
Registered: Sep 2006
Location: Quetta, Pakistan
Distribution: RHEL, Ubuntu, Fedora
Posts: 368

Rep: Reputation: 29
Try to check the domain name of your ISP or the first Google DNS name server on your DHCP server.

Last edited by shahz; 07-10-2015 at 06:54 PM.
 
Old 07-10-2015, 07:42 PM   #5
michaelk
Moderator
 
Registered: Aug 2002
Posts: 25,700

Rep: Reputation: 5895
Even though the kernel is configured to forward packets, and since you did not post your complete rule set, I would guess the firewall is not.
Quote:
Firewall will be configured to allow IP forwarding
Does that mean it isn't yet?
 
Old 07-10-2015, 11:59 PM   #6
berndbausch
LQ Addict
 
Registered: Nov 2013
Location: Tokyo
Distribution: Mostly Ubuntu and Centos
Posts: 6,316

Rep: Reputation: 2002
Quote:
Originally Posted by berndbausch View Post
Do you actually forward traffic from eth1 to eth0? You mention MASQUERADE, but still...
Do the windows clients have the correct routing table?
Anything in the log file on the server (/var/log/messages, usually)?
The router's log?

If you don't see anything obvious, do some network tracing. Wireshark is rather easy to operate, both on Windows and Linux. You also have the lighter-weight tcpdump on Linux. It's fun and instructive, too. Check DHCP traffic on eth1. If it looks ok, check packets that the clients want to send to the internet, on both eth0 and eth1. Perhaps your CentOS server is correctly configured, but your router doesn't like the client packets for some reason.
One more: You can add logging rules to your netfilter ruleset. I.e. rules with a "-j LOG". Log those packets you are supposed to forward.
 
Old 07-12-2015, 10:55 AM   #7
ep7network0819
Member
 
Registered: May 2015
Posts: 31

Original Poster
Rep: Reputation: Disabled
Hi michaelk,
Here's my /etc/sysconfig/iptables:
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [5:380]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A INPUT -p udp -m udp --dport 53 -j ACCEPT
-A OUTPUT -p udp -m udp --sport 53 -j ACCEPT
-A INPUT -i eth0 -j ACCEPT
-A INPUT -i eth1 -p tcp -m tcp --dport 80 -j ACCEPT
-A FORWARD -i eth0 -o eth1 -j ACCEPT
COMMIT

Also I ran a cat /var/log/messages as berndbausch suggested and I received this:
Jan 19 15:08:29 hadrian dhcpd: to which interface eth0 is attached. **
Jan 19 15:08:29 hadrian dhcpd:
Jan 19 15:08:29 hadrian dhcpd: Sending on Socket/fallback/fallback-net
Jan 19 15:08:30 hadrian abrtd: Init complete, entering main loop
Jan 19 15:09:58 hadrian dhcpd: DHCPREQUEST for 172.16.1.171 from f0:de:f1:7e:90:18 (edgarWorkstatio) via eth1
Jan 19 15:09:58 hadrian dhcpd: DHCPACK on 172.16.1.171 to f0:de:f1:7e:90:18 (edgarWorkstatio) via eth1
Jan 19 15:10:02 hadrian dhcpd: DHCPINFORM from 172.16.1.171 via eth1
Jan 19 15:10:02 hadrian dhcpd: DHCPACK to 172.16.1.171 (f0:de:f1:7e:90:18) via eth1
Jan 19 15:13:13 hadrian dhcpd: DHCPREQUEST for 172.16.1.171 from f0:de:f1:7e:90:18 (edgarWorkstatio) via eth1
Jan 19 15:13:13 hadrian dhcpd: DHCPACK on 172.16.1.171 to f0:de:f1:7e:90:18 (edgarWorkstatio) via eth1
Jan 19 15:13:17 hadrian dhcpd: DHCPINFORM from 172.16.1.171 via eth1
Jan 19 15:13:17 hadrian dhcpd: DHCPACK to 172.16.1.171 (f0:de:f1:7e:90:18) via eth1
Jan 19 15:14:44 hadrian dhcpd: DHCPINFORM from 172.16.1.171 via eth1
Jan 19 15:14:44 hadrian dhcpd: DHCPACK to 172.16.1.171 (f0:de:f1:7e:90:18) via e

I'm still working on this issue. Also, Windows clients cannot ping my Internet router. They can ping eth0 and eth1, but not the ISP router.
 
Old 07-12-2015, 07:23 PM   #8
berndbausch
LQ Addict
 
Registered: Nov 2013
Location: Tokyo
Distribution: Mostly Ubuntu and Centos
Posts: 6,316

Rep: Reputation: 2002
Quote:
-A FORWARD -i eth0 -o eth1 -j ACCEPT
You are forwarding from eth0 to eth1, but if I understand you right, your Windows clients are connected to eth1 and the router to eth0. Shouldn't the forward be the other way around? Or both ways?

Also you talk about Masquerading but I don't see any such rules.
 
Old 07-12-2015, 10:07 PM   #9
ep7network0819
Member
 
Registered: May 2015
Posts: 31

Original Poster
Rep: Reputation: Disabled
Yes, that's correct. Windows clients are connected to eth1, and my Internet router is wired to eth0.
You mention that the forwarding should be the other way around. I'll test forwarding from eth1 to eth0.


I re-applied the Masquerading settings and Windows clients continue to fail to access the Internet.
Here's my updated iptables with forwarding from eth1 to eth0:
*nat
:PREROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -o eth1 -j MASQUERADE
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -i eth1 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -p icmp -j ACCEPT
-A FORWARD -i lo -j ACCEPT
-A FORWARD -i eth1 -j ACCEPT
-A FORWARD -o eth1 -j ACCEPT
-A FORWARD -i eth1 -o eth0 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
 
Old 07-12-2015, 10:50 PM   #10
berndbausch
LQ Addict
 
Registered: Nov 2013
Location: Tokyo
Distribution: Mostly Ubuntu and Centos
Posts: 6,316

Rep: Reputation: 2002
Quote:
Originally Posted by ep7network0819 View Post
Yes, that's correct. Windows clients are connected to eth1, and my Internet router is wired to eth0.
You mention that the forwarding should be the other way around. I'll test forwarding from eth1 to eth0.


I re-applied the Masquerading settings and Windows clients continue to fail to access the Internet.
Here's my updated iptables with forwarding from eth1 to eth0:
*nat
:PREROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -o eth1 -j MASQUERADE
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -i eth1 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -p icmp -j ACCEPT
-A FORWARD -i lo -j ACCEPT
-A FORWARD -i eth1 -j ACCEPT
-A FORWARD -o eth1 -j ACCEPT
-A FORWARD -i eth1 -o eth0 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
Admittedly I am just an apprentice wizard as far as iptables is concerned, so don't base your work only on what I am saying. However:
  • If your router is connected to eth0, it doesn't seem correct that you are masquerading packets going out on eth1. eth0 seems more logical to me.
  • On second thought (or look), your FORWARD rules don't look like they would work. Back to the drawing board I suppose, and find a good tutorial about setting up forwarding.
    E.g. here on Linuxquestions: http://www.linuxquestions.org/questi...routing-56453/
My other suggestion, tracing the packets from your windows client on eth0 and eth1, stands. I assume that your routing rules are wrong and nothing is forwarded in this server.
 
Old 07-12-2015, 10:56 PM   #11
michaelk
Moderator
 
Registered: Aug 2002
Posts: 25,700

Rep: Reputation: 5895
The postrouting masquerade rule should be your external interface.
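
Added example, not part of the thread or any poster's own code: a small lint for an iptables-save ruleset that checks the two points raised in the replies above, namely that MASQUERADE sits on the external interface and that new LAN-to-WAN traffic reaches an ACCEPT in FORWARD. The function names and finding labels are constructed here, the sample is abridged from post #9, and eth0 (external) / eth1 (LAN) follow the thread's layout.

```shell
#!/bin/sh
# Added example: lint an iptables-save ruleset read on stdin for a NAT gateway.
# $1 = external (WAN) interface, $2 = internal (LAN) interface.
# Typical use: check_nat_gateway eth0 eth1 < /etc/sysconfig/iptables
check_nat_gateway() {
    awk -v wan="$1" -v lan="$2" '
    function opt(name,   i) {            # value that follows option "name"
        for (i = 1; i < NF; i++) if ($i == name) return $(i + 1)
        return ""
    }
    BEGIN { policy = "ACCEPT" }          # kernel default when no policy line
    /^\*/ { table = substr($1, 2); next }
    table == "filter" && $1 == ":FORWARD" { policy = $2; next }
    $1 != "-A" { next }
    table == "nat" && $2 == "POSTROUTING" && opt("-j") == "MASQUERADE" {
        if (opt("-o") == wan) masq = 1
        else print "MASQ_WRONG_IF " opt("-o")
    }
    # The first FORWARD rule with no -p/-m/-s/-d restriction that covers
    # LAN to WAN decides what happens to new connections from the clients.
    table == "filter" && $2 == "FORWARD" && verdict == "" && $0 !~ / -[pmsd] / {
        fin = opt("-i"); fout = opt("-o")
        if ((fin == "" || fin == lan) && (fout == "" || fout == wan))
            verdict = opt("-j")
    }
    END {
        if (!masq) print "NO_MASQ_ON_WAN " wan
        if (verdict == "") verdict = policy
        if (verdict != "ACCEPT") print "FORWARD_BLOCKED " lan "->" wan
    }'
}
# Abridged from the ruleset in post #9 (rule order preserved).
ruleset_posted() {
    cat <<'EOF'
*nat
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -o eth1 -j MASQUERADE
COMMIT
*filter
:FORWARD ACCEPT [0:0]
-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -i eth1 -o eth0 -j ACCEPT
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
EOF
}
# Constructed variant: same rules, MASQUERADE moved to the external interface.
ruleset_fixed() { ruleset_posted | sed '/MASQUERADE/s/eth1/eth0/'; }
ruleset_posted | check_nat_gateway eth0 eth1
```

No output means both checks passed; the fixed variant prints nothing.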
 
  

