Me & Iptables dont work

arrruken · 03-20-2004, 03:00 PM

Trying to set up a router, I like to do one thing at a time though, so here's my question: Forgetting about security, and NAT for right now, All I want to do is have my PC's on the internal side of the router be able to ping the modem.
The setup is:
DSL-Modem(192.168.1.254)---->(192.168.1.1)eth0/Gentoo\eth1(192.168.0.1)---->switch--->PC's(192.168.0.x)
Im sure my kernel looks good, I know that /proc/sys/net/ipv4/ip_forward is set to "1", and is so everytime I boot, I know the iptables config file in /etc/conf.d/iptables has ip forwarding enabled.
With all that said, these basic rules should allow me to ping the router correct?
iptables -A FORWARD -i eth1 -o eth0 -j ACCEPT
iptables -A FORWARD -i eth0 -o eth1 -j ACCEPT
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

I dont see why I would need anything else to just ping the router. Please tell me if Im missing something or you see something wrong. RIght now its timing out every time.

atlesn · 03-20-2004, 03:15 PM

echo 1 > /proc/sys/net/ipv4/ip_forward

To enable forwarding

arrruken · 03-20-2004, 03:31 PM

Quote:

Originally posted by arrruken

Im sure my kernel looks good, I know that /proc/sys/net/ipv4/ip_forward is set to "1", and is so everytime I boot, I know the iptables config file in /etc/conf.d/iptables has ip forwarding enabled.

I know, is there anything else that would cause this not to work?

atlesn · 03-20-2004, 03:43 PM

Sorry for skipping that part, must have read your post too fast.

Try

iptables --flush
iptables --table nat --flush
iptables --delete-chain
iptables --table nat --delete-chain
iptables --table nat --append POSTROUTING --out-interface eth1 -j MASQUERADE
iptables --append FORWARD --in-interface eth0 -j ACCEPT

if your LAN iface is eth0. This at least works for me.

arrruken · 03-20-2004, 04:01 PM

Well that worked for some reason, I didnt think I would need NAT to just ping, but I guess I did. I really appreciate the help.
Now that that is working, am I gonna need this line:
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
Or better question, would I have any problems with any services on the PC's right now?

atlesn · 03-20-2004, 04:08 PM

Nat is needed when the two ifaces are not on the same subnet.

Just nice to help.

atlesn · 03-20-2004, 04:28 PM

Not on your gentoo, but here is how to open ports to other comps behind it:

(one line)
iptables -A FORWARD -i eth1 -p tcp --dport 80 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT

iptables -t nat -A PREROUTING -j DNAT -p tcp --dport 80 --to-destination 192.168.0.x

This redirects to a webserver with the tcp protocol