the_y_man, your iptables script only routes for eth1; you don't have any routing rules for eth2. I think that tuxguy's suggestion of assigning EXTIF="eth1 eth2" is giving you the syntax error.
Also, more importantly, you've reversed EXTIF and INTIF. eth0 is your interface to the external world, and eth1/eth2 face your internal LAN. Not that the variable names make much difference, but your script has the following errors:
$IPTABLES -A FORWARD -i $INTIF -o $EXTIF -j ACCEPT
-- if INTIF is eth0 and EXTIF is eth1, then you're basically accepting ALL traffic from the internet into your LAN. This kind of negates your firewall. It's probably why you can browse from the eth1-connected box even though the following rule is incorrect:
$IPTABLES -t nat -A POSTROUTING -o $EXTIF -j MASQUERADE
-- again, the masquerading rule should be applied on the external interface, namely eth0 in your case. However, since you assigned eth1 to EXTIF, the masquerading isn't functional.
My slackbox is also routing for two computers, eth1 and eth2. This is what I have:
# path to the iptables binary (the original post assumes $IPTABLES is already set)
IPTABLES=/usr/sbin/iptables
/bin/echo 1 > /proc/sys/net/ipv4/ip_forward
# flush rules and delete chains
$IPTABLES -F
$IPTABLES -X
$IPTABLES -t nat -F
# enable masquerading to allow LAN internet access
$IPTABLES -t nat -A POSTROUTING -o eth0 -j MASQUERADE
# forward LAN traffic from eth1 to Internet interface eth0
$IPTABLES -A FORWARD -i eth1 -o eth0 -m state --state NEW,ESTABLISHED -j ACCEPT
# forward LAN traffic from eth2 to Internet interface eth0
$IPTABLES -A FORWARD -i eth2 -o eth0 -m state --state NEW,ESTABLISHED -j ACCEPT
echo -e " - Allowing access to the SSH server"
$IPTABLES -A INPUT --protocol tcp --dport 22 -j ACCEPT
echo -e " - Allowing access to the HTTP server"
$IPTABLES -A INPUT --protocol tcp --dport 80 -j ACCEPT
# block out all other Internet access on eth0
$IPTABLES -A INPUT -i eth0 -m state --state NEW,INVALID -j DROP
$IPTABLES -A FORWARD -i eth0 -m state --state NEW,INVALID -j DROP
I didn't bother assigning eth0/eth1/eth2 to variables; of course, you can. Test your firewall with nmap (but be careful with this tool, since you might accidentally scan your ISP, which would get you into lots of trouble), or go to a website like www.dshield.org
BTW, although Linux, and iptables in particular, requires more reading and research, I find that once learned, Linux is much simpler and more elegant than Windows. I started my home network with Windows98 Internet Connection Sharing. Since Windows ICS was very poorly documented, I did everything by trial-and-error. And I had to remove and reinstall and reboot ICS many times (and there is only one magic way to do it properly too). Then the ICS server crashed about once per week. I never figured out how to serve more than one workstation from ICS either; I suspect you have to purchase a multi-node licence for ICS.
I switched my ICS server to Linux (Red Hat at first) with the goal of using it to do the internet firewall/gateway thing. Yes, iptables was very difficult at first, and I scoured google for all tutorials and references. I found some sample iptables scripts here on linuxquestions.org to get me started. Now, I can't think of doing it any other way.
Also, there are alternatives to editing the iptables script directly. You could try using guarddog, which is a utility for iptables configuration.
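To make the interface-role point from the reply above concrete, here is an added example (not the poster's script, and not from the original thread) that assigns the external and internal interfaces explicitly and builds the ruleset in a loop, so a second or third LAN interface gets its own FORWARD rule instead of a bad "eth1 eth2" string. The interface names, the DRY_RUN switch and the helper names (ipt, build_rules, check_roles) are assumptions for the example; with DRY_RUN=1 (the default here) it only prints the iptables commands it would run, which is handy for reviewing a ruleset before loading it as root.

```shell
#!/bin/sh
# Added example: two-LAN NAT gateway with explicit interface roles.
# Interface names below are assumptions for the example.
EXTIF="eth0"            # faces the Internet (masquerade happens here)
INTIFS="eth1 eth2"      # LAN-facing interfaces, one per loop iteration
DRY_RUN="${DRY_RUN:-1}" # 1 = print commands instead of running them

# ipt: wrapper so the same ruleset can be reviewed without root/iptables
ipt() {
    if [ "$DRY_RUN" = "1" ]; then
        echo "iptables $*"
    else
        iptables "$@"
    fi
}

# check_roles: refuse a configuration where a LAN interface is also EXTIF,
# which is the kind of mix-up that silently turns the gateway into an open router
check_roles() {
    for lan in $INTIFS; do
        [ "$lan" != "$EXTIF" ] || return 1
    done
    return 0
}

build_rules() {
    # flush everything and start from a default-deny stance
    ipt -F
    ipt -X
    ipt -t nat -F
    ipt -P INPUT DROP
    ipt -P FORWARD DROP
    ipt -P OUTPUT ACCEPT
    # loopback, plus replies to connections already tracked by conntrack
    ipt -A INPUT -i lo -j ACCEPT
    ipt -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    ipt -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    # masquerade only on the EXTERNAL interface
    ipt -t nat -A POSTROUTING -o "$EXTIF" -j MASQUERADE
    # each LAN interface may open NEW connections toward the Internet;
    # nothing allows NEW connections from EXTIF into a LAN, so those hit the DROP policy
    for lan in $INTIFS; do
        ipt -A FORWARD -i "$lan" -o "$EXTIF" -m state --state NEW -j ACCEPT
        ipt -A INPUT -i "$lan" -j ACCEPT   # LAN hosts may talk to the gateway itself
    done
    # the one service exposed on the Internet side (SSH), everything else is dropped
    ipt -A INPUT -i "$EXTIF" -p tcp --dport 22 -m state --state NEW -j ACCEPT
}

check_roles || { echo "interface roles overlap: $EXTIF is also listed in INTIFS" >&2; exit 1; }
build_rules
```

Run it as-is to see the generated commands; set DRY_RUN=0 and run as root to load them. The default DROP policies mean a forgotten rule fails closed rather than open, which is the opposite of what happens when the FORWARD ACCEPT rule has its -i/-o interfaces swapped.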