LinuxQuestions.org
Old 03-13-2003, 03:39 AM   #1
Haxor
LQ Newbie
 
Registered: Mar 2003
Location: Philippines
Posts: 4

Rep: Reputation: 0
Question Networking Problem: Redhat 8.0 as a Server - Windows 98SE as clients


I got a problem here... I want to set up my internet cafe to use a linux server to host our site and for an irc server... I'm using ADSL on my internet connection and got two ethernet cards.

I installed redhat 8 and tried some tweaking... my clients can't access the internet but the clients can ping the server anyways... I'm new to linux and don't know how to fix this problem.

Now here's the point... I want a linux server using redhat 8.0 then use windows 98SE on client computers... so how can I make redhat 8 share its internet connection to my clients...

any help will be appreciated... anyone who could help things up will get a free shell account for use with anything: eggdrop, web, bnc, etc...

I also want to run ssh and ftp for us to access the server outside the local network...

Last edited by Haxor; 03-13-2003 at 03:41 AM.
 
Old 03-13-2003, 04:33 AM   #2
batusaix
LQ Newbie
 
Registered: Mar 2003
Posts: 3

Rep: Reputation: 0

hi,

can your rh8 server access the net or simply ping a valid IP from the net?

if yes, check your /etc/sysctl.conf file or your firewall.

or maybe you turned off the http access

you can check masquerading HOWTOs for detailed help.
 
Old 03-13-2003, 04:46 AM   #3
batusaix
LQ Newbie
 
Registered: Mar 2003
Posts: 3

Rep: Reputation: 0

hi again,

also check the gateway address of your win98SE, it should be the IP addr of your rh8, usually the eth1
 
Old 03-13-2003, 04:59 AM   #4
Haxor
LQ Newbie
 
Registered: Mar 2003
Location: Philippines
Posts: 4

Original Poster
Rep: Reputation: 0
the server can browse the net... the clients can ping the server... but the clients can't ping an address on the net. gateway is correct (192.168.0.1 - 255.255.255.0)
 
Old 03-13-2003, 05:32 AM   #5
Haxor
LQ Newbie
 
Registered: Mar 2003
Location: Philippines
Posts: 4

Original Poster
Rep: Reputation: 0
I think it's a problem with the iptables or whatsoever
 
Old 03-13-2003, 08:04 AM   #6
Smerk
Member
 
Registered: Oct 2002
Location: Cairnsian, Oz
Distribution: Debian testing/unstable, knoppix/debian fudged router!
Posts: 169

Rep: Reputation: 30
have you got ipmasquerading turned on on the server?
this is what I have done (found it somewhere on the net.. can't remember where but kudos to whoever did it!):

edit sysctl.conf, put this in:
# Controls IP packet forwarding
net.ipv4.ip_forward = 1

# Controls source route verification
net.ipv4.conf.default.rp_filter = 1
#
#
#Disable IP spoofing attacks
#net.ipv4.conf.all.rp_filter = 2

#Don't respond to broadcast pings (Smurf Amplifier Protection)
net.ipv4.icmp_echo_ignore_broadcasts = 1
#Ignore all pings?
net.ipv4.icmp_echo_ignore_all = 0

#Block source routing
#net.ipv4.conf.all.accept_source_route = 0

#Kill timestamps
net.ipv4.tcp_timestamps = 0

#Enable SYN cookies
net.ipv4.tcp_syncookies = 1

#Kill Redirects
net.ipv4.conf.all.accept_redirects = 0

#Enable bad error message protection
net.ipv4.icmp_ignore_bogus_error_responses = 1

#Log martians (packets with impossible addresses)
net.ipv4.conf.all.log_martians = 1

#Reduce DoS'ing ability by reducing timeouts
net.ipv4.tcp_fin_timeout = 30
net.ipv4.tcp_keepalive_time = 2400
net.ipv4.tcp_window_scaling = 0
net.ipv4.tcp_sack = 0

edit to your particular needs then run this script (I think I found this here somewhere... can't seem to find it any more, kudos to the author):
--/begin script/--
#!/bin/sh
#
# For a system to function as a firewall the kernel has to be told to forward
# packets between interfaces, i.e., it needs to be a router. Since you'll save the
# running config with 'iptables-save' for RedHat to reinstate at the next boot
# IP forwarding must be enabled by other than this script for production use.
# That's best done by editing /etc/sysctl.conf and setting:
#
# net.ipv4.ip_forward = 1
#
# Since that file will only be read at boot, you can uncomment the following
# line to enable forwarding on the fly for initial testing. Just remember that
# the saved iptables data won't include the command.
#
# echo 1 > /proc/sys/net/ipv4/ip_forward
#
# Once the rule sets are to your liking you can easily arrange to have them
# installed at boot on a Redhat box (7.1 or later). Save the rules with:
#
# /etc/init.d/iptables save
#
# which saves the running ruleset to /etc/sysconfig/iptables. When /etc/init.d/iptables
# executes it will see the file and restore the rules. I find it easier to modify this file
# and run it (make sure it is executable with 'chmod +x iptables-init') to change the
# rulesets, rather than modifying the running rules. That way I have a readable record
# of the firewall configuration.
#
# Set an absolute path to IPTABLES and define the interfaces.
# OUTSIDE is the outside or untrusted interface that connects to the Internet
# and INSIDE is, well that ought to be obvious.
#
IPTABLES="/sbin/iptables"
OUTSIDE=ppp0
INSIDE=eth+

# Clear out any existing firewall rules, and any chains that might have
# been created. Then set the default policies.
#
$IPTABLES -F
$IPTABLES -F INPUT
$IPTABLES -F OUTPUT
$IPTABLES -F FORWARD
$IPTABLES -F -t mangle
$IPTABLES -F -t nat
$IPTABLES -X
$IPTABLES -P INPUT DROP
$IPTABLES -P OUTPUT ACCEPT
$IPTABLES -P FORWARD ACCEPT
#
# Begin setting up the rulesets. First define some rule chains to handle
# exception conditions. These chains will receive packets that we aren't
# willing to pass. Limiters on logging are used so as not to swamp the
# firewall in a DoS scenario.
#
# silent - Just drop the packet
# tcpflags - Log packets with bad flags, most likely an attack
# firewalled - Log packets that we refuse, possibly from an attack
#
$IPTABLES -N silent
$IPTABLES -A silent -j DROP
#
$IPTABLES -N tcpflags
$IPTABLES -A tcpflags -m limit --limit 5/minute -j LOG --log-prefix TCPflags:
$IPTABLES -A tcpflags -j DROP
#
# If running wireless this is a really simple way of logging people trying to get in that shouldn't be..
$IPTABLES -N internal
$IPTABLES -A internal -m limit --limit 5/minute -j LOG --log-prefix Internal:
$IPTABLES -A internal -j DROP
#
$IPTABLES -N firewalled
$IPTABLES -A firewalled -m limit --limit 5/minute -j LOG --log-prefix Firewalled:
$IPTABLES -A firewalled -j DROP
#
# Use NPAT if you have a dynamic IP. Otherwise comment out the following
# line and use the Source NAT below.
#
#$IPTABLES -t nat -A POSTROUTING -o $OUTSIDE -j MASQUERADE
#
# Use Source NAT to do the NPAT if you have a static IP or netblock.
# Remember to change the IP to be that of your OUTSIDE NIC.
#
$IPTABLES -t nat -A POSTROUTING -o $OUTSIDE -j SNAT --to 1.2.3.4
#
# Examples of Port forwarding. you will need to change ip addresses to your particular settings...
#
# The first forwards HTTP traffic to 192.168.42.1
# The second forwards SSH to 192.168.42.1
#
# Remember that if you intend to forward something that you'll also
# have to add a rule to permit the inbound traffic.
#
$IPTABLES -t nat -A PREROUTING -i $OUTSIDE -p tcp --dport 80 -j DNAT --to 192.168.42.1
$IPTABLES -t nat -A PREROUTING -i $OUTSIDE -p tcp --dport 22 -j DNAT --to 192.168.42.1
# I can't remember what this port does.. maybe https?
$IPTABLES -t nat -A PREROUTING -i $OUTSIDE -p tcp --dport 443 -j DNAT --to 192.168.42.1
# $IPTABLES -t nat -A PREROUTING -i $OUTSIDE -p udp --dport 400 -j DNAT --to 192.168.42.1
# this bit allows icq to work if you want it.
$IPTABLES -t nat -A PREROUTING -i $OUTSIDE -p udp --dport 5190 -j ACCEPT
# $IPTABLES -t nat -A PREROUTING -i $OUTSIDE -p tcp --dport 443 -j ACCEPT
#
# These are all TCP flag combinations that should never, ever, occur in the
# wild. All of these are illegal combinations that are used to attack a box
# in various ways.
#
$IPTABLES -A INPUT -p tcp --tcp-flags ALL FIN,URG,PSH -j tcpflags
$IPTABLES -A INPUT -p tcp --tcp-flags ALL ALL -j tcpflags
$IPTABLES -A INPUT -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j tcpflags
$IPTABLES -A INPUT -p tcp --tcp-flags ALL NONE -j tcpflags
$IPTABLES -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j tcpflags
$IPTABLES -A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j tcpflags
#
# Allow selected ICMP types and drop the rest.
#
$IPTABLES -A INPUT -p icmp --icmp-type 0 -j ACCEPT
$IPTABLES -A INPUT -p icmp --icmp-type 3 -j ACCEPT
$IPTABLES -A INPUT -p icmp --icmp-type 11 -j ACCEPT
$IPTABLES -A INPUT -p icmp --icmp-type 8 -m limit --limit 1/second -j ACCEPT
$IPTABLES -A INPUT -p icmp -j firewalled
#
# The loopback interface is inherently trustworthy. Don't disable it or
# a number of things on the firewall will break.
#
$IPTABLES -A INPUT -i lo -j ACCEPT
#
# Uncomment the following if the inside machines are trustworthy and
# there are services on the firewall, like DNS, web, etc., that they need to access.
# And remember to change the IP to be that of the INSIDE interface of the firewall.
#
# $IPTABLES -A INPUT -i $INSIDE -d 192.168.42.1 -j ACCEPT
#
#
# this is a simple attempt to restrict access to only a few ip addresses on the internal network
# I am running a RH router with a couple of network cards in it, one of which is wireless. this is in
# no way an effective means of stopping people hacking a wireless network!
#
$IPTABLES -A INPUT -i $INSIDE -s 192.168.42.8 -d 192.168.42.1 -j ACCEPT
$IPTABLES -A INPUT -i $INSIDE -s 192.168.43.7 -d 192.168.42.1 -j ACCEPT
$IPTABLES -A INPUT -i $INSIDE -s 192.168.43.7 -d 192.168.43.1 -j ACCEPT
$IPTABLES -A INPUT -i $INSIDE -d 192.168.42.1 -j internal
#
# If you are running a DHCP server on the firewall uncomment the next two lines
#
# $IPTABLES -A INPUT -i $INSIDE -d 192.168.42.1 -j ACCEPT
# $IPTABLES -A INPUT -i $INSIDE -d 255.255.255.255 -j ACCEPT
#
# Allow packets that are part of an established connection to pass
# through the firewall. This is required for normal Internet activity
# by inside clients.
#
$IPTABLES -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
#
# Silently drop any SMB traffic. We've slipped the surly bonds of windows
# and are dancing on the silvery wings of Linux, so block that windows trash.
#
$IPTABLES -A INPUT -p udp --sport 137 --dport 137 -j silent
#
# If you want to be able to connect via SSH from the Internet
# uncomment the next line.
#
#$IPTABLES -A INPUT -i $OUTSIDE -d 0/0 -p tcp --dport 22 -j ACCEPT
#
# Examples of allowing inbound for the port forwarding examples above.
#
#$IPTABLES -A INPUT -i $OUTSIDE -d 0/0 -p tcp --dport 80 -j ACCEPT
#$IPTABLES -A INPUT -i $OUTSIDE -d 0/0 -p tcp --dport 400 -j ACCEPT
#$IPTABLES -A INPUT -i $OUTSIDE -d 0/0 -p udp --dport 400 -j ACCEPT
$IPTABLES -A INPUT -i $OUTSIDE -d 0/0 -p udp --dport 5190 -j ACCEPT
$IPTABLES -A INPUT -i $OUTSIDE -d 0/0 -p tcp --dport 443 -j ACCEPT
#
# Anything that hasn't already matched gets logged and then dropped.
#
$IPTABLES -A INPUT -j firewalled
--/ end script/--
for ftp I would recommend using sftp, much safer... I don't know what port it uses but, possibly 21 as ftp does? you will need to add a line similar to the one allowing ssh in.

Hope this helps!
If anyone else is reading this and knows the author or where to find the original scripts I'd love to know..

Last edited by Smerk; 03-13-2003 at 08:12 AM.
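
The sysctl.conf settings in the post above only take effect if the kernel accepted them, and a misspelled key is never applied. As an added example (not part of the post or of the script it quotes), this shell function compares a sysctl.conf-style file with the values under /proc/sys. The name audit_sysctl, its optional second argument and the sample data are assumptions made for the example.

```sh
#!/bin/sh
# audit_sysctl CONF [PROC_ROOT]: compare each "key = value" line in CONF
# with the file of the same name under PROC_ROOT (default /proc/sys).
# Prints OK / DIFF / UNKNOWN per key; returns 1 on any DIFF or UNKNOWN.
audit_sysctl() {
    conf=$1 root=${2:-/proc/sys} rc=0
    while IFS= read -r line || [ -n "$line" ]; do
        # Drop comments and surrounding whitespace, skip non-assignments.
        line=$(printf '%s\n' "$line" |
            sed -e 's/[#;].*$//' -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//')
        case $line in *=*) ;; *) continue ;; esac
        key=$(printf '%s\n' "${line%%=*}" | sed 's/[[:space:]]*$//')
        want=$(printf '%s\n' "${line#*=}" | sed 's/^[[:space:]]*//')
        path=$root/$(printf '%s\n' "$key" | tr . /)
        if [ ! -e "$path" ]; then
            echo "UNKNOWN $key"; rc=1    # misspelled or unsupported key
            continue
        fi
        have=$(tr '\t' ' ' < "$path")
        if [ "$have" = "$want" ]; then
            echo "OK $key=$want"
        else
            echo "DIFF $key want=$want have=$have"; rc=1
        fi
    done < "$conf"
    return $rc
}

# Constructed sample: a scratch tree standing in for /proc/sys and a
# config with one value that was not applied and one misspelled key.
demo() {
    d=$(mktemp -d)
    mkdir -p "$d/sys/net/ipv4"
    echo 1 > "$d/sys/net/ipv4/ip_forward"
    echo 0 > "$d/sys/net/ipv4/tcp_syncookies"
    printf '%s\n' '# Controls IP packet forwarding' \
        'net.ipv4.ip_forward = 1' \
        'net.ipv4.tcp_syncookies = 1' \
        'net.ipv4.tcp_windows_scaling = 0' > "$d/sysctl.conf"
    audit_sysctl "$d/sysctl.conf" "$d/sys" && st=0 || st=$?
    rm -rf "$d"
    return $st
}
demo || echo "audit found problems"
```

On a real gateway, run it as audit_sysctl /etc/sysctl.conf after boot to see which settings are in force.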
 
Old 03-15-2003, 07:57 AM   #7
Haxor
LQ Newbie
 
Registered: Mar 2003
Location: Philippines
Posts: 4

Original Poster
Rep: Reputation: 0
still can't get it to work... is there any GUI software to automate this?
 
Old 03-15-2003, 09:56 PM   #8
xzh2001
LQ Newbie
 
Registered: Mar 2003
Posts: 7

Rep: Reputation: 0
I have a problem similar to yours.
I have ADSL to the internet. My redhat8 can get to the internet, but the client win2000 can't.
I modified /etc/rc.d/rc.local:
echo 1>/proc/sys/net/ipv4/ip_forward
iptables -t nat -A POSTROUTING -s 192.168.0.0/24 -o ppp0 -j MASQUERADE


SOMEONE HELP ME!
my msn is xuezh2001@hotmail.com
 
Old 03-19-2003, 11:24 AM   #9
kublador
Member
 
Registered: Aug 2002
Location: Philippines
Distribution: Slackware, CentOS, Ubuntu
Posts: 325

Rep: Reputation: 30
hmmmmmm what do you mean by masquerading or ipmasquerading?
 
Old 03-19-2003, 03:07 PM   #10
Blindsight
Member
 
Registered: Mar 2003
Distribution: Slackware
Posts: 234

Rep: Reputation: 30
GUI? ha! First off, Haxor, have you checked to see if your config is similar to Smerk's post or have you dismissed it because it isn't GUI?

If not, never mind and let's try a different solution, but asking for a GUI right off the bat seems like "Holy sh*t, look at all that config file. Where's my windows!"

As for Xzh2001, your internal network is 192.168.0.x, right? /24 is subnetted such that 192.168.0.1-254 is included, not a class B if that was your intent, if not.. next issue;

Do you have a FORWARD chain? If so, put the rule there instead of POSTROUTING.
 
Old 03-19-2003, 08:18 PM   #11
Smerk
Member
 
Registered: Oct 2002
Location: Cairnsian, Oz
Distribution: Debian testing/unstable, knoppix/debian fudged router!
Posts: 169

Rep: Reputation: 30
xzh2001
if adsl you are using a modem connected to ethernet card/port no?
I presume your ip address is dynamic?

if so I suggest change:
iptables -t nat -A POSTROUTING -s 192.168.0.0/24 -o ppp0 -j MASQUERADE

to

iptables -t nat -A POSTROUTING -s 192.168.0.0/24 -o eth0 -j MASQUERADE
note eth0 used, this may be something else depends on what your network configuration is. ie in this case eth0 is connection to adsl modem, eth1,2,whatever is connection to internal network. not 100% on this cause I've only got 56k modem not adsl..

Last edited by Smerk; 03-19-2003 at 08:20 PM.
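
Two things decide whether rc.local lines like the ones discussed above can work: the ip_forward write has to put a 1 in the file, and the NAT rule has to name the interface that carries the default route. As an added example (not code from any poster), this lint checks both; the function names and the sample input are constructed for the example.

```sh
#!/bin/sh
# default_iface: read `ip route` output on stdin and print the interface
# that carries the default route (the one NAT has to be applied on).
default_iface() {
    awk '$1 == "default" { for (i = 2; i < NF; i++)
             if ($i == "dev") { print $(i + 1); exit } }'
}

# lint_gateway FILE WAN_IF: print findings, return 1 if there are any.
lint_gateway() {
    awk -v wan="$2" '
        /^[ \t]*#/ { next }
        # "echo 1>file": the shell reads the digit as a descriptor number,
        # so echo gets no argument and only a newline reaches the file.
        /echo[ \t]+[0-9]+>/ {
            printf "line %d: digit glued to > is a descriptor number, nothing is written\n", NR
            bad = 1; next
        }
        /echo[ \t]+1[ \t]+>[ \t]*\/proc\/sys\/net\/ipv4\/ip_forward/ { fwd = 1 }
        /ip_forward[ \t]*=[ \t]*1/ { fwd = 1 }
        /-j[ \t]+(MASQUERADE|SNAT)/ {
            nat = 1
            for (i = 1; i < NF; i++)
                if ($i == "-o" && $(i + 1) != wan) {
                    printf "line %d: NAT on %s but default route uses %s\n", NR, $(i + 1), wan
                    bad = 1
                }
        }
        END {
            if (!fwd) { print "forwarding is never enabled"; bad = 1 }
            if (!nat) { print "no MASQUERADE/SNAT rule"; bad = 1 }
            exit bad
        }' "$1"
}

# Constructed sample input, not taken from a real host.
demo() {
    f=$(mktemp)
    printf '%s\n' 'echo 1>/proc/sys/net/ipv4/ip_forward' \
        'iptables -t nat -A POSTROUTING -s 192.168.0.0/24 -o eth0 -j MASQUERADE' > "$f"
    wan=$(printf 'default dev ppp0 scope link\n192.168.0.0/24 dev eth1 scope link\n' | default_iface)
    lint_gateway "$f" "$wan" && st=0 || st=$?
    rm -f "$f"
    return $st
}
demo || echo "findings reported"
```

On a live gateway the second argument would come from `ip route | default_iface`.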
 
  

