Yet another Internet Sharing Question...
Guys and Gals,
I know this subject has been beaten to death, but I'm getting so frustrated I have to post. I've read up on the other posts and the tutorial at ww.tldp.org/HOWTO/IP-Masquerade-HOWTO/firewall-examples.html. I have basically used their firewall-2.4 script, only changing the external/internal variables to match my eth0 and eth1. I set FORWARD_IPV4=true in my /etc/sysconfig/network file. As my network stands, Redhat 7.3 on the server hands out IP addresses to the clients. Everyone can ping each other without problems, but the client internet requests can't seem to get out of the server. I tried firestarter but could not seem to get it to work properly, so I uninstalled it.

Here's my firewall-2.4 script file (comments excluded):
Code:
#!/bin/sh
#
# rc.firewall-2.4
FWVER=0.74
echo -e "\n\nLoading simple rc.firewall version $FWVER..\n"
IPTABLES=/sbin/iptables
DEPMOD=/sbin/depmod
MODPROBE=/sbin/modprobe
EXTIF="eth0" # my external nic, hits the cable modem
INTIF="eth1" # my internal nic, hits the local network
echo " External Interface: $EXTIF"
echo " Internal Interface: $INTIF"
echo -en " loading modules: "
echo " - Verifying that all kernel modules are ok"
$DEPMOD -a
echo -en "ip_tables, "
$MODPROBE ip_tables
echo -en "ip_conntrack, "
$MODPROBE ip_conntrack
echo -en "ip_conntrack_ftp, "
$MODPROBE ip_conntrack_ftp
echo -en "ip_conntrack_irc, "
$MODPROBE ip_conntrack_irc
echo -en "iptable_nat, "
$MODPROBE iptable_nat
echo -en "ip_nat_ftp, "
$MODPROBE ip_nat_ftp
echo -e " Done loading modules.\n"
echo " Enabling forwarding.."
echo "1" > /proc/sys/net/ipv4/ip_forward
echo " Enabling DynamicAddr.."
echo "1" > /proc/sys/net/ipv4/ip_dynaddr
echo " Clearing any existing rules and setting default policy.."
$IPTABLES -P INPUT ACCEPT
$IPTABLES -F INPUT
$IPTABLES -P OUTPUT ACCEPT
$IPTABLES -F OUTPUT
$IPTABLES -P FORWARD DROP
$IPTABLES -F FORWARD
$IPTABLES -t nat -F
echo " FWD: Allow all connections OUT and only existing and related ones IN"
$IPTABLES -A FORWARD -i $EXTIF -o $INTIF -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A FORWARD -i $INTIF -o $EXTIF -j ACCEPT
$IPTABLES -A FORWARD -j LOG
echo " Enabling SNAT (MASQUERADE) functionality on $EXTIF"
$IPTABLES -t nat -A POSTROUTING -o $EXTIF -j MASQUERADE
echo -e "\nrc.firewall-2.4 v$FWVER done.\n"

Anyone have any suggestions at all? I'm so at a loss...
Thanks,
Aaron (KowCiller)
Try changing:
Code:
echo " FWD: Allow all connections OUT and only existing and related ones IN"
Code:
echo " FWD: Allow all connections OUT and only existing and related ones IN"
david_ross,
Thanks very much for your post, however when I tried to change those lines, I got normal output until the changed lines. Output ran as follows:
Code:
/** Normal stuff cut out above **/
FWD: Allow all connections OUT and only existing and related ones IN
iptables v1.2.5: Can't use -i with POSTROUTING
Try `iptables -h' or 'iptables --help' for more information.
iptables v1.2.5: Can't use -i with POSTROUTING
Try `iptables -h' or 'iptables --help' for more information.
iptables: No chain/target/match by that name
Enabling SNAT (MASQUERADE) functionality on eth0
rc.firewall-2.4 v0.74 done.
Any idea? I've been pounding my head on the desk for like 12 hours between yesterday and today.
Thanks,
Aaron (KowCiller)
Delete the forward rules altogether and change the forward policy to accept:
Code:
$IPTABLES -P FORWARD ACCEPT
If it still doesn't work, something else is wrong. For security reasons you may also want to change the INPUT stuff:
Code:
$IPTABLES -P INPUT DROP
and then add the rule:
Code:
$IPTABLES -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
Right now your box is wide open with a default policy of ACCEPT on INPUT. Also, doing this will not affect routing, but you won't be able to ping the box unless you add a rule that allows for it. You could just add:
Code:
$IPTABLES -A INPUT -s $LAN -j ACCEPT
where LAN is the range of internal IP addresses, like 192.168.0.1/24; that way the internal machines will be able to ping the box. LAN could also be a single IP address.
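As an added example (not code from the thread or from the IP-Masquerade HOWTO), here is the same masquerading rule set assembled as text so it can be read, linted and dry-run before it is applied, with the INPUT hardening suggested above folded in, plus a loopback accept and a source check on forwarded LAN traffic. The interface names, the LAN range 192.168.0.0/24 and the function names are assumptions; the module loading and ip_dynaddr steps of the original script are left out.

```shell
#!/bin/sh
# Added example, not from the thread: the rc.firewall-2.4 masquerading rules
# with INPUT locked down, built as text first so they can be inspected and
# linted before they touch the kernel. Interfaces and LAN are assumptions;
# override them via the environment.
EXTIF="${EXTIF:-eth0}"               # external NIC (cable modem side), assumed
INTIF="${INTIF:-eth1}"               # internal NIC (LAN side), assumed
LAN="${LAN:-192.168.0.0/24}"         # internal range, assumed
IPTABLES="${IPTABLES:-/sbin/iptables}"

# Emit the rule set, one iptables command per line, for the given
# external interface, internal interface and LAN range.
firewall_rules() {
    ext="$1"; int="$2"; lan="$3"
    cat <<EOF
$IPTABLES -P INPUT DROP
$IPTABLES -F INPUT
$IPTABLES -P OUTPUT ACCEPT
$IPTABLES -F OUTPUT
$IPTABLES -P FORWARD DROP
$IPTABLES -F FORWARD
$IPTABLES -t nat -F
$IPTABLES -A INPUT -i lo -j ACCEPT
$IPTABLES -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A INPUT -i $int -s $lan -j ACCEPT
$IPTABLES -A FORWARD -i $ext -o $int -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A FORWARD -i $int -o $ext -s $lan -j ACCEPT
$IPTABLES -A FORWARD -j LOG --log-prefix "FWD-DROP: "
$IPTABLES -t nat -A POSTROUTING -o $ext -j MASQUERADE
EOF
}

# Lint a rule set read from stdin for two mistakes that appear in this thread:
#  - "-i" in the nat POSTROUTING chain (iptables rejects it with
#    "Can't use -i with POSTROUTING"; match on -o or -s there instead),
#  - a space inside the --state list ("ESTABLISHED, RELATED"), which makes the
#    shell pass RELATED as a separate argument so the rule fails to parse.
# Returns 1 and names the offending line on the first problem found.
lint_rules() {
    while IFS= read -r line; do
        case "$line" in
            *"POSTROUTING"*" -i "*)
                printf 'lint: -i is not valid in POSTROUTING: %s\n' "$line" >&2
                return 1 ;;
            *"--state "*", "*)
                printf 'lint: space inside --state list: %s\n' "$line" >&2
                return 1 ;;
        esac
    done
    return 0
}

# True when the sysctl file given as $1 reads "1". Takes a path so it can be
# checked against /proc on the router or against a copy elsewhere.
forwarding_enabled() {
    [ -r "$1" ] && [ "$(cat "$1")" = "1" ]
}

# Dry run by default (prints the rules); APPLY=1 feeds them to sh as root.
main() {
    rules=$(firewall_rules "$EXTIF" "$INTIF" "$LAN")
    printf '%s\n' "$rules" | lint_rules || exit 1
    if forwarding_enabled /proc/sys/net/ipv4/ip_forward; then
        printf 'ip_forward is on\n'
    else
        printf 'ip_forward is off: echo 1 > /proc/sys/net/ipv4/ip_forward\n' >&2
    fi
    if [ "${APPLY:-0}" = "1" ]; then
        printf '%s\n' "$rules" | sh -e
    else
        printf '%s\n' "$rules"
    fi
}

main "$@"
```

Run it as-is to see the rules it would load and whether ip_forward is set; run it with APPLY=1 as root to apply them. The lint stops the run before anything is applied if a rule uses -i in POSTROUTING or has a broken --state list, which are the two failure modes visible in the error output earlier in this thread.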