LinuxQuestions.org
Old 07-05-2003, 11:19 PM   #1
KowCiller
LQ Newbie
 
Registered: Jul 2003
Distribution: RedHat Linux 7.3
Posts: 8

Rep: Reputation: 0
Yet another Internet Sharing Question...


Guys and Gals,

I know this subject has been beaten to death, but I'm getting so frustrated I have to post.

I've read up on the other posts and tutorial at :

ww.tldp.org/HOWTO/IP-Masquerade-HOWTO/firewall-examples.html

I have basically used their firewall-2.4 script, only changing the external / internal variables to match my eth0 and eth1. I set FORWARD_IPV4=true in my /etc/sysconfig/network file.

As my network stands, Redhat 7.3 on the server, it hands out ip addresses to the clients. Everyone can ping each other without problems, but the client internet requests can't seem to get out of the server.

I tried firestarter but could not seem to get it to work properly so I uninstalled it.

Here's my firewall-2.4 script file (comments excluded):

#!/bin/sh
#
# rc.firewall-2.4
FWVER=0.74

echo -e "\n\nLoading simple rc.firewall version $FWVER..\n"

IPTABLES=/sbin/iptables
DEPMOD=/sbin/depmod
MODPROBE=/sbin/modprobe

EXTIF="eth0" #my external nic, hits the cable modem
INTIF="eth1" #my internal nic, hits the local network

echo " External Interface: $EXTIF"
echo " Internal Interface: $INTIF"

echo -en " loading modules: "

echo " - Verifying that all kernel modules are ok"
$DEPMOD -a

echo -en "ip_tables, "
$MODPROBE ip_tables

echo -en "ip_conntrack, "
$MODPROBE ip_conntrack

echo -en "ip_conntrack_ftp, "
$MODPROBE ip_conntrack_ftp

echo -en "ip_conntrack_irc, "
$MODPROBE ip_conntrack_irc

echo -en "iptable_nat, "
$MODPROBE iptable_nat

echo -en "ip_nat_ftp, "
$MODPROBE ip_nat_ftp

echo -e " Done loading modules.\n"
echo " Enabling forwarding.."
echo "1" > /proc/sys/net/ipv4/ip_forward
echo " Enabling DynamicAddr.."
echo "1" > /proc/sys/net/ipv4/ip_dynaddr
echo " Clearing any existing rules and setting default policy.."

$IPTABLES -P INPUT ACCEPT
$IPTABLES -F INPUT
$IPTABLES -P OUTPUT ACCEPT
$IPTABLES -F OUTPUT
$IPTABLES -P FORWARD DROP
$IPTABLES -F FORWARD
$IPTABLES -t nat -F

echo " FWD: Allow all connections OUT and only existing and related ones IN"
$IPTABLES -A FORWARD -i $EXTIF -o $INTIF -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A FORWARD -i $INTIF -o $EXTIF -j ACCEPT
$IPTABLES -A FORWARD -j LOG

echo " Enabling SNAT (MASQUERADE) functionality on $EXTIF"
$IPTABLES -t nat -A POSTROUTING -o $EXTIF -j MASQUERADE

echo -e "\nrc.firewall-2.4 v$FWVER done.\n"


Anyone have any suggestions at all? I'm so at a loss...

Thanks,

Aaron (KowCiller)
 
Old 07-06-2003, 11:18 AM   #2
david_ross
Moderator
 
Registered: Mar 2003
Location: Scotland
Distribution: Slackware, RedHat, Debian
Posts: 12,047

Rep: Reputation: 79
Try changing:
Code:
echo " FWD: Allow all connections OUT and only existing and related ones IN"
$IPTABLES -A FORWARD -i $EXTIF -o $INTIF -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A FORWARD -i $INTIF -o $EXTIF -j ACCEPT
$IPTABLES -A FORWARD -j LOG
to:
Code:
echo " FWD: Allow all connections OUT and only existing and related ones IN"
$IPTABLES -A POSTROUTING -i $EXTIF -o $INTIF -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A POSTROUTING -i $INTIF -o $EXTIF -j ACCEPT
$IPTABLES -A POSTROUTING -j LOG
 
Old 07-06-2003, 12:56 PM   #3
KowCiller
LQ Newbie
 
Registered: Jul 2003
Distribution: RedHat Linux 7.3
Posts: 8

Original Poster
Rep: Reputation: 0
david_ross,

Thanks very much for your post; however, when I tried to change those lines, I got normal outputs until the changed lines.

Output ran as follows:

/** Normal stuff cut out above **/

FWD: Allow all connections OUT and only existing and related ones IN
iptables v1.2.5: Can't use -i with POSTROUTING

Try `iptables -h' or 'iptables --help' for more information.
iptables v1.2.5: Can't use -i with POSTROUTING

Try `iptables -h' or 'iptables --help' for more information.
iptables: No chain/target/match by that name
Enabling SNAT (MASQUERADE) functionality on eth0

rc.firewall-2.4 v0.74 done.

Any idea? I've been pounding my head on the desk for like 12 hours between yesterday and today

Thanks,

Aaron (KowCiller)
 
Old 07-06-2003, 02:04 PM   #4
Robert0380
LQ Guru
 
Registered: Apr 2002
Location: Atlanta
Distribution: Gentoo
Posts: 1,280

Rep: Reputation: 47
delete the forward rules altogether and change the forward policy to accept.
$IPTABLES -P FORWARD ACCEPT

if it still doesn't work, something else is wrong.



for security reasons you may also want to change the INPUT stuff

$IPTABLES -P INPUT DROP

and then add the rule:

$IPTABLES -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT


right now your box is wide open with a default policy of ACCEPT on INPUT.
also, doing this will not affect routing, but you won't be able to ping
the box unless you add a rule that allows for it. you could just add:

$IPTABLES -A INPUT -s $LAN -j ACCEPT

where LAN is the range of internal IP addresses like 192.168.0.1/24; that way the internal machines will be able to ping the box. LAN could also be a single IP address.


Last edited by Robert0380; 07-06-2003 at 02:11 PM.
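The three things the thread keeps circling (forwarding switched on, a MASQUERADE rule on the external interface, and a FORWARD path that the DROP policy does not block) can be checked offline against an iptables-save dump. This is an added example, not code from the thread; it uses the interface names from post #1, and the dumps it checks are constructed here to mirror the rc.firewall-2.4 ruleset.

```shell
#!/bin/sh
# Added example: offline triage for a masquerading gateway whose clients
# cannot reach the Internet. All three must hold:
#   1. net.ipv4.ip_forward = 1
#   2. a MASQUERADE (or SNAT) rule in nat POSTROUTING for the external interface
#   3. a FORWARD path INTIF -> EXTIF that the DROP policy does not block
EXTIF="eth0"   # external interface from post #1
INTIF="eth1"   # internal interface from post #1

# check_gateway <ip_forward value>   (iptables-save output on stdin)
# Prints one line per problem found; exit status is the number of problems.
check_gateway() {
    fwd="$1"; dump=$(cat); problems=0
    if [ "$fwd" != "1" ]; then
        echo "ip_forward=$fwd: kernel will not route $INTIF -> $EXTIF"
        problems=$((problems + 1))
    fi
    if ! printf '%s\n' "$dump" | grep -Eq "^-A POSTROUTING .*-o $EXTIF .*-j (MASQUERADE|SNAT)"; then
        echo "no MASQUERADE/SNAT rule for $EXTIF in nat POSTROUTING"
        problems=$((problems + 1))
    fi
    if printf '%s\n' "$dump" | grep -q "^:FORWARD DROP" &&
       ! printf '%s\n' "$dump" | grep -Eq "^-A FORWARD -i $INTIF -o $EXTIF .*-j ACCEPT"; then
        echo "FORWARD policy is DROP and no rule accepts $INTIF -> $EXTIF"
        problems=$((problems + 1))
    fi
    return "$problems"
}

# Constructed iptables-save output matching the rc.firewall-2.4 script in post #1.
sample_ok() {
    cat <<'EOF'
*nat
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A FORWARD -i eth0 -o eth1 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i eth1 -o eth0 -j ACCEPT
-A FORWARD -j LOG
COMMIT
EOF
}
# Same ruleset, but the nat rule never got installed (e.g. iptable_nat not loaded).
sample_no_nat() { sample_ok | grep -v MASQUERADE; }

sample_ok | check_gateway 1 && echo "ruleset OK"
sample_no_nat | check_gateway 0 || echo "problems found: $?"
```

On a live box the same function runs as `iptables-save | check_gateway "$(cat /proc/sys/net/ipv4/ip_forward)"`.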
 