LinuxQuestions.org > Forums > Linux Forums > Linux - Security
Old 06-01-2004, 05:51 AM   #1
nbcohen
Member
 
Registered: Mar 2003
Location: Northern Virginia
Distribution: RH Enterprise, Fedora
Posts: 96

Rep: Reputation: 17
Can't get IPTables to forward msgs (Fedora 2)


Just installed Fedora 2 for use as firewall/email server/web server at home. Set up default firewall w/iptables. The firewall can talk to machines in the house (eth0) and to the internet (eth2). But internal machines can't seem to forward to the internet. Here is the iptables file I currently have - I've marked the 2 rules I added (using webmin, which also added the 2 sections at the bottom of the file to the original provided by the Fedora installation). Can someone tell me what I need to do to get forwarding working? I have modified the /proc/sys/net/ipv4/ip_forward file too...

Thanks,

nbc

====== IPTables file ====
# Firewall configuration written by system-config-securitylevel
# Manual customization of this file is not recommended.
*filter
:FORWARD ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -i eth0 -j ACCEPT

# **** I added the following line to try to get pkts forwarded...
-A RH-Firewall-1-INPUT -m state -d 192.168.130.0/24 -i eth2 -o eth0 --state ESTABLISHED,RELATED -j ACCEPT

-A RH-Firewall-1-INPUT -p icmp --icmp-type any -j ACCEPT
-A RH-Firewall-1-INPUT -p 50 -j ACCEPT
-A RH-Firewall-1-INPUT -p 51 -j ACCEPT

# **** I added the following line to try to get pkts forwarded...
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

-A RH-Firewall-1-INPUT -p tcp -m state -m tcp --dport 80 --state NEW -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m state -m tcp --dport 443 --state NEW -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m state -m tcp --dport 22 --state NEW -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m state -m tcp --dport 25 --state NEW -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
# Generated by webmin
*mangle
:FORWARD ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
COMMIT
# Completed
# Generated by webmin
*nat
:OUTPUT ACCEPT [0:0]
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
COMMIT
# Completed
 
Old 06-01-2004, 04:00 PM   #2
Capt_Caveman
Senior Member
 
Registered: Mar 2003
Distribution: Fedora
Posts: 3,658

Rep: Reputation: 69
I'm guessing based on the rule you added that the internal machines all have private (non-routable) IP addresses (like 192.168.X.X). In that case you'll need to do some form of SNAT/IP Masquerading to allow the internal machines out to the internet. Which one you need depends on whether the firewall/router has a fixed IP address or is dynamically assigned (DSL/Cable/Dialup usually are).
 
Old 06-01-2004, 04:10 PM   #3
nbcohen
Member
 
Registered: Mar 2003
Location: Northern Virginia
Distribution: RH Enterprise, Fedora
Posts: 96

Original Poster
Rep: Reputation: 17
Correct - the internal machines have fixed addresses (although I may start using dhcp inside as well and let the firewall be a dhcp server someday). The firewall uses DHCP but the address it gets has not changed in 3 years - I suppose it could change any day tho...

I managed to get it to work this afternoon by adding a MASQUERADE line to the NAT section of the iptables. The command is:

-A POSTROUTING -o eth2 -j MASQUERADE

And this seems to work. I think I need to spend some time with the filter stuff and make sure my machine is really locked down the way I want it to be... But this is a start.

nbc
 
Old 06-01-2004, 05:31 PM   #4
Capt_Caveman
Senior Member
 
Registered: Mar 2003
Distribution: Fedora
Posts: 3,658

Rep: Reputation: 69
If the firewall's IP is assigned through DHCP, then use masquerading (your rule looks fine).

In terms of locking down the firewall, I would absolutely recommend changing the default INPUT and FORWARD policies to DROP. Also, I'd recommend ditching Redhat's lokkit firewall and putting together your own firewall script. You can use the rules you have currently as a guide. You're on the right track with the RELATED,ESTABLISHED rules, although those don't have anything to do with forwarding.

If you need some HOWTOs, take a look at the netfilter website documentation section. If you have any questions about putting together a script, feel free to post a new thread, but you look like you're doing pretty well on your own so far.
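The two pieces of advice in this thread (MASQUERADE versus SNAT depending on whether the WAN address is dynamic, and DROP default policies with a hand-written rule set instead of the lokkit file) fit naturally into one small generator script. The following is an added example, not code from the thread or from any of its posters: a POSIX sh function that emits a complete iptables-restore rule set for a two-interface gateway. The interface names and the 192.168.130.0/24 subnet are taken from the thread; the optional fixed WAN address is a parameter, and 203.0.113.10 in the usage comment is a documentation address used only as a placeholder. The script only prints text, so it can be checked without root or a netfilter kernel; applying it is the last commented step.

```shell
#!/bin/sh
# Added example (not from the thread): print an iptables-restore rule set for a
# home gateway with a LAN interface, a WAN interface and a private LAN subnet.
#
# Usage: gen_rules LAN_IF WAN_IF LAN_NET [WAN_IP]
#   WAN_IP given   -> static WAN address: rewrite with SNAT
#   WAN_IP omitted -> DHCP-assigned WAN address: rewrite with MASQUERADE
gen_rules() {
    lan_if=${1:-eth0}
    wan_if=${2:-eth2}
    lan_net=${3:-192.168.130.0/24}
    wan_ip=$4

    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# Loopback and hosts on the LAN side may talk to the firewall itself.
-A INPUT -i lo -j ACCEPT
-A INPUT -i $lan_if -s $lan_net -j ACCEPT
# Replies to connections the firewall opened.
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# Services the thread exposes on the WAN side: web, https, ssh, smtp.
-A INPUT -i $wan_if -p tcp --dport 80 -m state --state NEW -j ACCEPT
-A INPUT -i $wan_if -p tcp --dport 443 -m state --state NEW -j ACCEPT
-A INPUT -i $wan_if -p tcp --dport 22 -m state --state NEW -j ACCEPT
-A INPUT -i $wan_if -p tcp --dport 25 -m state --state NEW -j ACCEPT
-A INPUT -p icmp --icmp-type echo-request -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
# Forwarding: LAN hosts may open connections outwards; only replies come back.
-A FORWARD -i $lan_if -o $wan_if -s $lan_net -j ACCEPT
-A FORWARD -i $wan_if -o $lan_if -m state --state ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
EOF
    # Source rewriting for the private subnet, chosen by WAN address type.
    if [ -n "$wan_ip" ]; then
        echo "-A POSTROUTING -o $wan_if -s $lan_net -j SNAT --to-source $wan_ip"
    else
        echo "-A POSTROUTING -o $wan_if -s $lan_net -j MASQUERADE"
    fi
    echo "COMMIT"
}

# Exact-line check of generated rule text; usable without root or iptables.
# $1: rule text, $2: the full rule line expected to be present.
rules_have() {
    printf '%s\n' "$1" | grep -Fxq -- "$2"
}

# To apply on the gateway (as root; the example address is a placeholder):
#   echo 1 > /proc/sys/net/ipv4/ip_forward
#   gen_rules eth0 eth2 192.168.130.0/24 | iptables-restore
#   gen_rules eth0 eth2 192.168.130.0/24 203.0.113.10 | iptables-restore
```

The FORWARD chain is where forwarding is actually decided: the first FORWARD rule lets LAN hosts start connections towards the WAN, the ESTABLISHED,RELATED rule lets only the replies back in, and the DROP policy plus the final REJECT make everything else explicit. The nat POSTROUTING rule is what makes the private addresses routable on the WAN side; without it the packets are forwarded but the replies never find their way home, which matches the symptom in the first post.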
 