LinuxQuestions.org
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Security
Old 09-16-2009, 11:51 AM   #1
Sum1
Iptables: LAN clients cannot access internet


I thought I knew some fundamentals of using iptables, but no more.
It's been a while since I've set up a new linux router/firewall box.

What does function:

1. I can ssh into the box from the internet and/or from the LAN.
2. I can ping the gateway from LAN clients.
3. I can ping the ISP DNS servers' addresses from LAN clients.

What does not function:

1. LAN clients cannot access any http sites.

- - - -
I thought my configs so far had a completely open setup for traffic, only limiting incoming traffic from the internet on eth0 to RELATED,ESTABLISHED; everything else (I thought) was ready to accept all traffic in/out.

iptables -nvL:

root@joejoe:/# iptables -nvL
Chain INPUT (policy DROP 114 packets, 31643 bytes)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0
30 3192 ACCEPT all -- eth0 * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
0 0 ACCEPT tcp -- eth0 * 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:22
0 0 ACCEPT all -- eth1 * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 limit: avg 30/min burst 2

Chain FORWARD (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
6 935 ACCEPT all -- eth1 * 0.0.0.0/0 0.0.0.0/0
4 290 ACCEPT all -- * eth1 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT all -- eth0 * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT all -- * eth0 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT all -- eth1 * 192.168.195.0/24 0.0.0.0/0
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 limit: avg 30/min burst 2

Chain OUTPUT (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- * lo 0.0.0.0/0 0.0.0.0/0
24 4200 ACCEPT all -- * eth0 0.0.0.0/0 0.0.0.0/0
1 576 ACCEPT all -- * eth1 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 limit: avg 30/min burst 2

- - - -
I'm running a very simple DHCP server on eth1 (LAN-facing interface).
The config follows:
# dhcpd.conf
#
# Use this to enable / disable dynamic dns updates globally.
ddns-update-style interim;
# If this DHCP server is the official DHCP server for the local
# network, the authoritative directive should be uncommented.
authoritative;
# Use this to send dhcp log messages to a different log file (you also
# have to hack syslog.conf to complete the redirection).
log-facility local7;
# This is a very basic subnet declaration.
subnet 192.168.195.0 netmask 255.255.255.0 {
# The pool has to lie inside the declared subnet.
range 192.168.195.10 192.168.195.200;
default-lease-time 720;
max-lease-time 86400;
option subnet-mask 255.255.255.0;
# The router box is the default gateway for the LAN.
option routers 192.168.195.1;
# Both resolvers belong in one statement; a second statement replaces the first.
option domain-name-servers 68.87.71.230, 68.87.73.246;

}

- - - - -

When client machines start, they receive ip addresses successfully from the dhcp server on eth1
- - - - -
The router box itself is an HP 1U server with two Gigabit NICs.
They both have different MAC addresses and the TIGON3 drivers load with no problems.
- - - - -

So I'm stumped.
My error must be staring me in the face but I can't see it.
Thanks for reading.

p.s. - please let me know if you need to see my iptables rules; left those out so not to run on too long.

 
Old 09-16-2009, 12:05 PM   #2
estabroo
Did you turn on IP forwarding? echo 1 > /proc/sys/net/ipv4/ip_forward (can usually be permanently set in sysctl.conf)

You'll probably also need a MASQUERADE or SNAT rule, something like

iptables -t nat -A POSTROUTING -o eth0 -s 192.168.195.0/24 -j MASQUERADE
 
Old 09-16-2009, 12:31 PM   #3
sparc86
Can the LAN clients ping outside? Like ping www.website.com; are the IP addresses resolving?

Anyway, the solution above presented by estabroo should solve your problem.

 
Old 09-16-2009, 12:52 PM   #4
Sum1
Quote:
Originally Posted by estabroo
Did you turn on IP forwarding? echo 1 > /proc/sys/net/ipv4/ip_forward (can usually be permanently set in sysctl.conf)

You'll probably also need a MASQUERADE or SNAT rule, something like

iptables -t nat -A POSTROUTING -o eth0 -s 192.168.195.0/24 -j MASQUERADE
Yes - cat /proc/sys/net/ipv4/ip_forward
produces result "1"

Yes, I have the following:
# External Network Interface
SKYWAY="eth0"
# Internal Network Interface
LAN1="eth1"
# Internal Subnet
SUBNET1="192.168.195.0/24"

$IPT -t nat -A POSTROUTING -o $SKYWAY -s $SUBNET1 -j MASQUERADE
 
Old 09-16-2009, 12:53 PM   #5
Sum1
Quote:
Originally Posted by sparc86
Can the LAN clients ping outside? Like ping www.website.com; are the IP addresses resolving?
I have not tried that, will do so and report back in a few mins.
 
Old 09-16-2009, 01:07 PM   #6
Sum1
Quote:
Originally Posted by Sum1
I have not tried that, will do so and report back in a few mins.
Test results yield successful ping of the following:

www.distrowatch.com
www.yahoo.com
www.google.com
www.linuxquestions.org

When I try "links http://www.distrowatch.com" I see "request sent" at the bottom of the screen, but the site (and the others too) will not load.
 
Old 09-16-2009, 01:13 PM   #7
Sum1
Here's the iptables:

#!/bin/bash

# Location in which iptables initscript will save set rules on
# service shutdown
#IPTABLES_SAVE="/var/lib/iptables/rules-save"
# Options to pass to iptables-save and iptables-restore
#SAVE_RESTORE_OPTIONS="-c"
# Save state on stopping iptables
#SAVE_ON_STOP="yes"

# External Network Interface
SKYWAY="eth0"
# Internal Network Interface
LAN1="eth1"
# Internal Subnet
SUBNET1="192.168.195.0/24"

IPT="/usr/sbin/iptables"
MPROBE="/sbin/modprobe"

echo "Flush any/all rules previously existing."
echo "Set policies."
$IPT -t filter -F
$IPT -t filter -X
$IPT -t nat -F
$IPT -t nat -X
$IPT -P INPUT DROP
$IPT -P OUTPUT DROP
$IPT -P FORWARD DROP

echo "Reload necessary modules."
$MPROBE ip_tables
$MPROBE nf_conntrack
$MPROBE nf_conntrack_ipv4
$MPROBE nf_nat
$MPROBE xt_state
$MPROBE xt_tcpudp
$MPROBE ipt_REJECT
$MPROBE ipt_LOG
$MPROBE ipt_state
$MPROBE ipt_MASQUERADE
$MPROBE ip_conntrack
$MPROBE ip_conntrack_ftp
$MPROBE iptable_mangle
$MPROBE iptable_nat
$MPROBE iptable_filter

echo "lo"
$IPT -t filter -A INPUT -i lo -j ACCEPT
$IPT -t filter -A OUTPUT -o lo -j ACCEPT

echo "input"
$IPT -t filter -A INPUT -i $SKYWAY -m state --state RELATED,ESTABLISHED -j ACCEPT
$IPT -t filter -A INPUT -i $SKYWAY -p tcp -m state --state NEW --dport 22 -j ACCEPT
$IPT -t filter -A INPUT -i $LAN1 -j ACCEPT
$IPT -t filter -A INPUT -p icmp -m limit --limit 30/minute --limit-burst 2 -j ACCEPT

echo "output"
$IPT -t filter -A OUTPUT -o $SKYWAY -j ACCEPT
$IPT -t filter -A OUTPUT -o $LAN1 -j ACCEPT
$IPT -t filter -A OUTPUT -p icmp -m limit --limit 30/minute --limit-burst 2 -j ACCEPT

echo "forward"
$IPT -t filter -A FORWARD -i $LAN1 -j ACCEPT
$IPT -t filter -A FORWARD -o $LAN1 -j ACCEPT
$IPT -t filter -A FORWARD -i $SKYWAY -j ACCEPT
$IPT -t filter -A FORWARD -o $SKYWAY -j ACCEPT
$IPT -t filter -A FORWARD -i $LAN1 -s $SUBNET1 -j ACCEPT
$IPT -t filter -A FORWARD -p icmp -m limit --limit 30/minute --limit-burst 2 -j ACCEPT

echo "prerouting/postrouting"
$IPT -t nat -A POSTROUTING -o $SKYWAY -s $SUBNET1 -j MASQUERADE
echo 1 > /proc/sys/net/ipv4/ip_forward
echo "Netfilter framework is set."
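The script above forwards anything that arrives on $SKYWAY and anything that leaves through it, and accepts anything from $LAN1 on the router itself, none of it qualified by connection state; the DROP policies never get a chance to apply to forwarded traffic. As an added example (not the script from the post, nor a fix for the symptom being discussed), here is the same LAN-behind-NAT router written default-deny and stateful. The interface names and subnet are assumptions copied from the post; ssh on 22/tcp and DHCP on 67/udp are the only services the router itself answers.

```shell
#!/bin/sh
# Added example, not the script from the post: default-deny, stateful version
# of the same LAN -> WAN NAT router. eth0 outside, eth1 inside and
# 192.168.195.0/24 are assumptions copied from the post.
# With no argument the script prints the rules it would load; "apply" as root
# loads them for real.
WAN="${WAN:-eth0}"
LAN="${LAN:-eth1}"
LAN_NET="${LAN_NET:-192.168.195.0/24}"
MODE="${1:-print}"

# ipt: print the iptables command, or run it when MODE=apply.
ipt() {
    if [ "$MODE" = apply ]; then
        /usr/sbin/iptables "$@"
    else
        echo "iptables $*"
    fi
}

router_rules() {
    ipt -t filter -F; ipt -t filter -X; ipt -t nat -F; ipt -t nat -X
    ipt -P INPUT DROP; ipt -P FORWARD DROP; ipt -P OUTPUT ACCEPT

    # INPUT (the router itself): loopback, replies to its own connections,
    # ssh, DHCP requests from the LAN, and rate-limited echo requests.
    # Nothing is accepted merely because it arrived on the inside interface.
    ipt -A INPUT -i lo -j ACCEPT
    ipt -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    ipt -A INPUT -m state --state INVALID -j DROP
    ipt -A INPUT -p tcp --dport 22 -m state --state NEW -j ACCEPT
    ipt -A INPUT -i "$LAN" -p udp --dport 67 -j ACCEPT
    ipt -A INPUT -p icmp --icmp-type echo-request -m limit --limit 30/minute --limit-burst 2 -j ACCEPT

    # FORWARD: the LAN may open flows toward the WAN; the WAN side only gets
    # packets that belong to a flow the LAN started. There is no rule that
    # accepts on the basis of "arrived on eth0".
    ipt -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    ipt -A FORWARD -m state --state INVALID -j DROP
    ipt -A FORWARD -i "$LAN" -o "$WAN" -s "$LAN_NET" -m state --state NEW -j ACCEPT

    # NAT: rewrite LAN sources to the WAN address on the way out.
    ipt -t nat -A POSTROUTING -o "$WAN" -s "$LAN_NET" -j MASQUERADE
}

router_rules
if [ "$MODE" = apply ]; then
    echo 1 > /proc/sys/net/ipv4/ip_forward
fi
```

Run it without arguments first and read the printed commands; the only FORWARD rule that admits new connections names both interfaces and the inside subnet, so a packet from the outside that does not match an existing conntrack entry falls through to the DROP policy.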
 
Old 09-16-2009, 01:33 PM   #8
estabroo
If you switch your default policy to ACCEPT, does it work? That would let you know if you need more rules to fix the issue.
 
Old 09-16-2009, 01:44 PM   #9
Sum1
Quote:
Originally Posted by estabroo
If you switch your default policy to ACCEPT, does it work? That would let you know if you need more rules to fix the issue.
Will test and try to get back in a few mins.
Thanks for your time and patience.
 
Old 09-16-2009, 01:44 PM   #10
harsshal
Try
Code:
service iptables stop
If the client works fine after that, it means there is a problem with iptables.
If it doesn't, start iptables and search for other flaws.
 
Old 09-16-2009, 01:57 PM   #11
Sum1
Quote:
Originally Posted by estabroo
If you switch your default policy to ACCEPT, does it work? That would let you know if you need more rules to fix the issue.
No, does not work.
Changed INPUT, OUTPUT, and FORWARD policy (-P) to ACCEPT and no success.
LAN client can ping previously listed sites, but browser requests are not returned.
 
Old 09-16-2009, 02:04 PM   #12
Sum1
Quote:
Originally Posted by harsshal
Try
Code:
service iptables stop
If the client works fine after that, it means there is a problem with iptables.
If it doesn't, start iptables and search for other flaws.
Thanks for the suggestion.
I'm running out of time for today; I have a meeting shortly.
Will test tomorrow morning and see if progress can be made.
 
Old 09-16-2009, 03:39 PM   #13
Sum1
Quote:
Originally Posted by harsshal
Try
Code:
service iptables stop
If the client works fine after that, it means there is a problem with iptables.
If it doesn't, start iptables and search for other flaws.
Heh, was able to get out of meeting early.

Tested iptables stop, and still no go.
The same as before: I can ping anything on the net, but cannot retrieve web pages to LAN clients in a browser.
 
Old 09-17-2009, 01:01 AM   #14
win32sux
Could it be that your LAN clients are configured to use some non-existent proxy server?
 
Old 09-17-2009, 07:08 AM   #15
Sum1
Quote:
Originally Posted by win32sux
Could it be that your LAN clients are configured to use some non-existent proxy server?
I don't think so.
At first, I tested with Win XP Pro clients connected to eth1 (LAN interface) by a switch.
But since the initial failures, I've used my linux notebook directly plugged into the CAT5 cable running from eth1 on the routerbox.

The notebook has Slackware 13 and is set to use DHCP for acquiring an IP address.

Is it possible a proxy is installed on the routerbox, or am I simply missing a proper iptables rule to FORWARD port 80 requests?
Where can I look and what should I be looking for regarding possible proxy on the routerbox?
Routerbox is using Slackware 13 too - fresh install about 2 weeks ago - installed almost everything except X, X apps., and KDE.

Thanks for your time and help.
 
  

