Steve,
Your set-up gave me a headache trying to picture it so I had to draw it in the end.
Anyway I can see your mistake.
You have forgotten to add input and output rules that let the forward MASQ rule work and let the reply packets come back in through the input chain.
Then they are forwarded to your MASQ setting.
Try this in your rc.firewall script instead.
I've added some settings to help speed up your connection and confuse OS fingerprint scans, plus stop DoS attacks etc.
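#!/bin/sh
# rc.firewall: masquerading gateway set-up (LAN on eth1, 10.1.1.0/24).
#
# Loads the masquerade helper modules, tunes the IPv4 stack and installs a
# single MASQ rule. The input and output policies stay ACCEPT, so this
# script by itself does NOT filter anything - pair it with a filtering
# rule set.

readonly LAN_IF=eth1
readonly LAN_NET=10.1.1.0/24

# proc_set FILE VALUE: write VALUE to a /proc/sys entry; warn and carry on
# when this kernel does not provide the entry instead of failing silently.
proc_set() {
  if [ -w "$1" ]; then
    echo "$2" > "$1"
  else
    printf 'rc.firewall: %s not available, skipped\n' "$1" >&2
  fi
}

# sysctl_set KEY VALUE: same idea for keys set through sysctl(8).
sysctl_set() {
  sysctl -w "$1=$2" || printf 'rc.firewall: sysctl %s failed, skipped\n' "$1" >&2
}

/sbin/depmod -a
# protocol helpers so masqueraded clients can use FTP (data channel) and RealAudio
/sbin/modprobe ip_masq_ftp
/sbin/modprobe ip_masq_raudio

# TCP timers and limits.
# NOTE(review): the net.ipv4.vs.* keys look like IP Virtual Server (IPVS)
# settings rather than masquerade settings - confirm they exist on your
# kernel; if not they are skipped with a warning and the masquerade
# timeouts are the ones set with "ipchains -M -S" below.
sysctl_set net.ipv4.vs.timeout_established 3600
sysctl_set net.ipv4.tcp_syn_retries 5
sysctl_set net.ipv4.vs.timeout_synack 60
sysctl_set net.ipv4.route.mtu_expires 512
sysctl_set net.ipv4.tcp_keepalive_time 3600
sysctl_set net.ipv4.icmp_echoreply_rate 10
sysctl_set net.ipv4.tcp_fin_timeout 360
sysctl_set net.ipv4.tcp_rfc1337 1

proc_set /proc/sys/net/ipv4/ip_no_pmtu_disc 0
# forwarding must be on for the MASQ rule to do anything
proc_set /proc/sys/net/ipv4/ip_forward 1
proc_set /proc/sys/net/ipv4/tcp_syncookies 1
proc_set /proc/sys/net/ipv4/ip_always_defrag 1
proc_set /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts 1
proc_set /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses 1
# reverse-path filter: drop packets whose source is not routable via the
# interface they arrived on (basic anti-spoofing)
proc_set /proc/sys/net/ipv4/conf/all/rp_filter 1
proc_set /proc/sys/net/ipv4/conf/all/accept_redirects 0
# non-default TTL makes TTL-based OS fingerprinting less reliable
proc_set /proc/sys/net/ipv4/ip_default_ttl 61
proc_set /proc/sys/net/ipv4/conf/all/send_redirects 0

# only set these if you have more than about a 400 kb/s connection, i.e. DSL
proc_set /proc/sys/net/core/rmem_default 262144
proc_set /proc/sys/net/core/rmem_max 262144
proc_set /proc/sys/net/core/wmem_default 262144
proc_set /proc/sys/net/core/wmem_max 262144

# From here on any failure aborts: a half-loaded rule set is worse than none.
set -e
ipchains -F
ipchains -P input ACCEPT
ipchains -P output ACCEPT
ipchains -P forward REJECT
# masquerade table timeouts: tcp, tcp-fin, udp (seconds)
ipchains -M -S 7200 10 60
# magic NAT setting for MASQing: only traffic from the LAN net on the LAN
# interface is masqueraded; everything else hits the forward REJECT policy
ipchains -A forward -i "$LAN_IF" -s "$LAN_NET" -j MASQ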
-----------
Then you have to add some rules to stop people hacking your Linux box, i.e. a good firewall together with your NATwall.
example:
LAN = 192.168.0.1 "eth0"
External = 192.168.100.10 "eth0:0"
-------------- oooo ---------------
Now put this into your /etc/rc.d/firewall.sh script.
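#!/bin/sh
# firewall script by Raz
#
# Example layout (change the variables below to match yours):
#   LAN side       192.168.0.1     on eth0    (LAN is 192.168.0.0/24)
#   External side  192.168.100.10  on eth0:0
# The policy on all three chains is REJECT, so anything not explicitly
# allowed below is refused. Keep new rules as narrow as these: protocol,
# address and port.
set -e

readonly LAN_IF=eth0
readonly LAN_IP=192.168.0.1
readonly LAN_NET=192.168.0.0/24
readonly EXT_IF=eth0:0
readonly EXT_IP=192.168.100.10
# the one LAN host allowed to connect to the firewall for administration
readonly ADMIN_HOST=192.168.0.122
# 22 for ssh; change to 23 if you need telnet instead
readonly ADMIN_PORT=22
# don't know your DNS servers' addresses, so these stand in for them - replace
readonly DNS1=154.67.86.2
readonly DNS2=154.67.85.2
readonly HIGH_PORTS=1023:65535

# proc_set FILE VALUE: write VALUE to a /proc/sys entry; warn and carry on
# when this kernel does not provide the entry.
proc_set() {
  if [ -w "$1" ]; then
    echo "$2" > "$1"
  else
    printf 'firewall: %s not available, skipped\n' "$1" >&2
  fi
}

command -v ipchains >/dev/null 2>&1 || {
  printf 'firewall: ipchains not found\n' >&2
  exit 1
}

# kernel settings
proc_set /proc/sys/net/ipv4/ip_forward 1
proc_set /proc/sys/net/ipv4/tcp_syncookies 1
proc_set /proc/sys/net/ipv4/ip_always_defrag 1
proc_set /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts 1
proc_set /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses 1
# reverse-path filter: basic anti-spoofing done by the kernel
proc_set /proc/sys/net/ipv4/conf/all/rp_filter 1
proc_set /proc/sys/net/ipv4/conf/all/accept_redirects 0
proc_set /proc/sys/net/ipv4/conf/all/send_redirects 0

# clear all ipchains settings
ipchains -F
# Deny all access to the server: secure mode enabled. Policies go in first
# so that if a later rule fails to load the box is closed, not open.
ipchains -P input REJECT
ipchains -P output REJECT
ipchains -P forward REJECT
# masquerade table timeouts: tcp, tcp-fin, udp (seconds)
ipchains -M -S 4800 10 60
# magic NAT setting for MASQing
# only used so the internal LAN can use the firewall as gateway to the internet etc.
ipchains -A forward -s "$LAN_NET" -j MASQ

# allows access to the server from loopback and the internal LAN only
ipchains -A input -i lo -j ACCEPT
ipchains -A output -i lo -j ACCEPT
ipchains -A input -i "$LAN_IF" -s "$LAN_NET" -j ACCEPT
ipchains -A output -i "$LAN_IF" -d "$LAN_NET" -j ACCEPT

# stops spoof attacks and Windows netbios noise in every direction
for chain in input forward output; do
  for proto in tcp udp; do
    ipchains -A "$chain" -p "$proto" -s 0/0 --dport 137:139 -j REJECT
  done
done

# anti-spoofing: refuse and log packets arriving on the external side that
# claim a private, loopback or broadcast source, or a 0.0.0.0 destination.
# NOTE(review): ipchains matches the physical device name, and eth0:0 is an
# IP alias of eth0, so "-i $EXT_IF" is not expected to match any packet -
# confirm on your kernel. If it does not, match the external address
# ("-d $EXT_IP") instead of the interface; do not just drop the "-i",
# because in this example the upstream side is itself a 192.168.100.x net
# and the 192.168.0.0/16 rule would then cut it off.
for bad_src in 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16 127.0.0.0/8; do
  ipchains -A input -i "$EXT_IF" -s "$bad_src" -d 0/0 -j REJECT -l
done
ipchains -A input -i "$EXT_IF" -s 255.255.255.255 -j REJECT -l
ipchains -A input -i "$EXT_IF" -d 0.0.0.0 -j REJECT -l

# turns off tracerouting to you (EXTERNAL IP used). traceroute probes are
# UDP sent *to* ports 33434 and up, so the range belongs on the destination
# side; the previous version put it on the source side and never matched.
ipchains -A input -p udp -s 0/0 -d "$EXT_IP" 33434:33600 -j DENY -l

# access allowed from the internet to the website, port 80 only
ipchains -A input -p tcp -s 0/0 --sport "$HIGH_PORTS" -d "$EXT_IP" --dport 80 -j ACCEPT
ipchains -A output -p tcp -s "$EXT_IP" --sport 80 -d 0/0 -j ACCEPT

# DNS lookups allowed only to the two configured servers ("! -y" = no new
# inbound connections, replies only)
ipchains -A output -p tcp -s "$EXT_IP" "$HIGH_PORTS" --dport 53 -j ACCEPT
for ns in "$DNS1" "$DNS2"; do
  ipchains -A input -p tcp ! -y -s "$ns" --sport 53 -d "$EXT_IP" "$HIGH_PORTS" -j ACCEPT
done
ipchains -A output -p udp -s "$EXT_IP" "$HIGH_PORTS" --dport 53 -d 0/0 -j ACCEPT
for ns in "$DNS1" "$DNS2"; do
  ipchains -A input -p udp -s "$ns" --sport 53 -d "$EXT_IP" "$HIGH_PORTS" -j ACCEPT
done

# allow the firewall itself and the masqueraded LAN users to surf:
# HTTP 80, HTTPS 443 and proxy 8080. The -t option sets TOS minimise-delay
# on outgoing HTTP to improve interactive speed.
ipchains -A output -p tcp -s 0/0 "$HIGH_PORTS" --dport 80 -t 0x01 0x10 -j ACCEPT
ipchains -A input -p tcp ! -y -s 0/0 --sport 80 -d "$EXT_IP" "$HIGH_PORTS" -j ACCEPT
ipchains -A output -p tcp -s 0/0 "$HIGH_PORTS" --dport 443 -j ACCEPT
ipchains -A input -p tcp ! -y -s 0/0 --sport 443 -d "$EXT_IP" "$HIGH_PORTS" -j ACCEPT
ipchains -A output -p tcp -s 0/0 "$HIGH_PORTS" --dport 8080 -t 0x01 0x10 -j ACCEPT
ipchains -A input -p tcp ! -y -s 0/0 --sport 8080 -d "$EXT_IP" "$HIGH_PORTS" -j ACCEPT

# example to allow users to use MSN messenger (replies only from the MSN net)
ipchains -A output -p tcp -s "$EXT_IP" "$HIGH_PORTS" --dport 1863 -j ACCEPT
ipchains -A input -p tcp ! -y -s 64.4.13.0/24 --sport 1863 -d "$EXT_IP" "$HIGH_PORTS" -j ACCEPT

# ssh (or telnet) to the firewall from the one admin host on the LAN, logged.
# A client connects from a high port *to* port $ADMIN_PORT, so the service
# port belongs on the firewall's side; the previous version had the sides
# swapped. Note these rules are shadowed by the $LAN_NET ACCEPT rules above,
# which accept (and do not log) all LAN traffic first; narrow those if you
# want only the admin host in and these log lines to appear.
ipchains -A input -p tcp -s "$ADMIN_HOST" "$HIGH_PORTS" -d "$LAN_IP" "$ADMIN_PORT" -j ACCEPT -l
ipchains -A output -p tcp -s "$LAN_IP" "$ADMIN_PORT" -d "$ADMIN_HOST" "$HIGH_PORTS" -j ACCEPT

# now the fun bit: log people probing the firewall. Connection attempts to
# the external address on ports this box does not serve are rejected and
# logged to the messages file, which shows up port-counting scans.
for port in 2 3 4 5 6 7 8 20 21 23 25 53 79 110 111 113 443 8080 6000; do
  ipchains -A input -p tcp -s 0/0 -d "$EXT_IP" --dport "$port" -j REJECT -l
done

# icmp pings and pongs etc: allow everything out, and in only the types
# needed for the stack to work: echo-reply(0) dest-unreachable(3)
# source-quench(4) router-advert(9) time-exceeded(11) parameter-problem(12)
# timestamp-reply(14) address-mask-reply(18)
ipchains -A output -p icmp -s 0/0 -d 0/0 -j ACCEPT
for icmp_type in 0 3 4 9 11 12 14 18; do
  ipchains -A input -p icmp -s 0/0 --icmp-type "$icmp_type" -d 0/0 -j ACCEPT
done
# drop and log echo-request(8), redirect(5) and router-solicitation(10);
# changing the list above breaks the ICMP feedback the stack relies on
for icmp_type in 8 5 10; do
  ipchains -A input -p icmp -s 0/0 --icmp-type "$icmp_type" -d 0/0 -j DENY -l
done
# done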
Have fun..
/raz