I'm running into an odd issue with a simple masqueraded network. I've browsed the posts here and the internet but can't seem to find anyone with a similiar issue.

My network setup is as follows: I have a cable modem plugged into a windows XP machine with 2 NICs. 1 receiving the internet IP and the other an internal LAN address (192.168.0.1) going to a hub with 2 other machines (192.168.0.2 and .3). I have just recently replaced the XP "router" with a linux box, pulled 1 of the interfaces out of the XP machine and reassigned its remaining NIC with the internal address to 192.168.0.4. My linux machine now has 2 interfaces, 1 with the external IP (assigned by my ISPs dhcp server) and the other with a 192.168.0.1 address.

I have applied the basic masquerading rules:

# start rules
iptables -F
iptables -t nat -F
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
echo 1 > /proc/sys/net/ipv4/ip_forward
# stop rules

eth0 = external dynamic IP (24.170.170.xxx)
eth1 = lan IP (192.168.0.1)

I'm able to access the internet from my linux machine but cannot from my internal lan. However, I can ping my internal machines from my linux box and vise versa. I cannot ping on interface from the other though. For example, executing:

ping -I eth1 207.69.188.185

I get a Destination Host Unreachable.

However, pinging the same IP from eth0 returns results - so its definitely got a connection to the internet (I'm able to lynx to google). I'm also not able to ping eth0 from eth1 (same results).

Thought it might be a routing issue but everything looked fine. Default gateway is set when I bring up eth0. When I try to add a route for eth1 to use the gateway dhcp set in my /etc/resolve.conf (when I brought up eth0) I get a "Network is unreachable" error.

So I did a traceroute to see what my first hop was. Interesting it was a private IP: 10.107.192.1. However, the IP assigned to me when I bring up eth0 is NOT a private IP (24.170.170.186 currently).

<sigh>

XP seems to have no trouble sharing the connection but iptables is causing a log of frustration.

I'd be happy to provide any additional information you might need. Not quite sure where to go from here...

Thanks for any help!

You are getting too technical.Try to think simple.The hits from the internal network come to your gw (ie)internal ip.From there you have not routed the traffic to the external ip.(ie)from eth1 to eth0.Without which the packets comming inside your gateway will not know what is to be done.Correct me if iam wrong.

I've tried adding that route. Unless I am trying to add a route to the wrong IP....

What exactly should my route be?

eth0=24.170.170.186
eth1=192.168.0.1
default gateway=207.69.188.185

When I try to add a route from 192.168.0.0 traffic to 207.69.188.185 I get a "network is unreachable" error.

Have you enabled IPv6 forwarding?

here is a good site for you:
http://eressea.pikus.net/~pikus/plug...all/page0.html

I have a line like this in my firewall which may be of use to you.


# This rule will accept connections from local machines.
$IPTABLES -A INPUT -i lo -j ACCEPT
$IPTABLES -A INPUT -s 192.168.0.0/24 -d 0/0 -p all -j ACCEPT

As far as gateways go.... Your default gateway on the firewall should be set via DHCP from your internet provider. It should be an address in the same subnet as your external ip address. The default gateway for all your internal machines should be the firewall's internal address.

As far as iptables goes.... What is contained in your FORWARD table (iptables -L FORWARD) Packets coming in one interface and out the other hit the FORWARD table, so if the default is deny, you might be getting blocked there.

-Dewar

Thank you all for your replies! I really appreciate it.

I actually got it working. Kinda embarrassed...it turned out to be dns issues on my internal machines. Figured it out by noticing I could ping machines on the internet by their IP from my local machines. That was a giveaway.

Still don't know quite why I can't ping "pingable" internet machines from eth1 (my internal 192.168.0.1 interface) but can from machines within my lan. Oh well...not too worried about that.

Thanks again!