My internet lagged, this was a repost of the last reply.

Was this using my script?

Did you make the script completely in linux and not windoze, if you cut and paste from windows you can put errors in the script and it wont execute properly

No, this is lqorg_user's script, I appended it to my script and I got those errors.
It turns out that gvim put line breaks in the command so it didn't work.
All commands 'work' now, but forwarding still doesn't work.
Here is my revised script (mostly for testing as there is no protection):
#!/bin/sh
#modprobe iptable_nat
#echo 1 > /proc/sys/net/ipv4/ip_forward
iptables -F
iptables -X
iptables -P OUTPUT ACCEPT
iptables -P FORWARD ACCEPT
iptables -P INPUT ACCEPT
#iptables -A INPUT -i ppp0 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -i ppp0 -j ACCEPT
iptables -A OUTPUT -o ppp0 -j ACCEPT
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
iptables -A INPUT -i eth0 -j ACCEPT
iptables -A OUTPUT -o eth0 -j ACCEPT
#changed for my protection.
iptables -t nat -A PREROUTING -p tcp -m tcp -d $MYREALIP --dport 80 -j DNAT --to 192.168.0.101:80
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -p tcp -m state --state NEW -d 192.168.0.101 --dport 80 -j ACCEPT
iptables -A FORWARD -p tcp -m state --state NEW -d 192.168.0.101 --dport 443 -j ACCEPT
echo 1 > /proc/sys/net/ipv4/conf/all/rp_filter

I run that on my dailup computer. Did I set the rp_filter correctly?

Here is the iptables -L output:
Chain INPUT (policy ACCEPT)
target prot opt source destination
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere

Chain FORWARD (policy ACCEPT)
target prot opt source destination
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT tcp -- anywhere 192.168.0.101 state NEW tcp dpt:http
ACCEPT tcp -- anywhere 192.168.0.101 state NEW tcp dpt:https

Chain OUTPUT (policy ACCEPT)
target prot opt source destination
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere

What's wrong?

Thank you for your help.

P.S. I set rp_filter to 0 on the internal computer, is that correct?

Ok there a several errors with your script, firstly you have the default policy set ACCEPT for all your INPUT,OUTPUT and FORWARD chains. The iptables script reads from top to bottom so it's important where the rules are go. By having the default policy set to ACCEPT this will be the first rule that iptables reads so it will pass the data packet on without reading you other rules further down the script.

Also to use the -m state rule you need to load the ipt_state module, unless you recompiled your kernel to include the module. so yo will need to have modprobe ipt_state in your script at the top. Also line breaks? are you referring to line gaps between the rules? it's ok to have gaps in the script I have many in mine and it works fine for me. Maybe incorporate some of my script to load some of the modules will help, i'll have a go at making a little script out of mine to suit what you have posted and see if that will work for you:


#######################################################################
#!/bin/sh

IPTABLES="/usr/sbin/iptables"

echo "1" > /proc/sys/net/ipv4/ip_forward
echo "1" > /proc/sys/net/ipv4/conf/all/rp_filter
echo "1" > /proc/sys/net/ipv4/conf/all/log_martians
echo 0 > /proc/sys/net/ipv4/tcp_timestamps
echo 1 > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses
echo "1" > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
echo "1" > /proc/sys/net/ipv4/icmp_echo_ignore_all
echo "0" > /proc/sys/net/ipv4/conf/all/accept_source_route
echo "0" > /proc/sys/net/ipv4/conf/all/send_redirects
echo "0" > /proc/sys/net/ipv4/tcp_ecn
echo "1" > /proc/sys/net/ipv4/tcp_syncookies
echo "0" > /proc/sys/net/ipv4/conf/all/accept_redirects
echo "0" > /proc/sys/net/ipv4/conf/all/secure_redirects
#128 MB of RAM -> 8192 possible entries, 256 MB of RAM --> 16376 possible entries, etc...
echo 8192 > /proc/sys/net/ipv4/ip_conntrack_max
echo 10 > /proc/sys/net/ipv4/tcp_fin_timeout
echo 1800 > /proc/sys/net/ipv4/tcp_keepalive_time
echo 0 > /proc/sys/net/ipv4/tcp_window_scaling
echo 0 > /proc/sys/net/ipv4/tcp_sack
echo 15 > /proc/sys/net/ipv4/ipfrag_time
echo 2048 > /proc/sys/net/ipv4/tcp_max_syn_backlog
echo "32768 61000" > /proc/sys/net/ipv4/ip_local_port_range
echo "2" > /proc/sys/net/ipv4/tcp_synack_retries
echo "1" > /proc/sys/net/ipv4/ip_dynaddr

## Reduce DoS'ing ability by reducing timeouts

echo 30 > /proc/sys/net/ipv4/tcp_fin_timeout
echo 2400 > /proc/sys/net/ipv4/tcp_keepalive_time
echo 0 > /proc/sys/net/ipv4/tcp_window_scaling
echo 0 > /proc/sys/net/ipv4/tcp_sack

$IPTABLES -F
$IPTABLES -F -t mangle
$IPTABLES -F -t nat
$IPTABLES -X
$IPTABLES -X -t mangle
$IPTABLES -X -t nat
$IPTABLES -t nat -P POSTROUTING ACCEPT
$IPTABLES -t nat -P PREROUTING ACCEPT
$IPTABLES -t nat -P OUTPUT ACCEPT

## Set default policies to DROP

$IPTABLES -P INPUT DROP
$IPTABLES -P FORWARD DROP
$IPTABLES -P OUTPUT ACCEPT


#######################################################################
# lets forward to your web server

$IPTABLES -A INPUT -p tcp -i ppp0 --dport 80 -m state --state NEW -j ACCEPT
$IPTABLES -A PREROUTING -t nat -p tcp -i ppp0 --dport 80 -m state --state NEW -j DNAT --to 192.168.0.101:80
$IPTABLES -A FORWARD -p tcp -o eth0 -d 192.168.0.101 --dport 80 -m state --state NEW -j ACCEPT

# lets forward secure web to your server

$IPTABLES -A INPUT -p tcp -i ppp0 --dport 443 -m state --state NEW -j ACCEPT
$IPTABLES -A PREROUTING -t nat -p tcp -i ppp0 --dport 443 -m state --state NEW -j DNAT --to 192.168.0.101:443
$IPTABLES -A FORWARD -p tcp -o eth0 -d 192.168.0.101 --dport 443 -m state --state NEW -j ACCEPT

#######################################################################
# Genera Rules
#
# INTENET --> FIREWALL/LOCAL NETWORK
#
# allow connections to the router from the internet

$IPTABLES -A INPUT -i ppp0 -m state --state ESTABLISHED,RELATED -j ACCEPT

# allow routing traffic to machines on your local network

$IPTABLES -A FORWARD -o eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT

#######################################################################
# FIREWALL/LOCAL NETWORK --> INTERNET
#
# lets allow all data from the internal network connect to the firewall

$IPTABLES -A INPUT -i eth0 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT

# lets allow all data from the local network go out to the internet

$IPTABLES -A FORWARD -o ppp0 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT

# lets masqureade all local traffic to have the ip address of your ppp0 device as it goes out to the internet

$IPTABLES -t nat -A POSTROUTING -o ppp0 -j MASQUERADE

#######################################################################
exit 0
# End of Script
#######################################################################

This is a small script with no logging but it should get you out of trouble, let me know if it works

Nope, still doesn't seem to work.
I thank you for all your help so far tho.
I ran the script and everything looks good. When I try to connect over the net to my machine it just sits there saying connecting, so something must be right but it never connects.

Chain INPUT (policy DROP)
target prot opt source destination
ACCEPT tcp -- anywhere anywhere tcp dpt:http state
NEW
ACCEPT tcp -- anywhere anywhere tcp dpt:https state
NEW
ACCEPT all -- anywhere anywhere state RELATED,ESTAB
LISHED
ACCEPT all -- anywhere anywhere state NEW,RELATED,E
STABLISHED

Chain FORWARD (policy DROP)
target prot opt source destination
ACCEPT tcp -- anywhere 192.168.0.101 tcp dpt:http state
NEW
ACCEPT tcp -- anywhere 192.168.0.101 tcp dpt:https state
NEW
ACCEPT all -- anywhere anywhere state RELATED,ESTAB
LISHED
ACCEPT all -- anywhere anywhere state NEW,RELATED,E
STABLISHED

Chain OUTPUT (policy ACCEPT)
target prot opt source destination

Not connecting over the net do you mean coming from the internet to the router it's hanging and not forwarding throught to the web server or the web server is hanging connnecting to the router and not getting to the internet?

Also is the machine with the dialip modem being used as a workstation or just as a router?

Unfortunately I have had no experience with dialup modems in linux, I have been lucky and had cable or adsl so I pretty well hit and miss with this problem

I have 2 comptuers:
one is named Kruncher = dialup
the other is Test = lan http server

I have a router setup (a store bought, belkin) for my network.
When Kruncher connects to the internet it's just him connected, there is no hardware firewall, just that script up there that runs everytime I startup.

When I try to connect from the dialup machine (Kruncher) over the net to Kruncher it just sits there (in firefox) saying "connecting" but never connects or does anything.

I don't know why it doesn't work, but I do know for sure that my ISP does NOT block port 80 (I check that by running apache from Kruncher).

Thank you for your help so far.

Sorry to be a pain just want to be clear about your setup, your belkin router is it an adsl router not a 56 k dialup phone modem? how does the belkin connect to kruncher, is it through an ethernet cable (plugs into a network card) or an usb connnection? Just by the way you explaned you have a router in front of cruncher leads me to believe you have a adsl modem. When you said dialup I assumed you had an internal 56 k dialup modem ( the one your phone line connects too) in your machine this will make a differenace to the script slightly.

Here is a little diagram of my setup:

Kruncher is my desktop, nothing special about it other than it can connect to the internet.
Test is my test computer running a webserver for internal testing.

I just wanna be able to forward Tests server so I can use it for external testing (e.g. over the net).

Hope this clears it all up.

* I could use a switch but I want DHCP and also the ability later on to have Broadband.

Ok makes sense now, if you want to run dhcp for your test machine just use kruncher for that, it's really easy to setup dhcp server under linux. dhcp server uses the /etc/dhcpd.conf file for it's configuration here's an example:

authoritative;
ddns-update-style interim;
subnet 192.168.0.0 netmask 255.255.255.0 {
range 192.168.0.50 192.168.0.60;
default-lease-time 259200;
max-lease-time 518400;
option subnet-mask 255.255.255.0;
option broadcast-address 192.168.0.255;
option routers 192.168.0.1; # gateway address for test machine eth0 ipaddress of kruncher
option domain-name-servers 192.168.0.1; # change 192.168.0.1 address to your ISP's dns servers seperate each by a space
}

# if you want to assign ipaddress to apecific machine use this option with the above

host test {
option host-name "test.example.com";
hardware ethernet 00:A1D:74:C3:F2;
fixed-address 192.168.0.101;
}

Then just type dhcpd in the command line and your server will start. Then to start the server at boot time just add the same to your /etc/rc.d/rc.local file

echo "dhcpd" >> /etc/rc.d/rc.local

That will do the forwarding?
I already have DHCP on the router, thats how my computers get there internal IPs.

I just thought if you would like to swap the belkin router for a switch you could just let kruncher do the dhcp addressing for you.

No, there would be no point. When I finally get broadband the router will come in handy, and with the way its set up now all I have to do is hookup the modem to it and im good to go. If I went your way I would have to redo everything. Thanks for the idea tho, I might use it later on.

So any ideas on how I can get the forwarding to work?

Thanks for your time.

Just going that script I wrote and I forgot to load the modules for the script this maybe why it's not working,
Sorry for getting back late have exams and stuff for uni.

#######################################################################
#!/bin/sh

IPTABLES="/usr/sbin/iptables"

dmesg -n 1 ## Kill copyright display on module load
dmesg -n 6
/sbin/modprobe ip_tables
/sbin/modprobe iptable_filter
/sbin/modprobe iptable_mangle
/sbin/modprobe iptable_nat
/sbin/modprobe ipt_TOS
/sbin/modprobe ip_conntrack
/sbin/modprobe ip_nat_irc
/sbin/modprobe ip_nat_ftp
/sbin/modprobe ip_conntrack_ftp
/sbin/modprobe ip_conntrack_irc
/sbin/modprobe ipt_limit
/sbin/modprobe ipt_state
/sbin/modprobe ipt_LOG
/sbin/modprobe ipt_MASQUERADE
/sbin/modprobe ipt_mac

echo "1" > /proc/sys/net/ipv4/ip_forward
echo "1" > /proc/sys/net/ipv4/conf/all/rp_filter
echo "1" > /proc/sys/net/ipv4/conf/all/log_martians
echo 0 > /proc/sys/net/ipv4/tcp_timestamps
echo 1 > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses
echo "1" > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
echo "1" > /proc/sys/net/ipv4/icmp_echo_ignore_all
echo "0" > /proc/sys/net/ipv4/conf/all/accept_source_route
echo "0" > /proc/sys/net/ipv4/conf/all/send_redirects
echo "0" > /proc/sys/net/ipv4/tcp_ecn
echo "1" > /proc/sys/net/ipv4/tcp_syncookies
echo "0" > /proc/sys/net/ipv4/conf/all/accept_redirects
echo "0" > /proc/sys/net/ipv4/conf/all/secure_redirects
#128 MB of RAM -> 8192 possible entries, 256 MB of RAM --> 16376 possible entries, etc...
echo 8192 > /proc/sys/net/ipv4/ip_conntrack_max
echo 10 > /proc/sys/net/ipv4/tcp_fin_timeout
echo 1800 > /proc/sys/net/ipv4/tcp_keepalive_time
echo 0 > /proc/sys/net/ipv4/tcp_window_scaling
echo 0 > /proc/sys/net/ipv4/tcp_sack
echo 15 > /proc/sys/net/ipv4/ipfrag_time
echo 2048 > /proc/sys/net/ipv4/tcp_max_syn_backlog
echo "32768 61000" > /proc/sys/net/ipv4/ip_local_port_range
echo "2" > /proc/sys/net/ipv4/tcp_synack_retries
echo "1" > /proc/sys/net/ipv4/ip_dynaddr

## Reduce DoS'ing ability by reducing timeouts

echo 30 > /proc/sys/net/ipv4/tcp_fin_timeout
echo 2400 > /proc/sys/net/ipv4/tcp_keepalive_time
echo 0 > /proc/sys/net/ipv4/tcp_window_scaling
echo 0 > /proc/sys/net/ipv4/tcp_sack

$IPTABLES -F
$IPTABLES -F -t mangle
$IPTABLES -F -t nat
$IPTABLES -X
$IPTABLES -X -t mangle
$IPTABLES -X -t nat
$IPTABLES -t nat -P POSTROUTING ACCEPT
$IPTABLES -t nat -P PREROUTING ACCEPT
$IPTABLES -t nat -P OUTPUT ACCEPT

## Set default policies to DROP

$IPTABLES -P INPUT DROP
$IPTABLES -P FORWARD DROP
$IPTABLES -P OUTPUT ACCEPT


#######################################################################
# lets forward to your web server

$IPTABLES -A INPUT -p tcp -i ppp0 --dport 80 -m state --state NEW -j ACCEPT
$IPTABLES -A PREROUTING -t nat -p tcp -i ppp0 --dport 80 -m state --state NEW -j DNAT --to 192.168.0.101:80
$IPTABLES -A FORWARD -p tcp -o eth0 -d 192.168.0.101 --dport 80 -m state --state NEW -j ACCEPT

# lets forward secure web to your server

$IPTABLES -A INPUT -p tcp -i ppp0 --dport 443 -m state --state NEW -j ACCEPT
$IPTABLES -A PREROUTING -t nat -p tcp -i ppp0 --dport 443 -m state --state NEW -j DNAT --to 192.168.0.101:443
$IPTABLES -A FORWARD -p tcp -o eth0 -d 192.168.0.101 --dport 443 -m state --state NEW -j ACCEPT

#######################################################################
# Genera Rules
#
# INTENET --> FIREWALL/LOCAL NETWORK
#
# allow connections to the router from the internet

$IPTABLES -A INPUT -i ppp0 -m state --state ESTABLISHED,RELATED -j ACCEPT

# allow routing traffic to machines on your local network

$IPTABLES -A FORWARD -o eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT

#######################################################################
# FIREWALL/LOCAL NETWORK --> INTERNET
#
# lets allow all data from the internal network connect to the firewall

$IPTABLES -A INPUT -i eth0 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT

# lets allow all data from the local network go out to the internet

$IPTABLES -A FORWARD -o ppp0 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT

# lets masqureade all local traffic to have the ip address of your ppp0 device as it goes out to the internet

$IPTABLES -t nat -A POSTROUTING -o ppp0 -j MASQUERADE

#######################################################################
exit 0
# End of Script
#######################################################################