I didn't realize that I didn't specify that it was pppoe, sorry about that.
I have tried what you said, and it is the same. Linux machine works, Windows machine does not.
eth0 is 10.1.1.1
eth1 is 192.168.0.13
windows machine is 192.168.0.14 with gateway set to 192.168.0.13
the firewall is set to accept everything.
the firewall script I have running is:
#!/bin/bash
# This script is designed to be run as: /etc/dhclient-enter-hooks
###############################################################
# Copyright (C) 1997 - 2003 Robert L. Ziegler
#
# Permission to use, copy, modify, and distribute this software and its
# documentation for educational, research, private and non-profit purposes,
# without fee, and without a written agreement is hereby granted.
# This software is provided as an example and basis for individual firewall
# development. This software is provided without warranty.
#
# Any material furnished by Robert L. Ziegler is furnished on an
# "as is" basis. He makes no warranties of any kind, either expressed
# or implied as to any matter including, but not limited to, warranty
# of fitness for a particular purpose, exclusivity or results obtained
# from use of the material.
###############################################################
# Load the FTP connection state helper module.
modprobe ip_conntrack_ftp
# Load the FTP NAT module.
modprobe ip_nat_ftp
# ----------------------------------------------------------------------------
# Some definitions for easy maintenance.
#
# EDIT THESE TO SUIT YOUR SYSTEM AND ISP.
# Toggle firewall service rules on/off
NAT_ENABLE="2" # 0=disable; 1=SNAT; 2=MASQUERADE
DHCP_CLIENT="0"
LAN_ACCESS="1" # ssh & ftp access from firewall to lan
DNS_CACHE="1" # caching nameserver for LAN
ACCEPT_AUTH="0"
SMTP_SERVER="0"
SSH_SERVER="0"
FTP_SERVER="0"
WEB_SERVER="0"
NTP_CLIENT="0"
NTP_SERVER="0" # LAN server (not public)
MULTICAST_ENABLE="0" # must subscribe to multicast
INTERNET="eth0" # network interface to the DMZ
LAN="eth1" # network interface to the LAN
LOOPBACK_INTERFACE="lo" # however your system names it
INTERNET_IPADDR="172.31.255.247" # gateway firewall - public IP
LAN_ADDR="192.168.0.13" # LAN IP address
LAN_ADDRESSES="192.168.0.0/16" # LAN IP address range
LAN_NETWORK="192.168.0.0" # DMZ subnet base address
LAN_BROADCAST="192.168.0.255" # DMZ broadcast address
LAN_NETMASK="255.255.255.0"
NAMESERVER_1="198.41.0.4"
#MAIL_SERVER="any/0" # address of a remote mail gateway
#POP_SERVER="your.pop.server"
#NEWS_SERVER="your.news.server"
#TIME_SERVER="your.time.server"
DHCP_SERVER="any/0" # some ISPs tell you the address
LOOPBACK="127.0.0.0/8" # reserved loopback address range
CLASS_A="10.0.0.0/8" # class A private networks
CLASS_B="172.16.0.0/12" # class B private networks
CLASS_C="192.168.0.0/16" # class C private networks
CLASS_D_MULTICAST="224.0.0.0/4" # class D multicast addresses
CLASS_E_RESERVED_NET="240.0.0.0/5" # class E reserved addresses
BROADCAST_SRC="0.0.0.0" # broadcast source address
BROADCAST_DEST="255.255.255.255" # broadcast destination address
UNPRIVPORTS="1024:65535" # unprivileged port range
###############################################################
# WARNING:
# The following section is written for dhclient.
# This section demonstrates what needs to be done
# to dynamically modify the IP address and name servers.
# See the "dhclient-script" man page
# and the "dhclient.conf" man page for details.
if [ x$reason = xBOUND ] || [ x$reason = xRENEW ] || [ x$reason = xREBIND ]; then
IPADDR=$new_ip_address
# Some ISPs use more than one DHCP server.
# In that case, you can leave DHCP_SERVER set to any/0,
# or you can hard-code duplicate DHCP rules that
# reference the specific server IP addresses.
DHCP_SERVER=$new_dhcp_server_identifier
elif [ x$reason = xPREINIT ] || \
[ x$reason = xEXPIRE ] || [ x$reason = xFAIL ] || [ x$reason = xTIMEOUT ]; then
IPADDR="any/0"
DHCP_SERVER="any/0"
fi
###############################################################
# Enable IP Forwarding
echo 1 > /proc/sys/net/ipv4/ip_forward
# Enable TCP SYN Cookie Protection
echo 1 > /proc/sys/net/ipv4/tcp_syncookies
# Enable broadcast echo Protection
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
# Enable bad error message Protection
echo 1 > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses
# Drop Spoofed Packets coming in on an interface, which if replied to,
# would result in the reply going out a different interface.
for f in /proc/sys/net/ipv4/conf/*/rp_filter; do
echo 1 > $f
done
# Disable ICMP Redirect Acceptance
for f in /proc/sys/net/ipv4/conf/*/accept_redirects; do
echo 0 > $f
done
# Don't send Redirect Messages
for f in /proc/sys/net/ipv4/conf/*/send_redirects; do
echo 0 > $f
done
# Disable Source Routed Packets
for f in /proc/sys/net/ipv4/conf/*/accept_source_route; do
echo 0 > $f
done
# Log packets with impossible addresses.
# Includes Multicast src, Class E src/dst, Loopback src/dst,
# Zero net src/dst
for f in /proc/sys/net/ipv4/conf/*/log_martians; do
echo 1 > $f
done
###############################################################
# Remove any existing rules from all chains
iptables --flush
iptables -t nat --flush
iptables -t mangle --flush
# Set the default filter table policy
iptables --policy INPUT ACCEPT
iptables --policy OUTPUT ACCEPT
iptables --policy FORWARD ACCEPT
# Remove any pre-existing user-defined chains
iptables --delete-chain
iptables -t nat --delete-chain
iptables -t mangle --delete-chain
# Create any user-defined chains
iptables -N tcp-state-flags
iptables -N log-tcp-state
iptables -N icmp-in
iptables -N icmp-out
# Unlimited traffic on the loopback interface
# Do immediately in case of firewall script errors!
iptables -A INPUT -i $LOOPBACK_INTERFACE -j ACCEPT
iptables -A OUTPUT -o $LOOPBACK_INTERFACE -j ACCEPT
###############################################################
# Enable Source NAT
if [ $NAT_ENABLE = "1" ]; then
iptables -t nat -A POSTROUTING -o $INTERNET \
-j SNAT --to-source $INTERNET_IPADDR
elif [ $NAT_ENABLE = "2" ]; then
iptables -t nat -A POSTROUTING -o $INTERNET \
-j MASQUERADE
fi
###############################################################
###############################################################
# Using Connection State to By-pass Rule Checking
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
###############################################################
###############################################################
# ICMP Control and Status Messages
iptables -A icmp-in -p icmp \
--icmp-type source-quench -j ACCEPT
iptables -A icmp-in -p icmp \
--icmp-type parameter-problem -j ACCEPT
iptables -A icmp-in -p icmp \
--icmp-type destination-unreachable -j ACCEPT
# Intermediate traceroute responses
iptables -A icmp-in -i $INTERNET -p icmp \
--icmp-type time-exceeded -j ACCEPT
# -----------------------------------------------------------
iptables -A icmp-out -p icmp \
--icmp-type source-quench -j ACCEPT
iptables -A icmp-out -p icmp \
--icmp-type parameter-problem -j ACCEPT
iptables -A icmp-out -p icmp \
--icmp-type fragmentation-needed -j ACCEPT
# allow outgoing pings to anywhere
iptables -A icmp-out -p icmp \
--icmp-type echo-request \
-m state --state NEW -j ACCEPT
iptables -A icmp-out -o $LAN -p icmp \
--icmp-type destination-unreachable -j ACCEPT
# Don't log dropped outgoing ICMP error messages
iptables -A icmp-out -o $INTERNET -p icmp \
--icmp-type destination-unreachable -j DROP
# -----------------------------------------------------------
iptables -A INPUT -p icmp -j icmp-in
# allow incoming pings from trusted hosts
iptables -A INPUT -i $LAN -p icmp \
--icmp-type echo-request \
-m state --state NEW -j ACCEPT
iptables -A OUTPUT -p icmp -j icmp-out
iptables -A FORWARD -o $LAN -p icmp -j icmp-in
iptables -A FORWARD -o $INTERNET -p icmp -j icmp-out
###############################################################
route -n is:
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
172.31.255.247 0.0.0.0 255.255.255.255 UH 0 0 0 ppp0
192.168.0.0 0.0.0.0 255.255.255.0 U 0 0 0 eth1
127.0.0.0 0.0.0.0 255.0.0.0 U 0 0 0 lo
0.0.0.0 172.31.255.247 0.0.0.0 UG 0 0 0 ppp0
iptables -L is:
Chain INPUT (policy ACCEPT)
target prot opt source destination
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
icmp-in icmp -- anywhere anywhere
ACCEPT icmp -- anywhere anywhere icmp echo-request state NEW
Chain FORWARD (policy ACCEPT)
target prot opt source destination
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
icmp-in icmp -- anywhere anywhere
icmp-out icmp -- anywhere anywhere
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
icmp-out icmp -- anywhere anywhere
Chain icmp-in (2 references)
target prot opt source destination
ACCEPT icmp -- anywhere anywhere icmp source-quench
ACCEPT icmp -- anywhere anywhere icmp parameter-problem
ACCEPT icmp -- anywhere anywhere icmp destination-unreachable
ACCEPT icmp -- anywhere anywhere icmp time-exceeded
Chain icmp-out (2 references)
target prot opt source destination
ACCEPT icmp -- anywhere anywhere icmp source-quench
ACCEPT icmp -- anywhere anywhere icmp parameter-problem
ACCEPT icmp -- anywhere anywhere icmp fragmentation-needed
ACCEPT icmp -- anywhere anywhere icmp echo-request state NEW
ACCEPT icmp -- anywhere anywhere icmp destination-unreachable
DROP icmp -- anywhere anywhere icmp destination-unreachable
Chain log-tcp-state (0 references)
target prot opt source destination
Chain tcp-state-flags (0 references)
target prot opt source destination
ifconfig is:
eth0 Link encap:Ethernet HWaddr 00:50:BA
6:23:AA
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:241 errors:0 dropped:0 overruns:0 frame:0
TX packets:289 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:100
RX bytes:141100 (137.7 Kb) TX bytes:35737 (34.8 Kb)
Interrupt:11 Base address:0xf000
eth1 Link encap:Ethernet HWaddr 00:03:6D:16:B4:06
inet addr:192.168.0.13 Bcast:192.168.0.255 Mask:255.255.255.0
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:183 errors:0 dropped:0 overruns:0 frame:0
TX packets:9 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:100
RX bytes:16587 (16.1 Kb) TX bytes:674 (674.0 b)
Interrupt:10 Base address:0xb000
lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
UP LOOPBACK RUNNING MTU:16436 Metric:1
RX packets:2 errors:0 dropped:0 overruns:0 frame:0
TX packets:2 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:100 (100.0 b) TX bytes:100 (100.0 b)
ppp0 Link encap:Point-to-Point Protocol
inet addr:68.165.60.3 P-t-P:172.31.255.247 Mask:255.255.255.255
UP POINTOPOINT RUNNING NOARP MULTICAST MTU:1492 Metric:1
RX packets:7 errors:0 dropped:0 overruns:0 frame:0
TX packets:7 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:3
RX bytes:324 (324.0 b) TX bytes:223 (223.0 b)
I did not remove the 10.1.1.1 from eth0, but in ifconfig it does not have that ip anymore due to the dhcp.
rc.inet1.conf is set like you said:
# /etc/rc.d/rc.inet1.conf
#
# This file contains the configuration settings for network interfaces.
# If USE_DHCP[interface] is set to "yes", this overrides any other settings.
# If you don't have an interface, leave the settings null ("").
# Config information for eth0:
IPADDR[0]="10.1.1.1"
NETMASK[0]="255.255.255.0"
USE_DHCP[0]="yes"
DHCP_HOSTNAME[0]=""
# Config information for eth1:
IPADDR[1]="192.168.0.13"
NETMASK[1]="255.255.255.0"
USE_DHCP[1]=""
DHCP_HOSTNAME[1]=""
# Config information for eth2:
IPADDR[2]=""
NETMASK[2]=""
USE_DHCP[2]=""
DHCP_HOSTNAME[2]=""
# Config information for eth3:
IPADDR[3]=""
NETMASK[3]=""
USE_DHCP[3]=""
DHCP_HOSTNAME[3]=""
# Default gateway IP address:
GATEWAY="ppp0"
# Change this to "yes" for debugging output to stdout. Unfortunately,
# /sbin/hotplug seems to disable stdout so you'll only see debugging output
# when rc.inet1 is called directly.
DEBUG_ETH_UP="no"
I can ping the windows machine, or a web site from the linux box.
I can ping the linux machine from windows.
But I can't ping a web site from windows. And I am pinging the ip address, not the name. 198.182.196.56 is www.linux.org
Still no clue what is stopping this from working.
This is why I am so frustrated with Linux. I have had four years of this. Every time I try to set up another Linux box I cannot get it to do a few simple things. This is actually the first time I have ever had the Linux box accessing the Internet, so it is actually a lot of progress. A computer that can't use the internet is pretty useless these days.
Any other suggestions?
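Added diagnostic, not part of the post above: a small shell check that compares the out-interface of the MASQUERADE rule with the interface the kernel's default route uses, run against the route -n output quoted in the post and a NAT rule constructed from the script's NAT_ENABLE="2" / INTERNET="eth0" settings. Function and variable names are this example's own.

```shell
#!/bin/sh
# Added diagnostic, not part of the original post. Compares the interface the
# MASQUERADE rule is attached to with the interface the kernel default route
# uses. Function and variable names are this example's own.

# "route -n" output copied from the post above.
ROUTE_OUTPUT='Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
172.31.255.247 0.0.0.0 255.255.255.255 UH 0 0 0 ppp0
192.168.0.0 0.0.0.0 255.255.255.0 U 0 0 0 eth1
127.0.0.0 0.0.0.0 255.0.0.0 U 0 0 0 lo
0.0.0.0 172.31.255.247 0.0.0.0 UG 0 0 0 ppp0'

# Constructed "iptables -t nat -S POSTROUTING" output: the rule the script
# installs with NAT_ENABLE="2" and INTERNET="eth0" (not shown in the post).
NAT_RULES='-P POSTROUTING ACCEPT
-A POSTROUTING -o eth0 -j MASQUERADE'

# Interface of the default route: Destination 0.0.0.0 with the G flag set.
default_route_iface() {
    awk '$1 == "0.0.0.0" && $4 ~ /G/ { print $8; exit }'
}

# Out-interface (-o) of the first MASQUERADE rule in iptables -S output.
masquerade_iface() {
    awk '/-j MASQUERADE/ { for (i = 1; i < NF; i++) if ($i == "-o") { print $(i + 1); exit } }'
}

# MASQUERADE only rewrites packets that leave through the interface named in
# -o. If the default route leaves through a different interface, forwarded LAN
# packets go out with their private source address and replies never return.
# Returns 0 when the interfaces match, 1 on mismatch, 2 if a value is missing.
check_nat_iface() {
    nat_iface=$(printf '%s\n' "$1" | masquerade_iface)
    route_iface=$(printf '%s\n' "$2" | default_route_iface)
    if [ -z "$nat_iface" ] || [ -z "$route_iface" ]; then
        echo "missing MASQUERADE rule or default route"
        return 2
    fi
    if [ "$nat_iface" = "$route_iface" ]; then
        echo "OK: MASQUERADE on $nat_iface matches the default route"
        return 0
    fi
    echo "MISMATCH: MASQUERADE is on $nat_iface, default route uses $route_iface"
    return 1
}

check_nat_iface "$NAT_RULES" "$ROUTE_OUTPUT" || true
```

On a live box, feed it `iptables -t nat -S POSTROUTING` and `route -n` output instead of the embedded samples.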