------- ifconfig ------
eth0 Link encap:Ethernet HWaddr 00:04:5A:82:632
inet addr:192.168.1.1 Bcast:192.168.1.255 Mask:255.255.255.0
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:4238 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:920 dropped:0 overruns:0 carrier:1840
collisions:0 txqueuelen:100
RX bytes:537541 (524.9 Kb) TX bytes:0 (0.0 b)
Interrupt:9 Base address:0xa400

-------- rc.inetd1 ---------
# Edit these values to set up your first Ethernet card (eth0):
IPADDR="192.168.1.1" # REPLACE with YOUR IP address!
NETMASK="255.255.255.0" # REPLACE with YOUR netmask!
# Or, uncomment the following lines to set up eth0 using DHCP:
#USE_DHCP=yes
# If your provider requires a DHCP hostname, uncomment and edit below:
#DHCP_HOSTNAME="CCHOSTNUM-A"

# Edit these values to set up your second Ethernet card (eth1),
# if you have one. Otherwise leave it configured to 127.0.0.1,
# or comment it out, and it will be ignored at boot.
IPADDR2="127.0.0.1" # REPLACE with YOUR IP address!
NETMASK2="255.255.255.0" # REPLACE with YOUR netmask!
# Or, uncomment the following lines to set up eth1 using DHCP:
USE_DHCP2=yes

--------- dhcpd.conf --------
ddns-update-style interim;
subnet 192.168.1.0 netmask 255.255.255.0 {
range 192.168.1.2 192.168.1.6;
default-lease-time 86400;
max-lease-time 86400;
option routers 192.168.1.1;
option ip-forwarding off;
option broadcast-address 192.168.1.255;
option subnet-mask 255.255.255.0;
option domain-name-servers *.*.22.67;
option domain-name "none.org";
option netbios-name-servers 192.168.1.1;
option netbios-dd-server 192.168.1.1;
option netbios-node-type 8;
option netbios-scope "";
}

-----------lsmod -------------------
Module Size Used by Not tainted
ipt_MASQUERADE 1176 1 (autoclean)
ipt_LOG 3128 1 (autoclean)
ipt_state 568 1 (autoclean)
iptable_filter 1672 1 (autoclean)
ip_nat_ftp 2896 0 (unused)
iptable_nat 12536 2 [ipt_MASQUERADE ip_nat_ftp]
ip_conntrack_irc 2464 0 (unused)
ip_conntrack_ftp 3168 0 (unused)
ip_conntrack 12568 4 [ipt_MASQUERADE ipt_state ip_nat_ftp iptable_nat ip_conntrack_irc ip_conntrack_ftp]
ip_tables 10360 7 [ipt_MASQUERADE ipt_LOG ipt_state iptable_filter iptable_nat]

-----------------------------------------------

I'm trying to setup internet sharing with slackware 8.1, but none of the computers on the LAN can ping anything outside the LAN, they can ping both NIC cards, and eachother but nothing else.....can anyone see where I went wrong

Well, perhaps I may venture here to assist. From the ifconfig section you are only configuring a single NIC. But in the rc.inet1 file, it appears that a second NIC is requested as dhcp configuration. (USE_DHCP2=Yes) If eth1 does not exist then only an error message will display

In the dhcpd.conf file for the workstations dhcp assignments, I do not know what the netbios stuff does at all. I never use any of them at all in my dhcpd.conf files. The domain-name-servers assignment needs to be a valid IP assignment, like your own server 192.168.1.1 if named is running at least as a DNS cache server. Or you can use your ISP DNS server assignments. The domain-name assignment of "none.org" I think should be left out or empty quotes. It can include multiple domains by using a space as a separator inside the quotes. But none.org is an actual real domain that is registered, unless of course it is your domain and you really want your wokstations to search that domain. I also do not know what the option ip-forwarding set to off is for, so you might want to remove it as well.

Now you stated that all your machines can actually ping each other, etc. That would indicate a fairly good net setup, cabling, NICs, etc. But you didn't specify where the actual internet connection is provided above. I have to assume here probably dialup on ppp0 on the linux box that the config above is displayed.

I don't know about the modules for iptables and MASQ. I only use kernel built options, but it would appear that you probably have enough though.

However, there is one piece of the puzzle if you will, that you did not post and that part may be what is missing and preventing any traffic to the outside. I am assuming here that a dialup connection is made on the linux gateway and that server is fully functional on the internet but the workstations are not. The missing info is in regarding to the iptables scripting to enable the forwarding of packets from the workstations and the configuration of the NAT table to perform the MASQ operation. These tables are initialized as empty and the default policies I believe would prevent the packets from being forwarded until they are modified.

This configuration would normally be located in a script called /etc/rc.d/rc.firewall and if it is present with the execute bits enabled, then the Slack init system will call it automatically. But since you are using modules, it would need to be after the modules are loaded. So you might prefer to call it something else and then call it from the /etc/rc.d/rc.local script to insure that all the modules are loaded. For some examples you could search here on LQ using "rc.firewall" and restrict to the Slack forum. If you desire a broad search then I recommend searching "iptables".

Perhaps it has been of some help.

for my ifconfig I didn't paste the eth1 stuff, as I didn't think it would be needed,
and the dns server is *.* cause I didn't want to post the actual ip, there is an ip there. My rc.firewall is takin straight from the linux ip masq howto for now, untill I can get it working.

eth1 Link encap:Ethernet HWaddr 00:80:C6:F9:91:61
inet addr:*.*.*.244 Bcast:*.*.*.255 Mask:255.255.255.128
UP BROADCAST NOTRAILERS RUNNING MULTICAST MTU:1500 Metric:1
RX packets:338 errors:0 dropped:0 overruns:0 frame:0
TX packets:381 errors:0 dropped:0 overruns:0 carrier:0
collisions:1 txqueuelen:100
RX bytes:109775 (107.2 Kb) TX bytes:61581 (60.1 Kb)
Interrupt:5 Base address:0xa000

I revised my dhcpd.conf with your sugestions, but still no luck

Fair enough on the IP issues. So the ISP link is on eth1 and that is setup using DHCP. I understand. After the changes were made to dhcpd.conf, then dhcpd has to be restarted or machine rebooted as well as the workstation would need to be rebooted to read the new values.

OK, I think I located in the HOWTO the script you are using. (I had never seen it before.) The script for 2.4 kernels that is iptables based. It includes the commands to load all the modules.

Have you checked the tables to verify the correct info is actually loaded?

iptables -L -n Will print the forward, output and input tables

iptables -L -n -t nat Will print the prerouting, postrouting, and output tables.

The forward and postrouting tables are the tables mostly concerned with here as they pertain to the network workstations.

The postrouting output should be something like:
Chain POSTROUTING (policy ACCEPT)
target prot opt source destination
MASQUERADE all -- 192.168.1.0/24 0.0.0.0/0

And the forward should look something like:
Chain FORWARD (policy DROP)
target prot opt source destination
ACCEPT all -- 0.0.0.0/0 192.168.1.0/24
ACCEPT all -- 192.168.1.0/24 0.0.0.0/0

Your forward table should be a little different I think because the script that I saw was using state evaluation. My example output above does not. Also, the script uses the NIC interface name (eth0, eth1) as the input to the iptables command, I always use the IP addresses with a mask. That way it doesn't matter what interface it is on as far as the firewall script is concerned.

If your tables do not have any of the configured info then your problems are in the rc.firewall script. Also, It looks like the script was based on a reverse config on the NIC's. The script was based on the eth0 as the ISP and eth1 as the local network. Yours is reversed with ISP on eth1 and local net on eth0.

The script also has the default location for iptables as /usr/local/sbin and provides and alternate location in /sbin but in Slack 8.1 it is actually located in /usr/sbin.

Perhaps some of this will help narrow down the problem.

http://www.tldp.org/HOWTO/IP-Masquer...FIREWALL-2.4.X
theres a link to the one I use....except I believe I had to switch the external and internal interfaces...and yes I did restart dhcpd, and run it in foreground, and it seems to be working fine

External Interface: eth0
Internal Interface: eth1
loading modules: - Verifying that all kernel modules are ok
----------------------------------------------------------------------
ip_tables, Using /lib/modules/2.4.18/kernel/net/ipv4/netfilter/ip_tables.o
ip_conntrack, Using /lib/modules/2.4.18/kernel/net/ipv4/netfilter/ip_conntrack.o
ip_conntrack_ftp, Using /lib/modules/2.4.18/kernel/net/ipv4/netfilter/ip_conntrack_ftp.o
ip_conntrack_irc, Using /lib/modules/2.4.18/kernel/net/ipv4/netfilter/ip_conntrack_irc.o
iptable_nat, Using /lib/modules/2.4.18/kernel/net/ipv4/netfilter/iptable_nat.o
ip_nat_ftp, Using /lib/modules/2.4.18/kernel/net/ipv4/netfilter/ip_nat_ftp.o
----------------------------------------------------------------------
Done loading modules.

Enabling forwarding..
Enabling DynamicAddr..
Clearing any existing rules and setting default policy..
FWD: Allow all connections OUT and only existing and related ones IN
Enabling SNAT (MASQUERADE) functionality on eth0

theres the output when I run the script, it looks right to me

From the output you just posted it appears the configuration is reversed. The script is setting eth0 as the external (ISP) interface and eth1 as your internal (local) net.

Original rc.firewall script excerpt:

EXTIF="eth0"
INTIF="eth1"
echo " External Interface: $EXTIF"
echo " Internal Interface: $INTIF"

Change your rc.firewall script to:

EXTIF="eth1"
INTIF="eth0"
echo " External Interface: $EXTIF"
echo " Internal Interface: $INTIF"

Then run the script again. You will probably receive errors on the module loads because they are loaded but the rest of the script run OK.


BTW: I also run dhcpd using the interface as an argument. (dhcpd eth0) That way I force it to operate on only the single local net interface. I mention it because the eth1 config you posted earlier is on a broadcast with a 25 bit subnet. You wouldn't want other subscribers to find your dhcp server instead of the ISP's.