iptables woes

turumbar · n00b Joined: 09 Apr 2004 Posts: 20 Location: gdl.mx

I've been trying to setup iptables to share an internet connection.
I can get the latop and the server to ping to each other, samba is working, and dhcp server on the home lan is working.

I have followed the steps here:
https://forums.gentoo.org/viewtopic.php?t=159133&highlight=kernel+options+iptables
and no luck so far.

This is what I'm doing:
Wre eth0 is the connection to the cable modem, and eth1 is the connection to the local net.

manywele · l33t Joined: 12 Jul 2003 Posts: 743 Location: Inside

If you're using a 2.6.x kernel then you need to turn on forwarding by typing

turumbar · n00b Joined: 09 Apr 2004 Posts: 20 Location: gdl.mx

it is on.
Sorry I forgot to mention it.

Nossie · Apprentice Joined: 19 Apr 2002 Posts: 181

Maybe you can try the monmotha firewall script (it's in portage). I don't know if it will solve anything though.

Floog · Tux's lil' helper Joined: 29 Nov 2002 Posts: 116

Turumbar, are you certain that iptables is running the firewall rules upon startup? Reboot your machine and see if the iptables service starts successfully upon boot. I forget the message you see upon initialization and I can't reboot right now to check it out cuz i'm compiling OpenOffice from source.

Make sure you are giving enough statements to tell linux where to locate, start, and run iptables. Here's some of my /etc/conf.d/iptables:

IPTABLES=/sbin/iptables
DEPMOD=/sbin/depmod
MODPROBE=/sbin/modprobe

$DEPMOD -a
$MODPROBE ip_tables
$MODPROBE ip_conntrack
$MODPROBE ip_conntrack_ftp
$MODPROBE ip_conntrack_irc
$MODPROBE iptable_nat
$MODPROBE ip_nat_ftp

#echo " Enabling forwarding.."
echo "1" > /proc/sys/net/ipv4/ip_forward

#echo " Enabling DynamicAddr.."
#echo "1" > /proc/sys/net/ipv4/ip_dynaddr

echo " Clearing any existing rules and setting default policy.."
$IPTABLES -P INPUT ACCEPT
$IPTABLES -F INPUT
$IPTABLES -P OUTPUT ACCEPT
$IPTABLES -F OUTPUT
$IPTABLES -P FORWARD DROP
$IPTABLES -F FORWARD
$IPTABLES -t nat -F

echo " FWD: Allow all connections OUT and only existing and related ones IN"
$IPTABLES -A FORWARD -i eth0 -o eth1 -j ACCEPT
$IPTABLES -A FORWARD -i eth0 -o eth1 -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A FORWARD -i eth1 -o eth0 -j ACCEPT

echo " Enabling SNAT (MASQUERADE) functionality on eth0"
$IPTABLES -t nat -A POSTROUTING -o eth0 -j MASQUERADE

Floog

turumbar · n00b Joined: 09 Apr 2004 Posts: 20 Location: gdl.mx

yes, I'm certain iptables is getting enought info to start.

in fact, most of the time I don't even reboot, I just try to configure it on the comand line... no luck so far.

Floog · Tux's lil' helper Joined: 29 Nov 2002 Posts: 116

I believe you've got ..... -i eth1 -o eth0 -m state --state ESTABLISHED ....... backwards.

Try my iptables lines. My setup uses eth0 as the connection to the cable modem and eth1 connecting to the LAN just as you want to do. Try this:

$IPTABLES -A FORWARD -i eth0 -o eth1 -j ACCEPT
$IPTABLES -A FORWARD -i eth0 -o eth1 -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A FORWARD -i eth1 -o eth0 -j ACCEPT

Restart iptables with these rules in place. It can't hurt. Your MASQUERADE line looks fine to me.

HTH,
Floog