At 03:03 AM 10/2/02 -0700, Liu Mei wrote:
>Well. Things become better.
>
>Now the eth0 (the external port) is 192.168.1.113,
>which is assigned by running dhclient.
>
>The eth1 (the internal port) is 192.168.2.1, which is
>assigned by myself.
>
>I can now ping the internet and LAN from my route.
>I can also ping 2.1 from LAN
>
>But I can't ping the internet from LAN.

As I said before, "can't ping" is not an error report. Pings fail in many ways, and to get good help, you MUST characterize the ping failure more precisely than this.

Looking at what you did tell us, my first thought is that you have a configuration error on the LAN host you are trying to ping from. Since you can ping 192.168.2.1, its local networking settings must be OK. But can it ping the router's external address (192.168.1.113)? If not, how does it fail (what error message) and what operating system is this client using (affects the wording of the usual error messages)? Does the LAN host know that 192.168.2.1 is its default gateway address?

The second thought is that there appears to be a problem in your forward-chain ruleset. You have three rules in the chain, as follows:

> 4 240 ACCEPT all ------ 0xFF 0x00 eth0 192.168.2.0/24 0.0.0.0/0 n/a
> 0 0 ACCEPT all ------ 0xFF 0x00 eth0 0.0.0.0/0 192.168.2.0/24 n/a
> 0 0 MASQ all ------ 0xFF 0x00 eth1 192.168.2.0/24 0.0.0.0/0 n/a

Only the first of these has seen any packets (the "4" and the "0"s tell us that) at the point when you listed the rule. That may be your problem. I no longer run ipchains here, so cannot quickly check this, but as I recall, the relevant interface to a forward-chain rule is the destination interface, not the source. Hence, your LAN packets get processed by rule 1 (an ACCEPT rule), instead of rule 3 (a MASQ rule). You need it to be the other way around, assuming you do need this router to NAT (MASQ) local traffic. Perhaps someone else here, who remembers ipchains and Eiger-Dynamic better than I do this morning, can fill in the details for you (or correct me if I am remembering this part wrong).

Third and last, it looks to me like you have an output-chain rule that is blocking the traffic. It is this one:

> 4 240 DENY all ------ 0xFF 0x00 eth0 192.168.2.0/24 0.0.0.0/0

The "4" here is surely no coincidence.
This rule alone should be harmless, though, since once you fix the forward-chain problem, the output packets will be MASQ'd, so not have a 192.168.2.0/24 source when viewed by the output chain. (Unless, of course, you can use this LAN network without NAT. Then you need to leave the forward-chain rule alone but fix this output-chain rule.)

>The follows are the things you may want to check
>
>Please help.

[details deleted]

--
-------------------------------------------"Never tell me the odds!"--------
Ray Olszewski                                        -- Han Solo
Palo Alto, California, USA                     [EMAIL PROTECTED]
-------------------------------------------------------------------------------
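
The rule-shadowing problem described in the reply above, as an added example that is not part of the original message: a minimal first-match evaluator run over the three forward-chain rules from the listing. It assumes, as the reply recalls, that a forward-chain rule's interface is compared with the outgoing interface; the LAN host 192.168.2.10, the destination 198.51.100.7 and FIXED_RULES are constructed for illustration.

```python
from ipaddress import ip_address, ip_network

# The three forward-chain rules from the listing, in chain order:
# (target, interface, source network, destination network)
FORWARD_RULES = [
    ("ACCEPT", "eth0", "192.168.2.0/24", "0.0.0.0/0"),
    ("ACCEPT", "eth0", "0.0.0.0/0", "192.168.2.0/24"),
    ("MASQ", "eth1", "192.168.2.0/24", "0.0.0.0/0"),
]

# Hypothetical correction (not from the thread): the MASQ rule names the
# external interface and comes first, so LAN traffic reaches it.
FIXED_RULES = [
    ("MASQ", "eth0", "192.168.2.0/24", "0.0.0.0/0"),
]


def first_match(rules, iface, src, dst):
    """Return (rule number, target) of the first rule that matches.

    `iface` is the interface the chain compares against; for the forward
    chain this is assumed to be the outgoing interface.
    Returns (None, "policy") when no rule matches.
    """
    src_ip, dst_ip = ip_address(src), ip_address(dst)
    for number, (target, rule_if, src_net, dst_net) in enumerate(rules, 1):
        if (rule_if == iface
                and src_ip in ip_network(src_net)
                and dst_ip in ip_network(dst_net)):
            return number, target
    return None, "policy"


if __name__ == "__main__":
    # Constructed packet: LAN host pinging an outside address via eth0.
    pkt = ("192.168.2.10", "198.51.100.7")
    print("listed rules, outgoing eth0:", first_match(FORWARD_RULES, "eth0", *pkt))
    print("fixed rules,  outgoing eth0:", first_match(FIXED_RULES, "eth0", *pkt))
    # If the interface were the incoming one (eth1), rule 3 would be hit,
    # which is why the interface semantics decide the outcome.
    print("listed rules, incoming eth1:", first_match(FORWARD_RULES, "eth1", *pkt))
```

With the listed rules the LAN packet stops at rule 1 (ACCEPT) and leaves with its private source address, which matches the packet counters in the listing: 4 on rule 1, 0 on the MASQ rule.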
