if this doesn't work--you have a problem unrelated to iptables:

run 'service iptables stop'

that should reset everything

then run:

  iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

  echo 1 > /proc/sys/net/ipv4/ip_forward

this will give you a box that's forwarding packets and NAT-ing your internal
network

running 'iptables -nL' should report:

Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

and running 'iptables -t nat -nL' should report:

Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination
MASQUERADE  all  --  0.0.0.0/0            0.0.0.0/0

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

now, from your internal windows box:

verify that you can ping the internal interface of the linux box
verify that you can ping the external interface of the linux box
verify that you can ping some internet host by IP (I usually use 199.72.1.1)
verify that you can ping the DNS server configured on your internal windows box
verify that you can ping some internet host by name (like www.yahoo.com)

if all that works--you should be able to fire up your web browser of choice
on that windows box and it should work.

depending on where you see the break in functionality, it should be
painfully obvious what your issue is.

jason
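
A check that the box is actually in the state shown above, added here as an example (it is not part of Jason's message). The three check functions take their input as text, so they run against the captured listings below, which are constructed to match the output in the message, and, when called with --live, against a real box via 'iptables -nL', 'iptables -t nat -nL' and /proc/sys/net/ipv4/ip_forward. It reports the first thing that is not as expected, which is the same "find where the break is" approach as the ping list above, applied to the gateway itself.

```sh
#!/bin/sh
# Verify a Linux NAT gateway has the three things the message expects:
#  - ip_forward set to 1
#  - FORWARD chain policy ACCEPT (nothing dropping forwarded packets)
#  - a MASQUERADE rule in the nat table's POSTROUTING chain
# The check_* functions take text so they can be run on captured output too.

# 0 if the content of /proc/sys/net/ipv4/ip_forward is "1" (whitespace ignored).
check_ip_forward() {
    [ "$(printf '%s' "$1" | tr -d '[:space:]')" = "1" ]
}

# 0 if 'iptables -nL' output shows the FORWARD chain with policy ACCEPT.
check_forward_policy() {
    printf '%s\n' "$1" | grep -q '^Chain FORWARD (policy ACCEPT)'
}

# 0 if 'iptables -t nat -nL' output has a MASQUERADE target listed under
# the POSTROUTING chain (only lines between that header and the next one count).
check_masquerade() {
    printf '%s\n' "$1" | awk '
        /^Chain POSTROUTING/ { in_chain = 1; next }
        /^Chain /            { in_chain = 0 }
        in_chain && $1 == "MASQUERADE" { found = 1 }
        END { exit(found ? 0 : 1) }'
}

# Run the checks on the live system (needs root) and name the first failure.
check_live() {
    check_ip_forward "$(cat /proc/sys/net/ipv4/ip_forward)" \
        || { echo "ip_forward is not 1"; return 1; }
    check_forward_policy "$(iptables -nL)" \
        || { echo "FORWARD policy is not ACCEPT"; return 1; }
    check_masquerade "$(iptables -t nat -nL)" \
        || { echo "no MASQUERADE rule in nat POSTROUTING"; return 1; }
    echo "gateway state matches the expected listings"
}

# Constructed sample: nat table as it should look after the MASQUERADE rule.
SAMPLE_NAT_OK='Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination
MASQUERADE  all  --  0.0.0.0/0            0.0.0.0/0

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination'

# Constructed sample: nat table right after "service iptables stop" (no NAT).
SAMPLE_NAT_EMPTY='Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination'

# Constructed sample: filter table with everything at policy ACCEPT.
SAMPLE_FILTER_OK='Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination'

if [ "${1:-}" = "--live" ]; then
    check_live
fi
```

Run it as 'sh check-nat.sh --live' on the gateway; without the flag it only defines the functions and samples, so it can be sourced from another script.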

-----Original Message-----
From: Ron Darling [mailto:[EMAIL PROTECTED]] 
Sent: Thursday, March 07, 2002 10:16 AM
To: Jason Opperisano
Subject: RE: HELP: I just want to see something work


Jason,

I entered your script, did a service iptables stop,

ran iptables -L -n to make sure everything was flushed.

Ran your script and still cannot browse from Win2k workstation.

-----Original Message-----
From: Jason Opperisano [mailto:[EMAIL PROTECTED]]
Sent: Thursday, March 07, 2002 8:13 AM
To: Netfilter Mailing List
Cc: 'Ron Darling'
Subject: RE: HELP: I just want to see something work


from:

http://netfilter.samba.org/documentation/HOWTO//packet-filtering-HOWTO-5.html

iptables -N block
iptables -A block -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A block -m state --state NEW -i ! eth0 -j ACCEPT
iptables -A block -j DROP

iptables -A INPUT -j block
iptables -A FORWARD -j block

for your case--i replaced ppp0 with eth0 (your external interface) in the
above example

you will also need a NAT rule...

from:

http://netfilter.samba.org/documentation/HOWTO//NAT-HOWTO-4.html#ss4.1

iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

once again, i replaced ppp0 with eth0 in the above example for your
situation

now, enable ip forwarding:

echo 1 > /proc/sys/net/ipv4/ip_forward

that's it.

run 'service iptables stop' before issuing the above commands to reset
everything

the reason you can't access the internet from your internal hosts after
running 'service iptables stop' is because it removes NAT and disables ip
forwarding--this is by design

hope this helps.

jason
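
The steps above (reset, the HOWTO 'block' chain, the MASQUERADE rule, ip forwarding) assembled into one script, added here as an example; it is not from the message or from the netfilter HOWTOs. It assumes eth0 is the external interface (EXT_IF can override that) and writes the interface negation as '! -i eth0', the form current iptables accepts, which means the same as the HOWTO's '-i ! eth0'. With DRY_RUN=1 it prints the commands instead of running them, so the rule set can be read over before it is applied to a live gateway.

```sh
#!/bin/sh
# Minimal NAT gateway: HOWTO 'block' chain, one MASQUERADE rule, ip forwarding.
# Assumption: EXT_IF (default eth0) is the Internet side; every other
# interface, including loopback, is treated as internal.
# Run as root. With DRY_RUN=1 the commands are printed, not executed.

EXT_IF="${EXT_IF:-eth0}"

# run: print the command when DRY_RUN=1, otherwise execute it.
run() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        echo "$*"
    else
        "$@"
    fi
}

# Red Hat's reset: flushes every table, policies back to ACCEPT, NAT gone.
reset_rules() {
    run service iptables stop
}

# Step 1: the 'block' chain. Rule order is the point: replies to connections
# already allowed pass first, then new connections from any interface except
# EXT_IF, then everything else is dropped. Both INPUT (traffic to the box)
# and FORWARD (traffic through it) go through the chain, so a new connection
# arriving on EXT_IF is dropped whether it targets the gateway or a LAN host.
filter_rules() {
    run iptables -N block
    run iptables -A block -m state --state ESTABLISHED,RELATED -j ACCEPT
    run iptables -A block -m state --state NEW ! -i "$EXT_IF" -j ACCEPT
    run iptables -A block -j DROP
    run iptables -A INPUT -j block
    run iptables -A FORWARD -j block
}

# Step 2: rewrite the source address of everything leaving on EXT_IF.
nat_rules() {
    run iptables -t nat -A POSTROUTING -o "$EXT_IF" -j MASQUERADE
}

# Step 3: without this the kernel will not move packets between the NICs.
enable_forwarding() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        echo "echo 1 > /proc/sys/net/ipv4/ip_forward"
    else
        echo 1 > /proc/sys/net/ipv4/ip_forward
    fi
}

# Apply everything in the order the message gives: reset, filter, NAT, forward.
apply_all() {
    reset_rules
    filter_rules
    nat_rules
    enable_forwarding
}

# count_rules: how many iptables commands apply_all issues (dry run), as a
# sanity check that the whole rule set is present: 6 filter + 1 nat = 7.
count_rules() {
    ( DRY_RUN=1; apply_all ) | grep -c '^iptables'
}

if [ "${1:-}" = "--apply" ]; then
    apply_all
fi
```

'DRY_RUN=1 sh nat-gateway.sh --apply' shows the eight commands in order; 'sh nat-gateway.sh --apply' as root applies them. Because 'service iptables stop' is a Red Hat script, the reset_rules function is the one piece to adjust on another distribution.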

-----Original Message-----
From: Ron Darling [mailto:[EMAIL PROTECTED]]
Sent: Thursday, March 07, 2002 8:22 AM
To: Netfilter Mailing List
Cc: Scott Smith
Subject: HELP: I just want to see something work


I have a small home/office Microsoft/Novell based network.  I have had an NT
based proxy, NAT, email setup since 1996 sharing a modem and phone line.  I
have made a lot of money from this setup since 1996, it has worked fine and
I have even gone out and setup the same configuration for a lot of small
businesses.

I just purchased a DSL connection and would like to replace the proxy with a
Linux based box.  I have a Linux box up and running Redhat 7.2, two NICS,
IPTables 1.2.4.  ETH0 is bound to my fixed Internet IP Address.  ETH1 is
bound to my internal IP 192.168.0.125.

=================

I have learned to:
Upgrade the kernel (Agent Update)
Update IPTables (Agent Update)
DISABLE IPChains.
Reset IPTables to Default Settings - service iptables stop.
I have a script that feeds new settings to IPTables.  Got this from the book
"Redhat Linux the Complete Ref - Richard Peterson".  I can interrogate the new
settings with iptables -L -n and see the difference in the output between
running the script and having just run service iptables stop.

=================
When I have just run - service iptables stop.

From the Linux box I can:
ping the internet.
Ping both nics on the Linux box.
browse the internet and, I suspect, do any other TCP/IP type function I want to.
Ping boxes on the internal network.

Ping ETH1 on the Linux box from the internal boxes on network.

I cannot browse the internet from internal boxes.

=================
When I run the script:
I cannot ping anything from the Linux box.
I cannot browse the internet from the Linux box

I cannot ping the Linux box from an internal network box
I cannot browse the internet from an internal network box

*****************

For the moment I would just like to be able to:
Browse the internet from an internal network box with IPTables turned on
with just enough rules to perform NAT and allow the http request to flow.

Internal network box is Win2k.  IP: 192.168.0.42 Gateway: 192.168.0.125
(ETH1 on Linux box).  All proxy settings in IE6 have been disabled on the
win2k box.

Can someone point me to a simple script to just perform this?

Ron Darling
President Ix.sys, Inc.
http://www.ixsys.com
[EMAIL PROTECTED]
817.377.0925

