set up DHCP+IPTABLES but can't ping

Hi all,

I'm having trouble getting the internal LAN connected via the RHL9 box to the internet.  I've found a few archived posts and googled some articles, but to date nothing quite solves the problem.  Here's the basic network topology (Red Hat Linux 9 = RHL9; Cat 5-e = <=>):

[ Cisco 678 DSL Router ]  <=>  [ External Hub ]  <=>  [ RHL9 eth0 ]

[ RHL9 eth1 ]  <=>  [ Internal Hub ]  <=>  [ WinXP Workstations ]

I currently also have an XP box (not shown above) sitting between hubs providing DHCP and NAT, but it keeps getting viruses, rebooted, blue screened, etc. -- so we need a Linux gateway instead, right? ;-).

DHCP looks like it's configured properly, in that /var/lib/dhcp/dhcpd.leases is current and shows actual clients' hostnames & MAC addresses, and IPTABLES looks correct in the service configuration also -- er, where exactly are the logs located?  Furthermore, I'm using the rc.firewall script from a RHL7.2 box which worked without using DHCP with statically-addressed internal clients.  The meat of the IPTABLES script I use is at the end of this post.

I can browse the internet from RHL9 box, and I can ping internal clients from the RHL9 box as well.  Internal clients can ping the RHL9's eth1 and eth0 addresses, and the Internal clients can ping the Cisco678 DSL router's address.  Also the WinXP box currently bridging the hubs can see everything.  (BTW, I disable the XP internal NIC before I activate the RHL9's eth1 to switch DHCP servers from WinXP to RHL9 -- both are assigned 192.168.0.1/24, just not at the same time.)

However, the Internal clients cannot ping the external DNS servers past the Cisco, while simultaneously, the RHL9 box *IS* able to ping the same DNS servers.  Is this some kind of routing problem with eth0 or is it IPTABLES?  I have the Cisco as the default gateway for eth0 and have 0/0 mapped to the Cisco gateway (in the Route tab for eth0).

Anyway here's the IPTABLES script minus most comments; thanks muchly in advance for help on this one:

====================================================

#!/bin/sh
IPTABLES=/sbin/iptables
EXTIF="eth0"
INTIF="eth1"
# Load the netfilter modules.  modprobe resolves dependencies itself, so the
# separate depmod -a / insmod sequence is not needed.
/sbin/modprobe ip_tables
/sbin/modprobe ip_conntrack
/sbin/modprobe ip_conntrack_ftp
/sbin/modprobe ip_conntrack_irc
/sbin/modprobe iptable_nat
/sbin/modprobe ip_nat_ftp
# Note: enabled both here and in /etc/sysconfig/network
#                       FORWARD_IPV4=true
# (FORWARD_IPV4 in /etc/sysconfig/network is the pre-RHL7 setting; on RHL9 the
# persistent form is "net.ipv4.ip_forward = 1" in /etc/sysctl.conf.  Writing
# the proc file below is what actually takes effect at boot.)
echo "1" > /proc/sys/net/ipv4/ip_forward
# Reset policies and flush the existing rules.
$IPTABLES -P INPUT ACCEPT
$IPTABLES -F INPUT
$IPTABLES -P OUTPUT ACCEPT
$IPTABLES -F OUTPUT
$IPTABLES -P FORWARD DROP
$IPTABLES -F FORWARD
$IPTABLES -t nat -F
# Only replies to LAN-initiated connections are forwarded inbound.
$IPTABLES -A FORWARD -i $EXTIF -o $INTIF -m state --state ESTABLISHED,RELATED -j ACCEPT
# Anything from the LAN may go out.
$IPTABLES -A FORWARD -i $INTIF -o $EXTIF -j ACCEPT
# Log whatever falls through to the DROP policy (unlimited; add "-m limit"
# if the log fills up).  Entries go to the kernel log, /var/log/messages.
$IPTABLES -A FORWARD -j LOG
# Masquerade everything leaving the external interface.
$IPTABLES -t nat -A POSTROUTING -o $EXTIF -j MASQUERADE
====================================================
I guess I should also mention how that loads, here's the relevant sections from /etc/rc.d/init.d/iptables after losing most comments (the OOTB Lokkit IPTABLES calls have been commented out in the script):
====================================================
#!/bin/sh
#
# Startup script to implement /etc/sysconfig/iptables pre-defined rules.
#[snip]

# Here /etc/sysconfig/iptables holds the rc.firewall script above rather than
# an iptables-save dump, so it must be executable (chmod 755).
IPTABLES_CONFIG=/etc/sysconfig/iptables

#[snip]

start() {
 #[snip]

     echo -n $"Applying iptables firewall rules: "
     $IPTABLES_CONFIG && success || failure

#[snip]

====================================================

Sorry about the long post; feel free to cut in replies.....

Cheerios,

Michael Oatman

Internet Convenience Store
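A tightened rewrite of the rc.firewall script from the post, as an added example (not the poster's script and not a Red Hat file). It keeps the same layout (eth0 outside, eth1 inside, 192.168.0.0/24 behind the box; all three are assumptions taken from the post and can be overridden with environment variables) but restricts the outbound rule and the MASQUERADE to the LAN prefix, rate-limits the LOG rule, and includes a small check of the forwarding sysctl, which is the first thing to verify when clients can reach the gateway but nothing behind it. With DRY_RUN set (the default) it only prints the iptables commands, so the ruleset can be reviewed on any machine; run it as `DRY_RUN= ./rc.firewall apply` as root to load it.

```shell
#!/bin/sh
# Added example, not the original poster's rc.firewall.  Assumed values from
# the post: eth0 faces the DSL router, eth1 faces the LAN, LAN is 192.168.0.0/24.
EXTIF="${EXTIF:-eth0}"
INTIF="${INTIF:-eth1}"
LAN="${LAN:-192.168.0.0/24}"
DRY_RUN="${DRY_RUN-1}"      # non-empty: print commands; empty: really run them

ipt() {
    # Print the command in dry-run mode so the ruleset can be reviewed or
    # tested on a box without iptables; otherwise apply it.
    if [ -n "$DRY_RUN" ]; then
        echo "iptables $*"
    else
        /sbin/iptables "$@"
    fi
}

check_ip_forward() {
    # Usage: check_ip_forward [file]; succeeds when the kernel will forward.
    # On RHL 7.2 and later the persistent setting is "net.ipv4.ip_forward = 1"
    # in /etc/sysctl.conf; the proc file is what is in effect right now.
    f="${1:-/proc/sys/net/ipv4/ip_forward}"
    [ -r "$f" ] && [ "$(cat "$f")" = "1" ]
}

gen_rules() {
    # Default-deny on the forwarding path; INPUT/OUTPUT left open as in the post.
    ipt -P INPUT ACCEPT
    ipt -P OUTPUT ACCEPT
    ipt -P FORWARD DROP
    ipt -F INPUT
    ipt -F OUTPUT
    ipt -F FORWARD
    ipt -t nat -F
    # Replies to LAN-initiated flows come back in; nothing unsolicited does.
    ipt -A FORWARD -i "$EXTIF" -o "$INTIF" -m state --state ESTABLISHED,RELATED -j ACCEPT
    # Only packets that really carry a LAN source address may leave; a host
    # plugged into the inside hub with a spoofed source is dropped and logged.
    ipt -A FORWARD -i "$INTIF" -o "$EXTIF" -s "$LAN" -j ACCEPT
    # Log what falls through to the DROP policy, rate-limited so a flood
    # cannot fill /var/log/messages.
    ipt -A FORWARD -m limit --limit 5/min -j LOG --log-prefix "FWD-DROP: "
    # Masquerade only LAN traffic leaving the external interface.
    ipt -t nat -A POSTROUTING -s "$LAN" -o "$EXTIF" -j MASQUERADE
}

# Entry point: "apply" loads (or, under DRY_RUN, prints) the ruleset.
if [ "${1:-}" = "apply" ]; then
    check_ip_forward || echo "warning: ip_forward is 0, nothing will be routed" >&2
    gen_rules
fi
```

The `-s "$LAN"` on the outbound and MASQUERADE rules is the main difference from the posted script: without it, any address that shows up on eth1 is forwarded and rewritten to the external address, including a second DHCP server or a mis-addressed host on the inside hub. `check_ip_forward` reading "0" is the quickest way to tell a routing problem apart from a firewall one, since with forwarding off the FORWARD chain is never consulted at all.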


Do you Yahoo!?
The New Yahoo! Search - Faster. Easier. Bingo.

[Index of Archives]     [Fedora Users]     [Centos Users]     [Kernel Development]     [Red Hat Install]     [Red Hat Watch]     [Red Hat Development]     [Red Hat Phoebe Beta]     [Yosemite Forum]     [Fedora Discussion]     [Gimp]     [Stuff]     [Yosemite News]

  Powered by Linux