Yet another router/firewall question

My goal: Linux box connects to the internet via modem. PC is able to share that connection to access the internet.

I'm almost there! (I think)

Here is my config atm:
Redhat 7.2 Linux box: Netgear FA311 and generic Conexant modem

eth0      Link encap:Ethernet  HWaddr 00:A0:CC:E1:16:9F
          inet addr:  Bcast:  Mask:
          RX packets:113 errors:0 dropped:0 overruns:0 frame:0
          TX packets:65 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:100
          RX bytes:13041 (12.7 Kb)  TX bytes:8170 (7.9 Kb)
          Interrupt:11 Base address:0x7000

ppp0      Link encap:Point-to-Point Protocol
          inet addr:  P-t-P:  Mask:
          RX packets:474 errors:1 dropped:0 overruns:0 frame:0
          TX packets:564 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:3
          RX bytes:374941 (366.1 Kb)  TX bytes:70964 (69.3 Kb)

Windows XP PC: Built in network card

Ethernet adapter:
Connection-specific DNS suffix: NONE
IP Address:
Subnet Mask:
Default Gateway:

With this config I am able to ping my linux box( from my PC( And vice-versa.

Then I began to read some posts about IPTABLES, so I found a prebuilt iptables configuration script and configured it so it would run on boot (by calling it from rc.local). It's kind of long but I'll post it for completeness.


#!/bin/sh
# You could either run this simple script or do the long way and recompile your kernel with IPTABLES.

# Turn off/flush IPCHAINS
/sbin/ipchains -F

# Remove IPCHAINS mod
#/sbin/rmmod ipchains

# Insert IPTABLES mod
#/sbin/insmod ip_tables
#/sbin/insmod iptable_filter

# Clear out any existing firewall rules, and any chains that might have been created
/sbin/iptables -F
/sbin/iptables -F INPUT
/sbin/iptables -F OUTPUT
/sbin/iptables -F FORWARD
/sbin/iptables -F -t mangle
/sbin/iptables -F -t nat
/sbin/iptables -X

# Setup our policies
/sbin/iptables -P INPUT DROP
/sbin/iptables -P OUTPUT ACCEPT
/sbin/iptables -P FORWARD ACCEPT

# This enables ip forwarding, and thus by extension, NAT. Turn this on if you're going to be doing NAT or Masquerading
echo 1 > /proc/sys/net/ipv4/ip_forward

# Source NAT everything heading out the ppp0 or eth0 (external) interface to be the given IP. If you have a dynamic IP or a DHCP IP that changes semi-regularly then comment this and uncomment the 2nd line.
# Remember to change the ip address to your static ip

#/sbin/iptables -t nat -A POSTROUTING -o eth0 -j SNAT --to

# Use this for dhcp assigned IP addresses (ppp0 = 1st modem / eth0 = 1st nic, whichever is your external connection to the internet).
/sbin/iptables -t nat -A POSTROUTING -o ppp0 -j MASQUERADE

# Now, our firewall chain. We use the limit commands to cap the rate at which it alerts to 15 log messages per minute.
/sbin/iptables -N firewall
/sbin/iptables -A firewall -m limit --limit 15/minute -j LOG --log-prefix Firewall:
/sbin/iptables -A firewall -j DROP

# Now, our dropwall chain, for the final catchall filter
/sbin/iptables -N dropwall
/sbin/iptables -A dropwall -m limit --limit 15/minute -j LOG --log-prefix Dropwall:
/sbin/iptables -A dropwall -j DROP

# Our "hey, them's some bad tcp flags!" chain
/sbin/iptables -N badflags
/sbin/iptables -A badflags -m limit --limit 15/minute -j LOG --log-prefix Badflags:
/sbin/iptables -A badflags -j DROP

# And our silent logging chain
/sbin/iptables -N silent
/sbin/iptables -A silent -j DROP

# Accept ourselves (loopback interface), 'cause we're all warm and friendly
/sbin/iptables -A INPUT -i lo -j ACCEPT

# Drop those nasty packets! These are all TCP flag combinations that should never, ever occur in the wild.
/sbin/iptables -A INPUT -p tcp --tcp-flags ALL FIN,URG,PSH -j badflags
/sbin/iptables -A INPUT -p tcp --tcp-flags ALL ALL -j badflags
/sbin/iptables -A INPUT -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j badflags
/sbin/iptables -A INPUT -p tcp --tcp-flags ALL NONE -j badflags
/sbin/iptables -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j badflags
/sbin/iptables -A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j badflags

# Drop icmp, but only after letting certain types through
/sbin/iptables -A INPUT -p icmp --icmp-type 0 -j ACCEPT
/sbin/iptables -A INPUT -p icmp --icmp-type 3 -j ACCEPT
/sbin/iptables -A INPUT -p icmp --icmp-type 11 -j ACCEPT
/sbin/iptables -A INPUT -p icmp --icmp-type 8 -m limit --limit 1/second -j ACCEPT
/sbin/iptables -A INPUT -p icmp -j firewall

# Lets do some basic state-matching. This allows us to accept related and established connections.
/sbin/iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

# Uncomment to drop port 137 netbios packets silently. We don't like that netbios stuff, and it's way too spammy.
/sbin/iptables -A INPUT -p udp --sport 137 --dport 137 -j silent

# Our final trap. Everything on INPUT goes to the dropwall so we don't get silent drops
/sbin/iptables -A INPUT -j dropwall
#######END OF RC.FIREWALL#############

After reading another post I also manually changed the IP forwarding option, in some file whose name I can't recall any longer.

Anyway, after all of this, >>>I can't access the internet on my PC<<<. Also I just noticed that I can no longer ping out from my linux box (I can still ping my PC), probably due to a firewall option?

So that's my life, I would appreciate any and all help. I see a couple of places that I can toy with in my firewall script that I will do now.

Thanks and sorry for the huge post.
jeordsta Commented:

It is probably a good idea to get an idea of what your firewall script actually does before whacking it all on your system! That way you can progressively make your firewall more complicated to suit your needs. So, start with a clean system. Make sure you restart without the firewall script in your rc.local.

Basically you need to perform three steps:
1) make sure that your interfaces are working. So in your case you need to bring up both your interfaces. You can probably do this by calling:
/etc/rc.d/init.d/network restart
then do an:
and make sure that you have your ppp and ethernet links up.

2) Do some basic firewalling. To test initially all that it is necessary to do is:
iptables -t nat -A POSTROUTING -o ppp0 -j SNAT --to
This will ensure that all outgoing packets from your pc get SNATed to

3) Enable ip forwarding. This is done by:
echo 1 > /proc/sys/net/ipv4/ip_forward

You then should be able to connect to the internet from your pc.
jaredb0t (Author) Commented:
I figured out my problem yesterday. It turned out that I really did have access to the internet on my windows pc, I could ping static IPs, telnet to static IPs, the problem was that I didn't have a DNS server entered. I figured that it would automatically be assigned like everything else is with dialup. Anyway, I looked up the DNS servers in /etc/resolv.conf and just added those to the settings of my windows nic and everything is GTG.

Thanks for the reply though.
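The three steps jeordsta lists (interfaces up, NAT, ip_forward) and the resolver problem jaredb0t actually hit, put together as an added example script that is not from the thread. It assumes ppp0 is the modem link and eth0 the LAN side; gen_rules prints the iptables commands so they can be reviewed before being applied as root with --apply, and it locks FORWARD down instead of the posted script's FORWARD ACCEPT.

```shell
#!/bin/sh
# Minimal masquerading gateway (added example, not the thread's script).
# Assumed interfaces: ppp0 = modem/external, eth0 = LAN. Override with env vars.
EXT_IF="${EXT_IF:-ppp0}"
LAN_IF="${LAN_IF:-eth0}"

# Print the rules instead of running them; pipe into sh to apply.
gen_rules() {
    ext="$1"; lan="$2"
    cat <<EOF
iptables -t nat -F
iptables -F FORWARD
# Step 2: rewrite LAN source addresses to the modem's address.
# MASQUERADE rather than SNAT --to, because a dialup address changes per call.
iptables -t nat -A POSTROUTING -o $ext -j MASQUERADE
# Tighter than FORWARD ACCEPT: the LAN may open connections outwards,
# the internet side may only answer connections that already exist.
iptables -P FORWARD DROP
iptables -A FORWARD -i $lan -o $ext -j ACCEPT
iptables -A FORWARD -i $ext -o $lan -m state --state ESTABLISHED,RELATED -j ACCEPT
# Step 3: turn forwarding on only after the FORWARD policy is in place.
echo 1 > /proc/sys/net/ipv4/ip_forward
EOF
}

# NAT only moves packets; the PC still needs a resolver. List the gateway's
# nameservers (from resolv.conf, or a file given as $1) to enter on the client.
lan_dns() {
    sed -n 's/^nameserver[[:space:]]*//p' "${1:-/etc/resolv.conf}"
}

if [ "$1" = "--apply" ]; then
    gen_rules "$EXT_IF" "$LAN_IF" | sh -e
else
    gen_rules "$EXT_IF" "$LAN_IF"
    [ -r /etc/resolv.conf ] && { printf 'DNS servers to set on the PC:\n'; lan_dns; }
fi
```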
Hey Jared,

If you've got the time and the patience, you could set up a DHCP server on your linux box for your windows box, and set DNS servers and stuff. Then your windows machine WOULD automatically find this stuff out, and you may even notice a decrease in startup-speed (windows is a real pig when it can't find a DHCP server, so it just sits there awhile until the timeout period expires, and then gives itself the typical 169.254.x.x APIPA). If you're interested, I can offer some tips.

PS. That iptables script you used is about the longest thing I have ever seen.... including defining its own tables!!  Overkill!