Setting up XP machines for use with Redhat masquerading server : Part II

Hi everyone,

I am having difficulty getting my XP machine to access the internet through my masquerading Red Hat 7.1 box.  While experimenting, I did an ipconfig /displaydns on the XP machine, and got a short list of 8 URLs.  I can ping these URLs, however, *I cannot ping any other URLs.*

My setup is:

connection type: cable

Linux (two LAN cards): (eth1) and using DHCP for eth0.

XP:, using the Linux box as gateway.  An ipconfig /all in XP reveals that "IP Routing" is enabled, however, I do not see where to disable this.

The problem is, despite being able to connect to the ISP and ping any URLs from the Linux box, I cannot ping most internet sites from the XP machine.  The Linux and XP machines can ping each other without problem.

My Linux firewall settings (which are minimal for testing) are:

echo 1 > /proc/sys/net/ipv4/ip_forward
iptables -F
iptables -P INPUT ACCEPT
iptables -A POSTROUTING -t nat -s -j MASQUERADE

I have no firewalls enabled on the XP machine.

Does anyone know what might be the problem?  This is related to an earlier question of mine, that I have not successfully worked through...

Many thanks,
C. Wang
PAQed with points refunded (100)

Community Support Moderator
Hi ChristopherWang

Have you tried this?

On Windows XP: set the DNS address given by Linux in /etc/resolv.conf
ChristopherWangAuthor Commented:
Hi Luxana,

Yes, I've given a primary and secondary DNS, which I got from the /etc/resolv.conf.  

C. Wang
ChristopherWangAuthor Commented:
Anyone have any other suggestions?  

I can get ping responses on the handful of URLs like "" and sites like or, which happen to be in my ipconfig /displaydns.

C. Wang
Hallo  Christopher

It looks alright to me, but I'm not an expert in this case. That means that I do not want to get you wrong. I'm also using forwarding for sharing the internet. Check and try mine if you want:

echo 1 > /proc/sys/net/ipv4/ip_forward
/sbin/iptables -t nat -I POSTROUTING -s -j MASQUERADE
/sbin/iptables -I FORWARD -s -j ACCEPT
/sbin/iptables -I FORWARD -p tcp --dport 0:1023 -d -j DROP

I have one Win98 and one WinXP client on the network, both working perfectly, including and .

ChristopherWangAuthor Commented:
Thanks, Luxana.

I've replaced my firewall script with your script above.  Unfortunately, now when I ping sites, I get:  

"From : Packet filtered"             ...and 100% packet loss.

Any other ideas?  Do I need to enter anything for "WINS server" in XP?  I've kept this blank.

Hallo Christofer

No, you do not have to set up WINS on XP. All we need is to set up the GATEWAY and DNS.

Filtered from Do you have a firewall enabled in Linux, or what?
And then the firewall settings.

What is your DHCP range of IP's on eth0?
ChristopherWangAuthor Commented:
Hi Luxana,

Well, when I installed Red Hat originally, I selected "no firewall" in the graphical install.

I just ran setup now, and in the firewall section, it defaults to "high security", but did not seem to accept my change to "no firewall".  Is there a way to check if Linux is running another firewall script?

Also, where can I check the DHCP range?  

Many thanks,
Hallo Christofer

All I'm wondering is what IP this is:
So just to make it clear! On your Linux you are running the DHCP service on eth0. If so, the range of IP addresses you can see in /etc/dhcpd.conf.

And on your eth1 you are connected to the network?

Christofer, I said that I do not want to get you wrong; I'm not an expert in this case, I'm just comparing your situation with my own.

Hallo Christofer

can you please place here your

#netstat -r

#iptables -L

ChristopherWangAuthor Commented:
Hi Luxana,

Ok, firstly, I checked for the /etc/dhcpd.conf and did not find one.  I did a find on the whole system, and no dhcpd.conf was found.  There were two empty directories under /etc called "dhcpc" and "dhcpcd".  By the way, I connect to the net using a program called "BPALogin" which was designed to connect cable modems to my ISP while bypassing a regular "heartbeat" signal from the ISP.  BPALogin uses DHCP.  It does connect me, but I cannot find the "DHCP range".

Next, I ran the commands you asked me to run:

Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
                *                               U     0      0        0 eth1
                *                               U     0      0        0 eth0
                *                               U     0      0        0 lo
default                                         UG    0      0        0 eth1
default         CPE-144-136-48-                 UG    0      0        0 eth0

#netstat -r

Kernel IP routing table
Destination     Gateway         Genmask         Flags   MSS Window  irtt   Iface
                *                               U        40      0          0    eth1
                *                               U        40      0          0    eth0
                *                               U        40      0          0    lo
default                                         UG       40      0          0    eth1
default         CPE-144-136-48-                 UG       40      0          0    eth0


eth0      Link encap:Ethernet  HWaddr 00:40:F4:6E:73:A6  
          inet addr:  Bcast:  Mask:
          RX packets:6061 errors:0 dropped:0 overruns:0 frame:0
          TX packets:75 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:100
          Interrupt:9 Base address:0x8f00

eth1    Link encap:Ethernet  HWaddr 00:40:F4:7C:04:74  
          inet addr:  Bcast:  Mask:
          RX packets:106 errors:0 dropped:0 overruns:0 frame:0
          TX packets:71 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:100
          Interrupt:12 Base address:0xae00

lo        Link encap:Local Loopback  
          inet addr:  Mask:
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:27 errors:0 dropped:0 overruns:0 frame:0
          TX packets:27 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0


iptables -L

Chain INPUT (policy ACCEPT)
target     prot opt source               destination        

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination        

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination        

Chain block (0 references)
target     prot opt source               destination        

The inet address for eth0 was automatically generated by my connection.

Thanks very much for any help,


Hi Christopher,
A couple of questions for you.  Are you able to surf the web from the Linux machine, or can you just ping out?  Do you have anything in your hosts file under /etc?  What is the full contents of /etc/rc.d/rc.firewall?  What is the contents of /etc/rc.d/rc.local?  The reason I ask about rc.local is that I reference /etc/rc.d/rc.firewall in it.  Below is a clipping from my firewall.  Give it a shot and see if you can ping outside from the XP machine to somewhere other than the ones in your displaydns (i.e. ping
-----------------------Copy Below-------------------------------

ETHOUTSIDE="`/sbin/ifconfig eth1 | grep 'inet addr' | awk '{print $2}' | sed -e 's/.*://'`"
echo 0 > /proc/sys/net/ipv4/ip_forward

# Run modprobes
/sbin/modprobe ip_tables
/sbin/modprobe iptable_filter
/sbin/modprobe ip_conntrack
/sbin/modprobe ip_conntrack_ftp
/sbin/modprobe ip_nat_ftp

# Initial Flush of Rules
/sbin/iptables -F INPUT
/sbin/iptables -F OUTPUT
/sbin/iptables -F FORWARD
/sbin/iptables -F -t nat

/sbin/iptables -P INPUT DROP
/sbin/iptables -P OUTPUT ACCEPT
/sbin/iptables -P FORWARD ACCEPT

# IP SPOOFING, Deny any packets on the internal network side
# that have an external source address
/sbin/iptables -A INPUT -i eth1 -s ! -j LOG --log-prefix "DENY SPOOF 1:"
/sbin/iptables -A INPUT -i eth1 -s ! -j DROP
/sbin/iptables -A FORWARD -i eth1 -s ! -j DROP

# IP Spoofing, Deny any outside packets with localhost address,
# packets not on the lo interface, any on eth0 and eth1, that have
# the address or localhost.
/sbin/iptables -A INPUT  -i ! lo -s -j LOG --log-prefix "DENY SPOOF 2:"
/sbin/iptables -A INPUT -j DROP -i ! lo -s
/sbin/iptables -A FORWARD -j DROP -i ! lo -s

# Accept internal Network to lo interface
#/sbin/iptables -A INPUT -j LOG -i lo
/sbin/iptables -A INPUT -j ACCEPT -i lo
/sbin/iptables -A FORWARD -j ACCEPT -p all -i eth1
/sbin/iptables -A INPUT -j ACCEPT -p all -i eth1 -s

# Allow Established and related outside communication to your system
# Allow outside communication to the firewall except ICMP packets
/sbin/iptables -A INPUT -m state --state ESTABLISHED,RELATED -i eth1 -p ! icmp -j ACCEPT

# Prevent Outside initiated connections
/sbin/iptables -A INPUT -m state --state NEW -i eth0 -j LOG --log-prefix "DENY OUTSIDE CONNECTION:"
/sbin/iptables -A INPUT -m state --state NEW -i eth0 -j DROP
/sbin/iptables -A FORWARD -m state --state NEW -i eth0 -j DROP

# Allow local internal network to access outside networks
/sbin/iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

# Accept ICMP ping (0 and 8) and destination unreachable (3) messages
# others will be rejected by INPUT and OUTPUT DROP policy
/sbin/iptables -A INPUT -j ACCEPT -p icmp -i eth0 --icmp-type echo-reply -d $ETHOUTSIDE
/sbin/iptables -A INPUT -j ACCEPT -p icmp -i eth0 --icmp-type echo-request -d $ETHOUTSIDE
/sbin/iptables -A INPUT -j ACCEPT -p icmp -i eth0 --icmp-type destination-unreachable -d $ETHOUTSIDE
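As an added example (not code from any of the posts above), here is the gateway rule set the thread is circling around, in one place: forwarding on, MASQUERADE out the ISP side, LAN clients allowed to originate traffic, replies admitted by connection state, and nothing new admitted from the outside. The interface names and subnet are assumptions standing in for the values stripped from the posts (WAN_IF=eth0 toward the ISP, LAN_IF=eth1 toward the XP machine, LAN_NET a constructed private subnet); gen_rules prints the commands for review and apply_rules runs them as root.

```shell
#!/bin/sh
# Added example, not from the thread. Assumed names: WAN_IF is the
# ISP-facing DHCP interface, LAN_IF the interface the XP box sits on,
# LAN_NET the private subnet given to the XP client (constructed value).
WAN_IF="${WAN_IF:-eth0}"
LAN_IF="${LAN_IF:-eth1}"
LAN_NET="${LAN_NET:-192.168.1.0/24}"
IPT="${IPT:-/sbin/iptables}"

# Emit the rule set one command per line so it can be read (or compared
# with the running "iptables -L") before anything is applied.
gen_rules() {
    cat <<EOF
$IPT -F
$IPT -t nat -F
$IPT -P INPUT DROP
$IPT -P FORWARD DROP
$IPT -P OUTPUT ACCEPT
$IPT -A INPUT -i lo -j ACCEPT
$IPT -A INPUT -i $LAN_IF -s $LAN_NET -j ACCEPT
$IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPT -A INPUT -i $WAN_IF -p icmp --icmp-type echo-request -j ACCEPT
$IPT -A FORWARD -i $WAN_IF -s $LAN_NET -j DROP
$IPT -A FORWARD -i $LAN_IF -s $LAN_NET -o $WAN_IF -j ACCEPT
$IPT -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPT -t nat -A POSTROUTING -s $LAN_NET -o $WAN_IF -j MASQUERADE
EOF
}

# Number of commands in the generated set; a quick sanity check.
rule_count() { gen_rules | wc -l | tr -d ' '; }

# Enable forwarding, then run each generated command, stopping on the
# first failure so a half-applied set is noticed rather than silent.
apply_rules() {
    echo 1 > /proc/sys/net/ipv4/ip_forward
    gen_rules | while IFS= read -r cmd; do
        $cmd || { echo "failed: $cmd" >&2; exit 1; }
    done
}

# True when the kernel is actually forwarding between interfaces.
check_forwarding() { [ "$(cat /proc/sys/net/ipv4/ip_forward 2>/dev/null)" = 1 ]; }

if [ "${MASQ_APPLY:-0}" = 1 ]; then
    apply_rules && check_forwarding && echo "masquerading $LAN_NET via $WAN_IF"
fi
```

Run with MASQ_APPLY=1 as root to apply; without it the script only defines the functions, so `sh script.sh; gen_rules` style review is safe on any host.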
ChristopherWangAuthor Commented:
Thanks jsvor,

No, I have not tried surfing from Linux, and am not sure I have browsing software for my shell (I'm not using X Windows, and I didn't plan to surf from the Linux box.)  If it would help the troubleshooting, I would be glad to install a browser.  

Okay, under my /etc/hosts, I have:      localhost.localdomain    localhost

I have named my firewall "rc.firewall1" under /etc/rc.d.  I have tried two different firewall scripts:  The one in my original post above, and the following script that I got from Luxana:

 echo 1 > /proc/sys/net/ipv4/ip_forward
 /sbin/iptables -t nat -I POSTROUTING -s -j MASQUERADE
 /sbin/iptables -I FORWARD -s -j ACCEPT
 /sbin/iptables -I FORWARD -p tcp --dport 0:1023 -d -j DROP

My rc.local is as follows:

# This script will be executed *after* all the other init scripts.
# You can put your own initialization stuff in here if you don't
# want to do the full Sys V style init stuff.

if [ -f /etc/redhat-release ]; then
    R=$(cat /etc/redhat-release)

    arch=$(uname -m)
    case "_$arch" in
          _a*) a="an";;
          _i*) a="an";;
    esac

    NUMPROC=`egrep -c "^cpu[0-9]+" /proc/stat`
    if [ "$NUMPROC" -gt "1" ]; then
        SMP="$NUMPROC-processor "
        if [ "$NUMPROC" = "8" -o "$NUMPROC" = "11" ]; then
            a="an"
        fi
    fi

    # This will overwrite /etc/issue at every boot.  So, make any changes you
    # want to make to /etc/issue here or you will lose them when you reboot.
    echo "" > /etc/issue
    echo "$R" >> /etc/issue
    echo "Kernel $(uname -r) on $a $SMP$(uname -m)" >> /etc/issue

    cp -f /etc/issue /etc/
    echo >> /etc/issue
fi

touch /var/lock/subsys/local
/etc/rc.d/init.d/bpalogin start
/bin/sh /etc/rc.d/rc.firewall1

Also, I tried your firewall clipping, and error messages followed:

: no such file or directoryoc/sys/net/ipv4/ip_forward
:command not foundll1
modprobe: can't locate module ip_tables    
modprobe: can't locate modeule iptable_filter
modprobe: can't locate module ip_conntrack
modprobe: can't locate module ip_conntrack_ftp
modprobe: can't locate module ip_nat_ftp
:command not foundll1
ip_tables (c)2000 Netfilter core team
iptables: No chain/target/match by that name
': tables does not exist  (do you need to insmod?)e 'nat
Perhaps iptables or your kernel needs to be upgraded
iptables: Bad policy name
iptables v1.2.1a: invalid target name 'DROP'

The other firewall scripts I have used (mentioned above) don't give any error messages, so I wonder if your script requires an iptables version > 1.2.1a?

C. Wang

Did you copy the whole clipping?  The first line of your error message seems like you missed the beginning of the script. My iptables version is 1.2.8.  Let me know about the clipping and in the meantime I'll look around for an older script I had.
ChristopherWangAuthor Commented:
Hi jsvor,

Sorry for the lull -- I've also been studying for an exam.  

Yep, I copied your entire clipping.

Many thanks for your help,

C. Wang
ChristopherWangAuthor Commented:
Can anyone suggest anything else I might try?  Even general principles that should be kept in mind for networking with Windows nodes.

Also, please note that I am not being lazy in asking for help with these configurations -- there are a lot of variables and modules to learn, and I've been reading a lot of the literature when I have the time.

Thanks for any help.
