REDHAT 7.3 NAT

Can your workstation get to the net in any other way than through squid ?

If not, then, your gateway is not routing or is not NAT-ing.

From one of the workstations, try :

1) ping 216.239.59.104

If it does not work, then your NAT is not working.

Please, send the output of the following commands :

cat /proc/sys/net/ipv4/ip_forward

iptables -L -n -v

2) If it works, then, try :

nslookup www.google.com

If it does not work, then your workstations DNS is not correctly set.
Check your network config

Please, check all this already, and we can take it from here.

[root@hksrv root]# cat /proc/sys/net/ipv4/ip_forward
1                                                                              

[root@hksrv root]# iptables -L -n -v
Chain INPUT (policy ACCEPT 236K packets, 508M bytes)
 pkts bytes target     prot opt in     out     source               destination


Chain FORWARD (policy ACCEPT 66 packets, 5496 bytes)
 pkts bytes target     prot opt in     out     source               destination


Chain OUTPUT (policy ACCEPT 236K packets, 619M bytes)
 pkts bytes target     prot opt in     out     source               destination


[root@hksrv root]# nslookup www.google.com
Note:  nslookup is deprecated and may be removed from future releases.
Consider using the `dig' or `host' programs instead.  Run nslookup with
the `-sil[ent]' option to prevent this message from appearing.
Server:         202.88.231.2
Address:        202.88.231.2#53

Non-authoritative answer:
www.google.com  canonical name = www.google.akadns.net.
Name:   www.google.akadns.net
Address: 66.102.7.99
Name:   www.google.akadns.net
Address: 66.102.7.104                                                          

The nslookup should have been done on the workstations. But it would not have worked :-)

You'd need to do a real firewall config, thus reading a lot :-), or installing fwbuilder (www.fwbuilder.org), which will allow you to build clean rules.

I suggest you try the following :

iptables -P OUTPUT ACCEPT
iptables -P INPUT ACCEPT
iptables -P FORWARD ACCEPT
iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -s 192.168.1.0/24 -j ACCEPT

But, be careful. Even if it might work, it's no protection at all.

I  tried the procedures u said.That doesnt work
I am able to ping the DNS server configured by the internet service provider (202.88.231.2) from the server machine.But i cant ping it from workstations.If NAT is configured whether i can ping DNS server from workstations.I am not an experienced guy so please help me to configure this condition.I dont know how this problem can be solved and if the NAT is configured whether i can access the mail provided by the internet provider in the workstations.Please help me.

These are my configurations in the server machine

[root@hksrv root]# ifconfig eth0
eth0      Link encap:Ethernet  HWaddr 00:07:E9:93:3F:58
          inet addr:192.168.1.1  Bcast:192.168.1.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:1466399 errors:0 dropped:0 overruns:0 frame:0
          TX packets:1493175 errors:0 dropped:0 overruns:4 carrier:6
          collisions:605630 txqueuelen:100
          RX bytes:1451569443 (1384.3 Mb)  TX bytes:1577988855 (1504.8 Mb)
          Interrupt:11 Base address:0x6000

[root@hksrv root]# ifconfig eth1
eth1      Link encap:Ethernet  HWaddr 00:07:E9:93:3F:59
          inet addr:202.88.242.155  Bcast:255.255.255.255  Mask:255.255.254.0
          UP BROADCAST NOTRAILERS RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:219925 errors:0 dropped:0 overruns:0 frame:0
          TX packets:98275 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:100
          RX bytes:90394025 (86.2 Mb)  TX bytes:13256910 (12.6 Mb)
          Interrupt:11 Base address:0xb000


[root@hksrv root]# cat /etc/sysconfig/network
NETWORKING=yes
HOSTNAME='hksrv.hkekm.com'
#GATEWAY=192.168.1.1
GATEWAYDEV=eth1
NISDOMAIN=hkekm.com

root@hksrv root]# cat /etc/sysconfig/network-scripts/ifcfg-eth0
DEVICE='eth0'
ONBOOT='yes'
BOOTPROTO='none'
TYPE='Ethernet'
USERCTL='no'
IPADDR='192.168.1.1'
NETMASK='255.255.255.0'
NETWORK='192.168.1.0'
BROADCAST='192.168.1.255'
#GATEWAY='192.168.1.1'
GATEWAYDEV='eth1'

[root@hksrv root]# cat /etc/sysconfig/network-scripts/ifcfg-eth1
DEVICE='eth1'
BOOTPROTO='dhcp'
ONBOOT='yes'
TYPE='Ethernet'
USERCTL='no'

[root@hksrv root]# cat /etc/resolv.conf
nameserver 202.88.231.2
nameserver 202.88.231.10

[root@hksrv root]# netstat -r
Kernel IP routing table
Destination     Gateway                       Genmask              Flags   MSS   Window   irtt      Iface
192.168.1.0     hksrv.hkekm.com      255.255.255.0     UG       40        0              0         eth0
192.168.1.0     *                                    255.255.255.0     U         40         0              0         eth0
202.88.242.0   *                                    255.255.254.0     U         40         0              0         eth1
127.0.0.0          *                                    255.0.0.0               U        40         0              0          lo
default               202.88.242.1              0.0.0.0                   UG      40         0             0          eth1


[root@hksrv root]# cat /etc/hosts
# Do not remove the following line, or various programs
# that require network functionality will fail.
192.168.1.1     hksrv.hkekm.com hksrv   localhost
192.168.1.3     hk3.hkekm.com   hk3
192.168.1.4     hk4.hkekm.com   hk4
192.168.1.5     hk5.hkekm.com   hk5
192.168.1.6     hk6.hkekm.com   hk6
192.168.1.7     hk7.hkekm.com   hk7
192.168.1.8     hk8.hkekm.com   hk8
192.168.1.9     hk9.hkekm.com   hk9
192.168.1.10    hk10.hkekm.com  hk10
192.168.1.11    hk11.hkekm.com  hk11
192.168.1.12    hk12.hkekm.com  hk12

Please help me these are the main configuration files in my server machine.

IPTABLES FILE

[root@hksrv root]# cat /etc/sysconfig/iptables
# Generated by iptables-save v1.2.5 on Fri Apr  2 13:09:32 2004
*filter
:INPUT ACCEPT [21248:9165310]
:FORWARD ACCEPT [64:5376]
:OUTPUT ACCEPT [21236:8429535]
COMMIT
# Completed on Fri Apr  2 13:09:32 2004
# Generated by iptables-save v1.2.5 on Fri Apr  2 13:09:32 2004
*nat
:PREROUTING ACCEPT [1811:102733]
:POSTROUTING ACCEPT [243:15255]
:OUTPUT ACCEPT [240:15003]
[0:0] -A POSTROUTING -p tcp -m tcp --dport 25 -j MASQUERADE
[0:0] -A POSTROUTING -p tcp -m tcp --dport 110 -j MASQUERADE
COMMIT
# Completed on Fri Apr  2 13:09:32 2004

I am using the iptables for the first time.Please specify how to delete the old rules and insert new one to configure iptables.

Sorry. I had a typo in my commands.

Please, try the following :

iptables -F OUTPUT
iptables -F INPUT
iptables -F FORWARD
iptables -P OUTPUT ACCEPT
iptables -P INPUT ACCEPT
iptables -P FORWARD ACCEPT
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -s 192.168.1.0/24 -j ACCEPT

This should work.

If it does, then, you should change your /etc/sysconfig/iptables accordingly.

i had done all the settings accordingly u said,but this too didnt work

One stupid question :

What's in /proc/sys/net/ipv4/ip_forward ?

cat /proc/sys/net/ipv4/ip_forward

If there's a "0" there, it can not work. Do :

echo 1 > /proc/sys/net/ipv4/ip_forward

AT LAST I GOT IT CORRECT.I GOT THE ANSWER FROM linuxforum.com
This is how i had done.

This is a how-to about sharing the internet via a linux box to the rest of your internal network.

In windows this is know as ICS (Internet Connection Sharing).
In linux it is called NAT (Network Address Translation).

1. On the linux box (that is directly connected to the internet, and is supposed to do the internet sharing), start a terminal. Run the command su and then type the root password to become root.

2. Open the file /etc/rc.d/rc.local in your favorite text editor and add this on a new line at the bottom
/etc/rc.d/rc.ipmasq and save the file.

3. Then, create a new file called rc.ipmasq in the /etc/rc.d/ directory and open this file in a text editor and add these lines

#!/bin/sh

IPTABLES=/sbin/iptables

#All The lines below are NAT routing

# flush any old rules
$IPTABLES -F -t nat

# turn on NAT (IP masquerading for outgoing packets)
$IPTABLES -A POSTROUTING -t nat -o eth0 -j MASQUERADE

# enable IP forwarding (of incoming packets)
echo 1 > /proc/sys/net/ipv4/ip_forward



Save this file.

This script assumes that eth0 is the ethernet adaptor connected to the internet (say, thru a DSL/cable modem). Change it depending on your configuration (eth1, eth2 and so on). If the connection to the internet is not thru an ethernet device (as in the case of ordinary dialup or USB modem), you have to use ppp0 (or ppp1, ppp2 and so on).
The network connections to the internet and intranet should already be up (how to do that is outside the scope of this document).

4. Make this script file executable by running chmod 755 /etc/rc.d/rc.ipmasq

5. Then run the command /etc/rc.d/rc.ipmasq to enable the internet sharing.

6. Now you can stop being root by running exit

The above script will work after the following have been already done:

Set up the network on all the computers in the LAN. Make sure every computer can be reached from another computer by "ping".
On each client computer, set the gateway to the internal IP address of the linux computer that is connected directly to the internet. Under DNS put in the primary and/or secondary DNS IP addresses of your ISP (Internet Service Provider).

Now you should be able to browse the internet from the other computers on your internal network.

It is strongly recommended that you also use a firewall on the linux gateway. This above script will work with the firewall script without any changes being required.