Linux Router Not Working - Not sure why...

I have recently installed SuSE 9.1 onto an old PMMX laptop that has two PCMCIA cards installed. One is assigned DHCP through my cable modem (eth1) and the other is configured as 192.168.111.254 (eth0). I turned on IP forwarding in the NIC management portion of YaST.

I have internet connectivity and LAN connectivity from the laptop. The machines on the LAN can ping 192.168.111.254 but will not route through the interface to the internet. I have used several different iptables configs to no avail. Are these the only commands/iptables entries I absolutely need to get the laptop to forward:

echo 1 > /proc/sys/net/ipv4/ip_forward
iptables -t nat -A POSTROUTING -o eth1 -j MASQUERADE


When I try this I get "destination unreachable" when the LAN machines ping an internet IP.

I have disabled the SuSEfirewall2 service and used:  iptables -F; iptables -t nat -F; iptables -t mangle -F
to clean the iptables before trying the above-mentioned commands.

What have I missed or done wrong? I know this should work; I had this same config running on this laptop until I tried recompiling the kernel to 2.6.9 and jacked it all up and had to reload. When I reloaded I upgraded to 9.1 (which installs a 2.6 kernel, which I then upgraded to 2.6.9).




intreegAsked:

pablouruguayCommented:
OK, try this script. I have the same setup as you and it works great; only change the eth in MASQUERADE if you need to.


iptables -P INPUT DROP
iptables -P OUTPUT ACCEPT
iptables -P FORWARD ACCEPT

iptables -P POSTROUTING ACCEPT -t nat
iptables -P PREROUTING ACCEPT -t nat
iptables -P OUTPUT ACCEPT -t nat


modprobe iptable_nat
modprobe ip_nat_ftp
modprobe ip_conntrack_ftp

echo 1 > /proc/sys/net/ipv4/ip_forward
iptables -A FORWARD -j ACCEPT -i eth0 -o eth0 -d 0/0
iptables -A FORWARD -j ACCEPT -i ppp0 -o eth0 -d 0/0
iptables -A FORWARD -j ACCEPT -i eth0 -o ppp0 -d 0/0
iptables -A OUTPUT -j ACCEPT -s 200.0.0.0/255.0.0.0  -d 0/0
iptables -A OUTPUT -j ACCEPT -s 192.168.111.0/255.255.255.0 -d 0/0
iptables -A POSTROUTING -t nat -o ppp0 -j MASQUERADE
iptables -A POSTROUTING -t nat -o eth0 -j MASQUERADE
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -i eth0 -j ACCEPT
iptables -A INPUT -i ppp0 -j ACCEPT
iptables -A INPUT  -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A INPUT -p tcp -m tcp --dport 21  --syn -j ACCEPT
iptables -A INPUT -p tcp -m tcp  --dport 8080  -j ACCEPT
iptables -A INPUT -p tcp -m tcp  --dport 995 -j ACCEPT
iptables -A INPUT -p icmp -m icmp -j DROP
iptables -A INPUT -p tcp -m tcp --dport 25 --syn -j ACCEPT
iptables -A INPUT -p tcp -m tcp --dport 80 --syn -j ACCEPT
iptables -A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
iptables -A INPUT -p tcp -m tcp --dport 4662 -j ACCEPT
iptables -A INPUT -p udp -m udp --dport 4672 -j ACCEPT
iptables -A INPUT -p tcp -m tcp --dport 953 -j ACCEPT
iptables -A INPUT  -p tcp --dport 53 -j ACCEPT
iptables -A INPUT  -p udp --dport 53 -j ACCEPT
iptables -A INPUT -p tcp -m tcp --dport 110 -j ACCEPT
iptables -A INPUT -p tcp -m tcp  --dport 143 -j ACCEPT
iptables -A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
iptables -N dropwall
iptables -A dropwall -j DROP
iptables -A INPUT -j dropwall

intreegAuthor Commented:
iptables -A OUTPUT -j ACCEPT -s 200.0.0.0/255.0.0.0  -d 0/0

This line defines the network that your ppp0 address is going to reside in? If so, I am not sure what I should change this to; I have no idea what range my IP will be in for sure. I think it will start with 24.x.x.x but I couldn't say that it would stay that way.

Other than that, I should be able to change ppp0 to eth1 and be set?
pablouruguayCommented:
Yep, I was wrong in this line. 0/0

If your eth0 is your external NIC, you need to replace ppp0 with eth0.

intreegAuthor Commented:
So just to make sure, this is what my script should look like?
eth0 - 192.168.111.254
eth1 - DHCP from cable modem


-------------------------------------------
iptables -P INPUT DROP
iptables -P OUTPUT ACCEPT
iptables -P FORWARD ACCEPT

iptables -P POSTROUTING ACCEPT -t nat
iptables -P PREROUTING ACCEPT -t nat
iptables -P OUTPUT ACCEPT -t nat


modprobe iptable_nat
modprobe ip_nat_ftp
modprobe ip_conntrack_ftp

echo 1 > /proc/sys/net/ipv4/ip_forward
iptables -A FORWARD -j ACCEPT -i eth0 -o eth0 -d 0/0
iptables -A FORWARD -j ACCEPT -i eth1 -o eth0 -d 0/0
iptables -A FORWARD -j ACCEPT -i eth0 -o eth1 -d 0/0
iptables -A OUTPUT -j ACCEPT -s 0/0  -d 0/0
iptables -A OUTPUT -j ACCEPT -s 192.168.111.0/255.255.255.0 -d 0/0
iptables -A POSTROUTING -t nat -o eth1 -j MASQUERADE
iptables -A POSTROUTING -t nat -o eth0 -j MASQUERADE
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -i eth0 -j ACCEPT
iptables -A INPUT -i eth1 -j ACCEPT
iptables -A INPUT  -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A INPUT -p tcp -m tcp --dport 21  --syn -j ACCEPT
iptables -A INPUT -p tcp -m tcp  --dport 8080  -j ACCEPT
iptables -A INPUT -p tcp -m tcp  --dport 995 -j ACCEPT
iptables -A INPUT -p icmp -m icmp -j DROP
iptables -A INPUT -p tcp -m tcp --dport 25 --syn -j ACCEPT
iptables -A INPUT -p tcp -m tcp --dport 80 --syn -j ACCEPT
iptables -A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
iptables -A INPUT -p tcp -m tcp --dport 4662 -j ACCEPT
iptables -A INPUT -p udp -m udp --dport 4672 -j ACCEPT
iptables -A INPUT -p tcp -m tcp --dport 953 -j ACCEPT
iptables -A INPUT  -p tcp --dport 53 -j ACCEPT
iptables -A INPUT  -p udp --dport 53 -j ACCEPT
iptables -A INPUT -p tcp -m tcp --dport 110 -j ACCEPT
iptables -A INPUT -p tcp -m tcp  --dport 143 -j ACCEPT
iptables -A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
iptables -N dropwall
iptables -A dropwall -j DROP
iptables -A INPUT -j dropwall
pablouruguayCommented:
Yep... it's OK.
intreegAuthor Commented:
Also, is this the bare minimum to get this config to work?

$> modprobe ipt_MASQUERADE # If this fails, try continuing anyway
$> iptables -F; iptables -t nat -F; iptables -t mangle -F
$> iptables -t nat -A POSTROUTING -o eth1 -j MASQUERADE
$> echo 1 > /proc/sys/net/ipv4/ip_forward
pablouruguayCommented:
$> iptables -F; iptables -t nat -F; iptables -t mangle -F
$> iptables -t nat -A POSTROUTING -o eth1 -j MASQUERADE
$> echo 1 > /proc/sys/net/ipv4/ip_forward

Yes, this is the minimum to work, but modprobe is only needed if you compiled your kernel with iptables MASQUERADE in module format. I don't think this happened; the best way to do this is to compile the kernel with iptables included, not as a module.
Besides, you need to accept forwarded traffic from the eths, outside and inside.
intreegAuthor Commented:
As it turns out, SuSEfirewall was not totally disabled; after double-checking my service settings and disabling all 3(!) entries for SuSEfirewall and rebooting, my firewall is now working with the minimum command set I posted.

 modprobe ipt_MASQUERADE # If this fails, try continuing anyway
 iptables -F; iptables -t nat -F; iptables -t mangle -F
 iptables -t nat -A POSTROUTING -o eth1 -j MASQUERADE
 echo 1 > /proc/sys/net/ipv4/ip_forward

Looks like I should recompile my kernel too, so I can remove the modprobe issue. I will be using the script you originally posted as my template when I work out my ruleset today. I really appreciate all of your help!

Thanks
Intreeg
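The accepted script above forwards everything (FORWARD policy ACCEPT, MASQUERADE on both interfaces), and the thread's real blocker turned out to be a second firewall script still loaded. Here is an added example, not code from the thread or from SuSE, that builds a stateful version of the minimal ruleset for the asker's layout and checks an `iptables-save` dump for the mistakes discussed (MASQUERADE on the wrong side, no forward path, foreign chains left behind). Interface names, the LAN prefix and the sample dumps in the comments are assumptions/constructed values.

```shell
#!/bin/sh
# Added example, not code from the thread: a stateful replacement for the
# FORWARD-ACCEPT-everything ruleset above, plus a checker for the things that
# went wrong in this thread. Interface names and the LAN prefix are
# parameters (eth0/eth1/192.168.111.0/24 in the question).

# Print the rules rather than run them, so they can be reviewed first and
# tested without root; as root: gen_rules eth0 eth1 192.168.111.0/24 | sh
gen_rules() {
    lan_if=$1; wan_if=$2; lan_net=$3
    cat <<EOF
echo 1 > /proc/sys/net/ipv4/ip_forward
iptables -F; iptables -t nat -F; iptables -t mangle -F; iptables -X
iptables -P FORWARD DROP
iptables -A FORWARD -i $lan_if -o $wan_if -s $lan_net -j ACCEPT
iptables -A FORWARD -i $wan_if -o $lan_if -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -t nat -A POSTROUTING -s $lan_net -o $wan_if -j MASQUERADE
EOF
}

# Check iptables-save output ($3) for: MASQUERADE on the WAN side only,
# a FORWARD path for the LAN when the policy is DROP, and FORWARD rules that
# jump into chains this script did not create (a sign that another firewall
# script, SuSEfirewall2 in the thread, is still loaded). Returns 0 when clean.
check_rules() {
    lan_if=$1; wan_if=$2; rules=$3; rc=0
    printf '%s\n' "$rules" | grep -q -- "^-A POSTROUTING .*-o $wan_if .*-j MASQUERADE" \
        || { echo "FAIL: no MASQUERADE rule on $wan_if"; rc=1; }
    printf '%s\n' "$rules" | grep -q -- "^-A POSTROUTING .*-o $lan_if .*-j MASQUERADE" \
        && { echo "FAIL: MASQUERADE on $lan_if rewrites LAN-bound source addresses"; rc=1; }
    if printf '%s\n' "$rules" | grep -q -- '^:FORWARD DROP'; then
        printf '%s\n' "$rules" | grep -q -- "^-A FORWARD .*-i $lan_if .*-o $wan_if .*-j ACCEPT" \
            || { echo "FAIL: FORWARD policy is DROP with no $lan_if -> $wan_if rule"; rc=1; }
    fi
    printf '%s\n' "$rules" | grep -- '^-A FORWARD ' | grep -Eqv -- '-j (ACCEPT|DROP|REJECT)$' \
        && { echo "WARN: FORWARD jumps to a foreign chain; another firewall may be active"; rc=1; }
    return $rc
}
```

Run `check_rules eth0 eth1 "$(iptables-save)"` as root on the router; a WARN line is the symptom the asker hit before the SuSEfirewall2 service entries were fully disabled.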
pablouruguayCommented:
You're welcome!