Setup CentOS 5.5 as Linux gateway

I am a linux newbie, so please bear with me.

Trying to set up a Linux gateway. I have installed CentOS 5.6 and that's ok.
The PC has 2 network adaptors:
eth0 connects to the WAN and eth1 connects to the LAN.
eth1 is static -

I can access the web on the linux machine.

I have set up dhcp on the Linux machine:
yum -y install dhcp
I have also changed this file : /etc/sysconfig/dhcpd   and set the following:

I have then typed the following commands:
#echo 1 > /proc/sys/net/ipv4/ip_forward

# /sbin/iptables -P FORWARD ACCEPT
# /sbin/iptables --table nat -A POSTROUTING -o eth0 -j MASQUERADE
service iptables save

# chkconfig dhcpd on
# service network restart
# service dhcpd restart

Machines on the LAN are now getting the IP addresses correctly.
If I try and ping the internet, I can only ping IP addresses, NOT domain names.
On the LAN machines, the DNS assigned by the DHCP server is (OpenDNS).
On the LAN machine if I set the DNS manually, I still cannot ping domain names, but I can ping IP addresses on the web.

If I restart the Linux machine, I cannot ping anything, unless I retype the following command:
#echo 1 > /proc/sys/net/ipv4/ip_forward

Then I can ping IP addresses.

Can anyone help me sort this out, so that I can access domain names?


farzanj Commented:
Ok.  So it doesn't appear to be a DHCP issue since your clients are Windows AND they are getting valid addresses.

Somehow you are blocking the DNS port; it is not passing through your gateway server. You may need an entry in your iptables.

Something like
iptables -A FORWARD -i eth1 -s -j ACCEPT
iptables -A FORWARD -m state -s --state ESTABLISHED,RELATED -j ACCEPT
svgmuc Commented:
Edit /etc/sysctl.conf

Edit the "net.ipv4.ip_forward" line and set it to 1.
You can check out how to set your box up as a DNS server, or just add any DNS server in your resolv.conf file.
If I restart the Linux machine, I cannot ping anything, unless I retype the following command:
#echo 1 > /proc/sys/net/ipv4/ip_forward

Edit /etc/sysctl.conf to include the line

This would make it prevail after the reboot.

Have you set the route correctly on the LAN machines?

route -n
Your default route should be your gateway machine.

Are the IP addresses for each of the LAN machines static also?
Then you must set the DNS and route on each one of them.
satshah (Author) Commented:
svgmuc & farzanj - thanks, the sysctl.conf change works, so I can still ping out after the Linux machine reboots.

But I still cannot ping out to domain names from the LAN machines, only to IP.

e.g. on the LAN machine, ping responds OK, but ping does not respond at all.
Obviously I cannot use a web browser to access websites from the LAN machine.

The Linux gateway machine is OK accessing websites.
The LAN machines have a DNS issue.

Check their /etc/resolv.conf files. What is the

server <ADDRESS>

They have?
Does your DHCP server communicate a DNS server address to the clients? You may need to configure that in the DHCP config.
satshah (Author) Commented:
The LAN machines are windows XP.

They are set to obtain IP and DNS automatically. They get the IP and DNS correctly.

This is what my dhcpd.conf file looks like:

# DHCP Server Configuration file.
#   see /usr/share/doc/dhcp*/dhcpd.conf.sample  

ddns-update-style interim;
ignore client-updates;

subnet netmask {

# --- default gateway
      option routers        ;
      option subnet-mask  ;

      option nis-domain            "";
      option domain-name            "";
      option domain-name-servers;

      option time-offset            -18000;      # Eastern Standard Time
#      option ntp-servers  ;
#      option netbios-name-servers;
# --- Selects point-to-point node (default is hybrid). Don't change this unless
# -- you understand Netbios very well
#      option netbios-node-type 2;

      range dynamic-bootp;
      default-lease-time 21600;
      max-lease-time 43200;

      # we want the nameserver to appear at a fixed address
      host ns {
            hardware ethernet 12:34:56:78:AB:CD;

I just worked with the default dhcpd.conf file. Is there something wrong in the file?
Check /etc/resolv.conf on the clients... if it has no server statement, the DHCP server doesn't communicate it.

You might try putting the address in curly brackets.

option domain-name-servers {;}
satshah (Author) Commented:
SVGMUC - The client PCs are Windows XP, so they do not have a resolv.conf in them.

On the linux gateway, the resolv.conf looks like this:

; generated by /sbin/dhclient-script
search localdomain

In your dhcp file, you have an option for only one nameserver. Please include both.
Sorry, I missed that line about XP.

I'd follow farzanj's approach next.
Maybe you can run tcpdump on the gateway to figure out where the packets are not passing through.
satshah (Author) Commented:
farzanj - I did the iptables entry but still no luck.

This is what my iptables file in /etc/sysconfig looks like:
# Generated by iptables-save v1.3.5 on Tue Apr 19 15:01:33 2011
:OUTPUT ACCEPT [2738:2184002]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -j RH-Firewall-1-INPUT
-A FORWARD -s -i eth1 -j ACCEPT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp -m icmp --icmp-type any -j ACCEPT
-A RH-Firewall-1-INPUT -p esp -j ACCEPT
-A RH-Firewall-1-INPUT -p ah -j ACCEPT
-A RH-Firewall-1-INPUT -d -p udp -m udp --dport 5353 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -m udp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
# Completed on Tue Apr 19 15:01:33 2011
# Generated by iptables-save v1.3.5 on Tue Apr 19 15:01:33 2011
:PREROUTING ACCEPT [1094:118217]
:OUTPUT ACCEPT [316:22154]
-A PREROUTING -i eth1 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 80
# Completed on Tue Apr 19 15:01:33 2011
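As an added illustration (not code from the thread): the ruleset above shows why farzanj's FORWARD rule did not help. `iptables -A` appended it behind the existing `-A FORWARD -j RH-Firewall-1-INPUT`, and that chain ends in REJECT, so a new UDP/53 query from eth1 is rejected before the ACCEPT is ever reached. The small tracer below walks the FORWARD chain the way the kernel does, for a constructed sample modelled on the posted table (the `-s` subnet the post omits is left out; only -i, -p, --dport, --state and -j are evaluated), and shows that inserting the LAN rule ahead of the jump would have let DNS through without turning the firewall off.

```python
from collections import defaultdict

# Constructed sample modelled on the filter table posted above, trimmed to the
# rules that decide a forwarded packet; the post's -s subnet is left out.
RH_CHAIN = """\
-A RH-Firewall-1-INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
"""
HEAD = ":FORWARD ACCEPT [0:0]\n:RH-Firewall-1-INPUT - [0:0]\n"
# As posted: the jump came first, so the appended (-A) LAN rule sits behind it.
POSTED = HEAD + "-A FORWARD -j RH-Firewall-1-INPUT\n-A FORWARD -i eth1 -j ACCEPT\n" + RH_CHAIN
# Same table with the LAN rule inserted ahead of the jump (iptables -I FORWARD 1 ...).
FIXED = HEAD + "-A FORWARD -i eth1 -j ACCEPT\n-A FORWARD -j RH-Firewall-1-INPUT\n" + RH_CHAIN
# Constructed packet: a new DNS query arriving from the LAN side.
DNS_QUERY = {"in": "eth1", "proto": "udp", "dport": 53, "state": "NEW"}
OPTS = ("-i", "-p", "--dport", "--state", "-j")

def parse(dump):
    """Return ({chain: policy}, {chain: [rule dicts]}); '-' marks a user chain."""
    policies, chains = {}, defaultdict(list)
    for line in dump.splitlines():
        if line.startswith(":"):
            name, policy = line[1:].split()[:2]
            policies[name] = policy
        elif line.startswith("-A "):
            toks = line.split()
            chains[toks[1]].append({t: toks[i + 1] for i, t in enumerate(toks) if t in OPTS})
    return policies, chains

def matches(rule, pkt):
    """Evaluate -i, -p, --dport and --state only; -s, -o and module flags are ignored."""
    if rule.get("-i", pkt["in"]) != pkt["in"] or rule.get("-p", pkt["proto"]) != pkt["proto"]:
        return False
    if "--dport" in rule and int(rule["--dport"]) != pkt["dport"]:
        return False
    return "--state" not in rule or pkt["state"] in rule["--state"].split(",")

def verdict(policies, chains, chain, pkt):
    """First terminating target hit; otherwise the chain policy (None for user chains)."""
    for rule in chains.get(chain, []):
        if matches(rule, pkt):
            target = rule["-j"]
            if target in policies:               # jump into a user-defined chain
                target = verdict(policies, chains, target, pkt)
            if target in ("ACCEPT", "DROP", "REJECT"):
                return target
    return None if policies.get(chain) == "-" else policies.get(chain)

def trace_forward(dump, pkt):
    policies, chains = parse(dump)
    return verdict(policies, chains, "FORWARD", pkt)
```

`trace_forward(POSTED, DNS_QUERY)` returns REJECT and `trace_forward(FIXED, DNS_QUERY)` returns ACCEPT; replies from the WAN side still pass the RELATED,ESTABLISHED rule in both tables.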
satshah (Author) Commented:
farzanj - the problem was with the firewall. When I posted the iptables file I saw the FIREWALL entries,
so I disabled the firewall in System / Administration, and I can now ping domain names.

thank you.
Did it work?

What I see is that you are doing PREROUTING for port 80 but NOT port 53 (DNS).
Could you also add a rule for port 53? That may work.
satshah (Author) Commented:
farzanj - It does work.
Great.  Good to know.  Thanks.