IP Forwarding problem

 
 
David Suna
      04-26-2004, 09:56 AM
I am sure there is a simple fix to my problem but I have looked on the net
and I have not found it.

I have a RedHat 9 system set up. I am connecting to the Internet via an
ISDN modem. The connection works fine. I now want to have the Windows
boxes on the LAN connect to the Internet via the Linux box. I set up IP
Forwarding. I am able to see the Linux box from the Windows machines on
the network. However, I am not able to get out onto the Internet from the
Windows machines. I ran tcpdump and I see that the requests from the
Windows machine are going out but they are showing up as coming from
192.168.0.4 instead of as from the IP assigned from my ISP.

It seems like the NAT is not working but I don't know how to fix it. The
routing table seems to be OK. Below is what is reported by route -n:

Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
192.168.0.0 0.0.0.0 255.255.255.0 U 0 0 0 eth0
169.254.0.0 0.0.0.0 255.255.0.0 U 0 0 0 eth0
127.0.0.0 0.0.0.0 255.0.0.0 U 0 0 0 lo
62.0.0.0 0.0.0.0 255.0.0.0 U 0 0 0 ippp0
0.0.0.0 62.219.193.1 0.0.0.0 UG 0 0 0 ippp0

The RedHat 7.3 system that I had in the past that performed this function
used ipchains. RedHat 9 uses iptables. I don't know if the problem
relates to a bad configuration for iptables. I used the RedHat tool for
defining the iptables rules (Medium Security with the LAN as a trusted
interface). Below is what I get from iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination
RH-Lokkit-0-50-INPUT all -- anywhere anywhere

Chain FORWARD (policy ACCEPT)
target prot opt source destination
RH-Lokkit-0-50-INPUT all -- anywhere anywhere

Chain OUTPUT (policy ACCEPT)
target prot opt source destination

Chain RH-Lokkit-0-50-INPUT (2 references)
target prot opt source destination
ACCEPT udp -- ntp.ilan.net.il anywhere udp spt:ntp dpt:ntp
ACCEPT udp -- ntp.ilan.net.il anywhere udp spt:ntp dpt:ntp
ACCEPT udp -- kd2.bezeqint.net anywhere udp spt:domain dpts:1025:65535
ACCEPT udp -- dnsmail2.bezeqint.net anywhere udp spt:domain dpts:1025:65535
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
REJECT tcp -- anywhere anywhere tcp dpts:0:1023 flags:SYN,RST,ACK/SYN reject-with icmp-port-unreachable
REJECT tcp -- anywhere anywhere tcp dpt:nfs flags:SYN,RST,ACK/SYN reject-with icmp-port-unreachable
REJECT udp -- anywhere anywhere udp dpts:0:1023 reject-with icmp-port-unreachable
REJECT udp -- anywhere anywhere udp dpt:nfs reject-with icmp-port-unreachable
REJECT tcp -- anywhere anywhere tcp dpts:x11:6009 flags:SYN,RST,ACK/SYN reject-with icmp-port-unreachable
REJECT tcp -- anywhere anywhere tcp dpt:xfs flags:SYN,RST,ACK/SYN reject-with icmp-port-unreachable

Can someone tell me what I need to change to get the Windows machines to
see the Internet? Any pointers to documentation that addresses this
specific problem? I have read a bunch of documentation but I haven't
found a way to solve this problem.

thanks,
David Suna
(E-Mail Removed)

 
ya
      04-26-2004, 10:26 AM
Yes, it's a very simple problem. First you have to remove the default rule set
that Redhat supported.
- iptables -F
- iptables -t nat -F

and then, iptables -t nat -A POSTROUTING -s 192.168.0.0/24 -j MASQUERADE
or -j SNAT --to your real IP.

Maybe Redhat's default firewall rule set made you confused.




"David Suna" <(E-Mail Removed)> wrote in message
newsan.2004.04.26.09.56.00.76741@davidsconsultants.com...
> I am sure there is a simple fix to my problem but I have looked on the net
> and I have not found it.
>
> I have a RedHat 9 system set up. I am connecting to the Internet via an
> ISDN modem. The connection works fine. I now want to have the Windows
> boxes on the LAN connect to the Internet via the Linux box. I set up IP
> Forwarding. I am able to see the Linux box from the Windows machines on
> the network. However, I am not able to get out onto the Internet from the
> Windows machines. I ran tcpdump and I see that the requests from the
> Windows machine are going out but they are showing up as coming from
> 192.168.0.4 instead of as from the IP assigned from my ISP.
>
> It seems like the NAT is not working but I don't know how to fix it. The
> routing table seems to be OK. Below is what is reported by route -n:
>
> Kernel IP routing table
> Destination Gateway Genmask Flags Metric Ref Use Iface
> 192.168.0.0 0.0.0.0 255.255.255.0 U 0 0 0 eth0
> 169.254.0.0 0.0.0.0 255.255.0.0 U 0 0 0 eth0
> 127.0.0.0 0.0.0.0 255.0.0.0 U 0 0 0 lo
> 62.0.0.0 0.0.0.0 255.0.0.0 U 0 0 0 ippp0
> 0.0.0.0 62.219.193.1 0.0.0.0 UG 0 0 0 ippp0
>
> The RedHat 7.3 system that I had in the past that performed this function
> used ipchains. RedHat 9 uses iptables. I don't know if the problem
> relates to a bad configuration for iptables. I used the RedHat tool for
> defining the iptables rules (Medium Security with the LAN as a trusted
> interface). Below is what I get from iptables -L
> Chain INPUT (policy ACCEPT)
> target prot opt source destination
> RH-Lokkit-0-50-INPUT all -- anywhere anywhere
>
> Chain FORWARD (policy ACCEPT)
> target prot opt source destination
> RH-Lokkit-0-50-INPUT all -- anywhere anywhere
>
> Chain OUTPUT (policy ACCEPT)
> target prot opt source destination
>
> Chain RH-Lokkit-0-50-INPUT (2 references)
> target prot opt source destination
> ACCEPT udp -- ntp.ilan.net.il anywhere udp spt:ntp dpt:ntp
> ACCEPT udp -- ntp.ilan.net.il anywhere udp spt:ntp dpt:ntp
> ACCEPT udp -- kd2.bezeqint.net anywhere udp spt:domain dpts:1025:65535
> ACCEPT udp -- dnsmail2.bezeqint.net anywhere udp spt:domain dpts:1025:65535
> ACCEPT all -- anywhere anywhere
> ACCEPT all -- anywhere anywhere
> REJECT tcp -- anywhere anywhere tcp dpts:0:1023 flags:SYN,RST,ACK/SYN reject-with icmp-port-unreachable
> REJECT tcp -- anywhere anywhere tcp dpt:nfs flags:SYN,RST,ACK/SYN reject-with icmp-port-unreachable
> REJECT udp -- anywhere anywhere udp dpts:0:1023 reject-with icmp-port-unreachable
> REJECT udp -- anywhere anywhere udp dpt:nfs reject-with icmp-port-unreachable
> REJECT tcp -- anywhere anywhere tcp dpts:x11:6009 flags:SYN,RST,ACK/SYN reject-with icmp-port-unreachable
> REJECT tcp -- anywhere anywhere tcp dpt:xfs flags:SYN,RST,ACK/SYN reject-with icmp-port-unreachable
>
> Can someone tell me what I need to change to get the Windows machines to
> see the Internet? Any pointers to documentation that addresses this
> specific problem? I have read a bunch of documentation but I haven't
> found a way to solve this problem.
>
> thanks,
> David Suna
> (E-Mail Removed)
>



 
 
David Suna
      04-26-2004, 11:44 AM
Thanks. That worked and the Windows boxes are now able to access the
internet. Two follow up questions:
1. What do I have to add to not allow external connections (from anything
other than my LAN) to my Linux box?
2. How can I make these changes permanent so I don't have to redo them
every time I connect / reboot?

Thanks again,
David Suna
(E-Mail Removed)

On Mon, 26 Apr 2004 19:26:57 +0900, ya wrote:

> Yes, it's a very simple problem. First you have to remove the default rule set
> that Redhat supported.
> - iptables -F
> - iptables -t nat -F
>
> and then, iptables -t nat -A POSTROUTING -s 192.168.0.0/24 -j MASQUERADE
> or -j SNAT --to your real IP.
>
> Maybe Redhat's default firewall rule set made you confused.


 
 
ya
      04-27-2004, 12:23 AM
I am glad that you were able to solve the problem.

Regarding your first question, you should change the source target in
iptables's nat table. It's very easy.
Replace "-s 192.168.1.0/24" with "-s your virtual ip".
Regarding your second question, you can use the "rc.local" file located in
the "rc.d" directory.
Write the bash commands concerned with iptables in the "rc.local" file. For example,
" iptables -F, iptables -t nat -F, iptables -t nat -A POSTROUTING ...... "

If you wish to find more information about iptables, I advise you to use
Google.
Googling is the best way to solve the problem.

p.s. My English is poor, so I am wondering whether my meaning can be correctly
delivered to you. I am learning English now, so if I have used wrong grammar
in this article, please inform me of it. And it will be greatly appreciated
if you contact me by ICQ (200030453).

"David Suna" <(E-Mail Removed)> wrote in message
newsan.2004.04.26.11.44.01.314459@davidsconsultants.com...
> Thanks. That worked and the Windows boxes are now able to access the
> internet. Two follow up questions:
> 1. What do I have to add to not allow external connections (from anything
> other than my LAN) to my Linux box?
> 2. How can I make these changes permanent so I don't have to redo them
> every time I connect / reboot?
>
> Thanks again,
> David Suna
> (E-Mail Removed)
>
> On Mon, 26 Apr 2004 19:26:57 +0900, ya wrote:
>
> > Yes, it's a very simple problem. First you have to remove the default rule set
> > that Redhat supported.
> > - iptables -F
> > - iptables -t nat -F
> >
> > and then, iptables -t nat -A POSTROUTING -s 192.168.0.0/24 -j MASQUERADE
> > or -j SNAT --to your real IP.
> >
> > Maybe Redhat's default firewall rule set made you confused.

>
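For the two follow-up questions in this thread (refusing external connections to the Linux box, and keeping the rules across reboots), an added example that is not part of any post: a shell function that prints a default-deny ruleset in iptables-restore format, with MASQUERADE limited to traffic leaving through the outbound interface. The function name is hypothetical; the interface names and LAN range are the ones shown in the posts.

```shell
#!/bin/sh
# Added example (not from the thread). Emits an iptables-restore ruleset for
# a masquerading gateway. gen_gateway_rules is a hypothetical helper name;
# eth0, ippp0 and 192.168.0.0/24 are the values shown in the posts above.

gen_gateway_rules() {
    lan_if=$1 wan_if=$2 lan_net=$3
    # Accept only plain interface names and an IPv4 CIDR, so no extra
    # iptables options can slip into the generated file.
    for name in "$lan_if" "$wan_if"; do
        case $name in ''|*[!A-Za-z0-9._-]*) return 1 ;; esac
    done
    case $lan_net in ''|*[!0-9./]*) return 1 ;; esac
    cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
# Rewrite the source address only for LAN traffic leaving via the WAN link.
-A POSTROUTING -s $lan_net -o $wan_if -j MASQUERADE
COMMIT
*filter
# Default-deny for traffic to the gateway and through it.
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
# Replies to connections the gateway itself opened.
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# New connections to the gateway are accepted from the LAN side only.
-A INPUT -i $lan_if -s $lan_net -j ACCEPT
# LAN hosts may open connections outward; only replies come back in.
-A FORWARD -i $lan_if -o $wan_if -s $lan_net -j ACCEPT
-A FORWARD -i $wan_if -o $lan_if -m state --state ESTABLISHED,RELATED -j ACCEPT
COMMIT
EOF
}

# Usage (as root):
#   gen_gateway_rules eth0 ippp0 192.168.0.0/24 | iptables-restore
```

On Red Hat, writing the output to /etc/sysconfig/iptables lets the iptables init script load it at boot, and `net.ipv4.ip_forward = 1` in /etc/sysctl.conf keeps forwarding enabled across reboots.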



 