I think IPTables hates me...


Joshie the CK
08-17-2001, 07:41 PM
Okay... I've tried and tried, read man pages, howto's, NHF's, RFUHF's, and just about everything else..
But the iptable gods still seem to hate me..

First of all, it seems that the firewall is blocking the DHCP server from working on the internal lan...
Second, port forwarding works fine from a port like 8088, but try to forward 22, or 80, and nope. no-go..

Here, for your humor at my expense, and laughing pleasure, is my rc.firewall:

#!/bin/bash

NET='209.20.211.36/255.255.255.0'

echo "1" > /proc/sys/net/ipv4/ip_forward

#Delete and flush.
iptables --flush
iptables -F INPUT
iptables -F OUTPUT
iptables -F FORWARD

#Set Defaults
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT
iptables -P INPUT DROP

#iptables -A INPUT -i lo -p all -j ACCEPT
iptables -A INPUT -p icmp -j ACCEPT

#Set up IP FORWARDING and Masquerading.
iptables -t filter -A FORWARD -d 0/0 -s 192.168.0.0/24 -o eth0 -j ACCEPT
iptables -t filter -A FORWARD -d 192.168.0.0/24 -j ACCEPT
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
iptables -t nat -A POSTROUTING -s 209.20.211.36/255.255.255.0 -d 0/0 -j ACCEPT
iptables -t filter -A INPUT -s 192.168.0.0/24 -d 0/0 -j ACCEPT
iptables -t filter -A OUTPUT -s 192.168.0.0/24 -d 0/0 -j ACCEPT
iptables -t filter -A OUTPUT -p icmp -s 192.168.0.0/24 -d 0/0 -j ACCEPT
#iptables -A POSTROUTING -t nat -o eth0 -j MASQUERADE
#guess it's not as easy as one line..

#forward hovelnet connection to proper places
#HIGHLY EXPERIMENTAL!!!
iptables -t nat -A PREROUTING -i eth1 -d 209.20.211.36 -p tcp --dport www -j REDIRECT --to-port 8080

#Internal LAN (eth1) rules
iptables -A INPUT -s 192.168.0.0/24 -p tcp --dport 22 -j ACCEPT
iptables -A INPUT -i eth1 -p tcp --dport 67:68 -j ACCEPT
iptables -A INPUT -i eth1 -p udp --dport 67:68 -j ACCEPT
#iptables -A OUTPUT -i eth1 -p tcp --dport 67:58 -j ACCEPT
#iptables -A OUTPUT -i eth1 -p udp --dport 67:68 -j ACCEPT

#######################
#External (eth0) rules#
#######################

#Allow connections to this machine.
iptables -A INPUT -s $NET -p tcp --dport 22 -j ACCEPT

#Forwards from external (eth0) to internal (eth1)
iptables -A PREROUTING -t nat -p tcp -d $NET --dport 8088 -j DNAT --to 192.168.0.100:80
iptables -A PREROUTING -t nat -p tcp -d $NET --dport 80 -j DNAT --to 192.168.0.101:80
iptables -A PREROUTING -t nat -p tcp -d $NET --dport 21 -j DNAT --to 192.168.0.100:21
iptables -A PREROUTING -t nat -p tcp -d $NET --dport 2222 -j DNAT --to 192.168.0.101:22

-----------------------------
So... All highly patched together from what I've been able to find, and pretty much experimental.
For some reason, that part to set up masquerading looks more complicated than it's supposed to be, and seems like something might be wrong with it.. But I just don't understand IPTABLES well enough to be able to figure it out..
At least I was able to put this much together on my own, eh? :)

Thanks in advance for any help/comments/criticism/laughing fits...

[ 17 August 2001: Message edited by: Joshie the CK ]

Joshie the CK
08-19-2001, 07:31 PM
Okay, even though nobody seems to be reading, I'll keep asking. :)
Never give up, right?

Because my default OUTPUT rule is set to ACCEPT, I shouldn't have problems with needing an output rule for http or DHCP, right?

Still trying to bend my mind around this whole thing..

Joshie the CK
08-21-2001, 10:56 PM
There must be at least *ONE* person who has an idea? Any idea? I *KNOW* there are people out there who know IPTables..

C'mon.. pleeeeeeeeeaaaassseeee? :)

HuggyBear
08-22-2001, 08:58 AM
Hey Josh

Question where is all this located. Is the DHCP server on the same box as the firewall?

Do this from the CLI, not in your script: "iptables -t nat -L". By your listing you should see 8 rules total. If you see more, then you need to add "iptables -t nat -F" to flush them. My firewall needs this line.

The other thing is I see you defined the table filter but I don't see you creating it. When you create your custom table you will do this.
Let's say eth0 is the external connection to the web.
iptables -N filter
iptables -A filter -i eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT

Now at this point in your rules filter is defined but cannot be used until:

iptables -A FORWARD -j filter
iptables -A INPUT -j filter

So when you get to these two rules they jump to filter and use the defined rules. So essentially you have done this:

iptables -A FORWARD -i eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -i eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT

Just in a fashion that lets you run a set of rules by calling it once.

All those rules with iptables -A filter in your firewall script are not being used. Also I believe the echo line needs to be at the bottom.

E-mail me and let me know your setup, if you don't want to show it here.

Huggy

[ 22 August 2001: Message edited by: HuggyBear ]
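As an added example (my own, not the poster's rc.firewall and not anything HuggyBear posted), serving both the script in the first post and the user-defined chain HuggyBear describes above: the same topology rebuilt as a stateful ruleset. It assumes eth0 = external with 209.20.211.36, eth1 = internal 192.168.0.0/24 with the DHCP server on the firewall box, and the three port forwards taken from the script; the chain name fw-common, the forward_port helper and the IPT dry-run variable are my own. It flushes the nat table as well as filter (the "-F" in the original only touches filter), creates a chain with -N before jumping to it, accepts DHCP requests on eth1 by interface and port rather than by LAN source address (a DHCP request comes from 0.0.0.0, so a "-s 192.168.0.0/24" rule never matches it), and pairs every DNAT with the FORWARD rule the translated packet needs.

```shell
#!/bin/sh
# Added example, not the poster's script. Stateful NAT ruleset for the
# assumed topology: eth0 external (209.20.211.36), eth1 LAN (192.168.0.0/24),
# DHCP server running on the firewall itself.

IPT="${IPT:-iptables}"        # set IPT="echo iptables" to print instead of load
EXT_IF=eth0
INT_IF=eth1
EXT_IP=209.20.211.36
LAN=192.168.0.0/24

# forward_port <external port> <internal host> <internal port>
# A DNAT in nat/PREROUTING rewrites the destination; the filter FORWARD chain
# then sees the rewritten address, so the accept rule matches the internal host.
forward_port() {
    $IPT -t nat -A PREROUTING -i "$EXT_IF" -d "$EXT_IP" -p tcp --dport "$1" \
        -j DNAT --to-destination "$2:$3"
    $IPT -A FORWARD -i "$EXT_IF" -o "$INT_IF" -d "$2" -p tcp --dport "$3" \
        -m state --state NEW -j ACCEPT
}

firewall_rules() {
    # Flush BOTH tables; "iptables -F" alone leaves old nat rules in place.
    $IPT -F
    $IPT -t nat -F
    $IPT -X                       # drop user-defined chains from a previous run

    $IPT -P INPUT DROP
    $IPT -P FORWARD DROP
    $IPT -P OUTPUT ACCEPT

    # User-defined chain: created with -N, filled with -A, then referenced by -j.
    # Rules appended to it do nothing until some built-in chain jumps to it.
    $IPT -N fw-common
    $IPT -A fw-common -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A fw-common -m state --state INVALID -j DROP
    $IPT -A INPUT -j fw-common
    $IPT -A FORWARD -j fw-common

    $IPT -A INPUT -i lo -j ACCEPT
    $IPT -A INPUT -p icmp -j ACCEPT

    # DHCP on the LAN side: a client discover/request is UDP 0.0.0.0:68 ->
    # 255.255.255.255:67, so match on interface and ports, not on the LAN
    # source range. Server replies leave via OUTPUT, whose policy is ACCEPT.
    $IPT -A INPUT -i "$INT_IF" -p udp --sport 68 --dport 67 -j ACCEPT

    # Admin SSH to the firewall from the LAN only.
    $IPT -A INPUT -i "$INT_IF" -s "$LAN" -p tcp --dport 22 -j ACCEPT

    # LAN -> Internet: forward new outbound connections and masquerade them.
    $IPT -A FORWARD -i "$INT_IF" -o "$EXT_IF" -s "$LAN" -j ACCEPT
    $IPT -t nat -A POSTROUTING -o "$EXT_IF" -s "$LAN" -j MASQUERADE

    # Port forwards assumed from the original script.
    forward_port 80   192.168.0.101 80
    forward_port 8088 192.168.0.100 80
    forward_port 2222 192.168.0.101 22
}

# dry_run prints the exact iptables commands instead of loading them.
dry_run() {
    ( IPT="echo iptables"; firewall_rules )
}

# No argument: review the generated rules. "apply": load them (needs root).
case "${1:-}" in
    apply) firewall_rules ;;
    *)     dry_run ;;
esac
```

Run it with no argument first and read the printed commands; the DNAT line and its FORWARD partner appear together for each forward, which is the easiest way to spot a port that was translated but never allowed through. Only `sh rc.firewall apply` as root touches the kernel.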

Joshie the CK
08-23-2001, 02:35 PM
Actually, the filter stuff worked.. :-) That wasn't the problem. And I've now gotten rid of it anyway, and made the masquerading part of the script work a lot easier.

The DHCP server *IS* located on the firewall box, yes. Should this pose any particular problems?

I don't know about the echo line being at the bottom. Most example scripts seem to have it at the top, and that part seems to work now.. :-)

I guess my current problem is this: "WHY the *heck* is my firewall blocking DHCP on the internal LAN?"
Other problems, such as "WHY the HECK won't port 80 work?" are currently being negotiated with my ISP. I think they may be at fault on this one.. heh..

Thanks for the help! Encouraging to know at least SOMEONE is reading. ;)

HuggyBear
08-23-2001, 04:13 PM
Try in another script. Or by CLI.

echo "1" > /proc/sys/net/ipv4/ip_forward

# flush the filter table and the nat table
iptables -F
iptables -t nat -F

# set every built-in chain to ACCEPT (the table option goes before -P)
iptables -P FORWARD ACCEPT
iptables -P OUTPUT ACCEPT
iptables -P INPUT ACCEPT
iptables -t nat -P POSTROUTING ACCEPT
iptables -t nat -P PREROUTING ACCEPT

then add your masquerade line.

This will let all things pass from, to and thru your firewall just like there is no firewall. See if your DHCP server works then.

Jamin

[ 23 August 2001: Message edited by: HuggyBear ]