Please help me get iptables to initialize upon boot up


Floog
06-22-2002, 11:06 AM
Please help me get iptables ver. 1.2.6a working on my routerbox. As of last night, I have spent 32 hours recompiling kernel 2.4.18 and re-installing iptables to try to get my firewall rules working, but still no go.

I've been all over netfilter.org and google.com/linux, but can't figure out what I am doing incorrectly.

Here's the error message upon booting routerbox, which is a P166 MHz box with 64 MB of RAM, Slack 8, kernel 2.4.18, and iptables 1.2.6a:

iptables v1.2.6a: can't initialize iptables table 'NAT': Table does not exist (do you need to insmod?)
Perhaps iptables or your kernel needs to be upgraded.

I have tried configuring the kernel with all the netfilter, NAT, and iptables options built into the kernel itself. I have also tried doing the configuration with all the iptables stuff as modules.

Kernel recompile goes perfectly normally; that's right, I sit and watch for hours to see if I can glean any warning or error messages.

eth0 is up and can access the dsl router/internet.
eth1 is recognized but not passing any packets back and forth to LAN clients because iptables is not functioning.

Here's the entirety of my rc.firewall file; it's pretty much wide open just to get things off the ground:

# flush the three chains of the default filter table
iptables -F FORWARD
iptables -F INPUT
iptables -F OUTPUT
iptables -F OUTPUT
# flush the nat POSTROUTING chain, then masquerade everything leaving eth0 (the DSL side)
iptables -t nat -F POSTROUTING
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

All thoughts and ideas are greatly appreciated.

Please help this tired and desperate fella.

Mike

Floog
06-22-2002, 01:49 PM
Originally posted by Floog:

iptables -t nat -F POSTROUTING
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE


Oh man! I can't believe my simple mistake. I just happened to take another look at my rc.firewall file and noticed that one of the "nat" entries was capitalized. I changed it to lower case letters and now iptables seems to initialize upon boot up of routerbox.

Now it's time to get some testing done. Uggh, how do these guys who program thousands of lines of code do it!?!!?

Mike

Floog
06-22-2002, 02:05 PM
Still can't get a client box to reach the internet.

I just put a Windows 98 client box onto a switch that runs back to eth1 on the routerbox.

In Windows, I did Network Neighborhood -> Properties -> highlighted TCP/IP Ethernet -> Properties -> changed the settings in the IP Address tab from automatically detected settings to a static IP, 192.168.0.101, and a subnet mask, 255.255.255.0.

I kept DNS disabled on all the other tabs.

The win98 client (192.168.0.101) can successfully ping eth1 (192.168.0.100) on the routerbox.

The win98 client cannot successfully ping eth0 (192.168.1.100) on the routerbox

The routerbox can successfully ping the win98 client.

I still can't get win98 clients to reach the internet and access websites.

I tried the same series of tests with a linux client and got the same results.

What needs to be tested or modified to get client boxes to reach the DHCP server/DSL router -> internet?

Is it a firewall issue or is it hardware? I wonder if I have to use a crossover cable from the switch to eth1 on the routerbox instead of a regular Cat 5 cable.

I appreciate any help you can lend.

Thanks,

Mike

jumpedintothefire
06-22-2002, 04:47 PM
----quote---
The win98 client (192.168.0.101) can successfully ping eth1 (192.168.0.100) on the routerbox.

The win98 client cannot successfully ping eth0 (192.168.1.100) on the routerbox
------------

try at a prompt:

cat /proc/sys/net/ipv4/ip_forward

if it comes back 0, then you need to turn on forwarding with:

echo 1 > /proc/sys/net/ipv4/ip_forward

if that fixes it for you, add the string to your script.

[ 22 June 2002: Message edited by: jumpedintothefire ]

Floog
06-23-2002, 10:22 AM
Originally posted by jumpedintothefire:
try at a prompt:

cat /proc/sys/net/ipv4/ip_forward

if it comes back 0, then you need to turn on forwarding with:

echo 1 > /proc/sys/net/ipv4/ip_forward

the routerbox answers back with a "1".

Yikes, I guess that's good? It means IP forwarding is on and doing what it's supposed to do?

What do you think I should try next?

Thank you for your help.

Mike

jumpedintothefire
06-24-2002, 07:06 PM
add:

# internet -> LAN: only packets belonging to connections the LAN opened
iptables -A FORWARD -i eth0 -o eth1 -m state --state ESTABLISHED,RELATED -j ACCEPT

# LAN -> internet: anything the LAN sends out
iptables -A FORWARD -i eth1 -o eth0 -j ACCEPT

Don't forget to set the policy to drop, after the flush....
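The thread ends with the three pieces the routerbox needs stitched together by hand: a lowercase nat table, ip_forward set to 1, and FORWARD rules with a DROP policy. Below is a complete rc.firewall that puts them in the right order, written as an added example for this page rather than code from any of the posters. It assumes, as the thread does, that eth0 faces the DSL router and eth1 faces the 192.168.0.0/24 LAN, and it further assumes that LAN clients point their default gateway at 192.168.0.100 and have a DNS server set; the overridable IPT and IP_FORWARD variables are my addition so the script can be dry-run without root.

```shell
#!/bin/sh
# rc.firewall for a two-NIC Slackware router (added example, not from the thread).
# Assumed layout: eth0 = DSL/WAN side, eth1 = 192.168.0.0/24 LAN side.
# Usage as root: /etc/rc.d/rc.firewall start   (or "stop" to open everything up)
# IPT and IP_FORWARD can be overridden for a dry run, e.g. IPT=echo ./rc.firewall start

IPT=${IPT:-iptables}
IP_FORWARD=${IP_FORWARD:-/proc/sys/net/ipv4/ip_forward}
WAN=${WAN:-eth0}
LAN=${LAN:-eth1}
LAN_NET=${LAN_NET:-192.168.0.0/24}

# Table names are case-sensitive: "-t NAT" gives "Table does not exist".
flush_rules() {
    "$IPT" -F INPUT
    "$IPT" -F FORWARD
    "$IPT" -F OUTPUT
    "$IPT" -t nat -F POSTROUTING
}

# Default-deny for traffic to the box and through the box; the box's own
# outbound traffic is left open. Policies are set right after the flush so
# there is no window where everything is forwarded unfiltered.
set_policies() {
    "$IPT" -P INPUT DROP
    "$IPT" -P FORWARD DROP
    "$IPT" -P OUTPUT ACCEPT
}

# The kernel will not route between eth0 and eth1 until this file reads 1.
enable_forwarding() {
    echo 1 > "$IP_FORWARD"
}

# Returns success (0) when forwarding is on; handy as a quick check at a prompt.
forwarding_enabled() {
    [ "$(cat "$IP_FORWARD")" = 1 ]
}

lan_rules() {
    # the router itself: loopback, the LAN, and replies to its own connections
    "$IPT" -A INPUT -i lo -j ACCEPT
    "$IPT" -A INPUT -i "$LAN" -s "$LAN_NET" -j ACCEPT
    "$IPT" -A INPUT -i "$WAN" -m state --state ESTABLISHED,RELATED -j ACCEPT
    # LAN -> internet: only from our own subnet, so a spoofed source is dropped
    "$IPT" -A FORWARD -i "$LAN" -o "$WAN" -s "$LAN_NET" -j ACCEPT
    # internet -> LAN: only packets belonging to connections the LAN opened
    "$IPT" -A FORWARD -i "$WAN" -o "$LAN" -m state --state ESTABLISHED,RELATED -j ACCEPT
    # rewrite the LAN source address to whatever eth0 got from the DSL router
    "$IPT" -t nat -A POSTROUTING -o "$WAN" -s "$LAN_NET" -j MASQUERADE
}

apply_firewall() {
    flush_rules
    set_policies
    lan_rules
    enable_forwarding
}

case "${1:-}" in
    start) apply_firewall ;;
    stop)  flush_rules; "$IPT" -P INPUT ACCEPT; "$IPT" -P FORWARD ACCEPT ;;
esac
```

Running it with IPT=echo prints the exact rule set without touching the kernel, which is a cheap way to catch a typo such as an uppercase table name before rebooting. The -s "$LAN_NET" match on the FORWARD and MASQUERADE rules is deliberate: the thread's "-i eth1 -o eth0 -j ACCEPT" would also masquerade anything a misconfigured or hostile LAN host sends with a foreign source address.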