need help with ICS in redhat 8
tcarradine
07-07-2003, 08:54 AM
okay, i've read through a huge number of posts on the subject and i'm still having no luck.... here's what i've got so far:
1) dhcpd is configured and running
2) eth0 is connected to aDSL and working (ppp0 is the interface)
3) eth1 is 192.168.1.1 and serving the local area network. dhcp is working on internal machines and i can ping from router to internal and internal to router just fine.
4) i have downloaded firestarter and have tried to configure it (it's pretty straightforward, so i'm not sure why it isn't working), but have had no luck so far.
5) i followed Linnov's instructions quoted below:
"iptables --policy INPUT ACCEPT
iptables --policy OUTPUT ACCEPT
iptables --policy FORWARD ACCEPT
iptables -t nat -A POSTROUTING -s $INTLAN -o $EXTIF -j MASQUERADE
echo 1 > /proc/sys/net/ipv4/ip_forward
Replace $INTLAN with your network range example 192.168.0.0/24
Replace $EXTIF with the external interface name example ppp0"
6) all goes in just fine until i get to the -j MASQUERADE line .... from the shell it returns:
Warning: wierd character in interface `-j' (No aliases, :, ! or *). Bad argument `MASQUERADE'
i don't get it. i've read through the man page for iptables and MASQUERADE is a valid argument... i'm so confused... any help would be great
Tim
homey
07-07-2003, 09:04 AM
Try something like this...
$IPTABLES -t nat -A POSTROUTING -o $EXTIF -j MASQUERADE
tcarradine
07-07-2003, 09:35 AM
i typed:
$IPTABLES -t nat -A POSTROUTING -o $ppp0 -j MASQUERADE
shell returned:
bash: -t: command not found
what now?
Tim
ph34r
07-07-2003, 09:35 AM
use gShield for the firewall and forwarding/NATing - http://muse.linuxmafia.org
Very well documented config file, easy to use.
homey
07-07-2003, 09:42 AM
I keep forgetting that you may be doing this from the command line and not just editing a script. :)
From the command line it would look like...
/sbin/iptables -t nat -A POSTROUTING -o $ppp0 -j MASQUERADE
tcarradine
07-07-2003, 09:57 AM
copied the above exactly (copy/paste) in the shell, and it returned:
Warning: wierd character in interface `-j' (No aliases, :, ! or *). Bad argument `MASQUERADE'
Try `iptables -h' or 'iptables --help' for more information.
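The error above is what iptables prints when the variable after `-o` is empty: `$ppp0` was never assigned, so the shell drops it and iptables reads the next token, `-j`, as the interface name. The following is an added example, not code from this thread, showing how a firewall script can refuse to run with an unset interface variable instead of producing a broken rule. The function names (validate_ifname, masq_rule, demo) are made up for this illustration; the rejected characters are the ones named in the iptables warning itself.

```shell
#!/bin/sh
# Added example (not from the thread): guard the external interface variable
# before it reaches iptables. With "$ppp0" unset, "-o $ppp0 -j MASQUERADE"
# collapses to "-o -j MASQUERADE" and iptables rejects "-j" as an interface.

# validate_ifname NAME -> 0 if NAME looks like a usable interface name, 1 otherwise.
# iptables refuses empty names and names containing ':', '!' or '*'; anything
# starting with '-' is an option that got swallowed as the interface argument.
validate_ifname() {
    case "$1" in
        '')                 return 1 ;;   # unset or empty variable
        -*)                 return 1 ;;   # an option consumed as the interface
        *[!A-Za-z0-9_.-]*)  return 1 ;;   # ':', '!', '*' and other odd characters
        *)                  return 0 ;;
    esac
}

# masq_rule EXTIF -> prints the iptables arguments for the masquerade rule,
# or prints nothing and returns 1 when EXTIF is not usable.
masq_rule() {
    validate_ifname "$1" || return 1
    printf '%s\n' "-t nat -A POSTROUTING -o $1 -j MASQUERADE"
}

# demo reproduces the thread's mistake (an unassigned $ppp0) next to the
# working form (a variable that actually holds the interface name).
demo() {
    unset ppp0                         # never assigned, exactly as in the thread
    EXT="ppp0"                         # the correct way: store the name in a variable
    if masq_rule "$ppp0" >/dev/null 2>&1; then
        echo "unset variable accepted (should not happen)"
    else
        echo "refusing to build rule: external interface variable is empty"
    fi
    masq_rule "$EXT"
}

demo
```

Running the script prints the refusal for the unset variable, then the argument list for `ppp0`. In a real script the validated arguments would be passed to `/sbin/iptables`; doing the check first means a typo in a variable name fails loudly rather than leaving the NAT rule missing.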
homey
07-07-2003, 10:02 AM
Something strange for sure. The fact that Firestarter didn't work is probably related to that problem also. :(
Try this entire script... Copy and paste it into a text file with no extension, like maybe firewall, and run it with the command: sh firewall
_________________________________________________
#!/bin/sh
#
# The location of the iptables binary file on your system.
IPTABLES="/sbin/iptables"
# The Internet interface. For ADSL or Dialup users, this should be "ppp0".
# For a cable modem connection, this will probably be "eth0".
EXT="ppp0"
# Out with the old stuff.
$IPTABLES -F
$IPTABLES -F INPUT
$IPTABLES -F OUTPUT
$IPTABLES -F FORWARD
$IPTABLES -F -t mangle
$IPTABLES -F -t nat
$IPTABLES -X
# These will setup our policies.
$IPTABLES -P INPUT DROP
$IPTABLES -P OUTPUT ACCEPT
$IPTABLES -P FORWARD ACCEPT
# Use this for NAT or IP Masquerading.
echo 1 > /proc/sys/net/ipv4/ip_forward
$IPTABLES -t nat -A POSTROUTING -o $EXT -j MASQUERADE
# This rule protects your forwarding rule.
$IPTABLES -A FORWARD -i $EXT -m state --state NEW,INVALID -j DROP
# Port forwarding looks like this.
#$IPTABLES -t nat -A PREROUTING -i $EXT -p tcp --dport 25 -j DNAT --to 192.168.0.50
#$IPTABLES -t nat -A PREROUTING -i $EXT -p tcp --dport 53 -j DNAT --to 192.168.0.50
#$IPTABLES -t nat -A PREROUTING -i $EXT -p udp --dport 53 -j DNAT --to 192.168.0.50
# These two redirect a block of ports, in both udp and tcp.
#$IPTABLES -t nat -A PREROUTING -i $EXT -p tcp --dport 2300:2400 -j DNAT --to 192.168.0.50
#$IPTABLES -t nat -A PREROUTING -i $EXT -p udp --dport 2300:2400 -j DNAT --to 192.168.0.50
# This rule will accept connections from local machines.
$IPTABLES -A INPUT -i lo -j ACCEPT
$IPTABLES -A INPUT -s 192.168.0.0/24 -d 0/0 -p all -j ACCEPT
# DROP bad packets.
$IPTABLES -A INPUT -p tcp --tcp-flags ALL FIN,URG,PSH -j DROP
$IPTABLES -A INPUT -p tcp --tcp-flags ALL ALL -j DROP
$IPTABLES -A INPUT -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j DROP
$IPTABLES -A INPUT -p tcp --tcp-flags ALL NONE -j DROP
$IPTABLES -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
$IPTABLES -A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
# DROP icmp, but only after letting certain types through.
$IPTABLES -A INPUT -p icmp --icmp-type 0 -j ACCEPT
$IPTABLES -A INPUT -p icmp --icmp-type 3 -j ACCEPT
$IPTABLES -A INPUT -p icmp --icmp-type 11 -j ACCEPT
$IPTABLES -A INPUT -p icmp --icmp-type 8 -m limit --limit 1/second -j ACCEPT
$IPTABLES -A INPUT -p icmp -j DROP
# To open up port 22 (SSH Access) to various IP's edit the IP's below
# and uncomment the first line.
# To enable SSH access from anywhere, uncomment the second line only.
#$IPTABLES -A INPUT -i $EXT -s 200.123.10.2 -d 0/0 -p tcp --dport 22 -j ACCEPT
#$IPTABLES -A INPUT -i $EXT -s 0/0 -d 0/0 -p tcp --dport 22 -j ACCEPT
# If you are running a Web Server, uncomment the next line to open
# up port 80 on your machine.
#$IPTABLES -A INPUT -i $EXT -s 0/0 -d 0/0 -p tcp --dport 80 -j ACCEPT
# Some basic state-matching.
$IPTABLES -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
# DROP port 137 netbios packets silently.
$IPTABLES -A INPUT -p udp --sport 137 --dport 137 -j DROP
# Final catch-all: anything not accepted above is dropped (matches the INPUT policy).
$IPTABLES -A INPUT -j DROP
tcarradine
07-07-2003, 10:10 AM
that returned nothing, sh fw and then it dropped to a new line.
i changed all 192.168.0.x to 192.168.1.x so as to not have to change my dhcp setup. it's not working from my client machines, but i can still ping the router. could that change have caused the problem?
Tim
homey
07-07-2003, 10:13 AM
Returned nothing is good!
I was hoping that you would catch the subnet difference.
Type: iptables -L to see what things look like.
Maybe a line in the resolv.conf pointing to the linux box...
nameserver 192.168.1.1 and a line in dhcpd.conf pointing to that server....
option domain-name-servers 192.168.1.1;
Other than that, I'm fresh out of ideas. :(
tcarradine
07-07-2003, 10:20 AM
returned:
Chain INPUT (policy DROP)
target prot opt source destination
ACCEPT all -- anywhere anywhere
ACCEPT all -- 192.168.1.0/24 anywhere
DROP tcp -- anywhere anywhere tcp flags:FIN,SYN,RST,PSH,ACK,URG/FIN,PSH,URG
DROP tcp -- anywhere anywhere tcp flags:FIN,SYN,RST,PSH,ACK,URG/FIN,SYN,RST,PSH,ACK,URG
DROP tcp -- anywhere anywhere tcp flags:FIN,SYN,RST,PSH,ACK,URG/FIN,SYN,RST,ACK,URG
DROP tcp -- anywhere anywhere tcp flags:FIN,SYN,RST,PSH,ACK,URG/NONE
DROP tcp -- anywhere anywhere tcp flags:SYN,RST/SYN,RST
DROP tcp -- anywhere anywhere tcp flags:FIN,SYN/FIN,SYN
ACCEPT icmp -- anywhere anywhere icmp echo-reply
ACCEPT icmp -- anywhere anywhere icmp destination-unreachable
ACCEPT icmp -- anywhere anywhere icmp time-exceeded
ACCEPT icmp -- anywhere anywhere icmp echo-request limit: avg 1/sec burst 5
DROP icmp -- anywhere anywhere
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
DROP udp -- anywhere anywhere udp spt:netbios-ns dpt:netbios-ns
DROP all -- anywhere anywhere
Chain FORWARD (policy ACCEPT)
target prot opt source destination
DROP all -- anywhere anywhere state INVALID,NEW
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
side note: i was looking in webmin running on my router and noticed when i looked at "Linux Firewall" it says:
Webmin has detected 2 IPtables firewall rules currently in use, which are not recorded in the save file /etc/sysconfig/iptables. These rules were probably setup from a script, which this module does not know how to read and edit.
if there are two sets in use is there a way to remove them (i would assume firestarter is one, which i thought was turned off with "service firestarter stop", and i'm not sure what the other one is), and is it possible that this is part (or all) of my problem?
Tim
btw, thanks for all the help homey, i love this forum! i haven't found anywhere faster at getting replies out to people. thanks
homey
07-07-2003, 10:29 AM
You are welcome for the feeble attempt to help :)
Check to make sure that Firestarter is stopped or even removed. Then I would do a command: iptables -F to clear things out. Then run the script again.
Did you notice the edit from before about dhcpd.conf and resolv.conf?
tcarradine
07-07-2003, 10:44 AM
i'm attempting to remove firestarter now (downloading/installing ximian red carpet)
i noticed after my last post the dhcp/resolv notes... already had the name server in dhcpd.conf and added a line to resolv.conf, but on reboot it disappeared and was replaced by my dsl name servers. strange.
Tim
homey
07-07-2003, 10:52 AM
Well I'm out of ideas for now :( Gotta go offline until later tonight.
Hope you get it going.
tcarradine
07-07-2003, 12:44 PM
okay, i can ping out from my network clients, but only with IP addresses. domain names aren't working. any thoughts? (finally getting close)
Tim
phlipant
07-07-2003, 12:59 PM
/etc/dhcpd.conf needs to specify the dns server with
option domain-name-servers 193.169.1.1;
where 193.169.1.1 is replaced with your server.
phlipant
07-07-2003, 01:38 PM
sorry tcarradine, you need to modify /etc/init.d/dhcpd
dhcp listens to eth0 by default.
you need to find a line that looks like
daemon /usr/sbin/dhcpd ${DHCPDARGS}
and change it to
daemon /usr/sbin/dhcpd eth1 ${DHCPDARGS}
in order to get it to listen to the right nic.
don't forget to restart dhcpd.
tcarradine
07-08-2003, 11:26 AM
i figured it out! i put my own ip address 192.168.x.x as a dns server in my dhcpd conf file instead of the name server of my isp. i hadn't even tried pinging the ip of an outside source, but when i did it was working. it was easy to figure there was a problem with the name servers after that! thanks to everyone for their help!!
Tim
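The final symptom in this thread, clients can ping outside addresses but names do not resolve, is what happens when dhcpd advertises a DNS server that is not actually running a resolver (here the router's own LAN address). The script below is an added example, not something posted in the thread, that cross-checks the `option domain-name-servers` line in dhcpd.conf against the `nameserver` entries the router itself uses in resolv.conf. The function names (advertised_dns, router_resolvers, suspect_dns_servers, make_samples), the sample files and the 198.51.100.x ISP resolver addresses are all constructed for this illustration; the check is a heuristic, since an advertised address that differs from the router's own resolvers is legitimate when that host really runs BIND or dnsmasq.

```shell
#!/bin/sh
# Added example (not from the thread): flag DNS servers handed out by dhcpd that
# the router itself does not use for resolution. In the thread, dhcpd advertised
# 192.168.1.1 while the router had no DNS service and used the ISP resolvers.

# advertised_dns DHCPD_CONF -> one advertised DNS server address per line.
advertised_dns() {
    sed -n 's/^[[:space:]]*option[[:space:]][[:space:]]*domain-name-servers[[:space:]]*\(.*\);.*$/\1/p' "$1" |
        tr -d ' \t' | tr ',' '\n' | sed '/^$/d'
}

# router_resolvers RESOLV_CONF -> the nameserver entries of the router itself.
router_resolvers() {
    awk '$1 == "nameserver" { print $2 }' "$1"
}

# suspect_dns_servers DHCPD_CONF RESOLV_CONF -> advertised servers that are not
# among the router's own resolvers. Each one must be running a resolver of its
# own, or clients will get exactly the "IP works, names don't" behaviour.
suspect_dns_servers() {
    resolvers=$(router_resolvers "$2")
    advertised_dns "$1" | while IFS= read -r srv; do
        found=0
        for r in $resolvers; do
            [ "$r" = "$srv" ] && found=1
        done
        if [ "$found" -eq 0 ]; then
            printf '%s\n' "$srv"
        fi
    done
}

# make_samples -> creates a temp dir with constructed files reproducing the
# thread's misconfiguration and prints its path. The ISP resolver addresses
# are placeholders from the 198.51.100.0/24 documentation range.
make_samples() {
    dir=$(mktemp -d)
    cat >"$dir/dhcpd.conf" <<'EOF'
subnet 192.168.1.0 netmask 255.255.255.0 {
    range 192.168.1.100 192.168.1.200;
    option routers 192.168.1.1;
    option domain-name-servers 192.168.1.1;
}
EOF
    cat >"$dir/resolv.conf" <<'EOF'
nameserver 198.51.100.1
nameserver 198.51.100.2
EOF
    printf '%s\n' "$dir"
}

samples=$(make_samples)
echo "Advertised DNS servers the router does not use itself:"
suspect_dns_servers "$samples/dhcpd.conf" "$samples/resolv.conf"
rm -r "$samples"
```

With the constructed files the script reports `192.168.1.1`; changing the dhcpd.conf line to hand out the two ISP resolvers makes the report empty. On a Red Hat router whose resolv.conf is rewritten by pppd at every connect, as described earlier in the thread, the resolv.conf side of this check reflects whatever the ISP supplied most recently, which is also what the clients should be given.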