# iptables configuration problem [solved]

## wcw

Hi, guys!

I use iptables to let the PCs in the subnet connect to the Internet outside.

And I wrote a simple script, but it doesn't work:

```
#!/bin/sh
iptables -F

#Define packets from Internet server to Intranet
iptables -A FORWARD -d 198.168.1.0/24 -i eth0 -j ACCEPT

#Define packets from Intranet to Internet
iptables -A FORWARD -s 198.168.1.0/24 -i eth1 -j ACCEPT
```

```
# iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination         

Chain FORWARD (policy DROP)
target     prot opt source               destination         
ACCEPT     all  --  anywhere             198.168.1.0/24      
ACCEPT     all  --  198.168.1.0/24       anywhere            

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination  
```

The eth0 here has the real IP, and the eth1 has a subnet IP: 192.168.1.21.

Is my configuration all right?

How to fix this problem?

Thanks in advance!!

Last edited by wcw on Tue May 15, 2007 6:54 am; edited 1 time in total

----------

## moocha

What you did there was forward the 192.168.1.0/24 subnet. In other words, packets from 192.168.1.0/24 will be forwarded by your router with the original source IP address to your default route, and packets originating from your upstream and having destination IPs in that subnet will be forwarded to your clients. This is not what you want, since IPs from the private address range are not routable on the Internet - in other words, your upstream will most likely silently drop packets originating from 192.168.1.0/24, and it will not forward packets to 192.168.1.0/24 to you.

What you need is SNAT - rewriting of the source IP address to the public IP address on your eth0 interface, and rewriting of the destination IP address when reply packets come in. Make sure to have the iproute2 package emerged, and use this script as a starting point:

```
#!/bin/bash

# MY_EXTERNAL_INTERFACE must contain the name of your external interface (typically eth0)
MY_EXTERNAL_INTERFACE="eth0"

# MY_EXTERNAL_IP must contain the primary IP address on your external interface (the IP with which the world "sees" you)
# It's autodetected by default.
MY_EXTERNAL_IP=$(ip a show dev ${MY_EXTERNAL_INTERFACE}|grep 'inet.*scope global'|head -n1|awk '{ print $2 }'|cut -d/ -f1)
# The above autodetection will fail if you don't have the iproute2 package installed,
# so comment it out, define the external IP manually below, and uncomment that line:
#MY_EXTERNAL_IP="11.22.33.44"

# Clear the chains
iptables -F
iptables -X
iptables -t nat -F
iptables -t nat -X

# Don't bother inspecting packets from the lo interface, that would be a waste of CPU cycles
iptables -A INPUT -i lo -j ACCEPT

# Let already established connections through
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

# Drop IP spoofing attempts coming in through the external interface
iptables -A INPUT -i ${MY_EXTERNAL_INTERFACE} -s 192.168.1.0/24 -j DROP
iptables -A INPUT -i ${MY_EXTERNAL_INTERFACE} -s 127.0.0/8 -j DROP

# Perform full SNAT for the 192.168.1.0/24 subnet
iptables -t nat -A POSTROUTING -s 192.168.1.0/24 -o ${MY_EXTERNAL_INTERFACE} -j SNAT --to-source ${MY_EXTERNAL_IP}
```

This will work well if your external IP doesn't change, i.e. if you have a static IP. If the IP address on your external interface is likely to change all of a sudden, then you need to replace the "-j SNAT --to-source ${MY_EXTERNAL_IP}" part above with "-j MASQUERADE".

You will need to have Connection tracking, Full NAT, SNAT and (if required) MASQUERADE target support compiled into your kernel Netfilter setup.

For a more detailed explanation of why it must be done this way, see the Network Address Translation Introduction and SNAT target and MASQUERADE target chapters in the excellent iptables tutorial.

----------
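The post above explains SNAT and gives a script for it. As an added example that is not code from this thread or from moocha, here is a dry-run generator for the full NAT router ruleset the thread converges on: the INPUT and POSTROUTING rules from the script above (SNAT, or MASQUERADE when no fixed external IP is given, as the post explains), plus the two pieces found missing later in the thread, FORWARD rules for the LAN and the ip_forward sysctl. The return-path FORWARD rule is stateful, which is stricter than the `-d LAN -i eth0 -j ACCEPT` rule of the first post. Interface names, the LAN prefix and the external address are parameters whose defaults are the values used in the thread; `valid_cidr` and `nat_rules` are names chosen for this example.

```shell
#!/bin/sh
# Added example, not code from the thread: a dry-run generator for the NAT router
# ruleset the thread converges on. It emits the commands from moocha's script
# (INPUT hygiene plus SNAT, or MASQUERADE when no fixed external IP is given)
# together with the two pieces wcw later found missing, FORWARD rules for the
# LAN and the ip_forward sysctl. The return-path FORWARD rule here is stateful,
# which is stricter than the "-d LAN -i eth0 -j ACCEPT" of the first post.
# Nothing is applied unless you ask for it:
#   sh nat-router.sh print   -> show the commands
#   sh nat-router.sh apply   -> pipe them through sh (as root)
# EXT_IF, INT_IF, LAN and EXT_IP can be overridden in the environment; the
# defaults are the values used in the thread.

# valid_cidr A.B.C.D/N -> true when all four octets and a 0..32 prefix are present.
# Catches typos such as 127.0.0/8 (three octets) before iptables is ever invoked.
valid_cidr() {
    printf '%s\n' "$1" | awk -F'[./]' '
        NF != 5 { exit 1 }
        { for (i = 1; i <= 4; i++) if ($i !~ /^[0-9]+$/ || $i > 255) exit 1
          if ($5 !~ /^[0-9]+$/ || $5 > 32) exit 1
          exit 0 }'
}

# nat_rules EXT_IF INT_IF LAN_CIDR [EXT_IP] -> print the ruleset, one command per line.
# With an empty EXT_IP the POSTROUTING rule uses MASQUERADE (dynamic address).
nat_rules() {
    ext_if=$1; int_if=$2; lan=$3; ext_ip=$4
    valid_cidr "$lan" || { echo "nat_rules: bad LAN prefix '$lan'" >&2; return 1; }
    cat <<EOF
iptables -F
iptables -X
iptables -t nat -F
iptables -t nat -X
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A INPUT -i $ext_if -s $lan -j DROP
iptables -A INPUT -i $ext_if -s 127.0.0.0/8 -j DROP
iptables -P FORWARD DROP
iptables -A FORWARD -i $int_if -o $ext_if -s $lan -j ACCEPT
iptables -A FORWARD -i $ext_if -o $int_if -m state --state RELATED,ESTABLISHED -j ACCEPT
EOF
    if [ -n "$ext_ip" ]; then
        echo "iptables -t nat -A POSTROUTING -s $lan -o $ext_if -j SNAT --to-source $ext_ip"
    else
        echo "iptables -t nat -A POSTROUTING -s $lan -o $ext_if -j MASQUERADE"
    fi
    echo "echo 1 > /proc/sys/net/ipv4/ip_forward"
}

# Dispatch: with no argument the script only defines the functions above.
case "${1:-}" in
    print) nat_rules "${EXT_IF:-eth0}" "${INT_IF:-eth1}" "${LAN:-192.168.1.0/24}" "${EXT_IP:-}" ;;
    apply) nat_rules "${EXT_IF:-eth0}" "${INT_IF:-eth1}" "${LAN:-192.168.1.0/24}" "${EXT_IP:-}" | sh ;;
esac
```

Reviewing the output of `print` before `apply` is the point of the split: a malformed prefix is rejected by `valid_cidr` before any rule is loaded, and the FORWARD policy is set to DROP before the two ACCEPT rules so that only LAN-originated traffic and its replies cross the router.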

## wcw

Thank you for your details!

I have tried, but it still doesn't work.

Here is the information after running your script:

```
# iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination         
ACCEPT     all  --  anywhere             anywhere            
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED 
DROP       all  --  192.168.1.0/24       anywhere            
DROP       all  --  127.0.0.0/8          anywhere            

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         

[root@localhost ~]# iptables -L -t nat
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination         

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination         
SNAT       all  --  192.168.1.0/24       anywhere            to:202.114.10.134 

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         
```

Then on my PCs, I still can't ping any website outside.

PS: I changed some of your script here:

```
iptables -A INPUT -i ${MY_EXTERNAL_INTERFACE} -s 127.0.0/8 -j DROP 
```

to 

```
iptables -A INPUT -i ${MY_EXTERNAL_INTERFACE} -s 127.0.0.1/8 -j DROP 
```

----------

## moocha

Yes, sorry about the error, it was supposed to read 127.0.0.0/8 (your solution is perfectly fine too).

That's odd, it should have worked. Try running

```
tcpdump -n -i eth1 net 192.168.1.0/24
```

on the router while pinging an external host, to see what happens. Please make sure to ping that host by IP, so we can rule out DNS issues.

----------

## wcw

Here is the result:

```
# tcpdump -n -i eth1 net 192.168.1.0/24
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth1, link-type EN10MB (Ethernet), capture size 96 bytes
17:08:20.730838 IP 192.168.1.63.4523 > 192.168.1.35.22: P 276983625:276983673(48) ack 1363913454 win 12560 <nop,nop,timestamp 344853 8356196>
17:08:20.731120 IP 192.168.1.35.22 > 192.168.1.63.4523: P 1:49(48) ack 48 win 2576 <nop,nop,timestamp 8378028 344853>
17:08:20.731149 IP 192.168.1.63.4523 > 192.168.1.35.22: . ack 49 win 12560 <nop,nop,timestamp 344853 8378028>
17:08:20.872486 IP 192.168.1.63.4523 > 192.168.1.35.22: P 48:96(48) ack 49 win 12560 <nop,nop,timestamp 344867 8378028>
17:08:20.872675 IP 192.168.1.35.22 > 192.168.1.63.4523: P 49:97(48) ack 96 win 2576 <nop,nop,timestamp 8378042 344867>
17:08:20.872691 IP 192.168.1.63.4523 > 192.168.1.35.22: . ack 97 win 12560 <nop,nop,timestamp 344867 8378042>
17:08:21.055719 IP 192.168.1.63.4523 > 192.168.1.35.22: P 96:144(48) ack 97 win 12560 <nop,nop,timestamp 344885 8378042>
17:08:21.055903 IP 192.168.1.35.22 > 192.168.1.63.4523: P 97:145(48) ack 144 win 2576 <nop,nop,timestamp 8378060 344885>
17:08:21.055919 IP 192.168.1.63.4523 > 192.168.1.35.22: . ack 145 win 12560 <nop,nop,timestamp 344885 8378060>
17:08:21.221352 IP 192.168.1.63.4523 > 192.168.1.35.22: P 144:192(48) ack 145 win 12560 <nop,nop,timestamp 344902 8378060>
17:08:21.221544 IP 192.168.1.35.22 > 192.168.1.63.4523: P 145:193(48) ack 192 win 2576 <nop,nop,timestamp 8378077 344902>
17:08:21.221562 IP 192.168.1.63.4523 > 192.168.1.35.22: . ack 193 win 12560 <nop,nop,timestamp 344902 8378077>
17:08:21.344871 IP 192.168.1.63.4523 > 192.168.1.35.22: P 192:240(48) ack 193 win 12560 <nop,nop,timestamp 344914 8378077>
17:08:21.345051 IP 192.168.1.35.22 > 192.168.1.63.4523: P 193:241(48) ack 240 win 2576 <nop,nop,timestamp 8378089 344914>
17:08:21.345068 IP 192.168.1.63.4523 > 192.168.1.35.22: . ack 241 win 12560 <nop,nop,timestamp 344914 8378089>
17:08:28.155898 IP 192.168.1.63.4523 > 192.168.1.35.22: P 240:288(48) ack 241 win 12560 <nop,nop,timestamp 345595 8378089>
17:08:28.156162 IP 192.168.1.35.22 > 192.168.1.63.4523: P 241:289(48) ack 288 win 2576 <nop,nop,timestamp 8378770 345595>
17:08:28.156181 IP 192.168.1.63.4523 > 192.168.1.35.22: . ack 289 win 12560 <nop,nop,timestamp 345595 8378770>
17:08:28.963698 IP 192.168.1.63.4523 > 192.168.1.35.22: P 288:336(48) ack 289 win 12560 <nop,nop,timestamp 345676 8378770>
17:08:28.963903 IP 192.168.1.35.22 > 192.168.1.63.4523: P 289:337(48) ack 336 win 2576 <nop,nop,timestamp 8378851 345676>
17:08:28.963919 IP 192.168.1.63.4523 > 192.168.1.35.22: . ack 337 win 12560 <nop,nop,timestamp 345676 8378851>
17:08:28.965186 IP 192.168.1.35.22 > 192.168.1.63.4523: P 337:433(96) ack 336 win 2576 <nop,nop,timestamp 8378851 345676>
17:08:28.965200 IP 192.168.1.63.4523 > 192.168.1.35.22: . ack 433 win 12560 <nop,nop,timestamp 345676 8378851>
17:08:28.970557 arp who-has 192.168.1.1 tell 192.168.1.35
17:08:29.970493 arp who-has 192.168.1.1 tell 192.168.1.35
17:08:30.970439 arp who-has 192.168.1.1 tell 192.168.1.35
17:08:31.970577 IP 192.168.1.35.22 > 192.168.1.63.4523: P 433:657(224) ack 336 win 2576 <nop,nop,timestamp 8379152 345676>
17:08:31.970595 IP 192.168.1.63.4523 > 192.168.1.35.22: . ack 657 win 12560 <nop,nop,timestamp 345977 8379152>
17:08:31.980384 arp who-has 192.168.1.1 tell 192.168.1.35
17:08:32.980326 arp who-has 192.168.1.1 tell 192.168.1.35
17:08:33.980268 arp who-has 192.168.1.1 tell 192.168.1.35
17:08:34.980354 IP 192.168.1.35.22 > 192.168.1.63.4523: P 657:881(224) ack 336 win 2576 <nop,nop,timestamp 8379453 345977>
17:08:34.980366 IP 192.168.1.63.4523 > 192.168.1.35.22: . ack 881 win 12560 <nop,nop,timestamp 346278 8379453>
17:08:35.980159 arp who-has 192.168.1.1 tell 192.168.1.35
17:08:36.980101 arp who-has 192.168.1.1 tell 192.168.1.35
17:08:37.980041 arp who-has 192.168.1.1 tell 192.168.1.35
17:08:38.980127 IP 192.168.1.35.22 > 192.168.1.63.4523: P 881:1105(224) ack 336 win 2576 <nop,nop,timestamp 8379853 346278>
17:08:38.980139 IP 192.168.1.63.4523 > 192.168.1.35.22: . ack 1105 win 12560 <nop,nop,timestamp 346678 8379853>
17:08:39.979934 arp who-has 192.168.1.1 tell 192.168.1.35
17:08:40.979875 arp who-has 192.168.1.1 tell 192.168.1.35
17:08:41.979818 arp who-has 192.168.1.1 tell 192.168.1.35
17:08:42.979903 IP 192.168.1.35.22 > 192.168.1.63.4523: P 1105:1329(224) ack 336 win 2576 <nop,nop,timestamp 8380253 346678>
17:08:42.979915 IP 192.168.1.63.4523 > 192.168.1.35.22: . ack 1329 win 12560 <nop,nop,timestamp 347078 8380253>
17:08:43.262190 IP 192.168.1.63.4523 > 192.168.1.35.22: P 336:384(48) ack 1329 win 12560 <nop,nop,timestamp 347106 8380253>
17:08:43.262517 IP 192.168.1.35.22 > 192.168.1.63.4523: P 1329:1505(176) ack 384 win 2576 <nop,nop,timestamp 8380281 347106>
17:08:43.262534 IP 192.168.1.63.4523 > 192.168.1.35.22: . ack 1505 win 12560 <nop,nop,timestamp 347106 8380281>
17:08:43.262876 IP 192.168.1.35.22 > 192.168.1.63.4523: P 1505:1569(64) ack 384 win 2576 <nop,nop,timestamp 8380281 347106>
17:08:43.262890 IP 192.168.1.63.4523 > 192.168.1.35.22: . ack 1569 win 12560 <nop,nop,timestamp 347106 8380281>
17:08:43.262949 IP 192.168.1.35.22 > 192.168.1.63.4523: P 1569:1649(80) ack 384 win 2576 <nop,nop,timestamp 8380281 347106>
17:08:43.262953 IP 192.168.1.63.4523 > 192.168.1.35.22: . ack 1649 win 12560 <nop,nop,timestamp 347106 8380281>
17:08:58.895563 IP 192.168.1.63.4523 > 192.168.1.35.22: P 384:432(48) ack 1649 win 12560 <nop,nop,timestamp 348670 8380281>
17:08:58.895823 IP 192.168.1.35.22 > 192.168.1.63.4523: P 1649:1713(64) ack 432 win 2576 <nop,nop,timestamp 8381844 348670>
17:08:58.895841 IP 192.168.1.63.4523 > 192.168.1.35.22: . ack 1713 win 12560 <nop,nop,timestamp 348670 8381844>
17:08:59.199870 IP 192.168.1.63.4523 > 192.168.1.35.22: P 432:480(48) ack 1713 win 12560 <nop,nop,timestamp 348700 8381844>
17:08:59.200059 IP 192.168.1.35.22 > 192.168.1.63.4523: P 1713:1761(48) ack 480 win 2576 <nop,nop,timestamp 8381875 348700>
17:08:59.200076 IP 192.168.1.63.4523 > 192.168.1.35.22: . ack 1761 win 12560 <nop,nop,timestamp 348700 8381875>
17:08:59.201313 IP 192.168.1.35.22 > 192.168.1.63.4523: P 1761:1857(96) ack 480 win 2576 <nop,nop,timestamp 8381875 348700>
17:08:59.201328 IP 192.168.1.63.4523 > 192.168.1.35.22: . ack 1857 win 12560 <nop,nop,timestamp 348700 8381875>
17:08:59.208858 arp who-has 192.168.1.1 tell 192.168.1.35
17:09:00.208794 arp who-has 192.168.1.1 tell 192.168.1.35
17:09:01.208738 arp who-has 192.168.1.1 tell 192.168.1.35
17:09:02.208866 IP 192.168.1.35.22 > 192.168.1.63.4523: P 1857:2081(224) ack 480 win 2576 <nop,nop,timestamp 8382176 348700>
17:09:02.208889 IP 192.168.1.63.4523 > 192.168.1.35.22: . ack 2081 win 12560 <nop,nop,timestamp 349001 8382176>
17:09:02.218686 arp who-has 192.168.1.1 tell 192.168.1.35
17:09:03.218628 arp who-has 192.168.1.1 tell 192.168.1.35
17:09:04.218566 arp who-has 192.168.1.1 tell 192.168.1.35
17:09:05.218649 IP 192.168.1.35.22 > 192.168.1.63.4523: P 2081:2305(224) ack 480 win 2576 <nop,nop,timestamp 8382477 349001>
17:09:05.218663 IP 192.168.1.63.4523 > 192.168.1.35.22: . ack 2305 win 12560 <nop,nop,timestamp 349302 8382477>
17:09:06.218461 arp who-has 192.168.1.1 tell 192.168.1.35
17:09:07.218401 arp who-has 192.168.1.1 tell 192.168.1.35
17:09:08.218342 arp who-has 192.168.1.1 tell 192.168.1.35
17:09:09.218428 IP 192.168.1.35.22 > 192.168.1.63.4523: P 2305:2529(224) ack 480 win 2576 <nop,nop,timestamp 8382877 349302>
17:09:09.218444 IP 192.168.1.63.4523 > 192.168.1.35.22: . ack 2529 win 12560 <nop,nop,timestamp 349702 8382877>
17:09:09.234324 IP 192.168.1.63.4523 > 192.168.1.35.22: P 480:528(48) ack 2529 win 12560 <nop,nop,timestamp 349703 8382877>
17:09:09.234953 IP 192.168.1.35.22 > 192.168.1.63.4523: P 2529:2721(192) ack 528 win 2576 <nop,nop,timestamp 8382878 349703>
17:09:09.234978 IP 192.168.1.35.22 > 192.168.1.63.4523: P 2721:2801(80) ack 528 win 2576 <nop,nop,timestamp 8382878 349703>
17:09:09.235104 IP 192.168.1.63.4523 > 192.168.1.35.22: . ack 2801 win 12560 <nop,nop,timestamp 349704 8382878>
17:09:21.205474 IP 192.168.1.63.4523 > 192.168.1.35.22: P 528:592(64) ack 2801 win 12560 <nop,nop,timestamp 350901 8382878>
17:09:21.205742 IP 192.168.1.35.22 > 192.168.1.63.4523: P 2801:2881(80) ack 592 win 2576 <nop,nop,timestamp 8384075 350901>
17:09:21.244142 IP 192.168.1.63.4523 > 192.168.1.35.22: . ack 2881 win 12560 <nop,nop,timestamp 350905 8384075>
```

192.168.1.63 is the machine having the internal IP. 192.168.1.35 is a PC in the subnet. 192.168.1.1 is the gw.

And it's very weird that all the machines in my subnet can't ping through the gw???

----------

## moocha

Try this to filter all the SSH packets and the ARP noise:

```
tcpdump -n -i eth1 net 192.168.1.0/24 and port not 22 and not arp
```

Also, please ping for example google.com by IP instead of by hostname, to rule out DNS issues:

```
ping 64.233.167.99
```

----------

## wcw

I switched from Redhat to Gentoo and now I have a new problem.

When I execute your script, some errors occur:

```
.........
.........
# iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables: No chain/target/match by that name
```

And I changed the line

```
MY_EXTERNAL_IP=$(ip a show dev ${MY_EXTERNAL_INTERFACE}|grep 'inet.*scope global'|head -n1|awk '{ print $2 }'|cut -d/ -f1)
```

to 

```
MY_EXTERNAL_IP=202.114.10.134
```

That is my real IP, because an error appeared:

```
-bash: ip: command not found
```

Thank you!

----------

## moocha

*wcw wrote:*

> I switched from Redhat to Gentoo and now I have a new problem.
> 
> When I execute your script, some errors occur:
> 
> ```
> ...
> ```

That means you didn't include connection tracking support in the kernel. You should. It won't work properly without it.

*wcw wrote:*

> And I changed the line
> 
> ```
> MY_EXTERNAL_IP=$(ip a show dev ${MY_EXTERNAL_INTERFACE}|grep 'inet.*scope global'|head -n1|awk '{ print $2 }'|cut -d/ -f1)
> ...
> ```

That means you didn't read what I wrote above about emerging the iproute2 package or uncommenting the line provided expressly for this purpose...

Please make sure to read the iptables tutorial to which I linked above. Otherwise, even if it works, all you'd be doing is enter some magic commands without understanding their meaning or purpose, and then when you need to change something you won't know what to do and/or things will break.

----------

## wcw

*moocha wrote:*

> That means you didn't include connection tracking support in the kernel. You should. It won't work properly without it.

Do you mean this option:

```
# grep CONFIG_IP_NF_CONNTRACK /usr/src/linux/.config
CONFIG_IP_NF_CONNTRACK_SUPPORT=y
CONFIG_IP_NF_CONNTRACK=y
# CONFIG_IP_NF_CONNTRACK_MARK is not set
# CONFIG_IP_NF_CONNTRACK_EVENTS is not set
```

And 

```
CONFIG_IP_NF_CONNTRACK - This module is needed to make connection tracking.
```

This is what iptables-tutorial says.

And the CONFIG_IP_NF_NAT option is also marked.

*moocha wrote:*

> Please make sure to read the iptables tutorial to which I linked above. Otherwise, even if it works, all you'd be doing is enter some magic commands without understanding their meaning or purpose, and then when you need to change something you won't know what to do and/or things will break.

Thank you for your advice. I have read part of it.

----------

## gsoe

You also need the state module: CONFIG_NETFILTER_XT_MATCH_STATE=m. You find it under Netfilter Xtables support:

```
Symbol: NETFILTER_XT_MATCH_CONNTRACK [=n]
   Prompt: "conntrack" connection tracking match support
     Defined at net/netfilter/Kconfig:418
     Depends on: NET && INET && NETFILTER && NETFILTER_XTABLES && (IP_NF_CONNTRACK || NF_CONNTRACK)
     Location:
       -> Networking
         -> Networking support (NET [=y])
           -> Networking options
             -> Network packet filtering framework (Netfilter) (NETFILTER [=y])
               -> Core Netfilter Configuration
                 -> Netfilter Xtables support (required for ip_tables) (NETFILTER_XTABLES [=y])
```

----------

## wcw

Thanks gsoe! I added CONFIG_NETFILTER_XT_MATCH_STATE and it works!

To moocha:

```
Gentoo-Server ~ # tcpdump -n -i eth1 net 192.168.1.0/24 and port not 22 and not arp
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth1, link-type EN10MB (Ethernet), capture size 96 bytes
22:39:56.522267 IP 192.168.1.46.137 > 192.168.1.255.137: UDP, length 50
22:39:57.271667 IP 192.168.1.46.137 > 192.168.1.255.137: UDP, length 50
22:39:57.553211 IP 192.168.1.46.138 > 192.168.1.255.138: UDP, length 201
```

192.168.1.46 is another machine of mine, which is running Windows.

And 

```
Gentoo-f304-1-8 ~ # ping 64.233.167.99
PING 64.233.167.99 (64.233.167.99) 56(84) bytes of data.
From 192.168.1.35 icmp_seq=1 Destination Host Unreachable
From 192.168.1.35 icmp_seq=2 Destination Host Unreachable
From 192.168.1.35 icmp_seq=3 Destination Host Unreachable
From 192.168.1.35 icmp_seq=5 Destination Host Unreachable
From 192.168.1.35 icmp_seq=6 Destination Host Unreachable
From 192.168.1.35 icmp_seq=7 Destination Host Unreachable
From 192.168.1.35 icmp_seq=9 Destination Host Unreachable
From 192.168.1.35 icmp_seq=10 Destination Host Unreachable
.........
```

I also tried to replace your last command with "iptables --table nat -A POSTROUTING -s 192.168.1.0/24 -j MASQUERADE". But the result is all the same.

----------

## moocha

*wcw wrote:*

> Thanks gsoe! I added CONFIG_NETFILTER_XT_MATCH_STATE and it works!
> 
> To moocha:
> 
> ```
> ...
> ```

That shows that the client computer doesn't even try to send ICMP packets to outside your network - the problem isn't the script (it's fine), the problem is at the client end. The UDP traffic you're seeing is Windows file sharing name resolution.

*wcw wrote:*

> And 
> 
> ```
> Gentoo-f304-1-8 ~ # ping 64.233.167.99
> ...
> ```

That clearly shows that your client computer doesn't have a default gateway configured. If you're using DHCP to configure the client interfaces, don't forget to push

```
option routers 192.168.1.1;
```

to the clients. If you're not using DHCP (i.e. if you're using static IPs), then don't forget to configure 192.168.1.1 as the default gateway.

----------

## wcw

Now I have fixed the gw problem, and the output of tcpdump is as below:

```
# tcpdump -n -i eth1 net 192.168.1.0/24 and port not 22 and not arp
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth1, link-type EN10MB (Ethernet), capture size 96 bytes
10:01:08.214160 IP 192.168.1.35 > 66.249.89.99: ICMP echo request, id 35391, seq 599, length 64
10:01:09.214014 IP 192.168.1.35 > 66.249.89.99: ICMP echo request, id 35391, seq 600, length 64
10:01:10.213899 IP 192.168.1.35 > 66.249.89.99: ICMP echo request, id 35391, seq 601, length 64
10:01:11.213792 IP 192.168.1.35 > 66.249.89.99: ICMP echo request, id 35391, seq 602, length 64
10:01:12.213676 IP 192.168.1.35 > 66.249.89.99: ICMP echo request, id 35391, seq 603, length 64

5 packets captured
5 packets received by filter
0 packets dropped by kernel
```

```
# tcpdump -n -i eth0 net 202.114.10.134 and port not 22
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 96 bytes
```

Does it mean that eth1 receives the request but doesn't forward it?

----------
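The thread diagnoses the router with two captures taken while a client pings an external host by IP: one on the inside interface, one on the outside. As an added example that is not code from the thread or from any of its participants, the script below turns that reasoning into a repeatable check. The captures it reads are constructed in the format tcpdump prints in the thread (the client address, target, and external IP match the posts); `echo_requests`, `in_prefix` and `diagnose` are names chosen for this example, and the verdict codes are invented labels.

```shell
#!/bin/sh
# Added example, not code from the thread: the two-capture test used in the
# thread (tcpdump on the inside and on the outside interface while a client
# pings an external host by IP) as a repeatable check. The captures below are
# constructed in the format tcpdump prints in the thread; LAN prefix and
# external address are parameters (the values used here match the thread).

# Constructed inside-interface capture: the client's echo requests reach the router.
INSIDE_CAP='10:01:08.214160 IP 192.168.1.35 > 66.249.89.99: ICMP echo request, id 35391, seq 599, length 64
10:01:09.214014 IP 192.168.1.35 > 66.249.89.99: ICMP echo request, id 35391, seq 600, length 64'

# Constructed outside-interface captures for three router states.
OUTSIDE_EMPTY=''
OUTSIDE_UNNATTED='10:01:08.214300 IP 192.168.1.35 > 66.249.89.99: ICMP echo request, id 35391, seq 599, length 64'
OUTSIDE_NATTED='10:01:08.214300 IP 202.114.10.134 > 66.249.89.99: ICMP echo request, id 35391, seq 599, length 64
10:01:08.250000 IP 66.249.89.99 > 202.114.10.134: ICMP echo reply, id 35391, seq 599, length 64'

# echo_requests CAPTURE -> source address of each ICMP echo request, one per line
echo_requests() {
    printf '%s\n' "$1" | awk '/ICMP echo request/ { print $3 }'
}

# in_prefix ADDR NET/PLEN -> true when ADDR falls inside the prefix (32-bit integer compare)
in_prefix() {
    awk -v ip="$1" -v net="$2" '
        function n(a, o) { split(a, o, "."); return ((o[1] * 256 + o[2]) * 256 + o[3]) * 256 + o[4] }
        BEGIN { split(net, p, "/"); s = 2 ^ (32 - p[2]); exit !(int(n(ip) / s) == int(n(p[1]) / s)) }'
}

# diagnose INSIDE_CAP OUTSIDE_CAP LAN EXT_IP -> "CODE: explanation", following the
# reasoning moocha and wcw apply in the thread (codes are labels chosen here).
diagnose() {
    lan=$3; ext_ip=$4
    inside=$(echo_requests "$1" | head -n 1)
    outside=$(echo_requests "$2" | head -n 1)
    if [ -z "$inside" ]; then
        echo "CLIENT_NO_ROUTE: no echo request reached the inside interface; check the client's default gateway"
    elif [ -z "$outside" ]; then
        echo "FORWARD_OFF: requests arrive on the inside interface but none leave; check ip_forward and the FORWARD chain"
    elif in_prefix "$outside" "$lan"; then
        echo "SNAT_MISSING: requests leave with private source $outside; add SNAT/MASQUERADE in nat POSTROUTING"
    elif [ "$outside" = "$ext_ip" ]; then
        echo "NAT_OK: requests leave as $ext_ip; the router is fine, look at the upstream or the target"
    else
        echo "UNEXPECTED: requests leave with source $outside, which is neither in $lan nor $ext_ip"
    fi
}

# Usage when run directly: evaluate the three constructed outside captures.
for cap in "$OUTSIDE_EMPTY" "$OUTSIDE_UNNATTED" "$OUTSIDE_NATTED"; do
    diagnose "$INSIDE_CAP" "$cap" 192.168.1.0/24 202.114.10.134
done
```

On a real router, replace the constructed strings with `tcpdump -n -i eth1 ...` and `tcpdump -n -i eth0 ...` output captured during the same ping; the ordering of the checks matters, since an empty outside capture (forwarding off, or FORWARD dropping) must be recognised before the source address is inspected.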

## wcw

Oh, God! I think I found the point now! I have to enable forwarding by "echo 1 > /proc/sys/net/ipv4/ip_forward".

Now the PCs in my subnet can connect to the Internet!

Thank you all, guys! I have learned a lot!

----------

## moocha

Oh, I should have thought to mention that...

Anyhow, I'm glad to hear it's working properly now. Have fun!

----------

