# Home Gateway Server - IPTABLES not working

## Hose

I have a server that I'm trying to dedicate as a Home NAS/Router/Gateway. After getting the NAS working, I'm trying to set up the router part of it, and after many Google searches I made several attempts, all of which failed. I suspect that it is my NIC setup, but then again iptables is complex and new to me.

After running "firewall.sh" I point my browser (in the Client) to the Google site http://74.125.19.99 and it fails to connect!!!

Any HELP will be very welcome!!!!

Server:

Qwest DSL modem (2-Wire 2700HG-D) ->  IP: 192.168.0.1

/etc/conf.d/net

```
# External (WAN) Internet
config_eth0=( "192.168.0.2 netmask 255.255.255.0 broadcast 192.168.0.255" )
routes_eth0=( "default via 192.168.0.1" )

# Internal (LAN) Home
config_eth1=( "192.168.1.1 netmask 255.255.255.0 broadcast 192.168.1.255" )
```

/etc/hosts

```
127.0.0.1   me.mydomain.lan me localhost
```

Firewall script

```
#! /bin/sh

#---------------#
# Setup aliases #
#---------------#
export WAN=eth0
export WAN_IP=192.168.0.2
echo "Internet:" ${WAN} "/" ${WAN_IP}

export LAN=eth1
export LAN_IP=192.168.1.1
echo "Internal:" ${LAN} "/" ${LAN_IP}

export IPT=/sbin/iptables

#------------------------------------------------------------------#
# Initialize all the chains by removing all the rules tied to them #
#------------------------------------------------------------------#
${IPT} -F
${IPT} -t nat -F
${IPT} -t mangle -F
${IPT} -X

#---------------------------------#
# Allow packets from loop adapter #
#---------------------------------#
${IPT} -A INPUT -i lo -j ACCEPT
${IPT} -A OUTPUT -o lo -j ACCEPT

#------------------------#
# Allow outgoing traffic #
#------------------------#
${IPT} -A OUTPUT -o ${WAN} -j ACCEPT

#----------------#
# Block spoofing #
#----------------#
# Loopback addresses may only arrive on lo. "! -i lo" is the supported
# spelling of the negation; the older "-i ! lo" form is deprecated.
${IPT} -A INPUT ! -i lo -s 127.0.0.0/8 -j DROP
# Nothing arriving from outside may claim our own WAN address.
${IPT} -A INPUT -s ${WAN_IP} -j DROP

#------------------#
# stop bad packets #
#------------------#
${IPT} -A INPUT -m state --state INVALID -j DROP

#-------------#
# TCP allowed #
#-------------#
# pop3 / smtp
${IPT} -A INPUT -p tcp -m tcp --dport 110 -j ACCEPT
${IPT} -A INPUT -p tcp -m tcp --dport 25 -j ACCEPT
# http / https
${IPT} -A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
${IPT} -A INPUT -p tcp -m tcp --dport 443 -j ACCEPT

#---------------------------------#
# Enable kernel for IP forwarding #
#---------------------------------#
# Note: no FORWARD rules and no nat POSTROUTING (MASQUERADE) rule are
# added here; forwarding relies on the chain's default ACCEPT policy.
echo 1 > /proc/sys/net/ipv4/ip_forward
```

iptables -L

```
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere
DROP       all  --  loopback/8           anywhere
DROP       all  --  192.168.0.2          anywhere
DROP       all  --  anywhere             anywhere            state INVALID
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:pop3
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:smtp
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:http
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:https

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere
```

Client:

/etc/conf.d/net

```
config_eth0=( "192.168.1.10 netmask 255.255.255.0 broadcast 192.168.1.255" )
gateway=( "eth0/192.168.1.1" )
```

----------

## Knute

Your gateway is 192.168.0.1, not 192.168.1.1.

With your current setup, you are telling your web traffic to use your internal network, rather than going through your modem.

----------

## cyrillic

This howto is a little bit old, but I found it very helpful when I was setting up my own home router.

http://www.gentoo.org/doc/en/home-router-howto.xml

----------

## Hose

Knute,

I tried my modem (192.168.0.1) and my internet NIC (192.168.0.2) with the same results. In some of the tutorials that I've read, they mentioned using your server's internal NIC as the route on the clients. Made sense (to me), since iptables would do the route to eth0 and the internet.

cyrillic,

That was where I actually started, not much help there... I also tried:

http://www.linuxhomenetworking.com/wiki/index.php/Quick_HOWTO_:_Ch14_:_Linux_Firewalls_Using_iptables#Introduction

http://www.linux.org/lessons/advanced/x313.html

----------

## Knute

Ok, so what's the output of the route command?

----------

## Hu

If you do not run the firewall script, can the client use the Internet normally?

You may need to add a masquerade rule to that script.

----------
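On Hu's point about a masquerade rule: the posted firewall.sh sets no FORWARD rules and no nat POSTROUTING rule, so a packet from 192.168.1.10 is forwarded to the modem with its LAN source address intact, and unless the modem has a static route for 192.168.1.0/24 the reply has nowhere to go. The script below is an added example, not anything posted in the thread, and shows the rule set a gateway on this topology needs: deny-by-default INPUT and FORWARD policies, connection-tracked FORWARD rules from eth1 to eth0, and the MASQUERADE rule that rewrites LAN sources to the WAN address. Interface names and addresses come from the thread; the `show`/`apply` arguments, the `DRY_RUN` variable, the ssh and ICMP allowances from the LAN, and the rp_filter setting are my assumptions.

```shell
#!/bin/sh
# Added example: NAT gateway rule set for the topology in this thread
# (eth0 = WAN toward the 2-Wire modem, eth1 = LAN). Not the poster's script.
# Usage:  ./firewall.sh show   # print the iptables commands (dry run)
#         ./firewall.sh apply  # load them (needs root)
set -eu

WAN=${WAN:-eth0}
WAN_IP=${WAN_IP:-192.168.0.2}
LAN=${LAN:-eth1}
LAN_NET=${LAN_NET:-192.168.1.0/24}   # assumption: the /24 from the thread
IPT=${IPT:-/sbin/iptables}
DRY_RUN=${DRY_RUN:-0}

# Run a command, or just print it when DRY_RUN=1 so the rule set can be
# reviewed before it is loaded on the gateway.
run() {
    if [ "$DRY_RUN" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

load_rules() {
    # Flush everything and start from deny-by-default policies for traffic
    # addressed to the gateway and traffic routed through it.
    run "$IPT" -F
    run "$IPT" -t nat -F
    run "$IPT" -t mangle -F
    run "$IPT" -X
    run "$IPT" -P INPUT DROP
    run "$IPT" -P FORWARD DROP
    run "$IPT" -P OUTPUT ACCEPT

    # Loopback, plus replies to connections the gateway itself opened.
    run "$IPT" -A INPUT -i lo -j ACCEPT
    run "$IPT" -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    run "$IPT" -A INPUT -m state --state INVALID -j DROP

    # Anti-spoofing: loopback sources only on lo; nothing from the modem side
    # may claim a LAN address or our own WAN address.
    run "$IPT" -A INPUT ! -i lo -s 127.0.0.0/8 -j DROP
    run "$IPT" -A INPUT -i "$WAN" -s "$LAN_NET" -j DROP
    run "$IPT" -A INPUT -i "$WAN" -s "$WAN_IP" -j DROP

    # Services the gateway offers to the LAN only (assumed: ssh and ping).
    run "$IPT" -A INPUT -i "$LAN" -s "$LAN_NET" -p tcp --dport 22 -j ACCEPT
    run "$IPT" -A INPUT -i "$LAN" -s "$LAN_NET" -p icmp -j ACCEPT

    # Routing: LAN -> WAN may open connections; WAN -> LAN only gets replies.
    run "$IPT" -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    run "$IPT" -A FORWARD -m state --state INVALID -j DROP
    run "$IPT" -A FORWARD -i "$LAN" -o "$WAN" -s "$LAN_NET" -j ACCEPT

    # The masquerade rule: rewrite LAN source addresses to the WAN address on
    # the way out, so the modem sees a host it can reply to.
    run "$IPT" -t nat -A POSTROUTING -o "$WAN" -s "$LAN_NET" -j MASQUERADE

    # Kernel forwarding, plus reverse-path filtering to back up the
    # anti-spoofing rules above.
    run sysctl -q -w net.ipv4.ip_forward=1
    run sysctl -q -w net.ipv4.conf.all.rp_filter=1
}

# Dry-run helper for review: returns the rule list as text, applies nothing.
show_rules() {
    ( DRY_RUN=1; load_rules )
}

case "${1:-}" in
    apply) load_rules ;;
    show)  show_rules ;;
esac
```

Run it with `show` first and read the list; the FORWARD chain is what decides which LAN hosts get out, and with its policy at DROP nothing the modem sends can reach the LAN unless conntrack has already seen the outbound side of it.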

## Hose

Server "route"

```
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
192.168.1.0     *               255.255.255.0   U     0      0        0 eth1
192.168.0.0     *               255.255.255.0   U     0      0        0 eth0
loopback        me.domain.      255.0.0.0       UG    0      0        0 lo
default         192.168.0.1     0.0.0.0         UG    3      0        0 eth0
```

Client "route"

```
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
192.168.160.0   *               255.255.255.0   U     0      0        0 vmnet8
192.168.1.0     *               255.255.255.0   U     0      0        0 eth0
172.16.180.0    *               255.255.255.0   U     0      0        0 vmnet1
loopback        me.domain       255.0.0.0       UG    0      0        0 lo
```

----------

## Hose

Hu,

Same result in the client, script or not

----------

## Knute

Ok, if I get this right, you are trying to access the internet from one of your computers on the internal network, right?

What happens if you try to access the internet from your server?

Also, I think that you need to go back and check your IP addresses to make sure that they are consistent.

I see one place (/etc/conf.d/net and your firewall script) where eth0 is 192.168.0.2 and another place (your server route command) where eth0 is showing up as 192.168.0.0.

Now, unless you have eth0 set up for multiple IPs, and I don't think that's the case, this would need to be changed.

Also, your client machine is set up the same way with different IPs for the same interface. /etc/conf.d/net says 192.168.1.10 and route says that it's 192.168.1.0.

And from my understanding the gateway line in /etc/conf.d/net needs to be something to the effect of 

```
gateway_eth0="192.168.1.1"
```

Take a quick peek in your /etc/conf.d/net.example file and it will give you an example.

HTH

----------

## Hose

> Ok, if I get this right, you are trying to access the internet from one of your computers on the internal network, right?

Yes, you are correct!

> What happens if you try to access the internet from your server?

Works fine, including DNS resolution.

> Also, I think that you need to go back and check your IP addresses to make sure that they are consistent. I see one place (/etc/conf.d/net and your firewall script) where eth0 is 192.168.0.2 and another place (your server route command) where eth0 is showing up as 192.168.0.0. Now, unless you have eth0 set up for multiple IPs, and I don't think that's the case, this would need to be changed.

I'm certainly not (consciously) setting up for multi-IP/NIC. I also noticed the "192.168.0.0" in the output of route, but I am being consistent in the static IP addresses I assign in "/etc/conf.d/net" and use in "firewall.sh" on the Server. Where's the "192.168.0.0" coming from????

> And from my understanding the gateway line in /etc/conf.d/net needs to be something to the effect of
>
> ```
> gateway_eth0="192.168.1.1"
> ```

I corrected this (no difference), which I had picked up from https://forums.gentoo.org/viewtopic-t-159133-highlight-fwbuilder.html; however, I tried using the "iface" notation on my system and that did not work at all, it defaulted to DHCP for eth0.

----------

## Hose

Is this just a problem with my routing? Using just my client configuration:

Given a "/etc/conf.d/net":

```
config_eth0=( "192.168.1.10 netmask 255.255.255.0 broadcast 192.168.1.255" )
gateway_eth0=( "192.168.1.1" )
```

And looking at the output of route:

```
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
192.168.1.0     *               255.255.255.0   U     0      0        0 eth0
loopback        my.domain       255.0.0.0       UG    0      0        0 lo
```

Shouldn't the destination for eth0 be "192.168.1.1" from "/etc/conf.d/net"???

----------

## Hose

Well, after googling some more I decided to experiment with the "/etc/conf.d/net" file and I found a working solution:

```
config_eth0=( "192.168.1.10 netmask 255.255.255.0 broadcast 192.168.1.255" )
routes_eth0=( "default gw 192.168.1.1" )
```

This time the "route" command took a few seconds and returned:

```
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
192.168.1.0     *               255.255.255.0   U     0      0        0 eth0
loopback        my.domain       255.0.0.0       UG    0      0        0 lo
default         192.168.1.1     0.0.0.0         UG    2      0        0 eth0
```

Having that "default" route made the difference. However, the "192.168.0.0" still shows up. Could this be a default for each NIC on the system???

Thanks for all the suggestions, they drove me to the solution!!!

----------
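Two things in the last exchange are worth pinning down, as an added example rather than anything from the thread. The "192.168.0.0" line is not a second address on eth0: it is the connected-network route the kernel derives from 192.168.0.2 with netmask 255.255.255.0, and every configured interface gets one (Gateway `*` means on-link delivery, no next hop). What the client was missing was the `default` line, which is exactly what `routes_eth0=( "default gw 192.168.1.1" )` adds; without it the client can only reach 192.168.1.0/24. The script below reads `route` output and separates the two kinds of entry, with the thread's own tables embedded as constructed samples; the function names and the check are mine.

```shell
#!/bin/sh
# Added example (not from the thread): classify the lines of `route` output
# so that connected-network routes (one per interface) are told apart from
# the default route, and a missing default route is reported.
set -eu

# Constructed samples, copied from the tables posted in the thread.
# Client before the fix: only the connected network, no "default" line.
CLIENT_BEFORE='Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
192.168.1.0     *               255.255.255.0   U     0      0        0 eth0
loopback        my.domain       255.0.0.0       UG    0      0        0 lo'

# Client after adding routes_eth0=( "default gw 192.168.1.1" ).
CLIENT_AFTER="$CLIENT_BEFORE
default         192.168.1.1     0.0.0.0         UG    2      0        0 eth0"

# Server: two connected networks (eth0, eth1) plus the default via the modem.
SERVER='Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
192.168.1.0     *               255.255.255.0   U     0      0        0 eth1
192.168.0.0     *               255.255.255.0   U     0      0        0 eth0
loopback        me.domain.      255.0.0.0       UG    0      0        0 lo
default         192.168.0.1     0.0.0.0         UG    3      0        0 eth0'

# Read a route table on stdin; print the default gateway, or nothing.
# Accepts the symbolic form ("default") and the `route -n` form (0.0.0.0).
default_gateway() {
    awk '$1 == "default" || $1 == "0.0.0.0" { print $2 }'
}

# Print "iface network/genmask" for each directly connected network.
# Gateway "*" (or 0.0.0.0 with -n) means on-link delivery, no next hop.
connected_networks() {
    awk 'NF == 8 && $3 ~ /^[0-9.]+$/ && ($2 == "*" || $2 == "0.0.0.0") &&
         $8 != "lo" { print $8, $1 "/" $3 }'
}

# Succeed only if the table on stdin has a default route pointing at $1.
check_default_route() {
    want=$1
    got=$(default_gateway)
    if [ -z "$got" ]; then
        echo "no default route: only the connected networks are reachable" >&2
        return 1
    fi
    if [ "$got" != "$want" ]; then
        echo "default route via $got, expected $want" >&2
        return 1
    fi
    echo "default route via $got"
}
```

On the client, `route | check_default_route 192.168.1.1` should print the default route; on the server, `route | connected_networks` lists one line per NIC, which is the "192.168.0.0" entry asked about above, and `route | default_gateway` should give the modem, 192.168.0.1.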

