# NAT Issues

## Kilian

Alright... after reading endless stacks of HOWTOs, searching these forums, every other Linux networking forum I can find, and Google until my eyeballs are ready to fall out, I'm at a complete loss. It's not a difficult problem. All I want is for my Gentoo box to function as a gateway.

I have two NICs, eth1 points to the internet, eth0 to the inside. Both are static IPs and run flawlessly. All computers on the LAN can ping eth0, and the gateway can see the internet. Nothing on the inside can see the internet.

I have the following run on startup:

```
# LAN (eth0) -> Internet (eth1): traffic from the inside network to anywhere else
iptables -t filter -A FORWARD -i eth0 -o eth1 -s 192.168.0.0/24 ! -d 192.168.0.0/24 -j ACCEPT

# Internet (eth1) -> LAN (eth0): traffic from outside addressed to the inside network
iptables -t filter -A FORWARD -i eth1 -o eth0 ! -s 192.168.0.0/24 -d 192.168.0.0/24 -j ACCEPT

# Anything else that would be forwarded is dropped
iptables -t filter -A FORWARD -j DROP

# Rewrite the source of outbound LAN traffic to the static public address
# (negation goes before the option: "! -d", not "-d !")
iptables -t nat -A POSTROUTING -s 192.168.0.0/24 ! -d 192.168.0.0/24 -j SNAT --to-source 24.244.4.1

# Enable IP forwarding in the kernel
echo 1 >/proc/sys/net/ipv4/ip_forward
```

I'm stumped. If anyone can help me figure this out, or point me at some obscure resource I may have missed, I'd be very grateful.

----------

## Nitro

Try:

```
iptables -t nat -A POSTROUTING -o eth1 -j MASQUERADE
```

That will turn on basic NAT. I suggest you drop that other POSTROUTING rule too. While you are setting up your firewall, it might be easiest to leave your FORWARD policy at ACCEPT; then you won't need the first two rules either, until you lock everything down. Example:

```
iptables -P FORWARD ACCEPT
```

----------

## Kilian

I was feeling quite hopeful from your response that perhaps I had simply over-complicated things. Tried your suggestion. Begged, pleaded, and prayed. It still doesn't work. I can't come up with any logical reason for it not to work, and I've run out of places to check for problems. If anyone can shed some light on this, I'd be ecstatic.

----------

## Ozymandias

Just don't do the REJECT and DROP things just yet; make sure it works first, then make the firewall really fire-walling.

So do:

```
iptables -F
iptables -t nat -F
iptables -P INPUT ACCEPT
iptables -P OUTPUT ACCEPT
iptables -P FORWARD ACCEPT
```

Then do the masquerade thing: if you have a dynamic IP on the internet side, use `-j MASQUERADE`, otherwise use `-j SNAT --to-source`.

greetz Ozy

----------

## hamletmun

HOWTO - Make your Internet Connection Sharing work

From ISP to GENTOO - (eth0: DHCP or static IP)

From GENTOO to WINDOWS - (eth1: 192.168.0.1)

1. Load the NAT module:

```
modprobe iptable_nat
```

2. Enable IP forwarding:

```
echo 1 >/proc/sys/net/ipv4/ip_forward
```

3. Flush the rules, open the policies and turn on masquerading:

```
iptables -F
iptables -t nat -F
iptables -P INPUT ACCEPT
iptables -P OUTPUT ACCEPT
iptables -P FORWARD ACCEPT
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
```

(if your Linux uses eth0 to connect to your ISP)

4. In the Windows machine:

192.168.0.1 as the gateway

the numbers from your /etc/resolv.conf as DNS servers

----------
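The procedure the replies above describe (enable forwarding, forward LAN traffic out, masquerade or SNAT on the WAN side) as an added example that is not code from the thread. It uses Kilian's layout (eth1 to the internet, eth0 to the 192.168.0.0/24 LAN, 24.244.4.1 as the static public address), keeps the FORWARD policy at DROP but only lets reply traffic back in, and picks SNAT when a static WAN address is given and MASQUERADE otherwise; the `APPLY` variable and the `run`/`nat_gateway` function names are this example's own invention.

```shell
#!/bin/sh
# Minimal stateful NAT gateway builder (added example, not from the thread).
# Prints each command; set APPLY=1 and run as root to execute them as well.
run() {
    echo "$*"
    [ "${APPLY:-0}" = 1 ] && "$@"
    return 0
}

# Usage: nat_gateway WAN_IF LAN_IF LAN_NET [STATIC_WAN_IP]
nat_gateway() {
    wan=$1 lan=$2 lannet=$3 wanip=$4
    if [ -z "$wan" ] || [ -z "$lan" ] || [ -z "$lannet" ]; then
        echo "usage: nat_gateway WAN_IF LAN_IF LAN_NET [STATIC_WAN_IP]" >&2
        return 2
    fi
    # Kernel must forward between interfaces at all
    run sysctl -w net.ipv4.ip_forward=1
    # Default: forward nothing
    run iptables -P FORWARD DROP
    # LAN -> Internet: in on the LAN interface, out on the WAN interface
    run iptables -A FORWARD -i "$lan" -o "$wan" -s "$lannet" -j ACCEPT
    # Internet -> LAN: only packets belonging to connections the LAN opened
    run iptables -A FORWARD -i "$wan" -o "$lan" -d "$lannet" \
        -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    # Source NAT on the way out: SNAT for a fixed address, MASQUERADE for dynamic
    if [ -n "$wanip" ]; then
        run iptables -t nat -A POSTROUTING -o "$wan" -s "$lannet" \
            -j SNAT --to-source "$wanip"
    else
        run iptables -t nat -A POSTROUTING -o "$wan" -s "$lannet" -j MASQUERADE
    fi
}

# Dry run with the addresses from this thread (no APPLY, so nothing is changed)
nat_gateway eth1 eth0 192.168.0.0/24 24.244.4.1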

## Kilian

After several more hours of tinkering, I finally discovered the problem was not with my NAT policies at all, but with my DHCP configuration. Once I got that resolved, everything worked fine with my original script. Thanks for all the help.

----------

