# Can't ping the internet from inside my home network

## bassvandijk

I have a PC and two laptops. The PC has two NICs:

eth0 is connected to my cable modem and uses dhcp.

eth1 is connected to my internal network switch and has a static ip 10.0.0.1

The laptops are both connected to the switch.

/etc/conf.d/net (on the PC)

```
iface_eth0="dhcp"
dhcpcd_eth0="-N -h CP179741-A"
iface_eth1="10.0.0.1 broadcast 10.0.0.255 netmask 255.255.255.0"
```

ifconfig (on the PC)

```
eth0      Link encap:Ethernet  HWaddr 00:50:BF:E3:37:89
          inet addr:217.120.75.58  Bcast:217.120.75.255  Mask:255.255.254.0
          UP BROADCAST NOTRAILERS RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:6587 errors:0 dropped:0 overruns:0 frame:0
          TX packets:6551 errors:0 dropped:0 overruns:0 carrier:0
          collisions:31 txqueuelen:100
          RX bytes:6305555 (6.0 Mb)  TX bytes:888163 (867.3 Kb)
          Interrupt:10 Base address:0xb000

eth1      Link encap:Ethernet  HWaddr 00:50:BF:32:A0:90
          inet addr:10.0.0.1  Bcast:10.0.0.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:130837 errors:0 dropped:0 overruns:0 frame:0
          TX packets:143650 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:100
          RX bytes:23946660 (22.8 Mb)  TX bytes:92353720 (88.0 Mb)
          Interrupt:11 Base address:0xd000

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:222474 errors:0 dropped:0 overruns:0 frame:0
          TX packets:222474 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:95778552 (91.3 Mb)  TX bytes:95778552 (91.3 Mb)
```

I have dhcpd running on the PC so the laptops get dynamically configured.

/etc/dhcp/dhcp.conf

```
ddns-update-style ad-hoc;
option domain-name "vandijklan.org";

subnet 10.0.0.0 netmask 255.255.255.0
{
        range 10.0.0.2 10.0.0.10;
        option subnet-mask              255.255.255.0;
        option broadcast-address        10.0.0.255;
        option domain-name-servers      10.0.0.1;
        option routers                  10.0.0.1;
        option ip-forwarding            on;
}
```

The PC can ping to the internet and to the laptops. 

But the laptops can only ping each other and the PC, not the internet.

Does this have something to do with the routing tables on the PC and laptops?

route -n (on the PC)

```
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
10.0.0.0        0.0.0.0         255.255.255.0   U     0      0        0 eth1
217.120.74.0    0.0.0.0         255.255.254.0   U     0      0        0 eth0
127.0.0.0       127.0.0.1       255.0.0.0       UG    0      0        0 lo
0.0.0.0         217.120.74.1    0.0.0.0         UG    0      0        0 eth0
```

route -n (on the laptops)

```
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
10.0.0.0        0.0.0.0         255.255.255.0   U     0      0        0 eth0
127.0.0.0       127.0.0.1       255.0.0.0       UG    0      0        0 lo
0.0.0.0         10.0.0.1        0.0.0.0         UG    0      0        0 eth0
```

----------

## Salgar

First of all you could try to ping 216.239.59.99 and then www.google.de.

If the first thing works, the laptops have a problem resolving DNS names.

If nothing works, maybe you have forgotten to enable IP forwarding on your PC.

[edit]

Try

```
more /proc/sys/net/ipv4/ip_forward
```

on your PC, it should say 1

[/edit]

----------

## bmichaelsen

From the Linux 2.4 NAT HOWTO, section 4.1:

```
# Load the NAT module (this pulls in all the others).
modprobe iptable_nat

# In the NAT table (-t nat), Append a rule (-A) after routing
# (POSTROUTING) for all packets going out ppp0 (-o ppp0) which says to
# MASQUERADE the connection (-j MASQUERADE).
iptables -t nat -A POSTROUTING -o ppp0 -j MASQUERADE

# Turn on IP forwarding
echo 1 > /proc/sys/net/ipv4/ip_forward
```

You need NAT and forwarding on the box.

----------

## ozonator

Indeed, NAT and forwarding should do the trick.  You'll need to emerge iptables, and have netfilter support in your kernel.  In addition to the items in the previous post, appropriate forwarding rules would be:

```
# Allow connections OUT and only existing and related ones IN
iptables -A FORWARD -i eth0 -o eth1 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i eth1 -o eth0 -j ACCEPT
```

As for loading the modules, in my experience, iptables will load needed modules for you, if needed, when you issue an iptables command.

----------

## bassvandijk

OK, I added the rules:

```
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
iptables -A FORWARD -i eth0 -o eth1 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i eth1 -o eth0 -j ACCEPT
```

Now I can ping from my internal network to the internet! Thx guys!

----------

## digital diesel

I have a nearly identical network, so I followed your example almost exactly (except for the domain name, basically), and I cannot get DHCP to assign IP addresses to the clients, nor can I route anything outside of the network.

The only command I can't run is:

```
seattle root # iptables -A FORWARD -i eth0 -o eth1 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables: No chain/target/match by that name
seattle root #
```

My /etc/dhcp/dhcpd.conf:

```
ddns-update-style ad-hoc;
option domain-name "altf8.net";

subnet 10.0.0.0 netmask 255.255.255.0
{
        range 10.0.0.2 10.0.0.255;
                option subnet-mask              255.255.255.0;
                option broadcast-address        10.0.0.255;
                option domain-name-servers      10.0.0.1;
                option routers                  10.0.0.1;
                option ip-forwarding            on;
}
```

My /etc/conf.d/dhcp

```
seattle root # cat /etc/conf.d/dhcp
# Copyright 1999-2002 Gentoo Technologies, Inc.
# Distributed under the terms of the GNU General Public License, v2 or later
# $Header: /home/cvsroot/gentoo-x86/net-misc/dhcp/files/conf.dhcpd,v 1.4 2002/09/03 07:40:14 lostlogic Exp $

#configure which interface or interfaces to for dhcp to listen on
#list all interfaces space separated.
IFACE="eth1"

# Insert any other options needed
DHCPD_OPTS=""
seattle root #
```

My /etc/conf.d/net:

```
seattle root # cat /etc/conf.d/net
iface_eth1="10.0.0.1 broadcast 10.0.0.255 netmask 255.255.255.0"
iface_eth0="dhcp"
seattle root #
```

My installed modules:

```
seattle root # lsmod
Module                  Size  Used by    Not tainted
iptable_filter          1740   1  (autoclean)
ipt_MASQUERADE          1464   2  (autoclean)
8139too                17864   1
iptable_nat            18136   1  [ipt_MASQUERADE]
ip_tables              15136   5  [iptable_filter ipt_MASQUERADE iptable_nat]
ip_conntrack           21992   1  [ipt_MASQUERADE iptable_nat]
seattle root #
```

IPFORWARD:

```
seattle root # cat /proc/sys/net/ipv4/ip_forward
1
seattle root #
```

OK, so I don't have a DNS server set up on 10.0.0.1, but I should be able to get an IP lease on the clients, right?  The clients are correctly set up for DHCP.  I have the DHCP service started on the host SEATTLE.

Also when I statically assign IP addresses to the clients that belong to the network, clients are accessible on the LAN, but they can't ping outside of the network to an IP address.  Something with forwarding, right?  But what?

Thanks for your help

----------

## ozonator

digital diesel, let me deal with the iptables issue here -- looks like your kernel config didn't include the module for connection state matching (shows up as ipt_state in lsmod).  Check your kernel config; what you need is Networking options -> IP: Netfilter configuration -> Connection state match support.

It might be easier to just select most items in there to compile as modules, except for things you know you definitely won't need.  This is just in case you might need them later, if you ever start fiddling with iptables some more, and decide to try some fancier firewalling.

Anyway, once you've got that module available, that iptables command with -m state should work, and traffic should be able to move between your LAN and the outside net.  I hope.

As for dhcp, assuming you're only using the three rules specified in bassvandijk's previous post, you may need to add a firewall rule to explicitly accept dhcp traffic on eth1 as being destined for your dhcp server -- you don't want that forwarded to the outside net, after all. Something like this:

```
iptables -A INPUT -i eth1 -p tcp --sport 68 --dport 67 -j ACCEPT
iptables -A INPUT -i eth1 -p udp --sport 68 --dport 67 -j ACCEPT
```

That's just off the top of my head; you might want to double-check somewhere to make sure that's right for allowing dhcp.  Whatever the rule for dhcp, load this rule before the forwarding rules.  Best of luck!

----------

## digital diesel

that did it!!! thanks

----------
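
The checks worked through in the posts above (ip_forward, the MASQUERADE rule, the two FORWARD rules, and the missing state match), collected into one audit function. This is an added example, not code from any poster; it assumes text captured from `iptables-save`, `lsmod` and `/proc/sys/net/ipv4/ip_forward`, and the finding codes are hypothetical names. It also flags a FORWARD policy of ACCEPT, under which the ACCEPT rules from the thread restrict nothing.

```shell
#!/bin/sh
# Added example: audit a Linux NAT gateway from captured command output.
# audit_gateway WAN LAN IP_FORWARD RULES LSMOD
#   IP_FORWARD = contents of /proc/sys/net/ipv4/ip_forward
#   RULES = output of `iptables-save`, LSMOD = output of `lsmod`
# Prints one "CODE: explanation" line per finding (codes are made up here),
# nothing when all checks pass. Interface names go into regexes as-is.
audit_gateway() {
    wan=$1; lan=$2; fwd=$3; rules=$4; mods=$5
    # iptables-save groups rules under "*table" headers; split them so a
    # FORWARD chain in another table (e.g. mangle) is not read as filter.
    nat=$(printf '%s\n' "$rules" | awk '/^\*/{t=$1} t=="*nat"')
    flt=$(printf '%s\n' "$rules" | awk '/^\*/{t=$1} t=="*filter"')
    # Accept either state order and the newer conntrack spelling.
    state='-m (state --state|conntrack --ctstate) [A-Z,]*ESTABLISHED[A-Z,]*'

    [ "$fwd" = 1 ] ||
        echo "FORWARDING_OFF: ip_forward is not 1, nothing is routed"
    printf '%s\n' "$nat" | grep -Eq -- "^-A POSTROUTING .*-o $wan .*-j (MASQUERADE|SNAT)" ||
        echo "NO_NAT: no MASQUERADE/SNAT rule for traffic leaving $wan"
    printf '%s\n' "$flt" | grep -Eq -- "^-A FORWARD -i $lan -o $wan .*-j ACCEPT" ||
        echo "NO_OUTBOUND: no FORWARD rule accepting $lan -> $wan"
    if ! printf '%s\n' "$flt" | grep -Eq -- "^-A FORWARD -i $wan -o $lan $state .*-j ACCEPT"; then
        echo "NO_RETURN: no stateful FORWARD rule for replies $wan -> $lan"
        # iptables loads the match on demand, so absence is only a hint.
        printf '%s\n' "$mods" | grep -Eq '^(ipt_state|xt_state|xt_conntrack) ' ||
            echo "NO_STATE_MODULE: state match not in lsmod; if the rule is rejected, enable 'Connection state match support'"
    fi
    # With policy ACCEPT the rules above filter nothing: new connections
    # arriving on the WAN side for LAN addresses are forwarded too.
    printf '%s\n' "$flt" | grep -q '^:FORWARD ACCEPT' &&
        echo "POLICY_ACCEPT: FORWARD policy is ACCEPT, set it to DROP (iptables -P FORWARD DROP)"
    return 0
}

# Live use, as root:
# audit_gateway eth0 eth1 "$(cat /proc/sys/net/ipv4/ip_forward)" "$(iptables-save)" "$(lsmod)"
```
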

## KingTaco

Doesn't look like your laptops have a default route.  If you intend to use your desktop as a NAT server, you should do the following on your laptops:

```
# /sbin/route add -net default gw 10.0.0.1 dev eth0
```

This will give you a default route, and you could add it to rc.local or something, so you don't have to type it in every boot.

----------

