View Full Version : Gateway won't let client out

02-01-2006, 01:37 PM
hey guys,

got my dialup connection working right, but now I can't gateway to it from my main box.

The gateway box is a fc3 console, and the main box is an opensuse 10 desktop.

Routing tables are as follows:

fc3 gateway box ( * UG ppp0 * U eth0 * U eth0 UH ppp0

os10 main box ( UH eth0 U eth0 U eth0 U lo UG eth0

domain: site

Can ping everything locally, can ping externally from gateway but can't ping externally from desktop box... => => => =X

ipforwarding is enabled in /etc/sysctl.conf
eth0 is set to trusted device in system-config-securitylevel

Anyone know whats going on?


02-01-2006, 03:56 PM
umm... help?

02-01-2006, 06:51 PM
What are your iptables rules?

Do a search by my name, i posted a short .sh script you can run which will FWD the connections for you... I believe it was in reply to Personthingy's post... Have a look through my history anyways :)

03-01-2006, 03:45 PM
can't find it anywhere dude...

neither the vbulletin or google search finds it...

and you have a ****eload of posts....

04-01-2006, 01:18 PM
nevermind... on the right track now :D


05-01-2006, 08:57 AM
For future reference to anyone:
Save this as a script or run the commands by hand.


# Block all traffic by default
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP

# Allow all traffic on eth0
iptables -A INPUT -i etho -j ACCEPT
iptables -A OUTPUT -o eth0 -j ACCEPT
iptables -A FORWARD -i eth0 -j ACCEPT
iptables -A FORWARD -o eth0 -j ACCEPT

# Allow the server to route packets externally (activate NAT)
iptables -t nat -A POSTROUTING -o ppp0 -j MASQUERADE

# Allow http and https
iptables -A INPUT -p tcp -m tcp --sport 80 -j ACCEPT
iptables -A OUTPUT -p tcp -m tcp --dport 80 -j ACCEPT
iptables -A INPUT -p tcp -m tcp --sport 443 -j ACCEPT
iptables -A OUTPUT -p tcp -m tcp --dport 443 -j ACCEPT

# Save settings to file
service iptables save

If you want to allow other services such as pop3 (port 110), smtp (25), and ftp (21) you'll have to add sport and dport like the others are with their respective ports.

service iptables save will only work with fedora core (and redhat?) that i've seen. I think the generic command would be /etc/init.d/iptables save.

hope this helps someone.

05-01-2006, 09:12 AM
My debian router doesn't need to masquerade because it's behind an ADSL modem, which itself provides NAT functionality. Hence I only need it to a) block all ports and b) forward ones I like.

So if you want to forward ports, use this syntax:

iptables -t nat -A PREROUTING -p tcp -i eth1 --dport 49995:50000 -j DNAT --to Here I have forwarded all incoming traffic on ports in the range 49995 to 50000 from interface eth1 (internet side) to local machine's corresponding ports.

05-01-2006, 12:28 PM
Not using stateful capabilities of iptables? Tsk tsk...

05-01-2006, 01:23 PM
stateful capabilities? i think i touched on that but it looked very complicated... will look again soon...