Ubuntu 11.10 firewall/gateway - no client internet access

1

I have read many other posts but cannot figure this out.

eth0 is my external connected to a Comcast modem. The server has internet access with no issues.

eth1 is internal and running DHCP for the clients. I have DHCP working just fine, all my clients can get an IP and ping the server but they cannot access the internet.

I am using ISC-DHCP-SERVER and have set /etc/default/isc-dhcp-server to INTERFACE="eht1"

Here is my dhcpd.conf file located in /etc/dhcp/dhcpd.conf

ddns-update-style interim;
ignore client-updates;

subnet 10.0.10.0 netmask 255.255.255.0 {
    range 10.0.10.10 10.0.10.200;
    option routers 10.0.10.2;
    option subnet-mask 255.255.255.0;
    option domain-name-servers 208.67.222.222, 208.67.220.220; # OpenDNS
    # option domain-name "example.com";
    default-lease-time 21600;
    max-lease-time 43200;

    authoritative;
}

I have made the net.ipv4.ip_forward=1 change in /etc/sysctl.conf

Here is my interfaces file:

auto lo
iface lo inet loopback

auto eth0
iface eth0 inet dhcp

auto eth1
iface eth1 inet static
address 10.0.10.2
netmask 255.255.255.0
network 10.0.10.0

And finally, here is my iptables.conf file:

# Firewall configuration written by system-config-firewall
# Manual customization of this file is not recommended.
*nat
:PREROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -s 10.0.10.0/24 -o eth0 -j MASQUERADE
#-A PREROUTING -i eth0 -p tcp --dport 59668 -j DNAT --to-destination 10.0.10.2:59668
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -i eth1 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 443 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 53 -j ACCEPT
-A INPUT -m state --state NEW -m udp -p udp --dport 53 -j ACCEPT
-A FORWARD -s 10.0.10.0/24 -o eth0 -j ACCEPT
-A FORWARD -d 10.0.10.0/24 -m state --state ESTABLISHED,RELATED -i eth0 -j ACCEPT
-A FORWARD -p icmp -j ACCEPT
-A FORWARD -i lo -j ACCEPT
-A FORWARD -i eth1 -j ACCEPT
#-A FORWARD -i eth0 -m state --state NEW -m tcp -p tcp -d 10.0.10.2 --dport 59668 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT

I am completely stuck. I cannot figure out why the clients cannot access the internet. Am I missing a service? Is a service not running? Any help would be greatly appreciated. I tried to be as thorough as possible but please let me know if I have missed something. Thank you!

Siriss

Posted 2011-10-12T22:26:17.320

Reputation: 282

I did it once with Shorewall, wasn't that complicated. This is the main tutorial you want to follow: http://www.shorewall.net/two-interface.htm

– slhck – 2011-10-12T22:32:36.130

This depends a bit on your external modem. Do you know whether the modem is connected in bridge mode or routed mode to the ubuntu box? – Paul – 2011-10-12T22:58:43.633

So I am sorry about the delayed response. I had to leave town unexpectedly. I am working with shorewall right now and I will let you know how it goes... Shorewall seems to be different than iptables... is it really a frontend for it or a separate system? Thanks! – Siriss – 2011-10-17T03:52:08.707

Answers

1

The issue lies in my iptables, although I am not sure where. A clean sweep fixed it, given to me by a gentleman on the Ubuntu forums.

# Remove every existing rule and user chain (filter and nat tables)
iptables --flush
iptables --table nat --flush
iptables --delete-chain
# Loopback traffic in both directions
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
# Stateful rules for traffic to and from the gateway itself
iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT
# Hide the LAN behind the external (eth0) address
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
# Forward anything arriving from the LAN (eth1); replies back into the LAN
# are covered only by the FORWARD chain's default ACCEPT policy
iptables -A FORWARD -i eth1 -j ACCEPT

I hope this helps others! I now have to add each rule one by one again. Thank you all for the help.

Also, you should save your iptables rules with iptables-save > /somewhere/iptables.conf (or some filename) and then add a pre-up iptables-restore < /somewhere/iptables.conf (or whatever) under eth0 in /etc/network/interfaces. This will make sure the rule list is loaded before the NIC is active. Make sure to re-save when you make changes to iptables.

Siriss

Posted 2011-10-12T22:26:17.320

Reputation: 282
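As an added example (not code from the question or the answer above), a POSIX sh script that generates a complete iptables-restore ruleset for the two-interface gateway described here, with explicit rules for both forwarding directions and a REJECT default, and a check that reads an iptables-save dump and reports which of the three rules a NAT gateway needs are missing. The function names are my own; eth0, eth1 and 10.0.10.0/24 are the values from the question.

```shell
#!/bin/sh
# Added example: generate and check a two-interface NAT gateway ruleset.
# Function names are hypothetical; eth0/eth1/10.0.10.0/24 are the question's values.

# Print an iptables-restore ruleset: WAN interface, LAN interface, LAN subnet.
gen_gateway_rules() {
    wan="$1"; lan="$2"; subnet="$3"
    cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
# WAN address comes from DHCP, so MASQUERADE rather than a fixed SNAT
-A POSTROUTING -s $subnet -o $wan -j MASQUERADE
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i $lan -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i $wan -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
# LAN -> Internet: only sources inside the LAN subnet may be forwarded out
-A FORWARD -i $lan -o $wan -s $subnet -j ACCEPT
# Internet -> LAN: only replies to flows the LAN opened
-A FORWARD -i $wan -o $lan -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
EOF
}

# Read an iptables-save dump on stdin and report which of the three rules a
# gateway needs are missing; returns 1 if any is absent, 0 if all are present.
check_gateway_rules() {
    wan="$1"; lan="$2"; rules=$(cat); missing=0
    printf '%s\n' "$rules" | grep -qE -e "-A POSTROUTING .*-o $wan .*-j MASQUERADE" \
        || { echo "missing: nat MASQUERADE out of $wan"; missing=1; }
    printf '%s\n' "$rules" | grep -qE -e "-A FORWARD .*(-i $lan|-o $wan).*-j ACCEPT" \
        || { echo "missing: FORWARD accept for $lan -> $wan"; missing=1; }
    printf '%s\n' "$rules" | grep -qE -e "-A FORWARD .*ESTABLISHED,RELATED.*-j ACCEPT" \
        || printf '%s\n' "$rules" | grep -q '^:FORWARD ACCEPT' \
        || { echo "missing: FORWARD accept for return traffic into $lan"; missing=1; }
    return $missing
}
```

Write the generated ruleset to a file (for example gen_gateway_rules eth0 eth1 10.0.10.0/24 > /etc/iptables.conf) and load it with the pre-up iptables-restore line from the answer; running iptables-save | check_gateway_rules eth0 eth1 afterwards confirms the rules are actually in the kernel, which a ruleset file sitting on disk does not.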