Thanks for your help so far - still no luck with the Host web browser.

1_ How should I enter that last -s !?

   # iptables -A INPUT -s ! 192.168.0.0/16 -j DROP

   ...?

2_ Here's what I have done so far...

a) the Host at 192.168.1.10 can ping the Router at 192.168.1.1 successfully
   without packet loss.

b) removed default gateway for router eth1 (thanks rodolfo paiz)

c) edited /etc/hosts (thanks rodolfo paiz)

d) flushed rules and reset, without the "-s !"

   # iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
   # iptables -A FORWARD -s 192.168.0.0/16 -j ACCEPT
   # iptables -A FORWARD -d 192.168.0.0/16 -j ACCEPT

e) checked it worked

   # iptables -L
   Chain INPUT (policy ACCEPT)
   target     prot opt source               destination
   RH-Firewall-1-INPUT  all  --  anywhere             anywhere

   Chain FORWARD (policy ACCEPT)
   target     prot opt source               destination
   RH-Firewall-1-INPUT  all  --  anywhere             anywhere
   ACCEPT     all  --  192.168.0.0/16       anywhere
   ACCEPT     all  --  anywhere             192.168.0.0/16

   Chain OUTPUT (policy ACCEPT)
   target     prot opt source               destination

   Chain RH-Firewall-1-INPUT (2 references)
   target     prot opt source               destination
   ACCEPT     all  --  anywhere             anywhere
   ACCEPT     icmp --  anywhere             anywhere            icmp any
   ACCEPT     ipv6-crypt--  anywhere        anywhere
   ACCEPT     ipv6-auth--  anywhere         anywhere
   ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
   ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:http
   ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:https
   ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:ftp
   ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:ssh
   REJECT     all  --  anywhere             anywhere            reject-with icmp-host-prohibited

f) restart nw

   # /etc/init.d/network restart
   Shutting down interface eth0:                              [  OK  ]
   Shutting down interface eth1:                              [  OK  ]
   Shutting down loopback interface:                          [  OK  ]
   Disabling IPv4 packet forwarding:                          [  OK  ]
   Setting network parameters:                                [  OK  ]
   Bringing up loopback interface:                            [  OK  ]
   Bringing up interface eth0:                                [  OK  ]
   Bringing up interface eth1:                                [  OK  ]

Result: Still no luck with web browser from Host. Anything else I should try?
Or go straight to another tool, as others have suggested?

Thanks to all other suggestions,
Chris

<original message>
Subject: Re: nat masquerade router
To: For users of Fedora Core releases <fedora-list@xxxxxxxxxx>
Message-ID: <1087321492.3543.75.camel@xxxxxxxxxxxxxxxxxxxxx>
Content-Type: text/plain; charset="us-ascii"

On Tue, 15.06.2004 at 19:29, Michael Floyd wrote:

> Well I see that you're using a 24 bit subnet mask ( 255.255.255.0 ) not a 16
> bit ( 255.255.0.0 )
> It would be your firewall rules that are blocking you.....

Right.

> These two lines......
> # iptables -A FORWARD -s 192.168.0.0/16 -j ACCEPT
> # iptables -A FORWARD -d 192.168.0.0/16 -j ACCEPT
> # iptables -A FORWARD -s ! 192.168.0.0/16 -j DROP
>
> the ip's should be 192.168.1.0/24 not 192.168.0.0/16
> the way it's written, you drop everything on your subnet.

No :) That doesn't matter. 192.168.0.0/16 includes the 192.168.1.0/24 net.
He is just a bit more permissive than it needs to be. But does no harm.

What is causing the blocking is:

iptables -A FORWARD -s ! 192.168.0.0/16 -j DROP

It drops all incoming traffic not being from the private address range.
Thus packets from the public internet are dropped. What you intend is
better placed in the INPUT chain.

> Michael Floyd

Alexander
</original message>
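As an added illustration (not code from the thread), the following Python models iptables' first-match evaluation for the FORWARD rules discussed above, so both points can be checked: 192.168.0.0/16 does contain the host 192.168.1.10, and "-s ! 192.168.0.0/16 -j DROP" matches every packet whose source lies outside the private range, so its position in the chain decides whether replies from the internet get through. The public address 203.0.113.80 is a constructed placeholder, and only -s/-d matching is modelled.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# Minimal model of an iptables filter chain: rules are tried in order, the
# first match decides, and the chain policy applies if nothing matched.
# Written for this thread as an illustration; it is not iptables itself.

@dataclass
class Rule:
    target: str                    # "ACCEPT" or "DROP"
    src: Optional[str] = None      # CIDR for -s, e.g. "192.168.0.0/16"
    dst: Optional[str] = None      # CIDR for -d
    src_negated: bool = False      # True models "-s ! <net>"
    dst_negated: bool = False      # True models "-d ! <net>"

def _matches(addr: str, net: Optional[str], negated: bool) -> bool:
    if net is None:                # no -s/-d given: matches any address
        return True
    hit = ipaddress.ip_address(addr) in ipaddress.ip_network(net)
    return (not hit) if negated else hit

def evaluate(chain: List[Rule], src: str, dst: str, policy: str = "ACCEPT") -> str:
    """Verdict for a packet src->dst: first matching rule's target, else the policy."""
    for r in chain:
        if _matches(src, r.src, r.src_negated) and _matches(dst, r.dst, r.dst_negated):
            return r.target
    return policy

# The three FORWARD rules quoted in the thread.
ACCEPT_PRIVATE_SRC = Rule("ACCEPT", src="192.168.0.0/16")
ACCEPT_PRIVATE_DST = Rule("ACCEPT", dst="192.168.0.0/16")
DROP_PUBLIC_SRC = Rule("DROP", src="192.168.0.0/16", src_negated=True)  # -s ! ... -j DROP

CHAIN_AS_POSTED = [ACCEPT_PRIVATE_SRC, ACCEPT_PRIVATE_DST, DROP_PUBLIC_SRC]
CHAIN_DROP_FIRST = [DROP_PUBLIC_SRC, ACCEPT_PRIVATE_SRC, ACCEPT_PRIVATE_DST]

HOST = "192.168.1.10"   # the LAN host from the thread (a /24 inside 192.168.0.0/16)
WEB = "203.0.113.80"    # constructed public web server address (TEST-NET-3)

def host_in_private16() -> bool:
    # The /16 rules still cover a host on 192.168.1.0/24 (Alexander's point).
    return ipaddress.ip_address(HOST) in ipaddress.ip_network("192.168.0.0/16")

if __name__ == "__main__":
    # MASQUERADE un-NATs the reply before FORWARD, so the reply's dst is HOST here.
    print(host_in_private16())                        # True
    print(evaluate(CHAIN_AS_POSTED, HOST, WEB))       # ACCEPT: outbound request
    print(evaluate(CHAIN_AS_POSTED, WEB, HOST))       # ACCEPT: reply hits the -d rule first
    print(evaluate(CHAIN_DROP_FIRST, WEB, HOST))      # DROP: negated rule matches a public source
```

Running it shows that the negated DROP only bites when no earlier rule has already accepted the packet, which is why rule order matters as much as the rule itself.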