Claude Jones wrote:
The web server works.
The box has internet access.
Machines on the Lan are getting DHCP assigned IP addresses. They are also able to see my lone web page.
However, the machines on the Lan can't get past the firewall. It's not a DNS problem because it doesn't go away if you put an IP address in. I can ping the Wan NIC from the LAN but nothing further than that.
I've reviewed the procedures over and over that I used successfully, and I can't find the problem.
DHCPD loads without errors.
I've checked and rechecked the firewall and SELinux settings, and they appear to be the same as at the office.
I've reviewed the network settings for my NICs twenty times.
IP forwarding and masquerade have been set up.
I add the following detail in case someone has the time to pore through it. I continue to be stuck. The above conditions still hold.
The following is my firewall script:
#!/bin/bash
# An enhanced stateful firewall for a workstation, laptop or router that isn't
# running any network services like a web server, SMTP server, ftp server, etc.
#change this to the name of the interface that provides your "WAN"
#(connection to the Internet)
WAN="eth0"
#if you're a router (and thus should forward IP packets between interfaces),
#you want ROUTER="yes"; otherwise, ROUTER="no"
ROUTER="yes"
#change this next line to the static IP of your WAN interface for static SNAT,
#"dynamic" if you have a dynamic IP. If you don't need any NAT, set NAT to ""
#disable it.
NAT="66.225.207.87"
#change this next line so it lists all your network interfaces, including lo
INTERFACES="lo eth0 eth1"
if [ "$1" = "start" ]
then
echo "Starting firewall..."
iptables -P INPUT DROP
iptables -A INPUT -i ! ${WAN} -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -p tcp --dport http -m state --state NEW -j ACCEPT
iptables -A INPUT -p tcp -i ${WAN} -j REJECT --reject-with tcp-reset
iptables -A INPUT -p udp -i ${WAN} -j REJECT --reject-with icmp-port-unreachable
#explicitly disable ECN
if [ -e /proc/sys/net/ipv4/tcp_ecn ]
then
echo 0 > /proc/sys/net/ipv4/tcp_ecn
fi
#disable spoofing on all interfaces
for x in ${INTERFACES}
do
echo 1 > /proc/sys/net/ipv4/conf/${x}/rp_filter
done
if [ "$ROUTER" = "yes" ]
then
#we're a router of some kind, enable IP forwarding
echo 1 > /proc/sys/net/ipv4/ip_forward
#static IP, use SNAT
echo "Enabling SNAT (static ip)..."
iptables -t nat -A POSTROUTING -o ${WAN} -j SNAT --to 66.225.207.87
fi
elif [ "$1" = "stop" ]
then
echo "Stopping firewall..."
iptables -F INPUT
iptables -P INPUT ACCEPT
#turn off NAT/masquerading, if any
iptables -t nat -F POSTROUTING
fi
This is my dhcpd.conf:
ddns-update-style interim; ignore client-updates;
subnet 192.168.2.0 netmask 255.255.255.0 {
# --- default gateway
option routers 192.168.2.1;
option subnet-mask 255.255.255.0;
# option nis-domain "domain.org"; option domain-name viewridgeproductions; option domain-name-servers 64.202.97.2, 69.31.31.2;
option time-offset -18000; # Eastern Standard Time
# option ntp-servers 192.168.1.1;
# option netbios-name-servers 192.168.1.1;
# --- Selects point-to-point node (default is hybrid). Don't change this unless
# -- you understand Netbios very well
# option netbios-node-type 2;
range dynamic-bootp 192.168.2.128 192.168.2.254; default-lease-time 21600; max-lease-time 43200;
# we want the lan router to appear at a fixed address host viewridgeproductions { hardware ethernet 00:C0:F0:49:79:31; fixed-address 192.168.2.1; } }
Both of these can be started and stopped without error messages. I've visited and revisited NIC configurations, and they are fine. I'm mystified. If one of you has the time to pour through all this and see a problem, thanks in advance.