Hi all,

I have an LFS 6.2 system I'm trying to set up as a router for my home network.

eth0 is connected to my cable modem running dhclient

eth1 is uplinked to my switch with a static IP running dhcpd

My Linux router is set up to masquerade between eth0 and eth1.

My internal network is able to pull IPs off of my DHCP server. All my boxes internally are able to ping one another. I am able to pull an IP from my ISP, however I cannot connect to anything. When I attempt to ping anything external from the console I get the following error:

ping: sendto: Operation not permitted

My first thought was that I borked my iptables configuration. I set the router to boot without loading iptables (iptables -L is blank), it is still unable to connect. I even went so far as to remove the eth1 network card and just boot with a single card. Still no dice. I tried looking at my route table, but it looks to be set properly. The default gateway is what it should be. I'm at a loss here. Does anyone have any idea why my box is refusing to see anything external?

I've attached several configuration files, if anyone needs additional information let me know and I'll be sure to post it.



# Begin /etc/dhcpd.conf

default-lease-time 72000;
max-lease-time 144000;
ddns-update-style ad-hoc;

subnet netmask
option broadcast-address;
option routers;

# End /etc/dhcpd.conf

# Begin /etc/dhclient.conf

interface "eth0"
prepend domain-name-servers;
request subnet-mask, broadcast-address, time-offset, routers,
domain-name, domain-name-servers, host-name;
require subnet-mask, domain-name-servers;

# End /etc/dhclient.conf

# Begin /etc/sysconfig/network-devices/ifconfig.eth0/dhclient

DHCP_STOP="-q -r"

# Set PRINTIP="yes" to have the script print
# the DHCP assigned address

# Set PRINTALL="yes" to print the DHCP assigned values for
# IP, SM, DG, and 1st NS. This requires PRINTIP="yes".

# End /etc/sysconfig/network-devices/ifconfig.eth0/dhclient

# Begin /etc/sysconfig/network-devices/ifconfig.eth1/ipv4


# End /etc/sysconfig/network-devices/ifconfig.eth1/ipv4

# Begin $rc_base/rc.iptables

# Enable broadcast echo Protection
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts

# Disable Source Routed Packets
echo 0 > /proc/sys/net/ipv4/conf/all/accept_source_route

# Enable TCP SYN Cookie Protection
echo 1 > /proc/sys/net/ipv4/tcp_syncookies

# Disable ICMP Redirect Acceptance
echo 0 > /proc/sys/net/ipv4/conf/all/accept_redirects

# Don't send Redirect Messages
echo 0 > /proc/sys/net/ipv4/conf/all/send_redirects

# Drop Spoofed Packets coming in on an interface where responses
# would result in the reply going out a different interface.
echo 1 > /proc/sys/net/ipv4/conf/all/rp_filter

# Log packets with impossible addresses.
echo 1 > /proc/sys/net/ipv4/conf/all/log_martians

# Be verbose on dynamic ip-addresses (not needed in case of static IP)
echo 2 > /proc/sys/net/ipv4/ip_dynaddr

# Disable Explicit Congestion Notification
# Too many routers are still ignorant
echo 0 > /proc/sys/net/ipv4/tcp_ecn

# Enable IP Forwarding
echo 1 > /proc/sys/net/ipv4/ip_forward

# Set a known state
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT DROP

# remove all existing rules if script is rerun on the fly
iptables -F
iptables -X
iptables -Z

iptables -t nat -F

# Allow DHCP
iptables -A INPUT -i eth0 -p udp -s --sport 67 -d --dport 68 -j ACCEPT

# Allow local connections
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT

# Forward traffic from internal network to external and masquerade
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
iptables -A FORWARD -i eth0 -o eth1 -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -i eth1 -o eth0 -j ACCEPT

# Drop invalid packets
iptables -I INPUT -p tcp -m state --state INVALID -j DROP

# Block spoofed addresses
iptables -A INPUT -i eth0 -s -j DROP
iptables -A INPUT -i eth0 -s -j DROP
iptables -A INPUT -i eth0 -s -j DROP
iptables -A INPUT -i eth0 -s -j DROP
iptables -A INPUT -i eth0 -s -j DROP
iptables -A INPUT -i eth0 -s -j DROP
iptables -A INPUT -i eth0 -s -j DROP
iptables -A INPUT -i eth0 -s -j DROP

# End $rc_base/rc.iptables
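On Linux, a locally generated packet that the filter table's OUTPUT chain drops makes sendto() fail with EPERM ("Operation not permitted"), and the posted rc.iptables sets OUTPUT to DROP while only accepting lo, with no ESTABLISHED,RELATED accept on INPUT for the router's own replies. The script below is an added example, not part of the original post: it audits an iptables-save style dump for exactly those two conditions, using a constructed dump modelled on the posted rules (the interface name eth0 is from the post; the dump format and the fix rules are assumptions).

```shell
#!/bin/sh
# Added example: audit a filter-table dump (iptables-save format) for the
# conditions that make a router's own outbound traffic fail with EPERM:
#  1. OUTPUT policy DROP with no ACCEPT rule for the WAN interface
#  2. INPUT policy DROP with no ESTABLISHED,RELATED accept for replies
# Only the interface name "eth0" comes from the post; the rest is assumed.

# Constructed sample modelled on the posted rc.iptables (addresses the
# post omits are omitted here as well).
SAMPLE_DUMP='*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A FORWARD -i eth0 -o eth1 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i eth1 -o eth0 -j ACCEPT
COMMIT'

# audit_filter_dump WAN_IF < dump
# Prints one line per finding; exit status is the number of findings (0 = clean).
audit_filter_dump() {
    wan="$1"
    dump=$(cat)
    findings=0
    if printf '%s\n' "$dump" | grep -q '^:OUTPUT DROP' &&
       ! printf '%s\n' "$dump" | grep -q "^-A OUTPUT -o $wan .*-j ACCEPT"; then
        echo "OUTPUT policy DROP, no ACCEPT for -o $wan: local sendto() gets EPERM"
        findings=$((findings + 1))
    fi
    if printf '%s\n' "$dump" | grep -q '^:INPUT DROP' &&
       ! printf '%s\n' "$dump" | grep -q '^-A INPUT .*--state .*ESTABLISHED.*-j ACCEPT'; then
        echo "INPUT policy DROP, no ESTABLISHED,RELATED accept: replies to the router are dropped"
        findings=$((findings + 1))
    fi
    return $findings
}

# Minimal rules (assumed, not from the post) that clear both findings while
# keeping the DROP policies; -m state needs the conntrack module loaded.
FIX_RULES='-A INPUT -i eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -o eth0 -j ACCEPT'
```

Run it against a live box with `iptables-save -t filter | audit_filter_dump eth0`; an exit status of 0 means neither condition is present.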