Hi all,

I have an LFS 6.2 system I'm trying to set up as a router for my home network.

eth0 is connected to my cable modem running dhclient

eth1 is uplinked to my switch with a static IP running dhcpd

My Linux router is set up to masquerade between eth0 and eth1.

My internal network is able to pull IP's off of my DHCP server. All my boxes internally are able to ping one another. I am able to pull an IP from my ISP, however I cannot connect to anything. When I attempt to ping anything external from the console I get the following error:

ping: sendto: Operation not permitted

My first thought was that I borked my iptable configuration. I set the router to boot without loading iptables (iptables -L is blank), it is still unable to connect. I even went so far as to remove the eth1 network card and just boot with a single card. Still no dice. I tried looking at my route table, but it looks to be set properly. The default gateway is what is should be. I'm at a loss here. Does anyone have any idea why my box is refusing to see anything external?

I've attached several configuration files, if anyone needs additional information let me know and I'll be sure to post it.

Thanks,

-Kibo
_____________________________________________________________________

# Begin /etc/dhcpd.conf

default-lease-time 72000;
max-lease-time 144000;
ddns-update-style ad-hoc;

subnet 10.8.2.0 netmask 255.255.255.0
{
range 10.8.2.41 10.8.2.240;
option broadcast-address 10.8.2.255;
option routers 10.8.2.1;
}

# End /etc/dhcpd.conf
_____________________________________________________________________

# Begin /etc/dhclient.conf

interface "eth0"
{
prepend domain-name-servers 127.0.0.1;
request subnet-mask, broadcast-address, time-offset, routers,
domain-name, domain-name-servers, host-name;
require subnet-mask, domain-name-servers;
}

# End /etc/dhclient.conf
_____________________________________________________________________

# Begin /etc/sysconfig/network-devices/ifconfig.eth0/dhclient

ONBOOT="yes"
SERVICE="dhclient"
DHCP_START="-q"
DHCP_STOP="-q -r"

# Set PRINTIP="yes" to have the script print
# the DHCP assigned address
PRINTIP="yes"

# Set PRINTALL="yes" to print the DHCP assigned values for
# IP, SM, DG, and 1st NS. This requires PRINTIP="yes".
PRINTALL="no"

# End /etc/sysconfig/network-devices/ifconfig.eth0/dhclient
_____________________________________________________________________

# Begin /etc/sysconfig/network-devices/ifconfig.eth1/ipv4

ONBOOT=yes
SERVICE=ipv4-static
IP=10.8.2.1
PREFIX=24
BROADCAST=10.8.2.255

# End /etc/sysconfig/network-devices/ifconfig.eth1/ipv4
_____________________________________________________________________

#!/bin/sh
# Begin $rc_base/rc.iptables

# Enable broadcast echo Protection
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts

# Disable Source Routed Packets
echo 0 > /proc/sys/net/ipv4/conf/all/accept_source_route

# Enable TCP SYN Cookie Protection
echo 1 > /proc/sys/net/ipv4/tcp_syncookies

# Disable ICMP Redirect Acceptance
echo 0 > /proc/sys/net/ipv4/conf/all/accept_redirects

# Don't send Redirect Messages
echo 0 > /proc/sys/net/ipv4/conf/all/send_redirects

# Drop Spoofed Packets coming in on an interface where responses
# would result in the reply going out a different interface.
echo 1 > /proc/sys/net/ipv4/conf/all/rp_filter

# Log packets with impossible addresses.
echo 1 > /proc/sys/net/ipv4/conf/all/log_martians

# Be verbose on dynamic ip-addresses (not needed in case of static IP)
echo 2 > /proc/sys/net/ipv4/ip_dynaddr

# Disable Explicit Congestion Notification
# Too many routers are still ignorant
echo 0 > /proc/sys/net/ipv4/tcp_ecn

# Enable IP Forwarding
echo 1 > /proc/sys/net/ipv4/ip_forward

# Set a known state
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT DROP

# remove all existing rules if script is rerun on the fly
iptables -F
iptables -X
iptables -Z

iptables -t nat -F

# Allow DHCP
iptables -A INPUT -i eth0 -p udp -s 0.0.0.0 --sport 67 -d 255.255.255.255 --dport 68 -j ACCEPT

# Allow local connections
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT

# Forward traffic from internal network to external and masquerade
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
iptables -A FORWARD -i eth0 -o eth1 -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -i eth1 -o eth0 -j ACCEPT

# Drop invalid packets
iptables -I INPUT -p tcp -m state --state INVALID -j DROP

# Block spoofed addresses
iptables -A INPUT -i eth0 -s 10.0.0.0/8 -j DROP
iptables -A INPUT -i eth0 -s 172.16.0.0/12 -j DROP
iptables -A INPUT -i eth0 -s 192.168.0.0/16 -j DROP
iptables -A INPUT -i eth0 -s 0.0.0.0/8 -j DROP
iptables -A INPUT -i eth0 -s 127.0.0.0/8 -j DROP
iptables -A INPUT -i eth0 -s 224.0.0.0/3 -j DROP
iptables -A INPUT -i eth0 -s 169.254.0.0/16 -j DROP
iptables -A INPUT -i eth0 -s 192.0.2.0/24 -j DROP

# End $rc_base/rc.iptables