Lan to Wan reprise

[Claude Jones]

Claude Jones wrote:

> The web server works.
> The box has internet access.
> Machines on the Lan are getting DHCP assigned IP addresses. They are 
> also able to see my lone web page.
> However, the machines on the Lan can't get past the firewall. It's not 
> a DNS problem because it doesn't go away if you put an IP address in. 
> I can ping the Wan NIC from the LAN but nothing further than that.
> I've reviewed the procedures over and over  that I used successfully, 
> and I can't find the problem.
> DHCPD loads without errors.
> I've checked and rechecked the firewall and SELinux settings, and they 
> appear to be the same as at the office.
> I've reviewed the network settings for my NICs twenty times.
> IP forwarding and masquerade have been set up.
>       

I add the following detail in case someone has the time to pore through 
it. I continue to be stuck. The above conditions still hold.
The following is my firewall script:


#!/bin/bash
# An enhanced stateful firewall for a workstation, laptop or router that 
isn't
# running any network services like a web server, SMTP server, ftp 
server, etc.
#change this to the name of the interface that provides your "WAN"
#(connection to the Internet)
WAN="eth0"
#if you're a router (and thus should forward IP packets between interfaces),
#you want ROUTER="yes"; otherwise, ROUTER="no"
ROUTER="yes"
#change this next line to the static IP of your WAN interface for static 
SNAT,
#"dynamic" if you have a dynamic IP. If you don't need any NAT, set NAT 
to ""
#disable it.
NAT="66.225.207.87"
#change this next line so it lists all your network interfaces, including lo
INTERFACES="lo eth0 eth1"
if [ "$1" = "start" ]
then
echo "Starting firewall..."
iptables -P INPUT DROP
iptables -A INPUT -i ! ${WAN} -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -p tcp --dport http -m state --state NEW -j ACCEPT
iptables -A INPUT -p tcp -i ${WAN} -j REJECT --reject-with tcp-reset
iptables -A INPUT -p udp -i ${WAN} -j REJECT --reject-with 
icmp-port-unreachable
#explicitly disable ECN
if [ -e /proc/sys/net/ipv4/tcp_ecn ]
then
echo 0 > /proc/sys/net/ipv4/tcp_ecn
fi
#disable spoofing on all interfaces
for x in ${INTERFACES}
do
echo 1 > /proc/sys/net/ipv4/conf/${x}/rp_filter
done
if [ "$ROUTER" = "yes" ]
then
#we're a router of some kind, enable IP forwarding
echo 1 > /proc/sys/net/ipv4/ip_forward
#static IP, use SNAT
echo "Enabling SNAT (static ip)..."
iptables -t nat -A POSTROUTING -o ${WAN} -j SNAT --to 66.225.207.87
fi
elif [ "$1" = "stop" ]
then
echo "Stopping firewall..."
iptables -F INPUT
iptables -P INPUT ACCEPT
#turn off NAT/masquerading, if any
iptables -t nat -F POSTROUTING
fi


This is my dhcpd.conf:

ddns-update-style interim;
ignore client-updates;

subnet 192.168.2.0 netmask 255.255.255.0 {
   
# --- default gateway
    option routers            192.168.2.1;
    option subnet-mask        255.255.255.0;

#    option nis-domain        "domain.org";
    option domain-name        viewridgeproductions;
    option domain-name-servers    64.202.97.2, 69.31.31.2;

    option time-offset        -18000;    # Eastern Standard Time
#    option ntp-servers        192.168.1.1;
#    option netbios-name-servers    192.168.1.1;
# --- Selects point-to-point node (default is hybrid). Don't change this 
unless
# -- you understand Netbios very well
#    option netbios-node-type 2;

    range dynamic-bootp 192.168.2.128 192.168.2.254;
    default-lease-time 21600;
    max-lease-time 43200;

    # we want the lan router to appear at a fixed address
    host viewridgeproductions {
        hardware ethernet 00:C0:F0:49:79:31;
        fixed-address 192.168.2.1;
    }
}

Both of these can be started and stopped without error messages. I've 
visited and revisited NIC configurations, and they are fine. I'm 
mystified. If one of you has the time to pour through all this and see a 
problem, thanks in advance.