IP tables prevents server from browsing


2buck56
17th October 2004, 12:54 AM
I have set up iptables using the script shown below. My 3 workstations can browse the internet, so the NAT and masquerading are working.
However, the server cannot browse the internet. The server can ping websites by IP address, but cannot pull up the site even if I put in the IP address instead of the website name.
If I turn the firewall off, the server can browse the internet but the workstations cannot.
Could someone please tell me what is missing in the script that prevents the server from browsing?

Thanks.

# Flush and initialize tables
iptables -F
iptables -t nat -F
iptables --delete-chain
iptables -t nat --delete-chain

# Accept all packets
iptables --policy INPUT ACCEPT
iptables --policy OUTPUT ACCEPT
iptables --policy FORWARD ACCEPT

# Loopback interface should accept all traffic
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT

# Allow ping in and out
iptables -A OUTPUT -p icmp --icmp-type echo-request -j ACCEPT
iptables -A INPUT -p icmp --icmp-type echo-reply -j ACCEPT

# Allow masquerading (NAT) -- eth0 connects to internet and eth1 to local LAN
iptables -A POSTROUTING -t nat -o eth0 -s 172.16.1.0/24 -d 0/0 -j MASQUERADE
# Enable forwarding of NAT packets to internet
echo 1 > /proc/sys/net/ipv4/ip_forward

# Prior to masquerading, the packets are routed via the filter table's FORWARD
# chain.
# Allowed outbound: New, established, and related connections
# Allowed inbound: Established and related connections
iptables -A FORWARD -t filter -i eth1 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -t filter -i eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT

# Allow DNS queries in and out of the firewall (port 53 is DNS)
iptables -A OUTPUT -p udp -o eth0 --dport 53 --sport 1024:65535 -j ACCEPT
iptables -A INPUT -p udp -i eth0 --sport 53 --dport 1024:65535 -j ACCEPT

# Allow all bi-directional traffic from the firewall to the LAN
iptables -A INPUT -j ACCEPT -p all -s 172.16.1.0/24 -i eth1
iptables -A OUTPUT -j ACCEPT -p all -d 172.16.1.0/24 -o eth1

# Allow ssh from anywhere to server - Change to specific IP address to restrict
iptables -A INPUT -p tcp -i eth0 -s 0/0 --dport 22 -j ACCEPT

# Drop all other packets
iptables -A OUTPUT -j DROP
iptables -A INPUT -j DROP
iptables -A FORWARD -j DROP
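
The rules the script above is missing are the ones for the firewall's own traffic. Walk the OUTPUT chain for a packet the box itself sends out eth0: loopback, ICMP echo-request, UDP to port 53, and anything to the LAN are accepted; a TCP SYN to a web server on port 80 matches none of those and hits the final `iptables -A OUTPUT -j DROP`. Even if it did get out, INPUT has no ESTABLISHED,RELATED rule for eth0, so the SYN-ACK would be dropped too. Ping and DNS work only because they are explicitly allowed, and the workstations work because their packets go through FORWARD, which does have state rules. Masquerading is not the problem: the box's own packets already carry eth0's address, so they need no NAT. The following is an added example, not the poster's script: the same layout (eth0 = WAN, eth1 = LAN 172.16.1.0/24, sshd reachable on eth0) rebuilt with DROP policies plus the two missing state rules. The `apply` argument and the `IPT=echo` dry run are conventions of this example only.

```shell
#!/bin/sh
# Added example (not the original poster's script). Assumes eth0 = WAN,
# eth1 = LAN 172.16.1.0/24, and that the firewall itself must reach the
# internet. Run as root:  sh firewall.sh apply
# Preview without loading: IPT=echo sh firewall.sh apply

IPT="${IPT:-iptables}"      # IPT=echo prints the rules instead of loading them
WAN=eth0
LAN=eth1
LAN_NET=172.16.1.0/24
STATE="-m state --state"    # current kernels accept "-m conntrack --ctstate" as the same match

# rule: emit one iptables argument list as a single line.
rule() { printf '%s\n' "$*"; }

# rules: the complete ruleset, in load order.
rules() {
    # Start clean, then default-deny every chain. This replaces the original
    # script's ACCEPT policies with trailing "-j DROP" rules; it is equivalent
    # but leaves no window where the chains are open while rules are loading.
    rule -F
    rule -t nat -F
    rule -X
    rule -t nat -X
    rule -P INPUT DROP
    rule -P OUTPUT DROP
    rule -P FORWARD DROP

    rule -A INPUT -i lo -j ACCEPT
    rule -A OUTPUT -o lo -j ACCEPT

    # The two rules the original script lacks: the firewall's own new
    # connections out the WAN side, and their replies back in. These cover
    # the box's HTTP, DNS and ping traffic, so no per-protocol rules are needed.
    rule -A OUTPUT -o $WAN $STATE NEW,ESTABLISHED,RELATED -j ACCEPT
    rule -A INPUT -i $WAN $STATE ESTABLISHED,RELATED -j ACCEPT

    # Firewall <-> LAN, unrestricted as in the original.
    rule -A INPUT -i $LAN -s $LAN_NET -j ACCEPT
    rule -A OUTPUT -o $LAN -d $LAN_NET -j ACCEPT

    # SSH to the firewall from the WAN side. Restrict with "-s <admin IP>"
    # once it works; the reply path is the INPUT/OUTPUT state rules above.
    rule -A INPUT -i $WAN -p tcp --dport 22 $STATE NEW -j ACCEPT

    # Forwarded LAN traffic: new connections LAN -> WAN, replies WAN -> LAN.
    rule -A FORWARD -i $LAN -o $WAN -s $LAN_NET $STATE NEW,ESTABLISHED,RELATED -j ACCEPT
    rule -A FORWARD -i $WAN -o $LAN $STATE ESTABLISHED,RELATED -j ACCEPT

    # NAT only for forwarded LAN packets; the box's own packets need none.
    rule -t nat -A POSTROUTING -o $WAN -s $LAN_NET -j MASQUERADE
}

# apply_rules: load each line with $IPT; stop at the first failure.
apply_rules() {
    rules | while IFS= read -r line; do
        # word splitting of $line is intended here
        $IPT $line || { echo "failed: $IPT $line" >&2; exit 1; }
    done || return 1
}

enable_forwarding() {
    echo 1 > /proc/sys/net/ipv4/ip_forward
}

if [ "${1:-}" = "apply" ]; then
    apply_rules || exit 1
    [ "$IPT" = echo ] || enable_forwarding
fi
```

Two things worth checking after loading it: `iptables -L -v -n` should show the packet counters on the OUTPUT eth0 rule climbing when the box fetches a page, and `iptables -L INPUT -v -n` should show the ESTABLISHED rule counting the replies. If the counters stay at zero, the box is routing out a different interface than eth0.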

Zotter
21st October 2004, 07:49 AM
An assumption - this firewall/NAT box is the same machine as what you call 'your server'.

Well, first off - your LAN is wide open with that script. You're not blocking *anything* at all coming into your server/NAT box. That's typically considered a 'bad idea(tm)'. Better practice is to use a default DROP and specific allow scheme, i.e. set policies to DROP and then allow specific traffic only.

Traffic's not being NATed (masqueraded). You've set this script up to only MASQUERADE traffic going OUT eth0 that's ALSO sourced from your LAN IP range. I'll assume your WAN port isn't on the LAN's IP range (it shouldn't be at least) - so that kills NAT (masquerade) for your server right there.

So, that's what I see as to why it ain't working - but how to make that work? Well, I'm hesitant to - first because I'm not sure how (moment of honesty :shock: ), but mostly it's considered another 'bad idea (tm)' to use your LAN's firewall box as a server. It'd be a much better approach (simpler to set up too!) to dedicate a box to firewall/NAT duties and put your server on the LAN. Any old Pentium box (antique even) will be more than enough to do the job. I've been finding P-450s for as low as $10 - they're out there. And that's overkill for a home LAN NAT box.

Take a look at this site for some GREAT iptables/netfilter info:
http://www.netfilter.org/documentation/index.html#documentation-howto

One of the more helpful to me was this link from the Tutorials section:
http://iptables-tutorial.frozentux.net/iptables-tutorial.html

2buck56
21st October 2004, 08:42 PM

Zotter, I think I may have been a little confusing. I have 2 ethernet cards in the "server". I am using eth0 for the WAN and eth1 for the LAN. Also, "server" is not really correct. The only purpose of the box is to act as a firewall and Internet access control. Also, I only had the policies set to ACCEPT in an attempt to get the box to browse the internet.
I have since got everything to work and have reset the policies to DROP. I only allow connections into my mailserver, webserver, and a Remote Desktop connection to my Windows server. I am using Squid for control of internet access and it works exactly the way I need it to. The only thing I cannot get to work is SSH.

SSH works fine on the LAN side but I cannot connect from outside the building. I have the following command in my script:
iptables -A INPUT -p tcp -i eth0 -s 0/0 --dport 22 -j ACCEPT

Once I am able to make it work from outside the LAN, I will change the -s 0/0 to a specific IP address that I will be using. However, so far I have been unable to get it to work.

Thanks for your comments, and if you have any ideas about the SSH problems, I would appreciate hearing them.

Zotter
22nd October 2004, 08:17 AM
Cool, more info! Always a help.

Again, I may not be a lot of help in that I *know* it can be done, but I've not done this myself. Just finding the 'how to' in the links I already shared.

Here's a way to make it happen:

iptables -t nat -A PREROUTING -p tcp -d 15.45.23.67 --dport 22 -j DNAT --to-destination 192.168.1.10
(edited from original)
from: http://iptables-tutorial.frozentux.net/iptables-tutorial.html#DNATTARGET

Maybe change it from using -d <IP> to -i eth0 instead. Basically, "Anything sent to port 22, that comes in on the WAN port, gets sent to the web server"

I'd also assume you've static LAN IP's for your server boxen.

Mmm, there's a question - how'd a guy do this if the IPs were DHCP assigned? How to get the IP of that machine into that particular line of your firewall script......

Hmmmmmmm
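
A caveat on the DNAT line above: with FORWARD's policy set to DROP (as 2buck56 now has it), the PREROUTING rule alone is not enough. DNAT only rewrites the destination address; the rewritten packet is then routed through the filter table's FORWARD chain, where it still has to be accepted, so a port forward is always a pair of rules. Note also that 2buck56's rule is for SSH to the firewall itself, not a LAN host; for that case the INPUT rule is right as written, and what matters is that replies are allowed out (an ESTABLISHED,RELATED rule on OUTPUT for eth0) and that sshd is listening on the eth0 address, not only the LAN one. On the DHCP question: the usual answer is a fixed lease (reservation) keyed on the host's MAC address in the DHCP server, so the forward target's address never changes. The following is an added example, not Zotter's or the tutorial's code, that emits both rules of a forward; the interface names and the 192.168.1.10 host come from the thread, and eth1 as the LAN interface and the 2222 alternate port are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): emit the rule PAIR a port forward needs
# when the FORWARD chain's policy is DROP. Assumes eth0 = WAN, eth1 = LAN.
# Usage (as root):  port_forward eth0 eth1 tcp 22 192.168.1.10 | apply_rules
# Preview:          IPT=echo; port_forward eth0 eth1 tcp 22 192.168.1.10 | apply_rules

IPT="${IPT:-iptables}"

# port_forward WAN_IF LAN_IF PROTO PUBLIC_PORT INTERNAL_IP [INTERNAL_PORT]
# Prints the two rules, one per line. INTERNAL_PORT defaults to PUBLIC_PORT,
# so "port_forward eth0 eth1 tcp 2222 192.168.1.10 22" exposes sshd on 2222.
port_forward() {
    wan=$1 lan=$2 proto=$3 pub_port=$4 int_ip=$5 int_port=${6:-$4}
    case $pub_port$int_port in
        *[!0-9]*) echo "port must be numeric" >&2; return 1 ;;
    esac
    case $proto in
        tcp|udp) ;;
        *) echo "proto must be tcp or udp" >&2; return 1 ;;
    esac
    # 1. nat/PREROUTING: rewrite the destination of packets arriving on the
    #    WAN interface. Matching on -i $wan instead of -d <public IP> means the
    #    rule survives a change of public address.
    printf '%s\n' "-t nat -A PREROUTING -i $wan -p $proto --dport $pub_port -j DNAT --to-destination $int_ip:$int_port"
    # 2. filter/FORWARD: the rewritten packet is now routed toward the LAN
    #    host and must be accepted there too. Return traffic is covered by the
    #    ESTABLISHED,RELATED rule the ruleset already has on FORWARD.
    printf '%s\n' "-A FORWARD -i $wan -o $lan -p $proto -d $int_ip --dport $int_port -m state --state NEW -j ACCEPT"
}

# apply_rules: read rule lines from stdin and load each with $IPT.
apply_rules() {
    while IFS= read -r line; do
        # word splitting of $line is intended here
        $IPT $line || return 1
    done
}
```

After loading the pair, a connection from outside should appear in `iptables -t nat -L PREROUTING -v -n` (the DNAT counter) and in `iptables -L FORWARD -v -n` (the NEW counter). A DNAT counter that climbs while the FORWARD counter stays at zero is the symptom of the missing second rule.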