Lee W wrote:
> Feizhou wrote:
>
>> If your box has a link on 55.20.0.0/255.255.0.0 and then more
>> physical links to 56.1.x.0/24 individually (machines on two separate
>> physical networks) or one more physical link to 56.1.1.0/23 (all
>> machines on one physical network and you are going to assign IPs from
>> 56.1.1.x and 56.1.2.x) then all you need is to set up the default route
>> of the box to 55.20.0.2, enable IP forwarding and then point the
>> default route of all clients to the box's corresponding IP on their
>> subnets (eg: two physical links, 56.1.1.1 and 56.1.2.1) or on their
>> subnet (only one physical link, 56.1.1.1).
>>
>> If you want to control what packets get through the box, use the
>> iptables -t filter FORWARD chain.
>>
>
> That is what I thought, but it doesn't seem to be working.
>
> Here is the routing table of the Linux router box:
>
> Kernel IP routing table
> Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
> 192.168.1.0     *               255.255.255.0   U     0      0        0 green
> 192.168.8.0     *               255.255.255.0   U     0      0        0 red
> 169.254.0.0     *               255.255.0.0     U     0      0        0 green
> default         192.168.8.2     0.0.0.0         UG    0      0        0 red

You have private IPs. These are not routable on the Internet.

>
> I've given the real IPs this time as it is only a virtual machine.
> The names probably say enough, but to clarify: 192.168.8.0 is the
> public-facing subnet (what would be in the ISP cloud, I guess), with
> 192.168.8.2 as the default gateway; this is pingable from the router.
> 192.168.1.0 is the private subnet, with 192.168.8.254 as the router's
> internal IP. Workstations can ping the internal IP of the router but
> not anything outside, nor does a traceroute work.

Your ISP has not given you *any* routable IPs. Any NATting will have to be handled by your ISP.
> IP forwarding has been enabled by: "sysctl -w net.ipv4.ip_forward = 1"
>
> The iptables rules are all clear, as follows:
>
> Chain INPUT (policy ACCEPT)
> target     prot opt source               destination
>
> Chain FORWARD (policy ACCEPT)
> target     prot opt source               destination
>
> Chain OUTPUT (policy ACCEPT)
> target     prot opt source               destination
>
> Here is the routing table from the client machine:
>
> Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
> 192.168.1.0     *               255.255.255.0   U     0      0        0 eth0
> 169.254.0.0     *               255.255.0.0     U     0      0        0 eth0
> default         192.168.1.254   0.0.0.0         UG    0      0        0 eth0
>
> From what you have said this should work fine, but I'm clearly missing
> something obvious that I just cannot see.
>

Yes, you are missing Internet-routable IPs. If your ISP says these are routable, the ISP is lying.
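As an added example, not code from the thread or from either poster: a minimal router setup script for the topology in the quoted routing tables. The interface names green/red, the LAN prefix 192.168.1.0/24 and the upstream gateway 192.168.8.2 are taken from those tables; everything else is an assumption. It enables forwarding with the form sysctl actually accepts (the quoted command has spaces around "=", which sysctl does not parse as a single name=value assignment, so forwarding stays off), sets the default route, locks the FORWARD chain down to LAN-to-upstream traffic plus return traffic, and, only when DO_NAT=1, masquerades the LAN behind the red address for the case where the upstream does not route 192.168.1.0/24 back to the box. DRY_RUN=1 prints the commands instead of executing them, so the plan can be inspected without root.

```shell
#!/bin/sh
# Added example for the thread above; not the posters' configuration.
# Values below are assumptions read off the quoted routing tables.
LAN_IF=green
WAN_IF=red
LAN_NET=192.168.1.0/24
UPSTREAM_GW=192.168.8.2

# Execute a command, or just print it when DRY_RUN=1 (no root needed).
run() {
  if [ "${DRY_RUN:-0}" = "1" ]; then
    printf '%s\n' "$*"
  else
    "$@"
  fi
}

# No spaces around "=": "sysctl -w key = 1" hands sysctl three separate
# arguments ("key", "=", "1"), none of which is a valid name=value, so
# nothing is written and /proc/sys/net/ipv4/ip_forward stays 0.
enable_forwarding() {
  run sysctl -w net.ipv4.ip_forward=1
}

# Returns 0 if the kernel is really forwarding; use after enable_forwarding.
forwarding_is_on() {
  [ "$(cat /proc/sys/net/ipv4/ip_forward 2>/dev/null)" = "1" ]
}

# Default route of the box points at the upstream gateway on the red side.
set_default_route() {
  run ip route replace default via "$UPSTREAM_GW" dev "$WAN_IF"
}

# FORWARD chain: default DROP, then only what should cross the box.
# Policy ACCEPT (as in the quoted ruleset) forwards everything, including
# packets arriving on red that claim a LAN source address.
filter_rules() {
  run iptables -t filter -P FORWARD DROP
  run iptables -t filter -F FORWARD
  run iptables -t filter -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
  run iptables -t filter -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -s "$LAN_NET" -j ACCEPT
  run iptables -t filter -A FORWARD -j LOG --log-prefix "FWD-DROP: "
}

# Only needed when the upstream has no route back to $LAN_NET via this box;
# then replies must come back to the red address instead.
nat_rules() {
  run iptables -t nat -A POSTROUTING -s "$LAN_NET" -o "$WAN_IF" -j MASQUERADE
}

configure_router() {
  enable_forwarding
  set_default_route
  filter_rules
  if [ "${DO_NAT:-0}" = "1" ]; then
    nat_rules
  fi
}

# Usage:  sh router.sh apply            (as root, applies the rules)
#         DRY_RUN=1 sh router.sh apply  (prints the plan only)
if [ "${1:-}" = "apply" ]; then
  configure_router
  if [ "${DRY_RUN:-0}" != "1" ]; then
    forwarding_is_on || { echo "ip_forward is still 0" >&2; exit 1; }
  fi
fi
```

Clients on green keep their default route at the router's green address (192.168.1.254 in the quoted client table); the router itself only ever needs one default route, on red. Run with DRY_RUN=1 first and compare the printed plan against the quoted "policy ACCEPT" chains to see exactly what changes.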