How to set up iptables for local router machine?

Solution 1:

Well, you configuration seems to be a bit short. I'm attaching the configuration of my router as a working example.

Also, you are using '-m state' to track related and established connections, while I usually utilise '-m conntrack'.

What you can try - to log dropped packets and see what and why is getting dropped by iptables. I'm writing my configuration (with logging and also including default ACCEPT policy for OUTPUT chain) below. To enable it, save it to file (e.g., 'iptables_test_rules.txt') and apply them using 'iptables-restore iptables_test_rules.txt'. See 'iptables -L -v' for rules overview and your syslog for dropped connections (attention: you syslog could grow very fast!).

*filter

# 1. Logging.
# 1.1. logdrop chain
-N logdrop                                                                   
-A logdrop -j LOG --log-prefix "dropped: "
-A logdrop -j DROP

# 2. Set default policies for INPUT, OUTPUT and FORWARD chains
-P INPUT DROP
-P OUTPUT ACCEPT
-P FORWARD DROP

# 3. INPUT CHAIN
# 3.0. Allow loopback
-A INPUT -i lo -j ACCEPT
# 3.1. Allow already established connections
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT 
# 3.2. log and drop invalid packets
-A INPUT -m conntrack --ctstate INVALID -j logdrop
# 3.3. Allow DHCP renew on eth0
-A INPUT -p udp -m udp --dport 68 -i eth0 -j ACCEPT
# 3.4. Allow any connections from lan
-A INPUT -i eth1 -j ACCEPT
# 3.5. Log and drop the rest
-A INPUT -j logdrop

# 4. Forwarding
# 4.0. Allow forwarding from lan to wan
-A FORWARD -i eth1 -o eth0 -j ACCEPT
# 4.1. Allow forwarding from lan to lan
-A FORWARD -i eth1 -o eth1 -j ACCEPT
# 4.2. Allow forwarding from wan to lan, but only for already established connections
-A FORWARD -i eth0 -o eth1 -m state --state RELATED,ESTABLISHED -j ACCEPT
# 4.4. log and drop the rest in FORWARD chain
-A FORWARD -j logdrop

COMMIT

*nat

# Set default NAT policies to accept
-P PREROUTING ACCEPT                                           
-P POSTROUTING ACCEPT
-P OUTPUT ACCEPT

# 5. NAT
# 5.1. Enable NAT                                                                    
-A POSTROUTING -o eth0 -j MASQUERADE

COMMIT

*raw
COMMIT

Solution 2:

The client has no default route via your router box. Try

route add -net default gw a.b.c.d

on the client, where a.b.c.d is the client-facing address of the firewall.