How to set up iptables for local router machine?

iptables routing ubuntu-14.04

Solution 1:

Well, you configuration seems to be a bit short. I'm attaching the configuration of my router as a working example.

Also, you are using '-m state' to track related and established connections, while I usually utilise '-m conntrack'.

What you can try - to log dropped packets and see what and why is getting dropped by iptables. I'm writing my configuration (with logging and also including default ACCEPT policy for OUTPUT chain) below. To enable it, save it to file (e.g., 'iptables_test_rules.txt') and apply them using 'iptables-restore iptables_test_rules.txt'. See 'iptables -L -v' for rules overview and your syslog for dropped connections (attention: you syslog could grow very fast!).

*filter

# 1. Logging.
# 1.1. logdrop chain
-N logdrop                                                                   
-A logdrop -j LOG --log-prefix "dropped: "
-A logdrop -j DROP

# 2. Set default policies for INPUT, OUTPUT and FORWARD chains
-P INPUT DROP
-P OUTPUT ACCEPT
-P FORWARD DROP

# 3. INPUT CHAIN
# 3.0. Allow loopback
-A INPUT -i lo -j ACCEPT
# 3.1. Allow already established connections
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT 
# 3.2. log and drop invalid packets
-A INPUT -m conntrack --ctstate INVALID -j logdrop
# 3.3. Allow DHCP renew on eth0
-A INPUT -p udp -m udp --dport 68 -i eth0 -j ACCEPT
# 3.4. Allow any connections from lan
-A INPUT -i eth1 -j ACCEPT
# 3.5. Log and drop the rest
-A INPUT -j logdrop

# 4. Forwarding
# 4.0. Allow forwarding from lan to wan
-A FORWARD -i eth1 -o eth0 -j ACCEPT
# 4.1. Allow forwarding from lan to lan
-A FORWARD -i eth1 -o eth1 -j ACCEPT
# 4.2. Allow forwarding from wan to lan, but only for already established connections
-A FORWARD -i eth0 -o eth1 -m state --state RELATED,ESTABLISHED -j ACCEPT
# 4.4. log and drop the rest in FORWARD chain
-A FORWARD -j logdrop

COMMIT

*nat

# Set default NAT policies to accept
-P PREROUTING ACCEPT                                           
-P POSTROUTING ACCEPT
-P OUTPUT ACCEPT

# 5. NAT
# 5.1. Enable NAT                                                                    
-A POSTROUTING -o eth0 -j MASQUERADE

COMMIT

*raw
COMMIT

Solution 2:

The client has no default route via your router box. Try 

route add -net default gw a.b.c.d

on the client, where a.b.c.d is the client-facing address of the firewall.

Related

how do I stop protocol 41 unreachable packets from being sent?
CentOS6.6 + Postfixadmin 2.3rc5 + PHP5.3, upgrade to PHP5.4
How does 'virsh' determine (iscsi) unit names and can they be changed?
User profile service failed the logon - Accounts besides domain administrator cannot log on
MYSQL user datable mess up
Configure Nginx global error page
Access Domain over Wireless
Production deployment strategies
Why the system information message when accessing an Ubuntu server doesn't match free -m?
Mysql-Server-5.1 upgrade problem
Bizzare routing: EITHER accepts emails OR sends depending if NetworkManager is running
porblem in Mod rewrite url editing [duplicate]