Gentoo Router 2 Nics

[Sum1]

Hi Group,

I'm perplexed. I have a mini-itx box at home that I use as a router. I previously had Slackware 12 on it running with solid uptime for 276 days, but I always seem to go back to Gentoo for most everything because of the wondrous power that is PORTAGE.

So I have eth1 wired to cable modem and eth0 is the LAN interface that goes to an 8-port switch and all the clients plug into the switch.
I have dhcpcd running on eth1 to scoop up a connection from the cable modem -- works.
I have dhcpd running on eth0 to provide dns and ip's to clients on the LAN -- works.

clients can ping the eth0 gateway fine.
clients can ping the eth1 internet nic fine.

But nothing can go out to the net even though I temporarily have the router firewall set to accept just about everything.
When I try to view any websites using the routerbox itself or any LAN clients, all I get is Host is Unreachable.

So I'm wondering if I'm missing something that is unique to Gentoo since I haven't used it in a while.

Here's my firewall:

# /etc/conf.d/iptables

# Location in which iptables initscript will save set rules on
# service shutdown
IPTABLES_SAVE="/var/lib/iptables/rules-save"
# Options to pass to iptables-save and iptables-restore
SAVE_RESTORE_OPTIONS="-c"
# Save state on stopping iptables
SAVE_ON_STOP="yes"

# External Network Interface
SKYWAY="eth1"
# Internal Network Interface
LAN1="eth0"
# Internal Subnet
SUBNET1="199.201.13.0/24"

IPT="/sbin/iptables"
MPROBE="/sbin/modprobe"

echo "Flush any/all rules previously existing."
echo "Set chain policies."
$IPT -t filter -F
$IPT -t filter -X
$IPT -t nat -F
$IPT -t nat -X
$IPT -P INPUT ACCEPT
$IPT -P OUTPUT ACCEPT
$IPT -P FORWARD ACCEPT

echo "Reload necessary modules."
$MPROBE ip_tables
$MPROBE nf_conntrack
$MPROBE nf_conntrack_ipv4
$MPROBE nf_nat
$MPROBE xt_state
$MPROBE xt_tcpudp
$MPROBE ipt_REJECT
$MPROBE ipt_LOG
$MPROBE ipt_state
$MPROBE ipt_MASQUERADE
$MPROBE ip_conntrack
$MPROBE ip_conntrack_ftp
$MPROBE iptable_mangle
$MPROBE iptable_nat
$MPROBE iptable_filter

$IPT -t filter -A INPUT -i $SKYWAY -j ACCEPT
$IPT -t filter -A INPUT -i $LAN1 -j ACCEPT
$IPT -t filter -A OUTPUT -o $SKYWAY -j ACCEPT
$IPT -t filter -A OUTPUT -o $LAN1 -j ACCEPT

$IPT -t filter -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPT -t filter -A FORWARD -i $LAN1 -s $SUBNET1 -j ACCEPT
$IPT -t filter -A FORWARD -p tcp -i $SKYWAY -o $LAN1 -j ACCEPT
$IPT -t nat -A POSTROUTING -s $SUBNET1 -j MASQUERADE
echo 1 > /proc/sys/net/ipv4/ip_forward
echo "Netfilter framework is set."

Here's my sysctl.conf

# /etc/sysctl.conf
#
# For more information on how this file works, please see
# the manpages sysctl( and sysctl.conf(5).
#
# In order for this file to work properly, you must first
# enable 'Sysctl support' in the kernel.
#
# Look in /proc/sys/ for all the things you can setup.
#

# Disables packet forwarding
net.ipv4.ip_forward = 1
# Disables IP dynaddr
net.ipv4.ip_dynaddr = 1
# Disable ECN
#net.ipv4.tcp_ecn = 0
# Enables source route verification
net.ipv4.conf.default.rp_filter = 1
# Enable reverse path
net.ipv4.conf.all.rp_filter = 1

Here's my /etc/conf.d/net:

# This blank configuration will automatically use DHCP for any net.*
# scripts in /etc/init.d. To create a more complete configuration,
# please review /etc/conf.d/net.example and save your configuration
# in /etc/conf.d/net (this file :]!).

config_eth1="dhcp"
dhcp_eth1="nodns nontp nonis"

config_eth0="199.201.13.200 netmask 255.255.255.0 brd 199.201.13.255"
routes_eth0="default via 199.201.13.200"

Here's my dhcpcd.conf:

# A sample configuration for dhcpcd.
# See dhcpcd.conf(5) for details.

# dhcpcd-run-hooks uses these options.
option domain_name_servers, domain_name, domain_search, host_name

# Most distros have ntp support.
option ntp_servers

Here's my dhcpd.conf

# dhcpd.conf
#
# Sample configuration file for ISC dhcpd
#
# Use this to enble / disable dynamic dns updates globally.

ddns-update-style interim;

# If this DHCP server is the official DHCP server for the local
# network, the authoritative directive should be uncommented.

authoritative;

# Use this to send dhcp log messages to a different log file (you also
# have to hack syslog.conf to complete the redirection).

log-facility local7;

subnet 199.201.13.0 netmask 255.255.255.0 {
range 199.201.13.150 199.201.13.199;
default-lease-time 720;
max-lease-time 86400;
option subnet-mask 255.255.255.0;
option broadcast-address 199.201.13.255;
option routers 199.201.13.200;
option domain-name-servers 68.87.71.226;
option domain-name-servers 68.87.73.242;

}


What arcane thing could I be missing?
I know all the correct modules are loading for iptables.......
I'm just stuck.

Any/all guidance is greatly appreciated.

[think4urs11]

[Sum1]