> $IPTABLES -A FORWARD -i eth0 -m state --state NEW,INVALID -j DROP
                                        ^^^^^^^^^^^^^^^^^^^^

It's right here. This statement says that no matter what rules you add after this, any new connections will be dropped in the FORWARD chain. This is sort of a "policy hack" -- you're using this type of rule instead of a policy of DROP, as a sort of "catch-all" to keep your FORWARD chain secure. That's fine, as long as you remember to first allow what you want to allow before your catch-all drops it. If you want ports 1111 and 2222 to be allowed, make sure you do so BEFORE this line. I've added rules below that will work and be consistent with your current design.

I still suggest that you make the rules a little more comprehensive by making all rules in your FORWARD chain include as much information as is applicable, including:

  source address, source port, incoming interface
  dest. address, dest. port, outgoing interface
  state (NEW,ESTABLISHED,RELATED,INVALID,etc.)

Also, I think it's confusing the way you have -P INPUT ACCEPT at the top and later change that to -P INPUT DROP. It changes the whole attitude of the ruleset; it only makes sense for design to decide at the top which one you'll be using and stick with it.

I'm also not sure why you have rules for ssh X-Forwarding; ssh traffic is ssh traffic, no matter if on the inside is tunneled shell traffic, X11 traffic, or other port forwards. That's the point of the tunnel.

Vineet

* Salman Ahmed (ssahmed@pathcom.com) [010705 11:34]:

#!/bin/sh
#
# $Id: firewall.sh,v 1.3 2001/07/03 07:17:05 ssahmed Exp $
#

IPTABLES=/sbin/iptables

# Loopback interface device
LPDIF=lo

# Loopback Device IP Address
LPDIP=127.0.0.1

$IPTABLES -P INPUT ACCEPT
$IPTABLES -P OUTPUT ACCEPT
$IPTABLES -P FORWARD ACCEPT

$IPTABLES -F INPUT
$IPTABLES -F OUTPUT
$IPTABLES -F FORWARD
$IPTABLES -F -t nat
$IPTABLES -F -t mangle

# Disable response to broadcasts: we don't want to become a Smurf amplifier
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts

# Don't accept source routed packets. Attackers can use source routing to generate
# traffic pretending to be from inside your network, but which is routed back along
# the path from which it came, namely outside, so attackers can compromise your
# network. Source routing is rarely used for legitimate purposes.
#echo 0 > /proc/sys/net/ipv4/conf/all/accept_source_route

# Disable ICMP redirect acceptance. ICMP redirects can be used to alter your routing
# tables, possibly to a bad end.
echo 0 > /proc/sys/net/ipv4/conf/all/accept_redirects

# Enable bad error message protection.
echo 1 > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses

# Log spoofed packets, source routed packets, redirect packets.
echo 1 > /proc/sys/net/ipv4/conf/all/log_martians

echo 1 > /proc/sys/net/ipv4/ip_forward

$IPTABLES -t nat -A POSTROUTING -o eth0 -j MASQUERADE
$IPTABLES -t nat -A PREROUTING -i eth0 -s A.B.C.0/24 -p tcp -d MyIpAddress --dport 22 -j DNAT --to 192.168.1.2

#VK: I added these 2 lines
$IPTABLES -t nat -A PREROUTING -i eth0 -s A.B.C.0/24 -p tcp -d MyIpAddress --dport 1111 -j DNAT --to 192.168.1.2
$IPTABLES -t nat -A PREROUTING -i eth0 -s A.B.C.0/24 -p tcp -d MyIpAddress --dport 2222 -j DNAT --to 192.168.1.3

$IPTABLES -A FORWARD -i eth0 -s A.B.C.0/24 -p tcp --dport 22 -j ACCEPT

#VK: I added these 2 lines. It is critical that they are placed before
# the line that says NEW,INVALID -j DROP
$IPTABLES -A FORWARD -i eth0 -s A.B.C.0/24 -p tcp --dport 1111 -j ACCEPT
$IPTABLES -A FORWARD -i eth0 -s A.B.C.0/24 -p tcp --dport 2222 -j ACCEPT

$IPTABLES -A FORWARD -i eth0 -m state --state NEW,INVALID -j DROP

$IPTABLES -A INPUT -s 192.168.1.0/24 -j ACCEPT
$IPTABLES -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

$IPTABLES -P INPUT DROP

# Allow all ICMP traffic
$IPTABLES -A INPUT -p icmp -j ACCEPT

# The following rule is needed to make SSH X-Forwarding work
$IPTABLES -A INPUT -i $LPDIF -p all -j ACCEPT
$IPTABLES -A INPUT -i $LPDIF -s $LPDIP -j ACCEPT

$IPTABLES -A INPUT -i eth0 -s A.B.C.0/24 -p tcp --dport 22 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT

# Kill malformed packets
# Block XMAS packets
$IPTABLES -A INPUT -p tcp --tcp-flags ALL ALL -j DROP
$IPTABLES -A FORWARD -p tcp --tcp-flags ALL ALL -j DROP
# Block NULL packets
$IPTABLES -A INPUT -p tcp --tcp-flags ALL NONE -j DROP
$IPTABLES -A FORWARD -p tcp --tcp-flags ALL NONE -j DROP

$IPTABLES -A INPUT -m limit --limit 5/minute -j LOG --log-level 7 --log-prefix "BLOCKED: "

echo "IPTables firewall started"

-- 
Salman Ahmed
ssahmed AT pathcom DOT com
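A first-match simulation of the FORWARD chain, as an added example that is not code from the thread: it models iptables' rule-order semantics in Python over constructed packets, uses the constructed network 203.0.113.0/24 in place of the script's A.B.C.0/24 placeholder, and shows that a NEW connection to port 1111 is accepted only when the ACCEPT lines come before the NEW,INVALID DROP, while ESTABLISHED traffic and packets on another interface fall through to the chain policy.

```python
import ipaddress

# Constructed stand-in for the script's A.B.C.0/24 placeholder.
ALLOWED_NET = ipaddress.ip_network("203.0.113.0/24")

def rule(target, **match):
    """One chain entry: match criteria (absent key = wildcard) and a target."""
    return {"target": target, "match": match}

def matches(r, pkt):
    for field, want in r["match"].items():
        have = pkt.get(field)
        if field == "src":
            if ipaddress.ip_address(have) not in want:
                return False
        elif field == "state":
            if have not in want:          # want is a set of conntrack states
                return False
        elif have != want:
            return False
    return True

def evaluate(chain, pkt, policy="ACCEPT"):
    """First matching rule decides (ACCEPT/DROP are terminating);
    a packet that matches nothing gets the chain policy (ACCEPT in the script)."""
    for r in chain:
        if matches(r, pkt):
            return r["target"]
    return policy

# FORWARD chain with VK's two ACCEPT lines placed before the catch-all, as advised.
FORWARD_FIXED = [
    rule("ACCEPT", iface="eth0", src=ALLOWED_NET, proto="tcp", dport=22),
    rule("ACCEPT", iface="eth0", src=ALLOWED_NET, proto="tcp", dport=1111),
    rule("ACCEPT", iface="eth0", src=ALLOWED_NET, proto="tcp", dport=2222),
    rule("DROP", iface="eth0", state={"NEW", "INVALID"}),
]
# The same rules with the new ACCEPTs appended after the catch-all instead.
FORWARD_WRONG = [FORWARD_FIXED[0], FORWARD_FIXED[3], FORWARD_FIXED[1], FORWARD_FIXED[2]]

def new_syn(dport, src="203.0.113.7"):
    """A constructed first packet of a TCP connection arriving on eth0."""
    return {"iface": "eth0", "src": src, "proto": "tcp", "dport": dport, "state": "NEW"}

if __name__ == "__main__":
    for name, chain in (("fixed", FORWARD_FIXED), ("wrong", FORWARD_WRONG)):
        print(name, "NEW to 1111:", evaluate(chain, new_syn(1111)))
```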