A few general comments on your setup: You don't have any policy statements. The built-in chains default to policy ACCEPT, which is probably not what you want. True, the last statement of your block chain is effectively the same as setting policy to DROP for INPUT and FORWARD, but I always like to see it specified right at the top of your firewall setup. Second, I also like to see rules crafted as explicitly as possible: include incoming and outgoing interfaces wherever applicable. It seems to me you have a slightly befuddled view of this setup: you -j ACCEPT some things and -j DROP other things based on what you think you need. I have found that an easy way to get a relatively secure setup is to start with policy drop on all chains and then simply add rules for only what you want to allow. My first impression of your ruleset is that it should work and should do what you want it to do. You won't have any incoming connections made from the outside world (ssh included). I know the old saying about giving a man a fish and teaching a man to fish, so let me try to talk you though the way I'd approach this setup. #!/bin/sh # I find it easier to avoid catastrophic typographical errors and # allow for easy maintenance by using some definitions at the top; # something like this: IPTABLES=/sbin/iptables INTERNAL_IFACE=eth1 EXTERNAL_IFACE=eth0 INTERNAL_IP=192.168.1.1 INTERNAL_NETWORK=192.168.1.1/27 # no EXTERNAL_IP definition because you're presumedly using a dynamic # address (hence MASQUERADE, right?) # These definitions also make the script portable; you can use it on # your machine just by changing the definitions above and not mess # with the rules below. # Start with policy. $IPTABLES -P INPUT DROP $IPTABLES -P FORWARD DROP $IPTABLES -P OUTPUT ACCEPT # clean up $IPTABLES -F $IPTABLES -X $IPTABLES -Z # Remember that separate tables need separate statements entirely! # You're implicitly saying -t filter above, and it doesn't affect # (clean up) the nat table. $IPTABLES -t nat -F $IPTABLES -t nat -X $IPTABLES -t nat -Z # Enable nat $IPTABLES -t nat -s $INTERNAL_NETWORK -d ! $INTERNAL_NETWORK \ -o $EXTERNAL_IFACE -j MASQUERADE # Filtering section # INPUT chain # We want to allow ONLY: # 1. local (loopback) traffic # 2. traffic from our LAN hosts # 3. traffic from the Internet that is part of an existing connection # (no new connections) $IPTABLES -A INPUT -i lo -j ACCEPT $IPTABLES -A INPUT -s $INTERNAL_NETWORK -i $INTERNAL_IFACE -j ACCEPT $IPTABLES -m state -A INPUT -s ! $INTERNAL_NETWORK \ -i $EXTERNAL_IFACE --state ESTABLISHED,RELATED -j ACCEPT # FORWARD chain # We want to forward only for hosts on our LAN. This means 2 rules: # 1. outgoing traffic # 2. reply traffic $IPTABLES -A FORWARD -s $INTERNAL_NETWORK -d ! $INTERNAL_NETWORK \ -i $INTERNAL_IFACE -o $EXTERNAL_IFACE -j ACCEPT $IPTABLES -m state -A FORWARD \ -s ! $INTERNAL_NETWORK -d $INTERNAL_NETWORK \ -i $EXTERNAL_IFACE -o $INTERNAL_IFACE \ --state ESTABLISHED,RELATED -j ACCEPT That's it! I'm not sure I explained it too well, and my intention was not just to do it for you, so please, if you have any questions about the setup itself *or* about how I came up with it, please don't hesitate to ask. Also notice that in this setup I have just let the OUTPUT policy remain ACCEPT. This should be acceptable for most purposes, unless you really want to enforce that the gateway system is not to converse with the Internet, or some such thing. If you did want to do that, it would be like this: # change the output policy line above to this: $IPTABLES -P OUTPUT -P DROP # Add this to the filtering section: # OUTPUT chain: # only allow outgoing traffic: # 1. to loopback # 2. to LAN $IPTABLES -A OUTPUT -o lo -j ACCEPT $IPTABLES -A OUTPUT -o $INTERNAL_IFACE -d $INTERNAL_NETWORK -j ACCEPT Note that this practically disconnects the gateway machine from the Internet, which is probably not what you want. It can still be used to forward/filter for your LAN, but it will be impossible to, for instance, use apt-get from the machine (horrors!). I hope you see what I mean about setting a policy and then only adding rules for scenarios that go against policy. This approach should keep your setup cleaner, which will make it easier to troubleshoot/modify in the future. Vineet P.S. IANAG. YMMV.
Attachment:
pgpGdjqpZaL3U.pgp
Description: PGP signature