* Heusden, Folkert van (f.v.heusden@ftr.nl) [011022 03:18]:
> Hi,
> 
> I have this very simple firewall script which should forward a couple of
> ports to a system on the intranet. Symptom: it doesn't work.
> Anyone have a clue what I'm doing wrong here?
> $1 is the interface to the internet (ppp0)
> eth1 is the intranet
> 
> /usr/sbin/iptables -F INPUT
> /usr/sbin/iptables -F OUTPUT
> /usr/sbin/iptables -F FORWARD
> /usr/sbin/iptables -P INPUT ACCEPT
> /usr/sbin/iptables -P FORWARD DROP
> /usr/sbin/iptables -A INPUT -i eth1 -s 192.168.0.0/23 -d 0/0 -j ACCEPT
> /usr/sbin/iptables -A FORWARD -i $1 -o eth1 -p tcp -d 192.168.0.101 --dport 25 -j ACCEPT
> /usr/sbin/iptables -A FORWARD -i $1 -o eth1 -p tcp -d 192.168.0.25 --dport 80 -j ACCEPT
> /usr/sbin/iptables -A FORWARD -i $1 -o eth1 -p tcp -d 192.168.0.101 --dport 110 -j ACCEPT
> /usr/sbin/iptables -A FORWARD -i $1 -o eth1 -p tcp -d 192.168.0.101 --dport 10000 -j ACCEPT
> /usr/sbin/iptables -A FORWARD -i $1 -o eth1 -p tcp -d 192.168.0.101 --dport 10001 -j ACCEPT
> 
> /usr/sbin/iptables -A FORWARD -i eth1 -o $1 -j ACCEPT
> /usr/sbin/iptables -A FORWARD -o eth1 -i $1 -m state --state ESTABLISHED,RELATED -j ACCEPT
> 
> /usr/sbin/iptables -A INPUT -i $1 -d 192.168.0.0/24 -j DROP
> /usr/sbin/iptables -A INPUT -i $1 -s 192.168.0.0/24 -d 0/0 -j DROP
> /usr/sbin/iptables -A INPUT -i eth1 -s 0/0 -d 0/0 -j DROP
> /usr/sbin/iptables -t nat -A POSTROUTING -o $1 -s 192.168.0.0/24 -j MASQUERADE
> 
> /usr/sbin/iptables -A PREROUTING -t nat -p tcp -d SECRET --dport 25 -j DNAT --to-destination 192.168.0.101:25
> /usr/sbin/iptables -A PREROUTING -t nat -p tcp -d SECRET --dport 80 -j DNAT --to-destination 192.168.0.25:80
> /usr/sbin/iptables -A PREROUTING -t nat -p tcp -d SECRET --dport 110 -j DNAT --to-destination 192.168.0.101:110
> /usr/sbin/iptables -A PREROUTING -t nat -p tcp -d SECRET --dport 10000 -j DNAT --to-destination 192.168.0.101:80
> /usr/sbin/iptables -A PREROUTING -t nat -p tcp -d SECRET --dport 10001 -j DNAT --to-destination 192.168.0.101:443

You're not allowing the incoming DNAT traffic to pass through your FORWARD chain. Try adding these:

/usr/sbin/iptables -A FORWARD -o eth1 -i $1 -p tcp -d 192.168.0.101 --dport 25 -j ACCEPT
/usr/sbin/iptables -A FORWARD -o eth1 -i $1 -p tcp -d 192.168.0.25 --dport 80 -j ACCEPT
/usr/sbin/iptables -A FORWARD -o eth1 -i $1 -p tcp -d 192.168.0.101 --dport 110 -j ACCEPT
/usr/sbin/iptables -A FORWARD -o eth1 -i $1 -p tcp -d 192.168.0.101 --dport 80 -j ACCEPT
/usr/sbin/iptables -A FORWARD -o eth1 -i $1 -p tcp -d 192.168.0.101 --dport 443 -j ACCEPT

> p.s. what line should I add if I want to shield the other ports? (1-1023,
> not 25, 80, 110 and ssh)

I'm not sure what you mean by this; incoming packets on other ports will either be demasqueraded to an internal host or DROPped in your INPUT chain.

good times,
-- 
Vineet
http://www.anti-dmca.org
Unauthorized use of this .sig may constitute violation of US law.

echo Qba\'g gernq ba zr\! |tr 'a-zA-Z' 'n-za-mN-ZA-M'
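An added check, not part of the thread, that audits an iptables-save style dump for exactly the mistake discussed above: DNAT targets that no FORWARD ACCEPT rule admits, because the FORWARD rule names the public port (10000, 10001) while the FORWARD chain only ever sees the rewritten internal port (80, 443). The dump, the interface names ppp0/eth1 and the public address 203.0.113.10 are constructed stand-ins for the poster's setup.

```python
import re

# Constructed iptables-save style dump (not a real capture) mirroring the poster's
# script: ppp0 is the internet side, eth1 the intranet, 203.0.113.10 stands in for SECRET.
SAMPLE_DUMP = """\
*nat
-A PREROUTING -d 203.0.113.10 -p tcp --dport 25 -j DNAT --to-destination 192.168.0.101:25
-A PREROUTING -d 203.0.113.10 -p tcp --dport 80 -j DNAT --to-destination 192.168.0.25:80
-A PREROUTING -d 203.0.113.10 -p tcp --dport 10000 -j DNAT --to-destination 192.168.0.101:80
-A PREROUTING -d 203.0.113.10 -p tcp --dport 10001 -j DNAT --to-destination 192.168.0.101:443
*filter
:FORWARD DROP [0:0]
-A FORWARD -i ppp0 -o eth1 -p tcp -d 192.168.0.101 --dport 25 -j ACCEPT
-A FORWARD -i ppp0 -o eth1 -p tcp -d 192.168.0.25 --dport 80 -j ACCEPT
-A FORWARD -i ppp0 -o eth1 -p tcp -d 192.168.0.101 --dport 10000 -j ACCEPT
-A FORWARD -i ppp0 -o eth1 -p tcp -d 192.168.0.101 --dport 10001 -j ACCEPT
-A FORWARD -i eth1 -o ppp0 -j ACCEPT
-A FORWARD -i ppp0 -o eth1 -m state --state ESTABLISHED,RELATED -j ACCEPT
"""

DNAT_RE = re.compile(r"^-A PREROUTING .*--dport (\d+) -j DNAT --to-destination ([\d.]+):(\d+)$")
FWD_RE = re.compile(r"^-A FORWARD (.*) -j ACCEPT$")
OPT_RE = re.compile(r"(-i|-o|-d|--dport|--state) (\S+)")

def dnat_targets(dump):
    """(public_port, internal_host, internal_port) for every DNAT rule in the dump."""
    hits = (DNAT_RE.match(l.strip()) for l in dump.splitlines())
    return [(int(m.group(1)), m.group(2), int(m.group(3))) for m in hits if m]

def forward_accepts(dump):
    """Option dict ({'-i': 'ppp0', '--dport': '25', ...}) of each FORWARD ACCEPT rule."""
    hits = (FWD_RE.match(l.strip()) for l in dump.splitlines())
    return [dict(OPT_RE.findall(m.group(1))) for m in hits if m]

def admits_new(rule, wan_if, lan_if, host, port):
    """Does this FORWARD rule pass the opening packet of a WAN -> host:port flow?"""
    if rule.get("-i", wan_if) != wan_if or rule.get("-o", lan_if) != lan_if:
        return False  # wrong direction (e.g. the LAN -> WAN catch-all)
    if "--state" in rule and "NEW" not in rule["--state"].split(","):
        return False  # ESTABLISHED,RELATED only: never matches the first SYN
    if rule.get("-d", host).split("/")[0] != host:
        return False
    return rule.get("--dport", str(port)) == str(port)

def unreachable_dnats(dump, wan_if="ppp0", lan_if="eth1"):
    """DNAT targets no FORWARD rule admits. FORWARD sees the already-rewritten
    destination, so the ACCEPT must name the internal port, not the public one."""
    fwd = forward_accepts(dump)
    return [t for t in dnat_targets(dump)
            if not any(admits_new(r, wan_if, lan_if, t[1], t[2]) for r in fwd)]
```

Running `unreachable_dnats(SAMPLE_DUMP)` reports the 10000 and 10001 forwards as unreachable; adding FORWARD ACCEPT rules for 192.168.0.101 ports 80 and 443 empties the list.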