Hi, I have designed my network with an iptables script that I wrote, but there is a problem: if I make the policies' default behaviour DROP, then my firewall doesn't work.
Let me first explain why I need it.
I have a host machine with IP address 192.168.2.2 on eth0; this network interface is connected to an ADSL modem. In the same machine I have another network interface (10.0.0.1 on eth2), and I have a web server machine with IP 10.0.0.3 (gateway: 10.0.0.1),
and my iptables script lets this web server machine connect to the internet and also forwards web page requests directly to it.
But for an effective iptables script I have to be able to make the default policies DROP, and when I write iptables -P FORWARD DROP, the web server's internet connection fails.
Here is my script:
Code:
#!/bin/sh
# Flush: enable forwarding and clear the nat and filter tables
sysctl -w net.ipv4.ip_forward=1
iptables -t nat -F
iptables -t nat -X
iptables -t filter -F
iptables -t filter -X
# NAT rules: masquerade LAN mail/web traffic as 192.168.2.2, forward inbound mail/web to the web server
iptables -t nat -A POSTROUTING -s 10.0.0.0/24 -p tcp -m multiport --dports 25,80,110 -o eth0 -j SNAT --to-source 192.168.2.2
iptables -t nat -A PREROUTING -i eth0 -p tcp -m multiport --dports 25,80,110 -j DNAT --to 10.0.0.3
# DNS settings (same pattern for port 53, TCP and UDP)
iptables -t nat -A POSTROUTING -s 10.0.0.0/24 -p tcp --dport 53 -o eth0 -j SNAT --to-source 192.168.2.2
iptables -t nat -A POSTROUTING -s 10.0.0.0/24 -p udp --dport 53 -o eth0 -j SNAT --to-source 192.168.2.2
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 53 -j DNAT --to 10.0.0.3
iptables -t nat -A PREROUTING -i eth0 -p udp --dport 53 -j DNAT --to 10.0.0.3
iptables -A FORWARD -i eth2 -s 10.0.0.0/24 -p tcp --dport 53 -o eth0 -j ACCEPT
iptables -A FORWARD -i eth2 -s 10.0.0.0/24 -p udp --dport 53 -o eth0 -j ACCEPT
# Filtering rules
iptables -P FORWARD ACCEPT
# LAN -> Internet access permissions (outbound HTTP only; no rule accepts the reply traffic)
iptables -A FORWARD -i eth2 -s 10.0.0.0/24 -p tcp --dport 80 -o eth0 -j ACCEPT
# Access from the Internet to the LAN (DNATed mail/web traffic to the web server)
iptables -A FORWARD -i eth0 -p tcp -m multiport --dports 25,80,110 -d 10.0.0.3 -j ACCEPT
# Block all incoming connections (note: the policy set here is ACCEPT, so nothing is blocked by default)
iptables -P INPUT ACCEPT
# Accept connections from loopback
iptables -A INPUT -i lo -j ACCEPT
# Accept SSH connections from the local network (this rule actually accepts all traffic arriving on eth2)
iptables -A INPUT -i eth2 -j ACCEPT
# Accept SSH connections coming from the Internet side
iptables -A INPUT -i eth0 -p tcp --dport 22 -j ACCEPT
# Disables pings
iptables -A INPUT -p icmp -j DROP
# Protects against attacks: accepts at most 5 NEW HTTP connections per minute per source IP
# (packets over the limit fall through to the INPUT policy, which is ACCEPT, so they are still accepted)
iptables -A INPUT -p tcp -m hashlimit --hashlimit 5/min --hashlimit-mode srcip --hashlimit-name http --dport 80 -m state --state NEW -j ACCEPT
As you see, all chains have a default ACCEPT policy, so this doesn't mean anything.
By the way, I forgot to mention that I'm using SUSE 10.0 on my host computer and SUSE 10.1 on my web server computer; both OSes' default firewalls and AppArmor are disabled.
Thanks
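An added example (not the poster's script): the same topology rebuilt with default DROP policies on INPUT and FORWARD and stateful rules that accept reply traffic, which is what a DROP policy needs to let the web server's sessions through. Interfaces and addresses are the poster's; the helper names (run, apply_firewall) and the DRY_RUN switch are assumptions.

```shell
#!/bin/sh
# Added example, not the poster's script: the same topology with default DROP
# policies and stateful rules. Addresses and interfaces are the poster's; the
# helper names (run, apply_firewall) and the DRY_RUN switch are assumptions.
IPT="${IPT:-iptables}"
WAN=eth0; WAN_IP=192.168.2.2
LAN=eth2; LAN_NET=10.0.0.0/24; WEB=10.0.0.3

# With DRY_RUN=1 each command is printed instead of executed.
run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then echo "$*"; else "$@"; fi
}

apply_firewall() {
    run sysctl -w net.ipv4.ip_forward=1
    for t in nat filter; do run $IPT -t $t -F; run $IPT -t $t -X; done
    # Default DROP: anything not explicitly accepted below is discarded.
    run $IPT -P INPUT DROP
    run $IPT -P FORWARD DROP
    run $IPT -P OUTPUT ACCEPT
    # Reply packets of already-accepted connections. Without these two rules
    # every reply hits the DROP policy, so the web server's sessions through
    # the router die the moment FORWARD defaults to DROP.
    run $IPT -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    run $IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    run $IPT -A INPUT -i lo -j ACCEPT
    # LAN -> Internet: only NEW connections to web, mail and DNS, then SNAT.
    run $IPT -A FORWARD -i $LAN -o $WAN -s $LAN_NET -p tcp -m multiport --dports 25,53,80,110 -m state --state NEW -j ACCEPT
    run $IPT -A FORWARD -i $LAN -o $WAN -s $LAN_NET -p udp --dport 53 -j ACCEPT
    run $IPT -t nat -A POSTROUTING -o $WAN -s $LAN_NET -j SNAT --to-source $WAN_IP
    # Internet -> web server: DNAT on eth0, plus a FORWARD rule matching the
    # rewritten destination (FORWARD sees the packet after DNAT).
    run $IPT -t nat -A PREROUTING -i $WAN -p tcp -m multiport --dports 25,53,80,110 -j DNAT --to-destination $WEB
    run $IPT -t nat -A PREROUTING -i $WAN -p udp --dport 53 -j DNAT --to-destination $WEB
    run $IPT -A FORWARD -i $WAN -o $LAN -d $WEB -p tcp -m multiport --dports 25,53,80,110 -m state --state NEW -j ACCEPT
    run $IPT -A FORWARD -i $WAN -o $LAN -d $WEB -p udp --dport 53 -j ACCEPT
    # The router itself: everything from the LAN, SSH from the Internet side.
    run $IPT -A INPUT -i $LAN -s $LAN_NET -j ACCEPT
    run $IPT -A INPUT -i $WAN -p tcp --dport 22 -m state --state NEW -j ACCEPT
}

# "sh fw.sh apply" loads the rules (as root); "sh fw.sh dry-run" only prints them.
case "${1:-}" in
    apply)   apply_firewall ;;
    dry-run) DRY_RUN=1; apply_firewall ;;
esac
```

Run the dry-run first and compare the printed rule list against the script above: the only structural differences are the two DROP policies and the two ESTABLISHED,RELATED rules that accept replies.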