Migrating my old FreeBSD router to Linux, having some issues with the iptables firewall.
The box is connected to the net through ppp0 (dynamic IP) and to the LAN with eth0 (192.168.0.45). All boxes on the network are connected directly to the switch, and this box serves as the gateway for them all. The internal webserver is 192.168.0.254.
I have 2 problems:
[list=1]
[*]When I change my 'FORWARD' policy to 'DROP' instead of ACCEPT, as I think it should be... the http forwarding doesn't work anymore. What rule do I need to add afterwards so the http requests still go through etc.?
[*]The port 80 / http forwarding works perfectly when trying to http to 192.168.0.45 from the internal network, however, from outside trying to http to ppp0's IP address, it doesn't work. Why not, and how can I make it work?
[/list=1]
This is my current firewall script:
[code]
#!/bin/sh
# Interfaces and addresses as described above
EXTIF=ppp0               # external interface (dynamic IP)
INTIF=eth0               # internal interface
INTIP=192.168.0.45       # this box's address on the LAN
WEBSERVER=192.168.0.254  # internal web server
IPTABLES=iptables

printf "\nExternal Interface: $EXTIF\nInternal Interface: $INTIF\n\n"
# CRITICAL: Enable IP forwarding since it is disabled by default
echo "Enabling forwarding.."
echo "1" > /proc/sys/net/ipv4/ip_forward
# Dynamic IP users:
# If you get your IP address dynamically from SLIP, PPP, or DHCP,
# enable the following option. This enables dynamic-address hacking
# which makes life with Diald and similar programs much easier.
echo "Enabling DynamicAddr.."
echo "1" > /proc/sys/net/ipv4/ip_dynaddr
# Report the internal IP
echo "Internal ip is $INTIP"
# Clearing any previous configuration
# Unless specified, the defaults for INPUT and OUTPUT are ACCEPT
# The default for FORWARD is DROP (REJECT is not a valid policy)
echo "Clearing any existing rules and setting default policy.."
$IPTABLES -P INPUT ACCEPT
$IPTABLES -F INPUT
$IPTABLES -P OUTPUT ACCEPT
$IPTABLES -F OUTPUT
$IPTABLES -P FORWARD ACCEPT
$IPTABLES -F FORWARD
$IPTABLES -t nat -F
echo "FWD: Allow all connections OUT and only existing and related ones IN"
$IPTABLES -A FORWARD -i $EXTIF -o $INTIF -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A FORWARD -i $INTIF -o $EXTIF -j ACCEPT
$IPTABLES -A FORWARD -j LOG
echo "Enabling SNAT (MASQUERADE) functionality on $EXTIF"
$IPTABLES -t nat -A POSTROUTING -o $EXTIF -j MASQUERADE
# This is for forwarding http requests to the webserver.
# It's still kind of dodgy, but it works at the moment so that's good.
echo "Forwarding all http requests to $WEBSERVER"
# Forward packets coming in from the outside
$IPTABLES -t nat -A PREROUTING -p tcp --dport 80 -j DNAT --to-destination $WEBSERVER:80
# Allow forwarded packets
$IPTABLES -A FORWARD -p tcp --dport 80 -d $WEBSERVER -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
# Make responses on the internal network go through the firewall
$IPTABLES -t nat -A POSTROUTING -p tcp -d $WEBSERVER --dport 80 -j SNAT --to-source $INTIP
[/code]
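A FORWARD-DROP ruleset for the setup described in this post, as an added example (not the poster's script): interface names and addresses are taken from the post, the LAN prefix 192.168.0.0/24 and the addrtype-based hairpin rule are my assumptions, and IPT defaults to a dry run that prints the commands instead of executing them.

```shell
#!/bin/sh
# Added example, not the poster's script. Names and addresses come from the
# post; the LAN prefix is assumed. IPT defaults to a dry run that prints the
# commands; run with IPT=iptables as root to apply them for real.
EXTIF="${EXTIF:-ppp0}"                   # ISP link, dynamic address
INTIF="${INTIF:-eth0}"                   # LAN side
INTIP="${INTIP:-192.168.0.45}"           # this box on the LAN
WEBSERVER="${WEBSERVER:-192.168.0.254}"  # published web server
LAN="${LAN:-192.168.0.0/24}"             # assumed LAN prefix
IPT="${IPT:-echo iptables}"
apply_rules() {
    $IPT -P INPUT ACCEPT
    $IPT -P OUTPUT ACCEPT
    $IPT -P FORWARD DROP   # default deny: every forwarded flow needs an explicit ACCEPT
    $IPT -F FORWARD
    $IPT -t nat -F

    # Replies for every allowed flow, in all directions (covers the hairpin return path too)
    $IPT -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    # LAN -> Internet, masqueraded behind the dynamic address
    $IPT -A FORWARD -i "$INTIF" -o "$EXTIF" -j ACCEPT
    $IPT -t nat -A POSTROUTING -o "$EXTIF" -j MASQUERADE

    # Published web server. DNAT runs in PREROUTING before FORWARD sees the packet,
    # so the FORWARD rule must match the translated destination ($WEBSERVER), not the
    # public address. Limiting DNAT to -i $EXTIF keeps it off the LAN's outbound web traffic.
    $IPT -t nat -A PREROUTING -i "$EXTIF" -p tcp --dport 80 \
        -j DNAT --to-destination "$WEBSERVER:80"
    $IPT -A FORWARD -i "$EXTIF" -o "$INTIF" -p tcp -d "$WEBSERVER" --dport 80 \
        -m state --state NEW -j ACCEPT

    # Hairpin for LAN clients that use the public (or this box's) address. addrtype LOCAL
    # matches whatever address ppp0 has right now, so it survives IP changes. SNAT applies
    # only to these LAN-origin flows, so the server's logs keep the real outside source IPs.
    $IPT -t nat -A PREROUTING -i "$INTIF" -p tcp --dport 80 -m addrtype --dst-type LOCAL \
        -j DNAT --to-destination "$WEBSERVER:80"
    $IPT -A FORWARD -i "$INTIF" -o "$INTIF" -p tcp -d "$WEBSERVER" --dport 80 -j ACCEPT
    $IPT -t nat -A POSTROUTING -o "$INTIF" -s "$LAN" -p tcp -d "$WEBSERVER" --dport 80 \
        -j SNAT --to-source "$INTIP"

    # Log what the DROP policy discards, rate-limited, so misrouted flows are visible
    $IPT -A FORWARD -m limit --limit 5/min -j LOG --log-prefix "FWD-DROP: "
}
# Check: the DNAT and FORWARD counters should increase on every test request
show_counters() {
    $IPT -t nat -L PREROUTING -n -v
    $IPT -L FORWARD -n -v --line-numbers
}
apply_rules
```

With the default dry run the script only prints the rules, so the order of the FORWARD chain can be reviewed before applying it.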