Old 06-19-2007, 11:00 PM   #1
peteryu
LQ Newbie
 
Registered: Jun 2007
Posts: 3

Rep: Reputation: 0
Gateway Computer Problem


Server Timeout problem when accessing http://192.168.1.x (i.e. the Gateway Computer)

Below is the listing from /etc/sysconfig/iptables
# Generated by iptables-save v1.3.5 on Wed Jun 20 11:11:44 2007
*nat
:PREROUTING ACCEPT [10:3288]
:POSTROUTING ACCEPT [995:56227]
:OUTPUT ACCEPT [1016:59584]
-A POSTROUTING -s 192.168.1.0/255.255.255.0 -o eth0 -j MASQUERADE
COMMIT
# Completed on Wed Jun 20 11:11:44 2007
# Generated by iptables-save v1.3.5 on Wed Jun 20 11:11:44 2007
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-A INPUT -s 127.0.0.0/255.0.0.0 -d 127.0.0.0/255.0.0.0 -i lo -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type any -j ACCEPT
-A INPUT -s 192.168.1.0/255.255.255.0 -d 192.168.1.0/255.255.255.0 -i eth1 -j ACCEPT
-A INPUT -s 192.168.1.0/255.255.255.0 -d 192.168.1.0/255.255.255.0 -i eth1 -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -s 192.168.1.0/255.255.255.0 -d 192.168.1.0/255.255.255.0 -i eth1 -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUT -s 192.168.1.0/255.255.255.0 -d 192.168.1.0/255.255.255.0 -i eth1 -p tcp -m tcp --dport 3128 -j ACCEPT
-A INPUT -s 192.168.1.0/255.255.255.0 -d 192.168.1.0/255.255.255.0 -i eth1 -p tcp -m tcp --dport 7741 -j ACCEPT
-A INPUT -s 192.168.1.0/255.255.255.0 -d 192.168.1.0/255.255.255.0 -i eth1 -p tcp -m tcp --dport 631 -j ACCEPT
-A INPUT -s 192.168.1.0/255.255.255.0 -d 192.168.1.0/255.255.255.0 -i eth1 -p tcp -m tcp --dport 53 -j ACCEPT
-A INPUT -s 192.168.1.0/255.255.255.0 -d 192.168.1.0/255.255.255.0 -i eth1 -p tcp -m tcp --dport 110 -j ACCEPT
-A INPUT -s 192.168.1.0/255.255.255.0 -d 192.168.1.0/255.255.255.0 -i eth1 -p tcp -m tcp --dport 143 -j ACCEPT
-A INPUT -s 192.168.1.0/255.255.255.0 -d 192.168.1.0/255.255.255.0 -i eth1 -p tcp -m tcp --dport 445 -j ACCEPT
-A INPUT -s 192.168.1.0/255.255.255.0 -d 192.168.1.0/255.255.255.0 -i eth1 -p tcp -m tcp --dport 139 -j ACCEPT
-A INPUT -i eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i eth0 -p tcp -m state --state NEW -m tcp --dport 20 -j ACCEPT
-A INPUT -i eth0 -p udp -m state --state NEW -m udp --dport 20 -j ACCEPT
-A INPUT -i eth0 -p tcp -m state --state NEW -m tcp --dport 21 -j ACCEPT
-A INPUT -i eth0 -p udp -m state --state NEW -m udp --dport 21 -j ACCEPT
-A INPUT -i eth0 -p tcp -m state --state NEW -m tcp --dport 25 -j ACCEPT
-A INPUT -i eth0 -p udp -m state --state NEW -m udp --dport 25 -j ACCEPT
-A INPUT -i eth0 -p tcp -m state --state NEW -m tcp --dport 465 -j ACCEPT
-A INPUT -i eth0 -p udp -m state --state NEW -m udp --dport 465 -j ACCEPT
-A INPUT -i eth0 -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT
-A INPUT -i eth0 -p udp -m state --state NEW -m udp --dport 80 -j ACCEPT
-A INPUT -i eth0 -p tcp -m state --state NEW -m tcp --dport 443 -j ACCEPT
-A INPUT -i eth0 -p udp -m state --state NEW -m udp --dport 443 -j ACCEPT
-A INPUT -i eth0 -p tcp -m state --state NEW -m tcp --dport 636 -j ACCEPT
-A INPUT -i eth0 -p udp -m state --state NEW -m udp --dport 636 -j ACCEPT
-A INPUT -i eth0 -p tcp -m state --state NEW -m tcp --dport 993 -j ACCEPT
-A INPUT -i eth0 -p udp -m state --state NEW -m udp --dport 993 -j ACCEPT
-A INPUT -i eth0 -p tcp -m state --state NEW -m tcp --dport 53 -j ACCEPT
-A INPUT -i eth0 -p udp -m state --state NEW -m udp --dport 53 -j ACCEPT
-A INPUT -i eth0 -p tcp -m state --state NEW -m tcp --dport 110 -j ACCEPT
-A INPUT -i eth0 -p udp -m state --state NEW -m udp --dport 110 -j ACCEPT
-A INPUT -i eth0 -p tcp -m state --state NEW -m tcp --dport 143 -j ACCEPT
-A INPUT -i eth0 -p udp -m state --state NEW -m udp --dport 143 -j ACCEPT
-A INPUT -i eth0 -p tcp -m state --state NEW -m tcp --dport 1863 -j ACCEPT
-A INPUT -i eth0 -p udp -m state --state NEW -m udp --dport 1863 -j ACCEPT
-A INPUT -i eth0 -p tcp -m state --state NEW -m tcp --dport 6891 -j ACCEPT
-A INPUT -i eth0 -p udp -m state --state NEW -m udp --dport 6891 -j ACCEPT
-A INPUT -i eth0 -p tcp -m state --state NEW -m tcp --dport 6900 -j ACCEPT
-A INPUT -i eth0 -p udp -m state --state NEW -m udp --dport 6900 -j ACCEPT
-A INPUT -i eth0 -p tcp -m state --state NEW -m tcp --dport 3389 -j ACCEPT
-A INPUT -i eth0 -p udp -m state --state NEW -m udp --dport 3389 -j ACCEPT
-A INPUT -i eth0 -p tcp -m state --state NEW -m tcp --dport 28000:28809 -j ACCEPT
-A INPUT -i eth0 -p udp -m state --state NEW -m udp --dport 28000:28809 -j ACCEPT
-A FORWARD -p icmp -m icmp --icmp-type any -j ACCEPT
-A FORWARD -i eth1 -o eth0 -j ACCEPT
-A FORWARD -i eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -s 127.0.0.0/255.0.0.0 -d 127.0.0.0/255.0.0.0 -o lo -j ACCEPT
-A OUTPUT -p icmp -m icmp --icmp-type any -j ACCEPT
-A OUTPUT -s 192.168.1.0/255.255.255.0 -d 192.168.1.0/255.255.255.0 -o eth1 -j ACCEPT
-A OUTPUT -s 192.168.1.0/255.255.255.0 -d 192.168.1.0/255.255.255.0 -o eth1 -p tcp -m tcp --sport 80 -j ACCEPT
-A OUTPUT -s 192.168.1.0/255.255.255.0 -d 192.168.1.0/255.255.255.0 -o eth1 -p tcp -m tcp --sport 443 -j ACCEPT
-A OUTPUT -s 192.168.1.0/255.255.255.0 -d 192.168.1.0/255.255.255.0 -o eth1 -p tcp -m tcp --sport 3128 -j ACCEPT
-A OUTPUT -s 192.168.1.0/255.255.255.0 -d 192.168.1.0/255.255.255.0 -o eth1 -p tcp -m tcp --sport 7741 -j ACCEPT
-A OUTPUT -s 192.168.1.0/255.255.255.0 -d 192.168.1.0/255.255.255.0 -o eth1 -p tcp -m tcp --sport 631 -j ACCEPT
-A OUTPUT -s 192.168.1.0/255.255.255.0 -d 192.168.1.0/255.255.255.0 -o eth1 -p tcp -m tcp --sport 53 -j ACCEPT
-A OUTPUT -s 192.168.1.0/255.255.255.0 -d 192.168.1.0/255.255.255.0 -o eth1 -p tcp -m tcp --sport 110 -j ACCEPT
-A OUTPUT -s 192.168.1.0/255.255.255.0 -d 192.168.1.0/255.255.255.0 -o eth1 -p tcp -m tcp --sport 143 -j ACCEPT
-A OUTPUT -s 192.168.1.0/255.255.255.0 -d 192.168.1.0/255.255.255.0 -o eth1 -p tcp -m tcp --sport 445 -j ACCEPT
-A OUTPUT -s 192.168.1.0/255.255.255.0 -d 192.168.1.0/255.255.255.0 -o eth1 -p tcp -m tcp --sport 139 -j ACCEPT
-A OUTPUT -o eth0 -j ACCEPT
COMMIT
# Completed on Wed Jun 20 11:11:44 2007

Below is the listing from iptables -nvL; iptables -t nat -nvL

Chain INPUT (policy DROP 249 packets, 54783 bytes)
pkts bytes target prot opt in out source destination
1108 154K ACCEPT all -- lo * 127.0.0.0/8 127.0.0.0/8
514 28560 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmp type 255
136 26654 ACCEPT all -- eth1 * 192.168.1.0/24 192.168.1.0/24
0 0 ACCEPT tcp -- eth1 * 192.168.1.0/24 192.168.1.0/24 tcp dpt:80
0 0 ACCEPT tcp -- eth1 * 192.168.1.0/24 192.168.1.0/24 tcp dpt:443
0 0 ACCEPT tcp -- eth1 * 192.168.1.0/24 192.168.1.0/24 tcp dpt:3128
0 0 ACCEPT tcp -- eth1 * 192.168.1.0/24 192.168.1.0/24 tcp dpt:7741
0 0 ACCEPT tcp -- eth1 * 192.168.1.0/24 192.168.1.0/24 tcp dpt:631
0 0 ACCEPT tcp -- eth1 * 192.168.1.0/24 192.168.1.0/24 tcp dpt:53
0 0 ACCEPT tcp -- eth1 * 192.168.1.0/24 192.168.1.0/24 tcp dpt:110
0 0 ACCEPT tcp -- eth1 * 192.168.1.0/24 192.168.1.0/24 tcp dpt:143
0 0 ACCEPT tcp -- eth1 * 192.168.1.0/24 192.168.1.0/24 tcp dpt:445
0 0 ACCEPT tcp -- eth1 * 192.168.1.0/24 192.168.1.0/24 tcp dpt:139
4277 2987K ACCEPT all -- eth0 * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
0 0 ACCEPT tcp -- eth0 * 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:20
0 0 ACCEPT udp -- eth0 * 0.0.0.0/0 0.0.0.0/0 state NEW udp dpt:20
0 0 ACCEPT tcp -- eth0 * 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:21
0 0 ACCEPT udp -- eth0 * 0.0.0.0/0 0.0.0.0/0 state NEW udp dpt:21
0 0 ACCEPT tcp -- eth0 * 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:25
0 0 ACCEPT udp -- eth0 * 0.0.0.0/0 0.0.0.0/0 state NEW udp dpt:25
0 0 ACCEPT tcp -- eth0 * 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:465
0 0 ACCEPT udp -- eth0 * 0.0.0.0/0 0.0.0.0/0 state NEW udp dpt:465
0 0 ACCEPT tcp -- eth0 * 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:80
0 0 ACCEPT udp -- eth0 * 0.0.0.0/0 0.0.0.0/0 state NEW udp dpt:80
0 0 ACCEPT tcp -- eth0 * 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:443
0 0 ACCEPT udp -- eth0 * 0.0.0.0/0 0.0.0.0/0 state NEW udp dpt:443
0 0 ACCEPT tcp -- eth0 * 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:636
0 0 ACCEPT udp -- eth0 * 0.0.0.0/0 0.0.0.0/0 state NEW udp dpt:636
0 0 ACCEPT tcp -- eth0 * 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:993
0 0 ACCEPT udp -- eth0 * 0.0.0.0/0 0.0.0.0/0 state NEW udp dpt:993
0 0 ACCEPT tcp -- eth0 * 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:53
0 0 ACCEPT udp -- eth0 * 0.0.0.0/0 0.0.0.0/0 state NEW udp dpt:53
0 0 ACCEPT tcp -- eth0 * 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:110
0 0 ACCEPT udp -- eth0 * 0.0.0.0/0 0.0.0.0/0 state NEW udp dpt:110
0 0 ACCEPT tcp -- eth0 * 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:143
0 0 ACCEPT udp -- eth0 * 0.0.0.0/0 0.0.0.0/0 state NEW udp dpt:143
0 0 ACCEPT tcp -- eth0 * 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:1863
0 0 ACCEPT udp -- eth0 * 0.0.0.0/0 0.0.0.0/0 state NEW udp dpt:1863
0 0 ACCEPT tcp -- eth0 * 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:6891
0 0 ACCEPT udp -- eth0 * 0.0.0.0/0 0.0.0.0/0 state NEW udp dpt:6891
0 0 ACCEPT tcp -- eth0 * 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:6900
0 0 ACCEPT udp -- eth0 * 0.0.0.0/0 0.0.0.0/0 state NEW udp dpt:6900
0 0 ACCEPT tcp -- eth0 * 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:3389
0 0 ACCEPT udp -- eth0 * 0.0.0.0/0 0.0.0.0/0 state NEW udp dpt:3389
0 0 ACCEPT tcp -- eth0 * 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpts:28000:28809
0 0 ACCEPT udp -- eth0 * 0.0.0.0/0 0.0.0.0/0 state NEW udp dpts:28000:28809

Chain FORWARD (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmp type 255
0 0 ACCEPT all -- eth1 eth0 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT all -- eth0 * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED

Chain OUTPUT (policy DROP 12 packets, 720 bytes)
pkts bytes target prot opt in out source destination
1108 154K ACCEPT all -- * lo 127.0.0.0/8 127.0.0.0/8
1020 42728 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmp type 255
136 26654 ACCEPT all -- * eth1 192.168.1.0/24 192.168.1.0/24
0 0 ACCEPT tcp -- * eth1 192.168.1.0/24 192.168.1.0/24 tcp spt:80
0 0 ACCEPT tcp -- * eth1 192.168.1.0/24 192.168.1.0/24 tcp spt:443
0 0 ACCEPT tcp -- * eth1 192.168.1.0/24 192.168.1.0/24 tcp spt:3128
0 0 ACCEPT tcp -- * eth1 192.168.1.0/24 192.168.1.0/24 tcp spt:7741
0 0 ACCEPT tcp -- * eth1 192.168.1.0/24 192.168.1.0/24 tcp spt:631
0 0 ACCEPT tcp -- * eth1 192.168.1.0/24 192.168.1.0/24 tcp spt:53
0 0 ACCEPT tcp -- * eth1 192.168.1.0/24 192.168.1.0/24 tcp spt:110
0 0 ACCEPT tcp -- * eth1 192.168.1.0/24 192.168.1.0/24 tcp spt:143
0 0 ACCEPT tcp -- * eth1 192.168.1.0/24 192.168.1.0/24 tcp spt:445
0 0 ACCEPT tcp -- * eth1 192.168.1.0/24 192.168.1.0/24 tcp spt:139
5927 937K ACCEPT all -- * eth0 0.0.0.0/0 0.0.0.0/0

Chain PREROUTING (policy ACCEPT 85 packets, 11271 bytes)
pkts bytes target prot opt in out source destination

Chain POSTROUTING (policy ACCEPT 1337 packets, 98976 bytes)
pkts bytes target prot opt in out source destination
0 0 MASQUERADE all -- * eth0 192.168.1.0/24 0.0.0.0/0

Chain OUTPUT (policy ACCEPT 1349 packets, 99696 bytes)
pkts bytes target prot opt in out source destination

Please help !!

Thanks in advance !!!
 
Old 06-20-2007, 04:54 PM   #2
rupertwh
Member
 
Registered: Sep 2006
Location: Munich, Germany
Distribution: Debian / Ubuntu
Posts: 297

Rep: Reputation: 49
Are you going to ask a question, or do you expect us to figure out what your problem might be by ourselves?

"Please help !!" is not a very good problem description.

(And, please, enclose such long listings in CODE tags!)
 
Old 06-20-2007, 06:09 PM   #3
peteryu
LQ Newbie
 
Registered: Jun 2007
Posts: 3

Original Poster
Rep: Reputation: 0
Gateway Computer Problem

Quote:
Originally Posted by rupertwh
Are you going to ask a question, or do you expect us to figure out what your problem might be by ourselves?

"Please help !!" is not a very good problem description.

(And, please, enclose such long listings in CODE tags!)
Sorry for all the fuss I caused. I plan to hook up my Linux and Windows computers together through networking. At this moment, they can surf the Internet. I am new to iptables programming. With a gateway computer configuration, everything is under the control of the firewall.

192.168.1.3 Fedora Server (Gateway Computer)
192.168.1.5 Fedora Workstation

When I browse to the web server (i.e. http://192.168.1.3), I get a Server Timeout problem. It seems to me the packet is forwarded out to the Internet. I believe there is something wrong with the programming.
Below is the listing of my iptables script:
#!/bin/sh
#
# Firewall Script

###############################################################
### Define interfaces here
EXT_DEV=eth0
INT_DEV=eth1
INT_NET=192.168.1.0/24

### Loading firewall modules
modprobe ip_conntrack
modprobe ip_conntrack_ftp

###############################################################
### Enable Packet Forwarding
echo 1 > /proc/sys/net/ipv4/ip_forward

### Remove all previous rules, and delete any user defined chains
iptables -F
iptables -X
iptables -t nat -F
iptables -t nat -X

### Set the default policies to drop
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP

### Loopback device OK
iptables -A INPUT -i lo -s 127.0.0.0/8 -d 127.0.0.0/8 -j ACCEPT
iptables -A OUTPUT -o lo -s 127.0.0.0/8 -d 127.0.0.0/8 -j ACCEPT

### Allow all ICMP Traffic (optional) - IN, OUT and THROUGH.
iptables -A INPUT -p icmp --icmp-type any -j ACCEPT
iptables -A OUTPUT -p icmp --icmp-type any -j ACCEPT
iptables -A FORWARD -p icmp --icmp-type any -j ACCEPT

### Allow all Internal traffic to Server
iptables -A INPUT -i $INT_DEV -s $INT_NET -d $INT_NET -j ACCEPT
iptables -A OUTPUT -o $INT_DEV -s $INT_NET -d $INT_NET -j ACCEPT

# New INTERNAL Connection: HTTP (Plain and SSL)
iptables -A INPUT -i $INT_DEV -s $INT_NET -d $INT_NET -p tcp --dport 80 -j ACCEPT
iptables -A OUTPUT -o $INT_DEV -s $INT_NET -d $INT_NET -p tcp --sport 80 -j ACCEPT

iptables -A INPUT -i $INT_DEV -s $INT_NET -d $INT_NET -p tcp --dport 443 -j ACCEPT
iptables -A OUTPUT -o $INT_DEV -s $INT_NET -d $INT_NET -p tcp --sport 443 -j ACCEPT

# New INTERNAL Connection: Squid Proxy
iptables -A INPUT -i $INT_DEV -s $INT_NET -d $INT_NET -p tcp --dport 3128 -j ACCEPT
iptables -A OUTPUT -o $INT_DEV -s $INT_NET -d $INT_NET -p tcp --sport 3128 -j ACCEPT

# New INTERNAL Connection: LISA
iptables -A INPUT -i $INT_DEV -s $INT_NET -d $INT_NET -p tcp --dport 7741 -j ACCEPT
iptables -A OUTPUT -o $INT_DEV -s $INT_NET -d $INT_NET -p tcp --sport 7741 -j ACCEPT

# New INTERNAL Connection: Internet Printing Protocol
iptables -A INPUT -i $INT_DEV -s $INT_NET -d $INT_NET -p tcp --dport 631 -j ACCEPT
iptables -A OUTPUT -o $INT_DEV -s $INT_NET -d $INT_NET -p tcp --sport 631 -j ACCEPT

# New INTERNAL Connection: DNS
iptables -A INPUT -i $INT_DEV -s $INT_NET -d $INT_NET -p tcp --dport 53 -j ACCEPT
iptables -A OUTPUT -o $INT_DEV -s $INT_NET -d $INT_NET -p tcp --sport 53 -j ACCEPT

# New INTERNAL Connection: pop3
iptables -A INPUT -i $INT_DEV -s $INT_NET -d $INT_NET -p tcp --dport 110 -j ACCEPT
iptables -A OUTPUT -o $INT_DEV -s $INT_NET -d $INT_NET -p tcp --sport 110 -j ACCEPT

# New INTERNAL Connection: imap
iptables -A INPUT -i $INT_DEV -s $INT_NET -d $INT_NET -p tcp --dport 143 -j ACCEPT
iptables -A OUTPUT -o $INT_DEV -s $INT_NET -d $INT_NET -p tcp --sport 143 -j ACCEPT

# New INTERNAL Connection: Windows Shares
iptables -A INPUT -i $INT_DEV -s $INT_NET -d $INT_NET -p tcp --dport 445 -j ACCEPT
iptables -A OUTPUT -o $INT_DEV -s $INT_NET -d $INT_NET -p tcp --sport 445 -j ACCEPT

iptables -A INPUT -i $INT_DEV -s $INT_NET -d $INT_NET -p tcp --dport 139 -j ACCEPT
iptables -A OUTPUT -o $INT_DEV -s $INT_NET -d $INT_NET -p tcp --sport 139 -j ACCEPT

###############################################################
### OUTBOUND Rule: Allow ALL packets out the external device
iptables -A OUTPUT -o $EXT_DEV -j ACCEPT
iptables -A FORWARD -i $INT_DEV -o $EXT_DEV -j ACCEPT

###############################################################
### MASQUERADING: All packets from the internal network will
### appear as if they had originated from the firewall.
iptables -t nat -A POSTROUTING -o $EXT_DEV -s $INT_NET -j MASQUERADE

###############################################################
### INBOUND Rule: Allow ALL EXT packets if a connection already exists (See "NEW" Inbound Rules)
iptables -A INPUT -i $EXT_DEV -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -i $EXT_DEV -m state --state RELATED,ESTABLISHED -j ACCEPT


#
### INBOUND Rules: Allow ONLY NEW packets on these ports.
#

# New INBOUND Connection: FTP (with TLS)
#iptables -A INPUT -i $EXT_DEV -m state --state NEW -m tcp -p tcp --syn --dport 20 -j ACCEPT
iptables -A INPUT -i $EXT_DEV -m state --state NEW -m tcp -p tcp --dport 20 -j ACCEPT
iptables -A INPUT -i $EXT_DEV -m state --state NEW -m udp -p udp --dport 20 -j ACCEPT
iptables -A INPUT -i $EXT_DEV -m state --state NEW -m tcp -p tcp --dport 21 -j ACCEPT
iptables -A INPUT -i $EXT_DEV -m state --state NEW -m udp -p udp --dport 21 -j ACCEPT

# New INBOUND Connection: Secure Shell
# iptables -A INPUT -i $EXT_DEV -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
# iptables -A INPUT -i $EXT_DEV -m state --state NEW -m udp -p udp --dport 22 -j ACCEPT

# New INBOUND Connection: SMTP and SMTPS (over TLS/SSL)
iptables -A INPUT -i $EXT_DEV -m state --state NEW -m tcp -p tcp --dport 25 -j ACCEPT
iptables -A INPUT -i $EXT_DEV -m state --state NEW -m udp -p udp --dport 25 -j ACCEPT
iptables -A INPUT -i $EXT_DEV -m state --state NEW -m tcp -p tcp --dport 465 -j ACCEPT
iptables -A INPUT -i $EXT_DEV -m state --state NEW -m udp -p udp --dport 465 -j ACCEPT

# New INBOUND Connection: HTTP (Plain and SSL)
iptables -A INPUT -i $EXT_DEV -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT
iptables -A INPUT -i $EXT_DEV -m state --state NEW -m udp -p udp --dport 80 -j ACCEPT
iptables -A INPUT -i $EXT_DEV -m state --state NEW -m tcp -p tcp --dport 443 -j ACCEPT
iptables -A INPUT -i $EXT_DEV -m state --state NEW -m udp -p udp --dport 443 -j ACCEPT

# New INBOUND Connection: LDAPS Server (over SSL)
iptables -A INPUT -i $EXT_DEV -m state --state NEW -m tcp -p tcp --dport 636 -j ACCEPT
iptables -A INPUT -i $EXT_DEV -m state --state NEW -m udp -p udp --dport 636 -j ACCEPT

# New INBOUND Connection: IMAPS Email Clients (over SSL)
iptables -A INPUT -i $EXT_DEV -m state --state NEW -m tcp -p tcp --dport 993 -j ACCEPT
iptables -A INPUT -i $EXT_DEV -m state --state NEW -m udp -p udp --dport 993 -j ACCEPT

# New INBOUND Connection: domain (over DNS)
iptables -A INPUT -i $EXT_DEV -m state --state NEW -m tcp -p tcp --dport 53 -j ACCEPT
iptables -A INPUT -i $EXT_DEV -m state --state NEW -m udp -p udp --dport 53 -j ACCEPT

# New INBOUND Connection: pop3
iptables -A INPUT -i $EXT_DEV -m state --state NEW -m tcp -p tcp --dport 110 -j ACCEPT
iptables -A INPUT -i $EXT_DEV -m state --state NEW -m udp -p udp --dport 110 -j ACCEPT

# New INBOUND Connection: imap
iptables -A INPUT -i $EXT_DEV -m state --state NEW -m tcp -p tcp --dport 143 -j ACCEPT
iptables -A INPUT -i $EXT_DEV -m state --state NEW -m udp -p udp --dport 143 -j ACCEPT

# New INBOUND Connection: mysql
# iptables -A INPUT -i $EXT_DEV -m state --state NEW -m tcp -p tcp --dport 3306 -j ACCEPT
# iptables -A INPUT -i $EXT_DEV -m state --state NEW -m udp -p udp --dport 3306 -j ACCEPT

# New INBOUND Connection: MSN
iptables -A INPUT -i $EXT_DEV -m state --state NEW -m tcp -p tcp --dport 1863 -j ACCEPT
iptables -A INPUT -i $EXT_DEV -m state --state NEW -m udp -p udp --dport 1863 -j ACCEPT

# New INBOUND Connection: MSN (over File Transfer)
iptables -A INPUT -i $EXT_DEV -m state --state NEW -m tcp -p tcp --dport 6891 -j ACCEPT
iptables -A INPUT -i $EXT_DEV -m state --state NEW -m udp -p udp --dport 6891 -j ACCEPT
# New INBOUND Connection: MSN (over File Transfer)
iptables -A INPUT -i $EXT_DEV -m state --state NEW -m tcp -p tcp --dport 6900 -j ACCEPT
iptables -A INPUT -i $EXT_DEV -m state --state NEW -m udp -p udp --dport 6900 -j ACCEPT

# New INBOUND Connection: Microsoft Office
iptables -A INPUT -i $EXT_DEV -m state --state NEW -m tcp -p tcp --dport 3389 -j ACCEPT
iptables -A INPUT -i $EXT_DEV -m state --state NEW -m udp -p udp --dport 3389 -j ACCEPT

# New INBOUND Connection: MSN Internet Games Server
iptables -A INPUT -i $EXT_DEV -m state --state NEW -m tcp -p tcp --dport 28000:28809 -j ACCEPT
iptables -A INPUT -i $EXT_DEV -m state --state NEW -m udp -p udp --dport 28000:28809 -j ACCEPT

Thanks in advance !!!
 
Old 06-20-2007, 09:28 PM   #4
ArcLinux
Member
 
Registered: Apr 2005
Location: Fargo, ND
Distribution: Slackware, CentOS
Posts: 87

Rep: Reputation: 20
If I'm not mistaken, I don't see a rule to forward local traffic.
You may want to add a few rules to log what traffic is being dropped. This will help you correct and create the correct rules.
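ArcLinux's suggestion to log what is being dropped, worked through as an added example (not code from the thread): two LOG rules appended after all of the poster's ACCEPT rules, plus a small parser that summarises the resulting kernel log lines by chain, interface, protocol and destination port, so you can see which flows the DROP policy is eating before you write any new ACCEPT rule. The "IPT ... DROP: " prefix, the sample syslog lines and all addresses in them are constructed.

```python
"""Summarise what an iptables DROP policy is discarding, from kernel LOG lines.

Assumes LOG rules appended as the LAST rule of INPUT and FORWARD (a hypothetical
addition, not in the posted script), e.g.:
  iptables -A INPUT   -m limit --limit 5/min -j LOG --log-prefix "IPT INPUT DROP: "
  iptables -A FORWARD -m limit --limit 5/min -j LOG --log-prefix "IPT FORWARD DROP: "
Every ACCEPT rule precedes them, so they see exactly the packets the policy DROP
is about to discard; the rate limit keeps a flood from filling the log.
"""
import re
from collections import Counter

# Constructed sample syslog lines in the LOG target's KEY=VALUE format (not taken
# from the poster's machine); public addresses are from documentation ranges.
SAMPLE_LOG = """\
Jun 20 11:15:02 gw kernel: IPT INPUT DROP: IN=eth0 OUT= MAC=00:0c:29:aa:bb:cc:00:0c:29:dd:ee:ff:08:00 SRC=203.0.113.7 DST=198.51.100.2 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=4321 DF PROTO=TCP SPT=51022 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
Jun 20 11:15:05 gw kernel: IPT INPUT DROP: IN=eth0 OUT= MAC=00:0c:29:aa:bb:cc:00:0c:29:dd:ee:ff:08:00 SRC=203.0.113.7 DST=198.51.100.2 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=4322 DF PROTO=TCP SPT=51023 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
Jun 20 11:15:07 gw kernel: IPT INPUT DROP: IN=eth1 OUT= MAC=01:00:5e:00:00:fb:00:0c:29:11:22:33:08:00 SRC=192.168.1.5 DST=224.0.0.251 LEN=78 TOS=0x00 PREC=0x00 TTL=255 ID=0 DF PROTO=UDP SPT=5353 DPT=5353 LEN=58
Jun 20 11:15:09 gw kernel: IPT FORWARD DROP: IN=eth0 OUT=eth1 MAC=00:0c:29:aa:bb:cc:00:50:56:c0:00:08:08:00 SRC=203.0.113.9 DST=192.168.1.5 LEN=40 TOS=0x00 PREC=0x00 TTL=48 ID=0 DF PROTO=TCP SPT=80 DPT=33013 WINDOW=0 RES=0x00 RST URGP=0
Jun 20 11:15:11 gw kernel: eth0: link up, 100Mbps, full-duplex
"""

LOG_RE = re.compile(r"kernel: IPT (?P<chain>INPUT|FORWARD|OUTPUT) DROP: (?P<fields>.*)$")


def parse_log_line(line):
    """Return the LOG fields of one syslog line as a dict, or None if the line
    does not carry our prefix.  Bare tokens (DF, SYN, RST, ...) collect in FLAGS."""
    m = LOG_RE.search(line)
    if m is None:
        return None
    rec = {"CHAIN": m.group("chain"), "FLAGS": []}
    for tok in m.group("fields").split():
        key, sep, val = tok.partition("=")
        if sep:
            rec[key] = val   # UDP lines carry LEN= twice; the payload length wins, harmless here
        else:
            rec["FLAGS"].append(tok)
    return rec


def summarise_drops(log_text):
    """Count dropped packets per distinct flow (chain, in, out, proto, dst, dport)."""
    counts = Counter()
    for line in log_text.splitlines():
        rec = parse_log_line(line)
        if rec is not None:
            counts[(rec["CHAIN"], rec.get("IN", ""), rec.get("OUT", ""),
                    rec.get("PROTO", "?"), rec.get("DST", "?"), rec.get("DPT", "-"))] += 1
    return counts


def report(log_text):
    """One line per dropped flow, busiest first: decide what to allow and what to keep dropping."""
    out = []
    for (chain, inif, outif, proto, dst, dport), n in summarise_drops(log_text).most_common():
        out.append(f"{n:4d} {chain:<7} in={inif or '-':<5} out={outif or '-':<5} "
                   f"{proto:<4} {dst}:{dport}")
    return "\n".join(out)


if __name__ == "__main__":
    print(report(SAMPLE_LOG))
```

On the gateway itself the input would be `grep 'IPT .* DROP:' /var/log/messages` (or the distribution's kernel log) rather than the constructed sample; a flow that appears here is only a candidate for an ACCEPT rule, since unsolicited probes from the outside belong in the log and should stay dropped.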