Does anyone know why after ive run my firewall script that I can no longer access anything through my external interface (eth0) on that machine... Everything else works fine. Connection sharing works fine, im able to connect the internet on my other machines that use it as a gateway...

Heres my script.

#!/bin/bash
#

IFACE_EXT="eth0"
IFACE_INT="eth1"

# Clear any previous iptables rules
iptables --flush
iptables --table nat --flush
iptables --delete-chain
iptables --table nat --delete-chain
echo "All Tables and Rules Cleared..."

# Default policies
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT
echo "Default Chain Policies Set..."

# Accept ssh connections on external interface
iptables -A INPUT -p tcp --dport 22 -j ACCEPT
echo "Incoming SSH Connections Accepted..."

# Drop unwelcome connects
iptables -A INPUT -p tcp --syn -j DROP

# IP Masquerading
iptables -A FORWARD -i $IFACE_EXT -o $IFACE_INT -m state --state = ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i $IFACE_INT -o $IFACE_EXT -j ACCEPT
iptables -A FORWARD -i $IFACE_INT -j ACCEPT
iptables -t nat -A POSTROUTING -o $IFACE_EXT -j MASQUERADE
echo "IP Masquerading Running..."

# Port forwarding
iptables -A FORWARD -p tcp -i $IFACE_EXT -j ACCEPT
echo "Port Forwarding Enabled..."

#Enable packet forwarding
echo 1 > /proc/sys/net/ipv4/ip_forward
echo "Packet Forwarding Enabled..."

Hey,

If I understand you correctly, you can see anything from your gateway itself, like you've ssh'd into it and can't ping anything from eth0 ?

your problem likely lies in this line

iptables -A INPUT -p tcp --syn -j DROP

try removing that line and see if it makes a difference.

-Kilka

Thats exactly what was the problem, thank you for ur help

-kilka

Based on the above script how would I open port 80 or other services on the router its self... Id like to be able to see my pages being served up using apache, but it seems I'm missing something and I cant view anything when trying to browse. The server is up... ssh seems to work... I tried using the same syntax used to open ssh but only on port 80 but still not working... any ideas.... also is there anything I could add to my script to help harden it... right now its pretty basic... id like to block all that bad stuff out there... any help as always is greatly appreciated..

So you've got this:
iptables -A INPUT -p tcp --dport 80 -j ACCEPT

but still can't see anything through the router ? I would guess it's some setting in the router that you've got to change. Remember that dropping all other connections should always be the last thing you do.

-Kilka

Ya im still figuring all this iptables stuff out... so its a trial by error type thing for me... I have a suspission that its to do with apache... I just found out even though installed with apt-get its proccess not running when checked with ps -A. So ive downloaded the source and im compiling apache myself, well see if this works now...