So, I've spent alot of time with some tutorials/man pages, and what I thought would work, doesn't.

I've got this setup:

|Internet|<-->(eth0)|Firewall|(eth1)<-->|Internal Network|

I want to give the internal network internet access, but I only want to let in specific ports from the internet, and later I want to direct them to specific ports on specific internal ip's. But that's for later. What I was trying to accomplish was giving the internal network internet access, and drop incoming new and invalid packets. Is anything incorrect/redundant?

My /etc/rc.d/rc.local contains the following part for iptables:

My nat table comes out looking like it should according to my script I think:

But my filter table comes out like:

My best guess would be that dhcpcd is adding this "RH-Lokkit-0-50-INPUT" chain (which I've tried deleting but reappears on reboot) and all the other stuff in there. I thought that this might be the reason my internal lan doesn't have internet access, so I flushed the filter and nat tables and then exceuted /etc/rc.d/rc.local again. The nat table obviously looked thet same, but the filter table looked like:

Still though, it didn't work. What's wrong here?

To stop the chain RH-Lokkit-0-50-INPUT from being recreated every time your restart the firewall, which is what happens when you reboot, append

FIREWALL_MODS=no

to /etc/sysconfig/network

As for the firewall,

iptables -t filter -A INPUT -m state --state NEW,INVALID -i eth0 -j DROP
iptables -t filter -A INPUT -p tcp --syn -i eth0 -j DROP

the lower line probably won't match anything since

iptables -t filter -A INPUT -m state --state NEW,INVALID -i eth0 -j DROP

will get rid of the incoming SYN packets for you.

thanks hazza, I deleted "iptables -t filter -A INPUT -p tcp --syn -i eth0 -j DROP" I guess because it wouldn't do anything, but FIREWALL_MODS=no didn't work. I added the line and rebooted, but it was still there. So I thought maybe I had to delete it first, so I deleted it then rebooted, it came back again. I ended up removing it because it seems to have no effect.

2 questions:
1) What's wrong with my setup? even when I fix by hand what "FIREWALL_MODS=no" in /etc/sysconfig/network was supposed to fix it doesn't work.
2) What is the chain RH-Lokkit-0-50-INPUT for? there has to be a purpose for it and what is creating it?

just a bump to the top... i'm still stuck in the mud with this thing

The RH-Lokkit-0-50-INPUT chain is used by the lokkit program that comes with RH9. The rules created by lokkit are put in there. It also uses it to "punch" through rules to allow your ISPs DNS servers to reply to you. You don't need those specific rules when your using a stateful firewall. After you configure your firewall the way you want the you don't want to run lokkit again. To be even safer you should remove it.

The only reference I was able to find of RH-Lokkit-0-50-INPUT under /etc was in /etc/sysconfig/network-scripts/ifup and /etc/sysconfig/network-scripts/ifup-post. When you bring a nework interface up the ifup-post script checks for the existance of the RH-Lokkit-0-50-INPUT chain and then adds the rules for the nameservers.

I removed the line "FIREWALL_MODS=no" from /etc/sysconfig/network and ran lokkit to bring back the RH-Lokkit-0-50-INPUT. I wasn't able to get that chain back without running lokkit. Now my firewall looks like this:

*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [59:5996]
:RH-Lokkit-0-50-INPUT - [0:0]
-A INPUT -j RH-Lokkit-0-50-INPUT
-A FORWARD -j RH-Lokkit-0-50-INPUT
-A RH-Lokkit-0-50-INPUT -p tcp -m tcp --dport 22 --tcp-flags SYN,RST,ACK SYN -j ACCEPT
-A RH-Lokkit-0-50-INPUT -i lo -j ACCEPT
-A RH-Lokkit-0-50-INPUT -i eth0 -j ACCEPT
-A RH-Lokkit-0-50-INPUT -s 192.168.0.1 -p udp -m udp --sport 53 -j ACCEPT
-A RH-Lokkit-0-50-INPUT -p tcp -m tcp --tcp-flags SYN,RST,ACK SYN -j REJECT --reject-with icmp-port-unreachable
-A RH-Lokkit-0-50-INPUT -p udp -m udp -j REJECT --reject-with icmp-port-unreachable
COMMIT

Keep in mind that I'm testing this out not on the computer that I'm posting this from. My network setup looks a bit different but the procedure should be about the same. I've sshed into this box so I can find a procedure you'll be able to use even if you're not working directly on the firewall box. I'm going to call eth0 for my box $INT_IN. For your setup it should $INT_IN eth1 and $EXT_IN should be eth0. Next I did

# iptables -P INPUT DROP; iptables -F INPUT; iptables -I INPUT -j ACCEPT -i $INT_IN; iptables -I INPUT -j ACCEPT -i lo

Now this is all on one line so as to not break the ssh connection I'm using to connect to this box. This is what my INPUT chain looks like now:

# iptables -vL INPUT
Chain INPUT (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- lo any anywhere anywhere
93 7108 ACCEPT all -- eth0 any anywhere anywhere

For you it should look something like this:

# iptables -vL INPUT
Chain INPUT (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- lo any anywhere anywhere
93 7108 ACCEPT all -- eth1 any anywhere anywhere

Next you should add:

# iptables -A INPUT -j ACCEPT -m state --state RELATED,ESTABLISHED

I also add a rule to reject identd probes as it speeds up some ftp connections.

# iptables -A INPUT -j REJECT -p tcp --dport auth --reject-with tcp-reset

Now your INPUT chain should look something like this:

# iptables -vL INPUT
Chain INPUT (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- lo any anywhere anywhere
501 38228 ACCEPT all -- eth1 any anywhere anywhere
0 0 ACCEPT all -- any any anywhere anywhere state RELATED,ESTABLISHED
0 0 REJECT tcp -- any any anywhere anywhere tcp dpt:auth reject-with tcp-reset

The packet and byte counts may differ but that's nothing to worry about. Now you can remove the RH-Lokkit-0-50-INPUT chain. I've found that there is also a reference to this in the FORWARD chain as well so you have to remove that first.

# iptables -D FORWARD -j RH-Lokkit-0-50-INPUT
# iptables -F RH-Lokkit-0-50-INPUT
# iptables -X RH-Lokkit-0-50-INPUT

At this stage the entire filter table should look something like this:

# iptables -t filter -vL
Chain INPUT (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- lo any anywhere anywhere
1016 76160 ACCEPT all -- eth0 any anywhere anywhere
0 0 ACCEPT all -- any any anywhere anywhere state RELATED,ESTABLISHED
0 0 REJECT tcp -- any any anywhere anywhere tcp dpt:auth reject-with tcp-reset

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination

Chain OUTPUT (policy ACCEPT 1218 packets, 134K bytes)
pkts bytes target prot opt in out source destination

You can see that the RH-Lokkit-0-50-INPUT chain is now gone. You'll want to make sure that the nat table still has the rule in there for masquerading. So it should look something like this:

# iptables -t nat -vL
Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination

Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 MASQUERADE all -- any eth1 anywhere anywhere

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination

Now you'll be able to save this firewall setup with:

# service iptables save

Next I made sure that /etc/sysconfig looks like:

NETWORKING=yes
HOSTNAME=YOUR_HOSTNAME
FIREWALL_MODS=no

Just to be cautious, make sure there's a new line at the end of /etc/sysconfig/network. Now just to be safe, remove the packages lokkit and gnome-lokkit with

rpm -e lokkit gnome-lokkit

or

apt-get remove lokkit gnome-lokkit

if you have apt available.

Now you're ready to bring down the public interface and then bring it back up again to check if the RH-Lokkit-0-50-INPUT chain comes back.

# ifdown $EXT_IN
# ifup $EXT_IN

For my box the chain RH-Lokkit-0-50-INPUT did not come back. I rebooted my computer just to double check that the chain RH-Lokkit-0-50-INPUT does not come back. On my box

# iptables -t nat -vL; iptables -t filter -vL
Chain PREROUTING (policy ACCEPT 1 packets, 60 bytes)
pkts bytes target prot opt in out source destination

Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 MASQUERADE all -- any ppp0 anywhere anywhere

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain INPUT (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- lo any anywhere anywhere
1775 134K ACCEPT all -- eth0 any anywhere anywhere
0 0 ACCEPT all -- any any anywhere anywhere state RELATED,ESTABLISHED
0 0 REJECT tcp -- any any anywhere anywhere tcp dpt:auth reject-with tcp-reset

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination

Chain OUTPUT (policy ACCEPT 1679 packets, 190K bytes)
pkts bytes target prot opt in out source destination

confirmed that the RH-Lokkit-0-50-INPUT chain did not come back.

I hope this helps.

Thanks so much hazza. I'll post again after I try it out.