My network diagram:
+++Internet+++--------------+++Modem+++---------++eth0||||eth1++----------+Lan+--
My server has these roles: Linux gateway, DHCP, Squid proxy, DNS.
This is the rc.firewall script:
==============================================
#!/bin/sh
#
# eth0: Localnet
# eth1: Internet
#
# Enable IP forwarding in the kernel (write "1" into the proc file)
echo 1 > /proc/sys/net/ipv4/ip_forward
#
# Path to the iptables binary; adjust to your system
IPTABLES=/sbin/iptables
#
# Load the modules needed by iptables
/sbin/modprobe ip_tables
/sbin/modprobe ip_conntrack
/sbin/modprobe ip_conntrack_ftp
/sbin/modprobe iptable_filter
/sbin/modprobe iptable_mangle
/sbin/modprobe iptable_nat
/sbin/modprobe ipt_LOG
/sbin/modprobe ipt_limit
/sbin/modprobe ipt_state
#
# Not needed at this time
#
#/sbin/modprobe ipt_owner
#/sbin/modprobe ipt_REJECT
#/sbin/modprobe ipt_MASQUERADE
#/sbin/modprobe ip_conntrack_irc
#/sbin/modprobe ip_nat_ftp
#/sbin/modprobe ip_nat_irc
#
# Flush all rules and delete user-defined chains (filter and nat tables)
$IPTABLES -F
$IPTABLES --delete-chain
$IPTABLES -t nat --delete-chain
$IPTABLES -t nat --flush
#
# Forward anything coming from the LAN
$IPTABLES -A FORWARD -s 192.168.0.0/16 -j ACCEPT
#
# Forward anything going to the LAN
$IPTABLES -A FORWARD -d 192.168.0.0/16 -j ACCEPT
#
# Masquerade traffic whose destination is outside the LAN ("! -d" is the negation syntax iptables expects)
$IPTABLES -t nat -A POSTROUTING ! -d 192.168.0.0/16 -j MASQUERADE
#
# Transparently redirect LAN web traffic to Squid on port 8080
$IPTABLES -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 8080
=========================================================
With the script above, my firewall should allow all traffic in the local network. Traffic that wants to go out to the Internet should reach the Squid proxy (the Internet policy is applied there). However, I get these problems:
- When the rc.firewall script is applied, nothing works: clients can't access the Internet and can't ping the Linux gateway (DHCP server), but clients can ping each other (clients are assigned IPs from the DHCP server).
- If I flush all rules in my iptables except these:
=====
iptables -t nat -A POSTROUTING ! -d 192.168.0.0/16 -j MASQUERADE
#
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 8080
======
it still doesn't work.
I only want my clients to be able to access the Internet for checking POP3 mail and web surfing. Everything else should be dropped. And full permission in the local network.
Please help me solve the problem.
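A rc.firewall for the setup in the question, added here as an example and not the poster's own script: it fixes the ip_forward redirect (the original wrote to a file named "1"), sets default-DROP policies, lets the LAN reach the gateway's own services, forwards only POP3 directly and sends web traffic through Squid. The LAN range, the eth0/eth1 roles and the Squid port come from the post; the DRY_RUN helper and the ports used for the gateway's DNS (53) and DHCP (67) are my assumptions.

```shell
#!/bin/sh
# Added example, not the poster's script: a rc.firewall for the layout in the
# question (eth0 = LAN, eth1 = Internet, Squid on 8080, DNS/DHCP on the box).
# The LAN range is the one from the post; POP3 (110) and HTTP (80) are the
# two services the poster wants to allow out.
IPT=${IPT:-/sbin/iptables}
LAN_IF=eth0
WAN_IF=eth1
LAN_NET=192.168.0.0/16
SQUID_PORT=8080

# Run an iptables command, or only print it when DRY_RUN=1 so the rule set
# can be reviewed on a machine that is not the gateway.
ipt() {
    if [ "${DRY_RUN:-0}" = 1 ]; then echo "iptables $*"; else "$IPT" "$@"; fi
}

apply_firewall() {
    # "echo 1 > file", not "echo > 1 file" (the latter writes to a file named 1)
    if [ "${DRY_RUN:-0}" = 1 ]; then echo "ip_forward=1"
    else echo 1 > /proc/sys/net/ipv4/ip_forward; fi

    ipt -F; ipt -X; ipt -t nat -F; ipt -t nat -X
    # Default deny for traffic to the box and traffic it forwards
    ipt -P INPUT DROP
    ipt -P FORWARD DROP
    ipt -P OUTPUT ACCEPT

    # Services the gateway offers the LAN: ping, DHCP, DNS, Squid, and replies
    ipt -A INPUT -i lo -j ACCEPT
    ipt -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    ipt -A INPUT -i $LAN_IF -p icmp -j ACCEPT
    ipt -A INPUT -i $LAN_IF -p udp --dport 67 -j ACCEPT
    ipt -A INPUT -i $LAN_IF -p udp --dport 53 -j ACCEPT
    ipt -A INPUT -i $LAN_IF -p tcp --dport 53 -j ACCEPT
    ipt -A INPUT -i $LAN_IF -p tcp --dport $SQUID_PORT -j ACCEPT

    # Forwarding: only POP3 leaves directly; web goes through Squid instead
    ipt -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    ipt -A FORWARD -i $LAN_IF -o $WAN_IF -s $LAN_NET -p tcp --dport 110 -j ACCEPT

    # Transparent proxy: LAN port-80 connections are redirected to Squid
    ipt -t nat -A PREROUTING -i $LAN_IF -p tcp --dport 80 \
        -j REDIRECT --to-port $SQUID_PORT
    # Masquerade only what leaves on the Internet interface
    ipt -t nat -A POSTROUTING -o $WAN_IF -s $LAN_NET -j MASQUERADE
}
```

Run `DRY_RUN=1 sh rc.firewall` after adding a final `apply_firewall` call to print the rules, then run it as root without DRY_RUN to apply them; Squid's own outbound connections leave via OUTPUT, which stays ACCEPT.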