Can anyone please help me? I want to ask if my rules are correct.

Here's my setup:

IP ADD provided by the ISP: 121.x.x.133
ROUTER'S IP (ALSO AS GATEWAY): 192.168.1.1
External IP: 192.168.1.98 (ETH0)
Internal IP: 192.168.1.99 (ETH1)
Subnet Mask: 255.255.255.0

Here are my rules:

INPUT (DefaultROP)
ACCEPT if state of connection is ESTABLISHED, RELATED
ACCEPT if input interface is lo
ACCEPT if protocol if ICMP
ACCEPT if source is 127.0.0.1 and destination is 127.0.0.1
ACCEPT if protocol is TCP and destination port is 80
ACCEPT if protocol is TCP and destination port is 22
ACCEPT if protocol is TCP and destination port is 53
ACCEPT if protocol is UDP and destination port is 22
ACCEPT if protocol is TCP and destination port is 20:21
ACCEPT if protocol is TCP and destination port is 443
ACCEPT if protocol is TCP and input interface is ETH1 and destination port is 10000

FORWARD (DefaultROP)
ACCEPT if state of connection is ESTABLISHED, RELATED
ACCEPT if input interface is ETH0 and output interface is ETH1
ACCEPT if input interface is ETH1 and output interface is ETH0

OUTPUT (DefaultROP)
ACCEPT if state of connection is ESTABLISHED, RELATED
ACCEPT if output interface is lo
ACCEPT if protocol if ICMP
ACCEPT if source is 127.0.0.1 and destination is 127.0.0.1
ACCEPT if protocol is TCP and source port is 80
ACCEPT if protocol is TCP and source port is 22
ACCEPT if protocol is TCP and source port is 53
ACCEPT if protocol is UDP and source port is 22
ACCEPT if protocol is TCP and source port is 20:21
ACCEPT if protocol is TCP and source port is 443
ACCEPT if protocol is TCP and input interface is ETH1 and source port is 10000

POSTROUTING (Default:ACCEPT)

SNAT if output interface is ETH0 (IP for SNAT is 121.x.x.133)

Rules above won't allow me to access any sites in my web browser. Also my email.

Thanks in advance.

Is this box being directly used or is it a gateway box? If its direct then you need to kind of swap your input/output rules (unless you are running services on that box then you'll need to just add to the rules). If its a gateway box the you might want to MASQUERADE instead of SNAT, they are essentially the same, but I think MASQ'ing covers more protocols (I could easily be wrong on this).

I can't really see the problem in the rules, so this might sound a bit crazy, but can you get so far as to ping the Gateway? Can you ping Google.com, can you ping 209.85.171.99? Basic checks I know but might help in finding the problem. Also (this won't be the problem), but shouldn't port 22 be TCP not UDP?

This box is the gateway box. Here's the set up of the network

INTERNET >> ROUTER >> FIREWALL MACHINE >> SWITCH >> LAN

I also tried the MASQUERADE rule but it results to nothing.

If i ping using the firewall machine...it can and it also ping other sites but when i use any of the computers conencted to the LAN it cannot ping or browse any sites.

sorry, this is a typo error

this should be port 53 not 22

I also tried to flush the iptable rules and accept everything but still the computer connected to the LAN can't access the net.

what could be the problem? correct me if i'm wrong...i thought this has nothing to do with the iptables. but i wonder wht couold be the problem. I'm new with linux and i'm really having a hard time figuring out the problem.

Did you turn on forwarding?
check with cat /proc/sys/net/ipv4/ip_forward
set with echo 1 > /proc/sys/net/ipv4/ip_forward
and you can set it permanently in /etc/sysctl.conf (on most linux distros)

Can you a sample network setting from one of the LAN client PC'?

I wonder if the problem stems for your mixture of IP addresses used for gateway, eth0 and eth1. My routers so far always had the same IP for the gateway and one of the ethernet cards. On the other hand, maybe I was just lucky that it worked at all.

you didn't have to go that far, you could have just done "/etc/init.d/iptables stop" to test if the problem was your firewall. However if you turn your firewall off and it still does not connect outwardly then the problem is not the firewall at all but your network settings. As said above do you have ipforwarding on?

Also on the machines within your network, have you ensured that they are using 192.168.1.99 as their gateway address since I assume that this machine you are dealing with is acting as a firewall and thus they must all pass through this connection?

Yes, I did turn on the forwarding

This is the network config of one of the computers in lan:


ipadd: 192.168.1.107
netmask: 255.255.255.0
gateway: 192.168.1.1

Yes, I turned on the forwarding
Re gateway the network config of one of the computers in the is:

ipadd: 192.168.1.107
netmask: 255.255.255.0
gateway: 192.168.1.1

I'll try to change the gateway to 192.168.1.99

I'll post the result after changing the gateway.

Another question guys....

How would i check if what ports are open using the command prompt?

I want to know if i really opened up the ports needed.

hello guys! My firewall is working now....

I changed the gateway of the computers connected on the LAN, and then when I try browsing..it works.....

Thanks a lot guys!

I will now configure the squid proxy...I hope I can.

I'll keep posting what's the result re may configuration and will ask for your help/suggestions

guys, i had another question

This is regarding squid proxy...why can't i connect to internet if i set the proxy?

my default port for proxy is 8000

I added this rules on my iptables

ACCEPT if protocol is TCP and destination port is 8000 (INPUT RULE)
ACCEPT if protocol is TCP and source port is 8000 (OUTPUT RULE)

Please help me again

Thats not the default port for the squid. You set squid to work on 3128. So you need to tell the browser to connect to net through proxy by giving its ip address and the port 8000 that you have configured it to work on. It will not work by default. Another thing to ask, is your squid running in transparent mode? If yes then forget the browser settings. Also search the LQ forums for transparent squid.
You need not set the second rule. For web browsing port 80 is used. So you need to accept the connections originating from port 80 that you already have done.

Do I need to do some port redirection for the port used by squid?
I didn't set the squid in transparent mode...

Hi again! I made some rule setting in PREROUTING using DNAT and now i can browse the net using the proxy.
Here's the rule i used:

DNAT if the protocol is TCP and input interface is ETH0 and the destination port is 80. (wherein the destination ip is 192.168.1.99:8000)

My question is.....Does that rule will make my firewall secure?

Are all my rules will make our lan protected from any hacking.

Using a firewall and Nat does increase security alot but protecting against hacking is never 100% possible, effectively all you can do is make it as hard as you can and deter hackers as much as possible, you can use certain techniques like sacrifical machines that log all access to them and then block the associated ips as such... but I'd never ever say any machine connected to the internet is fully protected against hacking .

Thanks!!!