LinuxQuestions.org
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.

Old 03-25-2004, 10:46 AM   #1
Evilone
Member
 
Registered: Oct 2002
Location: UK
Distribution: Slack 9.1 (2.6.5)
Posts: 307

Rep: Reputation: 30
IPTABLES Firewalling Help Wanted


Hi,

I'm attempting to rewrite my firewall script, as quite frankly my old one is really, really basic and it's causing me no end of hassle.

I wanted to configure :

1) My ppp0 connection (broadband) to be shared with the other computers on my local network (eth0).

2) Drop everything by default, and only accept packets I want to accept.

So I did a bit of googling and came up with this (which I wrote myself):

Code:
# Clear existing rules
iptables --flush
iptables --table nat --flush
iptables --delete-chain
iptables --table nat --delete-chain
# Set up gateway
iptables --table nat --append POSTROUTING --out-interface ppp0 -j MASQUERADE
iptables --append FORWARD --in-interface eth0 -j ACCEPT
echo 1 > /proc/sys/net/ipv4/ip_forward
# Allow the loopback interface to be used by local machine
iptables -A INPUT -i lo -p all -j ACCEPT
iptables -A OUTPUT -o lo -p all -j ACCEPT
# Allow established connections
iptables -A INPUT -i eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -p tcp --tcp-option ! 2 -j REJECT --reject-with tcp-reset
# Allow FTP Access
iptables -A INPUT -p tcp -i eth0 --dport 21 -j ACCEPT
iptables -A INPUT -p udp -i eth0 --dport 21 -j ACCEPT
iptables -A INPUT -p tcp -i ppp0 --dport 21 -j ACCEPT
iptables -A INPUT -p udp -i ppp0 --dport 21 -j ACCEPT
# Allow SSH Access
iptables -A INPUT -p tcp -i eth0 --dport 22 -j ACCEPT
iptables -A INPUT -p udp -i eth0 --dport 22 -j ACCEPT
iptables -A INPUT -p tcp -i ppp0 --dport 22 -j ACCEPT
iptables -A INPUT -p udp -i ppp0 --dport 22 -j ACCEPT
# Allow Apache Access
iptables -A INPUT -p tcp -i eth0 --dport 80 -j ACCEPT
iptables -A INPUT -p udp -i eth0 --dport 80 -j ACCEPT
iptables -A INPUT -p tcp -i ppp0 --dport 80 -j ACCEPT
iptables -A INPUT -p udp -i ppp0 --dport 80 -j ACCEPT
# Allow Local Samba Connections
iptables -A INPUT -p tcp -i eth0 --dport 137 -j ACCEPT
iptables -A INPUT -p udp -i eth0 --dport 137 -j ACCEPT
iptables -A INPUT -p tcp -i eth0 --dport 138 -j ACCEPT
iptables -A INPUT -p udp -i eth0 --dport 138 -j ACCEPT
iptables -A INPUT -p tcp -i eth0 --dport 139 -j ACCEPT
iptables -A INPUT -p udp -i eth0 --dport 139 -j ACCEPT
# Allow IMAP Access
iptables -A INPUT -p tcp -i eth0 --dport 143 -j ACCEPT
iptables -A INPUT -p udp -i eth0 --dport 143 -j ACCEPT
iptables -A INPUT -p tcp -i ppp0 --dport 143 -j ACCEPT
iptables -A INPUT -p udp -i ppp0 --dport 143 -j ACCEPT
# Allow SMTP Access
iptables -A INPUT -p tcp -i eth0 --dport 25 -j ACCEPT
iptables -A INPUT -p udp -i eth0 --dport 25 -j ACCEPT
iptables -A INPUT -p tcp -i ppp0 --dport 25 -j ACCEPT
iptables -A INPUT -p udp -i ppp0 --dport 25 -j ACCEPT
# DROP anything else
iptables -P INPUT DROP

It works, in a way: I can ssh from my local network to my server, I can get to my webserver LOCALLY only, and not from my domain name, and I can see my samba shares and access them. However, it does not allow me to share the internet connection, and this is a pain in the arse. Any help appreciated. The four entries for each port number were my attempt to allow both local and remote (through the broadband from outside) access to the services I have running.

cheers,
Ade
 
Old 03-28-2004, 09:09 AM   #2
dorian33
Member
 
Registered: Jan 2003
Location: Poland, Warsaw
Distribution: LFS, Gentoo
Posts: 591

Rep: Reputation: 32
You missed a rule for returning (forwarded) packets. The rule
Code:
iptables --append FORWARD --in-interface eth0 -j ACCEPT
allows only outgoing packets to be sent. You need:
Code:
iptables --append FORWARD -j ACCEPT
in place of the rule you used, or an additional rule
Code:
iptables --append FORWARD --in-interface ppp0 -j ACCEPT
for the packets which are coming back.
 
Old 03-29-2004, 07:01 AM   #3
Evilone
Member
 
Registered: Oct 2002
Location: UK
Distribution: Slack 9.1 (2.6.5)
Posts: 307

Original Poster
Rep: Reputation: 30
Sorry to be a complete dumbass, but please elaborate a little... Is my existing script OK? Do I add that rule, or replace one with it?

IPTables is still one of those things that gets me down. I don't understand it, and I can't seem to find a "Simple" walkthrough explaining how it works.

I'm by no means a Linux noob; I've been at it for two years now, and have everything except security sorted. I run my own mail server, Samba server, Apache server, DNS server, you name it... But it's all at risk as my firewall script sucks.

All I want to do is share out my internet connection (ppp0) and allow only those ports that I specify to be available from the outside, i.e. port 80 for Apache, port 22 for SSH connections. My local LAN (eth0, 192.168.7.*) should be allowed full access to all services. I've a wireless laptop and my gaming desktop that I use, so those two would not need to be affected by the wall. I would like to drop ANY packets incoming from the internet other than those that I allow. From what I've read this is the best, most secure way of doing things.

Cheers,

Ade
 
Old 03-29-2004, 01:37 PM   #4
dorian33
Member
 
Registered: Jan 2003
Location: Poland, Warsaw
Distribution: LFS, Gentoo
Posts: 591

Rep: Reputation: 32
As I wrote: you can replace your rule, or add the second rule to the existing ones. If in any doubt, just write "iptables --append FORWARD -j ACCEPT" in place of your "iptables --append FORWARD --in-interface eth0 -j ACCEPT".
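Pulling the advice in this thread together, here is a complete ruleset for the setup described, as an added example; it is not the original poster's script and not either reply's exact rule. The interface names (ppp0 for broadband, eth0 for the LAN) and the 192.168.7.0/24 prefix come from the posts; that only SSH and HTTP are reachable from the Internet is an assumption taken from the stated goal, and the start/stop dispatch at the end is the editor's. The forwarding fix is the pair of FORWARD rules: LAN to ppp0 is allowed outright, ppp0 to LAN only for ESTABLISHED,RELATED, with the FORWARD policy set to DROP. That is tighter than an unconditional FORWARD ACCEPT, because an unsolicited packet arriving on ppp0 is never forwarded. The INPUT chain accepts ESTABLISHED,RELATED on every interface rather than only eth0, which also makes the `--tcp-option ! 2` line unnecessary: TCP option 2 is the Maximum Segment Size and is only carried in SYN segments, so that rule rejected every non-SYN packet the eth0-only state rule had not already accepted, including the handshake ACK of a connection arriving on ppp0, which fits the symptom of the web server answering from the LAN but not from outside. The UDP rows are gone, since SSH, HTTP, SMTP, IMAP and FTP control are TCP only. Setting IPT="echo iptables" prints the rules instead of loading them.

```shell
#!/bin/sh
# Stateful NAT firewall for the setup in this thread: ppp0 is the
# broadband link, eth0 the 192.168.7.0/24 LAN. Added example, not the
# original poster's script. Only the WAN port list is an assumption.
#
#   IPT="echo iptables" ./rc.firewall start
# prints the rules instead of loading them, useful for checking the
# script as a non-root user.

IPT="${IPT:-iptables}"
WAN=ppp0
LAN=eth0
LAN_NET=192.168.7.0/24
WAN_TCP_PORTS="22 80"   # assumption: ssh and http are the public services

ipt() { $IPT "$@"; }

flush_rules() {
    ipt -F
    ipt -t nat -F
    ipt -X
    ipt -t nat -X
}

apply_rules() {
    flush_rules

    # Policies first so nothing slips through while the rules are being
    # added. OUTPUT stays ACCEPT: traffic the box itself originates is trusted.
    ipt -P INPUT DROP
    ipt -P FORWARD DROP
    ipt -P OUTPUT ACCEPT

    ipt -A INPUT -i lo -j ACCEPT

    # Replies to anything this box started, on every interface, plus
    # RELATED traffic such as ICMP errors. Packets conntrack cannot place
    # are dropped. This replaces both the eth0-only ESTABLISHED rule and
    # the "--tcp-option ! 2" rule of the original script.
    ipt -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    ipt -A INPUT -m state --state INVALID -j DROP

    # Anti-spoofing: a packet with a LAN source address never legitimately
    # arrives on the broadband side.
    ipt -A INPUT -i "$WAN" -s "$LAN_NET" -j DROP
    ipt -A FORWARD -i "$WAN" -s "$LAN_NET" -j DROP

    # The LAN gets every service (samba, imap, smtp, dns, ...), no port list.
    ipt -A INPUT -i "$LAN" -s "$LAN_NET" -j ACCEPT

    # Services reachable from the Internet: new TCP connections to the
    # listed ports only. Everything in the thread is TCP, so no udp rules.
    for port in $WAN_TCP_PORTS; do
        ipt -A INPUT -i "$WAN" -p tcp --dport "$port" -m state --state NEW -j ACCEPT
    done

    # Connection sharing. LAN -> Internet is allowed; Internet -> LAN only
    # for replies to connections the LAN opened. With the DROP policy an
    # unsolicited packet on ppp0 is never forwarded.
    ipt -A FORWARD -i "$LAN" -o "$WAN" -s "$LAN_NET" -j ACCEPT
    ipt -A FORWARD -i "$WAN" -o "$LAN" -m state --state ESTABLISHED,RELATED -j ACCEPT
    ipt -t nat -A POSTROUTING -o "$WAN" -s "$LAN_NET" -j MASQUERADE

    # Log (rate-limited) what the policies are about to drop.
    ipt -A INPUT -m limit --limit 5/min -j LOG --log-prefix "fw-input-drop: "
    ipt -A FORWARD -m limit --limit 5/min -j LOG --log-prefix "fw-forward-drop: "
}

enable_forwarding() {
    echo 1 > /proc/sys/net/ipv4/ip_forward
}

case "${1:-}" in
    start) apply_rules && enable_forwarding ;;
    stop)  flush_rules; ipt -P INPUT ACCEPT; ipt -P FORWARD ACCEPT ;;
esac
```

If FTP is later exposed on ppp0, add port 21 to WAN_TCP_PORTS and load the ip_conntrack_ftp module before the rules, otherwise the data connections will not be classified as RELATED. Services on the LAN that use UDP (DNS, Samba name service) are already covered by the blanket eth0 rule.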
 
Old 09-30-2004, 09:20 PM   #5
mangolicious
Member
 
Registered: Sep 2004
Location: Nowhere Special (if you don't get it, rent Blazing Saddles)
Distribution: Gentoo Linux
Posts: 63

Rep: Reputation: 15
In case you were wondering, & I have a question too

This is my very first post on linuxquestions.org, by the way.

Haha, I like that one...
ANYWAYS!
Just so you know, for startup scripting purposes it's very inefficient to have every single command typed out in a bash script like that. Instead use
Code:
iptables-save > /path/to/saved-rules
to save at shutdown and
Code:
iptables-restore < /path/to/saved-rules
to load at startup. *^*BE SURE*^* to disable read-write access for all users other than root to this saved rules file.

Now for my question. In the man page of iptables, and in your script for that matter, there's a switch in there called --tcp-option ! 2. The manual does not tell you exactly what it does -- only how to use it. That's what you get for reading man pages, so what the heck does it do anyway?
 
Old 09-30-2004, 09:24 PM   #6
mangolicious
Member
 
Registered: Sep 2004
Location: Nowhere Special (if you don't get it, rent Blazing Saddles)
Distribution: Gentoo Linux
Posts: 63

Rep: Reputation: 15
One more thing

This part of your script...
Code:
 iptables -A OUTPUT -o lo -p all -j ACCEPT
is redundant, as iptables's default OUTPUT policy is ACCEPT.
And all of the times you allow access from eth0 to certain ports, is there a really good reason not to just give eth0 access to all of your ports? If not, then replace those rules with
Code:
iptables -A INPUT -i eth0 -j ACCEPT
So, as Tom Hanks once said, "That's all I have to say about that."
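The iptables-save / iptables-restore suggestion from the post above, written out as a pair of functions; this is an added example, not anything posted in the thread. The path /etc/rc.d/rc.firewall.rules is an assumed location, and the IPTABLES_SAVE / IPTABLES_RESTORE variables exist so the functions can be exercised against stand-in commands without touching a live firewall. Two things are worth having in code rather than as a reminder: the file is created with mode 0600 from its first byte (umask before the redirect, then a rename over the old file) instead of being chmod'ed afterwards, and restore refuses a file that others can read or write, or that has lost its COMMIT line. On a box that loads the saved rules at boot, a world-writable rules file is a way for any local account to open the firewall at the next reboot. Note that iptables-save does not record the ip_forward sysctl, so that still has to be set separately at startup.

```shell
#!/bin/sh
# Save the live ruleset and reload it at boot, with the file readable by
# root only. Added example, not from the thread. RULES_FILE is an assumed
# location; IPTABLES_SAVE / IPTABLES_RESTORE can be pointed at stand-ins.

RULES_FILE="${RULES_FILE:-/etc/rc.d/rc.firewall.rules}"
IPTABLES_SAVE="${IPTABLES_SAVE:-iptables-save}"
IPTABLES_RESTORE="${IPTABLES_RESTORE:-iptables-restore}"

# Dump to a temp file that is born with mode 0600 (umask 077 in a subshell,
# so the caller's umask is untouched), then rename it over the old file.
# Nobody can read the rules during the write, and a failed dump does not
# leave a truncated file behind.
save_rules() {
    tmp="$RULES_FILE.$$.tmp"
    if ( umask 077; "$IPTABLES_SAVE" > "$tmp" ); then
        mv -f "$tmp" "$RULES_FILE"
    else
        rm -f "$tmp"
        echo "save_rules: $IPTABLES_SAVE failed, keeping old $RULES_FILE" >&2
        return 1
    fi
}

# Refuse to load a file that anyone besides the owner can read or write,
# or whose last non-comment line is not COMMIT (iptables-save output ends
# with COMMIT followed by a "# Completed" comment; a cut-off or hand-edited
# file usually does not).
restore_rules() {
    mode=$(ls -ld "$RULES_FILE" 2>/dev/null | cut -c1-10)
    case "$mode" in
        -rw-------|-r--------) ;;
        *) echo "restore_rules: refusing $RULES_FILE with mode '$mode'" >&2; return 1 ;;
    esac
    if ! grep -v '^#' "$RULES_FILE" | tail -n 1 | grep -q '^COMMIT$'; then
        echo "restore_rules: $RULES_FILE does not end in COMMIT, not loading" >&2
        return 1
    fi
    "$IPTABLES_RESTORE" < "$RULES_FILE"
}

case "${1:-}" in
    save)    save_rules ;;
    restore) restore_rules ;;
esac
```

Call the script with "save" from the shutdown sequence and "restore" from the startup sequence of your init scripts; the rules file then survives reboots without the rule-by-rule script being re-run.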
 
  

