
fei 05-12-2005 07:43 PM

iptables: about FORWARDING and nat
 
I have been thinking about how to solve one problem for a long time. Then, finally decided to ask on the forum.

I want to use iptables to build a firewall. The current network infrastructure is

Internet
172.16.0.2
|
|
eth2 - 172.16.0.1(172.16.0.1/30)
Router (firewall)
eth0 - 192.168.1.1(192.168.1.1/24)
|
|
192.168.1.11
Internal Ethernet

What I want to do is to configure the firewall, so the router can forward the Ethernet requests to the Internet. For example, the Ethernet can ssh to the Internet through the firewall. My questions are: (1) how to use FORWARD to implement this? (2) Do I need to use nat (PREROUTING and POSTROUTING) for this case? If not, when should I use nat for forwarding packets?

Thanks!

win32sux 05-12-2005 07:53 PM

Re: iptables: about FORWARDING and nat
 
Quote:

Originally posted by fei
I have been thinking about how to solve one problem for a long time. Then, finally decided to ask on the forum.

I want to use iptables to build a firewall. The current network infrastructure is

Internet
172.16.0.2
|
|
eth2 - 172.16.0.1(172.16.0.1/30)
Router (firewall)
eth0 - 192.168.1.1(192.168.1.1/24)
|
|
192.168.1.11
Internal Ethernet

What I want to do is to configure the firewall, so the router can forward the Ethernet requests to the Internet. For example, the Ethernet can ssh to the Internet through the firewall. My questions are: (1) how to use FORWARD to implement this? (2) Do I need to use nat (PREROUTING and POSTROUTING) for this case? If not, when should I use nat for forwarding packets?

Thanks!

you just need FORWARD and POSTROUTING...

to allow SSH from your LAN to the Internet, something like this should do the trick:
Code:

iptables -P FORWARD DROP

iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

iptables -A FORWARD -p TCP -i eth0 -o eth2 --dport 22 -s 192.168.1.1/24 \
-m state --state NEW -j ACCEPT

iptables -t nat -A POSTROUTING -o eth2 -j SNAT --to-source 172.16.0.1

just my :twocents:...

fei 05-12-2005 08:17 PM

Re: Re: iptables: about FORWARDING and nat
 
Thanks for your reply. It saves me a lot of time. One more thing: What if I had a wireless LAN, and I only wanted to allow the Ethernet to access the Internet? How could I apply this rule to the firewall?

Fei

win32sux 05-12-2005 08:29 PM

you mean like if you had a wireless router connected to the switch on eth0??

win32sux 05-12-2005 08:39 PM

Quote:

Originally posted by win32sux
you mean like if you had a wireless router connected to the switch on eth0??
if so, then a simple way to make sure the rule only applies to the ethernet clients is by creating a rule blocking any packets coming from the external IP of the wireless router... if the wireless router was using IP (for example) 192.168.1.254 then this would do the trick (effectively blocking that IP from starting ANY connections through eth2):

Code:

iptables -P FORWARD DROP

iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

iptables -A FORWARD -i eth0 -o eth2 -s 192.168.1.254 \
-m state --state NEW -j DROP


iptables -A FORWARD -p TCP -i eth0 -o eth2 --dport 22 -s 192.168.1.1/24 \
-m state --state NEW -j ACCEPT

iptables -t nat -A POSTROUTING -o eth2 -j SNAT --to-source 172.16.0.1
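
To make the behaviour of these FORWARD rules concrete, here is an added example (mine, not from this thread or from iptables itself): a small Python model of the chain above plus the POSTROUTING SNAT, with a toy connection table standing in for conntrack. The addresses and interface names are the thread's; the packet dict layout and the client's source port 40000 are made up for the example.

```python
from ipaddress import ip_address, ip_network

LAN = ip_network("192.168.1.0/24")            # EthernetIPs in the thread
WIFI_ROUTER = ip_network("192.168.1.254/32")  # the wireless router's IP
WAN_IP = "172.16.0.1"                         # SNAT --to-source on eth2

# The FORWARD chain in the order posted above; the chain policy is DROP.
# Rule fields: in_if, out_if, proto, src_net, dport, state, target (None = any).
FORWARD = [
    (None,   None,   None,  None,        None, "ESTABLISHED", "ACCEPT"),
    ("eth0", "eth2", None,  WIFI_ROUTER, None, "NEW",         "DROP"),
    ("eth0", "eth2", "tcp", LAN,         22,   "NEW",         "ACCEPT"),
]

def _matches(rule, pkt, state):
    in_if, out_if, proto, net, dport, st, _target = rule
    return ((in_if is None or in_if == pkt["in_if"])
            and (out_if is None or out_if == pkt["out_if"])
            and (proto is None or proto == pkt["proto"])
            and (net is None or ip_address(pkt["src"]) in net)
            and (dport is None or dport == pkt["dport"])
            and (st is None or st == state))

def forward(pkt, conntrack):
    """Push one packet through PREROUTING de-NAT, FORWARD and POSTROUTING SNAT.

    pkt has in_if, out_if, proto, src, sport, dst, dport; conntrack is a dict
    standing in for the kernel's connection table. Returns (verdict, packet as
    it leaves the router, or None when dropped).
    """
    pkt = dict(pkt)
    key = (pkt["proto"], pkt["src"], pkt["sport"], pkt["dst"], pkt["dport"])
    entry = conntrack.get(key)
    if entry and entry["reply"]:
        # Reply to a NATed flow: restore the LAN address before routing.
        pkt["dst"], pkt["out_if"] = entry["orig_src"], "eth0"
    state = "ESTABLISHED" if entry else "NEW"
    verdict = next((r[-1] for r in FORWARD if _matches(r, pkt, state)), "DROP")
    if verdict != "ACCEPT":
        return verdict, None
    if pkt["out_if"] == "eth2":
        if state == "NEW":
            # Record both directions so the server's reply is ESTABLISHED.
            conntrack[key] = {"reply": False, "orig_src": pkt["src"]}
            reply = (pkt["proto"], pkt["dst"], pkt["dport"], WAN_IP, pkt["sport"])
            conntrack[reply] = {"reply": True, "orig_src": pkt["src"]}
        pkt["src"] = WAN_IP  # POSTROUTING -o eth2 -j SNAT --to-source 172.16.0.1
    return verdict, pkt

def ssh_session(src, in_if="eth0"):
    """Client at src opens SSH to 172.16.0.2 and the server answers.

    Returns (client verdict, source address the server sees, reply verdict,
    destination the reply is delivered to); a dropped SYN gives Nones.
    """
    ct = {}
    syn = dict(in_if=in_if, out_if="eth2", proto="tcp", src=src, sport=40000,
               dst="172.16.0.2", dport=22)
    v1, out = forward(syn, ct)
    if v1 != "ACCEPT":
        return v1, None, None, None
    synack = dict(in_if="eth2", out_if=None, proto="tcp", src="172.16.0.2",
                  sport=22, dst=out["src"], dport=40000)
    v2, back = forward(synack, ct)
    return v1, out["src"], v2, back["dst"] if back else None

if __name__ == "__main__":
    print(ssh_session("192.168.1.11"))               # LAN host: accepted, SNATed
    print(ssh_session("192.168.1.254"))              # wireless router: DROP
    print(ssh_session("192.168.2.5", in_if="eth3"))  # other interface: DROP
```

The model also shows why an unsolicited packet arriving on eth2 is dropped even when it comes from port 22: with no conntrack entry it is NEW, and no NEW rule allows eth2 as the input interface.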


fei 05-12-2005 08:41 PM

Quote:

Originally posted by win32sux
you mean like if you had a wireless router connected to the switch on eth0??
I mean another wireless LAN, say on eth2 on the router. I think your rules only allow forwarding from eth0. So it already forces the forwarded connections to come only from the Ethernet. Sorry for asking this.

win32sux 05-12-2005 08:47 PM

sorry, i'm not sure i understand what you're asking... :confused:


fei 05-12-2005 08:53 PM

Sorry. I was out of my mind. I was trying to say that if there was another network interface, eth3, on the router that connects to a wireless LAN, I would only want packets to be forwarded if they come from eth0. So the Ethernet can ssh to the Internet, but the wireless LAN can't.

win32sux 05-12-2005 08:58 PM

oh, okay... well, the rules i posted would NOT allow anything coming from eth3 to go out... the rules specify the packets must come in through eth0 and go out through eth2... anything coming from eth3 would be met with the default policy of DROP... you'd need to add rules for packets coming from eth3 so they could get forwarded...

so basically the rules as posted do what you want... :)


fei 05-12-2005 09:16 PM

I realised that after I asked the question. Anyway, Thanks a lot.

Fei

fei 05-13-2005 03:46 AM

I tried the code. It won't work. On a machine with IP 192.168.1.11 on the Ethernet, I tried to ssh to the Internet using IP 172.16.0.2. Is something wrong with the code?

win32sux 05-13-2005 03:49 AM

do you have forwarding enabled??

Code:

echo "1" > /proc/sys/net/ipv4/ip_forward

fei 05-13-2005 04:11 AM

I have ip_forward enabled. The code is not working. How can I test the firewall, using tcpdump?

win32sux 05-13-2005 04:16 AM

please post the output of these:
Code:

iptables -L
Code:

iptables -t nat -L

fei 05-13-2005 04:16 AM

Just realised the "echo 1 > /proc/sys/net/ipv4/ip_forward" didn't work in the rc.firewall script; I had to type it at the command prompt to enable ip_forward.

After that, the output of ssh 172.16.0.2 is:
ssh: connect to host 172.16.0.2 port 22: Connection refused

Have any idea what's wrong?

win32sux 05-13-2005 04:17 AM

you can test the wall by adding a LOG rule to the end of the FORWARD chain and then monitoring the logfile when you attempt to SSH to the outside from within the LAN...

fei 05-13-2005 04:19 AM

Output for iptables -L:

Code:

Chain INPUT (policy DROP)
target    prot opt source              destination
ACCEPT    all  --  anywhere            anywhere
ACCEPT    icmp --  anywhere            anywhere            state NEW,RELATED,ESTABLISHED
ACCEPT    udp  --  anywhere            ralf.localdomain    udp dpts:bootps:bootpc
ACCEPT    udp  --  anywhere            ralf.localdomain    udp dpt:domain
ACCEPT    tcp  --  anywhere            anywhere            tcp spt:ssh
ACCEPT    tcp  --  anywhere            anywhere            tcp dpt:ssh
ACCEPT    tcp  --  anywhere            anywhere            tcp dpt:http

Chain FORWARD (policy DROP)
target    prot opt source              destination
ACCEPT    all  --  anywhere            anywhere            state RELATED,ESTABLISHED
ACCEPT    tcp  --  192.168.1.0/24      anywhere            tcp dpt:ssh state NEW
REJECT    all  --  anywhere            anywhere            reject-with icmp-port-unreachable

Chain OUTPUT (policy ACCEPT)
target    prot opt source              destination
ACCEPT    all  --  anywhere            anywhere
ACCEPT    icmp --  anywhere            anywhere            state NEW,RELATED,ESTABLISHED
ACCEPT    udp  --  ralf.localdomain    anywhere            udp spts:bootps:bootpc
ACCEPT    udp  --  ralf.localdomain    anywhere            udp spt:domain
ACCEPT    tcp  --  anywhere            anywhere            tcp dpt:ssh
ACCEPT    tcp  --  anywhere            anywhere            tcp spt:ssh
ACCEPT    tcp  --  anywhere            anywhere            tcp spt:http



output for iptables -t nat -L
Code:

Chain PREROUTING (policy ACCEPT)
target    prot opt source              destination

Chain POSTROUTING (policy ACCEPT)
target    prot opt source              destination
SNAT      all  --  anywhere            anywhere            to:172.16.0.1
SNAT      all  --  anywhere            anywhere            to:192.168.1.1
SNAT      all  --  anywhere            anywhere            to:172.16.0.1
SNAT      all  --  anywhere            anywhere            to:172.16.0.1
SNAT      all  --  anywhere            anywhere            to:172.16.0.1

Chain OUTPUT (policy ACCEPT)
target    prot opt source              destination


win32sux 05-13-2005 04:24 AM

Quote:

Originally posted by fei
Just realised the "echo 1 > /proc/sys/net/ipv4/ip_forward" didn't work in the rc.firewall script; I had to type it at the command prompt to enable ip_forward.
are you using slackware?? let me know if you are...

Quote:

After that, the output of ssh 172.16.0.2 is:
ssh: connect to host 172.16.0.2 port 22: Connection refused
this means you are getting a REJECT from 172.16.0.2, and since the policy on the wall is DROP it would seem the packet isn't getting stopped by the wall but by whatever is at 172.16.0.2, which would be beyond me... if the wall was giving a DROP to the 22/TCP packets then you'd get a "Connection timed out" instead of a "Connection refused" AFAIK...

Quote:

Have any idea what's wrong?
not yet, i'm looking at the output you just posted...


fei 05-13-2005 04:27 AM

YES, I'm using Slackware for doing the firewall. Is this a problem of Slackware?

win32sux 05-13-2005 04:29 AM

Quote:

Originally posted by fei
YES, I'm using Slackware for doing the firewall. Is this a problem of Slackware?
no, it's not a slackware issue... please post your rc.firewall...

win32sux 05-13-2005 04:32 AM

Quote:

Originally posted by fei
Chain POSTROUTING (policy ACCEPT)
target prot opt source destination
SNAT all -- anywhere anywhere to:172.16.0.1
SNAT all -- anywhere anywhere to:192.168.1.1
SNAT all -- anywhere anywhere to:172.16.0.1
SNAT all -- anywhere anywhere to:172.16.0.1
SNAT all -- anywhere anywhere to:172.16.0.1
there shouldn't be multiple "172.16.0.1" lines here... but mainly i'm boggled by the "192.168.1.1" in your POSTROUTING chain... it doesn't make any sense, AFAIK...

i'd like to look at your rc.firewall to see what's going on here...


fei 05-13-2005 04:32 AM

my rc.firewall

Code:

#!/bin/sh

# Abort execution on error
set -e

PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin

# You can use this version if you don't want logging
#IPTABLES="/sbin/iptables"
# Use this version to log firewall startup output
IPTABLES=iptables_log

fwlog=/var/log/firewall_start.log
# Clear out the contents of the log file
> $fwlog
iptables_log() {
    # Append IPTables command (arguments) to the log
    echo "$*" >> $fwlog
    # Run the command and log any output
    /usr/sbin/iptables $* 2>&1 | tee -a $fwlog
}



# You should always refer to useful names. It eases verification.
EthernetIface=eth0
WirelessIface=eth1
InternetIface=eth2

# IP range
EthernetIPs="192.168.1.1/24"
WirelessIPs="192.168.2.1/24"
InternetIPs="172.16.0.1/30"

#
# Bring up the firewall
#
start() {
    # Flush the chains
    $IPTABLES -F
    $IPTABLES -X

    # Turn on packet forwarding
    echo "1" > /proc/sys/net/ipv4/ip_forward

    # Accept lo interface always
    $IPTABLES -A OUTPUT -o lo -j ACCEPT
    $IPTABLES -A INPUT -i lo -j ACCEPT

    # Set default policies for major chains
    # TODO Are these suitable policies?
    $IPTABLES -P OUTPUT ACCEPT
    $IPTABLES -P INPUT DROP
    $IPTABLES -P FORWARD DROP

    # accept icmp, so ping can work
    $IPTABLES -A INPUT -p icmp -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
    $IPTABLES -A OUTPUT -p icmp -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT


    # Ethernet to Internet -> This is FORWARDING using nat
    $IPTABLES -P FORWARD DROP

    $IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j LOG

    $IPTABLES -A FORWARD -p TCP -i eth0 -o eth2 --dport 22 -s 192.168.1.1/24 -m state --state NEW -j LOG

    $IPTABLES -t nat -A POSTROUTING -o eth2 -j SNAT --to-source 172.16.0.1


    # Ethernet to Router
    # allow DHCP from Ethernet to Ralph
    $IPTABLES -A INPUT -i $EthernetIface -p udp -d 192.168.1.1 --dport 67:68 -j ACCEPT
    # allow DHCP from Ralph to Ethernet
    $IPTABLES -A OUTPUT -o $EthernetIface -p udp -s 192.168.1.1 --sport 67:68 -j ACCEPT   
    # allow DNS from Ethernet to Ralph
    $IPTABLES -A INPUT -i $EthernetIface -p udp -d 192.168.1.1 --dport 53 -j ACCEPT
    # allow DNS from Ralph to Ethernet
    $IPTABLES -A OUTPUT -o $EthernetIface -p udp -s 192.168.1.1 --sport 53 -j ACCEPT
    # allow ssh from ralf to client1
    $IPTABLES -A INPUT -i $EthernetIface -p tcp --sport 22 -j ACCEPT
    $IPTABLES -A OUTPUT -o $EthernetIface -p tcp --dport 22 -j ACCEPT
    # allow ssh from client1 to ralf
    $IPTABLES -A INPUT -i $EthernetIface -p tcp --dport 22  -j ACCEPT
    $IPTABLES -A OUTPUT -o $EthernetIface -p tcp --sport 22 -j ACCEPT
    # allow www from client1 to ralf
    $IPTABLES -A INPUT -i $EthernetIface -p tcp --dport 80  -j ACCEPT
    $IPTABLES -A OUTPUT -o $EthernetIface -p tcp --sport 80 -j ACCEPT
       

   

    # Set up NAT - SNAT outgoing connections
    # TODO
   
    # Port forwarding - DNAT incoming connections
    # TODO

    # Set up connection tracking
    # TODO

    # Create chains
    # TODO

    # Link chains together
    # TODO

    # Fill in each chain
    # TODO

    # FORWARD chain
    echo 0 > /proc/sys/net/ipv4/ip_forward
    $IPTABLES -A FORWARD -j REJECT
    $IPTABLES -P FORWARD DROP
}

#
# Take down the firewall, throwing the system wide open
#
stop() {
    $IPTABLES -F
    $IPTABLES -X
    $IPTABLES -P INPUT ACCEPT
    $IPTABLES -P OUTPUT ACCEPT
    $IPTABLES -P FORWARD ACCEPT
}

case "$1" in
  start|restart)
        echo -n "Starting IPTables firewall"
        start
        echo "."
        ;;
  stop)
        echo -n "Stopping IPTables firewall"
        stop
        echo "."
        ;;
  *)
        echo "Usage: /etc/rc.d/rc.firewall {start|stop|restart}" >&2
        exit 1
        ;;
esac

exit 0


fei 05-13-2005 04:37 AM

Found one thing: I should disable "echo 0 > /proc/sys/net/ipv4/ip_forward" at the end. That's why "echo 1 > ..." didn't work.

win32sux 05-13-2005 05:02 AM

try this cleaned-up version i made of your script :):
Code:

#!/bin/sh

IPTABLES="/usr/sbin/iptables"

EthernetIface="eth0"
WirelessIface="eth1"
InternetIface="eth2"

EthernetIPs="192.168.1.1/24"
WirelessIPs="192.168.2.1/24"
InternetIP="172.16.0.1"

echo "0" > /proc/sys/net/ipv4/ip_forward
echo "1" > /proc/sys/net/ipv4/tcp_syncookies
echo "0" > /proc/sys/net/ipv4/tcp_timestamps
echo "1" > /proc/sys/net/ipv4/conf/all/rp_filter
echo "1" > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
echo "0" > /proc/sys/net/ipv4/conf/all/accept_source_route
echo "1" > /proc/sys/net/ipv4/conf/all/secure_redirects
echo "1" > /proc/sys/net/ipv4/conf/all/log_martians

$IPTABLES -F
$IPTABLES -F -t nat
$IPTABLES -F -t mangle

$IPTABLES -X
$IPTABLES -X -t nat
$IPTABLES -X -t mangle

$IPTABLES -P INPUT DROP
$IPTABLES -P OUTPUT ACCEPT
$IPTABLES -P FORWARD DROP

$IPTABLES -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

$IPTABLES -A INPUT -i lo -m state --state NEW -j ACCEPT

$IPTABLES -A INPUT -p TCP ! --syn -m state --state NEW -j DROP

$IPTABLES -A INPUT -p ICMP --icmp-type 8 \
-m state --state NEW -j ACCEPT

$IPTABLES -A INPUT -p UDP -i $EthernetIface \
--dport 67 --sport 68 -j ACCEPT
 
$IPTABLES -A INPUT -p UDP -i $EthernetIface -s $EthernetIPs --dport 53 \
-m state --state NEW -j ACCEPT

$IPTABLES -A INPUT -p TCP -i $EthernetIface -s $EthernetIPs --dport 22 \
-m state --state NEW -j ACCEPT

$IPTABLES -A INPUT -p TCP -i $EthernetIface -s $EthernetIPs --dport 80 \
-m state --state NEW -j ACCEPT

$IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

$IPTABLES -A FORWARD -p TCP -i $EthernetIface -o $InternetIface \
--dport 22 -s $EthernetIPs -m state --state NEW -j ACCEPT

$IPTABLES -t nat -A POSTROUTING -o $InternetIface \
-j SNAT --to-source $InternetIP

echo "1" > /proc/sys/net/ipv4/ip_forward

echo "So let it be written. So let it be done."


fei 05-13-2005 05:04 AM

Quote:

Originally posted by win32sux
there shouldn't be multiple "172.16.0.1" lines here... but mainly i'm boggled by the "192.168.1.1" in your POSTROUTING chain... it doesn't make any sense, AFAIK...

i'd like to look at your rc.firewall to see what's going on here...

Actually, to remove the multiple "172.16.0.1" lines, I need to flush the nat table every time I start the firewall again, so:
Code:

iptables -t nat -F

win32sux 05-13-2005 05:08 AM

i had missed the ESTABLISHED,RELATED rule in the FORWARD chain of the script i just posted and i just added it so please make sure you are using the latest one when you try...

fei 05-13-2005 05:10 AM

Sorry. Can you post the latest version again? Just want to make sure I'm using the right one.

win32sux 05-13-2005 05:11 AM

http://www.linuxquestions.org/questi...70#post1640370

fei 05-13-2005 05:14 AM

Sorry, still the same, connection refused:
Code:

root@client1:~# ssh 172.16.0.2
ssh: connect to host 172.16.0.2 port 22: Connection refused


fei 05-13-2005 05:17 AM

I think something is wrong with the server 172.16.0.2, not your fault. I'll try to fix it.

Seriously, thanks for your help. It might have taken me forever to do it. It's so hard to understand how iptables works, especially FORWARD and nat.

win32sux 05-13-2005 05:19 AM

since there's no REJECT rules in the script, i'd have to say i believe the issue is at 172.16.0.2 (maybe there isn't even an ssh daemon running at that address)...

if the packet was getting dropped by this script you'd be getting a timeout and not a refusal...


win32sux 05-13-2005 05:24 AM

Quote:

Originally posted by fei
I think something is wrong with the server 172.16.0.2, not your fault. I'll try to fix it.

Seriously, thanks for your help. It might have taken me forever to do it. It's so hard to understand how iptables works, especially FORWARD and nat.

yeah, i had figured that: http://www.linuxquestions.org/questi...28#post1640328 :)

hehe... still, the script you had was a mess, i know the one i posted will work much better for you, and it's much cleaner so you'll be able to understand it better... let me know if you have any questions about the script (or about iptables in general) and i'll be glad to do my best and answer them to help you get the hang of iptables...

good luck...


fei 05-13-2005 05:28 AM

Something is wrong with 172.16.0.2. It should have worked the first time you gave the code, if I could have enabled ip_forward. There are so many things I need to know to solve a single problem. If I don't know enough, I can't even find out what causes the problem.

One last thing. I really like playing with firewalls. Do you know any good resource to learn iptables? (Not the docs on http://netfilter.org; all the docs are lacking details of explanation for what's really going on.)

win32sux 05-13-2005 05:34 AM

well, this tutorial is a very popular link here at LQ:

http://iptables-tutorial.frozentux.n...-tutorial.html

personally i haven't read it, but it's always recommended by folks here at LQ...

feel free to ask me any iptables questions you want... i'll be back online when i wake-up, i'm going to sleep now... take care buddy... buh-bye...

win32sux 05-13-2005 05:41 PM

i've added a few things to the script which i accidentally left-out yesterday cuz i was so sleepy:

- added input rule for loopback interface (very important)...

- added "--sport 68" to the dhcp input rule cuz that's what dhcp packets look like, they come from port 68 and into port 67...

- added "new not syn" input rule to drop any packets of state NEW which aren't SYN...

you can get the updated script at the same place:

http://www.linuxquestions.org/questi...70#post1640370


fei 05-22-2005 08:35 PM

Hi, win32sux. I've got the forward and nat working properly. BUT, there is still one thing that has been bothering me for a long time.

Code:

    # (1) allow ssh from ralf to client1
    $IPTABLES -A INPUT -i $EthernetIface -p tcp --sport 22 -j ACCEPT
    $IPTABLES -A OUTPUT -o $EthernetIface -p tcp --dport 22 -j ACCEPT
   
    # (2) allow ssh from client1 to ralf
    $IPTABLES -A INPUT -i $EthernetIface -p tcp --dport 22  -j ACCEPT
    $IPTABLES -A OUTPUT -o $EthernetIface -p tcp --sport 22 -j ACCEPT

The above code is the partial code I wrote originally by myself. In order to allow ssh from ralf to client1, I need to specify the first rule in the firewall. The thing is, I can only check that it's tcp and with source port 22, but I can't check destination port 22. So the code will be like this:

Code:

    # (1) allow ssh from ralf to client1
    $IPTABLES -A INPUT -i $EthernetIface -p tcp --sport 22 --dport 22 -j ACCEPT
    $IPTABLES -A OUTPUT -o $EthernetIface -p tcp --dport 22 --sport 22 -j ACCEPT

If I specify the rule like this, then both of the rules will be the same. This doesn't seem right.

I don't know if I explained clearly.

The question is how I can know when to check the source port only and when to check the destination port only?

Thanks.

win32sux 05-22-2005 10:30 PM

Quote:

Originally posted by fei
Hi, win32sux. I've got the forward and nat working properly. BUT, there is still one thing that has been bothering me for a long time.

Code:

    # (1) allow ssh from ralf to client1
    $IPTABLES -A INPUT -i $EthernetIface -p tcp --sport 22 -j ACCEPT
    $IPTABLES -A OUTPUT -o $EthernetIface -p tcp --dport 22 -j ACCEPT
   
    # (2) allow ssh from client1 to ralf
    $IPTABLES -A INPUT -i $EthernetIface -p tcp --dport 22  -j ACCEPT
    $IPTABLES -A OUTPUT -o $EthernetIface -p tcp --sport 22 -j ACCEPT

The above code is the partial code I wrote originally by myself. In order to allow ssh from ralf to client1, I need to specify the first rule in the firewall. The thing is, I can only check that it's tcp and with source port 22, but I can't check destination port 22. So the code will be like this:

Code:

    # (1) allow ssh from ralf to client1
    $IPTABLES -A INPUT -i $EthernetIface -p tcp --sport 22 --dport 22 -j ACCEPT
    $IPTABLES -A OUTPUT -o $EthernetIface -p tcp --dport 22 --sport 22 -j ACCEPT

If I specify the rule like this, then both of the rules will be the same. This doesn't seem right.

I don't know if I explained clearly.

The question is how I can know when to check the source port only and when to check the destination port only?

Thanks.

you aren't specifying any host on any of those rules, so i'm not sure where "ralf" is... the rule i placed in the script would allow SSH coming into $EthernetIface, but (at least) it would check to make sure it was coming from an IP in subnet $EthernetIPs:
Code:

$IPTABLES -A INPUT -p TCP -i $EthernetIface -s $EthernetIPs --dport 22 \
-m state --state NEW -j ACCEPT

if you need to specify the IP of the host you want to allow to connect via SSH just use the host's IP instead of the subnet, like:
Code:

$IPTABLES -A INPUT -p TCP -i $EthernetIface -s 192.168.1.104 --dport 22 \
-m state --state NEW -j ACCEPT

also, you don't need to include any OUTPUT rule when the policy is ACCEPT - it's pointless...

BTW, these rules you've posted aren't checking for the packet's state, kinda defeats the purpose of having a packet-state filtering firewall... those rules are part of the ones i erased when i cleaned-up your script as they didn't make any sense...

as for the source ports: it depends, some connection types always use the same source port, some don't... you need to read docs in order to know which... for example, DHCP will use source port 68 by standard, but SSH won't use any specific source port so using a "--sport 22" in your SSH rules will give you nothing but headaches...


