LinuxQuestions.org
Old 02-20-2004, 02:23 AM   #1
ixogn
LQ Newbie
 
Registered: Nov 2003
Posts: 21

Rep: Reputation: 15
My iptables seems to conflict with Firefox


When I run the following iptables script, my Firefox can't work normally. The thing is, whenever I try to type something in the address bar, Firefox becomes dead. But if I do not use it, everything goes well with Firefox.

I am a newbie and don't know much about iptables; can anybody help me check if something is wrong with the script? (I did not write it myself, I just copied it from a forum and changed it for my use.)

PS: I have two Ethernet cards in my machine: eth0 connects to a hub, eth1 connects to the ADSL modem.

Best Regards.

Code:
#!/bin/sh

# Enabling IP forwarding
echo "Enabling IP Forwarding........"
echo 1 > /proc/sys/net/ipv4/ip_forward

# Non-required proc configuration
#echo 1 > /proc/sys/net/ipv4/ip_dynaddr

# Enabling iptables rules

# Internet Configuration.
INET_IF="ppp0"

#extranet interface
EXT_IF="eth1"

#intranet interface
LAN_IF="eth0"
# your LAN's IP range and localhost IP. /24 means to only use the first 24
# bits of the 32 bit IP address. the same as netmask 255.255.255.0
LAN_IP="192.168.0.1"
LAN_IP_RANGE="192.168.0.0/24"
TRUSTED_TCP_PORT="22 25 53 80 110 143 443 3128 6000 6001 6002 7100"

# Localhost Configuration.
LO_IF="lo"
LO_IP="127.0.0.1"

# Module loading.
echo "modprobe modules"
modprobe ip_tables
modprobe ip_nat_ftp
modprobe ip_conntrack
modprobe ip_conntrack_ftp
# Default DROP
echo "Enabling iptables rules"

# Reset the default policies in the tables
iptables -F
iptables -X
iptables -F -t mangle
iptables -X -t mangle
iptables -F -t nat
iptables -X -t nat
iptables -Z -t nat

# Set policies
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP

# Allow loopback access (note: only ICMP is accepted on lo by these two
# rules; TCP and UDP over the loopback interface are not matched here)
iptables -A INPUT -p icmp -i lo -j ACCEPT
iptables -A OUTPUT -p icmp -o lo -j ACCEPT

# Allow all traffic (not just ping) to and from the LAN address range
iptables -A INPUT -p ALL -i $LAN_IF -s $LAN_IP_RANGE -j ACCEPT
iptables -A OUTPUT -p ALL -o $LAN_IF -d $LAN_IP_RANGE -j ACCEPT

# Allow ppp0
iptables -A INPUT -p ALL -i $INET_IF -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -p ALL -o $INET_IF -j ACCEPT

# Create user-specified chains
iptables -N allowed
iptables -N tcp_packets
iptables -N bad_tcp_packets
iptables -N icmp_packets

# bad_tcp_packets chain
iptables -A bad_tcp_packets -p tcp --tcp-flags SYN,ACK SYN,ACK -m state --state NEW -j REJECT --reject-with tcp-reset
iptables -A bad_tcp_packets -p tcp ! --syn -m state --state NEW -j LOG --log-prefix "New not syn:"
iptables -A bad_tcp_packets -p tcp ! --syn -m state --state NEW -j DROP

# allowed chain
iptables -A allowed -p tcp --syn -j ACCEPT
iptables -A allowed -p tcp -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A allowed -p tcp -j DROP

# ICMP rules
iptables -A icmp_packets -p icmp -s 0/0 --icmp-type 8 -j ACCEPT
iptables -A icmp_packets -p icmp -s 0/0 --icmp-type 11 -j ACCEPT

# INPUT chain
# first bad_tcp_packets filter
iptables -A INPUT -p tcp -j bad_tcp_packets

# second icmp_packets filter
iptables -A INPUT -p icmp -i $INET_IF -j icmp_packets

# Open trusted ports
echo "Open trusted ports....."
# (the "services" chain is created here but never referenced; the trusted
# ports are appended to the tcp_packets chain instead)
iptables -N services
for PORT in $TRUSTED_TCP_PORT; do
iptables -A tcp_packets -s 0/0 -p tcp --dport $PORT -j allowed
done
iptables -A INPUT -p tcp -i $INET_IF -j tcp_packets

# Allow BitTorrent connections
# modified for only ports (was 6881:6889)
iptables -A INPUT -p tcp -s 0/0 -i ppp0 --dport 6881:6883 -j ACCEPT
iptables -A INPUT -p tcp -s 0/0 -i ppp0 --dport 6969 -j ACCEPT

# Drop packets arriving on the Internet interface that claim a private or
# loopback source address (anti-spoofing)
iptables -A INPUT -i $INET_IF -s 192.168.0.0/16 -j DROP
iptables -A INPUT -i $INET_IF -s 10.0.0.0/8 -j DROP
iptables -A INPUT -i $INET_IF -s 192.168.1.0/24 -j DROP
iptables -A INPUT -i $INET_IF -s 127.0.0.0/8 -j DROP

# allow DHCP_packets from LAN
iptables -A INPUT -p udp -i $LAN_IF --dport 67 --sport 68 -j ACCEPT

#
iptables -A INPUT -m limit --limit 3/minute --limit-burst 3 -j LOG --log-level INFO --log-prefix "IPT INPUT packets died:"

# FORWARD chain
# bad_tcp_packets filter
iptables -A FORWARD -p tcp -j bad_tcp_packets

#
iptables -A FORWARD -o $INET_IF -s $LAN_IP_RANGE -j ACCEPT

# same to above
#iptables -A FORWARD -i $LAN_IF -s $LAN_IP_RANGE -j ACCEPT
iptables -A FORWARD -i $INET_IF -d $LAN_IP_RANGE -m state --state ESTABLISHED,RELATED -j ACCEPT

#
iptables -A FORWARD -m limit --limit 3/minute --limit-burst 3 -j LOG --log-level DEBUG --log-prefix "IPT FORWARD packets died:"

# Rate-limited fragments and ICMP in FORWARD
iptables -A FORWARD -f -m limit --limit 100/s --limit-burst 100 -j ACCEPT
iptables -A FORWARD -p icmp -m limit --limit 1/s --limit-burst 10 -j ACCEPT

# DDOS

#iptables -A FORWARD -p tcp --tcp-flags SYN,ACK,FIN,RST RST -m limit --limit 1/s -j ACCEPT

# allow UDP
iptables -A FORWARD -p udp -d $LAN_IP_RANGE -i $EXT_IF -j ACCEPT

# WWW to Squid
iptables -t nat -A PREROUTING -i eth0 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 3128
iptables -t nat -A POSTROUTING -s 192.168.0.0/24 -o ppp0 -j MASQUERADE

## iptables END
#echo "Enabling Squid"
#/usr/local/squid/sbin/squid
echo "Enabling ADSL"
adsl-start
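Added example, not part of either post: a small POSIX sh/awk script that summarises the lines the posted script's two LOG rules ("IPT INPUT packets died:" and "IPT FORWARD packets died:") write to the kernel log, grouped by chain, inbound interface, protocol and destination port, so a dropped connection can be located instead of guessed at. The log lines it reads are constructed samples in the iptables LOG target's format; the host name "gw" and every address in them are made up.

```shell
#!/bin/sh
# Added example, not from the thread: summarise what the posted script's
# LOG rules ("IPT INPUT packets died:" and "IPT FORWARD packets died:")
# wrote to the kernel log. The lines below are constructed samples in the
# format of the iptables LOG target; host name "gw" and all addresses are
# made up for the example.
LOG_SAMPLE='Feb 20 02:30:01 gw kernel: IPT INPUT packets died:IN=ppp0 OUT= MAC= SRC=203.0.113.5 DST=198.51.100.7 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=1234 DF PROTO=TCP SPT=44321 DPT=8080 WINDOW=5840 RES=0x00 SYN URGP=0
Feb 20 02:30:02 gw kernel: IPT INPUT packets died:IN=ppp0 OUT= MAC= SRC=203.0.113.5 DST=198.51.100.7 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=1235 DF PROTO=TCP SPT=44322 DPT=8080 WINDOW=5840 RES=0x00 SYN URGP=0
Feb 20 02:30:05 gw kernel: IPT INPUT packets died:IN=ppp0 OUT= MAC= SRC=203.0.113.5 DST=198.51.100.7 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=1236 DF PROTO=TCP SPT=44323 DPT=8080 WINDOW=5840 RES=0x00 SYN URGP=0
Feb 20 02:30:06 gw kernel: IPT INPUT packets died:IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=169.254.10.4 DST=192.168.0.1 LEN=78 TOS=0x00 PREC=0x00 TTL=128 ID=9 PROTO=UDP SPT=137 DPT=137 LEN=58
Feb 20 02:30:07 gw kernel: IPT FORWARD packets died:IN=ppp0 OUT=eth0 SRC=203.0.113.9 DST=192.168.0.10 LEN=48 TOS=0x00 PREC=0x00 TTL=110 ID=501 DF PROTO=TCP SPT=51000 DPT=445 WINDOW=65535 RES=0x00 SYN URGP=0
Feb 20 02:30:08 gw kernel: IPT FORWARD packets died:IN=ppp0 OUT=eth0 SRC=203.0.113.9 DST=192.168.0.10 LEN=48 TOS=0x00 PREC=0x00 TTL=110 ID=502 DF PROTO=TCP SPT=51001 DPT=445 WINDOW=65535 RES=0x00 SYN URGP=0
Feb 20 02:30:09 gw kernel: New not syn:IN=ppp0 OUT= MAC= SRC=203.0.113.5 DST=198.51.100.7 LEN=40 TOS=0x00 PREC=0x00 TTL=52 ID=7 PROTO=TCP SPT=44321 DPT=80 WINDOW=0 RES=0x00 ACK URGP=0'

# Reads syslog-style lines on stdin and prints one line per distinct
# (chain, inbound interface, protocol, destination port), most frequent
# first, as "count chain in_if proto dport". Lines with other prefixes
# (e.g. the bad_tcp_packets "New not syn:" entries) are ignored.
summarize_drops() {
    awk '
        /IPT (INPUT|FORWARD) packets died:/ {
            chain = ($0 ~ /IPT INPUT/) ? "INPUT" : "FORWARD"
            # drop timestamp, host and prefix; what remains is key=value fields
            sub(/.*packets died:/, "")
            inif = proto = dport = "-"
            for (i = 1; i <= NF; i++) {
                split($i, kv, "=")
                if (kv[1] == "IN" && kv[2] != "") inif = kv[2]
                if (kv[1] == "PROTO")             proto = kv[2]
                if (kv[1] == "DPT")               dport = kv[2]
            }
            count[chain " " inif " " proto " " dport]++
        }
        END { for (k in count) print count[k], k }
    ' | sort -rn
}

# Stand-alone run over the constructed sample; on a real gateway feed it
# the matching lines from the kernel log (e.g. /var/log/messages) instead.
printf '%s\n' "$LOG_SAMPLE" | summarize_drops
```

The posted script has no LOG rule in its OUTPUT chain (whose policy is also DROP), so connections the gateway itself originates, including anything over lo where only ICMP is accepted, are dropped without leaving a line for this summary to find; a matching LOG rule at the end of OUTPUT is needed before it can show those.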
 
Old 02-20-2004, 04:51 AM   #2
codedv
Member
 
Registered: Nov 2003
Location: Slough, UK
Distribution: Debian
Posts: 146

Rep: Reputation: 15
If your modem is connected to eth1 then your INET_IF variable should be set to eth1 and not ppp0.

You also do not need the extranet interface: EXT_IF and any rules that use it.
 
  

