LinuxQuestions.org
Linux - Networking
Old 03-24-2003, 03:16 AM   #1
ratty007
LQ Newbie
 
Registered: Mar 2003
Posts: 16

Rep: Reputation: 0
opening port, newb alert :)


Here's my fw script. I'm trying to get SSL/IRC/LinkNet working, so I need port 113 let through for identd. Any solutions to help out a Linux newbie?

#!/bin/sh
### set up NAT host masquerading on eth0 (eth0 = external interface, 10.4.20.0/24 = LAN)
iptables -t nat -A POSTROUTING -s 10.4.20.0/24 -o eth0 -j MASQUERADE
# user-defined chain that holds the input policy
iptables -N block
iptables -F block
# allow localhost network access
# (an "-o lo" rule is never matched when the chain is entered from INPUT,
#  since packets there have no output interface, so only the "-i lo" rule is kept)
iptables -A block -i lo -j ACCEPT
# allow established and related connections from outside
iptables -A block -m state --state ESTABLISHED,RELATED -j ACCEPT
# allow all new connections on all interfaces EXCEPT eth0 (external)
# (negation goes before the option: "! -i eth0"; "-i ! eth0" is the old, deprecated form)
iptables -A block -m state --state NEW ! -i eth0 -j ACCEPT
# allow inbound FTP, SSH, HTTP (names resolved through /etc/services)
iptables -A block -p tcp --dport http -j ACCEPT
iptables -A block -p tcp --dport ftp -j ACCEPT
iptables -A block -p tcp --dport ssh -j ACCEPT
# drop everything else
iptables -A block -j DROP
# apply block filter to INPUT
iptables -A INPUT -j block
# enable IPv4 forwarding (a plain ">" is enough; /proc entries are overwritten, not appended to)
echo 1 > /proc/sys/net/ipv4/ip_forward

Thanks in advance, great board btw.

Last edited by ratty007; 03-24-2003 at 03:18 AM.
 
Old 03-24-2003, 09:21 AM   #2
Capt_Caveman
Senior Member
 
Registered: Mar 2003
Distribution: Fedora
Posts: 3,658

Rep: Reputation: 69
1. You've got "block" in there instead of the chain, which should be one of INPUT, OUTPUT, or FORWARD. You've also used it as the target, which I think should be DROP or REJECT.

2. You need some prerouting rules. Something like:
iptables -A PREROUTING -t nat -d firewallsaddress -p tcp --dport X -j DNAT --to-destination 10.4.20.0
Where X is the port you want to forward.

3. It's hard to decipher your rules, but you'll need some forwarding rules in there as well. Something like:
iptables -A FORWARD -i eth0 -o eth1 -p tcp --dport 80 -m state --state NEW,RELATED -j ACCEPT
iptables -A FORWARD -i eth1 -o eth0 -j ACCEPT

Try making those changes and see if that works. If not then post your modified rules.
 
Old 03-24-2003, 10:38 AM   #3
Capt_Caveman
Senior Member
 
Registered: Mar 2003
Distribution: Fedora
Posts: 3,658

Rep: Reputation: 69
Just realized that you did a user-defined chain (iptables -N block). That makes a lot more sense now. That should work for the INPUT rules, but you need to add the PREROUTING and FORWARD rules to masquerade.
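The pieces the thread asks for, pulled together as an added example (this is not code from the original poster or from Capt_Caveman): the poster's user-defined "block" chain, the port 113 rule for identd, and the FORWARD and PREROUTING rules the replies say are missing. Everything not stated in the thread is an assumption: eth1 as the LAN-side interface, the IPT variable (set to echo to print rules instead of loading them), the RUN_IDENTD switch, and the forward_port helper and its 10.4.20.5 example host.

```shell
#!/bin/sh
# Added example, not from the original thread. Combines the poster's user-defined
# "block" chain with the port 113 (identd) rule asked for and the FORWARD/PREROUTING
# rules Capt_Caveman says are missing.
# Assumptions (not stated in the thread): eth0 is the external interface,
# eth1 is the LAN side of 10.4.20.0/24. IPT=echo prints the rules instead of
# loading them, so the script can be reviewed without root.
IPT="${IPT:-iptables}"
EXT_IF="${EXT_IF:-eth0}"
LAN_IF="${LAN_IF:-eth1}"
LAN_NET="${LAN_NET:-10.4.20.0/24}"
RUN_IDENTD="${RUN_IDENTD:-yes}"   # set to "no" if no identd is listening on this host

build_firewall() {
    # start from a clean slate so the script can be re-run without duplicating rules
    $IPT -F INPUT
    $IPT -F FORWARD
    $IPT -t nat -F
    $IPT -N block 2>/dev/null || true
    $IPT -F block

    # NAT for the LAN behind the firewall
    $IPT -t nat -A POSTROUTING -s "$LAN_NET" -o "$EXT_IF" -j MASQUERADE

    # input policy lives in the user-defined "block" chain
    $IPT -A block -i lo -j ACCEPT
    $IPT -A block -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A block -m state --state NEW ! -i "$EXT_IF" -j ACCEPT
    for svc in http ftp ssh; do
        $IPT -A block -p tcp --dport "$svc" -m state --state NEW -j ACCEPT
    done
    # port 113 (ident): IRC servers probe it when a client connects. With identd
    # running, accept it. Without identd, answer with a TCP reset rather than DROP:
    # a reset makes the server's ident lookup fail immediately instead of stalling
    # the connection until the server's ident timeout expires.
    if [ "$RUN_IDENTD" = yes ]; then
        $IPT -A block -p tcp --dport 113 -m state --state NEW -j ACCEPT
    else
        $IPT -A block -p tcp --dport 113 -j REJECT --reject-with tcp-reset
    fi
    $IPT -A block -j DROP
    $IPT -A INPUT -j block

    # FORWARD: LAN hosts may go out; from outside only replies come back in
    $IPT -A FORWARD -i "$LAN_IF" -o "$EXT_IF" -j ACCEPT
    $IPT -A FORWARD -i "$EXT_IF" -o "$LAN_IF" -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A FORWARD -j DROP
}

# forward_port EXT_PORT LAN_HOST [LAN_PORT]: publish a LAN service on the firewall's
# external address. Matching on -i $EXT_IF instead of -d <firewall IP> keeps the
# rule valid when the external address is dynamic. The FORWARD rule must match the
# translated destination, because DNAT in PREROUTING runs before FORWARD sees the
# packet. -I places it ahead of the final DROP appended by build_firewall.
forward_port() {
    ext_port=$1
    lan_host=$2
    lan_port=${3:-$1}
    $IPT -t nat -A PREROUTING -i "$EXT_IF" -p tcp --dport "$ext_port" \
        -j DNAT --to-destination "$lan_host:$lan_port"
    $IPT -I FORWARD -i "$EXT_IF" -o "$LAN_IF" -d "$lan_host" -p tcp --dport "$lan_port" \
        -m state --state NEW -j ACCEPT
}

enable_forwarding() {
    echo 1 > /proc/sys/net/ipv4/ip_forward
}

case "${1:-}" in
    apply)   build_firewall; enable_forwarding ;;
    dry-run) IPT=echo; build_firewall ;;
esac
```

Run it as `sh fw.sh dry-run` to read the rules it would load, and as root with `sh fw.sh apply` to load them; a LAN web server would be published with a call such as `forward_port 80 10.4.20.5` after `build_firewall` (constructed example values). Two things worth checking afterwards: `iptables -L block -n -v` should show the port 113 rule above the final DROP, and an identd that is reachable from the Internet answers with local usernames, so leave RUN_IDENTD at "no" and use the tcp-reset rule on any host that does not need to run it.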

All times are GMT -5.