You're right about the MASQUERADE rule; it needs to match traffic exiting the WAN interface.
Please use [code][/code] tags around code, scripts, logs etc. as it greatly improves readability.
Quote:
Originally Posted by enyawix
iptables -N state-checking
iptables -A state-checking -m state --state INVALID -j DROP
iptables -A state-checking -p tcp -m tcp --tcp-flags SYN,ACK SYN,ACK -m state --state NEW -j DROP
iptables -A state-checking -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -m state --state NEW -j DROP
Check state or flags, not both. The last rule is pointless, as you're matching "packets without the SYN flag set and the FIN/RST/ACK flags set, matching the state NEW". No packet can possibly match those criteria.
Quote:
Originally Posted by enyawix
iptables -A state-checking -p udp -m udp -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A state-checking -p tcp -m tcp -m state --state RELATED,ESTABLISHED -j ACCEPT
Unless you deliberately want to exclude non-TCP/UDP sessions (like responses to ICMP pings), you might as well delete the "-p udp -m udp" part from the first of these two rules, and omit the second rule.
Quote:
Originally Posted by enyawix
#
# Some ip range checking
#
iptables -N local-only
iptables -A local-only -i lo -j ACCEPT
iptables -A local-only -i $LAN -s 192.168.0.0/24 -j ACCEPT
iptables -A local-only -i $LAN -d 192.168.0.0/24 -j ACCEPT
iptables -A local-only -i $WAN -s 0.0.0.0/8 -j DROP
iptables -A local-only -i $WAN -s 127.0.0.0/8 -j DROP
iptables -A local-only -i $WAN -s 10.0.0.0/8 -j DROP
iptables -A local-only -i $WAN -s 169.254.0.0/16 -j DROP
iptables -A local-only -i $WAN -s 172.16.0.0/12 -j DROP
iptables -A local-only -i $WAN -s 192.0.2.0/24 -j DROP
iptables -A local-only -i $WAN -s 192.168.0.0/16 -j DROP
iptables -A local-only -i $WAN -s 224.0.0.0/3 -j DROP
Some of these rules are not required. Invalid addresses like 0.0.0.0/0 and 127.0.0.0/8 ("martians") are dropped by the IP stack. Not sure why you're blocking all multicast addresses; should that perhaps be 224.0.0.0/8 (link-local multicast)?
Also, the "-i lo -j ACCEPT" rule really, really, REALLY needs to be at the top of the INPUT chain, and not in a user-defined chain called further down the line.
Quote:
Originally Posted by enyawix
# Allow outgoing connections from the LAN side.
iptables -A FORWARD -i $LAN -o $WAN -j ACCEPT
OK, you just allowed all traffic from the LAN to the Internet...
Quote:
Originally Posted by enyawix
# Don't forward from the outside to the inside.
iptables -A FORWARD -i $WAN -o $LAN -j DROP
...and then you summarily block everything going in the opposite direction, including reply packets. The result will be that nothing will work.
Quote:
Originally Posted by enyawix
iptables -P INPUT DROP
iptables -A INPUT -j state-checking
iptables -A INPUT -j local-only
This looks OK (but as I mentioned, the loopback rule should be the first rule in the INPUT chain).
Quote:
Originally Posted by enyawix
iptables -P FORWARD DROP
iptables -A FORWARD -j state-checking
iptables -A FORWARD -j local-only
iptables -A FORWARD -i $LAN -j ACCEPT
No packets will ever reach this part of the FORWARD chain, as they will either have been allowed by the blanket ACCEPT rule for LAN-to-WAN traffic, or blocked by the DROP rule covering all WAN-to-LAN traffic.
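For reference, here is the same ruleset reordered along the lines of the points above; this is an added example, not enyawix's script, and the interface names (eth0/eth1) and the 192.168.0.0/24 LAN subnet are assumptions. Passing "echo" instead of "iptables" lists the rules so the ordering can be checked without root.

```shell
#!/bin/sh
# Added example (not the poster's script): loopback first in INPUT, state
# checks without a protocol restriction, replies accepted in FORWARD before
# the WAN->LAN drop, and MASQUERADE tied to the WAN interface.
LAN="${LAN:-eth1}"          # assumed LAN interface name
WAN="${WAN:-eth0}"          # assumed WAN interface name
LANNET="192.168.0.0/24"     # LAN subnet used in the original post

# rules CMD: feed every rule to CMD ("iptables" to apply, "echo" to list)
rules() {
    ipt="${1:-iptables}"
    $ipt -P INPUT DROP
    $ipt -P FORWARD DROP
    $ipt -P OUTPUT ACCEPT

    # Loopback is the very first INPUT rule, not buried in a user chain.
    $ipt -A INPUT -i lo -j ACCEPT
    # No "-p tcp"/"-p udp" here, so ICMP replies are covered as well.
    $ipt -A INPUT -m state --state INVALID -j DROP
    $ipt -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
    # Private/link-local sources arriving on the WAN side.
    $ipt -A INPUT -i $WAN -s 10.0.0.0/8 -j DROP
    $ipt -A INPUT -i $WAN -s 172.16.0.0/12 -j DROP
    $ipt -A INPUT -i $WAN -s 192.168.0.0/16 -j DROP
    $ipt -A INPUT -i $WAN -s 169.254.0.0/16 -j DROP
    # LAN hosts may reach the router itself.
    $ipt -A INPUT -i $LAN -s $LANNET -j ACCEPT

    # FORWARD: accept replies BEFORE the WAN->LAN drop, so LAN sessions work.
    $ipt -A FORWARD -m state --state INVALID -j DROP
    $ipt -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
    $ipt -A FORWARD -i $LAN -o $WAN -s $LANNET -j ACCEPT
    # Only unsolicited inbound traffic is left to hit this rule.
    $ipt -A FORWARD -i $WAN -o $LAN -j DROP

    # MASQUERADE has to match traffic leaving the WAN interface.
    $ipt -t nat -A POSTROUTING -o $WAN -j MASQUERADE
}

# rule_index PATTERN: 1-based position of the first listed rule containing
# PATTERN (empty if none), for checking the order without touching iptables.
rule_index() {
    rules echo | grep -nF -- "$1" | head -n 1 | cut -d: -f1
}

if [ "${1:-}" = "apply" ]; then
    rules iptables
elif [ "${1:-}" = "list" ]; then
    rules echo
fi
```

Run it as "sh firewall.sh list" to review the order, and "sh firewall.sh apply" as root to load it.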