iptables rules with some error

nadvig · 07-08-2012, 06:25 PM

hello

here is my config (firewall and dmz pcs are Ubuntu server)

firewall iptables pc ip static ADSL(ppp0) eth1
dmz web/pop/dns server 192.168.10.1 eth0
local network 192.168.1.1 eth2

right now every pc can ping the other pc whatever is the local, dmz, or the firewall pc. good!

the firewall can go outside (internet) good! but no others pc. bad!

here are my rules. can someone look at it? i want that each pc can go outside (internet) on port 80, i want to set up the pop server on the dmz, i want dns, smtp, ssl, and ssh on port 222.

*nat
:PREROUTING ACCEPT
:INPUT ACCEPT
:OUTPUT ACCEPT
:POSTROUTING ACCEPT
-A PREROUTING -i eth0 -p tcp -m tcp --dport 80 -j DNAT --to-destination 192.168.10.1:80
-A PREROUTING -i eth0 -p tcp -m tcp --dport 25 -j DNAT --to-destination 192.168.10.1:25
-A PREROUTING -i eth0 -p tcp -m tcp --dport 110 -j DNAT --to-destination 192.168.10.1:110
-A PREROUTING -i ppp0 -p tcp -m tcp --dport 443 -j DNAT --to-destination 192.168.10.1:443
-A PREROUTING -i ppp0 -p tcp -m tcp --dport 222 -j DNAT --to-destination 192.168.10.1:222
-A PREROUTING -i ppp0 -p tcp -m tcp --dport 53 -j DNAT --to-destination 192.168.10.1:53
-A PREROUTING -i ppp0 -p udp -m udp --dport 53 -j DNAT --to-destination 192.168.10.1:53
-A POSTROUTING -o ppp0 -j MASQUERADE
COMMIT
*filter
:INPUT DROP
:FORWARD DROP
:OUTPUT ACCEPT
:LOGGING -
:fail2ban-ssh -
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A INPUT -m state --state INVALID -j LOG --log-prefix "drop invalid" --log-tcp-options --log-ip-options
-A INPUT -m state --state INVALID -j DROP
-A INPUT ! -i lo -j LOG --log-prefix "drop" --log-tcp-options --log-ip-options
-A INPUT -i lo -j LOG --log-prefix "drop" --log-tcp-options --log-ip-options
-A INPUT -p tcp -m tcp --tcp-flags FIN,PSH,ACK,URG FIN,PSH,ACK,URG -j DROP
-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,RST,PSH,ACK,URG -j DROP
-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j DROP
-A INPUT -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -j DROP
-A INPUT -m pkttype --pkt-type broadcast -j DROP
-A INPUT -j LOG --log-prefix "iptables input drop"
-A INPUT -j LOGGING
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i eth0 -m state --state NEW -j ACCEPT
-A FORWARD -i ppp0 -o eth0 -p tcp -m tcp --dport 25 -j ACCEPT
-A FORWARD -i ppp0 -o eth0 -p tcp -m tcp --dport 222 -j ACCEPT
-A FORWARD -i ppp0 -o eth0 -p udp -m udp --dport 53 -j ACCEPT
-A FORWARD -i ppp0 -o eth0 -p tcp -m tcp --dport 53 -j ACCEPT
-A FORWARD -i ppp0 -o eth0 -p tcp -m tcp --dport 80 -j ACCEPT
-A FORWARD -i ppp0 -o eth0 -p tcp -m tcp --dport 110 -j ACCEPT
-A FORWARD -i ppp0 -o eth0 -p tcp -m tcp --dport 443 -j ACCEPT
-A FORWARD -m state --state INVALID -j LOG --log-prefix "drop" --log-tcp-options --log-ip-options
-A FORWARD -m state --state INVALID -j DROP
-A FORWARD -j LOG --log-prefix "iptables forward drop"
-A LOGGING -m limit --limit 2/min -j LOG --log-prefix "IPTables Packet Dropped: " --log-level 7
-A LOGGING -j DROP
-A fail2ban-ssh -j RETURN
COMMIT

that's it, thanks for your help, as soon as possible

N

nadvig · 07-10-2012, 07:23 PM

hi!

is it because my question is too long???? There is a lot of people who look at it without one answer from you.

i only want to know why my rules are not working and there were working before i move house last month. my network is the same than before except the interfaces on the firewall may have change. but i think i have take care of this on the rules. But sadly the local and dmz networks cannot go outside (Internet).

thanks