LinuxQuestions.org
Linux - Newbie
07-08-2012, 06:25 PM   #1
nadvig (LQ Newbie, Registered: Jul 2012, Posts: 3)
iptables rules with some errors


Hello,

Here is my config (the firewall and DMZ PCs are Ubuntu Server):

firewall: iptables PC, static IP, ADSL (ppp0), eth1
DMZ: web/POP/DNS server, 192.168.10.1, eth0
local network: 192.168.1.1, eth2

Right now every PC can ping every other PC, whether local, DMZ, or the firewall PC. Good!

The firewall can go outside (Internet). Good! But no other PC can. Bad!

Here are my rules. Can someone look at them? I want each PC to be able to go outside (Internet) on port 80, I want to set up the POP server in the DMZ, and I want DNS, SMTP, SSL, and SSH on port 222.

*nat
:PREROUTING ACCEPT
:INPUT ACCEPT
:OUTPUT ACCEPT
:POSTROUTING ACCEPT
-A PREROUTING -i eth0 -p tcp -m tcp --dport 80 -j DNAT --to-destination 192.168.10.1:80
-A PREROUTING -i eth0 -p tcp -m tcp --dport 25 -j DNAT --to-destination 192.168.10.1:25
-A PREROUTING -i eth0 -p tcp -m tcp --dport 110 -j DNAT --to-destination 192.168.10.1:110
-A PREROUTING -i ppp0 -p tcp -m tcp --dport 443 -j DNAT --to-destination 192.168.10.1:443
-A PREROUTING -i ppp0 -p tcp -m tcp --dport 222 -j DNAT --to-destination 192.168.10.1:222
-A PREROUTING -i ppp0 -p tcp -m tcp --dport 53 -j DNAT --to-destination 192.168.10.1:53
-A PREROUTING -i ppp0 -p udp -m udp --dport 53 -j DNAT --to-destination 192.168.10.1:53
-A POSTROUTING -o ppp0 -j MASQUERADE
COMMIT
*filter
:INPUT DROP
:FORWARD DROP
:OUTPUT ACCEPT
:LOGGING -
:fail2ban-ssh -
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A INPUT -m state --state INVALID -j LOG --log-prefix "drop invalid" --log-tcp-options --log-ip-options
-A INPUT -m state --state INVALID -j DROP
-A INPUT ! -i lo -j LOG --log-prefix "drop" --log-tcp-options --log-ip-options
-A INPUT -i lo -j LOG --log-prefix "drop" --log-tcp-options --log-ip-options
-A INPUT -p tcp -m tcp --tcp-flags FIN,PSH,ACK,URG FIN,PSH,ACK,URG -j DROP
-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,RST,PSH,ACK,URG -j DROP
-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j DROP
-A INPUT -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -j DROP
-A INPUT -m pkttype --pkt-type broadcast -j DROP
-A INPUT -j LOG --log-prefix "iptables input drop"
-A INPUT -j LOGGING
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i eth0 -m state --state NEW -j ACCEPT
-A FORWARD -i ppp0 -o eth0 -p tcp -m tcp --dport 25 -j ACCEPT
-A FORWARD -i ppp0 -o eth0 -p tcp -m tcp --dport 222 -j ACCEPT
-A FORWARD -i ppp0 -o eth0 -p udp -m udp --dport 53 -j ACCEPT
-A FORWARD -i ppp0 -o eth0 -p tcp -m tcp --dport 53 -j ACCEPT
-A FORWARD -i ppp0 -o eth0 -p tcp -m tcp --dport 80 -j ACCEPT
-A FORWARD -i ppp0 -o eth0 -p tcp -m tcp --dport 110 -j ACCEPT
-A FORWARD -i ppp0 -o eth0 -p tcp -m tcp --dport 443 -j ACCEPT
-A FORWARD -m state --state INVALID -j LOG --log-prefix "drop" --log-tcp-options --log-ip-options
-A FORWARD -m state --state INVALID -j DROP
-A FORWARD -j LOG --log-prefix "iptables forward drop"
-A LOGGING -m limit --limit 2/min -j LOG --log-prefix "IPTables Packet Dropped: " --log-level 7
-A LOGGING -j DROP
-A fail2ban-ssh -j RETURN
COMMIT

That's it. Thanks for your help, as soon as possible.

N
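The audit script below is an added example written for this page; it is not code from the original post or from a reply to it. It reads an iptables-save style ruleset and reports what can be read straight off the posted rules: the nat PREROUTING DNAT rules for ports 80, 25 and 110 are matched on -i eth0, which the post describes as the DMZ interface, so packets arriving from the ADSL link (ppp0) never hit them; the FORWARD chain has no rule that lets new connections from eth2 (the local network) out to ppp0, which by itself explains why the local network cannot reach the Internet; and the FORWARD ACCEPT for eth0 has no -o, so a DMZ host can also open connections into the local network. The rules do let eth0 open new connections, so the DMZ symptom is not explained by the filter rules alone, which is why the script also checks that kernel forwarding is on (a step the post does not mention). The interface roles ppp0/eth0/eth2 are the ones stated in the post, the sample ruleset is an excerpt of the posted one, and the warning texts and function names are this example's own.

```shell
#!/bin/sh
# Audit an iptables-save/iptables-restore ruleset for the problems that most
# often produce "the firewall reaches the Internet but nothing behind it does":
#   1. nat/PREROUTING DNAT rules matched on an interface other than the WAN one
#      (inbound packets arrive on the WAN interface, so the rule never fires)
#   2. inside interfaces with no filter/FORWARD ACCEPT for new connections out
# plus one hardening check: FORWARD ACCEPTs from an inside interface with no -o,
# which also let that segment (e.g. a DMZ) open connections into the other one.
# Interface roles (ppp0 = WAN, eth0 = DMZ, eth2 = LAN) are taken from the post.

# audit_ruleset WAN_IF INSIDE_IF[,INSIDE_IF...]  < ruleset
# Prints one "WARN ..." line per finding; exit status 1 if anything was found.
audit_ruleset() {
    awk -v wan="$1" -v inside="$2" '
    BEGIN { found = 0; n = split(inside, want, ",") }
    /^\*/     { table = substr($0, 2); next }   # *nat / *filter
    /^COMMIT/ { table = ""; next }
    $1 != "-A" && $1 != "-I" { next }           # :CHAIN lines, comments, blanks
    {
        chain = $2; iif = ""; oif = ""
        for (i = 3; i <= NF; i++) {             # skip negated "! -i" matches
            if ($i == "-i" && $(i - 1) != "!") iif = $(i + 1)
            if ($i == "-o" && $(i - 1) != "!") oif = $(i + 1)
        }
    }
    table == "nat" && chain == "PREROUTING" && /-j DNAT/ && iif != wan {
        printf "WARN nat/PREROUTING DNAT matched on %s, not the WAN interface %s: %s\n",
               (iif == "" ? "any interface" : iif), wan, $0
        found = 1
    }
    table == "filter" && chain == "FORWARD" && /-j ACCEPT/ && iif != "" && iif != wan {
        if (oif == "" || oif == wan) outok[iif] = 1
        if (oif == "") {
            printf "WARN filter/FORWARD accepts from %s with no -o, so it can also reach the other inside interfaces: %s\n", iif, $0
            found = 1
        }
    }
    END {
        for (k = 1; k <= n; k++)
            if (!(want[k] in outok)) {
                printf "WARN filter/FORWARD has no ACCEPT for new connections from %s out via %s\n", want[k], wan
                found = 1
            }
        exit found
    }'
}

# Forwarding must be enabled in the kernel or the FORWARD chain never sees a
# packet. The path is a parameter so the check can be pointed at a copy.
check_ip_forward() {
    f="${1:-/proc/sys/net/ipv4/ip_forward}"
    [ -r "$f" ] && [ "$(cat "$f")" = "1" ]
}

# Sample input: the nat table and FORWARD chain copied from the ruleset in the
# post above (INPUT chain omitted because the audit does not look at it).
SAMPLE_RULESET='*nat
:PREROUTING ACCEPT
:POSTROUTING ACCEPT
-A PREROUTING -i eth0 -p tcp -m tcp --dport 80 -j DNAT --to-destination 192.168.10.1:80
-A PREROUTING -i eth0 -p tcp -m tcp --dport 25 -j DNAT --to-destination 192.168.10.1:25
-A PREROUTING -i ppp0 -p tcp -m tcp --dport 443 -j DNAT --to-destination 192.168.10.1:443
-A POSTROUTING -o ppp0 -j MASQUERADE
COMMIT
*filter
:INPUT DROP
:FORWARD DROP
:OUTPUT ACCEPT
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i eth0 -m state --state NEW -j ACCEPT
-A FORWARD -i ppp0 -o eth0 -p tcp -m tcp --dport 80 -j ACCEPT
-A FORWARD -i ppp0 -o eth0 -p tcp -m tcp --dport 443 -j ACCEPT
COMMIT'

# Run the audit on the sample. On the real box: iptables-save | audit_ruleset ppp0 eth0,eth2
printf '%s\n' "$SAMPLE_RULESET" | audit_ruleset ppp0 eth0,eth2 || :
check_ip_forward || echo "WARN net.ipv4.ip_forward is not 1 (sysctl -w net.ipv4.ip_forward=1)"
```

On the sample this prints four WARN lines: the two DNAT rules bound to eth0, the eth0 FORWARD ACCEPT with no -o, and the missing outbound rule for eth2. After editing the ruleset, `iptables-restore --test < rules` parses it without committing, and re-running the audit on `iptables-save` output confirms the findings are gone.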
 
07-10-2012, 07:23 PM   #2
nadvig (Original Poster)
Hi!

Is it because my question is too long? A lot of people have looked at it without a single answer from you.

I only want to know why my rules are not working; they were working before I moved house last month. My network is the same as before, except the interfaces on the firewall may have changed. But I think I have taken care of this in the rules. Sadly, the local and DMZ networks cannot go outside (Internet).

Thanks
 
  

