iptables rules with some errors
Hello,
Here is my config (the firewall and DMZ PCs are Ubuntu Server):
firewall: iptables PC, static IP, ADSL (ppp0), eth1
DMZ: web/POP/DNS server, 192.168.10.1, eth0
local network: 192.168.1.1, eth2
Right now every PC can ping every other PC, whether it is on the local network, the DMZ, or the firewall PC. Good!
The firewall can go outside (internet). Good! But no other PC can. Bad!
Here are my rules. Can someone look at them? I want each PC to be able to go outside (internet) on port 80, I want to set up the POP server on the DMZ, and I want DNS, SMTP, SSL, and SSH on port 222.
*nat
:PREROUTING ACCEPT
:INPUT ACCEPT
:OUTPUT ACCEPT
:POSTROUTING ACCEPT
-A PREROUTING -i eth0 -p tcp -m tcp --dport 80 -j DNAT --to-destination 192.168.10.1:80
-A PREROUTING -i eth0 -p tcp -m tcp --dport 25 -j DNAT --to-destination 192.168.10.1:25
-A PREROUTING -i eth0 -p tcp -m tcp --dport 110 -j DNAT --to-destination 192.168.10.1:110
-A PREROUTING -i ppp0 -p tcp -m tcp --dport 443 -j DNAT --to-destination 192.168.10.1:443
-A PREROUTING -i ppp0 -p tcp -m tcp --dport 222 -j DNAT --to-destination 192.168.10.1:222
-A PREROUTING -i ppp0 -p tcp -m tcp --dport 53 -j DNAT --to-destination 192.168.10.1:53
-A PREROUTING -i ppp0 -p udp -m udp --dport 53 -j DNAT --to-destination 192.168.10.1:53
-A POSTROUTING -o ppp0 -j MASQUERADE
COMMIT
*filter
:INPUT DROP
:FORWARD DROP
:OUTPUT ACCEPT
:LOGGING -
:fail2ban-ssh -
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A INPUT -m state --state INVALID -j LOG --log-prefix "drop invalid" --log-tcp-options --log-ip-options
-A INPUT -m state --state INVALID -j DROP
-A INPUT ! -i lo -j LOG --log-prefix "drop" --log-tcp-options --log-ip-options
-A INPUT -i lo -j LOG --log-prefix "drop" --log-tcp-options --log-ip-options
-A INPUT -p tcp -m tcp --tcp-flags FIN,PSH,ACK,URG FIN,PSH,ACK,URG -j DROP
-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,RST,PSH,ACK,URG -j DROP
-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j DROP
-A INPUT -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -j DROP
-A INPUT -m pkttype --pkt-type broadcast -j DROP
-A INPUT -j LOG --log-prefix "iptables input drop"
-A INPUT -j LOGGING
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i eth0 -m state --state NEW -j ACCEPT
-A FORWARD -i ppp0 -o eth0 -p tcp -m tcp --dport 25 -j ACCEPT
-A FORWARD -i ppp0 -o eth0 -p tcp -m tcp --dport 222 -j ACCEPT
-A FORWARD -i ppp0 -o eth0 -p udp -m udp --dport 53 -j ACCEPT
-A FORWARD -i ppp0 -o eth0 -p tcp -m tcp --dport 53 -j ACCEPT
-A FORWARD -i ppp0 -o eth0 -p tcp -m tcp --dport 80 -j ACCEPT
-A FORWARD -i ppp0 -o eth0 -p tcp -m tcp --dport 110 -j ACCEPT
-A FORWARD -i ppp0 -o eth0 -p tcp -m tcp --dport 443 -j ACCEPT
-A FORWARD -m state --state INVALID -j LOG --log-prefix "drop" --log-tcp-options --log-ip-options
-A FORWARD -m state --state INVALID -j DROP
-A FORWARD -j LOG --log-prefix "iptables forward drop"
-A LOGGING -m limit --limit 2/min -j LOG --log-prefix "IPTables Packet Dropped: " --log-level 7
-A LOGGING -j DROP
-A fail2ban-ssh -j RETURN
COMMIT
That's it. Thanks for your help, as soon as possible.
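The FORWARD chain is where the posted rules decide whether LAN or DMZ traffic may leave the box. This added Python walker (example code, not from the post or from any iptables tool) evaluates constructed sample packets against a subset of the posted FORWARD rules by first terminating match: a NEW connection from eth2 to ppp0 falls through to the DROP policy because no rule accepts traffic entering on eth2, while the `-i eth0 ... --state NEW` rule accepts DMZ traffic toward any interface, the LAN included. Interface names, ports and the DROP policy are the post's; the packet dicts are constructed.

```python
import shlex
# Constructed from the post: the FORWARD rules that decide the cases below
# (the remaining per-port "-i ppp0 -o eth0" rules have the same shape).
FORWARD_RULES = """
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i eth0 -m state --state NEW -j ACCEPT
-A FORWARD -i ppp0 -o eth0 -p tcp -m tcp --dport 25 -j ACCEPT
-A FORWARD -i ppp0 -o eth0 -p tcp -m tcp --dport 80 -j ACCEPT
-A FORWARD -m state --state INVALID -j DROP
-A FORWARD -j LOG --log-prefix "iptables forward drop"
"""
POLICY = "DROP"  # ":FORWARD DROP" in the posted *filter table

def parse_rule(line):
    toks, rule, i = shlex.split(line), {}, 0
    while i < len(toks):
        if toks[i] in ("-i", "-o", "-p", "--dport", "-j"):
            rule[toks[i]] = toks[i + 1]
            i += 2
        elif toks[i] == "--state":
            rule["--state"] = set(toks[i + 1].split(","))
            i += 2
        else:
            i += 1  # skip "-A FORWARD", "-m state", "-m tcp", log options
    return rule

def matches(rule, pkt):
    for k in ("-i", "-o", "-p"):
        if k in rule and rule[k] != pkt[k]:
            return False
    if "--dport" in rule and int(rule["--dport"]) != pkt["dport"]:
        return False
    return "--state" not in rule or pkt["state"] in rule["--state"]

def verdict(pkt, rules=FORWARD_RULES, policy=POLICY):
    """First terminating match wins; LOG only logs and falls through."""
    for line in rules.strip().splitlines():
        rule = parse_rule(line)
        if matches(rule, pkt) and rule.get("-j") in ("ACCEPT", "DROP", "REJECT"):
            return rule["-j"]
    return policy  # nothing terminal matched: the chain policy decides

def packet(i, o, proto="tcp", dport=80, state="NEW"):
    return {"-i": i, "-o": o, "-p": proto, "dport": dport, "state": state}

if __name__ == "__main__":
    print("LAN -> internet:", verdict(packet("eth2", "ppp0")))  # DROP: no eth2 rule
    print("DMZ -> internet:", verdict(packet("eth0", "ppp0")))  # ACCEPT
    print("DMZ -> LAN     :", verdict(packet("eth0", "eth2")))  # ACCEPT: over-broad
    print("WAN -> DMZ:25  :", verdict(packet("ppp0", "eth0", dport=25)))  # ACCEPT
```

A fix for the LAN path is an explicit `-A FORWARD -i eth2 -o ppp0 -m state --state NEW -j ACCEPT`, and the DMZ rule is safer narrowed to `-o ppp0` so the DMZ host cannot open connections into the LAN.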