Hi... I will try this.
I have DSL with a dynamic IP.
Thanks.
-----------------
#!/bin/bash
# Change this to the name of the interface that provides your "uplink"
# (connection to the Internet).
UPLINK="eth0"
# Change this next line so it lists all your network interfaces, including lo,
# but LESS the UPLINK.
INTERFACES="lo eth1 eth2"
# Change this line so that it lists the assigned numbers or symbolic names (from
# /etc/services) of all the services that you'd like to provide to the general
# public. If you don't want any services enabled, set it to "" (empty).
SERVICES="ftp ssh"
################
if [ "$1" = "start" ]
then
    echo "Starting firewall..."
    # (1) initial configuration.
    #
    # Clear any existing firewall rules before we start.
    iptables --flush
    iptables --zero
    iptables --delete-chain
    # By default, drop all traffic that comes to or through this machine;
    # outgoing traffic is allowed.
    iptables -P INPUT DROP
    iptables -P FORWARD DROP
    iptables -P OUTPUT ACCEPT
    #iptables -A INPUT -i ! ${UPLINK} -j ACCEPT
    # Replies to connections this box initiated are accepted on any interface.
    iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    # We're a router of some kind, enable IP forwarding.
    echo 1 > /proc/sys/net/ipv4/ip_forward
    # (2) optimization and security options.
    #
    # Explicitly disable ECN.
    if [ -e /proc/sys/net/ipv4/tcp_ecn ]
    then
        echo 0 > /proc/sys/net/ipv4/tcp_ecn
    fi
    # Enable reverse-path filtering (anti-spoofing) on all interfaces.
    for x in ${INTERFACES} ${UPLINK}
    do
        echo 1 > /proc/sys/net/ipv4/conf/${x}/rp_filter
    done
    # Reject bad/malicious packets.
    # Note: iptables evaluates a chain top to bottom and the first match wins, so
    # these two rules catch every TCP/UDP packet arriving on the uplink that the
    # ESTABLISHED,RELATED rule above did not already accept; the rules appended
    # after them only ever see uplink ICMP and traffic from the other interfaces.
    iptables -A INPUT -p tcp -i ${UPLINK} -j REJECT --reject-with tcp-reset
    iptables -A INPUT -p udp -i ${UPLINK} -j REJECT --reject-with icmp-port-unreachable
    # Allow certain inbound ICMP types (ping, traceroute...).
    iptables -A INPUT -i ${UPLINK} -p icmp --icmp-type destination-unreachable -j ACCEPT
    iptables -A INPUT -i ${UPLINK} -p icmp --icmp-type time-exceeded -j ACCEPT
    iptables -A INPUT -i ${UPLINK} -p icmp --icmp-type echo-reply -j ACCEPT
    iptables -A INPUT -i ${UPLINK} -p icmp --icmp-type echo-request -j ACCEPT
    # (3) open and close the doors.
    #
    # Enable public access to certain services.
    for x in ${SERVICES}
    do
        iptables -A INPUT -p tcp --dport ${x} -m state --state NEW -j ACCEPT
    done
    # Some other services.
    # Squid: transparently redirect LAN web traffic (port 80) to the local proxy on port 3128.
    iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 80 -j REDIRECT --to-port 3128
    iptables -t nat -A PREROUTING -i eth2 -p tcp --dport 80 -j REDIRECT --to-port 3128
    # Allow MSN for these MAC addresses.
    # The first address was damaged when pasted: one hex digit is missing where
    # the '?' is, so re-enter the full address before running this.
    iptables -A FORWARD -m mac --mac-source 00:?0:09:9E:9A:08 -p tcp --dport 1863 -j ACCEPT
    iptables -A FORWARD -m mac --mac-source 00:?0:09:9E:9A:08 -d loginnet.passport.com -j ACCEPT
    iptables -A FORWARD -m mac --mac-source 00:90:4B:55:A4:03 -p tcp --dport 1863 -j ACCEPT
    iptables -A FORWARD -m mac --mac-source 00:90:4B:55:A4:03 -d loginnet.passport.com -j ACCEPT
    # Deny MSN to everyone else ("not this MAC" matches every real host).
    iptables -A FORWARD -m mac --mac-source ! 00:00:00:00:00:00 -p tcp --dport 1863 -j DROP
    iptables -A FORWARD -m mac --mac-source ! FF:FF:FF:FF:FF:FF -p tcp --dport 1863 -j DROP
    iptables -A FORWARD -m mac --mac-source ! 00:00:00:00:00:00 -d loginnet.passport.com -j DROP
    iptables -A FORWARD -m mac --mac-source ! FF:FF:FF:FF:FF:FF -d loginnet.passport.com -j DROP
    # (4) finishing ...
    #
    # Dynamic IP address, use masquerading.
    iptables -t nat -A POSTROUTING -o ${UPLINK} -j MASQUERADE
    # Forward traffic.
    # Note: only the single source address named on each LAN interface is let
    # through here; any other LAN host falls through to the FORWARD DROP policy.
    iptables -A FORWARD -i eth2 -s 192.168.3.1 -j ACCEPT
    iptables -A FORWARD -i eth1 -s 192.168.2.1 -j ACCEPT
    iptables -A FORWARD -i eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
elif [ "$1" = "stop" ]
then
    echo "Stopping firewall..."
    # Flush and delete every chain in all three tables, then open the policies.
    for TABLE in filter nat mangle; do
        iptables -t $TABLE -F
        iptables -t $TABLE -X
    done
    for CHAIN in INPUT OUTPUT FORWARD; do
        iptables -t filter -P $CHAIN ACCEPT
    done
fi
-----------------
The above is the firewall with all the changes.
But I still can't surf or ping.
There is no problem with the internet, because when I use another firewall, everything works.
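iptables evaluates each chain from the top down and the first matching rule decides the packet's fate, so the order in which a script appends rules matters as much as the rules themselves. The following is an added example, not part of the poster's script: a small Python model of the INPUT and FORWARD chains that the script above builds (rules transcribed in the order the script appends them, the MAC-based MSN rules left out because they never match ordinary web or SSH traffic), which walks constructed sample packets through each chain and reports which rule fires. It assumes the standard /etc/services values ftp=21 and ssh=22 for the SERVICES line; the packet definitions and the `services_before_reject` reordering are the example's own, not the poster's.

```python
# Added example, not part of the poster's script: a minimal model of how
# iptables walks a chain top to bottom and stops at the first matching rule,
# applied to the INPUT and FORWARD chains the script above builds.  Only the
# match fields that script uses are modelled (input interface, protocol, source
# address, destination port, connection state, ICMP type); the MAC-based MSN
# rules are omitted.  Assumptions: SERVICES="ftp ssh" resolves to TCP ports 21
# and 22 (standard /etc/services values); the sample packets are constructed.

UPLINK = "eth0"
SERVICE_PORTS = {"ftp": 21, "ssh": 22}


def rule(target, **match):
    """A rule is a target plus the fields it checks; an absent field matches anything."""
    return {"target": target, "match": match}


# INPUT chain in the order the script appends its rules (chain policy is DROP).
INPUT_CHAIN = [
    rule("ACCEPT", state={"ESTABLISHED", "RELATED"}),
    rule("REJECT", proto="tcp", in_if=UPLINK),   # --reject-with tcp-reset
    rule("REJECT", proto="udp", in_if=UPLINK),   # --reject-with icmp-port-unreachable
    rule("ACCEPT", proto="icmp", in_if=UPLINK, icmp_type="destination-unreachable"),
    rule("ACCEPT", proto="icmp", in_if=UPLINK, icmp_type="time-exceeded"),
    rule("ACCEPT", proto="icmp", in_if=UPLINK, icmp_type="echo-reply"),
    rule("ACCEPT", proto="icmp", in_if=UPLINK, icmp_type="echo-request"),
] + [
    rule("ACCEPT", proto="tcp", dport=p, state={"NEW"}) for p in SERVICE_PORTS.values()
]

# FORWARD chain without the MAC rules (chain policy is DROP).
FORWARD_CHAIN = [
    rule("ACCEPT", in_if="eth2", src="192.168.3.1"),
    rule("ACCEPT", in_if="eth1", src="192.168.2.1"),
    rule("ACCEPT", in_if="eth0", state={"ESTABLISHED", "RELATED"}),
]


def matches(r, pkt):
    """True when every field the rule constrains has the required value in the packet."""
    for field, wanted in r["match"].items():
        have = pkt.get(field)
        if field == "state":
            if have not in wanted:
                return False
        elif have != wanted:
            return False
    return True


def evaluate(chain, pkt, policy="DROP"):
    """Walk the chain in order and return (verdict, 0-based index of the rule that
    fired), or (policy, None) when no rule matched."""
    for i, r in enumerate(chain):
        if matches(r, pkt):
            return r["target"], i
    return policy, None


def services_before_reject(chain):
    """Copy of an INPUT-style chain with the per-service ACCEPT rules moved ahead of
    the blanket REJECT rules; the ESTABLISHED,RELATED rule stays first."""
    service = [r for r in chain if "dport" in r["match"]]
    rest = [r for r in chain if "dport" not in r["match"]]
    return rest[:1] + service + rest[1:]


# Constructed sample packets (hypothetical hosts, not from the post).
SSH_FROM_INTERNET = {"in_if": "eth0", "proto": "tcp", "dport": 22, "state": "NEW"}
SSH_FROM_LAN = {"in_if": "eth1", "proto": "tcp", "dport": 22, "state": "NEW"}
PING_FROM_INTERNET = {"in_if": "eth0", "proto": "icmp", "icmp_type": "echo-request", "state": "NEW"}
HTTPS_FROM_LISTED_ADDR = {"in_if": "eth1", "proto": "tcp", "src": "192.168.2.1", "dport": 443, "state": "NEW"}
HTTPS_FROM_OTHER_HOST = {"in_if": "eth1", "proto": "tcp", "src": "192.168.2.10", "dport": 443, "state": "NEW"}

if __name__ == "__main__":
    for name, pkt in [("ssh from Internet", SSH_FROM_INTERNET),
                      ("ssh from LAN", SSH_FROM_LAN),
                      ("ping from Internet", PING_FROM_INTERNET)]:
        print(f"INPUT   {name:24} -> {evaluate(INPUT_CHAIN, pkt)}")
    print(f"INPUT   {'ssh, services first':24} -> "
          f"{evaluate(services_before_reject(INPUT_CHAIN), SSH_FROM_INTERNET)}")
    for name, pkt in [("https from 192.168.2.1", HTTPS_FROM_LISTED_ADDR),
                      ("https from 192.168.2.10", HTTPS_FROM_OTHER_HOST)]:
        print(f"FORWARD {name:24} -> {evaluate(FORWARD_CHAIN, pkt)}")
```

Running it shows two properties of the rule order as posted that are worth checking against the symptoms in the post: a new SSH connection arriving on the uplink is answered by the blanket REJECT at index 1, before the ssh ACCEPT at index 8 is ever consulted (indices here are 0-based, whereas `iptables -L --line-numbers` counts from 1), while the same packet is accepted once the per-service rules sit ahead of the REJECT; and in the FORWARD chain only a packet whose source is exactly 192.168.2.1 on eth1 is accepted, so a LAN host with any other address falls through to the DROP policy. The reordering function is one way to remove the first shadowing; whether it is the right change for a given network depends on which services should be reachable from the uplink.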