There are a lot of unnecessary rules here... try pruning it down to a bare minimum first then add logging rules to catch the DROP points... eg,
# set a few variables
make BINDIR=/usr/local/bin LIBDIR=/usr/local/lib MANDIR=/usr/local/man
echo ""
export PATH=/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin:/usr/local/sbin
echo " setting global variables"
echo ""
iptables="/usr/local/sbin/iptables"
All this is unnecessary unless you call the variables later (which isn't happening). They should be set outside of iptables...
Notice the extra typing just to define the word iptables which exists in the normal PATH anyway...
# adjust /proc
echo " applying general security settings to /proc filesystem"
echo ""
if [ -e /proc/sys/net/ipv4/tcp_syncookies ]; then echo 1 > /proc/sys/net/ipv4/tcp_syncookies; fi
if [ -e /proc/sys/net/ipv4/conf/all/rp_filter ]; then echo 1 > /proc/sys/net/ipv4/conf/all/rp_filter; fi
if [ -e /proc/sys/net/ipv4/ip_forward ]; then echo 1 > /proc/sys/net/ipv4/ip_forward; fi
A lot of extra text just to do this..
sysctl -w net.ipv4.tcp_syncookies=1
sysctl -w net.ipv4.conf.all.rp_filter=1
sysctl -w net.ipv4.ip_forward=1
# load some modules
/sbin/depmod -a
if [ -e /lib/modules/`uname -r`/kernel/net/ipv4/netfilter/ip_nat_irc.o ]; then modprobe ip_nat_irc; fi
if [ -e /lib/modules/`uname -r`/kernel/net/ipv4/netfilter/ip_conntrack_irc.o ]; then modprobe ip_conntrack_irc; fi
if [ -e /lib/modules/`uname -r`/kernel/net/ipv4/netfilter/ip_conntrack_ftp.o ]; then modprobe ip_conntrack_ftp; fi
if [ -e /lib/modules/`uname -r`/kernel/net/ipv4/netfilter/ip_nat_ftp.o ]; then modprobe ip_nat_ftp port=444; fi
if [ -e /lib/modules/`uname -r`/kernel/net/ipv4/netfilter/ip_tables.o ]; then modprobe ip_tables; fi
if [ -e /lib/modules/`uname -r`/kernel/net/ipv4/netfilter/ip_conntrack.o ]; then modprobe ip_conntrack; fi
if [ -e /lib/modules/`uname -r`/kernel/net/ipv4/netfilter/iptable_filter.o ]; then modprobe iptable_filter; fi
if [ -e /lib/modules/`uname -r`/kernel/net/ipv4/netfilter/iptable_mangle.o ]; then modprobe iptable_mangle; fi
if [ -e /lib/modules/`uname -r`/kernel/net/ipv4/netfilter/iptable_nat.o ]; then modprobe iptable_nat; fi
if [ -e /lib/modules/`uname -r`/kernel/net/ipv4/netfilter/ipt_LOG.o ]; then modprobe ipt_LOG; fi
if [ -e /lib/modules/`uname -r`/kernel/net/ipv4/netfilter/ipt_limit.o ]; then modprobe ipt_limit; fi
if [ -e /lib/modules/`uname -r`/kernel/net/ipv4/netfilter/ipt_state.o ]; then modprobe ipt_state; fi
if [ -e /lib/modules/`uname -r`/kernel/net/ipv4/netfilter/ipt_mac.o ]; then modprobe ipt_mac; fi
if [ -e /lib/modules/`uname -r`/kernel/net/ipv4/netfilter/ipt_owner.o ]; then modprobe ipt_owner; fi
if [ -e /lib/modules/`uname -r`/kernel/net/ipv4/netfilter/ipt_REJECT.o ]; then modprobe ipt_REJECT; fi
if [ -e /lib/modules/`uname -r`/kernel/net/ipv4/netfilter/ipt_MASQUERADE.o ]; then modprobe ipt_MASQUERADE; fi
Most of these modules load automatically with the rules, in the correct order and with correct dependencies..
Try...
insmod ip_conntrack_ftp
insmod ip_nat_ftp
insmod ip_conntrack_irc
insmod ip_nat_irc
after all the rules have loaded. These ones require manual loading.
# flush any existing chains and set default policies
$iptables -F INPUT
$iptables -F OUTPUT
$iptables -P INPUT DROP
$iptables -P OUTPUT ACCEPT
Missing the nat & mangle tables & chain deletes!! Try...
iptables -F
iptables -X
iptables -t nat -F
iptables -t nat -X
iptables -t mangle -F
iptables -t mangle -X
# setup nat
echo " applying nat rules"
echo ""
$iptables -F FORWARD
$iptables -F -t nat
done above...
$iptables -P FORWARD DROP
$iptables -A FORWARD -i eth1 -j ACCEPT
Shouldn't be the first rule. General rules come last...
$iptables -A INPUT -i eth1 -j ACCEPT
$iptables -A OUTPUT -o eth1 -j ACCEPT
Unnecessary. You already have an ACCEPT policy...
$iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
This should be the first rule to get ip_conntrack working.. try
iptables -I FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
$iptables -t nat -A POSTROUTING -s 10.0.0.0/24 -o eth0 -j SNAT --to-source 220.57.120.22
# allow all packets on the loopback interface
$iptables -A INPUT -i lo -j ACCEPT
$iptables -A OUTPUT -o lo -j ACCEPT
Unnecessary with a default ACCEPT.
# allow established and related packets back in
$iptables -A INPUT -i eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
# blocking reserved private networks incoming from the internet
echo " applying incoming internet blocking of reserved private networks"
echo ""
$iptables -I INPUT -i eth0 -s 172.16.0.0/12 -j DROP
$iptables -I INPUT -i eth0 -s 192.168.0.0/16 -j DROP
$iptables -I INPUT -i eth0 -s 127.0.0.0/8 -j DROP
$iptables -I FORWARD -i eth0 -s 172.16.0.0/12 -j DROP
$iptables -I FORWARD -i eth0 -s 192.168.0.0/16 -j DROP
$iptables -I FORWARD -i eth0 -s 127.0.0.0/8 -j DROP
All this is handled by the rp_filter...
# blocked hosts
echo " dropping all packets from blocked hosts"
echo ""
$iptables -I INPUT -s 192.168.0.1 -j DROP
$iptables -I FORWARD -s 192.168.0.1 -j DROP
Where would these packets come from? Probably unnecessary rules...
# icmp
echo " applying icmp rules"
echo ""
$iptables -A OUTPUT -p icmp -m state --state NEW -j ACCEPT
Default ACCEPT policy!
$iptables -A INPUT -p icmp -m state --state ESTABLISHED,RELATED -j ACCEPT
$iptables -A INPUT -p icmp --icmp-type echo-request -i eth0 -j DROP
Are you sure you want to do this?
# apply icmp type match blocking
echo " applying icmp type match blocking"
echo ""
$iptables -I INPUT -p icmp --icmp-type redirect -j DROP
$iptables -I INPUT -p icmp --icmp-type router-advertisement -j DROP
$iptables -I INPUT -p icmp --icmp-type router-solicitation -j DROP
$iptables -I INPUT -p icmp --icmp-type address-mask-request -j DROP
Check the tutorial for a much tidier way...
# open ports to the firewall
echo " applying the open port(s) to the firewall rules"
echo ""
$iptables -A INPUT -p tcp --dport 20 -j ACCEPT
$iptables -A INPUT -p tcp --dport 21 -j ACCEPT
$iptables -A INPUT -p tcp --dport 444 -j ACCEPT
$iptables -A INPUT -p tcp --dport 4900:5100 -j ACCEPT
$iptables -A INPUT -p tcp --dport 4662 -j ACCEPT
$iptables -A INPUT -p tcp --dport 4661 -j ACCEPT
$iptables -A INPUT -p udp --dport 4665 -j ACCEPT
Do you have servers on the firewall that need these rules?
# open and forward ports to the internal machine(s)
echo " applying port forwarding rules"
echo ""
$iptables -A FORWARD -i eth0 -p tcp --dport 444 -j ACCEPT
$iptables -t nat -A PREROUTING -i eth0 -p tcp -d 220.57.120.22 --dport 444 -j DNAT --to-destination 10.0.0.2:444
$iptables -A FORWARD -i eth0 -p tcp --dport 20 -j ACCEPT
$iptables -t nat -A PREROUTING -i eth0 -p tcp -d 220.57.120.22 --dport 20 -j DNAT --to-destination 10.0.0.2:20
$iptables -A FORWARD -i eth0 -p tcp --dport 4662 -j ACCEPT
$iptables -t nat -A PREROUTING -i eth0 -p tcp -d 220.57.120.22 --dport 4662 -j DNAT --to-destination 10.0.0.2:4662
$iptables -A FORWARD -i eth0 -p tcp --dport 4661 -j ACCEPT
$iptables -t nat -A PREROUTING -i eth0 -p tcp -d 220.57.120.22 --dport 4661 -j DNAT --to-destination 10.0.0.2:4661
$iptables -A FORWARD -i eth0 -p udp --dport 4665 -j ACCEPT
$iptables -t nat -A PREROUTING -i eth0 -p udp -d 220.57.120.22 --dport 4665 -j DNAT --to-destination 10.0.0.2:4665
$iptables -A FORWARD -i eth0 -p tcp --dport 4900:5100 -j ACCEPT
$iptables -t nat -A PREROUTING -i eth0 -p tcp -d 220.57.120.22 --dport 4900:5100 -j DNAT --to-destination 10.0.0.2:4900:5100
Recommended: don't use the -d x.x.x.x in the PREROUTING chain. If you only have 1 ip address, it adds a lot more computing time to each packet for no reason.
# logging
echo " applying logging rules"
echo ""
$iptables -A INPUT -i eth0 -p tcp -m limit --limit 1/s --dport 0:65535 -j LOG --log-prefix "tcp connection: "
$iptables -A INPUT -i eth0 -p udp -m limit --limit 1/s --dport 0:65535 -j LOG --log-prefix "udp connection: "
Where are the logging rules for the FORWARD chain?
Also, each packet getting logged here is because there isn't a matching ACCEPT rule. Don't you want to know what is really happening?
I'd recommend adding LOG rules in nat PREROUTING too, eg
iptables -t nat -I PREROUTING -i eth0 -j LOG --log-prefix "Incoming_nat "
to get the first packet of any connection logged.
# drop all other packets
echo " applying default drop policies"
echo ""
$iptables -A INPUT -i eth0 -p tcp --dport 0:65535 -j DROP
$iptables -A INPUT -i eth0 -p udp --dport 0:65535 -j DROP
Unnecessary. This is your default policy...
Better to have a LOG rule as the last rule here to catch what is missed by the other rules.. eg
iptables -A INPUT -j LOG --log-prefix "Dropped "
iptables -A FORWARD -j LOG --log-prefix "Dropped "
& what about dns packets? Try...
iptables -I INPUT -p udp --sport 53 -j ACCEPT
iptables -I FORWARD 3 -p udp --sport 53 -j ACCEPT
A recommended tutorial
Sorry if I come across as quite critical, but it looks like you've got a script that hasn't been well thought out, as I have commented on.
Probably better to go back to square 1 and find good reasons to add rules. Get the "setting up nat" section working first, then the DNATs, then the filtering, then the default policies, working from the LOG file outputs, if you wish to build from scratch.