Wow, what a firewall script. Thank god most of it is commented out...
No, seriously though -- you'll never get happy if you just keep aimlessly throwing things around and hope they'll just magically work somehow.
Some hints:
1. Decide on a name and location for your firewall script. I have lost count of how many names you have already given it in this thread.
And make a sensible choice: 'iptables' is *not* a good name for your script, since it collides with the name of the real iptables binary.
I'd suggest something like '/usr/local/sbin/firewall'.
2. There is a difference between "/" and "/root", even though "/" is pronounced "root". Yes, it's confusing. Well, not really. Only when you speak about it.
3. As others have already pointed out: you want to call your script from rc.local -- not the other way around. I.e. add a line '/usr/local/sbin/firewall' to your rc.local. Do not add any reference to rc.local to your firewall script. It does not make sense!
4. You want to use modprobe, not insmod: modprobe looks a module up by name and loads whatever it depends on, while insmod takes a single file path and loads only that one file.
5. As to your actual firewall script: I don't think it does what you think it does.
Here is a suggestion to get you started: (you need to edit the settings in the top section)
#!/bin/sh
#
# Firewall / NAT rule set for a two-interface Linux gateway: one public
# (upstream) interface and one private LAN interface. Adjust this
# settings section to your setup; the rules below are built from it.
############# Settings: ######################################################
# Where the iptables binary lives.
IPT="/sbin/iptables"
# Public side: interface name, our own address and the upstream gateway.
# PUB_IP and PUB_GW may stay empty, e.g. on a PPP link with a dynamic
# address.
PUB_IF="ppp0"
PUB_IP=""
PUB_GW=""
# Private side: interface name, our address on it and the LAN prefix
# (CIDR notation, as iptables expects it).
PRV_IF="eth1"
PRV_IP="192.168.30.1"
PRV_NET="192.168.30.0/24"
#### Public services to allow from anywhere: ####
# Space-separated lists of ports (service names or numbers) that anyone
# on the public side may connect to on this box.
PUB_TCP_OK="ssh"
PUB_UDP_OK=""
#### End of public services #####################
#### Port forwarding: ###########
# Uncomment the following line to enable port forwarding:
# (and of course adjust this line and the following sections
# according to your setup...)
# Every name in PF_HOSTS needs three variables: PF_<NAME>_IP plus the
# port lists PF_<NAME>_PORTS_TCP and PF_<NAME>_PORTS_UDP (a list may be
# empty).
#PF_HOSTS="DESKTOP SERVER1 SERVER2"
# to Desktop: forward skype, AOE, BitTorrent
PF_DESKTOP_IP="192.168.30.2"
PF_DESKTOP_PORTS_TCP="1573 2300 6881"
PF_DESKTOP_PORTS_UDP="2350 6881"
# to Server1: dns and smtp
PF_SERVER1_IP="192.168.30.5"
PF_SERVER1_PORTS_TCP="domain smtp"
PF_SERVER1_PORTS_UDP="domain"
# to Server2: www
PF_SERVER2_IP="192.168.30.7"
PF_SERVER2_PORTS_TCP="www"
PF_SERVER2_PORTS_UDP=""
#### End of port forwarding ####
############ End of settings #################################################
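if ! [ -x "$IPT" ] ; then
  # Without the iptables binary no rules can be installed, so fail
  # closed: stop routing before bailing out rather than leave the box
  # forwarding with whatever rule set happens to be loaded.
  # Diagnostics go to stderr so they are not mistaken for progress output.
  echo "Cannot find iptables! Disabling all forwarding and aborting!" >&2
  echo 0 > /proc/sys/net/ipv4/ip_forward
  echo 0 > /proc/sys/net/ipv4/conf/all/forwarding
  exit 1
fi
# Address ranges that must never show up as a source on the public side:
# loopback and the three RFC 1918 private blocks.
LOCAL="127.0.0.0/8"
PRIV_A="10.0.0.0/8"
PRIV_B="172.16.0.0/12"
PRIV_C="192.168.0.0/16"
# Policies are set to DROP *before* the old rules are flushed, so there
# is no window during a reload in which the box accepts traffic on an
# empty rule set. (This also blocks the firewall's own outbound traffic
# until the OUTPUT rule is appended near the end of the script.) The
# nat table stays at ACCEPT: it only rewrites addresses, all filtering
# happens in the filter table.
echo "Setting policies..."
"$IPT" --policy INPUT DROP
"$IPT" --policy OUTPUT DROP
"$IPT" --policy FORWARD DROP
"$IPT" -t nat --policy PREROUTING ACCEPT
"$IPT" -t nat --policy POSTROUTING ACCEPT
"$IPT" -t nat --policy OUTPUT ACCEPT
# Flush every rule and delete the user-defined chains in the filter, nat
# and mangle tables so the script can be re-run to reload the rule set.
echo "Flushing/deleting chains..."
"$IPT" --flush
"$IPT" -t nat --flush
"$IPT" -t mangle --flush
"$IPT" --delete-chain
"$IPT" -t nat --delete-chain
"$IPT" -t mangle --delete-chain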
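################## src_check_pub #############################################
# Anti-spoofing for packets arriving on the public interface. Sources that
# can never legitimately appear there are logged and dropped; everything
# else RETURNs to the calling chain.
CURR=src_check_pub_drop
echo "$CURR..."
"$IPT" -N "$CURR"
"$IPT" -A "$CURR" -j LOG --log-prefix "Inv. src on $PUB_IF: "
"$IPT" -A "$CURR" -j DROP
CURR=src_check_pub
echo "$CURR..."
"$IPT" -N "$CURR"
# The upstream gateway is exempted before the private-range checks
# (presumably because PPP peers are often numbered from private space).
test -n "$PUB_GW" && "$IPT" -A "$CURR" --src "$PUB_GW/32" -j RETURN
# Our own public address can never be the source of an inbound packet;
# PUB_IP is only checked when the settings actually provide one.
test -n "$PUB_IP" && "$IPT" -A "$CURR" --src "$PUB_IP/32" -j src_check_pub_drop
# The LAN prefix is listed explicitly so the check still holds if PRV_NET
# is ever moved out of the RFC 1918 ranges checked next.
"$IPT" -A "$CURR" --src "$PRV_NET" -j src_check_pub_drop
"$IPT" -A "$CURR" --src "$PRIV_A" -j src_check_pub_drop
"$IPT" -A "$CURR" --src "$PRIV_B" -j src_check_pub_drop
"$IPT" -A "$CURR" --src "$PRIV_C" -j src_check_pub_drop
"$IPT" -A "$CURR" --src "$LOCAL" -j src_check_pub_drop
"$IPT" -A "$CURR" -j RETURN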
################## src_check_prv #############################################
# Source check for the LAN side: only addresses from PRV_NET (plus the
# not-yet-configured DHCP client broadcast) pass; anything else is logged
# and actively rejected so the misconfigured host gets an error back.
CURR=src_check_prv
printf '%s...\n' "$CURR"
"$IPT" --new-chain "$CURR"
"$IPT" --append "$CURR" --source "$PRV_NET" --jump RETURN
# A DHCP client has no address yet: it sends from 0.0.0.0 to the limited
# broadcast address, UDP bootpc -> bootps. Let exactly that through.
"$IPT" --append "$CURR" --source 0.0.0.0/32 --destination 255.255.255.255/32 \
  --protocol udp --sport bootpc --dport bootps --jump RETURN
"$IPT" --append "$CURR" --jump LOG --log-prefix "Inv. src on $PRV_IF: "
"$IPT" --append "$CURR" --jump REJECT --reject-with icmp-host-prohibited
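################## input_pub #################################################
# Traffic addressed to the firewall itself that arrives on the public
# interface.
CURR=input_pub
echo "$CURR..."
"$IPT" -N "$CURR"
"$IPT" -A "$CURR" -j src_check_pub
# Replies belonging to connections conntrack already knows about.
"$IPT" -A "$CURR" -m state --state ESTABLISHED,RELATED -j ACCEPT
# Anything conntrack cannot classify (out-of-window segments, stray ACKs,
# malformed packets) is dropped here so it never reaches the per-port
# ACCEPT rules below.
"$IPT" -A "$CURR" -m state --state INVALID -j DROP
# ICMP needed for error reporting / path MTU discovery, plus ping.
# NOTE(review): echo-request is accepted without rate limiting; add an
# '-m limit' match if ping floods are a concern.
for ICMP_TYPE in echo-request destination-unreachable \
  time-exceeded parameter-problem ; do
  "$IPT" -A "$CURR" -p icmp --icmp-type "$ICMP_TYPE" -j ACCEPT
done
# Public services: only NEW connections are accepted here -- established
# traffic was handled above and everything else is INVALID. The lists are
# intentionally unquoted so they word-split into one rule per port; an
# empty list simply yields no rules.
for PORT in $PUB_TCP_OK ; do
  "$IPT" -A "$CURR" -p tcp --dport "$PORT" -m state --state NEW -j ACCEPT
done
for PORT in $PUB_UDP_OK ; do
  "$IPT" -A "$CURR" -p udp --dport "$PORT" -m state --state NEW -j ACCEPT
done
# ident gets an immediate RST instead of a silent drop, so remote servers
# that probe it do not have to wait for a timeout.
"$IPT" -A "$CURR" -p tcp --dport ident -j REJECT --reject-with tcp-reset
"$IPT" -A "$CURR" -j LOG --log-prefix "Conn. attempt on $PUB_IF: "
"$IPT" -A "$CURR" -j DROP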
################## input_prv #################################################
# Traffic addressed to the firewall itself from the LAN. Any TCP, UDP or
# ICMP from a valid LAN source is accepted, i.e. every service on this
# box is reachable from PRV_NET; other protocols are logged and rejected.
CURR=input_prv
printf '%s...\n' "$CURR"
"$IPT" --new-chain "$CURR"
"$IPT" --append "$CURR" --jump src_check_prv
for PROTO in tcp udp icmp ; do
  "$IPT" --append "$CURR" --protocol "$PROTO" --jump ACCEPT
done
"$IPT" --append "$CURR" --jump LOG --log-prefix "Invalid protocol on $PRV_IF: "
"$IPT" --append "$CURR" --jump REJECT
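################## forward_pub ###############################################
# Routed traffic entering on the public interface, i.e. inbound towards
# the LAN. Only replies and the explicitly port-forwarded services pass.
CURR=forward_pub
echo "$CURR..."
"$IPT" -N "$CURR"
"$IPT" -A "$CURR" -j src_check_pub
"$IPT" -A "$CURR" -m state --state ESTABLISHED,RELATED -j ACCEPT
# Drop what conntrack cannot classify before any per-port ACCEPT.
"$IPT" -A "$CURR" -m state --state INVALID -j DROP
# ICMP errors for the LAN hosts' own connections. echo-request is not in
# this list (unlike input_pub), so LAN hosts are not pingable from outside.
for ICMP_TYPE in destination-unreachable \
  time-exceeded parameter-problem ; do
  "$IPT" -A "$CURR" -p icmp --icmp-type "$ICMP_TYPE" -j ACCEPT
done
# Allow NEW connections to the DNAT targets from the settings section.
# The eval-based indirection only ever sees the PF_* names written in
# this script's own settings, which is the reason it is acceptable here;
# never feed it externally supplied names.
for HOST in $PF_HOSTS ; do
  eval IP=\${PF_${HOST}_IP}
  eval TPORTS=\${PF_${HOST}_PORTS_TCP}
  eval UPORTS=\${PF_${HOST}_PORTS_UDP}
  if [ -z "$IP" ] ; then
    echo "No PF_${HOST}_IP configured, skipping forwarding rules for $HOST" >&2
    continue
  fi
  for PORT in $TPORTS ; do
    "$IPT" -A "$CURR" -p tcp --dst "$IP/32" --dport "$PORT" \
      -m state --state NEW -j ACCEPT
  done
  for PORT in $UPORTS ; do
    "$IPT" -A "$CURR" -p udp --dst "$IP/32" --dport "$PORT" \
      -m state --state NEW -j ACCEPT
  done
done
"$IPT" -A "$CURR" -j LOG --log-prefix "Fwd attempt on $PUB_IF: "
"$IPT" -A "$CURR" -j DROP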
################## forward_prv ###############################################
# Routed traffic entering on the LAN interface, i.e. outbound from the
# LAN. TCP, UDP and ICMP from a valid LAN source are allowed to any
# destination -- there is no egress filtering here. Other protocols are
# logged and rejected.
CURR=forward_prv
printf '%s...\n' "$CURR"
"$IPT" --new-chain "$CURR"
"$IPT" --append "$CURR" --jump src_check_prv
for PROTO in tcp udp icmp ; do
  "$IPT" --append "$CURR" --protocol "$PROTO" --jump ACCEPT
done
"$IPT" --append "$CURR" --jump LOG --log-prefix "Fwd attempt from $PRV_IF: "
"$IPT" --append "$CURR" --jump REJECT --reject-with icmp-net-prohibited
################## INPUT #####################################################
# Dispatch local-bound packets by the interface they arrived on. Loopback
# is fully trusted; packets from any interface not named in the settings
# are logged and dropped (the chain policy is DROP too, the explicit rule
# only adds the log line).
echo "INPUT..."
"$IPT" --append INPUT --in-interface lo --jump ACCEPT
"$IPT" --append INPUT --in-interface "$PUB_IF" --jump input_pub
"$IPT" --append INPUT --in-interface "$PRV_IF" --jump input_prv
"$IPT" --append INPUT --jump LOG --log-prefix "Unexpected INPUT packet: "
"$IPT" --append INPUT --jump DROP
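################## FORWARD ###################################################
# Dispatch routed packets by the interface they arrived on; anything from
# an interface not named in the settings is logged and dropped. The log
# prefix is spelled the same way as the INPUT one ("Unexpected ... packet")
# so both show up under a single grep.
echo "FORWARD..."
"$IPT" -A FORWARD -i "$PUB_IF" -j forward_pub
"$IPT" -A FORWARD -i "$PRV_IF" -j forward_prv
"$IPT" -A FORWARD -j LOG --log-prefix "Unexpected FORWARD packet: "
"$IPT" -A FORWARD -j DROP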
################## OUTPUT ####################################################
# The firewall's own outbound traffic is unrestricted. The DROP policy set
# earlier still has a purpose: if this rule fails to load, nothing leaves
# the box instead of everything.
echo "OUTPUT..."
"$IPT" --append OUTPUT --jump ACCEPT
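################## PREROUTING ################################################
# Port forwarding: rewrite the destination of packets that arrive on the
# PUBLIC interface for the configured ports to the LAN host behind us.
# The rules are scoped with -i "$PUB_IF". Without that match the DNAT also
# applies to packets arriving from the LAN, so a LAN client talking to the
# firewall's own address on a forwarded port (e.g. DNS on 53 once SERVER1
# is enabled) would silently be redirected to the LAN host instead.
# Hairpin access (LAN clients using the public address) would additionally
# need a POSTROUTING SNAT and is not handled here.
echo "PREROUTING..."
for HOST in $PF_HOSTS ; do
  # Indirection over names from the settings section only (trusted).
  eval IP=\${PF_${HOST}_IP}
  eval TPORTS=\${PF_${HOST}_PORTS_TCP}
  eval UPORTS=\${PF_${HOST}_PORTS_UDP}
  if [ -z "$IP" ] ; then
    echo "No PF_${HOST}_IP configured, skipping port forwarding for $HOST" >&2
    continue
  fi
  for PORT in $TPORTS ; do
    "$IPT" -t nat -A PREROUTING -i "$PUB_IF" -p tcp --dport "$PORT" \
      -j DNAT --to "$IP"
  done
  for PORT in $UPORTS ; do
    "$IPT" -t nat -A PREROUTING -i "$PUB_IF" -p udp --dport "$PORT" \
      -j DNAT --to "$IP"
  done
done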
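################## POSTROUTING ##############################################
# Masquerade LAN traffic leaving on the public interface. MASQUERADE
# (rather than SNAT to a fixed address) suits a link whose address may
# change, such as PPP. Scoped to PRV_NET so nothing else gets rewritten.
echo "POSTROUTING..."
"$IPT" -t nat -A POSTROUTING -o "$PUB_IF" -s "$PRV_NET" -j MASQUERADE
# The complete rule set is now loaded: turn routing on as the very last
# step, so the box only starts forwarding once every FORWARD/NAT rule is
# in place (if the script is interrupted earlier, nothing is forwarded).
# This mirrors the abort path at the top of the script, which switches
# forwarding off.
echo "Enabling IP forwarding..."
echo 1 > /proc/sys/net/ipv4/ip_forward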
Cheers
Rupert