Dear all,
Quote:
The only issue with having many matches in a single iptables rule (aside from win32sux's point) is that a few of the options require things to be in a specific order to work properly.
hmm...I think that is possibly the problem...
Quote:
I'd recommend that you post all of your rules to make sure that you somehow didn't compromise the firewall integrity by "shortening" one of the rules. Doing iptables -I FORWARD -j ACCEPT will often fix a lot of problems, but it also will completely open up your network to an attacker.
Here's the full script that is finally working.
IPT=/sbin/iptables
EXTDEV=ppp0
# For static IP
#EXTIP=""
# For dial-up streamyx account: pull the ppp0 address out of ifconfig's "P-t-P" line
# (cut numbers characters from 1; the sed pattern is quoted so the shell cannot glob it)
EXTIP=`ifconfig ppp0 | grep "P-t-P" | cut -c 1-36 | sed -e 's/[a-zA-Z:-]//g'`
LOGOPT="--log-level=3 -m limit --limit 3/minute --limit-burst 3"
INTDEV=eth0
INTIP="192.168.0.1"
# Web server IP = 192.168.0.100 (used literally in the DNAT/FORWARD rules below)
#------------------------------------------------------------
#Clean the table rules
#------------------------------------------------------------
for table in mangle filter nat
do
$IPT -t $table -F
$IPT -t $table -X
$IPT -t $table -Z
done
$IPT -P INPUT DROP
$IPT -P OUTPUT DROP
$IPT -P FORWARD DROP
$IPT -F
$IPT -X
#-------------------------------------------------------------
# Port-forward incoming web traffic to the internal web server (DNAT), then
# rewrite the source to the firewall's internal address (SNAT) so replies come back through it
#-------------------------------------------------------------
$IPT -t nat -A PREROUTING -p tcp -i $EXTDEV -d $EXTIP --dport 80 -j DNAT --to-destination 192.168.0.100
$IPT -t nat -A POSTROUTING -p tcp -d 192.168.0.100 --dport 80 -j SNAT --to-source $INTIP
#------------------------------------------------------------
# Traffic addressed to the firewall itself (INPUT chain)
#------------------------------------------------------------
$IPT -A INPUT -i lo -j ACCEPT # localhost
$IPT -A INPUT -p udp --dport 5060 -j ACCEPT # SIP signalling (no -i given, so reachable on $EXTDEV as well)
$IPT -A INPUT -p udp --dport 10001:65535 -j ACCEPT # high UDP ports for VoIP media (no -i given, so reachable on $EXTDEV as well)
$IPT -A INPUT -p udp --dport 53 -j ACCEPT # DNS
$IPT -A INPUT -p tcp --dport 389 -j ACCEPT # LDAP
$IPT -A INPUT -p tcp --dport 80 -j ACCEPT # http to the firewall itself
$IPT -A INPUT -p tcp --dport 22 -j ACCEPT # ssh
$IPT -A INPUT -p icmp -i $INTDEV -j ACCEPT # ping, internal side only
$IPT -A INPUT -p tcp --dport 5900 -j ACCEPT # VNC
$IPT -A INPUT -p tcp --dport 5901 -j ACCEPT # VNC
$IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT # replies to connections the firewall opened
$IPT -A INPUT -j DROP # catch-all; rules are evaluated top to bottom, so nothing appended after this is reached
#------------------------------------------------------------
# Traffic originating from the firewall itself (OUTPUT chain)
#------------------------------------------------------------
$IPT -A OUTPUT -o lo -j ACCEPT # localhost
$IPT -A OUTPUT -p udp --dport 5060 -j ACCEPT
$IPT -A OUTPUT -p udp --dport 10000:65535 -j ACCEPT
$IPT -A OUTPUT -p tcp --dport 389 -j ACCEPT
$IPT -A OUTPUT -p udp --dport 53 -j ACCEPT # DNS
$IPT -A OUTPUT -p tcp --dport 22 -j ACCEPT # ssh
$IPT -A OUTPUT -p tcp --dport 80 -j ACCEPT # Webmin
$IPT -A OUTPUT -p tcp --dport 443 -j ACCEPT # https
$IPT -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPT -A OUTPUT -j DROP # catch-all
#------------------------------------------------------------
# Traffic routed through the firewall (FORWARD chain): only new web connections to the DNAT'd server, plus return traffic
#------------------------------------------------------------
$IPT -A FORWARD -p tcp -i $EXTDEV -o $INTDEV -d 192.168.0.100 --dport 80 -m state --state NEW -j ACCEPT
$IPT -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPT -A FORWARD -j DROP # catch-all
thanks a lot for helping all!
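The two replies quoted above make the same point from different angles: a rule only fires in the order it was appended, and a match-free rule like "iptables -I FORWARD -j ACCEPT" silently opens everything. The following POSIX sh checker is an added example for this thread, not the poster's script or anything from the iptables project. It reads a firewall script as plain text (it never runs iptables, so no root is needed) and flags three things: ACCEPT rules that carry no match clause at all, rules appended to INPUT/OUTPUT/FORWARD after a catch-all DROP in that chain (unreachable), and built-in chains that have no "-P CHAIN DROP" default policy. It assumes the "$IPT -A CHAIN ... -j TARGET" one-rule-per-line shape used in the script above and only tracks ordering for -A (append); the sample_script ruleset inside it is constructed to trigger every check and is not something to load.

```shell
#!/bin/sh
# Added example for this thread (not the poster's script): a static sanity check
# for an iptables shell script. It reads the script as text and never invokes
# iptables. Assumes one rule per line in the "$IPT -A CHAIN ... -j TARGET" shape
# and that filter chains are built with -A; ordering of -I rules is not tracked.

# is_blanket TARGET LINE: succeed when LINE jumps to TARGET with no match clause
# at all, e.g. "$IPT -I FORWARD -j ACCEPT".
is_blanket() {
    target=$1
    line=$2
    case "$line" in
        *"-j $target"*) ;;
        *) return 1 ;;
    esac
    # Drop comment, command word, table selector, chain selector (with optional
    # insert position) and the target; anything left over is a match clause.
    rest=$(printf '%s\n' "$line" \
        | sed -e 's/#.*//' \
              -e 's/^[[:space:]]*[^[:space:]]*//' \
              -e 's/ -t [a-z]*//' \
              -e 's/ -[AI] [A-Za-z0-9_-]*\( [0-9][0-9]*\)\{0,1\}//' \
              -e "s/ -j $target//" \
        | tr -d ' \t')
    [ -z "$rest" ]
}

# filter_chain LINE: print INPUT, OUTPUT or FORWARD when LINE appends (-A) to one
# of the built-in filter chains; print nothing for nat/mangle or other chains.
filter_chain() {
    case "$1" in
        *" -t "*) return 0 ;;
    esac
    c=$(printf '%s\n' "$1" | sed -n 's/.* -A \([A-Za-z0-9_]*\) .*/\1/p')
    case "$c" in
        INPUT|OUTPUT|FORWARD) printf '%s\n' "$c" ;;
    esac
}

# lint_script FILE: print each finding; the return value is the number of findings.
lint_script() {
    file=$1
    findings=0
    closed_INPUT=0; closed_OUTPUT=0; closed_FORWARD=0
    while IFS= read -r line; do
        code=$(printf '%s\n' "$line" | sed -e 's/#.*//')
        case "$code" in
            *[![:space:]]*) ;;
            *) continue ;;          # blank or comment-only line
        esac
        if is_blanket ACCEPT "$code"; then
            printf 'blanket ACCEPT (no match clause): %s\n' "$code"
            findings=$((findings + 1))
        fi
        chain=$(filter_chain "$code")
        [ -n "$chain" ] || continue
        eval "closed=\$closed_$chain"
        if [ "$closed" = 1 ]; then
            printf 'unreachable, appended after catch-all DROP in %s: %s\n' "$chain" "$code"
            findings=$((findings + 1))
        elif is_blanket DROP "$code"; then
            eval "closed_$chain=1"   # every later -A rule for this chain is dead
        fi
    done < "$file"
    for chain in INPUT OUTPUT FORWARD; do
        if ! grep -v '^[[:space:]]*#' "$file" | grep -q -- "-P $chain DROP"; then
            printf 'no default DROP policy for %s\n' "$chain"
            findings=$((findings + 1))
        fi
    done
    return "$findings"
}

# Constructed sample script that trips every check (blanket accept, dead rule,
# missing OUTPUT policy); for the demo only, not a ruleset to load.
sample_script() {
    cat <<'EOF'
IPT=/sbin/iptables
$IPT -P INPUT DROP
$IPT -P FORWARD DROP
$IPT -A INPUT -i lo -j ACCEPT        # fine: has a match
$IPT -I FORWARD -j ACCEPT            # blanket accept
$IPT -A FORWARD -j DROP
$IPT -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT   # never reached
EOF
}

# Stand-alone usage: lint the script given as $1, or the constructed sample.
if [ "$#" -gt 0 ]; then
    n=0; lint_script "$1" || n=$?
else
    tmp=$(mktemp)
    sample_script > "$tmp"
    n=0; lint_script "$tmp" || n=$?
    rm -f "$tmp"
fi
echo "findings: $n"
```

Run as "sh lint_iptables.sh firewall.sh" against a saved copy of the script above and it reports no findings: every ACCEPT carries a match, each chain ends with its catch-all DROP, and all three default policies are DROP. Point it at a script where "-I FORWARD -j ACCEPT" was added as a quick fix and that rule is the first line it prints.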