/* HINT: Search archives @ http://www.indyramp.com/masq/ before posting! */
/* ALSO: Don't quote this header. It makes you look lame :-) */
If I send or receive mail I get logs about port 25, which I opened. Also my backend machines cannot surf or ftp. So what is going on? Please help. Here is my firewall script:

# Point this to your copy of ip_tables
IPT="/usr/local/sbin/iptables"

# Flush old rules, delete the firewall chain if it exists
# Setting standard filter policy on DROP
$IPT -F
$IPT -P INPUT DROP
$IPT -P OUTPUT DROP
$IPT -P FORWARD DROP
$IPT -F -t nat
$IPT -X firewall
$IPT -Z

# Set up the firewall chain
$IPT -N firewall
$IPT -A firewall -j LOG --log-level info --log-prefix Firewall:
$IPT -A firewall -j REJECT

# Enable IP Forwarding, if it isn't already
echo 1 > /proc/sys/net/ipv4/ip_forward

# Refuse incoming packets pretending to be from the external address
$IPT -A INPUT -s $EXTIP -j firewall

# remote interface, claiming to be local machines, IP spoofing, get lost
$IPT -A INPUT -i $EXTIF -s $LOCALNET -d $UNIVERSE -j firewall

# outgoing to local net on remote interface, stuffed routing, deny
$IPT -A OUTPUT -o $EXTIF -s $LOCALNET -d $UNIVERSE -j firewall

# Loopback interfaces are valid
$IPT -A INPUT -i lo -s $UNIVERSE -d $UNIVERSE -j ACCEPT
$IPT -A OUTPUT -o lo -s $UNIVERSE -d $UNIVERSE -j ACCEPT

# Local interface, local machines, going anywhere is valid
$IPT -A INPUT -i $INTIF -s $IPNET -d $UNIVERSE -j ACCEPT

# All internal machines have access to the firewall machine
$IPT -A INPUT -i $INTIF -s $LOCALNET -j ACCEPT
$IPT -A OUTPUT -o $INTIF -d $LOCALNET -j ACCEPT

# Accept DNS, 'cause it's warm and friendly
$IPT -A INPUT -p udp --sport 53 -j ACCEPT
$IPT -A INPUT -m multiport -p tcp --sport 42,53 -j ACCEPT
$IPT -A OUTPUT -m multiport -p tcp --dport 42,53 -j ACCEPT
$IPT -A OUTPUT -p udp --dport 53 -j ACCEPT

# Allow SSH to this server.
$IPT -A INPUT -p tcp --dport 22 -j ACCEPT
$IPT -A INPUT -p udp --dport 22 -j ACCEPT
$IPT -A OUTPUT -p tcp --sport 22 -j ACCEPT
$IPT -A OUTPUT -p udp --sport 22 -j ACCEPT

# Setting up SMTP Server (25)
$IPT -A INPUT -i $EXTIF -p tcp --dport 25 -j ACCEPT
$IPT -A OUTPUT -o $EXTIF -p tcp --sport 25 -j ACCEPT

# Allowing SMTP Client (25)
$IPT -A OUTPUT -o $EXTIF -p tcp --dport 25 -j ACCEPT

# Reject incoming and outgoing traffic to port 137,138,139 NetBIOS
$IPT -A INPUT -p tcp --dport 137:139 -j REJECT
$IPT -A OUTPUT -p tcp --dport 137:139 -j REJECT
$IPT -A INPUT -p udp --dport 137:139 -j REJECT
$IPT -A OUTPUT -p udp --dport 137:139 -j REJECT

# Allow EXTERNAL access to the Webserver
$IPT -A INPUT -i $EXTIF -p tcp --dport 80 -j ACCEPT
$IPT -A OUTPUT -o $EXTIF -p tcp --sport 80 -j ACCEPT

# Setup Masquerading.
$IPT -t nat -A POSTROUTING -o $EXTIF -j MASQUERADE

# Catch all rules
$IPT -A INPUT -s $UNIVERSE -d $UNIVERSE -j firewall
$IPT -A OUTPUT -s $UNIVERSE -d $UNIVERSE -j firewall
$IPT -A FORWARD -j firewall

_______________________________________________
Masq maillist - [EMAIL PROTECTED]
Admin requests can be handled at http://www.indyramp.com/masq-list/ -- THIS INCLUDES UNSUBSCRIBING! or email to [EMAIL PROTECTED]
PLEASE read the HOWTO and search the archives before posting. You can start your search at http://www.indyramp.com/masq/
Please keep general linux/unix/pc/internet questions off the list.
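Reading the posted script as it stands, both symptoms follow from two gaps in it. First, the FORWARD chain contains nothing but the catch-all `-j firewall`, so every packet a backend host sends through the masquerading box is logged and rejected; that is why they can neither browse nor ftp. Second, no rule accepts reply packets to connections the firewall itself opens: an outbound SMTP connection is allowed by `--dport 25` on OUTPUT, but the remote server's SYN/ACK arrives on INPUT with source port 25, which no INPUT rule matches, so it falls through to the catch-all and produces the "port 25" log lines. The script below is an added example written for this reply, not the poster's script; it keeps the same default-deny layout and adds connection tracking (`-m state`, which the iptables of that era supports; current kernels spell the same thing `-m conntrack --ctstate`) plus a FORWARD rule for the LAN. The interface names, addresses and iptables path are assumptions and must be changed to match the real machine. By default it only prints the rules it would install; run it with `RUN=1` to apply them.

```shell
#!/bin/sh
# Added example, not the original poster's script. Interface names, addresses
# and the iptables path are assumptions; set them to match the real firewall.
IPT="${IPT:-/usr/local/sbin/iptables}"
EXTIF="${EXTIF:-eth0}"                   # assumed: interface toward the Internet
INTIF="${INTIF:-eth1}"                   # assumed: interface toward the backend LAN
EXTIP="${EXTIP:-203.0.113.10}"           # assumed placeholder (RFC 5737 range)
LOCALNET="${LOCALNET:-192.168.1.0/24}"   # assumed backend LAN

# Dry run by default: print each rule. RUN=1 executes it with $IPT instead.
rule() {
    if [ "${RUN:-0}" = "1" ]; then
        "$IPT" "$@"
    else
        printf '%s %s\n' "$IPT" "$*"
    fi
}

firewall_rules() {
    # Flush, rebuild the logging chain and default-deny, as in the original
    rule -F
    rule -F -t nat
    rule -X firewall
    rule -Z
    rule -P INPUT DROP
    rule -P OUTPUT DROP
    rule -P FORWARD DROP
    rule -N firewall
    rule -A firewall -j LOG --log-level info --log-prefix "Firewall: "
    rule -A firewall -j REJECT

    # Loopback first, so the box can talk to its own external address
    rule -A INPUT -i lo -j ACCEPT
    rule -A OUTPUT -o lo -j ACCEPT

    # Anti-spoofing, limited to the external interface
    rule -A INPUT -i "$EXTIF" -s "$EXTIP" -j firewall
    rule -A INPUT -i "$EXTIF" -s "$LOCALNET" -j firewall
    rule -A OUTPUT -o "$EXTIF" -s "$LOCALNET" -j firewall

    # FIX 1: accept replies to connections the firewall itself opened.
    # This is what lets the SYN/ACK from a remote MTA (sport 25) in without
    # hitting the catch-all, and it replaces every "--sport N" ACCEPT rule,
    # which would otherwise admit any host that simply chooses that source port.
    rule -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    rule -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

    # Backend LAN may reach the firewall itself
    rule -A INPUT -i "$INTIF" -s "$LOCALNET" -j ACCEPT
    rule -A OUTPUT -o "$INTIF" -d "$LOCALNET" -j ACCEPT

    # Services the firewall offers (new connections only): SSH, SMTP, HTTP
    rule -A INPUT -p tcp -m state --state NEW -m multiport --dports 22,25,80 -j ACCEPT

    # Connections the firewall itself may open: DNS, and SMTP as a client
    rule -A OUTPUT -p udp --dport 53 -j ACCEPT
    rule -A OUTPUT -p tcp -m state --state NEW -m multiport --dports 25,53 -j ACCEPT

    # NetBIOS: plain reject without logging, as in the original
    rule -A INPUT -p tcp --dport 137:139 -j REJECT
    rule -A INPUT -p udp --dport 137:139 -j REJECT
    rule -A OUTPUT -p tcp --dport 137:139 -j REJECT
    rule -A OUTPUT -p udp --dport 137:139 -j REJECT

    # FIX 2: the FORWARD chain. The original has only the catch-all here, so
    # nothing from the LAN is ever forwarded.
    rule -A FORWARD -i "$INTIF" -o "$EXTIF" -s "$LOCALNET" -m state --state NEW -j ACCEPT
    rule -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

    # Masquerade only the LAN, only toward the outside
    rule -t nat -A POSTROUTING -o "$EXTIF" -s "$LOCALNET" -j MASQUERADE

    # Catch-all: log and reject whatever is left
    rule -A INPUT -j firewall
    rule -A OUTPUT -j firewall
    rule -A FORWARD -j firewall
}

# FTP data connections through NAT are only seen as RELATED when the FTP
# conntrack/NAT helper is loaded. Module names differ by kernel generation.
load_ftp_helpers() {
    if modprobe nf_conntrack_ftp 2>/dev/null; then
        modprobe nf_nat_ftp 2>/dev/null || true
    else
        modprobe ip_conntrack_ftp 2>/dev/null || true
        modprobe ip_nat_ftp 2>/dev/null || true
    fi
}

apply_firewall() {
    if [ "${RUN:-0}" = "1" ]; then
        load_ftp_helpers
        echo 1 > /proc/sys/net/ipv4/ip_forward
    fi
    firewall_rules
}

apply_firewall
```

Two things worth checking after applying it: `iptables -L FORWARD -v -n` should show the LAN rule's packet counter climbing when a backend host browses, and the "Firewall:" log lines for port 25 should stop, because replies now match the ESTABLISHED rule before they reach the catch-all. The rules for UDP port 22 and TCP port 42 from the original are dropped on purpose: SSH does not use UDP, and nothing in the post needs port 42.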
