Hi,
I have problem with my firewall setings (RH7.2/iptables)! When I enable rules, all computer can access internet and send mail but cant login to SMB and dont see this IP and server behind this IP! When I clear all rules, then computers can see server and login to samba domain, but cant see internet anymore! :( There is short description what I want: In this server I have DNS, DHCP, WWW, SMTP, IMAP, SAMBA (as NT Domain Server). Eth0(IP:212.212.212.212[Internet]) I want enable SSH, MAIL, HTTP, HTTPS Eth1(IP:192.168.100.1[Intranet]) Wide open to everyone from this interface! More I want that all intranet can log-in to SMB server, access internet (transp. squid), send mail, etc! (FTP in active mode) And from internet can only see only those ports what is needed to work these daemons properly (SMTP, WWW, ...) what are running on my server! And can access only WWW(http, https) and SSH ports and mail trafic! I put here rulez what i have now on my server and what wont work correctly! FORWARDING rules gives error that iptables dont have parameter --dport! But other lines it works fine! Please help me with this problem! I dont have any experience with networking and firewalling and cant fix this myself! Thnx to everyone, who answers to my problem. There is script: IPTABLES.FIREWALL: ----------------------- #!/bin/bash # Delete OLD Rules echo "Starting Firewall" iptables -t filter --flush iptables -t nat --flush iptables -t mangle --flush iptables --flush INPUT iptables --flush OUTPUT iptables --flush FORWARD iptables --delete-chain syn-flood iptables --delete-chain icmp-flood #Definations EXTIP="212.212.212.212" LOCALIP="192.168.100.1" LOCALNET="192.168.100.0/24" LOOPBACK="127.0.0.0/8" CLASS_A="10.0.0.0/8" CLASS_B="172.16.0.0/12" CLASS_C="192.168.0.0/16" # Default Policies iptables -P INPUT DROP iptables -P OUTPUT ACCEPT iptables -P FORWARD DROP iptables -A INPUT -i lo -j ACCEPT iptables -A OUTPUT -o lo -j ACCEPT /bin/echo "1" /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts iptables -N syn-flood iptables -A INPUT -i eth0 -p tcp --syn -j syn-flood iptables -A syn-flood -m limit --limit 1/s --limit-burst 4 -j RETURN #(FAKE traffic emulation from hackers not allowed) /bin/echo "0" /proc/sys/net/ipv4/conf/all/accept_source_route #Lubame ip_forwardi /bin/echo "1" /proc/sys/net/ipv4/ip_forward iptables -N icmp-flood iptables -A INPUT -i eth0 -p icmp -s 0/0 -j icmp-flood iptables -A icmp-flood -m limit --limit 1/s --limit-burst 100 -j RETURN iptables -A icmp-flood -j LOG --log-prefix "icmp-flood-detected" iptables -A icmp-flood -j DROP iptables -A INPUT -i eth0 -p tcp -s $CLASS_A -j DROP iptables -A INPUT -i eth0 -p tcp -s $CLASS_B -j DROP iptables -A INPUT -i eth0 -p tcp -s $CLASS_C -j DROP iptables -A INPUT -s $LOCALNET -p tcp -d $LOCALIP --dport 1:1023 -j ACCEPT iptables -A INPUT -s 0/0 -p tcp -d $EXTIP --dport 22 -j ACCEPT #SSH iptables -A INPUT -s 0/0 -p tcp -d $EXTIP --dport 80 -j ACCEPT #HTTP iptables -A INPUT -s 0/0 -p tcp -d $EXTIP --dport 113 -j ACCEPT #IDENT iptables -A INPUT -s 0/0 -p tcp -d $EXTIP --dport 123 -j ACCEPT #NTP iptables -A INPUT -s 0/0 -p tcp -d $EXTIP --dport 443 -j ACCEPT #HTTPS iptables -A INPUT -s 0/0 -p tcp -d 0/0 --dport 1024:65535 -j ACCEPT iptables -A INPUT -s 0/0 -p tcp -d 0/0 --dport 1:1023 -j DROP # INPUT ------ UDP ----- iptables -A INPUT -i eth0 -s $CLASS_A -p udp -j DROP iptables -A INPUT -i eth0 -s $CLASS_B -p udp -j DROP iptables -A INPUT -i eth0 -s $CLASS_C -p udp -j DROP iptables -A INPUT -s $LOCALNET -p udp -d $LOCALIP --dport 1:1023 -j ACCEPT iptables -A INPUT -s 0/0 -p udp -d $EXTIP --dport 123 -j ACCEPT #NTP iptables -A INPUT -s 0/0 -p udp -d 0/0 --dport 1024:65535 -j ACCEPT iptables -A INPUT -s 0/0 -p udp -d 0/0 --dport 1:1023 -j DROP # --- FORWARD --- iptables -A FORWARD -o eth0 --dport 137 -j DROP iptables -A FORWARD -o eth0 --dport 138 -j DROP iptables -A FORWARD -o eth0 --dport 139 -j DROP iptables -A FORWARD -i eth0 -o eth1 -j ACCEPT iptables -A FORWARD -i eth1 -o eth0 -j ACCEPT iptables -t nat -A POSTROUTING -d $LOCALNET -o eth0 -j ACCEPT iptables -t nat -A POSTROUTING -s $LOCALNET -o eth0 -j MASQUERADE ----------------------------- M.
