Hi, Here is my iptables script (which does include pre/post routing chains).
Feel free to let me know if I've left any huge holes :-) And thanks for your help/time....

#!/bin/sh

LAN_BCAST_ADDR="192.168.0.255/32"
LAN_IF="eth0"
INET_IF="ppp0"

#######################
# FLUSH ALL RULES FIRST
#######################
iptables -F
iptables -F INPUT
iptables -F OUTPUT
iptables -t nat -F
# (the per-chain flushes below are already covered by "iptables -F" and
#  only print a harmless "No chain" error the first time the script runs)
iptables -F syn_flood
iptables -F log_drop
iptables -F udp_pkt
iptables -F icmp_pkt
iptables -X

#######################
# USER DEFINED CHAINS
#######################

# SYN-FLOODING PROTECTION
iptables -N syn_flood
iptables -A syn_flood -m limit --limit 1/s --limit-burst 4 -j RETURN
iptables -A syn_flood -j DROP

# LOG & DROP
iptables -N log_drop
iptables -A log_drop -j LOG --log-level warning --log-prefix fw:
iptables -A log_drop -j DROP

# ICMP from INET
iptables -N icmp_pkt
iptables -A icmp_pkt -p icmp -m state --state NEW -j DROP
iptables -A icmp_pkt -p icmp -m state --state ESTABLISHED,RELATED -j ACCEPT

# UDP from INET
iptables -N udp_pkt
iptables -A udp_pkt -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A udp_pkt -p udp --sport 4665 --dport 1025: -j ACCEPT
iptables -A udp_pkt -p udp --dport netbios-ns -j DROP
iptables -A udp_pkt -p udp --dport netbios-dgm -j DROP
iptables -A udp_pkt -p udp --dport netbios-ssn -j DROP
iptables -A udp_pkt -p udp --dport bootps -j DROP

# TCP from INET
iptables -N tcp_pkt
iptables -A tcp_pkt -p tcp ! --syn -m state --state NEW -j DROP
iptables -A tcp_pkt -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A tcp_pkt -p tcp --syn -j syn_flood
iptables -A tcp_pkt -p tcp --dport auth -j DROP
iptables -A tcp_pkt -p tcp --dport netbios-ns -j DROP
iptables -A tcp_pkt -p tcp --dport netbios-dgm -j DROP
iptables -A tcp_pkt -p tcp --dport netbios-ssn -j DROP
iptables -A tcp_pkt -p tcp --dport bootps -j DROP
iptables -A tcp_pkt -p tcp --dport www -j DROP
iptables -A tcp_pkt -p tcp --dport 4661:4666 -j ACCEPT

#######################
# PREROUTING
#######################
# DROP obviously spoofed IPs
# (note: the nat table is only traversed by the first packet of a connection)
iptables -t nat -A PREROUTING -i ${INET_IF} -s 192.168.0.0/16 -j DROP
iptables -t nat -A PREROUTING -i ${INET_IF} -s 10.0.0.0/8 -j DROP
iptables -t nat -A PREROUTING -i ${INET_IF} -s 172.16.0.0/12 -j DROP
iptables -t nat -A PREROUTING -i ${INET_IF} -s 224.0.0.0/4 -j DROP
iptables -t nat -A PREROUTING -i ${INET_IF} -s 240.0.0.0/5 -j DROP
#iptables -t nat -A PREROUTING -i ${LAN_IF} -s ! 192.168.0.0/24 -j DROP

#######################
# INPUT
#######################
iptables -P INPUT DROP
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -i ${LAN_IF} -j ACCEPT
iptables -A INPUT -p icmp -j icmp_pkt
iptables -A INPUT -p udp -j udp_pkt
iptables -A INPUT -p tcp -j tcp_pkt
iptables -A INPUT -j log_drop

######################
# FORWARD
######################
iptables -P FORWARD DROP
iptables -A FORWARD -i ${LAN_IF} -j ACCEPT
iptables -A FORWARD -p icmp -j icmp_pkt
iptables -A FORWARD -p udp -j udp_pkt
iptables -A FORWARD -p tcp -j tcp_pkt
iptables -A FORWARD -j log_drop

# UNREAL TOURNAMENT TEST
#iptables -A FORWARD -i ${INET_IF} -p udp -m state --state ESTABLISHED,RELATED -j ACCEPT

######################
# OUTPUT
######################
iptables -P OUTPUT ACCEPT
iptables -A OUTPUT -p tcp ! --syn -m state --state NEW -j DROP

######################
# MASQUERADING
######################
#iptables -t nat -P POSTROUTING ACCEPT
iptables -t nat -A POSTROUTING -o ${INET_IF} -j MASQUERADE

----- Original Message -----
From: "Antony Stone" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Thursday, May 30, 2002 9:56 AM
Subject: Re: sendto: Operation not permitted

> On Friday 31 May 2002 1:43 am, Claudio Mio wrote:
>
> > However I still can't ping a machine on the internal network even though
> > machines on the internal network can ping the firewall.
>
> Okay - that confirms that the firewall knows how to route packets back to the
> internal machines.
>
> > My routing table is:
> > Kernel IP routing table
> > Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
> > 217.35.199.203  0.0.0.0         255.255.255.255 UH    0      0        0 ppp0
> > 192.168.0.0     0.0.0.0         255.255.255.0   U     0      0        0 eth0
> > 127.0.0.0       0.0.0.0         255.0.0.0       U     0      0        0 lo
> > 0.0.0.0         0.0.0.0         0.0.0.0         U     0      0        0 ppp0
>
> Looks good (apart from the formatting which my mailer has just messed up).
>
> What are your INPUT and OUTPUT chains (and if you have them, what are your
> PREROUTING and POSTROUTING chains in the nat table) ?
>
>
> Antony.
>
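To check what the INPUT chain of the script above actually exposes on the internet side, here is an added example (my own model, not the poster's script) that walks the icmp_pkt/udp_pkt/tcp_pkt chains for a packet arriving on ppp0. It treats the conntrack state as given, models syn_flood as RETURN (packet under the limit), and all packets are constructed.

```python
from dataclasses import dataclass

# Constructed packet carrying only the fields the rules above match on.
@dataclass
class Pkt:
    iface: str
    proto: str              # "tcp", "udp" or "icmp"
    state: str              # "NEW", "ESTABLISHED", "RELATED" (or "INVALID")
    dport: int = 0
    sport: int = 0
    syn: bool = False

NETBIOS = {137, 138, 139}   # netbios-ns, netbios-dgm, netbios-ssn
BOOTPS, AUTH, WWW = 67, 113, 80
CONNTRACKED = ("ESTABLISHED", "RELATED")

def icmp_pkt(p):
    if p.state == "NEW":
        return "DROP"
    return "ACCEPT" if p.state in CONNTRACKED else None

def udp_pkt(p):
    if p.state in CONNTRACKED:
        return "ACCEPT"
    if p.sport == 4665 and p.dport >= 1025:   # "--sport 4665 --dport 1025:"
        return "ACCEPT"
    if p.dport in NETBIOS or p.dport == BOOTPS:
        return "DROP"
    return None                               # end of chain: back to INPUT

def tcp_pkt(p):
    if not p.syn and p.state == "NEW":        # "! --syn" with state NEW
        return "DROP"
    if p.state in CONNTRACKED:
        return "ACCEPT"
    if p.dport in NETBIOS or p.dport in (AUTH, BOOTPS, WWW):
        return "DROP"
    if 4661 <= p.dport <= 4666:
        return "ACCEPT"
    return None

def input_verdict(p):
    """lo and eth0 are accepted outright; anything else goes through the
    per-protocol chain and, if that chain ends without a verdict, log_drop."""
    if p.iface in ("lo", "eth0"):
        return "ACCEPT"
    v = {"icmp": icmp_pkt, "udp": udp_pkt, "tcp": tcp_pkt}[p.proto](p)
    return v if v is not None else "LOG_DROP"

def open_tcp_ports(iface="ppp0"):
    """TCP ports on which a fresh SYN from the internet is accepted."""
    return [d for d in range(1, 65536)
            if input_verdict(Pkt(iface, "tcp", "NEW", dport=d, syn=True)) == "ACCEPT"]
```

open_tcp_ports() comes back as just 4661-4666, while input_verdict(Pkt("ppp0", "udp", "NEW", dport=5000, sport=4665)) shows that the "--sport 4665 --dport 1025:" rule admits a fresh UDP packet to any port above 1024 on the firewall whenever its source port is 4665.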