Eugene:
I made a couple of changes to your script. I added the ip_conntrack module.
I rewrote your forwarding rules near the end. I would recommend that you
make all your default policies drop, and then open up what you need to. Try
those changes.

If they don't work, do an iptables -v -L -t nat and iptables -v -L FORWARDING.
Copy and paste them and send it to the group. The other thing to try is
tcpdump. I usually use tcpdump -nvi eth0 port 25 and tcpdump -nvi eth1 port 25
on separate ssh windows; telnet should work fine as well. See if the packets
are being DNAT'd and forwarded. I am assuming everything else works OK, i.e.
you can connect out via an internal machine etc., preferably the one in
question. Let me know how you make out.
Stu.........
#!/bin/sh
#/usr/sbin/firewall.sh
###Flushing###
iptables -F
iptables -t nat -F
iptables -X
iptables -Z
###Default policies###
iptables -P OUTPUT ACCEPT
iptables -P FORWARD ACCEPT
###Loading Iptables###
/sbin/modprobe ip_tables
/sbin/modprobe ip_conntrack #Added this module
/sbin/modprobe ip_nat_ftp
/sbin/modprobe ip_conntrack_ftp
###Not too sure what this does###
### This is intended for antispoofing filtering (reverse path filtering)
echo "1" > /proc/sys/net/ipv4/conf/all/rp_filter
### This one is for a dynamically assigned external address (dial-up/PPP)
echo "1" > /proc/sys/net/ipv4/ip_dynaddr
###Enable NAT/MASQUERADING and IPforwarding###
iptables -t nat -A POSTROUTING -s intip -j MASQUERADE
echo "1" > /proc/sys/net/ipv4/ip_forward
###Disable response to ping### (working)
echo "1" > /proc/sys/net/ipv4/icmp_echo_ignore_all
###Transparent proxy###
iptables -t nat -A PREROUTING -p tcp -i eth1 --dport 80 -j REDIRECT --to-port 3128
###Disable ICMP redirect acceptance###
echo "0" > /proc/sys/net/ipv4/conf/all/accept_redirects
###Disable response to broadcasts###
echo "1" > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
###Don't accept source routed packets###
echo "0" > /proc/sys/net/ipv4/conf/all/accept_source_route
###Enable bad error message protection###
echo "1" > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses
###Log spoofed packets, source routed packets, redirect packets###
echo "1" > /proc/sys/net/ipv4/conf/all/log_martians
###INPUT Policies###
iptables -A INPUT -p tcp -i eth0 -s 0/0 --dport 79 -j DROP
iptables -A INPUT -p udp -i eth0 -s 0/0 --dport 79 -j DROP
iptables -A INPUT -p tcp -i eth0 -s 0/0 --dport 23 -j DROP
iptables -A INPUT -p udp -i eth0 -s 0/0 --dport 23 -j DROP
iptables -A INPUT -p tcp -i eth0 -s 0/0 --dport 22 -j DROP
iptables -A INPUT -p udp -i eth0 -s 0/0 --dport 22 -j DROP
iptables -A INPUT -p tcp -i eth0 -s 0/0 --dport 21 -j DROP
iptables -A INPUT -p udp -i eth0 -s 0/0 --dport 21 -j DROP
iptables -A INPUT -p tcp -i eth0 -s 0/0 --dport 20 -j DROP
###Block e-mail password sender###
iptables -A OUTPUT -p udp -o eth0 -s 0/0 --dport 25 -j DROP
iptables -A INPUT -p udp -i eth0 -s 0/0 --dport 25 -j DROP
###Deny spoofed IPs###
iptables -A INPUT -i eth0 -s intip -j DROP
###Port Forwarding Changes by Stu ###
#Rule to DNAT incoming connections
iptables -t nat -A PREROUTING -p tcp -i eth0 -d EXTIP \
-s 0/0 --dport 25 -j DNAT --to intip
#Rule to forward traffic destined to Internal Machine on Port 25
iptables -A FORWARD -p tcp -i eth0 -o eth1 -m state --state NEW,ESTABLISHED,RELATED \
-d intip --dport 25 -j ACCEPT
#Rule to allow traffic out from the Internal Network
iptables -A FORWARD -i eth1 -o eth0 -j ACCEPT
# Original Rules Commented out
# iptables -t nat -A PREROUTING -p tcp -d extip --dport 25 -j DNAT --to intip:port
# iptables -A FORWARD -i eth0 -p tcp -d intip --dport 25 -j ACCEPT
###Allow all connections on the loopback device###
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
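Added example, not part of Stu's or Eugene's message: the "default policies drop, then open what you need" layout Stu recommends, applied to the same gateway (masquerading for the inside, SMTP published to one internal host). Interface names, addresses and the mail host below are constructed placeholders (eth0 outside, eth1 inside, 203.0.113.10, 192.168.1.0/24, 192.168.1.25); build_rules takes the command to run each rule through, so `build_rules echo` prints the ruleset for review and `build_rules iptables` loads it.

```shell
#!/bin/sh
# Added example (not the script from the message above): a default-deny
# version of the gateway ruleset. All names and addresses are constructed
# placeholders for illustration.
EXT_IF=eth0              # outside interface
INT_IF=eth1              # inside interface
EXT_IP=203.0.113.10      # constructed external address
INT_NET=192.168.1.0/24   # constructed internal network
MAIL_HOST=192.168.1.25   # constructed internal mail server

# build_rules CMD: feed every rule to CMD. Use "iptables" to load the rules,
# or "echo" to print them without touching the kernel.
build_rules() {
    ipt="$1"

    # Flush, then set every built-in chain to DROP before opening anything,
    # so a missing rule fails closed instead of open.
    $ipt -F
    $ipt -t nat -F
    $ipt -X
    $ipt -Z
    $ipt -P INPUT DROP
    $ipt -P FORWARD DROP
    $ipt -P OUTPUT DROP

    # Loopback is always allowed.
    $ipt -A INPUT -i lo -j ACCEPT
    $ipt -A OUTPUT -o lo -j ACCEPT

    # Anti-spoofing: internal addresses never arrive on the outside interface.
    $ipt -A INPUT -i "$EXT_IF" -s "$INT_NET" -j DROP
    $ipt -A FORWARD -i "$EXT_IF" -s "$INT_NET" -j DROP

    # One stateful rule per chain (needs ip_conntrack) replaces a long list
    # of per-port rules: replies to connections we accepted are allowed.
    $ipt -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    $ipt -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    $ipt -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

    # The gateway itself may open new outbound connections.
    $ipt -A OUTPUT -m state --state NEW -j ACCEPT

    # Masquerade the internal network and let it open new connections out.
    $ipt -t nat -A POSTROUTING -o "$EXT_IF" -s "$INT_NET" -j MASQUERADE
    $ipt -A FORWARD -i "$INT_IF" -o "$EXT_IF" -s "$INT_NET" -m state --state NEW -j ACCEPT

    # Publish SMTP: DNAT on the outside interface, plus a FORWARD rule that
    # accepts only NEW connections to the mail host on port 25. Replies come
    # back through the ESTABLISHED,RELATED rule above.
    $ipt -t nat -A PREROUTING -i "$EXT_IF" -p tcp -d "$EXT_IP" --dport 25 \
        -j DNAT --to-destination "$MAIL_HOST":25
    $ipt -A FORWARD -i "$EXT_IF" -o "$INT_IF" -p tcp -d "$MAIL_HOST" --dport 25 \
        -m state --state NEW -j ACCEPT
}

# count_drop_policies: how many chains the generated ruleset sets to DROP.
# A correct default-deny ruleset yields 3 (INPUT, FORWARD, OUTPUT).
count_drop_policies() {
    build_rules echo | grep -c -- '^-P [A-Z]* DROP'
}

# count_forward_accepts: how many explicit ACCEPT rules the FORWARD chain
# carries (established/related, outbound NEW, and the SMTP DNAT target).
count_forward_accepts() {
    build_rules echo | grep -c -- '^-A FORWARD .*-j ACCEPT'
}

case "${1:-}" in
    --dry-run) build_rules echo ;;
    --load)    build_rules iptables
               echo 1 > /proc/sys/net/ipv4/ip_forward ;;
    *)         echo "usage: $0 --dry-run | --load" >&2 ;;
esac
```

Run it with --dry-run first and read the printed rules; only --load calls iptables. When checking a loaded ruleset the way Stu suggests, iptables -v -L FORWARD -n and iptables -v -L -t nat -n show per-rule packet counters, so a DNAT rule whose counter climbs while the matching FORWARD ACCEPT stays at zero points straight at the forwarding rule.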