Hi I need help understanding what goes wrong in this script. I cannot ping anyone and cannot resolve as well. In fact I believe the only thing I can get is an ip address from my isp's dhcp server.
Best Regards kc ## FIREWALL ## ## Symbolic Constants CONNECTION_TRACKING="1" LOCAL="eth0" INTERNET="eth1" LOOPBACK_INTERFACE="lo" MY_ISP="24.0.0.0/8" LOOPBACK="127.0.0.0/8" IPADDR=`ifconfig eth1|awk '/inet/{print $2}'|awk -F ':' '{print $2}'` INTERNAL_IP=`ifconfig eth0|awk '/inet/{print $2}'|awk -F ':' '{print $2}'` LOCAL_NET="192.168.3.0/24" BROADCAST_SRC="0.0.0.0" BROADCAST_DEST="255.255.255.255" PRIVPORTS="0:1023" UNPRIVPORTS="1024:65535" SUBNET_BASE="192.168.3.0" SUBNET_BROADCAST="192.168.3.255" ## Hosts DESKTOP="host2" DESKTOP2="host" WWW="host3" #MAIL="192.168.2.5" #IRC="192.168.2.40" #IMAP_CLIENTS="continued... " TIME_SERVER="time.server.address" HOSTS_PING="isp subnet" NAMESERVER="nameserver1" DHCP_SERVER="dhcp-server1" ## PORTS IRC_PORT="6667" WEB_PORT="80" SSL_PORT="443" SSH_PORTS="445" DK_PORT="4660" XWINDOW_PORTS="6000:6063" TRACEROUTE_SRC_PORTS="32769:65535" TRACEROUTE_DEST_PORTS="33434:33523" ## Private Class Networks CLASS_A="10.0.0.0/8" CLASS_B="172.16.0.0/12" CLASS_C="192.168.0.0/16" CLASS_D_MULTICAST="224.0.0.0/4" CLASS_E_RESERVED_NET="240.0.0.0/5" ## Flush the chains of all rules iptables --flush iptables -t nat --flush iptables -t mangle --flush echo "Flushed rules for all chains" ## Show Internal and External Addresses and enable forwarding echo "External IP " $IPADDR echo "Internal IP " $INTERNAL_IP #echo "1" > /proc/sys/net/ipv4/ip_forward ## Enable broadcast echo Protection echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts ## Disable Source Routed Packets for p in /proc/sys/net/ipv4/conf/*/accept_source_route; do echo 0 > $p done ## Enable TCP SYN Cookie Protection echo 1 > /proc/sys/net/ipv4/tcp_syncookies ## Disable ICMP Redirect Acceptance # A redirect message SHOULD be silently discarded if the new gateway address it specifies is not on the same subnet that it came from. for p in /proc/sys/net/ipv4/conf/*/accept_redirects; do echo 0 > $p done ## Don't send redirect Messages for p in /proc/sys/net/ipv4/conf/*/send_redirects; do echo 0 > $p done ## Drop Spoofed Packets coming in on an interface, to which a reply would result in going out a different interface. for p in /proc/sys/net/ipv4/conf/*/rp_filter; do echo 1 > $p done ## Log packets with impossible addresses. for p in /proc/sys/net/ipv4/conf/*/log_martians; do echo 1 > $p done ## Unlimited traffic on the loopback interface iptables -A INPUT -i lo -j ACCEPT iptables -A OUTPUT -o lo -j ACCEPT ##### POLICY ##### ## Default Policy iptables --policy INPUT DROP iptables --policy OUTPUT DROP iptables --policy FORWARD DROP iptables -t nat --policy PREROUTING DROP iptables -t nat --policy OUTPUT DROP iptables -t nat --policy POSTROUTING DROP iptables -t mangle --policy PREROUTING DROP iptables -t mangle --policy OUTPUT DROP iptables --delete-chain iptables -t nat --delete-chain iptables -t mangle --delete-chain # DNS iptables -A OUTPUT -o $INTERNET -p udp -s $IPADDR --sport $UNPRIVPORTS -d $NAMESERVER --dport 53 -j ACCEPT iptables -A INPUT -i $INTERNET -p udp -s $NAMESERVER --sport 53 -d $IPADDR --dport $UNPRIVPORTS -j ACCEPT iptables -A OUTPUT -o $INTERNET -tcp -s $IPADDR --sport $UNPRIVPORTS -d $NAMESERVER --dport 53 -j ACCEPT iptables -A INPUT -i $INTERNET -p tcp ! --syn -s $NAMESERVER --sport 53 -d $IPADDR --dport $UNPRIVPORTS -j ACCEPT iptables -A OUTPUT -o $INTERNET -p udp -s $IPADDR --sport 53 -d $NAMESERVER --dport 53 -j ACCEPT iptables -A INPUT -i $INTERNET -p udp -s $NAMESERVER --sport 53 -d $IPADDR --dport 53 -j ACCEPT ### STEALTH SCAN POLICY ### # All of the bits are cleared iptables -A INPUT -p tcp --tcp-flags ALL NONE -j DROP # SYN and FIN are both set iptables -A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP # SYN and RST are both set iptables -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j DROP # FIN and RST are both set iptables -A INPUT -p tcp --tcp-flags FIN,RST FIN,RST -j DROP # FIN is the only bit set, without the expected accompanying ACK iptables -A INPUT -p tcp --tcp-flags ACK,FIN FIN -j DROP # PSH is the only bit set, without the expected accompanying ACK iptables -A INPUT -p tcp --tcp-flags ACK,PSH PSH -j DROP # URG is the only bit set, without the expected accompanying ACK iptables -A INPUT -p tcp --tcp-flags ACK,URG URG -j DROP ## Refuse packets from the following ban list ## example iptables -I INPUT -i $INTERNET -s 72.21.42.186 -j DROP #iptables -I INPUT -i $INTERNET -s address/mask -j DROP ## Packet State Validation if [ "$CONNECTION_TRACKING" = "1" ]; then iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT iptables -A INPUT -m state --state INVALID -j LOG --log-prefix "INVALID input: " iptables -A INPUT -m state --state INVALID -j DROP iptables -A OUTPUT -m state --state INVALID -j LOG --log-prefix "INVALID output: " iptables -A OUTPUT -m state --state INVALID -j DROP fi ## DROP spoofed packets pretending to be from your external IP address iptables -A INPUT -i $INTERNET -s $IPADDR -j DROP ## Accessing Remote Web Sites as a client -- with Parental Control -- if [ "CONNECTION_TRACKING" = "1" ]; then iptables -A OUTPUT -o $INTERNET -p tcp -s $IPADDR --sport $UNPRIVPORTS --dport 80 -m state --state NEW -j ACCEPT fi iptables -A OUTPUT -o $INTERNET -p tcp -s $IPADDR --sport $UNPRIVPORTS --dport 80 -j ACCEPT iptables -A INPUT -i $INTERNET -p tcp ! --syn --sport 80 -d $IPADDR --dport $UNPRIVPORTS -j ACCEPT ## Allowing Remote Access to a Local Webserver if [ "CONNECTION_TRACKING" = "1" ]; then iptables -A INPUT -i $INTERNET -p tcp --sport $UNPRIVPORTS -d $IPADDR --dport 80 -m state --state NEW -j ACCEPT fi iptables -A INPUT -i $INTERNET -p tcp --sport $UNPRIVPORTS -d $IPADDR --dport 80 -j ACCEPT iptables -A OUTPUT -o $INTERNET -p tcp ! --syn -s $IPADDR --sport 80 --dport $UNPRIVPORTS -j ACCEPT ## Refuse packets coming from private networks... iptables -A INPUT -i $INTERNET -s $CLASS_A -j DROP iptables -A INPUT -i $INTERNET -s $CLASS_B -j DROP iptables -A INPUT -i $INTERNET -s $CLASS_C -j DROP ## Refuse packets from loopback interface iptables -A INPUT -i $INTERNET -s $LOOPBACK -j DROP ## Refuse broadcast packets # block for internal network later iptables -A INPUT -i $INTERNET -s $BROADCAST_DEST -j LOG iptables -A INPUT -i $INTERNET -s $BROADCAST_DEST -j DROP iptables -A INPUT -i $INTERNET -d $BROADCAST_SRC -j LOG iptables -A INPUT -i $INTERNET -d $BROADCAST_SRC -j DROP ## Refuse directed broadcasts # block for internal network later iptables -A INPUT -i $INTERNET -d $SUBNET_BASE -j DROP iptables -A INPUT -i $INTERNET -d $SUBNET_BROADCAST -j DROP ## Refuse Limited Broadcasts iptables -A INPUT -i $INTERNET -d $BROADCAST_DEST -j DROP ## Refuse Class D multicast addresses iptables -A INPUT -i $INTERNET -s $CLASS_D_MULTICAST -j DROP iptables -A INPUT -i $INTERNET -p ! udp -d $CLASS_D_MULTICAST -j DROP iptables -A INPUT -i $INTERNET -p udp -d $CLASS_D_MULTICAST -j ACCEPT ## Refuse Class E reserved IP addresses iptables -A INPUT -i $INTERNET -s $CLASS_E_RESERVED_NET -j DROP ## Refuse addresses defined as reserved by IANA iptables -A INPUT -i $INTERNET -s 0.0.0.0/8 -j DROP # above rule creates difficulty with DHCP iptables -A INPUT -i $INTERNET -s 169.254.0.0/16 -j DROP iptables -A INPUT -i $INTERNET -s 192.0.2.0/24 -j DROP ## Blocking incoming connections to X-Window server iptables -A INPUT -i $INTERNET -p tcp ! --syn --destination-port $XWINDOW_PORTS -j DROP ## DNS Requests (Lookup) echo " DNS lookup" if [ "$CONNECTION_TRACKING" = "1" ]; then iptables -A OUTPUT -o $INTERNET -p udp -s $IPADDR --sport $UNPRIVPORTS -d $NAMESERVER --dport 53 -m state --state NEW -j ACCEPT fi iptables -A OUTPUT -o $INTERNET -p udp -s $IPADDR --sport $UNPRIVPORTS -d $NAMESERVER --dport 53 -j ACCEPT iptables -A INPUT -i $INTERNET -p udp -s $NAMESERVER --sport 53 -d $IPADDR --dport $UNPRIVPORTS -j ACCEPT ## Local SMTP sending and receiving mail echo " Local SMTP " if [ "$CONNECTION_TRACKING" = "1" ]; then iptables -A OUTPUT -o $INTERNET -p tcp -s $IPADDR --sport $UNPRIVPORTS --dport 25 -m state --state NEW -j ACCEPT fi iptables -A OUTPUT -o $INTERNET -p tcp -s $IPADDR --sport $UNPRIVPORTS --dport 25 -j ACCEPT iptables -A INPUT -i $INTERNET -p tcp ! --syn --sport 25 -d $IPADDR --dport $UNPRIVPORTS -j ACCEPT if [ "CONNECTION_TRACKING" = "1" ]; then iptables -A INPUT -i $INTERNET -p tcp --sport $UNPRIVPORTS -d $IPADDR --dport 25 -m state --state NEW -j ACCEPT fi iptables -A INPUT -i $INTERNET -p tcp --sport $UNPRIVPORTS -d $IPADDR --dport 25 -j ACCEPT iptables -A OUTPUT -o $INTERNET -p tcp ! --syn -s $IPADDR --sport 25 --dport $UNPRIVPORTS -j ACCEPT ## Local IMAP server echo " IMAP server" #if [ "CONNECTION_TRACKING" = "1" ]; then # iptables -A INPUT -i $INTERNET -p tcp -s $IMAP_CLIENTS --sport $UNPRIVPORTS -d $IPADDR --dport 143 -m state --state NEW -j ACCEPT #fi #iptables -A INPUT -i $INTERNET -p tcp -s $IMAP_CLIENTS --sport $UNPRIVPORTS -d $IPADDR --dport 143 -j ACCEPT #iptables -A OUTPUT -o $INTERNET -p tcp ! --syn -s $IPADDR --sport 143 -d $IMAP_CLIENTS --dport $UNPRIVPORTS -j ACCEPT ## SSH ACCESS -- use tcpwrappers -- change destination port #if [ "CONNECTION_TRACKING" = "1" ]; then #iptables -A INPUT -i $INTERNET -p tcp --sport $SSH_PORTS -d $IPADDR --dport 22 -m state --state NEW -j ACCEPT #fi #iptables -A INPUT -i $INTERNET -p tcp --sport $SSH_PORTS -d $IPADDR --dport 22 -j ACCEPT #iptables -A OUTPUT -o $INTERNET -p tcp ! --syn -s $IPADDR --sport 22 --dport $SSH_PORTS -j ACCEPT #if [ "CONNECTION_TRACKING" = "1"]; then # iptables -A OUTPUT -o $INTERNET -p tcp -s $IPADDR --sport $SSH_PORTS -dports 22 -m state --state NEW -j ACCEPT #fi #iptables -A OUTPUT -o $INTERNET -p tcp -s $IPADDR --sport $SSH_PORTS --dport 22 -j ACCEPT #iptables -A INPUT -i $INTERNET -p tcp ! --syn --sport 22 -d $IPADDR --dport $SSH_PORTS -j ACCEPT ## Accessing Remote Web Sites over SSL or TLS as a Client echo " ACCESS to SSL or TLS" if [ "CONNECTION_TRACKING" = "1" ]; then iptables -A OUTPUT -o $INTERNET -p tcp -s $IPADDR --sport $UNPRIVPORTS --dport 443 -m state --state NEW -j ACCEPT fi iptables -A OUTPUT -o $INTERNET -p tcp -s $IPADDR --sport $UNPRIVPORTS --dport 443 -j ACCEPT iptables -A INPUT -i $INTERNET -p tcp ! --syn --sport 443 -d $IPADDR --dport $UNPRIVPORTS -j ACCEPT ## Allowing Remote Access to a Local SSL or TLS Web Server if [ "CONNECTION_TRACKING" = "1" ]; then iptables -A INPUT -i $INTERNET -p tcp --sport $UNPRIVPORTS -d $IPADDR --dport 443 -m state --state NEW -j ACCEPT fi iptables -A INPUT -i $INTERNET -p tcp --sport $UNPRIVPORTS -d $IPADDR --dport 443 -j ACCEPT iptables -A OUTPUT -o $INTERNET -p tcp ! --syn -s $IPADDR --sport 443 --dport $UNPRIVPORTS -j ACCEPT ## Allowing whois if [ "$CONNECTION_TRACKING" = "1" ]; then iptables -A OUTPUT -o $INTERNET -p tcp -s $IPADDR --sport $UNPRIVPORTS --dport 43 -m state --state NEW -j ACCEPT fi iptables -A OUTPUT -o $INTERNET -p tcp -s $IPADDR --sport $UNPRIVPORTS --dport 43 -j ACCEPT iptables -A INPUT -i $INTERNET -p tcp ! --syn --sport 43 -d $IPADDR --dport $UNPRIVPORTS -j ACCEPT ## Enable outgoing traceroute requests iptables -A OUTPUT -o $INTERNET -p udp -s $IPADDR --sport $TRACEROUTE_SRC_PORTS --dport $TRACEROUTE_DEST_PORTS -j ACCEPT ## DHCP client to remote server # Initialization or rebinding - no lease or least time expired iptables -A OUTPUT -o $INTERNET -p udp -s $BROADCAST_SRC --sport 68 -d $BROADCAST_DEST --dport 67 -j ACCEPT # Incoming DHCPOFFER from DHCP servers iptables -A INPUT -i $INTERNET -p udp -s $BROADCAST_SRC --sport 67 -d $BROADCAST_DEST --dport 68 -j ACCEPT # reconfirm ip address iptables -A OUTPUT -o $INTERNET -p udp -s $BROADCAST_SRC --sport 68 -d $DHCP_SERVER --dport 67 -j ACCEPT iptables -A INPUT -i $INTERNET -p udp -s $DHCP_SERVER --sport 67 -d $BROADCAST_DEST --dport 68 -j ACCEPT # allow incoming packets destined to subnet address iptables -A INPUT -i $INTERNET -p udp -s $DHCP_SERVER --sport 67 --dport 68 -j ACCEPT # Lease renewal iptables -A OUTPUT -o $INTERNET -p udp -s $IPADDR --sport 68 -d $DHCP_SERVER --dport 67 -j ACCEPT iptables -A INPUT -i $INTERNET -p udp -s $DHCP_SERVER --sport 67 -d $IPADDR --dport 68 -j ACCEPT ## NTP access echo " NTP ACCESS" if [ "CONNECTION_TRACKING" = "1" ]; then iptables -A OUTPUT -o $INTERNET -p udp -s $IPADDR --sport $UNPRIVPORTS -d $TIME_SERVER --dport 123 -m state --state NEW -j ACCEPT fi iptables -A OUTPUT -o $INTERNET -p udp -s $IPADDR --sport $UNPRIVPORTS -d $TIME_SERVER --dport 123 -j ACCEPT iptables -A INPUT -i $INTERNET -p udp -s $TIME_SERVER --sport 123 -d $IPADDR --dport $UNPRIVPORTS -j ACCEPT ## drop fragmented icmp messages echo "ICMP FILTERING" iptables -A INPUT -i $INTERNET --fragment -p icmp -j LOG --log-prefix "Fragmented ICMP: " iptables -A INPUT -i $INTERNET --fragment -p icmp -j DROP ## Accept Source Quench control Type 4 iptables -A INPUT -i $INTERNET -p icmp --icmp-type source-quench -d $IPADDR -j ACCEPT iptables -A OUTPUT -o $INTERNET -p icmp -s $IPADDR --icmp-type source-quench -j ACCEPT ## Pramater problem status Type 12 iptables -A INPUT -i $INTERNET -p icmp --icmp-type parameter-problem -d $IPADDR -j ACCEPT iptables -A OUTPUT -o $INTERNET -p icmp -s $IPADDR --icmp-type parameter-problem -j ACCEPT ## Destination Unreachable Error Type 3 iptables -A INPUT -i $INTERNET -p icmp --icmp-type destination-unreachable -d $IPADDR -j ACCEPT iptables -A OUTPUT -o $INTERNET -p icmp -s $IPADDR --icmp-type fragmentation-needed -j ACCEPT iptables -A OUTPUT -o $INTERNET -p icmp -s $IPADDR --icmp-type destination-unreachable -j DROP iptables -A INPUT -i $INTERNET -p icmp --icmp-type time-exceeded -d $IPADDR -j ACCEPT ## Outgoing ping to Remote hosts if [ "$CONNECTION_TRACKING" = "1" ]; then iptables -A OUTPUT -o $INTERNET -p icmp --icmp-type echo-request -m state --state NEW -j ACCEPT fi iptables -A OUTPUT -p icmp --icmp-type echo-request -j ACCEPT iptables -A INPUT -p icmp --icmp-type echo-reply -j ACCEPT ## Allowing incoming pings from trusted hosts if [ "$CONNECTION_TRACKING" = "1" ]; then iptables -A INPUT -i $INTERNET -p icmp -s $HOSTS_PING --icmp-type echo-request -d $IPADDR -m state --state NEW -j ACCEPT fi iptables -A INPUT -i $INTERNET -p icmp -s $HOSTS_PING --icmp-type echo-request -d $IPADDR -j ACCEPT iptables -A OUTPUT -o $INTERNET -p icmp -s $IPADDR --icmp-type echo-reply -d $HOSTS_PING -j ACCEPT #### LOGS @@@@@@ echo " STARTING LOGS" iptables -A INPUT -i $INTERNET -j LOG iptables -A INPUT -i $INTERNET -p icmp --icmp-type ! 8 -d $IPADDR -j LOG --log-prefix "ICMP input: " iptables -A INPUT -i $INTERNET -p tcp -d $IPADDR --dport $PRIVPORTS -j LOG --log-prefix "Private input: " iptables -A INPUT -i $INTERNET -p tcp -d $IPADDR --dport 20:460 -j LOG --log-prefix "Active input: " iptables -A OUTPUT -o $INTERNET -j LOG --log-prefix "All output: " echo "Starting to LOG " #echo "Enabling ARP Caching" #echo "0" > /proc/sys/net/ipv4/conf/all/proxy_arp #echo "1" > /proc/sys/net/ipv4/conf/eth0/proxy_arp #echo "1" > /proc/sys/net/ipv4/conf/eth1/proxy_arp echo "Enable TCP Explicit Congestion Notification" echo "1" > /proc/sys/net/ipv4/tcp_ecn #disable packets with routing information #echo "Disabling source routing" #for i in /proc/sys/net/ipv4/conf/*/accept_source_route; do # echo "0" > $i; #done #echo "Enabling Invalid Packet Rejection" #for i in /proc/sys/net/ipv4/conf/*/rp_filter; do # echo "1" > $i; #done #echo "Setting up ICMP Stuff" echo "1" > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts echo "0" > /proc/sys/net/ipv4/icmp_echo_ignore_all echo "0" > /proc/sys/net/ipv4/conf/eth1/accept_redirects #echo "Enabling SYN Cookies" #echo "1" > /proc/sys/net/ipv4/tcp_syncookies #reduce timeout to kill stale connections (prevent DOS) #echo "Setting connection timeouts" #echo 30 > /proc/sys/net/ipv4/tcp_fin_timeout #echo 1800 > /proc/sys/net/ipv4/tcp_keepalive_time #echo 0 > /proc/sys/net/ipv4/tcp_window_scaling #echo 0 > /proc/sys/net/ipv4/tcp_sack #echo "Enabling AntiPortscanning Rules" #echo "*NULL Scan" #iptables -t mangle -A PREROUTING -p tcp --tcp-flags ALL NONE -j DROP #echo "*NMAP FIN/URG/PSH (Xmas scan)" #iptables -t nat -A PREROUTING -p tcp --tcp-flags ALL FIN,URG,PSH -j DROP #echo "*SYN/RST Scan" #iptables -t nat -A PREROUTING -p tcp --tcp-flags SYN,RST SYN,RST -j DROP #echo "*SYN/FIN Scan" #iptables -t nat -A PREROUTING -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP #iptables -t nat -A PREROUTING -p tcp --tcp-flags ALL FIN -j DROP #iptables -A FORWARD -s 192.168.3.0/24 -d 0/0 -i $LOCAL -j ACCEPT #iptables -t nat -A POSTROUTING -o $INTERNET -j MASQUERADE #iptables -t nat -A PREROUTING -p tcp -d $EXTERNAL_IP --dport 80 -j DNAT --to $WWW:80 #iptables -t nat -A PREROUTING -p tcp -d $EXTERNAL_IP --dport 6112 -j DNAT --to $WWW:22 #iptables -t nat -A PREROUTING -p udp -d $EXTERNAL_IP --dport 4660 -j DNAT --to $DESKTOP:4660 #iptables -t nat -A PREROUTING -p tcp -d $EXTERNAL_IP --dport 4660 -j DNAT --to $DESKTOP:4660 #iptables -t nat -A PREROUTING -p tcp -d $EXTERNAL_IP --dport 4661 -j DNAT --to $DESKTOP2:4661 #iptables -t nat -A PREROUTING -p udp -d $EXTERNAL_IP --dport 4661 -j DNAT --to $DESKTOP2:4661 #iptables -t nat -A PREROUTING -p tcp -d $EXTERNAL_IP --dport 81 -j DNAT --to $DESKTOP:22 #iptables -t nat -A PREROUTING -p tcp -d $EXTERNAL_IP --dport 6667 -j DNAT --to $IRC:6667 #iptables -t nat -A PREROUTING -p tcp -d $EXTERNAL_IP --dport 215 -j DNAT --to $DESKTOP:22 #hosts deni #iptables -A INPUT -p tcp --dport 6667 -j DENY #iptables -A INPUT -s 24.112.11.162 -p tcp --dport 6667 -j ACCEPT #iptables -A INPUT -s -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]