Machine details:
Mandrake 8.0
Linux Version 2.4.3-20mdk
434MHz Intel Celeron (Mendocino) Processor, 256M RAM
Network interface to Internet: eth0
Network interface to Intranet: eth1

Hi, I am facing a problem getting my iptables-based firewall working.

If I use only the /etc/rc.d/rc.firewall.inet_sharing-2.4 rules which were generated by Mandrake's drakgw, NAT works properly. Here is what those rules do:

---- begin rc.firewall.inet_sharing-2.4 ----
#!/bin/sh
# Load the NAT module (this pulls in all the others).
modprobe iptable_nat

# Turn on IP forwarding
echo 1 > /proc/sys/net/ipv4/ip_forward

# In the NAT table (-t nat), append a rule (-A) after routing (POSTROUTING)
# which says to MASQUERADE the connection (-j MASQUERADE).
iptables -t nat -A POSTROUTING -s 192.168.0.0/24 -j MASQUERADE

# Allow forwarding of packets coming from our LAN
iptables -A FORWARD -s 192.168.0.0/24 -j ACCEPT

# Allow dhcp requests
iptables -A INPUT -i eth1 -p udp --sport bootpc --dport bootps -j ACCEPT
iptables -A INPUT -i eth1 -p tcp --sport bootpc --dport bootps -j ACCEPT
iptables -A INPUT -i eth1 -p udp --sport bootps --dport bootpc -j ACCEPT
iptables -A INPUT -i eth1 -p tcp --sport bootps --dport bootpc -j ACCEPT

# Allow dns requests
iptables -A INPUT -i eth1 -p udp --dport domain -j ACCEPT
iptables -A INPUT -i eth1 -p tcp --dport domain -j ACCEPT
---- end   rc.firewall.inet_sharing-2.4 ----

However, if I use my own firewall with NAT enabled, it doesn't seem to work.
What am I doing wrong?
The purpose of my firewall is to keep only the ssh, http, https & smtp ports open to the outside
world, while keeping all ports open to my intranet.
But when I use my firewall, NAT doesn't work!
Here is how I have set up my firewall:
---- begin my.firewall.rules ----
#!/bin/sh
# set default chain policies
/sbin/iptables -P INPUT DROP
/sbin/iptables -P OUTPUT ACCEPT
/sbin/iptables -P FORWARD DROP

# flush tables
/sbin/iptables -F
/sbin/iptables -F INPUT
/sbin/iptables -F OUTPUT
/sbin/iptables -F FORWARD
#/sbin/iptables -F -t mangle
/sbin/iptables -X
/sbin/iptables -F -t nat

# create DUMP chain: log the packet, then reject (tcp/udp) or drop it
/sbin/iptables -N DUMP 2> /dev/null
/sbin/iptables -F DUMP
/sbin/iptables -A DUMP -p tcp -j LOG
/sbin/iptables -A DUMP -p udp -j LOG
/sbin/iptables -A DUMP -p tcp -j REJECT --reject-with tcp-reset
/sbin/iptables -A DUMP -p udp -j REJECT --reject-with icmp-port-unreachable
/sbin/iptables -A DUMP -j DROP

# STATEFUL chain: accept replies to existing connections, accept new
# connections only if they did not arrive on eth0, dump everything else
/sbin/iptables -N STATEFUL 2> /dev/null
/sbin/iptables -F STATEFUL
/sbin/iptables -I STATEFUL -m state --state ESTABLISHED,RELATED -j ACCEPT
/sbin/iptables -A STATEFUL -m state --state NEW -i ! eth0 -j ACCEPT
/sbin/iptables -A STATEFUL -j DUMP

# loopback rules
/sbin/iptables -A INPUT -i lo -j ACCEPT
/sbin/iptables -A OUTPUT -o lo -j ACCEPT

# allow everything from and to Intranet
/sbin/iptables -A INPUT -i eth1 -j ACCEPT
/sbin/iptables -A OUTPUT -o eth1 -j ACCEPT

# drop reserved (private/loopback) source addresses arriving from the Internet
/sbin/iptables -A INPUT -i eth0 -s 127.0.0.0/8 -j DUMP
/sbin/iptables -A INPUT -i eth0 -s 192.168.0.0/16 -j DUMP
/sbin/iptables -A INPUT -i eth0 -s 172.16.0.0/12 -j DUMP
/sbin/iptables -A INPUT -i eth0 -s 10.0.0.0/8 -j DUMP

# allow certain inbound ICMP types
/sbin/iptables -A INPUT -i eth0 -p icmp --icmp-type destination-unreachable -j ACCEPT
/sbin/iptables -A INPUT -i eth0 -p icmp --icmp-type time-exceeded -j ACCEPT
/sbin/iptables -A INPUT -i eth0 -p icmp --icmp-type echo-reply -j ACCEPT

# opened ports: ssh (22), smtp (25), https (443), http (80)
/sbin/iptables -A INPUT -p tcp -i eth0 --dport 22 -j ACCEPT
/sbin/iptables -A INPUT -p udp -i eth0 --dport 22 -j ACCEPT

/sbin/iptables -A INPUT -p tcp -i eth0 --dport 25 -j ACCEPT
/sbin/iptables -A INPUT -p udp -i eth0 --dport 25 -j ACCEPT

/sbin/iptables -A INPUT -p tcp -i eth0 --dport 443 -j ACCEPT
/sbin/iptables -A INPUT -p udp -i eth0 --dport 443 -j ACCEPT

/sbin/iptables -A INPUT -p tcp -i eth0 --dport 80 -j ACCEPT
/sbin/iptables -A INPUT -p udp -i eth0 --dport 80 -j ACCEPT

# Set up NAT for internal network
/sbin/iptables -t nat -A POSTROUTING -s 192.168.0.0/24 -j MASQUERADE

# push everything else to the state chain
/sbin/iptables -A INPUT -j STATEFUL
---- end   my.firewall.rules ----

Any help would be greatly appreciated.

Thanks,
Nak
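Editor's note with an added example (not the poster's script and not the drakgw-generated one): the two rulesets above differ in the FORWARD chain. The working drakgw script enables ip_forward, loads iptable_nat and accepts forwarded packets from 192.168.0.0/24, whereas my.firewall.rules sets the FORWARD policy to DROP and never adds a FORWARD rule, so every packet routed between eth1 and eth0 is dropped before MASQUERADE in POSTROUTING ever sees it. The script below keeps the poster's interface names, LAN range and port list and adds the missing pieces; the `run` wrapper, the DRY_RUN/FIREWALL_APPLY switches and the use of `sysctl` instead of `echo` are this example's own choices. The four exposed services are TCP-only, so the UDP port rules are left out.

```shell
#!/bin/sh
# Added example: the poster's ruleset with forwarding and the FORWARD chain filled in.
# Interface names, LAN range and open ports come from the post; the rest is assumed.
# Run as root with FIREWALL_APPLY=1 to load the rules. With DRY_RUN=1 the commands
# are printed instead of executed so the ruleset can be reviewed first.

IPT=${IPT:-/sbin/iptables}
WAN=eth0                  # interface to the Internet (from the post)
LAN=eth1                  # interface to the intranet (from the post)
LAN_NET=192.168.0.0/24    # masqueraded range (from the post)
OPEN_TCP="22 25 80 443"   # ssh, smtp, http, https

# run: execute a command, or print it when DRY_RUN is set.
run() {
    if [ -n "$DRY_RUN" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

apply_rules() {
    # NAT depends on connection tracking; loading iptable_nat pulls it in.
    run modprobe iptable_nat
    # Routing between interfaces is off by default. Without this, the kernel
    # never forwards a packet, whatever the FORWARD chain says.
    run sysctl -w net.ipv4.ip_forward=1

    run "$IPT" -F
    run "$IPT" -F -t nat
    run "$IPT" -X
    run "$IPT" -P INPUT DROP
    run "$IPT" -P OUTPUT ACCEPT
    run "$IPT" -P FORWARD DROP

    # loopback and intranet: unrestricted, as in the post
    run "$IPT" -A INPUT -i lo -j ACCEPT
    run "$IPT" -A INPUT -i "$LAN" -j ACCEPT

    # replies to connections this host opened towards the Internet
    run "$IPT" -A INPUT -i "$WAN" -m state --state ESTABLISHED,RELATED -j ACCEPT

    # private and loopback source addresses never legitimately arrive on eth0
    for net in 127.0.0.0/8 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16; do
        run "$IPT" -A INPUT -i "$WAN" -s "$net" -j DROP
    done

    # services exposed to the outside world (new TCP connections only)
    for port in $OPEN_TCP; do
        run "$IPT" -A INPUT -i "$WAN" -p tcp --dport "$port" -m state --state NEW -j ACCEPT
    done

    # ICMP needed for path MTU discovery, traceroute and outgoing pings
    for t in destination-unreachable time-exceeded echo-reply; do
        run "$IPT" -A INPUT -i "$WAN" -p icmp --icmp-type "$t" -j ACCEPT
    done

    # --- the part my.firewall.rules is missing ---
    # With policy DROP, the FORWARD chain needs explicit ACCEPT rules.
    # LAN -> Internet: anything from the masqueraded range.
    run "$IPT" -A FORWARD -i "$LAN" -o "$WAN" -s "$LAN_NET" -j ACCEPT
    # Internet -> LAN: only replies to connections the LAN started.
    run "$IPT" -A FORWARD -i "$WAN" -o "$LAN" -m state --state ESTABLISHED,RELATED -j ACCEPT
    # log what the policy is about to drop, so failures are visible in syslog
    run "$IPT" -A FORWARD -j LOG --log-prefix "FWD-DROP: "

    # masquerading, restricted to packets actually leaving on the WAN side
    run "$IPT" -t nat -A POSTROUTING -o "$WAN" -s "$LAN_NET" -j MASQUERADE
}

if [ "${FIREWALL_APPLY:-0}" = 1 ]; then
    apply_rules
fi
```

After loading the rules, `cat /proc/sys/net/ipv4/ip_forward` should print 1 and `iptables -L FORWARD -v -n` should show the two ACCEPT rules with their packet counters increasing while a LAN host browses; a growing counter on the LOG rule instead points at traffic the FORWARD rules do not match.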
