Hi,

I've been having some bizarre issues with a simple firewall I've been trying to set up using iptables. I wrote a script that automatically inserts all the rules into iptables, but when I run this script, all outgoing connections from my box, and any non-LAN connections to the box, are dropped!

What I've got is a ZyXEL ADSL router (192.168.0.1) which is set up so that the default server is 192.168.0.2 (my Linux box). This box doesn't do any forwarding, but is my mail/dns/dhcp/file server.

The odd thing is, if I enter all the rules that are in the script manually (from an xterm) in the same order, everything works fine!

Here's the script I use:

--/etc/init.d/firewall--
#!/bin/sh
# echo 1 > /proc/sys/net/ipv4/ip_forward

IPTABLES=/usr/local/sbin/iptables

# Flush tables and set default policies
$IPTABLES -F INPUT
$IPTABLES -F OUTPUT
$IPTABLES -F FORWARD
$IPTABLES -P OUTPUT ACCEPT
$IPTABLES -P FORWARD DROP

# Allow any established or related connections
$IPTABLES -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

# Allow SSH, SMTP and IMAPs
$IPTABLES -A INPUT -p tcp --dport 22 -j ACCEPT
$IPTABLES -A INPUT -p tcp --dport 25 -j ACCEPT
$IPTABLES -A INPUT -p tcp --dport 993 -j ACCEPT

# Allow any traffic on the 192.168.0.0 subnet (internal LAN)
$IPTABLES -A INPUT -s 192.168.0.0/24 -i eth0 -j ACCEPT

# Log any external (Internet) traffic that isn't on ports 22,25,993
# --THIS DOESN'T WORK!--
$IPTABLES -A INPUT -s ! 192.168.0.0/24 -m multiport --dport ! 22,25,993 -i eth0 -j LOG --log-prefix "INPUT (dropped): "

# Set the default policy for INPUT chain
$IPTABLES -P INPUT DROP
--end firewall--

Anyone got any ideas why the script would cause everything to screw up and why manually entering everything in the same order works fine?

TIA,
James

-- 
James O'Gorman
email: james@netinertia.co.uk | web: www.netinertia.co.uk

The scum also rises. -- Dr. Hunter S. Thompson
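A fail-safe way to load the same rule set, added here as an example and not James's own script: the INPUT policy stays at ACCEPT until every rule (including the state match, which can fail to load at boot when it works from an xterm) has been added cleanly, so a failing rule reports itself instead of silently locking the box out. It assumes the iptables path, interface and ports from the post, adds a loopback ACCEPT that is not in the original (a mail/dns box talks to itself on lo), and places the LOG rule last so it needs no negated matches: anything still unmatched there is exactly what the DROP policy will discard.

```shell
#!/bin/sh
# Fail-safe iptables loader (added example; not the original poster's script).
IPTABLES=${IPTABLES:-/usr/local/sbin/iptables}   # path used in the original script
LAN=192.168.0.0/24                                # internal subnet from the post
FAILED=0
FAILED_CMDS=""

# Run one iptables command; count and remember failures instead of
# continuing blindly (a rule that did not load leaves a hole or a lockout).
rule() {
    if "$@"; then
        return 0
    fi
    FAILED=$((FAILED + 1))
    FAILED_CMDS="${FAILED_CMDS}  $*
"
    return 1
}

# Returns 0 only if every rule loaded and the DROP policy was applied;
# otherwise INPUT is left at ACCEPT and the failed commands are printed.
load_firewall() {
    FAILED=0
    FAILED_CMDS=""
    rule "$IPTABLES" -P INPUT ACCEPT            # permissive while loading
    rule "$IPTABLES" -F INPUT
    rule "$IPTABLES" -A INPUT -i lo -j ACCEPT   # assumption: local services use lo
    rule "$IPTABLES" -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    for port in 22 25 993; do                   # SSH, SMTP, IMAPS as in the post
        rule "$IPTABLES" -A INPUT -p tcp --dport "$port" -j ACCEPT
    done
    rule "$IPTABLES" -A INPUT -s "$LAN" -i eth0 -j ACCEPT
    # Last rule: everything reaching it is about to hit the policy, so no
    # negation is needed to log "external traffic not on 22,25,993".
    rule "$IPTABLES" -A INPUT -i eth0 -j LOG --log-prefix "INPUT (dropped): "
    if [ "$FAILED" -ne 0 ]; then
        echo "firewall: $FAILED rule(s) failed; INPUT policy left at ACCEPT:" >&2
        printf '%s' "$FAILED_CMDS" >&2
        return 1
    fi
    rule "$IPTABLES" -P INPUT DROP              # only now close the door
}

# Run as: sh firewall.sh apply   (run at boot to see exactly which rule fails)
case "${1:-}" in
    apply) load_firewall || exit 1 ;;
esac
```

Running it from the init script with stderr captured to a file shows the exact command that misbehaves at boot but not in an xterm.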