Below is my iptables-save output with my 4 public IP addresses replaced with variables to protect the guilty ;) For some reason it seems that my rules stop working intermittently. What I mean by this is that my internal web server will become inaccessible from the outside world for no apparent reason and then start working again for no apparent reason. I have verified that the web server is not down and the internet connection is up. Actually I am running about 5 sites and they all seem to come and go at the same time. I am also running the DNS for these sites.

***********Any suggestions?************ (HELP!!!)

The basic purpose of these rules is to create a NAT'd router/simple firewall with a couple of internal servers and 1 computer in a DMZ. 192.168.1.4 is my web, ftp, ssh, webmin server and 192.168.1.2 is my DNS and anything else server. 192.168.1.19 is my DMZ computer and all NAT'd traffic goes out over ip3.

# Generated by iptables-save v1.2.6a on Mon May 5 18:27:55 2003
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [2109:179636]
:block - [0:0]
-A INPUT -j block
-A FORWARD -j block
-A block -p icmp -j ACCEPT
-A block -p tcp -m tcp --dport 80 -j ACCEPT
-A block -p tcp -m tcp --dport 443 -j ACCEPT
-A block -p tcp -m tcp --dport 10000 -j ACCEPT
-A block -p tcp -m tcp --dport 22 -j ACCEPT
-A block -p tcp -m tcp --dport 21 -j ACCEPT
-A block -p tcp -m tcp --dport 53 -j ACCEPT
-A block -p udp -m udp --dport 53 -j ACCEPT
-A block -m state --state RELATED,ESTABLISHED -j ACCEPT
-A block -i ! eth1 -m state --state NEW -j ACCEPT
-A block -j DROP
COMMIT
# Completed on Mon May 5 18:27:55 2003
# Generated by iptables-save v1.2.6a on Mon May 5 18:27:55 2003
*mangle
:PREROUTING ACCEPT [1837104:1619369453]
:INPUT ACCEPT [6951:1032508]
:FORWARD ACCEPT [1804503:1615694995]
:OUTPUT ACCEPT [2146:187676]
:POSTROUTING ACCEPT [1799783:1615394673]
COMMIT
# Completed on Mon May 5 18:27:55 2003
# Generated by iptables-save v1.2.6a on Mon May 5 18:27:55 2003
*nat
:PREROUTING ACCEPT [32168:3420682]
:POSTROUTING ACCEPT [815:44791]
:OUTPUT ACCEPT [296:23968]
-A PREROUTING -d ip4 -j DNAT --to-destination 192.168.1.19
-A PREROUTING -d ip1 -p tcp -m tcp --dport 80 -j DNAT --to-destination 192.168.1.4
-A PREROUTING -d ip2 -p tcp -m tcp --dport 80 -j DNAT --to-destination 192.168.1.4
-A PREROUTING -d ip3 -p tcp -m tcp --dport 80 -j DNAT --to-destination 192.168.1.4
-A PREROUTING -d ip1 -p tcp -m tcp --dport 443 -j DNAT --to-destination 192.168.1.4
-A PREROUTING -d ip2 -p tcp -m tcp --dport 443 -j DNAT --to-destination 192.168.1.4
-A PREROUTING -d ip3 -p tcp -m tcp --dport 443 -j DNAT --to-destination 192.168.1.4
-A PREROUTING -d ip1 -p tcp -m tcp --dport 10000 -j DNAT --to-destination 192.168.1.4
-A PREROUTING -d ip2 -p tcp -m tcp --dport 10000 -j DNAT --to-destination 192.168.1.4
-A PREROUTING -d ip3 -p tcp -m tcp --dport 10000 -j DNAT --to-destination 192.168.1.4
-A PREROUTING -d ip1 -p tcp -m tcp --dport 22 -j DNAT --to-destination 192.168.1.4
-A PREROUTING -d ip2 -p tcp -m tcp --dport 22 -j DNAT --to-destination 192.168.1.4
-A PREROUTING -d ip3 -p tcp -m tcp --dport 22 -j DNAT --to-destination 192.168.1.4
-A PREROUTING -d ip1 -p tcp -m tcp --dport 21 -j DNAT --to-destination 192.168.1.4
-A PREROUTING -d ip2 -p tcp -m tcp --dport 21 -j DNAT --to-destination 192.168.1.4
-A PREROUTING -d ip3 -p tcp -m tcp --dport 21 -j DNAT --to-destination 192.168.1.4
-A PREROUTING -d ip1 -j DNAT --to-destination 192.168.1.2
-A PREROUTING -d ip2 -j DNAT --to-destination 192.168.1.2
-A PREROUTING -d ip3 -j DNAT --to-destination 192.168.1.2
-A POSTROUTING -s 192.168.1.19 -o eth1 -j SNAT --to-source ip4
-A POSTROUTING -s 192.168.1.0/255.255.255.0 -j SNAT --to-source ip3
COMMIT
# Completed on Mon May 5 18:27:55 2003
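
An added example, not part of the original post: a small Python reader for the nat table of iptables-save output like the dump above. It lists each public address's DNAT mappings in rule order and picks out the rules that forward every protocol and port. The sample input is constructed and shortened, and `dnat_map` and `catch_all` are names chosen for this example.

```python
import shlex
from collections import defaultdict

# Constructed sample: a shortened dump in the same shape as the post's
# (ip1/ip4 are the poster's placeholders for public addresses).
SAMPLE = """\
*nat
:PREROUTING ACCEPT [0:0]
-A PREROUTING -d ip4 -j DNAT --to-destination 192.168.1.19
-A PREROUTING -d ip1 -p tcp -m tcp --dport 80 -j DNAT --to-destination 192.168.1.4
-A PREROUTING -d ip1 -p tcp -m tcp --dport 22 -j DNAT --to-destination 192.168.1.4
-A PREROUTING -d ip1 -j DNAT --to-destination 192.168.1.2
-A POSTROUTING -s 192.168.1.19 -o eth1 -j SNAT --to-source ip4
COMMIT
*filter
-A block -p tcp -m tcp --dport 80 -j ACCEPT
COMMIT
"""

def dnat_map(save_text):
    """Return {public_addr: [(proto, dport, internal_host), ...]} in rule order."""
    table, result = None, defaultdict(list)
    for line in save_text.splitlines():
        line = line.strip()
        if line.startswith("*"):          # "*nat", "*filter", ... starts a table
            table = line[1:]
        if table != "nat" or not line.startswith("-A PREROUTING"):
            continue
        tok = shlex.split(line)
        # Pair each option with the token after it (negated matches not handled).
        opt = {t: tok[i + 1] for i, t in enumerate(tok[:-1]) if t.startswith("-")}
        if opt.get("-j") != "DNAT":
            continue
        result[opt.get("-d", "any")].append(
            (opt.get("-p", "all"), opt.get("--dport", "any"), opt["--to-destination"]))
    return dict(result)

def catch_all(mapping):
    """Public addresses with a DNAT rule that matches every protocol and port."""
    return {addr: host for addr, rules in mapping.items()
            for proto, port, host in rules if proto == "all" and port == "any"}

if __name__ == "__main__":
    m = dnat_map(SAMPLE)
    for addr, rules in m.items():
        for proto, port, host in rules:
            print(f"{addr:>4} {proto:>3}/{port:<5} -> {host}")
    print("catch-all:", catch_all(m))
```

PREROUTING rules are evaluated in order and the first match wins, so a catch-all entry receives whatever the port-specific rules listed before it for the same address did not match.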