Do you have squid running?

----- Original Message -----
From: "Paul Baxter" <ppabaxte@xxxxxxxxxxxxxx>
To: <netfilter@xxxxxxxxxxxxxxxxxxx>
Sent: Friday, August 01, 2003 15:03
Subject: Newbie question about iptables and gateway boxes

> Hi, I have a small net at home with a Linux box as gateway, hopefully. I can
> ping the net from my Windows box and get email..., but web pages don't
> open. The DNS numbers are correct in /etc/resolv.conf and it will
> resolve when I "ping -c 5 www.atomicmpc.com.au".
> I am thinking it is to do with my iptables script... here it is. Thanks
> for all help, Paul
>
> #!/bin/sh
> #
> # Atomic IPTables firewall script v1.0
> #
> # Simple but effective firewall for use
> # in home/small office installations.
> #
> # Ashton Mills
> # Written for the Atomic Uber Linux box guide,
> # Issue 21, Oct 2002.
> #
> # Props to Con Tassios and Technion for their sample scripts.
>
> # Environment variables, change these values accordingly
>
> EXT_IF="ppp0"
> INT_IF="eth0"
> INT_NET="192.168.1.0/24"
>
> ANY="0.0.0.0/0"
>
> IPTABLES="/sbin/iptables"
> MODPROBE="/sbin/modprobe"
>
> #
> # You shouldn't need to touch anything below here
> #
>
> # Load appropriate iptables modules, others will be loaded dynamically on demand
>
> $MODPROBE ip_tables
> $MODPROBE iptable_filter
> $MODPROBE ip_nat_ftp
> $MODPROBE ip_conntrack
> $MODPROBE ip_conntrack_ftp
>
> # Set proc values for TCP/IP. In order:
> #
> # Disable IP spoofing attacks
> # Ignore broadcast pings
> # Block source routing
> # Kill redirects
> # Set acceptable local port range
> # Allow dynamic IP addresses
> # Enable forwarding (gateway)
>
> echo "2" > /proc/sys/net/ipv4/conf/all/rp_filter
> echo "1" > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
> echo "0" > /proc/sys/net/ipv4/conf/all/accept_source_route
> echo "0" > /proc/sys/net/ipv4/conf/all/accept_redirects
> echo "32768 61000" > /proc/sys/net/ipv4/ip_local_port_range
> echo "1" > /proc/sys/net/ipv4/ip_dynaddr
> echo "1" > /proc/sys/net/ipv4/ip_forward
>
> # Flush everything
>
> $IPTABLES -F INPUT
> $IPTABLES -F OUTPUT
> $IPTABLES -F FORWARD
> $IPTABLES -t nat -F
>
> #
> ## --- DEFAULT POLICY --- ##
> #
>
> # Drop everything on INPUT and FORWARD chains, accept OUTPUT
>
> $IPTABLES -P INPUT DROP
> $IPTABLES -P FORWARD DROP
> $IPTABLES -P OUTPUT ACCEPT
>
> #
> ## --- INPUT CHAIN --- ##
> #
>
> # Allow Telstra heartbeat -- BPA users uncomment this
>
> # $IPTABLES -A INPUT -p udp --sport 5050 -j ACCEPT
> # $IPTABLES -A INPUT -p udp --sport 5051 -j ACCEPT
>
> # Allow bootp port -- Optus users need this apparently
>
> $IPTABLES -A INPUT -p udp -d 255.255.255.255 --dport 68 -j ACCEPT
>
> # Accept all connections on local and internal interfaces
>
> $IPTABLES -A INPUT -i lo -j ACCEPT
> $IPTABLES -A INPUT -i $INT_IF -j ACCEPT
>
> # Stateful inspection -- Allow packets in from connections already established
>
> $IPTABLES -A INPUT -i $EXT_IF -m state --state ESTABLISHED,RELATED -j ACCEPT
>
> # Drop packets from invalid sources (reserved networks and localhost)
>
> $IPTABLES -A INPUT -i $EXT_IF -s 10.0.0.0/8 -j DROP
> $IPTABLES -A INPUT -i $EXT_IF -s 172.16.0.0/12 -j DROP
> $IPTABLES -A INPUT -i $EXT_IF -s 192.168.0.0/16 -j DROP
> $IPTABLES -A INPUT -i $EXT_IF -s 169.254.0.0/16 -j DROP
> $IPTABLES -A INPUT -d 127.0.0.0/8 -j DROP
>
> # Don't log igmp, ident, web or ssl. More noise we don't need to log.
>
> $IPTABLES -A INPUT -p igmp -j DROP
> $IPTABLES -A INPUT -p tcp --dport 113 -j DROP
> $IPTABLES -A INPUT -p tcp --dport 80 -j DROP
> $IPTABLES -A INPUT -p tcp --dport 443 -j DROP
>
> # Log everything else
>
> $IPTABLES -A INPUT -i $EXT_IF -j LOG --log-prefix "|iptables -- "
>
> #
> ## --- FORWARD CHAIN --- ##
> #
>
> # Stateful inspection -- Allow packets in from connections already established
>
> $IPTABLES -A FORWARD -i $EXT_IF -o $INT_IF -s $ANY -d $INT_NET -m state --state ESTABLISHED,RELATED -j ACCEPT
>
> # Allow all traffic out
>
> $IPTABLES -A FORWARD -i $INT_IF -d $ANY -j ACCEPT
>
> #
> ## --- OUTPUT CHAIN --- ##
> #
>
> # Follows policy
>
> #
> ## --- NAT --- ##
> #
>
> # Enable masquerade
>
> $IPTABLES -A POSTROUTING -t nat -o $EXT_IF -j MASQUERADE
>
> #
> ## -- Transparent proxy to Squid --- ##
> #
>
> $IPTABLES -t nat -A PREROUTING -i $INT_IF -p tcp --dport 80 -j REDIRECT --to-port 3128
>
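The question "do you have squid running?" is the right one for these symptoms, and it can be checked mechanically. The last rule in the posted script REDIRECTs every LAN connection to tcp/80 into port 3128 on the gateway. That rewrite happens in nat PREROUTING, so by the time the packet reaches the INPUT chain its destination port is already 3128 and the `-i $INT_IF -j ACCEPT` rule lets it through; the later `--dport 80 -j DROP` never sees it. If no proxy is bound to 3128, the kernel answers each LAN web connection with a TCP reset while ping, DNS and mail (which are not redirected) keep working, which is exactly what was reported. The script below is an added example, not part of the original thread or the Atomic script: it parses `iptables-save -t nat` output for the REDIRECT rule and `ss -ltn` (or `netstat -ltn`) output for a listener on that port, and prints a one-word verdict. The sample outputs are constructed for this example and the function names are its own. It matches `--to-ports` because that is how iptables-save prints the target even when the rule was typed with the abbreviated `--to-port`.

```shell
#!/bin/sh
# Added diagnostic for a transparent-proxy gateway: is LAN web traffic being
# REDIRECTed to a port that nothing listens on? Works on saved command output,
# so it can be run offline. Sample outputs below are constructed for this
# example; the function names are this example's own, not from the posted script.

PROXY_PORT=3128   # the --to-port used by the REDIRECT rule in the posted script

# nat_redirects_http_to PORT: succeed if iptables-save text on stdin contains a
# nat PREROUTING rule that sends tcp/80 to REDIRECT --to-ports PORT.
nat_redirects_http_to() {
    grep -Eq "^-A PREROUTING .*-p tcp .*--dport 80 .*-j REDIRECT --to-ports $1( |\$)"
}

# tcp_listener_on PORT: succeed if `ss -ltn` or `netstat -ltn` text on stdin
# shows a LISTEN socket bound to PORT on any address (0.0.0.0, *, [::], 127.0.0.1).
# Both tools print the local socket in column 4; the port follows the last ':'.
tcp_listener_on() {
    awk -v p="$1" '
        $1 == "LISTEN" || $6 == "LISTEN" {
            n = split($4, a, ":")
            if (a[n] == p) found = 1
        }
        END { exit found ? 0 : 1 }'
}

# diagnose NAT_TEXT SOCKET_TEXT: print one verdict word for the two listings.
diagnose() {
    nat_text=$1
    socket_text=$2
    if printf '%s\n' "$nat_text" | nat_redirects_http_to "$PROXY_PORT"; then
        if printf '%s\n' "$socket_text" | tcp_listener_on "$PROXY_PORT"; then
            echo "redirect-and-proxy-listening"
        else
            # Packets reach INPUT already rewritten to :$PROXY_PORT; with no
            # listener the kernel resets every LAN web connection.
            echo "redirect-but-nothing-on-port-$PROXY_PORT"
        fi
    else
        echo "no-http-redirect"
    fi
}

# --- constructed sample output, shaped like the posted script's rules ---
SAMPLE_NAT='*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A PREROUTING -i eth0 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 3128
-A POSTROUTING -o ppp0 -j MASQUERADE
COMMIT'

SAMPLE_NAT_NO_REDIRECT='*nat
-A POSTROUTING -o ppp0 -j MASQUERADE
COMMIT'

SOCKETS_NO_SQUID='State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      128    0.0.0.0:22         0.0.0.0:*
LISTEN 0      128    127.0.0.1:53       0.0.0.0:*'

SOCKETS_WITH_SQUID="$SOCKETS_NO_SQUID
LISTEN 0      128    0.0.0.0:3128       0.0.0.0:*"

echo "squid down: $(diagnose "$SAMPLE_NAT" "$SOCKETS_NO_SQUID")"
echo "squid up:   $(diagnose "$SAMPLE_NAT" "$SOCKETS_WITH_SQUID")"
echo "no proxy:   $(diagnose "$SAMPLE_NAT_NO_REDIRECT" "$SOCKETS_NO_SQUID")"
```

On the gateway itself, run `diagnose "$(iptables-save -t nat)" "$(ss -ltn)"` as root (netstat -ltn output parses the same way on an older box). A verdict of redirect-but-nothing-on-port-3128 means either start squid or delete the REDIRECT rule; leaving the rule in place with no proxy blackholes all LAN HTTP while everything else on the gateway looks healthy.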