Firstly, using "!!!!!!" gets you nowhere.

Now, if your firewall doesn't work.. follow the rules of "KISS" (Keep It Simple Stupid) which everybody knows. Remove all the protection of the internal IPs and dropping in the FORWARD chain and put some LOGging rule to see which are being dropped and why...

Thanks,
____________________________________________
George Vieira
Systems Manager
georgev@xxxxxxxxxxxxxxxxxxxxxx

-----Original Message-----
From: Daniel Arjona [mailto:darjona@xxxxxxxxxxxxxxx]
Sent: Wednesday, August 27, 2003 6:15 AM
To: netfilter@xxxxxxxxxxxxxxxxxxx
Subject: HELP ME PLEASE!!!!!!!!!

Hello:

I tried to configure an iptables firewall, but I can't. I need to configure this to use FTP, Kazaa, Internet, ICQ and access the IMAP server of Netscape with my Netscape Client. I'm a Linux newbie. Please help me!!!

Observations: iptables firewall, mail server and proxy server are installed in the same server. It's not recommended, but I don't have any other choice.

Regards,
DANIEL ARJONA

PS: SEE MY IPTABLES SCRIPT

## eth1 = my local interface
## eth0 = public network interface
## XXX.XXX.XXX.0/24 = My local subnet

## FLUSH
iptables -F
iptables -X
iptables -Z
iptables -t nat -F

## DEFAULT POLICIES
iptables -P INPUT ACCEPT
iptables -P OUTPUT ACCEPT
iptables -P FORWARD ACCEPT
iptables -t nat -P PREROUTING ACCEPT
iptables -t nat -P POSTROUTING ACCEPT

## LOCAL HOST
iptables -A INPUT -i lo -j ACCEPT

## ACCEPT ACCESS FROM THE LOCAL NETWORK & LOCAL INTERFACE
iptables -A INPUT -s XXX.XXX.XXX.0/24 -i eth1 -j ACCEPT

## SMTP Port
iptables -A INPUT -s 0.0.0.0/0 -p tcp --dport 25 -j ACCEPT

## POP3 Port
iptables -A INPUT -s 0.0.0.0/0 -p tcp --dport 110 -j ACCEPT

## FORWARDS TO HTTP PORT
iptables -A FORWARD -s XXX.XXX.XXX.0/24 -i eth1 -p tcp --dport 80 -j ACCEPT

## FORWARDS TO HTTPS PORT
iptables -A FORWARD -s XXX.XXX.XXX.0/24 -i eth1 -p tcp --dport 443 -j ACCEPT

## FORWARDS TO IMAP PORT
iptables -A FORWARD -s XXX.XXX.XXX.0/24 -i eth1 -p tcp --dport 143 -j ACCEPT

## FORWARDS TO KAZAA PORT
iptables -A FORWARD -s XXX.XXX.XXX.0/24 -i eth1 -p tcp --dport 1214 -j ACCEPT

## FORWARD TO DNS QUERIES PORT
iptables -A FORWARD -s XXX.XXX.XXX.0/24 -i eth1 -p tcp --dport 53 -j ACCEPT
iptables -A FORWARD -s XXX.XXX.XXX.0/24 -i eth1 -p udp --dport 53 -j ACCEPT

## FORWARDS TO FTP PORT
iptables -A FORWARD -s XXX.XXX.XXX.0/24 -i eth1 -p tcp --dport 21 -j ACCEPT

## DENIED FORWARD FOR THE OTHERS PORTS
iptables -A FORWARD -s XXX.XXX.XXX.0/24 -i eth1 -j DROP

## MASQUERADING OF THE LOCAL NETWORK
iptables -t nat -A POSTROUTING -s XXX.XXX.XXX.0/24 -o eth0 -j MASQUERADE
echo 1 > /proc/sys/net/ipv4/ip_forward

iptables -A INPUT -s 0.0.0.0/0 -i eth0 -p tcp --dport 1:1024 -j DROP
iptables -A INPUT -s 0.0.0.0/0 -i eth0 -p udp --dport 1:1024 -j DROP

## CLOSE WEBMIN PORT
iptables -A INPUT -s 0.0.0.0/0 -i eth0 -p tcp --dport 10000 -j DROP

echo " OK . Verifique que lo que se aplica con: iptables -L -n"
# END
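George's LOGging suggestion written out as an added example (not part of either message): the catch-all DROP at the end of Daniel's FORWARD chain is swapped for a rate-limited LOG rule, and a small awk helper counts the resulting kernel log entries per protocol and destination port so you can see which ports the ACCEPT list is missing. The subnet placeholder, the log prefix and the sample log lines are assumed or constructed, not taken from a real system.

```shell
#!/bin/sh
# Added example, not from the original thread. Replace the final FORWARD
# DROP with a LOG rule, then summarise what the kernel logged.
LAN="XXX.XXX.XXX.0/24"      # placeholder subnet from the original post
PREFIX="FWD-UNMATCHED: "     # assumed log prefix, makes grep easy

# Print the iptables commands (pipe into sh as root to apply them).
# Delete the catch-all DROP, then log (but no longer drop) anything from
# the LAN that none of the ACCEPT rules matched; -m limit keeps the
# kernel log from being flooded.
log_rules() {
    cat <<EOF
iptables -D FORWARD -s $LAN -i eth1 -j DROP
iptables -A FORWARD -s $LAN -i eth1 -m limit --limit 10/min --limit-burst 20 -j LOG --log-prefix "$PREFIX"
EOF
}

# Read kernel LOG lines on stdin (e.g. grep "$PREFIX" /var/log/messages)
# and print "PROTO DPT count", sorted, one line per protocol/port pair.
summarize_log() {
    awk '{
        proto = ""; dpt = "-"
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^PROTO=/) proto = substr($i, 7)
            if ($i ~ /^DPT=/)   dpt   = substr($i, 5)
        }
        if (proto != "") count[proto " " dpt]++
    } END { for (k in count) print k, count[k] }' | sort
}

# Constructed sample of what the kernel would log (not captured data).
SAMPLE='kernel: FWD-UNMATCHED: IN=eth1 OUT=eth0 SRC=10.0.0.5 DST=198.51.100.7 PROTO=TCP SPT=33001 DPT=5190 SYN
kernel: FWD-UNMATCHED: IN=eth1 OUT=eth0 SRC=10.0.0.5 DST=198.51.100.7 PROTO=TCP SPT=33002 DPT=5190 SYN
kernel: FWD-UNMATCHED: IN=eth1 OUT=eth0 SRC=10.0.0.9 DST=198.51.100.20 PROTO=TCP SPT=40010 DPT=51234 SYN
kernel: FWD-UNMATCHED: IN=eth1 OUT=eth0 SRC=10.0.0.9 DST=198.51.100.21 PROTO=ICMP TYPE=8 CODE=0'

# Stand-alone run: show the rules, then the summary of the sample.
log_rules
printf '%s\n' "$SAMPLE" | summarize_log
```

Each summary line is a protocol/port the ACCEPT list does not cover; add a rule for it only if it is traffic you actually want to allow, then put the DROP back.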