> my script:
>
> echo "1" > /proc/sys/net/ipv4/ip_forward
>
> # flush the tables
> iptables -F
> iptables -X
>
> # default policies
> iptables -P INPUT DROP
> iptables -P OUTPUT DROP
> iptables -P FORWARD DROP
>
> # allow the local loopback
>
> iptables -A OUTPUT -o lo -m state --state RELATED,ESTABLISHED,NEW -j ACCEPT
> iptables -A OUTPUT -o eth0 -p tcp --dport 80 -j ACCEPT
> iptables -A OUTPUT -o eth0 -p tcp --dport 443 -j ACCEPT
> iptables -A OUTPUT -o eth0 -p udp --dport 53 -j ACCEPT
> iptables -A OUTPUT -o eth1 -d 192.168.1.0/24 -j ACCEPT
> iptables -A OUTPUT -o eth0 -p tcp --dport 23 -j ACCEPT
>
> iptables -A INPUT -i lo -m state --state RELATED,ESTABLISHED,NEW -j ACCEPT
> iptables -A INPUT -i eth0 -p udp --sport 53 -j ACCEPT
> iptables -A INPUT -i eth0 -p tcp --sport 80 -j ACCEPT
> iptables -A INPUT -i eth0 -p tcp --sport 443 -j ACCEPT
> iptables -A INPUT -i eth1 -s 192.168.1.0/24 -j ACCEPT
> iptables -A INPUT -i eth0 -p tcp --sport 23 -j ACCEPT
>
> # forward
>
> iptables -A POSTROUTING -t nat -o eth0 -j MASQUERADE
> iptables -A FORWARD -s 192.168.1.0/24 -j ACCEPT -o eth0
> #iptables -A FORWARD -i eth0 -o eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
>
> problem:
> pc firewall can access the web
> pc firewall can access the private network
> private network can access the pc firewall
> private network CAN'T access the web

The first problem I see is that you allow ESTABLISHED,RELATED,NEW in your INPUT and OUTPUT chains. Once you hit that rule, the only thing going past are INVALID packets, so the rest of the INPUT and OUTPUT chains aren't doing anything useful.

The second problem I see is the FORWARD chain has "-i eth0 -o eth0" on the ESTABLISHED,RELATED rule, which can't be right. All the packets on the FORWARD chain are going to be either "-i eth0 -o eth1" or "-i eth1 -o eth0". Since your private address space (192.168.1.0/24) shouldn't exist on the outside, there's little need to specify both the address and the interface in your rules.
It looks like you have rules in your INPUT and OUTPUT chains intended to pass traffic through the firewall. Only packets directed at the firewall go through INPUT and only packets generated by the firewall go through OUTPUT. Packets passing through the firewall are seen on FORWARD. Look at (make that study!) the tutorial, including a nice diagram (in "Traversing of Tables and Chains"), written by Oskar Andreasson at http://iptables-tutorial.frozentux.net.

Here's what I suggest to help get you going...

Change your default policies to ACCEPT (temporarily).

# Keep this
iptables -A POSTROUTING -t nat -o eth0 -j MASQUERADE

The first two rules in each chain should be:

iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A INPUT -m state --state INVALID -j DROP
iptables -A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -m state --state INVALID -j DROP
iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -m state --state INVALID -j DROP

Now the only packets the rest of the rules in each chain see are state NEW. Add your rules one at a time and check the packet counts using the command:

iptables -nvL

If you add a rule for web traffic and then surf the web, the rule should have a count associated with it. If not, then the rule isn't doing what you expect! When all the rules you add have counts, then you can change the default policies back to DROP and your firewall is complete.

Optionally you can add the following to the end of each chain so when something doesn't work, you can examine the firewall syslog to see what went wrong. Make sure if you do this that you have set up some kind of log rotation so you don't fill the disk up with log files.
#
# Log what's left before dropping (should be last rule in each chain)
#
iptables -A FORWARD -m limit --limit 20/minute -j LOG --log-level \
    notice --log-prefix "[FORWARD] "
iptables -A INPUT -m limit --limit 20/minute -j LOG --log-level \
    notice --log-prefix "[INPUT] "
iptables -A OUTPUT -m limit --limit 20/minute -j LOG --log-level \
    notice --log-prefix "[OUTPUT] "
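Putting the reply's advice together in one script, as an added example that is not code from the thread: eth0 (outside), eth1 (inside) and 192.168.1.0/24 are taken from the question; the DRY_RUN/run helper is an assumption of this example so the rule set can be inspected before it is applied.

```shell
#!/bin/sh
# Added example (not from the thread): NAT firewall laid out as the reply advises.
# Assumed interfaces: eth0 = Internet side, eth1 = 192.168.1.0/24 LAN side.
# DRY_RUN=1 (default) prints the commands; DRY_RUN=0 applies them (run as root).
DRY_RUN=${DRY_RUN:-1}

run() {
    if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

gen_rules() {
    wan=$1; lan=$2; lan_net=$3
    run sysctl -w net.ipv4.ip_forward=1
    run iptables -F
    run iptables -X
    run iptables -t nat -F
    # Build with ACCEPT policies; set them to DROP only after every rule
    # shows packet counts in 'iptables -nvL'.
    for chain in INPUT OUTPUT FORWARD; do
        run iptables -P "$chain" ACCEPT
        # State rules first: after these only NEW packets reach the rest.
        run iptables -A "$chain" -m state --state RELATED,ESTABLISHED -j ACCEPT
        run iptables -A "$chain" -m state --state INVALID -j DROP
    done
    # Loopback on the firewall host itself.
    run iptables -A INPUT -i lo -j ACCEPT
    run iptables -A OUTPUT -o lo -j ACCEPT
    # NEW connections originated by the firewall host.
    run iptables -A OUTPUT -o "$wan" -p tcp --dport 80 -j ACCEPT
    run iptables -A OUTPUT -o "$wan" -p tcp --dport 443 -j ACCEPT
    run iptables -A OUTPUT -o "$wan" -p udp --dport 53 -j ACCEPT
    run iptables -A OUTPUT -o "$lan" -j ACCEPT
    # NEW connections to the firewall host: only from the LAN side.
    run iptables -A INPUT -i "$lan" -s "$lan_net" -j ACCEPT
    # LAN -> Internet passes through FORWARD, not INPUT/OUTPUT; replies
    # are matched by the RELATED,ESTABLISHED rule at the top of FORWARD.
    run iptables -A FORWARD -i "$lan" -o "$wan" -j ACCEPT
    run iptables -t nat -A POSTROUTING -o "$wan" -j MASQUERADE
    # Rate-limited logging of whatever is left, last in each chain.
    for chain in INPUT OUTPUT FORWARD; do
        run iptables -A "$chain" -m limit --limit 20/minute -j LOG \
            --log-level notice --log-prefix "[$chain] "
    done
}

gen_rules eth0 eth1 192.168.1.0/24
```

With the default DRY_RUN=1 the script only prints the iptables commands in order, so the state rules, the single FORWARD rule and the trailing LOG rules can be checked before anything is loaded.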