Good day everyone,

I am very new to this list. I am running FC3 and want to convert my server to act as a firewall, which does static NAT. I had set up everything and it works fine in simulation. But the only thing is I am not able to make restrictions in the FORWARD chain. The basic functionality of a firewall, the DEFAULT DENYING FUNCTIONALITY, is missing in my firewall. I tried to make it by applying a DROP policy to the FORWARD chain and also appending a default DROP rule to the end of the FORWARD chain. But when I do so, all the packets were getting dropped at the firewall.

I have pasted my firewall script below. I have enabled the ip_conntrack & iptable_nat modules during bootup.

OS: Fedora Core 3
IPtables Version: v1.2.11

# Generated by iptables-save v1.2.11 on Fri Apr 27 08:16:21 2007
*filter
:INPUT ACCEPT [364:57615]
:FORWARD ACCEPT [1:52]
:OUTPUT ACCEPT [211:18044]
-A INPUT -s 10.44.x.x -p icmp -j ACCEPT
-A INPUT -s 10.44.x.x -p icmp -j ACCEPT
-A INPUT -s 10.44.x.x -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -s 10.44.x.x -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -s 10.1.x.x -p tcp -m tcp --dport 22 -j ACCEPT
-A FORWARD -d 10.44.x.x -i eth0 -o eth1 -p tcp -m state --state NEW -j ACCEPT
-A FORWARD -d 10.44.x.x -i eth0 -o eth1 -p tcp -m state --state NEW -j ACCEPT
-A FORWARD -o eth0 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
COMMIT
# Completed on Fri Apr 27 08:16:21 2007
# Generated by iptables-save v1.2.11 on Fri Apr 27 08:16:21 2007
*nat
:PREROUTING ACCEPT [289:55706]
:POSTROUTING ACCEPT [77:6468]
:OUTPUT ACCEPT [77:6468]
-A PREROUTING -d 10.1.x.x -i eth0 -j DNAT --to-destination 10.44.x.x
-A PREROUTING -d 10.1.x.x -i eth0 -j DNAT --to-destination 10.44.x.x
-A POSTROUTING -s 10.44.x.x -o eth0 -j SNAT --to-source 10.1.x.x
-A POSTROUTING -s 10.44.x.x -o eth0 -j SNAT --to-source 10.1.x.x
COMMIT
# Completed on Fri Apr 27 08:16:21 2007

Output of iptables -nv -L:

Chain INPUT (policy ACCEPT 73 packets, 13040 bytes)
 pkts bytes target     prot opt in     out     source               destination
  501 30228 ACCEPT     icmp --  *      *       10.44.x.x            0.0.0.0/0
 8648  576K ACCEPT     tcp  --  *      *       10.44.x.x            0.0.0.0/0           tcp dpt:22
52464 9344K ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           state NEW,RELATED,ESTABLISHED

Chain FORWARD (policy ACCEPT 68 packets, 5648 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     tcp  --  eth0   eth1    0.0.0.0/0            10.44.x.x           state NEW
    0     0 ACCEPT     tcp  --  eth0   eth1    0.0.0.0/0            10.44.x.x           state NEW
    0     0 ACCEPT     all  --  *      eth0    0.0.0.0/0            0.0.0.0/0           state NEW,RELATED,ESTABLISHED
    0     0 ACCEPT     all  --  eth0   *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED

Chain OUTPUT (policy ACCEPT 10236 packets, 1175K bytes)
 pkts bytes target     prot opt in     out     source               destination

Any help would be highly appreciated.

Thanks & Regards,
Gopinath.U