Hi *

I am just trying to set up a firewall. The config is the following:

Desktop ------ Eth0 (192.168.1.1) [Firewall] Eth1 (91.189.74.10) ------ ISP

The script below is working OK for all LAN hosts, but not for the firewall PC itself (I tested it with e.g. ping www.ibm.com). Commenting out the line "iptables -P INPUT DROP" allows pinging from the firewall, but it effectively turns off the firewall.... It is probably a simple error, but I can't find where it is... Can somebody verify this script and tell me what is wrong? thx in advance

#Config area BEGIN--------------------------------------------------------------
LAN_intf=eth0
LAN_subnetwork=192.168.1.0/255.255.255.0
WAN_intf=eth1
WAN_ip=91.189.74.10
Open_WAN_TCP_ports=20,21,80,500,1352,4500
Open_WAN_UDP_ports=500,1352,4500,5060
Open_WAN_RTP_port_range=7070:7080
#Config area END----------------------------------------------------------------

#--Flushing all iptables tables-------------------------------------------------
iptables -F
iptables -X
iptables -t nat -F
iptables -t nat -X
iptables -t mangle -F
iptables -t mangle -X

#--Setting up SNAT for outgoing to WAN DATA connections------------------------
iptables -t nat -A POSTROUTING -s $LAN_subnetwork -o $WAN_intf -j SNAT --to-source $WAN_ip

#--Allowing self access by loopback interface----------------------------------
iptables -A INPUT -i lo -p all -j ACCEPT

#--Allowing local access to LAN------------------------------------------------
iptables -A INPUT -i $LAN_intf -p all -j ACCEPT

#--Allowing WAN incoming traffic from already established connections----------
# The variable must be expanded here ($WAN_intf): a bare "WAN_intf" names an
# interface that does not exist, so the rule never matches and the replies to
# the firewall's own outgoing connections (e.g. ping) fall through to the
# INPUT DROP policy.
iptables -A INPUT -i $WAN_intf -m state --state ESTABLISHED,RELATED -j ACCEPT

#--Allowing WAN incoming traffic for desired services--------------------------
#Open WAN TCP ports
iptables -A INPUT -p tcp -i $WAN_intf -m multiport --dport $Open_WAN_TCP_ports -j ACCEPT
#Open WAN UDP ports
iptables -A INPUT -p udp -i $WAN_intf -m multiport --dport $Open_WAN_UDP_ports -j ACCEPT
#Open VoIP UDP port ranges
iptables -A INPUT -p udp -i $WAN_intf --dport $Open_WAN_RTP_port_range -j ACCEPT

#--Drop all other incoming connection. Only above will be allowed-------------
iptables -P INPUT DROP
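As an added example (not part of the original post), here is a small POSIX shell check for the class of mistake the post describes: an `-i`/`-o` argument where the `$` of a shell variable was dropped, so the rule is bound to an interface that does not exist and silently never matches. It scans the rule lines before they are loaded; the sample rules and the accepted interface names (`lo`, `ethN`) are constructed for the example and would be adapted to the real host.

```sh
#!/bin/sh
# Static check for iptables rule lines: flag any -i / -o argument that is
# neither a shell variable reference ($name) nor a plausible interface name.
# (Added example; the interface naming pattern is an assumption.)

# Constructed sample rules: the first line reproduces the bug (missing "$"),
# the others are well-formed.
SAMPLE_RULES='iptables -A INPUT -i WAN_intf -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -i $LAN_intf -p all -j ACCEPT
iptables -A INPUT -i lo -p all -j ACCEPT
iptables -t nat -A POSTROUTING -s $LAN_subnetwork -o eth1 -j SNAT --to-source 91.189.74.10'

# check_iface_args RULES
#   Prints one diagnostic line per suspicious rule.
#   Returns 1 if any suspicious rule was found, 0 otherwise.
check_iface_args() {
    printf '%s\n' "$1" | awk '
        {
            for (i = 1; i < NF; i++) {
                if ($i == "-i" || $i == "-o") {
                    arg = $(i + 1)
                    # accept $VAR, the loopback, and ethN style names
                    if (arg !~ /^\$/ && arg != "lo" && arg !~ /^eth[0-9]+$/) {
                        print "suspicious interface argument \"" arg "\": " $0
                        bad = 1
                    }
                }
            }
        }
        END { exit bad }'
}

# Run the check on the sample; a non-zero status means the script should be
# corrected before it is loaded into the kernel.
check_iface_args "$SAMPLE_RULES" || echo "fix the rules above before loading them"
```

Run it against the script text (for example `check_iface_args "$(cat firewall.sh)"`) before executing the script; a clean run exits 0, and once the rules are loaded `iptables -L INPUT -v -n` shows the `in` column of each rule, where a bogus interface name is equally visible.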