Gaspar,
Thanks for trying to help!
It looks like I found the problem. Probably somewhere in the file there were non-ASCII
chars which are not visible in my editor and were causing the problem.
I rewrote the script manually and now it works as expected :-)
I also changed the approach a little bit: the default policy for the FORWARD chain is
now DROP.
I'm allowing forwarding of only new connections from LAN to WAN and accepting
only already established connections from WAN to LAN:
iptables -A FORWARD -i $WAN_intf -o $LAN_intf -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i $LAN_intf -o $WAN_intf -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
BTW: I have some comments on your hints (see inline):
br
Gáspár Lajos wrote:
warpme wrote:
Hi *
I'm just trying to set up a firewall. The config is the following:
Desktop ------ Eth0 (192.168.1.1) [Firewall] Eth1 (91.189.74.10) --------- ISP
The script below is working OK for all LAN hosts, but not for the
firewall PC itself (I tested it with, e.g., ping www.ibm.com).
Commenting out the line "iptables -P INPUT DROP" allows pinging from the
firewall, but it effectively turns off the firewall....
It is probably a simple error, but I can't find where it is...
Can somebody verify this script and tell me what is wrong?
Thanks in advance
#Config area BEGIN--------------------------------------------------------------
LAN_intf=eth0
LAN_subnetwork=192.168.1.0/255.255.255.0
WAN_intf=eth1
WAN_ip=91.189.74.10
Open_WAN_TCP_ports=20,21,80,500,1352,4500
Open_WAN_UDP_ports=500,1352,4500,5060
Open_WAN_RTP_port_range=7070:7080
#Config area END----------------------------------------------------------------
#--Flushing all iptables tables-------------------------------------------------
iptables -F
iptables -X
iptables -t nat -F
iptables -t nat -X
iptables -t mangle -F
iptables -t mangle -X
#--Setting up SNAT for outgoing to WAN DATA connections------------------------
iptables -t nat -A POSTROUTING -s $LAN_subnetwork -o $WAN_intf -j SNAT --to-source $WAN_ip
I would write it like this:
iptables -t nat -A POSTROUTING ! -s $WAN_ip -o $WAN_intf -j SNAT --to-source $WAN_ip
I understand the advantage of such an approach is that any non-WAN_ip host
will be NAT'ed. But for non-LAN-addressed hosts it will require
additional entries in the routing table for packets received from the WAN and
destined to a LAN host. Effectively it will require touching the firewall,
and because of this I consider it not beneficial.
#--Allowing self access by loopback interface----------------------------------
iptables -A INPUT -i lo -p all -j ACCEPT
"-p all" is not needed... And I would rather set up the OUTPUT rule than
the INPUT rule, because the "lo" interface only accepts connections
from itself... if a new connection is made then the first step is to send
OUT something to the other host... :D
iptables -A OUTPUT -o lo -j ACCEPT
Well, the default iptables policy for all chains is ACCEPT, so this rule is
redundant.
#--Allowing local access to LAN------------------------------------------------
iptables -A INPUT -i $LAN_intf -p all -j ACCEPT
no need for "-p all"
Right!
#--Allowing WAN incoming traffic from already established connections----------
iptables -A INPUT -i WAN_intf -m state --state ESTABLISHED,RELATED -j ACCEPT
#--Allowing WAN incoming traffic for desired services--------------------------
#Open WAN TCP ports
iptables -A INPUT -p tcp -i $WAN_intf -m multiport --dport $Open_WAN_TCP_ports -j ACCEPT
#Open WAN UDP ports
iptables -A INPUT -p udp -i $WAN_intf -m multiport --dport $Open_WAN_UDP_ports -j ACCEPT
#Open VoIP UDP port ranges
iptables -A INPUT -p udp -i $WAN_intf --dport $Open_WAN_RTP_port_range -j ACCEPT
For "ping" you need the following line:
iptables -A INPUT -p icmp -j ACCEPT
Well, it is not needed when only outgoing pings are allowed (my case).
I think incoming pings should rather be disabled; it will help to
protect the host from a potential DoS via ping flood.
#--Drop all other incoming connections. Only the above will be allowed-------------
iptables -P INPUT DROP
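As an added example (not code from the thread or from either poster), here is a consolidated version of the ruleset following the points settled above: default DROP on INPUT and FORWARD, a stateful ESTABLISHED,RELATED rule on the WAN side, new forwarded connections only from LAN to WAN, SNAT for the LAN subnet, and no incoming echo-request from the WAN. Instead of executing the iptables commands it emits them, so the generated set can be read and linted before `apply` runs it as root; the lint rejects any `-i`/`-o` argument that is not a known interface name, which is worth having because the quoted ESTABLISHED,RELATED rule above reads `-i WAN_intf` without the `$`, and iptables accepts that as a literal interface name that never matches. Interface names, addresses and port lists default to the values from the posted config; the `-s` source checks, the rate-limited `ALLOW_WAN_PING` option, the `ip_forward` sysctl, the `print`/`lint`/`apply` subcommands and all function names are my additions and assumptions, not anything the thread specifies.

```shell
#!/bin/sh
# Added example: consolidated ruleset following the thread's conclusions.
# It EMITS the iptables commands instead of running them, so the result
# can be reviewed (and linted) before "apply" runs it as root.
# Interface names, addresses and port lists default to the posted config;
# they are assumptions for any other box.

LAN_intf=${LAN_intf:-eth0}
LAN_subnetwork=${LAN_subnetwork:-192.168.1.0/24}
WAN_intf=${WAN_intf:-eth1}
WAN_ip=${WAN_ip:-91.189.74.10}
Open_WAN_TCP_ports=${Open_WAN_TCP_ports:-20,21,80,500,1352,4500}
Open_WAN_UDP_ports=${Open_WAN_UDP_ports:-500,1352,4500,5060}
Open_WAN_RTP_port_range=${Open_WAN_RTP_port_range:-7070:7080}
# Incoming echo-request from the WAN is dropped by policy, as preferred in
# the thread. Set to 1 to allow it rate-limited instead (added option).
ALLOW_WAN_PING=${ALLOW_WAN_PING:-0}

emit() { printf '%s\n' "$*"; }

build_rules() {
    # flush everything, then set default policies first so that a typo
    # later in the script cannot leave a chain wide open
    emit "iptables -F"
    emit "iptables -X"
    emit "iptables -t nat -F"
    emit "iptables -t nat -X"
    emit "iptables -t mangle -F"
    emit "iptables -t mangle -X"
    emit "iptables -P INPUT DROP"
    emit "iptables -P FORWARD DROP"
    emit "iptables -P OUTPUT ACCEPT"

    # INPUT: traffic addressed to the firewall host itself
    emit "iptables -A INPUT -i lo -j ACCEPT"
    emit "iptables -A INPUT -i $LAN_intf -s $LAN_subnetwork -j ACCEPT"
    # replies to the host's own outgoing traffic (this is what lets
    # "ping www.ibm.com" from the firewall work under INPUT DROP)
    emit "iptables -A INPUT -i $WAN_intf -m state --state ESTABLISHED,RELATED -j ACCEPT"
    emit "iptables -A INPUT -i $WAN_intf -p tcp -m multiport --dports $Open_WAN_TCP_ports -j ACCEPT"
    emit "iptables -A INPUT -i $WAN_intf -p udp -m multiport --dports $Open_WAN_UDP_ports -j ACCEPT"
    emit "iptables -A INPUT -i $WAN_intf -p udp --dport $Open_WAN_RTP_port_range -j ACCEPT"
    if [ "$ALLOW_WAN_PING" = 1 ]; then
        emit "iptables -A INPUT -i $WAN_intf -p icmp --icmp-type echo-request -m limit --limit 1/s --limit-burst 4 -j ACCEPT"
    fi

    # FORWARD: LAN hosts through the box; new connections only from the LAN side
    emit "iptables -A FORWARD -i $LAN_intf -o $WAN_intf -s $LAN_subnetwork -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT"
    emit "iptables -A FORWARD -i $WAN_intf -o $LAN_intf -m state --state ESTABLISHED,RELATED -j ACCEPT"

    # NAT for LAN hosts going out to the WAN
    emit "iptables -t nat -A POSTROUTING -s $LAN_subnetwork -o $WAN_intf -j SNAT --to-source $WAN_ip"
    # not in the posted script: without this the FORWARD chain never sees a packet
    emit "sysctl -w net.ipv4.ip_forward=1"
}

# Reads rules on stdin and fails if any -i/-o argument is not a known
# interface name. This catches the slip where a variable is written
# without its "$": iptables silently accepts "-i WAN_intf" as a literal,
# never-matching interface name.
lint_stream() {
    awk -v ok=" lo $LAN_intf $WAN_intf " '
        BEGIN { bad = 0 }
        {
            for (i = 1; i < NF; i++)
                if (($i == "-i" || $i == "-o") && index(ok, " " $(i + 1) " ") == 0) {
                    print "unknown interface in rule: " $0 > "/dev/stderr"
                    bad = 1
                }
        }
        END { exit bad }'
}

lint_rules() { build_rules | lint_stream; }

apply_rules() {
    # needs root; refuses to run anything the lint rejects
    lint_rules && build_rules | sh -e
}

case "${1:-}" in
    print) build_rules ;;
    lint)  lint_rules && echo "rules look sane" ;;
    apply) apply_rules ;;
esac
```

`sh fw.sh print` shows the generated commands, `sh fw.sh lint` checks them, and `sh fw.sh apply` (as root) runs them only if the lint passes. Setting the DROP policies before the ACCEPT rules means a mistake further down fails closed rather than open; on a remote box, run it from a console or under a watchdog that reloads the previous rules.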