Hi, first of all, your script can be shortened a lot by deleting rules you will never use, such as smtp, pop3, ftp-ctrl and http, all regarding the udp protocol. These protocols do not use udp. And xntp isn't tcp but udp.

I just went quickly through your script, but I still think this can never work. You define -P FORWARD -j DROP, but you have no stateful inspection rule and no forward rule which would forward your packets. Do an iptables -L -n -v and you will see that the counters on the FORWARD chain aren't 0, but on the other chains (input / output) they are 0 (except for local processes).

This below enables stateful inspection, forwarding all packets (no matter which proto) with snat. Note that 10.0.0/24 is lan and 192.168.1/24 is wan, 192.168.1.2 is $waneth:

iptables -A FORWARD -m state -d ! 10.0.0.0/24 -o $waneth --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -m state -d ! 10.0.0.0/24 -o $waneth --state NEW -j ACCEPT
iptables -t nat -A POSTROUTING -d ! 10.0.0.0/24 -o $waneth -j SNAT --to-source 192.168.1.2
iptables -A FORWARD -j ACCEPT

Then I would suggest you study how packets traverse the iptables firewall. Just for fun, try to set -P FORWARD -j ACCEPT instead of -P FORWARD -j DROP and you will see that all your input and output efforts in your script below are gone, since they're only supposed to protect the firewalling host itself running local processes. If you want to build up a simple script without the nat and mangle table, you must filter on the FORWARD chain. You only filter on INPUT and OUTPUT if you want to protect local processes such as a locally running ntpd, squid, bind, smtpd and so on.

Here's a link that might help you in your studies: http://www.knowplace.org/netfilter/syntax.html

I hope I could help you
Philipp
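The following is an added example and not Philipp's or Rüdiger's script: a minimal stateful router ruleset that does what the reply above describes, with routed traffic decided in FORWARD plus SNAT, and INPUT/OUTPUT reserved for the router's own processes. It keeps Philipp's addressing (10.0.0.0/24 is the LAN, 192.168.1.2 the router's address on $waneth) but matches the LAN with -s instead of his -d ! form; the interface names eth0/eth1, the choice of local services, and the DRY_RUN switch (which prints the rules instead of loading them, so the set can be reviewed without root) are assumptions made here.

```shell
#!/bin/sh
# Added example, not from the thread. Stateful NAT router ruleset in the
# spirit of Philipp's reply. Interface names and DRY_RUN are assumptions.
LAN=10.0.0.0/24
LANETH=eth1          # assumed LAN interface
WANETH=eth0          # assumed WAN interface ($waneth in the reply)
WANIP=192.168.1.2    # router's address on the WAN side

# DRY_RUN=1 (the default here) prints each rule instead of loading it, so the
# ruleset can be checked without root and without touching a live kernel.
DRY_RUN=${DRY_RUN:-1}

ipt() {
    if [ "$DRY_RUN" = 1 ]; then
        echo "iptables $*"
    else
        iptables "$@"
    fi
}

load_rules() {
    ipt -F
    ipt -t nat -F
    ipt -X

    # Default deny. Routed packets are decided in FORWARD only; INPUT and
    # OUTPUT only ever see traffic to or from processes on the router itself.
    ipt -P INPUT DROP
    ipt -P OUTPUT DROP
    ipt -P FORWARD DROP

    ipt -A INPUT -i lo -j ACCEPT
    ipt -A OUTPUT -o lo -j ACCEPT

    # Stateful inspection: packets belonging to an already accepted connection
    # pass in every chain, so no per-service "reply" rules are needed.
    ipt -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    ipt -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    ipt -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

    # LAN hosts may open new connections towards the WAN (any protocol);
    # nothing new is forwarded in the other direction.
    ipt -A FORWARD -i "$LANETH" -s "$LAN" -o "$WANETH" -m state --state NEW -j ACCEPT

    # Rewrite LAN sources to the router's WAN address on the way out.
    ipt -t nat -A POSTROUTING -s "$LAN" -o "$WANETH" -j SNAT --to-source "$WANIP"

    # Local services on the router, reachable from the LAN only: ssh (tcp/22)
    # and NFS (tcp+udp/2049). These belong in INPUT, not in FORWARD.
    ipt -A INPUT -i "$LANETH" -s "$LAN" -p tcp --dport 22 -m state --state NEW -j ACCEPT
    ipt -A INPUT -i "$LANETH" -s "$LAN" -p tcp --dport 2049 -m state --state NEW -j ACCEPT
    ipt -A INPUT -i "$LANETH" -s "$LAN" -p udp --dport 2049 -j ACCEPT

    # Connections the router's own processes may start: DNS (udp/53),
    # NTP (udp/123, not tcp) and the usual tcp client protocols.
    ipt -A OUTPUT -p udp --dport 53 -j ACCEPT
    ipt -A OUTPUT -p udp --dport 123 -j ACCEPT
    ipt -A OUTPUT -p tcp -m multiport --dports 21,22,25,53,80,110 -m state --state NEW -j ACCEPT
}

# Dry-run sanity check: how many rules would land in a given chain.
rules_in_chain() {
    (DRY_RUN=1; load_rules) | grep -c -- "-A $1 "
}

load_rules
```

Run it as-is to see the rule list; run it with DRY_RUN=0 as root to load it. After loading, iptables -L -n -v should show the counters on FORWARD and POSTROUTING climbing for LAN traffic, while INPUT and OUTPUT only count what the router itself sends and receives.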
-----Original Message-----
From: Rüdiger H [mailto:linuz@linuz.at]
Sent: Wednesday, 3 October 2001 21:40
To: suse-security@suse.com
Subject: [suse-security] Hi @ll -----> I have problems with my firewall
On my server a 2.4 kernel with an iptables firewall is running. I have already set up a few rules, but there are still problems downloading my emails. It takes about 15 seconds to look if there's mail; without the firewall it only takes half a second. Another problem is that I can reach neither an internal nor an external PC using ssh. When my firewall is up I can't use the NFS drive.

Who can help me solve these problems???
#! /bin/bash --login

### Reference to the command! ###
iptables=/usr/sbin/iptables

### Flush the rule chains! ###
iptables -F
iptables -t nat -F
iptables -X

### Load the connection tracking modules ###
modprobe ip_tables
modprobe ip_conntrack
modprobe ip_conntrack_ftp

### Specify the interface! ###
DEV_EXT=eth0
lan=192.168.77.0/24
dns=195.34.133.11

### Allow loopback! ###
iptables -A OUTPUT -o lo -j ACCEPT
iptables -A INPUT -i lo -j ACCEPT

### FTP connection tracking TCP ###
iptables -A INPUT -p tcp --sport 1024:65535 --dport ftp -j ACCEPT
iptables -A INPUT -p tcp --sport 1024:65535 --dport 1024:65535 -j ACCEPT
iptables -A OUTPUT -p TCP --sport 1024:65535 --dport ftp -j ACCEPT
iptables -A OUTPUT -p TCP --sport 1024:65535 --dport 1024:65535 -j ACCEPT

### DNS connection tracking TCP ###
iptables -A INPUT -p tcp --sport 0:65535 --dport domain -j ACCEPT
iptables -A INPUT -p tcp --sport 0:65535 --dport 1024:65535 -j ACCEPT
iptables -A OUTPUT -p tcp --sport 0:65535 --dport domain -j ACCEPT
iptables -A OUTPUT -p tcp --sport 0:65535 --dport 1024:65535 -j ACCEPT
### DNS connection tracking UDP ###
iptables -A INPUT -p udp --sport 0:65535 --dport domain -j ACCEPT
iptables -A INPUT -p udp --sport 0:65535 --dport 1024:65535 -j ACCEPT
iptables -A OUTPUT -p udp --sport 0:65535 --dport domain -j ACCEPT
iptables -A OUTPUT -p udp --sport 0:65535 --dport 1024:65535 -j ACCEPT

### Allow FTP server TCP! ###
iptables -A INPUT -p TCP --dport 21 -j ACCEPT
iptables -A OUTPUT -p TCP --sport 21 -j ACCEPT
### Allow FTP server UDP! ###
iptables -A INPUT -p UDP --dport 21 -j ACCEPT
iptables -A OUTPUT -p UDP --sport 21 -j ACCEPT
### Allow FTP server TCP return channel! ###
#iptables -A INPUT -p TCP --dport 20 -j ACCEPT
#iptables -A OUTPUT -p TCP --sport 20 -j ACCEPT
### Allow FTP server UDP return channel! ###
#iptables -A INPUT -p UDP --dport 20 -j ACCEPT
#iptables -A OUTPUT -p UDP --sport 20 -j ACCEPT

### Allow SSH server TCP! ###
iptables -A INPUT -p TCP --dport 22 -j ACCEPT
iptables -A OUTPUT -p TCP --sport 22 -j ACCEPT
### Allow SSH server UDP! ###
iptables -A INPUT -p UDP --dport 22 -j ACCEPT
iptables -A OUTPUT -p UDP --sport 22 -j ACCEPT

### Allow MAIL server TCP! ###
iptables -A INPUT -p TCP --dport 25 -j ACCEPT
iptables -A OUTPUT -p TCP --sport 25 -j ACCEPT
### Allow MAIL server UDP! ###
iptables -A INPUT -p UDP --dport 25 -j ACCEPT
iptables -A OUTPUT -p UDP --sport 25 -j ACCEPT

### MAIL connection tracking TCP ###
iptables -A INPUT -p tcp --sport 0:65535 --dport 25 -j ACCEPT
iptables -A INPUT -p tcp --sport 0:65535 --dport 1024:65535 -j ACCEPT
iptables -A OUTPUT -p tcp --sport 0:65535 --dport 25 -j ACCEPT
iptables -A OUTPUT -p tcp --sport 0:65535 --dport 1024:65535 -j ACCEPT
### MAIL connection tracking UDP ###
iptables -A INPUT -p udp --sport 0:65535 --dport 25 -j ACCEPT
iptables -A INPUT -p udp --sport 0:65535 --dport 1024:65535 -j ACCEPT
iptables -A OUTPUT -p udp --sport 0:65535 --dport 25 -j ACCEPT
iptables -A OUTPUT -p udp --sport 0:65535 --dport 1024:65535 -j ACCEPT

### Allow DNS server TCP! ###
iptables -A INPUT -p TCP --dport 53 -j ACCEPT
iptables -A OUTPUT -p TCP --sport 53 -j ACCEPT
### Allow DNS server UDP! ###
iptables -A INPUT -p UDP --dport 53 -j ACCEPT
iptables -A OUTPUT -p UDP --sport 53 -j ACCEPT

### Allow WEB server TCP! ###
iptables -A INPUT -p TCP --dport 80 -j ACCEPT
iptables -A OUTPUT -p TCP --sport 80 -j ACCEPT
### Allow WEB server UDP! ###
iptables -A INPUT -p UDP --dport 80 -j ACCEPT
iptables -A OUTPUT -p UDP --sport 80 -j ACCEPT

### Allow POP3 server TCP! ###
iptables -A INPUT -p TCP --dport 110 -j ACCEPT
iptables -A OUTPUT -p TCP --sport 110 -j ACCEPT
### Allow POP3 server UDP! ###
iptables -A INPUT -p UDP --dport 110 -j ACCEPT
iptables -A OUTPUT -p UDP --sport 110 -j ACCEPT

### Allow XNTP server TCP! ###
iptables -A INPUT -p TCP --dport 123 -j ACCEPT
iptables -A OUTPUT -p TCP --sport 123 -j ACCEPT
### Allow XNTP server UDP! ###
iptables -A INPUT -p UDP --dport 123 -j ACCEPT
iptables -A OUTPUT -p UDP --sport 123 -j ACCEPT

### XNTP connection tracking TCP ###
iptables -A INPUT -p tcp --sport 1024:65535 --dport ntp -j ACCEPT
iptables -A INPUT -p tcp --sport 1024:65535 --dport 1024:65535 -j ACCEPT
iptables -A OUTPUT -p TCP --sport 1024:65535 --dport ntp -j ACCEPT
iptables -A OUTPUT -p TCP --sport 1024:65535 --dport 1024:65535 -j ACCEPT

### XNTP connection tracking UDP ###
iptables -A INPUT -p udp --sport 1024:65535 --dport ntp -j ACCEPT
iptables -A INPUT -p udp --sport 1024:65535 --dport 1024:65535 -j ACCEPT
iptables -A OUTPUT -p UDP --sport 1024:65535 --dport ntp -j ACCEPT
iptables -A OUTPUT -p UDP --sport 1024:65535 --dport 1024:65535 -j ACCEPT

### Allow NFS server TCP! ###
iptables -A INPUT -p TCP --dport 2049 -j ACCEPT
iptables -A OUTPUT -p TCP --sport 2049 -j ACCEPT
### Allow NFS server UDP! ###
iptables -A INPUT -p UDP --dport 2049 -j ACCEPT
iptables -A OUTPUT -p UDP --sport 2049 -j ACCEPT

### NFS connection tracking TCP ###
iptables -A INPUT -p tcp --sport 1024:65535 --dport 2049 -j ACCEPT
iptables -A INPUT -p tcp --sport 1024:65535 --dport 1024:65535 -j ACCEPT
iptables -A OUTPUT -p TCP --sport 1024:65535 --dport 2049 -j ACCEPT
iptables -A OUTPUT -p TCP --sport 1024:65535 --dport 1024:65535 -j ACCEPT
### NFS connection tracking UDP ###
iptables -A INPUT -p udp --sport 1024:65535 --dport 2049 -j ACCEPT
iptables -A INPUT -p udp --sport 1024:65535 --dport 1024:65535 -j ACCEPT
iptables -A OUTPUT -p UDP --sport 1024:65535 --dport 2049 -j ACCEPT
iptables -A OUTPUT -p UDP --sport 1024:65535 --dport 1024:65535 -j ACCEPT

### Everything is blocked! ###
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP
Is there any German support?

Thanx for your help
Rüdiger H