i think i am allowing them. specifically with the following two lines:
-A ei-in -d 0.0.0.0/0 1024:65535 -p 6 -j accepted
-A ei-in -d 0.0.0.0/0 1024:65535 -p 17 -j accepted
Agree. But why udp? ftp doesn't use udp.
where ei-in is the chain of packets arriving from a non-local machine on the external interface.
You can save up a lot of rulesets which will make your script easier to control by using squid for www, ssl and pasv ftp. Also you can run bind as a dns forwarder bound to your int eth (Not to your ext eth!).
well, i am. currently, i don't forward 443 to squid, but 80 is automatically handled by squid without the need to specify a proxy. and i actually did not know that ftp can be handled by squid too.
You run squid transparently? Good thing though, but not ftp pasv capable. I see, you handled it the other way 'round, opening your firewall box from 1024:. Just checking back your script.

You shouldn't close all icmp traffic. In particular you should allow ping, pong and icmp unreachable. Not doing so could cause loss of bandwidth because of unanswered icmp unreachables.

Anti spoof is ok. You can enhance it by doing

    echo 1 > /proc/sys/net/ipv4/rp_filter

Then I miss smurf protection...

    # SMURF PROTECTION
    echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts

....as well as fragmented ip protection

    # IP DEFRAGMENTATION
    echo 1 > /proc/sys/net/ipv4/ip_always_defrag

Syntax & useless stuff

    #-A input -s 0.0.0.0/0 -d 0.0.0.0/0 79:79 -p 6 -j ACCEPT
    # http (tcp)
    #-A input -s 0.0.0.0/0 -d 0.0.0.0/0 80:80 -p 6 -j ACCEPT
    # ident (tcp)
    -A input -s 0.0.0.0/0 -d 0.0.0.0/0 113:113 -p 6 -j ACCEPT

You don't need to write 79:79, 80:80 or 113:113. If you just write 79, 80 and 113 you'll be fine.

Why allowing finger? Do you like other people fingering you? Giving away information?

Why auth port open? (send)Mail does work with auth port to authenticate the mail sender. You don't need that. Works well without. Also same problem as port 79: giving away information.

Transparent proxy: I'm afraid I was wrong. You don't run squid in transparent mode. Your input chain for www would have other syntax.

    ### screw that micro$oft netbeui bullshit

I'm afraid netbeui is something else than netbios. Netbeui is ISO layer 3 - approx 5. Netbios would be (like www, or ftp) application layer (7). It's not really correct what I write here, because MS network doesn't know about the 7-layer OSI model. What you mean here is netbios.

    ### screw that micro$oft netbeui bullshit
    -A input -s 0.0.0.0/0 -d 0.0.0.0/0 137:139 -p 6 -j DENY
    -A input -s 0.0.0.0/0 137:139 -d 0.0.0.0/0 -p 6 -j DENY
    -A input -s 0.0.0.0/0 -d 0.0.0.0/0 137:139 -p 17 -j DENY
    -A input -s 0.0.0.0/0 137:139 -d 0.0.0.0/0 -p 17 -j DENY

You can save up 3 rules by using the -b (= bidirectional) option and forgetting about protocols. This line below covers your four lines above.

    -A input -s 0.0.0.0/0 -d 0.0.0.0/0 137:139 -j DENY -b

General information

    ### deny everything by default
    :input REJECT

in your config ok. With squid running you would fail with this policy.

    ### this is not really relevant
    :forward ACCEPT

This is relevant. With forward = deny nothing works. I think you should check back at the principle of how the ipchains forward rule works. The forward rule decides whether to route the packet. I attached a drawing about it. lo device is not included in this drawing. It's german. I guess you sprichst Deutsch.

    ### and we allow the local user to do anything
    :output ACCEPT

The output policy covers two directions. From your ext eth out to the internet and from your int eth into your internal net.

CUL
Philipp
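A small model of the ipchains rule matching discussed in the reply above, added here and not part of the thread: it evaluates the four NetBIOS DENY lines and the single `-b` replacement over constructed sample packets and checks that both chains give the same verdict. The addresses and ports are constructed; `-b` is modelled the way ipchains applies it, by also trying the rule with source and destination (and their port ranges) swapped.

```python
from collections import namedtuple
from ipaddress import ip_address, ip_network

ANY = (0, 65535)  # ipchains default when a rule names no port range
Packet = namedtuple("Packet", "src dst proto sport dport")
# proto None means -p was omitted (any protocol); bidir is the -b flag
Rule = namedtuple("Rule", "target src dst sports dports proto bidir",
                  defaults=("0.0.0.0/0", "0.0.0.0/0", ANY, ANY, None, False))

def _hit(r, p, src, dst, sports, dports):
    return (ip_address(p.src) in ip_network(src)
            and ip_address(p.dst) in ip_network(dst)
            and (r.proto is None or p.proto == r.proto)
            and sports[0] <= p.sport <= sports[1]
            and dports[0] <= p.dport <= dports[1])

def matches(r, p):
    """A -b rule is tried as written and again with src/dst (and ports) swapped."""
    if _hit(r, p, r.src, r.dst, r.sports, r.dports):
        return True
    return r.bidir and _hit(r, p, r.dst, r.src, r.dports, r.sports)

def evaluate(chain, policy, p):
    """First matching rule decides, otherwise the chain policy, as in ipchains."""
    for r in chain:
        if matches(r, p):
            return r.target
    return policy

# The four NetBIOS lines from the script: one per protocol and per direction
FOUR = [Rule("DENY", dports=(137, 139), proto=6), Rule("DENY", sports=(137, 139), proto=6),
        Rule("DENY", dports=(137, 139), proto=17), Rule("DENY", sports=(137, 139), proto=17)]
# The single replacement suggested in the reply: -p omitted, -b set
ONE = [Rule("DENY", dports=(137, 139), bidir=True)]

# Constructed sample traffic: NetBIOS/SMB packets in both directions plus unrelated ones
SAMPLES = [Packet("198.51.100.7", "192.0.2.1", 6, 40000, 139),   # inbound SMB connect
           Packet("198.51.100.7", "192.0.2.1", 17, 137, 137),    # name service datagram
           Packet("192.0.2.1", "198.51.100.7", 6, 138, 40001),   # reply leaving port 138
           Packet("198.51.100.7", "192.0.2.1", 6, 40002, 80)]    # plain http, unaffected

def agree(packets=SAMPLES, policy="REJECT"):
    """True when the four-rule and the one-rule chain give the same verdict for every packet."""
    return all(evaluate(FOUR, policy, p) == evaluate(ONE, policy, p) for p in packets)
```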