OK, Thanks for all your help Maarten. Here's what I have so far, that is FINALLY doing something close to what I need. I haven't blocked everything yet, but I an developing rules to keep out alot of the nasties. Tell me what you think. -e /////////////////////////////////////////////////////////////// #!/bin/sh ##################################################################### # /etc/init.d/firewall {start|stop} # # a simple iptables firewall # # based on various scripts found online # to support virtual hosts, NAT rules and masquerading # # Last Rev.3/3/2004 ##################################################################### PATH="$PATH:/usr/bin/:/usr/sbin" DEPMOD=/sbin/depmod INSMOD=/sbin/insmod EXTIF=eth0 INTIF1=eth1 INTIF2=eth2 case "$1" in 'start') #======================================================= # Set policy for tables #======================================================= echo "Clearing any existing rules and setting default policy.." iptables -P INPUT DROP iptables -P OUTPUT ACCEPT iptables -P FORWARD ACCEPT #======================================================= # Flush rules in tables #======================================================= iptables -F iptables -F INPUT iptables -F OUTPUT iptables -F FORWARD #======================================================= # Delete empty tables #======================================================= iptables -X #======================================================= # Flush the nat table and set it's policies #======================================================= iptables -t nat -F iptables -t nat --policy PREROUTING ACCEPT iptables -t nat --policy OUTPUT ACCEPT iptables -t nat --policy POSTROUTING ACCEPT #======================================================= # Allow unlimited loopback #======================================================= echo "Setting up loopback access..." iptables -A INPUT -i lo -j ACCEPT iptables -A OUTPUT -o lo -j ACCEPT #======================================================= # Masquerade everything out eth0 #======================================================= echo "Setting up masquerading..." iptables -t nat -A POSTROUTING -o $EXTIF -j MASQUERADE #======================================================= # Allow all outbound connections from LAN(eth1 & eth2) # to Internet(eth0) # Allow only return traffic from those connections #======================================================= echo "Allow forwarding for 192.168.48.0 subnet..." echo "Allow forwarding for 192.168.5.0 subnet..." iptables -A FORWARD -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT #======================================================= # Allow all connections from LAN1(eth1) to LAN2(eth2) #======================================================= echo "Allow forwarding between internal networks..." iptables -A FORWARD -i $INTIF1 -o $INTIF2 -j ACCEPT iptables -A FORWARD -i $INTIF2 -o $INTIF1 -j ACCEPT #======================================================= # Allow unlimited outbound connections and return # traffic from firewall #======================================================= iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT iptables -A INPUT -i $INTIF1 -m state --state ESTABLISHED,RELATED -j ACCEPT iptables -A INPUT -i $INTIF2 -m state --state ESTABLISHED,RELATED -j ACCEPT iptables -A OUTPUT -o $EXTIF -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT iptables -A OUTPUT -o $INTIF1 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT iptables -A OUTPUT -o $INTIF2 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT #======================================================= # Allow ssh at the firewall machine (JANUS) #======================================================= iptables -A INPUT -p tcp --dport 22 -j ACCEPT iptables -A INPUT -p udp --dport 22 -j ACCEPT #======================================================= # Routing packets from the external LAN to EMDX #======================================================= echo "Associating internal address 192.168.48.211 with external address 193.54.48.211" iptables -t nat -A PREROUTING -p tcp --dst 193.54.48.211 -j DNAT --to-destination 192.168.48.211 iptables -t nat -A PREROUTING -p udp --dst 193.54.48.211 -j DNAT --to-destination 192.168.48.211 iptables -t nat -A PREROUTING -p icmp --dst 193.54.48.211 -j DNAT --to-destination 192.168.48.211 #======================================================= # Routing packets from an internal LAN to EMDX #======================================================= iptables -t nat -A POSTROUTING -p tcp --dst 193.54.48.211 -j SNAT --to-source 192.168.48.211 iptables -t nat -A POSTROUTING -p udp --dst 193.54.48.211 -j SNAT --to-source 192.168.48.211 iptables -t nat -A POSTROUTING -p icmp --dst 193.54.48.211 -j SNAT --to-source 192.168.48.211 #======================================================= # Routing packets from the external LAN to EMDSNAP #======================================================= echo "Associating internal address 192.168.5.217 with external address 193.54.48.217" iptables -t nat -A PREROUTING -p tcp --dst 193.54.48.217 -j DNAT --to-destination 192.168.5.217 iptables -t nat -A PREROUTING -p udp --dst 193.54.48.217 -j DNAT --to-destination 192.168.5.217 iptables -t nat -A PREROUTING -p icmp --dst 193.54.48.217 -j DNAT --to-destination 192.168.5.217 #======================================================= # Routing packets from an internal LAN to EMDSNAP #======================================================= iptables -t nat -A POSTROUTING -p tcp --dst 193.54.48.217 -j SNAT --to-source 192.168.5.217 iptables -t nat -A POSTROUTING -p udp --dst 193.54.48.217 -j SNAT --to-source 192.168.5.217 iptables -t nat -A POSTROUTING -p icmp --dst 193.54.48.217 -j SNAT --to-source 192.168.5.217 #======================================================= # Drop everything else (not implemented yet) #======================================================= #iptables -A block -j DROP #iptables -A INPUT -j block #iptables -A FORWARD -j block #iptables -L -n #iptables -t nat -L -n #======================================================= # Setup logging #======================================================= echo "Logging started..." iptables -A INPUT -j LOG #iptables -A FORWARD -j LOG #iptables -t nat -A PREROUTING -j LOG #iptables -t nat -A POSTROUTING -j LOG #iptables -A OUTPUT -j LOG #iptables -A block -j LOG ;; 'stop') echo "Flushing iptables firewall..." iptables -P INPUT ACCEPT iptables -F INPUT iptables -P OUTPUT ACCEPT iptables -F OUTPUT iptables -P FORWARD DROP iptables -F FORWARD #iptables -F block iptables -t nat -F ;; 'restart') $0 stop $0 start ;; *) echo "$0 {start|stop}" exit 1 ;; esac exit 0 ////////////////////////////////////////////////////////////////////////////// ///////////////