I recently installed Centos 6 and is my SOHO firewall/router. The small network is layout like such:
Code :
|--eth0(WAN)
Centos 6(firewall/router)
|---eth1(LAN)
|
Switch
|
|
LAN(192.168.3.0/27)
|
|
PCs ----Laptops---Printer
I can ping my devices from the firewall and talk to all my devices from the firewall(eth1). Now the issue is when I am on my laptop(on the LAN), oddly I can only talk to a few devices on my LAN(the firewall interface(eth1) and only the AP) but nothing else. I know it has to be something that I changed inadvertently by accident in my iptables ruleset that I cannot pinpoint out. Its a bit long but here it is:
Code :
#! /bin/sh
IPTABLES="/sbin/iptables"
case "$1" in
stop)
echo "Shutting down firewall..."
$IPTABLES -F
$IPTABLES -F -t mangle
$IPTABLES -F -t nat
$IPTABLES -X
$IPTABLES -X -t mangle
$IPTABLES -X -t nat
$IPTABLES -P INPUT ACCEPT
$IPTABLES -P OUTPUT ACCEPT
$IPTABLES -P FORWARD ACCEPT
echo "...done"
;;
status)
echo $"Table: filter"
iptables --list
echo $"Table: nat"
iptables -t nat --list
echo $"Table: mangle"
iptables -t mangle --list
;;
restart|reload)
$0 stop
$0 start
;;
start)
echo "Starting Firewall..."
echo ""
##--------------------------Begin Firewall---------------------------------##
#----Default-Interfaces-----#
EXTIF="eth0"
INTIF="eth1"
#DMZ_IFACE="eth2"
INTLAN="192.168.3.0/27"
#DMZ_LAN="192.168.2.0/27"
#VONAGE="192.168.2.10"
#DMZ_VOIP_SERVER="192.168.2.2"
VPNIF="tun0"
VPNNET="192.168.4.0/27"
#VPNIP="192.168.4.1"
SQUID_BOX="127.0.0.1"
DG_PORT="8080"
#----Special Variables-----#
# IP Mask for all IP addresses
UNIVERSE="0.0.0.0/0"
# Specification of the high unprivileged IP ports.
UNPRIVPORTS="1024:65535"
# Specification of X Window System (TCP) ports.
#XWINPORTS="6000:6063"
# Ports for IRC-Connection-Tracking
#IRCPORTS="6665,6666,6667,6668,6669,7000"
# DMZ UDP ports
#DMZUDP="1024:1030,5060:5065,10000:20000"
####PS2 PORTS####
#----Flood Variables-----#
# Overall Limit for TCP-SYN-Flood detection
TCPSYNLIMIT="5/s"
# Burst Limit for TCP-SYN-Flood detection
TCPSYNLIMITBURST="10"
# Overall Limit for Loggging in Logging-Chains
LOGLIMIT="2/s"
# Burst Limit for Logging in Logging-Chains
LOGLIMITBURST="10"
# Overall Limit for Ping-Flood-Detection
PINGLIMIT="5/s"
# Burst Limit for Ping-Flood-Detection
PINGLIMITBURST="10"
echo "Loading IPTABLES modules"
dmesg -n 1 #Kill copyright display on module load
/sbin/modprobe ip_tables
/sbin/modprobe iptable_filter
#/sbin/modprobe ip_conntrack_sip
#/sbin/modprobe ip_nat_sip
/sbin/modprobe ip_conntrack
/sbin/modprobe ip_conntrack_ftp
/sbin/modprobe ip_nat_ftp
#/sbin/modprobe ip_conntrack_irc ports=$IRCPORTS
#/sbin/modprobe ip_nat_irc ports=$IRCPORTS
dmesg -n 6
echo " --- "
#----Clear/Reset all chains-----#
#Clear all IPTABLES-chains
#Flush everything, start from scratch
$IPTABLES -F
$IPTABLES -F -t mangle
$IPTABLES -F -t nat
$IPTABLES -X
$IPTABLES -X -t mangle
$IPTABLES -X -t nat
#Set default policies to DROP
$IPTABLES -P INPUT DROP
$IPTABLES -P OUTPUT DROP
$IPTABLES -P FORWARD DROP
#----Set network sysctl options-----#
echo "Setting sysctl options"
#Enable forwarding in kernel
echo 1 > /proc/sys/net/ipv4/ip_forward
#Disabling IP Spoofing attacks.
echo 2 > /proc/sys/net/ipv4/conf/all/rp_filter
#Don't respond to broadcast pings (Smurf-Amplifier-Protection)
echo "1" > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
#Block source routing
echo 0 > /proc/sys/net/ipv4/conf/all/accept_source_route
#Kill timestamps
echo 0 > /proc/sys/net/ipv4/tcp_timestamps
#Enable SYN Cookies
echo 1 > /proc/sys/net/ipv4/tcp_syncookies
#Kill redirects
echo 0 > /proc/sys/net/ipv4/conf/all/accept_redirects
#Enable bad error message protection
echo 1 > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses
#Log martians (packets with impossible addresses)
echo 1 > /proc/sys/net/ipv4/conf/all/log_martians
#Set out local port range
echo "32768 61000" > /proc/sys/net/ipv4/ip_local_port_range
#Reduce DoS'ing ability by reducing timeouts
echo 30 > /proc/sys/net/ipv4/tcp_fin_timeout
echo 2400 > /proc/sys/net/ipv4/tcp_keepalive_time
echo 0 > /proc/sys/net/ipv4/tcp_window_scaling
echo 0 > /proc/sys/net/ipv4/tcp_sack
echo " --- "
echo "Creating user-chains"
#----Create logging chains-----#
#Invalid packets (not ESTABLISHED,RELATED or NEW)
$IPTABLES -N LINVALID
$IPTABLES -A LINVALID -m limit --limit $LOGLIMIT --limit-burst $LOGLIMITBURST -j LOG --log-prefix "fp=INVALID:1 a=DROP " --log-level 4
$IPTABLES -A LINVALID -j DROP
#TCP-Packets with one ore more bad flags
$IPTABLES -N LBADFLAG
$IPTABLES -A LBADFLAG -m limit --limit $LOGLIMIT --limit-burst $LOGLIMITBURST -j LOG --log-prefix "fp=BADFLAG:1 a=DROP " --log-level 4
$IPTABLES -A LBADFLAG -j DROP
#Logging of connection attempts on special ports (Trojan portscans, special services, etc.)
$IPTABLES -N LSPECIALPORT
$IPTABLES -A LSPECIALPORT -m limit --limit $LOGLIMIT --limit-burst $LOGLIMITBURST -j LOG --log-prefix "fp=SPECIALPORT:1 a=DROP " --log-level 4
$IPTABLES -A LSPECIALPORT -j DROP
#Logging of possible TCP-SYN-Floods
$IPTABLES -N LSYNFLOOD
$IPTABLES -A LSYNFLOOD -m limit --limit $LOGLIMIT --limit-burst $LOGLIMITBURST -j LOG --log-prefix "fp=SYNFLOOD:1 a=DROP " --log-level 4
$IPTABLES -A LSYNFLOOD -j DROP
#Logging of possible Ping-Floods
$IPTABLES -N LPINGFLOOD
$IPTABLES -A LPINGFLOOD -m limit --limit $LOGLIMIT --limit-burst $LOGLIMITBURST -j LOG --log-prefix "fp=PINGFLOOD:1 a=DROP " --log-level 4
$IPTABLES -A LPINGFLOOD -j DROP
#All other dropped packets
$IPTABLES -N LDROP
$IPTABLES -A LDROP -p tcp -m limit --limit $LOGLIMIT --limit-burst $LOGLIMITBURST -j LOG --log-prefix "fp=TCP:1 a=DROP " --log-level 4
$IPTABLES -A LDROP -p udp -m limit --limit $LOGLIMIT --limit-burst $LOGLIMITBURST -j LOG --log-prefix "fp=UDP:2 a=DROP " --log-level 4
$IPTABLES -A LDROP -p icmp -m limit --limit $LOGLIMIT --limit-burst $LOGLIMITBURST -j LOG --log-prefix "fp=ICMP:3 a=DROP " --log-level 4
$IPTABLES -A LDROP -f -m limit --limit $LOGLIMIT --limit-burst $LOGLIMITBURST -j LOG --log-prefix "fp=FRAGMENT:4 a=DROP " --log-level 4
$IPTABLES -A LDROP -j DROP
#All other rejected packets
$IPTABLES -N LREJECT
$IPTABLES -A LREJECT -p tcp -m limit --limit $LOGLIMIT --limit-burst $LOGLIMITBURST -j LOG --log-prefix "fp=TCP:1 a=REJECT " --log-level 4
$IPTABLES -A LREJECT -p udp -m limit --limit $LOGLIMIT --limit-burst $LOGLIMITBURST -j LOG --log-prefix "fp=UDP:2 a=REJECT " --log-level 4
$IPTABLES -A LREJECT -p icmp -m limit --limit $LOGLIMIT --limit-burst $LOGLIMITBURST -j LOG --log-prefix "fp=ICMP:3 a=REJECT " --log-level 4
$IPTABLES -A LREJECT -f -m limit --limit $LOGLIMIT --limit-burst $LOGLIMITBURST -j LOG --log-prefix "fp=FRAGMENT:4 a=REJECT " --log-level 4
$IPTABLES -A LREJECT -p tcp -j REJECT --reject-with tcp-reset
$IPTABLES -A LREJECT -p udp -j REJECT --reject-with icmp-port-unreachable
$IPTABLES -A LREJECT -j REJECT
#----Create Accept-Chains-----#
#TCPACCEPT - Check for SYN-Floods before letting TCP-Packets in
$IPTABLES -N TCPACCEPT
$IPTABLES -A TCPACCEPT -p tcp --syn -m limit --limit $TCPSYNLIMIT --limit-burst $TCPSYNLIMITBURST -j ACCEPT
$IPTABLES -A TCPACCEPT -p tcp --syn -j LSYNFLOOD
$IPTABLES -A TCPACCEPT -p tcp ! --syn -j ACCEPT
#----Create special User-Chains-----#
#CHECKBADFLAG - Kill any Inbound/Outbound TCP-Packets with impossible flag-combinations (Some port-scanners use these, eg. nmap Xmas,Null,etc.-scan)
$IPTABLES -N CHECKBADFLAG
$IPTABLES -A CHECKBADFLAG -p tcp --tcp-flags ALL FIN,URG,PSH -j LBADFLAG
$IPTABLES -A CHECKBADFLAG -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j LBADFLAG
$IPTABLES -A CHECKBADFLAG -p tcp --tcp-flags ALL ALL -j LBADFLAG
$IPTABLES -A CHECKBADFLAG -p tcp --tcp-flags ALL NONE -j LBADFLAG
$IPTABLES -A CHECKBADFLAG -p tcp --tcp-flags SYN,RST SYN,RST -j LBADFLAG
$IPTABLES -A CHECKBADFLAG -p tcp --tcp-flags SYN,FIN SYN,FIN -j LBADFLAG
#Inbound/Outbound SILENTDROPS/REJECTS (Things we don't want in our Logs)
#SMB-Traffic
$IPTABLES -N SMB
$IPTABLES -A SMB -p tcp --dport 137 -j DROP
$IPTABLES -A SMB -p tcp --dport 138 -j DROP
$IPTABLES -A SMB -p tcp --dport 139 -j DROP
$IPTABLES -A SMB -p tcp --dport 445 -j DROP
$IPTABLES -A SMB -p udp --dport 137 -j DROP
$IPTABLES -A SMB -p udp --dport 138 -j DROP
$IPTABLES -A SMB -p udp --dport 139 -j DROP
$IPTABLES -A SMB -p udp --dport 445 -j DROP
$IPTABLES -A SMB -p tcp --sport 137 -j DROP
$IPTABLES -A SMB -p tcp --sport 138 -j DROP
$IPTABLES -A SMB -p tcp --sport 139 -j DROP
$IPTABLES -A SMB -p tcp --sport 445 -j DROP
$IPTABLES -A SMB -p udp --sport 137 -j DROP
$IPTABLES -A SMB -p udp --sport 138 -j DROP
$IPTABLES -A SMB -p udp --sport 139 -j DROP
$IPTABLES -A SMB -p udp --sport 445 -j DROP
#Inbound Special Ports
$IPTABLES -N SPECIALPORTS
#Deepthroat Scan
$IPTABLES -A SPECIALPORTS -p tcp --dport 6670 -j LSPECIALPORT
#Subseven Scan
$IPTABLES -A SPECIALPORTS -p tcp --dport 1243 -j LSPECIALPORT
$IPTABLES -A SPECIALPORTS -p udp --dport 1243 -j LSPECIALPORT
$IPTABLES -A SPECIALPORTS -p tcp --dport 27374 -j LSPECIALPORT
$IPTABLES -A SPECIALPORTS -p udp --dport 27374 -j LSPECIALPORT
$IPTABLES -A SPECIALPORTS -p tcp --dport 6711:6713 -j LSPECIALPORT
#Netbus Scan
$IPTABLES -A SPECIALPORTS -p tcp --dport 12345:12346 -j LSPECIALPORT
$IPTABLES -A SPECIALPORTS -p tcp --dport 20034 -j LSPECIALPORT
#Back Orifice scan
$IPTABLES -A SPECIALPORTS -p udp --dport 31337:31338 -j LSPECIALPORT
#X-Win
#$IPTABLES -A SPECIALPORTS -p tcp --dport $XWINPORTS -j LSPECIALPORT
#Hack'a'Tack 2000
$IPTABLES -A SPECIALPORTS -p udp --dport 28431 -j LSPECIALPORT
#ICMP/TRACEROUTE FILTERING
#Inbound ICMP/Traceroute
$IPTABLES -N ICMPINBOUND
#Ping Flood protection. Accept $PINGLIMIT echo-requests/sec, rest will be logged/dropped
$IPTABLES -A ICMPINBOUND -p icmp --icmp-type echo-request -m limit --limit $PINGLIMIT --limit-burst $PINGLIMITBURST -j ACCEPT
$IPTABLES -A ICMPINBOUND -p icmp --icmp-type echo-request -j LPINGFLOOD
##Block ICMP-Redirects (Should already be catched by sysctl-options, if enabled)
$IPTABLES -A ICMPINBOUND -p icmp --icmp-type redirect -j LDROP
#Block ICMP-Timestamp (Should already be catched by sysctl-options, if enabled)
$IPTABLES -A ICMPINBOUND -p icmp --icmp-type timestamp-request -j LDROP
$IPTABLES -A ICMPINBOUND -p icmp --icmp-type timestamp-reply -j LDROP
#Block ICMP-address-mask (can help to prevent OS-fingerprinting)
$IPTABLES -A ICMPINBOUND -p icmp --icmp-type address-mask-request -j LDROP
$IPTABLES -A ICMPINBOUND -p icmp --icmp-type address-mask-reply -j LDROP
#Allow all other ICMP in
$IPTABLES -A ICMPINBOUND -p icmp -j ACCEPT
#Outbound ICMP/Traceroute
$IPTABLES -N ICMPOUTBOUND
#Block ICMP-Redirects (Should already be catched by sysctl-options, if enabled)
$IPTABLES -A ICMPOUTBOUND -p icmp --icmp-type redirect -j LDROP
#Block ICMP-TTL-Expired
#MS Traceroute (MS uses ICMP instead of UDp for tracert)
$IPTABLES -A ICMPOUTBOUND -p icmp --icmp-type ttl-zero-during-transit -j LDROP
$IPTABLES -A ICMPOUTBOUND -p icmp --icmp-type ttl-zero-during-reassembly -j LDROP
#Block ICMP-Parameter-Problem
$IPTABLES -A ICMPOUTBOUND -p icmp --icmp-type parameter-problem -j LDROP
#Block ICMP-Timestamp (Should already be catched by sysctl-options, if enabled)
$IPTABLES -A ICMPOUTBOUND -p icmp --icmp-type timestamp-request -j LDROP
$IPTABLES -A ICMPOUTBOUND -p icmp --icmp-type timestamp-reply -j LDROP
#Block ICMP-address-mask (can help to prevent OS-fingerprinting)
$IPTABLES -A ICMPOUTBOUND -p icmp --icmp-type address-mask-request -j LDROP
$IPTABLES -A ICMPOUTBOUND -p icmp --icmp-type address-mask-reply -j LDROP
##Accept all other ICMP going out
$IPTABLES -A ICMPOUTBOUND -p icmp -j ACCEPT
#----End User-Chains-----#
echo " --- "
#----Start Ruleset-----#
echo "Implementing firewall rules..."
#################
## INPUT-Chain ## (everything that is addressed to the firewall itself)
#################
##GENERAL Filtering
# Kill INVALID packets (not ESTABLISHED, RELATED or NEW)
$IPTABLES -A INPUT -m state --state INVALID -j LINVALID
# Check TCP-Packets for Bad Flags
$IPTABLES -A INPUT -p tcp -j CHECKBADFLAG
##Packets FROM FIREWALL-BOX ITSELF
#Local IF
$IPTABLES -A INPUT -i lo -j ACCEPT
#Kill connections to the local interface from the outside world (--> Should be already catched by kernel/rp_filter)
$IPTABLES -A INPUT -d 127.0.0.0 -j LREJECT
#Tranparent proxy settings
#$IPTABLES -A INPUT -m tcp -p tcp -s ! 127.0.0.1 --dport 3128 -j DROP
##Packets FROM INTERNAL NET
##Allow unlimited traffic from internal network using legit addresses to firewall-box
##If protection from the internal interface is needed, alter it
$IPTABLES -A INPUT -i $INTIF -s $INTLAN -j ACCEPT
$IPTABLES -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A INPUT -p tcp --dport 12022 -m state --state NEW -j ACCEPT
###################################VPN############################################################
$IPTABLES -A INPUT -i $EXTIF -p tcp -s $UNIVERSE --dport 1723 -j ACCEPT
# Allow TUN interface connections to OpenVPN server
$IPTABLES -A INPUT -i $VPNIF -j ACCEPT
$IPTABLES -A INPUT -i $VPNIF -j DROP
##ICMP & Traceroute filtering
#Block UDP-Traceroute
$IPTABLES -A INPUT -p udp --dport 33434:33523 -j LDROP
#Drop all SMB-Traffic
$IPTABLES -A INPUT -i $EXTIF -j SMB
#Silently reject Ident (Don't DROP ident, because of possible delays when establishing an outbound connection)
$IPTABLES -A INPUT -i $EXTIF -p tcp --dport 113 -j REJECT --reject-with tcp-reset
############Separate logging of special portscans/connection attempts #######################
$IPTABLES -A INPUT -i $EXTIF -j SPECIALPORTS
##Allow ESTABLISHED/RELATED connections in
$IPTABLES -A INPUT -i $EXTIF -m state --state ESTABLISHED -j ACCEPT
$IPTABLES -A INPUT -i $EXTIF -p tcp --dport $UNPRIVPORTS -m state --state RELATED,ESTABLISHED -j TCPACCEPT
#Transparent/Danguardian
#$IPTABLES -A INPUT -i $INTIF -p tcp -s $INTLAN --dport $DG_PORT -m state --state NEW -j ACCEPT
##Catch all rule
$IPTABLES -A INPUT -j LDROP
##################
## Output-Chain ## (everything that comes directly from the Firewall-Box)
##################
##Packets TO FIREWALL-BOX ITSELF
#Local IF
$IPTABLES -A OUTPUT -o lo -j ACCEPT
##Packets TO INTERNAL NET
#Allow unlimited traffic to internal network using legit addresses
$IPTABLES -A OUTPUT -o $INTIF -s $INTLAN -j ACCEPT
$IPTABLES -A OUTPUT -o $EXTIF -p ALL -j ACCEPT
$IPTABLES -A OUTPUT -o $INTIF -p ALL -j ACCEPT
$IPTABLES -A OUTPUT -o $EXTIF -s $INTLAN -j ACCEPT
######################################## VPN #####################################################
$IPTABLES -A OUTPUT -o $EXTIF -s $VPNNET -j ACCEPT
$IPTABLES -A OUTPUT -o $VPNIF -s $VPNNET -j ACCEPT
$IPTABLES -A OUTPUT -o $VPNIF -j ACCEPT
$IPTABLES -A OUTPUT -o $EXTIF -j ACCEPT
$IPTABLES -A OUTPUT -j LDROP
####################
## FORWARD-Chain ## (everything that passes the firewall, incoming)
####################
##GENERAL Filtering
#Kill invalid packets (not ESTABLISHED, RELATED or NEW)
$IPTABLES -A FORWARD -m state --state INVALID -j LINVALID
# Check TCP-Packets for Bad Flags
$IPTABLES -A FORWARD -p tcp -j CHECKBADFLAG
##Silent Drops/Rejects (Things we don't want in our logs)
#SMB
$IPTABLES -A FORWARD -o $EXTIF -j SMB
##Port-Forwarding from Ports < 1024 [outbound] (--> Also see chain PREROUTING)
#HTTP-Forwarding
##Allow all other forwarding (from Ports > 1024) from Internal Net to External Net
$IPTABLES -A FORWARD -i $INTIF -o $EXTIF -s $INTLAN -p tcp --sport $UNPRIVPORTS -j ACCEPT
$IPTABLES -A FORWARD -i $INTIF -o $EXTIF -s $INTLAN -p udp --sport $UNPRIVPORTS -j ACCEPT
$IPTABLES -A FORWARD -i $INTIF -o $EXTIF -s $INTLAN -p icmp -j ACCEPT
######################################## VPN ##################################################################
$IPTABLES -A FORWARD -i $VPNIF -m state --state NEW -j ACCEPT
$IPTABLES -A FORWARD -i $VPNIF -s $VPNNET -j ACCEPT
$IPTABLES -A FORWARD -o $VPNIF -s $INTLAN -j ACCEPT
$IPTABLES -A FORWARD -i $VPNIF -j ACCEPT
$IPTABLES -A FORWARD -o $VPNIF -j ACCEPT
$IPTABLES -A FORWARD -i $EXTIF -j SMB
##Allow replies coming in
$IPTABLES -A FORWARD -i $EXTIF -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A FORWARD -i $EXTIF -p tcp --dport $UNPRIVPORTS -m state --state RELATED -j TCPACCEPT
$IPTABLES -A FORWARD -i $EXTIF -p udp --dport $UNPRIVPORTS -m state --state RELATED -j ACCEPT
########################################## DMZ #########################################################################
#$IPTABLES -A FORWARD -i $DMZ_IFACE -o $EXTIF -j ACCEPT
#$IPTABLES -A FORWARD -i $EXTIF -o $DMZ_IFACE -m state --state NEW -j ACCEPT
#$IPTABLES -A FORWARD -i $INTIF -o $DMZ_IFACE -j ACCEPT
#$IPTABLES -A FORWARD -i $DMZ_IFACE -o $INTIF -m state --state ESTABLISHED,RELATED -j ACCEPT
#$IPTABLES -A FORWARD -p tcp -i $INTIF -o $DMZ_IFACE -d $DMZ_VOIP_SERVER --dport 12444 -m state --state NEW -j ACCEPT
#$IPTABLES -A FORWARD -p udp -i $EXTIF -o $DMZ_IFACE -d $DMZ_VOIP_SERVER --dport 5050:5065 -m state --state NEW -j ACCEPT
#$IPTABLES -A FORWARD -p udp -i $EXTIF -o $DMZ_IFACE -d $DMZ_VOIP_SERVER --dport 10000:20000 -m state --state NEW -j ACCEPT
#$IPTABLES -A FORWARD -p udp -i $EXTIF -o $DMZ_IFACE -d $VONAGE --dport 5050:5065 -m state --state NEW -j ACCEPT
#$IPTABLES -A FORWARD -p udp -i $EXTIF -o $DMZ_IFACE -d $VONAGE --dport 10000:20000 -m state --state NEW -j ACCEPT
################################################## Zoneminder WEB Interface ##############################################################################3
#$IPTABLES -A FORWARD -p tcp -i $EXTIF -o $INTIF -d 192.168.3.22 --dport 8080 -m state --state NEW -j ACCEPT
################################################## VOIP ASTERISK WEB Interface ##############################################################################3
#$IPTABLES -A FORWARD -p tcp -i $EXTIF -o $DMZ_IFACE -d $DMZ_VOIP_SERVER --dport 80 -m state --state NEW -j ACCEPT
##Catch all rule/Deny every other forwarding
$IPTABLES -A FORWARD -j LDROP
################
## PREROUTING ##
################
##Port-Forwarding (--> Also see chain FORWARD)
######################################################## SSH ################################################################
#$IPTABLES -t nat -A PREROUTING -p tcp -i $EXTIF --dport 5900 -j DNAT --to-destination 192.168.3.30
#$IPTABLES -t nat -A PREROUTING -p tcp -i $EXTIF --dport 12022 -j DNAT --to-destination $DMZ_SSH_SERVER
#$IPTABLES -t nat -A PREROUTING -p tcp -i $EXTIF --dport 8080 -j DNAT --to-destination 192.168.3.22
######################################################### HTTP ############################################################
#$IPTABLES -t nat -A PREROUTING -i $INTIF -p tcp --dport 3128 -j DNAT --to $WEB_FILTER:8080
#$IPTABLES -t nat -A PREROUTING -i $INTIF -p tcp --dport 3128 -j REDIRECT --to $WEB_FILTER:8080
#$IPTABLES -t nat -A PREROUTING -i $INTIF -p tcp --dport 3128 -j REDIRECT --to $DG_PORT
#Transparent Proxy crap
$IPTABLES -t nat -A PREROUTING -i $INTIF -p tcp -d ! $SQUID_BOX --dport 80 -j REDIRECT --to-ports $DG_PORT
######################################### ASTERISK VOIP SERVER####################################################################################################
#$IPTABLES -t nat -A PREROUTING -p tcp -i $EXTIF --dport 513 -j DNAT --to-destination $DMZ_VOIP_SERVER
#$IPTABLES -t nat -A PREROUTING -p tcp -i $EXTIF --dport 12444 -j DNAT --to-destination $DMZ_VOIP_SERVER
#$IPTABLES -t nat -A PREROUTING -p udp -i $EXTIF --dport 5050:5065 -j DNAT --to-destination $DMZ_VOIP_SERVER
#$IPTABLES -t nat -A PREROUTING -p udp -i $EXTIF -d $DMZ_HTTPIP --dport 53 -j DNAT --to-destination $DMZ_PC_IP
#$IPTABLES -t nat -A PREROUTING -p udp -i $EXTIF --dport 5050:5065 -j DNAT --to-destination $VONAGE
#$IPTABLES -t nat -A PREROUTING -p udp -i $EXTIF --dport 10000:20000 -j DNAT --to-destination $VONAGE
###################
## POSTROUTING ##
###################
#$IPTABLES -t nat -A POSTROUTING -o $EXTIF -s $INTLAN -d $SQUID_FILTER -j MASQUERADE
#$IPTABLES -t nat -A POSTROUTING -o $EXTIF -s $DMZ_LAN -d $DMZ_IP -j MASQUERADE
#Masquerade from Internal Net to External Net
$IPTABLES -A POSTROUTING -t nat -o $EXTIF -j MASQUERADE
#------End Ruleset------#
echo "...done"
echo ""
echo "--> IPTABLES firewall loaded/activated <--"
##--------------------------------End Firewall---------------------------------##
;;
*)
echo "Usage: firewall (start|stop|restart|status) EXTIF INTIF"
exit 1
esac
exit 0
I believe it would be an OUTPUT rule that is missing or wrong. ??
---------- Post updated at 04:25 PM ---------- Previous update was at 01:58 PM ----------
To paint a better picture, here is a nmap scan from my laptop looking for port 80 that is definately open that can be seen from the firewall itself
from the laptop sitting on the 192.168.3.0/27 subnet
Code :
Nmap scan report for 192.168.3.16
Host is up.
PORT STATE SERVICE
80/tcp filtered http
and respectively from the firewall
Code :
Nmap scan report for 192.168.3.16
Host is up (0.013s latency).
PORT STATE SERVICE
80/tcp open http
What is so weird is that there are some targets that I can see from both sides. I will have to run a sniffer and see what I can come up with.