still can't do stuff

gabberatski gabberatski@freegates.be
Thu, 5 Jul 2001 21:53:19 +0200 

This is a multi-part message in MIME format.

------=_NextPart_000_0007_01C1059C.E72715E0
Content-Type: text/plain;
	charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable

I can ping my intern network (192.168.x), but I can't ping for example =
my DNS servers (from my ISP)
What is wrong?

#!/bin/sh      LAN_IP_RANGE=3D"192.168.0.0/24"
LAN_IP=3D"192.168.0.1/32"
LAN_BCAST_ADRESS=3D"192.168.0.255/32"
LOCALHOST_IP=3D"127.0.0.1/32"
INET_IFACE=3D"ppp0"
LAN_IFACE=3D"eth0"
IPTABLES=3D"/usr/local/sbin/iptables" echo "Initiliazing the =
firewall..."
#Clear existing rules and chains
$IPTABLES -F
$IPTABLES -t nat -F
$IPTABLES -X
$IPTABLES -t nat -X #Default DROP policy

iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP #Masqerading


$IPTABLES -t nat -A POSTROUTING -o $INET_IFACE -j MASQUERADE #ICQ =
forwarding for file transfers
$IPTABLES -A FORWARD -i $INET_IFACE -o $LAN_IFACE -p tcp --dport =
20000:20030 -j ACCEPT=20
$IPTABLES -t nat -A PREROUTING -i $INET_IFACE -p tcp --dport 20000:20030 =
-j DNAT --to 192.168.0.4:20000-20030
$IPTABLES -A FORWARD -m limit --limit 3/minute --limit-burst 3 -j LOG =
--log-level DEBUG --log-prefix "IPT FORWARD packet died: " $IPTABLES -N =
icmp_packets
$IPTABLES -N tcp_packets
$IPTABLES -N udpincoming_packets=20

#TCP connection

$IPTABLES -N allowed
$IPTABLES -A allowed -p TCP --syn -j ACCEPT
$IPTABLES -A allowed -p TCP -m state --state ESTABLISHED,RELATED -j =
ACCEPT
$IPTABLES -A allowed -p TCP -j DROP=20

#ICMP rules

$IPTABLES -A icmp_packets -p ICMP -s 0/0 --icmp-type 0 -j ACCEPT
$IPTABLES -A icmp_packets -p ICMP -s 0/0 --icmp-type 3 -j ACCEPT
$IPTABLES -A icmp_packets -p ICMP -s 0/0 --icmp-type 5 -j ACCEPT
$IPTABLES -A icmp_packets -p ICMP -s 0/0 --icmp-type 11 -j ACCEPT=20

#TCP rules $IPTABLES -A tcp_packets -p TCP -s 0/0 --dport 21 -j allowed

$IPTABLES -A tcp_packets -p TCP -s 0/0 --dport 22 -j allowed
$IPTABLES -A tcp_packets -p TCP -s 0/0 --dport 23 -j allowed #ssh
$IPTABLES -A tcp_packets -p TCP -s 0/0 --dport 25 -j allowed #smtp
$IPTABLES -A tcp_packets -p TCP -s 0/0 --dport 80 -j allowed #http
$IPTABLES -A tcp_packets -p TCP -s 0/0 --dport 113 -j allowed
$IPTABLES -A tcp_packets -p TCP -s 0/0 --dport 465 -j allowed #smtp over =
ssh
$IPTABLES -A tcp_packets -p TCP -s 0/0 --dport 4444 -j allowed #proFTPd
$IPTABLES -A tcp_packets -p TCP -s 0/0 --dport 5190 -j allowed #ICQ
$IPTABLES -A tcp_packets -p TCP -s 0/0 --dport 6667 -j allowed #irc
$IPTABLES -A tcp_packets -p TCP -s 0/0 --dport 8245 -j allowed #ipcheck


#UDP rules=20

$IPTABLES -A udpincoming_packets -p UDP -s 0/0 --source-port 53 -j =
ACCEPT
$IPTABLES -A udpincoming_packets -p UDP -s 0/0 --source-port 123 -j =
ACCEPT
$IPTABLES -A udpincoming_packets -p UDP -s 0/0 --source-port 2074 -j =
ACCEPT
$IPTABLES -A udpincoming_packets -p UDP -s 0/0 --source-port 4000 -j =
ACCEPT=20

#INPUT CHAIN=20

$IPTABLES -A INPUT -p ICMP -i $INET_IFACE -j icmp_packets
$IPTABLES -A INPUT -p TCP -i $INET_IFACE -j tcp_packets
$IPTABLES -A INPUT -p UDP -i $INET_IFACE -j udpincoming_packets =
$IPTABLES -A INPUT -p ALL -i $LAN_IFACE -d $LAN_BCAST_ADRESS -j ACCEPT
$IPTABLES -A INPUT -p ALL -d $LOCALHOST_IP -j ACCEPT
$IPTABLES -A INPUT -p ALL -d $LAN_IP -j ACCEPT
$IPTABLES -A INPUT -m limit --limit 3/minute --limit-burst 3 -j LOG =
--log-level DEBUG --log-prefix "IPT INPUT packet died: "=20

#OUTPUT CHAIN

$IPTABLES -A OUTPUT -p ALL -s $LOCALHOST_IP -j ACCEPT
$IPTABLES -A OUTPUT -p ALL -s $LAN_IP -j ACCEPT
$IPTABLES -A OUTPUT -m limit --limit 3/minute --limit-burst 3 -j LOG =
--log-level DEBUG --log-prefix "IPT OUTPUT packet died: "

------=_NextPart_000_0007_01C1059C.E72715E0
Content-Type: text/html;
	charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<HTML><HEAD>
<META http-equiv=3DContent-Type content=3D"text/html; =
charset=3Diso-8859-1">
<META content=3D"MSHTML 5.50.4522.1800" name=3DGENERATOR>
<STYLE></STYLE>
</HEAD>
<BODY bgColor=3D#ffffff>
<DIV><FONT face=3DArial size=3D2>I can ping my intern network =
(192.168.x), but I=20
can't ping for example my DNS servers (from my ISP)</FONT></DIV>
<DIV><FONT face=3DArial size=3D2>What is wrong?</FONT></DIV>
<DIV><FONT face=3DArial size=3D2></FONT>&nbsp;</DIV>
<DIV><FONT face=3DArial size=3D2>#!/bin/sh&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; =

LAN_IP_RANGE=3D"192.168.0.0/24"<BR>LAN_IP=3D"192.168.0.1/32"<BR>LAN_BCAST=
_ADRESS=3D"192.168.0.255/32"<BR>LOCALHOST_IP=3D"127.0.0.1/32"<BR>INET_IFA=
CE=3D"ppp0"<BR>LAN_IFACE=3D"eth0"<BR>IPTABLES=3D"/usr/local/sbin/iptables=
"=20
echo "Initiliazing the firewall..."<BR>#Clear existing rules and=20
chains<BR>$IPTABLES -F<BR>$IPTABLES -t nat -F<BR>$IPTABLES =
-X<BR>$IPTABLES -t=20
nat -X #Default DROP policy</FONT></DIV><FONT face=3DArial size=3D2>
<DIV><BR>iptables -P INPUT DROP<BR>iptables -P OUTPUT DROP<BR>iptables =
-P=20
FORWARD DROP #Masqerading</DIV>
<DIV>&nbsp;</DIV>
<DIV><BR>$IPTABLES -t nat -A POSTROUTING -o $INET_IFACE -j MASQUERADE =
#ICQ=20
forwarding for file transfers<BR>$IPTABLES -A FORWARD -i $INET_IFACE -o=20
$LAN_IFACE -p tcp --dport 20000:20030 -j ACCEPT <BR>$IPTABLES -t nat -A=20
PREROUTING -i $INET_IFACE -p tcp --dport 20000:20030 -j DNAT --to=20
192.168.0.4:20000-20030<BR>$IPTABLES -A FORWARD -m limit --limit =
3/minute=20
--limit-burst 3 -j LOG --log-level DEBUG --log-prefix "IPT FORWARD =
packet died:=20
" $IPTABLES -N icmp_packets<BR>$IPTABLES -N tcp_packets<BR>$IPTABLES -N=20
udpincoming_packets </DIV>
<DIV>&nbsp;</DIV>
<DIV>#TCP connection<BR></DIV>
<DIV>$IPTABLES -N allowed<BR>$IPTABLES -A allowed -p TCP --syn -j=20
ACCEPT<BR>$IPTABLES -A allowed -p TCP -m state --state =
ESTABLISHED,RELATED -j=20
ACCEPT<BR>$IPTABLES -A allowed -p TCP -j DROP </DIV>
<DIV>&nbsp;</DIV>
<DIV>#ICMP rules</DIV>
<DIV>&nbsp;</DIV>
<DIV>$IPTABLES -A icmp_packets -p ICMP -s 0/0 --icmp-type 0 -j=20
ACCEPT<BR>$IPTABLES -A icmp_packets -p ICMP -s 0/0 --icmp-type 3 -j=20
ACCEPT<BR>$IPTABLES -A icmp_packets -p ICMP -s 0/0 --icmp-type 5 -j=20
ACCEPT<BR>$IPTABLES -A icmp_packets -p ICMP -s 0/0 --icmp-type 11 -j =
ACCEPT=20
</DIV>
<DIV>&nbsp;</DIV>
<DIV>#TCP rules $IPTABLES -A tcp_packets -p TCP -s 0/0 --dport 21 -j=20
allowed<BR></DIV>
<DIV>$IPTABLES -A tcp_packets -p TCP -s 0/0 --dport 22 -j =
allowed<BR>$IPTABLES=20
-A tcp_packets -p TCP -s 0/0 --dport 23 -j allowed #ssh<BR>$IPTABLES -A=20
tcp_packets -p TCP -s 0/0 --dport 25 -j allowed #smtp<BR>$IPTABLES -A=20
tcp_packets -p TCP -s 0/0 --dport 80 -j allowed #http<BR>$IPTABLES -A=20
tcp_packets -p TCP -s 0/0 --dport 113 -j allowed<BR>$IPTABLES -A =
tcp_packets -p=20
TCP -s 0/0 --dport 465 -j allowed #smtp over ssh<BR>$IPTABLES -A =
tcp_packets -p=20
TCP -s 0/0 --dport 4444 -j allowed #proFTPd<BR>$IPTABLES -A tcp_packets =
-p TCP=20
-s 0/0 --dport 5190 -j allowed #ICQ<BR>$IPTABLES -A tcp_packets -p TCP =
-s 0/0=20
--dport 6667 -j allowed #irc<BR>$IPTABLES -A tcp_packets -p TCP -s 0/0 =
--dport=20
8245 -j allowed #ipcheck<BR></DIV>
<DIV>&nbsp;</DIV>
<DIV>#UDP rules </DIV>
<DIV>&nbsp;</DIV>
<DIV>$IPTABLES -A udpincoming_packets -p UDP -s 0/0 --source-port 53 -j=20
ACCEPT<BR>$IPTABLES -A udpincoming_packets -p UDP -s 0/0 --source-port =
123 -j=20
ACCEPT<BR>$IPTABLES -A udpincoming_packets -p UDP -s 0/0 --source-port =
2074 -j=20
ACCEPT<BR>$IPTABLES -A udpincoming_packets -p UDP -s 0/0 --source-port =
4000 -j=20
ACCEPT </DIV>
<DIV>&nbsp;</DIV>
<DIV>#INPUT CHAIN </DIV>
<DIV>&nbsp;</DIV>
<DIV>$IPTABLES -A INPUT -p ICMP -i $INET_IFACE -j =
icmp_packets<BR>$IPTABLES -A=20
INPUT -p TCP -i $INET_IFACE -j tcp_packets<BR>$IPTABLES -A INPUT -p UDP =
-i=20
$INET_IFACE -j udpincoming_packets $IPTABLES -A INPUT -p ALL -i =
$LAN_IFACE -d=20
$LAN_BCAST_ADRESS -j ACCEPT<BR>$IPTABLES -A INPUT -p ALL -d =
$LOCALHOST_IP -j=20
ACCEPT<BR>$IPTABLES -A INPUT -p ALL -d $LAN_IP -j ACCEPT<BR>$IPTABLES -A =
INPUT=20
-m limit --limit 3/minute --limit-burst 3 -j LOG --log-level DEBUG =
--log-prefix=20
"IPT INPUT packet died: " </DIV>
<DIV>&nbsp;</DIV>
<DIV>#OUTPUT CHAIN</DIV>
<DIV><BR>$IPTABLES -A OUTPUT -p ALL -s $LOCALHOST_IP -j =
ACCEPT<BR>$IPTABLES -A=20
OUTPUT -p ALL -s $LAN_IP -j ACCEPT<BR>$IPTABLES -A OUTPUT -m limit =
--limit=20
3/minute --limit-burst 3 -j LOG --log-level DEBUG --log-prefix "IPT =
OUTPUT=20
packet died: "</FONT></DIV></BODY></HTML>

------=_NextPart_000_0007_01C1059C.E72715E0--