
Tuesday, January 27, 2009

my debian does not read my own iptables script

My dear friends,

I am building a firewall with Debian Sarge on my internet gateway. But it looks like my debian does not read my iptables rules after I run my own iptables script.

This is the result of the firewall on my debian-box. '192.168.23.0' is the subnet of my internal LAN. eth2 faces my internal LAN and its IP is '192.168.23.2'; eth5 faces my ISP and its IP is '202.155.0.1':
==
nmap 192.168.23.2

Starting Nmap 4.20 ( http://insecure.org ) at 2009-01-28 15:12 WIT
Interesting ports on 192.168.23.2:
Not shown: 1692 closed ports
PORT STATE SERVICE
22/tcp open ssh
25/tcp open smtp
111/tcp open rpcbind
113/tcp open auth
515/tcp open printer

Nmap finished: 1 IP address (1 host up) scanned in 13.029 seconds
==
nmap 202.155.0.1

Starting Nmap 4.20 ( http://insecure.org ) at 2009-01-28 15:12 WIT
Interesting ports on 202.155.0.1:
Not shown: 1693 closed ports
PORT STATE SERVICE
22/tcp open ssh
111/tcp open rpcbind
113/tcp open auth
515/tcp open printer

Nmap finished: 1 IP address (1 host up) scanned in 14.010 seconds
==
I haven't opened rpcbind, auth or printer. And 21, 23 and 53 are not opened by my iptables. Where is the mistake? Please tell me. I am new to debian and iptables. Usually I use OpenSuSE and SuSEfirewall2, and I configure the firewall with YaST2 so easily. But now I want to get close to debian too. And I am stuck on this case.
==
here is my script
==
#!/bin/bash
#Zero...zero...from beginning
# -F flushes only the rules of the filter table; the nat table and the
# chain policies (ACCEPT unless changed with -P) are left as they are.
iptables -F

route add default gateway 202.155.0.1

#Log....them
# -I inserts at the top of the chain, so every later -I lands above these.
iptables -I INPUT -j LOG
iptables -I OUTPUT -j LOG
iptables -I FORWARD -j LOG

#Open needed ports
# ICMP echo requests in on both interfaces, echo replies out.
iptables -I INPUT -i eth2 -s 192.168.23.0/24 -p icmp --icmp-type echo-request -j ACCEPT
iptables -I INPUT -i eth5 -s 0/0 -p icmp --icmp-type echo-request -j ACCEPT
iptables -I OUTPUT -o eth2 -d 192.168.23.0/24 -p icmp --icmp-type echo-reply -j ACCEPT
iptables -I OUTPUT -o eth5 -d 0/0 -p icmp --icmp-type echo-reply -j ACCEPT

# Services on the gateway itself: 21/22/23 TCP and 53 UDP, from the LAN side
iptables -I INPUT -i eth2 -p tcp --dport 21 -j ACCEPT
iptables -I INPUT -i eth2 -p tcp --dport 22 -j ACCEPT
iptables -I INPUT -i eth2 -p tcp --dport 23 -j ACCEPT
iptables -I INPUT -i eth2 -p udp --dport 53 -j ACCEPT

# ...and the same from the ISP side
iptables -I INPUT -i eth5 -p tcp --dport 21 -j ACCEPT
iptables -I INPUT -i eth5 -p tcp --dport 22 -j ACCEPT
iptables -I INPUT -i eth5 -p tcp --dport 23 -j ACCEPT
iptables -I INPUT -i eth5 -p udp --dport 53 -j ACCEPT

# Outbound from the gateway to the same ports, LAN side
iptables -I OUTPUT -o eth2 -p tcp --dport 21 -j ACCEPT
iptables -I OUTPUT -o eth2 -p tcp --dport 22 -j ACCEPT
iptables -I OUTPUT -o eth2 -p tcp --dport 23 -j ACCEPT
iptables -I OUTPUT -o eth2 -p udp --dport 53 -j ACCEPT

# ...and ISP side
iptables -I OUTPUT -o eth5 -p tcp --dport 21 -j ACCEPT
iptables -I OUTPUT -o eth5 -p tcp --dport 22 -j ACCEPT
iptables -I OUTPUT -o eth5 -p tcp --dport 23 -j ACCEPT
iptables -I OUTPUT -o eth5 -p udp --dport 53 -j ACCEPT

# Forwarding LAN -> ISP (port 53 is matched as tcp here, unlike INPUT/OUTPUT)
iptables -I FORWARD -p tcp -i eth2 -s 192.168.23.0/24 -o eth5 -d 0/0 --dport 21 -j ACCEPT
iptables -I FORWARD -p tcp -i eth2 -s 192.168.23.0/24 -o eth5 -d 0/0 --dport 22 -j ACCEPT
iptables -I FORWARD -p tcp -i eth2 -s 192.168.23.0/24 -o eth5 -d 0/0 --dport 23 -j ACCEPT
iptables -I FORWARD -p tcp -i eth2 -s 192.168.23.0/24 -o eth5 -d 0/0 --dport 53 -j ACCEPT

# Forwarding ISP -> LAN
iptables -I FORWARD -p tcp -i eth5 -s 0/0 -o eth2 -d 192.168.23.0/24 --dport 21 -j ACCEPT
iptables -I FORWARD -p tcp -i eth5 -s 0/0 -o eth2 -d 192.168.23.0/24 --dport 22 -j ACCEPT
iptables -I FORWARD -p tcp -i eth5 -s 0/0 -o eth2 -d 192.168.23.0/24 --dport 23 -j ACCEPT
iptables -I FORWARD -p tcp -i eth5 -s 0/0 -o eth2 -d 192.168.23.0/24 --dport 53 -j ACCEPT

# Source NAT: packets leaving eth5 get 202.155.0.1, packets leaving eth2 get 192.168.23.2
iptables -t nat -I POSTROUTING -p icmp -o eth5 -d 0/0 -j SNAT --to-source 202.155.0.1
iptables -t nat -I POSTROUTING -p icmp -o eth2 -d 192.168.23.0/24 -j SNAT --to-source 192.168.23.2

iptables -t nat -I POSTROUTING -p tcp -o eth5 -d 0/0 -j SNAT --to-source 202.155.0.1
iptables -t nat -I POSTROUTING -p tcp -o eth2 -d 192.168.23.0/24 -j SNAT --to-source 192.168.23.2

# Destination NAT: telnet to the gateway from either side is redirected to 192.168.23.20
iptables -t nat -I PREROUTING -p tcp -i eth5 -s 0/0 -d 202.155.0.1 --dport 23 -j DNAT --to-destination 192.168.23.20:23
iptables -t nat -I PREROUTING -p tcp -i eth2 -s 192.168.23.0/24 -d 192.168.23.2 --dport 23 -j DNAT --to-destination 192.168.23.20:23



--
To UNSUBSCRIBE, email to debian-firewall-REQUEST@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org
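As an added example, not the poster's script nor anything from the debian-firewall list: the skeleton the script above lacks. A flushed chain falls back to its built-in ACCEPT policy, and inserting ACCEPT rules never restricts anything, so the nmap results are what an unfiltered host shows. The interface names and addresses are the post's own; the ESTABLISHED,RELATED handling, the blanket outbound rule, the LOG prefixes and the IPT hook (so the rule set can be rendered with IPT=echo and inspected before it is loaded as root) are my assumptions.

```shell
#!/bin/bash
# Added example, not the poster's script. IPT is a hook: with IPT=echo the
# rule set is rendered to stdout instead of being loaded (loading needs root).
IPT=${IPT:-iptables}
LAN_IF=eth2; LAN_NET=192.168.23.0/24          # values from the post
WAN_IF=eth5; WAN_IP=202.155.0.1

firewall_rules() {
    # Flush both tables: a bare "iptables -F" leaves the nat table untouched.
    $IPT -F
    $IPT -t nat -F

    # Default policies. A flushed chain falls back to its built-in ACCEPT
    # policy, so without these lines every listening port stays reachable.
    $IPT -P INPUT DROP
    $IPT -P FORWARD DROP
    $IPT -P OUTPUT DROP

    # Loopback, plus replies to connections that were already allowed.
    $IPT -A INPUT -i lo -j ACCEPT
    $IPT -A OUTPUT -o lo -j ACCEPT
    $IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

    # Services the gateway itself offers: the post's 21/22/23 TCP, 53 UDP.
    for p in 21 22 23; do
        $IPT -A INPUT -i $LAN_IF -s $LAN_NET -p tcp --dport $p -m state --state NEW -j ACCEPT
        $IPT -A INPUT -i $WAN_IF -p tcp --dport $p -m state --state NEW -j ACCEPT
    done
    $IPT -A INPUT -p udp --dport 53 -j ACCEPT
    $IPT -A INPUT -p icmp --icmp-type echo-request -j ACCEPT
    # Assumption: the gateway may open outbound connections itself.
    $IPT -A OUTPUT -m state --state NEW -j ACCEPT

    # LAN -> Internet, source-NATed to the WAN address; nothing is forwarded
    # from the WAN side unless it belongs to an established flow.
    $IPT -A FORWARD -i $LAN_IF -s $LAN_NET -o $WAN_IF -m state --state NEW -j ACCEPT
    $IPT -t nat -A POSTROUTING -s $LAN_NET -o $WAN_IF -j SNAT --to-source $WAN_IP
    # A gateway also needs routing switched on; only done when really loading.
    [ "$IPT" = iptables ] && echo 1 > /proc/sys/net/ipv4/ip_forward

    # Log whatever reaches the end of a chain; the DROP policy then applies.
    $IPT -A INPUT -j LOG --log-prefix "FW-INPUT-DROP: "
    $IPT -A FORWARD -j LOG --log-prefix "FW-FORWARD-DROP: "
}

# Render the rule set without loading it and count lines matching a pattern,
# e.g. count_rules '-P INPUT DROP' must be 1 before the script goes live.
count_rules() { (IPT=echo; firewall_rules) | grep -c -- "$1"; }
```

Run `firewall_rules` as root to load the rules, or `(IPT=echo; firewall_rules)` to review them first; after loading, rerun the nmap scans above and only 21, 22 and 23 should remain open.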
