I'm struggling with my firewall, which is my own script. I originally wrote it for DHCP on a PPP interface and static addresses on an internal wireless LAN. Later we moved to a static address from the ISP on an ethernet connection, and it was fine. But then I upgraded to Dapper and everything went Windowsy.
Dapper is known for not handling static IP for wireless routers, so now I have to use DHCP on the LAN, but then my firewall doesn't pass the traffic through. So I have to switch back to static after making the wireless connection and run my firewall manually. Then it all works, but next time I boot up, I'm in static, so I have to go through the whole process again.
How can I get it to pass traffic from DHCP addresses on the LAN side to a static address on the ISP side? And why does it matter that it's DHCP on the LAN side?
Code:
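#!/bin/sh
# Firewall for a home network: this box has a static ISP address on $INET_IF
# and masquerades for the hosts on $LAN_IF.
#
# Must run as root (iptables, modprobe and the /proc/sys writes all need it).
# Policy: INPUT and FORWARD drop by default and log what they drop; OUTPUT is
# left open (see the OUTPUT section for why).

# --- configuration -----------------------------------------------------------
INET_IP="202.89.26.82"
INET_IF="eth0"
INET_BCAST="202.89.26.255"
LAN_IP="192.168.0.29"
LAN_IF="eth1"
LAN_BCAST="192.168.0.255"
# The LAN as a *network* (note the prefix length) -- matches every LAN host,
# whatever address DHCP handed it.
LAN_NET="192.168.0.0/24"
SELF_IP="127.0.0.1"
SELF_IF="lo"
SELF_BCAST="127.0.0.255"
IPTABLES="/sbin/iptables"
MOD="/sbin/modprobe"

# --- flush -------------------------------------------------------------------
# Start from a clean slate so re-running the script does not stack rules.
"$IPTABLES" --flush
"$IPTABLES" -t nat --flush
"$IPTABLES" --delete-chain
"$IPTABLES" -t nat --delete-chain

# --- modules -----------------------------------------------------------------
# A module that fails to load (built into the kernel, or not shipped) is only
# reported, so one missing helper cannot abort the script halfway through.
for m in ipt_LOG ipt_REJECT ipt_MASQUERADE \
         ip_conntrack_amanda ip_conntrack_irc ip_conntrack_ftp ip_conntrack_tftp \
         ip_nat_amanda ip_nat_irc ip_nat_ftp ip_nat_tftp ip_nat_snmp_basic \
         iptable_nat; do
  "$MOD" "$m" || printf 'warning: could not load module %s\n' "$m" >&2
done

# --- default policies --------------------------------------------------------
# The original version set ACCEPT on every chain although the comment and the
# "packet died" log prefixes said "drop": the LOG rules at the end of INPUT and
# FORWARD only logged, and the packet was then accepted by the chain policy.
# INPUT and FORWARD now really drop whatever no rule accepts.  OUTPUT stays
# ACCEPT on purpose: its rules match on hard-coded source addresses, and with a
# DHCP-assigned LAN address a DROP policy would silently block this box's own
# LAN-side traffic.
"$IPTABLES" -t filter -P INPUT DROP
"$IPTABLES" -t filter -P OUTPUT ACCEPT
"$IPTABLES" -t filter -P FORWARD DROP
"$IPTABLES" -t nat -P PREROUTING ACCEPT
"$IPTABLES" -t nat -P OUTPUT ACCEPT
"$IPTABLES" -t nat -P POSTROUTING ACCEPT
"$IPTABLES" -t mangle -P PREROUTING ACCEPT
"$IPTABLES" -t mangle -P INPUT ACCEPT
"$IPTABLES" -t mangle -P FORWARD ACCEPT
"$IPTABLES" -t mangle -P OUTPUT ACCEPT
"$IPTABLES" -t mangle -P POSTROUTING ACCEPT

# --- INPUT: packets addressed to this box ------------------------------------
# Everything from loopback and from the LAN side is trusted.
"$IPTABLES" -t filter -A INPUT -i "$SELF_IF" -j ACCEPT
"$IPTABLES" -t filter -A INPUT -i "$LAN_IF" -j ACCEPT
# Replies to connections this box started.
"$IPTABLES" -t filter -A INPUT -i "$INET_IF" -m state --state ESTABLISHED,RELATED -j ACCEPT
# ICMP type 11 is "time exceeded" -- the replies traceroute relies on.
"$IPTABLES" -t filter -A INPUT -i "$INET_IF" -p ICMP --icmp-type 11 -j ACCEPT
# Anything else is logged (rate-limited so a scan cannot flood the log) and
# then dropped by the chain policy.
"$IPTABLES" -t filter -A INPUT -m limit --limit 3/minute --limit-burst 3 \
  -j LOG --log-level DEBUG --log-prefix "IPT INPUT packet died: "

# --- FORWARD: packets routed between LAN and Internet ------------------------
# Packets arriving on lo are addressed to this box, so this rule is not
# expected to match; it is harmless and kept from the original.
"$IPTABLES" -t filter -A FORWARD -i "$SELF_IF" -j ACCEPT
# Matching on the *interface* rather than on LAN_IP is what lets DHCP-assigned
# LAN hosts through: any source address is accepted as long as it arrived on
# $LAN_IF.
"$IPTABLES" -t filter -A FORWARD -i "$LAN_IF" -j ACCEPT
# Return traffic for connections the LAN started.
"$IPTABLES" -t filter -A FORWARD -i "$INET_IF" -m state --state ESTABLISHED,RELATED -j ACCEPT
"$IPTABLES" -t filter -A FORWARD -m limit --limit 3/minute --limit-burst 3 \
  -j LOG --log-level DEBUG --log-prefix "IPT FORWARD packet died:"

# --- OUTPUT: packets this box generates itself --------------------------------
# OUTPUT never sees forwarded packets or replies to inbound connections (those
# go through FORWARD and INPUT), so accepting by our own source address is not
# a hole.  With the policy at ACCEPT these rules are effectively documentation;
# note that LAN_IP is hard-coded and will not match a DHCP-assigned address.
"$IPTABLES" -t filter -A OUTPUT -s "$SELF_IP" -j ACCEPT
"$IPTABLES" -t filter -A OUTPUT -s "$LAN_IP" -j ACCEPT
"$IPTABLES" -t filter -A OUTPUT -s "$INET_IP" -j ACCEPT
"$IPTABLES" -t filter -A OUTPUT -m limit --limit 3/minute --limit-burst 3 \
  -j LOG --log-level DEBUG --log-prefix "IPT OUTPUT packet died:"

# --- NAT ---------------------------------------------------------------------
# MASQUERADE picks up the outgoing interface's current address for each
# connection, so it works for a dynamic *and* a static ISP address.
"$IPTABLES" -t nat -A POSTROUTING -o "$INET_IF" -j MASQUERADE
# With a static ISP address SNAT is the equivalent rule.  The earlier attempt
# used "-s 192.168.0.0" with no prefix length; iptables reads that as the single
# host 192.168.0.0, so it never matched any LAN host.  Use the /24 network, and
# enable only one of MASQUERADE / SNAT:
#"$IPTABLES" -t nat -A POSTROUTING -s "$LAN_NET" -o "$INET_IF" -j SNAT --to-source "$INET_IP"
#
# NOTE(review): if the LAN-side DHCP lease also installs a default route via
# $LAN_IF, forwarded traffic leaves through the LAN interface and never reaches
# the "-o $INET_IF" NAT rule -- check the routing table after the lease is
# taken and make sure the default route still points out $INET_IF.

# --- kernel forwarding -------------------------------------------------------
echo 1 > /proc/sys/net/ipv4/ip_forward
# ip_dynaddr only matters when the uplink address changes under an open
# connection (dial-up / DHCP uplink); harmless with a static ISP address.
echo 1 > /proc/sys/net/ipv4/ip_dynaddr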