# iptables gives everything internet access...but the router

## FcukThisGame

Here's my current iptables rules script:

```
iptables -F
iptables -X
iptables -t nat -F
iptables -t nat -X
iptables -P INPUT DROP
iptables -P OUTPUT ACCEPT
iptables -P FORWARD DROP

export LAN1=eth1
export LAN2=eth2
export WAN=eth3

iptables -I INPUT -i ${LAN1} -j ACCEPT
iptables -I INPUT -i ${LAN2} -j ACCEPT
iptables -I INPUT -i lo -j ACCEPT
iptables -I OUTPUT -o lo -j ACCEPT

iptables -A INPUT -p TCP --dport ssh -i ${WAN} -j ACCEPT
iptables -A INPUT -p TCP --dport ssh -i ${LAN1} -j ACCEPT
iptables -A INPUT -p TCP --dport ssh -i ${LAN2} -j ACCEPT

iptables -A FORWARD -i ${LAN1} -o ${WAN} -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A FORWARD -i ${LAN2} -o ${WAN} -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A FORWARD -i ${WAN} -d 192.168.0.0/255.255.0.0 -j ACCEPT

iptables -t nat -A POSTROUTING -o ${WAN} -j MASQUERADE
iptables -t nat -A OUTPUT -p TCP --sport 80 -j ACCEPT

iptables -A INPUT -p TCP --dport 6881:6889 -j ACCEPT
iptables -t nat -A PREROUTING -p TCP --dport 6881:6889 -i ${WAN} -j DNAT --to 192.168.1.15

iptables -A INPUT -p TCP --dport 21337 -j ACCEPT
iptables -t nat -A PREROUTING -p TCP --dport 21337 -i ${WAN} -j DNAT --to 192.168.1.15:21337

iptables -A INPUT -p TCP --dport 1337 -j ACCEPT
iptables -t nat -A PREROUTING -p TCP --dport 1337 -i ${WAN} -j DNAT --to 192.168.1.15:1337

iptables -A INPUT -p TCP --dport 3389 -j ACCEPT
iptables -t nat -A PREROUTING -p tcp -i ${WAN} --dport 3389 -j DNAT --to 192.168.1.15:3389

iptables -A INPUT -p UDP --sport 53 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -p UDP --dport 53 -j ACCEPT
iptables -A INPUT -p TCP --sport 53 -j ACCEPT
iptables -A INPUT -p TCP --dport 53 -j ACCEPT

/etc/init.d/iptables save
```

Everything is working great, except the machine itself has no internet access. Help!

----------

## truc

```
iptables -A INPUT -p UDP --sport 53 -m state --state ESTABLISHED,RELATED -j ACCEPT
```

I think you're missing the same rule but for tcp sport 80 (at the very least).

BTW, you should add a last rule which LOGs everything on every predefined chain on the filter table; this will make your debugging easier :)

----------

## chithanh

*Quote:*

> iptables -P INPUT DROP

You don't accept any packets which come as a response to the output.

----------

## d2_racing

Hi, I have used this script for at least a couple of months:

```
#!/bin/bash

# Constants
IPT="/sbin/iptables"
IPTS="/sbin/iptables-save"
IPTR="/sbin/iptables-restore"

# Interface facing the Internet (WAN)
WAN="eth0"

# Interface facing your local network (LAN)
LAN="eth1"

# Address of your gateway (firewall)
FIREWALL_IP="192.168.1.1"

# Loopback interface
LO="lo"
LO_IP="127.0.0.1"

$IPT -P INPUT ACCEPT
$IPT -P FORWARD ACCEPT
$IPT -P OUTPUT ACCEPT
$IPT -t nat -P PREROUTING ACCEPT
$IPT -t nat -P POSTROUTING ACCEPT
$IPT -t nat -P OUTPUT ACCEPT
$IPT -t mangle -P PREROUTING ACCEPT
$IPT -t mangle -P OUTPUT ACCEPT

# The tables are flushed.
$IPT -F
$IPT -t nat -F
$IPT -t mangle -F
$IPT -X
$IPT -t nat -X
$IPT -t mangle -X

# The default behaviour is to block traffic.
$IPT -P INPUT DROP
$IPT -P OUTPUT DROP
$IPT -P FORWARD DROP

# It's complicated enough as it is; we don't filter outgoing packets.
$IPT -P OUTPUT ACCEPT

# Let in every packet belonging to a connection that the firewall or the LAN initiated.
$IPT -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

# Let the loopback interface do its job on input.
$IPT -A INPUT -i $LO -j ACCEPT

# Let in traffic arriving on our LAN, i.e. the interface of our internal network.
$IPT -A INPUT -i $LAN -j ACCEPT

# Allows SSH access to the firewall from the WAN, i.e. from the office. We use port 5022,
# a non-standard port, and sshd must listen on that port for this to work.
$IPT -A INPUT -i $WAN -p tcp -m tcp --dport 5022 -j ACCEPT

# Allow ping from the WAN.
$IPT -A INPUT -i $WAN -p icmp -m icmp --icmp-type 8 -j ACCEPT

# Small improvement to speed up IRC connections (reject ident instead of dropping it).
$IPT -A INPUT -i $WAN -p tcp -m tcp --dport 113 -j REJECT --reject-with tcp-reset

#### THE FUN BEGINS ####

# Tell our firewall to route between the LAN and the WAN and vice versa, only for connections that are valid.
$IPT -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT

# Tell our firewall to route from the LAN to the WAN without asking questions.
$IPT -A FORWARD -i $LAN -j ACCEPT

# Tell our firewall that my computer on the LAN wants to receive the torrent packets.
$IPT -A FORWARD -d 192.168.1.200/32 -i $WAN -p tcp -m tcp --dport 6881:6999 -j ACCEPT
$IPT -A FORWARD -d 192.168.1.200/32 -i $WAN -p udp -m udp --dport 6881:6999 -j ACCEPT
$IPT -A FORWARD -d 192.168.1.200/32 -i $WAN -p udp -m udp --dport 49001 -j ACCEPT

# Provides another route, for my second SSH server, which is on my LAN.
# Basically, I use 2 SSH servers and each has its own port.
# These 2 lines are very special: I intercept port 4022 and route it to my computer on port 22.
# (Table names are lowercase: "-t nat", not "-t NAT".)
$IPT -t nat -A PREROUTING -i $WAN -p tcp -m tcp --dport 4022 -j DNAT --to-destination 192.168.1.200:22

# Tell the router it may route that packet to my computer.
$IPT -A FORWARD -d 192.168.1.200/32 -i $WAN -p tcp -m tcp --dport 22 -j ACCEPT

### The nat table, which lets me DNAT packets from the firewall to my computer.
$IPT -t nat -A PREROUTING -i $WAN -p tcp -m tcp --dport 6881:6999 -j DNAT --to-destination 192.168.1.200
$IPT -t nat -A PREROUTING -i $WAN -p udp -m udp --dport 6881:6999 -j DNAT --to-destination 192.168.1.200
$IPT -t nat -A PREROUTING -i $WAN -p udp -m udp --dport 49001 -j DNAT --to-destination 192.168.1.200

### The router's magic.
$IPT -t nat -A POSTROUTING -o $WAN -j MASQUERADE
```

----------

## Hu

*FcukThisGame wrote:*

> Here's my current iptables rules script

Please consider using the Gentoo initscript, which can atomically save and load the entire rules set. I see that your script concludes with asking it to save the rules. It would be better if you used only that functionality and allowed that to restore your rules at boot.

*FcukThisGame wrote:*

> ```
> export LAN1=eth1
> ```
> ...

You do not need to export these. By exporting them, you expose them to child processes. Simply setting them is sufficient for this script.

*FcukThisGame wrote:*

> ```
> iptables -I OUTPUT -o lo -j ACCEPT
> ```
> ...

This is redundant, since you do not drop any outbound traffic.

*FcukThisGame wrote:*

> ```
> iptables -A INPUT -p TCP --dport ssh -i ${LAN1} -j ACCEPT
> ```
> ...

This is redundant, since any inbound LAN traffic was already allowed by earlier rules.

*FcukThisGame wrote:*

> ```
> iptables -A FORWARD -i ${LAN1} -o ${WAN} -m state --state NEW,ESTABLISHED -j ACCEPT
> ```
> ...

Why do you disallow RELATED here?

*FcukThisGame wrote:*

> ```
> iptables -A FORWARD -i ${WAN} -d 192.168.0.0/255.255.0.0 -j ACCEPT
> ```
> ...

This is much broader than you probably want. I suggest dropping this rule entirely.

*FcukThisGame wrote:*

> ```
> iptables -t nat -A OUTPUT -p TCP --sport 80 -j ACCEPT
> ```
> ...

This is redundant.

*FcukThisGame wrote:*

> ```
> iptables -A INPUT -p TCP --dport 6881:6889 -j ACCEPT
> ```
> ...

This pair of rules does not make sense. You already allowed all LAN traffic above, so the INPUT rule here is clearly meant to serve the WAN. However, if you wanted to receive the WAN traffic on this machine, you would not redirect the traffic to an internal machine. The same problem applies to the next three pairs.

*FcukThisGame wrote:*

> ```
> iptables -A INPUT -p TCP --dport 3389 -j ACCEPT
> ```
> ...

Do you really want to expose a Windows RDP server to the Internet?

*FcukThisGame wrote:*

> ```
> iptables -A INPUT -p UDP --dport 53 -j ACCEPT
> ```
> ...

Are you running a DNS server on the gateway and providing its service to the Internet?

*FcukThisGame wrote:*

> ```
> iptables -A INPUT -p TCP --sport 53 -j ACCEPT
> ```
> ...

This is a handy way for anyone who wants in to connect to any port he wants. He can set his source port to 53 and you will grant him total access.
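To make chithanh's point (no ESTABLISHED,RELATED rule on a DROP policy) and Hu's last point (the `--sport 53` rule) concrete, here is an added example that is not from the thread: a small Python model of first-match evaluation on the INPUT chain, comparing a reduced form of the original WAN-facing rules with a stateful replacement. The packets, the rule subset and the interface name `eth3` are constructed for the demo; this is a simulation of the matching logic, not netfilter itself.

```python
from dataclasses import dataclass
from typing import FrozenSet, List, Optional

@dataclass
class Packet:
    iface: str
    proto: str
    sport: int
    dport: int
    state: str  # conntrack tag: "NEW", "ESTABLISHED" or "RELATED"

@dataclass
class Rule:
    target: str
    iface: Optional[str] = None
    proto: Optional[str] = None
    sport: Optional[int] = None
    dport: Optional[int] = None
    states: FrozenSet[str] = frozenset()  # empty = no "-m state" match

    def matches(self, p: Packet) -> bool:
        return ((self.iface is None or self.iface == p.iface)
                and (self.proto is None or self.proto == p.proto)
                and (self.sport is None or self.sport == p.sport)
                and (self.dport is None or self.dport == p.dport)
                and (not self.states or p.state in self.states))

def verdict(chain: List[Rule], policy: str, p: Packet) -> str:
    # First matching rule wins; the chain policy applies when none matches.
    for rule in chain:
        if rule.matches(p):
            return rule.target
    return policy

WAN = "eth3"  # constructed, mirrors the thread's WAN interface
# WAN-relevant subset of the original INPUT chain: no conntrack rule, plus "-p TCP --sport 53 -j ACCEPT".
ORIGINAL_INPUT = [
    Rule("ACCEPT", iface=WAN, proto="tcp", dport=22),
    Rule("ACCEPT", proto="tcp", sport=53),
]
# Hardened form: admit replies by conntrack state and drop the source-port rule.
FIXED_INPUT = [
    Rule("ACCEPT", states=frozenset({"ESTABLISHED", "RELATED"})),
    Rule("ACCEPT", iface=WAN, proto="tcp", dport=22),
]

# Constructed packets: the reply to a web fetch the gateway made itself, and an unsolicited packet
# that merely set its source port to 53 (any destination port would do).
HTTP_REPLY = Packet(WAN, "tcp", sport=80, dport=40000, state="ESTABLISHED")
SPORT53_PROBE = Packet(WAN, "tcp", sport=53, dport=8080, state="NEW")
```

With the original chain the gateway's own HTTP reply is dropped (the thread's "no internet access") while the source-port-53 packet is accepted; the stateful chain inverts both verdicts.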

----------

## hooliz

What about /etc/resolv.conf?

----------

