# [SOLVED] Iptables - not working as expected

## PietdeBoer

Hey guys,

I've created/copied an iptables script.. it does what I want it to do.. except that it does not block all incoming ports on the WAN interface except the ones I specifically allow

Any clues what goes wrong?

```
# First we flush our current rules
iptables -F
iptables -t nat -F

# Setup default policies to handle unmatched traffic
iptables -P INPUT ACCEPT
iptables -P OUTPUT ACCEPT
iptables -P FORWARD DROP

# Copy and paste these examples ...
export LAN=eth0
export WAN=eth1

# Then we lock our services so they only work from the LAN
iptables -I INPUT 1 -i ${LAN} -j ACCEPT
iptables -I INPUT 1 -i lo -j ACCEPT
iptables -A INPUT -p UDP --dport bootps ! -i ${LAN} -j REJECT
iptables -A INPUT -p UDP --dport domain ! -i ${LAN} -j REJECT

# (Optional) Allow access to our ssh server from the WAN
iptables -A INPUT -p TCP --dport 23081 -i ${WAN} -j ACCEPT
iptables -A INPUT -p TCP --dport 23084 -i ${WAN} -j ACCEPT
iptables -A INPUT -p TCP --dport 23085 -i ${WAN} -j ACCEPT
iptables -A INPUT -p TCP --dport 23085 -i ${WAN} -j ACCEPT
iptables -A INPUT -p TCP --dport 9101 -i ${WAN} -j ACCEPT
iptables -A INPUT -p TCP --dport 9102 -i ${WAN} -j ACCEPT
iptables -A INPUT -p TCP --dport 9203 -i ${WAN} -j ACCEPT

# Drop TCP / UDP packets to privileged ports
# iptables -A INPUT -p TCP ! -i ${LAN} -d 0/0 --dport 0:1023 -j DROP
# iptables -A INPUT -p UDP ! -i ${LAN} -d 0/0 --dport 0:1023 -j DROP

# Finally we add the rules for NAT
iptables -I FORWARD -i ${LAN} -d 192.168.0.0/255.255.255.0 -j DROP
iptables -A FORWARD -i ${LAN} -s 192.168.0.0/255.255.255.0 -j ACCEPT
iptables -A FORWARD -i ${WAN} -d 192.168.0.0/255.255.255.0 -j ACCEPT
iptables -t nat -A POSTROUTING -o ${WAN} -j MASQUERADE

# Tell the kernel that ip forwarding is OK
echo 1 > /proc/sys/net/ipv4/ip_forward
for f in /proc/sys/net/ipv4/conf/*/rp_filter ; do echo 1 > $f ; done

iptables -t nat -A PREROUTING -p tcp --dport 80 -i ${WAN} -j DNAT --to 192.168.0.201
iptables -t nat -A PREROUTING -p tcp --dport 3389 -i ${WAN} -j DNAT --to 192.168.0.202

# This is so when we boot we don't have to run the rules by hand
/sbin/iptables-save > /etc/iptables-save

# If you have a dynamic internet address you probably want to enable this:
# net.ipv4.ip_dynaddr = 1
```

----------

## py-ro

You never DROP those packets and your default is to allow.

Alter

```
iptables -P INPUT ACCEPT
```

to 

```
iptables -P INPUT DROP
```

Py

----------

## PietdeBoer

Will try when I'm at the site, thx!

----------

## PietdeBoer

I changed the line as suggested above; when I re-ran the script my external DNS stopped functioning.

Am I missing something?

----------

## bendeguz

*PietdeBoer wrote:*

> I changed the line as suggested above; when I re-ran the script my external DNS stopped functioning.
>
> Am I missing something?

I think it is because you don't allow the answer to come back from the dns server.

Add this line somewhere:

```
# Accept packets on the WAN side that belong to (or relate to) connections we opened
iptables -A INPUT -i ${WAN} -m state --state ESTABLISHED,RELATED -j ACCEPT
```

(Is this a home router? You should learn basic iptables to understand what is happening in your script.)
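A small first-match simulator of the INPUT chain, added here as an example (not code from the thread), that shows why each of the two changes above had the effect it did: with policy ACCEPT nothing unmatched is ever blocked, with policy DROP the answer to our own DNS query is lost, and the ESTABLISHED,RELATED rule lets that answer back in. Interface names follow the script; the sample packets are constructed.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass
class Packet:
    iface: str
    proto: str
    dport: int
    reply: bool = False  # True if conntrack would classify it ESTABLISHED/RELATED

@dataclass
class Rule:
    target: str                     # -j ACCEPT / DROP
    iface: Optional[str] = None     # -i
    proto: Optional[str] = None     # -p
    dport: Optional[int] = None     # --dport
    reply: Optional[bool] = None    # -m state --state ESTABLISHED,RELATED

    def matches(self, p: Packet) -> bool:
        # A rule matches when every criterion it specifies equals the packet's value
        checks = [(self.iface, p.iface), (self.proto, p.proto),
                  (self.dport, p.dport), (self.reply, p.reply)]
        return all(want is None or want == have for want, have in checks)

def verdict(chain: list, policy: str, p: Packet) -> str:
    # iptables semantics: the first matching terminating rule wins, else the chain policy
    for rule in chain:
        if rule.matches(p):
            return rule.target
    return policy

# The INPUT rules from the script, in the order they end up in the chain
# (-I puts a rule at the top, -A appends), trimmed to the ones that matter here.
ORIGINAL_INPUT = [
    Rule("ACCEPT", iface="lo"),
    Rule("ACCEPT", iface="eth0"),                             # LAN
    Rule("ACCEPT", iface="eth1", proto="tcp", dport=23081),   # allowed WAN port
]
# bendeguz's fix: accept WAN packets belonging to connections we initiated
WAN_REPLIES = Rule("ACCEPT", iface="eth1", reply=True)

# Constructed sample packets arriving on the WAN interface
SAMPLES = {
    "unsolicited_smtp": Packet("eth1", "tcp", 25),
    "allowed_ssh": Packet("eth1", "tcp", 23081),
    "dns_answer": Packet("eth1", "udp", 40123, reply=True),  # reply to our own query
}

def evaluate(chain: list, policy: str) -> dict:
    return {name: verdict(chain, policy, p) for name, p in SAMPLES.items()}

if __name__ == "__main__":
    print("policy ACCEPT:", evaluate(ORIGINAL_INPUT, "ACCEPT"))               # everything in
    print("policy DROP:  ", evaluate(ORIGINAL_INPUT, "DROP"))                 # DNS answer lost
    print("DROP + state: ", evaluate([WAN_REPLIES] + ORIGINAL_INPUT, "DROP"))  # answer back
```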

----------

## PietdeBoer

Thx, that worked like a charm!

----------

## d2_racing

Yep, that was your problem.

You can check mine too: http://gentoo-quebec.org/wiki/index.php/Utilisation_de_Iptables_pour_un_seul_ordinateur

----------

