iptables problem (two network interfaces)

From: crowl (crowl_at_gmx.de)
Date: 07/01/04


Date: 1 Jul 2004 07:17:40 -0700

My lab:
Internet - PIX - DMZ - Debian box with two network cards - Intranet

PIX IP: 192.168.0.10
Debian eth0 IP: 192.168.0.11
Debian eth1 IP: 172.19.0.11

The debian box should separate the internet/dmz from local lan
(intranet). IPtables should work as firewall. All traffic from lan ->
internet should be allowed. All traffic from internet -> lan should be
blocked except established connections opened from the lan side.

I have an iptables script, but it seems that I have misconfigured
something. If I try to ping a website or make a pop3 request to my
internet provider from my machine inside the lan (ip 172.19.1.55), I
get no answer. SSH access to the debian box is working.

Here is my script; hopefully someone can help me figure out my
mistake. Thanks in advance.

#!/bin/sh

# intranet
IFACE_INT=eth1

# internet
IFACE_EXT=eth0

# loopback
IFACE_LO=lo

# flush filters
iptables -F
iptables -t nat -F

iptables -X
iptables -t nat -X

# policies
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT DROP

# accept ssh
iptables -A INPUT -p tcp --dport 22 -j ACCEPT

# enable ip-Forwarding
echo "1" > /proc/sys/net/ipv4/ip_forward

# *** INPUT ***

# loopback (the INPUT policy is DROP, so without this rule local
# services talking to 127.0.0.1 get no replies)
iptables -A INPUT -i $IFACE_LO -j ACCEPT

# allow all from intranet
iptables -A INPUT -i $IFACE_INT -j ACCEPT

# no internet connection with a local ip!
# (172.16.0.0/12 is the RFC 1918 block 172.16.0.0 - 172.31.255.255;
# /16 only covered 172.16.x.x)
iptables -A INPUT -i $IFACE_EXT -s 10.0.0.0/8 -j DROP
iptables -A INPUT -i $IFACE_EXT -s 172.16.0.0/12 -j DROP

# allow established internet connection
iptables -A INPUT -i $IFACE_EXT -m state \
--state ESTABLISHED,RELATED -j ACCEPT

# *** FORWARD ***

# intranet -> internet allow all
iptables -A FORWARD -i $IFACE_INT -o $IFACE_EXT -j ACCEPT

# internet -> intranet only if for established connection
iptables -A FORWARD -i $IFACE_EXT -o $IFACE_INT -m state \
--state ESTABLISHED,RELATED -j ACCEPT

# *** OUTPUT ***

# intranet
iptables -A OUTPUT -o $IFACE_INT -j ACCEPT

# loopback
iptables -A OUTPUT -o $IFACE_LO -j ACCEPT

# internet
iptables -A OUTPUT -o $IFACE_EXT -j ACCEPT

# Masquerading (table selected first, as iptables expects)
iptables -t nat -A POSTROUTING -o $IFACE_EXT -j MASQUERADE
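A way to localise where the packets die, added here and not part of the original post: read the per-chain counters from `iptables -L -v -n`. The POSIX sh/awk functions below do that over a constructed sample of such output (the counter values are made up, the layout is the real one); `policy_drops` names every chain whose DROP policy has discarded packets and `idle_rules` lists ACCEPT rules that never matched.

```shell
#!/bin/sh
# Constructed sample of `iptables -L -v -n` output from a box running a
# ruleset like the one above; the packet/byte counters are made up.
SAMPLE_COUNTERS='Chain INPUT (policy DROP 12 packets, 720 bytes)
 pkts bytes target     prot opt in     out     source               destination
   34  2040 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:22
  120 15800 ACCEPT     all  --  eth1   *       0.0.0.0/0            0.0.0.0/0
    0     0 DROP       all  --  eth0   *       10.0.0.0/8           0.0.0.0/0
    0     0 DROP       all  --  eth0   *       172.16.0.0/12        0.0.0.0/0
   57  4100 ACCEPT     all  --  eth0   *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
   40  3000 ACCEPT     all  --  eth1   eth0    0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     all  --  eth0   eth1    0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED

Chain OUTPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
   80  6000 ACCEPT     all  --  *      eth1    0.0.0.0/0            0.0.0.0/0
'

# Read `iptables -L -v -n` output on stdin and print "CHAIN N" for each
# chain whose DROP policy has discarded N > 0 packets: that is the chain
# eating the traffic that no explicit rule matched.
policy_drops() {
    awk '/^Chain/ && /policy DROP/ { if ($5 > 0) print $2, $5 }'
}

# Print ACCEPT rules that have never matched, as "CHAIN TARGET in=.. out=..".
# An idle rule shows traffic is not arriving where the ruleset expects it
# (in the sample: LAN packets leave via eth0, but no replies come back on it).
idle_rules() {
    awk '/^Chain/ { chain = $2 }
         /^ *[0-9]+ +[0-9]+ +ACCEPT/ { if ($1 == 0) print chain, $3, "in=" $6, "out=" $7 }'
}

# On the real box replace the sample with: iptables -L -v -n | policy_drops
printf '%s\n' "$SAMPLE_COUNTERS" | policy_drops   # INPUT 12
printf '%s\n' "$SAMPLE_COUNTERS" | idle_rules     # FORWARD ACCEPT in=eth0 out=eth1
```

Counters like the sample's (requests counted on the eth1 -> eth0 rule, nothing on the eth0 -> eth1 reply rule, no FORWARD policy drops) mean the box is not discarding anything and the reply path beyond eth0, i.e. the PIX side, is where to look next. Zero a rule's counters with `iptables -Z` before repeating the test so you only see the traffic you just generated.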