Je n'arrive pas à passer mon firewall correctement de ipchains à
iptables... si qqn pouvait m'aider...

Voici la config de mon réseau :
* un PC sous debian woody servant de routeur/firewall connecté à l'ADSL
via le port eth0 (sur modem alcatel speedtouch ethernet), et au réseau
local via le port eth1.
* sur le réseau local, un PC sous win98 (oui, je sais... ), et un sous
Linux (Mandrake 8.2 et Woody)...

Jusqu'à présent, le PC-routeur est sous noyau 2.2 avec ipchains... tout
marche nickel, les PC du réseau local ont accès à internet sans
problème...

Je souhaite passer à iptables pour avoir un firewall plus à jour, donc
mieux protégé... j'ai donc téléchargé et installé le noyau 2.4.16-k6, et
configuré iptables comme suit :

-------------------------------------
# Script de démarrage du firewall et des règles de routage :

####
# chargement des modules
modprobe ip_tables
modprobe iptable_filter
modprobe iptable_nat
modprobe iptable_mangle
modprobe ip_nat_ftp
modprobe ip_nat_snmp_basic
modprobe ip_conntrack
modprobe ip_conntrack_ftp

####
# réinitialisation des chaînes
iptables -F
iptables -t nat -F
iptables -t mangle -F
iptables -X
iptables -t nat -X
iptables -t mangle -X

####
# polices par défaut:

# on rejette les connexions entrantes et traversant le routeur
iptables -P INPUT DROP
iptables -P FORWARD DROP

# on accepte le reste
iptables -P OUTPUT ACCEPT
iptables -t nat -P PREROUTING ACCEPT
iptables -t nat -P POSTROUTING ACCEPT
iptables -t nat -P OUTPUT ACCEPT
iptables -t mangle -P OUTPUT ACCEPT
iptables -t mangle -P PREROUTING ACCEPT


####
# création de la chaîne générale pour les chaînes INPUT et FORWARD :
iptables -N block

# on accepte les connexions qui ne proviennent pas de l'extérieur (eth0)
iptables -A block -i ! eth0 -j ACCEPT

# on accepte les transmissions de paquets sur les connexions établies
iptables -A block -m state --state ESTABLISHED,RELATED -j ACCEPT

# on refuse le reste
iptables -A block -j DROP

####
# redirection des chaînes INPUT et FORWARD vers la nouvelle chaîne :
iptables -A INPUT -j block
iptables -A FORWARD -j block


####
# activation du masquerading pour la transmission de connexions depuis
# le réseau interne vers l'extérieur :
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
echo 1 > /proc/sys/net/ipv4/ip_forward

-------------------------------------

... eh ben ça marche pas !!!
La connexion internet fonctionne, j'ai accès sans problème depuis le
PC-Routeur... mais le routage foire ! Pas moyen d'accéder au réseau
externe depuis l'un ou l'autre des PC du réseau interne !! :sisicaivrai:
J'avais pourtant l'impression d'avoir bien compris en théorie le
fonctionnement d'iptables, mais visiblement, y a qqch qui m'échappe...
ai-je oublier qqch dans mon script ?

Merci d'avance pour toute aide...

le mien qui marche nickel , recupere et legerement modifié.
NB: j'interdis tout sauf le port 80 (www) et 22 (ssh) de l'exterieur.
a modifier si necessaire.


#!/bin/sh
# iptables, by Technion
# $Id: iptables,v 1.28 2002/05/12 09:51:50 technion Exp $
# chkconfig: 2345 08 80
# description: Script for setting IPTABLES rules
# processname: iptables


# Is this script to be run on Red Hat Linux? If not, set to "NO"
REDHAT="YES"

# Network information you will need to adjust
INTERNALIF="eth0"
INTERNALNET="192.168.1.0/24"
INTERNALBCAST="192.168.1.255"
EXTERNALIF="ppp0"
MYADDR="" # Only needed for DNAT, leave out otherwise

# Pathnames
DMESG="/bin/dmesg"
IPTABLES="/sbin/iptables"
MODPROBE="/sbin/modprobe"


# This is a batch of Red Hat Linux-specific commands
# that enable a user to call the script with a start/stop/restart
# argument.
if [ X"$REDHAT" = X"YES" ]; then
. /etc/rc.d/init.d/functions
case "$1" in
stop)
action "Shutting down firewall:" echo
$IPTABLES -F
$IPTABLES -P FORWARD DROP
exit 0
;;
status)
echo "The status command is not supported for iptables"
exit 0
;;
restart|reload)
$0 stop
exec $0 start
;;
start)
action "Starting Firewall:" echo
;;
*)
echo "Usage: firewall (start|stop|restart)"
exit 1
esac
fi
################################################################
#Insert modules- should be done automatically if needed
dmesg -n 1 #Kill copyright display on module load
/sbin/modprobe ip_tables
/sbin/modprobe iptable_filter
/sbin/modprobe ip_conntrack
/sbin/modprobe ip_conntrack_ftp
#
## Flush everything, start from scratch
#
# Incoming packets from the outside network
$IPTABLES -F INPUT
# Outgoing packets from the internal network
$IPTABLES -F OUTPUT
# Forwarding/masquerading
$IPTABLES -F FORWARD
#Nat table
$IPTABLES -t nat -F
##Setup sysctl controls which affect tcp/ip
#
#Disabling IP Spoofing attacks.
echo 2 > /proc/sys/net/ipv4/conf/all/rp_filter

#Don't respond to broadcast pings
echo "1" > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts

#Defragment all Packets
#Default now

#Enable forwarding
echo 1 >/proc/sys/net/ipv4/ip_forward

#Block source routing
echo 0 >/proc/sys/net/ipv4/conf/all/accept_source_route

#Kill timestamps. These have been the subject of a recent bugtraq thread
echo 0 > /proc/sys/net/ipv4/tcp_timestamps

#Enable SYN Cookies
echo 1 > /proc/sys/net/ipv4/tcp_syncookies

#Kill redirects
echo 0 >/proc/sys/net/ipv4/conf/all/accept_redirects

#Enable bad error message protection
echo 1 > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses

#Allow dynamic ip addreSses
echo "1" > /proc/sys/net/ipv4/ip_dynaddr

#Log martians (packets with impossible addresses)
#RiVaL said that certain NICs don't like this. Comment out if necessary.
echo 1 >/proc/sys/net/ipv4/conf/all/log_martians

#Set out local port range
echo "32768 61000" >/proc/sys/net/ipv4/ip_local_port_range

#Reduce DoS'ing ability by reducing timeouts
echo 30 > /proc/sys/net/ipv4/tcp_fin_timeout
echo 1800 > /proc/sys/net/ipv4/tcp_keepalive_time
echo 1 > /proc/sys/net/ipv4/tcp_window_scaling
echo 0 > /proc/sys/net/ipv4/tcp_sack
echo 1280 > /proc/sys/net/ipv4/tcp_max_syn_backlog


##Set basic rules
#
#Note that unlike ipchains, rules passing through a FORWARD chain do NOT
#also have to pass through an INPUT chain.

#Kill ANY stupid packets, including
#-Packets that are too short to have a full ICMP/UDP/TCP header
#- TCP and UDP packets with zero (illegal) source and destination ports
#-Illegal combinations of TCP flags
#-Zero-length (illegal) or over-length TCP and IP options,
# or options after the END-OF-OPTIONS option
#-Fragments of illegal length or offset (e.g., Ping of Death).
#Above list ripped from http://www.linux-mag.com/2000-01/bestdefense_02.html

#This has been found to be a little buggy. Removed for now.
$IPTABLES -A INPUT -m unclean -j DROP
$IPTABLES -A FORWARD -m unclean -j DROP

#Kill invalid packets (illegal combinations of flags)
$IPTABLES -A INPUT -m state --state INVALID -j DROP
$IPTABLES -A FORWARD -m state --state INVALID -j DROP


# Allow all connections on the internal interface
#

$IPTABLES -A INPUT -i lo -j ACCEPT

#Kill connections to the local interface from the outside world.
$IPTABLES -A INPUT -d 127.0.0.0/8 -j REJECT


#Allow unlimited traffic from internal network using legit addresses
$IPTABLES -A INPUT -i $INTERNALIF -s $INTERNALNET -j ACCEPT
#
#Allow IPV6 tunnel traffic
#$IPTABLES -A INPUT -p ipv6 -j ACCEPT

#Allow IPSEC tunnel traffic
#$IPTABLES -A INPUT -p 50 -j ACCEPT
#Allow all traffic from the ipsec device to the internal network
#$IPTABLES -A FORWARD -i ipsec0 -o $INTERNALIF -j ACCEPT

#Kill anything from outside claiming to be from internal network
$IPTABLES -A INPUT -i $EXTERNALIF -s $INTERNALNET -j REJECT

# rejet INPUT ports indesirables
# interditcion NETBIOS externe netbios
$IPTABLES -A INPUT -i $EXTERNALIF -p tcp --dport 135 -j DROP
$IPTABLES -A INPUT -i $EXTERNALIF -p tcp --dport 137:139 -j DROP
#
$IPTABLES -A INPUT -i $EXTERNALIF -p tcp --dport 1080 -j DROP
$IPTABLES -A INPUT -i $EXTERNALIF -p tcp --dport 3128 -j DROP

# interdiction port virus SLAPPER et divers virus.
$IPTABLES -A INPUT -i $EXTERNALIF -p udp --dport 1052 -j DROP
$IPTABLES -A INPUT -i $EXTERNALIF -p udp --dport 1812 -j DROP
$IPTABLES -A INPUT -i $EXTERNALIF -p udp --dport 1813 -j DROP
$IPTABLES -A INPUT -i $EXTERNALIF -p udp --dport 1978 -j DROP
$IPTABLES -A INPUT -i $EXTERNALIF -p udp --dport 2002 -j DROP
$IPTABLES -A INPUT -i $EXTERNALIF -p udp --dport 4156 -j DROP
$IPTABLES -A INPUT -i $EXTERNALIF -p udp --dport 1243 -j DROP
$IPTABLES -A INPUT -i $EXTERNALIF -p udp --dport 12348 -j DROP
$IPTABLES -A INPUT -i $EXTERNALIF -p udp --dport 27374 -j DROP
#
$IPTABLES -A INPUT -i $EXTERNALIF -p tcp --dport 1052 -j DROP
$IPTABLES -A INPUT -i $EXTERNALIF -p tcp --dport 1812 -j DROP
$IPTABLES -A INPUT -i $EXTERNALIF -p tcp --dport 1813 -j DROP
$IPTABLES -A INPUT -i $EXTERNALIF -p tcp --dport 1978 -j DROP
$IPTABLES -A INPUT -i $EXTERNALIF -p tcp --dport 2002 -j DROP
$IPTABLES -A INPUT -i $EXTERNALIF -p tcp --dport 4156 -j DROP
$IPTABLES -A INPUT -i $EXTERNALIF -p tcp --dport 1243 -j DROP
$IPTABLES -A INPUT -i $EXTERNALIF -p tcp --dport 12348 -j DROP
$IPTABLES -A INPUT -i $EXTERNALIF -p tcp --dport 27374 -j DROP

# ftp-data
$IPTABLES -A INPUT -p tcp --dport 20 -j DROP

# ftp
$IPTABLES -A INPUT -p tcp --dport 21 -j DROP

# ssh
$IPTABLES -A INPUT -p tcp --dport 22 -j ACCEPT

#telnet
$IPTABLES -A INPUT -p tcp --dport 23 -j DROP

# finger
$IPTABLES -A INPUT -p tcp --dport 79 -j DROP

# interdiction port virus en sortie.
$IPTABLES -I OUTPUT -o $EXTERNALIF -p tcp --dport 1052 -j DROP
$IPTABLES -I OUTPUT -o $EXTERNALIF -p tcp --dport 1812 -j DROP
$IPTABLES -I OUTPUT -o $EXTERNALIF -p tcp --dport 1813 -j DROP
$IPTABLES -I OUTPUT -o $EXTERNALIF -p tcp --dport 1978 -j DROP
$IPTABLES -I OUTPUT -o $EXTERNALIF -p tcp --dport 2002 -j DROP
$IPTABLES -I OUTPUT -o $EXTERNALIF -p tcp --dport 4156 -j DROP
#
$IPTABLES -I OUTPUT -o $EXTERNALIF -p udp --dport 1052 -j DROP
$IPTABLES -I OUTPUT -o $EXTERNALIF -p udp --dport 1812 -j DROP
$IPTABLES -I OUTPUT -o $EXTERNALIF -p udp --dport 1813 -j DROP
$IPTABLES -I OUTPUT -o $EXTERNALIF -p udp --dport 1978 -j DROP
$IPTABLES -I OUTPUT -o $EXTERNALIF -p udp --dport 2002 -j DROP
$IPTABLES -I OUTPUT -o $EXTERNALIF -p udp --dport 4156 -j DROP


##ICMP
#ping don't forward pings going inside
$IPTABLES -A FORWARD -p icmp --icmp-type echo-request -o $INTERNALIF -j REJECT
#ping flood protection
$IPTABLES -A INPUT -p icmp --icmp-type echo-request -m limit --limit 1/s -j ACCEPT
$IPTABLES -A INPUT -p icmp --icmp-type echo-request -j DROP
#Deny icmp to broadcast address
$IPTABLES -A INPUT -p icmp -d $INTERNALBCAST -j DROP

#Allow all other icmp
$IPTABLES -A INPUT -p icmp -j ACCEPT

##Allow established connections
#Unlike ipchains, we don't have to go through the business of allowing
#a local port range- just allow all connections already established.

$IPTABLES -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

#Note that unlike ipchains, the following must be enabled even with masquerading
#Don't forward SMB related traffic
$IPTABLES -A FORWARD -o $EXTERNALIF -p tcp --dport 137 -j REJECT
$IPTABLES -A FORWARD -o $EXTERNALIF -p tcp --dport 138 -j REJECT
$IPTABLES -A FORWARD -o $EXTERNALIF -p tcp --dport 139 -j REJECT
$IPTABLES -A FORWARD -o $EXTERNALIF -p udp --dport 137 -j REJECT
$IPTABLES -A FORWARD -o $EXTERNALIF -p udp --dport 138 -j REJECT
$IPTABLES -A FORWARD -o $EXTERNALIF -p udp --dport 139 -j REJECT


#Allow ALL other forwarding going out
$IPTABLES -A FORWARD -o $EXTERNALIF -i $INTERNALIF -j ACCEPT

#Allow replies coming in

$IPTABLES -A FORWARD -i $EXTERNALIF -m state --state ESTABLISHED,RELATED -j ACCEPT


#Whack allowances
#Allow DHCP- Optus users need this
#$IPTABLES -A INPUT -p udp -d 255.255.255.255 --dport 68 -j ACCEPT

#Allow nameserver packets. Different versions of iptables seem to error here.
#Comment out if necessary.

cat /etc/resolv.conf |
awk '/^nameserver/ {print $2}' |
xargs -n1 $IPTABLES -A INPUT -p udp --sport 53 -j ACCEPT -s

#Allow Telstra hearbeat
#This section is propz to Defed
#$IPTABLES -A INPUT -p udp --sport 5050 -j ACCEPT
#$IPTABLES -A INPUT -p udp --sport 5051 -j ACCEPT

#From here on, we're dealing with connection attempts.
#The -m limit is a DoS protection on connects
#First we allow a certain amount of connections per second
#DROP the rest (so we don't DoS ourself with rejections)
#We don't limit normal packets (!syn) by allowing the rest
##Basic services. Uncomment to allow in.


# smtp One per second limit -burst rate of ten
#$IPTABLES -A INPUT -p tcp --dport 25 --syn -m limit --limit 1/s
# --limit-burst 10 -j ACCEPT

#$IPTABLES -A INPUT -p tcp --dport 25 --syn -j DROP
$IPTABLES -A INPUT -p tcp --dport 25 -j DROP

# DNS
$IPTABLES -A INPUT -p tcp --dport 53 -j DROP
$IPTABLES -A INPUT -p udp --dport 53 -j DROP

# http
$IPTABLES -A INPUT -p tcp --dport 80 -j ACCEPT

# POP-3
$IPTABLES -A INPUT -p tcp --dport 110 -j DROP

# identd
$IPTABLES -A INPUT -p tcp --dport 113 -j DROP

# imap
$IPTABLES -A INPUT -p tcp --dport 143 -j DROP

# https
$IPTABLES -A INPUT -p tcp --dport 443 -j DROP

# MSFT DS
$IPTABLES -A INPUT -p tcp --dport 445 -j DROP

# U PnP
$IPTABLES -A INPUT -p tcp --dport 5000 -j DROP
# applications specifiques

# edonkey port
$IPTABLES -A INPUT -p tcp --dport 4661 -j ACCEPT
$IPTABLES -A INPUT -p tcp --dport 4662 -j ACCEPT

##Some ports should be denied and logged.
$IPTABLES -A INPUT -p tcp --dport 6670 -m limit -j LOG
--log-prefix "Firewalled packet: Deepthrt "
$IPTABLES -A INPUT -p tcp --dport 6670 -j DROP
$IPTABLES -A INPUT -p tcp --dport 6711 -m limit -j LOG
--log-prefix "Firewalled packet: Sub7 "
$IPTABLES -A INPUT -p tcp --dport 6711 -j DROP
$IPTABLES -A INPUT -p tcp --dport 6712 -m limit -j LOG
--log-prefix "Firewalled packet: Sub7 "
$IPTABLES -A INPUT -p tcp --dport 6712 -j DROP
$IPTABLES -A INPUT -p tcp --dport 6713 -m limit -j LOG
--log-prefix "Firewalled packet: Sub7 "
$IPTABLES -A INPUT -p tcp --dport 6713 -j DROP

$IPTABLES -A INPUT -p tcp --dport 12345 -m limit -j LOG
--log-prefix "Firewalled packet: Netbus "
$IPTABLES -A INPUT -p tcp --dport 12345 -j DROP
$IPTABLES -A INPUT -p tcp --dport 12346 -m limit -j LOG
--log-prefix "Firewalled packet: Netbus "
$IPTABLES -A INPUT -p tcp --dport 12346 -j DROP
$IPTABLES -A INPUT -p tcp --dport 20034 -m limit -j LOG
--log-prefix "Firewalled packet: Netbus "
$IPTABLES -A INPUT -p tcp --dport 20034 -j DROP
$IPTABLES -A INPUT -p tcp --dport 31337 -m limit -j LOG
--log-prefix "Firewalled packet: BO "
$IPTABLES -A INPUT -p tcp --dport 31337 -j DROP
$IPTABLES -A INPUT -p tcp --dport 6000 -m limit -j LOG
--log-prefix "Firewalled packet: XWin "
$IPTABLES -A INPUT -p tcp --dport 6000 -j DROP


#Traceroutes depend on finding a rejected port. DROP the ones it uses
$IPTABLES -A INPUT -p udp --dport 33434:33523 -j DROP

#Don't log igmp. Some people get too many of these
$IPTABLES -A INPUT -p igmp -j REJECT

#Don't log web or ssl because people surfing for long times lose connection
#tracking and cause the system to create a new one, flooding logs.

##Catch all rules.
#iptables reverts to these if it hasn't matched any of the previous rules.
#Log. There's no point logging noise. There's too much of it.
#Just log connection requests
$IPTABLES -A INPUT -p tcp --syn -m limit --limit 5/minute -j LOG
--log-prefix "Firewalled packet:"
$IPTABLES -A FORWARD -p tcp --syn -m limit --limit 5/minute -j LOG
--log-prefix "Firewalled packet:"

#Reject
$IPTABLES -A INPUT -p tcp -j REJECT --reject-with tcp-reset
$IPTABLES -A INPUT -p all -j DROP

$IPTABLES -A FORWARD -p tcp -j REJECT --reject-with tcp-reset
$IPTABLES -A FORWARD -p all -j DROP

#Accept it anyway if it's only output
$IPTABLES -A OUTPUT -j ACCEPT

#Masquerade internal connections going out.
$IPTABLES -A POSTROUTING -t nat -o $EXTERNALIF -j MASQUERADE


exit 0

C'est bon, j'ai trouvé la solution... il fallait en fait remplacer eth0 par ppp0...
Bien que mon routeur soit lié au modem à travers l'interface eth0, il utilise en fait ppp0 pour se connecter à internet.

effectivement,
tu n'es meme pas obligé de donner une adresse ip a eth qui supporte ppp.

ben ouai... j'dormirai moins con ce soir