CentOS router/firewall/nat iptables setup [SOLVED: Shorewall FTW]
Distro: CentOS 5.3
External IP (eth0): Static, assigned by ISP via DHCP
Internal IP (eth1): 10.0.0.1
Services running: Apache, BIND, ProFTP, Samba, DHCP3, MySQL, PHP
Hello. I must preface this by saying I know little about iptables. This is my first attempt at building my own router, having previously used Smoothwall.
The CentOS box in this instance is also my website and DNS server. I have simply built on top of my existing server setup, enabling port forwarding and installing dhcpd.
All outgoing connections accepted, i.e. use should be transparent to a user within my network.
Incoming connections only accepted if forwarded (I think I know how to accomplish this, having nabbed a port forward example when I searched), I currently do not have any of these.
Existing services on the router continue to work.
My web and name server currently work, as does FTP and samba access.
The internet works on my client computer (10.0.0.2, static via DHCP), however I have trouble accessing some services outside my own network. For example if I FTP to an external server I get:
500 I won't open a connection to 10.0.0.2 (only to PUBLIC IP WAS HERE)
I don't think my internal IP should be making it out there.
Here's my iptables script, cobbled together from various sources:
Any suggestions to make this... better? Or a tutorial for nubs. No GUI so CLI options only.
# Don't shut myself out in case something doesn't work
iptables -P INPUT ACCEPT
# Flush old rules so re-running the script doesn't append duplicates
iptables -F
iptables -t nat -F
# Services running on the router itself
iptables -A INPUT -p tcp --dport 21 -j ACCEPT   # FTP
iptables -A INPUT -p tcp --dport 22 -j ACCEPT   # SSH
iptables -A INPUT -p tcp --dport 10000 -j ACCEPT
iptables -A INPUT -p udp --dport 53 -j ACCEPT   # DNS
iptables -A INPUT -p tcp --dport 80 -j ACCEPT   # HTTP
iptables -A INPUT -p udp --dport 67 -j ACCEPT   # DHCP server (UDP, not TCP)
iptables -A INPUT -p tcp -m tcp --dport 5666 -j ACCEPT
iptables -A INPUT -p icmp --icmp-type 8 -j ACCEPT   # echo request
iptables -A OUTPUT -p icmp --icmp-type 0 -j ACCEPT  # echo reply
# Default policies
iptables -P INPUT DROP
iptables -P FORWARD ACCEPT
iptables -P OUTPUT ACCEPT
iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -i eth1 -j ACCEPT
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -i eth1 -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
iptables -t nat -P PREROUTING ACCEPT
iptables -t nat -P POSTROUTING ACCEPT
service iptables save
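A stateful rewrite of the ruleset above, added here as an example (it is not the poster's script and not what Shorewall generates). It assumes the post's layout (eth0 as WAN, eth1 as LAN 10.0.0.0/24), loads the FTP connection-tracking and NAT helpers that the "500 I won't open a connection to 10.0.0.2" error points at (the module names are the CentOS 5 kernel's; newer kernels use nf_conntrack_ftp/nf_nat_ftp), and exposes only ftp, ssh, dns and http to the Internet, keeping DHCP and ports 10000/5666 reachable from the LAN alone.

```shell
#!/bin/sh
# Added example (not the poster's script): stateful rewrite of the ruleset above
# for the same layout, eth0 = WAN and eth1 = LAN 10.0.0.0/24.
# Usage: "sh fw.sh show" prints the commands; "sh fw.sh apply" (as root) loads them.
WAN=eth0
LAN=eth1
LAN_NET=10.0.0.0/24

# Print the rule instead of applying it when DRY_RUN is set.
ipt() {
    if [ -n "$DRY_RUN" ]; then echo "iptables $*"; else iptables "$@"; fi
}

apply_rules() {
    if [ -z "$DRY_RUN" ]; then
        # Active-mode FTP puts the client's own address (10.0.0.2) in the PORT
        # command; the FTP NAT helper rewrites it to the public address, which is
        # what the "500 I won't open a connection to 10.0.0.2" error is about.
        modprobe ip_conntrack_ftp   # module names on the CentOS 5 (2.6.18) kernel;
        modprobe ip_nat_ftp         # newer kernels call them nf_conntrack_ftp/nf_nat_ftp
        echo 1 > /proc/sys/net/ipv4/ip_forward
    fi
    ipt -F; ipt -t nat -F              # start clean so re-runs do not append duplicates
    ipt -P INPUT DROP
    ipt -P FORWARD DROP                # forward only what is explicitly allowed below
    ipt -P OUTPUT ACCEPT
    ipt -A INPUT -i lo -j ACCEPT
    ipt -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    ipt -A INPUT -m state --state INVALID -j DROP
    # Trust the LAN side only: DHCP (udp/67), Samba and ports 10000/5666 are
    # reachable from 10.0.0.0/24, not from the Internet.
    ipt -A INPUT -i "$LAN" -s "$LAN_NET" -j ACCEPT
    # Services the router offers to the Internet
    for port in 21 22 53 80; do
        ipt -A INPUT -i "$WAN" -p tcp --dport "$port" -j ACCEPT
    done
    ipt -A INPUT -i "$WAN" -p udp --dport 53 -j ACCEPT   # BIND needs udp and tcp
    ipt -A INPUT -i "$WAN" -p icmp --icmp-type echo-request -j ACCEPT
    # LAN -> Internet with replies matched by state; nothing unsolicited inbound
    ipt -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    ipt -A FORWARD -i "$LAN" -o "$WAN" -s "$LAN_NET" -j ACCEPT
    ipt -t nat -A POSTROUTING -o "$WAN" -s "$LAN_NET" -j MASQUERADE
}

case "${1:-}" in
    show)  (DRY_RUN=1; apply_rules) ;;
    apply) apply_rules && service iptables save ;;
esac
```

Run `sh fw.sh show` first and read the printed rules; `iptables -L -n -v` after `apply` shows the per-rule counters, which is the quickest way to see which rule a dropped or accepted packet hit.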