Oke, vegre sikerult osszedobni egy egesz jol mukodo tuzfalat, csupan egyetlen dolog nem akar mukodni internet felol, meghozza az FTP. Belso halorol tokeletes, kivulrol nem csatlakozik. Ranyomtam egy port scannert ami szerint a 20-as port zarva, 21-es nyitva. De mindent ugyanazzal a parancsal nyit ki, akor miert lehet zarva csak a 20-as?
Egyebkent mas hiabat, vagy otletet lattok benne?
#!/bin/sh
# Enable IP forwarding
echo "1" > /proc/sys/net/ipv4/ip_forward
# IPTables
IPT="iptables"
# Internet Interface
INET_IFACE="ppp0"
INET_ADDRESS="195.228.0.234"
# Local Interface Information
LOCAL_IFACE="eth1"
LOCAL_IP="192.168.0.1"
LOCAL_NET="192.168.0.0/24"
# Flush the tables
$IPT -F INPUT
$IPT -F OUTPUT
$IPT -F FORWARD
$IPT -F -t nat
# Define default policy to DROP packets
$IPT -P INPUT DROP
$IPT -P OUTPUT DROP
$IPT -P FORWARD DROP
$IPT -t nat -P PREROUTING ACCEPT
$IPT -t nat -P POSTROUTING ACCEPT
$IPT -t nat -P OUTPUT ACCEPT
# Delete the optional user-defined chains specified
$IPT -X
$IPT -t nat -X
$IPT -t mangle -X
# Allow ICMP types ('echo request/reply' and 'time exceeded') traffic
$IPT -A INPUT -i $INET_IFACE -p icmp --icmp-type 0 -j ACCEPT
$IPT -A INPUT -i $INET_IFACE -p icmp --icmp-type 8 -j ACCEPT
$IPT -A INPUT -i $INET_IFACE -p icmp --icmp-type 11 -j ACCEPT
$IPT -A OUTPUT -p icmp --icmp-type 0 -j ACCEPT
$IPT -A OUTPUT -p icmp --icmp-type 8 -j ACCEPT
$IPT -A OUTPUT -p icmp --icmp-type 11 -j ACCEPT
# Permit DNS traffic
$IPT -A INPUT -i $INET_IFACE -p udp --dport 53 -j ACCEPT
$IPT -A OUTPUT -p udp --sport 53 -j ACCEPT
# Accept network return traffic from the internet:
$IPT -A INPUT -i $INET_IFACE -m state -p tcp --dport 1024:65535 --state ESTABLISHED,RELATED -j ACCEPT
$IPT -A OUTPUT -m state -p tcp --sport 1024:65535 ! --state INVALID -j ACCEPT
# Accept SSH traffic from the internet
$IPT -A INPUT -i $INET_IFACE -m state -p tcp -s 0/0 --dport 22 ! --state INVALID -j ACCEPT
$IPT -A OUTPUT -m state -p tcp --sport 22 --state ESTABLISHED,RELATED -j ACCEPT
# Accept FTP traffic from the internet
$IPT -A INPUT -i $INET_IFACE -m state -p tcp -s 0/0 --dport 21 ! --state INVALID -j ACCEPT
$IPT -A OUTPUT -m state -p tcp --sport 21 --state ESTABLISHED,RELATED -j ACCEPT
$IPT -A INPUT -i $INET_IFACE -m state -p tcp -s 0/0 --dport 20 ! --state INVALID -j ACCEPT
$IPT -A OUTPUT -m state -p tcp --sport 20 --state ESTABLISHED,RELATED -j ACCEPT
# Accept HTTP traffic from the internet
$IPT -A INPUT -i $INET_IFACE -m state -p tcp -s 0/0 --dport 80 ! --state INVALID -j ACCEPT
$IPT -A OUTPUT -m state -p tcp --sport 80 --state ESTABLISHED,RELATED -j ACCEPT
# Accept RoR traffic from the internet
$IPT -A INPUT -i $INET_IFACE -m state -p tcp -s 0/0 --dport 3000 ! --state INVALID -j ACCEPT
$IPT -A OUTPUT -m state -p tcp --sport 3000 --state ESTABLISHED,RELATED -j ACCEPT
# Accept all local (loopback) traffic on the lo interface
$IPT -A INPUT -s 127.0.0.1 -i lo -j ACCEPT
$IPT -A OUTPUT -d 127.0.0.1 -o lo -j ACCEPT
# Accept private subnet traffic on LOCAL_IFACE
$IPT -A INPUT -s $LOCAL_NET -i $LOCAL_IFACE -j ACCEPT
$IPT -A OUTPUT -d $LOCAL_NET -o $LOCAL_IFACE -j ACCEPT
# Allow forwarding packets:
$IPT -A FORWARD -p ALL -i $LOCAL_IFACE -j ACCEPT
$IPT -A FORWARD -i $INET_IFACE -m state --state ESTABLISHED,RELATED -j ACCEPT
# Packet masquerading
$IPT -t nat -A POSTROUTING -o $INET_IFACE -j MASQUERADE