Long Wind wrote:
I have a firewall script.
It provides NAT and allows clients to visit only 3 sites plus the DNS servers.
On the client machine the 1st site (www.debian.org) can be viewed,
but the other two sites have problems:
the browser displays only the title bar;
in other words, the page is displayed partially.
Note that the other two sites are in Chinese.
After I uncomment two commands (which reduces security),
the two sites can be viewed.
It seems to me that the problem is specific to etch (kernel 2.6);
the script works fine for the two sites in sarge (kernel 2.4).
Below is my firewall script:
#!/bin/sh
#
# rc.firewall-iptables
FWVER=0.76
echo -e "\n\nLoading simple rc.firewall-iptables version $FWVER..\n"
IPTABLES=/sbin/iptables
DEPMOD=/sbin/depmod
MODPROBE=/sbin/modprobe
# Upstream DNS servers the clients (and this host) may talk to.
DNS1="219.233.241.166"
DNS2="211.167.97.67"
# The only web sites clients are allowed to reach. These are host names,
# so iptables resolves them once, when the rule is loaded (see below).
SITE1="www.debian.org"
SITE2="trade.gtja.com"
SITE50="ebank.spdb.com.cn"
# External (Internet-facing) and internal (client-facing) interfaces.
EXTIF="eth1"
INTIF="eth0"
echo " External Interface: $EXTIF"
echo " Internal Interface: $INTIF"
echo -en " loading modules: "
echo " - Verifying that all kernel modules are ok"
$DEPMOD -a
echo "----------------------------------------------------------------------"
echo -en "ip_tables, "
$MODPROBE ip_tables
echo -en "ip_conntrack, "
$MODPROBE ip_conntrack
echo -en "iptable_nat, "
$MODPROBE iptable_nat
echo "----------------------------------------------------------------------"
echo -e " Done loading modules.\n"
echo " Enabling forwarding.."
echo "1" > /proc/sys/net/ipv4/ip_forward
echo " Clearing any existing rules and setting default policy.."
# Default-deny on all three chains, then flush whatever was loaded before.
# Note: the old rules are not saved anywhere before being flushed.
$IPTABLES -P INPUT DROP
$IPTABLES -F INPUT
$IPTABLES -P OUTPUT DROP
$IPTABLES -F OUTPUT
$IPTABLES -P FORWARD DROP
$IPTABLES -F FORWARD
$IPTABLES -t nat -F
# The two commands referred to above. Uncommenting them accepts all traffic
# to and from the firewall host itself (INPUT/OUTPUT), leaving only FORWARD
# restricted.
#$IPTABLES -A INPUT -j ACCEPT
#$IPTABLES -A OUTPUT -j ACCEPT
# Forwarded traffic: allow both directions to/from the DNS servers,
# any protocol and port (no state tracking is used).
$IPTABLES -A FORWARD -s $DNS1 -j ACCEPT
$IPTABLES -A FORWARD -d $DNS1 -j ACCEPT
$IPTABLES -A FORWARD -s $DNS2 -j ACCEPT
$IPTABLES -A FORWARD -d $DNS2 -j ACCEPT
# The firewall host itself may only exchange packets with the DNS servers.
# These rules must come before the site rules below, because resolving
# the site names needs DNS from this host.
$IPTABLES -A INPUT -s $DNS1 -j ACCEPT
$IPTABLES -A INPUT -s $DNS2 -j ACCEPT
$IPTABLES -A OUTPUT -d $DNS1 -j ACCEPT
$IPTABLES -A OUTPUT -d $DNS2 -j ACCEPT
# Forwarded traffic to/from the three sites. iptables resolves each name
# when the rule is inserted: a name with several A records yields one rule
# per address, and later DNS changes are not picked up until the script
# is re-run.
$IPTABLES -A FORWARD -s $SITE1 -j ACCEPT
$IPTABLES -A FORWARD -d $SITE1 -j ACCEPT
$IPTABLES -A FORWARD -s $SITE2 -j ACCEPT
$IPTABLES -A FORWARD -d $SITE2 -j ACCEPT
$IPTABLES -A FORWARD -s $SITE50 -j ACCEPT
$IPTABLES -A FORWARD -d $SITE50 -j ACCEPT
echo " Enabling SNAT (MASQUERADE) functionality on $EXTIF"
# Rewrite the source address of everything leaving $EXTIF to its current IP.
$IPTABLES -t nat -A POSTROUTING -o $EXTIF -j MASQUERADE
echo -e "\nrc.firewall-iptables v$FWVER done.\n"
Have you tried lenny?
Supposing you can only see part of the web page, have you captured the
data from your network card to make sure all the data has been discarded?
BTW, backing up the old policy rules before you drop them may be a good idea.
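The following is an added example, not Long Wind's script and not code from the thread. It keeps the same policy (NAT, clients may reach only the listed DNS servers and the three sites) but writes it the way a practitioner would want it: stateful rules so only the client-initiated direction needs to be opened, DNS limited to port 53 and the sites to TCP 80/443, loopback allowed on the firewall host, and the backup-before-flush step the reply recommends. Interface names, DNS servers and site names come from the posted script; the ports, the BACKUP path, the DRY_RUN switch and the use of iptables-save/iptables-restore for the backup are assumptions of this example.

```shell
#!/bin/sh
# Added example: stateful, port-restricted rewrite of the posted ruleset.
# Run with DRY_RUN=0 as root to apply; by default it only prints the commands.
EXTIF="eth1"
INTIF="eth0"
DNS_SERVERS="219.233.241.166 211.167.97.67"
SITES="www.debian.org trade.gtja.com ebank.spdb.com.cn"
BACKUP="${BACKUP:-/var/backups/iptables.rules.$(date +%Y%m%d%H%M%S)}"  # assumed path
DRY_RUN="${DRY_RUN:-1}"

# Emit one iptables argument list per line. Keeping the rules as text lets the
# caller review them (or diff them against the live ruleset) before applying.
build_rules() {
    cat <<EOF
-P INPUT DROP
-P OUTPUT DROP
-P FORWARD DROP
-F INPUT
-F OUTPUT
-F FORWARD
-t nat -F
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -m state --state INVALID -j DROP
EOF
    # DNS: only new queries to port 53 of the listed servers, from clients
    # (FORWARD) and from the firewall host itself (OUTPUT). Replies come back
    # through the ESTABLISHED,RELATED rules above. These must precede the site
    # rules: iptables resolves the site names when those rules are inserted.
    for dns in $DNS_SERVERS; do
        for proto in udp tcp; do
            echo "-A FORWARD -i $INTIF -o $EXTIF -p $proto -d $dns --dport 53 -m state --state NEW -j ACCEPT"
            echo "-A OUTPUT -o $EXTIF -p $proto -d $dns --dport 53 -m state --state NEW -j ACCEPT"
        done
    done
    # Web sites: client-initiated HTTP/HTTPS only. A name with several A records
    # expands to one rule per address at load time; a site that pulls images or
    # scripts from other hosts will still render partially under this policy.
    for site in $SITES; do
        for port in 80 443; do
            echo "-A FORWARD -i $INTIF -o $EXTIF -p tcp -d $site --dport $port -m state --state NEW -j ACCEPT"
        done
    done
    echo "-t nat -A POSTROUTING -o $EXTIF -j MASQUERADE"
}

# Apply the rules. The running ruleset is saved first, and any rule that fails
# to load restores it, so a typo cannot lock an administrator out of a remote box.
apply_rules() {
    if [ "$DRY_RUN" != "0" ]; then
        build_rules | sed 's/^/iptables /'
        return 0
    fi
    iptables-save > "$BACKUP" || return 1
    while IFS= read -r rule; do
        # shellcheck disable=SC2086  # splitting the rule into arguments is intended
        if ! iptables $rule; then
            echo "rule failed, restoring $BACKUP: iptables $rule" >&2
            iptables-restore < "$BACKUP"
            return 1
        fi
    done <<EOF
$(build_rules)
EOF
    echo 1 > /proc/sys/net/ipv4/ip_forward
}

apply_rules
```

Run it once without arguments to review the generated commands, then `DRY_RUN=0 sh rc.firewall-stateful` as root to apply. Because the site rules are keyed on names resolved at load time, re-run the script (or switch to fixed addresses) whenever a site's DNS changes, and remember that whoever answers the DNS query at boot decides which addresses end up in the whitelist.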
--
To UNSUBSCRIBE, email to debian-user-requ...@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org