Dear friends,
After I start my firewall I can no longer ping my router. I'm using ClearOS as the firewall, with two NICs (one for the LAN, one for the WAN). The error is as follows:
PING 192.168.2.254 (192.168.2.254) 56(84) bytes of data.
ping: sendmsg: Operation not permitted
ping: sendmsg: Operation not permitted
Please help.
Thanks,
Thusitha...
My routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
10.0.0.0 0.0.0.0 255.255.255.0 U 0 0 0 tap0
192.168.2.0 0.0.0.0 255.255.255.0 U 0 0 0 eth0
192.168.0.0 0.0.0.0 255.255.255.0 U 0 0 0 eth1
0.0.0.0 192.168.2.254 0.0.0.0 UG 0 0 0 eth0
My firewall rules (iptables-save output):
# Generated by iptables-save v1.3.5 on Sun Dec 26 16:03:28 2010
*nat
:PREROUTING ACCEPT [52901:4708149]
:POSTROUTING ACCEPT [18720:1225057]
:OUTPUT ACCEPT [109262:7242459]
# Transparent-proxy hop: anything (except loopback) aimed at 3128 is redirected
# to local port 82. No -i is given, so this also matches packets arriving on
# eth0 (WAN); whether a WAN client can then reach port 82 is decided in filter
# INPUT, which lists no rule for 82 (the LAN and VPN interfaces are accepted
# wholesale there, so the hop is effectively LAN/VPN only).
-A PREROUTING -s ! 127.0.0.1 -p tcp -m tcp --dport 3128 -j REDIRECT --to-ports 82
# Port forwards: connections to the WAN-side address 192.168.2.100 are DNATed
# to internal hosts. There is no -i eth0 restriction, so the same rewrite also
# applies to LAN clients that use the external address (see the SNAT hairpin
# rules below).
# NOTE(review): because 80 and 443 are DNATed here, the filter INPUT rule that
# accepts 443 on 192.168.2.100 is never reached for new connections - DNATed
# packets traverse FORWARD, not INPUT.
-A PREROUTING -d 192.168.2.100 -p tcp -m tcp --dport 53 -j DNAT --to-destination 192.168.0.222:53
-A PREROUTING -d 192.168.2.100 -p tcp -m tcp --dport 80 -j DNAT --to-destination 192.168.0.222:80
-A PREROUTING -d 192.168.2.100 -p tcp -m tcp --dport 443 -j DNAT --to-destination 192.168.0.222:443
-A PREROUTING -d 192.168.2.100 -p tcp -m tcp --dport 993 -j DNAT --to-destination 192.168.0.222:993
-A PREROUTING -d 192.168.2.100 -p tcp -m tcp --dport 995 -j DNAT --to-destination 192.168.0.222:995
-A PREROUTING -d 192.168.2.100 -p tcp -m tcp --dport 2222 -j DNAT --to-destination 192.168.0.222:2222
-A PREROUTING -d 192.168.2.100 -p tcp -m tcp --dport 3000 -j DNAT --to-destination 192.168.0.222:3000
-A PREROUTING -d 192.168.2.100 -p tcp -m tcp --dport 10101 -j DNAT --to-destination 192.168.0.222:10101
-A PREROUTING -d 192.168.2.100 -p udp -m udp --dport 53 -j DNAT --to-destination 192.168.0.222:53
-A PREROUTING -d 192.168.2.100 -p udp -m udp --dport 6277 -j DNAT --to-destination 192.168.0.222:6277
-A PREROUTING -d 192.168.2.100 -p udp -m udp --dport 24441 -j DNAT --to-destination 192.168.0.222:24441
-A PREROUTING -d 192.168.2.100 -p udp -m udp --dport 123 -j DNAT --to-destination 192.168.0.101:123
-A PREROUTING -d 192.168.2.100 -p tcp -m tcp --dport 5911 -j DNAT --to-destination 192.168.0.111:5911
-A PREROUTING -d 192.168.2.100 -p tcp -m tcp --dport 27027 -j DNAT --to-destination 192.168.0.111:27027
-A PREROUTING -d 192.168.2.100 -p tcp -m tcp --dport 5801 -j DNAT --to-destination 192.168.0.101:5801
-A PREROUTING -d 192.168.2.100 -p tcp -m tcp --dport 2223 -j DNAT --to-destination 192.168.0.101:2223
# Exemptions placed ahead of the transparent-proxy REDIRECT that follows. The
# one for 192.168.2.100:80 is unreachable: the DNAT above already matched and
# nat chain traversal stopped there. 192.168.0.100 is presumably the firewall's
# own LAN address (it is the SNAT source below); 74.52.31.184 is an external
# host that is meant to bypass the proxy - TODO confirm both.
-A PREROUTING -d 192.168.0.100 -p tcp -m tcp --dport 80 -j ACCEPT
-A PREROUTING -d 192.168.2.100 -p tcp -m tcp --dport 80 -j ACCEPT
-A PREROUTING -d 74.52.31.184 -p tcp -m tcp --dport 80 -j ACCEPT
# Web traffic arriving from the LAN (eth1) goes through the local proxy on 8080.
-A PREROUTING -i eth1 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 8080
# Hairpin / NAT-loopback: LAN clients that reach the forwarded services via the
# external address are source-rewritten to 192.168.0.100 so the server's reply
# comes back through the firewall instead of going straight to the client.
-A POSTROUTING -s 192.168.0.0/255.255.255.0 -d 192.168.0.222 -p tcp -m tcp --dport 53 -j SNAT --to-source 192.168.0.100
-A POSTROUTING -s 192.168.0.0/255.255.255.0 -d 192.168.0.222 -p tcp -m tcp --dport 80 -j SNAT --to-source 192.168.0.100
-A POSTROUTING -s 192.168.0.0/255.255.255.0 -d 192.168.0.222 -p tcp -m tcp --dport 443 -j SNAT --to-source 192.168.0.100
-A POSTROUTING -s 192.168.0.0/255.255.255.0 -d 192.168.0.222 -p tcp -m tcp --dport 993 -j SNAT --to-source 192.168.0.100
-A POSTROUTING -s 192.168.0.0/255.255.255.0 -d 192.168.0.222 -p tcp -m tcp --dport 995 -j SNAT --to-source 192.168.0.100
-A POSTROUTING -s 192.168.0.0/255.255.255.0 -d 192.168.0.222 -p tcp -m tcp --dport 2222 -j SNAT --to-source 192.168.0.100
-A POSTROUTING -s 192.168.0.0/255.255.255.0 -d 192.168.0.222 -p tcp -m tcp --dport 3000 -j SNAT --to-source 192.168.0.100
-A POSTROUTING -s 192.168.0.0/255.255.255.0 -d 192.168.0.222 -p tcp -m tcp --dport 10101 -j SNAT --to-source 192.168.0.100
-A POSTROUTING -s 192.168.0.0/255.255.255.0 -d 192.168.0.222 -p udp -m udp --dport 53 -j SNAT --to-source 192.168.0.100
-A POSTROUTING -s 192.168.0.0/255.255.255.0 -d 192.168.0.222 -p udp -m udp --dport 6277 -j SNAT --to-source 192.168.0.100
-A POSTROUTING -s 192.168.0.0/255.255.255.0 -d 192.168.0.222 -p udp -m udp --dport 24441 -j SNAT --to-source 192.168.0.100
-A POSTROUTING -s 192.168.0.0/255.255.255.0 -d 192.168.0.101 -p udp -m udp --dport 123 -j SNAT --to-source 192.168.0.100
-A POSTROUTING -s 192.168.0.0/255.255.255.0 -d 192.168.0.111 -p tcp -m tcp --dport 5911 -j SNAT --to-source 192.168.0.100
-A POSTROUTING -s 192.168.0.0/255.255.255.0 -d 192.168.0.111 -p tcp -m tcp --dport 27027 -j SNAT --to-source 192.168.0.100
-A POSTROUTING -s 192.168.0.0/255.255.255.0 -d 192.168.0.101 -p tcp -m tcp --dport 5801 -j SNAT --to-source 192.168.0.100
-A POSTROUTING -s 192.168.0.0/255.255.255.0 -d 192.168.0.101 -p tcp -m tcp --dport 2223 -j SNAT --to-source 192.168.0.100
# Everything leaving via the WAN interface is masqueraded, including forwarded
# VPN (10.0.0.0/24) traffic.
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT
# Completed on Sun Dec 26 16:03:28 2010
# Generated by iptables-save v1.3.5 on Sun Dec 26 16:03:28 2010
*mangle
:PREROUTING ACCEPT [3906197:3300163635]
:INPUT ACCEPT [3826954:3273590417]
:FORWARD ACCEPT [67772:17095110]
:OUTPUT ACCEPT [4014288:3299688418]
:POSTROUTING ACCEPT [4071853:3315432490]
# Bandwidth shaping: WAN ingress is queued through imq1, WAN egress through
# imq0. A locally generated ping to 192.168.2.254 also passes the POSTROUTING
# rule (it leaves via eth0 per the routing table). How the IMQ target treats a
# missing or down imq device depends on the IMQ patch version - NOTE(review):
# flush this table temporarily (iptables -t mangle -F) to rule it out as the
# source of "sendmsg: Operation not permitted".
-A PREROUTING -i eth0 -j IMQ --todev 1
-A POSTROUTING -o eth0 -j IMQ --todev 0
COMMIT
# Completed on Sun Dec 26 16:03:28 2010
# Generated by iptables-save v1.3.5 on Sun Dec 26 16:03:28 2010
*filter
# Default-deny on all three chains. With OUTPUT at DROP, a locally generated
# packet that matches no OUTPUT ACCEPT is refused with EPERM, which is exactly
# what "ping: sendmsg: Operation not permitted" reports.
:FORWARD DROP [0:0]
:INPUT DROP [0:0]
:OUTPUT DROP [0:0]
# Defined but not referenced by any rule in this dump.
:drop-lan - [0:0]
# Accounting: every packet crossing eth0 is logged (debug level) before any
# other rule is evaluated. A ping to 192.168.2.254 that reaches OUTPUT therefore
# leaves a BANDWIDTH_OUT entry in the kernel log even if a later rule drops it.
-A FORWARD -o eth0 -j LOG --log-level 7 --log-prefix BANDWIDTH_OUT:
-A FORWARD -i eth0 -j LOG --log-level 7 --log-prefix BANDWIDTH_IN:
-A OUTPUT -o eth0 -j LOG --log-level 7 --log-prefix BANDWIDTH_OUT:
-A INPUT -i eth0 -j LOG --log-level 7 --log-prefix BANDWIDTH_IN:
# TCP sanity: drop conntrack-INVALID packets, reset NEW connections that start
# with SYN,ACK, drop NEW connections that do not start with a bare SYN.
-A INPUT -m state --state INVALID -j DROP
-A INPUT -p tcp -m tcp -m state --tcp-flags SYN,ACK SYN,ACK --state NEW -j REJECT --reject-with tcp-reset
-A INPUT -p tcp -m tcp -m state ! --tcp-flags FIN,SYN,RST,ACK SYN --state NEW -j DROP
# Anti-spoofing on the WAN side covers loopback and link-local only. There is
# no equivalent drop for 192.168.0.0/24 or 10.0.0.0/24 arriving on eth0, and
# the FORWARD rules below match on that LAN source without -i eth1, so unless
# rp_filter is enabled a spoofed LAN source arriving on eth0 inherits the LAN's
# forwarding rights. Adding -i eth1 to the source-based FORWARD rules closes it.
-A INPUT -s 127.0.0.0/255.0.0.0 -i eth0 -j DROP
-A INPUT -s 169.254.0.0/255.255.0.0 -i eth0 -j DROP
-A INPUT -i lo -j ACCEPT
# VPN interfaces are trusted wholesale. "tun+" matches tun0, tun1, ... but NOT
# tap0, which is what the routing table shows for 10.0.0.0/24. If tap0 is the
# OpenVPN interface, its traffic falls through to the DROP policy in INPUT,
# FORWARD and OUTPUT; use "tap+" (or both patterns) in that case.
-A INPUT -i pptp+ -j ACCEPT
-A INPUT -i tun+ -j ACCEPT
# The LAN side is fully trusted into the firewall itself.
-A INPUT -i eth1 -j ACCEPT
# ICMP accepted from the WAN: echo-reply, destination-unreachable, echo-request,
# time-exceeded. Type 8 means the firewall answers pings from the Internet -
# confirm that is intended.
-A INPUT -p icmp -m icmp -i eth0 --icmp-type 0 -j ACCEPT
-A INPUT -p icmp -m icmp -i eth0 --icmp-type 3 -j ACCEPT
-A INPUT -p icmp -m icmp -i eth0 --icmp-type 8 -j ACCEPT
-A INPUT -p icmp -m icmp -i eth0 --icmp-type 11 -j ACCEPT
# DHCP client replies on the WAN side. DHCP is UDP only; the TCP variant is
# harmless dead weight.
-A INPUT -p udp -m udp -i eth0 --dport 68 --sport 67 -j ACCEPT
-A INPUT -p tcp -m tcp -i eth0 --dport 68 --sport 67 -j ACCEPT
# Services the firewall itself exposes on its WAN address. No -i is given, so
# these match on any interface. Notes: 20/21 is cleartext FTP; 1723 plus GRE is
# PPTP, whose MS-CHAPv2 authentication is widely considered broken - prefer the
# OpenVPN endpoint on 1194. The 443 rule is unreachable for new connections
# because nat PREROUTING DNATs 192.168.2.100:443 to 192.168.0.222 (those
# packets go through FORWARD, not INPUT).
-A INPUT -p tcp -m tcp -d 192.168.2.100 --dport 81 -j ACCEPT
-A INPUT -p tcp -m tcp -d 192.168.2.100 --dport 20 -j ACCEPT
-A INPUT -p tcp -m tcp -d 192.168.2.100 --dport 21 -j ACCEPT
-A INPUT -p tcp -m tcp -d 192.168.2.100 --dport 443 -j ACCEPT
-A INPUT -p udp -m udp -d 192.168.2.100 --dport 1194 -j ACCEPT
-A INPUT -p tcp -m tcp -d 192.168.2.100 --dport 25 -j ACCEPT
-A INPUT -p tcp -m tcp -d 192.168.2.100 --dport 2224 -j ACCEPT
-A INPUT -p tcp -m tcp -d 192.168.2.100 --dport 11011 -j ACCEPT
-A INPUT -p gre -d 192.168.2.100 -j ACCEPT
-A INPUT -p tcp -m tcp -d 192.168.2.100 --dport 1723 -j ACCEPT
# Return traffic for connections the firewall opened itself: WAN side only, and
# only when the local port is >= 1024.
-A INPUT -p udp -m udp -m state -i eth0 --dport 1024:65535 --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp -m state -i eth0 --dport 1024:65535 --state RELATED,ESTABLISHED -j ACCEPT
# FORWARD: post-DNAT destinations for the port forwards. No -i eth0, so LAN
# clients using the external address (hairpin) are covered as well.
-A FORWARD -p tcp -m tcp -d 192.168.0.222 -o eth1 --dport 53 -j ACCEPT
-A FORWARD -p tcp -m tcp -d 192.168.0.222 -o eth1 --dport 80 -j ACCEPT
-A FORWARD -p tcp -m tcp -d 192.168.0.222 -o eth1 --dport 443 -j ACCEPT
-A FORWARD -p tcp -m tcp -d 192.168.0.222 -o eth1 --dport 993 -j ACCEPT
-A FORWARD -p tcp -m tcp -d 192.168.0.222 -o eth1 --dport 995 -j ACCEPT
-A FORWARD -p tcp -m tcp -d 192.168.0.222 -o eth1 --dport 2222 -j ACCEPT
-A FORWARD -p tcp -m tcp -d 192.168.0.222 -o eth1 --dport 3000 -j ACCEPT
-A FORWARD -p tcp -m tcp -d 192.168.0.222 -o eth1 --dport 10101 -j ACCEPT
-A FORWARD -p udp -m udp -d 192.168.0.222 -o eth1 --dport 53 -j ACCEPT
-A FORWARD -p udp -m udp -d 192.168.0.222 -o eth1 --dport 6277 -j ACCEPT
-A FORWARD -p udp -m udp -d 192.168.0.222 -o eth1 --dport 24441 -j ACCEPT
-A FORWARD -p udp -m udp -d 192.168.0.101 -o eth1 --dport 123 -j ACCEPT
-A FORWARD -p tcp -m tcp -d 192.168.0.111 -o eth1 --dport 5911 -j ACCEPT
-A FORWARD -p tcp -m tcp -d 192.168.0.111 -o eth1 --dport 27027 -j ACCEPT
-A FORWARD -p tcp -m tcp -d 192.168.0.101 -o eth1 --dport 5801 -j ACCEPT
-A FORWARD -p tcp -m tcp -d 192.168.0.101 -o eth1 --dport 2223 -j ACCEPT
# Egress policy for the LAN: only these destination ports may leave, to any
# destination (that includes SSH on 22 and VNC on 5900-5905). Matched on source
# address only - see the anti-spoofing note above.
-A FORWARD -p udp -m udp -s 192.168.0.0/255.255.255.0 --dport 53 -j ACCEPT
-A FORWARD -p udp -m udp -s 192.168.0.0/255.255.255.0 --dport 6277 -j ACCEPT
-A FORWARD -p tcp -m tcp -s 192.168.0.0/255.255.255.0 --dport 443 -j ACCEPT
-A FORWARD -p udp -m udp -s 192.168.0.0/255.255.255.0 --dport 123 -j ACCEPT
-A FORWARD -p udp -m udp -s 192.168.0.0/255.255.255.0 --dport 1194 -j ACCEPT
-A FORWARD -p tcp -m tcp -s 192.168.0.0/255.255.255.0 --dport 110 -j ACCEPT
-A FORWARD -p udp -m udp -s 192.168.0.0/255.255.255.0 --dport 24441 -j ACCEPT
-A FORWARD -p tcp -m tcp -s 192.168.0.0/255.255.255.0 --dport 2703 -j ACCEPT
-A FORWARD -p tcp -m tcp -s 192.168.0.0/255.255.255.0 --dport 22 -j ACCEPT
-A FORWARD -p tcp -m tcp -s 192.168.0.0/255.255.255.0 --dport 20001 -j ACCEPT
-A FORWARD -p tcp -m tcp -s 192.168.0.0/255.255.255.0 --dport 25 -j ACCEPT
-A FORWARD -p tcp -m tcp -s 192.168.0.0/255.255.255.0 --dport 5900:5905 -j ACCEPT
-A FORWARD -p tcp -m tcp -s 192.168.0.0/255.255.255.0 --dport 27027 -j ACCEPT
# Replies and related packets for any forwarded connection.
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
# The LAN may ping; anything else from the LAN not listed above is dropped.
-A FORWARD -p icmp -m icmp -s 192.168.0.0/255.255.255.0 --icmp-type 0 -j ACCEPT
-A FORWARD -p icmp -m icmp -s 192.168.0.0/255.255.255.0 --icmp-type 8 -j ACCEPT
-A FORWARD -p icmp -m icmp -s 192.168.0.0/255.255.255.0 --icmp-type 11 -j ACCEPT
-A FORWARD -s 192.168.0.0/255.255.255.0 -j DROP
# VPN clients get unrestricted forwarding (LAN and Internet), unlike the LAN,
# whose egress is port-filtered above - confirm that asymmetry is intended.
# As in INPUT, "tun+" does not match tap0.
-A FORWARD -i pptp+ -j ACCEPT
-A FORWARD -i tun+ -j ACCEPT
# OUTPUT: loopback, VPN and LAN unrestricted. ICMP out via eth0 is accepted
# here, and the routing table sends 192.168.2.254 via eth0, so with this ruleset
# the ping should not be refused by OUTPUT. NOTE(review): this dump is dated
# 2010 - confirm the running rules with "iptables -L OUTPUT -v -n --line-numbers"
# and "iptables -t mangle -L -v -n" and watch which counter increments while
# pinging.
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -o pptp+ -j ACCEPT
-A OUTPUT -o tun+ -j ACCEPT
-A OUTPUT -o eth1 -j ACCEPT
-A OUTPUT -p icmp -o eth0 -j ACCEPT
# DHCP client requests (the TCP variant is dead weight, as in INPUT).
-A OUTPUT -p udp -m udp -o eth0 --dport 67 --sport 68 -j ACCEPT
-A OUTPUT -p tcp -m tcp -o eth0 --dport 67 --sport 68 -j ACCEPT
# Per-service OUTPUT rules for the exposed services. All of them are redundant:
# the final "-o eth0 -j ACCEPT" below lets everything out via eth0 anyway. The
# effective OUTPUT policy is therefore: everything out via lo, pptp+, tun+, eth1
# and eth0; nothing out via any other interface (e.g. tap0).
-A OUTPUT -p tcp -m tcp -s 192.168.2.100 -o eth0 --sport 81 -j ACCEPT
-A OUTPUT -p tcp -m tcp -s 192.168.2.100 -o eth0 --sport 20 -j ACCEPT
-A OUTPUT -p tcp -m tcp -s 192.168.2.100 -o eth0 --sport 21 -j ACCEPT
-A OUTPUT -p tcp -m tcp -s 192.168.2.100 -o eth0 --sport 443 -j ACCEPT
-A OUTPUT -p udp -m udp -s 192.168.2.100 -o eth0 --sport 1194 -j ACCEPT
-A OUTPUT -p tcp -m tcp -s 192.168.2.100 -o eth0 --sport 25 -j ACCEPT
-A OUTPUT -p tcp -m tcp -s 192.168.2.100 -o eth0 --sport 2224 -j ACCEPT
-A OUTPUT -p tcp -m tcp -s 192.168.2.100 -o eth0 --sport 11011 -j ACCEPT
-A OUTPUT -p gre -s 192.168.2.100 -o eth0 -j ACCEPT
-A OUTPUT -p tcp -m tcp -s 192.168.2.100 -o eth0 --sport 1723 -j ACCEPT
-A OUTPUT -o eth0 -j ACCEPT
# Body of the unreferenced helper chain declared above.
-A drop-lan -j DROP
COMMIT
# Completed on Sun Dec 26 16:03:28 2010
After I start my firewall I can no longer ping my router. I'm using ClearOS as the firewall, with two NICs (one for the LAN, one for the WAN). The error is as follows:
PING 192.168.2.254 (192.168.2.254) 56(84) bytes of data.
ping: sendmsg: Operation not permitted
ping: sendmsg: Operation not permitted
Please help.
Thank,
Thusitha...
My routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
10.0.0.0 0.0.0.0 255.255.255.0 U 0 0 0 tap0
192.168.2.0 0.0.0.0 255.255.255.0 U 0 0 0 eth0
192.168.0.0 0.0.0.0 255.255.255.0 U 0 0 0 eth1
0.0.0.0 192.168.2.254 0.0.0.0 UG 0 0 0 eth0
my firewall
# Generated by iptables-save v1.3.5 on Sun Dec 26 16:03:28 2010
*nat


:OUTPUT ACCEPT [109262:7242459]
-A PREROUTING -s ! 127.0.0.1 -p tcp -m tcp --dport 3128 -j REDIRECT --to-ports 82
-A PREROUTING -d 192.168.2.100 -p tcp -m tcp --dport 53 -j DNAT --to-destination 192.168.0.222:53
-A PREROUTING -d 192.168.2.100 -p tcp -m tcp --dport 80 -j DNAT --to-destination 192.168.0.222:80
-A PREROUTING -d 192.168.2.100 -p tcp -m tcp --dport 443 -j DNAT --to-destination 192.168.0.222:443
-A PREROUTING -d 192.168.2.100 -p tcp -m tcp --dport 993 -j DNAT --to-destination 192.168.0.222:993
-A PREROUTING -d 192.168.2.100 -p tcp -m tcp --dport 995 -j DNAT --to-destination 192.168.0.222:995
-A PREROUTING -d 192.168.2.100 -p tcp -m tcp --dport 2222 -j DNAT --to-destination 192.168.0.222:2222
-A PREROUTING -d 192.168.2.100 -p tcp -m tcp --dport 3000 -j DNAT --to-destination 192.168.0.222:3000
-A PREROUTING -d 192.168.2.100 -p tcp -m tcp --dport 10101 -j DNAT --to-destination 192.168.0.222:10101
-A PREROUTING -d 192.168.2.100 -p udp -m udp --dport 53 -j DNAT --to-destination 192.168.0.222:53
-A PREROUTING -d 192.168.2.100 -p udp -m udp --dport 6277 -j DNAT --to-destination 192.168.0.222:6277
-A PREROUTING -d 192.168.2.100 -p udp -m udp --dport 24441 -j DNAT --to-destination 192.168.0.222:24441
-A PREROUTING -d 192.168.2.100 -p udp -m udp --dport 123 -j DNAT --to-destination 192.168.0.101:123
-A PREROUTING -d 192.168.2.100 -p tcp -m tcp --dport 5911 -j DNAT --to-destination 192.168.0.111:5911
-A PREROUTING -d 192.168.2.100 -p tcp -m tcp --dport 27027 -j DNAT --to-destination 192.168.0.111:27027
-A PREROUTING -d 192.168.2.100 -p tcp -m tcp --dport 5801 -j DNAT --to-destination 192.168.0.101:5801
-A PREROUTING -d 192.168.2.100 -p tcp -m tcp --dport 2223 -j DNAT --to-destination 192.168.0.101:2223
-A PREROUTING -d 192.168.0.100 -p tcp -m tcp --dport 80 -j ACCEPT
-A PREROUTING -d 192.168.2.100 -p tcp -m tcp --dport 80 -j ACCEPT
-A PREROUTING -d 74.52.31.184 -p tcp -m tcp --dport 80 -j ACCEPT
-A PREROUTING -i eth1 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 8080
-A POSTROUTING -s 192.168.0.0/255.255.255.0 -d 192.168.0.222 -p tcp -m tcp --dport 53 -j SNAT --to-source 192.168.0.100
-A POSTROUTING -s 192.168.0.0/255.255.255.0 -d 192.168.0.222 -p tcp -m tcp --dport 80 -j SNAT --to-source 192.168.0.100
-A POSTROUTING -s 192.168.0.0/255.255.255.0 -d 192.168.0.222 -p tcp -m tcp --dport 443 -j SNAT --to-source 192.168.0.100
-A POSTROUTING -s 192.168.0.0/255.255.255.0 -d 192.168.0.222 -p tcp -m tcp --dport 993 -j SNAT --to-source 192.168.0.100
-A POSTROUTING -s 192.168.0.0/255.255.255.0 -d 192.168.0.222 -p tcp -m tcp --dport 995 -j SNAT --to-source 192.168.0.100
-A POSTROUTING -s 192.168.0.0/255.255.255.0 -d 192.168.0.222 -p tcp -m tcp --dport 2222 -j SNAT --to-source 192.168.0.100
-A POSTROUTING -s 192.168.0.0/255.255.255.0 -d 192.168.0.222 -p tcp -m tcp --dport 3000 -j SNAT --to-source 192.168.0.100
-A POSTROUTING -s 192.168.0.0/255.255.255.0 -d 192.168.0.222 -p tcp -m tcp --dport 10101 -j SNAT --to-source 192.168.0.100
-A POSTROUTING -s 192.168.0.0/255.255.255.0 -d 192.168.0.222 -p udp -m udp --dport 53 -j SNAT --to-source 192.168.0.100
-A POSTROUTING -s 192.168.0.0/255.255.255.0 -d 192.168.0.222 -p udp -m udp --dport 6277 -j SNAT --to-source 192.168.0.100
-A POSTROUTING -s 192.168.0.0/255.255.255.0 -d 192.168.0.222 -p udp -m udp --dport 24441 -j SNAT --to-source 192.168.0.100
-A POSTROUTING -s 192.168.0.0/255.255.255.0 -d 192.168.0.101 -p udp -m udp --dport 123 -j SNAT --to-source 192.168.0.100
-A POSTROUTING -s 192.168.0.0/255.255.255.0 -d 192.168.0.111 -p tcp -m tcp --dport 5911 -j SNAT --to-source 192.168.0.100
-A POSTROUTING -s 192.168.0.0/255.255.255.0 -d 192.168.0.111 -p tcp -m tcp --dport 27027 -j SNAT --to-source 192.168.0.100
-A POSTROUTING -s 192.168.0.0/255.255.255.0 -d 192.168.0.101 -p tcp -m tcp --dport 5801 -j SNAT --to-source 192.168.0.100
-A POSTROUTING -s 192.168.0.0/255.255.255.0 -d 192.168.0.101 -p tcp -m tcp --dport 2223 -j SNAT --to-source 192.168.0.100
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT
# Completed on Sun Dec 26 16:03:28 2010
# Generated by iptables-save v1.3.5 on Sun Dec 26 16:03:28 2010
*mangle

:INPUT ACCEPT [3826954:3273590417]
:FORWARD ACCEPT [67772:17095110]
:OUTPUT ACCEPT [4014288:3299688418]

-A PREROUTING -i eth0 -j IMQ --todev 1
-A POSTROUTING -o eth0 -j IMQ --todev 0
COMMIT
# Completed on Sun Dec 26 16:03:28 2010
# Generated by iptables-save v1.3.5 on Sun Dec 26 16:03:28 2010
*filter
:FORWARD DROP [0:0]
:INPUT DROP [0:0]
:OUTPUT DROP [0:0]
:drop-lan - [0:0]
-A FORWARD -o eth0 -j LOG --log-level 7 --log-prefix BANDWIDTH_OUT:
-A FORWARD -i eth0 -j LOG --log-level 7 --log-prefix BANDWIDTH_IN:
-A OUTPUT -o eth0 -j LOG --log-level 7 --log-prefix BANDWIDTH_OUT:
-A INPUT -i eth0 -j LOG --log-level 7 --log-prefix BANDWIDTH_IN:
-A INPUT -m state --state INVALID -j DROP
-A INPUT -p tcp -m tcp -m state --tcp-flags SYN,ACK SYN,ACK --state NEW -j REJECT --reject-with tcp-reset
-A INPUT -p tcp -m tcp -m state ! --tcp-flags FIN,SYN,RST,ACK SYN --state NEW -j DROP
-A INPUT -s 127.0.0.0/255.0.0.0 -i eth0 -j DROP
-A INPUT -s 169.254.0.0/255.255.0.0 -i eth0 -j DROP
-A INPUT -i lo -j ACCEPT
-A INPUT -i pptp+ -j ACCEPT
-A INPUT -i tun+ -j ACCEPT
-A INPUT -i eth1 -j ACCEPT
-A INPUT -p icmp -m icmp -i eth0 --icmp-type 0 -j ACCEPT
-A INPUT -p icmp -m icmp -i eth0 --icmp-type 3 -j ACCEPT
-A INPUT -p icmp -m icmp -i eth0 --icmp-type 8 -j ACCEPT
-A INPUT -p icmp -m icmp -i eth0 --icmp-type 11 -j ACCEPT
-A INPUT -p udp -m udp -i eth0 --dport 68 --sport 67 -j ACCEPT
-A INPUT -p tcp -m tcp -i eth0 --dport 68 --sport 67 -j ACCEPT
-A INPUT -p tcp -m tcp -d 192.168.2.100 --dport 81 -j ACCEPT
-A INPUT -p tcp -m tcp -d 192.168.2.100 --dport 20 -j ACCEPT
-A INPUT -p tcp -m tcp -d 192.168.2.100 --dport 21 -j ACCEPT
-A INPUT -p tcp -m tcp -d 192.168.2.100 --dport 443 -j ACCEPT
-A INPUT -p udp -m udp -d 192.168.2.100 --dport 1194 -j ACCEPT
-A INPUT -p tcp -m tcp -d 192.168.2.100 --dport 25 -j ACCEPT
-A INPUT -p tcp -m tcp -d 192.168.2.100 --dport 2224 -j ACCEPT
-A INPUT -p tcp -m tcp -d 192.168.2.100 --dport 11011 -j ACCEPT
-A INPUT -p gre -d 192.168.2.100 -j ACCEPT
-A INPUT -p tcp -m tcp -d 192.168.2.100 --dport 1723 -j ACCEPT
-A INPUT -p udp -m udp -m state -i eth0 --dport 1024:65535 --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp -m state -i eth0 --dport 1024:65535 --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -p tcp -m tcp -d 192.168.0.222 -o eth1 --dport 53 -j ACCEPT
-A FORWARD -p tcp -m tcp -d 192.168.0.222 -o eth1 --dport 80 -j ACCEPT
-A FORWARD -p tcp -m tcp -d 192.168.0.222 -o eth1 --dport 443 -j ACCEPT
-A FORWARD -p tcp -m tcp -d 192.168.0.222 -o eth1 --dport 993 -j ACCEPT
-A FORWARD -p tcp -m tcp -d 192.168.0.222 -o eth1 --dport 995 -j ACCEPT
-A FORWARD -p tcp -m tcp -d 192.168.0.222 -o eth1 --dport 2222 -j ACCEPT
-A FORWARD -p tcp -m tcp -d 192.168.0.222 -o eth1 --dport 3000 -j ACCEPT
-A FORWARD -p tcp -m tcp -d 192.168.0.222 -o eth1 --dport 10101 -j ACCEPT
-A FORWARD -p udp -m udp -d 192.168.0.222 -o eth1 --dport 53 -j ACCEPT
-A FORWARD -p udp -m udp -d 192.168.0.222 -o eth1 --dport 6277 -j ACCEPT
-A FORWARD -p udp -m udp -d 192.168.0.222 -o eth1 --dport 24441 -j ACCEPT
-A FORWARD -p udp -m udp -d 192.168.0.101 -o eth1 --dport 123 -j ACCEPT
-A FORWARD -p tcp -m tcp -d 192.168.0.111 -o eth1 --dport 5911 -j ACCEPT
-A FORWARD -p tcp -m tcp -d 192.168.0.111 -o eth1 --dport 27027 -j ACCEPT
-A FORWARD -p tcp -m tcp -d 192.168.0.101 -o eth1 --dport 5801 -j ACCEPT
-A FORWARD -p tcp -m tcp -d 192.168.0.101 -o eth1 --dport 2223 -j ACCEPT
-A FORWARD -p udp -m udp -s 192.168.0.0/255.255.255.0 --dport 53 -j ACCEPT
-A FORWARD -p udp -m udp -s 192.168.0.0/255.255.255.0 --dport 6277 -j ACCEPT
-A FORWARD -p tcp -m tcp -s 192.168.0.0/255.255.255.0 --dport 443 -j ACCEPT
-A FORWARD -p udp -m udp -s 192.168.0.0/255.255.255.0 --dport 123 -j ACCEPT
-A FORWARD -p udp -m udp -s 192.168.0.0/255.255.255.0 --dport 1194 -j ACCEPT
-A FORWARD -p tcp -m tcp -s 192.168.0.0/255.255.255.0 --dport 110 -j ACCEPT
-A FORWARD -p udp -m udp -s 192.168.0.0/255.255.255.0 --dport 24441 -j ACCEPT
-A FORWARD -p tcp -m tcp -s 192.168.0.0/255.255.255.0 --dport 2703 -j ACCEPT
-A FORWARD -p tcp -m tcp -s 192.168.0.0/255.255.255.0 --dport 22 -j ACCEPT
-A FORWARD -p tcp -m tcp -s 192.168.0.0/255.255.255.0 --dport 20001 -j ACCEPT
-A FORWARD -p tcp -m tcp -s 192.168.0.0/255.255.255.0 --dport 25 -j ACCEPT
-A FORWARD -p tcp -m tcp -s 192.168.0.0/255.255.255.0 --dport 5900:5905 -j ACCEPT
-A FORWARD -p tcp -m tcp -s 192.168.0.0/255.255.255.0 --dport 27027 -j ACCEPT
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -p icmp -m icmp -s 192.168.0.0/255.255.255.0 --icmp-type 0 -j ACCEPT
-A FORWARD -p icmp -m icmp -s 192.168.0.0/255.255.255.0 --icmp-type 8 -j ACCEPT
-A FORWARD -p icmp -m icmp -s 192.168.0.0/255.255.255.0 --icmp-type 11 -j ACCEPT
-A FORWARD -s 192.168.0.0/255.255.255.0 -j DROP
-A FORWARD -i pptp+ -j ACCEPT
-A FORWARD -i tun+ -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -o pptp+ -j ACCEPT
-A OUTPUT -o tun+ -j ACCEPT
-A OUTPUT -o eth1 -j ACCEPT
-A OUTPUT -p icmp -o eth0 -j ACCEPT
-A OUTPUT -p udp -m udp -o eth0 --dport 67 --sport 68 -j ACCEPT
-A OUTPUT -p tcp -m tcp -o eth0 --dport 67 --sport 68 -j ACCEPT
-A OUTPUT -p tcp -m tcp -s 192.168.2.100 -o eth0 --sport 81 -j ACCEPT
-A OUTPUT -p tcp -m tcp -s 192.168.2.100 -o eth0 --sport 20 -j ACCEPT
-A OUTPUT -p tcp -m tcp -s 192.168.2.100 -o eth0 --sport 21 -j ACCEPT
-A OUTPUT -p tcp -m tcp -s 192.168.2.100 -o eth0 --sport 443 -j ACCEPT
-A OUTPUT -p udp -m udp -s 192.168.2.100 -o eth0 --sport 1194 -j ACCEPT
-A OUTPUT -p tcp -m tcp -s 192.168.2.100 -o eth0 --sport 25 -j ACCEPT
-A OUTPUT -p tcp -m tcp -s 192.168.2.100 -o eth0 --sport 2224 -j ACCEPT
-A OUTPUT -p tcp -m tcp -s 192.168.2.100 -o eth0 --sport 11011 -j ACCEPT
-A OUTPUT -p gre -s 192.168.2.100 -o eth0 -j ACCEPT
-A OUTPUT -p tcp -m tcp -s 192.168.2.100 -o eth0 --sport 1723 -j ACCEPT
-A OUTPUT -o eth0 -j ACCEPT
-A drop-lan -j DROP
COMMIT
# Completed on Sun Dec 26 16:03:28 2010