Gaspar, Thanx for trying help ! It looks like I found problem. Probably somewhere in file was non-ASCII chars which are not visible in my editor and causing problem. I rewrite manually script and now works as expected :-) I also change little bit approach: default policy for FORWARD chain is now DROP. I'm allowing forwarding only new connections from LAN to WAN and accept only already established connections from WAN to LAN: iptables -A FORWARD -i $WAN_intf -o $LAN_intf -m state --state ESTABLISHED,RELATED -j ACCEPT iptables -A FORWARD -i $LAN_intf -o $WAN_intf -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT BTW: I have some comments to Your hints (see inline): br Gáspár Lajos wrote: > warpme írta: >> Hi * >> >> I just try setup firewall. Config is following: >> >> Desktop Firewll (192.168.1.1) ------Eth0 >> Eth1(91.189.74.10)---------ISP >> >> Script below is working OK for all LAN hosts, but not for for >> firewall PC itself (i tested it with i.e. ping www.ibm.com) >> Commenting line "iptables -P INPUT DROP" allows to ping from >> firewall, but it effectivelly turning off firewall.... >> It is probably simple error - but I can't find where it is... >> Can somebody verify thid script and tell me what is wrong ? >> >> thx in advance >> >> #Config area >> BEGIN-------------------------------------------------------------- >> >> LAN_intf=eth0 >> LAN_subnetwork=192.168.1.0/255.255.255.0 >> >> WAN_intf=eth1 >> WAN_ip=91.189.74.10 >> >> Open_WAN_TCP_ports=20,21,80,500,1352,4500 >> Open_WAN_UDP_ports=500,1352,4500,5060 >> Open_WAN_RTP_port_range=7070:7080 >> >> >> #Config area >> END---------------------------------------------------------------- >> >> >> >> >> #--Flushing all iptables >> tables------------------------------------------------- >> iptables -F >> iptables -X iptables -t nat -F >> iptables -t nat -X >> iptables -t mangle -F >> iptables -t mangle -X >> >> >> >> >> #--Setting up SNAT for outgoing to WAN DATA >> connections------------------------ >> iptables -t nat -A POSTROUTING -s $LAN_subnetwork -o $WAN_intf -j >> SNAT --to-source $WAN_ip > I would write like this: > > iptables -t nat -A POSTROUTING ! -s $WAN_ip -o $WAN_intf -j SNAT > --to-source $WAN_ip I'm understand advantage of such approach is that any non WAN_ip host will be NAT'ed. But for non-LAN addressed hosts it will require additional entries in routing table for packets received from WAN and destinated to LAN host. Effectively it will require touch to firewall - and by this I'm considering this as no beneficial. >> #--Allowing self access by loopback >> interface---------------------------------- >> iptables -A INPUT -i lo -p all -j ACCEPT >> >> > "-p all" not needed... And I would rather set up the OUTPUT rule than > the INPUT rule because the "lo" interface only accepts connections > from itself... if a new connection is made then first step is to send > OUT something to the other host... :D > iptables -A OUTPUT -o lo -j ACCEPT Well, default iptables policy for all chains is ACCEPT, so this rule is redundant. > >> >> #--Allowing local access to >> LAN------------------------------------------------ >> iptables -A INPUT -i $LAN_intf -p all -j ACCEPT >> >> > no need for "-p all" Right ! > >> >> #--Allowing WAN incoming traffic form already established >> connections---------- >> iptables -A INPUT -i WAN_intf -m state --state ESTABLISHED,RELATED -j >> ACCEPT >> >> >> #--Allowing WAN incoming traffic for desired >> services-------------------------- >> #Open WAN TCP ports >> iptables -A INPUT -p tcp -i $WAN_intf -m multiport --dport >> $Open_WAN_TCP_ports -j ACCEPT >> >> #Open WAN UDP ports >> iptables -A INPUT -p udp -i $WAN_intf -m multiport --dport >> $Open_WAN_UDP_ports -j ACCEPT >> >> #Open VoIP UDP port ranges >> iptables -A INPUT -p udp -i $WAN_intf --dport >> $Open_WAN_RTP_port_range -j ACCEPT >> >> > For "ping" you need the following line: > iptables -A INPUT -p icmp -j ACCEPT Well - it is not needed when only outgoing pings are allowed (my case). I think incoming pings should be rather disabled - it will help to protect host from potential DoS via ping flood. >> #--Drop all other incoming connection. Only above will be >> allowed------------- >> iptables -P INPUT DROP >> >> >> > > >