Linux.com

Joined: Jul 24, 2007
Posts: 1
Posted Jul 25, 2007 at 8:57:28 AM
Subject: Build dmz server for windows sharing printer using iptables
I have no idea what is wrong with my script below; I don't know where the mismatch is. I plan to build a DMZ server for a Windows shared printer with this script, but it does not work. However, the DMZ for the web server works successfully. Please help me!

#!/bin/sh
FW_HOSTNAME="DMZ"
KDCAB="5"
NETMASK_LAMA="netmask 255.255.255.0"
GW_LAMA="192.168.128.1"            # IP address of the VSAT modem
NAT_ADDRESS_LAN="192.168.128.254"
BUFFER="32767500"                  # BUFFER = 65535 * 500
# FW_NAMESERVER is used below but was never set in the posted script, which writes an
# empty "nameserver" line to /etc/resolv.conf; fill in a DNS server address (placeholder shown)
FW_NAMESERVER="${FW_NAMESERVER:-<dns-server-ip>}"
# Data center network
ETH_DC="eth0"
NET_DC="192.168.128.0/24"
# Local branch network
ETH_LOCAL="eth1"
NET_LOCAL="192.168.$KDCAB.0/24"
GOTOHELL="DROP"
ipt="iptables"
SPOK="--sport 1024:65535"
VIRUS_ALERT="0"

#*************************
# NETWORK SETTINGS
#*************************
# Set the hostname
hostname $FW_HOSTNAME
# Set the DNS address
echo "nameserver $FW_NAMESERVER" > /etc/resolv.conf
# Enable IPv4 forwarding
echo 1 > /proc/sys/net/ipv4/ip_forward
# Static routes
route del -net $NET_DC gw $GW_LAMA
route del -net default gw $GW_LAMA
route add -net $NET_DC gw $GW_LAMA
route add -net default gw $GW_LAMA
# Load modules for FTP connection tracking and NAT
modprobe ip_conntrack
modprobe ip_nat_ftp
modprobe ip_conntrack_ftp
modprobe iptable_nat
# Set the connection-tracking table size
# DEFAULT = 65535 - depends on RAM size
echo $BUFFER > /proc/sys/net/ipv4/netfilter/ip_conntrack_max
# Drop ICMP echo-request messages sent to broadcast or multicast addresses
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
# Drop source routed packets
echo 0 > /proc/sys/net/ipv4/conf/all/accept_source_route
# Enable TCP SYN cookie protection from SYN floods
echo 1 > /proc/sys/net/ipv4/tcp_syncookies
# Don't accept ICMP redirect messages
echo 0 > /proc/sys/net/ipv4/conf/all/accept_redirects
# Don't send ICMP redirect messages
echo 0 > /proc/sys/net/ipv4/conf/all/send_redirects
# Enable source address spoofing protection
echo 1 > /proc/sys/net/ipv4/conf/all/rp_filter
# Log packets with impossible source addresses
echo $VIRUS_ALERT > /proc/sys/net/ipv4/conf/all/log_martians

# Flush all the chains
$ipt --flush
$ipt -t nat --flush
$ipt -t mangle --flush
# Delete the user-defined chains
$ipt --delete-chain
$ipt -t nat --delete-chain
$ipt -t mangle --delete-chain
# Set the policies
$ipt --policy INPUT DROP
$ipt --policy OUTPUT DROP
$ipt --policy FORWARD DROP
$ipt -t nat --policy POSTROUTING ACCEPT
$ipt -t nat --policy PREROUTING ACCEPT

# DMZ
$ipt -t nat -A PREROUTING -i $ETH_DC -p TCP --dport 80 -j DNAT --to-destination 192.168.5.10:80
$ipt -t nat -A PREROUTING -i $ETH_DC -p TCP --dport 137 -j DNAT --to-destination 192.168.5.22:137
$ipt -t nat -A PREROUTING -i $ETH_DC -p UDP --dport 137 -j DNAT --to-destination 192.168.5.22:137
$ipt -t nat -A PREROUTING -i $ETH_DC -p UDP --dport 138 -j DNAT --to-destination 192.168.5.22:138
$ipt -t nat -A PREROUTING -i $ETH_DC -p TCP --dport 139 -j DNAT --to-destination 192.168.5.22:139
$ipt -t nat -A PREROUTING -i $ETH_DC -p UDP --dport 139 -j DNAT --to-destination 192.168.5.22:139
$ipt -t nat -A PREROUTING -i $ETH_DC -p TCP --dport 445 -j DNAT --to-destination 192.168.5.22:445
# NAT for the local area network
$ipt -t nat -A POSTROUTING -o $ETH_DC -j SNAT --to-source $NAT_ADDRESS_LAN
# SSH to the firewall from the data center
$ipt -A INPUT -p TCP -i $ETH_DC --dport ssh -j ACCEPT
# DMZ
$ipt -A INPUT -p TCP -m tcp $SPOK --dport 137 -j ACCEPT
$ipt -A INPUT -p UDP -m udp $SPOK --dport 137 -j ACCEPT
$ipt -A INPUT -p UDP -m udp $SPOK --dport 138 -j ACCEPT
$ipt -A INPUT -p TCP -m tcp $SPOK --dport 139 -j ACCEPT
$ipt -A INPUT -p UDP -m udp $SPOK --dport 139 -j ACCEPT
$ipt -A INPUT -p TCP -m tcp $SPOK --dport 445 -j ACCEPT
$ipt -A INPUT -p UDP -m udp $SPOK --dport 445 -j ACCEPT
# Always allow unlimited traffic on the loopback interface
$ipt -A INPUT -p all -i lo -j ACCEPT
$ipt -A OUTPUT -p all -o lo -j ACCEPT
# Previously initiated and accepted exchanges bypass rule checking
# (note: NEW is included as well, so these two rules accept all INPUT and OUTPUT traffic,
# not only established exchanges, and the DROP policies above never apply)
$ipt -A INPUT -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
$ipt -A OUTPUT -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
# Allow PING tests to this firewall and across the networks
$ipt -A INPUT -p icmp -j ACCEPT
$ipt -A OUTPUT -p icmp -j ACCEPT
$ipt -A FORWARD -p icmp -j ACCEPT

#=================================
# PUBLIC/GENERAL APPLICATIONS FOR EVERYONE
#=================================
$ipt -N PUBLIK
$ipt -A FORWARD -j PUBLIK
# FTP control connection
$ipt -A PUBLIK -p TCP $SPOK --dport ftp -j ACCEPT
$ipt -A PUBLIK -p UDP $SPOK --dport ftp -j ACCEPT
# FTP data transfer
$ipt -A PUBLIK -p TCP $SPOK --dport ftp-data -j ACCEPT
$ipt -A PUBLIK -p UDP $SPOK --dport ftp-data -j ACCEPT
# SMTP
$ipt -A PUBLIK -p TCP $SPOK --dport smtp -j ACCEPT
$ipt -A PUBLIK -p TCP $SPOK --dport smtps -j ACCEPT
# IMAP
$ipt -A PUBLIK -p TCP $SPOK --dport imap -j ACCEPT
$ipt -A PUBLIK -p TCP $SPOK --dport imaps -j ACCEPT
# Web mail server
$ipt -A PUBLIK -p TCP $SPOK --dport 8080 -j ACCEPT
$ipt -A PUBLIK -p TCP $SPOK --dport 5432 -j ACCEPT
# POP3
$ipt -A PUBLIK -p TCP $SPOK --dport pop3 -j ACCEPT
$ipt -A PUBLIK -p TCP $SPOK --dport pop3s -j ACCEPT
# DNS/Domain/Name Server
$ipt -A PUBLIK -p UDP $SPOK --dport 53 -j ACCEPT
# Web access server
$ipt -A PUBLIK -p TCP $SPOK --dport http -j ACCEPT
$ipt -A PUBLIK -p TCP $SPOK --dport https -j ACCEPT
# Remote Desktop
$ipt -A PUBLIK -p TCP $SPOK --dport 3389 -j ACCEPT
# DMZ
$ipt -A PUBLIK -p TCP -m tcp $SPOK --dport 137 -j ACCEPT
$ipt -A PUBLIK -p UDP -m udp $SPOK --dport 137 -j ACCEPT
$ipt -A PUBLIK -p UDP -m udp $SPOK --dport 138 -j ACCEPT
$ipt -A PUBLIK -p TCP -m tcp $SPOK --dport 139 -j ACCEPT
$ipt -A PUBLIK -p UDP -m udp $SPOK --dport 139 -j ACCEPT
$ipt -A PUBLIK -p TCP -m tcp $SPOK --dport 445 -j ACCEPT
$ipt -A PUBLIK -p UDP -m udp $SPOK --dport 445 -j ACCEPT
# Allow previously ESTABLISHED FORWARD connections
# (note: NEW is included here too, so every forwarded packet not matched by PUBLIK is
# accepted anyway and the FORWARD DROP policy never applies)
$ipt -A FORWARD -p ALL -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
# Outbound Telnet & SSH
$ipt -A OUTPUT -p TCP --dport telnet -m state --state NEW -j ACCEPT
$ipt -A OUTPUT -p TCP --dport ssh -m state --state NEW -j ACCEPT
# Allow previously established connections
$ipt -A OUTPUT -s 127.0.0.1 -j ACCEPT
$ipt -A OUTPUT -p ALL -m state --state RELATED,ESTABLISHED -j ACCEPT
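As an added example (not the poster's script, nor anything else from this thread), here is the SMB port-forward part of such a ruleset written the way a defender would want it: the DNAT and FORWARD rules admit only NEW connections from the data-center network to the DMZ host on the four SMB/NetBIOS ports, rather than a chain that accepts those ports from anywhere to anywhere plus a FORWARD rule that also accepts NEW. The interface names, FW_DC_ADDR (the firewall's own address on the data-center side) and DMZ_HOST are assumptions chosen to line up with the posted variables, and IPT defaults to echo so the rules are printed rather than applied.

```shell
#!/bin/sh
# Added example: tightened DNAT + FORWARD rules for an SMB/NetBIOS print server in the DMZ.
# Assumed names: ETH_DC/NET_DC (data-center side), ETH_LOCAL (DMZ side),
# FW_DC_ADDR (the firewall's address on ETH_DC), DMZ_HOST (the print server).
# IPT defaults to "echo iptables" so the script prints the rules instead of loading them;
# run with IPT=iptables as root to apply them.
IPT="${IPT:-echo iptables}"
ETH_DC="eth0"; NET_DC="192.168.128.0/24"; FW_DC_ADDR="192.168.128.254"
ETH_LOCAL="eth1"; DMZ_HOST="192.168.5.22"

# Only the SMB session (139/445) and NetBIOS datagram/name (137/138) ports are forwarded;
# nothing else reaches the DMZ host, because the FORWARD policy is assumed to be DROP.
SMB_PORTS="tcp:139 tcp:445 udp:137 udp:138"

smb_forward_rules() {
    for p in $SMB_PORTS; do
        proto=${p%%:*}
        port=${p##*:}
        # Translate only packets that arrive on the data-center interface, from the
        # data-center network, addressed to the firewall itself; the port is unchanged.
        $IPT -t nat -A PREROUTING -i "$ETH_DC" -s "$NET_DC" -d "$FW_DC_ADDR" \
            -p "$proto" --dport "$port" -j DNAT --to-destination "$DMZ_HOST"
        # FORWARD sees the packet after DNAT, so match the DMZ host as destination and
        # admit only NEW connections to this one port from the data-center side.
        $IPT -A FORWARD -i "$ETH_DC" -o "$ETH_LOCAL" -s "$NET_DC" -d "$DMZ_HOST" \
            -p "$proto" --dport "$port" -m conntrack --ctstate NEW -j ACCEPT
    done
    # Replies and related packets of connections already accepted. There is no blanket
    # NEW accept, so a NEW connection from the DMZ host back towards the data center
    # still falls through to the DROP policy.
    $IPT -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
}

smb_forward_rules
```

With forwarding restricted this way the firewall's own INPUT chain does not need to accept ports 137 to 445, since forwarded packets never traverse INPUT. Windows clients must address the share by the firewall's data-center address (or a DNS/LMHOSTS name that maps to it), because NetBIOS broadcast name resolution on UDP 137/138 does not cross the router.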
Joe Barr
Joined Nov 08, 2009
Posts: 146

Posted: Sep 11, 2007 12:52:21 PM
Subject: Build dmz server for windows sharing printer using iptables
Where did you get this script?

Joined Nov 08, 2009
Posts: 241

Posted: Mar 18, 2008 10:12:13 PM
Subject: Build dmz server for windows sharing printer using iptables
Didn't work on any platform. Thanks.