iptables NAT Issue

Posted: 2009/03/13 21:35:20
by paulrausch
Alright, alas, here is my problem. This is the NAT script that I use at home and for a few customers. It has always in the past worked fine without a problem. This latest environment is a bit different. Typically my machines have been sitting right on the internet; this one is stuck behind a Comcast NAT. This may not even be the problem, but it's the only noticeable difference between that environment and the one I'm on now.

The server itself has no problems. The machines behind its NAT have no problems with connectivity or transparent Squid. The issue is whenever I try to initiate another type of connection from the client machines. Typically I wouldn't mind this for security reasons, but I need SSL to work.

I have a feeling I left out a single rule and it's causing iptables to drop something that needs to be forwarded/accepted.


[code]
#!/bin/bash
# Tools used below; both variables must be set before the script uses them.
MOD="/sbin/modprobe"
IPT="/sbin/iptables"

# set wan interface such as eth1 or ppp0
SHARE_IF="eth0"
WAN="eth0"
LAN="eth1"

# clean old fw
echo "Clearing old firewall rules..."
$IPT -F
$IPT -X
$IPT -t nat -F
$IPT -t nat -X
$IPT -t mangle -F
$IPT -t mangle -X
$IPT -P INPUT ACCEPT
$IPT -P OUTPUT ACCEPT
$IPT -P FORWARD ACCEPT

# Get some kernel modules
echo "Loading kernel modules..."
$MOD ip_tables
$MOD iptable_filter
$MOD iptable_nat
$MOD ip_conntrack
$MOD ipt_MASQUERADE
$MOD ip_nat_ftp
$MOD ip_nat_irc
$MOD ip_conntrack_ftp
$MOD ip_conntrack_irc

# Clean old rules if any, rhel specific but above will take care of everything
# service iptables stop

# unlimited traffic via loopback device
$IPT -A INPUT -i lo -j ACCEPT
$IPT -A OUTPUT -o lo -j ACCEPT

echo "Setting ${WAN} as WAN interface..."
$IPT --table nat --append POSTROUTING --out-interface ${WAN} -j MASQUERADE

echo "Blocking open ports"
$IPT -A INPUT -p tcp -m tcp --dport 111 -j REJECT --reject-with tcp-reset -i ${WAN}
$IPT -A INPUT -p tcp -m tcp --dport 135:139 -j REJECT --reject-with tcp-reset -i ${WAN}
$IPT -A INPUT -p tcp -m tcp --dport 445 -j REJECT --reject-with tcp-reset -i ${WAN}
$IPT -A INPUT -p tcp -m tcp --dport 9022 -j REJECT --reject-with tcp-reset -i ${WAN}
$IPT -A INPUT -p tcp -m tcp --dport 4445 -j REJECT --reject-with tcp-reset -i ${WAN}
$IPT -A INPUT -p tcp -m tcp --dport 1720 -j REJECT --reject-with tcp-reset -i ${WAN}
$IPT -A INPUT -p tcp -m tcp --dport 5038 -j REJECT --reject-with tcp-reset -i ${WAN}
$IPT -A INPUT -p tcp -m tcp --dport 3306 -j REJECT --reject-with tcp-reset -i ${WAN}
$IPT -A INPUT -p tcp -m tcp --dport 3128 -j REJECT --reject-with tcp-reset -i ${WAN}

echo "Block other ports, just in case."
$IPT -A INPUT -p tcp --dport 21 -j REJECT --reject-with tcp-reset -i ${WAN}
$IPT -A INPUT -p tcp --dport 23 -j REJECT --reject-with tcp-reset -i ${WAN}
$IPT -A INPUT -p tcp --dport 25 -j REJECT --reject-with tcp-reset -i ${WAN}
$IPT -A INPUT -p tcp --dport 79 -j REJECT --reject-with tcp-reset -i ${WAN}
$IPT -A INPUT -p tcp --dport 110 -j REJECT --reject-with tcp-reset -i ${WAN}
$IPT -A INPUT -p tcp --dport 143 -j REJECT --reject-with tcp-reset -i ${WAN}

echo "Setting Rules"

# port 3389=RDP
#$IPT -A FORWARD -p tcp --dport 3389 -j ACCEPT -i ${WAN}

echo "Mapping Ports to other network locations"

echo "Enabling Transparent Squid Routing"
# direct squid redirect (unused; dansguardian rule below is used instead)
#$IPT -t nat -A PREROUTING -i ${LAN} -p tcp --dport 80 -j REDIRECT --to-port 3128
# Rule for dansguardian routing
$IPT -t nat -A PREROUTING -i ${LAN} -p tcp --dport 80 -j REDIRECT --to-port 8080
# End other custom rules

echo "All Done!"
echo
echo "Network Services status:"
echo
[/code]

Thanks!

iptables NAT Issue

Posted: 2009/03/17 14:51:08
by Goldbarry
How about these two lines:

[code]
-A INPUT -i lo -j ACCEPT

-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
[/code]
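As an added example (not code from either post), here is the same NAT gateway expressed as an iptables-restore(8) ruleset that includes the two lines suggested above, plus a small checker that verifies a saved ruleset accepts RELATED,ESTABLISHED traffic on INPUT before any REJECT or DROP rule. The interface names eth0/eth1 and the port-80 redirect to 8080 come from the first post; the default-deny INPUT/FORWARD policies, the LAN-to-WAN forward rule and the `check_stateful` awk filter are my own choices and are assumptions, not something the thread prescribes.

```shell
#!/bin/sh
# Assumed interface names (from the thread); override via environment if needed.
WAN="${WAN:-eth0}"
LAN="${LAN:-eth1}"

# Print a complete ruleset in iptables-restore(8) format.
# The state rule sits at the top of INPUT/FORWARD so that return traffic
# for connections the gateway or its clients opened is always let back in.
gen_rules() {
  cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
# transparent proxy: LAN web traffic goes to the local filter on 8080
-A PREROUTING -i ${LAN} -p tcp --dport 80 -j REDIRECT --to-port 8080
# masquerade everything leaving on the WAN side
-A POSTROUTING -o ${WAN} -j MASQUERADE
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i ${LAN} -j ACCEPT
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i ${LAN} -o ${WAN} -j ACCEPT
COMMIT
EOF
}

# Read a ruleset (iptables-save format) on stdin.  Exit 0 if INPUT accepts
# RELATED,ESTABLISHED before its first REJECT/DROP rule, 1 otherwise.
# Accepts both "-m state --state" and the newer "-m conntrack --ctstate" spelling.
check_stateful() {
  awk '
    /^-A INPUT / && /--(ct)?state RELATED,ESTABLISHED/ && /-j ACCEPT/ { seen = 1 }
    /^-A INPUT / && /-j (REJECT|DROP)/ && !seen { bad = 1 }
    END { exit (bad ? 1 : 0) }'
}

# Stand-alone use: print the ruleset and report whether it passes the check.
if [ "${1:-}" = "--print" ]; then
  gen_rules
  if gen_rules | check_stateful; then echo "state rule OK"; else echo "state rule MISSING"; fi
fi
```

Load it with `sh script.sh --print | iptables-restore` after reviewing the output, or run `iptables-save | check_stateful` against the live ruleset. Forwarding for the LAN clients additionally requires `net.ipv4.ip_forward=1`, which neither the posted script nor this example sets.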