Article 53S4K Unable to ping after running iptables/routing firewall script

by ZajiKoL0J, from LinuxQuestions.org (#53S4K)
Hey everyone, nice to meet you all. This is a problem I've been having for the past few days and I can't seem to find what exactly is wrong. This is not my script, it's someone else's I found on GitHub with some slight modifications I made (https://github.com/ianlee/standalone-fw). My script wasn't working, so I thought I might try someone else's to see if theirs would work, but it isn't. I don't want the solution to mine, however I'm completely stuck, so here I am. All of these are in bash as I'm still very new to Linux, only 3-4 months of using it so far, and I'm not a programmer by any means.

My current setup is 2 virtual machines, both running Fedora's latest version. Both of them have a NAT Network as well as an Internal Network so that they're able to communicate with each other. When I made the NAT Network, I gave it the Network CIDR of 192.168.10.0/24. enp0s1 is the NAT Network connection and enp0s8 is the Internal Network. They're able to ping each other after running the first two initial scripts, however after running the firewall script with the rules, I'm getting no response back.

I run the following 2 scripts so that they can ping each other. This on the 'internal' machine:

Code:
EXTERNAL_INTERFACE="enp0s1"
INTERNAL_GATEWAY_BINDING="1"
INTERNAL_INTERFACE="enp0s8"
INTERNAL_SUBNET="192.168.10"
INTERNAL_BINDING="2"

DNS_IP1="8.8.8.8"
DNS_IP2="8.8.4.4"

ifconfig $EXTERNAL_INTERFACE down
ifconfig $INTERNAL_INTERFACE $INTERNAL_SUBNET.$INTERNAL_BINDING up
route add default gw $INTERNAL_SUBNET.$INTERNAL_GATEWAY_BINDING

echo -e "nameserver $DNS_IP1\nnameserver $DNS_IP2\n" >/etc/resolv.conf

And this on the external machine, the one that is going to be running the script:

Code:
FIREWALL_IP="192.168.10.5"
EXTERNAL_SUBNET="192.168.0.0"
INTERNAL_INTERFACE="enp0s8"
INTERNAL_SUBNET="192.168.10"
INTERNAL_BINDING="1"
DNS_IP1="8.8.8.8"
DNS_IP2="8.8.4.4"

ifconfig $INTERNAL_INTERFACE $INTERNAL_SUBNET.$INTERNAL_BINDING up

route add -net $INTERNAL_SUBNET.0 netmask 255.255.255.0 gw $INTERNAL_SUBNET.$INTERNAL_BINDING

echo "1" >/proc/sys/net/ipv4/ip_forward

route add -net $EXTERNAL_SUBNET netmask 255.255.255.0 gw $FIREWALL_IP
echo -e "nameserver $DNS_IP1\nnameserver $DNS_IP2\n" >/etc/resolv.conf

Where 192.168.10.5 is the address with internet connectivity on enp0s1. I'm able to ping between 192.168.10.1 and 192.168.10.2 just fine, however when I try running the script,

Code:
#interface name
EXTERNAL="enp0s1"
INTERNAL="enp0s8"
INTERNAL_NETWORK="192.168.10.0/24"

#Allowing ports
TCP_ALLOW_PORTS_IN="22,80,443,8080,3131" #from these ports (acting as a client)
TCP_ALLOW_PORTS_OUT="22,80,443,8080,3131"
UDP_ALLOW_PORTS_IN="80"
UDP_ALLOW_PORTS_OUT="80"

#internal server ip
INTERNAL_SERVER_IP="192.168.10.2"
TCP_ALLOW_PORTS_IN_SERVER="80,22,443,8080,3131" #acting as server (allow connections to these ports)
TCP_ALLOW_PORTS_OUT_SERVER="80,22,443,8080,3131"
UDP_ALLOW_PORTS_IN_SERVER="80"
UDP_ALLOW_PORTS_OUT_SERVER="80"
ICMP_ALLOW_TYPES="0,8"


#block traffic to and from these IP addresses
IP_BLOCK=""

#block these ports regardless of IP or protocol.
BLOCK_PORTS_IN="0,23"
BLOCK_PORTS_OUT="0,23"

MAXIMIZE_THROUGHPUT="20"
MINIMIZE_DELAY="21,22"

DNS_PORT_IN="53"
DNS_PORT_OUT="53"
DHCP_PORT_IN="67"
DHCP_PORT_OUT="68"

#empty all existing chains
iptables -t filter -F
iptables -t mangle -F
iptables -t nat -F

#set policies to drop
iptables -P OUTPUT DROP
iptables -P FORWARD DROP
iptables -P INPUT DROP

#SNAT
iptables -t nat -A POSTROUTING -o $EXTERNAL -j MASQUERADE
#DNAT
iptables -t nat -A PREROUTING -i $EXTERNAL -p tcp -m multiport --dports $TCP_ALLOW_PORTS_IN_SERVER -j DNAT --to $INTERNAL_SERVER_IP
iptables -t nat -A PREROUTING -i $EXTERNAL -p udp -m multiport --dports $UDP_ALLOW_PORTS_IN_SERVER -j DNAT --to $INTERNAL_SERVER_IP

arr=$(echo $ICMP_ALLOW_TYPES | tr "," "\n")
for x in $arr
do
    iptables -t nat -A PREROUTING -i $EXTERNAL -p icmp --icmp-type $x -m state --state NEW,ESTABLISHED -j DNAT --to $INTERNAL_SERVER_IP
done
#MANGLE
iptables -t mangle -A PREROUTING -p tcp -m multiport --sports $MINIMIZE_DELAY -j TOS --set-tos Minimize-Delay
iptables -t mangle -A PREROUTING -p tcp -m multiport --sports $MAXIMIZE_THROUGHPUT -j TOS --set-tos Maximize-Throughput
iptables -t mangle -A PREROUTING -p tcp -m multiport --dports $MINIMIZE_DELAY -j TOS --set-tos Minimize-Delay
iptables -t mangle -A PREROUTING -p tcp -m multiport --dports $MAXIMIZE_THROUGHPUT -j TOS --set-tos Maximize-Throughput


iptables -N dhcpin
iptables -N dhcpout
iptables -N dhcpforward
iptables -N blockin
iptables -N blockout
iptables -N necessitiesin
iptables -N necessitiesout
iptables -N necessitiesforward
iptables -N icmpin
iptables -N udpin
iptables -N tcpin
iptables -N udpout
iptables -N tcpout


#chain for blocking Inbound traffic
#block inbound traffic from specific IPs
if [[ -n $IP_BLOCK ]]; then
    iptables -A blockin -i $EXTERNAL -s $IP_BLOCK -j DROP
fi
#block inbound traffic from a source address from the outside matching your internal network.
iptables -A blockin -i $EXTERNAL -s $INTERNAL_NETWORK -j DROP

#block syn and fin bits.
iptables -A blockin -i $EXTERNAL -p tcp ! --syn -m state --state NEW -j DROP
iptables -A blockin -i $EXTERNAL -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
iptables -A blockout -i $INTERNAL -p tcp ! --syn -m state --state NEW -j DROP
iptables -A blockout -i $INTERNAL -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP

#block inbound traffic to and from specified ports
iptables -A blockin -i $EXTERNAL -p udp -m multiport --sports $BLOCK_PORTS_IN -j DROP
iptables -A blockin -i $EXTERNAL -p udp -m multiport --dports $BLOCK_PORTS_IN -j DROP
iptables -A blockin -i $EXTERNAL -p tcp -m multiport --sports $BLOCK_PORTS_IN -j DROP
iptables -A blockin -i $EXTERNAL -p tcp -m multiport --dports $BLOCK_PORTS_IN -j DROP

#drop SYN packets from ports less than 1024
iptables -A blockin -i $EXTERNAL -p tcp -m multiport --sports 0:1023 -m state --state NEW -j DROP
iptables -A blockin -i $EXTERNAL -p udp -m multiport --sports 0:1023 -m state --state NEW -j DROP

#drop SYN packets to high ports
iptables -A blockin -i $EXTERNAL -p tcp -m multiport --dports 32768:32775,137:139,111,515 -j DROP
iptables -A blockin -i $EXTERNAL -p udp -m multiport --dports 32768:32775,137:139 -j DROP

#block outbound traffic from specific IPs
if [[ -n $IP_BLOCK ]]; then
    iptables -A blockout -i $INTERNAL -d $IP_BLOCK -j DROP
fi
iptables -A blockout -i $INTERNAL ! -s $INTERNAL_NETWORK -j DROP

#block out bound to and from specified ports
iptables -A blockout -i $INTERNAL -p udp -m multiport --sports $BLOCK_PORTS_OUT -j DROP
iptables -A blockout -i $INTERNAL -p udp -m multiport --dports $BLOCK_PORTS_OUT -j DROP
iptables -A blockout -i $INTERNAL -p tcp -m multiport --sports $BLOCK_PORTS_OUT -j DROP
iptables -A blockout -i $INTERNAL -p tcp -m multiport --dports $BLOCK_PORTS_OUT -j DROP

#drop SYN packets from ports less than 1024
iptables -A blockout -i $INTERNAL -p tcp -m multiport --sports 0:1023 -m state --state NEW -j DROP
iptables -A blockout -i $INTERNAL -p udp -m multiport --sports 0:1023 -m state --state NEW -j DROP

#Block all external traffic directed to ports 32768 - 32775, 137 - 139, TCP ports 111 and 515.
iptables -A blockout -i $INTERNAL -p tcp -m multiport --dports 32768:32775,137:139,111,515 -j DROP
iptables -A blockout -i $INTERNAL -p udp -m multiport --dports 32768:32775,137:139 -j DROP

#allow inbound udp dns traffic
iptables -A necessitiesin -i $EXTERNAL -p udp -m multiport --sports $DNS_PORT_IN -j ACCEPT
iptables -A necessitiesforward -i $EXTERNAL -o $INTERNAL -p udp -m multiport --sports $DNS_PORT_IN -j ACCEPT

#allow inbound tcp dns traffic
iptables -A necessitiesin -i $EXTERNAL -p tcp -m multiport --sports $DNS_PORT_IN -j ACCEPT
iptables -A necessitiesforward -i $EXTERNAL -o $INTERNAL -p tcp -m multiport --sports $DNS_PORT_IN -j ACCEPT

#allow outbound udp dns traffic
iptables -A necessitiesout -o $EXTERNAL -p udp -m multiport --dports $DNS_PORT_OUT -j ACCEPT
iptables -A necessitiesforward -o $EXTERNAL -i $INTERNAL -p udp -m multiport --dports $DNS_PORT_OUT -j ACCEPT

#allow outbound tcp dns traffic
iptables -A necessitiesout -o $EXTERNAL -p tcp -m multiport --dports $DNS_PORT_OUT -j ACCEPT
iptables -A necessitiesforward -o $EXTERNAL -i $INTERNAL -p tcp -m multiport --dports $DNS_PORT_OUT -j ACCEPT

#allow inbound udp dhcp traffic
iptables -A dhcpin -i $EXTERNAL -p udp --dport $DHCP_PORT_OUT -m multiport --sports $DHCP_PORT_IN -j ACCEPT
iptables -A dhcpforward -i $EXTERNAL -o $INTERNAL -p udp --dport $DHCP_PORT_OUT -m multiport --sports $DHCP_PORT_IN -j ACCEPT

#allow inbound tcp dhcp traffic
iptables -A dhcpin -i $EXTERNAL -p tcp --dport $DHCP_PORT_OUT -m multiport --sports $DHCP_PORT_IN -j ACCEPT
iptables -A dhcpforward -i $EXTERNAL -o $INTERNAL -p tcp --dport $DHCP_PORT_OUT -m multiport --sports $DHCP_PORT_IN -j ACCEPT

#allow outbound udp dhcp traffic
iptables -A dhcpout -o $EXTERNAL -p udp --sport $DHCP_PORT_IN -m multiport --dports $DHCP_PORT_OUT -j ACCEPT
iptables -A dhcpforward -o $EXTERNAL -i $INTERNAL -p udp --sport $DHCP_PORT_IN -m multiport --dports $DHCP_PORT_OUT -j ACCEPT

#allow outbound tcp dhcp traffic
iptables -A dhcpout -o $EXTERNAL -p tcp --sport $DHCP_PORT_IN -m multiport --dports $DHCP_PORT_OUT -j ACCEPT
iptables -A dhcpforward -o $EXTERNAL -i $INTERNAL -p tcp --sport $DHCP_PORT_IN -m multiport --dports $DHCP_PORT_OUT -j ACCEPT

#ICMP Chain
arr=$(echo $ICMP_ALLOW_TYPES | tr "," "\n")
for x in $arr
do
    iptables -A icmpin -i $EXTERNAL -p icmp --icmp-type $x -m state --state NEW,ESTABLISHED -j ACCEPT
done

#allow inbound udp user defined traffic
iptables -A udpin -i $EXTERNAL -o $INTERNAL -p udp -m multiport --sports $UDP_ALLOW_PORTS_IN -m state --state ESTABLISHED -j ACCEPT # acting as a client
iptables -A udpin -i $EXTERNAL -o $INTERNAL -p udp -m multiport --dports $UDP_ALLOW_PORTS_IN_SERVER -m state --state NEW,ESTABLISHED -j ACCEPT # acting as a server
#add inbound udp chain to default input chain

#allow inbound user defined traffic
iptables -A tcpin -i $EXTERNAL -o $INTERNAL -p tcp -m multiport --sports $TCP_ALLOW_PORTS_IN -m state --state ESTABLISHED -j ACCEPT # acting as a client
iptables -A tcpin -i $EXTERNAL -o $INTERNAL -p tcp -m multiport --dports $TCP_ALLOW_PORTS_IN_SERVER -m state --state NEW,ESTABLISHED -j ACCEPT # acting as a server

#allow outbound udp user defined traffic
iptables -A udpout -o $EXTERNAL -i $INTERNAL -p udp -m multiport --dports $UDP_ALLOW_PORTS_OUT -m state --state NEW,ESTABLISHED -j ACCEPT # acting as a client
iptables -A udpout -o $EXTERNAL -i $INTERNAL -p udp -m multiport --sports $UDP_ALLOW_PORTS_OUT_SERVER -m state --state ESTABLISHED -j ACCEPT # acting as a server

#allow outbound tcp user defined traffic
iptables -A tcpout -o $EXTERNAL -i $INTERNAL -p tcp -m multiport --dports $TCP_ALLOW_PORTS_OUT -m state --state NEW,ESTABLISHED -j ACCEPT # acting as a client
iptables -A tcpout -o $EXTERNAL -i $INTERNAL -p tcp -m multiport --sports $TCP_ALLOW_PORTS_OUT_SERVER -m state --state ESTABLISHED -j ACCEPT # acting as a server


iptables -A INPUT -j dhcpin
iptables -A OUTPUT -j dhcpout
iptables -A FORWARD -j dhcpforward

iptables -A FORWARD -j blockin
iptables -A INPUT -j blockin
iptables -A FORWARD -j blockout
iptables -A INPUT -j blockout

iptables -A INPUT -j necessitiesin
iptables -A OUTPUT -j necessitiesout
iptables -A FORWARD -j necessitiesforward

iptables -A FORWARD -p icmp -j icmpin
iptables -A FORWARD -p udp -j udpin
iptables -A FORWARD -p tcp -j tcpin
iptables -A FORWARD -p udp -j udpout
iptables -A FORWARD -p tcp -j tcpout

I run that on the external machine and I get no response when I try pinging for any of the allowed ports for TCP or UDP from the internal machine to the external machine. I can see it go through via Wireshark, but the ping command itself doesn't yield any response. I've tried changing the network by using all the networks I see when I run ip route show (192.168.10.2/24, 192.168.10.0/24, 192.168.0.0/24, 192.168.10.5/24, 192.168.10.1/24), but nothing is working, and it's frustrating not knowing where I'm going wrong.

Any help would be appreciated as this is really racking my brain.
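Added example for readers of the post; it is neither the poster's script nor the standalone-fw project's code. It shows the part a default-DROP router needs that the posted script does not have: the script's icmpin chain is hooked only into FORWARD, and INPUT and OUTPUT carry no rule for ICMP or for reply traffic, yet a ping from the internal host to the firewall's own address (192.168.10.2 to 192.168.10.1) is delivered to the firewall through INPUT and answered through OUTPUT, so FORWARD never sees it. The interface names and the internal network are taken from the post; the conntrack match, the small forwarded port list, and the IPT variable used for a no-root dry run are this example's own choices. The DNAT, port-block and TOS logic of the original script is deliberately not reproduced.

```shell
#!/bin/sh
# Minimal stateful rule set for a two-interface router with DROP policies.
# Added example, not the poster's script. Interface names and network
# are assumptions matching the post; everything else is this example's choice.
# Run with --apply as root to install (flush existing rules first);
# with no argument it only prints the iptables commands it would run.
IPT="${IPT:-iptables}"
EXTERNAL="${EXTERNAL:-enp0s1}"
INTERNAL="${INTERNAL:-enp0s8}"
INTERNAL_NETWORK="${INTERNAL_NETWORK:-192.168.10.0/24}"

# Emit one rule: executes it when IPT=iptables, prints it when IPT=echo.
rule() { "$IPT" "$@"; }

# Traffic addressed to the firewall itself (INPUT) or generated by it (OUTPUT).
# A ping from the internal host to the firewall's address is INPUT, and the
# echo reply leaves through OUTPUT; FORWARD never sees either packet.
host_rules() {
    rule -A INPUT  -i lo -j ACCEPT
    rule -A OUTPUT -o lo -j ACCEPT
    # Replies to connections the firewall already accepted or initiated.
    rule -A INPUT  -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    rule -A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    # Echo requests only from the internal side; the reply is ESTABLISHED above.
    rule -A INPUT -i "$INTERNAL" -s "$INTERNAL_NETWORK" -p icmp --icmp-type echo-request -j ACCEPT
    # Let the firewall originate its own pings and DNS lookups.
    rule -A OUTPUT -p icmp --icmp-type echo-request -j ACCEPT
    rule -A OUTPUT -o "$EXTERNAL" -p udp --dport 53 -j ACCEPT
    rule -A OUTPUT -o "$EXTERNAL" -p tcp --dport 53 -j ACCEPT
}

# Traffic routed between the two interfaces (FORWARD) plus the NAT for it.
forward_rules() {
    rule -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    # Anti-spoofing: the outside may not claim an internal source address,
    # and the inside may not send with a non-internal source address.
    rule -A FORWARD -i "$EXTERNAL" -s "$INTERNAL_NETWORK" -j DROP
    rule -A FORWARD -i "$INTERNAL" ! -s "$INTERNAL_NETWORK" -j DROP
    # New connections from inside to outside: ping and a few TCP services.
    rule -A FORWARD -i "$INTERNAL" -o "$EXTERNAL" -s "$INTERNAL_NETWORK" -p icmp --icmp-type echo-request -j ACCEPT
    rule -A FORWARD -i "$INTERNAL" -o "$EXTERNAL" -s "$INTERNAL_NETWORK" -p tcp -m multiport --dports 22,80,443 -j ACCEPT
    rule -t nat -A POSTROUTING -o "$EXTERNAL" -s "$INTERNAL_NETWORK" -j MASQUERADE
}

# Default-deny on every built-in chain, then the explicit ACCEPTs above.
apply_rules() {
    rule -P INPUT DROP
    rule -P OUTPUT DROP
    rule -P FORWARD DROP
    host_rules
    forward_rules
}

# Print the commands instead of running them (no root, no iptables needed).
dry_run() { ( IPT=echo; apply_rules ); }

# Number of rules the dry run would append to the named chain, e.g. INPUT.
count_chain_rules() { dry_run | grep -c -- "-A $1 "; }

if [ "${1:-}" = "--apply" ]; then
    apply_rules
else
    dry_run
fi
```

Running the file without arguments prints the rule list, which is a cheap way to review a ruleset before it is installed; `count_chain_rules INPUT` is the same idea as a check: any chain whose policy is DROP and whose count is zero will drop everything addressed to it, which is the condition to look for first when a host stops answering ping after a firewall script runs.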