I have no idea with my script below. I don't know where the mismatch. I plan to build a DMZ Server for windows sharing printer with this script, but not work. However DMZ for web server is done successfully. Please help me!


FW_HOSTNAME="DMZ"
KDCAB="5"
NETMASK_LAMA="netmask 255.255.255.0"
GW_LAMA="192.168.128.1" #IP Address Modem VSAT

NAT_ADDRESS_LAN="192.168.128.254"
BUFFER="32767500" # BUFFER = 65535 * 500

#Network Data Center
ETH_DC="eth0"
NET_DC="192.168.128.0/24"

#Network Local Cabang
ETH_LOCAL="eth1"
NET_LOCAL="192.168.$KDCAB.0/24"

GOTOHELL="DROP"
ipt="iptables"
SPOK="--sport 1024:65535"
VIRUS_ALERT="0"

#*************************
# SETTING NETWORKING
#*************************
# Setting HOSTNAME
hostname $FW_HOSTNAME

#Setting DNS Address
echo "nameserver $FW_NAMESERVER" > /etc/resolv.conf

# Enabling IPV4 Forwarding
echo 1 > /proc/sys/net/ipv4/ip_forward

# Static route
route del -net $NET_DC gw $GW_LAMA
route del -net default gw $GW_LAMA
route add -net $NET_DC gw $GW_LAMA
route add -net default gw $GW_LAMA

#Load module for FTP Connection tracking and NAT
modprobe ip_conntrack
modprobe ip_nat_ftp
modprobe ip_conntrack_ftp
modprobe iptable_nat

# Setting buffer
#DEFAULT = 65535 - Tergantung RAM size
echo $BUFFER > /proc/sys/net/ipv4/netfilter/ip_conntrack_max

# Drop ICMP echo-request messages sent to broadcast or multicast addresses
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts

# Drop source routed packets
echo 0 > /proc/sys/net/ipv4/conf/all/accept_source_route

# Enable TCP SYN cookie protection from SYN floods
echo 1 > /proc/sys/net/ipv4/tcp_syncookies

# Don't accept ICMP redirect messages
echo 0 > /proc/sys/net/ipv4/conf/all/accept_redirects

# Don't send ICMP redirect messages
echo 0 > /proc/sys/net/ipv4/conf/all/send_redirects

# Enable source address spoofing protection
echo 1 > /proc/sys/net/ipv4/conf/all/rp_filter

# Log packets with impossible source addresses
echo $VIRUS_ALERT > /proc/sys/net/ipv4/conf/all/log_martians

#Initialization all the chains
$ipt --flush
$ipt -t nat --flush
$ipt -t mangle --flush

#Initialization the user defined chains
$ipt --delete-chain
$ipt -t nat --delete-chain
$ipt -t mangle --delete-chain

#Set policy
$ipt --policy INPUT DROP
$ipt --policy OUTPUT DROP
$ipt --policy FORWARD DROP
$ipt -t nat --policy POSTROUTING ACCEPT
$ipt -t nat --policy PREROUTING ACCEPT

#DMZ
$ipt -t nat -A PREROUTING -i $ETH_DC -p TCP --dport 80 -j DNAT --to-destination 192.168.5.10:80
$ipt -t nat -A PREROUTING -i $ETH_DC -p TCP --dport 137 -j DNAT --to-destination 192.168.5.22:137
$ipt -t nat -A PREROUTING -i $ETH_DC -p UDP --dport 137 -j DNAT --to-destination 192.168.5.22:137
$ipt -t nat -A PREROUTING -i $ETH_DC -p UDP --dport 138 -j DNAT --to-destination 192.168.5.22:138
$ipt -t nat -A PREROUTING -i $ETH_DC -p TCP --dport 139 -j DNAT --to-destination 192.168.5.22:139
$ipt -t nat -A PREROUTING -i $ETH_DC -p UDP --dport 139 -j DNAT --to-destination 192.168.5.22:139
$ipt -t nat -A PREROUTING -i $ETH_DC -p TCP --dport 445 -j DNAT --to-destination 192.168.5.22:445

#NAT untuk Local Area Network
$ipt -t nat -A POSTROUTING -o $ETH_DC -j SNAT --to-source $NAT_ADDRESS_LAN

#SSH ke FIREWALL dari DATACENTER
$ipt -A INPUT -p TCP -i $ETH_DC --dport ssh -j ACCEPT

#DMZ
$ipt -A INPUT -p TCP -m tcp $SPOK --dport 137 -j ACCEPT
$ipt -A INPUT -p UDP -m udp $SPOK --dport 137 -j ACCEPT
$ipt -A INPUT -p UDP -m udp $SPOK --dport 138 -j ACCEPT
$ipt -A INPUT -p TCP -m tcp $SPOK --dport 139 -j ACCEPT
$ipt -A INPUT -p UDP -m udp $SPOK --dport 139 -j ACCEPT
$ipt -A INPUT -p TCP -m tcp $SPOK --dport 445 -j ACCEPT
$ipt -A INPUT -p UDP -m udp $SPOK --dport 445 -j ACCEPT


#Allways allow unlimited traffic on the loopback interface
$ipt -A INPUT -p all -i lo -j ACCEPT
$ipt -A OUTPUT -p all -o lo -j ACCEPT

# Previously initiated and accepted exchanges bypass rule checking
$ipt -A INPUT -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
$ipt -A OUTPUT -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT

#Allowing PING test to this firewall and across between network
$ipt -A INPUT -p icmp -j ACCEPT
$ipt -A OUTPUT -p icmp -j ACCEPT
$ipt -A FORWARD -p icmp -j ACCEPT

#=================================
# APLIKASI PUBLIK/UMUM UTK SEMUA
#=================================
$ipt -N PUBLIK
$ipt -A FORWARD -j PUBLIK
#FTP Control Connection
$ipt -A PUBLIK -p TCP $SPOK --dport ftp -j ACCEPT
$ipt -A PUBLIK -p UDP $SPOK --dport ftp -j ACCEPT
#FTP Data Transfer
$ipt -A PUBLIK -p TCP $SPOK --dport ftp-data -j ACCEPT
$ipt -A PUBLIK -p UDP $SPOK --dport ftp-data -j ACCEPT

#SMTP
$ipt -A PUBLIK -p TCP $SPOK --dport smtp -j ACCEPT
$ipt -A PUBLIK -p TCP $SPOK --dport smtps -j ACCEPT
#IMAP
$ipt -A PUBLIK -p TCP $SPOK --dport imap -j ACCEPT
$ipt -A PUBLIK -p TCP $SPOK --dport imaps -j ACCEPT
#Web mail server
$ipt -A PUBLIK -p TCP $SPOK --dport 8080 -j ACCEPT
$ipt -A PUBLIK -p TCP $SPOK --dport 5432 -j ACCEPT
#POP3
$ipt -A PUBLIK -p TCP $SPOK --dport pop3 -j ACCEPT
$ipt -A PUBLIK -p TCP $SPOK --dport pop3s -j ACCEPT
#DNS/Domain/Name Server
$ipt -A PUBLIK -p UDP $SPOK --dport 53 -j ACCEPT
#Web access server
$ipt -A PUBLIK -p TCP $SPOK --dport http -j ACCEPT
$ipt -A PUBLIK -p TCP $SPOK --dport https -j ACCEPT
#Remote Desktop
$ipt -A PUBLIK -p TCP $SPOK --dport 3389 -j ACCEPT
#DMZ
$ipt -A PUBLIK -p TCP -m tcp $SPOK --dport 137 -j ACCEPT
$ipt -A PUBLIK -p UDP -m udp $SPOK --dport 137 -j ACCEPT
$ipt -A PUBLIK -p UDP -m udp $SPOK --dport 138 -j ACCEPT
$ipt -A PUBLIK -p TCP -m tcp $SPOK --dport 139 -j ACCEPT
$ipt -A PUBLIK -p UDP -m udp $SPOK --dport 139 -j ACCEPT
$ipt -A PUBLIK -p TCP -m tcp $SPOK --dport 445 -j ACCEPT
$ipt -A PUBLIK -p UDP -m udp $SPOK --dport 445 -j ACCEPT

#Allow previously ESTABLISHED FORWARD connection
$ipt -A FORWARD -p ALL -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT

#Telnet & SSH keluar
$ipt -A OUTPUT -p TCP --dport telnet -m state --state NEW -j ACCEPT
$ipt -A OUTPUT -p TCP --dport ssh -m state --state NEW -j ACCEPT

#Allow previously connection
$ipt -A OUTPUT -s 127.0.0.1 -j ACCEPT
$ipt -A OUTPUT -p ALL -m state --state RELATED,ESTABLISHED -j ACCEPT