Bridging Firewall

Bobby Knueven knueven.7 at osu.edu
Thu Jul 29 22:54:45 UTC 2004


I have a bridging firewall setup (No NAT/MASQ). My iptables are 
working, but something is a little off. I allow connections to the 
internet, DNS with all established,related connections accepted, but 
for some reason my default policies (all of them are DROP) are not 
working. I can access my webserver from outside the firewall and I 
should not be able to. Here's what I have.

  sub1="x.x.x.0/23"

  ### Flush tables
  iptables -F
  iptables -X
  iptables -Z

  ### Policies
  iptables -P INPUT DROP
  iptables -P OUTPUT DROP
  iptables -P FORWARD DROP

  ### Loopback
  iptables -A INPUT -i lo -j ACCEPT
  iptables -A OUTPUT -o lo -j ACCEPT

  ### DNS
  iptables -A FORWARD -m state --state NEW -s $sub1 -p UDP --dport 53 -j ACCEPT

  ### HTTP
  iptables -A FORWARD -m state --state NEW -s $sub1 -p TCP -m multiport --dport 80,443 -j ACCEPT
  ## To block access to the webserver that's sitting behind the firewall I have to add this
  ## to the script; if I don't, I can get to the webserver.
  #iptables -A FORWARD -p TCP -d $sub1 --dport 80 -j DROP

  ### Accept established connections
  iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
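As an added illustration (not part of the post or the poster's script), the FORWARD chain above modelled with iptables' first-match semantics, using a constructed 10.0.0.0/23 in place of the unspecified $sub1 and assuming the webserver sits inside that subnet:

```python
import ipaddress

# Constructed stand-in for the post's $sub1 (the real x.x.x.0/23 is not given).
SUB1 = ipaddress.ip_network("10.0.0.0/23")

# Rule = (states, src_net, dst_net, proto, dports, target); None is a wildcard.
# The FORWARD chain as posted, in order; the policy is applied after it.
FORWARD_RULES = [
    ({"NEW"}, SUB1, None, "udp", {53}, "ACCEPT"),          # ### DNS
    ({"NEW"}, SUB1, None, "tcp", {80, 443}, "ACCEPT"),     # ### HTTP
    ({"ESTABLISHED", "RELATED"}, None, None, None, None, "ACCEPT"),
]
# Same chain with the commented-out "-d $sub1 --dport 80 -j DROP" enabled.
FORWARD_RULES_WITH_BLOCK = (FORWARD_RULES[:2]
                            + [(None, None, SUB1, "tcp", {80}, "DROP")]
                            + FORWARD_RULES[2:])
FORWARD_POLICY = "DROP"


def forward_verdict(src, dst, proto, dport, state, rules=FORWARD_RULES):
    """First-match walk of the FORWARD chain, falling through to the policy.
    `state` is the conntrack state the kernel assigned: NEW, ESTABLISHED,
    RELATED or INVALID."""
    src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for states, src_net, dst_net, rproto, dports, target in rules:
        if states is not None and state not in states:
            continue
        if src_net is not None and src_ip not in src_net:
            continue
        if dst_net is not None and dst_ip not in dst_net:
            continue
        if rproto is not None and rproto != proto:
            continue
        if dports is not None and dport not in dports:
            continue
        return target                      # first match wins
    return FORWARD_POLICY                  # no rule matched


if __name__ == "__main__":
    # Constructed hosts: 10.0.0.80 is the webserver inside $sub1,
    # 198.51.100.7 an outside client, 203.0.113.10 an outside web site.
    for case in [("10.0.0.5", "203.0.113.10", "tcp", 443, "NEW"),      # out
                 ("203.0.113.10", "10.0.0.5", "tcp", 51234, "ESTABLISHED"),
                 ("198.51.100.7", "10.0.0.80", "tcp", 80, "NEW"),      # in
                 ("198.51.100.7", "10.0.0.80", "tcp", 80, "INVALID")]:
        print(case, "->", forward_verdict(*case),
              "/ with block rule:", forward_verdict(*case, rules=FORWARD_RULES_WITH_BLOCK))
```

Under these rules alone, an unsolicited connection to port 80 of a host in $sub1 matches no ACCEPT and falls to the DROP policy, with or without the commented-out rule; if the real box still forwards such a packet, it is not being evaluated by this chain in the way the model assumes.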

More information about the fedora-list mailing list