透明代理防火墙无法ping通内网，其他ping全正常。为什么？

ahsiao

#!/bin/bash
#Define string
IPT=/sbin/iptables
#Mount necessary module
/sbin/modprobe ip_tables
/sbin/modprobe iptable_nat
/sbin/modprobe iptable_filter
/sbin/modprobe ip_conntrack_ftp
/sbin/modprobe ip_nat_ftp

#Refresh rules
$IPT -F
$IPT -X
$IPT -F -t nat
$IPT -X -t nat
$IPT -F -t mangle
$IPT -X -t mangle

#Default policy
$IPT -P INPUT DROP
$IPT -P OUTPUT ACCEPT
$IPT -P FORWARD DROP

#Enable loopback
$IPT -A INPUT -i lo -j ACCEPT

#Enable ping
#$IPT -A INPUT -i eth1 -s 10.0.0.0/23 -p icmp --icmp-type 0 -j ACCEPT
#$IPT -A INPUT -s 192.168.37.1 -p icmp --icmp-type echo-reply -j DROP
#$IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPT -A INPUT -i eth1 -p icmp -j ACCEPT
$IPT -A FORWARD -s 10.0.0.0/23 -p icmp -j ACCEPT
#$IPT -A FORWARD -i eth1 -s 10.0.0.0/23 -p icmp -j ACCEPT
#$IPT -A INPUT -i eth1 -s 10.0.0.0/23 -p ALL -j ACCEPT

#Enable ip forwarded
echo "1">/proc/sys/net/ipv4/ip_forward

#Snat rules
$IPT -t nat -A POSTROUTING -s 10.0.0.0/23 -o eth0 -j SNAT --to-source 192.168.37.1
$IPT -t nat -A PREROUTING -s 10.0.0.0/23 -i eth1 -p tcp --dport 80 -j REDIRECT --to-port 3128
$IPT -t nat -A PREROUTING -p udp -s 10.0.0.0/23 --dport 53 -j DNAT --to 192.168.1.33
#$IPT -t nat -A PREROUTING -p tcp -s 10.0.0.0/23 --dport 53 -j DNAT --to 192.168.1.33

#Deny local address
$IPT -t nat -A PREROUTING -i eth0 -s 10.0.0.0/8 -j DROP
$IPT -t nat -A PREROUTING -i eth0 -s 127.0.0.0/8 -j DROP
$IPT -t nat -A PREROUTING -i eth0 -s 172.16.0.0/12 -j DROP
$IPT -t nat -A PREROUTING -i eth0 -s 192.168.0.0/16 -j DROP

#Add access rules
#$IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPT -A INPUT -i eth1 -s 10.0.0.0/23 -p tcp --dport 3128 -m state --state NEW,ESTABLISHED -j ACCEPT
$IPT -A INPUT -i eth0 -p tcp --dport 32768:61000 -m state --state ESTABLISHED -j ACCEPT
$IPT -A INPUT -i eth1 -s 10.0.0.0/23 -p tcp --dport 20 -j ACCEPT
$IPT -A INPUT -i eth1 -s 10.0.0.0/23 -p tcp --dport 21 -j ACCEPT
$IPT -A INPUT -i eth1 -s 10.0.0.0/23 -p tcp --dport 22 -j ACCEPT
$IPT -A INPUT -i eth1 -s 10.0.0.0/23 -p tcp --dport 23 -j ACCEPT

#Prevent IP fregment attrack,100 fregment per second is allowed
$IPT -A FORWARD -f -m limit --limit 100/s --limit-burst 100 -j ACCEPT
#Prevent SYN flood attrack,1 packet per second is allowed
$IPT -A FORWARD -p tcp --syn -m limit --limit 1/s -j ACCEPT
#Prevent Ping of death
$IPT -A INPUT -i eth0 -p icmp --icmp-type echo-request -j DROP
#Prevent Denial of Server attrack
$IPT -A FORWARD -p tcp --tcp-flags SYN,ACK,FIN,RST RST -m limit --limit 1/s -j ACCEPT
#Denial bad packets
$IPT -A FORWARD -p tcp ! --syn -m state --state NEW -j DROP

#$IPT -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPT -A FORWARD -i eth1 -s 10.0.0.0/23 -p tcp --dport 25 -j ACCEPT
$IPT -A FORWARD -i eth1 -s 10.0.0.0/23 -p tcp --dport 110 -j ACCEPT
$IPT -A FORWARD -p udp -s 10.0.0.0/23 --dport 53 -j ACCEPT
#$IPT -A FORWARD -p tcp -s 10.0.0.0/23 --dport 53 -j ACCEPT
$IPT -A FORWARD -p tcp -s 10.0.0.0/23 --dport 443 -j ACCEPT
$IPT -A FORWARD -i eth1 -o eth0 -j ACCEPT

$IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPT -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

#$IPT -A FORWARD -j DROP

以上是我写的脚本，ping内网不通 。问题在哪儿？   eth0---------internet, eth1---------lan

roamingo

看不出来。

先看只用下面的简单规则能不能ping通。再一条一条往上加。
#Refresh rules
$IPT -F
$IPT -X
$IPT -F -t nat
$IPT -X -t nat
$IPT -F -t mangle
$IPT -X -t mangle

#Default policy
$IPT -P INPUT DROP
$IPT -P OUTPUT ACCEPT
$IPT -P FORWARD DROP
$IPT -A INPUT -i eth1 -p icmp -j ACCEPT