hi,
On Sun, 2002-01-27 at 14:03, Jochen Hein wrote:
> - Wenn hier Interesse besteht, dass ich das für die PUG auch mache,
> dann kann sich jemand um einen Termin und einen Raum kümmern.
Das wär cool, denn Firewalls verstehe ich bis heut nicht. Das mit dem
Raum, mhm, da findet sich bestimmt was, in Wiesbaden wär es sinnvoll, da
da die meisten von euch wohnen.
> - Wenn jemand Firewall-Skripte hat, dann würde ich mir die gerne mal
> ansehen.
gern, meine (nicht selbst erstellt) muß folgende Eigenschaften haben:
SSH intern-extern
WWW "
FTP "
HYlafax intern
PPTP extern
POP/imap intern-extern
SMTP "
finger extern (um mails abzurufen, bzw mailq anstoßen)
Ich denke, ich habe alles.
Hier das Script
#!/bin/sh
# Iptable firewall v0.73 (updated 09/03/01)
#
# Site-specific settings come first: the LAN prefix, the two interfaces
# and the proxy address.  Everything after the "no need to change" marker
# is a table of well-known address and port ranges used by the rules.
echo "Seting up firewall....."

# --- site specific -----------------------------------------------------
LOCALNETWORK=192.168.100.0/24   # the LAN behind this box
INTINT=eth1                     # LAN-facing interface
EXTINT=eth0                     # Internet-facing interface
INTIP=192.168.100.253           # this box's LAN address; not referenced by the rules shown here
#DHCPSERVER=208.191.175.254/32  # only needed by the commented-out DHCP rules
#DHCPSERVER2=192.168.1.1/32
SQUID=192.168.100.253:3128      # target of the (commented-out) transparent-proxy DNAT

# --- no need to change anything below ----------------------------------
# Address ranges that must never show up as a source on the outside.
LOOPBACK=127.0.0.0/8
CLASS_A=10.0.0.0/8              # RFC 1918 private ranges
CLASS_B=172.16.0.0/12
CLASS_C=192.168.0.0/16
MULTICAST=224.0.0.0/4
CLASS_E=240.0.0.0/5
ANYWHERE=any/0                  # in this file only the commented-out DHCP rules use it
BROADCAST_SRC=0.0.0.0/32
BROADCAST_DEST=255.255.255.255/32

# Port ranges.
PRIVPORTS=0:1023
PUBLICPORTS=1024:65535
NFS_PORT=2049
SOCKS_PORT=1080
XWINDOW_PORTS=6000:6023
# traceroute usually uses -S 32769:65535 -D 33434:33523
TRACEROUTE_SRC_PORTS=32769:65535
TRACEROUTE_DEST_PORTS=33434:33523
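#=============================================
# Non iptables stuff: kernel (/proc/sys) hardening
#=============================================
# Writes a value into one or more /proc/sys files and reports the result.
#   $1   - value to write
#   $2   - progress message, printed without a trailing newline
#   $3.. - files to write
# Prints "done." when every write succeeded, otherwise a failure note.
# The original printed "done." unconditionally, which hid the case of a
# write failing (e.g. the script not running as root).  printf is used
# instead of "echo -n" because the latter is not portable under #!/bin/sh.
set_proc() {
  _sp_value=$1
  _sp_msg=$2
  shift 2
  printf '%s' "$_sp_msg"
  _sp_rc=0
  for _sp_file in "$@"; do
    echo "$_sp_value" > "$_sp_file" || _sp_rc=1
  done
  if [ "$_sp_rc" -eq 0 ]; then
    echo "done."
  else
    echo "FAILED (not root?)."
  fi
  return "$_sp_rc"
}

# TCP syncookie protection
if [ -e /proc/sys/net/ipv4/tcp_syncookies ]; then
  set_proc 1 "Enabling TCP syncookie protection..." /proc/sys/net/ipv4/tcp_syncookies
else
  echo "Problem enabling TCP syncookie protection. Be worried."
fi
# Disable source routed packets (on every interface, hence the glob)
if [ -e /proc/sys/net/ipv4/conf/all/accept_source_route ]; then
  set_proc 0 "Disabling source routed packets...." /proc/sys/net/ipv4/conf/*/accept_source_route
else
  echo "Problems disabling source routed packets, be worried."
fi
# Disable ICMP Redirect Acceptance
if [ -e /proc/sys/net/ipv4/conf/all/accept_redirects ]; then
  set_proc 0 "Disabling ICMP Redirect Acceptance..." /proc/sys/net/ipv4/conf/*/accept_redirects
else
  echo "Problems disabling ICMP Redirect Acceptance, be worried."
fi
# IP spoof protection through source address verification (rp_filter).
# From the IPChains-HOWTO, works for iptables too.  Note that rp_filter
# drops packets whose reply would leave through another interface, so it
# interferes with asymmetric routing.
if [ -e /proc/sys/net/ipv4/conf/all/rp_filter ]; then
  set_proc 1 "Setting up IP spoofing protection..." /proc/sys/net/ipv4/conf/*/rp_filter
else
  echo "PROBLEMS SETTING UP IP SPOOFING PROTECTION. BE WORRIED."
fi
# Don't respond to broadcast pings.
if [ -e /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts ]; then
  set_proc 1 "Stopping broacast pings..." /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
else
  echo "Problem stopping broadcast pings. Be worried."
fi
# Activate forwarding -- this box routes for the LAN.
if [ -e /proc/sys/net/ipv4/ip_forward ]; then
  set_proc 1 "Turning on forwarding..." /proc/sys/net/ipv4/ip_forward
else
  echo "Forwarding not turned on! Be worried."
fi
# Ignore bogus ICMP error responses
if [ -e /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses ]; then
  set_proc 1 "Turning on bad error message protection..." /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses
else
  echo "Problem turing on bad error message protection. Be worried."
fi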
# Load the netfilter modules the rules below rely on (NAT, connection
# tracking, FTP connection-tracking helper).  When netfilter is compiled
# into the kernel these modprobe calls print errors that can be ignored.
for mod in iptable_nat ip_conntrack ip_conntrack_ftp; do
  modprobe "$mod"
done
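#=============================================
# Flush the old rules and set default policies
#=============================================
# The DROP policies are set *before* the old rules are flushed so that
# there is no moment at which the chains are empty while an ACCEPT policy
# from a previous run (or the kernel default) is still in force.
# -X additionally removes user-defined chains left behind by other tools;
# after -F they are empty, so this cannot fail on references.
#
# The nat table keeps ACCEPT policies: it only rewrites addresses and
# ports, all permit/deny decisions are made in the filter table.  An
# ACCEPT appended to a nat chain further down merely ends nat processing
# for that connection; it never allows or blocks traffic.
echo "Setting defaults"
/sbin/iptables -P INPUT DROP
/sbin/iptables -P OUTPUT DROP
/sbin/iptables -P FORWARD DROP
/sbin/iptables -F
/sbin/iptables -X
/sbin/iptables -t nat -P PREROUTING ACCEPT
/sbin/iptables -t nat -P POSTROUTING ACCEPT
/sbin/iptables -t nat -P OUTPUT ACCEPT
/sbin/iptables -t nat -F
/sbin/iptables -t nat -X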
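#=============================================
# Filter rules
#=============================================
# Filter out some troublesome things I would drop anyway
#/sbin/iptables -t nat -A PREROUTING -i ppp+ -s 192.168.0.2 -j DROP
# Transparent proxying (test) -- uncomment if you want it, but read the
# howto first!
#/sbin/iptables -t nat -A PREROUTING -i $INTINT -p tcp --dport 80 \
# -j DNAT --to $SQUID

# Masquerade everything from the LAN that leaves through the external
# interface (nat table, after routing).  The -s restriction keeps the box
# from masquerading packets with other source addresses that happen to be
# routed through it.
/sbin/iptables -t nat -A POSTROUTING -o "$EXTINT" -s "$LOCALNETWORK" -j MASQUERADE
echo "Masquerading enabled"

# Loopback: unrestricted.  If there are bad packets here, a firewall
# won't protect you.  Traffic from one address of this machine to another
# address of this machine goes through lo, not the interface the address
# belongs to.
# The two nat rules used to have no "-o lo": they matched every locally
# generated / every outgoing connection, which ended nat OUTPUT and
# POSTROUTING processing right here and made any DNAT/SNAT rule appended
# to those chains later unreachable.  They are now limited to loopback,
# as this section always intended.
/sbin/iptables -A INPUT -i lo -j ACCEPT
/sbin/iptables -A OUTPUT -o lo -j ACCEPT
/sbin/iptables -t nat -A OUTPUT -o lo -j ACCEPT
/sbin/iptables -t nat -A POSTROUTING -o lo -j ACCEPT
echo "Unlimited traffic on Loopback setup"

# LAN: anything arriving on the internal interface with a LAN source is
# trusted, and this box may talk to the LAN from its own LAN address
# (which lies inside LOCALNETWORK).
/sbin/iptables -A INPUT -i "$INTINT" -s "$LOCALNETWORK" -j ACCEPT
/sbin/iptables -A OUTPUT -o "$INTINT" -s "$LOCALNETWORK" -j ACCEPT
# Local broadcasts from this machine (nat bookkeeping only).
/sbin/iptables -t nat -A OUTPUT -s "$LOCALNETWORK" -j ACCEPT
/sbin/iptables -t nat -A POSTROUTING -o "$INTINT" -s "$LOCALNETWORK" -j ACCEPT
/sbin/iptables -t nat -A PREROUTING -s "$LOCALNETWORK" -j ACCEPT
echo "LAN traffic allowed"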
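# Anything coming from the internal interface must carry a LAN source
# address; log and drop the rest (a misconfigured or spoofing LAN host).
# "! -s" is the negation form accepted by both old and current iptables;
# the intrapositioned "-s !" used before is deprecated.
/sbin/iptables -A FORWARD -i "$INTINT" ! -s "$LOCALNETWORK" -j LOG \
  --log-level info --log-prefix "Forwarding problem..."
/sbin/iptables -A FORWARD -i "$INTINT" ! -s "$LOCALNETWORK" -j DROP
# Forward LAN -> outside, and anything addressed to the LAN -> inside.
# NOTE(review): the second rule is stateless, so it also forwards
# unsolicited packets for LAN addresses that arrive on the external side
# (possible from an adjacent network that routes LOCALNETWORK via this
# box).  The usual fix is to add "-m state --state ESTABLISHED,RELATED";
# a port-forward (DNAT) elsewhere in the script would then need its own
# FORWARD accept, so check the remainder of the script before tightening.
/sbin/iptables -A FORWARD -i "$INTINT" -s "$LOCALNETWORK" -j ACCEPT
/sbin/iptables -A FORWARD -o "$INTINT" -d "$LOCALNETWORK" -j ACCEPT
# Packets on the external interface that claim a LAN source are spoofed.
/sbin/iptables -A INPUT -i "$EXTINT" -s "$LOCALNETWORK" -j DROP
# Likewise loopback and the RFC 1918 ranges, as source *and* as
# destination -- belt and braces in case the rules above miss something.
for net in "$LOOPBACK" "$CLASS_A" "$CLASS_B" "$CLASS_C"; do
  /sbin/iptables -A INPUT -i "$EXTINT" -s "$net" -j DROP
  /sbin/iptables -A INPUT -i "$EXTINT" -d "$net" -j DROP
done
echo "Done with private addresses"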
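# Refuse multicast/anycast/broadcast source addresses (from NET-3-HOWTO).
# Multicast (224.0.0.0/4) is only valid as a destination, never as a
# source; such packets are spoofed or a misconfiguration.
/sbin/iptables -A INPUT -i "$EXTINT" -s "$MULTICAST" -j DROP
# Class E (240.0.0.0/5) is reserved; same reasoning.
/sbin/iptables -A INPUT -i "$EXTINT" -s "$CLASS_E" -j DROP
# /8 blocks that IANA listed as reserved/unallocated on 07/20/2001, see
# http://www.iana.org/assignments/ipv4-address-space .  A packet with such
# a source address could not be legitimate at that time.
#
# CAUTION: this is a snapshot.  Blocks that were unallocated in 2001 have
# since been assigned, so these rules drop legitimate traffic on today's
# Internet -- regenerate the list from a current bogon source before use.
#
# The rules carry no -i, so formally they apply to every interface; LAN
# and loopback traffic has already been accepted above, so in practice
# only packets from the outside reach them.  The previous version listed
# 110.0.0.0/8 twice; the duplicate is gone.  The 127.0.0.0/8 entry on
# $EXTINT is already covered by the $LOOPBACK rule above and is kept only
# to match the published list.  (An identical copy of the whole list with
# "-i $EXTINT" on every rule used to follow here, commented out; it is not
# reproduced.)
reserved_a="0 1 2 5 7 23 27 31 36 37 39 41 42 58 59 60 \
  69 70 71 72 73 74 75 76 77 78 79 \
  82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 \
  100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 \
  116 117 118 119 120 121 122 123 124 125 126"
reserved_b="197 219 220 221 222 223 \
  224 225 226 227 228 229 230 231 232 233 234 235 236 237 238 239 \
  240 241 242 243 244 245 246 247 248 249 250 251 252 253 254 255"
for first_octet in $reserved_a; do
  /sbin/iptables -A INPUT -s "${first_octet}.0.0.0/8" -j DROP
done
/sbin/iptables -A INPUT -i "$EXTINT" -s 127.0.0.0/8 -j DROP
for first_octet in $reserved_b; do
  /sbin/iptables -A INPUT -s "${first_octet}.0.0.0/8" -j DROP
done
echo "Done with reserved addresses"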
# ICMP: only the error/control types a working TCP/UDP stack needs, and
# only as part of a tracked connection:
#   source-quench (4), parameter-problem (12),
#   destination-unreachable (3), time-exceeded (11)
for icmp_type in source-quench parameter-problem destination-unreachable time-exceeded; do
  /sbin/iptables -A INPUT -i "$EXTINT" -p icmp --icmp-type "$icmp_type" \
    -m state --state ESTABLISHED,RELATED -j ACCEPT
  /sbin/iptables -A OUTPUT -o "$EXTINT" -p icmp --icmp-type "$icmp_type" \
    -m state --state ESTABLISHED,RELATED -j ACCEPT
done
# Outgoing pings: echo-request (8) may leave as a NEW connection and the
# matching echo-reply (0) may come back.  No rule here accepts an incoming
# echo-request, so with the DROP policy the box does not answer pings
# from the outside.
#/sbin/iptables -t nat -A PREROUTING -i $INTINT -p ICMP --icmp-type echo-reply -j DROP
/sbin/iptables -A INPUT -i "$EXTINT" -p icmp --icmp-type echo-reply \
  -m state --state ESTABLISHED,RELATED -j ACCEPT
/sbin/iptables -t nat -A OUTPUT -o "$EXTINT" -p icmp --icmp-type echo-request -j ACCEPT
/sbin/iptables -t nat -A POSTROUTING -o "$EXTINT" -p icmp --icmp-type echo-request -j ACCEPT
/sbin/iptables -A OUTPUT -o "$EXTINT" -p icmp --icmp-type echo-request \
  -m state --state NEW -j ACCEPT
echo "Some ICMP allowed"
# traceroute: by default UDP from source ports 32769-65535 to destination
# ports 33434-33523 (on Linux at least); it can be pointed at any port
# though.  The answers are ICMP time-exceeded / destination-unreachable,
# already accepted above as part of the tracked connection.
/sbin/iptables -A OUTPUT -o "$EXTINT" -p udp --sport "$TRACEROUTE_SRC_PORTS" \
  --dport "$TRACEROUTE_DEST_PORTS" -m state --state NEW -j ACCEPT
/sbin/iptables -t nat -A OUTPUT -o "$EXTINT" -p udp --sport "$TRACEROUTE_SRC_PORTS" \
  --dport "$TRACEROUTE_DEST_PORTS" -j ACCEPT
echo "traceroute allowed"
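# Kill malformed packets -- enhance this list yourself!
# Drops TCP packets whose flag combination no legitimate stack sends, on
# INPUT and FORWARD.  $1 is the flag mask, $2 the flags that must be set.
# LAN and loopback traffic was accepted earlier, so this only affects
# packets from the outside.
drop_tcp_flags() {
  /sbin/iptables -A INPUT -p tcp --tcp-flags "$1" "$2" -j DROP
  /sbin/iptables -A FORWARD -p tcp --tcp-flags "$1" "$2" -j DROP
}
drop_tcp_flags ALL ALL          # XMAS: every flag set
drop_tcp_flags ALL NONE         # NULL: no flag set
drop_tcp_flags SYN,FIN SYN,FIN  # SYN+FIN and SYN+RST were not in the original list
drop_tcp_flags SYN,RST SYN,RST
echo "Some malformed packets blocked"

# Anything coming from the Internet should have a real Internet address:
# forwarded packets from the outside with an RFC 1918 source are dropped
# (the INPUT side was handled with the private-address rules above).
for net in "$CLASS_C" "$CLASS_B" "$CLASS_A"; do
  /sbin/iptables -A FORWARD -i "$EXTINT" -s "$net" -j DROP
done

# Windows file sharing must not cross the border in either direction;
# log the attempts.  NetBIOS uses 137-139, direct-hosted SMB uses 445
# (445 was not in the original list).
# NOTE(review): the FORWARD chain already accepts everything from the LAN
# and everything addressed to the LAN (see "Allow forwarding from inside
# to out" above), so the FORWARD rules here are never reached.  If SMB
# really must not cross, move them in front of those two accepts.
for smb_ports in 137:139 445; do
  for proto in tcp udp; do
    /sbin/iptables -t nat -A PREROUTING -i "$EXTINT" -p "$proto" --dport "$smb_ports" \
      -j LOG --log-level info --log-prefix "SMB tried to come in..."
    /sbin/iptables -t nat -A PREROUTING -i "$EXTINT" -p "$proto" --dport "$smb_ports" -j DROP
    /sbin/iptables -A FORWARD -p "$proto" --sport "$smb_ports" \
      -j LOG --log-level info --log-prefix "SMB tried to cross."
    /sbin/iptables -A FORWARD -p "$proto" --sport "$smb_ports" -j DROP
    /sbin/iptables -A OUTPUT -o "$EXTINT" -p "$proto" --sport "$smb_ports" -j DROP
  done
done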
# DHCP (disabled) -------------------------------------------------------
# Rules for a DHCP client on $EXTINT and for a DHCP server on $INTINT.
# They are kept commented out, like DHCPSERVER / DHCPSERVER2 at the top
# of the script that they refer to; enable both together if one of the
# interfaces is configured by DHCP.
#
# client on $EXTINT:
#/sbin/iptables -t nat -A PREROUTING -i $EXTINT -p UDP -s $DHCPSERVER \
# --sport 67 --dport 68 -j ACCEPT
#/sbin/iptables -A OUTPUT -o $EXTINT -p UDP -s $BROADCAST_SRC --sport 68 \
# -d $BROADCAST_DEST --dport 67 -m state --state NEW,ESTABLISHED -j ACCEPT
#/sbin/iptables -A INPUT -i $EXTINT -p UDP -s $BROADCAST_SRC --sport 67 \
# -d $BROADCAST_DEST --dport 68 -m state --state ESTABLISHED -j ACCEPT
#/sbin/iptables -A OUTPUT -o $EXTINT -p UDP -s $ANYWHERE --sport 68 \
# -d $DHCPSERVER --dport 67 -m state --state NEW,ESTABLISHED -j ACCEPT
#/sbin/iptables -A INPUT -i $EXTINT -p UDP -s $DHCPSERVER --sport 67 \
# -d $ANYWHERE --dport 68 -m state --state ESTABLISHED -j ACCEPT
#
# server on $INTINT:
#/sbin/iptables -t nat -A PREROUTING -i $INTINT -p UDP -s $DHCPSERVER2 \
# --sport 68 --dport 67 -j ACCEPT
#/sbin/iptables -t nat -A PREROUTING -i $INTINT -p UDP -s $BROADCAST_SRC \
# --sport 68 -d $BROADCAST_DEST --dport 67 -j ACCEPT
#/sbin/iptables -A OUTPUT -o $INTINT -p UDP -s $BROADCAST_SRC --sport 67 \
# -d $BROADCAST_DEST --dport 68 -m state --state ESTABLISHED -j ACCEPT
#/sbin/iptables -A INPUT -i $INTINT -p UDP -s $BROADCAST_SRC --sport 68 \
# -d $BROADCAST_DEST --dport 67 -m state --state NEW,ESTABLISHED -j ACCEPT
#/sbin/iptables -A OUTPUT -o $INTINT -p UDP -s $ANYWHERE --sport 67 \
# -d $DHCPSERVER2 --dport 68 -m state --state ESTABLISHED -j ACCEPT
#/sbin/iptables -A INPUT -i $INTINT -p UDP -s $DHCPSERVER2 --sport 68 \
# -d $ANYWHERE --dport 67 -m state --state NEW,ESTABLISHED -j ACCEPT
#echo "DCHP allowed"

# A 0.0.0.0 source is only legitimate for DHCP discovery (matched by the
# rules above when they are enabled); drop it on the outside interface.
/sbin/iptables -A INPUT -i "$EXTINT" -s "$BROADCAST_SRC" -j DROP
# Nothing addressed to the limited broadcast address is wanted from the
# outside either (again, DHCP excepted).
/sbin/iptables -A INPUT -i "$EXTINT" -d "$BROADCAST_DEST" -j DROP
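# DNS (port 53, UDP and TCP) -- client side.
# Queries leave from an unprivileged source port, answers come back from
# port 53.  The UDP answer rule is now limited to ESTABLISHED: it used to
# accept *any* UDP packet with source port 53 to any unprivileged port,
# which lets a remote host reach e.g. the squid port 3128 just by sending
# from port 53.  ip_conntrack is loaded, so UDP exchanges are tracked and
# real answers still match.
/sbin/iptables -A OUTPUT -o "$EXTINT" -p udp --sport "$PUBLICPORTS" --dport 53 -j ACCEPT
/sbin/iptables -t nat -A OUTPUT -o "$EXTINT" -p udp --sport "$PUBLICPORTS" --dport 53 -j ACCEPT
/sbin/iptables -A INPUT -i "$EXTINT" -p udp --sport 53 --dport "$PUBLICPORTS" \
  -m state --state ESTABLISHED -j ACCEPT
/sbin/iptables -A OUTPUT -o "$EXTINT" -p tcp --sport "$PUBLICPORTS" --dport 53 \
  -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
/sbin/iptables -t nat -A OUTPUT -o "$EXTINT" -p tcp --sport "$PUBLICPORTS" --dport 53 -j ACCEPT
/sbin/iptables -A INPUT -i "$EXTINT" -p tcp --sport 53 --dport "$PUBLICPORTS" \
  -m state --state ESTABLISHED,RELATED -j ACCEPT
/sbin/iptables -t nat -A POSTROUTING -o "$EXTINT" -p udp --sport "$PUBLICPORTS" --dport 53 -j ACCEPT
/sbin/iptables -t nat -A PREROUTING -i "$EXTINT" -p udp --sport "$PUBLICPORTS" --dport 53 -j ACCEPT
echo "DNS queries allowed"

# Web (80 and 443) -- client side.  Outgoing from unprivileged ports,
# answers only within an established connection.
for port in 80 443; do
  /sbin/iptables -t nat -A PREROUTING -i "$EXTINT" -p tcp --sport "$port" --dport "$PUBLICPORTS" -j ACCEPT
done
for port in 80 443; do
  /sbin/iptables -A OUTPUT -o "$EXTINT" -p tcp --sport "$PUBLICPORTS" --dport "$port" -j ACCEPT
  /sbin/iptables -A INPUT -i "$EXTINT" -p tcp --sport "$port" --dport "$PUBLICPORTS" \
    -m state --state ESTABLISHED -j ACCEPT
done
for port in 80 443; do
  /sbin/iptables -t nat -A OUTPUT -o "$EXTINT" -p tcp --sport "$PUBLICPORTS" --dport "$port" -j ACCEPT
  /sbin/iptables -t nat -A POSTROUTING -o "$EXTINT" -p tcp --sport "$PUBLICPORTS" --dport "$port" -j ACCEPT
done
# Whatever else arrives from source port 80 (mostly cookie placement
# attempts, according to the original author) is logged with rate
# limiting and dropped.
/sbin/iptables -A INPUT -i "$EXTINT" -p tcp --sport 80 \
  -m limit -j LOG --log-level info --log-prefix "Port 80 dropped.."
/sbin/iptables -A INPUT -i "$EXTINT" -p tcp --sport 80 -j DROP
echo "Web and Secure Web allowed"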
# Web server on this box (80 and 443), reachable from the outside.
# An INPUT rule matching only the remote *source* port (present in an
# earlier version, since commented out) is deliberately not used: it
# would admit any packet to any local port.
for port in 80 443; do
  /sbin/iptables -A INPUT -i "$EXTINT" -p tcp --dport "$port" -j ACCEPT
  /sbin/iptables -A OUTPUT -o "$EXTINT" -p tcp --sport "$port" -j ACCEPT
  /sbin/iptables -t nat -A PREROUTING -i "$EXTINT" -p tcp --dport "$port" -j ACCEPT
  /sbin/iptables -t nat -A POSTROUTING -o "$EXTINT" -p tcp --sport "$port" -j ACCEPT
  case $port in
    80) echo "WEB server allowed" ;;
    443) echo "WEB-SSL server allowed" ;;
  esac
done
# Mail client: outgoing SMTP (25) and POP3 (110) from unprivileged ports;
# answers only within an established connection.
for port in 25 110; do
  /sbin/iptables -t nat -A OUTPUT -o "$EXTINT" -p tcp --sport "$PUBLICPORTS" --dport "$port" -j ACCEPT
  /sbin/iptables -A OUTPUT -o "$EXTINT" -p tcp --sport "$PUBLICPORTS" --dport "$port" -j ACCEPT
  /sbin/iptables -A INPUT -i "$EXTINT" -p tcp --sport "$port" --dport "$PUBLICPORTS" \
    -m state --state ESTABLISHED -j ACCEPT
  /sbin/iptables -t nat -A POSTROUTING -o "$EXTINT" -p tcp --sport "$PUBLICPORTS" --dport "$port" -j ACCEPT
done
echo "Email allowed (except IMAP)"
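# SSH client (22): outgoing connections from any local port, answers only
# within an established connection.
/sbin/iptables -A OUTPUT -o "$EXTINT" -p tcp --dport 22 -j ACCEPT
/sbin/iptables -t nat -A OUTPUT -o "$EXTINT" -p tcp --dport 22 -j ACCEPT
/sbin/iptables -A INPUT -i "$EXTINT" -p tcp --sport 22 -m state --state ESTABLISHED -j ACCEPT
/sbin/iptables -t nat -A POSTROUTING -o "$EXTINT" -p tcp --dport 22 -j ACCEPT
echo "SSH client allowed"

# SSH server (22) on this box, reachable from the outside.
/sbin/iptables -A INPUT -i "$EXTINT" -p tcp --dport 22 -j ACCEPT
/sbin/iptables -A OUTPUT -o "$EXTINT" -p tcp --sport 22 -j ACCEPT
/sbin/iptables -t nat -A PREROUTING -i "$EXTINT" -p tcp --dport 22 -j ACCEPT
/sbin/iptables -t nat -A POSTROUTING -o "$EXTINT" -p tcp --sport 22 -j ACCEPT
echo "SSH server allowed"

# IMAP server (143) on this box, reachable from the outside.
# The second INPUT rule used to be an unconditional "--sport 143 ACCEPT",
# which admits any packet to any local port as long as the sender uses
# source port 143.  It is now limited to ESTABLISHED, which still covers
# answers to IMAP connections this box opens itself.
# Port 143 is plaintext IMAP unless the server enforces STARTTLS; for
# access from the outside consider IMAPS (993) instead.
/sbin/iptables -A INPUT -i "$EXTINT" -p tcp --dport 143 -j ACCEPT
/sbin/iptables -A INPUT -i "$EXTINT" -p tcp --sport 143 -m state --state ESTABLISHED -j ACCEPT
/sbin/iptables -A OUTPUT -o "$EXTINT" -p tcp --sport 143 -j ACCEPT
/sbin/iptables -t nat -A PREROUTING -i "$EXTINT" -p tcp --dport 143 -j ACCEPT
/sbin/iptables -t nat -A POSTROUTING -o "$EXTINT" -p tcp --sport 143 -j ACCEPT
echo "IMAP server allowed"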
#Allows usenet (port 119)
/sbin/iptables -A OUTPUT -o $EXTINT -p TCP \
--dport 119 -j ACCEPT
/sbin/iptables -t nat -A OUTPUT -o $EXTINT -p TCP \
--dport 119 -j ACCEPT
/sbin/iptables -A INPUT -i $EXTINT -p TCP --sport 119 \
-m state --state NEW,ESTABLISHED -j ACCEPT
/sbin/iptables -t nat -A POSTROUTING -o $EXTINT -p TCP --dport 119 \
-j ACCEPT
echo "News allowed"
#Allow smtp (port 25 - client access)
/sbin/iptables -A OUTPUT -o $EXTINT -p TCP --dport 25 -j ACCEPT
/sbin/iptables -t nat -A OUTPUT -o $EXTINT -p TCP --dport 25 -j ACCEPT
/sbin/iptables -A INPUT -i $EXTINT -p TCP --sport 25 -m state --state ESTABLISHED -j ACCEPT
/sbin/iptables -t nat -A POSTROUTING -o $EXTINT -p TCP --dport 25 -j ACCEPT
echo "smtp client allowd"
#Allow SMTP server access (Port 25)
/sbin/iptables -A INPUT -i $EXTINT -p TCP --dport 25 -j ACCEPT
/sbin/iptables -A INPUT -i $EXTINT -p TCP --sport 25 -j ACCEPT
/sbin/iptables -A OUTPUT -o $EXTINT -p TCP --sport 25 -j ACCEPT
/sbin/iptables -t nat -A PREROUTING -i $EXTINT -p TCP --dport 25 -j ACCEPT
/sbin/iptables -t nat -A POSTROUTING -o $EXTINT -p TCP --sport 25 -j ACCEPT
echo "SMTP server allowed"
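# --- finger server (TCP/79) on the external interface ---
# Kept reachable from outside as in the original.
/sbin/iptables -A INPUT -i "$EXTINT" -p TCP --dport 79 -j ACCEPT
# FIX: the stateless "--sport 79 ACCEPT" admitted any inbound packet whose
# source port was 79 to every local port; now replies only.
/sbin/iptables -A INPUT -i "$EXTINT" -p TCP --sport 79 -m state --state ESTABLISHED -j ACCEPT
/sbin/iptables -A OUTPUT -o "$EXTINT" -p TCP --sport 79 -j ACCEPT
/sbin/iptables -t nat -A PREROUTING -i "$EXTINT" -p TCP --dport 79 -j ACCEPT
/sbin/iptables -t nat -A POSTROUTING -o "$EXTINT" -p TCP --sport 79 -j ACCEPT
# NOTE(review): finger is unauthenticated and reveals account/login details
# to anybody, and there is no -s restriction here. If only a known peer
# needs it, add "-s <peer>" to the dport-79 INPUT rule.
echo "FINGER server allowed"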
# --- finger client (TCP/79) from this host ---
/sbin/iptables --append OUTPUT --out-interface "$EXTINT" --protocol TCP --destination-port 79 --jump ACCEPT
/sbin/iptables --table nat --append OUTPUT --out-interface "$EXTINT" --protocol TCP --destination-port 79 --jump ACCEPT
/sbin/iptables --table nat --append POSTROUTING --out-interface "$EXTINT" --protocol TCP --destination-port 79 --jump ACCEPT
# Only replies to our own queries are let back in.
/sbin/iptables --append INPUT --in-interface "$EXTINT" --protocol TCP --source-port 79 --match state --state ESTABLISHED --jump ACCEPT
echo "FINGER client allowed"
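# --- distributed.net client (TCP/2064), outbound only ---
/sbin/iptables -A OUTPUT -o "$EXTINT" -p TCP --sport "$PUBLICPORTS" --dport 2064 -j ACCEPT
# FIX: NEW was allowed here, i.e. unsolicited inbound TCP from source port
# 2064 to any unprivileged local port. A client only needs replies to the
# connections it opened, so ESTABLISHED is sufficient.
/sbin/iptables -A INPUT -i "$EXTINT" -p TCP --sport 2064 --dport "$PUBLICPORTS" -m state --state ESTABLISHED -j ACCEPT
# NOTE(review): unlike most other client sections there is no nat OUTPUT /
# POSTROUTING ACCEPT for this port; whether that matters depends on the nat
# chain policies set earlier in the script (not visible here).
echo "Distributed.net allowed"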
# --- NTP (UDP/123 <-> UDP/123) ---
/sbin/iptables --append OUTPUT --out-interface "$EXTINT" --protocol UDP --source-port 123 --destination-port 123 --jump ACCEPT
# NOTE(review): NEW is accepted here, so any host on the internet may send
# port-123 -> port-123 datagrams to this box unsolicited. That is only
# needed if this machine serves time to others or peers symmetrically; for
# a pure client "--state ESTABLISHED" is enough. Left unchanged because the
# intent cannot be determined from the script.
/sbin/iptables --append INPUT --in-interface "$EXTINT" --protocol UDP --source-port 123 --destination-port 123 --match state --state NEW,ESTABLISHED --jump ACCEPT
echo "ntp allowed"
# --- whois client (TCP/43), outbound only ---
/sbin/iptables --append OUTPUT --out-interface "$EXTINT" --protocol TCP --source-port "$PUBLICPORTS" --destination-port 43 --match state --state NEW,ESTABLISHED --jump ACCEPT
/sbin/iptables --table nat --append OUTPUT --out-interface "$EXTINT" --protocol TCP --source-port "$PUBLICPORTS" --destination-port 43 --jump ACCEPT
# Replies only; nothing unsolicited from port 43 gets in.
/sbin/iptables --append INPUT --in-interface "$EXTINT" --protocol TCP --source-port 43 --destination-port "$PUBLICPORTS" --match state --state ESTABLISHED --jump ACCEPT
echo "whois allowed"
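## --- FTP client: TCP/21 control, TCP/20 active-mode data, high ports for passive ---
## Relies on the ip_conntrack_ftp helper so that data connections show up as
## RELATED; without it only passive mode (covered by the generic high-port
## rules in the ICQ section) can work.
## NOTE(review): FTP sends the password in clear.
## nat-table rules: mark the FTP flows as "no NAT" in the nat chains.
## NOTE(review): an ACCEPT in nat POSTROUTING stops any later MASQUERADE rule
## from translating that flow, so these must come after the masquerading
## rule for LAN clients (that rule is not in this section). The PREROUTING
## dport-21 rule has no matching filter INPUT rule here, so no inbound FTP
## server is opened by this section.
/sbin/iptables -t nat -A OUTPUT -o "$EXTINT" -p TCP --sport "$PUBLICPORTS" --dport 21 -j ACCEPT
/sbin/iptables -t nat -A OUTPUT -o "$EXTINT" -p TCP --sport "$PUBLICPORTS" --dport "$PUBLICPORTS" -j ACCEPT
/sbin/iptables -t nat -A POSTROUTING -o "$EXTINT" -p TCP --sport "$PUBLICPORTS" --dport "$PUBLICPORTS" -j ACCEPT
/sbin/iptables -t nat -A PREROUTING -i "$EXTINT" -p TCP --sport "$PUBLICPORTS" --dport 21 -j ACCEPT
/sbin/iptables -t nat -A POSTROUTING -o "$EXTINT" -p TCP --sport "$PUBLICPORTS" --dport 21 -j ACCEPT
/sbin/iptables -t nat -A PREROUTING -i "$EXTINT" -p TCP --dport "$PUBLICPORTS" --sport 21 -j ACCEPT
/sbin/iptables -t nat -A OUTPUT -o "$EXTINT" -p TCP --sport "$PUBLICPORTS" --dport 20 -m state --state ESTABLISHED,RELATED -j ACCEPT
/sbin/iptables -t nat -A PREROUTING -i "$EXTINT" -p TCP --sport "$PUBLICPORTS" --dport 20 -m state --state ESTABLISHED,RELATED -j ACCEPT
/sbin/iptables -t nat -A POSTROUTING -o "$EXTINT" -p TCP --sport "$PUBLICPORTS" --dport 20 -m state --state ESTABLISHED,RELATED -j ACCEPT
## filter-table rules for this host as FTP client: control connection out.
/sbin/iptables -A OUTPUT -o "$EXTINT" -p TCP --sport "$PUBLICPORTS" --dport 21 -j ACCEPT
## FIX: the control-channel reply rule was stateless ("--sport 21 ACCEPT"),
## so any inbound packet with source port 21 reached every unprivileged
## local port. Replies to our own control connection are ESTABLISHED.
/sbin/iptables -A INPUT -i "$EXTINT" -p TCP --sport 21 --dport "$PUBLICPORTS" -m state --state ESTABLISHED -j ACCEPT
## Active-mode data: the server connects from its port 20 to our high port;
## the conntrack helper flags that connection as RELATED.
/sbin/iptables -A OUTPUT -o "$EXTINT" -p TCP --sport "$PUBLICPORTS" --dport 20 -m state --state ESTABLISHED,RELATED -j ACCEPT
/sbin/iptables -A INPUT -i "$EXTINT" -p TCP --sport 20 --dport "$PUBLICPORTS" -m state --state ESTABLISHED,RELATED -j ACCEPT
echo "FTP allowed"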
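# --- ICQ client (UDP/4000 to the server, plus TCP between high ports) ---
/sbin/iptables -A OUTPUT -o "$EXTINT" -p UDP --sport "$PUBLICPORTS" --dport 4000 -j ACCEPT
# FIX: server replies were accepted statelessly (any UDP from source port
# 4000 to any unprivileged local port); now replies to our own traffic only.
/sbin/iptables -A INPUT -i "$EXTINT" -p UDP --sport 4000 --dport "$PUBLICPORTS" -m state --state ESTABLISHED -j ACCEPT
# Outbound TCP between unprivileged ports from this host (ICQ direct
# connections, passive-mode FTP data, ...).
/sbin/iptables -A OUTPUT -o "$EXTINT" -p TCP --sport "$PUBLICPORTS" --dport "$PUBLICPORTS" -j ACCEPT
# FIX: the matching INPUT rule accepted *every* inbound TCP packet between
# unprivileged ports with no state check - i.e. every service listening on
# a port above 1023 on the external interface (X11, NFS, squid, ...) was
# reachable from the internet unless an earlier rule blocked it. Only
# replies and helper-related data connections are let in now. Inbound ICQ
# direct connections (a peer connecting to a listening high port here) are
# no longer accepted; add an explicit rule for that port if they are needed.
/sbin/iptables -A INPUT -i "$EXTINT" -p TCP --sport "$PUBLICPORTS" --dport "$PUBLICPORTS" -m state --state ESTABLISHED,RELATED -j ACCEPT
/sbin/iptables -t nat -A OUTPUT -o "$EXTINT" -p TCP --sport "$PUBLICPORTS" --dport 4000 -j ACCEPT
/sbin/iptables -t nat -A PREROUTING -i "$EXTINT" -p TCP --sport "$PUBLICPORTS" --dport 4000 -j ACCEPT
/sbin/iptables -t nat -A OUTPUT -o "$EXTINT" -p UDP --sport "$PUBLICPORTS" --dport 4000 -j ACCEPT
/sbin/iptables -t nat -A POSTROUTING -o "$EXTINT" -p UDP --sport "$PUBLICPORTS" --dport 4000 -j ACCEPT
# Generic stateful forwarding: replies and helper-related flows of any
# connection the FORWARD chain already admitted (e.g. masqueraded LAN
# traffic). Despite the original "don't think this one does anything"
# remark it is load-bearing unless an identical rule already sits earlier
# in FORWARD (not visible in this section) - keep it.
/sbin/iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
echo "ICQ allowed"
# --- PPTP server (TCP/1723 control connection + GRE, IP protocol 47) ---
# NOTE(review): PPTP's authentication/encryption (MS-CHAP/MPPE) is widely
# regarded as weak; the rules below only control reachability.
/sbin/iptables -t nat -A PREROUTING -i "$EXTINT" -p TCP --sport "$PUBLICPORTS" --dport 1723 -j ACCEPT
# FIX: this section had no filter-table rule for the 1723 control
# connection; it only got in through the stateless "any high port to any
# high port" ICQ rule above, which is now stateful. Admit it explicitly.
/sbin/iptables -A INPUT -i "$EXTINT" -p TCP --sport "$PUBLICPORTS" --dport 1723 -m state --state NEW,ESTABLISHED -j ACCEPT
# GRE carries the tunnelled PPP frames; accepted from anywhere (GRE has no
# ports, and conntrack support for it may not be present on this kernel).
/sbin/iptables -t nat -A OUTPUT -o "$EXTINT" -p 47 -j ACCEPT
/sbin/iptables -A OUTPUT -o "$EXTINT" -p 47 -j ACCEPT
/sbin/iptables -A INPUT -i "$EXTINT" -p 47 -j ACCEPT
# Traffic between the VPN clients (ppp+) and this host, LAN addresses only.
/sbin/iptables -A INPUT -i ppp+ -s "$LOCALNETWORK" -d "$LOCALNETWORK" -j ACCEPT
/sbin/iptables -A OUTPUT -o ppp+ -s "$LOCALNETWORK" -d "$LOCALNETWORK" -j ACCEPT
# NOTE(review): GRE forwarded between the tunnel and the outside with LAN
# addresses at both ends - purpose unclear, kept unchanged.
/sbin/iptables -A FORWARD -i ppp+ -o "$EXTINT" -p 47 -s "$LOCALNETWORK" -d "$LOCALNETWORK" -j ACCEPT
/sbin/iptables -A FORWARD -o ppp+ -i "$EXTINT" -p 47 -s "$LOCALNETWORK" -d "$LOCALNETWORK" -j ACCEPT
# VPN clients browsing the internet through this box (masquerading rule not
# in this section).
/sbin/iptables -A FORWARD -i ppp+ -o "$EXTINT" -s "$LOCALNETWORK" -j ACCEPT
# FIX: the return direction was stateless, i.e. anything arriving on the
# external interface addressed to a LAN address would have been forwarded
# into the tunnel. Replies only (the generic FORWARD state rule above
# already covers them, so this is now merely explicit).
/sbin/iptables -A FORWARD -o ppp+ -i "$EXTINT" -d "$LOCALNETWORK" -m state --state ESTABLISHED,RELATED -j ACCEPT
echo "PPTPD allowed"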
# --- ident (TCP/113): answer with a reject instead of a silent drop,
# presumably so remote mail/IRC servers that probe ident do not wait for a
# timeout ---
# REJECT is not available in the nat table, so the packet is passed there
# and the filter INPUT rule below rejects it.
/sbin/iptables --table nat --append PREROUTING --in-interface "$EXTINT" --protocol TCP --destination-port 113 --jump ACCEPT
# NOTE(review): the default reject is an ICMP port-unreachable; for ident a
# "--reject-with tcp-reset" is the more conventional answer. Left unchanged.
/sbin/iptables --append INPUT --in-interface "$EXTINT" --protocol TCP --source-port "$PUBLICPORTS" --destination-port 113 --jump REJECT
# --- ICMP echo-request from the outside: log (rate-limited) and drop ---
# Both rules live in the nat PREROUTING chain; the "-m limit" defaults
# (3/hour, burst 5) keep a ping flood from filling the log. Order matters:
# LOG first, then DROP.
# NOTE(review): filtering in the nat table is unconventional (nat chains are
# normally consulted only for the first packet of a connection); doing this
# in the filter INPUT chain would be the usual place.
/sbin/iptables --table nat --append PREROUTING --in-interface "$EXTINT" --protocol ICMP --icmp-type echo-request --match limit --jump LOG --log-level info --log-prefix "Ping dropped.."
/sbin/iptables --table nat --append PREROUTING --in-interface "$EXTINT" --protocol ICMP --icmp-type echo-request --jump DROP
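# --- Catch-all: log and discard whatever no earlier rule accepted ---
# These appended rules act as the effective default of each filter chain.
# NOTE(review): if the script aborts before this point, the chains' real
# policies (set earlier, not visible here) decide - a "-P ... DROP" set at
# the start is the safer net.
# FIX: the LOG rules were unlimited, so anybody could fill syslog / the disk
# simply by sending junk at the box. Each catch-all LOG is now rate-limited
# (5/min, burst 10); the DROP/REJECT that follows still sees every packet.
/sbin/iptables -A INPUT -m limit --limit 5/min --limit-burst 10 -j LOG --log-level info --log-prefix "Input packet dropped"
/sbin/iptables -A INPUT -j DROP
# Local processes get an immediate error (REJECT) instead of a hang (DROP).
/sbin/iptables -A OUTPUT -m limit --limit 5/min --limit-burst 10 -j LOG --log-level info --log-prefix "Output packet dropped"
/sbin/iptables -A OUTPUT -j REJECT
/sbin/iptables -A FORWARD -m limit --limit 5/min --limit-burst 10 -j LOG --log-level info --log-prefix "Forward packet dropped"
/sbin/iptables -A FORWARD -j DROP
# nat chains: log only; what happens to these packets next is up to each
# nat chain's policy.
/sbin/iptables -t nat -A PREROUTING -m limit --limit 5/min --limit-burst 10 -j LOG --log-level info --log-prefix "PreNat logging."
/sbin/iptables -t nat -A POSTROUTING -m limit --limit 5/min --limit-burst 10 -j LOG --log-level info --log-prefix "PostNat logging."
/sbin/iptables -t nat -A OUTPUT -m limit --limit 5/min --limit-burst 10 -j LOG --log-level info --log-prefix "Out NAT logging."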