How To Install A Custom Iptables Firewall

Want to support HowtoForge? Become a subscriber!
 
Submitted by sbovisjb1 (Contact Author) (Forums) on Mon, 2006-03-27 19:20. :: Linux

How To Install A Custom Iptables Firewall

. This guide is to show you how to edit your iptables if you're running on a server This guide info came from iptables rocks, but i edited a bunch of data to make it suitable for what i want it to do

Check to see if you already have iptables installed

rpm -q iptables

if iptables is installed you should see this outputted in console screen

 iptables-1.3.0-2

If iptables is not installed run use this command

up2date -i iptables

Configuring System Files

This will log kernel (user) usage and activities to a log file so that the admin can look at it later

Open terminal and sign in as root (su-)

Then type mkdir /var/log/firewall. This creates the virual directory where all this information will be stored

gedit /etc/syslog.conf

Edit the log file so that it should look like this

#IPTables logging 
#kernel messages.
kern.debug;kern.info /var/log/firewall

# Log all kernel messages to the console.
# Logging much else clutters up the screen.
#kern.* /dev/console

# Log anything (except mail) of level info or higher.
# Don't log private authentication messages!
*.info;mail.none;authpriv.none;cron.none /var/log/messages

# The authpriv file has restricted access.
authpriv.* /var/log/secure

# Log all the mail messages in one place.
mail.* -/var/log/maillog


# Log cron stuff
cron.* /var/log/cron

# Everybody gets emergency messages
*.emerg *

# Save news errors of level crit and higher in a special file.
uucp,news.crit /var/log/spooler

# Save boot messages also to boot.log
local7.* /var/log/boot.log

To activate these configurations type/etc/rc.d/init.d/syslog restart

This will make the kernel log activities

Then to make sure FTP sessions run correctly run this command

insmod ip_conntrack_ftp

//Book page 1//

Further System Preparation

Well, I dont know about you but wouldnt you like a saftey in case something goes bad... I know that i would, because it wont be fun if you're locked out side of you're system with all that importent data inside... A friend of mine did that do his dad's PC once :)

Go into terminal and type su - and then enter password

Then enter this command (it creats the script(it resets you're settings if you screw up)

vi /root/firewall_reset

# Iptables firewall reset script
*filter
:INPUT ACCEPT [164:15203]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [147:63028]
COMMIT

*mangle
:PREROUTING ACCEPT [164:15203]
:INPUT ACCEPT [164:15203]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [147:63028]
:POSTROUTING ACCEPT [147:63028]
COMMIT

*nat
:PREROUTING ACCEPT [14:672]
:POSTROUTING ACCEPT [9:684]
:OUTPUT ACCEPT [9:684]
COMMIT

pressctrl+s

run this command if you lock you're self out from now on

iptables-restore < /root/firewall_reset

One of the 2 scripts needed

To create script rungedit /root/primary_firewall

#The NAT portion of the ruleset. Used for Network Address Transalation.
#Usually not needed on a typical web server, but it's there if you need it.
*nat
:PREROUTING ACCEPT [127173:7033011]
:POSTROUTING ACCEPT [31583:2332178]
:OUTPUT ACCEPT [32021:2375633]
COMMIT

#The Mangle portion of the ruleset. Here is where unwanted packet types get dropped.
#This helps in making port scans against your server a bit more time consuming and difficult, but not impossible.
*mangle
:PREROUTING ACCEPT [444:43563]
:INPUT ACCEPT [444:43563]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [402:144198]
:POSTROUTING ACCEPT [402:144198]
-A PREROUTING -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,PSH,URG -j DROP
-A PREROUTING -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j DROP
-A PREROUTING -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -j DROP
-A PREROUTING -p tcp -m tcp --tcp-flags FIN,SYN FIN,SYN -j DROP
-A PREROUTING -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,PSH,URG -j DROP
-A PREROUTING -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j DROP
-A PREROUTING -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -j DROP
-A PREROUTING -p tcp -m tcp --tcp-flags FIN,SYN FIN,SYN -j DROP
-A PREROUTING -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,PSH,URG -j DROP
-A PREROUTING -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j DROP
-A PREROUTING -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -j DROP
-A PREROUTING -p tcp -m tcp --tcp-flags FIN,SYN FIN,SYN -j DROP
-A PREROUTING -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,PSH,URG -j DROP
-A PREROUTING -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j DROP
-A PREROUTING -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -j DROP
-A PREROUTING -p tcp -m tcp --tcp-flags FIN,SYN FIN,SYN -j DROP
COMMIT

#The FILTER section of the ruleset is where we initially drop all packets and then selectively open certain ports.
#We will also enable logging of all dropped requests.
*filter
:INPUT DROP [1:242]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
:LOG_DROP - [0:0]
:LOG_ACCEPT - [0:0]
:icmp_packets - [0:0]

#First, we cover the INPUT rules, or the rules for incoming requests.
#Note how at the end we log any incoming packets that are not accepted.
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 20 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 21 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j LOG_ACCEPT
-A INPUT -p tcp -m tcp --dport 25 -j LOG_ACCEPT
-A INPUT -p tcp -m tcp --dport 43 -j ACCEPT
-A INPUT -p udp -m udp --dport 53 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 110 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 143 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
#uncomment the next line if you are running Spamassassin on your server
#-A INPUT -p tcp -m tcp --dport 783 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 993 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 3306 -j ACCEPT
-A INPUT -s 127.0.0.1 -j ACCEPT
-A INPUT -p icmp -j icmp_packets
-A INPUT -j LOG_DROP

#Next, we cover the OUTPUT rules, or the rules for all outgoing traffic.
#Note how at the end we log any outbound packets that are not accepted.
-A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 20 -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 21 -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 23 -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 25 -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 43 -j ACCEPT
-A OUTPUT -p udp -m udp --dport 53 -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 110 -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 143 -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 443 -j ACCEPT
#uncomment the next line if you are running Spamassassin on your server
#-A OUTPUT -p tcp -m tcp --dport 783 -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 993 -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 3306 -j ACCEPT
-A OUTPUT -d 127.0.0.1 -j ACCEPT
-A OUTPUT -p icmp -j icmp_packets
-A OUTPUT -j LOG_DROP

#Here we have 2 sets of logging rules. One for dropped packets to log all dropped requests and one for accepted packets, should we wish to log any accepted requesets.
-A LOG_DROP -j LOG --log-prefix "[IPTABLES DROP] : " --log-tcp-options --log-ip-options
-A LOG_DROP -j DROP

-A LOG_ACCEPT -j LOG --log-prefix "[IPTABLES ACCEPT] : " --log-tcp-options --log-ip-options
-A LOG_ACCEPT -j ACCEPT

#And finally, a rule to deal with ICMP requests. We drop all ping requests except from our own server.
# Make sure you replace 1.2.3.4 with the IP address of your server.
-A icmp_packets -p icmp -m icmp --icmp-type 0 -j ACCEPT
-A icmp_packets -s 1.2.3.4 -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A icmp_packets -p icmp -m icmp --icmp-type 8 -j DROP
-A icmp_packets -p icmp -m icmp --icmp-type 3 -j ACCEPT
-A icmp_packets -p icmp -m icmp --icmp-type 11 -j ACCEPT
COMMIT

Then enter iptables-restore < /root/primary_firewall

into the terminal (remeber to be root)

The second firewall script

This script is an advanced program that scans ports constantly for hackers/viruses and other undesireables...Together with the above script you will have a very formidable defense system indeed

Sign in as root

Make this directory

mkdir /var/lock/subsys

Edit this file(type in gedit first :)) /etc/init.d/firewall.iptables

Enter in this code

As root enter in this command

chown root:root /etc/init.d/firewall.iptables

chmod 700 /etc/init.d/firewall.iptables

Then enter cd /etc/init.d

And enter /sbin/chkconfig --level 345 firewall.iptables on

Then enter /etc/init.d/firewall.iptables start

 
#!/bin/sh
#
# firewall Firewall startup/shutdown script
#
# Version: @(#) /etc/rc.d/init.d/firewall.iptables 23-Dec-2005
#
#
# Translated to iptables format, with several additions and modifications,
# from Craig Zeller's (zeller@fatpenguin.com) ipchains-based firewall script, by
# Bob Sully (rcs@malibyte.net)
#
# Thanks to Jeff Carlson (jeff@ultimateevil.org) for his assistance re: and several other issues,
# Rohan Amin (rohan@rohanamin.com) and Erik Wasser (erik.wasser@iquer.com) for help with the port-forwarding
# routine, and Nate Waddoups for his quick PPTP hack.

#
# Latest revision: 13-Mar-2006
#

# chkconfig: 345 11 91
#
# description: IP Firewall startup/shutdown script for iptables
#
# probe: true
#

#
# CONSTANTS - Do not edit
#

ANYWHERE="0.0.0.0/0" # Match any IP address
BROADCAST_SRC="0.0.0.0" # Broadcast Source Address
BROADCAST_DEST="255.255.255.255" # Broadcast Destination Address
CLASS_A="10.0.0.0/8" # Class-A Private (RFC-1918) Networks
CLASS_B="172.16.0.0/12" # Class-B Private (RFC-1918) Networks
CLASS_C="192.168.0.0/16" # Class-C Private (RFC-1918) Networks
CLASS_D_MULTICAST="224.0.0.0/4" # Class-D Multicast Addresses
CLASS_E_RESERVED_NET="240.0.0.0/5" # Class-E Reserved Addresses
PRIVPORTS="0:1023" # Well-Known, Privileged Port Range
UNPRIVPORTS="1024:65535" # Unprivileged Port Range
TRACEROUTE_SRC_PORTS="32769:65535" # Traceroute Source Ports
TRACEROUTE_DEST_PORTS="33434:33523" # Traceroute Destination Ports


#
# The Loopback interface defines should not be
# edited unless your Linux distribution defines
# these differently.
#

LOOPBACK_INTERFACE="lo" # The loopback interface
LOOPBACK_NETWORK="127.0.0.0/8" # Reserved Loopback Address Range



#
# See how we were called.
#

case "$1" in
start)
echo "Starting Firewall services"
echo "firewall: Configuring Firewall Rules using iptables"

# Remove any existing rules from all chains
iptables -F
iptables -F -t nat
iptables -F -t mangle

# Remove any pre-existing user-defined chains
iptables -X
iptables -X -t nat
iptables -X -t mangle

# Zero counts
iptables -Z

# Set the default policy to drop
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP

# Allow unlimited traffic on the loopback interface
iptables -A INPUT -i $LOOPBACK_INTERFACE -j ACCEPT
iptables -A OUTPUT -o $LOOPBACK_INTERFACE -j ACCEPT

# A bug that showed up as of the Red Hat 7.2 release results in
# the following 5 default policies breaking the firewall
# initialization:

# fgrep -q '7.2' /etc/redhat-release
# if [ $? -ne 0 ] ; then
# iptables -t nat -P PREROUTING DROP
# iptables -t nat -P OUTPUT DROP
# iptables -t nat -P POSTROUTING DROP

# iptables -t mangle -P PREROUTING DROP
# iptables -t mangle -P OUTPUT DROP
# fi


# Open the configuration file
if [ -f /etc/firewall/firewall.conf.iptables ]; then
. /etc/firewall/firewall.conf.iptables
else
# Turn off IP Forwarding & Masquerading
echo 0 >/proc/sys/net/ipv4/ip_forward

# Turn off dynamic IP hacking
echo "0" > /proc/sys/net/ipv4/ip_dynaddr

echo "firewall: No configuration file found at /etc/firewall/firewall.conf.iptables; "
echo "firewall: default policies set to DROP on INPUT/OUTPUT/FORWARD chains."
exit 1
fi


#
# If your IP address is dynamically assigned by a DHCP server,
# your DHCP server's IP address and this machine's IP address are
# obtained from /etc/dhcpc/hostinfo-$EXTERNAL_INTERFACE or
# /etc/dhcpc/dhcpcd-$EXTERNAL_INTERFACE.info.
#


if [ $DHCP -gt 0 ]; then

# Grab external IP address if already assigned

EXTERNAL_IP=$( ifconfig $EXTERNAL_INTERFACE | grep 'inet[^6]' | sed 's/[a-zA-Z:]//g' | awk '{print $1}' )
if [ -n $EXTERNAL_IP ]; then
EXT_NETMASK=$( ifconfig $EXTERNAL_INTERFACE | grep 'inet[^6]' | sed 's/[a-zA-Z:]//g' | awk '{print $3}' )
EXTERNAL_NETWORK=$( ipcalc -n $EXTERNAL_IP $EXT_NETMASK | grep Network | sed 's/\/[0-9].*//g' | awk '{print $2}' )
BROADCAST_NET=$( ifconfig $EXTERNAL_INTERFACE | grep 'inet[^6]' | sed 's/[a-zA-Z:]//g' | awk '{print $2}' )
fi

# Turn on dynamic IP hacking
echo "1" > /proc/sys/net/ipv4/ip_dynaddr


# Incoming DHCPOFFER from available DHCP servers
iptables -A INPUT -i $EXTERNAL_INTERFACE -p udp \
-s 0.0.0.0 --sport 67 \
-d 255.255.255.255 --dport 68 -j ACCEPT

# Initialization of rebinding: No lease or Lease time expired.
iptables -A OUTPUT -o $EXTERNAL_INTERFACE -p udp \
-s 0.0.0.0 --sport 68 \
-d 255.255.255.255 --dport 67 -j ACCEPT

# Fall back to initialization
# The client knows its server, but has either lost its
# lease, or else needs to reconfirm the IP address after
# rebooting.
iptables -A INPUT -i $EXTERNAL_INTERFACE -p udp \
-s $DHCP_SERVER_IP --sport 67 \
-d 255.255.255.255 --dport 68 -j ACCEPT
iptables -A OUTPUT -o $EXTERNAL_INTERFACE -p udp \
-s 255.255.255.255 --sport 68 \
-d $DHCP_SERVER_IP --dport 67 -j ACCEPT

# As a result of the above, we're supposed to change our IP
# address with this message, which is addressed to our new
# address before the dhcp client has received the update.
# Depending on the server implementation, the destination
# address can be the new IP address, the subnet address, or
# the limited broadcast address.

# If the network subnet address is used as the destination,
# the next rule must allow incoming packets destined to the
# subnet address, and the rule must preceed any general rules
# that block such incoming broadcast packets.

iptables -A INPUT -i $EXTERNAL_INTERFACE -p udp \
-s $DHCP_SERVER_IP --sport 67 \
--dport 68 -j ACCEPT

# Lease renewal
iptables -A INPUT -i $EXTERNAL_INTERFACE -p udp \
-s $DHCP_SERVER_IP --sport 67 \
-d $EXTERNAL_IP --dport 68 -j ACCEPT
iptables -A OUTPUT -o $EXTERNAL_INTERFACE -p udp \
-s $EXTERNAL_IP --sport 68 \
-d $DHCP_SERVER_IP --dport 67 -j ACCEPT

echo "firewall: DHCP Client configured"

else
# External IP assigned without DHCP (i.e. static); get netmask
EXT_NETMASK=$( ifconfig $EXTERNAL_INTERFACE | grep 'inet[^6]' | sed 's/[a-zA-Z:]//g' | awk '{print $3}' )

fi


#
# Refuse directed broadcasts; you may choose not to log these, as they can fill up your logs quickly
#

# iptables -A INPUT -i $EXTERNAL_INTERFACE -d $EXTERNAL_NETWORK \
# -m limit --limit 1/s \
# -j LOG --log-prefix "[Directed Broadcast] "
iptables -A INPUT -i $EXTERNAL_INTERFACE -d $EXTERNAL_NETWORK -j DROP
# iptables -A INPUT -i $EXTERNAL_INTERFACE -d $BROADCAST_NET \
# -m limit --limit 1/s \
# -j LOG --log-prefix "[Directed Broadcast] "
iptables -A INPUT -i $EXTERNAL_INTERFACE -d $BROADCAST_NET -j DROP

# Refuse limited broadcasts
# iptables -A INPUT -i $EXTERNAL_INTERFACE -d 255.255.255.255 \
# -m limit --limit 1/s \
# -j LOG --log-prefix "[Limited Broadcast] "
iptables -A INPUT -i $EXTERNAL_INTERFACE -d 255.255.255.255 -j DROP



#
# Edit these to match the number of servers or connections
# you support.
#

# X Window port allocation begins at 6000 and increments
# for each additional server running from 6000 to 6063.

XWINDOW_PORTS="6000:6063" # (TCP) X Windows

# SSH starts at 1023 and works down to 513 for each additional
# simultaneous incoming connection.

SSH_HI_PORTS="513:1023" # SSH Simultaneous Connections


#
# Iptables allows creation of customized chains. The -l (log) flag no longer
# exists. This is a custom chain which allows logging of DROPped packets.
#

iptables -N LnD # Define custom DROP chain

iptables -A LnD -p tcp -m limit --limit 1/s -j LOG --log-prefix "[TCP drop] " --log-level=info
iptables -A LnD -p udp -m limit --limit 1/s -j LOG --log-prefix "[UDP drop] " --log-level=info
iptables -A LnD -p icmp -m limit --limit 1/s -j LOG --log-prefix "[ICMP drop] " --log-level=info
iptables -A LnD -f -m limit --limit 1/s -j LOG --log-prefix "[FRAG drop] " --log-level=info
iptables -A LnD -j DROP

#
# This custom chain logs, then REJECTs packets.
#

iptables -N LnR # Define custom REJECT chain

iptables -A LnR -p tcp -m limit --limit 1/s -j LOG --log-prefix "[TCP reject] " --log-level=info
iptables -A LnR -p udp -m limit --limit 1/s -j LOG --log-prefix "[UDP reject] " --log-level=info
iptables -A LnR -p icmp -m limit --limit 1/s -j LOG --log-prefix "[ICMP reject] " --log-level=info
iptables -A LnR -f -m limit --limit 1/s -j LOG --log-prefix "[FRAG reject] " --log-level=info
iptables -A LnR -j REJECT

#
# This chain logs, then DROPs "Xmas" and Null packets which might indicate a port-scan attempt
#

iptables -N ScanD # Define custom chain for possible port-scans

iptables -A ScanD -p tcp -m limit --limit 1/s -j LOG --log-prefix "[TCP Scan?] "
iptables -A ScanD -p udp -m limit --limit 1/s -j LOG --log-prefix "[UDP Scan?] "
iptables -A ScanD -p icmp -m limit --limit 1/s -j LOG --log-prefix "[ICMP Scan?] "
iptables -A ScanD -f -m limit --limit 1/s -j LOG --log-prefix "[FRAG Scan?] "
iptables -A ScanD -j DROP


#
# This chain limits the number of new incoming connections to preventing DDoS attacks
#

iptables -N DDoS # Define custom chain for possible DDoS attack or SYN-flood scan

iptables -A DDoS -m limit --limit 1/s --limit-burst 10 -j RETURN
iptables -A DDoS -j LOG --log-prefix "[DOS Attack/SYN Scan?] "
iptables -A DDoS -j DROP


#
# This chain drops connections from IANA reserved IP blocks
#

iptables -N IANA

iptables -A IANA -p tcp -m limit --limit 1/s -j LOG --log-prefix "[IANA Reserved - TCP] " --log-level=info
iptables -A IANA -p udp -m limit --limit 1/s -j LOG --log-prefix "[IANA Reserved - UDP] " --log-level=info
iptables -A IANA -p icmp -m limit --limit 1/s -j LOG --log-prefix "[IANA Reserved - ICMP] " --log-level=info
iptables -A IANA -f -m limit --limit 1/s -j LOG --log-prefix "[IANA Reserved - FRAG] " --log-level=info
iptables -A IANA -j DROP


#
# This chain drops connections from IPs in the firewall.banned file
#

iptables -N Banned

iptables -A Banned -p tcp -m limit --limit 1/s -j LOG --log-prefix "[TCP Banned] " --log-level=info
iptables -A Banned -p udp -m limit --limit 1/s -j LOG --log-prefix "[UDP Banned] " --log-level=info
iptables -A Banned -p icmp -m limit --limit 1/s -j LOG --log-prefix "[ICMP Banned] " --log-level=info
iptables -A Banned -f -m limit --limit 1/s -j LOG --log-prefix "[FRAG Banned] " --log-level=info
iptables -A Banned -j DROP


#
# Disallow packets frequently used by port-scanners
#

# All of the bits are cleared
iptables -A INPUT -p tcp --tcp-flags ALL NONE -j ScanD

# SYN and FIN are both set
iptables -A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j ScanD

# SYN and RST are both set
iptables -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j ScanD

# FIN and RST are both set
iptables -A INPUT -p tcp --tcp-flags FIN,RST FIN,RST -j ScanD

# FIN is the only bit set, without the expected accompanying ACK
iptables -A INPUT -p tcp --tcp-flags ACK,FIN FIN -j ScanD

# PSH is the only bit set, without the expected accompanying ACK
iptables -A INPUT -p tcp --tcp-flags ACK,PSH PSH -j ScanD

# URG is the only bit set, without the expected accompanying ACK
iptables -A INPUT -p tcp --tcp-flags ACK,URG URG -j ScanD

# SYN-Flood
# (Request for new connection; large number indicate possible DDoS-type attack;
# same as --syn)
iptables -A INPUT -p tcp --tcp-flags SYN,RST,ACK SYN -j DDoS


# Enable broadcast echo Protection
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts

# Disable Source Routed Packets
for f in /proc/sys/net/ipv4/conf/*/accept_source_route; do
echo 0 > $f
done

# Enable TCP SYN Cookie Protection
echo 1 > /proc/sys/net/ipv4/tcp_syncookies

# Disable ICMP Redirect Acceptance
for f in /proc/sys/net/ipv4/conf/*/accept_redirects; do
echo 0 > $f
done

# Don't send Redirect Messages
for f in /proc/sys/net/ipv4/conf/*/send_redirects; do
echo 0 > $f
done

# Disable ICMP Redirect Acceptance
for f in /proc/sys/net/ipv4/conf/*/accept_redirects; do
echo 0 > $f
done

# Drop Spoofed Packets coming in on an interface, which if replied to,
# would result in the reply going out a different interface.
for f in /proc/sys/net/ipv4/conf/*/rp_filter; do
echo 1 > $f
done

# Log packets with impossible addresses.
for f in /proc/sys/net/ipv4/conf/*/log_martians; do
echo 1 > $f
done


# Disallow fragmented packets. This may not be as necessary as it once was.
# Comment it out with # if desired.
# iptables -A INPUT -f -i $EXTERNAL_INTERFACE -j LnD
# iptables -A INPUT -f -i $INTERNAL_INTERFACE -j LnD


#
# Loopback
#

# Unlimited traffic on the loopback interface (lo)

iptables -A INPUT -i $LOOPBACK_INTERFACE -j ACCEPT
iptables -A OUTPUT -o $LOOPBACK_INTERFACE -j ACCEPT


#
# Refuse any connections to/from problem sites.
#
# /etc/firewall/firewall.banned contains a list of IPs
# to block all access, both inbound and outbound.
# The file should contain IP addresses with CIDR
# netmask, one per line:
#
# NOTE: No comments are allowed in the file.
#
# 111.0.0.0/8 - To block a Class-A network
# 111.222.0.0/16 - To block a Class-B network
# 111.222.254.0/24 - To block a Class-C network
# 111.222.254.244/32 - To block a single IP address
#
# The CIDR netmask number describes the number of bits
# in the network portion of the address, and may be on
# any boundary.
#

if [ -f /etc/firewall/firewall.banned ]; then
while read BANNED; do
iptables -A INPUT -i $EXTERNAL_INTERFACE -s $BANNED -j Banned
iptables -A INPUT -i $EXTERNAL_INTERFACE -d $BANNED -j Banned
iptables -A OUTPUT -o $EXTERNAL_INTERFACE -s $BANNED -j Banned
iptables -A OUTPUT -o $EXTERNAL_INTERFACE -d $BANNED -j Banned
iptables -A FORWARD -d $BANNED -j Banned
iptables -A FORWARD -s $BANNED -j Banned
done < /etc/firewall/firewall.banned
echo "firewall: Banned addresses added to rule set"

else
echo "firewall: Banned address/network file not found."
fi

#
# Refuse connections from IANA-reserved blocks
#

if [ -f /etc/firewall/firewall.iana-reserved ]; then
while read RESERVED; do
iptables -A INPUT -i $EXTERNAL_INTERFACE -s $RESERVED -j IANA
iptables -A INPUT -i $EXTERNAL_INTERFACE -d $RESERVED -j IANA
iptables -A OUTPUT -o $EXTERNAL_INTERFACE -s $RESERVED -j IANA
iptables -A OUTPUT -o $EXTERNAL_INTERFACE -d $RESERVED -j IANA
done < /etc/firewall/firewall.iana-reserved
echo "firewall: Connections from IANA-reserved addresses blocked"

else
echo "firewall: IANA-reserved address/network file not found."
fi

#
# Localizations
#
# The /etc/firewall/firewall.local file should contain rules in
# standard 'iptables' format.
#

if [ -f /etc/firewall/firewall.local.iptables ]; then
. /etc/firewall/firewall.local.iptables
echo "firewall: Local rules added"
else
echo "firewall: Local rules file not found."
fi



#
# ICMP
#

# (4) Source Quench.
# Incoming & outgoing requests to slow down (flow control)

iptables -A INPUT -i $EXTERNAL_INTERFACE -p ICMP --icmp-type 4 \
-s $ANYWHERE -d $EXTERNAL_IP -j ACCEPT

iptables -A OUTPUT -o $EXTERNAL_INTERFACE -p ICMP --icmp-type 4 \
-s $EXTERNAL_IP -d $ANYWHERE -j ACCEPT

if [ $MASQUERADING -gt 0 ]; then
iptables -A FORWARD -p ICMP --icmp-type 4 -j ACCEPT
fi

# (12) Parameter Problem.
# Incoming & outgoing error messages

iptables -A INPUT -i $EXTERNAL_INTERFACE -p ICMP --icmp-type 12 \
-s $ANYWHERE -d $EXTERNAL_IP -j ACCEPT

iptables -A OUTPUT -o $EXTERNAL_INTERFACE -p ICMP --icmp-type 12 \
-s $EXTERNAL_IP -d $ANYWHERE -j ACCEPT

if [ $MASQUERADING -gt 0 ]; then
iptables -A FORWARD -p ICMP --icmp-type 12 -j ACCEPT
fi

# (3) Destination Unreachable, Service Unavailable.
# Incoming & outgoing size negotiation, service or
# destination unavailability, final traceroute response

iptables -A INPUT -i $EXTERNAL_INTERFACE -p ICMP --icmp-type 3 \
-s $ANYWHERE -d $EXTERNAL_IP -j ACCEPT

iptables -A OUTPUT -o $EXTERNAL_INTERFACE -p ICMP --icmp-type 3 \
-s $EXTERNAL_IP -d $ANYWHERE -j ACCEPT

iptables -A OUTPUT -o $EXTERNAL_INTERFACE -p ICMP --icmp-type \
fragmentation-needed -s $EXTERNAL_IP -d $ANYWHERE -j ACCEPT

if [ $MASQUERADING -gt 0 ]; then
iptables -A FORWARD -p ICMP --icmp-type 3 -j ACCEPT
iptables -A FORWARD -p ICMP --icmp-type fragmentation-needed -j ACCEPT
fi

# (11) Time Exceeded.
# Incoming & outgoing timeout conditions,
# also intermediate TTL response to traceroutes

iptables -A INPUT -i $EXTERNAL_INTERFACE -p ICMP --icmp-type 11 \
-s $ANYWHERE -d $EXTERNAL_IP -j ACCEPT

iptables -A OUTPUT -o $EXTERNAL_INTERFACE -p ICMP --icmp-type 11 \
-s $EXTERNAL_IP -d $ANYWHERE -j ACCEPT

if [ $MASQUERADING -gt 0 ]; then
iptables -A FORWARD -p ICMP --icmp-type 11 -j ACCEPT
fi

# (0 | 8) Allow OUTPUT pings to anywhere.

if [ $OUTBOUND_PING -gt 0 ]; then

iptables -A OUTPUT -o $EXTERNAL_INTERFACE -p ICMP --icmp-type 8 \
-s $EXTERNAL_IP -d $ANYWHERE -j ACCEPT

iptables -A INPUT -i $EXTERNAL_INTERFACE -p ICMP --icmp-type 0 \
-s $ANYWHERE -d $EXTERNAL_IP -j ACCEPT

if [ $MASQUERADING -gt 0 ]; then
iptables -A FORWARD -p ICMP --icmp-type 8 -s $INTERNAL_NETWORK -j ACCEPT
iptables -A FORWARD -p ICMP --icmp-type 0 -d $INTERNAL_NETWORK -j ACCEPT
fi

if [ $VERBOSE -gt 0 ]; then
echo "firewall: Outbound ping enabled"
fi

fi

# (0 | 8) Allow incoming pings from anywhere
# (stops at firewall).

if [ $INBOUND_PING -gt 0 ]; then

iptables -A INPUT -i $EXTERNAL_INTERFACE -p ICMP --icmp-type 8 \
-s $ANYWHERE -d $EXTERNAL_IP -j ACCEPT

iptables -A OUTPUT -o $EXTERNAL_INTERFACE -p ICMP --icmp-type 0 \
-s $EXTERNAL_IP -d $ANYWHERE -j ACCEPT

if [ $VERBOSE -gt 0 ]; then
echo "firewall: Inbound ping enabled"
fi

fi

#
# Unprivileged Ports
# Avoid ports subject to protocol and system administration problems.
#

NFS_PORT="2049" # (TCP/UDP) NFS
OPENWINDOWS_PORT="2000" # (TCP) Openwindows
SOCKS_PORT="1080" # (TCP) Socks


# Openwindows: establishing a connection

iptables -A OUTPUT -o $EXTERNAL_INTERFACE -p TCP -m state --state NEW \
--dport $OPENWINDOWS_PORT -s $EXTERNAL_IP -d $ANYWHERE -j LnR

# Openwindows: incoming connection

iptables -A INPUT -i $EXTERNAL_INTERFACE -p TCP -m state --state NEW \
--dport $OPENWINDOWS_PORT -d $EXTERNAL_IP -j LnD

# X Window: establishing a remote connection

iptables -A OUTPUT -o $EXTERNAL_INTERFACE -p TCP -m state --state NEW \
--dport $XWINDOW_PORTS -s $EXTERNAL_IP -d $ANYWHERE -j LnR

# X Window: incoming connection attempt

iptables -A INPUT -i $EXTERNAL_INTERFACE -p TCP -m state --state NEW \
--dport $XWINDOW_PORTS -d $EXTERNAL_IP -j LnD

# SOCKS: establishing a connection

iptables -A OUTPUT -o $EXTERNAL_INTERFACE -p TCP -m state --state NEW \
--dport $SOCKS_PORT -s $EXTERNAL_IP -d $ANYWHERE -j LnR

# SOCKS: incoming connection

iptables -A INPUT -i $EXTERNAL_INTERFACE -p TCP -m state --state NEW \
--dport $SOCKS_PORT -d $EXTERNAL_IP -j LnD

# NFS: TCP connections

iptables -A INPUT -i $EXTERNAL_INTERFACE -p TCP -m state --state NEW \
--dport $NFS_PORT -d $EXTERNAL_IP -j LnD

iptables -A OUTPUT -o $EXTERNAL_INTERFACE -p TCP -m state --state NEW \
--dport $NFS_PORT -d $ANYWHERE -j LnR

# NFS: UDP connections

iptables -A INPUT -i $EXTERNAL_INTERFACE -p UDP \
--dport $NFS_PORT -d $EXTERNAL_IP -j LnD

# NFS: incoming request (normal UDP mode)

iptables -A OUTPUT -o $EXTERNAL_INTERFACE -p UDP \
--dport $NFS_PORT -d $ANYWHERE -j LnR


#
# DNAT/SNAT Port Forwarding
#

if [ $PORT_FORWARD -gt 0 ]; then
if [ -f /etc/firewall/firewall.nat ]; then
while read IP_PORT; do
# extract the protocols, IPs and ports
NAT_TYPE=$(echo "$IP_PORT" | awk '{print $1}')
NAT_EXT_PORT=$(echo "$IP_PORT" | awk '{print $2}')
NAT_INT_IP=$(echo "$IP_PORT" | awk '{print $3}')
NAT_INT_PORT=$(echo "$IP_PORT" | awk '{print $4}')

# write the rules!

# this is the prerouting dnat
iptables -A PREROUTING -t nat -p $NAT_TYPE -d $EXTERNAL_IP --dport $NAT_EXT_PORT -j DNAT \
--to-destination $NAT_INT_IP:$NAT_INT_PORT

# This allows packets from external->internal
iptables -A FORWARD -i $EXTERNAL_INTERFACE -o $INTERNAL_INTERFACE -p $NAT_TYPE \
-d $NAT_INT_IP --dport $NAT_INT_PORT -m state \
--state NEW,ESTABLISHED,RELATED -j ACCEPT

# This allows packets from internal->external
iptables -A FORWARD -i $INTERNAL_INTERFACE -o $EXTERNAL_INTERFACE -p $NAT_TYPE \
-s $NAT_INT_IP --sport $NAT_INT_PORT -m state \
--state NEW,ESTABLISHED,RELATED -j ACCEPT

# This enables access to the 'public' server from the internal network
iptables -t nat -A POSTROUTING -d $NAT_INT_IP -s $INTERNAL_NETWORK \
-p $NAT_TYPE --dport $NAT_INT_PORT -j SNAT --to $INTERNAL_IP

echo firewall: dnat: $NAT_TYPE:$EXTERNAL_IP:$NAT_EXT_PORT - $NAT_INT_IP:$NAT_INT_PORT

done < /etc/firewall/firewall.nat

# unset some variables
unset IP_PORT
unset NAT_TYPE
unset NAT_EXT_PORT
unset NAT_INT_IP
unset NAT_INT_PORT

else
echo "firewall.nat (port-forwarding table) not found! Port-forwarding not enabled."
fi
fi


#
# NOTE:
# The symbolic names used in /etc/services for the port numbers
# vary by supplier.
#

# Required Services

#
# DNS client modes (53)
#

if [ $DNS_CLIENT -gt 0 ]; then

iptables -A OUTPUT -o $EXTERNAL_INTERFACE -p UDP \
--sport $UNPRIVPORTS --dport 53 -s $EXTERNAL_IP \
-d $ANYWHERE -j ACCEPT

iptables -A INPUT -i $EXTERNAL_INTERFACE -m state --state ESTABLISHED,RELATED -p UDP --sport 53 \
--dport $UNPRIVPORTS -s $ANYWHERE -d $EXTERNAL_IP -j ACCEPT

if [ $MASQUERADING -gt 0 ]; then
iptables -A FORWARD -p UDP -s $INTERNAL_NETWORK --sport $UNPRIVPORTS --dport 53 -j ACCEPT
iptables -A FORWARD -p UDP -d $INTERNAL_NETWORK --sport 53 --dport $UNPRIVPORTS -j ACCEPT
fi

# TCP client-to-server requests are allowed by the protocol
# if UDP requests fail. This is rarely seen. Usually, clients
# use TCP as a secondary name server for zone transfers from
# their primary name servers, and as hackers.

iptables -A OUTPUT -o $EXTERNAL_INTERFACE -p TCP --sport \
$UNPRIVPORTS --dport 53 -s $EXTERNAL_IP -d $ANYWHERE -j ACCEPT

iptables -A INPUT -i $EXTERNAL_INTERFACE -p TCP -m state --state ESTABLISHED,RELATED \
--sport 53 --dport $UNPRIVPORTS -s $ANYWHERE -d $EXTERNAL_IP -j ACCEPT

if [ $MASQUERADING -gt 0 ]; then
iptables -A FORWARD -p TCP -s $INTERNAL_NETWORK --sport $UNPRIVPORTS --dport 53 -j ACCEPT
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -p TCP -d $INTERNAL_NETWORK \
--sport 53 --dport $UNPRIVPORTS -j ACCEPT
fi

if [ $VERBOSE -gt 0 ]; then
echo "firewall: DNS client enabled"
fi
fi

#
# DNS server modes (53)
#

#
# DNS caching & forwarding name server
#

if [ $DNS_CACHING_SERVER -gt 0 ]; then

# Server-to-server query or response
# Caching only name server uses UDP, not TCP

iptables -A INPUT -i $EXTERNAL_INTERFACE -p UDP \
--sport 53 --dport 53 -s $ANYWHERE -d $EXTERNAL_IP -j ACCEPT

iptables -A OUTPUT -o $EXTERNAL_INTERFACE -p UDP \
--sport 53 --dport 53 -s $EXTERNAL_IP -d $ANYWHERE -j ACCEPT

if [ $VERBOSE -gt 0 ]; then
echo "firewall: DNS Caching server enabled"
fi

fi

#
# DNS full name server
#

if [ $DNS_FULL_SERVER -gt 0 ]; then

# Client-to-server DNS transaction.

iptables -A INPUT -i $EXTERNAL_INTERFACE -p UDP \
--sport $UNPRIVPORTS --dport 53 -s $ANYWHERE -d $EXTERNAL_IP -j ACCEPT

iptables -A OUTPUT -o $EXTERNAL_INTERFACE -p UDP \
--sport 53 --dport $UNPRIVPORTS -s $EXTERNAL_IP -d $ANYWHERE -j ACCEPT

iptables -A INPUT -i $EXTERNAL_INTERFACE -p UDP \
--sport 53 --dport 53 -s $ANYWHERE -d $EXTERNAL_IP -j ACCEPT

iptables -A OUTPUT -o $EXTERNAL_INTERFACE -p UDP \
--sport 53 --dport 53 -s $EXTERNAL_IP -d $ANYWHERE -j ACCEPT


# Zone Transfers.
# Due to the potential danger of zone transfers,
# allow TCP traffic to only specific secondaries.

# /etc/firewall/firewall.dns contains a list of
# secondary, tertiary, etc. domain name servers with which
# zone transfers are allowed. The file should contain IP
# addresses with CIDR netmask, one per line:


if [ -f /etc/firewall/firewall.dns ]; then
while read DNS_SECONDARY; do

iptables -A INPUT -i $EXTERNAL_INTERFACE -p TCP \
--sport $UNPRIVPORTS --dport 53 -s $DNS_SECONDARY -d $EXTERNAL_IP -j ACCEPT

iptables -A OUTPUT -o $EXTERNAL_INTERFACE -p TCP -m state --state ESTABLISHED,RELATED \
--sport 53 --dport $UNPRIVPORTS -s $EXTERNAL_IP -d $DNS_SECONDARY -j ACCEPT

done < /etc/firewall/firewall.dns

else
echo "firewall: ** No secondary DNS configured **"

fi

if [ $VERBOSE -gt 0 ]; then
echo "firewall: DNS Full server enabled"
fi

fi

#
# AUTH (113) - Allowing your outgoing AUTH requests as a client
#

if [ $AUTH_CLIENT -gt 0 ]; then

iptables -A OUTPUT -o $EXTERNAL_INTERFACE -p TCP \
--sport $UNPRIVPORTS --dport 113 -s $EXTERNAL_IP -d $ANYWHERE -j ACCEPT

iptables -A INPUT -i $EXTERNAL_INTERFACE -p TCP -m state --state ESTABLISHED,RELATED \
--sport 113 --dport $UNPRIVPORTS -s $ANYWHERE -d $EXTERNAL_IP -j ACCEPT

if [ $MASQUERADING -gt 0 ]; then
iptables -A FORWARD -p TCP -s $INTERNAL_NETWORK --sport $UNPRIVPORTS --dport 113 -j ACCEPT
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -p TCP -d $INTERNAL_NETWORK \
--sport 113 --dport $UNPRIVPORTS -j ACCEPT
fi

if [ $VERBOSE -gt 0 ]; then
echo "firewall: Auth client enabled"
fi

fi


# AUTH server (113)

if [ $AUTH_SERVER -gt 0 ]; then

# Accepting incoming AUTH requests

iptables -A INPUT -i $EXTERNAL_INTERFACE -p TCP \
--sport $UNPRIVPORTS --dport 113 -s $ANYWHERE -d $EXTERNAL_IP -j ACCEPT

iptables -A OUTPUT -o $EXTERNAL_INTERFACE -p TCP -m state --state ESTABLISHED,RELATED \
--sport 113 --dport $UNPRIVPORTS -s $EXTERNAL_IP -d $ANYWHERE -j ACCEPT

if [ $VERBOSE -gt 0 ]; then
echo "firewall: Auth server enabled"
fi

else

# Rejecting incoming AUTH requests

iptables -A INPUT -i $EXTERNAL_INTERFACE -p TCP \
--dport 113 -d $EXTERNAL_IP -j LnR

if [ $VERBOSE -gt 0 ]; then
echo "firewall: Auth server requests will be rejected"
fi

fi


#
# TCP Services on selected ports.
#

#
# Sending Mail through a remote SMTP server (25)
#

if [ $SMTP_REMOTE_SERVER -gt 0 ]; then

# SMTP client to an ISP account without a local server
for SMTP_SRVR in ${SMTP_SERVER}; do

iptables -A OUTPUT -o $EXTERNAL_INTERFACE -p TCP \
--sport $UNPRIVPORTS --dport 25 -s $EXTERNAL_IP -d $SMTP_SRVR -j ACCEPT

iptables -A INPUT -i $EXTERNAL_INTERFACE -p TCP -m state --state ESTABLISHED,RELATED \
--sport 25 --dport $UNPRIVPORTS -s $SMTP_SRVR -d $EXTERNAL_IP -j ACCEPT

if [ $MASQUERADING -gt 0 ]; then
iptables -A FORWARD -p TCP -s $INTERNAL_NETWORK -d $SMTP_SRVR --sport $UNPRIVPORTS --dport 25 -j ACCEPT
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -p TCP -s $SMTP_SRVR -d $INTERNAL_NETWORK \
--sport 25 --dport $UNPRIVPORTS -j ACCEPT
fi

if [ $VERBOSE -gt 0 ]; then
echo "firewall: Clients may access remote SMTP server: ${SMTP_SRVR}"
fi
done
fi

#
# Sending Mail through a local SMTP server (25)
#

if [ $SMTP_LOCAL_SERVER -gt 0 ]; then

iptables -A OUTPUT -o $EXTERNAL_INTERFACE -p TCP \
--sport $UNPRIVPORTS --dport 25 -s $EXTERNAL_IP -d $ANYWHERE -j ACCEPT

iptables -A INPUT -i $EXTERNAL_INTERFACE -p TCP -m state --state ESTABLISHED,RELATED \
--sport 25 --dport $UNPRIVPORTS -s $ANYWHERE -d $EXTERNAL_IP -j ACCEPT

# Receiving Mail as a Local SMTP server (25)

iptables -A INPUT -i $EXTERNAL_INTERFACE -p TCP \
--sport $UNPRIVPORTS --dport 25 -s $ANYWHERE -d $EXTERNAL_IP -j ACCEPT

iptables -A OUTPUT -o $EXTERNAL_INTERFACE -p TCP -m state --state ESTABLISHED,RELATED \
--sport 25 --dport $UNPRIVPORTS -s $EXTERNAL_IP -d $ANYWHERE -j ACCEPT

if [ $VERBOSE -gt 0 ]; then
echo "firewall: SMTP Local server enabled"
fi

fi



#
# POP3 (110) - Retrieving Mail as a POP3 client
#

if [ $POP3_CLIENT -gt 0 ]; then
for POP_SRVR in ${POP_SERVER}; do

iptables -A OUTPUT -o $EXTERNAL_INTERFACE -p TCP \
--sport $UNPRIVPORTS --dport 110 -s $EXTERNAL_IP -d $POP_SRVR -j ACCEPT

iptables -A INPUT -i $EXTERNAL_INTERFACE -p TCP -m state --state ESTABLISHED,RELATED \
--sport 110 --dport $UNPRIVPORTS -s $POP_SRVR -d $EXTERNAL_IP -j ACCEPT

if [ $MASQUERADING -gt 0 ]; then
iptables -A FORWARD -p TCP -s $INTERNAL_NETWORK -d $POP_SRVR --sport $UNPRIVPORTS --dport 110 -j ACCEPT
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -p TCP -s $POP_SRVR -d $INTERNAL_NETWORK \
--sport 110 --dport $UNPRIVPORTS -j ACCEPT
fi

if [ $VERBOSE -gt 0 ]; then
echo "firewall: Clients may access remote POP-3 server: ${POP_SRVR}"
fi
done

fi



#
# POP3 (110) - Hosting a POP3 server for remote clients
#

if [ $POP3_SERVER -gt 0 ]; then
for MY_POP3_CLIENT in ${MY_POP3_CLIENTS}; do

iptables -A INPUT -i $EXTERNAL_INTERFACE -p TCP \
--sport $UNPRIVPORTS --dport 110 -s $MY_POP3_CLIENT -d $EXTERNAL_IP -j ACCEPT

iptables -A OUTPUT -o $EXTERNAL_INTERFACE -p TCP -m state --state ESTABLISHED,RELATED \
--sport 110 --dport $UNPRIVPORTS -s $EXTERNAL_IP -d $MY_POP3_CLIENT -j ACCEPT

if [ $VERBOSE -gt 0 ]; then
echo "firewall: Remote site ${MY_POP3_CLIENT} may access local POP-3 server"
fi

done
fi



#
# POP3S (995) - Retrieving Mail as a POP3S client
#

if [ $POP3S_CLIENT -gt 0 ]; then
for POP3S_SRVR in ${POP3S_SERVERS}; do

iptables -A OUTPUT -o $EXTERNAL_INTERFACE -p TCP \
--sport $UNPRIVPORTS --dport 995 -s $EXTERNAL_IP -d $POP3S_SRVR -j ACCEPT

iptables -A INPUT -i $EXTERNAL_INTERFACE -p TCP -m state --state ESTABLISHED,RELATED \
--sport 995 --dport $UNPRIVPORTS -s $POP3S_SRVR -d $EXTERNAL_IP -j ACCEPT

if [ $MASQUERADING -gt 0 ]; then
iptables -A FORWARD -p TCP -s $INTERNAL_NETWORK -d $POP3S_SRVR --sport $UNPRIVPORTS --dport 995 -j ACCEPT
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -p TCP -s $POP3S_SRVR -d $INTERNAL_NETWORK \
--sport 995 --dport $UNPRIVPORTS -j ACCEPT
fi

if [ $VERBOSE -gt 0 ]; then
echo "firewall: Clients may access remote POP-3 secure server: ${POP3S_SRVR}"
fi
done

fi


#
# POP3S (995) - Hosting a secure POP3 server for remote clients
#

if [ $POP3S_SERVER -gt 0 ]; then
for MY_POP3S_CLIENT in ${MY_POP3S_CLIENTS}; do

iptables -A INPUT -i $EXTERNAL_INTERFACE -p TCP \
--sport $UNPRIVPORTS --dport 995 -s $MY_POP3S_CLIENT -d $EXTERNAL_IP -j ACCEPT

iptables -A OUTPUT -o $EXTERNAL_INTERFACE -p TCP -m state --state ESTABLISHED,RELATED \
--sport 995 --dport $UNPRIVPORTS -s $EXTERNAL_IP -d $MY_POP3S_CLIENT -j ACCEPT

if [ $VERBOSE -gt 0 ]; then
echo "firewall: Remote site ${MY_POP3S_CLIENT} may access local secure POP-3 server"
fi

done
fi



#
# IMAP (143) - Retrieving Mail as an IMAP client
#

if [ $IMAP_CLIENT -gt 0 ]; then
for IMAP_SRVR in ${MY_IMAP_SERVER}; do

iptables -A OUTPUT -o $EXTERNAL_INTERFACE -p TCP \
--sport $UNPRIVPORTS --dport 143 -s $EXTERNAL_IP -d $IMAP_SRVR -j ACCEPT

iptables -A INPUT -i $EXTERNAL_INTERFACE -p TCP -m state --state ESTABLISHED,RELATED \
--sport 143 --dport $UNPRIVPORTS -s $IMAP_SRVR -d $EXTERNAL_IP -j ACCEPT

if [ $MASQUERADING -gt 0 ]; then
iptables -A FORWARD -p TCP -s $INTERNAL_NETWORK -d $IMAP_SRVR --sport $UNPRIVPORTS --dport 143 -j ACCEPT
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -p TCP -s $IMAP_SRVR -d $INTERNAL_NETWORK \
--sport 143 --dport $UNPRIVPORTS -j ACCEPT
fi

if [ $VERBOSE -gt 0 ]; then
echo "firewall: Clients may access remote IMAP server: ${IMAP_SRVR}"
fi
done

fi

#
# IMAP (143) - Hosting an IMAP server for remote clients
#

if [ $IMAP_SERVER -gt 0 ]; then
for MY_IMAP_CLIENT in ${MY_IMAP_CLIENTS}; do

iptables -A INPUT -i $EXTERNAL_INTERFACE -p TCP \
--sport $UNPRIVPORTS --dport 143 -s $MY_IMAP_CLIENT -d $EXTERNAL_IP -j ACCEPT

iptables -A OUTPUT -o $EXTERNAL_INTERFACE -p TCP -m state --state ESTABLISHED,RELATED \
--sport 143 --dport $UNPRIVPORTS -s $EXTERNAL_IP -d $MY_IMAP_CLIENTS -j ACCEPT

if [ $VERBOSE -gt 0 ]; then
echo "firewall: Remote site ${MY_IMAP_CLIENT} may access local IMAP server"
fi

done
fi

#
# IMAPS (993) - Retrieving Mail as an Secure IMAP client
#

if [ $IMAPS_CLIENT -gt 0 ]; then
for IMAPS_SRVR in ${MY_IMAPS_SERVER}; do

iptables -A OUTPUT -o $EXTERNAL_INTERFACE -p TCP \
--sport $UNPRIVPORTS --dport 993 -s $EXTERNAL_IP -d $IMAPS_SRVR -j ACCEPT

iptables -A INPUT -i $EXTERNAL_INTERFACE -p TCP -m state --state ESTABLISHED,RELATED \
--sport 993 --dport $UNPRIVPORTS -s $IMAPS_SRVR -d $EXTERNAL_IP -j ACCEPT

if [ $MASQUERADING -gt 0 ]; then
iptables -A FORWARD -p TCP -s $INTERNAL_NETWORK -d $IMAP_SRVR --sport $UNPRIVPORTS --dport 993 -j ACCEPT
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -p TCP -s $IMAPS_SRVR -d $INTERNAL_NETWORK \
--sport 993 --dport $UNPRIVPORTS -j ACCEPT
fi

if [ $VERBOSE -gt 0 ]; then
echo "firewall: Clients may access remote Secure IMAP server: ${IMAPS_SRVR}"
fi
done

fi

#
# IMAPS (993) - Hosting a Secure IMAP server for remote clients
#

if [ $IMAPS_SERVER -gt 0 ]; then
for MY_IMAPS_CLIENT in ${MY_IMAPS_CLIENTS}; do

iptables -A INPUT -i $EXTERNAL_INTERFACE -p TCP \
--sport $UNPRIVPORTS --dport 993 -s $MY_IMAP_CLIENT -d $EXTERNAL_IP -j ACCEPT

iptables -A OUTPUT -o $EXTERNAL_INTERFACE -p TCP -m state --state ESTABLISHED,RELATED \
--sport 993 --dport $UNPRIVPORTS -s $EXTERNAL_IP -d $MY_IMAP_CLIENT -j ACCEPT

if [ $VERBOSE -gt 0 ]; then
echo "firewall: Remote site ${MY_IMAPS_CLIENT} may access local Secure IMAP server"
fi

done
fi

#
# NNTP (119) - Reading and posting news as a Usenet client
#

if [ $NNTP_CLIENT -gt 0 ]; then
for NEWS_SRVR in ${NEWS_SERVER}; do
iptables -A OUTPUT -o $EXTERNAL_INTERFACE -p TCP \
--sport $UNPRIVPORTS --dport 119 -s $EXTERNAL_IP -d $NEWS_SRVR -j ACCEPT

iptables -A INPUT -i $EXTERNAL_INTERFACE -p TCP -m state --state ESTABLISHED,RELATED \
--sport 119 --dport $UNPRIVPORTS -s $NEWS_SRVR -d $EXTERNAL_IP -j ACCEPT

if [ $MASQUERADING -gt 0 ]; then
iptables -A FORWARD -p TCP -s $INTERNAL_NETWORK -d $NEWS_SRVR --sport $UNPRIVPORTS --dport 119 -j ACCEPT
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -p TCP -s $NEWS_SRVR -d $INTERNAL_NETWORK \
--sport 119 --dport $UNPRIVPORTS -j ACCEPT
fi

if [ $VERBOSE -gt 0 ]; then
echo "firewall: Clients may access remote NNTP server: ${NEWS_SRVR}"
fi
done
fi

#
# NNTP (119) - Hosting a Usenet news server for remote clients
#

if [ $NNTP_SERVER -gt 0 ]; then
for NNTP_CLIENT in ${MY_NNTP_CLIENTS}; do
iptables -A INPUT -i $EXTERNAL_INTERFACE -p TCP \
--sport $UNPRIVPORTS --dport 119 -s $NNTP_CLIENT -d $EXTERNAL_IP -j ACCEPT

iptables -A OUTPUT -o $EXTERNAL_INTERFACE -p TCP -m state --state ESTABLISHED,RELATED \
--sport 119 --dport $UNPRIVPORTS -s $EXTERNAL_IP -d $NNTP_CLIENT -j ACCEPT

if [ $VERBOSE -gt 0 ]; then
echo "firewall: Remote client ${NNTP_CLIENT} may access local NNTP server"
fi
done
fi

#
# NNTP (119) - Allowing peer news feeds for a local Usenet server
#

if [ $NNTP_NEWS_FEED -gt 0 ]; then

iptables -A OUTPUT -o $EXTERNAL_INTERFACE -p TCP \
--sport $UNPRIVPORTS --dport 119 -s $EXTERNAL_IP -d $MY_NEWS_FEED -j ACCEPT

iptables -A INPUT -i $EXTERNAL_INTERFACE -p TCP -m state --state ESTABLISHED,RELATED \
--sport 119 --dport $UNPRIVPORTS -s $MY_NEWS_FEED -d $EXTERNAL_IP -j ACCEPT

if [ $VERBOSE -gt 0 ]; then
echo "firewall: External NNTP News feed access enabled"
fi

fi

#
# Secure NNTP (563) - Reading and posting news as a Usenet client over SSL
# Submitted by Renaud Colinet
#

if [ $NNTPS_CLIENT -gt 0 ]; then
for SNEWS_SRVR in ${SNEWS_SERVER}; do
iptables -A OUTPUT -o $EXTERNAL_INTERFACE -p TCP \
--sport $UNPRIVPORTS --dport 563 -s $EXTERNAL_IP -d $SNEWS_SRVR -j ACCEPT

iptables -A INPUT -i $EXTERNAL_INTERFACE -p TCP -m state --state ESTABLISHED,RELATED \
--sport 563 --dport $UNPRIVPORTS -s $SNEWS_SERVER -d $EXTERNAL_IP -j ACCEPT

if [ $MASQUERADING -gt 0 ]; then
iptables -A FORWARD -p TCP -s $INTERNAL_NETWORK -d $SNEWS_SRVR --sport $UNPRIVPORTS --dport 563 -j ACCEPT
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -p TCP -s $SNEWS_SRVR -d $INTERNAL_NETWORK \
--sport 563 --dport $UNPRIVPORTS -j ACCEPT
fi

if [ $VERBOSE -gt 0 ]; then
echo "firewall: Clients may access remote secure NNTP server: ${SNEWS_SRVR}"
fi
done
fi

#
# TELNET (23) - Allowing outgoing client access to remote sites
#

if [ $TELNET_CLIENT -gt 0 ]; then

iptables -A OUTPUT -o $EXTERNAL_INTERFACE -p TCP \
--sport $UNPRIVPORTS --dport 23 -s $EXTERNAL_IP -d $ANYWHERE -j ACCEPT

iptables -A INPUT -i $EXTERNAL_INTERFACE -p TCP -m state --state ESTABLISHED,RELATED \
--sport 23 --dport $UNPRIVPORTS -s $ANYWHERE -d $EXTERNAL_IP -j ACCEPT

if [ $MASQUERADING -gt 0 ]; then
iptables -A FORWARD -p TCP -s $INTERNAL_NETWORK --sport $UNPRIVPORTS --dport 23 -j ACCEPT
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -p TCP -d $INTERNAL_NETWORK \
--sport 23 --dport $UNPRIVPORTS -j ACCEPT
fi

if [ $VERBOSE -gt 0 ]; then
echo "firewall: Clients may access remote TELNET servers"
fi

fi

#
# TELNET (23) - Allowing incoming access to your local server
# Note: Not recommended! Suggest SSH instead!
#

if [ $TELNET_SERVER -gt 0 ]; then
for MY_TELNET_CLIENT in ${MY_TELNET_CLIENTS}; do

iptables -A INPUT -i $EXTERNAL_INTERFACE -p TCP \
--sport $UNPRIVPORTS --dport 23 -s $MY_TELNET_CLIENTS -d $EXTERNAL_IP -j ACCEPT

iptables -A OUTPUT -o $EXTERNAL_INTERFACE -p TCP -m state --state ESTABLISHED,RELATED \
--sport 23 --dport $UNPRIVPORTS -s $EXTERNAL_IP -d $MY_TELNET_CLIENTS -j ACCEPT

if [ $VERBOSE -gt 0 ]; then
echo "firewall: Remote site ${MY_TELNET_CLIENT} may access local TELNET server"
fi
done

fi

#
# SSH Client (22) - Allowing client access to remote SSH servers
#

if [ $SSH_CLIENT -gt 0 ]; then

iptables -A OUTPUT -o $EXTERNAL_INTERFACE -p TCP \
--sport $UNPRIVPORTS --dport 22 -s $EXTERNAL_IP -d $ANYWHERE -j ACCEPT

iptables -A INPUT -i $EXTERNAL_INTERFACE -p TCP -m state --state ESTABLISHED,RELATED \
--sport 22 --dport $UNPRIVPORTS -s $ANYWHERE -d $EXTERNAL_IP -j ACCEPT

iptables -A OUTPUT -o $EXTERNAL_INTERFACE -p TCP \
--sport $SSH_HI_PORTS --dport 22 -s $EXTERNAL_IP -d $ANYWHERE -j ACCEPT

iptables -A INPUT -i $EXTERNAL_INTERFACE -p TCP -m state --state ESTABLISHED,RELATED \
--sport 22 --dport $SSH_HI_PORTS -s $ANYWHERE -d $EXTERNAL_IP -j ACCEPT

if [ $MASQUERADING -gt 0 ]; then
iptables -A FORWARD -p TCP -s $INTERNAL_NETWORK --sport $UNPRIVPORTS --dport 22 -j ACCEPT
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -p TCP -d $INTERNAL_NETWORK \
--sport 22 --dport $UNPRIVPORTS -j ACCEPT
iptables -A FORWARD -p TCP -s $INTERNAL_NETWORK --sport $SSH_HI_PORTS --dport 22 -j ACCEPT
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -p TCP -d $INTERNAL_NETWORK \
--sport 22 --dport $SSH_HI_PORTS -j ACCEPT
fi

if [ $VERBOSE -gt 0 ]; then
echo "firewall: Clients may access remote SSH servers"
fi

fi

#
# SSH (see config) - Allowing remote client access to your local SSH server
#

if [ $SSH_SERVER -gt 0 ]; then
for MY_SSH_CLIENT in ${MY_SSH_CLIENTS}; do

iptables -A INPUT -i $EXTERNAL_INTERFACE -p TCP \
--sport $UNPRIVPORTS --dport $SSH_PORT -s $MY_SSH_CLIENT -d $EXTERNAL_IP -j ACCEPT

iptables -A OUTPUT -o $EXTERNAL_INTERFACE -p TCP -m state --state ESTABLISHED,RELATED \
--sport $SSH_PORT --dport $UNPRIVPORTS -s $EXTERNAL_IP -d $MY_SSH_CLIENT -j ACCEPT

iptables -A INPUT -i $EXTERNAL_INTERFACE -p TCP \
--sport $SSH_HI_PORTS --dport $SSH_PORT -s $MY_SSH_CLIENT -d $EXTERNAL_IP -j ACCEPT

iptables -A OUTPUT -o $EXTERNAL_INTERFACE -p TCP -m state --state ESTABLISHED,RELATED \
--sport $SSH_PORT --dport $SSH_HI_PORTS -s $EXTERNAL_IP -d $MY_SSH_CLIENT -j ACCEPT

if [ $VERBOSE -gt 0 ]; then
echo "firewall: Remote site ${MY_SSH_CLIENT} may access local SSH server"
fi
done

fi


#
# FTP (20, 21) - Allowing outgoing client access to remote FTP servers
#

if [ $FTP_CLIENT -gt 0 ]; then

# Outgoing request

iptables -A INPUT -i $EXTERNAL_INTERFACE -p TCP -m state --state ESTABLISHED,RELATED \
--sport 21 --dport $UNPRIVPORTS -s $ANYWHERE -d $EXTERNAL_IP -j ACCEPT

iptables -A OUTPUT -o $EXTERNAL_INTERFACE -p TCP -m state --state NEW,ESTABLISHED \
--sport $UNPRIVPORTS --dport 21 -s $EXTERNAL_IP -d $ANYWHERE -j ACCEPT

# Normal Port mode FTP data channels

iptables -A INPUT -i $EXTERNAL_INTERFACE -p TCP -m state --state NEW \
--sport 20 --dport $UNPRIVPORTS -s $ANYWHERE -d $EXTERNAL_IP -j ACCEPT

iptables -A OUTPUT -o $EXTERNAL_INTERFACE -p TCP -m state --state ESTABLISHED,RELATED \
--sport $UNPRIVPORTS --dport 20 -s $EXTERNAL_IP -d $ANYWHERE -j ACCEPT

# Passive mode FTP data channels

iptables -A INPUT -i $EXTERNAL_INTERFACE -p TCP -m state --state ESTABLISHED,RELATED \
--sport $UNPRIVPORTS --dport $UNPRIVPORTS -s $ANYWHERE -d $EXTERNAL_IP -j ACCEPT

iptables -A OUTPUT -o $EXTERNAL_INTERFACE -p TCP -m state --state NEW,ESTABLISHED \
--sport $UNPRIVPORTS --dport $UNPRIVPORTS -s $EXTERNAL_IP -d $ANYWHERE -j ACCEPT

if [ $MASQUERADING -gt 0 ]; then
iptables -A FORWARD -p TCP -s $INTERNAL_NETWORK --sport $UNPRIVPORTS --dport 20:21 -j ACCEPT
iptables -A FORWARD -p TCP -d $INTERNAL_NETWORK --sport 20:21 --dport $UNPRIVPORTS -j ACCEPT
iptables -A FORWARD -p TCP -s $INTERNAL_NETWORK --sport $UNPRIVPORTS --dport $UNPRIVPORTS -j ACCEPT
iptables -A FORWARD -p TCP -d $INTERNAL_NETWORK --sport $UNPRIVPORTS --dport $UNPRIVPORTS -j ACCEPT
fi

if [ $VERBOSE -gt 0 ]; then
echo "firewall: Clients may access remote FTP servers"
fi

fi

#
# FTP (20, 21) - Allowing incoming access to your local FTP server
#

if [ $FTP_SERVER -gt 0 ]; then
for MY_FTP_CLIENT in ${MY_FTP_CLIENTS}; do
# Incoming request

iptables -A INPUT -i $EXTERNAL_INTERFACE -p TCP -m state --state NEW,ESTABLISHED \
--sport $UNPRIVPORTS --dport 21 -s $MY_FTP_CLIENT -d $EXTERNAL_IP -j ACCEPT

iptables -A OUTPUT -o $EXTERNAL_INTERFACE -p TCP -m state --state ESTABLISHED,RELATED \
--sport 21 --dport $UNPRIVPORTS -s $EXTERNAL_IP -d $MY_FTP_CLIENT -j ACCEPT

# Normal Port mode FTP data channel responses

iptables -A OUTPUT -o $EXTERNAL_INTERFACE -p TCP \
--sport 20 --dport $UNPRIVPORTS -s $EXTERNAL_IP -d $MY_FTP_CLIENT -j ACCEPT

iptables -A INPUT -i $EXTERNAL_INTERFACE -p TCP -m state --state ESTABLISHED,RELATED \
--sport $UNPRIVPORTS --dport 20 -s $MY_FTP_CLIENT -d $EXTERNAL_IP -j ACCEPT

# Passive mode FTP data channel responses

iptables -A INPUT -i $EXTERNAL_INTERFACE -p TCP -m state --state NEW,ESTABLISHED \
--sport $UNPRIVPORTS --dport $UNPRIVPORTS -s $MY_FTP_CLIENT -d $EXTERNAL_IP -j ACCEPT

iptables -A OUTPUT -o $EXTERNAL_INTERFACE -p TCP -m state --state ESTABLISHED,RELATED \
--sport $UNPRIVPORTS --dport $UNPRIVPORTS -s $EXTERNAL_IP -d $MY_FTP_CLIENT -j ACCEPT

if [ $VERBOSE -gt 0 ]; then
echo "firewall: Remote site ${MY_FTP_CLIENT} may access local FTP server"
fi
done
fi


#
# HTTP (80) - Accessing remote web sites as a client
#

if [ $HTTP_CLIENT -gt 0 ]; then

iptables -A OUTPUT -o $EXTERNAL_INTERFACE -p TCP \
--sport $UNPRIVPORTS --dport 80 -s $EXTERNAL_IP -d $ANYWHERE -j ACCEPT

iptables -A INPUT -i $EXTERNAL_INTERFACE -p TCP -m state --state ESTABLISHED,RELATED \
--sport 80 --dport $UNPRIVPORTS -s $ANYWHERE -d $EXTERNAL_IP -j ACCEPT

if [ $MASQUERADING -gt 0 ]; then
iptables -A FORWARD -p TCP -s $INTERNAL_NETWORK --sport $UNPRIVPORTS --dport 80 -j ACCEPT
iptables -A FORWARD -p TCP -d $INTERNAL_NETWORK --sport 80 --dport $UNPRIVPORTS -j ACCEPT
fi

if [ $VERBOSE -gt 0 ]; then
echo "firewall: Clients may access remote HTTP servers"
fi

fi

#
# HTTP (80) - Allowing remote access to a local web server
#

if [ $HTTP_SERVER -gt 0 ]; then
for HTTP_CLIENT in ${MY_HTTP_CLIENTS}; do
iptables -A INPUT -i $EXTERNAL_INTERFACE -p TCP \
--sport $UNPRIVPORTS --dport 80 -s $HTTP_CLIENT -d $EXTERNAL_IP -j ACCEPT

iptables -A OUTPUT -o $EXTERNAL_INTERFACE -p TCP -m state --state ESTABLISHED,RELATED \
--sport 80 --dport $UNPRIVPORTS -s $EXTERNAL_IP -d $HTTP_CLIENT -j ACCEPT

iptables -A INPUT -i $EXTERNAL_INTERFACE -p TCP \
--sport $UNPRIVPORTS --dport 8080 -s $HTTP_CLIENT -d $EXTERNAL_IP -j ACCEPT

iptables -A OUTPUT -o $EXTERNAL_INTERFACE -p TCP -m state --state ESTABLISHED,RELATED \
--sport 8080 --dport $UNPRIVPORTS -s $EXTERNAL_IP -d $HTTP_CLIENT -j ACCEPT

if [ $VERBOSE -gt 0 ]; then
echo "firewall: Remote client ${HTTP_CLIENT} may access local HTTP server"
fi
done
fi


#
# HTTPS (443) - Accessing remote web sites over SSL as a client
#

if [ $HTTPS_CLIENT -gt 0 ]; then
iptables -A OUTPUT -o $EXTERNAL_INTERFACE -p TCP \
--sport $UNPRIVPORTS --dport 443 -s $EXTERNAL_IP -d $ANYWHERE -j ACCEPT

iptables -A INPUT -i $EXTERNAL_INTERFACE -p TCP -m state --state ESTABLISHED,RELATED \
--sport 443 --dport $UNPRIVPORTS -s $ANYWHERE -d $EXTERNAL_IP -j ACCEPT

if [ $MASQUERADING -gt 0 ]; then
iptables -A FORWARD -p TCP -s $INTERNAL_NETWORK --sport $UNPRIVPORTS --dport 443 -j ACCEPT
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -p TCP -d $INTERNAL_NETWORK \
--sport 443 --dport $UNPRIVPORTS -j ACCEPT
fi

if [ $VERBOSE -gt 0 ]; then
echo "firewall: Clients may access remote HTTPS servers"
fi

fi

#
# HTTPS (443) - Allowing remote access to a local SSL web server
#

if [ $HTTPS_SERVER -gt 0 ]; then
for HTTPS_CLIENT in ${MY_HTTPS_CLIENTS}; do
iptables -A INPUT -i $EXTERNAL_INTERFACE -p TCP \
--sport $UNPRIVPORTS --dport 443 -s $HTTPS_CLIENT -d $EXTERNAL_IP -j ACCEPT

iptables -A OUTPUT -o $EXTERNAL_INTERFACE -p TCP -m state --state ESTABLISHED,RELATED \
--sport 443 --dport $UNPRIVPORTS -s $EXTERNAL_IP -d $HTTPS_CLIENT -j ACCEPT

if [ $VERBOSE -gt 0 ]; then
echo "firewall: Remote client ${HTTPS_CLIENT} may access local HTTPS server"
fi
done
fi

#
# HTTP Proxy Client (8008/8080)
#

if [ $HTTP_PROXY -gt 0 ]; then

iptables -A OUTPUT -o $EXTERNAL_INTERFACE -p TCP \
--sport $UNPRIVPORTS --dport $WEB_PROXY_PORT -s $EXTERNAL_IP -d $WEB_PROXY_SERVER -j ACCEPT

iptables -A INPUT -i $EXTERNAL_INTERFACE -p TCP -m state --state ESTABLISHED,RELATED \
--sport $WEB_PROXY_PORT --dport $UNPRIVPORTS -s $WEB_PROXY_SERVER -d $EXTERNAL_IP -j ACCEPT

if [ $MASQUERADING -gt 0 ]; then
iptables -A FORWARD -p TCP -s $INTERNAL_NETWORK --sport $UNPRIVPORTS --dport $WEB_PROXY_PORT -j ACCEPT
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -p TCP -d $INTERNAL_NETWORK \
--sport $WEB_PROXY_PORT --dport $UNPRIVPORTS -j ACCEPT
fi

if [ $VERBOSE -gt 0 ]; then
echo "firewall: Clients may access remote sites via HTTP Proxy Server"
fi

fi


#
# FINGER (79) - Accessing remote finger servers as a client
#

if [ $FINGER_CLIENT -gt 0 ]; then
iptables -A OUTPUT -o $EXTERNAL_INTERFACE -p TCP \
--sport $UNPRIVPORTS --dport 79 -s $EXTERNAL_IP -d $ANYWHERE -j ACCEPT

iptables -A INPUT -i $EXTERNAL_INTERFACE -p TCP -m state --state ESTABLISHED,RELATED \
--sport 79 --dport $UNPRIVPORTS -s $ANYWHERE -d $EXTERNAL_IP -j ACCEPT

if [ $MASQUERADING -gt 0 ]; then
iptables -A FORWARD -p TCP -s $INTERNAL_NETWORK --sport $UNPRIVPORTS --dport 79 -j ACCEPT
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -p TCP -d $INTERNAL_NETWORK \
--sport 79 --dport $UNPRIVPORTS -j ACCEPT
fi

if [ $VERBOSE -gt 0 ]; then
echo "firewall: Clients may access remote FINGER servers"
fi

fi

#
# FINGER (79) - Allowing remote client access to a local finger server (dangerous!)
#

if [ $FINGER_SERVER -gt 0 ]; then
for FINGER_CLIENT in $MY_FINGER_CLIENTS}; do

iptables -A INPUT -i $EXTERNAL_INTERFACE -p TCP \
--sport $UNPRIVPORTS --dport 79 -s $FINGER_CLIENT -d $EXTERNAL_IP -j ACCEPT

iptables -A OUTPUT -o $EXTERNAL_INTERFACE -p TCP -m state --state ESTABLISHED,RELATED \
--sport 79 --dport $UNPRIVPORTS -s $EXTERNAL_IP -d $FINGER_CLIENT -j ACCEPT

if [ $VERBOSE -gt 0 ]; then
echo "firewall: Remote client ${FINGER_CLIENT} may access local FINGER server"
fi
done
fi

#
# WHOIS (43) - Accessing a remote WHOIS server as a client
#

if [ $WHOIS_CLIENT -gt 0 ]; then

iptables -A OUTPUT -o $EXTERNAL_INTERFACE -p TCP \
--sport $UNPRIVPORTS --dport 43 -s $EXTERNAL_IP -d $ANYWHERE -j ACCEPT

iptables -A INPUT -i $EXTERNAL_INTERFACE -p TCP -m state --state ESTABLISHED,RELATED \
--sport 43 --dport $UNPRIVPORTS -s $ANYWHERE -d $EXTERNAL_IP -j ACCEPT

if [ $MASQUERADING -gt 0 ]; then
iptables -A FORWARD -p TCP -s $INTERNAL_NETWORK --sport $UNPRIVPORTS --dport 43 -j ACCEPT
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -p TCP -d $INTERNAL_NETWORK \
--sport 43 --dport $UNPRIVPORTS -j ACCEPT
fi

if [ $VERBOSE -gt 0 ]; then
echo "firewall: Clients may access remote WHOIS servers"
fi

fi

#
# GOPHER (70) - Accessing a remote GOPHER server as a client
#

if [ $GOPHER_CLIENT -gt 0 ]; then

iptables -A OUTPUT -o $EXTERNAL_INTERFACE -p TCP \
--sport $UNPRIVPORTS --dport 70 -s $EXTERNAL_IP -d $ANYWHERE -j ACCEPT

iptables -A INPUT -i $EXTERNAL_INTERFACE -p TCP -m state --state ESTABLISHED,RELATED \
--sport 70 --dport $UNPRIVPORTS -s $ANYWHERE -d $EXTERNAL_IP -j ACCEPT

if [ $MASQUERADING -gt 0 ]; then
iptables -A FORWARD -p TCP -s $INTERNAL_NETWORK --sport $UNPRIVPORTS --dport 70 -j ACCEPT
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -p TCP -d $INTERNAL_NETWORK \
--sport 70 --dport $UNPRIVPORTS -j ACCEPT
fi

if [ $VERBOSE -gt 0 ]; then
echo "firewall: Clients may access remote GOPHER servers"
fi

fi

#
# WAIS (210) - Accessing a remote WAIS server as a client
#

if [ $WAIS_CLIENT -gt 0 ]; then

iptables -A OUTPUT -o $EXTERNAL_INTERFACE -p TCP \
--sport $UNPRIVPORTS --dport 210 -s $EXTERNAL_IP -d $ANYWHERE -j ACCEPT

iptables -A INPUT -i $EXTERNAL_INTERFACE -p TCP -m state --state ESTABLISHED,RELATED \
--sport 210 --dport $UNPRIVPORTS -s $ANYWHERE -d $EXTERNAL_IP -j ACCEPT

if [ $MASQUERADING -gt 0 ]; then
iptables -A FORWARD -p TCP -s $INTERNAL_NETWORK --sport $UNPRIVPORTS --dport 210 -j ACCEPT
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -p TCP -d $INTERNAL_NETWORK \
--sport 210 --dport $UNPRIVPORTS -j ACCEPT
fi

if [ $VERBOSE -gt 0 ]; then
echo "firewall: Clients may access remote WAIS servers"
fi

fi

#
# Real Video (554) - Real Video Client
#

if [ $RV_CLIENT -gt 0 ]; then
iptables -A OUTPUT -o $EXTERNAL_INTERFACE -p TCP \
--sport $UNPRIVPORTS --dport 554 -s $EXTERNAL_IP -d $ANYWHERE -j ACCEPT

iptables -A INPUT -i $EXTERNAL_INTERFACE -p TCP \
--sport 554 -s $ANYWHERE -d $EXTERNAL_IP -j ACCEPT

if [ $MASQUERADING -gt 0 ]; then
iptables -A FORWARD -p TCP -s $INTERNAL_NETWORK --sport $UNPRIVPORTS --dport 554 -j ACCEPT
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -p TCP -d $INTERNAL_NETWORK \
--sport 554 --dport $UNPRIVPORTS -j ACCEPT
fi

if [ $VERBOSE -gt 0 ]; then
echo "firewall: Real Video client enabled"
fi
fi

#
# PPTP (1723) - Accessing PPTP servers as a client
#

if [ $PPTP_CLIENT -gt 0 ]; then

iptables -A OUTPUT -o $EXTERNAL_INTERFACE -p TCP \
--sport $UNPRIVPORTS --dport 1723 \
-s $EXTERNAL_IP -d $ANYWHERE -j ACCEPT

iptables -A INPUT -i $EXTERNAL_INTERFACE -p TCP \
--sport 1723 --dport $UNPRIVPORTS \
-s $ANYWHERE -d $EXTERNAL_IP \
-m state --state ESTABLISHED,RELATED -j ACCEPT

iptables -A INPUT -i $EXTERNAL_INTERFACE -p 47 -j ACCEPT
iptables -A OUTPUT -o $EXTERNAL_INTERFACE -p 47 -j ACCEPT

if [ $MASQUERADING -gt 0 ]; then
iptables -A INPUT -i $INTERNAL_INTERFACE -p 47 -j ACCEPT
iptables -A OUTPUT -o $INTERNAL_INTERFACE -p 47 -j ACCEPT

iptables -A FORWARD -p TCP -s $INTERNAL_NETWORK \
--sport $UNPRIVPORTS --dport 1723 -j ACCEPT

iptables -A FORWARD -p TCP -d $INTERNAL_NETWORK \
-m state --state ESTABLISHED,RELATED \
--sport 1723 --dport $UNPRIVPORTS -j ACCEPT

iptables -A FORWARD -p 47 -s $INTERNAL_NETWORK -j ACCEPT
iptables -A FORWARD -p 47 -d $INTERNAL_NETWORK -j ACCEPT

fi

if [ $VERBOSE -gt 0 ]; then
echo "firewall: Clients may access remote PPTP servers"
fi

fi



#
# UDP - Accept only on selected ports
#

#
# TRACEROUTE
#
# Traceroute usually uses -s 32769:65535 -d 33434:33523
#

if [ $OUTBOUND_TRACEROUTE -gt 0 ]; then

# Enable outgoing TRACEROUTE requests

iptables -A OUTPUT -o $EXTERNAL_INTERFACE -p UDP \
--sport $TRACEROUTE_SRC_PORTS --dport $TRACEROUTE_DEST_PORTS \
-s $EXTERNAL_IP -d $ANYWHERE -j ACCEPT

if [ $MASQUERADING -gt 0 ]; then
iptables -A FORWARD -p UDP -s $INTERNAL_NETWORK --sport $TRACEROUTE_SRC_PORTS \
--dport $TRACEROUTE_DEST_PORTS -j ACCEPT
iptables -A FORWARD -p UDP -d $INTERNAL_NETWORK --sport $TRACEROUTE_DEST_PORTS \
--dport $TRACEROUTE_SRC_PORTS -j ACCEPT
fi

if [ $VERBOSE -gt 0 ]; then
echo "firewall: Outbound TRACEROUTE enabled"
fi

fi

if [ $INBOUND_TRACEROUTE -gt 0 ]; then

# Enable incoming TRACEROUTE query

iptables -A INPUT -i $EXTERNAL_INTERFACE -p UDP \
--sport $TRACEROUTE_SRC_PORTS --dport $TRACEROUTE_DEST_PORTS \
-s $ANYWHERE -d $EXTERNAL_IP -j ACCEPT

if [ $MASQUERADING -gt 0 ]; then
iptables -A FORWARD -p UDP -d $INTERNAL_NETWORK --sport $TRACEROUTE_SRC_PORTS \
--dport $TRACEROUTE_DEST_PORTS -j ACCEPT
fi

if [ $VERBOSE -gt 0 ]; then
echo "firewall: Inbound TRACEROUTE enabled"
fi

fi


#
# DHCP Server
#
# This assumes that you're running a DHCP server on your firewall to
# supply IP addresses to your internal network using dhcpd. See any
# of several DHCP HowTo sites for the actual server setup.
#

if [ $DHCP_SERVER -gt 0 ]; then

iptables -A INPUT -i $INTERNAL_INTERFACE -p udp -s $BROADCAST_SRC \
-d $BROADCAST_DEST --sport 67:68 --dport 67:68 -j ACCEPT
iptables -A OUTPUT -o $INTERNAL_INTERFACE -p udp -s $INTERNAL_IP \
--sport 67:68 --dport 67:68 -j ACCEPT
iptables -A FORWARD -p udp -s $INTERNAL_NETWORK --sport 67:68 --dport 67:68 -j ACCEPT
iptables -A FORWARD -p udp -d $INTERNAL_NETWORK --sport 67:68 --dport 67:68 -j ACCEPT

if [ $VERBOSE -gt 0 ]; then
echo "firewall: DHCP Server enabled"
fi

fi


#
# NTP (123) - Accessing remote Network Time Servers
#

if [ $NTP_CLIENT -gt 0 ]; then

iptables -A OUTPUT -o $EXTERNAL_INTERFACE -p UDP \
--sport $UNPRIVPORTS --dport 123 -s $EXTERNAL_IP -d $ANYWHERE -j ACCEPT

iptables -A INPUT -i $EXTERNAL_INTERFACE -p UDP \
--sport 123 --dport $UNPRIVPORTS -s $ANYWHERE -d $EXTERNAL_IP -j ACCEPT

iptables -A OUTPUT -o $EXTERNAL_INTERFACE -p UDP \
--sport 123 --dport 123 -s $EXTERNAL_IP -d $ANYWHERE -j ACCEPT

iptables -A INPUT -i $EXTERNAL_INTERFACE -p UDP \
--sport 123 --dport 123 -s $ANYWHERE -d $EXTERNAL_IP -j ACCEPT

if [ $MASQUERADING -gt 0 ]; then
iptables -A FORWARD -p UDP -s $INTERNAL_NETWORK --sport $UNPRIVPORTS --dport 123 -j ACCEPT
iptables -A FORWARD -p UDP -d $INTERNAL_NETWORK --sport 123 --dport $UNPRIVPORTS -j ACCEPT
iptables -A FORWARD -p UDP -s $INTERNAL_NETWORK --sport 123 --dport 123 -j ACCEPT
iptables -A FORWARD -p UDP -d $INTERNAL_NETWORK --sport 123 --dport 123 -j ACCEPT
fi

if [ $VERBOSE -gt 0 ]; then
echo "firewall: NTP Client enabled"
fi

fi


#
# ICQ (4000) - The Miribilis ICQ Client
#

if [ $ICQ_CLIENT -gt 0 ]; then

iptables -A OUTPUT -o $EXTERNAL_INTERFACE -p UDP \
--sport $UNPRIVPORTS --dport 4000 -s $EXTERNAL_IP -d $ANYWHERE -j ACCEPT

iptables -A INPUT -i $EXTERNAL_INTERFACE -p UDP \
--sport 4000 --dport $UNPRIVPORTS -s $ANYWHERE -d $EXTERNAL_IP -j ACCEPT

if [ $MASQUERADING -gt 0 ]; then
iptables -A FORWARD -p UDP -s $INTERNAL_NETWORK --sport $UNPRIVPORTS --dport 4000 -j ACCEPT
iptables -A FORWARD -p UDP -d $INTERNAL_NETWORK --sport 4000 --dport $UNPRIVPORTS -j ACCEPT
fi

if [ $VERBOSE -gt 0 ]; then
echo "firewall: ICQ Client enabled"
fi

fi

#
# GAMES
# Half-Life/CounterStrike
#

if [ $HALF_LIFE -gt 0 ]; then

iptables -A OUTPUT -o $EXTERNAL_INTERFACE -p UDP \
--sport 27000:27050 --dport $UNPRIVPORTS -s $EXTERNAL_IP -d $ANYWHERE -j ACCEPT

iptables -A INPUT -i $EXTERNAL_INTERFACE -p UDP \
-m state --state RELATED,ESTABLISHED,NEW --dport 27000:27050 -s $ANYWHERE \
-d $EXTERNAL_IP -j ACCEPT

if [ $MASQUERADING -gt 0 ]; then
iptables -A FORWARD -p UDP -s $INTERNAL_NETWORK --sport 27000:27050 --dport $UNPRIVPORTS -j ACCEPT
iptables -A FORWARD -p UDP -d $INTERNAL_NETWORK -m state --state RELATED,ESTABLISHED,NEW --dport 27000:27050 -j ACCEPT
fi

if [ $VERBOSE -gt 0 ]; then
echo "firewall: Half-Life/CounterStrike game ports enabled"
fi

fi

#
# Return to Castle Wolfenstein
#

if [ $WOLF_CLIENT -gt 0 ]; then

iptables -A OUTPUT -o $EXTERNAL_INTERFACE -p UDP \
--sport $UNPRIVPORTS --dport 27950:27965 -s $EXTERNAL_IP -d $ANYWHERE -j ACCEPT
iptables -A INPUT -i $EXTERNAL_INTERFACE -p UDP \
--sport 27950:27965 --dport $UNPRIVPORTS -s $ANYWHERE -d $EXTERNAL_IP -j ACCEPT

if [ $MASQUERADING -gt 0 ]; then
iptables -A FORWARD -p UDP -s $INTERNAL_NETWORK --sport $UNPRIVPORTS --dport 27950:27965 -j ACCEPT
iptables -A FORWARD -p UDP -d $INTERNAL_NETWORK --sport 27950:27965 --dport $UNPRIVPORTS -j ACCEPT
fi

if [ $VERBOSE -gt 0 ]; then
echo "firewall: Castle Wolfenstein game ports enabled"
fi
fi


# -------------------------------------------------------------

#
# Spoofing and Bad Addresses
#

# Refuse spoofed packets.
# Ignore blatantly illegal source addresses.
# Protect yourself from sending to bad addresses.

# Refuse spoofed packets pretending to be from
# the external interface's IP address.

iptables -A INPUT -i $EXTERNAL_INTERFACE -s $EXTERNAL_IP -j LnD

# Get first two octets of external IP address

OCT1=$( ifconfig $EXTERNAL_INTERFACE | sed -n '2s/^.*inet addr:\([0-9][0-9]*\).*/\1/p' )
OCT2=$( ifconfig $EXTERNAL_INTERFACE | sed -n '2s/^.*inet addr:\([0-9][0-9]*\.[0-9][0-9]*\).*/\1/p' )

if [ ! $OCT1 = "10" ]; then

# Refuse packets claiming to be to or from a Class-A private network.

iptables -A INPUT -i $EXTERNAL_INTERFACE -s $CLASS_A -j LnD
iptables -A INPUT -i $EXTERNAL_INTERFACE -d $CLASS_A -j LnD
iptables -A OUTPUT -o $EXTERNAL_INTERFACE -s $CLASS_A -j LnD
iptables -A OUTPUT -o $EXTERNAL_INTERFACE -d $CLASS_A -j LnD

fi

if [ ! $OCT2 = "172.16" ]; then

# Refuse packets claiming to be to or from a Class-B private network.

iptables -A INPUT -i $EXTERNAL_INTERFACE -s $CLASS_B -j LnD
iptables -A INPUT -i $EXTERNAL_INTERFACE -d $CLASS_B -j LnD
iptables -A OUTPUT -o $EXTERNAL_INTERFACE -s $CLASS_B -j LnD
iptables -A OUTPUT -o $EXTERNAL_INTERFACE -d $CLASS_B -j LnD

fi

if [ ! $OCT2 = "192.168" ]; then

# Refuse packets claiming to be to or from a Class-C private network.

iptables -A INPUT -i $EXTERNAL_INTERFACE -s $CLASS_C -j LnD
iptables -A INPUT -i $EXTERNAL_INTERFACE -d $CLASS_C -j LnD
iptables -A OUTPUT -o $EXTERNAL_INTERFACE -s $CLASS_C -j LnD
iptables -A OUTPUT -o $EXTERNAL_INTERFACE -d $CLASS_C -j LnD

fi

# Refuse packets claiming to be from the loopback.

iptables -A INPUT -i $EXTERNAL_INTERFACE -s $LOOPBACK_NETWORK -j LnD
iptables -A OUTPUT -o $EXTERNAL_INTERFACE -s $LOOPBACK_NETWORK -j LnD

# Refuse malformed broadcast packets.

iptables -A INPUT -i $EXTERNAL_INTERFACE -s $BROADCAST_DEST -j LnD
iptables -A INPUT -i $EXTERNAL_INTERFACE -d $BROADCAST_SRC -j LnD
iptables -A OUTPUT -o $EXTERNAL_INTERFACE -s $BROADCAST_DEST -j LnD
iptables -A OUTPUT -o $EXTERNAL_INTERFACE -d $BROADCAST_SRC -j LnD

# Refuse Class-D Multicast addresses.
# Multicast is only illegal as a source address.
# Multicast uses UDP.

iptables -A INPUT -i $EXTERNAL_INTERFACE -s $CLASS_D_MULTICAST -j LnD
iptables -A OUTPUT -o $EXTERNAL_INTERFACE -s $CLASS_D_MULTICAST -j LnR

# Refuse Class-E reserved IP addresses.

iptables -A INPUT -i $EXTERNAL_INTERFACE -s $CLASS_E_RESERVED_NET -j LnD
iptables -A OUTPUT -o $EXTERNAL_INTERFACE -d $CLASS_E_RESERVED_NET -j LnR


# -------------------------------------------------------------

#
# DROP (on input), REJECT (output) and LOG anything else on the external (red) interface
#

iptables -A INPUT -i $EXTERNAL_INTERFACE -p TCP \
-s $ANYWHERE -j LnD

iptables -A OUTPUT -o $EXTERNAL_INTERFACE -p TCP \
-s $ANYWHERE -j LnR

iptables -A INPUT -i $EXTERNAL_INTERFACE -p UDP \
-s $ANYWHERE -j LnD

iptables -A OUTPUT -o $EXTERNAL_INTERFACE -p UDP \
-s $ANYWHERE -j LnR

iptables -A INPUT -i $EXTERNAL_INTERFACE -p ICMP \
-s $ANYWHERE -j LnD

iptables -A OUTPUT -o $EXTERNAL_INTERFACE -p ICMP \
-s $ANYWHERE -j LnR


#
# Masquerade internal traffic
#

if [ $MASQUERADING -gt 0 ]; then


# All internal traffic is masqueraded externally

iptables -t nat -A POSTROUTING -s $INTERNAL_NETWORK -o $EXTERNAL_INTERFACE -j SNAT \
--to $EXTERNAL_IP

# Note: some may find this works better on machines with non-static
# external IP addresses:
# iptables -t nat -A POSTROUTING -o ethX -j MASQUERADE


# Enable IP Forwarding

echo 1 >/proc/sys/net/ipv4/ip_forward

#
# Unlimited traffic within the local network
#

# All internal machines have access to the firewall machine

iptables -A INPUT -i $INTERNAL_INTERFACE -s $INTERNAL_NETWORK -j ACCEPT

iptables -A OUTPUT -o $INTERNAL_INTERFACE -d $INTERNAL_NETWORK -j ACCEPT

if [ $VERBOSE -gt 0 ]; then
echo "firewall: Masquerading internal network"
fi
fi


# -------------------------------------------------------------

# Zero counts
iptables -Z

# -------------------------------------------------------------

echo "done"
touch /var/lock/subsys/firewall
echo
;;

status)
if [ -f /var/lock/subsys/firewall ]; then
echo "Firewall started and configured"
else
echo "Firewall stopped"
fi
exit 0
;;

restart|reload)
$0 stop
$0 start
;;

stop)
echo "Shutting down Firewall services"

# Turn off IP Forwarding
echo 0 >/proc/sys/net/ipv4/ip_forward

# Turn off dynamic IP hacking
echo 0 > /proc/sys/net/ipv4/ip_dynaddr

# Flush the rule chains
iptables -F

# Delete custom chains
iptables -X

# Zero counts
iptables -Z

# Set the default policy to DROP
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP

# Allow unlimited traffic on the loopback interface
iptables -A INPUT -i $LOOPBACK_INTERFACE -j ACCEPT
iptables -A OUTPUT -o $LOOPBACK_INTERFACE -j ACCEPT

# Open the configuration file
if [ -f /etc/firewall/firewall.conf.iptables ]; then
. /etc/firewall/firewall.conf.iptables

if [ $MASQUERADING -gt 0 ]; then
# Allow unlimited local traffic on the internal interface
iptables -A INPUT -i $INTERNAL_INTERFACE -j ACCEPT
iptables -A OUTPUT -o $INTERNAL_INTERFACE -j ACCEPT
fi
else
echo "firewall: No configuration file found at /etc/firewall/firewall.conf.iptables"
exit 1
fi

rm -f /var/lock/subsys/firewall
echo
;;
*)
echo "Usage: /etc/rc.d/init.d/firewall.iptables {start|stop|status|restart|reload}"
exit 1
esac

exit 0

Please do not use the comment function to ask for help! If you need help, please use our forum.
Comments will be published after administrator approval.
Submitted by brody (registered user) on Thu, 2006-03-30 21:14.

Thank you!! I really appreciate you're insightfull(well engcouraging) comments... but i got all my insipiration from the net... and these comments are very encouraging for a 16 year old!!

T.V. - Why do you think they call it programming? Think about THAT...:P

Submitted by Anonymous (not registered) on Tue, 2006-03-28 12:26.

I'am just getting really into building my own firewall script and my first firewall box.

This article really helped me with the steps involed in making my own custom firewall script.

Thanks

Arch