1#!/bin/sh
2#
3# Generated iptables firewall script for the Linux 2.4 kernel
4# Script generated by Easy Firewall Generator for IPTables 1.15
5# copyright 2002 Timothy Scott Morizot
6#
7# Redhat chkconfig comments - firewall applied early,
8# removed late
9# chkconfig: 2345 08 92
10# description: This script applies or removes iptables firewall rules
11#
12# This generator is primarily designed for RedHat installations,
13# although it should be adaptable for others.
14#
15# It can be executed with the typical start and stop arguments.
16# If used with stop, it will stop after flushing the firewall.
17# The save and restore arguments will save or restore the rules
18# from the /etc/sysconfig/iptables file. The save and restore
19# arguments are included to preserve compatibility with
20# Redhat's or Fedora's init.d script if you prefer to use it.
21
22# Redhat/Fedora installation instructions
23#
24# 1. Have the system link the iptables init.d startup script into run states
25# 2, 3, and 5.
26# chkconfig --level 235 iptables on
27#
28# 2. Save this script and execute it to load the ruleset from this file.
# You may need to run the dos2unix command on it to remove carriage returns.
30#
31# 3. To have it applied at startup, copy this script to
32# /etc/init.d/iptables. It accepts stop, start, save, and restore
33# arguments. (You may wish to save the existing one first.)
34# Alternatively, if you issue the 'service iptables save' command
35# the init.d script should save the rules and reload them at runtime.
36#
37# 4. For non-Redhat systems (or Redhat systems if you have a problem), you
38# may want to append the command to execute this script to rc.local.
39# rc.local is typically located in /etc and /etc/rc.d and is usually
40# the last thing executed on startup. Simply add /path/to/script/script_name
41# on its own line in the rc.local file.
42
###############################################################################
#
# Local Settings
#
# Everything site-specific lives here; the rule sections below only
# reference these names.

# sysctl command used for the kernel parameter changes.  Leave it empty
# (SYSCTL="") to write the values straight into /proc/sys instead of
# calling sysctl.  The value is deliberately left unquoted where it is
# used, so that "-w" stays a separate argument.
SYSCTL="/sbin/sysctl -w"
# SYSCTL=""

# netfilter userspace tools -- adjust the paths for your distribution
IPT="/sbin/iptables"
IPTS="/sbin/iptables-save"
IPTR="/sbin/iptables-restore"

# Interface facing the Internet and its static public address.
# INET_ADDRESS is only used for SNAT in the nat section; 80.80.80.80 is
# presumably a placeholder -- replace it with the real address.
INET_IFACE="eth0"
INET_ADDRESS="80.80.80.80"

# Interface facing the trusted private network, its address, the
# network it serves and that network's broadcast address
LOCAL_IFACE="eth1"
LOCAL_IP="192.168.1.1"
LOCAL_NET="192.168.1.0/24"
LOCAL_BCAST="192.168.1.255"

# Loopback
LO_IFACE="lo"
LO_IP="127.0.0.1"

78# Save and Restore arguments handled here
79if [ "$1" = "save" ]
80then
81 echo -n "Saving firewall to /etc/sysconfig/iptables ... "
82 $IPTS > /etc/sysconfig/iptables
83 echo "done"
84 exit 0
85elif [ "$1" = "restore" ]
86then
87 echo -n "Restoring firewall from /etc/sysconfig/iptables ... "
88 $IPTR < /etc/sysconfig/iptables
89 echo "done"
90 exit 0
91fi
92
93###############################################################################
94#
95# Load Modules
96#
97
98echo "Loading kernel modules ..."
99
100# You should uncomment the line below and run it the first time just to
101# ensure all kernel module dependencies are OK. There is no need to run
102# every time, however.
103
104# /sbin/depmod -a
105
106# Unless you have kernel module auto-loading disabled, you should not
107# need to manually load each of these modules. Other than ip_tables,
108# ip_conntrack, and some of the optional modules, I've left these
109# commented by default. Uncomment if you have any problems or if
110# you have disabled module autoload. Note that some modules must
111# be loaded by another kernel module.
112
113# core netfilter module
114/sbin/modprobe ip_tables
115
116# the stateful connection tracking module
117/sbin/modprobe ip_conntrack
118
119# filter table module
120# /sbin/modprobe iptable_filter
121
122# mangle table module
123# /sbin/modprobe iptable_mangle
124
125# nat table module
126# /sbin/modprobe iptable_nat
127
128# LOG target module
129# /sbin/modprobe ipt_LOG
130
131# This is used to limit the number of packets per sec/min/hr
132# /sbin/modprobe ipt_limit
133
134# masquerade target module
135# /sbin/modprobe ipt_MASQUERADE
136
137# filter using owner as part of the match
138# /sbin/modprobe ipt_owner
139
140# REJECT target drops the packet and returns an ICMP response.
141# The response is configurable. By default, connection refused.
142# /sbin/modprobe ipt_REJECT
143
144# This target allows packets to be marked in the mangle table
145# /sbin/modprobe ipt_mark
146
147# This target affects the TCP MSS
148# /sbin/modprobe ipt_tcpmss
149
150# This match allows multiple ports instead of a single port or range
151# /sbin/modprobe multiport
152
153# This match checks against the TCP flags
154# /sbin/modprobe ipt_state
155
156# This match catches packets with invalid flags
157# /sbin/modprobe ipt_unclean
158
159# The ftp nat module is required for non-PASV ftp support
160#/sbin/modprobe ip_nat_ftp
161
162# the module for full ftp connection tracking
163#/sbin/modprobe ip_conntrack_ftp
164
165# the module for full irc connection tracking
166/sbin/modprobe ip_conntrack_irc
167
168
169###############################################################################
170#
171# Kernel Parameter Configuration
172#
173# See http://ipsysctl-tutorial.frozentux.net/chunkyhtml/index.html
174# for a detailed tutorial on sysctl and the various settings
175# available.
176
177# Required to enable IPv4 forwarding.
178# Redhat users can try setting FORWARD_IPV4 in /etc/sysconfig/network to true
179# Alternatively, it can be set in /etc/sysctl.conf
180if [ "$SYSCTL" = "" ]
181then
182 echo "1" > /proc/sys/net/ipv4/ip_forward
183else
184 $SYSCTL net.ipv4.ip_forward="1"
185fi
186
187# This enables dynamic address hacking.
188# This may help if you have a dynamic IP address \(e.g. slip, ppp, dhcp\).
189#if [ "$SYSCTL" = "" ]
190#then
191# echo "1" > /proc/sys/net/ipv4/ip_dynaddr
192#else
193# $SYSCTL net.ipv4.ip_dynaddr="1"
194#fi
195
196# This enables SYN flood protection.
197# The SYN cookies activation allows your system to accept an unlimited
198# number of TCP connections while still trying to give reasonable
199# service during a denial of service attack.
200if [ "$SYSCTL" = "" ]
201then
202 echo "1" > /proc/sys/net/ipv4/tcp_syncookies
203else
204 $SYSCTL net.ipv4.tcp_syncookies="1"
205fi
206
207# This enables source validation by reversed path according to RFC1812.
208# In other words, did the response packet originate from the same interface
209# through which the source packet was sent? It's recommended for single-homed
210# systems and routers on stub networks. Since those are the configurations
211# this firewall is designed to support, I turn it on by default.
212# Turn it off if you use multiple NICs connected to the same network.
213if [ "$SYSCTL" = "" ]
214then
215 echo "1" > /proc/sys/net/ipv4/conf/all/rp_filter
216else
217 $SYSCTL net.ipv4.conf.all.rp_filter="1"
218fi
219
220# This option allows a subnet to be firewalled with a single IP address.
221# It's used to build a DMZ. Since that's not a focus of this firewall
222# script, it's not enabled by default, but is included for reference.
223# See: http://www.sjdjweis.com/linux/proxyarp/
224#if [ "$SYSCTL" = "" ]
225#then
226# echo "1" > /proc/sys/net/ipv4/conf/all/proxy_arp
227#else
228# $SYSCTL net.ipv4.conf.all.proxy_arp="1"
229#fi
230
231# The following kernel settings were suggested by Alex Weeks. Thanks!
232
233# This kernel parameter instructs the kernel to ignore all ICMP
234# echo requests sent to the broadcast address. This prevents
235# a number of smurfs and similar DoS nasty attacks.
236if [ "$SYSCTL" = "" ]
237then
238 echo "1" > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
239else
240 $SYSCTL net.ipv4.icmp_echo_ignore_broadcasts="1"
241fi
242
243# This option can be used to accept or refuse source routed
244# packets. It is usually on by default, but is generally
245# considered a security risk. This option turns it off.
246if [ "$SYSCTL" = "" ]
247then
248 echo "0" > /proc/sys/net/ipv4/conf/all/accept_source_route
249else
250 $SYSCTL net.ipv4.conf.all.accept_source_route="0"
251fi
252
253# This option can disable ICMP redirects. ICMP redirects
254# are generally considered a security risk and shouldn't be
255# needed by most systems using this generator.
256#if [ "$SYSCTL" = "" ]
257#then
258# echo "0" > /proc/sys/net/ipv4/conf/all/accept_redirects
259#else
260# $SYSCTL net.ipv4.conf.all.accept_redirects="0"
261#fi
262
263# However, we'll ensure the secure_redirects option is on instead.
264# This option accepts only from gateways in the default gateways list.
265if [ "$SYSCTL" = "" ]
266then
267 echo "1" > /proc/sys/net/ipv4/conf/all/secure_redirects
268else
269 $SYSCTL net.ipv4.conf.all.secure_redirects="1"
270fi
271
272# This option logs packets from impossible addresses.
273if [ "$SYSCTL" = "" ]
274then
275 echo "1" > /proc/sys/net/ipv4/conf/all/log_martians
276else
277 $SYSCTL net.ipv4.conf.all.log_martians="1"
278fi
279
280
281###############################################################################
282#
283# Flush Any Existing Rules or Chains
284#
285
286echo "Flushing Tables ..."
287
288# Reset Default Policies
289$IPT -P INPUT ACCEPT
290$IPT -P FORWARD ACCEPT
291$IPT -P OUTPUT ACCEPT
292$IPT -t nat -P PREROUTING ACCEPT
293$IPT -t nat -P POSTROUTING ACCEPT
294$IPT -t nat -P OUTPUT ACCEPT
295$IPT -t mangle -P PREROUTING ACCEPT
296$IPT -t mangle -P OUTPUT ACCEPT
297
298# Flush all rules
299$IPT -F
300$IPT -t nat -F
301$IPT -t mangle -F
302
303# Erase all non-default chains
304$IPT -X
305$IPT -t nat -X
306$IPT -t mangle -X
307
308if [ "$1" = "stop" ]
309then
310 echo "Firewall completely flushed! Now running with no firewall."
311 exit 0
312fi
313
314###############################################################################
315#
316# Rules Configuration
317#
318
319###############################################################################
320#
321# Filter Table
322#
323###############################################################################
324
325# Set Policies
326
327$IPT -P INPUT DROP
328$IPT -P OUTPUT DROP
329$IPT -P FORWARD DROP
330
331###############################################################################
332#
333# User-Specified Chains
334#
335# Create user chains to reduce the number of rules each packet
336# must traverse.
337
338echo "Create and populate custom rule chains ..."
339
340# Create a chain to filter INVALID packets
341
342$IPT -N bad_packets
343
344# Create another chain to filter bad tcp packets
345
346$IPT -N bad_tcp_packets
347
348# Create separate chains for icmp, tcp (incoming and outgoing),
349# and incoming udp packets.
350
351$IPT -N icmp_packets
352
353# Used for UDP packets inbound from the Internet
354$IPT -N udp_inbound
355
356# Used to block outbound UDP services from internal network
357# Default to allow all
358$IPT -N udp_outbound
359
360# Used to allow inbound services if desired
361# Default fail except for established sessions
362$IPT -N tcp_inbound
363
364# Used to block outbound services from internal network
365# Default to allow all
366$IPT -N tcp_outbound
367
368###############################################################################
369#
370# Populate User Chains
371#
372
373# bad_packets chain
374#
375
376# Drop packets received on the external interface
377# claiming a source of the local network
378$IPT -A bad_packets -p ALL -i $INET_IFACE -s $LOCAL_NET -j LOG \
379 --log-prefix "Illegal source: "
380
381$IPT -A bad_packets -p ALL -i $INET_IFACE -s $LOCAL_NET -j DROP
382
383# Drop INVALID packets immediately
384$IPT -A bad_packets -p ALL -m state --state INVALID -j LOG \
385 --log-prefix "Invalid packet: "
386
387$IPT -A bad_packets -p ALL -m state --state INVALID -j DROP
388
389# Then check the tcp packets for additional problems
390$IPT -A bad_packets -p tcp -j bad_tcp_packets
391
392# All good, so return
393$IPT -A bad_packets -p ALL -j RETURN
394
395# bad_tcp_packets chain
396#
397# All tcp packets will traverse this chain.
398# Every new connection attempt should begin with
399# a syn packet. If it doesn't, it is likely a
400# port scan. This drops packets in state
401# NEW that are not flagged as syn packets.
402
403# Return to the calling chain if the bad packets originate
404# from the local interface. This maintains the approach
405# throughout this firewall of a largely trusted internal
406# network.
407$IPT -A bad_tcp_packets -p tcp -i $LOCAL_IFACE -j RETURN
408
409# However, I originally did apply this filter to the forward chain
410# for packets originating from the internal network. While I have
411# not conclusively determined its effect, it appears to have the
412# interesting side effect of blocking some of the ad systems.
413# Apparently some ad systems have the browser initiate a NEW
414# connection that is not flagged as a syn packet to retrieve
415# the ad image. If you wish to experiment further comment the
416# rule above. If you try it, you may also wish to uncomment the
417# rule below. It will keep those packets from being logged.
418# There are a lot of them.
419# $IPT -A bad_tcp_packets -p tcp -i $LOCAL_IFACE ! --syn -m state \
420# --state NEW -j DROP
421
422$IPT -A bad_tcp_packets -p tcp ! --syn -m state --state NEW -j LOG \
423 --log-prefix "New not syn: "
424$IPT -A bad_tcp_packets -p tcp ! --syn -m state --state NEW -j DROP
425
426$IPT -A bad_tcp_packets -p tcp --tcp-flags ALL NONE -j LOG \
427 --log-prefix "Stealth scan: "
428$IPT -A bad_tcp_packets -p tcp --tcp-flags ALL NONE -j DROP
429
430$IPT -A bad_tcp_packets -p tcp --tcp-flags ALL ALL -j LOG \
431 --log-prefix "Stealth scan: "
432$IPT -A bad_tcp_packets -p tcp --tcp-flags ALL ALL -j DROP
433
434$IPT -A bad_tcp_packets -p tcp --tcp-flags ALL FIN,URG,PSH -j LOG \
435 --log-prefix "Stealth scan: "
436$IPT -A bad_tcp_packets -p tcp --tcp-flags ALL FIN,URG,PSH -j DROP
437
438$IPT -A bad_tcp_packets -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j LOG \
439 --log-prefix "Stealth scan: "
440$IPT -A bad_tcp_packets -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j DROP
441
442$IPT -A bad_tcp_packets -p tcp --tcp-flags SYN,RST SYN,RST -j LOG \
443 --log-prefix "Stealth scan: "
444$IPT -A bad_tcp_packets -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
445
446$IPT -A bad_tcp_packets -p tcp --tcp-flags SYN,FIN SYN,FIN -j LOG \
447 --log-prefix "Stealth scan: "
448$IPT -A bad_tcp_packets -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
449
450# All good, so return
451$IPT -A bad_tcp_packets -p tcp -j RETURN
452
453# icmp_packets chain
454#
455# This chain is for inbound (from the Internet) icmp packets only.
456# Type 8 (Echo Request) is not accepted by default
457# Enable it if you want remote hosts to be able to reach you.
458# 11 (Time Exceeded) is the only one accepted
459# that would not already be covered by the established
460# connection rule. Applied to INPUT on the external interface.
461#
462# See: http://www.ee.siue.edu/~rwalden/networking/icmp.html
463# for more info on ICMP types.
464#
465# Note that the stateful settings allow replies to ICMP packets.
466# These rules allow new packets of the specified types.
467
468# ICMP packets should fit in a Layer 2 frame, thus they should
469# never be fragmented. Fragmented ICMP packets are a typical sign
470# of a denial of service attack.
471$IPT -A icmp_packets --fragment -p ICMP -j LOG \
472 --log-prefix "ICMP Fragment: "
473$IPT -A icmp_packets --fragment -p ICMP -j DROP
474
475# Echo - uncomment to allow your system to be pinged.
476# Uncomment the LOG command if you also want to log PING attempts
477#
478# $IPT -A icmp_packets -p ICMP -s 0/0 --icmp-type 8 -j LOG \
479# --log-prefix "Ping detected: "
480# $IPT -A icmp_packets -p ICMP -s 0/0 --icmp-type 8 -j ACCEPT
481
482# By default, however, drop pings without logging. Blaster
483# and other worms have infected systems blasting pings.
484# Comment the line below if you want pings logged, but it
485# will likely fill your logs.
486$IPT -A icmp_packets -p ICMP -s 0/0 --icmp-type 8 -j DROP
487
488# Time Exceeded
489$IPT -A icmp_packets -p ICMP -s 0/0 --icmp-type 11 -j ACCEPT
490
491# Not matched, so return so it will be logged
492$IPT -A icmp_packets -p ICMP -j RETURN
493
494# TCP & UDP
495# Identify ports at:
496# http://www.chebucto.ns.ca/~rakerman/port-table.html
497# http://www.iana.org/assignments/port-numbers
498
499# udp_inbound chain
500#
501# This chain describes the inbound UDP packets it will accept.
502# It's applied to INPUT on the external or Internet interface.
503# Note that the stateful settings allow replies.
504# These rules are for new requests.
505# It drops netbios packets (windows) immediately without logging.
506
507# Drop netbios calls
508# Please note that these rules do not really change the way the firewall
509# treats netbios connections. Connections from the localhost and
510# internal interface (if one exists) are accepted by default.
511# Responses from the Internet to requests initiated by or through
512# the firewall are also accepted by default. To get here, the
513# packets would have to be part of a new request received by the
514# Internet interface. You would have to manually add rules to
515# accept these. I added these rules because some network connections,
516# such as those via cable modems, tend to be filled with noise from
517# unprotected Windows machines. These rules drop those packets
518# quickly and without logging them. This prevents them from traversing
519# the whole chain and keeps the log from getting cluttered with
520# chatter from Windows systems.
521$IPT -A udp_inbound -p UDP -s 0/0 --destination-port 137 -j DROP
522$IPT -A udp_inbound -p UDP -s 0/0 --destination-port 138 -j DROP
523
524# DNS Server
525# Configure the server to use port 53 as the source port for requests
526# Note, if you run a caching-only name server that only accepts queries
527# from the private network or localhost, you can comment out this line.
528$IPT -A udp_inbound -p UDP -s 0/0 --destination-port 53 -j ACCEPT
529
530# If you don't query-source the server to port 53 and you have problems,
531# uncomment this rule. It specifically allows responses to queries
532# initiated to another server from a high UDP port. The stateful
533# connection rules should handle this situation, though.
534# $IPT -A udp_inbound -p UDP -s 0/0 --source-port 53 -j ACCEPT
535
536
537# Not matched, so return for logging
538$IPT -A udp_inbound -p UDP -j RETURN
539
540# udp_outbound chain
541#
542# This chain is used with a private network to prevent forwarding for
543# UDP requests on specific protocols. Applied to the FORWARD rule from
544# the internal network. Ends with an ACCEPT
545
546
547# No match, so ACCEPT
548$IPT -A udp_outbound -p UDP -s 0/0 -j ACCEPT
549
550# tcp_inbound chain
551#
552# This chain is used to allow inbound connections to the
553# system/gateway. Use with care. It defaults to none.
554# It's applied on INPUT from the external or Internet interface.
555
556# DNS Server - Allow TCP connections (zone transfers and large requests)
557# This is disabled by default. DNS Zone transfers occur via TCP.
558# If you need to allow transfers over the net you need to uncomment this line.
559# If you allow queries from the 'net, you also need to be aware that although
560# DNS queries use UDP by default, a truncated UDP query can legally be
561# submitted via TCP instead. You probably will never need it, but should
562# be aware of the fact.
563# $IPT -A tcp_inbound -p TCP -s 0/0 --destination-port 53 -j ACCEPT
564
565# Web Server
566
567# HTTP
568$IPT -A tcp_inbound -p TCP -s 0/0 --destination-port 80 -j ACCEPT
569
570# sshd
571$IPT -A tcp_inbound -p TCP -s 0/0 --destination-port 22 -j ACCEPT
572
573
574# Not matched, so return so it will be logged
575$IPT -A tcp_inbound -p TCP -j RETURN
576
577# tcp_outbound chain
578#
579# This chain is used with a private network to prevent forwarding for
580# requests on specific protocols. Applied to the FORWARD rule from
581# the internal network. Ends with an ACCEPT
582
583# Block FTP Access
584
585# Control
586$IPT -A tcp_outbound -p TCP -s 0/0 --destination-port 21 -j REJECT
587
588# Data
589$IPT -A tcp_outbound -p TCP -s 0/0 --destination-port 20 -j REJECT
590
591
592# No match, so ACCEPT
593$IPT -A tcp_outbound -p TCP -s 0/0 -j ACCEPT
594
595###############################################################################
596#
597# INPUT Chain
598#
599
600echo "Process INPUT chain ..."
601
602# Allow all on localhost interface
603$IPT -A INPUT -p ALL -i $LO_IFACE -j ACCEPT
604
605# Drop bad packets
606$IPT -A INPUT -p ALL -j bad_packets
607
608# DOCSIS compliant cable modems
609# Some DOCSIS compliant cable modems send IGMP multicasts to find
610# connected PCs. The multicast packets have the destination address
611# 224.0.0.1. You can accept them. If you choose to do so,
612# Uncomment the rule to ACCEPT them and comment the rule to DROP
613# them The firewall will drop them here by default to avoid
614# cluttering the log. The firewall will drop all multicasts
615# to the entire subnet (224.0.0.1) by default. To only affect
616# IGMP multicasts, change '-p ALL' to '-p 2'. Of course,
617# if they aren't accepted elsewhere, it will only ensure that
618# multicasts on other protocols are logged.
619# Drop them without logging.
620$IPT -A INPUT -p ALL -d 224.0.0.1 -j DROP
621# The rule to accept the packets.
622# $IPT -A INPUT -p ALL -d 224.0.0.1 -j ACCEPT
623
624# Rules for the private network (accessing gateway system itself)
625$IPT -A INPUT -p ALL -i $LOCAL_IFACE -s $LOCAL_NET -j ACCEPT
626$IPT -A INPUT -p ALL -i $LOCAL_IFACE -d $LOCAL_BCAST -j ACCEPT
627
628
629# Inbound Internet Packet Rules
630
631# Accept Established Connections
632$IPT -A INPUT -p ALL -i $INET_IFACE -m state --state ESTABLISHED,RELATED \
633 -j ACCEPT
634
635# Route the rest to the appropriate user chain
636$IPT -A INPUT -p TCP -i $INET_IFACE -j tcp_inbound
637$IPT -A INPUT -p UDP -i $INET_IFACE -j udp_inbound
638$IPT -A INPUT -p ICMP -i $INET_IFACE -j icmp_packets
639
640# Drop without logging broadcasts that get this far.
641# Cuts down on log clutter.
642# Comment this line if testing new rules that impact
643# broadcast protocols.
644$IPT -A INPUT -m pkttype --pkt-type broadcast -j DROP
645
646# Log packets that still don't match
647$IPT -A INPUT -m limit --limit 3/minute --limit-burst 3 -j LOG \
648 --log-prefix "INPUT packet died: "
649
650###############################################################################
651#
652# FORWARD Chain
653#
654
655echo "Process FORWARD chain ..."
656
657# Used if forwarding for a private network
658
659# Drop bad packets
660$IPT -A FORWARD -p ALL -j bad_packets
661
662# Accept TCP packets we want to forward from internal sources
663$IPT -A FORWARD -p tcp -i $LOCAL_IFACE -j tcp_outbound
664
665# Accept UDP packets we want to forward from internal sources
666$IPT -A FORWARD -p udp -i $LOCAL_IFACE -j udp_outbound
667
668# If not blocked, accept any other packets from the internal interface
669$IPT -A FORWARD -p ALL -i $LOCAL_IFACE -j ACCEPT
670
671# Deal with responses from the internet
672$IPT -A FORWARD -i $INET_IFACE -m state --state ESTABLISHED,RELATED \
673 -j ACCEPT
674
675# Port Forwarding is enabled, so accept forwarded traffic
676$IPT -A FORWARD -p udp -i $INET_IFACE --destination-port 80 \
677 --destination 192.168.1.20 -j ACCEPT
678
679$IPT -A FORWARD -p tcp -i $INET_IFACE --destination-port 80 \
680 --destination 192.168.1.20 -j ACCEPT
681
682# Log packets that still don't match
683$IPT -A FORWARD -m limit --limit 3/minute --limit-burst 3 -j LOG \
684 --log-prefix "FORWARD packet died: "
685
686###############################################################################
687#
688# OUTPUT Chain
689#
690
691echo "Process OUTPUT chain ..."
692
693# Generally trust the firewall on output
694
695# However, invalid icmp packets need to be dropped
696# to prevent a possible exploit.
697$IPT -A OUTPUT -m state -p icmp --state INVALID -j DROP
698
699# Localhost
700$IPT -A OUTPUT -p ALL -s $LO_IP -j ACCEPT
701$IPT -A OUTPUT -p ALL -o $LO_IFACE -j ACCEPT
702
703# To internal network
704$IPT -A OUTPUT -p ALL -s $LOCAL_IP -j ACCEPT
705$IPT -A OUTPUT -p ALL -o $LOCAL_IFACE -j ACCEPT
706
707# To internet
708$IPT -A OUTPUT -p ALL -o $INET_IFACE -j ACCEPT
709
710# Log packets that still don't match
711$IPT -A OUTPUT -m limit --limit 3/minute --limit-burst 3 -j LOG \
712 --log-prefix "OUTPUT packet died: "
713
714###############################################################################
715#
716# nat table
717#
718###############################################################################
719
720# The nat table is where network address translation occurs if there
721# is a private network. If the gateway is connected to the Internet
722# with a static IP, snat is used. If the gateway has a dynamic address,
723# masquerade must be used instead. There is more overhead associated
724# with masquerade, so snat is better when it can be used.
725# The nat table has a builtin chain, PREROUTING, for dnat and redirects.
726# Another, POSTROUTING, handles snat and masquerade.
727
728echo "Load rules for nat table ..."
729
730###############################################################################
731#
732# PREROUTING chain
733#
734
735# Port Forwarding
736#
737# Port forwarding forwards all traffic on a port or ports from
738# the firewall to a computer on the internal LAN. This can
739# be required to support special situations. For instance,
740# this is the only way to support file transfers with an ICQ
741# client on an internal computer. It's also required if an internal
742# system hosts a service such as a web server. However, it's also
743# a dangerous option. It allows Internet computers access to
744# your internal network. Use it carefully and only if you're
745# certain you know what you're doing.
746
747$IPT -t nat -A PREROUTING -p udp -i $INET_IFACE --destination-port 8080:80 \
748 -j DNAT --to-destination 192.168.1.20:80
749
750$IPT -t nat -A PREROUTING -p tcp -i $INET_IFACE --destination-port 8080:80 \
751 -j DNAT --to-destination 192.168.1.20:80
752
753
754###############################################################################
755#
756# POSTROUTING chain
757#
758
759$IPT -t nat -A POSTROUTING -o $INET_IFACE \
760 -j SNAT --to-source $INET_ADDRESS
761
762###############################################################################
763#
764# mangle table
765#
766###############################################################################
767
768# The mangle table is used to alter packets. It can alter or mangle them in
769# several ways. For the purposes of this generator, we only use its ability
770# to alter the TTL in packets. However, it can be used to set netfilter
771# mark values on specific packets. Those marks could then be used in another
772# table like filter, to limit activities associated with a specific host, for
773# instance. The TOS target can be used to set the Type of Service field in
774# the IP header. Note that the TTL target might not be included in the
775# distribution on your system. If it is not and you require it, you will
776# have to add it. That may require that you build from source.
777
778echo "Load rules for mangle table ..."