# Configuring iptables

## rajendra82

I am a linux newbie but I wanted to get my system running with a firewall setup so I went with the script located at 

http://projectfiles.com/firewall/rc.firewall

Here is the code listing:

```
#!/bin/bash

#

# rc.firewall version 2.0rc4 -- 08/07/02

# http://projectfiles.com/firewall/

# By Scott Bartlett <srb@mnsolutions.com>

#

# This software may be used and distributed according to the terms of the GNU

# General Public License (GPL) provided credit is given to the original author.

#

# NOTE: All lists are delimited by single spaces, eg "eth0 eth1 ppp0".

#

###############################

# -- Configuration Section -- #

###############################

# Ports listed here will be open to ANY connecting host.  Protocols 'tcp' and

# 'udp' can be optionally specified.  If no protocol is specified, then

# connections using either protocols will be accepted on the given port or port

# range.  Use the format: <port-number or port-range>[/<protocol>]

# Example: OPEN_PORTS="80/tcp 53 2400-2500/tcp"

OPEN_PORTS=""

# Listing internal (private) interfaces here will allow this machine to act as a

# router.  All interfaces NOT listed here are considered external (public) 

# and will be automatically protected by the firewall. IP aliases are permitted.

# Example: INTERNAL_INTERFACES="eth1 eth2"

INTERNAL_INTERFACES=""

# If you have internal interfaces or are using port forwards, then list dial-up

# interfaces (or any other interface that is not always connected/online)

# here.  Again, this setting is only required you have INTERNAL_INTERFACES

# or PORT_FORWARDS.  Note: Interfaces configured to obtain an IP address

# automatically (DHCP), do not need to be listed here as the DHCP client will

# requests the same address each time it renews the lease.

# Example: DYNAMIC_INTERFACES="ppp0"

DYNAMIC_INTERFACES=""

# Most users do not need to change anything below this point.

########################################

# -- Advanced Configuration Section -- #

########################################

# ** DO NOT ** modify anything below unless you know what you are doing!!

# See online documentation at: http://projectfiles.com/firewall/config.html

TRUSTED_NETWORKS=""

PORT_FORWARDS=""

PORT_FWD_ALL="yes"

PORT_FWD_ROUTED_NETWORKS="yes"

ADDITIONAL_ROUTED_NETWORKS=""

TRUST_ROUTED_NETWORKS="yes"

NO_RP_FILTER_INTERFACES=""

NAT_EXTERNAL="yes"

ADDITIONAL_NAT_INTERFACES=""

INTERNAL_DHCP="yes"

RFC_1122_COMPLIANT="yes"

LOGGING="no"

###########################################################

# -- Nothing below this point should need modification -- #

###########################################################

# Set version information.

VERSION="2.0rc4"

# Welcome!

echo "-> Projectfiles.com rc.firewall version $VERSION running."

# Set PATH explicity.

export PATH="/usr/local/sbin:/usr/sbin:/sbin:/usr/local/bin:/usr/bin:/bin"

# Add SysV style initialization support (ignore everything except 'stop' and 'clear').

if [ "$1" == "stop" ] || [ "$1" == "clear" ]; then

  iptables -t filter -F > /dev/null 2>&1

  iptables -t filter -X > /dev/null 2>&1

  iptables -t nat -F > /dev/null 2>&1

  iptables -t nat -X > /dev/null 2>&1

  iptables -t mangle -F > /dev/null 2>&1

  iptables -t mangle -X > /dev/null 2>&1

  iptables -t filter -P INPUT ACCEPT > /dev/null 2>&1

  iptables -t filter -P OUTPUT ACCEPT > /dev/null 2>&1

  iptables -t filter -P FORWARD ACCEPT > /dev/null 2>&1

  iptables -t nat -P PREROUTING ACCEPT > /dev/null 2>&1

  iptables -t nat -P POSTROUTING ACCEPT > /dev/null 2>&1

  iptables -t nat -P OUTPUT ACCEPT  > /dev/null 2>&1

  iptables -t mangle -P POSTROUTING ACCEPT > /dev/null 2>&1

  iptables -t mangle -P OUTPUT ACCEPT > /dev/null 2>&1

  iptables -t mangle -P PREROUTING ACCEPT > /dev/null 2>&1

  iptables -t mangle -P INPUT ACCEPT > /dev/null 2>&1

  iptables -t mangle -P FORWARD ACCEPT > /dev/null 2>&1

  echo "-> Firewall disabled."

  exit

fi

if [ "$1" == "loadconfig" ]; then

  echo "-> Using data from /etc/firewall.conf instead of current configuration data."

fi

# Define exit/failure function.

exit_failure() {

  echo " [ FAILED ]"

  echo "-> FATAL: $FAILURE"

  echo "-> Firewall configuration ** ABORTED **."

  exit 1

}

# Sanity checking section

echo -n "-> Performing sanity checks"

# Make sure we are running the script with root privileges.

if [ "$EUID" != "0" ]; then

  FAILURE="You must have root privileges to configure the firewall."

  exit_failure

fi

# Use configuration data from /etc/firewall.conf if requested.

if [ "$1" == "loadconfig" ]; then

  if [ -r /etc/firewall.conf ]; then

    if (( `head -1 /etc/firewall.conf | grep -c \

  "# Linux Firewall configuration backup -- http://projectfiles.com/firewall/"` )); then

    COMPATIBLE_VERSIONS="2.0rc4"

      if (( $(echo "$COMPATIBLE_VERSIONS" | grep -c `head -3 /etc/firewall.conf | tail -1 | cut -d\" -f2`) )); then

   . /etc/firewall.conf

      else

   FAILURE="/etc/firewall.conf is too outdated.  Please configure the options at the beginning of rc.firewall and recreate the file."

   exit_failure

      fi

    else

      FAILURE="The file /etc/firewall.conf does not appear to associated with this program.  Refusing to load data."

      exit_failure

    fi

  else

    FAILURE="Cannot read from /etc/firewall.conf.  Did you forget to back up your configuration data or has the file been moved?"

    exit_failure

  fi

fi

# Save selected variable settings if we are going to back up our configuration.

if [ "$1" == "saveconfig" ] || [ "$1" == "writeconfig" ]; then

  ORIG_OPEN_PORTS="$OPEN_PORTS"

  ORIG_TRUSTED_NETWORKS="$TRUSTED_NETWORKS"

fi

# Determine if we are a router.

if [ -n "$INTERNAL_INTERFACES" ] || [ -n "$PORT_FORWARDS" ]; then

  IS_ROUTER="yes"

fi

# That was easy, now santity check trusted networks.

if [ -n "$TRUSTED_NETWORKS" ]; then

  for NETWORK in $TRUSTED_NETWORKS; do

    NET=`echo "$NETWORK:" | cut -d: -f1`

    MOD_PORTS=`echo "$NETWORK:" | cut -d: -f2`

    if (( `echo "$NETWORK:" | cut -d: -f3 | grep -c "."` )); then

      FAILURE="Syntax error in TRUSTED_NETWORKS definition."

      exit_failure

    fi

    HOST=`echo "$NET/" | cut -d/ -f1`

    MASK=`echo "$NET/" | cut -d/ -f2`   # Optional: Netfilter assumes /32 if not defined.

    if (( `echo "$NET/" | cut -d/ -f3 | grep -c "."` )); then

      FAILURE="Syntax error in TRUSTED_NETWORKS definition."

      exit_failure

    fi

    for OCTET in `echo "$HOST." | cut -d. -f1,2,3,4 --output-delimiter=" "`; do

      if (( `echo "$OCTET" | grep -c "[^[:digit:]]"` )) || [ "$OCTET" -lt "0" ] || [ "$OCTET" -gt "255" ]; then

   FAILURE="All network address definitions must be in dotted decimal format [e.g. 192.168.0.10]."

   exit_failure

      fi

    done

    if (( `echo "$HOST." | cut -d. -f5 | grep -c "."` )); then

      FAILURE="All network address definitions must be in dotted decimal format [e.g. 192.168.0.10]."

      exit_failure

    fi

    if [ -n "$MASK" ]; then

      if (( `echo "$MASK" | grep -c "[^[:digit:]]"` )) || [ "$MASK" -lt "0" ] || [ "$MASK" -gt "32" ]; then

   FAILURE="All network masks must between '/0' (0.0.0.0) and '/32' (255.255.255.255) inclusive."

   exit_failure

      fi

    fi

    if [ -z "$MOD_PORTS" ]; then

      TRUSTED="$TRUSTED $NET"

    else

      PORTS=`echo "$MOD_PORTS/" | cut -d/ -f1`

      PROTOCOL=`echo "$MOD_PORTS/" | cut -d/ -f2`

      if (( `echo "$ITEM/" | cut -d/ -f3 | grep -c "."` )); then

   FAILURE="Invalid syntax in TRUSTED_NETWORKS definition."

   exit_failure

      fi

      if (( `echo "$PORTS" | grep -c "[^[:digit:]]"` )) || [ "$PORTS" -lt "1" ] || [ "$PORTS" -gt "65536" ]; then

   for PORT in `echo "$PORTS-" | cut -d- -f1,2 --output-delimiter=" "`; do

     if (( `echo "$PORT" | grep -c "[^[:digit:]]"` )) || [ "$PORT" -lt "1" ] || [ "$PORT" -gt "65536" ]; then

       FAILURE="Invalid port number in TRUSTED_NETWORKS definition, must be between 1 and 65535."

       exit_failure

     fi

   done

   if (( `echo "$PORTS-" | cut -d- -f3 | grep -c "."` )); then

     FAILURE="Invalid syntax in TRUSTED_NETWORKS."

     exit_failure

   fi

      fi

      if [ "$PROTOCOL" == "tcp" ] || [ "$PROTOCOL" == "udp" ]; then

   TRUSTED_PORTS="$TRUSTED_PORTS $NET:$PORTS/$PROTOCOL"

      elif [ -z "$PROTOCOL" ]; then

   TRUSTED_PORTS="$TRUSTED_PORTS $NET:$PORTS/tcp"

   TRUSTED_PORTS="$TRUSTED_PORTS $NET:$PORTS/udp"

      else

   FAILURE="Invalid protocol in TRUSTED_NETWORKS."

   exit_failure

      fi

    fi

  done

  TRUSTED_NETWORKS=$TRUSTED

  TRUSTED_PORTS=$TRUSTED_PORTS

fi

# Santity check additional routed networks.

if [ "$IS_ROUTER" == "yes" ]; then

  for NETWORK in $ADDITIONAL_ROUTED_NETWORKS; do

    HOST=`echo "$NETWORK/" | cut -d/ -f1`

    MASK=`echo "$NETWORK/" | cut -d/ -f2`   # Optional: Netfilter assumes /32 if not defined.

    if (( `echo "$NETWORK/" | cut -d/ -f3 | grep -c "."` )); then

      FAILURE="Syntax error in network definition."

      exit_failure

    fi

    for OCTET in `echo "$HOST." | cut -d. -f1,2,3,4 --output-delimiter=" "`; do

      if (( `echo "$OCTET" | grep -c "[^[:digit:]]"` )) || [ "$OCTET" -lt "0" ] || [ "$OCTET" -gt "255" ]; then

   FAILURE="All network address definitions must be in dotted decimal format [e.g. 192.168.0.10]."

   exit_failure

      fi

    done

    if (( `echo "$HOST." | cut -d. -f5 | grep -c "."` )); then

      FAILURE="All network address definitions must be in dotted decimal format [e.g. 192.168.0.10]."

      exit_failure

    fi

    if [ -n "$MASK" ]; then

      if (( `echo "$MASK" | grep -c "[^[:digit:]]"` )) || [ "$MASK" -lt "0" ] || [ "$MASK" -gt "32" ]; then

   FAILURE="All network masks must between '/0' (0.0.0.0) and '/32' (255.255.255.255) inclusive."

   exit_failure

      fi

    fi

  done

fi

# Santity check port forwarding definitions.  Destination port is optional.

if [ "$IS_ROUTER" == "yes" ]; then

  for FORWARD in $PORT_FORWARDS; do

    PROTOCOL=`echo "$FORWARD:" | cut -d: -f1`

    IN_PORTS=`echo "$FORWARD:" | cut -d: -f2`

    DEST=`echo "$FORWARD:" | cut -d: -f3`

    DPORTS=`echo "$FORWARD:" | cut -d: -f4`

    if (( `echo "$FORWARD:" | cut -d: -f5 | grep -c "."` )); then

      FAILURE="Too many parameters in port forwarding definition."

      exit_failure

    fi

    if [ "$PROTOCOL" != "tcp" ] && [ "$PROTOCOL" != "udp" ]; then

      FAILURE="Port forwarding <protocol> must be either 'tcp' or 'udp'."

      exit_failure

    fi

    if (( `echo "$IN_PORTS" | grep -c "[^[:digit:]]"` )) || [ "$IN_PORTS" -lt "1" ] || [ "$IN_PORTS" -gt "65536" ]; then

      for PORT in `echo "$IN_PORTS" | cut -d- -f1,2 --output-delimiter=" "`; do

   if (( `echo "$PORT" | grep -c "[^[:digit:]]"` )) || [ "$PORT" -lt "1" ] || [ "$PORT" -gt "65536" ]; then

     FAILURE="Port forwarding <in_ports> must be in the range: 1 to 65535."

     exit_failure

   fi

      done

      if (( `echo "$IN_PORTS" | cut -d- -f3 | grep -c "."` )); then

   FAILURE="Port forwarding <in_ports> syntax invalid."

   exit_failure

      fi

    fi

    for OCTET in `echo "$DEST" | cut -d. -f1,2,3,4 --output-delimiter=" "`; do

      if (( `echo "$OCTET" | grep -c "[^[:digit:]]"` )) || [ "$OCTET" -lt "0" ] || [ "$OCTET" -gt "255" ]; then

   FAILURE="Port forwarding <dest> must be in dotted decimal format [e.g. 192.168.0.10]."

   exit_failure

      fi

    done

    if (( `echo "$DEST" | cut -d. -f5 | grep -c "."` )); then

      FAILURE="Port forwarding <dest> must be in dotted decimal format [e.g. 192.168.0.10]."

      exit_failure

    fi

    if [ -n "$DPORTS" ]; then

      if (( `echo "$DPORTS" | grep -c "[^[:digit:]]"` )) || [ "$DPORTS" -lt "1" ] || [ "$DPORTS" -gt "65536" ]; then

   for PORT in `echo "$DPORTS" | cut -d- -f1,2 --output-delimiter=" "`; do

     if (( `echo "$PORT" | grep -c "[^[:digit:]]"` )) || [ "$PORT" -lt "1" ] || [ "$PORT" -gt "65536" ]; then

       FAILURE="Port forwarding <dports> must be in the range from 1 to 65535."

       exit_failure

     fi

   done

   if (( `echo "$DPORTS" | cut -d- -f3 | grep -c "."` )); then

     FAILURE="Port forwarding <dports> syntax invalid."

     exit_failure

   fi

      fi

    fi

    if [ "$PORT_FWD_ALL" == "yes" ]; then

      OPEN_PORTS="$OPEN_PORTS $IN_PORTS/$PROTOCOL"

    fi

  done

fi

echo -n "."

# Sanity check open ports.

if [ -n "$OPEN_PORTS" ]; then

  MOD_PORTS=""

  for ITEM in $OPEN_PORTS; do

    PORTS=`echo "$ITEM/" | cut -d/ -f1`

    PROTOCOL=`echo "$ITEM/" | cut -d/ -f2`

    if (( `echo "$ITEM/" | cut -d/ -f3 | grep -c "."` )); then

      FAILURE="Invalid syntax in OPEN_PORTS."

      exit_failure

    fi

    if (( `echo "$PORTS" | grep -c "[^[:digit:]]"` )) || [ "$PORTS" -lt "1" ] || [ "$PORTS" -gt "65536" ]; then

      for PORT in `echo "$PORTS-" | cut -d- -f1,2 --output-delimiter=" "`; do

   if (( `echo "$PORT" | grep -c "[^[:digit:]]"` )) || [ "$PORT" -lt "1" ] || [ "$PORT" -gt "65536" ]; then

     FAILURE="Invalid port number in OPEN_PORTS, must be between 1 and 65535."

     exit_failure

   fi

      done

      if (( `echo "$PORTS-" | cut -d- -f3 | grep -c "."` )); then

   FAILURE="Invalid syntax in OPEN_PORTS."

   exit_failure

      fi

    fi

    if [ "$PROTOCOL" == "tcp" ] || [ "$PROTOCOL" == "udp" ]; then

      MOD_PORTS="$MOD_PORTS $PORTS/$PROTOCOL"

    elif [ -z "$PROTOCOL" ]; then

      MOD_PORTS="$MOD_PORTS $PORTS/tcp"

      MOD_PORTS="$MOD_PORTS $PORTS/udp"

    else

      FAILURE="Invalid protocol in OPEN_PORTS."

      exit_failure

    fi

  done

  OPEN_PORTS=$MOD_PORTS

fi

# Sanity check that dynamic, nat, and rp_filter interface definitions do not use IP aliases.

if [ "$IS_ROUTER" == "yes" ]; then

  if (( `echo "$DYNAMIC_INTERFACES $NO_RP_FILTER_INTERFACES $ADDITIONAL_NAT_INTERFACES" | grep -c ":"` )); then

    FAILURE="Dynamic_interfaces, rp_filter, and no_nat_interface definitions cannot contain IP aliases."

    exit_failure

  fi

fi

  

# Obtain list of external interfaces.

EXTERNAL_INTERFACES=`ifconfig | grep "^[[:alpha:]]" | cut -d\  -f1 | sed s/^lo.*//`

if [ "$IS_ROUTER" == "yes" ]; then

  for INTERFACE in $INTERNAL_INTERFACES; do

    EXTERNAL_INTERFACES=`echo "$EXTERNAL_INTERFACES" | sed s/^$INTERFACE$//`

  done

fi

EXTERNAL_INTERFACES=`echo $EXTERNAL_INTERFACES`      # Remove newlines

# Divide internal and external interfaces into static and dynamic groups.

for INTERFACE in $INTERNAL_INTERFACES; do

  if (( `echo "$DYNAMIC_INTERFACES" | grep -c "$INTERFACE"` )); then

    DYNAMIC_INTERNAL_INTERFACES="$DYNAMIC_INTERNAL_INTERFACES $INTERFACE"

  else

    STATIC_INTERNAL_INTERFACES="$STATIC_INTERNAL_INTERFACES $INTERFACE"

  fi

done

for INTERFACE in $EXTERNAL_INTERFACES; do

  if (( `echo "$DYNAMIC_INTERFACES" | grep -c "$INTERFACE"` )); then

    DYNAMIC_EXTERNAL_INTERFACES="$DYNAMIC_EXTERNAL_INTERFACES $INTERFACE"

  else

    STATIC_EXTERNAL_INTERFACES="$STATIC_EXTERNAL_INTERFACES $INTERFACE"

  fi

done

for INTERFACE in $DYNAMIC_INTERFACES; do

  if !(( `echo "$INTERNAL_INTERFACES $EXTERNAL_INTERFACES" | grep -c "$INTERFACE"` )); then

    DYNAMIC_EXTERNAL_INTERFACES="$DYNAMIC_EXTERNAL_INTERFACES $INTERFACE"

  fi

done

# Obtain list of interfaces to NAT outbound connections

if [ "$IS_ROUTER" == "yes" ]; then

  if [ "$NAT_EXTERNAL" == "yes" ]; then

    for INTERFACE in $STATIC_EXTERNAL_INTERFACES; do

      if !(( `echo "$INTERFACE" | grep -c ":"` )); then

   STATIC_NAT_INTERFACES="$STATIC_NAT_INTERFACES $INTERFACE"

      fi

    done

    for INTERFACE in $DYNAMIC_EXTERNAL_INTERFACES; do

      if !(( `echo "$INTERFACE" | grep -c ":"` )); then

   DYNAMIC_NAT_INTERFACES="$DYNAMIC_NAT_INTERFACES $INTERFACE"

      fi

    done

  fi

  for INTERFACE in $ADDITIONAL_NAT_INTERFACES; do

    if (( `echo "$DYNAMIC_INTERFACES" | grep -c "$INTERFACE"` )); then

      DYNAMIC_NAT_INTERFACES="$DYNAMIC_NAT_INTERFACES $INTERFACE"

    else

      STATIC_NAT_INTERFACES="$STATIC_NAT_INTERFACES $INTERFACE"

    fi

  done

fi

# Make sure we have iptables installed.

if (( `iptables -V 2>&1 | grep -c "command not found"` )); then

FAILURE="Cannot find 'iptables' command.  Did you forget to install iptables?"

exit_failure

fi

# If we are a router, check that all static internal interfaces are up.

if [ "$IS_ROUTER" == "yes" ]; then

for INTERFACE in $STATIC_INTERNAL_INTERFACES; do

  if !(( `ifconfig | grep -c "^$INTERFACE\ "` )); then

    FAILURE="A static internal interface is down.  Did you forgot to configure interfaces before running the firewall?"

    exit_failure

  fi

done

fi

# Check to see if we have a proc filesystem, if not and we are a router, then exit.

if [ "$IS_ROUTER" == "yes" ] && ! [ -a "/proc/version" ]; then

  FAILURE="Routing requires proc filesystem support.  Please mount /proc or add proc filesystem support to your kernel."

  exit_failure

fi

echo -n "."

# Determine if this is a modular kernel, if so modprobe the required modules.

if !(( `which modprobe 2>&1 | grep -c "which: no modprobe in"` )) && ( [ -a /proc/modules ] || ! [ -a /proc/version ] ); then

  for MODULE in ip_tables ip_conntrack ipt_state iptable_filter; do

    if (( `modprobe -l | grep -c "$MODULE"` )); then

      modprobe $MODULE > /dev/null 2>&1

    fi

  done

  if [ "$RFC_1122_COMPLIANT" == "yes" ]; then

    if (( `modprobe -l | grep -c "ipt_REJECT"` )); then

      modprobe ipt_REJECT > /dev/null 2>&1

    fi

  fi

  if [ "$LOGGING" == "yes" ]; then

    for MODULE in ipt_LOG ipt_limit; do 

      if (( `modprobe -l | grep -c "$MODULE"` )); then

   modprobe $MODULE > /dev/null 2>&1

      fi

    done

  fi

  if [ "$IS_ROUTER" == "yes" ]; then

    for MODULE in iptable_nat ip_nat_irc ip_nat_ftp ip_conntrack_irc ip_conntrack_ftp; do 

      if (( `modprobe -l | grep -c "$MODULE"` )); then

   modprobe $MODULE > /dev/null 2>&1

      fi

    done

    if [ -n "$DYNAMIC_INTERFACES" ]; then

      if (( `modprobe -l | grep -c "ipt_MASQUERADE"` )); then

   modprobe ipt_MASQUERADE > /dev/null 2>&1

      fi

    fi

    if [ -n "$PORT_FORWARDS" ]; then

      for MODULE in iptable_mangle ipt_mark ipt_MARK; do 

   if (( `modprobe -l | grep -c "$MODULE"` )); then

     modprobe $MODULE > /dev/null 2>&1

   fi

      done

    fi

  fi

fi

# Obtain list of NAT addresses if we are a router doing nat.

if [ "$IS_ROUTER" == "yes" ]; then

  for INTERFACE in $STATIC_NAT_INTERFACES; do

    ADDRESS=`ifconfig | grep "^$INTERFACE\ " -A1 | grep "inet" | cut -d: -f2| cut -d\  -f1 | head -1`

    NAT_ADDRESSES="$NAT_ADDRESSES $ADDRESS"

  done

fi

NAT_ADDRESSES=`echo $NAT_ADDRESSES`   # Remove extra whitespace

# Obtain list of internal networks with subnet masks corrisponding to internal interfaces.

if [ "$IS_ROUTER" == "yes" ]; then

  for INTERFACE in $STATIC_INTERNAL_INTERFACES; do

    STROKE="0"

    MASK=`ifconfig | grep "^$INTERFACE\ " -A1 | grep "Mask" | cut -d: -f4 | head -1`

    for OCTET in 1 2 3 4; do

      BINARY=`echo "$MASK" | cut -d. -f$OCTET`

      for SUBTRACT in 128 64 32 16 8 4 2 1; do

   if [ "$((BINARY - SUBTRACT))" -ge "0" ]; then

     BINARY=$((BINARY - SUBTRACT))

     STROKE=$((STROKE + 1))

   fi

     done

    done

    NETWORK=`ifconfig | grep "^$INTERFACE\ " -A1 | grep "inet" | cut -d: -f2| cut -d\  -f1 | head -1`/$STROKE

    INTERNAL_NETWORKS="$INTERNAL_NETWORKS $NETWORK"

  done

  INTERNAL_NETWORKS=`echo $INTERNAL_NETWORKS`

fi

# Obtain a list of external addresses for exit message and port forwarding.

if [ -n "$STATIC_EXTERNAL_INTERFACES" ]; then

  for INTERFACE in $STATIC_EXTERNAL_INTERFACES; do

    ADDRESS=`ifconfig | grep "^$INTERFACE\ " -A1 | grep "inet" | cut -d: -f2| cut -d\  -f1 | head -1`

    EXTERNAL_ADDRESSES="$EXTERNAL_ADDRESSES $ADDRESS"

  done

  EXTERNAL_ADDRESSES=`echo $EXTERNAL_ADDRESSES`

fi

# Make a table of interfaces for marking packets based on their incoming interface.  Do not include IP aliases.

if [ "$IS_ROUTER" == "yes" ] && [ -n "$PORT_FORWARDS" ]; then

  COUNT="0"

  TAB="0"

  for INTERFACE in $STATIC_INTERNAL_INTERFACES $STATIC_EXTERNAL_INTERFACES; do

    COUNT=$((COUNT + 1))

    if !(( `echo "$INTERFACE" | grep -c ":"` )); then

      TAB=$((TAB + 1))

      INTERFACE_TAB[$TAB]="$INTERFACE"

      ADDRESS_TAB[$TAB]=`echo $INTERNAL_NETWORKS $EXTERNAL_ADDRESSES | cut -d\  -f$COUNT | cut -d/ -f1`

      if [ "$PORT_FWD_ROUTED_NETWORKS" == "yes" ]; then

   if (( `echo "$STATIC_INTERNAL_INTERFACES" | grep -c "$INTERFACE"` )); then

     NETWORK_TAB[$TAB]="$ADDITIONAL_ROUTED_NETWORKS `echo "$INTERNAL_NETWORKS" | cut -d\  -f$COUNT`"

   fi

      fi

    fi

  done

  for INTERFACE in $DYNAMIC_INTERNAL_INTERFACES $DYNAMIC_EXTERNAL_INTERFACES; do

    TAB=$((TAB + 1))

    INTERFACE_TAB[$TAB]="$INTERFACE"

  done

fi

# If we do not trust routed networks then add internal interfaces as "secured" addresses in the exit message.

if [ "$IS_ROUTER" == "yes" ] && [ -n "$STATIC_INTERNAL_INTERFACES" ] && [ "$TRUST_ROUTED_NETWORKS" != "yes" ]; then

  for INTERFACE in $STATIC_INTERNAL_INTERFACES; do

    ADDRESS=`ifconfig | grep "^$INTERFACE\ " -A1 | grep "inet" | cut -d: -f2| cut -d\  -f1 | head -1`

    EXTERNAL_ADDRESSES="$EXTERNAL_ADDRESSES $ADDRESS"

  done

fi

# Check the validity of rp_filter interfaces.

for INTERFACE in $NO_RP_FILTER_INTERFACES; do

  if ! [ -w "/proc/sys/net/ipv4/conf/$INTERFACE/rp_filter" ]; then

    FAILURE="Cannot write to /proc/sys/net/ipv4/conf/$INTERFACE/rp_filter.  Is the interface definition valid?"

    exit_failure

  fi

done

echo -n "."

# Make sure the filter table exists.

if (( `iptables -t filter -L 2>&1 | grep -c "Table does not exist"` )); then

  FAILURE="Could not find 'filter' table.  Did you compile support for all necessary modules?"

  exit_failure

fi

# Check for the REJECT target if RFC 1122 compliance is enabled.

if [ "$RFC_1122_COMPLIANT" == "yes" ]; then

  if ((`iptables -t filter -i lo -o lo -I FORWARD -j REJECT 2>&1 | grep -c "No chain/target/match by that name"`)); then

    FAILURE="Could not find 'REJECT' target.  Did you compile support for all necessary modules?"

    exit_failure

  else

    iptables -t filter -D FORWARD 1

  fi

fi

# If logging is enabled check for LOG and limit targets.

if [ "$LOGGING" == "yes" ]; then

  if (( `iptables -t filter -i lo -o lo -I FORWARD -m limit 2>&1 | \

    grep -c "No chain/target/match by that name"` )); then

    FAILURE="Could not find 'limit' target.  Did you compile support for all necessary modules?"

    exit_failure

  else

    iptables -t filter -D FORWARD 1

  fi

  if (( `iptables -t filter -i lo -o lo -I FORWARD -j LOG 2>&1 | grep -c "No chain/target/match by that name"` )); then

    FAILURE="Could not find 'LOG' target.  Did you compile support for all necessary modules?"

    exit_failure

  else

    iptables -t filter -D FORWARD 1

  fi

fi

# Check for existance of the nat table if we need it.

if [ -n "$STATIC_NAT_INTERFACES" ] || [ -n "$DYNAMIC_NAT_INTERFACES" ] || [ -n "$PORT_FORWARDS" ]; then

  if (( `iptables -t nat -L 2>&1 | grep -c "Table does not exist"` )); then

    FAILURE="Could not find 'nat' table.  Did you compile support for all necessary modules?"

    exit_failure

  fi

fi

# Determine if we need the MASQUERADE target.

if [ -n "$DYNAMIC_NAT_INTERFACES" ]; then

  if ((`iptables -t nat -I POSTROUTING -o lo -j MASQUERADE 2>&1 | grep -c "No chain/target/match by that name"`)); then

    FAILURE="Could not find 'MASQUERADE' target.  Did you compile support for all necessary modules?"

    exit_failure

  else

    iptables -t nat -D POSTROUTING 1

  fi

fi

# Check for state maching module.

if (( `iptables -t filter -I OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT 2>&1 | \

       grep -c "No chain/target/match by that name"` )); then

  FAILURE="Failed to load state matching module.  Did you compile support for all necessary modules?"

  exit_failure

else

  iptables -t filter -D OUTPUT 1

fi

echo -n "."

# With port forwarding enabled make sure we can use the mangle table, the mark match module, and MARK target.

if [ -n "$PORT_PORTWARDS" ]; then

  if (( `iptables -t mangle -L 2>&1 | grep -c "Table does not exist"` )); then

    FAILURE="Could not find 'mangle' table, required for port forwarding.  Did you compile support for all necessary modules?"

    exit_failure

  fi

  if (( `iptables -t mangle -I OUTPUT -j MARK --set-mark "1" | grep -c "No chain/target/match by that name"` )); then

    FAILURE="Failed to load MARK target.  Did you compile support for all necessary modules?"

    exit_failure

  else

    iptables -t mangle -D OUTPUT 1

  fi

  if (( `iptables -t mangle -I OUTPUT -m mark --mark "1" -j ACCEPT | grep -c "No chain/target/match by that name"` )); then

    FAILURE="Failed to mark match module or MARK target.  Did you compile support for all necessary modules?"

    exit_failure

  else

    iptables -t mangle -D OUTPUT 1

  fi

fi

# Obtain broadcast list if we are doing logging (so that we will not log them).

if [ "$LOGGING" == "yes" ]; then

  BCAST_LIST="255.255.255.255"

  for INTERFACE in $STATIC_INTERNAL_INTERFACES $STATIC_EXTERNAL_INTERFACES; do 

    BROADCAST=`ifconfig | grep "^$INTERFACE\ " -A1 | grep "Bcast" | cut -d: -f3 | cut -d\  -f1 | head -1`

    if !(( `echo "$BCAST_LIST" | grep -c "$BROADCAST"` )); then

      BCAST_LIST="$BCAST_LIST $BROADCAST"

    fi

  done

fi

# System and configuration approved.

echo " [ PASSED ]"

# Write a configuration file if passed the 'saveconfig' or 'writeconfig' argument.

if [ "$1" == "saveconfig" ] || [ "$1" == "writeconfig" ]; then

  if [ -a /etc/firewall.conf ]; then

    if !(( `head -1 /etc/firewall.conf | grep -c "# Linux Firewall configuration backup -- http://projectfiles.com/firewall/"` )); then

      echo "-> WARNING: The file '/etc/firewall.conf' is associated with another program!"

      echo "->          Press any key to overwrite, or CTRL-C to abort."

      read -rsn1

    fi

  fi

cat << EOF > /etc/firewall.conf

# Linux Firewall configuration backup -- http://projectfiles.com/firewall/

# Generated by '$PWD/`echo $0 | sed s/^\.// | sed s/^\\\///` $1' on `date`.

# Generated with version: "$VERSION".

# WARNING: DO NOT EDIT THIS FILE DIRECTLY!

# Make changes to $PWD/`echo $0 | sed s/^\.// | sed s/^\\\///` and run '$PWD/`echo $0 | sed s/^\.// | sed s/^\\\///` $1'.

OPEN_PORTS="$ORIG_OPEN_PORTS"

INTERNAL_INTERFACES="$INTERNAL_INTERFACES"

DYNAMIC_INTERFACES="$DYNAMIC_INTERFACES"

TRUSTED_NETWORKS="$ORIG_TRUSTED_NETWORKS"

PORT_FORWARDS="$PORT_FORWARDS"

PORT_FWD_ALL="$PORT_FWD_ALL"

PORT_FWD_ROUTED_NETWORKS="$PORT_FWD_ROUTED_NETWORKS"

ADDITIONAL_ROUTED_NETWORKS="$ADDITIONAL_ROUTED_NETWORKS"

TRUST_ROUTED_NETWORKS="$TRUST_ROUTED_NETWORKS"

NO_RP_FILTER_INTERFACES="$NO_RP_FILTER_INTERFACES"

NAT_EXTERNAL="$NAT_EXTERNAL"

ADDITIONAL_NAT_INTERFACES="$ADDITIONAL_NAT_INTERFACES"

INTERNAL_DHCP="$INTERNAL_DHCP"

RFC_1122_COMPLIANT="$RFC_1122_COMPLIANT"

LOGGING="$LOGGING"

EOF

  echo "-> Firewall configuration saved to '/etc/firewall.conf'"

  exit

fi

##########################

# -- Firewall Section -- #

##########################

# Set ip_forward and enable kernel level reverse path filtering.

if [ "$IS_ROUTER" == "yes" ]; then

  echo "1" > /proc/sys/net/ipv4/ip_forward 

  echo "1" > /proc/sys/net/ipv4/conf/all/rp_filter

  for INTERFACE in $NO_RP_FILTER_INTERFACES; do

    echo "0" > /proc/sys/net/ipv4/conf/$INTERFACE/rp_filter

  done

else 

  echo "0" > /proc/sys/net/ipv4/ip_forward

fi

# Set default policies.

iptables -t filter -F

iptables -t filter -X

iptables -t filter -P INPUT DROP

iptables -t filter -P FORWARD DROP

iptables -t filter -P OUTPUT ACCEPT

if !(( `iptables -t nat -F 2>&1 | grep -c "Table does not exist"` )); then

  iptables -t nat -X

  iptables -t nat -P PREROUTING ACCEPT

  iptables -t nat -P POSTROUTING ACCEPT

  iptables -t nat -P OUTPUT ACCEPT

fi

if !(( `iptables -t mangle -F 2>&1 | grep -c "Table does not exist"` )); then

  iptables -t mangle -F

  iptables -t mangle -X

  iptables -t mangle -P POSTROUTING ACCEPT

  iptables -t mangle -P OUTPUT ACCEPT

  iptables -t mangle -P PREROUTING ACCEPT > /dev/null 2>&1   # New 2.4.18 builtin mangle chains

  iptables -t mangle -P INPUT ACCEPT > /dev/null 2>&1

  iptables -t mangle -P FORWARD ACCEPT > /dev/null 2>&1

fi

# Initialize trusted chain

iptables -t filter -N TRUSTED

if [ "$RFC_1122_COMPLIANT" == "yes" ]; then

  iptables -t filter -A TRUSTED -j REJECT

else

  iptables -t filter -A TRUSTED -j DROP

fi

# Set logging preferences.  Do not log broadcasts.

if [ "$LOGGING" == "yes" ]; then

  iptables -t filter -N LOGME

  iptables -t filter -I TRUSTED -j LOGME

  for BROADCAST in $BCAST_LIST; do

    iptables -t filter -I LOGME -d $BROADCAST -j RETURN

  done

  iptables -t filter -A LOGME -p icmp -m limit --limit 1/minute --limit-burst 5 -j LOG --log-level notice \

         --log-prefix "firewall: "

  iptables -t filter -A LOGME -p tcp -m limit --limit 1/minute --limit-burst 5 -j LOG --log-level notice \

           --log-prefix "firewall: "

  iptables -t filter -A LOGME -p udp -m limit --limit 1/minute --limit-burst 5 -j LOG --log-level notice \

           --log-prefix "firewall: "

fi

# Accept icmp-echo-request packets if RFC-1122 compliance option is enabled.  Limit logging of imap packets.

if [ "$RFC_1122_COMPLIANT" == "yes" ]; then

  if [ "$LOGGING" == "yes" ]; then

    iptables -t filter -I TRUSTED 2 -p icmp --icmp-type echo-request -j ACCEPT   # -I TRUSTED 2 so that it goes after LOGME.

    iptables -t filter -I TRUSTED -p icmp --icmp-type echo-request -m limit --limit 2/second --limit-burst 10 -j ACCEPT

  else

    iptables -t filter -I TRUSTED -p icmp --icmp-type echo-request -j ACCEPT

  fi

fi

# Insert trusted networks into trusted chain before everything else.

for NETWORK in $TRUSTED_NETWORKS ; do

  iptables -t filter -I TRUSTED -s $NETWORK -j ACCEPT

done

# Set default policy for ESTABLISHED and RELATED connections to ACCEPT on FORWARD chains.

iptables -t filter -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

if [ "$IS_ROUTER" == "yes" ]; then

  iptables -t filter -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

fi

# ICMP DNAT information leak workaround

iptables -t filter -A OUTPUT -p icmp -m state --state INVALID -j DROP

# For servers, only allow NEW connections to specified INPUT ports.  For port forwarding, allow on FORWARD chain.

for ITEM in $OPEN_PORTS $TRUSTED_PORTS; do

  NET=""

  if (( `echo "$ITEM:" | cut -d: -f2 | grep -c "."` )); then

    NET="-s `echo "$ITEM:" | cut -d: -f1`"

    ITEM=`echo "$ITEM:" | cut -d: -f2`

  fi

  PORTS=`echo "$ITEM" | cut -d/ -f1`

  PORTS=`echo "$PORTS" | cut -d- -f1,2 --output-delimiter=":"`

  PROTOCOL=`echo "$ITEM" | cut -d/ -f2`

  COUNT="0"

  for FORWARD in $PORT_FORWARDS; do

    IN_PORTS=`echo "$FORWARD" | cut -d: -f2 | cut -d- -f1,2 --output-delimiter=":"`

    if [ "`echo "$FORWARD" | cut -d: -f1`" == "$PROTOCOL" ] && [ "$PORTS" == "$IN_PORTS" ]; then

      DEST=`echo "$FORWARD" | cut -d: -f3`

      DPORTS=`echo "$FORWARD" | cut -d: -f4 | cut -d- -f1,2 --output-delimiter=":"`

      if [ -z "$DPORTS" ]; then

   DPORTS="$IN_PORTS"

      fi

      iptables -t filter -A FORWARD -m state --state NEW $NET -d $DEST -p $PROTOCOL --dport $DPORTS -j ACCEPT

      COUNT="1"

      if [ -z "$NET" ]; then

   continue 2   # i.e. This port forward is open to everyone.

      fi

    fi

  done

  if [ "$COUNT" == "0" ]; then

    iptables -t filter -A INPUT -m state --state NEW $NET -p $PROTOCOL --dport $PORTS -j ACCEPT

  fi

done

# For routers, allow routing of internal and routed networks on internal interfaces.

if [ "$IS_ROUTER" == "yes" ]; then

  COUNT="0"

  for INTERFACE in $STATIC_INTERNAL_INTERFACES; do

    COUNT=$((COUNT + 1))

    NETWORK=`echo "$INTERNAL_NETWORKS" | cut -d\  -f$COUNT`

    INTERFACE=`echo "$INTERFACE" | cut -d: -f1`

    iptables -t filter -A FORWARD -m state --state NEW -i $INTERFACE -s $NETWORK -j ACCEPT

    if [ "$TRUST_ROUTED_NETWORKS" == "yes" ]; then

      iptables -t filter -A INPUT -m state --state NEW -i $INTERFACE -s $NETWORK -j ACCEPT

    fi

    if [ "$INTERNAL_DHCP" == "yes" ]; then

      iptables -t filter -A INPUT -m state --state NEW -i $INTERFACE -p udp --dport 67 -j ACCEPT

    fi

    for NETWORK in $ADDITIONAL_ROUTED_NETWORKS; do

      iptables -t filter -A FORWARD -m state --state NEW -i $INTERFACE -s $NETWORK -j ACCEPT

      if [ "$TRUST_ROUTED_NETWORKS" == "yes" ]; then

   iptables -t filter -A INPUT -m state --state NEW -i $INTERFACE -s $NETWORK -j ACCEPT

      fi

    done

  done

  for INTERFACE in $DYNAMIC_INTERNAL_INTERFACES; do

    iptables -t filter -A FORWARD -m state --state NEW -i $INTERFACE -j ACCEPT

    if [ "$TRUST_ROUTED_NETWORKS" == "yes" ]; then

      iptables -t filter -A INPUT -m state --state NEW -i $INTERFACE -j ACCEPT

    fi

  done

fi

# Accept new connections from the loopback interface (localhost).

iptables -t filter -A INPUT -i lo -m state --state NEW -j ACCEPT

# Jump to the trusted chain if this packet establishes a NEW connection.

iptables -t filter -A INPUT -m state --state NEW -j TRUSTED

# Configure port forwarding.

for FORWARD in $PORT_FORWARDS; do

  PROTOCOL=`echo "$FORWARD" | cut -d: -f1`

  IN_PORTS=`echo "$FORWARD" | cut -d: -f2 | cut -d- -f1,2 --output-delimiter=":"`

  DEST=`echo "$FORWARD" | cut -d: -f3`

  PORTS=`echo "$FORWARD" | cut -d: -f4`

  if [ -z "$PORTS" ]; then

    PORTS="$IN_PORTS"

  fi

  DPORTS=`echo "$PORTS" | cut -d- -f1,2 --output-delimiter=":"`

  COUNT="0"

  while (( `echo "${INTERFACE_TAB[$(($COUNT + 1))]}" | grep -c "."` )); do

    COUNT=$((COUNT + 1))

    if (( `echo "$DYNAMIC_INTERFACES" | grep -c "${INTERFACE_TAB[$COUNT]}"` )); then

      iptables -t nat -A POSTROUTING -m mark --mark "$COUNT" -o ${INTERFACE_TAB[$COUNT]} -d $DEST \

          -p $PROTOCOL --dport $DPORTS -j MASQUERADE

    else

      iptables -t nat -A POSTROUTING -m mark --mark "$COUNT" -o ${INTERFACE_TAB[$COUNT]} -d $DEST \

          -p $PROTOCOL --dport $DPORTS -j SNAT --to-source ${ADDRESS_TAB[$COUNT]}

    fi

    iptables -t filter -A FORWARD -m mark --mark "$COUNT" -i ${INTERFACE_TAB[$COUNT]} -d $DEST \

        -m state --state NEW -p $PROTOCOL --dport $DPORTS -j TRUSTED

    for ADDRESS in $EXTERNAL_ADDRESSES $INTERNAL_NETWORKS; do

      ADDRESS=`echo $ADDRESS | cut -d/ -f1`

      if (( `echo "$DYNAMIC_INTERNAL_INTERFACES" | grep -c "$INTERFACE"` )) && [ "$PORT_FWD_ROUTED_NETWORKS" == "yes" ]; then

   iptables -t nat -A PREROUTING -d $ADDRESS -i ${INTERFACE_TAB[$COUNT]} \

       -p $PROTOCOL --dport $IN_PORTS -j DNAT --to-destination $DEST:$PORTS

   iptables -t mangle -A PREROUTING -d $ADDRESS -i ${INTERFACE_TAB[$COUNT]} \

       -p $PROTOCOL --dport $IN_PORTS -j MARK --set-mark "$COUNT"

   continue   # i.e. we are going to accept anything on this interface.

      fi

      for ITEM in $OPEN_PORTS $TRUSTED_PORTS; do

   if (( `echo "$ITEM:" | cut -d: -f2 | grep -c "."` )); then

     NET="-s `echo "$ITEM:" | cut -d: -f1`"

     ITEM=`echo "$ITEM:" | cut -d: -f2`

   else

     NET=""

   fi

   PORT=`echo "$ITEM/" | cut -d/ -f1`

   PORT=`echo "$PORT" | cut -d- -f1,2 --output-delimiter=":"`

   if [ "$PROTOCOL" == "`echo "$ITEM/" | cut -d/ -f2`" ] && [ "$PORT" == "$IN_PORTS" ]; then

     iptables -t nat -A PREROUTING $NET -d $ADDRESS -i ${INTERFACE_TAB[$COUNT]} \

         -p $PROTOCOL --dport $IN_PORTS -j DNAT --to-destination $DEST:$PORTS

     iptables -t mangle -A PREROUTING $NET -d $ADDRESS -i ${INTERFACE_TAB[$COUNT]} \

         -p $PROTOCOL --dport $IN_PORTS -j MARK --set-mark "$COUNT"

     if [ -z "$NET" ]; then

       continue 2   # i.e. This port forward is open to everyone.

     fi

   fi

      done

      for NETWORK in ${NETWORK_TAB[$COUNT]}; do

   iptables -t nat -A PREROUTING -d $ADDRESS -i ${INTERFACE_TAB[$COUNT]} -s $NETWORK \

        -p $PROTOCOL --dport $IN_PORTS -j DNAT --to-destination $DEST:$PORTS

   iptables -t mangle -A PREROUTING -d $ADDRESS -i ${INTERFACE_TAB[$COUNT]} -s $NETWORK \

       -p $PROTOCOL --dport $IN_PORTS -j MARK --set-mark "$COUNT"

      done

      for NETWORK in $TRUSTED_NETWORKS; do

   iptables -t nat -A PREROUTING -d $ADDRESS -i ${INTERFACE_TAB[$COUNT]} -s $NETWORK \

       -p $PROTOCOL --dport $IN_PORTS -j DNAT --to-destination $DEST:$PORTS

   iptables -t mangle -A PREROUTING -d $ADDRESS -i ${INTERFACE_TAB[$COUNT]} -s $NETWORK \

       -p $PROTOCOL --dport $IN_PORTS -j MARK --set-mark "$COUNT"

      done

    done

  done

done

# Configure NAT

if [ "$IS_ROUTER" == "yes" ]; then

  COUNT="0"

  for INTERFACE in $STATIC_NAT_INTERFACES; do

    COUNT=$((COUNT + 1))

    ADDRESS=`echo "$NAT_ADDRESSES" | cut -d\  -f$COUNT`

    if [ -n "$DYNAMIC_INTERNAL_INTERFACES" ]; then

      iptables -t nat -A POSTROUTING -o $INTERFACE -j SNAT --to-source $ADDRESS

    else

      for NETWORK in $INTERNAL_NETWORKS $ADDITIONAL_ROUTED_NETWORKS; do

   iptables -t nat -A POSTROUTING -s $NETWORK -o $INTERFACE -j SNAT --to-source $ADDRESS

      done

    fi

  done

  for INTERFACE in $DYNAMIC_NAT_INTERFACES; do

    if [ -n "$DYNAMIC_INTERNAL_INTERFACES" ]; then

      iptables -t nat -A POSTROUTING -o $INTERFACE -j MASQUERADE

    else

      for NETWORK in $INTERNAL_NETWORKS $ADDITIONAL_ROUTED_NETWORKS; do

   iptables -t nat -A POSTROUTING -s $NETWORK -o $INTERFACE -j MASQUERADE

      done

    fi

  done

fi

# Print exit message.

if [ -z "$EXTERNAL_ADDRESSES" ]; then

  echo "-> Successfully configured firewall."

else

  echo "-> Successfully secured the following addresses: `echo $EXTERNAL_ADDRESSES | sed s/\ /,\ /g`."

fi

if [ "$IS_ROUTER" == "yes" ]; then

  if [ -n "$DYNAMIC_EXTERNAL_INTERFACES" ]; then

    echo "-> Successfully secured the following external interfaces: `echo $DYNAMIC_EXTERNAL_INTERFACES | sed s/\ /,\ /g`."

  fi

  if [ -n "$INTERNAL_NETWORKS" ] || [ -n "$ADDITIONAL_ROUTED_NETWORKS" ]; then

    echo "-> Routing is enabled for the following networks: `echo $INTERNAL_NETWORKS $ADDITIONAL_ROUTED_NETWORKS | \

    sed s/\ /,\ /g`."

  fi

  if [ -n "$DYNAMIC_INTERNAL_INTERFACES" ]; then

    echo "-> Alert!  Routing is enabled for ALL connections through: `echo $DYNAMIC_INTERNAL_INTERFACES \

    | sed s/\ /,\ /g`."

  fi

fi

# Done!
```

But when I go to http://scan.sygatetech.com/ and perform a quick scan ICMP port is shown as open.  If I do a UDP scan, most ports are called closed but a few including NetBios are found to be open.  The question is, should I worry about this?  And if so how do I close my machine off to hackers.  I am running a single user machine connected via cable modem, hooked up to eth0.

EDIT (rac): put bodacious code listing into a code block

----------

## nitro322

I haven't read through your existing script (as it's REALLY long), but this should drop all ICMP and netbios packets:

```
iptables -A INPUT -i eth0 -s 0/0 -d 0/0 -p icmp -j DROP

iptables -A INPUT -i eth0 -s 0/0 -d 0/0 -p tcp --dport 137:139 -j DROP

iptables -A INPUT -i eth0 -s 0/0 -d 0/0 -p tcp --dport 137:139 -j DROP
```

----------

## pilla

nessus is a good tool to find vulnerabilities in your system. It scans your ports and generates reports about vulnerabilities and proposes some remedies, sometimes =)

----------

## Zu`

 *Bloody Bastard wrote:*   

> nessus is a good tool to find vulnerabilities in your system. It scans your ports and generates reports about vulnerabilities and proposes some remedies, sometimes =)

 

Is it easy to set up?

----------

## pilla

It's not very hard... you need  to:

1) setup a new user for nessus  -- "nessus-adduser"

2) run "nessud" as root

3) run "nessus" (the GUI) as normal user and then login in as the user you added in (1)

4)choose the options you want to scan

5)choose the hosts you want to scan (Target Selection)

6) Run!

(I hope I haven't forgotten something importat...)

 *Zu` wrote:*   

>  *Bloody Bastard wrote:*   nessus is a good tool to find vulnerabilities in your system. It scans your ports and generates reports about vulnerabilities and proposes some remedies, sometimes =) 
> 
> Is it easy to set up?

 

----------

## nitro322

 *Bloody Bastard wrote:*   

> 1) setup a new user for nessus  -- "nessus-adduser"
> 
> 2) run "nessud" as root
> 
> 3) run "nessus" (the GUI) as normal user and then login in as the user you added in (1)
> ...

 

You'll also probably have to run nessus-mkcert to create a certificate.  Also, you'll probably want to start it with 'nessusd -D' instead, so it gets forked to the background.

----------

## Zu`

 *Bloody Bastard wrote:*   

> It's not very hard... you need  to:
> 
> 1) setup a new user for nessus  -- "nessus-adduser"
> 
> 2) run "nessud" as root
> ...

 

Thanks, I'll try it out.

----------

## TuxFriend

 *rajendra82 wrote:*   

>  ICMP port is shown as open

 

change RFC_1122_COMPLIANT="yes" to RFC_1122_COMPLIANT="no"

TuxFriend

----------

## network

How exactly does not sending ICMP echo-requests and port-unreach packets back qualify as being more secure?  IMO these scanning website are giving new firewall users misleading information.  By default NO services are availalble to external machines, though yes, the firewall does send icmp-port-unreach packets (telling the connecting host that the port is not available...) as per internet standards.

I invite insightful responses.

Scott Bartlett

Projectfiles.com Linux Firewall Maintainer

----------

## mglauche

filtering icmp in gereral is a bad idea (but it seems popular along novice firewall users)

icmp is good for a various things from admin-usage (does that host work ?) to Congestion-Controll-Messages (ECN, Excpicit Congestion Notify, can be send by a router(!) to sender, much better behaviour during congestion !)

However .. limiting icmp messages is good  :Wink:  (also blocking unnormal large packets, etc) but does not help much if you are a end user ...  :Smile: 

----------

## TuxFriend

 *network wrote:*   

> How exactly does not sending ICMP echo-requests and port-unreach packets back qualify as being more secure? I invite insightful responses.

 

It's good to be able to use ping when you are the originator. I agree that letting ICMP trough the firewall isn't a huge security risk, however the best security is if unknown people don't know that your machine exist. The counterpart of security is functionality so I wonder what functionality do you want to provide to unknown people by letting them know that your machine exist? If you are not able to answer that question it's better to drop ICMP.

TuxFriend

----------

