# Home DSL Router (or: My Firewall Script)

## Spida

I have put together a (IMO) nice and secure firewall-script and want to share it for use and discussion.

The Script is designed to run on a router between internal network, wlan and external network (Internet).

It is quite heavy on logging and shows a bunch of scans and access to ports of some windows trojans - anything that may hint to your box getting unwanted attention.

/etc/init.d/procparam

```

#!/sbin/runscript

depend() {

 before *

}

start() {

 ebegin "Setting /proc options."

 /bin/echo "0" > /proc/sys/net/ipv4/icmp_echo_ignore_all

 /bin/echo "0" > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts

 /bin/echo "0" > /proc/sys/net/ipv4/conf/all/accept_source_route

 /bin/echo "0" > /proc/sys/net/ipv4/conf/all/accept_redirects

 /bin/echo "1" > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses

 for i in /proc/sys/net/ipv4/conf/*; do

   /bin/echo "1" > $i/rp_filter

 done

 /bin/echo "1" > /proc/sys/net/ipv4/conf/all/log_martians

 /bin/echo "0" > /proc/sys/net/ipv4/ip_forward

 eend 0

}

```

/etc/conf.d/iptables

```

FIREWALL="/etc/firewall.rules"

ENABLE_FORWARDING_IPv4="yes"

SAVE_RESTORE_OPTIONS="-c"

```

/etc/init.d/iptables

```

#!/sbin/runscript

# Distributed under the terms of the GNU General Public License, v2 or later

#

# Firewall Script based on 

#     Gentoo Security Guide

#         http://www.gentoo.org/doc/en/gentoo-security.xml

#     with many usefull hints from

#         http://www.linuxguruz.org/iptables/

#

# by Spida (at) gmx (dot) net

#

# Version History:

#    1.0 of 200306201700

#       Initial Version

#    1.1 of 200306202200

#       Fixed descriptions of possible options

#    1.2 of 200306292300

#       Added more (commented out) debugging possibilities

#

#IP=`/sbin/ifconfig $IF | grep inet | cut -d : -f 2 | cut -d \  -f 1`

#MASK=`/sbin/ifconfig $IF | grep Mas | cut -d : -f 4`

#NET=$IP/$MASK

IPTABLES="/sbin/iptables"

IPTABLESSAVE="/sbin/iptables-save"

IPTABLESRESTORE="/sbin/iptables-restore"

DEV_INT="eth0"

IP_INT="192.168.0.1"

IP_INT_NET="192.168.0.0/24"

IP_INT_BCAST="192.168.0.255"

DEV_WLAN="eth2"

IP_WLAN="192.168.2.1"

IP_WLAN_NET="192.168.2.0/24"

IP_WLAN_BCAST="192.168.2.255"

DEV_INT2="eth0"

IP_INT2="123.123.123.65";

IP_INT2_NET="123.123.123.64/24"

IP_INT2_BCAST="123.123.123.127"

DEV_EXT="ppp0"

IP_EXT="`ifconfig | grep P-t-P | cut -d ":" -f 2 | cut -d " " -f 1`"

IP_BCAST="255.255.255.255"

ANY="0.0.0.0/0"

DEV_LOOP="lo"

IP_LOOP="127.0.0.1"

opts="${opts} showstatus panic save restore showoptions rules"

depend() {

   need net procparam

   use logger 

}

rules() {

   ebegin "Setting internal rules"

   # default policies

   einfo "Setting default rule to drop"

   $IPTABLES -P FORWARD DROP

   $IPTABLES -P INPUT   DROP

   $IPTABLES -P OUTPUT  DROP

   # default rule

   einfo "Creating states chain"

   $IPTABLES -N allow-existingconnection

   $IPTABLES -F allow-existingconnection

   $IPTABLES -A allow-existingconnection -p ALL -s $ANY -d $ANY -m state --state ESTABLISHED,RELATED -j ACCEPT

   einfo "Creating fragments chain"

   $IPTABLES -N disallow-fragments

   $IPTABLES -F disallow-fragments

   $IPTABLES -A disallow-fragments -f -m limit --limit 6/minute -j LOG --log-level info --log-prefix "FIREWALL: Fragments: "

   $IPTABLES -A disallow-fragments -f -j DROP

   einfo "Creating invalid detection chain"

   $IPTABLES -N disallow-invalid

   $IPTABLES -F disallow-invalid

   $IPTABLES -A disallow-invalid -m state --state INVALID -m limit --limit 6/minute -j LOG --log-level info --log-prefix "FIREWALL: Invalid: "

   $IPTABLES -A disallow-invalid -m state --state INVALID -j DROP

   einfo "Creating spoofing detection chain"

   $IPTABLES -N disallow-spoofing

   $IPTABLES -F disallow-spoofing

   $IPTABLES -A disallow-spoofing -p ALL -s $ANY -d $IP_BCAST -m limit --limit 6/minute -j LOG --log-level info --log-prefix "FIREWALL: Ext. Broadcast: "

   $IPTABLES -A disallow-spoofing -p ALL -s $ANY -d $IP_BCAST -j DROP

   einfo "Creating portscan detection chain (based on flags)"

   $IPTABLES -N disallow-flagscan

   $IPTABLES -F disallow-flagscan

   $IPTABLES -A disallow-flagscan -p tcp --tcp-flags ALL FIN,URG,PSH          -m limit --limit 6/minute -j LOG --log-level alert --log-prefix "FIREWALL: NMAP-XMAS:"

   $IPTABLES -A disallow-flagscan -p tcp --tcp-flags ALL FIN,URG,PSH          -j DROP

   $IPTABLES -A disallow-flagscan -p tcp --tcp-flags ALL ALL               -m limit --limit 6/minute -j LOG --log-level 1 --log-prefix "FIREWALL: XMAS:"

   $IPTABLES -A disallow-flagscan -p tcp --tcp-flags ALL ALL                -j DROP

   $IPTABLES -A disallow-flagscan -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG   -m limit --limit 6/minute -j LOG --log-level 1 --log-prefix "FIREWALL: XMAS-PSH:"

   $IPTABLES -A disallow-flagscan -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG   -j DROP

   $IPTABLES -A disallow-flagscan -p tcp --tcp-flags ALL NONE               -m limit --limit 6/minute -j LOG --log-level 1 --log-prefix "FIREWALL: NULL_SCAN:"

   $IPTABLES -A disallow-flagscan -p tcp --tcp-flags ALL NONE               -j DROP

   $IPTABLES -A disallow-flagscan -p tcp --tcp-flags SYN,RST SYN,RST         -m limit --limit 6/minute -j LOG --log-level 5 --log-prefix "FIREWALL: SYN/RST:"

   $IPTABLES -A disallow-flagscan -p tcp --tcp-flags SYN,RST SYN,RST         -j DROP

   $IPTABLES -A disallow-flagscan -p tcp --tcp-flags SYN,FIN SYN,FIN         -m limit --limit 6/minute -j LOG --log-level 5 --log-prefix "FIREWALL: SYN/FIN:"

   $IPTABLES -A disallow-flagscan -p tcp --tcp-flags SYN,FIN SYN,FIN         -j DROP

   einfo "Creating portscan detection chain (based on ports)"

   $IPTABLES -N disallow-portscan

   $IPTABLES -F disallow-portscan

   $IPTABLES -A disallow-portscan -p tcp --dport 7             -m limit --limit 6/minute -j LOG --log-level info --log-prefix "FIREWALL: echo test: "

   $IPTABLES -A disallow-portscan -p tcp --dport 7             -j DROP

   $IPTABLES -A disallow-portscan -p udp --dport 7             -m limit --limit 6/minute -j LOG --log-level info --log-prefix "FIREWALL: echo test: "

   $IPTABLES -A disallow-portscan -p udp --dport 7             -j DROP

   $IPTABLES -A disallow-portscan -p tcp --dport 11            -m limit --limit 6/minute -j LOG --log-level info --log-prefix "FIREWALL: sysstat test: "

   $IPTABLES -A disallow-portscan -p tcp --dport 11            -j DROP

   $IPTABLES -A disallow-portscan -p tcp --dport 15            -m limit --limit 6/minute -j LOG --log-level info --log-prefix "FIREWALL: netstat test: "

   $IPTABLES -A disallow-portscan -p tcp --dport 15            -j DROP

   $IPTABLES -A disallow-portscan -p tcp --dport 19            -m limit --limit 6/minute -j LOG --log-level info --log-prefix "FIREWALL: chargen test: "

   $IPTABLES -A disallow-portscan -p tcp --dport 19            -j DROP

   $IPTABLES -A disallow-portscan -p udp --dport 19            -m limit --limit 6/minute -j LOG --log-level info --log-prefix "FIREWALL: chargen test: "

   $IPTABLES -A disallow-portscan -p udp --dport 19            -j DROP

   $IPTABLES -A disallow-portscan -p tcp --dport 23            -m limit --limit 6/minute -j LOG --log-level info --log-prefix "FIREWALL: telnet test: "

   $IPTABLES -A disallow-portscan -p tcp --dport 23            -j DROP

   $IPTABLES -A disallow-portscan -p tcp --dport 69            -m limit --limit 6/minute -j LOG --log-level info --log-prefix "FIREWALL: tftpd test: "

   $IPTABLES -A disallow-portscan -p tcp --dport 69            -j DROP

   $IPTABLES -A disallow-portscan -p tcp --dport 79            -m limit --limit 6/minute -j LOG --log-level info --log-prefix "FIREWALL: finger test: "

   $IPTABLES -A disallow-portscan -p tcp --dport 79            -j DROP

   $IPTABLES -A disallow-portscan -p tcp --dport 87            -m limit --limit 6/minute -j LOG --log-level info --log-prefix "FIREWALL: link test: "

   $IPTABLES -A disallow-portscan -p tcp --dport 87            -j DROP

   $IPTABLES -A disallow-portscan -p tcp --dport 98            -m limit --limit 6/minute -j LOG --log-level info --log-prefix "FIREWALL: linuxconf test: "

   $IPTABLES -A disallow-portscan -p tcp --dport 98            -j DROP

   $IPTABLES -A disallow-portscan -p tcp --dport 111           -m limit --limit 6/minute -j LOG --log-level info --log-prefix "FIREWALL: sun-rpc test: "

   $IPTABLES -A disallow-portscan -p tcp --dport 111           -j DROP

   $IPTABLES -A disallow-portscan -p tcp --dport 520           -m limit --limit 6/minute -j LOG --log-level info --log-prefix "FIREWALL: route test: "

   $IPTABLES -A disallow-portscan -p tcp --dport 520           -j DROP

   $IPTABLES -A disallow-portscan -p tcp --dport 540           -m limit --limit 6/minute -j LOG --log-level info --log-prefix "FIREWALL: uucp test: "

   $IPTABLES -A disallow-portscan -p tcp --dport 540           -j DROP

   $IPTABLES -A disallow-portscan -p tcp --dport 1080          -m limit --limit 6/minute -j LOG --log-level info --log-prefix "FIREWALL: socks test: "

   $IPTABLES -A disallow-portscan -p tcp --dport 1080          -j DROP

   $IPTABLES -A disallow-portscan -p tcp --dport 1114          -m limit --limit 6/minute -j LOG --log-level info --log-prefix "FIREWALL: sql test: "

   $IPTABLES -A disallow-portscan -p tcp --dport 1114          -j DROP

   $IPTABLES -A disallow-portscan -p tcp --dport 2000          -m limit --limit 6/minute -j LOG --log-level info --log-prefix "FIREWALL: openwin test: "

   $IPTABLES -A disallow-portscan -p tcp --dport 2000          -j DROP

   $IPTABLES -A disallow-portscan -p tcp --dport 10000         -m limit --limit 6/minute -j LOG --log-level info --log-prefix "FIREWALL: webmin test: "

   $IPTABLES -A disallow-portscan -p tcp --dport 10000         -j DROP

   $IPTABLES -A disallow-portscan -p tcp --dport 6000:6063     -m limit --limit 6/minute -j LOG --log-level info --log-prefix "FIREWALL: X-Windows test: "

   $IPTABLES -A disallow-portscan -p tcp --dport 6000:6063     -j DROP

   $IPTABLES -A disallow-portscan -p udp --dport 33434:33523   -m limit --limit 6/minute -j LOG --log-level info --log-prefix "FIREWALL: Traceroute: "

   $IPTABLES -A disallow-portscan -p udp --dport 33434:33523   -j DROP

   einfo "Creating trojan scan  detection chain"

   $IPTABLES -N disallow-trojanscan

   $IPTABLES -F disallow-trojanscan

   $IPTABLES -A disallow-trojanscan -p tcp --dport 6670          -m limit --limit 6/minute -j LOG --log-level info --log-prefix "FIREWALL: Deepthroat scan: "

   $IPTABLES -A disallow-trojanscan -p tcp --dport 6670          -j DROP

   $IPTABLES -A disallow-trojanscan -p tcp --dport 1243          -m limit --limit 6/minute -j LOG --log-level info --log-prefix "FIREWALL: Subseven scan: "

   $IPTABLES -A disallow-trojanscan -p tcp --dport 1243          -j DROP

   $IPTABLES -A disallow-trojanscan -p udp --dport 1243          -m limit --limit 6/minute -j LOG --log-level info --log-prefix "FIREWALL: Subseven scan: "

   $IPTABLES -A disallow-trojanscan -p udp --dport 1243          -j DROP

   $IPTABLES -A disallow-trojanscan -p tcp --dport 6711:6713     -m limit --limit 6/minute -j LOG --log-level info --log-prefix "FIREWALL: Subseven scan: "

   $IPTABLES -A disallow-trojanscan -p tcp --dport 6711:6713     -j DROP

   $IPTABLES -A disallow-trojanscan -p udp --dport 6711:6713     -m limit --limit 6/minute -j LOG --log-level info --log-prefix "FIREWALL: Subseven scan: "

   $IPTABLES -A disallow-trojanscan -p udp --dport 6711:6713     -j DROP

   $IPTABLES -A disallow-trojanscan -p tcp --dport 27374         -m limit --limit 6/minute -j LOG --log-level info --log-prefix "FIREWALL: Subseven scan: "

   $IPTABLES -A disallow-trojanscan -p tcp --dport 27374         -j DROP

   $IPTABLES -A disallow-trojanscan -p udp --dport 27374         -m limit --limit 6/minute -j LOG --log-level info --log-prefix "FIREWALL: Subseven scan: "

   $IPTABLES -A disallow-trojanscan -p udp --dport 27374         -j DROP

   $IPTABLES -A disallow-trojanscan -p tcp --dport 12345:12346   -m limit --limit 6/minute -j LOG --log-level info --log-prefix "FIREWALL: Netbus scan: "

   $IPTABLES -A disallow-trojanscan -p tcp --dport 12345:12346   -j DROP

   $IPTABLES -A disallow-trojanscan -p tcp --dport 20034         -m limit --limit 6/minute -j LOG --log-level info --log-prefix "FIREWALL: Netbus scan: "

   $IPTABLES -A disallow-trojanscan -p tcp --dport 20034         -j DROP

   $IPTABLES -A disallow-trojanscan -p tcp --dport 31337:31338   -m limit --limit 6/minute -j LOG --log-level info --log-prefix "FIREWALL: BackOrifice scan: "

   $IPTABLES -A disallow-trojanscan -p tcp --dport 31337:31338   -j DROP

   $IPTABLES -A disallow-trojanscan -p udp --dport 28431         -m limit --limit 6/minute -j LOG --log-level info --log-prefix "FIREWALL: HackAtak2000 scan: "

   $IPTABLES -A disallow-trojanscan -p udp --dport 28431         -j DROP

   einfo "Creating icmp chains"

   $IPTABLES -N disallow-someicmp

   $IPTABLES -F disallow-someicmp

   $IPTABLES -A disallow-someicmp -p icmp -j LOG --log-prefix "FIREWALL: Bad ICMP traffic:"

   $IPTABLES -A disallow-someicmp -p icmp -j DROP

   $IPTABLES -N allow-someicmp

   $IPTABLES -F allow-someicmp

   $IPTABLES -A allow-someicmp -m state --state NEW -p icmp --icmp-type time-exceeded -j ACCEPT

   $IPTABLES -A allow-someicmp -m state --state NEW -p icmp --icmp-type destination-unreachable -j ACCEPT

   $IPTABLES -A allow-someicmp -m state --state NEW -p icmp --icmp-type source-quench -j disallow-someicmp

   $IPTABLES -A allow-someicmp -m state --state NEW -p icmp --icmp-type redirect -j disallow-someicmp

   $IPTABLES -A allow-someicmp -m state --state NEW -p icmp --icmp-type router-advertisement -j disallow-someicmp

   $IPTABLES -A allow-someicmp -m state --state NEW -p icmp --icmp-type router-solicitation -j disallow-someicmp

   $IPTABLES -A allow-someicmp -m state --state NEW -p icmp --icmp-type parameter-problem -j disallow-someicmp

   $IPTABLES -A allow-someicmp -m state --state NEW -p icmp --icmp-type timestamp-request -j disallow-someicmp

   $IPTABLES -A allow-someicmp -m state --state NEW -p icmp --icmp-type timestamp-reply -j disallow-someicmp

   $IPTABLES -A allow-someicmp -m state --state NEW -p icmp --icmp-type address-mask-request -j disallow-someicmp

   $IPTABLES -A allow-someicmp -m state --state NEW -p icmp --icmp-type address-mask-reply -j disallow-someicmp

   einfo "Creating ping chain"

   $IPTABLES -N allow-ping

   $IPTABLES -F allow-ping

   $IPTABLES -A allow-ping -m state --state NEW -p icmp --icmp-type echo-request -j ACCEPT

   einfo "Creating ftp chain"

   $IPTABLES -N allow-ftp

   $IPTABLES -F allow-ftp

   $IPTABLES -A allow-ftp -p tcp --dport 20 -j ACCEPT

   $IPTABLES -A allow-ftp -p tcp --dport 21 -j ACCEPT

   einfo "Creating ssh chain"

   $IPTABLES -N allow-ssh

   $IPTABLES -F allow-ssh

   # Flood protection

   $IPTABLES -A allow-ssh -m limit --limit 1/second -p tcp --tcp-flags ALL RST --dport 22 -j ACCEPT

   $IPTABLES -A allow-ssh -m limit --limit 1/second -p tcp --tcp-flags ALL FIN --dport 22 -j ACCEPT

   $IPTABLES -A allow-ssh -m limit --limit 1/second -p tcp --tcp-flags ALL SYN --dport 22 -j ACCEPT

   $IPTABLES -A allow-ssh -p tcp --dport 22 -j ACCEPT

   einfo "Creating smtp chain"

   $IPTABLES -N allow-smtp

   $IPTABLES -F allow-smtp

   $IPTABLES -A allow-smtp -p tcp --dport 25 -j ACCEPT

   einfo "Creating dns chain"

   $IPTABLES -N allow-dns

   $IPTABLES -F allow-dns

   $IPTABLES -A allow-dns -p tcp --dport 53 -j ACCEPT

   $IPTABLES -A allow-dns -p udp --dport 53 -j ACCEPT

   einfo "Creating dhcp chain"

   $IPTABLES -N allow-dhcp

   $IPTABLES -F allow-dhcp

   $IPTABLES -A allow-dhcp -p udp --dport 67 -j ACCEPT

   $IPTABLES -A allow-dhcp -p udp --dport 68 -j ACCEPT

   einfo "Creating http/https chain"

   $IPTABLES -N allow-www

   $IPTABLES -F allow-www

   $IPTABLES -A allow-www -p tcp --dport 80 -j ACCEPT

   $IPTABLES -A allow-www -p tcp --dport 443 -j ACCEPT

   $IPTABLES -A allow-www -p tcp --dport 8080 -j ACCEPT

   einfo "Creating pop3 chain"

   $IPTABLES -N allow-pop3

   $IPTABLES -F allow-pop3

   $IPTABLES -A allow-pop3 -p tcp --dport 110 -j ACCEPT

   einfo "Creating ident chain"

   $IPTABLES -N allow-ident

   $IPTABLES -F allow-ident

   $IPTABLES -A allow-ident -p tcp --dport 113 -j ACCEPT

   einfo "Creating ident chain"

   $IPTABLES -N disallow-ident

   $IPTABLES -F disallow-ident

   $IPTABLES -A disallow-ident -p tcp --dport 113 -j REJECT

   einfo "Creating news chain"

   $IPTABLES -N allow-news

   $IPTABLES -F allow-news

   $IPTABLES -A allow-news -p tcp --dport 119 -j ACCEPT

   einfo "Creating ntp chain"

   $IPTABLES -N allow-ntp

   $IPTABLES -F allow-ntp

   $IPTABLES -A allow-ntp -p udp --dport 123 -j ACCEPT

   einfo "Creating smb chain"

   $IPTABLES -N allow-smb

   $IPTABLES -F allow-smb

   $IPTABLES -A allow-smb -p tcp --dport 137 -j ACCEPT

   $IPTABLES -A allow-smb -p tcp --dport 138 -j ACCEPT

   $IPTABLES -A allow-smb -p tcp --dport 139 -j ACCEPT

   einfo "Creating imap chain"

   $IPTABLES -N allow-imap

   $IPTABLES -F allow-imap

   $IPTABLES -A allow-imap -p tcp --dport 143 -j ACCEPT

   $IPTABLES -A allow-imap -p tcp --dport 993 -j ACCEPT

   einfo "Creating ldap chain"

   $IPTABLES -N allow-ldap

   $IPTABLES -F allow-ldap

   $IPTABLES -A allow-ldap -p tcp --dport 389 -j ACCEPT

   einfo "Creating rsync chain"

   $IPTABLES -N allow-rsync

   $IPTABLES -F allow-rsync

   $IPTABLES -A allow-rsync -p tcp --dport 873 -j ACCEPT

   einfo "Creating cvs chain"

   $IPTABLES -N allow-cvs

   $IPTABLES -F allow-cvs

   $IPTABLES -A allow-cvs -p tcp --dport 2401 -j ACCEPT

   einfo "Creating icq chain"

   $IPTABLES -N allow-icq

   $IPTABLES -F allow-icq

   $IPTABLES -A allow-icq -p tcp --dport 5190 -j ACCEPT

   einfo "Creating irc chain"

   $IPTABLES -N allow-irc

   $IPTABLES -F allow-irc

   $IPTABLES -A allow-irc -p tcp --dport 6660:6670 -j ACCEPT

   einfo "Creating teamspeak chain"

   $IPTABLES -N allow-teamspeak

   $IPTABLES -F allow-teamspeak

   $IPTABLES -A allow-teamspeak -p udp --dport 8767 -j ACCEPT

   einfo "Creating cddb chain"

   $IPTABLES -N allow-cddb

   $IPTABLES -F allow-cddb

   $IPTABLES -A allow-cddb -p tcp --dport 8880 -j ACCEPT

   einfo "Creating pgp chain"

   $IPTABLES -N allow-pgp

   $IPTABLES -F allow-pgp

   $IPTABLES -A allow-pgp -p tcp --dport 11371 -j ACCEPT

   einfo "Creating squid chain"

   $IPTABLES -N allow-squid

   $IPTABLES -F allow-squid

   $IPTABLES -A allow-squid -p tcp --dport 3128 -j ACCEPT

   einfo "Applying general protection to input"

   $IPTABLES -A INPUT -j disallow-fragments

   $IPTABLES -A INPUT -j disallow-invalid

   $IPTABLES -A INPUT -j disallow-flagscan

   $IPTABLES -A INPUT -j disallow-portscan

   $IPTABLES -A INPUT -j disallow-trojanscan

   $IPTABLES -A INPUT -j allow-existingconnection

   $IPTABLES -A INPUT -j allow-someicmp

   einfo "Applying general protection to forward"

   $IPTABLES -A FORWARD -j disallow-fragments

   $IPTABLES -A FORWARD -j disallow-invalid

   $IPTABLES -A FORWARD -j disallow-flagscan

   $IPTABLES -A FORWARD -j disallow-portscan

   $IPTABLES -A FORWARD -j disallow-trojanscan

   $IPTABLES -A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu

   $IPTABLES -A FORWARD -j allow-existingconnection

   $IPTABLES -A FORWARD -j allow-someicmp

   einfo "Applying general protection to output"

   $IPTABLES -A OUTPUT -j disallow-fragments

   $IPTABLES -A OUTPUT -j disallow-invalid

   $IPTABLES -A OUTPUT -j disallow-flagscan

   $IPTABLES -A OUTPUT -j disallow-portscan

   $IPTABLES -A OUTPUT -j disallow-trojanscan

   $IPTABLES -A OUTPUT -j allow-existingconnection

   $IPTABLES -A OUTPUT -j allow-someicmp

   einfo "Creating directional chains"

   $IPTABLES -N external-to-fw

   $IPTABLES -F external-to-fw

   $IPTABLES -A INPUT   -i $DEV_EXT               -j external-to-fw

   $IPTABLES -N fw-to-external

   $IPTABLES -F fw-to-external

   $IPTABLES -A OUTPUT  -o $DEV_EXT               -j fw-to-external

   $IPTABLES -N internal-to-external

   $IPTABLES -F internal-to-external

   $IPTABLES -A FORWARD -i $DEV_INT  -o $DEV_EXT  -j internal-to-external

   $IPTABLES -A FORWARD -i $DEV_INT2 -o $DEV_EXT  -j internal-to-external

   $IPTABLES -N external-to-internal

   $IPTABLES -F external-to-internal

   $IPTABLES -A FORWARD -i $DEV_EXT  -o $DEV_INT  -j external-to-internal

   $IPTABLES -A FORWARD -i $DEV_EXT  -o $DEV_INT2 -j external-to-internal

   $IPTABLES -N internal-to-fw

   $IPTABLES -F internal-to-fw

   $IPTABLES -A INPUT   -i $DEV_INT               -j internal-to-fw

   $IPTABLES -A INPUT   -i $DEV_INT2              -j internal-to-fw

   $IPTABLES -N fw-to-internal

   $IPTABLES -F fw-to-internal

   $IPTABLES -A OUTPUT  -o $DEV_INT               -j fw-to-internal

   $IPTABLES -A OUTPUT  -o $DEV_INT2              -j fw-to-internal

   $IPTABLES -N external-to-wlan

   $IPTABLES -F external-to-wlan

   $IPTABLES -A FORWARD -i $DEV_EXT  -o $DEV_WLAN -j external-to-wlan

   $IPTABLES -N wlan-to-external

   $IPTABLES -F wlan-to-external

   $IPTABLES -A FORWARD -i $DEV_WLAN -o $DEV_EXT  -j wlan-to-external

   $IPTABLES -N wlan-to-fw

   $IPTABLES -F wlan-to-fw

   $IPTABLES -A INPUT   -i $DEV_WLAN              -j wlan-to-fw

   $IPTABLES -N fw-to-wlan

   $IPTABLES -F fw-to-wlan

   $IPTABLES -A OUTPUT  -o $DEV_WLAN              -j fw-to-wlan

   $IPTABLES -N internal-to-wlan

   $IPTABLES -F internal-to-wlan

   $IPTABLES -A FORWARD -i $DEV_INT  -o $DEV_WLAN -j internal-to-wlan

   $IPTABLES -A FORWARD -i $DEV_INT2 -o $DEV_WLAN -j internal-to-wlan

   $IPTABLES -N wlan-to-internal

   $IPTABLES -F wlan-to-internal

   $IPTABLES -A FORWARD -i $DEV_WLAN -o $DEV_INT  -j wlan-to-internal

   $IPTABLES -A FORWARD -i $DEV_WLAN -o $DEV_INT2 -j wlan-to-internal

   # server on eth0:0

   $IPTABLES -A FORWARD -i $DEV_INT -o $DEV_INT2 -j ACCEPT

   

   # loopback

   $IPTABLES -A INPUT                   -i lo                     -j ACCEPT

   $IPTABLES -A OUTPUT                  -o lo                     -j ACCEPT

   

#   Use that for heavy debugging. Every dropped packet will be logged

#   $IPTABLES -A FORWARD -j LOG --log-level info --log-prefix "FIREWALL: FORWARD: "

#   $IPTABLES -A INPUT   -j LOG --log-level info --log-prefix "FIREWALL: INPUT: "

#   $IPTABLES -A OUTPUT  -j LOG --log-level info --log-prefix "FIREWALL: OUTPUT: "

   einfo "Applying rules to external-to-fw chain"

   $IPTABLES -A external-to-fw -j disallow-spoofing

   $IPTABLES -A external-to-fw -j disallow-ident

   $IPTABLES -A external-to-fw -j allow-teamspeak

#   Use that for heavy debugging. Every dropped packet will be logged

#   $IPTABLES -A external-to-fw -j LOG --log-level info --log-prefix "FIREWALL: ext-to-fw: "

   einfo "Applying rules to internal-to-external chain"

   $IPTABLES -A internal-to-external -j allow-ping

   $IPTABLES -A internal-to-external -j allow-ftp

   $IPTABLES -A internal-to-external -j allow-ssh

   $IPTABLES -A internal-to-external -j allow-smtp

   $IPTABLES -A internal-to-external -j allow-dns

   $IPTABLES -A internal-to-external -j allow-www

   $IPTABLES -A internal-to-external -j allow-pop3

   $IPTABLES -A internal-to-external -j allow-news

   $IPTABLES -A internal-to-external -j allow-ntp

   $IPTABLES -A internal-to-external -j allow-imap

   $IPTABLES -A internal-to-external -j allow-ldap

   $IPTABLES -A internal-to-external -j allow-rsync

   $IPTABLES -A internal-to-external -j allow-cvs

   $IPTABLES -A internal-to-external -j allow-squid

   $IPTABLES -A internal-to-external -j allow-icq

   $IPTABLES -A internal-to-external -j allow-irc

   $IPTABLES -A internal-to-external -j allow-cddb

   $IPTABLES -A internal-to-external -j allow-teamspeak

   $IPTABLES -A internal-to-external -j allow-pgp

#   Use that for heavy debugging. Every dropped packet will be logged

#   $IPTABLES -A internal-to-external -j LOG --log-level info --log-prefix "FIREWALL: int-to-ext: "

   einfo "Applying rules to wlan-to-external chain"

   $IPTABLES -A wlan-to-external -j allow-ping

   $IPTABLES -A wlan-to-external -j allow-ftp

   $IPTABLES -A wlan-to-external -j allow-ssh

   $IPTABLES -A wlan-to-external -j allow-smtp

   $IPTABLES -A wlan-to-external -j allow-dns

   $IPTABLES -A wlan-to-external -j allow-www

   $IPTABLES -A wlan-to-external -j allow-pop3

   $IPTABLES -A wlan-to-external -j allow-news

   $IPTABLES -A wlan-to-external -j allow-ntp

   $IPTABLES -A wlan-to-external -j allow-imap

   $IPTABLES -A wlan-to-external -j allow-ldap

   $IPTABLES -A wlan-to-external -j allow-rsync

   $IPTABLES -A wlan-to-external -j allow-cvs

   $IPTABLES -A wlan-to-external -j allow-squid

   $IPTABLES -A wlan-to-external -j allow-icq

   $IPTABLES -A wlan-to-external -j allow-irc

   $IPTABLES -A wlan-to-external -j allow-cddb

   $IPTABLES -A wlan-to-external -j allow-teamspeak

   $IPTABLES -A wlan-to-external -j allow-pgp

#   Use that for heavy debugging. Every dropped packet will be logged

#   $IPTABLES -A wlan-to-external -j LOG --log-level info --log-prefix "FIREWALL: wlan-to-ext: "

   einfo "Applying rules to internal-to-wlan chain"

   $IPTABLES -A internal-to-wlan -j allow-ping

   $IPTABLES -A internal-to-wlan -j allow-ftp

   $IPTABLES -A internal-to-wlan -j allow-ssh

   $IPTABLES -A internal-to-wlan -j allow-www

   $IPTABLES -A internal-to-wlan -j allow-rsync

   $IPTABLES -A internal-to-wlan -j allow-cvs

   $IPTABLES -A internal-to-wlan -j allow-teamspeak

#   Use that for heavy debugging. Every dropped packet will be logged

#   $IPTABLES -A internal-to-wlan -j LOG --log-level info --log-prefix "FIREWALL: int-to-wlan: "

   einfo "Applying rules to wlan-to-internal chain"

   $IPTABLES -A wlan-to-internal -j allow-ping

   $IPTABLES -A wlan-to-internal -j allow-ssh

#   Use that for heavy debugging. Every dropped packet will be logged

#   $IPTABLES -A wlan-to-internal -j LOG --log-level info --log-prefix "FIREWALL: wlan-to-int: "

   

   einfo "Applying rules to internal-to-fw chain"

   $IPTABLES -A internal-to-fw -j allow-ping

   $IPTABLES -A internal-to-fw -j allow-ssh

   $IPTABLES -A internal-to-fw -j allow-smtp

   $IPTABLES -A internal-to-fw -j allow-dns

   $IPTABLES -A internal-to-fw -j allow-dhcp

   $IPTABLES -A internal-to-fw -j allow-pop3

   $IPTABLES -A internal-to-fw -j allow-imap

   $IPTABLES -A internal-to-fw -j allow-squid

   $IPTABLES -A internal-to-fw -j allow-teamspeak

#   Use that for heavy debugging. Every dropped packet will be logged

#   $IPTABLES -A internal-to-fw -j LOG --log-level info --log-prefix "FIREWALL: int-to-fw: "

   einfo "Applying rules to wlan-to-fw chain"

   $IPTABLES -A wlan-to-fw -j allow-ping

   $IPTABLES -A wlan-to-fw -j allow-ssh

   $IPTABLES -A wlan-to-fw -j allow-dns

   $IPTABLES -A wlan-to-fw -j allow-dhcp

   $IPTABLES -A wlan-to-fw -j allow-squid

   $IPTABLES -A wlan-to-fw -j allow-teamspeak

#   Use that for heavy debugging. Every dropped packet will be logged

#   $IPTABLES -A wlan-to-fw -j LOG --log-level info --log-prefix "FIREWALL: wlan-to-fw: "

   einfo "Applying rules to fw-to-external chain"

   $IPTABLES -A fw-to-external -j allow-ping

   $IPTABLES -A fw-to-external -j allow-ftp

   $IPTABLES -A fw-to-external -j allow-ssh

   $IPTABLES -A fw-to-external -j allow-dns

   $IPTABLES -A fw-to-external -j allow-www

   $IPTABLES -A fw-to-external -j allow-ntp

   $IPTABLES -A fw-to-external -j allow-rsync

   $IPTABLES -A fw-to-external -j allow-cvs

#   Use that for heavy debugging. Every dropped packet will be logged

#   $IPTABLES -A fw-to-external -j LOG --log-level info --log-prefix "FIREWALL: fw-to-ext: "

   einfo "Applying rules to fw-to-internal chain"

   $IPTABLES -A fw-to-internal -j allow-ping

   $IPTABLES -A fw-to-internal -j allow-ftp

   $IPTABLES -A fw-to-internal -j allow-ssh

   $IPTABLES -A fw-to-internal -j allow-smtp

   $IPTABLES -A fw-to-internal -j allow-www

   $IPTABLES -A fw-to-internal -j allow-pop3

   $IPTABLES -A fw-to-internal -j allow-imap

   $IPTABLES -A fw-to-internal -j allow-smb

#   Use that for heavy debugging. Every dropped packet will be logged

#   $IPTABLES -A fw-to-internal -j LOG --log-level info --log-prefix "FIREWALL: fw-to-int: "

   einfo "Applying rules to fw-to-wlan chain"

   $IPTABLES -A fw-to-wlan -j allow-ping

   $IPTABLES -A fw-to-wlan -j allow-ftp

   $IPTABLES -A fw-to-wlan -j allow-ssh

   $IPTABLES -A fw-to-wlan -j allow-www

   $IPTABLES -A fw-to-wlan -j allow-smb

#   Use that for heavy debugging. Every dropped packet will be logged

#   $IPTABLES -A fw-to-wlan -j LOG --log-level info --log-prefix "FIREWALL: fw-to-wlan: "

   

   einfo "Applying rules to external-to-internal chain"

#   Use that for heavy debugging. Every dropped packet will be logged

#   $IPTABLES -A external-to-internal -j LOG --log-level info --log-prefix "FIREWALL: ext-to-int: "

   $IPTABLES -A external-to-internal -j DROP

   einfo "Applying rules to external-to-wlan chain"

#   Use that for heavy debugging. Every dropped packet will be logged

#   $IPTABLES -A external-to-wlan -j LOG --log-level info --log-prefix "FIREWALL: ext-to-wlan: "

   $IPTABLES -A external-to-wlan -j DROP

   einfo "Masquerading external Connections"

   $IPTABLES -t nat -A POSTROUTING -o $DEV_EXT -j MASQUERADE

   eend $?

}

start() {

   stop

   ebegin "Starting firewall"

#   if [ -e "${FIREWALL}" ]; then

#      einfo "Restoring iptables ruleset"

#      restore

#   else

#      einfo "${FIREWALL} does not exists. Using default rules."

      rules

#   fi

   if [ "${ENABLE_FORWARDING_IPv4}" = "yes" ] ; then

      einfo "Enabling forwarding for ipv4"

      echo "1" > /proc/sys/net/ipv4/conf/all/forwarding

   fi

   eend $?

}

stop() {

   ebegin "Stopping firewall"

      # set sane defaults that disable forwarding

      if [ -f /proc/sys/net/ipv4/conf/all/forwarding ] ; then

         echo "0" > /proc/sys/net/ipv4/conf/all/forwarding

      fi

      for a in `cat /proc/net/ip_tables_names`; do

         $IPTABLES -F -t $a

         $IPTABLES -X -t $a

  

         if [ $a == nat ]; then

            $IPTABLES -t nat -P PREROUTING ACCEPT

            $IPTABLES -t nat -P POSTROUTING ACCEPT

            $IPTABLES -t nat -P OUTPUT ACCEPT

         elif [ $a == mangle ]; then

            $IPTABLES -t mangle -P PREROUTING ACCEPT

            $IPTABLES -t mangle -P INPUT ACCEPT

            $IPTABLES -t mangle -P FORWARD ACCEPT

            $IPTABLES -t mangle -P OUTPUT ACCEPT

            $IPTABLES -t mangle -P POSTROUTING ACCEPT

         elif [ $a == filter ]; then

            $IPTABLES -t filter -P INPUT ACCEPT

            $IPTABLES -t filter -P FORWARD ACCEPT 

            $IPTABLES -t filter -P OUTPUT ACCEPT

         fi

      done

      # Flush Built-in Rules

      $IPTABLES -F INPUT

      $IPTABLES -F OUTPUT

      $IPTABLES -F FORWARD

      # Attempt to Flush All Rules in Filter Table

      $IPTABLES -F

   eend $?

}

showstatus() {

   ebegin "Status"

   $IPTABLES -L -n -v --line-numbers

   einfo "NAT status"

   $IPTABLES -L -n -v --line-numbers -t nat

   eend $?

}

panic() {

   ebegin "Setting panic rules"

   $IPTABLES -F

   $IPTABLES -X

   $IPTABLES -t nat -F

   $IPTABLES -P FORWARD DROP

   $IPTABLES -P INPUT   DROP

   $IPTABLES -P OUTPUT  DROP

   $IPTABLES -A INPUT -i lo -j ACCEPT

   $IPTABLES -A OUTPUT -o lo -j ACCEPT

   eend $?

}

save() {

   ebegin "Saving iptables state"

   $IPTABLESSAVE $SAVE_RESTORE_OPTIONS > $FIREWALL

   eend $?

}

restore() {

   ebegin "Restoring Firewall rules"

   $IPTABLESRESTORE < $FIREWALL

   eend $?

}

restart() {

   svc_stop; svc_start

}

showoptions() {

   echo "Usage: $0 {start|save|restore|panic|stop|restart|showstatus}"

   echo "start)      will restore setting if exists else force rules"

   echo "stop)       delete all rules and set all to accept"

   echo "rules)      force settings of new rules"

   echo "save)       will store settings in ${FIREWALL}"

   echo "restore)    will restore settings from ${FIREWALL}"

   echo "showstatus) Shows the status"

}

```

Last edited by Spida on Mon Jun 30, 2003 9:14 pm; edited 2 times in total

----------

## uzik

As one poster here said "There's a lot of background radiation".

You'll get a lot of logs from this.

It seems fairly complete to me.

I would personally tighten it up by only allowing SSH from sources

where YOU might be. Don't allow it from any source. The same

for other services.

----------

## Spida

The homepage of this script is now at the Gentoo-Server-Project-Wiki

----------

## Diggs

I'm sorry, I don't have wlan but only:

internet -- eth0 -- box gentoo -- eth1 -- lan

Box is connected to internet via adsl [ppp+].

I changed the original /etc/init.d/iptables in:

```

#!/sbin/runscript

# Distributed under the terms of the GNU General Public License, v2 or later

#

# Firewall Script based on 

#     Gentoo Security Guide

#         http://www.gentoo.org/doc/en/gentoo-security.xml

#     with many usefull hints from

#         http://www.linuxguruz.org/iptables/

#

# by Spida (at) gmx (dot) net

#

# Version History:

#    1.0 of 200306201700

#       Initial Version

#    1.1 of 200306202200

#       Fixed descriptions of possible options

#    1.2 of 200306292300

#       Added more (commented out) debugging possibilities

#    1.3 of 200307151000

#       Added distcc, cut rigths for wlan

#

#IP=`/sbin/ifconfig $IF | grep inet | cut -d : -f 2 | cut -d \  -f 1`

#MASK=`/sbin/ifconfig $IF | grep Mas | cut -d : -f 4`

#NET=$IP/$MASK

FIREWALL=/etc/firewall.rules

IPTABLES="/sbin/iptables"

IPTABLESSAVE="/sbin/iptables-save"

IPTABLESRESTORE="/sbin/iptables-restore"

DEV_INT="eth0"

IP_INT="192.168.0.1"

IP_INT_NET="192.168.0.0/24"

IP_INT_BCAST="192.168.0.255"

DEV_INT2="eth1"

IP_INT2="192.168.1.1";

IP_INT2_NET="192.168.1.1/24"

IP_INT2_BCAST="192.168.1.255"

DEV_EXT="ppp0"

IP_EXT="`ifconfig | grep P-t-P | cut -d ":" -f 2 | cut -d " " -f 1`"

IP_BCAST="255.255.255.255"

ANY="0.0.0.0/0"

DEV_LOOP="lo"

IP_LOOP="127.0.0.1"

opts="${opts} showstatus panic save restore showoptions rules"

depend() {

   need net procparam

   use logger 

}

rules() {

   ebegin "Setting internal rules"

   # default policies

   einfo "Setting default rule to drop"

   $IPTABLES -P FORWARD DROP

   $IPTABLES -P INPUT   DROP

   $IPTABLES -P OUTPUT  DROP

   # default rule

   einfo "Creating states chain"

   $IPTABLES -N allow-existingconnection

   $IPTABLES -F allow-existingconnection

   $IPTABLES -A allow-existingconnection -p ALL -s $ANY -d $ANY -m state --state ESTABLISHED,RELATED -j ACCEPT

   einfo "Creating fragments chain"

   $IPTABLES -N disallow-fragments

   $IPTABLES -F disallow-fragments

   $IPTABLES -A disallow-fragments -f -m limit --limit 6/minute -j LOG --log-level info --log-prefix "FIREWALL: Fragments: "

   $IPTABLES -A disallow-fragments -f -j DROP

   einfo "Creating invalid detection chain"

   $IPTABLES -N disallow-invalid

   $IPTABLES -F disallow-invalid

   $IPTABLES -A disallow-invalid -m state --state INVALID -m limit --limit 6/minute -j LOG --log-level info --log-prefix "FIREWALL: Invalid: "

   $IPTABLES -A disallow-invalid -m state --state INVALID -j DROP

   einfo "Creating spoofing detection chain"

   $IPTABLES -N disallow-spoofing

   $IPTABLES -F disallow-spoofing

   $IPTABLES -A disallow-spoofing -p ALL -s $ANY -d $IP_BCAST -m limit --limit 6/minute -j LOG --log-level info --log-prefix "FIREWALL: Ext. Broadcast: "

   $IPTABLES -A disallow-spoofing -p ALL -s $ANY -d $IP_BCAST -j DROP

   einfo "Creating portscan detection chain (based on flags)"

   $IPTABLES -N disallow-flagscan

   $IPTABLES -F disallow-flagscan

   $IPTABLES -A disallow-flagscan -p tcp --tcp-flags ALL FIN,URG,PSH          -m limit --limit 6/minute -j LOG --log-level alert --log-prefix "FIREWALL: NMAP-XMAS:"

   $IPTABLES -A disallow-flagscan -p tcp --tcp-flags ALL FIN,URG,PSH          -j DROP

   $IPTABLES -A disallow-flagscan -p tcp --tcp-flags ALL ALL               -m limit --limit 6/minute -j LOG --log-level 1 --log-prefix "FIREWALL: XMAS:"

   $IPTABLES -A disallow-flagscan -p tcp --tcp-flags ALL ALL                -j DROP

   $IPTABLES -A disallow-flagscan -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG   -m limit --limit 6/minute -j LOG --log-level 1 --log-prefix "FIREWALL: XMAS-PSH:"

   $IPTABLES -A disallow-flagscan -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG   -j DROP

   $IPTABLES -A disallow-flagscan -p tcp --tcp-flags ALL NONE               -m limit --limit 6/minute -j LOG --log-level 1 --log-prefix "FIREWALL: NULL_SCAN:"

   $IPTABLES -A disallow-flagscan -p tcp --tcp-flags ALL NONE               -j DROP

   $IPTABLES -A disallow-flagscan -p tcp --tcp-flags SYN,RST SYN,RST         -m limit --limit 6/minute -j LOG --log-level 5 --log-prefix "FIREWALL: SYN/RST:"

   $IPTABLES -A disallow-flagscan -p tcp --tcp-flags SYN,RST SYN,RST         -j DROP

   $IPTABLES -A disallow-flagscan -p tcp --tcp-flags SYN,FIN SYN,FIN         -m limit --limit 6/minute -j LOG --log-level 5 --log-prefix "FIREWALL: SYN/FIN:"

   $IPTABLES -A disallow-flagscan -p tcp --tcp-flags SYN,FIN SYN,FIN         -j DROP

   einfo "Creating portscan detection chain (based on ports)"

   $IPTABLES -N disallow-portscan

   $IPTABLES -F disallow-portscan

   $IPTABLES -A disallow-portscan -p tcp --dport 7             -m limit --limit 6/minute -j LOG --log-level info --log-prefix "FIREWALL: echo test: "

   $IPTABLES -A disallow-portscan -p tcp --dport 7             -j DROP

   $IPTABLES -A disallow-portscan -p udp --dport 7             -m limit --limit 6/minute -j LOG --log-level info --log-prefix "FIREWALL: echo test: "

   $IPTABLES -A disallow-portscan -p udp --dport 7             -j DROP

   $IPTABLES -A disallow-portscan -p tcp --dport 11            -m limit --limit 6/minute -j LOG --log-level info --log-prefix "FIREWALL: sysstat test: "

   $IPTABLES -A disallow-portscan -p tcp --dport 11            -j DROP

   $IPTABLES -A disallow-portscan -p tcp --dport 15            -m limit --limit 6/minute -j LOG --log-level info --log-prefix "FIREWALL: netstat test: "

   $IPTABLES -A disallow-portscan -p tcp --dport 15            -j DROP

   $IPTABLES -A disallow-portscan -p tcp --dport 19            -m limit --limit 6/minute -j LOG --log-level info --log-prefix "FIREWALL: chargen test: "

   $IPTABLES -A disallow-portscan -p tcp --dport 19            -j DROP

   $IPTABLES -A disallow-portscan -p udp --dport 19            -m limit --limit 6/minute -j LOG --log-level info --log-prefix "FIREWALL: chargen test: "

   $IPTABLES -A disallow-portscan -p udp --dport 19            -j DROP

   $IPTABLES -A disallow-portscan -p tcp --dport 23            -m limit --limit 6/minute -j LOG --log-level info --log-prefix "FIREWALL: telnet test: "

   $IPTABLES -A disallow-portscan -p tcp --dport 23            -j DROP

   $IPTABLES -A disallow-portscan -p tcp --dport 69            -m limit --limit 6/minute -j LOG --log-level info --log-prefix "FIREWALL: tftpd test: "

   $IPTABLES -A disallow-portscan -p tcp --dport 69            -j DROP

   $IPTABLES -A disallow-portscan -p tcp --dport 79            -m limit --limit 6/minute -j LOG --log-level info --log-prefix "FIREWALL: finger test: "

   $IPTABLES -A disallow-portscan -p tcp --dport 79            -j DROP

   $IPTABLES -A disallow-portscan -p tcp --dport 87            -m limit --limit 6/minute -j LOG --log-level info --log-prefix "FIREWALL: link test: "

   $IPTABLES -A disallow-portscan -p tcp --dport 87            -j DROP

   $IPTABLES -A disallow-portscan -p tcp --dport 98            -m limit --limit 6/minute -j LOG --log-level info --log-prefix "FIREWALL: linuxconf test: "

   $IPTABLES -A disallow-portscan -p tcp --dport 98            -j DROP

   $IPTABLES -A disallow-portscan -p tcp --dport 111           -m limit --limit 6/minute -j LOG --log-level info --log-prefix "FIREWALL: sun-rpc test: "

   $IPTABLES -A disallow-portscan -p tcp --dport 111           -j DROP

   $IPTABLES -A disallow-portscan -p tcp --dport 520           -m limit --limit 6/minute -j LOG --log-level info --log-prefix "FIREWALL: route test: "

   $IPTABLES -A disallow-portscan -p tcp --dport 520           -j DROP

   $IPTABLES -A disallow-portscan -p tcp --dport 540           -m limit --limit 6/minute -j LOG --log-level info --log-prefix "FIREWALL: uucp test: "

   $IPTABLES -A disallow-portscan -p tcp --dport 540           -j DROP

   $IPTABLES -A disallow-portscan -p tcp --dport 1080          -m limit --limit 6/minute -j LOG --log-level info --log-prefix "FIREWALL: socks test: "

   $IPTABLES -A disallow-portscan -p tcp --dport 1080          -j DROP

   $IPTABLES -A disallow-portscan -p tcp --dport 1114          -m limit --limit 6/minute -j LOG --log-level info --log-prefix "FIREWALL: sql test: "

   $IPTABLES -A disallow-portscan -p tcp --dport 1114          -j DROP

   $IPTABLES -A disallow-portscan -p tcp --dport 2000          -m limit --limit 6/minute -j LOG --log-level info --log-prefix "FIREWALL: openwin test: "

   $IPTABLES -A disallow-portscan -p tcp --dport 2000          -j DROP

   $IPTABLES -A disallow-portscan -p tcp --dport 10000         -m limit --limit 6/minute -j LOG --log-level info --log-prefix "FIREWALL: webmin test: "

   $IPTABLES -A disallow-portscan -p tcp --dport 10000         -j DROP

   $IPTABLES -A disallow-portscan -p tcp --dport 6000:6063     -m limit --limit 6/minute -j LOG --log-level info --log-prefix "FIREWALL: X-Windows test: "

   $IPTABLES -A disallow-portscan -p tcp --dport 6000:6063     -j DROP

   $IPTABLES -A disallow-portscan -p udp --dport 33434:33523   -m limit --limit 6/minute -j LOG --log-level info --log-prefix "FIREWALL: Traceroute: "

   $IPTABLES -A disallow-portscan -p udp --dport 33434:33523   -j DROP

   einfo "Creating trojan scan  detection chain"

   $IPTABLES -N disallow-trojanscan

   $IPTABLES -F disallow-trojanscan

   $IPTABLES -A disallow-trojanscan -p tcp --dport 6670          -m limit --limit 6/minute -j LOG --log-level info --log-prefix "FIREWALL: Deepthroat scan: "

   $IPTABLES -A disallow-trojanscan -p tcp --dport 6670          -j DROP

   $IPTABLES -A disallow-trojanscan -p tcp --dport 1243          -m limit --limit 6/minute -j LOG --log-level info --log-prefix "FIREWALL: Subseven scan: "

   $IPTABLES -A disallow-trojanscan -p tcp --dport 1243          -j DROP

   $IPTABLES -A disallow-trojanscan -p udp --dport 1243          -m limit --limit 6/minute -j LOG --log-level info --log-prefix "FIREWALL: Subseven scan: "

   $IPTABLES -A disallow-trojanscan -p udp --dport 1243          -j DROP

   $IPTABLES -A disallow-trojanscan -p tcp --dport 6711:6713     -m limit --limit 6/minute -j LOG --log-level info --log-prefix "FIREWALL: Subseven scan: "

   $IPTABLES -A disallow-trojanscan -p tcp --dport 6711:6713     -j DROP

   $IPTABLES -A disallow-trojanscan -p udp --dport 6711:6713     -m limit --limit 6/minute -j LOG --log-level info --log-prefix "FIREWALL: Subseven scan: "

   $IPTABLES -A disallow-trojanscan -p udp --dport 6711:6713     -j DROP

   $IPTABLES -A disallow-trojanscan -p tcp --dport 27374         -m limit --limit 6/minute -j LOG --log-level info --log-prefix "FIREWALL: Subseven scan: "

   $IPTABLES -A disallow-trojanscan -p tcp --dport 27374         -j DROP

   $IPTABLES -A disallow-trojanscan -p udp --dport 27374         -m limit --limit 6/minute -j LOG --log-level info --log-prefix "FIREWALL: Subseven scan: "

   $IPTABLES -A disallow-trojanscan -p udp --dport 27374         -j DROP

   $IPTABLES -A disallow-trojanscan -p tcp --dport 12345:12346   -m limit --limit 6/minute -j LOG --log-level info --log-prefix "FIREWALL: Netbus scan: "

   $IPTABLES -A disallow-trojanscan -p tcp --dport 12345:12346   -j DROP

   $IPTABLES -A disallow-trojanscan -p tcp --dport 20034         -m limit --limit 6/minute -j LOG --log-level info --log-prefix "FIREWALL: Netbus scan: "

   $IPTABLES -A disallow-trojanscan -p tcp --dport 20034         -j DROP

   $IPTABLES -A disallow-trojanscan -p tcp --dport 31337:31338   -m limit --limit 6/minute -j LOG --log-level info --log-prefix "FIREWALL: BackOrifice scan: "

   $IPTABLES -A disallow-trojanscan -p tcp --dport 31337:31338   -j DROP

   $IPTABLES -A disallow-trojanscan -p udp --dport 28431         -m limit --limit 6/minute -j LOG --log-level info --log-prefix "FIREWALL: HackAtak2000 scan: "

   $IPTABLES -A disallow-trojanscan -p udp --dport 28431         -j DROP

   einfo "Creating icmp chains"

   $IPTABLES -N disallow-someicmp

   $IPTABLES -F disallow-someicmp

   $IPTABLES -A disallow-someicmp -p icmp -j LOG --log-prefix "FIREWALL: Bad ICMP traffic:"

   $IPTABLES -A disallow-someicmp -p icmp -j DROP

   $IPTABLES -N allow-someicmp

   $IPTABLES -F allow-someicmp

   $IPTABLES -A allow-someicmp -m state --state NEW -p icmp --icmp-type time-exceeded -j ACCEPT

   $IPTABLES -A allow-someicmp -m state --state NEW -p icmp --icmp-type destination-unreachable -j ACCEPT

   $IPTABLES -A allow-someicmp -m state --state NEW -p icmp --icmp-type source-quench -j disallow-someicmp

   $IPTABLES -A allow-someicmp -m state --state NEW -p icmp --icmp-type redirect -j disallow-someicmp

   $IPTABLES -A allow-someicmp -m state --state NEW -p icmp --icmp-type router-advertisement -j disallow-someicmp

   $IPTABLES -A allow-someicmp -m state --state NEW -p icmp --icmp-type router-solicitation -j disallow-someicmp

   $IPTABLES -A allow-someicmp -m state --state NEW -p icmp --icmp-type parameter-problem -j disallow-someicmp

   $IPTABLES -A allow-someicmp -m state --state NEW -p icmp --icmp-type timestamp-request -j disallow-someicmp

   $IPTABLES -A allow-someicmp -m state --state NEW -p icmp --icmp-type timestamp-reply -j disallow-someicmp

   $IPTABLES -A allow-someicmp -m state --state NEW -p icmp --icmp-type address-mask-request -j disallow-someicmp

   $IPTABLES -A allow-someicmp -m state --state NEW -p icmp --icmp-type address-mask-reply -j disallow-someicmp

   einfo "Creating ping chain"

   $IPTABLES -N allow-ping

   $IPTABLES -F allow-ping

   $IPTABLES -A allow-ping -m state --state NEW -p icmp --icmp-type echo-request -j ACCEPT

   einfo "Creating ftp chain"

   $IPTABLES -N allow-ftp

   $IPTABLES -F allow-ftp

   $IPTABLES -A allow-ftp -p tcp --dport 20 -j ACCEPT

   $IPTABLES -A allow-ftp -p tcp --dport 21 -j ACCEPT

   einfo "Creating ssh chain"

   $IPTABLES -N allow-ssh

   $IPTABLES -F allow-ssh

   # Flood protection

   $IPTABLES -A allow-ssh -m limit --limit 1/second -p tcp --tcp-flags ALL RST --dport 22 -j ACCEPT

   $IPTABLES -A allow-ssh -m limit --limit 1/second -p tcp --tcp-flags ALL FIN --dport 22 -j ACCEPT

   $IPTABLES -A allow-ssh -m limit --limit 1/second -p tcp --tcp-flags ALL SYN --dport 22 -j ACCEPT

   $IPTABLES -A allow-ssh -p tcp --dport 22 -j ACCEPT

   einfo "Creating smtp chain"

   $IPTABLES -N allow-smtp

   $IPTABLES -F allow-smtp

   $IPTABLES -A allow-smtp -p tcp --dport 25 -j ACCEPT

   einfo "Creating dns chain"

   $IPTABLES -N allow-dns

   $IPTABLES -F allow-dns

   $IPTABLES -A allow-dns -p tcp --dport 53 -j ACCEPT

   $IPTABLES -A allow-dns -p udp --dport 53 -j ACCEPT

   einfo "Creating dhcp chain"

   $IPTABLES -N allow-dhcp

   $IPTABLES -F allow-dhcp

   $IPTABLES -A allow-dhcp -p udp --dport 67 -j ACCEPT

   $IPTABLES -A allow-dhcp -p udp --dport 68 -j ACCEPT

   einfo "Creating http/https chain"

   $IPTABLES -N allow-www

   $IPTABLES -F allow-www

   $IPTABLES -A allow-www -p tcp --dport 80 -j ACCEPT

   $IPTABLES -A allow-www -p tcp --dport 443 -j ACCEPT

   $IPTABLES -A allow-www -p tcp --dport 8080 -j ACCEPT

   einfo "Creating pop3 chain"

   $IPTABLES -N allow-pop3

   $IPTABLES -F allow-pop3

   $IPTABLES -A allow-pop3 -p tcp --dport 110 -j ACCEPT

   einfo "Creating ident chain"

   $IPTABLES -N allow-ident

   $IPTABLES -F allow-ident

   $IPTABLES -A allow-ident -p tcp --dport 113 -j ACCEPT

   einfo "Creating ident chain"

   $IPTABLES -N disallow-ident

   $IPTABLES -F disallow-ident

   $IPTABLES -A disallow-ident -p tcp --dport 113 -j REJECT

   einfo "Creating news chain"

   $IPTABLES -N allow-news

   $IPTABLES -F allow-news

   $IPTABLES -A allow-news -p tcp --dport 119 -j ACCEPT

   einfo "Creating ntp chain"

   $IPTABLES -N allow-ntp

   $IPTABLES -F allow-ntp

   $IPTABLES -A allow-ntp -p udp --dport 123 -j ACCEPT

   einfo "Creating smb chain"

   $IPTABLES -N allow-smb

   $IPTABLES -F allow-smb

   $IPTABLES -A allow-smb -p tcp --dport 137 -j ACCEPT

   $IPTABLES -A allow-smb -p tcp --dport 138 -j ACCEPT

   $IPTABLES -A allow-smb -p tcp --dport 139 -j ACCEPT

   einfo "Creating imap chain"

   $IPTABLES -N allow-imap

   $IPTABLES -F allow-imap

   $IPTABLES -A allow-imap -p tcp --dport 143 -j ACCEPT

   $IPTABLES -A allow-imap -p tcp --dport 993 -j ACCEPT

   einfo "Creating ldap chain"

   $IPTABLES -N allow-ldap

   $IPTABLES -F allow-ldap

   $IPTABLES -A allow-ldap -p tcp --dport 389 -j ACCEPT

   einfo "Creating rsync chain"

   $IPTABLES -N allow-rsync

   $IPTABLES -F allow-rsync

   $IPTABLES -A allow-rsync -p tcp --dport 873 -j ACCEPT

   einfo "Creating cvs chain"

   $IPTABLES -N allow-cvs

   $IPTABLES -F allow-cvs

   $IPTABLES -A allow-cvs -p tcp --dport 2401 -j ACCEPT

   einfo "Creating icq chain"

   $IPTABLES -N allow-icq

   $IPTABLES -F allow-icq

   $IPTABLES -A allow-icq -p tcp --dport 5190 -j ACCEPT

   einfo "Creating irc chain"

   $IPTABLES -N allow-irc

   $IPTABLES -F allow-irc

   $IPTABLES -A allow-irc -p tcp --dport 6660:6670 -j ACCEPT

   einfo "Creating teamspeak chain"

   $IPTABLES -N allow-teamspeak

   $IPTABLES -F allow-teamspeak

   $IPTABLES -A allow-teamspeak -p udp --dport 8767 -j ACCEPT

   einfo "Creating cddb chain"

   $IPTABLES -N allow-cddb

   $IPTABLES -F allow-cddb

   $IPTABLES -A allow-cddb -p tcp --dport 8880 -j ACCEPT

   einfo "Creating pgp chain"

   $IPTABLES -N allow-pgp

   $IPTABLES -F allow-pgp

   $IPTABLES -A allow-pgp -p tcp --dport 11371 -j ACCEPT

   einfo "Creating squid chain"

   $IPTABLES -N allow-squid

   $IPTABLES -F allow-squid

   $IPTABLES -A allow-squid -p tcp --dport 3128 -j ACCEPT

   einfo "Creating distcc chain"

   $IPTABLES -N allow-distcc

   $IPTABLES -F allow-distcc

   $IPTABLES -A allow-distcc -p tcp --dport 3632 -j ACCEPT

   einfo "Applying general protection to input"

   $IPTABLES -A INPUT -j disallow-fragments

   $IPTABLES -A INPUT -j disallow-invalid

   $IPTABLES -A INPUT -j disallow-flagscan

   $IPTABLES -A INPUT -j disallow-portscan

   $IPTABLES -A INPUT -j disallow-trojanscan

   $IPTABLES -A INPUT -j allow-existingconnection

   $IPTABLES -A INPUT -j allow-someicmp

   einfo "Applying general protection to forward"

   $IPTABLES -A FORWARD -j disallow-fragments

   $IPTABLES -A FORWARD -j disallow-invalid

   $IPTABLES -A FORWARD -j disallow-flagscan

   $IPTABLES -A FORWARD -j disallow-portscan

   $IPTABLES -A FORWARD -j disallow-trojanscan

   $IPTABLES -A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu

   $IPTABLES -A FORWARD -j allow-existingconnection

   $IPTABLES -A FORWARD -j allow-someicmp

   einfo "Applying general protection to output"

   $IPTABLES -A OUTPUT -j disallow-fragments

   $IPTABLES -A OUTPUT -j disallow-invalid

   $IPTABLES -A OUTPUT -j disallow-flagscan

   $IPTABLES -A OUTPUT -j disallow-portscan

   $IPTABLES -A OUTPUT -j disallow-trojanscan

   $IPTABLES -A OUTPUT -j allow-existingconnection

   $IPTABLES -A OUTPUT -j allow-someicmp

   einfo "Creating directional chains"

   $IPTABLES -N external-to-fw

   $IPTABLES -F external-to-fw

   $IPTABLES -A INPUT   -i $DEV_EXT               -j external-to-fw

   $IPTABLES -N fw-to-external

   $IPTABLES -F fw-to-external

   $IPTABLES -A OUTPUT  -o $DEV_EXT               -j fw-to-external

   $IPTABLES -N internal-to-external

   $IPTABLES -F internal-to-external

   $IPTABLES -A FORWARD -i $DEV_INT  -o $DEV_EXT  -j internal-to-external

   $IPTABLES -A FORWARD -i $DEV_INT2 -o $DEV_EXT  -j internal-to-external

   $IPTABLES -N external-to-internal

   $IPTABLES -F external-to-internal

   $IPTABLES -A FORWARD -i $DEV_EXT  -o $DEV_INT  -j external-to-internal

   $IPTABLES -A FORWARD -i $DEV_EXT  -o $DEV_INT2 -j external-to-internal

   $IPTABLES -N internal-to-fw

   $IPTABLES -F internal-to-fw

   $IPTABLES -A INPUT   -i $DEV_INT               -j internal-to-fw

   $IPTABLES -A INPUT   -i $DEV_INT2              -j internal-to-fw

   $IPTABLES -N fw-to-internal

   $IPTABLES -F fw-to-internal

   $IPTABLES -A OUTPUT  -o $DEV_INT               -j fw-to-internal

   $IPTABLES -A OUTPUT  -o $DEV_INT2              -j fw-to-internal

      # loopback

   $IPTABLES -A INPUT                   -i lo                     -j ACCEPT

   $IPTABLES -A OUTPUT                  -o lo                     -j ACCEPT

   

#   Use that for heavy debugging. Every dropped packet will be logged

#   $IPTABLES -A FORWARD -j LOG --log-level info --log-prefix "FIREWALL: FORWARD: "

#   $IPTABLES -A INPUT   -j LOG --log-level info --log-prefix "FIREWALL: INPUT: "

#   $IPTABLES -A OUTPUT  -j LOG --log-level info --log-prefix "FIREWALL: OUTPUT: "

   einfo "Applying rules to external-to-fw chain"

   $IPTABLES -A external-to-fw -j disallow-spoofing

   $IPTABLES -A external-to-fw -j disallow-ident

   $IPTABLES -A external-to-fw -j allow-teamspeak

#   Use that for heavy debugging. Every dropped packet will be logged

#   $IPTABLES -A external-to-fw -j LOG --log-level info --log-prefix "FIREWALL: ext-to-fw: "

   einfo "Applying rules to internal-to-external chain"

   $IPTABLES -A internal-to-external -j allow-ping

    $IPTABLES -A internal-to-external -j allow-ftp

   $IPTABLES -A internal-to-external -j allow-ssh

    $IPTABLES -A internal-to-external -j allow-smtp

    $IPTABLES -A internal-to-external -j allow-dns

    $IPTABLES -A internal-to-external -j allow-www

    $IPTABLES -A internal-to-external -j allow-pop3

    $IPTABLES -A internal-to-external -j allow-news

    $IPTABLES -A internal-to-external -j allow-ntp

    $IPTABLES -A internal-to-external -j allow-imap

    $IPTABLES -A internal-to-external -j allow-rsync

    $IPTABLES -A internal-to-external -j allow-cvs

    $IPTABLES -A internal-to-external -j allow-icq

    $IPTABLES -A internal-to-external -j allow-irc

    $IPTABLES -A internal-to-external -j allow-cddb

    $IPTABLES -A internal-to-external -j allow-teamspeak

    $IPTABLES -A internal-to-external -j allow-pgp

#   Use that for heavy debugging. Every dropped packet will be logged

#   $IPTABLES -A internal-to-external -j LOG --log-level info --log-prefix "FIREWALL: int-to-ext: "

   einfo "Applying rules to fw-to-external chain"

   $IPTABLES -A fw-to-external -j allow-ping

   $IPTABLES -A fw-to-external -j allow-ftp

   $IPTABLES -A fw-to-external -j allow-ssh

   $IPTABLES -A fw-to-external -j allow-dns

   $IPTABLES -A fw-to-external -j allow-www

   $IPTABLES -A fw-to-external -j allow-ntp

   $IPTABLES -A fw-to-external -j allow-rsync

   $IPTABLES -A fw-to-external -j allow-cvs

#   Use that for heavy debugging. Every dropped packet will be logged

#   $IPTABLES -A fw-to-external -j LOG --log-level info --log-prefix "FIREWALL: fw-to-ext: "

   einfo "Applying rules to fw-to-internal chain"

   $IPTABLES -A fw-to-internal -j allow-ping

   $IPTABLES -A fw-to-internal -j allow-ftp

   $IPTABLES -A fw-to-internal -j allow-ssh

   $IPTABLES -A fw-to-internal -j allow-smtp

   $IPTABLES -A fw-to-internal -j allow-www

   $IPTABLES -A fw-to-internal -j allow-pop3

   $IPTABLES -A fw-to-internal -j allow-imap

   $IPTABLES -A fw-to-internal -j allow-smb

   $IPTABLES -A fw-to-internal -j allow-distcc

#   Use that for heavy debugging. Every dropped packet will be logged

#   $IPTABLES -A fw-to-internal -j LOG --log-level info --log-prefix "FIREWALL: fw-to-int: "

   

   einfo "Applying rules to external-to-internal chain"

#   Use that for heavy debugging. Every dropped packet will be logged

#   $IPTABLES -A external-to-internal -j LOG --log-level info --log-prefix "FIREWALL: ext-to-int: "

   $IPTABLES -A external-to-internal -j DROP

   einfo "Masquerading external Connections"

   $IPTABLES -t nat -A POSTROUTING -o $DEV_EXT -j MASQUERADE

   eend $?

}

start() {

   stop

   ebegin "Starting firewall"

#   if [ -e "${FIREWALL}" ]; then

#      einfo "Restoring iptables ruleset"

#      restore

#   else

#      einfo "${FIREWALL} does not exists. Using default rules."

      rules

#   fi

   if [ "${ENABLE_FORWARDING_IPv4}" = "yes" ] ; then

      einfo "Enabling forwarding for ipv4"

      echo "1" > /proc/sys/net/ipv4/conf/all/forwarding

   fi

   eend $?

}

stop() {

   ebegin "Stopping firewall"

      # set sane defaults that disable forwarding

      if [ -f /proc/sys/net/ipv4/conf/all/forwarding ] ; then

         echo "0" > /proc/sys/net/ipv4/conf/all/forwarding

      fi

      for a in `cat /proc/net/ip_tables_names`; do

         $IPTABLES -F -t $a

         $IPTABLES -X -t $a

  

         if [ $a == nat ]; then

            $IPTABLES -t nat -P PREROUTING ACCEPT

            $IPTABLES -t nat -P POSTROUTING ACCEPT

            $IPTABLES -t nat -P OUTPUT ACCEPT

         elif [ $a == mangle ]; then

            $IPTABLES -t mangle -P PREROUTING ACCEPT

            $IPTABLES -t mangle -P INPUT ACCEPT

            $IPTABLES -t mangle -P FORWARD ACCEPT

            $IPTABLES -t mangle -P OUTPUT ACCEPT

            $IPTABLES -t mangle -P POSTROUTING ACCEPT

         elif [ $a == filter ]; then

            $IPTABLES -t filter -P INPUT ACCEPT

            $IPTABLES -t filter -P FORWARD ACCEPT 

            $IPTABLES -t filter -P OUTPUT ACCEPT

         fi

      done

      # Flush Built-in Rules

      $IPTABLES -F INPUT

      $IPTABLES -F OUTPUT

      $IPTABLES -F FORWARD

      # Attempt to Flush All Rules in Filter Table

      $IPTABLES -F

   eend $?

}

showstatus() {

   ebegin "Status"

   $IPTABLES -L -n -v --line-numbers

   einfo "NAT status"

   $IPTABLES -L -n -v --line-numbers -t nat

   eend $?

}

panic() {

   ebegin "Setting panic rules"

   $IPTABLES -F

   $IPTABLES -X

   $IPTABLES -t nat -F

   $IPTABLES -P FORWARD DROP

   $IPTABLES -P INPUT   DROP

   $IPTABLES -P OUTPUT  DROP

   $IPTABLES -A INPUT -i lo -j ACCEPT

   $IPTABLES -A OUTPUT -o lo -j ACCEPT

   eend $?

}

save() {

   ebegin "Saving iptables state"

   $IPTABLESSAVE $SAVE_RESTORE_OPTIONS > $FIREWALL

   eend $?

}

restore() {

   ebegin "Restoring Firewall rules"

   $IPTABLESRESTORE < $FIREWALL

   eend $?

}

restart() {

   svc_stop; svc_start

}

showoptions() {

   echo "Usage: $0 {start|save|restore|panic|stop|restart|showstatus}"

   echo "start)      will restore setting if exists else force rules"

   echo "stop)       delete all rules and set all to accept"

   echo "rules)      force settings of new rules"

   echo "save)       will store settings in ${FIREWALL}"

   echo "restore)    will restore settings from ${FIREWALL}"

   echo "showstatus) Shows the status"

}

```

It Goes well for me   :Wink:  this is the output:

```

gateway init.d # /etc/init.d/iptables start

 * Stopping firewall...                                                                                                 [ ok ]

 * Starting firewall...

 * Setting internal rules...

 * Setting default rule to drop

 * Creating states chain

 * Creating fragments chain

 * Creating invalid detection chain

 * Creating spoofing detection chain

 * Creating portscan detection chain (based on flags)

 * Creating portscan detection chain (based on ports)

 * Creating trojan scan  detection chain

 * Creating icmp chains

 * Creating ping chain

 * Creating ftp chain

 * Creating ssh chain

 * Creating smtp chain

 * Creating dns chain

 * Creating dhcp chain

 * Creating http/https chain

 * Creating pop3 chain

 * Creating ident chain

 * Creating ident chain

 * Creating news chain

 * Creating ntp chain

 * Creating smb chain

 * Creating imap chain

 * Creating ldap chain

 * Creating rsync chain

 * Creating cvs chain

 * Creating icq chain

 * Creating irc chain

 * Creating teamspeak chain

 * Creating cddb chain

 * Creating pgp chain

 * Creating squid chain

 * Creating distcc chain

 * Applying general protection to input

 * Applying general protection to forward

 * Applying general protection to output

 * Creating directional chains

 * Applying rules to external-to-fw chain

 * Applying rules to internal-to-external chain

 * Applying rules to fw-to-external chain

 * Applying rules to fw-to-internal chain

 * Applying rules to external-to-internal chain

 * Masquerading external Connections                                                                                    [ ok ]

 * Enabling forwarding for ipv4                                                                                         [ ok ]

gateway init.d #

```

----------

## Martijn Lettenmeijer

This probably is a very stupid question, but I've tried to use the iptables file you guys posted above, I've simply overwritten the original iptables file, but when I do /sbin/depscan.sh, it fails, giving a syntax error near a specified line, and i can't start the iptables either when i type /etc/init.d/iptables start it says "bad intrepreter: No such file or directory". 

I'm using kernel 2.6.8-rc1 gentoo-dev-sources and iptables v1.2.11

Hope you guys can tell me what the hell i'm doin' wrong cause I spend all morning in trying everything I know.

*FIXED THE PROBLEM* it was dos-format, dos2unix fixed it  :Smile: 

----------

## ]Trix[

HELP  :Smile: 

$IPTABLES -t nat -A PREROUTING -d $PUBLICIP -p tcp --dport 9176 -j DNAT --to-destination  $WORKSTATION

$IPTABLES -t nat -A PREROUTING -d $PUBLICIP -p udp --dport 9176 -j DNAT --to-destination  $WORKSTATION

$IPTABLES -A FORWARD -o $INTIF -d $WORKSTATION -p tcp --dport 9176 -j ACCEPT

$IPTABLES -A FORWARD -o $INTIF -d $WORKSTATION -p udp --dport 9176 -j ACCEPT

How would you put this in the firewall script so that it would be in the same style as the whole script?

----------

## dnebinger

Spida, it is quite modular and quite thorough.  It represents a great job at developing a general set of rules.

But I would raise the following issues:

1. FTP support: You've allowed for the active ftp protocols on ports 20 & 21, but what about passive?  This traffic will usually be on the higher ports (typically a range specified in the configuration for the ftp daemon).  I do believe that if the ftp daemon tries to open a passive connection outbound it's going to get knocked off at the knees.

2. Measure the checks: The more checks that a packet goes through, the longer it will take to travel through the iptables stack.  Your script has a lot of checks in it.  Consider a pgp packet as it traverses all of the chains etc. that you've specified.  You're probably looking at 30+ checks at least (although I haven't counted each individual check, but I'm confident it is quite a large number).  That's a significant number of hops and means the packet is going to be hanging around on the box a lot longer than what it really should.

3. No detail on why the checks are ordered in the way they are (is there an order?):  As #2 indicates, the increased number of checks that a packet needs to be pushed through means it will hang around on the box longer.  Therefore they should be ordered to give priority to either a) heavily used ports or b) ports you want to have processed sooner rather than later.

4. No reason for accepting specific outbound traffic: I tend to prefer allowing all outbound traffic and filter on those ports that shouldn't be going outbound (i.e. dhcp responses, dns responses, ipp packets, windows networking stuff, known trojan/virus ports).  It greatly reduces the number of checks outbound traffic needs to go through.

Obviously to improve the throughput you'd have to alter the script to use multiple ports on accept lines.  Once you start doing that, though, you lose the modularity that you've built into the script.

The point that needs to be made is that there is no 'one iptables script fits all'.  Each site, each box for that matter, has it's own set of services and it's own usage criteria.  To that end the iptables rules will (should) always vary from box to box, whether it is a server, a desktop, a gateway, or some combination of the three.

New users looking to get their boxen online grab scripts like this thinking they are going to secure it for them, yet they don't understand the nuances of the individual rules nor how they are grouped.  How many folks that grab the script are going to know what the teamspeak or pgp ports are for and whether they need them or not?  How many are going to know that they've exposed their system to incoming teamspeak packets, whether they have teamspeak or not?

----------

