# sancho + mldonkey + gentoo iptables script

## utang

*heul* Ich habe bisher immer eMule auf meinem Win-Client (192.168.99.14) laufen lassen, und mein Gentoo-Firewallscript funktionierte einwandfrei. Ich hatte immer eine High-ID. Nun habe ich auf dem Win-Client sancho und mldonkey auf dem Router (192.168.99.1). Das ganze Drama sehe ich mit sancho vom Win-Client aus an. Und zwar kann ich maximal eine Low-ID erzwingen.... Wie bekomme ich es hin, dass mein mldonkey auf dem Router wenigstens für den Port 4242 eine High-ID ausspuckt?

So funktionierte mein Script, als der eMule-Client auf dem Win-Rechner lief.

```
#!/sbin/runscript

# Distributed under the terms of the GNU General Public License, v2 or later

#

# Firewall Script based on

#     Gentoo Security Guide

#         http://www.gentoo.org/doc/en/gentoo-security.xml

#     with many useful hints from

#         http://www.linuxguruz.org/iptables/

#

# by Spida (at) gmx (dot) net

#

# Kewle Dinge: $IPTABLES -t nat -A PREROUTING -p tcp -d $HATEIP --dport 80 -i eth1 -j DNAT --to $GOOGLE

#

#

#

#

IP=`/sbin/ifconfig $DEV_EXT | grep inet | cut -d : -f 2 | cut -d P -f 1`

#MASK=`/sbin/ifconfig $IF | grep Mas | cut -d : -f 4`

#NET=$IP/$MASK

IPTABLES="/sbin/iptables"

IPTABLESSAVE="/sbin/iptables-save"

IPTABLESRESTORE="/sbin/iptables-restore"

DEV_INT="eth0"

IP_INT="192.168.0.1"

IP_INT_NET="192.168.0.0/24"

IP_INT_BCAST="192.168.0.255"

DEV_INT2="eth1"

IP_INT2="192.168.99.1";

IP_INT2_NET="192.168.99.0/24"

IP_INT2_BCAST="192.168.99.255"

DEV_EXT="ppp0"

IP_EXT="`ifconfig | grep P-t-P | cut -d ":" -f 2 | cut -d " " -f 1`"

IP_BCAST="255.255.255.255"

ANY="0.0.0.0/0"

DEV_LOOP="lo"

IP_LOOP="127.0.0.1"

#MULE_IP="192.168.99.2"

MULE_IP="192.168.99.4"

MULE_IP2="192.168.99.2"

opts="${opts} showstatus panic save restore showoptions rules"

depend() {
   # runscript dependency hook: 'net' and 'procparam' must be up before
   # this service; 'logger' is used when that service is present.
   need net procparam; use logger
}

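rules() {
   #######################################
   # Install the complete ruleset: DROP policies, one chain per service
   # or attack class, the hook-up of those chains into INPUT/FORWARD/
   # OUTPUT keyed on interface, and finally NAT for the LAN.
   # Globals:  IPTABLES, DEV_EXT, DEV_INT2, ANY, IP_BCAST, MULE_IP,
   #           MULE_IP2 (read)
   # Outputs:  ebegin/einfo progress messages
   # Returns:  status of the last iptables call (via eend)
   #######################################
   local port proto entry chain

   ebegin "Setting internal rules"
   # default policies
   einfo "Setting default rule to drop"
   $IPTABLES -P FORWARD DROP
   $IPTABLES -P INPUT   DROP
   $IPTABLES -P OUTPUT  DROP
   $IPTABLES -t nat -P PREROUTING  ACCEPT
   $IPTABLES -t nat -P POSTROUTING ACCEPT

   # default rule: conntrack admits every reply packet, so the service
   # chains below only have to admit the first packet of a connection
   einfo "Creating states chain"
   $IPTABLES -N allow-existingconnection
   $IPTABLES -F allow-existingconnection
   $IPTABLES -A allow-existingconnection -p ALL -s $ANY -d $ANY -m state --state ESTABLISHED,RELATED -j ACCEPT

   einfo "Creating fragments chain"
   $IPTABLES -N disallow-fragments
   $IPTABLES -F disallow-fragments
   # to log, put a '-f -m limit --limit 6/minute -j LOG ...' rule before the DROP
   $IPTABLES -A disallow-fragments -f -j DROP

   einfo "Creating invalid detection chain"
   $IPTABLES -N disallow-invalid
   $IPTABLES -F disallow-invalid
   $IPTABLES -A disallow-invalid -m state --state INVALID -j DROP

   # p2p port forwards, straight into nat/PREROUTING.
   # NOTE(review): every p2p port is DNATed to $MULE_IP/$MULE_IP2, so a
   # client running on the router itself is never reached this way, and
   # no INPUT rule on $DEV_EXT below admits these ports either.
   # tcp 12345 is additionally dropped by disallow-trojanscan, which
   # FORWARD consults before allow-p2p, so that forward cannot work.
   for port in 4660 4661 4662 2525 3306 3333 3721 4242 4321 4646 5555 6565 6666 7654 7777 9090 9373 10001 12345; do
      $IPTABLES -t nat -A PREROUTING -i $DEV_EXT -p tcp --dport $port -j DNAT --to-destination $MULE_IP
   done
   for port in 4671 4672; do
      $IPTABLES -t nat -A PREROUTING -i $DEV_EXT -p udp --dport $port -j DNAT --to-destination $MULE_IP
   done
   for port in 1898 1904 5000 6900; do
      $IPTABLES -t nat -A PREROUTING -i $DEV_EXT -p tcp --dport $port -j DNAT --to-destination $MULE_IP2
   done

   einfo "Creating squid p2p"
   $IPTABLES -N allow-p2p
   $IPTABLES -F allow-p2p
   # One pair per port: inbound to the port from an unprivileged source
   # port, plus the mirror image keyed on the *source* port.
   # NOTE(review): the mirror rule admits a NEW connection to any
   # unprivileged port on the strength of the remote source port alone;
   # replies are already covered by allow-existingconnection, which the
   # builtin chains consult first.  Only tcp is matched here, so the udp
   # 4671/4672 forwards above are dropped in FORWARD.
   for port in 4660 4661 2525 3306 3333 3721 4242 4321 4646 5555 6565 6666 7654 7777 9090 9373 10001 12345 1898 1904 5000 6900 8000 8020 80 1238; do
      $IPTABLES -A allow-p2p -p tcp --dport $port       --sport 1025:65535 -j ACCEPT
      $IPTABLES -A allow-p2p -p tcp --dport 1025:65535 --sport $port       -j ACCEPT
   done

   einfo "Creating spoofing detection chain"
   $IPTABLES -N disallow-spoofing
   $IPTABLES -F disallow-spoofing
   $IPTABLES -A disallow-spoofing -p ALL -s $ANY -d $IP_BCAST -j DROP

   einfo "Creating portscan detection chain (based on flags)"
   $IPTABLES -N disallow-flagscan
   $IPTABLES -F disallow-flagscan
   # each illegal flag combination is logged (rate limited) and then dropped
   $IPTABLES -A disallow-flagscan -p tcp --tcp-flags ALL FIN,URG,PSH         -m limit --limit 6/minute -j LOG --log-level alert --log-prefix "FIREWALL: NMAP-XMAS:"
   $IPTABLES -A disallow-flagscan -p tcp --tcp-flags ALL FIN,URG,PSH         -j DROP
   $IPTABLES -A disallow-flagscan -p tcp --tcp-flags ALL ALL                 -m limit --limit 6/minute -j LOG --log-level 1 --log-prefix "FIREWALL: XMAS:"
   $IPTABLES -A disallow-flagscan -p tcp --tcp-flags ALL ALL                 -j DROP
   $IPTABLES -A disallow-flagscan -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -m limit --limit 6/minute -j LOG --log-level 1 --log-prefix "FIREWALL: XMAS-PSH:"
   $IPTABLES -A disallow-flagscan -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j DROP
   $IPTABLES -A disallow-flagscan -p tcp --tcp-flags ALL NONE                -m limit --limit 6/minute -j LOG --log-level 1 --log-prefix "FIREWALL: NULL_SCAN:"
   $IPTABLES -A disallow-flagscan -p tcp --tcp-flags ALL NONE                -j DROP
   $IPTABLES -A disallow-flagscan -p tcp --tcp-flags SYN,RST SYN,RST         -m limit --limit 6/minute -j LOG --log-level 5 --log-prefix "FIREWALL: SYN/RST:"
   $IPTABLES -A disallow-flagscan -p tcp --tcp-flags SYN,RST SYN,RST         -j DROP
   $IPTABLES -A disallow-flagscan -p tcp --tcp-flags SYN,FIN SYN,FIN         -m limit --limit 6/minute -j LOG --log-level 5 --log-prefix "FIREWALL: SYN/FIN:"
   $IPTABLES -A disallow-flagscan -p tcp --tcp-flags SYN,FIN SYN,FIN         -j DROP

   einfo "Creating portscan detection chain (based on ports)"
   $IPTABLES -N disallow-portscan
   $IPTABLES -F disallow-portscan
   # proto/port(-range) pairs that are never reachable in any direction;
   # to log, add a rate-limited LOG rule before the DROP
   for entry in tcp/7 udp/7 tcp/11 tcp/15 tcp/19 udp/19 tcp/23 tcp/69 tcp/79 tcp/87 tcp/98 tcp/111 tcp/520 tcp/540 tcp/1080 tcp/1114 tcp/2000 tcp/10000 tcp/6001:6063 udp/33434:33523; do
      proto=${entry%%/*}
      port=${entry#*/}
      $IPTABLES -A disallow-portscan -p $proto --dport $port -j DROP
   done

   einfo "Creating trojan scan  detection chain"
   $IPTABLES -N disallow-trojanscan
   $IPTABLES -F disallow-trojanscan
   for entry in tcp/6670 tcp/1243 udp/1243 tcp/6711:6713 udp/6711:6713 tcp/27374 udp/27374 tcp/12345:12346 tcp/20034 tcp/31337:31338 udp/28431; do
      proto=${entry%%/*}
      port=${entry#*/}
      $IPTABLES -A disallow-trojanscan -p $proto --dport $port -j DROP
   done

   einfo "Creating icmp chains"
   $IPTABLES -N disallow-someicmp
   $IPTABLES -F disallow-someicmp
   $IPTABLES -A disallow-someicmp -p icmp -j DROP

   $IPTABLES -N allow-someicmp
   $IPTABLES -F allow-someicmp
   $IPTABLES -A allow-someicmp -m state --state NEW -p icmp --icmp-type time-exceeded -j ACCEPT
   $IPTABLES -A allow-someicmp -m state --state NEW -p icmp --icmp-type destination-unreachable -j ACCEPT
   # every other explicitly named type is dropped; unlisted types fall through
   for entry in source-quench redirect router-advertisement router-solicitation parameter-problem timestamp-request timestamp-reply address-mask-request address-mask-reply; do
      $IPTABLES -A allow-someicmp -m state --state NEW -p icmp --icmp-type $entry -j disallow-someicmp
   done

   einfo "Creating ping chain"
   $IPTABLES -N allow-ping
   $IPTABLES -F allow-ping
   $IPTABLES -A allow-ping -m state --state NEW -p icmp --icmp-type echo-request -j ACCEPT

   einfo "Creating ftp chain"
   $IPTABLES -N allow-ftp
   $IPTABLES -F allow-ftp
   $IPTABLES -A allow-ftp -p tcp --dport 20 -j ACCEPT
   $IPTABLES -A allow-ftp -p tcp --dport 21 -j ACCEPT

   einfo "Creating xmms chain"
   $IPTABLES -N allow-xmms
   $IPTABLES -F allow-xmms
   $IPTABLES -A allow-xmms -p tcp --dport 6000 -j ACCEPT
   $IPTABLES -A allow-xmms -p udp --dport 6000 -j ACCEPT
   $IPTABLES -A allow-xmms -p udp --dport 10940 -j ACCEPT

   einfo "Creating ssh chain"
   $IPTABLES -N allow-ssh
   $IPTABLES -F allow-ssh
   # Flood protection
   # NOTE(review): the three limit rules only ACCEPT, and the
   # unconditional ACCEPT right after them admits whatever exceeds the
   # limit, so no rate limiting actually happens.  A limit that is meant
   # to bite needs a DROP for the excess between the two.
   $IPTABLES -A allow-ssh -m limit --limit 1/second -p tcp --tcp-flags ALL RST --dport 22 -j ACCEPT
   $IPTABLES -A allow-ssh -m limit --limit 1/second -p tcp --tcp-flags ALL FIN --dport 22 -j ACCEPT
   $IPTABLES -A allow-ssh -m limit --limit 1/second -p tcp --tcp-flags ALL SYN --dport 22 -j ACCEPT
   $IPTABLES -A allow-ssh -p tcp --dport 22 -j ACCEPT

   einfo "Creating smtp chain"
   $IPTABLES -N allow-smtp
   $IPTABLES -F allow-smtp
   $IPTABLES -A allow-smtp -p tcp --dport 25 -j ACCEPT

   einfo "Creating dns chain"
   $IPTABLES -N allow-dns
   $IPTABLES -F allow-dns
   $IPTABLES -A allow-dns -p tcp --dport 53 -j ACCEPT
   $IPTABLES -A allow-dns -p udp --dport 53 -j ACCEPT

   einfo "Creating dhcp chain"
   $IPTABLES -N allow-dhcp
   $IPTABLES -F allow-dhcp
   $IPTABLES -A allow-dhcp -p udp --dport 67 -j ACCEPT
   $IPTABLES -A allow-dhcp -p udp --dport 68 -j ACCEPT

   einfo "Creating http/https chain"
   $IPTABLES -N allow-www
   $IPTABLES -F allow-www
   # 4001:4005 already covers 4002 and 4003
   for port in 80 443 554 8020 4001:4005 8080 27600 27800 40000:42999; do
      $IPTABLES -A allow-www -p tcp --dport $port -j ACCEPT
   done
   for port in 41005 41006 44000 49001; do
      $IPTABLES -A allow-www -p udp --dport $port -j ACCEPT
   done

   einfo "Creating pop3 - ssl chain"
   $IPTABLES -N allow-pop3
   $IPTABLES -F allow-pop3
   $IPTABLES -A allow-pop3 -p tcp --dport 110 -j ACCEPT
   $IPTABLES -A allow-pop3 -p tcp --dport 995 -j ACCEPT

   einfo "Creating ident chain"
   $IPTABLES -N allow-ident
   $IPTABLES -F allow-ident
   $IPTABLES -A allow-ident -p tcp --dport 113 -j ACCEPT

   # REJECT rather than DROP so remote mail/irc servers don't wait on ident
   einfo "Creating ident reject chain"
   $IPTABLES -N disallow-ident
   $IPTABLES -F disallow-ident
   $IPTABLES -A disallow-ident -p tcp --dport 113 -j REJECT

   einfo "Creating news chain"
   $IPTABLES -N allow-news
   $IPTABLES -F allow-news
   $IPTABLES -A allow-news -p tcp --dport 119 -j ACCEPT

   einfo "Creating ntp chain"
   $IPTABLES -N allow-ntp
   $IPTABLES -F allow-ntp
   $IPTABLES -A allow-ntp -p udp --dport 123 -j ACCEPT

   einfo "Creating smb chain"
   $IPTABLES -N allow-smb
   $IPTABLES -F allow-smb
   for port in 137 138 139; do
      $IPTABLES -A allow-smb -p tcp --dport $port -j ACCEPT
      $IPTABLES -A allow-smb -p udp --dport $port -j ACCEPT
   done

   einfo "Creating imap chain"
   $IPTABLES -N allow-imap
   $IPTABLES -F allow-imap
   $IPTABLES -A allow-imap -p tcp --dport 143 -j ACCEPT
   $IPTABLES -A allow-imap -p tcp --dport 993 -j ACCEPT

   einfo "Creating ldap chain"
   $IPTABLES -N allow-ldap
   $IPTABLES -F allow-ldap
   $IPTABLES -A allow-ldap -p tcp --dport 389 -j ACCEPT

   einfo "Creating rsync chain"
   $IPTABLES -N allow-rsync
   $IPTABLES -F allow-rsync
   $IPTABLES -A allow-rsync -p tcp --dport 873 -j ACCEPT

   einfo "Creating cvs chain"
   $IPTABLES -N allow-cvs
   $IPTABLES -F allow-cvs
   $IPTABLES -A allow-cvs -p tcp --dport 2401 -j ACCEPT

   einfo "Creating icq chain"
   $IPTABLES -N allow-icq
   $IPTABLES -F allow-icq
   $IPTABLES -A allow-icq -p tcp --dport 5190 -j ACCEPT

   einfo "Creating irc chain"
   $IPTABLES -N allow-irc
   $IPTABLES -F allow-irc
   $IPTABLES -A allow-irc -p tcp --dport 6660:6670 -j ACCEPT

   einfo "Creating teamspeak chain"
   $IPTABLES -N allow-teamspeak
   $IPTABLES -F allow-teamspeak
   $IPTABLES -A allow-teamspeak -p udp --dport 8767 -j ACCEPT

   einfo "Creating cddb chain"
   $IPTABLES -N allow-cddb
   $IPTABLES -F allow-cddb
   $IPTABLES -A allow-cddb -p tcp --dport 8880 -j ACCEPT

   einfo "Creating pgp chain"
   $IPTABLES -N allow-pgp
   $IPTABLES -F allow-pgp
   $IPTABLES -A allow-pgp -p tcp --dport 11371 -j ACCEPT

   einfo "Creating squid chain"
   $IPTABLES -N allow-squid
   $IPTABLES -F allow-squid
   $IPTABLES -A allow-squid -p tcp --dport 3128 -j ACCEPT

   einfo "Creating rdesktop chain"
   $IPTABLES -N allow-rdesktop
   $IPTABLES -F allow-rdesktop
   $IPTABLES -A allow-rdesktop -p tcp --dport 3389 -j ACCEPT

   # Hook the sanity chains into the builtins.  Order matters: the
   # disallow-* chains run before conntrack acceptance, so e.g. a
   # trojan-port DROP wins over an established connection.
   einfo "Applying general protection to input"
   for chain in disallow-fragments disallow-invalid disallow-flagscan disallow-portscan disallow-trojanscan allow-existingconnection allow-someicmp; do
      $IPTABLES -A INPUT -j $chain
   done

   einfo "Applying general protection to forward"
   for chain in disallow-fragments disallow-invalid disallow-flagscan disallow-portscan disallow-trojanscan; do
      $IPTABLES -A FORWARD -j $chain
   done
   # clamp the MSS of forwarded SYNs to the path MTU
   $IPTABLES -A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
   $IPTABLES -A FORWARD -j allow-existingconnection
   $IPTABLES -A FORWARD -j allow-someicmp

   einfo "Applying general protection to output"
   for chain in disallow-fragments disallow-invalid disallow-flagscan disallow-portscan disallow-trojanscan allow-existingconnection allow-someicmp; do
      $IPTABLES -A OUTPUT -j $chain
   done

   # The directional chains named in the einfo messages below
   # (external-to-fw, internal-to-external, ...) are not created; the
   # rules go straight into the builtins, matched on interface.

   # loopback
   $IPTABLES -A INPUT  -i lo -j ACCEPT
   $IPTABLES -A OUTPUT -o lo -j ACCEPT

   # For heavy debugging, append a '-j LOG --log-level info' rule to a
   # builtin chain at this point: every packet it then drops is logged.

   einfo "Applying rules to external-to-fw chain"
   $IPTABLES -A INPUT -i $DEV_EXT -j disallow-spoofing
   $IPTABLES -A INPUT -i $DEV_EXT -j disallow-ident
   # NOTE(review): beyond established/related traffic and the icmp chain,
   # nothing arriving on $DEV_EXT is accepted by the router itself, and
   # OUTPUT -o $DEV_EXT below admits only the listed service chains.  A
   # service that runs on the router and expects inbound connections
   # (the post mentions a p2p client on 192.168.99.1 listening on 4242)
   # needs a NEW-state rule for exactly that port here, not a DNAT.

   einfo "Applying rules to internal-to-external chain"
   for chain in allow-ping allow-ftp allow-ssh allow-dns allow-www allow-pop3 allow-smtp allow-news allow-ntp allow-imap allow-ldap allow-rsync allow-cvs allow-squid allow-icq allow-irc allow-cddb allow-teamspeak allow-p2p allow-rdesktop allow-pgp; do
      $IPTABLES -A FORWARD -i $DEV_INT2 -o $DEV_EXT -j $chain
   done

   einfo "Applying rules to internal-to-fw chain"
   for chain in allow-ping allow-ssh allow-smtp allow-dns allow-dhcp allow-pop3 allow-imap allow-squid allow-teamspeak allow-smb allow-xmms; do
      $IPTABLES -A INPUT -i $DEV_INT2 -j $chain
   done

   einfo "Applying rules to fw-to-external chain"
   for chain in allow-ping allow-ftp allow-ssh allow-dns allow-www allow-ntp allow-rsync allow-cvs; do
      $IPTABLES -A OUTPUT -o $DEV_EXT -j $chain
   done

   einfo "Applying rules to fw-to-internal chain"
   for chain in allow-ping allow-ftp allow-ssh allow-smtp allow-www allow-pop3 allow-imap allow-smb allow-xmms; do
      $IPTABLES -A OUTPUT -o $DEV_INT2 -j $chain
   done

   einfo "Applying rules to external-to-internal chain"
   # only the (DNATed) p2p traffic may enter the LAN; everything else is
   # dropped explicitly, even though the policy would do the same
   $IPTABLES -A FORWARD -i $DEV_EXT -o $DEV_INT2 -j allow-p2p
   $IPTABLES -A FORWARD -i $DEV_EXT -o $DEV_INT2 -j DROP

   einfo "Masquerading external Connections"
   $IPTABLES -t nat -A POSTROUTING -o $DEV_EXT -j MASQUERADE

   eend $?
}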

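start() {
   local rv
   # stop() flushes every table and resets the built-in policies to ACCEPT, so
   # between this call and the DROP policies rules() installs the host is
   # briefly unfiltered. Keep the two calls adjacent.
   stop

   ebegin "Starting firewall"

#   if [ -e "${FIREWALL}" ]; then
#      einfo "Restoring iptables ruleset"
#      restore
#   else
#      einfo "${FIREWALL} does not exists. Using default rules."
      # The restore path above is disabled: start always rebuilds the rules.
      rules
      rv=$?
#   fi

   # ENABLE_FORWARDING_IPv4 is presumably provided by the service's conf.d file.
   if [ "${ENABLE_FORWARDING_IPv4}" = "yes" ] ; then
      einfo "Enabling forwarding for ipv4"
      # Only the "all" knob is touched; per-interface settings are left alone.
      echo "1" > /proc/sys/net/ipv4/conf/all/forwarding || rv=$?
   fi

   # Report the outcome of rules()/forwarding, not the status of the last "fi".
   eend "$rv"
}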

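#######################################
# Tear the firewall down completely.
# After this returns every table is flushed, user-defined chains are removed and
# all built-in policies are ACCEPT, i.e. the host filters nothing at all.
# Globals: IPTABLES (read)
# Returns: status of the final flush
#######################################
stop() {
   local table

   ebegin "Stopping firewall"

   # Stop routing between the interfaces before the rules that limited it go away.
   if [ -f /proc/sys/net/ipv4/conf/all/forwarding ] ; then
      echo "0" > /proc/sys/net/ipv4/conf/all/forwarding
   fi

   # /proc/net/ip_tables_names lists the loaded tables, one per line. It is
   # absent when no iptables module is loaded; then there is nothing to tear down.
   if [ -f /proc/net/ip_tables_names ] ; then
      while read -r table; do
         [ -n "$table" ] || continue

         # Flush first: user-defined chains can only be deleted (-X) once empty.
         "$IPTABLES" -t "$table" -F
         "$IPTABLES" -t "$table" -X

         # Reset the built-in policies of the tables this script knows about.
         case "$table" in
            nat)
               "$IPTABLES" -t nat -P PREROUTING ACCEPT
               "$IPTABLES" -t nat -P POSTROUTING ACCEPT
               "$IPTABLES" -t nat -P OUTPUT ACCEPT
               ;;
            mangle)
               "$IPTABLES" -t mangle -P PREROUTING ACCEPT
               "$IPTABLES" -t mangle -P INPUT ACCEPT
               "$IPTABLES" -t mangle -P FORWARD ACCEPT
               "$IPTABLES" -t mangle -P OUTPUT ACCEPT
               "$IPTABLES" -t mangle -P POSTROUTING ACCEPT
               ;;
            filter)
               "$IPTABLES" -t filter -P INPUT ACCEPT
               "$IPTABLES" -t filter -P FORWARD ACCEPT
               "$IPTABLES" -t filter -P OUTPUT ACCEPT
               ;;
         esac
      done < /proc/net/ip_tables_names
   fi

   # Fallback flush of the filter table (covers the case where the table list
   # could not be read); harmless when the loop above already emptied it.
   "$IPTABLES" -F

   eend $?
}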

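#######################################
# Print the filter and nat tables with counters and rule numbers.
# Globals: IPTABLES (read)
# Returns: non-zero if either listing failed (not only the last one)
#######################################
showstatus() {
   local rv=0

   ebegin "Status"

   "$IPTABLES" -L -n -v --line-numbers || rv=$?

   einfo "NAT status"

   "$IPTABLES" -t nat -L -n -v --line-numbers || rv=$?

   eend "$rv"
}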

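#######################################
# Emergency lockdown: drop everything except loopback traffic.
# Globals: IPTABLES (read)
# Returns: status of the last iptables call
#######################################
panic() {
   ebegin "Setting panic rules"

   # Policies first, then flush: stop() may have left the policies at ACCEPT,
   # and flushing before switching to DROP would open a permissive window.
   "$IPTABLES" -P INPUT   DROP
   "$IPTABLES" -P OUTPUT  DROP
   "$IPTABLES" -P FORWARD DROP

   # Filter table: flush all chains, then remove the user-defined ones.
   "$IPTABLES" -F
   "$IPTABLES" -X

   # nat is flushed only; its user-defined chains and the mangle table are left as they are.
   "$IPTABLES" -t nat -F

   # Loopback stays usable so local services keep talking to each other.
   "$IPTABLES" -A INPUT -i lo -j ACCEPT
   "$IPTABLES" -A OUTPUT -o lo -j ACCEPT

   eend $?
}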

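#######################################
# Dump the current ruleset to ${FIREWALL} with iptables-save.
# Globals: IPTABLESSAVE, SAVE_RESTORE_OPTIONS, FIREWALL (read; the latter two are
#          presumably set in the service's conf.d file)
# Returns: 1 when FIREWALL is unset, else the status of iptables-save
#######################################
save() {
   ebegin "Saving iptables state"

   if [ -z "${FIREWALL}" ]; then
      # With an empty target the redirection below would fail with "ambiguous redirect".
      eend 1 "FIREWALL is not set, nothing saved"
      return 1
   fi

   # SAVE_RESTORE_OPTIONS is deliberately unquoted: it may carry several options.
   "$IPTABLESSAVE" $SAVE_RESTORE_OPTIONS > "${FIREWALL}"

   eend $?
}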

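#######################################
# Load the ruleset saved in ${FIREWALL} with iptables-restore.
# iptables-restore replaces the content of every table present in the file, so the
# file defines the complete policy: it should be owned by and writable only by root.
# Globals: IPTABLESRESTORE, FIREWALL (read)
# Returns: 1 when the file is missing, else the status of iptables-restore
#######################################
restore() {
   ebegin "Restoring Firewall rules"

   if [ ! -f "${FIREWALL}" ]; then
      eend 1 "saved ruleset '${FIREWALL}' not found, nothing restored"
      return 1
   fi

   "$IPTABLESRESTORE" < "${FIREWALL}"

   eend $?
}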

# Restart through runscript's own service wrappers so its state bookkeeping stays
# consistent. The start is attempted even when the stop reported an error.
restart() {
   svc_stop
   svc_start
}

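#######################################
# Print the usage text. The command list must match the "opts" variable at the
# top of the script and what start() actually does (it always rebuilds the rules;
# it does not restore a saved file).
# Globals: FIREWALL (read)
#######################################
showoptions() {
   echo "Usage: $0 {start|stop|restart|rules|save|restore|panic|showstatus|showoptions}"
   echo "start)       delete all rules, then apply the rules defined in this script"
   echo "stop)        delete all rules and set every policy to ACCEPT (nothing is filtered)"
   echo "restart)     stop followed by start"
   echo "rules)       force settings of new rules"
   echo "save)        will store settings in ${FIREWALL}"
   echo "restore)     will restore settings from ${FIREWALL}"
   echo "panic)       drop everything except loopback traffic"
   echo "showstatus)  Shows the status"
   echo "showoptions) print this text"
}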
```

Ein Drama!!! =//

----------

## qmp

Die Mule IP ist lokal. Versuch entweder über eine Pipe mit `cat whatever` die DSL-IP reinzukriegen oder das Ganze von IP-Based auf device Based umzumodeln.

Früher ging das bei mir mit -i für Interface folgendermaßen: 

# Edonkey Forwarding
# Example for a client on a LAN host (192.168.0.20): with a DROP policy on FORWARD
# both parts are needed for each port - the FORWARD rule lets the packets pass,
# the PREROUTING DNAT rewrites their destination to the LAN host. Matching on
# -i ppp0 (interface) avoids depending on the changing external IP. This does not
# apply when the client runs on the router itself; there an INPUT rule is needed.

iptables -A FORWARD -i ppp0 -o eth0 -p tcp --dport 4662 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT 

iptables -t nat -A PREROUTING -i ppp0 -p tcp --dport 4662 -j DNAT --to 192.168.0.20 

iptables -A FORWARD -i ppp0 -o eth0 -p udp --dport 4672 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT 

iptables -t nat -A PREROUTING -i ppp0 -p udp --dport 4672 -j DNAT --to 192.168.0.20 

Gruß

Q

----------

## moe

Wenn MLDonkey auf dem Router selbst läuft, reicht es doch den Port zu öffnen?! Also

```
# Accept new TCP connections from the external interface to one local port.
# 123456 is a placeholder outside the valid port range (1-65535); replace it with
# the TCP port the daemon on the router listens on. Appending (-A) to INPUT is
# enough even with a DROP policy: the policy only applies when no rule matched.
$IPTABLES -A INPUT -i $DEV_EXT -p tcp --dport 123456 -j ACCEPT
```

Oder hab ich jetzt irgendwas falsch verstanden?

HTH Maurice

P.S. DROP ist unklug

----------

## utang

@moe, ich versuchs mal =)

Also, ich habe meine Firewall mal gekürzt, so dass sie übersichtlich ist.

```

#!/sbin/runscript

# Distributed under the terms of the GNU General Public License, v2 or later

#

# Firewall Script based on

#     Gentoo Security Guide

#         http://www.gentoo.org/doc/en/gentoo-security.xml

#     with many useful hints from

#         http://www.linuxguruz.org/iptables/

#

# by Spida (at) gmx (dot) net

#

# Kewle Dinge: $IPTABLES -t nat -A PREROUTING -p tcp -d $HATEIP --dport 80 -i eth1 -j DNAT --to $GOOGLE

#

#

#

#

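# Tools used by the functions below.
IPTABLES="/sbin/iptables"
IPTABLESSAVE="/sbin/iptables-save"
IPTABLESRESTORE="/sbin/iptables-restore"

# Interfaces and networks. The rules match on the DEV_* interface names; the IP_*
# values are kept for reference and for rules that may be added later.
DEV_INT="eth0"
IP_INT="192.168.0.1"
IP_INT_NET="192.168.0.0/24"
IP_INT_BCAST="192.168.0.255"

DEV_INT2="eth1"
IP_INT2="192.168.99.1"
IP_INT2_NET="192.168.99.0/24"
IP_INT2_BCAST="192.168.99.255"

DEV_EXT="ppp0"

# The external addresses are read from $DEV_EXT, so DEV_EXT must be assigned
# before these lines run. They are evaluated once, when the script is sourced,
# and are therefore only meaningful while $DEV_EXT is already up.
IP=$(/sbin/ifconfig "$DEV_EXT" | grep inet | cut -d : -f 2 | cut -d P -f 1)
#MASK=$(/sbin/ifconfig "$DEV_EXT" | grep Mas | cut -d : -f 4)
#NET=$IP/$MASK
IP_EXT=$(/sbin/ifconfig "$DEV_EXT" | grep P-t-P | cut -d ":" -f 2 | cut -d " " -f 1)

IP_BCAST="255.255.255.255"
ANY="0.0.0.0/0"

DEV_LOOP="lo"
IP_LOOP="127.0.0.1"

# Host running the P2P client (here the router itself); not referenced by rules().
MULE_IP="192.168.99.1"

# Extra runscript commands offered next to start/stop/restart.
opts="${opts} showstatus panic save restore showoptions rules"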

depend() {

   # runscript dependencies: the network and procparam services must be up
   # before the firewall is started; a logger is used when one is available.
   need net procparam

   use logger

}

rules() {

   #######################################
   # Build the complete ruleset: DROP policies, one user-defined chain per
   # service, then attach the chains to INPUT/OUTPUT/FORWARD per interface.
   # Only the built-in policies and the user chains are (re)set here; the
   # built-in chains are not flushed, so calling "rules" without a preceding
   # "stop" appends a second copy of every rule.
   # NOTE(review): no chain is attached to INPUT for $DEV_EXT below, so a new
   # inbound connection from the internet to a service on the router (such as
   # the P2P client's listening port discussed in this thread) is dropped by the
   # INPUT policy; only replies to existing connections and some ICMP get in.
   # $DEV_INT is not referenced by any active rule: traffic on it is dropped
   # except for established connections.
   # Globals: IPTABLES, DEV_INT2, DEV_EXT, ANY (read)
   # Returns: status of the last iptables call (the MASQUERADE rule)
   #######################################
  

 ebegin "Setting internal rules"

   # default policies

   einfo "Setting default rule to drop"

   # Everything not explicitly accepted below is dropped.
   $IPTABLES -P FORWARD DROP

   $IPTABLES -P INPUT   DROP

   $IPTABLES -P OUTPUT  DROP

   $IPTABLES -t nat -P PREROUTING  ACCEPT

   $IPTABLES -t nat -P POSTROUTING ACCEPT

   # default rule

   einfo "Creating p2p-sancho"

   # Port 4001 is the GUI port the sancho client on the LAN connects to.
   # "-N" fails (harmlessly) if the chain already exists; "-F" then empties it.
   $IPTABLES -N allow-sancho

   $IPTABLES -F allow-sancho

   $IPTABLES -A allow-sancho -p tcp --dport 4001       --sport 1025:65535 -j ACCEPT

   # NOTE(review): this second rule accepts any packet whose source port is
   # 4001 towards any unprivileged port, regardless of connection state. Replies
   # are already covered by allow-existingconnection, so a LAN host that picks
   # source port 4001 can reach every high port on the router through it.
   $IPTABLES -A allow-sancho -p tcp --dport 1025:65535 --sport 4001       -j ACCEPT

   einfo "Creating states chain"

   # Accepts packets belonging to, or related to, a connection already in the
   # conntrack table. It is the first rule on every built-in chain below.
   $IPTABLES -N allow-existingconnection

   $IPTABLES -F allow-existingconnection

   $IPTABLES -A allow-existingconnection -p ALL -s $ANY -d $ANY -m state --state ESTABLISHED,RELATED -j ACCEPT

   einfo "Creating icmp chains"

   # disallow-someicmp: drop target for the ICMP types listed further down.
   $IPTABLES -N disallow-someicmp

   $IPTABLES -F disallow-someicmp

#  $IPTABLES -A disallow-someicmp -p icmp -j LOG --log-prefix "FIREWALL: Bad ICMP traffic:"

   $IPTABLES -A disallow-someicmp -p icmp -j DROP

   # allow-someicmp: accept time-exceeded and destination-unreachable (needed
   # for path MTU discovery and traceroute), drop the listed control/info types.
   # ICMP types not mentioned here, e.g. echo-request, fall through to the caller.
   $IPTABLES -N allow-someicmp

   $IPTABLES -F allow-someicmp

   $IPTABLES -A allow-someicmp -m state --state NEW -p icmp --icmp-type time-exceeded -j ACCEPT

   $IPTABLES -A allow-someicmp -m state --state NEW -p icmp --icmp-type destination-unreachable -j ACCEPT

   $IPTABLES -A allow-someicmp -m state --state NEW -p icmp --icmp-type source-quench -j disallow-someicmp

   $IPTABLES -A allow-someicmp -m state --state NEW -p icmp --icmp-type redirect -j disallow-someicmp

   $IPTABLES -A allow-someicmp -m state --state NEW -p icmp --icmp-type router-advertisement -j disallow-someicmp

   $IPTABLES -A allow-someicmp -m state --state NEW -p icmp --icmp-type router-solicitation -j disallow-someicmp

   $IPTABLES -A allow-someicmp -m state --state NEW -p icmp --icmp-type parameter-problem -j disallow-someicmp

   $IPTABLES -A allow-someicmp -m state --state NEW -p icmp --icmp-type timestamp-request -j disallow-someicmp

   $IPTABLES -A allow-someicmp -m state --state NEW -p icmp --icmp-type timestamp-reply -j disallow-someicmp

   $IPTABLES -A allow-someicmp -m state --state NEW -p icmp --icmp-type address-mask-request -j disallow-someicmp

   $IPTABLES -A allow-someicmp -m state --state NEW -p icmp --icmp-type address-mask-reply -j disallow-someicmp

   einfo "Creating ping chain"

   # Echo requests only; the replies come back via allow-existingconnection.
   $IPTABLES -N allow-ping

   $IPTABLES -F allow-ping

   $IPTABLES -A allow-ping -m state --state NEW -p icmp --icmp-type echo-request -j ACCEPT

   einfo "Creating ssh chain"

   $IPTABLES -N allow-ssh

   $IPTABLES -F allow-ssh

 

# Flood protection

   # NOTE(review): the three rate-limited rules are ineffective as written. A
   # packet that exceeds the 1/second limit simply does not match them and is
   # then accepted by the unconditional "--dport 22 -j ACCEPT" rule that follows.
   # For the limit to bite, the final rule would have to be restricted (e.g. to
   # ESTABLISHED,RELATED) or the excess would need an explicit DROP.
   $IPTABLES -A allow-ssh -m limit --limit 1/second -p tcp --tcp-flags ALL RST --dport 22 -j ACCEPT

   $IPTABLES -A allow-ssh -m limit --limit 1/second -p tcp --tcp-flags ALL FIN --dport 22 -j ACCEPT

   $IPTABLES -A allow-ssh -m limit --limit 1/second -p tcp --tcp-flags ALL SYN --dport 22 -j ACCEPT

   $IPTABLES -A allow-ssh -p tcp --dport 22 -j ACCEPT

   einfo "Creating smtp chain"

   $IPTABLES -N allow-smtp

   $IPTABLES -F allow-smtp

   $IPTABLES -A allow-smtp -p tcp --dport 25 -j ACCEPT

   einfo "Creating dns chain"

   # Both transports: UDP for normal queries, TCP for large answers/zone transfers.
   $IPTABLES -N allow-dns

   $IPTABLES -F allow-dns

   $IPTABLES -A allow-dns -p tcp --dport 53 -j ACCEPT

   $IPTABLES -A allow-dns -p udp --dport 53 -j ACCEPT

   einfo "Creating dhcp chain"

   $IPTABLES -N allow-dhcp

   $IPTABLES -F allow-dhcp

   $IPTABLES -A allow-dhcp -p udp --dport 67 -j ACCEPT

   $IPTABLES -A allow-dhcp -p udp --dport 68 -j ACCEPT

  

   einfo "Creating http/https chain"

   # NOTE(review): despite its name this chain also opens 554, 8020, 4002, 4003,
   # 8080, 27600, 27800, TCP 40000-42999 and four UDP ports; the script does not
   # say which applications these are for. Because the chain is used for the
   # LAN-to-internet FORWARD path and for the router's own outbound traffic,
   # every one of these ports is reachable from the LAN on any internet host.
   $IPTABLES -N allow-www

   $IPTABLES -F allow-www

   $IPTABLES -A allow-www -p tcp --dport 80 -j ACCEPT

   $IPTABLES -A allow-www -p tcp --dport 443 -j ACCEPT

   $IPTABLES -A allow-www -p tcp --dport 554 -j ACCEPT

   $IPTABLES -A allow-www -p tcp --dport 8020 -j ACCEPT

   $IPTABLES -A allow-www -p tcp --dport 4002 -j ACCEPT

   $IPTABLES -A allow-www -p tcp --dport 4003 -j ACCEPT

   $IPTABLES -A allow-www -p tcp --dport 8080 -j ACCEPT

   $IPTABLES -A allow-www -p tcp --dport 27600 -j ACCEPT

   $IPTABLES -A allow-www -p tcp --dport 27800 -j ACCEPT

   $IPTABLES -A allow-www -p tcp --dport 40000:42999 -j ACCEPT

   $IPTABLES -A allow-www -p udp --dport 41005 -j ACCEPT

   $IPTABLES -A allow-www -p udp --dport 41006 -j ACCEPT

   $IPTABLES -A allow-www -p udp --dport 44000 -j ACCEPT

   $IPTABLES -A allow-www -p udp --dport 49001 -j ACCEPT

   einfo "Creating smb chain"

   # NetBIOS/SMB (137-139); below it is only attached to the LAN interface.
   $IPTABLES -N allow-smb

   $IPTABLES -F allow-smb

   $IPTABLES -A allow-smb -p tcp --dport 137 -j ACCEPT

   $IPTABLES -A allow-smb -p udp --dport 137 -j ACCEPT

   $IPTABLES -A allow-smb -p tcp --dport 138 -j ACCEPT

   $IPTABLES -A allow-smb -p udp --dport 138 -j ACCEPT

   $IPTABLES -A allow-smb -p tcp --dport 139 -j ACCEPT

   $IPTABLES -A allow-smb -p udp --dport 139 -j ACCEPT

   einfo "Creating rsync chain"

   $IPTABLES -N allow-rsync

   $IPTABLES -F allow-rsync

   $IPTABLES -A allow-rsync -p tcp --dport 873 -j ACCEPT

   einfo "Creating icq chain"

   $IPTABLES -N allow-icq

   $IPTABLES -F allow-icq

   $IPTABLES -A allow-icq -p tcp --dport 5190 -j ACCEPT

   einfo "Creating irc chain"

   $IPTABLES -N allow-irc

   $IPTABLES -F allow-irc

   $IPTABLES -A allow-irc -p tcp --dport 6660:6670 -j ACCEPT

   einfo "Creating cddb chain"

   $IPTABLES -N allow-cddb

   $IPTABLES -F allow-cddb

   $IPTABLES -A allow-cddb -p tcp --dport 8880 -j ACCEPT

   einfo "Applying general protection to input"

   # Order matters: established traffic is accepted before any per-service chain.
   $IPTABLES -A INPUT -j allow-existingconnection

   $IPTABLES -A INPUT -j allow-someicmp

   einfo "Applying general protection to forward"

   # Clamp the TCP MSS of forwarded SYNs to the path MTU; presumably needed
   # because the uplink is a PPP link with a smaller MTU than the LAN.
   $IPTABLES -A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu

   $IPTABLES -A FORWARD -j allow-existingconnection

   $IPTABLES -A FORWARD -j allow-someicmp

   

   einfo "Applying general protection to output"

   $IPTABLES -A OUTPUT -j allow-existingconnection

   $IPTABLES -A OUTPUT -j allow-someicmp

# server on eth0:0

#  $IPTABLES -A FORWARD -i $DEV_INT -o $DEV_INT2 -j ACCEPT

   

# loopback

   $IPTABLES -A INPUT                   -i lo                     -j ACCEPT

   $IPTABLES -A OUTPUT                  -o lo                     -j ACCEPT

   

#   Use that for heavy debugging. Every dropped packet will be logged

#   $IPTABLES -A FORWARD -j LOG --log-level info --log-prefix "FIREWALL: FORWARD: "

#   $IPTABLES -A INPUT   -j LOG --log-level info --log-prefix "FIREWALL: INPUT: "

#   $IPTABLES -A OUTPUT  -j LOG --log-level info --log-prefix "FIREWALL: OUTPUT: "

# external-to-fw: intentionally empty - no new connection from $DEV_EXT to the
# router itself is accepted. An ACCEPT for a service that must be reachable from
# the internet (e.g. the P2P client's listening port) would have to go here.
einfo "Applying rules to external-to-fw chain"

#   $IPTABLES -A INPUT -i $DEV_EXT       -j disallow-ident

#   Use that for heavy debugging. Every dropped packet will be logged

#   $IPTABLES -A -A INPUT -i $DEV_EXT   -j LOG --log-level info --log-prefix "FIREWALL: ext-to-fw: "

  einfo "Applying rules to internal-to-external chain"

   # What LAN hosts ($DEV_INT2) may open towards the internet ($DEV_EXT).
   $IPTABLES -A FORWARD -i $DEV_INT2 -o $DEV_EXT -j allow-ping

   $IPTABLES -A FORWARD -i $DEV_INT2 -o $DEV_EXT -j allow-ssh

   $IPTABLES -A FORWARD -i $DEV_INT2 -o $DEV_EXT -j allow-dns

   $IPTABLES -A FORWARD -i $DEV_INT2 -o $DEV_EXT -j allow-www

   $IPTABLES -A FORWARD -i $DEV_INT2 -o $DEV_EXT -j allow-smtp

   $IPTABLES -A FORWARD -i $DEV_INT2 -o $DEV_EXT -j allow-rsync

   $IPTABLES -A FORWARD -i $DEV_INT2 -o $DEV_EXT -j allow-icq

   $IPTABLES -A FORWARD -i $DEV_INT2 -o $DEV_EXT -j allow-irc

   $IPTABLES -A FORWARD -i $DEV_INT2 -o $DEV_EXT -j allow-cddb

#   Use that for heavy debugging. Every dropped packet will be logged

#   $IPTABLES -A FORWARD -i $DEV_INT2 -o $DEV_EXT -j LOG --log-level info --log-prefix "FIREWALL: int-to-ext: "

   einfo "Applying rules to internal-to-fw chain"

   # Services on the router that LAN hosts may reach (ssh is LAN-only).
   $IPTABLES -A INPUT -i $DEV_INT2 -j allow-ping

   $IPTABLES -A INPUT -i $DEV_INT2 -j allow-ssh

   $IPTABLES -A INPUT -i $DEV_INT2 -j allow-smtp

   $IPTABLES -A INPUT -i $DEV_INT2 -j allow-dns

   $IPTABLES -A INPUT -i $DEV_INT2 -j allow-dhcp

   $IPTABLES -A INPUT -i $DEV_INT2 -j allow-smb

   $IPTABLES -A INPUT -i $DEV_INT2 -j allow-sancho

#   Use that for heavy debugging. Every dropped packet will be logged

#   $IPTABLES -A INPUT -i $DEV_INT2 -j LOG --log-level info --log-prefix "FIREWALL: int-to-fw: "

   einfo "Applying rules to fw-to-external chain"

   # Connections the router itself may open towards the internet.
   $IPTABLES -A OUTPUT -o $DEV_EXT -j allow-ping

   $IPTABLES -A OUTPUT -o $DEV_EXT -j allow-ssh

   $IPTABLES -A OUTPUT -o $DEV_EXT -j allow-dns

   $IPTABLES -A OUTPUT -o $DEV_EXT -j allow-www

   $IPTABLES -A OUTPUT -o $DEV_EXT -j allow-rsync

#   Use that for heavy debugging. Every dropped packet will be logged

#   $IPTABLES -A fw-to-external -j LOG --log-level info --log-prefix "FIREWALL: fw-to-ext: "

   einfo "Applying rules to fw-to-internal chain"

   # Connections the router itself may open towards LAN hosts.
   $IPTABLES -A OUTPUT -o $DEV_INT2 -j allow-ping

   $IPTABLES -A OUTPUT -o $DEV_INT2 -j allow-ssh

   $IPTABLES -A OUTPUT -o $DEV_INT2 -j allow-smtp

   $IPTABLES -A OUTPUT -o $DEV_INT2 -j allow-www

   $IPTABLES -A OUTPUT -o $DEV_INT2 -j allow-smb

   $IPTABLES -A OUTPUT -o $DEV_INT2 -j allow-sancho

#   Use that for heavy debugging. Every dropped packet will be logged

#   $IPTABLES -A fw-to-internal -j LOG --log-level info --log-prefix "FIREWALL: fw-to-int: "

   einfo "Applying rules to external-to-internal chain"

#   Use that for heavy debugging. Every dropped packet will be logged

#   $IPTABLES -A external-to-internal -j LOG --log-level info --log-prefix "FIREWALL: ext-to-int: "

   # Explicit drop of new internet-to-LAN connections; redundant with the
   # FORWARD policy but makes the intent visible in the listing.
   $IPTABLES -A FORWARD -i $DEV_EXT -o $DEV_INT2 -j DROP

   einfo "Masquerading external Connections"

   # Source NAT for everything leaving via the uplink.
   $IPTABLES -t nat -A POSTROUTING -o $DEV_EXT -j MASQUERADE

   # Only the status of the MASQUERADE rule is reported.
   eend $?

}

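start() {
   local rv
   # stop() flushes every table and resets the built-in policies to ACCEPT, so
   # between this call and the DROP policies rules() installs the host is
   # briefly unfiltered. Keep the two calls adjacent.
   stop

   ebegin "Starting firewall"

   rules
   rv=$?

   # ENABLE_FORWARDING_IPv4 is presumably provided by the service's conf.d file.
   if [ "${ENABLE_FORWARDING_IPv4}" = "yes" ] ; then
      einfo "Enabling forwarding for ipv4"
      # Only the "all" knob is touched; per-interface settings are left alone.
      echo "1" > /proc/sys/net/ipv4/conf/all/forwarding || rv=$?
   fi

   # Report the outcome of rules()/forwarding, not the status of the last "fi".
   eend "$rv"
}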

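#######################################
# Tear the firewall down completely.
# After this returns every table is flushed, user-defined chains are removed and
# all built-in policies are ACCEPT, i.e. the host filters nothing at all.
# Globals: IPTABLES (read)
# Returns: status of the final flush
#######################################
stop() {
   local table

   ebegin "Stopping firewall"

   # Stop routing between the interfaces before the rules that limited it go away.
   if [ -f /proc/sys/net/ipv4/conf/all/forwarding ] ; then
      echo "0" > /proc/sys/net/ipv4/conf/all/forwarding
   fi

   # /proc/net/ip_tables_names lists the loaded tables, one per line. It is
   # absent when no iptables module is loaded; then there is nothing to tear down.
   if [ -f /proc/net/ip_tables_names ] ; then
      while read -r table; do
         [ -n "$table" ] || continue

         # Flush first: user-defined chains can only be deleted (-X) once empty.
         "$IPTABLES" -t "$table" -F
         "$IPTABLES" -t "$table" -X

         # Reset the built-in policies of the tables this script knows about.
         case "$table" in
            nat)
               "$IPTABLES" -t nat -P PREROUTING ACCEPT
               "$IPTABLES" -t nat -P POSTROUTING ACCEPT
               "$IPTABLES" -t nat -P OUTPUT ACCEPT
               ;;
            mangle)
               "$IPTABLES" -t mangle -P PREROUTING ACCEPT
               "$IPTABLES" -t mangle -P INPUT ACCEPT
               "$IPTABLES" -t mangle -P FORWARD ACCEPT
               "$IPTABLES" -t mangle -P OUTPUT ACCEPT
               "$IPTABLES" -t mangle -P POSTROUTING ACCEPT
               ;;
            filter)
               "$IPTABLES" -t filter -P INPUT ACCEPT
               "$IPTABLES" -t filter -P FORWARD ACCEPT
               "$IPTABLES" -t filter -P OUTPUT ACCEPT
               ;;
         esac
      done < /proc/net/ip_tables_names
   fi

   # Fallback flush of the filter table (covers the case where the table list
   # could not be read); harmless when the loop above already emptied it.
   "$IPTABLES" -F

   eend $?
}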

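#######################################
# Print the filter and nat tables with counters and rule numbers.
# Globals: IPTABLES (read)
# Returns: non-zero if either listing failed (not only the last one)
#######################################
showstatus() {
   local rv=0

   ebegin "Status"

   "$IPTABLES" -L -n -v --line-numbers || rv=$?

   einfo "NAT status"

   "$IPTABLES" -t nat -L -n -v --line-numbers || rv=$?

   eend "$rv"
}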

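#######################################
# Emergency lockdown: drop everything except loopback traffic.
# Globals: IPTABLES (read)
# Returns: status of the last iptables call
#######################################
panic() {
   ebegin "Setting panic rules"

   # Policies first, then flush: stop() may have left the policies at ACCEPT,
   # and flushing before switching to DROP would open a permissive window.
   "$IPTABLES" -P INPUT   DROP
   "$IPTABLES" -P OUTPUT  DROP
   "$IPTABLES" -P FORWARD DROP

   # Filter table: flush all chains, then remove the user-defined ones.
   "$IPTABLES" -F
   "$IPTABLES" -X

   # nat is flushed only; its user-defined chains and the mangle table are left as they are.
   "$IPTABLES" -t nat -F

   # Loopback stays usable so local services keep talking to each other.
   "$IPTABLES" -A INPUT -i lo -j ACCEPT
   "$IPTABLES" -A OUTPUT -o lo -j ACCEPT

   eend $?
}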

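#######################################
# Dump the current ruleset to ${FIREWALL} with iptables-save.
# Globals: IPTABLESSAVE, SAVE_RESTORE_OPTIONS, FIREWALL (read; the latter two are
#          presumably set in the service's conf.d file)
# Returns: 1 when FIREWALL is unset, else the status of iptables-save
#######################################
save() {
   ebegin "Saving iptables state"

   if [ -z "${FIREWALL}" ]; then
      # With an empty target the redirection below would fail with "ambiguous redirect".
      eend 1 "FIREWALL is not set, nothing saved"
      return 1
   fi

   # SAVE_RESTORE_OPTIONS is deliberately unquoted: it may carry several options.
   "$IPTABLESSAVE" $SAVE_RESTORE_OPTIONS > "${FIREWALL}"

   eend $?
}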

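#######################################
# Load the ruleset saved in ${FIREWALL} with iptables-restore.
# iptables-restore replaces the content of every table present in the file, so the
# file defines the complete policy: it should be owned by and writable only by root.
# Globals: IPTABLESRESTORE, FIREWALL (read)
# Returns: 1 when the file is missing, else the status of iptables-restore
#######################################
restore() {
   ebegin "Restoring Firewall rules"

   if [ ! -f "${FIREWALL}" ]; then
      eend 1 "saved ruleset '${FIREWALL}' not found, nothing restored"
      return 1
   fi

   "$IPTABLESRESTORE" < "${FIREWALL}"

   eend $?
}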

# Restart through runscript's own service wrappers so its state bookkeeping stays
# consistent. The start is attempted even when the stop reported an error.
restart() {
   svc_stop
   svc_start
}

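#######################################
# Print the usage text. The command list must match the "opts" variable at the
# top of the script and what start() actually does (it always rebuilds the rules;
# it does not restore a saved file).
# Globals: FIREWALL (read)
#######################################
showoptions() {
   echo "Usage: $0 {start|stop|restart|rules|save|restore|panic|showstatus|showoptions}"
   echo "start)       delete all rules, then apply the rules defined in this script"
   echo "stop)        delete all rules and set every policy to ACCEPT (nothing is filtered)"
   echo "restart)     stop followed by start"
   echo "rules)       force settings of new rules"
   echo "save)        will store settings in ${FIREWALL}"
   echo "restore)     will restore settings from ${FIREWALL}"
   echo "panic)       drop everything except loopback traffic"
   echo "showstatus)  Shows the status"
   echo "showoptions) print this text"
}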
```

----------

## utang

Es funktioniert leider nicht, selbst wenn ich nur versuche, den Port des Routers zu öffnen ... irgendwo ist da ein Fehler, auf den ich nicht komme ...  :Sad: 

----------

## moe

Hast du denn irgendwo einen Port für MLDonkey (fürs edonkey-Netz) geöffnet? Ich sehe da irgendwie nur den GUI-Port für sancho..

----------

