
    Troubleshooting iptables script


    I've got the following script, but I've got some problems. I've tried a lot of
    permissions. I don't know what permissions you really need.

    I've put my iptables script in my /etc/init.d as rc.firewall.iptables

    Can someone please help me?

    I've also tried #!/bin/bash; maybe there is something wrong with it?

    thanks a lot already
    #!/bin/sh

    ################################################## ################################################## ###############
    #
    # $Id: firewall.iptables,v 1.39 2004/04/12
    #
    ################################################## ################################################## ###############

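    #######################################
    # Print a coloured status word for one step's exit status and keep a
    # running failure count.
    # Globals:   i (read and written) - running sum of the statuses passed
    #            in; treated as 0 when unset or empty.
    # Arguments: $1 - exit status of the step just run: 0 prints OK,
    #            1 prints Failed, 2 prints "Fatal Error: 2"; anything else
    #            prints "Fatal Error: ?".
    # Outputs:   the status word wrapped in ANSI colour codes, on stdout.
    # Returns:   the updated value of i.
    # Note:      callers in this file run it as err=`testresult $?` and then
    #            read i=$?, so the update to i happens in a subshell and the
    #            count only reaches the caller through the exit status.
    # Portability: the script is #!/bin/sh, so no `function` keyword, no
    #            `let` and no `echo -e` (dash's echo has no -e and would
    #            print it literally); printf handles the escapes portably.
    #######################################
    testresult() {
      i=$(( ${i:-0} + ${1:-0} ))
      case "$1" in
        0)
          printf '\033[40m\033[1;32mOK\033[0m\n'
          ;;
        1)
          printf '\033[40m\033[1;31mFailed\033[0m\n'
          ;;
        2)
          printf '\033[40m\033[1;31mFatal Error: 2\033[0m\n'
          ;;
        *)
          printf '\033[40m\033[1;31mFatal Error: ?\033[0m\n'
          ;;
      esac
      return "$i"
    }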


    case "$1" in

    ################################################## ################################################## ###############
    ################################################## ################################################## ###############
    start)


    ################################################## ################################################## ###############
    # ++++++++++++
    # GENERAL
    # ++++++++++++

    datum=`date +'%b %d %k:%M:%S'`;
    echo "$datum Starten firewall iptables ..." | tee -a /var/log/messages

    echo -en " Laden modules: "


    #

    #
    # 1.1 Internet Configuration.
    #

    INET_IP="xxx.xxx.xxx.xxx"
    INET_IFACE="eth1"
    INET_BROADCAST="xxx.xxx.xxx.xxx"


    #
    # 1.2 Local Area Network configuration.
    #
    # your LAN's IP range and localhost IP. /24 means to only use the first 24
    # bits of the 32 bit IP address. the same as netmask 255.255.255.0
    #

    LAN_IP="192.168.0.5"
    LAN_IP_RANGE="192.168.0.0/16"
    LAN_IFACE="eth0"

    #
    # 1.3 DMZ Configuration.
    #

    UNPRIVPORTS="1024:65535"

    #
    # 1.4 Localhost Configuration.
    #

    LO_IFACE="lo"
    LO_IP="127.0.0.1"

    #
    # 1.5 IPTables Configuration.
    #

    IPTABLES="/sbin/iptables"

    #
    # 1.6 Other Configuration.
    #

    VNC_IP="192.168.0.4"

    #
    # 1.7 Masq. Machine IP
    #

    MASQ_IP=192.168.200.20

    #
    # 1.8 VNC-server port

    VNC_PORT=5901

    #
    # 1.9 Setting limit levels for logging
    #

    limit1="-m limit --limit 1/s"
    limit2="-m limit --limit 10/minute"
    limit3="-m limit --limit 20/s"
    log="-j LOG --log-level 5 --log-prefix"
    ################################################## #########################
    #
    # 2. Module loading.
    #

    #
    # Needed to initially load modules
    #

    /sbin/depmod -a

    #
    # 2.1 Required modules
    #

    /sbin/modprobe ip_tables
    /sbin/modprobe ip_conntrack
    /sbin/modprobe iptable_filter
    /sbin/modprobe iptable_mangle
    /sbin/modprobe iptable_nat
    /sbin/modprobe ipt_LOG
    /sbin/modprobe ipt_limit
    /sbin/modprobe ipt_state
    /sbin/modprobe ipt_TOS
    /sbin/modprobe ipt_REDIRECT
    /sbin/modprobe ipt_REJECT
    /sbin/modprobe ipt_MASQUERADE
    /sbin/modprobe ipt_tos
    /sbin/modprobe ipt_nat_ftp
    /sbin/modprobe ipt_conntrack_ftp

    #
    # 2.2 NON Required modules
    #

    /sbin/modprobe ip_conntrack_irc
    /sbin/modprobe ip_queue
    /sbin/modprobe ip_nat_irc
    /sbin/modprobe ipt_limit
    /sbin/modprobe ipt_multiport
    /sbin/modprobe ipt_mark
    /sbin/modprobe ipt_mac
    /sbin/modprobe ipt_owner
    /sbin/modprobe ipt_tcpmss
    /sbin/modprobe ipt_unclean
    /sbin/modprobe ipt_ttl
    /sbin/modprobe ipt_length
    /sbin/modprobe ipt_TCPMSS
    /sbin/modprobe ipt_MIRROR
    /sbin/modprobe ipt_MARK
    /sbin/modprobe ipt_ULOG

    #
    # 2.3 Create New Chains
    #

    $IPTABLES -N CHECK &&
    $IPTABLES -N BLOCK &&
    $IPTABLES -N LOG-FORWARD &&
    $IPTABLES -N LOG-INPUT &&
    $IPTABLES -N LOG-OUTPUT &&
    $IPTABLES -N LDROP
    err=`testresult $?`
    i=$?
    echo "Creating new chains ... $err";

    #
    # 2.4 Setting kernel parameters
    #

    #
    # 2.4.1 Enable IP FORWARDING
    #

    echo 1 > /proc/sys/net/ipv4/ip_forward

    #
    # 2.4.2 Enable Syn Cookies protection in kernel
    #

    echo 1 > /proc/sys/net/ipv4/tcp_syncookies

    #
    # 2.4.3 ICMP Dead Error Messages Protection
    #

    echo 1 > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses

    #
    # 2.4.4 Set the maximum number of connections to track
    #

    echo 2048 > /proc/sys/net/ipv4/ip_conntrack_max

    #
    # 2.4.5 Enable response to ping (ICMP echo)
    #

    echo 0 > /proc/sys/net/ipv4/icmp_echo_ignore_all

    #
    # 2.4.6 Disable response to broadcasts
    #

    echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts

    #
    # 2.4.7 Reduce DoS'ing ability by reducing timeouts
    #

    echo 10 > /proc/sys/net/ipv4/tcp_fin_timout
    echo 1800 > /proc/sys/net/ipv4/tcp_keepalive_time
    echo 0 > /proc/sys/net/ipv4/tcp_window_scaling
    echo 0 > /proc/sys/net/ipv4/tcp_sack

    #
    # 2.4.8 Set out local port range
    #
    echo "32768 61000" > /proc/sys/net/ipv4/ip_local_port_range

    #
    # 2.4.9 Time To Live (TTL)
    #

    echo 64 > /proc/sys/net/ipv4/ip_default_ttl

    #
    # 2.4.10 Increase the default queuelength. (Kernel default: 1024)
    #

    echo > 2048 /proc/sys/net/ipv4/ip_queue_maxlen

    #
    # 2.4.11 Turn on source address verification in kernel
    #

    for interface in /proc/sys/net/ipv4/conf/*/rp_filter; do
    echo 1 > $interface;
    done

    #
    # 2.4.12 Disable ICMP redirect acceptance
    #

    for interface in /proc/sys/net/ipv4/conf/*/accept_redirects; do
    echo 0 > $interface;
    done

    #
    # 2.4.13 Disable ICMP send_redirects
    #

    for interface in /proc/sys/net/ipv4/conf/*/send_redirects; do
    echo 0 > $interface;
    done

    #
    # 2.4.14 Log spoofed packets, source routed packets, redirect packets
    #

    for interface in /proc/sys/net/ipv4/conf/*/log_martians; do
    echo 1 > $interface;
    done

    echo "Initialiseren kernelparameters ... $err";

    #
    # 2.5.0 Unclean packet check
    #

    $IPTABLES -A CHECK -m unclean $limit2 $log "UNCLEAN: " &&
    $IPTABLES -A CHECK -m unclean $-j DROP &&
    err=`testresult $?`
    i=$?
    echo "Activeren UNCLEAN check ... $err";

    #
    # 2.5.1 Check for invalid packets
    #

    $IPTABLES -A CHECK -m state --state INVALID $limit2 $log "INVALID; " &&
    $IPTABLES -A CHECK -m state --state INVALID -j DROP &&

    #
    # 2.5.2 NMAP FN/URG/PSH - XMAS - scan
    #

    $IPTABLES -A CHECK -p tcp --tcp-flags ALL FIN,URG,PSH $limit2 $log "NMAP-XMAS: " &&
    $IPTABLES -A CHECK -p tcp --tcp-flags ALL FIN,URG,PSH -j DROP &&

    #
    # 2.5.3 SYN/RST - scan
    #

    $IPTABLES -A CHECK -p tcp --tcp-flags ALL SYN,RST SYN,RST $limit2 $log "SYN/RST: " &&
    $IPTABLES -A CHECK -p tcp --tcp-flags ALL SYN,RST SYN,RST -j DROP &&

    #
    # 2.5.4 SYN/FIN -- scan(Waarschijnlijk)
    #

    $IPTABLES -A CHECK -p tcp --tcp-flags SYN,FIN SYN,FIN $limit2 $log "SYN/FIN: " &&
    $IPTABLES -A CHECK -p tcp --tcp-flags SYN,FIN SYN,FIN $limit2 -j DROP &&

    #
    # 2.5.5 FIN - scan
    #

    $IPTABLES -A CHECK -p tcp --tcp-flags ALL FIN $limit2 $log "FIN: " &&
    $IPTABLES -A CHECK -p tcp --tcp-flags ALL FIN -j DROP &&

    #
    # 2.5.6 ALL/ALL - scan
    #

    $IPTABLES -A CHECK -p tcp --tcp-flags ALL ALL $limit2 $log "ALL/ALL: " &&
    $IPTABLES -A CHECK -p tcp --tcp-flags ALL ALL -j DROP &&

    #
    # 2.5.7 NULL - scan
    #

    $IPTABLES -A CHECK -p tcp --tcp-flags ALL NONE $limit2 $log "NULL: " &&
    $IPTABLES -A CHECK -p tcp --tcp-flags ALL NONE -j DROP &&

    #
    # 2.5.8 SPOOFING:
    #

    $IPTABLES -A CHECK -s 0.0.0.0 $log "SPOOFING: " &&
    $IPTABLES -A CHECK -s 255.255.255.255 $log "SPOOFING: " &&
    $IPTABLES -A CHECK -s 0.0.0.0 -j LDROP &&
    $IPTABLES -A CHECK -s 255.255.255.255 -j LDROP &&

    #
    # 2.5.9 SPOOFING CLASS:
    #

    $IPTABLES -A CHECK -s 10.0.0.0/8 $log "SPOOFING A CLASS: " &&
    $IPTABLES -A CHECK -s 172.16.0.0/12 $log "SPOOFING B CLASS: " &&
    $IPTABLES -A CHECK -s 192.168.0.0/16 $log "SPOOFING C CLASS: " &&
    $IPTABLES -A CHECK -s 224.0.0.0/4 $log "SPOOFING D CLASS: " &&
    $IPTABLES -A CHECK -s 240.0.0.0/5 $log "SPOOFING E CLASS: " &&
    $IPTABLES -A CHECK -s 169.254.0.0/16 $log "SPOOFING F CLASS: " &&

    $IPTABLES -A CHECK -s 10.0.0.0/8 -j LDROP &&
    $IPTABLES -A CHECK -s 172.16.0.0/12 -j LDROP &&
    $IPTABLES -A CHECK -s 192.168.0.0/16 -j LDROP &&
    $IPTABLES -A CHECK -s 224.0.0.0/4 -j LDROP &&
    $IPTABLES -A CHECK -s 240.0.0.0/5 -j LDROP &&
    $IPTABLES -A CHECK -s 169.254.0.0/16 -j LDROP

    err=`testresult $?`
    i=$?
    echo "Activeren general check chain (1) ... $err";

    #
    # 2.5.10 Block all ip addresses reserved by IANA (for the time being)
    # this changes regulary, see http://www.iana.org/assignments/ipv4-address-space
    # Updated 01 Dec 2001
    #

    RESERVED_NET="
    0.0.0.0/8 1.0.0.0/8 2.0.0.0/8 \
    5.0.0.0/8 \
    7.0.0.0/8 \
    23.0.0.0/8 \
    27.0.0.0/8 \
    31.0.0.0/8 \
    36.0.0.0/8 37.0.0.0/8 \
    39.0.0.0/8 \
    41.0.0.0/8 42.0.0.0/8 \
    58.0.0.0/8 59.0.0.0/8 60.0.0.0/8 \
    69.0.0.0/8 70.0.0.0/8 71.0.0.0/8 72.0.0.0/8 73.0.0.0/8 \
    74.0.0.0/8 75.0.0.0/8 76.0.0.0/8 77.0.0.0/8 78.0.0.0/8 79.0.0.0/8 \
    82.0.0.0/8 83.0.0.0/8 84.0.0.0/8 85.0.0.0/8 86.0.0.0/8 87.0.0.0/8 \
    88.0.0.0/8 89.0.0.0/8 90.0.0.0/8 91.0.0.0/8 92.0.0.0/8 93.0.0.0/8 94.0.0.0/8 \
    95.0.0.0/8 96.0.0.0/8 97.0.0.0/8 98.0.0.0/8 99.0.0.0/8 100.0.0.0/8 101.0.0.0/8 \
    102.0.0.0/8 103.0.0.0/8 104.0.0.0/8 105.0.0.0/8 106.0.0.0/8 107.0.0.0/8 \
    108.0.0.0/8 109.0.0.0/8 110.0.0.0/8 111.0.0.0/8 112.0.0.0/8 113.0.0.0/8 \
    114.0.0.0/8 115.0.0.0/8 116.0.0.0/8 117.0.0.0/8 118.0.0.0/8 119.0.0.0/8 \
    120.0.0.0/8 121.0.0.0/8 122.0.0.0/8 123.0.0.0/8 124.0.0.0/8 125.0.0.0/8 \
    126.0.0.0/8 127.0.0.0/8 \
    197.0.0.0/8 \
    221.0.0.0/8 222.0.0.0/8 223.0.0.0/8 \
    224.0.0.0/8 225.0.0.0/8 226.0.0.0/8 227.0.0.0/8 228.0.0.0/8 229.0.0.0/8 \
    230.0.0.0/8 231.0.0.0/8 232.0.0.0/8 233.0.0.0/8 234.0.0.0/8 235.0.0.0/8 \
    236.0.0.0/8 237.0.0.0/8 238.0.0.0/8 239.0.0.0/8 \
    240.0.0.0/8 241.0.0.0/8 242.0.0.0/8 243.0.0.0/8 244.0.0.0/8 245.0.0.0/8 \
    246.0.0.0/8 247.0.0.0/8 248.0.0.0/8 249.0.0.0/8 250.0.0.0/8 251.0.0.0/8 \
    252.0.0.0/8 253.0.0.0/8 254.0.0.0/8 255.0.0.0/8"

    a=0
    for NET in $RESERVED_NET; do
    $IPTABLES -A CHECK -s $NET $log "IANA: " &&
    $IPTABLES -A CHECK -s $NET $NET -j LDROP &&
    if [ $? != 0 ]; then
    a=1
    break;
    fi
    done;

    err=`testresult $?`
    i=$?
    echo "Activeren general check chain (2) ... $err";

    fi;

    #
    # 2.6 BLOCK
    #

    #
    # 2.6.1 Weigeren van sommige common ports
    #

    common_ports_refused="1080 1984 2000 2049 3128 6000:6063 8080 10000"

    a=0

    for common_ports in $common_ports_refused;
    do
    $IPTABLES -A BLOCK -p tcp -i INET_IFACE --dport $common_ports -j LOG-INPUT &&
    if [ $? != 0 ]; then
    a=1
    break;
    fi
    done;
    err=`testresult $?`
    i=$?

    echo "Weigeren connectie naar common ports ... $err";

    #
    # 2.6.2 Weigeren van Trojan porten
    #

    # Block Subseven (1.7/1.9) 1243 / 6711:6713
    # Block Backdoor-G and Subseven (2.X) 1999 / 6776 / 27374
    # Block NetBus 12345:12346
    # Block NetBus 2 Pro 20034
    # Block Stacheldraht 16660 / 60001 / 65000
    # Block Back Orifice, Deep BO 31337:31338
    # Block Back Orifice 2K 54320:54321
    # Block Trinity v3\n 33270
    # Block Trin00 1524 / 27444 / 27665 / 31335
    # Block Cheeseworm 10008

    trojan_ports="1243 6711:6713 1999 6776 27374 12345:12346 20034 16660 60001 \
    65000 31337:31338 54320:54321 33270 1524 27444 27665 31335 10008"

    a= 0
    for trojans in $trojan_ports;
    do
    $IPTABLES -A BLOCK -p tcp -i INET_IFACE --dport $trojans -j LOG-INPUT &&
    if [ $? != 0 ]; then
    a=1
    break;
    fi
    done;
    err=`testresult $?`
    i=$?
    echo "Blokkeer Trojans ... $err";

    $IPTABLES -A BLOCK -j ACCEPT

    #
    # 2.7 PREROUTING
    #
    echo;

    #
    # 2.7.1 Setting default policies
    #

    $IPTABLES -t nat -p PREROUTING ACCEPT
    err=`testresult $?`
    i=$?
    echo "Zetten van standaard PREROUTING ... $err";

    #
    # 2.7.4 Zetten van voorbeeld portforwarding, kijk ook naar FORWARD section
    #

    a=0
    for net in $abnamro_net; do
    $path_iptables -t nat -A PREROUTING -p tcp -i $INET_IFACE -s $net -d $ext_ip --dport 1025:1500 -j DNAT --to $MASQ_IP &&
    if [ $? != 0 ]; then
    a=1
    break;
    fi
    done;
    err=`testresult $?`
    i=$?
    echo "PREROUTING - ABNAMRO - homenet ... $err";

    #
    # 2.7.5 Regels om TOS waarden van packetjes te mangle door de FIREWALL
    #

    $IPTABLES -t mangle -A PREROUTING -p tcp --dport 20 -j TOS --set-tos Maximize-Throughput &&
    $IPTABLES -t mangle -A PREROUTING -p tcp --dport 21 -j TOS --set-tos Minimize-Delay &&
    $IPTABLES -t mangle -A PREROUTING -p tcp --dport 22 -j TOS --set-tos Minimize-Delay &&
    $IPTABLES -t mangle -A PREROUTING -p tcp --dport 23 -j TOS --set-tos Minimize-Delay &&
    $IPTABLES -t mangle -A PREROUTING -p tcp --dport 25 -j TOS --set-tos Minimize-Delay &&
    $IPTABLES -t mangle -A PREROUTING -p tcp --dport 53 -j TOS --set-tos Minimize-Delay &&
    $IPTABLES -t mangle -A PREROUTING -p tcp --dport 67 -j TOS --set-tos Minimize-Delay &&
    $IPTABLES -t mangle -A PREROUTING -p tcp --dport 80 -j TOS --set-tos Maximize-Throughput &&
    $IPTABLES -t mangle -A PREROUTING -p tcp --dport 110 -j TOS --set-tos Maximize-Throughput &&
    $IPTABLES -t mangle -A PREROUTING -p tcp --dport 113 -j TOS --set-tos Minimize-Delay &&
    $IPTABLES -t mangle -A PREROUTING -p tcp --dport 123 -j TOS --set-tos Minimize-Delay &&
    $IPTABLES -t mangle -A PREROUTING -p tcp --dport 143 -j TOS --set-tos Maximize-Throughput &&
    $IPTABLES -t mangle -A PREROUTING -p tcp --dport 443 -j TOS --set-tos Maximize-Throughput &&
    $IPTABLES -t mangle -A PREROUTING -p tcp --dport 993 -j TOS --set-tos Maximize-Throughput &&
    $IPTABLES -t mangle -A PREROUTING -p tcp --dport 995 -j TOS --set-tos Maximize-Throughput &&
    $IPTABLES -t mangle -A PREROUTING -p tcp --dport 1080 -j TOS --set-tos Minimize-Delay &&
    $IPTABLES -t mangle -A PREROUTING -p tcp --dport 6000:6063 -j TOS --set-tos Maximize-Throughput &&
    err=`testresult $?`
    i=$?
    echo "MANGLE - TOS PREROUTING ... $err";

    #
    # 2.8 FORWARDING
    #

    echo;

    #
    # 2.8.1 Zetten van default policy
    #

    $IPTABLES -P FORWARD DROP
    err=`testresult $?`
    i=$?
    echo "Zetten van default policy FORWARD ... $err";

    #
    # 2.8.2 Besides MTU, there is yet another way to set the maximum size, the so called Maximum segment.
    # This is a field in the TCP Options part of a SYN packet.
    # The good thing about this is that by setting the MSS value, you are telling the remote side unequivocally
    # 'do not ever try to send me packets bigger than this value'. No ICMP traffic is needed to get this to work.
    # In order for this to work you need at least iptables-1.2.1a and Linux 2.4.3 or higher. The basic commandline is:
    #

    $IPTABLES -A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu

    #
    # 2.8.3 The first thing you want to do is log and drop any suspicious packets:
    #

    $IPTABLES -A FORWARD -i $INET_IFACE -j CHECK &&
    err=`testresult $?`
    i=$?
    echo "Activeren general check FORWARD ... $err";

    #
    # 2.8.4 Allow forwarding of all protocolls incoming on the external interface
    # to lan if the connection is initiated by the LAN (LAN = Local Area Network)
    #

    $IPTABLES -A FORWARD -i $INET_IFACE -m state --state ESTABLISHED,RELATED -j ACCEPT

    #
    # 2.8.5 Allow forwarding of all protocols incoming on the local interface coming from the local network
    #

    $IPTABLES -A FORWARD -i $LAN_IFACE -o $INET_IFACE -s $LAN_IP_RANGE -j ACCEPT

    #
    # 2.8.6 Example rule portforwarding, enable also rule in PREROUTING Section
    #

    $IPTABLES -A FORWARD -p tcp -i $INET_IFACE -o $LAN_IFACE -d $MASQ_IP --dport 21 -m state --state NEW -j ACCEPT

    #
    # 2.8.7 ABN-AMRO Homenet
    #

    a=0
    for net in $abnamro_net; do
    $IPTABLES -A FORWARD -p tcp -i $INET_IFACE -s $net --sport ftp-data -d $MASQ_IP --dport 1025:1500 -m state --state NEW -j ACCEPT &&
    if [ $? != 0 ]; then
    a=1
    break;
    fi
    done;
    err=`testresult $?`
    i=$?
    echo "FORWARD - ABNAMRO homenet ... $err";

    #
    # 2.9 INPUT
    #

    echo;

    #
    # 2.9.1 Setting default policy
    #

    $IPTABLES -P INPUT DROP
    err=`testresult $?`
    i=$?
    echo "Setting default policy INPUT ... $err";

    #
    # 2.9.2 The first thing you want to do is log and drop any suspicious packets:
    #

    $IPTABLES -A INPUT -i $INET_IFACE -j CHECK &&
    err=`testresult $?`
    i=$?
    echo "Activeren general check INPUT ... $err";

    #
    # 2.9.3 Loopback
    #

    $IPTABLES -A INPUT -i lo -j ACCEPT

    #
    # 2.9.4 DHCP
    #

    $IPTABLES -A INPUT -p udp -i $INET_IFACE --sport bootpc --dport bootps -j ACCEPT
    $IPTABLES -A INPUT -p udp -i $INET_IFACE --sport bootps --dport bootpc -j ACCEPT

    #
    # 2.10 INPUT External
    #

    echo;

    #
    # 2.10.1 Accept incoming packets on external interface that are related to connections made by the server
    #

    $IPTABLES -A INPUT -i $INET_IFACE -d $INET_IP -m state --state ESTABLISHED,RELATED -j ACCEPT

    #
    # 2.10.2 Reject new connections not started with SYN packet on external interface
    #

    $IPTABLES -A INPUT -p tcp -i $INET_IFACE -d $INET_IP -m state --state NEW ! --syn -j LDROP

    #
    # 2.10.3 FTP incoming
    #

    $IPTABLES -A INPUT -p tcp -i $INET_IFACE -d $INET_IP --dport ftp -m state --state NEW -j ACCEPT
    err=`testresult $?`
    i=$?
    echo "EXT -FTP ... $err";

    #
    # 2.10.4 SSH Incoming
    #

    $IPTABLES -A INPUT -p tcp -i $INET_IFACE -d $INET_IP --dport ssh -m state --state NEW -j ACCEPT
    err=`testresult $?`
    i=$?
    echo "EXT - SSH ... $err";

    #
    # 2.10.5 TELNET Incoming
    #

    # $IPTABLES -A INPUT -p tcp -i $INET_IFACE -d $INET_IP --dport telnet -m state --state NEW -j ACCEPT
    # err=`testresult $?`
    # i=$?
    # echo "EXT - TELNET Incoming

    #
    # 2.10.6 SMTP Incoming
    #

    $IPTABLES -A INPUT -p tcp -i $INET_IFACE -d $INET_IP --dport smtp -m state --state NEW -j ACCEPT
    err=`testresult $?`
    i=$?
    echo "EXT - SMTP ... $err";

    #
    # 2.10.7 HTTP Incoming when running own Webserver
    #

    # $IPTABLES -A INPUT -p tcp -i $INET_IFACE -d $INET_IP --dport http -m state --state NEW -j ACCEPT
    # err=`testresult $?`
    # i=$?
    # echo "EXT - HTTP ... $err";

    #
    # 2.10.8 DNS Incoming when running own DNS server
    #

    # $IPTABLES -A INPUT -p tcp -i $INET_IFACE -d $INET_IP --dport domain -m state --state NEW -j ACCEPT
    # err=`testresult $?`
    # i=$?
    # echo "EXT - DNS ... $err";

    #
    # 2.10.9 POP3 Incoming when running own pop3 server
    #

    # $IPTABLES -A INPUT -p tcp -i $INET_IFACE -d $INET_IP --dport pop3 -m state --state NEW -j ACCEPT
    # err=`testresult $?`
    # i=$?
    # echo "EXT - POP3 ... $err";

    #
    # 2.10.10 AUTH Incoming when running own ident-server
    #

    # $IPTABLES -A INPUT -p tcp -i $INET_IFACE -d $INET_IP --dport auth -m state --state NEW -j ACCEPT
    # err=`testresult $?`
    # i=$?
    # echo "EXT - AUTH ... $err";

    #
    # 2.10.11 When you're not runnig AUTH Incoming then use following rulez:
    #

    $IPTABLES -A INPUT -p tcp -i $INET_IFACE -d $INET_IP --dport auth -m state --state NEW -j REJECT --reject-with tcp-reset
    err=`testresult $?`
    i=$?
    echo "EXT - reject AUTH ... $err";

    #
    # 2.10.12 IMAP Incoming when running own IMAP-Server
    #

    # $IPTABLES -A INPUT -p tcp -i $INET_IFACE -d $INET_IP --dport imap -m state --state NEW -j ACCEPT
    # err=`testresult $?`
    # i=$?
    # echo "EXT - IMAP ... $err";

    #
    # 2.10.13 HTTPS Incoming when running won HTTPS server
    #

    # $IPTABLES -A INPUT -p tcp -i $INET_IFACE -d $INET_IP --dport https -m state --state NEW -j ACCEPT
    # err=`testresult $?`
    # i=$?
    # echo "EXT - HTTP Secure ... $err";

    #
    # 2.10.14 IMAP SSL Incoming when running own IMAP server with SSL
    #

    # $IPTABLES -A INPUT -p tcp -i $INET_IFACE -d $INET_IP --dport imaps -m state --state NEW -j ACCEPT
    # err=`testresult $?`
    # i=$?
    # echo "EXT - IMAP Secure ... $err";

    #
    # 2.10.15 POP3 Incoming when running own server with SSL
    #

    # $IPTABLES -A INPUT -p tcp -i $INET_IFACE -d $INET_IP --dport pop3s -m state --state NEW -j ACCEPT
    # err=`testresult $?`
    # i=$?
    # echo "EXT - POP3 Secure ... $err";

    #
    # 2.10.16 VNC Incoming when running own VNC server
    #

    $IPTABLES -A INPUT -p tcp -i $INET_IFACE -d $INET_IP --dport 5901 -m state --state NEW -j ACCEPT
    err=`testresult $?`
    i=$?
    echo "EXT - VNC ... $err";

    #
    # 2.10.17 WEBMIN Incoming when running own WEBMIN Server
    #

    # $IPTABLES -A INPUT -p tcp -i $INET_IFACE -d $INET_IP --dport 10000 -m state --state NEW -j ACCEPT
    # err=`testresult $?`
    # i=$?
    # echo "EXT - WEBMIN ... $err";

    #
    # 2.10.18 ICQ incoming
    #

    $IPTABLES -A INPUT -p tcp -i $INET_IFACE --sport $UNPRIVPORTS -d $INET_IP --dport $UNPRIVPORTS -m state --state NEW -j BLOCK
    err=`testresult $?`
    i=$?
    echo "EXT - ICQ-filetransfer all ... Caution, opens ALL unpriv_ports !!! ... $err";

    #
    # 2.11 INPUT Local
    #

    echo;

    #
    # 2.11.1 Accept packages for our subnet, we trust our local network (LAN)
    #

    $IPTABLES -A INPUT -i ! $INET_IFACE -s $LAN_IP_RANGE -j ACCEPT
    err=`testresult $?`
    i=$?
    echo "LOCAL - TOTAL LAN ... $err";

    #
    # 2.11.2 Accept incoming packets on local interface that are related to connections made by the server
    #

    $IPTABLES -A INPUT -i $LAN_IFACE -s $LAN_IP_RANGE -d $LAN_IP -m state --state ESTABLISHED,RELATED -j ACCEPT

    #
    # 2.11.3 ICMP incoming local
    #

    $IPTABLES -A INPUT -p icmp --icmp-type 8 -i $LAN_IFACE -s $LAN_IP_RANGE -d $LAN_IP -m state --state NEW $limit1 -j ACCEPT
    err=`testresult $?`
    i=$?
    echo "LOCAL - accept incoming pings ... $err";

    #
    # 2.11.4 UDP incoming local
    #

    $IPTABLES -A INPUT -p udp -i $LAN_IFACE -s $LAN_IP_RANGE -m state --state NEW -j ACCEPT
    err=`testresult $?`
    i=$?
    echo "LOCAL - UDP accept ... $err";

    #
    # 2.11.5 FTP Incoming - open port 21 (active and passive)
    #

    $IPTABLES -A INPUT -p tcp -i $LAN_IFACE -s $LAN_IP_RANGE -d $LAN_IP --dport ftp -m state --state NEW -j ACCEPT
    err=`testresult $?`
    i=$?
    echo "LOCAL - FTP ... $err";

    #
    # 2.11.6 SSH Incoming local
    #

    $IPTABLES -A INPUT -p tcp -i $LAN_IP -s $LAN_IP_RANGE -d $LAN_IP --dport ssh -m state --state NEW -j ACCEPT
    err=`testresult $?`
    i=$?
    echo "LOCAL - SSH ... $err";

    #
    # 2.11.7 TELNET Incoming local
    #

    # $IPTABLES -A INPUT -p tcp -i $LAN_IFACE -s $LAN_IP_RANGE -d $LAN_IP --dport telnet -m state --state NEW -j ACCEPT
    # err=`testresult $?`
    # i=$?
    # echo "LOCAL - TELNET ... $err";

    #
    # 2.11.8 SMTP Incoming local
    #

    $IPTABLES -A INPUT -p tcp -i $LAN_IFACE -s $LAN_IP_RANGE -d $LAN_IP --dport smtp -m state --state NEW -j ACCEPT
    err=`testresult $?`
    i=$?
    echo "LOCAL - SMTP ... $err";

    #
    # 2.11.9 DNS Incoming local when running own DNS - Server
    #

    # $IPTABLES -A INPUT -p tcp -i $LAN_IFACE -s $LAN_IP_RANGE -d $LAN_IP --dport domain -m state --state NEW -j ACCEPT
    # err=`testresult $?`
    # i=$?
    # echo "LOCAL - DNS ... $err";

    #
    # 2.11.10 HTTP Incoming local when running own Webserver
    #

    # $IPTABLES -A INPUT -p tcp -i $LAN_IFACE -s $LAN_IP_RANGE -d $LAN_IP --dport http -m state --state NEW -j ACCEPT
    # err=`testresult $?`
    # i=$?
    # echo "LOCAL - HTTP ... $err";

    #
    # 2.11.11 POP3 Incoming local when running own POP3 Server
    #

    # $IPTABLES -A INPUT -p tcp -i $LAN_IFACE -s $LAN_IP_RANGE -d $LAN_IP --dport pop3 -m state --state NEW -j ACCEPT
    # err=`testresult $?`
    # i=$?
    # echo "LOCAL - POP3 ... $err";

    #
    # 2.11.12 Portmapper Incoming local when running NFS -server
    #

    # $IPTABLES -A INPUT -p tcp -i $LAN_IFACE -s $LAN_IP_RANGE -d $LAN_IP --dport portmapper -m state --state NEW -j ACCEPT
    # err=`testresult $?`
    # i=$?
    # echo "LOCAL - PORTMAPPER ... $err";

    #
    # 2.11.13 NETBIOS-NS Incoming Local
    #

    $IPTABLES -A INPUT -p tcp -i $LAN_IFACE -s $LAN_IP_RANGE -d $LAN_IP --dport netbios-ns -m state --state NEW -j ACCEPT
    err=`testresult $?`
    i=$?
    echo "LOCAL - NETBIOS-NS ... $err";

    #
    # 2.11.14 NETBIOS-DGM Incoming local
    #

    $IPTABLES -A INPUT -p tcp -i $LAN_IFACE -s $LAN_IP_RANGE -d $LAN_IP --dport netbios-dgm -m state --state NEW -j ACCEPT
    err=`testresult $?`
    i=$?
    echo "LOCAL - NETBIOS-DGM ... $err";

    #
    # 2.11.15 NETBIOS-SSN Incoming local
    #

    $IPTABLES -A INPUT -p tcp -i $LAN_IFACE -s $LAN_IP_RANGE -d $LAN_IP --dport netbios-ssn -m state --state NEW -j ACCEPT
    err=`testresult $?`
    i=$?
    echo "LOCAL - NETBIOS-SSN ... $err";

    #
    # 2.11.16 IMAP Incoming local when running own IMAP Server
    #

    # $IPTABLES -A INPUT -p tcp -i $LAN_IFACE -s $LAN_IP_RANGE -d $LAN_IP --dport imap -m state --state NEW -j ACCEPT
    # err=`testresult $?`
    # i=$?
    # echo "LOCAL - IMAP ... $err";

    #
    # 2.11.17 HTTPS Incoming local when running own HTTPS Server
    #

    # $IPTABLES -A INPUT -p tcp -i $LAN_IFACE -s $LAN_IP_RANGE -d $LAN_IP --dport https -m state --state NEW -j ACCEPT
    # err=`testresult $?`
    # i=$?
    # echo "LOCAL - HTTP Secure ... $err";

    #
    # 2.11.18 SWAT (Samba Web Administration Tool) Incoming local
    #

    # $IPTABLES -A INPUT -p tcp -i $LAN_IFACE -s $LAN_IP_RANGE -d $LAN_IP --dport swat -m state --state NEW -j ACCEPT
    # err=`testresult $?`
    # i=$?
    # echo "LOCAL - SWAT ... $err";

    #
    # 2.11.19 IMAP SSL Incoming Local
    #

    # $IPTABLES -A INPUT -p tcp -i $LAN_IFACE -s $LAN_IP_RANGE -d $LAN_IP --dport imaps -m state --state NEW -j ACCEPT
    # err=`testresult $?`
    # i=$?
    # echo "LOCAL - IMAP Secure ... $err";

    #
    # 2.11.20 POP3 SSL Incoming local
    #

    # $IPTABLES -A INPUT -p tcp -i $LAN_IFACE -s $LAN_IP_RANGE -d $LAN_IP --dport pop3s -m state --state NEW -j ACCEPT
    # err=`testresult $?`
    # i=$?
    # echo "LOCAL - POP3 Secure ... $err";

    #
    # 2.11.21 SOCKS Incoming local
    #

    # $IPTABLES -A INPUT -p tcp -i $LAN_IFACE -s $LAN_IP_RANGE -d $LAN_IP --dport socks -m state --state NEW -j ACCEPT
    # err=`testresult $?`
    # i=$?
    # echo "LOCAL - SOCKS ... $err";

    #
    # 2.11.22 SQUID Incoming local
    #

    # $IPTABLES -A INPUT -p tcp -i $LAN_IFACE -s $LAN_IP_RANGE -d $LAN_IP --dport 3128 -m state --state NEW -j ACCEPT
    # err=`testresult $?`
    # i=$?
    # echo "LOCAL - SQUID ... $err";

    #
    # 2.11.23 VNC Incoming local
    #

    $IPTABLES -A INPUT -p tcp -i $LAN_IFACE -s $LAN_IP_RANGE -d $LAN_IP --dport 5901 -m state --state NEW -j ACCEPT
    err=`testresult $?`
    i=$?
    echo "LOCAL - VNC ... $err";

    #
    # 2.11.24 WEBMIN Incoming local
    #

    # $IPTABLES -A INPUT -p tcp -i $LAN_IFACE -s $LAN_IP_RANGE -d $LAN_IP --dport 10000 -m state --state NEW -j ACCEPT
    # err=`testresult $?`
    # i=$?
    # echo "LOCAL - WEBMIN ... $err";

    #
    # 2.11.25 Make sure clients can visit there own server on the external IP address
    #

    $IPTABLES -A INPUT -p tcp -i $LAN_IFACE -s $LAN_IP_RANGE -d $INET_IP -j ACCEPT

    #
    # 2.12 OUTPUT
    #

    echo;

    #
    # 2.12.1 Setting default policy
    #

    $IPTABLES -P OUTPUT DROP
    err=`testresult $?`
    i=$?
    echo "Setting default policy OUTPUT ... $err";

    #
    # 2.12.2 The first thing you want to do is log and drop any suspicous packets
    #

    $IPTABLES -A OUTPUT -o $INET_IFACE -j CHECK &&
    err=`testresult $?`
    i=$?
    echo "Activeren general check OUTPUT ... $err";

    #
    # 2.12.3 Loopback
    #

    $IPTABLES -A OUTPUT -o lo -j ACCEPT

    #
    # 2.12.4 DHCP
    #

    $IPTABLES -A OUTPUT -p udp -o $LAN_IFACE --sport bootps --dport bootpc -j ACCEPT
    $IPTABLES -A OUTPUT -p udp -o $INET_IFACE --sport bootps --dport bootpc -j ACCEPT

    #
    # 2.13 OUTPUT EXTERNAL
    #

    echo;

    #
    # 2.13.1 Accept outgoing packets on external interface that are related to connections made by the outside world
    #

    $IPTABLES -A OUTPUT -o $INET_IFACE -s $INET_IP -m state --state ESTABLISHED,RELATED -j ACCEPT

    #
    # 2.13.2 ICMP outgoing
    #

    $IPTABLES -A OUTPUT -p icmp --icmp-type 8 -o $INET_IFACE -s $INET_IP -m state --state NEW -j ACCEPT
    err=`testresult $?`
    i=$?
    echo "EXT - accept outgoing pings ... $err";

    #
    # 2.13.3 DNS Outgoing
    #

    $IPTABLES -A OUTPUT -p udp -o $INET_IFACE -s $INET_IP --dport domain -m state --state NEW -j ACCEPT
    err=`testresult $?`
    i=$?
    echo "EXT - allow outgoing dns queries ... $err";

    #
    # 2.13.4 NTP Outgoing
    #

    $IPTABLES -A OUTPUT -p udp -o $INET_IFACE -s $INET_IP --dport ntp -m state --state NEW -j ACCEPT
    err=`testresult $?`
    i=$?
    echo "EXT - NTP ... $err";

    #
    # 2.13.5 SMTP Outgoing
    #

    $IPTABLES -A OUTPUT -p tcp -o $INET_IFACE -s $INET_IP --dport smtp -m state --state NEW -j ACCEPT
    err=`testresult $?`
    i=$?
    echo "EXT - SMTP outgoing ... $err";

    #
    # 2.13.6 AUTH Outgoing
    #

    $path_iptables -A OUTPUT -p tcp -o $INET_IFACE -s $INET_IP --sport auth -m state --state NEW -j ACCEPT
    err=`testresult $?`
    i=$?
    echo "EXT - AUTH outgoing ... $err";

    #
    # 2.13.7 AUTH not Outgoing
    #

    # $IPTABLES -A OUTPUT -p tcp -o $INET_IFACE -s $INET_IP --sport auth -j REJECT --reject-with tcp-reset
    # err=`testresult $?`
    # i=$?
    # echo "EXT - reject AUTH outgoing ... $err";

    #
    # 2.13.8 GENERAL Outgoing
    #

    $IPTABLES -A OUTPUT -p udp -o $INET_IFACE -s $INET_IP --sport $UNPRIVPORTS -m state --state NEW -j ACCEPT
    $IPTABLES -A OUTPUT -p tcp -o $INET_IFACE -s $INET_IP --sport $UNPRIVPORTS -m state --state NEW -j ACCEPT

    #
    # 2.14 OUTPUT Local
    #

    echo;

    #
    # 2.14.1 Accept outgoing packets on local interface that are related to connections made by client to the server
    #

    $IPTABLES -A OUTPUT -o ! $INET_IFACE -d $LAN_IP_RANGE -j ACCEPT
    err=`testresult $?`
    i=$?
    echo "LOCAL - TOTAL LAN outgoing ... $err";

    #
    # 2.14.2 ICMP Outgoing
    #

    $IPTABLES -A OUTPUT -p icmp --icmp-type 8 -o $LAN_IFACE -s $LAN_IP -m state --state NEW -j ACCEPT
    err=`testresult $?`
    i=$?
    echo "LOCAL - accept outgoing pings ... $err";

    #
    # 2.14.3 DNS local outgoing
    #

    $IPTABLES -A OUTPUT -p udp -o $LAN_IFACE -s $LAN_IP -d $LAN_IP_RANGE --sport domain -m state --state NEW -j ACCEPT
    err=`testresult $?`
    i=$?
    echo "LOCAL - allow outgoing dns queries ... $err";

    #
    # 2.14.4 Netbios local communications
    #

    $IPTABLES -A OUTPUT -p udp -o $LAN_IFACE -s $LAN_IP -d $LAN_IP_RANGE --dport netbios-ns -m state --state NEW -j ACCEPT &&
    $IPTABLES -A OUTPUT -p udp -o $LAN_IFACE -s $LAN_IP -d $LAN_IP_RANGE --dport netbios-dgm -m state --state NEW -j ACCEPT &&
    err=`testresult $?`
    i=$?
    echo "LOCAL - allow local netbios communication ... $err";

    #
    # 2.14.5 Making connections to client-shares via samba
    #

    $IPTABLES -A OUTPUT -p tcp -o $LAN_IFACE -s $LAN_IP -d $LAN_IP_RANGE --dport netbios-ssn -m state --state NEW -j ACCEPT
    err=`testresult $?`
    i=$?
    echo "LOCAL - NETBIOS-SSN outgoing ... $err";

    #
    # 2.14.6 AUTH Outgoing
    #

    $IPTABLES -A OUTPUT -p tcp -o $LAN_IFACE -s $LAN_IP -d $LAN_IP_RANGE --dport auth -j ACCEPT
    err=`testresult $?`
    i=$?
    echo "LOCAL - AUTH outgoing ... $err";

    #
    # 2.14.7 AUTH Not Outgoing
    #

    # $IPTABLES -A OUTPUT -p tcp -o $LAN_IFACE -s $LAN_IP -d $LAN_IP_RANGE --dport auth -j REJECT --reject-with tcp-reset
    # err=`testresult $?`
    # i=$?
    # echo "LOCAL - reject AUTH outgoing ... $err";

    #
    # 2.14.8 Make sure clients can visit their own server on the external IP address
    #

    $IPTABLES -A OUTPUT -p tcp -o $LAN_IFACE -s $INET_IP -d $LAN_IP_RANGE -j ACCEPT

    #
    # 2.15 MANGLE OUTPUT
    #

    echo;

    #
    # 2.15.1 Setting default policy
    #

    $IPTABLES -t mangle -P OUTPUT ACCEPT
    err=`testresult $?`
    i=$?
    echo "Setting default policy MANGLE-OUTPUT ... $err";

    #
    # TOS table
    # Options:
    # Normal-Service = 0 (0x00)
    # Minimize-Cost = 2 (0x02)
    # Maximize-Reliability = 4 (0x04)
    # Maximize-Throughput = 8 (0x08)
    # Minimize-Delay = 16 (0x10)
    #
    # ToS: Client Applications; data => tos_client
    # Most of these are the RFC 1060/1349 suggested TOS values, yours might vary.
    # To view mangle table, type: iptables -L -t mangle
    #

    #
    # 2.15.2 Mangle values of packets created locally
    #

    $IPTABLES -t mangle -A OUTPUT -p tcp --dport 20 -j TOS --set-tos Maximize-Throughput &&
    $IPTABLES -t mangle -A OUTPUT -p tcp --dport 21 -j TOS --set-tos Minimize-Delay &&
    $IPTABLES -t mangle -A OUTPUT -p tcp --dport 22 -j TOS --set-tos Minimize-Delay &&
    $IPTABLES -t mangle -A OUTPUT -p tcp --dport 23 -j TOS --set-tos Minimize-Delay &&
    $IPTABLES -t mangle -A OUTPUT -p tcp --dport 25 -j TOS --set-tos Minimize-Delay &&
    $IPTABLES -t mangle -A OUTPUT -p udp --dport 53 -j TOS --set-tos Minimize-Delay &&
    $IPTABLES -t mangle -A OUTPUT -p tcp --dport 67 -j TOS --set-tos Minimize-Delay &&
    $IPTABLES -t mangle -A OUTPUT -p tcp --dport 80 -j TOS --set-tos Maximize-Throughput &&
    $IPTABLES -t mangle -A OUTPUT -p tcp --dport 110 -j TOS --set-tos Maximize-Throughput &&
    $IPTABLES -t mangle -A OUTPUT -p tcp --dport 113 -j TOS --set-tos Minimize-Delay &&
    $IPTABLES -t mangle -A OUTPUT -p tcp --dport 123 -j TOS --set-tos Minimize-Delay &&
    $IPTABLES -t mangle -A OUTPUT -p tcp --dport 143 -j TOS --set-tos Maximize-Throughput &&
    $IPTABLES -t mangle -A OUTPUT -p tcp --dport 443 -j TOS --set-tos Maximize-Throughput &&
    $IPTABLES -t mangle -A OUTPUT -p tcp --dport 993 -j TOS --set-tos Maximize-Throughput &&
    $IPTABLES -t mangle -A OUTPUT -p tcp --dport 995 -j TOS --set-tos Maximize-Throughput &&
    $IPTABLES -t mangle -A OUTPUT -p tcp --dport 1080 -j TOS --set-tos Minimize-Delay &&
    $IPTABLES -t mangle -A OUTPUT -p tcp --dport 6000:6063 -j TOS --set-tos Maximize-Throughput
    err=`testresult $?`
    i=$?
    echo "MANGLE - TOS OUTPUT ... $err";

    #
    # 2.15.3 Mark outgoing packets for traffic shaping (optional)
    #

    $IPTABLES -t mangle -I OUTPUT -m length --length 0:500 -j MARK --set-mark 1
    $IPTABLES -t mangle -I OUTPUT -m length --length 500:1500 -j MARK --set-mark 2

    #
    # 2.16 POSTROUTING
    #

    echo;

    #
    # 2.16.1 Setting default policies
    #

    $IPTABLES -t nat -P POSTROUTING ACCEPT
    err=`testresult $?`
    i=$?
    echo "Setting default policy POSTROUTING ... $err";

    #
    # 2.16.2 Change source addresses to external IP, packets leave firewall with external IP !
    #

    $IPTABLES -t nat -A POSTROUTING -o $INET_IFACE -j SNAT --to $INET_IP
    err=`testresult $?`
    i=$?
    echo "Enable SOURCE NAT ... $err";

    #
    # 2.17 LOG-FORWARD
    #

    echo;

    #
    # 2.17.1 All remaining packets in FORWARD chain are logged
    #

    $IPTABLES -A FORWARD -j LOG-FORWARD

    $IPTABLES -A LOG-FORWARD -p tcp $limit2 $log "TCP_Dropped_F: "
    $IPTABLES -A LOG-FORWARD -p udp $limit2 $log "UDP_Dropped_F: "
    $IPTABLES -A LOG-FORWARD -p icmp $limit2 $log "ICMP_Dropped_F: "
    $IPTABLES -A LOG-FORWARD -f $limit2 $log "FRAGMENT_Dropped_F: "
    $IPTABLES -A LOG-FORWARD -j LDROP

    #
    # 2.18 LOG-INPUT
    #

    echo;

    #
    # 2.18.1 All remaining packets in INPUT chain are logged
    #

    $IPTABLES -A INPUT -j LOG-INPUT

    $IPTABLES -A LOG-INPUT -p tcp $limit2 $log "TCP_Dropped_I: "
    $IPTABLES -A LOG-INPUT -p udp $limit2 $log "UDP_Dropped_I: "
    $IPTABLES -A LOG-INPUT -p icmp $limit2 $log "ICMP_Dropped_I: "
    $IPTABLES -A LOG-INPUT -f $limit2 $log "FRAGMENT_Dropped_I: "
    $IPTABLES -A LOG-INPUT -j LDROP

    #
    # 2.19 LOG-OUTPUT
    #

    echo;

    #
    # 2.19.1 All remaining packets in OUTPUT chain are logged
    #

    $IPTABLES -A OUTPUT -j LOG-OUTPUT

    $IPTABLES -A LOG-OUTPUT -p tcp $limit2 $log "TCP_Dropped_O: "
    $IPTABLES -A LOG-OUTPUT -p udp $limit2 $log "UDP_Dropped_O: "
    $IPTABLES -A LOG-OUTPUT -p icmp $limit2 $log "ICMP_Dropped_O: "
    $IPTABLES -A LOG-OUTPUT -f $limit2 $log "FRAGMENT_Dropped_O: "
    $IPTABLES -A LOG-OUTPUT -j LDROP

    #
    # 2.20 LDROP
    #

    echo;

    #
    # 2.20.1 All other incoming, forwarded and outgoing traffic is denied and logged.
    #

    $IPTABLES -A LDROP -j DROP

    echo;

    if [ "$i" -gt "0" ]; then
    echo "Firewall error" >> /var/log/messages
    echo -e "$datum \033[40m\033[1;31mErrors detected in bringing up firewall!\033[0m" | tee -a /var/log/messages
    echo -e "$datum \033[40m\033[1;31mCheck your configuration.\033[0m" | tee -a /var/log/messages
    else
    echo -e "$datum \033[40m\033[1;32mFirewall is up without errors!\033[0m" | tee -a /var/log/messages
    echo;
    fi


    ;;

    ################################################## ################################################## ######################################
    ################################################## ################################################## ######################################
    stop)

    # Tear the firewall down: flush every rule, delete every user-defined chain
    # and reset the default policies to ACCEPT. After this arm has run the host
    # passes traffic unfiltered until "start" is run again, which is what the
    # WARNING line below announces. None of the iptables calls in this arm has
    # its exit status checked (unlike the testresult pattern used under start),
    # so a failing flush or policy reset goes unreported.
    echo;
    datum=`date +'%b %d %k:%M:%S'`;
    echo "$datum Shutting down firewall and masquerading" | tee -a /var/log/messages
    echo "$datum WARNING: YOUR MACHINE IS NOW OPEN FOR ATTACKS!!!" | tee -a /var/log/messages
    echo;

    #
    # 3.1 Remove all existing rules belonging to this filter
    #
    # NOTE(review): -F without a chain name flushes every chain of the named
    # table, i.e. rules added by anything else on the box are removed as well,
    # not only the ones this script created.
    $IPTABLES -F
    $IPTABLES -t nat -F
    $IPTABLES -t mangle -F

    #
    # 3.2 Delete all user-defined chain to this filter
    #
    # -X with no argument deletes every (now empty) user-defined chain, which
    # includes LOG-INPUT, LOG-OUTPUT, LOG-FORWARD and LDROP from the start arm.
    $IPTABLES -X
    $IPTABLES -t nat -X
    $IPTABLES -t mangle -X

    #
    # 3.3 Reset the default policy of the filter to accept.
    #
    # Only the chains listed here are reset. Other built-in chains of the nat
    # and mangle tables (for example nat OUTPUT), if present on this kernel,
    # keep whatever policy they had before.
    $IPTABLES -P INPUT ACCEPT
    $IPTABLES -P OUTPUT ACCEPT
    $IPTABLES -P FORWARD ACCEPT
    $IPTABLES -t nat -P POSTROUTING ACCEPT
    $IPTABLES -t nat -P PREROUTING ACCEPT
    $IPTABLES -t mangle -P OUTPUT ACCEPT
    $IPTABLES -t mangle -P PREROUTING ACCEPT

    ;;

    ################################################## ################################################## ######################################
    ################################################## ################################################## ######################################
    status)

    # Print the current rule set with packet/byte counters (-v) and without
    # name resolution (-n). Without -t this shows the filter table only; the
    # nat and mangle rules installed by "start" would need "-t nat" / "-t mangle".
    $IPTABLES -v -n -L

    ;;


    ################################################## ################################################## ######################################
    ################################################## ################################################## ######################################
    restart)

    # Re-invoke this same script for "stop" and then "start". Between the two
    # calls the policies are ACCEPT (see the stop arm), so the host is
    # unfiltered for the duration of the start phase. The exit status of
    # neither call is checked, and $0 is expanded unquoted, so a script path
    # containing whitespace would not be re-invoked correctly.
    datum=`date +'%b %d %k:%M:%S'`;
    echo "$datum Firewall restart ..." | tee -a /var/log/messages
    $0 stop
    echo "-----------------------"
    $0 start

    ;;


    ################################################## ################################################## ######################################
    ################################################## ################################################## ######################################
    version)

    # Report the script's own version string: awk prints fields 3 and 4 of
    # every line of $path_firewall that contains "Id" (presumably the
    # revision-control $Id$ tag in the file header; $path_firewall is set
    # outside this arm — verify it points at this script). Because the pattern
    # is a bare /Id/, any other line containing "Id" is printed too.
    datum=`date +'%b %d %k:%M:%S'`;
    echo "**"
    echo "$datum * * Firewall version: `/bin/awk '/Id/ {print $3 $4}' $path_firewall`"

    ;;


    ################################################## ################################################## ######################################
    ################################################## ################################################## ######################################
    *)

    # ************************* WRONG PARAMETERS **************************
    # Any unknown (or missing) first argument lands here. Note that the usage
    # text goes to stdout and no non-zero exit status is set, so a caller
    # cannot distinguish a bad invocation from a successful one by status.
    echo;
    echo "Wrong parameter input!"
    echo "Usage: $0 {start|stop|restart|status|version}"

    ;;


    esac

    What I read of that looks kind of like the tutorial version of the NAT script, right?

    You need to run
    chmod +x scriptname

    Then, to get it to load at boot, you put /etc/init.d/scriptname in /etc/rc.d/rc.local

    Don't know. I took it from a Dutch DSL website.

    I don't want to use it when my system boots. I want to start it, stop it, etc.

    To make it executable, just run
    chmod +x scriptname
    where of course you replace scriptname with the path/name of the file.

    Then, to run it, type /path/to/script/scriptFile
    You don't technically stop it, but running "service iptables stop" should undo its settings.

    Just a point: if you don't know what that script does, why do you want to run it?

    To make it executable, just run
    chmod +x scriptname
    where of course you replace scriptname with the path/name of the file.

    Then, to run it, type /path/to/script/scriptFile
    You don't technically stop it, but running "service iptables stop" should undo its settings.

    Just a point: if you don't know what that script does, why do you want to run it?
