- 06-23-2004 #1 (Just Joined!, Join Date Apr 2004, Location egypt, Posts 8)
iptables: how can I apply my firewall to others
Hi all,
I'm a newbie in iptables,
so I made a test iptables script.
I applied it and it works for my machine,
but I want to apply it to another machine in my subnet,
so I made its default gateway my IP,
but it couldn't log on to the internet or ping any site.
So my network is 10.1.0.0/16
and this is my test script:
----------------------------------------------------------------------------------------------------------
#test script
#------------------------------------------------------------------------------------------------
EXTERNAL_INT="eth0" # Internet-connected interface
EXTERNAL_IP="10.1.1.33" # your IP address
EXTERNAL_SUBNET_BASE="255.255.0.0" # ISP network segment base address
EXTERNAL_SUBNET_BROADCAST="255.255.255.255" # network segment
# broadcast address
LOOPBACK="127.0.0.0/8" # loopback address
RESERVED_IP_10_SPACE="10.1.0.0/16" # RFC1918 10 space
# class A private networks
iptables="/sbin/iptables"
#---------------------------------------------------------------------------------------------------
$iptables --flush
$iptables -t nat --flush
$iptables -t mangle --flush
#---------------------------------------------------------------------------------------------
$iptables --delete-chain
$iptables -t nat --delete-chain
$iptables -t mangle --delete-chain
#---------------------------------------------------------------------------------------------
$iptables -A INPUT -j ACCEPT -p all -s 0/0 -i eth0
$iptables -A OUTPUT -j ACCEPT -p all -s 10.1.0.0/16 -o eth0
#------------------------------------------------------------------------------
$iptables --policy INPUT DROP
$iptables --policy OUTPUT DROP
#------------------------------------------------------------------------------------------
/sbin/depmod -a
# 2.1 Required modules
/sbin/modprobe ip_tables
/sbin/modprobe ip_conntrack
/sbin/modprobe iptable_filter
/sbin/modprobe iptable_mangle
/sbin/modprobe iptable_nat
/sbin/modprobe ipt_LOG
/sbin/modprobe ipt_limit
/sbin/modprobe ipt_state
# 2.2 Non-Required modules
/sbin/modprobe ipt_owner
/sbin/modprobe ipt_REJECT
/sbin/modprobe ipt_MASQUERADE
/sbin/modprobe ip_conntrack_ftp
/sbin/modprobe ip_conntrack_irc
/sbin/modprobe ip_nat_ftp
/sbin/modprobe ip_nat_irc
#-------------------------------------------------------------------------------------------
$iptables -A INPUT -i lo -j ACCEPT
$iptables -A OUTPUT -o lo -j ACCEPT
#-------------------------------------------------------------------------------------------
$iptables -A OUTPUT -p udp -o eth0 --dport 53 --sport 1024:65535 \
-j ACCEPT
$iptables -A INPUT -p udp -i eth0 --sport 53 --dport 1024:65535 \
-j ACCEPT
#-----------------------------------------------------------------------------
# Without a prefix length "-d 10.1.0.0" matches only the single host 10.1.0.0;
# the whole /16 is what the rest of the script uses.
$iptables -A INPUT -s 0/0 -i eth0 -d 10.1.0.0/16 -p TCP -j ACCEPT
$iptables -A OUTPUT -s 0/0 -o eth0 -d 10.1.0.0/16 -p TCP -j ACCEPT
#------------------------------------------------------------------------------
$iptables -A OUTPUT -p icmp --icmp-type echo-request -j ACCEPT
$iptables -A INPUT -p icmp --icmp-type echo-reply -j ACCEPT
--------------------------------------------------------------------------------------------------------
So can anyone help me apply the firewall to the other clients in my network?
Thanks for all.
- 06-23-2004 #2
If you want to use that ruleset on other boxen in your network, then just make it a bash script (add #!/bin/bash as the first line) and run it on the other boxen. If that's not what you want to do, then try to clarify.
"Time is an illusion. Lunchtime, doubly so."
~Douglas Adams, The Hitchhiker's Guide to the Galaxy
- 06-24-2004 #3 (Just Joined!, Join Date Apr 2004, Location egypt, Posts 8)
Yes, it's not what I want to do.
Mm, I really ran the script and it gave me the result I want on my local machine,
but I want to have it applied to another machine in my network.
So I changed the gateway of another machine in my subnet and made it my IP address,
but the script is not applied to that machine.
So I want to apply this script for that machine too.
I hope that you understood what I actually want,
and sorry for not explaining well last time,
and thanks for the help.
- 06-25-2004 #4 (Linux Newbie, Join Date Dec 2003, Location Netherlands, Posts 193)
First of all:
1. Did you specify DNS servers?
2. Did you enable IPv4 forwarding?
3. Did you use as gateway address the machine where your internet connection is?
Also, you didn't specify any rules for your LAN.
This is an example for you to work further with.
This is one rule you certainly need:
echo 1 > /proc/sys/net/ipv4/ip_forward
#!/bin/bash
# bash rather than sh: the script uses "function", "let" and "echo -e"
#################################################################################################################
function testresult {
let i=i+$1
case $1 in
'0')
echo -e "\033[40m\033[1;32mOK\033[0m"
;;
'1')
echo -e "\033[40m\033[1;31mFailed\033[0m"
;;
'2')
echo -e "\033[40m\033[1;31mFatal Error: 2\033[0m"
;;
*)
echo -e "\033[40m\033[1;31mFatal Error: ?\033[0m"
;;
esac
return $i
}
case "$1" in
#################################################################################################################
#################################################################################################################
start)
#################################################################################################################
# ++++++++++++
# GENERAL
# ++++++++++++
datum=`date +'%b %d %k:%M:%S'`;
echo "$datum Starten firewall iptables ..." | tee -a /var/log/messages
echo -en " Laden modules: "
#
# 1.0 Flushing and deleting existing rules, setting counters to zero
#
# $IPTABLES -F &&
# $IPTABLES -X &&
# $IPTABLES -t nat -F &&
# $IPTABLES -t nat -X &&
# $IPTABLES -t mangle -F &&
# $IPTABLES -t mangle -X
# err=`testresult $?`
# i=$?
# echo "Flushing and clearing rules ... $err";
#
# 1.1 Internet Configuration.
#
INET_IP="xxx.xxx.xxx.xxx" # Internet IP address
INET_IFACE="eth1" # Device internet adapter
INET_BROADCAST="xxx.xxx.xxx.xxx" # broadcast address from your provider
#
# 1.2 Local Area Network configuration.
#
# your LAN's IP range and localhost IP. /24 means to only use the first 24
# bits of the 32 bit IP address. the same as netmask 255.255.255.0
#
LAN_IP="192.168.0.5"
LAN_IP_RANGE="192.168.0.0/16"
LAN_IFACE="eth0"
#
# 1.3 DMZ Configuration.
#
UNPRIVPORTS="1024:65535"
#
# 1.4 Localhost Configuration.
#
LO_IFACE="lo"
LO_IP="127.0.0.1"
#
# 1.5 IPTables Configuration.
#
IPTABLES="/sbin/iptables"
$IPTABLES -F &&
$IPTABLES -X &&
$IPTABLES -t nat -F &&
$IPTABLES -t nat -X &&
$IPTABLES -t mangle -F &&
$IPTABLES -t mangle -X
err=`testresult $?`
i=$?
echo "Flushing and clearing rules ... $err";
#
# 1.6 Other Configuration.
#
VNC_IP="192.168.0.4"
#
# 1.7 Masq. Machine IP
#
MASQ_IP="192.168.200.20"
#
# 1.8 VNC-server port
VNC_PORT="5901"
#
# 1.9 Setting limit levels for logging
#
limit1="-m limit --limit 1/s"
limit2="-m limit --limit 10/minute"
limit3="-m limit --limit 20/s"
log="-j LOG --log-level 5 --log-prefix"
############################################################################
#
# 2. Module loading.
#
#
# Needed to initially load modules
#
/sbin/depmod -a
#
# 2.1 Required modules
#
/sbin/modprobe ip_tables
/sbin/modprobe ip_conntrack
/sbin/modprobe iptable_filter
/sbin/modprobe iptable_mangle
/sbin/modprobe iptable_nat
/sbin/modprobe ipt_LOG
/sbin/modprobe ipt_limit
/sbin/modprobe ipt_state
/sbin/modprobe ipt_TOS
/sbin/modprobe ipt_REDIRECT
/sbin/modprobe ipt_REJECT
/sbin/modprobe ipt_MASQUERADE
/sbin/modprobe ipt_tos
/sbin/modprobe ip_nat_ftp
/sbin/modprobe ip_conntrack_ftp
#
# 2.2 NON Required modules
#
/sbin/modprobe ip_conntrack_irc
/sbin/modprobe ip_queue
/sbin/modprobe ip_nat_irc
/sbin/modprobe ipt_limit
/sbin/modprobe ipt_multiport
/sbin/modprobe ipt_mark
/sbin/modprobe ipt_mac
/sbin/modprobe ipt_owner
/sbin/modprobe ipt_tcpmss
/sbin/modprobe ipt_unclean
/sbin/modprobe ipt_ttl
/sbin/modprobe ipt_length
/sbin/modprobe ipt_TCPMSS
/sbin/modprobe ipt_MIRROR
/sbin/modprobe ipt_MARK
/sbin/modprobe ipt_ULOG
#
# 2.3 Create New Chains
#
$IPTABLES -N CHECK &&
$IPTABLES -N BLOCK &&
$IPTABLES -N LOG-FORWARD &&
$IPTABLES -N LOG-INPUT &&
$IPTABLES -N LOG-OUTPUT &&
$IPTABLES -N LDROP
err=`testresult $?`
i=$?
echo "Creating new chains ... $err";
#
# 2.4 Setting kernel parameters
#
#
# 2.4.1 Enable IP FORWARDING
#
echo 1 > /proc/sys/net/ipv4/ip_forward
#
# 2.4.2 Enable Syn Cookies protection in kernel
#
echo 1 > /proc/sys/net/ipv4/tcp_syncookies
#
# 2.4.3 ICMP Dead Error Messages Protection
#
echo 1 > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses
#
# 2.4.4 Set the maximum number of connections to track
#
echo 2048 > /proc/sys/net/ipv4/ip_conntrack_max
#
# 2.4.5 Enable response to ping (ICMP echo)
#
echo 0 > /proc/sys/net/ipv4/icmp_echo_ignore_all
#
# 2.4.6 Disable response to broadcasts
#
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
#
# 2.4.7 Reduce DoS'ing ability by reducing timeouts
#
echo 10 > /proc/sys/net/ipv4/tcp_fin_timeout
echo 1800 > /proc/sys/net/ipv4/tcp_keepalive_time
echo 0 > /proc/sys/net/ipv4/tcp_window_scaling
echo 0 > /proc/sys/net/ipv4/tcp_sack
#
# 2.4.8 Set our local port range
#
echo "32768 61000" > /proc/sys/net/ipv4/ip_local_port_range
#
# 2.4.9 Time To Live (TTL)
#
echo 64 > /proc/sys/net/ipv4/ip_default_ttl
#
# 2.4.10 Increase the default queuelength. (Kernel default: 1024)
#
# the value must come before the redirection, otherwise the line creates a file named "2048"
echo 2048 > /proc/sys/net/ipv4/ip_queue_maxlen
#
# 2.4.11 Turn on source address verification in kernel
#
for interface in /proc/sys/net/ipv4/conf/*/rp_filter; do
echo 1 > $interface;
done
#
# 2.4.12 Disable ICMP redirect acceptance
#
for interface in /proc/sys/net/ipv4/conf/*/accept_redirects; do
echo 0 > $interface;
done
#
# 2.4.13 Disable ICMP send_redirects
#
for interface in /proc/sys/net/ipv4/conf/*/send_redirects; do
echo 0 > $interface;
done
#
# 2.4.14 Log spoofed packets, source routed packets, redirect packets
#
for interface in /proc/sys/net/ipv4/conf/*/log_martians; do
echo 1 > $interface;
done
echo "Initialiseren kernelparameters ... $err";
#
# 2.5.0 Unclean packet check
#
$IPTABLES -A CHECK -m unclean $limit2 $log "UNCLEAN: " &&
$IPTABLES -A CHECK -m unclean -j DROP &&
err=`testresult $?`
i=$?
echo "Activeren UNCLEAN check ... $err";
#
# 2.5.1 Check for invalid packets
#
$IPTABLES -A CHECK -m state --state INVALID $limit2 $log "INVALID; " &&
$IPTABLES -A CHECK -m state --state INVALID -j DROP &&
#
# 2.5.2 NMAP FN/URG/PSH - XMAS - scan
#
$IPTABLES -A CHECK -p tcp --tcp-flags ALL FIN,URG,PSH $limit2 $log "NMAP-XMAS: " &&
$IPTABLES -A CHECK -p tcp --tcp-flags ALL FIN,URG,PSH -j DROP &&
#
# 2.5.3 SYN/RST - scan
#
$IPTABLES -A CHECK -p tcp --tcp-flags SYN,RST SYN,RST $limit2 $log "SYN/RST: " &&
$IPTABLES -A CHECK -p tcp --tcp-flags SYN,RST SYN,RST -j DROP &&
#
# 2.5.4 SYN/FIN -- scan (probably)
#
$IPTABLES -A CHECK -p tcp --tcp-flags SYN,FIN SYN,FIN $limit2 $log "SYN/FIN: " &&
$IPTABLES -A CHECK -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP &&
#
# 2.5.5 FIN - scan
#
$IPTABLES -A CHECK -p tcp --tcp-flags ALL FIN $limit2 $log "FIN: " &&
$IPTABLES -A CHECK -p tcp --tcp-flags ALL FIN -j DROP &&
#
# 2.5.6 ALL/ALL - scan
#
$IPTABLES -A CHECK -p tcp --tcp-flags ALL ALL $limit2 $log "ALL/ALL: " &&
$IPTABLES -A CHECK -p tcp --tcp-flags ALL ALL -j DROP &&
#
# 2.5.7 NULL - scan
#
$IPTABLES -A CHECK -p tcp --tcp-flags ALL NONE $limit2 $log "NULL: " &&
$IPTABLES -A CHECK -p tcp --tcp-flags ALL NONE -j DROP &&
#
# 2.5.8 SPOOFING:
#
$IPTABLES -A CHECK -s 0.0.0.0 $log "SPOOFING: " &&
$IPTABLES -A CHECK -s 255.255.255.255 $log "SPOOFING: " &&
$IPTABLES -A CHECK -s 0.0.0.0 -j LDROP &&
$IPTABLES -A CHECK -s 255.255.255.255 -j LDROP &&
#
# 2.5.9 SPOOFING CLASS:
#
$IPTABLES -A CHECK -s 10.0.0.0/8 $log "SPOOFING A CLASS: " &&
$IPTABLES -A CHECK -s 172.16.0.0/12 $log "SPOOFING B CLASS: " &&
$IPTABLES -A CHECK -s 192.168.0.0/16 $log "SPOOFING C CLASS: " &&
$IPTABLES -A CHECK -s 224.0.0.0/4 $log "SPOOFING D CLASS: " &&
$IPTABLES -A CHECK -s 240.0.0.0/5 $log "SPOOFING E CLASS: " &&
$IPTABLES -A CHECK -s 169.254.0.0/16 $log "SPOOFING F CLASS: " &&
$IPTABLES -A CHECK -s 10.0.0.0/8 -j LDROP &&
$IPTABLES -A CHECK -s 172.16.0.0/12 -j LDROP &&
$IPTABLES -A CHECK -s 192.168.0.0/16 -j LDROP &&
$IPTABLES -A CHECK -s 224.0.0.0/4 -j LDROP &&
$IPTABLES -A CHECK -s 240.0.0.0/5 -j LDROP &&
$IPTABLES -A CHECK -s 169.254.0.0/16 -j LDROP
err=`testresult $?`
i=$?
echo "Activeren general check chain (1) ... $err";
#
# 2.5.10 Block all ip addresses reserved by IANA (for the time being)
# this changes regularly, see http://www.iana.org/assignments/ipv4-address-space
# Updated 01 Dec 2001
#
RESERVED_NET="
0.0.0.0/8 1.0.0.0/8 2.0.0.0/8 \
5.0.0.0/8 \
7.0.0.0/8 \
23.0.0.0/8 \
27.0.0.0/8 \
31.0.0.0/8 \
36.0.0.0/8 37.0.0.0/8 \
39.0.0.0/8 \
41.0.0.0/8 42.0.0.0/8 \
58.0.0.0/8 59.0.0.0/8 60.0.0.0/8 \
69.0.0.0/8 70.0.0.0/8 71.0.0.0/8 72.0.0.0/8 73.0.0.0/8 \
74.0.0.0/8 75.0.0.0/8 76.0.0.0/8 77.0.0.0/8 78.0.0.0/8 79.0.0.0/8 \
82.0.0.0/8 83.0.0.0/8 84.0.0.0/8 85.0.0.0/8 86.0.0.0/8 87.0.0.0/8 \
88.0.0.0/8 89.0.0.0/8 90.0.0.0/8 91.0.0.0/8 92.0.0.0/8 93.0.0.0/8 94.0.0.0/8 \
95.0.0.0/8 96.0.0.0/8 97.0.0.0/8 98.0.0.0/8 99.0.0.0/8 100.0.0.0/8 101.0.0.0/8 \
102.0.0.0/8 103.0.0.0/8 104.0.0.0/8 105.0.0.0/8 106.0.0.0/8 107.0.0.0/8 \
108.0.0.0/8 109.0.0.0/8 110.0.0.0/8 111.0.0.0/8 112.0.0.0/8 113.0.0.0/8 \
114.0.0.0/8 115.0.0.0/8 116.0.0.0/8 117.0.0.0/8 118.0.0.0/8 119.0.0.0/8 \
120.0.0.0/8 121.0.0.0/8 122.0.0.0/8 123.0.0.0/8 124.0.0.0/8 125.0.0.0/8 \
126.0.0.0/8 127.0.0.0/8 \
197.0.0.0/8 \
221.0.0.0/8 222.0.0.0/8 223.0.0.0/8 \
224.0.0.0/8 225.0.0.0/8 226.0.0.0/8 227.0.0.0/8 228.0.0.0/8 229.0.0.0/8 \
230.0.0.0/8 231.0.0.0/8 232.0.0.0/8 233.0.0.0/8 234.0.0.0/8 235.0.0.0/8 \
236.0.0.0/8 237.0.0.0/8 238.0.0.0/8 239.0.0.0/8 \
240.0.0.0/8 241.0.0.0/8 242.0.0.0/8 243.0.0.0/8 244.0.0.0/8 245.0.0.0/8 \
246.0.0.0/8 247.0.0.0/8 248.0.0.0/8 249.0.0.0/8 250.0.0.0/8 251.0.0.0/8 \
252.0.0.0/8 253.0.0.0/8 254.0.0.0/8 255.0.0.0/8"
a=0
for NET in $RESERVED_NET; do
$IPTABLES -A CHECK -s $NET $log "IANA: " &&
$IPTABLES -A CHECK -s $NET -j LDROP &&
if [ $? != 0 ]; then
a=1
break;
fi
done;
err=`testresult $?`
i=$?
echo "Activeren general check chain (2) ... $err";
#
# 2.6 BLOCK
#
#
# 2.6.1 Refuse some common ports
#
common_ports_refused="1080 1984 2000 2049 3128 6000:6063 8080 10000"
a=0
for common_ports in $common_ports_refused;
do
$IPTABLES -A BLOCK -p tcp -i $INET_IFACE --dport $common_ports -j LOG-INPUT &&
if [ $? != 0 ]; then
a=1
break;
fi
done;
err=`testresult $?`
i=$?
echo "Weigeren connectie naar common ports ... $err";
#
# 2.6.2 Refuse Trojan ports
#
# Block Subseven (1.7/1.9) 1243 / 6711:6713
# Block Backdoor-G and Subseven (2.X) 1999 / 6776 / 27374
# Block NetBus 12345:12346
# Block NetBus 2 Pro 20034
# Block Stacheldraht 16660 / 60001 / 65000
# Block Back Orifice, Deep BO 31337:31338
# Block Back Orifice 2K 54320:54321
# Block Trinity v3\n 33270
# Block Trin00 1524 / 27444 / 27665 / 31335
# Block Cheeseworm 10008
# Block Gamserver.Net 12270 / 12203
trojan_ports="1243 6711:6713 1999 6776 27374 12345:12346 20034 16660 60001 \
65000 31337:31338 54320:54321 33270 1524 27444 27665 31335 10008 \
12203:12270"
a=0
for trojans in $trojan_ports;
do
$IPTABLES -A BLOCK -p tcp -i $INET_IFACE --dport $trojans -j LOG-INPUT &&
if [ $? != 0 ]; then
a=1
break;
fi
done;
err=`testresult $?`
i=$?
echo "Blokkeer Trojans ... $err";
$IPTABLES -A BLOCK -j ACCEPT
#
# 2.7 PREROUTING
#
echo;
#
# 2.7.1 Setting default policies
#
$IPTABLES -t nat -P PREROUTING ACCEPT
err=`testresult $?`
i=$?
echo "Zetten van standaard PREROUTING ... $err";
#
# 2.7.4 Example port forwarding, see also the FORWARD section
#
# $abnamro_net is not defined anywhere in this script; set it to the remote
# network(s) that may use this forwarding before enabling this section.
a=0
for net in $abnamro_net; do
$IPTABLES -t nat -A PREROUTING -p tcp -i $INET_IFACE -s $net -d $INET_IP --dport 1025:1500 -j DNAT --to $MASQ_IP &&
if [ $? != 0 ]; then
a=1
break;
fi
done;
err=`testresult $?`
i=$?
echo "PREROUTING - ABNAMRO - homenet ... $err";
#
# 2.7.4.1 PREROUTING for VNC forwarding
#
$IPTABLES -t nat -A PREROUTING -i $INET_IFACE -p tcp --dport 5900 -j DNAT --to-destination 192.168.0.4:5900
# DNAT is only valid in the nat table, so -t nat is required here as well
$IPTABLES -t nat -A PREROUTING -d 212.238.245.120 -p tcp -m tcp --dport 5900 -j DNAT --to-destination 192.168.0.4:5900
#
# 2.7.5 Rules to mangle the TOS values of packets passing through the FIREWALL
#
$IPTABLES -t mangle -A PREROUTING -p tcp --dport 20 -j TOS --set-tos Maximize-Throughput &&
$IPTABLES -t mangle -A PREROUTING -p tcp --dport 21 -j TOS --set-tos Minimize-Delay &&
$IPTABLES -t mangle -A PREROUTING -p tcp --dport 22 -j TOS --set-tos Minimize-Delay &&
$IPTABLES -t mangle -A PREROUTING -p tcp --dport 23 -j TOS --set-tos Minimize-Delay &&
$IPTABLES -t mangle -A PREROUTING -p tcp --dport 25 -j TOS --set-tos Minimize-Delay &&
$IPTABLES -t mangle -A PREROUTING -p tcp --dport 53 -j TOS --set-tos Minimize-Delay &&
$IPTABLES -t mangle -A PREROUTING -p tcp --dport 67 -j TOS --set-tos Minimize-Delay &&
$IPTABLES -t mangle -A PREROUTING -p tcp --dport 80 -j TOS --set-tos Maximize-Throughput &&
$IPTABLES -t mangle -A PREROUTING -p tcp --dport 110 -j TOS --set-tos Maximize-Throughput &&
$IPTABLES -t mangle -A PREROUTING -p tcp --dport 113 -j TOS --set-tos Minimize-Delay &&
$IPTABLES -t mangle -A PREROUTING -p tcp --dport 123 -j TOS --set-tos Minimize-Delay &&
$IPTABLES -t mangle -A PREROUTING -p tcp --dport 143 -j TOS --set-tos Maximize-Throughput &&
$IPTABLES -t mangle -A PREROUTING -p tcp --dport 443 -j TOS --set-tos Maximize-Throughput &&
$IPTABLES -t mangle -A PREROUTING -p tcp --dport 993 -j TOS --set-tos Maximize-Throughput &&
$IPTABLES -t mangle -A PREROUTING -p tcp --dport 995 -j TOS --set-tos Maximize-Throughput &&
$IPTABLES -t mangle -A PREROUTING -p tcp --dport 1080 -j TOS --set-tos Minimize-Delay &&
$IPTABLES -t mangle -A PREROUTING -p tcp --dport 6000:6063 -j TOS --set-tos Maximize-Throughput &&
$IPTABLES -t mangle -A PREROUTING -p tcp --dport 5900 -j TOS --set-tos Minimize-Delay &&
err=`testresult $?`
i=$?
echo "MANGLE - TOS PREROUTING ... $err";
#
# 2.8 FORWARDING
#
echo;
#
# 2.8.1 Setting default policy
#
$IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT &&
$IPTABLES -P FORWARD DROP &&
err=`testresult $?`
i=$?
echo "Zetten van default policy FORWARD ... $err";
#
# 2.8.2 Besides MTU, there is yet another way to set the maximum size, the so called Maximum segment.
# This is a field in the TCP Options part of a SYN packet.
# The good thing about this is that by setting the MSS value, you are telling the remote side unequivocally
# 'do not ever try to send me packets bigger than this value'. No ICMP traffic is needed to get this to work.
# In order for this to work you need at least iptables-1.2.1a and Linux 2.4.3 or higher. The basic commandline is:
#
$IPTABLES -A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
#
# 2.8.3 The first thing you want to do is log and drop any suspicious packets:
#
$IPTABLES -A FORWARD -i $INET_IFACE -j CHECK &&
err=`testresult $?`
i=$?
echo "Activeren general check FORWARD ... $err";
#
# 2.8.4 Allow forwarding of all protocols incoming on the external interface
# to lan if the connection is initiated by the LAN (LAN = Local Area Network)
#
$IPTABLES -A FORWARD -i $INET_IFACE -m state --state ESTABLISHED,RELATED -j ACCEPT
#
# 2.8.5 Allow forwarding of all protocols incoming on the local interface coming from the local network
#
$IPTABLES -A FORWARD -i $LAN_IFACE -o $INET_IFACE -s $LAN_IP_RANGE -j ACCEPT
#
# 2.8.6 Example rule portforwarding, enable also rule in PREROUTING Section
#
$IPTABLES -A FORWARD -p tcp -i $INET_IFACE -o $LAN_IFACE -d $MASQ_IP --dport 21 -m state --state NEW -j ACCEPT
#
# 2.8.6.1 VNC Portforwarding
#
# an interface name is matched with -i, not -s
$IPTABLES -A FORWARD -p tcp -m state --state NEW -i $INET_IFACE -d $VNC_IP --destination-port 5900 -j ACCEPT
#
# 2.8.7 ABN-AMRO Homenet
#
a=0
for net in $abnamro_net; do
$IPTABLES -A FORWARD -p tcp -i $INET_IFACE -s $net --sport ftp-data -d $MASQ_IP --dport 1025:1500 -m state --state NEW -j ACCEPT &&
if [ $? != 0 ]; then
a=1
break;
fi
done;
err=`testresult $?`
i=$?
echo "FORWARD - ABNAMRO homenet ... $err";
#
# 2.9 INPUT
#
echo;
#
# 2.9.1 Setting default policy
#
$IPTABLES -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT &&
$IPTABLES -P INPUT DROP &&
err=`testresult $?`
i=$?
echo "Setting default policy INPUT ... $err";
#
# 2.9.2 The first thing you want to do is log and drop any suspicious packets:
#
$IPTABLES -A INPUT -i $INET_IFACE -j CHECK &&
err=`testresult $?`
i=$?
echo "Activeren general check INPUT ... $err";
#
# 2.9.3 Loopback
#
$IPTABLES -A INPUT -i lo -j ACCEPT
#
# 2.9.4 DHCP
#
$IPTABLES -A INPUT -p udp -i $INET_IFACE --sport bootpc --dport bootps -j ACCEPT
$IPTABLES -A INPUT -p udp -i $INET_IFACE --sport bootps --dport bootpc -j ACCEPT
#
# 2.10 INPUT External
#
echo;
#
# 2.10.1 Accept incoming packets on external interface that are related to connections made by the server
#
$IPTABLES -A INPUT -i $INET_IFACE -d $INET_IP -m state --state ESTABLISHED,RELATED -j ACCEPT
#
# 2.10.2 Reject new connections not started with SYN packet on external interface
#
$IPTABLES -A INPUT -p tcp -i $INET_IFACE -d $INET_IP -m state --state NEW ! --syn -j LDROP
#
# 2.10.3 FTP incoming
#
$IPTABLES -A INPUT -p tcp -i $INET_IFACE -d $INET_IP --dport ftp -m state --state NEW -j ACCEPT
err=`testresult $?`
i=$?
echo "EXT -FTP ... $err";
#
# 2.10.4 SSH Incoming
#
$IPTABLES -A INPUT -p tcp -i $INET_IFACE -d $INET_IP --dport ssh -m state --state NEW -j ACCEPT
err=`testresult $?`
i=$?
echo "EXT - SSH ... $err";
#
# 2.10.5 TELNET Incoming
#
# $IPTABLES -A INPUT -p tcp -i $INET_IFACE -d $INET_IP --dport telnet -m state --state NEW -j ACCEPT
# err=`testresult $?`
# i=$?
# echo "EXT - TELNET Incoming
#
# 2.10.6 SMTP Incoming
#
$IPTABLES -A INPUT -p tcp -i $INET_IFACE -d $INET_IP --dport smtp -m state --state NEW -j ACCEPT
err=`testresult $?`
i=$?
echo "EXT - SMTP ... $err";
#
# 2.10.7 HTTP Incoming when running own Webserver
#
# $IPTABLES -A INPUT -p tcp -i $INET_IFACE -d $INET_IP --dport http -m state --state NEW -j ACCEPT
# err=`testresult $?`
# i=$?
# echo "EXT - HTTP ... $err";
#
# 2.10.8 DNS Incoming when running own DNS server
#
# $IPTABLES -A INPUT -p tcp -i $INET_IFACE -d $INET_IP --dport domain -m state --state NEW -j ACCEPT
# err=`testresult $?`
# i=$?
# echo "EXT - DNS ... $err";
#
# 2.10.9 POP3 Incoming when running own pop3 server
#
# $IPTABLES -A INPUT -p tcp -i $INET_IFACE -d $INET_IP --dport pop3 -m state --state NEW -j ACCEPT
# err=`testresult $?`
# i=$?
# echo "EXT - POP3 ... $err";
#
# 2.10.10 AUTH Incoming when running own ident-server
#
# $IPTABLES -A INPUT -p tcp -i $INET_IFACE -d $INET_IP --dport auth -m state --state NEW -j ACCEPT
# err=`testresult $?`
# i=$?
# echo "EXT - AUTH ... $err";
#
# 2.10.11 When you're not running AUTH incoming, then use the following rule:
#
$IPTABLES -A INPUT -p tcp -i $INET_IFACE -d $INET_IP --dport auth -m state --state NEW -j REJECT --reject-with tcp-reset
err=`testresult $?`
i=$?
echo "EXT - reject AUTH ... $err";
#
# 2.10.12 IMAP Incoming when running own IMAP-Server
#
# $IPTABLES -A INPUT -p tcp -i $INET_IFACE -d $INET_IP --dport imap -m state --state NEW -j ACCEPT
# err=`testresult $?`
# i=$?
# echo "EXT - IMAP ... $err";
#
# 2.10.13 HTTPS Incoming when running own HTTPS server
#
# port 443 (https), not 80: this section is meant to open HTTPS only
$IPTABLES -A INPUT -p tcp -i $INET_IFACE -d $INET_IP --dport https -m state --state NEW -j ACCEPT
err=`testresult $?`
i=$?
echo "EXT - HTTP Secure ... $err";
#
# 2.10.14 IMAP SSL Incoming when running own IMAP server with SSL
#
# $IPTABLES -A INPUT -p tcp -i $INET_IFACE -d $INET_IP --dport imaps -m state --state NEW -j ACCEPT
# err=`testresult $?`
# i=$?
# echo "EXT - IMAP Secure ... $err";
#
# 2.10.15 POP3 Incoming when running own server with SSL
#
# $IPTABLES -A INPUT -p tcp -i $INET_IFACE -d $INET_IP --dport pop3s -m state --state NEW -j ACCEPT
# err=`testresult $?`
# i=$?
# echo "EXT - POP3 Secure ... $err";
#
# 2.10.16 VNC Incoming when running own VNC server
#
$IPTABLES -A INPUT -p tcp -i $INET_IFACE -d $INET_IP --dport 5901 -m state --state NEW -j ACCEPT
err=`testresult $?`
i=$?
echo "EXT - VNC ... $err";
#
# 2.10.17 WEBMIN Incoming when running own WEBMIN Server
#
# $IPTABLES -A INPUT -p tcp -i $INET_IFACE -d $INET_IP --dport 10000 -m state --state NEW -j ACCEPT
# err=`testresult $?`
# i=$?
# echo "EXT - WEBMIN ... $err";
#
# 2.10.18 ICQ incoming
#
$IPTABLES -A INPUT -p tcp -i $INET_IFACE --sport $UNPRIVPORTS -d $INET_IP --dport $UNPRIVPORTS -m state --state NEW -j BLOCK
err=`testresult $?`
i=$?
echo "EXT - ICQ-filetransfer all ... Caution, opens ALL unpriv_ports !!! ... $err";
#
# 2.11 INPUT Local
#
echo;
#
# 2.11.1 Accept packages for our subnet, we trust our local network (LAN)
#
$IPTABLES -A INPUT -i ! $INET_IFACE -s $LAN_IP_RANGE -j ACCEPT
err=`testresult $?`
i=$?
echo "LOCAL - TOTAL LAN ... $err";
#
# 2.11.2 Accept incoming packets on local interface that are related to connections made by the server
#
$IPTABLES -A INPUT -i $LAN_IFACE -s $LAN_IP_RANGE -d $LAN_IP -m state --state ESTABLISHED,RELATED -j ACCEPT
#
# 2.11.3 ICMP incoming local
#
$IPTABLES -A INPUT -p icmp --icmp-type 8 -i $LAN_IFACE -s $LAN_IP_RANGE -d $LAN_IP -m state --state NEW $limit1 -j ACCEPT
err=`testresult $?`
i=$?
echo "LOCAL - accept incoming pings ... $err";
#
# 2.11.4 UDP incoming local
#
$IPTABLES -A INPUT -p udp -i $LAN_IFACE -s $LAN_IP_RANGE -m state --state NEW -j ACCEPT
err=`testresult $?`
i=$?
echo "LOCAL - UDP accept ... $err";
#
# 2.11.5 FTP Incoming - open port 21 (active and passive)
#
$IPTABLES -A INPUT -p tcp -i $LAN_IFACE -s $LAN_IP_RANGE -d $LAN_IP --dport ftp -m state --state NEW -j ACCEPT
err=`testresult $?`
i=$?
echo "LOCAL - FTP ... $err";
#
# 2.11.6 SSH Incoming local
#
$IPTABLES -A INPUT -p tcp -i $LAN_IFACE -s $LAN_IP_RANGE -d $LAN_IP --dport ssh -m state --state NEW -j ACCEPT
err=`testresult $?`
i=$?
echo "LOCAL - SSH ... $err";
#
# 2.11.7 TELNET Incoming local
#
# $IPTABLES -A INPUT -p tcp -i $LAN_IFACE -s $LAN_IP_RANGE -d $LAN_IP --dport telnet -m state --state NEW -j ACCEPT
# err=`testresult $?`
# i=$?
# echo "LOCAL - TELNET ... $err";
#
# 2.11.8 SMTP Incoming local
#
$IPTABLES -A INPUT -p tcp -i $LAN_IFACE -s $LAN_IP_RANGE -d $LAN_IP --dport smtp -m state --state NEW -j ACCEPT
err=`testresult $?`
i=$?
echo "LOCAL - SMTP ... $err";
#
# 2.11.9 DNS Incoming local when running own DNS - Server
#
# $IPTABLES -A INPUT -p tcp -i $LAN_IFACE -s $LAN_IP_RANGE -d $LAN_IP --dport domain -m state --state NEW -j ACCEPT
# err=`testresult $?`
# i=$?
# echo "LOCAL - DNS ... $err";
#
# 2.11.10 HTTP Incoming local when running own Webserver
#
# $IPTABLES -A INPUT -p tcp -i $LAN_IFACE -s $LAN_IP_RANGE -d $LAN_IP --dport http -m state --state NEW -j ACCEPT
# err=`testresult $?`
# i=$?
# echo "LOCAL - HTTP ... $err";
#
# 2.11.11 POP3 Incoming local when running own POP3 Server
#
# $IPTABLES -A INPUT -p tcp -i $LAN_IFACE -s $LAN_IP_RANGE -d $LAN_IP --dport pop3 -m state --state NEW -j ACCEPT
# err=`testresult $?`
# i=$?
# echo "LOCAL - POP3 ... $err";
#
# 2.11.12 Portmapper Incoming local when running NFS -server
#
# $IPTABLES -A INPUT -p tcp -i $LAN_IFACE -s $LAN_IP_RANGE -d $LAN_IP --dport portmapper -m state --state NEW -j ACCEPT
# err=`testresult $?`
# i=$?
# echo "LOCAL - PORTMAPPER ... $err";
#
# 2.11.13 NETBIOS-NS Incoming Local
#
$IPTABLES -A INPUT -p tcp -i $LAN_IFACE -s $LAN_IP_RANGE -d $LAN_IP --dport netbios-ns -m state --state NEW -j ACCEPT
err=`testresult $?`
i=$?
echo "LOCAL - NETBIOS-NS ... $err";
#
# 2.11.14 NETBIOS-DGM Incoming local
#
$IPTABLES -A INPUT -p tcp -i $LAN_IFACE -s $LAN_IP_RANGE -d $LAN_IP --dport netbios-dgm -m state --state NEW -j ACCEPT
err=`testresult $?`
i=$?
echo "LOCAL - NETBIOS-DGM ... $err";
#
# 2.11.15 NETBIOS-SSN Incoming local
#
$IPTABLES -A INPUT -p tcp -i $LAN_IFACE -s $LAN_IP_RANGE -d $LAN_IP --dport netbios-ssn -m state --state NEW -j ACCEPT
err=`testresult $?`
i=$?
echo "LOCAL - NETBIOS-SSN ... $err";
#
# 2.11.16 IMAP Incoming local when running own IMAP Server
#
# $IPTABLES -A INPUT -p tcp -i $LAN_IFACE -s $LAN_IP_RANGE -d $LAN_IP --dport imap -m state --state NEW -j ACCEPT
# err=`testresult $?`
# i=$?
# echo "LOCAL - IMAP ... $err";
#
# 2.11.17 HTTPS Incoming local when running own HTTPS Server
#
# $IPTABLES -A INPUT -p tcp -i $LAN_IFACE -s $LAN_IP_RANGE -d $LAN_IP --dport https -m state --state NEW -j ACCEPT
# err=`testresult $?`
# i=$?
# echo "LOCAL - HTTP Secure ... $err";
#
# 2.11.18 SWAT (Samba Web Administration Tool) Incoming local
#
# $IPTABLES -A INPUT -p tcp -i $LAN_IFACE -s $LAN_IP_RANGE -d $LAN_IP --dport swat -m state --state NEW -j ACCEPT
# err=`testresult $?`
# i=$?
# echo "LOCAL - SWAT ... $err";
#
# 2.11.19 IMAP SSL Incoming Local
#
# $IPTABLES -A INPUT -p tcp -i $LAN_IFACE -s $LAN_IP_RANGE -d $LAN_IP --dport imaps -m state --state NEW -j ACCEPT
# err=`testresult $?`
# i=$?
# echo "LOCAL - IMAP Secure ... $err";
#
# 2.11.20 POP3 SSL Incoming local
#
# $IPTABLES -A INPUT -p tcp -i $LAN_IFACE -s $LAN_IP_RANGE -d $LAN_IP --dport pop3s -m state --state NEW -j ACCEPT
# err=`testresult $?`
# i=$?
# echo "LOCAL - POP3 Secure ... $err";
#
# 2.11.21 SOCKS Incoming local
#
# $IPTABLES -A INPUT -p tcp -i $LAN_IFACE -s $LAN_IP_RANGE -d $LAN_IP --dport socks -m state --state NEW -j ACCEPT
# err=`testresult $?`
# i=$?
# echo "LOCAL - SOCKS ... $err";
#
# 2.11.22 SQUID Incoming local
#
# $IPTABLES -A INPUT -p tcp -i $LAN_IFACE -s $LAN_IP_RANGE -d $LAN_IP --dport 3128 -m state --state NEW -j ACCEPT
# err=`testresult $?`
# i=$?
# echo "LOCAL - SQUID ... $err";
#
# 2.11.23 VNC Incoming local
#
$IPTABLES -A INPUT -p tcp -i $LAN_IFACE -s $LAN_IP_RANGE -d $LAN_IP --dport 5901 -m state --state NEW -j ACCEPT
err=`testresult $?`
i=$?
echo "LOCAL - VNC ... $err";
#
# 2.11.24 WEBMIN Incoming local
#
# $IPTABLES -A INPUT -p tcp -i $LAN_IFACE -s $LAN_IP_RANGE -d $LAN_IP --dport 10000 -m state --state NEW -j ACCEPT
# err=`testresult $?`
# i=$?
# echo "LOCAL - WEBMIN ... $err";
#
# 2.11.25 Make sure clients can visit their own server on the external IP address
#
$IPTABLES -A INPUT -p tcp -i $LAN_IFACE -s $LAN_IP_RANGE -d $INET_IP -j ACCEPT
#
# 2.12 OUTPUT
#
echo;
#
# 2.12.1 Setting default policy
#
$IPTABLES -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT &&
$IPTABLES -P OUTPUT DROP &&
err=`testresult $?`
i=$?
echo "Setting default policy OUTPUT ... $err";
#
# 2.12.2 The first thing you want to do is log and drop any suspicious packets
#
$IPTABLES -A OUTPUT -o $INET_IFACE -j CHECK &&
err=`testresult $?`
i=$?
echo "Activeren general check OUTPUT ... $err";
#
# 2.12.3 Loopback
#
$IPTABLES -A OUTPUT -o lo -j ACCEPT
#
# 2.12.4 DHCP
#
$IPTABLES -A OUTPUT -p udp -o $LAN_IFACE --sport bootps --dport bootpc -j ACCEPT
$IPTABLES -A OUTPUT -p udp -o $INET_IFACE --sport bootps --dport bootpc -j ACCEPT
#
# 2.13 OUTPUT EXTERNAL
#
echo;
#
# 2.13.1 Accept outgoing packets on external interface that are related to connections made by the outside world
#
$IPTABLES -A OUTPUT -o $INET_IFACE -s $INET_IP -m state --state ESTABLISHED,RELATED -j ACCEPT
#
# 2.13.2 ICMP outgoing
#
$IPTABLES -A OUTPUT -p icmp --icmp-type 8 -o $INET_IFACE -s $INET_IP -m state --state NEW -j ACCEPT
err=`testresult $?`
i=$?
echo "EXT - accept outgoing pings ... $err";
#
# 2.13.3 DNS Outgoing
#
$IPTABLES -A OUTPUT -p udp -o $INET_IFACE -s $INET_IP --dport domain -m state --state NEW -j ACCEPT
err=`testresult $?`
i=$?
echo "EXT - allow outgoing dns queries ... $err";
#
# 2.13.4 NTP Outgoing
#
$IPTABLES -A OUTPUT -p udp -o $INET_IFACE -s $INET_IP --dport ntp -m state --state NEW -j ACCEPT
err=`testresult $?`
i=$?
echo "EXT - NTP ... $err";
#
# 2.13.5 SMTP Outgoing
#
$IPTABLES -A OUTPUT -p tcp -o $INET_IFACE -s $INET_IP --dport smtp -m state --state NEW -j ACCEPT
err=`testresult $?`
i=$?
echo "EXT - SMTP outgoing ... $err";
#
# 2.13.6 AUTH Outgoing
#
$IPTABLES -A OUTPUT -p tcp -o $INET_IFACE -s $INET_IP --sport auth -m state --state NEW -j ACCEPT
err=`testresult $?`
i=$?
echo "EXT - AUTH outgoing ... $err";
#
# 2.13.7 AUTH not Outgoing
#
# $IPTABLES -A OUTPUT -p tcp -o $INET_IFACE -s $INET_IP --sport auth -j REJECT --reject-with tcp-reset
# err=`testresult $?`
# i=$?
# echo "EXT - reject AUTH outgoing ... $err";
#
# 2.13.8 GENERAL Outgoing
#
$IPTABLES -A OUTPUT -p udp -o $INET_IFACE -s $INET_IP --sport $UNPRIVPORTS -m state --state NEW -j ACCEPT
$IPTABLES -A OUTPUT -p tcp -o $INET_IFACE -s $INET_IP --sport $UNPRIVPORTS -m state --state NEW -j ACCEPT
#
# 2.14 OUTPUT Local
#
echo;
#
# 2.14.1 Accept outgoing packets on local interface that are related to connections made by client to the server
#
$IPTABLES -A OUTPUT -o ! $INET_IFACE -d $LAN_IP_RANGE -j ACCEPT
err=`testresult $?`
i=$?
echo "LOCAL - TOTAL LAN outgoing ... $err";
#
# 2.14.2 ICMP Outgoing
#
$IPTABLES -A OUTPUT -p icmp --icmp-type 8 -o $LAN_IFACE -s $LAN_IP -m state --state NEW -j ACCEPT
err=`testresult $?`
i=$?
echo "LOCAL - accept outgoing pings ... $err";
#
# 2.14.3 DNS local outgoing
#
$IPTABLES -A OUTPUT -p udp -o $LAN_IFACE -s $LAN_IP -d $LAN_IP_RANGE --sport domain -m state --state NEW -j ACCEPT
err=`testresult $?`
i=$?
echo "LOCAL - allow outgoing dns queries ... $err";
#
# 2.14.4 Netbios local communications
#
$IPTABLES -A OUTPUT -p udp -o $LAN_IFACE -s $LAN_IP -d $LAN_IP_RANGE --dport netbios-ns -m state --state NEW -j ACCEPT &&
$IPTABLES -A OUTPUT -p udp -o $LAN_IFACE -s $LAN_IP -d $LAN_IP_RANGE --dport netbios-dgm -m state --state NEW -j ACCEPT &&
err=`testresult $?`
i=$?
echo "LOCAL - allow local netbios communication ... $err";
#
# 2.14.5 Making connections to client-shares via samba
#
$IPTABLES -A OUTPUT -p tcp -o $LAN_IFACE -s $LAN_IP -d $LAN_IP_RANGE --dport netbios-ssn -m state --state NEW -j ACCEPT
err=`testresult $?`
i=$?
echo "LOCAL - NETBIOS-SSN outgoing ... $err";
#
# 2.14.6 AUTH Outgoing
#
$IPTABLES -A OUTPUT -p tcp -o $LAN_IFACE -s $LAN_IP -d $LAN_IP_RANGE --dport auth -j ACCEPT
err=`testresult $?`
i=$?
echo "LOCAL - AUTH outgoing ... $err";
#
# 2.14.7 AUTH Not Outgoing
#
# $IPTABLES -A OUTPUT -p tcp -o $LAN_IFACE -s $LAN_IP -d $LAN_IP_RANGE --dport auth -j REJECT --reject-with tcp-reset
# err=`testresult $?`
# i=$?
# echo "LOCAL - reject AUTH outgoing ... $err";
#
# 2.14.8 Make sure clients can visit their own server on the external IP address
#
$IPTABLES -A OUTPUT -p tcp -o $LAN_IFACE -s $INET_IP -d $LAN_IP_RANGE -j ACCEPT
#
# 2.15 MANGLE OUTPUT
#
echo;
#
# 2.15.1 Setting default policy
#
$IPTABLES -t mangle -P OUTPUT ACCEPT
err=`testresult $?`
i=$?
echo "Setting default policy MANGLE-OUTPUT ... $err";
#
# TOS table
# Options:
# Normal-Service = 0 (0x00)
# Minimize-Cost = 2 (0x02)
# Maximize-Reliability = 4 (0x04)
# Maximize-Throughput = 8 (0x08)
# Minimize-Delay = 16 (0x10)
#
# ToS: Client Applications; data => tos_client
# Most of these are the RFC 1060/1349 suggested TOS values, yours might vary.
# To view mangle table, type: iptables -L -t mangle
#
#
# 2.15.2 Mangle values of packets created locally
#
$IPTABLES -t mangle -A OUTPUT -p tcp --dport 20 -j TOS --set-tos Maximize-Throughput &&
$IPTABLES -t mangle -A OUTPUT -p tcp --dport 21 -j TOS --set-tos Minimize-Delay &&
$IPTABLES -t mangle -A OUTPUT -p tcp --dport 22 -j TOS --set-tos Minimize-Delay &&
$IPTABLES -t mangle -A OUTPUT -p tcp --dport 23 -j TOS --set-tos Minimize-Delay &&
$IPTABLES -t mangle -A OUTPUT -p tcp --dport 25 -j TOS --set-tos Minimize-Delay &&
$IPTABLES -t mangle -A OUTPUT -p udp --dport 53 -j TOS --set-tos Minimize-Delay &&
$IPTABLES -t mangle -A OUTPUT -p tcp --dport 67 -j TOS --set-tos Minimize-Delay &&
$IPTABLES -t mangle -A OUTPUT -p tcp --dport 80 -j TOS --set-tos Maximize-Throughput &&
$IPTABLES -t mangle -A OUTPUT -p tcp --dport 110 -j TOS --set-tos Maximize-Throughput &&
$IPTABLES -t mangle -A OUTPUT -p tcp --dport 113 -j TOS --set-tos Minimize-Delay &&
$IPTABLES -t mangle -A OUTPUT -p tcp --dport 123 -j TOS --set-tos Minimize-Delay &&
$IPTABLES -t mangle -A OUTPUT -p tcp --dport 143 -j TOS --set-tos Maximize-Throughput &&
$IPTABLES -t mangle -A OUTPUT -p tcp --dport 443 -j TOS --set-tos Maximize-Throughput &&
$IPTABLES -t mangle -A OUTPUT -p tcp --dport 993 -j TOS --set-tos Maximize-Throughput &&
$IPTABLES -t mangle -A OUTPUT -p tcp --dport 995 -j TOS --set-tos Maximize-Throughput &&
$IPTABLES -t mangle -A OUTPUT -p tcp --dport 1080 -j TOS --set-tos Minimize-Delay &&
$IPTABLES -t mangle -A OUTPUT -p tcp --dport 6000:6063 -j TOS --set-tos Maximize-Throughput
err=`testresult $?`
i=$?
echo "MANGLE - TOS OUTPUT ... $err";
#
# 2.15.3 Mark outgoing packets for traffic shaping (optional)
#
$IPTABLES -t mangle -I OUTPUT -m length --length 0:500 -j MARK --set-mark 1
$IPTABLES -t mangle -I OUTPUT -m length --length 500:1500 -j MARK --set-mark 2
#
# 2.16 POSTROUTING
#
echo;
#
# 2.16.1 Setting default policies
#
$IPTABLES -t nat -P POSTROUTING ACCEPT
err=`testresult $?`
i=$?
echo "Setting default policy POSTROUTING ... $err";
#
# 2.16.2 Change source addresses to external IP, packets leave firewall with external IP !
#
$IPTABLES -t nat -A POSTROUTING -o $INET_IFACE -j SNAT --to $INET_IP
err=`testresult $?`
i=$?
echo "Enable SOURCE NAT ... $err";
#
# 2.16.3 POSTROUTING VNC
#
$IPTABLES -t nat -A POSTROUTING -o $INET_IFACE -s $VNC_IP -d 0/0 -j SNAT --to-source 192.168.0.5
#
# 2.17 LOG-FORWARD
#
echo;
#
# 2.17.1 All remaining packets in FORWARD chain are logged
#
$IPTABLES -A FORWARD -j LOG-FORWARD
$IPTABLES -A LOG-FORWARD -p tcp $limit2 $log "TCP_Dropped_F: "
$IPTABLES -A LOG-FORWARD -p udp $limit2 $log "UDP_Dropped_F: "
$IPTABLES -A LOG-FORWARD -p icmp $limit2 $log "ICMP_Dropped_F: "
$IPTABLES -A LOG-FORWARD -f $limit2 $log "FRAGMENT_Dropped_F: "
$IPTABLES -A LOG-FORWARD -j LDROP
#
# 2.18 LOG-INPUT
#
echo;
#
# 2.18.1 All remaining packets in INPUT chain are logged
#
$IPTABLES -A INPUT -j LOG-INPUT
$IPTABLES -A LOG-INPUT -p tcp $limit2 $log "TCP_Dropped_I: "
$IPTABLES -A LOG-INPUT -p udp $limit2 $log "UDP_Dropped_I: "
$IPTABLES -A LOG-INPUT -p icmp $limit2 $log "ICMP_Dropped_I: "
$IPTABLES -A LOG-INPUT -f $limit2 $log "FRAGMENT_Dropped_I: "
$IPTABLES -A LOG-INPUT -j LDROP
#
# 2.19 LOG-OUTPUT
#
echo;
#
# 2.19.1 All remaining packets in OUTPUT chain are logged
#
$IPTABLES -A OUTPUT -j LOG-OUTPUT
$IPTABLES -A LOG-OUTPUT -p tcp $limit2 $log "TCP_Dropped_O: "
$IPTABLES -A LOG-OUTPUT -p udp $limit2 $log "UDP_Dropped_O: "
$IPTABLES -A LOG-OUTPUT -p icmp $limit2 $log "ICMP_Dropped_O: "
$IPTABLES -A LOG-OUTPUT -f $limit2 $log "FRAGMENT_Dropped_O: "
$IPTABLES -A LOG-OUTPUT -j LDROP
#
# 2.20 LDROP
#
echo;
#
# 2.20.1 All other incoming, forwarding and outgoing is denied and logged.
#
$IPTABLES -A LDROP -j DROP
echo;
if [ "$i" -gt "0" ]; then
echo "Firewall error" >> /var/log/messages
echo -e "$datum \033[40m\033[1;31mErrors detected in bringing up firewall!\033[0m" | tee -a /var/log/messages
echo -e "$datum \033[40m\033[1;31mCheck your configuration.\033[0m" | tee -a /var/log/messages
else
echo -e "$datum \033[40m\033[1;32mFirewall is up without errors!\033[0m" | tee -a /var/log/messages
echo;
fi
;;
##########################################################################################################################################
##########################################################################################################################################
stop)
echo;
datum=`date +'%b %d %k:%M:%S'`;
echo "$datum Shutting down firewall and masquerading" | tee -a /var/log/messages
echo "$datum WARNING: YOUR MACHINE IS NOW OPEN FOR ATTACKS!!!" | tee -a /var/log/messages
echo;
#
# 3.1 Remove all existing rules belonging to this filter
#
$IPTABLES -F
$IPTABLES -t nat -F
$IPTABLES -t mangle -F
#
# 3.2 Delete all user-defined chains belonging to this filter
#
$IPTABLES -X
$IPTABLES -t nat -X
$IPTABLES -t mangle -X
#
# 3.3 Reset the default policy of the filter to accept.
#
$IPTABLES -P INPUT ACCEPT
$IPTABLES -P OUTPUT ACCEPT
$IPTABLES -P FORWARD ACCEPT
$IPTABLES -t nat -P POSTROUTING ACCEPT
$IPTABLES -t nat -P PREROUTING ACCEPT
$IPTABLES -t mangle -P OUTPUT ACCEPT
$IPTABLES -t mangle -P PREROUTING ACCEPT
;;
##########################################################################################################################################
##########################################################################################################################################
status)
$IPTABLES -v -n -L
;;
##########################################################################################################################################
##########################################################################################################################################
restart)
datum=`date +'%b %d %k:%M:%S'`;
echo "$datum Firewall restart ..." | tee -a /var/log/messages
$0 stop
echo "-----------------------"
$0 start
;;
##########################################################################################################################################
##########################################################################################################################################
version)
datum=`date +'%b %d %k:%M:%S'`;
echo "**"
echo "$datum * * Firewall version: `/bin/awk '/Id/ {print $3 $4}' $path_firewall`"
;;
##########################################################################################################################################
##########################################################################################################################################
*)
# ************************* WRONG PARAMETERS **************************
echo;
echo "Wrong parameter input!"
echo "Usage: $0 {start|stop|restart|status|version}"
;;
esac
Computers Are Like Air Conditioners... They're both useless with Windows open!
- 06-27-2004 #5Just Joined!
- Join Date
- Apr 2004
- Location
- egypt
- Posts
- 8
you know my friend
I know of course that my script has a lot of things missing
but remember that this is the first time that I make an iptables script in my life
I know that it doesn't have rules
but I just try to test it, make it work
I really want to learn iptables
so the problem that is facing me now
I think it's not complex but there is something missing that makes me unable to route to the machines in my network
the problem is I want to make my machine the default gateway for the other machines to the internet
how to make them send and receive all packets to and from me
I did
echo 1 > /proc/sys/net/ipv4/ip_forward
and changed the value of ipv4 forwarding in /etc/sysctl.conf to 1
but the other machine still couldn't receive packets from my machine when I connect to any website
I have a DNS server and me and all computers resolve fine
there is no problem with it
- 06-28-2004 #6Linux Newbie
- Join Date
- Dec 2003
- Location
- Netherlands
- Posts
- 193
Try to get a sample script from www.netfilter.org
If this sample works, try to work around with it. Make your own rules in this script.
Computers Are Like Air Conditioners... They're both useless with Windows open!
- 06-28-2004 #7Just Joined!
- Join Date
- Jun 2004
- Location
- Leiria - Portugal
- Posts
- 72
Just IP forwarding
Just have to enable ipv4 forwarding, like some other user said.
IP forwarding is a kernel parameter, because of this it won't work upon a system reboot. To make it permanent, put it in an init script.
Then with IP forwarding enabled you just need to specify your gateway address to your workstations. Be sure that any iptables rules are blocking forwarded packets. You can also read about NAT (aka MASQUERADING) for small private networks.
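The gateway setup the last two replies describe (ip_forward, a gateway address on the workstations, NAT), as an added example that is not from the thread or from any poster: it prints the FORWARD and POSTROUTING rules that the original poster's INPUT/OUTPUT-only script lacks, since traffic routed for other machines traverses FORWARD, not OUTPUT. The interface names eth0/eth1 are assumed placeholders; 10.1.0.0/16 is the subnet given in the thread.

```shell
#!/bin/sh
# Added example, not code from the thread or any poster. Prints the rules a
# Linux box needs to be the default gateway for a LAN. Interface names are
# constructed placeholders; 10.1.0.0/16 is the poster's subnet.
LAN_IFACE="${LAN_IFACE:-eth1}"
INET_IFACE="${INET_IFACE:-eth0}"
LAN_NET="${LAN_NET:-10.1.0.0/16}"
IPTABLES="${IPTABLES:-/sbin/iptables}"

# Print the commands instead of running them; review, then: gateway_rules | sh
gateway_rules() {
    cat <<EOF
# 1. Kernel routing between interfaces (lost on reboot: also set
#    net.ipv4.ip_forward = 1 in /etc/sysctl.conf, as post #5 does)
echo 1 > /proc/sys/net/ipv4/ip_forward
# 2. Default-deny FORWARD, then allow only connections the LAN initiates
#    and the replies to them
$IPTABLES -P FORWARD DROP
$IPTABLES -A FORWARD -i $LAN_IFACE -o $INET_IFACE -s $LAN_NET -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A FORWARD -i $INET_IFACE -o $LAN_IFACE -d $LAN_NET -m state --state ESTABLISHED,RELATED -j ACCEPT
# 3. Source NAT: LAN packets leave with the gateway's external address,
#    so replies from the internet come back to the gateway
$IPTABLES -t nat -A POSTROUTING -o $INET_IFACE -s $LAN_NET -j MASQUERADE
EOF
}

# Returns 0 when the forwarding flag in the given file (default: the live
# sysctl) reads 1; this is the step the thread keeps coming back to.
forwarding_enabled() {
    read -r flag < "${1:-/proc/sys/net/ipv4/ip_forward}" 2>/dev/null && [ "$flag" = "1" ]
}

# Number of FORWARD rules in the generated set: a sanity check that the
# ruleset covers the chain the poster's script omits.
forward_rule_count() {
    gateway_rules | grep -c -- "-A FORWARD"
}

gateway_rules
```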