  1. #1
    Just Joined! (Join Date: Apr 2004, Location: egypt, Posts: 8)

    iptables: how can I apply my firewall to others


    Hi all,
    I'm a newbie in iptables,
    so I made a test iptables script.
    I applied it and it works for my machine,
    but I want to apply it to another machine in my subnet,
    so I made its default gateway my IP,
    but it couldn't log on to the Internet or ping any site.
    My network is 10.1.0.0/16,
    and this is my test script:
    ----------------------------------------------------------------------------------------------------------
    #test script
    #------------------------------------------------------------------------------------------------

    EXTERNAL_INT="eth0" # Internet-connected interface
    EXTERNAL_IP="10.1.1.33" # your IP address
    EXTERNAL_SUBNET_BASE="255.255.0.0" # ISP network segment base address
    EXTERNAL_SUBNET_BROADCAST="255.255.255.255" # network segment
    # broadcast address
    LOOPBACK="127.0.0.0/8" # loopback address
    RESERVED_IP_10_SPACE="10.1.0.0/16" # RFC1918 10 space
    # class A private networks
    iptables="/sbin/iptables"
    #---------------------------------------------------------------------------------------------------
    $iptables --flush
    $iptables -t nat --flush
    $iptables -t mangle --flush

    #---------------------------------------------------------------------------------------------

    $iptables --delete-chain
    $iptables -t nat --delete-chain
    $iptables -t mangle --delete-chain

    #---------------------------------------------------------------------------------------------

    $iptables -A INPUT -j ACCEPT -p all -s 0/0 -i eth0
    $iptables -A OUTPUT -j ACCEPT -p all -s 10.1.0.0/16 -o eth0

    #------------------------------------------------------------------------------

    $iptables --policy INPUT DROP
    $iptables --policy OUTPUT DROP

    #------------------------------------------------------------------------------------------

    /sbin/depmod -a
    # 2.1 Required modules
    /sbin/modprobe ip_tables
    /sbin/modprobe ip_conntrack
    /sbin/modprobe iptable_filter
    /sbin/modprobe iptable_mangle
    /sbin/modprobe iptable_nat
    /sbin/modprobe ipt_LOG
    /sbin/modprobe ipt_limit
    /sbin/modprobe ipt_state
    # 2.2 Non-Required modules
    /sbin/modprobe ipt_owner
    /sbin/modprobe ipt_REJECT
    /sbin/modprobe ipt_MASQUERADE
    /sbin/modprobe ip_conntrack_ftp
    /sbin/modprobe ip_conntrack_irc
    /sbin/modprobe ip_nat_ftp
    /sbin/modprobe ip_nat_irc

    #-------------------------------------------------------------------------------------------

    $iptables -A INPUT -i lo -j ACCEPT
    $iptables -A OUTPUT -o lo -j ACCEPT

    #-------------------------------------------------------------------------------------------

    $iptables -A OUTPUT -p udp -o eth0 --dport 53 --sport 1024:65535 \
    -j ACCEPT

    $iptables -A INPUT -p udp -i eth0 --sport 53 --dport 1024:65535 \
    -j ACCEPT

    #-----------------------------------------------------------------------------

    $iptables -A INPUT -s 0/0 -i eth0 -d 10.1.0.0 -p TCP -j ACCEPT
    $iptables -A OUTPUT -s 0/0 -o eth0 -d 10.1.0.0 -p TCP -j ACCEPT

    #------------------------------------------------------------------------------

    $iptables -A OUTPUT -p icmp --icmp-type echo-request -j ACCEPT
    $iptables -A INPUT -p icmp --icmp-type echo-reply -j ACCEPT
    --------------------------------------------------------------------------------------------------------
    So can anyone help me apply the firewall to other clients in my network?
    Thanks to all

  2. #2
    Linux Guru sarumont (Join Date: Apr 2003, Location: /dev/urandom, Posts: 3,682)
    If you want to use that ruleset on other boxen in your network, then just make it a bash script (add #!/bin/bash as the first line) and run it on the other boxen. If that's not what you want to do, then try to clarify.
    "Time is an illusion. Lunchtime, doubly so."
    ~Douglas Adams, The Hitchhiker's Guide to the Galaxy

  3. #3
    Just Joined! (Join Date: Apr 2004, Location: egypt, Posts: 8)
    Yes, that's not what I want to do.
    Mm, I really ran the script and it gave me the result I want on my local machine,
    but I want to make it apply to another machine in my network.
    So I changed the gateway on another machine in my subnet and made it my IP address,
    but the script is not applied to this machine,
    so I want to apply this script for this machine too.
    I hope that you understood what I actually want,
    and sorry for not explaining well the last time,
    and thanks for the help.

  5. #4
    Linux Newbie (Join Date: Dec 2003, Location: Netherlands, Posts: 193)
    First of all, did you specify:

    1. DNS servers?
    2. Did you enable IPv4 forwarding?
    3. Did you use as the gateway address the machine where your Internet connection is?

    Also, you didn't specify any rules for your LAN.

    This is an example for you to work further with.

    This is one rule you certainly need:

    echo 1 > /proc/sys/net/ipv4/ip_forward


    #!/bin/bash
    # bash is required: the script uses "function", "let" and "echo -e"

    ##################################################################################################################

    function testresult {
    let i=i+$1
    case $1 in
    '0')
    echo -e "\033[40m\033[1;32mOK\033[0m"
    ;;
    '1')
    echo -e "\033[40m\033[1;31mFailed\033[0m"
    ;;
    '2')
    echo -e "\033[40m\033[1;31mFatal Error: 2\033[0m"
    ;;
    *)
    echo -e "\033[40m\033[1;31mFatal Error: ?\033[0m"
    ;;
    esac
    return $i
    }


    case "$1" in

    ##################################################################################################################
    ##################################################################################################################
    start)


    ##################################################################################################################
    # ++++++++++++
    # GENERAL
    # ++++++++++++

    datum=`date +'%b %d %k:%M:%S'`;
    echo "$datum Starten firewall iptables ..." | tee -a /var/log/messages

    echo -en " Laden modules: "

    #
    # 1.0 Flushing and deleting existing rules, setting counters to zero
    #
    # $IPTABLES -F &&
    # $IPTABLES -X &&
    # $IPTABLES -t nat -F &&
    # $IPTABLES -t nat -X &&
    # $IPTABLES -t mangle -F &&
    # $IPTABLES -t mangle -X
    # err=`testresult $?`
    # i=$?
    # echo "Flushing and clearing rules ... $err";

    #
    # 1.1 Internet Configuration.
    #

    INET_IP="xxx.xxx.xxx.xxx" #Internet Ip aders
    INET_IFACE="eth1" #Device internet adapter
    INET_BROADCAST="xxx.xxx.xxx.xxx" #broadcastadres from your provider


    #
    # 1.2 Local Area Network configuration.
    #
    # your LAN's IP range and localhost IP. /24 means to only use the first 24
    # bits of the 32 bit IP address. the same as netmask 255.255.255.0
    #

    LAN_IP="192.168.0.5"
    LAN_IP_RANGE="192.168.0.0/16"
    LAN_IFACE="eth0"

    #
    # 1.3 DMZ Configuration.
    #

    UNPRIVPORTS="1024:65535"

    #
    # 1.4 Localhost Configuration.
    #

    LO_IFACE="lo"
    LO_IP="127.0.0.1"

    #
    # 1.5 IPTables Configuration.
    #

    IPTABLES="/sbin/iptables"

    $IPTABLES -F &&
    $IPTABLES -X &&
    $IPTABLES -t nat -F &&
    $IPTABLES -t nat -X &&
    $IPTABLES -t mangle -F &&
    $IPTABLES -t mangle -X
    err=`testresult $?`
    i=$?
    echo "Flushing and clearing rules ... $err";

    #
    # 1.6 Other Configuration.
    #

    VNC_IP="192.168.0.4"

    #
    # 1.7 Masq. Machine IP
    #

    MASQ_IP="192.168.200.20"

    #
    # 1.8 VNC-server port

    VNC_PORT="5901"

    #
    # 1.9 Setting limit levels for logging
    #

    limit1="-m limit --limit 1/s"
    limit2="-m limit --limit 10/minute"
    limit3="-m limit --limit 20/s"
    log="-j LOG --log-level 5 --log-prefix"
    ############################################################################
    #
    # 2. Module loading.
    #

    #
    # Needed to initially load modules
    #

    /sbin/depmod -a

    #
    # 2.1 Required modules
    #

    /sbin/modprobe ip_tables
    /sbin/modprobe ip_conntrack
    /sbin/modprobe iptable_filter
    /sbin/modprobe iptable_mangle
    /sbin/modprobe iptable_nat
    /sbin/modprobe ipt_LOG
    /sbin/modprobe ipt_limit
    /sbin/modprobe ipt_state
    /sbin/modprobe ipt_TOS
    /sbin/modprobe ipt_REDIRECT
    /sbin/modprobe ipt_REJECT
    /sbin/modprobe ipt_MASQUERADE
    /sbin/modprobe ipt_tos
    /sbin/modprobe ip_nat_ftp
    /sbin/modprobe ip_conntrack_ftp

    #
    # 2.2 NON Required modules
    #

    /sbin/modprobe ip_conntrack_irc
    /sbin/modprobe ip_queue
    /sbin/modprobe ip_nat_irc
    /sbin/modprobe ipt_limit
    /sbin/modprobe ipt_multiport
    /sbin/modprobe ipt_mark
    /sbin/modprobe ipt_mac
    /sbin/modprobe ipt_owner
    /sbin/modprobe ipt_tcpmss
    /sbin/modprobe ipt_unclean
    /sbin/modprobe ipt_ttl
    /sbin/modprobe ipt_length
    /sbin/modprobe ipt_TCPMSS
    /sbin/modprobe ipt_MIRROR
    /sbin/modprobe ipt_MARK
    /sbin/modprobe ipt_ULOG

    #
    # 2.3 Create New Chains
    #

    $IPTABLES -N CHECK &&
    $IPTABLES -N BLOCK &&
    $IPTABLES -N LOG-FORWARD &&
    $IPTABLES -N LOG-INPUT &&
    $IPTABLES -N LOG-OUTPUT &&
    $IPTABLES -N LDROP
    err=`testresult $?`
    i=$?
    echo "Creating new chains ... $err";

    #
    # 2.4 Setting kernel parameters
    #

    #
    # 2.4.1 Enable IP FORWARDING
    #

    echo 1 > /proc/sys/net/ipv4/ip_forward

    #
    # 2.4.2 Enable Syn Cookies protection in kernel
    #

    echo 1 > /proc/sys/net/ipv4/tcp_syncookies

    #
    # 2.4.3 ICMP Dead Error Messages Protection
    #

    echo 1 > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses

    #
    # 2.4.4 Set the maximum number of connections to track
    #

    echo 2048 > /proc/sys/net/ipv4/ip_conntrack_max

    #
    # 2.4.5 Enable response to ping (ICMP echo)
    #

    echo 0 > /proc/sys/net/ipv4/icmp_echo_ignore_all

    #
    # 2.4.6 Disable response to broadcasts
    #

    echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts

    #
    # 2.4.7 Reduce DoS'ing ability by reducing timeouts
    #

    echo 10 > /proc/sys/net/ipv4/tcp_fin_timeout
    echo 1800 > /proc/sys/net/ipv4/tcp_keepalive_time
    echo 0 > /proc/sys/net/ipv4/tcp_window_scaling
    echo 0 > /proc/sys/net/ipv4/tcp_sack

    #
    # 2.4.8 Set out local port range
    #
    echo "32768 61000" > /proc/sys/net/ipv4/ip_local_port_range

    #
    # 2.4.9 Time To Live (TTL)
    #

    echo 64 > /proc/sys/net/ipv4/ip_default_ttl

    #
    # 2.4.10 Increase the default queuelength. (Kernel default: 1024)
    #

    echo 2048 > /proc/sys/net/ipv4/ip_queue_maxlen

    #
    # 2.4.11 Turn on source address verification in kernel
    #

    for interface in /proc/sys/net/ipv4/conf/*/rp_filter; do
    echo 1 > $interface;
    done

    #
    # 2.4.12 Disable ICMP redirect acceptance
    #

    for interface in /proc/sys/net/ipv4/conf/*/accept_redirects; do
    echo 0 > $interface;
    done

    #
    # 2.4.13 Disable ICMP send_redirects
    #

    for interface in /proc/sys/net/ipv4/conf/*/send_redirects; do
    echo 0 > $interface;
    done

    #
    # 2.4.14 Log spoofed packets, source routed packets, redirect packets
    #

    for interface in /proc/sys/net/ipv4/conf/*/log_martians; do
    echo 1 > $interface;
    done

    echo "Initialiseren kernelparameters ... $err";

    #
    # 2.5.0 Unclean packet check
    #

    $IPTABLES -A CHECK -m unclean $limit2 $log "UNCLEAN: " &&
    $IPTABLES -A CHECK -m unclean -j DROP &&
    err=`testresult $?`
    i=$?
    echo "Activeren UNCLEAN check ... $err";

    #
    # 2.5.1 Check for invalid packets
    #

    $IPTABLES -A CHECK -m state --state INVALID $limit2 $log "INVALID; " &&
    $IPTABLES -A CHECK -m state --state INVALID -j DROP &&

    #
    # 2.5.2 NMAP FN/URG/PSH - XMAS - scan
    #

    $IPTABLES -A CHECK -p tcp --tcp-flags ALL FIN,URG,PSH $limit2 $log "NMAP-XMAS: " &&
    $IPTABLES -A CHECK -p tcp --tcp-flags ALL FIN,URG,PSH -j DROP &&

    #
    # 2.5.3 SYN/RST - scan
    #

    $IPTABLES -A CHECK -p tcp --tcp-flags SYN,RST SYN,RST $limit2 $log "SYN/RST: " &&
    $IPTABLES -A CHECK -p tcp --tcp-flags SYN,RST SYN,RST -j DROP &&

    #
    # 2.5.4 SYN/FIN -- scan (probably)
    #

    $IPTABLES -A CHECK -p tcp --tcp-flags SYN,FIN SYN,FIN $limit2 $log "SYN/FIN: " &&
    $IPTABLES -A CHECK -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP &&

    #
    # 2.5.5 FIN - scan
    #

    $IPTABLES -A CHECK -p tcp --tcp-flags ALL FIN $limit2 $log "FIN: " &&
    $IPTABLES -A CHECK -p tcp --tcp-flags ALL FIN -j DROP &&

    #
    # 2.5.6 ALL/ALL - scan
    #

    $IPTABLES -A CHECK -p tcp --tcp-flags ALL ALL $limit2 $log "ALL/ALL: " &&
    $IPTABLES -A CHECK -p tcp --tcp-flags ALL ALL -j DROP &&

    #
    # 2.5.7 NULL - scan
    #

    $IPTABLES -A CHECK -p tcp --tcp-flags ALL NONE $limit2 $log "NULL: " &&
    $IPTABLES -A CHECK -p tcp --tcp-flags ALL NONE -j DROP &&

    #
    # 2.5.8 SPOOFING:
    #

    $IPTABLES -A CHECK -s 0.0.0.0 $log "SPOOFING: " &&
    $IPTABLES -A CHECK -s 255.255.255.255 $log "SPOOFING: " &&
    $IPTABLES -A CHECK -s 0.0.0.0 -j LDROP &&
    $IPTABLES -A CHECK -s 255.255.255.255 -j LDROP &&

    #
    # 2.5.9 SPOOFING CLASS:
    #

    $IPTABLES -A CHECK -s 10.0.0.0/8 $log "SPOOFING A CLASS: " &&
    $IPTABLES -A CHECK -s 172.16.0.0/12 $log "SPOOFING B CLASS: " &&
    $IPTABLES -A CHECK -s 192.168.0.0/16 $log "SPOOFING C CLASS: " &&
    $IPTABLES -A CHECK -s 224.0.0.0/4 $log "SPOOFING D CLASS: " &&
    $IPTABLES -A CHECK -s 240.0.0.0/5 $log "SPOOFING E CLASS: " &&
    $IPTABLES -A CHECK -s 169.254.0.0/16 $log "SPOOFING F CLASS: " &&

    $IPTABLES -A CHECK -s 10.0.0.0/8 -j LDROP &&
    $IPTABLES -A CHECK -s 172.16.0.0/12 -j LDROP &&
    $IPTABLES -A CHECK -s 192.168.0.0/16 -j LDROP &&
    $IPTABLES -A CHECK -s 224.0.0.0/4 -j LDROP &&
    $IPTABLES -A CHECK -s 240.0.0.0/5 -j LDROP &&
    $IPTABLES -A CHECK -s 169.254.0.0/16 -j LDROP

    err=`testresult $?`
    i=$?
    echo "Activeren general check chain (1) ... $err";

    #
    # 2.5.10 Block all ip addresses reserved by IANA (for the time being)
    # this changes regulary, see http://www.iana.org/assignments/ipv4-address-space
    # Updated 01 Dec 2001
    #

    RESERVED_NET="
    0.0.0.0/8 1.0.0.0/8 2.0.0.0/8 \
    5.0.0.0/8 \
    7.0.0.0/8 \
    23.0.0.0/8 \
    27.0.0.0/8 \
    31.0.0.0/8 \
    36.0.0.0/8 37.0.0.0/8 \
    39.0.0.0/8 \
    41.0.0.0/8 42.0.0.0/8 \
    58.0.0.0/8 59.0.0.0/8 60.0.0.0/8 \
    69.0.0.0/8 70.0.0.0/8 71.0.0.0/8 72.0.0.0/8 73.0.0.0/8 \
    74.0.0.0/8 75.0.0.0/8 76.0.0.0/8 77.0.0.0/8 78.0.0.0/8 79.0.0.0/8 \
    82.0.0.0/8 83.0.0.0/8 84.0.0.0/8 85.0.0.0/8 86.0.0.0/8 87.0.0.0/8 \
    88.0.0.0/8 89.0.0.0/8 90.0.0.0/8 91.0.0.0/8 92.0.0.0/8 93.0.0.0/8 94.0.0.0/8 \
    95.0.0.0/8 96.0.0.0/8 97.0.0.0/8 98.0.0.0/8 99.0.0.0/8 100.0.0.0/8 101.0.0.0/8 \
    102.0.0.0/8 103.0.0.0/8 104.0.0.0/8 105.0.0.0/8 106.0.0.0/8 107.0.0.0/8 \
    108.0.0.0/8 109.0.0.0/8 110.0.0.0/8 111.0.0.0/8 112.0.0.0/8 113.0.0.0/8 \
    114.0.0.0/8 115.0.0.0/8 116.0.0.0/8 117.0.0.0/8 118.0.0.0/8 119.0.0.0/8 \
    120.0.0.0/8 121.0.0.0/8 122.0.0.0/8 123.0.0.0/8 124.0.0.0/8 125.0.0.0/8 \
    126.0.0.0/8 127.0.0.0/8 \
    197.0.0.0/8 \
    221.0.0.0/8 222.0.0.0/8 223.0.0.0/8 \
    224.0.0.0/8 225.0.0.0/8 226.0.0.0/8 227.0.0.0/8 228.0.0.0/8 229.0.0.0/8 \
    230.0.0.0/8 231.0.0.0/8 232.0.0.0/8 233.0.0.0/8 234.0.0.0/8 235.0.0.0/8 \
    236.0.0.0/8 237.0.0.0/8 238.0.0.0/8 239.0.0.0/8 \
    240.0.0.0/8 241.0.0.0/8 242.0.0.0/8 243.0.0.0/8 244.0.0.0/8 245.0.0.0/8 \
    246.0.0.0/8 247.0.0.0/8 248.0.0.0/8 249.0.0.0/8 250.0.0.0/8 251.0.0.0/8 \
    252.0.0.0/8 253.0.0.0/8 254.0.0.0/8 255.0.0.0/8"

    a=0
    for NET in $RESERVED_NET; do
    $IPTABLES -A CHECK -s $NET $log "IANA: " &&
    $IPTABLES -A CHECK -s $NET -j LDROP &&
    if [ $? != 0 ]; then
    a=1
    break;
    fi
    done;

    err=`testresult $?`
    i=$?
    echo "Activeren general check chain (2) ... $err";



    #
    # 2.6 BLOCK
    #

    #
    # 2.6.1 Refuse some common ports
    #

    common_ports_refused="1080 1984 2000 2049 3128 6000:6063 8080 10000"

    a=0

    for common_ports in $common_ports_refused;
    do
    $IPTABLES -A BLOCK -p tcp -i $INET_IFACE --dport $common_ports -j LOG-INPUT &&
    if [ $? != 0 ]; then
    a=1
    break;
    fi
    done;
    err=`testresult $?`
    i=$?

    echo "Weigeren connectie naar common ports ... $err";

    #
    # 2.6.2 Refuse trojan ports
    #

    # Block Subseven (1.7/1.9) 1243 / 6711:6713
    # Block Backdoor-G and Subseven (2.X) 1999 / 6776 / 27374
    # Block NetBus 12345:12346
    # Block NetBus 2 Pro 20034
    # Block Stacheldraht 16660 / 60001 / 65000
    # Block Back Orifice, Deep BO 31337:31338
    # Block Back Orifice 2K 54320:54321
    # Block Trinity v3\n 33270
    # Block Trin00 1524 / 27444 / 27665 / 31335
    # Block Cheeseworm 10008
    # Block Gamserver.Net 12270 / 12203

    trojan_ports="1243 6711:6713 1999 6776 27374 12345:12346 20034 16660 60001 \
    65000 31337:31338 54320:54321 33270 1524 27444 27665 31335 10008 \
    12203:12270"

    a=0
    for trojans in $trojan_ports;
    do
    $IPTABLES -A BLOCK -p tcp -i $INET_IFACE --dport $trojans -j LOG-INPUT &&
    if [ $? != 0 ]; then
    a=1
    break;
    fi
    done;
    err=`testresult $?`
    i=$?
    echo "Blokkeer Trojans ... $err";

    $IPTABLES -A BLOCK -j ACCEPT

    #
    # 2.7 PREROUTING
    #
    echo;

    #
    # 2.7.1 Setting default policies
    #

    $IPTABLES -t nat -P PREROUTING ACCEPT
    err=`testresult $?`
    i=$?
    echo "Zetten van standaard PREROUTING ... $err";

    #
    # 2.7.4 Setting up example port forwarding, see also the FORWARD section
    #

    # NOTE: abnamro_net is never set anywhere in this script; define it
    # (space-separated source networks) or this loop does nothing.
    a=0
    for net in $abnamro_net; do
    $IPTABLES -t nat -A PREROUTING -p tcp -i $INET_IFACE -s $net -d $INET_IP --dport 1025:1500 -j DNAT --to $MASQ_IP &&
    if [ $? != 0 ]; then
    a=1
    break;
    fi
    done;
    err=`testresult $?`
    i=$?
    echo "PREROUTING - ABNAMRO - homenet ... $err";

    #
    # 2.7.4.1 PREROUTING for VNC forwarding
    #

    $IPTABLES -t nat -A PREROUTING -i $INET_IFACE -p tcp --dport 5900 -j DNAT --to-destination 192.168.0.4:5900

    # PREROUTING only exists in the nat (and mangle) table, so -t nat is required
    $IPTABLES -t nat -A PREROUTING -d 212.238.245.120 -p tcp -m tcp --dport 5900 -j DNAT --to-destination 192.168.0.4:5900

    #
    # 2.7.5 Rules to mangle the TOS values of packets passing through the FIREWALL
    #

    $IPTABLES -t mangle -A PREROUTING -p tcp --dport 20 -j TOS --set-tos Maximize-Throughput &&
    $IPTABLES -t mangle -A PREROUTING -p tcp --dport 21 -j TOS --set-tos Minimize-Delay &&
    $IPTABLES -t mangle -A PREROUTING -p tcp --dport 22 -j TOS --set-tos Minimize-Delay &&
    $IPTABLES -t mangle -A PREROUTING -p tcp --dport 23 -j TOS --set-tos Minimize-Delay &&
    $IPTABLES -t mangle -A PREROUTING -p tcp --dport 25 -j TOS --set-tos Minimize-Delay &&
    $IPTABLES -t mangle -A PREROUTING -p tcp --dport 53 -j TOS --set-tos Minimize-Delay &&
    $IPTABLES -t mangle -A PREROUTING -p tcp --dport 67 -j TOS --set-tos Minimize-Delay &&
    $IPTABLES -t mangle -A PREROUTING -p tcp --dport 80 -j TOS --set-tos Maximize-Throughput &&
    $IPTABLES -t mangle -A PREROUTING -p tcp --dport 110 -j TOS --set-tos Maximize-Throughput &&
    $IPTABLES -t mangle -A PREROUTING -p tcp --dport 113 -j TOS --set-tos Minimize-Delay &&
    $IPTABLES -t mangle -A PREROUTING -p tcp --dport 123 -j TOS --set-tos Minimize-Delay &&
    $IPTABLES -t mangle -A PREROUTING -p tcp --dport 143 -j TOS --set-tos Maximize-Throughput &&
    $IPTABLES -t mangle -A PREROUTING -p tcp --dport 443 -j TOS --set-tos Maximize-Throughput &&
    $IPTABLES -t mangle -A PREROUTING -p tcp --dport 993 -j TOS --set-tos Maximize-Throughput &&
    $IPTABLES -t mangle -A PREROUTING -p tcp --dport 995 -j TOS --set-tos Maximize-Throughput &&
    $IPTABLES -t mangle -A PREROUTING -p tcp --dport 1080 -j TOS --set-tos Minimize-Delay &&
    $IPTABLES -t mangle -A PREROUTING -p tcp --dport 6000:6063 -j TOS --set-tos Maximize-Throughput &&
    $IPTABLES -t mangle -A PREROUTING -p tcp --dport 5900 -j TOS --set-tos Minimize-Delay &&
    err=`testresult $?`
    i=$?
    echo "MANGLE - TOS PREROUTING ... $err";

    #
    # 2.8 FORWARDING
    #

    echo;

    #
    # 2.8.1 Setting the default policy
    #

    $IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT &&
    $IPTABLES -P FORWARD DROP &&
    err=`testresult $?`
    i=$?
    echo "Zetten van default policy FORWARD ... $err";

    #
    # 2.8.2 Besides MTU, there is yet another way to set the maximum size, the so called Maximum segment.
    # This is a field in the TCP Options part of a SYN packet.
    # The good thing about this is that by setting the MSS value, you are telling the remote side unequivocally
    # 'do not ever try to send me packets bigger than this value'. No ICMP traffic is needed to get this to work.
    # In order for this to work you need at least iptables-1.2.1a and Linux 2.4.3 or higher. The basic commandline is:
    #

    $IPTABLES -A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu

    #
    # 2.8.3 The first thing you want to do is log and drop any suspicious packets:
    #

    $IPTABLES -A FORWARD -i $INET_IFACE -j CHECK &&
    err=`testresult $?`
    i=$?
    echo "Activeren general check FORWARD ... $err";

    #
    # 2.8.4 Allow forwarding of all protocols incoming on the external interface
    # to lan if the connection is initiated by the LAN (LAN = Local Area Network)
    #

    $IPTABLES -A FORWARD -i $INET_IFACE -m state --state ESTABLISHED,RELATED -j ACCEPT

    #
    # 2.8.5 Allow forwarding of all protocols incoming on the local interface coming from the local network
    #

    $IPTABLES -A FORWARD -i $LAN_IFACE -o $INET_IFACE -s $LAN_IP_RANGE -j ACCEPT

    #
    # 2.8.6 Example rule portforwarding, enable also rule in PREROUTING Section
    #

    $IPTABLES -A FORWARD -p tcp -i $INET_IFACE -o $LAN_IFACE -d $MASQ_IP --dport 21 -m state --state NEW -j ACCEPT

    #
    # 2.8.6.1 VNC Portforwarding
    #

    $IPTABLES -A FORWARD -p tcp -m state --state NEW -i $INET_IFACE -d $VNC_IP --destination-port 5900 -j ACCEPT

    #
    # 2.8.7 ABN-AMRO Homenet
    #

    a=0
    for net in $abnamro_net; do
    $IPTABLES -A FORWARD -p tcp -i $INET_IFACE -s $net --sport ftp-data -d $MASQ_IP --dport 1025:1500 -m state --state NEW -j ACCEPT &&
    if [ $? != 0 ]; then
    a=1
    break;
    fi
    done;
    err=`testresult $?`
    i=$?
    echo "FORWARD - ABNAMRO homenet ... $err";

    #
    # 2.9 INPUT
    #

    echo;

    #
    # 2.9.1 Setting default policy
    #


    $IPTABLES -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT &&
    $IPTABLES -P INPUT DROP &&
    err=`testresult $?`
    i=$?
    echo "Setting default policy INPUT ... $err";

    #
    # 2.9.2 The first thing you want to do is log and drop any suspicious packets:
    #

    $IPTABLES -A INPUT -i $INET_IFACE -j CHECK &&
    err=`testresult $?`
    i=$?
    echo "Activeren general check INPUT ... $err";

    #
    # 2.9.3 Loopback
    #

    $IPTABLES -A INPUT -i lo -j ACCEPT

    #
    # 2.9.4 DHCP
    #

    $IPTABLES -A INPUT -p udp -i $INET_IFACE --sport bootpc --dport bootps -j ACCEPT
    $IPTABLES -A INPUT -p udp -i $INET_IFACE --sport bootps --dport bootpc -j ACCEPT

    #
    # 2.10 INPUT External
    #

    echo;

    #
    # 2.10.1 Accept incoming packets on external interface that are related to connections made by the server
    #

    $IPTABLES -A INPUT -i $INET_IFACE -d $INET_IP -m state --state ESTABLISHED,RELATED -j ACCEPT

    #
    # 2.10.2 Reject new connections not started with SYN packet on external interface
    #

    $IPTABLES -A INPUT -p tcp -i $INET_IFACE -d $INET_IP -m state --state NEW ! --syn -j LDROP

    #
    # 2.10.3 FTP incoming
    #

    $IPTABLES -A INPUT -p tcp -i $INET_IFACE -d $INET_IP --dport ftp -m state --state NEW -j ACCEPT
    err=`testresult $?`
    i=$?
    echo "EXT -FTP ... $err";

    #
    # 2.10.4 SSH Incoming
    #

    $IPTABLES -A INPUT -p tcp -i $INET_IFACE -d $INET_IP --dport ssh -m state --state NEW -j ACCEPT
    err=`testresult $?`
    i=$?
    echo "EXT - SSH ... $err";

    #
    # 2.10.5 TELNET Incoming
    #

    # $IPTABLES -A INPUT -p tcp -i $INET_IFACE -d $INET_IP --dport telnet -m state --state NEW -j ACCEPT
    # err=`testresult $?`
    # i=$?
    # echo "EXT - TELNET Incoming

    #
    # 2.10.6 SMTP Incoming
    #

    $IPTABLES -A INPUT -p tcp -i $INET_IFACE -d $INET_IP --dport smtp -m state --state NEW -j ACCEPT
    err=`testresult $?`
    i=$?
    echo "EXT - SMTP ... $err";

    #
    # 2.10.7 HTTP Incoming when running own Webserver
    #

    # $IPTABLES -A INPUT -p tcp -i $INET_IFACE -d $INET_IP --dport http -m state --state NEW -j ACCEPT
    # err=`testresult $?`
    # i=$?
    # echo "EXT - HTTP ... $err";

    #
    # 2.10.8 DNS Incoming when running own DNS server
    #

    # $IPTABLES -A INPUT -p tcp -i $INET_IFACE -d $INET_IP --dport domain -m state --state NEW -j ACCEPT
    # err=`testresult $?`
    # i=$?
    # echo "EXT - DNS ... $err";

    #
    # 2.10.9 POP3 Incoming when running own pop3 server
    #

    # $IPTABLES -A INPUT -p tcp -i $INET_IFACE -d $INET_IP --dport pop3 -m state --state NEW -j ACCEPT
    # err=`testresult $?`
    # i=$?
    # echo "EXT - POP3 ... $err";

    #
    # 2.10.10 AUTH Incoming when running own ident-server
    #

    # $IPTABLES -A INPUT -p tcp -i $INET_IFACE -d $INET_IP --dport auth -m state --state NEW -j ACCEPT
    # err=`testresult $?`
    # i=$?
    # echo "EXT - AUTH ... $err";

    #
    # 2.10.11 When you're not running AUTH incoming, then use the following rule:
    #

    $IPTABLES -A INPUT -p tcp -i $INET_IFACE -d $INET_IP --dport auth -m state --state NEW -j REJECT --reject-with tcp-reset
    err=`testresult $?`
    i=$?
    echo "EXT - reject AUTH ... $err";

    #
    # 2.10.12 IMAP Incoming when running own IMAP-Server
    #

    # $IPTABLES -A INPUT -p tcp -i $INET_IFACE -d $INET_IP --dport imap -m state --state NEW -j ACCEPT
    # err=`testresult $?`
    # i=$?
    # echo "EXT - IMAP ... $err";

    #
    # 2.10.13 HTTPS Incoming when running own HTTPS server
    #

    $IPTABLES -A INPUT -p tcp -i $INET_IFACE -d $INET_IP --dport https -m state --state NEW -j ACCEPT
    err=`testresult $?`
    i=$?
    echo "EXT - HTTP Secure ... $err";

    #
    # 2.10.14 IMAP SSL Incoming when running own IMAP server with SSL
    #

    # $IPTABLES -A INPUT -p tcp -i $INET_IFACE -d $INET_IP --dport imaps -m state --state NEW -j ACCEPT
    # err=`testresult $?`
    # i=$?
    # echo "EXT - IMAP Secure ... $err";

    #
    # 2.10.15 POP3 Incoming when running own server with SSL
    #

    # $IPTABLES -A INPUT -p tcp -i $INET_IFACE -d $INET_IP --dport pop3s -m state --state NEW -j ACCEPT
    # err=`testresult $?`
    # i=$?
    # echo "EXT - POP3 Secure ... $err";

    #
    # 2.10.16 VNC Incoming when running own VNC server
    #

    $IPTABLES -A INPUT -p tcp -i $INET_IFACE -d $INET_IP --dport 5901 -m state --state NEW -j ACCEPT
    err=`testresult $?`
    i=$?
    echo "EXT - VNC ... $err";

    #
    # 2.10.17 WEBMIN Incoming when running own WEBMIN Server
    #

    # $IPTABLES -A INPUT -p tcp -i $INET_IFACE -d $INET_IP --dport 10000 -m state --state NEW -j ACCEPT
    # err=`testresult $?`
    # i=$?
    # echo "EXT - WEBMIN ... $err";

    #
    # 2.10.18 ICQ incoming
    #

    $IPTABLES -A INPUT -p tcp -i $INET_IFACE --sport $UNPRIVPORTS -d $INET_IP --dport $UNPRIVPORTS -m state --state NEW -j BLOCK
    err=`testresult $?`
    i=$?
    echo "EXT - ICQ-filetransfer all ... Caution, opens ALL unpriv_ports !!! ... $err";

    #
    # 2.11 INPUT Local
    #

    echo;

    #
    # 2.11.1 Accept packets from our subnet, we trust our local network (LAN)
    #

    $IPTABLES -A INPUT ! -i $INET_IFACE -s $LAN_IP_RANGE -j ACCEPT
    err=`testresult $?`
    i=$?
    echo "LOCAL - TOTAL LAN ... $err";

    #
    # 2.11.2 Accept incoming packets on local interface that are related to connections made by the server
    #

    $IPTABLES -A INPUT -i $LAN_IFACE -s $LAN_IP_RANGE -d $LAN_IP -m state --state ESTABLISHED,RELATED -j ACCEPT

    #
    # 2.11.3 ICMP incoming local
    #

    $IPTABLES -A INPUT -p icmp --icmp-type 8 -i $LAN_IFACE -s $LAN_IP_RANGE -d $LAN_IP -m state --state NEW $limit1 -j ACCEPT
    err=`testresult $?`
    i=$?
    echo "LOCAL - accept incoming pings ... $err";

    #
    # 2.11.4 UDP incoming local
    #

    $IPTABLES -A INPUT -p udp -i $LAN_IFACE -s $LAN_IP_RANGE -m state --state NEW -j ACCEPT
    err=`testresult $?`
    i=$?
    echo "LOCAL - UDP accept ... $err";

    #
    # 2.11.5 FTP Incoming - open port 21 (active and passive)
    #

    $IPTABLES -A INPUT -p tcp -i $LAN_IFACE -s $LAN_IP_RANGE -d $LAN_IP --dport ftp -m state --state NEW -j ACCEPT
    err=`testresult $?`
    i=$?
    echo "LOCAL - FTP ... $err";

    #
    # 2.11.6 SSH Incoming local
    #

    $IPTABLES -A INPUT -p tcp -i $LAN_IFACE -s $LAN_IP_RANGE -d $LAN_IP --dport ssh -m state --state NEW -j ACCEPT
    err=`testresult $?`
    i=$?
    echo "LOCAL - SSH ... $err";

    #
    # 2.11.7 TELNET Incoming local
    #

    # $IPTABLES -A INPUT -p tcp -i $LAN_IFACE -s $LAN_IP_RANGE -d $LAN_IP --dport telnet -m state --state NEW -j ACCEPT
    # err=`testresult $?`
    # i=$?
    # echo "LOCAL - TELNET ... $err";

    #
    # 2.11.8 SMTP Incoming local
    #

    $IPTABLES -A INPUT -p tcp -i $LAN_IFACE -s $LAN_IP_RANGE -d $LAN_IP --dport smtp -m state --state NEW -j ACCEPT
    err=`testresult $?`
    i=$?
    echo "LOCAL - SMTP ... $err";

    #
    # 2.11.9 DNS Incoming local when running own DNS - Server
    #

    # $IPTABLES -A INPUT -p tcp -i $LAN_IFACE -s $LAN_IP_RANGE -d $LAN_IP --dport domain -m state --state NEW -j ACCEPT
    # err=`testresult $?`
    # i=$?
    # echo "LOCAL - DNS ... $err";

    #
    # 2.11.10 HTTP Incoming local when running own Webserver
    #

    # $IPTABLES -A INPUT -p tcp -i $LAN_IFACE -s $LAN_IP_RANGE -d $LAN_IP --dport http -m state --state NEW -j ACCEPT
    # err=`testresult $?`
    # i=$?
    # echo "LOCAL - HTTP ... $err";

    #
    # 2.11.11 POP3 Incoming local when running own POP3 Server
    #

    # $IPTABLES -A INPUT -p tcp -i $LAN_IFACE -s $LAN_IP_RANGE -d $LAN_IP --dport pop3 -m state --state NEW -j ACCEPT
    # err=`testresult $?`
    # i=$?
    # echo "LOCAL - POP3 ... $err";

    #
    # 2.11.12 Portmapper Incoming local when running NFS server
    #

    # $IPTABLES -A INPUT -p tcp -i $LAN_IFACE -s $LAN_IP_RANGE -d $LAN_IP --dport portmapper -m state --state NEW -j ACCEPT
    # err=`testresult $?`
    # i=$?
    # echo "LOCAL - PORTMAPPER ... $err";

    #
    # 2.11.13 NETBIOS-NS Incoming Local
    #

    $IPTABLES -A INPUT -p tcp -i $LAN_IFACE -s $LAN_IP_RANGE -d $LAN_IP --dport netbios-ns -m state --state NEW -j ACCEPT
    err=`testresult $?`
    i=$?
    echo "LOCAL - NETBIOS-NS ... $err";

    #
    # 2.11.14 NETBIOS-DGM Incoming local
    #

    $IPTABLES -A INPUT -p tcp -i $LAN_IFACE -s $LAN_IP_RANGE -d $LAN_IP --dport netbios-dgm -m state --state NEW -j ACCEPT
    err=`testresult $?`
    i=$?
    echo "LOCAL - NETBIOS-DGM ... $err";

    #
    # 2.11.15 NETBIOS-SSN Incoming local
    #

    $IPTABLES -A INPUT -p tcp -i $LAN_IFACE -s $LAN_IP_RANGE -d $LAN_IP --dport netbios-ssn -m state --state NEW -j ACCEPT
    err=`testresult $?`
    i=$?
    echo "LOCAL - NETBIOS-SSN ... $err";

    #
    # 2.11.16 IMAP Incoming local when running own IMAP Server
    #

    # $IPTABLES -A INPUT -p tcp -i $LAN_IFACE -s $LAN_IP_RANGE -d $LAN_IP --dport imap -m state --state NEW -j ACCEPT
    # err=`testresult $?`
    # i=$?
    # echo "LOCAL - IMAP ... $err";

    #
    # 2.11.17 HTTPS Incoming local when running own HTTPS Server
    #

    # $IPTABLES -A INPUT -p tcp -i $LAN_IFACE -s $LAN_IP_RANGE -d $LAN_IP --dport https -m state --state NEW -j ACCEPT
    # err=`testresult $?`
    # i=$?
    # echo "LOCAL - HTTP Secure ... $err";

    #
    # 2.11.18 SWAT (Samba Web Administration Tool) Incoming local
    #

    # $IPTABLES -A INPUT -p tcp -i $LAN_IFACE -s $LAN_IP_RANGE -d $LAN_IP --dport swat -m state --state NEW -j ACCEPT
    # err=`testresult $?`
    # i=$?
    # echo "LOCAL - SWAT ... $err";

    #
    # 2.11.19 IMAP SSL Incoming Local
    #

    # $IPTABLES -A INPUT -p tcp -i $LAN_IFACE -s $LAN_IP_RANGE -d $LAN_IP --dport imaps -m state --state NEW -j ACCEPT
    # err=`testresult $?`
    # i=$?
    # echo "LOCAL - IMAP Secure ... $err";

    #
    # 2.11.20 POP3 SSL Incoming local
    #

    # $IPTABLES -A INPUT -p tcp -i $LAN_IFACE -s $LAN_IP_RANGE -d $LAN_IP --dport pop3s -m state --state NEW -j ACCEPT
    # err=`testresult $?`
    # i=$?
    # echo "LOCAL - POP3 Secure ... $err";

    #
    # 2.11.21 SOCKS Incoming local
    #

    # $IPTABLES -A INPUT -p tcp -i $LAN_IFACE -s $LAN_IP_RANGE -d $LAN_IP --dport socks -m state --state NEW -j ACCEPT
    # err=`testresult $?`
    # i=$?
    # echo "LOCAL - SOCKS ... $err";

    #
    # 2.11.22 SQUID Incoming local
    #

    # $IPTABLES -A INPUT -p tcp -i $LAN_IFACE -s $LAN_IP_RANGE -d $LAN_IP --dport 3128 -m state --state NEW -j ACCEPT
    # err=`testresult $?`
    # i=$?
    # echo "LOCAL - SQUID ... $err";

    #
    # 2.11.23 VNC Incoming local
    #

    $IPTABLES -A INPUT -p tcp -i $LAN_IFACE -s $LAN_IP_RANGE -d $LAN_IP --dport 5901 -m state --state NEW -j ACCEPT
    err=`testresult $?`
    i=$?
    echo "LOCAL - VNC ... $err";

    #
    # 2.11.24 WEBMIN Incoming local
    #

    # $IPTABLES -A INPUT -p tcp -i $LAN_IFACE -s $LAN_IP_RANGE -d $LAN_IP --dport 10000 -m state --state NEW -j ACCEPT
    # err=`testresult $?`
    # i=$?
    # echo "LOCAL - WEBMIN ... $err";

    #
    # 2.11.25 Make sure clients can visit their own server on the external IP address
    #

    $IPTABLES -A INPUT -p tcp -i $LAN_IFACE -s $LAN_IP_RANGE -d $INET_IP -j ACCEPT

    #
    # 2.12 OUTPUT
    #

    echo;

    #
    # 2.12.1 Setting default policy
    #

    $IPTABLES -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT &&
    $IPTABLES -P OUTPUT DROP &&
    err=`testresult $?`
    i=$?
    echo "Setting default policy OUTPUT ... $err";

    #
    # 2.12.2 The first thing you want to do is log and drop any suspicious packets
    #

    $IPTABLES -A OUTPUT -o $INET_IFACE -j CHECK &&
    err=`testresult $?`
    i=$?
    echo "Activeren general check OUTPUT ... $err";

    #
    # 2.12.3 Loopback
    #

    $IPTABLES -A OUTPUT -o lo -j ACCEPT

    #
    # 2.12.4 DHCP
    #

    $IPTABLES -A OUTPUT -p udp -o $LAN_IFACE --sport bootps --dport bootpc -j ACCEPT
    $IPTABLES -A OUTPUT -p udp -o $INET_IFACE --sport bootps --dport bootpc -j ACCEPT

    #
    # 2.13 OUTPUT EXTERNAL
    #

    echo;

    #
    # 2.13.1 Accept outgoing packets on external interface that are related to connections made by the outside world
    #

    $IPTABLES -A OUTPUT -o $INET_IFACE -s $INET_IP -m state --state ESTABLISHED,RELATED -j ACCEPT

    #
    # 2.13.2 ICMP outgoing
    #

    $IPTABLES -A OUTPUT -p icmp --icmp-type 8 -o $INET_IFACE -s $INET_IP -m state --state NEW -j ACCEPT
    err=`testresult $?`
    i=$?
    echo "EXT - accept outgoing pings ... $err";

    #
    # 2.13.3 DNS Outgoing
    #

    $IPTABLES -A OUTPUT -p udp -o $INET_IFACE -s $INET_IP --dport domain -m state --state NEW -j ACCEPT
    err=`testresult $?`
    i=$?
    echo "EXT - allow outgoing dns queries ... $err";

    #
    # 2.13.4 NTP Outgoing
    #

    $IPTABLES -A OUTPUT -p udp -o $INET_IFACE -s $INET_IP --dport ntp -m state --state NEW -j ACCEPT
    err=`testresult $?`
    i=$?
    echo "EXT - NTP ... $err";

    #
    # 2.13.5 SMTP Outgoing
    #

    $IPTABLES -A OUTPUT -p tcp -o $INET_IFACE -s $INET_IP --dport smtp -m state --state NEW -j ACCEPT
    err=`testresult $?`
    i=$?
    echo "EXT - SMTP outgoing ... $err";

    #
    # 2.13.6 AUTH Outgoing
    #

    $IPTABLES -A OUTPUT -p tcp -o $INET_IFACE -s $INET_IP --sport auth -m state --state NEW -j ACCEPT
    err=`testresult $?`
    i=$?
    echo "EXT - AUTH outgoing ... $err";

    #
    # 2.13.7 AUTH not Outgoing
    #

    # $IPTABLES -A OUTPUT -p tcp -o $INET_IFACE -s $INET_IP --sport auth -j REJECT --reject-with tcp-reset
    # err=`testresult $?`
    # i=$?
    # echo "EXT - reject AUTH outgoing ... $err";

    #
    # 2.13.8 GENERAL Outgoing
    #

    $IPTABLES -A OUTPUT -p udp -o $INET_IFACE -s $INET_IP --sport $UNPRIVPORTS -m state --state NEW -j ACCEPT
    $IPTABLES -A OUTPUT -p tcp -o $INET_IFACE -s $INET_IP --sport $UNPRIVPORTS -m state --state NEW -j ACCEPT

    #
    # 2.14 OUTPUT Local
    #

    echo;

    #
    # 2.14.1 Accept outgoing packets on local interface that are related to connections made by client to the server
    #

    $IPTABLES -A OUTPUT -o ! $INET_IFACE -d $LAN_IP_RANGE -j ACCEPT
    err=`testresult $?`
    i=$?
    echo "LOCAL - TOTAL LAN outgoing ... $err";

    #
    # 2.14.2 ICMP Outgoing
    #

    $IPTABLES -A OUTPUT -p icmp --icmp-type 8 -o $LAN_IFACE -s $LAN_IP -m state --state NEW -j ACCEPT
    err=`testresult $?`
    i=$?
    echo "LOCAL - accept outgoing pings ... $err";

    #
    # 2.14.3 DNS local outgoing
    #

    $IPTABLES -A OUTPUT -p udp -o $LAN_IFACE -s $LAN_IP -d $LAN_IP_RANGE --sport domain -m state --state NEW -j ACCEPT
    err=`testresult $?`
    i=$?
    echo "LOCAL - allow outgoing dns queries ... $err";

    #
    # 2.14.4 Netbios local communications
    #

    $IPTABLES -A OUTPUT -p udp -o $LAN_IFACE -s $LAN_IP -d $LAN_IP_RANGE --dport netbios-ns -m state --state NEW -j ACCEPT &&
    $IPTABLES -A OUTPUT -p udp -o $LAN_IFACE -s $LAN_IP -d $LAN_IP_RANGE --dport netbios-dgm -m state --state NEW -j ACCEPT &&
    err=`testresult $?`
    i=$?
    echo "LOCAL - allow local netbios communication ... $err";

    #
    # 2.14.5 Making connections to client-shares via samba
    #

    $IPTABLES -A OUTPUT -p tcp -o $LAN_IFACE -s $LAN_IP -d $LAN_IP_RANGE --dport netbios-ssn -m state --state NEW -j ACCEPT
    err=`testresult $?`
    i=$?
    echo "LOCAL - NETBIOS-SSN outgoing ... $err";

    #
    # 2.14.6 AUTH Outgoing
    #

    $IPTABLES -A OUTPUT -p tcp -o $LAN_IFACE -s $LAN_IP -d $LAN_IP_RANGE --dport auth -j ACCEPT
    err=`testresult $?`
    i=$?
    echo "LOCAL - AUTH outgoing ... $err";

    #
    # 2.14.7 AUTH Not Outgoing
    #

    # $IPTABLES -A OUTPUT -p tcp -o $LAN_IFACE -s $LAN_IP -d $LAN_IP_RANGE --dport auth -j REJECT --reject-with tcp-reset
    # err=`testresult $?`
    # i=$?
    # echo "LOCAL - reject AUTH outgoing ... $err";

    #
    # 2.14.8 Make sure clients can visit their own server on the external IP address
    #

    $IPTABLES -A OUTPUT -p tcp -o $LAN_IFACE -s $INET_IP -d $LAN_IP_RANGE -j ACCEPT

    #
    # 2.15 MANGLE OUTPUT
    #

    echo;

    #
    # 2.15.1 Setting default policy
    #

    $IPTABLES -t mangle -P OUTPUT ACCEPT
    err=`testresult $?`
    i=$?
    echo "Setting default policy MANGLE-OUTPUT ... $err";

    #
    # TOS table
    # Options:
    # Normal-Service = 0 (0x00)
    # Minimize-Cost = 2 (0x02)
    # Maximize-Reliability = 4 (0x04)
    # Maximize-Throughput = 8 (0x08)
    # Minimize-Delay = 16 (0x10)
    #
    # ToS: Client Applications; data => tos_client
    # Most of these are the RFC 1060/1349 suggested TOS values, yours might vary.
    # To view mangle table, type: iptables -L -t mangle
    #

    #
    # 2.15.2 Mangle values of packets created locally
    #

    $IPTABLES -t mangle -A OUTPUT -p tcp --dport 20 -j TOS --set-tos Maximize-Throughput &&
    $IPTABLES -t mangle -A OUTPUT -p tcp --dport 21 -j TOS --set-tos Minimize-Delay &&
    $IPTABLES -t mangle -A OUTPUT -p tcp --dport 22 -j TOS --set-tos Minimize-Delay &&
    $IPTABLES -t mangle -A OUTPUT -p tcp --dport 23 -j TOS --set-tos Minimize-Delay &&
    $IPTABLES -t mangle -A OUTPUT -p tcp --dport 25 -j TOS --set-tos Minimize-Delay &&
    $IPTABLES -t mangle -A OUTPUT -p udp --dport 53 -j TOS --set-tos Minimize-Delay &&
    $IPTABLES -t mangle -A OUTPUT -p tcp --dport 67 -j TOS --set-tos Minimize-Delay &&
    $IPTABLES -t mangle -A OUTPUT -p tcp --dport 80 -j TOS --set-tos Maximize-Throughput &&
    $IPTABLES -t mangle -A OUTPUT -p tcp --dport 110 -j TOS --set-tos Maximize-Throughput &&
    $IPTABLES -t mangle -A OUTPUT -p tcp --dport 113 -j TOS --set-tos Minimize-Delay &&
    $IPTABLES -t mangle -A OUTPUT -p tcp --dport 123 -j TOS --set-tos Minimize-Delay &&
    $IPTABLES -t mangle -A OUTPUT -p tcp --dport 143 -j TOS --set-tos Maximize-Throughput &&
    $IPTABLES -t mangle -A OUTPUT -p tcp --dport 443 -j TOS --set-tos Maximize-Throughput &&
    $IPTABLES -t mangle -A OUTPUT -p tcp --dport 993 -j TOS --set-tos Maximize-Throughput &&
    $IPTABLES -t mangle -A OUTPUT -p tcp --dport 995 -j TOS --set-tos Maximize-Throughput &&
    $IPTABLES -t mangle -A OUTPUT -p tcp --dport 1080 -j TOS --set-tos Minimize-Delay &&
    $IPTABLES -t mangle -A OUTPUT -p tcp --dport 6000:6063 -j TOS --set-tos Maximize-Throughput
    err=`testresult $?`
    i=$?
    echo "MANGLE - TOS OUTPUT ... $err";

    #
    # 2.15.3 Mark outgoing packets for traffic shaping (optional)
    #

    $IPTABLES -t mangle -I OUTPUT -m length --length 0:500 -j MARK --set-mark 1
    $IPTABLES -t mangle -I OUTPUT -m length --length 500:1500 -j MARK --set-mark 2

    #
    # 2.16 POSTROUTING
    #

    echo;

    #
    # 2.16.1 Setting default policies
    #

    $IPTABLES -t nat -P POSTROUTING ACCEPT
    err=`testresult $?`
    i=$?
    echo "Setting default policy POSTROUTING ... $err";

    #
    # 2.16.2 Change source addresses to external IP, packets leave firewall with external IP !
    #

    $IPTABLES -t nat -A POSTROUTING -o $INET_IFACE -j SNAT --to $INET_IP
    err=`testresult $?`
    i=$?
    echo "Enable SOURCE NAT ... $err";

    #
    # 2.16.3 POSTROUTING VNC
    #

    # the interface variable was missing its "$", so the rule never matched the external interface
    $IPTABLES -t nat -A POSTROUTING -o $INET_IFACE -s $VNC_IP -d 0/0 -j SNAT --to-source 192.168.0.5

    #
    # 2.17 LOG-FORWARD
    #

    echo;

    #
    # 2.17.1 All remaining packets in FORWARD chain are logged
    #

    $IPTABLES -A FORWARD -j LOG-FORWARD

    $IPTABLES -A LOG-FORWARD -p tcp $limit2 $log "TCP_Dropped_F: "
    $IPTABLES -A LOG-FORWARD -p udp $limit2 $log "UDP_Dropped_F: "
    $IPTABLES -A LOG-FORWARD -p icmp $limit2 $log "ICMP_Dropped_F: "
    $IPTABLES -A LOG-FORWARD -f $limit2 $log "FRAGMENT_Dropped_F: "
    $IPTABLES -A LOG-FORWARD -j LDROP

    #
    # 2.18 LOG-INPUT
    #

    echo;

    #
    # 2.18.1 All remaining packets in INPUT chain are logged
    #

    $IPTABLES -A INPUT -j LOG-INPUT

    $IPTABLES -A LOG-INPUT -p tcp $limit2 $log "TCP_Dropped_I: "
    $IPTABLES -A LOG-INPUT -p udp $limit2 $log "UDP_Dropped_I: "
    $IPTABLES -A LOG-INPUT -p icmp $limit2 $log "ICMP_Dropped_I: "
    $IPTABLES -A LOG-INPUT -f $limit2 $log "FRAGMENT_Dropped_I: "
    $IPTABLES -A LOG-INPUT -j LDROP

    #
    # 2.19 LOG-OUTPUT
    #

    echo;

    #
    # 2.19.1 All remaining packets in OUTPUT chain are logged
    #

    $IPTABLES -A OUTPUT -j LOG-OUTPUT

    $IPTABLES -A LOG-OUTPUT -p tcp $limit2 $log "TCP_Dropped_O: "
    $IPTABLES -A LOG-OUTPUT -p udp $limit2 $log "UDP_Dropped_O: "
    $IPTABLES -A LOG-OUTPUT -p icmp $limit2 $log "ICMP_Dropped_O: "
    $IPTABLES -A LOG-OUTPUT -f $limit2 $log "FRAGMENT_Dropped_O: "
    $IPTABLES -A LOG-OUTPUT -j LDROP

    #
    # 2.20 LDROP
    #

    echo;

    #
    # 2.20.1 All other incoming, forwarding and outgoing is denied and logged.
    #

    $IPTABLES -A LDROP -j DROP

    echo;

    if [ "$i" -gt "0" ]; then
    echo "Firewall error" >> /var/log/messages
    echo -e "$datum \033[40m\033[1;31mErrors detected in bringing up firewall!\033[0m" | tee -a /var/log/messages
    echo -e "$datum \033[40m\033[1;31mCheck your configuration.\033[0m" | tee -a /var/log/messages
    else
    echo -e "$datum \033[40m\033[1;32mFirewall is up without errors!\033[0m" | tee -a /var/log/messages
    echo;
    fi


    ;;

    ##########################################################################################################################################
    ##########################################################################################################################################
    stop)

    echo;
    datum=`date +'%b %d %k:%M:%S'`;
    echo "$datum Shutting down firewall and masquerading" | tee -a /var/log/messages
    echo "$datum WARNING: YOUR MACHINE IS NOW OPEN FOR ATTACKS!!!" | tee -a /var/log/messages
    echo;

    #
    # 3.1 Remove all existing rules belonging to this filter
    #
    $IPTABLES -F
    $IPTABLES -t nat -F
    $IPTABLES -t mangle -F

    #
    # 3.2 Delete all user-defined chains belonging to this filter
    #
    $IPTABLES -X
    $IPTABLES -t nat -X
    $IPTABLES -t mangle -X

    #
    # 3.3 Reset the default policy of the filter to accept.
    #
    $IPTABLES -P INPUT ACCEPT
    $IPTABLES -P OUTPUT ACCEPT
    $IPTABLES -P FORWARD ACCEPT
    $IPTABLES -t nat -P POSTROUTING ACCEPT
    $IPTABLES -t nat -P PREROUTING ACCEPT
    $IPTABLES -t mangle -P OUTPUT ACCEPT
    $IPTABLES -t mangle -P PREROUTING ACCEPT

    ;;

    ##########################################################################################################################################
    ##########################################################################################################################################
    status)

    $IPTABLES -v -n -L

    ;;


    ##########################################################################################################################################
    ##########################################################################################################################################
    restart)

    datum=`date +'%b %d %k:%M:%S'`;
    echo "$datum Firewall restart ..." | tee -a /var/log/messages
    $0 stop
    echo "-----------------------"
    $0 start

    ;;


    ##########################################################################################################################################
    ##########################################################################################################################################
    version)

    datum=`date +'%b %d %k:%M:%S'`;
    echo "**"
    echo "$datum * * Firewall version: `/bin/awk '/Id/ {print $3 $4}' $path_firewall`"

    ;;


    ##########################################################################################################################################
    ##########################################################################################################################################
    *)

    # ************************* WRONG PARAMETERS **************************
    echo;
    echo "Wrong parameter input!"
    echo "Usage: $0 {start|stop|restart|status|version}"

    ;;


    esac
    [/quote]
    Computers Are Like Air Conditioners... They're both useless with Windows open!

  6. #5
    Just Joined!
    Join Date
    Apr 2004
    Location
    egypt
    Posts
    8
    You know my friend,
    I know of course that my script has a lot of things missing,
    but remember that this is the first time in my life that I have made an iptables script.
    I know that it hasn't got rules,
    but I just try to test it, make it work.
    I really want to learn iptables.
    So the problem that is facing me now,
    I think it's not complex, but there is something missing that makes me unable to route to the machines in my network.
    The problem is I want to make my machine the default gateway to the internet for the other machines.
    How to make them send and receive all packets to and from me?
    I did
    echo 1 > /proc/sys/net/ipv4/ip_forward
    and changed the value of ipv4 forwarding in /etc/sysctl.conf to 1,
    but the other machines still couldn't receive packets from my machine when I connect to any website.
    I have a DNS server and me and all computers resolve fine,
    there is no problem with it.

  7. #6
    Linux Newbie
    Join Date
    Dec 2003
    Location
    Netherlands
    Posts
    193
    Try to get a sample script from www.netfilter.org

    If this sample works, try to work around with it. Make your own rules in this script.
    Computers Are Like Air Conditioners... They're both useless with Windows open!

  8. #7
    Just Joined!
    Join Date
    Jun 2004
    Location
    Leiria - Portugal
    Posts
    72

    Just IP forwarding

    Just have to enable ipv4 forwarding, like some other user said.

    IP forwarding is a kernel parameter; because of this it won't survive a system reboot. To make it permanent, put it in an init script.

    Then with IP forwarding enabled you just need to specify your gateway address on your workstations. Be sure that any iptables rules are blocking forwarded packets. You can also read about NAT (aka MASQUERADING) for small private networks.
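The gateway setup that posts #5 and #7 describe, written out as an added example that is not code from this thread: it assumes a two-interface box (eth1 towards the 10.1.0.0/16 LAN, eth0 towards the Internet; constructed values, not the original poster's), and by default prints the commands instead of applying them so the rule set can be reviewed before it is run as root with DRY_RUN=0.

```shell
#!/bin/sh
# Added example (not from the thread): minimal NAT gateway for a private LAN.
# Assumed layout (constructed): LAN interface eth1 serving 10.1.0.0/16,
# Internet interface eth0. DRY_RUN=1 (default) prints commands instead of
# executing them.

LAN_IFACE="${LAN_IFACE:-eth1}"
INET_IFACE="${INET_IFACE:-eth0}"
LAN_RANGE="${LAN_RANGE:-10.1.0.0/16}"
DRY_RUN="${DRY_RUN:-1}"

# Execute or print a command, depending on DRY_RUN.
run() {
    if [ "$DRY_RUN" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Step 1: forwarding is a kernel parameter and is reset on reboot, so this
# belongs in an init script (or sysctl.conf), not only typed once by hand.
enable_forwarding() {
    run sysctl -w net.ipv4.ip_forward=1
}

# Step 2: FORWARD rules. With ip_forward=1 the kernel routes, but a filter
# whose FORWARD policy is DROP (as in the script quoted above) still blocks
# the clients unless LAN -> Internet connections and their replies are
# explicitly accepted. Accepts are added before the policy is tightened.
forward_rules() {
    run iptables -A FORWARD -i "$LAN_IFACE" -o "$INET_IFACE" -s "$LAN_RANGE" \
        -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
    run iptables -A FORWARD -i "$INET_IFACE" -o "$LAN_IFACE" -d "$LAN_RANGE" \
        -m state --state ESTABLISHED,RELATED -j ACCEPT
    run iptables -P FORWARD DROP
}

# Step 3: NAT. 10.x.x.x is private address space, so a reply to a packet that
# still carries the client's address never comes back. MASQUERADE rewrites
# the source to the outgoing interface's current address; SNAT --to-source
# does the same with a fixed external address.
nat_rules() {
    run iptables -t nat -A POSTROUTING -o "$INET_IFACE" -s "$LAN_RANGE" -j MASQUERADE
}

# Step 4: verify the kernel flag actually took. The optional path argument
# lets the check be exercised against a copy of the file on any machine.
forwarding_enabled() {
    f="${1:-/proc/sys/net/ipv4/ip_forward}"
    [ -r "$f" ] && [ "$(cat "$f")" = "1" ]
}

enable_forwarding
forward_rules
nat_rules
```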
