#!/bin/sh
################################################## ################################################## ###############
#
# $Id: firewall.iptables,v 1.39 2004/04/12
#
################################################## ################################################## ###############
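#######################################
# Print a coloured status word for an exit code and add the code to the
# running error total.
# Globals:   i (read and written) - running total of the codes seen so far
# Arguments: $1 - exit code to report: 0 = OK, 1 = Failed, 2 = Fatal Error,
#                 anything else = "Fatal Error: ?"
# Outputs:   the coloured status word on stdout
# Returns:   the updated total as the exit status.  Callers run this in a
#            subshell, err=$(testresult $?), and read the total back with
#            i=$?.  The status is capped at 255 so a total that happens to be
#            a multiple of 256 cannot read back as "no errors".
#######################################
testresult() {
  # Only a well-formed non-negative integer is added; anything else falls
  # through to the "?" branch below without breaking the arithmetic.
  # (POSIX arithmetic instead of the bash-only "let", as the script runs
  # under #!/bin/sh.)
  case ${1:-} in
    ''|*[!0-9]*) ;;
    *) i=$(( ${i:-0} + $1 )) ;;
  esac
  # printf interprets the \033 escapes portably; "echo -e" does not under sh.
  case ${1:-} in
    0) printf '\033[40m\033[1;32mOK\033[0m\n' ;;
    1) printf '\033[40m\033[1;31mFailed\033[0m\n' ;;
    2) printf '\033[40m\033[1;31mFatal Error: 2\033[0m\n' ;;
    *) printf '\033[40m\033[1;31mFatal Error: ?\033[0m\n' ;;
  esac
  if [ "${i:-0}" -gt 255 ]; then
    return 255
  fi
  return "${i:-0}"
}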
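case "$1" in
###############################################################################
###############################################################################
start)
###############################################################################
  # ++++++++++++
  # GENERAL
  # ++++++++++++
  #
  # Status reporting: every step calls testresult with the exit status of the
  # iptables command(s) it ran.  testresult adds the code to $i and returns
  # the running total as its exit status, which is why each call is followed
  # by "i=$?" (the call itself runs in a subshell, so $i would otherwise be
  # lost).  The summary at the end of this arm looks at $i.  Loops use $rc
  # to carry the first failing status out of the loop.
  #
  i=0
  datum=$(date +'%b %d %k:%M:%S')
  echo "$datum Starten firewall iptables ..." | tee -a /var/log/messages
  #
  # 1.1 Internet Configuration.
  #
  INET_IP="xxx.xxx.xxx.xxx"          # placeholder: the public address on $INET_IFACE
  INET_IFACE="eth1"
  INET_BROADCAST="xxx.xxx.xxx.xxx"   # placeholder; not referenced by any rule below
  #
  # 1.2 Local Area Network configuration.
  #
  # your LAN's IP range and localhost IP. /16 means to only use the first 16
  # bits of the 32 bit IP address, the same as netmask 255.255.0.0
  #
  LAN_IP="192.168.0.5"
  LAN_IP_RANGE="192.168.0.0/16"
  LAN_IFACE="eth0"
  #
  # 1.3 Unprivileged port range.
  #
  UNPRIVPORTS="1024:65535"
  #
  # 1.4 Localhost Configuration.
  #
  LO_IFACE="lo"
  LO_IP="127.0.0.1"                  # not referenced by any rule below
  #
  # 1.5 IPTables Configuration.
  #
  IPTABLES="/sbin/iptables"
  #
  # 1.6 Other Configuration.
  #
  VNC_IP="192.168.0.4"               # not referenced by any rule below
  #
  # Source networks for the example port-forward in 2.7.4 / 2.8.7 (space
  # separated).  Left empty on purpose: the original script never defined
  # this variable, so those two loops added no rules.  Fill it in to enable
  # them.
  #
  abnamro_net=""
  #
  # 1.7 Masq. Machine IP (destination of the example port-forward, 2.7.4 /
  #     2.8.6 / 2.8.7)
  #
  MASQ_IP=192.168.200.20
  #
  # 1.8 VNC-server port (used by 2.10.16 and 2.11.23)
  #
  VNC_PORT=5901
  #
  # 1.9 Setting limit levels for logging.  These are expanded unquoted on
  #     purpose so iptables sees the separate words.
  #
  limit1="-m limit --limit 1/s"
  limit2="-m limit --limit 10/minute"
  limit3="-m limit --limit 20/s"      # defined but not used by any rule below
  log="-j LOG --log-level 5 --log-prefix"
  ###########################################################################
  #
  # 2. Module loading.
  #
  # depmod refreshes the module dependency map so modprobe can resolve them.
  #
  /sbin/depmod -a
  #
  # 2.1 Required modules.  A failure here is counted as an error.
  #     (The original named the FTP helpers ipt_nat_ftp / ipt_conntrack_ftp;
  #     the modules are ip_nat_ftp / ip_conntrack_ftp, like the irc helpers
  #     in 2.2, so FTP connection tracking never loaded.)
  #
  rc=0
  for mod in ip_tables ip_conntrack iptable_filter iptable_mangle iptable_nat \
             ipt_LOG ipt_limit ipt_state ipt_TOS ipt_REDIRECT ipt_REJECT \
             ipt_MASQUERADE ipt_tos ip_nat_ftp ip_conntrack_ftp; do
    /sbin/modprobe "$mod" || rc=1
  done
  #
  # 2.2 NON required modules.  modprobe still reports a missing module on
  #     stderr, but the failure is not counted: kernels without e.g.
  #     ipt_unclean or ipt_MIRROR can still run the rest of this script.
  #
  for mod in ip_conntrack_irc ip_queue ip_nat_irc ipt_multiport ipt_mark \
             ipt_mac ipt_owner ipt_tcpmss ipt_unclean ipt_ttl ipt_length \
             ipt_TCPMSS ipt_MIRROR ipt_MARK ipt_ULOG; do
    /sbin/modprobe "$mod" || :
  done
  err=$(testresult $rc)
  i=$?
  echo "Laden modules ... $err"
  #
  # 2.3 Create New Chains
  #
  # Fails if the chains already exist, i.e. when "start" is run twice
  # without "stop" in between -- use "restart" in that case.
  #
  $IPTABLES -N CHECK &&
  $IPTABLES -N BLOCK &&
  $IPTABLES -N LOG-FORWARD &&
  $IPTABLES -N LOG-INPUT &&
  $IPTABLES -N LOG-OUTPUT &&
  $IPTABLES -N LDROP
  err=$(testresult $?)
  i=$?
  echo "Creating new chains ... $err"
  #
  # 2.4 Setting kernel parameters
  #
  # Every write is checked so the status line below reflects this section
  # (the original reused the status of the chain creation above).
  #
  rc=0
  #
  # 2.4.1 Enable IP forwarding (this host routes between LAN and Internet)
  #
  echo 1 > /proc/sys/net/ipv4/ip_forward || rc=1
  #
  # 2.4.2 Enable SYN cookies
  #
  echo 1 > /proc/sys/net/ipv4/tcp_syncookies || rc=1
  #
  # 2.4.3 Ignore bogus ICMP error responses
  #
  echo 1 > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses || rc=1
  #
  # 2.4.4 Set the maximum number of connections to track.
  # NOTE(review): 2048 is very small for a NAT gateway; once the table is
  # full new connections are dropped.  Confirm the value is intended.
  #
  echo 2048 > /proc/sys/net/ipv4/ip_conntrack_max || rc=1
  #
  # 2.4.5 Enable response to ping (ICMP echo)
  #
  echo 0 > /proc/sys/net/ipv4/icmp_echo_ignore_all || rc=1
  #
  # 2.4.6 Disable response to broadcasts
  #
  echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts || rc=1
  #
  # 2.4.7 Reduce DoS'ing ability by reducing timeouts.
  # (The original wrote to "tcp_fin_timout", a file that does not exist;
  # the sysctl is tcp_fin_timeout.)
  # NOTE(review): turning off window scaling and SACK costs throughput on
  # fast or high-latency links; confirm this trade-off is still wanted.
  #
  echo 10 > /proc/sys/net/ipv4/tcp_fin_timeout || rc=1
  echo 1800 > /proc/sys/net/ipv4/tcp_keepalive_time || rc=1
  echo 0 > /proc/sys/net/ipv4/tcp_window_scaling || rc=1
  echo 0 > /proc/sys/net/ipv4/tcp_sack || rc=1
  #
  # 2.4.8 Set our local port range
  #
  echo "32768 61000" > /proc/sys/net/ipv4/ip_local_port_range || rc=1
  #
  # 2.4.9 Time To Live (TTL)
  #
  echo 64 > /proc/sys/net/ipv4/ip_default_ttl || rc=1
  #
  # 2.4.10 Increase the default queue length (kernel default: 1024).
  # The original had the redirection reversed ("echo > 2048 /proc/...") and
  # created a file named "2048" in the current directory instead.
  #
  echo 2048 > /proc/sys/net/ipv4/ip_queue_maxlen || rc=1
  #
  # 2.4.11 Turn on source address verification (reverse path filter)
  #
  for f in /proc/sys/net/ipv4/conf/*/rp_filter; do
    echo 1 > "$f" || rc=1
  done
  #
  # 2.4.12 Disable ICMP redirect acceptance
  #
  for f in /proc/sys/net/ipv4/conf/*/accept_redirects; do
    echo 0 > "$f" || rc=1
  done
  #
  # 2.4.13 Disable ICMP send_redirects
  #
  for f in /proc/sys/net/ipv4/conf/*/send_redirects; do
    echo 0 > "$f" || rc=1
  done
  #
  # 2.4.14 Log spoofed packets, source routed packets, redirect packets
  #
  for f in /proc/sys/net/ipv4/conf/*/log_martians; do
    echo 1 > "$f" || rc=1
  done
  err=$(testresult $rc)
  i=$?
  echo "Initialiseren kernelparameters ... $err"
  #
  # 2.5.0 Unclean packet check
  #
  # ipt_unclean is an experimental match that later kernels dropped; when
  # the module is missing both rules fail and the status below says so.
  # (The original had "$-j DROP", which expands the shell's option flags
  # instead of passing "-j DROP".)
  #
  $IPTABLES -A CHECK -m unclean $limit2 $log "UNCLEAN: " &&
  $IPTABLES -A CHECK -m unclean -j DROP
  err=$(testresult $?)
  i=$?
  echo "Activeren UNCLEAN check ... $err"
  #
  # 2.5.1 - 2.5.9 form one "&&" list so a single status covers them all;
  # the comment lines between the commands are allowed after "&&".
  #
  # 2.5.1 Check for invalid packets
  #
  $IPTABLES -A CHECK -m state --state INVALID $limit2 $log "INVALID; " &&
  $IPTABLES -A CHECK -m state --state INVALID -j DROP &&
  #
  # 2.5.2 NMAP FIN/URG/PSH - XMAS - scan
  #
  $IPTABLES -A CHECK -p tcp --tcp-flags ALL FIN,URG,PSH $limit2 $log "NMAP-XMAS: " &&
  $IPTABLES -A CHECK -p tcp --tcp-flags ALL FIN,URG,PSH -j DROP &&
  #
  # 2.5.3 SYN/RST - scan
  #
  $IPTABLES -A CHECK -p tcp --tcp-flags ALL SYN,RST SYN,RST $limit2 $log "SYN/RST: " &&
  $IPTABLES -A CHECK -p tcp --tcp-flags ALL SYN,RST SYN,RST -j DROP &&
  #
  # 2.5.4 SYN/FIN - scan (probably).  The DROP rule is not rate limited,
  # like its siblings; the original carried $limit2 on it, which let every
  # SYN/FIN packet beyond the limit fall through to later rules.
  #
  $IPTABLES -A CHECK -p tcp --tcp-flags SYN,FIN SYN,FIN $limit2 $log "SYN/FIN: " &&
  $IPTABLES -A CHECK -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP &&
  #
  # 2.5.5 FIN - scan
  #
  $IPTABLES -A CHECK -p tcp --tcp-flags ALL FIN $limit2 $log "FIN: " &&
  $IPTABLES -A CHECK -p tcp --tcp-flags ALL FIN -j DROP &&
  #
  # 2.5.6 ALL/ALL - scan
  #
  $IPTABLES -A CHECK -p tcp --tcp-flags ALL ALL $limit2 $log "ALL/ALL: " &&
  $IPTABLES -A CHECK -p tcp --tcp-flags ALL ALL -j DROP &&
  #
  # 2.5.7 NULL - scan
  #
  $IPTABLES -A CHECK -p tcp --tcp-flags ALL NONE $limit2 $log "NULL: " &&
  $IPTABLES -A CHECK -p tcp --tcp-flags ALL NONE -j DROP &&
  #
  # 2.5.8 SPOOFING:
  #
  $IPTABLES -A CHECK -s 0.0.0.0 $log "SPOOFING: " &&
  $IPTABLES -A CHECK -s 255.255.255.255 $log "SPOOFING: " &&
  $IPTABLES -A CHECK -s 0.0.0.0 -j LDROP &&
  $IPTABLES -A CHECK -s 255.255.255.255 -j LDROP &&
  #
  # 2.5.9 SPOOFING CLASS: private, multicast, reserved and link-local
  # source addresses are not valid on the Internet side.
  # NOTE(review): CHECK is also traversed by OUTPUT on $INET_IFACE (2.12.2).
  # If $INET_IP itself is a private address (this host behind another NAT
  # router) these rules drop this host's own outgoing traffic.
  #
  $IPTABLES -A CHECK -s 10.0.0.0/8 $log "SPOOFING A CLASS: " &&
  $IPTABLES -A CHECK -s 172.16.0.0/12 $log "SPOOFING B CLASS: " &&
  $IPTABLES -A CHECK -s 192.168.0.0/16 $log "SPOOFING C CLASS: " &&
  $IPTABLES -A CHECK -s 224.0.0.0/4 $log "SPOOFING D CLASS: " &&
  $IPTABLES -A CHECK -s 240.0.0.0/5 $log "SPOOFING E CLASS: " &&
  $IPTABLES -A CHECK -s 169.254.0.0/16 $log "SPOOFING F CLASS: " &&
  $IPTABLES -A CHECK -s 10.0.0.0/8 -j LDROP &&
  $IPTABLES -A CHECK -s 172.16.0.0/12 -j LDROP &&
  $IPTABLES -A CHECK -s 192.168.0.0/16 -j LDROP &&
  $IPTABLES -A CHECK -s 224.0.0.0/4 -j LDROP &&
  $IPTABLES -A CHECK -s 240.0.0.0/5 -j LDROP &&
  $IPTABLES -A CHECK -s 169.254.0.0/16 -j LDROP
  err=$(testresult $?)
  i=$?
  echo "Activeren general check chain (1) ... $err"
  #
  # 2.5.10 Block all address blocks that IANA listed as reserved/unallocated.
  # Snapshot of 01 Dec 2001, taken from
  # http://www.iana.org/assignments/ipv4-address-space
  # (The URL stood on a line of its own without a leading "#", so the
  # original tried to run it as a command.)
  # NOTE(review): this list is badly out of date -- nearly all of these /8s
  # have since been allocated, and loading it blocks legitimate traffic.
  # Review or trim it before use.
  #
  RESERVED_NET="
  0.0.0.0/8 1.0.0.0/8 2.0.0.0/8 \
  5.0.0.0/8 \
  7.0.0.0/8 \
  23.0.0.0/8 \
  27.0.0.0/8 \
  31.0.0.0/8 \
  36.0.0.0/8 37.0.0.0/8 \
  39.0.0.0/8 \
  41.0.0.0/8 42.0.0.0/8 \
  58.0.0.0/8 59.0.0.0/8 60.0.0.0/8 \
  69.0.0.0/8 70.0.0.0/8 71.0.0.0/8 72.0.0.0/8 73.0.0.0/8 \
  74.0.0.0/8 75.0.0.0/8 76.0.0.0/8 77.0.0.0/8 78.0.0.0/8 79.0.0.0/8 \
  82.0.0.0/8 83.0.0.0/8 84.0.0.0/8 85.0.0.0/8 86.0.0.0/8 87.0.0.0/8 \
  88.0.0.0/8 89.0.0.0/8 90.0.0.0/8 91.0.0.0/8 92.0.0.0/8 93.0.0.0/8 94.0.0.0/8 \
  95.0.0.0/8 96.0.0.0/8 97.0.0.0/8 98.0.0.0/8 99.0.0.0/8 100.0.0.0/8 101.0.0.0/8 \
  102.0.0.0/8 103.0.0.0/8 104.0.0.0/8 105.0.0.0/8 106.0.0.0/8 107.0.0.0/8 \
  108.0.0.0/8 109.0.0.0/8 110.0.0.0/8 111.0.0.0/8 112.0.0.0/8 113.0.0.0/8 \
  114.0.0.0/8 115.0.0.0/8 116.0.0.0/8 117.0.0.0/8 118.0.0.0/8 119.0.0.0/8 \
  120.0.0.0/8 121.0.0.0/8 122.0.0.0/8 123.0.0.0/8 124.0.0.0/8 125.0.0.0/8 \
  126.0.0.0/8 127.0.0.0/8 \
  197.0.0.0/8 \
  221.0.0.0/8 222.0.0.0/8 223.0.0.0/8 \
  224.0.0.0/8 225.0.0.0/8 226.0.0.0/8 227.0.0.0/8 228.0.0.0/8 229.0.0.0/8 \
  230.0.0.0/8 231.0.0.0/8 232.0.0.0/8 233.0.0.0/8 234.0.0.0/8 235.0.0.0/8 \
  236.0.0.0/8 237.0.0.0/8 238.0.0.0/8 239.0.0.0/8 \
  240.0.0.0/8 241.0.0.0/8 242.0.0.0/8 243.0.0.0/8 244.0.0.0/8 245.0.0.0/8 \
  246.0.0.0/8 247.0.0.0/8 248.0.0.0/8 249.0.0.0/8 250.0.0.0/8 251.0.0.0/8 \
  252.0.0.0/8 253.0.0.0/8 254.0.0.0/8 255.0.0.0/8"
  #
  # The original passed "-s $NET $NET", an invalid rule, so only the LOG
  # rules were ever added and nothing was dropped; and its
  # "cmd && if [ $? != 0 ]" could never observe a failure.  Stop at the first
  # failing rule and report its status.
  #
  rc=0
  for NET in $RESERVED_NET; do
    $IPTABLES -A CHECK -s "$NET" $log "IANA: " &&
    $IPTABLES -A CHECK -s "$NET" -j LDROP || { rc=$?; break; }
  done
  err=$(testresult $rc)
  i=$?
  echo "Activeren general check chain (2) ... $err"
  #
  # 2.6 BLOCK
  #
  # BLOCK is the target of the "ICQ" rule in 2.10.18, which sends every new
  # connection to an unprivileged port on the Internet side through here.
  # The chain logs and drops a fixed list of ports and ACCEPTs everything
  # else (2.6.3): a deny-list on top of a default allow.
  # NOTE(review): the original used "-i INET_IFACE" (no "$") in both loops
  # below, so they matched a non-existent interface and the deny-list was
  # silently ineffective.  Even with that fixed, a default deny on
  # 1024:65535 with explicit allows is the safer design.
  #
  # 2.6.1 Weigeren van sommige common ports
  #
  common_ports_refused="1080 1984 2000 2049 3128 6000:6063 8080 10000"
  rc=0
  for common_ports in $common_ports_refused; do
    $IPTABLES -A BLOCK -p tcp -i "$INET_IFACE" --dport "$common_ports" -j LOG-INPUT || { rc=$?; break; }
  done
  err=$(testresult $rc)
  i=$?
  echo "Weigeren connectie naar common ports ... $err"
  #
  # 2.6.2 Weigeren van Trojan porten
  #
  # Block Subseven (1.7/1.9) 1243 / 6711:6713
  # Block Backdoor-G and Subseven (2.X) 1999 / 6776 / 27374
  # Block NetBus 12345:12346
  # Block NetBus 2 Pro 20034
  # Block Stacheldraht 16660 / 60001 / 65000
  # Block Back Orifice, Deep BO 31337:31338
  # Block Back Orifice 2K 54320:54321
  # Block Trinity v3 33270
  # Block Trin00 1524 / 27444 / 27665 / 31335
  # Block Cheeseworm 10008
  #
  trojan_ports="1243 6711:6713 1999 6776 27374 12345:12346 20034 16660 60001 \
  65000 31337:31338 54320:54321 33270 1524 27444 27665 31335 10008"
  rc=0
  for trojans in $trojan_ports; do
    $IPTABLES -A BLOCK -p tcp -i "$INET_IFACE" --dport "$trojans" -j LOG-INPUT || { rc=$?; break; }
  done
  err=$(testresult $rc)
  i=$?
  echo "Blokkeer Trojans ... $err"
  #
  # 2.6.3 Everything not listed above is allowed through BLOCK.
  #
  $IPTABLES -A BLOCK -j ACCEPT
  #
  # 2.7 PREROUTING
  #
  echo
  #
  # 2.7.1 Setting default policies.  (The original used "-p", which is
  # --protocol; the policy option is "-P".)
  #
  $IPTABLES -t nat -P PREROUTING ACCEPT
  err=$(testresult $?)
  i=$?
  echo "Zetten van standaard PREROUTING ... $err"
  #
  # 2.7.4 Example port-forward to $MASQ_IP, see also the FORWARD section
  # (2.8.7).  Only active when $abnamro_net (1.6) is non-empty.
  # (The original used the undefined $path_iptables and $ext_ip.)
  #
  rc=0
  for net in $abnamro_net; do
    $IPTABLES -t nat -A PREROUTING -p tcp -i "$INET_IFACE" -s "$net" -d "$INET_IP" --dport 1025:1500 -j DNAT --to "$MASQ_IP" || { rc=$?; break; }
  done
  err=$(testresult $rc)
  i=$?
  echo "PREROUTING - ABNAMRO - homenet ... $err"
  #
  # 2.7.5 Set the TOS field of packets passing through the firewall
  #
  $IPTABLES -t mangle -A PREROUTING -p tcp --dport 20 -j TOS --set-tos Maximize-Throughput &&
  $IPTABLES -t mangle -A PREROUTING -p tcp --dport 21 -j TOS --set-tos Minimize-Delay &&
  $IPTABLES -t mangle -A PREROUTING -p tcp --dport 22 -j TOS --set-tos Minimize-Delay &&
  $IPTABLES -t mangle -A PREROUTING -p tcp --dport 23 -j TOS --set-tos Minimize-Delay &&
  $IPTABLES -t mangle -A PREROUTING -p tcp --dport 25 -j TOS --set-tos Minimize-Delay &&
  $IPTABLES -t mangle -A PREROUTING -p tcp --dport 53 -j TOS --set-tos Minimize-Delay &&
  $IPTABLES -t mangle -A PREROUTING -p tcp --dport 67 -j TOS --set-tos Minimize-Delay &&
  $IPTABLES -t mangle -A PREROUTING -p tcp --dport 80 -j TOS --set-tos Maximize-Throughput &&
  $IPTABLES -t mangle -A PREROUTING -p tcp --dport 110 -j TOS --set-tos Maximize-Throughput &&
  $IPTABLES -t mangle -A PREROUTING -p tcp --dport 113 -j TOS --set-tos Minimize-Delay &&
  $IPTABLES -t mangle -A PREROUTING -p tcp --dport 123 -j TOS --set-tos Minimize-Delay &&
  $IPTABLES -t mangle -A PREROUTING -p tcp --dport 143 -j TOS --set-tos Maximize-Throughput &&
  $IPTABLES -t mangle -A PREROUTING -p tcp --dport 443 -j TOS --set-tos Maximize-Throughput &&
  $IPTABLES -t mangle -A PREROUTING -p tcp --dport 993 -j TOS --set-tos Maximize-Throughput &&
  $IPTABLES -t mangle -A PREROUTING -p tcp --dport 995 -j TOS --set-tos Maximize-Throughput &&
  $IPTABLES -t mangle -A PREROUTING -p tcp --dport 1080 -j TOS --set-tos Minimize-Delay &&
  $IPTABLES -t mangle -A PREROUTING -p tcp --dport 6000:6063 -j TOS --set-tos Maximize-Throughput
  err=$(testresult $?)
  i=$?
  echo "MANGLE - TOS PREROUTING ... $err"
  #
  # 2.8 FORWARDING
  #
  echo
  #
  # 2.8.1 Set the default policy
  #
  $IPTABLES -P FORWARD DROP
  err=$(testresult $?)
  i=$?
  echo "Zetten van default policy FORWARD ... $err"
  #
  # 2.8.2 Besides the MTU there is another way to set the maximum size, the
  # Maximum Segment Size.  This is a field in the TCP options of a SYN
  # packet.  By setting the MSS you tell the remote side unequivocally "do
  # not ever send me packets bigger than this value"; no ICMP traffic is
  # needed for it to work.  Requires at least iptables-1.2.1a and Linux
  # 2.4.3.
  #
  $IPTABLES -A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
  #
  # 2.8.3 Log and drop suspicious packets first.  (The original left a
  # trailing "&&" here, so testresult only ran when the rule succeeded.)
  #
  $IPTABLES -A FORWARD -i "$INET_IFACE" -j CHECK
  err=$(testresult $?)
  i=$?
  echo "Activeren general check FORWARD ... $err"
  #
  # 2.8.4 Allow forwarding of all protocols incoming on the external
  # interface to the LAN if the connection was initiated by the LAN
  #
  $IPTABLES -A FORWARD -i "$INET_IFACE" -m state --state ESTABLISHED,RELATED -j ACCEPT
  #
  # 2.8.5 Allow forwarding of all protocols incoming on the local interface
  # coming from the local network
  #
  $IPTABLES -A FORWARD -i "$LAN_IFACE" -o "$INET_IFACE" -s "$LAN_IP_RANGE" -j ACCEPT
  #
  # 2.8.6 Example port-forwarding rule, enable the matching rule in the
  # PREROUTING section as well
  #
  $IPTABLES -A FORWARD -p tcp -i "$INET_IFACE" -o "$LAN_IFACE" -d "$MASQ_IP" --dport 21 -m state --state NEW -j ACCEPT
  #
  # 2.8.7 ABN-AMRO Homenet (only active when $abnamro_net is non-empty)
  #
  rc=0
  for net in $abnamro_net; do
    $IPTABLES -A FORWARD -p tcp -i "$INET_IFACE" -s "$net" --sport ftp-data -d "$MASQ_IP" --dport 1025:1500 -m state --state NEW -j ACCEPT || { rc=$?; break; }
  done
  err=$(testresult $rc)
  i=$?
  echo "FORWARD - ABNAMRO homenet ... $err"
  #
  # 2.9 INPUT
  #
  echo
  #
  # 2.9.1 Setting default policy
  #
  $IPTABLES -P INPUT DROP
  err=$(testresult $?)
  i=$?
  echo "Setting default policy INPUT ... $err"
  #
  # 2.9.2 Log and drop suspicious packets first
  #
  $IPTABLES -A INPUT -i "$INET_IFACE" -j CHECK
  err=$(testresult $?)
  i=$?
  echo "Activeren general check INPUT ... $err"
  #
  # 2.9.3 Loopback
  #
  $IPTABLES -A INPUT -i "$LO_IFACE" -j ACCEPT
  #
  # 2.9.4 DHCP on the external interface.
  # NOTE(review): the first rule accepts DHCP *requests* (client port ->
  # server port) arriving from the Internet side, which is only needed if
  # this host serves DHCP on $INET_IFACE; a DHCP client needs the second
  # rule only.  Confirm which is intended.
  #
  $IPTABLES -A INPUT -p udp -i "$INET_IFACE" --sport bootpc --dport bootps -j ACCEPT
  $IPTABLES -A INPUT -p udp -i "$INET_IFACE" --sport bootps --dport bootpc -j ACCEPT
  #
  # 2.10 INPUT External
  #
  echo
  #
  # 2.10.1 Accept incoming packets on the external interface that belong to
  # connections made by the server
  #
  $IPTABLES -A INPUT -i "$INET_IFACE" -d "$INET_IP" -m state --state ESTABLISHED,RELATED -j ACCEPT
  #
  # 2.10.2 Drop new connections not started with a SYN packet
  #
  $IPTABLES -A INPUT -p tcp -i "$INET_IFACE" -d "$INET_IP" -m state --state NEW ! --syn -j LDROP
  #
  # 2.10.3 FTP incoming
  #
  $IPTABLES -A INPUT -p tcp -i "$INET_IFACE" -d "$INET_IP" --dport ftp -m state --state NEW -j ACCEPT
  err=$(testresult $?)
  i=$?
  echo "EXT -FTP ... $err"
  #
  # 2.10.4 SSH Incoming
  #
  $IPTABLES -A INPUT -p tcp -i "$INET_IFACE" -d "$INET_IP" --dport ssh -m state --state NEW -j ACCEPT
  err=$(testresult $?)
  i=$?
  echo "EXT - SSH ... $err"
  #
  # 2.10.5 TELNET Incoming
  #
  # $IPTABLES -A INPUT -p tcp -i "$INET_IFACE" -d "$INET_IP" --dport telnet -m state --state NEW -j ACCEPT
  # err=$(testresult $?)
  # i=$?
  # echo "EXT - TELNET ... $err"
  #
  # 2.10.6 SMTP Incoming
  #
  $IPTABLES -A INPUT -p tcp -i "$INET_IFACE" -d "$INET_IP" --dport smtp -m state --state NEW -j ACCEPT
  err=$(testresult $?)
  i=$?
  echo "EXT - SMTP ... $err"
  #
  # 2.10.7 HTTP Incoming when running own Webserver
  #
  # $IPTABLES -A INPUT -p tcp -i "$INET_IFACE" -d "$INET_IP" --dport http -m state --state NEW -j ACCEPT
  # err=$(testresult $?)
  # i=$?
  # echo "EXT - HTTP ... $err"
  #
  # 2.10.8 DNS Incoming when running own DNS server
  #
  # $IPTABLES -A INPUT -p tcp -i "$INET_IFACE" -d "$INET_IP" --dport domain -m state --state NEW -j ACCEPT
  # err=$(testresult $?)
  # i=$?
  # echo "EXT - DNS ... $err"
  #
  # 2.10.9 POP3 Incoming when running own pop3 server
  #
  # $IPTABLES -A INPUT -p tcp -i "$INET_IFACE" -d "$INET_IP" --dport pop3 -m state --state NEW -j ACCEPT
  # err=$(testresult $?)
  # i=$?
  # echo "EXT - POP3 ... $err"
  #
  # 2.10.10 AUTH Incoming when running own ident-server
  #
  # $IPTABLES -A INPUT -p tcp -i "$INET_IFACE" -d "$INET_IP" --dport auth -m state --state NEW -j ACCEPT
  # err=$(testresult $?)
  # i=$?
  # echo "EXT - AUTH ... $err"
  #
  # 2.10.11 When you're not running an ident server, reject AUTH with a
  # TCP reset so remote mail/irc servers do not wait for a timeout
  #
  $IPTABLES -A INPUT -p tcp -i "$INET_IFACE" -d "$INET_IP" --dport auth -m state --state NEW -j REJECT --reject-with tcp-reset
  err=$(testresult $?)
  i=$?
  echo "EXT - reject AUTH ... $err"
  #
  # 2.10.12 IMAP Incoming when running own IMAP-Server
  #
  # $IPTABLES -A INPUT -p tcp -i "$INET_IFACE" -d "$INET_IP" --dport imap -m state --state NEW -j ACCEPT
  # err=$(testresult $?)
  # i=$?
  # echo "EXT - IMAP ... $err"
  #
  # 2.10.13 HTTPS Incoming when running own HTTPS server
  #
  # $IPTABLES -A INPUT -p tcp -i "$INET_IFACE" -d "$INET_IP" --dport https -m state --state NEW -j ACCEPT
  # err=$(testresult $?)
  # i=$?
  # echo "EXT - HTTP Secure ... $err"
  #
  # 2.10.14 IMAP SSL Incoming when running own IMAP server with SSL
  #
  # $IPTABLES -A INPUT -p tcp -i "$INET_IFACE" -d "$INET_IP" --dport imaps -m state --state NEW -j ACCEPT
  # err=$(testresult $?)
  # i=$?
  # echo "EXT - IMAP Secure ... $err"
  #
  # 2.10.15 POP3 SSL Incoming when running own server with SSL
  #
  # $IPTABLES -A INPUT -p tcp -i "$INET_IFACE" -d "$INET_IP" --dport pop3s -m state --state NEW -j ACCEPT
  # err=$(testresult $?)
  # i=$?
  # echo "EXT - POP3 Secure ... $err"
  #
  # 2.10.16 VNC Incoming when running own VNC server (port from $VNC_PORT,
  # the original hard-coded 5901 here).
  # NOTE(review): this exposes the VNC server to the whole Internet; limit
  # it with "-s <trusted network>" or reach VNC through the SSH rule above.
  #
  $IPTABLES -A INPUT -p tcp -i "$INET_IFACE" -d "$INET_IP" --dport "$VNC_PORT" -m state --state NEW -j ACCEPT
  err=$(testresult $?)
  i=$?
  echo "EXT - VNC ... $err"
  #
  # 2.10.17 WEBMIN Incoming when running own WEBMIN Server
  #
  # $IPTABLES -A INPUT -p tcp -i "$INET_IFACE" -d "$INET_IP" --dport 10000 -m state --state NEW -j ACCEPT
  # err=$(testresult $?)
  # i=$?
  # echo "EXT - WEBMIN ... $err"
  #
  # 2.10.18 ICQ incoming: every new connection from an unprivileged port to
  # an unprivileged port is handed to BLOCK (2.6), which drops only the
  # listed ports and accepts the rest.
  #
  $IPTABLES -A INPUT -p tcp -i "$INET_IFACE" --sport "$UNPRIVPORTS" -d "$INET_IP" --dport "$UNPRIVPORTS" -m state --state NEW -j BLOCK
  err=$(testresult $?)
  i=$?
  echo "EXT - ICQ-filetransfer all ... Caution, opens ALL unpriv_ports !!! ... $err"
  #
  # 2.11 INPUT Local
  #
  echo
  #
  # 2.11.1 Accept packets from our subnet on any non-Internet interface; we
  # trust the local network (LAN).  "-i ! IFACE" is the old iptables
  # negation syntax; current releases expect "! -i IFACE".
  #
  $IPTABLES -A INPUT -i ! "$INET_IFACE" -s "$LAN_IP_RANGE" -j ACCEPT
  err=$(testresult $?)
  i=$?
  echo "LOCAL - TOTAL LAN ... $err"
  #
  # 2.11.2 Accept incoming packets on the local interface that belong to
  # connections made by the server
  #
  $IPTABLES -A INPUT -i "$LAN_IFACE" -s "$LAN_IP_RANGE" -d "$LAN_IP" -m state --state ESTABLISHED,RELATED -j ACCEPT
  #
  # 2.11.3 ICMP incoming local (echo request, rate limited)
  #
  $IPTABLES -A INPUT -p icmp --icmp-type 8 -i "$LAN_IFACE" -s "$LAN_IP_RANGE" -d "$LAN_IP" -m state --state NEW $limit1 -j ACCEPT
  err=$(testresult $?)
  i=$?
  echo "LOCAL - accept incoming pings ... $err"
  #
  # 2.11.4 UDP incoming local
  #
  $IPTABLES -A INPUT -p udp -i "$LAN_IFACE" -s "$LAN_IP_RANGE" -m state --state NEW -j ACCEPT
  err=$(testresult $?)
  i=$?
  echo "LOCAL - UDP accept ... $err"
  #
  # 2.11.5 FTP Incoming - open port 21 (active and passive)
  #
  $IPTABLES -A INPUT -p tcp -i "$LAN_IFACE" -s "$LAN_IP_RANGE" -d "$LAN_IP" --dport ftp -m state --state NEW -j ACCEPT
  err=$(testresult $?)
  i=$?
  echo "LOCAL - FTP ... $err"
  #
  # 2.11.6 SSH Incoming local.  (The original passed "-i $LAN_IP", an IP
  # address where an interface name belongs, so this rule never loaded.)
  #
  $IPTABLES -A INPUT -p tcp -i "$LAN_IFACE" -s "$LAN_IP_RANGE" -d "$LAN_IP" --dport ssh -m state --state NEW -j ACCEPT
  err=$(testresult $?)
  i=$?
  echo "LOCAL - SSH ... $err"
  #
  # 2.11.7 TELNET Incoming local
  #
  # $IPTABLES -A INPUT -p tcp -i "$LAN_IFACE" -s "$LAN_IP_RANGE" -d "$LAN_IP" --dport telnet -m state --state NEW -j ACCEPT
  # err=$(testresult $?)
  # i=$?
  # echo "LOCAL - TELNET ... $err"
  #
  # 2.11.8 SMTP Incoming local
  #
  $IPTABLES -A INPUT -p tcp -i "$LAN_IFACE" -s "$LAN_IP_RANGE" -d "$LAN_IP" --dport smtp -m state --state NEW -j ACCEPT
  err=$(testresult $?)
  i=$?
  echo "LOCAL - SMTP ... $err"
  #
  # 2.11.9 DNS Incoming local when running own DNS - Server
  #
  # $IPTABLES -A INPUT -p tcp -i "$LAN_IFACE" -s "$LAN_IP_RANGE" -d "$LAN_IP" --dport domain -m state --state NEW -j ACCEPT
  # err=$(testresult $?)
  # i=$?
  # echo "LOCAL - DNS ... $err"
  #
  # 2.11.10 HTTP Incoming local when running own Webserver
  #
  # $IPTABLES -A INPUT -p tcp -i "$LAN_IFACE" -s "$LAN_IP_RANGE" -d "$LAN_IP" --dport http -m state --state NEW -j ACCEPT
  # err=$(testresult $?)
  # i=$?
  # echo "LOCAL - HTTP ... $err"
  #
  # 2.11.11 POP3 Incoming local when running own POP3 Server
  #
  # $IPTABLES -A INPUT -p tcp -i "$LAN_IFACE" -s "$LAN_IP_RANGE" -d "$LAN_IP" --dport pop3 -m state --state NEW -j ACCEPT
  # err=$(testresult $?)
  # i=$?
  # echo "LOCAL - POP3 ... $err"
  #
  # 2.11.12 Portmapper Incoming local when running NFS -server
  #
  # $IPTABLES -A INPUT -p tcp -i "$LAN_IFACE" -s "$LAN_IP_RANGE" -d "$LAN_IP" --dport portmapper -m state --state NEW -j ACCEPT
  # err=$(testresult $?)
  # i=$?
  # echo "LOCAL - PORTMAPPER ... $err"
  #
  # 2.11.13 NETBIOS-NS Incoming Local
  #
  $IPTABLES -A INPUT -p tcp -i "$LAN_IFACE" -s "$LAN_IP_RANGE" -d "$LAN_IP" --dport netbios-ns -m state --state NEW -j ACCEPT
  err=$(testresult $?)
  i=$?
  echo "LOCAL - NETBIOS-NS ... $err"
  #
  # 2.11.14 NETBIOS-DGM Incoming local
  #
  $IPTABLES -A INPUT -p tcp -i "$LAN_IFACE" -s "$LAN_IP_RANGE" -d "$LAN_IP" --dport netbios-dgm -m state --state NEW -j ACCEPT
  err=$(testresult $?)
  i=$?
  echo "LOCAL - NETBIOS-DGM ... $err"
  #
  # 2.11.15 NETBIOS-SSN Incoming local
  #
  $IPTABLES -A INPUT -p tcp -i "$LAN_IFACE" -s "$LAN_IP_RANGE" -d "$LAN_IP" --dport netbios-ssn -m state --state NEW -j ACCEPT
  err=$(testresult $?)
  i=$?
  echo "LOCAL - NETBIOS-SSN ... $err"
  #
  # 2.11.16 IMAP Incoming local when running own IMAP Server
  #
  # $IPTABLES -A INPUT -p tcp -i "$LAN_IFACE" -s "$LAN_IP_RANGE" -d "$LAN_IP" --dport imap -m state --state NEW -j ACCEPT
  # err=$(testresult $?)
  # i=$?
  # echo "LOCAL - IMAP ... $err"
  #
  # 2.11.17 HTTPS Incoming local when running own HTTPS Server
  #
  # $IPTABLES -A INPUT -p tcp -i "$LAN_IFACE" -s "$LAN_IP_RANGE" -d "$LAN_IP" --dport https -m state --state NEW -j ACCEPT
  # err=$(testresult $?)
  # i=$?
  # echo "LOCAL - HTTP Secure ... $err"
  #
  # 2.11.18 SWAT (Samba Web Administration Tool) Incoming local
  #
  # $IPTABLES -A INPUT -p tcp -i "$LAN_IFACE" -s "$LAN_IP_RANGE" -d "$LAN_IP" --dport swat -m state --state NEW -j ACCEPT
  # err=$(testresult $?)
  # i=$?
  # echo "LOCAL - SWAT ... $err"
  #
  # 2.11.19 IMAP SSL Incoming Local
  #
  # $IPTABLES -A INPUT -p tcp -i "$LAN_IFACE" -s "$LAN_IP_RANGE" -d "$LAN_IP" --dport imaps -m state --state NEW -j ACCEPT
  # err=$(testresult $?)
  # i=$?
  # echo "LOCAL - IMAP Secure ... $err"
  #
  # 2.11.20 POP3 SSL Incoming local
  #
  # $IPTABLES -A INPUT -p tcp -i "$LAN_IFACE" -s "$LAN_IP_RANGE" -d "$LAN_IP" --dport pop3s -m state --state NEW -j ACCEPT
  # err=$(testresult $?)
  # i=$?
  # echo "LOCAL - POP3 Secure ... $err"
  #
  # 2.11.21 SOCKS Incoming local
  #
  # $IPTABLES -A INPUT -p tcp -i "$LAN_IFACE" -s "$LAN_IP_RANGE" -d "$LAN_IP" --dport socks -m state --state NEW -j ACCEPT
  # err=$(testresult $?)
  # i=$?
  # echo "LOCAL - SOCKS ... $err"
  #
  # 2.11.22 SQUID Incoming local
  #
  # $IPTABLES -A INPUT -p tcp -i "$LAN_IFACE" -s "$LAN_IP_RANGE" -d "$LAN_IP" --dport 3128 -m state --state NEW -j ACCEPT
  # err=$(testresult $?)
  # i=$?
  # echo "LOCAL - SQUID ... $err"
  #
  # 2.11.23 VNC Incoming local (port from $VNC_PORT)
  #
  $IPTABLES -A INPUT -p tcp -i "$LAN_IFACE" -s "$LAN_IP_RANGE" -d "$LAN_IP" --dport "$VNC_PORT" -m state --state NEW -j ACCEPT
  err=$(testresult $?)
  i=$?
  echo "LOCAL - VNC ... $err"
  #
  # 2.11.24 WEBMIN Incoming local
  #
  # $IPTABLES -A INPUT -p tcp -i "$LAN_IFACE" -s "$LAN_IP_RANGE" -d "$LAN_IP" --dport 10000 -m state --state NEW -j ACCEPT
  # err=$(testresult $?)
  # i=$?
  # echo "LOCAL - WEBMIN ... $err"
  #
  # 2.11.25 Make sure clients can reach their own server on the external IP
  # address
  #
  $IPTABLES -A INPUT -p tcp -i "$LAN_IFACE" -s "$LAN_IP_RANGE" -d "$INET_IP" -j ACCEPT
  #
  # 2.12 OUTPUT
  #
  echo
  #
  # 2.12.1 Setting default policy
  #
  $IPTABLES -P OUTPUT DROP
  err=$(testresult $?)
  i=$?
  echo "Setting default policy OUTPUT ... $err"
  #
  # 2.12.2 Log and drop suspicious packets first (see the note in 2.5.9
  # about a private $INET_IP)
  #
  $IPTABLES -A OUTPUT -o "$INET_IFACE" -j CHECK
  err=$(testresult $?)
  i=$?
  echo "Activeren general check OUTPUT ... $err"
  #
  # 2.12.3 Loopback
  #
  $IPTABLES -A OUTPUT -o "$LO_IFACE" -j ACCEPT
  #
  # 2.12.4 DHCP (server -> client direction on both interfaces)
  #
  $IPTABLES -A OUTPUT -p udp -o "$LAN_IFACE" --sport bootps --dport bootpc -j ACCEPT
  $IPTABLES -A OUTPUT -p udp -o "$INET_IFACE" --sport bootps --dport bootpc -j ACCEPT
  #
  # 2.13 OUTPUT EXTERNAL
  #
  echo
  #
  # 2.13.1 Accept outgoing packets on the external interface that belong to
  # connections made by the outside world
  #
  $IPTABLES -A OUTPUT -o "$INET_IFACE" -s "$INET_IP" -m state --state ESTABLISHED,RELATED -j ACCEPT
  #
  # 2.13.2 ICMP outgoing (echo request)
  #
  $IPTABLES -A OUTPUT -p icmp --icmp-type 8 -o "$INET_IFACE" -s "$INET_IP" -m state --state NEW -j ACCEPT
  err=$(testresult $?)
  i=$?
  echo "EXT - accept outgoing pings ... $err"
  #
  # 2.13.3 DNS Outgoing (UDP only; large answers that fall back to TCP rely
  # on the general rule in 2.13.8)
  #
  $IPTABLES -A OUTPUT -p udp -o "$INET_IFACE" -s "$INET_IP" --dport domain -m state --state NEW -j ACCEPT
  err=$(testresult $?)
  i=$?
  echo "EXT - allow outgoing dns queries ... $err"
  #
  # 2.13.4 NTP Outgoing
  #
  $IPTABLES -A OUTPUT -p udp -o "$INET_IFACE" -s "$INET_IP" --dport ntp -m state --state NEW -j ACCEPT
  err=$(testresult $?)
  i=$?
  echo "EXT - NTP ... $err"
  #
  # 2.13.5 SMTP Outgoing
  #
  $IPTABLES -A OUTPUT -p tcp -o "$INET_IFACE" -s "$INET_IP" --dport smtp -m state --state NEW -j ACCEPT
  err=$(testresult $?)
  i=$?
  echo "EXT - SMTP outgoing ... $err"
  #
  # 2.13.6 AUTH Outgoing.  (The original used the undefined $path_iptables
  # here, so the rule never loaded.)
  #
  $IPTABLES -A OUTPUT -p tcp -o "$INET_IFACE" -s "$INET_IP" --sport auth -m state --state NEW -j ACCEPT
  err=$(testresult $?)
  i=$?
  echo "EXT - AUTH outgoing ... $err"
  #
  # 2.13.7 AUTH not Outgoing
  #
  # $IPTABLES -A OUTPUT -p tcp -o "$INET_IFACE" -s "$INET_IP" --sport auth -j REJECT --reject-with tcp-reset
  # err=$(testresult $?)
  # i=$?
  # echo "EXT - reject AUTH outgoing ... $err"
  #
  # 2.13.8 GENERAL Outgoing: any new tcp/udp connection from an
  # unprivileged source port.  This makes the per-service rules above
  # redundant for the external side; keep it in mind when auditing what
  # this host may initiate.
  #
  $IPTABLES -A OUTPUT -p udp -o "$INET_IFACE" -s "$INET_IP" --sport "$UNPRIVPORTS" -m state --state NEW -j ACCEPT
  $IPTABLES -A OUTPUT -p tcp -o "$INET_IFACE" -s "$INET_IP" --sport "$UNPRIVPORTS" -m state --state NEW -j ACCEPT
  #
  # 2.14 OUTPUT Local
  #
  echo
  #
  # 2.14.1 Accept outgoing packets on any non-Internet interface towards the
  # LAN (old negation syntax, see 2.11.1)
  #
  $IPTABLES -A OUTPUT -o ! "$INET_IFACE" -d "$LAN_IP_RANGE" -j ACCEPT
  err=$(testresult $?)
  i=$?
  echo "LOCAL - TOTAL LAN outgoing ... $err"
  #
  # 2.14.2 ICMP Outgoing
  #
  $IPTABLES -A OUTPUT -p icmp --icmp-type 8 -o "$LAN_IFACE" -s "$LAN_IP" -m state --state NEW -j ACCEPT
  err=$(testresult $?)
  i=$?
  echo "LOCAL - accept outgoing pings ... $err"
  #
  # 2.14.3 DNS local outgoing.
  # NOTE(review): "--sport domain" matches answers sent by a DNS server on
  # this host, not queries from it; if this host queries a LAN resolver,
  # "--dport domain" is what the status text describes.  Confirm intent.
  #
  $IPTABLES -A OUTPUT -p udp -o "$LAN_IFACE" -s "$LAN_IP" -d "$LAN_IP_RANGE" --sport domain -m state --state NEW -j ACCEPT
  err=$(testresult $?)
  i=$?
  echo "LOCAL - allow outgoing dns queries ... $err"
  #
  # 2.14.4 Netbios local communications.  (The original left a trailing
  # "&&" on the second rule, so testresult only ran on success.)
  #
  $IPTABLES -A OUTPUT -p udp -o "$LAN_IFACE" -s "$LAN_IP" -d "$LAN_IP_RANGE" --dport netbios-ns -m state --state NEW -j ACCEPT &&
  $IPTABLES -A OUTPUT -p udp -o "$LAN_IFACE" -s "$LAN_IP" -d "$LAN_IP_RANGE" --dport netbios-dgm -m state --state NEW -j ACCEPT
  err=$(testresult $?)
  i=$?
  echo "LOCAL - allow local netbios communication ... $err"
  #
  # 2.14.5 Making connections to client shares via samba
  #
  $IPTABLES -A OUTPUT -p tcp -o "$LAN_IFACE" -s "$LAN_IP" -d "$LAN_IP_RANGE" --dport netbios-ssn -m state --state NEW -j ACCEPT
  err=$(testresult $?)
  i=$?
  echo "LOCAL - NETBIOS-SSN outgoing ... $err"
  #
  # 2.14.6 AUTH Outgoing
  #
  $IPTABLES -A OUTPUT -p tcp -o "$LAN_IFACE" -s "$LAN_IP" -d "$LAN_IP_RANGE" --dport auth -j ACCEPT
  err=$(testresult $?)
  i=$?
  echo "LOCAL - AUTH outgoing ... $err"
  #
  # 2.14.7 AUTH Not Outgoing
  #
  # $IPTABLES -A OUTPUT -p tcp -o "$LAN_IFACE" -s "$LAN_IP" -d "$LAN_IP_RANGE" --dport auth -j REJECT --reject-with tcp-reset
  # err=$(testresult $?)
  # i=$?
  # echo "LOCAL - reject AUTH outgoing ... $err"
  #
  # 2.14.8 Make sure clients can reach their own server on the external IP
  # address
  #
  $IPTABLES -A OUTPUT -p tcp -o "$LAN_IFACE" -s "$INET_IP" -d "$LAN_IP_RANGE" -j ACCEPT
  #
  # 2.15 MANGLE OUTPUT
  #
  echo
  #
  # 2.15.1 Setting default policy
  #
  $IPTABLES -t mangle -P OUTPUT ACCEPT
  err=$(testresult $?)
  i=$?
  echo "Setting default policy MANGLE-OUTPUT ... $err"
  #
  # TOS table
  # Options:
  # Normal-Service = 0 (0x00)
  # Minimize-Cost = 2 (0x02)
  # Maximize-Reliability = 4 (0x04)
  # Maximize-Throughput = 8 (0x08)
  # Minimize-Delay = 16 (0x10)
  #
  # ToS: Client Applications; data => tos_client
  # Most of these are the RFC 1060/1349 suggested TOS values, yours might vary.
  # To view the mangle table, type: iptables -L -t mangle
  #
  # 2.15.2 Mangle values of packets created locally
  #
  $IPTABLES -t mangle -A OUTPUT -p tcp --dport 20 -j TOS --set-tos Maximize-Throughput &&
  $IPTABLES -t mangle -A OUTPUT -p tcp --dport 21 -j TOS --set-tos Minimize-Delay &&
  $IPTABLES -t mangle -A OUTPUT -p tcp --dport 22 -j TOS --set-tos Minimize-Delay &&
  $IPTABLES -t mangle -A OUTPUT -p tcp --dport 23 -j TOS --set-tos Minimize-Delay &&
  $IPTABLES -t mangle -A OUTPUT -p tcp --dport 25 -j TOS --set-tos Minimize-Delay &&
  $IPTABLES -t mangle -A OUTPUT -p udp --dport 53 -j TOS --set-tos Minimize-Delay &&
  $IPTABLES -t mangle -A OUTPUT -p tcp --dport 67 -j TOS --set-tos Minimize-Delay &&
  $IPTABLES -t mangle -A OUTPUT -p tcp --dport 80 -j TOS --set-tos Maximize-Throughput &&
  $IPTABLES -t mangle -A OUTPUT -p tcp --dport 110 -j TOS --set-tos Maximize-Throughput &&
  $IPTABLES -t mangle -A OUTPUT -p tcp --dport 113 -j TOS --set-tos Minimize-Delay &&
  $IPTABLES -t mangle -A OUTPUT -p tcp --dport 123 -j TOS --set-tos Minimize-Delay &&
  $IPTABLES -t mangle -A OUTPUT -p tcp --dport 143 -j TOS --set-tos Maximize-Throughput &&
  $IPTABLES -t mangle -A OUTPUT -p tcp --dport 443 -j TOS --set-tos Maximize-Throughput &&
  $IPTABLES -t mangle -A OUTPUT -p tcp --dport 993 -j TOS --set-tos Maximize-Throughput &&
  $IPTABLES -t mangle -A OUTPUT -p tcp --dport 995 -j TOS --set-tos Maximize-Throughput &&
  $IPTABLES -t mangle -A OUTPUT -p tcp --dport 1080 -j TOS --set-tos Minimize-Delay &&
  $IPTABLES -t mangle -A OUTPUT -p tcp --dport 6000:6063 -j TOS --set-tos Maximize-Throughput
  err=$(testresult $?)
  i=$?
  echo "MANGLE - TOS OUTPUT ... $err"
  #
  # 2.15.3 Mark outgoing packets for traffic shaping (optional)
  #
  $IPTABLES -t mangle -I OUTPUT -m length --length 0:500 -j MARK --set-mark 1
  $IPTABLES -t mangle -I OUTPUT -m length --length 500:1500 -j MARK --set-mark 2
  #
  # 2.16 POSTROUTING
  #
  echo
  #
  # 2.16.1 Setting default policies
  #
  $IPTABLES -t nat -P POSTROUTING ACCEPT
  err=$(testresult $?)
  i=$?
  echo "Setting default policy POSTROUTING ... $err"
  #
  # 2.16.2 Change source addresses to the external IP; packets leave the
  # firewall with the external IP!
  #
  $IPTABLES -t nat -A POSTROUTING -o "$INET_IFACE" -j SNAT --to "$INET_IP"
  err=$(testresult $?)
  i=$?
  echo "Enable SOURCE NAT ... $err"
  #
  # 2.17 LOG-FORWARD
  #
  echo
  #
  # 2.17.1 All remaining packets in the FORWARD chain are logged, then dropped
  #
  $IPTABLES -A FORWARD -j LOG-FORWARD
  $IPTABLES -A LOG-FORWARD -p tcp $limit2 $log "TCP_Dropped_F: "
  $IPTABLES -A LOG-FORWARD -p udp $limit2 $log "UDP_Dropped_F: "
  $IPTABLES -A LOG-FORWARD -p icmp $limit2 $log "ICMP_Dropped_F: "
  $IPTABLES -A LOG-FORWARD -f $limit2 $log "FRAGMENT_Dropped_F: "
  $IPTABLES -A LOG-FORWARD -j LDROP
  #
  # 2.18 LOG-INPUT
  #
  echo
  #
  # 2.18.1 All remaining packets in the INPUT chain are logged, then dropped
  #
  $IPTABLES -A INPUT -j LOG-INPUT
  $IPTABLES -A LOG-INPUT -p tcp $limit2 $log "TCP_Dropped_I: "
  $IPTABLES -A LOG-INPUT -p udp $limit2 $log "UDP_Dropped_I: "
  $IPTABLES -A LOG-INPUT -p icmp $limit2 $log "ICMP_Dropped_I: "
  $IPTABLES -A LOG-INPUT -f $limit2 $log "FRAGMENT_Dropped_I: "
  $IPTABLES -A LOG-INPUT -j LDROP
  #
  # 2.19 LOG-OUTPUT
  #
  echo
  #
  # 2.19.1 All remaining packets in the OUTPUT chain are logged, then dropped
  #
  $IPTABLES -A OUTPUT -j LOG-OUTPUT
  $IPTABLES -A LOG-OUTPUT -p tcp $limit2 $log "TCP_Dropped_O: "
  $IPTABLES -A LOG-OUTPUT -p udp $limit2 $log "UDP_Dropped_O: "
  $IPTABLES -A LOG-OUTPUT -p icmp $limit2 $log "ICMP_Dropped_O: "
  $IPTABLES -A LOG-OUTPUT -f $limit2 $log "FRAGMENT_Dropped_O: "
  $IPTABLES -A LOG-OUTPUT -j LDROP
  #
  # 2.20 LDROP
  #
  echo
  #
  # 2.20.1 Terminal chain: everything sent here is dropped (logging, where
  # wanted, happens in the chain that jumps to LDROP).
  #
  $IPTABLES -A LDROP -j DROP
  echo
  #
  # Summary.  $i is the total of all non-zero statuses reported above (as
  # returned by testresult); anything above zero means at least one rule or
  # setting did not load and the rule set is incomplete.
  #
  if [ "$i" -gt 0 ]; then
    echo "Firewall error" >> /var/log/messages
    printf '%s \033[40m\033[1;31mErrors detected in bringing up firewall!\033[0m\n' "$datum" | tee -a /var/log/messages
    printf '%s \033[40m\033[1;31mCheck your configuration.\033[0m\n' "$datum" | tee -a /var/log/messages
  else
    printf '%s \033[40m\033[1;32mFirewall is up without errors!\033[0m\n' "$datum" | tee -a /var/log/messages
    echo
  fi
  ;;
###############################################################################
###############################################################################
stop)
  # Fail-open by design: flushes every table and resets all policies to
  # ACCEPT, so the host is unfiltered until "start" runs again.
  echo
  datum=$(date +'%b %d %k:%M:%S')
  echo "$datum Shutting down firewall and masquerading" | tee -a /var/log/messages
  echo "$datum WARNING: YOUR MACHINE IS NOW OPEN FOR ATTACKS!!!" | tee -a /var/log/messages
  echo
  #
  # 3.1 Remove all existing rules belonging to this filter
  #
  $IPTABLES -F
  $IPTABLES -t nat -F
  $IPTABLES -t mangle -F
  #
  # 3.2 Delete all user-defined chains of this filter (must follow the
  #     flush; a chain that is still referenced cannot be deleted)
  #
  $IPTABLES -X
  $IPTABLES -t nat -X
  $IPTABLES -t mangle -X
  #
  # 3.3 Reset the default policies to ACCEPT.
  #
  $IPTABLES -P INPUT ACCEPT
  $IPTABLES -P OUTPUT ACCEPT
  $IPTABLES -P FORWARD ACCEPT
  $IPTABLES -t nat -P POSTROUTING ACCEPT
  $IPTABLES -t nat -P PREROUTING ACCEPT
  $IPTABLES -t mangle -P OUTPUT ACCEPT
  $IPTABLES -t mangle -P PREROUTING ACCEPT
  ;;
###############################################################################
###############################################################################
status)
  # Lists the filter table only; add "-t nat" / "-t mangle" to inspect the
  # NAT and TOS rules.
  $IPTABLES -v -n -L
  ;;
###############################################################################
###############################################################################
restart)
  # Between "stop" and "start" all policies are ACCEPT (3.3), so the host
  # is briefly unfiltered.
  datum=$(date +'%b %d %k:%M:%S')
  echo "$datum Firewall restart ..." | tee -a /var/log/messages
  "$0" stop
  echo "-----------------------"
  "$0" start
  ;;
###############################################################################
###############################################################################
version)
  # Read the RCS "$Id:" header from this script itself.  (The original
  # used the undefined $path_firewall, which made awk read stdin, and a
  # pattern that also matched this very line.)  "exit" stops at the first
  # match, which is the header.
  datum=$(date +'%b %d %k:%M:%S')
  echo "**"
  echo "$datum * * Firewall version: $(/bin/awk '/\$Id:/ {print $3, $4; exit}' "$0")"
  ;;
###############################################################################
###############################################################################
*)
  # ************************* WRONG PARAMETERS **************************
  echo
  echo "Wrong parameter input!"
  echo "Usage: $0 {start|stop|restart|status|version}"
  ;;
esac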