Cheap VPS & Xen Server

Residential Proxy Network - Hourly & Monthly Packages

How To Install A Custom Iptables Firewall


. This guide is to show you how to edit your iptables if you’re running on a server This guide info came from iptables rocks, but i edited a bunch of data to make it suitable for what i want it to do

Check to see if you already have iptables installed

rpm -q iptables

if iptables is installed you should see this outputted in console screen

 iptables-1.3.0-2

If iptables is not installed run use this command

up2date -i iptables

Configuring System Files

This will log kernel (user) usage and activities to a log file so that the admin can look at it later

Open terminal and sign in as root (su-)

Then type mkdir /var/log/firewall. This creates the virual directory where all this information will be stored

gedit /etc/syslog.conf

Edit the log file so that it should look like this

#IPTables logging 
#kernel messages. 
kern.debug;kern.info /var/log/firewall 

# Log all kernel messages to the console.
# Logging much else clutters up the screen.
#kern.*                                                        /dev/console

# Log anything (except mail) of level info or higher.
# Don't log private authentication messages!
*.info;mail.none;authpriv.none;cron.none                /var/log/messages

# The authpriv file has restricted access.
authpriv.*                                                /var/log/secure

# Log all the mail messages in one place.
mail.*                                                        -/var/log/maillog


# Log cron stuff
cron.*                                                        /var/log/cron

# Everybody gets emergency messages
*.emerg                                                        *

# Save news errors of level crit and higher in a special file.
uucp,news.crit                                                /var/log/spooler

# Save boot messages also to boot.log
local7.*                                                /var/log/boot.log

To activate these configurations type/etc/rc.d/init.d/syslog restart

This will make the kernel log activities

Then to make sure FTP sessions run correctly run this command

insmod ip_conntrack_ftp

//Book page 1//

Further System Preparation

Well, I dont know about you but wouldnt you like a saftey in case something goes bad… I know that i would, because it wont be fun if you’re locked out side of you’re system with all that importent data inside… A friend of mine did that do his dad’s PC once 🙂

Go into terminal and type su – and then enter password

Then enter this command (it creats the script(it resets you’re settings if you screw up)

vi /root/firewall_reset

# Iptables firewall reset script
*filter
:INPUT ACCEPT [164:15203]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [147:63028]
COMMIT

*mangle
:PREROUTING ACCEPT [164:15203]
:INPUT ACCEPT [164:15203]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [147:63028]
:POSTROUTING ACCEPT [147:63028]
COMMIT

*nat
:PREROUTING ACCEPT [14:672]
:POSTROUTING ACCEPT [9:684]
:OUTPUT ACCEPT [9:684]
COMMIT

pressctrl+s

run this command if you lock you’re self out from now on

iptables-restore < /root/firewall_reset

One of the 2 scripts needed

To create script rungedit /root/primary_firewall

#The NAT portion of the ruleset. Used for Network Address Transalation.
#Usually not needed on a typical web server, but it's there if you need it.
*nat
:PREROUTING ACCEPT [127173:7033011]
:POSTROUTING ACCEPT [31583:2332178]
:OUTPUT ACCEPT [32021:2375633]
COMMIT

#The Mangle portion of the ruleset. Here is where unwanted packet types get dropped.
#This helps in making port scans against your server a bit more time consuming and difficult, but not impossible.
*mangle
:PREROUTING ACCEPT [444:43563]
:INPUT ACCEPT [444:43563]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [402:144198]
:POSTROUTING ACCEPT [402:144198]
-A PREROUTING -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,PSH,URG -j DROP
-A PREROUTING -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j DROP
-A PREROUTING -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -j DROP
-A PREROUTING -p tcp -m tcp --tcp-flags FIN,SYN FIN,SYN -j DROP
-A PREROUTING -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,PSH,URG -j DROP
-A PREROUTING -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j DROP
-A PREROUTING -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -j DROP
-A PREROUTING -p tcp -m tcp --tcp-flags FIN,SYN FIN,SYN -j DROP
-A PREROUTING -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,PSH,URG -j DROP
-A PREROUTING -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j DROP
-A PREROUTING -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -j DROP
-A PREROUTING -p tcp -m tcp --tcp-flags FIN,SYN FIN,SYN -j DROP
-A PREROUTING -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,PSH,URG -j DROP
-A PREROUTING -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j DROP
-A PREROUTING -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -j DROP
-A PREROUTING -p tcp -m tcp --tcp-flags FIN,SYN FIN,SYN -j DROP
COMMIT

#The FILTER section of the ruleset is where we initially drop all packets and then selectively open certain ports.
#We will also enable logging of all dropped requests.
*filter
:INPUT DROP [1:242]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
:LOG_DROP - [0:0]
:LOG_ACCEPT - [0:0]
:icmp_packets - [0:0]

#First, we cover the INPUT rules, or the rules for incoming requests.
#Note how at the end we log any incoming packets that are not accepted.
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 20 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 21 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j LOG_ACCEPT
-A INPUT -p tcp -m tcp --dport 25 -j LOG_ACCEPT
-A INPUT -p tcp -m tcp --dport 43 -j ACCEPT
-A INPUT -p udp -m udp --dport 53 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 110 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 143 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
#uncomment the next line if you are running Spamassassin on your server
#-A INPUT -p tcp -m tcp --dport 783 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 993 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 3306 -j ACCEPT
-A INPUT -s 127.0.0.1 -j ACCEPT
-A INPUT -p icmp -j icmp_packets
-A INPUT -j LOG_DROP

#Next, we cover the OUTPUT rules, or the rules for all outgoing traffic.
#Note how at the end we log any outbound packets that are not accepted.
-A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 20 -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 21 -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 23 -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 25 -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 43 -j ACCEPT
-A OUTPUT -p udp -m udp --dport 53 -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 110 -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 143 -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 443 -j ACCEPT
#uncomment the next line if you are running Spamassassin on your server
#-A OUTPUT -p tcp -m tcp --dport 783 -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 993 -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 3306 -j ACCEPT
-A OUTPUT -d 127.0.0.1 -j ACCEPT
-A OUTPUT -p icmp -j icmp_packets
-A OUTPUT -j LOG_DROP

#Here we have 2 sets of logging rules. One for dropped packets to log all dropped requests and one for accepted packets, should we wish to log any accepted requesets.
-A LOG_DROP -j LOG --log-prefix "[IPTABLES DROP] : " --log-tcp-options --log-ip-options
-A LOG_DROP -j DROP

-A LOG_ACCEPT -j LOG --log-prefix "[IPTABLES ACCEPT] : " --log-tcp-options --log-ip-options
-A LOG_ACCEPT -j ACCEPT

#And finally, a rule to deal with ICMP requests. We drop all ping requests except from our own server.
# Make sure you replace 1.2.3.4 with the IP address of your server.
-A icmp_packets -p icmp -m icmp --icmp-type 0 -j ACCEPT
-A icmp_packets -s 1.2.3.4 -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A icmp_packets -p icmp -m icmp --icmp-type 8 -j DROP
-A icmp_packets -p icmp -m icmp --icmp-type 3 -j ACCEPT
-A icmp_packets -p icmp -m icmp --icmp-type 11 -j ACCEPT
COMMIT

Then enter iptables-restore < /root/primary_firewall

into the terminal (remeber to be root)

The second firewall script

This script is an advanced program that scans ports constantly for hackers/viruses and other undesireables…Together with the above script you will have a very formidable defense system indeed

Sign in as root

Make this directory

mkdir /var/lock/subsys

Edit this file(type in gedit first :)) /etc/init.d/firewall.iptables

Enter in this code

As root enter in this command

chown root:root /etc/init.d/firewall.iptables

chmod 700 /etc/init.d/firewall.iptables

Then enter cd /etc/init.d

And enter /sbin/chkconfig –level 345 firewall.iptables on

Then enter /etc/init.d/firewall.iptables start

 
#!/bin/sh
#
# firewall      Firewall startup/shutdown script
#
# Version:      @(#) /etc/rc.d/init.d/firewall.iptables  23-Dec-2005
#
#
# Translated to iptables format, with several additions and modifications,
# from Craig Zeller's (zeller@fatpenguin.com) ipchains-based firewall script, by
# Bob Sully (rcs@malibyte.net)
#
# Thanks to Jeff Carlson (jeff@ultimateevil.org) for his assistance re:          and several other issues, 
# Rohan Amin (rohan@rohanamin.com) and Erik Wasser (erik.wasser@iquer.com) for help with the port-forwarding 
# routine, and Nate Waddoups for his quick PPTP hack.

#
# Latest revision: 13-Mar-2006
#

# chkconfig: 345 11 91
#
# description: IP Firewall startup/shutdown script for iptables
#
# probe: true
#

#
# CONSTANTS - Do not edit
#

ANYWHERE="0.0.0.0/0"                        # Match any IP address
BROADCAST_SRC="0.0.0.0"                        # Broadcast Source Address
BROADCAST_DEST="255.255.255.255"        # Broadcast Destination Address
CLASS_A="10.0.0.0/8"                        # Class-A Private (RFC-1918) Networks
CLASS_B="172.16.0.0/12"                        # Class-B Private (RFC-1918) Networks
CLASS_C="192.168.0.0/16"                # Class-C Private (RFC-1918) Networks
CLASS_D_MULTICAST="224.0.0.0/4"                # Class-D Multicast Addresses
CLASS_E_RESERVED_NET="240.0.0.0/5"        # Class-E Reserved Addresses
PRIVPORTS="0:1023"                        # Well-Known, Privileged Port Range
UNPRIVPORTS="1024:65535"                # Unprivileged Port Range
TRACEROUTE_SRC_PORTS="32769:65535"        # Traceroute Source Ports
TRACEROUTE_DEST_PORTS="33434:33523"        # Traceroute Destination Ports


#
# The Loopback interface defines should not be
# edited unless your Linux distribution defines
# these differently.
#

LOOPBACK_INTERFACE="lo"                        # The loopback interface
LOOPBACK_NETWORK="127.0.0.0/8"                # Reserved Loopback Address Range



#
# See how we were called.
#

case "$1" in
  start)
        echo "Starting Firewall services"
        echo "firewall: Configuring Firewall Rules using iptables"

         # Remove any existing rules from all chains
            iptables -F
            iptables -F -t nat
            iptables -F -t mangle

            # Remove any pre-existing user-defined chains
            iptables -X
            iptables -X -t nat
            iptables -X -t mangle

        # Zero counts
        iptables -Z

            # Set the default policy to drop
            iptables -P INPUT   DROP
            iptables -P OUTPUT  DROP
            iptables -P FORWARD DROP

        # Allow unlimited traffic on the loopback interface
        iptables -A INPUT -i $LOOPBACK_INTERFACE -j ACCEPT
        iptables -A OUTPUT -o $LOOPBACK_INTERFACE -j ACCEPT

        # A bug that showed up as of the Red Hat 7.2 release results in
            # the following 5 default policies breaking the firewall
            # initialization:

        #     fgrep -q '7.2' /etc/redhat-release
        #     if [ $? -ne 0 ] ; then
        #       iptables -t nat    -P PREROUTING  DROP
        #       iptables -t nat    -P OUTPUT      DROP 
        #       iptables -t nat    -P POSTROUTING DROP

        #       iptables -t mangle -P PREROUTING  DROP
        #       iptables -t mangle -P OUTPUT      DROP
        #     fi


        # Open the configuration file
        if [ -f /etc/firewall/firewall.conf.iptables ]; then
            . /etc/firewall/firewall.conf.iptables
        else
            # Turn off IP Forwarding & Masquerading
            echo 0 >/proc/sys/net/ipv4/ip_forward
        
            # Turn off dynamic IP hacking
            echo "0" > /proc/sys/net/ipv4/ip_dynaddr
        
            echo "firewall: No configuration file found at /etc/firewall/firewall.conf.iptables; "
            echo "firewall: default policies set to DROP on INPUT/OUTPUT/FORWARD chains."
            exit 1
        fi


        #
        # If your IP address is dynamically assigned by a DHCP server,
        # your DHCP server's IP address and this machine's IP address are
        # obtained from /etc/dhcpc/hostinfo-$EXTERNAL_INTERFACE or
        # /etc/dhcpc/dhcpcd-$EXTERNAL_INTERFACE.info.
        #


        if [ $DHCP -gt 0 ]; then

          # Grab external IP address if already assigned

          EXTERNAL_IP=$( ifconfig $EXTERNAL_INTERFACE | grep 'inet[^6]' | sed 's/[a-zA-Z:]//g' | awk '{print $1}' )
          if [ -n $EXTERNAL_IP ]; then
            EXT_NETMASK=$( ifconfig $EXTERNAL_INTERFACE | grep 'inet[^6]' | sed 's/[a-zA-Z:]//g' | awk '{print $3}' )
             EXTERNAL_NETWORK=$( ipcalc -n $EXTERNAL_IP $EXT_NETMASK | grep Network | sed 's/\/[0-9].*//g' | awk '{print $2}' )
BROADCAST_NET=$( ifconfig $EXTERNAL_INTERFACE | grep 'inet[^6]' | sed 's/[a-zA-Z:]//g' | awk '{print $2}' )
          fi 

          # Turn on dynamic IP hacking
          echo "1" > /proc/sys/net/ipv4/ip_dynaddr


          # Incoming DHCPOFFER from available DHCP servers
          iptables -A INPUT -i $EXTERNAL_INTERFACE -p udp \
                   -s 0.0.0.0         --sport 67 \
                   -d 255.255.255.255 --dport 68 -j ACCEPT

          # Initialization of rebinding: No lease or Lease time expired.
          iptables -A OUTPUT -o $EXTERNAL_INTERFACE -p udp   \
                   -s 0.0.0.0         --sport 68 \
                   -d 255.255.255.255 --dport 67 -j ACCEPT

          # Fall back to initialization
          # The client knows its server, but has either lost its
          # lease, or else needs to reconfirm the IP address after
          # rebooting.
          iptables -A INPUT -i $EXTERNAL_INTERFACE -p udp \
                   -s $DHCP_SERVER_IP --sport 67     \
                   -d 255.255.255.255 --dport 68 -j ACCEPT
          iptables -A OUTPUT -o $EXTERNAL_INTERFACE -p udp \
                   -s 255.255.255.255 --sport 68 \
                   -d $DHCP_SERVER_IP --dport 67 -j ACCEPT

          # As a result of the above, we're supposed to change our IP
          # address with this message, which is addressed to our new
          # address before the dhcp client has received the update.
          # Depending on the server implementation, the destination
          # address can be the new IP address, the subnet address, or
          # the limited broadcast address.

          # If the network subnet address is used as the destination,
          # the next rule must allow incoming packets destined to the
          # subnet address, and the rule must preceed any general rules
          # that block such incoming broadcast packets.

          iptables -A INPUT -i $EXTERNAL_INTERFACE -p udp \
                   -s $DHCP_SERVER_IP --sport 67     \
                   --dport 68 -j ACCEPT

          # Lease renewal
          iptables -A INPUT -i $EXTERNAL_INTERFACE -p udp \
                   -s $DHCP_SERVER_IP --sport 67     \
                   -d $EXTERNAL_IP --dport 68 -j ACCEPT
          iptables -A OUTPUT -o $EXTERNAL_INTERFACE -p udp \
                   -s $EXTERNAL_IP --sport 68       \
                   -d $DHCP_SERVER_IP --dport 67 -j ACCEPT

          echo "firewall: DHCP Client configured"
          
          else
            # External IP assigned without DHCP (i.e. static); get netmask
            EXT_NETMASK=$( ifconfig $EXTERNAL_INTERFACE | grep 'inet[^6]' | sed 's/[a-zA-Z:]//g' | awk '{print $3}' )
          
        fi


        #
          # Refuse directed broadcasts; you may choose not to log these, as they can fill up your logs quickly
        #

#           iptables -A INPUT -i $EXTERNAL_INTERFACE -d $EXTERNAL_NETWORK \
#             -m limit --limit 1/s            \
#             -j LOG --log-prefix "[Directed Broadcast] "
            iptables -A INPUT -i $EXTERNAL_INTERFACE -d $EXTERNAL_NETWORK -j DROP
#         iptables -A INPUT -i $EXTERNAL_INTERFACE -d $BROADCAST_NET \
#             -m limit --limit 1/s            \
#             -j LOG --log-prefix "[Directed Broadcast] "
        iptables -A INPUT  -i $EXTERNAL_INTERFACE -d $BROADCAST_NET -j DROP

        # Refuse limited broadcasts
#            iptables -A INPUT  -i $EXTERNAL_INTERFACE -d 255.255.255.255 \
#             -m limit --limit 1/s                    \
#             -j LOG --log-prefix "[Limited Broadcast] "
            iptables -A INPUT  -i $EXTERNAL_INTERFACE -d 255.255.255.255 -j DROP



        #
        # Edit these to match the number of servers or connections
        # you support.
        #

        # X Window port allocation begins at 6000 and increments
        # for each additional server running from 6000 to 6063.

        XWINDOW_PORTS="6000:6063"                # (TCP) X Windows

        # SSH starts at 1023 and works down to 513 for each additional
        # simultaneous incoming connection.

        SSH_HI_PORTS="513:1023"                        # SSH Simultaneous Connections


        #
        # Iptables allows creation of customized chains.  The -l (log) flag no longer
        # exists.  This is a custom chain which allows logging of DROPped packets.
        #

        iptables -N LnD                        # Define custom DROP chain

        iptables -A LnD -p tcp -m limit --limit 1/s -j LOG --log-prefix "[TCP drop] " --log-level=info
        iptables -A LnD -p udp -m limit --limit 1/s -j LOG --log-prefix "[UDP drop] " --log-level=info
        iptables -A LnD -p icmp -m limit --limit 1/s -j LOG --log-prefix "[ICMP drop] " --log-level=info
        iptables -A LnD -f -m limit --limit 1/s -j LOG --log-prefix "[FRAG drop] " --log-level=info
        iptables -A LnD -j DROP

        #
        # This custom chain logs, then REJECTs packets.
        #

        iptables -N LnR                        # Define custom REJECT chain

        iptables -A LnR -p tcp -m limit --limit 1/s -j LOG --log-prefix "[TCP reject] " --log-level=info
        iptables -A LnR -p udp -m limit --limit 1/s -j LOG --log-prefix "[UDP reject] " --log-level=info
        iptables -A LnR -p icmp -m limit --limit 1/s -j LOG --log-prefix "[ICMP reject] " --log-level=info
         iptables -A LnR -f -m limit --limit 1/s -j LOG --log-prefix "[FRAG reject] " --log-level=info
        iptables -A LnR -j REJECT

        #
        # This chain logs, then DROPs "Xmas" and Null packets which might indicate a port-scan attempt
        #

        iptables -N ScanD                # Define custom chain for possible port-scans

        iptables -A ScanD -p tcp -m limit --limit 1/s -j LOG --log-prefix "[TCP Scan?] "
        iptables -A ScanD -p udp -m limit --limit 1/s -j LOG --log-prefix "[UDP Scan?] "
        iptables -A ScanD -p icmp -m limit --limit 1/s -j LOG --log-prefix "[ICMP Scan?] "
        iptables -A ScanD -f -m limit --limit 1/s -j LOG --log-prefix "[FRAG Scan?] "
        iptables -A ScanD -j DROP


        #
        # This chain limits the number of new incoming connections to preventing DDoS attacks
        #
                                                                                                                  
        iptables -N DDoS                # Define custom chain for possible DDoS attack or SYN-flood scan
                                                                                                                  
        iptables -A DDoS -m limit --limit 1/s --limit-burst 10 -j RETURN
        iptables -A DDoS -j LOG --log-prefix "[DOS Attack/SYN Scan?] "
        iptables -A DDoS -j DROP


        #
        # This chain drops connections from IANA reserved IP blocks
        #

        iptables -N IANA        

        iptables -A IANA -p tcp -m limit --limit 1/s -j LOG --log-prefix "[IANA Reserved - TCP] " --log-level=info
        iptables -A IANA -p udp -m limit --limit 1/s -j LOG --log-prefix "[IANA Reserved - UDP] " --log-level=info
        iptables -A IANA -p icmp -m limit --limit 1/s -j LOG --log-prefix "[IANA Reserved - ICMP] " --log-level=info
        iptables -A IANA -f -m limit --limit 1/s -j LOG --log-prefix "[IANA Reserved - FRAG] " --log-level=info
        iptables -A IANA -j DROP


        #
        # This chain drops connections from IPs in the firewall.banned file
        #

        iptables -N Banned        

        iptables -A Banned -p tcp -m limit --limit 1/s -j LOG --log-prefix "[TCP Banned] " --log-level=info
        iptables -A Banned -p udp -m limit --limit 1/s -j LOG --log-prefix "[UDP Banned] " --log-level=info
        iptables -A Banned -p icmp -m limit --limit 1/s -j LOG --log-prefix "[ICMP Banned] " --log-level=info
        iptables -A Banned -f -m limit --limit 1/s -j LOG --log-prefix "[FRAG Banned] " --log-level=info
        iptables -A Banned -j DROP


        #
        # Disallow packets frequently used by port-scanners
        # 

        # All of the bits are cleared
            iptables -A INPUT -p tcp --tcp-flags ALL NONE -j ScanD

            # SYN and FIN are both set
            iptables -A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j ScanD

            # SYN and RST are both set
            iptables -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j ScanD

            # FIN and RST are both set
            iptables -A INPUT -p tcp --tcp-flags FIN,RST FIN,RST -j ScanD

            # FIN is the only bit set, without the expected accompanying ACK
            iptables -A INPUT -p tcp --tcp-flags ACK,FIN FIN -j ScanD

            # PSH is the only bit set, without the expected accompanying ACK
            iptables -A INPUT -p tcp --tcp-flags ACK,PSH PSH -j ScanD

            # URG is the only bit set, without the expected accompanying ACK
            iptables -A INPUT -p tcp --tcp-flags ACK,URG URG -j ScanD

        # SYN-Flood 
        # (Request for new connection; large number indicate possible DDoS-type attack; 
        #  same as --syn)
        iptables -A INPUT -p tcp --tcp-flags SYN,RST,ACK SYN -j DDoS


        # Enable broadcast echo Protection
        echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts

        # Disable Source Routed Packets
        for f in /proc/sys/net/ipv4/conf/*/accept_source_route; do
               echo 0 > $f
        done

        # Enable TCP SYN Cookie Protection
        echo 1 > /proc/sys/net/ipv4/tcp_syncookies

        # Disable ICMP Redirect Acceptance
        for f in /proc/sys/net/ipv4/conf/*/accept_redirects; do
              echo 0 > $f
        done

        # Don't send Redirect Messages
        for f in /proc/sys/net/ipv4/conf/*/send_redirects; do
              echo 0 > $f
        done

        # Disable ICMP Redirect Acceptance
        for f in /proc/sys/net/ipv4/conf/*/accept_redirects; do
            echo 0 > $f
        done

        # Drop Spoofed Packets coming in on an interface, which if replied to,
        # would result in the reply going out a different interface.
        for f in /proc/sys/net/ipv4/conf/*/rp_filter; do
             echo 1 > $f
        done

        # Log packets with impossible addresses.
        for f in /proc/sys/net/ipv4/conf/*/log_martians; do
             echo 1 > $f
        done


        # Disallow fragmented packets.  This may not be as necessary as it once was.
        # Comment it out with # if desired.
#        iptables -A INPUT -f -i $EXTERNAL_INTERFACE -j LnD
#        iptables -A INPUT -f -i $INTERNAL_INTERFACE -j LnD


        #
        # Loopback
        #

        # Unlimited traffic on the loopback interface (lo)

        iptables -A INPUT -i $LOOPBACK_INTERFACE -j ACCEPT
        iptables -A OUTPUT -o $LOOPBACK_INTERFACE -j ACCEPT


        #
        # Refuse any connections to/from problem sites.
        #
        # /etc/firewall/firewall.banned contains a list of IPs
        # to block all access, both inbound and outbound.
        # The file should contain IP addresses with CIDR
        # netmask, one per line:
        #
        # NOTE: No comments are allowed in the file.
        #
        # 111.0.0.0/8                        - To block a Class-A network
        # 111.222.0.0/16                - To block a Class-B network
        # 111.222.254.0/24                - To block a Class-C network
        # 111.222.254.244/32                - To block a single IP address
        #
        # The CIDR netmask number describes the number of bits
        # in the network portion of the address, and may be on
        # any boundary.
        #

        if [ -f /etc/firewall/firewall.banned ]; then
            while read BANNED; do
                iptables -A INPUT -i $EXTERNAL_INTERFACE -s $BANNED -j Banned
                iptables -A INPUT -i $EXTERNAL_INTERFACE -d $BANNED -j Banned
                iptables -A OUTPUT -o $EXTERNAL_INTERFACE -s $BANNED -j Banned
                iptables -A OUTPUT -o $EXTERNAL_INTERFACE -d $BANNED -j Banned
                iptables -A FORWARD -d $BANNED -j Banned
                iptables -A FORWARD -s $BANNED -j Banned
            done < /etc/firewall/firewall.banned
            echo "firewall: Banned addresses added to rule set"
        
        else
            echo "firewall: Banned address/network file not found."
        fi

        #
        # Refuse connections from IANA-reserved blocks
        #
        
        if [ -f /etc/firewall/firewall.iana-reserved ]; then
            while read RESERVED; do
                iptables -A INPUT -i $EXTERNAL_INTERFACE -s $RESERVED -j IANA
                iptables -A INPUT -i $EXTERNAL_INTERFACE -d $RESERVED -j IANA
                iptables -A OUTPUT -o $EXTERNAL_INTERFACE -s $RESERVED -j IANA
                iptables -A OUTPUT -o $EXTERNAL_INTERFACE -d $RESERVED -j IANA
            done < /etc/firewall/firewall.iana-reserved
            echo "firewall: Connections from IANA-reserved addresses blocked"

        else
            echo "firewall: IANA-reserved address/network file not found."
        fi

        #
        # Localizations
        #
        # The /etc/firewall/firewall.local file should contain rules in
        # standard 'iptables' format.
        #

        if [ -f /etc/firewall/firewall.local.iptables ]; then
            . /etc/firewall/firewall.local.iptables
            echo "firewall: Local rules added"
        else
            echo "firewall: Local rules file not found."
        fi



        #
        # ICMP
        #

        # (4) Source Quench.
        # Incoming & outgoing requests to slow down (flow control)

        iptables -A INPUT -i $EXTERNAL_INTERFACE -p ICMP --icmp-type 4 \
            -s $ANYWHERE  -d $EXTERNAL_IP -j ACCEPT

        iptables -A OUTPUT -o $EXTERNAL_INTERFACE -p ICMP --icmp-type 4 \
            -s $EXTERNAL_IP  -d $ANYWHERE -j ACCEPT

        if [ $MASQUERADING -gt 0 ]; then
            iptables -A FORWARD -p ICMP --icmp-type 4 -j ACCEPT
        fi

        # (12) Parameter Problem.
        # Incoming & outgoing error messages

        iptables -A INPUT -i $EXTERNAL_INTERFACE -p ICMP --icmp-type 12 \
            -s $ANYWHERE  -d $EXTERNAL_IP -j ACCEPT

        iptables -A OUTPUT -o $EXTERNAL_INTERFACE -p ICMP --icmp-type 12 \
            -s $EXTERNAL_IP  -d $ANYWHERE -j ACCEPT

        if [ $MASQUERADING -gt 0 ]; then
            iptables -A FORWARD -p ICMP --icmp-type 12 -j ACCEPT
        fi

        # (3) Destination Unreachable, Service Unavailable.
        # Incoming & outgoing size negotiation, service or
        # destination unavailability, final traceroute response

        iptables -A INPUT -i $EXTERNAL_INTERFACE -p ICMP --icmp-type 3 \
            -s $ANYWHERE  -d $EXTERNAL_IP -j ACCEPT

        iptables -A OUTPUT -o $EXTERNAL_INTERFACE -p ICMP --icmp-type 3 \
            -s $EXTERNAL_IP  -d $ANYWHERE -j ACCEPT

        iptables -A OUTPUT -o $EXTERNAL_INTERFACE -p ICMP --icmp-type \
            fragmentation-needed -s $EXTERNAL_IP  -d $ANYWHERE -j ACCEPT

        if [ $MASQUERADING -gt 0 ]; then
            iptables -A FORWARD -p ICMP --icmp-type 3 -j ACCEPT
            iptables -A FORWARD -p ICMP --icmp-type fragmentation-needed -j ACCEPT
        fi

        # (11) Time Exceeded.
        # Incoming & outgoing timeout conditions,
        # also intermediate TTL response to traceroutes

        iptables -A INPUT -i $EXTERNAL_INTERFACE -p ICMP --icmp-type 11 \
            -s $ANYWHERE  -d $EXTERNAL_IP -j ACCEPT

        iptables -A OUTPUT -o $EXTERNAL_INTERFACE -p ICMP --icmp-type 11 \
            -s $EXTERNAL_IP  -d $ANYWHERE -j ACCEPT

        if [ $MASQUERADING -gt 0 ]; then
            iptables -A FORWARD -p ICMP --icmp-type 11 -j ACCEPT
        fi

        # (0 | 8) Allow OUTPUT pings to anywhere.

        if [ $OUTBOUND_PING -gt 0 ]; then

            iptables -A OUTPUT -o $EXTERNAL_INTERFACE -p ICMP --icmp-type 8 \
                -s $EXTERNAL_IP  -d $ANYWHERE -j ACCEPT

            iptables -A INPUT -i $EXTERNAL_INTERFACE -p ICMP --icmp-type 0 \
                -s $ANYWHERE  -d $EXTERNAL_IP -j ACCEPT

            if [ $MASQUERADING -gt 0 ]; then
               iptables -A FORWARD -p ICMP --icmp-type 8 -s $INTERNAL_NETWORK -j ACCEPT
               iptables -A FORWARD -p ICMP --icmp-type 0 -d $INTERNAL_NETWORK -j ACCEPT
            fi

            if [ $VERBOSE -gt 0 ]; then
                echo "firewall: Outbound ping enabled"
            fi

        fi

        # (0 | 8) Allow incoming pings from anywhere
        #       (stops at firewall).

        if [ $INBOUND_PING -gt 0 ]; then

            iptables -A INPUT -i $EXTERNAL_INTERFACE -p ICMP --icmp-type 8 \
                -s $ANYWHERE  -d $EXTERNAL_IP -j ACCEPT

            iptables -A OUTPUT -o $EXTERNAL_INTERFACE -p ICMP --icmp-type 0 \
                -s $EXTERNAL_IP  -d $ANYWHERE -j ACCEPT

            if [ $VERBOSE -gt 0 ]; then
                echo "firewall: Inbound ping enabled"
            fi

        fi

        #
        # Unprivileged Ports
        # Avoid ports subject to protocol and system administration problems.
        #

        NFS_PORT="2049"                                # (TCP/UDP) NFS
        OPENWINDOWS_PORT="2000"                        # (TCP) Openwindows
        SOCKS_PORT="1080"                        # (TCP) Socks


        # Openwindows: establishing a connection

        iptables -A OUTPUT -o $EXTERNAL_INTERFACE -p TCP -m state --state NEW \
        --dport $OPENWINDOWS_PORT -s $EXTERNAL_IP -d $ANYWHERE -j LnR

        # Openwindows: incoming connection

        iptables -A INPUT -i $EXTERNAL_INTERFACE -p TCP -m state --state NEW \
        --dport $OPENWINDOWS_PORT -d $EXTERNAL_IP -j LnD

        # X Window: establishing a remote connection

        iptables -A OUTPUT -o $EXTERNAL_INTERFACE -p TCP -m state --state NEW \
        --dport $XWINDOW_PORTS -s $EXTERNAL_IP -d $ANYWHERE -j LnR

        # X Window: incoming connection attempt

        iptables -A INPUT -i $EXTERNAL_INTERFACE -p TCP -m state --state NEW \
        --dport $XWINDOW_PORTS -d $EXTERNAL_IP -j LnD

        # SOCKS: establishing a connection

        iptables -A OUTPUT -o $EXTERNAL_INTERFACE -p TCP -m state --state NEW \
        --dport $SOCKS_PORT -s $EXTERNAL_IP -d $ANYWHERE  -j LnR

        # SOCKS: incoming connection

        iptables -A INPUT -i $EXTERNAL_INTERFACE -p TCP -m state --state NEW \
        --dport        $SOCKS_PORT -d $EXTERNAL_IP -j LnD

        # NFS: TCP connections

        iptables -A INPUT -i $EXTERNAL_INTERFACE -p TCP -m state --state NEW \
        --dport $NFS_PORT -d $EXTERNAL_IP -j LnD

        iptables -A OUTPUT -o $EXTERNAL_INTERFACE -p TCP -m state --state NEW \
        --dport        $NFS_PORT -d $ANYWHERE -j LnR

        # NFS: UDP connections

        iptables -A INPUT -i $EXTERNAL_INTERFACE -p UDP \
        --dport $NFS_PORT -d $EXTERNAL_IP -j LnD

        # NFS: incoming request (normal UDP mode)

        iptables -A OUTPUT -o $EXTERNAL_INTERFACE -p UDP \
        --dport $NFS_PORT -d $ANYWHERE -j LnR


        #
        # DNAT/SNAT Port Forwarding
        # 

         if [ $PORT_FORWARD -gt 0 ]; then 
           if [ -f /etc/firewall/firewall.nat ]; then
             while read IP_PORT; do
               # extract the protocols, IPs and ports
               NAT_TYPE=$(echo "$IP_PORT" | awk '{print $1}')
               NAT_EXT_PORT=$(echo "$IP_PORT" | awk '{print $2}')
               NAT_INT_IP=$(echo "$IP_PORT" | awk '{print $3}')
               NAT_INT_PORT=$(echo "$IP_PORT" | awk '{print $4}')

               # write the rules!

               # this is the prerouting dnat
               iptables -A PREROUTING -t nat -p $NAT_TYPE -d $EXTERNAL_IP --dport $NAT_EXT_PORT -j DNAT \
                --to-destination $NAT_INT_IP:$NAT_INT_PORT

               # This allows packets from external->internal
               iptables -A FORWARD -i $EXTERNAL_INTERFACE -o $INTERNAL_INTERFACE -p $NAT_TYPE  \
                -d $NAT_INT_IP --dport $NAT_INT_PORT -m state \
                --state NEW,ESTABLISHED,RELATED -j ACCEPT

               # This allows packets from internal->external
               iptables -A FORWARD -i $INTERNAL_INTERFACE -o $EXTERNAL_INTERFACE -p $NAT_TYPE  \
                -s $NAT_INT_IP --sport $NAT_INT_PORT -m state \
                --state NEW,ESTABLISHED,RELATED -j ACCEPT

               # This enables access to the 'public' server from the internal network
               iptables -t nat -A POSTROUTING -d $NAT_INT_IP -s $INTERNAL_NETWORK \
                -p $NAT_TYPE --dport $NAT_INT_PORT -j SNAT --to $INTERNAL_IP

               echo firewall: dnat: $NAT_TYPE:$EXTERNAL_IP:$NAT_EXT_PORT - $NAT_INT_IP:$NAT_INT_PORT

             done < /etc/firewall/firewall.nat

            # unset some variables
              unset IP_PORT
              unset NAT_TYPE
              unset NAT_EXT_PORT
              unset NAT_INT_IP
              unset NAT_INT_PORT

           else
              echo "firewall.nat (port-forwarding table) not found!  Port-forwarding not enabled."
           fi
        fi


        #
        # NOTE:
        #     The symbolic names used in /etc/services for the port numbers
        #     vary by supplier.
        #

        # Required Services

        #
        # DNS client modes (53)
        #

        if [ $DNS_CLIENT -gt 0 ]; then

            iptables -A OUTPUT -o $EXTERNAL_INTERFACE -p UDP \
                --sport $UNPRIVPORTS --dport 53 -s $EXTERNAL_IP \
                -d $ANYWHERE -j ACCEPT

            iptables -A INPUT -i $EXTERNAL_INTERFACE -m state --state ESTABLISHED,RELATED -p UDP --sport 53 \
                --dport $UNPRIVPORTS -s $ANYWHERE -d $EXTERNAL_IP -j ACCEPT

            if [ $MASQUERADING -gt 0 ]; then
               iptables -A FORWARD -p UDP -s $INTERNAL_NETWORK --sport $UNPRIVPORTS --dport 53 -j ACCEPT
               iptables -A FORWARD -p UDP -d $INTERNAL_NETWORK --sport 53 --dport $UNPRIVPORTS -j ACCEPT
            fi

            # TCP client-to-server requests are allowed by the protocol
            # if UDP requests fail. This is rarely seen. Usually, clients
            # use TCP as a secondary name server for zone transfers from
            # their primary name servers, and as hackers.

            iptables -A OUTPUT -o $EXTERNAL_INTERFACE -p TCP --sport \
                $UNPRIVPORTS --dport 53 -s $EXTERNAL_IP -d $ANYWHERE -j ACCEPT

            iptables -A INPUT -i $EXTERNAL_INTERFACE -p TCP -m state --state ESTABLISHED,RELATED \
                --sport 53 --dport $UNPRIVPORTS -s $ANYWHERE -d $EXTERNAL_IP -j ACCEPT

            if [ $MASQUERADING -gt 0 ]; then
               iptables -A FORWARD -p TCP -s $INTERNAL_NETWORK --sport $UNPRIVPORTS --dport 53 -j ACCEPT
               iptables -A FORWARD -m state --state ESTABLISHED,RELATED -p TCP -d $INTERNAL_NETWORK \
                --sport 53 --dport $UNPRIVPORTS -j ACCEPT
            fi

            if [ $VERBOSE -gt 0 ]; then
                echo "firewall: DNS client enabled"
            fi
        fi

        #
        # DNS server modes (53)
        #

        #
        # DNS caching & forwarding name server
        #

        if [ $DNS_CACHING_SERVER -gt 0 ]; then

            # Server-to-server query or response
            # Caching only name server uses UDP, not TCP

            iptables -A INPUT -i $EXTERNAL_INTERFACE -p UDP \
        --sport 53 --dport 53 -s $ANYWHERE -d $EXTERNAL_IP -j ACCEPT

            iptables -A OUTPUT -o $EXTERNAL_INTERFACE -p UDP \
        --sport 53 --dport 53 -s $EXTERNAL_IP -d $ANYWHERE -j ACCEPT

            if [ $VERBOSE -gt 0 ]; then
                echo "firewall: DNS Caching server enabled"
            fi

        fi

        #
        # DNS full name server
        #

        if [ $DNS_FULL_SERVER -gt 0 ]; then

            # Client-to-server DNS transaction.

            iptables -A INPUT -i $EXTERNAL_INTERFACE -p UDP \
        --sport $UNPRIVPORTS --dport 53 -s $ANYWHERE -d $EXTERNAL_IP -j ACCEPT

            iptables -A OUTPUT -o $EXTERNAL_INTERFACE -p UDP \
        --sport 53 --dport $UNPRIVPORTS -s $EXTERNAL_IP -d $ANYWHERE -j ACCEPT

            iptables -A INPUT -i $EXTERNAL_INTERFACE -p UDP \
        --sport 53 --dport 53 -s $ANYWHERE -d $EXTERNAL_IP -j ACCEPT

            iptables -A OUTPUT -o $EXTERNAL_INTERFACE -p UDP \
        --sport 53 --dport 53 -s $EXTERNAL_IP -d $ANYWHERE -j ACCEPT


            # Zone Transfers.
            # Due to the potential danger of zone transfers,
            # allow TCP traffic to only specific secondaries.

            # /etc/firewall/firewall.dns contains a list of
            # secondary, tertiary, etc. domain name servers with which
            # zone transfers are allowed.  The file should contain IP
            # addresses with CIDR netmask, one per line:


        if [ -f /etc/firewall/firewall.dns ]; then
                while read DNS_SECONDARY; do

            iptables -A INPUT -i $EXTERNAL_INTERFACE -p TCP \
                --sport $UNPRIVPORTS --dport 53 -s $DNS_SECONDARY -d $EXTERNAL_IP -j ACCEPT

            iptables -A OUTPUT -o $EXTERNAL_INTERFACE -p TCP -m state --state ESTABLISHED,RELATED \
                --sport 53 --dport $UNPRIVPORTS -s $EXTERNAL_IP -d $DNS_SECONDARY -j ACCEPT

            done < /etc/firewall/firewall.dns

        else
            echo "firewall: ** No secondary DNS configured **"

        fi

            if [ $VERBOSE -gt 0 ]; then
                echo "firewall: DNS Full server enabled"
            fi

        fi

        #
        # AUTH (113) - Allowing your outgoing AUTH requests as a client
        #

        if [ $AUTH_CLIENT -gt 0 ]; then

            iptables -A OUTPUT -o $EXTERNAL_INTERFACE -p TCP \
        --sport $UNPRIVPORTS --dport 113 -s $EXTERNAL_IP -d $ANYWHERE -j ACCEPT

            iptables -A INPUT -i $EXTERNAL_INTERFACE -p TCP -m state --state ESTABLISHED,RELATED \
        --sport 113 --dport $UNPRIVPORTS -s $ANYWHERE -d $EXTERNAL_IP -j ACCEPT

            if [ $MASQUERADING -gt 0 ]; then
               iptables -A FORWARD -p TCP -s $INTERNAL_NETWORK --sport $UNPRIVPORTS --dport 113 -j ACCEPT
               iptables -A FORWARD -m state --state ESTABLISHED,RELATED -p TCP -d $INTERNAL_NETWORK \
                --sport 113 --dport $UNPRIVPORTS -j ACCEPT
            fi

            if [ $VERBOSE -gt 0 ]; then
                echo "firewall: Auth client enabled"
            fi

        fi


        # AUTH server (113)

        if [ $AUTH_SERVER -gt 0 ]; then

            # Accepting incoming AUTH requests

            iptables -A INPUT -i $EXTERNAL_INTERFACE -p TCP \
        --sport $UNPRIVPORTS --dport 113 -s $ANYWHERE -d $EXTERNAL_IP -j ACCEPT

            iptables -A OUTPUT -o $EXTERNAL_INTERFACE -p TCP -m state --state ESTABLISHED,RELATED \
        --sport 113 --dport $UNPRIVPORTS -s $EXTERNAL_IP -d $ANYWHERE -j ACCEPT

            if [ $VERBOSE -gt 0 ]; then
                echo "firewall: Auth server enabled"
            fi

        else

            # Rejecting incoming AUTH requests

            iptables -A INPUT -i $EXTERNAL_INTERFACE -p TCP \
                --dport 113 -d $EXTERNAL_IP -j LnR

            if [ $VERBOSE -gt 0 ]; then
                echo "firewall: Auth server requests will be rejected"
            fi

        fi


        #
        # TCP Services on selected ports.
        #

        #
        # Sending Mail through a remote SMTP server (25)
        #

        if [ $SMTP_REMOTE_SERVER -gt 0 ]; then

           # SMTP client to an ISP account without a local server
           for SMTP_SRVR in ${SMTP_SERVER}; do
         
              iptables -A OUTPUT -o $EXTERNAL_INTERFACE -p TCP \
           --sport $UNPRIVPORTS --dport 25 -s $EXTERNAL_IP -d $SMTP_SRVR -j ACCEPT

              iptables -A INPUT -i $EXTERNAL_INTERFACE -p TCP -m state --state ESTABLISHED,RELATED \
           --sport 25 --dport $UNPRIVPORTS -s $SMTP_SRVR -d $EXTERNAL_IP -j ACCEPT

              if [ $MASQUERADING -gt 0 ]; then
                 iptables -A FORWARD -p TCP -s $INTERNAL_NETWORK -d $SMTP_SRVR --sport $UNPRIVPORTS --dport 25 -j ACCEPT
                 iptables -A FORWARD -m state --state ESTABLISHED,RELATED -p TCP -s $SMTP_SRVR -d $INTERNAL_NETWORK \
                  --sport 25 --dport $UNPRIVPORTS -j ACCEPT
              fi

              if [ $VERBOSE -gt 0 ]; then
                   echo "firewall: Clients may access remote SMTP server: ${SMTP_SRVR}"
              fi
           done
        fi

        #
        # Sending Mail through a local SMTP server (25)
        #

        if [ $SMTP_LOCAL_SERVER -gt 0 ]; then

            iptables -A OUTPUT -o $EXTERNAL_INTERFACE -p TCP \
        --sport $UNPRIVPORTS --dport 25 -s $EXTERNAL_IP -d $ANYWHERE -j ACCEPT

            iptables -A INPUT -i $EXTERNAL_INTERFACE -p TCP -m state --state ESTABLISHED,RELATED \
        --sport 25 --dport $UNPRIVPORTS -s $ANYWHERE -d $EXTERNAL_IP -j ACCEPT

            # Receiving Mail as a Local SMTP server (25)

            iptables -A INPUT -i $EXTERNAL_INTERFACE -p TCP \
        --sport $UNPRIVPORTS --dport 25 -s $ANYWHERE -d $EXTERNAL_IP -j ACCEPT

            iptables -A OUTPUT -o $EXTERNAL_INTERFACE -p TCP -m state --state ESTABLISHED,RELATED \
        --sport 25 --dport $UNPRIVPORTS -s $EXTERNAL_IP -d $ANYWHERE -j ACCEPT

            if [ $VERBOSE -gt 0 ]; then
                echo "firewall: SMTP Local server enabled"
            fi

        fi



        #
        # POP3 (110) - Retrieving Mail as a POP3 client
        #

        if [ $POP3_CLIENT -gt 0 ]; then
           for POP_SRVR in ${POP_SERVER}; do
            
               iptables -A OUTPUT -o $EXTERNAL_INTERFACE -p TCP \
           --sport $UNPRIVPORTS --dport 110 -s $EXTERNAL_IP -d $POP_SRVR -j ACCEPT

               iptables -A INPUT -i $EXTERNAL_INTERFACE -p TCP -m state --state ESTABLISHED,RELATED \
           --sport 110 --dport $UNPRIVPORTS -s $POP_SRVR -d $EXTERNAL_IP -j ACCEPT

               if [ $MASQUERADING -gt 0 ]; then
                  iptables -A FORWARD -p TCP -s $INTERNAL_NETWORK -d $POP_SRVR --sport $UNPRIVPORTS --dport 110 -j ACCEPT
                  iptables -A FORWARD -m state --state ESTABLISHED,RELATED -p TCP -s $POP_SRVR -d $INTERNAL_NETWORK \
                   --sport 110 --dport $UNPRIVPORTS -j ACCEPT
               fi

               if [ $VERBOSE -gt 0 ]; then
                   echo "firewall: Clients may access remote POP-3 server: ${POP_SRVR}"
               fi
           done

        fi



        #
        # POP3 (110) - Hosting a POP3 server for remote clients
        #

        if [ $POP3_SERVER -gt 0 ]; then
           for MY_POP3_CLIENT in ${MY_POP3_CLIENTS}; do

              iptables -A INPUT -i $EXTERNAL_INTERFACE -p TCP \
           --sport $UNPRIVPORTS --dport 110 -s $MY_POP3_CLIENT -d $EXTERNAL_IP -j ACCEPT

              iptables -A OUTPUT -o $EXTERNAL_INTERFACE -p TCP -m state --state ESTABLISHED,RELATED \
           --sport 110 --dport $UNPRIVPORTS -s $EXTERNAL_IP -d $MY_POP3_CLIENT -j ACCEPT

               if [ $VERBOSE -gt 0 ]; then
                  echo "firewall: Remote site ${MY_POP3_CLIENT} may access local POP-3 server"
               fi

           done
        fi



        #
        # POP3S (995) - Retrieving Mail as a POP3S client
        #

        if [ $POP3S_CLIENT -gt 0 ]; then
           for POP3S_SRVR in ${POP3S_SERVERS}; do

               iptables -A OUTPUT -o $EXTERNAL_INTERFACE -p TCP \
           --sport $UNPRIVPORTS --dport 995 -s $EXTERNAL_IP -d $POP3S_SRVR -j ACCEPT

               iptables -A INPUT -i $EXTERNAL_INTERFACE -p TCP -m state --state ESTABLISHED,RELATED \
           --sport 995 --dport $UNPRIVPORTS -s $POP3S_SRVR -d $EXTERNAL_IP -j ACCEPT

               if [ $MASQUERADING -gt 0 ]; then
                  iptables -A FORWARD -p TCP -s $INTERNAL_NETWORK -d $POP3S_SRVR --sport $UNPRIVPORTS --dport 995 -j ACCEPT
                  iptables -A FORWARD -m state --state ESTABLISHED,RELATED -p TCP -s $POP3S_SRVR -d $INTERNAL_NETWORK \
                   --sport 995 --dport $UNPRIVPORTS -j ACCEPT
               fi

               if [ $VERBOSE -gt 0 ]; then
                   echo "firewall: Clients may access remote POP-3 secure server: ${POP3S_SRVR}"
               fi
           done

        fi


        #
        # POP3S (995) - Hosting a secure POP3 server for remote clients
        #

        if [ $POP3S_SERVER -gt 0 ]; then
           for MY_POP3S_CLIENT in ${MY_POP3S_CLIENTS}; do

              iptables -A INPUT -i $EXTERNAL_INTERFACE -p TCP \
           --sport $UNPRIVPORTS --dport 995 -s $MY_POP3S_CLIENT -d $EXTERNAL_IP -j ACCEPT

              iptables -A OUTPUT -o $EXTERNAL_INTERFACE -p TCP -m state --state ESTABLISHED,RELATED \
           --sport 995 --dport $UNPRIVPORTS -s $EXTERNAL_IP -d $MY_POP3S_CLIENT -j ACCEPT

               if [ $VERBOSE -gt 0 ]; then
                  echo "firewall: Remote site ${MY_POP3S_CLIENT} may access local secure POP-3 server"
               fi

           done
        fi



        #
        # IMAP (143) - Retrieving Mail as an IMAP client
        #

        if [ $IMAP_CLIENT -gt 0 ]; then
           for IMAP_SRVR in ${MY_IMAP_SERVER}; do
                
               iptables -A OUTPUT -o $EXTERNAL_INTERFACE -p TCP \
           --sport $UNPRIVPORTS --dport 143 -s $EXTERNAL_IP -d $IMAP_SRVR -j ACCEPT

               iptables -A INPUT -i $EXTERNAL_INTERFACE -p TCP -m state --state ESTABLISHED,RELATED \
           --sport 143 --dport $UNPRIVPORTS -s $IMAP_SRVR -d $EXTERNAL_IP -j ACCEPT

               if [ $MASQUERADING -gt 0 ]; then
                  iptables -A FORWARD -p TCP -s $INTERNAL_NETWORK -d $IMAP_SRVR --sport $UNPRIVPORTS --dport 143 -j ACCEPT
                  iptables -A FORWARD -m state --state ESTABLISHED,RELATED -p TCP -s $IMAP_SRVR -d $INTERNAL_NETWORK \
                   --sport 143 --dport $UNPRIVPORTS -j ACCEPT
               fi

               if [ $VERBOSE -gt 0 ]; then
                  echo "firewall: Clients may access remote IMAP server: ${IMAP_SRVR}"
               fi
           done

        fi

        #
        # IMAP (143) - Hosting an IMAP server for remote clients
        #

        if [ $IMAP_SERVER -gt 0 ]; then
           for MY_IMAP_CLIENT in ${MY_IMAP_CLIENTS}; do

               iptables -A INPUT -i $EXTERNAL_INTERFACE -p TCP \
           --sport $UNPRIVPORTS --dport 143 -s $MY_IMAP_CLIENT -d $EXTERNAL_IP -j ACCEPT

                 iptables -A OUTPUT -o $EXTERNAL_INTERFACE -p TCP -m state --state ESTABLISHED,RELATED \
           --sport 143 --dport $UNPRIVPORTS -s $EXTERNAL_IP -d $MY_IMAP_CLIENTS -j ACCEPT

             if [ $VERBOSE -gt 0 ]; then
                  echo "firewall: Remote site ${MY_IMAP_CLIENT} may access local IMAP server"
             fi

           done
        fi

        #
        # IMAPS (993) - Retrieving Mail as an Secure IMAP client
        #

        if [ $IMAPS_CLIENT -gt 0 ]; then
           for IMAPS_SRVR in ${MY_IMAPS_SERVER}; do

               iptables -A OUTPUT -o $EXTERNAL_INTERFACE -p TCP \
           --sport $UNPRIVPORTS --dport 993 -s $EXTERNAL_IP -d $IMAPS_SRVR -j ACCEPT

               iptables -A INPUT -i $EXTERNAL_INTERFACE -p TCP -m state --state ESTABLISHED,RELATED \
           --sport 993 --dport $UNPRIVPORTS -s $IMAPS_SRVR -d $EXTERNAL_IP -j ACCEPT

               if [ $MASQUERADING -gt 0 ]; then
                  iptables -A FORWARD -p TCP -s $INTERNAL_NETWORK -d $IMAP_SRVR --sport $UNPRIVPORTS --dport 993 -j ACCEPT
                  iptables -A FORWARD -m state --state ESTABLISHED,RELATED -p TCP -s $IMAPS_SRVR -d $INTERNAL_NETWORK \
                   --sport 993 --dport $UNPRIVPORTS -j ACCEPT
               fi

               if [ $VERBOSE -gt 0 ]; then
                  echo "firewall: Clients may access remote Secure IMAP server: ${IMAPS_SRVR}"
               fi
           done

        fi

        #
        # IMAPS (993) - Hosting a Secure IMAP server for remote clients
        #

        if [ $IMAPS_SERVER -gt 0 ]; then
           for MY_IMAPS_CLIENT in ${MY_IMAPS_CLIENTS}; do

            iptables -A INPUT -i $EXTERNAL_INTERFACE -p TCP \
        --sport $UNPRIVPORTS --dport 993 -s $MY_IMAP_CLIENT -d $EXTERNAL_IP -j ACCEPT

            iptables -A OUTPUT -o $EXTERNAL_INTERFACE -p TCP -m state --state ESTABLISHED,RELATED \
        --sport 993 --dport $UNPRIVPORTS -s $EXTERNAL_IP -d $MY_IMAP_CLIENT -j ACCEPT

               if [ $VERBOSE -gt 0 ]; then
                    echo "firewall: Remote site ${MY_IMAPS_CLIENT} may access local Secure IMAP server"
               fi

           done
        fi

        #
        # NNTP (119) - Reading and posting news as a Usenet client
        #

        if [ $NNTP_CLIENT -gt 0 ]; then
           for NEWS_SRVR in ${NEWS_SERVER}; do
              iptables -A OUTPUT -o $EXTERNAL_INTERFACE -p TCP \
           --sport $UNPRIVPORTS --dport 119 -s $EXTERNAL_IP -d $NEWS_SRVR -j ACCEPT

              iptables -A INPUT -i $EXTERNAL_INTERFACE -p TCP -m state --state ESTABLISHED,RELATED \
           --sport 119 --dport $UNPRIVPORTS -s $NEWS_SRVR -d $EXTERNAL_IP -j ACCEPT

               if [ $MASQUERADING -gt 0 ]; then
                  iptables -A FORWARD -p TCP -s $INTERNAL_NETWORK -d $NEWS_SRVR --sport $UNPRIVPORTS --dport 119 -j ACCEPT
                  iptables -A FORWARD -m state --state ESTABLISHED,RELATED -p TCP -s $NEWS_SRVR -d $INTERNAL_NETWORK \
                   --sport 119 --dport $UNPRIVPORTS -j ACCEPT
               fi

               if [ $VERBOSE -gt 0 ]; then
                  echo "firewall: Clients may access remote NNTP server: ${NEWS_SRVR}"
               fi
           done
        fi

        #
        # NNTP (119) - Hosting a Usenet news server for remote clients
        #

        if [ $NNTP_SERVER -gt 0 ]; then
           for NNTP_CLIENT in ${MY_NNTP_CLIENTS}; do
              iptables -A INPUT -i $EXTERNAL_INTERFACE -p TCP \
           --sport $UNPRIVPORTS --dport 119 -s $NNTP_CLIENT -d $EXTERNAL_IP -j ACCEPT

              iptables -A OUTPUT -o $EXTERNAL_INTERFACE -p TCP -m state --state ESTABLISHED,RELATED \
           --sport 119 --dport $UNPRIVPORTS -s $EXTERNAL_IP -d $NNTP_CLIENT -j ACCEPT

              if [ $VERBOSE -gt 0 ]; then
                 echo "firewall: Remote client ${NNTP_CLIENT} may access local NNTP server"
              fi
           done
        fi

        #
        # NNTP (119) - Allowing peer news feeds for a local Usenet server
        #

        if [ $NNTP_NEWS_FEED -gt 0 ]; then

            iptables -A OUTPUT -o $EXTERNAL_INTERFACE -p TCP \
        --sport $UNPRIVPORTS --dport 119 -s $EXTERNAL_IP -d $MY_NEWS_FEED -j ACCEPT

            iptables -A INPUT -i $EXTERNAL_INTERFACE -p TCP -m state --state ESTABLISHED,RELATED \
        --sport 119 --dport $UNPRIVPORTS -s $MY_NEWS_FEED -d $EXTERNAL_IP -j ACCEPT

            if [ $VERBOSE -gt 0 ]; then
                echo "firewall: External NNTP News feed access enabled"
            fi

        fi

        #
        # Secure NNTP (563) - Reading and posting news as a Usenet client over SSL
        # Submitted by Renaud Colinet
        #

        if [ $NNTPS_CLIENT -gt 0 ]; then
           for SNEWS_SRVR in ${SNEWS_SERVER}; do 
              iptables -A OUTPUT -o $EXTERNAL_INTERFACE -p TCP \
           --sport $UNPRIVPORTS --dport 563 -s $EXTERNAL_IP -d $SNEWS_SRVR -j ACCEPT

              iptables -A INPUT -i $EXTERNAL_INTERFACE -p TCP -m state --state ESTABLISHED,RELATED \
           --sport 563 --dport $UNPRIVPORTS -s $SNEWS_SERVER -d $EXTERNAL_IP -j ACCEPT

              if [ $MASQUERADING -gt 0 ]; then
                 iptables -A FORWARD -p TCP -s $INTERNAL_NETWORK -d $SNEWS_SRVR --sport $UNPRIVPORTS --dport 563 -j ACCEPT
                 iptables -A FORWARD -m state --state ESTABLISHED,RELATED -p TCP -s $SNEWS_SRVR -d $INTERNAL_NETWORK \
                  --sport 563 --dport $UNPRIVPORTS -j ACCEPT
              fi

              if [ $VERBOSE -gt 0 ]; then
                 echo "firewall: Clients may access remote secure NNTP server: ${SNEWS_SRVR}"
              fi
           done
        fi

        #
        # TELNET (23) - Allowing outgoing client access to remote sites
        #

        if [ $TELNET_CLIENT -gt 0 ]; then

            iptables -A OUTPUT -o $EXTERNAL_INTERFACE -p TCP \
        --sport $UNPRIVPORTS --dport 23 -s $EXTERNAL_IP -d $ANYWHERE -j ACCEPT

            iptables -A INPUT -i $EXTERNAL_INTERFACE -p TCP -m state --state ESTABLISHED,RELATED \
        --sport 23 --dport $UNPRIVPORTS -s $ANYWHERE -d $EXTERNAL_IP -j ACCEPT

            if [ $MASQUERADING -gt 0 ]; then
               iptables -A FORWARD -p TCP -s $INTERNAL_NETWORK --sport $UNPRIVPORTS --dport 23 -j ACCEPT
               iptables -A FORWARD -m state --state ESTABLISHED,RELATED -p TCP -d $INTERNAL_NETWORK \
                --sport 23 --dport $UNPRIVPORTS -j ACCEPT
            fi

            if [ $VERBOSE -gt 0 ]; then
                echo "firewall: Clients may access remote TELNET servers"
            fi

        fi

        #
        # TELNET (23) - Allowing incoming access to your local server
        # Note:  Not recommended! Suggest SSH instead!
        #

        if [ $TELNET_SERVER -gt 0 ]; then
           for MY_TELNET_CLIENT in ${MY_TELNET_CLIENTS}; do

              iptables -A INPUT -i $EXTERNAL_INTERFACE -p TCP \
           --sport $UNPRIVPORTS --dport 23 -s $MY_TELNET_CLIENTS -d $EXTERNAL_IP -j ACCEPT

              iptables -A OUTPUT -o $EXTERNAL_INTERFACE -p TCP -m state --state ESTABLISHED,RELATED \
           --sport 23 --dport $UNPRIVPORTS -s $EXTERNAL_IP -d $MY_TELNET_CLIENTS -j ACCEPT

               if [ $VERBOSE -gt 0 ]; then
                  echo "firewall: Remote site ${MY_TELNET_CLIENT} may access local TELNET server"
               fi
           done

        fi

        #
        # SSH Client (22) - Allowing client access to remote SSH servers
        #

        if [ $SSH_CLIENT -gt 0 ]; then

            iptables -A OUTPUT -o $EXTERNAL_INTERFACE -p TCP \
        --sport $UNPRIVPORTS --dport 22 -s $EXTERNAL_IP -d $ANYWHERE -j ACCEPT

            iptables -A INPUT -i $EXTERNAL_INTERFACE -p TCP -m state --state ESTABLISHED,RELATED \
        --sport 22 --dport $UNPRIVPORTS -s $ANYWHERE -d $EXTERNAL_IP -j ACCEPT

            iptables -A OUTPUT -o $EXTERNAL_INTERFACE -p TCP \
        --sport $SSH_HI_PORTS --dport 22 -s $EXTERNAL_IP -d $ANYWHERE -j ACCEPT

            iptables -A INPUT -i $EXTERNAL_INTERFACE -p TCP -m state --state ESTABLISHED,RELATED \
        --sport 22 --dport $SSH_HI_PORTS -s $ANYWHERE -d $EXTERNAL_IP -j ACCEPT

            if [ $MASQUERADING -gt 0 ]; then
               iptables -A FORWARD -p TCP -s $INTERNAL_NETWORK --sport $UNPRIVPORTS --dport 22 -j ACCEPT
               iptables -A FORWARD -m state --state ESTABLISHED,RELATED -p TCP -d $INTERNAL_NETWORK \
                --sport 22 --dport $UNPRIVPORTS -j ACCEPT
               iptables -A FORWARD -p TCP -s $INTERNAL_NETWORK --sport $SSH_HI_PORTS --dport 22 -j ACCEPT
               iptables -A FORWARD -m state --state ESTABLISHED,RELATED -p TCP -d $INTERNAL_NETWORK \
                --sport 22 --dport $SSH_HI_PORTS -j ACCEPT
            fi

            if [ $VERBOSE -gt 0 ]; then
                echo "firewall: Clients may access remote SSH servers"
            fi

        fi

        #
        # SSH (see config) - Allowing remote client access to your local SSH server
        #

        if [ $SSH_SERVER -gt 0 ]; then
           for MY_SSH_CLIENT in ${MY_SSH_CLIENTS}; do

               iptables -A INPUT -i $EXTERNAL_INTERFACE -p TCP \
           --sport $UNPRIVPORTS --dport $SSH_PORT -s $MY_SSH_CLIENT -d $EXTERNAL_IP -j ACCEPT

               iptables -A OUTPUT -o $EXTERNAL_INTERFACE -p TCP -m state --state ESTABLISHED,RELATED \
           --sport $SSH_PORT --dport $UNPRIVPORTS -s $EXTERNAL_IP -d $MY_SSH_CLIENT -j ACCEPT

               iptables -A INPUT -i $EXTERNAL_INTERFACE -p TCP \
           --sport $SSH_HI_PORTS --dport $SSH_PORT -s $MY_SSH_CLIENT -d $EXTERNAL_IP -j ACCEPT

               iptables -A OUTPUT -o $EXTERNAL_INTERFACE -p TCP -m state --state ESTABLISHED,RELATED \
            --sport $SSH_PORT --dport $SSH_HI_PORTS -s $EXTERNAL_IP -d $MY_SSH_CLIENT -j ACCEPT

            if [ $VERBOSE -gt 0 ]; then
                echo "firewall: Remote site ${MY_SSH_CLIENT} may access local SSH server"
            fi
        done

        fi


        #
        # FTP (20, 21) - Allowing outgoing client access to remote FTP servers
        #

        if [ $FTP_CLIENT -gt 0 ]; then

            # Outgoing request

            iptables -A INPUT -i $EXTERNAL_INTERFACE -p TCP -m state --state ESTABLISHED,RELATED \
        --sport 21 --dport $UNPRIVPORTS -s $ANYWHERE -d $EXTERNAL_IP -j ACCEPT

            iptables -A OUTPUT -o $EXTERNAL_INTERFACE -p TCP -m state --state NEW,ESTABLISHED \
        --sport $UNPRIVPORTS --dport 21 -s $EXTERNAL_IP -d $ANYWHERE -j ACCEPT

            # Normal Port mode FTP data channels

            iptables -A INPUT -i $EXTERNAL_INTERFACE -p TCP -m state --state NEW \
        --sport 20 --dport $UNPRIVPORTS -s $ANYWHERE -d $EXTERNAL_IP -j ACCEPT

            iptables -A OUTPUT -o $EXTERNAL_INTERFACE -p TCP -m state --state ESTABLISHED,RELATED \
        --sport $UNPRIVPORTS --dport 20 -s $EXTERNAL_IP -d $ANYWHERE -j ACCEPT

            # Passive mode FTP data channels

            iptables -A INPUT -i $EXTERNAL_INTERFACE -p TCP -m state --state ESTABLISHED,RELATED \
        --sport $UNPRIVPORTS --dport $UNPRIVPORTS -s $ANYWHERE -d $EXTERNAL_IP -j ACCEPT

            iptables -A OUTPUT -o $EXTERNAL_INTERFACE -p TCP -m state --state NEW,ESTABLISHED \
        --sport $UNPRIVPORTS --dport $UNPRIVPORTS -s $EXTERNAL_IP -d $ANYWHERE -j ACCEPT

            if [ $MASQUERADING -gt 0 ]; then
               iptables -A FORWARD -p TCP -s $INTERNAL_NETWORK --sport $UNPRIVPORTS --dport 20:21 -j ACCEPT
               iptables -A FORWARD -p TCP -d $INTERNAL_NETWORK --sport 20:21 --dport $UNPRIVPORTS -j ACCEPT
               iptables -A FORWARD -p TCP -s $INTERNAL_NETWORK --sport $UNPRIVPORTS --dport $UNPRIVPORTS -j ACCEPT
               iptables -A FORWARD -p TCP -d $INTERNAL_NETWORK --sport $UNPRIVPORTS --dport $UNPRIVPORTS -j ACCEPT
            fi

            if [ $VERBOSE -gt 0 ]; then
                echo "firewall: Clients may access remote FTP servers"
            fi

        fi

        #
        # FTP (20, 21) - Allowing incoming access to your local FTP server
        #

      if [ $FTP_SERVER -gt 0 ]; then
         for MY_FTP_CLIENT in ${MY_FTP_CLIENTS}; do
            # Incoming request
          
               iptables -A INPUT -i $EXTERNAL_INTERFACE -p TCP -m state --state NEW,ESTABLISHED \
           --sport $UNPRIVPORTS --dport 21 -s $MY_FTP_CLIENT -d $EXTERNAL_IP -j ACCEPT
        
               iptables -A OUTPUT -o $EXTERNAL_INTERFACE -p TCP -m state --state ESTABLISHED,RELATED \
           --sport 21 --dport $UNPRIVPORTS -s $EXTERNAL_IP -d $MY_FTP_CLIENT -j ACCEPT
        
            # Normal Port mode FTP data channel responses
            
               iptables -A OUTPUT -o $EXTERNAL_INTERFACE -p TCP \
           --sport 20 --dport $UNPRIVPORTS -s $EXTERNAL_IP -d $MY_FTP_CLIENT -j ACCEPT
            
               iptables -A INPUT -i $EXTERNAL_INTERFACE -p TCP -m state --state ESTABLISHED,RELATED \
           --sport $UNPRIVPORTS --dport 20 -s $MY_FTP_CLIENT -d $EXTERNAL_IP -j ACCEPT
            
            # Passive mode FTP data channel responses
               
               iptables -A INPUT -i $EXTERNAL_INTERFACE -p TCP -m state --state NEW,ESTABLISHED \
           --sport $UNPRIVPORTS --dport $UNPRIVPORTS -s $MY_FTP_CLIENT -d $EXTERNAL_IP -j ACCEPT
            
               iptables -A OUTPUT -o $EXTERNAL_INTERFACE -p TCP -m state --state ESTABLISHED,RELATED \
           --sport $UNPRIVPORTS --dport $UNPRIVPORTS -s $EXTERNAL_IP -d $MY_FTP_CLIENT -j ACCEPT
            
             if [ $VERBOSE -gt 0 ]; then
                echo "firewall: Remote site ${MY_FTP_CLIENT} may access local FTP server"
             fi
           done
        fi


        #
        # HTTP (80) - Accessing remote web sites as a client
        #

        if [ $HTTP_CLIENT -gt 0 ]; then

            iptables -A OUTPUT -o $EXTERNAL_INTERFACE -p TCP \
        --sport $UNPRIVPORTS --dport 80 -s $EXTERNAL_IP -d $ANYWHERE -j ACCEPT

            iptables -A INPUT -i $EXTERNAL_INTERFACE -p TCP -m state --state ESTABLISHED,RELATED \
        --sport 80 --dport $UNPRIVPORTS -s $ANYWHERE -d $EXTERNAL_IP -j ACCEPT

            if [ $MASQUERADING -gt 0 ]; then
               iptables -A FORWARD -p TCP -s $INTERNAL_NETWORK --sport $UNPRIVPORTS --dport 80 -j ACCEPT
               iptables -A FORWARD -p TCP -d $INTERNAL_NETWORK --sport 80 --dport $UNPRIVPORTS -j ACCEPT
            fi

            if [ $VERBOSE -gt 0 ]; then
                echo "firewall: Clients may access remote HTTP servers"
            fi

        fi

        #
        # HTTP (80) - Allowing remote access to a local web server
        #

        if [ $HTTP_SERVER -gt 0 ]; then
           for HTTP_CLIENT in ${MY_HTTP_CLIENTS}; do
              iptables -A INPUT -i $EXTERNAL_INTERFACE -p TCP \
           --sport $UNPRIVPORTS --dport 80 -s $HTTP_CLIENT -d $EXTERNAL_IP -j ACCEPT

              iptables -A OUTPUT -o $EXTERNAL_INTERFACE -p TCP -m state --state ESTABLISHED,RELATED \
           --sport 80 --dport $UNPRIVPORTS -s $EXTERNAL_IP -d $HTTP_CLIENT -j ACCEPT

              iptables -A INPUT -i $EXTERNAL_INTERFACE -p TCP \
           --sport $UNPRIVPORTS --dport 8080 -s $HTTP_CLIENT -d $EXTERNAL_IP -j ACCEPT

              iptables -A OUTPUT -o $EXTERNAL_INTERFACE -p TCP -m state --state ESTABLISHED,RELATED \
           --sport 8080 --dport $UNPRIVPORTS -s $EXTERNAL_IP -d $HTTP_CLIENT -j ACCEPT

              if [ $VERBOSE -gt 0 ]; then
                 echo "firewall: Remote client ${HTTP_CLIENT} may access local HTTP server"
              fi
           done
        fi


        #
        # HTTPS (443) - Accessing remote web sites over SSL as a client
        #

        if [ $HTTPS_CLIENT -gt 0 ]; then        
            iptables -A OUTPUT -o $EXTERNAL_INTERFACE -p TCP \
        --sport $UNPRIVPORTS --dport 443 -s $EXTERNAL_IP -d $ANYWHERE -j ACCEPT

            iptables -A INPUT -i $EXTERNAL_INTERFACE -p TCP -m state --state ESTABLISHED,RELATED \
        --sport 443 --dport $UNPRIVPORTS -s $ANYWHERE -d $EXTERNAL_IP -j ACCEPT

            if [ $MASQUERADING -gt 0 ]; then
               iptables -A FORWARD -p TCP -s $INTERNAL_NETWORK --sport $UNPRIVPORTS --dport 443 -j ACCEPT
               iptables -A FORWARD -m state --state ESTABLISHED,RELATED -p TCP -d $INTERNAL_NETWORK \
                --sport 443 --dport $UNPRIVPORTS -j ACCEPT
            fi

            if [ $VERBOSE -gt 0 ]; then
                echo "firewall: Clients may access remote HTTPS servers"
            fi

        fi

        #
        # HTTPS (443) - Allowing remote access to a local SSL web server
        #

        if [ $HTTPS_SERVER -gt 0 ]; then
           for HTTPS_CLIENT in ${MY_HTTPS_CLIENTS}; do
              iptables -A INPUT -i $EXTERNAL_INTERFACE -p TCP \
           --sport $UNPRIVPORTS --dport 443 -s $HTTPS_CLIENT -d $EXTERNAL_IP -j ACCEPT

              iptables -A OUTPUT -o $EXTERNAL_INTERFACE -p TCP -m state --state ESTABLISHED,RELATED \
           --sport 443 --dport $UNPRIVPORTS -s $EXTERNAL_IP -d $HTTPS_CLIENT -j ACCEPT

              if [ $VERBOSE -gt 0 ]; then
                 echo "firewall: Remote client ${HTTPS_CLIENT} may access local HTTPS server"
              fi
           done
        fi

        #
        # HTTP Proxy Client (8008/8080)
        #

        if [ $HTTP_PROXY -gt 0 ]; then

            iptables -A OUTPUT -o $EXTERNAL_INTERFACE -p TCP \
        --sport $UNPRIVPORTS --dport $WEB_PROXY_PORT -s $EXTERNAL_IP -d $WEB_PROXY_SERVER -j ACCEPT

            iptables -A INPUT -i $EXTERNAL_INTERFACE -p TCP -m state --state ESTABLISHED,RELATED \
        --sport $WEB_PROXY_PORT --dport $UNPRIVPORTS -s $WEB_PROXY_SERVER -d $EXTERNAL_IP -j ACCEPT

            if [ $MASQUERADING -gt 0 ]; then
               iptables -A FORWARD -p TCP -s $INTERNAL_NETWORK --sport $UNPRIVPORTS --dport $WEB_PROXY_PORT -j ACCEPT
               iptables -A FORWARD -m state --state ESTABLISHED,RELATED -p TCP -d $INTERNAL_NETWORK \
                --sport $WEB_PROXY_PORT --dport $UNPRIVPORTS -j ACCEPT
            fi

            if [ $VERBOSE -gt 0 ]; then
                echo "firewall: Clients may access remote sites via HTTP Proxy Server"
            fi

        fi


        #
        # FINGER (79) - Accessing remote finger servers as a client
        #

        if [ $FINGER_CLIENT -gt 0 ]; then
            iptables -A OUTPUT -o $EXTERNAL_INTERFACE -p TCP \
        --sport $UNPRIVPORTS --dport 79 -s $EXTERNAL_IP -d $ANYWHERE -j ACCEPT

            iptables -A INPUT -i $EXTERNAL_INTERFACE -p TCP -m state --state ESTABLISHED,RELATED \
        --sport 79 --dport $UNPRIVPORTS -s $ANYWHERE -d $EXTERNAL_IP -j ACCEPT

            if [ $MASQUERADING -gt 0 ]; then
               iptables -A FORWARD -p TCP -s $INTERNAL_NETWORK --sport $UNPRIVPORTS --dport 79 -j ACCEPT
               iptables -A FORWARD -m state --state ESTABLISHED,RELATED -p TCP -d $INTERNAL_NETWORK \
                --sport 79 --dport $UNPRIVPORTS -j ACCEPT
            fi

            if [ $VERBOSE -gt 0 ]; then
                echo "firewall: Clients may access remote FINGER servers"
            fi

        fi

        #
        # FINGER (79) - Allowing remote client access to a local finger server (dangerous!)
        #

        if [ $FINGER_SERVER -gt 0 ]; then
           for FINGER_CLIENT in $MY_FINGER_CLIENTS}; do

              iptables -A INPUT -i $EXTERNAL_INTERFACE -p TCP \
           --sport $UNPRIVPORTS --dport 79 -s $FINGER_CLIENT -d $EXTERNAL_IP -j ACCEPT

              iptables -A OUTPUT -o $EXTERNAL_INTERFACE -p TCP -m state --state ESTABLISHED,RELATED \
           --sport 79 --dport $UNPRIVPORTS -s $EXTERNAL_IP -d $FINGER_CLIENT -j ACCEPT

              if [ $VERBOSE -gt 0 ]; then
                 echo "firewall: Remote client ${FINGER_CLIENT} may access local FINGER server"
              fi
           done
        fi

        #
        # WHOIS (43) - Accessing a remote WHOIS server as a client
        #

        if [ $WHOIS_CLIENT -gt 0 ]; then

            iptables -A OUTPUT -o $EXTERNAL_INTERFACE -p TCP \
        --sport $UNPRIVPORTS --dport 43 -s $EXTERNAL_IP -d $ANYWHERE -j ACCEPT

            iptables -A INPUT -i $EXTERNAL_INTERFACE -p TCP -m state --state ESTABLISHED,RELATED \
        --sport 43 --dport $UNPRIVPORTS -s $ANYWHERE -d $EXTERNAL_IP -j ACCEPT

            if [ $MASQUERADING -gt 0 ]; then
               iptables -A FORWARD -p TCP -s $INTERNAL_NETWORK --sport $UNPRIVPORTS --dport 43 -j ACCEPT
               iptables -A FORWARD -m state --state ESTABLISHED,RELATED -p TCP -d $INTERNAL_NETWORK \
                --sport 43 --dport $UNPRIVPORTS -j ACCEPT
            fi

            if [ $VERBOSE -gt 0 ]; then
                echo "firewall: Clients may access remote WHOIS servers"
            fi

        fi

        #
        # GOPHER (70) - Accessing a remote GOPHER server as a client
        #

        if [ $GOPHER_CLIENT -gt 0 ]; then

            iptables -A OUTPUT -o $EXTERNAL_INTERFACE -p TCP \
        --sport $UNPRIVPORTS --dport 70 -s $EXTERNAL_IP -d $ANYWHERE -j ACCEPT

            iptables -A INPUT -i $EXTERNAL_INTERFACE -p TCP -m state --state ESTABLISHED,RELATED \
        --sport 70 --dport $UNPRIVPORTS -s $ANYWHERE -d $EXTERNAL_IP -j ACCEPT

            if [ $MASQUERADING -gt 0 ]; then
               iptables -A FORWARD -p TCP -s $INTERNAL_NETWORK --sport $UNPRIVPORTS --dport 70 -j ACCEPT
               iptables -A FORWARD -m state --state ESTABLISHED,RELATED -p TCP -d $INTERNAL_NETWORK \
                --sport 70 --dport $UNPRIVPORTS -j ACCEPT
            fi

            if [ $VERBOSE -gt 0 ]; then
                echo "firewall: Clients may access remote GOPHER servers"
            fi

        fi

        #
        # WAIS (210) - Accessing a remote WAIS server as a client
        #

        if [ $WAIS_CLIENT -gt 0 ]; then

            iptables -A OUTPUT -o $EXTERNAL_INTERFACE -p TCP \
        --sport $UNPRIVPORTS --dport 210 -s $EXTERNAL_IP -d $ANYWHERE -j ACCEPT

            iptables -A INPUT -i $EXTERNAL_INTERFACE -p TCP -m state --state ESTABLISHED,RELATED \
        --sport 210 --dport $UNPRIVPORTS -s $ANYWHERE -d $EXTERNAL_IP -j ACCEPT

            if [ $MASQUERADING -gt 0 ]; then
               iptables -A FORWARD -p TCP -s $INTERNAL_NETWORK --sport $UNPRIVPORTS --dport 210 -j ACCEPT
               iptables -A FORWARD -m state --state ESTABLISHED,RELATED -p TCP -d $INTERNAL_NETWORK \
                --sport 210 --dport $UNPRIVPORTS -j ACCEPT
            fi

            if [ $VERBOSE -gt 0 ]; then
                echo "firewall: Clients may access remote WAIS servers"
            fi

        fi

        #
        # Real Video (554) - Real Video Client
        #

        if [ $RV_CLIENT -gt 0 ]; then
            iptables -A OUTPUT -o $EXTERNAL_INTERFACE -p TCP \
               --sport $UNPRIVPORTS --dport 554 -s $EXTERNAL_IP -d $ANYWHERE -j ACCEPT

            iptables -A INPUT -i $EXTERNAL_INTERFACE -p TCP \
               --sport 554 -s $ANYWHERE -d $EXTERNAL_IP -j ACCEPT

            if [ $MASQUERADING -gt 0 ]; then
               iptables -A FORWARD -p TCP -s $INTERNAL_NETWORK --sport $UNPRIVPORTS --dport 554 -j ACCEPT
               iptables -A FORWARD -m state --state ESTABLISHED,RELATED -p TCP -d $INTERNAL_NETWORK \
                --sport 554 --dport $UNPRIVPORTS -j ACCEPT
            fi

            if [ $VERBOSE -gt 0 ]; then
                echo "firewall: Real Video client enabled"
            fi
        fi

        #
        # PPTP (1723) - Accessing PPTP servers as a client
        #

        if [ $PPTP_CLIENT -gt 0 ]; then

            iptables -A OUTPUT -o $EXTERNAL_INTERFACE -p TCP \
                --sport $UNPRIVPORTS --dport 1723 \
                -s $EXTERNAL_IP -d $ANYWHERE -j ACCEPT

            iptables -A INPUT -i $EXTERNAL_INTERFACE -p TCP  \
                --sport 1723 --dport $UNPRIVPORTS \
                -s $ANYWHERE -d $EXTERNAL_IP \
                -m state --state ESTABLISHED,RELATED -j ACCEPT

            iptables -A INPUT -i $EXTERNAL_INTERFACE -p 47 -j ACCEPT
            iptables -A OUTPUT -o $EXTERNAL_INTERFACE -p 47 -j ACCEPT

            if [ $MASQUERADING -gt 0 ]; then
               iptables -A INPUT -i $INTERNAL_INTERFACE -p 47 -j ACCEPT
               iptables -A OUTPUT -o $INTERNAL_INTERFACE -p 47 -j ACCEPT

               iptables -A FORWARD -p TCP -s $INTERNAL_NETWORK \
                  --sport $UNPRIVPORTS --dport 1723 -j ACCEPT

               iptables -A FORWARD -p TCP -d $INTERNAL_NETWORK \
                  -m state --state ESTABLISHED,RELATED \
                  --sport 1723 --dport $UNPRIVPORTS -j ACCEPT

               iptables -A FORWARD -p 47 -s $INTERNAL_NETWORK -j ACCEPT
               iptables -A FORWARD -p 47 -d $INTERNAL_NETWORK -j ACCEPT

            fi

            if [ $VERBOSE -gt 0 ]; then
                echo "firewall: Clients may access remote PPTP servers"
            fi

        fi



        #
        # UDP - Accept only on selected ports
        #

        #
        # TRACEROUTE
        #
        # Traceroute usually uses -s 32769:65535 -d 33434:33523
        #

        if [ $OUTBOUND_TRACEROUTE -gt 0 ]; then

            # Enable outgoing TRACEROUTE requests

            iptables -A OUTPUT -o $EXTERNAL_INTERFACE -p UDP \
        --sport $TRACEROUTE_SRC_PORTS --dport $TRACEROUTE_DEST_PORTS \
        -s $EXTERNAL_IP -d $ANYWHERE -j ACCEPT

            if [ $MASQUERADING -gt 0 ]; then
               iptables -A FORWARD -p UDP -s $INTERNAL_NETWORK --sport $TRACEROUTE_SRC_PORTS \
                --dport $TRACEROUTE_DEST_PORTS -j ACCEPT
               iptables -A FORWARD -p UDP -d $INTERNAL_NETWORK --sport $TRACEROUTE_DEST_PORTS \
                --dport $TRACEROUTE_SRC_PORTS -j ACCEPT
            fi

            if [ $VERBOSE -gt 0 ]; then
                echo "firewall: Outbound TRACEROUTE enabled"
            fi

        fi

        if [ $INBOUND_TRACEROUTE -gt 0 ]; then

            # Enable incoming TRACEROUTE query

            iptables -A INPUT -i $EXTERNAL_INTERFACE -p UDP \
        --sport $TRACEROUTE_SRC_PORTS --dport $TRACEROUTE_DEST_PORTS \
        -s $ANYWHERE -d $EXTERNAL_IP -j ACCEPT

            if [ $MASQUERADING -gt 0 ]; then
               iptables -A FORWARD -p UDP -d $INTERNAL_NETWORK --sport $TRACEROUTE_SRC_PORTS \
                --dport $TRACEROUTE_DEST_PORTS -j ACCEPT
            fi

            if [ $VERBOSE -gt 0 ]; then
                echo "firewall: Inbound TRACEROUTE enabled"
            fi

        fi


        #
        # DHCP Server
        #
        # This assumes that you're running a DHCP server on your firewall to
        # supply IP addresses to your internal network using dhcpd.  See any
        # of several DHCP HowTo sites for the actual server setup.
        #

        if [ $DHCP_SERVER -gt 0 ]; then

            iptables -A INPUT -i $INTERNAL_INTERFACE -p udp -s $BROADCAST_SRC \
        -d $BROADCAST_DEST --sport 67:68 --dport 67:68 -j ACCEPT
            iptables -A OUTPUT -o $INTERNAL_INTERFACE -p udp -s $INTERNAL_IP \
        --sport 67:68 --dport 67:68 -j ACCEPT
            iptables -A FORWARD -p udp -s $INTERNAL_NETWORK --sport 67:68 --dport 67:68 -j ACCEPT
            iptables -A FORWARD -p udp -d $INTERNAL_NETWORK --sport 67:68 --dport 67:68 -j ACCEPT

           if [ $VERBOSE -gt 0 ]; then
                echo "firewall: DHCP Server enabled"
           fi

        fi


        #
        # NTP (123) - Accessing remote Network Time Servers
        #

        if [ $NTP_CLIENT -gt 0 ]; then

            iptables -A OUTPUT -o $EXTERNAL_INTERFACE -p UDP \
        --sport $UNPRIVPORTS --dport 123 -s $EXTERNAL_IP -d $ANYWHERE -j ACCEPT

            iptables -A INPUT -i $EXTERNAL_INTERFACE -p UDP \
        --sport 123 --dport $UNPRIVPORTS -s $ANYWHERE -d $EXTERNAL_IP -j ACCEPT

            iptables -A OUTPUT -o $EXTERNAL_INTERFACE -p UDP \
        --sport 123 --dport 123 -s $EXTERNAL_IP -d $ANYWHERE -j ACCEPT

            iptables -A INPUT -i $EXTERNAL_INTERFACE -p UDP \
        --sport 123 --dport 123 -s $ANYWHERE -d $EXTERNAL_IP -j ACCEPT

            if [ $MASQUERADING -gt 0 ]; then
               iptables -A FORWARD -p UDP -s $INTERNAL_NETWORK --sport $UNPRIVPORTS --dport 123 -j ACCEPT
               iptables -A FORWARD -p UDP -d $INTERNAL_NETWORK --sport 123 --dport $UNPRIVPORTS -j ACCEPT
               iptables -A FORWARD -p UDP -s $INTERNAL_NETWORK --sport 123 --dport 123 -j ACCEPT
               iptables -A FORWARD -p UDP -d $INTERNAL_NETWORK --sport 123 --dport 123 -j ACCEPT
            fi

            if [ $VERBOSE -gt 0 ]; then
                echo "firewall: NTP Client enabled"
            fi

        fi


        #
        # ICQ (4000) - The Miribilis ICQ Client
        #

        if [ $ICQ_CLIENT -gt 0 ]; then

            iptables -A OUTPUT -o $EXTERNAL_INTERFACE -p UDP \
        --sport $UNPRIVPORTS --dport 4000 -s $EXTERNAL_IP -d $ANYWHERE -j ACCEPT

            iptables -A INPUT -i $EXTERNAL_INTERFACE -p UDP \
        --sport 4000 --dport $UNPRIVPORTS -s $ANYWHERE -d $EXTERNAL_IP -j ACCEPT

            if [ $MASQUERADING -gt 0 ]; then
               iptables -A FORWARD -p UDP -s $INTERNAL_NETWORK --sport $UNPRIVPORTS --dport 4000 -j ACCEPT
               iptables -A FORWARD -p UDP -d $INTERNAL_NETWORK --sport 4000 --dport $UNPRIVPORTS -j ACCEPT
            fi

            if [ $VERBOSE -gt 0 ]; then
                echo "firewall: ICQ Client enabled"
            fi

        fi

        #
        # GAMES
        # Half-Life/CounterStrike
        #

        if [ $HALF_LIFE -gt 0 ]; then

            iptables -A OUTPUT -o $EXTERNAL_INTERFACE -p UDP \
        --sport 27000:27050 --dport $UNPRIVPORTS -s $EXTERNAL_IP -d $ANYWHERE -j ACCEPT

            iptables -A INPUT -i $EXTERNAL_INTERFACE -p UDP \
        -m state --state RELATED,ESTABLISHED,NEW --dport 27000:27050 -s $ANYWHERE \
        -d $EXTERNAL_IP -j ACCEPT

            if [ $MASQUERADING -gt 0 ]; then
               iptables -A FORWARD -p UDP -s $INTERNAL_NETWORK --sport 27000:27050 --dport $UNPRIVPORTS -j ACCEPT
               iptables -A FORWARD -p UDP -d $INTERNAL_NETWORK -m state --state RELATED,ESTABLISHED,NEW --dport 27000:27050 -j ACCEPT
            fi

            if [ $VERBOSE -gt 0 ]; then
                echo "firewall: Half-Life/CounterStrike game ports enabled"
            fi

        fi
        
        #
        # Return to Castle Wolfenstein
        #

        if [ $WOLF_CLIENT -gt 0 ]; then

            iptables  -A OUTPUT -o $EXTERNAL_INTERFACE -p UDP \
        --sport $UNPRIVPORTS --dport 27950:27965 -s $EXTERNAL_IP -d $ANYWHERE -j ACCEPT
            iptables  -A INPUT -i $EXTERNAL_INTERFACE -p UDP \
        --sport 27950:27965 --dport $UNPRIVPORTS -s $ANYWHERE -d $EXTERNAL_IP -j ACCEPT

            if [ $MASQUERADING -gt 0 ]; then
               iptables -A FORWARD -p UDP -s $INTERNAL_NETWORK --sport $UNPRIVPORTS --dport 27950:27965 -j ACCEPT
               iptables -A FORWARD -p UDP -d $INTERNAL_NETWORK --sport 27950:27965 --dport $UNPRIVPORTS -j ACCEPT
            fi

            if [ $VERBOSE -gt 0 ]; then
                echo "firewall: Castle Wolfenstein game ports enabled"
            fi
        fi


        # -------------------------------------------------------------

        #
        # Spoofing and Bad Addresses
        #

        # Refuse spoofed packets.
        # Ignore blatantly illegal source addresses.
        # Protect yourself from sending to bad addresses.

        # Refuse spoofed packets pretending to be from
        # the external interface's IP address.

        iptables -A INPUT -i $EXTERNAL_INTERFACE -s $EXTERNAL_IP -j LnD

        # Get first two octets of external IP address

        OCT1=$( ifconfig $EXTERNAL_INTERFACE | sed -n '2s/^.*inet addr:\([0-9][0-9]*\).*/\1/p' )
        OCT2=$( ifconfig $EXTERNAL_INTERFACE | sed -n '2s/^.*inet addr:\([0-9][0-9]*\.[0-9][0-9]*\).*/\1/p' )

        if [ ! $OCT1 = "10" ]; then

           # Refuse packets claiming to be to or from a Class-A private network.

           iptables -A INPUT -i $EXTERNAL_INTERFACE -s $CLASS_A -j LnD
           iptables -A INPUT -i $EXTERNAL_INTERFACE -d $CLASS_A -j LnD
           iptables -A OUTPUT -o $EXTERNAL_INTERFACE -s $CLASS_A -j LnD
           iptables -A OUTPUT -o $EXTERNAL_INTERFACE -d $CLASS_A -j LnD

        fi

        if [ ! $OCT2 = "172.16" ]; then

           # Refuse packets claiming to be to or from a Class-B private network.

           iptables -A INPUT -i $EXTERNAL_INTERFACE -s $CLASS_B -j LnD
           iptables -A INPUT -i $EXTERNAL_INTERFACE -d $CLASS_B -j LnD
           iptables -A OUTPUT -o $EXTERNAL_INTERFACE -s $CLASS_B -j LnD
           iptables -A OUTPUT -o $EXTERNAL_INTERFACE -d $CLASS_B -j LnD

        fi

        if [ ! $OCT2 = "192.168" ]; then

           # Refuse packets claiming to be to or from a Class-C private network.

           iptables -A INPUT -i $EXTERNAL_INTERFACE -s $CLASS_C -j LnD
           iptables -A INPUT -i $EXTERNAL_INTERFACE -d $CLASS_C -j LnD
           iptables -A OUTPUT -o $EXTERNAL_INTERFACE -s $CLASS_C -j LnD
           iptables -A OUTPUT -o $EXTERNAL_INTERFACE -d $CLASS_C -j LnD

        fi

        # Refuse packets claiming to be from the loopback.

        iptables -A INPUT -i $EXTERNAL_INTERFACE -s $LOOPBACK_NETWORK -j LnD
        iptables -A OUTPUT -o $EXTERNAL_INTERFACE -s $LOOPBACK_NETWORK -j LnD

        # Refuse malformed broadcast packets.

        iptables -A INPUT -i $EXTERNAL_INTERFACE -s $BROADCAST_DEST -j LnD
        iptables -A INPUT -i $EXTERNAL_INTERFACE -d $BROADCAST_SRC  -j LnD
        iptables -A OUTPUT -o $EXTERNAL_INTERFACE -s $BROADCAST_DEST -j LnD
        iptables -A OUTPUT -o $EXTERNAL_INTERFACE -d $BROADCAST_SRC  -j LnD

        # Refuse Class-D Multicast addresses.
        # Multicast is only illegal as a source address.
        # Multicast uses UDP.

        iptables -A INPUT -i $EXTERNAL_INTERFACE -s $CLASS_D_MULTICAST -j LnD
        iptables -A OUTPUT -o $EXTERNAL_INTERFACE -s $CLASS_D_MULTICAST -j LnR

        # Refuse Class-E reserved IP addresses.

        iptables -A INPUT -i $EXTERNAL_INTERFACE -s $CLASS_E_RESERVED_NET -j LnD
        iptables -A OUTPUT -o $EXTERNAL_INTERFACE -d $CLASS_E_RESERVED_NET -j LnR


        # -------------------------------------------------------------

        #
        # DROP (on input), REJECT (output) and LOG anything else on the external (red) interface
        #

        iptables -A INPUT -i $EXTERNAL_INTERFACE -p TCP \
            -s $ANYWHERE -j LnD

        iptables -A OUTPUT -o $EXTERNAL_INTERFACE -p TCP \
            -s $ANYWHERE -j LnR

        iptables -A INPUT -i $EXTERNAL_INTERFACE -p UDP \
            -s $ANYWHERE -j LnD

        iptables -A OUTPUT -o $EXTERNAL_INTERFACE -p UDP \
            -s $ANYWHERE -j LnR

        iptables -A INPUT -i $EXTERNAL_INTERFACE -p ICMP \
            -s $ANYWHERE -j LnD

        iptables -A OUTPUT -o $EXTERNAL_INTERFACE -p ICMP \
            -s $ANYWHERE -j LnR


        #
        # Masquerade internal traffic
        #

        if [ $MASQUERADING -gt 0 ]; then


            # All internal traffic is masqueraded externally

            iptables -t nat -A POSTROUTING -s $INTERNAL_NETWORK -o $EXTERNAL_INTERFACE -j SNAT \
            --to $EXTERNAL_IP

            # Note: some may find this works better on machines with non-static 
            # external IP addresses:
            # iptables -t nat -A POSTROUTING -o ethX -j MASQUERADE
 

            # Enable IP Forwarding
        
            echo 1 >/proc/sys/net/ipv4/ip_forward

            #
            # Unlimited traffic within the local network
            #

            # All internal machines have access to the firewall machine

            iptables -A INPUT -i $INTERNAL_INTERFACE -s $INTERNAL_NETWORK -j ACCEPT

            iptables -A OUTPUT -o $INTERNAL_INTERFACE -d $INTERNAL_NETWORK -j ACCEPT

            if [ $VERBOSE -gt 0 ]; then
                echo "firewall: Masquerading internal network"
            fi
        fi


        # -------------------------------------------------------------

        # Zero counts
        iptables -Z

        # -------------------------------------------------------------

        echo "done"
        touch /var/lock/subsys/firewall
        echo
        ;;

  status)
          if [ -f /var/lock/subsys/firewall ]; then
            echo "Firewall started and configured"
        else
            echo "Firewall stopped"
        fi
        exit 0
        ;;

  restart|reload)
        $0 stop
        $0 start
        ;;

  stop)
          echo "Shutting down Firewall services"

        # Turn off IP Forwarding
        echo 0 >/proc/sys/net/ipv4/ip_forward

        # Turn off dynamic IP hacking
              echo 0 > /proc/sys/net/ipv4/ip_dynaddr

        # Flush the rule chains
        iptables -F

        # Delete custom chains
        iptables -X

        # Zero counts
        iptables -Z

        # Set the default policy to DROP
        iptables -P INPUT DROP
        iptables -P OUTPUT DROP
        iptables -P FORWARD DROP

        # Allow unlimited traffic on the loopback interface
        iptables -A INPUT -i $LOOPBACK_INTERFACE -j ACCEPT
        iptables -A OUTPUT -o $LOOPBACK_INTERFACE -j ACCEPT

        # Open the configuration file
        if [ -f /etc/firewall/firewall.conf.iptables ]; then
            . /etc/firewall/firewall.conf.iptables

            if [ $MASQUERADING -gt 0 ]; then
                # Allow unlimited local traffic on the internal interface
                iptables -A INPUT -i $INTERNAL_INTERFACE -j ACCEPT
                iptables -A OUTPUT -o $INTERNAL_INTERFACE -j ACCEPT
            fi
        else
            echo "firewall: No configuration file found at /etc/firewall/firewall.conf.iptables"
            exit 1
        fi

        rm -f /var/lock/subsys/firewall
        echo
        ;;
  *)
        echo "Usage: /etc/rc.d/init.d/firewall.iptables {start|stop|status|restart|reload}"
        exit 1
esac

exit 0

Comments

comments