rc.firewall

#!/bin/sh

##################################################################
##################################################################
#
# Credits: 
# 
# I downloaded from: 
## Tony Perrie, tony@involution.com
#
#
#
#
#
# Apparently, he took it from:
## Obsid@sentry.net
## http://www.sentry.net/~obsid/
#
# And he took from:
## 10/20/2000
## The following was adapted from Jean-Sebastien Morisset's excellent IPChains
## firewall script, available at
## http://www.jsmoriss.dyndns.org/linux/rc.firewall
#
# Other resources:
## http://netfilter.kernelnotes.org/
## http://netfilter.kernelnotes.org/unreliable-guides/networking-concepts-HOWTO.html
## http://netfilter.kernelnotes.org/unreliable-guides/packet-filtering-HOWTO.html
## http://netfilter.kernelnotes.org/unreliable-guides/NAT-HOWTO.html
## http://metalab.unc.edu/pub/Linux/docs/howto/other-formats/html_single/Adv-Routing-HOWTO.html
#
##################################################################
# 
# Modified: 4 Sept 2002
# Massive editing to make things understandable and coherent
# Modified: 28 Mar 2006
# Removed Reserved Net as it is not useful
#
##################################################################
##################################################################

##################################################################
## Variables
##################################################################
IPTABLES="/sbin/iptables"
INTERNAL="eth1"			# Internal Interface
EXTERNAL="eth0"			# External Interface
LOOPBACK="lo"			# Loopback Interface
INTERNAL_NET="192.168.1.0/24"

# Determine my external IP address - not used but kept here
# in case I need to use it in the future
#EXT_IP="`/sbin/ifconfig $EXTERNAL | grep 'inet addr' | awk '{print $2}' | sed -e 's/.*://'`"

###############################################################################
## Kernel Configuration
###############################################################################

# - Disable IP Forwarding
# In case this script is re-run again and again - 
# especially if this is called from /sbin/ifup
  if [ -e /proc/sys/net/ipv4/ip_forward ]; then
    echo 0 > /proc/sys/net/ipv4/ip_forward
  else
    echo "Punt: /proc/sys/net/ipv4/ip_forward doesn't exist"
    exit 1
  fi

###############################################################################
## Init - flush everything
###############################################################################

## Attempt to Flush All Rules in Filter Table
$IPTABLES -F

## Flush Built-in Rules
$IPTABLES -F INPUT
$IPTABLES -F OUTPUT
$IPTABLES -F FORWARD

## Flush Rules/Delete User Chains in Mangle Table
$IPTABLES -F -t mangle
$IPTABLES -t mangle -X

## Delete all user-defined chains, reduces dumb warnings if you run
## this script more than once.
$IPTABLES -X

## Set Default Policies
$IPTABLES -P INPUT DROP		## Highly Recommended
$IPTABLES -P OUTPUT DROP
$IPTABLES -P FORWARD DROP

###############################################################################
## Special chain CHK_STATE to handle incoming, outgoing, and
## established connections.
###############################################################################

  $IPTABLES -N CHK_STATE
  $IPTABLES -F CHK_STATE

  ## DROP packets associated with an "INVALID" connection.
  $IPTABLES -A CHK_STATE -m state --state INVALID -j LOG --log-level 6 --log-prefix "INVALID state: " --log-tcp-options --log-ip-options
  $IPTABLES -A CHK_STATE -m state --state INVALID -j DROP

  ## ACCEPT certain packets which are starting a new connection or are
  ## related to an established connection.
  $IPTABLES -A CHK_STATE -m state --state RELATED,ESTABLISHED -j ACCEPT

  ## ACCEPT packets whose input interface is anything but the external 
  ## interface. We should not even care what state it is in.
  ## In fact, may this rule should not be here in the CHK_STATE chain.
  ##$IPTABLES -A CHK_STATE -i ! $EXTERNAL -m state --state NEW -j ACCEPT
  ##$IPTABLES -A CHK_STATE -i ! $EXTERNAL -j ACCEPT

###############################################################################
## Special chain CHK_FLAG that will DROP and log TCP packets with certain
## TCP flags set.
###############################################################################

  $IPTABLES -N CHK_FLAG
  $IPTABLES -F CHK_FLAG

  ## originally all limited to 5 a minute so that we don't clog logs
  ## I don't want to limit; all remaining limits removed
  ## leaving one line for reference only
  ## I will not DROP matched packets immediately so that there will be 
  ## duplicate logs when the catch all rule logs again

  # limit example
  #$IPTABLES -A CHK_FLAG -p tcp --tcp-flags ALL FIN,URG,PSH -m limit --limit 5/minute -j LOG --log-level 6 --log-prefix "NMAP-XMAS FIN+URG+PSH: "

  ## NMAP FIN/URG/PSH
  $IPTABLES -A CHK_FLAG -p tcp --tcp-flags ALL FIN,URG,PSH -j LOG --log-level 6 --log-ip-options --log-tcp-options --log-prefix "NMAP-XMAS FIN+URG+PSH: "
  $IPTABLES -A CHK_FLAG -p tcp --tcp-flags ALL FIN,URG,PSH -j DROP

  ## Xmas Tree
  $IPTABLES -A CHK_FLAG -p tcp --tcp-flags ALL ALL -j LOG --log-level 6 --log-ip-options --log-tcp-options --log-prefix "Merry XMAS: "
  $IPTABLES -A CHK_FLAG -p tcp --tcp-flags ALL ALL -j DROP

  ## Another Xmas Tree
  $IPTABLES -A CHK_FLAG -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j LOG --log-level 6 --log-ip-options --log-tcp-options --log-prefix "XMAS wo PSH: "
  $IPTABLES -A CHK_FLAG -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j DROP

  ## Null Scan(possibly)
  $IPTABLES -A CHK_FLAG -p tcp --tcp-flags ALL NONE -j LOG --log-level 6 --log-ip-options --log-tcp-options --log-prefix "NULL_SCAN: "
  $IPTABLES -A CHK_FLAG -p tcp --tcp-flags ALL NONE -j DROP

  ## SYN/RST
  $IPTABLES -A CHK_FLAG -p tcp --tcp-flags SYN,RST SYN,RST -j LOG --log-level 6 --log-ip-options --log-tcp-options --log-prefix "SYN+RST: "
  $IPTABLES -A CHK_FLAG -p tcp --tcp-flags SYN,RST SYN,RST -j DROP

  ## SYN/FIN -- Scan(possibly)
  $IPTABLES -A CHK_FLAG -p tcp --tcp-flags SYN,FIN SYN,FIN -j LOG --log-level 6 --log-ip-options --log-tcp-options --log-prefix "SYN+FIN: "
  $IPTABLES -A CHK_FLAG -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP

###############################################################################
## Special Chain BAD_PORT
## This chain will DROP/LOG packets based on port number.
## This chain should be used for incoming packets on the internal interface.
## I should not worry about nmap-ping some machine on the Internet, if
## that's what I needed to do - so outgoing port should be opened.
## 020920 : re-enabled
###############################################################################

  $IPTABLES -N BAD_PORT
  $IPTABLES -F BAD_PORT

  # 021006
  $IPTABLES -A BAD_PORT -p udp --sport ! 137 --dport 137 -j LOG --log-level 6 --log-prefix "NetBios UDP 137 scan: " --log-ip-options
  $IPTABLES -A BAD_PORT -p udp --sport ! 137 --dport 137 -j DROP

  # 020920
  # 021122 Drop these noise
  #$IPTABLES -A BAD_PORT -p udp --sport 137 --dport 137 -j LOG --log-level 6 --log-prefix "NetBios UDP 137 noise: " --log-ip-options
  $IPTABLES -A BAD_PORT -p udp --sport 137 --dport 137 -j DROP
  #$IPTABLES -A BAD_PORT -p udp --sport 138 --dport 138 -j LOG --log-level 6 --log-prefix "NetBios UDP 138 noise: " --log-ip-options
  $IPTABLES -A BAD_PORT -p udp --sport 138 --dport 138 -j DROP

  # 021006
  $IPTABLES -A BAD_PORT -p tcp --dport 139 -j LOG --log-level 6 --log-prefix "NetBios TCP 139: " --log-tcp-options --log-ip-options
  $IPTABLES -A BAD_PORT -p tcp --dport 139 -j DROP

  # 021006
  ##$IPTABLES -A BAD_PORT -p tcp --dport 9704 -j LOG --log-level 6 --log-prefix "rpc.statd shell (9704): " --log-tcp-options --log-ip-options
  ##$IPTABLES -A BAD_PORT -p tcp --dport 9704 -j DROP
  ##$IPTABLES -A BAD_PORT -p tcp --sport 9704 -j LOG --log-level 6 --log-prefix "rpc.statd? (sport 9704): " --log-tcp-options --log-ip-options
  ##$IPTABLES -A BAD_PORT -p tcp --sport 9704 -j DROP

  # 021006
  ##$IPTABLES -A BAD_PORT -p tcp --dport 20034 -j LOG --log-level 6 --log-prefix "NetBus Pro (20034): " --log-tcp-options --log-ip-options
  ##$IPTABLES -A BAD_PORT -p tcp --dport 20034 -j DROP

  ## 021006
  $IPTABLES -A BAD_PORT -p tcp --dport 12345:12346 -j LOG --log-level 6 --log-prefix "NetBus 12345 or 12346: " --log-tcp-options --log-ip-options
  $IPTABLES -A BAD_PORT -p tcp --dport 12345:12346 -j DROP

  # 021006
  ##$IPTABLES -A BAD_PORT -p tcp --dport 27665 -j LOG --log-level 6 --log-prefix "Trinoo (27665): " --log-tcp-options --log-ip-options
  ##$IPTABLES -A BAD_PORT -p tcp --dport 27665 -j DROP
  ##$IPTABLES -A BAD_PORT -p tcp --sport 27665 -j LOG --log-level 6 --log-prefix "Trinoo? (sport=27665): " --log-tcp-options --log-ip-options
  ##$IPTABLES -A BAD_PORT -p tcp --sport 27665 -j DROP

  # 021006
  ##$IPTABLES -A BAD_PORT -p udp --dport 27444 -j LOG --log-level 6 --log-prefix "Trinoo: " --log-ip-options
  ##$IPTABLES -A BAD_PORT -p udp --dport 27444 -j DROP
  ##$IPTABLES -A BAD_PORT -p udp --sport 27444 -j LOG --log-level 6 --log-prefix "Trinoo? (sport=27444): " --log-ip-options
  ##$IPTABLES -A BAD_PORT -p udp --sport 27444 -j DROP

  # 021006
  ##$IPTABLES -A BAD_PORT -p udp --dport 31335 -j LOG --log-level 6 --log-prefix "Trinoo: " --log-ip-options
  ##$IPTABLES -A BAD_PORT -p udp --dport 31335 -j DROP
  ##$IPTABLES -A BAD_PORT -p udp --sport 31335 -j LOG --log-level 6 --log-prefix "Trinoo? (sport=31335): " --log-ip-options
  ##$IPTABLES -A BAD_PORT -p udp --sport 31335 -j DROP

  # 021006
  ##$IPTABLES -A BAD_PORT -p tcp --dport 31337 -j LOG --log-level 6 --log-prefix "BackOrifice-TCP: " --log-tcp-options --log-ip-options
  ##$IPTABLES -A BAD_PORT -p tcp --dport 31337 -j DROP
  ##$IPTABLES -A BAD_PORT -p tcp --sport 31337 -j LOG --log-level 6 --log-prefix "BackOrifice? (sport=31337): " --log-tcp-options --log-ip-options
  ##$IPTABLES -A BAD_PORT -p tcp --sport 31337 -j DROP

  # 021006
  ##$IPTABLES -A BAD_PORT -p udp --dport 31337 -j LOG --log-level 6 --log-prefix "BackOrifice-UDP: " --log-ip-options
  ##$IPTABLES -A BAD_PORT -p udp --dport 31337 -j DROP
  ##$IPTABLES -A BAD_PORT -p udp --sport 31337 -j LOG --log-level 6 --log-prefix "BackOrifice? (sport=31337): " --log-ip-options
  ##$IPTABLES -A BAD_PORT -p udp --sport 31337 -j DROP

  # 020920
  $IPTABLES -A BAD_PORT -p tcp --dport 27374 -j LOG --log-level 6 --log-prefix "SubSeven (27374): " --log-tcp-options --log-ip-options
  $IPTABLES -A BAD_PORT -p tcp --dport 27374 -j DROP

  # 021006
  $IPTABLES -A BAD_PORT -p tcp -d 192.168.9  --dport 22 -j ACCEPT
  $IPTABLES -A BAD_PORT -p tcp -d 192.168.10 --dport 22 -j ACCEPT
  $IPTABLES -A BAD_PORT -p tcp --dport 22 -j LOG --log-level 6 --log-prefix "SSH (22): " --log-tcp-options --log-ip-options
  $IPTABLES -A BAD_PORT -p tcp --dport 22 -j DROP

  ## 021006
  ## Drop FIN ACK packets that are due to packet crossover 
  ## 021013 Remove the flags check
  #$IPTABLES -A BAD_PORT -i $EXTERNAL -o $INTERNAL -p tcp -d $INTERNAL_NET --sport 80 --tcp-flags ALL ACK,FIN -j LOG --log-level 6 --log-prefix "HTTP cross over: " --log-tcp-options --log-ip-options
  #$IPTABLES -A BAD_PORT -i $EXTERNAL -o $INTERNAL -p tcp -d $INTERNAL_NET --sport 80 --tcp-flags ALL ACK,FIN -j ACCEPT
  $IPTABLES -A BAD_PORT -i $EXTERNAL -o $INTERNAL -p tcp -d $INTERNAL_NET --sport 80 -j ACCEPT
  #$IPTABLES -A BAD_PORT -i $EXTERNAL -o $INTERNAL -p tcp -d $INTERNAL_NET --sport 443 --tcp-flags ALL ACK,FIN -j LOG --log-level 6 --log-prefix "HTTPS cross over: " --log-tcp-options --log-ip-options
  #$IPTABLES -A BAD_PORT -i $EXTERNAL -o $INTERNAL -p tcp -d $INTERNAL_NET --sport 443 --tcp-flags ALL ACK,FIN -j ACCEPT
  $IPTABLES -A BAD_PORT -i $EXTERNAL -o $INTERNAL -p tcp -d $INTERNAL_NET --sport 443 -j ACCEPT

  # 021006
  $IPTABLES -A BAD_PORT -p tcp --dport 80 -j LOG --log-level 6 --log-prefix "HTTP (80): " --log-tcp-options --log-ip-options
  $IPTABLES -A BAD_PORT -p tcp --dport 80 -j DROP

  # 021006
  $IPTABLES -A BAD_PORT -p tcp --dport 443 -j LOG --log-level 6 --log-prefix "SSL (443): " --log-tcp-options --log-ip-options
  $IPTABLES -A BAD_PORT -p tcp --dport 443 -j DROP

  # 020920
  $IPTABLES -A BAD_PORT -p tcp --dport 21 -j LOG --log-level 6 --log-prefix "FTP (21): " --log-tcp-options --log-ip-options
  $IPTABLES -A BAD_PORT -p tcp --dport 21 -j DROP

  # 020920
  $IPTABLES -A BAD_PORT -p udp --dport 53 -j LOG --log-level 6 --log-prefix "DNS (53): " --log-ip-options
  $IPTABLES -A BAD_PORT -p udp --dport 53 -j DROP

  # 020920
  $IPTABLES -A BAD_PORT -p tcp --dport 53 -j LOG --log-level 6 --log-prefix "DNS ZONE-TX (53): " --log-tcp-options --log-ip-options
  $IPTABLES -A BAD_PORT -p tcp --dport 53 -j DROP

  # 020920
  $IPTABLES -A BAD_PORT -p udp --dport 1433 -j LOG --log-level 6 --log-prefix "MS SQL Server (UDP 1433): " --log-ip-options
  $IPTABLES -A BAD_PORT -p udp --dport 1433 -j DROP

  # 020920
  $IPTABLES -A BAD_PORT -p tcp --dport 1433 -j LOG --log-level 6 --log-prefix "MS SQL Monitor (TCP 1433): " --log-tcp-options --log-ip-options
  $IPTABLES -A BAD_PORT -p tcp --dport 1433 -j DROP

  # 020920
  # 021006
  ##$IPTABLES -A BAD_PORT -p udp --sport 2301 --dport 2301 -d 255.255.255.255 -j LOG --log-level 6 --log-prefix "Compaq Insight Mgr (2301): " --log-ip-options
  ##$IPTABLES -A BAD_PORT -p udp --sport 2301 --dport 2301 -d 255.255.255.255 -j DROP

  # 020920
  # 021006
  ##$IPTABLES -A BAD_PORT -p udp --dport 1211 -j LOG --log-level 6 --log-prefix "Groove-DPP (1211): " --log-ip-options
  ##$IPTABLES -A BAD_PORT -p udp --dport 1211 -j DROP

  # 020920
  # 021006
  ##$IPTABLES -A BAD_PORT -p tcp --dport 3389  -j LOG --log-level 6 --log-prefix "Terminal Services (3389): " --log-tcp-options --log-ip-options
  ##$IPTABLES -A BAD_PORT -p tcp --dport 3389 -j DROP

###############################################################################
## Special Chain INV_SRC
## Rules to Provide Filtering Based on Source IP Address.
## Incoming packets on the External Interface should not have these
## Neither should Outgoing packets on the External Interface (unless I am
## spoofing). 
###############################################################################

  $IPTABLES -N INV_SRC
  $IPTABLES -F INV_SRC

  ## Class A Reserved
  $IPTABLES -A INV_SRC -s 10.0.0.0/8 -j LOG --log-level=6 --log-prefix "Class A SRC: " --log-tcp-options --log-ip-options
  $IPTABLES -A INV_SRC -s 10.0.0.0/8 -j DROP

  ## Class B Reserved
  $IPTABLES -A INV_SRC -s 172.16.0.0/12 -j LOG --log-level=6 --log-prefix "Class B SRC: " --log-tcp-options --log-ip-options
  $IPTABLES -A INV_SRC -s 172.16.0.0/12 -j DROP

  ## Class C Reserved
  ## Note: This one I am using
  $IPTABLES -A INV_SRC -s 192.168.0.0/16 -j LOG --log-level=6 --log-prefix "Class C SRC: " --log-tcp-options --log-ip-options
  $IPTABLES -A INV_SRC -s 192.168.0.0/16 -j DROP
  ##$IPTABLES -A INV_SRC -s 192.168.0.0/16 -j ACCEPT

  ## Class D Reserved: IPv4 Multicast
  $IPTABLES -A INV_SRC -s 224.0.0.0/4 -j LOG --log-level=6 --log-prefix "Class D SRC: " --log-tcp-options --log-ip-options
  $IPTABLES -A INV_SRC -s 224.0.0.0/4 -j DROP

  ## Class E Reserved
  $IPTABLES -A INV_SRC -s 240.0.0.0/4 -j LOG --log-level=6 --log-prefix "Class E SRC: " --log-tcp-options --log-ip-options
  $IPTABLES -A INV_SRC -s 240.0.0.0/4 -j DROP

###############################################################################
## Special Chain INV_DST
## Rules to Provide Filtering Based on Destination IP Address.
## Outgoing packets on the External interface should NOT have these
## Incoming packets on the External interface should NOT have these either
###############################################################################

  $IPTABLES -N INV_DST
  $IPTABLES -F INV_DST

  ## Class A Reserved
  $IPTABLES -A INV_DST -d 10.0.0.0/8 -j LOG --log-level=6 --log-prefix "Class A DEST: " --log-tcp-options --log-ip-options
  $IPTABLES -A INV_DST -d 10.0.0.0/8 -j DROP

  ## Class B Reserved
  $IPTABLES -A INV_DST -d 172.16.0.0/12 -j LOG --log-level=6 --log-prefix "Class B DEST: " --log-tcp-options --log-ip-options
  $IPTABLES -A INV_DST -d 172.16.0.0/12 -j DROP

  ## Class C Reserved
  ## Since I am using this, this rule will match all packets forwarded
  ## from External Interface to Internal Interface
  ## Therefore take it out here, and check for incoming packets on the
  ## External Interface with a target of Class C with a separate rule in
  ## the INPUT chain
  ##$IPTABLES -A INV_DST -d 192.168.0.0/16 -j LOG --log-level=6 --log-prefix "Class C DEST: " --log-tcp-options --log-ip-options
  ##$IPTABLES -A INV_DST -d 192.168.0.0/16 -j ACCEPT

  ## Class D Reserved: IPv4 Multicast
  $IPTABLES -A INV_DST -d 224.0.0.0/4 -j LOG --log-level=6 --log-prefix "Class D DEST: " --log-tcp-options --log-ip-options
  $IPTABLES -A INV_DST -d 224.0.0.0/4 -j DROP

  ## Class E Reserved
  $IPTABLES -A INV_DST -d 240.0.0.0/4 -j LOG --log-level=6 --log-prefix "Class E DEST: " --log-tcp-options --log-ip-options
  $IPTABLES -A INV_DST -d 240.0.0.0/4 -j DROP
   
###############################################################################
## Special Chain MANGLE_OUTPUT
## Mangle values of packets created locally.  
## This is not used, but kept for reference.
## Therefore, the chain is removed as well. 
###############################################################################

  ## TOS stuff: (type: iptables -m tos -h)
  ## Minimize-Delay 16 (0x10)
  ## Maximize-Throughput 8 (0x08)
  ## Maximize-Reliability 4 (0x04)
  ## Minimize-Cost 2 (0x02)
  ## Normal-Service 0 (0x00)

  ##----------------------------------------------------------------------##
  ##   - Most of these are the RFC 1060/1349 suggested TOS values
  ##   - To view mangle table, type: iptables -L -t mangle

  ##$IPTABLES -t mangle -N MANGLE_OUTPUT
  ##$IPTABLES -t mangle -F MANGLE_OUTPUT

  ##$IPTABLES -t mangle -A MANGLE_OUTPUT -p tcp --dport 20 -j TOS --set-tos 8
  ##$IPTABLES -t mangle -A MANGLE_OUTPUT -p tcp --dport 21 -j TOS --set-tos 16
  ##$IPTABLES -t mangle -A MANGLE_OUTPUT -p tcp --dport 22 -j TOS --set-tos 16
  ##$IPTABLES -t mangle -A MANGLE_OUTPUT -p tcp --dport 23 -j TOS --set-tos 16
  ##$IPTABLES -t mangle -A MANGLE_OUTPUT -p tcp --dport 25 -j TOS --set-tos 16
  ##$IPTABLES -t mangle -A MANGLE_OUTPUT -p tcp --dport 53 -j TOS --set-tos 16
  ##$IPTABLES -t mangle -A MANGLE_OUTPUT -p udp --dport 53 -j TOS --set-tos 16
  ##$IPTABLES -t mangle -A MANGLE_OUTPUT -p tcp --dport 80 -j TOS --set-tos 8

###############################################################################
## Special Chain MANGLE_PREROUTING
## Rules to mangle TOS values of packets routed through the firewall.  Only TOS
## values are mangled right now.
## Again, not used but kept for reference
###############################################################################

  ## TOS stuff: (type: iptables -m tos -h)
  ## Minimize-Delay 16 (0x10)
  ## Maximize-Throughput 8 (0x08)
  ## Maximize-Reliability 4 (0x04)
  ## Minimize-Cost 2 (0x02)
  ## Normal-Service 0 (0x00)

  ##$IPTABLES -t mangle -N MANGLE_PREROUTING
  ##$IPTABLES -t mangle -F MANGLE_PREROUTING

  ##$IPTABLES -t mangle -A MANGLE_PREROUTING -p tcp --dport 20 -j TOS --set-tos 8
  ##$IPTABLES -t mangle -A MANGLE_PREROUTING -p tcp --dport 21 -j TOS --set-tos 16
  ##$IPTABLES -t mangle -A MANGLE_PREROUTING -p tcp --dport 22 -j TOS --set-tos 16
  ##$IPTABLES -t mangle -A MANGLE_PREROUTING -p tcp --dport 23 -j TOS --set-tos 16
  ##$IPTABLES -t mangle -A MANGLE_PREROUTING -p tcp --dport 25 -j TOS --set-tos 16
  ##$IPTABLES -t mangle -A MANGLE_PREROUTING -p tcp --dport 53 -j TOS --set-tos 16
  ##$IPTABLES -t mangle -A MANGLE_PREROUTING -p udp --dport 53 -j TOS --set-tos 16
  ##$IPTABLES -t mangle -A MANGLE_PREROUTING -p tcp --dport 80 -j TOS --set-tos 8

###############################################################################
## Special Chain OK_IN_PT
## Rules to accept packets destined for the external interface based on port
## number.
## This should apply for incoming packets on the External interface. 
###############################################################################

  $IPTABLES -N OK_IN_PT
  $IPTABLES -F OK_IN_PT

  ## IPSec from ra-1.ubswarburg.com is allowed
  ## 020826
  $IPTABLES -A OK_IN_PT -i $EXTERNAL -s 151.191.175.7 -p udp --sport 500 --dport 500 -j LOG --log-level 6 --log-prefix "IPSec: " --log-tcp-options --log-ip-options
  $IPTABLES -A OK_IN_PT -i $EXTERNAL -s 151.191.175.7 -p udp --sport 500 --dport 500 -j ACCEPT

  ## SSH from external disallowed
  ## disallowed 010921
  ##$IPTABLES -A OK_IN_PT -i $EXTERNAL -p tcp --dport 22 -j LOG --log-level 6 --log-tcp-options --log-ip-options
  ## This should be  caught by the catch all rule anyway

  ## DHCP from optonline.net allowed
  # 021006: see /etc/dhcpcd/dhcpcd-eth0.info
  # 030313: removed all 10.x addresses as OUTPUT to them will fail anyway
  # 030314: changed back to ACCEPT
  $IPTABLES -A OK_IN_PT -i $EXTERNAL -s 10.141.64.1 -p udp --sport 67 --dport 68 -j ACCEPT
  ## 020904
  ## 030221 Seems to be irrelevant, but there are packets from 10.112.96.1
  ##$IPTABLES -A OK_IN_PT -i $EXTERNAL -s 10.112.96.1 -p udp --sport 67 --dport 68 -j LOG --log-level 6 --log-prefix "DHCP Svr 10.112.96.1: " --log-tcp-options --log-ip-options
  $IPTABLES -A OK_IN_PT -i $EXTERNAL -s 10.112.96.1 -p udp --sport 67 --dport 68 -j ACCEPT
  ##$IPTABLES -A OK_IN_PT -i $EXTERNAL -s 167.206.7.194 -p udp --sport 67 --dport 68 -j ACCEPT
  #$IPTABLES -A OK_IN_PT -i $EXTERNAL -p udp --sport 67 --dport 68 -j ACCEPT

  ## NTP from external allowed
  ## 020904
  ## 030221 Tested that NTP seems to work even with this turned off
  ##$IPTABLES -A OK_IN_PT -i $EXTERNAL -p udp --sport 123 --dport 123 -j ACCEPT
  ##$IPTABLES -A OK_IN_PT -i $EXTERNAL -p tcp --sport 123 --dport 123 -j ACCEPT

  ## SSH to 8888 from external allowed
  ## Disallowed 26 Feb 2002
  ## change of IP address means I have to update Graeme's machine
  $IPTABLES -A OK_IN_PT -i $EXTERNAL -p tcp --dport 8888 -j ACCEPT

  ## SSH to 9999 from external allowed
  ## disallowed 010921
  $IPTABLES -A OK_IN_PT -i $EXTERNAL -p tcp --dport 9999 -j ACCEPT
	
  ## SSH from internal allowed
  ## I should not apply this chain to internal packets
  ##$IPTABLES -A OK_IN_PT -i $INTERNAL -p tcp --dport 22 -j ACCEPT

  ## Removed AUTH
  ##$IPTABLES -A OK_IN_PT -i $EXTERNAL -p tcp --dport 113 -j ACCEPT

  ## Removed FTP 
  ##$IPTABLES -A OK_IN_PT -i $EXTERNAL -p tcp --dport 21 -j ACCEPT

  ## WWW - REMOVED HTTP
  ##$IPTABLES -A OK_IN_PT -i $EXTERNAL -p tcp --dport 80 -j ACCEPT

  ## REJECT port 113 ident requests.
  ##$IPTABLES -A OK_IN_PT -i $EXTERNAL -p tcp --dport 113 -j LOG --log-level=6 --log-tcp-options --log-ip-options

###############################################################################
## Firewall Input Chains
###############################################################################

  $IPTABLES -N EXT_IN
  $IPTABLES -F EXT_IN

  $IPTABLES -A EXT_IN -i $EXTERNAL -j CHK_STATE

  ##------------------------------------------------------------------------##
  ## Check TCP packets coming in on the external interface for wierd flags
  $IPTABLES -A EXT_IN -i $EXTERNAL -p tcp -j CHK_FLAG
  ##------------------------------------------------------------------------##

  ##------------------------------------------------------------------------##
  ## Filter incomming packets based on port number.
  ## 020912 : removed to make firewall rules more simplified
  ## 020920 : re-enabled
  $IPTABLES -A EXT_IN -i $EXTERNAL -j BAD_PORT
  ##------------------------------------------------------------------------##

  ##------------------------------------------------------------------------##
  ## Allow Packets On Certain External Ports
  $IPTABLES -A EXT_IN -i $EXTERNAL -j OK_IN_PT
  ##------------------------------------------------------------------------##

  ##------------------------------------------------------------------------##
  ## Filter out Reserved/Private IP addresses.
  ## Incoming SRC addresses should not be using these IP addresses
  $IPTABLES -A EXT_IN -i $EXTERNAL -j INV_SRC
  ##------------------------------------------------------------------------##

  ##------------------------------------------------------------------------##
  ## Filter out Reserved/Private IP addresses.
  ## Incoming DST addresses should not have these addresses either
  $IPTABLES -A EXT_IN -i $EXTERNAL -j INV_DST
  ##------------------------------------------------------------------------##

  ##------------------------------------------------------------------------##
  ## ICMP Stuff.  We're going to allow some ICMP.
  ##------------------------------------------------------------------------##

  ## Echo Reply (pong) - Allow as this means we ping'ed somebody
  $IPTABLES -A EXT_IN -i $EXTERNAL -p icmp --icmp-type 0 -j ACCEPT

  ## Destination Unreachable (blah)
  $IPTABLES -A EXT_IN -i $EXTERNAL -p icmp --icmp-type 3 -j ACCEPT

  ## Echo Request (ping) 
  ## LOG all pings, without limit ##
  # 021015
  # Just drop PINGs without logging, since dshield ignores them 
  ##$IPTABLES -A EXT_IN -i $EXTERNAL -p icmp --icmp-type 8 -j LOG --log-level 6 --log-prefix "PING: " --log-tcp-options --log-ip-options
  $IPTABLES -A EXT_IN -i $EXTERNAL -p icmp --icmp-type 8 -j DROP

###############################################################################
## New chain for input to the internal interface
###############################################################################

  $IPTABLES -N INT_IN
  $IPTABLES -F INT_IN

  ##------------------------------------------------------------------------##
  ## Check TCP packets coming in on the internal interface for wierd flags
  ## This is not necessary; so what if I am nmapping myself
  ##$IPTABLES -A INT_IN -i $INTERNAL -p tcp -j CHK_FLAG
  ##------------------------------------------------------------------------##

  ## LOG anything coming in from the internal interface without an internal IP
  ## This breaks DHCP!
  ## Removed 020906
  ##$IPTABLES -A INT_IN -i ! $EXTERNAL -s ! $INTERNAL_NET -d 0/0 -j LOG --log-level 6 --log-prefix "Martian: " --log-tcp-options --log-ip-options

  ## ACCEPT all traffic on the Internal interface
  $IPTABLES -A INT_IN -i $INTERNAL -j ACCEPT

###############################################################################
## New chain for input to the loopback interface
###############################################################################

  $IPTABLES -N LO-input
  $IPTABLES -F LO-input

  ## Accept all packets to the loopback interface
  $IPTABLES -A LO-input -i $LOOPBACK -j ACCEPT


###############################################################################
## Firewall Output Chains
###############################################################################

###############################################################################
## New chain for output on the external interface
###############################################################################

  $IPTABLES -N EXT_OUT
  $IPTABLES -F EXT_OUT

  ##------------------------------------------------------------------------##
  ## Filter out Reserved/Private IP addresses.
  $IPTABLES -A EXT_OUT -o $EXTERNAL -p all -j INV_SRC
  ##------------------------------------------------------------------------##

  ##------------------------------------------------------------------------##
  ## Filter out Reserved/Private IP addresses.
  $IPTABLES -A EXT_OUT -o $EXTERNAL -p all -j INV_DST
  ##------------------------------------------------------------------------##

  ##------------------------------------------------------------------------##
  ## Filter outgoing packets based on port number.
  ## Nope - I should be allowed to nmap any IP addresses
  ##$IPTABLES -A EXT_OUT -o $EXTERNAL -p tcp -j BAD_PORT
  ##------------------------------------------------------------------------##

  ## 021206 This should be here instead of EXT_IN
  ## TTL Exceeded (traceroute)
  $IPTABLES -A EXT_OUT -o $EXTERNAL -p icmp --icmp-type 11 -j LOG --log-level 6 --log-prefix "TRACEROUTE: " --log-tcp-options --log-ip-options
  $IPTABLES -A EXT_OUT -o $EXTERNAL -p icmp --icmp-type 11 -j DROP

  ## ACCEPT outgoing packets on the external interface
  $IPTABLES -A EXT_OUT -o $EXTERNAL -j ACCEPT

###############################################################################
## New chain for output across the internal interface
###############################################################################

  $IPTABLES -N INT_OUT
  $IPTABLES -F INT_OUT

  ## ACCEPT all outbound traffic across the internal interfaces
  $IPTABLES -A INT_OUT -o $INTERNAL -j CHK_STATE
  $IPTABLES -A INT_OUT -o $INTERNAL -d $INTERNAL_NET -j ACCEPT

###############################################################################
## New chain for output across the loopback device
###############################################################################

  $IPTABLES -N LO-output
  $IPTABLES -F LO-output

  ## ACCEPT all traffic across loopback device
  $IPTABLES -A LO-output -o $LOOPBACK -j ACCEPT

###############################################################################
## Main Stuff
###############################################################################

  ## INPUT chains.
  $IPTABLES -A INPUT -i $INTERNAL -j INT_IN
  $IPTABLES -A INPUT -i $LOOPBACK -j LO-input
  $IPTABLES -A INPUT -i $EXTERNAL -j EXT_IN
  $IPTABLES -A INPUT -d 192.168.0.0/16 -j LOG --log-level=6 --log-prefix "Class C DEST: " --log-tcp-options --log-ip-options
  $IPTABLES -A INPUT -d 192.168.0.0/16 -j DROP
  ##$IPTABLES -A INPUT -j CHK_STATE

  ## Sort of a Catch-all
  ##$IPTABLES -A INPUT -i $EXTERNAL -m state --state INVALID,NEW -j LOG --log-level 6 --log-ip-options --log-prefix "Catch all INPUT: "
  $IPTABLES -A INPUT -j LOG --log-level 6 --log-tcp-options --log-ip-options --log-prefix "Catch all INPUT: "

  ## OUTPUT chains.
  $IPTABLES -A OUTPUT -o $INTERNAL -j INT_OUT
  $IPTABLES -A OUTPUT -o $EXTERNAL -j EXT_OUT
  $IPTABLES -A OUTPUT -o $LOOPBACK -j LO-output
  #$IPTABLES -A OUTPUT -j CHK_STATE
  ## 020906
  ## The below is needed for DHCP to work on the internal interface
  $IPTABLES -A OUTPUT -o $INTERNAL -j ACCEPT
  $IPTABLES -A OUTPUT -j LOG --log-level 6 --log-prefix "Catch all OUTPUT: " --log-tcp-options --log-ip-options

  ## Jump to our FORWARD chains.
  #$IPTABLES -A FORWARD -i $EXTERNAL -j EXT_IN
  #$IPTABLES -A FORWARD -o $EXTERNAL -j EXT_OUT
  #$IPTABLES -A FORWARD -i $INTERNAL -j INT_IN
  #$IPTABLES -A FORWARD -o $INTERNAL -j INT_OUT
  #$IPTABLES -A FORWARD -j CHK_STATE
  $IPTABLES -A FORWARD -i $INTERNAL -o $EXTERNAL -j ACCEPT
  $IPTABLES -A FORWARD -i $EXTERNAL -o $INTERNAL -j EXT_IN
  $IPTABLES -A FORWARD -i $EXTERNAL -o $INTERNAL -d $INTERNAL_NET -j ACCEPT
  $IPTABLES -A FORWARD -j LOG --log-level 6 --log-prefix "Catch all FORWARD: " --log-tcp-options --log-ip-options

  ## Jump to mangle table rules
  ##$IPTABLES -t mangle -A OUTPUT -o $EXTERNAL -j MANGLE_OUTPUT
  ##$IPTABLES -t mangle -A PREROUTING -i $EXTERNAL -j MANGLE_PREROUTING

### END FIREWALL RULES ###

###############################################################################
## IPTABLES Network Address Translation(NAT) Rules
###############################################################################

## Flush the NAT table.
$IPTABLES -F -t nat

iptables -t nat -P PREROUTING ACCEPT
iptables -t nat -P POSTROUTING ACCEPT
iptables -t nat -A POSTROUTING -o $INTERNAL -s $INTERNAL_NET -j MASQUERADE

##------------------------------------------------------------------------##
## Destination NAT -- (DNAT)
##------------------------------------------------------------------------##

  ## "Redirect" packets headed for certain ports on our external interface 
  ## to other machines on the network. (Examples)

  ## Allowing IPSec from ra-1.stm.ubswarburg.com
  ## 020826
  ##$IPTABLES -t nat -A PREROUTING -i $EXTERNAL -s 151.191.175.7 -p udp --dport 500 --sport 500 -j DNAT --to 192.168.1.10

  ## SSH - to earth (192.168.1.9)
  $IPTABLES -t nat -A PREROUTING -i $EXTERNAL -p tcp --dport 9999 -j DNAT --to-destination 192.168.1.9:22

  ## SSH - to moon (192.168.1.10)
  $IPTABLES -t nat -A PREROUTING -i $EXTERNAL -p tcp --dport 8888 -j DNAT --to-destination 192.168.1.10:22

  ## WWW
  #$IPTABLES -t nat -A PREROUTING -i $EXTERNAL -p tcp -d $EXT_IP --dport 80 -j DNAT --to 192.168.1.10:80

  ## WWW - SSL
  #$IPTABLES -t nat -A PREROUTING -i $EXTERNAL -p tcp -d $EXT_IP --dport 443 -j DNAT --to 192.168.1.10:443

##------------------------------------------------------------------------##
## Source NAT -- (SNAT/Masquerading)
##------------------------------------------------------------------------##

  ## Source NAT allows us to "masquerade" our internal machines behind our
  ## firewall.

  ## Static IP address ##
  ## Change source address of outgoing packets on external
  ## interface to our IP address.
  ##$IPTABLES -t nat -A POSTROUTING -o $EXTERNAL -j SNAT --to-source $EXT_IP
 
  ## Dynamic IP address ##
  $IPTABLES -t nat -A POSTROUTING -o $EXTERNAL -j MASQUERADE

  ## Missing rule ##
  $IPTABLES -t nat -A POSTROUTING -s $INTERNAL_NET -j ACCEPT

### END NAT RULES ###

###############################################################################
## Additional Kernel Configuration
###############################################################################

## - Disable source routing of packets
  if [ -e /proc/sys/net/ipv4/conf/all/accept_source_route ]; then
  	for i in /proc/sys/net/ipv4/conf/*/accept_source_route; do
  		echo 0 > $i;
  	done
  fi

## - Enable rp_filter
## "Route verification is where a packet which comes from an unexpected
##  interface is dropped: for example, if your internal network has
##  addresses 10.1.1.0/24, and a packet with that source address comes in
##  your external interface, it will be dropped."
## - http://www.netfilter.org/documentation/HOWTO//packet-filtering-HOWTO.txt
  if [ -e /proc/sys/net/ipv4/conf/all/rp_filter ]; then
  	for i in /proc/sys/net/ipv4/conf/*/rp_filter; do
  		echo 1 > $i;
  	done
  fi

## - Ignore any broadcast icmp echo requests
  if [ -e /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts ]; then
  	echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
  fi

## - Log packets with impossible addresses to kernel log.
  if [ -e /proc/sys/net/ipv4/conf/all/log_martians ]; then
  	echo 1 > /proc/sys/net/ipv4/conf/all/log_martians
  fi

## - Don't accept ICMP redirects
## (You may only want to disable on the external interface)
  if [ -e /proc/sys/net/ipv4/conf/$EXTERNAL/accept_redirects ]; then
  	echo 0 > /proc/sys/net/ipv4/conf/$EXTERNAL/accept_redirects
  fi

## Additional options for dialup connections with a dynamic ip address
## See: linux/Documentation/networking/ip_dynaddr.txt
  if [ -e /proc/sys/net/ipv4/ip_dynaddr ]; then
  	echo 1 > /proc/sys/net/ipv4/ip_dynaddr
  fi

## - Enable IP Forwarding
  if [ -e /proc/sys/net/ipv4/ip_forward ]; then
  	echo 1 > /proc/sys/net/ipv4/ip_forward
  else
  	echo "Uh oh: /proc/sys/net/ipv4/ip_forward doesn't exist"
  	echo "(That may be a problem)"
  fi