From mboxrd@z Thu Jan 1 00:00:00 1970 From: "Lawrence G. Hunsicker" Subject: Forwarding and masquerading got broken Date: Tue, 02 Dec 2003 21:54:29 -0600 Sender: netfilter-admin@lists.netfilter.org Message-ID: <3FCD5E75.5020402@mchsi.com> Mime-Version: 1.0 Content-Type: multipart/mixed; boundary="------------040702050006010603040308" Return-path: Errors-To: netfilter-admin@lists.netfilter.org List-Help: List-Post: List-Subscribe: , List-Id: List-Unsubscribe: , List-Archive: To: netfilter@lists.netfilter.org This is a multi-part message in MIME format. --------------040702050006010603040308 Content-Type: text/plain; charset=us-ascii; format=flowed Content-Transfer-Encoding: 7bit Hi, folks: I have just used firestarter's wizard to allow access to my web server. This part of things worked correctly, but in the process my machine has stopped forwarding and masquerading traffic from machines inside my firewall to the outside world. All of the interfaces themselves work correctly. I.e., from inside machines I can ping my server and from the server I can see the outside world. But I can't see the outside world from the inside machines. Is there someone out there that can tell me what I have to do to get IP forwarding and masquerading working again? I have attached a copy of my firewall.sh file. Many thanks in advance for any help that you can give me. -- Lawrence G. 
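Hunsicker lhunsicker@mchsi.com
--------------040702050006010603040308
Content-Type: application/x-sh; name="firewall.sh"
Content-Transfer-Encoding: 7bit
Content-Disposition: inline; filename="firewall.sh"
#!/bin/sh
# Generated by Firestarter 0.8.2, NETFILTER in use
#
# NOTE(review): the file runs under /bin/sh but the External Lists section
# below uses bash's "source"; it only works where /bin/sh is bash - confirm.
#
# --------( Initial Setup - Variables (required) )--------
# Type of Service (TOS) parameters
# 8: Maximum Throughput - Minimum Delay
# 4: Minimize Delay - Maximize Reliability
# 16: No Delay - Moderate Throughput - High Reliability
# (not referenced anywhere in this file; presumably used by the sourced lists)
TOSOPT=8
# Default Packet Rejection Type
# ( do NOT change this here - set it in the GUI instead )
STOP=DENY
# --------( Initial Setup - Network Information (required) )--------
# IF is the external (Internet-facing) interface, INIF the internal LAN one.
# Masquerading, the bogon filters and the "trust the LAN" rules all depend on
# these two being the right way round.
IF=eth1
INIF=eth0
# Address and netmask are scraped from ifconfig's "inet addr:... Mask:..." line.
# Fix: match "inet addr" rather than "inet" so an "inet6 addr:" line on the
# same interface cannot add a second value to IP.  If nothing matches, IP/MASK
# are empty, NET becomes "/" and iptables rejects every rule that uses it.
IP=$(/sbin/ifconfig "$IF" | grep 'inet addr' | cut -d : -f 2 | cut -d ' ' -f 1)
MASK=$(/sbin/ifconfig "$IF" | grep Mas | cut -d : -f 4)
NET=$IP/$MASK
INIP=$(/sbin/ifconfig "$INIF" | grep 'inet addr' | cut -d : -f 2 | cut -d ' ' -f 1)
INMASK=$(/sbin/ifconfig "$INIF" | grep Mas | cut -d : -f 4)
INNET=$INIP/$INMASK
# --------( Initial Setup - Firewall Location Check )--------
IPT=/sbin/iptables
MPB=/sbin/modprobe
LSM=/sbin/lsmod
RMM=/sbin/rmmod
# --------( Initial Setup - Firewall Modules Check )--------
# Some distributions still load ipchains; it cannot coexist with iptables.
"$LSM" | grep ipchains -q -s && "$RMM" ipchains
# --------( Initial Setup - Firewall Modules Autoloader )--------
# Load a netfilter module unless lsmod already lists it.
# $1 - module name.  The test is a plain substring match, as in the original,
# so e.g. "ip_conntrack" is also satisfied by an already loaded ip_conntrack_ftp.
load_module() {
  if ! "$LSM" | /bin/grep "$1" > /dev/null; then
    "$MPB" "$1"
  fi
}
for mod in ip_conntrack ip_conntrack_ftp ip_conntrack_irc ipt_REJECT \
  ipt_REDIRECT ipt_TOS ipt_MASQUERADE ipt_LOG iptable_mangle iptable_nat; do
  load_module "$mod"
done
# --------( Chain Configuration - Flush Existing Chains )--------
# Delete user made chains. Flush and zero the chains.
"$IPT" -F
"$IPT" -X
"$IPT" -Z
# --------( Chain Configuration - Delete Extinct Chains )--------
# Flush the `nat' and `mangle' tables when their modules are present.
if "$LSM" | /bin/grep iptable_mangle > /dev/null; then
  "$IPT" -t mangle -F
fi
if "$LSM" | /bin/grep iptable_nat > /dev/null; then
  "$IPT" -t nat -F
fi
# --------( Chain Configuration - Create Default Result Chains )--------
# Create a new log and drop (LD) convenience chain.  -N may fail when the
# chain survived a previous run, hence the silenced stderr; -F then empties it.
# NOTE(review): the LOG rule is not rate limited, so a flood of rejected
# packets becomes a flood of kernel log lines.
"$IPT" -N LD 2> /dev/null
"$IPT" -F LD
"$IPT" -A LD -j LOG
"$IPT" -A LD -j DROP
STOP=LD
# --------( Chain Configuration - Create Default Traffic Chains )--------
# Create a new 'unclean module check' (UNCLEAN) convenience chain.
"$IPT" -N UNCLEAN 2> /dev/null
"$IPT" -F UNCLEAN
"$IPT" -A UNCLEAN -j "$STOP"
# Create a new 'stateful module check' (STATE) convenience chain.
# NOTE(review): the second rule accepts *any* NEW connection that did not
# arrive on loopback, so a chain that jumps to STATE (the TCP high-port rule
# later in this file) accepts unsolicited connections from anywhere.  If that
# is not intended, remove the NEW rule and let such packets fall to $STOP.
"$IPT" -N STATE 2> /dev/null
"$IPT" -F STATE
"$IPT" -I STATE -m state --state ESTABLISHED,RELATED -j ACCEPT
"$IPT" -A STATE -m state --state NEW -i ! lo -j ACCEPT
"$IPT" -A STATE -j "$STOP"
# Create a new 'sanity (check, mark and fwd) check' (SANITY) convenience chain.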
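$IPT -N SANITY 2> /dev/null
$IPT -F SANITY
$IPT -A SANITY -j $STOP
# --------( Chain Configuration - Set Default Chain Policy )--------
# Default-deny on INPUT and OUTPUT.  FORWARD gets its policy in the
# Masquerading section further down.
$IPT -P INPUT DROP
$IPT -P OUTPUT DROP
# --------( Initial Setup - External Lists )--------
# Site-specific rule fragments maintained by the GUI, read into this shell
# with "." (the POSIX spelling of bash's "source") in this fixed order:
#   allow-all              - allow all traffic from these machines
#   allow-service-machine  - allow a specific service to a specific machine
#   allow-service-all      - allow a specific service to everyone
#   portfw                 - port forwarding rules
#   deny-all               - deny all traffic from these machines
#   block-ports            - deny all traffic on these ports, without logging
# NOTE(review): anything that can write to /etc/firestarter/ runs as root here.
for list in allow-all allow-service-machine allow-service-all portfw \
  deny-all block-ports; do
  if [ -e "/etc/firestarter/$list" ]; then
    . "/etc/firestarter/$list"
  fi
done
# --------( Sysctl Tuning - Recommended Parameters )--------
# Write value $2 to the /proc/sys entry $1 if the entry exists on this kernel;
# entries the kernel does not have are skipped silently, as in the original.
set_sysctl() {
  if [ -e "$1" ]; then
    echo "$2" > "$1"
  fi
}
# Turn off IP forwarding by default
# (this will be enabled if you require masquerading)
set_sysctl /proc/sys/net/ipv4/ip_forward 0
# Log 'odd' IP addresses (excludes 0.0.0.0 & 255.255.255.255)
set_sysctl /proc/sys/net/ipv4/conf/all/log_martians 1
# --------( Sysctl Tuning - TCP Parameters )--------
# Turn off TCP Timestamping in kernel
set_sysctl /proc/sys/net/ipv4/tcp_timestamps 0
# Set TCP Re-Ordering value in kernel to '5'
set_sysctl /proc/sys/net/ipv4/tcp_reordering 5
# Turn off TCP selective acknowledgement (SACK) in kernel
set_sysctl /proc/sys/net/ipv4/tcp_sack 0
# Turn off TCP Window Scaling in kernel
set_sysctl /proc/sys/net/ipv4/tcp_window_scaling 0
# Set Keepalive time to 1800 s (30 minutes; the original comment said 30 seconds)
set_sysctl /proc/sys/net/ipv4/tcp_keepalive_time 1800
# Set FIN timeout to 1800 s (the original comment said 30 seconds)
# NOTE(review): holding FIN-WAIT-2 sockets for 30 minutes ties up resources
# far longer than the kernel default - confirm the value is intended.
set_sysctl /proc/sys/net/ipv4/tcp_fin_timeout 1800
# Set TCP retry count to 3
set_sysctl /proc/sys/net/ipv4/tcp_retries1 3
# Turn off ECN notification in kernel
set_sysctl /proc/sys/net/ipv4/tcp_ecn 0
# --------( Sysctl Tuning - SYN Parameters )--------
# Turn on SYN cookies protection in kernel
set_sysctl /proc/sys/net/ipv4/tcp_syncookies 1
# Set SYN ACK retry attempts to '3'
set_sysctl /proc/sys/net/ipv4/tcp_synack_retries 3
# Set SYN backlog buffer to '64'
set_sysctl /proc/sys/net/ipv4/tcp_max_syn_backlog 64
# Set SYN retry attempts to '6'
set_sysctl /proc/sys/net/ipv4/tcp_syn_retries 6
# --------( Sysctl Tuning - Routing / Redirection Parameters )--------
# Turn on source address verification in kernel, on every interface
if [ -e /proc/sys/net/ipv4/conf/all/rp_filter ]; then
  for f in /proc/sys/net/ipv4/conf/*/rp_filter; do
    echo 1 > "$f"
  done
fi
# Turn off source routes in kernel, on every interface
if [ -e /proc/sys/net/ipv4/conf/all/accept_source_route ]; then
  for f in /proc/sys/net/ipv4/conf/*/accept_source_route; do
    echo 0 > "$f"
  done
fi
# Do not respond to 'redirected' packets
# NOTE(review): the three entries below are addressed at the top of
# /proc/sys/net/ipv4/; on the kernels I know they live per interface under
# conf/*/, so the existence check probably skips these writes.  Also, per the
# kernel's ip-sysctl documentation, secure_redirects=0 *relaxes* which
# gateways' redirects are honoured; accept_redirects=0 is the knob that
# refuses them - confirm.
set_sysctl /proc/sys/net/ipv4/secure_redirects 0
# Do not reply to 'redirected' packets if requested
set_sysctl /proc/sys/net/ipv4/send_redirects 0
# Do not reply to 'proxyarp' packets
set_sysctl /proc/sys/net/ipv4/proxy_arp 0
# Set FIB model to be RFC1812 Compliant
# (certain policy based routers may break with this - if you find
# that you can't access certain hosts on your network - please set
# this option to '0' - which is the default)
set_sysctl /proc/sys/net/ipv4/ip_fib_model 2
# --------( Sysctl Tuning - ICMP/IGMP Parameters )--------
# ICMP Dead Error Messages protection
set_sysctl /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses 1
# ICMP Broadcasting protection
set_sysctl /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts 1
# IGMP Membership 'overflow' protection
# (if you are planning on running your box as a router - you should either
# set this option to a number greater than 5, or disable this protection
# altogether by commenting out this option)
set_sysctl /proc/sys/net/ipv4/igmp_max_memberships 1
# --------( Sysctl Tuning - Miscellaneous Parameters )--------
# Set TTL to '64' hops
# (If you are running a masqueraded network, or use policy-based
# routing - you may want to increase this value depending on the load
# on your link.)
# NOTE(review): on the kernels I know ip_default_ttl is a single entry
# directly under /proc/sys/net/ipv4/, not a per-interface one, so the guard
# below is likely never true and this block a no-op - confirm.
if [ -e /proc/sys/net/ipv4/conf/all/ip_default_ttl ]; then
  for f in /proc/sys/net/ipv4/conf/*/ip_default_ttl; do
    echo 64 > "$f"
  done
fi
# Always defragment incoming packets
# (Some cable modems [ Optus @home ] will suffer intermittent connection
# dropouts with this setting. If you experience problems, set this to '0')
set_sysctl /proc/sys/net/ipv4/ip_always_defrag 1
# Keep packet fragments in memory for 8 seconds
# (Note - this option has no effect if you turn packet defragmentation
# (above) off!)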
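if [ -e /proc/sys/net/ipv4/ipfrag_time ]; then
  echo 8 > /proc/sys/net/ipv4/ipfrag_time
fi
# Do not reply to Address Mask Notification Warnings
# (If you are using your machine as a DMZ router or a PPP dialin server
# that relies on proxy_arp requests to provide addresses to its clients
# you may wish to disable this option by setting the value to '1')
if [ -e /proc/sys/net/ipv4/ip_addrmask_agent ]; then
  echo 0 > /proc/sys/net/ipv4/ip_addrmask_agent
fi
# Turn off dynamic TCP/IP address hacking
# (Some broken PPPoE clients have issues when this is disabled
# If you experience problems with DSL or Cable providers, set this to '1')
if [ -e /proc/sys/net/ipv4/ip_dynaddr ]; then
  echo 0 > /proc/sys/net/ipv4/ip_dynaddr
fi
# --------( Sysctl Tuning - IPTables Specific Parameters )--------
# Doubling current limit for ip_conntrack
if [ -e /proc/sys/net/ipv4/ip_conntrack_max ]; then
  echo 16384 > /proc/sys/net/ipv4/ip_conntrack_max
fi
# --------( Rules Configuration - Specific Rule - Loopback Interfaces )--------
# Allow all traffic on the loopback interface
$IPT -t filter -A INPUT -i lo -s 0/0 -d 0/0 -j ACCEPT
$IPT -t filter -A OUTPUT -o lo -s 0/0 -d 0/0 -j ACCEPT
# --------( Rules Configuration - ICMP - Default Ruleset )--------
# Allowing all ICMP, rate limited: ICMP above 1/s falls through to the rules
# below and ends in the catch-all $STOP.
$IPT -t filter -A INPUT -p icmp -s 0/0 -d $NET -m limit --limit 1/s -j ACCEPT
# --------( Rules Configuration - Masquerading )--------
# --------( Rules Configuration - Masquerading - Firewall Modules Autoloader )--------
for mod in ip_nat_ftp ip_nat_irc; do
  if ! $LSM | /bin/grep "$mod" > /dev/null; then
    $MPB "$mod"
  fi
done
# --------( Rules Configuration - Masquerading - Sysctl Modifications )--------
# Turn on IP forwarding (switched off in the Recommended Parameters section;
# the FORWARD/MASQUERADE rules below need it on)
if [ -e /proc/sys/net/ipv4/ip_forward ]; then
  echo 1 > /proc/sys/net/ipv4/ip_forward
fi
# --------( Rules Configuration - Masquerading - Default Policy )--------
# Setting forward (masquerading) policy to DENY
$IPT -t filter -P FORWARD DROP
# --------( Rules Configuration - Masquerading - Default Ruleset )--------
# TCPMSS Fix - Needed for *many* broken PPPO{A/E} clients
$IPT -I FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
# --------( Rules Configuration - Forwarded Traffic - Block Traffic w/ Incorrect Flags )--------
# Inserted at the head of FORWARD, i.e. ahead of the TCPMSS rule.
# NOTE(review): the unclean match is a heuristic (marked experimental in the
# iptables of this era).  If forwarded traffic goes missing, LD hits from this
# rule in the kernel log are the first thing to check.
$IPT -t filter -I FORWARD -m unclean -j UNCLEAN
# --------( Rules Configuration - Forwarded Traffic - Block Traffic w/ Invalid Flags )--------
# NOTE(review): despite the "Forwarded Traffic" headings, this rule and the
# fragment rule below are appended to INPUT, not FORWARD, and both are added
# again verbatim in the Inbound Traffic section; FORWARD gets neither check.
$IPT -t filter -A INPUT -m state --state INVALID -j $STOP
# --------( Rules Configuration - Forwarded Traffic - Block Traffic w/ Excessive Fragmented Packets )--------
# NOTE(review): the limit applies to the $STOP action, so the first 10
# fragments per minute are dropped and anything above that rate falls through
# to the later rules - the opposite of what the heading suggests.  Confirm
# which behaviour is wanted before changing it.
$IPT -t filter -A INPUT -f -m limit --limit 10/minute -j $STOP
# Forward Int/Ext & Ext/Int Traffic before Masquerading
$IPT -t filter -A FORWARD -d 0/0 -s $INNET -o $IF -j ACCEPT
$IPT -t filter -A FORWARD -d $INNET -j ACCEPT
# Masquerade outgoing traffic
$IPT -t nat -A POSTROUTING -o $IF -j MASQUERADE
# Don't masq external interface traffic
# (the MASQUERADE rule above already took everything leaving via $IF, so this
# rule is only reached by packets leaving through other interfaces)
$IPT -t nat -A POSTROUTING -s $NET -d 0/0 -j ACCEPT
# Allow traffic from internal network going anywhere
# NOTE(review): these match on source address only, with no "-i $INIF"; a
# packet arriving on $IF with a spoofed internal source is accepted here.
# rp_filter=1 (set earlier) is what stands in the way - keep it on, or add -i.
$IPT -t filter -A INPUT -s $INNET -d 0/0 -j ACCEPT
$IPT -t filter -A OUTPUT -s $INNET -d 0/0 -j ACCEPT
$IPT -t filter -A OUTPUT -p icmp -s $INNET -d 0/0 -j ACCEPT
# --------( Rules Configuration - Inbound Traffic - Block Traffic w/ Incorrect Flags )--------
# Inserted at the head of INPUT, ahead of everything appended so far.
$IPT -t filter -I INPUT -i $IF -m unclean -j UNCLEAN
# --------( Rules Configuration - Inbound Traffic - Block nonroutable IP Addresses )--------
# Block nonroutable IPs
# NOTE(review): this is a static "bogon" list as of 2003.  Address space is
# allocated over time, so a list like this silently blocks legitimate hosts
# unless it is refreshed; review it against current allocations or drop it.
for bogon in 1.0.0.0/8 2.0.0.0/8 5.0.0.0/8 7.0.0.0/8 23.0.0.0/8 27.0.0.0/8 \
  31.0.0.0/8 36.0.0.0/8 37.0.0.0/8 39.0.0.0/8 41.0.0.0/8 42.0.0.0/8 \
  58.0.0.0/8 59.0.0.0/8 60.0.0.0/8 69.0.0.0/8 70.0.0.0/8 71.0.0.0/8 \
  72.0.0.0/8 73.0.0.0/8 74.0.0.0/8 75.0.0.0/8 76.0.0.0/8 77.0.0.0/8 \
  78.0.0.0/8 79.0.0.0/8 82.0.0.0/8 83.0.0.0/8 84.0.0.0/8 85.0.0.0/8 \
  86.0.0.0/8 87.0.0.0/8 88.0.0.0/8 89.0.0.0/8 90.0.0.0/8 91.0.0.0/8 \
  92.0.0.0/8 93.0.0.0/8 94.0.0.0/8 95.0.0.0/8 96.0.0.0/8 97.0.0.0/8 \
  98.0.0.0/8 99.0.0.0/8 100.0.0.0/8 101.0.0.0/8 102.0.0.0/8 103.0.0.0/8 \
  104.0.0.0/8 105.0.0.0/8 106.0.0.0/8 107.0.0.0/8 108.0.0.0/8 109.0.0.0/8 \
  110.0.0.0/8 111.0.0.0/8 112.0.0.0/8 113.0.0.0/8 114.0.0.0/8 115.0.0.0/8 \
  116.0.0.0/8 117.0.0.0/8 118.0.0.0/8 119.0.0.0/8 120.0.0.0/8 121.0.0.0/8 \
  122.0.0.0/8 123.0.0.0/8 124.0.0.0/8 125.0.0.0/8 126.0.0.0/8 128.66.0.0/16 \
  172.16.0.0/12 197.0.0.0/8 221.0.0.0/8 222.0.0.0/8 223.0.0.0/8 240.0.0.0/4; do
  $IPT -t filter -A INPUT -s "$bogon" -d $NET -i $IF -j $STOP
done
# --------( Rules Configuration - Inbound Traffic - Block known Trojan Ports )--------
# Drop traffic to a known trojan port in both directions, logging at most
# 2 hits per minute.
# $1 - protocol (tcp|udp)
# $2 - destination port or port range
# $3 - optional extra match (e.g. --syn); intentionally unquoted so that an
#      empty value disappears
# Fix: in the original the rate-limited $STOP was the only rule for these
# ports, so packets above 2/minute were not dropped at all - they fell through
# to the high-port STATE/ACCEPT rules on INPUT and the final ACCEPT on OUTPUT.
# The unlimited DROP after each logging rule closes that gap.
block_trojan_port() {
  $IPT -t filter -A INPUT -p "$1" -s 0/0 -d $NET --dport "$2" $3 -m limit --limit 2/minute -j $STOP
  $IPT -t filter -A INPUT -p "$1" -s 0/0 -d $NET --dport "$2" $3 -j DROP
  $IPT -t filter -A OUTPUT -p "$1" -s $NET -d 0/0 --dport "$2" $3 -m limit --limit 2/minute -j $STOP
  $IPT -t filter -A OUTPUT -p "$1" -s $NET -d 0/0 --dport "$2" $3 -j DROP
}
# Block Back Orifice
block_trojan_port tcp 31337
block_trojan_port udp 31337
# Block Trinity v3
block_trojan_port tcp 33270
block_trojan_port udp 33270
# Block Subseven (1.7/1.9)
block_trojan_port tcp 1234
block_trojan_port tcp 6711
# Block Stacheldraht
block_trojan_port tcp 16660 --syn
block_trojan_port tcp 60001 --syn
# Block NetBus
block_trojan_port tcp 12345:12346
block_trojan_port udp 12345:12346
# Block MS-RPC (dce)
block_trojan_port tcp 135
block_trojan_port udp 135
# Block Trin00
block_trojan_port tcp 1524
block_trojan_port tcp 27665
block_trojan_port udp 27444
block_trojan_port udp 31335
# --------( Rules Configuration - Inbound Traffic - Block Multicast Traffic )--------
# (some cable/DSL providers require their clients to accept multicast transmissions
# you should remove the following four rules if you are affected by multicasting)
# NOTE(review): the IPv4 multicast range is 224.0.0.0/4; /8 covers only 224.x.x.x.
$IPT -t filter -A INPUT -s 224.0.0.0/8 -d 0/0 -j $STOP
$IPT -t filter -A INPUT -s 0/0 -d 224.0.0.0/8 -j $STOP
$IPT -t filter -A OUTPUT -s 224.0.0.0/8 -d 0/0 -j $STOP
$IPT -t filter -A OUTPUT -s 0/0 -d 224.0.0.0/8 -j $STOP
# --------( Rules Configuration - Inbound Traffic - Block Traffic w/ Stuffed Routing )--------
# (early versions of PUMP - (the DHCP client application included in RH / Mandrake) require
# inbound packets to be accepted from a source address of 255.255.255.255. If you have issues
# with DHCP clients on your local LAN - either update PUMP, or remove the first rule below)
$IPT -t filter -A INPUT -s 255.255.255.255 -j $STOP
$IPT -t filter -A INPUT -d 0.0.0.0 -j $STOP
$IPT -t filter -A OUTPUT -s 255.255.255.255 -j $STOP
$IPT -t filter -A OUTPUT -d 0.0.0.0 -j $STOP
# --------( Rules Configuration - Inbound Traffic - Block Traffic w/ Invalid Flags )--------
# (second copy of the rule from the Forwarded Traffic section)
$IPT -t filter -A INPUT -m state --state INVALID -j $STOP
# --------( Rules Configuration - Inbound Traffic - Block Traffic w/ Excessive Fragmented Packets )--------
# (second copy; same rate-limit caveat as above)
$IPT -t filter -A INPUT -f -m limit --limit 10/minute -j $STOP
# --------( Rules Configuration - Inbound Traffic - Ruleset Filtered by GUI )--------
# DHCP
$IPT -t filter -A INPUT -p tcp -s 0/0 -d 0/0 --dport 67:68 -i $IF -j ACCEPT
$IPT -t filter -A INPUT -p udp -s 0/0 -d 0/0 --dport 67:68 -i $IF -j ACCEPT
# SSH
$IPT -t filter -A INPUT -p tcp -s 0/0 -d $NET --dport 22 -j ACCEPT
# HTTP
$IPT -t filter -A INPUT -p tcp -s 0/0 -d $NET --dport 80 -j ACCEPT
# SSL HTTP
$IPT -t filter -A INPUT -p tcp -s 0/0 -d $NET --dport 443 -j ACCEPT
# SAMBA
# NOTE(review): these accept SMB/CIFS (137-139, 445) from any source on the
# *external* interface.  Unless the box really serves SMB to the Internet,
# restrict them to $INNET / $INIF or remove them.
$IPT -t filter -A INPUT -p tcp -s 0/0 -d 0/0 --dport 137:139 -i $IF -j ACCEPT
$IPT -t filter -A INPUT -p udp -s 0/0 -d 0/0 --dport 137:139 -i $IF -j ACCEPT
$IPT -t filter -A INPUT -p tcp -s 0/0 -d 0/0 --dport 445 -i $IF -j ACCEPT
$IPT -t filter -A INPUT -p udp -s 0/0 -d 0/0 --dport 445 -i $IF -j ACCEPT
# Block NFS
$IPT -t filter -A INPUT -p tcp -s 0/0 -d 0/0 --dport 2049 -i $IF -j $STOP
$IPT -t filter -A INPUT -p udp -s 0/0 -d 0/0 --dport 2049 -i $IF -j $STOP
# Block Xwindows
$IPT -t filter -A INPUT -p tcp -s 0/0 -d 0/0 --dport 6000:6015 -i $IF -j $STOP
$IPT -t filter -A INPUT -p udp -s 0/0 -d 0/0 --dport 6000:6015 -i $IF -j $STOP
# Block DHCP (packets on $IF were already accepted by the DHCP rules above)
$IPT -t filter -A INPUT -p tcp -s 0/0 -d 0/0 --dport 67:68 -j $STOP
$IPT -t filter -A INPUT -p udp -s 0/0 -d 0/0 --dport 67:68 -j $STOP
# Block uPNP
$IPT -t filter -A INPUT -p tcp -s 0/0 -d 0/0 --dport 5000 -i $IF -j $STOP
$IPT -t filter -A INPUT -p udp -s 0/0 -d 0/0 --dport 5000 -i $IF -j $STOP
# --------( Rules Configuration - Inbound Traffic - Highport Connection Fixes )--------
# A NEW TCP connection must start with a SYN
$IPT -A INPUT -p tcp ! --syn -m state --state NEW -j $STOP
# SSH fix
$IPT -A INPUT -p tcp --sport 22 --dport 513:65535 ! --syn -m state --state RELATED -j ACCEPT
# --------( Rules Configuration - Inbound Traffic - Highport Connections )--------
# NOTE(review): STATE accepts NEW connections (see its definition earlier), so
# the TCP rule admits unsolicited connections to every port >= 1024 and the
# UDP rule admits every unsolicited datagram to ports >= 1023.  On a host
# with a public interface this is effectively "allow all high ports";
# consider "-m state --state ESTABLISHED,RELATED -j ACCEPT" for both instead.
$IPT -A INPUT -p tcp -s 0/0 -d $NET --dport 1024:65535 -j STATE
$IPT -A INPUT -p udp -s 0/0 -d $NET --dport 1023:65535 -j ACCEPT
# --------( Rules Configuration - Outbound Traffic - Highport Connection Fixes )--------
$IPT -A OUTPUT -p tcp ! --syn -m state --state NEW -j DROP
# --------( Rules Configuration - Outbound Traffic - TTL Mangling )--------
# NOTE(review): this rule has no target (-j), so it only counts packets with
# TTL 64 and mangles nothing.
$IPT -A OUTPUT -m ttl --ttl 64
# --------( Rules Configuration - Outbound Traffic - Block Traffic w/ Incorrect Flags )--------
$IPT -t filter -I OUTPUT -o $IF -m unclean -j UNCLEAN
# --------( Rules Configuration - Outbound Traffic - Default Ruleset )--------
$IPT -A OUTPUT -p icmp -s $NET -d 0/0 -o $IF -j ACCEPT
$IPT -A OUTPUT -j ACCEPT
# --------( Catch all Rules (required) )--------
# Deny everything not let through earlier
$IPT -A INPUT -j $STOP
--------------040702050006010603040308--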