From mboxrd@z Thu Jan 1 00:00:00 1970 From: =?ISO-8859-1?Q?G=E1sp=E1r_Lajos?= Subject: Re: my script ! Date: Fri, 27 Oct 2006 09:42:19 +0200 Message-ID: <4541B85B.5060409@freemail.hu> References: <45411A9A.6080509@gabrix.ath.cx> Mime-Version: 1.0 Content-Transfer-Encoding: quoted-printable Return-path: In-Reply-To: <45411A9A.6080509@gabrix.ath.cx> List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Sender: netfilter-bounces@lists.netfilter.org Errors-To: netfilter-bounces@lists.netfilter.org Content-Type: text/plain; charset="iso-8859-1"; format="flowed" To: gabrix Cc: netfilter Interesting... :) Take a look at my script too... :) Swifty gabrix írta: > I would like your opinion on my firewall script. I will also list all > services available on each machine in the LAN and how the LAN is configured... > keep tight !!! > my lan : > ... >> #!/bin/bash -x >> >> >> #LOAD mODULES >> modprobe ip_conntrack_ftp >> modprobe ip_nat_ftp >> modprobe ip_conntrack_irc >> modprobe ip_nat_irc >> >> # ALCUNE VARIABILI PER INIZIARE >> NET1=3D192.168.0.0/16 >> NET2=3D192.168.0.0/30 >> NET3=3D192.168.1.0/29 >> NET4=3D192.168.1.0/24 >> ROUT=3D192.168.0.1/32 >> ARG0=3D192.168.0.2/32 >> ARG1=3D192.168.1.1/32 >> WWW=3D192.168.1.4/32 >> MAIL=3D192.168.6/32 >> MAC=3D192.168.0.3/32 >> DNS1=3D85.37.17.11/32 >> DNS2=3D85.38.28.69/32 >> IPT=3D/sbin/iptables >> IF0=3Deth0 >> IF1=3Deth1 >> >> # FLUSH >> echo "0" > /proc/sys/net/ipv4/ip_forward >> >> $IPT -P INPUT ACCEPT >> $IPT -P FORWARD ACCEPT >> $IPT -P OUTPUT ACCEPT >> =20 Policy: ACCEPT >> $IPT -t nat -P PREROUTING ACCEPT >> $IPT -t nat -P POSTROUTING ACCEPT >> $IPT -t nat -P OUTPUT ACCEPT >> $IPT -t mangle -P PREROUTING ACCEPT >> $IPT -t mangle -P POSTROUTING ACCEPT >> $IPT -t mangle -P INPUT ACCEPT >> $IPT -t mangle -P OUTPUT ACCEPT >> $IPT -t mangle -P FORWARD ACCEPT The default policy is always ACCEPT here.... 
>> $IPT -F >> $IPT -t nat -F >> $IPT -t mangle -F >> $IPT -X >> $IPT -t nat -X >> $IPT -t mangle -X >> >> # DEFAULTS >> $IPT -P INPUT DROP >> $IPT -P OUTPUT DROP >> $IPT -P FORWARD DROP >> =20 Policy: DROP Why ACCEPT before, and DROP now? >> $IPT -t mangle -P PREROUTING ACCEPT >> $IPT -t mangle -P OUTPUT ACCEPT >> $IPT -t nat -P PREROUTING ACCEPT >> $IPT -t nat -P POSTROUTING ACCEPT >> $IPT -t nat -P OUTPUT ACCEPT >> >> >> =20 Default policy >> # FREE_LOCALHOST >> $IPT -A INPUT -j ACCEPT -i lo >> $IPT -A INPUT -j ULOG --ulog-prefix "LOCAL_SPOOF:" -i ! lo -s >> 127.0.0.1/255.0.0.0 >> $IPT -A INPUT -j DROP -i ! lo -s 127.0.0.1/255.0.0.0 >> $IPT -A OUTPUT -j ACCEPT -o lo >> >> >> # LAN eth0 >> $IPT -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT >> $IPT -A INPUT -i $IF0 -s $NET2 -j ACCEPT >> $IPT -A INPUT -i $IF0 -s $MAC -j ACCEPT >> $IPT -A INPUT -i $IF0 -s $NET1 -j ULOG --ulog-prefix " ### ETH0__SPOOF= :" >> $IPT -A INPUT -i $IF0 -s $NET1 -j DROP >> >> # LAN eth1 >> $IPT -A INPUT -i eth1 -s 192.168.1.0/29 -j ACCEPT >> >> ## >> WW=3D135,136,137,138,139,445 >> $IPT -t nat -I PREROUTING -p tcp -i $IF0 -d $ARG0 -m multiport --dport= >> $WW -j DROP >> $IPT -t nat -I PREROUTING -p udp -i $IF0 -d $ARG0 -m multiport --dport= >> $WW -j DROP >> >> # MSSQL >> $IPT -t nat -I PREROUTING -i $IF0 -p tcp --dport 1433:1434 -m limit -j= >> ULOG --ulog-prefix "Firewalled packet: MSSQL " >> $IPT -t nat -I PREROUTING -i $IF0 -p tcp --dport 1433:1434 -j DROP >> $IPT -t nat -I PREROUTING -i $IF0 -p udp --dport 1433:1434 -m limit -j= >> ULOG --ulog-prefix "Firewalled packet: MSSQL " >> $IPT -t nat -I PREROUTING -i $IF0 -p udp --dport 1433:1434 -j DROP >> >> # Traceroutes depend on finding a rejected port. 
DROP the ones it use= s >> $IPT -t nat -I PREROUTING -i eth0 -p udp --dport 33434:33523 -j ULOG >> --ulog-prefix "TRACEROUTE_UDP:" >> $IPT -t nat -I PREROUTING -i eth0 -p udp --dport 33434:33523 -j DROP >> >> >> # GNUTELLA NETWORK >> $IPT -t nat -I PREROUTING -i $IF0 -p udp --dport 6346:6348 -d $NET2 -j= >> DROP >> >> # PORTS_BLACK_LIST >> PBL=3D1024,1025,1026,1027,33058,34120,40193 >> $IPT -t nat -I PREROUTING -i $IF0 -p tcp -d $NET2 -m multiport >> --dports $PBL -j DROP >> $IPT -t nat -I PREROUTING -i $IF0 -p udp -d $NET2 -m multiport >> --dports $PBL -j DROP >> >> # UDP Traceroute >> $IPT -t nat -I PREROUTING -i $IF0 -p udp -d 192.168.0.0/16 --dport >> 33434:33523 -j DROP >> $IPT -t nat -I PREROUTING -i $IF0 -p udp -d 192.168.0.0/16 --dport >> 33434:33523 -j ULOG --ulog-prefix "UDP_TRACEROUTES :" >> >> >> #---------------------------------------------------------------------= --------------# >> # ICMP >> TYPES # >> #---------------------------------------------------------------------= --------------# >> # = =20 >> # >> # 0 =3D Echo Reply, what gets sent back after a type 8 is received >> here # >> # 3 =3D Destination Unreachable (inbound) or Fragmentation Needed >> (out) [RFC792] # >> # 4 =3D Source Quench tells sending IP to slow down its rate to >> destination # >> # 5 =3D Redirect >> [RFC792] # >> # 6 =3D Alternate Host >> Address # >> # 8 =3D Echo Request used for pinging hosts, but see the note >> above # >> # 9 =3D Router Advertisement >> [RFC1256] # >> # 10 =3D Router Selection >> [RFC1256] # >> # 11 =3D Time Exceeded used for traceroute (TTL) or sometimes frag >> packets # >> # 12 =3D Parameter Problem is some error or weirdness detected in >> header # >> # 13 =3D Timestamp=20 >> [RFC792] # >> # 14 =3D Timestamp Reply=20 >> [RFC792] # >> # 15 =3D Information Request=20 >> [RFC792] # >> # 16 =3D Information Reply=20 >> [RFC792] # >> # 17 =3D Address Mask Request=20 >> [RFC950] # >> # 18 =3D Address Mask Reply=20 >> [RFC950] # >> # 30 =3D Traceroute=20 >> 
[RFC1393] # >> # = =20 >> # >> #---------------------------------------------------------------------= --------------# >> >> # ICMP >> $IPT -t nat -I PREROUTING -i $IF0 -p icmp -d $NET1 -j DROP >> $IPT -t nat -I PREROUTING -i $IF0 -p icmp --icmp-type 0 -m limit >> --limit 3/s -d $NET1 -j ACCEPT >> $IPT -t nat -I PREROUTING -i $IF0 -p icmp --icmp-type 3 -m limit >> --limit 3/s -d $NET1 -j ACCEPT >> >> # CHECK_FLAGS >> $IPT -t nat -I PREROUTING -i $IF0 -f -d $NET2 -j DROP >> $IPT -t nat -I PREROUTING -i $IF0 -f -d $NET2 -j ULOG --ulog-prefix >> "FRAGMENTS:" >> $IPT -t nat -I PREROUTING -i $IF0 -p tcp -d $NET2 -m state --state >> INVALID -j DROP >> $IPT -t nat -I PREROUTING -i $IF0 -p tcp -d $NET2 -m state --state >> INVALID -j ULOG --ulog-prefix "INVALID_FLAGS:" >> $IPT -t nat -I PREROUTING -i $IF0 -p tcp -d $NET2 --tcp-flags ALL >> FIN,URG,PSH -j DROP >> $IPT -t nat -I PREROUTING -i $IF0 -p tcp -d $NET2 --tcp-flags ALL >> FIN,URG,PSH -m limit --limit 3/s -j ULOG --ulog-prefix "NMAP-XMAS_SCAN= :" >> $IPT -t nat -I PREROUTING -i $IF0 -p tcp -d $NET2 --tcp-flags SYN,RST >> SYN,RST -j DROP >> $IPT -t nat -I PREROUTING -i $IF0 -p tcp -d $NET2 --tcp-flags SYN,RST >> SYN,RST -m limit --limit 3/s -j ULOG --ulog-prefix "SYN/RST_SCAN: " >> $IPT -t nat -I PREROUTING -i $IF0 -p tcp -d $NET2 --tcp-flags SYN,FIN >> SYN,FIN -j DROP >> $IPT -t nat -I PREROUTING -i $IF0 -p tcp -d $NET2 --tcp-flags SYN,FIN >> SYN,FIN -m limit --limit 3/s -j ULOG --ulog-prefix "SYN/FIN_SCAN: " >> $IPT -t nat -I PREROUTING -i $IF0 -p tcp -d $NET2 --tcp-flags ALL FIN >> -j DROP >> $IPT -t nat -I PREROUTING -i $IF0 -p tcp -d $NET2 --tcp-flags ALL FIN >> -m limit --limit 3/s -j ULOG --ulog-prefix "FIN_SCAN:" >> $IPT -t nat -I PREROUTING -i $IF0 -p tcp -d $NET2 --tcp-flags ALL ALL >> -j DROP >> $IPT -t nat -I PREROUTING -i $IF0 -p tcp -d $NET2 --tcp-flags ALL ALL >> -m limit --limit 3/s -j ULOG --ulog-prefix "ALL/ALL__SCAN : " >> $IPT -t nat -I PREROUTING -i $IF0 -p tcp -d $NET2 --tcp-flags ALL NONE= >> -j 
DROP >> $IPT -t nat -I PREROUTING -i $IF0 -p tcp -d $NET2 --tcp-flags ALL NONE= >> -m limit --limit 3/s -j ULOG --ulog-prefix "NULL_SCAN: " >> >> >> # _____________ANTISPOOF >> >> cat /home/gabrix/bogon-bn-nonagg.txt |\ >> egrep -ve >> "(^127\.|^192\.168\.|^41\.|^73\.|^76\.|^89\.|^90\.|^121\.|^122\.|^123\= =2E\ >> |^124\.|^125\.|^126\.|^189\.| ^190\.)"|while read s; do >> $IPT -t nat -I PREROUTING -i $IF0 -s $s -j DROP >> $IPT -t nat -I PREROUTING -i $IF0 -s $s -j ULOG --ulog-prefix >> 'BOGON_SPOOF:' >> done >> >> # Make laptop get into LAN >> #echo >> "---------------------------------------------------------------------= --------------------------------" >> #$IPT -t nat -A PREROUTING -i eth0 -p ALL -s 192.168.0.3/32 -d >> 192.168.1.0/24 -j DNAT --to-dest 192.168.1.1 >> =20 >> >> # PREROUTING DNAT ################################# ------------------= -- > >> # HTTP & HTTPS per .... www.gabrix.ath.cx >> /sbin/iptables -t nat -I PREROUTING -p tcp -i eth0 --dport 80 -d >> 192.168.0.2/32 -j DNAT --to 192.168.1.4:80 >> /sbin/iptables -t nat -I PREROUTING -p tcp -i eth0 --dport 443 -d >> 192.168.0.2/32 -j DNAT --to 192.168.1.4:443 >> # HTTP ... per .... 
mail.gabrix.ath.cx >> $IPT -t nat -A PREROUTING -p tcp -i $IF0 --dport 80 -m state --state >> NEW -d 192.168.0.2/32 -j DNAT --to 192.168.1.6:80 >> $IPT -t nat -A PREROUTING -p tcp -i $IF0 --dport 443 -m state --state >> NEW -d 192.168.0.2/32 -j DNAT --to 192.168.1.6:443 >> >> >> >> # SMTP >> $IPT -t nat -A PREROUTING -p tcp -i $IF0 -d 192.168.0.2/32 --dport 25 >> -j DNAT --to 192.168.1.6:25 >> >> >> # INN >> #$IPT -t nat -A PREROUTING -i eth0 -p tcp -d 192.168.0.2/32 --dport >> 119 -j DNAT --to 192.168.1.4:119 >> >> >> # IRCD >> IRC=3D6664:6669 >> $IPT -t nat -A PREROUTING -p tcp -i $IF0 -d 192.168.0.2/32 --dport >> $IRC -j DNAT --to 192.168.1.4:6664-6669 >> $IPT -t nat -A PREROUTING -p udp -i $IF0 -d 192.168.0.2/32 --dport >> 32768 -j DNAT --to 192.168.1.4:32768 >> >> >> # FTP >> $IPT -t nat -A PREROUTING -p tcp -i $IF0 -d 192.168.0.2/32 --dport 20 >> -j DNAT --to 192.168.1.4:20 >> $IPT -t nat -A PREROUTING -p tcp -i $IF0 -d 192.168.0.2/32 --dport 21 >> -j DNAT --to 192.168.1.4:21 >> $IPT -t nat -A PREROUTING -p tcp -i $IF0 -d 192.168.0.2/32 --dport >> 60000:65535 -m state --state ESTABLISHED,RELATED -j DNAT --to >> 192.168.1.4:60000-65534 >> >> >> # POP-SSL >> $IPT -t nat -A PREROUTING -p tcp -i $IF0 -d 192.168.0.2/32 --dport 995= >> -j DNAT --to 192.168.1.6:995 >> $IPT -t nat -A PREROUTING -p udp -i $IF0 -d 192.168.0.2/32 --dport 995= >> -j DNAT --to 192.168.1.6:995 >> >> >> # TIM --- DNS >> $IPT -t nat -A PREROUTING -p ALL -i $IF0 -s $DNS1 -d $ARG0 -j DNAT >> --to 192.168.1.6 >> $IPT -t nat -A PREROUTING -p ALL -i $IF0 -s $DNS2 -d $ARG0 -j DNAT >> --to 192.168.1.6 >> >> # PROXY >> #$IPT -t nat -I PREROUTING -i $IF1 -p tcp -s $NET3 --dport 80 -j DNAT >> --to 192.168.1.1:8888 >> >> # EMULE >> $IPT -t nat -A PREROUTING -p tcp -i $IF0 -d 192.168.0.2/32 --dport >> 18744 -j DNAT --to 192.168.1.2:18744 >> $IPT -t nat -A PREROUTING -p udp -i $IF0 -d 192.168.0.2/32 --dport >> 57692 -j DNAT --to 192.168.1.2:57692 >> $IPT -t nat -A PREROUTING -p tcp -i $IF0 -d 
192.168.0.2/32 --dport >> 4711 -j DNAT --to 192.168.1.2:4711 >> $IPT -t nat -A PREROUTING -p udp -i $IF0 -d 192.168.0.2/32 --dport >> 4672 -j DNAT --to 192.168.1.2:4672 >> $IPT -t nat -A PREROUTING -p tcp -i $IF0 -d 192.168.0.2/32 --dport >> 4661:4662 -j DNAT --to 192.168.1.2:4661-4662 >> >> ######################################################################= #################### >> # INPUT ARGO =20 >> SERVICES # >> ######################################################################= #################### >> # I want broadcats to reach only machines in lan and avoid packets to >> go out in the internet and other #machines >> >> # BROADCASTS >> # ETH0 >> $IPT -A INPUT -i $IF0 -d 255.255.255.255/32 -j ULOG --ulog-prefix >> "NET_BROADCASTS:" >> $IPT -A INPUT -i $IF0 -d 255.255.255.255/32 -j DROP >> >> # ETH1 >> $IPT -A INPUT -i $IF1 -j ACCEPT -s 192.168.1.0/29 -d 192.168.1.255/29 >> $IPT -A INPUT -i $IF1 -j ULOG --ulog-prefix "LAN_BROADCASTS:" -s >> 192.168.1.0/29 -d 192.168.1.255/32 >> $IPT -A INPUT -i $IF1 -j DROP -s 192.168.1.0/29 -d 192.168.1.255/32 >> >> $IPT -A INPUT -i $IF1 -j ACCEPT -s 192.168.1.0/29 -d 255.255.255.255/2= 9 >> $IPT -A INPUT -i $IF1 -j ULOG --ulog-prefix "LAN_NBIOS_BROADCASTS:" -s= >> 192.168.1.0/29 -d 255.255.255.255/32 >> $IPT -A INPUT -i $IF1 -j DROP -s 192.168.1.0/29 -d 255.255.255.255/32 >> >> # MULTICASTS >> $IPT -A INPUT -i $IF0 -j DROP -m state --state NEW -d 224.0.0.0/4 -p != 6 >> >> # INPUT ARGO_SERVICES ----------------------------------------- >> # TOR >> $IPT -t nat -A PREROUTING -i $IF0 -p tcp --dport 22 -j REDIRECT >> --to-port 9090 >> $IPT -t nat -A PREROUTING -i $IF0 -p tcp --dport 110 -j REDIRECT >> --to-port 9091 >> $IPT -A INPUT -i eth0 -p tcp -d 192.168.0.2/32 --dport 9090 -j ACCEPT >> $IPT -A INPUT -i eth0 -p tcp -d 192.168.0.2/32 --dport 9091 -j ACCEPT >> >> >> # Accetto SSH e prevengo bruteforces >> $IPT -A INPUT -i eth0 -p tcp --dport 666 -d 192.168.0.2/32 -m recent >> --update --seconds 60 --hitcount 4 --rttl 
--name SSH -j ULOG >> --ulog-prefix "SSH_BRUTEFORCE:" >> $IPT -A INPUT -i eth0 -p tcp --dport 666 -d 192.168.0.2/32 -m state >> --state NEW -m recent --set --name SSH -j ACCEPT >> >> >> # TIM_DNS >> $IPT -A INPUT -i eth0 -s $DNS1 -d $ARG0 -j ACCEPT >> $IPT -A INPUT -i eth0 -s $DNS2 -d $ARG0 -j ACCEPT >> >> # DROP Anything else >> $IPT -A INPUT -i $IF0 -p tcp --dport 1:65535 -d $ARG0 -j ULOG >> --ulog-prefix "TCP:" >> $IPT -A INPUT -i $IF0 -p tcp --dport 1:65535 -d $ARG0 -j DROP >> $IPT -A INPUT -i $IF0 -p udp --dport 1:65535 -d $ARG0 -j ULOG >> --ulog-prefix "UDP:" >> $IPT -A INPUT -i $IF0 -p udp --dport 1:65535 -d $ARG0 -j DROP >> $IPT -A INPUT -i $IF0 -p ALL -d $ARG0 -j ULOG --ulog-prefix "#######| >> STOP_ALL_ |######:" >> $IPT -A INPUT -i $IF0 -p ALL -d $ARG0 -j DROP >> >> >> # FORWARD >> # >> >> # 192.168.0.0 NETWORK >> $IPT -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT >> $IPT -A FORWARD -i eth0 -o eth1 -s 192.168.0.3 -d 192.168.1.0/29 -j AC= CEPT >> $IPT -A FORWARD -i eth0 -o eth1 -s $ARG0 -d $NET3 -j ACCEPT >> $IPT -A FORWARD -i eth0 -o eth1 -s $ROUT -d $NET3 -j ACCEPT >> $IPT -A FORWARD -i eth0 -o eth1 -s $NET1 -d $NET4 -j ULOG >> --ulog-prefix "Forward_SPOOF:" >> $IPT -A FORWARD -i eth0 -o eth1 -s $NET1 -d $NET4 -j DROP >> >> # LAN >> $IPT -A FORWARD -i eth1 -o eth0 -s 192.168.1.0/24 -j ACCEPT >> >> >> # # Services FORWARD--------> >> >> # TIM DNS >> $IPT -A FORWARD -s $DNS1 -d 192.168.1.0/24 -j ACCEPT >> $IPT -A FORWARD -s $DNS2 -d 192.168.1.0/24 -j ACCEPT >> =20 >> >> # FTP >> $IPT -A FORWARD -i eth0 -o eth1 -p tcp -d 192.168.1.4 --dport 20 -j AC= CEPT >> $IPT -A FORWARD -i eth0 -o eth1 -p tcp -d 192.168.1.4 --dport 21 -j AC= CEPT >> $IPT -A FORWARD -i eth0 -o eth1 -p tcp -d 192.168.1.4 --dport >> 60000:65534 -j ACCEPT >> >> >> # INN >> #$IPT -A FORWARD -i eth0 -o eth1 -p tcp --dport 119 -d 192.168.1.4 -j >> ACCEPT >> =20 >> >> # SMTP >> $IPT -A FORWARD -i eth0 -o eth1 -p tcp --dport 25 -d 192.168.1.6 -j AC= CEPT >> >> >> # IRCD >> 
IRC=3D6665:6669 >> $IPT -A FORWARD -i eth0 -p tcp --dport $IRC -d 192.168.1.4/32 -j ACCEP= T >> $IPT -A FORWARD -i eth0 -p udp --dport 32768 -d 192.168.1.4/32 -j ACCE= PT >> >> >> # HTTP >> $IPT -A FORWARD -i eth0 -o eth1 -p tcp --dport 80 -d 192.168.1.4 -j AC= CEPT >> $IPT -A FORWARD -i eth0 -o eth1 -p tcp --dport 443 -d 192.168.1.4 -j >> ACCEPT >> $IPT -A FORWARD -i eth0 -o eth1 -p tcp --dport 80 -d 192.168.1.6 -j AC= CEPT >> $IPT -A FORWARD -i eth0 -o eth1 -p tcp --dport 443 -d 192.168.1.6 -j >> ACCEPT >> >> >> # POP SSL >> $IPT -A FORWARD -i eth0 -p tcp --dport 995 -d 192.168.1.6 -j ACCEPT >> $IPT -A FORWARD -i eth0 -p udp --dport 995 -d 192.168.1.6 -j ACCEPT >> >> # EMULE >> $IPT -A FORWARD -p tcp -i $IF0 --dport 18744 -d 192.168.1.2 -j ACCEPT >> $IPT -A FORWARD -p udp -i $IF0 --dport 57692 -d 192.168.1.2 -j ACCEPT >> $IPT -A FORWARD -p tcp -i $IF0 --dport 4711 -d 192.168.1.2 -j ACCEPT >> $IPT -A FORWARD -p udp -i $IF0 --dport 4672 -d 192.168.1.2 -j ACCEPT >> $IPT -A FORWARD -p tcp -i $IF0 --dport 4661:4662 -d 192.168.1.2 -j ACC= EPT >> >> # OUTPUT >> $IPT -A OUTPUT -o eth0 -s 192.168.0.2/32 -j ACCEPT >> $IPT -A OUTPUT -j ACCEPT -o eth1 -d 192.168.1.0/24 >> $IPT -A OUTPUT -s 192.168.0.0/16 -j ACCEPT >> $IPT -A OUTPUT -s 192.168.1.0/24 -j ACCEPT >> >> $IPT -A OUTPUT -p icmp --icmp-type time-exceeded -j DROP >> $IPT -A OUTPUT -p icmp --icmp-type 0 -j DROP >> >> # MASQUERADE >> $IPT -t nat -A POSTROUTING -o eth0 -s 192.168.1.0/24 -j MASQUERADE >> >> echo "1" > /proc/sys/net/ipv4/ip_forward >> >> > If you have questions, just ask.... thanks !!! > > > I do not really believe that this is the best form of a script, but if you understand your script (and hopefully you do :D ) then this is good... :) I prefer scripts that look much like the output of "iptables -vnL". Swifty