Discussion Starter · #1 ·
Hello guys. I set up a Linux box running Slackware 9.1 to act as a router/firewall/gateway using iptables. Here's the basic setup. I have a Slack box (router/firewall) with two NICs: eth0 is the WAN, configured for DHCP, and eth1 is the LAN, configured as 192.168.1.0/24. eth0 is directly connected to the cable modem and eth1 to a switch where the other LAN PCs are connected. I have 2 other computers connected. Each of the PCs can get internet access. Now the problems.

1. Both LAN PCs can get internet, but no ping nor email (send or receive).
2. The Slack box (router/firewall) can get DHCP on eth0 but cannot get an internet connection.
3. The Slack box cannot ping itself, eth0 or eth1, nor any internet address. The following error shows:
ping: sendmsg: Operation not permitted.
4. A final one... quite frankly I'm not sure how correct my script is. :(

I'll post my iptables config for you to reference. Any help is greatly appreciated. Thanks.

**If you copy and paste the script into something like WordPad or Word it's easier to read. Thanks again.

##==============================
#!/bin/bash
#Kernel 2.4.25
echo "Loading IP Tables..."

# Load appropriate modules
modprobe ip_tables
modprobe ip_conntrack

# Flush rules
iptables -F
iptables -F -t nat
iptables -X
iptables -Z

# Set predefined chains, drop all [default]
iptables -P INPUT DROP
iptables -P FORWARD ACCEPT
iptables -P OUTPUT ACCEPT

##========================================================
## Definitions

IFACE="eth0"
# Determine WAN IP
external=`ifconfig eth0 | grep inet | cut -d: -f2 | cut -d ' ' -f1`
lan="192.168.1.0/24"
# Determine WAN broadcast
BROADCAST=`ifconfig eth0 | grep inet | cut -d: -f3 | cut -d ' ' -f1`
LOOPBACK="127.0.0.0/8"

##===================================================
## Kernel Flags
echo 61 > /proc/sys/net/ipv4/ip_default_ttl
echo "5" > /proc/sys/net/ipv4/tcp_syn_retries
echo "1" > /proc/sys/net/ipv4/tcp_rfc1337
echo "1" > /proc/sys/net/ipv4/icmp_echo_ignore_all
echo "1" > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
echo "0" > /proc/sys/net/ipv4/conf/all/accept_source_route
echo "1" > /proc/sys/net/ipv4/tcp_syncookies
echo "1" > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses
echo "1" > /proc/sys/net/ipv4/conf/all/log_martians
echo "1" > /proc/sys/net/ipv4/ip_forward

# Disable ICMP redirect acceptance (0 = do not accept redirects)
for interface in /proc/sys/net/ipv4/conf/*/accept_redirects; do
/bin/echo "0" > ${interface}
done

# Turn on reverse path filtering
for interface in /proc/sys/net/ipv4/conf/*/rp_filter; do
/bin/echo "1" > ${interface}
done

##=======================================================
## RULES

iptables -N ILLEGAL
iptables -F ILLEGAL

# Furtive port scanner
iptables -A ILLEGAL -p tcp --tcp-flags SYN,ACK,FIN,RST RST -m limit --limit 1/s -j ACCEPT

# Drop illegal flag combinations
iptables -A ILLEGAL -i $IFACE -p tcp --tcp-flags ALL ALL -j DROP
iptables -A ILLEGAL -i $IFACE -p tcp --tcp-flags ALL NONE -j DROP
iptables -A ILLEGAL -i $IFACE -p tcp --tcp-flags ALL FIN,URG,PSH -j DROP
iptables -A ILLEGAL -i $IFACE -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j DROP
iptables -A ILLEGAL -i $IFACE -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
iptables -A ILLEGAL -i $IFACE -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
iptables -A ILLEGAL -i $IFACE -p tcp --tcp-flags FIN,RST FIN,RST -j DROP
iptables -A ILLEGAL -i $IFACE -p tcp --tcp-flags ACK,FIN FIN -j DROP
iptables -A ILLEGAL -i $IFACE -p tcp --tcp-flags ACK,PSH PSH -j DROP
iptables -A ILLEGAL -i $IFACE -p tcp --tcp-flags ACK,URG URG -j DROP

# Refuse directed broadcasts
iptables -A ILLEGAL -i $IFACE -d 255.255.255.255 -j DROP
iptables -A ILLEGAL -i $IFACE -d $BROADCAST -j DROP

# Drop unclean packets
# Accept packets on loopback
iptables -A INPUT -m unclean -j DROP
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT

## SYN-FLOODING PROTECTION
iptables -N syn-flood
iptables -A INPUT -i $IFACE -p tcp --syn -j syn-flood
iptables -A syn-flood -m limit --limit 1/s --limit-burst 4 -j RETURN
iptables -A syn-flood -j DROP

## NETBIOS SILENT DROP
# Drop port 137 NETBIOS packets silently
iptables -A INPUT -p udp --sport 137 --dport 137 -j DROP

## Ensure NEW TCP connections are SYN packets
iptables -A INPUT -i $IFACE -p tcp ! --syn -m state --state NEW -j DROP

## Drop non-first fragments after logging
iptables -A INPUT -i $IFACE -f -j LOG --log-prefix "IPTABLES fragments: "
iptables -A INPUT -i $IFACE -f -j DROP

## SPOOFING
# Drop all IP Spoofing suspects
# Refuse spoofed packets pretending to be from my IP address.
iptables -A INPUT -i $IFACE -s $external -j DROP
# Quench to the loopback
iptables -A INPUT -i $IFACE -d $LOOPBACK -j DROP
# Refuse broadcast address packets
iptables -A INPUT -i $IFACE -d $BROADCAST -j DROP

## Impossible networks
# Drop all
iptables -A INPUT -d 172.0.0.0/8 -j DROP
iptables -A INPUT -s 172.0.0.0/8 -j DROP
iptables -A OUTPUT -d 172.0.0.0/8 -j DROP
iptables -A OUTPUT -s 172.0.0.0/8 -j DROP
iptables -A INPUT -d 192.0.2.0/24 -j DROP
iptables -A INPUT -s 192.0.2.0/24 -j DROP
iptables -A OUTPUT -d 192.0.2.0/24 -j DROP
iptables -A OUTPUT -s 192.0.2.0/24 -j DROP
iptables -A INPUT -d 248.0.0.0/5 -j DROP
iptables -A INPUT -s 248.0.0.0/5 -j DROP
iptables -A OUTPUT -d 248.0.0.0/5 -j DROP
iptables -A OUTPUT -s 248.0.0.0/5 -j DROP
iptables -A INPUT -d 224.0.0.0/4 -j DROP
iptables -A INPUT -s 224.0.0.0/4 -j DROP
iptables -A OUTPUT -d 224.0.0.0/4 -j DROP
iptables -A OUTPUT -s 224.0.0.0/4 -j DROP
iptables -A INPUT -d 240.0.0.0/5 -j DROP
iptables -A INPUT -s 240.0.0.0/5 -j DROP
iptables -A OUTPUT -d 240.0.0.0/5 -j DROP
iptables -A OUTPUT -s 240.0.0.0/5 -j DROP
iptables -A INPUT -d 172.16.0.0/12 -j DROP
iptables -A INPUT -s 172.16.0.0/12 -j DROP
iptables -A OUTPUT -d 172.16.0.0/12 -j DROP
iptables -A OUTPUT -s 172.16.0.0/12 -j DROP
iptables -A INPUT -d 10.0.0.0/8 -j DROP
iptables -A INPUT -s 10.0.0.0/8 -j DROP
iptables -A OUTPUT -d 10.0.0.0/8 -j DROP
iptables -A OUTPUT -s 10.0.0.0/8 -j DROP

##=============================================
## ICMP
# 0: echo reply (pong)
# 3: destination unreachable
# 4: source quench
# 5: redirect
# 8: echo request
# 9: router advertisement
# 10: router solicitation
# 11: time-exceeded
# 12: parameter-problem
# 13: timestamp request
# 14: timestamp reply
# 15: information request
# 16: information reply
# 17: address mask request
# 18: address mask reply

# Allow all ICMP traffic
iptables -A INPUT -i $IFACE -p ICMP -j ACCEPT

iptables -N ICMP
iptables -F ICMP

# Allow limited ICMP traffic
iptables -A ICMP -i $IFACE -p ICMP --icmp-type 0 -j ACCEPT
iptables -A ICMP -i $IFACE -p ICMP --icmp-type 3 -j ACCEPT # Destination Unreachable
iptables -A ICMP -i $IFACE -p ICMP --icmp-type 4 -j ACCEPT # Source Quench
iptables -A ICMP -i $IFACE -p ICMP --icmp-type 8 -j ACCEPT
iptables -A ICMP -i $IFACE -p ICMP --icmp-type 11 -j ACCEPT # Time Exceeded
iptables -A ICMP -i $IFACE -p ICMP --icmp-type 12 -j ACCEPT # Parameter Problem

##===================================================
## NATting
# Allow NATing from TRUSTED network
iptables -A FORWARD -s $lan -i $IFACE -j DROP #spoofing
iptables -A FORWARD -p icmp -d $BROADCAST -j DROP #smurf
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -m state --state NEW -i ! $IFACE -j ACCEPT
iptables -A FORWARD -j DROP
iptables -t nat -A POSTROUTING -o $IFACE -p udp -d 68.80.0.5 --dport 53 -j SNAT --to $external #DNS
iptables -t nat -A POSTROUTING -o $IFACE -p udp -d 68.80.0.6 --dport 53 -j SNAT --to $external #DNS
iptables -t nat -A POSTROUTING -o $IFACE -p tcp --dport 80 -j SNAT --to $external #HTTP
iptables -t nat -A POSTROUTING -o $IFACE -p tcp --dport 443 -j SNAT --to $external #HTTPS
iptables -t nat -A POSTROUTING -o $IFACE -p tcp --dport 22 -j SNAT --to $external #SSH
iptables -t nat -A POSTROUTING -o $IFACE -j DROP

##==================================================

## DNS
# Allow UDP packets in for DNS client from Comcast nameservers
iptables -A INPUT -i $IFACE -p udp -s 68.80.0.5/32 --sport 53 -m state --state ESTABLISHED -j ACCEPT
iptables -A INPUT -i $IFACE -p udp -s 68.80.0.6/32 --sport 53 -m state --state ESTABLISHED -j ACCEPT
# Allow UDP packets out to Comcast nameservers from client
iptables -A OUTPUT -o $IFACE -p udp -d 68.80.0.5/32 --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o $IFACE -p udp -d 68.80.0.6/32 --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT

## SSH
# Allow SSH outbound
iptables -A INPUT -i $IFACE -p tcp --dport 22 -m state --state ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o $IFACE -p tcp --sport 22 -m state --state NEW,ESTABLISHED -j ACCEPT
# Allow SSH connections
#iptables -A INPUT -i $IFACE -s 10.1.1.1 -d 0/0 -p tcp --dport 22 -j ACCEPT
iptables -A INPUT -i $IFACE -s 0/0 -p tcp --dport 22 -j ACCEPT

## WWW
# Allow WWW outbound to port 80
iptables -A INPUT -i $IFACE -p tcp --sport 80 -m state --state ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o $IFACE -p tcp --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT
# Allow WWW outbound to port 443
iptables -A INPUT -i $IFACE -p tcp --sport 443 -m state --state ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o $IFACE -p tcp --dport 443 -m state --state NEW,ESTABLISHED -j ACCEPT

## TELNET
# Allow telnet outbound
iptables -A INPUT -i $IFACE -p tcp --sport 23 -m state --state ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o $IFACE -p tcp --dport 23 -m state --state NEW,ESTABLISHED -j ACCEPT

## FTP
# Allow FTP outbound
iptables -A INPUT -i $IFACE -p tcp --sport 21 -m state --state ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o $IFACE -p tcp --dport 21 -m state --state NEW,ESTABLISHED -j ACCEPT
# FTP connection tracking
iptables -A INPUT -i $IFACE -p tcp --sport 20 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -o $IFACE -p tcp --dport 20 -m state --state ESTABLISHED -j ACCEPT

## SMTP
# Allow SMTP outbound
iptables -A INPUT -i $IFACE -p tcp --sport 25 -m state --state ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o $IFACE -p tcp --dport 25 -m state --state NEW,ESTABLISHED -j ACCEPT

## POP3
# Allow POP3 coming inbound
iptables -A INPUT -p tcp -i $IFACE --sport 110 -j ACCEPT
iptables -A OUTPUT -p tcp -o $IFACE --dport 110 -j ACCEPT

## AUTH server
# Reject IDENT probes with a TCP reset
iptables -A INPUT -i $IFACE -p tcp --dport 113 -j REJECT --reject-with tcp-reset

##============================================

## LOGGING
# Any UDP not already allowed is logged and then dropped
iptables -A INPUT -i $IFACE -p udp -j LOG --log-prefix "IPTABLES UDP-IN: "
iptables -A INPUT -i $IFACE -p udp -j DROP
iptables -A OUTPUT -o $IFACE -p udp -j LOG --log-prefix "IPTABLES UDP-OUT: "
iptables -A OUTPUT -o $IFACE -p udp -j DROP
# Any ICMP not already allowed is logged and then dropped
iptables -A INPUT -i $IFACE -p icmp -j LOG --log-prefix "IPTABLES ICMP-IN: "
iptables -A INPUT -i $IFACE -p icmp -j DROP
iptables -A OUTPUT -o $IFACE -p icmp -j LOG --log-prefix "IPTABLES ICMP-OUT: "
iptables -A OUTPUT -o $IFACE -p icmp -j DROP
# Any TCP not already allowed is logged and then dropped
iptables -A INPUT -i $IFACE -p tcp -j LOG --log-prefix "IPTABLES TCP-IN: "
iptables -A INPUT -i $IFACE -p tcp -j DROP
iptables -A OUTPUT -o $IFACE -p tcp -j LOG --log-prefix "IPTABLES TCP-OUT: "
iptables -A OUTPUT -o $IFACE -p tcp -j DROP
# Anything else not already allowed is logged and then dropped
# It will be dropped by the default policy anyway...but let's be paranoid :)
iptables -A INPUT -i $IFACE -j LOG --log-prefix "IPTABLES PROTOCOL-X-IN: "
iptables -A INPUT -i $IFACE -j DROP
iptables -A OUTPUT -o $IFACE -j LOG --log-prefix "IPTABLES PROTOCOL-X-OUT: "
iptables -A OUTPUT -o $IFACE -j DROP

## MISC coming in
iptables -A INPUT -i $IFACE -j LOG --log-prefix "IPTABLES **UNKNOWN**-IN: "
iptables -A INPUT -i $IFACE -j DROP
iptables -A OUTPUT -o $IFACE -j LOG --log-prefix "IPTABLES **UNKNOWN**-OUT: "
iptables -A OUTPUT -o $IFACE -j DROP

## END
 

I use Solaris, but these commands are still suspect:
external=`ifconfig eth0 | grep inet | cut -d: -f2 | cut -d ' ' -f1`
BROADCAST=`ifconfig eth0 | grep inet | cut -d: -f3 | cut -d ' ' -f1`

But what I really want to know is -

1) What size MTU is used throughout the whole thing - from the DSLAM to the farthest PC in your network. And

2) What is your DSLAM's IP address block? If it is 10.0.0.0/8 -- you just dropped all the packets:

## Impossible networks
iptables -A INPUT -d 10.0.0.0/8 -j DROP
iptables -A INPUT -s 10.0.0.0/8 -j DROP
iptables -A OUTPUT -d 10.0.0.0/8 -j DROP
iptables -A OUTPUT -s 10.0.0.0/8 -j DROP

You are very close. See if it works without all the IPTABLES rules first :: fix one thing at a time. If your DSL connection is a NAT you are probably doing this in overkill mode anyway.

-Sx-
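The symptoms in the first post (the router's own ping failing with sendmsg EPERM, LAN mail never leaving) and the reply's 10.0.0.0/8 point can both be traced by walking the posted chains in order. The following is added example code, not part of either post: a small first-match model of the iptables options the script uses, fed an excerpt of the posted rules; 68.80.0.5 and 192.168.1.0/24 come from the post, every other address is a constructed stand-in.

```python
# Added example, not from the posted script: a first-match model of the iptables syntax
# the poster uses (-A, -i/-o, -p, --dport, -s/-d, -j) to trace packets through an excerpt
# of his OUTPUT and nat POSTROUTING chains. All addresses except 68.80.0.5 (his resolver)
# and 192.168.1.0/24 (his LAN) are constructed for the demonstration.
from ipaddress import ip_address, ip_network

EXTERNAL = "203.0.113.7"  # constructed stand-in for the script's $external WAN address
TERMINAL = {"accept", "drop", "reject", "snat"}  # LOG is non-terminal: the walk continues

def parse(rule):
    tok = rule.split()
    parsed = {"chain": tok[tok.index("-A") + 1]}
    for flag, key in (("-i", "iif"), ("-o", "oif"), ("-p", "proto"), ("--dport", "dport"),
                      ("-s", "src"), ("-d", "dst"), ("-j", "target")):
        if flag in tok:
            parsed[key] = tok[tok.index(flag) + 1].lower()
    return parsed

def matches(rule, pkt):
    exact = all(str(pkt.get(k, "")).lower() == rule[k] for k in ("iif", "oif", "proto", "dport") if k in rule)
    nets = all(ip_address(pkt[k]) in ip_network(rule[k], strict=False) for k in ("src", "dst") if k in rule)
    return exact and nets

def verdict(rules, chain, pkt, policy="ACCEPT"):
    # First matching terminal target wins; a LOG match is recorded but the walk goes on.
    for rule in rules:
        if rule["chain"] == chain and matches(rule, pkt) and rule["target"] in TERMINAL:
            return rule["target"].upper()
    return policy

RULES = [parse(line) for line in f'''
iptables -A OUTPUT -o lo -j ACCEPT
iptables -A OUTPUT -d 10.0.0.0/8 -j DROP
iptables -t nat -A POSTROUTING -o eth0 -p udp -d 68.80.0.5 --dport 53 -j SNAT --to {EXTERNAL}
iptables -t nat -A POSTROUTING -o eth0 -p tcp --dport 80 -j SNAT --to {EXTERNAL}
iptables -t nat -A POSTROUTING -o eth0 -j DROP
iptables -A OUTPUT -o eth0 -p tcp --dport 25 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o eth0 -p icmp -j LOG --log-prefix "IPTABLES ICMP-OUT: "
iptables -A OUTPUT -o eth0 -p icmp -j DROP
'''.strip().splitlines()]  # excerpt of the posted rules, in posted order, variables expanded

PACKETS = {  # (chain, packet) pairs; all constructed
    "router ping":    ("OUTPUT", {"oif": "eth0", "proto": "icmp", "src": EXTERNAL, "dst": "198.51.100.9"}),
    "router to 10/8": ("OUTPUT", {"oif": "eth0", "proto": "udp", "dport": "53", "src": EXTERNAL, "dst": "10.0.0.1"}),
    "lan http":       ("POSTROUTING", {"oif": "eth0", "proto": "tcp", "dport": "80", "src": "192.168.1.10", "dst": "198.51.100.25"}),
    "lan smtp":       ("POSTROUTING", {"oif": "eth0", "proto": "tcp", "dport": "25", "src": "192.168.1.10", "dst": "198.51.100.25"}),
}

def trace(name):
    chain, pkt = PACKETS[name]
    return verdict(RULES, chain, pkt)
```

The model gives DROP for the router's own ICMP (nothing in OUTPUT accepts it before the LOG/DROP pair), DROP for anything the router sends into 10.0.0.0/8, SNAT for LAN HTTP but DROP for LAN SMTP, since the nat POSTROUTING chain ends in a DROP that catches every port not explicitly SNATed.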