• I.1. Ïðèìåð rc.firewall
  • I.2. Ïðèìåð rc.DMZ.firewall
  • I.3. Ïðèìåð rc.UTIN.firewall
  • I.4. Ïðèìåð rc.DHCP.firewall
  • I.5. Ïðèìåð rc.flush-iptables
  • I.6. Ïðèìåð rc.test-iptables
  • Ïðèëîæåíèå I. Ïðèìåðû ñöåíàðèåâ

    I.1. Ïðèìåð rc.firewall

    #!/bin/sh

    #

    # rc.firewall – Initial SIMPLE IP Firewall script for Linux 2.4.x and iptables

    #

    # Copyright (C) 2001 Oskar Andreasson <bluefluxATkoffeinDOTnet>

    #

    # This program is free software; you can redistribute it and/or modify

    # it under the terms of the GNU General Public License as published by

    # the Free Software Foundation; version 2 of the License.

    #

    # This program is distributed in the hope that it will be useful,

    # but WITHOUT ANY WARRANTY; without even the implied warranty of

    # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the

    # GNU General Public License for more details.

    #

    # You should have received a copy of the GNU General Public License

    # along with this program or from the site that you downloaded it

    # from; if not, write to the Free Software Foundation, Inc., 59 Temple

    # Place, Suite 330, Boston, MA 02111-1307 USA

    #


    ###########################################################################

    #

    # 1. Configuration options.

    #


    #

    # 1.1 Internet Configuration.

    #


    INET_IP="194.236.50.155"

    INET_IFACE="eth0"

    INET_BROADCAST="194.236.50.255"


    #

    # 1.1.1 DHCP

    #


    #

    # 1.1.2 PPPoE

    #


    #

    # 1.2 Local Area Network configuration.

    #

    # your LAN's IP range and localhost IP. /24 means to only use the first 24

    # bits of the 32 bit IP address. the same as netmask 255.255.255.0

    #


    LAN_IP="192.168.0.2"

    LAN_IP_RANGE="192.168.0.0/16"

    LAN_IFACE="eth1"


    #

    # 1.3 DMZ Configuration.

    #


    #

    # 1.4 Localhost Configuration.

    #


    LO_IFACE="lo"

    LO_IP="127.0.0.1"


    #

    # 1.5 IPTables Configuration.

    #


    IPTABLES="/usr/sbin/iptables"


    #

    # 1.6 Other Configuration.

    #


    ###########################################################################

    #

    # 2. Module loading.

    #


    #

    # Needed to initially load modules

    #


    /sbin/depmod -a


    #

    # 2.1 Required modules

    #


    /sbin/modprobe ip_tables

    /sbin/modprobe ip_conntrack

    /sbin/modprobe iptable_filter

    /sbin/modprobe iptable_mangle

    /sbin/modprobe iptable_nat

    /sbin/modprobe ipt_LOG

    /sbin/modprobe ipt_limit

    /sbin/modprobe ipt_state


    #

    # 2.2 Non-Required modules

    #


    #/sbin/modprobe ipt_owner

    #/sbin/modprobe ipt_REJECT

    #/sbin/modprobe ipt_MASQUERADE

    #/sbin/modprobe ip_conntrack_ftp

    #/sbin/modprobe ip_conntrack_irc

    #/sbin/modprobe ip_nat_ftp

    #/sbin/modprobe ip_nat_irc


    ###########################################################################

    #

    # 3. /proc set up.

    #


    #

    # 3.1 Required proc configuration

    #


    echo "1" > /proc/sys/net/ipv4/ip_forward


    #

    # 3.2 Non-Required proc configuration

    #


    #echo "1" > /proc/sys/net/ipv4/conf/all/rp_filter

    #echo "1" > /proc/sys/net/ipv4/conf/all/proxy_arp

    #echo "1" > /proc/sys/net/ipv4/ip_dynaddr


    ###########################################################################

    #

    # 4. rules set up.

    #


    ######

    # 4.1 Filter table

    #


    #

    # 4.1.1 Set policies

    #


    $IPTABLES -P INPUT DROP

    $IPTABLES -P OUTPUT DROP

    $IPTABLES -P FORWARD DROP


    #

    # 4.1.2 Create userspecified chains

    #


    #

    # Create chain for bad tcp packets

    #


    $IPTABLES -N bad_tcp_packets


    #

    # Create separate chains for ICMP, TCP and UDP to traverse

    #


    $IPTABLES -N allowed

    $IPTABLES -N tcp_packets

    $IPTABLES -N udp_packets

    $IPTABLES -N icmp_packets


    #

    # 4.1.3 Create content in userspecified chains

    #


    #

    # bad_tcp_packets chain

    #


    $IPTABLES -A bad_tcp_packets -p tcp –tcp-flags SYN,ACK SYN,ACK \

    –m state –state NEW -j REJECT –reject-with tcp-reset

    $IPTABLES -A bad_tcp_packets -p tcp ! –syn -m state –state NEW -j LOG \

    –log-prefix «New not syn:»

    $IPTABLES -A bad_tcp_packets -p tcp ! –syn -m state –state NEW -j DROP


    #

    # allowed chain

    #


    $IPTABLES -A allowed -p TCP –syn -j ACCEPT

    $IPTABLES -A allowed -p TCP -m state –state ESTABLISHED,RELATED -j ACCEPT

    $IPTABLES -A allowed -p TCP -j DROP


    #

    # TCP rules

    #


    $IPTABLES -A tcp_packets -p TCP -s 0/0 –dport 21 -j allowed

    $IPTABLES -A tcp_packets -p TCP -s 0/0 –dport 22 -j allowed

    $IPTABLES -A tcp_packets -p TCP -s 0/0 –dport 80 -j allowed

    $IPTABLES -A tcp_packets -p TCP -s 0/0 –dport 113 -j allowed


    #

    # UDP ports

    #


    #$IPTABLES -A udp_packets -p UDP -s 0/0 –destination-port 53 -j ACCEPT

    #$IPTABLES -A udp_packets -p UDP -s 0/0 –destination-port 123 -j ACCEPT

    $IPTABLES -A udp_packets -p UDP -s 0/0 –destination-port 2074 -j ACCEPT

    $IPTABLES -A udp_packets -p UDP -s 0/0 –destination-port 4000 -j ACCEPT


    #

    # In Microsoft Networks you will be swamped by broadcasts. These lines

    # will prevent them from showing up in the logs.

    #


    #$IPTABLES -A udp_packets -p UDP -i $INET_IFACE -d $INET_BROADCAST \

    #–destination-port 135:139 -j DROP


    #

    # If we get DHCP requests from the Outside of our network, our logs will

    # be swamped as well. This rule will block them from getting logged.

    #


    #$IPTABLES -A udp_packets -p UDP -i $INET_IFACE -d 255.255.255.255 \

    #–destination-port 67:68 -j DROP


    #

    # ICMP rules

    #


    $IPTABLES -A icmp_packets -p ICMP -s 0/0 –icmp-type 8 -j ACCEPT

    $IPTABLES -A icmp_packets -p ICMP -s 0/0 –icmp-type 11 -j ACCEPT


    #

    # 4.1.4 INPUT chain

    #


    #

    # Bad TCP packets we don't want.

    #


    $IPTABLES -A INPUT -p tcp -j bad_tcp_packets


    #

    # Rules for special networks not part of the Internet

    #


    $IPTABLES -A INPUT -p ALL -i $LAN_IFACE -s $LAN_IP_RANGE -j ACCEPT

    $IPTABLES -A INPUT -p ALL -i $LO_IFACE -s $LO_IP -j ACCEPT

    $IPTABLES -A INPUT -p ALL -i $LO_IFACE -s $LAN_IP -j ACCEPT

    $IPTABLES -A INPUT -p ALL -i $LO_IFACE -s $INET_IP -j ACCEPT


    #

    # Special rule for DHCP requests from LAN, which are not caught properly

    # otherwise.

    #


    $IPTABLES -A INPUT -p UDP -i $LAN_IFACE –dport 67 –sport 68 -j ACCEPT


    #

    # Rules for incoming packets from the internet.

    #


    $IPTABLES -A INPUT -p ALL -d $INET_IP -m state –state ESTABLISHED,RELATED \

    –j ACCEPT

    $IPTABLES -A INPUT -p TCP -i $INET_IFACE -j tcp_packets

    $IPTABLES -A INPUT -p UDP -i $INET_IFACE -j udp_packets

    $IPTABLES -A INPUT -p ICMP -i $INET_IFACE -j icmp_packets


    #

    # If you have a Microsoft Network on the outside of your firewall, you may

    # also get flooded by Multicasts. We drop them so we do not get flooded by

    # logs

    #


    #$IPTABLES -A INPUT -i $INET_IFACE -d 224.0.0.0/8 -j DROP


    #

    # Log weird packets that don't match the above.

    #


    $IPTABLES -A INPUT -m limit –limit 3/minute –limit-burst 3 -j LOG \

    –log-level DEBUG –log-prefix "IPT INPUT packet died: "


    #

    # 4.1.5 FORWARD chain

    #


    #

    # Bad TCP packets we don't want

    #


    $IPTABLES -A FORWARD -p tcp -j bad_tcp_packets


    #

    # Accept the packets we actually want to forward

    #


    $IPTABLES -A FORWARD -i $LAN_IFACE -j ACCEPT

    $IPTABLES -A FORWARD -m state –state ESTABLISHED,RELATED -j ACCEPT


    #

    # Log weird packets that don't match the above.

    #


    $IPTABLES -A FORWARD -m limit –limit 3/minute –limit-burst 3 -j LOG \

    –log-level DEBUG –log-prefix "IPT FORWARD packet died: "


    #

    # 4.1.6 OUTPUT chain

    #


    #

    # Bad TCP packets we don't want.

    #


    $IPTABLES -A OUTPUT -p tcp -j bad_tcp_packets


    #

    # Special OUTPUT rules to decide which IP's to allow.

    #


    $IPTABLES -A OUTPUT -p ALL -s $LO_IP -j ACCEPT

    $IPTABLES -A OUTPUT -p ALL -s $LAN_IP -j ACCEPT

    $IPTABLES -A OUTPUT -p ALL -s $INET_IP -j ACCEPT


    #

    # Log weird packets that don't match the above.

    #


    $IPTABLES -A OUTPUT -m limit –limit 3/minute –limit-burst 3 -j LOG \

    –log-level DEBUG –log-prefix "IPT OUTPUT packet died: "


    ######

    # 4.2 nat table

    #


    #

    # 4.2.1 Set policies

    #


    #

    # 4.2.2 Create user specified chains

    #


    #

    # 4.2.3 Create content in user specified chains

    #


    #

    # 4.2.4 PREROUTING chain

    #


    #

    # 4.2.5 POSTROUTING chain

    #


    #

    # Enable simple IP Forwarding and Network Address Translation

    #


    $IPTABLES -t nat -A POSTROUTING -o $INET_IFACE -j SNAT –to-source $INET_IP


    #

    # 4.2.6 OUTPUT chain

    #


    ######

    # 4.3 mangle table

    #


    #

    # 4.3.1 Set policies

    #


    #

    # 4.3.2 Create user specified chains

    #


    #

    # 4.3.3 Create content in user specified chains

    #


    #

    # 4.3.4 PREROUTING chain

    #


    #

    # 4.3.5 INPUT chain

    #


    #

    # 4.3.6 FORWARD chain

    #


    #

    # 4.3.7 OUTPUT chain

    #


    #

    # 4.3.8 POSTROUTING chain

    #


    I.2. Ïðèìåð rc.DMZ.firewall

    #!/bin/sh

    #

    # rc.DMZ.firewall – DMZ IP Firewall script for Linux 2.4.x and iptables

    #

    # Copyright (C) 2001 Oskar Andreasson <bluefluxATkoffeinDOTnet>

    #

    # This program is free software; you can redistribute it and/or modify

    # it under the terms of the GNU General Public License as published by

    # the Free Software Foundation; version 2 of the License.

    #

    # This program is distributed in the hope that it will be useful,

    # but WITHOUT ANY WARRANTY; without even the implied warranty of

    # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the

    # GNU General Public License for more details.

    #

    # You should have received a copy of the GNU General Public License

    # along with this program or from the site that you downloaded it

    # from; if not, write to the Free Software Foundation, Inc., 59 Temple

    # Place, Suite 330, Boston, MA 02111-1307 USA

    #


    ###########################################################################

    #

    # 1. Configuration options.

    #


    #

    # 1.1 Internet Configuration.

    #


    INET_IP="194.236.50.152"

    HTTP_IP="194.236.50.153"

    DNS_IP="194.236.50.154"

    INET_IFACE="eth0"


    #

    # 1.1.1 DHCP

    #


    #

    # 1.1.2 PPPoE

    #


    #

    # 1.2 Local Area Network configuration.

    #

    # your LAN's IP range and localhost IP. /24 means to only use the first 24

    # bits of the 32 bit IP address. the same as netmask 255.255.255.0

    #


    LAN_IP="192.168.0.1"

    LAN_IFACE="eth1"


    #

    # 1.3 DMZ Configuration.

    #


    DMZ_HTTP_IP="192.168.1.2"

    DMZ_DNS_IP="192.168.1.3"

    DMZ_IP="192.168.1.1"

    DMZ_IFACE="eth2"


    #

    # 1.4 Localhost Configuration.

    #


    LO_IFACE="lo"

    LO_IP="127.0.0.1"


    #

    # 1.5 IPTables Configuration.

    #


    IPTABLES="/usr/sbin/iptables"


    #

    # 1.6 Other Configuration.

    #


    ###########################################################################

    #

    # 2. Module loading.

    #


    #

    # Needed to initially load modules

    #

    /sbin/depmod -a




    #

    # 2.1 Required modules

    #


    /sbin/modprobe ip_tables

    /sbin/modprobe ip_conntrack

    /sbin/modprobe iptable_filter

    /sbin/modprobe iptable_mangle

    /sbin/modprobe iptable_nat

    /sbin/modprobe ipt_LOG

    /sbin/modprobe ipt_limit

    /sbin/modprobe ipt_state


    #

    # 2.2 Non-Required modules

    #


    #/sbin/modprobe ipt_owner

    #/sbin/modprobe ipt_REJECT

    #/sbin/modprobe ipt_MASQUERADE

    #/sbin/modprobe ip_conntrack_ftp

    #/sbin/modprobe ip_conntrack_irc

    #/sbin/modprobe ip_nat_ftp

    #/sbin/modprobe ip_nat_irc


    ###########################################################################

    #

    # 3. /proc set up.

    #


    #

    # 3.1 Required proc configuration

    #


    echo "1" > /proc/sys/net/ipv4/ip_forward


    #

    # 3.2 Non-Required proc configuration

    #


    #echo "1" > /proc/sys/net/ipv4/conf/all/rp_filter

    #echo "1" > /proc/sys/net/ipv4/conf/all/proxy_arp

    #echo "1" > /proc/sys/net/ipv4/ip_dynaddr


    ###########################################################################

    #

    # 4. rules set up.

    #


    ######

    # 4.1 Filter table

    #


    #

    # 4.1.1 Set policies

    #


    $IPTABLES -P INPUT DROP

    $IPTABLES -P OUTPUT DROP

    $IPTABLES -P FORWARD DROP


    #

    # 4.1.2 Create userspecified chains

    #


    #

    # Create chain for bad tcp packets

    #


    $IPTABLES -N bad_tcp_packets


    #

    # Create separate chains for ICMP, TCP and UDP to traverse

    #


    $IPTABLES -N allowed

    $IPTABLES -N icmp_packets


    #

    # 4.1.3 Create content in userspecified chains

    #


    #

    # bad_tcp_packets chain

    #


    $IPTABLES -A bad_tcp_packets -p tcp –tcp-flags SYN,ACK SYN,ACK \

    –m state –state NEW -j REJECT –reject-with tcp-reset

    $IPTABLES -A bad_tcp_packets -p tcp ! –syn -m state –state NEW -j LOG \

    –log-prefix «New not syn:»

    $IPTABLES -A bad_tcp_packets -p tcp ! –syn -m state –state NEW -j DROP


    #

    # allowed chain

    #


    $IPTABLES -A allowed -p TCP –syn -j ACCEPT

    $IPTABLES -A allowed -p TCP -m state –state ESTABLISHED,RELATED -j ACCEPT

    $IPTABLES -A allowed -p TCP -j DROP


    #

    # ICMP rules

    #


    # Changed rules totally

    $IPTABLES -A icmp_packets -p ICMP -s 0/0 –icmp-type 8 -j ACCEPT

    $IPTABLES -A icmp_packets -p ICMP -s 0/0 –icmp-type 11 -j ACCEPT


    #

    # 4.1.4 INPUT chain

    #


    #

    # Bad TCP packets we don't want

    #


    $IPTABLES -A INPUT -p tcp -j bad_tcp_packets


    #

    # Packets from the Internet to this box

    #


    $IPTABLES -A INPUT -p ICMP -i $INET_IFACE -j icmp_packets


    #

    # Packets from LAN, DMZ or LOCALHOST

    #


    #

    # From DMZ Interface to DMZ firewall IP

    #


    $IPTABLES -A INPUT -p ALL -i $DMZ_IFACE -d $DMZ_IP -j ACCEPT


    #

    # From LAN Interface to LAN firewall IP

    #


    $IPTABLES -A INPUT -p ALL -i $LAN_IFACE -d $LAN_IP -j ACCEPT


    #

    # From Localhost interface to Localhost IP's

    #


    $IPTABLES -A INPUT -p ALL -i $LO_IFACE -s $LO_IP -j ACCEPT

    $IPTABLES -A INPUT -p ALL -i $LO_IFACE -s $LAN_IP -j ACCEPT

    $IPTABLES -A INPUT -p ALL -i $LO_IFACE -s $INET_IP -j ACCEPT


    #

    # Special rule for DHCP requests from LAN, which are not caught properly

    # otherwise.

    #


    $IPTABLES -A INPUT -p UDP -i $LAN_IFACE –dport 67 –sport 68 -j ACCEPT


    #

    # All established and related packets incoming from the internet to the

    # firewall

    #


    $IPTABLES -A INPUT -p ALL -d $INET_IP -m state –state ESTABLISHED,RELATED \

    –j ACCEPT


    #

    # In Microsoft Networks you will be swamped by broadcasts. These lines

    # will prevent them from showing up in the logs.

    #


    #$IPTABLES -A INPUT -p UDP -i $INET_IFACE -d $INET_BROADCAST \

    #–destination-port 135:139 -j DROP


    #

    # If we get DHCP requests from the Outside of our network, our logs will

    # be swamped as well. This rule will block them from getting logged.

    #


    #$IPTABLES -A INPUT -p UDP -i $INET_IFACE -d 255.255.255.255 \

    #–destination-port 67:68 -j DROP


    #

    # If you have a Microsoft Network on the outside of your firewall, you may

    # also get flooded by Multicasts. We drop them so we do not get flooded by

    # logs

    #


    #$IPTABLES -A INPUT -i $INET_IFACE -d 224.0.0.0/8 -j DROP


    #

    # Log weird packets that don't match the above.

    #


    $IPTABLES -A INPUT -m limit –limit 3/minute –limit-burst 3 -j LOG \

    –log-level DEBUG –log-prefix "IPT INPUT packet died: "


    #

    # 4.1.5 FORWARD chain

    #


    #

    # Bad TCP packets we don't want

    #


    $IPTABLES -A FORWARD -p tcp -j bad_tcp_packets



    #

    # DMZ section

    #

    # General rules

    #


    $IPTABLES -A FORWARD -i $DMZ_IFACE -o $INET_IFACE -j ACCEPT

    $IPTABLES -A FORWARD -i $INET_IFACE -o $DMZ_IFACE -m state \

    –state ESTABLISHED,RELATED -j ACCEPT

    $IPTABLES -A FORWARD -i $LAN_IFACE -o $DMZ_IFACE -j ACCEPT

    $IPTABLES -A FORWARD -i $DMZ_IFACE -o $LAN_IFACE -m state \

    –state ESTABLISHED,RELATED -j ACCEPT


    #

    # HTTP server

    #


    $IPTABLES -A FORWARD -p TCP -i $INET_IFACE -o $DMZ_IFACE -d $DMZ_HTTP_IP \

    –dport 80 -j allowed

    $IPTABLES -A FORWARD -p ICMP -i $INET_IFACE -o $DMZ_IFACE -d $DMZ_HTTP_IP \

    –j icmp_packets


    #

    # DNS server

    #


    $IPTABLES -A FORWARD -p TCP -i $INET_IFACE -o $DMZ_IFACE -d $DMZ_DNS_IP \

    –dport 53 -j allowed

    $IPTABLES -A FORWARD -p UDP -i $INET_IFACE -o $DMZ_IFACE -d $DMZ_DNS_IP \

    –dport 53 -j ACCEPT

    $IPTABLES -A FORWARD -p ICMP -i $INET_IFACE -o $DMZ_IFACE -d $DMZ_DNS_IP \

    –j icmp_packets


    #

    # LAN section

    #


    $IPTABLES -A FORWARD -i $LAN_IFACE -j ACCEPT

    $IPTABLES -A FORWARD -m state –state ESTABLISHED,RELATED -j ACCEPT


    #

    # Log weird packets that don't match the above.

    #


    $IPTABLES -A FORWARD -m limit –limit 3/minute –limit-burst 3 -j LOG \

    –log-level DEBUG –log-prefix "IPT FORWARD packet died: "


    #

    # 4.1.6 OUTPUT chain

    #


    #

    # Bad TCP packets we don't want.

    #


    $IPTABLES -A OUTPUT -p tcp -j bad_tcp_packets


    #

    # Special OUTPUT rules to decide which IP's to allow.

    #


    $IPTABLES -A OUTPUT -p ALL -s $LO_IP -j ACCEPT

    $IPTABLES -A OUTPUT -p ALL -s $LAN_IP -j ACCEPT

    $IPTABLES -A OUTPUT -p ALL -s $INET_IP -j ACCEPT


    #

    # Log weird packets that don't match the above.

    #


    $IPTABLES -A OUTPUT -m limit –limit 3/minute –limit-burst 3 -j LOG \

    –log-level DEBUG –log-prefix "IPT OUTPUT packet died: "


    ######

    # 4.2 nat table

    #


    #

    # 4.2.1 Set policies

    #


    #

    # 4.2.2 Create user specified chains

    #


    #

    # 4.2.3 Create content in user specified chains

    #


    #

    # 4.2.4 PREROUTING chain

    #


    $IPTABLES -t nat -A PREROUTING -p TCP -i $INET_IFACE -d $HTTP_IP –dport 80 \

    –j DNAT –to-destination $DMZ_HTTP_IP

    $IPTABLES -t nat -A PREROUTING -p TCP -i $INET_IFACE -d $DNS_IP –dport 53 \

    –j DNAT –to-destination $DMZ_DNS_IP

    $IPTABLES -t nat -A PREROUTING -p UDP -i $INET_IFACE -d $DNS_IP –dport 53 \

    –j DNAT –to-destination $DMZ_DNS_IP


    #

    # 4.2.5 POSTROUTING chain

    #


    #

    # Enable simple IP Forwarding and Network Address Translation

    #


    $IPTABLES -t nat -A POSTROUTING -o $INET_IFACE -j SNAT –to-source $INET_IP


    #

    # 4.2.6 OUTPUT chain

    #


    ######

    # 4.3 mangle table

    #


    #

    # 4.3.1 Set policies

    #


    #

    # 4.3.2 Create user specified chains

    #


    #

    # 4.3.3 Create content in user specified chains

    #


    #

    # 4.3.4 PREROUTING chain

    #


    #

    # 4.3.5 INPUT chain

    #


    #

    # 4.3.6 FORWARD chain

    #


    #

    # 4.3.7 OUTPUT chain

    #


    #

    # 4.3.8 POSTROUTING chain

    #

    I.3. Ïðèìåð rc.UTIN.firewall

    #!/bin/sh

    #

    # rc.firewall – UTIN Firewall script for Linux 2.4.x and iptables

    #

    # Copyright (C) 2001 Oskar Andreasson <bluefluxATkoffeinDOTnet>

    #

    # This program is free software; you can redistribute it and/or modify

    # it under the terms of the GNU General Public License as published by

    # the Free Software Foundation; version 2 of the License.

    #

    # This program is distributed in the hope that it will be useful,

    # but WITHOUT ANY WARRANTY; without even the implied warranty of

    # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the

    # GNU General Public License for more details.

    #

    # You should have received a copy of the GNU General Public License

    # along with this program or from the site that you downloaded it

    # from; if not, write to the Free Software Foundation, Inc., 59 Temple

    # Place, Suite 330, Boston, MA 02111-1307 USA

    #


    ###########################################################################

    #

    # 1. Configuration options.

    #


    #

    # 1.1 Internet Configuration.

    #


    INET_IP="194.236.50.155"

    INET_IFACE="eth0"

    INET_BROADCAST="194.236.50.255"


    #

    # 1.1.1 DHCP

    #


    #

    # 1.1.2 PPPoE

    #


    #

    # 1.2 Local Area Network configuration.

    #

    # your LAN's IP range and localhost IP. /24 means to only use the first 24

    # bits of the 32 bit IP address. the same as netmask 255.255.255.0

    #


    LAN_IP="192.168.0.2"

    LAN_IP_RANGE="192.168.0.0/16"

    LAN_IFACE="eth1"


    #

    # 1.3 DMZ Configuration.

    #


    #

    # 1.4 Localhost Configuration.

    #


    LO_IFACE="lo"

    LO_IP="127.0.0.1"


    #

    # 1.5 IPTables Configuration.

    #


    IPTABLES="/usr/sbin/iptables"


    #

    # 1.6 Other Configuration.

    #


    ###########################################################################

    #

    # 2. Module loading.

    #


    #

    # Needed to initially load modules

    #


    /sbin/depmod -a


    #

    # 2.1 Required modules

    #


    /sbin/modprobe ip_tables

    /sbin/modprobe ip_conntrack

    /sbin/modprobe iptable_filter

    /sbin/modprobe iptable_mangle

    /sbin/modprobe iptable_nat

    /sbin/modprobe ipt_LOG

    /sbin/modprobe ipt_limit

    /sbin/modprobe ipt_state


    #

    # 2.2 Non-Required modules

    #


    #/sbin/modprobe ipt_owner

    #/sbin/modprobe ipt_REJECT

    #/sbin/modprobe ipt_MASQUERADE

    #/sbin/modprobe ip_conntrack_ftp

    #/sbin/modprobe ip_conntrack_irc

    #/sbin/modprobe ip_nat_ftp

    #/sbin/modprobe ip_nat_irc


    ###########################################################################

    #

    # 3. /proc set up.

    #


    #

    # 3.1 Required proc configuration

    #


    echo "1" > /proc/sys/net/ipv4/ip_forward


    #

    # 3.2 Non-Required proc configuration

    #


    #echo "1" > /proc/sys/net/ipv4/conf/all/rp_filter

    #echo "1" > /proc/sys/net/ipv4/conf/all/proxy_arp

    #echo "1" > /proc/sys/net/ipv4/ip_dynaddr


    ###########################################################################

    #

    # 4. rules set up.

    #


    ######

    # 4.1 Filter table

    #


    #

    # 4.1.1 Set policies

    #


    $IPTABLES -P INPUT DROP

    $IPTABLES -P OUTPUT DROP

    $IPTABLES -P FORWARD DROP


    #

    # 4.1.2 Create userspecified chains

    #


    #

    # Create chain for bad tcp packets

    #


    $IPTABLES -N bad_tcp_packets


    #

    # Create separate chains for ICMP, TCP and UDP to traverse

    #


    $IPTABLES -N allowed

    $IPTABLES -N tcp_packets

    $IPTABLES -N udp_packets

    $IPTABLES -N icmp_packets


    #

    # 4.1.3 Create content in userspecified chains

    #


    #

    # bad_tcp_packets chain

    #


    $IPTABLES -A bad_tcp_packets -p tcp –tcp-flags SYN,ACK SYN,ACK \

    –m state –state NEW -j REJECT –reject-with tcp-reset

    $IPTABLES -A bad_tcp_packets -p tcp ! –syn -m state –state NEW -j LOG \

    –log-prefix «New not syn:»

    $IPTABLES -A bad_tcp_packets -p tcp ! –syn -m state –state NEW -j DROP


    #

    # allowed chain

    #


    $IPTABLES -A allowed -p TCP –syn -j ACCEPT

    $IPTABLES -A allowed -p TCP -m state –state ESTABLISHED,RELATED -j ACCEPT

    $IPTABLES -A allowed -p TCP -j DROP


    #

    # TCP rules

    #


    $IPTABLES -A tcp_packets -p TCP -s 0/0 –dport 21 -j allowed

    $IPTABLES -A tcp_packets -p TCP -s 0/0 –dport 22 -j allowed

    $IPTABLES -A tcp_packets -p TCP -s 0/0 –dport 80 -j allowed

    $IPTABLES -A tcp_packets -p TCP -s 0/0 –dport 113 -j allowed


    #

    # UDP ports

    #


    #$IPTABLES -A udp_packets -p UDP -s 0/0 –source-port 53 -j ACCEPT

    #$IPTABLES -A udp_packets -p UDP -s 0/0 –source-port 123 -j ACCEPT

    $IPTABLES -A udp_packets -p UDP -s 0/0 –source-port 2074 -j ACCEPT

    $IPTABLES -A udp_packets -p UDP -s 0/0 –source-port 4000 -j ACCEPT


    #

    # In Microsoft Networks you will be swamped by broadcasts. These lines

    # will prevent them from showing up in the logs.

    #


    #$IPTABLES -A udp_packets -p UDP -i $INET_IFACE -d $INET_BROADCAST \

    #–destination-port 135:139 -j DROP


    #

    # If we get DHCP requests from the Outside of our network, our logs will

    # be swamped as well. This rule will block them from getting logged.

    #


    #$IPTABLES -A udp_packets -p UDP -i $INET_IFACE -d 255.255.255.255 \

    #–destination-port 67:68 -j DROP


    #

    # ICMP rules

    #


    $IPTABLES -A icmp_packets -p ICMP -s 0/0 –icmp-type 8 -j ACCEPT

    $IPTABLES -A icmp_packets -p ICMP -s 0/0 –icmp-type 11 -j ACCEPT


    #

    # 4.1.4 INPUT chain

    #


    #

    # Bad TCP packets we don't want.

    #


    $IPTABLES -A INPUT -p tcp -j bad_tcp_packets


    #

    # Rules for special networks not part of the Internet

    #


    $IPTABLES -A INPUT -p ALL -i $LO_IFACE -s $LO_IP -j ACCEPT

    $IPTABLES -A INPUT -p ALL -i $LO_IFACE -s $LAN_IP -j ACCEPT

    $IPTABLES -A INPUT -p ALL -i $LO_IFACE -s $INET_IP -j ACCEPT


    #

    # Rules for incoming packets from anywhere.

    #


    $IPTABLES -A INPUT -p ALL -d $INET_IP -m state –state ESTABLISHED,RELATED \

    –j ACCEPT

    $IPTABLES -A INPUT -p TCP -j tcp_packets

    $IPTABLES -A INPUT -p UDP -j udp_packets

    $IPTABLES -A INPUT -p ICMP -j icmp_packets


    #

    # If you have a Microsoft Network on the outside of your firewall, you may

    # also get flooded by Multicasts. We drop them so we do not get flooded by

    # logs

    #


    #$IPTABLES -A INPUT -i $INET_IFACE -d 224.0.0.0/8 -j DROP


    #

    # Log weird packets that don't match the above.

    #


    $IPTABLES -A INPUT -m limit –limit 3/minute –limit-burst 3 -j LOG \

    –log-level DEBUG –log-prefix "IPT INPUT packet died: "


    #

    # 4.1.5 FORWARD chain

    #


    #

    # Bad TCP packets we don't want

    #


    $IPTABLES -A FORWARD -p tcp -j bad_tcp_packets


    #

    # Accept the packets we actually want to forward

    #


    $IPTABLES -A FORWARD -p tcp –dport 21 -i $LAN_IFACE -j ACCEPT

    $IPTABLES -A FORWARD -p tcp –dport 80 -i $LAN_IFACE -j ACCEPT

    $IPTABLES -A FORWARD -p tcp –dport 110 -i $LAN_IFACE -j ACCEPT

    $IPTABLES -A FORWARD -m state –state ESTABLISHED,RELATED -j ACCEPT


    #

    # Log weird packets that don't match the above.

    #


    $IPTABLES -A FORWARD -m limit –limit 3/minute –limit-burst 3 -j LOG \

    –log-level DEBUG –log-prefix "IPT FORWARD packet died: "


    #

    # 4.1.6 OUTPUT chain

    #


    #

    # Bad TCP packets we don't want.

    #


    $IPTABLES -A OUTPUT -p tcp -j bad_tcp_packets


    #

    # Special OUTPUT rules to decide which IP's to allow.

    #


    $IPTABLES -A OUTPUT -p ALL -s $LO_IP -j ACCEPT

    $IPTABLES -A OUTPUT -p ALL -s $LAN_IP -j ACCEPT

    $IPTABLES -A OUTPUT -p ALL -s $INET_IP -j ACCEPT


    #

    # Log weird packets that don't match the above.

    #


    $IPTABLES -A OUTPUT -m limit –limit 3/minute –limit-burst 3 -j LOG \

    –log-level DEBUG –log-prefix "IPT OUTPUT packet died: "


    ######

    # 4.2 nat table

    #


    #

    # 4.2.1 Set policies

    #


    #

    # 4.2.2 Create user specified chains

    #


    #

    # 4.2.3 Create content in user specified chains

    #


    #

    # 4.2.4 PREROUTING chain

    #


    #

    # 4.2.5 POSTROUTING chain

    #


    #

    # Enable simple IP Forwarding and Network Address Translation

    #


    $IPTABLES -t nat -A POSTROUTING -o $INET_IFACE -j SNAT –to-source $INET_IP


    #

    # 4.2.6 OUTPUT chain

    #


    ######

    # 4.3 mangle table

    #


    #

    # 4.3.1 Set policies

    #


    #

    # 4.3.2 Create user specified chains

    #


    #

    # 4.3.3 Create content in user specified chains

    #


    #

    # 4.3.4 PREROUTING chain

    #


    #

    # 4.3.5 INPUT chain

    #


    #

    # 4.3.6 FORWARD chain

    #


    #

    # 4.3.7 OUTPUT chain

    #


    #

    # 4.3.8 POSTROUTING chain

    #

    I.4. Ïðèìåð rc.DHCP.firewall

    #!/bin/sh

    #

    # rc.firewall – DHCP IP Firewall script for Linux 2.4.x and iptables

    #

    # Copyright (C) 2001 Oskar Andreasson <bluefluxATkoffeinDOTnet>

    #

    # This program is free software; you can redistribute it and/or modify

    # it under the terms of the GNU General Public License as published by

    # the Free Software Foundation; version 2 of the License.

    #

    # This program is distributed in the hope that it will be useful,

    # but WITHOUT ANY WARRANTY; without even the implied warranty of

    # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the

    # GNU General Public License for more details.

    #

    # You should have received a copy of the GNU General Public License

    # along with this program or from the site that you downloaded it

    # from; if not, write to the Free Software Foundation, Inc., 59 Temple

    # Place, Suite 330, Boston, MA 02111-1307 USA

    #


    ###########################################################################

    #

    # 1. Configuration options.

    #


    #

    # 1.1 Internet Configuration.

    #


    INET_IFACE="eth0"


    #

    # 1.1.1 DHCP

    #


    #

    # Information pertaining to DHCP over the Internet, if needed.

    #

    # Set DHCP variable to no if you don't get IP from DHCP. If you get DHCP

    # over the Internet set this variable to yes, and set up the proper IP

    # address for the DHCP server in the DHCP_SERVER variable.

    #


    DHCP="no"

    DHCP_SERVER="195.22.90.65"


    #

    # 1.1.2 PPPoE

    #


    # Configuration options pertaining to PPPoE.

    #

    # If you have problem with your PPPoE connection, such as large mails not

    # getting through while small mail get through properly etc, you may set

    # this option to «yes» which may fix the problem. This option will set a

    # rule in the PREROUTING chain of the mangle table which will clamp

    # (resize) all routed packets to PMTU (Path Maximum Transmit Unit).

    #

    # Note that it is better to set this up in the PPPoE package itself, since

    # the PPPoE configuration option will give less overhead.

    #


    PPPOE_PMTU="no"


    #

    # 1.2 Local Area Network configuration.

    #

    # your LAN's IP range and localhost IP. /24 means to only use the first 24

    # bits of the 32 bit IP address. the same as netmask 255.255.255.0

    #


    LAN_IP="192.168.0.2"

    LAN_IP_RANGE="192.168.0.0/16"

    LAN_IFACE="eth1"


    #

    # 1.3 DMZ Configuration.

    #


    #

    # 1.4 Localhost Configuration.

    #


    LO_IFACE="lo"

    LO_IP="127.0.0.1"


    #

    # 1.5 IPTables Configuration.

    #


    IPTABLES="/usr/sbin/iptables"


    #

    # 1.6 Other Configuration.

    #


    ###########################################################################

    #

    # 2. Module loading.

    #


    #

    # Needed to initially load modules

    #


    /sbin/depmod -a


    #

    # 2.1 Required modules

    #


    /sbin/modprobe ip_conntrack

    /sbin/modprobe ip_tables

    /sbin/modprobe iptable_filter

    /sbin/modprobe iptable_mangle

    /sbin/modprobe iptable_nat

    /sbin/modprobe ipt_LOG

    /sbin/modprobe ipt_limit

    /sbin/modprobe ipt_MASQUERADE


    #

    # 2.2 Non-Required modules

    #


    #/sbin/modprobe ipt_owner

    #/sbin/modprobe ipt_REJECT

    #/sbin/modprobe ip_conntrack_ftp

    #/sbin/modprobe ip_conntrack_irc

    #/sbin/modprobe ip_nat_ftp

    #/sbin/modprobe ip_nat_irc


    ###########################################################################

    #

    # 3. /proc set up.

    #


    #

    # 3.1 Required proc configuration

    #


    echo "1" > /proc/sys/net/ipv4/ip_forward


    #

    # 3.2 Non-Required proc configuration

    #


    #echo "1" > /proc/sys/net/ipv4/conf/all/rp_filter

    #echo "1" > /proc/sys/net/ipv4/conf/all/proxy_arp

    #echo "1" > /proc/sys/net/ipv4/ip_dynaddr


    ###########################################################################

    #

    # 4. rules set up.

    #


    ######

    # 4.1 Filter table

    #


    #

    # 4.1.1 Set policies

    #


    $IPTABLES -P INPUT DROP

    $IPTABLES -P OUTPUT DROP

    $IPTABLES -P FORWARD DROP


    #

    # 4.1.2 Create userspecified chains

    #


    #

    # Create chain for bad tcp packets

    #


    $IPTABLES -N bad_tcp_packets


    #

    # Create separate chains for ICMP, TCP and UDP to traverse

    #


    $IPTABLES -N allowed

    $IPTABLES -N tcp_packets

    $IPTABLES -N udp_packets

    $IPTABLES -N icmp_packets


    #

    # 4.1.3 Create content in userspecified chains

    #


    #

    # bad_tcp_packets chain

    #


    $IPTABLES -A bad_tcp_packets -p tcp –tcp-flags SYN,ACK SYN,ACK \

    –m state –state NEW -j REJECT –reject-with tcp-reset

    $IPTABLES -A bad_tcp_packets -p tcp ! –syn -m state –state NEW -j LOG \

    –log-prefix «New not syn:»

    $IPTABLES -A bad_tcp_packets -p tcp ! –syn -m state –state NEW -j DROP


    #

    # allowed chain

    #


    $IPTABLES -A allowed -p TCP –syn -j ACCEPT

    $IPTABLES -A allowed -p TCP -m state –state ESTABLISHED,RELATED -j ACCEPT

    $IPTABLES -A allowed -p TCP -j DROP


    #

    # TCP rules

    #


    $IPTABLES -A tcp_packets -p TCP -s 0/0 –dport 21 -j allowed

    $IPTABLES -A tcp_packets -p TCP -s 0/0 –dport 22 -j allowed

    $IPTABLES -A tcp_packets -p TCP -s 0/0 –dport 80 -j allowed

    $IPTABLES -A tcp_packets -p TCP -s 0/0 –dport 113 -j allowed


    #

    # UDP ports

    #


    $IPTABLES -A udp_packets -p UDP -s 0/0 –source-port 53 -j ACCEPT

    if [ $DHCP == «yes» ] ; then

    $IPTABLES -A udp_packets -p UDP -s $DHCP_SERVER –sport 67 \

    –dport 68 -j ACCEPT

    fi


    #$IPTABLES -A udp_packets -p UDP -s 0/0 –source-port 53 -j ACCEPT

    #$IPTABLES -A udp_packets -p UDP -s 0/0 –source-port 123 -j ACCEPT

    $IPTABLES -A udp_packets -p UDP -s 0/0 –source-port 2074 -j ACCEPT

    $IPTABLES -A udp_packets -p UDP -s 0/0 –source-port 4000 -j ACCEPT


    #

    # In Microsoft Networks you will be swamped by broadcasts. These lines

    # will prevent them from showing up in the logs.

    #


    #$IPTABLES -A udp_packets -p UDP -i $INET_IFACE \

    #–destination-port 135:139 -j DROP


    #

    # If we get DHCP requests from the Outside of our network, our logs will

    # be swamped as well. This rule will block them from getting logged.

    #


    #$IPTABLES -A udp_packets -p UDP -i $INET_IFACE -d 255.255.255.255 \

    #–destination-port 67:68 -j DROP


    #

    # ICMP rules

    #


    $IPTABLES -A icmp_packets -p ICMP -s 0/0 –icmp-type 8 -j ACCEPT

    $IPTABLES -A icmp_packets -p ICMP -s 0/0 –icmp-type 11 -j ACCEPT


    #

    # 4.1.4 INPUT chain

    #


    #

    # Bad TCP packets we don't want.

    #


    $IPTABLES -A INPUT -p tcp -j bad_tcp_packets


    #

    # Rules for special networks not part of the Internet

    #


    $IPTABLES -A INPUT -p ALL -i $LAN_IFACE -s $LAN_IP_RANGE -j ACCEPT

    $IPTABLES -A INPUT -p ALL -i $LO_IFACE -j ACCEPT


    #

    # Special rule for DHCP requests from LAN, which are not caught properly

    # otherwise.

    #


    $IPTABLES -A INPUT -p UDP -i $LAN_IFACE –dport 67 –sport 68 -j ACCEPT


    #

    # Rules for incoming packets from the internet.

    #


    $IPTABLES -A INPUT -p ALL -i $INET_IFACE -m state –state ESTABLISHED,RELATED \

    –j ACCEPT

    $IPTABLES -A INPUT -p TCP -i $INET_IFACE -j tcp_packets

    $IPTABLES -A INPUT -p UDP -i $INET_IFACE -j udp_packets

    $IPTABLES -A INPUT -p ICMP -i $INET_IFACE -j icmp_packets


    #

    # If you have a Microsoft Network on the outside of your firewall, you may

    # also get flooded by Multicasts. We drop them so we do not get flooded by

    # logs

    #


    #$IPTABLES -A INPUT -i $INET_IFACE -d 224.0.0.0/8 -j DROP


    #

    # Log weird packets that don't match the above.

    #


    $IPTABLES -A INPUT -m limit –limit 3/minute –limit-burst 3 -j LOG \

    –log-level DEBUG –log-prefix "IPT INPUT packet died: "


    #

    # 4.1.5 FORWARD chain

    #


    #

    # Bad TCP packets we don't want

    #


    $IPTABLES -A FORWARD -p tcp -j bad_tcp_packets


    #

    # Accept the packets we actually want to forward

    #


    $IPTABLES -A FORWARD -i $LAN_IFACE -j ACCEPT

    $IPTABLES -A FORWARD -m state –state ESTABLISHED,RELATED -j ACCEPT


    #

    # Log weird packets that don't match the above.

    #


    $IPTABLES -A FORWARD -m limit –limit 3/minute –limit-burst 3 -j LOG \

    –log-level DEBUG –log-prefix "IPT FORWARD packet died: "


    #

    # 4.1.6 OUTPUT chain

    #


    #

    # Bad TCP packets we don't want.

    #


    $IPTABLES -A OUTPUT -p tcp -j bad_tcp_packets


    #

    # Special OUTPUT rules to decide which IP's to allow.

    #


    $IPTABLES -A OUTPUT -p ALL -s $LO_IP -j ACCEPT

    $IPTABLES -A OUTPUT -p ALL -s $LAN_IP -j ACCEPT

    $IPTABLES -A OUTPUT -p ALL -o $INET_IFACE -j ACCEPT


    #

    # Log weird packets that don't match the above.

    #


    $IPTABLES -A OUTPUT -m limit –limit 3/minute –limit-burst 3 -j LOG \

    –log-level DEBUG –log-prefix "IPT OUTPUT packet died: "


    ######

    # 4.2 nat table

    #


    #

    # 4.2.1 Set policies

    #


    #

    # 4.2.2 Create user specified chains

    #


    #

    # 4.2.3 Create content in user specified chains

    #


    #

    # 4.2.4 PREROUTING chain

    #


    #

    # 4.2.5 POSTROUTING chain

    #


    if [ $PPPOE_PMTU == «yes» ] ; then

    $IPTABLES -t nat -A POSTROUTING -p tcp –tcp-flags SYN,RST SYN \

    –j TCPMSS –clamp-mss-to-pmtu

    fi

    $IPTABLES -t nat -A POSTROUTING -o $INET_IFACE -j MASQUERADE


    #

    # 4.2.6 OUTPUT chain

    #


    ######

    # 4.3 mangle table

    #


    #

    # 4.3.1 Set policies

    #


    #

    # 4.3.2 Create user specified chains

    #


    #

    # 4.3.3 Create content in user specified chains

    #


    #

    # 4.3.4 PREROUTING chain

    #


    #

    # 4.3.5 INPUT chain

    #


    #

    # 4.3.6 FORWARD chain

    #


    #

    # 4.3.7 OUTPUT chain

    #


    #

    # 4.3.8 POSTROUTING chain

    #

    I.5. Ïðèìåð rc.flush-iptables

    #!/bin/sh

    #

    # rc.flush-iptables – Resets iptables to default values.

    #

    # Copyright (C) 2001 Oskar Andreasson <bluefluxATkoffeinDOTnet>

    #

    # This program is free software; you can redistribute it and/or modify

    # it under the terms of the GNU General Public License as published by

    # the Free Software Foundation; version 2 of the License.

    #

    # This program is distributed in the hope that it will be useful,

    # but WITHOUT ANY WARRANTY; without even the implied warranty of

    # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the

    # GNU General Public License for more details.

    #

    # You should have received a copy of the GNU General Public License

    # along with this program or from the site that you downloaded it

    # from; if not, write to the Free Software Foundation, Inc., 59 Temple

    # Place, Suite 330, Boston, MA 02111-1307 USA


    #

    # Configurations

    #

    IPTABLES="/usr/sbin/iptables"


    #

    # reset the default policies in the filter table.

    #

    $IPTABLES -P INPUT ACCEPT

    $IPTABLES -P FORWARD ACCEPT

    $IPTABLES -P OUTPUT ACCEPT


    #

    # reset the default policies in the nat table.

    #

    $IPTABLES -t nat -P PREROUTING ACCEPT

    $IPTABLES -t nat -P POSTROUTING ACCEPT

    $IPTABLES -t nat -P OUTPUT ACCEPT


    #

    # reset the default policies in the mangle table.

    #

    $IPTABLES -t mangle -P PREROUTING ACCEPT

    $IPTABLES -t mangle -P OUTPUT ACCEPT


    #

    # flush all the rules in the filter and nat tables.

    #

    $IPTABLES -F

    $IPTABLES -t nat -F

    $IPTABLES -t mangle -F

    #

    # erase all chains that's not default in filter and nat table.

    #

    $IPTABLES -X

    $IPTABLES -t nat -X

    $IPTABLES -t mangle -X

    I.6. Ïðèìåð rc.test-iptables

    #!/bin/bash

    #

    # rc.test-iptables – test script for iptables chains and tables.

    #

    # Copyright (C) 2001 Oskar Andreasson <bluefluxATkoffeinDOTnet>

    #

    # This program is free software; you can redistribute it and/or modify

    # it under the terms of the GNU General Public License as published by

    # the Free Software Foundation; version 2 of the License.

    #

    # This program is distributed in the hope that it will be useful,

    # but WITHOUT ANY WARRANTY; without even the implied warranty of

    # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the

    # GNU General Public License for more details.

    #

    # You should have received a copy of the GNU General Public License

    # along with this program or from the site that you downloaded it

    # from; if not, write to the Free Software Foundation, Inc., 59 Temple

    # Place, Suite 330, Boston, MA 02111-1307 USA

    #


    #

    # Filter table, all chains

    #

    iptables -t filter -A INPUT -p icmp –icmp-type echo-request \

    –j LOG –log-prefix="filter INPUT:"

    iptables -t filter -A INPUT -p icmp –icmp-type echo-reply \

    –j LOG –log-prefix="filter INPUT:"

    iptables -t filter -A OUTPUT -p icmp –icmp-type echo-request \

    –j LOG –log-prefix="filter OUTPUT:"

    iptables -t filter -A OUTPUT -p icmp –icmp-type echo-reply \

    –j LOG –log-prefix="filter OUTPUT:"

    iptables -t filter -A FORWARD -p icmp –icmp-type echo-request \

    –j LOG –log-prefix="filter FORWARD:"

    iptables -t filter -A FORWARD -p icmp –icmp-type echo-reply \

    –j LOG –log-prefix="filter FORWARD:"


    #

    # NAT table, all chains except OUTPUT which don't work.

    #

    iptables -t nat -A PREROUTING -p icmp –icmp-type echo-request \

    –j LOG –log-prefix="nat PREROUTING:"

    iptables -t nat -A PREROUTING -p icmp –icmp-type echo-reply \

    –j LOG –log-prefix="nat PREROUTING:"

    iptables -t nat -A POSTROUTING -p icmp –icmp-type echo-request \

    –j LOG –log-prefix="nat POSTROUTING:"

    iptables -t nat -A POSTROUTING -p icmp –icmp-type echo-reply \

    –j LOG –log-prefix="nat POSTROUTING:"

    iptables -t nat -A OUTPUT -p icmp –icmp-type echo-request \

    –j LOG –log-prefix="nat OUTPUT:"

    iptables -t nat -A OUTPUT -p icmp –icmp-type echo-reply \

    –j LOG –log-prefix="nat OUTPUT:"


    #

    # Mangle table, all chains

    #

    iptables -t mangle -A PREROUTING -p icmp –icmp-type echo-request \

    –j LOG –log-prefix="mangle PREROUTING:"

    iptables -t mangle -A PREROUTING -p icmp –icmp-type echo-reply \

    –j LOG –log-prefix="mangle PREROUTING:"

    iptables -t mangle -I FORWARD 1 -p icmp –icmp-type echo-request \

    –j LOG –log-prefix="mangle FORWARD:"

    iptables -t mangle -I FORWARD 1 -p icmp –icmp-type echo-reply \

    –j LOG –log-prefix="mangle FORWARD:"

    iptables -t mangle -I INPUT 1 -p icmp –icmp-type echo-request \

    –j LOG –log-prefix="mangle INPUT:"

    iptables -t mangle -I INPUT 1 -p icmp –icmp-type echo-reply \

    –j LOG –log-prefix="mangle INPUT:"

    iptables -t mangle -A OUTPUT -p icmp –icmp-type echo-request \

    –j LOG –log-prefix="mangle OUTPUT:"

    iptables -t mangle -A OUTPUT -p icmp –icmp-type echo-reply \

    –j LOG –log-prefix="mangle OUTPUT:"

    iptables -t mangle -I POSTROUTING 1 -p icmp –icmp-type echo-request \

    –j LOG –log-prefix="mangle POSTROUTING:"

    iptables -t mangle -I POSTROUTING 1 -p icmp –icmp-type echo-reply \

    –j LOG –log-prefix="mangle POSTROUTING:"










    Ãëàâíàÿ |  èçáðàííîå | Íàø E-MAIL | Äîáàâèòü ìàòåðèàë | Íàø¸ë îøèáêó | Íàâåðõ