10mn Guide to IPChains

Setting up a firewall with Linux 2.2.x and IPChains requires typing long, boring lines of instructions to tell it which packets are allowed to go through, and which packets must be kept out. Thankfully, some GUI-based applications make it a snap to set up IPchains.

Rules are gathered in three sets, called chains: INPUT (when a packet enters any network interface on the firewall), FORWARD (when a packet is routed through the firewall), and OUTPUT (when a packet leaves any interface on the firewall.)

Each rule requires setting up a destination ("target"), ie. what to do if the condition matches. Possibles choices are ACCEPT, DENY (ignore), REJECT (reject with an ICMP error message), MASQ (masquerade), REDIRECT (only used in the INPUT chain to provide transparent proxying), RETURN (used in user-defined chains.)

Chains can be handled with the following switches:

Rules can be handled with the following switches: Important: Chain processing stops at the first rule that matches a condition, so order is important.

Basic configuration

#!/bin/sh
#
# Invoked from /etc/rc.d/init.d/firewall.
# chkconfig: - 60 95
# description: Starts and stops the IPCHAINS Firewall \
#              used to provide Firewall network services.

# Source function library.
. /etc/rc.d/init.d/functions

# Source networking configuration.
. /etc/sysconfig/network

# Check that networking is up.
if [ ${NETWORKING} = "no" ]
then
        exit 0
fi

if [ ! -x /sbin/ipchains ]; then
    exit 0
fi

# See how we were called.
case "$1" in
  start)
        echo -n "Starting Firewalling Services: "

# Some definitions for easy maintenance.

# ----------------------------------------------------------------------------
#  EDIT THESE TO SUIT YOUR SYSTEM AND ISP.

EXTERNAL_INTERFACE="eth1"            	# Internet connected interface
LOCAL_INTERFACE_1="eth0"		# Internal LAN interface
LOOPBACK_INTERFACE="lo"                	# Your local naming convention
IPADDR="10.0.0.1"                 	# Your IP address
IPADDR_LOCAL="192.168.0.20"		# Your IP address
LOCALNET_1="192.168.0.0/24"            	# Whatever private range you use

#IPSECSG="my.ipsecsg.address"     	# Space separated list of remote VPN gateways
#FREESWANVI="ipsec0"              	# Space separated list of virtual interfaces
ANYWHERE="any/0"                       	# Match any IP address

NAMESERVER_1="10.0.0.1"		# Everyone must have at least one
NAMESERVER_2="10.0.0.2"		# Your secondary name server
MY_ISP="10.0.0.0/24"       	# ISP & NOC address range

SMTP_SERVER="10.0.0.1"           	# Your Mail Hub Server.
POP_SERVER="10.0.0.1"          	# External pop server, if any

#NEWS_SERVER="my.news.server"        	# External news server, if any
#SYSLOG_SERVER="syslog.internal.server" 	# Your syslog internal server

LOOPBACK="127.0.0.0/8"                 	# Reserved loopback address range
CLASS_A="10.0.0.0/8"                   	# Class A private networks
CLASS_B="172.16.0.0/12"                	# Class B private networks
CLASS_C="192.168.0.0/16"               	# Class C private networks
CLASS_D_MULTICAST="224.0.0.0/4"        	# Class D multicast addresses
CLASS_E_RESERVED_NET="240.0.0.0/5"  	# Class E reserved addresses
BROADCAST_SRC="0.0.0.0"                	# Broadcast source address
BROADCAST_DEST="255.255.255.255"      	# Broadcast destination address
PRIVPORTS="0:1023"                     	# Well known, privileged port range
UNPRIVPORTS="1024:65535"               	# Unprivileged port range

# ----------------------------------------------------------------------------

# SSH starts at 1023 and works down to 513 for
# each additional simultaneous incoming connection.
SSH_PORTS="1022:1023"             	# range for SSH privileged ports

# traceroute usually uses -S 32769:65535 -D 33434:33523
TRACEROUTE_SRC_PORTS="32769:65535"
TRACEROUTE_DEST_PORTS="33434:33523"

# ----------------------------------------------------------------------------
# Default policy is DENY
# Explicitly accept desired INCOMING & OUTGOING connections

    # Remove all existing rules belonging to this filter
    ipchains -F

    # Clearing all current rules and user defined chains
    ipchains -X

    # Set the default policy of the filter to deny.
    # Don't even bother sending an error message back.
    ipchains -P input  DENY
    ipchains -P output DENY
    ipchains -P forward DENY

    # set masquerade timeout to 10 hours for tcp connections
    ipchains -M -S 36000 0 0

    # Don't forward fragments. Assemble before forwarding.
    ipchains -A output -f -i $LOCAL_INTERFACE_1 -j DENY

# ----------------------------------------------------------------------------
# MODULES MASQUERADING
# Uncomment bellow all modules lines that you need

    # These modules are necessary to masquerade their respective services.
    /sbin/modprobe ip_masq_ftp
    /sbin/modprobe ip_masq_raudio ports=554,7070,7071,6970,6971
    /sbin/modprobe ip_masq_irc
    #/sbin/modprobe ip_masq_vdolive
    #/sbin/modprobe ip_masq_cuseeme
    #/sbin/modprobe ip_masq_quake

# ----------------------------------------------------------------------------
# LOOPBACK

    # Unlimited traffic on the loopback interface.
    ipchains -A input  -i $LOOPBACK_INTERFACE -j ACCEPT 
    ipchains -A output -i $LOOPBACK_INTERFACE -j ACCEPT 

# ----------------------------------------------------------------------------
# Network Ghouls
# Deny access to jerks

    # /etc/rc.d/rc.firewall.blocked contains a list of
    # ipchains -A input  -i $EXTERNAL_INTERFACE -s address -j DENY
    # rules to block from any access.

    # Refuse any connection from problem sites
    #if [ -f /etc/rc.d/rc.firewall.blocked ]; then
    #    . /etc/rc.d/rc.firewall.blocked
    #fi

# ----------------------------------------------------------------------------
# SPOOFING & BAD ADDRESSES
# Refuse spoofed packets.
# Ignore blatantly illegal source addresses.
# Protect yourself from sending to bad addresses.

    # Refuse spoofed packets pretending to be from the external address.
    ipchains -A input  -i $EXTERNAL_INTERFACE -s $IPADDR -j DENY -l

    # Refuse packets claiming to be to or from a Class A private network
    ipchains -A input  -i $EXTERNAL_INTERFACE -s $CLASS_A -j DENY -l
    ipchains -A input  -i $EXTERNAL_INTERFACE -d $CLASS_A -j DENY -l
    ipchains -A output -i $EXTERNAL_INTERFACE -s $CLASS_A -j REJECT -l
    ipchains -A output -i $EXTERNAL_INTERFACE -d $CLASS_A -j REJECT -l

    # Refuse packets claiming to be to or from a Class B private network
    ipchains -A input  -i $EXTERNAL_INTERFACE -s $CLASS_B -j DENY -l
    ipchains -A input  -i $EXTERNAL_INTERFACE -d $CLASS_B -j DENY -l
    ipchains -A output -i $EXTERNAL_INTERFACE -s $CLASS_B -j REJECT -l
    ipchains -A output -i $EXTERNAL_INTERFACE -d $CLASS_B -j REJECT -l

    # Refuse packets claiming to be to or from a Class C private network
#    ipchains -A input  -i $EXTERNAL_INTERFACE -s $CLASS_C -j DENY -l
#    ipchains -A input  -i $EXTERNAL_INTERFACE -d $CLASS_C -j DENY -l
#    ipchains -A output -i $EXTERNAL_INTERFACE -s $CLASS_C -j REJECT -l
#    ipchains -A output -i $EXTERNAL_INTERFACE -d $CLASS_C -j REJECT -l

    # Refuse packets claiming to be from the loopback interface
    ipchains -A input  -i $EXTERNAL_INTERFACE -s $LOOPBACK -j DENY -l
    ipchains -A output -i $EXTERNAL_INTERFACE -s $LOOPBACK -j REJECT -l

    # Refuse broadcast address SOURCE packets
    ipchains -A input  -i $EXTERNAL_INTERFACE -s $BROADCAST_DEST -j DENY -l
    ipchains -A input  -i $EXTERNAL_INTERFACE -d $BROADCAST_SRC -j DENY -l

    # Refuse Class D multicast addresses (in.h) (NET-3-HOWTO)
    # Multicast is illegal as a source address.
    # Multicast uses UDP.
    ipchains -A input  -i $EXTERNAL_INTERFACE -s $CLASS_D_MULTICAST -j DENY -l

    # Refuse Class E reserved IP  addresses
    ipchains -A input  -i $EXTERNAL_INTERFACE -s $CLASS_E_RESERVED_NET -j DENY -l

    # refuse addresses defined as reserved by the IANA
    # 0.*.*.*, 1.*.*.*, 2.*.*.*, 5.*.*.*, 7.*.*.*, 23.*.*.*, 27.*.*.*
    # 31.*.*.*, 37.*.*.*, 39.*.*.*, 41.*.*.*, 42.*.*.*, 58-60.*.*.*
    # 65-95.*.*.*, 96-126.*.*.*, 197.*.*.*, 201.*.*.* (?), 217-223.*.*.*
    ipchains -A input  -i $EXTERNAL_INTERFACE -s 1.0.0.0/8 -j DENY -l
    ipchains -A input  -i $EXTERNAL_INTERFACE -s 2.0.0.0/8 -j DENY -l
    ipchains -A input  -i $EXTERNAL_INTERFACE -s 5.0.0.0/8 -j DENY -l
    ipchains -A input  -i $EXTERNAL_INTERFACE -s 7.0.0.0/8 -j DENY -l
    ipchains -A input  -i $EXTERNAL_INTERFACE -s 23.0.0.0/8 -j DENY -l
    ipchains -A input  -i $EXTERNAL_INTERFACE -s 27.0.0.0/8 -j DENY -l
    ipchains -A input  -i $EXTERNAL_INTERFACE -s 31.0.0.0/8 -j DENY -l
    ipchains -A input  -i $EXTERNAL_INTERFACE -s 37.0.0.0/8 -j DENY -l
    ipchains -A input  -i $EXTERNAL_INTERFACE -s 39.0.0.0/8 -j DENY -l
    ipchains -A input  -i $EXTERNAL_INTERFACE -s 41.0.0.0/8 -j DENY -l
    ipchains -A input  -i $EXTERNAL_INTERFACE -s 42.0.0.0/8 -j DENY -l
    ipchains -A input  -i $EXTERNAL_INTERFACE -s 58.0.0.0/7 -j DENY -l
    ipchains -A input  -i $EXTERNAL_INTERFACE -s 60.0.0.0/8 -j DENY -l

    #65: 01000001    - /3 includes 64 - need 65-79 spelled out
    ipchains -A input  -i $EXTERNAL_INTERFACE -s 65.0.0.0/8 -j DENY -l
    ipchains -A input  -i $EXTERNAL_INTERFACE -s 66.0.0.0/8 -j DENY -l
    ipchains -A input  -i $EXTERNAL_INTERFACE -s 67.0.0.0/8 -j DENY -l
    ipchains -A input  -i $EXTERNAL_INTERFACE -s 68.0.0.0/8 -j DENY -l
    ipchains -A input  -i $EXTERNAL_INTERFACE -s 69.0.0.0/8 -j DENY -l
    ipchains -A input  -i $EXTERNAL_INTERFACE -s 70.0.0.0/8 -j DENY -l
    ipchains -A input  -i $EXTERNAL_INTERFACE -s 71.0.0.0/8 -j DENY -l
    ipchains -A input  -i $EXTERNAL_INTERFACE -s 72.0.0.0/8 -j DENY -l
    ipchains -A input  -i $EXTERNAL_INTERFACE -s 73.0.0.0/8 -j DENY -l
    ipchains -A input  -i $EXTERNAL_INTERFACE -s 74.0.0.0/8 -j DENY -l
    ipchains -A input  -i $EXTERNAL_INTERFACE -s 75.0.0.0/8 -j DENY -l
    ipchains -A input  -i $EXTERNAL_INTERFACE -s 76.0.0.0/8 -j DENY -l
    ipchains -A input  -i $EXTERNAL_INTERFACE -s 77.0.0.0/8 -j DENY -l
    ipchains -A input  -i $EXTERNAL_INTERFACE -s 78.0.0.0/8 -j DENY -l
    ipchains -A input  -i $EXTERNAL_INTERFACE -s 79.0.0.0/8 -j DENY -l

    #80: 01010000   - /4 masks 80-95
    ipchains -A input  -i $EXTERNAL_INTERFACE -s 80.0.0.0/4 -j DENY -l

    # 96: 01100000    - /4 makses 96-111
    ipchains -A input  -i $EXTERNAL_INTERFACE -s 96.0.0.0/4 -j DENY -l

    #126: 01111110    - /3 includes 127 - need 112-126 spelled out
    ipchains -A input  -i $EXTERNAL_INTERFACE -s 112.0.0.0/8 -j DENY -l
    ipchains -A input  -i $EXTERNAL_INTERFACE -s 113.0.0.0/8 -j DENY -l
    ipchains -A input  -i $EXTERNAL_INTERFACE -s 114.0.0.0/8 -j DENY -l
    ipchains -A input  -i $EXTERNAL_INTERFACE -s 115.0.0.0/8 -j DENY -l
    ipchains -A input  -i $EXTERNAL_INTERFACE -s 116.0.0.0/8 -j DENY -l
    ipchains -A input  -i $EXTERNAL_INTERFACE -s 117.0.0.0/8 -j DENY -l
    ipchains -A input  -i $EXTERNAL_INTERFACE -s 118.0.0.0/8 -j DENY -l
    ipchains -A input  -i $EXTERNAL_INTERFACE -s 119.0.0.0/8 -j DENY -l
    ipchains -A input  -i $EXTERNAL_INTERFACE -s 120.0.0.0/8 -j DENY -l
    ipchains -A input  -i $EXTERNAL_INTERFACE -s 121.0.0.0/8 -j DENY -l
    ipchains -A input  -i $EXTERNAL_INTERFACE -s 122.0.0.0/8 -j DENY -l
    ipchains -A input  -i $EXTERNAL_INTERFACE -s 123.0.0.0/8 -j DENY -l
    ipchains -A input  -i $EXTERNAL_INTERFACE -s 124.0.0.0/8 -j DENY -l
    ipchains -A input  -i $EXTERNAL_INTERFACE -s 125.0.0.0/8 -j DENY -l
    ipchains -A input  -i $EXTERNAL_INTERFACE -s 126.0.0.0/8 -j DENY -l

    #217: 11011001    - /5 includes 216 - need 217-219 spelled out
    ipchains -A input  -i $EXTERNAL_INTERFACE -s 217.0.0.0/8 -j DENY -l
    ipchains -A input  -i $EXTERNAL_INTERFACE -s 218.0.0.0/8 -j DENY -l
    ipchains -A input  -i $EXTERNAL_INTERFACE -s 219.0.0.0/8 -j DENY -l

    #223: 11011111    - /6 masks 220-223
    ipchains -A input  -i $EXTERNAL_INTERFACE -s 220.0.0.0/6 -j DENY -l

# ----------------------------------------------------------------------------
# ICMP

    #    To prevent denial of service attacks based on ICMP bombs, filter
    #    incoming Redirect (5) and outgoing Destination Unreachable (3).
    #    Note, however, disabling Destination Unreachable (3) is not
    #    advisable, as it is used to negotiate packet fragment size.

    # For bi-directional ping.
    #     Message Types:  Echo_Reply (0),  Echo_Request (8)
    #     To prevent attacks, limit the src addresses to your ISP range.
    # 
    # For outgoing traceroute.
    #     Message Types:  INCOMING Dest_Unreachable (3), Time_Exceeded (11)
    #     default UDP base: 33434 to base+nhops-1
    # 
    # For incoming traceroute.
    #     Message Types:  OUTGOING Dest_Unreachable (3), Time_Exceeded (11)
    #     To block this, deny OUTGOING 3 and 11

    #  0: echo-reply (pong)
    #  3: destination-unreachable, port-unreachable, fragmentation-needed, etc.
    #  4: source-quench
    #  5: redirect
    #  8: echo-request (ping)
    # 11: time-exceeded
    # 12: parameter-problem

    ipchains -A input  -i $EXTERNAL_INTERFACE -p icmp \
             -s $ANYWHERE 0 -d $IPADDR -j ACCEPT
    ipchains -A input  -i $EXTERNAL_INTERFACE -p icmp \
             -s $ANYWHERE 3 -d $IPADDR -j ACCEPT
    ipchains -A input  -i $EXTERNAL_INTERFACE -p icmp \
             -s $ANYWHERE 4 -d $IPADDR -j ACCEPT
    ipchains -A input  -i $EXTERNAL_INTERFACE -p icmp \
             -s $ANYWHERE 11 -d $IPADDR -j ACCEPT
    ipchains -A input  -i $EXTERNAL_INTERFACE -p icmp \
             -s $ANYWHERE 12 -d $IPADDR -j ACCEPT
    ipchains -A input  -i $EXTERNAL_INTERFACE -p icmp \
             -s $MY_ISP 8 -d $IPADDR -j ACCEPT

    ipchains -A output -i $EXTERNAL_INTERFACE -p icmp \
             -s $IPADDR 0 -d $MY_ISP -j ACCEPT
    ipchains -A output -i $EXTERNAL_INTERFACE -p icmp \
             -s $IPADDR 3 -d $MY_ISP -j ACCEPT
    ipchains -A output -i $EXTERNAL_INTERFACE -p icmp \
             -s $IPADDR 4 -d $ANYWHERE -j ACCEPT
    ipchains -A output -i $EXTERNAL_INTERFACE -p icmp \
             -s $IPADDR 8 -d $ANYWHERE -j ACCEPT
    ipchains -A output -i $EXTERNAL_INTERFACE -p icmp \
             -s $IPADDR 12 -d $ANYWHERE -j ACCEPT
    ipchains -A output -i $EXTERNAL_INTERFACE -p icmp \
             -s $IPADDR 11 -d $MY_ISP -j ACCEPT

# ----------------------------------------------------------------------------
    # UDP INCOMING TRACEROUTE
    # traceroute usually uses -S 32769:65535 -D 33434:33523

    ipchains -A input  -i $EXTERNAL_INTERFACE -p udp \
             -s $MY_ISP $TRACEROUTE_SRC_PORTS \
             -d $IPADDR $TRACEROUTE_DEST_PORTS -j ACCEPT -l

    ipchains -A input  -i $EXTERNAL_INTERFACE -p udp \
             -s $ANYWHERE $TRACEROUTE_SRC_PORTS \
             -d $IPADDR $TRACEROUTE_DEST_PORTS -j DENY -l

# ----------------------------------------------------------------------------
    # DNS client (53)
    # ---------------
    ipchains -A input  -i $EXTERNAL_INTERFACE -p udp \
             -s $ANYWHERE 53 \
             -d $IPADDR $UNPRIVPORTS -j ACCEPT

    ipchains -A output -i $EXTERNAL_INTERFACE -p udp \
             -s $IPADDR $UNPRIVPORTS \
             -d $ANYWHERE 53 -j ACCEPT

# TCP client to server requests are allowed by the protocol
# if UDP requests fail. This is rarely seen. Usually, clients
# use TCP as a secondary nameserver for zone transfers from
# their primary nameservers, and as hackers.

    ipchains -A input  -i $EXTERNAL_INTERFACE -p tcp ! -y \
             -s $ANYWHERE 53 \
             -d $IPADDR $UNPRIVPORTS -j ACCEPT

    ipchains -A output -i $EXTERNAL_INTERFACE -p tcp \
             -s $IPADDR $UNPRIVPORTS \
             -d $ANYWHERE 53 -j ACCEPT

# ----------------------------------------------------------------------------
    # TCP accept only on selected ports
    # ---------------------------------
    # ------------------------------------------------------------------

    # SSH server (22)
    # ---------------

    ipchains -A input  -i $EXTERNAL_INTERFACE -p tcp \
             -s $ANYWHERE $UNPRIVPORTS \
             -d $IPADDR 22 -j ACCEPT 

    ipchains -A output -i $EXTERNAL_INTERFACE -p tcp ! -y \
             -s $IPADDR 22 \
             -d $ANYWHERE $UNPRIVPORTS -j ACCEPT 

    ipchains -A input  -i $EXTERNAL_INTERFACE -p tcp \
             -s $ANYWHERE $SSH_PORTS \
             -d $IPADDR 22 -j ACCEPT 

    ipchains -A output -i $EXTERNAL_INTERFACE -p tcp ! -y \
             -s $IPADDR 22 \
             -d $ANYWHERE $SSH_PORTS -j ACCEPT 

    # SSH client (22)
    # ---------------
    ipchains -A input  -i $EXTERNAL_INTERFACE -p tcp ! -y \
             -s $ANYWHERE 22 \
             -d $IPADDR $UNPRIVPORTS -j ACCEPT 

    ipchains -A output -i $EXTERNAL_INTERFACE -p tcp \
             -s $IPADDR $UNPRIVPORTS \
             -d $ANYWHERE 22 -j ACCEPT 

    ipchains -A input  -i $EXTERNAL_INTERFACE -p tcp ! -y \
             -s $ANYWHERE 22 \
             -d $IPADDR $SSH_PORTS -j ACCEPT 

    ipchains -A output -i $EXTERNAL_INTERFACE -p tcp \
             -s $IPADDR $SSH_PORTS \
             -d $ANYWHERE 22 -j ACCEPT 

    # ------------------------------------------------------------------

    # HTTP client (80)
    # ----------------
    ipchains -A input  -i $EXTERNAL_INTERFACE -p tcp ! -y \
             -s $ANYWHERE 80 \
             -d $IPADDR $UNPRIVPORTS -j ACCEPT 

    ipchains -A output -i $EXTERNAL_INTERFACE -p tcp \
             -s $IPADDR $UNPRIVPORTS \
             -d $ANYWHERE 80 -j ACCEPT 

    # ------------------------------------------------------------------

    # HTTPS client (443)
    # ------------------
    ipchains -A input  -i $EXTERNAL_INTERFACE -p tcp ! -y \
             -s $ANYWHERE 443 \
             -d $IPADDR $UNPRIVPORTS -j ACCEPT 

    ipchains -A output -i $EXTERNAL_INTERFACE -p tcp \
             -s $IPADDR $UNPRIVPORTS \
             -d $ANYWHERE 443 -j ACCEPT 

    # ------------------------------------------------------------------
    # NNTP NEWS client (119)
    # ----------------------
    ipchains -A input  -i $EXTERNAL_INTERFACE -p tcp ! -y \
             -s $ANYWHERE 119 \
             -d $IPADDR $UNPRIVPORTS -j ACCEPT

    ipchains -A output -i $EXTERNAL_INTERFACE -p tcp \
             -s $IPADDR $UNPRIVPORTS \
             -d $ANYWHERE 119 -j ACCEPT

    # ------------------------------------------------------------------
    # POP client (110)
    # ----------------
    ipchains -A input  -i $EXTERNAL_INTERFACE -p tcp ! -y \
             -s $ANYWHERE 110 \
             -d $IPADDR $UNPRIVPORTS -j ACCEPT 

    ipchains -A output -i $EXTERNAL_INTERFACE -p tcp \
             -s $IPADDR $UNPRIVPORTS \
             -d $ANYWHERE 110 -j ACCEPT 

    # ------------------------------------------------------------------
    # SMTP client (25)
    # ----------------
    ipchains -A input  -i $EXTERNAL_INTERFACE -p tcp ! -y \
             -s $ANYWHERE 25 \
             -d $IPADDR $UNPRIVPORTS -j ACCEPT 

    ipchains -A output -i $EXTERNAL_INTERFACE -p tcp \
             -s $IPADDR $UNPRIVPORTS \
             -d $ANYWHERE 25 -j ACCEPT 

    # ------------------------------------------------------------------
    # IRC client (6667)
    # -----------------
    ipchains -A input  -i $EXTERNAL_INTERFACE -p tcp ! -y \
             -s $ANYWHERE 6667 \
             -d $IPADDR $UNPRIVPORTS -j ACCEPT 

    ipchains -A output -i $EXTERNAL_INTERFACE -p tcp \
             -s $IPADDR $UNPRIVPORTS \
             -d $ANYWHERE 6667 -j ACCEPT 

    # ------------------------------------------------------------------

    # ICQ client (4000)
    # -----------------
    ipchains -A input  -i $EXTERNAL_INTERFACE -p tcp ! -y \
             -s $ANYWHERE 2000:4000 \
             -d $IPADDR $UNPRIVPORTS -j ACCEPT 

    ipchains -A output -i $EXTERNAL_INTERFACE -p tcp \
             -s $IPADDR $UNPRIVPORTS \
             -d $ANYWHERE 2000:4000 -j ACCEPT 

    ipchains -A input  -i $EXTERNAL_INTERFACE -p udp \
             -s $ANYWHERE 4000 \
             -d $IPADDR $UNPRIVPORTS -j ACCEPT 

    ipchains -A output -i $EXTERNAL_INTERFACE -p udp \
             -s $IPADDR $UNPRIVPORTS \
             -d $ANYWHERE 4000 -j ACCEPT 

    # ------------------------------------------------------------------

    # FTP client (20, 21)
    # -------------------

    # outgoing request
    ipchains -A input  -i $EXTERNAL_INTERFACE -p tcp ! -y \
             -s $ANYWHERE 21 \
             -d $IPADDR $UNPRIVPORTS -j ACCEPT 

    ipchains -A output -i $EXTERNAL_INTERFACE -p tcp \
             -s $IPADDR $UNPRIVPORTS \
             -d $ANYWHERE 21 -j ACCEPT 

    # NORMAL mode data channel
    ipchains -A input  -i $EXTERNAL_INTERFACE -p tcp \
            -s $ANYWHERE 20 \
            -d $IPADDR $UNPRIVPORTS -j ACCEPT 

    # NORMAL mode data channel responses
    ipchains -A output -i $EXTERNAL_INTERFACE -p tcp ! -y \
            -s $IPADDR $UNPRIVPORTS \
            -d $ANYWHERE 20 -j ACCEPT 

    # PASSIVE mode data channel creation
    ipchains -A output -i $EXTERNAL_INTERFACE -p tcp \
            -s $IPADDR $UNPRIVPORTS \
            -d $ANYWHERE $UNPRIVPORTS -j ACCEPT 

    # PASSIVE mode data channel responses
    ipchains -A input  -i $EXTERNAL_INTERFACE -p tcp ! -y \
            -s $ANYWHERE $UNPRIVPORTS \
            -d $IPADDR $UNPRIVPORTS -j ACCEPT 

    # ------------------------------------------------------------------

    # RealAudio / QuickTime client
    # ----------------------------

    ipchains -A input  -i $EXTERNAL_INTERFACE -p tcp ! -y \
             -s $ANYWHERE 554 \
             -d $IPADDR $UNPRIVPORTS -j ACCEPT

    ipchains -A output -i $EXTERNAL_INTERFACE -p tcp \
             -s $IPADDR $UNPRIVPORTS \
             -d $ANYWHERE 554 -j ACCEPT


    # TCP is a more secure method:  7070:7071

    ipchains -A input  -i $EXTERNAL_INTERFACE -p tcp ! -y \
             -s $ANYWHERE 7070:7071 \
             -d $IPADDR $UNPRIVPORTS -j ACCEPT

    ipchains -A output -i $EXTERNAL_INTERFACE -p tcp \
             -s $IPADDR $UNPRIVPORTS \
             -d $ANYWHERE 7070:7071 -j ACCEPT


    # UDP is the preferred method:  6970:6999
    # For LAN machines, UDP requires the RealAudio masquerading module and
    # the ipmasqadm third-party software.

    ipchains -A input  -i $EXTERNAL_INTERFACE -p udp \
             -s $ANYWHERE $UNPRIVPORTS \
             -d $IPADDR 6970:6999 -j ACCEPT

    ipchains -A output -i $EXTERNAL_INTERFACE -p udp \
             -s $IPADDR $UNPRIVPORTS \
             -d $ANYWHERE $UNPRIVPORTS -j ACCEPT

    # ------------------------------------------------------------------

    # WHOIS client (43)
    # -----------------
    ipchains -A input  -i $EXTERNAL_INTERFACE -p tcp ! -y \
             -s $ANYWHERE 43 \
             -d $IPADDR $UNPRIVPORTS -j ACCEPT 

    ipchains -A output -i $EXTERNAL_INTERFACE -p tcp \
             -s $IPADDR $UNPRIVPORTS \
             -d $ANYWHERE 43 -j ACCEPT 

    # ------------------------------------------------------------------

    # OUTGOING TRACEROUTE
    # -------------------
    ipchains -A output -i $EXTERNAL_INTERFACE -p udp \
             -s $IPADDR $TRACEROUTE_SRC_PORTS \
             -d $ANYWHERE $TRACEROUTE_DEST_PORTS -j ACCEPT 

# ----------------------------------------------------------------------------
# Unlimited traffic within the local network.

    # All internal machines have access to the firewall machine.

    ipchains -A input  -i $LOCAL_INTERFACE_1 -s $LOCALNET_1 -d $IPADDR_LOCAL 3128 -p TCP -j ACCEPT 
    ipchains -A input  -i $LOCAL_INTERFACE_1 -s $LOCALNET_1 -d $IPADDR_LOCAL $UNPRIVPORTS -p TCP -j ACCEPT 
    ipchains -A input  -i $LOCAL_INTERFACE_1 -s $LOCALNET_1 -d $ANYWHERE 25 -p TCP -j ACCEPT 
    ipchains -A input  -i $LOCAL_INTERFACE_1 -s $LOCALNET_1 -d $ANYWHERE 110 -p TCP -j ACCEPT 
    
    ipchains -A output -i $LOCAL_INTERFACE_1 -d $LOCALNET_1 -j ACCEPT 

    ipchains -A input  -i $LOCAL_INTERFACE_1 -s 192.168.0.50 -j ACCEPT 
    ipchains -A input  -i $LOCAL_INTERFACE_1 -s 192.168.0.51 -j ACCEPT 
    ipchains -A input  -i $LOCAL_INTERFACE_1 -s 192.168.0.110 -j ACCEPT 
    ipchains -A input  -i $LOCAL_INTERFACE_1 -s 192.168.0.40 -j ACCEPT 
    ipchains -A input  -i $LOCAL_INTERFACE_1 -s 192.168.0.10 -j ACCEPT 

# ----------------------------------------------------------------------------
    # FreeS/WAN IPSec VPN
    # -------------------

    # If you are using the FreeSWAN IPSec VPN, you will need to fill in the
    # addresses of the gateways in the IPSECSG and the virtual interfaces for
    # FreeS/Wan IPSEC in the FREESWANVI parameters. Look at the beginning of
    # this firewall script rules file to set the parameters.

    # IPSECSG is a Space separated list of remote gateways. FREESWANVI is a
    # Space separated list of virtual interfaces for FreeS/Wan IPSEC
    # implementation. Only include those that are actually used.

    # Allow IPSEC protocol from remote gateways on external interface
    # IPSEC uses three main types of packet:
    # IKE uses the UDP protocol and port 500,
    # ESP use the protocol number 50, and
    # AH use the protocol number 51

#    ipchains -A input  -i $EXTERNAL_INTERFACE -p udp \
#             -s $IPSECSG -j ACCEPT

#    ipchains -A output  -i $EXTERNAL_INTERFACE -p udp \
#             -d $IPSECSG -j ACCEPT

#    ipchains -A input  -i $EXTERNAL_INTERFACE -p 50 \
#             -s $IPSECSG -j ACCEPT

#    ipchains -A output  -i $EXTERNAL_INTERFACE -p 50 \
#             -d $IPSECSG -j ACCEPT

#    ipchains -A input  -i $EXTERNAL_INTERFACE -p 51 \
#             -s $IPSECSG -j ACCEPT

#    ipchains -A output  -i $EXTERNAL_INTERFACE -p 51 \
#             -d $IPSECSG -j ACCEPT

    # Allow all traffic to FreeS/WAN Virtual Interface
#    ipchains -A input  -i $FREESWANVI \
#             -s $ANYWHERE \
#             -d $ANYWHERE -j ACCEPT

#    ipchains -A output  -i $FREESWANVI \
#             -s $ANYWHERE \
#             -d $ANYWHERE -j ACCEPT

    # Forward anything from the FreeS/WAN virtual interface IPSEC tunnel
#    ipchains -A forward  -i $FREESWANVI \
#             -s $ANYWHERE \
#             -d $ANYWHERE -j ACCEPT

    # Disable IP spoofing protection to allow IPSEC to work properly
#    echo 0 > /proc/sys/net/ipv4/conf/ipsec0/rp_filter
#    echo 0 > /proc/sys/net/ipv4/conf/eth0/rp_filter

# ----------------------------------------------------------------------------
# Masquerade internal traffic.

    # All internal traffic is masqueraded externally.

    ipchains -A forward -i $EXTERNAL_INTERFACE -s $LOCALNET_1 -j MASQ

# ----------------------------------------------------------------------------
# Enable logging for selected denied packets

    ipchains -A input  -i $EXTERNAL_INTERFACE -p tcp \
	     -d $IPADDR -j DENY -l

    ipchains -A input  -i $EXTERNAL_INTERFACE -p udp \
	     -d $IPADDR $PRIVPORTS -j DENY -l

    ipchains -A input  -i $EXTERNAL_INTERFACE -p udp \
	     -d $IPADDR $UNPRIVPORTS -j DENY -l

    ipchains -A input  -i $EXTERNAL_INTERFACE -p icmp \
             -s $ANYWHERE 5 -d $IPADDR -j DENY -l

    ipchains -A input  -i $EXTERNAL_INTERFACE -p icmp \
             -s $ANYWHERE 13:255 -d $IPADDR -j DENY -l

# ----------------------------------------------------------------------------

        ;;
  stop)
        echo -n "Shutting Firewalling Services: "

    # Remove all existing rules belonging to this filter
    ipchains -F

    # Delete all user-defined chain to this filter
    ipchains -X

    # Reset the default policy of the filter to accept.
    ipchains -P input  ACCEPT
    ipchains -P output ACCEPT
    ipchains -P forward MASQ

	;;
  status)
        status firewall
	;;
  restart|reload)
	$0 stop
	$0 start
	;;
  *)
	echo "Usage: firewall {start|stop|status|restart|reload}"
	exit 1
esac

exit 0