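# We will allow UDP datagrams out on the allowed ports.
$IPCHAINS -A input -p udp -i $OURDEV -d $ANYADDR $UDPOUT -j accept
# ICMP - INCOMING
# We will allow ICMP datagrams in of the allowed types.
# The rule as originally written used '-w' (not an ipchains option; the
# interface flag is '-i') and $UDPIN, the UDP *port* list, instead of the
# ICMP *type* list.  $ICMPIN is assumed to be defined in the user
# configurable section above, alongside $ICMPOUT -- TODO confirm.
$IPCHAINS -A input -p icmp -i $ANYDEV -d $OURNET $ICMPIN -j accept
# ICMP - OUTGOING
# We will allow ICMP datagrams out of the allowed types.
# (Originally $UDPOUT, the UDP port list; the ICMP type list is $ICMPOUT.)
$IPCHAINS -A input -p icmp -i $OURDEV -d $ANYADDR $ICMPOUT -j accept
# DEFAULT and LOGGING
# All remaining datagrams fall through to the default
# rule and are dropped. They will be logged if you've
# configured the LOGGING variable above.
#
# The test must use double quotes.  With '$LOGGING' in single quotes the
# shell tests the literal seven-character string, which is never empty,
# so the logging rules were installed whether or not LOGGING was set.
if [ -n "$LOGGING" ]
then
# Log barred TCP.  '-l' logs the match; the target is 'deny' (silent
# drop) rather than 'reject', so that turning logging on does not change
# what the firewall does -- the comment above promises the datagrams are
# dropped -- and so the host does not announce filtered ports to a
# scanner with ICMP unreachables.
$IPCHAINS -A input -p tcp -l -j deny
# Log barred UDP
$IPCHAINS -A input -p udp -l -j deny
# Log barred ICMP
$IPCHAINS -A input -p icmp -l -j deny
fi
#
# end.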
In our iptables example, we've switched to using the FORWARD ruleset because of the difference in meaning of the INPUT ruleset in the
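#!/bin/bash
##########################################################################
# IPTABLES VERSION
# This sample configuration is for a single host firewall configuration
# with no services supported by the firewall machine itself.
##########################################################################
# USER CONFIGURABLE SECTION
# The name of the iptables utility; it is looked up on the PATH set below.
# (The comments in the original said "ipchains" -- a leftover from the
# ipchains version of this script.)
IPTABLES=iptables
# A fixed, minimal PATH for the iptables executable, so the firewall
# script never runs an 'iptables' found in a writable or user-controlled
# directory.  NOTE(review): some systems install iptables in /usr/sbin;
# if the script fails with "command not found", add that directory here
# rather than widening PATH to the caller's environment.
PATH='/sbin'
# Our internal network address space and its supporting network device.
OURNET='172.29.16.0/24'
# The directed broadcast address of OURNET (used by the anti-Smurf rule).
OURBCAST='172.29.16.255'
OURDEV='eth0'
# The outside address and the network device that supports it.
ANYADDR='0/0'
ANYDEV='eth1'
# The TCP services we wish to allow to pass - '' empty means all ports
# note: comma separated, as accepted by '-m multiport --dports'
TCPIN='smtp,www'
TCPOUT='smtp,www,ftp,ftp-data,irc'
# The UDP services we wish to allow to pass - '' empty means all ports
# note: comma separated
UDPIN='domain'
UDPOUT='domain'
# The ICMP services we wish to allow to pass - '' empty means all types
# ref: /usr/include/netinet/ip_icmp.h for type numbers
# note: comma separated
# In:  0 echo reply, 3 destination unreachable, 11 time exceeded.
# Out: 8 echo request, 3 destination unreachable, 11 time exceeded.
ICMPIN='0,3,11'
ICMPOUT='8,3,11'
# Logging; uncomment the following line to enable logging of datagrams
# that are blocked by the firewall.
# LOGGING=1
# END USER CONFIGURABLE SECTION
##########################################################################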
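# We want to deny forwarding by default.
# The policy is set BEFORE the flush so there is no window in which the
# previous policy (ACCEPT on a freshly booted kernel) applies to an empty
# chain.  The policy name must be the netfilter target 'DROP': 'deny' is
# the ipchains spelling, which iptables refuses ("Bad policy name"); that
# failure left the chain at its default ACCEPT policy, i.e. fail-open.
$IPTABLES -P FORWARD DROP
# Flush the FORWARD chain rules (the chain the rest of this script
# populates; the original comment said "Input" chain).  INPUT is not
# flushed, so re-running the script appends a second copy of the INPUT
# rule below -- harmless, but worth knowing when reading 'iptables -L'.
$IPTABLES -F FORWARD
# Drop all datagrams destined for this host received from outside.
# NOTE(review): this also discards replies to connections the firewall
# host itself opens towards the outside (e.g. its own DNS lookups); that
# is consistent with "no services on the firewall" but easy to trip over.
$IPTABLES -A INPUT -i $ANYDEV -j DROP
# SPOOFING
# We should not accept any datagrams with a source address matching ours
# from the outside, so we drop them.
$IPTABLES -A FORWARD -s $OURNET -i $ANYDEV -j DROP
# SMURF
# Disallow ICMP to our broadcast address to prevent 'Smurf' style attacks.
# The original rule could not load and, had it loaded, would have blocked
# the wrong thing: '-m multiport' applies only to TCP/UDP, 'DENY' is not
# an iptables target (it is 'DROP'), and '-d $OURNET' would have dropped
# every inbound ICMP datagram -- including the types ICMPIN is meant to
# allow -- rather than just those aimed at the broadcast address.
$IPTABLES -A FORWARD -p icmp -i $ANYDEV -d $OURBCAST -j DROP
# We should accept fragments, in iptables we must do this explicitly.
# NOTE(review): '-f' matches second and later fragments, which carry no
# port numbers and therefore cannot be checked by the port rules below;
# this accepts them from either interface unconditionally.  If the
# deployment kernel uses connection tracking ('-m state'), datagrams are
# reassembled before the rules are consulted and this rule becomes
# unnecessary -- confirm before relying on it.
$IPTABLES -A FORWARD -f -j ACCEPT
# TCP
# We will accept all TCP datagrams belonging to an existing connection
# (i.e. having the ACK bit set) for the TCP ports we're allowing through.
# This should catch more than 95 % of all valid TCP packets.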
$IPTABLES -A FORWARD -m multiport -p tcp -d $OURNET --dports $TCPIN /
