sg_fw

root@slackware:~# cat /etc/firewall
SYSCTL="/sbin/sysctl -w"
IPT="/usr/sbin/iptables"
IPTS="/usr/sbin/iptables-save"
IPTR="/usr/sbin/iptables-restore"

INET_IFACE="eth1"
INET_NET="192.168.231.0/24"
INET_ADDRESS="192.168.231.165" #eth1   address

LOCAL_IFACE="eth0"
LOCAL_IP="192.168.112.112"
LOCAL_NET="192.168.112.0/24"
LOCAL_BCAST="192.168.112.255"

VPN_IFACE="tun+"
VPN_LOC_IP="192.168.26.1"
VPN_NET="192.168.26.0/24"
VPN_BCAST="192.168.26.255"

HOME_NET="192.168.114.0/24"
DSA_NET="192.168.18.0/24"

STARGAZE="192.168.112.112"
MODEM="192.168.231.117"

LO_IFACE="lo"
LO_IP="127.0.0.1"

DISK_IFACE="eth2"
DISK_IP="192.168.113.113"
DISK_NET="192.168.113.0/24"
DISK_BCAST="192.168.113.255"

if [ "$1" = "save" ]
then
	echo -n "Saving firewall to /etc/sysconfig/iptables ... "
	$IPTS > /etc/sysconfig/iptables
	echo "done"
	exit 0
elif [ "$1" = "restore" ]
then
	echo -n "Restoring firewall from /etc/sysconfig/iptables ... "
	$IPTR < /etc/sysconfig/iptables
	echo "done"
	exit 0
fi
echo "Loading kernel modules ..."
/sbin/modprobe ip_tables
/sbin/modprobe ip_conntrack
/sbin/modprobe ip_nat_ftp
/sbin/modprobe ip_conntrack_ftp
/sbin/modprobe ip_conntrack_irc
if [ "$SYSCTL" = "" ]
then
    echo "1" > /proc/sys/net/ipv4/ip_forward
else
    $SYSCTL net.ipv4.ip_forward="1"
fi
if [ "$SYSCTL" = "" ]
then
    echo "1" > /proc/sys/net/ipv4/tcp_syncookies
else
    $SYSCTL net.ipv4.tcp_syncookies="1"
fi
if [ "$SYSCTL" = "" ]
then
    echo "1" > /proc/sys/net/ipv4/conf/all/rp_filter
else
    $SYSCTL net.ipv4.conf.all.rp_filter="1"
fi
if [ "$SYSCTL" = "" ]
then
    echo "1" > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
else
    $SYSCTL net.ipv4.icmp_echo_ignore_broadcasts="1"
fi
if [ "$SYSCTL" = "" ]
then
    echo "0" > /proc/sys/net/ipv4/conf/all/accept_source_route
else
    $SYSCTL net.ipv4.conf.all.accept_source_route="0"
fi
if [ "$SYSCTL" = "" ]
then
    echo "1" > /proc/sys/net/ipv4/conf/all/secure_redirects
else
    $SYSCTL net.ipv4.conf.all.secure_redirects="1"
fi
if [ "$SYSCTL" = "" ]
then
    echo "1" > /proc/sys/net/ipv4/conf/all/log_martians
else
    $SYSCTL net.ipv4.conf.all.log_martians="1"
fi
echo "Flushing Tables ..."
$IPT -P INPUT ACCEPT
$IPT -P FORWARD ACCEPT
$IPT -P OUTPUT ACCEPT
$IPT -t nat -P PREROUTING ACCEPT
$IPT -t nat -P POSTROUTING ACCEPT
$IPT -t nat -P OUTPUT ACCEPT
$IPT -t mangle -P PREROUTING ACCEPT
$IPT -t mangle -P OUTPUT ACCEPT
$IPT -F
$IPT -t nat -F
$IPT -t mangle -F
$IPT -X
$IPT -t nat -X
$IPT -t mangle -X
if [ "$1" = "stop" ]
then
	echo "Firewall completely flushed!  Now running with no firewall."
	exit 0
fi

#firewall starts HERE

$IPT -P INPUT DROP
$IPT -P OUTPUT DROP
$IPT -P FORWARD DROP

echo "Create and populate custom rule chains ..."
$IPT -N bad_packets
$IPT -N bad_tcp_packets
$IPT -N icmp_packets
$IPT -N udp_inbound
$IPT -N udp_fwdbound
$IPT -N udp_infwdbound
$IPT -t nat -N udp_prebound
$IPT -N udp_vpnbound
$IPT -N tcp_inbound
$IPT -N tcp_fwdbound
$IPT -N tcp_infwdbound
$IPT -N tcp_vpnbound
$IPT -t nat -N tcp_prebound

$IPT -A bad_packets -p ALL -i $INET_IFACE -s $LOCAL_NET -j ULOG --ulog-prefix "Illegal source: " --ulog-nlgroup 1
$IPT -A bad_packets -p ALL -i $INET_IFACE -s $LOCAL_NET -j DROP
$IPT -A bad_packets -p ALL -m state --state INVALID -j ULOG --ulog-prefix "Invalid packet: " --ulog-nlgroup 1
$IPT -A bad_packets -p ALL -m state --state INVALID -j DROP
$IPT -A bad_packets -p tcp -j bad_tcp_packets
$IPT -A bad_packets -p ALL -j RETURN
$IPT -A bad_tcp_packets -p tcp -i $LOCAL_IFACE -j RETURN
$IPT -A bad_tcp_packets -p tcp ! --syn -m state --state NEW -j ULOG --ulog-prefix "New not syn: " --ulog-nlgroup 1
$IPT -A bad_tcp_packets -p tcp ! --syn -m state --state NEW -j DROP
$IPT -A bad_tcp_packets -p tcp --tcp-flags ALL NONE -j ULOG --ulog-prefix "Stealth scan: " --ulog-nlgroup 1
$IPT -A bad_tcp_packets -p tcp --tcp-flags ALL NONE -j DROP
$IPT -A bad_tcp_packets -p tcp --tcp-flags ALL ALL -j ULOG --ulog-prefix "Stealth scan: " --ulog-nlgroup 1
$IPT -A bad_tcp_packets -p tcp --tcp-flags ALL ALL -j DROP
$IPT -A bad_tcp_packets -p tcp --tcp-flags ALL FIN,URG,PSH -j ULOG --ulog-prefix "Stealth scan: " --ulog-nlgroup 1
$IPT -A bad_tcp_packets -p tcp --tcp-flags ALL FIN,URG,PSH -j DROP
$IPT -A bad_tcp_packets -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j ULOG --ulog-prefix "Stealth scan: " --ulog-nlgroup 1
$IPT -A bad_tcp_packets -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j DROP
$IPT -A bad_tcp_packets -p tcp --tcp-flags SYN,RST SYN,RST -j ULOG --ulog-prefix "Stealth scan: " --ulog-nlgroup 1
$IPT -A bad_tcp_packets -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
$IPT -A bad_tcp_packets -p tcp --tcp-flags SYN,FIN SYN,FIN -j ULOG --ulog-prefix "Stealth scan: " --ulog-nlgroup 1
$IPT -A bad_tcp_packets -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
$IPT -A bad_tcp_packets -p tcp -j RETURN

$IPT -A icmp_packets --fragment -p ICMP -j ULOG --ulog-prefix "ICMP Fragment: " --ulog-nlgroup 1
$IPT -A icmp_packets -p ICMP -s 0/0 --icmp-type 3 -j ACCEPT #requested by openvpn AS : ICMP Destination Unreachable: Fragmentation Needed (ICMP Type 3, Code 4)
$IPT -A icmp_packets --fragment -p ICMP -j DROP
#$IPT -A icmp_packets -p ICMP -s $LOCAL_NET -d $VPN_NET --icmp-type 0 -j ACCEPT
$IPT -A icmp_packets -p ICMP -s 0/0 --icmp-type 0 -j ACCEPT
$IPT -A icmp_packets -p ICMP -s 0/0 --icmp-type 8 -j ACCEPT
$IPT -A icmp_packets -p ICMP -s 0/0 --icmp-type 11 -j ACCEPT
$IPT -A icmp_packets -p ICMP -j RETURN

$IPT -A udp_inbound -p UDP -s 0/0 --destination-port 113 -j REJECT
$IPT -A udp_inbound -p UDP -s 0/0 --destination-port 137 -j DROP
$IPT -A udp_inbound -p UDP -s 0/0 --destination-port 138 -j DROP
$IPT -A udp_inbound -p UDP -s 0/0 --destination-port 34567 -j ACCEPT #KTORRENT
$IPT -A udp_inbound -p UDP -s 0/0 --destination-port 34568 -j ACCEPT #KTORRENT
$IPT -A udp_inbound -p UDP -s 0/0 --destination-port 34569 -j ACCEPT #KTORRENT
$IPT -A udp_inbound -p UDP -s 0/0 --destination-port 32386 -j ACCEPT #OPENVPN
$IPT -A udp_inbound -p UDP -s $MODEM --destination-port 123 -j ACCEPT #NTP
$IPT -A udp_inbound -p UDP -j RETURN

#$IPT -t nat -A udp_prebound --destination-port 31286 -j DNAT --to-destination $RODOS
$IPT -t nat -A udp_prebound -p UDP -j RETURN

#$IPT -A udp_infwdbound --destination-port 32386 -j ACCEPT #intranet vpn
$IPT -A udp_infwdbound -p UDP -j RETURN

$IPT -A udp_fwdbound -p UDP -j RETURN

$IPT -A udp_vpnbound -p UDP -s 0/0 --destination-port 53 -j ACCEPT #DNS for vpn clients and zone tranfers
$IPT -A udp_vpnbound -p UDP -s 0/0 --destination-port 137:139 -j ACCEPT #samba
$IPT -A udp_vpnbound -p UDP -s 0/0 --destination-port 445 -j ACCEPT #samba
#$IPT -A udp_vpnbound -p UDP -s 0/0 --destination-port 34122:34128 -j ACCEPT #vpn nfs
$IPT -A udp_vpnbound -p UDP -j RETURN

$IPT -A tcp_inbound -p TCP -s 0/0 --destination-port 113 -j REJECT
#$IPT -A tcp_inbound -p tcp -s 0/0 --destination-port 80 -j ACCEPT #APACHE
#$IPT -A tcp_inbound -p tcp -s 0/0 --destination-port 3128 -j ACCEPT #SQUID
$IPT -A tcp_inbound -p TCP -s 0/0 --destination-port 51237 -j ACCEPT #SSH
$IPT -A tcp_inbound -p TCP -s 0/0 --destination-port 34567 -j ACCEPT #KTORRENT
$IPT -A udp_inbound -p TCP -s 0/0 --destination-port 34568 -j ACCEPT #KTORRENT
$IPT -A tcp_inbound -p TCP -s 0/0 --destination-port 3551 -j ACCEPT #APCUPSD
#$IPT -A tcp_inbound -p TCP -s 0/0 --destination-port 10000 -j ACCEPT #WEBMIN
#$IPT -A tcp_inbound -p TCP -s 0/0 --destination-port 18083 -j ACCEPT #VBOXweb
# Email Servers:SMTP(25),POP3(110),IMAP4(143),SSL-POP3(995),SSL-IMAP4(993)
#$IPT -A tcp_inbound -p TCP -s 0/0 --destination-port 25 -j ACCEPT
#$IPT -A tcp_inbound -p TCP -s 0/0 --destination-port 110 -j ACCEPT
#$IPT -A tcp_inbound -p TCP -s 0/0 --destination-port 143 -j ACCEPT
#$IPT -A tcp_inbound -p TCP -s 0/0 --destination-port 995 -j ACCEPT
#$IPT -A tcp_inbound -p TCP -s 0/0 --destination-port 993 -j ACCEPT
$IPT -A tcp_inbound -p TCP -j RETURN

#$IPT -t nat -A tcp_prebound --destination-port 51236 -j DNAT --to-destination $SAMOTHRAKI
#$IPT -t nat -A tcp_prebound -p TCP -s 0/0 --destination-port 12321 -j DNAT --to-destination 192.168.112.163
#$IPT -t nat -A tcp_prebound --destination-port 21 -j DNAT --to-destination $SAMOTHRAKI
#$IPT -t nat -A tcp_prebound --destination-port 62000:62100 -j DNAT --to-destination $SAMOTHRAKI
#$IPT -t nat -A tcp_prebound -p TCP -s 0/0 --destination-port 29397 -j DNAT --to-destination $STARGAZE #torrent
$IPT -t nat -A tcp_prebound -p TCP -j RETURN

#$IPT -A tcp_infwdbound --destination-port 51236 -j ACCEPT
$IPT -A tcp_infwdbound -p TCP -s 0/0 --destination-port 12321 -j ACCEPT
#$IPT -A tcp_infwdbound --destination-port 21 -j ACCEPT
#$IPT -A tcp_infwdbound -p TCP -s 0/0 --destination-port 80 -j ACCEPT
#$IPT -A tcp_infwdbound --destination-port 62000:62100 -j ACCEPT
#$IPT -A tcp_infwdbound -p TCP -s 0/0 --destination-port 29397 -j ACCEPT #torrent
$IPT -A tcp_infwdbound -p TCP -j RETURN

$IPT -A tcp_fwdbound -p TCP -j RETURN

$IPT -A tcp_vpnbound -p TCP -s 0/0 --destination-port 80 -j ACCEPT #HTTP
$IPT -A tcp_vpnbound -p TCP -s 0/0 --destination-port 3389:3391 -j ACCEPT #vboxRDP vms
$IPT -A tcp_vpnbound -p TCP -s 0/0 --destination-port 3395 -j ACCEPT #xRDP
$IPT -A tcp_vpnbound -p TCP -s 0/0 --destination-port 5901 -j ACCEPT #VNC
$IPT -A tcp_vpnbound -p TCP -s 0/0 --destination-port 5801 -j ACCEPT #VNC browser
$IPT -A tcp_vpnbound -p TCP -s 0/0 --destination-port 8080 -j ACCEPT #HTTP
$IPT -A tcp_vpnbound -p TCP -s 0/0 --destination-port 6600 -j ACCEPT #MPD
$IPT -A tcp_vpnbound -p TCP -s 0/0 --destination-port 10000 -j ACCEPT #WEBMIN
$IPT -A tcp_vpnbound -p TCP -s 0/0 --destination-port 38000 -j ACCEPT #ICECAST
$IPT -A tcp_vpnbound -p TCP -s 0/0 --destination-port 22 -j ACCEPT #SSH
$IPT -A tcp_vpnbound -p TCP -s 0/0 --destination-port 51237 -j ACCEPT #SSH STARGAZE
$IPT -A tcp_vpnbound -p TCP -s 0/0 --destination-port 139 -j ACCEPT #vpn smb-cifs
$IPT -A tcp_vpnbound -p TCP -s 0/0 --destination-port 445 -j ACCEPT #vpn smb-cifs (secure)
$IPT -A tcp_vpnbound -p TCP -s 0/0 --destination-port 53 -j ACCEPT #DNS zone transfers
#$IPT -A tcp_vpnbound -p TCP -s 0/0 --destination-port 111 -j ACCEPT #vpn nfs for other clients
#$IPT -A tcp_vpnbound -p TCP -s 0/0 --destination-port 2049 -j ACCEPT #vpn nfs for other clients
$IPT -A tcp_vpnbound -p TCP -s 0/0 --destination-port 34122:34128 -j ACCEPT #vpn nfs
$IPT -A tcp_vpnbound -j RETURN

echo "Process INPUT chain ..."
$IPT -A INPUT -p ALL -i $LO_IFACE -j ACCEPT
$IPT -A INPUT -p ALL -j bad_packets
$IPT -A INPUT -p ALL -d 224.0.0.1 -j DROP
$IPT -A INPUT -p ALL -i $INET_IFACE -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPT -A INPUT -p ALL -i $VPN_IFACE -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPT -A INPUT -p ALL -i $LOCAL_IFACE -s $LOCAL_NET -j ACCEPT
$IPT -A INPUT -p ALL -i $LOCAL_IFACE -d $LOCAL_BCAST -j ACCEPT
$IPT -A INPUT -p ICMP -i $LOCAL_IFACE -j icmp_packets
$IPT -A INPUT -p ALL -i $DISK_IFACE -j ACCEPT
$IPT -A INPUT -p TCP -i $VPN_IFACE -s $VPN_NET -j tcp_vpnbound
$IPT -A INPUT -p TCP -i $VPN_IFACE -s $HOME_NET -j tcp_vpnbound
$IPT -A INPUT -p TCP -i $VPN_IFACE -s $DSA_NET -j tcp_vpnbound
$IPT -A INPUT -p UDP -i $VPN_IFACE -s $VPN_NET -j udp_vpnbound
$IPT -A INPUT -p UDP -i $VPN_IFACE -s $HOME_NET -j udp_vpnbound
$IPT -A INPUT -p UDP -i $VPN_IFACE -s $DSA_NET -j udp_vpnbound
$IPT -A INPUT -p ALL -i $VPN_IFACE -d $VPN_BCAST -j ACCEPT
$IPT -A INPUT -p ICMP -i $VPN_IFACE -j ACCEPT
$IPT -A INPUT -p TCP -i $INET_IFACE -j tcp_inbound
$IPT -A INPUT -p UDP -i $INET_IFACE -j udp_inbound
$IPT -A INPUT -p ICMP -i $INET_IFACE -j icmp_packets
$IPT -A INPUT -m pkttype --pkt-type broadcast -j DROP
$IPT -A INPUT -m limit --limit 3/minute --limit-burst 3 -j ULOG --ulog-prefix "INPUT packet died: " --ulog-nlgroup 1

echo "Process FORWARD chain ..."
$IPT -A FORWARD -i $INET_IFACE -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPT -A FORWARD -i $VPN_IFACE -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPT -A FORWARD -p tcp -i $LOCAL_IFACE -j tcp_fwdbound
$IPT -A FORWARD -i $DISK_IFACE -j ACCEPT
$IPT -A FORWARD -p udp -i $LOCAL_IFACE -j udp_fwdbound
$IPT -A FORWARD -p ALL -i $LOCAL_IFACE -j ACCEPT #accept whats not blocked above
$IPT -A FORWARD -p tcp -i $VPN_IFACE -s $VPN_NET -j tcp_vpnbound
$IPT -A FORWARD -p tcp -i $VPN_IFACE -s $HOME_NET -j tcp_vpnbound
$IPT -A FORWARD -p tcp -i $VPN_IFACE -s $DSA_NET -j tcp_vpnbound
$IPT -A FORWARD -p udp -i $VPN_IFACE -s $VPN_NET -j udp_vpnbound
$IPT -A FORWARD -p udp -i $VPN_IFACE -s $HOME_NET -j udp_vpnbound
$IPT -A FORWARD -p udp -i $VPN_IFACE -s $DSA_NET -j udp_vpnbound
$IPT -A FORWARD -p icmp -i $VPN_IFACE -j icmp_packets
$IPT -A FORWARD -p tcp -i $INET_IFACE -j tcp_infwdbound
$IPT -A FORWARD -p udp -i $INET_IFACE -j udp_infwdbound
$IPT -A FORWARD -p ICMP -i $INET_IFACE -j icmp_packets
$IPT -A FORWARD -m limit --limit 3/minute --limit-burst 3 -j ULOG --ulog-prefix "FORWARD packet died: " --ulog-nlgroup 1

echo "Process nat table in OUTPUT chain"
#$IPT -A OUTPUT -t nat -p TCP --dport 80 -m owner --uid-owner root -j ACCEPT #accept root request, but redirect all other local requests below
#$IPT -A OUTPUT -t nat -p TCP --dport 80 -m owner --uid-owner squid -j ACCEPT #accept squid request, but redirect all other local requests below
#$IPT -A OUTPUT -t nat -p TCP --dport 80 -j REDIRECT --to-ports 3128 #TRANSP PROXY for local browsers

echo "Process OUTPUT chain ..."
$IPT -A OUTPUT -m state -p icmp --state INVALID -j DROP
$IPT -A OUTPUT -p ALL -s $LO_IP -j ACCEPT
$IPT -A OUTPUT -p ALL -o $LO_IFACE -j ACCEPT
$IPT -A OUTPUT -p ALL -s $LOCAL_IP -j ACCEPT
$IPT -A OUTPUT -p ALL -o $LOCAL_IFACE -j ACCEPT
$IPT -A OUTPUT -p ALL -o $DISK_IFACE -j ACCEPT
$IPT -A OUTPUT -p ALL -o $VPN_IFACE -j ACCEPT
$IPT -A OUTPUT -p ALL -o $INET_IFACE -j ACCEPT
$IPT -A OUTPUT -m limit --limit 3/minute --limit-burst 3 -j ULOG --ulog-prefix "OUTPUT packet died: " --ulog-nlgroup 1

echo "Load rules for nat table ..."
#$IPT -t nat -A PREROUTING -p tcp -i $LOCAL_IFACE --destination-port 80 -j REDIRECT --to-ports 3128 #TRANSP PROXY
#$IPT -t nat -A PREROUTING -p tcp -i $LO_IFACE --destination-port 80 -j REDIRECT --to-ports 3128 #TRANSP PROXY for local browsers
$IPT -t nat -A PREROUTING -p udp -i $INET_IFACE -j udp_prebound
$IPT -t nat -A PREROUTING -p tcp -i $INET_IFACE -j tcp_prebound

#$IPT -t nat -A POSTROUTING -o $INET_IFACE -j SNAT --to-source $INET_ADDRESS
$IPT -t nat -A POSTROUTING -o $INET_IFACE -j MASQUERADE

echo "Load rules for mangle table ..."
root@slackware:~#