basic iptables script

1. basic iptables script

Carlos
secretsportal

(uses Ubuntu)

Posted on 05/05/2014 - 16:44h

Hi everyone, whenever I try to run an iptables script that I found on the internet I always end up with no internet access, so I'd like someone to send me the simplest possible iptables script, one that simply blocks everything and only allows internet on port 80, and 443 too. That's all I need right now, folks; can you help me by posting that script?

Another thing: also tell me how to run it and how to make it start together with the system, because it may also be that I did something wrong, so if you can help me I'll be grateful.
I'm a beginner, so the simplest possible will help me a lot.

Thanks in advance.


  


2. Re: basic iptables script

Profile removed
removido

(uses None)

Posted on 05/05/2014 - 17:22h

Wouldn't it be better to learn how to work with iptables?

Great article by Elgio!

Estrutura do Iptables (Iptables Structure) => http://www.vivaolinux.com.br/artigo/Estrutura-do-Iptables/


3. Re: basic iptables script

Profile removed
removido

(uses None)

Posted on 05/05/2014 - 18:15h

Man, on Debian I use a ready-made script that comes in the package

arno-iptables-firewall

It's so simple that it has a debconf interface, which can be adjusted at any time with

dpkg-reconfigure


It covers 99% of needs; whatever you need to customise you just add to a
customisation file.

As I said, I use this on Debian.




4. Re: basic iptables script

Carlos
secretsportal

(uses Ubuntu)

Posted on 05/05/2014 - 19:54h

kyetoy wrote:

Man, on Debian I use a ready-made script that comes in the package

arno-iptables-firewall

It's so simple that it has a debconf interface, which can be adjusted at any time with

dpkg-reconfigure


It covers 99% of needs; whatever you need to customise you just add to a
customisation file.

As I said, I use this on Debian.



But does Ubuntu have this? I'll check. Either way, whoever can paste a script here will help me a lot.


5. Re: basic iptables script

Profile removed
removido

(uses None)

Posted on 05/05/2014 - 20:16h

Yeah... Things are looking ugly on VoL, huh! Did you think about doing a search?

I'll spoon-feed it.

# apt-cache search arno-iptables-firewall


6. Re: basic iptables script

Cleber Mattos
mattos_gru

(uses Debian)

Posted on 05/05/2014 - 20:48h

amarildosertorio wrote:

Yeah... Things are looking ugly on VoL, huh! Did you think about doing a search?

I'll spoon-feed it.

# apt-cache search arno-iptables-firewall


It hurts.





7. Re: basic iptables script

Carlos
secretsportal

(uses Ubuntu)

Posted on 17/05/2014 - 20:33h

I used Arno iptables but didn't like it; what I really need is a script. Can nobody post a script to help me?


8. Found one

Leandro
nunesdutra

(uses Debian)

Posted on 26/05/2017 - 21:08h

#!/bin/bash
#
# Disabling traffic between the network cards (IP forwarding)
#################################
echo 0 > /proc/sys/net/ipv4/ip_forward
#
## Clearing and resetting the chains and tables
######################################
iptables -Z # Zero the packet and byte counters of all chains
iptables -F # Remove the rules of all chains
iptables -X # Delete all user-defined chains
#iptables -t nat -Z
#iptables -t nat -F
#iptables -t nat -X
#iptables -t mangle -Z
#iptables -t mangle -F
#iptables -t mangle -X
#
## Protection against ping, SYN cookies, IP spoofing and kernel protections
##########################################################
echo 1 > /proc/sys/net/ipv4/tcp_syncookies # SYN flood (DoS)
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts # Port scanners
echo 0 > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses # Bogus ICMP error responses
for i in /proc/sys/net/ipv4/conf/*; do
    echo 0 > "$i/accept_redirects" # Do not accept route redirects
    echo 0 > "$i/accept_source_route" # No source routing (traceroute)
    echo 1 > "$i/log_martians" # Log suspicious packets in the kernel log
    echo 1 > "$i/rp_filter" # IP spoofing
    echo 1 > "$i/secure_redirects" # Secure packet redirection
done
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_all # No ping or tracert
#
# Loading the modules - not all modules are necessary,
# only the ones you are going to use.
# By default, iptables loads the main modules automatically.
# To identify which extra module to load, write the whole script first
# and then load the module matching the name of the target you used.
# For example, if you use the following rule:
# iptables -A FORWARD -p udp -m multiport --dport 80,1024:65535 -j DROP
# the "ipt_multiport" module must be loaded.
# Almost all modules are listed below.
################################
modprobe ip_tables
modprobe iptable_nat
modprobe iptable_filter
modprobe iptable_mangle
#
modprobe ip_conntrack
modprobe ip_conntrack_ftp
modprobe ip_nat_ftp
modprobe ip_queue
modprobe ip_gre
#
modprobe ipt_LOG
modprobe ipt_MARK
modprobe ipt_REDIRECT
modprobe ipt_REJECT
modprobe ipt_MASQUERADE
modprobe ipt_TCPMSS
modprobe ipt_TOS
modprobe ipt_NETMAP
#
modprobe ipt_limit
modprobe ipt_mac
modprobe ipt_multiport
modprobe ipt_owner
modprobe ipt_state
modprobe ipt_tos
modprobe ipt_mark
modprobe ipt_tcpmss
modprobe ipt_string
modprobe ipt_statistic
#
modprobe nf_nat_pptp
modprobe nf_nat_proto_gre
#
# Setting the default policies
######################
iptables -P INPUT DROP # the default policy of the INPUT chain is to deny everything
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT
#
# Allowing the loopback
####################
iptables -A INPUT -i lo -j ACCEPT
#
## Internet security and access rules
#####################################
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -m state --state NEW ! -i ethx -j DROP # ethx = interface facing the internet
iptables -A FORWARD -m state --state NEW ! -i ethx -j DROP # ethx = interface facing the internet
iptables -A INPUT -m state --state INVALID -j DROP
iptables -A FORWARD -m state --state INVALID -j DROP
#
# Redirection to Squid and masquerading/connection sharing
###########################################
iptables -t nat -A PREROUTING -i ethx -p tcp --dport 80 -j REDIRECT --to-port 3128 # ethx = internal network interface
iptables -t nat -A POSTROUTING -o ethx -j MASQUERADE # ethx = interface facing the internet
#
# From here on you can insert your allow and block rules; don't forget to enable traffic between the network cards at the end.
#
# Enabling traffic between the network cards (IP forwarding)
##########################
echo 1 > /proc/sys/net/ipv4/ip_forward
#
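
The script above is a gateway script (forwarding, Squid redirect and masquerading), which is more than the opening post asked for. As an added example that is not from this thread or any of its posters, here is the minimal host firewall the original poster described: default DROP, loopback and established traffic allowed, and only new outbound HTTP/HTTPS, plus DNS, which is what most "I lost internet access" scripts forget to allow once OUTPUT is set to DROP. The interface name eth0 and the rules path /etc/iptables/rules.v4 (the file the iptables-persistent package restores at boot on Ubuntu/Debian) are assumptions.

```shell
#!/bin/sh
# Minimal host firewall (added example, not the thread's script).
# Usage:  sh minimal-fw.sh print        # show the rules (no root needed)
#         sudo sh minimal-fw.sh apply   # load them into the kernel
#         sudo sh minimal-fw.sh save    # persist them for boot (iptables-persistent)
set -eu

WAN_IF="${WAN_IF:-eth0}"                              # assumption: interface that reaches the internet
RULES_FILE="${RULES_FILE:-/etc/iptables/rules.v4}"    # assumption: file iptables-persistent restores at boot

# Emit the rule set, one iptables command per line.  Keeping generation separate
# from application lets you review (and test) the rules without being root.
gen_rules() {
  cat <<EOF
iptables -F
iptables -X
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT DROP
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
iptables -A INPUT -m conntrack --ctstate INVALID -j DROP
iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -o $WAN_IF -p udp --dport 53 -m conntrack --ctstate NEW -j ACCEPT
iptables -A OUTPUT -o $WAN_IF -p tcp --dport 53 -m conntrack --ctstate NEW -j ACCEPT
iptables -A OUTPUT -o $WAN_IF -p tcp --dport 80 -m conntrack --ctstate NEW -j ACCEPT
iptables -A OUTPUT -o $WAN_IF -p tcp --dport 443 -m conntrack --ctstate NEW -j ACCEPT
iptables -A INPUT -m limit --limit 5/min -j LOG --log-prefix "fw-drop: "
EOF
}
# Notes on the rules above:
#  - DNS (port 53, UDP and TCP) is allowed because without it name resolution fails
#    and "the internet stops working" even though 80/443 are open.
#  - Everything else that is NEW and outbound is dropped by the OUTPUT policy.
#  - The final LOG rule records what INPUT drops (rate limited) so you can see
#    in the kernel log what the firewall is blocking instead of guessing.

# Destination ports that new outbound connections may open (for review/tests).
allowed_out_ports() {
  gen_rules | sed -n 's/.*-A OUTPUT .* --dport \([0-9]*\) .*NEW.*/\1/p' \
    | sort -un | tr '\n' ' ' | sed 's/ $//'
}

apply_rules() {
  [ "$(id -u)" -eq 0 ] || { echo "apply needs root" >&2; return 1; }
  gen_rules | sh -e     # stop at the first failing rule instead of leaving a half-loaded set
}

save_rules() {
  [ "$(id -u)" -eq 0 ] || { echo "save needs root" >&2; return 1; }
  mkdir -p "$(dirname "$RULES_FILE")"
  iptables-save > "$RULES_FILE"   # iptables-persistent reloads this file at boot
}

case "${1:-}" in
  print) gen_rules ;;
  apply) apply_rules ;;
  save)  save_rules ;;
esac
```

Run `print` first and read the output; only `apply` when it matches what you expect, and `save` only after confirming that browsing still works.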


9. Re: basic iptables script

Profile removed
removido

(uses None)

Posted on 26/05/2017 - 21:25h

removido wrote:

Man, on Debian I use a ready-made script that comes in the package

arno-iptables-firewall

It's so simple that it has a debconf interface, which can be adjusted at any time with

dpkg-reconfigure


It covers 99% of needs; whatever you need to customise you just add to a
customisation file.

As I said, I use this on Debian.



Very interesting. I'll take a look.

----------------------------------------------------------------------------------------------------------------
Neither right nor left. When it comes to corruption, Brazil is ambidextrous.
(anonymous)

Encryption works. Properly implemented strong crypto systems are one of the few things that you can rely on. Unfortunately, endpoint security is so terrifically weak that NSA can frequently find ways around it. — Edward Snowden



10. Re: basic iptables script

Profile removed
removido

(uses None)

Posted on 26/05/2017 - 22:53h

This Arno's thing is just a script with rules for iptables; it comes with a conf for Rwindows users.

http://rocky.eld.leidenuniv.nl/html/


#!/bin/sh

MY_VERSION="2.0.1f"

# Location of the main configuration file for the firewall
##########################################################
CONFIG_FILE=/etc/arno-iptables-firewall/firewall.conf

# ------------------------------------------------------------------------------
# -= Arno's iptables firewall =-
# Single- & multi-homed firewall script with DSL/ADSL support
#
# ~ In memory of my dear father ~
#
# (C) Copyright 2001-2015 by Arno van Amersfoort & Lonnie Abelbeck
# Homepage : http://rocky.eld.leidenuniv.nl/
# Email : a r n o v a AT r o c k y DOT e l d DOT l e i d e n u n i v DOT n l
# (note: you must remove all spaces and substitute the @ and the .
# at the proper locations!)
# ------------------------------------------------------------------------------
# This program is free software; you can redistribute it and/or
# modify it under the terms of the GNU General Public License
# version 2 as published by the Free Software Foundation.

# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.

# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
# ------------------------------------------------------------------------------

printf "\033[40m\033[1;32mArno's Iptables Firewall Script v$MY_VERSION\033[0m\n"
echo "-------------------------------------------------------------------------------"

# Check if the main config file exists and if so load it
########################################################
if [ -e "$CONFIG_FILE" ]; then
  . "$CONFIG_FILE"
else
  printf "\033[40m\033[1;31mERROR: Could not read configuration file $CONFIG_FILE!\033[0m\n" >&2
  printf "\033[40m\033[1;31m Please, check the file's location and (root) rights.\033[0m\n" >&2
  exit 2
fi

# Check if the environment file exists and if so, load it
#########################################################
if [ -z "$ENV_FILE" ]; then
  if [ -f /usr/local/share/arno-iptables-firewall/environment ]; then
    ENV_FILE="/usr/local/share/arno-iptables-firewall/environment"
  else
    if [ -f /usr/share/arno-iptables-firewall/environment ]; then
      ENV_FILE="/usr/share/arno-iptables-firewall/environment"
    else
      printf "\033[40m\033[1;31mERROR: The environment file (ENV_FILE) has not been specified\033[0m\n" >&2
      printf "\033[40m\033[1;31m in the configuration file. Try upgrading your config-file!\033[0m\n" >&2
      exit 2
    fi
  fi
fi

if [ -e "$ENV_FILE" ]; then
  . "$ENV_FILE"
else
  printf "\033[40m\033[1;31mERROR: Could not read environment file \"$ENV_FILE\"!\033[0m\n" >&2
  printf "\033[40m\033[1;31m Please, check the file's location and (root) rights.\033[0m\n" >&2
  exit 2
fi


sanity_check()
{
  # root check
  if [ "$(id -u)" != "0" ]; then
    printf "\033[40m\033[1;31mERROR: Root check FAILED (you MUST be root to use this script)! Quitting...\033[0m\n" >&2
    exit 1
  fi

  # Check whether the required binaries exist and are executable
  ##############################################################
  check_command_error iptables
  if [ "$IPV6_DETECTED" = "1" ]; then
    check_command_error ip6tables
  fi
  check_command_error awk
  check_command_error tr
  check_command_error ip
  check_command_error cut
  check_command_error uname
  check_command_error sed
  check_command_error cat
  check_command_error date
  check_command_error modprobe
  check_command_error sysctl
  check_command_error head
  check_command_error tail
  check_command_error wc
  check_command_error logger

  check_command_warning dig nslookup

  if [ "$IPV6_SUPPORT" = "1" ]; then
    if ! kernel_ver_chk 2 6 24; then
      printf "\033[40m\033[1;31mWARNING: IPv6 support is enabled but your kernel is rather old (<2.6.24)! This *could* cause problems...\033[0m\n" >&2
    fi
  fi
}


config_check()
{
  # Make sure EXT_IF != ""
  ########################
  if [ -z "$EXT_IF" ]; then
    printf "\033[40m\033[1;31mERROR: The required variable EXT_IF is empty!\033[0m\n" >&2
    printf "\033[40m\033[1;31m Please, check the configuration file.\033[0m\n" >&2
    exit 2
  fi

  # Check whether EXT_IF exists
  #############################
  IFS=' ,'
  for interface in $EXT_IF; do
    if ! check_interface $interface; then
      printf "\033[40m\033[1;31mWARNING: External interface $interface does NOT exist (yet?)\033[0m\n" >&2
    fi
  done

  # Check whether INT_IF exists
  #############################
  IFS=' ,'
  for interface in $INT_IF; do
    if ! check_interface $interface; then
      printf "\033[40m\033[1;31mWARNING: Internal interface $interface does NOT exist (yet?)\033[0m\n" >&2
    fi
  done

  # Check whether DMZ_IF exists
  #############################
  IFS=' ,'
  for interface in $DMZ_IF; do
    if ! check_interface $interface; then
      printf "\033[40m\033[1;31mWARNING: DMZ interface $interface does NOT exist (yet?)\033[0m\n" >&2
    fi
  done

  # Check whether TRUSTED_IF exists
  #################################
  IFS=' ,'
  for interface in $TRUSTED_IF; do
    if ! check_interface $interface; then
      printf "\033[40m\033[1;31mWARNING: Trusted interface $interface does NOT exist (yet?)\033[0m\n" >&2
    fi
  done

  # Make sure INT_IF != EXT_IF
  ############################
  IFS=' ,'
  for eif in $EXT_IF; do
    for iif in $INT_IF; do
      if [ "$iif" = "$eif" ]; then
        printf "\033[40m\033[1;31mERROR: One or more interfaces specified in EXT_IF is the same as one in\033[0m\n" >&2
        printf "\033[40m\033[1;31m INT_IF! Please, check the configuration file.\033[0m\n" >&2
        exit 3
      fi
    done
  done

  # Make sure EXT_IF != lo / 127.0.0.1
  ####################################
  IFS=' ,'
  for eif in $EXT_IF; do
    if [ "$eif" = "lo" -o "$eif" = "127.0.0.1" ]; then
      printf "\033[40m\033[1;31mERROR: One or more interfaces specified in EXT_IF has the address or name of the\033[0m\n" >&2
      printf "\033[40m\033[1;31m local loopback device! Please, check the configuration file.\033[0m\n" >&2
      exit 6
    fi
  done

  # Make sure INT_IF != lo / 127.0.0.1
  ####################################
  IFS=' ,'
  for iif in $INT_IF; do
    if [ "$iif" = "lo" -o "$iif" = "127.0.0.1" ]; then
      printf "\033[40m\033[1;31mERROR: At least one of the interfaces specified in INT_IF has the address or\033[0m\n" >&2
      printf "\033[40m\033[1;31m name of the local loopback device! Please, check the configuration file.\033[0m\n" >&2
      exit 7
    fi
  done

  # If support for an DHCP server serving an external net is enabled, we
  # also need to know what the external net is.
  ##########################################################################
  if [ "$EXTERNAL_DHCP_SERVER" = "1" -a -z "$EXTERNAL_NET" ]; then
    printf "\033[40m\033[1;31mERROR: You have enabled external DHCP server support but required variable\033[0m\n" >&2
    printf "\033[40m\033[1;31m EXTERNAL_NET has NOT been defined!\033[0m\n" >&2
    exit 10
  fi

  # We can only perform NAT if NAT_INTERNAL_NET is defined
  if [ "$NAT" = "1" -a -z "$NAT_INTERNAL_NET" ]; then
    printf "\033[40m\033[1;31mERROR: Unable to enable NAT because there's no (NAT_)INTERNAL_NET specified!\033[0m\n" >&2
    exit 11
  fi

  # If support the nmb_broadcast_fix is enabled we need the EXTERNAL_NET set
  ##########################################################################
  if [ "$NMB_BROADCAST_FIX" = "1" -a -z "$EXTERNAL_NET" ]; then
    printf "\033[40m\033[1;31mERROR: You have enabled the NMB_BROADCAST_FIX but required variable\033[0m\n" >&2
    printf "\033[40m\033[1;31m EXTERNAL_NET has NOT been defined!\033[0m\n" >&2
    exit 12
  fi

  # Warn if no_broadcast variables are used and external net is NOT defined
  ##########################################################################
  if [ -n "$BROADCAST_TCP_NOLOG" -o -n "$BROADCAST_UDP_NOLOG" ]; then
    if [ -z "$EXTERNAL_NET" -a -z "$EXT_NET_BCAST_ADDRESS" ]; then
      printf "\033[40m\033[1;31mWARNING: You are using the BROADCAST_xxx_NOLOG variables but EXTERNAL_NET (or EXT_NET_BCAST_ADDRESS)\033[0m\n" >&2
      printf "\033[40m\033[1;31m has NOT been defined!\033[0m\n" >&2
    fi
  fi

  # Check whether we know the plugin binary path
  ##############################################
  if [ ! -d "$PLUGIN_BIN_PATH" ]; then
    printf "\033[40m\033[1;31mERROR: The PLUGIN_BIN_PATH ($PLUGIN_BIN_PATH) does not exist!\033[0m\n" >&2
    printf "\033[40m\033[1;31m Please check your installation and/or configuration file.\033[0m\n" >&2
    exit 2
  fi

  # Check whether we know the plugin config path
  ##############################################
  if [ ! -d "$PLUGIN_CONF_PATH" ]; then
    printf "\033[40m\033[1;31mERROR: The PLUGIN_CONF_PATH ($PLUGIN_CONF_PATH) does not exist!\033[0m\n" >&2
    printf "\033[40m\033[1;31m Please check your installation and/or configuration file.\033[0m\n" >&2
    exit 2
  fi
}


load_modules()
{
  unset IFS
  # Set indent for functions
  INDENT=' '

  echo "Checking/probing Iptables modules:"

  # Required; all IPv4 modules depend on this one
  modprobe ip_tables
  if [ "$IPV6_SUPPORT" = "1" ]; then
    modprobe ip6_tables
  fi

  # Allows connection tracking state match, which allows you to
  # write rules matching the state of a connection
  modprobe_multi nf_conntrack ip_conntrack
  if [ "$IPV6_SUPPORT" = "1" ]; then
    modprobe nf_conntrack_ipv6
  fi

  # Permits active FTP; requires ip_conntrack
  modprobe_multi nf_conntrack_ftp ip_conntrack_ftp

  # Allows tracking for various protocols, placing entries in the conntrack table etc.
  if [ "$IPV6_SUPPORT" = "1" ]; then
    modprobe_multi xt_conntrack "ipt_conntrack,ip6t_conntrack"
  else
    modprobe_multi xt_conntrack ipt_conntrack
  fi

  # Allows log limits
  if [ "$IPV6_SUPPORT" = "1" ]; then
    modprobe_multi xt_limit "ipt_limit,ip6t_limit"
  else
    modprobe_multi xt_limit ipt_limit
  fi

  # Permits packet state checking (SYN, SYN-ACK, ACK, and so on).
  if [ "$IPV6_SUPPORT" = "1" ]; then
    modprobe_multi xt_state "ipt_state,ip6t_state"
  else
    modprobe_multi xt_state ipt_state
  fi

  # Allows packet specifications on multiple ports
  if [ "$IPV6_SUPPORT" = "1" ]; then
    modprobe_multi xt_multiport "ipt_multiport,ip6t_multiport"
  else
    modprobe_multi xt_multiport ipt_multiport
  fi

  # Implement the filter table:
  modprobe iptable_filter
  if [ "$IPV6_SUPPORT" = "1" ]; then
    modprobe ip6table_filter
  fi

  # Implement the mangle table
  modprobe iptable_mangle
  if [ "$IPV6_SUPPORT" = "1" ]; then
    modprobe ip6table_mangle
  fi

  # Implement the REJECT target
  modprobe ipt_REJECT
  if [ "$IPV6_SUPPORT" = "1" ]; then
    modprobe ip6t_REJECT
  fi

  # Implement the LOG target
  if [ "$IPV6_SUPPORT" = "1" ]; then
    modprobe_multi xt_LOG "ipt_LOG,ip6t_LOG"
  else
    modprobe_multi xt_LOG ipt_LOG
  fi

  if [ "$SET_MSS" != "0" ]; then
    # Implement the TCPMSS target
    if [ "$IPV6_SUPPORT" = "1" ]; then
      modprobe_multi xt_TCPMSS "ipt_TCPMSS,ip6t_TCPMSS"
    else
      modprobe_multi xt_TCPMSS ipt_TCPMSS
    fi
  fi

  if [ "$MANGLE_TOS" != "0" ]; then
    # Implement the TOS target
    if [ "$IPV6_SUPPORT" = "1" ]; then
      modprobe_multi xt_DSCP "ipt_DSCP,ip6t_DSCP" "ipt_TOS,ip6t_TOS"
    else
      modprobe_multi xt_DSCP ipt_DSCP ipt_TOS
    fi
  fi

  if [ "$PACKET_TTL" = "1" -o "$TTL_INC" = "1" ]; then
    # Load the TTL target:
    modprobe ipt_TTL
  fi

  # (Currently) unused modules:
  # modprobe ipt_addrtype # Allows matching src/dst address type (BROKEN!)
  # modprobe ipt_pkttype # Permits checking for packet type (BROADCAST, MULTICAST etc.) (BROKEN!)
  # modprobe ip_queue # Allows queuing packets to user space
  # modprobe ipt_owner # Permits user/group checking on OUTPUT packets
  # modprobe ipt_mark # Allows use of mark match
  # modprobe ip_conntrack_egg

  # Implement the NAT table
  modprobe iptable_nat

  if [ "$NAT" = "1" -o -n "$NAT_FORWARD_TCP" -o -n "$NAT_FORWARD_UDP" -o -n "$NAT_FORWARD_IP" ]; then
    # Load the module implementing DNAT/SNAT/NAT support
    modprobe_multi nf_nat ip_nat
  fi

  if [ "$NAT" = "1" ]; then
    modprobe_multi nf_nat_ftp ip_nat_ftp # Permits active FTP via nat; requires ip_conntrack & iptable_nat

    if [ -z "$NAT_STATIC_IP" ]; then
      # Load the MASQUERADE target:
      modprobe ipt_MASQUERADE
    fi
  fi

  if [ "$USE_IRC" = "1" ]; then
    # echo "Enabling IRC DCC module support..."
    modprobe_multi nf_conntrack_irc ip_conntrack_irc #ports=6661,6662,6663,6664,6665,6666,6667,6668,6669,7000,7001

    if [ "$NAT" = "1" ]; then
      modprobe_multi nf_nat_irc ip_nat_irc #ports=6661,6662,6663,6664,6665,6666,6667,6668,6669,7000,7001
    fi
  fi

  echo " Module check done..."
}


setup_misc()
{
  # Remove any stale plugin restart file
  rm -f "$PLUGIN_LOAD_FILE_RESTART"

  # Remove stale host-cache file
  rm -f "$HOST_CACHE_FILE"

  # Most people don't want to get any firewall logs being spit to the console
  # This option makes the kernel ring buffer only log messages with level "panic"
  if [ "$DMESG_PANIC_ONLY" = "1" ]; then
    echo "Setting the kernel ring buffer to only log panic messages to the console"
    # dmesg -c # Clear ring buffer
    dmesg -n 1 # Only show panic messages on the console
  fi
}


setup_kernel_settings()
{
  # Set INDENT value for functions
  INDENT=' '

  echo "Configuring general kernel parameters:"

  # Set the maximum number of connections to track.
  # The kernel "default" depends on the available amount of RAM, 128 MB of RAM -> 8192
  # possible entries, 256 MB of RAM --> 16376 possible entries, etc...
  #######################################################################################
  if [ -n "$CONNTRACK" -a "$CONNTRACK" != "0" ]; then
    echo " Setting the max. amount of simultaneous connections to $CONNTRACK"
    sysctl_multi -w net.nf_conntrack_max=$CONNTRACK \
                    net.ipv4.netfilter.ip_conntrack_max=$CONNTRACK \
                    net.ipv4.ip_conntrack_max=$CONNTRACK
  fi

  # Change some default timings to fix false logs generated by "lost connections"
  # Defaults:
  # echo 60 > /proc/sys/net/ipv4/netfilter/ip_conntrack_udp_timeout
  # echo 180 > /proc/sys/net/ipv4/netfilter/ip_conntrack_udp_timeout_stream
  # echo 10 >/proc/sys/net/ipv4/netfilter/ip_conntrack_tcp_timeout_close
  # echo 300 > /proc/sys/net/ipv4/netfilter/ip_conntrack_tcp_timeout_max_retrans
  # echo 120 > /proc/sys/net/ipv4/netfilter/ip_conntrack_tcp_timeout_time_wait
  # echo 30 > /proc/sys/net/ipv4/netfilter/ip_conntrack_tcp_timeout_last_ack
  # echo 60 > /proc/sys/net/ipv4/netfilter/ip_conntrack_tcp_timeout_close_wait
  # echo 120 > /proc/sys/net/ipv4/netfilter/ip_conntrack_tcp_timeout_fin_wait
  # echo 60 > /proc/sys/net/ipv4/netfilter/ip_conntrack_tcp_timeout_syn_recv
  # echo 120 > /proc/sys/net/ipv4/netfilter/ip_conntrack_tcp_timeout_syn_sent
  # echo 30 > /proc/sys/net/ipv4/netfilter/ip_conntrack_icmp_timeout
  # echo 1200 > /proc/sys/net/ipv4/netfilter/ip_conntrack_generic_timeout
  ###############################################################################
  # echo " Setting default conntrack timeouts"

  # This is to fix issues with DNS:
  sysctl_multi -w net.netfilter.nf_conntrack_udp_timeout=60 \
                  net.ipv4.netfilter.ip_conntrack_udp_timeout=60

  # sysctl_multi -w net.netfilter.nf_conntrack_udp_timeout_stream=180 \
  #                 net.ipv4.netfilter.ip_conntrack_udp_timeout_stream=180

  # Enable Conntrack Accounting (kernel config CONFIG_NF_CT_ACCT)
  # CONFIG_NF_CT_ACCT is deprecated and will be removed sometime after kernel 2.6.27
  sysctl -w net.netfilter.nf_conntrack_acct=1 2>/dev/null

  # Always set IPv4 options for IPv4 or IPv4/IPv6
  ######################################################
  echo "Configuring kernel parameters:"

  # Disable ICMP send_redirect
  ############################
  echo " Disabling send redirects"
  sysctl_set_all "net.ipv4.conf" "send_redirects" 0
  if [ "$IPV6_SUPPORT" = "1" ]; then
    sysctl_set_all "net.ipv6.conf" "send_redirects" 0
  fi

  # Don't accept source routed packets.
  # Attackers can use source routing to generate
  # traffic pretending to be from inside your network, but which is routed back along
  # the path from which it came, namely outside, so attackers can compromise your
  # network. Source routing is rarely used for legitimate purposes.
  ###################################################################################
  if [ "$SOURCE_ROUTE_PROTECTION" = "0" ]; then
    echo " DISABLING protection against source routed packets"
    sysctl_set_all "net.ipv4.conf" "accept_source_route" 1
    if [ "$IPV6_SUPPORT" = "1" ]; then
      sysctl_set_all "net.ipv6.conf" "accept_source_route" 1
    fi
  else
    echo " Enabling protection against source routed packets"
    sysctl_set_all "net.ipv4.conf" "accept_source_route" 0
    if [ "$IPV6_SUPPORT" = "1" ]; then
      sysctl_set_all "net.ipv6.conf" "accept_source_route" 0
    fi
  fi

  # ICMP Broadcasting protection (smurf amplifier protection)
  ###########################################################
  sysctl -w net.ipv4.icmp_echo_ignore_broadcasts=1

  # ICMP Dead Error Messages protection
  #####################################
  sysctl -w net.ipv4.icmp_ignore_bogus_error_responses=1

  # IP forwarding (need it to perform for example NAT)
  ####################################################
  if [ "$IP_FORWARDING" = "1" ]; then
    echo " Enabling packet forwarding"
    sysctl_set_all "net.ipv4.conf" "forwarding" 1 || sysctl -w net.ipv4.ip_forward=1 ||
    {
      printf "\033[40m\033[1;31m WARNING: net.ipv4.conf.*.forwarding (or net.ipv4.ip_forward) could not be set! If you're using\033[0m\n" >&2
      printf "\033[40m\033[1;31m NAT or any other type of forwarding this may be a problem.\033[0m\n" >&2
    }
    if [ "$IPV6_SUPPORT" = "1" ]; then
      sysctl_set_all "net.ipv6.conf" "forwarding" 1
      echo " Disabling Local IPv6 Auto-Configuration"
      sysctl_set_all "net.ipv6.conf" "autoconf" 0
      sysctl_set_all "net.ipv6.conf" "accept_ra" 0
    fi
  elif [ "$IP_FORWARDING" = "0" ]; then
    echo " DISABLING packet forwarding"
    sysctl_set_all "net.ipv4.conf" "forwarding" 0 2>/dev/null || sysctl -w -e net.ipv4.ip_forward=0 2>/dev/null
    if [ "$IPV6_SUPPORT" = "1" ]; then
      sysctl_set_all "net.ipv6.conf" "forwarding" 0 2>/dev/null
      if [ "$IPV6_AUTO_CONFIGURATION" != "0" ]; then
        echo " Enabling IPv6 Auto-Configuration"
        sysctl_set_all "net.ipv6.conf" "autoconf" 1
        sysctl_set_all "net.ipv6.conf" "accept_ra" 1
      else
        echo " DISABLING IPv6 Auto-Configuration"
        sysctl_set_all "net.ipv6.conf" "autoconf" 0
        sysctl_set_all "net.ipv6.conf" "accept_ra" 0
      fi
    fi
  fi

  # Enable some general settings
  ##############################
  echo " Setting some kernel performance options"
  sysctl -w net.ipv4.tcp_window_scaling=1
  sysctl -w net.ipv4.tcp_timestamps=1
  sysctl -w net.ipv4.tcp_sack=1
  sysctl -w net.ipv4.tcp_dsack=1
  sysctl -w net.ipv4.tcp_fack=1
  sysctl -w net.ipv4.tcp_low_latency=0

  # Reduce DoS'ing ability by reducing timeouts
  #############################################################
  if [ "$REDUCE_DOS_ABILITY" = "1" ]; then
    echo " Enabling reduction of the DoS'ing ability"

    sysctl -w net.ipv4.tcp_fin_timeout=30
    sysctl -w net.ipv4.tcp_keepalive_time=1800

    # Set number of times to retry SYN in a new connection
    sysctl -w net.ipv4.tcp_syn_retries=3

    # Set number of times to retry a SYN-ACK in a half-open new connections
    sysctl -w net.ipv4.tcp_synack_retries=2

    # Enable a fix for RFC1337 - time-wait assassination hazards in TCP
    sysctl -w net.ipv4.tcp_rfc1337=1
  elif [ "$REDUCE_DOS_ABILITY" = "0" ]; then
    echo " Disabling reduction of the DoS'ing ability"

    # Defaults:
    sysctl -w net.ipv4.tcp_fin_timeout=60
    sysctl -w net.ipv4.tcp_keepalive_time=7200
    sysctl -w net.ipv4.tcp_syn_retries=5
    sysctl -w net.ipv4.tcp_synack_retries=5
    sysctl -w net.ipv4.tcp_rfc1337=0
  fi

  # Set our local port range. Kernel default = "1024 4999"
  ########################################################
  if [ -z "$LOCAL_PORT_RANGE" ]; then
    LOCAL_PORT_RANGE="32768 61000"
  fi
  sysctl -w net.ipv4.ip_local_port_range="$LOCAL_PORT_RANGE"

  # Now we change the LOCAL_PORT_RANGE for further use by iptables (replace space with :)
  LOCAL_PORT_RANGE="$(echo "$LOCAL_PORT_RANGE" |tr ' ' ':')"

  # Add synflood protection?
  ##########################
  if [ "$SYN_PROT" != "0" ]; then
    echo " Enabling SYN-flood protection via SYN-cookies"
    sysctl -w net.ipv4.tcp_syncookies=1
  else
    echo " Disabling SYN-flood protection via SYN-cookies"
    sysctl -w net.ipv4.tcp_syncookies=0
  fi

  # Use rp_filter to drop connections from non-routable IPs
  ######################################################################
  if [ "$RP_FILTER" = "2" ]; then
    echo " Enabling loose anti-spoof with rp_filter"
    sysctl_set_all "net.ipv4.conf" "rp_filter" 2
  elif [ "$RP_FILTER" = "1" ]; then
    echo " Enabling strict anti-spoof with rp_filter"
    sysctl_set_all "net.ipv4.conf" "rp_filter" 1
  elif [ "$RP_FILTER" = "0" ]; then
    echo " Disabling anti-spoof with rp_filter"
    sysctl_set_all "net.ipv4.conf" "rp_filter" 0
  fi

  # Block ALL ICMP echo requests?
  ###############################
  if [ "$ECHO_IGNORE" = "1" ]; then
    echo " Blocking all ICMP echo-requests"
    sysctl -w net.ipv4.icmp_echo_ignore_all=1
  elif [ "$ECHO_IGNORE" = "0" ]; then
    sysctl -w net.ipv4.icmp_echo_ignore_all=0
  fi

  # Log martians?
  ###############
  if [ "$LOG_MARTIANS" = "1" ]; then
    echo " Enabling the logging of martians"
    sysctl_set_all "net.ipv4.conf" "log_martians" 1
  elif [ "$LOG_MARTIANS" = "0" ]; then
    echo " Disabling the logging of martians"
    sysctl_set_all "net.ipv4.conf" "log_martians" 0
  fi

  # Accept ICMP redirect messages?
  ################################
  if [ "$ICMP_REDIRECT" = "1" ]; then
    echo " Enabling the acceptance of ICMP-redirect messages"
    sysctl_set_all "net.ipv4.conf" "accept_redirects" 1
    if [ "$IPV6_SUPPORT" = "1" ]; then
      sysctl_set_all "net.ipv6.conf" "accept_redirects" 1
    fi
  elif [ "$ICMP_REDIRECT" = "0" ]; then
    echo " Disabling the acceptance of ICMP-redirect messages"
    sysctl_set_all "net.ipv4.conf" "accept_redirects" 0
    if [ "$IPV6_SUPPORT" = "1" ]; then
      sysctl_set_all "net.ipv6.conf" "accept_redirects" 0
    fi
  fi

  # Enable ECN? (Explicit Congestion Notification)
  ################################################
  if [ "$ECN" = "1" ]; then
    echo " Enabling ECN (Explicit Congestion Notification)"
    sysctl -w net.ipv4.tcp_ecn=1
  elif [ "$ECN" = "0" ]; then
    echo " Disabling ECN (Explicit Congestion Notification)"
    sysctl -w net.ipv4.tcp_ecn=0
  fi

  # This enables dynamic-address hacking which makes the
  # life with Diald and similar programs much easier.
  ######################################################
  if [ "$EXT_IF_DHCP_IP" = "1" ]; then
    echo " Enabling kernel support for dynamic IPs"
    sysctl -w net.ipv4.ip_dynaddr=1
  elif [ "$EXT_IF_DHCP_IP" = "0" ]; then
    echo " Disabling kernel support for dynamic IPs"
    sysctl -w net.ipv4.ip_dynaddr=0
  fi

  # In most cases pmtu discovery is ok, but in some rare cases (when having problems)
  # you might want to disable it.
  if [ "$NO_PMTU_DISCOVERY" = "1" ]; then
    echo " Disabling PMTU discovery"
    sysctl -w net.ipv4.ip_no_pmtu_disc=1
  elif [ "$NO_PMTU_DISCOVERY" = "0" ]; then
    echo " Enabling PMTU discovery"
    sysctl -w net.ipv4.ip_no_pmtu_disc=0
  fi

  # Time To Live (TTL) is the term for a data field in the internet protocol.
  # TTL is today interpreted to indicate the maximum number of routers a packet may transit.
  # Each router that handles a packet will decrement the TTL field by 1.
  # Raise if you have a huge network.
  # Set the default ttl. (Kernel Default: 64)
  ###########################################################################################
  if [ -n "$DEFAULT_TTL" ]; then
    if [ $DEFAULT_TTL -gt 9 -a $DEFAULT_TTL -lt 256 ]; then
      echo " Setting default TTL=$DEFAULT_TTL"
      sysctl -w net.ipv4.ip_default_ttl=$DEFAULT_TTL
    else
      printf "\033[40m\033[1;31m WARNING: Ignoring invalid value for DEFAULT_TTL ($DEFAULT_TTL), it should be between 10 and 255!\033[0m\n" >&2
    fi
  fi

  # Increase the default queuelength. (Kernel Default: 1024)
  ##########################################################
  # sysctl -w -e net.ipv4.ip_queue_maxlen=2048

  # With eg. open iscsi some systems may have problems under heavy load. Enable tcp_be_liberal to workaround this
  if [ "$TCP_BE_LIBERAL" = "1" ]; then
    sysctl -w net.ipv4.netfilter.ip_conntrack_tcp_be_liberal=1
  fi

  echo " Flushing route table"
  sysctl -w net.ipv4.route.flush=1
  if [ "$IPV6_SUPPORT" = "1" ]; then
    sysctl -w net.ipv6.route.flush=1
  fi

  echo " Kernel setup done..."

  # Return "no error"
  return 0
}


init_firewall_chains()
{
  echo "Initializing firewall chains"

  # Set INDENT for functions
  INDENT=' '

  # Attempt to flush all IPv4 chains
  ##################################
  ip4tables -F
  ip4tables -X

  # Flush builtin IPv4 chains
  ###########################
  ip4tables -F INPUT
  ip4tables -F OUTPUT
  ip4tables -F FORWARD

  # Flush rules in nat/mangle tables
  ##################################
  ip4tables -t nat -F
  ip4tables -t nat -X
  ip4tables -t mangle -F
  ip4tables -t mangle -X

  if [ "$IPV6_DETECTED" = "1" ]; then
    # Attempt to flush all IPv6 chains
    ##################################
    ip6tables -F
    ip6tables -X

    # Flush builtin IPv6 chains
    ###########################
    ip6tables -F INPUT
    ip6tables -F OUTPUT
    ip6tables -F FORWARD

    # Flush rules in mangle table
    #############################
    ip6tables -t mangle -F
    ip6tables -t mangle -X
  fi

  # Create our "base" chains
  ##########################
  iptables -N BASE_INPUT_CHAIN
  iptables -N BASE_FORWARD_CHAIN
  iptables -N BASE_OUTPUT_CHAIN

  # Accept packets of ESTABLISHED connections
  ###########################################
  iptables -A BASE_INPUT_CHAIN -m state --state ESTABLISHED -j ACCEPT
  iptables -A BASE_FORWARD_CHAIN -m state --state ESTABLISHED -j ACCEPT
  iptables -A BASE_OUTPUT_CHAIN -m state --state ESTABLISHED -j ACCEPT

  # Accept packets of RELATED connections
  #######################################
  iptables -A BASE_INPUT_CHAIN -m state --state RELATED -p tcp --dport 1024: -j ACCEPT
  iptables -A BASE_INPUT_CHAIN -m state --state RELATED -p udp --dport 1024: -j ACCEPT
  iptables -A BASE_INPUT_CHAIN -m state --state RELATED -p icmp -j ACCEPT
  iptables -A BASE_FORWARD_CHAIN -m state --state RELATED -p tcp --dport 1024: -j ACCEPT
  iptables -A BASE_FORWARD_CHAIN -m state --state RELATED -p udp --dport 1024: -j ACCEPT
  iptables -A BASE_FORWARD_CHAIN -m state --state RELATED -p icmp -j ACCEPT

  # Drop all IPv6 packets with Routing Header Type 0
  ##################################################
  if [ "$IPV6_SUPPORT" = "1" -a "$IPV6_DROP_RH_ZERO" != "0" ]; then
    if try_ip6tables -A BASE_INPUT_CHAIN -m rt --rt-type 0 -j DROP; then
      ip6tables -A BASE_FORWARD_CHAIN -m rt --rt-type 0 -j DROP
      ip6tables -A BASE_OUTPUT_CHAIN -m rt --rt-type 0 -j DROP
    else
      echo " WARNING: IPv6 Routing Header Type 0 matching not supported"
    fi
  fi

  # Accept all packets for the loopback device
  ############################################
  iptables -A BASE_INPUT_CHAIN -i lo -j ACCEPT
  iptables -A BASE_FORWARD_CHAIN -i lo -j ACCEPT
  iptables -A BASE_OUTPUT_CHAIN -o lo -j ACCEPT

  # Insert our base chains
  ########################
  iptables -A INPUT -j BASE_INPUT_CHAIN
iptables -A FORWARD -j BASE_FORWARD_CHAIN
iptables -A OUTPUT -j BASE_OUTPUT_CHAIN

# Create several chains that we will use later on
#################################################
create_user_chains;

# Reset the iptables counters
iptables -Z
iptables -t mangle -Z
ip4tables -t nat -Z
}


# Check if the base chains are appropriate for the IPV6_SUPPORT setting
#######################################################################
check_for_base_chains()
{
local ipv4_rtn ipv6_rtn

ip4tables -nL BASE_INPUT_CHAIN >/dev/null 2>&1
ipv4_rtn=$?

if [ "$IPV6_DETECTED" = "1" ]; then
ip6tables -nL BASE_INPUT_CHAIN >/dev/null 2>&1
ipv6_rtn=$?
else
# No IPv6 available, therefore no ip6tables call
# Set a return error result of 1 to specify no IPv6 BASE_INPUT_CHAIN
ipv6_rtn=1
fi

if [ "$IPV6_SUPPORT" = "1" ]; then
if [ $ipv4_rtn -eq 0 -a $ipv6_rtn -eq 0 ]; then
echo "yes"
elif [ $ipv4_rtn -eq 0 ]; then
echo "other"
else
echo "no"
fi
else
if [ $ipv4_rtn -eq 0 -a $ipv6_rtn -eq 0 ]; then
echo "other"
elif [ $ipv4_rtn -eq 0 ]; then
echo "yes"
else
echo "no"
fi
fi
}


setup_default_policies()
{
# Set the default policies for the builtin INPUT, FORWARD and OUTPUT chains of the
# filter table. Unless DEFAULT_POLICY_DROP=0, everything that no later rule accepts
# is dropped, OUTPUT included.
#######################################################################
if [ "$DEFAULT_POLICY_DROP" != "0" ]; then
echo " Setting all default policies to DROP while \"setting up firewall rules\""
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT DROP
else
echo " WARNING: Setting all default policies to ACCEPT while \"setting up firewall rules\""
iptables -P INPUT ACCEPT
iptables -P FORWARD ACCEPT
iptables -P OUTPUT ACCEPT
fi

if [ "$IPV6_SUPPORT" = "1" ]; then
echo "IPv4/IPv6 mixed mode selected"
elif [ "$IPV6_DETECTED" = "1" ]; then
echo "IPv4 mode selected but IPv6 available, DROP all IPv6 packets"
ip6tables -P INPUT DROP
ip6tables -P FORWARD DROP
ip6tables -P OUTPUT DROP

# Allow IPv6 traffic from the loopback (localhost)
ip6tables -A INPUT -i lo -j ACCEPT
ip6tables -A FORWARD -i lo -j ACCEPT
ip6tables -A OUTPUT -o lo -j ACCEPT

# DROP all IPv6 traffic
ip6tables -A INPUT -j DROP
ip6tables -A FORWARD -j DROP
ip6tables -A OUTPUT -j DROP
else
echo "IPv4 mode selected, no IPv6 available"
fi

# The POST_INPUT_DROP_CHAIN should temporarily DROP for now
# We'll change this once the rules are in place
###########################################################
iptables -A POST_INPUT_DROP_CHAIN -j DROP

# The HOST_BLOCK_DROP chain should always DROP
###########################################################
if [ "$BLOCKED_HOST_LOG" != "0" ]; then
iptables -A HOST_BLOCK_DROP -m limit --limit 1/m --limit-burst 1 -j LOG --log-level $LOGLEVEL --log-prefix "AIF:Blocked host(s): "
fi
iptables -A HOST_BLOCK_DROP -j DROP

# The LINK_LOCAL_DROP chain should always DROP
###########################################################
if [ "$IPV6_SUPPORT" = "1" ]; then
if [ "$LINK_LOCAL_DROP_LOG" != "0" ]; then
ip6tables -A LINK_LOCAL_DROP -m limit --limit 1/m --limit-burst 1 -j LOG --log-level $LOGLEVEL --log-prefix "AIF:Dropped Link-Local: "
fi
ip6tables -A LINK_LOCAL_DROP -j DROP
fi
}


##################################################################################################################
## Chain VALID_CHK - Check packets for invalid flags etc. ##
##################################################################################################################
setup_valid_chk_chain()
{
## Log scanning of nmap etc.
############################
if [ "$SCAN_LOG" != "0" ]; then
echo "Logging of stealth scans (nmap probes etc.) enabled"

# (NMAP) FIN/URG/PSH
####################
iptables -A VALID_CHK -p tcp --tcp-flags ALL FIN,URG,PSH \
-m limit --limit 3/m --limit-burst 5 -j LOG --log-level $LOGLEVEL --log-prefix "AIF:Stealth XMAS scan: "

# SYN/RST/ACK/FIN/URG
#####################
iptables -A VALID_CHK -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG \
-m limit --limit 3/m --limit-burst 5 -j LOG --log-level $LOGLEVEL --log-prefix "AIF:Stealth XMAS-PSH scan: "

# ALL/ALL
#########
iptables -A VALID_CHK -p tcp --tcp-flags ALL ALL \
-m limit --limit 3/m --limit-burst 5 -j LOG --log-level $LOGLEVEL --log-prefix "AIF:Stealth XMAS-ALL scan: "

# NMAP FIN Stealth
##################
iptables -A VALID_CHK -p tcp --tcp-flags ALL FIN \
-m limit --limit 3/m --limit-burst 5 -j LOG --log-level $LOGLEVEL --log-prefix "AIF:Stealth FIN scan: "

# SYN/RST
#########
iptables -A VALID_CHK -p tcp --tcp-flags SYN,RST SYN,RST \
-m limit --limit 3/m --limit-burst 5 -j LOG --log-level $LOGLEVEL --log-prefix "AIF:Stealth SYN/RST scan: "

# SYN/FIN (probably)
####################
iptables -A VALID_CHK -p tcp --tcp-flags SYN,FIN SYN,FIN \
-m limit --limit 3/m --limit-burst 5 -j LOG --log-level $LOGLEVEL --log-prefix "AIF:Stealth SYN/FIN scan?: "

# Null scan
###########
iptables -A VALID_CHK -p tcp --tcp-flags ALL NONE \
-m limit --limit 3/m --limit-burst 5 -j LOG --log-level $LOGLEVEL --log-prefix "AIF:Stealth Null scan: "

else
echo "Logging of stealth scans (nmap probes etc.) disabled"
fi

# Drop (NMAP) scan packets:
###########################

# NMAP FIN/URG/PSH
##################
iptables -A VALID_CHK -p tcp --tcp-flags ALL FIN,URG,PSH -j POST_INPUT_DROP_CHAIN

# SYN/RST/ACK/FIN/URG
#####################
iptables -A VALID_CHK -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j POST_INPUT_DROP_CHAIN

# ALL/ALL Scan
##############
iptables -A VALID_CHK -p tcp --tcp-flags ALL ALL -j POST_INPUT_DROP_CHAIN

# NMAP FIN Stealth
##################
iptables -A VALID_CHK -p tcp --tcp-flags ALL FIN -j POST_INPUT_DROP_CHAIN

# SYN/RST
#########
iptables -A VALID_CHK -p tcp --tcp-flags SYN,RST SYN,RST -j POST_INPUT_DROP_CHAIN

# SYN/FIN -- Scan(probably)
###########################
iptables -A VALID_CHK -p tcp --tcp-flags SYN,FIN SYN,FIN -j POST_INPUT_DROP_CHAIN

# NMAP Null Scan
################
iptables -A VALID_CHK -p tcp --tcp-flags ALL NONE -j POST_INPUT_DROP_CHAIN

# Log packets with bad flags?
#############################
if [ "$BAD_FLAGS_LOG" != "0" ]; then
echo "Logging of packets with bad TCP-flags enabled"
iptables -A VALID_CHK -p tcp --tcp-option 64 \
-m limit --limit 3/m --limit-burst 1 -j LOG --log-level $LOGLEVEL --log-prefix "AIF:Bad TCP flag(64): "

iptables -A VALID_CHK -p tcp --tcp-option 128 \
-m limit --limit 3/m --limit-burst 1 -j LOG --log-level $LOGLEVEL --log-prefix "AIF:Bad TCP flag(128): "
else
echo "Logging of packets with bad TCP-flags disabled"
fi

# Drop packets with bad tcp flags
#################################
iptables -A VALID_CHK -p tcp --tcp-option 64 -j POST_INPUT_DROP_CHAIN
iptables -A VALID_CHK -p tcp --tcp-option 128 -j POST_INPUT_DROP_CHAIN

# These packets normally come from "lost" connections and would generate false alarms,
# so we may want to ignore them
######################################################################################
# if [ "$LOST_CONNECTION_LOG" != "1" ]; then
# iptables -A VALID_CHK -p tcp --tcp-flags SYN,ACK,FIN,RST ACK -j POST_INPUT_DROP_CHAIN
# iptables -A VALID_CHK -p tcp --tcp-flags SYN,ACK,FIN,RST FIN -j POST_INPUT_DROP_CHAIN
# iptables -A VALID_CHK -p tcp --tcp-flags SYN,ACK,FIN,RST RST -j POST_INPUT_DROP_CHAIN
# iptables -A VALID_CHK -p tcp --tcp-flags SYN,ACK,FIN,RST ACK,FIN -j POST_INPUT_DROP_CHAIN
# iptables -A VALID_CHK -p tcp --tcp-flags SYN,ACK,FIN,RST ACK,RST -j POST_INPUT_DROP_CHAIN
# iptables -A VALID_CHK -p tcp --tcp-flags SYN,ACK,FIN,RST SYN,ACK -j POST_INPUT_DROP_CHAIN
# fi

# Here we add some protection against random packets we receive, such as sweeps from other
# (possibly compromised) computers, or packets that are invalid and belong to no known connection
###############################################################################################
if [ "$INVALID_TCP_LOG" = "1" ]; then
echo "Logging of INVALID TCP packets enabled"

iptables -A VALID_CHK -p tcp -m state --state INVALID \
-m limit --limit 1/m --limit-burst 2 -j LOG --log-level $LOGLEVEL --log-prefix "AIF:INVALID TCP: "
else
echo "Logging of INVALID TCP packets disabled"
fi

if [ "$INVALID_UDP_LOG" = "1" ]; then
echo "Logging of INVALID UDP packets enabled"

iptables -A VALID_CHK -p udp -m state --state INVALID \
-m limit --limit 1/m --limit-burst 2 -j LOG --log-level $LOGLEVEL --log-prefix "AIF:INVALID UDP: "
else
echo "Logging of INVALID UDP packets disabled"
fi

if [ "$INVALID_ICMP_LOG" = "1" ]; then
echo "Logging of INVALID ICMP packets enabled"

# Only log INVALID ICMP-request packets when we also want to log "normal" ICMP-request packets
if [ "$ICMP_REQUEST_LOG" != "0" ]; then
iptables -A VALID_CHK -p icmp --icmp-type echo-request -m state --state INVALID \
-m limit --limit 1/m --limit-burst 2 -j LOG --log-level $LOGLEVEL --log-prefix "AIF:INVALID ICMP-request: "
fi

# Only log INVALID ICMP-other when enabled in the config
if [ "$ICMP_OTHER_LOG" != "0" ]; then
iptables -A VALID_CHK -p icmp ! --icmp-type echo-request -m state --state INVALID \
-m limit --limit 1/m --limit-burst 2 -j LOG --log-level $LOGLEVEL --log-prefix "AIF:INVALID ICMP-other: "
fi
else
echo "Logging of INVALID ICMP packets disabled"
fi

# Drop invalid packets
######################
iptables -A VALID_CHK -m state --state INVALID -j POST_INPUT_DROP_CHAIN

# ip6tables has no "-f" (fragment) match: IPv6 routers never fragment in transit (only the
# sending host does, via the Fragment extension header), so the fragment rules here are IPv4-only
## Log fragmented packets
#########################
if [ "$FRAG_LOG" = "1" ]; then
echo "Logging of fragmented packets enabled"
ip4tables -A VALID_CHK -f -m limit --limit 3/m --limit-burst 1 -j LOG --log-prefix "AIF:Fragment packet: "
else
echo "Logging of IPv4 fragmented packets disabled"
fi

# Drop fragmented packets
#########################
ip4tables -A VALID_CHK -f -j DROP
}


################################################################################################################
## Chain RESERVED_NET_CHK - Check if the source addresses of the packets are (in)valid ##
################################################################################################################
setup_reserved_net_chk_chain()
{
# Log access from reserved addresses
####################################
if [ "$RESERVED_NET_LOG" = "1" ]; then
echo "Logging of access from reserved nets enabled"
ip4tables -A RESERVED_NET_CHK -s 10.0.0.0/8 \
-m limit --limit 1/m --limit-burst 1 -j LOG --log-level $LOGLEVEL --log-prefix "AIF:IPv4 Private address: "

ip4tables -A RESERVED_NET_CHK -s 172.16.0.0/12 \
-m limit --limit 1/m --limit-burst 1 -j LOG --log-level $LOGLEVEL --log-prefix "AIF:IPv4 Private address: "

ip4tables -A RESERVED_NET_CHK -s 192.168.0.0/16 \
-m limit --limit 1/m --limit-burst 1 -j LOG --log-level $LOGLEVEL --log-prefix "AIF:IPv4 Private address: "

ip4tables -A RESERVED_NET_CHK -s 169.254.0.0/16 \
-m limit --limit 1/m --limit-burst 1 -j LOG --log-level $LOGLEVEL --log-prefix "AIF:IPv4 Link-local address: "

ip4tables -A RESERVED_NET_CHK -s 224.0.0.0/24 \
-m limit --limit 1/m --limit-burst 1 -j LOG --log-level $LOGLEVEL --log-prefix "AIF:IPv4 Multicast address: "

ip4tables -A RESERVED_NET_CHK -s 239.0.0.0/24 \
-m limit --limit 1/m --limit-burst 1 -j LOG --log-level $LOGLEVEL --log-prefix "AIF:IPv4 Multicast address: "

if [ "$IPV6_SUPPORT" = "1" ]; then
# IPv6 not 2000::/3 is non-Global Unicast
ip6tables -A RESERVED_NET_CHK ! -s 2000::/3 \
-m limit --limit 1/m --limit-burst 1 -j LOG --log-level $LOGLEVEL --log-prefix "AIF:IPv6 non-Global address: "
fi
else
echo "Logging of access from reserved nets disabled"
fi

if [ "$RESERVED_NET_DROP" = "1" ]; then
# rp_filter drops some of these addresses, but just to be sure :)
################################################################
#echo "Denying access from reserved addresses..."
ip4tables -A RESERVED_NET_CHK -s 10.0.0.0/8 -j POST_INPUT_DROP_CHAIN
ip4tables -A RESERVED_NET_CHK -s 172.16.0.0/12 -j POST_INPUT_DROP_CHAIN
ip4tables -A RESERVED_NET_CHK -s 192.168.0.0/16 -j POST_INPUT_DROP_CHAIN
ip4tables -A RESERVED_NET_CHK -s 169.254.0.0/16 -j POST_INPUT_DROP_CHAIN
ip4tables -A RESERVED_NET_CHK -s 224.0.0.0/24 -j POST_INPUT_DROP_CHAIN
ip4tables -A RESERVED_NET_CHK -s 239.0.0.0/24 -j POST_INPUT_DROP_CHAIN

if [ "$IPV6_SUPPORT" = "1" ]; then
# IPv6 not 2000::/3 is non-Global Unicast
ip6tables -A RESERVED_NET_CHK ! -s 2000::/3 -j POST_INPUT_DROP_CHAIN
fi
fi
}


################################################################################################################
## Chain SPOOF_CHK - Check if the source address is not spoofed ##
################################################################################################################
setup_spoof_chk_chain()
{
# Anti-spoof protection for the internal net
if [ -n "$INT_IF" -a -n "$INTERNAL_NET" ]; then
if [ "$INTERNAL_NET_ANTISPOOF" != "0" ]; then
printf "Setting up antispoof for INTERNAL net(s): "
IFS=' ,'
for net in $INTERNAL_NET; do
printf "$net "
for interface in $INT_IF; do
# Any internal net is valid
iptables -A SPOOF_CHK -i $interface -s $net -j RETURN
done
iptables -A SPOOF_CHK -s $net -m limit --limit 3/m -j LOG --log-level $LOGLEVEL --log-prefix "AIF:Spoofed packet: "
iptables -A SPOOF_CHK -s $net -j POST_INPUT_DROP_CHAIN
done
echo ""
else
echo "Antispoof for INTERNAL net(s) DISABLED!"
fi
fi

# Anti-spoof protection for the DMZ net
if [ -n "$DMZ_IF" -a -n "$DMZ_NET" ]; then
if [ "$DMZ_NET_ANTISPOOF" != "0" ]; then
printf "Setting up antispoof for DMZ net(s): "
IFS=' ,'
for net in $DMZ_NET; do
printf "$net "
for interface in $DMZ_IF; do
# Any dmz net is valid
iptables -A SPOOF_CHK -i $interface -s $net -j RETURN
done
iptables -A SPOOF_CHK -s $net -m limit --limit 3/m -j LOG --log-level $LOGLEVEL --log-prefix "AIF:Spoofed packet: "
iptables -A SPOOF_CHK -s $net -j POST_INPUT_DROP_CHAIN
done
echo ""
else
echo "Antispoof for DMZ net(s) DISABLED!"
fi
fi

# Everything else is valid
iptables -A SPOOF_CHK -j RETURN
}


################################################################
# Setup rules to forward INET IPv6 and non-NAT'ed IPv4 traffic #
################################################################
setup_inet_forward_rules()
{
# TCP ports to ALLOW for certain INET hosts
#########################################
unset IFS
for rule in $INET_FORWARD_TCP; do
if parse_rule "$rule" INET_FORWARD_TCP "interfaces:EXT_IF-shosts-dhosts-ports:ANYPORT"; then

echo "$(show_if_ip "$interfaces")Forwarding(non-NAT) TCP port(s): $ports from $shosts(INET) to $dhosts"

IFS=' ,'
for shost in `ip_range "$shosts"`; do
for dhost in `ip_range "$dhosts"`; do
for port in $ports; do
for interface in $interfaces; do
iptables -A EXT_FORWARD_IN_CHAIN -i $interface ! -o $interface -s $shost -d $dhost -p tcp --dport $port -j ACCEPT
done
done
done
done
fi
done

# UDP ports to ALLOW for certain INET hosts
#########################################
unset IFS
for rule in $INET_FORWARD_UDP; do
if parse_rule "$rule" INET_FORWARD_UDP "interfaces:EXT_IF-shosts-dhosts-ports:ANYPORT"; then

echo "$(show_if_ip "$interfaces")Forwarding(non-NAT) UDP port(s): $ports from $shosts(INET) to $dhosts"

IFS=' ,'
for shost in `ip_range "$shosts"`; do
for dhost in `ip_range "$dhosts"`; do
for port in $ports; do
for interface in $interfaces; do
iptables -A EXT_FORWARD_IN_CHAIN -i $interface ! -o $interface -s $shost -d $dhost -p udp --dport $port -j ACCEPT
done
done
done
done
fi
done

# (Other) IP protocols to ALLOW for certain INET hosts
######################################################
unset IFS
for rule in $INET_FORWARD_IP; do
if parse_rule "$rule" INET_FORWARD_IP "interfaces:EXT_IF-shosts-dhosts-protos"; then

echo "$(show_if_ip "$interfaces")Forwarding(non-NAT) IP protocol(s): $protos from $shosts(INET) to $dhosts"

IFS=' ,'
for shost in `ip_range "$shosts"`; do
for dhost in `ip_range "$dhosts"`; do
for proto in $protos; do
for interface in $interfaces; do
iptables -A EXT_FORWARD_IN_CHAIN -i $interface ! -o $interface -s $shost -d $dhost -p $proto -j ACCEPT
done
done
done
done
fi
done
}


##################################################
# Setup chain for the DMZ input traffic #
##################################################
setup_dmz_input_chain()
{
# Add TCP ports to allow for certain hosts
##########################################
unset IFS
for rule in $DMZ_HOST_OPEN_TCP; do
if parse_rule "$rule" DMZ_HOST_OPEN_TCP "hosts-ports"; then

echo " Allowing $hosts(DMZ) for TCP port(s): $ports"

IFS=','
for host in `ip_range "$hosts"`; do
for port in $ports; do
iptables -A DMZ_INPUT_CHAIN -s $host -p tcp --dport $port -j ACCEPT
done
done
fi
done

# Add UDP ports to allow for certain hosts
##########################################
unset IFS
for rule in $DMZ_HOST_OPEN_UDP; do
if parse_rule "$rule" DMZ_HOST_OPEN_UDP "hosts-ports"; then

echo " Allowing $hosts(DMZ) for UDP port(s): $ports"

IFS=','
for host in `ip_range "$hosts"`; do
for port in $ports; do
iptables -A DMZ_INPUT_CHAIN -s $host -p udp --dport $port -j ACCEPT
done
done
fi
done

# Add IP protocols to allow for certain hosts
#############################################
unset IFS
for rule in $DMZ_HOST_OPEN_IP; do
if parse_rule "$rule" DMZ_HOST_OPEN_IP "hosts-protos"; then

echo " Allowing $hosts(DMZ) for IP protocol(s): $protos"

IFS=','
for host in `ip_range "$hosts"`; do
for proto in $protos; do
iptables -A DMZ_INPUT_CHAIN -s $host -p $proto -j ACCEPT
done
done
fi
done

# Adding TCP ports NOT to be firewalled
#######################################
if [ -n "$DMZ_OPEN_TCP" ]; then
echo " Allowing TCP port(s): $DMZ_OPEN_TCP"
IFS=' ,'
for port in $DMZ_OPEN_TCP; do
iptables -A DMZ_INPUT_CHAIN -p tcp --dport $port -j ACCEPT
done
fi

# Adding UDP ports NOT to be firewalled
#######################################
if [ -n "$DMZ_OPEN_UDP" ]; then
echo " Allowing UDP port(s): $DMZ_OPEN_UDP"
IFS=' ,'
for port in $DMZ_OPEN_UDP; do
iptables -A DMZ_INPUT_CHAIN -p udp --dport $port -j ACCEPT
done
fi

# Adding IP protocols NOT to be firewalled
##########################################
if [ -n "$DMZ_OPEN_IP" ]; then
echo " Allowing IP protocol(s): $DMZ_OPEN_IP"
IFS=' ,'
for proto in $DMZ_OPEN_IP; do
iptables -A DMZ_INPUT_CHAIN -p $proto -j ACCEPT
done
fi

# Allow ICMP echo-requests (ping) into the DMZ?
################################################
if [ "$DMZ_OPEN_ICMP" != "0" ]; then
echo " Allowing ICMP-requests(ping)"
iptables -A DMZ_INPUT_CHAIN -p icmp --icmp-type echo-request -m limit --limit 20/second --limit-burst 100 -j ACCEPT
if [ "$IPV6_SUPPORT" = "1" ]; then
unset IFS
for icmpv6_type in $ICMPV6_SPECIAL_TYPES; do
ip6tables -A DMZ_INPUT_CHAIN -p icmpv6 --icmpv6-type $icmpv6_type -m hl --hl-eq 255 -j ACCEPT
done
fi
fi

# Log incoming ICMP-request packets?
####################################
if [ "$ICMP_REQUEST_LOG" != "0" ]; then
iptables -A DMZ_INPUT_CHAIN -p icmp --icmp-type echo-request \
-m limit --limit 3/m --limit-burst 1 -j LOG --log-level $LOGLEVEL --log-prefix "AIF:ICMP-request: "
fi

# Drop the remaining ICMP echo-requests
iptables -A DMZ_INPUT_CHAIN -p icmp --icmp-type echo-request -j DROP

# Log everything else
if [ "$DMZ_INPUT_DENY_LOG" != "0" ]; then
iptables -A DMZ_INPUT_CHAIN -m limit --limit 3/m -j LOG --log-level $LOGLEVEL --log-prefix "AIF:DMZ-INPUT denied: "
fi

# Everything else is denied
iptables -A DMZ_INPUT_CHAIN -j DROP
}


##################################################
# Setup chain for the DMZ-to-LAN forward traffic #
##################################################
setup_dmz_lan_forward_chain()
{
echo " Setting up DMZ->LAN policy"

# TCP ports to ALLOW for certain DMZ hosts
##########################################
unset IFS
for rule in $DMZ_LAN_HOST_OPEN_TCP; do
if parse_rule "$rule" DMZ_LAN_HOST_OPEN_TCP "shosts:ANYHOST-dhosts-ports:ANYPORT"; then

echo " Allowing $shosts(DMZ) to $dhosts(LAN) for TCP port(s): $ports"

IFS=','
for shost in `ip_range "$shosts"`; do
for dhost in `ip_range "$dhosts"`; do
for port in $ports; do
iptables -A DMZ_LAN_FORWARD_CHAIN -s $shost -d $dhost -p tcp --dport $port -j ACCEPT
done
done
done
fi
done

# UDP ports to ALLOW for certain DMZ hosts
##########################################
unset IFS
for rule in $DMZ_LAN_HOST_OPEN_UDP; do
if parse_rule "$rule" DMZ_LAN_HOST_OPEN_UDP "shosts:ANYHOST-dhosts-ports:ANYPORT"; then

echo " Allowing $shosts(DMZ) to $dhosts(LAN) for UDP port(s): $ports"

IFS=','
for shost in `ip_range "$shosts"`; do
for dhost in `ip_range "$dhosts"`; do
for port in $ports; do
iptables -A DMZ_LAN_FORWARD_CHAIN -s $shost -d $dhost -p udp --dport $port -j ACCEPT
done
done
done
fi
done

# IP protocol(s) to ALLOW for certain DMZ hosts
###############################################
unset IFS
for rule in $DMZ_LAN_HOST_OPEN_IP; do
if parse_rule "$rule" DMZ_LAN_HOST_OPEN_IP "shosts:ANYHOST-dhosts-protos"; then

echo " Allowing $shosts(DMZ) to $dhosts(LAN) for IP protocol(s): $protos"

IFS=','
for shost in `ip_range "$shosts"`; do
for dhost in `ip_range "$dhosts"`; do
for proto in $protos; do
iptables -A DMZ_LAN_FORWARD_CHAIN -s $shost -d $dhost -p $proto -j ACCEPT
done
done
done
fi
done

# Allow ICMP-requests(ping) for DMZ->LAN?
##########################################
if [ "$DMZ_LAN_OPEN_ICMP" = "1" ]; then
echo " Allowing ICMP-requests(ping)"
iptables -A DMZ_LAN_FORWARD_CHAIN -p icmp --icmp-type echo-request \
-m limit --limit 20/second --limit-burst 100 -j ACCEPT
fi

# Log incoming ICMP-request packets?
####################################
if [ "$ICMP_REQUEST_LOG" != "0" ]; then
iptables -A DMZ_LAN_FORWARD_CHAIN -p icmp --icmp-type echo-request \
-m limit --limit 3/m --limit-burst 1 -j LOG --log-level $LOGLEVEL --log-prefix "AIF:ICMP-request: "
fi

# Drop the remaining ICMP echo-requests
iptables -A DMZ_LAN_FORWARD_CHAIN -p icmp --icmp-type echo-request -j DROP

# Log everything else
if [ "$DMZ_OUTPUT_DENY_LOG" != "0" ]; then
iptables -A DMZ_LAN_FORWARD_CHAIN -m limit --limit 3/m -j LOG --log-level $LOGLEVEL --log-prefix "AIF:DMZ->LAN denied: "
fi

# Everything else is denied
iptables -A DMZ_LAN_FORWARD_CHAIN -j DROP
}


###################################################
# Setup chain for the INET-to-DMZ forward traffic #
###################################################
setup_inet_dmz_forward_chain()
{
echo " Setting up INET->DMZ policy"

# TCP ports to ALLOW for certain INET hosts
#########################################
unset IFS
for rule in $INET_DMZ_HOST_OPEN_TCP; do
if parse_rule "$rule" INET_DMZ_HOST_OPEN_TCP "interfaces-shosts-dhosts-ports:ANYPORT"; then

echo " $(show_if_ip "$interfaces")Allowing $shosts(INET) to $dhosts(DMZ) for TCP port(s): $ports"

IFS=','
for shost in `ip_range "$shosts"`; do
for dhost in `ip_range "$dhosts"`; do
for port in $ports; do
for interface in $interfaces; do
iptables -A INET_DMZ_FORWARD_CHAIN -i $interface -s $shost -d $dhost -p tcp --dport $port -j ACCEPT
done
done
done
done
fi
done

# UDP ports to ALLOW for certain INET hosts
#########################################
unset IFS
for rule in $INET_DMZ_HOST_OPEN_UDP; do
if parse_rule "$rule" INET_DMZ_HOST_OPEN_UDP "interfaces-shosts-dhosts-ports:ANYPORT"; then

echo " $(show_if_ip "$interfaces")Allowing $shosts(INET) to $dhosts(DMZ) for UDP port(s): $ports"

IFS=','
for shost in `ip_range "$shosts"`; do
for dhost in `ip_range "$dhosts"`; do
for port in $ports; do
for interface in $interfaces; do
iptables -A INET_DMZ_FORWARD_CHAIN -i $interface -s $shost -d $dhost -p udp --dport $port -j ACCEPT
done
done
done
done
fi
done

# (Other) IP protocols to ALLOW for certain INET hosts
######################################################
unset IFS
for rule in $INET_DMZ_HOST_OPEN_IP; do
if parse_rule "$rule" INET_DMZ_HOST_OPEN_IP "interfaces-shosts-dhosts-protos"; then

echo " $(show_if_ip "$interfaces")Allowing $shosts(INET) to $dhosts(DMZ) for IP protocol(s): $protos"

IFS=','
for shost in `ip_range "$shosts"`; do
for dhost in `ip_range "$dhosts"`; do
for proto in $protos; do
for interface in $interfaces; do
iptables -A INET_DMZ_FORWARD_CHAIN -i $interface -s $shost -d $dhost -p $proto -j ACCEPT
done
done
done
done
fi
done


# TCP ports to DENY for certain INET hosts
#########################################
unset IFS
for rule in $INET_DMZ_HOST_DENY_TCP; do
if parse_rule "$rule" INET_DMZ_HOST_DENY_TCP "interfaces-shosts:ANYHOST-dhosts-ports:ANYPORT"; then

echo " $(show_if_ip "$interfaces")Denying $shosts(INET) to $dhosts(DMZ) for TCP port(s): $ports"

IFS=','
for shost in `ip_range "$shosts"`; do
for dhost in `ip_range "$dhosts"`; do
for port in $ports; do
for interface in $interfaces; do
if [ "$DMZ_INPUT_DENY_LOG" != "0" ]; then
iptables -A INET_DMZ_FORWARD_CHAIN -i $interface -s $shost -d $dhost -p tcp --dport $port \
-m limit --limit 1/h --limit-burst 1 -j LOG --log-level $LOGLEVEL --log-prefix "AIF:Host INET->DMZ denied: "
fi
iptables -A INET_DMZ_FORWARD_CHAIN -i $interface -s $shost -d $dhost -p tcp --dport $port -j DROP
done
done
done
done
fi
done

# UDP ports to DENY for certain INET hosts
#########################################
unset IFS
for rule in $INET_DMZ_HOST_DENY_UDP; do
if parse_rule "$rule" INET_DMZ_HOST_DENY_UDP "interfaces-shosts:ANYHOST-dhosts-ports:ANYPORT"; then

echo " $(show_if_ip "$interfaces")Denying $shosts(INET) to $dhosts(DMZ) for UDP port(s): $ports"

IFS=','
for shost in `ip_range "$shosts"`; do
for dhost in `ip_range "$dhosts"`; do
for port in $ports; do
for interface in $interfaces; do
if [ "$DMZ_INPUT_DENY_LOG" != "0" ]; then
iptables -A INET_DMZ_FORWARD_CHAIN -i $interface -s $shost -d $dhost -p udp --dport $port \
-m limit --limit 1/h --limit-burst 1 -j LOG --log-level $LOGLEVEL --log-prefix "AIF:Host INET->DMZ denied: "
fi
iptables -A INET_DMZ_FORWARD_CHAIN -i $interface -s $shost -d $dhost -p udp --dport $port -j DROP
done
done
done
done
fi
done

# (Other) IP protocols to DENY for certain INET hosts
#####################################################
unset IFS
for rule in $INET_DMZ_HOST_DENY_IP; do
if parse_rule "$rule" INET_DMZ_HOST_DENY_IP "interfaces-shosts:ANYHOST-dhosts-protos"; then

echo " $(show_if_ip "$interfaces")Denying $shosts(INET) to $dhosts(DMZ) for IP protocol(s): $protos"

IFS=','
for shost in `ip_range "$shosts"`; do
for dhost in `ip_range "$dhosts"`; do
for proto in $protos; do
for interface in $interfaces; do
if [ "$DMZ_INPUT_DENY_LOG" != "0" ]; then
iptables -A INET_DMZ_FORWARD_CHAIN -i $interface -s $shost -d $dhost -p $proto \
-m limit --limit 1/h --limit-burst 1 -j LOG --log-level $LOGLEVEL --log-prefix "AIF:Host INET->DMZ denied: "
fi
iptables -A INET_DMZ_FORWARD_CHAIN -i $interface -s $shost -d $dhost -p $proto -j DROP
done
done
done
done
fi
done

# Allow only certain TCP ports to be used from the INET->DMZ?
#############################################################
unset IFS
for rule in $INET_DMZ_OPEN_TCP; do
if parse_rule "$rule" INET_DMZ_OPEN_TCP "interfaces-destips-ports"; then

echo " $(show_if_ip "$interfaces" "$destips")Allowing TCP port(s): $ports"

IFS=','
for port in $ports; do
for destip in $destips; do
for interface in $interfaces; do
iptables -A INET_DMZ_FORWARD_CHAIN -i $interface -d $destip -p tcp --dport $port -j ACCEPT
done
done
done
fi
done

# Allow only certain UDP ports to be used from the INET->DMZ?
#############################################################
unset IFS
for rule in $INET_DMZ_OPEN_UDP; do
if parse_rule "$rule" INET_DMZ_OPEN_UDP "interfaces-destips-ports"; then

echo " $(show_if_ip "$interfaces" "$destips")Allowing UDP port(s): $ports"

IFS=','
for port in $ports; do
for destip in $destips; do
for interface in $interfaces; do
iptables -A INET_DMZ_FORWARD_CHAIN -i $interface -d $destip -p udp --dport $port -j ACCEPT
done
done
done
fi
done

# Allow only certain IP protocols to be used from the INET->DMZ?
################################################################
unset IFS
for rule in $INET_DMZ_OPEN_IP; do
if parse_rule "$rule" INET_DMZ_OPEN_IP "interfaces-destips-protos"; then

echo " $(show_if_ip "$interfaces" "$destips")Allowing IP protocol(s): $protos"

IFS=','
for proto in $protos; do
for destip in $destips; do
for interface in $interfaces; do
iptables -A INET_DMZ_FORWARD_CHAIN -i $interface -d $destip -p $proto -j ACCEPT
done
done
done
fi
done

# Allow ICMP-requests(ping) for INET->DMZ?
##########################################
if [ "$INET_DMZ_OPEN_ICMP" = "1" ]; then
echo " Allowing ICMP-requests(ping)"
iptables -A INET_DMZ_FORWARD_CHAIN -p icmp --icmp-type echo-request \
-m limit --limit 20/second --limit-burst 100 -j ACCEPT
fi

# TCP ports to DENY for INET->DMZ
#################################
unset IFS
for rule in $INET_DMZ_DENY_TCP; do
if parse_rule "$rule" INET_DMZ_DENY_TCP "interfaces-destips-ports"; then

echo " $(show_if_ip "$interfaces" "$destips")Denying TCP port(s): $ports"

IFS=','
for port in $ports; do
for destip in $destips; do
for interface in $interfaces; do
if [ "$DMZ_INPUT_DENY_LOG" != "0" ]; then
iptables -A INET_DMZ_FORWARD_CHAIN -i $interface -d $destip -p tcp --dport $port -m limit \
--limit 1/s --limit-burst 1 -j LOG --log-level $LOGLEVEL --log-prefix "AIF:INET->DMZ denied: "
fi
iptables -A INET_DMZ_FORWARD_CHAIN -i $interface -d $destip -p tcp --dport $port -j DROP
done
done
done
fi
done

# UDP ports to DENY for INET->DMZ
#################################
unset IFS
for rule in $INET_DMZ_DENY_UDP; do
if parse_rule "$rule" INET_DMZ_DENY_UDP "interfaces-destips-ports"; then

echo " $(show_if_ip "$interfaces" "$destips")Denying UDP port(s): $ports"

IFS=','
for port in $ports; do
for destip in $destips; do
for interface in $interfaces; do
if [ "$DMZ_INPUT_DENY_LOG" != "0" ]; then
iptables -A INET_DMZ_FORWARD_CHAIN -i $interface -d $destip -p udp --dport $port -m limit \
--limit 1/s --limit-burst 1 -j LOG --log-level $LOGLEVEL --log-prefix "AIF:INET->DMZ denied: "
fi
iptables -A INET_DMZ_FORWARD_CHAIN -i $interface -d $destip -p udp --dport $port -j DROP
done
done
done
fi
done

# IP protocols to DENY for INET->DMZ
####################################
unset IFS
for rule in $INET_DMZ_DENY_IP; do
if parse_rule "$rule" INET_DMZ_DENY_IP "interfaces-destips-protos"; then

echo " $(show_if_ip "$interfaces" "$destips")Denying IP protocol(s): $protos"

IFS=','
for proto in $protos; do
for destip in $destips; do
for interface in $interfaces; do
if [ "$DMZ_INPUT_DENY_LOG" != "0" ]; then
iptables -A INET_DMZ_FORWARD_CHAIN -i $interface -d $destip -p $proto -m limit \
--limit 1/s --limit-burst 1 -j LOG --log-level $LOGLEVEL --log-prefix "AIF:INET->DMZ denied: "
fi
iptables -A INET_DMZ_FORWARD_CHAIN -i $interface -d $destip -p $proto -j DROP
done
done
done
fi
done

# Log incoming ICMP-request packets?
####################################
if [ "$ICMP_REQUEST_LOG" != "0" ]; then
iptables -A INET_DMZ_FORWARD_CHAIN -p icmp --icmp-type echo-request \

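The VALID_CHK chain above hinges on one match: `-p tcp --tcp-flags MASK COMP` succeeds when (packet flags AND MASK) equals COMP, so bits outside MASK are never examined. That is why `--tcp-flags ALL FIN` only hits a bare FIN and lets a normal FIN,ACK through, while `--tcp-flags SYN,RST SYN,RST` also fires on SYN,RST,ACK. The following POSIX sh script is an added example, not part of the posted script or of the arno-iptables-firewall project: it reimplements that test on the six flag bits and walks the seven stealth-scan rules in chain order over a constructed list of flag combinations (a normal handshake and teardown, then the nmap -sX/-sF/-sN probe shapes). Function names and the sample list are this example's own; it models only the flag rules, not the conntrack INVALID checks that follow them in the chain.

```shell
#!/bin/sh
# Bit values of the six TCP flags that `--tcp-flags` understands (names as iptables spells them).
FIN=1; SYN=2; RST=4; PSH=8; ACK=16; URG=32
ALL=63; NONE=0

# flags_to_int "FIN,URG,PSH" -> 41. Also accepts the keywords ALL and NONE.
flags_to_int() {
  _sum=0
  _old_ifs=$IFS; IFS=','
  for _f in $1; do
    case $_f in
      ALL)  _sum=$ALL ;;
      NONE) ;;
      FIN)  _sum=$(( _sum | FIN )) ;;
      SYN)  _sum=$(( _sum | SYN )) ;;
      RST)  _sum=$(( _sum | RST )) ;;
      PSH)  _sum=$(( _sum | PSH )) ;;
      ACK)  _sum=$(( _sum | ACK )) ;;
      URG)  _sum=$(( _sum | URG )) ;;
      *)    IFS=$_old_ifs; return 1 ;;
    esac
  done
  IFS=$_old_ifs
  echo "$_sum"
}

# tcp_flags_match MASK COMP PKT : succeeds when (PKT & MASK) == COMP, which is exactly what
# `-p tcp --tcp-flags MASK COMP` tests. Flag bits outside MASK are never examined.
tcp_flags_match() {
  _m=$(flags_to_int "$1") || return 2
  _c=$(flags_to_int "$2") || return 2
  _p=$(flags_to_int "$3") || return 2
  [ $(( _p & _m )) -eq "$_c" ]
}

# classify_scan PKT : walks the seven stealth-scan rules of VALID_CHK in chain order and prints
# the log prefix of the first rule that matches, or "pass" when the packet reaches the rest of
# the chain untouched.
classify_scan() {
  if tcp_flags_match ALL FIN,URG,PSH "$1";         then echo "AIF:Stealth XMAS scan";     return 0; fi
  if tcp_flags_match ALL SYN,RST,ACK,FIN,URG "$1"; then echo "AIF:Stealth XMAS-PSH scan"; return 0; fi
  if tcp_flags_match ALL ALL "$1";                 then echo "AIF:Stealth XMAS-ALL scan"; return 0; fi
  if tcp_flags_match ALL FIN "$1";                 then echo "AIF:Stealth FIN scan";      return 0; fi
  if tcp_flags_match SYN,RST SYN,RST "$1";         then echo "AIF:Stealth SYN/RST scan";  return 0; fi
  if tcp_flags_match SYN,FIN SYN,FIN "$1";         then echo "AIF:Stealth SYN/FIN scan?"; return 0; fi
  if tcp_flags_match ALL NONE "$1";                then echo "AIF:Stealth Null scan";     return 0; fi
  echo pass
}

# Constructed sample (this example's own): flag sets seen in a normal TCP exchange, then the
# classic nmap probe shapes (-sX, -sF, -sN) plus SYN/FIN and SYN/RST combinations no real
# stack emits.
SAMPLE='SYN SYN,ACK ACK PSH,ACK FIN,ACK RST,ACK FIN,URG,PSH FIN NONE SYN,FIN SYN,RST,ACK ALL'

demo() {
  for _pkt in $SAMPLE; do
    printf '%-18s %s\n' "$_pkt" "$(classify_scan "$_pkt")"
  done
}

demo
```

Run it as-is to see which combinations would be logged with which AIF prefix; to check a rule you are thinking of adding, call `tcp_flags_match MASK COMP FLAGS` with the same arguments you would hand to iptables.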

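RESERVED_NET_CHK and SPOOF_CHK both reduce to prefix tests: `-s NET/PREFIX` matches a source when (address AND netmask) equals (network AND netmask), and SPOOF_CHK additionally asks on which interface the packet arrived. As an added example that is not part of the posted script or of the arno-iptables-firewall project, the POSIX sh script below implements that CIDR test with shell arithmetic and replays both chains over constructed addresses. The prefixes and log labels are copied from the script as written, so note that its multicast entries are 224.0.0.0/24 and 239.0.0.0/24 rather than the whole 224.0.0.0/4: an address such as 224.0.1.1 passes this chain untouched. INT_IF=eth1 and INTERNAL_NET=192.168.1.0/24 are this example's assumptions standing in for the firewall's configuration; function names are the example's own.

```shell
#!/bin/sh
# Dotted-quad IPv4 address -> 32-bit integer (plain POSIX sh arithmetic, no external tools).
ip4_to_int() {
  _old_ifs=$IFS; IFS='.'
  set -- $1
  IFS=$_old_ifs
  [ $# -eq 4 ] || return 1
  echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# in_cidr ADDR NET[/PREFIX] : succeeds when ADDR lies inside NET/PREFIX, which is the test that
# `-s NET/PREFIX` performs. A bare address means /32.
in_cidr() {
  _addr=$(ip4_to_int "$1") || return 2
  case $2 in
    */*) _net_str=${2%/*}; _plen=${2#*/} ;;
    *)   _net_str=$2;      _plen=32 ;;
  esac
  _net=$(ip4_to_int "$_net_str") || return 2
  if [ "$_plen" -eq 0 ]; then
    _mask=0
  else
    _mask=$(( (4294967295 << (32 - _plen)) & 4294967295 ))
  fi
  [ $(( _addr & _mask )) -eq $(( _net & _mask )) ]
}

# Prefixes and labels of RESERVED_NET_CHK, in chain order, copied from the script as written.
RESERVED_V4='10.0.0.0/8:Private 172.16.0.0/12:Private 192.168.0.0/16:Private 169.254.0.0/16:Link-local 224.0.0.0/24:Multicast 239.0.0.0/24:Multicast'

# reserved_net_chk SRC : prints the AIF log label the chain would emit before handing the packet
# to POST_INPUT_DROP_CHAIN, or RETURN when no entry matches.
reserved_net_chk() {
  for _entry in $RESERVED_V4; do
    if in_cidr "$1" "${_entry%%:*}"; then
      echo "AIF:IPv4 ${_entry#*:} address"
      return 0
    fi
  done
  echo RETURN
}

# Example assumptions standing in for the firewall configuration (not from the page).
INT_IF="eth1"
INTERNAL_NET="192.168.1.0/24"

# spoof_chk IN_IF SRC : the SPOOF_CHK logic. A source inside INTERNAL_NET is legitimate only when
# the packet entered on one of INT_IF; on any other interface it is logged as spoofed and dropped.
# Sources outside the internal nets fall through to the final RETURN.
spoof_chk() {
  for _net in $INTERNAL_NET; do
    if in_cidr "$2" "$_net"; then
      for _if in $INT_IF; do
        if [ "$1" = "$_if" ]; then echo RETURN; return 0; fi
      done
      echo "AIF:Spoofed packet"
      return 0
    fi
  done
  echo RETURN
}

demo() {
  # Constructed sources: private, edge of 172.16/12, just outside it, link-local, two multicast
  # addresses (one inside the script's /24, one outside), and an ordinary public address.
  for _src in 10.1.2.3 172.31.255.254 172.32.0.1 169.254.10.1 224.0.0.5 224.0.1.1 198.51.100.9; do
    printf 'RESERVED_NET_CHK %-16s %s\n' "$_src" "$(reserved_net_chk "$_src")"
  done
  for _pair in eth1:192.168.1.10 eth0:192.168.1.10 eth0:203.0.113.7; do
    printf 'SPOOF_CHK %-5s %-16s %s\n' "${_pair%%:*}" "${_pair#*:}" "$(spoof_chk "${_pair%%:*}" "${_pair#*:}")"
  done
}

demo
```

If you want the whole multicast range treated as reserved, change the two multicast entries to a single 224.0.0.0/4 in both the script and this table; the example keeps the script's prefixes so its output matches what the chain actually does.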
11. Re: script basico iptables

Profile removed
removido

(uses None)

Sent on 26/05/2017 - 23:07h


Afterwards, test with:

https://www.vivaolinux.com.br/artigo/Knockd-bate-bate-bate-na-porta-do-ceu/

Let's see whether this tip and this firewall script really work.

knockd can be used to open holes in a firewall.






