Make your own free website on Tripod.com

How to Turn a 486 66MHz Computer into a Red Hat Linux Firewall NAT Machine

This mini-HOWTO describes how I turned my old 486 66MHZ computer into a firewall and NAT machine.

I have given all the computers on my LAN access to the Internet through an old 486 66MHz computer that I have set up to run a firewall and Network Address Translation (NAT).

In the Linux community, firewall and NAT have been a common item. They typically go by the names firewall and IP masquerading. What we are doing is using the ipchains built into the Linux kernel to create a firewall to protect your computer(s) from marauders on the Internet. We are also using ipchains to do Network Address Translation (NAT).

When the ipchains script is set to forward traffic from the LAN to the Internet and vice versa, the rest of the Internet thinks you have a single machine. The NAT capabilities of ipchains allows you to masquerade as many machines as your firewall machine can reasonably handle. If you have an office with 100 computers that need simple email and world wide web connectivity then you could use a 486 or early Pentium to give them all access on one high speed Internet account. How you service 100 email accounts for your staff I will leave for another mini-HOWTO. You could read other HOWTO's and figure it out yourself instead, that is the great flexibility of Linux.

1. The firewall machine

Here are the specifications of my firewall machine:

 	Compaq Prolinea MT 4/66
 	486 66MHz
 	32 MB RAM
 	330 MB HDD
 	4x CDROM
 	Floppy
 	AOpen ALN-101 ISA 10baseT (x2)
 
 

The most important parts (other than a working computer) are the two ethernet cards (ALN-101). The ALN-101 10baseT ethernet cards are NE clones and use the ne.o driver. I have included all of the NAT specific hardware configuration at the end of this document in Appendix A.

I have also installed the same system on a 386 33MHz computer that has 16MB RAM and a 150MB HDD. It works without any noticeable speed difference compared to the 486 66MHz.

I will call the firewall machine bilbo and the computers on the LAN frodo, merry and pippin.

On bilbo, I used a base install of Red Hat Linux 6.2 with the "Networked Workstation" option also selected. To achieve this, I did a fresh install from the CD. When the option came to select Install Gnome, KDE, Server, or Custom I selected Custom.

2. Installing Red Hat Linux 6.2

The first few install settings are keyboard, language, ... (add more later).

The next few options are fairly straight forward (if you have installed Red Hat Linux many time before). When asked to partition your hard drive you need to make at least two partitions, a swap partition and at least one other partition to hold all of your applications and data. If you hard drive has one partition or more partitions than you will want then you will need to delete them and create new ones. If you have no partitions then you will need to create them.

I will use the 330MB HDD as the basis of the partitioning steps but substitute your HDD size and everything should work out (within reason; it will not be easy to install Red Hat Linux 6.2 on a HDD that is smaller that 100MB. The simplest partitioning scheme, that will work for the firewall system, will have a a swap and a system partition.

Red Hat provides Disk Druid to manipulate partitions and it has an easy to use GUI. Click the Add button and a dialog pops up to allow you to select the size of the partition. Add a 32MB partition and set it to be the swap under the "Partition Type" menu. Now add the second partition with the "Grow to fill disk?" option selected and under "Mount Point" select / (the root partition will be mounted here). Disk Druid likes to juggle partitions around so it doesn't matter in which order you select them. If you want absolute and potentially confusing control over where your partitions go use fdisk (you select fdisk with a check box on the previous menu, the "Install" menu).

You will then be asked to choose which partitions to format and whether you want to check for bad blocks. (add more later)

The next menu lets you decide where to install lilo (add more later).

The next menu lets you configure the networking on your system. You could enter the relevant LAN configuration here but I will be adding it manually after the install is complete.

The next menu gets you to configure the time zone information by having you choose which time zone you are in.

You then have to enter the password for the root user and are able to create user accounts. Create at least one user account. For security reasons you do not want to allow remote login to bilbo (or any machine) from a network connection. The default is to not give root network login.

When you are prompted with the authentification menu, make sure that MD5 and shadow passwords are selected. Also make sure that NIS is not selected. NIS has too many security problems to allow it on bilbo.

Now we can select the packages to install. De-select all of the packages. Select the Networked Workstation only. Also select the "Select individual packages" check box.

The next menu will allow us to see most of the rpm packages that can be installed with Red Hat Linux. The base packages are not shown since the system will not run without them. You should now deselect any packages that are not needed for the firewall. Remove the lpr, ghostscript, all fonts, XFree86-xfs, XFree86-lib, libpng, chkfontpath, rhs-printfilters, yp, nfs, etc.

The installation will tell you if there are any unresolved dependencies for the packages being installed. It is easiest if you allow them to be installed, but make a note of them and the packages that required them.

Since we did not install XFree86 we will not be presented with the X configuration menu.

The next menu is the "Are you really sure you want to do this" menu. If you have not deleted, created or formatted any partitions in the previous steps, you can cancel your installation without making any changes to the computer. You can abort the installation by giving one of the following three-finger salutes: CTRL-ALT-DEL if you are installing in text mode and CTRL-ALT-BKSP if you are installing in GUI mode.

If you did delete, create or format partitions then your system has been irreversibly changed (unless you are a real "low level guru") and so you should just select next and let the system install the packages.

The next menu will show you the progress of the installation. You will be able to see the progress of the whole installation as well as the installation of each package. This will take between ten minutes and one hour depending on the processor speed, the speed of your CDROM and the number of packages you are installing.

After the package installation is complete, you will be prompted to insert a blank floppy to create a boot diskette. You can use a floppy with data on it but the data will be erased. I recommend that you make a boot disk now rather than later. It is not too difficult to make a boot disk but it does take quite a bit of time hunt down and digest the information to create a boot floppy.

The last menu you will see congratulates you, gives you a web site to check for errata (http://www.redhat.com/errata) and tells you to reboot the system by clicking on exit. Take the new boot floppy out before the machine reboots. This allows you to see if lilo installed on the hard drive correctly.

3. Post installation configuration

The post installation configuration includes

 	- basic security configuration
 	- installing OpenSSH for communication
 	- configure the network cards
 	- install the firewall
 	- removing unwanted packages
 	- turning off unwanted services
 
 

Basic Security Configuration

There are a few changes that need to be made before the system can be considered moderately secure.

 	- remove all remote access as root
 	- remove all general access to su (only specific users allowed)
 	- remove unnecessary user and groups
 
 

Where root can log on to your machine from is controlled in the /etc/securetty file. The default is access from local terminals (ttyx) only, no remote access. Do not add any pseudoterminals (ttyp).

Give only selected user access to su. This is done by including them in the "wheel" group in the /etc/group file and then making su only accessible to members of group wheel.

In /etc/group change

 	wheel:x:10:root
 to
 	wheel:x:10:root,fred,wilma
 
 

Change the group that su belongs to from root to wheel

 	chgrp wheel /bin/su
 
 

and run the following command on su

 	chmod 4750 /bin/su
 
 

This changes the access permission bits of su to set the user ID. It also gives root read/write/exectute (rwx) permission and group wheel members rx permission.

The /etc/passwd file contains many users that are not needed on bilbo so they should have their shell set to /bin/false or be removed. An example of a minimal passwd file is

 	root:x:0:0:root:/root:/bin/bash
 	bin:x:1:1:bin:/bin:/bin/false
 	adm:x:3:4:adm:/var/adm:/bin/false
 	sync:x:5:0:sync:/sbin:/bin/sync
 	shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
 	halt:x:7:0:halt:/sbin:/sbin/halt
 	mail:x:8:12:mail:/var/spool/mail:/bin/false
 	nobody:x:99:99:Nobody:/:/bin/false
 
 

Make a copy of the password file before you make these changes. If you have some problems you can always copy the original back.

Install OpenSSH

It is easiest to install OpenSSH from the rpms so that is what I did. Go to the OpenSSH web site at http://www.openssh.com/portable.html to download the files you will need. You will need the client, the server and the basic packages as well as the OpenSSL package.

 	openssh-2.1.0p3-1.i386.rpm
 	openssh-clients-2.1.0p3-1.i386.rpm
 	openssh-server-2.1.0p3-1.i386.rpm
 	openssl-0.9.5a-1.i386.rpm
 
 

Install the packages using the rpm -Uvh command line

 	rpm -Uvh openssh-2.1.0p3-1.i386.rpm \
 	 openssh-clients-2.1.0p3-1.i386.rpm \
 	  openssh-server-2.1.0p3-1.i386.rpm \
 	   openssl-0.9.5a-1.i386.rpm
 
 

Remember that the backslash (\) is the line continuation operator and that bash sees this as one long line. Now log in as root and configure ssh for use in your LAN.

Configuring the ssh server daemon: In the /etc/ssh/sshd_config file change "PermitRootLogin yes" to no; include "Protocol 2,1" to make ssh2 the default protocol; make sure X11Forwarding is set to no.

Configuring the ssh client: In the /etc/ssh/ssh_config file use

 	Host *
         	ForwardAgent no
         	ForwardX11 no
         	FallBackToRsh no
         	Protocol 2,1
 
 

This will allow you to log on to bilbo over the network with a regular user account. On your other computers in the LAN the settings can be the same or you can change X11Forwarding to yes. This will allow you to run GUI programs remotely via ssh tunneling of the X11 protocols.

Configure the network cards

The network cards have to be manually configured since they are ISA. The

In /etc/modules.conf you should have

 	alias eth0 ne
 	alias eth1 ne
 	options ne io=0x260,0x280 irq=11,10
 
 

This tells the kernel's module loader to load the ne driver for both ethernet cards using their appropriate IO and IRQ numbers. The following information also has to be entered in the the ifcfg-eth0 and ifcfg-eth1 files in the /etc/sysconfig/network-scripts/ directory

 	#file: /etc/sysconfig/network-scripts/ifcfg-eth0 
 	DEVICE="eth0"
 	IPADDR="192.168.1.1"
 	BOOTPROTO="none"
 	NETWORK="192.168.1.0"
 	ONBOOT="yes"
 	BROADCAST="192.168.1.255"
 
 

This tells the system that ethernet card 0 will have the IP address 192.168.1.1 on the network 192.168.1.0 where the broadcast is 192.168.1.255 and that it should be started on boot. This is the card that will be connected to the LAN.

 	#file: /etc/sysconfig/network-scripts/ifcfg-eth1
 	DEVICE="eth1"
 	IPADDR="22.101.121.10"
 	BOOTPROTO="none"
 	NETMASK="255.255.255.128"
 	ONBOOT="yes"
 
 

This tells the system that ethernet card 1 will have the IP address 22.101.131.10 with the netmask 255.255.255.128 and that it should be started on boot. This is the card that will be connected to the cable modem.

You will also need to put the following information in the network file in the /etc/sysconfig/ directory

 	#file: /etc/sysconfig/network-scripts/network
 	NETWORKING="yes"
 	HOSTNAME="bilbo.hobbiton.home"
 	GATEWAY="22.101.2.1"
 	GATEWAYDEV="eth1"
 
 

This tells the system that this computer's name is bilbo.hobbiton.home, that the gateway computer's IP address is 22.101.2.1 and that the gateway device is eth1.

Now all you need to do is restart the network services. You should shut down eth1 (or your external card) until you are ready to start the firewall. You restart and stop these services by

 	bash# /etc/rc.d/init.d/network restart
 	bash# /sbin/ifdown eth1
 
 

This will ensure that the changes take effect. Now you have a firewall computer with no firewall installed.

Install the firewall

Building a firewall is not a simple task. Lucky for me and you, though, there are some very good books out there on how to do it. The quickest way that I found was to use the book Linux Firewalls: ISBN 0-7357-0900-9 by Robert L. Ziegler to build one. His book lays out a complete firewall under Red Hat Linux 6.x using ipchains. For a comprehensive review of Internet security get the book Building Internet Firewalls 2nd Ed.: ISBN 1-56592-871-7 by Elizabeth D. Zwicky, Simon Cooper, & D. Brent Chapman.

The firewall script can be downloaded from the authors web site in both ipchains and ipfwadm format.

The firewall script I used is a modified version of MR Ziegler's and is included in Appendix D. I run the firewall script using the runlevel startup method provided by in Red Hat Linux.

I switched bilbo to runlevel 2. This is done by modifying the inittab file from

 	id:3:initdefault:
 
 

to

 	id:2:initdefault:
 
 

Now you can modify /etc/rc.d/rc2.d/ and still have /etc/rc.d/rc3.d/ to fall back on if you should have any problems. I created a symbolic link from /etc/rc.d/rc2.d/S15firewall to /etc/rc.d/init.d/firewall to start the firewall on boot. This will start after the network is up since the network is started as S10network. It would be better for the firewall to start before the network since you are vulnerable to attack for the time it takes the firewall to load. This is possible if you have a static IP address assigned to you by your ISP and if you do not have any names in your firewall that require DNS lookup. If you use dhcp to get your network information or require DNS lookup in your firewall, you will need to start your network before your firewall.

Removing unwanted packages

Turning off processes and daemons is a good way to reclaim your computers processing power, not only an exercise in security. This machine is being dedicated to firewall and NAT duties, therefore, many applications that are running after installation are a waste of RAM, CPU cycles and HDD space. Let's not forget the many single floppy disk Linux distributions out there that can accomplish what I am doing with 113MB of HDD space.

Some packages that should not be installed on bilbo are: telnet, telnet daemon, lpr, ghostscript, all fonts, XFree86-xfs, XFree86-lib, libpng, chkfontpath, rhs-printfilters, yp, nfs, rsh, etc.

To uninstall lpr after installation, as root, run

 	rpm -e lpr
 
 

This will uninstall lpr or complain about dependencies and then fail. If you still don't want it you can use the --force switch with the same command or you can uninstall the dependent packages as well.

 e.g.
 	bash# rpm -e lpr
 	error: removing these packages would break dependencies:
         	lpr >= 0.17 is needed by rhs-printfilters-1.63-1
 		lpr >= 0.16 is needed by printtool-3.44-1
 
 

 	bash# rpm -e --force lpr
 
 

 	or
 
 

 	bash# rpm -e lpr rhs-printfilters printtool
 
 

Continue until you have removed all the packages that you want. If you did your job well your system should have the minimum of packages installed and it still runs.

Turning off unwanted services

I turned off many services by simply not installing the inetd daemon. This is the daemon that acts as the eyes and ears for many programs such as telnet, ftp, talk, etc. In the /etc/rc.d/rc2.d/ directory you should only have

 	K60atd -> ../init.d/atd
 	K75netfs -> ../init.d/netfs
 	K92ipchains -> ../init.d/ipchains
 	S10network -> ../init.d/network
 	S15firewall -> ../init.d/firewall
 	S20random -> ../init.d/random
 	S30syslog -> ../init.d/syslog
 	S40crond -> ../init.d/crond
 	S55sshd -> ../init.d/sshd
 	S75keytable -> ../init.d/keytable
 	S99local -> ../rc.local
 
 

This allows for an increase in security because risky services are not started. This also allows for an decrease in system load by reducing overall system usage.

You can usually turn off services that are installed via their startup scripts in /etc/rc.d/init.d with the following command line

 	/etc/rc.d/init.d/gpm stop
 
 

and keep them from restarting upon reboot by deleting their link from the /etc/rc.d/rc2.d/ directory.

An example of the minimum of processes and services running on the firewall machine are given in Appendix B.

Appendix A - Hardware and software configurations

Configuration files:

The Domain Name Server (DNS) is set in the resolve.conf file.

 e.g.
 	#file: /etc/resolve.conf
 	nameserver 22.101.131.57
 	nameserver 22.101.131.58
 
 

Turning on packet forwarding:

Packet forwarding can be enabled from the command line using

 	bash# echo 1 > /proc/sys/net/ipv4/ip_forward 
 
 

but it is reset to 0 on reboot. A persistent solution is to modify the file /etc/sysctl.conf as seen below

 	#file: /etc/sysctl.conf
 	# Disables packet forwarding
 	net.ipv4.ip_forward = 0			# default
 	...					#line deleted for brevity
 
 

Change to 1 to allow packet forwarding (available upon reboot)

 	...
 	net.ipv4.ip_forward = 1
 	...
 
 

Ethernet card configuration:

Here are the files that need to be filled in for the ethernet cards to work

 	#file: /etc/sysconfig/network-scripts/network
 	NETWORKING="yes"
 	HOSTNAME="bilbo.hobbiton.home"
 	FORWARD="yes"
 	GATEWAY="22.101.2.1"
 	GATEWAYDEV="eth1"
 
 

 	#file: /etc/sysconfig/network-scripts/ifcfg-eth0 
 	DEVICE="eth0"
 	IPADDR="192.168.1.1"
 	BOOTPROTO="none"
 	NETWORK="192.168.1.0"
 	ONBOOT="yes"
 	BROADCAST="192.168.1.255"
 
 

 	#file: /etc/sysconfig/network-scripts/ifcfg-eth1
 	DEVICE="eth1"
 	IPADDR="22.101.121.10"
 	BOOTPROTO="none"
 	NETMASK="255.255.255.128"
 	ONBOOT="yes"
 
 

 bash# ifconfig
 eth0      Link encap:Ethernet  HWaddr 00:C0:DF:C0:5E:33  
           inet addr:192.168.1.1  Bcast:192.168.1.255  Mask:255.255.255.0
           UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
           RX packets:2887420 errors:0 dropped:0 overruns:0 frame:0
           TX packets:4700628 errors:0 dropped:0 overruns:0 carrier:0
           collisions:371 txqueuelen:100 
           Interrupt:11 Base address:0x260 
 
 

 eth1      Link encap:Ethernet  HWaddr 00:60:67:25:50:90  
           inet addr:22.101.121.10  Bcast:22.101.121.127  Mask:255.255.255.128
           UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
           RX packets:4698234 errors:0 dropped:0 overruns:0 frame:0
           TX packets:2868672 errors:0 dropped:0 overruns:0 carrier:0
           collisions:881 txqueuelen:100 
           Interrupt:10 Base address:0x280 
 
 

Appendix B - Processes running on bilbo

There should be as few processes running on your firewall machine as possible.

 bash# ps aux
 USER       PID %CPU %MEM   VSZ  RSS TTY      STAT START   TIME COMMAND
 root         1  0.0  0.2  1120   64 ?        S    Feb13   0:05 init [2]
 root         2  0.0  0.0     0    0 ?        SW   Feb13   0:00 [kflushd]
 root         3  0.0  0.0     0    0 ?        SW   Feb13   0:00 [kupdate]
 root         4  0.0  0.0     0    0 ?        SW   Feb13   0:00 [kpiod]
 root         5  0.0  0.0     0    0 ?        SW   Feb13   0:00 [kswapd]
 root         6  0.0  0.0     0    0 ?        SW<  Feb13   0:00 [mdrecoveryd]
 root       540  0.0  1.0  1168  332 ?        S    Feb13   0:01 syslogd -m 0
 root       549  0.0  0.5  1436  172 ?        S    Feb13   0:03 klogd
 root       563  0.0  0.4  1328  124 ?        S    Feb13   0:00 crond
 root       573  0.0  1.3  2268  420 ?        S    Feb13   0:48 /usr/sbin/sshd
 root       614  0.0  0.0  1092    0 tty1     SW   Feb13   0:00 [mingetty]
 root       615  0.0  0.0  1092    0 tty2     SW   Feb13   0:00 [mingetty]
 root       616  0.0  0.0  1092    0 tty3     SW   Feb13   0:00 [mingetty]
 
 

Appendix C - Creating a boot floppy after installation

Creating a boot floppy

Insert a blank high density double sided floppy disk (1440KB) into the floppy drive and run the following commands (this works for the first floppy device under /dev/fd0, if the floppy drive you use is the second use /dev/fd1)

 	bash# fdformat /dev/fd0H1440
 	bash# mkfs.ext2 /dev/fd0
 
 

This will format the disk and create the ext2 file system on the floppy. Mount the floppy (e.g. bash# mount -t ext2 /dev/fd0 /mnt/floppy) and erase the lost+found directory (it only takes up space on a floppy). Copy the following files from the /boot directory onto the floppy

 	boot.b
 	lilo.conf
 	map
 	vmlinuz-2.2.14-5.0
 
 

Edit the lilo.conf file to contain the following

 	boot=/dev/fd0
 	map=/mnt/floppy/map
 	install=/mnt/floppy/boot.b
 	timeout=50
 	prompt
 	image=/mnt/floppy/vmlinuz-2.2.14-5.0
         	label=linux
         	root=/dev/hda1
 

This tells lilo to boot off of the floppy using the map, boot.b and vmlinuz files found on the floppy disk. Now run lilo to make the floppy bootable

 e.g.
 	bash# lilo -v -C /mnt/floppy/lilo.conf
 
 

This tells lilo to be verbose (-v) and to use the specified lilo.conf (-C) file. Your floppy will now boot your machine as long as your root (/) directory is on device hda1 (change it if it is different).

Appendix D - The firewall script

 #!/bin/sh
 
 # Source function library.
 . /etc/rc.d/init.d/functions
 
 echo -n "Starting Firewall: "
 
 # ====================================================================
 # ====================================================================
 
 # Originally from Linux Firewalls: ISBN 0-7357-0900-9
 # by Robert L. Ziegler available at 
 # http://www.linux-firewall-tools.com/ftp/firewall/rc.firewall.ipchains
 
 # I have included some extra ipchains that are commented out.
 # This gives me future options without my having to type them
 # in later.  Find them by searching for either of the phrases:
 
 # PETAR'S MODIFICATIONS:
 # or
 # NOT IMPLEMENTED
 
 # They are in the lines:
 
 #  #  #  # PETAR'S MODIFICATIONS:
 # and
 #  #  #  # NOT IMPLEMENTED
 
 # The ipchains that are commented out all have "#  #  #  "
 # in front of them, so they should be easy to find.  The
 # "#  #  #  " is nine columns long.  To implement any of the
 # commented ipchains, search for the pattern of "#  #  #  "
 # and remove it.  Of course I have not triple checked any of
 # those sections ;-).  Some of them also need IP addresses
 # before they can be turned on.
 
 # ====================================================================
 # ====================================================================
 
 # Use variables to store addresses for ease of use
 
 # ______________________________________________________________________
 # ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 # Replace the IP addresses below with those provided by your ISP
 
 EXTERNAL_INTERFACE="eth1"           # Internet connected interface 
 LOOPBACK_INTERFACE="lo"             # or your local naming convention
 LAN_INTERFACE_1="eth0"              # internal LAN interface
   
 IPADDR="22.101.121.10"              # your IP address
 LAN_1="192.168.1.0/24"              # whatever (private) range you use
 LAN_IPADDR_1="192.168.1.1"          # your internal interface address
 TRUSTED_FROM_LAN_1="192.168.1.2"    # the machine on the LAN that I trust
 TRUSTED_FROM_LAN_2="192.168.1.11"   # the machine on the LAN that I trust
 
 ANYWHERE="any/0"                    # match any IP address
 
 
 MY_ISP="22.101.121.0/24"            # ISP & NOC address range
 NAMESERVER_1="22.101.131.57"        # Primary DNS
 NAMESERVER_2="22.101.131.58"	    # and this is DNS 2
 
 SMTP_SERVER="any/0"                 # external mail server 
 SMTP_GATEWAY="22.101.91.97"         # external mail relay
 POP_SERVER="22.101.91.98"           # external pop server, if any
 NEWS_SERVER="22.101.91.99"          # external news server, if any
 WEB_PROXY_SERVER="22.101.91.1"      # ISP web proxy server, if any
 WEB_PROXY_PORT="8080"               # ISP web proxy port, if any
                                     # typically 8008 or 8080
 
 # Replace the IP addresses above with those provided by your ISP
 # ______________________________________________________________________
 # ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 
 LOOPBACK="127.0.0.0/8"              # reserved loopback address range
 CLASS_A="10.0.0.0/8"                # class A private networks
 CLASS_B="172.16.0.0/12"             # class B private networks
 CLASS_C="192.168.0.0/16"            # class C private networks
 CLASS_D_MULTICAST="224.0.0.0/4"     # class D multicast addresses
 CLASS_E_RESERVED_NET="240.0.0.0/5"  # class E reserved addresses
 BROADCAST_SRC="0.0.0.0"             # broadcast source address
 BROADCAST_DEST="255.255.255.255"    # broadcast destination address
 PRIVPORTS="0:1023"                  # wellknown, privileged port range
 UNPRIVPORTS="1024:65535"            # unprivileged port range
 TRACEROUTE_SRC_PORTS="32769:65535"
 TRACEROUTE_DEST_PORTS="33434:33523"
 
 # --------------------------------------------------------------------
 # EDIT THESE TO MATCH THE NUMBER OF SERVERS OR CONNECTIONS 
 # YOU SUPPORT.
 
 # X Windows port allocation begins at 6000 and increments
 # for each additional server running from 6000 to 6063.
 
 XWINDOW_PORTS="6000:6003"           # (TCP) X windows, allow 4
 
 # SSH starts at 1023 and works down to 513 for
 # each additional simultaneous incoming connection.
 
 SSH_PORTS="1020:1023"               # 4 simultaneous connections
 
 # --------------------------------------------------------------------
 
 SOCKS_PORT="1080"                   # (TCP) socks
 OPENWINDOWS_PORT="2000"             # (TCP) openwindows
 NFS_PORT="2049"                     # (TCP/UDP) NFS
 
 # --------------------------------------------------------------------
 
 # Flush any existing rules from all chains
 ipchains -F
 
 # Set the default policy to deny
 ipchains -P input   DENY
 ipchains -P output  REJECT
 ipchains -P forward REJECT
 
 # Set masquerade timeout to 10 hours for TCP connections.
 ipchains -M -S 36000 0 0
 
 # Disallow Fragmented Packets
 ipchains -A input -f -i $EXTERNAL_INTERFACE -j DENY
 
 # Enable TCP SYN Cookie Protection
 echo 1 >/proc/sys/net/ipv4/tcp_syncookies
 
 # Enable IP spoofing protection
 # turn on Source Address Verification
 for f in /proc/sys/net/ipv4/conf/*/rp_filter; do
     echo 1 > $f
 done
 
 # Disable ICMP Redirect Acceptance
 for f in /proc/sys/net/ipv4/conf/*/accept_redirects; do
     echo 0 > $f
 done
 
 # Disable Source Routed Packets
 for f in /proc/sys/net/ipv4/conf/*/accept_source_route; do
     echo 0 > $f
 done
 
 # --------------------------------------------------------------------
 # LOOPBACK
 
 # Unlimited traffic on the loopback interface
 ipchains -A input  -i $LOOPBACK_INTERFACE -j ACCEPT
 ipchains -A output -i $LOOPBACK_INTERFACE -j ACCEPT
 
 # --------------------------------------------------------------------
 # Refuse any connections from problem sites
 # This is our black hole
 
 # /etc/rc.d/rc.firewall.blocked contains a list of
 # ipchains -A input -i $EXTERNAL_INTERFACE -s <address/mask> -j DENY
 # rules to block all access from offending sites.
 
 # Refuse packets claiming to be from the banned list
 if [ -f /etc/rc.d/rc.firewall.blocked ]; then
     . /etc/rc.d/rc.firewall.blocked
 fi
 
 # --------------------------------------------------------------------
 # SPOOFING & BAD ADDRESSES
 # Refuse spoofed packets.
 # Ignore blatantly illegal source addresses.
 # Protect yourself from sending to bad addresses.
 
 # Refuse spoofed packets pretending to be from 
 # the external interface's IP address. The -l (dash ell)
 # makes the ipchain log any encounter in /var/log/messages
 ipchains -A input  -i $EXTERNAL_INTERFACE -s $IPADDR -j DENY -l 
 
 # Refuse packets claiming to be to or from a Class A private network
 ipchains -A input  -i $EXTERNAL_INTERFACE -s $CLASS_A -j DENY
 ipchains -A input  -i $EXTERNAL_INTERFACE -d $CLASS_A -j DENY
 ipchains -A output -i $EXTERNAL_INTERFACE -s $CLASS_A -j DENY -l
 ipchains -A output -i $EXTERNAL_INTERFACE -d $CLASS_A -j DENY -l
 
 # Refuse packets claiming to be to or from a Class B private network
 ipchains -A input  -i $EXTERNAL_INTERFACE -s $CLASS_B -j DENY
 ipchains -A input  -i $EXTERNAL_INTERFACE -d $CLASS_B -j DENY
 ipchains -A output -i $EXTERNAL_INTERFACE -s $CLASS_B -j DENY -l
 ipchains -A output -i $EXTERNAL_INTERFACE -d $CLASS_B -j DENY -l
 
 # Refuse packets claiming to be to or from a Class C private network
 ipchains -A input  -i $EXTERNAL_INTERFACE -s $CLASS_C -j DENY
 ipchains -A input  -i $EXTERNAL_INTERFACE -d $CLASS_C -j DENY
 ipchains -A output -i $EXTERNAL_INTERFACE -s $CLASS_C -j DENY -l
 ipchains -A output -i $EXTERNAL_INTERFACE -d $CLASS_C -j DENY -l
 
 # Refuse packets claiming to be from the loopback interface
 ipchains -A input  -i $EXTERNAL_INTERFACE -s $LOOPBACK -j DENY
 ipchains -A output -i $EXTERNAL_INTERFACE -s $LOOPBACK -j DENY -l
 
 # Refuse malformed broadcast packets
 ipchains -A input  -i $EXTERNAL_INTERFACE -s $BROADCAST_DEST -j DENY -l 
 ipchains -A input  -i $EXTERNAL_INTERFACE -d $BROADCAST_SRC  -j DENY -l 
 ipchains -A output -i $EXTERNAL_INTERFACE -s $BROADCAST_DEST -j DENY -l 
 ipchains -A output -i $EXTERNAL_INTERFACE -d $BROADCAST_SRC  -j DENY -l 
 
 # Refuse Class D multicast addresses
 # Multicast is only illegal as a source address.
 # Multicast uses UDP
 ipchains -A input  -i $EXTERNAL_INTERFACE -s $CLASS_D_MULTICAST \
          -j DENY -l
          
 ipchains -A output -i $EXTERNAL_INTERFACE -s $CLASS_D_MULTICAST \
          -j REJECT -l
          
 # Refuse Class E reserved IP addresses
 ipchains -A input  -i $EXTERNAL_INTERFACE -s $CLASS_E_RESERVED_NET \
          -j DENY -l
          
 ipchains -A output -i $EXTERNAL_INTERFACE -d $CLASS_E_RESERVED_NET \
          -j REJECT
          
 # Refuse addresses defined as reserved by the IANA.
 # 0.*.*.*, 1.*.*.*, 2.*.*.*, 5.*.*.*, 7.*.*.*, 23.*.*.*, 27.*.*.*
 # 31.*.*.*, 37.*.*.*, 39.*.*.*, 41.*.*.*, 42.*.*.*, 58-60.*.*.*
 
 ipchains -A input -i $EXTERNAL_INTERFACE -s 1.0.0.0/8 -j DENY -l
 ipchains -A input -i $EXTERNAL_INTERFACE -s 2.0.0.0/8 -j DENY -l
 ipchains -A input -i $EXTERNAL_INTERFACE -s 5.0.0.0/8 -j DENY -l
 ipchains -A input -i $EXTERNAL_INTERFACE -s 7.0.0.0/8 -j DENY -l
 ipchains -A input -i $EXTERNAL_INTERFACE -s 23.0.0.0/8 -j DENY -l
 ipchains -A input -i $EXTERNAL_INTERFACE -s 27.0.0.0/8 -j DENY -l
 ipchains -A input -i $EXTERNAL_INTERFACE -s 31.0.0.0/8 -j DENY -l
 ipchains -A input -i $EXTERNAL_INTERFACE -s 37.0.0.0/8 -j DENY -l
 ipchains -A input -i $EXTERNAL_INTERFACE -s 39.0.0.0/8 -j DENY -l
 ipchains -A input -i $EXTERNAL_INTERFACE -s 41.0.0.0/8 -j DENY -l
 ipchains -A input -i $EXTERNAL_INTERFACE -s 42.0.0.0/8 -j DENY -l
 ipchains -A input -i $EXTERNAL_INTERFACE -s 58.0.0.0/7 -j DENY -l
 ipchains -A input -i $EXTERNAL_INTERFACE -s 60.0.0.0/8 -j DENY -l
 
 # 65: 01000001   - /3 includes 64 - need 65-79 spelled out
 ipchains -A input -i $EXTERNAL_INTERFACE -s 65.0.0.0/8 -j DENY -l
 ipchains -A input -i $EXTERNAL_INTERFACE -s 66.0.0.0/8 -j DENY -l
 ipchains -A input -i $EXTERNAL_INTERFACE -s 67.0.0.0/8 -j DENY -l
 ipchains -A input -i $EXTERNAL_INTERFACE -s 68.0.0.0/8 -j DENY -l
 ipchains -A input -i $EXTERNAL_INTERFACE -s 69.0.0.0/8 -j DENY -l
 ipchains -A input -i $EXTERNAL_INTERFACE -s 70.0.0.0/8 -j DENY -l
 ipchains -A input -i $EXTERNAL_INTERFACE -s 71.0.0.0/8 -j DENY -l
 ipchains -A input -i $EXTERNAL_INTERFACE -s 72.0.0.0/8 -j DENY -l
 ipchains -A input -i $EXTERNAL_INTERFACE -s 73.0.0.0/8 -j DENY -l
 ipchains -A input -i $EXTERNAL_INTERFACE -s 74.0.0.0/8 -j DENY -l
 ipchains -A input -i $EXTERNAL_INTERFACE -s 75.0.0.0/8 -j DENY -l
 ipchains -A input -i $EXTERNAL_INTERFACE -s 76.0.0.0/8 -j DENY -l
 ipchains -A input -i $EXTERNAL_INTERFACE -s 77.0.0.0/8 -j DENY -l
 ipchains -A input -i $EXTERNAL_INTERFACE -s 78.0.0.0/8 -j DENY -l
 ipchains -A input -i $EXTERNAL_INTERFACE -s 79.0.0.0/8 -j DENY -l
 
 # 80: 01010000   - /4 masks 80-95
 ipchains -A input -i $EXTERNAL_INTERFACE -s 80.0.0.0/4 -j DENY -l
 
 # 96: 01100000  - /4 masks 96-111
 ipchains -A input -i $EXTERNAL_INTERFACE -s 96.0.0.0/4 -j DENY -l
 
 # 126: 01111110  - /3 includes 127 - need 112-126 spelled out
 ipchains -A input -i $EXTERNAL_INTERFACE -s 112.0.0.0/8 -j DENY -l
 ipchains -A input -i $EXTERNAL_INTERFACE -s 113.0.0.0/8 -j DENY -l
 ipchains -A input -i $EXTERNAL_INTERFACE -s 114.0.0.0/8 -j DENY -l
 ipchains -A input -i $EXTERNAL_INTERFACE -s 115.0.0.0/8 -j DENY -l
 ipchains -A input -i $EXTERNAL_INTERFACE -s 116.0.0.0/8 -j DENY -l
 ipchains -A input -i $EXTERNAL_INTERFACE -s 117.0.0.0/8 -j DENY -l
 ipchains -A input -i $EXTERNAL_INTERFACE -s 118.0.0.0/8 -j DENY -l
 ipchains -A input -i $EXTERNAL_INTERFACE -s 119.0.0.0/8 -j DENY -l
 ipchains -A input -i $EXTERNAL_INTERFACE -s 120.0.0.0/8 -j DENY -l
 ipchains -A input -i $EXTERNAL_INTERFACE -s 121.0.0.0/8 -j DENY -l
 ipchains -A input -i $EXTERNAL_INTERFACE -s 122.0.0.0/8 -j DENY -l
 ipchains -A input -i $EXTERNAL_INTERFACE -s 123.0.0.0/8 -j DENY -l
 ipchains -A input -i $EXTERNAL_INTERFACE -s 124.0.0.0/8 -j DENY -l
 ipchains -A input -i $EXTERNAL_INTERFACE -s 125.0.0.0/8 -j DENY -l
 ipchains -A input -i $EXTERNAL_INTERFACE -s 126.0.0.0/8 -j DENY -l
 
 # 217: 11011001  - /5 includes 216 - need 217-219 spelled out
 ipchains -A input -i $EXTERNAL_INTERFACE -s 217.0.0.0/8 -j DENY -l
 ipchains -A input -i $EXTERNAL_INTERFACE -s 218.0.0.0/8 -j DENY -l
 ipchains -A input -i $EXTERNAL_INTERFACE -s 219.0.0.0/8 -j DENY -l
 
 # 223: 11011111  - /6 masks 220-223
 ipchains -A input -i $EXTERNAL_INTERFACE -s 220.0.0.0/6 -j DENY -l
 
 # --------------------------------------------------------------------
 # ICMP
 
 # (4)  Source_Quench
 #      incoming & outgoing requests to slow down (flow control)
 
 ipchains -A input  -i $EXTERNAL_INTERFACE -p icmp \
          -s $ANYWHERE 4 -d $IPADDR -j ACCEPT
 
 ipchains -A output -i $EXTERNAL_INTERFACE -p icmp \
          -s $IPADDR 4 -d $ANYWHERE -j ACCEPT
 
 # (12) Parameter_Problem
 #      incoming & outgoing error messages
 
 ipchains -A input  -i $EXTERNAL_INTERFACE -p icmp \
          -s $ANYWHERE 12 -d $IPADDR -j ACCEPT
 
 ipchains -A output -i $EXTERNAL_INTERFACE -p icmp \
          -s $IPADDR 12 -d $ANYWHERE -j ACCEPT
 
 # (3)  Dest_Unreachable, Service_Unavailable
 #      incoming & outgoing size negotiation, service or 
 #      destination unavailability, final traceroute response 
 
 ipchains -A input  -i $EXTERNAL_INTERFACE -p icmp \
          -s $ANYWHERE 3 -d $IPADDR -j ACCEPT
 
 ipchains -A output -i $EXTERNAL_INTERFACE -p icmp \
          -s $IPADDR 3 -d $MY_ISP -j ACCEPT
 
 ipchains -A output -i $EXTERNAL_INTERFACE -p icmp \
          -s $IPADDR fragmentation-needed -d $ANYWHERE -j ACCEPT
 
 # (11) Time_Exceeded
 #      incoming & outgoing time out conditions,
 #      also intermediate TTL response to traceroutes
 
 ipchains -A input  -i $EXTERNAL_INTERFACE -p icmp \
          -s $ANYWHERE 11 -d $IPADDR -j ACCEPT
 
 ipchains -A output -i $EXTERNAL_INTERFACE -p icmp \
          -s $IPADDR 11 -d $MY_ISP -j ACCEPT
 
 # allow outgoing pings to anywhere
 
 ipchains -A output -i $EXTERNAL_INTERFACE -p icmp \
          -s $IPADDR 8 -d $ANYWHERE -j ACCEPT
 
 ipchains -A input  -i $EXTERNAL_INTERFACE -p icmp \
          -s $ANYWHERE 0 -d $IPADDR -j ACCEPT
 
 # allow incoming pings from trusted hosts
 
 ipchains -A input  -i $EXTERNAL_INTERFACE -p icmp \
          -s $MY_ISP 8 -d $IPADDR -j ACCEPT
 
 ipchains -A output -i $EXTERNAL_INTERFACE -p icmp \
          -s $IPADDR 0 -d $MY_ISP -j ACCEPT
          
 # --------------------------------------------------------------------
 # UNPRIVILEGED PORTS
 # Avoid ports subject to protocol & system administration problems.
 
 # Open Windows: establishing a connection
 ipchains -A output -i $EXTERNAL_INTERFACE -p tcp -y \
          -s $IPADDR \
          -d $ANYWHERE $OPENWINDOWS_PORT -j REJECT
          
 # Open Windows incoming connection
 ipchains -A input -i $EXTERNAL_INTERFACE -p tcp -y \
          -d $IPADDR $OPENWINDOWS_PORT -j DENY
          
 # X Windows: establishing a remote connection
 ipchains -A output -i $EXTERNAL_INTERFACE -p tcp -y \
          -s $IPADDR \
          -d $ANYWHERE $XWINDOW_PORTS -j REJECT
          
 # X Windows: incoming connection attempt
 ipchains -A input -i $EXTERNAL_INTERFACE -p tcp -y \
          -d $IPADDR $XWINDOW_PORTS -j DENY -l
          
 # SOCKS: establishing a connection
 ipchains -A output -i $EXTERNAL_INTERFACE -p tcp -y \
          -s $IPADDR \
          -d $ANYWHERE $SOCKS_PORT -j REJECT -l
          
 # SOCKS incoming connection
 ipchains -A input -i $EXTERNAL_INTERFACE -p tcp -y \
          -d $IPADDR $SOCKS_PORT -j DENY
          
 # NFS: TCP connections
 ipchains -A input -i $EXTERNAL_INTERFACE -p tcp -y \
          -d $IPADDR $NFS_PORT -j DENY -l
 
 ipchains -A output -i $EXTERNAL_INTERFACE -p tcp -y \
          -d $ANYWHERE $NFS_PORT -j REJECT -l
          
 # NFS: UDP connections
 ipchains -A input -i $EXTERNAL_INTERFACE -p udp \
          -d $IPADDR $NFS_PORT -j DENY -l
          
 # NFS incoming request  (normal UDP mode)
 ipchains -A output -i $EXTERNAL_INTERFACE -p udp \
          -d $ANYWHERE $NFS_PORT -j REJECT -l
 
 # --------------------------------------------------------------------
 # NOTE:
 #      The symbolic names used in /etc/services for the port numbers 
 #      vary by supplier.  Using them is less error prone and more 
 #      meaningful.
 
 # --------------------------------------------------------------------
 # Required Services
 
 # DNS client modes (53)
 # ---------------------
 # For the primary and secondary DNS's
 
 ipchains -A output -i $EXTERNAL_INTERFACE -p udp \
          -s $IPADDR $UNPRIVPORTS \
          -d $NAMESERVER_1 53 -j ACCEPT
 
 ipchains -A input  -i $EXTERNAL_INTERFACE -p udp \
          -s $NAMESERVER_1 53 \
          -d $IPADDR $UNPRIVPORTS -j ACCEPT
 
 # PETAR'S MODIFICATIONS:
 # IS THIS CORRECT?  IS IT UDP FOR DNS_2 OR IS IT TCP?
 
 ipchains -A output -i $EXTERNAL_INTERFACE -p udp \
          -s $IPADDR $UNPRIVPORTS \
          -d $NAMESERVER_2 53 -j ACCEPT
 
 ipchains -A input  -i $EXTERNAL_INTERFACE -p udp \
          -s $NAMESERVER_2 53 \
          -d $IPADDR $UNPRIVPORTS -j ACCEPT
 
 # TCP client to server requests are allowed by the protocol 
 # if UDP requests fail. This is rarely seen. Usually, clients
 # use TCP as a secondary nameserver for zone transfers from
 # their primary nameservers, and as hackers.
 
 ipchains -A output -i $EXTERNAL_INTERFACE -p tcp \
          -s $IPADDR $UNPRIVPORTS \
          -d $NAMESERVER_1 53 -j ACCEPT
 
 ipchains -A input -i $EXTERNAL_INTERFACE -p tcp ! -y \
          -s $NAMESERVER_1 53 \
          -d $IPADDR $UNPRIVPORTS -j ACCEPT
 
 #  #  #  # PETAR'S MODIFICATIONS:
 #  #  #  # NOT IMPLEMENTED
 #  #  #  # DNS server modes (53)
 #  #  #  # ---------------------
 #  #  #  
 #  #  #  # DNS caching & forwarding nameserver
 #  #  #  # -----------------------------------
 #  #  #  
 #  #  #  # server to server query or response
 #  #  #  # Caching only name server uses UDP, not TCP
 #  #  #  
 #  #  #  ipchains -A output -i $EXTERNAL_INTERFACE -p udp \
 #  #  #           -s $IPADDR 53 \
 #  #  #           -d $NAMESERVER_1 53 -j ACCEPT
 #  #  #  
 #  #  #  ipchains -A input  -i $EXTERNAL_INTERFACE -p udp \
 #  #  #           -s $NAMESERVER_1 53 \
 #  #  #           -d $IPADDR 53 -j ACCEPT
 #  #  #  
 #  #  #  # DNS full nameserver
 #  #  #  # -------------------
 #  #  #  
 #  #  #  # client to server DNS transaction
 #  #  #  ipchains -A input  -i $EXTERNAL_INTERFACE -p udp \
 #  #  #           -s <my.dns.clients> $UNPRIVPORTS \
 #  #  #           -d $IPADDR 53 -j ACCEPT
 #  #  #  
 #  #  #  ipchains -A output -i $EXTERNAL_INTERFACE -p udp \
 #  #  #           -s $IPADDR 53 \
 #  #  #           -d <my.dns.clients> $UNPRIVPORTS -j ACCEPT
 #  #  #  
 #  #  #  # peer-to-peer server DNS transaction 
 #  #  #  ipchains -A input  -i $EXTERNAL_INTERFACE -p udp \
 #  #  #           -s <my.dns.clients> 53 \
 #  #  #           -d $IPADDR 53 -j ACCEPT
 #  #  #  
 #  #  #  ipchains -A output -i $EXTERNAL_INTERFACE -p udp \
 #  #  #           -s $IPADDR 53 \
 #  #  #           -d <my.dns.clients> 53 -j ACCEPT
 #  #  #  
 #  #  #  # Zone Transfers
 #  #  #  # due to the potential danger of zone transfers,
 #  #  #  # only allow TCP traffic to specific secondaries.
 #  #  #  
 #  #  #  ipchains -A input  -i $EXTERNAL_INTERFACE -p tcp \
 #  #  #           -s <my.dns.secondaries> $UNPRIVPORTS \
 #  #  #           -d $IPADDR 53 -j ACCEPT
 #  #  #  
 #  #  #  ipchains -A output -i $EXTERNAL_INTERFACE -p tcp ! -y \
 #  #  #           -s $IPADDR 53 \
 #  #  #           -d <my.dns.secondaries> $UNPRIVPORTS -j ACCEPT
 
 # --------------------------------------------------------------------
 
 # AUTH (113) - Allowing Your Outgoing AUTH Requests as a Client
 # -------------------------------------------------------------
 
 ipchains -A output -i $EXTERNAL_INTERFACE -p tcp \
          -s $IPADDR $UNPRIVPORTS \
          -d $ANYWHERE 113 -j ACCEPT
 
 ipchains -A input -i $EXTERNAL_INTERFACE -p tcp ! -y \
          -s $ANYWHERE 113 \
          -d $IPADDR $UNPRIVPORTS -j ACCEPT
 
 #  #  #  # NOT IMPLEMENTED
 #  #  #  # AUTH server (113)
 #  #  #  # -----------------
 #  #  #  # Accepting Incoming AUTH Requests
 #  #  #  
 #  #  #  ipchains -A input  -i $EXTERNAL_INTERFACE -p tcp \
 #  #  #           -s $ANYWHERE $UNPRIVPORTS \
 #  #  #           -d $IPADDR 113 -j ACCEPT
 #  #  #  
 #  #  #  ipchains -A output -i $EXTERNAL_INTERFACE -p tcp ! -y \
 #  #  #           -s $IPADDR 113 \
 #  #  #           -d $ANYWHERE $UNPRIVPORTS -j ACCEPT
 
 # OR
 
 # Rejecting Incoming AUTH Requests
 
 ipchains -A input  -i $EXTERNAL_INTERFACE -p tcp \
          -d $IPADDR 113 -j REJECT
 
 # --------------------------------------------------------------------
 # TCP services on selected ports
 
 # Sending Mail through a remote SMTP gateway (25)
 # -----------------------------------------------
 
 # SMTP client to an ISP account without a local server
 
 ipchains -A output -i $EXTERNAL_INTERFACE -p tcp \
          -s $IPADDR $UNPRIVPORTS \
          -d $SMTP_GATEWAY 25 -j ACCEPT
 
 ipchains -A input  -i $EXTERNAL_INTERFACE -p tcp ! -y \
          -s $SMTP_GATEWAY 25 \
          -d $IPADDR $UNPRIVPORTS -j ACCEPT
 
 # OR 
 
 # Sending Mail through a local SMTP server
 
 ipchains -A output -i $EXTERNAL_INTERFACE -p tcp \
          -s $IPADDR $UNPRIVPORTS \
          -d $ANYWHERE 25 -j ACCEPT
 
 ipchains -A input  -i $EXTERNAL_INTERFACE -p tcp ! -y \
          -s $ANYWHERE 25 \
          -d $IPADDR $UNPRIVPORTS -j ACCEPT
 
 #  #  #  # NOT IMPLEMENTED
 #  #  #  # Receiving Mail as a Local SMTP server (25)
 #  #  #  # ------------------------------------------
 #  #  #  
 #  #  #  ipchains -A input  -i $EXTERNAL_INTERFACE -p tcp \
 #  #  #           -s $ANYWHERE $UNPRIVPORTS \
 #  #  #           -d $IPADDR 25 -j ACCEPT
 #  #  #  
 #  #  #  ipchains -A output -i $EXTERNAL_INTERFACE -p tcp ! -y \
 #  #  #           -s $IPADDR 25 \
 #  #  #           -d $ANYWHERE $UNPRIVPORTS -j ACCEPT
 
 # --------------------------------------------------------------------
 
 # POP (110) - Retrieving Mail as a POP Client
 # -------------------------------------------
 
 ipchains -A output -i $EXTERNAL_INTERFACE -p tcp \
          -s $IPADDR $UNPRIVPORTS \
          -d $POP_SERVER 110 -j ACCEPT
 
 ipchains -A input -i $EXTERNAL_INTERFACE -p tcp ! -y \
          -s $POP_SERVER 110 \
          -d $IPADDR $UNPRIVPORTS -j ACCEPT
 
 #  #  #  # NOT IMPLEMENTED
 #  #  #  # POP (110) - Hosting a POP Server for Remote Clients
 #  #  #  # ---------------------------------------------------
 #  #  #  
 #  #  #  ipchains -A input  -i $EXTERNAL_INTERFACE -p tcp \
 #  #  #           -s <my.pop.clients> $UNPRIVPORTS \
 #  #  #           -d $IPADDR 110 -j ACCEPT
 #  #  #  
 #  #  #  ipchains -A output -i $EXTERNAL_INTERFACE -p tcp ! -y \
 #  #  #           -s $IPADDR 110 \
 #  #  #           -d <my.pop.clients> $UNPRIVPORTS -j ACCEPT
 #  #  #  
 #  #  #  # --------------------------------------------------------------------
 #  #  #  
 #  #  #  # IMAP (143) - Retrieving Mail as an IMAP Client
 #  #  #  # ----------------------------------------------
 #  #  #  
 #  #  #  ipchains -A output -i $EXTERNAL_INTERFACE -p tcp \
 #  #  #           -s $IPADDR $UNPRIVPORTS \
 #  #  #           -d <my.imap.server> 143 -j ACCEPT
 #  #  #  
 #  #  #  ipchains -A input -i $EXTERNAL_INTERFACE -p tcp ! -y \
 #  #  #           -s <my.imap.server> 143 \
 #  #  #           -d $IPADDR $UNPRIVPORTS -j ACCEPT
 #  #  #  
 #  #  #  # IMAP (143) - Hosting an IMAP Server for Remote Clients
 #  #  #  # ------------------------------------------------------
 #  #  #  
 #  #  #  ipchains -A input  -i $EXTERNAL_INTERFACE -p tcp \
 #  #  #           -s <my.imap.clients> $UNPRIVPORTS \
 #  #  #           -d $IPADDR 143 -j ACCEPT
 #  #  #  
 #  #  #  ipchains -A output -i $EXTERNAL_INTERFACE -p tcp ! -y \
 #  #  #           -s $IPADDR 143 \
 #  #  #           -d <my.imap.clients> $UNPRIVPORTS -j ACCEPT
 # --------------------------------------------------------------------
 
 # NNTP (119) - Reading and Posting News as a Usenet Client
 # --------------------------------------------------------
 
 ipchains -A output -i $EXTERNAL_INTERFACE -p tcp \
          -s $IPADDR $UNPRIVPORTS \
          -d $NEWS_SERVER 119 -j ACCEPT
 
 ipchains -A input -i $EXTERNAL_INTERFACE -p tcp ! -y \
          -s $NEWS_SERVER 119 \
          -d $IPADDR $UNPRIVPORTS -j ACCEPT
 
 #  #  #  # NOT IMPLEMENTED
 #  #  #  # NNTP (119) - Hosting a Usenet News Server for Remote Clients
 #  #  #  # ------------------------------------------------------------
 #  #  #  
 #  #  #  ipchains -A input  -i $EXTERNAL_INTERFACE -p tcp \
 #  #  #           -s <my.news.clients> $UNPRIVPORTS \
 #  #  #           -d $IPADDR 119 -j ACCEPT
 #  #  #  
 #  #  #  ipchains -A output -i $EXTERNAL_INTERFACE -p tcp ! -y \
 #  #  #           -s $IPADDR 119 \
 #  #  #           -d <my.news.clients> $UNPRIVPORTS -j ACCEPT
 #  #  #  
 #  #  #  # NNTP (119) - Allowing Peer News Feeds for a Local Usenet Server
 #  #  #  # ---------------------------------------------------------------
 #  #  #  
 #  #  #  ipchains -A output -i $EXTERNAL_INTERFACE -p tcp \
 #  #  #           -s $IPADDR $UNPRIVPORTS \
 #  #  #           -d <my.news.feed> 119 -j ACCEPT
 #  #  #           
 #  #  #  ipchains -A input -i $EXTERNAL_INTERFACE -p tcp ! -y \
 #  #  #           -s <my.news.feed> 119 \
 #  #  #           -d $IPADDR $UNPRIVPORTS -j ACCEPT
 # --------------------------------------------------------------------
 
 # TELNET (23) - Allowing Outgoing Client Access to Remote Sites
 # -------------------------------------------------------------
 
 ipchains -A output -i $EXTERNAL_INTERFACE -p tcp \
          -s $IPADDR $UNPRIVPORTS \
          -d $ANYWHERE 23 -j ACCEPT
 
 ipchains -A input -i $EXTERNAL_INTERFACE -p tcp ! -y \
          -s $ANYWHERE 23 \
          -d $IPADDR $UNPRIVPORTS -j ACCEPT
 
 # TELNET (23) - Allowing Incoming Access to My Local Server 
 # ---------------------------------------------------------
 
 # ONLY ALLOW IT FROM TRUSTED INTERNAL COMPUTERS
 # ---------------------------------------------
 
 ipchains -A input -i $LAN_INTERFACE_1 -p tcp \
          -s $TRUSTED_FROM_LAN_1 $UNPRIVPORTS \
          -d $LAN_IPADDR 23 -j ACCEPT
 
 ipchains -A output -i $LAN_INTERFACE_1 -p tcp \
          -s $LAN_IPADDR 23 \
          -d $TRUSTED_FROM_LAN_1 $UNPRIVPORTS -j ACCEPT
 
 ipchains -A input -i $LAN_INTERFACE_1 -p tcp \
          -s $TRUSTED_FROM_LAN_2 $UNPRIVPORTS \
          -d $LAN_IPADDR 23 -j ACCEPT
 
 ipchains -A output -i $LAN_INTERFACE_1 -p tcp \
          -s $LAN_IPADDR 23 \
          -d $TRUSTED_FROM_LAN_2 $UNPRIVPORTS -j ACCEPT
 
 #  #  #  # NOT IMPLEMENTED (EVER ???)
 #  #  #  # TELNET (23) - Allowing Incoming Access to Your Local Server
 #  #  #  # -----------------------------------------------------------
 #  #  #  
 #  #  #  ipchains -A input  -i $EXTERNAL_INTERFACE -p tcp \
 #  #  #           -s $ANYWHERE $UNPRIVPORTS \
 #  #  #           -d $IPADDR 23 -j ACCEPT
 #  #  #  
 #  #  #  ipchains -A output -i $EXTERNAL_INTERFACE -p tcp ! -y \
 #  #  #           -s $IPADDR 23 \
 #  #  #           -d $ANYWHERE $UNPRIVPORTS -j ACCEPT
 #  #  #  
 #  #  #  # --------------------------------------------------------------------
 
 #  #  #  # PETAR'S MODIFICATIONS:
 #  #  #  # NOT IMPLEMENTED
 #  #  #  # SSH client (22) - Allowing Client Access to Remote SSH Servers
 #  #  #  # --------------------------------------------------------------
 #  #  #  
 #  #  #  ipchains -A output -i $EXTERNAL_INTERFACE -p tcp \
 #  #  #           -s $IPADDR $UNPRIVPORTS \
 #  #  #           -d $ANYWHERE 22 -j ACCEPT
 #  #  #  
 #  #  #  ipchains -A input  -i $EXTERNAL_INTERFACE -p tcp ! -y \
 #  #  #           -s $ANYWHERE 22 \
 #  #  #           -d $IPADDR $UNPRIVPORTS -j ACCEPT
 #  #  #  
 #  #  #  ipchains -A output -i $EXTERNAL_INTERFACE -p tcp \
 #  #  #           -s $IPADDR $SSH_PORTS \
 #  #  #           -d $ANYWHERE 22 -j ACCEPT
 #  #  #  
 #  #  #  ipchains -A input  -i $EXTERNAL_INTERFACE -p tcp ! -y \
 #  #  #           -s $ANYWHERE 22 \
 #  #  #           -d $IPADDR $SSH_PORTS -j ACCEPT 
 #  #  #  
 # SSH (22) - Allowing Remote Client Access to Your Local SSH Server
 # -----------------------------------------------------------------
 
 ipchains -A input  -i $EXTERNAL_INTERFACE -p tcp \
          -s $ANYWHERE $UNPRIVPORTS \
          -d $IPADDR 22 -j ACCEPT
 
 ipchains -A output -i $EXTERNAL_INTERFACE -p tcp ! -y \
          -s $IPADDR 22 \
          -d $ANYWHERE $UNPRIVPORTS -j ACCEPT
 
 ipchains -A input  -i $EXTERNAL_INTERFACE -p tcp \
          -s $ANYWHERE $SSH_PORTS \
          -d $IPADDR 22 -j ACCEPT
 
 ipchains -A output -i $EXTERNAL_INTERFACE -p tcp ! -y \
          -s $IPADDR 22 \
          -d $ANYWHERE $SSH_PORTS -j ACCEPT 
 
 # --------------------------------------------------------------------
 
 # FTP (20, 21) - Allowing Outgoing Client Access to Remote FTP Servers
 # --------------------------------------------------------------------
 
 # outgoing request
 
 ipchains -A output -i $EXTERNAL_INTERFACE -p tcp \
          -s $IPADDR $UNPRIVPORTS \
          -d $ANYWHERE 21 -j ACCEPT
 
 ipchains -A input -i $EXTERNAL_INTERFACE -p tcp ! -y \
          -s $ANYWHERE 21 \
          -d $IPADDR $UNPRIVPORTS -j ACCEPT
 
 # Normal Port Mode FTP Data Channels
 # DANGER WILL ROBINSON, DANGER WILL ROBINSON (a.k.a. Bill Mummy)
 # NORMAL PORT MODE DOES NOT WORK FROM THE INTERNAL (PRIVATE)
 # NETWORK, BUT IT DOES WORK FROM THE FIREWALL MACHINE ITSELF
 # requires all NATed ftp trafic to use passive mode (default in
 # web browsers)
 
 ipchains -A input  -i $EXTERNAL_INTERFACE -p tcp \
          -s $ANYWHERE 20 \
          -d $IPADDR $UNPRIVPORTS -j ACCEPT
 
 ipchains -A output -i $EXTERNAL_INTERFACE -p tcp ! -y \
          -s $IPADDR $UNPRIVPORTS \
          -d $ANYWHERE 20 -j ACCEPT
 
 # Passive Mode FTP Data Channels
 
 ipchains -A output -i $EXTERNAL_INTERFACE -p tcp \
          -s $IPADDR $UNPRIVPORTS \
          -d $ANYWHERE $UNPRIVPORTS -j ACCEPT
 
 ipchains -A input  -i $EXTERNAL_INTERFACE -p tcp ! -y \
          -s $ANYWHERE $UNPRIVPORTS \
          -d $IPADDR $UNPIRVPORTS -j ACCEPT
 
 #  #  #  # PETAR'S MODIFICATIONS
 #  #  #  # NOT IMPLEMENTED
 #  #  #  # FTP (20, 21) - Allowing Incoming Access to Your Local FTP Server
 #  #  #  # ----------------------------------------------------------------
 #  #  #  
 #  #  #  # incoming request
 #  #  #  
 #  #  #  ipchains -A input  -i $EXTERNAL_INTERFACE -p tcp \
 #  #  #           -s $ANYWHERE $UNPRIVPORTS \
 #  #  #           -d $IPADDR 21 -j ACCEPT
 #  #  #  
 #  #  #  ipchains -A output -i $EXTERNAL_INTERFACE -p tcp ! -y \
 #  #  #           -s $IPADDR 21 \
 #  #  #           -d $ANYWHERE $UNPRIVPORTS -j ACCEPT
 #  #  #  
 #  #  #  # Normal Port Mode FTP Data Channel Responses
 #  #  #  
 #  #  #  ipchains -A output -i $EXTERNAL_INTERFACE -p tcp \
 #  #  #           -s $IPADDR 20 \
 #  #  #           -d $ANYWHERE $UNPRIVPORTS -j ACCEPT
 #  #  #  
 #  #  #  ipchains -A input  -i $EXTERNAL_INTERFACE -p tcp ! -y \
 #  #  #           -s $ANYWHERE $UNPRIVPORTS \
 #  #  #           -d $IPADDR 20 -j ACCEPT
 #  #  #  
 #  #  #  # Passive Mode FTP Data Channel Responses
 #  #  #  
 #  #  #  ipchains -A input  -i $EXTERNAL_INTERFACE -p tcp \
 #  #  #           -s $ANYWHERE $UNPRIVPORTS \
 #  #  #           -d $IPADDR $UNPRIVPORTS -j ACCEPT
 #  #  #  
 #  #  #  ipchains -A output -i $EXTERNAL_INTERFACE -p tcp ! -y \
 #  #  #           -s $IPADDR $UNPRIVPORTS \
 #  #  #           -d $ANYWHERE $UNPRIVPORTS -j ACCEPT
 
 # --------------------------------------------------------------------
 
 # HTTP (80) - Accessing Remote Web Sites as a Client
 # --------------------------------------------------
 
 ipchains -A output -i $EXTERNAL_INTERFACE -p tcp \
          -s $IPADDR $UNPRIVPORTS \
          -d $ANYWHERE 80 -j ACCEPT
 
 ipchains -A input -i $EXTERNAL_INTERFACE -p tcp ! -y \
          -s $ANYWHERE 80 \
          -d $IPADDR $UNPRIVPORTS -j ACCEPT
 
 #  #  #  # PETAR'S MODIFICATIONS:
 #  #  #  # NOT IMPLEMENTED
 #  #  #  # HTTP (80) - Allowing Remote Access to a Local Web Server
 #  #  #  # --------------------------------------------------------
 #  #  #  
 #  #  #  ipchains -A input  -i $EXTERNAL_INTERFACE -p tcp \
 #  #  #           -s $ANYWHERE $UNPRIVPORTS \
 #  #  #           -d $IPADDR 80 -j ACCEPT
 #  #  #  
 #  #  #  ipchains -A output -i $EXTERNAL_INTERFACE -p tcp ! -y \
 #  #  #           -s $IPADDR 80 \
 #  #  #           -d $ANYWHERE $UNPRIVPORTS -j ACCEPT
 
 # HTTPS (443) - Accessing Remote Web Sites Over SSL as a Client
 # -------------------------------------------------------------
 
 ipchains -A output -i $EXTERNAL_INTERFACE -p tcp \
          -s $IPADDR $UNPRIVPORTS \
          -d $ANYWHERE 443 -j ACCEPT
 
 ipchains -A input -i $EXTERNAL_INTERFACE -p tcp ! -y \
          -s $ANYWHERE 443 \
          -d $IPADDR $UNPRIVPORTS -j ACCEPT
 
 #  #  #  # PETAR'S MODIFICATIONS:
 #  #  #  # NOT IMPLEMENTED
 #  #  #  # HTTPS (443) - Allowing Remote Access to a Local SSL Web Server
 #  #  #  # --------------------------------------------------------------
 #  #  #  
 #  #  #  ipchains -A input  -i $EXTERNAL_INTERFACE -p tcp \
 #  #  #           -s $ANYWHERE $UNPRIVPORTS \
 #  #  #           -d $IPADDR 443 -j ACCEPT
 #  #  #  
 #  #  #  ipchains -A output -i $EXTERNAL_INTERFACE -p tcp ! -y \
 #  #  #           -s $IPADDR 443 \
 #  #  #           -d $ANYWHERE $UNPRIVPORTS -j ACCEPT
 
 # --------------------------------------------------------------------
 
 # HTTP Proxy client (8008/8080)
 # -----------------------------
 
 ipchains -A output -i $EXTERNAL_INTERFACE -p tcp \
          -s $IPADDR $UNPRIVPORTS \
          -d $WEB_PROXY_SERVER $WEB_PROXY_PORT -j ACCEPT
 
 ipchains -A input -i $EXTERNAL_INTERFACE -p tcp ! -y \
          -s $WEB_PROXY_SERVER $WEB_PROXY_PORT \
          -d $IPADDR $UNPRIVPORTS -j ACCEPT
 
 # --------------------------------------------------------------------
 
 # FINGER (79) - Accessing Remote finger Servers as a Client
 # ---------------------------------------------------------
 
 ipchains -A output -i $EXTERNAL_INTERFACE -p tcp \
          -s $IPADDR $UNPRIVPORTS \
          -d $ANYWHERE 79 -j ACCEPT
 
 ipchains -A input -i $EXTERNAL_INTERFACE -p tcp ! -y \
          -s $ANYWHERE 79 \
          -d $IPADDR $UNPRIVPORTS -j ACCEPT
 
 #  #  #  # PETAR'S MODIFICATIONS:
 #  #  #  # NOT IMPLEMENTED
 #  #  #  # FINGER (79) - Allowing Remote Client Access to a Local finger Server
 #  #  #  # --------------------------------------------------------------------
 #  #  #  
 #  #  #  ipchains -A input  -i $EXTERNAL_INTERFACE -p tcp \
 #  #  #           -s <my.finger.clients> $UNPRIVPORTS \
 #  #  #           -d $IPADDR 79 -j ACCEPT
 #  #  #  
 #  #  #  ipchains -A output -i $EXTERNAL_INTERFACE -p tcp ! -y \
 #  #  #           -s $IPADDR 79 \
 #  #  #           -d <my.finger.clients> $UNPRIVPORTS -j ACCEPT
 
 # --------------------------------------------------------------------
 
 # WHOIS client (43)
 # -----------------
 ipchains -A output -i $EXTERNAL_INTERFACE -p tcp \
          -s $IPADDR $UNPRIVPORTS \
          -d $ANYWHERE 43 -j ACCEPT
          
 ipchains -A input -i $EXTERNAL_INTERFACE -p tcp ! -y \
          -s $ANYWHERE 43 \
          -d $IPADDR $UNPRIVPORTS -j ACCEPT
 # --------------------------------------------------------------------
 
 # Gopher client (70)
 # ------------------
 
 ipchains -A output -i $EXTERNAL_INTERFACE -p tcp \
          -s $IPADDR $UNPRIVPORTS \
          -d $ANYWHERE 70 -j ACCEPT
          
 ipchains -A input -i $EXTERNAL_INTERFACE -p tcp ! -y \
          -s $ANYWHERE 70 \
          -d $IPADDR $UNPRIVPORTS -j ACCEPT
 
 # --------------------------------------------------------------------
 
 # WAIS client (210)
 # -----------------
 
 ipchains -A output -i $EXTERNAL_INTERFACE -p tcp \
          -s $IPADDR $UNPRIVPORTS \
          -d $ANYWHERE 210 -j ACCEPT
          
 ipchains -A input -i $EXTERNAL_INTERFACE -p tcp ! -y \
          -s $ANYWHERE 210 \
          -d $IPADDR $UNPRIVPORTS -j ACCEPT
 
 # --------------------------------------------------------------------
 # UDP accept only on selected ports
 
 # TRACEROUTE
 # traceroute usually uses -S 32769:65535 -D 33434:33523
 # -----------------------------------------------------
 
 # Enabling Outgoing traceroute Requests
 # -------------------------------------
 
 ipchains -A output -i $EXTERNAL_INTERFACE -p udp \
          -s $IPADDR $TRACEROUTE_SRC_PORTS \
          -d $ANYWHERE $TRACEROUTE_DEST_PORTS -j ACCEPT
 
 # incoming query from the ISP.
 # All others are denied by default.
 # ---------------------------------
 
 ipchains -A input -i $EXTERNAL_INTERFACE -p udp \
          -s $MY_ISP 32769:65535 \
          -d $IPADDR 33434:33523 -j ACCEPT
 
 # --------------------------------------------------------------------
 
 #  #  #  # PETAR'S MODIFICATIONS:
 #  #  #  # NOT IMPLEMENTED
 #  #  #  # NTP (123) - Accessing Remote Network Time Servers
 #  #  #  # -------------------------------------------------
 #  #  #  
 #  #  #  ipchains -A output -i $EXTERNAL_INTERFACE -p udp \
 #  #  #           -s $IPADDR $UNPRIVPORTS \
 #  #  #           -d <my.time.provider> 123 -j ACCEPT
 #  #  #
 #  #  #  # REPLACE <my.time.provider> WITH IP ADDRESS OF 
 #  #  #  # <my.time.provider>
 #  #  #           
 #  #  #  ipchains -A input  -i $EXTERNAL_INTERFACE -p udp \
 #  #  #           -s <my.time.provider> 123 \
 #  #  #           -d $IPADDR $UNPRIVPORTS -j ACCEPT
 #  #  #  
 #  #  #  ipchains -A output -i $EXTERNAL_INTERFACE -p udp \
 #  #  #           -s $IPADDR 123 \
 #  #  #           -d <my.time.provider> 123 -j ACCEPT
 #  #  #           
 #  #  #  ipchains -A input  -i $EXTERNAL_INTERFACE -p udp \
 #  #  #           -s <my.time.provider> 123 \
 #  #  #           -d $IPADDR 123 -j ACCEPT
 
 # --------------------------------------------------------------------
 # Unlimited traffic within the local network.
 
 # All internal machines have access to the firewall machine.
 # Change this to restrict specific LAN clients
 
 ipchains -A input  -i $LAN_INTERFACE_1 \
          -s $LAN_1 -j ACCEPT
 
 ipchains -A output -i $LAN_INTERFACE_1 \
          -d $LAN_1 -j ACCEPT
 
 # --------------------------------------------------------------------
 # Masquerade internal traffic.
 
 # This allows packet forwarding
 echo 1 > /proc/sys/net/ipv4/ip_forward 
 
 # All internal traffic is masqueraded externally.
 # Change this to restrict specific LAN clients
 # e.g. if a user is using icq to transfer GB of MP3s you could cut out
 # the icq traffic (which it is not allowed now)
 
 ipchains -A forward -i $EXTERNAL_INTERFACE -s $LAN_1 -j MASQ
 
 # --------------------------------------------------------------------
 
 # This is one of the functions provided in /etc/rc.d/init.d/functions it
 # gives a nice green [OK] when the firewall script has reached this point
 
 success "firewall startup"
 
 echo
 
 exit 0
 

(C) 2001 Petar Knezevich

Disclaimer

Every attempt has been made to ensure that the information presented in this mini-HOWTO is safe and accurate. However, this information is given without any warranty, either expressed or implied, as to its suitability for a particular use. It is generally considered a GoodThing(TM) to make backups of your system files before changing system configurations and/or files. I suggest you take this precaution "just in case".