FreeS/WAN and firewalls

FreeS/WAN, or other IPSEC implementations, frequently run on gateway machines, the same machines running firewall or packet filtering code. This document discusses the relation between the two.

IPSEC packet types

IPSEC uses three main types of packet: IKE key negotiation traffic, carried on UDP port 500, and the two IPSEC packet formats themselves, ESP (Encapsulating Security Payload, IP protocol 50) and AH (Authentication Header, IP protocol 51).

The protocol numbers 50 and 51 are used in the "next protocol" field of the IP header. On most non-IPSEC packets, that field names the transport protocol that follows the IP header, such as TCP or UDP. These fields form a kind of linked list, each header naming the one that follows it, and IPSEC adds additional entries to that list. IPSEC allows various combinations of these to match local policies, including combinations that use both AH and ESP headers or that nest multiple copies of these headers.

For example, suppose my employer has an IPSEC VPN running between two offices so all packets travelling between the gateways for those offices are encrypted. If gateway policies allow it (the admins could block UDP 500 and protocols 50 and 51 to disallow it), I can build an IPSEC tunnel from my desktop to a machine in some remote office. Those packets will have one ESP header throughout their life, for my end-to-end tunnel. For part of the route, however, they will also have another ESP layer for the corporate VPN's encapsulation. On the Internet, then, such a packet carries the corporate VPN's ESP header outermost, with my end-to-end ESP header and the original packet nested inside it.

Filtering rules for IPSEC packets

As a consequence of the above, an IPSEC gateway should have packet filters that allow the following when talking to other IPSEC gateways: UDP port 500 (IKE), IP protocol 50 (ESP) and IP protocol 51 (AH).

These packets should be both sendable and receivable on the interface that communicates with the other gateway.

It is probably a good idea in many cases to restrict them so that these packets are accepted only from known gateways. This reduces the risk of a denial of service attack on your gateway. However, using such restrictions may not be possible if you are supporting "road warriors", since you do not know their IP addresses. Also, such restrictions will be a good idea for far fewer situations once opportunistic encryption becomes available.
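As an added illustration (not code from the FreeS/WAN documentation or project), the following Python walks the "next protocol" chain of constructed packets and applies the input policy just described: IKE on UDP 500, ESP and AH, accepted only from known gateways. The gateway addresses and SPIs are made-up sample values.

```python
import struct

PROTO_ICMP, PROTO_TCP, PROTO_UDP, PROTO_ESP, PROTO_AH = 1, 6, 17, 50, 51
IKE_PORT = 500
NAMES = {PROTO_ICMP: "ICMP", PROTO_TCP: "TCP", PROTO_UDP: "UDP",
         PROTO_ESP: "ESP", PROTO_AH: "AH"}


def ip(addr):
    """Dotted quad -> 4 bytes."""
    return bytes(int(o) for o in addr.split("."))


def ipv4_header(src, dst, proto, payload_len):
    """Minimal 20-byte IPv4 header; checksum left zero (constructed sample)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64,
                       proto, 0, ip(src), ip(dst))


def ah_header(next_proto, spi, seq, icv):
    """AH: next header, payload length (32-bit words minus 2), reserved, SPI, seq, ICV."""
    return struct.pack("!BBHII", next_proto, (12 + len(icv)) // 4 - 2, 0, spi, seq) + icv


def esp_header(spi, seq, ciphertext):
    """ESP: SPI and sequence number in the clear, everything after them opaque."""
    return struct.pack("!II", spi, seq) + ciphertext


def udp_header(sport, dport, payload):
    return struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload


def header_chain(packet):
    """Follow the "next protocol" links from the IP header inward.

    Returns [("IP", src), (name, detail), ...].  AH headers can be stepped
    over because their length and next-header fields are in the clear; an ESP
    header ends the walk because what follows it is encrypted, which is why a
    firewall sees an ESP packet as opaque.
    """
    chain = [("IP", ".".join(str(b) for b in packet[12:16]))]
    proto, off = packet[9], (packet[0] & 0x0F) * 4
    while True:
        if proto == PROTO_AH:
            nxt, plen, _, spi, _seq = struct.unpack_from("!BBHII", packet, off)
            chain.append(("AH", spi))
            proto, off = nxt, off + (plen + 2) * 4
        elif proto == PROTO_ESP:
            chain.append(("ESP", struct.unpack_from("!I", packet, off)[0]))
            return chain
        elif proto == PROTO_UDP:
            chain.append(("UDP", struct.unpack_from("!HH", packet, off)[1]))
            return chain
        else:
            chain.append((NAMES.get(proto, str(proto)), None))
            return chain


def gateway_input_policy(packet, known_gateways):
    """Input filter for the public interface of an IPSEC gateway.

    ACCEPT IKE (UDP 500), ESP (50) and AH (51) only from known gateways;
    REJECT everything else, including IPSEC traffic from unknown sources
    (the restriction the text recommends where no road warriors are served).
    """
    chain = header_chain(packet)
    if chain[0][1] not in known_gateways:
        return "REJECT"
    outer = chain[1]
    if outer[0] in ("ESP", "AH") or outer == ("UDP", IKE_PORT):
        return "ACCEPT"
    return "REJECT"


def sample_packets():
    """Constructed packets, as the gateway's public interface would see them."""
    ike = udp_header(IKE_PORT, IKE_PORT, b"\x00" * 28)
    esp = esp_header(0x1001, 7, b"\xaa" * 40)                 # payload opaque
    ah_then_esp = ah_header(PROTO_ESP, 0x2002, 3, b"\x11" * 12) + esp
    tcp = struct.pack("!HHIIBBHHH", 1234, 22, 0, 0, 0x50, 0x02, 0, 0, 0)
    return {
        "ike_from_peer": ipv4_header("192.0.2.1", "192.0.2.2", PROTO_UDP, len(ike)) + ike,
        "esp_from_peer": ipv4_header("192.0.2.1", "192.0.2.2", PROTO_ESP, len(esp)) + esp,
        "ah_esp_from_peer": ipv4_header("192.0.2.1", "192.0.2.2", PROTO_AH,
                                        len(ah_then_esp)) + ah_then_esp,
        "esp_from_stranger": ipv4_header("203.0.113.9", "192.0.2.2", PROTO_ESP,
                                         len(esp)) + esp,
        "ssh_from_peer": ipv4_header("192.0.2.1", "192.0.2.2", PROTO_TCP, len(tcp)) + tcp,
    }


if __name__ == "__main__":
    for name, pkt in sample_packets().items():
        print(f"{name:18} {header_chain(pkt)} -> {gateway_input_policy(pkt, {'192.0.2.1'})}")
```

Note that the nested double-ESP packet from the VPN example above would show up here as a single ESP entry: the inner tunnel's header is inside the outer ciphertext and invisible to the filter.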

ipsec.conf(5) and firewalling

The ipsec.conf configuration file has two pairs of parameters used to specify an interface between FreeS/WAN and firewalling code:

leftfirewall=
rightfirewall=
        indicates that the gateway is doing firewalling and that pluto(8) should poke holes in the firewall as required. To do this, pluto calls our default script _updown with appropriate arguments whenever it prepares, routes, unroutes, brings up or takes down a connection (the PLUTO_VERB values handled in the example updown script later in this document). The default _updown script is appropriate for simple cases using the ipfwadm firewalling package.

leftupdown=
rightupdown=
        specifies a script to call instead of our default script _updown. This gives you full control via a suitable user-written script.

Your script should take the same arguments and use the same environment variables as _updown. These are described in the pluto(8) man page.

Note that only one of [left|right]firewall=yes and [left|right]updown= should be used; you cannot sensibly use both.

DHR on updown

Here are some mailing list comments from pluto(8) developer Hugh Redelmeier on an earlier draft of this document:

There are many important things left out

- firewalling is important but must reflect (implement) policy.  Since
  policy isn't the same for all our customers, and we're not experts,
  we should concentrate on FW and MASQ interactions with FreeS/WAN.

- we need a diagram to show packet flow WITHIN ONE MACHINE, assuming
  IKE, IPsec, FW, and MASQ are all done on that machine.  The flow is
  obvious if the components are run on different machines (trace the
  cables).

  IKE input:
        + packet appears on public IF, as UDP port 500
        + input firewalling rules are applied (may discard)
        + Pluto sees the packet.

  IKE output:
        + Pluto generates the packet & writes to public IF, UDP port 500
        + output firewalling rules are applied (may discard)
        + packet sent out public IF

  IPsec input, with encapsulated packet, outer destination of this host:
        + packet appears on public IF, protocol 50 or 51.  If this
          packet is the result of decapsulation, it will appear
          instead on the paired ipsec IF.
        + input firewalling rules are applied (but packet is opaque)
        + KLIPS decapsulates it, writes result to paired ipsec IF
        + input firewalling rules are applied to resulting packet
          as input on ipsec IF
        + if the destination of the packet is this machine, the
          packet is passed on to the appropriate protocol handler.
          If the original packet was encapsulated more than once
          and the new outer destination is this machine, that
          handler will be KLIPS.
        + otherwise:
          * routing is done for the resulting packet.  This may well
            direct it into KLIPS for encoding or encrypting.  What
            happens then is described elsewhere.
          * forwarding firewalling rules are applied
          * output firewalling rules are applied
          * the packet is sent where routing specified

  IPsec input, with encapsulated packet, outer destination of another host:
        + packet appears on some IF, protocol 50 or 51
        + input firewalling rules are applied (but packet is opaque)
        + routing selects where to send the packet
        + forwarding firewalling rules are applied (but packet is opaque)
        + packet forwarded, still encapsulated

  IPsec output, from this host or from a client:
        + if from a client, input firewalling rules are applied as the
          packet arrives on the private IF
        + routing directs the packet to an ipsec IF (this is how the
          system decides KLIPS processing is required)
        + if from a client, forwarding firewalling rules are applied
        + KLIPS eroute mechanism matches the source and destination
          to registered eroutes, yielding a SPI group.  This dictates
          processing, and where the resulting packet is to be sent
          (the destination's SG and the nexthop).
        + output firewalling is not applied to the resulting
          encapsulated packet

- Until quite recently, KLIPS would double encapsulate packets that
  didn't strictly need to be.  Firewalling should be prepared for
  those packets showing up as ESP and AH protocol input packets on
  an ipsec IF.

- MASQ processing seems to be done as if it were part of the
  forwarding firewall processing (this should be verified).

- If a firewall is being used, it is likely the case that it needs to
  be adjusted whenever IPsec SAs are added or removed.  Pluto invokes
  a script to do this (and to adjust routing) at suitable times.  The
  default script is only suitable for ipfwadm-managed firewalls.  Under
  LINUX 2.2.x kernels, ipchains can be managed by ipfwadm (emulation),
  but ipchains is more powerful if manipulated using the ipchains command.
  In this case, a custom updown script must be used.

  We think that the flexibility of ipchains precludes us supplying an
  updown script that would be widely appropriate.

We do provide a sample script in the next section. It is essentially a transliteration of the version we supply for ipfwadm. Because it does not process the command line argument, it cannot be directly substituted for the default _updown script -- it will not support the semantics of *firewall=no. It can be used in [left|right]updown=.

Example updown script for ipchains

Here is an example updown script for use with ipchains. It is intended to be called via an updown= statement in ipsec.conf.

#! /bin/sh
# sample updown script for ipchains
# Copyright (C) 2000  D. Hugh Redelmeier, Henry Spencer
# 
# This program is free software; you can redistribute it and/or modify it
# under the terms of the GNU General Public License as published by the
# Free Software Foundation; either version 2 of the License, or (at your
# option) any later version.  See .
# 
# This program is distributed in the hope that it will be useful, but
# WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
# or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
# for more details.
#
# RCSID $Id: firewall.html,v 1.10 2000/03/16 04:50:53 sandy Exp $

# check interface version
case "$PLUTO_VERSION" in
1.0)    ;;
*)      echo "$0: unknown interface version \`$PLUTO_VERSION'" >&2
        exit 2
        ;;
esac

# check parameter(s)
case "$*" in
'')     ;;
*)      echo "$0: parameters unexpected" >&2
        exit 2
        ;;
esac

# utility functions for route manipulation
# Meddling with this stuff should never be necessary and is most unwise.
uproute() {
        route add -net $PLUTO_PEER_CLIENT_NET netmask $PLUTO_PEER_CLIENT_MASK \
                dev $PLUTO_INTERFACE gw $PLUTO_NEXT_HOP
}
downroute() {
        route del -net $PLUTO_PEER_CLIENT_NET netmask $PLUTO_PEER_CLIENT_MASK \
                dev $PLUTO_INTERFACE gw $PLUTO_NEXT_HOP
}

# the big choice
case "$PLUTO_VERB" in
prepare-host|prepare-client)
        # delete possibly-existing route (preliminary to adding a route)
        oops="`route del -net $PLUTO_PEER_CLIENT_NET \
                                        netmask $PLUTO_PEER_CLIENT_MASK 2>&1`"
        status="$?"
        if test " $oops" = " " -a " $status" != " 0"
        then
                oops="silent error in route command, exit status $status"
        fi
        case "$oops" in
        'SIOCDELRT: No such process')
                # This is what route (currently -- not documented!) gives
                # for "could not find such a route".
                status=0
                ;;
        esac
        exit $status
        ;;
route-host|route-client)
        # connection to this host or client being routed
        uproute
        ;;
unroute-host|unroute-client)
        # connection to this host or client being unrouted
        downroute
        ;;
up-host)
        # connection to this host coming up
        ;;
down-host)
        # connection to this host going down
        ;;
up-client)
        # connection to client subnet, through forwarding firewall, coming up
        ipchains -I forward -j ACCEPT -b \
                -s $PLUTO_MY_CLIENT_NET/$PLUTO_MY_CLIENT_MASK \
                -d $PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK
        ;;
down-client)
        # connection to client subnet, through forwarding firewall, going down
        ipchains -D forward -j ACCEPT -b \
                -s $PLUTO_MY_CLIENT_NET/$PLUTO_MY_CLIENT_MASK \
                -d $PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK
        ;;
*)      echo "$0: unknown verb \`$PLUTO_VERB' or parameter \`$1'" >&2
        exit 1
        ;;
esac

IPSEC and NAT

Network Address Translation is a method of allocating IP addresses dynamically, typically in circumstances where the total number of machines which need to access the Internet exceeds the supply of IP addresses.

NAT and IPSEC have a basic conflict in some situations. NAT wants to rewrite packet headers as they go by, but IPSEC wants to authenticate them on an end-to-end basis, and the authentication fails if they are rewritten somewhere along the line.

This problem can be avoided by having the IPSEC gateway on the Internet side of the machine which handles NAT. This can be done physically with two machines, or logically with one machine performing both functions.

Avoid trying to build IPSEC connections which pass through a NAT machine. It is possible to make this work sometimes, but it cannot be done entirely reliably.
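An added example (not FreeS/WAN or KLIPS code) of why NAT and AH conflict: the AH integrity check covers the source and destination addresses but skips mutable fields such as TTL, so an ordinary router hop survives verification while a NAT rewrite of the source address does not. The key, addresses and payload are constructed sample values; the HMAC-SHA1-96 ICV and the mutable-field set follow RFC 2402.

```python
import hashlib
import hmac
import struct

PROTO_AH, PROTO_UDP = 51, 17
ICV_LEN = 12  # HMAC-SHA1-96 truncates the HMAC to 96 bits


def ip(addr):
    return bytes(int(o) for o in addr.split("."))


def ipv4_header(src, dst, proto, payload_len, ttl=64):
    """Minimal 20-byte IPv4 header (checksum left zero; constructed sample)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, ttl,
                       proto, 0, ip(src), ip(dst))


def ah_icv(key, ip_hdr, ah_hdr, payload):
    """ICV as AH computes it: over the IP header with the mutable fields zeroed,
    the AH header with its own ICV field zeroed, and the payload.
    Source and destination addresses are NOT mutable, so they are covered."""
    h = bytearray(ip_hdr)
    h[1] = 0                 # TOS
    h[6:8] = b"\0\0"         # flags + fragment offset
    h[8] = 0                 # TTL: routers decrement it, so AH ignores it
    h[10:12] = b"\0\0"       # header checksum
    data = bytes(h) + ah_hdr[:12] + b"\0" * ICV_LEN + payload
    return hmac.new(key, data, hashlib.sha1).digest()[:ICV_LEN]


def build_ah_packet(key, src, dst, payload, spi=0x1234, seq=1):
    """IP | AH | payload, transport mode, with the payload nominally UDP."""
    ah_fixed = struct.pack("!BBHII", PROTO_UDP, (12 + ICV_LEN) // 4 - 2, 0, spi, seq)
    ip_hdr = ipv4_header(src, dst, PROTO_AH, 12 + ICV_LEN + len(payload))
    return ip_hdr + ah_fixed + ah_icv(key, ip_hdr, ah_fixed, payload) + payload


def verify_ah(key, packet):
    """What the receiving IPSEC peer does: recompute and compare the ICV."""
    ip_hdr, ah_fixed = packet[:20], packet[20:32]
    icv, payload = packet[32:32 + ICV_LEN], packet[32 + ICV_LEN:]
    return hmac.compare_digest(icv, ah_icv(key, ip_hdr, ah_fixed, payload))


def router_hop(packet):
    """An ordinary router decrements the TTL: a mutable field, so AH tolerates it."""
    return packet[:8] + bytes([packet[8] - 1]) + packet[9:]


def nat_rewrite_source(packet, public_addr):
    """A NAT box replaces the private source address with its public one."""
    return packet[:12] + ip(public_addr) + packet[16:]


if __name__ == "__main__":
    key = b"constructed-demo-key"
    pkt = build_ah_packet(key, "192.168.0.20", "192.0.2.1", b"hello")
    print("as sent:        ", verify_ah(key, pkt))
    print("after a router: ", verify_ah(key, router_hop(pkt)))
    print("after NAT:      ", verify_ah(key, nat_rewrite_source(pkt, "198.51.100.7")))
```

The last case is the configuration the text recommends: if the IPSEC endpoint already sits on the public side of the NAT, the packet is authenticated with its public source address and nothing downstream rewrites it.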

Example ipchains firewall configuration

Here is one user's (Rob Hutton) firewall configuration, as posted to the mailing list. It is in two files: the script rc.firewall and the data file firewall.conf.

Note that this is quite a different approach from using the [left|right]updown= parameter in ipsec.conf to have pluto control parts of the firewalling code. These scripts set up both firewalling and IPSEC and do not expect [left|right]updown= to be used.

These scripts are based on David Ranch's scripts for his "Trinity OS" for setting up a secure Linux. Check his home page for the latest version and information on his book on securing Linux.

File rc.firewall

#!/bin/sh
#--------------------------------------------------------------------
# Custom version of the TrinityOS Firewall Script, modified to be configured
# by /etc/firewall.conf and with support added for FreeS/WAN
#--------------------------------------------------------------------
# Author: David A. Ranch 
# v3.20
#
# -------------------------------------------------------------------
#   You can get this file at:
#
#       http://www.ecst.csuchico.edu/~dranch/LINUX/TrinityOS-files/rc.firewall-3.20-TrinityOS
# -------------------------------------------------------------------
#
# History:
#
# v3.20 - (9/26/99)
#
#       *CRITICAL* The ordering of the ACCEPT of the HIGH PORTS in the
#                  output ruleset are WRONG!!  Moved them to be AFTER
#                  all the various REJECT lines but before the final
#                  output reject.
#
#       Several comment additions
#
#       Changed the DGW variable to EXTGW, added the XWINDOWS_PORTS
#
#       Put a copy of the actual firewall ruleset up on the WWW site
#
# --
#
# v3.13 - (9/20/99)
#         Added a commented FORWARD ruleset to support Diald users that
#               have a SL0 slip interface
#
# --
#
# v3.12 - (9/14/99)
#         Very minor: Aligned the IP examples with the TrinityOS 
#           search/replace section.  
#
#         Fixed the IPCHAINS ruleset to use the $EXTIF variable when doing the
#               dynamic EXTBROAD variable.  It was hard coded to ETH1.  
#
#         Added additional explicit OUTPUT filters for NetBus Pro, Win Crash,
#               Socket De Troye, and the Unknown Trojan Horse (Master's Paradise
#               [CHR]) trojans in the OUTPUT filter of the IPCHAINS ruleset.
# --
#
# v3.11 - (9/8/99)
#         Enabled external DHCP client access per default for cablemodem
#           and DSL users.  This change involves enabling both INPUT and
#           OUTPUT rules.
# --
#
# v3.10 (9/7/99)
#         - Enabled SYN checking on all HIGH ports.  This is VERY important
#               and I recommend ALL users to use this newer ruleset.
#
#         - Fixed the syntax of the disabled "ipmasqadm portfw" command
#         - Added the enabling of all "rp_filter" anti-IP spoofing mechanisms
#
# v3.00 - Cleaned up parts of the ruleset and re-ordered parts of it
#
# v2.97 - Fixed a typo in the IPCHAINS port that named the external 
#               interface's IP address variable "EXITIP" instead of 
#               the correct "EXTIP".
#
# v2.96 - Some minor formatting changes
#
#       - Changed David's C.'s default behavior of external NIC 
#         having DHCPed IP addresses to STATIC IPs
#
#       - *IMPORTANT* 
#         Added blurbs and scripts in the EXTIP, EXTBROAD, and DGW variable areas that 
#         DHCP users should use "dhcpcd" with the -c option to re-run 
#         the ruleset upon lease renews.  It is also mentioned that both
#         DHCP and PPP users need to get their EXTBROAD and DGW addresses
#         dynamically.
# 
#       - Changed the debug system to re-create the debug log each time
#         (removed one of the >'s at the top of the debug setup) 
#
#       - Updated the original IPCHAINS port ruleset to v2.95
#
# -----
#
# v1.01 - Remove row with just -o.
#       - Replace -o with $LOGGING.
#       - Use service names instead of service numbers.
#       - Remove rows that appear to give full access to all protocols.
#       - Add logging option variable.
#       - Make the order a bit more logical.
#
# v1.00 - Original TrinityOS v2.94 firewall port of TrinityOS ruleset 
#           from David Cittadini
#
#--------------------------------------------------------------------
# This configuration assumes the following (DSL / Cablemodem setup):
#
#       1) The external interface is running on "eth0"
#       2) The external IP address is dynamically assigned
#       3) The internal IP Masqueraded network interface is "eth1"
#       4) The internal network is addressed within the private 
#           192.168.0.x TCP/IP addressing scheme per RFC1918
#
#   ****
#   NOTE:  All 2.2.x Linux kernels prior to 2.2.11 have a fragmentation 
#   ****   bug that renders all strong IPCHAINS rulesets void.  It
#          is CRITICAL that users upgrade the Linux kernel to 2.2.11+
#          for proper firewall security.
#
#--------------------------------------------------------------------

#********************************************************************
# Initializing
#********************************************************************
echo -e "\n\nLoading IPCHAINS Firewall Version 3.20"
echo "----------------------------------------------------------------------"

# Load the configuration
[ -f /etc/firewall.conf ] || exit 0
. /etc/firewall.conf

# The loopback interface and address

if [ "$LOOPBACKIP" = "auto" ]; then
  echo -e "- Auto detecting loopback interface IP..."
  LOOPBACKIP=`/sbin/ifconfig | grep -A 4 $LOOPBACKIF | awk '/inet/ { print $2 } ' | sed -e s/addr://`
  echo $LOOPBACKIP
fi

# External interface device.  
#
# NOTE: PPP and SLIP users will want to replace this interface
#       with the correct modem interface such as "ppp0" or "sl0"
#
# IP address of the external interface
#
# NOTE: Red Hat users of DHCP to get TCP/IP addresses (Cablemodems, DSL, etc)
#       will need to install and use a different DHCP client than the stock
#       client called "pump".  One recommended DHCP client is called "dhcpcd"
#       and can be found in Appendix A.
#
#       The stock Red Hat DHCP client doesn't allow the ability to have scripts
#       run when DHCP gets a TCP/IP address.  Specifically, DHCP doles out
#       TCP/IP addresses to its clients for a limited amount of time; this is
#       called a "lease".  When a DHCP lease expires, the client will query the
#       DHCP server for a lease renewal.  Though the DHCP client will usually
#       get back its original TCP/IP address, this is NOT always guaranteed.
#       With this understood, if you receive a different TCP/IP address than
#       the IPCHAINS firewall was configured for, the firewall will block ALL
#       network access in and out of the Linux server because that was what it
#       was configured to do.
#
#       As mentioned above, the key to solve this problem is to use a DHCP
#       client program that can re-run the /etc/rc.d/rc.firewall ruleset once a
#       new TCP/IP address is set.  The new ruleset will make the required
#       changes to the rulesets to allow network traffic from and to your new
#       TCP/IP address.
#
#       With the dhcpcd program, it will need to be executed with the following
#       command line option to have the firewall ruleset re-run upon every DHCP
#       lease renew:
#
#              -c /etc/rc.d/rc.firewall
#
# Static TCP/IP addressed users: For EXTIP, EXTBROAD, and DEFAULTGW, simply replace
# the pipelines with your correct TCP/IP address, broadcast address, and
# external gateway, respectively.
#
# eg:   EXTIP="100.200.0.212"
#
if [ "$EXTIP" = "auto" ]; then
  echo -e "- Auto detecting External interface IP..."
  EXTIP=`/sbin/ifconfig | grep -A 4 $EXTIF | awk '/inet/ { print $2 } ' | sed -e s/addr://`
  echo $EXTIP
fi

# Broadcast address of the external network
#
# Static TCP/IP addressed users:  
#
# Simply delete all of the text and including the single quotes and
# replace it with your correct TCP/IP broadcast address enclosed in double
# quotes.
#
# eg:   EXTBROAD="100.200.0.255"
#
if [ "$EXTBROAD" = "auto" ]; then
  echo -e "- Auto detecting External broadcast address..."
  EXTBROAD=`/sbin/ifconfig | grep -A 1 $EXTIF | awk '/Bcast/ { print $3 }' | sed -e s/Bcast://`
  echo $EXTBROAD
fi

# Gateway for the external network
#
# Static TCP/IP addressed users:  
#
# Simply delete all of the text and including the single quotes and
# replace it with your correct TCP/IP default gateway or "next hop
# address".
#
# eg:   DEFAULTGW="100.200.0.1"
#
if [ "$DEFAULTGW" = "auto" ]; then
  echo -e "- Auto detecting default gateway...."
  DEFAULTGW=`/sbin/route  | grep default | awk '{ print $2}'`
  echo $DEFAULTGW
fi

# IP address on the internal interface
if [ "$INTIP" = "auto" ]; then
  echo -e "- Auto detecting Internal interface IP..."
  INTIP=`/sbin/ifconfig | grep -A 4 $INTIF | awk '/inet/ { print $2 } ' | sed -e s/addr://`
  echo $INTIP
fi

# Netmask of internal interface to calculate internal network
if [ "$INTNM" = "auto" ]; then
  echo -e "- Auto detecting internal netmask..."
  INTNM=`/sbin/ifconfig | grep -A 4 $INTIF | awk '/inet/ { print $4 } ' | sed -e s/Mask://`
  echo $INTNM
fi

# IP network address of the internal network
if [ "$INTLAN" = "auto" ]; then
  echo -e "- Auto calculating address of internal network..."
  INTLAN=`/bin/ipcalc --network $INTIP $INTNM | sed -e s/NETWORK=//`
  echo $INTLAN
fi

# IP Port Forwarded Addresses
#
# IP address of an internal host that should have external traffic forwarded to
# Port forwarding allows external traffic to directly connect to an INTERNAL
# Masq'ed machine. An example need for port forwarding is the need for external
# users to directly contact a WWW server behind the MASQ server.
#
# NOTE: Port forwarding is well beyond the scope of this documentation to
#       explain the security issues implied in opening up access like this.
#       Please see Appendix A to find the IP-MASQ-HOWTO for a full explanation.
#
# Disabled by default.
#PORTFWIP="192.168.0.20"

# IP Mask for all IP addresses
UNIVERSE="0.0.0.0/0"

# IP Mask for broadcast transmissions
BROADCAST="255.255.255.255"

# Specification of the high unprivileged IP ports.
UNPRIVPORTS="1024:65535"

# Specification of X Window System (TCP) ports.
XWINDOWS_PORTS="6000:6010"         

# Logging state.  
#
# Uncomment the " " line and comment the "-l" line if you want to
# disable logging of some of the more important IPCHAINS rulesets.
#
# The output of this logging can be found in the /var/log/messages 
# file.  It is recommended that you leave this setting enabled.  
# If you need to reduce some of the logging, edit the rulesets and 
# delete the "$LOGGING" syntax from the ruleset that you aren't 
# interested in.
#
# LOGGING=" "
LOGGING="-l"

#--------------------------------------------------------------------
# Debugging Section
#--------------------------------------------------------------------
# If you are having problems with the firewall, uncomment the lines 
# below and then re-run the firewall to make sure that the firewall 
# is not giving any errors, etc.  The output of this debugging 
# script will be in a file called /tmp/rc.firewall.dump
#--------------------------------------------------------------------
#
echo "Writing /tmp/rc.firewall.dump."
rm -f /tmp/rc.firewall.dump
echo Local TCP/IP Configuration from rc.firewall > /tmp/rc.firewall.dump
echo ----------------------------------------------------- >> /tmp/rc.firewall.dump
echo Loopback interface name: $LOOPBACKIF >> /tmp/rc.firewall.dump
echo Loopback IP: $LOOPBACKIP >> /tmp/rc.firewall.dump
echo ----------------------------------------------------- >> /tmp/rc.firewall.dump
echo Internal interface name: $INTIF >> /tmp/rc.firewall.dump
echo Internal interface IP: $INTIP >> /tmp/rc.firewall.dump
echo Internal LAN address: $INTLAN >> /tmp/rc.firewall.dump
echo ----------------------------------------------------- >> /tmp/rc.firewall.dump
echo External interface name: $EXTIF >> /tmp/rc.firewall.dump
echo External interface IP: $EXTIP >> /tmp/rc.firewall.dump
echo External interface broadcast IP: $EXTBROAD >> /tmp/rc.firewall.dump
echo _____________________________________________________ >> /tmp/rc.firewall.dump
echo Default gateway/route: $DEFAULTGW >> /tmp/rc.firewall.dump
echo ----------------------------------------------------- >> /tmp/rc.firewall.dump

echo Local TCP/IP Configuration from rc.firewall
echo -----------------------------------------------------
echo Loopback interface name: $LOOPBACKIF
echo Loopback IP: $LOOPBACKIP
echo -----------------------------------------------------
echo Internal interface name: $INTIF
echo Internal interface IP: $INTIP
echo Internal LAN address: $INTLAN
echo -----------------------------------------------------
echo External interface name: $EXTIF
echo External interface IP: $EXTIP
echo External interface broadcast IP: $EXTBROAD
echo _____________________________________________________
echo Default gateway/route: $DEFAULTGW
echo -----------------------------------------------------

#--------------------------------------------------------------------
# General
#--------------------------------------------------------------------
# Performs general processing such as setting the multicast route
# and DHCP address hacking.
#
# Multicast is a powerful, yet seldom used aspect of TCP/IP for multimedia
# data. Though it isn't used much now (because most ISPs don't enable multicast
# on their networks), it will be very common in a few more years. Check out
# www.mbone.com for more detail.
#
# Adding this feature is OPTIONAL.
#
# Disabled by default.
if [ "$EXTERNAL_MULTICAST" = "Y" ]; then
  echo "  - Adding multicast route."
  /sbin/route add -net 224.0.0.0 netmask 240.0.0.0 dev $EXTIF
fi


# Disable IP spoofing attacks.
#
# This drops traffic addressed for one network though it is being received on a
# different interface.
#
echo "  - Disabling IP Spoofing attacks."
for file in /proc/sys/net/ipv4/conf/*/rp_filter
do
 echo "1" > $file
done

# Comment the following out if you are not using a dynamic address
if [ "$EXTERNAL_DYNAMICIP" = "Y" ]; then
  echo "  - Enabling dynamic TCP/IP address hacking."
  echo "1" > /proc/sys/net/ipv4/ip_dynaddr
fi

#--------------------------------------------------------------------
# Masquerading Timeouts
#--------------------------------------------------------------------
# Set timeout values for masq sessions (seconds). 
#
# Item #1 - 2 hrs timeout for TCP session timeouts
# Item #2 - 10 sec timeout for traffic after the TCP/IP "FIN" packet is received
# Item #3 - 60 sec timeout for UDP traffic 
#
if [ "$MASQ" = "Y" ]; then
  echo "  - Changing IP masquerading timeouts."
  /sbin/ipchains -M -S 7200 10 60
fi

#--------------------------------------------------------------------
# Masq Modules 
#--------------------------------------------------------------------
# Most TCP/IP-enabled applications work fine behind a Linux IP
# Masquerade server.  But, some applications need a special 
# module to get their traffic in and out properly.
#
# Note: Some applications do NOT work through an IP Masquerade server at ALL,
#       such as any H.323-based program.  Please see the IP-MASQ HOWTO for more details.
#
# Note #2: Only uncomment the modules that you REQUIRE to be loaded.
#       The FTP module is loaded by default.
#--------------------------------------------------------------------
if [ "$MASQ" = "Y" ]; then
  echo "  - Loading masquerading modules."

  if [ "$MASQ_CUSEEME" = "Y" ]; then
    echo "    - Loading CUSEEME module."
    /sbin/modprobe ip_masq_cuseeme
  fi

  if [ "$MASQ_FTP" = "Y" ]; then
    echo "    - Loading FTP module."
    /sbin/modprobe ip_masq_ftp
  fi

  if [ "$MASQ_IRC" = "Y" ]; then
    echo "    - Loading IRC module."
    /sbin/modprobe ip_masq_irc 
  fi

  if [ "$MASQ_QUAKE" = "Y" ]; then
    echo "    - Loading Quake module."
    /sbin/modprobe ip_masq_quake
  fi

  if [ "$MASQ_RAUDIO" = "Y" ]; then
    echo "    - Loading Real Audio module."
    /sbin/modprobe ip_masq_raudio
  fi

  if [ "$MASQ_VDOLIVE" = "Y" ]; then
    echo "    - Loading VDO Live module."
    /sbin/modprobe ip_masq_vdolive
  fi
fi

#--------------------------------------------------------------------
# Default Policies
#--------------------------------------------------------------------
# Set all default policies to REJECT and flush all old rules.
#--------------------------------------------------------------------
echo "  - Flushing all old rules and setting all default policies to REJECT "

# Change default policies to REJECT.  
#
# We want to only EXPLICITLY allow what traffic is allowed IN and OUT of the
# firewall.  All other traffic will be implicitly blocked.
/sbin/ipchains -P input REJECT
/sbin/ipchains -P output REJECT
/sbin/ipchains -P forward REJECT

# Flush all old rulesets
/sbin/ipchains -F input
/sbin/ipchains -F output
/sbin/ipchains -F forward

#********************************************************************
# Input Rules
#********************************************************************
echo "----------------------------------------------------------------------"
echo "Input Rules:"

#--------------------------------------------------------------------
# Incoming Traffic on the Internal LAN
#--------------------------------------------------------------------
# This section controls the INPUT traffic allowed to flow within the internal
# LAN.  This means that all input traffic on the local network is valid.  If
# you want to change this default setting and only allow certain types of
# traffic within your internal network, you will need to comment this following
# line and configure individual ACCEPT lines for each TCP/IP address you want
# to let through.  A few example ACCEPT lines are provided below for
# demonstration purposes.
#
# Sometimes it is useful to allow TCP connections in one direction but not the
# other.  For example, you might want to allow connections to an external HTTP
# server but not connections from that server.  The naive approach would be to
# block TCP packets coming from the server. However, the better approach is to
# use the -y flag which will block only the packets used to request a
# connection.
#--------------------------------------------------------------------
echo "  - Setting input filters for traffic on the internal LAN."

# Local interface, local machines, going anywhere is valid.  
#
# Comment this line out if you want to only allow specific traffic on the
# internal network.
if [ "$INTERNAL_UNSECURE" = "Y" ]; then
   echo "  - Allow all traffic on internal interface $INTIF"
  /sbin/ipchains -A input -j ACCEPT -i $INTIF -s $INTLAN -d $UNIVERSE
fi

# Loopback interface is valid.
echo "  - Allow all traffic on loopback interface $LOOPBACKIF"
/sbin/ipchains -A input -j ACCEPT -i $LOOPBACKIF -s $UNIVERSE -d $UNIVERSE

############################################################################
# This is an example of how to let input traffic flow through the local 
# LAN if we have rejected all prior requests above.
#
#
# DHCP Server.  
#
# If you have configured a DHCP server on the Linux machine to serve IP 
# addresses to the internal network, you will need to enable this section. 
#
#
# Disabled by default
#/sbin/ipchains -A input -j ACCEPT -i $INTIF -p udp -s $UNIVERSE bootpc -d $BROADCAST/0 bootps
#/sbin/ipchains -A input -j ACCEPT -i $INTIF -p tcp -s $UNIVERSE bootpc -d $BROADCAST/0 bootps

#--------------------------------------------------------------------
# Explicit Access from Internal LAN Hosts
#--------------------------------------------------------------------
# This section is provided as an example of how to allow only SPECIFIC hosts on
# the internal LAN to access services on the firewall server.  Many people
# might feel that this is extreme but many system attacks occur from the
# INTERNAL networks.
#
# Examples given allow access via FTP, FTP-DATA, SSH, and TELNET. 
#
# In order for this ruleset to work, you must first comment out the line above
# that provides full access to the internal LAN by all internal hosts. You will
# then need to enable the lines below to allow any access at all.
#--------------------------------------------------------------------
#echo "  - Setting input filters for specific internal hosts."

# First allowed internal host to connect directly to the Linux server
#
# Disabled by default.
#/sbin/ipchains -A input -j ACCEPT -i $INTIF -p tcp -s $HOST1IP -d $INTIP ftp
#/sbin/ipchains -A input -j ACCEPT -i $INTIF -p tcp -s $HOST1IP -d $INTIP ftp-data
#/sbin/ipchains -A input -j ACCEPT -i $INTIF -p tcp -s $HOST1IP -d $INTIP ssh
#/sbin/ipchains -A input -j ACCEPT -i $INTIF -p tcp -s $HOST1IP -d $INTIP telnet

# Second allowed internal host to connect directly to the Linux server
#
# Disabled by default.
#/sbin/ipchains -A input -j ACCEPT -i $INTIF -p tcp -s $HOST2IP -d $INTIP ftp
#/sbin/ipchains -A input -j ACCEPT -i $INTIF -p tcp -s $HOST2IP -d $INTIP ftp-data
#/sbin/ipchains -A input -j ACCEPT -i $INTIF -p tcp -s $HOST2IP -d $INTIP ssh
#/sbin/ipchains -A input -j ACCEPT -i $INTIF -p tcp -s $HOST2IP -d $INTIP telnet
############################################################################


#--------------------------------------------------------------------
# Incoming Traffic from the External Interface
#--------------------------------------------------------------------
# This ruleset will control specific traffic that is allowed in from 
# the external interface.  
#--------------------------------------------------------------------
#
echo "  - Setting input filters for traffic from the external interface."

# Remote interface, claiming to be local machines, IP spoofing, get lost & log
echo "    - Reject and log spoofing."
/sbin/ipchains -A input -j REJECT -i $EXTIF -s $INTLAN -d $UNIVERSE $LOGGING

# IPSec VPN
#
# If you are using an IPSec VPN product, you will need to fill in the
# addresses of the remote gateways in the IPSECSG variable (firewall.conf).
# ESP is protocol 50; if AH (protocol 51) is also in use, add a matching
# rule for it.
for CURGW in $IPSECSG; do
  echo "    - Allow ISAKMP from $CURGW to external interface $EXTIF"
  /sbin/ipchains -A input -j ACCEPT -i $EXTIF -p udp -s $CURGW isakmp
  echo "    - Allow IPSEC protocol (ESP) from $CURGW on external interface $EXTIF"
  /sbin/ipchains -A input -j ACCEPT -i $EXTIF -p 50 -s $CURGW
done

for CURIF in $FREESWANVI; do
  echo "    - Allow all traffic to FreeS/WAN virtual interface $CURIF"
  /sbin/ipchains -A input -j ACCEPT -i $CURIF -s $UNIVERSE -d $UNIVERSE
done

# DHCP Clients. 
#
# If you get a dynamic IP address for your ADSL or Cablemodem connection, you
# will need to enable these lines.
#
# Enabled by default.
if [ "$EXTERNAL_DYNAMICIP" = "Y" ]; then
  echo "    - Accept BOOTPS on external interface $EXTIF"
  /sbin/ipchains -A input -j ACCEPT -i $EXTIF -p udp -s $UNIVERSE bootps -d $BROADCAST/0  bootpc
  /sbin/ipchains -A input -j ACCEPT -i $EXTIF -p tcp -s $UNIVERSE bootps -d $BROADCAST/0  bootpc
fi

# FTP: Allow external users to connect to the Linux server ITSELF for 
#      PORT-style FTP services.  This will NOT work for PASV FTP transfers.  
# 
# Disabled by default.
if [ "$EXTERNAL_SERVICES_FTP" = "Y" ]; then
  echo "    - Allow FTP to external interface $EXTIF"
  /sbin/ipchains -A input -j ACCEPT -i $EXTIF -p tcp -s $UNIVERSE -d $EXTIP ftp
  /sbin/ipchains -A input -j ACCEPT -i $EXTIF -p tcp -s $UNIVERSE -d $EXTIP ftp-data
fi

# HTTP: Allow external users to connect to the Linux server ITSELF for 
#       HTTP services.
#
# Disabled by default.
if [ "$EXTERNAL_SERVICES_HTTP" = "Y" ]; then
  echo "    - Allow HTTP to external interface $EXTIF"
  /sbin/ipchains -A input -j ACCEPT -i $EXTIF -p tcp -s $UNIVERSE -d $EXTIP http
fi

# ICMP: Allow ICMP packets from all external TCP/IP addresses. 
#
# NOTE: Disabling ICMP packets via the firewall ruleset can do far more than
# just stop people from pinging your machine.  Many aspects of TCP/IP and its
# associated applications rely on various ICMP messages.  Without ICMP, both
# your Linux server and internal Masq'ed computers might not work.
#
echo "    - Allow ICMP to external interface $EXTIF - DO NOT DISABLE"
/sbin/ipchains -A input -j ACCEPT -i $EXTIF -p icmp -s $UNIVERSE -d $EXTIP 

# NFS: Allow NFS traffic from external machines ONLY if EXTERNAL_SERVICES_NFS is set.
#
# NOTE: NFS is one of the biggest security issues an administrator will face.
# Do NOT enable NFS over the Internet or any non-trusted networks unless you
# know exactly what you are doing.
#
if [ "$EXTERNAL_SERVICES_NFS" = "Y" ]; then
  echo "    - Allow NFS to external interface $EXTIF" 
  /sbin/ipchains -A input -j ACCEPT -i $EXTIF -p tcp -s $UNIVERSE -d $EXTIP 2049
  /sbin/ipchains -A input -j ACCEPT -i $EXTIF -p tcp -s $UNIVERSE 2049 -d $EXTIP
fi

# NNTP: Allow external computers to connect to the Linux server ITSELF 
#       for NNTP (news) services.   
#
# Disabled by default.
if [ "$EXTERNAL_SERVICES_NNTP" = "Y" ]; then
  echo "    - Allow NNTP to external interface $EXTIF"
  /sbin/ipchains -A input -j ACCEPT -i $EXTIF -p tcp -s $UNIVERSE -d $EXTIP nntp
fi
 
# NTP: Allow external computers to connect to the Linux server ITSELF for 
#      NTP (time) updates
#
# Disabled by default.
if [ "$EXTERNAL_SERVICES_NTP" = "Y" ]; then
  echo "    - Allow NTP to external interface $EXTIF"
  # NTP runs over UDP port 123, not TCP
  /sbin/ipchains -A input -j ACCEPT -i $EXTIF -p udp -s $UNIVERSE -d $EXTIP ntp
fi

# TELNET: Allow external computers to connect to the Linux server ITSELF for 
#         TELNET access.
#
# Disabled by default.
if [ "$EXTERNAL_SERVICES_TELNET" = "Y" ]; then
  echo "    - Allow TELNET to external interface $EXTIF"
  /sbin/ipchains -A input -j ACCEPT -i $EXTIF -p tcp -s $UNIVERSE -d $EXTIP telnet
fi
# SSH server: Allow external computers to connect to the Linux server ITSELF
#             for SSH access.
#
# Disabled by default.
if [ "$EXTERNAL_SERVICES_SSH" = "Y" ]; then
  echo "    - Allow SSH to external interface $EXTIF"
  /sbin/ipchains -A input -j ACCEPT -i $EXTIF -p tcp -s $UNIVERSE -d $EXTIP ssh 
fi

# DNS server: Allow external computers to connect to the Linux server ITSELF
#             for DNS access
#
#      It is recommended to secure DNS by restricting zone transfers and
#      by using split DNS servers, as documented in Step 4.
#
# Disabled by default.
if [ "$EXTERNAL_SERVICES_DNS" = "Y" ]; then
  echo "    - Allow DNS to External interface $EXTIF"
  /sbin/ipchains -A input -j ACCEPT -i $EXTIF -p tcp -s $UNIVERSE -d $EXTIP domain
  /sbin/ipchains -A input -j ACCEPT -i $EXTIF -p udp -s $UNIVERSE -d $EXTIP domain
fi

# SMTP server: Allow external computers to connect to the Linux server ITSELF
#              for SMTP access
#
# Disabled by default.
if [ "$EXTERNAL_SERVICES_SMTP" = "Y" ]; then
  echo "    - Allow SMTP to External Interface $EXTIF"
  /sbin/ipchains -A input -j ACCEPT -i $EXTIF -p tcp -s $UNIVERSE -d $EXTIP smtp
fi

#--------------------------------------------------------------------
# Incoming Traffic on all Interfaces
#--------------------------------------------------------------------
# This will control input traffic for all interfaces.  This is 
# usually used for what could be considered as public services.  
#--------------------------------------------------------------------
echo "  - Setting input filters for public services (all interfaces)."

# AUTH: Allow the authentication protocol, ident, to function on all 
#       interfaces but disable it in /etc/inetd.conf.  The reason to 
#       allow this traffic in but block it via Inetd is because some 
#       legacy TCP/IP stacks don't deal with REJECTed "auth" requests 
#       properly.
#
echo "    - Allow AUTH on all interfaces"
/sbin/ipchains -A input -j ACCEPT -p tcp -s $UNIVERSE -d $UNIVERSE auth

# BOOTP/DHCP: Reject all stray bootp traffic.
#
# Disabled by default.
#/sbin/ipchains -A input -j REJECT -p udp -s $UNIVERSE bootpc


# RIP: Reject all stray RIP traffic.  Many improperly configured
#      networks propagate network routing protocols to the edge of the
#      network.  The follow line will allow you explicitly filter it here
#      without logging to SYSLOG.
#
# Disabled by default.
#/sbin/ipchains -A input -j REJECT -p udp -s $UNIVERSE -d $UNIVERSE route

# SAMBA: Reject all stray SAMBA traffic. Many networks propagate the
#        chatty SMB network protocols to the edge of the network.  The
#        following line will allow you explicitly filter it here without
#        logging to SYSLOG.
#
# Disabled by default.
#/sbin/ipchains -A input -j REJECT -p udp -s $UNIVERSE -d $UNIVERSE netbios-ns
#/sbin/ipchains -A input -j REJECT -p udp -s $UNIVERSE -d $UNIVERSE netbios-dgm
#/sbin/ipchains -A input -j REJECT -p udp -s $UNIVERSE -d $UNIVERSE netbios-ssn

#--------------------------------------------------------------------
# Explicit INPUT Access from external LAN Hosts
#--------------------------------------------------------------------
# This controls external access from specific external hosts (secure hosts).
# This example permits FTP, FTP-DATA, SSH, POP-3 and TELNET traffic from a
# secure host INTO the firewall. In addition to these input rules, we must also
# explicitly allow the traffic from the remote host to get out.  See the rules
# in the output section for more details
#
# Disabled as default.
#--------------------------------------------------------------------
#echo "  - Setting input filters for explicit external hosts."

# The secure host
#
#/sbin/ipchains -A input -j ACCEPT -i $EXTIF -p tcp -s $SECUREHOST -d $EXTIP ftp
#/sbin/ipchains -A input -j ACCEPT -i $EXTIF -p tcp -s $SECUREHOST -d $EXTIP ftp-data
#/sbin/ipchains -A input -j ACCEPT -i $EXTIF -p tcp -s $SECUREHOST -d $EXTIP ssh
#/sbin/ipchains -A input -j ACCEPT -i $EXTIF -p tcp -s $SECUREHOST -d $EXTIP pop-3
#/sbin/ipchains -A input -j ACCEPT -i $EXTIF -p tcp -s $SECUREHOST -d $EXTIP telnet
#/sbin/ipchains -A input -j ACCEPT -i $EXTIF -p tcp -s $SECUREHOST2 -d $EXTIP telnet
#/sbin/ipchains -A input -j ACCEPT -i $EXTIF -p tcp -s $SECUREHOST2 -d $EXTIP ftp
#/sbin/ipchains -A input -j ACCEPT -i $EXTIF -p tcp -s $SECUREHOST2 -d $EXTIP ftp-data

#--------------------------------------------------------------------
# Port Forwarding
#--------------------------------------------------------------------
# Port forwarding allows external traffic to directly connect to an INTERNAL
# Masq'ed machine. An example need for port forwarding is the need for external
# users to directly contact a WWW server behind the MASQ server.
#
# NOTE: Port forwarding is well beyond the scope of this documentation to
#       explain the security issues implied in opening up access like this.
#       Please see Appendix A to read the IP-MASQ-HOWTO for a full explanation.
#
# Do not use ports greater than 1023 for redirection ports. 
#
# Disabled by default.
#--------------------------------------------------------------------
#echo "  * Enabling Port Forwarding onto internal hosts."
#/usr/sbin/ipmasqadm portfw -f
#echo "  * Forwarding SSH traffic on port 26 to $PORTFWIP"
#/usr/sbin/ipmasqadm portfw -a -P tcp -L $EXTIP 26 -R $PORTFWIP 22

# HIGH PORTS: 
#
# Enable all high unprivileged ports for all reply TCP/UDP traffic
#
# NOTE: The use of the "! -y" flag filters TCP traffic that doesn't have the
#       SYN bit set.  In other words, this means that any traffic that is
#       trying to initiate traffic to your server on a HIGH port will be
#       rejected.
#
#       The only HIGH port traffic that will be accepted is either return
#       traffic that the server originally initiated or UDP-based traffic.
#
# NOTE2: Please note that port 20 for ACTIVE FTP sessions should NOT use
#        SYN filtering.  Because of this, we must specifically allow it in.
#
echo "  - Enabling all input REPLY (TCP/UDP) traffic on high ports."
/sbin/ipchains -A input -j ACCEPT ! -y -p tcp -s $UNIVERSE -d $EXTIP $UNPRIVPORTS
/sbin/ipchains -A input -j ACCEPT -p tcp -s $UNIVERSE ftp-data -d $EXTIP $UNPRIVPORTS
/sbin/ipchains -A input -j ACCEPT -p udp -s $UNIVERSE -d $EXTIP $UNPRIVPORTS


#--------------------------------------------------------------------
# Catch All INPUT Rule
#--------------------------------------------------------------------
#
echo "  - Deny and log all input not specifically allowed."

# All other incoming is denied and logged. 
/sbin/ipchains -A input -j REJECT -s $UNIVERSE -d $UNIVERSE $LOGGING

#********************************************************************
# Output Rules
#********************************************************************
echo "----------------------------------------------------------------------"
echo "Output Rules:"

#--------------------------------------------------------------------
# Outgoing Traffic on the Internal LAN
#--------------------------------------------------------------------
# This ruleset provides policies for traffic that is going out on the internal
# LAN.
#
# In this example, all traffic is allowed out.  Therefore there is no
# requirement to implement individual filters.  However, as with the input
# section above, examples are given for demonstrative purposes.  It is also
# noted that the same rules, outlined above, apply regarding the order of the
# filtering rules.
#--------------------------------------------------------------------
echo "  - Setting output filters for traffic on the internal LAN."

for CURIF in $FREESWANVI; do
  echo "    - Allow all traffic from FreeS/WAN virtual interface $CURIF"
  /sbin/ipchains -A output -j ACCEPT -i $CURIF -s $UNIVERSE -d $UNIVERSE
done

# Local interface, any source going to local net is valid.
if  [ "$INTERNAL_UNSECURE" = "Y" ]; then 
  echo "    - Allow all traffic from internal interface $INTIF to internal network $INTLAN"
  /sbin/ipchains -A output -j ACCEPT -i $INTIF -s $UNIVERSE -d $INTLAN
fi

# Loopback interface is valid.
echo "    - Allow all traffic from loopback interface $LOOPBACKIF"
/sbin/ipchains -A output -j ACCEPT -i $LOOPBACKIF -s $UNIVERSE -d $UNIVERSE


##########################################################################################
# DHCP: If you have configured a DHCP server on this Linux machine, you 
#       will need to enable the following ruleset.
#
# Disabled by default.
#/sbin/ipchains -A output -j ACCEPT -i $INTIF -p udp -s $INTIP/32 bootps -d $BROADCAST/0 bootpc
#/sbin/ipchains -A output -j ACCEPT -i $INTIF -p tcp -s $INTIP/32 bootps -d $BROADCAST/0 bootpc

# HTTP: The following is an example of how to allow HTTP traffic to an
#       intranet WWW server without allowing access from the external
#       network.
#
# Disabled by default.
#/sbin/ipchains -A output -j ACCEPT -i $INTIF -p tcp -s $INTIP/32 http -d $INTLAN 


#--------------------------------------------------------------------
# Explicit Output from Internal LAN Hosts
#--------------------------------------------------------------------
# The following rulesets only allow SPECIFIC hosts on the internal LAN to
# access services on this firewall server itself.  Many people might feel that
# this is extreme but many system attacks occur from the INTERNAL network as
# well.
#
# Examples given allow access via FTP, FTP-DATA, SSH, and TELNET. 
#
# In order for this ruleset to work, you must first comment out the line above
# that provides full access to the internal LAN by all internal hosts.
#
# Disabled by default.
#--------------------------------------------------------------------
#echo "  - Setting output filters for specific internal hosts."

# First host
#/sbin/ipchains -A output -j ACCEPT -i $INTIF -p tcp -s $HOST1IP -d $INTIP ftp
#/sbin/ipchains -A output -j ACCEPT -i $INTIF -p tcp -s $HOST1IP -d $INTIP ftp-data
#/sbin/ipchains -A output -j ACCEPT -i $INTIF -p tcp -s $HOST1IP -d $INTIP ssh
#/sbin/ipchains -A output -j ACCEPT -i $INTIF -p tcp -s $HOST1IP -d $INTIP telnet

# Second host
#/sbin/ipchains -A output -j ACCEPT -i $INTIF -p tcp -s $HOST2IP -d $INTIP ftp
#/sbin/ipchains -A output -j ACCEPT -i $INTIF -p tcp -s $HOST2IP -d $INTIP ftp-data
#/sbin/ipchains -A output -j ACCEPT -i $INTIF -p tcp -s $HOST2IP -d $INTIP ssh
#/sbin/ipchains -A output -j ACCEPT -i $INTIF -p tcp -s $HOST2IP -d $INTIP telnet

#--------------------------------------------------------------------
# Outgoing Traffic on the External Interface
#--------------------------------------------------------------------
# This ruleset will control what traffic can go out on the external interface.
#--------------------------------------------------------------------
echo "  - Setting output filters for traffic from the external interface."

# IPSec VPN
#
# If you are using an IPSec VPN product, you will need to fill in the
# addresses of the remote gateways in the IPSECSG variable (firewall.conf).
# ESP is protocol 50; if AH (protocol 51) is also in use, add a matching
# rule for it.
for CURGW in $IPSECSG; do
  echo "    - Allow ISAKMP from external interface $EXTIF to $CURGW"
  /sbin/ipchains -A output -j ACCEPT -i $EXTIF -p udp -d $CURGW isakmp
  echo "    - Allow IPSEC protocol (ESP) from external interface $EXTIF to $CURGW"
  /sbin/ipchains -A output -j ACCEPT -i $EXTIF -p 50 -d $CURGW
done
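The rules above admit only ESP (protocol 50) and, on input, let a peer reach any local address. The following is an added example, not part of the original rc.firewall, that emits the complete set the introduction lists for a peer (ISAKMP on UDP 500, ESP and AH) in both directions, pinned to the external address, and refuses IPSECSG entries that are not literal IPv4 addresses; the interface, address and gateway values used when calling it are constructed.

```shell
#!/bin/sh
# Added example, not part of the original rc.firewall: emit every ipchains
# rule one IPSEC peer needs (ISAKMP, ESP and AH, both directions) and refuse
# IPSECSG entries that are not plain IPv4 addresses.

# True if $1 is a dotted-quad IPv4 address.  ipchains would resolve a
# hostname while the rules are loaded, making the firewall depend on DNS
# before it is up; insisting on literal addresses avoids that.
is_ipv4() {
  echo "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
  for o in $(echo "$1" | tr '.' ' '); do
    [ "$o" -le 255 ] || return 1
  done
}

# Rules for one peer.  $1 is the ipchains command ("echo" for a dry run),
# $2 the external interface, $3 its address, $4 the remote gateway.
# Unlike the rules in rc.firewall, these also pass AH (protocol 51) and pin
# the local side to $3 instead of accepting any destination.
ipsec_peer_rules() {
  ipch=$1; extif=$2; extip=$3; gw=$4
  if ! is_ipv4 "$gw"; then
    echo "IPSECSG entry '$gw' is not an IPv4 address" >&2
    return 1
  fi
  # ISAKMP key exchange, UDP port 500, both directions
  $ipch -A input  -j ACCEPT -i "$extif" -p udp -s "$gw" isakmp -d "$extip" isakmp
  $ipch -A output -j ACCEPT -i "$extif" -p udp -s "$extip" isakmp -d "$gw" isakmp
  # ESP (50) and AH (51) carry the protected packets themselves
  for proto in 50 51; do
    $ipch -A input  -j ACCEPT -i "$extif" -p "$proto" -s "$gw" -d "$extip"
    $ipch -A output -j ACCEPT -i "$extif" -p "$proto" -s "$extip" -d "$gw"
  done
}

# Apply ipsec_peer_rules to each gateway in $4, a space separated list as in
# firewall.conf's IPSECSG.  Stops at the first bad entry so a typo cannot
# leave a half-built ruleset behind.
ipsec_rules() {
  for gw in $4; do
    ipsec_peer_rules "$1" "$2" "$3" "$gw" || return 1
  done
}
```

Run with `echo` as the first argument to review the rules before loading them, then with `/sbin/ipchains` from rc.firewall.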

# Reject outgoing traffic to the local net from the remote interface, 
# stuffed routing; deny & log
echo "    - Reject outgoing traffic from external interface $EXTIF to internal network $INTLAN - Stuffed Routing"
/sbin/ipchains -A output -j REJECT -i $EXTIF -s $UNIVERSE -d $INTLAN $LOGGING

# Reject outgoing traffic from the local net from the external interface,
# stuffed masquerading, deny and log
echo "    - Reject outgoing traffic from internal network $INTLAN to external interface $EXTIF - Stuffed Masquerading"
/sbin/ipchains -A output -j REJECT -i $EXTIF -s $INTLAN -d $UNIVERSE $LOGGING

# DHCP Client: If your Linux server is connected via DSL or a Cablemodem 
#              connection and you get dynamic DHCP addresses, you will need to 
#              enable the following rulesets.
#
# Enabled by default.
if [ "$EXTERNAL_DYNAMICIP" = "Y" ]; then
  echo "    - Allow BOOTPS from external interface $EXTIF"
  /sbin/ipchains -A output -j ACCEPT -i $EXTIF -p tcp -s $UNIVERSE bootpc -d $UNIVERSE bootps
  /sbin/ipchains -A output -j ACCEPT -i $EXTIF -p udp -s $UNIVERSE bootpc -d $UNIVERSE bootps
fi

# FTP: Allow FTP traffic (the Linux server is a FTP server)
#
# Disabled by default.
if [ "$EXTERNAL_SERVICES_FTP" = "Y" ]; then
  echo "    - Allow FTP from external interface $EXTIF"
  /sbin/ipchains -A output -j ACCEPT -i $EXTIF -p tcp -s $EXTIP ftp -d $UNIVERSE
  /sbin/ipchains -A output -j ACCEPT -i $EXTIF -p tcp -s $EXTIP ftp-data -d $UNIVERSE
fi

# HTTP: Allow HTTP traffic (the Linux server is a WWW server) 
#
# Disabled by default
if [ "$EXTERNAL_SERVICES_HTTP" = "Y" ]; then
  echo "    - Allow HTTP traffic from external interface $EXTIF"
  /sbin/ipchains -A output -j ACCEPT -i $EXTIF -p tcp -s $EXTIP http -d $UNIVERSE 
fi

# NTP: Allow NTP updates (the Linux server is a NTP server)
#
# Disabled by default
if [ "$EXTERNAL_SERVICES_NTP" = "Y" ]; then
  echo "    - Allow NTP traffic from external interface $EXTIF"
  # NTP runs over UDP port 123, not TCP
  /sbin/ipchains -A output -j ACCEPT -i $EXTIF -p udp -s $EXTIP ntp -d $UNIVERSE
fi

# TELNET: Allow telnet traffic (the Linux server is a TELNET server)
#
# Disabled by default
if [ "$EXTERNAL_SERVICES_TELNET" = "Y" ]; then
  echo "    - Allow TELNET traffic from external interface $EXTIF"
  /sbin/ipchains -A output -j ACCEPT -i $EXTIF -p tcp -s $EXTIP telnet -d $UNIVERSE
fi

# SSH server: Allow outgoing SSH traffic (the Linux server is a SSH server)
#
# Disabled by default
if [ "$EXTERNAL_SERVICES_SSH" = "Y" ]; then
  echo "    - Allow SSH traffic from external interface $EXTIF"
  /sbin/ipchains -A output -j ACCEPT -i $EXTIF -p tcp -s $EXTIP ssh -d $UNIVERSE
fi

# AUTH: Allow the authentication protocol, ident, out on the external
#       interface (but disable the service itself in /etc/inetd.conf).
#
echo "    - Allow ident traffic from external interface $EXTIF"
/sbin/ipchains -A output -j ACCEPT -i $EXTIF -p tcp -s $UNIVERSE auth -d $UNIVERSE

# DNS: If your Linux server is an authoritative DNS server, you must
# enable this ruleset
#
# Disabled by default
if [ "$EXTERNAL_SERVICES_DNS" = "Y" ]; then
  echo "    - Allow DNS traffic from external interface $EXTIF"
  /sbin/ipchains -A output -j ACCEPT -p tcp -s $EXTIP domain -d $UNIVERSE 
  /sbin/ipchains -A output -j ACCEPT -p udp -s $EXTIP domain -d $UNIVERSE
fi

# ICMP: Allow ICMP traffic out
#
# NOTE: Disabling ICMP packets via the firewall ruleset can do far
# more than just stop people from pinging your machine.  Many aspects
# of TCP/IP and its associated applications rely on various ICMP
# messages.  Without ICMP, both your Linux server and internal Masq'ed
# computers might not work.
#
echo "    - Allow ICMP traffic from external interface $EXTIF - DO NOT DISABLE"
/sbin/ipchains -A output -j ACCEPT -p icmp -s $UNIVERSE -d $UNIVERSE

# NNTP: This allows NNTP-based news out.
#
# Disabled by default
if [ "$EXTERNAL_SERVICES_NNTP" = "Y" ]; then
  echo "    - Allow NNTP traffic from external interface $EXTIF"
  /sbin/ipchains -A output -j ACCEPT -p tcp -s $EXTIP nntp -d $UNIVERSE
fi

# SMTP: If the Linux server is either an authoritative SMTP server or
# relay, you must allow this ruleset.
#
# Disabled by default
if [ "$EXTERNAL_SERVICES_SMTP" = "Y" ]; then
  echo "    - Allow SMTP traffic from external interface $EXTIF"
  /sbin/ipchains -A output -j ACCEPT -p tcp -s $EXTIP smtp -d $UNIVERSE
fi

#--------------------------------------------------------------------
# Specific Output Rejections
#--------------------------------------------------------------------
# These rulesets reject specific traffic that you do not want out of
# the system.  
#--------------------------------------------------------------------
echo "  - Reject specific outputs."

# RPC.
#
echo "    - Sun RPC"
/sbin/ipchains -A output -j REJECT -i $EXTIF -p udp -s $EXTIP -d $UNIVERSE sunrpc $LOGGING
/sbin/ipchains -A output -j REJECT -i $EXTIF -p udp -s $EXTIP sunrpc -d $UNIVERSE $LOGGING

# Mountd.
#
echo "    - mountd"
/sbin/ipchains -A output -j REJECT -i $EXTIF -p udp -s $EXTIP -d $UNIVERSE 635 $LOGGING
/sbin/ipchains -A output -j REJECT -i $EXTIF -p udp -s $EXTIP 635 -d $UNIVERSE $LOGGING

# PPTP.
#
echo "    - PPTP"
/sbin/ipchains -A output -j REJECT -i $EXTIF -p tcp -s $EXTIP -d $UNIVERSE 1723 $LOGGING
/sbin/ipchains -A output -j REJECT -i $EXTIF -p udp -s $EXTIP -d $UNIVERSE 1723 $LOGGING

# Remote Winsock.
#
echo "    - Remote Winsock"
/sbin/ipchains -A output -j REJECT -i $EXTIF -p tcp -s $EXTIP -d $UNIVERSE 1745 $LOGGING
/sbin/ipchains -A output -j REJECT -i $EXTIF -p udp -s $EXTIP -d $UNIVERSE 1745 $LOGGING

# NFS.
#
echo "    - NFS"
/sbin/ipchains -A output -j REJECT -i $EXTIF -p tcp -s $EXTIP -d $UNIVERSE 2049 $LOGGING
/sbin/ipchains -A output -j REJECT -i $EXTIF -p tcp -s $EXTIP 2049 -d $UNIVERSE $LOGGING
/sbin/ipchains -A output -j REJECT -i $EXTIF -p udp -s $EXTIP -d $UNIVERSE 2049 $LOGGING
/sbin/ipchains -A output -j REJECT -i $EXTIF -p udp -s $EXTIP 2049 -d $UNIVERSE $LOGGING

# PcAnywhere.
#
echo "    - PCAnywhere"
/sbin/ipchains -A output -j REJECT -i $EXTIF -p tcp -s $EXTIP -d $UNIVERSE 5631 $LOGGING
/sbin/ipchains -A output -j REJECT -i $EXTIF -p udp -s $EXTIP -d $UNIVERSE 5631 $LOGGING
/sbin/ipchains -A output -j REJECT -i $EXTIF -p tcp -s $EXTIP -d $UNIVERSE 5632 $LOGGING
/sbin/ipchains -A output -j REJECT -i $EXTIF -p udp -s $EXTIP -d $UNIVERSE 5632 $LOGGING

# Xwindows.
#
# NOTE: See variable section above for the example range (6000:6007 by default)
# Xwindows can use far more than just ports 6000-6007.
#
echo "    - Xwindows"
/sbin/ipchains -A output -j REJECT -i $EXTIF -p tcp -s $EXTIP -d $UNIVERSE $XWINDOWS_PORTS $LOGGING
/sbin/ipchains -A output -j REJECT -i $EXTIF -p udp -s $EXTIP -d $UNIVERSE $XWINDOWS_PORTS $LOGGING

# NetBus.
echo "    - NetBus"
/sbin/ipchains -A output -j REJECT -i $EXTIF -p tcp -s $EXTIP -d $UNIVERSE 12345 $LOGGING
/sbin/ipchains -A output -j REJECT -i $EXTIF -p tcp -s $EXTIP -d $UNIVERSE 12346 $LOGGING

# NetBus Pro.
echo "    - NetBus Pro"
/sbin/ipchains -A output -j REJECT -i $EXTIF -p tcp -s $EXTIP -d $UNIVERSE 20034 $LOGGING

# Back Orifice.
echo "    - Back Orifice"
/sbin/ipchains -A output -j REJECT -i $EXTIF -p udp -s $EXTIP -d $UNIVERSE 31337 $LOGGING

# Win Crash Trojan.
echo "    - Win Crash Trojan"
/sbin/ipchains -A output -j REJECT -i $EXTIF -p tcp -s $EXTIP -d $UNIVERSE 5742 $LOGGING

# Socket De Troye.
echo "    - Socket De Troye"
/sbin/ipchains -A output -j REJECT -i $EXTIF -p tcp -s $EXTIP -d $UNIVERSE 30303 $LOGGING

# Unknown Trojan Horse (Master's Paradise [CHR]).
echo "    - Master's Paradise"
/sbin/ipchains -A output -j REJECT -i $EXTIF -p tcp -s $EXTIP -d $UNIVERSE 40421 $LOGGING

#--------------------------------------------------------------------
# Output to Explicit Hosts
#--------------------------------------------------------------------
# This controls output to specific external hosts (secure hosts).  This example
# implementation allows ssh and pop-3 protocols out to the secure host.  In
# addition to these rules, we must also explicitly allow the traffic in from
# the remote host.  See the input rules above to see this take place.
#
# Disabled by default.
#--------------------------------------------------------------------
#echo "  - Setting output filters for explicit external hosts."

# The secure host
#
#/sbin/ipchains -A output -j ACCEPT -i $EXTIF -p tcp -s $EXTIP ftp -d $SECUREHOST $UNPRIVPORTS
#/sbin/ipchains -A output -j ACCEPT -i $EXTIF -p tcp -s $EXTIP ftp-data -d $SECUREHOST $UNPRIVPORTS
#/sbin/ipchains -A output -j ACCEPT -i $EXTIF -p tcp -s $EXTIP ssh -d $SECUREHOST $UNPRIVPORTS
#/sbin/ipchains -A output -j ACCEPT -i $EXTIF -p tcp -s $EXTIP pop-3 -d $SECUREHOST $UNPRIVPORTS
#/sbin/ipchains -A output -j ACCEPT -i $EXTIF -p tcp -s $EXTIP telnet -d $SECUREHOST $UNPRIVPORTS
#/sbin/ipchains -A output -j ACCEPT -i $EXTIF -p tcp -s $EXTIP telnet -d $SECUREHOST2 $UNPRIVPORTS
#/sbin/ipchains -A output -j ACCEPT -i $EXTIF -p tcp -s $EXTIP ftp -d $SECUREHOST2 $UNPRIVPORTS
#/sbin/ipchains -A output -j ACCEPT -i $EXTIF -p tcp -s $EXTIP ftp-data -d $SECUREHOST2 $UNPRIVPORTS


# Allow all High Ports for return traffic.
#
echo "  - Enabling all output REPLY (TCP/UDP) traffic on high ports."
/sbin/ipchains -A output -j ACCEPT -p tcp -s $EXTIP $UNPRIVPORTS -d $UNIVERSE
/sbin/ipchains -A output -j ACCEPT -p udp -s $EXTIP $UNPRIVPORTS -d $UNIVERSE


#--------------------------------------------------------------------
# Catch All Rule
#--------------------------------------------------------------------
echo "  - Reject and log all output not specifically allowed"

# All other outgoing is denied and logged.  This ruleset should catch 
# everything including samba that hasn't already been blocked.
#
/sbin/ipchains -A output -j REJECT -s $UNIVERSE -d $UNIVERSE $LOGGING


#********************************************************************
# Forwarding Rules
#********************************************************************
#
echo "----------------------------------------------------------------------"
echo "Forwarding Rules:"

#--------------------------------------------------------------------
# Enable TCP/IP forwarding and masquerading from the Internal LAN
#--------------------------------------------------------------------

# Diald Users:
#
#  You need this rule to allow the sl0 SLIP interface to receive 
#  traffic to then bring the interface up.
#
#       Disabled by default
#
#/sbin/ipchains -A forward -j MASQ -i sl0 -s $INTLAN -d $UNIVERSE


#--------------------------------------------------------------------
# Enable TCP/IP forwarding and masquerading from the Internal LAN
#--------------------------------------------------------------------

# Masquerade from local net on local interface to anywhere.
#
if [ "$MASQ" = "Y" ]; then
  echo "  - Enable IP Masquerading from the internal LAN."
  /sbin/ipchains -A forward -j MASQ -i $EXTIF -s $INTLAN -d $UNIVERSE
fi

echo "  - Forward anything from the internal interface"
/sbin/ipchains -A forward -j ACCEPT -i $INTIF -s $UNIVERSE -d $UNIVERSE

# Forward anything from the IPSEC tunnel
for CURIF in $FREESWANVI; do
  echo "  - Forward anything from FreeS/WAN virtual interface $CURIF"
  /sbin/ipchains -A forward -j ACCEPT -i $CURIF -s $UNIVERSE -d $UNIVERSE
done

# Catch all rule, all other forwarding is denied.
#
echo "  - Deny and log anything not specifically allowed to be forwarded"   
/sbin/ipchains -A forward -j REJECT -s $UNIVERSE -d $UNIVERSE $LOGGING

# Turn on IP Forwarding in the Linux kernel
#
# There are TWO methods of turning on this feature.  The first method is the
# Red Hat way. Edit the /etc/sysconfig/network file and change the
# "FORWARD_IPV4" line to say:
#
#       FORWARD_IPV4=true
#
# The second method is shown below and can be executed at any time while the
# system is running.
#
if [ "$IP_FORWARD" = "Y" ]; then
  echo "  - Enabling IP forwarding."
  echo "1" > /proc/sys/net/ipv4/ip_forward
fi

#********************************************************************
# The end
#********************************************************************
echo "----------------------------------------------------------------------"
echo -e "Firewall implemented. \n\n"

File firewall.conf

# Loopback Device
LOOPBACKIF="lo"
LOOPBACKIP="auto"


# External (Public) Interface
# NOTE: PPP and SLIP users will want to replace this interface
#       with the correct modem interface such as "ppp0" or "sl0"
#
# IP address of the external interface
#
# NOTE: Red Hat users of DHCP to get TCP/IP addresses (Cablemodems, DSL, etc)
#       will need to install and use a different DHCP client than the stock
#       client called "pump".  One recommended DHCP client is called "dhcpcd"
#       and can be found in Appendix A.
#
#       The stock Red Hat DHCP client doesn't allow the ability to have scripts
#       run when DHCP gets a TCP/IP address.  Specifically, DHCP doles out
#       TCP/IP addresses to its clients for a limited amount of time; this is
#       called a "lease".  When a DHCP lease expires, the client will query the
#       DHCP server for a lease renewal.  Though the DHCP client will usually
#       get back its original TCP/IP address, this is NOT always guaranteed.
#       With this understood, if you receive a different TCP/IP address than
#       the IPCHAINS firewall was configured for, the firewall will block ALL
#       network access in and out of the Linux server because that was what it
#       was configured to do.
#
#       As mentioned above, the key to solve this problem is to use a DHCP
#       client program that can re-run the /etc/rc.d/rc.firewall ruleset once a
#       new TCP/IP address is set.  The new ruleset will make the required
#       changes to the rulesets to allow network traffic from and to your new
#       TCP/IP address.
#
#       With the dhcpcd program, it will need to be executed with the following
#       command line option to have the firewall ruleset re-run upon every DHCP
#       lease renewal:
#
#              -c /etc/rc.d/rc.firewall
#
EXTIF="eth0"
EXTIP="auto"
EXTBROAD="auto"

# Default Gateway
DEFAULTGW="auto"


# Internal (Private) Interface
INTIF="eth1"
INTIP="auto"
INTNM="auto"
INTLAN="10.0.0.0/8"


# Masquerading
## Enable masquerading
MASQ="N"

## Load CUSEEME helper
MASQ_CUSEEME="N"

## Load FTP helper
MASQ_FTP="N"

## Load IRC helper
MASQ_IRC="N"

## Load Quake helper
MASQ_QUAKE="N"

## Load RealAudio helper
MASQ_RAUDIO="N"

## Load VDOLive helper
MASQ_VDOLIVE="N"


# Enable kernel IP Forwarding
IP_FORWARD="N"


# IPSec Gateway [Section 48]
## Space separated list of remote gateways
IPSECSG="208.60.88.66"

## Space separated list of virtual interfaces for the FreeS/WAN IPSEC
## implementation.  Only include those that are actually used.  If
## you want to limit the traffic that flows through the tunnels, you
## must manually edit the rules that are put in place using this
## variable in /etc/rc.d/rc.firewall
FREESWANVI="ipsec0 ipsec1"


# Settings for internal Interface

## Allow open access on the internal interface.  If you answer "N" and you
## want to allow some machines access to the internal interface or access to
## some services on the internal interface, you must edit /etc/rc.d/rc.firewall
## and enter rules in the INTERNAL_UNSECURE section.  There are examples in the
## file
INTERNAL_UNSECURE="Y"


# Settings for External Interface

## Does the external interface use DHCP/BOOTP to get its address
EXTERNAL_DYNAMICIP="N"

## Enable Multicast Routing
EXTERNAL_MULTICAST="Y"

## Enable port forwarding on external interface.  If you do this, you must
## enter rules in the EXTERNAL_PORT_FORWARDING section to specify which
## ports to forward to which IPs
EXTERNAL_PORT_FORWARDING="N"

## This machine is a public FTP server
EXTERNAL_SERVICES_FTP="N"

## This machine is a public Web server
EXTERNAL_SERVICES_HTTP="N"

## This machine is a public NFS server
EXTERNAL_SERVICES_NFS="N"

## This machine is a public NTP server
EXTERNAL_SERVICES_NTP="N"

## This machine is a public Telnet server
EXTERNAL_SERVICES_TELNET="N"

## This machine is a public SSH server
EXTERNAL_SERVICES_SSH="Y"

## This machine is a public DNS server
EXTERNAL_SERVICES_DNS="N"

## This machine is a public SMTP (email) server
EXTERNAL_SERVICES_SMTP="N"

## This machine is a public NNTP server
EXTERNAL_SERVICES_NNTP="N"
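A guard such as `if [ "$EXTERNAL_DNS" = "Y" ]` that tests a name firewall.conf never sets keeps that ruleset permanently disabled without any error message, and the two files are easy to drift apart in exactly this way. The following added example (not part of the original rc.firewall or firewall.conf) cross-checks the variables the script references against the ones the conf and the script itself define; the sample rc.firewall and firewall.conf it builds for the demonstration are constructed.

```shell
#!/bin/sh
# Added example, not part of the original rc.firewall or firewall.conf:
# report every variable rc.firewall expands that neither firewall.conf nor
# the script itself defines, so a misspelt guard cannot silently disable a
# ruleset.

# All $NAME / ${NAME} references in a script, one per line, deduplicated.
referenced_vars() {
  grep -oE '\$\{?[A-Za-z_][A-Za-z0-9_]*\}?' "$1" | tr -d '${}' | sort -u
}

# All NAME=value assignments in a file (the conf, or the script itself).
assigned_vars() {
  sed -n 's/^[[:space:]]*\([A-Za-z_][A-Za-z0-9_]*\)=.*/\1/p' "$1"
}

# Loop variables ("for NAME in ...") the script sets on its own.
loop_vars() {
  sed -n 's/^[[:space:]]*for[[:space:]][[:space:]]*\([A-Za-z_][A-Za-z0-9_]*\)[[:space:]].*/\1/p' "$1"
}

# Print each variable $1 references that neither $2 (the conf) nor $1
# defines; return 1 if any were found, 0 if the files agree.
undefined_vars() {
  script=$1; conf=$2; rc=0
  known=$( { assigned_vars "$conf"; assigned_vars "$script"; loop_vars "$script"; } | sort -u)
  for v in $(referenced_vars "$script"); do
    if ! printf '%s\n' "$known" | grep -qx "$v"; then
      echo "$v"; rc=1
    fi
  done
  return $rc
}

# Constructed sample modelled on the DNS rules: the input block is guarded
# by EXTERNAL_SERVICES_DNS, the output block by EXTERNAL_DNS, and the conf
# only sets the former.  Prints the names undefined_vars reports.
demo_undefined() {
  dir=$(mktemp -d)
  printf '%s\n' \
    'UNIVERSE="0.0.0.0/0"' \
    'if [ "$EXTERNAL_SERVICES_DNS" = "Y" ]; then' \
    '  /sbin/ipchains -A input -j ACCEPT -i $EXTIF -p udp -s $UNIVERSE -d $EXTIP domain' \
    'fi' \
    'if [ "$EXTERNAL_DNS" = "Y" ]; then' \
    '  /sbin/ipchains -A output -j ACCEPT -p udp -s $EXTIP domain -d $UNIVERSE' \
    'fi' \
    'for CURGW in $IPSECSG; do' \
    '  /sbin/ipchains -A input -j ACCEPT -i $EXTIF -p 50 -s $CURGW' \
    'done' > "$dir/rc.firewall"
  printf '%s\n' \
    'EXTIF="eth0"' \
    'EXTIP="auto"' \
    'IPSECSG="198.51.100.7"' \
    'EXTERNAL_SERVICES_DNS="N"' > "$dir/firewall.conf"
  undefined_vars "$dir/rc.firewall" "$dir/firewall.conf" || true
  rm -rf "$dir"
}
```

Against the real files, `undefined_vars /etc/rc.d/rc.firewall /etc/rc.d/firewall.conf` lists the names to reconcile and exits non-zero, which makes it usable as a pre-load check in the script itself.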
