Problem mit Firewall IPCHAINS
Hallo. Ich habe einen Linux-DSL-Router mit RedHat 7.0. Habe die Ipchains-Firewall mit dem Webmin-Modul installiert. Habe für'n Anfang auf leicht gestellt. Damit ich sicher sein kann, das es kein Masqerading-Problem ist, habe mich an den Router direkt gesetzt. Aber es funktioniert nichtmal ein Ping, weder nach aussen, noch nach innen, weder mit Namen, noch mit IP. Alles andere funktioniert auch nicht. Habe nicht gescheut mir ein Buch zu kaufen und mich im Internet zu informieren. Ich bin einfach zu blöd den Fehler zu finden. Ich habe hier das Script reinkopiert und würde mich freuen, wenn das sich jemand mal anschaut. Die Zeilen sind natürlich beim einfügen hier etwas verrutscht. Noch zur genaueren Information:
Internes Netzwerk ist bei mir 192.168.10.0/24
Karte für Intern/LAN: eth0 192.168.10.6
Karte für Extern/WAN: eth1 192.168.10.7
Vielen Dank im Voraus und hier das Script:
#!/bin/sh
# IPchains Firewalling Script File
# Generated by IPchains Firewalling Webmin Module
# Copyright (C) 1999-2000 by Tim Niemueller, #GPL
# #http://www.niemueller.de/webmin/modules/ipch#ains/
# Created on 22/Oct/2001 21:13
/sbin/ipchains -F
/sbin/ipchains -X
##MODE 1
##LEVEL LOW
##MASQ
##FWTYPE ROUTER
/sbin/ipchains -P input REJECT
/sbin/ipchains -P output REJECT
/sbin/ipchains -P forward REJECT
/sbin/ipchains -A input -i lo -j ACCEPT
/sbin/ipchains -A output -i lo -j ACCEPT
#Do not accept packets from private class A #on ext NIC
/sbin/ipchains -A input -i eth1 -s 10.0.0.0/8 -j DENY
/sbin/ipchains -A input -i eth1 -d 10.0.0.0/8 -j DENY
/sbin/ipchains -A output -i eth1 -s 10.0.0.0/8 -j DENY
/sbin/ipchains -A output -i eth1 -d 10.0.0.0/8 -j DENY
#Do not accept packets from private class B on ext NIC
/sbin/ipchains -A input -i eth1 -s 172.16.0.0/12 -j DENY
/sbin/ipchains -A input -i eth1 -d 172.16.0.0/12 -j DENY
/sbin/ipchains -A output -i eth1 -s 172.16.0.0/12 -j DENY
/sbin/ipchains -A output -i eth1 -d 172.16.0.0/12 -j DENY
#Do not accept packets from private class C on ext NIC
/sbin/ipchains -A input -i eth1 -s 192.168.0.0/16 -j DENY
/sbin/ipchains -A input -i eth1 -d 192.168.0.0/16 -j DENY
/sbin/ipchains -A output -i eth1 -s 192.168.0.0/16 -j DENY
/sbin/ipchains -A output -i eth1 -d 192.168.0.0/16 -j DENY
# Loopback packets should not be handled from ext NIC
/sbin/ipchains -A input -i eth1 -s 127.0.0.0/8 -j DENY
/sbin/ipchains -A output -i eth1 -s 127.0.0.0/8 -j DENY
#Refuse Bogus Broadcasts
/sbin/ipchains -A input -i eth1 -s 255.255.255.255 -j DENY
/sbin/ipchains -A input -i eth1 -d 0.0.0.0 -j DENY
# Refuse Requests from reserved IANA/ICANN adresses
/sbin/ipchains -A input -i eth1 -s 1.0.0.0/8 -j DENY
/sbin/ipchains -A input -i eth1 -s 2.0.0.0/8 -j DENY
/sbin/ipchains -A input -i eth1 -s 5.0.0.0/8 -j DENY
/sbin/ipchains -A input -i eth1 -s 7.0.0.0/8 -j DENY
# They have the Illuminati number of course
/sbin/ipchains -A input -i eth1 -s 23.0.0.0/8 -j DENY
/sbin/ipchains -A input -i eth1 -s 27.0.0.0/8 -j DENY
/sbin/ipchains -A input -i eth1 -s 31.0.0.0/8 -j DENY
/sbin/ipchains -A input -i eth1 -s 36.0.0.0/8 -j DENY
/sbin/ipchains -A input -i eth1 -s 37.0.0.0/8 -j DENY
/sbin/ipchains -A input -i eth1 -s 39.0.0.0/8 -j DENY
/sbin/ipchains -A input -i eth1 -s 41.0.0.0/8 -j DENY
/sbin/ipchains -A input -i eth1 -s 42.0.0.0/8 -j DENY
/sbin/ipchains -A input -i eth1 -s 58.0.0.0/8 -j DENY
/sbin/ipchains -A input -i eth1 -s 59.0.0.0/8 -j DENY
/sbin/ipchains -A input -i eth1 -s 60.0.0.0/8 -j DENY
/sbin/ipchains -A input -i eth1 -s 67.0.0.0/8 -j DENY
/sbin/ipchains -A input -i eth1 -s 218.0.0.0/8 -j DENY
/sbin/ipchains -A input -i eth1 -s 219.0.0.0/8 -j DENY
/sbin/ipchains -A input -i eth1 -s 68.0.0.0/6 -j DENY
/sbin/ipchains -A input -i eth1 -s 72.0.0.0/5 -j DENY
/sbin/ipchains -A input -i eth1 -s 80.0.0.0/4 -j DENY
/sbin/ipchains -A input -i eth1 -s 96.0.0.0/3 -j DENY
/sbin/ipchains -A input -i eth1 -s 220.0.0.0/6 -j DENY
# Basic ICMP packages are needed for running a network
/sbin/ipchains -A input -i eth1 -p icmp --icmp-type source-quench -d 192.168.10.7 -j ACCEPT
/sbin/ipchains -A output -i eth1 -p icmp --icmp-type source-quench -d 0.0.0.0/0 -j ACCEPT
/sbin/ipchains -A input -i eth1 -p icmp --icmp-type parameter-problem -d 192.168.10.7 -j ACCEPT
/sbin/ipchains -A output -i eth1 -p icmp --icmp-type parameter-problem -d 0.0.0.0/0 -j ACCEPT
/sbin/ipchains -A input -i eth1 -p icmp --icmp-type destination-unreachable -d 192.168.10.7 -j ACCEPT
/sbin/ipchains -A output -i eth1 -p icmp --icmp-type destination-unreachable -d 0.0.0.0/0 -j ACCEPT
/sbin/ipchains -A input -i eth1 -p icmp --icmp-type time-exceeded -d 192.168.10.7 -j ACCEPT
/sbin/ipchains -A output -i eth1 -p icmp --icmp-type time-exceeded -d 0.0.0.0/0 -j ACCEPT
##=> DHCP-infw
##-> Allows DHCP clients in your inside network to retrieve DHCP information
##-> from an DHCP server running on your firewall. Relay agents are not
##-> allowed.
/sbin/ipchains -A input -i eth0 -s 0.0.0.0 68 -d 255.255.255.255 67 -p udp -j ACCEPT
/sbin/ipchains -A output -i eth0 -s 192.168.10.6 67 -d 192.168.10.0/255.255.255.0 68 -p udp -j ACCEPT
##=> DNS-infw
##-> Allows clients on the inside network to access a DNS server on the
##-> firewall.
/sbin/ipchains -A input -i eth0 -s 192.168.10.0/255.255.255.0 1024:65535 -d 192.168.10.6 53 -p udp -j ACCEPT
/sbin/ipchains -A output -i eth0 -s 192.168.10.6 53 -d 192.168.10.0/255.255.255.0 1024:65535 -p udp -j ACCEPT
##=> DNS-inout
##-> This allows host in the internal network to lookup hostnames by
##-> querying nameservers in the outside network.
/sbin/ipchains -A input -i eth0 -s 192.168.10.0/255.255.255.0 1024:65535 -d ! 192.168.10.6 53 -p udp -j ACCEPT
/sbin/ipchains -A output -i eth0 -s ! 192.168.10.6 53 -d 192.168.10.0/255.255.255.0 1024:65535 -p udp -j ACCEPT
##NOMASQ: /sbin/ipchains -A input -i eth1 -s ! 192.168.10.6 53 -d 192.168.10.0/255.255.255.0 1024:65535 -p udp -j ACCEPT
##NOMASQ: /sbin/ipchains -A output -i eth1 -s 192.168.10.0/255.255.255.0 1024:65535 -d ! 192.168.10.6 53 -p udp -j ACCEPT
##NOMASQ: /sbin/ipchains -A forward -i eth1 -s 192.168.10.0/255.255.255.0 1024:65535 -d ! 192.168.10.6 53 -p udp -j ACCEPT
##NOMASQ: /sbin/ipchains -A forward -i eth0 -s ! 192.168.10.6 53 -d 192.168.10.0/255.255.255.0 1024:65535 -p udp -j ACCEPT
/sbin/ipchains -A input -i eth1 -s ! 192.168.10.6 53 -d 192.168.10.7 1024:65535 -p udp -j ACCEPT
/sbin/ipchains -A output -i eth1 -s 192.168.10.7 1024:65535 -d ! 192.168.10.6 53 -p udp -j ACCEPT
/sbin/ipchains -A forward -s 192.168.10.0/255.255.255.0 1024:65535 -d ! 192.168.10.6 53 -p udp -j MASQ
##=> DNS-outfw
##-> Allows clients on the outside network to access a DNS server on the
##-> firewall.
/sbin/ipchains -A input -i eth1 -s ! 192.168.10.6 1024:65535 -d 192.168.10.7 53 -p udp -j ACCEPT
/sbin/ipchains -A output -i eth1 -s 192.168.10.7 53 -d ! 192.168.10.6 1024:65535 -p udp -j ACCEPT
##=> DNS-outin
##-> This allows host in the external network to lookup hostnames by
##-> querying nameservers in the inside network. The inside network will
##-> need adresses that can be routed from outside to do that.
##-> These rules are only enabled if Masquerading is disabled.
##NOMASQ: /sbin/ipchains -A input -i eth1 -s ! 192.168.10.6 1024:65535 -d 192.168.10.0/255.255.255.0 53 -p udp -j ACCEPT
##NOMASQ: /sbin/ipchains -A output -i eth1 -s 192.168.10.0/255.255.255.0 53 -d ! 192.168.10.6 1024:65535 -p udp -j ACCEPT
##NOMASQ: /sbin/ipchains -A input -i eth0 -s 192.168.10.0/255.255.255.0 53 -d ! 192.168.10.6 1024:65535 -p udp -j ACCEPT
##NOMASQ: /sbin/ipchains -A output -i eth0 -s ! 192.168.10.6 1024:65535 -d 192.168.10.0/255.255.255.0 53 -p udp -j ACCEPT
##NOMASQ: /sbin/ipchains -A forward -i eth0 -s ! 192.168.10.6 1024:65535 -d 192.168.10.0/255.255.255.0 53 -p udp -j ACCEPT
##NOMASQ: /sbin/ipchains -A forward -i eth1 -s 192.168.10.0/255.255.255.0 53 -d ! 192.168.10.6 1024:65535 -p udp -j ACCEPT
##=> DNS-fwin
##-> Allows the firewall host to use DNS server on the inside network to
##-> resolve names and adresses.
/sbin/ipchains -A output -i eth0 -s 192.168.10.6 1024:65535 -d 192.168.10.0/255.255.255.0 53 -p udp -j ACCEPT
/sbin/ipchains -A input -i eth0 -s 192.168.10.0/255.255.255.0 53 -d 192.168.10.6 1024:65535 -p udp -j ACCEPT
##=> DNS-fwout
##-> Allows the firewall host to use DNS servers on the inside network to
##-> resolve names and adresses.
# Already set in line 114
# Already set in line 113
##=> FTP.Active-infw
##-> Allows clients on the internal network to access a FTP server running
##-> on the firewall host. Be careful with this especially in corporate
##-> networks since passwords are transmitted as clear text.
/sbin/ipchains -A input -i eth0 -s 192.168.10.0/255.255.255.0 1024:65535 -d 192.168.10.6 21 -p tcp -j ACCEPT
/sbin/ipchains -A output -i eth0 -s 192.168.10.6 21 -d 192.168.10.0/255.255.255.0 1024:65535 ! -y -p tcp -j ACCEPT
/sbin/ipchains -A input -i eth0 -s 192.168.10.0/255.255.255.0 1024:65535 -d 192.168.10.6 20 ! -y -p tcp -j ACCEPT
/sbin/ipchains -A output -i eth0 -s 192.168.10.6 20 -d 192.168.10.0/255.255.255.0 1024:65535 -p tcp -j ACCEPT
##=> FTP.Active-inout
##-> Allows clients on the internal network to access external FTP servers
##-> via active FTP. This is more secure than passive FTP but is still a risk
##-> because FTP passwords are transferred as clear text!
/sbin/ipchains -A input -i eth0 -s 192.168.10.0/255.255.255.0 1024:65535 -d ! 192.168.10.6 21 -p tcp -j ACCEPT
/sbin/ipchains -A output -i eth0 -s ! 192.168.10.6 21 -d 192.168.10.0/255.255.255.0 1024:65535 ! -y -p tcp -j ACCEPT
/sbin/ipchains -A input -i eth0 -s 192.168.10.0/255.255.255.0 1024:65535 -d ! 192.168.10.6 20 ! -y -p tcp -j ACCEPT
/sbin/ipchains -A output -i eth0 -s ! 192.168.10.6 20 -d 192.168.10.0/255.255.255.0 1024:65535 -p tcp -j ACCEPT
##NOMASQ: /sbin/ipchains -A input -i eth1 -s ! 192.168.10.6 21 -d 192.168.10.0/255.255.255.0 1024:65535 ! -y -p tcp -j ACCEPT
##NOMASQ: /sbin/ipchains -A output -i eth1 -s 192.168.10.0/255.255.255.0 1024:65535 -d ! 192.168.10.6 21 -p tcp -j ACCEPT
##NOMASQ: /sbin/ipchains -A forward -i eth1 -s 192.168.10.0/255.255.255.0 1024:65535 -d ! 192.168.10.6 21 -p tcp -j ACCEPT
##NOMASQ: /sbin/ipchains -A forward -i eth0 -s ! 192.168.10.6 21 -d 192.168.10.0/255.255.255.0 1024:65535 ! -y -p tcp -j ACCEPT
##NOMASQ: /sbin/ipchains -A input -i eth1 -s ! 192.168.10.6 20 -d 192.168.10.0/255.255.255.0 1024:65535 ! -y -p tcp -j ACCEPT
##NOMASQ: /sbin/ipchains -A output -i eth1 -s 192.168.10.0/255.255.255.0 1024:65535 -d ! 192.168.10.6 20 -p tcp -j ACCEPT
##NOMASQ: /sbin/ipchains -A forward -i eth1 -s 192.168.10.0/255.255.255.0 1024:65535 -d ! 192.168.10.6 20 ! -y -p tcp -j ACCEPT
##NOMASQ: /sbin/ipchains -A forward -i eth0 -s ! 192.168.10.6 20 -d 192.168.10.0/255.255.255.0 1024:65535 -p tcp -j ACCEPT
if [ -e /lib/modules/$(uname -r)/ipv4/ip_masq_ftp.o ]; then
if [ -x /sbin/insmod ]; then
if ! $(grep -s ip_masq_ftp /proc/modules >/dev/null); then
/sbin/insmod -p -s ip_masq_ftp
fi
fi
fi
/sbin/ipchains -A input -i eth1 -s ! 192.168.10.6 21 -d 192.168.10.7 1024:65535 ! -y -p tcp -j ACCEPT
/sbin/ipchains -A output -i eth1 -s 192.168.10.7 1024:65535 -d ! 192.168.10.6 21 -p tcp -j ACCEPT
/sbin/ipchains -A forward -s 192.168.10.0/255.255.255.0 1024:65535 -d ! 192.168.10.6 21 -p tcp -j MASQ
/sbin/ipchains -A input -i eth1 -s ! 192.168.10.6 20 -d 192.168.10.7 1024:65535 -p tcp -j ACCEPT
/sbin/ipchains -A output -i eth1 -s 192.168.10.7 1024:65535 -d ! 192.168.10.6 20 ! -y -p tcp -j ACCEPT
/sbin/ipchains -A forward -s 192.168.10.0/255.255.255.0 1024:65535 -d ! 192.168.10.6 20 -p tcp -j MASQ
##=> FTP.Active-outfw
##-> Allows clients on the external network to access a FTP server running
##-> on the firewall host. Be careful with this since passwords are
##-> transmitted as clear text. This makes it especially dangerous for example
##-> when connecting over the internet to the firewall host!
/sbin/ipchains -A input -i eth1 -s ! 192.168.10.6 1024:65535 -d 192.168.10.7 21 -p tcp -j ACCEPT
/sbin/ipchains -A output -i eth1 -s 192.168.10.7 21 -d ! 192.168.10.6 1024:65535 ! -y -p tcp -j ACCEPT
/sbin/ipchains -A input -i eth1 -s ! 192.168.10.6 1024:65535 -d 192.168.10.7 20 ! -y -p tcp -j ACCEPT
/sbin/ipchains -A output -i eth1 -s 192.168.10.7 20 -d ! 192.168.10.6 1024:65535 -p tcp -j ACCEPT
##=> FTP.Active-outin
##-> Allows clients on the external network to access internal FTP servers
##-> via active FTP. This is more secure than passive FTP but is still a risk
##-> because FTP passwords are transferred as clear text! These rules will
##-> only be enabled if Masquerading is disabled.
##NOMASQ: /sbin/ipchains -A input -i eth1 -s ! 192.168.10.6 1024:65535 -d 192.168.10.0/255.255.255.0 21 -p tcp -j ACCEPT
##NOMASQ: /sbin/ipchains -A output -i eth1 -s 192.168.10.0/255.255.255.0 21 -d ! 192.168.10.6 1024:65535 ! -y -p tcp -j ACCEPT
##NOMASQ: /sbin/ipchains -A input -i eth1 -s ! 192.168.10.6 1024:65535 -d 192.168.10.0/255.255.255.0 20 ! -y -p tcp -j ACCEPT
##NOMASQ: /sbin/ipchains -A output -i eth1 -s 192.168.10.0/255.255.255.0 20 -d ! 192.168.10.6 1024:65535 -p tcp -j ACCEPT
##NOMASQ: /sbin/ipchains -A input -i eth0 -s 192.168.10.0/255.255.255.0 21 -d ! 192.168.10.6 1024:65535 ! -y -p tcp -j ACCEPT
##NOMASQ: /sbin/ipchains -A output -i eth0 -s ! 192.168.10.6 1024:65535 -d 192.168.10.0/255.255.255.0 21 -p tcp -j ACCEPT
##NOMASQ: /sbin/ipchains -A forward -i eth0 -s ! 192.168.10.6 1024:65535 -d 192.168.10.0/255.255.255.0 21 -p tcp -j ACCEPT
##NOMASQ: /sbin/ipchains -A forward -i eth1 -s 192.168.10.0/255.255.255.0 21 -d ! 192.168.10.6 1024:65535 ! -y -p tcp -j ACCEPT
##NOMASQ: /sbin/ipchains -A input -i eth0 -s 192.168.10.0/255.255.255.0 20 -d ! 192.168.10.6 1024:65535 ! -y -p tcp -j ACCEPT
##NOMASQ: /sbin/ipchains -A output -i eth0 -s ! 192.168.10.6 1024:65535 -d 192.168.10.0/255.255.255.0 20 -p tcp -j ACCEPT
##NOMASQ: /sbin/ipchains -A forward -i eth0 -s ! 192.168.10.6 1024:65535 -d 192.168.10.0/255.255.255.0 20 ! -y -p tcp -j ACCEPT
##NOMASQ: /sbin/ipchains -A forward -i eth1 -s 192.168.10.0/255.255.255.0 20 -d ! 192.168.10.6 1024:65535 -p tcp -j ACCEPT
##=> FTP.Active-fwin
##-> Allows connections from the firewall to FTP servers on the inside
##-> network. Be careful with this since passwords are
##-> transmitted as clear text. This makes it especially dangerous for example
##-> when connecting in a corporate network to the firewall host!
##-> These rules maybe useful for a personal firewall.
/sbin/ipchains -A output -i eth0 -s 192.168.10.6 1024:65535 -d 192.168.10.0/255.255.255.0 21 -p tcp -j ACCEPT
/sbin/ipchains -A input -i eth0 -s 192.168.10.0/255.255.255.0 21 -d 192.168.10.6 1024:65535 ! -y -p tcp -j ACCEPT
/sbin/ipchains -A output -i eth0 -s 192.168.10.6 1024:65535 -d 192.168.10.0/255.255.255.0 20 -p tcp -j ACCEPT
/sbin/ipchains -A input -i eth0 -s 192.168.10.0/255.255.255.0 20 -d 192.168.10.6 1024:65535 ! -y -p tcp -j ACCEPT
##=> FTP.Active-fwout
##-> Allows connections from the firewall to FTP servers on the outside
##-> network. Be careful with this since passwords are
##-> transmitted as clear text. This makes it especially dangerous for example
##-> when connecting over the internet to the firewall host!
##-> These rules maybe useful for a personal firewall.
# Already set in line 186
# Already set in line 185
/sbin/ipchains -A output -i eth1 -s 192.168.10.7 1024:65535 -d ! 192.168.10.6 20 -p tcp -j ACCEPT
/sbin/ipchains -A input -i eth1 -s ! 192.168.10.6 20 -d 192.168.10.7 1024:65535 ! -y -p tcp -j ACCEPT
##=> FTP.Passive-infw
##-> Allows clients on the internal network to access a FTP servers running
##-> on the firewall host.
##-> This template allows PASSIVE transfers. To allow passive transfers is
##-> very risky as it allows to open connections to all unpfivileged ports on
##-> the outside network. If it is not absolutely needed you should not enable
##-> this template. Use Active FTP instead. But some FTP clients (as for
##-> example the ones built into webbrowser) do not support active FTP.
##-> Keep in mind that FTP passwords are transferred as clear text!
/sbin/ipchains -A input -i eth0 -s 192.168.10.0/255.255.255.0 1024:65535 -d 192.168.10.6 1024:65535 -p tcp -j ACCEPT
/sbin/ipchains -A output -i eth0 -s 192.168.10.6 1024:65535 -d 192.168.10.0/255.255.255.0 1024:65535 ! -y -p tcp -j ACCEPT
##=> FTP.Passive-inout
##-> Allows clients on the internal network to access external FTP servers.
##-> This template allows PASSIVE transfers. To allow passive transfers is
##-> very risky as it allows to open connections to all unpfivileged ports on
##-> the outside network. If it is not absolutely needed you should not enable
##-> this template. Use Active FTP instead. But some FTP clients (as for
##-> example the ones built into webbrowser) do no support active FTP.
##-> Keep in mind that FTP passwords are transferred as clear text!
/sbin/ipchains -A input -i eth0 -s 192.168.10.0/255.255.255.0 1024:65535 -d ! 192.168.10.6 1024:65535 -p tcp -j ACCEPT
/sbin/ipchains -A output -i eth0 -s ! 192.168.10.6 1024:65535 -d 192.168.10.0/255.255.255.0 1024:65535 ! -y -p tcp -j ACCEPT
##NOMASQ: /sbin/ipchains -A input -i eth1 -s ! 192.168.10.6 1024:65535 -d 192.168.10.0/255.255.255.0 1024:65535 -p tcp -j ACCEPT
##NOMASQ: /sbin/ipchains -A output -i eth1 -s 192.168.10.0/255.255.255.0 1024:65535 -d ! 192.168.10.6 1024:65535 -p tcp -j ACCEPT
##NOMASQ: /sbin/ipchains -A forward -i eth1 -s 192.168.10.0/255.255.255.0 1024:65535 -d ! 192.168.10.6 1024:65535 -p tcp -j ACCEPT
##NOMASQ: /sbin/ipchains -A forward -i eth0 -s ! 192.168.10.6 1024:65535 -d 192.168.10.0/255.255.255.0 1024:65535 -p tcp -j ACCEPT
/sbin/ipchains -A input -i eth1 -s ! 192.168.10.6 1024:65535 -d 192.168.10.7 1024:65535 ! -y -p tcp -j ACCEPT
/sbin/ipchains -A output -i eth1 -s 192.168.10.7 1024:65535 -d ! 192.168.10.6 1024:65535 -p tcp -j ACCEPT
/sbin/ipchains -A forward -s 192.168.10.0/255.255.255.0 1024:65535 -d ! 192.168.10.6 1024:65535 -p tcp -j MASQ
##=> FTP.Passive-outfw
##-> Allows clients on the external network to access a FTP servers running
##-> on the firewall host.
##-> This template allows PASSIVE transfers. To allow passive transfers is
##-> very risky as it allows to open connections to all unprivileged ports on
##-> the outside network. If it is not absolutely needed you should not enable
##-> this template. Use Active FTP instead. But some FTP clients (as for
##-> example the ones built into webbrowser) do not support active FTP.
##-> Keep in mind that FTP passwords are transferred as clear text!
/sbin/ipchains -A input -i eth1 -s ! 192.168.10.6 1024:65535 -d 192.168.10.7 1024:65535 -p tcp -j ACCEPT
/sbin/ipchains -A output -i eth1 -s 192.168.10.7 1024:65535 -d ! 192.168.10.6 1024:65535 ! -y -p tcp -j ACCEPT
##=> FTP.Passive-outin
##-> Allows clients on the external network to access internal FTP servers.
##-> This template allows PASSIVE transfers. To allow passive transfers is
##-> very risky as it allows to open connections to all unpfivileged ports on
##-> the outside network. If it is not absolutely needed you should not enable
##-> this template. Use Active FTP instead. But some FTP clients (as for
##-> example the ones built into webbrowser) do no support active FTP.
##-> Keep in mind that FTP passwords are transferred as clear text!
##-> These rules are only enabled if Masquerading is disabled.
##NOMASQ: /sbin/ipchains -A input -i eth1 -s ! 192.168.10.6 1024:65535 -d 192.168.10.0/255.255.255.0 1024:65535 -p tcp -j ACCEPT
##NOMASQ: /sbin/ipchains -A output -i eth1 -s 192.168.10.0/255.255.255.0 1024:65535 -d ! 192.168.10.6 1024:65535 ! -y -p tcp -j ACCEPT
##NOMASQ: /sbin/ipchains -A input -i eth0 -s 192.168.10.0/255.255.255.0 1024:65535 -d ! 192.168.10.6 1024:65535 -p tcp -j ACCEPT
##NOMASQ: /sbin/ipchains -A output -i eth0 -s ! 192.168.10.6 1024:65535 -d 192.168.10.0/255.255.255.0 1024:65535 -p tcp -j ACCEPT
##NOMASQ: /sbin/ipchains -A forward -i eth0 -s ! 192.168.10.6 1024:65535 -d 192.168.10.0/255.255.255.0 1024:65535 -p tcp -j ACCEPT
##NOMASQ: /sbin/ipchains -A forward -i eth1 -s 192.168.10.0/255.255.255.0 1024:65535 -d ! 192.168.10.6 1024:65535 -p tcp -j ACCEPT
##=> HTTP-infw
##-> Allows clients on the internal network to access a webserver running on
##-> the firewall host
/sbin/ipchains -A input -i eth0 -s 192.168.10.0/255.255.255.0 1024:65535 -d 192.168.10.6 80 -p tcp -j ACCEPT
/sbin/ipchains -A output -i eth0 -s 192.168.10.6 80 -d 192.168.10.0/255.255.255.0 1024:65535 ! -y -p tcp -j ACCEPT
##=> HTTP-inout
##-> Allows clients on the internal network to surf the web.
/sbin/ipchains -A input -i eth0 -s 192.168.10.0/255.255.255.0 1024:65535 -d ! 192.168.10.6 80 -p tcp -j ACCEPT
/sbin/ipchains -A output -i eth0 -s ! 192.168.10.6 80 -d 192.168.10.0/255.255.255.0 1024:65535 ! -y -p tcp -j ACCEPT
##NOMASQ: /sbin/ipchains -A input -i eth1 -s ! 192.168.10.6 80 -d 192.168.10.0/255.255.255.0 1024:65535 ! -y -p tcp -j ACCEPT
##NOMASQ: /sbin/ipchains -A output -i eth1 -s 192.168.10.0/255.255.255.0 1024:65535 -d ! 192.168.10.6 80 -p tcp -j ACCEPT
##NOMASQ: /sbin/ipchains -A forward -i eth1 -s 192.168.10.0/255.255.255.0 1024:65535 -d ! 192.168.10.6 80 -p tcp -j ACCEPT
##NOMASQ: /sbin/ipchains -A forward -i eth0 -s ! 192.168.10.6 80 -d 192.168.10.0/255.255.255.0 1024:65535 ! -y -p tcp -j ACCEPT
/sbin/ipchains -A input -i eth1 -s ! 192.168.10.6 80 -d 192.168.10.7 1024:65535 ! -y -p tcp -j ACCEPT
/sbin/ipchains -A output -i eth1 -s 192.168.10.7 1024:65535 -d ! 192.168.10.6 80 -p tcp -j ACCEPT
/sbin/ipchains -A forward -s 192.168.10.0/255.255.255.0 1024:65535 -d ! 192.168.10.6 80 -p tcp -j MASQ
##=> HTTP-outfw
##-> Allows clients on the external network to access a webserver running on
##-> the firewall host
/sbin/ipchains -A input -i eth1 -s ! 192.168.10.6 1024:65535 -d 192.168.10.7 80 -p tcp -j ACCEPT
/sbin/ipchains -A output -i eth1 -s 192.168.10.7 80 -d ! 192.168.10.6 1024:65535 ! -y -p tcp -j ACCEPT
##=> HTTP-outin
##-> Allows clients on the external network to access webservers in the
##-> inside network. These rules are only enabled if Masquerading is disabled.
##NOMASQ: /sbin/ipchains -A input -i eth1 -s ! 192.168.10.6 1024:65535 -d 192.168.10.0/255.255.255.0 80 -p tcp -j ACCEPT
##NOMASQ: /sbin/ipchains -A output -i eth1 -s 192.168.10.0/255.255.255.0 80 -d ! 192.168.10.6 1024:65535 ! -y -p tcp -j ACCEPT
##NOMASQ: /sbin/ipchains -A input -i eth0 -s 192.168.10.0/255.255.255.0 80 -d ! 192.168.10.6 1024:65535 ! -y -p tcp -j ACCEPT
##NOMASQ: /sbin/ipchains -A output -i eth0 -s ! 192.168.10.6 1024:65535 -d 192.168.10.0/255.255.255.0 80 -p tcp -j ACCEPT
##NOMASQ: /sbin/ipchains -A forward -i eth0 -s ! 192.168.10.6 1024:65535 -d 192.168.10.0/255.255.255.0 80 -p tcp -j ACCEPT
##NOMASQ: /sbin/ipchains -A forward -i eth1 -s 192.168.10.0/255.255.255.0 80 -d ! 192.168.10.6 1024:65535 ! -y -p tcp -j ACCEPT
##=> HTTP-fwin
##-> Allows HTTP connections from the firewall to the inside network.
/sbin/ipchains -A output -i eth0 -s 192.168.10.6 1024:65535 -d 192.168.10.0/255.255.255.0 80 -p tcp -j ACCEPT
/sbin/ipchains -A input -i eth0 -s 192.168.10.0/255.255.255.0 80 -d 192.168.10.6 1024:65535 ! -y -p tcp -j ACCEPT
##=> HTTP-fwout
##-> Allows HTTP connections from the firewall to the outside network.
# Already set in line 325
# Already set in line 324
##=> HTTPS-infw
##-> Allows clients on the internal network to access a SSL secured webserver
##-> on the firewall host
/sbin/ipchains -A input -i eth0 -s 192.168.10.0/255.255.255.0 1024:65535 -d 192.168.10.6 443 -p tcp -j ACCEPT
/sbin/ipchains -A output -i eth0 -s 192.168.10.6 443 -d 192.168.10.0/255.255.255.0 1024:65535 ! -y -p tcp -j ACCEPT
##=> HTTPS-inout
##-> Allows clients on the internal network to surf to websites secured
##-> by SSL on standard port.
/sbin/ipchains -A input -i eth0 -s 192.168.10.0/255.255.255.0 1024:65535 -d ! 192.168.10.6 443 -p tcp -j ACCEPT
/sbin/ipchains -A output -i eth0 -s ! 192.168.10.6 443 -d 192.168.10.0/255.255.255.0 1024:65535 ! -y -p tcp -j ACCEPT
##NOMASQ: /sbin/ipchains -A input -i eth1 -s ! 192.168.10.6 443 -d 192.168.10.0/255.255.255.0 1024:65535 -p tcp -j ACCEPT
##NOMASQ: /sbin/ipchains -A output -i eth1 -s 192.168.10.0/255.255.255.0 1024:65535 -d ! 192.168.10.6 443 -p tcp -j ACCEPT
##NOMASQ: /sbin/ipchains -A forward -i eth1 -s 192.168.10.0/255.255.255.0 1024:65535 -d ! 192.168.10.6 443 -p tcp -j ACCEPT
##NOMASQ: /sbin/ipchains -A forward -i eth0 -s ! 192.168.10.6 443 -d 192.168.10.0/255.255.255.0 1024:65535 ! -y -p tcp -j ACCEPT
/sbin/ipchains -A input -i eth1 -s ! 192.168.10.6 443 -d 192.168.10.7 1024:65535 ! -y -p tcp -j ACCEPT
/sbin/ipchains -A output -i eth1 -s 192.168.10.7 1024:65535 -d ! 192.168.10.6 443 -p tcp -j ACCEPT
/sbin/ipchains -A forward -s 192.168.10.0/255.255.255.0 1024:65535 -d ! 192.168.10.6 443 -p tcp -j MASQ
##=> HTTPS-outfw
##-> Allows clients on the external network to access a SSL secured webserver
##-> on the firewall host
/sbin/ipchains -A input -i eth1 -s ! 192.168.10.6 1024:65535 -d 192.168.10.7 443 -p tcp -j ACCEPT
/sbin/ipchains -A output -i eth1 -s 192.168.10.7 443 -d ! 192.168.10.6 1024:65535 ! -y -p tcp -j ACCEPT
##=> HTTPS-outin
##-> Allows clients on the external network to access SSL secured webservers
##-> on the inside network. These rules are only enabled if Masquerading
##-> is disabled.
##NOMASQ: /sbin/ipchains -A input -i eth1 -s ! 192.168.10.6 1024:65535 -d 192.168.10.0/255.255.255.0 443 -p tcp -j ACCEPT
##NOMASQ: /sbin/ipchains -A output -i eth1 -s 192.168.10.0/255.255.255.0 443 -d ! 192.168.10.6 1024:65535 ! -y -p tcp -j ACCEPT
##NOMASQ: /sbin/ipchains -A input -i eth0 -s 192.168.10.0/255.255.255.0 443 -d ! 192.168.10.6 1024:65535 -p tcp -j ACCEPT
##NOMASQ: /sbin/ipchains -A output -i eth0 -s ! 192.168.10.6 1024:65535 -d 192.168.10.0/255.255.255.0 443 -p tcp -j ACCEPT
##NOMASQ: /sbin/ipchains -A forward -i eth0 -s ! 192.168.10.6 1024:65535 -d 192.168.10.0/255.255.255.0 443 -p tcp -j ACCEPT
##NOMASQ: /sbin/ipchains -A forward -i eth1 -s 192.168.10.0/255.255.255.0 443 -d ! 192.168.10.6 1024:65535 ! -y -p tcp -j ACCEPT
##=> HTTPS-fwin
##-> Allows SSL secured HTTP connections from the firewall to the inside
##-> network.
/sbin/ipchains -A output -i eth0 -s 192.168.10.6 1024:65535 -d 192.168.10.0/255.255.255.0 443 -p tcp -j ACCEPT
/sbin/ipchains -A input -i eth0 -s 192.168.10.0/255.255.255.0 443 -d 192.168.10.6 1024:65535 ! -y -p tcp -j ACCEPT
##=> HTTPS-fwout
##-> Allows SSL secured HTTP connections from the firewall to the outside
##-> network.
# Already set in line 376
# Already set in line 375
##=> IMAP-infw
##-> Allows clients on the internal network to access an IMAP server running
##-> on the firewall host
/sbin/ipchains -A input -i eth0 -s 192.168.10.0/255.255.255.0 1024:65535 -d 192.168.10.6 143 -p tcp -j ACCEPT
/sbin/ipchains -A output -i eth0 -s 192.168.10.6 143 -d 192.168.10.0/255.255.255.0 1024:65535 ! -y -p tcp -j ACCEPT
##=> IMAP-inout
##-> Allows clients on the internal network to get mail from IMAP servers
##-> on the external network.
/sbin/ipchains -A input -i eth0 -s 192.168.10.0/255.255.255.0 1024:65535 -d ! 192.168.10.6 143 -p tcp -j ACCEPT
/sbin/ipchains -A output -i eth0 -s ! 192.168.10.6 143 -d 192.168.10.0/255.255.255.0 1024:65535 ! -y -p tcp -j ACCEPT
##NOMASQ: /sbin/ipchains -A input -i eth1 -s ! 192.168.10.6 143 -d 192.168.10.0/255.255.255.0 1024:65535 ! -y -p tcp -j ACCEPT
##NOMASQ: /sbin/ipchains -A output -i eth1 -s 192.168.10.0/255.255.255.0 1024:65535 -d ! 192.168.10.6 143 -p tcp -j ACCEPT
##NOMASQ: /sbin/ipchains -A forward -i eth1 -s 192.168.10.0/255.255.255.0 1024:65535 -d ! 192.168.10.6 143 -p tcp -j ACCEPT
##NOMASQ: /sbin/ipchains -A forward -i eth0 -s ! 192.168.10.6 143 -d 192.168.10.0/255.255.255.0 1024:65535 ! -y -p tcp -j ACCEPT
/sbin/ipchains -A input -i eth1 -s ! 192.168.10.6 143 -d 192.168.10.7 1024:65535 ! -y -p tcp -j ACCEPT
/sbin/ipchains -A output -i eth1 -s 192.168.10.7 1024:65535 -d ! 192.168.10.6 143 -p tcp -j ACCEPT
/sbin/ipchains -A forward -s 192.168.10.0/255.255.255.0 1024:65535 -d ! 192.168.10.6 143 -p tcp -j MASQ
##=> IMAP-outfw
##-> Allows clients on the external network to access an IMAP server running
##-> on the firewall host
/sbin/ipchains -A input -i eth1 -s ! 192.168.10.6 1024:65535 -d 192.168.10.7 143 -p tcp -j ACCEPT
/sbin/ipchains -A output -i eth1 -s 192.168.10.7 143 -d ! 192.168.10.6 1024:65535 ! -y -p tcp -j ACCEPT
##=> IMAP-outin
##-> Allows clients on the external network to get mail from IMAP servers
##-> on the internal network. These rules are only enabled if Masquerading
##-> is disabled.
##NOMASQ: /sbin/ipchains -A input -i eth1 -s ! 192.168.10.6 1024:65535 -d 192.168.10.0/255.255.255.0 143 -p tcp -j ACCEPT
##NOMASQ: /sbin/ipchains -A output -i eth1 -s 192.168.10.0/255.255.255.0 143 -d ! 192.168.10.6 1024:65535 ! -y -p tcp -j ACCEPT
##NOMASQ: /sbin/ipchains -A input -i eth0 -s 192.168.10.0/255.255.255.0 143 -d ! 192.168.10.6 1024:65535 ! -y -p tcp -j ACCEPT
##NOMASQ: /sbin/ipchains -A output -i eth0 -s ! 192.168.10.6 1024:65535 -d 192.168.10.0/255.255.255.0 143 -p tcp -j ACCEPT
##NOMASQ: /sbin/ipchains -A forward -i eth0 -s ! 192.168.10.6 1024:65535 -d 192.168.10.0/255.255.255.0 143 -p tcp -j ACCEPT
##NOMASQ: /sbin/ipchains -A forward -i eth1 -s 192.168.10.0/255.255.255.0 143 -d ! 192.168.10.6 1024:65535 ! -y -p tcp -j ACCEPT
##=> IRC-infw
##-> Allows clients on the internal network to chat by using the firewall host
##-> as the IRC server (IRC server must run of course). It is assumed that
##-> the IRC server listens on the often used default port 6667.
/sbin/ipchains -A input -i eth0 -s 192.168.10.0/255.255.255.0 1024:65535 -d 192.168.10.6 6667 -p tcp -j ACCEPT
/sbin/ipchains -A output -i eth0 -s 192.168.10.6 6667 -d 192.168.10.0/255.255.255.0 1024:65535 ! -y -p tcp -j ACCEPT
##=> IRC-inout
##-> Allows clients on the internal network to chat through servers on the
##-> outside network. This rules do NOT cover DDC. Additionally it is assumed
##-> that port 6667 is used (which is the standard on most IRC servers).
/sbin/ipchains -A input -i eth0 -s 192.168.10.0/255.255.255.0 1024:65535 -d ! 192.168.10.6 6667 -p tcp -j ACCEPT
/sbin/ipchains -A output -i eth0 -s ! 192.168.10.6 6667 -d 192.168.10.0/255.255.255.0 1024:65535 ! -y -p tcp -j ACCEPT
##NOMASQ: /sbin/ipchains -A input -i eth1 -s ! 192.168.10.6 6667 -d 192.168.10.0/255.255.255.0 1024:65535 ! -y -p tcp -j ACCEPT
##NOMASQ: /sbin/ipchains -A output -i eth1 -s 192.168.10.0/255.255.255.0 1024:65535 -d ! 192.168.10.6 6667 -p tcp -j ACCEPT
##NOMASQ: /sbin/ipchains -A forward -i eth1 -s 192.168.10.0/255.255.255.0 1024:65535 -d ! 192.168.10.6 6667 -p tcp -j ACCEPT
##NOMASQ: /sbin/ipchains -A forward -i eth0 -s ! 192.168.10.6 6667 -d 192.168.10.0/255.255.255.0 1024:65535 ! -y -p tcp -j ACCEPT
/sbin/ipchains -A input -i eth1 -s ! 192.168.10.6 6667 -d 192.168.10.7 1024:65535 ! -y -p tcp -j ACCEPT
/sbin/ipchains -A output -i eth1 -s 192.168.10.7 1024:65535 -d ! 192.168.10.6 6667 -p tcp -j ACCEPT
/sbin/ipchains -A forward -s 192.168.10.0/255.255.255.0 1024:65535 -d ! 192.168.10.6 6667 -p tcp -j MASQ
##=> IRC-outfw
##-> Allows clients on the external network to chat by using the firewall host
##-> as the IRC server (IRC server must run of course). It is assumed that
##-> the IRC server listens on the often used default port 6667.
/sbin/ipchains -A input -i eth1 -s ! 192.168.10.6 1024:65535 -d 192.168.10.7 6667 -p tcp -j ACCEPT
/sbin/ipchains -A output -i eth1 -s 192.168.10.7 6667 -d ! 192.168.10.6 1024:65535 ! -y -p tcp -j ACCEPT
##=> IRC-outin
##-> Allows clients on the external network to chat through servers on the
##-> inside network. It is assumed that port 6667 is used (which is the
##-> standard on most IRC servers). These rules are only enabled if
##-> Masquerading is disabled.
##NOMASQ: /sbin/ipchains -A input -i eth1 -s ! 192.168.10.6 1024:65535 -d 192.168.10.0/255.255.255.0 6667 -p tcp -j ACCEPT
##NOMASQ: /sbin/ipchains -A output -i eth1 -s 192.168.10.0/255.255.255.0 6667 -d ! 192.168.10.6 1024:65535 ! -y -p tcp -j ACCEPT
##NOMASQ: /sbin/ipchains -A input -i eth0 -s 192.168.10.0/255.255.255.0 6667 -d ! 192.168.10.6 1024:65535 ! -y -p tcp -j ACCEPT
##NOMASQ: /sbin/ipchains -A output -i eth0 -s ! 192.168.10.6 1024:65535 -d 192.168.10.0/255.255.255.0 6667 -p tcp -j ACCEPT
##NOMASQ: /sbin/ipchains -A forward -i eth0 -s ! 192.168.10.6 1024:65535 -d 192.168.10.0/255.255.255.0 6667 -p tcp -j ACCEPT
##NOMASQ: /sbin/ipchains -A forward -i eth1 -s 192.168.10.0/255.255.255.0 6667 -d ! 192.168.10.6 1024:65535 ! -y -p tcp -j ACCEPT
##=> LDAP-infw
##-> Allows clients on the internal network to access a LDAP server running
##-> on the firewall host
/sbin/ipchains -A input -i eth0 -s 192.168.10.0/255.255.255.0 1024:65535 -d 192.168.10.6 389 -p tcp -j ACCEPT
/sbin/ipchains -A output -i eth0 -s 192.168.10.6 389 -d 192.168.10.0/255.255.255.0 1024:65535 ! -y -p tcp -j ACCEPT
##=> LDAP-inout
##-> Allows clients on the internal network to use LDAP directory services
##-> from servers on the external network.
/sbin/ipchains -A input -i eth0 -s 192.168.10.0/255.255.255.0 1024:65535 -d ! 192.168.10.6 389 -p tcp -j ACCEPT
/sbin/ipchains -A output -i eth0 -s ! 192.168.10.6 389 -d 192.168.10.0/255.255.255.0 1024:65535 ! -y -p tcp -j ACCEPT
##NOMASQ: /sbin/ipchains -A input -i eth1 -s ! 192.168.10.6 389 -d 192.168.10.0/255.255.255.0 1024:65535 ! -y -p tcp -j ACCEPT
##NOMASQ: /sbin/ipchains -A output -i eth1 -s 192.168.10.0/255.255.255.0 1024:65535 -d ! 192.168.10.6 389 -p tcp -j ACCEPT
##NOMASQ: /sbin/ipchains -A forward -i eth1 -s 192.168.10.0/255.255.255.0 1024:65535 -d ! 192.168.10.6 389 -p tcp -j ACCEPT
##NOMASQ: /sbin/ipchains -A forward -i eth0 -s ! 192.168.10.6 389 -d 192.168.10.0/255.255.255.0 1024:65535 ! -y -p tcp -j ACCEPT
/sbin/ipchains -A input -i eth1 -s ! 192.168.10.6 389 -d 192.168.10.7 1024:65535 ! -y -p tcp -j ACCEPT
/sbin/ipchains -A output -i eth1 -s 192.168.10.7 1024:65535 -d ! 192.168.10.6 389 -p tcp -j ACCEPT
/sbin/ipchains -A forward -s 192.168.10.0/255.255.255.0 1024:65535 -d ! 192.168.10.6 389 -p tcp -j MASQ
##=> LDAP-outfw
##-> Allows clients on the external network to access a LDAP server running
##-> on the firewall host
/sbin/ipchains -A input -i eth1 -s ! 192.168.10.6 1024:65535 -d 192.168.10.7 389 -p tcp -j ACCEPT
/sbin/ipchains -A output -i eth1 -s 192.168.10.7 389 -d ! 192.168.10.6 1024:65535 ! -y -p tcp -j ACCEPT
##=> LDAP-outin
##-> Allows clients on the external network to use LDAP directory services
##-> from servers on the internal network. These rules are only enabled if
##-> Masquerading is disabled.
##NOMASQ: /sbin/ipchains -A input -i eth1 -s ! 192.168.10.6 1024:65535 -d 192.168.10.0/255.255.255.0 389 -p tcp -j ACCEPT
##NOMASQ: /sbin/ipchains -A output -i eth1 -s 192.168.10.0/255.255.255.0 389 -d ! 192.168.10.6 1024:65535 ! -y -p tcp -j ACCEPT
##NOMASQ: /sbin/ipchains -A input -i eth0 -s 192.168.10.0/255.255.255.0 389 -d ! 192.168.10.6 1024:65535 ! -y -p tcp -j ACCEPT
##NOMASQ: /sbin/ipchains -A output -i eth0 -s ! 192.168.10.6 1024:65535 -d 192.168.10.0/255.255.255.0 389 -p tcp -j ACCEPT
##NOMASQ: /sbin/ipchains -A forward -i eth0 -s ! 192.168.10.6 1024:65535 -d 192.168.10.0/255.255.255.0 389 -p tcp -j ACCEPT
##NOMASQ: /sbin/ipchains -A forward -i eth1 -s 192.168.10.0/255.255.255.0 389 -d ! 192.168.10.6 1024:65535 ! -y -p tcp -j ACCEPT
##=> NFS-infw
##-> Allows clients on the internal network to access a NFS server running
##-> on the firewall host. NFS is very unsecure and is NOT recommended to run
##-> this service on the firewall machine!
/sbin/ipchains -A input -i eth0 -s 192.168.10.0/255.255.255.0 1024:65535 -d 192.168.10.6 111 -p udp -j ACCEPT
/sbin/ipchains -A output -i eth0 -s 192.168.10.6 111 -d 192.168.10.0/255.255.255.0 1024:65535 -p udp -j ACCEPT
/sbin/ipchains -A input -i eth0 -s 192.168.10.0/255.255.255.0 1:1023 -d 192.168.10.6 2049 -p udp -j ACCEPT
/sbin/ipchains -A output -i eth0 -s 192.168.10.6 2049 -d 192.168.10.0/255.255.255.0 1:1023 -p udp -j ACCEPT
# Allow connections to mountd
PORTS=`rpcinfo -p | grep mountd | awk '{ print $4 }'`
for p in $PORTS; do
/sbin/ipchains -A input -i eth0 -s 192.168.10.0/255.255.255.0 1:1023 -d 192.168.10.6 $p -p udp -j ACCEPT
/sbin/ipchains -A output -i eth0 -s 192.168.10.6 $p -d 192.168.10.0/255.255.255.0 1:1023 -p udp -j ACCEPT
done
##=> NFS-outfw
##-> Allows clients on the external network to access a NFS server running
##-> on the firewall host. NFS is very unsecure and is NOT recommended to run
##-> this service on the firewall machine!
/sbin/ipchains -A input -i eth1 -s ! 192.168.10.6 1024:65535 -d 192.168.10.7 111 -p udp -j ACCEPT
/sbin/ipchains -A output -i eth1 -s 192.168.10.7 111 -d ! 192.168.10.6 1024:65535 -p udp -j ACCEPT
/sbin/ipchains -A input -i eth1 -s ! 192.168.10.6 1:1023 -d 192.168.10.7 2049 -p udp -j ACCEPT
/sbin/ipchains -A output -i eth1 -s 192.168.10.7 2049 -d ! 192.168.10.6 1:1023 -p udp -j ACCEPT
##=> NTP-infw
##-> Allows clients on the internal network to access a NTP timeserver running
##-> on the firewall host
/sbin/ipchains -A input -i eth0 -s 192.168.10.0/255.255.255.0 1024:65535 -d 192.168.10.6 123 -p tcp -j ACCEPT
/sbin/ipchains -A output -i eth0 -s 192.168.10.6 123 -d 192.168.10.0/255.255.255.0 1024:65535 ! -y -p tcp -j ACCEPT
##=> NTP-inout
##-> Allows clients on the internal network to synchronize the time with a
##-> timeserver on the outside.
/sbin/ipchains -A input -i eth0 -s 192.168.10.0/255.255.255.0 1024:65535 -d ! 192.168.10.6 123 -p udp -j ACCEPT
/sbin/ipchains -A output -i eth0 -s ! 192.168.10.6 123 -d 192.168.10.0/255.255.255.0 1024:65535 -p udp -j ACCEPT
##NOMASQ: /sbin/ipchains -A input -i eth1 -s ! 192.168.10.6 123 -d 192.168.10.0/255.255.255.0 1024:65535 -p udp -j ACCEPT
##NOMASQ: /sbin/ipchains -A output -i eth1 -s 192.168.10.0/255.255.255.0 1024:65535 -d ! 192.168.10.6 123 -p udp -j ACCEPT
##NOMASQ: /sbin/ipchains -A forward -i eth1 -s 192.168.10.0/255.255.255.0 1024:65535 -d ! 192.168.10.6 123 -p udp -j ACCEPT
##NOMASQ: /sbin/ipchains -A forward -i eth0 -s ! 192.168.10.6 123 -d 192.168.10.0/255.255.255.0 1024:65535 -p udp -j ACCEPT
/sbin/ipchains -A input -i eth1 -s ! 192.168.10.6 123 -d 192.168.10.7 1024:65535 -p udp -j ACCEPT
/sbin/ipchains -A output -i eth1 -s 192.168.10.7 1024:65535 -d ! 192.168.10.6 123 -p udp -j ACCEPT
/sbin/ipchains -A forward -s 192.168.10.0/255.255.255.0 1024:65535 -d ! 192.168.10.6 123 -p udp -j MASQ
##=> NTP-outfw
##-> Allows clients on the external network to access a NTP timeserver running
##-> on the firewall host
/sbin/ipchains -A input -i eth1 -s ! 192.168.10.6 1024:65535 -d 192.168.10.7 123 -p tcp -j ACCEPT
/sbin/ipchains -A output -i eth1 -s 192.168.10.7 123 -d ! 192.168.10.6 1024:65535 ! -y -p tcp -j ACCEPT
##=> NTP-outin
##-> Allows clients on the external network to synchronize the time with a
##-> timeserver on the inside. These rules are only enabled if Masquerading
##-> is disabled.
##NOMASQ: /sbin/ipchains -A input -i eth1 -s ! 192.168.10.6 1024:65535 -d 192.168.10.0/255.255.255.0 123 -p udp -j ACCEPT
##NOMASQ: /sbin/ipchains -A output -i eth1 -s 192.168.10.0/255.255.255.0 123 -d ! 192.168.10.6 1024:65535 -p udp -j ACCEPT
##NOMASQ: /sbin/ipchains -A input -i eth0 -s 192.168.10.0/255.255.255.0 123 -d ! 192.168.10.6 1024:65535 -p udp -j ACCEPT
##NOMASQ: /sbin/ipchains -A output -i eth0 -s ! 192.168.10.6 1024:65535 -d 192.168.10.0/255.255.255.0 123 -p udp -j ACCEPT
##NOMASQ: /sbin/ipchains -A forward -i eth0 -s ! 192.168.10.6 1024:65535 -d 192.168.10.0/255.255.255.0 123 -p udp -j ACCEPT
##NOMASQ: /sbin/ipchains -A forward -i eth1 -s 192.168.10.0/255.255.255.0 123 -d ! 192.168.10.6 1024:65535 -p udp -j ACCEPT
##=> NTP-fwin
##-> Allows the firewall host to open connections to NTP time servers on the
##-> inside network.
/sbin/ipchains -A output -i eth0 -s 192.168.10.6 1024:65535 -d 192.168.10.0/255.255.255.0 123 -p tcp -j ACCEPT
/sbin/ipchains -A input -i eth0 -s 192.168.10.0/255.255.255.0 123 -d 192.168.10.6 1024:65535 ! -y -p tcp -j ACCEPT
##=> NTP-fwout
##-> Allows the firewall host to open connections to NTP time servers on the
##-> outside network.
/sbin/ipchains -A output -i eth1 -s 192.168.10.7 1024:65535 -d ! 192.168.10.6 123 -p tcp -j ACCEPT
/sbin/ipchains -A input -i eth1 -s ! 192.168.10.6 123 -d 192.168.10.7 1024:65535 ! -y -p tcp -j ACCEPT
##=> NetBIOS-infw
##-> Allows Windows machines on the inside network to access a Samba Server
##-> running on the firewall.
/sbin/ipchains -A input -i eth0 -s 192.168.10.0/255.255.255.0 137 -d 192.168.10.255 137 -p tcp -j ACCEPT
/sbin/ipchains -A input -i eth0 -s 192.168.10.0/255.255.255.0 137 -d 192.168.10.6 137 -p tcp -j ACCEPT
/sbin/ipchains -A output -i eth0 -s 192.168.10.6 137 -d 192.168.10.0/255.255.255.0 137 -p tcp -j ACCEPT
/sbin/ipchains -A input -i eth0 -s 192.168.10.0/255.255.255.0 137 -d 192.168.10.6 137 -p udp -j ACCEPT
/sbin/ipchains -A output -i eth0 -s 192.168.10.6 137 -d 192.168.10.0/255.255.255.0 137 -p udp -j ACCEPT
/sbin/ipchains -A input -i eth0 -s 192.168.10.0/255.255.255.0 1024:65535 -d 192.168.10.6 138 -p udp -j ACCEPT
/sbin/ipchains -A output -i eth0 -s 192.168.10.6 138 -d 192.168.10.0/255.255.255.0 1024:65535 -p udp -j ACCEPT
/sbin/ipchains -A input -i eth0 -s 192.168.10.0/255.255.255.0 1024:65535 -d 192.168.10.6 139 -p tcp -j ACCEPT
/sbin/ipchains -A output -i eth0 -s 192.168.10.6 139 -d 192.168.10.0/255.255.255.0 1024:65535 ! -y -p tcp -j ACCEPT
##=> NetBIOS-outfw
##-> Allows Windows machines on the inside network to access a Samba Server
##-> running on the firewall. Use this with extreme caution. On a bad
##-> configured Samba this could cause access to your Samba from the whole
##-> internet.
/sbin/ipchains -A input -i eth1 -s ! 192.168.10.6 137 -d 192.168.10.255 137 -p udp -j ACCEPT
/sbin/ipchains -A input -i eth1 -s ! 192.168.10.6 137 -d 192.168.10.7 137 -p tcp -j ACCEPT
/sbin/ipchains -A output -i eth1 -s 192.168.10.7 137 -d ! 192.168.10.6 137 -p tcp -j ACCEPT
/sbin/ipchains -A input -i eth1 -s ! 192.168.10.6 137 -d 192.168.10.7 137 -p udp -j ACCEPT
/sbin/ipchains -A output -i eth1 -s 192.168.10.7 137 -d ! 192.168.10.6 137 -p udp -j ACCEPT
/sbin/ipchains -A input -i eth1 -s ! 192.168.10.6 1024:65535 -d 192.168.10.7 138 -p udp -j ACCEPT
/sbin/ipchains -A output -i eth1 -s 192.168.10.7 138 -d ! 192.168.10.6 1024:65535 -p udp -j ACCEPT
/sbin/ipchains -A input -i eth1 -s ! 192.168.10.6 1024:65535 -d 192.168.10.7 139 -p tcp -j ACCEPT
/sbin/ipchains -A output -i eth1 -s 192.168.10.7 139 -d ! 192.168.10.6 1024:65535 ! -y -p tcp -j ACCEPT
##=> POP3-infw
##-> Allows clients on the internal network to access a POP3 server running
##-> on the firewall host
/sbin/ipchains -A input -i eth0 -s 192.168.10.0/255.255.255.0 1024:65535 -d 192.168.10.6 110 -p tcp -j ACCEPT
/sbin/ipchains -A output -i eth0 -s 192.168.10.6 110 -d 192.168.10.0/255.255.255.0 1024:65535 ! -y -p tcp -j ACCEPT
##=> POP3-inout
##-> Allows clients on the internal network to fetch emails from POP3
##-> mail servers on the external network.
/sbin/ipchains -A input -i eth0 -s 192.168.10.0/255.255.255.0 1024:65535 -d ! 192.168.10.6 110 -p tcp -j ACCEPT
/sbin/ipchains -A output -i eth0 -s ! 192.168.10.6 110 -d 192.168.10.0/255.255.255.0 1024:65535 ! -y -p tcp -j ACCEPT
##NOMASQ: /sbin/ipchains -A input -i eth1 -s ! 192.168.10.6 110 -d 192.168.10.0/255.255.255.0 1024:65535 ! -y -p tcp -j ACCEPT
##NOMASQ: /sbin/ipchains -A output -i eth1 -s 192.168.10.0/255.255.255.0 1024:65535 -d ! 192.168.10.6 110 -p tcp -j ACCEPT
##NOMASQ: /sbin/ipchains -A forward -i eth1 -s 192.168.10.0/255.255.255.0 1024:65535 -d ! 192.168.10.6 110 -p tcp -j ACCEPT
##NOMASQ: /sbin/ipchains -A forward -i eth0 -s ! 192.168.10.6 110 -d 192.168.10.0/255.255.255.0 1024:65535 ! -y -p tcp -j ACCEPT
/sbin/ipchains -A input -i eth1 -s ! 192.168.10.6 110 -d 192.168.10.7 1024:65535 ! -y -p tcp -j ACCEPT
/sbin/ipchains -A output -i eth1 -s 192.168.10.7 1024:65535 -d ! 192.168.10.6 110 -p tcp -j ACCEPT
/sbin/ipchains -A forward -s 192.168.10.0/255.255.255.0 1024:65535 -d ! 192.168.10.6 110 -p tcp -j MASQ
##=> POP3-outfw
##-> Allows clients on the external network to access a POP3 server running
##-> on the firewall host
/sbin/ipchains -A input -i eth1 -s ! 192.168.10.6 1024:65535 -d 192.168.10.7 110 -p tcp -j ACCEPT
/sbin/ipchains -A output -i eth1 -s 192.168.10.7 110 -d ! 192.168.10.6 1024:65535 ! -y -p tcp -j ACCEPT
##=> POP3-outin
##-> Allows clients on the external network to fetch emails from POP3
##-> mail servers on the internal network. These rules are only enabled if
##-> Masquerading is disabled.
##NOMASQ: /sbin/ipchains -A input -i eth1 -s ! 192.168.10.6 1024:65535 -d 192.168.10.0/255.255.255.0 110 -p tcp -j ACCEPT
##NOMASQ: /sbin/ipchains -A output -i eth1 -s 192.168.10.0/255.255.255.0 110 -d ! 192.168.10.6 1024:65535 ! -y -p tcp -j ACCEPT
##NOMASQ: /sbin/ipchains -A input -i eth0 -s 192.168.10.0/255.255.255.0 110 -d ! 192.168.10.6 1024:65535 ! -y -p tcp -j ACCEPT
##NOMASQ: /sbin/ipchains -A output -i eth0 -s ! 192.168.10.6 1024:65535 -d 192.168.10.0/255.255.255.0 110 -p tcp -j ACCEPT
##NOMASQ: /sbin/ipchains -A forward -i eth0 -s ! 192.168.10.6 1024:65535 -d 192.168.10.0/255.255.255.0 110 -p tcp -j ACCEPT
##NOMASQ: /sbin/ipchains -A forward -i eth1 -s 192.168.10.0/255.255.255.0 110 -d ! 192.168.10.6 1024:65535 ! -y -p tcp -j ACCEPT
##=> Ping-infw
##-> Allows host on the inside network to ping the firewall host. Usually you
##-> want that to check the connection between computers and the firewall or
##-> if the firewall host is up.
/sbin/ipchains -A input -i eth0 -s 192.168.10.0/255.255.255.0 -d 192.168.10.6 -p icmp --icmp-type echo-request -j ACCEPT
/sbin/ipchains -A output -i eth0 -s 192.168.10.6 -d 192.168.10.0/255.255.255.0 -p icmp --icmp-type echo-reply -j ACCEPT
##=> Ping-inout
##-> Allows clients on the internal network to ping other machines on the
##-> on the external network.
/sbin/ipchains -A input -i eth0 -s 192.168.10.0/255.255.255.0 -d ! 192.168.10.6 -p icmp --icmp-type echo-request -j ACCEPT
/sbin/ipchains -A output -i eth0 -s ! 192.168.10.6 -d 192.168.10.0/255.255.255.0 -p icmp --icmp-type echo-reply -j ACCEPT
##NOMASQ: /sbin/ipchains -A input -i eth1 -s ! 192.168.10.6 -d 192.168.10.0/255.255.255.0 -p icmp --icmp-type echo-reply -j ACCEPT
##NOMASQ: /sbin/ipchains -A output -i eth1 -s 192.168.10.0/255.255.255.0 -d ! 192.168.10.6 -p icmp --icmp-type echo-request -j ACCEPT
##NOMASQ: /sbin/ipchains -A forward -i eth1 -s 192.168.10.0/255.255.255.0 -d ! 192.168.10.6 -p icmp --icmp-type echo-request -j ACCEPT
##NOMASQ: /sbin/ipchains -A forward -i eth0 -s ! 192.168.10.6 -d 192.168.10.0/255.255.255.0 -p icmp --icmp-type echo-reply -j ACCEPT
/sbin/ipchains -A input -i eth1 -s ! 192.168.10.6 -d 192.168.10.7 -p icmp --icmp-type echo-reply -j ACCEPT
/sbin/ipchains -A output -i eth1 -s 192.168.10.7 -d ! 192.168.10.6 -p icmp --icmp-type echo-request -j ACCEPT
/sbin/ipchains -A forward -s 192.168.10.0/255.255.255.0 -d ! 192.168.10.6 -p icmp --icmp-type echo-request -j MASQ
##=> Ping-outfw
##-> Allows host on the outside network to ping the firewall host. It is more
##-> secure to turn this off. But is is not harmful to enable the ping.
/sbin/ipchains -A input -i eth1 -s ! 192.168.10.6 -d 192.168.10.7 -p icmp --icmp-type echo-request -j ACCEPT
/sbin/ipchains -A output -i eth1 -s 192.168.10.7 -d ! 192.168.10.6 -p icmp --icmp-type echo-reply -j ACCEPT
##=> Ping-outin
##-> Allows clients on the external network to ping other machines on the
##-> on the internal network.
##NOMASQ: /sbin/ipchains -A input -i eth1 -s ! 192.168.10.6 -d 192.168.10.0/255.255.255.0 -p icmp --icmp-type echo-request -j ACCEPT
##NOMASQ: /sbin/ipchains -A output -i eth1 -s 192.168.10.0/255.255.255.0 -d ! 192.168.10.6 -p icmp --icmp-type echo-reply -j ACCEPT
##NOMASQ: /sbin/ipchains -A input -i eth0 -s 192.168.10.0/255.255.255.0 -d ! 192.168.10.6 -p icmp --icmp-type echo-reply -j ACCEPT
##NOMASQ: /sbin/ipchains -A output -i eth0 -s ! 192.168.10.6 -d 192.168.10.0/255.255.255.0 -p icmp --icmp-type echo-request -j ACCEPT
##NOMASQ: /sbin/ipchains -A forward -i eth0 -s ! 192.168.10.6 -d 192.168.10.0/255.255.255.0 -p icmp --icmp-type echo-request -j ACCEPT
##NOMASQ: /sbin/ipchains -A forward -i eth1 -s 192.168.10.0/255.255.255.0 -d ! 192.168.10.6 -p icmp --icmp-type echo-reply -j ACCEPT
##=> Ping-fwin
##-> Allows the firewall to ping hosts on the inside network.
/sbin/ipchains -A output -i eth0 -s 192.168.10.6 -d 192.168.10.0/255.255.255.0 -p icmp --icmp-type echo-request -j ACCEPT
/sbin/ipchains -A input -i eth0 -s 192.168.10.0/255.255.255.0 -d 192.168.10.6 -p icmp --icmp-type echo-reply -j ACCEPT
##=> Ping-fwout
##-> Allows the firewall to ping hosts on the outside network. These rules
##-> maybe useful on a personal firewall.
# Already set in line 705
# Already set in line 704
##=> SMTP-infw
##-> Allows clients on the internal network to access a SMTP server (for
##-> outgoing mail) on the firewall host
/sbin/ipchains -A input -i eth0 -s 192.168.10.0/255.255.255.0 1024:65535 -d 192.168.10.6 25 -p tcp -j ACCEPT
/sbin/ipchains -A output -i eth0 -s 192.168.10.6 25 -d 192.168.10.0/255.255.255.0 1024:65535 ! -y -p tcp -j ACCEPT
##=> SMTP-inout
##-> Allows clients on the internal network to send emails through a SMTP
##-> server on the external network.
/sbin/ipchains -A input -i eth0 -s 192.168.10.0/255.255.255.0 1024:65535 -d ! 192.168.10.6 25 -p tcp -j ACCEPT
/sbin/ipchains -A output -i eth0 -s ! 192.168.10.6 25 -d 192.168.10.0/255.255.255.0 1024:65535 ! -y -p tcp -j ACCEPT
##NOMASQ: /sbin/ipchains -A input -i eth1 -s ! 192.168.10.6 25 -d 192.168.10.0/255.255.255.0 1024:65535 ! -y -p tcp -j ACCEPT
##NOMASQ: /sbin/ipchains -A output -i eth1 -s 192.168.10.0/255.255.255.0 1024:65535 -d ! 192.168.10.6 25 -p tcp -j ACCEPT
##NOMASQ: /sbin/ipchains -A forward -i eth1 -s 192.168.10.0/255.255.255.0 1024:65535 -d ! 192.168.10.6 25 -p tcp -j ACCEPT
##NOMASQ: /sbin/ipchains -A forward -i eth0 -s ! 192.168.10.6 25 -d 192.168.10.0/255.255.255.0 1024:65535 ! -y -p tcp -j ACCEPT
/sbin/ipchains -A input -i eth1 -s ! 192.168.10.6 25 -d 192.168.10.7 1024:65535 ! -y -p tcp -j ACCEPT
/sbin/ipchains -A output -i eth1 -s 192.168.10.7 1024:65535 -d ! 192.168.10.6 25 -p tcp -j ACCEPT
/sbin/ipchains -A forward -s 192.168.10.0/255.255.255.0 1024:65535 -d ! 192.168.10.6 25 -p tcp -j MASQ
##=> SMTP-outfw
##-> Allows clients on the external network to access a SMTP server (for
##-> outgoing mail) on the firewall host
/sbin/ipchains -A input -i eth1 -s ! 192.168.10.6 1024:65535 -d 192.168.10.7 25 -p tcp -j ACCEPT
/sbin/ipchains -A output -i eth1 -s 192.168.10.7 25 -d ! 192.168.10.6 1024:65535 ! -y -p tcp -j ACCEPT
##=> SMTP-outin
##-> Allows clients on the external network to send emails through a SMTP
##-> server on the internal network. These rules are only enabled if
##-> Masquerading is disabled.
##NOMASQ: /sbin/ipchains -A input -i eth1 -s ! 192.168.10.6 1024:65535 -d 192.168.10.0/255.255.255.0 25 -p tcp -j ACCEPT
##NOMASQ: /sbin/ipchains -A output -i eth1 -s 192.168.10.0/255.255.255.0 25 -d ! 192.168.10.6 1024:65535 ! -y -p tcp -j ACCEPT
##NOMASQ: /sbin/ipchains -A input -i eth0 -s 192.168.10.0/255.255.255.0 25 -d ! 192.168.10.6 1024:65535 ! -y -p tcp -j ACCEPT
##NOMASQ: /sbin/ipchains -A output -i eth0 -s ! 192.168.10.6 1024:65535 -d 192.168.10.0/255.255.255.0 25 -p tcp -j ACCEPT
##NOMASQ: /sbin/ipchains -A forward -i eth0 -s ! 192.168.10.6 1024:65535 -d 192.168.10.0/255.255.255.0 25 -p tcp -j ACCEPT
##NOMASQ: /sbin/ipchains -A forward -i eth1 -s 192.168.10.0/255.255.255.0 25 -d ! 192.168.10.6 1024:65535 ! -y -p tcp -j ACCEPT
##=> SMTP-fwin
##-> Allows the firewall host to connect to SMTP servers on the inside.
/sbin/ipchains -A output -i eth0 -s 192.168.10.6 1024:65535 -d 192.168.10.0/255.255.255.0 25 -p tcp -j ACCEPT
/sbin/ipchains -A input -i eth0 -s 192.168.10.0/255.255.255.0 25 -d 192.168.10.6 1024:65535 ! -y -p tcp -j ACCEPT
##=> SMTP-fwout
##-> Allows the firewall host to connect to SMTP servers on the outside.
##-> These rules may be useful on a personal firewall.
# Already set in line 757
# Already set in line 756
##=> SSH-infw
##-> Allows SSH conntections from the inside network to your firewall.
/sbin/ipchains -A input -i eth0 -p tcp -s 192.168.10.0/255.255.255.0 1024:65535 -d 192.168.10.6 22 -j ACCEPT
/sbin/ipchains -A output -i eth0 -p tcp ! -y -s 192.168.10.6 22 -d 192.168.10.0/255.255.255.0 1024:65535 -j ACCEPT
/sbin/ipchains -A input -i eth0 -p tcp -s 192.168.10.0/255.255.255.0 513:1023 -d 192.168.10.6 22 -j ACCEPT
/sbin/ipchains -A output -i eth0 -p tcp ! -y -s 192.168.10.6 22 -d 192.168.10.0/255.255.255.0 513:1023 -j ACCEPT
##=> SSH-inout
##-> Allows clients on the internal network to connect to secure shell
##-> servers on the outside network.
/sbin/ipchains -A input -i eth0 -s 192.168.10.0/255.255.255.0 1024:65535 -d ! 192.168.10.6 22 -p tcp -j ACCEPT
/sbin/ipchains -A output -i eth0 -s ! 192.168.10.6 22 -d 192.168.10.0/255.255.255.0 1024:65535 ! -y -p tcp -j ACCEPT
/sbin/ipchains -A input -i eth0 -s 192.168.10.0/255.255.255.0 513:1023 -d ! 192.168.10.6 22 -p tcp -j ACCEPT
/sbin/ipchains -A output -i eth0 -s ! 192.168.10.6 22 -d 192.168.10.0/255.255.255.0 513:1023 ! -y -p tcp -j ACCEPT
##NOMASQ: /sbin/ipchains -A input -i eth1 -s ! 192.168.10.6 22 -d 192.168.10.0/255.255.255.0 1024:65535 ! -y -p tcp -j ACCEPT
##NOMASQ: /sbin/ipchains -A output -i eth1 -s 192.168.10.0/255.255.255.0 1024:65535 -d ! 192.168.10.6 22 -p tcp -j ACCEPT
##NOMASQ: /sbin/ipchains -A forward -i eth1 -s 192.168.10.0/255.255.255.0 1024:65535 -d ! 192.168.10.6 22 -p tcp -j ACCEPT
##NOMASQ: /sbin/ipchains -A forward -i eth0 -s ! 192.168.10.6 22 -d 192.168.10.0/255.255.255.0 1024:65535 ! -y -p tcp -j ACCEPT
##NOMASQ: /sbin/ipchains -A input -i eth1 -s ! 192.168.10.6 22 -d 192.168.10.0/255.255.255.0 513:1023 ! -y -p tcp -j ACCEPT
##NOMASQ: /sbin/ipchains -A output -i eth1 -s 192.168.10.0/255.255.255.0 513:1023 -d ! 192.168.10.6 22 -p tcp -j ACCEPT
##NOMASQ: /sbin/ipchains -A forward -i eth1 -s 192.168.10.0/255.255.255.0 513:1023 -d ! 192.168.10.6 22 -p tcp -j ACCEPT
##NOMASQ: /sbin/ipchains -A forward -i eth0 -s ! 192.168.10.6 22 -d 192.168.10.0/255.255.255.0 513:1023 ! -y -p tcp -j ACCEPT
/sbin/ipchains -A input -i eth1 -s ! 192.168.10.6 22 -d 192.168.10.7 1024:65535 ! -y -p tcp -j ACCEPT
/sbin/ipchains -A output -i eth1 -s 192.168.10.7 1024:65535 -d ! 192.168.10.6 22 -p tcp -j ACCEPT
/sbin/ipchains -A forward -s 192.168.10.0/255.255.255.0 1024:65535 -d ! 192.168.10.6 22 -p tcp -j MASQ
/sbin/ipchains -A input -i eth1 -s ! 192.168.10.6 22 -d 192.168.10.7 513:1023 ! -y -p tcp -j ACCEPT
/sbin/ipchains -A output -i eth1 -s 192.168.10.7 513:1023 -d ! 192.168.10.6 22 -p tcp -j ACCEPT
/sbin/ipchains -A forward -s 192.168.10.0/255.255.255.0 513:1023 -d ! 192.168.10.6 22 -p tcp -j MASQ
##=> SSH-outfw
##-> This allows SSH conntections from the outside network to your
##-> firewall.
/sbin/ipchains -A input -i eth1 -p tcp -s ! 192.168.10.6 1024:65535 -d 192.168.10.7 22 -j ACCEPT
/sbin/ipchains -A output -i eth1 -p tcp ! -y -s 192.168.10.7 22 -d ! 192.168.10.6 1024:65535 -j ACCEPT
/sbin/ipchains -A input -i eth1 -p tcp -s ! 192.168.10.6 513:1023 -d 192.168.10.7 22 -j ACCEPT
/sbin/ipchains -A output -i eth1 -p tcp ! -y -s 192.168.10.7 22 -d ! 192.168.10.6 513:1023 -j ACCEPT
##=> SSH-outin
##-> Allows clients on the external network to connect to secure shell
##-> servers on the inside network.
##NOMASQ: /sbin/ipchains -A input -i eth1 -s ! 192.168.10.6 1024:65535 -d 192.168.10.0/255.255.255.0 22 -p tcp -j ACCEPT
##NOMASQ: /sbin/ipchains -A output -i eth1 -s 192.168.10.0/255.255.255.0 22 -d ! 192.168.10.6 1024:65535 ! -y -p tcp -j ACCEPT
##NOMASQ: /sbin/ipchains -A input -i eth1 -s ! 192.168.10.6 513:1023 -d 192.168.10.0/255.255.255.0 22 -p tcp -j ACCEPT
##NOMASQ: /sbin/ipchains -A output -i eth1 -s 192.168.10.0/255.255.255.0 22 -d ! 192.168.10.6 513:1023 ! -y -p tcp -j ACCEPT
##NOMASQ: /sbin/ipchains -A input -i eth0 -s 192.168.10.0/255.255.255.0 22 -d ! 192.168.10.6 1024:65535 ! -y -p tcp -j ACCEPT
##NOMASQ: /sbin/ipchains -A output -i eth0 -s ! 192.168.10.6 1024:65535 -d 192.168.10.0/255.255.255.0 22 -p tcp -j ACCEPT
##NOMASQ: /sbin/ipchains -A forward -i eth0 -s ! 192.168.10.6 1024:65535 -d 192.168.10.0/255.255.255.0 22 -p tcp -j ACCEPT
##NOMASQ: /sbin/ipchains -A forward -i eth1 -s 192.168.10.0/255.255.255.0 22 -d ! 192.168.10.6 1024:65535 ! -y -p tcp -j ACCEPT
##NOMASQ: /sbin/ipchains -A input -i eth0 -s 192.168.10.0/255.255.255.0 22 -d ! 192.168.10.6 513:1023 ! -y -p tcp -j ACCEPT
##NOMASQ: /sbin/ipchains -A output -i eth0 -s ! 192.168.10.6 513:1023 -d 192.168.10.0/255.255.255.0 22 -p tcp -j ACCEPT
##NOMASQ: /sbin/ipchains -A forward -i eth0 -s ! 192.168.10.6 513:1023 -d 192.168.10.0/255.255.255.0 22 -p tcp -j ACCEPT
##NOMASQ: /sbin/ipchains -A forward -i eth1 -s 192.168.10.0/255.255.255.0 22 -d ! 192.168.10.6 513:1023 ! -y -p tcp -j ACCEPT
##=> SSH-fwin
##-> Allows SSH conntections from the firewall host to the inside network.
/sbin/ipchains -A output -i eth0 -s 192.168.10.6 1024:65535 -d 192.168.10.0/255.255.255.0 22 -p tcp -j ACCEPT
/sbin/ipchains -A input -i eth0 -s 192.168.10.0/255.255.255.0 22 -d 192.168.10.6 1024:65535 ! -y -p tcp -j ACCEPT
/sbin/ipchains -A output -i eth0 -s 192.168.10.6 513:1023 -d 192.168.10.0/255.255.255.0 22 -p tcp -j ACCEPT
/sbin/ipchains -A input -i eth0 -s 192.168.10.0/255.255.255.0 22 -d 192.168.10.6 513:1023 ! -y -p tcp -j ACCEPT
##=> SSH-fwout
##-> Allows SSH conntections from the firewall host to the outside network.
# Already set in line 817
# Already set in line 816
# Already set in line 820
# Already set in line 819
##=> Webmin-infw
##-> This will allow you to access the Webmin on the firewall host from your
##-> inside network. You should to that in order to be able to use this
##-> ipchains module to configure the firewall... You may want to disable
##-> this if your are an external consultant or sitting right next to the
##-> firewall with a monitor attached running Netscape with Webmin on localhost.
/sbin/ipchains -A input -i eth0 -s 192.168.10.0/255.255.255.0 1024:65535 -d 192.168.10.6 10000 -p tcp -j ACCEPT
/sbin/ipchains -A output -i eth0 -s 192.168.10.6 10000 -d 192.168.10.0/255.255.255.0 1024:65535 ! -y -p tcp -j ACCEPT
##=> Webmin-inout
##-> Allows clients on the internal network to access Webmin host on the
##-> outside port. It allows access only to the same port, this Webmin is
##-> running on, assuming that the numbers are the same.
/sbin/ipchains -A input -i eth0 -s 192.168.10.0/255.255.255.0 1024:65535 -d ! 192.168.10.6 10000 -p tcp -j ACCEPT
/sbin/ipchains -A output -i eth0 -s ! 192.168.10.6 10000 -d 192.168.10.0/255.255.255.0 1024:65535 ! -y -p tcp -j ACCEPT
##NOMASQ: /sbin/ipchains -A input -i eth1 -s ! 192.168.10.6 10000 -d 192.168.10.0/255.255.255.0 1024:65535 ! -y -p tcp -j ACCEPT
##NOMASQ: /sbin/ipchains -A output -i eth1 -s 192.168.10.0/255.255.255.0 1024:65535 -d ! 192.168.10.6 10000 -p tcp -j ACCEPT
##NOMASQ: /sbin/ipchains -A forward -i eth1 -s 192.168.10.0/255.255.255.0 1024:65535 -d ! 192.168.10.6 10000 -p tcp -j ACCEPT
##NOMASQ: /sbin/ipchains -A forward -i eth0 -s ! 192.168.10.6 10000 -d 192.168.10.0/255.255.255.0 1024:65535 ! -y -p tcp -j ACCEPT
/sbin/ipchains -A input -i eth1 -s ! 192.168.10.6 10000 -d 192.168.10.7 1024:65535 ! -y -p tcp -j ACCEPT
/sbin/ipchains -A output -i eth1 -s 192.168.10.7 1024:65535 -d ! 192.168.10.6 10000 -p tcp -j ACCEPT
/sbin/ipchains -A forward -s 192.168.10.0/255.255.255.0 1024:65535 -d ! 192.168.10.6 10000 -p tcp -j MASQ
##=> Webmin-outfw
##-> Allows traffic to Webmin from the outside network. You should enable
##-> this template, if you want to be able to change the configuration of
##-> Firewall from the outside network.
/sbin/ipchains -A input -i eth1 -d 192.168.10.7 10000 -s ! 192.168.10.6 1024:65535 -p tcp -j ACCEPT
/sbin/ipchains -A output -i eth1 -s 192.168.10.7 10000 -d ! 192.168.10.6 1024:65535 -p tcp -j ACCEPT
##=> Webmin-outin
##-> Allows clients on the external network to access Webmin host on the
##-> inside network. It allows access only to the same port, this Webmin is
##-> running on, assuming that the numbers are the same.
##NOMASQ: /sbin/ipchains -A input -i eth1 -s ! 192.168.10.6 1024:65535 -d 192.168.10.0/255.255.255.0 10000 -p tcp -j ACCEPT
##NOMASQ: /sbin/ipchains -A output -i eth1 -s 192.168.10.0/255.255.255.0 10000 -d ! 192.168.10.6 1024:65535 ! -y -p tcp -j ACCEPT
##NOMASQ: /sbin/ipchains -A input -i eth0 -s 192.168.10.0/255.255.255.0 10000 -d ! 192.168.10.6 1024:65535 ! -y -p tcp -j ACCEPT
##NOMASQ: /sbin/ipchains -A output -i eth0 -s ! 192.168.10.6 1024:65535 -d 192.168.10.0/255.255.255.0 10000 -p tcp -j ACCEPT
##NOMASQ: /sbin/ipchains -A forward -i eth0 -s ! 192.168.10.6 1024:65535 -d 192.168.10.0/255.255.255.0 10000 -p tcp -j ACCEPT
##NOMASQ: /sbin/ipchains -A forward -i eth1 -s 192.168.10.0/255.255.255.0 10000 -d ! 192.168.10.6 1024:65535 ! -y -p tcp -j ACCEPT
##=> Webmin-fwin
##-> Allows the firewall host to connect to Webmin Servers on the inside
##-> network. It is assumed that Webmin Servers on the inside network run on
##-> the same port as the Webmin on the firewall host.
/sbin/ipchains -A output -i eth0 -s 192.168.10.6 1024:65535 -d 192.168.10.0/255.255.255.0 10000 -p tcp -j ACCEPT
/sbin/ipchains -A input -i eth0 -s 192.168.10.0/255.255.255.0 10000 -d 192.168.10.6 1024:65535 ! -y -p tcp -j ACCEPT
##=> Webmin-fwout
##-> Allows the firewall host to connect to Webmin Servers on the outside
##-> network. It is assumed that Webmin Servers on the outside network run on
##-> the same port as the Webmin on the firewall host.
# Already set in line 887
# Already set in line 886
Zitieren
:
Lesezeichen