[fixed]# Main Options                                                                                                                      
IPTABLES="/sbin/iptables"                                                                                                            
TCP_ALLOW="21 2002 1241 3389 80"                                                                                                    
UDP_ALLOW=""                                                                                                                        
INET_IFACE="ppp0"                                                                                                                    
LAN_IFACE="eth1"                                                                                                                    
INTERNAL_LAN="192.168.0.0/24"                                                                                                        
MASQ_LAN="192.168.0.0/24"                                                                                                            
SNAT_LAN=""                                                                                                                          
DROP="TREJECT"                                                                                                                      
DENY_ALL=""                                                                                                                          
DENY_HOSTWISE_TCP=""                                                                                                                
DENY_HOSTWISE_UDP=""                                                                                                                
BLACKHOLE=""                                                                                                                        
BLACKHOLE_DROP="DROP"                                                                                                                
ALLOW_HOSTWISE_TCP=""                                                                                                                
ALLOW_HOSTWISE_UDP=""                                                                                                                
TCP_FW="3389>192.168.0.4 10000-10005>192.168.0.5 80>192.168.0.5"                                                                    
UDP_FW=""                                                                                                                            
MANGLE_TOS_OPTIMIZE="FALSE"                                                                                                          
DHCP_SERVER="FALSE"                                                                                                                  
BAD_ICMP="5 9 10 15 16 17 18"                                                                                                        
ENABLE="Y"                                                                                                                          
                                                                                                                                     
# Flood Params                                                                                                                      
LOG_FLOOD="2/s"                                                                                                                      
SYN_FLOOD="20/s"                                                                                                                    
PING_FLOOD="1/s"                                                                                                                    
                                                                                                                                     
# Outbound filters                                                                                                                  
# FIXME: Update config help wiki then remove one-liner help                                                                          
ALLOW_OUT_TCP=""                                # Internal hosts allowed to be forwarded out on TCP (do not put this/these host/s in
PROXY=""                                        # Redirect for Squid or other TRANSPARENT proxy. Syntax to specify the proxy is "hos
MY_IP=""                                        # Set to the internal IP of this box (with the firewall), only needed for PROXY=  

####################################################################################
# You should put this config-file (iptables-firewall.conf) in for example in /etc/ #
# Make sure it's only root readable! -> "chmod 600" & "chown root" it!)            #
####################################################################################
 
# Configuration File for Arno's IPTABLES single & dual homed (ADSL) firewall script (rc.iptables)
# (C) Copyright 2001-2002 by Arno van Amersfoort
# Homepage              : http://rulhmpc57.leidenuniv.nl/projects/iptables-firewall/
# Freshmeat homepage    : http://freshmeat.net/projects/iptables-firewall/?topic_id=151
 
# This program is free software; you can redistribute it and/or
# modify it under the terms of the GNU General Public License
# as published by the Free Software Foundation; either version 2
# of the License, or (at your option) any later version.
 
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
# GNU General Public License for more details.
 
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA  02111-1307, USA.
 
#################################################################################################
## Any suggestions, questions or comments are welcome at: "a r n o v a AT x s 4 a l l DOT n l" ##
#################################################################################################
 
############################################
# Required variables for correct operation #
############################################
IPTABLES="/sbin/iptables"         # Location of the IPTABLES binary
EXT_IF="ppp+"                     # The external interface that will be protected (and used as internet connection)
                                  # This is probably ppp+ for (A)DSL (for non-transparant (A)DSL routers!)
                                  # otherwise it should be "ethX" (ex. eth0)
DYNAMIC_IP=1                      # Enable this if your ISP dynamically assigns IP's through DHCP
 
#################################################################################################################
# These options should (only) be used when you have an ADSL/DSL modem ("Alcatal Home" for example.) which works #
# for with a PPPoE (PPP-over-Ethernet) or a PPPoA (PPP-over-ATM) connection (or simular 'ppp' connection).      #
#                                                                                                               #
# You can check whether this applies for your (hardware) setup with 'ifconfig' (a 'ppp' device is shown).       #
# This means that if your modem is bridging (a transparant router) or the network interface the modem is        #
# connected to doesn't have an IP, you should leave the MODEM_xxx options disabled (default)!                   #
#################################################################################################################
MODEM_IF="eth0"                   # The physical(!) network interface your ADSL modem is connected to (this is not ppp0!)
MODEM_IF_IP="192.168.20.1"          # The IP of the network interface (MODEM_IF) your ADSL modem is connected to (IP shown
                                  # for the modem interface (MODEM_IF) in 'ifconfig')
MODEM_IP=""             # The IP of your (A)DSL modem itself (which should NOT be the same as MODEM_IF_IP!).
                                  # If (you suspect that) your modem doesn't have an IP, than leave MODEM_IP empty(="" )!
 
#####################################
# LAN & NAT (masquerading) settings #
#####################################
INT_IF="eth1"                     # Internal network interface or interfaces (multiple(!) interfaces should be
                                  # space seperated). Rremark this if you don't have any internal network interfaces.
INTERNAL_NET="192.168.0.0/24"     # Your internal subnet which is connected to the internal interface. For multiple
                                  # interfaces(!) you can either specify multiple subnets here or specify one big
                                  # subnet for all internal interfaces. Packets from these subnets are always accepted!
NAT=1                             # Enable this if you want to perform NAT for your internal network (LAN)
                                  # (ie, share your internet connection with your internal net(s) connected to INT_IF)
NAT_INTERNAL_NET=""               # (EXPERT SETTING!). Use this variable only if you want specific subnets or hosts to
                                  # be able to access the internet. When no value is specified, you're whole internal LAN
                                  # will have access. In both cases its only meaningful of course when NAT is enabled.
MODEM_INTERNAL_NET=$INTERNAL_NET  # (EXPERT SETTING!). Here you can specify the hosts/local net(s) that should have
                                  # access to the (A)DSL modem itself (manage modem settings). The default setting
                                  # ($INTERNAL_NET) allows access from everybody on your LAN.
TCP_FORWARD="3389>192.168.0.4, 80>192.168.0.5"                    # TCP forwards, form is "PORT1,PORT2,...>DESTIP1{:port} PORT3,PORT4,...>DESTIP2{:port}"
UDP_FORWARD=""                    # UDP forwards, form is "PORT1,PORT2,...>DESTIP1{:port} PORT3,PORT4,...>DESTIP2{:port}"
                                  # Note that {:port} is optional in TCP/UDP port forwards.
                                  # TCP/UDP port forward example: xxx_FORWARD="20,21>192.168.0.10 81>192.168.0.11:80".
IP_FORWARD=""                     # IP protocol forwards (useful for forwarding non-TCP/UDP/ICMP protocols)
                                  # form is "PROTO1,PROTO2,...>DESTIP1 PROTO3,PROTO4,...>DESTIP2"
                                  # IP protocol forward example: "47,48>192.168.0.10"
OTHER_IF=""                       # (EXPERT SETTING!). Other network interfaces for which ALL IP traffic should be
                                  # ACCEPTED (like with a local loopback) (multiple(!) interfaces should be space
                                  # seperated). Be warned that anything to and from these interfaces is allowed (ACCEPTED)
                                  # so make sure its NOT routable(accessible) from the outside world (internet)!
 
####################
# General settings #
####################
MANGLE_TOS=1                      # Enable this if you want TOS mangling (RFC)
SET_MSS=1                         # Set the maximum packet size via the Maximum Segment Size(MSS field)
RESOLV_IPS=0                      # Enable this to resolve names of DNS/TH IP's etc.
DHCP_BOOTP=0                      # Enable support for DHCP/BOOTP service
USE_IRC=0                         # Enable support for IRC service
LOOSE_FORWARD=0                   # Forward loosen. Enable this option to allow the use of protocols like UPnP. Note
                                  # that it *could* be less secure.
DROP_PRIVATE_ADDRESSES=1          # Enable this if you want to drop packets originating from a private address. Normally
                                  # this should be enabled(1).
DROP_IANA_RESERVED=1              # Enable this if you want to drop addresses which are registered as reserved by IANA.
                                  # This option exists as the IANA list simply changes too often.
 
#########################################################################
# Logging options - All logging is rate limited to prevent log flooding #
#########################################################################
ICMP_FLOOD_LOG=1                  # Enable logging for ICMP flooding
ICMP_DROP_LOG=1                   # Enable logging for ICMP-packets which are DROPPED
SCAN_LOG=1                        # Enable logging for various stealth scans (reliable)
POSSIBLE_SCAN_LOG=1               # Enable logging for possible stealth scans (less reliable)
BAD_FLAGS_LOG=1                   # Enable logging for TCP-packets with bad flags
BLOCKED_HOST_LOG=1                # Enable logging for explicitly blocked hosts
CLOSED_PORT_LOG=1                 # Enable logging for explicitly blocked ports
RESERVED_NET_LOG=1                # Enable logging of source IP's with reserved addresses
OPEN_CONNECT_LOG=0                # Enable logging of new connections to TCP/UDP ports open to the whole world
INVALID_PACKET_LOG=1              # Enable logging of invalid packets
FRAG_LOG=1                        # Enable logging of fragmented packets
LOST_CONNECTION_LOG=0             # Enable logging of (probable) "lost connections". Keep disabled to reduce false alarms
CONNECT_LOG=1                     # Enable logging of connection attempts to privileged (TCP/UDP) ports
UNPRIV_TCP_LOG=1                  # Enable logging of connection attempts to unprivileged TCP ports
UNPRIV_UDP_LOG=1                  # Enable logging of connection attempts to unprivileged UDP ports
OTHER_IP_LOG=1                    # Enable logging of connection attempts to "other-IP"-protocols (non TCP/UDP/ICMP)
DHCP_BROADCAST_LOG=0              # Enable logging of DHCP broadcasts. You probably want to disable(0) this if you
                                  # have a DHCP server in your subnet but don't use it yourself.
OUTPUT_DENY_LOG=1                 # Enable logging of denied OUTPUT(local) or FORWARD(internal network) connections.
LOGLEVEL=info                     # Current log-level ("info": default kernel syslog level)
                                  # "debug": can be used to log to /var/log/firewall,
                                  # but you have to configure syslogd accordingly (see included syslogd.conf example)
 
###########################################
# /proc based settings (EXPERT SETTINGS!) #
###########################################
SYN_PROT=1                        # Enable if you want synflood protection (through /proc/.../tcp_syncookies)
REDUCE_DOS_ABILITY=1              # Enable this to reduce the ability of others DOS'ing your machine
ECHO_IGNORE=0                     # Enable if you want to automatically ignore all ICMP echo requests (IPv4)
                                  # this is very useful in stopping lame DoS-Attacks (aka ping -f's)
LOG_MARTIANS=0                    # Enable if you want to log packets with impossible addresses to the kernel log
ICMP_REDIRECT=0                   # Enable if you want to accept ICMP redirect messages
                                  # Should be set to "0" in case of a router
HIGHER_CONNTRACK=0                # Enable if you want to handle a huge number of simultanteous connections
                                  # (uses more memory but recommended for (high-traffic) servers)
LOOSE_UDP_PATCH=0                 # You may need to enable this to get some internet games to work,
                                  # but note that it's *less* secure
ECN=0                             # Enable ECN (Explicit Congestion Notification) TCP flag
                                  # Disabled by default, as some routers are still not compatible with this
RP_FILTER=1                       # Use the rp_filter to drop connections from non-routable IPs. This should be
                                  # disabled(0) when you for example want to use Freeswan (VPN) to route external private
                                  # addresses into your network. Note that for extra security the external interface(s)
                                  # (EXT_IF) is/are always filtered!
 
#################################################################################################################
# Put in the following variable which hosts (subnets) you want have full access via your internet connection(!) #
# NOTE: Don't mistake this variable with the one used for internal nets                                         #
#################################################################################################################
FULL_ACCESS_HOSTS=""
 
#################################################################################################################
# Put in the following variable which DNS servers you use                                                       #
# Only required when you run your own DNS server (for example BIND)                                             #
#################################################################################################################
DNS_SERVERS=""
 
# These are the root DNS-servers (uncomment lineS(!) below if you want to use them for BIND)
#ROOT_DNS_SERVERS="128.63.2.53    192.33.4.12  192.112.36.4 192.5.5.241  128.9.0.107 \
#                  198.41.0.10    193.0.14.129 198.32.64.12 202.12.27.33 192.36.148.17 \
#                  192.203.230.10 128.8.10.90  198.41.0.4"
 
#################################################################################################################
# Put in the following variables which ports you want to leave open to the whole world                          #
#################################################################################################################
OPEN_TCP="2002 21 3389"                        # TCP port(s) the whole world is allowed to connect to
OPEN_UDP=""                        # UDP port(s) the whole world is allowed to connect to
OPEN_IP=""                         # IP protocol(s) (non TCP/UDP) the whole world is allowed to connect to
OPEN_ICMP=0                        # Enable ICMP reply for the whole world (not recommended)
 
#################################################################################################################
# Put in the following variables the tcp/udp ports you want to block for everyone. Also use these variables     #
# if you want to log connection attempts to these ports from everyone (also trusted & full access hosts)        #
#################################################################################################################
CLOSED_TCP=""
CLOSED_UDP=""
 
#################################################################################################################
# Put in the following variables which ports you want to block for everyone but NOT logged.                     #
# This is very useful if you have constant probes on the same port(s) over and over again (code red worm)       #
# and don't want your logs flooded with it.                                                                     #
#################################################################################################################
CLOSED_TCP_NOLOG=""
CLOSED_UDP_NOLOG=""
 
#################################################################################################################
# Put in the following variables which hosts you want to allow for certain services                             #
# TCP/UDP port format (OPEN_HOST_TCP & OPEN_HOST_UDP) : host1,host2>port1,port2 host3,host4>port3,port4 ...     #
# IP protocol format (OPEN_HOST_IP)                   : host1,host2>proto1,proto2 host3,host4>proto4,proto4 ... #
#################################################################################################################
OPEN_HOST_TCP=""
OPEN_HOST_UDP=""
OPEN_HOST_IP=""
OPEN_HOST_ICMP=""
 
#################################################################################################################
# Put in the following variables which hosts you want to deny for certain services                              #
# TCP/UDP port format (DENY_HOST_TCP & DENY_HOST_UDP) : host1,host2>port1,port2 host3,host4>port3,port4 ...     #
#################################################################################################################
DENY_HOST_TCP=""
DENY_HOST_UDP=""
 
#################################################################################################################
# Put in the following variables the tcp/udp ports TO (remote end-point) which the MASQUERADED machines are NOT #
# permitted to connect to via the external (internet) interface. Examples of usage are for blocking             #
# IRC (tcp 6666:6669)                                                                                           #
#################################################################################################################
DENY_TCP_FORWARD=""
DENY_UDP_FORWARD=""
 
#################################################################################################################
# Put in the following variables the tcp/udp ports TO (remote end-point) which THIS machine is NOT permitted to #
# connect to via the external (internet) interface. Examples of usage are for blocking IRC (tcp 6666:6669)      #
#################################################################################################################
DENY_TCP_OUTPUT=""
DENY_UDP_OUTPUT=""
 
#################################################################################################################
# Put in the following variable which hosts you want to block (blackhole, dropping every packet from the host)  #
#################################################################################################################
BLOCK_HOSTS=""
 
# Location of the BLOCKED HOSTS file (if any):
##############################################
BLOCKED_HOSTS=/etc/iptables-blocked-hosts
 
# Location of the custom IPTABLES rules file (if any):
######################################################
CUSTOM_RULES=/etc/iptables-custom-rules

Setting host and port policies...
---------------------------------
Logging of probable "lost connections" disabled...
Logging of explicitly blocked hosts enabled...
Logging of explicitly blocked ports enabled...
Logging of dropped ICMP packets enabled...
Packets will be checked for private source addresses...
Logging of connections made to ports open for the whole world disabled...
Allowing the whole world to connect to TCP port(s): 2002 21 3389...
Denying the whole world to send ICMP packets...
Logging of possible stealth scans enabled...
Logging of "Normal" connection attempts to PRIVILEGED TCP/UDP ports enabled...
Logging of "Normal" connection attempts to UNPRIVILEGED TCP ports enabled...
Logging of "Normal" connection attempts to UNPRIVILEGED UDP ports enabled...
Logging of other IP protocols (non TCP/UDP/ICMP) connection attempts enabled...
Enabling masquerading(NAT) for internal subnet(s) 192.168.0.0/24 on interface(s) eth1...
Forwarding TCP port(s) 3389 to local host 192.168.0.4...
Forwarding TCP port(s) 80 to local host 192.168.0.5...
Security is ENFORCED on the FORWARD chain...
Enabling mangling TOS...