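# Starting up GIPTables Firewall:
#
# GIPTables rule set for a two-interface gateway:
#   eth0 - Internet side, address 203.131.99.50
#   eth1 - internal "network 1" side, address 176.20.9.1 on 176.20.9.0/24
# Every packet is steered from the builtin chains into a per-interface chain
# (interface0_in/out, interface1_in/out) or, when forwarded, into
# network1_in/out.  Rules are appended, so section order below is evaluation
# order: anti-abuse checks first, per-service accepts, then a final LOG & DROP.

# Setting default filter policy BEFORE flushing.  The original listing flushed
# first and set the policies afterwards, which left a short window on every
# (re)start where the previous policies applied with no rules at all - on a
# fresh boot that is ACCEPT.  Setting DROP first keeps the box fail-closed
# while the rules are being loaded.
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP

# Flushing all rules in filter, nat and mangle and deleting user chains so a
# re-run starts from a clean table instead of appending duplicates.
iptables -F
iptables -X
iptables -t nat -F
iptables -t nat -X
iptables -t mangle -F
iptables -t mangle -X

# nat and mangle are pass-through; filtering happens in the filter table only.
iptables -t nat -P PREROUTING ACCEPT
iptables -t nat -P POSTROUTING ACCEPT
iptables -t nat -P OUTPUT ACCEPT
iptables -t mangle -P PREROUTING ACCEPT
iptables -t mangle -P OUTPUT ACCEPT

# Creating custom chains: one _in/_out pair per interface, plus one pair for
# traffic forwarded between eth0 and eth1 ("network 1").

# Creating loopback interface chains
iptables -N loopback_in
iptables -N loopback_out
iptables -A INPUT -i lo -j loopback_in
iptables -A OUTPUT -o lo -j loopback_out

# Creating interface 0 chains (eth0, Internet side)
iptables -N interface0_in
iptables -N interface0_out
iptables -A INPUT -i eth0 -j interface0_in
iptables -A OUTPUT -o eth0 -j interface0_out

# Creating interface 1 chains (eth1, network 1 side)
iptables -N interface1_in
iptables -N interface1_out
iptables -A INPUT -i eth1 -j interface1_in
iptables -A OUTPUT -o eth1 -j interface1_out

# Creating network 1 forward chains
# network1_in  = forwarded eth0 -> eth1 (replies coming back to the LAN)
# network1_out = forwarded eth1 -> eth0 (LAN clients going out)
iptables -N network1_in
iptables -N network1_out
iptables -A FORWARD -i eth0 -o eth1 -j network1_in
iptables -A FORWARD -i eth1 -o eth0 -j network1_out

# Unlimited traffic on the loopback interface
iptables -A loopback_in -s 0/0 -j ACCEPT
iptables -A loopback_out -d 0/0 -j ACCEPT

# Network Ghouls
# Syn-flood protection
# Limit the number of incoming tcp connections: SYN packets pass through a
# rate limiter chain; packets above the limit are dropped.
# NOTE(review): the limit is global per chain, not per source address.  An
# attacker sending SYNs faster than the limit on eth0 (1/s, burst 3) causes
# this chain to drop legitimate connection attempts too, i.e. the protection
# itself is an easy denial of service.  Tune the rates with care or prefer a
# per-source limiter / kernel SYN cookies.  Packets over the limit used to be
# dropped silently; they are now logged (rate-limited) like every other drop
# in this rule set so a flood is visible in the logs.

# Interface 0 incoming syn-flood protection
iptables -N syn_flood_interface0_in
iptables -A interface0_in -p tcp --syn -j syn_flood_interface0_in
iptables -A syn_flood_interface0_in -m limit --limit 1/s --limit-burst 3 -j RETURN
iptables -A syn_flood_interface0_in -m limit --limit 5/m --limit-burst 7 -j LOG --log-prefix giptables-syn-flood:
iptables -A syn_flood_interface0_in -j DROP

# Interface 1 incoming syn-flood protection
iptables -N syn_flood_interface1_in
iptables -A interface1_in -p tcp --syn -j syn_flood_interface1_in
iptables -A syn_flood_interface1_in -m limit --limit 3/s --limit-burst 5 -j RETURN
iptables -A syn_flood_interface1_in -m limit --limit 7/m --limit-burst 9 -j LOG --log-prefix giptables-syn-flood:
iptables -A syn_flood_interface1_in -j DROP

# Network 1 forwarded incoming syn-flood protection
iptables -N syn_flood_network1_in
iptables -A network1_in -p tcp --syn -j syn_flood_network1_in
iptables -A syn_flood_network1_in -m limit --limit 5/s --limit-burst 7 -j RETURN
iptables -A syn_flood_network1_in -m limit --limit 9/m --limit-burst 11 -j LOG --log-prefix giptables-syn-flood:
iptables -A syn_flood_network1_in -j DROP

# Sanity check
# Make sure NEW incoming tcp connections are SYN packets: a packet that
# conntrack classifies as NEW but does not carry a lone SYN is a stray or a
# crafted probe, never a legitimate connection opening.
iptables -A interface0_in -p tcp ! --syn -m state --state NEW -m limit --limit 5/m --limit-burst 7 -j LOG --log-prefix giptables-new-no-syn:
iptables -A interface0_in -p tcp ! --syn -m state --state NEW -j DROP
iptables -A interface1_in -p tcp ! --syn -m state --state NEW -m limit --limit 7/m --limit-burst 9 -j LOG --log-prefix giptables-new-no-syn:
iptables -A interface1_in -p tcp ! --syn -m state --state NEW -j DROP
iptables -A network1_in -p tcp ! --syn -m state --state NEW -m limit --limit 9/m --limit-burst 11 -j LOG --log-prefix giptables-new-no-syn:
iptables -A network1_in -p tcp ! --syn -m state --state NEW -j DROP

# Drop all incoming fragments
# NOTE(review): with connection tracking loaded (the state match is used
# throughout this rule set) IP fragments are normally reassembled before the
# filter table sees them, so these rules are expected to match little or
# nothing.  They are kept as defence in depth, not relied upon.
iptables -A interface0_in -f -m limit --limit 5/m --limit-burst 7 -j LOG --log-prefix giptables-fragments:
iptables -A interface0_in -f -j DROP
iptables -A interface1_in -f -m limit --limit 7/m --limit-burst 9 -j LOG --log-prefix giptables-fragments:
iptables -A interface1_in -f -j DROP
iptables -A network1_in -f -m limit --limit 9/m --limit-burst 11 -j LOG --log-prefix giptables-fragments:
iptables -A network1_in -f -j DROP

# Drop all incoming malformed XMAS packets (every TCP flag set).
# Only the all-flags variant is matched here; the nmap-style FIN/PSH/URG
# probe is not, and is left to the NEW-without-SYN sanity check above.
iptables -A interface0_in -p tcp --tcp-flags ALL ALL -m limit --limit 5/m --limit-burst 7 -j LOG --log-prefix giptables-malformed-xmas:
iptables -A interface0_in -p tcp --tcp-flags ALL ALL -j DROP
iptables -A interface1_in -p tcp --tcp-flags ALL ALL -m limit --limit 7/m --limit-burst 9 -j LOG --log-prefix giptables-malformed-xmas:
iptables -A interface1_in -p tcp --tcp-flags ALL ALL -j DROP
iptables -A network1_in -p tcp --tcp-flags ALL ALL -m limit --limit 9/m --limit-burst 11 -j LOG --log-prefix giptables-malformed-xmas:
iptables -A network1_in -p tcp --tcp-flags ALL ALL -j DROP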
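# Drop all incoming malformed NULL packets (no TCP flag set at all).
# Scanner probe signature; kept as defence in depth alongside the
# NEW-without-SYN sanity check.
iptables -A interface0_in -p tcp --tcp-flags ALL NONE -m limit --limit 5/m --limit-burst 7 -j LOG --log-prefix giptables-malformed-null:
iptables -A interface0_in -p tcp --tcp-flags ALL NONE -j DROP
iptables -A interface1_in -p tcp --tcp-flags ALL NONE -m limit --limit 7/m --limit-burst 9 -j LOG --log-prefix giptables-malformed-null:
iptables -A interface1_in -p tcp --tcp-flags ALL NONE -j DROP
iptables -A network1_in -p tcp --tcp-flags ALL NONE -m limit --limit 9/m --limit-burst 11 -j LOG --log-prefix giptables-malformed-null:
iptables -A network1_in -p tcp --tcp-flags ALL NONE -j DROP

# Spoofing and bad addresses
# Packets whose source address cannot legitimately arrive on a given interface
# are logged (rate-limited, prefix giptables-drop-src-spoof:) and dropped.
# Each interface rejects its own address and the reserved / non-routable
# ranges; the forward chain network1_in (eth0 -> eth1) gets the same checks.
# These must stay ahead of the service accepts below, several of which match
# "-s 0/0".

# Bad incoming source ip address 203.131.99.50 (our own eth0 address)
iptables -A interface0_in -s 203.131.99.50 -m limit --limit 5/m --limit-burst 7 -j LOG --log-prefix giptables-drop-src-spoof:
iptables -A interface0_in -s 203.131.99.50 -j DROP
iptables -A network1_in -s 203.131.99.50 -m limit --limit 9/m --limit-burst 11 -j LOG --log-prefix giptables-drop-src-spoof:
iptables -A network1_in -s 203.131.99.50 -j DROP

# Bad incoming source ip address 176.20.9.1 (our own eth1 address)
iptables -A interface1_in -s 176.20.9.1 -m limit --limit 7/m --limit-burst 9 -j LOG --log-prefix giptables-drop-src-spoof:
iptables -A interface1_in -s 176.20.9.1 -j DROP

# Bad incoming source ip address 176.20.9.0/24 arriving from the Internet side.
# Added: the network 1 prefix sits behind eth1 and is SNATed to 203.131.99.50
# on its way out (see the POSTROUTING rules below), so a packet carrying it as
# source can never legitimately arrive on eth0.  The original listing had no
# such rule, so a spoofed 176.20.9.x packet could reach the "-s 0/0" service
# accepts on interface0_in (SMTP/POP3/HTTP) instead of being dropped here.
iptables -A interface0_in -s 176.20.9.0/24 -m limit --limit 5/m --limit-burst 7 -j LOG --log-prefix giptables-drop-src-spoof:
iptables -A interface0_in -s 176.20.9.0/24 -j DROP
iptables -A network1_in -s 176.20.9.0/24 -m limit --limit 9/m --limit-burst 11 -j LOG --log-prefix giptables-drop-src-spoof:
iptables -A network1_in -s 176.20.9.0/24 -j DROP

# Bad incoming source ip address 0.0.0.0/8
iptables -A interface0_in -s 0.0.0.0/8 -m limit --limit 5/m --limit-burst 7 -j LOG --log-prefix giptables-drop-src-spoof:
iptables -A interface0_in -s 0.0.0.0/8 -j DROP
iptables -A network1_in -s 0.0.0.0/8 -m limit --limit 9/m --limit-burst 11 -j LOG --log-prefix giptables-drop-src-spoof:
iptables -A network1_in -s 0.0.0.0/8 -j DROP

# Bad incoming source ip address 127.0.0.0/8
iptables -A interface0_in -s 127.0.0.0/8 -m limit --limit 5/m --limit-burst 7 -j LOG --log-prefix giptables-drop-src-spoof:
iptables -A interface0_in -s 127.0.0.0/8 -j DROP
iptables -A interface1_in -s 127.0.0.0/8 -m limit --limit 7/m --limit-burst 9 -j LOG --log-prefix giptables-drop-src-spoof:
iptables -A interface1_in -s 127.0.0.0/8 -j DROP
iptables -A network1_in -s 127.0.0.0/8 -m limit --limit 9/m --limit-burst 11 -j LOG --log-prefix giptables-drop-src-spoof:
iptables -A network1_in -s 127.0.0.0/8 -j DROP

# Bad incoming source ip address 10.0.0.0/8
iptables -A interface0_in -s 10.0.0.0/8 -m limit --limit 5/m --limit-burst 7 -j LOG --log-prefix giptables-drop-src-spoof:
iptables -A interface0_in -s 10.0.0.0/8 -j DROP
iptables -A interface1_in -s 10.0.0.0/8 -m limit --limit 7/m --limit-burst 9 -j LOG --log-prefix giptables-drop-src-spoof:
iptables -A interface1_in -s 10.0.0.0/8 -j DROP
iptables -A network1_in -s 10.0.0.0/8 -m limit --limit 9/m --limit-burst 11 -j LOG --log-prefix giptables-drop-src-spoof:
iptables -A network1_in -s 10.0.0.0/8 -j DROP

# Bad incoming source ip address 172.16.0.0/12
iptables -A interface0_in -s 172.16.0.0/12 -m limit --limit 5/m --limit-burst 7 -j LOG --log-prefix giptables-drop-src-spoof:
iptables -A interface0_in -s 172.16.0.0/12 -j DROP
iptables -A interface1_in -s 172.16.0.0/12 -m limit --limit 7/m --limit-burst 9 -j LOG --log-prefix giptables-drop-src-spoof:
iptables -A interface1_in -s 172.16.0.0/12 -j DROP
iptables -A network1_in -s 172.16.0.0/12 -m limit --limit 9/m --limit-burst 11 -j LOG --log-prefix giptables-drop-src-spoof:
iptables -A network1_in -s 172.16.0.0/12 -j DROP

# Bad incoming source ip address 192.168.0.0/16
# (deliberately not applied to interface1_in in the original listing; kept so)
iptables -A interface0_in -s 192.168.0.0/16 -m limit --limit 5/m --limit-burst 7 -j LOG --log-prefix giptables-drop-src-spoof:
iptables -A interface0_in -s 192.168.0.0/16 -j DROP
iptables -A network1_in -s 192.168.0.0/16 -m limit --limit 9/m --limit-burst 11 -j LOG --log-prefix giptables-drop-src-spoof:
iptables -A network1_in -s 192.168.0.0/16 -j DROP

# Bad incoming source ip address 224.0.0.0/3 (multicast and reserved, 224-255)
iptables -A interface0_in -s 224.0.0.0/3 -m limit --limit 5/m --limit-burst 7 -j LOG --log-prefix giptables-drop-src-spoof:
iptables -A interface0_in -s 224.0.0.0/3 -j DROP
iptables -A interface1_in -s 224.0.0.0/3 -m limit --limit 7/m --limit-burst 9 -j LOG --log-prefix giptables-drop-src-spoof:
iptables -A interface1_in -s 224.0.0.0/3 -j DROP
iptables -A network1_in -s 224.0.0.0/3 -m limit --limit 9/m --limit-burst 11 -j LOG --log-prefix giptables-drop-src-spoof:
iptables -A network1_in -s 224.0.0.0/3 -j DROP

# Loading DNS module
# Queries are pinned to the two configured resolvers (203.172.11.25 and
# 203.172.11.21); replies are accepted only as ESTABLISHED (conntrack tracks
# UDP as well), so nothing else on port 53 gets in.

# DNS outgoing client request
# Interface 0 DNS outgoing client request
iptables -A interface0_out -p udp -s 203.131.99.50 --sport 1024:65535 -d 203.172.11.25 --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A interface0_in -p udp -s 203.172.11.25 --sport 53 -d 203.131.99.50 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
iptables -A interface0_out -p tcp -s 203.131.99.50 --sport 1024:65535 -d 203.172.11.25 --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A interface0_in -p tcp -s 203.172.11.25 --sport 53 -d 203.131.99.50 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
iptables -A interface0_out -p udp -s 203.131.99.50 --sport 1024:65535 -d 203.172.11.21 --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A interface0_in -p udp -s 203.172.11.21 --sport 53 -d 203.131.99.50 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
iptables -A interface0_out -p tcp -s 203.131.99.50 --sport 1024:65535 -d 203.172.11.21 --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A interface0_in -p tcp -s 203.172.11.21 --sport 53 -d 203.131.99.50 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT

# Network 1 DNS forwarded outgoing client request
# LAN clients are SNATed to the eth0 address; the nat rule only sees the
# first packet of a flow, the filter rules see every packet.
iptables -t nat -A POSTROUTING -o eth0 -p udp -s 176.20.9.0/24 --sport 1024:65535 -d 203.172.11.25 --dport 53 -j SNAT --to 203.131.99.50
iptables -A network1_out -p udp -s 176.20.9.0/24 --sport 1024:65535 -d 203.172.11.25 --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A network1_in -p udp -s 203.172.11.25 --sport 53 -d 176.20.9.0/24 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
iptables -t nat -A POSTROUTING -o eth0 -p tcp -s 176.20.9.0/24 --sport 1024:65535 -d 203.172.11.25 --dport 53 -j SNAT --to 203.131.99.50
iptables -A network1_out -p tcp -s 176.20.9.0/24 --sport 1024:65535 -d 203.172.11.25 --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A network1_in -p tcp -s 203.172.11.25 --sport 53 -d 176.20.9.0/24 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
iptables -t nat -A POSTROUTING -o eth0 -p udp -s 176.20.9.0/24 --sport 1024:65535 -d 203.172.11.21 --dport 53 -j SNAT --to 203.131.99.50
iptables -A network1_out -p udp -s 176.20.9.0/24 --sport 1024:65535 -d 203.172.11.21 --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A network1_in -p udp -s 203.172.11.21 --sport 53 -d 176.20.9.0/24 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
iptables -t nat -A POSTROUTING -o eth0 -p tcp -s 176.20.9.0/24 --sport 1024:65535 -d 203.172.11.21 --dport 53 -j SNAT --to 203.131.99.50
iptables -A network1_out -p tcp -s 176.20.9.0/24 --sport 1024:65535 -d 203.172.11.21 --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A network1_in -p tcp -s 203.172.11.21 --sport 53 -d 176.20.9.0/24 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT

# DNS incoming client request
# (none: this host does not serve DNS)

# Loading SSH module
# SSH is reachable only from network 1 (eth1); nothing on eth0 accepts port 22.
# Source ports 513:65535 are allowed so clients using privileged ports
# (rsh-style) still work.

# SSH outgoing client request
# Interface 1 SSH outgoing client request
iptables -A interface1_out -p tcp -s 176.20.9.1 --sport 513:65535 -d 176.20.9.0/24 --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A interface1_in -p tcp -s 176.20.9.0/24 --sport 22 -d 176.20.9.1 --dport 513:65535 -m state --state ESTABLISHED -j ACCEPT

# Network 1 SSH forwarded outgoing client request (LAN -> anywhere)
iptables -t nat -A POSTROUTING -o eth0 -p tcp -s 176.20.9.0/24 --sport 513:65535 -d 0/0 --dport 22 -j SNAT --to 203.131.99.50
iptables -A network1_out -p tcp -s 176.20.9.0/24 --sport 513:65535 -d 0/0 --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A network1_in -p tcp -s 0/0 --sport 22 -d 176.20.9.0/24 --dport 513:65535 -m state --state ESTABLISHED -j ACCEPT

# SSH incoming client request
# Interface 1 SSH incoming client request (LAN -> either of our addresses)
iptables -A interface1_in -p tcp -s 176.20.9.0/24 --sport 513:65535 -d 203.131.99.50 --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A interface1_out -p tcp -s 203.131.99.50 --sport 22 -d 176.20.9.0/24 --dport 513:65535 -m state --state ESTABLISHED -j ACCEPT
iptables -A interface1_in -p tcp -s 176.20.9.0/24 --sport 513:65535 -d 176.20.9.1 --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A interface1_out -p tcp -s 176.20.9.1 --sport 22 -d 176.20.9.0/24 --dport 513:65535 -m state --state ESTABLISHED -j ACCEPT

# Loading SMTP module
# SMTP outgoing client request
# Interface 0 SMTP outgoing client request (this host as mail client)
iptables -A interface0_out -p tcp -s 203.131.99.50 --sport 1024:65535 -d 0/0 --dport 25 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A interface0_in -p tcp -s 0/0 --sport 25 -d 203.131.99.50 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT

# Network 1 SMTP forwarded outgoing client request
# NOTE(review): this lets every LAN host talk SMTP to any Internet host, which
# is what a compromised workstation needs to send spam directly; restricting
# it to the local mail server is the usual hardening.  Left as configured.
iptables -t nat -A POSTROUTING -o eth0 -p tcp -s 176.20.9.0/24 --sport 1024:65535 -d 0/0 --dport 25 -j SNAT --to 203.131.99.50
iptables -A network1_out -p tcp -s 176.20.9.0/24 --sport 1024:65535 -d 0/0 --dport 25 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A network1_in -p tcp -s 0/0 --sport 25 -d 176.20.9.0/24 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT

# SMTP incoming client request
# Interface 0 SMTP incoming client request (this host is a public MX)
iptables -A interface0_in -p tcp -s 0/0 --sport 1024:65535 -d 203.131.99.50 --dport 25 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A interface0_out -p tcp -s 203.131.99.50 --sport 25 -d 0/0 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT

# Interface 1 SMTP incoming client request
iptables -A interface1_in -p tcp -s 176.20.9.0/24 --sport 1024:65535 -d 176.20.9.1 --dport 25 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A interface1_out -p tcp -s 176.20.9.1 --sport 25 -d 176.20.9.0/24 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT

# Loading POP3 module
# POP3 outgoing client request
# Network 1 POP3 forwarded outgoing client request
iptables -t nat -A POSTROUTING -o eth0 -p tcp -s 176.20.9.0/24 --sport 1024:65535 -d 0/0 --dport 110 -j SNAT --to 203.131.99.50
iptables -A network1_out -p tcp -s 176.20.9.0/24 --sport 1024:65535 -d 0/0 --dport 110 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A network1_in -p tcp -s 0/0 --sport 110 -d 176.20.9.0/24 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT

# POP3 incoming client request
# Interface 0 POP3 incoming client request
# NOTE(review): plain POP3 (credentials in clear) is exposed to the whole
# Internet here; no POP3S (995) rule exists in this listing.
iptables -A interface0_in -p tcp -s 0/0 --sport 1024:65535 -d 203.131.99.50 --dport 110 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A interface0_out -p tcp -s 203.131.99.50 --sport 110 -d 0/0 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT

# Interface 1 POP3 incoming client request
iptables -A interface1_in -p tcp -s 176.20.9.0/24 --sport 1024:65535 -d 203.131.99.50 --dport 110 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A interface1_out -p tcp -s 203.131.99.50 --sport 110 -d 176.20.9.0/24 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
iptables -A interface1_in -p tcp -s 176.20.9.0/24 --sport 1024:65535 -d 176.20.9.1 --dport 110 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A interface1_out -p tcp -s 176.20.9.1 --sport 110 -d 176.20.9.0/24 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT

# Loading IMAP module
# IMAP outgoing client request
# Network 1 IMAP forwarded outgoing client request
iptables -t nat -A POSTROUTING -o eth0 -p tcp -s 176.20.9.0/24 --sport 1024:65535 -d 0/0 --dport 143 -j SNAT --to 203.131.99.50
iptables -A network1_out -p tcp -s 176.20.9.0/24 --sport 1024:65535 -d 0/0 --dport 143 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A network1_in -p tcp -s 0/0 --sport 143 -d 176.20.9.0/24 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT

# IMAP incoming client request
# (none)

# Loading HTTP module
# HTTP outgoing client request
# Network 1 HTTP forwarded outgoing client request
iptables -t nat -A POSTROUTING -o eth0 -p tcp -s 176.20.9.0/24 --sport 1024:65535 -d 0/0 --dport 80 -j SNAT --to 203.131.99.50
iptables -A network1_out -p tcp -s 176.20.9.0/24 --sport 1024:65535 -d 0/0 --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A network1_in -p tcp -s 0/0 --sport 80 -d 176.20.9.0/24 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT

# HTTP incoming client request
# Interface 0 HTTP incoming client request (public web server)
iptables -A interface0_in -p tcp -s 0/0 --sport 1024:65535 -d 203.131.99.50 --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A interface0_out -p tcp -s 203.131.99.50 --sport 80 -d 0/0 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT

# Interface 1 HTTP incoming client request
iptables -A interface1_in -p tcp -s 176.20.9.0/24 --sport 1024:65535 -d 203.131.99.50 --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A interface1_out -p tcp -s 203.131.99.50 --sport 80 -d 176.20.9.0/24 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
iptables -A interface1_in -p tcp -s 176.20.9.0/24 --sport 1024:65535 -d 176.20.9.1 --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A interface1_out -p tcp -s 176.20.9.1 --sport 80 -d 176.20.9.0/24 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT

# Loading HTTPS module
# HTTPS outgoing client request
# Network 1 HTTPS forwarded outgoing client request
iptables -t nat -A POSTROUTING -o eth0 -p tcp -s 176.20.9.0/24 --sport 1024:65535 -d 0/0 --dport 443 -j SNAT --to 203.131.99.50
iptables -A network1_out -p tcp -s 176.20.9.0/24 --sport 1024:65535 -d 0/0 --dport 443 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A network1_in -p tcp -s 0/0 --sport 443 -d 176.20.9.0/24 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT

# HTTPS incoming client request
# (none)

# Loading SQUID module
# SQUID outgoing client request
# SQUID incoming client request
# (no rules: nothing accepts port 3128 on any interface in this listing)

# Loading NNTP module
# NNTP outgoing client request
# Network 1 NNTP forwarded outgoing client request
iptables -t nat -A POSTROUTING -o eth0 -p tcp -s 176.20.9.0/24 --sport 1024:65535 -d 0/0 --dport 119 -j SNAT --to 203.131.99.50
iptables -A network1_out -p tcp -s 176.20.9.0/24 --sport 1024:65535 -d 0/0 --dport 119 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A network1_in -p tcp -s 0/0 --sport 119 -d 176.20.9.0/24 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT

# NNTP incoming client request
# (none)

# Loading TRACEROUTE module
# Outgoing UDP probes only (state NEW); the ICMP time-exceeded / port
# unreachable answers come back as RELATED and are accepted by the ICMP rules.

# TRACEROUTE outgoing client request
# Interface 0 TRACEROUTE outgoing client request
iptables -A interface0_out -p udp -s 203.131.99.50 --sport 1024:65535 -d 0/0 --dport 33434:33523 -m state --state NEW -j ACCEPT

# Interface 1 TRACEROUTE outgoing client request
iptables -A interface1_out -p udp -s 176.20.9.1 --sport 1024:65535 -d 176.20.9.0/24 --dport 33434:33523 -m state --state NEW -j ACCEPT

# Network 1 TRACEROUTE forwarded outgoing client request
iptables -t nat -A POSTROUTING -o eth0 -p udp -s 176.20.9.0/24 --sport 1024:65535 -d 0/0 --dport 33434:33523 -j SNAT --to 203.131.99.50
iptables -A network1_out -p udp -s 176.20.9.0/24 --sport 1024:65535 -d 0/0 --dport 33434:33523 -m state --state NEW -j ACCEPT

# TRACEROUTE incoming client request
# Interface 1 TRACEROUTE incoming client request
iptables -A interface1_in -p udp -s 176.20.9.0/24 --sport 1024:65535 -d 203.131.99.50 --dport 33434:33523 -m state --state NEW -j ACCEPT
iptables -A interface1_in -p udp -s 176.20.9.0/24 --sport 1024:65535 -d 176.20.9.1 --dport 33434:33523 -m state --state NEW -j ACCEPT

# Loading ICMP module
# ICMP outgoing client request
# Interface 0 ICMP outgoing client request
# We may originate any ICMP type to the Internet; only ESTABLISHED/RELATED
# ICMP comes back in, so unsolicited pings from eth0 are dropped.
iptables -A interface0_out -p icmp -s 203.131.99.50 -d 0/0 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -A interface0_in -p icmp -s 0/0 -d 203.131.99.50 -m state --state ESTABLISHED,RELATED -j ACCEPT

# Interface 1 ICMP outgoing client request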
# ICMP between this host and network 1, in both directions.  The host may
# originate ICMP towards the LAN; LAN hosts may originate ICMP towards either
# of our addresses.  The reverse direction of each pair only passes
# ESTABLISHED/RELATED traffic.
iptables -A interface1_out -p icmp -s 176.20.9.1 -d 176.20.9.0/24 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -A interface1_in -p icmp -s 176.20.9.0/24 -d 176.20.9.1 -m state --state ESTABLISHED,RELATED -j ACCEPT

# Network 1 ICMP forwarded outgoing client request
# LAN hosts may ping the Internet; replies and errors come back as
# ESTABLISHED/RELATED.  Unsolicited ICMP from the Internet is not forwarded.
iptables -t nat -A POSTROUTING -o eth0 -p icmp -s 176.20.9.0/24 -d 0/0 -j SNAT --to 203.131.99.50
iptables -A network1_out -p icmp -s 176.20.9.0/24 -d 0/0 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -A network1_in -p icmp -s 0/0 -d 176.20.9.0/24 -m state --state ESTABLISHED,RELATED -j ACCEPT

# ICMP incoming client request
# Interface 1 ICMP incoming client request
iptables -A interface1_in -p icmp -s 176.20.9.0/24 -d 203.131.99.50 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -A interface1_out -p icmp -s 203.131.99.50 -d 176.20.9.0/24 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A interface1_in -p icmp -s 176.20.9.0/24 -d 176.20.9.1 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -A interface1_out -p icmp -s 176.20.9.1 -d 176.20.9.0/24 -m state --state ESTABLISHED,RELATED -j ACCEPT

# Loading custom firewall rules (/etc/rc.d/rc.giptables.custom)
# NOTE(review): this REDIRECT matches port-80 traffic arriving on eth0, the
# Internet-facing interface, not on eth1 where the network 1 clients are.
# nat PREROUTING runs before filter INPUT, so such packets reach interface0_in
# with destination port 3128; the "Interface 0 HTTP incoming client request"
# accept matches --dport 80 only and the SQUID module installs no rule, so
# they fall through to the LOG & DROP below - i.e. the public web server on
# 203.131.99.50:80 is effectively unreachable while this rule is in place.
# If a transparent proxy for LAN clients was intended, the interface should
# be eth1.  Confirm the intent before changing; left as configured.
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 3128

# LOG & DROP everything from here... just in case
# Final rule of every incoming chain: anything no service rule accepted is
# logged (rate-limited) and dropped explicitly, independent of the builtin
# DROP policy.  The *_out and network1_out chains have no such rule in this
# listing and fall through to the OUTPUT/FORWARD policy without logging.
#
# $1 chain name, $2 LOG rate limit, $3 LOG burst
norule_log_drop() {
  iptables -A "$1" -s 0/0 -m limit --limit "$2" --limit-burst "$3" -j LOG --log-prefix giptables-drop-src-norule:
  iptables -A "$1" -s 0/0 -j DROP
}
norule_log_drop interface0_in 5/m 7
norule_log_drop interface1_in 7/m 9
norule_log_drop network1_in 9/m 11
# [ OK ]