###############################################################################
# You should put this config-file in /etc/arno-iptables-firewall/ #
###############################################################################
# --------------------------- Configuration file ------------------------------
# -= Arno's iptables firewall =-
# Single- & multi-homed firewall script with DSL/ADSL support
#
# (C) Copyright 2001-2007 by Arno van Amersfoort
# Homepage : http://rocky.eld.leidenuniv.nl/
# Freshmeat : http://freshmeat.net/projects/iptabl.../?topic_id=151
# Email : arnova AT rocky DOT eld DOT leidenuniv DOT nl
# (note: you must remove all spaces and substitute the @ and the .
# at the proper locations!)
# -----------------------------------------------------------------------------
# This program is free software; you can redistribute it and/or
# modify it under the terms of the GNU General Public License
# version 2 as published by the Free Software Foundation.
# This program is distributed in the hope that it will be useful, but WITHOUT
# ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
# FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for
# more details.
# You should have received a copy of the GNU General Public License along with
# this program; if not, write to the Free Software Foundation Inc., 59 Temple
# Place - Suite 330, Boston, MA 02111-1307, USA.
# -----------------------------------------------------------------------------
# Location of the iptables-binary (use 'locate iptables' or 'whereis iptables'
# to manually locate it).
# NOTE(review): keep this an absolute path to a root-owned binary; the firewall
# script presumably runs it as root, so a relative or user-writable path would
# let some other program be executed in its place.
# -----------------------------------------------------------------------------
IPTABLES="/sbin/iptables"
###############################################################################
# External (internet) interface settings #
###############################################################################
# The external interface(s) that will be protected (and used as internet
# connection). This is probably ppp+ or dsl+ for non-transparent(!) (A)DSL
# modems otherwise it's probably "ethX" (eg. eth0). Multiple interfaces should
# be space separated.
# NOTE(review): an interface that is NOT listed here presumably gets none of
# the external-side rules, so verify the name(s) (eg. with 'ifconfig') before
# relying on the firewall.
# -----------------------------------------------------------------------------
EXT_IF="ppp+"
# Enable this if THIS machine (dynamically) obtains its IP through DHCP (from
# your ISP).
# NOTE(review): presumably this opens the DHCP client ports on EXT_IF; set it
# to 0 when the external address is static so they stay closed -- confirm
# against the firewall script.
# -----------------------------------------------------------------------------
EXT_IF_DHCP_IP=1
# (EXPERT SETTING!) Here you can specify your external(!) subnet(s). You should
# only use this if you for example have a corporate network and/or running a
# DHCP server on your external(!) interface. Home users should normally NOT
# touch this setting. Multiple subnets should be space separated.
# Don't forget to specify a proper subnet mask (eg. /24, /16 or /8)!
# Keep it empty (the default) unless you actually need it.
# -----------------------------------------------------------------------------
EXTERNAL_NET=""
# (EXPERT SETTING!) Here you can specify the IP address used for broadcasts
# on your external subnet. You only need to set this option if you want to use
# the BROADCAST_XXX_NOLOG variables AND you use a non-standard broadcast
# address (not *.255.255.255, *.*.255.255 or *.*.*.255)! So normally leaving
# this empty should work fine. Multiple addresses (if you have more than one
# external interface) should be space separated.
# Leave it empty (the default) unless both conditions above apply.
# -----------------------------------------------------------------------------
EXT_NET_BCAST_ADDRESS=""
# Enable this if THIS MACHINE is running a DHCP(BOOTP) server for a subnet on
# the external(!) interface. Note that you don't need this for internal
# subnets, as for these nets everything is accepted by default. Don't forget to
# configure the EXTERNAL_NET variable, to make this work.
# NOTE(review): a DHCP server reachable on the external side is a service
# exposed to everybody on that segment; keep this at 0 unless this host really
# is the DHCP server for EXTERNAL_NET.
# -----------------------------------------------------------------------------
EXTERNAL_DHCP_SERVER=0
###############################################################################
# Internal (LAN) interface settings #
###############################################################################
# Specify here your internal network (LAN) interface(s). Multiple(!) interfaces
# should be space separated. Comment this out if you don't have any internal
# network interfaces. Note that by default ALL traffic is accepted from these
# interfaces.
# NOTE(review): because everything arriving on INT_IF is trusted, only list
# segments you control; a wireless or guest network belongs in DMZ_IF instead
# (see the DMZ section below).
# -----------------------------------------------------------------------------
INT_IF="eth1"
# Specify here the internal subnet which is connected to the internal interface
# (INT_IF). For multiple interfaces(!) you can either specify multiple subnets
# here or specify one big subnet for all internal interfaces. Note that this
# variable is mainly used for antispoofing.
# NOTE(review): make the prefix(es) match the real LAN as closely as possible;
# one overly wide subnet widens what the antispoofing check accepts.
# -----------------------------------------------------------------------------
INTERNAL_NET="192.168.0.0/24"
# (EXPERT SETTING!) Here you can specify the IP address used for broadcasts
# on your internal subnet. You only need to set this option if you want to use
# the MAC filter AND you use a non-standard broadcast address
# (not *.255.255.255, *.*.255.255 or *.*.*.255)! So normally leaving
# this empty should work fine. Multiple addresses (if you have multiple
# internal nets) should be space separated.
# Leave it empty (the default) unless both conditions above apply.
# -----------------------------------------------------------------------------
INT_NET_BCAST_ADDRESS=""
# Uncomment & specify here the location of the file that contains the MAC
# addresses of INTERNAL hosts that are allowed. The MAC addresses should be
# written like 00:11:22:33:44:55
# Note that the last line of this file should always end with a newline
# (press Enter after it)!
# Keep in mind that a MAC address is easy to spoof, so this filter limits
# accidental access rather than stopping a determined attacker.
# -----------------------------------------------------------------------------
#MAC_ADDRESS_FILE=/etc/arno-iptables-firewall/mac-addresses
###############################################################################
# (ADSL) Modem settings #
# #
# The MODEM_xxx options should (only) be used when you have an ((A)DSL) #
# modem which works with a ppp-connection between the modem and the #
# host the modem is connected to. #
# #
# You can check whether this applies for your (hardware) setup with #
# 'ifconfig' (a 'ppp' device is shown). #
# This means that if your modem is bridging (or is a NAT router), or the #
# network interface the modem is connected to doesn't have an IP, you #
# should leave the MODEM_xxx options disabled (=default)! #
###############################################################################
# The physical(!) network interface your ADSL modem is connected to (this is
# not ppp0!).
# NOTE(review): this ships as "eth0" although the section header says the
# MODEM_xxx options should stay disabled on bridged/router setups; set it to
# the real modem interface, or comment it out if it does not apply to you.
# -----------------------------------------------------------------------------
MODEM_IF="eth0"
# (optional) The IP of the network interface (MODEM_IF) your ADSL modem is
# connected to (IP shown for the modem interface (MODEM_IF) in 'ifconfig').
# -----------------------------------------------------------------------------
#MODEM_IF_IP="10.0.0.150"
# (optional) The IP of your (A)DSL modem itself.
# -----------------------------------------------------------------------------
#MODEM_IP="10.0.0.138"
# (EXPERT SETTING!). Here you can specify the hosts/local net(s) that should
# have access to the (A)DSL modem itself (manage modem settings, if supported
# by your modem!). The default setting ("$INTERNAL_NET") allows access from
# everybody on your LAN.
# -----------------------------------------------------------------------------
#MODEM_INTERNAL_NET="$INTERNAL_NET"
###############################################################################
# DMZ (aka DeMilitarized Zone) settings #
###############################################################################
# Put in the following variable the network interfaces that are DMZ-classified.
# You can also use this interface if you want to shield your Wireless network
# from your LAN (unlike INT_IF, DMZ traffic is not trusted by default).
# Multiple interfaces are presumably space separated, as for INT_IF.
# -----------------------------------------------------------------------------
DMZ_IF=""
# Specify here the subnet which is connected to the DMZ interface (DMZ_IF).
# For multiple interfaces(!) you can either specify multiple subnets here or
# specify one big subnet for all DMZ interfaces.
# Leave it empty, like DMZ_IF, when you have no DMZ.
# -----------------------------------------------------------------------------
DMZ_NET=""
###############################################################################
# NAT (Masquerade, SNAT, DNAT) settings #
###############################################################################
# Enable this if you want to perform NAT (masquerading) for your internal
# network (LAN) (eg. share your internet connection with your internal
# net(s) connected to eg. INT_IF).
# Which hosts may use it is restricted by NAT_INTERNAL_NET below.
# -----------------------------------------------------------------------------
NAT=1
# (EXPERT SETTING!). In case you would like to use SNAT instead of
# MASQUERADING then uncomment and set the IP or IP's here of your static
# external address(es). Note that when multiple IP's are specified, SNAT
# multiroute is enabled (load balancing over multiple external (internet)
# interfaces, check the README file for more info). Note that the order of IP's
# should match the order of interfaces (they belong to) in $EXT_IF!
# -----------------------------------------------------------------------------
#NAT_STATIC_IP="193.2.1.1"
# (EXPERT SETTING!). Use this variable only if you want specific subnets or
# hosts to be able to access the internet. When no value is specified, your
# whole internal net will have access. In both cases it's obviously only
# meaningful when NAT is enabled. Note that you can also use this variable if
# you want to use NAT for your DMZ.
# The default "$INTERNAL_NET" is expanded by the shell when this file is
# sourced, so INTERNAL_NET (set above) must stay defined before this line.
# -----------------------------------------------------------------------------
NAT_INTERNAL_NET="$INTERNAL_NET"
# NAT TCP/UDP/IP forwards. Forward ports or protocols from the gateway to
# an internal client through (D)NAT. Note that you can also use these
# variables to forward ports to DMZ hosts.
#
# TCP/UDP form:
# "{SRCIP1,SRCIP2,...:}PORT1,PORT2-PORT3,...>DESTIP1{:port} \
# {SRCIP3,...:}PORT3,...>DESTIP2{:port}"
#
# IP form:
# "{SRCIP1,SRCIP2,...:}PROTO1,PROTO2,...>DESTIP1 \
# {SRCIP3:}PROTO3,PROTO4,...>DESTIP2"
#
# TCP/UDP port forward examples:
# Simple (forward port 80 to internal host 192.168.0.10):
# NAT_xxx_FORWARD="80>192.168.0.10"
# Advanced (forward port 20 & 21 to 192.168.0.10 and
# forward from 1.2.3.4 port 81 to 192.168.0.11 port 80:
# NAT_xxx_FORWARD="20,21>192.168.0.10 1.2.3.4:81>192.168.0.11:80"
#
# IP protocol forward example:
# (forward protocols 47 & 48 to 192.168.0.10)
# NAT_IP_FORWARD="47,48>192.168.0.10"
#
# NOTE 1: {:port} is optional. Use it to redirect a specific port to a
# different port on the internal client.
# NOTE 2: {SRCIPx} is optional. Use it to restrict access for specific source
# (inet) IP addresses.
# NOTE(review): every forward below publishes an internal service to the
# internet; keep these empty unless needed, and where the remote side is known
# use the {SRCIPx:} prefix so only those source addresses can reach the
# forwarded port.
# -----------------------------------------------------------------------------
NAT_TCP_FORWARD=""
NAT_UDP_FORWARD=""
NAT_IP_FORWARD=""
###############################################################################
# General settings #
###############################################################################
# Most people don't want to get any firewall logs being spit to the console.
# This option makes the kernel ring buffer only log messages with level
# "panic".
# NOTE(review): presumably done with 'dmesg -n', which changes the console log
# level only; confirm the firewall's LOG lines still reach syslog/klogd so
# enabling this does not silently discard the audit trail.
# -----------------------------------------------------------------------------
DMESG_PANIC_ONLY=1
# Enable this if you want TOS mangling (RFC) (recommended).
# (TOS = the IP Type-Of-Service field; this is a traffic-priority aid, not a
# security control.)
# -----------------------------------------------------------------------------
MANGLE_TOS=1
# Enable this if you want to set the maximum packet size via the
# Maximum Segment Size (through the MSS field) (recommended).
# Clamping the MSS helps avoid fragmentation problems on links with a reduced
# MTU, such as ppp (A)DSL connections.
# -----------------------------------------------------------------------------
SET_MSS=1
# Enable this if you want to increase the TTL value by one in the prerouting
# chain. This hides the firewall when performing eg. traceroutes to internal
# hosts.
# NOTE(review): this is obscurity only (the firewall hop disappears from a
# traceroute); it is disabled by default and does not replace filtering.
# -----------------------------------------------------------------------------
TTL_INC=0
# (EXPERT SETTING!) Enable this if you want to set the TTL value for packets in
# the OUTPUT & FORWARD chain. Note that this only works with newer 2.6 kernels
# (2.6.14 or better) or patched 2.4 kernels, which have netfilter TTL target
# support. Don't mess with this unless you really know what you are doing!
# -----------------------------------------------------------------------------
#PACKET_TTL="64"
# Enable this to resolve names of DNS IP's etc.
# NOTE(review): presumably triggers DNS lookups while the rules are loaded;
# if the resolver is unreachable at that moment, firewall start-up may stall
# or mis-resolve -- confirm against the script before enabling it.
# -----------------------------------------------------------------------------
RESOLV_IPS=0
# Enable this to support the IRC-protocol.
# NOTE(review): presumably loads the IRC connection-tracking helper; keep it
# at 0 unless IRC DCC is actually needed, since each helper is extra code
# that parses untrusted traffic.
# -----------------------------------------------------------------------------
USE_IRC=0
# (EXPERT SETTING!). Loosen the forward chain for the external interface(s).
# Enable it to allow the use of protocols like UPnP. Note that it *could* be
# less secure.
# NOTE(review): this ships enabled (1) although the text above calls it an
# expert setting that can be less secure; set it to 0 unless you need
# UPnP-style protocols to cross the firewall.
# -----------------------------------------------------------------------------
LOOSE_FORWARD=1