Old 07-24-2003, 07:41 PM   #1
win32sux
shorewall dropping/rejecting wanted connections (squid/webmin)


i'm running shorewall on a mandrake 9.1 box. the box's main purpose is a caching proxy (squid) for a windows xp network...

i installed shorewall on the proxy to provide cover for it (not for the network, the windows boxes still use a router provided by the isp)... right now i don't need the mandrake box to do any routing for the network...

the windows boxes have two ip addresses each... one internet ip (200.46.x.x) and one local ip (192.168.75.x)... i gave them the local addresses for the sole purpose of having them use the proxy through the lan without having to go through the isp router (the isp router is located at the isp's headquarters)...

the mandrake box has two nics... one goes to the isp, the other goes to the local switch... the local address for the proxy is 192.168.75.1, and the external address is 200.46.x.x... the browsers on the windows boxes have all been told to use proxy 192.168.75.1 port 3128...

the shorewall i'm using is the one made directly by shorewall (1.4.5-1), not the one that comes with mandrake...

so basically i set up the shorewall to open port 3128 (squid) and 22 (ssh) on the local network... and only port 22 on the internet connection (sometimes i'll open the ftp or webmin ports temporarily).

+++++++++++++++++++++++++++++++++++++++++++++++++++++

the problem is that i was checking /var/log/messages and i'm seeing a lot of DROPS on port 3128... which is weird to me, cuz the windoze boxes *SEEM* to be surfing happily with no problems...

the problem got weirder when upon adding port 10000 on the external nic to the rules file (to access webmin from afar via internet) i get REJECTED...

Jul 24 18:01:07 nikita kernel: Shorewall:all2all:REJECT:IN=eth1 OUT= MAC=xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx SRC=200.75.x.x DST=200.46.x.x LEN=60 TOS=0x00 PREC=0x00 TTL=59 ID=54132 DF PROTO=TCP SPT=33570 DPT=10000 WINDOW=5840 RES=0x00 SYN URGP=0

eth1??? eth1 is the local card! i'm connecting to eth0 via internet!

i smell something funky going on here...

check it out, here's some recent squid "droppings":

Jul 24 17:30:23 nikita kernel: Shorewall:net2fw:DROP:IN=eth0 OUT= MAC=xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx SRC=192.168.75.103 DST=192.168.75.1 LEN=48 TOS=0x00 PREC=0x00 TTL=128 ID=32693 DF PROTO=TCP SPT=1756 DPT=3128 WINDOW=64240 RES=0x00 SYN URGP=0

Jul 24 17:31:16 nikita kernel: Shorewall:net2fw:DROP:IN=eth0 OUT= MAC=xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx SRC=192.168.75.109 DST=192.168.75.1 LEN=48 TOS=0x00 PREC=0x00 TTL=128 ID=5526 DF PROTO=TCP SPT=3130 DPT=3128 WINDOW=64240 RES=0x00 SYN URGP=0

Jul 24 17:31:43 nikita kernel: Shorewall:net2fw:DROP:IN=eth0 OUT= MAC=xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx SRC=192.168.75.105 DST=192.168.75.1 LEN=48 TOS=0x00 PREC=0x00 TTL=128 ID=53586 DF PROTO=TCP SPT=1698 DPT=3128 WINDOW=64240 RES=0x00 SYN URGP=0

Jul 24 17:33:10 nikita kernel: Shorewall:net2fw:DROP:IN=eth0 OUT= MAC=xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx SRC=192.168.75.107 DST=192.168.75.1 LEN=48 TOS=0x00 PREC=0x00 TTL=128 ID=53002 DF PROTO=TCP SPT=1960 DPT=3128 WINDOW=64240 RES=0x00 SYN URGP=0

why is shorewall dropping these? and why does it say they are "net2fw" when i believe they are supposed to be "loc2fw"??? i mean, the ips are from the lan, why would they be getting dropped on eth0 which is the internet card???

luckily i still have ssh access via lan and internet...

so anyways, on the mozilla i use to hook-up to the webmin via https://200.46.x.x:10000, i just get the typical connection refused message... and once again, wouldn't the wall be supposed to pick something up like that as a "net2fw"? why "all2all"???

if i punch open port 21 on the external nic i can connect to the pro ftp daemon via internet...

here's my configs, please help me out if you can, i'm a newbie and i would really appreciate it if someone would make some sense of what's happening to me...


*****************IFCONFIG

eth0 Link encap:Ethernet HWaddr xx:xx:xx:xx:xx:xx:xx
inet addr:200.46.x.x Bcast:200.46.x.x Mask:255.255.255.240
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:640386 errors:0 dropped:0 overruns:0 frame:0
TX packets:2027576 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:100
RX bytes:454413216 (433.3 Mb) TX bytes:293558649 (279.9 Mb)
Interrupt:5 Base address:0xd400

eth1 Link encap:Ethernet HWaddr xx:xx:xx:xx:xx:xx:xx
inet addr:192.168.75.1 Bcast:192.168.75.255 Mask:255.255.255.0
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:3403037 errors:0 dropped:0 overruns:0 frame:0
TX packets:2384428 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:100
RX bytes:1606297651 (1531.8 Mb) TX bytes:2024601722 (1930.8 Mb)
Interrupt:11 Base address:0xbf00

lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
UP LOOPBACK RUNNING MTU:16436 Metric:1
RX packets:16975 errors:0 dropped:0 overruns:0 frame:0
TX packets:16975 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:712008 (695.3 Kb) TX bytes:712008 (695.3 Kb)


**********************SHOREWALL CONFIG

COMMON.DEF (i left it as it came)
run_iptables -A common -p icmp -j icmpdef
run_iptables -A common -p udp --dport 135 -j reject
run_iptables -A common -p udp --dport 137:139 -j reject
run_iptables -A common -p udp --dport 445 -j reject
run_iptables -A common -p tcp --dport 139 -j reject
run_iptables -A common -p tcp --dport 445 -j reject
run_iptables -A common -p tcp --dport 135 -j reject
run_iptables -A common -p udp --dport 1900 -j DROP
run_iptables -A common -d 255.255.255.255 -j DROP
run_iptables -A common -d 224.0.0.0/4 -j DROP
iptables -A common -p tcp --dport 113 -j reject
run_iptables -A common -p udp --sport 53 -mstate --state NEW -j DROP

INTERFACES
#ZONE INTERFACE BROADCAST OPTIONS
net eth0 detect
loc eth1 detect

POLICY
#SOURCE DEST POLICY LOG LEVEL LIMIT:BURST
fw all ACCEPT
net fw DROP info
all all REJECT info

RULES
#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL
# PORT PORT(S) DEST
ACCEPT net fw tcp 21,22,10000 -
ACCEPT loc fw tcp 3128,22,21 -

ZONES
#ZONE DISPLAY COMMENTS
net Net Internet
loc Local Local networks
#dmz DMZ Demilitarized zone

SHOREWALL.CONF (the options i changed from default)
NAT_ENABLED=No
MANGLE_ENABLED=No
IP_FORWARDING=Off

ICMP.DEF
run_iptables -A icmpdef -p icmp --icmp-type 8 -j ACCEPT

the shorewall files i've not posted haven't been edited from their default state...

SQUID.CONF
cache_effective_user squid
cache_effective_group squid
cache_dir ufs /mnt/squid 512 32 256
http_port 192.168.75.1:3128
cache_mem 96 MB
maximum_object_size_in_memory 64 KB
maximum_object_size 4096 KB
cache_replacement_policy heap LFUDA
memory_replacement_policy heap LFUDA
cache_store_log none
dns_timeout 3 minutes


please let me know if there's any other info which i need to post.

oh yeah, the internet nic is a sis900 and the local nic is a realtek 8139...

a million thanks in advance!
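As an added example (not code from the thread), here is a small Python check that reads Shorewall log lines like the ones quoted above and flags packets whose ingress interface disagrees with their source address range. The eth0/eth1 zone mapping is taken from the INTERFACES file above; the public addresses in the constructed sample lines are RFC 5737 documentation addresses standing in for the masked ones.

```python
"""Added example (not from the thread): parse Shorewall/netfilter log lines
and flag packets whose source address belongs to one zone's subnet but
arrived on another zone's interface.  Shorewall assigns the zone from the
ingress interface (the INTERFACES file), so such lines explain why traffic
from 192.168.75.x can be logged as net2fw and why a request from the
Internet can show up as all2all on eth1."""
import ipaddress
import re

# Zone layout taken from the thread's INTERFACES file and ifconfig output.
ZONE_BY_IFACE = {"eth0": "net", "eth1": "loc"}
LOC_NETS = [ipaddress.ip_network("192.168.75.0/24")]

HEAD_RE = re.compile(r"Shorewall:(?P<chain>[^:]+):(?P<verdict>[A-Z]+):")
FIELD_RE = re.compile(r"(\w+)=(\S*)")


def parse_line(line):
    """Return the interesting KEY=value fields, or None for non-Shorewall lines."""
    head = HEAD_RE.search(line)
    if head is None:
        return None
    fields = dict(FIELD_RE.findall(line[head.end():]))
    if "IN" not in fields or "SRC" not in fields:
        return None
    return {
        "chain": head.group("chain"),
        "verdict": head.group("verdict"),
        "iface": fields["IN"],
        "src": fields["SRC"],
        "dst": fields.get("DST", ""),
        "dpt": fields.get("DPT", "-"),   # ICMP lines carry no port
    }


def zone_of_address(src):
    """Zone the source *should* belong to, judged by address alone.
    Masked values such as 200.75.x.x are reported as 'unknown'."""
    try:
        addr = ipaddress.ip_address(src)
    except ValueError:
        return "unknown"
    return "loc" if any(addr in net for net in LOC_NETS) else "net"


def zone_mismatches(lines):
    """Return (src, dst, dpt, iface, iface_zone, addr_zone, chain:verdict) for
    every logged packet whose ingress interface and source range disagree."""
    findings = []
    for line in lines:
        entry = parse_line(line)
        if entry is None:
            continue
        iface_zone = ZONE_BY_IFACE.get(entry["iface"], "unknown")
        addr_zone = zone_of_address(entry["src"])
        if "unknown" in (iface_zone, addr_zone) or iface_zone == addr_zone:
            continue
        findings.append((entry["src"], entry["dst"], entry["dpt"], entry["iface"],
                         iface_zone, addr_zone, f"{entry['chain']}:{entry['verdict']}"))
    return findings


# Sample input: lines 1-2 are squid drops quoted in the thread; line 3 is the
# webmin REJECT with its masked public addresses replaced by constructed
# RFC 5737 documentation addresses; line 4 is a constructed, consistent drop.
SAMPLE_LINES = [
    "Jul 24 17:30:23 nikita kernel: Shorewall:net2fw:DROP:IN=eth0 OUT= MAC=xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx SRC=192.168.75.103 DST=192.168.75.1 LEN=48 TOS=0x00 PREC=0x00 TTL=128 ID=32693 DF PROTO=TCP SPT=1756 DPT=3128 WINDOW=64240 RES=0x00 SYN URGP=0",
    "Jul 24 17:31:16 nikita kernel: Shorewall:net2fw:DROP:IN=eth0 OUT= MAC=xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx SRC=192.168.75.109 DST=192.168.75.1 LEN=48 TOS=0x00 PREC=0x00 TTL=128 ID=5526 DF PROTO=TCP SPT=3130 DPT=3128 WINDOW=64240 RES=0x00 SYN URGP=0",
    "Jul 24 18:01:07 nikita kernel: Shorewall:all2all:REJECT:IN=eth1 OUT= MAC=xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx SRC=198.51.100.7 DST=203.0.113.2 LEN=60 TOS=0x00 PREC=0x00 TTL=59 ID=54132 DF PROTO=TCP SPT=33570 DPT=10000 WINDOW=5840 RES=0x00 SYN URGP=0",
    "Jul 24 18:02:00 nikita kernel: Shorewall:net2fw:DROP:IN=eth0 OUT= MAC=xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx SRC=198.51.100.9 DST=203.0.113.2 LEN=60 TOS=0x00 PREC=0x00 TTL=59 ID=1 DF PROTO=TCP SPT=40000 DPT=23 WINDOW=5840 RES=0x00 SYN URGP=0",
]

if __name__ == "__main__":
    for f in zone_mismatches(SAMPLE_LINES):
        print("%s -> %s:%s came in on %s (%s zone) but the source is a %s address; logged as %s" % f)
```

Every hit is a packet whose zone was decided by the interface it physically arrived on rather than by its address, which is exactly what turns 192.168.75.x traffic into net2fw and an Internet client into all2all; the rules file is then applied correctly to a packet that reached the wrong NIC.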
 
Old 08-01-2003, 01:49 PM   #2
unSpawn
//moderator.note: moving to Linux - Networking for exposure.
 
Old 08-01-2003, 02:57 PM   #3
dubman
just off the top of my head, by looking at your packet traces...it looks like shorewall is having problems negotiating the two ips on your nics. Why not implement NAT on your firewall and make things easier, and much more secure. I'm not familiar with shorewall, I only use iptables. here is what I have done in iptables to allow for what you are trying to do...maybe this will help.

(in a nutshell)

$IPT -A OUTPUT -o $PRIVIF -j ACCEPT
$IPT -A INPUT -i $PRIVIF -j ACCEPT

#this allows all traffic between the firewall and the secured network...either you trust your firewall or you don't...:-)

$IPT -A FORWARD -i $PRIVIF -o $PUBIF -j ACCEPT
$IPT -A FORWARD -i $PUBIF -o $PRIVIF -m state --state RELATED,ESTABLISHED -j ACCEPT

#this allows only a system on my secured network outside access. and only allows return traffic if it is an established and related connection.

$IPT -t nat -A POSTROUTING -o $PUBIF -s $PRIVNET -j MASQUERADE

#this takes care of my nat.

$IPT -t nat -A PREROUTING -i $PUBIF -p tcp --dport 22 -j DNAT --to $WSIP:22
$IPT -A FORWARD -i $PUBIF -p tcp -d $WSIP --dport 22 -j ACCEPT

#This is forwarding port 22 for ssh access...(which I only allow rsa public key authentication...yes, i know, I'm paranoid :-) This line can be replicated for any other ports that need to be forwarded.

There are many other tricks for accomplishing what you are wanting to do. If I were you, I would look at my topology. Having your secured network accessible with public IPs kinda takes the security of a firewall out of it. I would use nat and hide your secure network from the rest of the world, and get your firewall into stealth mode. For instance, don't tell it to reject, just have it drop. If it rejects it is responding...that is what you don't want it to do.

My topology is this:
ISP to a cable modem directly connected to a RH9 firewall with IPtables. My firewall has 3 nics, one to the cbl modem, one to my secured network, and one to my DMZ network where I host web, ftp, mail, etc. I only allow outside initiated connections to my DMZ on the specific ports I am hosting. The DMZ server is not allowed to initiate any connections on its own (in the event someone did take the DMZ). My secured network is only allowed to initiate connections, which means no outside initiated connections are allowed to my secured network whatsoever. More than all this, my firewall doesn't run ANY services except IPTABLES, yes this includes ssh (why take the chance?). And my firewall will not respond to a single request, it either forwards or drops...it doesn't exist as far as the real world is concerned. I mean if your firewall gets compromised, the whole show is over anyways.

Here is a pretty thorough (although rough) script that may help point you in the right direction:

#!/bin/bash

#

IPT=/sbin/iptables
PRIVIF="eth1"
PUBIF="eth0"
PRIVIP="192.168.100.254/32"
PUBIP=""
PRIVNET="192.168.100.0/22"
PUBLICNET=""
WSIP="192.168.100.10/32"
LG_OPTIONS="-m limit --limit 5/minute --log-level 3 --log-prefix "
LG_OPTIONS_MORE="-m limit --limit 20/minute --log-level 3 --log-prefix "
LG_OPTIONS_LESS="-m limit --limit 1/minute --log-level 3 --log-prefix "
PLACE_WE_HATE="www.aol.com"

# Load modules
/sbin/modprobe ip_conntrack
/sbin/modprobe ip_conntrack_ftp
/sbin/modprobe ip_nat_ftp


#Clean Start
$IPT -F INPUT
$IPT -F FORWARD
$IPT -F OUTPUT
$IPT -F -t nat
$IPT -F -t mangle
$IPT -F

#Define Policy
$IPT -P INPUT DROP
$IPT -P FORWARD DROP
$IPT -P OUTPUT DROP


## NAT Postrouting SNAT
##Implemented in Forwarding section
##$IPT -t nat -A POSTROUTING -o $PUBIF -s $PRIVNET -j MASQUERADE
##$IPT -t nat -A POSTROUTING -o $PUBIF -s $PRIVNET -j SNAT --to-source $PUBIP

# Allow loopback
$IPT -A INPUT -i lo -s 0/0 -d 0/0 -j ACCEPT
$IPT -A OUTPUT -o lo -s 0/0 -d 0/0 -j ACCEPT

# Connections between firewall and internal network
$IPT -A OUTPUT -o $PRIVIF -j ACCEPT
$IPT -A INPUT -i $PRIVIF -j ACCEPT


# No Cross-Forwarding
$IPT -A FORWARD -i $PUBIF -o $PUBIF -j LOG $LG_OPTIONS "IPTABLES-X-FORWARD: "
$IPT -A FORWARD -i $PUBIF -o $PUBIF -j DROP


# No Spoofed source addresses
$IPT -A INPUT -s "0.0.0.0" -i $PUBIF -j LOG $LG_OPTIONS "IPTABLES-SPOOF: "
$IPT -A INPUT -s "0.0.0.0" -i $PUBIF -j DROP
$IPT -A INPUT -s "10.0.0.0/8" -i $PUBIF -j LOG $LG_OPTIONS "IPTABLES-SPOOF: "
$IPT -A INPUT -s "10.0.0.0/8" -i $PUBIF -j DROP
$IPT -A INPUT -s "192.168.0.0/16" -i $PUBIF -j LOG $LG_OPTIONS "IPTABLES-SPOOF: "
$IPT -A INPUT -s "192.168.0.0/16" -i $PUBIF -j DROP
$IPT -A INPUT -s "172.16.0.0/12" -i $PUBIF -j LOG $LG_OPTIONS "IPTABLES-SPOOF: "
$IPT -A INPUT -s "172.16.0.0/12" -i $PUBIF -j DROP

# Port Scans
$IPT -t mangle -A PREROUTING -p tcp --tcp-flags ALL NONE -j LOG $LG_OPTIONS_MORE "IPTABLES-PORT-SCAN: "
$IPT -t mangle -A PREROUTING -p tcp --tcp-flags ALL NONE -j DROP

# NMAP FIN/URG/PSH
$IPT -t nat -A PREROUTING -p tcp --tcp-flags ALL FIN,URG,PSH -j LOG $LG_OPTIONS_MORE "IPTABLES-NMAP-FIN-URG-PSH: "
$IPT -t nat -A PREROUTING -p tcp --tcp-flags ALL FIN,URG,PSH -j DROP


#SYN/RST
$IPT -t nat -A PREROUTING -p tcp --tcp-flags SYN,RST SYN,RST -j LOG $LG_OPTIONS_MORE "IPTABLES-SYN-RST: "
$IPT -t nat -A PREROUTING -p tcp --tcp-flags SYN,RST SYN,RST -j DROP

#SYN/FIN
$IPT -t nat -A PREROUTING -p tcp --tcp-flags SYN,FIN SYN,FIN -j LOG $LG_OPTIONS_MORE "IPTABLES-SYN-FIN: "
$IPT -t nat -A PREROUTING -p tcp --tcp-flags ALL FIN -j LOG $LG_OPTIONS_MORE "IPTABLES-FIN: "
$IPT -t nat -A PREROUTING -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
$IPT -t nat -A PREROUTING -p tcp --tcp-flags ALL FIN -j DROP

echo Input
########################################
###########INPUT########################
########################################

#Accept DHCP lease
$IPT -A INPUT -i $PUBIF -p udp --source-port 67 --dport 68 -j ACCEPT
$IPT -A OUTPUT -o $PUBIF -p udp --source-port 68 --dport 67 -j ACCEPT

#Silently Drop broadcast and multicast traffic
$IPT -A INPUT -i $PUBIF -d 255.255.255.255 -j DROP
$IPT -A INPUT -i $PUBIF -d 224.0.0.0/4 -j DROP

# Reject IDENTD 113 from xcaliber
#$IPT -A INPUT -i $PUBIF -p tcp --source 64.161.52.90 --destination-port 113 -j REJECT

#Drop all invalid incoming packets

$IPT -A INPUT -m unclean -j LOG $LG_OPTIONS "IPTABLES-UNCLEAN: "
$IPT -A INPUT -m state --state INVALID -j LOG $LG_OPTIONS "IPTABLES-INVALID-INPUT: "
$IPT -A INPUT -m unclean -j DROP
$IPT -A INPUT -m state --state INVALID -j DROP

#Drop all packets not addressed to the firewall itself
#Not logging as this is verbose
##$IPT -A INPUT -i $PUBIF -d ! $PUBIP -j LOG $LG_OPTIONS "IPTABLES-NAddr-PUBIF: "
##$IPT -A INPUT -i $PRIVIF -d ! $PRIVIP -j LOG $LG_OPTIONS "IPTABLES-NAddr-PRIV: "
# Not using because we do not know the firewall's public address
#$IPT -A INPUT -i $PUBIF -d ! $PUBIP -j DROP
#$IPT -A INPUT -i $PRIVIF -d ! $PRIVIP -j DROP

#NTP Time
#$IPT -A OUTPUT -o $PUBIF -p udp --dport 123 -j ACCEPT
#$IPT -A INPUT -i $PUBIF -p udp --sport 123 -m state --state RELATED,ESTABLISHED -j ACCEPT

#DNS
#$IPT -A OUTPUT -o $PUBIF -p udp --dport 53 -j ACCEPT
#$IPT -A INPUT -i $PUBIF -p udp --sport 53 -m state --state RELATED,ESTABLISHED -j ACCEPT

#Echo request outgoing ping
$IPT -A OUTPUT -o $PUBIF -p icmp --icmp-type echo-request -j ACCEPT
#Echo Reply
$IPT -A INPUT -i $PUBIF -p icmp --icmp-type echo-reply -j ACCEPT

#Destination Unreachable
$IPT -A INPUT -i $PUBIF -p icmp --icmp-type destination-unreachable -j ACCEPT

#Outgoing Traceroute #****###****#
$IPT -A OUTPUT -o $PUBIF -p udp -j ACCEPT
$IPT -A INPUT -i $PUBIF -p icmp --icmp-type time-exceeded -j ACCEPT

# Accept pings at the rate of one per second
# I will choose stealth and turn this off
#$IPT -A INPUT -i $PUBIF -p icmp --icmp-type echo-request -m limit --limit 1/second -j ACCEPT
#$IPT -A OUTPUT -o $PRIVIF -p icmp --icmp-type echo-reply -j ACCEPT

# Specific Nasty Ports
$IPT -A INPUT -p tcp -i $PUBIF --dport 135:139 -j LOG $LG_OPTIONS "IPTABLES-MS-NETWORKING: "
$IPT -A INPUT -p udp -i $PUBIF --dport 135:139 -j LOG $LG_OPTIONS "IPTABLES-MS-NETWORKING: "
$IPT -A INPUT -p tcp -i $PUBIF --dport 135:139 -j DROP #MS Networking
$IPT -A INPUT -p udp -i $PUBIF --dport 135:139 -j DROP

$IPT -A INPUT -p tcp -i $PUBIF --dport 2049 -j LOG $LG_OPTIONS "IPTABLES-NFS: "
$IPT -A INPUT -p udp -i $PUBIF --dport 2049 -j LOG $LG_OPTIONS "IPTABLES-NFS: "
$IPT -A INPUT -p tcp -i $PUBIF --dport 2049 -j DROP # NFS
$IPT -A INPUT -p udp -i $PUBIF --dport 2049 -j DROP

$IPT -A INPUT -p tcp -i $PUBIF --dport 5999:6003 -j LOG $LG_OPTIONS "IPTABLES-X-WINDOWS: "
$IPT -A INPUT -p udp -i $PUBIF --dport 5999:6003 -j LOG $LG_OPTIONS "IPTABLES-X-WINDOWS: "
$IPT -A INPUT -p tcp -i $PUBIF --dport 5999:6003 -j DROP # Xwindows
$IPT -A INPUT -p udp -i $PUBIF --dport 5999:6003 -j DROP

$IPT -A INPUT -p tcp -i $PUBIF --dport 7100 -j LOG $LG_OPTIONS "IPTABLES-XFS: "
$IPT -A INPUT -p udp -i $PUBIF --dport 7100 -j LOG $LG_OPTIONS "IPTABLES-XFS: "
$IPT -A INPUT -p tcp -i $PUBIF --dport 7100 -j DROP # X Font Server
$IPT -A INPUT -p udp -i $PUBIF --dport 7100 -j DROP

$IPT -A INPUT -p tcp -i $PUBIF --dport 31337 -j LOG $LG_OPTIONS "IPTABLES-BACK-ORIFICE: "
$IPT -A INPUT -p udp -i $PUBIF --dport 31337 -j LOG $LG_OPTIONS "IPTABLES-BACK-ORIFICE: "
$IPT -A INPUT -p tcp -i $PUBIF --dport 31337 -j DROP # Back Orifice
$IPT -A INPUT -p udp -i $PUBIF --dport 31337 -j DROP

$IPT -A INPUT -p tcp -i $PUBIF --dport 12345:12346 -j LOG $LG_OPTIONS "IPTABLES-NETBUS: "
$IPT -A INPUT -p udp -i $PUBIF --dport 12345:12346 -j LOG $LG_OPTIONS "IPTABLES-NETBUS: "
$IPT -A INPUT -p tcp -i $PUBIF --dport 12345:12346 -j DROP # NetBus
$IPT -A INPUT -p udp -i $PUBIF --dport 12345:12346 -j DROP

$IPT -A INPUT -p tcp -i $PUBIF --dport 27374 -j LOG $LG_OPTIONS "IPTABLES-SUBSEVEN: "
$IPT -A INPUT -p udp -i $PUBIF --dport 27374 -j LOG $LG_OPTIONS "IPTABLES-SUBSEVEN: "
$IPT -A INPUT -p tcp -i $PUBIF --dport 27374 -j DROP # SubSeven
$IPT -A INPUT -p udp -i $PUBIF --dport 27374 -j DROP

# Web
$IPT -A INPUT -p tcp -i $PUBIF --dport 80 -j LOG $LG_OPTIONS_LESS "IPTABLES-WEBCRAWLER: "
$IPT -A INPUT -p tcp -i $PUBIF --dport 80 -j DROP #

#INCOMING
# Do not allow any other connections on the external interface, including traceroute
$IPT -A INPUT -i $PUBIF -j LOG $LG_OPTIONS "IPTABLES-CONN-TO-FIREWALL: "
$IPT -A INPUT -i $PUBIF -j DROP
# Do not allow any other connections OUT from the firewall
$IPT -A OUTPUT -o $PUBIF -j DROP


echo Forwarding
#########################################################
############ Forwarding #################################
#########################################################
#Drop all invalid incoming packets
$IPT -A FORWARD -m unclean -j LOG $LG_OPTIONS "IPTABLES-UNCLEAN-FORWARD: "
$IPT -A FORWARD -m unclean -j DROP
#log
$IPT -A FORWARD -m state --state INVALID -j LOG $LG_OPTIONS "IPTABLES-INVALID-FORWARD: "
$IPT -A FORWARD -m state --state INVALID -j DROP


#Block outgoing connections to places we hate
#$IPT -A FORWARD -i $PRIVIF -d $PLACE_WE_HATE -j DROP

#BLOCK outgoing connections by port (last resort defense against DoS)
$IPT -A FORWARD -i $PRIVIF -p tcp --dport 135:139 -j DROP
$IPT -A FORWARD -i $PRIVIF -p udp --dport 135:139 -j DROP

#Allow otherwise unrestricted outgoing connections
$IPT -A FORWARD -i $PRIVIF -o $PUBIF -j ACCEPT
$IPT -A FORWARD -i $PUBIF -o $PRIVIF -m state --state RELATED,ESTABLISHED -j ACCEPT

# NAT Postrouting SNAT
$IPT -t nat -A POSTROUTING -o $PUBIF -s $PRIVNET -j MASQUERADE
#$IPT -t nat -A POSTROUTING -o $PUBIF -s $PRIVNET -j SNAT --to-source $PUBIP

# NAT Prerouting DNAT #########PORT FORWARDING##############
# is it --to-destination ???
$IPT -t nat -A PREROUTING -i $PUBIF -p tcp --dport 22 -j DNAT --to $WSIP:22
$IPT -A FORWARD -i $PUBIF -p tcp -d $WSIP --dport 22 -j ACCEPT

# Trusted Networks
#$IPT -A FORWARD -i $PUBIF -o $PRIVIF -s $TRUSTEDIP -d $WSIP -j ACCEPT
#$IPT -A FORWARD -i $PUBIF -o $PRIVIF -p tcp -s $TRUSTEDIP -d $WSIP --dport 20:21 -j ACCEPT

# Banned Networks
#$IPT -A FORWARD -i $PUBIF -s $BANNEDIP -j DROP
#$IPT -A FORWARD -i $PUBIF -p icmp -s $BANNEDIP -j DROP


#See no Evil; Forward no Evil ## Could this break MS ???
# Pikus destination was public range 1.2.3.0/24 -d 1.2.3.0/24--dport 135:139 -j DROP
# This could break things
$IPT -A FORWARD -p tcp -s 0/0 -d 0/0 --dport 135:139 -j DROP
$IPT -A FORWARD -p udp -s 0/0 -d 0/0 --dport 135:139 -j DROP
$IPT -A FORWARD -p tcp -s 0/0 -d 0/0 --dport 2049 -j DROP # NFS
$IPT -A FORWARD -p udp -s 0/0 -d 0/0 --dport 2049 -j DROP
$IPT -A FORWARD -p tcp -s 0/0 -d 0/0 --dport 5999:6003 -j DROP # Xwindows
$IPT -A FORWARD -p udp -s 0/0 -d 0/0 --dport 5999:6003 -j DROP
$IPT -A FORWARD -p tcp -s 0/0 -d 0/0 --dport 7100 -j DROP # X Font Server
$IPT -A FORWARD -p udp -s 0/0 -d 0/0 --dport 7100 -j DROP
$IPT -A FORWARD -p tcp -s 0/0 -d 0/0 --dport 31337 -j DROP # Back Orifice
$IPT -A FORWARD -p udp -s 0/0 -d 0/0 --dport 31337 -j DROP
$IPT -A FORWARD -p tcp -s 0/0 -d 0/0 --dport 12345:12346 -j DROP # NetBus
$IPT -A FORWARD -p udp -s 0/0 -d 0/0 --dport 12345:12346 -j DROP

#INCOMING
#$IPT -A FORWARD -i $PUBIF -o $PRIVIF -p tcp -d 1.2.3.5 --dport
#ETC

#Set ssh, DNS, and FTP for minimum delay
$IPT -t mangle -A PREROUTING -i $PRIVIF -p udp --dport 53 -j TOS --set-tos Minimize-Delay
$IPT -t mangle -A PREROUTING -i $PRIVIF -p tcp --dport 53 -j TOS --set-tos Minimize-Delay
$IPT -t mangle -A PREROUTING -i $PRIVIF -p tcp --dport 22 -j TOS --set-tos Minimize-Delay

#Set ftp-data and web traffic for maximum throughput
$IPT -t mangle -A PREROUTING -i $PRIVIF -p tcp --dport 80 -j TOS --set-tos Maximize-Throughput
$IPT -t mangle -A PREROUTING -i $PRIVIF -p tcp --dport 20 -j TOS --set-tos Maximize-Throughput


# Deny ICMP Redirects
$IPT -A FORWARD -p icmp --icmp-type redirect -i $PUBIF -j LOG $LG_OPTIONS "IPTABLES-ICMP-REDIRECT: "
$IPT -A FORWARD -p icmp --icmp-type redirect -i $PUBIF -j DROP

#Echo request outgoing ping
$IPT -A FORWARD -o $PUBIF -i $PRIVIF -p icmp --icmp-type echo-request -j ACCEPT
#Echo Reply
$IPT -A FORWARD -i $PUBIF -o $PRIVIF -p icmp --icmp-type echo-reply -j ACCEPT

#Destination Unreachable
$IPT -A FORWARD -i $PUBIF -o $PRIVIF -p icmp --icmp-type destination-unreachable -j ACCEPT

#Outgoing Traceroute #****###****#
#$IPT -A FORWARD -o $PUBIF -i $PRIVIF -p udp -j ACCEPT
$IPT -A FORWARD -i $PUBIF -o $PRIVIF -p icmp --icmp-type time-exceeded -j ACCEPT

# Accept pings at the rate of one per second
# I will choose stealth and turn this off
#$IPT -A FORWARD -i $PUBIF -o $PRIVIF -p icmp --icmp-type echo-request -m limit --limit 1/second -j ACCEPT
#$IPT -A FORWARD -o $PRIVIF -i $PRIVIF -p icmp --icmp-type echo-reply -j ACCEPT

#Guestbook Log all TCP SYN connections
#$IPT -A FORWARD -i $PUBIF -o $PRIVIF -p tcp --tcp-flags SYN,ACK SYN -j LOG $LG_OPTIONS "IPTABLES-SYN-CONN: "

# Do not allow any other connections on the external interface, including traceroute
$IPT -A FORWARD -i $PUBIF -o $PRIVIF -j LOG $LG_OPTIONS "IPTABLES-CONN-FORWARD: "
$IPT -A FORWARD -i $PUBIF -o $PRIVIF -j DROP

# Complete


You can also check out

#http://eressea.pikus.net/~pikus/plug...all/page0.html
for more help.

Hope this helps...


--dubman