Sorry, actually the two lines you posted work perfectly; I had just forgotten to flush my previous rules. The problem is that when I add those lines to my script they have no effect (ports 1024 to 5000 remain in the "closed" state).
Here is my script:
#!/bin/bash
# [Guarddog2]
# DO NOT EDIT!
# This firewall script was generated by "Guarddog" by Simon Edwards
#
# http://www.simonzone.com/software/guarddog/ This script requires Linux
# kernel version 2.2.x and ipchains OR Linux kernel 2.4.x and iptables.
#
# [Description]
#
# [Config]
# LOCALPORTRANGESTART=1024
# LOCALPORTRANGEEND=5999
# DISABLED=0
# LOGREJECT=0
# LOGDROP=1
# LOGABORTEDTCP=0
# LOGIPOPTIONS=1
# LOGTCPOPTIONS=1
# LOGTCPSEQUENCE=1
# LOGLEVEL=4
# LOGRATELIMIT=1
# LOGRATE=1
# LOGRATEUNIT=0
# LOGRATEBURST=10
# LOGWARNLIMIT=1
# LOGWARNRATE=2
# LOGWARNRATEUNIT=1
# DHCPC=0
# DHCPCINTERFACENAME=eth0
# DHCPD=0
# DHCPDINTERFACENAME=eth0
# ALLOWTCPTIMESTAMPS=0
# [Zone]
# NAME=Servers
# COMMENT=IB servers
# ADDRESS=10.11.0.1
# ADDRESS=195.138.138.4
# ADDRESS=195.138.138.6
# [Zone]
# NAME=mail-news
# COMMENT=mail-news
# ADDRESS=140.117.11.12
# ADDRESS=213.239.180.57
# [ServerZone] Internet
# [ClientZone] Local
# CONNECTED=1
# PROTOCOL=dict
# PROTOCOL=https
# PROTOCOL=cddb
# PROTOCOL=icq
# PROTOCOL=ftp
# PROTOCOL=ping
# PROTOCOL=msnmessenger
# PROTOCOL=nicname
# PROTOCOL=http
# PROTOCOL=vj-traceroute
# [ClientZone] Servers
# CONNECTED=0
# [ClientZone] mail-news
# CONNECTED=0
# [ServerZone] Local
# [ClientZone] Internet
# CONNECTED=1
# PROTOCOL=ping
# PROTOCOL=nicname
# PROTOCOL=vj-traceroute
# [ClientZone] Servers
# CONNECTED=1
# PROTOCOL=ping
# PROTOCOL=nicname
# PROTOCOL=vj-traceroute
# [ClientZone] mail-news
# CONNECTED=1
# PROTOCOL=nntp
# [ServerZone] Servers
# [ClientZone] Internet
# CONNECTED=0
# [ClientZone] Local
# CONNECTED=1
# PROTOCOL=nis
# PROTOCOL=esp
# PROTOCOL=https
# PROTOCOL=auth
# PROTOCOL=kerberos
# PROTOCOL=domain
# PROTOCOL=isakmp
# PROTOCOL=redirect
# PROTOCOL=quench
# PROTOCOL=ftp
# PROTOCOL=ping
# PROTOCOL=syslog
# PROTOCOL=icp
# PROTOCOL=bpalogin
# PROTOCOL=socks
# PROTOCOL=squid
# PROTOCOL=nicname
# PROTOCOL=pptp
# PROTOCOL=privoxy
# PROTOCOL=http
# PROTOCOL=vj-traceroute
# PROTOCOL=ah
# [ClientZone] mail-news
# CONNECTED=0
# [ServerZone] mail-news
# [ClientZone] Internet
# CONNECTED=0
# [ClientZone] Local
# CONNECTED=1
# PROTOCOL=smtp
# PROTOCOL=nntp
# PROTOCOL=pop3
# [ClientZone] Servers
# CONNECTED=0
# [End]
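# Real code starts here.
#
# Overview: (1) pick the filter tool (ipchains vs iptables), (2) set kernel
# networking parameters, (3) build the iptables chains.  Rule ORDER inside
# every chain matters: a packet is handled by the first rule that matches,
# and each filter chain ends in 'logdrop', so anything not explicitly
# accepted above that point is logged and dropped (a scanner reports such
# ports as "filtered"; a port that answers "closed" was let through by the
# firewall and simply has no listener).
#
# If you change the line below then also change the # DISABLED line above.
DISABLE_GUARDDOG=0
# GUARDDOG_VERBOSE=1 in the environment makes the script narrate its progress.
if [ -z "${GUARDDOG_VERBOSE:-}" ]; then
  GUARDDOG_VERBOSE=0
fi

#######################################
# Print a progress message when GUARDDOG_VERBOSE=1.
# Globals:   GUARDDOG_VERBOSE (read)
# Arguments: message text
# Outputs:   the message on stdout, or nothing
#######################################
gd_verbose() {
  if [ "$GUARDDOG_VERBOSE" -eq 1 ]; then
    echo "$*"
  fi
}

#######################################
# Switch to the C locale so that ifconfig/gawk output is in the fixed,
# parseable English form the awk programs below expect.  The previous
# LANG/LC_ALL are saved for gd_locale_restore.
# Globals:   LANG, LC_ALL (written), GUARDDOG_BACKUP_LANG,
#            GUARDDOG_BACKUP_LC_ALL (written)
#######################################
gd_locale_c() {
  GUARDDOG_BACKUP_LANG=$LANG
  GUARDDOG_BACKUP_LC_ALL=$LC_ALL
  LANG=C
  LC_ALL=C
  export LANG LC_ALL
}

#######################################
# Undo gd_locale_c.
# Globals:   LANG, LC_ALL (written), GUARDDOG_BACKUP_* (read)
#######################################
gd_locale_restore() {
  LANG=$GUARDDOG_BACKUP_LANG
  LC_ALL=$GUARDDOG_BACKUP_LC_ALL
  export LANG LC_ALL
}

if [ "$DISABLE_GUARDDOG" -eq 0 ]; then
  # Fixed, trusted PATH: this script runs as root.
  PATH=/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/sbin
  # Detect which filter command we should use.
  # 0 = unknown, 1 = ipchains, 2 = iptables
  FILTERSYS=0
  # Check for ipchains.
  for gd_bin in /sbin/ipchains /usr/sbin/ipchains /usr/local/sbin/ipchains; do
    [ -e "$gd_bin" ] && FILTERSYS=1
  done
  # Check for iptables support.  Only the "major.minor" part of the kernel
  # release is kept, e.g. "2.6.32-foo" -> "2.6".
  if [ -e /proc/sys/kernel/osrelease ]; then
    KERNEL_VERSION=$(sed 's/^\([0-9][0-9]*\.[0-9][0-9]*\).*$/\1/' < /proc/sys/kernel/osrelease)
    case "$KERNEL_VERSION" in
      2.[0-3])
        # 2.0 - 2.3 kernels are the ipchains generation; no iptables there.
        ;;
      *)
        # 2.4 and everything newer (2.6, 3.x, 4.x, ...) use iptables.  The
        # original only recognised 2.4/2.5/2.6 and silently did nothing on
        # any later kernel.
        for gd_bin in /sbin/iptables /usr/sbin/iptables /usr/local/sbin/iptables; do
          [ -e "$gd_bin" ] && FILTERSYS=2
        done
        ;;
    esac
  fi
  if [ "$FILTERSYS" -eq 2 ]; then
    ###############################
    ###### iptables firewall ######
    ###############################
    logger -p auth.info -t guarddog "Configuring iptables firewall now."
    gd_verbose "Using iptables."
    gd_verbose "Resetting firewall rules."
    # Shut down all traffic first, so nothing leaks while the chains are
    # being rebuilt.
    iptables -P FORWARD DROP
    iptables -P INPUT DROP
    iptables -P OUTPUT DROP
    # Delete any existing rules and chains.
    iptables -F
    iptables -X
    # Load any special kernel modules.  The FTP helper is what lets the
    # ESTABLISHED,RELATED rules below pass FTP data connections; the module
    # was renamed ip_conntrack_ftp -> nf_conntrack_ftp on later kernels.
    gd_verbose "Loading kernel modules."
    modprobe ip_conntrack_ftp 2> /dev/null || modprobe nf_conntrack_ftp 2> /dev/null
    gd_verbose "Setting kernel parameters."
    # Ignore ICMP echo requests sent to broadcast addresses (smurf protection).
    echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts 2> /dev/null
    # Set the TCP timestamps config (ALLOWTCPTIMESTAMPS=0 in the header).
    echo 0 > /proc/sys/net/ipv4/tcp_timestamps 2> /dev/null
    # Enable TCP SYN Cookie Protection if available.
    test -e /proc/sys/net/ipv4/tcp_syncookies && echo 1 > /proc/sys/net/ipv4/tcp_syncookies 2> /dev/null
    # Refuse source-routed packets.
    echo 0 > /proc/sys/net/ipv4/conf/all/accept_source_route 2> /dev/null
    echo 0 > /proc/sys/net/ipv4/conf/default/accept_source_route 2> /dev/null
    # Log truly weird packets.
    echo 1 > /proc/sys/net/ipv4/conf/all/log_martians 2> /dev/null
    echo 1 > /proc/sys/net/ipv4/conf/default/log_martians 2> /dev/null
    # Set kernel rp_filter. NICs used for IPSEC should not have rp_filter turned on.
    # NOTE: all the ifconfig parsing below matches the legacy net-tools
    # "inet addr:" / "Bcast:" output format; newer net-tools print
    # "inet X netmask Y broadcast Z" and would yield empty lists here.
    gd_locale_c
    # Find the IPs of any ipsecX NICs.
    # (The gensub() regex below lost its ":(" on the web page; restored.)
    IPSEC_IPS="`ifconfig | gawk '/^ipsec\w/ { grabip = 1}
/inet addr:[[:digit:]\\.]+/ { if(grabip==1) printf \"%s \",gensub(/^.*inet addr:([[:digit:]\\.]+).*$/,\"\\\\1\",\"g\",$0)
grabip = 0}'`"
    # Build a list of NIC names and matching IPs, one "nic_ip" per line.
    IP_NIC_PAIRS="`ifconfig | gawk '/^\w/ { nic = gensub(/^(.*):.*/,\"\\\\1\",\"g\",$1)}
/inet addr:.*/ {match($0,/inet addr:[[:digit:]\.]+/)
ip=substr($0,RSTART+10,RLENGTH-10)
printf \"%s_%s\\n\",nic,ip }'`"
    gd_locale_restore
    # Activate rp_filter for each NIC, except for NICs that are using
    # an IP that is involved with IPSEC.  The pair is split on its LAST
    # underscore so a NIC name containing '_' still yields the right IP.
    for X in $IP_NIC_PAIRS ; do
      NIC=${X%_*}
      IP=${X##*_}
      RPF="1"
      for SEC_IP in $IPSEC_IPS ; do
        if [ "$SEC_IP" = "$IP" ]; then
          RPF="0"
        fi
      done
      echo "$RPF" > "/proc/sys/net/ipv4/conf/$NIC/rp_filter" 2> /dev/null
    done
    echo 1 > /proc/sys/net/ipv4/conf/default/rp_filter 2> /dev/null
    # Ephemeral (client) port range.  This is why the outbound rules below
    # use '--sport 1024:5999': local clients never pick a source port outside it.
    echo "1024 5999" > /proc/sys/net/ipv4/ip_local_port_range 2> /dev/null
    gd_verbose "Configuring firewall rules."
    # Set up our logging and packet 'executing' chains.
    # logdrop: rate-limited LOG then DROP.  logdrop2 does the actual logging,
    # limited to 1/s burst 10; overflow is noted by a 2/min "LIMITED" line.
    iptables -N logdrop2
    iptables -A logdrop2 -j LOG --log-prefix "DROPPED " --log-level 4 --log-ip-options --log-tcp-options --log-tcp-sequence
    iptables -A logdrop2 -j DROP
    iptables -N logdrop
    iptables -A logdrop -m limit --limit 1/second --limit-burst 10 -j logdrop2
    iptables -A logdrop -m limit --limit 2/minute --limit-burst 1 -j LOG --log-prefix "LIMITED " --log-level 4
    iptables -A logdrop -j DROP
    # logreject: active rejection (TCP RST / ICMP port-unreachable).
    # LOGREJECT=0 in the header, so no LOG rule is added here.
    iptables -N logreject2
    iptables -A logreject2 -p tcp -j REJECT --reject-with tcp-reset
    iptables -A logreject2 -p udp -j REJECT --reject-with icmp-port-unreachable
    iptables -A logreject2 -j DROP
    iptables -N logreject
    iptables -A logreject -j logreject2
    # Allow loopback traffic.
    iptables -A INPUT -i lo -j ACCEPT
    iptables -A OUTPUT -o lo -j ACCEPT
    # Accept broadcasts from ourself: one "nic_ip_bcast" line per NIC that
    # has a Bcast address.
    gd_locale_c
    IP_BCAST_PAIRS="`ifconfig | gawk '/^\w/ { nic = gensub(/^(.*):.*/,\"\\\\1\",\"g\",$1)}
/inet addr:.*Bcast/ {match($0,/inet addr:[[:digit:]\\.]+/)
ip=substr($0,RSTART+10,RLENGTH-10)
match($0,/Bcast:[[:digit:]\\.]+/)
bcast = substr($0,RSTART+6,RLENGTH-6)
printf \"%s_%s_%s\\n\",nic,ip,bcast }'`"
    gd_locale_restore
    for X in $IP_BCAST_PAIRS ; do
      # Peel fields off from the right so a '_' in the NIC name is harmless.
      BCAST=${X##*_}
      gd_rest=${X%_*}
      IP=${gd_rest##*_}
      NIC=${gd_rest%_*}
      iptables -A INPUT -i "$NIC" -s "$IP" -d "$BCAST" -j ACCEPT
    done
    # Quickly allow anything that belongs to an already established connection.
    iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    # Allow certain critical ICMP types (path MTU / traceroute / error
    # reporting).  FORWARD errors are silenced because forwarding may be
    # unavailable.
    iptables -A INPUT -p icmp --icmp-type destination-unreachable -j ACCEPT # Dest unreachable
    iptables -A OUTPUT -p icmp --icmp-type destination-unreachable -j ACCEPT # Dest unreachable
    iptables -A FORWARD -p icmp --icmp-type destination-unreachable -j ACCEPT &> /dev/null # Dest unreachable
    iptables -A INPUT -p icmp --icmp-type time-exceeded -j ACCEPT # Time exceeded
    iptables -A OUTPUT -p icmp --icmp-type time-exceeded -j ACCEPT # Time exceeded
    iptables -A FORWARD -p icmp --icmp-type time-exceeded -j ACCEPT &> /dev/null # Time exceeded
    iptables -A INPUT -p icmp --icmp-type parameter-problem -j ACCEPT # Parameter Problem
    iptables -A OUTPUT -p icmp --icmp-type parameter-problem -j ACCEPT # Parameter Problem
    iptables -A FORWARD -p icmp --icmp-type parameter-problem -j ACCEPT &> /dev/null # Parameter Problem
    # Work out our local IPs.  NIC_IP gets one "nic_addr" line per inet
    # address AND one per Bcast address, so a NIC with a broadcast address
    # appears twice.
    gd_locale_c
    NIC_IP="`ifconfig | gawk '/^\w/ { nic = gensub(/^(.*):.*/,\"\\\\1\",\"g\",\$1)}
/inet addr:/ { match(\$0,/inet addr:[[:digit:]\\.]+/)
printf \"%s_%s\\n\",nic,substr(\$0,RSTART+10,RLENGTH-10) }
/Bcast/ { match(\$0,/Bcast:[[:digit:]\\.]+/)
printf \"%s_%s\\n\",nic,substr(\$0,RSTART+6,RLENGTH-6) }'`"
    gd_locale_restore
    # Create the nicfilt chain: packets arriving on a known NIC RETURN to
    # INPUT, anything else is logged and dropped.
    iptables -N nicfilt
    GOT_LO=0
    NIC_COUNT=0
    # IPS collects the address part of every NIC_IP line (unicast and
    # broadcast); it feeds the '-d' rules of the s0/s2/s3 split chains.
    IPS=""
    for X in $NIC_IP ; do
      NIC=${X%_*}
      IPS="$IPS ${X##*_}"
      iptables -A nicfilt -i "$NIC" -j RETURN
      # We also take this opportunity to see if we only have a lo interface.
      if [ "$NIC" = "lo" ]; then
        GOT_LO=1
      fi
      # NB: this counts NIC_IP lines, not distinct NICs (a NIC with a Bcast
      # line counts twice); lo normally has no Bcast line, so a lo-only host
      # ends up with exactly 1.
      NIC_COUNT=$((NIC_COUNT + 1))
    done
    iptables -A nicfilt -j logdrop
    # Do we have just a lo interface?
    if [ "$GOT_LO" -eq 1 ] && [ "$NIC_COUNT" -eq 1 ] ; then
      MIN_MODE=1
    else
      MIN_MODE=0
    fi
    # Are there *any* interfaces?
    if [ "$NIC_COUNT" -eq 0 ] ; then
      MIN_MODE=1
    fi
    # If we only have a lo interface or no interfaces then we assume that DNS
    # is not going to work and just skip any iptables calls that need DNS.
    #
    # Zones (from the [Zone] header): 0 = Internet (everything not listed),
    # 1 = Local (this host), 2 = Servers, 3 = mail-news.
    SERVERS_IPS="10.11.0.1 195.138.138.4 195.138.138.6"
    MAILNEWS_IPS="140.117.11.12 213.239.180.57"
    # Filter chains fAtoB carry traffic from zone A to zone B.
    FILTER_CHAINS="f0to1 f0to2 f0to3 f1to0 f1to2 f1to3 f2to0 f2to1 f2to3 f3to0 f3to1 f3to2"
    for gd_chain in $FILTER_CHAINS; do
      iptables -N "$gd_chain"
    done
    # Add rules to the filter chains
    # Traffic from 'Internet' to 'Local'
    # Allow 'ping'
    # Echo Request
    iptables -A f0to1 -p icmp --icmp-type echo-request -j ACCEPT
    # Echo reply
    iptables -A f1to0 -p icmp --icmp-type echo-reply -j ACCEPT
    # Allow 'nicname'
    iptables -A f0to1 -p tcp --sport 1024:65535 --dport 43:43 -m state --state NEW -j ACCEPT
    iptables -A f0to1 -p udp --sport 0:65535 --dport 43:43 -j ACCEPT
    # Allow 'vj-traceroute'
    iptables -A f0to1 -p udp --sport 0:65535 --dport 33434:33600 -j ACCEPT
    # Rejected traffic from 'Internet' to 'Local'
    # Traffic from 'Internet' to 'Servers'
    # Rejected traffic from 'Internet' to 'Servers'
    # Traffic from 'Internet' to 'mail-news'
    # Rejected traffic from 'Internet' to 'mail-news'
    # Traffic from 'Local' to 'Internet'
    # Allow 'dict'
    iptables -A f1to0 -p tcp --sport 1024:5999 --dport 2628:2628 -m state --state NEW -j ACCEPT
    # Allow 'https'
    iptables -A f1to0 -p tcp --sport 1024:5999 --dport 443:443 -m state --state NEW -j ACCEPT
    # Allow 'cddb'
    iptables -A f1to0 -p tcp --sport 1024:5999 --dport 888:888 -m state --state NEW -j ACCEPT
    # Allow 'icq'
    iptables -A f1to0 -p udp --sport 0:65535 --dport 4000:4000 -j ACCEPT
    iptables -A f1to0 -p tcp --sport 1024:65535 --dport 1024:65535 -m state --state NEW -j ACCEPT
    # SECURITY NOTE: the next rule accepts NEW inbound TCP connections from
    # the Internet zone to EVERY unprivileged port (1024-65535) on this host.
    # Any service listening on such a port is reachable from the Internet;
    # ports with no listener answer with a RST and show as "closed" (not
    # "filtered") to a scanner, which is the expected result of this rule.
    iptables -A f0to1 -p tcp --sport 1024:65535 --dport 1024:65535 -m state --state NEW -j ACCEPT
    # Allow 'ftp'
    # Control connection
    iptables -A f1to0 -p tcp --sport 1024:5999 --dport 21:21 -m state --state NEW -j ACCEPT
    # Data connection
    # - Handled by netfilter state tracking
    # Data connection passive mode
    # - Handled by netfilter state tracking
    # Allow 'ping'
    # Echo Request
    iptables -A f1to0 -p icmp --icmp-type echo-request -j ACCEPT
    # Echo reply
    iptables -A f0to1 -p icmp --icmp-type echo-reply -j ACCEPT
    # Allow 'msnmessenger'
    iptables -A f1to0 -p tcp --sport 1024:5999 --dport 1863:1863 -m state --state NEW -j ACCEPT
    # Allow 'nicname'
    iptables -A f1to0 -p tcp --sport 1024:5999 --dport 43:43 -m state --state NEW -j ACCEPT
    iptables -A f1to0 -p udp --sport 0:65535 --dport 43:43 -j ACCEPT
    # Allow 'http'
    iptables -A f1to0 -p tcp --sport 1024:5999 --dport 80:80 -m state --state NEW -j ACCEPT
    iptables -A f1to0 -p tcp --sport 1024:5999 --dport 8080:8080 -m state --state NEW -j ACCEPT
    iptables -A f1to0 -p tcp --sport 1024:5999 --dport 8008:8008 -m state --state NEW -j ACCEPT
    iptables -A f1to0 -p tcp --sport 1024:5999 --dport 8000:8000 -m state --state NEW -j ACCEPT
    iptables -A f1to0 -p tcp --sport 1024:5999 --dport 8888:8888 -m state --state NEW -j ACCEPT
    # Allow 'vj-traceroute'
    iptables -A f1to0 -p udp --sport 0:65535 --dport 33434:33600 -j ACCEPT
    # Rejected traffic from 'Local' to 'Internet'
    # Traffic from 'Local' to 'Servers'
    # Allow 'nis'
    # RPC port mapper service
    iptables -A f1to2 -p tcp --sport 0:65535 --dport 111:111 -m state --state NEW -j ACCEPT
    # RPC port mapper service
    iptables -A f1to2 -p udp --sport 0:65535 --dport 111:111 -j ACCEPT
    # General RPC traffic
    iptables -A f1to2 -p tcp --sport 0:65535 --dport 1024:65535 -m state --state NEW -j ACCEPT
    # General RPC traffic
    iptables -A f1to2 -p udp --sport 0:65535 --dport 1024:65535 -j ACCEPT
    # Allow 'esp'
    iptables -A f1to2 -p 50 -j ACCEPT
    # Allow 'https'
    iptables -A f1to2 -p tcp --sport 1024:5999 --dport 443:443 -m state --state NEW -j ACCEPT
    # Allow 'auth'
    iptables -A f1to2 -p tcp --sport 1024:5999 --dport 113:113 -m state --state NEW -j ACCEPT
    iptables -A f1to2 -p udp --sport 0:65535 --dport 113:113 -j ACCEPT
    # Allow 'kerberos'
    # Ticket requests
    iptables -A f1to2 -p udp --sport 1024:5999 --dport 88:88 -j ACCEPT
    # Kerberos 5-to-4 ticket conversion
    iptables -A f1to2 -p udp --sport 1024:5999 --dport 4444:4444 -j ACCEPT
    # Changing password (kpasswd under unix)
    iptables -A f1to2 -p tcp --sport 1024:5999 --dport 749:749 -m state --state NEW -j ACCEPT
    # Changing password (under windows, old interface)
    iptables -A f1to2 -p tcp --sport 1024:5999 --dport 464:464 -m state --state NEW -j ACCEPT
    # Changing password (under windows, new interface)
    iptables -A f1to2 -p udp --sport 1024:5999 --dport 464:464 -j ACCEPT
    # Running kadmin (same port as kpasswd above; kept as generated)
    iptables -A f1to2 -p tcp --sport 1024:5999 --dport 749:749 -m state --state NEW -j ACCEPT
    # Allow 'domain'
    iptables -A f1to2 -p tcp --sport 0:65535 --dport 53:53 -m state --state NEW -j ACCEPT
    iptables -A f1to2 -p udp --sport 0:65535 --dport 53:53 -j ACCEPT
    # Allow 'isakmp'
    iptables -A f1to2 -p udp --sport 0:65535 --dport 500:500 -j ACCEPT
    # Allow 'redirect'
    iptables -A f2to1 -p icmp --icmp-type redirect -j ACCEPT
    # Allow 'quench'
    iptables -A f1to2 -p icmp --icmp-type source-quench -j ACCEPT
    # Allow 'ftp'
    # Control connection
    iptables -A f1to2 -p tcp --sport 1024:5999 --dport 21:21 -m state --state NEW -j ACCEPT
    # Data connection
    # - Handled by netfilter state tracking
    # Data connection passive mode
    # - Handled by netfilter state tracking
    # Allow 'ping'
    # Echo Request
    iptables -A f1to2 -p icmp --icmp-type echo-request -j ACCEPT
    # Echo reply
    iptables -A f2to1 -p icmp --icmp-type echo-reply -j ACCEPT
    # Allow 'syslog'
    iptables -A f1to2 -p udp --sport 0:65535 --dport 514:514 -j ACCEPT
    # Allow 'icp'
    iptables -A f1to2 -p udp --sport 1024:65535 --dport 3130:3130 -j ACCEPT
    iptables -A f2to1 -p udp --sport 1024:65535 --dport 3130:3130 -j ACCEPT
    # Allow 'bpalogin'
    # Authentication
    iptables -A f1to2 -p tcp --sport 1024:5999 --dport 5050:5050 -m state --state NEW -j ACCEPT
    # Heartbeat
    iptables -A f2to1 -p udp --sport 5050:5050 --dport 5050:5050 -j ACCEPT
    # Allow 'socks'
    iptables -A f1to2 -p tcp --sport 1024:5999 --dport 1080:1080 -m state --state NEW -j ACCEPT
    iptables -A f1to2 -p udp --sport 0:65535 --dport 1080:1080 -j ACCEPT
    # Allow 'squid'
    # default
    iptables -A f1to2 -p tcp --sport 1024:5999 --dport 3128:3128 -m state --state NEW -j ACCEPT
    # Allow 'nicname'
    iptables -A f1to2 -p tcp --sport 1024:5999 --dport 43:43 -m state --state NEW -j ACCEPT
    iptables -A f1to2 -p udp --sport 0:65535 --dport 43:43 -j ACCEPT
    # Allow 'pptp'
    # Control connection
    iptables -A f1to2 -p tcp --sport 1024:5999 --dport 1723:1723 -m state --state NEW -j ACCEPT
    iptables -A f1to2 -p 47 -j ACCEPT
    # Allow 'privoxy'
    iptables -A f1to2 -p tcp --sport 1024:5999 --dport 8118:8118 -m state --state NEW -j ACCEPT
    # Allow 'http'
    iptables -A f1to2 -p tcp --sport 1024:5999 --dport 80:80 -m state --state NEW -j ACCEPT
    iptables -A f1to2 -p tcp --sport 1024:5999 --dport 8080:8080 -m state --state NEW -j ACCEPT
    iptables -A f1to2 -p tcp --sport 1024:5999 --dport 8008:8008 -m state --state NEW -j ACCEPT
    iptables -A f1to2 -p tcp --sport 1024:5999 --dport 8000:8000 -m state --state NEW -j ACCEPT
    iptables -A f1to2 -p tcp --sport 1024:5999 --dport 8888:8888 -m state --state NEW -j ACCEPT
    # Allow 'vj-traceroute'
    iptables -A f1to2 -p udp --sport 0:65535 --dport 33434:33600 -j ACCEPT
    # Allow 'ah'
    iptables -A f1to2 -p 51 -j ACCEPT
    # Rejected traffic from 'Local' to 'Servers'
    # Traffic from 'Local' to 'mail-news'
    # Allow 'smtp'
    iptables -A f1to3 -p tcp --sport 1024:5999 --dport 25:25 -m state --state NEW -j ACCEPT
    # Allow 'nntp'
    iptables -A f1to3 -p tcp --sport 1024:5999 --dport 119:119 -m state --state NEW -j ACCEPT
    # Allow 'pop3'
    iptables -A f1to3 -p tcp --sport 1024:5999 --dport 110:110 -m state --state NEW -j ACCEPT
    # Rejected traffic from 'Local' to 'mail-news'
    # Traffic from 'Servers' to 'Internet'
    # Rejected traffic from 'Servers' to 'Internet'
    # Traffic from 'Servers' to 'Local'
    # Allow 'ping'
    # Echo Request
    iptables -A f2to1 -p icmp --icmp-type echo-request -j ACCEPT
    # Echo reply
    iptables -A f1to2 -p icmp --icmp-type echo-reply -j ACCEPT
    # Allow 'nicname'
    iptables -A f2to1 -p tcp --sport 1024:65535 --dport 43:43 -m state --state NEW -j ACCEPT
    iptables -A f2to1 -p udp --sport 0:65535 --dport 43:43 -j ACCEPT
    # Allow 'vj-traceroute'
    iptables -A f2to1 -p udp --sport 0:65535 --dport 33434:33600 -j ACCEPT
    # Rejected traffic from 'Servers' to 'Local'
    # Traffic from 'Servers' to 'mail-news'
    # Rejected traffic from 'Servers' to 'mail-news'
    # Traffic from 'mail-news' to 'Internet'
    # Rejected traffic from 'mail-news' to 'Internet'
    # Traffic from 'mail-news' to 'Local'
    # Allow 'nntp'
    iptables -A f3to1 -p tcp --sport 1024:65535 --dport 119:119 -m state --state NEW -j ACCEPT
    # Rejected traffic from 'mail-news' to 'Local'
    # Traffic from 'mail-news' to 'Servers'
    # Rejected traffic from 'mail-news' to 'Servers'
    # Place DROP and log rules at the end of our filter chains.
    # Failing all the rules above, we log and DROP the packet.
    for gd_chain in $FILTER_CHAINS; do
      iptables -A "$gd_chain" -j logdrop
    done
    # Add some temp DNS accept rules to the input and output chains.
    # This is so that we can pass domain names to iptables and have it be
    # able to look them up without being blocked by our half-complete firewall.
    # (Every zone address in this script is a literal IP, so no lookup
    # actually happens; the rules are kept because they are removed again
    # below and cost nothing.)
    if [ "$MIN_MODE" -eq 0 ] ; then
      iptables -A OUTPUT -p tcp --sport 0:65535 --dport 53:53 -j ACCEPT
      iptables -A INPUT -p tcp ! --syn --sport 53:53 --dport 0:65535 -j ACCEPT
      iptables -A OUTPUT -p udp --sport 0:65535 --dport 53:53 -j ACCEPT
      iptables -A INPUT -p udp --sport 53:53 --dport 0:65535 -j ACCEPT
    fi
    # Chain to split traffic coming from zone 'Internet' by dest zone.
    # Order: this host's addresses (incl. broadcast) -> Local, then the named
    # zones, then everything else is dropped.
    iptables -N s0
    for X in $IPS ; do
      iptables -A s0 -d "$X" -j f0to1
    done
    if [ "$MIN_MODE" -eq 0 ] ; then
      for X in $SERVERS_IPS ; do
        iptables -A s0 -d "$X" -j f0to2
      done
      for X in $MAILNEWS_IPS ; do
        iptables -A s0 -d "$X" -j f0to3
      done
    fi
    iptables -A s0 -j logdrop
    # Chain to split traffic coming from zone 'Local' by dest zone
    iptables -N s1
    if [ "$MIN_MODE" -eq 0 ] ; then
      for X in $SERVERS_IPS ; do
        iptables -A s1 -d "$X" -j f1to2
      done
      for X in $MAILNEWS_IPS ; do
        iptables -A s1 -d "$X" -j f1to3
      done
    fi
    iptables -A s1 -j f1to0
    # Chain to split traffic coming from zone 'Servers' by dest zone
    iptables -N s2
    for X in $IPS ; do
      iptables -A s2 -d "$X" -j f2to1
    done
    if [ "$MIN_MODE" -eq 0 ] ; then
      for X in $MAILNEWS_IPS ; do
        iptables -A s2 -d "$X" -j f2to3
      done
    fi
    iptables -A s2 -j f2to0
    # Chain to split traffic coming from zone 'mail-news' by dest zone
    iptables -N s3
    for X in $IPS ; do
      iptables -A s3 -d "$X" -j f3to1
    done
    if [ "$MIN_MODE" -eq 0 ] ; then
      for X in $SERVERS_IPS ; do
        iptables -A s3 -d "$X" -j f3to2
      done
    fi
    iptables -A s3 -j f3to0
    # Create the srcfilt chain: classify by source zone.  Zone membership is
    # by source IP only, so it is only as trustworthy as the network path
    # (spoofed sources are mitigated by rp_filter above, not by this chain).
    iptables -N srcfilt
    if [ "$MIN_MODE" -eq 0 ] ; then
      for X in $SERVERS_IPS ; do
        iptables -A srcfilt -s "$X" -j s2
      done
      for X in $MAILNEWS_IPS ; do
        iptables -A srcfilt -s "$X" -j s3
      done
    fi
    # Assume internet default rule
    iptables -A srcfilt -j s0
    if [ "$MIN_MODE" -eq 0 ] ; then
      # Remove the temp DNS accept rules
      iptables -D OUTPUT -p tcp --sport 0:65535 --dport 53:53 -j ACCEPT
      iptables -D INPUT -p tcp ! --syn --sport 53:53 --dport 0:65535 -j ACCEPT
      iptables -D OUTPUT -p udp --sport 0:65535 --dport 53:53 -j ACCEPT
      iptables -D INPUT -p udp --sport 53:53 --dport 0:65535 -j ACCEPT
    fi
    # The output chain is very simple. We direct everything to the
    # 'source is local' split chain.
    iptables -A OUTPUT -j s1
    # Inbound: first reject unknown interfaces, then classify by source.
    iptables -A INPUT -j nicfilt
    iptables -A INPUT -j srcfilt
    # All traffic on the forward chains goes to the srcfilt chain.
    iptables -A FORWARD -j srcfilt &> /dev/null
    logger -p auth.info -t guarddog "Finished configuring firewall"
    gd_verbose "Finished."
  else
    # Nothing was configured: no iptables binary was found, or the kernel
    # looked like an ipchains-era one (this script has no ipchains branch).
    # Say so loudly; a silent no-op here leaves the host with whatever rules
    # were already loaded and looks exactly like "the new rules have no effect".
    logger -p auth.warning -t guarddog "No usable iptables found (FILTERSYS=$FILTERSYS); firewall NOT configured."
    printf 'guarddog: no usable iptables found (FILTERSYS=%s); firewall NOT configured.\n' "$FILTERSYS" >&2
  fi
fi
true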