Old 03-21-2008, 04:48 PM   #16
mcnalu
Member
 
Registered: Dec 2006
Location: Glasgow, UK
Distribution: Slackware current
Posts: 423

Rep: Reputation: 73

Just found this page which has some good tips on securing slackware:

http://thomasvanwyk.com/linux/?cat=3
 
Old 03-21-2008, 05:40 PM   #17
dan_slack
Member
 
Registered: May 2004
Location: Bucharest - Romania
Distribution: Slackware 12
Posts: 57

Rep: Reputation: 15
Very nice thread!
Thanks all!
 
Old 03-22-2008, 01:42 AM   #18
SlackWareWolf
Member
 
Registered: Feb 2008
Location: Michigan
Distribution: Slackware, SUSE, Debian, FreeBSD
Posts: 46

Rep: Reputation: 17
Quote:
Originally Posted by General Failure View Post
But even if one managed to get access to someone's box via some bad browser plugin or something, he would only have user rights on that machine. This reduces the harm that could possibly be done to deleting the user's downloads from the aforementioned www.penispills-pron-and-warez.com. Of course it's necessary to apply security updates and have strong passwords, but basically the linux security model is strong by itself. It requires the user to think though. (And that's a good thing)
Heh, that's cute. I'll give you an example:

They get in through there and then have access to only that user's account.

After that they use a local exploit or 0-day to get priv escalation, and THEN they have root through a browser.

For the record I never said Slackware or an OS was at fault for a design flaw on some idiot's plug in, I just said it would work to get you in.

Quote:
And, as you already denoted: The only secure box is of course one that is safely locked away in a room without electricity.
I agree. Even if that DOES make it about as useful as Windows NT.

LOL I'm so funny sometimes
 
Old 03-22-2008, 01:49 AM   #19
SlackWareWolf
Member
 
Registered: Feb 2008
Location: Michigan
Distribution: Slackware, SUSE, Debian, FreeBSD
Posts: 46

Rep: Reputation: 17
Quote:
Originally Posted by T3slider View Post
SlackWareWolf, a lot of those attacks you posted are the fault of the web designer and not the OS (SQL injection? That's largely OS-independent and is due to crappy webpage writing).
Read what I said, I didn't say it had a thing to do with the OS. I just said it was a way in.


Quote:
I'd be more than happy to admit Linux is less secure if I found actual evidence, but I don't think that page is it. (I'm also too lazy to go look for more evidence, but if you really want to make your point feel free)
I wouldn't. Linux gives you a chance to do something you can't do in Windows: become good enough, or hire someone who's good enough, to basically hack the Kernel itself down to NOTHING but what you have to have to run a server, and basically drop ALL packets that aren't related.

That's something you can ONLY do in UNIX as Windows just doesn't give you shit in the way of Kernel configuration.

I have a friend who works in a VERY secure area. He's one of the BEST Hackers I know. He basically has taken a handful of servers, and hacked the server right into the Kernel and stripped out everything else that isn't needed for the machine to boot. All packets not related to that service are dropped, and basically, that is one of the most secure servers around.

By the way, when I say "hacker" I'm not referring in any way to brain dead morons in the media who think a kid downloading a DDOS tool is somehow a hacker. My friend is a true hacker. And one of the few people I know who codes in the Kernel. Which is probably why he makes as much as he does every year heh.

That's how you lock down a box! I can't even begin to think of how I'd do that, but I know it's pretty damn hard to get in after someone has taken time to do it. I mean really they don't even need to update, any packet sent from someone trying to get in is dropped and since the server itself is in the Kernel, you don't need much else. The only thing left is a Kernel basically.

For crappy web page writing, google "goolag" it's basically for that very thing. It's from cDc.
 
Old 03-22-2008, 01:55 AM   #20
SlackWareWolf
Member
 
Registered: Feb 2008
Location: Michigan
Distribution: Slackware, SUSE, Debian, FreeBSD
Posts: 46

Rep: Reputation: 17
Quote:
Originally Posted by General Failure View Post
If someone would use iexplore in wine to visit www.penispills-pron-and-warez.com, I'd say it's his own fault.
I agree.


Quote:
This whole topic seems quite a lot of FUD to me.
FUD? About what? FUD generally means someone is spreading crap rumors to make something else look better. I haven't ONCE said any OS was better than any other in this whole thing. Other than when I said UNIX based stuff is way easier to lock down because you have access to every part of the system and can lock each of those parts down.

Quote:
Of course you are vulnerable when running httpd, of course you are when running sshd. And so on. But please someone tell me where one is vulnerable not running services like that and not running as root. Read: An average, mildly security-aware desktop user.
Turn off all services and don't run as root and I can tell you flat out someone else will be able to.

It's easy. Say a user has no services but is running... Well anything. I'll use BitchX as an example here. An IRC client is fairly common software so I'll go with that.

Well, say that user is on IRC and accepts something from another user and they use a 0-Day exploit for BitchX that allows them to get in from IRC. Well after they're in, they can do priv escalation to get to root.

That has actually happened to a friend of mine. Someone used a 0-Day to get in from IRC, and it was actually Irssi, and then once they got in they did priv escalation to get to root.

Now, how about some other software? How about a web browser? Well, same thing, every piece of code usually has some type of flaw in it, and someone can get in from the browser. Well even if the user isn't logged in as root, they still have access to that account now.

And priv escalation is one of the OLDEST forms of gaining root access on UNIX, and still works. Once they do that, root.

That is how.
 
Old 03-22-2008, 02:04 AM   #21
SlackWareWolf
Member
 
Registered: Feb 2008
Location: Michigan
Distribution: Slackware, SUSE, Debian, FreeBSD
Posts: 46

Rep: Reputation: 17
Quote:
Originally Posted by Tux-Slack View Post
Sure I've rooted machines before too, but all those that I rooted were old and running really old software, like Slackware 9 when there was already Slackware 11 available and other really old machines, like some Red Hats I don't remember the version but some were around 4-5 or something like it, when there was already Red Hat 8 or 9 available. I never could get a machine with newer versions.
Other than the Red Hat versions you named off, those are all still supported with security fixes, so that isn't the best point in saying it was because of old software. Now if someone was still running Red Hat 8 or 9 NOW, THEN I would say OK that's dumb unless they update and upgrade every part by hand.

Quote:
I know there is some certain % of viruses available for Linux, but Linux has a design which makes it harder to viruses to get through, mainly because no one actually uses root for daily operations, so you infect only your home directory, the system stays stable. And another thing, Linux does have less % of people who use it, but most of all its users are more advanced, more elite if you like it that way. But as Linux becomes more user friendly more "click-click" users migrate from windows to Linux.
That's basically what I said really.

Quote:
And I do realize that just closing down all ports doesn't make it "un-crackable", but it sure makes it harder.
Yup, basically what I said.

Quote:
Oh and brute-force is actually really stupid,
Yea, I believe my wording was "This is usually only done by amateurs against other amateurs who are vulnerable to it" or something like that.


Quote:
I had a couple of laughs when I went through the logs, what kind of usernames it's trying to crack etc. I've applied a protection against it only because it was making log reading so much harder (I don't use any special tools for log checkup, plain VIM), so I've applied blockhosts or what's it called to stop them a little bit. I also disabled root login through SSH, and in /etc/shadow I changed root's password with a *, and configured sudo for myself and my other server admin. I've tried a local brute-force on /etc/shadow to see if I can crack some passwords, left it running for like 5 days or so, none could be cracked. I even control my outbound traffic on the server so I think my box is pretty secure, not un-crackable though, which I think none is.
Nice. One thing you may like, is in SUSE Linux, they have this "seccheck" and "security scripts" that run every night and then it takes the results AND all the logs that are "caution" or whatever (you set the level of logging you want and what you want to look at) and it emails the whole thing to you every night along with a list of SUID and other files to watch for and also runs a password cracker to tell you if any passwords should be changed.

Also it shows open ports too.

I really thought it was great, it made that job MUCH easier. Basically I'd get an email every night (You tell it what email address to use and can tell it to send them to root AND another email addy so you can have a good copy of them sent to a Gmail account or whatever for offsite back ups of logs) and then I could sit and read what accounts were there, if any updates were available, everything. It's a great little set up they have there.

Should work fine in Slackware too. SUSE was originally just a German translation of Slackware Linux before they started making their own distro which was actually BASED on Slackware for a long time, and I think it still is but I haven't checked in a while.

They started their company selling Slackware on CD and doing translations into German.

SUSE is the second oldest distro, and that is basically because they didn't start until Slackware. They really liked it obviously

anyway that is the last reply I think, I had to quote everyone since there were so many replies I didn't want to just reply to everything in one.

Enjoy!

And if you get bored reading my replies, my sig on here, the Myspace one, is a link to MY Myspace account for music.

I make music with LMMS on Linux and upload it on there. Enjoy that too, I'm obsessed with Horror movies
 
Old 03-22-2008, 06:30 AM   #22
Tux-Slack
Member
 
Registered: Nov 2006
Location: Slovenia
Distribution: Slackware 13.37
Posts: 511

Rep: Reputation: 37
Nice ending...

I still prefer the old confirmed way with VIM, but I'll have a look at those scripts you mentioned. But I usually have a saying, I don't write 'em, I don't use 'em. I do make exceptions tho.
 
Old 03-22-2008, 02:51 PM   #23
SlackWareWolf
Member
 
Registered: Feb 2008
Location: Michigan
Distribution: Slackware, SUSE, Debian, FreeBSD
Posts: 46

Rep: Reputation: 17
Quote:
Originally Posted by Tux-Slack View Post
Nice ending...

I still prefer the old confirmed way with VIM, but I'll have a look at those scripts you mentioned. But I usually have a saying, I don't write 'em, I don't use 'em. I do make exceptions tho.
Thanks. And yea they are pretty neat. I do like SUSE quite a bit and use it on a few boxes in here.

My music is actually on topic; it's made with Linux and uses a GPL app called LMMS

lol.
 
Old 03-23-2008, 10:52 PM   #24
harryhaller
Member
 
Registered: Sep 2004
Distribution: Slackware-14.2
Posts: 468

Rep: Reputation: Disabled
Quote:
One thing you may like, is in SUSE Linux, they have this "seccheck" and "security scripts" that run every night and then it takes the results AND all the logs that are "caution" or whatever (you set the level of logging you want and what you want to look at) and it emails the whole thing to you every night along with a list of SUID and other files to watch for and also runs a password cracker to tell you if any passwords should be changed.

Also it shows open ports too.

I really thought it was great, it made that job MUCH easier. Basically I'd get an email every night (You tell it what email address to use and can tell it to send them to root AND another email addy so you can have a good copy of them sent to a Gmail account or whatever for offsite back ups of logs) and then I could sit and read what accounts were there, if any updates were available, everything. It's a great little set up they have there.

Should work fine in Slackware too. SUSE was originally just a German translation of Slackware Linux before they started making their own distro which was actually BASED on Slackware for a long time, and I think it still is but I haven't checked in a while.
I just googled and found this:

http://sastk.sourceforge.net/sastk.html

SAStk - Slackware Administrators Security tool kit: includes Seccheck, a port of SuSE's security script.

Thanks everyone for an interesting and useful thread.

There were some things I did not understand. I hope it is not too late for a reply.

What is "priv escalation" and how can one hinder it?

What is "0-Day exploit" and how can one hinder it?
 
Old 03-24-2008, 09:13 AM   #25
tsg
Member
 
Registered: Mar 2008
Posts: 155

Rep: Reputation: 30
Quote:
Originally Posted by harryhaller View Post
What is "priv escalation" and how can one hinder it?
A "priv escalation", short for "privilege escalation", is where a person who has low level (eg. normal user) access on a machine exploits a flaw in an application that has higher access to gain access to those resources. For example, using a buffer overflow in a program that is setuid root.

run 'find / -perm +4000' to get a list of programs that are setuid.
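A defender's version of the two checks described above, tsg's setuid inventory and the nightly SUID list SlackWareWolf describes from SUSE's seccheck, as an added example that is not code from the thread or from seccheck. The scratch directory, baseline file and sample "binaries" are constructed in demo_setup so it runs without root; on a real host the tree to scan is /.

```shell
#!/bin/sh
# Added example, not from the thread or from seccheck: inventory every
# setuid/setgid file under a tree and diff it against a saved baseline, so a
# new setuid binary (what a local privilege-escalation foothold tends to leave
# behind) shows up the next time the check runs. The scratch tree, baseline
# and sample "binaries" in demo_setup are constructed for the demo; on a real
# host run list_setuid / as root and keep the baseline on read-only media.

# Print "mode owner path" for every setuid or setgid regular file under $1.
# -perm /6000 is GNU find's current spelling of the older -perm +6000: match
# if EITHER the setuid (4000) or the setgid (2000) bit is set.
list_setuid() {
    find "$1" -xdev -type f -perm /6000 -printf '%m %u %p\n' 2>/dev/null | sort
}

# Compare the tree under $2 with a baseline file written earlier by
# list_setuid. Prints "+line" for a setuid file that is new (investigate it)
# and "-line" for one that is gone or lost its bit. Returns 0 when nothing
# changed, 1 otherwise, so it can drive a cron job's mail or exit status.
diff_setuid() {
    baseline=$1
    dir=$2
    current=$(mktemp)
    list_setuid "$dir" > "$current"
    # comm -3 keeps only lines unique to one side: baseline-only lines come
    # out bare, current-only lines come out indented with a tab.
    changes=$(comm -3 "$baseline" "$current" | awk '
        substr($0, 1, 1) == "\t" { print "+" substr($0, 2); next }
                                 { print "-" $0 }')
    rm -f "$current"
    if [ -z "$changes" ]; then
        return 0
    fi
    printf '%s\n' "$changes"
    return 1
}

# Constructed demo data: two "legitimate" setuid/setgid files recorded in the
# baseline, then a third setuid file dropped into tmp/ after the baseline was
# taken. Prints the scratch directory so callers can clean it up.
demo_setup() {
    d=$(mktemp -d)
    mkdir -p "$d/bin" "$d/tmp"
    printf '#!/bin/sh\n' > "$d/bin/su_demo"
    chmod 4755 "$d/bin/su_demo"          # setuid, like su or passwd
    printf '#!/bin/sh\n' > "$d/bin/wall_demo"
    chmod 2755 "$d/bin/wall_demo"        # setgid, like wall or write
    list_setuid "$d" > "$d/baseline.txt"
    printf '#!/bin/sh\n' > "$d/tmp/backdoor_demo"
    chmod 4755 "$d/tmp/backdoor_demo"    # appeared after the baseline
    echo "$d"
}

# Usage: ./setuid_audit.sh --demo   (real use: list_setuid / > baseline.txt
# once, then diff_setuid baseline.txt / from cron and mail the output, which
# is the part of seccheck's nightly report this reproduces)
if [ "${1-}" = "--demo" ]; then
    d=$(demo_setup)
    echo "== current setuid/setgid files =="
    list_setuid "$d"
    echo "== changes since baseline =="
    diff_setuid "$d/baseline.txt" "$d" || echo "(setuid files changed)"
    rm -rf "$d"
fi
```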
 
Old 03-24-2008, 04:07 PM   #26
SlackWareWolf
Member
 
Registered: Feb 2008
Location: Michigan
Distribution: Slackware, SUSE, Debian, FreeBSD
Posts: 46

Rep: Reputation: 17
And a 0-day is an exploit not known of yet by the people who support the application it's in. Therefore there is no fix yet. So basically an exploit you can't defend against really.
 
Old 03-28-2008, 06:03 AM   #27
Carpo
Member
 
Registered: Aug 2003
Location: Somewhere
Distribution: Gentoo (for now)
Posts: 364

Original Poster
Rep: Reputation: 30
well the bsd script has stopped a lot of people trying to get on the box,

what i am after is this

web - 80
ftp 2010 (443 pasv 9200:9210)
all connects from lan allowed
all others blocked to ip/dns names

and any other way i can make sure that seeing as the box will be web accessible, i make life for any little tit who wants to try and get in as hard as i possibly can, i do have a router which locks everything but that isn't 100% nor is it so when you open up ports on it and let people in

Last edited by Carpo; 03-28-2008 at 06:51 AM.
 
Old 03-29-2008, 03:23 AM   #28
SlackWareWolf
Member
 
Registered: Feb 2008
Location: Michigan
Distribution: Slackware, SUSE, Debian, FreeBSD
Posts: 46

Rep: Reputation: 17
Quote:
Originally Posted by Carpo View Post
well the bsd script has stopped a lot of people trying to get on the box,

what i am after is this

web - 80
ftp 2010 (443 pasv 9200:9210)
all connects from lan allowed
all others blocked to ip/dns names

and any other way i can make sure that seeing as the box will be web accessible, i make life for any little tit who wants to try and get in as hard as i possibly can, i do have a router which locks everything but that isn't 100% nor is it so when you open up ports on it and let people in

Of course it stops someone trying to get in, but if they're already there it won't do much good. And LAN IPs aren't going to stop anyone from the net. It's not the hardest thing in the world to masquerade as a local IP and get in.
 
Old 03-29-2008, 03:36 AM   #29
Carpo
Member
 
Registered: Aug 2003
Location: Somewhere
Distribution: Gentoo (for now)
Posts: 364

Original Poster
Rep: Reputation: 30
it is when you don't have the first clue of iptables, and that's why I'm asking how the hell would i make a sh script to configure iptables, the lan ips are my other pc(s) and the xbox360 so really only i use them, I'm more interested in stopping people getting in not so much getting out

Last edited by Carpo; 03-29-2008 at 03:39 AM.
 
Old 03-29-2008, 05:48 AM   #30
Tux-Slack
Member
 
Registered: Nov 2006
Location: Slovenia
Distribution: Slackware 13.37
Posts: 511

Rep: Reputation: 37
I'll empty up my IPv4 iptables script and post it to you here in a few moments.
Here it is:
Code:
#!/bin/bash
#
# To open ports go to PORTS section and fill in new ports as needed.
# Then restart this script. You need to be root to do this.
#
# Copyleft (c) 2007,2008 Tomaz Lovrec
# License: GPL
#

# Interfaces
# Change your interfaces.
EXTIF=ppp0
INTIF=eth1
LPDIF=lo
# Turn to 0 if you don't have an internal interface for Green Zone
INT=1

# NAT and forwarding, set to 0 if you don't want to use forwarding.
FWD=1
FWDIP1=10.0.0.10
FWDIP2=10.0.0.15

# Traffic control on Green Zone
DOWNMAX=512
DOWNCEIL=576
UPMAX=128
UPCEIL=192
BANDMAX=102400
NETMAX=1024000

# VPN. Change to 0 if you don't use VPN
VPN=1
VPNIF=tap0
VPNIPRANGE="10.8.0.0/24"

# Programs
IPT=/usr/sbin/iptables
IP6T=/usr/sbin/ip6tables
IFC=/sbin/ifconfig
G=/usr/bin/grep
SED=/usr/bin/sed
TC=/sbin/tc
IP=/sbin/ip

## Interface preferences
# External
# If you don't use PPPoE or PPP connection change the P-t-P: with Bcast:
EXTIP="`$IFC $EXTIF | $G addr: | $SED 's/.*addr:\([^ ]*\) .*/\1/'`"
EXTBC="`$IFC $EXTIF | $G P-t-P: | $SED 's/.*P-t-P:\([^ ]*\) .*/\1/'`"
EXTMSK="`$IFC $EXTIF | $G Mask: | $SED 's/.*Mask:\([^ ]*\) .*/\1/'`"
EXTNET=$EXTIP/$EXTMSK

# Internal
if [ $INT = "1" ]; then
	INTIP="`$IFC $INTIF | $G addr: | $SED 's/.*addr:\([^ ]*\) .*/\1/'`"
	INTBC="`$IFC $INTIF | $G Bcast: | $SED 's/.*Bcast:\([^ ]*\) .*/\1/'`"
	INTMSK="`$IFC $INTIF | $G Mask: | $SED 's/.*Mask:\([^ ]*\) .*/\1/'`"
	INTNET=$INTIP/$INTMSK
fi

# Loopback
LPDIP=127.0.0.1
LPDMSK=255.0.0.0
LPDNET=$LPDIP/$LPDMSK

# VPN
if [ $VPN = "1" ]; then
	VPNIP="`$IFC $VPNIF | $G addr: | $SED 's/.*addr:\([^ ]*\) .*/\1/'`"
	VPNBC="`$IFC $VPNIF | $G P-t-P: | $SED 's/.*P-t-P:\([^ ]*\) .*/\1/'`"
	VPNMSK="`$IFC $VPNIF | $G Mask: | $SED 's/.*Mask:\([^ ]*\) .*/\1/'`"
	VPNNET=$VPNIP/$VPNMSK
fi


#################
#*****PORTS*****#
#*****PORTS*****#
#*****PORTS*****#
#################


### External
## Input
# TCP
EXTINTCP=""

# UDP
EXTINUDP=""

## Output
# TCP
EXTOUTTCP=""

# UDP
EXTOUTUDP=""

### Internal
## Input
# TCP
INTINTCP=""

# UDP
INTINUDP=""

## Output
# TCP
INTOUTTCP=""

# UDP
INTOUTUDP=""

### Forward ports
## 1st IP
# TCP
FWD1TCP=""

# UDP
FWD1UDP=""

## 2nd IP
# TCP
FWD2TCP=""

# UDP 
FWD2UDP=""


# Flush, erase and set default policies
$IPT -F
$IPT -X
$IPT -P INPUT DROP
$IPT -P OUTPUT DROP
$IPT -P FORWARD DROP
# Flush NAT table
$IPT --table nat -F
$IPT --table mangle -F

echo "Setting up iptables..."

# Logging

$IPT -N drop_input 2> /dev/null
$IPT -A drop_input -j LOG --log-prefix 'FW DROP INPUT:'
$IPT -A drop_input -j DROP

$IPT -N drop_output 2> /dev/null
$IPT -A drop_output -j LOG --log-prefix 'FW DROP OUTPUT:'
$IPT -A drop_output -j DROP

$IPT -N drop_forward 2> /dev/null
$IPT -A drop_forward -j LOG --log-prefix 'FW DROP FORWARD:'
$IPT -A drop_forward -j DROP

# Allow loopback
$IPT -A INPUT -i $LPDIF -s $LPDIP -j ACCEPT
$IPT -A INPUT -i $LPDIF -s $EXTIP -j ACCEPT
$IPT -A INPUT -i $LPDIF -s $INTIP -j ACCEPT
$IPT -A OUTPUT -o $LPDIF -s $LPDIP -j ACCEPT
$IPT -A OUTPUT -o $LPDIF -s $EXTIP -j ACCEPT
$IPT -A OUTPUT -o $LPDIF -s $INTIP -j ACCEPT

# Block broadcasts
$IPT -A INPUT -i $EXTIF -d $EXTBC -j drop_input
#$IPT -A INPUT -i $INTIF -d $INTBC -j drop_input
$IPT -A OUTPUT -o $EXTIF -d $EXTBC -j drop_output
#$IPT -A OUTPUT -o $INTIF -d $INTBC -j drop_output

# Block ICMP except ping
# "! --icmp-type 8" is the current iptables syntax; older releases wrote "--icmp-type ! 8"
$IPT -A OUTPUT -o $EXTIF -p icmp ! --icmp-type 8 -j drop_output

####################
# External packets #
####################
## Incoming
# Open TCP ports
for i in $EXTINTCP
do
	$IPT -A INPUT -i $EXTIF -p tcp -d $EXTIP --dport $i --syn -m state --state NEW -j ACCEPT 
done

# Open UDP ports
for i in $EXTINUDP
do
	$IPT -A INPUT -i $EXTIF -p udp -d $EXTIP --dport $i -m state --state NEW -j ACCEPT
done

## Special ports
# Allow Protocol 41 for IPv6 (6in4 tunnel packets addressed to our external IP)
$IPT -A INPUT -i $EXTIF -p 41 -d $EXTIP -j ACCEPT

## Outgoing
# Open TCP ports
for i in $EXTOUTTCP
do
	$IPT -A OUTPUT -o $EXTIF -p tcp -s $EXTIP --dport $i --syn -m state --state NEW -j ACCEPT
done

# Open UDP ports
for i in $EXTOUTUDP
do
	$IPT -A OUTPUT -o $EXTIF -p udp -s $EXTIP --dport $i -m state --state NEW -j ACCEPT
done

# Allow Protocol 41 for IPv6
$IPT -A OUTPUT -o $EXTIF -p 41 -s $EXTIP -j ACCEPT


####################
# Internal packets #
####################
## Incoming
# Open TCP ports
for i in $INTINTCP
do
	$IPT -A INPUT -i $INTIF -p tcp -d $INTIP --dport $i -j ACCEPT
	$IPT -A INPUT -i $INTIF -p tcp -d $EXTIP --dport $i --syn -m state --state NEW -j ACCEPT
done

# Open UDP ports
for i in $INTINUDP
do
	$IPT -A INPUT -i $INTIF -p udp -d $INTIP --dport $i -j ACCEPT
	$IPT -A INPUT -i $INTIF -p udp -d $EXTIP --dport $i -m state --state NEW -j ACCEPT
done

## Outgoing
# Open TCP ports
for i in $INTOUTTCP
do
	$IPT -A OUTPUT -o $INTIF -p tcp -s $INTIP --dport $i --syn -m state --state NEW -j ACCEPT
done

# Open UDP ports
for i in $INTOUTUDP
do
	$IPT -A OUTPUT -o $INTIF -p udp -s $INTIP --dport $i -m state --state NEW -j ACCEPT
done

$IPT -A INPUT -i $INTIF -p 41 -j ACCEPT
#ip6tables -A INPUT -i $INTIF -p ICMPv6 -j ACCEPT
$IPT -A OUTPUT -o $INTIF -p 41 -j ACCEPT
#ip6tables -A OUTPUT -o $INTIF -p ICMPv6 -j ACCEPT

######################
# Forwarding packets #
######################
# Enable IP forwarding
if [ $FWD = "1" ]; then
	echo "Starting NAT (Network Address Translation)..."
	$IPT -A FORWARD -i $EXTIF -o $INTIF -m state --state RELATED,ESTABLISHED -j ACCEPT
	$IPT -A FORWARD -i $INTIF -o $EXTIF -j ACCEPT
	$IPT -A FORWARD -i $VPNIF -o $INTIF -s $VPNIPRANGE -m state --state RELATED,ESTABLISHED -j ACCEPT
	$IPT -A FORWARD -i $INTIF -o $VPNIF -d $VPNIPRANGE -j ACCEPT
	$IPT --table nat -A POSTROUTING -o $VPNIF -d $VPNIPRANGE -j MASQUERADE
	$IPT --table nat -A POSTROUTING -o $EXTIF -j MASQUERADE
# MANGLES for traffic control
	$IPT --table mangle -A INPUT -i $EXTIF -j MARK --set-mark 10
	$IPT --table mangle -A OUTPUT -o $EXTIF -j MARK --set-mark 11
	$IPT --table mangle -A INPUT -i $INTIF -j MARK --set-mark 20
	$IPT --table mangle -A OUTPUT -o $INTIF -j MARK --set-mark 21
	$IPT --table mangle -A FORWARD -i $EXTIF -o $INTIF -j MARK --set-mark 22
	$IPT --table mangle -A POSTROUTING -o $EXTIF -j MARK --set-mark 24
	echo 1 > /proc/sys/net/ipv4/ip_forward

#####
######## Forward rules for Computer 1, FWDIP1.
#####
	# TCP

	for i in $FWD1TCP
	do
		$IPT --table nat -A PREROUTING -p tcp -i $EXTIF -d $EXTIP --dport $i -j DNAT --to $FWDIP1:$i
		$IPT -A FORWARD -p tcp -i $EXTIF -o $INTIF -d $FWDIP1 --dport $i -j ACCEPT
	done

	# UDP
	for i in $FWD1UDP
	do
		$IPT --table nat -A PREROUTING -p udp -i $EXTIF -d $EXTIP --dport $i -j DNAT --to $FWDIP1:$i
		$IPT -A FORWARD -p udp -i $EXTIF -o $INTIF -d $FWDIP1 --dport $i -j ACCEPT
	done

#####
######## Forward rules for Computer 2, FWDIP2.
#####
	# TCP

	for i in $FWD2TCP
	do
		$IPT --table nat -A PREROUTING -p tcp -i $EXTIF -d $EXTIP --dport $i -j DNAT --to $FWDIP2:$i
		$IPT -A FORWARD -p tcp -i $EXTIF -o $INTIF -d $FWDIP2 --dport $i -j ACCEPT
	done

	# UDP
	for i in $FWD2UDP
	do
		$IPT --table nat -A PREROUTING -p udp -i $EXTIF -d $EXTIP --dport $i -j DNAT --to $FWDIP2:$i
		$IPT -A FORWARD -p udp -i $EXTIF -o $INTIF -d $FWDIP2 --dport $i -j ACCEPT
	done

	# IPv6
	$IPT -A FORWARD -p 41 -i $EXTIF -o $INTIF -j ACCEPT
	$IPT -A FORWARD -p 41 -i $INTIF -o $EXTIF -j ACCEPT

####
####### Traffic Control
####
	echo "Starting traffic control..."

	# Flush all first (an error here is expected when no qdisc exists yet)
	$TC qdisc del dev $EXTIF root 2> /dev/null
	$TC qdisc del dev $INTIF root 2> /dev/null

	# Add roots
	$TC qdisc add dev $EXTIF parent root handle 1:0 htb default 10
	$TC qdisc add dev $INTIF parent root handle 2:0 htb default 22
	$TC class add dev $EXTIF parent 1:0 classid 1:1 htb rate ${NETMAX}kbit quantum 1500
	$TC class add dev $INTIF parent 2:0  classid 2:1 htb rate ${BANDMAX}kbit quantum 1500

	# Download
	$TC class add dev $EXTIF parent 1:1 classid 1:10 htb rate ${NETMAX}kbit
	$TC qdisc add dev $EXTIF parent 1:10 handle 10:0 sfq
	$TC class add dev $INTIF parent 2:1 classid 2:20 htb rate ${BANDMAX}kbit
	$TC qdisc add dev $INTIF parent 2:20 handle 20:0 sfq
	$TC class add dev $INTIF parent 2:1 classid 2:22 htb rate ${DOWNMAX}kbit ceil ${DOWNCEIL}kbit
#	$TC qdisc add dev $INTIF parent 2:22 classid 22:0 sfq

	# Upload
	$TC class add dev $EXTIF parent 1:1 classid 1:11 htb rate ${NETMAX}kbit
	$TC qdisc add dev $EXTIF parent 1:11 handle 11:0 sfq
	$TC class add dev $INTIF parent 2:1 classid 2:21 htb rate ${BANDMAX}kbit
	$TC qdisc add dev $INTIF parent 2:21 handle 21:0 sfq
	$TC class add dev $EXTIF parent 1:1 classid 1:24 htb rate ${UPMAX}kbit ceil ${UPCEIL}kbit
#	$TC qdisc add dev $INTIF parent 2:24 classid 24:0 sfq

	$TC filter add dev $EXTIF parent 1:0 protocol ip handle 10 fw classid 1:10
	$TC filter add dev $EXTIF parent 1:0 protocol ip handle 11 fw classid 1:11
	$TC filter add dev $INTIF parent 2:0 protocol ip handle 20 fw classid 2:20
	$TC filter add dev $INTIF parent 2:0 protocol ip handle 21 fw classid 2:21
	$TC filter add dev $INTIF parent 2:0 protocol ip handle 22 fw classid 2:22
	$TC filter add dev $EXTIF parent 1:0 protocol ip handle 24 fw classid 1:24

	$IP rule add fwmark 24 table 24
	$IP rule add fwmark 22 table 22
	$IP rule add fwmark 21 table 21
	$IP rule add fwmark 20 table 20
	$IP rule add fwmark 11 table 11
	$IP rule add fwmark 10 table 10

fi


###################
# VPN Connections #
###################
# On a VPN we allow everything.
if [ $VPN = "1" ]; then
	$IPT -A INPUT -i $VPNIF -j ACCEPT
	$IPT -A OUTPUT -o $VPNIF -j ACCEPT
fi


# Allow ping in
$IPT -A INPUT -i $EXTIF -p icmp -d $EXTIP --icmp-type 8 -m state --state NEW -j ACCEPT
$IPT -A INPUT -i $INTIF -p icmp -d $INTIP --icmp-type 8 -m state --state NEW -j ACCEPT

# Allow ping out
$IPT -A OUTPUT -o $EXTIF -p icmp -s $EXTIP --icmp-type 8 -m state --state NEW -j ACCEPT
$IPT -A OUTPUT -o $INTIF -p icmp -s $INTIP --icmp-type 8 -m state --state NEW -j ACCEPT


# Allow existing
$IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPT -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

# Block everything else and log
$IPT -A INPUT -j drop_input
$IPT -A OUTPUT -j drop_output
$IPT -A FORWARD -j drop_forward

# Done.
echo "Done."
Please go through it carefully. Omit the traffic control if you don't want it, omit VPN if you don't use it.

Last edited by Tux-Slack; 03-29-2008 at 05:56 AM.
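The policy Carpo asked for, written out as an added example that is neither Tux-Slack's script nor code from the thread: web on 80 and FTP on 2010 with passive data 9200:9210 reachable from anywhere, the LAN allowed everything, all other inbound traffic logged and dropped. It keeps the single-NIC-behind-a-router layout Carpo describes; the interface name eth0 and the LAN subnet 192.168.1.0/24 are assumptions.

```shell
#!/bin/sh
# Added example, not Tux-Slack's script and not code from the thread: a
# minimal default-deny INPUT policy for the setup Carpo asks for. Assumptions
# (constructed for the demo, adjust before use): the box has one interface,
# eth0, behind the router; the LAN is 192.168.1.0/24; the router forwards
# 80, 2010 and 9200-9210 to it. Run as root; with DRY_RUN=1 the iptables
# commands are printed instead of applied so the policy can be reviewed first.

IFACE=${IFACE:-eth0}
LANNET=${LANNET:-192.168.1.0/24}
HTTP_PORT=80
FTP_PORT=2010
FTP_PASV=9200:9210

# Wrapper: every rule goes through here so dry runs print instead of apply.
ipt() {
    if [ "${DRY_RUN:-0}" = 1 ]; then
        echo "iptables $*"
    else
        iptables "$@"
    fi
}

build_rules() {
    ipt -F
    ipt -X
    # Deny inbound by default; Carpo wants to stop people getting in, not out.
    ipt -P INPUT DROP
    ipt -P FORWARD DROP
    ipt -P OUTPUT ACCEPT

    ipt -A INPUT -i lo -j ACCEPT
    # Nothing arriving on the wire should claim a loopback source.
    ipt -A INPUT -i "$IFACE" -s 127.0.0.0/8 -j DROP

    # Replies to connections this host started, plus helper-tracked legs.
    # (Load the FTP conntrack helper with ports=2010 if you want the data
    # channel matched as RELATED; the passive range is opened explicitly
    # below anyway.) INVALID catches packets that belong to no connection.
    ipt -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    ipt -A INPUT -m state --state INVALID -j DROP

    # Services reachable from anywhere: web, FTP control, FTP passive data.
    for p in $HTTP_PORT $FTP_PORT $FTP_PASV; do
        ipt -A INPUT -i "$IFACE" -p tcp --dport "$p" -m state --state NEW -j ACCEPT
    done

    # LAN hosts (the other PCs, the Xbox 360) may reach everything. A
    # single-NIC box cannot tell a spoofed LAN source from a real one, which
    # is SlackWareWolf's point above, so the router in front must not forward
    # internet packets that carry LAN source addresses.
    ipt -A INPUT -i "$IFACE" -s "$LANNET" -m state --state NEW -j ACCEPT

    # Answer ping, but not floods.
    ipt -A INPUT -p icmp --icmp-type echo-request -m limit --limit 5/second -j ACCEPT

    # Everything else: log at a rate that keeps the log readable, then drop.
    ipt -A INPUT -m limit --limit 3/minute -j LOG --log-prefix "FW DROP INPUT: "
    ipt -A INPUT -j DROP
}

# Usage: DRY_RUN=1 ./fw.sh --apply   (review)   then   ./fw.sh --apply   (as root)
if [ "${1-}" = "--apply" ]; then
    build_rules
fi
```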
 
  

