File: bastille-netfilter

package info (click to toggle)
bastille 1:1.3.0-2.1
  • links: PTS
  • area: main
  • in suites: woody
  • size: 1,576 kB
  • ctags: 397
  • sloc: perl: 8,407; sh: 1,879; ansic: 638; makefile: 203; csh: 17
file content (630 lines) | stat: -rw-r--r-- 22,633 bytes parent folder | download
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
557
558
559
560
561
562
563
564
565
566
567
568
569
570
571
572
573
574
575
576
577
578
579
580
581
582
583
584
585
586
587
588
589
590
591
592
593
594
595
596
597
598
599
600
601
602
603
604
605
606
607
608
609
610
611
612
613
614
615
616
617
618
619
620
621
622
623
624
625
626
627
628
629
630
#!/bin/sh
#
# /sbin/bastille-netfilter	Load/unload netfilter rulesets
#
# $Source: /cvsroot/bastille-linux/dev/working_tree/Bastille/bastille-netfilter,v $ 
# Modified by: $Author: peterw $
# $Date: 2002/01/11 02:23:14 $
# $Revision: 1.27 $
#
# Copyright (C) 1999-2001 Peter Watkins
#
#    This program is distributed in the hope that it will be useful,
#    but WITHOUT ANY WARRANTY; without even the implied warranty of
#    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
#    GNU General Public License for more details.
#
#    You should have received a copy of the GNU General Public License
#    along with this program; if not, write to the Free Software
#    Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA  02111-1307  USA
#
# Thanks to David Ranch, Brad A, Don G, Jay Beale and others 
# (especially the netfilter mailing list!) for their suggestions
#
# This script is designed to be called BY a SysV-style init script.
#
# It should be run with a "start" argument
#	1) BY an rc?.d "S" script, _before_ the "network" script
#	   (normally via the "bastille-firewall" init script; 
#	    as of 2001/02/14, the only purpose of bastille-firewall
#	    is to start this script)
#	2) any time an interface is brought up or changed, e.g.
#	   establishing a PPP conection or renewing a DHCP lease
# [also copy 'bastille-firewall-reset', 'bastille-firewall-schedule' and
#  'ifup-local' to /sbin/ (in addition to the bastille-firewall init script]
#
#   Normally you Do Not _Ever_ Want to run this with a "stop" argument!
#
# Note that running this with "stop" will disable the firewall and open
# your system to all network traffic; if you make changes to these rules,
# apply them by running the script again with a "start" argument.

PATH=/bin:/sbin:/usr/bin:/usr/sbin
IPTABLES=/sbin/iptables
CONFIG=/etc/Bastille/bastille-firewall.cfg

if [ ! -x ${IPTABLES} ]; then
	echo "ERROR: \"${IPTABLES}\" does not exist!"
	if [ -x /sbin/bastille-ipchains ]; then
		# better to fall back to 'ipchains' than do nothing
		unset IPTABLES
		echo "Executing /sbin/bastille-ipchains $1"
		/sbin/bastille-ipchains $1
		exit $?
	fi
	exit 1
fi

if [ ! -f ${CONFIG} ]; then
	echo "ERROR: unable to read configuration file \"${CONFIG}\""
	exit 1
fi

# source the configuration file, which will set environment variables
. ${CONFIG}

if [ -z "${REJECT_METHOD}" ]; then
	echo "ERROR: no reject method specified (corrupt config file?) Exiting!"
	exit 1
fi


#
# Computed values
# 
# These things should be queried/computed at run time
#
# LOCAL_ADDRESSES
#
# LOCAL_ADDRESSES lists all IP addresses for this server 
#  (for the INTERNAL_SERVICES rules); if you have virtual 
#  network devices, you may want to hand-code this, e.g.
# LOCAL_ADDRESSES="127.0.0.0/8"
#
# The following makes a list of all current IP addresses
LOCAL_ADDRESSES=`ifconfig | grep "inet addr" | awk '{print $2}' | awk -F: '{print $2"/32"}' | sed s:127\.0\.0\.1/32:127.0.0.1/8: `
#
#
# DEFAULT_GW_IFACE
#
# The name of the address that is the default gateway (for SNAT)
DEFAULT_GW_IFACE=`netstat -nr | awk '$1 == "0.0.0.0" {print $8}'`
#
#
# INTERNAL_NETWORKS
#
# INTERNAL_NETWORKS lists the masked networks for the INT_INTERFACES
# e.g. INTERNAL_NETWORKS="10.0.0.0/255.0.0.0"
# The following makes a list of all current internal IP addresses _with netmasks_
for i in ${INTERNAL_IFACES} ; do
	INTERNAL_NETWORKS="${INTERNAL_NETWORKS} `ifconfig ${i} | grep "inet addr" | awk '{print $2":"$4}' | awk -F: '{print $2"/"$4}' | sed 's:127\.0\.0\.1/$:127.0.0.1/8:'`"
	if [ $i = "${DEFAULT_GW_IFACE}" ]; then
		DEFAULT_GW_IP=`ifconfig ${i} | grep "inet addr" | awk '{print $2}'`
	fi
done
#
#
# CALLED_METHOD
#
# Variable to hold $1, for use in functions (which have their own $1 vars)
CALLED_METHOD="$1"
#
#
# REJECT_METHOD
#
# Convert ipchains/DENY to netfilter/DROP
if [ "${REJECT_METHOD}" = "DENY" ]; then
	REJECT_METHOD="DROP"
fi

# counter number to help toubleshoot
RULENUM=0

#
# Shell functions
#
# include_supplemental
# source supplemental (plug-in) firewall scripts
include_supplemental()
{
	# args: $1 = nickname for the supplemental phase
	nickname="$1"
	if [ -e /etc/Bastille/firewall.d/${nickname}.sh ]; then
		cd /etc/Bastille/firewall.d && . ./${nickname}.sh
	fi
	if [ -d /etc/Bastille/firewall.d/${nickname}.d ]; then
		for s in `ls /etc/Bastille/firewall.d/${nickname}.d/*.sh`; do
			cd /etc/Bastille/firewall.d/${nickname}.d && \
			. ${s}
		done
	fi
}
#
# incr_rule_num
# Increment counter number to help toubleshoot
incr_rule_num()
{
	RULENUM=`expr $RULENUM + 1`
	return 0
}
#
# do_masq_mods
# Function to load/unload NAT kernel modules
do_masq_mods()
{
	# args: $1 = "load" or "unload"
	#
	# find the currently loaded modules
	masq_mods=`lsmod | awk '{print $1}' | grep '^ip_nat_'`
	#
	# Step 1: unload unwanted modules
	for m in ${masq_mods} ; do
		UNLOAD_THIS_MOD=Y
		for normal_mod in ${IP_MASQ_MODULES} ; do
			if [ "ip_nat_${normal_mod}" = $m -o "ip_nat_${normal_mod}_conntrack" = $m ]; then
				# this module is _supposed_ to be loaded
				UNLOAD_THIS_MOD=N
			fi
		done
		if [ "${CALLED_METHOD}" = "stop" -o -z "${IP_MASQ_NETWORK}" ]; then
			# we're either disabling the firewall or we've disabled masquerading,
			# so we should unload _all_ masq modules
			UNLOAD_THIS_MOD=Y
		fi
		if [ $UNLOAD_THIS_MOD = "Y" -a $1 = "unload" ]; then
			rmmod ${m} || echo "Error unloading ${m} module"
		fi
	done
	# Step 2: load wanted modules that are not already loaded
	if [ $1 = "load" ]; then
		for normal_mod in ${IP_MASQ_MODULES} ; do
			MOD_LOADED=N
			for m in ${masq_mods} ; do
				if [ "ip_nat_${normal_mod}" = $m ]; then
					MOD_LOADED=Y
				fi
			done
			if [ $MOD_LOADED = "N" ]; then
				insmod "ip_nat_${normal_mod}" || echo "Error loading ip_nat_${normal_mod} module"
			fi
			# try to load any _conntrack variants
			modprobe "ip_nat_${normal_mod}_conntrack" 2>/dev/null
		done
	fi
}

# See how we were called.
case "$1" in
  start|restart|reload)
	#
	# anything to do before resetting?
	include_supplemental pre-reset
	#
	# Make sure we don't have any ipchains rules!
	for c in INPUT OUTPUT FORWARD; do
		ipchains -P ${c} DENY 2>/dev/null
		ipchains -F ${c} 2>/dev/null
	done
	ipchains -X 2>/dev/null
	rmmod ipchains 2>/dev/null
	#
	# For Red Hat users, let's ensure that its firewalls are disabled
	chkconfig=`which chkconfig`
	if [ ! -z "$chkconfig" ]
	then
	        rhtest_ipchains=`chkconfig --list ipchains 2>/dev/null | grep :on`
		rhtest_iptables=`chkconfig --list iptables 2>/dev/null | grep :on`
		bftest=`chkconfig --list bastille-firewall 2>/dev/null | grep :on`
		if [ \( -n "${rhtest_ipchains}" -o -n "${rhtest_iptables}" \) -a -n "${bftest}" ]; then
			echo
	                echo "bastille-firewall conflicts with Red Hat 7.1's 'ipchains'"
	                echo "and 'iptables' firewalls. We are disabling Red Hat's firewalls."
	                [ -n "${rhtest_ipchains}" ] && chkconfig --level 0123456 ipchains off
	                [ -n "${rhtest_iptables}" ] && chkconfig --level 0123456 iptables off
			echo
	        fi
	fi
	#
	# Make sure the iptables/netfilter kernel module is loaded
	modprobe ip_tables
	#
	# Clean up the default chains
	#
	# we set defaults to DROP to minimize possible interruptions
	# if this script is re-run to reset rules
	#
	for chain in INPUT OUTPUT FORWARD ; do
		${IPTABLES} -P ${chain} DROP
		# flush rules
		${IPTABLES} -F ${chain}
	done
	#
	for chain in PREROUTING POSTROUTING ; do
		${IPTABLES} -t nat -F ${chain}
	done
	${IPTABLES} -t mangle -F PREROUTING
	# Our custom chains
	for chain in PUB_IN PUB_OUT INT_IN INT_OUT ; do
		${IPTABLES} -N ${chain} 2> /dev/null
		${IPTABLES} -F ${chain}
		${IPTABLES} -A ${chain} -j DROP
	done

	# PAROLE chain is used for TCP services
	${IPTABLES} -N PAROLE 2> /dev/null
	${IPTABLES} -F PAROLE
	if [ "${IP_ALWAYS_USE_STATE}" = "Y" ]; then
		# nmap NULL scans pass the --syn test, but this doesn't seem
		# to catch them, either
		[ "${LOG_FAILURES}" = "Y" ] && \
		${IPTABLES} -A PAROLE -p tcp --tcp-flags ALL NONE -j LOG --log-level ${IP_LOG_LEVEL} --log-prefix "PAROLE ${REJECT_METHOD} $RULENUM" ; incr_rule_num
		${IPTABLES} -A PAROLE -p tcp --tcp-flags ALL NONE -j ${REJECT_METHOD}
		${IPTABLES} -A PAROLE -p tcp -m state --state NEW --syn -j ACCEPT
		[ "${LOG_FAILURES}" = "Y" ] && \
		${IPTABLES} -A PAROLE -p tcp -j LOG --log-level ${IP_LOG_LEVEL} --log-prefix "PAROLE ${REJECT_METHOD} $RULENUM" ; incr_rule_num
		${IPTABLES} -A PAROLE -p tcp -j ${REJECT_METHOD}
	fi
	${IPTABLES} -A PAROLE -j ACCEPT

        # Run our "early" custom script if it exists
        [ -f /etc/Bastille/bastille-firewall-early.sh ] && . /etc/Bastille/bastille-firewall-early.sh

	# any new-style "early" plugins?
	include_supplemental early

	# enable stateful rules
	modprobe ip_conntrack
	modprobe ip_conntrack_ftp
	modprobe ipt_LOG

	# from the ipchains HOWTO
	if [ "${ENABLE_SRC_ADDR_VERIFY}" = "Y" ]; then
		if [ -e /proc/sys/net/ipv4/conf/all/rp_filter ]; then
        		echo -n "Setting up IP spoofing protection..."
		        for f in /proc/sys/net/ipv4/conf/*/rp_filter; do
            		echo 1 > $f
        		done
        		echo " done."
		else
        		echo "WARNING: errors encountered while trying to enable IP spoofing protection!"
		fi
	fi

	include_supplemental pre-local-block

	# Block any non-local attempts to get localhost addresses
	# per woody@thebunker.net's bugtraq post	
	[ "${LOG_FAILURES}" = "Y" ] && \
	${IPTABLES} -A INPUT -p tcp -d 127.0.0.0/8 ! -i lo -j LOG --log-level ${IP_LOG_LEVEL} --log-prefix "INPUT ${REJECT_METHOD} $RULENUM" ; incr_rule_num
	${IPTABLES} -A INPUT -p tcp -d 127.0.0.0/8 ! -i lo -j ${REJECT_METHOD}

	# Uncomment this to really, truly block active FTP
	# (shouldn't be necessary if ip_conntrack_ftp does its job)
	#if [ ${FORCE_PASV_FTP} = "Y" ]; then
	#	[ "${LOG_FAILURES}" = "Y" ] && \
	#	${IPTABLES} -A INPUT -p tcp --sport ftp-data -j LOG --log-level ${IP_LOG_LEVEL} --log-prefix "INPUT ${REJECT_METHOD} $RULENUM " ; incr_rule_num
	#	${IPTABLES} -A INPUT -p tcp --sport ftp-data -j ${REJECT_METHOD}
	#	[ "${LOG_FAILURES}" = "Y" ] && \
	#	${IPTABLES} -A FORWARD -p tcp --sport ftp-data -j LOG --log-level ${IP_LOG_LEVEL} --log-prefix "FORWARD ${REJECT_METHOD} $RULENUM " ; incr_rule_num
	#	${IPTABLES} -A FORWARD -p tcp --sport ftp-data -j ${REJECT_METHOD}
	#fi

	include_supplemental pre-established

	# Stateful data returns (this should include ICMP messages)
	# ...for data to this box
	${IPTABLES} -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
	${IPTABLES} -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

	# Fragments
	if [ "${ALLOW_FRAGMENTS}" = "N" ]; then
		[ "${LOG_FAILURES}" = "Y" ] && \
		${IPTABLES} -A INPUT -f -j LOG --log-level ${IP_LOG_LEVEL} --log-prefix "INPUT ${REJECT_METHOD} $RULENUM " ; incr_rule_num
		${IPTABLES} -A INPUT -f -j ${REJECT_METHOD}
	fi

	include_supplemental pre-trusted
	
	# Allow all traffic from trusted interfaces
	echo -n "Allowing traffic from trusted interfaces..."
	for t_iface in ${TRUSTED_IFACES} ; do	
		# we could be pickier here, e.g. only allow traffic
		# that looks valid
		${IPTABLES} -A INPUT -i ${t_iface} -j ACCEPT
	done
	echo " done. "

	# If you have networks that route traffic to each other through this
	# server, you may want to add some forwarding rules, here, e.g.
	# one way, 192.168.*.* -> 10.*.*.* with 192.168.*.* on "eth0"
	#
	# Note: I _think_ this is right; if not, please let me know!
	#
	#${IPTABLES} -A FORWARD -i eth0 -s 192.168.0.0/16 -d 10.0.0.0/8 -j ACCEPT
	# the other direction, 10.*.*.* -> 192.168.*.* with 10.*.*.* on "eth1"
	#${IPTABLES} -A FORWARD -i eth1 -d 192.168.0.0/16 -s 10.0.0.0/8 -j ACCEPT	

	include_supplemental pre-mcast-block

	# No packets with multicast source addresses (Joshua K, RFC 1122)
	# (If you want to enable multicast, comment this out!)
	[ "${LOG_FAILURES}" = "Y" ] && \
	${IPTABLES} -A INPUT -s 224.0.0.0/4 -j LOG --log-level ${IP_LOG_LEVEL} --log-prefix "INPUT ${REJECT_METHOD} $RULENUM " ; incr_rule_num
	${IPTABLES} -A INPUT -s 224.0.0.0/4 -j ${REJECT_METHOD}

	# Forwarding

	include_supplemental pre-nat

	# IP Masquerading/forwarding
	#
	# Unload masq modules (maybe we're disabling masquerading, maybe we changed the module list)
	#do_masq_mods unload
	#
	if [ -n "${IP_MASQ_NETWORK}" ]; then
		echo -n "Loading NAT modules..."
		modprobe iptable_nat
		echo " done."
		echo -n "Setting up masquerading rules..."	
		# since we've set the default forwarding policy to
		# reject, we can enable forwarding now
		echo 1 > /proc/sys/net/ipv4/ip_forward
		# set up rules for masqueraded networks
		for net in ${IP_MASQ_NETWORK} ; do
			for pub in ${PUBLIC_IFACES} ; do
				# NAT should be one-way, deny traffic from public
				# interfaces that is addresses to masq'ed networks
				[ "${LOG_FAILURES}" = "Y" ] && \
				${IPTABLES} -A INPUT -d ${net} -i ${pub} -j LOG --log-level ${IP_LOG_LEVEL} --log-prefix "INPUT ${REJECT_METHOD} $RULENUM " ; incr_rule_num
				${IPTABLES} -A INPUT -d ${net} -i ${pub} -j ${REJECT_METHOD}
				# spoofed addreses from outside
				[ "${LOG_FAILURES}" = "Y" ] && \
				${IPTABLES} -A INPUT -s ${net} -i ${pub} -j LOG --log-level ${IP_LOG_LEVEL} --log-prefix "INPUT ${REJECT_METHOD} $RULENUM " ; incr_rule_num
				${IPTABLES} -A INPUT -s ${net} -i ${pub} -j ${REJECT_METHOD}
				if [ "${DROP_SMB_NAT_BCAST}" = "Y" ]; then
					# NetBIOS
					[ "${LOG_FAILURES}" = "Y" ] && \
					${IPTABLES} -A FORWARD -p tcp -s ${net} -o ${pub} --dport 137:139 -d 0.0.0.255/0.0.0.255 -j LOG --log-level ${IP_LOG_LEVEL} --log-prefix "FORWARD ${REJECT_METHOD} $RULENUM " ; incr_rule_num
					${IPTABLES} -A FORWARD -p tcp -s ${net} -o ${pub} --dport 137:139 -d 0.0.0.255/0.0.0.255 -j ${REJECT_METHOD}
					[ "${LOG_FAILURES}" = "Y" ] && \
					${IPTABLES} -A FORWARD -p udp -s ${net} -o ${pub} --dport 137:139 -d 0.0.0.255/0.0.0.255 -j LOG --log-level ${IP_LOG_LEVEL} --log-prefix "FORWARD ${REJECT_METHOD} $RULENUM " ; incr_rule_num
					${IPTABLES} -A FORWARD -p udp -s ${net} -o ${pub} --dport 137:139 -d 0.0.0.255/0.0.0.255 -j ${REJECT_METHOD}
				fi
				# set up a NAT rule with MASQ -- se below for SNAT
				${IPTABLES} -t nat -A POSTROUTING -s ${net} -o ${pub} -j MASQUERADE
				${IPTABLES} -A FORWARD -s ${net} -o ${pub} -j ACCEPT
			done
		done
		# If you have a statuc address for the public interface,
		# you might prefer setting upp static NAT instead of the
		# -j MASQUERADE code above:
		#${IPTABLES} -t nat -A POSTROUTING -o ${DEFAULT_GW_IFACE} -j SNAT --to ${DEFAULT_GW_IP}
		echo " done."
		echo -n "Loading masquerading modules..."	
		do_masq_mods load
		echo " done."
	fi
	
	include_supplemental pre-chain-split

	echo -n "Setting up chains for public/internal interface traffic..."	

	# Direct PUBLIC interface traffic to the proper chain
	for iface in ${PUBLIC_IFACES} ; do
		${IPTABLES} -A INPUT -i ${iface} -j PUB_IN
		${IPTABLES} -A OUTPUT -o ${iface} -j PUB_OUT
	done


	# disallow any attempts to get to internal interfaces from outside
	# not good if this is supposed to route between normal networks
	for int in ${INTERNAL_NETWORKS} ; do
		# deny traffic from public
		# interfaces that is addressed to internal networks
		[ "${LOG_FAILURES}" = "Y" ] && \
		${IPTABLES} -A PUB_IN -d ${int} -j LOG --log-level ${IP_LOG_LEVEL} --log-prefix "PUB_IN ${REJECT_METHOD} $RULENUM " ; incr_rule_num
		${IPTABLES} -A PUB_IN -d ${int} -j ${REJECT_METHOD}
		# spoofed addreses from outside
		[ "${LOG_FAILURES}" = "Y" ] && \
		${IPTABLES} -A PUB_IN -s ${int} -j LOG --log-level ${IP_LOG_LEVEL} --log-prefix "PUB_IN ${REJECT_METHOD} $RULENUM " ; incr_rule_num
		${IPTABLES} -A PUB_IN -s ${int} -j ${REJECT_METHOD}
	done
	
	# direct packets to the INTERNAL_* chains
	for iface in ${INTERNAL_IFACES} ; do
		${IPTABLES} -A INPUT -i ${iface} -j INT_IN
		${IPTABLES} -A OUTPUT -o ${iface} -j INT_OUT
	done
	echo " done. "
		
	echo -n "Setting up general rules..."	

	include_supplemental pre-dhcp

	# Allow response from DHCP servers
	for iface in ${DHCP_IFACES} ; do
		# make link so dhcpcd runs firewall when IP changes (if no such file already)
		[ ! -d /etc/dhcpc ] && mkdir /etc/dhcpc -m 0750
		if [ -x /sbin/bastille-firewall-reset -a ! -L /etc/dhcpc/dhcpcd-${iface}.exe ]; then
			ln -s /sbin/bastille-firewall-reset /etc/dhcpc/dhcpcd-${iface}.exe
		fi
	done

	include_supplemental pre-internal

	# internal interface rules
	# Allow accessses to TCP services on this system
	for serv in ${TCP_INTERNAL_SERVICES} ; do
		${IPTABLES} -A INT_IN -p tcp --dport ${serv} -j PAROLE
	done
	# UDP services
	for serv in ${UDP_INTERNAL_SERVICES} ; do
		${IPTABLES} -A INT_IN -p udp --dport ${serv} -j ACCEPT 
	done
	# ICMP
	# hopefully you don't care about hiding from internal hosts!
	${IPTABLES} -A INT_IN -p icmp -j ACCEPT 
	${IPTABLES} -A INT_OUT -p icmp -j ACCEPT 
	# ...but if you do... try this... (and see the PUB_IN rules below)
	#for type in ${ICMP_ALLOWED_TYPES} ; do
	#	${IPTABLES} -A INT_IN -p icmp --icmp-type ${type} -j ACCEPT 
	#done
        
	include_supplemental pre-input

	# input rules
	#
	# public interfaces

	# --------------------- ICMP --------------------------
	for type in ${ICMP_ALLOWED_TYPES} ; do
		${IPTABLES} -A PUB_IN -p icmp --icmp-type ${type} -j ACCEPT 
	done

	# --------------------- TCP --------------------------
	for serv in ${TCP_PUBLIC_SERVICES} ; do
		${IPTABLES} -A PUB_IN -p tcp --dport ${serv} -j PAROLE
	done
	
	# --------------------- UDP --------------------------
	for serv in ${UDP_PUBLIC_SERVICES} ; do
		${IPTABLES} -A PUB_IN -p udp --dport ${serv} -j ACCEPT 		
	done
	
	include_supplemental pre-audit

	# -------------- Public interface input auditing ---------------
	# Note that this will only audit services that are not actually available
	#
	for service in ${TCP_AUDIT_SERVICES} ; do
		${IPTABLES} -A PUB_IN -p tcp --dport ${service} -m state --state NEW,INVALID -m limit --limit 5/second --limit-burst 8 -j LOG --log-level ${IP_LOG_LEVEL} --log-prefix "audit"
	done   
	for service in ${UDP_AUDIT_SERVICES} ; do
		${IPTABLES} -A PUB_IN -p udp --dport ${service} -m state --state NEW,INVALID -m limit --limit 5/second --limit-burst 8 -j LOG --log-level ${IP_LOG_LEVEL} --log-prefix "audit"
	done   
	for type in ${ICMP_AUDIT_TYPES} ; do
		${IPTABLES} -A PUB_IN -p icmp --icmp-type ${type} -m state --state NEW,INVALID -m limit --limit 5/second --limit-burst 8 -j LOG --log-level ${IP_LOG_LEVEL} --log-prefix "audit"
	done

	# if you're disallowing ICMP, you may be trying to look 
	# invisible/disable ping, so let's just drop these attempts
	[ "${LOG_FAILURES}" = "Y" ] && \
	${IPTABLES} -A PUB_IN -p icmp -j LOG --log-level ${IP_LOG_LEVEL} --log-prefix "PUB_IN DROP $RULENUM" ; incr_rule_num
	${IPTABLES} -A PUB_IN -p icmp -j DROP

	# --------------------- catch-all --------------------------
	# Reject all other traffic (redundant if not logging)
	if [ ${LOG_FAILURES} = "Y" ]; then
		for chain in INPUT PUB_IN INT_IN ; do
			[ "${LOG_FAILURES}" = "Y" ] && \
 			${IPTABLES} -A ${chain} -j LOG --log-level ${IP_LOG_LEVEL} --log-prefix "${chain} ${REJECT_METHOD} $RULENUM " ; incr_rule_num
 			${IPTABLES} -A ${chain} -j ${REJECT_METHOD}
 		done
 	fi

	#
       	echo " done."

	include_supplemental pre-output

	echo -n "Setting up outbound rules..."	
	# 
	# Here you might really lock things down if this is a server,
	# e.g., to keep it from doing anything but connecting to
	# SMTP servers and responding to Web requests, or whatever
	# the specific requirements are. 
	#
	# Such lockdowns are recommended if the situation affords you
	# that flexibility.
	#
	# If you want to only allow the server to respond to requests
	# (and not even make DNS/dhcp/ntp queries!), then uncomment these lines:
	# # Note: if the connection table fills, you won't be able to
	# # respond to requests if you rely on "-m state" with these rules
	# ${IPTABLES} -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
	# [ ${LOG_FAILURES} = "Y" ] && \
	# ${IPTABLES} -A OUTPUT -j LOG --log-level ${IP_LOG_LEVEL} --log-prefix "OUTPUT ${REJECT_METHOD} $RULENUM " ; incr_rule_num
	# ${IPTABLES} -A OUTPUT -j REJECT
	#
	# default is to enable outbound traffic
	${IPTABLES} -P OUTPUT ACCEPT

	include_supplemental pre-policy-reset
	
	# Now that all rules are set, we can change the policies
	# to the user preference safely
	[ ${REJECT_METHOD} != "DROP" ] && ${IPTABLES} -A FORWARD -j ${REJECT_METHOD}
	[ ${REJECT_METHOD} != "DROP" ] && ${IPTABLES} -A INPUT -j ${REJECT_METHOD}
	# to set default "policies" for PUB_* and INT_* chains, add a final rule
	if [ ${LOG_FAILURES} != "Y" ]; then
		# if LOG_FAILURES were set, we would have already done this
		for chain in PUB_IN INT_IN INPUT FORWARD; do
			[ "${LOG_FAILURES}" = "Y" ] && \
			${IPTABLES} -A ${chain} -j LOG --log-level ${IP_LOG_LEVEL} --log-prefix "${chain} ${REJECT_METHOD} $RULENUM " ; incr_rule_num
			${IPTABLES} -A ${chain} -j ${REJECT_METHOD}
		done
	fi
	for chain in PUB_OUT INT_OUT ; do
		${IPTABLES} -A ${chain} -j ACCEPT
	done
	# rule 1 in all of these chains is a deny rule; remove it so other rules work
	for chain in PUB_IN INT_IN PUB_OUT INT_OUT ; do
		${IPTABLES} -D ${chain} -j DROP
	done

	include_supplemental post-rule-setup
	
	echo " done."

	;;
  stop)
	include_supplemental pre-drop-rules
	echo
	echo "WARNING: reverting to default settings (dropping firewall)"
	# We should disable NAT/forwarding even if not set to restore defaults
	echo -n "disabling IP forwarding..."	
	echo 0 > /proc/sys/net/ipv4/ip_forward
	echo " done."
	echo -n "unloading masquerading modules..."	
	do_masq_mods unload
	echo " done."
	# flushing leaves the default input at ${REJECT_METHOD}
	echo -n "resetting default input rules to accept..."
	${IPTABLES} -P INPUT ACCEPT
	echo " done."
	echo -n "resetting default output rule to accept..."
	${IPTABLES} -P OUTPUT ACCEPT
	echo " done."
	#  We disabled forwarding with the /proc interface, but we
	#  reset FORWARD to ACCEPT because that;s the normal default
	echo -n "resetting default forward rule to accept..."
	${IPTABLES} -P FORWARD ACCEPT
	echo " done."
	for chain in INPUT OUTPUT FORWARD ; do
		echo -n "flushing ${chain} rules..."	
		${IPTABLES} -F ${chain}
		echo " done."
	done
	for chain in PREROUTING POSTROUTING ; do
		${IPTABLES} -t nat -F ${chain}
	done
	${IPTABLES} -t mangle -F PREROUTING
	# flush and delete the user-defined chains
	echo -n "removing user-defined chains..."
	for chain in PUB_IN PUB_OUT INT_IN INT_OUT PAROLE ; do
		${IPTABLES} -F ${chain}
		${IPTABLES} -X ${chain}
	done
	include_supplemental post-drop-rules
	echo " done."
	;;
  status)
	${IPTABLES} -L -v -n
	;;
  *)
	echo "Usage: $0 {start|restart|reload|stop|status}"
	exit 1
esac

exit 0