Help !!!
Jimmy Yap
ni88798@yahoo.com
Fri, 21 Dec 2001 07:46:20 -0800 (PST)
Hi,
I have built a small LAN:
EXT NETWORK - FIREWALL - INT NETWORK
I have the following script, but I seem to have a problem
using FTP from my EXT NETWORK to my FIREWALL. Can someone
please help me!
Cheers !
PS: My script is attached to this email!
Content-Type: text/plain; name=ipt-2
Content-Description: ipt-2
Content-Disposition: inline; filename=ipt-2
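#!/bin/sh
# iptables firewall for a two-interface host:
#   EXT NETWORK (eth0) - FIREWALL (this host) - INT NETWORK (eth1)
#
# The script is meant to be re-runnable: it sets DROP policies, flushes every
# table it touches (filter, nat, mangle), rebuilds all user chains and then
# installs the INPUT / OUTPUT / FORWARD rules.  Run as root, no arguments.
#
# POSIX sh on purpose, and no "set -e": a missing kernel module or an
# unsupported match must not abort the run half-way through the ruleset.

# Location of the iptables binary
IPTABLES="/sbin/iptables"

# Interfaces
INT_INTERFACE="eth1"
EXT_INTERFACE="eth0"
LOOPBACK_INTERFACE="lo"

# Internal network addressing
INT_NETWORK="192.168.1.0/24"
INT_ADDRESS="192.168.1.1"
EXT_ADDRESS="111.222.111.1"
NAMESERVER_1="192.168.1.20"
SUBNET_BASE="192.168.1.0"
SUBNET_BROADCAST="192.168.1.255"
# "0.0.0.0/0" is how iptables spells "any address"; the earlier value "ANY/0"
# is not a valid address specification.
ANYWHERE="0.0.0.0/0"

# Reserved address ranges (RFC 1918 private space, multicast, class E)
LOOPBACK="127.0.0.0/8"
CLASS_A="10.0.0.0/8"
CLASS_B="172.16.0.0/12"
CLASS_C="192.168.0.0/16"
CLASS_D_MULTICAST="224.0.0.0/4"
CLASS_E_RESERVED_NET="240.0.0.0/5"
BROADCAST_SRC="0.0.0.0"
BROADCAST_DEST="255.255.255.255"
LOG_LEVEL="notice"

# ------------------------------------------------------------------------------
# Helper functions
# ------------------------------------------------------------------------------

# write_sysctl VALUE FILE...
# Writes VALUE into each /proc/sys file given.  Files that do not exist on this
# kernel (or an unmatched glob) are skipped instead of producing an error.
write_sysctl() {
  value=$1
  shift
  for f in "$@"; do
    if [ -e "$f" ]; then
      echo "$value" > "$f"
    fi
  done
}

# deny_ports PROTO "PORT PORT:PORT ..."
# Appends a rate-limited LOG and a DROP to DENY_PORTS for each port (or port
# range), matched as destination port and as source port.
# Note: matching on --sport also drops a legitimate peer whose ephemeral source
# port happens to fall inside one of these ranges, which shows up as
# intermittent connection failures (e.g. for FTP clients).
deny_ports() {
  proto=$1
  # $2 is a space-separated list; word-splitting is intended
  for port in $2; do
    for dir in dport sport; do
      "$IPTABLES" -A DENY_PORTS -p "$proto" --"$dir" "$port" -m limit --limit 5/minute \
        -j LOG --log-level "$LOG_LEVEL" --log-prefix "DENIED PORT:"
      "$IPTABLES" -A DENY_PORTS -p "$proto" --"$dir" "$port" -j DROP
    done
  done
}

# allow_ports PROTO "PORT ..."
# Appends an ACCEPT for NEW connections to each destination port to ALLOW_PORTS.
allow_ports() {
  proto=$1
  # $2 is a space-separated list; word-splitting is intended
  for port in $2; do
    "$IPTABLES" -A ALLOW_PORTS -m state --state NEW -p "$proto" --dport "$port" -j ACCEPT
  done
}

# set_tos_rules CHAIN
# Sets the TOS byte on well-known services in the given mangle chain.
# TOS values (see: iptables -m tos -h):
#   Minimize-Delay 16 (0x10)   Maximize-Throughput 8 (0x08)
#   Maximize-Reliability 4 (0x04)   Minimize-Cost 2 (0x02)   Normal-Service 0 (0x00)
# Each entry is PROTO:PORT:TOS.
set_tos_rules() {
  chain=$1
  for spec in tcp:20:8 tcp:21:16 tcp:22:16 tcp:23:16 tcp:25:16 tcp:53:16 udp:53:16 tcp:80:8; do
    proto=${spec%%:*}
    rest=${spec#*:}
    port=${rest%%:*}
    tos=${rest#*:}
    "$IPTABLES" -t mangle -A "$chain" -p "$proto" --dport "$port" -j TOS --set-tos "$tos"
  done
}

# ------------------------------------------------------------------------------
# Kernel settings
# ------------------------------------------------------------------------------
# Enable IP forwarding (this host routes between INT and EXT)
write_sysctl 1 /proc/sys/net/ipv4/ip_forward
# Enable TCP SYN cookie protection
write_sysctl 1 /proc/sys/net/ipv4/tcp_syncookies
# Enable always-defragment protection (left disabled, as in the original setup)
# write_sysctl 1 /proc/sys/net/ipv4/ip_always_defrag
# Ignore pings to broadcast addresses
write_sysctl 1 /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
# Ignore bogus ICMP error responses
write_sysctl 1 /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses
# Reverse-path (spoofing) filter on every interface
write_sysctl 1 /proc/sys/net/ipv4/conf/*/rp_filter
# Do not accept or send ICMP redirects
write_sysctl 0 /proc/sys/net/ipv4/conf/*/accept_redirects
write_sysctl 0 /proc/sys/net/ipv4/conf/*/send_redirects
# Do not accept source-routed packets
write_sysctl 0 /proc/sys/net/ipv4/conf/*/accept_source_route
# Log spoofed, source-routed and redirect packets
write_sysctl 1 /proc/sys/net/ipv4/conf/*/log_martians

# ------------------------------------------------------------------------------
# Kernel modules
# ------------------------------------------------------------------------------
/sbin/depmod -a
# Targets: LOG, REJECT and MASQUERADE
/sbin/modprobe ipt_LOG
/sbin/modprobe ipt_REJECT
/sbin/modprobe ipt_MASQUERADE
# Owner matching
/sbin/modprobe ipt_owner
# Connection-tracking helpers for FTP and IRC.  ip_conntrack_ftp is what lets
# FTP data connections be accepted as RELATED by KEEP_STATE below.
/sbin/modprobe ip_conntrack_ftp
/sbin/modprobe ip_conntrack_irc

# ------------------------------------------------------------------------------
# Default policies and flush
# ------------------------------------------------------------------------------
# Policies first, so the host is closed rather than open while the ruleset is
# being rebuilt.
"$IPTABLES" -P INPUT DROP
"$IPTABLES" -P OUTPUT DROP
"$IPTABLES" -P FORWARD DROP

# Flush and delete every chain in every table this script touches.  A bare -F
# flushes the built-in *and* the user chains, which -X needs (it refuses to
# delete a non-empty chain).  The nat table is flushed too; without that each
# run appended one more SNAT rule to POSTROUTING.
"$IPTABLES" -F
"$IPTABLES" -X
"$IPTABLES" -t nat -F
"$IPTABLES" -t nat -X
"$IPTABLES" -t mangle -F
"$IPTABLES" -t mangle -X

# ------------------------------------------------------------------------------
# Network Address Translation
# ------------------------------------------------------------------------------
# Source-NAT the internal network to the firewall's external address, limited
# to traffic actually leaving on the external interface.
"$IPTABLES" -t nat -A POSTROUTING -s "$INT_NETWORK" -o "$EXT_INTERFACE" -j SNAT --to-source "$EXT_ADDRESS"
#$IPTABLES -t nat -A PREROUTING -i $EXT_INTERFACE -p tcp -d $EXT_ADDRESS --dport 21 -j DNAT --to-destination 131.227.179.15:21

# ------------------------------------------------------------------------------
# User chain KEEP_STATE - generic connection-state handling
# ------------------------------------------------------------------------------
"$IPTABLES" -N KEEP_STATE
# DROP packets that connection tracking cannot associate with any connection
"$IPTABLES" -A KEEP_STATE -m state --state INVALID -j DROP
# DROP packets matched by the (experimental) unclean match.  If the module is
# not available only this one rule fails to load; the chain still works.
"$IPTABLES" -A KEEP_STATE -m unclean -j DROP
# ACCEPT packets belonging or related to an established connection
"$IPTABLES" -A KEEP_STATE -m state --state RELATED,ESTABLISHED -j ACCEPT

# ------------------------------------------------------------------------------
# User chain CHECK_FLAGS - LOG/DROP TCP packets with illegal flag combinations
# ------------------------------------------------------------------------------
"$IPTABLES" -N CHECK_FLAGS
# FIN/URG/PSH only ("xmas" scan)
"$IPTABLES" -A CHECK_FLAGS -p tcp --tcp-flags ALL FIN,URG,PSH -m limit --limit 5/minute \
  -j LOG --log-level "$LOG_LEVEL" --log-prefix "NMAP-XMAS:"
"$IPTABLES" -A CHECK_FLAGS -p tcp --tcp-flags ALL FIN,URG,PSH -j DROP
# SYN and RST set together
"$IPTABLES" -A CHECK_FLAGS -p tcp --tcp-flags SYN,RST SYN,RST -m limit --limit 5/minute \
  -j LOG --log-level "$LOG_LEVEL" --log-prefix "SYN/RST:"
"$IPTABLES" -A CHECK_FLAGS -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
# SYN and FIN set together
"$IPTABLES" -A CHECK_FLAGS -p tcp --tcp-flags SYN,FIN SYN,FIN -m limit --limit 5/minute \
  -j LOG --log-level "$LOG_LEVEL" --log-prefix "SYN/FIN:"
"$IPTABLES" -A CHECK_FLAGS -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP

# ------------------------------------------------------------------------------
# User chain DENY_PORTS - LOG/DROP packets by port number
# ------------------------------------------------------------------------------
"$IPTABLES" -N DENY_PORTS
DENIED_PORTS_TCP="137:139 2049 6000:6063 20034 12345:12346 27374 27665 27444 31335 10498 12754"
DENIED_PORTS_UDP="2049 10498 27444 31335 31337"
deny_ports tcp "$DENIED_PORTS_TCP"
deny_ports udp "$DENIED_PORTS_UDP"

# ------------------------------------------------------------------------------
# User chain ALLOW_PORTS - ACCEPT NEW connections to the firewall by port number
# ------------------------------------------------------------------------------
"$IPTABLES" -N ALLOW_PORTS
# These ports are reachable from BOTH interfaces (see the INPUT rules below).
# Review notes, values kept as configured:
#  - 23 (telnet) is a cleartext login service exposed to the external network.
#  - 20 (ftp-data) needs no inbound NEW rule: with ip_conntrack_ftp loaded the
#    data connections are RELATED and already accepted by KEEP_STATE.
TCP_PORTS="20 21 22 23 53"
UDP_PORTS="53"
allow_ports tcp "$TCP_PORTS"
allow_ports udp "$UDP_PORTS"

# ------------------------------------------------------------------------------
# User chain ALLOW_ICMP - ACCEPT specific ICMP types
# ------------------------------------------------------------------------------
"$IPTABLES" -N ALLOW_ICMP
# Echo reply (answers to our pings)
"$IPTABLES" -A ALLOW_ICMP -p icmp --icmp-type echo-reply -j ACCEPT
# Destination unreachable
"$IPTABLES" -A ALLOW_ICMP -p icmp --icmp-type destination-unreachable -j ACCEPT
# Echo request: accept at most one per second and log (rate-limited) the rest;
# above the limit the packet returns to the caller and hits the DROP policy.
# The unconditional accept below used to precede these rules and made them
# unreachable; uncomment it to allow unlimited pings again.
#$IPTABLES -A ALLOW_ICMP -p icmp --icmp-type echo-request -j ACCEPT
"$IPTABLES" -A ALLOW_ICMP -p icmp --icmp-type echo-request -m limit --limit 1/second -j ACCEPT
"$IPTABLES" -A ALLOW_ICMP -p icmp --icmp-type echo-request -m limit --limit 5/minute \
  -j LOG --log-level "$LOG_LEVEL" --log-prefix "PING:"
# TTL exceeded (traceroute)
"$IPTABLES" -A ALLOW_ICMP -p icmp --icmp-type time-exceeded -j ACCEPT

# ------------------------------------------------------------------------------
# User chains SRC_EGRESS / DST_EGRESS - DROP reserved address ranges by
# source / destination address
# ------------------------------------------------------------------------------
# SRC_EGRESS is applied to everything arriving on the external interface: if the
# "EXT NETWORK" segment itself uses private addresses (typical in a lab), every
# packet from it is dropped here before any service rule is reached.
"$IPTABLES" -N SRC_EGRESS
"$IPTABLES" -N DST_EGRESS
for net in "$CLASS_A" "$CLASS_B" "$CLASS_C" "$CLASS_D_MULTICAST" "$CLASS_E_RESERVED_NET"; do
  "$IPTABLES" -A SRC_EGRESS -s "$net" -j DROP
  "$IPTABLES" -A DST_EGRESS -d "$net" -j DROP
done

# ------------------------------------------------------------------------------
# Mangle chains - TOS values for locally generated (MANGLE_OUTPUT) and routed
# (MANGLE_PREROUTING) packets
# ------------------------------------------------------------------------------
"$IPTABLES" -t mangle -N MANGLE_OUTPUT
set_tos_rules MANGLE_OUTPUT
"$IPTABLES" -t mangle -N MANGLE_PREROUTING
set_tos_rules MANGLE_PREROUTING

# ------------------------------------------------------------------------------
# User chain EXTERNAL_INPUT - packets arriving on the external interface
# ------------------------------------------------------------------------------
"$IPTABLES" -N EXTERNAL_INPUT
# Blocked hosts/subnets go here
#$IPTABLES -A EXTERNAL_INPUT -i $EXT_INTERFACE -s 123.123.123.0/24 -j DROP
# Check TCP packets for illegal flag combinations
"$IPTABLES" -A EXTERNAL_INPUT -i "$EXT_INTERFACE" -p tcp -j CHECK_FLAGS
# Filter by port number
"$IPTABLES" -A EXTERNAL_INPUT -i "$EXT_INTERFACE" -p ! icmp -j DENY_PORTS

# ------------------------------------------------------------------------------
# User chain INTERNAL_INPUT - packets arriving on the internal interface
# ------------------------------------------------------------------------------
"$IPTABLES" -N INTERNAL_INPUT
# DROP anything not sourced from the internal network
"$IPTABLES" -A INTERNAL_INPUT -i "$INT_INTERFACE" -s ! "$INT_NETWORK" -j DROP
# Check TCP packets for illegal flag combinations
"$IPTABLES" -A INTERNAL_INPUT -i "$INT_INTERFACE" -p tcp -j CHECK_FLAGS
# Filter by port number
"$IPTABLES" -A INTERNAL_INPUT -i "$INT_INTERFACE" -p ! icmp -j DENY_PORTS

# ------------------------------------------------------------------------------
# User chain LO_INPUT - packets arriving on the loopback interface
# ------------------------------------------------------------------------------
"$IPTABLES" -N LO_INPUT
"$IPTABLES" -A LO_INPUT -i "$LOOPBACK_INTERFACE" -j ACCEPT

# ------------------------------------------------------------------------------
# User chain EXTERNAL_OUTPUT - packets leaving on the external interface
# ------------------------------------------------------------------------------
"$IPTABLES" -N EXTERNAL_OUTPUT
# Check TCP packets for illegal flag combinations (was listed twice before)
"$IPTABLES" -A EXTERNAL_OUTPUT -o "$EXT_INTERFACE" -p tcp -j CHECK_FLAGS
# Filter by port number
"$IPTABLES" -A EXTERNAL_OUTPUT -o "$EXT_INTERFACE" -p ! icmp -j DENY_PORTS

# ------------------------------------------------------------------------------
# User chain INTERNAL_OUTPUT - packets leaving on the internal interface
# ------------------------------------------------------------------------------
"$IPTABLES" -N INTERNAL_OUTPUT
# DROP packets not destined for the internal network
"$IPTABLES" -A INTERNAL_OUTPUT -o "$INT_INTERFACE" -d ! "$INT_NETWORK" -j DROP
# Filter by port number
"$IPTABLES" -A INTERNAL_OUTPUT -o "$INT_INTERFACE" -p ! icmp -j DENY_PORTS
# Check TCP packets for illegal flag combinations
"$IPTABLES" -A INTERNAL_OUTPUT -o "$INT_INTERFACE" -p tcp -j CHECK_FLAGS

# ------------------------------------------------------------------------------
# User chain LO_OUTPUT - packets leaving on the loopback interface
# ------------------------------------------------------------------------------
"$IPTABLES" -N LO_OUTPUT
"$IPTABLES" -A LO_OUTPUT -o "$LOOPBACK_INTERFACE" -j ACCEPT
# (The two INTERNAL_INPUT rules that used to sit in this section were a
# copy-paste duplicate of the INTERNAL_INPUT chain and have been removed.)

# ------------------------------------------------------------------------------
# Mangle table hooks
# ------------------------------------------------------------------------------
"$IPTABLES" -t mangle -A OUTPUT -o "$EXT_INTERFACE" -j MANGLE_OUTPUT
"$IPTABLES" -t mangle -A PREROUTING -i "$INT_INTERFACE" -j MANGLE_PREROUTING
# LOG and DROP TCP packets with no flags set (possible NULL scan)
"$IPTABLES" -t mangle -A PREROUTING -p tcp --tcp-flags ALL NONE -m limit --limit 5/minute \
  -j LOG --log-level "$LOG_LEVEL" --log-prefix "NULL SCAN:" --log-tcp-options --log-ip-options
"$IPTABLES" -t mangle -A PREROUTING -p tcp --tcp-flags ALL NONE -j DROP

# ------------------------------------------------------------------------------
# INPUT chain
# ------------------------------------------------------------------------------
# Loopback
"$IPTABLES" -A INPUT -i "$LOOPBACK_INTERFACE" -j LO_INPUT

# Internal interface
# DROP packets not addressed to the firewall's internal address
"$IPTABLES" -A INPUT -i "$INT_INTERFACE" -d ! "$INT_ADDRESS" -j DROP
"$IPTABLES" -A INPUT -i "$INT_INTERFACE" -j INTERNAL_INPUT
"$IPTABLES" -A INPUT -i "$INT_INTERFACE" -j KEEP_STATE
# ACCEPT NEW connections from the internal network by port number
"$IPTABLES" -A INPUT -i "$INT_INTERFACE" -s "$INT_NETWORK" -d "$INT_ADDRESS" -p ! icmp -j ALLOW_PORTS
"$IPTABLES" -A INPUT -i "$INT_INTERFACE" -p icmp -j ALLOW_ICMP

# External interface
# Filter out reserved/private source and destination addresses
"$IPTABLES" -A INPUT -i "$EXT_INTERFACE" -j SRC_EGRESS
"$IPTABLES" -A INPUT -i "$EXT_INTERFACE" -j DST_EGRESS
"$IPTABLES" -A INPUT -i "$EXT_INTERFACE" -j EXTERNAL_INPUT
"$IPTABLES" -A INPUT -i "$EXT_INTERFACE" -j KEEP_STATE
# ACCEPT NEW connections from the outside by port number
"$IPTABLES" -A INPUT -i "$EXT_INTERFACE" -p ! icmp -j ALLOW_PORTS
"$IPTABLES" -A INPUT -i "$EXT_INTERFACE" -p icmp -j ALLOW_ICMP

# ------------------------------------------------------------------------------
# OUTPUT chain
# ------------------------------------------------------------------------------
# Loopback
"$IPTABLES" -A OUTPUT -o "$LOOPBACK_INTERFACE" -j LO_OUTPUT

# Internal interface
"$IPTABLES" -A OUTPUT -o "$INT_INTERFACE" -j INTERNAL_OUTPUT
# DROP anything not sourced from the firewall's internal address
"$IPTABLES" -A OUTPUT -o "$INT_INTERFACE" -s ! "$INT_ADDRESS" -j DROP
"$IPTABLES" -A OUTPUT -o "$INT_INTERFACE" -j KEEP_STATE
# ACCEPT NEW connections from the firewall to the internal network
"$IPTABLES" -A OUTPUT -o "$INT_INTERFACE" -s "$INT_ADDRESS" -d "$INT_NETWORK" -m state --state NEW -j ACCEPT

# External interface
# Filter out reserved/private source and destination addresses
"$IPTABLES" -A OUTPUT -o "$EXT_INTERFACE" -j SRC_EGRESS
"$IPTABLES" -A OUTPUT -o "$EXT_INTERFACE" -j DST_EGRESS
"$IPTABLES" -A OUTPUT -o "$EXT_INTERFACE" -j EXTERNAL_OUTPUT
"$IPTABLES" -A OUTPUT -o "$EXT_INTERFACE" -j KEEP_STATE
# ACCEPT NEW connections from the firewall to the outside
"$IPTABLES" -A OUTPUT -o "$EXT_INTERFACE" -m state --state NEW -j ACCEPT

# ------------------------------------------------------------------------------
# FORWARD chain
# ------------------------------------------------------------------------------
# Per-interface sanity chains
"$IPTABLES" -A FORWARD -i "$EXT_INTERFACE" -j EXTERNAL_INPUT
"$IPTABLES" -A FORWARD -i "$INT_INTERFACE" -j INTERNAL_INPUT
"$IPTABLES" -A FORWARD -o "$EXT_INTERFACE" -j EXTERNAL_OUTPUT
"$IPTABLES" -A FORWARD -o "$INT_INTERFACE" -j INTERNAL_OUTPUT
# DROP NEW connections from the external interface into the internal network
"$IPTABLES" -A FORWARD -i "$EXT_INTERFACE" -d "$INT_NETWORK" -m state --state NEW -j DROP
# DROP NEW connections leaving towards the internal network on any interface
"$IPTABLES" -A FORWARD -o "$INT_INTERFACE" -d "$INT_NETWORK" -m state --state NEW -j DROP
# DROP echo requests forwarded into the internal network
"$IPTABLES" -A FORWARD -o "$INT_INTERFACE" -p icmp --icmp-type echo-request -j DROP
# DROP packets from the outside not headed to the internal network
"$IPTABLES" -A FORWARD -i "$EXT_INTERFACE" -d ! "$INT_NETWORK" -j DROP
# Filter out reserved/private source addresses
"$IPTABLES" -A FORWARD -i "$EXT_INTERFACE" -j SRC_EGRESS
"$IPTABLES" -A FORWARD -o "$EXT_INTERFACE" -s ! "$INT_NETWORK" -j SRC_EGRESS
# Filter out reserved/private destination addresses
"$IPTABLES" -A FORWARD -o "$EXT_INTERFACE" -j DST_EGRESS
"$IPTABLES" -A FORWARD -i "$INT_INTERFACE" -j DST_EGRESS
"$IPTABLES" -A FORWARD -o "$INT_INTERFACE" -j SRC_EGRESS
# Generic state-based rules
"$IPTABLES" -A FORWARD -j KEEP_STATE
# ACCEPT NEW connections from the internal network to the outside
"$IPTABLES" -A FORWARD -o "$EXT_INTERFACE" -m state --state NEW -j ACCEPT
# General ICMP rules
"$IPTABLES" -A FORWARD -p icmp -j ALLOW_ICMP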