Any examples ?
Brad Chapman
kakadu@earthlink.net
Mon, 16 Jul 2001 10:12:37 -0400
Mr. Hastings,
Here you are. I called my functional script `firewall-stable'. When you
load it, though, it will fail when setting policies for the mangle table,
since three of the chains it references don't exist. To fix that, I'm
attaching, along with the firewall script, a patch called mangle5hooks
that will allow you to add the missing chains.

Also, parts of the script are commented out, like the TCPMSS rule, since
I don't need them (yet).
Good luck on your learning experience.
Brad
Gareth Hastings wrote:
>
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Yes please. FAQs & HOWTOs are OK, but I seem to learn more from real
> life examples.
>
> Thanks
>
> - -----Original Message-----
> From: netfilter-admin@lists.samba.org
> [mailto:netfilter-admin@lists.samba.org]On Behalf Of Brad Chapman
> Sent: 16 July 2001 10:04
> To: Gareth Hastings
> Cc: netfilter@lists.samba.org
> Subject: Re: Any examples ?
>
>
> Mr. Hastings,
>
> Would you like to see my firewall script? It's a good script
> written in the Red Hat chkconfig/init.d style, but it's very complex
> and difficult to read. I'm currently in the process of fixing and
> upgrading it, but my current upgraded copy has bugs. Would you still
> like to have a look?
>
> Brad
>
> Gareth Hastings wrote:
>
>> -----BEGIN PGP SIGNED MESSAGE-----
>> Hash: SHA1
>>
>> I've finally got round to upgrading my kernel to 2.4.6 with
>> iptables 1.2.2. I was wondering, are there any good examples of stock
>> firewall configs I could look at/butcher?
>>
>> All my Linux box does is a bit of masquerading and firewalling. I
>> only allow 1 external IP address to connect via SSH and that's
>> about it, so if anyone has any scripts I could look at I'd be
>> grateful.
>> Thanks
>> Gareth
>>
[Attachment: mangle5hooks.tgz (binary attachment, contents not included)]

[Attachment: firewall-stable]
#!/bin/sh
#
# This script contains the complete netfilter firewall
# for this network. This firewall is designed to be run
# 24 hours a day for full protection.
#
# chkconfig: 2345 11 92
# description: Contains the complete netfilter \
# firewall for this network.
export PATH=$PATH:/usr/local/bin:/usr/local/sbin
# Bail out if iptables is not installed. (The original test,
# `[ ! -f `which iptables` ]`, silently passes when `which` prints
# nothing, because `[ ! -f ]` then tests the literal string "-f".)
command -v iptables > /dev/null 2>&1 || exit 1
TABLE=
CHAIN=
RETVAL=
# Bare RST segments: examine SYN and RST, require only RST to be set
SCAN_FLAGS="SYN,RST RST"
# Connection-tracking state sets used throughout
STATE=ESTABLISHED,RELATED
STATE2=NEW,ESTABLISHED
STATE3=NEW,ESTABLISHED,RELATED
# Now, see how we were called
case "$1" in
start)
echo -n "Loading netfilter firewall: "
# The rules below are appended without flushing first; reloading an
# already loaded firewall should go through "restart", which flushes.
# Load any required modules
echo -n "modules "
modprobe ip_conntrack
modprobe ip_conntrack_ftp
modprobe iptable_filter
modprobe iptable_mangle
modprobe iptable_nat
modprobe ip_nat_ftp
modprobe ipt_limit
modprobe ipt_state
modprobe ipt_FTOS
modprobe ipt_LOG
modprobe ipt_MASQUERADE
# modprobe ipt_TCPMSS
# ----------------------------------------------------------------------------------------------------------------------- #
# filter table
TABLE=filter
echo -n "$TABLE "
CHAIN=INPUT
iptables -t $TABLE -P $CHAIN ACCEPT
# Anything that did not arrive over ppp0 falls through to the ACCEPT policy
iptables -t $TABLE -A $CHAIN ! -i ppp0 -j RETURN #1
# Replies to connections this host opened. Every rule here is tied to
# conntrack state: matching on the remote source port alone (as the
# original smtp/domain/pop3/ssmtp rules did) would let any host in simply
# by sending from port 25, 53, 110 or 465, since the remote end chooses
# its own source port.
iptables -t $TABLE -A $CHAIN -p tcp --source-port ssh -i ppp0 -m state --state $STATE -j ACCEPT #2
iptables -t $TABLE -A $CHAIN -p udp --source-port ssh -i ppp0 -m state --state $STATE -j ACCEPT
iptables -t $TABLE -A $CHAIN -p tcp --source-port smtp -i ppp0 -m state --state $STATE -j ACCEPT
iptables -t $TABLE -A $CHAIN -p tcp --source-port domain -i ppp0 -m state --state $STATE -j ACCEPT
iptables -t $TABLE -A $CHAIN -p udp --source-port domain -i ppp0 -m state --state $STATE -j ACCEPT
iptables -t $TABLE -A $CHAIN -p tcp --source-port pop3 -i ppp0 -m state --state $STATE -j ACCEPT #7
iptables -t $TABLE -A $CHAIN -p udp --source-port pop3 -i ppp0 -m state --state $STATE -j ACCEPT #8
iptables -t $TABLE -A $CHAIN -p tcp --source-port ssmtp -i ppp0 -m state --state $STATE -j ACCEPT #9
# Log (rate-limited) and drop ICMP redirects from the link; accept other ICMP
iptables -t $TABLE -A $CHAIN -p icmp --icmp-type redirect -i ppp0 -m limit --limit 2/s -j LOG #10
iptables -t $TABLE -A $CHAIN -p icmp --icmp-type redirect -i ppp0 -j DROP
iptables -t $TABLE -A $CHAIN -p icmp ! --icmp-type redirect -i ppp0 -j ACCEPT #12
# Let a trickle of bare RST segments through; the rest fall to the DROP below
iptables -t $TABLE -A $CHAIN -p tcp --tcp-flags $SCAN_FLAGS -i ppp0 -m limit --limit 1/s -j ACCEPT #13
# Everything else arriving over the link is dropped
iptables -t $TABLE -A $CHAIN -i ppp0 -j DROP #14
CHAIN=FORWARD
# Forwarding is left open in the filter table. Outbound, the LAN is
# constrained by the nat POSTROUTING chain below, which drops anything
# leaving ppp0 that it does not masquerade. Inbound forwarding is open
# too, which is only safe while the LAN uses private addresses that
# cannot be reached from ppp0.
iptables -t $TABLE -P $CHAIN ACCEPT
# iptables -t $TABLE -A $CHAIN -p tcp --tcp-flags $SCAN2FLAGS -j TCPMSS --clamp-mss-to-pmtu
CHAIN=OUTPUT
iptables -t $TABLE -P $CHAIN ACCEPT
# ----------------------------------------------------------------------------------------------------------------------- #
# nat table
TABLE=nat
echo -n "$TABLE "
CHAIN=PREROUTING
iptables -t $TABLE -P $CHAIN ACCEPT
CHAIN=OUTPUT
iptables -t $TABLE -P $CHAIN ACCEPT
CHAIN=POSTROUTING
iptables -t $TABLE -P $CHAIN ACCEPT
# Only traffic leaving over ppp0 is of interest here. The nat table sees
# the first packet of each connection only; destinations not listed below
# are dropped at the end of this chain (#25), so it doubles as an egress
# allow-list for both the masqueraded LAN hosts and the firewall itself.
iptables -t $TABLE -A $CHAIN ! -o ppp0 -j RETURN #1
iptables -t $TABLE -A $CHAIN -p tcp --dport ftp-data -o ppp0 -m state --state $STATE3 -j MASQUERADE #2
iptables -t $TABLE -A $CHAIN -p tcp --dport ftp -o ppp0 -m state --state $STATE2 -j MASQUERADE
iptables -t $TABLE -A $CHAIN -p tcp --dport ssh -o ppp0 -m state --state $STATE3 -j MASQUERADE
iptables -t $TABLE -A $CHAIN -p udp --dport ssh -o ppp0 -m state --state $STATE3 -j MASQUERADE
iptables -t $TABLE -A $CHAIN -p tcp --dport smtp -o ppp0 -j MASQUERADE
iptables -t $TABLE -A $CHAIN -p tcp --dport domain -o ppp0 -j MASQUERADE
iptables -t $TABLE -A $CHAIN -p udp --dport domain -o ppp0 -j MASQUERADE
iptables -t $TABLE -A $CHAIN -p tcp --dport http -o ppp0 -m state --state $STATE2 -j MASQUERADE #9
iptables -t $TABLE -A $CHAIN -p tcp --dport pop3 -o ppp0 -j MASQUERADE #10
iptables -t $TABLE -A $CHAIN -p udp --dport pop3 -o ppp0 -j MASQUERADE
iptables -t $TABLE -A $CHAIN -p tcp --dport auth -o ppp0 -j MASQUERADE
iptables -t $TABLE -A $CHAIN -p tcp --dport nntp -o ppp0 -j MASQUERADE
iptables -t $TABLE -A $CHAIN -p tcp --dport ntp -o ppp0 -j MASQUERADE #14
iptables -t $TABLE -A $CHAIN -p tcp --dport https -o ppp0 -j MASQUERADE #15
iptables -t $TABLE -A $CHAIN -p udp --dport https -o ppp0 -j MASQUERADE
iptables -t $TABLE -A $CHAIN -p tcp --dport ssmtp -o ppp0 -j MASQUERADE #17
iptables -t $TABLE -A $CHAIN -p tcp --dport cvspserver -o ppp0 -j MASQUERADE #18
iptables -t $TABLE -A $CHAIN -p udp --dport cvspserver -o ppp0 -j MASQUERADE #19
iptables -t $TABLE -A $CHAIN -p tcp --dport deathmatch -o ppp0 -j MASQUERADE #20
iptables -t $TABLE -A $CHAIN -p tcp --dport ctf -o ppp0 -j MASQUERADE #21
iptables -t $TABLE -A $CHAIN -p icmp --icmp-type redirect -o ppp0 -m limit --limit 2/s -j LOG #22
iptables -t $TABLE -A $CHAIN -p icmp --icmp-type redirect -o ppp0 -j DROP
iptables -t $TABLE -A $CHAIN -p icmp ! --icmp-type redirect -o ppp0 -j MASQUERADE #24
# Anything else bound for the link is dropped (see the note at #1)
iptables -t $TABLE -A $CHAIN -o ppp0 -j DROP #25
# ----------------------------------------------------------------------------------------------------------------------- #
# mangle table
# On a stock 2.4.6 kernel the mangle table has only the PREROUTING and
# OUTPUT chains; the INPUT, FORWARD and POSTROUTING policies below need
# the attached mangle5hooks patch (kernels from 2.4.18 on have all five).
TABLE=mangle
echo -n "$TABLE "
CHAIN=PREROUTING
iptables -t $TABLE -P $CHAIN ACCEPT
CHAIN=INPUT
iptables -t $TABLE -P $CHAIN ACCEPT
CHAIN=FORWARD
iptables -t $TABLE -P $CHAIN ACCEPT
CHAIN=OUTPUT
iptables -t $TABLE -P $CHAIN ACCEPT
# FTOS is a patch-o-matic target (module ipt_FTOS, loaded above) that
# writes the whole TOS byte. The values 4, 8 and 16 are the RFC 1349
# bits Maximize-Reliability, Maximize-Throughput and Minimize-Delay.
iptables -t $TABLE -A $CHAIN -p tcp --dport ssh -o ppp0 -m state --state $STATE3 -j FTOS --set-ftos 4 #1
iptables -t $TABLE -A $CHAIN -p udp --dport ssh -o ppp0 -m state --state $STATE3 -j FTOS --set-ftos 4
iptables -t $TABLE -A $CHAIN -p tcp --dport smtp -o ppp0 -j FTOS --set-ftos 4
iptables -t $TABLE -A $CHAIN -p tcp --dport domain -o ppp0 -j FTOS --set-ftos 16
iptables -t $TABLE -A $CHAIN -p udp --dport domain -o ppp0 -j FTOS --set-ftos 16 #5
iptables -t $TABLE -A $CHAIN -p tcp --dport pop3 -o ppp0 -j FTOS --set-ftos 4 #6
iptables -t $TABLE -A $CHAIN -p udp --dport pop3 -o ppp0 -j FTOS --set-ftos 4 #7
CHAIN=POSTROUTING
iptables -t $TABLE -P $CHAIN ACCEPT
# iptables -t $TABLE -A $CHAIN -p ip -o ! ppp0 -j RETURN #1
iptables -t $TABLE -A $CHAIN -p tcp --dport ftp-data -o ppp0 -m state --state $STATE3 -j FTOS --set-ftos 8 #2
iptables -t $TABLE -A $CHAIN -p tcp --dport ftp -o ppp0 -m state --state $STATE2 -j FTOS --set-ftos 8
iptables -t $TABLE -A $CHAIN -p tcp --dport ssh -o ppp0 -m state --state $STATE3 -j FTOS --set-ftos 4
iptables -t $TABLE -A $CHAIN -p udp --dport ssh -o ppp0 -m state --state $STATE3 -j FTOS --set-ftos 4
iptables -t $TABLE -A $CHAIN -p tcp --dport smtp -o ppp0 -j FTOS --set-ftos 4
iptables -t $TABLE -A $CHAIN -p tcp --dport domain -o ppp0 -j FTOS --set-ftos 16
iptables -t $TABLE -A $CHAIN -p udp --dport domain -o ppp0 -j FTOS --set-ftos 16
iptables -t $TABLE -A $CHAIN -p tcp --dport http -o ppp0 -m state --state $STATE2 -j FTOS --set-ftos 4 #9
iptables -t $TABLE -A $CHAIN -p tcp --dport pop3 -o ppp0 -j FTOS --set-ftos 4 #10
iptables -t $TABLE -A $CHAIN -p udp --dport pop3 -o ppp0 -j FTOS --set-ftos 4
iptables -t $TABLE -A $CHAIN -p tcp --dport nntp -o ppp0 -j FTOS --set-ftos 4 #12
# iptables -t $TABLE -A $CHAIN -p ip -o ppp0 -j DROP #13
# ----------------------------------------------------------------------------------------------------------------------- #
echo ": done."
touch /var/lock/subsys/firewall
RETVAL=0
;;
stop)
echo -n "Unloading netfilter firewall: "
# ----------------------------------------------------------------------------------------------------------------------- #
# filter table
TABLE=filter
echo -n "$TABLE "
CHAIN=INPUT
iptables -t $TABLE -F $CHAIN
CHAIN=FORWARD
iptables -t $TABLE -F $CHAIN
CHAIN=OUTPUT
iptables -t $TABLE -F $CHAIN
iptables -t $TABLE -Z
# ----------------------------------------------------------------------------------------------------------------------- #
# nat table
TABLE=nat
echo -n "$TABLE "
CHAIN=PREROUTING
iptables -t $TABLE -F $CHAIN
CHAIN=OUTPUT
iptables -t $TABLE -F $CHAIN
CHAIN=POSTROUTING
iptables -t $TABLE -F $CHAIN
iptables -t $TABLE -Z
# ----------------------------------------------------------------------------------------------------------------------- #
# mangle table
TABLE=mangle
echo -n "$TABLE "
CHAIN=PREROUTING
iptables -t $TABLE -F $CHAIN
CHAIN=INPUT
iptables -t $TABLE -F $CHAIN
CHAIN=FORWARD
iptables -t $TABLE -F $CHAIN
CHAIN=OUTPUT
iptables -t $TABLE -F $CHAIN
CHAIN=POSTROUTING
iptables -t $TABLE -F $CHAIN
iptables -t $TABLE -Z
# ----------------------------------------------------------------------------------------------------------------------- #
# Unload any modules we loaded
echo -n "modules "
# modprobe -r ipt_TCPMSS 2> /dev/null
modprobe -r ipt_MASQUERADE 2> /dev/null
modprobe -r ipt_LOG 2> /dev/null
modprobe -r ipt_FTOS 2> /dev/null
modprobe -r ipt_state 2> /dev/null
modprobe -r ipt_limit 2> /dev/null
modprobe -r iptable_nat 2> /dev/null
modprobe -r iptable_mangle 2> /dev/null
modprobe -r iptable_filter 2> /dev/null
modprobe -r ip_nat_ftp 2> /dev/null
modprobe -r ip_conntrack_ftp 2> /dev/null
modprobe -r ip_conntrack 2> /dev/null
# ----------------------------------------------------------------------------------------------------------------------- #
echo ": done."
rm -f /var/lock/subsys/firewall
RETVAL=0
;;
restart)
$0 stop
$0 start
touch /var/lock/subsys/firewall
RETVAL=0
;;
list)
# Only tables the kernel has registered can be listed; -n avoids
# reverse DNS lookups while printing
[ -n "$2" ] && grep -qx -- "$2" /proc/net/ip_tables_names 2> /dev/null || exit 1
iptables -t "$2" -L -n -v
[ -f /var/lock/subsys/firewall ] && touch /var/lock/subsys/firewall
RETVAL=0
;;
listc)
[ -n "$2" ] && grep -qx -- "$2" /proc/net/ip_tables_names 2> /dev/null || exit 1
[ -n "$3" ] || exit 1
iptables -t "$2" -L "$3" -n -v
[ -f /var/lock/subsys/firewall ] && touch /var/lock/subsys/firewall
RETVAL=0
;;
*)
echo "Usage: $0 {start|stop|restart|list table|listc table chain}"
RETVAL=0
;;
esac
exit $RETVAL
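The setup Gareth describes (masquerading plus SSH from a single outside address), written as an added example rather than taken from the mail or from firewall-stable. It also carries a small lint for the pattern firewall-stable's INPUT chain uses for smtp, domain, pop3 and ssmtp: accepting inbound traffic on the link because of the remote source port, with no conntrack state match. The interface names (ppp0, eth0), the LAN prefix and the admin address 203.0.113.10 are assumptions; by default the script only prints the iptables commands (IPT is "echo iptables"), so it runs without root.

```shell
#!/bin/sh
# Added example, not part of the mail or of firewall-stable. Builds a small
# stateful ruleset (masquerade a LAN, admit SSH from one external address,
# drop the rest) and lints iptables rules for ACCEPTs keyed on source port.
#
# Interface names, LAN prefix and admin address are assumptions. With the
# default IPT the script prints the commands; run as root with IPT=iptables
# to apply them.
IPT="${IPT:-echo iptables}"
WAN="${WAN:-ppp0}"                      # link to the Internet (assumption)
LAN="${LAN:-eth0}"                      # internal interface (assumption)
LAN_NET="${LAN_NET:-192.168.1.0/24}"
SSH_ADMIN="${SSH_ADMIN:-203.0.113.10}"  # the one host allowed to SSH in (TEST-NET-3 placeholder)

# Emit the complete ruleset. Replies are recognised by connection tracking,
# never by the port the remote side happens to send from.
build_ruleset() {
    $IPT -t filter -F
    $IPT -t nat -F
    $IPT -P INPUT DROP
    $IPT -P FORWARD DROP
    $IPT -P OUTPUT ACCEPT

    $IPT -A INPUT -i lo -j ACCEPT
    $IPT -A INPUT -i "$LAN" -j ACCEPT
    $IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    # the single inbound service: SSH, and only from the admin address
    $IPT -A INPUT -i "$WAN" -s "$SSH_ADMIN" -p tcp --dport 22 -m state --state NEW -j ACCEPT
    $IPT -A INPUT -i "$WAN" -p icmp --icmp-type echo-request -m limit --limit 2/s -j ACCEPT
    $IPT -A INPUT -i "$WAN" -m limit --limit 2/s -j LOG --log-prefix "fw-in-drop: "

    # LAN hosts may open connections outward; only their replies come back in
    $IPT -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A FORWARD -i "$LAN" -o "$WAN" -s "$LAN_NET" -m state --state NEW -j ACCEPT
    $IPT -t nat -A POSTROUTING -o "$WAN" -s "$LAN_NET" -j MASQUERADE
}

# Read iptables rules on stdin (one per line: build_ruleset output or
# iptables-save output) and print those that ACCEPT on the WAN interface by
# source port alone. Such a rule is a bypass: the remote end picks its own
# source port, so "came from port 25" proves nothing about the packet.
lint_source_port_accepts() {
    grep -E -- '(^| )-A INPUT ' |
    grep -E -- " -i $WAN( |$)" |
    grep -E -- ' --(sport|source-port) ' |
    grep -E -- ' -j ACCEPT( |$)' |
    grep -v -E -- ' --(ct)?state [A-Z,]*(ESTABLISHED|RELATED)' || true
    # the final grep -v exits 1 when nothing is left to print; that is the good case
}

case "${1:-show}" in
    show) build_ruleset ;;               # print (or, with IPT=iptables, load) the rules
    lint) lint_source_port_accepts ;;    # e.g.  iptables-save | sh fw.sh lint
esac
```

Run with no arguments to print the rules, as root with IPT=iptables to load them, and `iptables-save | sh fw.sh lint` to check a live ruleset. `-m state` is kept for consistency with the 2001-era script; on current kernels `-m conntrack --ctstate` is the preferred spelling, and the lint recognises both.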