[Firewall] forwarding doesn't work

Greg Talbot gtalbot at centerone.com
Tue Oct 3 12:45:16 MDT 2006


I am having the same problem.  I have even tried a custom script, on 2
different versions of your script, and I can't get forwarding to work.

I inserted,
/sbin/iptables -t nat -A PREROUTING -p tcp -i eth1 -d 165.236.149.5 \
                 --dport 88 -j DNAT --to 10.10.0.66:80
/sbin/iptables -A FORWARD -p tcp -i eth0 -d 10.10.0.66 --dport 80 -j ACCEPT

and when I look at the tables,

iptables -L -t nat
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination
           tcp  --  anywhere             165.236.149.5

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination
TCPMSS     tcp  --  anywhere             anywhere            tcp
flags:SYN,RST/SYN TCPMSS clamp to PMTU
MASQUERADE  all  --  10.10.0.0/24        !10.10.0.0/24

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Hope someone can help with this.
--gt
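The mechanics behind the two rules above, as an added example that is not part of this message, the thread, or Arno's firewall script: a DNAT forward is a PREROUTING rule plus a FORWARD rule, and after translation the packet reaches FORWARD with its original ingress interface but the new (internal) destination, so the FORWARD rule has to match that combination. The script below takes a forward in the `{SRCIP:}PORT{,PORT}>DESTIP{:port}` form of the config's `NAT_TCP_FORWARD` variable and prints the rule pair as a dry run instead of loading it, then offers two checks a practitioner would run before blaming the firewall: that both rules name the same `-i` interface, and that `ip_forward` is on. `EXT_IF=eth1`, the public address, the `-m state --state NEW` match (assuming the base ruleset already accepts ESTABLISHED,RELATED replies) and all function names are this example's assumptions, not the project's.

```shell
#!/bin/sh
# Added example (not from this thread, not part of Arno's firewall script).
# Builds the two iptables rules a DNAT port forward needs from a spec in the
# "{SRCIP:}PORT{,PORT}>DESTIP{:port}" form of NAT_TCP_FORWARD, and prints them
# instead of running them, so the result can be reviewed before it goes live.
# EXT_IF and PUBLIC_IP are assumptions taken from the values in this thread.

EXT_IF="${EXT_IF:-eth1}"                   # external interface (assumed)
PUBLIC_IP="${PUBLIC_IP:-165.236.149.5}"    # public address the forward listens on

# nat_forward_rules PROTO SPEC
# For every port in SPEC, print a PREROUTING DNAT rule and the matching FORWARD
# ACCEPT rule. After DNAT the packet still carries its original ingress
# interface but the translated destination, so the FORWARD rule must match on
# "-i $EXT_IF" together with the internal address and port.
nat_forward_rules() {
    proto=$1
    spec=$2
    lhs=${spec%%>*}                       # source restriction and port list
    rhs=${spec#*>}                        # internal host and optional port
    case $lhs in
        *.*:*) src=${lhs%%:*}; ports=${lhs#*:} ;;   # "1.2.3.4:81": source restricted
        *)     src=""; ports=$lhs ;;                # "80" or "1024:1030" (range)
    esac
    case $rhs in
        *:*) dst=${rhs%%:*}; dport=${rhs#*:} ;;     # "10.10.0.66:80": port remapped
        *)   dst=$rhs; dport="" ;;                  # port kept as-is
    esac
    srcmatch=""
    [ -n "$src" ] && srcmatch=" -s $src"

    old_ifs=$IFS; IFS=,; set -- $ports; IFS=$old_ifs   # split the comma list
    for port in "$@"; do
        if [ -n "$dport" ]; then
            to="$dst:$dport"; fwd_port=$dport
        else
            to=$dst; fwd_port=$port       # DNAT without a port keeps the original one
        fi
        echo "iptables -t nat -A PREROUTING -i $EXT_IF -p $proto$srcmatch -d $PUBLIC_IP --dport $port -j DNAT --to-destination $to"
        # Assumes the base firewall already accepts ESTABLISHED,RELATED replies.
        echo "iptables -A FORWARD -i $EXT_IF -p $proto$srcmatch -d $dst --dport $fwd_port -m state --state NEW -j ACCEPT"
    done
}

# rule_iface RULE: print the interface named after -i in an iptables command line.
rule_iface() {
    set -- $1
    while [ $# -gt 1 ]; do
        if [ "$1" = "-i" ]; then echo "$2"; return 0; fi
        shift
    done
    return 1
}

# same_ingress_if RULE1 RULE2: succeed only if both rules match the same -i interface.
# A PREROUTING/FORWARD pair that disagrees here never accepts the forwarded packet.
same_ingress_if() {
    [ "$(rule_iface "$1")" = "$(rule_iface "$2")" ]
}

# forwarding_enabled [FILE]: succeed if net.ipv4.ip_forward reads 1
# (FILE overrides the sysctl path so the check can be exercised offline).
forwarding_enabled() {
    [ "$(cat "${1:-/proc/sys/net/ipv4/ip_forward}" 2>/dev/null)" = "1" ]
}

# Dry run for the forward discussed in the thread: public port 88 to 10.10.0.66:80.
nat_forward_rules tcp "88>10.10.0.66:80"
```

Run it as-is to see the rule pair; feed the printed lines to `same_ingress_if` (or any two rules copied from `iptables-save`) to confirm the pair agrees on the ingress interface, and call `forwarding_enabled` with no argument on the gateway itself. Nothing here touches the live ruleset.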





> As far as I can tell the config is correct. And the firewall seems to be
> working either. How did you test whether the portforwarding was working
> (or not)?
>
> a.
>
> Lányi Róbert wrote:
>> Hi,
>>
>> thanks for your reply. I send the output of the start script,
>> /etc/arno-iptables-firewall.debconf and
>> /etc/default/arno-iptables-firewall.
>>
>> I have forgotten (although in my case I think it's obvious) that
>> /etc/arno-firewall-custom-rules is empty.
>>
>> Rob.
>>
>> Arno van Amersfoort wrote:
>>
>>> Could you please post your complete config file + the output of
>>> "arno-iptables-firewall start" ?
>>>
>>> a.
>>>
>>>
>>>
>>> ------------------------------------------------------------------------
>>>
>>> ###############################################################################
>>> # You should put this config-file in /etc/                                    #
>>> ###############################################################################
>>>
>>> # --------------------------- Configuration file ------------------------------
>>> #                       -= Arno's iptables firewall =-
>>> #         Single- & multi-homed firewall script with DSL/ADSL support
>>> #
>>> # (C) Copyright 2001-2006 by Arno van Amersfoort
>>> # Homepage  : http://rocky.eld.leidenuniv.nl/
>>> # Freshmeat : http://freshmeat.net/projects/iptables-firewall/?topic_id=151
>>> # Email     : arnova AT rocky DOT eld DOT leidenuniv DOT nl
>>> #             (note: you must remove all spaces and substitute the @ and the .
>>> #              at the proper locations!)
>>> # -----------------------------------------------------------------------------
>>> # This program is free software; you can redistribute it and/or modify it under
>>> # the terms of the GNU General Public License as published by the Free Software
>>> # Foundation; either version 2 of the License, or (at your option) any later
>>> # version.
>>>
>>> # This program is distributed in the hope that it will be useful, but WITHOUT
>>> # ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
>>> # FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for
>>> # more details.
>>>
>>> # You should have received a copy of the GNU General Public License along with
>>> # this program; if not, write to the Free Software Foundation Inc., 59 Temple
>>> # Place - Suite 330, Boston, MA 02111-1307, USA.
>>> # -----------------------------------------------------------------------------
>>>
>>>
>>> # Location of the iptables-binary (use 'locate iptables' or 'whereis iptables'
>>> # to manually locate it).
>>> # -----------------------------------------------------------------------------
>>> IPTABLES="/sbin/iptables"
>>>
>>> ###############################################################################
>>> # External (internet) interface settings                                      #
>>> ###############################################################################
>>>
>>> # The external interface(s) that will be protected (and used as
>>> internet
>>> # connection). This is probably ppp+ for non-transparent(!) (A)DSL
>>> modems
>>> # otherwise it should be "ethX" (eg. eth0). Multiple interfaces should
>>> be space
>>> # separated.
>>> #
>>> -----------------------------------------------------------------------------
>>> # THIS SETTING IS HANDLED BY DEBCONF! DO NOT CHANGE ANYTHING HERE
>>> UNLESS YOU
>>> # KNOW WHAT YOU ARE DOING.
>>> # Use 'dpkg-reconfigure arno-iptables-firewall' instead.
>>> EXT_IF="$DC_EXT_IF"
>>>
>>> # Enable if THIS machine (dynamically) obtains its IP through DHCP (from your
>>> # ISP).
>>> # -----------------------------------------------------------------------------
>>> # THIS SETTING IS HANDLED BY DEBCONF! DO NOT CHANGE ANYTHING HERE UNLESS YOU
>>> # KNOW WHAT YOU ARE DOING.
>>> # Use 'dpkg-reconfigure arno-iptables-firewall' instead.
>>> EXT_IF_DHCP_IP=$DC_EXT_IF_DHCP_IP
>>>
>>> # (EXPERT SETTING!) Here you can specify your external(!) subnet(s). You should
>>> # only use this if you for example have a corporate network and/or running a
>>> # DHCP server on your external(!) interface. Home users should normally NOT
>>> # touch this setting. Multiple subnets should be space separated.
>>> # Don't forget to specify a proper subnet mask (eg. /24, /16 or /8)!
>>> # -----------------------------------------------------------------------------
>>> EXTERNAL_NET=""
>>>
>>> # (EXPERT SETTING!) Here you can specify the IP address used for
>>> broadcasts
>>> # on your external subnet. You only need to set this option if you want
>>> to use
>>> # the BROADCAST_XXX_NOLOG variables AND you use a non-standard
>>> broadcast
>>> # address (not *.255.255.255, *.*.255.255 or *.*.*.255)! So normally
>>> leaving
>>> # this empty should work fine. Multiple addresses (if you have more
>>> than one
>>> # external interface) should be space separated.
>>> #
>>> -----------------------------------------------------------------------------
>>> EXT_NET_BCAST_ADDRESS=""
>>>
>>> # Enable this if THIS MACHINE is running a DHCP(BOOTP) server for a
>>> subnet on
>>> # the external(!) interface. Note that you don't need this for internal
>>> # subnets, as for these nets everything is accepted by default. Don't
>>> forget to
>>> # configure the EXTERNAL_NET variable, to make this work.
>>> #
>>> -----------------------------------------------------------------------------
>>> EXTERNAL_DHCP_SERVER=0
>>>
>>>
>>> ###############################################################################
>>> # Internal (LAN) interface settings                                           #
>>> ###############################################################################
>>>
>>> # Internal network interface or interfaces (multiple(!) interfaces
>>> should be
>>> # space separated). Remark this if you don't have any internal network
>>> # interfaces. Note that ALL traffic is accepted from these interfaces.
>>> #
>>> -----------------------------------------------------------------------------
>>> # THIS SETTING IS HANDLED BY DEBCONF! DO NOT CHANGE ANYTHING HERE
>>> UNLESS YOU
>>> # KNOW WHAT YOU ARE DOING.
>>> # Use 'dpkg-reconfigure arno-iptables-firewall' instead.
>>> INT_IF="$DC_INT_IF"
>>>
>>> # Specify here the internal subnet which is connected to the internal
>>> interface
>>> # (INT_IF). For multiple interfaces(!) you can either specify multiple
>>> subnets
>>> # here or specify one big subnet for all internal interfaces.
>>> #
>>> -----------------------------------------------------------------------------
>>> # THIS SETTING IS HANDLED BY DEBCONF! DO NOT CHANGE ANYTHING HERE
>>> UNLESS YOU
>>> # KNOW WHAT YOU ARE DOING.
>>> # Use 'dpkg-reconfigure arno-iptables-firewall' instead.
>>> INTERNAL_NET="$DC_INTERNAL_NET"
>>>
>>> # (EXPERT SETTING!) Here you can specify the IP address used for
>>> broadcasts
>>> # on your internal subnet. You only need to set this option if you want
>>> to use
>>> # the MAC filter AND you use a non-standard broadcast address
>>> # (not *.255.255.255, *.*.255.255 or *.*.*.255)! So normally leaving
>>> # this empty should work fine. Multiple addresses (if you have more
>>> than one
>>> # external interface) should be space separated.
>>> #
>>> -----------------------------------------------------------------------------
>>> INT_NET_BCAST_ADDRESS=""
>>>
>>> # Uncomment & specify here the location of the file that contains the
>>> MAC
>>> # addresses of INTERNAL hosts that are allowed. The MAC addresses
>>> should be
>>> # written like 00:11:22:33:44:55
>>> # Note that the last line of this
>>> # file should always contain a carriage-return (enter)!
>>> #
>>> -----------------------------------------------------------------------------
>>> #MAC_ADDRESS_FILE=/etc/arno-firewall-mac-addresses
>>>
>>>
>>> ###############################################################################
>>> # DMZ (aka DeMilitarized Zone) settings                                       #
>>> ###############################################################################
>>>
>>> # Put in the following variable the network interfaces that are
>>> DMZ-classified.
>>> # You can also use this interface if you want to shield your Wireless
>>> network
>>> # from your LAN.
>>> #
>>> -----------------------------------------------------------------------------
>>> DMZ_IF=""
>>>
>>> # Specify here the subnet which is connected to the DMZ interface
>>> (DMZ_IF).
>>> # For multiple interfaces(!) you can either specify multiple subnets
>>> here or
>>> # specify one big subnet for all DMZ interfaces.
>>> #
>>> -----------------------------------------------------------------------------
>>> DMZ_NET=""
>>>
>>>
>>> ###############################################################################
>>> # NAT (Masquerade, SNAT, DNAT) settings                                       #
>>> ###############################################################################
>>>
>>> # Enable this if you want to perform NAT (masquerading) for your
>>> internal
>>> # network (LAN) (eg. share your internet connection with your internal
>>> # net(s) connected to eg. INT_IF).
>>> #
>>> -----------------------------------------------------------------------------
>>> # THIS SETTING IS HANDLED BY DEBCONF! DO NOT CHANGE ANYTHING HERE
>>> UNLESS YOU
>>> # KNOW WHAT YOU ARE DOING.
>>> # Use 'dpkg-reconfigure arno-iptables-firewall' instead.
>>> NAT=$DC_NAT
>>>
>>> # (EXPERT SETTING!). By default only the first external interface
>>> (EXT_IF)
>>> # is used for masquerading (NAT). By enabling this option ALL external
>>> # interfaces *can* be used (load balancing / multi-route). Note that
>>> you should
>>> # properly configure your route-table to make this work. Check the
>>> INSTALL file
>>> # for more info.
>>> #
>>> -----------------------------------------------------------------------------
>>> MASQ_MULTI_ROUTE=0
>>>
>>> # (EXPERT SETTING!). In case you would like to use SNAT instead of
>>> # MASQUERADING then uncomment and set the IP or IP's here of your static
>>> # external address(es). Note that when multiple IP's are specified, SNAT
>>> # multiroute is enabled (load balancing over multiple external (internet)
>>> # interfaces, check the README file for more info). Note that the order of IP's
>>> # should match the order of interfaces (they belong to) in $EXT_IF!
>>> # -----------------------------------------------------------------------------
>>> #NAT_STATIC_IP="193.2.1.1"
>>>
>>> # (EXPERT SETTING!). Use this variable only if you want specific
>>> subnets or
>>> # hosts to be able to access the internet. When no value is specified,
>>> your
>>> # whole internal net will have access. In both cases it's obviously
>>> only
>>> # meaningful when NAT is enabled. Note that you can also use this
>>> variable if
>>> # you want to use NAT for your DMZ.
>>> #
>>> -----------------------------------------------------------------------------
>>> # THIS SETTING IS HANDLED BY DEBCONF! DO NOT CHANGE ANYTHING HERE
>>> UNLESS YOU
>>> # KNOW WHAT YOU ARE DOING.
>>> # Use 'dpkg-reconfigure arno-iptables-firewall' instead.
>>> NAT_INTERNAL_NET="$DC_NAT_INTERNAL_NET"
>>>
>>> # NAT TCP/UDP/IP forwards. Forward ports or protocols from the gateway to
>>> # an internal client through (D)NAT. Note that you can also use these
>>> # variables to forward ports to DMZ hosts
>>> #
>>> # TCP/UDP form:
>>> #       "{SRCIP1,SRCIP2,...:}PORT1,PORT2-PORT3,...>DESTIP1{:port} \
>>> #        {SRCIP3,...:}PORT3,...>DESTIP2:port}"
>>> #
>>> # IP form:
>>> #       "{SRCIP1,SRCIP2,...:}PROTO1,PROTO2,...>DESTIP1 \
>>> #        {SRCIP3:}PROTO3,PROTO4,...>DESTIP2"
>>> #
>>> # TCP/UDP port forward examples:
>>> # Simple (forward port 80 to internal host 192.168.0.10):
>>> #       NAT_xxx_FORWARD="80>192.168.0.10"
>>> # Advanced (forward port 20 & 21 to 192.168.0.10 and
>>> #           forward from 1.2.3.4 port 81 to 192.168.0.11 port 80):
>>> #       NAT_xxx_FORWARD="20,21>192.168.0.10 1.2.3.4:81>192.168.0.11:80"
>>> #
>>> # IP protocol forward example:
>>> #        "47,48>192.168.0.10" (forward protocols 47 & 48 to 192.168.0.10)
>>> #
>>> # NOTE 1: {:port} is optional. Use it to redirect a specific port to a
>>> #         different port on the internal client.
>>> # NOTE 2: {SRCIPx} is optional. Use it to restrict access to specific source
>>> #         IP addresses.
>>> # NOTE 3: Port ranges can be written as "PORT1:PORT3" (ie. "1024:1030" would
>>> #         include ports 1024 until 1030).
>>> # -----------------------------------------------------------------------------
>>> NAT_TCP_FORWARD="22,443>192.168.0.99"
>>> NAT_UDP_FORWARD=""
>>> NAT_IP_FORWARD=""
>>>
>>>
>>> ###############################################################################
>>> # (ADSL) Modem settings                                                       #
>>> #                                                                             #
>>> # The MODEM_xxx options should (only) be used when you have an ((A)DSL)       #
>>> # modem which works with a ppp-connection between the modem and the           #
>>> # host the modem is connected to.                                             #
>>> #                                                                             #
>>> # You can check whether this applies for your (hardware) setup with           #
>>> # 'ifconfig' (a 'ppp' device is shown).                                       #
>>> # This means that if your modem is bridging (or a NAT router) or the          #
>>> # network interface the modem is connected to doesn't have an IP, you         #
>>> # should leave the MODEM_xxx options disabled (=default)!                     #
>>> ###############################################################################
>>>
>>> # The physical(!) network interface your ADSL modem is connected to
>>> (this is
>>> # not ppp0!).
>>> #
>>> -----------------------------------------------------------------------------
>>> #MODEM_IF="eth1"
>>>
>>> # (optional) The IP of the network interface (MODEM_IF) your ADSL modem
>>> is
>>> # connected to (IP shown for the modem interface (MODEM_IF) in
>>> 'ifconfig').
>>> #
>>> -----------------------------------------------------------------------------
>>> #MODEM_IF_IP="10.0.0.150"
>>>
>>> # (optional) The IP of your (A)DSL modem itself.
>>> #
>>> -----------------------------------------------------------------------------
>>> #MODEM_IP="10.0.0.138"
>>>
>>> # (EXPERT SETTING!). Here you can specify the hosts/local net(s) that
>>> should
>>> # have access to the (A)DSL modem itself (manage modem settings). The
>>> default
>>> # setting ($INTERNAL_NET) allows access from everybody on your LAN.
>>> #
>>> -----------------------------------------------------------------------------
>>> MODEM_INTERNAL_NET=$INTERNAL_NET
>>>
>>>
>>> ###############################################################################
>>> # General settings                                                            #
>>> ###############################################################################
>>>
>>> # Most people don't want to get any firewall logs being spit to the
>>> console.
>>> # This option makes the kernel ring buffer only log messages with level
>>> # "panic".
>>> #
>>> -----------------------------------------------------------------------------
>>> DMESG_PANIC_ONLY=1
>>>
>>> # Enable this if you want TOS mangling (RFC) (recommended).
>>> #
>>> -----------------------------------------------------------------------------
>>> MANGLE_TOS=1
>>>
>>> # Enable this if you want to set the maximum packet size via the
>>> # Maximum Segment Size(through MSS field) (recommended).
>>> #
>>> -----------------------------------------------------------------------------
>>> SET_MSS=1
>>>
>>> # Enable this if you want to increase the TTL value by one in the
>>> prerouting
>>> # chain. This hides the firewall when performing eg. traceroutes to
>>> internal
>>> # hosts.
>>> #
>>> -----------------------------------------------------------------------------
>>> TTL_INC=0
>>>
>>> # (EXPERT SETTING!) Enable this if you want to set the TTL value for
>>> packets in
>>> # the OUTPUT & FORWARD chain. Note that this only works with newer 2.6
>>> kernels
>>> # (2.6.14 or better) or patched 2.4 kernels, which have netfilter TTL
>>> target
>>> # support. Don't mess with this unless you really know what you are
>>> doing!
>>> #
>>> -----------------------------------------------------------------------------
>>> #PACKET_TTL="64"
>>>
>>> # Enable this to resolve names of DNS IP's etc.
>>> #
>>> -----------------------------------------------------------------------------
>>> RESOLV_IPS=0
>>>
>>> # Enable this to support the IRC-protocol.
>>> #
>>> -----------------------------------------------------------------------------
>>> USE_IRC=0
>>>
>>> # (EXPERT SETTING!). Loosen the forward chain for the external
>>> interface(s).
>>> # Enable it to allow the use of protocols like UPnP. Note that it
>>> *could* be
>>> # less secure.
>>> #
>>> -----------------------------------------------------------------------------
>>> LOOSE_FORWARD=0
>>>
>>> # (EXPERT SETTING!). Enable this if you want to drop packets
>>> originating from a
>>> # private address.
>>> #
>>> -----------------------------------------------------------------------------
>>> DROP_PRIVATE_ADDRESSES=0
>>>
>>> # (EXPERT SETTING!). Protect this machine from being abused for a
>>> DRDOS-attack
>>> # ("Distributed Reflection Denial Of Service"-attack). (STILL
>>> EXPERIMENTAL!)
>>> #
>>> -----------------------------------------------------------------------------
>>> DRDOS_PROTECT=0
>>>
>>> # Enable this if you want to allow/enable IPv6 traffic. Note that my
>>> firewall
>>> # does NOT filter IPv6 traffic (yet), and thus NO checking is performed
>>> on it!
>>> #
>>> -----------------------------------------------------------------------------
>>> IPV6_SUPPORT=0
>>>
>>> # This option fixes problems with SMB broadcasts when using nmblookup
>>> #
>>> -----------------------------------------------------------------------------
>>> NMB_BROADCAST_FIX=0
>>>
>>> # (EXPERT SETTING!). Enter your remote Freeswan subnet(s) here to
>>> enable
>>> # "Virtual IP" support for Freeswan. This allows you to have remote
>>> # "Virtual IP's" which are in the same subnet as yourself, to be routed
>>> into
>>> # your network (via NAT). Make sure you understand what this is and
>>> that you
>>> # really want this (else leave it empty)!
>>> #
>>> -----------------------------------------------------------------------------
>>> FREESWAN_NET=""
>>>
>>> # (EXPERT SETTING!). (Other) trusted network interfaces for which ALL
>>> IP
>>> # traffic should be ACCEPTED. (multiple(!) interfaces should be space
>>> # separated). Be warned that anything TO and FROM these interfaces is
>>> allowed
>>> # (ACCEPTED) so make sure it's NOT routable(accessible) from the
>>> outside world
>>> # (internet)!
>>> #
>>> -----------------------------------------------------------------------------
>>> TRUSTED_IF=""
>>>
>>> # (EXPERT SETTING!). Put here the (internal) interfaces that should
>>> trust
>>> # (accept forward traffic) each other.
>>> #
>>> -----------------------------------------------------------------------------
>>> INT_IF_TRUST=""
>>>
>>> # Location of the custom iptables rules file (if any).
>>> #
>>> -----------------------------------------------------------------------------
>>> CUSTOM_RULES=/etc/arno-firewall-custom-rules
>>>
>>>
>>> ###############################################################################
>>> # Logging options - All logging is rate limited to prevent log flooding       #
>>> ###############################################################################
>>>
>>> # Enable logging for explicitly blocked hosts.
>>> #
>>> -----------------------------------------------------------------------------
>>> BLOCKED_HOST_LOG=1
>>>
>>> # Enable logging for various stealth scans (reliable).
>>> #
>>> -----------------------------------------------------------------------------
>>> SCAN_LOG=1
>>>
>>> # Enable logging for possible stealth scans (less reliable).
>>> #
>>> -----------------------------------------------------------------------------
>>> POSSIBLE_SCAN_LOG=1
>>>
>>> # Enable logging for TCP-packets with bad flags.
>>> #
>>> -----------------------------------------------------------------------------
>>> BAD_FLAGS_LOG=1
>>>
>>> # Enable logging of invalid packets.
>>> #
>>> -----------------------------------------------------------------------------
>>> INVALID_PACKET_LOG=1
>>>
>>> # Enable logging of source IP's with reserved addresses.
>>> #
>>> -----------------------------------------------------------------------------
>>> RESERVED_NET_LOG=1
>>>
>>> # Enable logging of fragmented packets.
>>> #
>>> -----------------------------------------------------------------------------
>>> FRAG_LOG=1
>>>
>>> # Enable logging of (probable) "lost TCP connections". Keep disabled to
>>> # reduce false alarms.
>>> #
>>> -----------------------------------------------------------------------------
>>> LOST_CONNECTION_LOG=0
>>>
>>> # Enable logging of denied local (OUTPUT) connections.
>>> #
>>> -----------------------------------------------------------------------------
>>> OUTPUT_DENY_LOG=1
>>>
>>> # Enable logging of denied LAN output (FORWARD) connections.
>>> #
>>> -----------------------------------------------------------------------------
>>> LAN_OUTPUT_DENY_LOG=1
>>>
>>> # Enable logging of denied DMZ output (FORWARD) connections.
>>> #
>>> -----------------------------------------------------------------------------
>>> DMZ_OUTPUT_DENY_LOG=1
>>>
>>> # Enable logging of denied DMZ input (FORWARD) connections.
>>> #
>>> -----------------------------------------------------------------------------
>>> DMZ_INPUT_DENY_LOG=1
>>>
>>> # Enable logging of dropped ICMP-request packets (ping).
>>> #
>>> -----------------------------------------------------------------------------
>>> ICMP_REQUEST_LOG=1
>>>
>>> # Enable logging of dropped "other" ICMP packets.
>>> #
>>> -----------------------------------------------------------------------------
>>> ICMP_OTHER_LOG=1
>>>
>>> # Enable logging of normal connection attempts to privileged TCP ports.
>>> #
>>> -----------------------------------------------------------------------------
>>> PRIV_TCP_LOG=1
>>>
>>> # Enable logging of normal connection attempts to privileged UDP ports.
>>> #
>>> -----------------------------------------------------------------------------
>>> PRIV_UDP_LOG=1
>>>
>>> # Enable logging of normal connection attempts to unprivileged TCP
>>> ports.
>>> #
>>> -----------------------------------------------------------------------------
>>> UNPRIV_TCP_LOG=1
>>>
>>> # Enable logging of normal connection attempts to unprivileged UDP
>>> ports.
>>> #
>>> -----------------------------------------------------------------------------
>>> UNPRIV_UDP_LOG=1
>>>
>>> # Enable logging of normal connection attempts to "other-IP"-protocols
>>> (non
>>> # TCP/UDP/ICMP).
>>> #
>>> -----------------------------------------------------------------------------
>>> OTHER_IP_LOG=1
>>>
>>> # Enable logging for ICMP flooding.
>>> #
>>> -----------------------------------------------------------------------------
>>> ICMP_FLOOD_LOG=1
>>>
>>> # Enable logging for not-allowed MAC addresses (if used).
>>> #
>>> -----------------------------------------------------------------------------
>>> MAC_ADDRESS_LOG=1
>>>
>>> # (EXPERT SETTING!). The location of the dedicated firewall log file.
>>> When
>>> # enabled the firewall script will also log start/stop etc. info to
>>> this file
>>> # as well. Note that in order to make this work, you should also
>>> configure
>>> # syslogd to log firewall messages to this file (see LOGLEVEL below for
>>> further
>>> # info).
>>> #
>>> -----------------------------------------------------------------------------
>>> #FIREWALL_LOG=/var/log/firewall
>>>
>>> # (EXPERT SETTING!). Current log-level ("info": default kernel syslog
>>> level)
>>> # "debug": can be used to log to /var/log/firewall.log, but you have to
>>> configure
>>> # syslogd accordingly (see included syslogd.conf examples).
>>> #
>>> -----------------------------------------------------------------------------
>>> LOGLEVEL=info
>>>
>>> # Put in the following variables which hosts you want to log certain
>>> incoming
>>> # connection attempts for.
>>> # TCP/UDP port format (LOG_HOST_xxx_INPUT):
>>> #       "host1,host2>port1,port2 host3,host4>port3,port4 ..."
>>> #
>>> # IP protocol format (LOG_HOST_IP_INPUT):
>>> #       "host1,host2>proto1,proto2 host3,host4>proto4,proto4 ..."
>>> #
>>> -----------------------------------------------------------------------------
>>> LOG_HOST_TCP_INPUT=""
>>> LOG_HOST_UDP_INPUT=""
>>> LOG_HOST_IP_INPUT=""
>>>
>>> # Put in the following variables which hosts you want to log certain
>>> outgoing
>>> # connection attempts for.
>>> # TCP/UDP port format (LOG_HOST_xxx_OUTPUT):
>>> #       "host1,host2>port1,port2 host3,host4>port3,port4 ..."
>>> #
>>> # IP protocol format (LOG_HOST_IP_OUTPUT):
>>> #       "host1,host2>proto1,proto2 host3,host4>proto4,proto4 ..."
>>> #
>>> -----------------------------------------------------------------------------
>>> LOG_HOST_TCP_OUTPUT=""
>>> LOG_HOST_UDP_OUTPUT=""
>>> LOG_HOST_IP_OUTPUT=""
>>>
>>> # Put in the following variables which services you want to log
>>> incoming
>>> # connection attempts for.
>>> #
>>> -----------------------------------------------------------------------------
>>> LOG_TCP_INPUT=""
>>> LOG_UDP_INPUT=""
>>> LOG_IP_INPUT=""
>>>
>>> # Put in the following variables which services you want to log
>>> outgoing
>>> # connection attempts for.
>>> #
>>> -----------------------------------------------------------------------------
>>> LOG_TCP_OUTPUT=""
>>> LOG_UDP_OUTPUT=""
>>> LOG_IP_OUTPUT=""
>>>
>>> # Put in the following variable which hosts you want to log incoming
>>> connection
>>> # (attempts) for.
>>> #
>>> -----------------------------------------------------------------------------
>>> LOG_HOST_INPUT=""
>>>
>>> # Put in the following variable which hosts you want to log outgoing
>>> connection
>>> # (attempts) to.
>>> #
>>> -----------------------------------------------------------------------------
>>> LOG_HOST_OUTPUT=""
>>>
>>>
>>> ###############################################################################
>>> # /proc based settings (EXPERT SETTINGS!)                                     #
>>> ###############################################################################
>>>
>>> # Enable for synflood protection (through /proc/.../tcp_syncookies).
>>> #
>>> -----------------------------------------------------------------------------
>>> SYN_PROT=1
>>>
>>> # Enable this to reduce the ability of others DOS'ing your machine.
>>> #
>>> -----------------------------------------------------------------------------
>>> REDUCE_DOS_ABILITY=1
>>>
>>> # Enable to ignore all ICMP echo-requests (IPv4) on ALL interfaces.
>>> #
>>> -----------------------------------------------------------------------------
>>> ECHO_IGNORE=0
>>>
>>> # Enable to log packets with impossible addresses to the kernel log.
>>> #
>>> -----------------------------------------------------------------------------
>>> LOG_MARTIANS=0
>>>
>>> # Only disable this if you're NOT using forwarding (required for NAT
>>> etc.) for
>>> # increased security.
>>> #
>>> -----------------------------------------------------------------------------
>>> IP_FORWARDING=1
>>>
>>> # Enable if you want to accept ICMP redirect messages. Should be set to
>>> "0" in
>>> # case of a router.
>>> #
>>> -----------------------------------------------------------------------------
>>> ICMP_REDIRECT=0
>>>
>>> # Enable/modify this if you want to be able to handle a larger (or smaller)
>>> # number of simultaneous connections. For high traffic machines I recommend to
>>> # use a value of at least 16384 (note that a higher value (obviously) also uses
>>> # more memory).
>>> # -----------------------------------------------------------------------------
>>> CONNTRACK=16384
>>>
>>> # You may need to enable this to get some internet games to work, but
>>> note that
>>> # it's *less* secure.
>>> #
>>> -----------------------------------------------------------------------------
>>> LOOSE_UDP_PATCH=0
>>>
>>> # Enable ECN (Explicit Congestion Notification) TCP flag. Disabled by
>>> default,
>>> # as some routers are still not compatible with this.
>>> #
>>> -----------------------------------------------------------------------------
>>> ECN=0
>>>
>>> # Enable to drop connections from non-routable IP's, eg. prevent source
>>> # routing. By default the firewall itself also provides rules against source
>>> # routing. Note that when you use eg. VPN (Freeswan), you should probably
>>> # disable this setting.
>>> # -----------------------------------------------------------------------------
>>> RP_FILTER=1
>>>
>>> # Protect against source routed packets. Attackers can use source
>>> routing to
>>> # generate traffic pretending to be from inside your network, but which
>>> is
>>> # routed back along the path from which it came, namely outside, so
>>> attackers
>>> # can compromise your network. Source routing is rarely used for
>>> legitimate
>>> # purposes, so normally you should always leave this enabled(1)!
>>> #
>>> -----------------------------------------------------------------------------
>>> SOURCE_ROUTE_PROTECTION=1
>>>
>>> # Here we set the local port range (ports from which connections are
>>> # initiated from our site). Don't mess with this unless you really know
>>> what
>>> # you are doing!
>>> #
>>> -----------------------------------------------------------------------------
>>> LOCAL_PORT_RANGE="32768 61000"
>>>
>>> # Here you can change the default TTL used for sending packets. The
>>> value
>>> # should be between 10 and 255. Don't mess with this unless you really
>>> know
>>> # what you are doing!
>>> #
>>> -----------------------------------------------------------------------------
>>> DEFAULT_TTL=64
>>>
>>> # In most cases pmtu discovery is ok, but in some rare cases (when
>>> having
>>> # problems) you might want to disable it.
>>> #
>>> -----------------------------------------------------------------------------
>>> NO_PMTU_DISCOVERY=0
>>>
>>>
>>> ###############################################################################
>>> # (Transparent) proxy settings (EXPERT SETTINGS!)                             #
>>> ###############################################################################
>>> #HTTP_PROXY_PORT="3128"
>>> HTTPS_PROXY_PORT=""
>>> FTP_PROXY_PORT=""
>>> SMTP_PROXY_PORT=""
>>> POP3_PROXY_PORT=""
>>>
>>>
>>> ###############################################################################
>>> # Firewall policies for the LAN (EXPERT SETTINGS!)                            #
>>> ###############################################################################
>>>
>>> ###############################################################################
>>> # LAN_INET_xxx = LAN->internet access rules (forward)                         #
>>> #                                                                             #
>>> # Note that when both LAN_INET_OPEN_xxx & LAN_INET_HOST_OPEN_xxx are NOT      #
>>> # used, the default policy for that protocol/port is accept (unless denied    #
>>> # through LAN_INET_DENY_xxx and/or LAN_INET_HOST_DENY_xxx)!                   #
>>> ###############################################################################
>>>
>>> # Put in the following variables the TCP/UDP ports or IP
>>> # protocols TO (remote end-point) which the LAN hosts are
>>> # permitted to connect to via the external (internet) interface.
>>> #
>>> -----------------------------------------------------------------------------
>>> LAN_INET_OPEN_TCP=""
>>> LAN_INET_OPEN_UDP=""
>>> LAN_INET_OPEN_IP=""
>>>
>>> # Put in the following variables the TCP/UDP ports or IP protocols TO (remote
>>> # end-point) which the LAN hosts are NOT permitted to connect to
>>> # via the external (internet) interface. Examples of usage are for blocking
>>> # IRC (TCP 6666:6669) for the internal network.
>>> # -----------------------------------------------------------------------------
>>> LAN_INET_DENY_TCP=""
>>> LAN_INET_DENY_UDP=""
>>> LAN_INET_DENY_IP=""
>>>
>>> # Put in the following variables the TCP/UDP ports or IP
>>> # protocols TO (remote end-point) which certain LAN hosts are
>>> # permitted to connect to via the external (internet) interface. Note that
>>> # any ports/protocols specified here are made "exclusively" for the accompanying
>>> # host(s), meaning that nobody else can use them!
>>> #
>>> # TCP/UDP port format (LAN_INET_HOST_OPEN_xxx):
>>> #       "host1,host2>port1,port2 host3,host4>port3,port4 ..."
>>> #
>>> # IP protocol format (LAN_INET_HOST_OPEN_xxx):
>>> #       "host1,host2>proto1,proto2 host3,host4>proto3,proto4 ..."
>>> # -----------------------------------------------------------------------------
>>> LAN_INET_HOST_OPEN_TCP=""
>>> LAN_INET_HOST_OPEN_UDP=""
>>> LAN_INET_HOST_OPEN_IP=""
>>>
>>> # Put in the following variables the TCP/UDP ports or IP protocols TO (remote
>>> # end-point) which certain LAN hosts are NOT permitted to connect to
>>> # via the external (internet) interface.
>>> #
>>> # TCP/UDP port format (LAN_INET_HOST_DENY_xxx):
>>> #       "host1,host2>port1,port2 host3,host4>port3,port4 ..."
>>> #
>>> # IP protocol format (LAN_INET_HOST_DENY_xxx):
>>> #       "host1,host2>proto1,proto2 host3,host4>proto3,proto4 ..."
>>> # -----------------------------------------------------------------------------
>>> LAN_INET_HOST_DENY_TCP=""
>>> LAN_INET_HOST_DENY_UDP=""
>>> LAN_INET_HOST_DENY_IP=""
>>>
>>>
>>> ###############################################################################
>>> # Firewall policies for the DMZ (EXPERT SETTINGS!)                            #
>>> ###############################################################################
>>>
>>> ###############################################################################
>>> # INET_DMZ_xxx = Internet->DMZ access rules (forward)                          #
>>> # DMZ_INET_xxx = DMZ->internet access rules (forward)                          #
>>> # DMZ_LAN_xxx  = DMZ->LAN access rules (forward)                               #
>>> # DMZ_xxx      = DMZ->local(this machine) access rules (input)                 #
>>> #                                                                             #
>>> # Note that when both INET_DMZ_OPEN_xxx & INET_DMZ_HOST_OPEN_xxx are NOT      #
>>> # used, the default policy for that protocol/port is accept (unless denied    #
>>> # through INET_DMZ_DENY_xxx and/or INET_DMZ_HOST_DENY_xxx)!                   #
>>> ###############################################################################
>>>
>>> # Put in the following variables which INET hosts are permitted to connect to
>>> # certain TCP/UDP ports or IP protocols in the DMZ.
>>> # -----------------------------------------------------------------------------
>>> INET_DMZ_OPEN_TCP=""
>>> INET_DMZ_OPEN_UDP=""
>>> INET_DMZ_OPEN_IP=""
>>>
>>> # Put in the following variables which INET hosts are NOT permitted to connect
>>> # to certain TCP/UDP ports or IP protocols in the DMZ.
>>> # -----------------------------------------------------------------------------
>>> INET_DMZ_DENY_TCP=""
>>> INET_DMZ_DENY_UDP=""
>>> INET_DMZ_DENY_IP=""
>>>
>>> # Put in the following variables which INET hosts you want to allow for certain
>>> # services. By default all services are allowed for DMZ hosts.
>>> # TCP/UDP port format (INET_DMZ_HOST_OPEN_TCP & INET_DMZ_HOST_OPEN_UDP):
>>> #       "host1,host2>port1,port2 host3,host4>port3,port4 ..."
>>> #
>>> # IP protocol format (INET_DMZ_HOST_OPEN_IP):
>>> #       "host1,host2>proto1,proto2 host3,host4>proto3,proto4 ..."
>>> #
>>> # ICMP protocol format (INET_DMZ_HOST_OPEN_ICMP):
>>> #       "host1 host2 ...."
>>> # -----------------------------------------------------------------------------
>>> INET_DMZ_HOST_OPEN_TCP=""
>>> INET_DMZ_HOST_OPEN_UDP=""
>>> INET_DMZ_HOST_OPEN_IP=""
>>>
>>> # Put in the following variables which INET hosts you want to deny for certain
>>> # services (and logged). By default all services are allowed for DMZ
>>> # hosts.
>>> # TCP/UDP port format (INET_DMZ_HOST_DENY_TCP & INET_DMZ_HOST_DENY_UDP):
>>> #       "host1,host2>port1,port2 host3,host4>port3,port4 ..."
>>> #
>>> # IP protocol format (INET_DMZ_HOST_DENY_IP):
>>> #       "host1,host2>proto1,proto2 host3,host4>proto3,proto4 ..."
>>> #
>>> # ICMP protocol format (INET_DMZ_HOST_DENY_ICMP):
>>> #       "host1 host2 ...."
>>> # -----------------------------------------------------------------------------
>>> INET_DMZ_HOST_DENY_TCP=""
>>> INET_DMZ_HOST_DENY_UDP=""
>>> INET_DMZ_HOST_DENY_IP=""
>>>
>>> ###############################################################################
>>> # Note that when both DMZ_INET_OPEN_xxx & DMZ_INET_HOST_OPEN_xxx are NOT      #
>>> # used, the default policy for that protocol/port is accept (unless denied    #
>>> # through DMZ_INET_DENY_xxx and/or DMZ_INET_HOST_DENY_xxx)!                   #
>>> ###############################################################################
>>>
>>> # Put in the following variables the TCP/UDP ports or IP
>>> # protocols TO (remote end-point) which the DMZ hosts are
>>> # permitted to connect to via the external (internet) interface.
>>> # -----------------------------------------------------------------------------
>>> DMZ_INET_OPEN_TCP=""
>>> DMZ_INET_OPEN_UDP=""
>>> DMZ_INET_OPEN_IP=""
>>>
>>> # Put in the following variables the TCP/UDP ports or IP protocols TO (remote
>>> # end-point) which the DMZ hosts are NOT permitted to connect to
>>> # via the external (internet) interface. Examples of usage are for blocking
>>> # IRC (TCP 6666:6669) for the DMZ hosts.
>>> # -----------------------------------------------------------------------------
>>> DMZ_INET_DENY_TCP=""
>>> DMZ_INET_DENY_UDP=""
>>> DMZ_INET_DENY_IP=""
>>>
>>> # Put in the following variables which DMZ hosts you want to allow to connect
>>> # to certain internet hosts for services. By default all inet services are
>>> # allowed for DMZ hosts.
>>> #
>>> # TCP/UDP port format (DMZ_INET_HOST_OPEN_TCP & DMZ_INET_HOST_OPEN_UDP):
>>> #       "host1,host2>port1,port2 host3,host4>port3,port4 ..."
>>> #
>>> # IP protocol format (DMZ_INET_HOST_OPEN_IP):
>>> #       "host1,host2>proto1,proto2 host3,host4>proto3,proto4 ..."
>>> #
>>> # ICMP protocol format (DMZ_INET_HOST_OPEN_ICMP):
>>> #       "host1 host2 ...."
>>> # -----------------------------------------------------------------------------
>>> DMZ_INET_HOST_OPEN_TCP=""
>>> DMZ_INET_HOST_OPEN_UDP=""
>>> DMZ_INET_HOST_OPEN_IP=""
>>>
>>> # Put in the following variables which DMZ hosts you want to deny to connect
>>> # to certain internet hosts for services.
>>> #
>>> # TCP/UDP port format (DMZ_INET_HOST_DENY_TCP & DMZ_INET_HOST_DENY_UDP):
>>> #       "host1,host2>port1,port2 host3,host4>port3,port4 ..."
>>> #
>>> # IP protocol format (DMZ_INET_HOST_DENY_IP):
>>> #       "host1,host2>proto1,proto2 host3,host4>proto3,proto4 ..."
>>> #
>>> # ICMP protocol format (DMZ_INET_HOST_DENY_ICMP):
>>> #       "host1 host2 ...."
>>> # -----------------------------------------------------------------------------
>>> DMZ_INET_HOST_DENY_TCP=""
>>> DMZ_INET_HOST_DENY_UDP=""
>>> DMZ_INET_HOST_DENY_IP=""
>>>
>>> # (EXPERT SETTING!) DMZ-to-LAN TCP/UDP/IP open ports/protocols. Open particular
>>> # ports / protocols on LAN hosts (on INT_IF) for certain DMZ hosts:
>>> # TCP/UDP form:
>>> #       "SRCIP1,SRCIP2,...>DESTIP1:port \
>>> #        SRCIP3,...>DESTIP2:port"
>>> #
>>> # IP form:
>>> #       "SRCIP1,SRCIP2,...>DESTIP1:protocol \
>>> #        SRCIP3,...>DESTIP2:protocol"
>>> #
>>> # TCP/UDP examples:
>>> # Simple (open port 80 on host 192.168.0.10 for all DMZ hosts):
>>> #       DMZ_LAN_HOST_OPEN_xxx="192.168.0.10:80"
>>> # Advanced (open port 20 & 21 on 192.168.0.10 for all DMZ hosts and
>>> #           open port 80 on 192.168.0.11 for host 1.2.3.4 only):
>>> #       DMZ_LAN_HOST_OPEN_xxx="192.168.0.10:20,21 1.2.3.4>192.168.0.11:80"
>>> #
>>> # IP protocol forward example:
>>> #        "192.168.0.10:47,48" (open protocols 47 & 48 on 192.168.0.10
>>> #                              for all DMZ hosts)
>>> #
>>> # NOTE 1: {SRCIPx} is optional. Use it to restrict access to specific
>>> #         source IP addresses.
>>> # NOTE 2: Port ranges can be written as "PORT1:PORT3" (i.e. "1024:1030" would
>>> #         include ports 1024 through 1030).
>>> # -----------------------------------------------------------------------------
>>> DMZ_LAN_HOST_OPEN_TCP=""
>>> DMZ_LAN_HOST_OPEN_UDP=""
>>> DMZ_LAN_HOST_OPEN_IP=""
>>>
>>> # Put in the following variables which DMZ hosts are permitted to connect to
>>> # certain TCP/UDP ports, IP protocols or ICMP. By default all (local)
>>> # services are blocked for DMZ hosts.
>>> # -----------------------------------------------------------------------------
>>> DMZ_OPEN_TCP=""
>>> DMZ_OPEN_UDP=""
>>> DMZ_OPEN_IP=""
>>> DMZ_OPEN_ICMP=0
>>>
>>> # Put in the following variables which DMZ hosts you want to allow for certain
>>> # services. By default all (local) services are blocked for DMZ hosts.
>>> # TCP/UDP port format (DMZ_HOST_OPEN_TCP & DMZ_HOST_OPEN_UDP):
>>> #       "host1,host2>port1,port2 host3,host4>port3,port4 ..."
>>> #
>>> # IP protocol format (DMZ_HOST_OPEN_IP):
>>> #       "host1,host2>proto1,proto2 host3,host4>proto3,proto4 ..."
>>> #
>>> # ICMP protocol format (DMZ_HOST_OPEN_ICMP):
>>> #       "host1 host2 ...."
>>> # -----------------------------------------------------------------------------
>>> DMZ_HOST_OPEN_TCP=""
>>> DMZ_HOST_OPEN_UDP=""
>>> DMZ_HOST_OPEN_IP=""
>>> DMZ_HOST_OPEN_ICMP=""
>>>
>>>
>>> ###############################################################################
>>> # Firewall policies for the external (inet) interface (default policy = drop) #
>>> ###############################################################################
>>>
>>> # Put in the following variable which hosts (subnets) you want to have full
>>> # access via your internet (EXT_IF) connection(!). This is especially meant for
>>> # networks/servers which use NIS/NFS, as these protocols require all ports
>>> # to be open.
>>> # NOTE: Don't mistake this variable for the one used for internal nets.
>>> # -----------------------------------------------------------------------------
>>> FULL_ACCESS_HOSTS=""
>>>
>>> # Put in the following variables which ports or IP protocols you want to leave
>>> # open to the whole world.
>>> # -----------------------------------------------------------------------------
>>> # OPEN_TCP and OPEN_UDP are handled by Debconf. If you want to add more open TCP
>>> # or UDP ports use 'dpkg-reconfigure arno-iptables-firewall'. For more complex
>>> # setups add them (space separated) after $DC_OPEN_TCP / $DC_OPEN_UDP.
>>> OPEN_TCP="$DC_OPEN_TCP"
>>> OPEN_UDP="$DC_OPEN_UDP"
>>>
>>>
>>> OPEN_IP=""
>>> # THIS SETTING IS HANDLED BY DEBCONF! DO NOT CHANGE ANYTHING HERE UNLESS YOU
>>> # KNOW WHAT YOU ARE DOING.
>>> # Use 'dpkg-reconfigure arno-iptables-firewall' instead.
>>> OPEN_ICMP=$DC_OPEN_ICMP
>>>
>>> # Put in the following variables the TCP/UDP ports you want to DENY(DROP) for
>>> # everyone (and logged). Also use these variables if you want to log connection
>>> # attempts to these ports from everyone (also trusted/full access hosts).
>>> # In principle you don't need these variables, as everything is already blocked
>>> # (denied) by default, but they just exist for consistency.
>>> # -----------------------------------------------------------------------------
>>> DENY_TCP=""
>>> DENY_UDP=""
>>>
>>> # Put in the following variables which ports you want to DENY(DROP) for
>>> # everyone but NOT logged. This is very useful if you have constant probes on
>>> # the same port(s) over and over again (code red worm) and don't want your logs
>>> # flooded with it.
>>> # -----------------------------------------------------------------------------
>>> DENY_TCP_NOLOG=""
>>> DENY_UDP_NOLOG=""
>>>
>>> # Put in the following variables the TCP/UDP ports you want to REJECT (instead
>>> # of DROP) for everyone (and logged).
>>> # -----------------------------------------------------------------------------
>>> REJECT_TCP=""
>>> REJECT_UDP=""
>>>
>>> # Put in the following variables the TCP/UDP ports you want to REJECT (instead
>>> # of DROP) for everyone but NOT logged.
>>> # -----------------------------------------------------------------------------
>>> REJECT_TCP_NOLOG=""
>>> REJECT_UDP_NOLOG=""
>>>
>>> # Put in the following variables which hosts you want to allow for certain
>>> # services.
>>> # TCP/UDP port format (HOST_OPEN_TCP & HOST_OPEN_UDP):
>>> #       "host1,host2>port1,port2 host3,host4>port3,port4 ..."
>>> #
>>> # IP protocol format (HOST_OPEN_IP):
>>> #       "host1,host2>proto1,proto2 host3,host4>proto3,proto4 ..."
>>> #
>>> # ICMP protocol format (HOST_OPEN_ICMP):
>>> #       "host1 host2 ...."
>>> # -----------------------------------------------------------------------------
>>> HOST_OPEN_TCP=""
>>> HOST_OPEN_UDP=""
>>> HOST_OPEN_IP=""
>>> HOST_OPEN_ICMP=""
>>>
>>> # Put in the following variables which hosts you want to DENY(DROP) for certain
>>> # services (and logged).
>>> # TCP/UDP port format (HOST_DENY_TCP & HOST_DENY_UDP):
>>> #       "host1,host2>port1,port2 host3,host4>port3,port4 ..."
>>> #
>>> # IP protocol format (HOST_DENY_IP):
>>> #       "host1,host2>proto1,proto2 host3,host4>proto3,proto4 ..."
>>> #
>>> # ICMP protocol format (HOST_DENY_ICMP):
>>> #       "host1 host2 ...."
>>> # -----------------------------------------------------------------------------
>>> HOST_DENY_TCP=""
>>> HOST_DENY_UDP=""
>>> HOST_DENY_IP=""
>>> HOST_DENY_ICMP=""
>>>
>>> # Put in the following variables which hosts you want to DENY(DROP) for certain
>>> # services but NOT logged.
>>> # TCP/UDP port format (HOST_DENY_xxx_NOLOG):
>>> #       "host1,host2>port1,port2 host3,host4>port3,port4 ..."
>>> #
>>> # IP protocol format (HOST_DENY_IP_NOLOG):
>>> #       "host1,host2>proto1,proto2 host3,host4>proto3,proto4 ..."
>>> #
>>> # ICMP protocol format (HOST_DENY_ICMP_NOLOG):
>>> #       "host1 host2 ...."
>>> # -----------------------------------------------------------------------------
>>> HOST_DENY_TCP_NOLOG=""
>>> HOST_DENY_UDP_NOLOG=""
>>> HOST_DENY_IP_NOLOG=""
>>> HOST_DENY_ICMP_NOLOG=""
>>>
>>> # Put in the following variables which hosts you want to REJECT (instead of
>>> # DROP) for certain TCP/UDP ports.
>>> # TCP/UDP port format (HOST_REJECT_xxx):
>>> #       "host1,host2>port1,port2 host3,host4>port3,port4 ..."
>>> # -----------------------------------------------------------------------------
>>> HOST_REJECT_TCP=""
>>> HOST_REJECT_UDP=""
>>>
>>> # Put in the following variables which hosts you want to REJECT (instead of
>>> # DROP) for certain services but NOT logged.
>>> # TCP/UDP port format (HOST_REJECT_xxx_NOLOG):
>>> #       "host1,host2>port1,port2 host3,host4>port3,port4 ..."
>>> # -----------------------------------------------------------------------------
>>> HOST_REJECT_TCP_NOLOG=""
>>> HOST_REJECT_UDP_NOLOG=""
>>>
>>> # Put in the following variables which services THIS machine is NOT
>>> # permitted to connect TO (remote end-point) via the external (internet)
>>> # interface. For example for blocking IRC (tcp 6666:6669).
>>> # -----------------------------------------------------------------------------
>>> DENY_TCP_OUTPUT=""
>>> DENY_UDP_OUTPUT=""
>>> DENY_IP_OUTPUT=""
>>>
>>> # Put in the following variables to which hosts THIS machine is NOT
>>> # permitted to connect TO for certain services (remote end-point)
>>> # via the external (internet) interface. In principle you can also
>>> # use this to put your machine in a "virtual-DMZ" by blocking all traffic
>>> # to your local subnet.
>>> # TCP/UDP port format (HOST_DENY_TCP_OUTPUT & HOST_DENY_UDP_OUTPUT):
>>> #       "host1,host2>port1,port2 host3,host4>port3,port4 ..."
>>> #
>>> # IP protocol format (HOST_DENY_IP_OUTPUT):
>>> #       "host1,host2>proto1,proto2 host3,host4>proto3,proto4 ..."
>>> # -----------------------------------------------------------------------------
>>> HOST_DENY_TCP_OUTPUT=""
>>> HOST_DENY_UDP_OUTPUT=""
>>> HOST_DENY_IP_OUTPUT=""
>>>
>>> # Put in the following variable which TCP/UDP ports you don't want to
>>> # see broadcasts from (e.g. DHCP (67/68)) on your EXTERNAL interface. Note that
>>> # to make this properly work you also need to set "EXTERNAL_NET"!
>>> # -----------------------------------------------------------------------------
>>> BROADCAST_TCP_NOLOG=""
>>> #BROADCAST_UDP_NOLOG="67 68"
>>>
>>> # Put in the following variable which hosts you want to block (blackhole,
>>> # dropping every packet from the host).
>>> # -----------------------------------------------------------------------------
>>> BLOCK_HOSTS=""
>>>
>>> # Uncomment & specify here the location of the file that contains a list of
>>> # hosts (IP's) that should be BLOCKED. IP ranges can (only) be specified as
>>> # w.x.y.z1-z2 (e.g. 192.168.1.10-15). Note that the last line of this file
>>> # should always end with a newline (enter)!
>>> # -----------------------------------------------------------------------------
>>> #BLOCK_HOSTS_FILE=/etc/arno-firewall-blocked-hosts
>>>
>>> ------------------------------------------------------------------------
>>>
>>> #######################################################################
>>> # Feel free to edit this file.  However, be aware that debconf writes #
>>> # to (and reads from) this file too.  In case of doubt, only use      #
>>> # 'dpkg-reconfigure -plow arno-iptables-firewall' to edit this file.  #
>>> # If you really don't want to use debconf, or if you have specific    #
>>> # needs, you're likely better off creating                            #
>>> # /etc/arno-firewall-custom-rules.  See README.Debian.                #
>>> #######################################################################
>>> DC_EXT_IF="ppp0"
>>> DC_EXT_IF_DHCP_IP=1
>>> DC_OPEN_TCP="8080 2222 110 143"
>>> DC_OPEN_UDP="8080 2222 110 143"
>>> DC_INT_IF="eth0"
>>> DC_NAT=1
>>> DC_INTERNAL_NET="192.168.0.0/24"
>>> DC_NAT_INTERNAL_NET="192.168.0.0/24"
>>> DC_OPEN_ICMP=1
>>>
>>> ------------------------------------------------------------------------
>>>
>>> Arno's Iptables Firewall Script v1.8.6c
>>> -------------------------------------------------------------------------------
>>> Sanity checks passed...OK
>>> Detected IPTABLES module... Loading additional IPTABLES modules:
>>> All IPTABLES modules loaded!
>>> Setting the kernel ring buffer to only log panic messages to the console
>>> Configuring /proc/.... settings:
>>>  Enabling anti-spoof with rp_filter.
>>>  Enabling SYN-flood protection via SYN-cookies.
>>>  Disabling the logging of martians.
>>>  Disabling the acception of ICMP-redirect messages.
>>>  Setting the max. amount of simultaneous connections to 16384.
>>>  Enabling protection against source routed packets.
>>>  Setting default conntrack timeouts.
>>>  Enabling reduction of the DoS'ing ability.
>>>  Setting Default TTL=64
>>>  Disabling ECN (Explicit Congestion Notification).
>>>  Enabling support for dynamic IP's
>>> /proc/ setup done...
>>> Flushing rules in the filter table.
>>> Setting default (secure) policies.
>>> Using loglevel "info" for syslogd.
>>>
>>> Setting up firewall rules:
>>> -------------------------------------------------------------------------------
>>> Accepting packets from the local loopback device.
>>> Enabling setting the maximum packet size via MSS.
>>> Enabling mangling TOS.
>>> Logging of stealth scans (nmap probes etc.) enabled.
>>> Logging of packets with bad TCP-flags enabled.
>>> Logging of possible stealth scans enabled.
>>> Logging of INVALID packets enabled.
>>> Logging of fragmented packets enabled.
>>> Logging of access from reserved addresses enabled.
>>> Setting up anti-spoof rules.
>>> Reading custom IPTABLES rules from /etc/arno-firewall-custom-rules
>>> Enabling support for a DHCP assigned IP on the external interface(s) ppp0
>>> Logging of explicitly blocked hosts enabled.
>>> Logging of denied local output connections enabled.
>>> Packets will NOT be checked for private source addresses.
>>> Allowing the whole world to connect to TCP port(s): 8080 2222 110 143
>>> Allowing the whole world to connect to UDP port(s): 8080 2222 110 143
>>> Allowing the whole world to send ICMP-requests(ping).
>>> Logging of dropped ICMP-request(ping) packets enabled.
>>> Logging of dropped other ICMP packets enabled.
>>> Logging of possible stealth scans enabled.
>>> Logging of (other) connection attempts to PRIVILEGED TCP ports enabled.
>>> Logging of (other) connection attempts to PRIVILEGED UDP ports enabled.
>>> Logging of (other) connection attempts to UNPRIVILEGED TCP ports enabled.
>>> Logging of (other) connection attempts to UNPRIVILEGED UDP ports enabled.
>>> Logging of other IP protocols (non TCP/UDP/ICMP) connection attempts enabled.
>>> Logging of ICMP flooding enabled.
>>> Adding external interface "ppp0" (without an external subnet specified)
>>> Setting up INPUT policy for internal interface(s) eth0
>>> Setting up FORWARD policy for internal interface(s) eth0:
>>>  Logging of denied LAN (forward) output connections enabled.
>>>  Allowing all (other) TCP ports
>>>  Allowing all (other) UDP ports
>>>  Allowing all (other) IP protocols
>>> Enabling masquerading(NAT) for host(s) 192.168.0.0/24 via ppp0
>>> Forwarding(NAT) TCP port(s) 22,443 to 192.168.0.99
>>> Security is ENFORCED for the external interface(s) in the FORWARD chain.
>>>
>>> Sep 29 11:04:03 All firewall rules applied.
>>>
>>> ------------------------------------------------------------------------
>>>
>>> _______________________________________________
>>> Firewall mailing list
>>> Firewall at lists.btito.net
>>> http://lists.btito.net/mailman/listinfo/firewall_lists.btito.net
>>> Arno's (Linux IPTABLES Firewall) Homepage:
>>> http://rocky.eld.leidenuniv.nl
>
> --
> Arno van Amersfoort
> E-mail    : arnova at rocky.eld.leidenuniv.nl
> Donations are welcome through Paypal!
> ---------------------------------------------------------------------------
> Arno's (Linux IPTABLES Firewall) Homepage:
> http://rocky.eld.leidenuniv.nl
>
>
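The "host1,host2>port1,port2 host3,host4>port3,port4" notation used by the HOST_OPEN_xxx / HOST_DENY_xxx family in the quoted config, and the "SRCIP1,SRCIP2>DESTIP:port" form used by DMZ_LAN_HOST_OPEN_xxx, are compact but easy to get wrong: a stray character turns a per-host exception into an open port or into no rule at all, and for LAN_INET_HOST_OPEN_xxx the config notes that listed ports become "exclusive" to the listed hosts. The following is an added example (editor's code, not part of this thread and not code from arno-iptables-firewall) that parses both notations, validates hosts as IPv4/IPv6 addresses or CIDR prefixes and ports as numbers or PORT1:PORT2 ranges, and prints the equivalent iptables rules so you can see exactly what a value expands to before the script applies it. It assumes numeric hosts (no hostnames) and TCP/UDP ports only; the chain and interface names and the sample values are constructed for illustration, and the optional DROP for other sources is this example's rendering of the "nobody else can use them" semantics, not a copy of the script's own rule order.

```python
"""Expand Arno-style "host>port" variables into explicit iptables rules.

Added example for checking how a HOST_OPEN_xxx / DMZ_LAN_HOST_OPEN_xxx
value will be interpreted; it is not code from arno-iptables-firewall.
Assumptions: hosts are IPv4/IPv6 addresses or CIDR prefixes (no hostnames),
ports are TCP/UDP port numbers or PORT1:PORT2 ranges.
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class HostPortRule:
    sources: Tuple[str, ...]   # () means "any source host"
    dest: Optional[str]        # None for the plain "hosts>ports" form (no DESTIP)
    ports: Tuple[str, ...]     # normalized, e.g. "80" or "1024:1030"


def _is_host(spec: str) -> bool:
    """True if spec is a single address or a CIDR prefix."""
    try:
        ipaddress.ip_network(spec, strict=False)
        return True
    except ValueError:
        return False


def parse_port(spec: str) -> str:
    """Validate "80" or "1024:1030" (NOTE 2 in the config) and normalize it."""
    m = re.fullmatch(r"(\d{1,5})(?::(\d{1,5}))?", spec)
    if not m:
        raise ValueError(f"bad port spec {spec!r}")
    lo = int(m.group(1))
    hi = int(m.group(2)) if m.group(2) else lo
    if not 0 < lo <= hi <= 65535:
        raise ValueError(f"port out of range in {spec!r}")
    return str(lo) if lo == hi else f"{lo}:{hi}"


def parse_item(item: str) -> HostPortRule:
    """One space-separated item: "[SRC1,SRC2>]PORTS" or "[SRC1,SRC2>]DESTIP:PORTS"."""
    sources: Tuple[str, ...] = ()
    target = item
    if ">" in item:
        left, _, target = item.partition(">")
        sources = tuple(s for s in left.split(",") if s)
        if not sources or not all(_is_host(s) for s in sources):
            raise ValueError(f"bad source host list in {item!r}")
    # A leading "DESTIP:" is only taken as a destination when it is an address,
    # so a port range like "1024:1030" is not mistaken for host "1024".
    head, _, rest = target.partition(":")
    dest: Optional[str] = None
    if rest and _is_host(head):
        dest, target = head, rest
    ports = tuple(parse_port(p) for p in target.split(",") if p)
    if not ports:
        raise ValueError(f"no ports in {item!r}")
    return HostPortRule(sources, dest, ports)


def parse_rules(value: str) -> List[HostPortRule]:
    """Parse a whole variable value; "" (the config default) yields no rules."""
    return [parse_item(item) for item in value.split()]


def iptables_rules(value: str, chain: str, proto: str, in_if: str,
                   exclusive: bool = False) -> List[str]:
    """Render one iptables command per (rule, port, source).

    exclusive=True appends a DROP for every other source on each listed port,
    this example's rendering of the config's LAN_INET_HOST_OPEN_xxx note
    ("nobody else can use them").
    """
    out: List[str] = []
    for rule in parse_rules(value):
        for port in rule.ports:
            base = f"iptables -A {chain} -i {in_if} -p {proto}"
            if rule.dest:
                base += f" -d {rule.dest}"
            base += f" --dport {port}"
            if not rule.sources:
                out.append(f"{base} -j ACCEPT")
                continue
            for src in rule.sources:
                out.append(f"{base} -s {src} -j ACCEPT")
            if exclusive:
                out.append(f"{base} -j DROP")
    return out


if __name__ == "__main__":
    # Constructed sample values: the "Advanced" example from the config comment
    # and a HOST_OPEN-style value with a port range (interfaces are hypothetical).
    for line in iptables_rules("192.168.0.10:20,21 1.2.3.4>192.168.0.11:80",
                               "FORWARD", "tcp", "eth2"):
        print(line)
    for line in iptables_rules("10.0.0.5,10.0.0.6>22,6666:6669",
                               "FORWARD", "tcp", "eth0", exclusive=True):
        print(line)
```

Running it prints the expanded rules for the two constructed values; a malformed value (a hostname, a port above 65535, a missing port list) raises ValueError instead of silently producing a partial rule set, which is the check worth doing before handing a value to the real script.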