REDIRECT NOT working.....

Don Donigan email hidden
Mon Mar 3 21:40:23 CET 2003


I cannot seem to get redirect (DNAT) working on this box. I have set up
several that are VERY SIMILAR, without any problems. This one will not
cooperate. Does anyone have any ideas?

The incoming www, https, smtp, and pop3 packets appear to be dropped, but
there is no indication in the logs that this is so.

Here are the particulars that I think will be useful:

[root at ns2 fiaif]# ifconfig
eth0      Link encap:Ethernet  HWaddr 00:50:BF:FE:73:0F
          inet addr:207.22x.xxx.244  Bcast:207.224.147.247  Mask:255.255.255.248
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:47082 errors:0 dropped:0 overruns:0 frame:0
          TX packets:15613 errors:322 dropped:0 overruns:0 carrier:644
          collisions:0 txqueuelen:100
          RX bytes:5300327 (5.0 Mb)  TX bytes:2164712 (2.0 Mb)
          Interrupt:5 Base address:0x8800

eth1      Link encap:Ethernet  HWaddr 00:50:BF:FE:E5:91
          inet addr:10.0.0.254  Bcast:10.0.0.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:12517 errors:0 dropped:0 overruns:0 frame:0
          TX packets:336 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:100
          RX bytes:1453313 (1.3 Mb)  TX bytes:23151 (22.6 Kb)
          Interrupt:9 Base address:0xc00

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:469 errors:0 dropped:0 overruns:0 frame:0
          TX packets:469 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:27808 (27.1 Kb)  TX bytes:27808 (27.1 Kb)

[root at ns2 fiaif]# route
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
207.224.147.240 *               255.255.255.248 U     0      0        0 eth0
10.0.0.0        *               255.255.255.0   U     0      0        0 eth1
127.0.0.0       *               255.0.0.0       U     0      0        0 lo
default         rwan            0.0.0.0         UG    0      0        0 eth0
[ note: the rwan referred to in the route of last resort is the edge router. ]

[root at ns2 fiaif]# sysdx

Run Date :  Mon Mar 3 13:26:58 MST 2003


Iptables Version:  iptables v1.2.6a

Uname:  Linux ns2 2.4.18-14 #1 Wed Sep 4 13:35:50 EDT 2002 i686 i686 i386 GNU/Linux

Bash Version:  GNU bash, version 2.05b.0(1)-release (i686-pc-linux-gnu) Copyright (C) 2002 Free Software Foundation, Inc.

Kernel Modules Loaded:
Module                  Size  Used by    Not tainted
ipt_MASQUERADE          2200   0  (autoclean)
tulip                  43552   2
ipt_limit               1560   2  (autoclean)
ipt_state               1048   5  (autoclean)
ipt_multiport           1176  15  (autoclean)
ipt_TOS                 1656  16  (autoclean)
ipt_LOG                 4184   8  (autoclean)
ipt_REJECT              3736   2  (autoclean)
iptable_nat            19960   1  (autoclean) [ipt_MASQUERADE]
ip_conntrack           21244   2  (autoclean) [ipt_MASQUERADE ipt_state iptable_nat]
iptable_filter          2412   1  (autoclean)
iptable_mangle          2776   1  (autoclean)
ip_tables              14936  12  [ipt_MASQUERADE ipt_limit ipt_state ipt_multiport ipt_TOS ipt_LOG ipt_REJECT iptable_nat iptable_filter iptable_mangle]
mousedev                5524   0  (unused)
keybdev                 2976   0  (unused)
hid                    22244   0  (unused)
input                   5888   0  [mousedev keybdev hid]
ehci-hcd               17480   0  (unused)
usbcore                77024   1  [hid ehci-hcd]
ext3                   70368   3
jbd                    52212   3  [ext3]

Fiaif Version:
1.10.0
[root at ns2 fiaif]# cat fiaif.conf
###############################################################################
# FIAIF global configuration file.
# Version $Id: fiaif.conf,v 1.34 2002/12/30 19:28:38 afu Exp $
###############################################################################

## Reserved (illegal) and private networks
## See: www.iana.com
## Private networks is used in conjunction with PUBLIC=0
PUBLIC=1
RESERVED_NETWORKS=reserved_networks
PRIVATE_NETWORKS=private_networks

LOOPBACK_NET="127.0.0.1/255.0.0.0"
SERVICES="/etc/services"

###############################################################################
# Search path for binaries
###############################################################################
BIN_PATH=/sbin:/usr/sbin:/usr/local/sbin

###############################################################################
# User configurable parameters
###############################################################################

## Activate fiaif?
## Set this VARIABLE to 0 or delete the line to enable FIAIF.
DONT_START=0

## Configuration directory. All configuration files are read from this
## directory.
CONF_DIR=/etc/fiaif/

## Zone names. Only these zones are used.
## You must have a CONF_<name> entry for each below.
ZONES="EXT INT"

## Zone configuration files.
## The files are expected to be found in CONF_DIR
## Use: CONF_XXX=<filename>
CONF_INT=zone.int
CONF_EXT=zone.ext
CONF_DMZ=zone.dmz

## Use iptables-save and iptables restore to speed up
## Startup scripts. You should leave this setting to 0.
## Use: SAVE_STATE=0|1
SAVE_STATE=1

## Change values in /proc/sys/net/*
## When issuing a 'fiaif test' a list of errors and warnings are displayed.
## The SET_PROC_ERRORS, specifies that FIAIF should correct the errors, and
## The SET_PROC_WARNINGS, specifies that FIAIF should correct the warnings.
## SET_PROC_ERRORS=<0|1>
## SET_PROC_WARNINGS=<0|1>
SET_PROC_ERRORS=1
SET_PROC_WARNINGS=0

## Enable TC for any zone.
## Overrides ENABLE_TC in zone configurations.
## Use: ENABLE_TC=<0|1>
ENABLE_TC=0

## File to which commands are written when making a test.
## TEST_FILE=<file name>
TEST_FILE="/tmp/fiaif.out"

## Set to one if you do not want to close up the firewall.
## DEBUG=<0|1>
DEBUG=0

## Set to one, to enable logging via ulogd.
## You need to have the ulogd installed, to enable this functionality
## Note: does not work correctly with kernel 2.4.18.
## ENABLE_ULOGD=<0|1>
ENABLE_ULOG=0

## Set to one if dropped or rejected packets should be logged.
## VERBOSE=<0|1>
VERBOSE=1

## Prefix to pre-pend to log messages
## Use: LOG_PREFIX="FIAIF_"
##   This will cause log messages to have [FIAIF_DROP] or [FIAIF_MARTIAN] (etc)
##   as their marker
LOG_PREFIX="FIAIF_"

## Limit the number of log-messages when packets are dropped.
## Lower to avoid spamming the logs.
## Use: LOG_LEVEL=<level>
## Use: LOG_LIMIT=<limit>
## Use: LOG_BURST=<burst>
##   LEVEL : defines the level (or priority) of the logged
##           messages - See syslog.conf(5) for more
##           If ulog is enabled, the value must be in the range
##      1..32
##   LIMIT : Maximum  average matching rate: specified as a number,
##           with an optional '/second', '/minute', '/hour', or '/day'
##           suffix.
##   BURST : Maximum  initial  number  of packets to match: this
##           number is incremented by one every time  the  limit
##           specified  above is not reached, up to this number.
LOG_LEVEL=CRIT
LOG_LIMIT=10/minute
LOG_BURST=10

## Load modules upon starting the firewall. The modules will be
## unloaded, when the firewall is stopped.
## MODULES=[module_name]*
MODULES=""

## The following lines allows users specified commands to
## be executed before and after FIAIF is started/stopped.
## This can be used to e.g. insert additional rules for traffic counters,
## And then save/restore these.
## Use:
##   <PRE|POST>_<START|STOP>_SCRIPT[N]=<shell command>

#PRE_START_SCRIPT[0]=""
#PRE_START_SCRIPT[1]=""
#POST_START_SCRIPT[0]=""
#POST_START_SCRIPT[1]=""

#PRE_STOP_SCRIPT[0]=""
#PRE_STOP_SCRIPT[1]=""
#POST_STOP_SCRIPT[0]=""
#POST_STOP_SCRIPT[1]=""

## Specify location of "Type Of Services" file.
## This can either be empty or a file.
TOS_FILE=type_of_services
[root at ns2 fiaif]# cat zone.ext
##############################################################################
## Example zone configuration file.
## Read all configuration parameters, and modify to suit your needs.
## Version $Id: zone.ext,v 1.61 2003/02/24 12:58:10 afu Exp $
##############################################################################

## A sample zone configuration to control traffic to the internet

## Name of the zone. Must match the name in fiaif.conf.
NAME=EXT
## Network interface name
DEV=eth0

## DYNAMIC:     Set to '1' if the IP can change at runtime or if the IP is
##              unknown when fiaif is started.
## GLOBAL:      Set to '1' if the IP of this zone connects you to the internet.
DYNAMIC=0
GLOBAL=1

## Network information. Necessary only if DYNAMIC=0
#IP=80.196.xxx.xxx
#MASK=255.255.255.252
#NET=80.196.xxx.xxx/255.255.255.252
#BCAST=80.196.xxx.xxx

IP=207.22x.xxx.244
MASK=255.255.255.248
NET=207.224.147.240/255.255.255.248
BCAST=207.224.147.247


## IP_EXTRA specifies that the interface has multiple IP addresses;
## all the interface's extra IP's should be listed here.
IP_EXTRA=""
## Specifies extra networks in this zone (besides NET).
NET_EXTRA=""

## Specify if the zone should respond to DHCP queries.
## This is useful if a DHCP server is running on the firewall.
## Remember to set this only in the zone for which the DHCP server is running.
DHCP_SERVER=0

## The descriptions of packets coming IN to the interface specified in DEV and NETWORK to drop|accept|reject
## Use: INPUT[N]="<ACCEPT|REJECT|DROP> <protocol [port[:port][<,port>[:port]]*]> <ip[/mask]=>ip[/mask]>"
INPUT[0]="ACCEPT tcp smtp,www,https,ssh 0.0.0.0/0=>0.0.0.0/0"
INPUT[1]="ACCEPT icmp echo-request 0.0.0.0/0=>0.0.0.0/0"
INPUT[2]="ACCEPT igmp 0.0.0.0/0=>224.0.0.0/4"
INPUT[3]="ACCEPT tcp 10000 0.0.0.0/0=>0.0.0.0/0"
INPUT[4]="ACCEPT tcp 23 0.0.0.0/0=>0.0.0.0/0"
INPUT[5]="ACCEPT tcp 80 0.0.0.0/0=>0.0.0.0/0"
INPUT[6]="ACCEPT tcp 25 0.0.0.0/0=>0.0.0.0/0"
INPUT[7]="ACCEPT tcp 110 0.0.0.0/0=>0.0.0.0/0"
INPUT[8]="ACCEPT tcp 180 0.0.0.0/0=>0.0.0.0/0"
INPUT[9]="DROP ALL 0.0.0.0/0=>0.0.0.0/0"

## The descriptions of packets going OUT of the interface specified in DEV and NETWORK to drop|accept|reject
## Use: OUTPUT[N]="<ACCEPT|REJECT|DROP> <protocol [port[:port][<,port>[:port]]*]> <ip[/mask]=>ip[/mask]>"
OUTPUT[0]="ACCEPT ALL 0.0.0.0/0=>0.0.0.0/0"

## Forward rules. Specify where packets entering this zone may originate from.
## Use: FORWARD[N]="<zone|ALL> <ACCEPT|REJECT|DROP> <protocol [port[:port][<,port>[:port]]*]> ip[/mask]=>ip[/mask]"
##
## Use this to protect this zone
## Rules are read in the order they are written.
## Default is to accept everything: all zones are allowed to talk
## with the Internet.
FORWARD[0]="ALL ACCEPT ALL 0.0.0.0/0=>0.0.0.0/0"

## Mark rules. Mark packets passing through the firewall.
## Use MARK[N]="<zone|ALL> <mark number> <protocol [port[:port][<,port>[:port]]*]> <ip[/mask]=>ip[/mask]>"
##
## MARK packets can be used to determine how a packet should be routed.
## FIAIF does not use marking.
#MARK[0]="ALL 1 tcp ALL 0.0.0.0/0=>0.0.0.0/0"
#MARK[1]="ALL 2 udp ALL 0.0.0.0/0=>0.0.0.0/0"

## Make special replies on incoming packets.
## Use: REPLY_XXX="<zone> <type> <protocol [port[:port][<,port>[:port]]*]> <ip[/mask]=>ip[/mask]>"
## Where type can be one of the following:
##   icmp-net-unreachable, icmp-host-unreachable, icmp-port-unreachable,
##   icmp-proto-unreachable, icmp-net-prohibited, icmp-host-prohibited or
##   tcp-reset (Only valid if the protocol is TCP)
## If the zone equals this zone, then the rules apply to packets originating from
## this network towards the firewall
REPLY_AUTH="EXT tcp-reset tcp auth 0.0.0.0/0=>0.0.0.0/0"
REPLY_TRACEROUTE="EXT icmp-port-unreachable udp 33434:33464 0.0.0.0/0=>0.0.0.0/0"

## Alter the destination of packets.
## Use: REDIRECT_XXX="<protocol [port[:port]]> <ip[/mask]=>ip[/mask]> <[ipaddr[,ipaddr]*] [port]"
## The rule applies only for packet originating from this zone.
#REDIRECT_SSH="tcp 22 0.0.0.0/0=>0.0.0.0/0 10.0.0.1:22"
REDIRECT_WWW="tcp 80 0.0.0.0/0=>207.22x.xxx.244 10.0.0.1:80"
REDIRECT_SMTP="tcp 25 0.0.0.0/0=>207.22x.xxx.244 10.0.0.1:25"
REDIRECT_POP="tcp 110 0.0.0.0/0=>207.22x.xxx.244 10.0.0.1:110"
REDIRECT_HTTPS="tcp 443 0.0.0.0/0=>207.22x.xxx.244 10.0.0.1:443"

## Log all traffic for these IP addresses
## Use WATCH_IP="[IP[/MASK]]*|[FILE]"
#WATCH_IP="111.111.111.111/32 222.222.222.222/24"

## Disallow any communication with specified MAC-addresses in this zone
## Use: MAC_DROP="[MAC address]*|[FILE]"
## Inserted on PREROUTING chain
#MAC_DROP="XX:XX:XX:XX:XX:XX YY:YY:YY:YY:YY:YY"

## Disallow any communication with specified IP-addresses in this zone
## Use: IP_DROP="[IP[/MASK]]*|[FILE]"
#IP_DROP="111.111.111.111/32 222.222.222.222/24"

## Change the source address of a packet coming from this zone.
## This is also called masquerading.
## Use: SNAT[N]="<ZONE> <protocol [port[:port][<,port>[:port]]*]> <ip[/mask]=>ip[/mask]>"
## Where: ZONE    :  Destination zone. The source of matched packets is
##                   changed to all ip numbers for the zone.
#SNAT[0]="EXT ALL 0.0.0.0/0=>0.0.0.0/0"

## Limit new packets.
## Use: LIMIT_XXX="<zone> <policy> <limit> <burst> <protocol [port[<,port>*|<:port>]> <ip[/mask]=>ip[/mask]>"
## Where:
##   ZONE     : Is the zone from which the packet originates. This can be this zone itself.
##   POLICY   : Is what to do with the packet: ACCEPT|REJECT|DROP
##   LIMIT    : Maximum average matching rate: specified as a number, with an optional
##              '/second', '/minute', '/hour', or '/day' suffix.
##   BURST    : Maximum initial number of packets to match: this
##              number gets recharged by one every time the limit
##              specified above is not reached, up to this number.
##   PROTOCOL : The protocol: tcp|udp|icmp|all. This parameter is optional
##   PORTS    : If protocol is tcp|udp: A list of ports or a port range.
##                 icmp   : A single icmp type.
##              This parameter is optional, and must only be specified
##              if a protocol is specified.
##   IP/MASK  : If PORTS are specified, then an optional IP/MASK source and
##              destination address can be specified.
LIMIT_PING="EXT DROP 1/second 3 ICMP echo-request 0.0.0.0/0=>0.0.0.0/0"

## Traffic Shaping.
## Enables traffic shaping for the device.
## This requires the following modules to be present or compiled statically:
## sch_ingress
## cls_fw
## cls_u32
## sch_sfq
## sch_cbq or sch_htb
## Usage:
## TC_ENABLE=0|1
## TC_TYPE=CBQ|HTB
##
## TC_UPLINK=<kbits>
## TC_DOWNLINK=<kbits>
## The type specifies which shaper is to be used. The new HTB shaper is
##     better than the old CBQ, but not available on all systems.
## The speeds should be below the actual speed of the link.
TC_ENABLE=0
TC_TYPE=CBQ
TC_DOWNLINK=410
TC_UPLINK=434
[root at ns2 fiaif]# cat zone.int
##############################################################################
## Example zone configuration file.
## Read all configuration parameters, and modify to suit your needs.
## Version $Id: zone.int,v 1.50 2003/02/23 16:53:20 afu Exp $
##############################################################################

## A sample zone configuration to control traffic to and from an internal
## network (reached via eth1).

## Name of the zone. Must match the name in fiaif.conf.
NAME=INT
## Network interface name
DEV=eth1

## DYNAMIC:     Set to '1' if the IP can change at runtime or if the IP is
##              unknown when fiaif is started.
## GLOBAL:      Set to '1' if the IP of this zone connects you to the internet.
DYNAMIC=0
GLOBAL=0

## Network information. Necessary only if DYNAMIC=0
IP=10.0.0.254
MASK=255.255.254.0
NET=10.0.0.254/255.255.254.0
BCAST=10.0.1.255



## IP_EXTRA specifies that the interface has multiple IP addresses;
## all the interface's extra IP's should be listed here.
IP_EXTRA=""
## Specifies extra networks in this zone (besides NET).
NET_EXTRA="224.0.0.0/4"

## Specify if the zone should respond to DHCP queries.
## This is useful if a DHCP server is running on the firewall.
## Remember to set this only in the zone for which the DHCP server is running.
DHCP_SERVER=0

## The descriptions of packets coming IN to the interface specified in DEV and NETWORK to drop|accept|return
## Use: INPUT[N]="<ACCEPT|REJECT|DROP> <protocol [port[:port][<,port>[:port]]*]> ip[/mask]=>ip[/mask]"
INPUT[0]="ACCEPT ALL 0.0.0.0/0=>0.0.0.0/0"

## The descriptions of packets going OUT of the interface specified in DEV and NETWORK to drop|accept|return
## Use: OUTPUT[N]="<ACCEPT|REJECT|DROP> <protocol [port[:port][<,port>[:port]]*]> <ip[/mask]=>ip[/mask]>"
OUTPUT[0]="ACCEPT ALL 0.0.0.0/0=>0.0.0.0/0"

## Forward rules. Specify where packets entering this zone may originate from.
## Use: FORWARD[N]="<zone|ALL> <ACCEPT|REJECT|DROP> <protocol [port[:port][<,port>[:port]]*]> <ip[/mask]=>ip[/mask]>"
##
## Use this to protect a zone.
## Rules are read in the order they are written.
## Default is to drop everything, accepting only related and established connections.
FORWARD[0]="EXT ACCEPT tcp 80 0.0.0.0/0=>207.22x.xxx.244"
FORWARD[1]="EXT ACCEPT tcp 25 0.0.0.0/0=>207.22x.xxx.244"
FORWARD[2]="EXT ACCEPT tcp 110 0.0.0.0/0=>207.22x.xxx.244"
FORWARD[3]="EXT ACCEPT tcp 180 0.0.0.0/0=>207.22x.xxx.244"
FORWARD[4]="EXT ACCEPT tcp 443 0.0.0.0/0=>207.22x.xxx.244"
FORWARD[5]="ALL DROP ALL 0.0.0.0/0=>0.0.0.0/0"

## Mark rules. Mark packets passing through the firewall.
## Use MARK[N]="<zone|ALL> <mark number> <protocol [port[:port][<,port>[:port]]*]> <ip[/mask]=>ip[/mask]>"
##
## MARK packets can be used to determine how a packet should be routed.
## FIAIF does not use marking.
#MARK[0]="ALL 1 tcp ALL 0.0.0.0/0=>0.0.0.0/0"
#MARK[1]="ALL 2 udp ALL 0.0.0.0/0=>0.0.0.0/0"

## Make special replies on incoming packets.
## Use: REPLY_XXX="<zone> <type> <protocol [port[:port][<,port>[:port]]*]> <ip[/mask]=>ip[/mask]>"
## Where type can be one of the following:
##   icmp-net-unreachable, icmp-host-unreachable, icmp-port-unreachable,
##   icmp-proto-unreachable, icmp-net-prohibited, icmp-host-prohibited or
##   tcp-reset (Only valid if the protocol is TCP)
## If the zone equals this zone, then the rules apply to packets originating from
## this network towards the firewall
#REPLY_AUTH="ALL tcp-reset tcp auth 0.0.0.0/0=>0.0.0.0/0"

## Alter the destination of packets.
## Use: REDIRECT_XXX="<protocol [port[:port]]> <ip[/mask]=>ip[/mask]> <[ipaddr[,ipaddr]*] [port]"
## The rule applies only for packet originating from this zone.
#REDIRECT_PROXY="tcp 80 0.0.0.0/0=>0.0.0.0/0 127.0.0.1 3128"

## Log all traffic for these IP addresses
## Use WATCH_IP="[IP[/MASK]]*|[FILE]"
#WATCH_IP="111.111.111.111/32 222.222.222.222/24"

## Disallow any communication with specified MAC-addresses in this zone
## Use: MAC_DROP="[MAC address]*|[FILE]"
## Inserted on PREROUTING chain
#MAC_DROP="XX:XX:XX:XX:XX:XX YY:YY:YY:YY:YY:YY"

## Disallow any communication with specified IP-addresses in this zone
## Use: IP_DROP="[IP[/MASK]]*|[FILE]"
#IP_DROP="111.111.111.111/32 222.222.222.222/24"

## Change the source address of a packet coming from this zone.
## This is also called masquerading.
## Use: SNAT[N]="<ZONE> <protocol [port[:port][<,port>[:port]]*]> <ip[/mask]=>ip[/mask]>"
## Where: ZONE    :  Destination zone. The source of matched packets is
##                   changed to all ip numbers for the zone.
SNAT[0]="EXT ALL 0.0.0.0/0=>0.0.0.0/0"

## Limit new packets.
## Use: LIMIT_XXX="<zone> <policy> <limit> <burst> <protocol [port[<,port>*|<:port>]> <ip[/mask]=>ip[/mask]>"
## Where:
##   ZONE     : Is the zone from which the packet originates. This can be this zone itself.
##   POLICY   : Is what to do with the packet: ACCEPT|REJECT|DROP
##   LIMIT    : Maximum average matching rate: specified as a number, with an optional
##              '/second', '/minute', '/hour', or '/day' suffix.
##   BURST    : Maximum initial number of packets to match: this
##              number gets recharged by one every time the limit
##              specified above is not reached, up to this number.
##   PROTOCOL : The protocol: tcp|udp|icmp|all. This parameter is optional
##   PORTS    : If protocol is tcp|udp: A list of ports or a port range.
##                 icmp   : A single icmp type.
##              This parameter is optional, and must only be specified
##              if a protocol is specified.
##   IP/MASK  : If PORTS are specified, then an optional IP/MASK source and
##              destination address can be specified.
#LIMIT_PING="EXT DROP 1/second 3 ICMP echo-request 0.0.0.0/0=>0.0.0.0/0"

## Traffic Shaping.
## Enables traffic shaping for the device.
## This requires the following modules to be present or compiled statically:
## sch_ingress
## cls_fw
## cls_u32
## sch_sfq
## sch_cbq/sch_htb
## Usage:
## TC_ENABLE=0|1
## TC_TYPE=CBQ|HTB
##
## TC_UPLINK=<kbits>
## TC_DOWNLINK=<kbits>
## The type specifies which shaper is to be used. The new HTB shaper is
##     better than the old CBQ, but not available on all systems.
## The speeds should be below the actual speed of the link.
TC_ENABLE=0
TC_TYPE=CBQ
TC_DOWNLINK=410
TC_UPLINK=434
[root at ns2 fiaif]# fw test
FIAIF ver. 1.10.0, by Anders Fugmann (C) 2002-2003
Saving rules: Done.
Clearing all rules: Done.
Configuring zone: EXT INT
Examining system Configuration:
Done.
All rules has been written to /tmp/fiaif.out
[root at ns2 fiaif]# cat /tmp/fiaif.out
### Removing all existing rules, and setting default policies
iptables -F
iptables -F -t nat
iptables -F -t mangle
iptables -X
iptables -X -t nat
iptables -X -t mangle
iptables -Z
iptables -Z -t nat
iptables -Z -t mangle
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT DROP
iptables -t nat -P PREROUTING ACCEPT
iptables -t nat -P POSTROUTING ACCEPT
iptables -t nat -P OUTPUT ACCEPT
iptables -t mangle -P PREROUTING ACCEPT
iptables -t mangle -P OUTPUT ACCEPT
iptables -t mangle -P INPUT ACCEPT
iptables -t mangle -P FORWARD ACCEPT
iptables -t mangle -P POSTROUTING ACCEPT
### Creating global chains for zone: EXT
iptables -N INPUT_EXT
iptables -N FORWARD_EXT
iptables -N OUTPUT_EXT
iptables -N SEND_EXT
iptables -t mangle -N PREROUTING_MANGLE_EXT
iptables -t mangle -N INPUT_MANGLE_EXT
iptables -t mangle -N FORWARD_MANGLE_EXT
iptables -t mangle -N OUTPUT_MANGLE_EXT
iptables -t mangle -N POSTROUTING_MANGLE_EXT
iptables -t nat -N PREROUTING_NAT_EXT
iptables -t nat -N OUTPUT_NAT_EXT
iptables -t nat -N POSTROUTING_NAT_EXT
### Creating global chains for zone: INT
iptables -N INPUT_INT
iptables -N FORWARD_INT
iptables -N OUTPUT_INT
iptables -N SEND_INT
iptables -t mangle -N PREROUTING_MANGLE_INT
iptables -t mangle -N INPUT_MANGLE_INT
iptables -t mangle -N FORWARD_MANGLE_INT
iptables -t mangle -N OUTPUT_MANGLE_INT
iptables -t mangle -N POSTROUTING_MANGLE_INT
iptables -t nat -N PREROUTING_NAT_INT
iptables -t nat -N OUTPUT_NAT_INT
iptables -t nat -N POSTROUTING_NAT_INT
### Setting up default chains.
iptables -N LIMIT_LOGGING_ACCEPT
iptables -A LIMIT_LOGGING_ACCEPT -m limit --limit 10/minute --limit-burst 10 -j RETURN
iptables -A LIMIT_LOGGING_ACCEPT -j ACCEPT
iptables -N LIMIT_LOGGING_REJECT
iptables -A LIMIT_LOGGING_REJECT -m limit --limit 10/minute --limit-burst 10 -j RETURN
iptables -A LIMIT_LOGGING_REJECT -j REJECT
iptables -N LIMIT_LOGGING_DROP
iptables -A LIMIT_LOGGING_DROP -m limit --limit 10/minute --limit-burst 10 -j RETURN
iptables -A LIMIT_LOGGING_DROP -j DROP
iptables -N LOG_MARTIAN
iptables -A LOG_MARTIAN -j LIMIT_LOGGING_DROP
iptables -A LOG_MARTIAN -j LOG --log-level CRIT --log-prefix [FIAIF_MARTIAN]:
iptables -A LOG_MARTIAN -j DROP
iptables -N LOG_DROP
iptables -A LOG_DROP -j LIMIT_LOGGING_DROP
iptables -A LOG_DROP -j LOG --log-level CRIT --log-prefix [FIAIF_DROP]:
iptables -A LOG_DROP -j DROP
iptables -N LOG_INVALID
iptables -A LOG_INVALID -j LIMIT_LOGGING_DROP
iptables -A LOG_INVALID -j LOG --log-level CRIT --log-prefix [FIAIF_INVALID]:
iptables -A LOG_INVALID -j DROP
iptables -N LOG_MISS
iptables -A LOG_MISS -j LIMIT_LOGGING_DROP
iptables -A LOG_MISS -j LOG --log-level CRIT --log-prefix [FIAIF_MISS]:
iptables -A LOG_MISS -j DROP
iptables -N LOG_ZONE_MISS
iptables -A LOG_ZONE_MISS -j LIMIT_LOGGING_DROP
iptables -A LOG_ZONE_MISS -j LOG --log-level CRIT --log-prefix [FIAIF_ZONE_MISS]:
iptables -A LOG_ZONE_MISS -j DROP
iptables -N LOG_LIMIT_DROP
iptables -A LOG_LIMIT_DROP -j LIMIT_LOGGING_DROP
iptables -A LOG_LIMIT_DROP -j LOG --log-level CRIT --log-prefix [FIAIF_LIMIT_DROP]:
iptables -A LOG_LIMIT_DROP -j DROP
iptables -N LOG_SYN
iptables -A LOG_SYN -j LIMIT_LOGGING_DROP
iptables -A LOG_SYN -j LOG --log-level CRIT --log-prefix [FIAIF_SYN]:
iptables -A LOG_SYN -j DROP
iptables -N LOG_SCAN
iptables -A LOG_SCAN -j LIMIT_LOGGING_DROP
iptables -A LOG_SCAN -j LOG --log-level CRIT --log-prefix [FIAIF_SCAN]:
iptables -A LOG_SCAN -j DROP
iptables -N LOG_GLOBAL_MISS
iptables -A LOG_GLOBAL_MISS -j LIMIT_LOGGING_DROP
iptables -A LOG_GLOBAL_MISS -j LOG --log-level CRIT --log-prefix [FIAIF_GLOBAL_MISS]:
iptables -A LOG_GLOBAL_MISS -j DROP
iptables -N LOG_REJECT
iptables -A LOG_REJECT -j LIMIT_LOGGING_REJECT
iptables -A LOG_REJECT -j LOG --log-level CRIT --log-prefix [FIAIF_REJECT]:
iptables -A LOG_REJECT -j REJECT
iptables -N LOG_LIMIT_REJECT
iptables -A LOG_LIMIT_REJECT -j LIMIT_LOGGING_REJECT
iptables -A LOG_LIMIT_REJECT -j LOG --log-level CRIT --log-prefix [FIAIF_LIMIT_REJECT]:
iptables -A LOG_LIMIT_REJECT -j REJECT
iptables -N LOG_ACCEPT
iptables -A LOG_ACCEPT -j ACCEPT
iptables -N LOG_LIMIT_ACCEPT
iptables -A LOG_LIMIT_ACCEPT -j ACCEPT
iptables -N LOG_WATCH
iptables -A LOG_WATCH -j LOG --log-level CRIT --log-prefix [FIAIF_WATCH]:
iptables -N LOG_TEST
iptables -A LOG_TEST -j LOG --log-level CRIT --log-prefix [FIAIF_TEST]:
iptables -N NOLOG_DROP
iptables -A NOLOG_DROP -j DROP
### RESERVED_NETWORKS=reserved_networks
iptables -N RESERVED_SRC
iptables -N RESERVED_DST
iptables -A RESERVED_SRC -s 0.0.0.0/7 -j LOG_MARTIAN
iptables -A RESERVED_DST -d 0.0.0.0/7 -j LOG_MARTIAN
iptables -A RESERVED_SRC -s 2.0.0.0/8 -j LOG_MARTIAN
iptables -A RESERVED_DST -d 2.0.0.0/8 -j LOG_MARTIAN
iptables -A RESERVED_SRC -s 5.0.0.0/8 -j LOG_MARTIAN
iptables -A RESERVED_DST -d 5.0.0.0/8 -j LOG_MARTIAN
iptables -A RESERVED_SRC -s 7.0.0.0/8 -j LOG_MARTIAN
iptables -A RESERVED_DST -d 7.0.0.0/8 -j LOG_MARTIAN
iptables -A RESERVED_SRC -s 23.0.0.0/8 -j LOG_MARTIAN
iptables -A RESERVED_DST -d 23.0.0.0/8 -j LOG_MARTIAN
iptables -A RESERVED_SRC -s 27.0.0.0/8 -j LOG_MARTIAN
iptables -A RESERVED_DST -d 27.0.0.0/8 -j LOG_MARTIAN
iptables -A RESERVED_SRC -s 31.0.0.0/8 -j LOG_MARTIAN
iptables -A RESERVED_DST -d 31.0.0.0/8 -j LOG_MARTIAN
iptables -A RESERVED_SRC -s 36.0.0.0/7 -j LOG_MARTIAN
iptables -A RESERVED_DST -d 36.0.0.0/7 -j LOG_MARTIAN
iptables -A RESERVED_SRC -s 39.0.0.0/8 -j LOG_MARTIAN
iptables -A RESERVED_DST -d 39.0.0.0/8 -j LOG_MARTIAN
iptables -A RESERVED_SRC -s 41.0.0.0/8 -j LOG_MARTIAN
iptables -A RESERVED_DST -d 41.0.0.0/8 -j LOG_MARTIAN
iptables -A RESERVED_SRC -s 42.0.0.0/8 -j LOG_MARTIAN
iptables -A RESERVED_DST -d 42.0.0.0/8 -j LOG_MARTIAN
iptables -A RESERVED_SRC -s 49.0.0.0/8 -j LOG_MARTIAN
iptables -A RESERVED_DST -d 49.0.0.0/8 -j LOG_MARTIAN
iptables -A RESERVED_SRC -s 50.0.0.0/8 -j LOG_MARTIAN
iptables -A RESERVED_DST -d 50.0.0.0/8 -j LOG_MARTIAN
iptables -A RESERVED_SRC -s 58.0.0.0/7 -j LOG_MARTIAN
iptables -A RESERVED_DST -d 58.0.0.0/7 -j LOG_MARTIAN
iptables -A RESERVED_SRC -s 60.0.0.0/8 -j LOG_MARTIAN
iptables -A RESERVED_DST -d 60.0.0.0/8 -j LOG_MARTIAN
iptables -A RESERVED_SRC -s 70.0.0.0/7 -j LOG_MARTIAN
iptables -A RESERVED_DST -d 70.0.0.0/7 -j LOG_MARTIAN
iptables -A RESERVED_SRC -s 72.0.0.0/5 -j LOG_MARTIAN
iptables -A RESERVED_DST -d 72.0.0.0/5 -j LOG_MARTIAN
iptables -A RESERVED_SRC -s 83.0.0.0/8 -j LOG_MARTIAN
iptables -A RESERVED_DST -d 83.0.0.0/8 -j LOG_MARTIAN
iptables -A RESERVED_SRC -s 84.0.0.0/6 -j LOG_MARTIAN
iptables -A RESERVED_DST -d 84.0.0.0/6 -j LOG_MARTIAN
iptables -A RESERVED_SRC -s 88.0.0.0/5 -j LOG_MARTIAN
iptables -A RESERVED_DST -d 88.0.0.0/5 -j LOG_MARTIAN
iptables -A RESERVED_SRC -s 96.0.0.0/3 -j LOG_MARTIAN
iptables -A RESERVED_DST -d 96.0.0.0/3 -j LOG_MARTIAN
iptables -A RESERVED_SRC -s 127.0.0.0/8 -j LOG_MARTIAN
iptables -A RESERVED_DST -d 127.0.0.0/8 -j LOG_MARTIAN
iptables -A RESERVED_SRC -s 169.254.0.0/16 -j LOG_MARTIAN
iptables -A RESERVED_DST -d 169.254.0.0/16 -j LOG_MARTIAN
iptables -A RESERVED_SRC -s 172.16.0.0/12 -j LOG_MARTIAN
iptables -A RESERVED_DST -d 172.16.0.0/12 -j LOG_MARTIAN
iptables -A RESERVED_SRC -s 192.0.2.0/24 -j LOG_MARTIAN
iptables -A RESERVED_DST -d 192.0.2.0/24 -j LOG_MARTIAN
iptables -A RESERVED_SRC -s 197.0.0.0/8 -j LOG_MARTIAN
iptables -A RESERVED_DST -d 197.0.0.0/8 -j LOG_MARTIAN
iptables -A RESERVED_SRC -s 198.18.0.0/15 -j LOG_MARTIAN
iptables -A RESERVED_DST -d 198.18.0.0/15 -j LOG_MARTIAN
iptables -A RESERVED_SRC -s 201.0.0.0/8 -j LOG_MARTIAN
iptables -A RESERVED_DST -d 201.0.0.0/8 -j LOG_MARTIAN
iptables -A RESERVED_SRC -s 240.0.0.0/4 -j LOG_MARTIAN
iptables -A RESERVED_DST -d 240.0.0.0/4 -j LOG_MARTIAN
### PRIVATE_NETWORKS=private_networks
iptables -N PRIVATE_SRC
iptables -N PRIVATE_DST
iptables -A PRIVATE_SRC -s 10.0.0.0/8 -j LOG_MARTIAN
iptables -A PRIVATE_DST -d 10.0.0.0/8 -j LOG_MARTIAN
iptables -A PRIVATE_SRC -s 172.16.0.0/12 -j LOG_MARTIAN
iptables -A PRIVATE_DST -d 172.16.0.0/12 -j LOG_MARTIAN
iptables -A PRIVATE_SRC -s 192.168.0.0/16 -j LOG_MARTIAN
iptables -A PRIVATE_DST -d 192.168.0.0/16 -j LOG_MARTIAN
### Setup packets sanity checks
iptables -N SANITY
iptables -A SANITY -p tcp ! --syn -j NOLOG_DROP
iptables -A SANITY -p tcp --tcp-flags ALL ALL -j LOG_SCAN
iptables -A SANITY -p tcp --tcp-flags ALL NONE -j LOG_SCAN
iptables -A SANITY -p tcp --tcp-flags ALL FIN,URG,PSH -j LOG_SCAN
iptables -A SANITY -p tcp --tcp-flags SYN,RST SYN,RST -j LOG_SCAN
iptables -A SANITY -p tcp --tcp-flags SYN,FIN SYN,FIN -j LOG_SCAN
iptables -A SANITY -p tcp --tcp-flags SYN,ACK,RST ACK -j LOG_SCAN
iptables -A SANITY -p tcp --tcp-flags FIN,ACK FIN -j LOG_SCAN
iptables -N CHECK_IP
iptables -N DEV_eth0_SRC
iptables -N DEV_eth0_DST
iptables -A CHECK_IP -i eth0 -j DEV_eth0_SRC
iptables -A CHECK_IP -o eth0 -j DEV_eth0_DST
iptables -N DEV_eth1_SRC
iptables -N DEV_eth1_DST
iptables -A CHECK_IP -i eth1 -j DEV_eth1_SRC
iptables -A CHECK_IP -o eth1 -j DEV_eth1_DST
iptables -t mangle -N SET_TOS
### TOS_FILE=type_of_services
### TOS_MAXIMIZE_RELIABILITY_IGMP=Maximize-Reliability igmp any
iptables -t mangle -A SET_TOS -p igmp -j TOS --set-tos Maximize-Reliability
### TOS_MAXIMIZE_RELIABILITY_TCP=Maximize-Reliability tcp
### TOS_MAXIMIZE_RELIABILITY_UDP=Maximize-Reliability udp
### TOS_MAXIMIZE_THROUGHPUT_TCP=Maximize-Throughput tcp ftp-data,smtp,imap,imaps,pop3,pop3s,cvspserver,rsync
iptables -t mangle -A SET_TOS -p tcp -m multiport --dports ftp-data,smtp,imap,imaps,pop3,pop3s,cvspserver,rsync -j TOS --set-tos Maximize-Throughput
iptables -t mangle -A SET_TOS -p tcp -m multiport --sports ftp-data,smtp,imap,imaps,pop3,pop3s,cvspserver,rsync -j TOS --set-tos Maximize-Throughput
### TOS_MAXIMIZE_THROUGHPUT_UDP=Maximize-Throughput udp
### TOS_MINIMIZE_COST_TCP=Minimize-Cost tcp nntp
iptables -t mangle -A SET_TOS -p tcp -m multiport --dports nntp -j TOS --set-tos Minimize-Cost
iptables -t mangle -A SET_TOS -p tcp -m multiport --sports nntp -j TOS --set-tos Minimize-Cost
### TOS_MINIMIZE_COST_UDP=Minimize-Cost udp snmp
iptables -t mangle -A SET_TOS -p udp -m multiport --dports snmp -j TOS --set-tos Minimize-Cost
iptables -t mangle -A SET_TOS -p udp -m multiport --sports snmp -j TOS --set-tos Minimize-Cost
### TOS_MINIMIZE_DELAY_TCP=Minimize-Delay tcp ftp,telnet
iptables -t mangle -A SET_TOS -p tcp -m multiport --dports ftp,telnet -j TOS --set-tos Minimize-Delay
iptables -t mangle -A SET_TOS -p tcp -m multiport --sports ftp,telnet -j TOS --set-tos Minimize-Delay
### TOS_MINIMIZE_DELAY_UDP=Minimize-Delay udp domain,ntp,tftp
iptables -t mangle -A SET_TOS -p udp -m multiport --dports domain,ntp,tftp -j TOS --set-tos Minimize-Delay
iptables -t mangle -A SET_TOS -p udp -m multiport --sports domain,ntp,tftp -j TOS --set-tos Minimize-Delay
### TOS_NORMAL_SERVICE_EGP=Normal-Service egp any
iptables -t mangle -A SET_TOS -p egp -j TOS --set-tos Normal-Service
### TOS_NORMAL_SERVICE_TCP=Normal-Service tcp www,https
iptables -t mangle -A SET_TOS -p tcp -m multiport --dports www,https -j TOS --set-tos Normal-Service
iptables -t mangle -A SET_TOS -p tcp -m multiport --sports www,https -j TOS --set-tos Normal-Service
### TOS_NORMAL_SERVICE_UDP=Normal-Service udp bootps,bootpc
iptables -t mangle -A SET_TOS -p udp -m multiport --dports bootps,bootpc -j TOS --set-tos Normal-Service
iptables -t mangle -A SET_TOS -p udp -m multiport --sports bootps,bootpc -j TOS --set-tos Normal-Service
iptables -t mangle -A INPUT -j SET_TOS
iptables -t mangle -A FORWARD -j SET_TOS
iptables -t mangle -A OUTPUT -j SET_TOS
### Configuring zone: LO
iptables -A FORWARD -o lo -j LOG_DROP
iptables -A FORWARD -i lo -j LOG_DROP
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
### Global chains
iptables -N GENERAL
iptables -A GENERAL -m state --state INVALID -j LOG_INVALID
iptables -A GENERAL -m state --state RELATED,ESTABLISHED -j LOG_ACCEPT
iptables -A GENERAL -j CHECK_IP
iptables -A GENERAL -j SANITY
iptables -N INPUT_NEW
iptables -A INPUT -j GENERAL
iptables -A INPUT -m state --state NEW -j INPUT_NEW
iptables -A INPUT -j LOG_GLOBAL_MISS
iptables -N INPUT_NEW_eth0
iptables -A INPUT_NEW -i eth0 -j INPUT_NEW_eth0
iptables -N INPUT_NEW_eth1
iptables -A INPUT_NEW -i eth1 -j INPUT_NEW_eth1
iptables -N FORWARD_NEW
iptables -A FORWARD -j GENERAL
iptables -A FORWARD -m state --state NEW -j FORWARD_NEW
iptables -A FORWARD -j LOG_GLOBAL_MISS
iptables -N FORWARD_NEW_eth0
iptables -A FORWARD_NEW -o eth0 -j FORWARD_NEW_eth0
iptables -N FORWARD_NEW_eth1
iptables -A FORWARD_NEW -o eth1 -j FORWARD_NEW_eth1
iptables -N OUTPUT_NEW
iptables -A OUTPUT -j GENERAL
iptables -A OUTPUT -m state --state NEW -j OUTPUT_NEW
iptables -A OUTPUT -j LOG_GLOBAL_MISS
iptables -N OUTPUT_NEW_eth0
iptables -A OUTPUT_NEW -o eth0 -j OUTPUT_NEW_eth0
iptables -N OUTPUT_NEW_eth1
iptables -A OUTPUT_NEW -o eth1 -j OUTPUT_NEW_eth1
iptables -N SEND_NEW_eth0
iptables -I FORWARD_NEW -i eth0 -j SEND_NEW_eth0
iptables -N SEND_NEW_eth1
iptables -I FORWARD_NEW -i eth1 -j SEND_NEW_eth1
###
###
### Configuring zone: EXT
### DEV=eth0, DYNAMIC=0, GLOBAL=1
### IP=207.22x.xxx.244, MASK=255.255.255.248, NET=207.224.147.240/255.255.255.248, BCAST=207.224.147.247
###
### Creating zone chains
### DHCP_SERVER=0
### DYNAMIC=0
### GLOBAL=1
iptables -A DEV_eth0_DST -d 207.224.147.240/255.255.255.248 -j RETURN
iptables -A DEV_eth0_SRC -s 207.224.147.240/255.255.255.248 -j RETURN
iptables -t nat -A PREROUTING -i eth0 -j PREROUTING_NAT_EXT
iptables -t nat -A POSTROUTING -o eth0 -j POSTROUTING_NAT_EXT
iptables -t mangle -A PREROUTING -i eth0 -j PREROUTING_MANGLE_EXT
iptables -t mangle -A POSTROUTING -o eth0 -j POSTROUTING_MANGLE_EXT
iptables -t mangle -A OUTPUT -o eth0 -j OUTPUT_MANGLE_EXT
iptables -A DEV_eth0_DST -j PRIVATE_DST
iptables -A DEV_eth0_SRC -j PRIVATE_SRC
iptables -A DEV_eth0_DST -j RESERVED_DST
iptables -A DEV_eth0_DST -j RETURN
iptables -A DEV_eth0_SRC -j RESERVED_SRC
iptables -A DEV_eth0_SRC -j RETURN
iptables -A INPUT_NEW_eth0 -j INPUT_EXT
iptables -A OUTPUT_NEW_eth0 -j OUTPUT_EXT
iptables -A FORWARD_NEW_eth0 -j FORWARD_EXT
iptables -A SEND_NEW_eth0 -j SEND_EXT
### REDIRECT_HTTPS=tcp 443 0.0.0.0/0=>207.22x.xxx.244 10.0.0.1:443
iptables -t nat -A PREROUTING_NAT_EXT -p tcp --dport 443 -d 207.22x.xxx.244 -j DNAT --to-destination 10.0.0.1:443
### REDIRECT_POP=tcp 110 0.0.0.0/0=>207.22x.xxx.244 10.0.0.1:110
iptables -t nat -A PREROUTING_NAT_EXT -p tcp --dport 110 -d 207.22x.xxx.244 -j DNAT --to-destination 10.0.0.1:110
### REDIRECT_SMTP=tcp 25 0.0.0.0/0=>207.22x.xxx.244 10.0.0.1:25
iptables -t nat -A PREROUTING_NAT_EXT -p tcp --dport 25 -d 207.22x.xxx.244 -j DNAT --to-destination 10.0.0.1:25
### REDIRECT_WWW=tcp 80 0.0.0.0/0=>207.22x.xxx.244 10.0.0.1:80
iptables -t nat -A PREROUTING_NAT_EXT -p tcp --dport 80 -d 207.22x.xxx.244 -j DNAT --to-destination 10.0.0.1:80
### WATCH_IP:
### MAC_DROP:
### IP_DROP:
### REPLY_AUTH=EXT tcp-reset tcp auth 0.0.0.0/0=>0.0.0.0/0
iptables -t filter -A INPUT_EXT -p tcp --dport auth -j REJECT --reject-with tcp-reset
### REPLY_TRACEROUTE=EXT icmp-port-unreachable udp 33434:33464 0.0.0.0/0=>0.0.0.0/0
iptables -t filter -A INPUT_EXT -p udp --dport 33434:33464 -j REJECT --reject-with icmp-port-unreachable
### LIMIT_PING=EXT DROP 1/second 3 ICMP echo-request 0.0.0.0/0=>0.0.0.0/0
iptables -N LIMIT_PING_EXT
iptables -A LIMIT_PING_EXT -m limit --limit 1/second --limit-burst 3 -j RETURN
iptables -A LIMIT_PING_EXT -j LOG_LIMIT_DROP
iptables -t filter -A INPUT_EXT -p ICMP --icmp-type echo-request -j LIMIT_PING_EXT
iptables -N USER_INPUT_EXT
iptables -I INPUT_EXT -j USER_INPUT_EXT
iptables -N USER_OUTPUT_EXT
iptables -I OUTPUT_EXT -j USER_OUTPUT_EXT
iptables -N USER_FORWARD_EXT
iptables -I FORWARD_EXT -j USER_FORWARD_EXT
### INPUT[0]=ACCEPT tcp smtp,www,https,ssh 0.0.0.0/0=>0.0.0.0/0
iptables -t filter -A INPUT_EXT -p tcp -m multiport --dports smtp,www,https,ssh -j LOG_ACCEPT
### INPUT[1]=ACCEPT icmp echo-request 0.0.0.0/0=>0.0.0.0/0
iptables -t filter -A INPUT_EXT -p icmp --icmp-type echo-request -j LOG_ACCEPT
### INPUT[2]=ACCEPT igmp 0.0.0.0/0=>224.0.0.0/4
iptables -t filter -A INPUT_EXT -p igmp -d 224.0.0.0/4 -j LOG_ACCEPT
### INPUT[3]=ACCEPT tcp 10000 0.0.0.0/0=>0.0.0.0/0
iptables -t filter -A INPUT_EXT -p tcp --dport 10000 -j LOG_ACCEPT
### INPUT[4]=ACCEPT tcp 23 0.0.0.0/0=>0.0.0.0/0
iptables -t filter -A INPUT_EXT -p tcp --dport 23 -j LOG_ACCEPT
### INPUT[5]=ACCEPT tcp 80 0.0.0.0/0=>0.0.0.0/0
iptables -t filter -A INPUT_EXT -p tcp --dport 80 -j LOG_ACCEPT
### INPUT[6]=ACCEPT tcp 25 0.0.0.0/0=>0.0.0.0/0
iptables -t filter -A INPUT_EXT -p tcp --dport 25 -j LOG_ACCEPT
### INPUT[7]=ACCEPT tcp 110 0.0.0.0/0=>0.0.0.0/0
iptables -t filter -A INPUT_EXT -p tcp --dport 110 -j LOG_ACCEPT
### INPUT[8]=ACCEPT tcp 180 0.0.0.0/0=>0.0.0.0/0
iptables -t filter -A INPUT_EXT -p tcp --dport 180 -j LOG_ACCEPT
### INPUT[9]=DROP ALL 0.0.0.0/0=>0.0.0.0/0
iptables -t filter -A INPUT_EXT -j LOG_DROP
### OUTPUT[0]=ACCEPT ALL 0.0.0.0/0=>0.0.0.0/0
iptables -t filter -A OUTPUT_EXT -j LOG_ACCEPT
### FORWARD[0]=ALL ACCEPT ALL 0.0.0.0/0=>0.0.0.0/0
iptables -t filter -A FORWARD_EXT -j LOG_ACCEPT
### Log all unmatched packets in this zone
iptables -A INPUT_EXT -j LOG_MISS
iptables -A OUTPUT_EXT -j LOG_MISS
iptables -A FORWARD_EXT -j LOG_MISS
### Done configuring zone
###
###
### Configuring zone: INT
### DEV=eth1, DYNAMIC=0, GLOBAL=0
### IP=10.0.0.254, MASK=255.255.254.0, NET=10.0.0.254/255.255.254.0, BCAST=10.0.1.255
###
### Creating zone chains
### DHCP_SERVER=0
### DYNAMIC=0
### GLOBAL=0
iptables -A DEV_eth1_DST -d 10.0.0.254/255.255.254.0 -j RETURN
iptables -A DEV_eth1_SRC -s 10.0.0.254/255.255.254.0 -j RETURN
iptables -A DEV_eth1_DST -d 224.0.0.0/4 -j RETURN
iptables -A DEV_eth1_SRC -s 224.0.0.0/4 -j RETURN
iptables -t nat -A PREROUTING -i eth1 -s 10.0.0.254/255.255.254.0 -j PREROUTING_NAT_INT
iptables -t nat -A POSTROUTING -o eth1 -d 10.0.0.254/255.255.254.0 -j POSTROUTING_NAT_INT
iptables -t mangle -A PREROUTING -i eth1 -s 10.0.0.254/255.255.254.0 -j PREROUTING_MANGLE_INT
iptables -t mangle -A POSTROUTING -o eth1 -d 10.0.0.254/255.255.254.0 -j POSTROUTING_MANGLE_INT
iptables -t mangle -A OUTPUT -o eth1 -d 10.0.0.254/255.255.254.0 -j OUTPUT_MANGLE_INT
iptables -A INPUT_NEW_eth1 -s 10.0.0.254/255.255.254.0 -j INPUT_INT
iptables -A OUTPUT_NEW_eth1 -d 10.0.0.254/255.255.254.0 -j OUTPUT_INT
iptables -A FORWARD_NEW_eth1 -d 10.0.0.254/255.255.254.0 -j FORWARD_INT
iptables -A SEND_NEW_eth1 -s 10.0.0.254/255.255.254.0 -j SEND_INT
iptables -t nat -A PREROUTING -i eth1 -s 224.0.0.0/4 -j PREROUTING_NAT_INT
iptables -t nat -A POSTROUTING -o eth1 -d 224.0.0.0/4 -j POSTROUTING_NAT_INT
iptables -t mangle -A PREROUTING -i eth1 -s 224.0.0.0/4 -j PREROUTING_MANGLE_INT
iptables -t mangle -A POSTROUTING -o eth1 -d 224.0.0.0/4 -j POSTROUTING_MANGLE_INT
iptables -t mangle -A OUTPUT -o eth1 -d 224.0.0.0/4 -j OUTPUT_MANGLE_INT
iptables -A INPUT_NEW_eth1 -s 224.0.0.0/4 -j INPUT_INT
iptables -A OUTPUT_NEW_eth1 -d 224.0.0.0/4 -j OUTPUT_INT
iptables -A FORWARD_NEW_eth1 -d 224.0.0.0/4 -j FORWARD_INT
iptables -A SEND_NEW_eth1 -s 224.0.0.0/4 -j SEND_INT
### WATCH_IP:
### MAC_DROP:
### IP_DROP:
### SNAT[0]=EXT ALL 0.0.0.0/0=>0.0.0.0/0
iptables -t nat -N SNAT_INT_0
iptables -t nat -A POSTROUTING_NAT_EXT -s 10.0.0.254/255.255.254.0 -j SNAT_INT_0
iptables -t nat -A POSTROUTING_NAT_EXT -s 224.0.0.0/4 -j SNAT_INT_0
iptables -t nat -A SNAT_INT_0 -j SNAT --to-source 207.22x.xxx.244
iptables -N USER_INPUT_INT
iptables -I INPUT_INT -j USER_INPUT_INT
iptables -N USER_OUTPUT_INT
iptables -I OUTPUT_INT -j USER_OUTPUT_INT
iptables -N USER_FORWARD_INT
iptables -I FORWARD_INT -j USER_FORWARD_INT
### INPUT[0]=ACCEPT ALL 0.0.0.0/0=>0.0.0.0/0
iptables -t filter -A INPUT_INT -j LOG_ACCEPT
### OUTPUT[0]=ACCEPT ALL 0.0.0.0/0=>0.0.0.0/0
iptables -t filter -A OUTPUT_INT -j LOG_ACCEPT
### FORWARD[0]=EXT ACCEPT tcp 80 0.0.0.0/0=>207.22x.xxx.244
iptables -N FORWARD_INT0
iptables -t filter -A FORWARD_INT -i eth0 -j FORWARD_INT0
iptables -t filter -A FORWARD_INT0 -p tcp --dport 80 -d 207.22x.xxx.244 -j LOG_ACCEPT
### FORWARD[1]=EXT ACCEPT tcp 25 0.0.0.0/0=>207.22x.xxx.244
iptables -N FORWARD_INT1
iptables -t filter -A FORWARD_INT -i eth0 -j FORWARD_INT1
iptables -t filter -A FORWARD_INT1 -p tcp --dport 25 -d 207.22x.xxx.244 -j LOG_ACCEPT
### FORWARD[2]=EXT ACCEPT tcp 110 0.0.0.0/0=>207.22x.xxx.244
iptables -N FORWARD_INT2
iptables -t filter -A FORWARD_INT -i eth0 -j FORWARD_INT2
iptables -t filter -A FORWARD_INT2 -p tcp --dport 110 -d 207.22x.xxx.244 -j LOG_ACCEPT
### FORWARD[3]=EXT ACCEPT tcp 180 0.0.0.0/0=>207.22x.xxx.244
iptables -N FORWARD_INT3
iptables -t filter -A FORWARD_INT -i eth0 -j FORWARD_INT3
iptables -t filter -A FORWARD_INT3 -p tcp --dport 180 -d 207.22x.xxx.244 -j LOG_ACCEPT
### FORWARD[4]=EXT ACCEPT tcp 443 0.0.0.0/0=>207.22x.xxx.244
iptables -N FORWARD_INT4
iptables -t filter -A FORWARD_INT -i eth0 -j FORWARD_INT4
iptables -t filter -A FORWARD_INT4 -p tcp --dport 443 -d 207.22x.xxx.244 -j LOG_ACCEPT
### FORWARD[5]=ALL DROP ALL 0.0.0.0/0=>0.0.0.0/0
iptables -t filter -A FORWARD_INT -j LOG_DROP
### Log all unmatched packets in this zone
iptables -A INPUT_INT -j LOG_MISS
iptables -A OUTPUT_INT -j LOG_MISS
iptables -A FORWARD_INT -j LOG_MISS
### Done configuring zone
### Catch unmatched packets
iptables -A INPUT_NEW -j LOG_ZONE_MISS
iptables -A FORWARD_NEW -j LOG_ZONE_MISS
iptables -A OUTPUT_NEW -j LOG_ZONE_MISS
### Log martians
iptables -A DEV_eth0_SRC -j LOG_MARTIAN
iptables -A DEV_eth0_DST -j LOG_MARTIAN
iptables -A DEV_eth1_SRC -j LOG_MARTIAN
iptables -A DEV_eth1_DST -j LOG_MARTIAN

Best regards,

Donald R. Donigan
Desert CODE Works
donigan at desertcodeworks.com
don at donigan.net
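An added example, not part of the original post or of FIAIF: a small check a reviewer can run over a rule dump like the one above. Netfilter evaluates the nat table's PREROUTING hook before the filter table's FORWARD hook, so a DNATed packet reaches FORWARD with its destination already rewritten to the translated address (here 10.0.0.1). A filter FORWARD rule that matches the public address can therefore never see those packets, and they fall through to whatever rule follows. The script parses a handful of rules copied from the dump (with the e-mail line wrapping undone and the masked 207.22x.xxx.244 kept as posted), builds the DNAT mapping from the nat rules, flags filter rules in chains named FORWARD* whose `-d` is a pre-DNAT address, and prints the rule rewritten to the post-DNAT address. The FORWARD* chain-name convention is an assumption about FIAIF's generated names; the parser understands only the options the dump uses.

```python
"""Flag filter-table FORWARD rules that match a pre-DNAT destination address.

nat/PREROUTING runs before filter/FORWARD, so a FORWARD rule keyed on the
original (public) destination never matches a DNATed packet.
"""
import re

# Constructed sample: rules copied from the posted FIAIF dump, line wrapping undone.
SAMPLE_RULES = """\
iptables -t nat -A PREROUTING_NAT_EXT -p tcp --dport 443 -d 207.22x.xxx.244 -j DNAT --to-destination 10.0.0.1:443
iptables -t nat -A PREROUTING_NAT_EXT -p tcp --dport 80 -d 207.22x.xxx.244 -j DNAT --to-destination 10.0.0.1:80
iptables -t filter -A FORWARD_INT0 -p tcp --dport 80 -d 207.22x.xxx.244 -j LOG_ACCEPT
iptables -t filter -A FORWARD_INT4 -p tcp --dport 443 -d 207.22x.xxx.244 -j LOG_ACCEPT
iptables -t filter -A FORWARD_INT -j LOG_DROP
"""

# Options the checker understands, and the key each is stored under.
_OPTS = {"-t": "table", "-A": "chain", "-I": "chain", "-p": "proto",
         "--dport": "dport", "-d": "dst", "-s": "src", "-j": "target",
         "--to-destination": "to"}


def parse_rule(line):
    """Turn one 'iptables ...' command into a dict of the options in _OPTS.

    Unrecognised options are skipped; the table defaults to 'filter' as in iptables.
    """
    toks = line.split()
    rule = {"table": "filter", "raw": line}
    i = 1  # skip the leading 'iptables'
    while i < len(toks):
        key = _OPTS.get(toks[i])
        if key is not None and i + 1 < len(toks):
            rule[key] = toks[i + 1]
            i += 2
        else:
            i += 1
    return rule


def parse_rules(text):
    return [parse_rule(l) for l in text.splitlines() if l.strip().startswith("iptables")]


def dnat_map(rules):
    """Map (proto, dport, original dst) -> translated IP for every DNAT rule."""
    out = {}
    for r in rules:
        if r["table"] == "nat" and r.get("target") == "DNAT" and "to" in r:
            new_ip = r["to"].split(":")[0]  # '10.0.0.1:443' -> '10.0.0.1'
            out[(r.get("proto"), r.get("dport"), r.get("dst"))] = new_ip
    return out


def find_stale_forward_matches(text):
    """Return filter rules in FORWARD* chains whose -d is a DNAT *original* address.

    Assumption (FIAIF naming): filter chains whose name starts with 'FORWARD'
    carry forwarding policy.
    """
    rules = parse_rules(text)
    translated = dnat_map(rules)
    stale = []
    for r in rules:
        if r["table"] != "filter" or not r.get("chain", "").startswith("FORWARD"):
            continue
        key = (r.get("proto"), r.get("dport"), r.get("dst"))
        if key in translated:
            stale.append({"chain": r["chain"], "dport": r["dport"],
                          "matched_dst": r["dst"],
                          "translated_dst": translated[key], "raw": r["raw"]})
    return stale


def fixed_rule(entry):
    """Rewrite a stale rule so its -d matches the post-DNAT address."""
    return re.sub(r"-d\s+\S+", "-d " + entry["translated_dst"], entry["raw"], count=1)


if __name__ == "__main__":
    for e in find_stale_forward_matches(SAMPLE_RULES):
        print(f"{e['chain']}: -d {e['matched_dst']} never matches after DNAT "
              f"to {e['translated_dst']} (port {e['dport']})")
        print("  suggested:", fixed_rule(e))
```

Run against the full dump, the check reports every FORWARD_INTn rule above as unreachable for redirected traffic; the same ordering argument is why a generic `-m state --state RELATED,ESTABLISHED` accept earlier in the chain does not rescue the first packet of a new connection.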
