#!/bin/sh
#
# bastille-firewall		Load/unload ipchains rulesets
#
# do not rename this file unless you edit /sbin/bastille-firewall-reset
#
# chkconfig: 345 5 98
# description: An ipchains-based firewall script for Linux systems \
# that allows the machine to be used as a gateway system
#
# version 0.98-beta12
# Copyright (C) 1999-2000 Peter Watkins 
#
#    This program is distributed in the hope that it will be useful,
#    but WITHOUT ANY WARRANTY; without even the implied warranty of
#    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
#    GNU General Public License for more details.
#
#    You should have received a copy of the GNU General Public License
#    along with this program; if not, write to the Free Software
#    Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA  02111-1307  USA
#
# Thanks to David Ranch, Brad A, Don G, and others for their suggestions
#
# This script is designed to be used as a SysV-style init script.
#
# It should be run with a "start" argument
#	1) as an rc?.d "S" script, _before_ the "network" script
# [copy this to /etc/rc.d/init.d/bastille-firewall and run 
#  'chkconfig -add bastille-firewall' ]
#	2) any time an interface is brought up or changed, e.g.
#	   establishing a PPP conection or renewing a DHCP lease
# [copy 'bastille-firewall-reset', 'bastille-firewall-schedule'
#  and 'ifup-local' to /sbin/]
#
#   Normally you Do Not _Ever_ Want to run this with a "stop" argument!
#
# Note that running this with "stop" will disable the firewall and open
# your system to all network traffic; if you make changes to these rules,
# apply them by running the script again with a "start" argument.

PATH=/bin:/sbin:/usr/bin:/usr/sbin
IPCHAINS=/sbin/ipchains

# the configuration values should be whitespace-delimited lists of 
# appropriate values, e.g.
# 	TCP_PUBLIC_SERVICES="80 smtp ssh"
# lists Web (port 80), SMTP mail, and Secure Shell ports
#
# This script is suitable for workstations or simple NAT firewalls;
# you may want to add more "output" restrictions for serious servers

# 0) DNS servers. You must list your DNS servers here so that
#	the firewall will allow them to service your lookup requests
#
# List of DNS servers/networks to allow "domain" responses from
# This _could_ be nameservers as a list of <ip-address>/32 entries
#DNS_SERVERS="a.b.c.d/32 e.f.g.h/32"	
# If you are running a caching nameserver, you'll need to allow from
# "0.0.0.0/0" so named can query any arbitrary nameserver
# (To enable a caching nameserver, you will also probably need to
#  add "domain" to the TCP and UDP public service lists.)
#DNS_SERVERS="0.0.0.0/0"
#
# To have the DNS servers parsed from /etc/resolv.conf at runtime,
# as normal workstations will want, make this variable empty
#DNS_SERVERS=""
#
# Please make sure variable assignments are on single lines; do NOT
# use the "\" continuation character (so Bastille can change the
# values if it is run more than once)
DNS_SERVERS=""


# 1) define your interfaces
#	Note a "+" acts as a wildcard, e.g. ppp+ would match any PPP 
#	interface
#
# list internal/trusted interfaces
# traffic from these interfaces will be allowed 
# through the firewall, no restrictions
#TRUSTED_IFACES="lo"					# MINIMAL/SAFEST
#
# list external/untrusted interfaces
#PUBLIC_IFACES="eth+ ppp+ slip+"			# SAFEST
#
# list internal/partially-trusted interfaces
# e.g. if this acts as a NAT/IP Masq server and you
# don't want clients on those interfaces having 
# full network access to services running on this
# server (as the TRUSTED_IFACES allows)
#INTERNAL_IFACES=""				# SAFEST
#
# Please make sure variable assignments are on single lines; do NOT
# use the "\" continuation character (so Bastille can change the
# values if it is run more than once)
TRUSTED_IFACES="lo"					# MINIMAL/SAFEST
PUBLIC_IFACES="eth+ ppp+ slip+"			# SAFEST
INTERNAL_IFACES=""				# SAFEST


# 2) services for which we want to log access attempts to syslog
#	Note this only audits connection attempts from public interfaces
#
#	Also see item 12, LOG_FAILURES
#
#TCP_AUDIT_SERVICES="telnet ftp imap pop-3 finger sunrpc exec login linuxconf ssh" 
# anyone probing for BackOrifice?
#UDP_AUDIT_SERVICES="31337"
# how about ICMP?
#ICMP_AUDIT_TYPES=""
#ICMP_AUDIT_TYPES="echo-request"	# ping/MS tracert
#
# To enable auditing, you must have syslog configured to log "kern"
# messages of "info" level; typically you'd do this with a line in
# syslog.conf like
#   kern.info				/var/log/messages
# though the Bastille port monitor will normally want these messages
# logged to a named pipe instead, and the Bastille script normally
# configures syslog for "kern.*" which catches these messages
#
# Please make sure variable assignments are on single lines; do NOT
# use the "\" continuation character (so Bastille can change the
# values if it is run more than once)
TCP_AUDIT_SERVICES="telnet ftp imap pop-3 finger sunrpc exec login linuxconf ssh" 
UDP_AUDIT_SERVICES="31337"
ICMP_AUDIT_TYPES=""


# 3) services we allow connections to
#
# FTP note:
#	To allow your machine to service "passive" FTP clients,
#	you will need to make allowances for the passive data
#	ports; Bastille users should read README.FTP for more
#	information
#
# "public" interfaces:
# TCP services that "public" hosts should be allowed to connect to
#TCP_PUBLIC_SERVICES=""					# MINIMAL/SAFEST
#
# UDP services that "public" hosts should be allowed to connect to
#UDP_PUBLIC_SERVICES=""					# MINIMAL/SAFEST
#
# "internal" interfaces:
# (NB: you will need to repeat the "public" services if you want
#      to allow "internal" hosts to reach those services, too.)
# TCP services that internal clients can connect to
#TCP_INTERNAL_SERVICES=""				# MINIMAL/SAFEST
#
# UDP services that internal clients can connect to
#UDP_INTERNAL_SERVICES=""				# MINIMAL/SAFEST
#
# Please make sure variable assignments are on single lines; do NOT
# use the "\" continuation character (so Bastille can change the
# values if it is run more than once)
TCP_PUBLIC_SERVICES=""					# MINIMAL/SAFEST
UDP_PUBLIC_SERVICES=""					# MINIMAL/SAFEST
TCP_INTERNAL_SERVICES=""				# MINIMAL/SAFEST
UDP_INTERNAL_SERVICES=""				# MINIMAL/SAFEST

# 4) FTP is a firewall nightmare; if you allow "normal" FTP connections,
#	you must be careful to block any TCP services that are listening
#	on high ports; it's safer to require your FTP clients to use
#	"passive" mode. 
#
#	Note this will also force clients on machines
#	that use this one for NAT/IP Masquerading to use passive mode
#	for connections that go through this server (e.g. from the
#	internal network to public Internet machines
#
#	For more information about FTP, see the Bastille README.FTP doc
#
#FORCE_PASV_FTP="N"
#FORCE_PASV_FTP="Y"					# SAFEST
#
FORCE_PASV_FTP="Y"					# SAFEST


# 5) Services to explicitly block. See FTP note above
#	Note that ranges of ports are specified with colons, and you
#	can specify an open range by using only one number, e.g.
#	1024: means ports >= 1024 and :6000 means ports <= 6000
#
# TCP services on high ports that should be blocked if not forcing passive FTP
# This should include X (6000:6010) and anything else revealed by 'netstat -an'
#  (this does not matter unless you're not forcing "passive" FTP)
#TCP_BLOCKED_SERVICES="6000:6020"
#
# UDP services to block: this should be UDP services on high ports.
# Your only vulnerability from public interfaces are the DNS and
# NTP servers/networks (those with 0.0.0.0 for DNS servers should
# obviously be very careful here!)
#UDP_BLOCKED_SERVICES="2049"
#
# types of ICMP packets to allow
#ICMP_ALLOWED_TYPES="destination-unreachable"		# MINIMAL/SAFEST
# the following allows you to ping/traceroute outbound
#ICMP_ALLOWED_TYPES="destination-unreachable echo-reply time-exceeded"
#
# Please make sure variable assignments are on single lines; do NOT
# use the "\" continuation character (so Bastille can change the
# values if it is run more than once)
TCP_BLOCKED_SERVICES="6000:6020"
UDP_BLOCKED_SERVICES="2049"
ICMP_ALLOWED_TYPES="destination-unreachable echo-reply time-exceeded"


# 6) Source Address Verification helps prevent "IP Spoofing" attacks
#
ENABLE_SRC_ADDR_VERIFY="Y"				# SAFEST


# 7) IP Masquerading / NAT. List your internal/masq'ed networks here
#
#	Also see item 4, FORCE_PASV_FTP, as that setting affects
#	clients using IP Masquerading through this machine
#
# Set this variable if you're using IP Masq / NAT for a local network
#IP_MASQ_NETWORK=""					# DISABLE/SAFEST
#IP_MASQ_NETWORK="10.0.0.0/8"				# example
#IP_MASQ_NETWORK="192.168.0.0/16"			# example
#
# Have lots of masq hosts? uncomment the following six lines 
#  and list the hosts/networks in /etc/firewall-masqhosts
#  the script assumes any address without a "/" netmask afterwards
#  is an individual address (netmask /255.255.255.255):
#if [ -f /etc/firewall-masqhosts ]; then
#  echo "Reading list of masq hosts from /etc/firewall-masqhosts"
#  # Read the file, but use 'awk' to strip comments
#  # Note the sed bracket phrase includes a space and tab char
#  IP_MASQ_NETWORK=`cat /etc/firewall-masqhosts | awk -F\# '/\// {print $1; next} /[0-9]/ {print $1"/32"}' |sed 's:[ 	]*::g'`
#fi
# 
# Masq modules
# NB: The script will prepend "ip_masq_" to each module name
#IP_MASQ_MODULES="cuseeme ftp irc quake raudio vdolive"	# ALL (?)
#IP_MASQ_MODULES="ftp raudio vdolive"			# RECOMMENDED
#
# Please make sure variable assignments are on single lines; do NOT
# use the "\" continuation character (so Bastille can change the
# values if it is run more than once)
IP_MASQ_NETWORK=""					# DISABLE/SAFEST
IP_MASQ_MODULES="ftp raudio vdolive"			# RECOMMENDED


# 8) How to react to disallowed packets
# whether to "REJECT" or "DENY" disallowed packets; if you're running any
# public services, you probably ought to use "REJECT"; if in serious stealth
# mode, choose "DENY" so simple probes don't know if there's anything out there
#	NOTE: disallowed ICMP packets are discarded with "DENY", as
#		it would not make sense to "reject" the packet if you're
#		trying to disallow ping/traceroute
#
REJECT_METHOD="DENY"


# 9) DHCP
#    In case your server needs to get a DHCP address from some other
#    machine (e.g. cable modem)
#DHCP_IFACES="eth0"			# example, to allow you to query on eth0
#DHCP_IFACES=""				# DISABLED
#
# Please make sure variable assignments are on single lines; do NOT
# use the "\" continuation character (so Bastille can change the
# values if it is run more than once)
DHCP_IFACES=""				# DISABLED


# 10) more UDP fun. List IP addresses or network space of NTP servers
#
#NTP_SERVERS=""				# DISABLE NTP QUERIES / SAFEST
#NTP_SERVERS="a.b.c.d/32 e.f.g.h/32"	# example, to allow querying 2 servers
#
# Please make sure variable assignments are on single lines; do NOT
# use the "\" continuation character (so Bastille can change the
# values if it is run more than once)
NTP_SERVERS=""				# DISABLE NTP QUERIES / SAFEST


# 11) more ICMP. Control the outbound ICMP to make yourself invisible to
#     traceroute probes
#
#ICMP_OUTBOUND_DISABLED_TYPES="destination-unreachable time-exceeded"
#
# Please make sure variable assignments are on single lines; do NOT
# use the "\" continuation character (so Bastille can change the
# values if it is run more than once)
ICMP_OUTBOUND_DISABLED_TYPES="destination-unreachable time-exceeded"


# 12) Logging
#	With this enabled, ipchains will log all blocked packets.
#	         ** this could generate huge logs **
#	This is primarily intended for the port mointoring system; 
#	also note that you probably do not want to "AUDIT" any services
#	that you are not allowing, as doing so would mean duplicate
#	logging
LOG_FAILURES="N"				# do not log blocked packets


#
# Computed values
# 
# These things should be queried/computed at run time
#
# LOCAL_ADDRESSES
#
# LOCAL_ADDRESSES lists all IP addresses for this server 
#  (for the INTERNAL_SERVICES rules); if you have virtual 
#  network devices, you may want to hand-code this, e.g.
# LOCAL_ADDRESSES="127.0.0.0/24"
#
# The following makes a list of all current IP addresses
LOCAL_ADDRESSES=`ifconfig | grep "inet addr" | awk '{print $2}' | awk -F: '{print $2"/32"}'`
#
#
# INTERNAL_NETWORKS
#
# INTERNAL_NETWORKS lists the masked networks for the INTERNAL_INTERFACES
# e.g. INTERNAL_NETWORKS="10.0.0.0/255.0.0.0"
# The following makes a list of all current internal IP addresses _with netmasks_
for i in ${INTERNAL_IFACES} ; do
	INTERNAL_NETWORKS="${INTERNAL_NETWORKS} `ifconfig ${i} | grep "inet addr" | awk '{print $2":"$4}' | awk -F: '{print $2"/"$4}'`"
done
#
#
# DNS_SERVERS
#
# Derive this from /etc/resolv.conf if it's not set already
# Note we only take the first three as most systems' resolvers
# can only use three nameservers; see MAXNS in resolv.h for details
MAXNS=3
if [ -z "${DNS_SERVERS}" ]; then
	DNS_SERVERS=`grep nameserver /etc/resolv.conf | awk -F\# '{print $1}' | grep '^nameserver' | awk '{print $2"/32"}' | head -${MAXNS}`
fi
#
#
# LOG_FLAG
# 
# Flag to add to ${REJECT_METHOD} rules to force logging
if [ "${LOG_FAILURES}" = "Y" ]; then
	LOG_FLAG="-l"
else
	LOG_FLAG=""
fi
#
#
# CALLED_METHOD
#
# Variable to hold $1, for use in functions (which have their own $1 vars)
CALLED_METHOD="$1"

#
# Shell functions
#
# do_masq_mods
# Function to load/unload "ip_masq_*" kernel modules
do_masq_mods()
{
	# args: $1 = "load" or "unload"
	#
	# find the currently loaded modules
	masq_mods=`lsmod | awk '{print $1}' | grep '^ip_masq_'`
	#
	# Step 1: unload unwanted modules
	for m in ${masq_mods} ; do
		UNLOAD_THIS_MOD=Y
		for normal_mod in ${IP_MASQ_MODULES} ; do
			if [ "ip_masq_${normal_mod}" = $m ]; then
				# this module is _supposed_ to be loaded
				UNLOAD_THIS_MOD=N
			fi
		done
		if [ "${CALLED_METHOD}" = "stop" -o -z "${IP_MASQ_NETWORK}" ]; then
			# we're either disabling the firewall or we've disabled masquerading,
			# so we should unload _all_ masq modules
			UNLOAD_THIS_MOD=Y
		fi
		if [ $UNLOAD_THIS_MOD = "Y" -a $1 = "unload" ]; then
			rmmod $m || echo "Error unloading ${m} module"
		fi
	done
	# Step 2: load wanted modules that are not already loaded
	if [ $1 = "load" ]; then
		for normal_mod in ${IP_MASQ_MODULES} ; do
			MOD_LOADED=N
			for m in ${masq_mods} ; do
				if [ "ip_masq_${normal_mod}" = ${m} ]; then
					MOD_LOADED=Y
				fi
			done
			if [ $MOD_LOADED = "N" ]; then
				insmod "ip_masq_${normal_mod}" || echo "Error loading ip_masq_${normal_mod} module"
			fi
		done
	fi
}

# See how we were called.
case "$1" in
  start)
	echo
	#
	# we set defaults to DENY now to minimize possible interruptions
	# if this script is re-run to reset rules
	#
	# set default policy to disallow forwarding
	${IPCHAINS} -P forward DENY
	# flush rules
	${IPCHAINS} -F forward
	# default is to disallow incoming traffic	
	${IPCHAINS} -P input DENY
	# flush rules 
	${IPCHAINS} -F input
	# disallow outbound until we set up the explicit outbound rules
	${IPCHAINS} -P output DENY
	# flush rules 
	${IPCHAINS} -F output

	# always allow MTU discovery packets
	${IPCHAINS} -A input -p icmp --icmp-type fragmentation-needed -j ACCEPT
	${IPCHAINS} -A output -p icmp --icmp-type fragmentation-needed -j ACCEPT

	# from the ipchains HOWTO, I think
	if [ "${ENABLE_SRC_ADDR_VERIFY}" = "Y" ]; then
		if [ -e /proc/sys/net/ipv4/conf/all/rp_filter ]; then
        		echo -n "Setting up IP spoofing protection..."
		        for f in /proc/sys/net/ipv4/conf/*/rp_filter; do
            		echo 1 > $f
        		done
        		echo " done."
		else
        		echo "WARNING: errors encountered while trying to enable IP spoofing protection!"
		fi
	fi

	# Auditing must be set up before these packets are blocked!
	for iface in ${PUBLIC_IFACES} ; do
		for service in ${TCP_AUDIT_SERVICES} ; do
			${IPCHAINS} -A input -p tcp -d 0.0.0.0/0 ${service} -y -i ${iface} -l
		done   
		for service in ${UDP_AUDIT_SERVICES} ; do
			${IPCHAINS} -A input -p udp -d 0.0.0.0/0 ${service} -i ${iface} -l
		done   
		for type in ${ICMP_AUDIT_TYPES} ; do
			${IPCHAINS} -A input -p icmp --icmp-type ${type} -d 0.0.0.0/0 -i ${iface} -l 
		done
	done

	# No packets with multicast source addresses (Joshua K, RFC 1122)
	${IPCHAINS} -A input -s 224.0.0.0/4 -j ${REJECT_METHOD} ${LOG_FLAG}

	# Forwarding

	# If you have networks that route traffic to each other through this
	# server, you may want to add some forwarding rules, here, e.g.
	# one way, 192.168.*.* -> 10.*.*.* with 192.168.*.* on "eth0"
	#${IPCHAINS} -A forward -i eth0 -s 192.168.0.0/16 -d 10.0.0.0/8 -j ACCEPT	
	# the other direction, 10.*.*.* -> 192.168.*.* with 10.*.*.* on "eth1"
	#${IPCHAINS} -A forward -i eth1 -d 192.168.0.0/16 -s 10.0.0.0/8 -j ACCEPT	

	# IP Masquerading/forwarding
	#
	# Unload masq modules (maybe we're disabling masquerading, maybe we changed the module list)
	do_masq_mods unload
	#
	if [ ! -z "${IP_MASQ_NETWORK}" ]; then
		echo -n "Setting up masquerading rules..."	
		# since we've set the default forwarding policy to
		# reject, we can enable forwarding now
		echo 1 > /proc/sys/net/ipv4/ip_forward
		# NetBEUI
		${IPCHAINS} -A forward -p tcp -s 0.0.0.0/0 137:139 -d 0.0.0.0/0 -j ${REJECT_METHOD} ${LOG_FLAG}
		${IPCHAINS} -A forward -p udp -s 0.0.0.0/0 137:139 -d 0.0.0.0/0 -j ${REJECT_METHOD} ${LOG_FLAG}
		# set up rules for masqueraded networks
		for net in ${IP_MASQ_NETWORK} ; do
			for pub in ${PUBLIC_IFACES} ; do
				# NAT should be one-way, deny traffic from public
				# interfaces that is addresses to masq'ed networks
				${IPCHAINS} -A input -d ${net} -i ${pub} -j ${REJECT_METHOD} ${LOG_FLAG}
				# spoofed addreses from outside
				${IPCHAINS} -A input -s ${net} -i ${pub} -j ${REJECT_METHOD} ${LOG_FLAG}
				# enable forwarding
				${IPCHAINS} -A forward -s ${net} -i ${pub} -j MASQ
			done
		done
		echo " done."
		echo -n "Loading masquerading modules..."	
		do_masq_mods load
		echo " done."
	fi

	# disallow any attempts to get to internal interfaces from outside
	# not good if this is supposed to route between normal networks
	for int in ${INTERNAL_NETWORKS} ; do
		for pub in ${PUBLIC_IFACES} ; do
			# deny traffic from public
			# interfaces that is addresses to internal networks
			${IPCHAINS} -A input -d ${int} -i ${pub} -j ${REJECT_METHOD} ${LOG_FLAG}
			# spoofed addreses from outside
			${IPCHAINS} -A input -s ${int} -i ${pub} -j ${REJECT_METHOD} ${LOG_FLAG}
		done
	done
		

	echo -n "Setting up general rules..."	

	# Allow all traffic from trusted interfaces
	for t_iface in ${TRUSTED_IFACES} ; do	
		${IPCHAINS} -A input -i ${t_iface} -d 0.0.0.0/0 -j ACCEPT
	done

	# custom rules -------------------------------------------------
	#	
	#	Put custom rules for public services here before we set up the normal
	#	rules for the public interfaces
	#
	# custom rules -------------------------------------------------

	# Allow response from DHCP servers
	for iface in ${DHCP_IFACES} ; do
		# allow UDP responses
		${IPCHAINS} -A input -p udp -s 0.0.0.0/0 bootps -i ${iface}  -d 255.255.255.255/0 bootpc -j ACCEPT 		
		# normally we allow TCP data returns so this is redundant
		# ${IPCHAINS} -A input -p tcp -s 0.0.0.0/0 bootps -i ${iface}  -d 255.255.255.255/0 bootpc -j ACCEPT 		
		# make link so dhcpcd runs firewall when IP changes (if no such file already)
		[ ! -d /etc/dhcpc ] && mkdir /etc/dhcpc -m 0750
		if [ -x /sbin/bastille-firewall-reset -a ! -s /etc/dhcpc/dhcpcd-${iface}.exe ]; then
			ln -s /sbin/bastille-firewall-reset /etc/dhcpc/dhcpcd-${iface}.exe
		fi
	done

	# internal interface rules
	for iface in ${INTERNAL_IFACES} ; do
		NON_LOOPBACK_SEEN=N
		for net in ${LOCAL_ADDRESSES} ; do
			BASE_ADDR=`echo ${net} | awk -F. '{print $1}'`
			if [ ${BASE_ADDR} != "127" ]; then
				NON_LOOPBACK_SEEN=Y
			fi
			# TCP services
			for serv in ${TCP_INTERNAL_SERVICES} ; do
				${IPCHAINS} -A input -p tcp -d ${net} ${serv} -i ${iface} -j ACCEPT 		
			done
			${IPCHAINS} -A input -p tcp -d ${net} ${serv} \! -y -i ${iface} -j ACCEPT
			# UDP services
			for serv in ${UDP_INTERNAL_SERVICES} ; do
				${IPCHAINS} -A input -p udp -d ${net} ${serv} -i ${iface} -j ACCEPT 		
			done
		done
		# complain if no local addresses
		if [ ${NON_LOOPBACK_SEEN} = "N" ]; then
			echo "WARNING: no non-loopback local addresses; protection from INTERNAL_IFACES not enabled!"
		fi
		# ICMP
		# hopefully you don't care about hiding from internal hosts!
		${IPCHAINS} -A input -p icmp -d 0.0.0.0/0 -i ${iface} -j ACCEPT 
		${IPCHAINS} -A output -p icmp -d 0.0.0.0/0 -i ${iface} -j ACCEPT 
		# ...but if you do... try this...
		#for type in ${ICMP_ALLOWED_TYPES} ; do
		#	${IPCHAINS} -A input -p icmp --icmp-type ${type} -d 0.0.0.0/0 -i ${iface} -j ACCEPT 
		#done
		#for type in ${ICMP_OUTBOUND_DISABLED_TYPES} ; do
		#	${IPCHAINS} -A output -p icmp --icmp-type ${type} -i ${iface} -j REJECT
		#done
	done
        
	# input rules
	#
	# public interfaces
	for iface in ${PUBLIC_IFACES} ; do

		# --------------------- TCP --------------------------
		for serv in ${TCP_PUBLIC_SERVICES} ; do
			${IPCHAINS} -A input -p tcp -d 0.0.0.0/0 ${serv} -i ${iface} -j ACCEPT 		
		done

		if [ ${FORCE_PASV_FTP} != "Y" ]; then
			# no point explicitly blocking TCP services unless active FTP is enabled
			# Step 1: block the high port TCP services
			for serv in ${TCP_BLOCKED_SERVICES} ; do
				# only block -y initial connects; in case the port was needlessly
				# specified, this should still enable it to be used as a source
				# port for non-FTP connecions from this host or machines using it as a gateway
				${IPCHAINS} -A input -p tcp -d 0.0.0.0/0 ${serv} -y -i ${iface} -j ${REJECT_METHOD} ${LOG_FLAG}
			done
			# FEATURE: check bound high TCP and complain?
			# Step 2: allow the ftp-data connections
			${IPCHAINS} -A input -p tcp -d 0.0.0.0/0 1024: -s 0.0.0.0/0 ftp-data -i ${iface} -j ACCEPT
		fi
	
		# general response to my TCP requests
		${IPCHAINS} -A input -p tcp \! -y -i ${iface} -j ACCEPT
	
		# no TCP requests to other ports (redundant)
		# ${IPCHAINS} -A input -p tcp -i ${iface} -j ${REJECT_METHOD} ${LOG_FLAG}
	

		# --------------------- ICMP --------------------------
		for type in ${ICMP_ALLOWED_TYPES} ; do
			${IPCHAINS} -A input -p icmp --icmp-type ${type} -d 0.0.0.0/0 -i ${iface} -j ACCEPT 
		done

		# if you're disallowing ICMP, you may be trying to look 
		# invisible/disable ping, so let's just drop these attempts
		${IPCHAINS} -A input -p icmp -d 0.0.0.0/0 -i ${iface} -j DENY ${LOG_FLAG}

	
		# --------------------- UDP --------------------------
		for serv in ${UDP_PUBLIC_SERVICES} ; do
			${IPCHAINS} -A input -p udp -d 0.0.0.0/0 ${serv} -i ${iface} -j ACCEPT 		
		done

		# This isn't necessary unless you have DNS_SERVERS or NTP_SERVERS
		# but who wouldn't have DNS servers configured?
		for serv in ${UDP_BLOCKED_SERVICES} ; do
			${IPCHAINS} -A input -p udp -d 0.0.0.0/0 ${serv} -i ${iface} -j ${REJECT_METHOD} ${LOG_FLAG}
		done

		for dns_net in ${DNS_SERVERS} ; do
			${IPCHAINS} -A input -p udp -s ${dns_net} domain -d 0.0.0.0/0 1024: -i ${iface} -j ACCEPT
		done

		for ntp_net in ${NTP_SERVERS} ; do
			${IPCHAINS} -A input -p udp -s ${ntp_net} ntp -d 0.0.0.0/0 1024: -i ${iface} -j ACCEPT
		done

		# Reject other UDP (redundant)
		#${IPCHAINS} -A input -p udp -i ${iface} -j ${REJECT_METHOD} ${LOG_FLAG}
	
		# end of loop through public interfaces for input rules
	done
	if [ ${FORCE_PASV_FTP} != "Y" -a ! -z "${PUBLIC_IFACES}" ]; then
		# warning
		echo
		echo "WARNING: allowing \"active\" FTP; any unknown TCP services running"
		echo "on high ports will be vulnerable; blocking too many high TCP ports"
		echo "may affect various TCP _clients_ running on this machine or using"
		echo "this machine as a gateway."
	fi
	#
	# now we can deny the attempts from the internal interfaces to this host
	for iface in ${INTERNAL_IFACES} ; do
		for tnet in ${LOCAL_ADDRESSES} ; do
			${IPCHAINS} -A input -i ${iface} -d ${tnet} -j ${REJECT_METHOD} ${LOG_FLAG}
		done
	done
	# now that we've blocked attempts from the internal interfaces
	# to the IP's on this server, we need to accept other connections
	# so the IP Masq / NAT will function
	for net in ${IP_MASQ_NETWORK} ; do
		${IPCHAINS} -A input -s ${net} -j ACCEPT
	done

	# --------------------- catch-all --------------------------
	# Reject all other traffic (redundant if not logging)
	if [ ${LOG_FAILURES} = "Y" ]; then
 		${IPCHAINS} -A input -j ${REJECT_METHOD} ${LOG_FLAG}
 		${IPCHAINS} -A forward -j ${REJECT_METHOD} ${LOG_FLAG}
 	fi

	#
       	echo " done."

	echo -n "Setting up outbound rules..."	
	#
	for iface in ${PUBLIC_IFACES} ; do
		# block outbound ICMP types (usu. to hide from traceroute)
		for type in ${ICMP_OUTBOUND_DISABLED_TYPES} ; do
			${IPCHAINS} -A output -p icmp --icmp-type ${type} -i ${iface} -j REJECT ${LOG_FLAG}
		done
		# 
		# Here you might really lock things down if this is a server,
		# e.g., to keep it from doing anything but connecting to
		# SMTP servers and responding to Web requests, or whatever
		# the specific requirements are. 
		#
		# Such lockdowns are recommended if the situation affords you
		# that flexibility.
		#
	done
	# default is to enable outbound traffic
	# (again, here, for a server you might default to ${REJECT_METHOD} )
	${IPCHAINS} -P output ACCEPT

	# Now that all rules are set, we can change the policies
	# to the user preference safely
	${IPCHAINS} -P forward ${REJECT_METHOD}
	${IPCHAINS} -P input ${REJECT_METHOD}

	echo " done."

	;;
  stop)
	echo
	echo "WARNING: reverting to default settings (dropping firewall)"
	# We should disable NAT/forwarding even if not set to restore defaults
	echo -n "disabling IP forwarding..."	
	echo 0 > /proc/sys/net/ipv4/ip_forward
	echo " done."
	echo -n "unloading masquerading modules..."	
	do_masq_mods unload
	echo " done."
	# flushing seems to leave the default input at ${REJECT_METHOD}
	echo -n "resetting default input rule to accept..."
	${IPCHAINS} -P input ACCEPT
	echo " done."
	echo -n "resetting default output rule to accept..."
	${IPCHAINS} -P output ACCEPT
	echo " done."
	# likewise, we ought to also disallow forwarding (not specifically
	#  necessary, as we disabled forwarding with the /proc interface)
	#  Note we do not set logging for this
	echo -n "resetting default forward rule to ${REJECT_METHOD}..."
	${IPCHAINS} -P forward ${REJECT_METHOD}
	echo " done."
	for chain in input output forward ; do
		echo -n "flushing ${chain} rules..."	
		${IPCHAINS} -F ${chain}
		echo " done."
	done
	;;
  status)
	${IPCHAINS} -L
	;;
  *)
	echo "Usage: $0 {start|stop|status}"
	exit 1
esac

exit 0

