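#!/bin/sh
#
# ipchains (Linux 2.2-era) packet filter for a masquerading gateway that
# also runs pptpd.  eth0 is the external (dialup) interface and
# 192.168.1.0/24 is the internal / VPN network.  Must be run as root.
#
# NOTE: ipchains is stateless.  "Established" TCP is approximated below by
# accepting every non-SYN TCP packet, so the SYN-only (-y) DENY rules are
# what actually stops inbound connections.  ipchains has long since been
# replaced by iptables/nftables; this script is kept for the kernels it
# was written for and is not a template for a modern firewall.

set -eu

if [ "$(id -u)" -ne 0 ]; then
    echo "$0: must be run as root" >&2
    exit 1
fi

# Stop forwarding while the rule set is rebuilt, so nothing passes through
# the box in the window between the flush and the last rule.
echo 0 > /proc/sys/net/ipv4/ip_forward

# Drop all existing rules, user-defined chains and counters.
ipchains -F
ipchains -X
ipchains -Z

# Default policy for forwarded packets is DENY; only the explicit ACCEPT
# and MASQ rules below let anything through.  (The original comment here
# said "Enable IP masquerading", which is not what this line does.)
ipchains -P forward DENY

# Re-enable forwarding.  Safe at this point because the forward policy is
# already DENY, so nothing is forwarded until the rules below are loaded.
echo 1 > /proc/sys/net/ipv4/ip_forward

# Forward traffic between the pptpd clients and the internal LAN unchanged.
ipchains -A forward -s 192.168.1.0/24 -d 192.168.1.0/24 -j ACCEPT

# Masquerade everything else leaving via eth0.
# This rule must come AFTER the pptpd forwarding rule so that packets
# heading for the pptpd connection don't get MASQ'd.
ipchains -A forward -i eth0 -j MASQ

# Masquerade-table timeouts in seconds: TCP sessions, TCP after FIN, UDP.
ipchains -M -S 1800 120 300

# ---- outbound on eth0 ---------------------------------------------------

ipchains -N eth0-out
ipchains -A output -i eth0 -j eth0-out

# Log and drop anything carrying a private 192.168/16 address that is
# about to leave the external interface.
# NOTE(review): only 192.168/16 is covered; 10/8 and 172.16/12 are not.
ipchains -A eth0-out -s 192.168.0.0/16 -l -j DENY
ipchains -A eth0-out -d 192.168.0.0/16 -l -j DENY

# ---- inbound on eth0 ----------------------------------------------------

ipchains -N eth0-in
ipchains -A input -i eth0 -j eth0-in

# Anti-spoofing: log and drop anything arriving on eth0 that claims a
# private 192.168/16 source or destination (same caveat as above).
ipchains -A eth0-in -s 192.168.0.0/16 -l -j DENY
ipchains -A eth0-in -d 192.168.0.0/16 -l -j DENY

# Log and drop inbound SMTP, Telnet, FTP, Samba (NetBIOS) and Sun RPC.
# These sit in front of the generic rules so the attempts are logged
# instead of silently vanishing into the final DENY.  Order is the same
# as the original rule list: TCP-only services first, then the
# TCP+UDP pairs.
for svc in smtp telnet ftp; do
    ipchains -A eth0-in -p TCP -d 0.0.0.0/0 "$svc" -l -j DENY
done
for svc in netbios-ssn netbios-dgm netbios-ns sunrpc; do
    ipchains -A eth0-in -p TCP -d 0.0.0.0/0 "$svc" -l -j DENY
    ipchains -A eth0-in -p UDP -d 0.0.0.0/0 "$svc" -l -j DENY
done

# REJECT (not DENY) IDENT so remote mail/IRC servers that probe port 113
# get an immediate negative answer instead of waiting for a timeout.
ipchains -A eth0-in -p TCP -d 0.0.0.0/0 auth -j REJECT

# Active-mode FTP data connections for masqueraded clients: the remote
# server connects FROM port 20 TO an unprivileged port on the client.
# 6000-6009 is left out so the X11 display ports stay unreachable.
# SYN packets are logged; the rest of each connection is accepted silently.
#
# NOTE(review): these rules match on nothing but a source port of 20,
# which any remote host can pick freely.  Any TCP service bound to
# 1024-5999 or 6010+ on this gateway is therefore reachable from the
# outside through this path.  If the clients can use passive FTP (with
# the ip_masq_ftp helper for the masqueraded side) these four rules
# should be removed.
ipchains -A eth0-in -p TCP -y -s 0.0.0.0/0 ftp-data -d 0.0.0.0/0 1024:5999 -j ACCEPT -l
ipchains -A eth0-in -p TCP -s 0.0.0.0/0 ftp-data -d 0.0.0.0/0 1024:5999 -j ACCEPT
ipchains -A eth0-in -p TCP -y -s 0.0.0.0/0 ftp-data -d 0.0.0.0/0 6010: -j ACCEPT -l
ipchains -A eth0-in -p TCP -s 0.0.0.0/0 ftp-data -d 0.0.0.0/0 6010: -j ACCEPT

# Inbound connections TO port 20 (ftp-data) on this host, from anywhere.
# NOTE(review): an FTP data connection is initiated by the server, so an
# unsolicited inbound SYN to port 20 has no obvious legitimate use here.
# Unless this box serves FTP itself (port 21 is denied above), this pair
# can probably go.
ipchains -A eth0-in -p TCP -y -d 0.0.0.0/0 ftp-data -j ACCEPT -l
ipchains -A eth0-in -p TCP -d 0.0.0.0/0 ftp-data -j ACCEPT

# PPTP: the control channel on TCP/1723 (SYNs logged) and GRE
# (IP protocol 47) carrying the tunnelled data.
ipchains -A eth0-in -p TCP -y -d 0.0.0.0/0 1723 -j ACCEPT -l
ipchains -A eth0-in -p TCP -d 0.0.0.0/0 1723 -j ACCEPT
ipchains -A eth0-in -p 47 -j ACCEPT

# Log and deny every other new inbound TCP connection (SYN without ACK).
ipchains -A eth0-in -p TCP -y -j DENY -l

# Any TCP packet that is not a connection attempt is treated as part of
# an existing session -- ipchains has no connection tracking to check.
ipchains -A eth0-in -p TCP -j ACCEPT

# Allow UDP and ICMP.
# NOTE(review): UDP is wide open here; restricting it to the ports that
# are actually needed (DNS, NTP, ...) would be a worthwhile tightening.
# The ICMP rule originally read "-p ICP", which is not a protocol name
# ipchains knows, so that rule never loaded and all inbound ICMP fell
# through to the final DENY -- the opposite of what the comment said.
ipchains -A eth0-in -p UDP -j ACCEPT
ipchains -A eth0-in -p ICMP -j ACCEPT

# Everything else arriving on eth0 is dropped.
ipchains -A eth0-in -j DENY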