The following is a firewall written via BASH and IPTABLES. There is a DHCP assigned WAN interface, and a single physical connection for the internal network with two IPs bound to is, one for the real network, the 192.168.1.xxx network and a network 10.0.0.xxx which is populated by VMWare Server machines. How well written is this firewall, scored by US acedemic scores? (A,B,C,D,F, No credit go to the principle's office now!!!)
---- START ----- ######WRAPTEXTBAR################################################################# # First set LC_ALL to en to avoid l10n problems when awk-ing IPs etc. export LC_ALL="en"
######################################################################## # VARIABLE DEFINITION ######################################################################## INTIF1=eth0 EXTIF=eth1 VIRIF=eth0
# ****** Loop device/localhost ****** LPDIF=lo LPDIP=127.0.0.1 LPDMSK=255.0.0.0 LPDNET="$LPDIP/$LPDMSK"
# ****** Text tools variables ****** IPT='/sbin/iptables' IFC='/sbin/ifconfig' G='/bin/grep' SED='/bin/sed'
# ****** Markable Priorities ****** MARKPRIO1="1" MARKPRIO2="2" MARKPRIO3="3" MARKPRIO4="4"
# ****** Rates ****** UPRATE="256kbit" P2PRATE="128kbit" PRIORATE1="65kbit" PRIORATE2="46kbit" PRIORATE3="27kbit" PRIORATE4="8kbit"
# ****** Quantum ****** QUANTUM1="12187" QUANTUM2="8625" QUANTUM3="5062" QUANTUM4="1500"
# ****** Burst ****** BURST1="6k" BURST2="4k" BURST3="2k" BURST4="0k" CBURST1="3k" CBURST2="2k" CBURST3="1k" CBURST4="0k"
# ****** Port Definitions ****** IRC='ircd' MSN=1863 ICQ=5190 NFS='sunrpc' PORTAGE='rsync' BT='50000:50100' NATRANGES='2222 2223 2224 51100:51200 51300:51400 51500:51600
51700:51800' OpenPGP_HTTP_Keyserver=11371TCPSERV="8080 domain rsync ssh http https ftp ftp-data mail pop3 pop3s imap3 imaps imap2 time $PORTAGE $IRC $MSN $ICQ $OpenPGP_HTTP_Keyserver $BTi $NATRANGES"
UDPSERV="8080 domain time rsync $BT $NATRANGES"
######################################################################## # PORT BLOCKING RULES ######################################################################## # ****** Common Ports For both UDP and TCP ****** COMBLOCK="0:1 13 98 111 137:139 1214 1999 2049 3049 4329 6346 3128 8000
8008 12345 65535"# ****** TCP Ports to Block ****** TCPBLOCK="$COMBLOCK 98 512:515 1080 6000:6009 6112"
# ***** UDP Ports To Block ****** UDPBLOCK="$COMBLOCK 520 123 517:518 1427 9000"
######################################################################## # QoS Config # "QoS is not complete yet as we still need to mark our traffic" # ***** Example for ICMP ***** # iptables -t mangle -A FORWARD -p icmp -j MARK --set-mark $MARKPRIO1 # iptables -t mangle -A OUTPUT -p icmp -j MARK --set-mark $MARKPRIO1 # We will echo this out rather then internal comments for this # section only... ######################################################################## echo "STARTING QoS Config"
echo "******Set queue length for $EXTIF******"
ifconfig $EXTIF txqueuelen 16
echo "******Specify queue discipline******" tc qdisc add dev $EXTIF root handle 1:0 htb default 103 r2q 1
echo "******Set root class******" tc class add dev $EXTIF parent 1:0 classid 1:1 htb rate $UPRATE burst $BURST1 cburst $CBURST1
echo "******Specify sub classes*******" tc class add dev $EXTIF parent 1:1 classid 1:101 htb rate $PRIORATE1 ceil $UPRATE quantum $QUANTUM1 burst $BURST1 cburst $CBURST1 prio 0
tc class add dev $EXTIF parent 1:1 classid 1:102 htb rate $PRIORATE2 ceil $UPRATE quantum $QUANTUM2 burst $BURST2 cburst $CBURST2 prio 1
tc class add dev $EXTIF parent 1:1 classid 1:103 htb rate $PRIORATE3 ceil $UPRATE quantum $QUANTUM3 burst $BURST3 cburst $CBURST3 prio 2
tc class add dev $EXTIF parent 1:1 classid 1:104 htb rate $PRIORATE4 ceil $P2PRATE quantum $QUANTUM4 burst $BURST4 cburst $CBURST4 prio 3
echo "******Filter packets (Effectivly Translate the Priority to a class ID******" tc filter add dev $EXTIF parent 1:0 protocol ip prio 0 handle $MARKPRIO1 fw classid 1:101
tc filter add dev $EXTIF parent 1:0 protocol ip prio 1 handle $MARKPRIO2 fw classid 1:102
tc filter add dev $EXTIF parent 1:0 protocol ip prio 2 handle $MARKPRIO3 fw classid 1:103
tc filter add dev $EXTIF parent 1:0 protocol ip prio 3 handle $MARKPRIO4 fw classid 1:104
echo "******Add queuing disciplines******" tc qdisc add dev $EXTIF parent 1:101 sfq perturb 16 quantum $QUANTUM1 tc qdisc add dev $EXTIF parent 1:102 sfq perturb 16 quantum $QUANTUM2 tc qdisc add dev $EXTIF parent 1:103 sfq perturb 16 quantum $QUANTUM3 tc qdisc add dev $EXTIF parent 1:104 sfq perturb 16 quantum $QUANTUM4
######################################################################## # Deny then accept: this keeps holes from opening up # while we close ports and such. Effectivly this means any unmatched # traffic is DROPPED. ######################################################################## $IPT -P INPUT DROP $IPT -P OUTPUT DROP $IPT -P FORWARD DROP
######################################################################## # Flush all existing chains and erase personal chains # "This is to reset the Fail2Ban chain" ######################################################################## CHAINS=`cat /proc/net/ip_tables_names 2>/dev/null` for i in $CHAINS; do $IPT -t $i -F done for i in $CHAINS; do $IPT -t $i -X done
######################################################################## # Ensure Firewall Option are on in the kernel ######################################################################## echo 1 > /proc/sys/net/ipv4/tcp_syncookies echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
######################################################################## # Source Address Verification ######################################################################## for f in /proc/sys/net/ipv4/conf/*/rp_filter; do echo 1 > $f done ######################################################################## # Disable IP source routing and ICMP redirects ######################################################################## for f in /proc/sys/net/ipv4/conf/*/accept_source_route; do echo 0 > $f done for f in /proc/sys/net/ipv4/conf/*/accept_redirects; do echo 0 > $f done echo 1 > /proc/sys/net/ipv4/ip_forward
######################################################################### # Setting up external interface environment variables # and output Network Settings ######################################################################### EXTIP="`$IFC $EXTIF|$G addr:|$SED 's/.*addr:\\([^ ]*\\) .*/\\1/'`" EXTBC="255.255.255.255" EXTMSK="`$IFC $EXTIF|$G Mask:|$SED 's/.*Mask:\\([^ ]*\\)/\\1/'`" EXTNET="$EXTIP/$EXTMSK" echo "EXTIP=$EXTIP EXTBC=$EXTBC EXTMSK=$EXTMSK EXTNET=$EXTNET"
INTIP1="`$IFC $INTIF1|$G addr:|$SED 's/.*addr:\\([^ ]*\\) .*/\\1/'`" INTBC1="`$IFC $INTIF1|$G Bcast:|$SED 's/.*Bcast:\\([^ ]*\\) .*/\\1/'`" INTMSK1="`$IFC $INTIF1|$G Mask:|$SED 's/.*Mask:\\([^ ]*\\)/\\1/'`" INTNET1="$INTIP1/$INTMSK1" echo "INTIP1=$INTIP1 INTBC1=$INTBC1 INTMSK1=$INTMSK1 INTNET1=$INTNET1"
VIRIP="`$IFC $VIRIF:1|$G addr:|$SED 's/.*addr:\\([^ ]*\\) .*/\\1/'`" VIRBC="`$IFC $VIRIF:1|$G Bcast:|$SED 's/.*Bcast:\\([^ ]*\\) .*/\\1/'`" VIRMSK="`$IFC $VIRIF:1|$G Mask:|$SED 's/.*Mask:\\([^ ]*\\)/\\1/'`" VIRNET="$VIRIP/$VIRMSK" echo "VIRIP=$VIRIP VIRBC=$VIRBC VIRMSK=$VIRMSK VIRNET=$VIRNET"
########################################### # !!!! BEGIN FIREWALL RULES !!!! ########################################### # # ####### ####### # ####### ####### # ####### ####### # ####### ####### # ####### ####### # ####### ####### # ####### ####### # ####### ####### # ####### ####### # ####### ####### # ############### ############### # ############# ############# # ########### ########### # ######### ######### # ####### ####### # ##### ##### # ### ### # # # # ###########################################
#0###################################################################### # CUSTOM LOGGING GROUPS ########################################################################
# ****** Drop LOG ******* # Anything Dropped # *********************** $IPT -N LOGDROP 2> /dev/null $IPT -A LOGDROP -j LOG --log-prefix 'DROP:' $IPT -A LOGDROP -j DROP
# ****** Reject LOG ******* # Anything Rejected # *********************** $IPT -N LOGREJECT 2> /dev/null $IPT -A LOGREJECT -j LOG --log-prefix 'LOGREJECT:' $IPT -A LOGREJECT -j REJECT
# ****** Broadcast LOG ******* # Anything Broadcast # *********************** $IPT -N LOGBROADCAST 2> /dev/null $IPT -A LOGBROADCAST -j LOG --log-prefix 'LOGBROADCAST:' $IPT -A LOGBROADCAST -j REJECT
# ****** Foreign LOG ******* # Wrong Subnet traffic # *********************** $IPT -N LOGFOREIGN 2> /dev/null $IPT -A LOGFOREIGN -j LOG --log-prefix 'LOGFOREIGN:' $IPT -A LOGFOREIGN -j REJECT
#Q######################################### # QoS Prioritize Traffic Types # This section will need a rewrite eventually ###########################################
# ****** Priority 1 ******* # * Critical and System # *************************
# ********** # ***** icmp # ********** $IPT -t mangle -A FORWARD -p icmp -j MARK --set-mark $MARKPRIO1 $IPT -t mangle -A OUTPUT -p icmp -j MARK --set-mark $MARKPRIO1
# ********** # ***** SSH # ********** $IPT -t mangle -A FORWARD -p tcp --dport 22 -j MARK --set-mark $MARKPRIO1 $IPT -t mangle -A OUTPUT -p tcp --dport 22 -j MARK --set-mark $MARKPRIO1
# ********** # ***** NON-TCP # ********** $IPT -t mangle -A FORWARD -p ! tcp -j MARK --set-mark $MARKPRIO1 $IPT -t mangle -A OUTPUT -p ! tcp -j MARK --set-mark $MARKPRIO1
# ****** Priority 2 ******* # * Reserved For Future # *************************
# ****** Priority 3 ******* # * HTTP Traffic # *************************
# ********** # ***** HTTP # ********** $IPT -t mangle -A FORWARD -p tcp --dport 80 -j MARK --set-mark $MARKPRIO3
$IPT -t mangle -A OUTPUT -p tcp --dport 80 -j MARK --set-mark $MARKPRIO3
# ********** # ***** HTTPS # ********** $IPT -t mangle -A FORWARD -p tcp --dport 443 -j MARK --set-mark $MARKPRIO3 $IPT -t mangle -A OUTPUT -p tcp --dport 443 -j MARK --set-mark $MARKPRIO3 # ********** # ***** SMTP # ********** $IPT -t mangle -A FORWARD -p tcp --dport 25 -j MARK --set-mark $MARKPRIO3 $IPT -t mangle -A OUTPUT -p tcp --dport 25 -j MARK --set-mark $MARKPRIO3
# ****** Priority 4 ******* # * packets > 1024 bytes # ************************* $IPT -t mangle -A FORWARD -p tcp -m length --length 1024: -j MARK --set-mark $MARKPRIO4
# ********** # ***** Bittorrent # ********** $IPT -t mangle -A FORWARD -i $EXTIF -p tcp --sport $BT -j MARK
--set-mark $MARKPRIO4
$IPT -t mangle -A FORWARD -i $EXTIF -p tcp --dport $BT -j MARK
--set-mark $MARKPRIO4
# ****** TOS Priority ******* # Remaining packets are marked according to TOS # *************************** $IPT -t mangle -A FORWARD -p tcp -m tos --tos Minimize-Delay -m mark
--mark 0 -j MARK --set-mark $MARKPRIO1 $IPT -t mangle -A FORWARD -p tcp -m tos --tos Maximize-Throughput -m mark --mark 0 -j MARK --set-mark $MARKPRIO2 $IPT -t mangle -A FORWARD -p tcp -m tos --tos Minimize-Cost -m mark
--mark 0 -j MARK --set-mark $MARKPRIO4
#Keep Existing Connections Alive on a re-run $IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT $IPT -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT $IPT -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
# MASQURADE RULES $IPT -A INPUT -s 192.168.1.0/24 -m state --state NEW -j ACCEPT $IPT -A OUTPUT -s 192.168.1.0/24 -m state --state NEW -j ACCEPT $IPT -A FORWARD -s 192.168.1.0/24 -m state --state NEW -j ACCEPT
# MASQURADE RULES $IPT -A INPUT -s 10.0.0.0/24 -m state --state NEW -j ACCEPT $IPT -A OUTPUT -s 10.0.0.0/24 -m state --state NEW -j ACCEPT $IPT -A FORWARD -s 10.0.0.0/24 -m state --state NEW -j ACCEPT
# Backup SSH $IPT -A INPUT -p tcp -m tcp -s 192.168.1.180 --dport 22 -m state
--state NEW,ESTABLISHED -j ACCEPT $IPT -A OUTPUT -p tcp -m tcp -d 192.168.1.180 --sport 22 -m state
--state ESTABLISHED,RELATED -j ACCEPT # Backup EXT SSH $IPT -A INPUT -p tcp -m tcp -i $EXTIF --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT $IPT -A OUTPUT -p tcp -m tcp -o $EXTIF --sport 22 -m state --state ESTABLISHED,RELATED -j ACCEPT #11##################################################################### # NAT RULES ######################################################################## $IPT -t nat -A POSTROUTING -o $EXTIF -s $INTNET1 -j MASQUERADE $IPT -t nat -A POSTROUTING -o $EXTIF -s $VIRNET -j MASQUERADE
$IPT -A FORWARD -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
#1###################################################################### # LOOPBACK RULES # -------------- # Now we are going to accpet all traffic from our loopback device # if the IP matches any of our interfaces. ######################################################################## $IPT -A INPUT -i $LPDIF -s $LPDIP -j ACCEPT $IPT -A INPUT -i $LPDIF -s $EXTIP -j ACCEPT $IPT -A INPUT -i $LPDIF -s $INTIP1 -j ACCEPT $IPT -A INPUT -i $LPDIF -s $VIRIP -j ACCEPT
#2###################################################################### # BROADCAST RULES (LOG TO LOGBROADCAST) # --------------- # Blocking Broadcasts ######################################################################## $IPT -A INPUT -i $EXTIF -d $EXTBC -j LOGBROADCAST $IPT -A INPUT -i $INTIF1 -d $INTBC1 -j LOGBROADCAST $IPT -A INPUT -i $VIRIF -d $VIRBC -j LOGBROADCAST
$IPT -A OUTPUT -o $EXTIF -d $EXTBC -j LOGBROADCAST $IPT -A OUTPUT -o $INTIF1 -d $INTBC1 -j LOGBROADCAST $IPT -A OUTPUT -o $VIRIF -d $VIRBC -j LOGBROADCAST
$IPT -A FORWARD -o $EXTIF -d $EXTBC -j LOGBROADCAST $IPT -A FORWARD -o $INTIF1 -d $INTBC1 -j LOGBROADCAST $IPT -A FORWARD -o $VIRIF -d $VIRBC -j LOGBROADCAST
#3###################################################################### # WAN TO LAN RULES (LOG TO LOGDROP) # ---------------- # Block WAN access to internal network # This also stops nefarious crackers from using our network as a # launching point to attack other people # iptables translation: # "if input going into our external interface does not originate from our isp assigned # ip address, drop it like a hot potato ######################################################################## $IPT -A INPUT -i $EXTIF -d ! $EXTIP -j LOGDROP
#5###################################################################### # ALLOW DNS ######################################################################## $IPT -A INPUT -p tcp -m tcp --dport 53 -m state --state NEW -j ACCEPT $IPT -A INPUT -p udp -m udp --dport 53 -m state --state NEW -j ACCEPT $IPT -A OUTPUT -p tcp -m tcp --dport 53 -m state --state NEW -j ACCEPT $IPT -A OUTPUT -p udp -m udp --dport 53 -m state --state NEW -j ACCEPT
#6###################################################################### # Block outbound ICMP (except for PING) ######################################################################## $IPT -A OUTPUT -o $EXTIF -p icmp --icmp-type ! 8 -j LOGDROP $IPT -A FORWARD -o $EXTIF -p icmp --icmp-type ! 8 -j LOGDROP
#7###################################################################### # Loop and Block Ports ######################################################################## echo -n "FW: Blocking attacks to TCP port " for i in $TCPBLOCK; do echo -n "$i " $IPT -A INPUT -p tcp --dport $i -j LOGDROP -m comment --comment "Rule Block 7-1-$i" $IPT -A OUTPUT -p tcp --dport $i -j LOGDROP -m comment --comment "Rule Block 7-2-$i" $IPT -A FORWARD -p tcp --dport $i -j LOGDROP -m comment --comment "Rule Block 7-3-$i" done echo "" echo -n "FW: Blocking attacks to UDP port " for i in $UDPBLOCK; do echo -n "$i " $IPT -A INPUT -p udp --dport $i -j LOGDROP -m comment --comment "Rule Block 7-4-$i" $IPT -A OUTPUT -p udp --dport $i -j LOGDROP -m comment --comment "Rule Block 7-5-$i" $IPT -A FORWARD -p udp --dport $i -j LOGDROP -m comment --comment "Rule Block 7-6-$i" done echo ""
#8###################################################################### # Loop and Allow Ports to be used from LAN THESE ARE NOT NAT RULES!! # If you are going to NAT a port range you have to add it here also # All services ports are read from /etc/services # WHAT DO WE ALLOW PEOPLE INSIDE OUR NETWORK TO USE ######################################################################## echo -n "FW: Allowing inside systems to use service:" for i in $TCPSERV; do echo -n "$i " $IPT -A OUTPUT -o $EXTIF -p tcp -s $EXTIP --dport $i --syn -m state --state NEW -j ACCEPT -m comment --comment "Rule Block 8-1-$i" $IPT -A FORWARD -i $INTIF1 -p tcp -s $INTNET1 --dport $i --syn -m state --state NEW -j ACCEPT -m comment --comment "Rule Block 8-2-$i" $IPT -A FORWARD -i $VIRIF -p tcp -s $VIRNET --dport $i --syn -m state
--state NEW -j ACCEPT -m comment --comment "Rule Block 8-3-$i"
done echo "" echo -n "FW: Allowing inside systems to use service:" for i in $UDPSERV; do echo -n "$i " $IPT -A OUTPUT -o $EXTIF -p udp -s $EXTIP --dport $i -m state
--state NEW -j ACCEPT -m comment --comment "Rule Block 8-4-$i" $IPT -A FORWARD -i $INTIF1 -p udp -s $INTNET1 --dport $i -m state
--state NEW -j ACCEPT -m comment --comment "Rule Block 8-5-$i" $IPT -A FORWARD -i $VIRIF -p udp -s $VIRNET --dport $i -m state
--state NEW -j ACCEPT -m comment --comment "Rule Block 8-6-$i" done echo ""
#9###################################################################### # Allow to ping out ######################################################################## $IPT -A OUTPUT -o $EXTIF -p icmp -s $EXTIP --icmp-type 8 -m state
--state NEW -j ACCEPT $IPT -A FORWARD -i $INTIF1 -p icmp -s $INTNET1 --icmp-type 8 -m state
--state NEW -j ACCEPT $IPT -A FORWARD -i $VIRIF -p icmp -s $VIRNET --icmp-type 8 -m state
--state NEW -j ACCEPT
#10##################################################################### # Allow firewall to ping internal systems ######################################################################## $IPT -A OUTPUT -o $INTIF1 -p icmp -s $INTNET1 --icmp-type 8 -m state
--state NEW -j ACCEPT $IPT -A INPUT -i $INTIF1 -p tcp --dport 22 --syn -m state --state NEW
-j ACCEPT
$IPT -A OUTPUT -o $VIRIF -p icmp -s $VIRNET --icmp-type 8 -m state
--state NEW -j ACCEPT $IPT -A INPUT -i $VIRIF -p tcp --dport 22 --syn -m state --state NEW
-j ACCEPT
#12##################################################################### # NAT Translations (INSERT ON THE FORWARD) ########################################################################
#*********************************************************************** #*Bit Torrent to MOAT*************************************************** #*********************************************************************** $IPT -t nat -A PREROUTING -i $EXTIF -p tcp --dport $BT -j DNAT
--to-destination 192.168.1.180 $IPT -A FORWARD -s 192.168.1.180 -p tcp --dport $BT -j ACCEPT $IPT -t nat -A PREROUTING -i $EXTIF -p udp --dport $BT -j DNAT
--to-destination 192.168.1.180 $IPT -A FORWARD -s 192.168.1.180 -p udp --dport $BT -j ACCEPT #*********************************************************************** #*SSH To Internal Servers*********************************************** #*********************************************************************** $IPT -t nat -A PREROUTING -i $EXTIF -p tcp --dport 2222 -j DNAT
--to-destination 10.0.0.1 $IPT -A FORWARD -s 10.0.0.1 -p tcp --dport 2222 -j ACCEPT $IPT -t nat -A PREROUTING -i $EXTIF -p tcp --dport 2223 -j DNAT
--to-destination 10.0.0.101 $IPT -A FORWARD -s 10.0.0.101 -p tcp --dport 2223 -j ACCEPT $IPT -t nat -A PREROUTING -i $EXTIF -p tcp --dport 2224 -j DNAT
--to-destination 10.0.0.102 $IPT -A FORWARD -s 10.0.0.102 -p tcp --dport 2224 -j ACCEPT
$IPT -t nat -A PREROUTING -i $EXTIF -p tcp --dport 'rsync' -j DNAT
--to-destination 10.0.0.1 $IPT -A FORWARD -s 10.0.0.1 -p tcp --dport 'rsync' -j ACCEPT $IPT -t nat -A PREROUTING -i $EXTIF -p udp --dport 'rsync' -j DNAT
--to-destination 10.0.0.1 $IPT -A FORWARD -s 10.0.0.1 -p tcp --dport 'rsync' -j ACCEPT ########################################################################
#Comms between the Local Lan and the VM lan For now, unrestricted $IPT -A FORWARD -s $INTNET1 -d $VIRNET -j ACCEPT $IPT -A FORWARD -s $VIRNET -d $INTNET1 -j ACCEPT
#4###################################################################### # FOREIGN LAN RULES (LOG TO LOGFORIEGN) # Now we will block internal addresses originating from anything but our # two predefined interfaces.....just remember that if you jack your # your laptop or another pc into one of these NIC's directly, you'll need # to ensure that they either have the same ip or that you add a line explicitly # for that IP as well # Interface one/internal net one # These rules don't seem to work as the source should be a network not an address # plus with two different subnets bound to the same IF these would implode and # possess the toaster resulting in meyhem, anarchy, and a 3's Company revival ######################################################################## #$IPT -A INPUT -i $INTIF1 -s ! $INTNET1 -j LOGFOREIGN #$IPT -A OUTPUT -o $INTIF1 -d ! $INTNET1 -j LOGFOREIGN #$IPT -A FORWARD -i $INTIF1 -s ! $INTNET1 -j LOGFOREIGN #$IPT -A FORWARD -o $INTIF1 -d ! $INTNET1 -j LOGFOREIGN
#$IPT -A INPUT -i $VIRIF -s ! $VIRNET -j LOGFOREIGN #$IPT -A OUTPUT -o $VIRIF -d ! $VIRNET -j LOGFOREIGN #$IPT -A FORWARD -i $VIRIF -s ! $VIRNET -j LOGFOREIGN #$IPT -A FORWARD -o $VIRIF -d ! $VIRNET -j LOGFOREIGN
# An additional Egress check $IPT -A OUTPUT -o $EXTIF -s ! $EXTNET -j LOGFOREIGN
#13###################################################################### # Block and log what me may have forgot (APPEND) ######################################################################## $IPT -A INPUT -j LOGDROP $IPT -A OUTPUT -j LOGREJECT $IPT -A FORWARD -j LOGDROP
--- SNIP----