New IPTABLES settings block Postfix [SOLVED]

[Fooligan]

This is my first post. I've always manged to sort things out by reading other posts and howto's but now I seem stuck.

With the help of various howto's on the web Ive been running a home server / router for a few years now.
After re-reading the Gentoo Security Handbook again I thought it was time to adjust my firewall settings.

My working firewall was made with the commands found on http://www.gentoo.org/doc/en/home-router-howto.xml;
I added some rules to the above so my web server and mail server are also available from the WAN. (See FIREWALL SETUP 1)

I thought adjusting the script I found in the Security Handbook (see FIREWALL SETTINGS 2) with the parts marked in red would have me up and running again with all the benefits of this script.

After I applied this script I found myself very happy for a moment thinking everything worked as before, until I noticed that the Que in Postfix kept growing. Messages could not be delivered / sent. The error message I got was; no route to host [127.0.0.1]. For my email server I happily used the following Howto's;
http://www.gentoo.org/doc/en/virt-mail-howto.xml and http://www.gentoo.org/doc/en/mailfilter-guide.xml

Where did I go wrong? Is there something wrong with the order I put things in? If you need more info to help please let me know.

FIREWALL SETUP 1

#First we flush our current rules
iptables -F
iptables -t nat -F

#Setup default policies to handle unmatched traffic
iptables -P INPUT ACCEPT
iptables -P OUTPUT ACCEPT
iptables -P FORWARD DROP

#Copy and paste these examples ...
export LAN=eth1
export WAN=eth0

#Locking services so they only work from LAN
$IPTABLES -I INPUT 1 -i ${LAN} -j ACCEPT
$IPTABLES -I INPUT 1 -i lo -j ACCEPT
$IPTABLES -A INPUT -p UDP --dport bootps -i ! $IINTERFACE -j REJECT
$IPTABLES -A INPUT -p UDP --dport domain -i ! $IINTERFACE -j REJECT

#(Optional) Allow access to our ssh server from the WAN
iptables -A INPUT -p TCP --dport ssh -i ${WAN} -j ACCEPT

#Drop TCP / UDP packets to privileged ports
iptables -A INPUT -p TCP -i ! ${LAN} -d 0/0 --dport 0:1023 -j DROP
iptables -A INPUT -p UDP -i ! ${LAN} -d 0/0 --dport 0:1023 -j DROP

#Finally we add the rules for NAT
iptables -I FORWARD -i ${LAN} -d 192.168.0.0/255.255.0.0 -j DROP
iptables -A FORWARD -i ${LAN} -s 192.168.0.0/255.255.0.0 -j ACCEPT
iptables -A FORWARD -i ${WAN} -d 192.168.0.0/255.255.0.0 -j ACCEPT
iptables -t nat -A POSTROUTING -o ${WAN} -j MASQUERADE

FIREWALL SETUP 2

#!/bin/sh
IPTABLES=/sbin/iptables
IPTABLESSAVE=/sbin/iptables-save
IPTABLESRESTORE=/sbin/iptables-restore
FIREWALL=/etc/firewall.rules
DNS1=194.109.6.66
DNS2=194.109.9.99
#inside
IIP=192.168.0.1
IINTERFACE=eth1
LOCAL_NETWORK=192.168.0.0/24
#outside
OIP=10.0.0.150
OINTERFACE=eth0

opts="${opts} showstatus panic save restore showoptions rules"

depend() {
need net
}

rules() {
stop
ebegin "Setting internal rules"

einfo "Setting default rule to drop"
$IPTABLES -P FORWARD DROP
$IPTABLES -P INPUT DROP
$IPTABLES -P OUTPUT DROP

#default rule
einfo "Creating states chain"
$IPTABLES -N allowed-connection
$IPTABLES -F allowed-connection
$IPTABLES -A allowed-connection -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A allowed-connection -i $IINTERFACE -m limit -j LOG --log-prefix \
"Bad packet from ${IINTERFACE}:"
$IPTABLES -A allowed-connection -j DROP

#Locking services so they only work from LAN
$IPTABLES -I INPUT 1 -i $IINTERFACE -j ACCEPT
$IPTABLES -I INPUT 1 -i lo -j ACCEPT
$IPTABLES -A INPUT -p UDP --dport bootps -i ! $IINTERFACE -j REJECT
$IPTABLES -A INPUT -p UDP --dport domain -i ! $IINTERFACE -j REJECT
#ICMP traffic
einfo "Creating icmp chain"
$IPTABLES -N icmp_allowed
$IPTABLES -F icmp_allowed
$IPTABLES -A icmp_allowed -m state --state NEW -p icmp --icmp-type \
time-exceeded -j ACCEPT
$IPTABLES -A icmp_allowed -m state --state NEW -p icmp --icmp-type \
destination-unreachable -j ACCEPT
$IPTABLES -A icmp_allowed -p icmp -j LOG --log-prefix "Bad ICMP traffic:"
$IPTABLES -A icmp_allowed -p icmp -j DROP

#Incoming traffic
einfo "Creating incoming ssh traffic chain"
$IPTABLES -N allow-ssh-traffic-in
$IPTABLES -F allow-ssh-traffic-in
#Flood protection
$IPTABLES -A allow-ssh-traffic-in -m limit --limit 1/second -p tcp --tcp-flags \
ALL RST --dport ssh -j ACCEPT
$IPTABLES -A allow-ssh-traffic-in -m limit --limit 1/second -p tcp --tcp-flags \
ALL FIN --dport ssh -j ACCEPT
$IPTABLES -A allow-ssh-traffic-in -m limit --limit 1/second -p tcp --tcp-flags \
ALL SYN --dport ssh -j ACCEPT
$IPTABLES -A allow-ssh-traffic-in -m state --state RELATED,ESTABLISHED -p tcp --dport ssh -j ACCEPT
einfo "Creating incoming server traffic chain"
$IPTABLES -N allow-server-traffic-in
$IPTABLES -F allow-server-traffic-in
$IPTABLES -A allow-server-traffic-in -p tcp -m state --state NEW -m tcp --dport 7 -j ACCEPT
$IPTABLES -A allow-server-traffic-in -p tcp -m state --state NEW -m tcp --dport 21 -j ACCEPT
$IPTABLES -A allow-server-traffic-in -p tcp -m state --state NEW -m tcp --dport 25 -j ACCEPT
$IPTABLES -A allow-server-traffic-in -p tcp -m state --state NEW -m tcp --dport 20 -j ACCEPT
$IPTABLES -A allow-server-traffic-in -p tcp -m state --state NEW -m tcp --dport 110 -j ACCEPT
$IPTABLES -A allow-server-traffic-in -p tcp -m state --state NEW -m tcp --dport 143 -j ACCEPT
$IPTABLES -A allow-server-traffic-in -p tcp -m state --state NEW -m tcp --dport 993 -j ACCEPT
$IPTABLES -A allow-server-traffic-in -p tcp -m state --state NEW -m tcp --dport 6881:6889 -j ACCEPT
$IPTABLES -A allow-server-traffic-in -p tcp -m state --state NEW -m tcp --dport 2703 -j ACCEPT
$IPTABLES -A allow-server-traffic-in -p tcp -m state --state NEW -m tcp --dport 9001 -j ACCEPT
$IPTABLES -A allow-server-traffic-in -p tcp -m state --state NEW -m tcp --dport 9030 -j ACCEPT
$IPTABLES -A allow-server-traffic-in -p udp -m state --state NEW -m udp --dport 2677 -j ACCEPT
$IPTABLES -A allow-server-traffic-in -p tcp -m state --state NEW -m tcp --dport 443 -j ACCEPT
$IPTABLES -A allow-server-traffic-in -p tcp -m state --state NEW -m tcp --dport 10000 -j ACCEPT
$IPTABLES -A allow-server-traffic-in -p tcp -m state --state NEW -m tcp --dport 8880 -j ACCEPT
$IPTABLES -A allow-server-traffic-in -p tcp -m state --state NEW -m tcp --dport 53 -j ACCEPT
$IPTABLES -A allow-server-traffic-in -p udp -m state --state NEW -m udp --dport 53 -j ACCEPT
$IPTABLES -A allow-server-traffic-in -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT
$IPTABLES -A allow-server-traffic-in -m state --state RELATED,ESTABLISHED -p tcp --dport 7 -j ACCEPT
$IPTABLES -A allow-server-traffic-in -m state --state RELATED,ESTABLISHED -p tcp –-dport 21 -j ACCEPT
$IPTABLES -A allow-server-traffic-in -m state --state RELATED,ESTABLISHED -p tcp --dport 25 -j ACCEPT
$IPTABLES -A allow-server-traffic-in -m state --state RELATED,ESTABLISHED -p tcp --dport 20 -j ACCEPT
$IPTABLES -A allow-server-traffic-in -m state --state RELATED,ESTABLISHED -p tcp --dport 110 -j ACCEPT
$IPTABLES -A allow-server-traffic-in -m state --state RELATED,ESTABLISHED -p tcp --dport 143 -j ACCEPT
$IPTABLES -A allow-server-traffic-in -m state --state RELATED,ESTABLISHED -p tcp --dport 993 -j ACCEPT
$IPTABLES -A allow-server-traffic-in -m state --state RELATED,ESTABLISHED -p tcp --dport 6881:6889 -j ACCEPT
$IPTABLES -A allow-server-traffic-in -m state --state RELATED,ESTABLISHED -p tcp --dport 2703 -j ACCEPT
$IPTABLES -A allow-server-traffic-in -m state --state RELATED,ESTABLISHED -p tcp --dport 9001 -j ACCEPT
$IPTABLES -A allow-server-traffic-in -m state --state RELATED,ESTABLISHED -p tcp --dport 9030 -j ACCEPT
$IPTABLES -A allow-server-traffic-in -m state --state RELATED,ESTABLISHED -p udp --dport 2677 -j ACCEPT
$IPTABLES -A allow-server-traffic-in -m state --state RELATED,ESTABLISHED -p tcp --dport 443 -j ACCEPT
$IPTABLES -A allow-server-traffic-in -m state --state RELATED,ESTABLISHED -p tcp --dport 10000 -j ACCEPT
$IPTABLES -A allow-server-traffic-in -m state --state RELATED,ESTABLISHED -p tcp --dport 8880 -j ACCEPT
$IPTABLES -A allow-server-traffic-in -m state --state RELATED,ESTABLISHED -p tcp --dport 53 -j ACCEPT
$IPTABLES -A allow-server-traffic-in -m state --state RELATED,ESTABLISHED -p udp --dport 53 -j ACCEPT
$IPTABLES -A allow-server-traffic-in -m state --state RELATED,ESTABLISHED -p tcp --dport 80 -j ACCEPT



#outgoing traffic
einfo "Creating outgoing ssh traffic chain"
$IPTABLES -N allow-ssh-traffic-out
$IPTABLES -F allow-ssh-traffic-out
$IPTABLES -A allow-ssh-traffic-out -p tcp --dport ssh -j ACCEPT

einfo "Creating outgoing dns traffic chain"
$IPTABLES -N allow-dns-traffic-out
$IPTABLES -F allow-dns-traffic-out
$IPTABLES -A allow-dns-traffic-out -p udp -d $DNS1 --dport domain \
-j ACCEPT
$IPTABLES -A allow-dns-traffic-out -p udp -d $DNS2 --dport domain \
-j ACCEPT

einfo "Creating outgoing server traffic chain"
$IPTABLES -N allow-server-traffic-out
$IPTABLES -F allow-server-traffic-out
$IPTABLES -A allow-server-traffic-in -p tcp --dport 7 -j ACCEPT
$IPTABLES -A allow-server-traffic-in -p tcp --dport 21 -j ACCEPT
$IPTABLES -A allow-server-traffic-in -p tcp --dport 25 -j ACCEPT
$IPTABLES -A allow-server-traffic-in -p tcp --dport 20 -j ACCEPT
$IPTABLES -A allow-server-traffic-in -p tcp --dport 110 -j ACCEPT
$IPTABLES -A allow-server-traffic-in -p tcp --dport 143 -j ACCEPT
$IPTABLES -A allow-server-traffic-in -p tcp --dport 993 -j ACCEPT
$IPTABLES -A allow-server-traffic-in -p tcp --dport 6881:6889 -j ACCEPT
$IPTABLES -A allow-server-traffic-in -p tcp --dport 2703 -j ACCEPT
$IPTABLES -A allow-server-traffic-in -p tcp --dport 9001 -j ACCEPT
$IPTABLES -A allow-server-traffic-in -p tcp --dport 9030 -j ACCEPT
$IPTABLES -A allow-server-traffic-in -p udp --dport 2677 -j ACCEPT
$IPTABLES -A allow-server-traffic-in -p tcp --dport 443 -j ACCEPT
$IPTABLES -A allow-server-traffic-in -p tcp --dport 10000 -j ACCEPT
$IPTABLES -A allow-server-traffic-in -p tcp --dport 8880 -j ACCEPT
$IPTABLES -A allow-server-traffic-in -p tcp --dport 53 -j ACCEPT
$IPTABLES -A allow-server-traffic-in -p udp --dport 53 -j ACCEPT
$IPTABLES -A allow-server-traffic-in -p tcp --dport 80 -j ACCEPT

#Catch portscanners
einfo "Creating portscan detection chain"
$IPTABLES -N check-flags
$IPTABLES -F check-flags
$IPTABLES -A check-flags -p tcp --tcp-flags ALL FIN,URG,PSH -m limit \
--limit 5/minute -j LOG --log-level alert --log-prefix "NMAP-XMAS:"
$IPTABLES -A check-flags -p tcp --tcp-flags ALL FIN,URG,PSH -j DROP
$IPTABLES -A check-flags -p tcp --tcp-flags ALL ALL -m limit --limit \
5/minute -j LOG --log-level 1 --log-prefix "XMAS:"
$IPTABLES -A check-flags -p tcp --tcp-flags ALL ALL -j DROP
$IPTABLES -A check-flags -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG \
-m limit --limit 5/minute -j LOG --log-level 1 --log-prefix "XMAS-PSH:"
$IPTABLES -A check-flags -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j DROP
$IPTABLES -A check-flags -p tcp --tcp-flags ALL NONE -m limit \
--limit 5/minute -j LOG --log-level 1 --log-prefix "NULL_SCAN:"
$IPTABLES -A check-flags -p tcp --tcp-flags ALL NONE -j DROP
$IPTABLES -A check-flags -p tcp --tcp-flags SYN,RST SYN,RST -m limit \
--limit 5/minute -j LOG --log-level 5 --log-prefix "SYN/RST:"
$IPTABLES -A check-flags -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
$IPTABLES -A check-flags -p tcp --tcp-flags SYN,FIN SYN,FIN -m limit \
--limit 5/minute -j LOG --log-level 5 --log-prefix "SYN/FIN:"
$IPTABLES -A check-flags -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP

# Apply and add invalid states to the chains
einfo "Applying chains to INPUT"
$IPTABLES -A INPUT -m state --state INVALID -j DROP
$IPTABLES -A INPUT -p icmp -j icmp_allowed
$IPTABLES -A INPUT -j check-flags
$IPTABLES -A INPUT -i lo -j ACCEPT
$IPTABLES -A INPUT -j allow-ssh-traffic-in
$IPTABLES -A INPUT -j allowed-connection

einfo "Applying chains to FORWARD"
$IPTABLES -A FORWARD -m state --state INVALID -j DROP
$IPTABLES -A FORWARD -p icmp -j icmp_allowed
$IPTABLES -A FORWARD -j check-flags
$IPTABLES -A FORWARD -o lo -j ACCEPT
$IPTABLES -A FORWARD -j allow-ssh-traffic-in
$IPTABLES -A FORWARD -j allow-www-traffic-out
$IPTABLES -A FORWARD -j allowed-connection

einfo "Applying chains to OUTPUT"
$IPTABLES -A OUTPUT -m state --state INVALID -j DROP
$IPTABLES -A OUTPUT -p icmp -j icmp_allowed
$IPTABLES -A OUTPUT -j check-flags
$IPTABLES -A OUTPUT -o lo -j ACCEPT
$IPTABLES -A OUTPUT -j allow-ssh-traffic-out
$IPTABLES -A OUTPUT -j allow-dns-traffic-out
$IPTABLES -A OUTPUT -j allow-www-traffic-out
$IPTABLES -A OUTPUT -j allowed-connection

#Allow client to route through via NAT (Network Address Translation)
$IPTABLES -I FORWARD -i $IINTERFACE -d 192.168.0.0/255.255.0.0 -j DROP
$IPTABLES -A FORWARD -i $IINTERFACE -s 192.168.0.0/255.255.0.0 -j ACCEPT
$IPTABLES -A FORWARD -i $OINTERFACE -d 192.168.0.0/255.255.0.0 -j ACCEPT
$IPTABLES -t nat -A POSTROUTING -o $OINTERFACE -j MASQUERADE
eend $?
}

start() {
ebegin "Starting firewall"
if [ -e "${FIREWALL}" ]; then
restore
else
einfo "${FIREWALL} does not exists. Using default rules."
rules
fi
eend $?
}

stop() {
ebegin "Stopping firewall"
$IPTABLES -F
$IPTABLES -t nat -F
$IPTABLES -X
$IPTABLES -P FORWARD ACCEPT
$IPTABLES -P INPUT ACCEPT
$IPTABLES -P OUTPUT ACCEPT
eend $?
}

showstatus() {
ebegin "Status"
$IPTABLES -L -n -v --line-numbers
einfo "NAT status"
$IPTABLES -L -n -v --line-numbers -t nat
eend $?
}

panic() {
ebegin "Setting panic rules"
$IPTABLES -F
$IPTABLES -X
$IPTABLES -t nat -F
$IPTABLES -P FORWARD DROP
$IPTABLES -P INPUT DROP
$IPTABLES -P OUTPUT DROP
$IPTABLES -A INPUT -i lo -j ACCEPT
$IPTABLES -A OUTPUT -o lo -j ACCEPT
eend $?
}

save() {
ebegin "Saving Firewall rules"
$IPTABLESSAVE > $FIREWALL
eend $?
}

restore() {
ebegin "Restoring Firewall rules"
$IPTABLESRESTORE < $FIREWALL
eend $?
}

restart() {
svc_stop; svc_start
}

showoptions() {
echo "Usage: $0 {start|save|restore|panic|stop|restart|showstatus}"
echo "start) will restore setting if exists else force rules"
echo "stop) delete all rules and set all to accept"
echo "rules) force settings of new rules"
echo "save) will store settings in ${FIREWALL}"
echo "restore) will restore settings from ${FIREWALL}"
echo "showstatus) Shows the status"
}

[Hu]

Please use iptables-save -c to show us the rules you are actually using. I see several problems with your existing script, but they are probably not relevant to your immediate issue. You create the allowed-server-traffic-out chain, but you never add any rules to it. On the other hand, the scripts shown never use that chain either, so it only wastes space.

[Fooligan]

I'm sorry I do this on a step by step base.
This server is a headless server and many times I changed something in my firewall I almost locked myself out. I went trough some troubles (logging in without a monitor and entering commands) using the iptables-restore command to get my connections back up. So I'd rather not do that again and have a more or less flawless script before I attempt it again to shown you the output of the iptables-save -c command.
I just changed the script above. I corrected the server-out-chain and added the rules further down (again in red).
Do you see anything else you think needs correcting? As long as you think I can ssh myself in thru a network computer to correct any problems I'd be more than happy to apply the script to show you the output.
I don't like to be such a PITA.... And thanks for helping me out!

[Fooligan]

I restored the original post to it's first state (including the typos) to keep things clear.

I decided to go thru with it and followed Hu's suggestions.
Mail passes thru the machine again like before.
Just added a rule for port 873. Since I found I could not sync anymore.
The problem, thank you Hu for pointing it out, was that I put all my trust in "search and replace" in the editor I adjusted the script (found in the Gentoo Security Handbook) in.
After that I stared myself blind on the ports part without looking at what was actually written.

Another question; Hu wrote:

[Hu]

The script is not optimal in terms of how various things are matched, but I see nothing outright incorrect in the revised version. In particular, it appears that you handle all the permitted ports twice: once for NEW and again for RELATED,ESTABLISHED. This is useful if you are trying to keep hit counters, but otherwise it is easier to roll them into one rule. I would point out that by using a series of invocations of iptables commands, you are loading the rules in a non-atomic manner. For complete correctness, you should load your rules atomically using iptables-restore to read in a pre-built set of rules. Gentoo provides an init script to do this.

With regard to locking yourself out, the easiest way to avoid that is to avoid using DROP/REJECT targets. When debugging, replace such targets with a LOG target so that you can see it was hit. Then, before making the script live, check that none of the temporary LOG targets were hit incorrectly. If they were, then some legitimate traffic did not match the intended ACCEPT rule.

[Fooligan]

Thanx again Hu. It all seems working fine right now.

This is the "final" working firewall script, maybe it helps someone else get started;

#!/sbin/runscript
IPTABLES=/sbin/iptables
IPTABLESSAVE=/sbin/iptables-save
IPTABLESRESTORE=/sbin/iptables-restore
FIREWALL=/etc/firewall.rules
DNS1=194.109.6.66
DNS2=194.109.9.99
#inside
IIP=192.168.0.1
IINTERFACE=eth1
LOCAL_NETWORK=192.168.0.0/24
#outside
OIP=10.0.0.150
OINTERFACE=eth0

opts="${opts} showstatus panic save restore showoptions rules"

depend() {
need net
}

rules() {
stop
ebegin "Setting internal rules"

einfo "Setting default rule to drop"
$IPTABLES -P FORWARD DROP
$IPTABLES -P INPUT DROP
$IPTABLES -P OUTPUT DROP

#default rule
einfo "Creating states chain"
$IPTABLES -N allowed-connection
$IPTABLES -F allowed-connection
$IPTABLES -A allowed-connection -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A allowed-connection -i $IINTERFACE -m limit -j LOG --log-prefix \
"Bad packet from ${IINTERFACE}:"

#ICMP traffic
einfo "Creating icmp chain"
$IPTABLES -N icmp_allowed
$IPTABLES -F icmp_allowed
$IPTABLES -A icmp_allowed -m state --state NEW -p icmp --icmp-type \
time-exceeded -j ACCEPT
$IPTABLES -A icmp_allowed -m state --state NEW -p icmp --icmp-type \
destination-unreachable -j ACCEPT
$IPTABLES -A icmp_allowed -p icmp -j LOG --log-prefix "Bad ICMP traffic:"
$IPTABLES -A icmp_allowed -p icmp -j DROP

#Incoming traffic
einfo "Creating incoming ssh traffic chain"
$IPTABLES -N allow-ssh-traffic-in
$IPTABLES -F allow-ssh-traffic-in
#Flood protection
$IPTABLES -A allow-ssh-traffic-in -m limit --limit 1/second -p tcp --tcp-flags \
ALL RST --dport ssh -j ACCEPT
$IPTABLES -A allow-ssh-traffic-in -m limit --limit 1/second -p tcp --tcp-flags \
ALL FIN --dport ssh -j ACCEPT
$IPTABLES -A allow-ssh-traffic-in -m limit --limit 1/second -p tcp --tcp-flags \
ALL SYN --dport ssh -j ACCEPT
$IPTABLES -A allow-ssh-traffic-in -m state --state RELATED,ESTABLISHED -p tcp --dport ssh -j ACCEPT

einfo "Creating incoming server traffic chain"
$IPTABLES -N allow-server-traffic-in
$IPTABLES -F allow-server-traffic-in
$IPTABLES -A allow-server-traffic-in -p tcp -m state --state NEW -m tcp --dport 21 -j ACCEPT
$IPTABLES -A allow-server-traffic-in -p tcp -m state --state NEW -m tcp --dport 25 -j ACCEPT
$IPTABLES -A allow-server-traffic-in -p tcp -m state --state NEW -m tcp --dport 20 -j ACCEPT
$IPTABLES -A allow-server-traffic-in -p tcp -m state --state NEW -m tcp --dport 110 -j ACCEPT
$IPTABLES -A allow-server-traffic-in -p tcp -m state --state NEW -m tcp --dport 143 -j ACCEPT
$IPTABLES -A allow-server-traffic-in -p udp -m state --state NEW -m udp --dport 123 -j ACCEPT
$IPTABLES -A allow-server-traffic-in -p tcp -m state --state NEW -m tcp --dport 993 -j ACCEPT
$IPTABLES -A allow-server-traffic-in -p tcp -m state --state NEW -m tcp --dport 6881:6889 -j ACCEPT
$IPTABLES -A allow-server-traffic-in -p tcp -m state --state NEW -m tcp --dport 2703 -j ACCEPT
$IPTABLES -A allow-server-traffic-in -p tcp -m state --state NEW -m tcp --dport 9001 -j ACCEPT
$IPTABLES -A allow-server-traffic-in -p tcp -m state --state NEW -m tcp --dport 9030 -j ACCEPT
$IPTABLES -A allow-server-traffic-in -p udp -m state --state NEW -m udp --dport 2677 -j ACCEPT
$IPTABLES -A allow-server-traffic-in -p tcp -m state --state NEW -m tcp --dport 443 -j ACCEPT
$IPTABLES -A allow-server-traffic-in -p tcp -m state --state NEW -m tcp --dport 10000 -j ACCEPT
$IPTABLES -A allow-server-traffic-in -p tcp -m state --state NEW -m tcp --dport 8880 -j ACCEPT
$IPTABLES -A allow-server-traffic-in -p tcp -m state --state NEW -m tcp --dport 53 -j ACCEPT
$IPTABLES -A allow-server-traffic-in -p udp -m state --state NEW -m udp --dport 53 -j ACCEPT
$IPTABLES -A allow-server-traffic-in -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT

#outgoing traffic
einfo "Creating outgoing ssh traffic chain"
$IPTABLES -N allow-ssh-traffic-out
$IPTABLES -F allow-ssh-traffic-out
$IPTABLES -A allow-ssh-traffic-out -p tcp --dport ssh -j ACCEPT

einfo "Creating outgoing dns traffic chain"
$IPTABLES -N allow-dns-traffic-out
$IPTABLES -F allow-dns-traffic-out
$IPTABLES -A allow-dns-traffic-out -p udp -d $DNS1 --dport domain \
-j ACCEPT
$IPTABLES -A allow-dns-traffic-out -p udp -d $DNS2 --dport domain \
-j ACCEPT

einfo "Creating outgoing server traffic chain"
$IPTABLES -N allow-server-traffic-out
$IPTABLES -F allow-server-traffic-out
$IPTABLES -A allow-server-traffic-out -p tcp --dport 7 -j ACCEPT
$IPTABLES -A allow-server-traffic-out -p tcp --dport 21 -j ACCEPT
$IPTABLES -A allow-server-traffic-out -p tcp --dport 25 -j ACCEPT
$IPTABLES -A allow-server-traffic-out -p tcp --dport 20 -j ACCEPT
$IPTABLES -A allow-server-traffic-out -p tcp --dport 110 -j ACCEPT
$IPTABLES -A allow-server-traffic-out -p tcp --dport 143 -j ACCEPT
$IPTABLES -A allow-server-traffic-out -p udp --dport 123 -j ACCEPT
$IPTABLES -A allow-server-traffic-out -p tcp --dport 993 -j ACCEPT
$IPTABLES -A allow-server-traffic-out -p tcp --dport 6881:6889 -j ACCEPT
$IPTABLES -A allow-server-traffic-out -p tcp --dport 2703 -j ACCEPT
$IPTABLES -A allow-server-traffic-out -p tcp --dport 9001 -j ACCEPT
$IPTABLES -A allow-server-traffic-out -p tcp --dport 2703 -j ACCEPT
$IPTABLES -A allow-server-traffic-out -p tcp --dport 9030 -j ACCEPT
$IPTABLES -A allow-server-traffic-out -p udp --dport 6277 -j ACCEPT
$IPTABLES -A allow-server-traffic-out -p tcp --dport 443 -j ACCEPT
$IPTABLES -A allow-server-traffic-out -p tcp --dport 10000 -j ACCEPT
$IPTABLES -A allow-server-traffic-out -p tcp --dport 8880 -j ACCEPT
$IPTABLES -A allow-server-traffic-out -p tcp --dport 53 -j ACCEPT
$IPTABLES -A allow-server-traffic-out -p udp --dport 53 -j ACCEPT
$IPTABLES -A allow-server-traffic-out -p tcp --dport 80 -j ACCEPT
$IPTABLES -A allow-server-traffic-out -p tcp --dport 873 -j ACCEPT


#Catch portscanners
einfo "Creating portscan detection chain"
$IPTABLES -N check-flags
$IPTABLES -F check-flags
$IPTABLES -A check-flags -p tcp --tcp-flags ALL FIN,URG,PSH -m limit \
--limit 5/minute -j LOG --log-level alert --log-prefix "NMAP-XMAS:"
$IPTABLES -A check-flags -p tcp --tcp-flags ALL FIN,URG,PSH -j DROP
$IPTABLES -A check-flags -p tcp --tcp-flags ALL ALL -m limit --limit \
5/minute -j LOG --log-level 1 --log-prefix "XMAS:"
$IPTABLES -A check-flags -p tcp --tcp-flags ALL ALL -j DROP
$IPTABLES -A check-flags -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG \
-m limit --limit 5/minute -j LOG --log-level 1 --log-prefix "XMAS-PSH:"
$IPTABLES -A check-flags -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j DROP
$IPTABLES -A check-flags -p tcp --tcp-flags ALL NONE -m limit \
--limit 5/minute -j LOG --log-level 1 --log-prefix "NULL_SCAN:"
$IPTABLES -A check-flags -p tcp --tcp-flags ALL NONE -j DROP
$IPTABLES -A check-flags -p tcp --tcp-flags SYN,RST SYN,RST -m limit \
--limit 5/minute -j LOG --log-level 5 --log-prefix "SYN/RST:"
$IPTABLES -A check-flags -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
$IPTABLES -A check-flags -p tcp --tcp-flags SYN,FIN SYN,FIN -m limit \
--limit 5/minute -j LOG --log-level 5 --log-prefix "SYN/FIN:"
$IPTABLES -A check-flags -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP

# Apply and add invalid states to the chains
einfo "Applying chains to INPUT"
$IPTABLES -A INPUT -m state --state INVALID -j LOG --log-prefix "FIREWALL:INVALID INPUT"
$IPTABLES -A INPUT -m state --state INVALID -j DROP
$IPTABLES -A INPUT -j check-flags
$IPTABLES -A INPUT -p icmp -j icmp_allowed
$IPTABLES -A INPUT -i lo -j ACCEPT
$IPTABLES -A INPUT -i eth1 -j ACCEPT
$IPTABLES -A INPUT -j allowed-connection
$IPTABLES -A INPUT -j allow-ssh-traffic-in
$IPTABLES -A INPUT -j allow-server-traffic-in
$IPTABLES -A INPUT -p tcp -j REJECT --reject-with tcp-reset
$IPTABLES -A INPUT -p udp -j REJECT --reject-with icmp-port-unreachable

einfo "Applying chains to FORWARD"
$IPTABLES -A FORWARD -i eth1 -s 192.168.0.0/255.255.0.0 -j ACCEPT
$IPTABLES -A FORWARD -i eth0 -d 192.168.0.0/255.255.0.0 -j ACCEPT
$IPTABLES -t nat -A POSTROUTING -o eth0 -j MASQUERADE
$IPTABLES -A FORWARD -m state --state INVALID -j LOG --log-prefix "FIREWALL:INVALID FORWARD"
$IPTABLES -A FORWARD -m state --state INVALID -j DROP
$IPTABLES -A FORWARD -j check-flags
$IPTABLES -I FORWARD -i eth1 -d 192.168.0.0/255.255.0.0 -j DROP

einfo "Applying chains to OUTPUT"
$IPTABLES -A OUTPUT -m state --state INVALID -j LOG --log-prefix "FIREWALL:INVALID OUTPUT"
$IPTABLES -A OUTPUT -m state --state INVALID -j DROP
$IPTABLES -A OUTPUT -j check-flags
$IPTABLES -A OUTPUT -p icmp -j icmp_allowed
$IPTABLES -A OUTPUT -o lo -j ACCEPT
$IPTABLES -A OUTPUT -o eth1 -j ACCEPT
$IPTABLES -A OUTPUT -j allowed-connection
$IPTABLES -A OUTPUT -j allow-ssh-traffic-out
$IPTABLES -A OUTPUT -j allow-dns-traffic-out
$IPTABLES -A OUTPUT -j allow-server-traffic-out
eend $?
}

start() {
ebegin "Starting firewall"
if [ -e "${FIREWALL}" ]; then
restore
else
einfo "${FIREWALL} does not exists. Using default rules."
rules
fi
eend $?
}

stop() {
ebegin "Stopping firewall"
$IPTABLES -F
$IPTABLES -t nat -F
$IPTABLES -X
$IPTABLES -P FORWARD ACCEPT
$IPTABLES -P INPUT ACCEPT
$IPTABLES -P OUTPUT ACCEPT
eend $?
}

showstatus() {
ebegin "Status"
$IPTABLES -L -n -v --line-numbers
einfo "NAT status"
$IPTABLES -L -n -v --line-numbers -t nat
eend $?
}

panic() {
ebegin "Setting panic rules"
$IPTABLES -F
$IPTABLES -X
$IPTABLES -t nat -F
$IPTABLES -P FORWARD DROP
$IPTABLES -P INPUT DROP
$IPTABLES -P OUTPUT DROP
$IPTABLES -A INPUT -i lo -j ACCEPT
$IPTABLES -A OUTPUT -o lo -j ACCEPT
eend $?
}

save() {
ebegin "Saving Firewall rules"
$IPTABLESSAVE > $FIREWALL
eend $?
}

restore() {
ebegin "Restoring Firewall rules"
$IPTABLESRESTORE < $FIREWALL
eend $?
}

restart() {
svc_stop; svc_start
}

showoptions() {
echo "Usage: $0 {start|save|restore|panic|stop|restart|showstatus}"
echo "start) will restore setting if exists else force rules"
echo "stop) delete all rules and set all to accept"
echo "rules) force settings of new rules"
echo "save) will store settings in ${FIREWALL}"
echo "restore) will restore settings from ${FIREWALL}"
echo "showstatus) Shows the status"
}