Request scrutiny of ipchains script

Torgo Jr agarris@voyager.net
Sat, 19 Aug 2000 16:48:44 -0400



Attached is my first attempt at a fairly complete firewall 
script for my home machine.  Could any of the GLLUG 
security gurus take a look?  My net connection is a PPP 
dialup thru Voyager, and I would like the usual output 
stuff allowed (web, ssh, ftp, etc...).  Of course, over 
my pathetic modem connection, I'm not running any services 
meant for public use on my server.  Are there any holes 
in the script, or anything I forgot?  I based it on 
a web generated script from www.linux-firewall-tools.com 
and changed a few things.  This will run on my Debian 
Potato box on each PPP dialin.

Please disregard any weird shell formatting or overkill 
vertical whitespace.  :)

-- 
Alan Garrison  ___ agarris@voyager.net
"MD5:  An encryption method used on the Internet."
- Microsoft IIS 4.0 Glossary
[Attachment: firewall-start.sh]

#!/bin/sh

## Much of the code below is based on the book
## "Linux Firewalls" by Robert L. Ziegler and his
## web site (http://www.linux-firewall-tools.com/linux).
## This is for my dialup box which also acts as my
## internet gateway for my home network.  This script
## was generated by a firewall-building program on the
## web site.
##

## This script is to be placed in /etc/ppp/ip-up.d/ so pppd runs it on
## each dialin.  Debian's /etc/ppp/ip-up runs that directory through
## run-parts, which skips file names containing a dot, so install it
## without the ".sh" suffix (e.g. as /etc/ppp/ip-up.d/firewall-start).

echo "Starting firewalling... "

##  Some definitions for easy maintenance.
##  EDIT THESE TO SUIT YOUR SYSTEM AND ISP.

EXTERNAL_INTERFACE="ppp0"		# Internet connected interface
LOOPBACK_INTERFACE="lo"			# or your local naming convention
LOCAL_INTERFACE_1="eth0"		# internal LAN interface

## get the PPP address dynamically.  pppd passes ip-up scripts the local
## address as the fourth argument (Debian also exports it as PPP_LOCAL);
## fall back to parsing ifconfig output only if neither is set.
IPADDR="${PPP_LOCAL:-$4}"
if [ -z "$IPADDR" ]; then
    IPADDR=$(/sbin/ifconfig $EXTERNAL_INTERFACE | \
             /bin/sed -n 's/.*inet addr:\([0-9.]*\).*/\1/p')
fi
LOCALNET_1="172.16.12.0/24"		# whatever private range you use

ANYWHERE="any/0"			# match any IP address

#### not using DHCP -aeg
####DHCP_SERVER="any/0"
NAMESERVER_1="172.16.12.1"          # everyone must have at least one
NAMESERVER_2="38.9.213.2"
NAMESERVER_3="209.153.128.4"

SMTP_SERVER="mail.voyager.net"    # Your ISP mail gateway. Your relay.
POP_SERVER="pop.voyager.net"		# Your ISP pop mail server.
NEWS_SERVER="news.voyager.net"		# Your ISP news server

LOOPBACK="127.0.0.0/8"			# reserved loopback address range
CLASS_A="10.0.0.0/8"			# class A private networks
CLASS_B="172.16.0.0/12"			# class B private networks
CLASS_C="192.168.0.0/16"		# class C private networks
CLASS_D_MULTICAST="224.0.0.0/4"		# class D multicast addresses
CLASS_E_RESERVED_NET="240.0.0.0/5"	# class E reserved addresses
BROADCAST_SRC="0.0.0.0"			# broadcast source address
BROADCAST_DEST="255.255.255.255"	# broadcast destination address
PRIVPORTS="0:1023"			# well known, privileged port range
UNPRIVPORTS="1024:65535"		# unprivileged port range
SSH_PORTS="1020:1023"			# privileged source ports an ssh client may use

NFS_PORT="2049"				# (TCP/UDP) NFS
SOCKS_PORT="1080"			# (TCP) Socks

## X Windows port allocation begins at 6000 and increments to 6063
## for each additional server running.

XWINDOW_PORTS="6000:6063"		# (TCP) X windows

## traceroute usually uses -S 32769:65535 -D 33434:33523

TRACEROUTE_SRC_PORTS="32769:65535"
TRACEROUTE_DEST_PORTS="33434:33523"

## ----------------------------------------------------------------------------
## Default policy is DENY
## Explicitly accept desired INCOMING & OUTGOING connections
## Remove all existing rules belonging to this filter

ipchains -F

## Set the default policy of the filter to deny.

ipchains -P input  DENY
ipchains -P output REJECT
ipchains -P forward DENY

## set masquerade timeout to 10 hours for tcp connections

ipchains -M -S 36000 0 0

# Disallow Fragmented Packets
ipchains -A input -f -i $EXTERNAL_INTERFACE -j DENY

## ----------------------------------------------------------------------------
## Enable IP Forwarding, if it isn't already

echo 1 > /proc/sys/net/ipv4/ip_forward

## Enable TCP SYN Cookie Protection

echo 1 > /proc/sys/net/ipv4/tcp_syncookies

## Enable always defragging Protection

echo 1 > /proc/sys/net/ipv4/ip_always_defrag

## Enable broadcast echo Protection

echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts

## Enable bad error message  Protection

echo 1 > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses

## Enable IP spoofing protection
## turn on Source Address Verification

for f in /proc/sys/net/ipv4/conf/*/rp_filter; do
    echo 1 > $f
done

## Disable ICMP Redirect Acceptance

for f in /proc/sys/net/ipv4/conf/*/accept_redirects; do
    echo 0 > $f
done

for f in /proc/sys/net/ipv4/conf/*/send_redirects; do
    echo 0 > $f
done

## Disable Source Routed Packets

for f in /proc/sys/net/ipv4/conf/*/accept_source_route; do
    echo 0 > $f
done

## Log Spoofed Packets, Source Routed Packets, Redirect Packets

for f in /proc/sys/net/ipv4/conf/*/log_martians; do
    echo 1 > $f
done

## These modules are necessary to masquerade their respective services.

/sbin/modprobe ip_masq_ftp

## LOOPBACK

## Unlimited traffic on the loopback interface.

ipchains -A input  -i $LOOPBACK_INTERFACE  -j ACCEPT 
ipchains -A output -i $LOOPBACK_INTERFACE  -j ACCEPT 

## Unlimited traffic within the local network.

## All internal machines have access to the firewall machine.

ipchains -A input  -i $LOCAL_INTERFACE_1 -s $LOCALNET_1 -j ACCEPT 
ipchains -A output -i $LOCAL_INTERFACE_1 -d $LOCALNET_1 -j ACCEPT 

## Masquerade internal traffic.

## All internal traffic is masqueraded externally.

ipchains -A forward -i $EXTERNAL_INTERFACE -s $LOCALNET_1 -j MASQ

# --------------------------------------------------------------------
# SPOOFING & BAD ADDRESSES
# Refuse spoofed packets.
# Ignore blatantly illegal source addresses.
# Protect yourself from sending to bad addresses.

# Refuse spoofed packets pretending to be from
# the external interface's IP address
ipchains -A input  -i $EXTERNAL_INTERFACE -s $IPADDR -j DENY -l

# Refuse packets claiming to be to or from a Class A private network
ipchains -A input  -i $EXTERNAL_INTERFACE -s $CLASS_A -j DENY
ipchains -A input  -i $EXTERNAL_INTERFACE -d $CLASS_A -j DENY
ipchains -A output -i $EXTERNAL_INTERFACE -s $CLASS_A -j DENY -l
ipchains -A output -i $EXTERNAL_INTERFACE -d $CLASS_A -j DENY -l

# Refuse packets claiming to be to or from a Class B private network
ipchains -A input  -i $EXTERNAL_INTERFACE -s $CLASS_B -j DENY
ipchains -A input  -i $EXTERNAL_INTERFACE -d $CLASS_B -j DENY
ipchains -A output -i $EXTERNAL_INTERFACE -s $CLASS_B -j DENY -l
ipchains -A output -i $EXTERNAL_INTERFACE -d $CLASS_B -j DENY -l

# Refuse packets claiming to be to or from a Class C private network
ipchains -A input  -i $EXTERNAL_INTERFACE -s $CLASS_C -j DENY
ipchains -A input  -i $EXTERNAL_INTERFACE -d $CLASS_C -j DENY
ipchains -A output -i $EXTERNAL_INTERFACE -s $CLASS_C -j DENY -l
ipchains -A output -i $EXTERNAL_INTERFACE -d $CLASS_C -j DENY -l

# Refuse packets claiming to be from the loopback interface
ipchains -A input  -i $EXTERNAL_INTERFACE -s $LOOPBACK -j DENY
ipchains -A output -i $EXTERNAL_INTERFACE -s $LOOPBACK -j DENY -l

# Refuse malformed broadcast packets
ipchains -A input  -i $EXTERNAL_INTERFACE -s $BROADCAST_DEST -j DENY -l
ipchains -A input  -i $EXTERNAL_INTERFACE -d $BROADCAST_SRC  -j DENY -l
ipchains -A output -i $EXTERNAL_INTERFACE -s $BROADCAST_DEST -j DENY -l
ipchains -A output -i $EXTERNAL_INTERFACE -d $BROADCAST_SRC  -j DENY -l

# Refuse Class D multicast addresses
# Multicast is only illegal as a source address.
# Multicast uses UDP
ipchains -A input  -i $EXTERNAL_INTERFACE -s $CLASS_D_MULTICAST \
         -j DENY -l

ipchains -A output -i $EXTERNAL_INTERFACE -s $CLASS_D_MULTICAST \
         -j REJECT -l

# Refuse Class E reserved IP addresses
ipchains -A input  -i $EXTERNAL_INTERFACE -s $CLASS_E_RESERVED_NET \
         -j DENY -l

ipchains -A output -i $EXTERNAL_INTERFACE -d $CLASS_E_RESERVED_NET \
         -j REJECT

# Refuse addresses defined as reserved by the IANA.
# 0.*.*.*, 1.*.*.*, 2.*.*.*, 5.*.*.*, 7.*.*.*, 23.*.*.*, 27.*.*.*
# 31.*.*.*, 37.*.*.*, 39.*.*.*, 41.*.*.*, 42.*.*.*, 58-60.*.*.*

ipchains -A input -i $EXTERNAL_INTERFACE -s 1.0.0.0/8 -j DENY -l
ipchains -A input -i $EXTERNAL_INTERFACE -s 2.0.0.0/8 -j DENY -l
ipchains -A input -i $EXTERNAL_INTERFACE -s 5.0.0.0/8 -j DENY -l
ipchains -A input -i $EXTERNAL_INTERFACE -s 7.0.0.0/8 -j DENY -l
ipchains -A input -i $EXTERNAL_INTERFACE -s 23.0.0.0/8 -j DENY -l
ipchains -A input -i $EXTERNAL_INTERFACE -s 27.0.0.0/8 -j DENY -l
ipchains -A input -i $EXTERNAL_INTERFACE -s 31.0.0.0/8 -j DENY -l
ipchains -A input -i $EXTERNAL_INTERFACE -s 37.0.0.0/8 -j DENY -l
ipchains -A input -i $EXTERNAL_INTERFACE -s 39.0.0.0/8 -j DENY -l
ipchains -A input -i $EXTERNAL_INTERFACE -s 41.0.0.0/8 -j DENY -l
ipchains -A input -i $EXTERNAL_INTERFACE -s 42.0.0.0/8 -j DENY -l
ipchains -A input -i $EXTERNAL_INTERFACE -s 58.0.0.0/7 -j DENY -l
ipchains -A input -i $EXTERNAL_INTERFACE -s 60.0.0.0/8 -j DENY -l

# 65: 01000001   - /3 includes 64 - need 65-79 spelled out
ipchains -A input -i $EXTERNAL_INTERFACE -s 65.0.0.0/8 -j DENY -l
ipchains -A input -i $EXTERNAL_INTERFACE -s 66.0.0.0/8 -j DENY -l
ipchains -A input -i $EXTERNAL_INTERFACE -s 67.0.0.0/8 -j DENY -l
ipchains -A input -i $EXTERNAL_INTERFACE -s 68.0.0.0/8 -j DENY -l
ipchains -A input -i $EXTERNAL_INTERFACE -s 69.0.0.0/8 -j DENY -l
ipchains -A input -i $EXTERNAL_INTERFACE -s 70.0.0.0/8 -j DENY -l
ipchains -A input -i $EXTERNAL_INTERFACE -s 71.0.0.0/8 -j DENY -l
ipchains -A input -i $EXTERNAL_INTERFACE -s 72.0.0.0/8 -j DENY -l
ipchains -A input -i $EXTERNAL_INTERFACE -s 73.0.0.0/8 -j DENY -l
ipchains -A input -i $EXTERNAL_INTERFACE -s 74.0.0.0/8 -j DENY -l
ipchains -A input -i $EXTERNAL_INTERFACE -s 75.0.0.0/8 -j DENY -l
ipchains -A input -i $EXTERNAL_INTERFACE -s 76.0.0.0/8 -j DENY -l
ipchains -A input -i $EXTERNAL_INTERFACE -s 77.0.0.0/8 -j DENY -l
ipchains -A input -i $EXTERNAL_INTERFACE -s 78.0.0.0/8 -j DENY -l
ipchains -A input -i $EXTERNAL_INTERFACE -s 79.0.0.0/8 -j DENY -l

# 80: 01010000   - /4 masks 80-95
ipchains -A input -i $EXTERNAL_INTERFACE -s 80.0.0.0/4 -j DENY -l

# 96: 01100000  - /4 masks 96-111
ipchains -A input -i $EXTERNAL_INTERFACE -s 96.0.0.0/4 -j DENY -l

# 126: 01111110  - /3 includes 127 - need 112-126 spelled out
ipchains -A input -i $EXTERNAL_INTERFACE -s 112.0.0.0/8 -j DENY -l
ipchains -A input -i $EXTERNAL_INTERFACE -s 113.0.0.0/8 -j DENY -l
ipchains -A input -i $EXTERNAL_INTERFACE -s 114.0.0.0/8 -j DENY -l
ipchains -A input -i $EXTERNAL_INTERFACE -s 115.0.0.0/8 -j DENY -l
ipchains -A input -i $EXTERNAL_INTERFACE -s 116.0.0.0/8 -j DENY -l
ipchains -A input -i $EXTERNAL_INTERFACE -s 117.0.0.0/8 -j DENY -l
ipchains -A input -i $EXTERNAL_INTERFACE -s 118.0.0.0/8 -j DENY -l
ipchains -A input -i $EXTERNAL_INTERFACE -s 119.0.0.0/8 -j DENY -l
ipchains -A input -i $EXTERNAL_INTERFACE -s 120.0.0.0/8 -j DENY -l
ipchains -A input -i $EXTERNAL_INTERFACE -s 121.0.0.0/8 -j DENY -l
ipchains -A input -i $EXTERNAL_INTERFACE -s 122.0.0.0/8 -j DENY -l
ipchains -A input -i $EXTERNAL_INTERFACE -s 123.0.0.0/8 -j DENY -l
ipchains -A input -i $EXTERNAL_INTERFACE -s 124.0.0.0/8 -j DENY -l
ipchains -A input -i $EXTERNAL_INTERFACE -s 125.0.0.0/8 -j DENY -l
ipchains -A input -i $EXTERNAL_INTERFACE -s 126.0.0.0/8 -j DENY -l

# 217: 11011001  - /5 includes 216 - need 217-219 spelled out
ipchains -A input -i $EXTERNAL_INTERFACE -s 217.0.0.0/8 -j DENY -l
ipchains -A input -i $EXTERNAL_INTERFACE -s 218.0.0.0/8 -j DENY -l
ipchains -A input -i $EXTERNAL_INTERFACE -s 219.0.0.0/8 -j DENY -l

# 223: 11011111  - /6 masks 220-223
ipchains -A input -i $EXTERNAL_INTERFACE -s 220.0.0.0/6 -j DENY -l

## NOTE:
##     The symbolic names used in /etc/services for the port numbers vary by
##     supplier.  Using them is less error prone and more meaningful, though.

## TCP UNPRIVILEGED PORTS
## Avoid ports subject to protocol & system administration problems.

## NFS: establishing a TCP connection

ipchains -A input  -i $EXTERNAL_INTERFACE -p tcp -y \
         --destination-port $NFS_PORT -j DENY -l
ipchains -A output -i $EXTERNAL_INTERFACE -p tcp -y \
         --destination-port $NFS_PORT -j REJECT 

## Xwindows: establishing a connection
    
ipchains -A input  -i $EXTERNAL_INTERFACE -p tcp -y \
         --destination-port $XWINDOW_PORTS -j DENY -l
ipchains -A output -i $EXTERNAL_INTERFACE -p tcp -y \
         --destination-port $XWINDOW_PORTS -j REJECT 

## SOCKS: establishing a connection

ipchains -A input  -i $EXTERNAL_INTERFACE -p tcp -y \
         --destination-port $SOCKS_PORT -j DENY -l
ipchains -A output -i $EXTERNAL_INTERFACE -p tcp -y \
         --destination-port $SOCKS_PORT -j REJECT 




## UDP UNPRIVILEGED PORTS
## Avoid ports subject to protocol & system administration problems.

ipchains -A input  -i $EXTERNAL_INTERFACE -p udp  \
         --destination-port $NFS_PORT -j DENY -l




## UDP INCOMING TRACEROUTE
## traceroute usually uses -S 32769:65535 -D 33434:33523

ipchains -A input  -i $EXTERNAL_INTERFACE -p udp  \
         --source-port $TRACEROUTE_SRC_PORTS \
         --destination-port $TRACEROUTE_DEST_PORTS -j DENY -l

## TCP INCOMING (established connections)
## Accept any TCP segment that is not a connection request (! -y, i.e.
## not a bare SYN) addressed to the dialup address.  This single rule
## covers the replies to every outgoing client connection allowed below.

ipchains -A input  -i $EXTERNAL_INTERFACE -p tcp ! -y \
         -d $IPADDR -j ACCEPT 



## SSH client (22) - Allowing Client Access to Remote SSH Servers

ipchains -A output -i $EXTERNAL_INTERFACE -p tcp \
         -s $IPADDR $UNPRIVPORTS \
         -d $ANYWHERE 22 -j ACCEPT

ipchains -A input  -i $EXTERNAL_INTERFACE -p tcp ! -y \
         -s $ANYWHERE 22 \
         -d $IPADDR $UNPRIVPORTS -j ACCEPT

ipchains -A output -i $EXTERNAL_INTERFACE -p tcp \
         -s $IPADDR $SSH_PORTS \
         -d $ANYWHERE 22 -j ACCEPT

ipchains -A input  -i $EXTERNAL_INTERFACE -p tcp ! -y \
         -s $ANYWHERE 22 \
         -d $IPADDR $SSH_PORTS -j ACCEPT

## DNS server (53)

## DNS forward-only nameserver

## forward-only can use regular TCP protocol to forwarders

## Note: NAMESERVER_1 is an RFC 1918 address on the LAN side, so the
## ppp0 rules for it below never match (the CLASS_B rules above already
## deny that range on ppp0); LAN traffic is accepted on eth0 above.

ipchains -A output -i $EXTERNAL_INTERFACE -p udp  \
         -s $IPADDR 53 \
         -d $NAMESERVER_1 53 -j ACCEPT 

ipchains -A input  -i $EXTERNAL_INTERFACE -p udp  \
         -s $NAMESERVER_1 53 \
         -d $IPADDR 53 -j ACCEPT 

ipchains -A output -i $EXTERNAL_INTERFACE -p tcp  \
         -s $IPADDR $UNPRIVPORTS \
         -d $NAMESERVER_1 53 -j ACCEPT 

ipchains -A output -i $EXTERNAL_INTERFACE -p udp  \
         -s $IPADDR 53 \
         -d $NAMESERVER_2 53 -j ACCEPT 

ipchains -A input  -i $EXTERNAL_INTERFACE -p udp  \
         -s $NAMESERVER_2 53 \
         -d $IPADDR 53 -j ACCEPT 

ipchains -A output -i $EXTERNAL_INTERFACE -p tcp  \
         -s $IPADDR $UNPRIVPORTS \
         -d $NAMESERVER_2 53 -j ACCEPT 

ipchains -A output -i $EXTERNAL_INTERFACE -p udp  \
         -s $IPADDR 53 \
         -d $NAMESERVER_3 53 -j ACCEPT 

ipchains -A input  -i $EXTERNAL_INTERFACE -p udp  \
         -s $NAMESERVER_3 53 \
         -d $IPADDR 53 -j ACCEPT 

ipchains -A output -i $EXTERNAL_INTERFACE -p tcp  \
         -s $IPADDR $UNPRIVPORTS \
         -d $NAMESERVER_3 53 -j ACCEPT 

## HTTP client (80)

ipchains -A output -i $EXTERNAL_INTERFACE -p tcp  \
         -s $IPADDR $UNPRIVPORTS \
         --destination-port 80 -j ACCEPT 

## HTTPS client (443)
    
ipchains -A output -i $EXTERNAL_INTERFACE -p tcp  \
         -s $IPADDR $UNPRIVPORTS \
         --destination-port 443 -j ACCEPT 

## NNTP NEWS client (119)
    
ipchains -A output -i $EXTERNAL_INTERFACE -p tcp  \
         -s $IPADDR $UNPRIVPORTS \
         -d $NEWS_SERVER 119 -j ACCEPT 

## POP client (110)
    
ipchains -A output -i $EXTERNAL_INTERFACE -p tcp  \
         -s $IPADDR $UNPRIVPORTS \
         -d $POP_SERVER 110 -j ACCEPT 

## SMTP client (25)
    
ipchains -A output -i $EXTERNAL_INTERFACE -p tcp  \
         -s $IPADDR $UNPRIVPORTS \
         -d $SMTP_SERVER 25 -j ACCEPT 

## AUTH server (113)

## Reject, rather than deny, the incoming auth port. (NET-3-HOWTO)

ipchains -A input  -i $EXTERNAL_INTERFACE -p tcp  \
         --source-port $UNPRIVPORTS \
         -d $IPADDR 113 -j REJECT 

## AUTH client (113)

ipchains -A output -i $EXTERNAL_INTERFACE -p tcp  \
         -s $IPADDR $UNPRIVPORTS \
         --destination-port 113 -j ACCEPT 

## WHOIS client (43)

ipchains -A output -i $EXTERNAL_INTERFACE -p tcp  \
         -s $IPADDR $UNPRIVPORTS \
         --destination-port 43 -j ACCEPT 

## FTP client (21)

## outgoing request
    
ipchains -A output -i $EXTERNAL_INTERFACE -p tcp  \
         -s $IPADDR $UNPRIVPORTS \
         --destination-port 21 -j ACCEPT 

## PORT mode data channel

ipchains -A input  -i $EXTERNAL_INTERFACE -p tcp  \
         --source-port 20 \
         -d $IPADDR $UNPRIVPORTS -j ACCEPT 

ipchains -A output -i $EXTERNAL_INTERFACE -p tcp ! -y \
         -s $IPADDR $UNPRIVPORTS \
         --destination-port 20 -j ACCEPT 

## PASSIVE mode data channel creation

ipchains -A output -i $EXTERNAL_INTERFACE -p tcp  \
         -s $IPADDR $UNPRIVPORTS \
         --destination-port $UNPRIVPORTS -j ACCEPT 





## UDP accept only on selected ports

#### (aeg) Removed DHCP code since I don't use DHCP to connect to the internet.

## OUTGOING TRACEROUTE

ipchains -A output -i $EXTERNAL_INTERFACE -p udp  \
         -s $IPADDR $TRACEROUTE_SRC_PORTS \
         --destination-port $TRACEROUTE_DEST_PORTS -j ACCEPT -l




## ICMP

##    To prevent denial of service attacks based on ICMP bombs, filter
##    incoming Redirect (5) and outgoing Destination Unreachable (3).
##    Note, however, disabling Destination Unreachable (3) is not
##    advisable, as it is used to negotiate packet fragment size.

## For bi-directional ping.
##     Message Types:  Echo_Reply (0),  Echo_Request (8)
##     To prevent attacks, limit the src addresses to your ISP range.
## 
## For outgoing traceroute.
##     Message Types:  INCOMING Dest_Unreachable (3), Time_Exceeded (11)
##     default UDP base: 33434 to base+nhops-1
## 
## For incoming traceroute.
##     Message Types:  OUTGOING Dest_Unreachable (3), Time_Exceeded (11)
##     To block this, deny OUTGOING 3 and 11

##  0: echo-reply (pong)
##  3: destination-unreachable, port-unreachable, fragmentation-needed, etc.
##  4: source-quench
##  5: redirect
##  8: echo-request (ping)
## 11: time-exceeded
## 12: parameter-problem

ipchains -A input  -i $EXTERNAL_INTERFACE -p icmp  \
         --icmp-type echo-reply \
         -d $IPADDR -j ACCEPT 

ipchains -A input  -i $EXTERNAL_INTERFACE -p icmp  \
         --icmp-type destination-unreachable \
         -d $IPADDR -j ACCEPT 

ipchains -A input  -i $EXTERNAL_INTERFACE -p icmp  \
         --icmp-type source-quench \
         -d $IPADDR -j ACCEPT 

ipchains -A input  -i $EXTERNAL_INTERFACE -p icmp  \
         --icmp-type time-exceeded \
         -d $IPADDR -j ACCEPT 

ipchains -A input  -i $EXTERNAL_INTERFACE -p icmp  \
         --icmp-type parameter-problem \
         -d $IPADDR -j ACCEPT 


ipchains -A output -i $EXTERNAL_INTERFACE -p icmp  \
         -s $IPADDR fragmentation-needed -j ACCEPT 

ipchains -A output -i $EXTERNAL_INTERFACE -p icmp  \
         -s $IPADDR source-quench -j ACCEPT 

ipchains -A output -i $EXTERNAL_INTERFACE -p icmp  \
         -s $IPADDR echo-request -j ACCEPT 

ipchains -A output -i $EXTERNAL_INTERFACE -p icmp  \
         -s $IPADDR parameter-problem -j ACCEPT 


## Enable logging for selected denied packets

ipchains -A input  -i $EXTERNAL_INTERFACE -p tcp  -j DENY -l

ipchains -A input  -i $EXTERNAL_INTERFACE -p udp  \
         --destination-port $PRIVPORTS -j DENY -l

ipchains -A input  -i $EXTERNAL_INTERFACE -p udp  \
         --destination-port $UNPRIVPORTS -j DENY -l


ipchains -A input  -i $EXTERNAL_INTERFACE -p icmp  \
         --icmp-type 5 -j DENY -l
ipchains -A input  -i $EXTERNAL_INTERFACE -p icmp  \
         --icmp-type 13:255 -j DENY -l

ipchains -A output -i $EXTERNAL_INTERFACE  -j REJECT -l

echo "done"

exit 0
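An added check, not part of the original post or of Ziegler's generator: a small first-match simulator over a constructed subset of the script's input-chain rules on ppp0 (shell variables expanded, dialup address assumed to be 198.51.100.7), so a reviewer can see which verdict a given packet gets under ipchains ordering before loading the rules.

```python
import ipaddress

# Assumed dialup address (constructed; the script obtains it from pppd).
IPADDR = "198.51.100.7"
ANY = "0.0.0.0/0"
ME = IPADDR + "/32"

# Constructed subset of the script's 'input' chain on ppp0, in script order.
# Fields: (proto, syn, src_net, src_ports, dst_net, dst_ports, target)
# syn=True models -y (SYN set, ACK/FIN clear), syn=False models "! -y",
# None leaves the flag untested; a None port range matches any port.
RULES = [
    ("any", None,  ME,               None,          ANY, None,          "DENY"),    # spoofed own address
    ("any", None,  "10.0.0.0/8",     None,          ANY, None,          "DENY"),    # RFC 1918 sources
    ("any", None,  "172.16.0.0/12",  None,          ANY, None,          "DENY"),
    ("any", None,  "192.168.0.0/16", None,          ANY, None,          "DENY"),
    ("any", None,  "224.0.0.0/4",    None,          ANY, None,          "DENY"),    # multicast source
    ("any", None,  "80.0.0.0/4",     None,          ANY, None,          "DENY"),    # reserved 80-95
    ("tcp", True,  ANY,              None,          ANY, (2049, 2049),  "DENY"),    # NFS connect attempt
    ("tcp", True,  ANY,              None,          ANY, (6000, 6063),  "DENY"),    # X11 connect attempt
    ("tcp", False, ANY,              None,          ME,  None,          "ACCEPT"),  # replies to our sessions
    ("tcp", None,  ANY,              (20, 20),      ME,  (1024, 65535), "ACCEPT"),  # FTP PORT-mode data
    ("tcp", None,  ANY,              (1024, 65535), ME,  (113, 113),    "REJECT"),  # auth/ident
    ("tcp", None,  ANY,              None,          ANY, None,          "DENY"),    # logged TCP catch-all
    ("udp", None,  ANY,              None,          ANY, (0, 65535),    "DENY"),    # logged UDP catch-all
]


def _port_ok(port, rng):
    return rng is None or rng[0] <= port <= rng[1]


def verdict(proto, src, sport, dst, dport, syn=False, policy="DENY"):
    """Walk RULES top to bottom and return the first matching target, as
    ipchains does; the chain policy (DENY for input) applies otherwise."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for rproto, rsyn, rsrc, rsp, rdst, rdp, target in RULES:
        if rproto != "any" and rproto != proto:
            continue
        if rsyn is not None and rsyn != syn:
            continue
        if s not in ipaddress.ip_network(rsrc) or d not in ipaddress.ip_network(rdst):
            continue
        if not _port_ok(sport, rsp) or not _port_ok(dport, rdp):
            continue
        return target
    return policy


if __name__ == "__main__":
    # A connection request to sshd on the dialup address is dropped,
    # while a reply segment to one of our own client sessions is accepted.
    print(verdict("tcp", "203.0.113.5", 40000, IPADDR, 22, syn=True))   # DENY
    print(verdict("tcp", "203.0.113.5", 22, IPADDR, 40000, syn=False))  # ACCEPT
```

The same walk shows why the spoofing rules must precede the "! -y" accept rule: a non-SYN segment from 192.168.1.1 is denied only because the private-source rule is matched first.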
