
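# Restrict command lookup to /sbin so that $IPCHAINS resolves there and cannot
# be shadowed by a same-named binary earlier in the invoking user's PATH.
PATH="/sbin"
# NOTE(review): $IPCHAINS is not assigned in this section; it is presumably set
# earlier in the file (e.g. IPCHAINS=ipchains) -- confirm before running.

# Our internal network address space and its supporting network device.
OURNET="172.29.16.0/24"
OURBCAST="172.29.16.255"
OURDEV="eth0"

# The outside address and the network device that supports it.
ANYADDR="0/0"
ANYDEV="eth1"

# The TCP services we wish to allow to pass - "" empty means all ports
# note: space separated
TCPIN="smtp www"
TCPOUT="smtp www ftp ftp-data irc"

# The UDP services we wish to allow to pass - "" empty means all ports
# note: space separated
UDPIN="domain"
UDPOUT="domain"

# The ICMP services we wish to allow to pass - "" empty means all types
# ref: /usr/include/netinet/ip_icmp.h for type numbers
# note: space separated
ICMPIN="0 3 11"
ICMPOUT="8 3 11"

# Logging; uncomment the following line to enable logging of datagrams
# that are blocked by the firewall.
# LOGGING=1

# END USER CONFIGURABLE SECTION
##########################################################################

# Flush the Input table rules
$IPCHAINS -F input

# We want to deny incoming access by default.
$IPCHAINS -P input deny

# SPOOFING
# We should not accept any datagrams with a source address matching ours
# from the outside, so we deny them.
$IPCHAINS -A input -s "$OURNET" -i "$ANYDEV" -j deny

# SMURF
# Disallow ICMP to our broadcast address to prevent "Smurf" style attack.
# ipchains selects the interface with -i; it has no -w option, so the
# original "-w $ANYDEV" would be rejected and this rule would never load.
$IPCHAINS -A input -p icmp -i "$ANYDEV" -d "$OURBCAST" -j deny

# We should accept fragments, in ipchains we must do this explicitly.
# CAUTION: this accepts every non-first fragment unconditionally, because
# ipchains cannot match ports on them, so fragmented traffic bypasses the
# port filtering below. Reassembling fragments in the kernel before
# filtering, or at least logging this rule, is preferable if that matters.
$IPCHAINS -A input -f -j accept

# TCP
# We will accept all TCP datagrams belonging to an existing connection
# (i.e. having the ACK bit set) for the TCP ports we're allowing through.
# This should catch more than 95 % of all valid TCP packets.
# -b installs the mirror rule (source/destination swapped) as well, so
# replies leaving our network are covered too.
# ipchains takes only ONE port (or a port:port range) after -d, so a
# multi-word list such as "smtp www" cannot go into a single rule; add one
# rule per service instead. An empty list adds a single rule without a
# port, i.e. all ports, as documented in the configurable section.
if [ -z "$TCPIN" ]; then
  $IPCHAINS -A input -p tcp -d "$OURNET" ! -y -b -j accept
else
  for svc in $TCPIN; do
    $IPCHAINS -A input -p tcp -d "$OURNET" "$svc" ! -y -b -j accept
  done
fi

# TCP - INCOMING CONNECTIONS
# We will accept connection requests (SYN only, -y) from the outside only
# on the allowed TCP ports -- again one rule per service, see above.
if [ -z "$TCPIN" ]; then
  $IPCHAINS -A input -p tcp -i "$ANYDEV" -d "$OURNET" -y -j accept
else
  for svc in $TCPIN; do
    $IPCHAINS -A input -p tcp -i "$ANYDEV" -d "$OURNET" "$svc" -y -j accept
  done
fi

# TCP - OUTGOING CONNECTIONS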
