Differences

This shows you the differences between two versions of the page.

--- iptables:firewall [2017/04/10 10:53] – peter
+++ iptables:firewall [2019/11/29 17:30] (current) – removed peter
@@ Line 1: / Line 1: @@
-====== IPTables - Firewall ======
-===== Verify the IPTables package is installed =====
-<code bash>
-dpkg --list | grep iptables
-</code>
-Returns
-<code>
-ii  iptables                            1.6.0-2ubuntu3                      amd64        administration tools for packet filtering and NAT
-</code>
-===== Verify the Kernel Module is loaded =====
-<code bash>
-lsmod | grep ip_tables
-</code>
-Returns
-<code>
-ip_tables              24576  4 iptable_filter,iptable_mangle,iptable_nat,iptable_raw
-</code>
-===== Creating iptables rules =====
-<code bash>
-iptables -P INPUT DROP
-iptables -P OUTPUT DROP
-# Allowing Loopback Traffic.
-iptables -I INPUT -i lo -j ACCEPT
-# Allow established connections.
-iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-# Allow SSH access.
-# iptables -I INPUT -p tcp --dport 22 -j ACCEPT
-iptables -A INPUT -p tcp --dport 22 -s 192.168.1.2 -j ACCEPT
-# Enable Web.
-# iptables -A INPUT -p tcp --dport 80 -j ACCEPT
-# iptables -A INPUT -p tcp --dport 443 -j ACCEPT
-# Enable FTP.
-# iptables -A INPUT -p tcp --dport 21 -j ACCEPT
-# iptables -A INPUT -p tcp --dport 20 -j ACCEPT
-# To block an IP range.
-iptables -I INPUT 3 -s 192.168.123.0/24 -j DROP
-</code>
-===== Enable kernel modules =====
-To have FTP work correctly with iptables, ensure that the **ip_conntrack_ftp** module is loaded.
-<code bash>
-modprobe ip_conntrack_ftp
-</code>
-Check that the module is loaded
-<code bash>
-lsmod | grep conntrack
-</code>
-Returns
-<code>
-nf_conntrack_ftp       20480  1 nf_nat_ftp
-nf_conntrack_ipv4      16384  84
-nf_defrag_ipv4         16384  1 nf_conntrack_ipv4
-xt_conntrack           16384  81
-nf_conntrack          106496  9 nf_nat_ftp,nf_nat,xt_state,xt_connlimit,nf_nat_ipv4,xt_conntrack,nf_nat_masquerade_ipv4,nf_conntrack_ftp,nf_conntrack_ipv4
-x_tables               36864  25 xt_pkttype,ip6table_filter,ip6table_mangle,xt_length,xt_comment,xt_CHECKSUM,xt_recent,ip_tables,xt_tcpudp,xt_string,ipt_MASQUERADE,xt_limit,xt_state,xt_connlimit,xt_conntrack,xt_LOG,xt_nat,xt_multiport,iptable_filter,ebtables,ipt_REJECT,iptable_mangle,ip6_tables,xt_addrtype,iptable_raw
-</code>
-===== Setup an init script =====
-<file bash /etc/init.d/firewall-sharewiz>
-#!/bin/bash
-#
-# Start and stop the Firewall.
-# Modify the following settings as required:
-### BEGIN INIT INFO
-# Provides:          firewall-sharewiz
-# Required-Start:    $network
-# Required-Stop:
-# Default-Start:     2 3 4 5
-# Default-Stop:      0 1 6
-### END INIT INFO
-IPTABLES=/sbin/iptables
-NAME=firewall-sharewiz
-opts="start stop restart reload status"
-#if [[ $1 == start ]] ; then
-case "$1" in
-    start)
-        /sharewiz/firewall/firewall.sh
-;;
-    stop)
-        $IPTABLES --flush
-        $IPTABLES -t nat --flush
-        $IPTABLES -F -t mangle
-        $IPTABLES -P INPUT ACCEPT
-        $IPTABLES -P OUTPUT ACCEPT
-        $IPTABLES -P FORWARD ACCEPT
-        $IPTABLES -t nat -P POSTROUTING ACCEPT
-        $IPTABLES -t nat -P PREROUTING ACCEPT
-        $IPTABLES -t nat -P OUTPUT ACCEPT
-;;
-    restart|reload)
-#        $0 stop
-#        $0 start
-        $IPTABLES --flush
-        $IPTABLES -t nat --flush
-        $IPTABLES -F -t mangle
-        $IPTABLES -P INPUT ACCEPT
-        $IPTABLES -P OUTPUT ACCEPT
-        $IPTABLES -P FORWARD ACCEPT
-        $IPTABLES -t nat -P POSTROUTING ACCEPT
-        $IPTABLES -t nat -P PREROUTING ACCEPT
-        $IPTABLES -t nat -P OUTPUT ACCEPT
-        /sharewiz/firewall/firewall.sh
-;;
-    status)
-        $IPTABLES --list
-        $IPTABLES -t nat --list
-        $IPTABLES -t mangle --list
-;;
-    *)
-        echo "Usage: /etc/init.d/$NAME {start|stop|restart|reload|status}" >&2
-        exit 1
-;;
-esac
-exit 0·
-</file>
-Set permissions
-<code bash>
-chmod 755 /etc/init.d/firewall-sharewiz
-</code>
-===== Create the firewall script =====
-<code bash>
-vi /sharewiz/firewall/firewall.sh
-</code>
-and populate as
-<file bash /sharewiz/firewall/firewall.sh>
-#!/bin/bash
-#
-# Modify the following settings as required:
-#
-# You should check/test that the firewall really works, using
-# iptables -vnL, nmap, ping, telnet, ...
-#
-# TODO: ICQ, MSN, GTalk, Skype, Yahoo, etc...
-IPTABLES=/sbin/iptables
-IP6TABLES=/sbin/ip6tables
-LOAD_MODULES=yes
-LOAD_MODULES_IPV6=no
-DEPMOD=/sbin/depmod
-MODPROBE=/sbin/modprobe
-RMMOD=/sbin/rmmod
-ARP=/usr/sbin/arp
-#
-# REJECT target works basically the same as the DROP target, but it also sends
-# back an error message to the host sending the packet that was blocked.
-#
-# The REJECT target is as of today only valid in the INPUT, FORWARD and OUTPUT
-# chains or their sub chains.
-#
-# REJECT --reject-with tcp-reset        # RFC 793.  TCP RST packets are used to close open TCP connections gracefully.
-# REJECT --icmp-net-unreachable         #
-# REJECT --icmp-host-unreachable        #
-# REJECT --icmp-port-unreachable        # Default
-# REJECT --icmp-proto-unreachable       #
-# REJECT --icmp-net-prohibited          #
-# REJECT --icmp-host-prohibited         #
-#*********************************************************
-#
-# Interfaces
-#
-#SERVER_INTERFACE=`ip addr show | awk '$1 == "inet" && $3 == "brd" { print $7 }'`
-#SERVER_IP=`ifconfig $SERVER_INTERFACE | grep inet | awk '{ print $2 }'| cut -d : -f2`
-#tmp=$(/sbin/ifconfig $LANFACE | grep -m 1 inet | tr -d [:alpha:])
-#ifconfig em1 | grep -m 1 inet | tr -d [:alpha:]
-#INET_IP=$(echo $tmp | cut -d : -f2)
-#INET_BCAST=$(echo $tmp | cut -d : -f3)
-#INET_MASK=$(echo $tmp | cut -d : -f4)
-#unset tmp
-#
-# Internet Interface
-#
-#INET_IFACE="eth0"
-#INET_IFACE="em1"
-INET_IFACE="br0"
-#INET_IFACE=$(/sbin/ifconfig | awk '/Link / { print $1 } ' | head -n 1)
-INET_GW="192.168.1.1"
-INET_IP="192.168.1.2"
-INET_NET="192.168.1.1/24"
-INET_BCAST="192.168.1.255"
-#
-#
-# Local Interface Information
-#
-#LOCAL_IFACE="eth1"
-LOCAL_IFACE="em2"
-#LOCAL_IFACE=$(/sbin/ifconfig | awk '/Link / { print $1 } ' | sed -n -e '2{p;q;}')
-LOCAL_IP="192.168.0.2"
-LOCAL_NET="192.168.0.1/24"
-LOCAL_BCAST="192.168.0.255"
-#
-#
-# Localhost Interface
-#
-LO_IFACE="lo"
-LO_IP="127.0.0.1"
-#
-#
-# Standard Definitions
-#
-ALL="0/0"
-CLASS_A="10.0.0.0/8"
-CLASS_B="172.16.0.0/12"
-CLASS_C="192.168.0.0/16"
-CLASS_D_MULTICAST="224.0.0.0/4"
-CLASS_E_RESERVED_NET="240.0.0.0/5"
-LOOPBACK="127.0.0.0/8"
-P_PORTS="0:1023"
-UP_PORTS="1024:65535"
-#
-#
-# DNS servers
-#
-DNS_SERVERS="83.137.248.244 93.187.151.197 8.8.8.8 8.8.4.4"
-#
-###########################################################################
-#
-# Module loading.
-#
-if [ $LOAD_MODULES == "yes" ]; then
-#
-# Initially load modules
-#
-$DEPMOD -a
-#
-# Required modules
-#
-$MODPROBE ip_tables                    # Required; all IPv4 modules depend on this one.
-#$MODPROBE ip6_tables                   # Required; all IPv6 modules depend on this one.
-$MODPROBE ip_conntrack                 # Stateful Connections. Allows connection tracking state match, which allows you to write rules matching the state of a connection.
-$MODPROBE ip_conntrack_ftp             # Permits active FTP; requires ip_conntrack. Recognises connection is related to original port 21.
-$MODPROBE iptable_filter               # Filter Table.
-$MODPROBE iptable_mangle               # Implement the mangle table.
-$MODPROBE ipt_MASQUERADE               # Masquerade Target.
-$MODPROBE iptable_nat                  # Implement the NAT table.
-$MODPROBE ip_nat_ftp                   #
-$MODPROBE ipt_LOG                      #
-$MODPROBE ipt_limit                    # Allows log limits.
-$MODPROBE ipt_state                    # Permits packet state checking (SYN, SYN-ACK, ACK, and so on).
-#
-# To prevent the dmesg command showing errors such as:·
-# xt_recent: hitcount (25) is larger than packets to be remembered (20)
-#
-# The following command shows all the xt_recent parameters:
-# head /sys/module/xt_recent/parameters/*
-#
-# ls -al  /proc/net/xt_recent/
-#
-# Use modinfo xt_recent to see the possible parameters.
-#
-# ls -1 /sys/module/xt_recent/parameters/
-# Any of the parameters can be checked by simply:
-# cat /sys/module/xt_recent/parameters/ip_pkt_list_tot
-#
-#$RMMOD xt_recent
-$MODPROBE xt_recent ip_list_tot=100000 ip_pkt_list_tot=255
-#$MODPROBE ipt_recent ip_list_tot=100000 ip_pkt_list_tot=255
-#
-# Non-Required modules
-#
-#$MODPROBE ipt_owner                    #
-#$MODPROBE ipt_REJECT                   # Implement the REJECT target.
-#$MODPROBE ipt_MASQUERADE               #
-#$MODPROBE ip_conntrack_ftp             #
-#$MODPROBE ip_conntrack_irc             #
-#$MODPROBE ip_nat_ftp                   #
-#$MODPROBE ip_nat_irc                   #
-#
-fi
-#*********************************************************
-# What to allow
-#
-# 0=no
-# 1=yes
-#
-ALLOW_APPLESHARE_IN=0                  # 500
-ALLOW_APPLESHARE_OUT=0                 # 500
-ALLOW_BITTORRENT_IN=0                  #
-ALLOW_BITTORRENT_OUT=0                 #
-ALLOW_BOOTP_CLIENT_IN=0                # 68 DHCP boot protocol client
-ALLOW_BOOTP_CLIENT_OUT=0               # 68 DHCP boot protocol client
-ALLOW_BOOTP_SERVER_IN=0                # 67 DHCP boot protocol server
-ALLOW_BOOTP_SERVER_OUT=0               # 67 DHCP boot protocol server
-ALLOW_CHARGEN_IN=0                     # 19
-ALLOW_CHARGEN_OUT=0                    # 19
-ALLOW_CORBA_IIOP_IN=0                  # 535
-ALLOW_CORBA_IIOP_OUT=0                 # 535
-ALLOW_CUPS_IN=0                        # CUPS printer service
-ALLOW_CUPS_OUT=0                       # CUPS printer service
-ALLOW_CVS_IN=0                         #
-ALLOW_CVS_OUT=0                        #
-ALLOW_DAYTIME_IN=0                     # 13 daytime-server
-ALLOW_DAYTIME_OUT=0                    # 13 daytime-server
-ALLOW_DHCP_BROADCAST_IN=1              #
-ALLOW_DHCP_BROADCAST_OUT=1             #
-ALLOW_DISCARD_IN=0                     # 9 discard-server
-ALLOW_DISCARD_OUT=0                    # 9 discard-server
-ALLOW_DNS_IN=1                         # 53
-ALLOW_DNS_OUT=1                        # 53
-ALLOW_ECHO_IN=0                        # 7 echo-server
-ALLOW_ECHO_OUT=0                       # 7 echo-server
-ALLOW_FINGER_IN=0                      # 79
-ALLOW_FINGER_OUT=0                     # 79
-ALLOW_FTP_IN=1                         # 20, 21=ftp-data
-ALLOW_FTP_OUT=1                        # 20, 21=ftp-data
-ALLOW_HTTP_IN=1                        # 80
-ALLOW_HTTP_OUT=1                       # 80
-ALLOW_HTTPS_IN=1                       # 443
-ALLOW_HTTP_OUT=1                       # 80
-ALLOW_HTTPS_IN=1                       # 443
-ALLOW_HTTPS_OUT=1                      # 443
-ALLOW_ICMP_PARAM_PROBLEM_IN=0          #
-ALLOW_IDENT_IN=1                       # 59??? What about 113?  Are these different?
-ALLOW_IDENT_OUT=1                      # 59??? What about 113?  Are these different?
-ALLOW_IMAP_IN=1                        # 143
-ALLOW_IMAP_OUT=1                       # 143
-ALLOW_IMAPS_IN=1                       # 993
-ALLOW_IMAPS_OUT=1                      # 993
-ALLOW_IRC_IN=0                         #
-ALLOW_IRC_OUT=0                        #
-ALLOW_KAZAA_IN=0                       # 1214
-ALLOW_KAZAA_OUT=0                      # 1214
-ALLOW_KPASSWD_IN=0                     # 464
-ALLOW_KPASSWD_OUT=0                    # 464
-ALLOW_KRB5_IN=0                        # 88 Kerberos
-ALLOW_KRB5_OUT=0                       # 88 Kerberos
-ALLOW_LDAP_IN=0                        # 389
-ALLOW_LDAP_OUT=0                       # 389
-ALLOW_LDAPS_IN=0                       # 636 Secure LDAP
-ALLOW_LDAPS_OUT=0                      # 636 Secure LDAP
-ALLOW_LINUX_CONF_IN=0                  # 98
-ALLOW_LINUX_CONF_OUT=0                 # 98
-ALLOW_LINUX_MOUNTD_BUG_IN=0            # 635
-ALLOW_LINUX_MOUNTD_BUG_OUT=0           # 635
-ALLOW_MS_EXCHANGE_IN=0                 # 691
-ALLOW_MS_EXCHANGE_OUT=0                # 691
-ALLOW_MS_FILE_SERVER_FOR_MACINTOSH_IN=0 # 548 Enables Macintosh computer users to store and access files on a computer running Windows Server 2003.
-ALLOW_MS_FILE_SERVER_FOR_MACINTOSH_OUT=0 # 548 Enables Macintosh computer users to store and access files on a computer running Windows Server 2003
-ALLOW_MS_FT_DS_IN=0                    # 445
-ALLOW_MS_FT_DS_OUT=0                   # 445
-ALLOW_MS_RPC_IN=0                      # 135
-ALLOW_MS_RPC_OUT=0                     # 135
-ALLOW_MS_RPC_OVER_HTTP_IN=0            # 593
-ALLOW_MS_RPC_OVER_HTTP_OUT=0           # 593
-ALLOW_MSSQL_IN=0                       # 1433 MSSQL database
-ALLOW_MSSQL_OUT=0                      # 1433 MSSQL database
-ALLOW_MSSQL_MONITOR_IN=0               # 1434 MSSQL monitor
-ALLOW_MSSQL_MONITOR_OUT=0              # 1434 MSSQL monitor
-ALLOW_MYSQL_IN=0                       # 3306 MySQL database
-ALLOW_MYSQL_OUT=0                      # 3306 MySQL database
-ALLOW_NC_IN=0                          # 2030
-ALLOW_NC_OUT=0                         # 2030
-ALLOW_NCP_IN=0                         # 524
-ALLOW_NCP_OUT=0                        # 524
-ALLOW_NETWORK_LOG_CLIENT_IN=0          # 1394
-ALLOW_NETWORK_LOG_CLIENT_OUT=0         # 1394
-ALLOW_NFS_IN=0                         # 1025
-ALLOW_NFS_OUT=0                        # 1025
-ALLOW_NNTP_IN=0                        # 119 NNTP news
-ALLOW_NNTP_OUT=0                       # 119 NNTP news
-ALLOW_NTP_IN=1                         # 123
-ALLOW_NTP_OUT=1                        # 123
-ALLOW_OPENVPN_IN=0                     #
-ALLOW_OPENVPN_OUT=0                    #
-ALLOW_PCANYWHERE_IN=0                  # 5623
-ALLOW_PCANYWHERE_OUT=0                 # 5623
-ALLOW_PC_SERVER_BACKDOOR_IN=0          # 600
-ALLOW_PC_SERVER_BACKDOOR_OUT=0         # 600
-ALLOW_PHASE_ZERO_IN=0                  # 555
-ALLOW_PHASE_ZERO_OUT=0                 # 555
-ALLOW_PING_IN=0                        #
-ALLOW_PING_OUT=1                       #
-ALLOW_PLESK_IN=0                       # PLESK desktop
-ALLOW_PLESK_OUT=0                      # PLESK desktop
-ALLOW_POP2_IN=0                        # 109
-ALLOW_POP2_OUT=0                       # 109
-ALLOW_POP3_IN=1                        # 110
-ALLOW_POP3_OUT=1                       # 110
-ALLOW_POP3S_IN=1                       # 995
-ALLOW_POP3S_OUT=1                      # 995
-ALLOW_POSTGRESQL_IN=0                  #
-ALLOW_POSTGRESQL_OUT=0                 #
-ALLOW_PRINT_IN=0 »»·»·                 # 515 Allow printer port
-ALLOW_PRINT_OUT=0 »·»·»·               # 515 Allow printer port
-ALLOW_REAL_SERVER_IN=0                 # 554
-ALLOW_REAL_SERVER_OUT=0                # 554
-ALLOW_ROUTE_IN=0                       # 520
-ALLOW_ROUTE_OUT=0                      # 520
-ALLOW_RWHO_IN=0                        # 513
-ALLOW_RWHO_OUT=0                       # 513
-ALLOW_RWHOIS_IN=1                      # 4321
-ALLOW_RWHOIS_OUT=1                     # 4321
-ALLOW_SAMBA_IN=1                       # 137=SMB Name, 138=SMB Data, 139=SMB Session
-ALLOW_SAMBA_OUT=1                      # 137=SMB Name, 138=SMB Data, 139=SMB Session
-ALLOW_SGI_IRIX_TCPMUX_IN=0             # 1
-ALLOW_SGI_IRIX_TCPMUX_OUT=0            # 1
-ALLOW_SMTP_IN=1 »·»·»·                 # 25 Do NOT allow unencrypted SMTP! Use SMTPS instead.
-ALLOW_SMTP_OUT=1 »»·»·                 # 25 Do NOT allow unencrypted SMTP! Use SMTPS instead.
-ALLOW_SMTPS_IN=0                       # 465
-ALLOW_SMTPS_OUT=0                      # 465
-ALLOW_SNMP_IN=0                        # 161
-ALLOW_SNMP_OUT=0                       # 161
-ALLOW_SOCKS5_IN=0                      # 1080
-ALLOW_SOCKS5_OUT=0                     # 1080
-ALLOW_SSH_IN=1                         # 22
-ALLOW_SSH_OUT=1                        # 22
-ALLOW_SQL_IN=0                         # 1114
-ALLOW_SQL_OUT=0                        # 1114
-ALLOW_SQUID_IN=0 »»·»·                 # 3128 SQUID proxy
-ALLOW_SQUID_OUT=0 »·»·»·               # 3128 SQUID proxy
-ALLOW_SUB7_IN=0                        # 1243
-ALLOW_SUB7_OUT=0                       # 1243
-ALLOW_SUBMISSION_IN=1                  # 587
-ALLOW_SUBMISSION_OUT=1                 # 587
-ALLOW_SUNRPC_IN=0                      # 111 Also RPCbind
-ALLOW_SUNRPC_OUT=0                     # 111 Also RPCbind
-ALLOW_SVN_IN=0                         #
-ALLOW_SVN_OUT=0                        #
-ALLOW_TELNET_IN=0                      # 23
-ALLOW_TELNET_OUT=0                     # 23
-ALLOW_TFTP_IN=0                        # 69 Trivial FTP
-ALLOW_TFTP_OUT=0                       # 69 Trivial FTP
-ALLOW_TIME_IN=0                        # 37
-ALLOW_TIME_OUT=0                       # 37
-ALLOW_TIME_SERVER_IN=0                 # 525
-ALLOW_TIME_SERVER_OUT=0                # 525
-ALLOW_TOMCAT_IN=0     »·»·»·           # 9080
-ALLOW_TOMCAT_OUT=0»·»·»·               # 9080
-ALLOW_TOR_OUT=0                        #
-ALLOW_TRACEROUTE_IN=0                  #
-ALLOW_TRACEROUTE_OUT=1                 #
-ALLOW_UNIX_SYSSTAT_IN=0                # 11
-ALLOW_UNIX_SYSSTAT_OUT=0               # 11
-ALLOW_UPNP_IN=0                        # 2869 Universal Plug and Play
-ALLOW_UPNP_OUT=0                       # 2869 Universal Plug and Play
-ALLOW_WEBLOGIN_IN=1                    # 2054 Needed for sharing
-ALLOW_WEBLOGIN_OUT=0                   # 2054 Needed for sharing
-ALLOW_WHOIS_IN=1 »»·»·                 # 43 See also RWHOIS
-ALLOW_WHOIS_OUT=1 »·»·»·               # 43 See also RWHOIS
-ALLOW_WINDOWS_MESSAGE_IN=0             # 1026, 1027
-ALLOW_WINDOWS_MESSAGE_IN=0             # 1026, 1027
-ALLOW_TRACEROUTE_IN=1                  #
-ALLOW_TRACEROUTE_OUT=1                 #
-ALLOW_XDMCP_IN=0                       # 177
-ALLOW_XDMCP_OUT=0                      # 177
-ALLOW_XWINDOWS_IN=0                    #
-ALLOW_XWINDOWS_OUT=0                   #
-ALLOW_XWINDOWS_FONTSERVER_IN=0         #
-ALLOW_XWINDOWS_FONTSERVER_OUT=0        #
-BLOCK_AKAMAI=1                         #
-BLOCK_BROADCASTS=1                     #
-BLOCK_BRUTE_FORCE_ATTACKS=1            #
-BLOCK_CONNECTIONS_COUNT=1              #
-BLOCK_DROPBOX_LAN_SYNC_BROADCASTS=1    #
-BLOCK_FACEBOOK=0                       #
-BLOCK_FLOODS=1                         #
-BLOCK_SAMBA_WITHOUT_LOGGING=0          #
-BLOCK_OVERSIZE_ICMP_PACKETS=1          #
-BLOCK_VIRUSES=1                        #·
-DO_BAD_PACKETS_LAST=0 »·»·»·           # Less logging
-DO_KERNEL_SECURE=1 »»·»·               # Set various kernel network protection on
-DO_LOG_SCANS=1 »»·»·»·                 # if 1 will log well known scans whilst dropping them
-DO_MASQUERADE=0 »·»·»·                 # if 0 will use SNAT / DNAT
-DO_PORT_KNOCKING=0 »»·»·               # if 1 will allow Port Knocking
-DO_QUICK_NTP=0 »»·»·»·                 # if 1 will allow NTP in without any checks
-DO_QUOTA=0                             # If 1 then will switch on quota checking
-DO_REJECT_INSTEAD_OF_DROP=0            # Reject instead of drop
-DO_STEALTH_ALL_IN=0                    # Stealth all incoming
-DO_WHITELISTING=0 »·»·»·               # Dangerous if made a 1
-#
-#*********************************************************
-#
-# /proc sysctl settings
-#
-PROC_SYSCTL_IP_FORWARD=1»·»·           # To enable ipforward, VERY important
-PROC_SYSCTL_BLOCK_ALL_PINGS_IN=1       # Block ALL the pings from everywhere·
-PROC_SYSCTL_BLOCK_BROADCAST_PINGS_IN=1 # Don't respond to broadcast pings (smurf)
-PROC_SYSCTL_ICMP_ERROR_MESG=1»»·       # Protect against bogus error messages
-PROC_SYSCTL_LOG_MARTIANS=1»·»·         # Log packets with impossible addresses
-PROC_SYSCTL_IP_SPOOFING=1»»·           # Disable spoofing attacks on ALL interfaces
-PROC_SYSCTL_REDUCE_DOS=1»·»·           # Reduces the timeouts and the posibility of a DOS
-PROC_SYSCTL_SYN_COOKIES=1»»·           # Enable tcp syn cookies protection
-PROC_SYSCTL_TIME_STAMPS=1»»·           # Enable tcp timestamps protection
-PROC_SYSCTL_SOURCE_ROUTED=1»»·         # Ignore source routed packets
-PROC_SYSCTL_ACCEPT_REDIRECTS=1»·»·     # Ignore accepted redirected packets
-PROC_SYSCTL_SEND_REDIRECTS=1»·»·       # Ignore send redirected packets
-PROC_SYSCTL_SECURE_REDIRECTS=1»·»·     # Enable secure redirects
-PROC_SYSCTL_DISABLE_BOOTP_RELAY=1      # Disable BootP relays
-PROC_SYSCTL_DISABLE_PROXY_ARP=1        # Disable Proxy ARP
-#
-#*********************************************************
-# Trusted hosts
-#
-# Hosts that are auto allowed into the system if WhiteListing
-# is allowed.
-#
-TRUSTED_HOSTS="192.168.0.10"
-UNTRUSTED_HOSTS="123.123.123.123,134.134.134.134"
-#UNTRUSTED_HOSTS="123.123.123.123,www.facebook.com"
-#
-#*********************************************************
-# Port Knocking
-#
-# Port knocking is a method of externally opening ports on a firewall by·
-# generating a connection attempt on a set of prespecified closed ports.
-#
-# Once a correct sequence of connection attempts is received, the firewall·
-# rules are dynamically modified to allow the host which sent the connection·
-# attempts to connect over specific port(s).
-#
-PORT_KNOCK_1="3456"
-PORT_KNOCK_2="4567"
-PORT_KNOCK_3="1234"
-PORT_KNOCK_ALLOW="22"
-#
-#*********************************************************
-# Websites to stop
-#
-#WEB_FACEBOOK="facebook.com"
-#
-#*********************************************************
-# Connection limits
-#
-# Against brute-force attacks.
-#
-#               4 connect/min  5 connects/3 mins   10 connects/10 mins   25 connects/20 mins   50 connects/40 mins   ...
-# Offense #1         10 min            30 min              1 hour                2 hours               3 hours
-# Offense #2         30 min            1 hour              2 hours               3 hours               6 hours··
-# Offense #3         1 hour            2 hours             3 hours               6 hours               1 day·
-# Offense #4         2 hours           3 hours             6 hours               1 day                 1 week
-# Offense #5         3 hours           6 hours             1 day                 1 week                1 month
-# Offense #6         6 hours           1 day               1 week                1 month               1 month·
-# Offense #7         1 day             1 week              1 month               1 month               1 month
-# Offense #8         1 week            1 month             1 month               1 month               1 month
-# Offense #9         1 month           1 month             1 month               1 month               1 month
-#
-CONNECTION_MAX_1=4                     # 4 Connections
-CONNECTION_MAX_2=5                     # 5 Connections
-CONNECTION_MAX_3=10                    # 10 Connections
-CONNECTION_MAX_4=25                    # 25 Connections
-CONNECTION_MAX_5=50                    # 50 Connections
-CONNECTION_MAX_6=75                    # 75 Connections
-CONNECTION_MAX_7=100                   # 100 Connections
-CONNECTION_MAX_8=200                   # 200 Connections
-CONNECTION_MAX_9=255                   # 255 Connections
-#
-CONNECTION_LIMIT_1=60                  # 1 Minute
-CONNECTION_LIMIT_2=180                 # 3 Minutes
-CONNECTION_LIMIT_3=600                 # 10 Minutes
-CONNECTION_LIMIT_4=1200                # 20 Minutes
-CONNECTION_LIMIT_5=2400                # 40 Minutes
-CONNECTION_LIMIT_6=3600                # 60 Minutes  (1 hour)
-CONNECTION_LIMIT_7=7200                # 120 Minutes (2 hours)
-CONNECTION_LIMIT_8=10800               # 180 Minutes (3 hours)
-CONNECTION_LIMIT_9=21600               # 360 minutes (6 hours)
-#
-# Offence timeouts
-CONNECTION_TIMEOUT_1=600               # 10 Minute
-CONNECTION_TIMEOUT_2=1800              # 30 Minutes
-CONNECTION_TIMEOUT_3=3600              # 60 Minutes  (1 hour)
-CONNECTION_TIMEOUT_4=7200              # 120 Minutes (2 hours)
-CONNECTION_TIMEOUT_5=10800             # 180 Minutes (3 hours)
-CONNECTION_TIMEOUT_6=21600             # 360 Minutes (6 hours)
-CONNECTION_TIMEOUT_7=86400             # 24 hours    (1 day)
-CONNECTION_TIMEOUT_8=604800            # 168 hours   (1 week)
-CONNECTION_TIMEOUT_9=2635200           # 732 hours   (1 month)
-#*********************************************************
-# Log limit
-#
-LOG_LEVEL=7
-#LOG="LOG --log-level debug --log-tcp-sequence --log-tcp-options"
-#LOG="$LOG --log-ip-options"
-#LOG="--log-ip-options --log-tcp-options
-#
-#*********************************************************
-# String Search Algorith
-#
-STRING_ALGO="bm"
-STRING_ALGO2="kmp"
-#
-#*********************************************************
-# Quota limits
-#
-QUOTA_LIMIT_TCP="2147483648"           # 2 GB Quota limit
-QUOTA_LIMIT_UDP="2147483648"           # 2 GB Quota limit
-QUOTA_LIMIT_ICMP="2147483648"          # 2 GB Quota limit
-#
-#*********************************************************
-# DNS limits
-#
-# Limits the number of DNS queries per second to 5/s
-# with a burst rate of 15/s and does not require buffer space changes.
-#
-# Limit the requests per second to 5, which leads to 35 requests in 7 seconds.
-# To solve the first-second burst, allow for 15 requests to happen in each of·
-# the seven seconds.
-# DNS open time.
-DNS_TIMEOUT="7"
-# DNS Requests per second
-DNS_BURST="15"
-# DNS Requests per 7 seconds
-DNS_TOTAL_REQUESTS="35"
-#
-#*********************************************************
-# Flooding limits
-#
-#
-# Limit per second
-LIMIT_PER_SECOND="4"
-#
-# Limit for SYN connections
-LIMIT_SYN_MAX="9"
-#
-# Limit for SYN-Flood detection
-LIMIT_SYN="5/s"
-#
-#
-# Burst Limit for SYN-Flood detection
-LIMIT_SYN_BURST="10"
-#
-#
-# Overall Limit for Logging in Logging-Chains
-LIMIT_LOG="2/s"
-#
-#
-# Burst Limit for Logging in Logging-Chains
-LIMIT_LOG_BURST="10"
-#
-#
-# Overall Limit for TCP-Flood-Detection
-LIMIT_TCP="5/s"
-#
-#
-# Burst Limit for TCP-Flood-Detection
-LIMIT_TCP_BURST="10"
-#
-#
-# Overall Limit for UDP-Flood-Detection
-LIMIT_UDP="5/s"
-#
-#
-# Burst Limit for TCP-Flood-Detection
-LIMIT_UDP_BURST="10"
-#
-#
-# Overall Limit for Ping-Flood-Detection
-LIMIT_PING="5/s"
-#
-#
-# Burst Limit for Ping-Flood-Detection
-LIMIT_PING_BURST="10"
-#
-#**************************************************
-#********** Do not edit beyond this line **********
-#**************************************************
-#
-# IP Mask for all IP addresses
-PORTS_UNIVERSE="0.0.0.0/0"
-PORTS_BROADCAST="255.255.255.255"
-#
-#
-# Ports for Dropbox Lan Sync Broadcasts
-PORTS_DROPBOX_LAN_SYNC_BROADCASTS="17500"
-#
-#
-# Ports for IRC-Connection-Tracking
-PORTS_IRC="6665,6666,6667,6668,6669,7000"
-#
-#
-# Ports for TOR
-# (http://tor.eff.org)
-PORTS_TOR="9001,9002,9030,9031,9090,9091"
-#
-#
-# Ports for traceroute
-PORTS_TRACEROUTE_SRC="32769:65535"
-PORTS_TRACEROUTE_DEST="33434:33523"
-#
-#
-# Specification of the high unprivileged IP ports.
-PORTS_UNPRIV="1024:65535"
-PORTS_PSSH="1000:1023"
-#
-#
-# Specification of X Window System (TCP)
-PORTS_XWIN="6000:6063"
-#
-#*********************************************************
-# AKAMAI·
-#
-# http://www.matveev.se/net/akamai.htm
-#
-RANGE_AKAMAI="2.16.0.0/13,2.23.144.0/20,23.0.0.0/12,23.32.0.0/11,23.64.0.0/14,62.115.0.0/16,72.246.0.0/15,80.239.128.0/19"
-RANGE_AKAMAI="$RANGE_AKAMAI,80.239.160.0/19,80.239.192.0/19,80.239.224.0/19,84.53.168.0/22,88.221.176.0/21,96.6.0.0/15"
-RANGE_AKAMAI="$RANGE_AKAMAI,96.16.0.0/15,217.208.0.0/13,74.125.0.0/16,173.194.0.0/16,209.85.128.0/17"
-#*********************************************************
-# IANA RESERVED·
-#
-RANGE_IANA_RESERVED="0.0.0.0/7,2.0.0.0/8,5.0.0.0/8,7.0.0.0/8,10.0.0.0/8,23.0.0.0/8,27.0.0.0/8,31.0.0.0/8,36.0.0.0/7,39.0.0.0/8"
-RANGE_IANA_RESERVED="$RANGE_IANA_RESERVED,42.0.0.0/8,49.0.0.0/8,50.0.0.0/8,77.0.0.0/8,78.0.0.0/7,92.0.0.0/6,96.0.0.0/4,112.0.0.0/5"
-RANGE_IANA_RESERVED="$RANGE_IANA_RESERVED,120.0.0.0/8,169.254.0.0/16,172.16.0.0/12,173.0.0.0/8,174.0.0.0/7,176.0.0.0/5,184.0.0.0/6"
-RANGE_IANA_RESERVED="$RANGE_IANA_RESERVED,192.0.2.0/24,197.0.0.0/8,198.18.0.0/15,223.0.0.0/8,224.0.0.0/3"
-#
-#*********************************************************
-# Mitigate ARP spoofing/poisoning and similar attacks.
-#------------------------------------------------------------------------------
-# Hardcode static ARP cache entries here
-# $ARP -s IP-ADDRESS MAC-ADDRESS
-#
-#*********************************************************
-# Delete all existing rules
-#
-$IPTABLES -F
-$IPTABLES -t nat -F
-$IPTABLES -t mangle -F
-$IPTABLES -X
-$IPTABLES -t nat -X
-$IPTABLES -t mangle -X
-#
-#
-# Zero all packets and counters.
-#
-$IPTABLES -Z
-$IPTABLES -t nat -Z
-$IPTABLES -t mangle -Z
-#
-# Set Policies
-# By default, drop everything except outgoing traffic
-#
-$IPTABLES -P INPUT DROP
-$IPTABLES -P FORWARD DROP
-$IPTABLES -P OUTPUT DROP
-#
-# Set the nat/mangle/raw tables' chains to ACCEPT
-$IPTABLES -t nat -P PREROUTING ACCEPT
-$IPTABLES -t nat -P OUTPUT ACCEPT
-$IPTABLES -t nat -P POSTROUTING ACCEPT
-$IPTABLES -t mangle -P PREROUTING ACCEPT
-$IPTABLES -t mangle -P INPUT ACCEPT
-$IPTABLES -t mangle -P FORWARD ACCEPT
-$IPTABLES -t mangle -P OUTPUT ACCEPT
-$IPTABLES -t mangle -P POSTROUTING ACCEPT
-#if [ $BLOCK_BROADCASTS -eq 1 ]
-#then
-#$IPTABLES -A INPUT DROP
-#$IPTABLES -A INPUT -d $INET_BCAST -i INET_IFACE -j DROP
-#$IPTABLES -A INPUT -d 192.168.255.255  -i INET_IFACE -j DROP
-#$IPTABLES -A INPUT -d 255.255.255.255 -i INET_IFACE -j DROP
-#$IPTABLES -A INPUT -m pkttype --pkt-type broadcast -j DROP
-#fi
-#*********************************************************
-#
-# Kernel configuration.
-# For details see:
-# * http://www.securityfocus.com/infocus/1711
-# * http://www.linuxgazette.com/issue77/lechnyr.html
-# * http://ipsysctl-tutorial.frozentux.net/chunkyhtml/index.html
-# * /usr/src/linux/Documentation/filesystems/proc.txt
-# * /usr/src/linux/Documentation/networking/ip-sysctl.txt
-#
-# Save these settings in the /etc/sysctl.conf file to make it permanent
-#
-#------------------------------------------
-if [ $DO_KERNEL_SECURE -eq 1 ]
-then
-#------------------------------------------
-# Allow port forwarding - Enable IP NAT in the Linux kernel
-#
-#echo 1 > /proc/sys/net/ipv4/ip_forward
-if [ $PROC_SYSCTL_IP_FORWARD -eq 1 ] ; then
-  if [ -f /proc/sys/net/ipv4/ip_forward ] ; then
-    echo 1 > /proc/sys/net/ipv4/ip_forward
-    echo "          ip_forward activated"
-  fi
-fi
-#
-#------------------------------------------
-# Disabling IP Spoofing
-#
-#echo 2 > /proc/sys/net/ipv4/conf/all/rp_filter
-if [ $PROC_SYSCTL_IP_SPOOFING -eq 1 ] ; then
-  if [ -f /proc/sys/net/ipv4/conf/all/rp_filter ] ; then
-    echo "2" > /proc/sys/net/ipv4/conf/all/rp_filter
-    echo "          .....Blocking IP spoofing attacks"
-  fi
-#
-#------------------------------------------
-# Enable IP spoofing protection (i.e. source address verification).
-# Note: This is special, as it seems to only be enabled if you set
-# */all/rp_filter AND */eth0/rp_filter (for example) to 1! Setting only
-# */all/rp_filter alone does _not_ suffice, which is pretty counter-intuitive.
-#
-# Turn on reverse path filtering. This helps make sure that packets use·
-# legitimate source addresses, by automatically rejecting incoming packets·
-# if the routing table entry for their source address doesn't match the·
-# network interface they're arriving on. This has security advantages because
-# it prevents so-called IP spoofing, however it can pose problems if you use·
-# asymmetric routing (packets from you to a host take a different path than·
-# packets from that host to you) or if you operate a non-routing host which·
-# has several IP addresses on different interfaces.·
-# (Note - If you turn on IP forwarding, you will also get this).
-#
-  for i in /proc/sys/net/ipv4/conf/*/rp_filter; do echo 1 > $i; done
-#
-fi
-#
-#------------------------------------------
-# Ignore all incoming ICMP echo requests (i.e. disable ping).
-# Usually not a good idea, as some protocols and users need/want this.
-# echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_all
-#
-if [ $PROC_SYSCTL_BLOCK_ALL_PINGS_IN -eq 1 ]
-then
-#echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_all
-  if [ -f /proc/sys/net/ipv4/icmp_echo_ignore_all ] ; then
-    echo "1" > /proc/sys/net/ipv4/icmp_echo_ignore_all
-    echo "          .....Blocking all incoming pings from everywhere"
-  fi
-else
-#echo 0 > /proc/sys/net/ipv4/icmp_echo_ignore_all
-  if [ -f /proc/sys/net/ipv4/icmp_echo_ignore_all ] ; then
-    echo "0" > /proc/sys/net/ipv4/icmp_echo_ignore_all
-    echo "          .....Allowing all incoming pings from everywhere"
-  fi
-fi
-#
-#------------------------------------------
-# Don't respond to broadcast pings
-# Ignore ICMP echo requests to broadcast/multicast addresses. We do not
-# want to participate in smurf (and similar) DoS attacks.
-# For details see: http://en.wikipedia.org/wiki/Smurf_attack.
-#
-if [ $PROC_SYSCTL_BLOCK_BROADCAST_PINGS_IN -eq 1 ]
-then
-#echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
-  if [ -f /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts ]; then
-    echo "1" > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
-    echo "          .....Blocking all broadcast pings"
-  fi
-else
-#echo 0 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
-  if [ -f /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts ]; then
-    echo "0" > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
-    echo "          .....Allowing all broadcast pings"
-  fi
-fi
-#
-#------------------------------------------
-# Disable multicast routing. Should not be needed, usually.
-# TODO: This throws an "Operation not permitted" error. Why?
-#
-# The proc entry containing that value is read-only, and cannot be made writable easily.
-#
-#for i in /proc/sys/net/ipv4/conf/*/mc_forwarding; do echo 0 > $i; done
-#
-#------------------------------------------
-# Protect against SYN flood attacks (see http://cr.yp.to/syncookies.html).
-#
-#echo 1 > /proc/sys/net/ipv4/tcp_syncookies
-if [ $PROC_SYSCTL_SYN_COOKIES -eq 1 ] ; then
-  if [ -e /proc/sys/net/ipv4/tcp_syncookies ] ; then
-    echo "1" > /proc/sys/net/ipv4/tcp_syncookies
-    echo "          .....TCP syn cookies protection enabled"
-  fi
-fi
-#
-#------------------------------------------
-# Kill timestamps
-#
-#echo 0 > /proc/sys/net/ipv4/tcp_timestamps
-if [ $PROC_SYSCTL_TIME_STAMPS -eq 1 ] ; then
-  if [ -e /proc/sys/net/ipv4/tcp_timestamps ] ; then
-    echo "0" > /proc/sys/net/ipv4/tcp_timestamps
-    echo "          .....TCP timestamps protection enabled"
-  fi
-fi
-#
-#------------------------------------------
-# Block source routing
-#
-# Don't accept source routed packets.  Attackers can use source routing·
-# to generate traffic pretending to be from inside your network, but·
-# which is routed back along the path from which it came, namely outside,·
-# so attackers can compromise your network.  Source routing is rarely·
-# used for legitimate purposes.
-#
-#echo 0 > /proc/sys/net/ipv4/conf/all/accept_source_route
-if [ $PROC_SYSCTL_SOURCE_ROUTED -eq 1 ] ; then
-  if [ -e /proc/sys/net/ipv4/conf/all/accept_source_route ] ; then
-    echo "0" > /proc/sys/net/ipv4/conf/all/accept_source_route
-    echo "          .....Ignore source routed packets"
-  fi
-#
-#------------------------------------------
-# Don't accept source routed packets.
-#
-  for i in /proc/sys/net/ipv4/conf/*/accept_source_route; do echo 0 > $i; done
-#
-fi
-#
-#------------------------------------------
-# Kill redirects
-#
-# Disable ICMP redirect acceptance. ICMP redirects can be used to alter·
-# your routing tables, possibly to a bad end.
-#
-#echo 0 > /proc/sys/net/ipv4/conf/all/accept_redirects
-#echo 0 > /proc/sys/net/ipv4/conf/all/send_redirects
-if [ $PROC_SYSCTL_ACCEPT_REDIRECTS -eq 1 ] ; then
-  if [ -e /proc/sys/net/ipv4/conf/all/accept_redirects ]; then
-    echo "0" > /proc/sys/net/ipv4/conf/all/accept_redirects
-    echo "          .....Ignore accept redirected packets"
-  fi
-  for i in /proc/sys/net/ipv4/conf/*/accept_redirects; do echo 0 > $i; done
-fi
-#
-if [ $PROC_SYSCTL_SEND_REDIRECTS -eq 1 ] ; then
-  if [ -e /proc/sys/net/ipv4/conf/all/send_redirects ]; then
-    echo "0" > /proc/sys/net/ipv4/conf/all/send_redirects
-    echo "          .....Ignore send redirected packets"
-  fi
-  for i in /proc/sys/net/ipv4/conf/*/send_redirects; do echo 0 > $i; done
-fi
-#
-#------------------------------------------
-# Don't accept or send ICMP redirects.
-#
-#for i in /proc/sys/net/ipv4/conf/*/accept_redirects; do echo 0 > $i; done
-#for i in /proc/sys/net/ipv4/conf/*/send_redirects; do echo 0 > $i; done
-#
-#------------------------------------------
-# Enable secure redirects, i.e. only accept ICMP redirects for gateways
-# listed in the default gateway list. Helps against MITM attacks.
-#
-#for i in /proc/sys/net/ipv4/conf/*/secure_redirects; do echo 1 > $i; done
-if [ $PROC_SYSCTL_SECURE_REDIRECTS -eq 1 ] ; then
-  for i in /proc/sys/net/ipv4/conf/*/secure_redirects; do echo 1 > $i; done
-fi
-#
-#
-#------------------------------------------
-# Enable bad error message protection
-# Don't log invalid responses to broadcast frames, they just clutter the logs.
-#
-#echo 1 > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses
-if [ $PROC_SYSCTL_ICMP_ERROR_MESG -eq 1 ] ; then
-  if [ -f /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses ]; then
-    echo "1" > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses
-    echo "          .....Enable error message protection"
-  fi
-fi
-#
-#------------------------------------------
-# Log martians
-#
-# Log packets with impossible addresses
-# Log spoofed packets, source routed packets, redirect packets.
-#
-#echo 1 > /proc/sys/net/ipv4/conf/all/log_martians
-if [ $PROC_SYSCTL_LOG_MARTIANS -eq 1 ] ; then
-  if [ -f /proc/sys/net/ipv4/conf/all/log_martians ] ; then
-    echo "1" > /proc/sys/net/ipv4/conf/all/log_martians
-    echo "          .....Logging packets with impossible addresses"
-  fi
-#
-#------------------------------------------
-# Log packets with impossible addresses.
-#
-  for i in /proc/sys/net/ipv4/conf/*/log_martians; do echo 1 > $i; done
-#
-fi
-#
-#------------------------------------------
-# Disable bootp_relay. Should not be needed, usually.
-#
-if [ $PROC_SYSCTL_DISABLE_BOOTP_RELAY -eq 1 ] ; then
-  for i in /proc/sys/net/ipv4/conf/*/bootp_relay; do echo 0 > $i; done
-fi
-#
-#------------------------------------------
-# Disable proxy_arp. Should not be needed, usually.
-#
-if [ $PROC_SYSCTL_DISABLE_PROXY_ARP -eq 1 ] ; then
-  for i in /proc/sys/net/ipv4/conf/*/proxy_arp; do echo 0 > $i; done
-fi
-#
-#------------------------------------------
-# TODO: These may mitigate ARP poisoning attacks?
-# /proc/sys/net/ipv4/neigh/*/locktime
-# /proc/sys/net/ipv4/neigh/*/gc_stale_time
-# TODO: Check rest of /usr/src/linux/Documentation/networking/ip-sysctl.txt.
-# Are there any security-relevant options I missed? Check especially:
-# icmp_ratelimit, icmp_ratemask, icmp_errors_use_inbound_ifaddr, arp_*.
-#
-#------------------------------------------
-# Set out local port range
-#
-#echo "32768 61000" > /proc/sys/net/ipv4/ip_local_port_range
-#
-#------------------------------------------
-# Reduce timeouts for DoS protection
-#
-#echo 30 > /proc/sys/net/ipv4/tcp_fin_timeout
-#
-#------------------------------------------
-# Other
-#
-#echo 2400 > /proc/sys/net/ipv4/tcp_keepalive_time
-#echo 0 > /proc/sys/net/ipv4/tcp_window_scaling
-#echo 0 > /proc/sys/net/ipv4/tcp_sack
-#
-if [ $PROC_SYSCTL_REDUCE_DOS -eq 1 ] ; then
-  echo "30" > /proc/sys/net/ipv4/tcp_fin_timeout
-  echo "2400" > /proc/sys/net/ipv4/tcp_keepalive_time
-  echo "0" > /proc/sys/net/ipv4/tcp_window_scaling
-  echo "0" > /proc/sys/net/ipv4/tcp_sack
-  echo "          .....Denial of Service Reduction Measures"
-fi
-#
-fi
-#
-#*********************************************************
-#
-# Completely disable IPv6.
-#
-# Block all IPv6 traffic
-#
-#------------------------------------------
-# If the ip6tables command is available, try to block all IPv6 traffic.
-#
-if test -x $IP6TABLES; then
-#------------------------------------------
-# Set the default policies.
-# Drop everything.
-$IP6TABLES -P INPUT DROP 2>/dev/null
-$IP6TABLES -P FORWARD DROP 2>/dev/null
-$IP6TABLES -P OUTPUT DROP 2>/dev/null
-#------------------------------------------
-# The mangle table can pass everything.
-$IP6TABLES -t mangle -P PREROUTING ACCEPT 2>/dev/null
-$IP6TABLES -t mangle -P INPUT ACCEPT 2>/dev/null
-$IP6TABLES -t mangle -P FORWARD ACCEPT 2>/dev/null
-$IP6TABLES -t mangle -P OUTPUT ACCEPT 2>/dev/null
-$IP6TABLES -t mangle -P POSTROUTING ACCEPT 2>/dev/null
-#------------------------------------------
-# Delete all rules.
-$IP6TABLES -F 2>/dev/null
-$IP6TABLES -t mangle -F 2>/dev/null
-#------------------------------------------
-# Delete all chains.
-$IP6TABLES -X 2>/dev/null
-$IP6TABLES -t mangle -X 2>/dev/null
-#------------------------------------------
-# Zero all packets and counters.
-$IP6TABLES -Z 2>/dev/null
-$IP6TABLES -t mangle -Z 2>/dev/null
-fi
-#------------------------------------------
-# Shellshock
-$IP6TABLES -A INPUT -m string --algo bm --hex-string '|28 29 20 7B|' -j DROP
-$IP6TABLES -A INPUT -m string --algo bm --hex-string '|28 29 20 7B|' -j DROP
-#*********************************************************
-#
-# Create the chains
-#
-$IPTABLES -N IANA_RESERVED
-$IPTABLES -N BAD_PACKETS
-$IPTABLES -N BAD_TCP_PACKETS
-if [ $DO_WHITELISTING -eq 1 ]
-then
-$IPTABLES -N WHITELIST
-fi
-if [ $DO_PORT_KNOCKING -eq 1 ]
-then
-$IPTABLES -N PORT_KNOCK
-$IPTABLES -N PORT_KNOCK_STAGE1
-$IPTABLES -N PORT_KNOCK_STAGE2
-$IPTABLES -N PORT_KNOCK_STAGE3
-fi
-$IPTABLES -N PRIVATE_PACKETS
-$IPTABLES -N BLACKLIST
-if [ $BLOCK_BRUTE_FORCE_ATTACKS -eq 1 ]
-then
-$IPTABLES -N ATTACK
-$IPTABLES -N ATTACK2
-$IPTABLES -N ATTACK_CHECK
-$IPTABLES -N ATTACKED1
-$IPTABLES -N ATTACKED2
-$IPTABLES -N ATTACKED3
-$IPTABLES -N ATTACKED4
-$IPTABLES -N ATTACKED5
-$IPTABLES -N ATTACKED6
-$IPTABLES -N ATTACKED7
-$IPTABLES -N ATTACKED8
-$IPTABLES -N ATTACKED9
-$IPTABLES -N BAN1
-$IPTABLES -N BAN2
-$IPTABLES -N BAN3
-$IPTABLES -N BAN4
-$IPTABLES -N BAN5
-$IPTABLES -N BAN6
-$IPTABLES -N BAN7
-$IPTABLES -N BAN8
-$IPTABLES -N BAN9
-fi
-if [ $BLOCK_FLOODS -eq 1 ]
-then
-$IPTABLES -N FLOODS
-fi
-if [ $BLOCK_VIRUSES -eq 1 ]
-then
-$IPTABLES -N VIRUS
-fi
-if [ $DO_LOG_SCANS -eq 1 ]
-then
-$IPTABLES -N SCANS
-fi
-$IPTABLES -N ICMP_IN
-$IPTABLES -N ICMP_OUT
-$IPTABLES -N TCP_IN
-$IPTABLES -N TCP_OUT
-$IPTABLES -N UDP_IN
-$IPTABLES -N UDP_OUT
-$IPTABLES -N NO_LOGGING
-if [ $DO_QUOTA -eq 1 ]
-then
-$IPTABLES -N QUOTA
-fi
-#
-#*********************************************************
-# Check Quotas
-#
-if [ $DO_QUOTA -eq 1 ]
-then
-$IPTABLES -A QUOTA -p tcp -m quota --quota $QUOTA_LIMIT_TCP -j RETURN
-$IPTABLES -A QUOTA -p udp -m quota --quota $QUOTA_LIMIT_UDP -j RETURN
-$IPTABLES -A QUOTA -p icmp -m quota --quota $QUOTA_LIMIT_ICMP -j RETURN
-$IPTABLES -A QUOTA -m limit --limit $LIMIT_LOG --limit-burst $LIMIT_LOG_BURST -j LOG --log-level $LOG_LEVEL --log-prefix "IPT=QUOTA a=DROP "
-$IPTABLES -A QUOTA -j DROP
-fi
-#
-#*********************************************************
-# Filter IANA RESERVED
-#
-$IPTABLES -A IANA_RESERVED -s $RANGE_IANA_RESERVED -m limit --limit $LIMIT_LOG --limit-burst $LIMIT_LOG_BURST -j LOG --log-level $LOG_LEVEL --log-prefix "IPT=IANA_RESERVED a=DROP "
-$IPTABLES -A IANA_RESERVED -s $RANGE_IANA_RESERVED -j DROP
-#$IPTABLES -A IANA_RESERVED -s 0.0.0.0/7 -j DROP
-#$IPTABLES -A IANA_RESERVED -s 2.0.0.0/8 -j DROP
-#$IPTABLES -A IANA_RESERVED -s 5.0.0.0/8 -j DROP
-#$IPTABLES -A IANA_RESERVED -s 7.0.0.0/8 -j DROP
-#$IPTABLES -A IANA_RESERVED -s 10.0.0.0/8 -j DROP
-#$IPTABLES -A IANA_RESERVED -s 23.0.0.0/8 -j DROP
-#$IPTABLES -A IANA_RESERVED -s 27.0.0.0/8 -j DROP
-#$IPTABLES -A IANA_RESERVED -s 31.0.0.0/8 -j DROP
-#$IPTABLES -A IANA_RESERVED -s 36.0.0.0/7 -j DROP
-#$IPTABLES -A IANA_RESERVED -s 39.0.0.0/8 -j DROP
-#$IPTABLES -A IANA_RESERVED -s 42.0.0.0/8 -j DROP
-#$IPTABLES -A IANA_RESERVED -s 49.0.0.0/8 -j DROP
-#$IPTABLES -A IANA_RESERVED -s 50.0.0.0/8 -j DROP
-#$IPTABLES -A IANA_RESERVED -s 77.0.0.0/8 -j DROP
-#$IPTABLES -A IANA_RESERVED -s 78.0.0.0/7 -j DROP
-#$IPTABLES -A IANA_RESERVED -s 92.0.0.0/6 -j DROP
-#$IPTABLES -A IANA_RESERVED -s 96.0.0.0/4 -j DROP
-#$IPTABLES -A IANA_RESERVED -s 112.0.0.0/5 -j DROP
-#$IPTABLES -A IANA_RESERVED -s 120.0.0.0/8 -j DROP
-#$IPTABLES -A IANA_RESERVED -s 169.254.0.0/16 -j DROP
-#$IPTABLES -A IANA_RESERVED -s 172.16.0.0/12 -j DROP
-#$IPTABLES -A IANA_RESERVED -s 173.0.0.0/8 -j DROP
-#$IPTABLES -A IANA_RESERVED -s 174.0.0.0/7 -j DROP
-#$IPTABLES -A IANA_RESERVED -s 176.0.0.0/5 -j DROP
-#$IPTABLES -A IANA_RESERVED -s 184.0.0.0/6 -j DROP
-</file>