• IPCHAINS
    Packet filtering is synonymous with firewalls. It is the process of deciding
    whether a packet should be allowed to pass or not.
    
    Although you use the same tool (ipchains) to control both masquerading and
    transparent proxying, these are separate processes, and sharing a tool should
    not give the impression that they are closely related.
    
    Chain Operations:
    
    	-N	Create a new chain.
    	-X	Delete an empty chain.
    	-P	Change the policy for a built-in chain.
    	-L	List the rules in a chain.
    	-F	Flush the rules out of a chain.
    	-Z	Zero the packet and byte counters on all rules in a chain.
    
    Chain Rule Manipulations:
    
    	-A	Append a new rule to a chain.
    	-I	Insert a new rule at some position in a chain.
    	-R	Replace a rule at some position in a chain.
    	-D	Delete a rule at some position in a chain.
    	-D	Delete the first rule that matches in a chain.
    
    Other:
    
    	-M -L	List the currently masqueraded connections.
    	-M -S	Set masquerading timeout values.
    
    While manipulating the rules of the firewall, timing issues occur: packets
    can be allowed through the system while the changes are being made. To prevent
    this from occurring, drop all packets for the duration of the changes by doing
    the following:
    
    	% ipchains -I input 1 -j DENY
    	% ipchains -I output 1 -j DENY
    	% ipchains -I forward 1 -j DENY
    	...make changes...
    	% ipchains -D input 1
    	% ipchains -D output 1
    	% ipchains -D forward 1
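
    The sequence above as a reusable wrapper, added here as an example and not part of
    the original notes: it blocks the three built-in chains, runs an arbitrary change
    command, and unblocks again even if that command fails; the IPCHAINS variable and the
    function names are assumptions, and the unblock step deletes the DENY rules by rule
    specification instead of by position so that a change set which flushes a chain
    cannot make the final delete remove the wrong rule.

```sh
#!/bin/sh
# Added example (not part of the original notes): run a set of ipchains changes
# with input, output and forward blocked, then unblock. IPCHAINS is an assumed
# variable so the wrapper can be dry-run against a logging stub instead of the
# real /sbin/ipchains.
IPCHAINS="${IPCHAINS:-/sbin/ipchains}"

# Insert a DENY rule at position 1 of input, output and forward.
lock_chains() {
    for chain in input output forward; do
        "$IPCHAINS" -I "$chain" 1 -j DENY || return 1
    done
}

# Remove the DENY rules by rule specification rather than by position.
# If the change set flushed a chain (an rc.firewall that starts with -F does),
# the lock rule is already gone and "-D input 1" would delete the first real
# rule instead; "-D input -j DENY" only ever removes a rule matching the lock
# and merely fails when there is none left.
unlock_chains() {
    for chain in input output forward; do
        "$IPCHAINS" -D "$chain" -j DENY
    done
    return 0
}

# Run the given command (for example /etc/rc.firewall) between lock and
# unlock. Unlocking also happens when the command fails, so a broken change
# script cannot leave the host denying all traffic; the command's exit status
# is returned to the caller.
with_chains_locked() {
    lock_chains || { unlock_chains; return 1; }
    "$@"
    status=$?
    unlock_chains
    return "$status"
}
```

    The lock only protects until a change that flushes the chains; for a script that
    starts with -F, set the built-in chains' policy to DENY before flushing instead.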
    
    #------------------------------------------------------------------------------------
    #!/bin/sh
    #
    # rc.firewall
    #
    # Flush every chain and delete any user-defined chains (start from scratch),
    # so that re-running this script does not fail on "-N my-chain"...
    /sbin/ipchains -F
    /sbin/ipchains -X
    
    # If your machine is assigned an IP via DHCP...
    # (masquerading timeouts in seconds: TCP, TCP after FIN, UDP)
    # /sbin/ipchains -M -S 7200 10 60
    # /sbin/ipchains -A input -p udp -i eth0 -s 0/0 68 -d 0/0 67 -j ACCEPT
    
    # Redirect for HTTP Transparent Proxy (proxy listening locally on 8080)...
    /sbin/ipchains -A input -p tcp -s 192.1.2.0/24 -d 0.0.0.0/0 80 -j REDIRECT 8080
    
    # Create your own chain (a port specification needs -p tcp or -p udp)...
    /sbin/ipchains -N my-chain
    # Allow email to get to the server (from a remote smtp port to an unprivileged port)...
    /sbin/ipchains -A my-chain -p tcp -s 0.0.0.0/0 smtp -d 192.1.2.10 1024: -j ACCEPT
    # Allow email connections to outside email servers...
    /sbin/ipchains -A my-chain -p tcp -s 192.1.2.10 -d 0.0.0.0/0 smtp -j ACCEPT
    # Allow Web connections to your WWW server (from a remote www port to an unprivileged port)...
    /sbin/ipchains -A my-chain -p tcp -s 0.0.0.0/0 www -d 192.1.2.11 1024: -j ACCEPT
    # Allow Web connections to outside WWW server...
    /sbin/ipchains -A my-chain -p tcp -s 192.1.2.0/24 1024: -d 0.0.0.0/0 www -j ACCEPT
    # Allow DNS traffic (port 53; its /etc/services name is "domain", not "dns")...
    /sbin/ipchains -A my-chain -p udp -s 0.0.0.0/0 53 -d 192.1.2.0/24 -j ACCEPT
    # Hand packets arriving on the input chain to my-chain...
    /sbin/ipchains -A input -j my-chain
    
    # If you are using masquerading
    # Don't masq internal-internal traffic...
    /sbin/ipchains -A forward -s 192.1.2.0/24 -d 192.1.2.0/24 -j ACCEPT
    # Don't masq packets that already carry an address from the external interface's network...
    /sbin/ipchains -A forward -s 24.94.1.0/24 -d 0.0.0.0/0 -j ACCEPT
    # Masquerade all internal IP's going outside
    /sbin/ipchains -A forward -s 192.1.2.0/24 -d 0.0.0.0/0 -j MASQ
    
    # Deny all other packets. A policy can only be set on a built-in chain, so it
    # goes on input, not on my-chain: a packet my-chain does not ACCEPT returns to
    # input and is caught by this policy.
    /sbin/ipchains -P input DENY
    
    
    Since ipchains inserts and deletes rules in the kernel's packet filtering
    code, all setups will be lost upon reboot. You can use the 'ipchains-save'
    and 'ipchains-restore' scripts to save and reload a firewall setup:
    
    	% ipchains-save > /etc/ipchains.rules
    
    ipchains bootstrap script:
    
    #!/bin/sh
    # /etc/init.d/packetfilter
    # run this script during bootstrap, before S40network.
    # symlink "S39packetfilter"
    
    RULES="/etc/ipchains.rules"
    # Nothing to do if no rules have been saved yet.
    [ -f "$RULES" ] || exit 0
    
    case "$1" in
    start)
        echo -n "Turning on packet filtering:"
        /sbin/ipchains-restore < "$RULES" || exit 1
        echo "1" > /proc/sys/net/ipv4/ip_forward
        echo "."
        ;;
    stop)
        echo -n "Turning off packet filtering:"
        echo "0" > /proc/sys/net/ipv4/ip_forward
        /sbin/ipchains -F
        /sbin/ipchains -X
        /sbin/ipchains -P input ACCEPT
        /sbin/ipchains -P output ACCEPT
        /sbin/ipchains -P forward ACCEPT
        echo "."
        ;;
    save)
        echo -n "Saving packet filtering rules:"
        /sbin/ipchains-save > "$RULES"
        echo "."
        ;;
    *)
        echo "Usage: `basename "$0"` [start|stop|save]"
        echo ""
        exit 1
        ;;
    esac
    exit 0