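Deny-Based Stateful Firewall with iptables
==========================================
Public domain

********************************************************************************

### /etc/rc.d/init.d/firewall

#!/bin/bash
#
# firewall      Deny-by-default stateful packet filter for a two-interface
#               gateway: the LAN ($LOCALNET) sits behind $INTIF, the
#               Internet is reached through $EXTIF.
#
# chkconfig: - 91 15
# description: stateful firewall designed by Pejman Moghadam.
#
# Policy: every filter chain defaults to DROP. Each service below is opened
# explicitly in one direction, and the return traffic is admitted only when
# connection tracking has already seen the initiating side (ESTABLISHED, or
# RELATED for helper-negotiated channels such as FTP data).

set -u   # an unset variable inside a rule is a typo, not a wildcard match

IPTABLES=/sbin/iptables
LOCALNET=192.168.0.0/24        # trusted LAN behind $INTIF
INTIF=eth0                     # LAN-facing interface
EXTIF=eth1                     # Internet-facing interface
PING_TARGET=192.9.9.3          # the only Internet host LAN clients may ping
RADIUS_RAS=192.168.0.66        # Remote-Access-Server
RADIUS_SRV=192.168.0.130       # Secure-Server (RADIUS)

# say MSG... -- indented progress line, same format as the original script.
say() {
    echo -e "\t $*"
}

# Load the packet-filter and connection-tracking modules. The conntrack
# module names changed around kernel 2.6.20 (ip_conntrack* became
# nf_conntrack*); try the new names first and fall back to the old ones so
# the script keeps working on both generations.
load_modules() {
    modprobe ip_tables
    modprobe nf_conntrack 2>/dev/null || modprobe ip_conntrack
    modprobe nf_conntrack_ftp 2>/dev/null || modprobe ip_conntrack_ftp
    # NOTE(review): since kernel 4.7 conntrack no longer attaches the FTP
    # helper to connections automatically. On such kernels the RELATED rules
    # for FTP data channels below only work with either
    #   sysctl -w net.netfilter.nf_conntrack_helper=1
    # or an explicit raw-table rule such as
    #   iptables -t raw -A PREROUTING -p tcp --dport 21 -j CT --helper ftp
    # Confirm which applies before relying on active/passive FTP.
}

# allow_transit PROTO PORT
# LAN hosts may open PROTO/PORT on the Internet through this box; only
# replies belonging to such a connection are forwarded back in. Every
# transit rule is pinned to a $LOCALNET source so a spoofed packet arriving
# on $INTIF does not get a free ride.
allow_transit() {
    local proto=$1 port=$2
    $IPTABLES -t filter -A FORWARD -i "$INTIF" -s "$LOCALNET" -p "$proto" --dport "$port" \
        -m state --state NEW,ESTABLISHED -j ACCEPT
    $IPTABLES -t filter -A FORWARD -i "$EXTIF" -d "$LOCALNET" -p "$proto" --sport "$port" \
        -m state --state ESTABLISHED -j ACCEPT
}

# allow_box_out PROTO PORT
# The firewall box itself may open PROTO/PORT on the Internet; only the
# replies to those connections are accepted on $EXTIF.
allow_box_out() {
    local proto=$1 port=$2
    $IPTABLES -t filter -A OUTPUT -o "$EXTIF" -p "$proto" --dport "$port" \
        -m state --state NEW,ESTABLISHED -j ACCEPT
    $IPTABLES -t filter -A INPUT -i "$EXTIF" -p "$proto" --sport "$port" \
        -m state --state ESTABLISHED -j ACCEPT
}

# allow_lan_in PROTO PORT
# LAN hosts may connect to PROTO/PORT served by the firewall box itself.
allow_lan_in() {
    local proto=$1 port=$2
    $IPTABLES -t filter -A INPUT -i "$INTIF" -s "$LOCALNET" -p "$proto" --dport "$port" \
        -m state --state NEW,ESTABLISHED -j ACCEPT
    $IPTABLES -t filter -A OUTPUT -o "$INTIF" -d "$LOCALNET" -p "$proto" --sport "$port" \
        -m state --state ESTABLISHED -j ACCEPT
}

start() {
    echo "Starting firewall . . ."
    load_modules

    say "Default policy DROP on every chain."
    # Policies go in BEFORE the flush: on first boot the kernel default is
    # ACCEPT, so flushing first would leave the box wide open for a moment.
    $IPTABLES -t filter -P INPUT DROP
    $IPTABLES -t filter -P OUTPUT DROP
    $IPTABLES -t filter -P FORWARD DROP
    say "Flush filter table, remove user defined chains, zero counters."
    $IPTABLES -t filter -F
    $IPTABLES -t filter -X
    $IPTABLES -t filter -Z

    say "Kernel flags:"
    say "\t Anti smurf amplifier."
    echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
    say "\t Anti synflood DoS."
    echo 1 > /proc/sys/net/ipv4/tcp_syncookies
    say "\t Reverse-path filter (source must be routable via the arrival interface)."
    echo 1 > /proc/sys/net/ipv4/conf/all/rp_filter
    # ip_forward is switched on at the very END of start(), once the FORWARD
    # chain is populated; enabling it here would route the LAN unfiltered
    # while the rules below are still being installed.

    say "Allow self-connection on firewall box."
    $IPTABLES -t filter -A INPUT -i lo -j ACCEPT
    $IPTABLES -t filter -A OUTPUT -o lo -j ACCEPT

    say "Drop spoofed packets: LAN source addresses arriving from the Internet."
    $IPTABLES -t filter -A INPUT -i "$EXTIF" -s "$LOCALNET" -j DROP
    $IPTABLES -t filter -A FORWARD -i "$EXTIF" -s "$LOCALNET" -j DROP
    say "Drop packets conntrack cannot classify (malformed or out-of-window)."
    $IPTABLES -t filter -A INPUT -m state --state INVALID -j DROP
    $IPTABLES -t filter -A FORWARD -m state --state INVALID -j DROP

    say "----------SSH----------"
    say "Allow SSH(tcp/22) connection from localnet to firewall box."
    allow_lan_in tcp 22

    say "----------DNS----------"
    say "Allow DNS(udp/53) query from firewall box to internet."
    allow_box_out udp 53
    say "Allow DNS(udp/53) query from localnet to firewall box."
    allow_lan_in udp 53
    say "Allow DNS(udp/53) query transit from localnet to internet."
    allow_transit udp 53

    say "----------HTTP----------"
    say "Allow HTTP(tcp/80) connection transit from localnet to internet."
    allow_transit tcp 80
    say "Allow HTTP(tcp/80) connection from firewall box to internet."
    allow_box_out tcp 80
    say "Allow HTTP(tcp/80) connection from localnet to firewall box."
    allow_lan_in tcp 80
    # Alternate web ports the LAN is allowed to reach directly.
    local port
    for port in 800 8000 8080 8383 3000 2082 2095; do
        say "Allow HTTP(tcp/$port) connection transit from localnet to internet."
        allow_transit tcp "$port"
    done
    say "Allow HTTPS(tcp/443) connection transit from localnet to internet."
    allow_transit tcp 443

    say "----------ICMP----------"
    say "Allow PING(icmp) between localnet and firewall box."
    $IPTABLES -t filter -A INPUT -i "$INTIF" -s "$LOCALNET" -p icmp -j ACCEPT
    $IPTABLES -t filter -A OUTPUT -o "$INTIF" -d "$LOCALNET" -p icmp -j ACCEPT
    say "Allow PING(icmp) echo request from firewall box to internet."
    $IPTABLES -t filter -A OUTPUT -o "$EXTIF" -p icmp --icmp-type echo-request -j ACCEPT
    $IPTABLES -t filter -A INPUT -i "$EXTIF" -p icmp --icmp-type echo-reply \
        -m state --state ESTABLISHED -j ACCEPT
    say "Allow PING(icmp) echo request transit from localnet to internet($PING_TARGET)."
    $IPTABLES -t filter -A FORWARD -i "$INTIF" -s "$LOCALNET" -d "$PING_TARGET" \
        -p icmp --icmp-type echo-request -j ACCEPT
    $IPTABLES -t filter -A FORWARD -i "$EXTIF" -s "$PING_TARGET" -d "$LOCALNET" \
        -p icmp --icmp-type echo-reply -m state --state ESTABLISHED -j ACCEPT
    say "Allow ICMP errors for our own flows (TRACEROUTE time-exceeded, PMTU fragmentation-needed)."
    # RELATED covers ttl-zero-during-transit for traceroute and, just as
    # important, fragmentation-needed: silently dropping that breaks
    # path-MTU discovery and shows up as large transfers that hang.
    $IPTABLES -t filter -A INPUT -i "$EXTIF" -p icmp -m state --state RELATED -j ACCEPT
    $IPTABLES -t filter -A FORWARD -i "$EXTIF" -d "$LOCALNET" -p icmp -m state --state RELATED -j ACCEPT

    say "----------FTP----------"
    # Data channels depend on the ftp conntrack helper (see load_modules):
    # active mode  = the server connects back from tcp/20 (RELATED SYN),
    # passive mode = the client connects to a server port >= 1024 announced
    #                in the PASV reply (RELATED on the first packet).
    say "Allow FTP(tcp/21) connection from firewall box to internet."
    allow_box_out tcp 21
    say "Allow ACTIVE FTP(tcp/20) data flow connection from firewall box to internet."
    $IPTABLES -t filter -A INPUT -i "$EXTIF" -p tcp --sport 20 -m state --state RELATED,ESTABLISHED -j ACCEPT
    $IPTABLES -t filter -A OUTPUT -o "$EXTIF" -p tcp --dport 20 -m state --state ESTABLISHED -j ACCEPT
    say "Allow PASSIVE FTP(tcp/client-port>=1024) data flow connection from firewall box to internet."
    $IPTABLES -t filter -A OUTPUT -o "$EXTIF" -p tcp --sport 1024: -m state --state RELATED,ESTABLISHED -j ACCEPT
    $IPTABLES -t filter -A INPUT -i "$EXTIF" -p tcp --dport 1024: -m state --state ESTABLISHED -j ACCEPT

    say "Allow FTP(tcp/21) connection from firewall box to localnet."
    $IPTABLES -t filter -A OUTPUT -o "$INTIF" -d "$LOCALNET" -p tcp --dport 21 -m state --state NEW,ESTABLISHED -j ACCEPT
    $IPTABLES -t filter -A INPUT -i "$INTIF" -s "$LOCALNET" -p tcp --sport 21 -m state --state ESTABLISHED -j ACCEPT
    say "Allow ACTIVE FTP(tcp/20) data flow connection from firewall box to localnet."
    $IPTABLES -t filter -A INPUT -i "$INTIF" -s "$LOCALNET" -p tcp --sport 20 -m state --state RELATED,ESTABLISHED -j ACCEPT
    $IPTABLES -t filter -A OUTPUT -o "$INTIF" -d "$LOCALNET" -p tcp --dport 20 -m state --state ESTABLISHED -j ACCEPT
    say "Allow PASSIVE FTP(tcp/client-port>=1024) data flow connection from firewall box to localnet."
    $IPTABLES -t filter -A OUTPUT -o "$INTIF" -d "$LOCALNET" -p tcp --sport 1024: -m state --state RELATED,ESTABLISHED -j ACCEPT
    $IPTABLES -t filter -A INPUT -i "$INTIF" -s "$LOCALNET" -p tcp --dport 1024: -m state --state ESTABLISHED -j ACCEPT

    say "Allow FTP(tcp/21) connection transit from localnet to internet."
    allow_transit tcp 21
    say "Allow ACTIVE FTP(tcp/20) data flow connection transit from localnet to internet."
    $IPTABLES -t filter -A FORWARD -i "$EXTIF" -d "$LOCALNET" -p tcp --sport 20 -m state --state RELATED,ESTABLISHED -j ACCEPT
    $IPTABLES -t filter -A FORWARD -i "$INTIF" -s "$LOCALNET" -p tcp --dport 20 -m state --state ESTABLISHED -j ACCEPT
    say "Allow PASSIVE FTP(tcp/client-port>=1024) data flow connection transit from localnet to internet."
    $IPTABLES -t filter -A FORWARD -i "$INTIF" -s "$LOCALNET" -p tcp --sport 1024: -m state --state RELATED,ESTABLISHED -j ACCEPT
    $IPTABLES -t filter -A FORWARD -i "$EXTIF" -d "$LOCALNET" -p tcp --dport 1024: -m state --state ESTABLISHED -j ACCEPT

    say "----------MAIL----------"
    say "Allow SMTP(tcp/25) connection transit from localnet to internet."
    allow_transit tcp 25
    say "Allow POP3(tcp/110) connection transit from localnet to internet."
    allow_transit tcp 110

    say "----------TELNET----------"
    # Cleartext protocol; kept because the original policy allowed it.
    say "Allow TELNET(tcp/23) connection transit from localnet to internet."
    allow_transit tcp 23

    say "----------SNMP----------"
    say "Allow SNMP(udp/161) query from firewall box to internet."
    allow_box_out udp 161

    say "----------PCAnyWhere----------"
    say "Allow PCAnyWhere(tcp/5631-udp/5632) connection transit from localnet to internet."
    allow_transit tcp 5631
    allow_transit udp 5632

    say "----------RealPlayer----------"
    # These rules were stateless in the original, which let any Internet
    # host reach the LAN simply by sending from source port 554 or 7070;
    # the helper admits only ESTABLISHED replies.
    say "Allow RealPlayer(tcp/554-tcp/7070) connection transit from localnet to internet."
    allow_transit tcp 554
    allow_transit tcp 7070
    # allow_transit udp 6970:7170

    say "----------Squid----------"
    say "Allow Proxy(tcp/3128) connection from localnet to firewall box."
    allow_lan_in tcp 3128
    say "Allow Proxy(tcp/d=9202,s=4028) connection from firewall box to internet."
    # NOTE(review): replies to a connection opened towards tcp/9202 carry
    # source port 9202, not 4028, so the INPUT rule below only matches if
    # the parent proxy really answers from 4028. Verify against the parent
    # proxy's actual ports before relying on this pair.
    $IPTABLES -t filter -A OUTPUT -o "$EXTIF" -p tcp --dport 9202 -m state --state NEW,ESTABLISHED -j ACCEPT
    $IPTABLES -t filter -A INPUT -i "$EXTIF" -p tcp --sport 4028 -m state --state ESTABLISHED -j ACCEPT

    say "----------Yahoo----------"
    # The original voice/video/game rules matched any source on $INTIF;
    # the helper restricts them to $LOCALNET like every other transit rule.
    say "Allow YM connection(tcp/5050) transit from localnet to internet."
    allow_transit tcp 5050
    say "Allow YM voice(tcp/5001-udp/5000) transit from localnet to internet."
    allow_transit tcp 5001
    allow_transit udp 5000
    say "Allow YM video(tcp/5100) transit from localnet to internet."
    allow_transit tcp 5100
    say "Allow Y-Game(tcp/11999) transit from localnet to internet."
    allow_transit tcp 11999

    say "----------MSN----------"
    # Stateless in the original (same source-port bypass as RealPlayer).
    say "Allow MSN Messenger(tcp/1863) connection from localnet to internet."
    allow_transit tcp 1863

    say "----------RADIUS----------"
    say "Allow RADIUS data flow between Remote-Access-Server and Secure-Server."
    # Any protocol in both directions, as in the original. Both hosts are
    # inside $LOCALNET, so the localnet-to-localnet rule below would also
    # cover them if their traffic enters and leaves via $INTIF.
    $IPTABLES -t filter -A FORWARD -s "$RADIUS_RAS" -d "$RADIUS_SRV" -j ACCEPT
    $IPTABLES -t filter -A FORWARD -s "$RADIUS_SRV" -d "$RADIUS_RAS" -j ACCEPT

    say "----------Corporation----------"
    say "Allow JAP (tcp/6544,6543) transit from localnet to internet."
    allow_transit tcp 6544
    allow_transit tcp 6543
    say "Allow any traffic between localnet hosts that is routed through the firewall box."
    # The original installed this rule twice (with -s/-d swapped, which is
    # the same match) and labelled it HTTP; it admits every protocol.
    $IPTABLES -t filter -A FORWARD -i "$INTIF" -o "$INTIF" -s "$LOCALNET" -d "$LOCALNET" -j ACCEPT

    say "Log what is about to hit the DROP policy (rate limited)."
    $IPTABLES -t filter -A INPUT -m limit --limit 5/min -j LOG --log-prefix "FW-INPUT-DROP: "
    $IPTABLES -t filter -A FORWARD -m limit --limit 5/min -j LOG --log-prefix "FW-FORWARD-DROP: "

    say "Kernel flags: IP forwarding (enabled last, FORWARD chain is now complete)."
    echo 1 > /proc/sys/net/ipv4/ip_forward
    echo " -[Ok]-"
}

stop() {
    echo "Stopping firewall . . ."
    # Stop is fail-open for the box itself (the usual init-script
    # convention), but a stopped firewall must not keep routing the LAN
    # unfiltered, so forwarding is switched off first.
    say "Disable IP forwarding."
    echo 0 > /proc/sys/net/ipv4/ip_forward
    say "Flush filter table, remove user defined chains, zero counters."
    $IPTABLES -t filter -F
    $IPTABLES -t filter -X
    $IPTABLES -t filter -Z
    say "Change filter policy to ACCEPT."
    $IPTABLES -t filter -P INPUT ACCEPT
    $IPTABLES -t filter -P OUTPUT ACCEPT
    $IPTABLES -t filter -P FORWARD ACCEPT
    echo " -[Ok]-"
}

case "${1:-}" in
    start)
        start
        ;;
    stop)
        stop
        ;;
    restart)
        # start() flushes and rebuilds in place, so there is no need to pass
        # through the fail-open state that stop() would create.
        start
        ;;
    status)
        # No pager: an init script may run without a terminal.
        $IPTABLES -t filter -L -nxv --line-numbers
        ;;
    *)
        echo "Usage: $0 {start|stop|restart|status}" >&2
        exit 1
        ;;
esac
exit 0

********************************************************************************

_BY: Pejman Moghadam_
_TAG: firewall, iptables, bash-script, bash_
_DATE: 2003-11-17 17:25:10_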