As everyone knows, security depends on defense in depth. (And if you didn't know before, you do now!) The idea is that defense should take place in layers, from the edge of the network to the heart of the system. That's why we have firewalls, anti-virus, intrusion detection, anti-spam, and kernel and compiler hardening mechanisms. But just because you have a firewall at the edge of the network doesn't mean you can skip the host-based firewall.
The most common Linux host-based firewall is probably iptables. Unfortunately, iptables can be incredibly complex to configure correctly. There are lots of tools to help with this; my favorite has to be firehol, both from an ease-of-use standpoint and from a "don't kill me while I'm testing" standpoint. If you are not careful while editing iptables rules, it is actually fairly easy to lock yourself out.
Say you are logged in to your server remotely via ssh. You edit your iptables firewall rules and disable ssh (port 22) by placing a comment marker on the wrong line. You HUP the firewall and BANG, you're locked out. The way firehol gets around this is to generate rules that accept all ESTABLISHED and RELATED connections. So you're connected via ssh, you change the firehol config, you restart the service, and you are still connected. Now you start another shell and try to log in; if you find that you can't, you return to the still-open connection, fix the error, restart, and so on.
To show how firehol works, here is a sample firehol.conf followed by the iptables firewall rules that it generated.
interface eth0 internal src "192.168.1.0/24" dst 192.168.1.10/32
    policy drop
    server ICMP accept
    server dns accept
    server ftp accept
    server ident accept
    server microsoft_ds accept
    server mysql accept
    server samba accept
    server time accept
    server ssh accept
    server http accept
    server https accept
    server ntp accept
    server vnc accept
    server webmin accept
    server smtp accept
    server pop3 accept
    client all accept

interface eth0 outside src not "${UNROUTABLE_IPS} 192.168.1.0/24" dst 192.168.1.10/32
    policy drop
    server ICMP accept
    server dns accept
    server ftp accept
    server http accept
    server https accept
    server ntp accept
    server smtp accept
    server pop3 accept
    client all accept

interface lo loopback src "127.0.0.0/8" dst "127.0.0.0/8 192.168.1.10/32"
    policy accept
Generated rules:
# Generated by iptables-save v1.2.11 on Wed Dec 7 14:49:09 2005
*mangle
:PREROUTING ACCEPT [7340:1260938]
:INPUT ACCEPT [7296:1245746]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [7454:4772446]
:POSTROUTING ACCEPT [7468:4775764]
COMMIT
# Completed on Wed Dec 7 14:49:09 2005
# Generated by iptables-save v1.2.11 on Wed Dec 7 14:49:09 2005
*nat
:PREROUTING ACCEPT [340:49114]
:POSTROUTING ACCEPT [19:2454]
:OUTPUT ACCEPT [19:2454]
COMMIT
# Completed on Wed Dec 7 14:49:09 2005
# Generated by iptables-save v1.2.11 on Wed Dec 7 14:49:09 2005
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
:in_internal - [0:0]
:in_internal_ICMP_s1 - [0:0]
:in_internal_all_c14 - [0:0]
:in_internal_dns_s2 - [0:0]
:in_internal_ftp_c16 - [0:0]
:in_internal_ftp_s3 - [0:0]
:in_internal_http_s10 - [0:0]
:in_internal_https_s11 - [0:0]
:in_internal_ident_s4 - [0:0]
:in_internal_irc_c15 - [0:0]
:in_internal_microsoft_ds_s5 - [0:0]
:in_internal_mysql_s6 - [0:0]
:in_internal_ntp_s12 - [0:0]
:in_internal_samba_s7 - [0:0]
:in_internal_ssh_s9 - [0:0]
:in_internal_time_s8 - [0:0]
:in_internal_webmin_s13 - [0:0]
:in_loopback - [0:0]
:in_outside - [0:0]
:in_outside_ICMP_s1 - [0:0]
:in_outside_all_c9 - [0:0]
:in_outside_dns_s2 - [0:0]
:in_outside_ftp_c11 - [0:0]
:in_outside_ftp_s3 - [0:0]
:in_outside_http_s4 - [0:0]
:in_outside_https_s5 - [0:0]
:in_outside_irc_c10 - [0:0]
:in_outside_ntp_s6 - [0:0]
:in_outside_ssh_s7 - [0:0]
:in_outside_webmin_s8 - [0:0]
:out_internal - [0:0]
:out_internal_ICMP_s1 - [0:0]
:out_internal_all_c14 - [0:0]
:out_internal_dns_s2 - [0:0]
:out_internal_ftp_c16 - [0:0]
:out_internal_ftp_s3 - [0:0]
:out_internal_http_s10 - [0:0]
:out_internal_https_s11 - [0:0]
:out_internal_ident_s4 - [0:0]
:out_internal_irc_c15 - [0:0]
:out_internal_microsoft_ds_s5 - [0:0]
:out_internal_mysql_s6 - [0:0]
:out_internal_ntp_s12 - [0:0]
:out_internal_samba_s7 - [0:0]
:out_internal_ssh_s9 - [0:0]
:out_internal_time_s8 - [0:0]
:out_internal_webmin_s13 - [0:0]
:out_loopback - [0:0]
:out_outside - [0:0]
:out_outside_ICMP_s1 - [0:0]
:out_outside_all_c9 - [0:0]
:out_outside_dns_s2 - [0:0]
:out_outside_ftp_c11 - [0:0]
:out_outside_ftp_s3 - [0:0]
:out_outside_http_s4 - [0:0]
:out_outside_https_s5 - [0:0]
:out_outside_irc_c10 - [0:0]
:out_outside_ntp_s6 - [0:0]
:out_outside_ssh_s7 - [0:0]
:out_outside_webmin_s8 - [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -s 192.168.1.0/255.255.255.0 -d 192.168.1.10 -i eth0 -j in_internal
-A INPUT -d 192.168.1.10 -i eth0 -j in_outside
-A INPUT -s 127.0.0.0/255.0.0.0 -d 127.0.0.0/255.0.0.0 -i lo -j in_loopback
-A INPUT -s 127.0.0.0/255.0.0.0 -d 192.168.1.10 -i lo -j in_loopback
-A INPUT -m state --state RELATED -j ACCEPT
-A INPUT -m limit --limit 1/sec -j LOG --log-prefix "IN-unknown:"
-A INPUT -j DROP
-A FORWARD -m state --state RELATED -j ACCEPT
-A FORWARD -m limit --limit 1/sec -j LOG --log-prefix "PASS-unknown:"
-A FORWARD -j DROP
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -s 192.168.1.10 -d 192.168.1.0/255.255.255.0 -o eth0 -j out_internal
-A OUTPUT -s 192.168.1.10 -o eth0 -j out_outside
-A OUTPUT -s 127.0.0.0/255.0.0.0 -d 127.0.0.0/255.0.0.0 -o lo -j out_loopback
-A OUTPUT -s 192.168.1.10 -d 127.0.0.0/255.0.0.0 -o lo -j out_loopback
-A OUTPUT -m state --state RELATED -j ACCEPT
-A OUTPUT -m limit --limit 1/sec -j LOG --log-prefix "OUT-unknown:"
-A OUTPUT -j DROP
-A in_internal -j in_internal_ICMP_s1
-A in_internal -j in_internal_dns_s2
-A in_internal -j in_internal_ftp_s3
-A in_internal -j in_internal_ident_s4
-A in_internal -j in_internal_microsoft_ds_s5
-A in_internal -j in_internal_mysql_s6
-A in_internal -j in_internal_samba_s7
-A in_internal -j in_internal_time_s8
-A in_internal -j in_internal_ssh_s9
-A in_internal -j in_internal_http_s10
-A in_internal -j in_internal_https_s11
-A in_internal -j in_internal_ntp_s12
-A in_internal -j in_internal_webmin_s13
-A in_internal -j in_internal_all_c14
-A in_internal -j in_internal_irc_c15
-A in_internal -j in_internal_ftp_c16
-A in_internal -m state --state RELATED -j ACCEPT
-A in_internal -m limit --limit 1/sec -j LOG --log-prefix "IN-internal:"
-A in_internal -j DROP
-A in_internal_ICMP_s1 -p icmp -m state --state NEW,ESTABLISHED -j ACCEPT
-A in_internal_all_c14 -m state --state ESTABLISHED -j ACCEPT
-A in_internal_dns_s2 -p udp -m udp --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT
-A in_internal_dns_s2 -p tcp -m tcp --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT
-A in_internal_ftp_c16 -p tcp -m tcp --sport 21 --dport 1024:4999 -m state --state ESTABLISHED -j ACCEPT
-A in_internal_ftp_c16 -p tcp -m tcp --sport 20 --dport 1024:4999 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A in_internal_ftp_c16 -p tcp -m tcp --sport 1024:65535 --dport 1024:4999 -m state --state ESTABLISHED -j ACCEPT
-A in_internal_ftp_s3 -p tcp -m tcp --sport 1024:65535 --dport 21 -m state --state NEW,ESTABLISHED -j ACCEPT
-A in_internal_ftp_s3 -p tcp -m tcp --sport 1024:65535 --dport 20 -m state --state ESTABLISHED -j ACCEPT
-A in_internal_ftp_s3 -p tcp -m tcp --sport 1024:65535 --dport 1024:4999 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A in_internal_http_s10 -p tcp -m tcp --sport 1024:65535 --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT
-A in_internal_https_s11 -p tcp -m tcp --sport 1024:65535 --dport 443 -m state --state NEW,ESTABLISHED -j ACCEPT
-A in_internal_ident_s4 -p tcp -m tcp --sport 1024:65535 --dport 113 -m state --state NEW,ESTABLISHED -j ACCEPT
-A in_internal_irc_c15 -p tcp -m tcp --sport 6667 --dport 1024:4999 -m state --state ESTABLISHED -j ACCEPT
-A in_internal_microsoft_ds_s5 -p tcp -m tcp --sport 1024:65535 --dport 445 -m state --state NEW,ESTABLISHED -j ACCEPT
-A in_internal_mysql_s6 -p tcp -m tcp --sport 1024:65535 --dport 3306 -m state --state NEW,ESTABLISHED -j ACCEPT
-A in_internal_ntp_s12 -p udp -m udp --sport 123 --dport 123 -m state --state NEW,ESTABLISHED -j ACCEPT
-A in_internal_ntp_s12 -p udp -m udp --sport 1024:65535 --dport 123 -m state --state NEW,ESTABLISHED -j ACCEPT
-A in_internal_ntp_s12 -p tcp -m tcp --sport 123 --dport 123 -m state --state NEW,ESTABLISHED -j ACCEPT
-A in_internal_ntp_s12 -p tcp -m tcp --sport 1024:65535 --dport 123 -m state --state NEW,ESTABLISHED -j ACCEPT
-A in_internal_samba_s7 -p udp -m udp --sport 137 --dport 137 -m state --state NEW,ESTABLISHED -j ACCEPT
-A in_internal_samba_s7 -p udp -m udp --sport 1024:65535 --dport 137 -m state --state NEW,ESTABLISHED -j ACCEPT
-A in_internal_samba_s7 -p udp -m udp --sport 138 --dport 138 -m state --state NEW,ESTABLISHED -j ACCEPT
-A in_internal_samba_s7 -p udp -m udp --sport 1024:65535 --dport 138 -m state --state NEW,ESTABLISHED -j ACCEPT
-A in_internal_samba_s7 -p tcp -m tcp --sport 1024:65535 --dport 139 -m state --state NEW,ESTABLISHED -j ACCEPT
-A in_internal_samba_s7 -p tcp -m tcp --sport 1024:65535 --dport 445 -m state --state NEW,ESTABLISHED -j ACCEPT
-A in_internal_ssh_s9 -p tcp -m tcp --sport 1024:65535 --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT
-A in_internal_time_s8 -p tcp -m tcp --sport 1024:65535 --dport 37 -m state --state NEW,ESTABLISHED -j ACCEPT
-A in_internal_time_s8 -p udp -m udp --sport 1024:65535 --dport 37 -m state --state NEW,ESTABLISHED -j ACCEPT
-A in_internal_webmin_s13 -p tcp -m tcp --sport 1024:65535 --dport 10000 -m state --state NEW,ESTABLISHED -j ACCEPT
-A in_loopback -m state --state RELATED -j ACCEPT
-A in_loopback -j ACCEPT
-A in_outside -s 0.0.0.0/254.0.0.0 -j RETURN
-A in_outside -s 2.0.0.0/255.0.0.0 -j RETURN
-A in_outside -s 5.0.0.0/255.0.0.0 -j RETURN
-A in_outside -s 7.0.0.0/255.0.0.0 -j RETURN
-A in_outside -s 23.0.0.0/255.0.0.0 -j RETURN
-A in_outside -s 27.0.0.0/255.0.0.0 -j RETURN
-A in_outside -s 31.0.0.0/255.0.0.0 -j RETURN
-A in_outside -s 36.0.0.0/254.0.0.0 -j RETURN
-A in_outside -s 39.0.0.0/255.0.0.0 -j RETURN
-A in_outside -s 41.0.0.0/255.0.0.0 -j RETURN
-A in_outside -s 42.0.0.0/255.0.0.0 -j RETURN
-A in_outside -s 73.0.0.0/255.0.0.0 -j RETURN
-A in_outside -s 74.0.0.0/254.0.0.0 -j RETURN
-A in_outside -s 76.0.0.0/252.0.0.0 -j RETURN
-A in_outside -s 89.0.0.0/255.0.0.0 -j RETURN
-A in_outside -s 90.0.0.0/254.0.0.0 -j RETURN
-A in_outside -s 92.0.0.0/252.0.0.0 -j RETURN
-A in_outside -s 96.0.0.0/224.0.0.0 -j RETURN
-A in_outside -s 173.0.0.0/255.0.0.0 -j RETURN
-A in_outside -s 174.0.0.0/254.0.0.0 -j RETURN
-A in_outside -s 176.0.0.0/248.0.0.0 -j RETURN
-A in_outside -s 184.0.0.0/252.0.0.0 -j RETURN
-A in_outside -s 189.0.0.0/255.0.0.0 -j RETURN
-A in_outside -s 190.0.0.0/255.0.0.0 -j RETURN
-A in_outside -s 197.0.0.0/255.0.0.0 -j RETURN
-A in_outside -s 223.0.0.0/255.0.0.0 -j RETURN
-A in_outside -s 240.0.0.0/240.0.0.0 -j RETURN
-A in_outside -s 10.0.0.0/255.0.0.0 -j RETURN
-A in_outside -s 169.254.0.0/255.255.0.0 -j RETURN
-A in_outside -s 172.16.0.0/255.240.0.0 -j RETURN
-A in_outside -s 192.0.2.0/255.255.255.0 -j RETURN
-A in_outside -s 192.88.99.0/255.255.255.0 -j RETURN
-A in_outside -s 192.168.0.0/255.255.0.0 -j RETURN
-A in_outside -s 192.168.1.0/255.255.255.0 -j RETURN
-A in_outside -j in_outside_ICMP_s1
-A in_outside -j in_outside_dns_s2
-A in_outside -j in_outside_ftp_s3
-A in_outside -j in_outside_http_s4
-A in_outside -j in_outside_https_s5
-A in_outside -j in_outside_ntp_s6
-A in_outside -j in_outside_ssh_s7
-A in_outside -j in_outside_webmin_s8
-A in_outside -j in_outside_all_c9
-A in_outside -j in_outside_irc_c10
-A in_outside -j in_outside_ftp_c11
-A in_outside -m state --state RELATED -j ACCEPT
-A in_outside -m limit --limit 1/sec -j LOG --log-prefix "IN-outside:"
-A in_outside -j DROP
-A in_outside_ICMP_s1 -p icmp -m state --state NEW,ESTABLISHED -j ACCEPT
-A in_outside_all_c9 -m state --state ESTABLISHED -j ACCEPT
-A in_outside_dns_s2 -p udp -m udp --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT
-A in_outside_dns_s2 -p tcp -m tcp --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT
-A in_outside_ftp_c11 -p tcp -m tcp --sport 21 --dport 1024:4999 -m state --state ESTABLISHED -j ACCEPT
-A in_outside_ftp_c11 -p tcp -m tcp --sport 20 --dport 1024:4999 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A in_outside_ftp_c11 -p tcp -m tcp --sport 1024:65535 --dport 1024:4999 -m state --state ESTABLISHED -j ACCEPT
-A in_outside_ftp_s3 -p tcp -m tcp --sport 1024:65535 --dport 21 -m state --state NEW,ESTABLISHED -j ACCEPT
-A in_outside_ftp_s3 -p tcp -m tcp --sport 1024:65535 --dport 20 -m state --state ESTABLISHED -j ACCEPT
-A in_outside_ftp_s3 -p tcp -m tcp --sport 1024:65535 --dport 1024:4999 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A in_outside_http_s4 -p tcp -m tcp --sport 1024:65535 --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT
-A in_outside_https_s5 -p tcp -m tcp --sport 1024:65535 --dport 443 -m state --state NEW,ESTABLISHED -j ACCEPT
-A in_outside_irc_c10 -p tcp -m tcp --sport 6667 --dport 1024:4999 -m state --state ESTABLISHED -j ACCEPT
-A in_outside_ntp_s6 -p udp -m udp --sport 123 --dport 123 -m state --state NEW,ESTABLISHED -j ACCEPT
-A in_outside_ntp_s6 -p udp -m udp --sport 1024:65535 --dport 123 -m state --state NEW,ESTABLISHED -j ACCEPT
-A in_outside_ntp_s6 -p tcp -m tcp --sport 123 --dport 123 -m state --state NEW,ESTABLISHED -j ACCEPT
-A in_outside_ntp_s6 -p tcp -m tcp --sport 1024:65535 --dport 123 -m state --state NEW,ESTABLISHED -j ACCEPT
-A in_outside_ssh_s7 -p tcp -m tcp --sport 1024:65535 --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT
-A in_outside_webmin_s8 -p tcp -m tcp --sport 1024:65535 --dport 10000 -m state --state NEW,ESTABLISHED -j ACCEPT
-A out_internal -j out_internal_ICMP_s1
-A out_internal -j out_internal_dns_s2
-A out_internal -j out_internal_ftp_s3
-A out_internal -j out_internal_ident_s4
-A out_internal -j out_internal_microsoft_ds_s5
-A out_internal -j out_internal_mysql_s6
-A out_internal -j out_internal_samba_s7
-A out_internal -j out_internal_time_s8
-A out_internal -j out_internal_ssh_s9
-A out_internal -j out_internal_http_s10
-A out_internal -j out_internal_https_s11
-A out_internal -j out_internal_ntp_s12
-A out_internal -j out_internal_webmin_s13
-A out_internal -j out_internal_all_c14
-A out_internal -j out_internal_irc_c15
-A out_internal -j out_internal_ftp_c16
-A out_internal -m state --state RELATED -j ACCEPT
-A out_internal -m limit --limit 1/sec -j LOG --log-prefix "OUT-internal:"
-A out_internal -j DROP
-A out_internal_ICMP_s1 -p icmp -m state --state ESTABLISHED -j ACCEPT
-A out_internal_all_c14 -m state --state NEW,ESTABLISHED -j ACCEPT
-A out_internal_dns_s2 -p udp -m udp --sport 53 -m state --state ESTABLISHED -j ACCEPT
-A out_internal_dns_s2 -p tcp -m tcp --sport 53 -m state --state ESTABLISHED -j ACCEPT
-A out_internal_ftp_c16 -p tcp -m tcp --sport 1024:4999 --dport 21 -m state --state NEW,ESTABLISHED -j ACCEPT
-A out_internal_ftp_c16 -p tcp -m tcp --sport 1024:4999 --dport 20 -m state --state ESTABLISHED -j ACCEPT
-A out_internal_ftp_c16 -p tcp -m tcp --sport 1024:4999 --dport 1024:65535 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A out_internal_ftp_s3 -p tcp -m tcp --sport 21 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
-A out_internal_ftp_s3 -p tcp -m tcp --sport 20 --dport 1024:65535 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A out_internal_ftp_s3 -p tcp -m tcp --sport 1024:4999 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
-A out_internal_http_s10 -p tcp -m tcp --sport 80 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
-A out_internal_https_s11 -p tcp -m tcp --sport 443 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
-A out_internal_ident_s4 -p tcp -m tcp --sport 113 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
-A out_internal_irc_c15 -p tcp -m tcp --sport 1024:4999 --dport 6667 -m state --state NEW,ESTABLISHED -j ACCEPT
-A out_internal_microsoft_ds_s5 -p tcp -m tcp --sport 445 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
-A out_internal_mysql_s6 -p tcp -m tcp --sport 3306 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
-A out_internal_ntp_s12 -p udp -m udp --sport 123 --dport 123 -m state --state ESTABLISHED -j ACCEPT
-A out_internal_ntp_s12 -p udp -m udp --sport 123 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
-A out_internal_ntp_s12 -p tcp -m tcp --sport 123 --dport 123 -m state --state ESTABLISHED -j ACCEPT
-A out_internal_ntp_s12 -p tcp -m tcp --sport 123 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
-A out_internal_samba_s7 -p udp -m udp --sport 137 --dport 137 -m state --state NEW,ESTABLISHED -j ACCEPT
-A out_internal_samba_s7 -p udp -m udp --sport 137 --dport 1024:65535 -m state --state NEW,ESTABLISHED -j ACCEPT
-A out_internal_samba_s7 -p udp -m udp --sport 138 --dport 138 -m state --state ESTABLISHED -j ACCEPT
-A out_internal_samba_s7 -p udp -m udp --sport 138 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
-A out_internal_samba_s7 -p tcp -m tcp --sport 139 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
-A out_internal_samba_s7 -p tcp -m tcp --sport 445 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
-A out_internal_ssh_s9 -p tcp -m tcp --sport 22 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
-A out_internal_time_s8 -p tcp -m tcp --sport 37 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
-A out_internal_time_s8 -p udp -m udp --sport 37 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
-A out_internal_webmin_s13 -p tcp -m tcp --sport 10000 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
-A out_loopback -m state --state RELATED -j ACCEPT
-A out_loopback -j ACCEPT
-A out_outside -d 0.0.0.0/254.0.0.0 -j RETURN
-A out_outside -d 2.0.0.0/255.0.0.0 -j RETURN
-A out_outside -d 5.0.0.0/255.0.0.0 -j RETURN
-A out_outside -d 7.0.0.0/255.0.0.0 -j RETURN
-A out_outside -d 23.0.0.0/255.0.0.0 -j RETURN
-A out_outside -d 27.0.0.0/255.0.0.0 -j RETURN
-A out_outside -d 31.0.0.0/255.0.0.0 -j RETURN
-A out_outside -d 36.0.0.0/254.0.0.0 -j RETURN
-A out_outside -d 39.0.0.0/255.0.0.0 -j RETURN
-A out_outside -d 41.0.0.0/255.0.0.0 -j RETURN
-A out_outside -d 42.0.0.0/255.0.0.0 -j RETURN
-A out_outside -d 73.0.0.0/255.0.0.0 -j RETURN
-A out_outside -d 74.0.0.0/254.0.0.0 -j RETURN
-A out_outside -d 76.0.0.0/252.0.0.0 -j RETURN
-A out_outside -d 89.0.0.0/255.0.0.0 -j RETURN
-A out_outside -d 90.0.0.0/254.0.0.0 -j RETURN
-A out_outside -d 92.0.0.0/252.0.0.0 -j RETURN
-A out_outside -d 96.0.0.0/224.0.0.0 -j RETURN
-A out_outside -d 173.0.0.0/255.0.0.0 -j RETURN
-A out_outside -d 174.0.0.0/254.0.0.0 -j RETURN
-A out_outside -d 176.0.0.0/248.0.0.0 -j RETURN
-A out_outside -d 184.0.0.0/252.0.0.0 -j RETURN
-A out_outside -d 189.0.0.0/255.0.0.0 -j RETURN
-A out_outside -d 190.0.0.0/255.0.0.0 -j RETURN
-A out_outside -d 197.0.0.0/255.0.0.0 -j RETURN
-A out_outside -d 223.0.0.0/255.0.0.0 -j RETURN
-A out_outside -d 240.0.0.0/240.0.0.0 -j RETURN
-A out_outside -d 10.0.0.0/255.0.0.0 -j RETURN
-A out_outside -d 169.254.0.0/255.255.0.0 -j RETURN
-A out_outside -d 172.16.0.0/255.240.0.0 -j RETURN
-A out_outside -d 192.0.2.0/255.255.255.0 -j RETURN
-A out_outside -d 192.88.99.0/255.255.255.0 -j RETURN
-A out_outside -d 192.168.0.0/255.255.0.0 -j RETURN
-A out_outside -d 192.168.1.0/255.255.255.0 -j RETURN
-A out_outside -j out_outside_ICMP_s1
-A out_outside -j out_outside_dns_s2
-A out_outside -j out_outside_ftp_s3
-A out_outside -j out_outside_http_s4
-A out_outside -j out_outside_https_s5
-A out_outside -j out_outside_ntp_s6
-A out_outside -j out_outside_ssh_s7
-A out_outside -j out_outside_webmin_s8
-A out_outside -j out_outside_all_c9
-A out_outside -j out_outside_irc_c10
-A out_outside -j out_outside_ftp_c11
-A out_outside -m state --state RELATED -j ACCEPT
-A out_outside -m limit --limit 1/sec -j LOG --log-prefix "OUT-outside:"
-A out_outside -j DROP
-A out_outside_ICMP_s1 -p icmp -m state --state ESTABLISHED -j ACCEPT
-A out_outside_all_c9 -m state --state NEW,ESTABLISHED -j ACCEPT
-A out_outside_dns_s2 -p udp -m udp --sport 53 -m state --state ESTABLISHED -j ACCEPT
-A out_outside_dns_s2 -p tcp -m tcp --sport 53 -m state --state ESTABLISHED -j ACCEPT
-A out_outside_ftp_c11 -p tcp -m tcp --sport 1024:4999 --dport 21 -m state --state NEW,ESTABLISHED -j ACCEPT
-A out_outside_ftp_c11 -p tcp -m tcp --sport 1024:4999 --dport 20 -m state --state ESTABLISHED -j ACCEPT
-A out_outside_ftp_c11 -p tcp -m tcp --sport 1024:4999 --dport 1024:65535 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A out_outside_ftp_s3 -p tcp -m tcp --sport 21 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
-A out_outside_ftp_s3 -p tcp -m tcp --sport 20 --dport 1024:65535 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A out_outside_ftp_s3 -p tcp -m tcp --sport 1024:4999 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
-A out_outside_http_s4 -p tcp -m tcp --sport 80 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
-A out_outside_https_s5 -p tcp -m tcp --sport 443 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
-A out_outside_irc_c10 -p tcp -m tcp --sport 1024:4999 --dport 6667 -m state --state NEW,ESTABLISHED -j ACCEPT
-A out_outside_ntp_s6 -p udp -m udp --sport 123 --dport 123 -m state --state ESTABLISHED -j ACCEPT
-A out_outside_ntp_s6 -p udp -m udp --sport 123 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
-A out_outside_ntp_s6 -p tcp -m tcp --sport 123 --dport 123 -m state --state ESTABLISHED -j ACCEPT
-A out_outside_ntp_s6 -p tcp -m tcp --sport 123 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
-A out_outside_ssh_s7 -p tcp -m tcp --sport 22 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
-A out_outside_webmin_s8 -p tcp -m tcp --sport 10000 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
COMMIT
# Completed on Wed Dec 7 14:49:09 2005
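A rule set this long is hard to audit by eye, and the whole point of the post is knowing before you reload whether your existing ssh session will survive. The small evaluator below is an added example written for this post (it is not firehol code and not from the original article): it parses iptables-save lines, walks INPUT the way netfilter does (jumps into user chains, RETURN back to the caller, chain policy as the fallback) and answers whether a given packet is accepted. It runs over a constructed excerpt of the generated rules above; the chain names and addresses are the page's, the packet values in the test are made up.

```python
import ipaddress
import shlex

# Constructed excerpt of the generated INPUT rules shown above (sub-chain declarations omitted).
RULES = """
:INPUT DROP [0:0]
-A INPUT -s 192.168.1.0/255.255.255.0 -d 192.168.1.10 -i eth0 -j in_internal
-A INPUT -d 192.168.1.10 -i eth0 -j in_outside
-A INPUT -m state --state RELATED -j ACCEPT
-A INPUT -m limit --limit 1/sec -j LOG --log-prefix "IN-unknown:"
-A INPUT -j DROP
-A in_internal -j in_internal_ssh_s9
-A in_internal -j in_internal_all_c14
-A in_internal_ssh_s9 -p tcp -m tcp --sport 1024:65535 --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT
-A in_internal_all_c14 -m state --state ESTABLISHED -j ACCEPT
-A in_outside -s 10.0.0.0/255.0.0.0 -j RETURN
-A in_outside -j in_outside_ssh_s7
-A in_outside_ssh_s7 -p tcp -m tcp --sport 1024:65535 --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT
"""

def parse(text):
    """Return ({chain: [rule dicts]}, {chain: policy}) from iptables-save lines."""
    chains, policies = {}, {}
    for line in text.splitlines():
        if line.startswith(":"):                         # ":NAME POLICY [pkts:bytes]"
            policies.update([line[1:].split()[:2]])
        elif line.startswith("-A "):                     # "-A CHAIN flag value ..."
            tok = shlex.split(line)[1:]
            chains.setdefault(tok[0], []).append(dict(zip(tok[1::2], tok[2::2])))
    return chains, policies

def matches(rule, pkt):
    """True when every match option on the rule fits pkt (pkt keys mirror the flags)."""
    for flag, want in rule.items():
        have = pkt.get(flag)
        if flag in ("-j", "-m", "--limit", "--log-prefix"):
            continue                                     # target and module options
        if flag in ("-s", "-d"):                         # host, CIDR or address/netmask
            ok = ipaddress.ip_address(have) in ipaddress.ip_network(want, strict=False)
        elif flag in ("--sport", "--dport"):             # "22" or "1024:65535"
            lo, _, hi = want.partition(":")
            ok = int(lo) <= have <= int(hi or lo)
        elif flag == "--state":
            ok = have in want.split(",")
        else:                                            # -i, -o, -p: exact match
            ok = have == want
        if not ok:
            return False
    return True

def walk(chains, chain, pkt):
    """Verdict from one chain, or None when it RETURNs or falls off the end."""
    for rule in chains[chain]:
        if not matches(rule, pkt):
            continue
        target = rule.get("-j")
        if target in ("ACCEPT", "DROP", "REJECT", "RETURN"):
            return None if target == "RETURN" else target
        if target in chains and (result := walk(chains, target, pkt)):
            return result                                # LOG and the like fall through
    return None

def verdict(text, pkt, chain="INPUT"):
    chains, policies = parse(text)
    return walk(chains, chain, pkt) or policies[chain]
```

Packets are plain dicts keyed by the iptables option names, e.g. {"-i": "eth0", "-s": "192.168.1.50", "-d": "192.168.1.10", "-p": "tcp", "--sport": 40000, "--dport": 22, "--state": "ESTABLISHED"}. With the excerpt above, that established LAN ssh packet is accepted, a NEW connection from a 10/8 source hits the RETURN in in_outside and falls back to the INPUT DROP, and a RELATED packet on any port is accepted by the generic RELATED rule.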