evardsson.com: stuff that w0rks

As everyone knows, security depends on defense-in-depth. (And if you didn’t before, you do now!) The idea being that defense should take place in layers, from the edge of the network to the heart of the system. That’s why we have firewalls, anti-virus, intrusion detection, anti-spam and kernel and compiler hardening mechanisms. But just because you have a firewall at the edge of the network doesn’t mean you can skip the host-based firewall.

The most common Linux host-based firewall is probably iptables. Unfortunately, iptables can be incredibly complex to configure correctly. There are lots of tools to help with this. My favorite has to be firehol. Both from an ease of use standpoint, and from a “don’t kill me while I’m testing” sort of operation. If you are not careful while editing iptables rules it is actually fairly easy to lock yourself out.

Say you are remote in your server via ssh. You edit your iptables firewall rules and disable shh port 22 by placing a comment marker in the wrong line. You HUP the firewall and BANG you’re locked out. The way firehol gets around this is to generate a rule to accept all ESTABLISHED and RELATED connections. So you’re connected via ssh, change the firehol configs, restart the service and you are still connected. Now you start another shell and try to log in and when you find that you can’t you can return to the open connection, fix the error and restart, and so on.

In the interest of showing how firehol works, here is a sample firehol.conf and the generated iptables firewall rules that it created.

interface eth0 internal src "192.168.1.0/24" dst 192.168.1.10/32
  	policy drop
  	server ICMP accept
  	server dns accept
  	server ftp accept
  	server ident accept
  	server microsoft_ds accept
  	server mysql accept
  	server samba accept
  	server time accept
  	server ssh accept
  	server http accept
  	server https accept
  	server ntp accept
  	server vnc accept
  	server webmin accept
  	server smtp accept
  	server pop3 accept
  	client all accept
  interface eth0 outside src not "${UNROUTABLE_IPS} 192.168.1.0/24" dst 192.168.1.10/32
  	policy drop
  	server ICMP accept
  	server dns accept
  	server ftp accept
  	server http accept
  	server https accept
  	server ntp accept
  	server smtp accept
  	server pop3 accept
  	client all accept
  interface lo loopback src "127.0.0.0/8" dst "127.0.0.0/8 192.168.1.10/32"
  	policy accept

Generated rules:

# Generated by iptables-save v1.2.11 on Wed Dec  7 14:49:09 2005
 *mangle
 :PREROUTING ACCEPT [7340:1260938]
 :INPUT ACCEPT [7296:1245746]
 :FORWARD ACCEPT [0:0]
 :OUTPUT ACCEPT [7454:4772446]
 :POSTROUTING ACCEPT [7468:4775764]
 COMMIT
 # Completed on Wed Dec  7 14:49:09 2005
 # Generated by iptables-save v1.2.11 on Wed Dec  7 14:49:09 2005
 *nat
 :PREROUTING ACCEPT [340:49114]
 :POSTROUTING ACCEPT [19:2454]
 :OUTPUT ACCEPT [19:2454]
 COMMIT
 # Completed on Wed Dec  7 14:49:09 2005
 # Generated by iptables-save v1.2.11 on Wed Dec  7 14:49:09 2005
 *filter
 :INPUT DROP [0:0]
 :FORWARD DROP [0:0]
 :OUTPUT DROP [0:0]
 :in_internal - [0:0]
 :in_internal_ICMP_s1 - [0:0]
 :in_internal_all_c14 - [0:0]
 :in_internal_dns_s2 - [0:0]
 :in_internal_ftp_c16 - [0:0]
 :in_internal_ftp_s3 - [0:0]
 :in_internal_http_s10 - [0:0]
 :in_internal_https_s11 - [0:0]
 :in_internal_ident_s4 - [0:0]
 :in_internal_irc_c15 - [0:0]
 :in_internal_microsoft_ds_s5 - [0:0]
 :in_internal_mysql_s6 - [0:0]
 :in_internal_ntp_s12 - [0:0]
 :in_internal_samba_s7 - [0:0]
 :in_internal_ssh_s9 - [0:0]
 :in_internal_time_s8 - [0:0]
 :in_internal_webmin_s13 - [0:0]
 :in_loopback - [0:0]
 :in_outside - [0:0]
 :in_outside_ICMP_s1 - [0:0]
 :in_outside_all_c9 - [0:0]
 :in_outside_dns_s2 - [0:0]
 :in_outside_ftp_c11 - [0:0]
 :in_outside_ftp_s3 - [0:0]
 :in_outside_http_s4 - [0:0]
 :in_outside_https_s5 - [0:0]
 :in_outside_irc_c10 - [0:0]
 :in_outside_ntp_s6 - [0:0]
 :in_outside_ssh_s7 - [0:0]
 :in_outside_webmin_s8 - [0:0]
 :out_internal - [0:0]
 :out_internal_ICMP_s1 - [0:0]
 :out_internal_all_c14 - [0:0]
 :out_internal_dns_s2 - [0:0]
 :out_internal_ftp_c16 - [0:0]
 :out_internal_ftp_s3 - [0:0]
 :out_internal_http_s10 - [0:0]
 :out_internal_https_s11 - [0:0]
 :out_internal_ident_s4 - [0:0]
 :out_internal_irc_c15 - [0:0]
 :out_internal_microsoft_ds_s5 - [0:0]
 :out_internal_mysql_s6 - [0:0]
 :out_internal_ntp_s12 - [0:0]
 :out_internal_samba_s7 - [0:0]
 :out_internal_ssh_s9 - [0:0]
 :out_internal_time_s8 - [0:0]
 :out_internal_webmin_s13 - [0:0]
 :out_loopback - [0:0]
 :out_outside - [0:0]
 :out_outside_ICMP_s1 - [0:0]
 :out_outside_all_c9 - [0:0]
 :out_outside_dns_s2 - [0:0]
 :out_outside_ftp_c11 - [0:0]
 :out_outside_ftp_s3 - [0:0]
 :out_outside_http_s4 - [0:0]
 :out_outside_https_s5 - [0:0]
 :out_outside_irc_c10 - [0:0]
 :out_outside_ntp_s6 - [0:0]
 :out_outside_ssh_s7 - [0:0]
 :out_outside_webmin_s8 - [0:0]
 -A INPUT -i lo -j ACCEPT
 -A INPUT -s 192.168.1.0/255.255.255.0 -d 192.168.1.10 -i eth0 -j in_internal
 -A INPUT -d 192.168.1.10 -i eth0 -j in_outside
 -A INPUT -s 127.0.0.0/255.0.0.0 -d 127.0.0.0/255.0.0.0 -i lo -j in_loopback
 -A INPUT -s 127.0.0.0/255.0.0.0 -d 192.168.1.10 -i lo -j in_loopback
 -A INPUT -m state --state RELATED -j ACCEPT
 -A INPUT -m limit --limit 1/sec -j LOG --log-prefix "IN-unknown:"
 -A INPUT -j DROP
 -A FORWARD -m state --state RELATED -j ACCEPT
 -A FORWARD -m limit --limit 1/sec -j LOG --log-prefix "PASS-unknown:"
 -A FORWARD -j DROP
 -A OUTPUT -o lo -j ACCEPT
 -A OUTPUT -s 192.168.1.10 -d 192.168.1.0/255.255.255.0 -o eth0 -j out_internal
 -A OUTPUT -s 192.168.1.10 -o eth0 -j out_outside
 -A OUTPUT -s 127.0.0.0/255.0.0.0 -d 127.0.0.0/255.0.0.0 -o lo -j out_loopback
 -A OUTPUT -s 192.168.1.10 -d 127.0.0.0/255.0.0.0 -o lo -j out_loopback
 -A OUTPUT -m state --state RELATED -j ACCEPT
 -A OUTPUT -m limit --limit 1/sec -j LOG --log-prefix "OUT-unknown:"
 -A OUTPUT -j DROP
 -A in_internal -j in_internal_ICMP_s1
 -A in_internal -j in_internal_dns_s2
 -A in_internal -j in_internal_ftp_s3
 -A in_internal -j in_internal_ident_s4
 -A in_internal -j in_internal_microsoft_ds_s5
 -A in_internal -j in_internal_mysql_s6
 -A in_internal -j in_internal_samba_s7
 -A in_internal -j in_internal_time_s8
 -A in_internal -j in_internal_ssh_s9
 -A in_internal -j in_internal_http_s10
 -A in_internal -j in_internal_https_s11
 -A in_internal -j in_internal_ntp_s12
 -A in_internal -j in_internal_webmin_s13
 -A in_internal -j in_internal_all_c14
 -A in_internal -j in_internal_irc_c15
 -A in_internal -j in_internal_ftp_c16
 -A in_internal -m state --state RELATED -j ACCEPT
 -A in_internal -m limit --limit 1/sec -j LOG --log-prefix "IN-internal:"
 -A in_internal -j DROP
 -A in_internal_ICMP_s1 -p icmp -m state --state NEW,ESTABLISHED -j ACCEPT
 -A in_internal_all_c14 -m state --state ESTABLISHED -j ACCEPT
 -A in_internal_dns_s2 -p udp -m udp --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT
 -A in_internal_dns_s2 -p tcp -m tcp --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT
 -A in_internal_ftp_c16 -p tcp -m tcp --sport 21 --dport 1024:4999 -m state --state ESTABLISHED -j ACCEPT
 -A in_internal_ftp_c16 -p tcp -m tcp --sport 20 --dport 1024:4999 -m state --state RELATED,ESTABLISHED -j ACCEPT
 -A in_internal_ftp_c16 -p tcp -m tcp --sport 1024:65535 --dport 1024:4999 -m state --state ESTABLISHED -j ACCEPT
 -A in_internal_ftp_s3 -p tcp -m tcp --sport 1024:65535 --dport 21 -m state --state NEW,ESTABLISHED -j ACCEPT
 -A in_internal_ftp_s3 -p tcp -m tcp --sport 1024:65535 --dport 20 -m state --state ESTABLISHED -j ACCEPT
 -A in_internal_ftp_s3 -p tcp -m tcp --sport 1024:65535 --dport 1024:4999 -m state --state RELATED,ESTABLISHED -j ACCEPT
 -A in_internal_http_s10 -p tcp -m tcp --sport 1024:65535 --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT
 -A in_internal_https_s11 -p tcp -m tcp --sport 1024:65535 --dport 443 -m state --state NEW,ESTABLISHED -j ACCEPT
 -A in_internal_ident_s4 -p tcp -m tcp --sport 1024:65535 --dport 113 -m state --state NEW,ESTABLISHED -j ACCEPT
 -A in_internal_irc_c15 -p tcp -m tcp --sport 6667 --dport 1024:4999 -m state --state ESTABLISHED -j ACCEPT
 -A in_internal_microsoft_ds_s5 -p tcp -m tcp --sport 1024:65535 --dport 445 -m state --state NEW,ESTABLISHED -j ACCEPT
 -A in_internal_mysql_s6 -p tcp -m tcp --sport 1024:65535 --dport 3306 -m state --state NEW,ESTABLISHED -j ACCEPT
 -A in_internal_ntp_s12 -p udp -m udp --sport 123 --dport 123 -m state --state NEW,ESTABLISHED -j ACCEPT
 -A in_internal_ntp_s12 -p udp -m udp --sport 1024:65535 --dport 123 -m state --state NEW,ESTABLISHED -j ACCEPT
 -A in_internal_ntp_s12 -p tcp -m tcp --sport 123 --dport 123 -m state --state NEW,ESTABLISHED -j ACCEPT
 -A in_internal_ntp_s12 -p tcp -m tcp --sport 1024:65535 --dport 123 -m state --state NEW,ESTABLISHED -j ACCEPT
 -A in_internal_samba_s7 -p udp -m udp --sport 137 --dport 137 -m state --state NEW,ESTABLISHED -j ACCEPT
 -A in_internal_samba_s7 -p udp -m udp --sport 1024:65535 --dport 137 -m state --state NEW,ESTABLISHED -j ACCEPT
 -A in_internal_samba_s7 -p udp -m udp --sport 138 --dport 138 -m state --state NEW,ESTABLISHED -j ACCEPT
 -A in_internal_samba_s7 -p udp -m udp --sport 1024:65535 --dport 138 -m state --state NEW,ESTABLISHED -j ACCEPT
 -A in_internal_samba_s7 -p tcp -m tcp --sport 1024:65535 --dport 139 -m state --state NEW,ESTABLISHED -j ACCEPT
 -A in_internal_samba_s7 -p tcp -m tcp --sport 1024:65535 --dport 445 -m state --state NEW,ESTABLISHED -j ACCEPT
 -A in_internal_ssh_s9 -p tcp -m tcp --sport 1024:65535 --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT
 -A in_internal_time_s8 -p tcp -m tcp --sport 1024:65535 --dport 37 -m state --state NEW,ESTABLISHED -j ACCEPT
 -A in_internal_time_s8 -p udp -m udp --sport 1024:65535 --dport 37 -m state --state NEW,ESTABLISHED -j ACCEPT
 -A in_internal_webmin_s13 -p tcp -m tcp --sport 1024:65535 --dport 10000 -m state --state NEW,ESTABLISHED -j ACCEPT
 -A in_loopback -m state --state RELATED -j ACCEPT
 -A in_loopback -j ACCEPT
 -A in_outside -s 0.0.0.0/254.0.0.0 -j RETURN
 -A in_outside -s 2.0.0.0/255.0.0.0 -j RETURN
 -A in_outside -s 5.0.0.0/255.0.0.0 -j RETURN
 -A in_outside -s 7.0.0.0/255.0.0.0 -j RETURN
 -A in_outside -s 23.0.0.0/255.0.0.0 -j RETURN
 -A in_outside -s 27.0.0.0/255.0.0.0 -j RETURN
 -A in_outside -s 31.0.0.0/255.0.0.0 -j RETURN
 -A in_outside -s 36.0.0.0/254.0.0.0 -j RETURN
 -A in_outside -s 39.0.0.0/255.0.0.0 -j RETURN
 -A in_outside -s 41.0.0.0/255.0.0.0 -j RETURN
 -A in_outside -s 42.0.0.0/255.0.0.0 -j RETURN
 -A in_outside -s 73.0.0.0/255.0.0.0 -j RETURN
 -A in_outside -s 74.0.0.0/254.0.0.0 -j RETURN
 -A in_outside -s 76.0.0.0/252.0.0.0 -j RETURN
 -A in_outside -s 89.0.0.0/255.0.0.0 -j RETURN
 -A in_outside -s 90.0.0.0/254.0.0.0 -j RETURN
 -A in_outside -s 92.0.0.0/252.0.0.0 -j RETURN
 -A in_outside -s 96.0.0.0/224.0.0.0 -j RETURN
 -A in_outside -s 173.0.0.0/255.0.0.0 -j RETURN
 -A in_outside -s 174.0.0.0/254.0.0.0 -j RETURN
 -A in_outside -s 176.0.0.0/248.0.0.0 -j RETURN
 -A in_outside -s 184.0.0.0/252.0.0.0 -j RETURN
 -A in_outside -s 189.0.0.0/255.0.0.0 -j RETURN
 -A in_outside -s 190.0.0.0/255.0.0.0 -j RETURN
 -A in_outside -s 197.0.0.0/255.0.0.0 -j RETURN
 -A in_outside -s 223.0.0.0/255.0.0.0 -j RETURN
 -A in_outside -s 240.0.0.0/240.0.0.0 -j RETURN
 -A in_outside -s 10.0.0.0/255.0.0.0 -j RETURN
 -A in_outside -s 169.254.0.0/255.255.0.0 -j RETURN
 -A in_outside -s 172.16.0.0/255.240.0.0 -j RETURN
 -A in_outside -s 192.0.2.0/255.255.255.0 -j RETURN
 -A in_outside -s 192.88.99.0/255.255.255.0 -j RETURN
 -A in_outside -s 192.168.0.0/255.255.0.0 -j RETURN
 -A in_outside -s 192.168.1.0/255.255.255.0 -j RETURN
 -A in_outside -j in_outside_ICMP_s1
 -A in_outside -j in_outside_dns_s2
 -A in_outside -j in_outside_ftp_s3
 -A in_outside -j in_outside_http_s4
 -A in_outside -j in_outside_https_s5
 -A in_outside -j in_outside_ntp_s6
 -A in_outside -j in_outside_ssh_s7
 -A in_outside -j in_outside_webmin_s8
 -A in_outside -j in_outside_all_c9
 -A in_outside -j in_outside_irc_c10
 -A in_outside -j in_outside_ftp_c11
 -A in_outside -m state --state RELATED -j ACCEPT
 -A in_outside -m limit --limit 1/sec -j LOG --log-prefix "IN-outside:"
 -A in_outside -j DROP
 -A in_outside_ICMP_s1 -p icmp -m state --state NEW,ESTABLISHED -j ACCEPT
 -A in_outside_all_c9 -m state --state ESTABLISHED -j ACCEPT
 -A in_outside_dns_s2 -p udp -m udp --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT
 -A in_outside_dns_s2 -p tcp -m tcp --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT
 -A in_outside_ftp_c11 -p tcp -m tcp --sport 21 --dport 1024:4999 -m state --state ESTABLISHED -j ACCEPT
 -A in_outside_ftp_c11 -p tcp -m tcp --sport 20 --dport 1024:4999 -m state --state RELATED,ESTABLISHED -j ACCEPT
 -A in_outside_ftp_c11 -p tcp -m tcp --sport 1024:65535 --dport 1024:4999 -m state --state ESTABLISHED -j ACCEPT
 -A in_outside_ftp_s3 -p tcp -m tcp --sport 1024:65535 --dport 21 -m state --state NEW,ESTABLISHED -j ACCEPT
 -A in_outside_ftp_s3 -p tcp -m tcp --sport 1024:65535 --dport 20 -m state --state ESTABLISHED -j ACCEPT
 -A in_outside_ftp_s3 -p tcp -m tcp --sport 1024:65535 --dport 1024:4999 -m state --state RELATED,ESTABLISHED -j ACCEPT
 -A in_outside_http_s4 -p tcp -m tcp --sport 1024:65535 --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT
 -A in_outside_https_s5 -p tcp -m tcp --sport 1024:65535 --dport 443 -m state --state NEW,ESTABLISHED -j ACCEPT
 -A in_outside_irc_c10 -p tcp -m tcp --sport 6667 --dport 1024:4999 -m state --state ESTABLISHED -j ACCEPT
 -A in_outside_ntp_s6 -p udp -m udp --sport 123 --dport 123 -m state --state NEW,ESTABLISHED -j ACCEPT
 -A in_outside_ntp_s6 -p udp -m udp --sport 1024:65535 --dport 123 -m state --state NEW,ESTABLISHED -j ACCEPT
 -A in_outside_ntp_s6 -p tcp -m tcp --sport 123 --dport 123 -m state --state NEW,ESTABLISHED -j ACCEPT
 -A in_outside_ntp_s6 -p tcp -m tcp --sport 1024:65535 --dport 123 -m state --state NEW,ESTABLISHED -j ACCEPT
 -A in_outside_ssh_s7 -p tcp -m tcp --sport 1024:65535 --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT
 -A in_outside_webmin_s8 -p tcp -m tcp --sport 1024:65535 --dport 10000 -m state --state NEW,ESTABLISHED -j ACCEPT
 -A out_internal -j out_internal_ICMP_s1
 -A out_internal -j out_internal_dns_s2
 -A out_internal -j out_internal_ftp_s3
 -A out_internal -j out_internal_ident_s4
 -A out_internal -j out_internal_microsoft_ds_s5
 -A out_internal -j out_internal_mysql_s6
 -A out_internal -j out_internal_samba_s7
 -A out_internal -j out_internal_time_s8
 -A out_internal -j out_internal_ssh_s9
 -A out_internal -j out_internal_http_s10
 -A out_internal -j out_internal_https_s11
 -A out_internal -j out_internal_ntp_s12
 -A out_internal -j out_internal_webmin_s13
 -A out_internal -j out_internal_all_c14
 -A out_internal -j out_internal_irc_c15
 -A out_internal -j out_internal_ftp_c16
 -A out_internal -m state --state RELATED -j ACCEPT
 -A out_internal -m limit --limit 1/sec -j LOG --log-prefix "OUT-internal:"
 -A out_internal -j DROP
 -A out_internal_ICMP_s1 -p icmp -m state --state ESTABLISHED -j ACCEPT
 -A out_internal_all_c14 -m state --state NEW,ESTABLISHED -j ACCEPT
 -A out_internal_dns_s2 -p udp -m udp --sport 53 -m state --state ESTABLISHED -j ACCEPT
 -A out_internal_dns_s2 -p tcp -m tcp --sport 53 -m state --state ESTABLISHED -j ACCEPT
 -A out_internal_ftp_c16 -p tcp -m tcp --sport 1024:4999 --dport 21 -m state --state NEW,ESTABLISHED -j ACCEPT
 -A out_internal_ftp_c16 -p tcp -m tcp --sport 1024:4999 --dport 20 -m state --state ESTABLISHED -j ACCEPT
 -A out_internal_ftp_c16 -p tcp -m tcp --sport 1024:4999 --dport 1024:65535 -m state --state RELATED,ESTABLISHED -j ACCEPT
 -A out_internal_ftp_s3 -p tcp -m tcp --sport 21 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
 -A out_internal_ftp_s3 -p tcp -m tcp --sport 20 --dport 1024:65535 -m state --state RELATED,ESTABLISHED -j ACCEPT
 -A out_internal_ftp_s3 -p tcp -m tcp --sport 1024:4999 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
 -A out_internal_http_s10 -p tcp -m tcp --sport 80 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
 -A out_internal_https_s11 -p tcp -m tcp --sport 443 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
 -A out_internal_ident_s4 -p tcp -m tcp --sport 113 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
 -A out_internal_irc_c15 -p tcp -m tcp --sport 1024:4999 --dport 6667 -m state --state NEW,ESTABLISHED -j ACCEPT
 -A out_internal_microsoft_ds_s5 -p tcp -m tcp --sport 445 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
 -A out_internal_mysql_s6 -p tcp -m tcp --sport 3306 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
 -A out_internal_ntp_s12 -p udp -m udp --sport 123 --dport 123 -m state --state ESTABLISHED -j ACCEPT
 -A out_internal_ntp_s12 -p udp -m udp --sport 123 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
 -A out_internal_ntp_s12 -p tcp -m tcp --sport 123 --dport 123 -m state --state ESTABLISHED -j ACCEPT
 -A out_internal_ntp_s12 -p tcp -m tcp --sport 123 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
 -A out_internal_samba_s7 -p udp -m udp --sport 137 --dport 137 -m state --state NEW,ESTABLISHED -j ACCEPT
 -A out_internal_samba_s7 -p udp -m udp --sport 137 --dport 1024:65535 -m state --state NEW,ESTABLISHED -j ACCEPT
 -A out_internal_samba_s7 -p udp -m udp --sport 138 --dport 138 -m state --state ESTABLISHED -j ACCEPT
 -A out_internal_samba_s7 -p udp -m udp --sport 138 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
 -A out_internal_samba_s7 -p tcp -m tcp --sport 139 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
 -A out_internal_samba_s7 -p tcp -m tcp --sport 445 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
 -A out_internal_ssh_s9 -p tcp -m tcp --sport 22 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
 -A out_internal_time_s8 -p tcp -m tcp --sport 37 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
 -A out_internal_time_s8 -p udp -m udp --sport 37 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
 -A out_internal_webmin_s13 -p tcp -m tcp --sport 10000 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
 -A out_loopback -m state --state RELATED -j ACCEPT
 -A out_loopback -j ACCEPT
 -A out_outside -d 0.0.0.0/254.0.0.0 -j RETURN
 -A out_outside -d 2.0.0.0/255.0.0.0 -j RETURN
 -A out_outside -d 5.0.0.0/255.0.0.0 -j RETURN
 -A out_outside -d 7.0.0.0/255.0.0.0 -j RETURN
 -A out_outside -d 23.0.0.0/255.0.0.0 -j RETURN
 -A out_outside -d 27.0.0.0/255.0.0.0 -j RETURN
 -A out_outside -d 31.0.0.0/255.0.0.0 -j RETURN
 -A out_outside -d 36.0.0.0/254.0.0.0 -j RETURN
 -A out_outside -d 39.0.0.0/255.0.0.0 -j RETURN
 -A out_outside -d 41.0.0.0/255.0.0.0 -j RETURN
 -A out_outside -d 42.0.0.0/255.0.0.0 -j RETURN
 -A out_outside -d 73.0.0.0/255.0.0.0 -j RETURN
 -A out_outside -d 74.0.0.0/254.0.0.0 -j RETURN
 -A out_outside -d 76.0.0.0/252.0.0.0 -j RETURN
 -A out_outside -d 89.0.0.0/255.0.0.0 -j RETURN
 -A out_outside -d 90.0.0.0/254.0.0.0 -j RETURN
 -A out_outside -d 92.0.0.0/252.0.0.0 -j RETURN
 -A out_outside -d 96.0.0.0/224.0.0.0 -j RETURN
 -A out_outside -d 173.0.0.0/255.0.0.0 -j RETURN
 -A out_outside -d 174.0.0.0/254.0.0.0 -j RETURN
 -A out_outside -d 176.0.0.0/248.0.0.0 -j RETURN
 -A out_outside -d 184.0.0.0/252.0.0.0 -j RETURN
 -A out_outside -d 189.0.0.0/255.0.0.0 -j RETURN
 -A out_outside -d 190.0.0.0/255.0.0.0 -j RETURN
 -A out_outside -d 197.0.0.0/255.0.0.0 -j RETURN
 -A out_outside -d 223.0.0.0/255.0.0.0 -j RETURN
 -A out_outside -d 240.0.0.0/240.0.0.0 -j RETURN
 -A out_outside -d 10.0.0.0/255.0.0.0 -j RETURN
 -A out_outside -d 169.254.0.0/255.255.0.0 -j RETURN
 -A out_outside -d 172.16.0.0/255.240.0.0 -j RETURN
 -A out_outside -d 192.0.2.0/255.255.255.0 -j RETURN
 -A out_outside -d 192.88.99.0/255.255.255.0 -j RETURN
 -A out_outside -d 192.168.0.0/255.255.0.0 -j RETURN
 -A out_outside -d 192.168.1.0/255.255.255.0 -j RETURN
 -A out_outside -j out_outside_ICMP_s1
 -A out_outside -j out_outside_dns_s2
 -A out_outside -j out_outside_ftp_s3
 -A out_outside -j out_outside_http_s4
 -A out_outside -j out_outside_https_s5
 -A out_outside -j out_outside_ntp_s6
 -A out_outside -j out_outside_ssh_s7
 -A out_outside -j out_outside_webmin_s8
 -A out_outside -j out_outside_all_c9
 -A out_outside -j out_outside_irc_c10
 -A out_outside -j out_outside_ftp_c11
 -A out_outside -m state --state RELATED -j ACCEPT
 -A out_outside -m limit --limit 1/sec -j LOG --log-prefix "OUT-outside:"
 -A out_outside -j DROP
 -A out_outside_ICMP_s1 -p icmp -m state --state ESTABLISHED -j ACCEPT
 -A out_outside_all_c9 -m state --state NEW,ESTABLISHED -j ACCEPT
 -A out_outside_dns_s2 -p udp -m udp --sport 53 -m state --state ESTABLISHED -j ACCEPT
 -A out_outside_dns_s2 -p tcp -m tcp --sport 53 -m state --state ESTABLISHED -j ACCEPT
 -A out_outside_ftp_c11 -p tcp -m tcp --sport 1024:4999 --dport 21 -m state --state NEW,ESTABLISHED -j ACCEPT
 -A out_outside_ftp_c11 -p tcp -m tcp --sport 1024:4999 --dport 20 -m state --state ESTABLISHED -j ACCEPT
 -A out_outside_ftp_c11 -p tcp -m tcp --sport 1024:4999 --dport 1024:65535 -m state --state RELATED,ESTABLISHED -j ACCEPT
 -A out_outside_ftp_s3 -p tcp -m tcp --sport 21 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
 -A out_outside_ftp_s3 -p tcp -m tcp --sport 20 --dport 1024:65535 -m state --state RELATED,ESTABLISHED -j ACCEPT
 -A out_outside_ftp_s3 -p tcp -m tcp --sport 1024:4999 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
 -A out_outside_http_s4 -p tcp -m tcp --sport 80 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
 -A out_outside_https_s5 -p tcp -m tcp --sport 443 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
 -A out_outside_irc_c10 -p tcp -m tcp --sport 1024:4999 --dport 6667 -m state --state NEW,ESTABLISHED -j ACCEPT
 -A out_outside_ntp_s6 -p udp -m udp --sport 123 --dport 123 -m state --state ESTABLISHED -j ACCEPT
 -A out_outside_ntp_s6 -p udp -m udp --sport 123 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
 -A out_outside_ntp_s6 -p tcp -m tcp --sport 123 --dport 123 -m state --state ESTABLISHED -j ACCEPT
 -A out_outside_ntp_s6 -p tcp -m tcp --sport 123 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
 -A out_outside_ssh_s7 -p tcp -m tcp --sport 22 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
 -A out_outside_webmin_s8 -p tcp -m tcp --sport 10000 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
 COMMIT
 # Completed on Wed Dec  7 14:49:09 2005