11.1. Config /etc/rc.d/init.d/firewall script file -Web Server

Errata:

Important

As i was giving the final look over on this book, Gerhard Mourani has released an errata for all firewall scripts and it is available here http://www.openna.com/books/errata.htm

This is the configuration script file for our Web Server. This configuration allows unlimited traffic on the Loopback interface, ICMP, DNS Caching and Client Server (53), SSH Server (22), HTTP Server (80), HTTPS Server (443), SMTP Client (25), FTP Server (20, 21), and OUTGOING TRACEROUTE requests by default.

If you don't want some services listed in the firewall rules files for the Web Server that I make ON by default, comment them out with a "#" at the beginning of the line. If you want some other services that I commented out with a "#", then remove the "#" at the beginning of those lines. Create the firewall script file, touch /etc/rc.d/init.d/firewall on your Web Server and add:


          #!/bin/sh
          #
          # ----------------------------------------------------------------------------
          # Last modified by Gerhard Mourani:  04-25-2000
          # ----------------------------------------------------------------------------
          # Copyright (C) 1997, 1998, 1999  Robert L. Ziegler
          #
          # Permission to use, copy, modify, and distribute this software and its
          # documentation for educational, research, private and non-profit purposes,
          # without fee, and without a written agreement is hereby granted. 
          # This software is provided as an example and basis for individual firewall
          # development.  This software is provided without warranty.
          #
          # Any material furnished by Robert L. Ziegler is furnished on an 
          # "as is" basis.  He makes no warranties of any kind, either expressed 
          # or implied as to any matter including, but not limited to, warranty 
          # of fitness for a particular purpose, exclusivity or results obtained
          # from use of the material.
          # ----------------------------------------------------------------------------
          #
          # Invoked from /etc/rc.d/init.d/firewall.
          # chkconfig: - 60 95
          # description: Starts and stops the IPCHAINS Firewall \
          #              used to provide Firewall network services.

          # Source function library.
          . /etc/rc.d/init.d/functions

          # Source networking configuration.
          . /etc/sysconfig/network

          # Check that networking is up.
          if [ ${NETWORKING} = "no" ]
          then
          exit 0
          fi

          if [ ! -x /sbin/ipchains ]; then
          exit 0
          fi

          # See how we were called.
          case "$1" in
          start)
          echo -n "Starting Firewalling Services: "

          # Some definitions for easy maintenance.

          # ----------------------------------------------------------------------------
          #  EDIT THESE TO SUIT YOUR SYSTEM AND ISP.

          EXTERNAL_INTERFACE="eth0"               	# Internet connected interface
          LOOPBACK_INTERFACE="lo"			# Your local naming convention
          IPADDR="my.ip.address"			# Your IP address
          ANYWHERE="any/0"				# Match any IP address
          NAMESERVER_1="my.name.server.1"		# Everyone must have at least one
          NAMESERVER_2="my.name.server.2"		# Your secondary name server
          MY_ISP="my.isp.address.range/24"       	# ISP & NOC address range

          SMTP_SERVER="my.smtp.server" 			# Your Mail Hub Server.
          SYSLOG_SERVER="syslog.internal.server"  	# Your syslog internal server
          SYSLOG_CLIENT="sys.int.client.range/24" 	# Your syslog internal client range

          LOOPBACK="127.0.0.0/8"			# Reserved loopback address range
          CLASS_A="10.0.0.0/8"				# Class A private networks
          CLASS_B="172.16.0.0/12"			# Class B private networks
          CLASS_C="192.168.0.0/16"			# Class C private networks
          CLASS_D_MULTICAST="224.0.0.0/4"		# Class D multicast addresses
          CLASS_E_RESERVED_NET="240.0.0.0/5"	        # Class E reserved addresses
          BROADCAST_SRC="0.0.0.0"			# Broadcast source address
          BROADCAST_DEST="255.255.255.255"		# Broadcast destination address
          PRIVPORTS="0:1023"				# Well known, privileged port range
          UNPRIVPORTS="1024:65535"			# Unprivileged port range

          # ----------------------------------------------------------------------------

          # SSH starts at 1023 and works down to 513 for
          # each additional simultaneous incoming connection.
          SSH_PORTS="1022:1023"                   		# range for SSH privileged ports

          # traceroute usually uses -S 32769:65535 -D 33434:33523
          TRACEROUTE_SRC_PORTS="32769:65535"
          TRACEROUTE_DEST_PORTS="33434:33523"

          # ----------------------------------------------------------------------------
          # Default policy is DENY
          # Explicitly accept desired INCOMING & OUTGOING connections

          # Remove all existing rules belonging to this filter
          ipchains -F

          # Clearing all current rules and user defined chains
          ipchains -X

          # Set the default policy of the filter to deny.
          # Don't even bother sending an error message back.
          ipchains -P input   DENY
          ipchains -P output  DENY
          ipchains -P forward DENY

          # ----------------------------------------------------------------------------
          # LOOPBACK

          # Unlimited traffic on the loopback interface.
          ipchains -A input  -i $LOOPBACK_INTERFACE -j ACCEPT 
          ipchains -A output -i $LOOPBACK_INTERFACE -j ACCEPT 

          # ----------------------------------------------------------------------------
          # Network Ghouls
          # Deny access to jerks

          # /etc/rc.d/rc.firewall.blocked contains a list of
          # ipchains -A input  -i $EXTERNAL_INTERFACE -s address -j DENY
          # rules to block from any access.

          # Refuse any connection from problem sites
          #if [ -f /etc/rc.d/rc.firewall.blocked ]; then
          #    . /etc/rc.d/rc.firewall.blocked
          #fi

          # ----------------------------------------------------------------------------
          # SPOOFING & BAD ADDRESSES
          # Refuse spoofed packets.
          # Ignore blatantly illegal source addresses.
          # Protect yourself from sending to bad addresses.

          # Refuse spoofed packets pretending to be from the external address.
          ipchains -A input  -i $EXTERNAL_INTERFACE -s $IPADDR -j DENY -l

          # Refuse packets claiming to be to or from a Class A private network
          ipchains -A input  -i $EXTERNAL_INTERFACE -s $CLASS_A -j DENY -l
          ipchains -A input  -i $EXTERNAL_INTERFACE -d $CLASS_A -j DENY -l
          ipchains -A output -i $EXTERNAL_INTERFACE -s $CLASS_A -j REJECT -l
          ipchains -A output -i $EXTERNAL_INTERFACE -d $CLASS_A -j REJECT -l

          # Refuse packets claiming to be to or from a Class B private network
          ipchains -A input  -i $EXTERNAL_INTERFACE -s $CLASS_B -j DENY -l
          ipchains -A input  -i $EXTERNAL_INTERFACE -d $CLASS_B -j DENY -l
          ipchains -A output -i $EXTERNAL_INTERFACE -s $CLASS_B -j REJECT -l
          ipchains -A output -i $EXTERNAL_INTERFACE -d $CLASS_B -j REJECT -l

          # Refuse packets claiming to be to or from a Class C private network
          #    ipchains -A input  -i $EXTERNAL_INTERFACE -s $CLASS_C -j DENY -l
          #    ipchains -A input  -i $EXTERNAL_INTERFACE -d $CLASS_C -j DENY -l
          #    ipchains -A output -i $EXTERNAL_INTERFACE -s $CLASS_C -j REJECT -l
          #    ipchains -A output -i $EXTERNAL_INTERFACE -d $CLASS_C -j REJECT -l

          # Refuse packets claiming to be from the loopback interface
          ipchains -A input  -i $EXTERNAL_INTERFACE -s $LOOPBACK -j DENY -l
          ipchains -A output -i $EXTERNAL_INTERFACE -s $LOOPBACK -j REJECT -l

          # Refuse broadcast address SOURCE packets
          ipchains -A input  -i $EXTERNAL_INTERFACE -s $BROADCAST_DEST -j DENY -l
          ipchains -A input  -i $EXTERNAL_INTERFACE -d $BROADCAST_SRC -j DENY -l

          # Refuse Class D multicast addresses (in.h) (NET-3-HOWTO)
          # Multicast is illegal as a source address.
          # Multicast uses UDP.
          ipchains -A input  -i $EXTERNAL_INTERFACE -s $CLASS_D_MULTICAST -j DENY -l

          # Refuse Class E reserved IP  addresses
          ipchains -A input  -i $EXTERNAL_INTERFACE -s $CLASS_E_RESERVED_NET -j DENY -l

          # refuse addresses defined as reserved by the IANA
          # 0.*.*.*, 1.*.*.*, 2.*.*.*, 5.*.*.*, 7.*.*.*, 23.*.*.*, 27.*.*.*
          # 31.*.*.*, 37.*.*.*, 39.*.*.*, 41.*.*.*, 42.*.*.*, 58-60.*.*.*
          # 65-95.*.*.*, 96-126.*.*.*, 197.*.*.*, 201.*.*.* (?), 217-223.*.*.*
          ipchains -A input  -i $EXTERNAL_INTERFACE -s 1.0.0.0/8  -j DENY -l
          ipchains -A input  -i $EXTERNAL_INTERFACE -s 2.0.0.0/8  -j DENY -l
          ipchains -A input  -i $EXTERNAL_INTERFACE -s 5.0.0.0/8  -j DENY -l
          ipchains -A input  -i $EXTERNAL_INTERFACE -s 7.0.0.0/8  -j DENY -l
          ipchains -A input  -i $EXTERNAL_INTERFACE -s 23.0.0.0/8 -j DENY -l
          ipchains -A input  -i $EXTERNAL_INTERFACE -s 27.0.0.0/8 -j DENY -l
          ipchains -A input  -i $EXTERNAL_INTERFACE -s 31.0.0.0/8 -j DENY -l
          ipchains -A input  -i $EXTERNAL_INTERFACE -s 37.0.0.0/8 -j DENY -l
          ipchains -A input  -i $EXTERNAL_INTERFACE -s 39.0.0.0/8 -j DENY -l
          ipchains -A input  -i $EXTERNAL_INTERFACE -s 41.0.0.0/8 -j DENY -l
          ipchains -A input  -i $EXTERNAL_INTERFACE -s 42.0.0.0/8 -j DENY -l
          ipchains -A input  -i $EXTERNAL_INTERFACE -s 58.0.0.0/7 -j DENY -l
          ipchains -A input  -i $EXTERNAL_INTERFACE -s 60.0.0.0/8 -j DENY -l

          #65: 01000001    - /3 includes 64 - need 65-79 spelled out
          ipchains -A input  -i $EXTERNAL_INTERFACE -s 65.0.0.0/8 -j DENY -l
          ipchains -A input  -i $EXTERNAL_INTERFACE -s 66.0.0.0/8 -j DENY -l
          ipchains -A input  -i $EXTERNAL_INTERFACE -s 67.0.0.0/8 -j DENY -l
          ipchains -A input  -i $EXTERNAL_INTERFACE -s 68.0.0.0/8 -j DENY -l
          ipchains -A input  -i $EXTERNAL_INTERFACE -s 69.0.0.0/8 -j DENY -l
          ipchains -A input  -i $EXTERNAL_INTERFACE -s 70.0.0.0/8 -j DENY -l
          ipchains -A input  -i $EXTERNAL_INTERFACE -s 71.0.0.0/8 -j DENY -l
          ipchains -A input  -i $EXTERNAL_INTERFACE -s 72.0.0.0/8 -j DENY -l
          ipchains -A input  -i $EXTERNAL_INTERFACE -s 73.0.0.0/8 -j DENY -l
          ipchains -A input  -i $EXTERNAL_INTERFACE -s 74.0.0.0/8 -j DENY -l
          ipchains -A input  -i $EXTERNAL_INTERFACE -s 75.0.0.0/8 -j DENY -l
          ipchains -A input  -i $EXTERNAL_INTERFACE -s 76.0.0.0/8 -j DENY -l
          ipchains -A input  -i $EXTERNAL_INTERFACE -s 77.0.0.0/8 -j DENY -l
          ipchains -A input  -i $EXTERNAL_INTERFACE -s 78.0.0.0/8 -j DENY -l
          ipchains -A input  -i $EXTERNAL_INTERFACE -s 79.0.0.0/8 -j DENY -l

          #80: 01010000   - /4 masks 80-95
          ipchains -A input  -i $EXTERNAL_INTERFACE -s 80.0.0.0/4 -j DENY -l

          # 96: 01100000    - /4 makses 96-111
          ipchains -A input  -i $EXTERNAL_INTERFACE -s 96.0.0.0/4 -j DENY -l

          #126: 01111110    - /3 includes 127 - need 112-126 spelled out
          ipchains -A input  -i $EXTERNAL_INTERFACE -s 112.0.0.0/8 -j DENY -l
          ipchains -A input  -i $EXTERNAL_INTERFACE -s 113.0.0.0/8 -j DENY -l
          ipchains -A input  -i $EXTERNAL_INTERFACE -s 114.0.0.0/8 -j DENY -l
          ipchains -A input  -i $EXTERNAL_INTERFACE -s 115.0.0.0/8 -j DENY -l
          ipchains -A input  -i $EXTERNAL_INTERFACE -s 116.0.0.0/8 -j DENY -l
          ipchains -A input  -i $EXTERNAL_INTERFACE -s 117.0.0.0/8 -j DENY -l
          ipchains -A input  -i $EXTERNAL_INTERFACE -s 118.0.0.0/8 -j DENY -l
          ipchains -A input  -i $EXTERNAL_INTERFACE -s 119.0.0.0/8 -j DENY -l
          ipchains -A input  -i $EXTERNAL_INTERFACE -s 120.0.0.0/8 -j DENY -l
          ipchains -A input  -i $EXTERNAL_INTERFACE -s 121.0.0.0/8 -j DENY -l
          ipchains -A input  -i $EXTERNAL_INTERFACE -s 122.0.0.0/8 -j DENY -l
          ipchains -A input  -i $EXTERNAL_INTERFACE -s 123.0.0.0/8 -j DENY -l
          ipchains -A input  -i $EXTERNAL_INTERFACE -s 124.0.0.0/8 -j DENY -l
          ipchains -A input  -i $EXTERNAL_INTERFACE -s 125.0.0.0/8 -j DENY -l
          ipchains -A input  -i $EXTERNAL_INTERFACE -s 126.0.0.0/8 -j DENY -l

          #217: 11011001    - /5 includes 216 - need 217-219 spelled out
          ipchains -A input  -i $EXTERNAL_INTERFACE -s 217.0.0.0/8 -j DENY -l
          ipchains -A input  -i $EXTERNAL_INTERFACE -s 218.0.0.0/8 -j DENY -l
          ipchains -A input  -i $EXTERNAL_INTERFACE -s 219.0.0.0/8 -j DENY -l

          #223: 11011111    - /6 masks 220-223
          ipchains -A input  -i $EXTERNAL_INTERFACE -s 220.0.0.0/6 -j DENY -l

          # ----------------------------------------------------------------------------
          # ICMP

          #    To prevent denial of service attacks based on ICMP bombs, filter
          #    incoming Redirect (5) and outgoing Destination Unreachable (3).
          #    Note, however, disabling Destination Unreachable (3) is not
          #    advisable, as it is used to negotiate packet fragment size.

          # For bi-directional ping.
          #     Message Types:  Echo_Reply (0),  Echo_Request (8)
          #     To prevent attacks, limit the src addresses to your ISP range.
          # 
          # For outgoing traceroute.
          #     Message Types:  INCOMING Dest_Unreachable (3), Time_Exceeded (11)
          #     default UDP base: 33434 to base+nhops-1
          # 
          # For incoming traceroute.
          #     Message Types:  OUTGOING Dest_Unreachable (3), Time_Exceeded (11)
          #     To block this, deny OUTGOING 3 and 11

          #  0: echo-reply (pong)
          #  3: destination-unreachable, port-unreachable, fragmentation-needed, etc.
          #  4: source-quench
          #  5: redirect
          #  8: echo-request (ping)
          # 11: time-exceeded
          # 12: parameter-problem

          ipchains -A input  -i $EXTERNAL_INTERFACE -p icmp \
          -s $ANYWHERE 0 -d $IPADDR -j ACCEPT 
          ipchains -A input  -i $EXTERNAL_INTERFACE -p icmp \
          -s $ANYWHERE 3 -d $IPADDR -j ACCEPT 
          ipchains -A input  -i $EXTERNAL_INTERFACE -p icmp \
          -s $ANYWHERE 4 -d $IPADDR -j ACCEPT 
          ipchains -A input  -i $EXTERNAL_INTERFACE -p icmp \
          -s $ANYWHERE 11 -d $IPADDR -j ACCEPT 
          ipchains -A input  -i $EXTERNAL_INTERFACE -p icmp \
          -s $ANYWHERE 12 -d $IPADDR -j ACCEPT 
          ipchains -A input  -i $EXTERNAL_INTERFACE -p icmp \
          -s $MY_ISP 8 -d $IPADDR -j ACCEPT 

          ipchains -A output -i $EXTERNAL_INTERFACE -p icmp \
          -s $IPADDR 0 -d $MY_ISP -j ACCEPT 
          ipchains -A output -i $EXTERNAL_INTERFACE -p icmp \
          -s $IPADDR 3 -d $MY_ISP -j ACCEPT 
          ipchains -A output -i $EXTERNAL_INTERFACE -p icmp \
          -s $IPADDR 4 -d $ANYWHERE -j ACCEPT 
          ipchains -A output -i $EXTERNAL_INTERFACE -p icmp \
          -s $IPADDR 8 -d $ANYWHERE -j ACCEPT 
          ipchains -A output -i $EXTERNAL_INTERFACE -p icmp \
          -s $IPADDR 12 -d $ANYWHERE -j ACCEPT 
          ipchains -A output -i $EXTERNAL_INTERFACE -p icmp \
          -s $IPADDR 11 -d $MY_ISP -j ACCEPT 

          # ----------------------------------------------------------------------------
          # UDP INCOMING TRACEROUTE
          # traceroute usually uses -S 32769:65535 -D 33434:33523

          ipchains -A input  -i $EXTERNAL_INTERFACE -p udp \
          -s $MY_ISP $TRACEROUTE_SRC_PORTS \
          -d $IPADDR $TRACEROUTE_DEST_PORTS -j ACCEPT -l

          ipchains -A input  -i $EXTERNAL_INTERFACE -p udp \
          -s $ANYWHERE $TRACEROUTE_SRC_PORTS \
          -d $IPADDR $TRACEROUTE_DEST_PORTS -j DENY -l

          # ----------------------------------------------------------------------------
          # DNS forwarding, caching only nameserver (53)
          # --------------------------------------------

          # server to server query or response
          # Caching only name server only requires UDP, not TCP

          ipchains -A input  -i $EXTERNAL_INTERFACE -p udp \
          -s $NAMESERVER_1 53 \
          -d $IPADDR 53 -j ACCEPT 

          ipchains -A output -i $EXTERNAL_INTERFACE -p udp \
          -s $IPADDR 53 \
          -d $NAMESERVER_1 53 -j ACCEPT 

          ipchains -A input  -i $EXTERNAL_INTERFACE -p udp \
          -s $NAMESERVER_2 53 \
          -d $IPADDR 53 -j ACCEPT 

          ipchains -A output -i $EXTERNAL_INTERFACE -p udp \
          -s $IPADDR 53 \
          -d $NAMESERVER_2 53 -j ACCEPT 

          # DNS client (53)
          # ---------------
          ipchains -A input  -i $EXTERNAL_INTERFACE -p udp \
          -s $NAMESERVER_1 53 \
          -d $IPADDR $UNPRIVPORTS -j ACCEPT 

          ipchains -A output -i $EXTERNAL_INTERFACE -p udp \
          -s $IPADDR $UNPRIVPORTS \
          -d $NAMESERVER_1 53 -j ACCEPT 

          ipchains -A input  -i $EXTERNAL_INTERFACE -p udp \
          -s $NAMESERVER_2 53 \
          -d $IPADDR $UNPRIVPORTS -j ACCEPT

          ipchains -A output -i $EXTERNAL_INTERFACE -p udp \
          -s $IPADDR $UNPRIVPORTS \
          -d $NAMESERVER_2 53 -j ACCEPT

          # TCP client to server requests are allowed by the protocol 
          # if UDP requests fail. This is rarely seen. Usually, clients
          # use TCP as a secondary nameserver for zone transfers from
          # their primary nameservers, and as hackers.

          ipchains -A input  -i $EXTERNAL_INTERFACE -p tcp ! -y \
          -s $NAMESERVER_1 53 \
          -d $IPADDR $UNPRIVPORTS -j ACCEPT 

          ipchains -A output -i $EXTERNAL_INTERFACE -p tcp \
          -s $IPADDR $UNPRIVPORTS \
          -d $NAMESERVER_1 53 -j ACCEPT 

          ipchains -A input  -i $EXTERNAL_INTERFACE -p tcp ! -y \
          -s $NAMESERVER_2 53 \
          -d $IPADDR $UNPRIVPORTS -j ACCEPT 

          ipchains -A output -i $EXTERNAL_INTERFACE -p tcp \
          -s $IPADDR $UNPRIVPORTS \
          -d $NAMESERVER_2 53 -j ACCEPT 

          # ----------------------------------------------------------------------------
          # TCP accept only on selected ports
          # ---------------------------------
          # ------------------------------------------------------------------

          # SSH server (22)
          # ---------------

          ipchains -A input  -i $EXTERNAL_INTERFACE -p tcp \
          -s $ANYWHERE $UNPRIVPORTS \
          -d $IPADDR 22 -j ACCEPT 

          ipchains -A output -i $EXTERNAL_INTERFACE -p tcp ! -y \
          -s $IPADDR 22 \
          -d $ANYWHERE $UNPRIVPORTS -j ACCEPT 

          ipchains -A input  -i $EXTERNAL_INTERFACE -p tcp \
          -s $ANYWHERE $SSH_PORTS \
          -d $IPADDR 22 -j ACCEPT 

          ipchains -A output -i $EXTERNAL_INTERFACE -p tcp ! -y \
          -s $IPADDR 22 \
          -d $ANYWHERE $SSH_PORTS -j ACCEPT 


          # ------------------------------------------------------------------

          # HTTP server (80)
          # ----------------

          ipchains -A input  -i $EXTERNAL_INTERFACE -p tcp \
          -s $ANYWHERE $UNPRIVPORTS \
          -d $IPADDR 80 -j ACCEPT 

          ipchains -A output -i $EXTERNAL_INTERFACE -p tcp ! -y \
          -s $IPADDR 80 \
          -d $ANYWHERE $UNPRIVPORTS -j ACCEPT 

          # ------------------------------------------------------------------

          # HTTPS server (443)
          # ------------------

          ipchains -A input  -i $EXTERNAL_INTERFACE -p tcp \
          -s $ANYWHERE $UNPRIVPORTS \
          -d $IPADDR 443 -j ACCEPT 

          ipchains -A output -i $EXTERNAL_INTERFACE -p tcp ! -y \
          -s $IPADDR 443 \
          -d $ANYWHERE $UNPRIVPORTS -j ACCEPT 

          # ------------------------------------------------------------------

          # SYSLOG server (514)
          # -----------------

          # Provides full remote logging. Using  this feature you're able to
          # control all syslog messages on one host.

          #    ipchains -A input  -i $EXTERNAL_INTERFACE -p udp \
          #             -s $SYSLOG_CLIENT \
          #             -d $IPADDR 514 -j ACCEPT

          # SYSLOG client (514)
          # -----------------

          #    ipchains -A output -i $EXTERNAL_INTERFACE -p udp \
          #             -s $IPADDR 514 \
          #             -d $SYSLOG_SERVER 514 -j ACCEPT

          # ------------------------------------------------------------------

          # AUTH server (113)
          # -----------------

          # Reject, rather than deny, the incoming auth port. (NET-3-HOWTO)

          ipchains -A input  -i $EXTERNAL_INTERFACE -p tcp \
          -s $ANYWHERE \
          -d $IPADDR 113 -j REJECT 

          # ------------------------------------------------------------------

          # SMTP client (25)
          # ----------------
          ipchains -A input  -i $EXTERNAL_INTERFACE -p tcp ! -y \
          -s $SMTP_SERVER 25 \
          -d $IPADDR $UNPRIVPORTS -j ACCEPT 

          ipchains -A output -i $EXTERNAL_INTERFACE -p tcp \
          -s $IPADDR $UNPRIVPORTS \
          -d $SMTP_SERVER 25 -j ACCEPT 

          # ------------------------------------------------------------------

          # FTP server (20, 21)
          # -------------------

          # incoming request

          ipchains -A input  -i $EXTERNAL_INTERFACE -p tcp \
          -s $ANYWHERE $UNPRIVPORTS \
          -d $IPADDR 21 -j ACCEPT 

          ipchains -A output -i $EXTERNAL_INTERFACE -p tcp ! -y \
          -s $IPADDR 21 \
          -d $ANYWHERE $UNPRIVPORTS -j ACCEPT 

          # PORT MODE data channel responses
          # 
          ipchains -A input  -i $EXTERNAL_INTERFACE -p tcp ! -y \
          -s $ANYWHERE $UNPRIVPORTS \
          -d $IPADDR 20 -j ACCEPT 

          ipchains -A output -i $EXTERNAL_INTERFACE -p tcp \
          -s $IPADDR 20 \
          -d $ANYWHERE $UNPRIVPORTS -j ACCEPT 

          # PASSIVE MODE data channel responses

          ipchains -A input  -i $EXTERNAL_INTERFACE -p tcp \
          -s $ANYWHERE $UNPRIVPORTS \
          -d $IPADDR $UNPRIVPORTS -j ACCEPT 

          ipchains -A output -i $EXTERNAL_INTERFACE -p tcp ! -y \
          -s $IPADDR $UNPRIVPORTS \
          -d $ANYWHERE $UNPRIVPORTS -j ACCEPT 

          # ------------------------------------------------------------------
          # OUTGOING TRACEROUTE
          # -------------------
          ipchains -A output -i $EXTERNAL_INTERFACE -p udp \
          -s $IPADDR $TRACEROUTE_SRC_PORTS \
          -d $ANYWHERE $TRACEROUTE_DEST_PORTS -j ACCEPT 

          # ----------------------------------------------------------------------------
          # Enable logging for selected denied packets

          ipchains -A input  -i $EXTERNAL_INTERFACE -p tcp \
          -d $IPADDR -j DENY -l

          ipchains -A input  -i $EXTERNAL_INTERFACE -p udp \
          -d $IPADDR $PRIVPORTS -j DENY -l

          ipchains -A input  -i $EXTERNAL_INTERFACE -p udp \
          -d $IPADDR $UNPRIVPORTS -j DENY -l

          ipchains -A input  -i $EXTERNAL_INTERFACE -p icmp \
          -s $ANYWHERE 5 -d $IPADDR -j DENY -l

          ipchains -A input  -i $EXTERNAL_INTERFACE -p icmp \
          -s $ANYWHERE 13:255 -d $IPADDR -j DENY -l

          # ----------------------------------------------------------------------------

          ;;
          stop)
          echo -n "Shutting Firewalling Services: "

          # Remove all existing rules belonging to this filter
          ipchains -F

          # Delete all user-defined chain to this filter
          ipchains -X

          # Reset the default policy of the filter to accept.
          ipchains -P input  ACCEPT
          ipchains -P output ACCEPT
          ipchains -P forward ACCEPT

          ;;
          status)
          status firewall
          ;;
          restart|reload)
          $0 stop
          $0 start
          ;;
          *)
          echo "Usage: firewall {start|stop|status|restart|reload}"
          exit 1
          esac

          exit 0
            
          

Now, make this script executable and change its default permissions:

          [root@deep] /# chmod 700 /etc/rc.d/init.d/firewall
          [root@deep] /# chown 0.0 /etc/rc.d/init.d/firewall
          

Create the symbolic rc.d links for your Firewall with the following command:

          [root@deep] /# chkconfig --add firewall
          [root@deep] /# chkconfig --level 345 firewall on
          

Now, your firewall rules are configured to use System V init (System V init is in charge of starting all the normal processes that need to run at boot time) and it will be automatically started each time your server reboots. To manually stop the firewall on your system, use the following command:

          [root@deep] /# /etc/rc.d/init.d/firewall stop
          

          Shutting Firewalling Services:			[  OK  ]
          

To manually start the firewall on your system, use the following command:

          [root@deep] /# /etc/rc.d/init.d/firewall start
          

          Starting Firewalling Services:			[  OK  ]