Iptables: Configuration Examples

Introduction

Iptables is not very intuitive, and examples are almost essential for setting up your configuration. Here are some examples ranging from the simplest to the most complex.

Example 1

#!/bin/sh
################################################
#                                              #
#  Basic Firewall Script                       #
#                                              #
################################################

#############
# Variables #
############
    IPTABLES=/sbin/iptables
    IF_EXT=eth0
    IP_SSH=xx.xx.xx.xx


###################
# Clear tables #
##################
   ${IPTABLES} -t mangle -F
   ${IPTABLES} -t nat -F
   ${IPTABLES} -F
   ${IPTABLES} -t mangle -X
   ${IPTABLES} -t nat -X
   ${IPTABLES} -X
   ${IPTABLES} -Z


#####################
# Default rules #
####################
  ## ignore_echo_broadcasts, TCP Syncookies, ip_forward
   echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts

  ## Default Policy
   ${IPTABLES} -P INPUT DROP
   ${IPTABLES} -P OUTPUT DROP
   ${IPTABLES} -P FORWARD DROP

  ## Accept loopback
   ${IPTABLES} -A FORWARD -i lo -o lo -j ACCEPT
   ${IPTABLES} -A INPUT -i lo -j ACCEPT
   ${IPTABLES} -A OUTPUT -o lo -j ACCEPT

  ## REJECT connections pretending to initialize without syn
   ${IPTABLES} -A INPUT -p tcp ! --syn -m state --state NEW,INVALID -j REJECT


####################
# Special rules #
###################
### Create chains
    ${IPTABLES} -N SPOOFED
    ${IPTABLES} -N SERVICES

### Prohibit spoofed packets
    ${IPTABLES} -A SPOOFED -s 127.0.0.0/8 -j DROP
    ${IPTABLES} -A SPOOFED -s 169.254.0.0/12 -j DROP
    ${IPTABLES} -A SPOOFED -s 172.16.0.0/12 -j DROP
    ${IPTABLES} -A SPOOFED -s 192.168.0.0/16 -j DROP
    ${IPTABLES} -A SPOOFED -s 10.0.0.0/8 -j DROP

### Allowed INPUT
    ### ICMP
    ## Ping (*)
        ${IPTABLES} -A INPUT -p icmp --icmp-type echo-request -j ACCEPT
    ### TCP
    ## SSH (*)
    ${IPTABLES} -A SERVICES -p tcp -d ${IP_SSH} --dport 22 -j ACCEPT
   ## MAIL (*)
    ${IPTABLES} -A SERVICES -p tcp -d ${IP_SSH} --dport 25 -j ACCEPT


#################################
# Open ports on the firewall #
################################
    ${IPTABLES} -A OUTPUT -j ACCEPT
    ${IPTABLES} -A INPUT -m state --state ESTABLISH,RELATED -j ACCEPT
    ${IPTABLES} -A INPUT -j SPOOFED
    ${IPTABLES} -A INPUT -i ${IF_EXT} -j SERVICES

Example 2

#!/bin/bash
echo Setting firewall rules...

###### Initialization Start ######

# Block all incoming connections
iptables -t filter -P INPUT DROP
iptables -t filter -P FORWARD DROP
echo - Block all incoming connections: [OK]

# Block all outgoing connections
iptables -t filter -P OUTPUT DROP
echo - Block all outgoing connections: [OK]

# Clear current tables
iptables -t filter -F
iptables -t filter -X
echo - Clearing: [OK]

# Allow SSH
iptables -t filter -A INPUT -p tcp --dport 22 -j ACCEPT
echo - Allow SSH: [OK]

# Don't break established connections
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
echo - Don't break established connections: [OK]

###### End Initialization ######

##### Begin Rules ######

# Allow DNS, FTP, HTTP, NTP requests
iptables -t filter -A OUTPUT -p tcp --dport 21 -j ACCEPT
iptables -t filter -A OUTPUT -p tcp --dport 80 -j ACCEPT
iptables -t filter -A OUTPUT -p tcp --dport 53 -j ACCEPT
iptables -t filter -A OUTPUT -p udp --dport 53 -j ACCEPT
iptables -t filter -A OUTPUT -p udp --dport 123 -j ACCEPT
echo - Allow DNS, FTP, HTTP, NTP requests: [OK]

# Allow loopback
iptables -t filter -A INPUT -i lo -j ACCEPT
iptables -t filter -A OUTPUT -o lo -j ACCEPT
echo - Allow loopback: [OK]

# Allow ping
iptables -t filter -A INPUT -p icmp -j ACCEPT
iptables -t filter -A OUTPUT -p icmp -j ACCEPT
echo - Allow ping: [OK]

# HTTP
iptables -t filter -A INPUT -p tcp --dport 80 -j ACCEPT
iptables -t filter -A INPUT -p tcp --dport 443 -j ACCEPT
iptables -t filter -A INPUT -p tcp --dport 8443 -j ACCEPT
echo - Allow Apache server: [OK]

# FTP
modprobe ip_conntrack_ftp
iptables -t filter -A INPUT -p tcp --dport 20 -j ACCEPT
iptables -t filter -A INPUT -p tcp --dport 21 -j ACCEPT
iptables -t filter -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
echo - Allow FTP server: [OK]

# Mail
iptables -t filter -A INPUT -p tcp --dport 25 -j ACCEPT
iptables -t filter -A INPUT -p tcp --dport 110 -j ACCEPT
iptables -t filter -A INPUT -p tcp --dport 143 -j ACCEPT
iptables -t filter -A OUTPUT -p tcp --dport 25 -j ACCEPT
iptables -t filter -A OUTPUT -p tcp --dport 110 -j ACCEPT
iptables -t filter -A OUTPUT -p tcp --dport 143 -j ACCEPT
echo - Allow Mail server: [OK]

###### End Rules ######

echo Firewall successfully updated!

Example 3

# description: Firewall rules with masquerading
# probe: true
#
### BEGIN INIT INFO
# Provides: firewall_passerelle
# Required-Start: $network
# Required-Stop: $network
# Default-Start: 3 5
# Default-Stop:
# Description: Firewall rules with masquerading (configurable)
### END INIT INFO

####################################################################
# INTRODUCTION
####################################################################

## Make sure we are root
if [ ! "`id 2>&1 | egrep 'uid=0' | cut -d '(' -f1`" = "uid=0" ]; then
        echo "This script must be run by the 'root' user"
        exit 1 ## Exit the script
fi

# If iptables utility is not installed, exit with an error
# Note: the path to the IPTABLES utility may vary from one
# system to another
IPT="/sbin/iptables"
[ -x ${IPT} ] || {
        echo "Unable to find the path for iptables"
        exit 1
        }

# Internet connection interface
# This variable is mandatory
OUT="ppp0"

# If the following line is uncommented, the machine
# is not configured in gateway mode and only serves
# as a firewall
IN="eth0"  # private network interface if applicable

# Uncomment the following line to enable protocol filtering
# when using in gateway mode
#FILTRAGE="-p tcp -m multiport --destination-port 6667,5190"

# let's see how we were called
case "$1" in
        start)
                ;;
        stop)
                ${IPT} -t filter -F
                ${IPT} -t nat    -F
                ${IPT} -t filter -X
                ${IPT} -t filter -Z
                ${IPT} -t filter -P INPUT       ACCEPT
                ${IPT} -t filter -P OUTPUT      ACCEPT
                ${IPT} -t filter -P FORWARD     ACCEPT
                /bin/echo "0" > /proc/sys/net/ipv4/ip_forward
                exit 0
                ;;
        restart)
                $0 stop
                $0 start
                ;;
        *)
                echo "Usage: $0 {start|stop|restart}"
                exit 1
esac

# Load modules
modprobe ip_tables
modprobe ip_conntrack
modprobe ip_conntrack_ftp
modprobe ip_conntrack_irc
modprobe ip_conntrack_h323

# Clear all rules and chains
${IPT} -t filter -F
${IPT} -t nat    -F
${IPT} -t filter -X
${IPT} -t filter -Z

# Configure default behavior (Policy)
${IPT} -P INPUT DROP
${IPT} -P OUTPUT DROP
${IPT} -P FORWARD DROP

####################################################################
# Kernel flags
####################################################################

# Enable TCP SYN Cookie protection (repeated connection requests)
#/bin/echo "1" > /proc/sys/net/ipv4/tcp_syncookies

# Ignore ping responses
#/bin/echo "1" > /proc/sys/net/ipv4/icmp_echo_ignore_all

# Disable ICMP broadcast responses
/bin/echo "1" > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts

# Don't accept source routed packets. Attackers can use source
# routing to generate traffic pretending to be from inside your
# network, but which is routed back along the path which it came,
# namely outside, so attackers can compromise your network.
# Source routing is rarely used for legitimate purposes.
/bin/echo "0" > /proc/sys/net/ipv4/conf/all/accept_source_route

# Disable ICMP Redirect Acceptance
/bin/echo "0" > /proc/sys/net/ipv4/conf/all/accept_redirects

# Enable bad error message protection
/bin/echo "1" > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses

# To prevent IP SPOOFING, check the source address on all
# interfaces - can cause issues with asymmetric routing
# (packets take different paths in each direction)
for interface in /proc/sys/net/ipv4/conf/*/rp_filter; do
        /bin/echo "1" > ${interface}
done

# Log Spoofed Packets, Source Routed Packets, Redirect Packets
for interface in /proc/sys/net/ipv4/conf/*/log_martians; do
        /bin/echo "1" > ${interface}
done
# For dynamic IP address
echo "1" > /proc/sys/net/ipv4/ip_dynaddr

# Enable IP packet routing
# This is the main command authorizing the gateway function
if [ ${IN} ]; then
        /bin/echo "1" > /proc/sys/net/ipv4/ip_forward
else
        /bin/echo "0" > /proc/sys/net/ipv4/ip_forward
fi

####################################################################
# Rules
####################################################################

# Unlimited traffic on loopback address
${IPT} -A INPUT  -i lo -j ACCEPT
${IPT} -A OUTPUT -o lo -j ACCEPT

# Unlimited traffic on other Ethernet interfaces
# Avoid touching the public network interface
# (connected to the Internet)
for interface in /proc/sys/net/ipv4/conf/eth*; do
        VAL=`echo ${interface} | cut -c 25-`
        if [ ${VAL} != ${OUT} ]; then
                ${IPT} -A INPUT  -i ${VAL} -j ACCEPT
                ${IPT} -A OUTPUT -o ${VAL} -j ACCEPT
        fi
done

# transparent proxy: redirection rule to the proxy
# we consider that eth0 is the private network interface
# and 3128 is the proxy-cache server port
#${IPT} -t nat -A PREROUTING -p tcp -i eth0 --dport 80 -j REDIRECT --to-port 3128

# If gateway function is enabled
if [ ${IN} ]; then

        # Accept forwarding packets on the internal interface
        ${IPT} -A FORWARD -i ${IN} ${FILTRAGE} -j ACCEPT
        ${IPT} -A FORWARD -o ${IN} -j ACCEPT

        # Enable masquerading for traffic from the private
        # subnet (For fixed IP, SNAT is better)
        ${IPT} -t nat -A POSTROUTING -o ${OUT} -j MASQUERADE

fi

# Accept outgoing connections from the
# private subnet
${IPT} -A OUTPUT -o ${OUT} -j ACCEPT

#
# Add rules to authorize certain ports
# Uncomment the lines that interest you
#

## Simultaneous access to a web server and FTP
#${IPT} -A INPUT -i ${OUT} -p tcp -m state --state NEW -m multiport --destination-port 80,20,21 -j ACCEPT

## Access only to a web server
#${IPT} -A INPUT -i ${OUT} -p tcp -m state --state NEW --destination-port 80 -j ACCEPT

## gtk-gnutella
#${IPT} -A INPUT -i ${OUT} -p tcp -m state --state NEW --destination-port 23934 -j ACCEPT
#${IPT} -A INPUT -i ${OUT} -p udp -m state --state NEW --destination-port 23934 -j ACCEPT

## SSH
${IPT} -A INPUT -i ${OUT} -p tcp --destination-port 22 -j ACCEPT

## HTTP
${IPT} -A INPUT -i ${OUT} -p tcp --destination-port 80 -j ACCEPT

# Mldonkey
${IPT} -A INPUT -i ${OUT} -p tcp --destination-port 6666 -j ACCEPT
${IPT} -A INPUT -i ${OUT} -p tcp --destination-port 6682 -j ACCEPT
${IPT} -A INPUT -i ${OUT} -p tcp --destination-port 8155 -j ACCEPT

## Jabber file transfer
#${IPT} -A INPUT -i ${OUT} -p udp --destination-port 8010 -j ACCEPT

#
# End of rule addition
#

# Accept already established incoming connections
${IPT} -A INPUT -i ${OUT} -m state --state ESTABLISHED,RELATED -j ACCEPT

# If gateway function is enabled
if [ ${IN} ]; then

        # Track rejected packets on the FORWARD chain
        ${IPT} -N LOG_FWD
        ${IPT} -A LOG_FWD  -j LOG --log-level info --log-ip-options --log-prefix "Firewall FWD:"
        ${IPT} -A LOG_FWD  -j DROP

        # Log rejected packets on the FORWARD chain
        ${IPT} -A FORWARD -j LOG_FWD

fi

# Initialize tracking for rejected input packets on
# the external interface
${IPT} -N LOG_EXT
${IPT} -A LOG_EXT  -j LOG --log-level info --log-ip-options --log-prefix "Firewall IN:"
${IPT} -A LOG_EXT  -j DROP

# Log rejected input packets on the external interface
${IPT} -A INPUT -i ${OUT} -j LOG_EXT

exit 0

Example 4

#!/bin/bash

###################################################
## ARCHITECTURE FOR A 4-INTERFACE FIREWALL       ##
##                       ##
##         INTERNET          ##
##            |              ##
##  DMZ--------FIREWALL--------SERVER ZONE ##
##            |              ##
##           LAN             ##
##                       ##
###################################################

###################################################
## REQUIRED IPTABLES MODULES                     ##
###################################################
MODULES_IPTABLES="ip_tables \
                  ipt_string \
          ip_conntrack \
                  ip_conntrack_ftp \
          ip_nat_ftp"           # Iptables modules loaded at startup
INTERNET="ppp0"                 # Internet device (multiple devices possible)
INTERNET_NAT="ppp0"                             # Internet device used for NAT (only 1 device possible)
DMZ=""                          # DMZ device (public IPs, servers accessible from internet)
ZONE_SERVEURS="eth2"                # Server zone device (private IPs, servers accessible internally)
LAN="eth1 eth3"                 # Intranet device (multiple devices possible)

PAQUETS_ICMP_AUTHORISES="0 3 4 5 8 11 12"   # ICMP packets authorized to travel between different networks
PING_FLOOD="1/s"                # Number of PING authorized per second
LOG_FLOOD="1/s"

PROTOCOLES_AUTHORISES="47"          # Protocols authorized to pass through the firewall

MASQ_LAN="YES"                                  # Masquerade the LAN
MASQ_DMZ="NO"                                   # Masquerade the DMZ
MASQ_ZONE_SERVEURS="YES"                        # Masquerade the server zone

PORTS_TCP_INTERNET_AUTHORISES="53"      # TCP ports of the firewall accessible from the internet
PORTS_UDP_INTERNET_AUTHORISES="53"      # UDP ports of the firewall accessible from the internet
PORTS_TCP_DMZ_AUTHORISES=""         # TCP ports of the firewall accessible from the DMZ
PORTS_UDP_DMZ_AUTHORISES=""         # UDP ports of the firewall accessible from the DMZ
PORTS_TCP_ZONE_SERVEURS_AUTHORISES="53 113" # TCP ports of the firewall accessible from the server zone
PORTS_UDP_ZONE_SERVEURS_AUTHORISES="53 113" # UDP ports of the firewall accessible from the server zone
PORTS_TCP_LAN_AUTHORISES="53 113 22"        # TCP ports of the firewall accessible from the LAN
PORTS_UDP_LAN_AUTHORISES="53 113 22"        # UDP ports of the firewall accessible from the LAN

PORTS_TCP_SORTIE_REFUSES="6346 \
              7777 \
              8888 \
              6699 \
              6000"                 # TCP ports forbidden for output from the firewall
PORTS_UDP_SORTIE_REFUSES="6346 \
              7777 \
              8888 \
              6699 \
              6000"                 # UDP ports forbidden for output from the firewall

RESEAUX_LAN="192.168.10.0/24 \
         192.168.30.0/24"           # Networks composing the LAN
RESEAUX_DMZ=""                                  # Networks composing the DMZ
RESEAUX_ZONE_SERVEURS="192.168.50.0/24"         # Networks composing the server zone

NAT_TCP_NET=" 80.13.192.105:80>192.168.50.100:8080 "  # NAT => IP_FIREWALL:PORT_FIREWALL>IP_INTERNAL:PORT_INTERNAL
NAT_UDP_NET=""                  # NAT => IP_FIREWALL:PORT_FIREWALL>IP_INTERNAL:PORT_INTERNAL

MOTS_CLES="root admin"                          # Keywords to log

MOTS_CLES_INTERDITS="mp3>192.168.10.117 \
             MP3>192.168.10.117 \
             ogg>192.168.10.117 \
             OGG>192.168.10.117"        # Forbidden keywords ;-) KEYWORD>RECIPIENT_IP
IP_INTERDITES=" 66.28.48.0/24 \
        66.28.49.0/24"          # Addresses blocked from entry

###################################################
## SCRIPT VARIABLES (DO NOT EDIT)               ##
###################################################

IPTABLES=`which iptables`
MODPROBE=`which modprobe`
VERT="\033[32m"
JAUNE="\033[33m"
GRAS="\033[1m"
NORMAL="\033[m"
ROUGE="\033[31m"


###################################################
## VERIFY IPTABLES PRESENCE                      ##
###################################################

echo -en "${GRAS}Verifying IPTABLES presence:${NORMAL}"
if [ -z ${IPTABLES} ] ;then
    echo -e "\t\t${ROUGE}FAILED${NORMAL}\n"
    exit 1
else
    echo -e "\t\t${VERT}OK${NORMAL}"
fi


###################################################
## VERIFY MODPROBE PRESENCE                      ##
###################################################

echo -en "${GRAS}Verifying MODPROBE presence:${NORMAL}"
if [ -z ${MODPROBE} ] ;then
    echo -e "\t\t${ROUGE}FAILED${NORMAL}\n"
    exit 1
else
    echo -e "\t\t${VERT}OK${NORMAL}\n"
fi


###################################################
## LOADING IPTABLES MODULES                      ##
###################################################

for module in ${MODULES_IPTABLES} ;do
    echo -e "${GRAS}Loading module ${module}:${NORMAL}\t\t\t${VERT}OK${NORMAL}"
    ${MODPROBE} ${module}
done
echo -e "\n"

###################################################
## BASIC FIREWALL CONFIGURATION USING            ##
## /proc FILESYSTEM                              ##
###################################################

###################################################
## ENABLE IP FORWARDING (routing)                ##
###################################################

echo -en "${GRAS}${JAUNE}Enabling ip forwarding:${NORMAL}"
if [ -e /proc/sys/net/ipv4/ip_forward ] ; then
    echo 1 > /proc/sys/net/ipv4/ip_forward
    echo -e "\t\t\t\t${VERT}OK${NORMAL}"
else
    echo -e "\t\t\t\t${ROUGE}FAILED${NORMAL}\n"
    exit 1
fi

###################################################
## Protection against SYN FLOOD                  ##
###################################################

echo -en "${GRAS}${JAUNE}Protection against SYN/FLOOD:${NORMAL}"
if [ -e /proc/sys/net/ipv4/tcp_syncookies ] ; then
    echo 1 > /proc/sys/net/ipv4/tcp_syncookies
    echo -e "\t\t\t${VERT}OK${NORMAL}"
else
    echo -e "\t\t\t${ROUGE}FAILED${NORMAL}"
fi

###################################################
## Defragment packets before forwarding them     ##
## Useful for masquerading                       ##
###################################################

echo -en "${GRAS}${JAUNE}Packet refragmentation:${NORMAL}"
if [ -e /proc/sys/net/ipv4/ip_always_defrag ] ; then
    echo 1 > /proc/sys/net/ipv4/ip_always_defrag
    echo -e "\t\t\t\t${VERT}OK${NORMAL}"
else
    echo -e "\t\t\t\t${ROUGE}FAILED${NORMAL}"
fi

###################################################
## Don't respond to ICMP packets                 ##
## sent to broadcast                             ##
###################################################

echo -en "${GRAS}${JAUNE}Insensitivity to ICMP packets sent to broadcast:${NORMAL}"
if [ -e /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts ] ; then
    echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
    echo -e "\t${VERT}OK${NORMAL}"
else
    echo -e "\t${ROUGE}FAILED${NORMAL}"
fi

###################################################
## Ignore ICMP errors from hosts                 ##
## on the network reacting poorly to frames      ##
## sent to what they perceive as                 ##
## the broadcast address                         ##
###################################################

if [ -e /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses ] ; then
    echo 1 > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses
fi

###################################################
## Reverse Path Filtering                        ##
## Only route packets belonging to               ##
## our networks                                  ##
###################################################

echo -e "${GRAS}${JAUNE}Enabling Reverse Path Filtering:${NORMAL}\t\t\t${VERT}OK${NORMAL}\n"
for f in /proc/sys/net/ipv4/conf/*/rp_filter; do
    echo 1 > $f
done


###################################################
## CLEAR OLD RULES                               ##
###################################################

echo -en "${GRAS}${JAUNE}Clearing old rules:${NORMAL}"
${IPTABLES} -t filter -F INPUT
${IPTABLES} -t filter -F OUTPUT
${IPTABLES} -t filter -F FORWARD
${IPTABLES} -t nat    -F PREROUTING
${IPTABLES} -t nat    -F OUTPUT
${IPTABLES} -t nat    -F POSTROUTING
${IPTABLES} -t mangle -F PREROUTING
${IPTABLES} -t mangle -F OUTPUT
echo -e "\t\t\t${VERT}OK${NORMAL}"

###################################################
## RESET CHAINS                                  ##
###################################################

echo -en "${GRAS}${JAUNE}Resetting chains:${NORMAL}"
${IPTABLES} -t filter -Z
${IPTABLES} -t nat    -Z
${IPTABLES} -t mangle -Z
echo -e "\t\t\t\t${VERT}OK${NORMAL}"

###################################################
## SET DEFAULT POLICY                            ##
###################################################

echo -en "${GRAS}${JAUNE}Setting default policy:${NORMAL}"
${IPTABLES} -t filter -P INPUT   DROP
${IPTABLES} -t filter -P OUTPUT  ACCEPT
${IPTABLES} -t filter -P FORWARD DROP
echo -e "\t\t${VERT}OK${NORMAL}\n"

###################################################
## KEYWORDS TO LOG                               ##
###################################################

if [ "${MOTS_CLES}" != "" ] ;then
    echo -ne "${GRAS}${JAUNE}Enabling keyword-based logging system:${NORMAL}"
    for mot in ${MOTS_CLES} ;do
    ${IPTABLES} -A INPUT -m string --string "${mot}" -j LOG --log-level info --log-prefix "${mot}: "
    ${IPTABLES} -A FORWARD -m string --string "${mot}" -j LOG --log-level info --log-prefix "${mot}: "
    done
    echo -e "\t\t${VERT}OK${NORMAL}"
fi

###################################################
## Block entry of certain addresses              ##
## via the firewall for tcp and udp              ##
###################################################

if [ "${IP_INTERDITES}" != "" ] ;then
    echo -e "${GRAS}${JAUNE}Blocking entry of certain addresses:${NORMAL}\t\t${VERT}OK${NORMAL}"

    for adr in ${IP_INTERDITES} ;do
    ${IPTABLES} -t filter -A FORWARD -p tcp -s ${adr} -j DROP
    ${IPTABLES} -t filter -A FORWARD -p udp -s ${adr} -j DROP
    done
fi

###################################################
## Block outgoing of certain ports via           ##
## the firewall for tcp                          ##
###################################################

if [ "${PORTS_TCP_SORTIE_REFUSES}" != "" ] ;then
    echo -e "${GRAS}${JAUNE}Blocking outgoing TCP ports:${NORMAL}\t\t${VERT}OK${NORMAL}"

    for port_no in ${PORTS_TCP_SORTIE_REFUSES} ;do
    ${IPTABLES} -t filter -A FORWARD -p tcp --dport ${port_no} -j DROP
    ${IPTABLES} -t filter -A OUTPUT -p tcp -o ${INTERNET} --dport ${port_no} -j DROP
    done
fi

###################################################
## Block outgoing of certain ports via           ##
## the firewall for udp                          ##
###################################################

if [ "${PORTS_TCP_SORTIE_REFUSES}" != "" ] ;then
    echo -e "${GRAS}${JAUNE}Blocking outgoing UDP ports:${NORMAL}\t\t${VERT}OK${NORMAL}"

    for port_no in ${PORTS_TCP_SORTIE_REFUSES} ;do
    ${IPTABLES} -t filter -A FORWARD -p udp --dport ${port_no} -j DROP
    ${IPTABLES} -t filter -A OUTPUT -p udp -o ${INTERNET} --dport ${port_no} -j DROP
    done
fi
###################################################
## Block passage of certain keywords             ##
###################################################

if [ "${MOTS_CLES_INTERDITS}" != "" ] ;then
    echo -e "${GRAS}${JAUNE}Blocking passage of certain keywords:${NORMAL}\t\t${VERT}OK${NORMAL}"

    for mot_cles in ${MOTS_CLES_INTERDITS} ;do
    mot=`echo ${mot_cles} | sed 's/>.*//g'`
    ip=`echo ${mot_cles} | sed 's/.*>//g'`

    ${IPTABLES} -A INPUT -m string --string "${mot}" -d ${ip} -j DROP
    ${IPTABLES} -A FORWARD -m string --string "${mot}" -d ${ip} -j DROP
    done
fi

###################################################
## Allow ICMP packets                            ##
###################################################

if [ "${PAQUETS_ICMP_AUTHORISES}" != ""  ] ;then
    echo -e "${GRAS}${JAUNE}Allowing certain ICMP packets:${NORMAL}\t\t${VERT}OK${NORMAL}"

    for icmp_no in ${PAQUETS_ICMP_AUTHORISES} ;do
    ${IPTABLES} -t filter -A INPUT   -p icmp --icmp-type ${icmp_no} -m limit --limit ${PING_FLOOD} -j ACCEPT
    ${IPTABLES} -t filter -A FORWARD -p icmp --icmp-type ${icmp_no} -m limit --limit ${PING_FLOOD} -j ACCEPT
    ${IPTABLES} -t filter -A OUTPUT  -p icmp --icmp-type ${icmp_no} -m limit --limit ${PING_FLOOD} -j ACCEPT
    done
fi


###################################################
## Allow certain protocols to pass              ##
###################################################

if [ "${PROTOCOLES_AUTHORISES}" != ""  ] ;then
    echo -e "${GRAS}${JAUNE}Allowing certain protocols:${NORMAL}\t\t\t${VERT}OK${NORMAL}"

    for protocole_no in ${PROTOCOLES_AUTHORISES} ;do
    ${IPTABLES} -t filter -A INPUT   -p ${protocole_no} -j ACCEPT
    ${IPTABLES} -t filter -A FORWARD -p ${protocole_no} -j ACCEPT
    done
fi


###################################################
## Allow connections already established before  ##
## launch of this script                         ##
###################################################

echo -e "${GRAS}${JAUNE}Allowing already established connections:${NORMAL}\t\t${VERT}OK${NORMAL}"
${IPTABLES} -t filter -A INPUT   -m state --state ESTABLISHED,RELATED -j ACCEPT
${IPTABLES} -t filter -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
${IPTABLES} -t filter -A OUTPUT  -m state --state ESTABLISHED,RELATED -j ACCEPT


###################################################
## Allow LocalHost connections                    ##
###################################################

echo -e "${GRAS}${JAUNE}Allowing localhost connections:${NORMAL}\t${VERT}OK${NORMAL}"
${IPTABLES} -t filter -A INPUT   -s 127.0.0.1 -d 127.0.0.1 -j ACCEPT
${IPTABLES} -t filter -A FORWARD -s 127.0.0.1 -d 127.0.0.1 -j ACCEPT
${IPTABLES} -t filter -A OUTPUT  -s 127.0.0.1 -d 127.0.0.1 -j ACCEPT

###################################################
## Allow TCP connections on the                  ##
## internet device                              ##
###################################################

if [ "${INTERNET}" != "" ] ;then
    for internet_device in ${INTERNET} ;do
    if [ "${PORTS_TCP_INTERNET_AUTHORISES}" != "" ] ;then
        echo -e "${GRAS}${JAUNE}TCP connections on internet interface ${internet_device}:${NORMAL}\t\t${VERT}OK${NORMAL}"

        for port_no in ${PORTS_TCP_INTERNET_AUTHORISES} ;do
        ${IPTABLES} -t filter -A INPUT -p tcp -i ${internet_device} --dport ${port_no} -j ACCEPT

        if [ "0${port_no}" == "021" ] ;then
            ${IPTABLES} -t filter -A INPUT -p tcp -i ${internet_device} --sport 20 --dport 1024:65535 ! --syn -j ACCEPT
        fi
        done
    fi
    done
fi


###################################################
## Allow UDP connections on the                  ##
## internet device                              ##
###################################################

if [ "${INTERNET}" != "" ] ;then
    for internet_device in ${INTERNET} ;do
    if [ "${PORTS_UDP_INTERNET_AUTHORISES}" != "" ] ;then
        echo -e "${GRAS}${JAUNE}UDP connections on internet interface ${internet_device}:${NORMAL}\t\t${VERT}OK${NORMAL}"

        for port_no in ${PORTS_UDP_INTERNET_AUTHORISES} ;do
        ${IPTABLES} -t filter -A INPUT -p udp -i ${internet_device} --dport ${port_no} -j ACCEPT
        done
    fi
    done
fi


###################################################
## Allow TCP connections on the                  ##
## DMZ device                                    ##
###################################################

if [ "${DMZ}" != "" ] ;then
    for dmz_device in ${DMZ} ;do
    if [ "${PORTS_TCP_DMZ_AUTHORISES}" != "" ] ;then
        echo -e "${GRAS}${JAUNE}TCP connections on DMZ interface ${dmz_device}:${NORMAL}\t\t${VERT}OK${NORMAL}"

        for port_no in ${PORTS_TCP_DMZ_AUTHORISES} ;do
        ${IPTABLES} -t filter -A INPUT -p tcp -i ${dmz_device} --dport ${port_no} -j ACCEPT

        if [ "0${port_no}" == "021" ] ;then
            ${IPTABLES} -t filter -A INPUT -p tcp -i ${dmz_device} --sport 20 --dport 1024:65535 ! --syn -j ACCEPT
        fi
        done
    fi
    done
fi

###################################################
## Allow UDP connections on the                  ##
## DMZ device                                    ##
###################################################

if [ "${DMZ}" != "" ] ;then
    for dmz_device in ${DMZ} ;do
    if [ "${PORTS_UDP_DMZ_AUTHORISES}" != "" ] ;then
        echo -e "${GRAS}${JAUNE}UDP connections on DMZ interface ${dmz_device}:${NORMAL}\t\t${VERT}OK${NORMAL}"

        for port_no in ${PORTS_UDP_DMZ_AUTHORISES} ;do
        ${IPTABLES} -t filter -A INPUT -p udp -i ${dmz_device} --dport ${port_no} -j ACCEPT
        done
    fi
    done
fi


###################################################
## Allow TCP connections on the                  ##
## server zone device                           ##
###################################################

if [ "${ZONE_SERVEURS}" != "" ] ;then
    for zone_serveurs_device in ${ZONE_SERVEURS} ;do
    if [ "${PORTS_TCP_ZONE_SERVEURS_AUTHORISES}" != "" ] ;then
        echo -e "${GRAS}${JAUNE}TCP connections on server zone interface ${zone_serveurs_device}:${NORMAL}\t${VERT}OK${NORMAL}"

        for port_no in ${PORTS_TCP_ZONE_SERVEURS_AUTHORISES} ;do
        ${IPTABLES} -t filter -A INPUT -p tcp -i ${zone_serveurs_device} --dport ${port_no} -j ACCEPT

        if [ "0${port_no}" == "021" ] ;then
            ${IPTABLES} -t filter -A INPUT -p tcp -i ${zone_serveurs_device} --sport 20 --dport 1024:65535 ! --syn -j ACCEPT
        fi
        done
    fi
    done
fi

###################################################
## Allow UDP connections on the                  ##
## server zone device                           ##
###################################################

if [ "${ZONE_SERVEURS}" != "" ] ;then
    for zone_serveurs_device in ${ZONE_SERVEURS} ;do
    if [ "${PORTS_UDP_ZONE_SERVEURS_AUTHORISES}" != "" ] ;then
        echo -e "${GRAS}${JAUNE}UDP connections on server zone interface ${zone_serveurs_device}:${NORMAL}\t${VERT}OK${NORMAL}"

        for port_no in ${PORTS_UDP_ZONE_SERVEURS_AUTHORISES} ;do
        ${IPTABLES} -t filter -A INPUT -p udp -i ${zone_serveurs_device} --dport ${port_no} -j ACCEPT
        done
    fi
    done
fi

###################################################
## Allow TCP connections on the                  ##
## LAN device                                    ##
###################################################

if [ "${LAN}" != "" ] ;then
    for lan_device in ${LAN} ;do
    if [ "${PORTS_TCP_LAN_AUTHORISES}" != "" ] ;then
        echo -e "${GRAS}${JAUNE}TCP connections on LAN interface ${lan_device}:${NORMAL}\t\t${VERT}OK${NORMAL}"

        for port_no in ${PORTS_TCP_LAN_AUTHORISES} ;do
        ${IPTABLES} -t filter -A INPUT -p tcp -i ${lan_device} --dport ${port_no} -j ACCEPT

        if [ "0${port_no}" == "021" ] ;then
            ${IPTABLES} -t filter -A INPUT -p tcp -i ${lan_device} --sport 20 --dport 1024:65535 ! --syn -j ACCEPT
        fi
        done
    fi
    done
fi


###################################################
## Allow UDP connections on the                  ##
## LAN device                                    ##
###################################################

if [ "${LAN}" != "" ] ;then
    for lan_device in ${LAN} ;do
    if [ "${PORTS_UDP_LAN_AUTHORISES}" != "" ] ;then
        echo -e "${GRAS}${JAUNE}UDP connections on LAN interface ${lan_device}:${NORMAL}\t\t${VERT}OK${NORMAL}"

        for port_no in ${PORTS_UDP_LAN_AUTHORISES} ;do
        ${IPTABLES} -t filter -A INPUT -p udp -i ${lan_device} --dport ${port_no} -j ACCEPT
        done
    fi
    done
fi
echo -e ""


###################################################
## Masquerade the LAN                            ##
###################################################

if [ "${MASQ_LAN}" = "YES" -o "${MASQ_LAN}" = "yes" ] ;then
    echo -e "${GRAS}${JAUNE}Enabling Masquerading for the LAN:${NORMAL}\t\t${VERT}OK${NORMAL}"

    for reseau in ${RESEAUX_LAN} ;do
    ${IPTABLES} -t nat -A POSTROUTING -s ${reseau} -o ${INTERNET} -j MASQUERADE
    ${IPTABLES} -t filter -A FORWARD -s ${reseau} -j ACCEPT
    done
fi


###################################################
## Masquerade the DMZ                            ##
###################################################

if [ "${MASQ_DMZ}" = "YES" -o "${MASQ_DMZ}" = "yes" ] ;then
    echo -e "${GRAS}${JAUNE}Enabling Masquerading for the DMZ:${NORMAL}\t\t${VERT}OK${NORMAL}"

    for reseau in ${RESEAUX_DMZ} ;do
    ${IPTABLES} -t nat -A POSTROUTING -s ${reseau} -o ${INTERNET} -j MASQUERADE
    ${IPTABLES} -t filter -A FORWARD -s ${reseau} -j ACCEPT
    done
fi

###################################################
## Masquerade the server zone                    ##
###################################################

if [ "${MASQ_ZONE_SERVEURS}" = "YES" -o "${MASQ_ZONE_SERVEURS}" = "yes" ] ;then
    echo -e "${GRAS}${JAUNE}Enabling Masquerading for the server zone:${NORMAL}\t${VERT}OK${NORMAL}"

    for reseau in ${RESEAUX_ZONE_SERVEURS} ;do
    ${IPTABLES} -t nat -A POSTROUTING -s ${reseau} -o ${INTERNET} -j MASQUERADE
    ${IPTABLES} -t filter -A FORWARD -s ${reseau} -j ACCEPT
    done
fi


###################################################
## Enable TCP NAT                                ##
###################################################

if [ "${NAT_TCP_NET}" != "" ] ;then
    echo -e "${GRAS}${JAUNE}Enabling TCP network address translation:${NORMAL}\t\t${VERT}OK${NORMAL}"

    for translation in ${NAT_TCP_NET} ;do
    srcport=`echo ${translation} | sed 's/>.*//g'|cut -d : -f 2`
    srchost=`echo ${translation} | sed 's/:.*//g'`
    desthost=`echo ${translation} | sed 's/.*>//g'| cut -d : -f 1`
    destport=`echo ${translation} | sed 's/.*://g'`

    ${IPTABLES} -t nat -A PREROUTING -p tcp -i ${INTERNET_NAT} -d ${srchost} --dport ${srcport} -j DNAT --to ${desthost}:${destport}
    ${IPTABLES} -A FORWARD -p tcp -i ${INTERNET_NAT} -d ${desthost} --dport ${destport} -j ACCEPT
    done
fi


###################################################
## Enable UDP NAT                                ##
###################################################

if [ "${NAT_UDP_NET}" != "" ] ;then
    echo -e "${GRAS}${JAUNE}Enabling UDP network address translation:${NORMAL}\t\t${VERT}OK${NORMAL}"

    for translation in ${NAT_UDP_NET} ;do
    srcport=`echo ${translation} | sed 's/>.*//g'|cut -d : -f 2`
    srchost=`echo ${translation} | sed 's/:.*//g'`
    desthost=`echo ${translation} | sed 's/.*>//g'| cut -d : -f 1`
    destport=`echo ${translation} | sed 's/.*://g'`

    ${IPTABLES} -t nat -A PREROUTING -p udp -i ${INTERNET_NAT} -d ${srchost} --dport ${srcport} -j DNAT --to ${desthost}:${destport}
    ${IPTABLES} -A FORWARD -p udp -i ${INTERNET_NAT} -d ${desthost} --dport ${destport} -j ACCEPT
    done
fi

###################################################
## FUCK nimda and codered:)                     ##
###################################################

echo -e "${GRAS}${JAUNE}Protection against Nimda and codered:${NORMAL}\t\t\t${VERT}OK${NORMAL}"
${IPTABLES} -I INPUT -j DROP -m string -p tcp -s 0.0.0.0/0 --string "c+dir"
${IPTABLES} -I INPUT -j DROP -m string -p tcp -s 0.0.0.0/0 --string "c+tftp"
${IPTABLES} -I INPUT -j DROP -m string -p tcp -s 0.0.0.0/0 --string "cmd.exe"
${IPTABLES} -I INPUT -j DROP -m string -p tcp -s 0.0.0.0/0 --string "default.ida"
${IPTABLES} -I FORWARD -j DROP -m string -p tcp -s 0.0.0.0/0 --string "c+dir"
${IPTABLES} -I FORWARD -j DROP -m string -p tcp -s 0.0.0.0/0 --string "c+tftp"
${IPTABLES} -I FORWARD -j DROP -m string -p tcp -s 0.0.0.0/0 --string "cmd.exe"
${IPTABLES} -I FORWARD -j DROP -m string -p tcp -s 0.0.0.0/0 --string "default.ida"


###################################################
## Enable logging                                ##
###################################################

echo -ne "${GRAS}${JAUNE}Enabling logging system:${NORMAL}"
${IPTABLES} -t filter -A INPUT -p tcp -m limit --limit ${LOG_FLOOD} -j LOG --log-level info --log-prefix "INPUT TCP DROPPED: "
${IPTABLES} -t filter -A INPUT -p udp -m limit --limit ${LOG_FLOOD} -j LOG --log-level info --log-prefix "INPUT UDP DROPPED: "
${IPTABLES} -t filter -A INPUT -p icmp -m limit --limit ${LOG_FLOOD} -j LOG --log-level info --log-prefix "INPUT ICMP DROPPED: "
${IPTABLES} -t filter -A INPUT -f -m limit --limit ${LOG_FLOOD} -j LOG --log-level info --log-prefix "INPUT FRAGMENT DROPPED: "
${IPTABLES} -t filter -A INPUT -p all -m limit --limit ${LOG_FLOOD} -j LOG --log-level info --log-prefix "INPUT PROTOCOL DROPPED: "

${IPTABLES} -t filter -A FORWARD -p tcp -m limit --limit ${LOG_FLOOD} -j LOG --log-level info --log-prefix "FORWARD TCP DROPPED: "
${IPTABLES} -t filter -A FORWARD -p udp -m limit --limit ${LOG_FLOOD} -j LOG --log-level info --log-prefix "FORWARD UDP DROPPED: "
${IPTABLES} -t filter -A FORWARD -p icmp -m limit --limit ${LOG_FLOOD} -j LOG --log-level info --log-prefix "FORWARD ICMP DROPPED: "
${IPTABLES} -t filter -A FORWARD -f -m limit --limit ${LOG_FLOOD} -j LOG --log-level info --log-prefix "FORWARD FRAGMENT DROPPED: "
${IPTABLES} -t filter -A FORWARD -p all -m limit --limit ${LOG_FLOOD} -j LOG --log-level info --log-prefix "FORWARD PROTOCOL DROPPED: "
echo -e "\t\t\t\t${VERT}OK${NORMAL}"

Example 5

#!/bin/bash

#-------------------------------------------------------------------------
# Essentials
#-------------------------------------------------------------------------

IPTABLES='/sbin/iptables';
modprobe nf_conntrack_ftp

#-------------------------------------------------------------------------
# Physical and virtual interfaces definitions
#-------------------------------------------------------------------------

# Interfaces
wan_if="eth0";
vpn_if="tap0";

#-------------------------------------------------------------------------
# Networks definitions
#-------------------------------------------------------------------------

# Networks
wan_ip="x.x.x.x";
lan_net="192.168.90.0/24";
vpn_net="192.168.20.0/24";

# IPs
ed_ip="192.168.90.1";
banzai_ip="192.168.90.2";

#-------------------------------------------------------------------------
# Global Rules input / output / forward
#-------------------------------------------------------------------------

# Flushing tables
$IPTABLES -F
$IPTABLES -X
$IPTABLES -t nat -F

# Define default policy
$IPTABLES -P INPUT DROP
$IPTABLES -P OUTPUT ACCEPT
$IPTABLES -P FORWARD ACCEPT

$IPTABLES -A INPUT -j ACCEPT -d $lan_net;
$IPTABLES -A INPUT -j ACCEPT -m state --state ESTABLISHED,RELATED

#-------------------------------------------------------------------------
# Allow masquerading for VE
#-------------------------------------------------------------------------

# Activating masquerade to get Internet from VE
$IPTABLES -t nat -A POSTROUTING -o $wan_if -s $lan_net -j MASQUERADE

# Activating masquerade to get VPN access from VE
$IPTABLES -t nat -A POSTROUTING -o tap0 -j MASQUERADE

#-------------------------------------------------------------------------
# Allow ports on CT
#-------------------------------------------------------------------------

# Allow ICMP
$IPTABLES -A INPUT -j ACCEPT -p icmp

# SSH access
$IPTABLES -A INPUT -j ACCEPT -p tcp --dport 22

#-------------------------------------------------------------------------
# Redirections for incoming connections (wan)
#-------------------------------------------------------------------------

# HTTP access
$IPTABLES -t nat -A PREROUTING -p tcp --dport 80 -d $wan_ip -j DNAT --to-destination $ed_ip:80

# HTTPS access
$IPTABLES -t nat -A PREROUTING -p tcp --dport 443 -d $wan_ip -j DNAT --to-destination $ed_ip:443

Example 6

#!/bin/bash
clear
echo "############################## Firewall Rules ###################################"
# Enable routing
echo 1 > /proc/sys/net/ipv4/ip_forward

echo "Initializing rules"

# Clear all rules
iptables -F
iptables -t nat -F
# Apply basic policies
# Allow internal traffic
iptables -P INPUT ACCEPT
iptables -P OUTPUT ACCEPT
iptables -P FORWARD ACCEPT
# Block all entry and exit
iptables -t nat -P PREROUTING DROP
iptables -t nat -P POSTROUTING DROP

# Internal traffic allowed
echo "Internal traffic"
iptables -t nat -I POSTROUTING -o lo -j ACCEPT
iptables -t nat -I PREROUTING -i lo -j ACCEPT


# Network card definitions
WEB="ppp0"
DMZ="eth2"
COM="eth1"
STA="eth0"
PPP="ppp0"

# IP network definitions
NET_COM="10.0.0.0/8"
NET_STA="192.168.2.0/24"
NET_DMZ="172.16.1.0/24"

# Server definitions for external connection to servers
REMOTE="192.168.2.8:81"
FICS="172.16.1.6/32"
EXC="172.16.1.3/32"
DC="172.16.1.1/32"
MAIL="172.16.1.3:25"
HTTP="172.16.1.4:80"
EMULE="172.16.1.4:5555"
RDP="172.16.1.4:3389"
PPTP="172.16.1.1"
VUE="192.168.2.8/32"
MAILWEB="172.16.1.3/32"
LINUX2="172.16.1.7/32"
LINUX="192.168.2.5/32"
YONI="192.168.2.62/32"
WIFI="192.168.2.7/32"

# Common Rules
# ====================== >>>> Masquerade all networks to the internet
echo "Applying common rules"
# All outgoing traffic to Internet is masqueraded
iptables -t nat -I POSTROUTING -s $NET_STA -d $NET_DMZ -j MASQUERADE

# Squid must always go out to internal clients

iptables -t nat -I POSTROUTING -p tcp --sport 3128 -d $NET_STA -j ACCEPT

iptables -t nat -I POSTROUTING -o $WEB -j MASQUERADE

iptables -t nat -I POSTROUTING -o $COM -j MASQUERADE

iptables -t nat -A POSTROUTING -s $NET_STA -o $COM -j DROP
iptables -t nat -A POSTROUTING -s $NET_DMZ -o $COM -j DROP


iptables -I INPUT -i $WEB -m state --state ESTABLISHED -j ACCEPT
iptables -I OUTPUT -m state --state ESTABLISHED -j ACCEPT

iptables -I INPUT -i $COM -m state --state ESTABLISHED -j ACCEPT

# Allow standard internal routing

# ====================== >>>> DHCP
echo "Allowing DHCP traffic"
iptables -t nat -A PREROUTING -p udp --dport 67:68 -j ACCEPT
iptables -t nat -A POSTROUTING -p udp --sport 67:68 -j ACCEPT

echo "Local DNS to SRV-DC"
iptables -t nat -A PREROUTING -p udp --sport 53 -i $DMZ -s "172.16.1.1/32" -j ACCEPT
iptables -t nat -A POSTROUTING -p udp --dport 53 -o $DMZ -d "172.16.1.1/32" -j ACCEPT

iptables -t nat -A PREROUTING -p tcp --sport 53 -i $DMZ -s "172.16.1.1/32" -j ACCEPT
iptables -t nat -A POSTROUTING -p tcp --dport 53 -o $DMZ -d "172.16.1.1/32" -j ACCEPT

# Network access rules
# 1 --> DMZ
    echo "====================== >>>> Rules for commercial machines"
    echo "Daytime rules"
    echo "Access based on time"

    iptables -t nat -I PREROUTING -i $DMZ -m time --timestart 08:45 --timestop 17:45 \
        --days Mon,Tue,Wed,Thu,Fri -p tcp -m multiport --ports 20,21,80,3128,1863,110,119,25,8080,9000 -j ACCEPT

    echo "Nighttime rules"
    iptables -t nat -I PREROUTING -i $DMZ -m time --timestart 17:46 --timestop 23:59 \
        --days Mon,Tue,Wed,Thu -p tcp -j ACCEPT
        iptables -t nat -I PREROUTING -i $DMZ -m time --timestart 00:00 --timestop 08:44 \
               --days Mon,Tue,Wed,Thu,Fri -p tcp -j ACCEPT

    # No limits on weekends
    echo "No limits on weekends"
       iptables -t nat -I PREROUTING -i $DMZ -m time --timestart 17:46 --timestop 23:59 \
               --days Fri  -p tcp -j ACCEPT
       iptables -t nat -I PREROUTING -i $DMZ -m time --timestart 00:00 --timestop 23:59 \
               --days Sat,Sun  -p tcp -j ACCEPT


    iptables -t nat -I PREROUTING -i $DMZ -p udp --dport 53 -j ACCEPT
    #====>>>>>    Transparent proxy for commercial users
    iptables -t nat -I PREROUTING -p tcp -i $DMZ --dport 80 -j REDIRECT --to-port 3128
    iptables -t nat -A PREROUTING -p tcp -i $DMZ --dport 443 -j ACCEPT
#   iptables -t nat -A PREROUTING -p tcp -i $DMZ --dport 443 -j REDIRECT --to-port 3128

    echo "====================== >>>> Rules for classrooms"
# 2 --> Classroom <-> DMZ
#   A - FICS2
    echo "  Classroom -> SRV-FICS2"
    iptables -t nat -A PREROUTING -p tcp -d $FICS -j ACCEPT
    iptables -t nat -A PREROUTING -p tcp --dport 80 -d $MAILWEB -j ACCEPT
    iptables -t nat -A POSTROUTING -s $NET_DMZ -d $NET_STA -j ACCEPT
# 3 --> Classroom <-> Internet
#   A - HTTP
    echo "  Classroom -> Internet with Squid"
    iptables -t nat -A PREROUTING -p tcp -i $STA --dport 80 -j REDIRECT --to-port 3128
    iptables -t nat -A PREROUTING -p tcp -i $STA --dport 443 -j ACCEPT

#   C - DNS
    iptables -t nat -A PREROUTING -p udp -i $STA --dport 53 -j ACCEPT
#   iptables -t nat -A PREROUTING -p tcp -i $STA --dport 53 -j ACCEPT

    echo "====================== >>>> Rules for Internet to internal network"
# 5 --> Internet <--> DMZ
#   A - SMTP
        echo "  SMTP"
        iptables -t nat -I PREROUTING -i $WEB -p tcp --dport 25 -j DNAT --to-destination $MAIL
        iptables -t nat -I POSTROUTING -o $DMZ -d $EXC -p tcp --dport 25 -j ACCEPT

#   B - WEB
        echo "  WEB"
        iptables -t nat -A PREROUTING -i $WEB -p tcp --dport 80 -j DNAT --to-destination $HTTP
        iptables -t nat -A POSTROUTING -o $DMZ -d "172.16.1.4/32" -p tcp --dport 80 -j MASQUERADE
#   B' - EMULE
        iptables -t nat -A PREROUTING -i $WEB -p tcp --dport 5555 -j DNAT --to-destination $EMULE
        iptables -t nat -A POSTROUTING -o $DMZ -d "172.16.1.4/32" -p tcp --dport 5555 -j MASQUERADE
        iptables -t nat -A PREROUTING -i $WEB -p udp --dport 5555 -j DNAT --to-destination $HTTP
        iptables -t nat -A POSTROUTING -o $DMZ -d "172.16.1.4/32" -p udp --dport 5555 -j MASQUERADE
#   C - PPTP
        echo "  PPTP"
        iptables -t nat -A PREROUTING -i $WEB -p 47 -j DNAT --to-destination $PPTP
        iptables -t nat -A POSTROUTING -o $DMZ -p 47 -j MASQUERADE
        iptables -t nat -A PREROUTING -i $WEB -p tcp --dport 1723 -j DNAT --to-destination $PPTP
        iptables -t nat -A POSTROUTING -o $DMZ -p tcp --dport 1723 -j MASQUERADE

#   D - SSH from outside or only for authorized internal machines
        echo "  SSH from Internet"
        iptables -t nat -A PREROUTING -s 172.16.1.0/24 -p tcp --dport 22 -j ACCEPT

#       E - FTP
                echo "  FTP IS DISABLED!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!"
                #iptables -t nat -A PREROUTING -i $WEB -p tcp --dport 20 -j DNAT --to-destination "172.16.1.4:20"
                #iptables -t nat -A PREROUTING -i $WEB -p tcp --dport 21 -j DNAT --to-destination "172.16.1.4:21"
                #iptables -t nat -A POSTROUTING -o $DMZ -d "172.16.1.4/32" -p tcp --dport 21 -j MASQUERADE

                #iptables -t nat -A POSTROUTING -o $DMZ -d "172.16.1.4/32" -p tcp --dport 20 -j MASQUERADE

#   F - RDP
        echo "  RDP"
        iptables -t nat -A PREROUTING -i $WEB -p tcp --dport 3389 -j DNAT --to-destination $RDP
                iptables -t nat -A POSTROUTING -o $DMZ -d "172.16.1.4/32" -p tcp --dport 3389 -j MASQUERADE
#   G - SNMP
        echo "  SNMP"
        iptables -t nat -A POSTROUTING -p tcp --dport 161 -j ACCEPT
        iptables -t nat -A POSTROUTING -p udp --dport 161 -j ACCEPT
        iptables -t nat -A POSTROUTING -p udp --dport 162 -j ACCEPT


# 6 --> Access by MAC address
    echo "====================== >>>> Special rules for internal users"
    echo "  Yoni"
#   A - Yoni
        iptables -t nat -I PREROUTING -m mac --mac-source '00:00:F0:82:58:AF' -j ACCEPT
        iptables -t nat -I PREROUTING -m mac --mac-source '00:04:23:76:63:10' -j ACCEPT

#   A' - OlivierG
        iptables -t nat -I PREROUTING  -s 192.168.2.69/32 -m mac --mac-source '00:0d:60:75:b8:75' -j ACCEPT
        iptables -t nat -I PREROUTING  -s 192.168.2.39/32 -m mac --mac-source '00:0C:F1:43:14:05' -j ACCEPT

#   B - Olivier all
    echo "  OlivierC"
    iptables -t nat -I PREROUTING -s 192.168.2.63/32 -m mac --mac-source '00:90:F5:1E:51:A1' -j ACCEPT
    iptables -t nat -I PREROUTING -s 172.16.1.63/32 -m mac --mac-source '00:90:F5:1E:51:A1' -j ACCEPT
    # Wifi Olivier
    iptables -t nat -I PREROUTING -m mac --mac-source '00:A0:C5:B1:DD:15' -j ACCEPT
#   C - Steeve all
    echo "  Steeve"
        iptables -t nat -I PREROUTING -s 192.168.2.64/32 -m mac --mac-source '00:08:02:04:fa:d7' -j ACCEPT
        iptables -t nat -I PREROUTING -m mac --mac-source '00:08:02:04:fa:d7' -j ACCEPT
#   D - Portable Compaq
    echo "  Portable Compaq"
        iptables -t nat -I PREROUTING -s 192.168.2.65/32 -m mac --mac-source '00:50:8B:FA:B9:5B' \
        -p tcp -m multiport --ports 443,110,25,119 -j ACCEPT
                iptables -t nat -I PREROUTING -s 192.168.2.65/32 -m mac --mac-source '00:50:8B:FA:B9:5B' \
                -p udp --dport 53 -j ACCEPT
                iptables -t nat -I PREROUTING -s 192.168.2.65/32 -m mac --mac-source '00:50:8B:FA:B9:5B' \
        -d $NET_DMZ -j ACCEPT

#   D' Portable Toshiba
    echo "  Portable Toshiba"
        iptables -t nat -I PREROUTING -s 192.168.2.67/32 -m mac --mac-source '00:01:02:E7:36:E3' \
                -p tcp -m multiport --ports 443,110,25,119 -j ACCEPT
        iptables -t nat -I PREROUTING -s 192.168.2.67/32 -m mac --mac-source '00:01:02:E7:36:E3' \
                -p udp --dport 53 -j ACCEPT
        iptables -t nat -I PREROUTING -s 192.168.2.67/32 -m mac --mac-source '00:01:02:E7:36:E3'  \
                -d $NET_DMZ -j ACCEPT

#   E - VUE Server
    echo "   VUE Server"
    iptables -t nat -I PREROUTING -s $VUE -m mac --mac-source '00:0c:6e:c5:42:6c' -j ACCEPT
    iptables -t nat -I PREROUTING -i $DMZ -d $VUE -j ACCEPT
#   F- Linux Server Ground Floor
    echo "  Linux Server"
    iptables -t nat -I PREROUTING -i $DMZ -d $LINUX -j ACCEPT

#   F - Quentin Laptop
    echo "   Quentin"
        iptables -t nat -I PREROUTING -s 172.16.1.65/32 -m mac --mac-source '00:0b:db:a1:c2:a5' -j ACCEPT
        iptables -t nat -I PREROUTING -s 192.168.2.65/32 -m mac --mac-source '00:0b:db:a1:c2:a5' -j ACCEPT
        iptables -t nat -I PREROUTING -s 192.168.2.65/32 -m mac --mac-source '00:a0:c5:b1:da:f8' -j ACCEPT

#   F - Eva Laptop
    echo "  Eva is grounded"
        #iptables -t nat -I PREROUTING -m mac --mac-source '00:02:3f:13:bb:21' -j ACCEPT

#   G  - Lionel Laptop
    echo "  Lionel"
        iptables -t nat -I PREROUTING \
        -m mac --mac-source '00:0D:60:2C:12:95' -j ACCEPT

#   H  - WIFI ROUTER
    echo "  WIFI ROUTER"
        iptables -t nat -I PREROUTING \
        -m mac --mac-source '00:0F:66:33:20:12' -j ACCEPT
echo "############################## END ===> Firewall Rules ###################################"
    iptables -t nat -I PREROUTING -s $LINUX -j ACCEPT
    iptables -t nat -I PREROUTING -s $LINUX2 -j ACCEPT

iptables -t nat -I PREROUTING -s 172.16.1.1/32 -j ACCEPT
iptables -t nat -I PREROUTING -s 172.16.1.2/32 -j ACCEPT
iptables -t nat -I PREROUTING -s 172.16.1.3/32 -j ACCEPT
iptables -t nat -I PREROUTING -s 172.16.1.4/32 -j ACCEPT
iptables -t nat -I PREROUTING -s 172.16.1.5/32 -j ACCEPT
iptables -t nat -I PREROUTING -s 192.168.2.95/32 -j ACCEPT