firewall part II
So let us take a look at the firewall script.
I have tried to divide the script by semantic aspects.
Section 1 loads the necessary modules:
iptables is the firewall module.
iptables_conntrack makes it possible to load the additional connection-tracking modules.
conntrack_ftp makes FTP transfers possible.
conntrack_irc is the Internet Relay Chat module.
iptables_nat makes network address translation possible.
ip_nat_ftp does the same for FTP.
ip_forward is for forwarding packets.
ip_dynaddr manages dynamic addresses.
In section 2 all old rules get deleted and a new default policy is set.
iptables -F flushes all rules.
iptables -P INPUT DROP sets the default policy for all incoming packets to DROP.
iptables -P FORWARD DROP does the same for forwarded packets.
iptables -P OUTPUT DROP and once more for outgoing packets.
Section 3 handles the necessary rules.
iptables -A OUTPUT -p udp --sport 1024: --dport 53 -j ACCEPT
makes a rule for the outgoing DNS packets. The protocol type (-p) is udp, the source port is 1024 or higher (the trailing colon means "and above"), the destination port is 53.
These values are DNS-specific.
iptables -A INPUT -p udp -s 194.25.2.129 --sport 53 --dport 1024: -j ACCEPT allows incoming DNS packets. The source (-s) is the IP address of my DNS server.
iptables -A OUTPUT -p tcp --sport 1024: --dport 53 -j ACCEPT allows outgoing TCP packets for DNS.
iptables -A INPUT -p tcp -s 192.25.2.129 --sport 53 --dport 1024: ! --syn -j ACCEPT allows incoming packets only if they don't (!) try to establish a new (--syn) connection.
iptables -A FORWARD -o ppp0 -p udp --sport 1024: --dport 53 -j ACCEPT allows forwarding of outgoing DNS packets on ppp0 with UDP as the protocol, and so on.
Every rule has its analogue for incoming packets. Every service has its own port.
more /etc/services will show you each service and the port that belongs to it.
http and https are for browsing.
loopback is the internal device, necessary for many programs and services.
Extending the rules:
smtp allows sending e-mails.
pop3 allows receiving e-mails.
realplayer is for Real Audio.
nfs allows the internal network.
whois and finger allow the network tools.
Section V
Error handling.
Section VI
iptables -A FORWARD -o ppp0 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT allows forwarding of outgoing packets that establish new connections (NEW), belong to existing ones (ESTABLISHED) or are related to them (RELATED).
iptables -A FORWARD -i ppp0 -m state --state ESTABLISHED,RELATED -j ACCEPT handles the incoming direction of forwarding: only packets of established or related connections are accepted.
iptables -t nat -A POSTROUTING -o ppp0 -j MASQUERADE does the masquerading job.
Section VII
logs the remaining packets and drops them.
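The sections above, put together as one script (an added example, not the original script). It prints the iptables commands as a dry run unless IPT=iptables is set, uses ppp0 and the DNS server address from this page as defaults, and goes slightly beyond the text by restricting the outgoing DNS rules to that resolver and rate-limiting the final LOG rule (the -m limit match is an assumption of this example).

```shell
#!/bin/sh
# Added example: dry-run generator for the rule set walked through above.
# Run as root with IPT=iptables to apply; the default only prints the commands.
IPT=${IPT:-"echo iptables"}
WAN=${WAN:-ppp0}                          # external interface named on the page
DNS_SERVER=${DNS_SERVER:-194.25.2.129}    # resolver address used on the page

firewall_rules() {
    # section 2: flush everything and default-deny on all three chains
    $IPT -F
    $IPT -t nat -F
    $IPT -P INPUT DROP
    $IPT -P FORWARD DROP
    $IPT -P OUTPUT DROP
    # loopback: needed by many local programs and services
    $IPT -A INPUT  -i lo -j ACCEPT
    $IPT -A OUTPUT -o lo -j ACCEPT
    # section 3: DNS over UDP and TCP, only to/from the configured resolver;
    # incoming TCP answers may never open a new connection (! --syn)
    $IPT -A OUTPUT -p udp -d "$DNS_SERVER" --sport 1024: --dport 53 -j ACCEPT
    $IPT -A INPUT  -p udp -s "$DNS_SERVER" --sport 53 --dport 1024: -j ACCEPT
    $IPT -A OUTPUT -p tcp -d "$DNS_SERVER" --sport 1024: --dport 53 -j ACCEPT
    $IPT -A INPUT  -p tcp -s "$DNS_SERVER" --sport 53 --dport 1024: ! --syn -j ACCEPT
    # section VI: stateful forwarding for the internal network plus masquerading
    $IPT -A FORWARD -o "$WAN" -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
    $IPT -A FORWARD -i "$WAN" -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -t nat -A POSTROUTING -o "$WAN" -j MASQUERADE
    # section VII: log whatever is left (rate-limited so the log cannot be flooded), then drop
    for chain in INPUT FORWARD OUTPUT; do
        $IPT -A "$chain" -m limit --limit 5/min -j LOG --log-prefix "fw-$chain-drop: "
        $IPT -A "$chain" -j DROP
    done
}

firewall_rules
```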