A useful iptables script for IPCop (written by a friend; I no longer remember who wrote it — if you know, please email me at ayihu@qq.com):
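#!/bin/sh
#
# Firewall      Starting Firewall
#
# chkconfig: 2345 98 01
# description: setting Firewall
#
# Linear init script for a single-LAN NAT gateway: loads the netfilter
# modules, sets the IPv4 sysctls, resets all tables to a default-DROP
# policy, defines helper chains, then populates INPUT, OUTPUT, FORWARD
# and the nat POSTROUTING chain.  Must run as root.
#
# NOTE: the module names and the "-m state" match are those of the
# 2.4/2.6-era kernels IPCop shipped with; newer kernels use the
# nf_conntrack / xt_* names and "-m conntrack --ctstate".
##########################################################################
# Set parameters
##########################################################################
INNER_NET=192.168.0.0/24      # LAN network (set freely)
FWALL_IP=192.168.0.1          # the firewall's own LAN address
INNER_PORT=eth1               # LAN-side interface (names are case-sensitive)
OUTER_PORT=ppp0               # WAN-side interface
IPTABLES=/sbin/iptables       # iptables command
MODPROBE=/sbin/modprobe       # modprobe command

##########################################################################
# Module loading and kernel settings
##########################################################################
$MODPROBE ip_tables
$MODPROBE iptable_filter
$MODPROBE ip_conntrack
$MODPROBE iptable_nat
$MODPROBE ip_nat_ftp
$MODPROBE ip_conntrack_ftp
$MODPROBE ipt_state
$MODPROBE ipt_MASQUERADE
$MODPROBE ipt_LOG
$MODPROBE ipt_REJECT
$MODPROBE ipt_limit

# Enable IP forwarding (required for masquerading the LAN)
echo 1 > /proc/sys/net/ipv4/ip_forward
# Ignore pings sent to broadcast addresses
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
# Reverse-path check: drop packets whose source is not routed via the
# interface they arrived on
for f in /proc/sys/net/ipv4/conf/*/rp_filter; do echo 1 > "$f"; done
# Log packets with impossible (martian) source addresses
for f in /proc/sys/net/ipv4/conf/*/log_martians; do echo 1 > "$f"; done
# Ignore ICMP redirects.  The original wrote 1 here, which *accepts*
# redirects and contradicts its own comment; 0 is the ignoring value.
for f in /proc/sys/net/ipv4/conf/*/accept_redirects; do echo 0 > "$f"; done

##########################################################################
# Initialise rules: default-DROP policies, then flush and delete chains
##########################################################################
$IPTABLES -P INPUT DROP
$IPTABLES -P OUTPUT DROP
$IPTABLES -P FORWARD DROP
$IPTABLES -F                  # flush the filter table
$IPTABLES -F -t nat           # flush the nat table
$IPTABLES -X                  # delete user-defined chains (filter table)

##########################################################################
# User-defined chains
##########################################################################
#
# droppacket: log (rate-limited) and discard malformed packets
#
$IPTABLES -N droppacket
$IPTABLES -A droppacket -m limit --limit 1/s --limit-burst 10 \
  -j LOG --log-prefix "Invalid_packet:" --log-level 3
$IPTABLES -A droppacket -j DROP
#
# synflood: SYNs within the rate limit return to the caller; anything
# beyond it is treated as a SYN flood, logged (rate-limited) and dropped
#
$IPTABLES -N synflood
$IPTABLES -A synflood -m limit --limit 10/s --limit-burst 20 -j RETURN
$IPTABLES -A synflood -m limit --limit 1/s --limit-burst 10 \
  -j LOG --log-prefix "Synflood:" --log-level 1
$IPTABLES -A synflood -j DROP
#
# dropflags: log (rate-limited) and discard TCP packets with bogus flags
#
$IPTABLES -N dropflags
$IPTABLES -A dropflags -m limit --limit 1/s --limit-burst 10 \
  -j LOG --log-prefix "Invalid_flags:" --log-level 3
$IPTABLES -A dropflags -j DROP
#
# chkflags: detect illegal TCP flag combinations (nmap-style scans,
# Xmas/null packets) and hand them to dropflags
#
$IPTABLES -N chkflags
$IPTABLES -A chkflags -p tcp --tcp-flags ACK,FIN FIN -j dropflags
$IPTABLES -A chkflags -p tcp --tcp-flags ACK,PSH PSH -j dropflags
$IPTABLES -A chkflags -p tcp --tcp-flags ACK,URG URG -j dropflags
$IPTABLES -A chkflags -p tcp --tcp-flags FIN,RST FIN,RST -j dropflags
$IPTABLES -A chkflags -p tcp --tcp-flags SYN,FIN SYN,FIN -j dropflags
$IPTABLES -A chkflags -p tcp --tcp-flags SYN,RST SYN,RST -j dropflags
$IPTABLES -A chkflags -p tcp --tcp-flags ALL ALL -j dropflags
$IPTABLES -A chkflags -p tcp --tcp-flags ALL NONE -j dropflags
$IPTABLES -A chkflags -p tcp --tcp-flags ALL FIN,PSH,URG -j dropflags
$IPTABLES -A chkflags -p tcp --tcp-flags ALL SYN,FIN,PSH,URG -j dropflags
$IPTABLES -A chkflags -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j dropflags
#
# chkmsnet: silently drop Microsoft networking traffic so it never
# leaves the LAN (the original listed UDP 137:138 twice; once is enough)
#
$IPTABLES -N chkmsnet
$IPTABLES -A chkmsnet -p tcp --dport 42 -j DROP        # WINS replication
$IPTABLES -A chkmsnet -p tcp --dport 135 -j DROP       # MS-RPC
$IPTABLES -A chkmsnet -p udp --dport 135 -j DROP       # MS-RPC
$IPTABLES -A chkmsnet -p udp --dport 137:138 -j DROP   # NetBIOS name/datagram
$IPTABLES -A chkmsnet -p tcp --dport 139 -j DROP       # SMB over NetBIOS
$IPTABLES -A chkmsnet -p tcp --dport 445 -j DROP       # direct-hosted SMB

##########################################################################
# INPUT chain (traffic addressed to the firewall itself)
##########################################################################
# Loopback: allow everything
$IPTABLES -A INPUT -i lo -j ACCEPT
# Malformed / untrackable packets
$IPTABLES -A INPUT -m state --state INVALID -j droppacket
# SYN-flood rate limiting
$IPTABLES -A INPUT -p tcp --syn -j synflood
# TCP flag sanity check
$IPTABLES -A INPUT -p tcp -j chkflags
# Anti-spoofing: LAN source addresses must never arrive on the WAN side.
# Placed before any ACCEPT so a spoofed packet cannot ride an existing
# conntrack entry (the original had it after the ESTABLISHED rule).
$IPTABLES -A INPUT -i "$OUTER_PORT" -s "$INNER_NET" -j DROP
# Everything from the LAN is trusted
$IPTABLES -A INPUT -i "$INNER_PORT" -s "$INNER_NET" -j ACCEPT
# Replies to connections the firewall opened
$IPTABLES -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
#
# Services accepted from *any* source, i.e. also from the WAN side.
# Trim this list to what the box really serves externally.
#
$IPTABLES -A INPUT -p tcp --dport 22  -m state --state NEW -j ACCEPT   # SSH
$IPTABLES -A INPUT -p tcp --dport 80  -m state --state NEW -j ACCEPT   # HTTP
$IPTABLES -A INPUT -p tcp --dport 443 -m state --state NEW -j ACCEPT   # HTTPS
$IPTABLES -A INPUT -p tcp --dport 53  -m state --state NEW -j ACCEPT   # DNS
$IPTABLES -A INPUT -p udp --dport 53  -m state --state NEW -j ACCEPT   # DNS
# Reject ident/auth lookups quickly instead of letting them time out
$IPTABLES -A INPUT -p tcp --dport 113 -j REJECT --reject-with tcp-reset
# ICMP (in): echo only from the LAN, error messages from anywhere
$IPTABLES -A INPUT -p icmp --icmp-type echo-request -s "$INNER_NET" -j ACCEPT
$IPTABLES -A INPUT -p icmp --icmp-type echo-reply   -s "$INNER_NET" -j ACCEPT
$IPTABLES -A INPUT -p icmp --icmp-type destination-unreachable -j ACCEPT
$IPTABLES -A INPUT -p icmp --icmp-type source-quench -j ACCEPT
$IPTABLES -A INPUT -p icmp --icmp-type time-exceeded -j ACCEPT
$IPTABLES -A INPUT -p icmp --icmp-type parameter-problem -j ACCEPT
# Anything else is logged (rate-limited) and then hits the DROP policy
$IPTABLES -A INPUT -m limit --limit 1/s --limit-burst 10 \
  -j LOG --log-prefix "Undefind_input:" --log-level 3

##########################################################################
# OUTPUT chain (traffic generated by the firewall itself)
##########################################################################
# Loopback
$IPTABLES -A OUTPUT -o lo -j ACCEPT
# TCP flag sanity check
$IPTABLES -A OUTPUT -p tcp -j chkflags
# Firewall to LAN
$IPTABLES -A OUTPUT -o "$INNER_PORT" -s "$FWALL_IP" -j ACCEPT
# Never emit Microsoft networking traffic towards the WAN
$IPTABLES -A OUTPUT -j chkmsnet
# Existing connections
$IPTABLES -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# New connections from the firewall to the Internet
$IPTABLES -A OUTPUT -m state --state NEW -j ACCEPT
# ICMP (out).  NOTE(review): the NEW/ESTABLISHED rules above already
# accept these; they only matter for packets conntrack deems INVALID.
$IPTABLES -A OUTPUT -p icmp --icmp-type echo-request -j ACCEPT
$IPTABLES -A OUTPUT -p icmp --icmp-type echo-reply -j ACCEPT
$IPTABLES -A OUTPUT -p icmp --icmp-type destination-unreachable -j ACCEPT
$IPTABLES -A OUTPUT -p icmp --icmp-type fragmentation-needed -j ACCEPT
$IPTABLES -A OUTPUT -p icmp --icmp-type source-quench -j ACCEPT
$IPTABLES -A OUTPUT -p icmp --icmp-type parameter-problem -j ACCEPT
# Anything else is logged (rate-limited) and then hits the DROP policy
$IPTABLES -A OUTPUT -m limit --limit 1/s --limit-burst 10 \
  -j LOG --log-prefix "undefind_icmp:" --log-level 3

##########################################################################
# FORWARD chain and NAT (LAN <-> Internet through the firewall)
##########################################################################
# Never forward Microsoft networking traffic
$IPTABLES -A FORWARD -j chkmsnet
# Masquerade LAN hosts behind the WAN interface's address
$IPTABLES -t nat -A POSTROUTING -o "$OUTER_PORT" -s "$INNER_NET" -j MASQUERADE
# WAN -> LAN: only replies to connections the LAN opened
$IPTABLES -A FORWARD -i "$OUTER_PORT" -o "$INNER_PORT" -d "$INNER_NET" \
  -m state --state ESTABLISHED,RELATED -j ACCEPT
# LAN -> WAN: new and existing connections from LAN addresses
$IPTABLES -A FORWARD -i "$INNER_PORT" -o "$OUTER_PORT" -s "$INNER_NET" \
  -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT

exit 0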