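# NOTE(review): the lines below were recovered from a whitespace-mangled copy
# (missing spaces, lower-cased chain/module names).  Variable names are
# reconstructed as LAN_IFACE / INET_IP and must match the definitions at the
# top of this script — verify against the variable section before use.

# DHCP requests from the LAN to the firewall host.  Enable this rule only when
# the firewall itself acts as the LAN's DHCP server.  (The server port 67 and
# the ACCEPT target were not legible in the mangled original — confirm.)
# "$IPTABLES" -A INPUT -p udp -i "$LAN_IFACE" --dport 67 --sport 68 -j ACCEPT

# Accept packets from the WAN addressed to the firewall host itself, but only
# when they belong to a connection the host already has (reply/related
# traffic).  Anything new from the WAN falls through to the rules below.
"$IPTABLES" -A INPUT -p all -d "$INET_IP" -m state --state ESTABLISHED,RELATED -j ACCEPT

# Log what reached the end of INPUT without matching.  The limit match caps
# logging at 3 entries/minute with a burst of 3; packets beyond that simply do
# not match this LOG rule and fall through to the chain policy, so a flood of
# unwanted packets cannot fill the log.  This rule logs only — it does not drop.
"$IPTABLES" -A INPUT -m limit --limit 3/minute --limit-burst 3 -j LOG --log-level INFO --log-prefix "IPT INPUT Packet Died: "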
#
# 4.1.5 FORWARD chain (filters packets that pass through the firewall between LAN and WAN)
#
#
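# NOTE(review): recovered from a whitespace-mangled copy; chain names must be
# the built-in INPUT/FORWARD (case-sensitive), the match module is `state`
# (lower case), and variable names are reconstructed as INET_IFACE, LAN_IFACE,
# LAN_HTTPn_IP, HTTP, HTTPS — verify against the definitions earlier in the
# script.  The list of WEB-server rules may continue past this excerpt.

# Every TCP packet forwarded through the firewall is first screened by the
# bad_tcp_packets chain (defined earlier in the script).
"$IPTABLES" -A FORWARD -p tcp -j bad_tcp_packets

# LAN -> WAN: all traffic is allowed out.  This is unrestricted egress; nothing
# in this chain limits what LAN hosts may reach on the Internet.
"$IPTABLES" -A FORWARD -i "$LAN_IFACE" -o "$INET_IFACE" -j ACCEPT

# WAN -> LAN: only reply/related traffic for connections the LAN opened.
"$IPTABLES" -A FORWARD -i "$INET_IFACE" -o "$LAN_IFACE" -m state --state ESTABLISHED,RELATED -j ACCEPT

# ICMP from the WAN to each campus server is handed to the icmp_packets chain,
# which decides which ICMP types (e.g. ping) are accepted.  One rule per server,
# in the same order as the original explicit list.
for server_ip in \
  "$LAN_HTTP1_IP" "$LAN_HTTP2_IP" "$LAN_HTTP3_IP" \
  "$LAN_HTTP4_IP" "$LAN_HTTP5_IP" "$LAN_HTTP6_IP"; do
  "$IPTABLES" -A FORWARD -p icmp -i "$INET_IFACE" -o "$LAN_IFACE" -d "$server_ip" -j icmp_packets
done

# HTTP and HTTPS from the WAN to the campus WEB servers, via the `allowed`
# chain.  multiport takes `--dports` (plural); with `-p tcp` the singular
# `--dport` resolves to the tcp match, which rejects a comma-separated list.
# The port list must contain no spaces, otherwise it splits into two arguments.
"$IPTABLES" -A FORWARD -p tcp -i "$INET_IFACE" -o "$LAN_IFACE" -d "$LAN_HTTP1_IP" -m multiport --dports "$HTTP,$HTTPS" -j allowed
"$IPTABLES" -A FORWARD -p tcp -i "$INET_IFACE" -o "$LAN_IFACE" -d "$LAN_HTTP2_IP" -m multiport --dports "$HTTP,$HTTPS" -j allowed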