
D.9. /etc/init.d/firewall

#!/bin/ash 
# 
#
# GPL $Id: firewall,v 1.3 2005/10/16 14:58:12 cvonk Exp $
# Firewall configuration for iptables/netfilter
#
# Originally generated by Firewall Builder  fwb_ipt v2.0.5-1 
# but many mods for SISO

# Tool paths (busybox ip; the iproute "flush" subcommands are not available,
# see the commented-out lines in configure()).
IPTABLES="/sbin/iptables"
IP="/bin/ip"

# Router-side addresses of the internal networks.  Each is used with a /24
# (or /8 for loopback) suffix when building source/destination matches.
IP_ETH0=10.0.1.1                  # LAN
IP_ETH1=                          # WAN; filled in at run time by getaddr eth1
IP_ETH1_GW=                       # WAN default gateway; filled in by getaddrgw eth1
IP_ATH0=10.0.2.1                  # WiFi
IP_VPN0=10.0.3.1                  # VPN
IP_LOCAL=127.0.0.0                # loopback net (used as /8)
SYSLOG_SERVER=10.0.1.2            # not referenced by any rule in this script
# Where the eth1 address seen on the previous run is recorded, so a lease
# renewal that keeps the same address does not rebuild the whole rule set.
IP_ETH1_PREV_FNAME=/var/run/firewall.eth1

# Non-empty: WAN anti-spoofing is done with the kernel's rp_filter;
# empty: an explicit ETH1_ANTISPOOFING chain is built instead (eth1 rule 6).
TRY_RPFILTER=1
# Extra arguments for every LOG target; intentionally left unquoted at the
# call sites so the words split into separate iptables arguments.
LOG_OPTIONS="--log-level notice"  #--log-ip-options  --log-tcp-options
# Empty: the TFTP DNAT rule and the ETH1_ALLOWTFTP chain are not created.
TFTP_SERVER=

# provides log, getaddr and getaddrgw
. /etc/init.d/functions

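#######################################
# Build the complete filter and nat rule set (the mangle table is left alone
# because /etc/init.d/racoon keeps its IPsec marks there).
# Globals (read):   IPTABLES IP IP_ETH0 IP_ATH0 IP_VPN0 IP_LOCAL
#                   IP_ETH1_PREV_FNAME TRY_RPFILTER LOG_OPTIONS TFTP_SERVER
# Globals (written): IP_ETH1 and IP_ETH1_GW via getaddr/getaddrgw,
#                   BOOTPROTO via /etc/sysconfig/network/eth1.conf,
#                   IP_ETH1_PREV
# Side effects:     flushes and rebuilds filter/nat, writes /proc/sys knobs,
#                   records the current eth1 address in $IP_ETH1_PREV_FNAME,
#                   enables IP forwarding on the way out.
# Returns:          0; returns early when eth1 still has the address recorded
#                   on the previous run.  Exits 1 when iproute is missing.
#######################################
configure()
{
    if ! $IP link show >/dev/null 2>&1; then
        echo "iproute not found"
        exit 1
    fi

    log "Fw: Activating .."

    # get the dynamically assigned address of the external interface.
    getaddr eth1 IP_ETH1
    getaddrgw eth1 IP_ETH1_GW

    # the firewall script needs to be rerun when the IP address of the external
    # interface changes.  However it does not need to do anything when the
    # external interface is assigned the same address that it had before.
    IP_ETH1_PREV=$(cat "$IP_ETH1_PREV_FNAME" 2>/dev/null)
    test -z "$IP_ETH1_PREV" && IP_ETH1_PREV="not set"

    echo "$IP_ETH1" > "$IP_ETH1_PREV_FNAME"

    if [ "$IP_ETH1" = "$IP_ETH1_PREV" ] ; then
        log "Fw: external dynamic IP lease extended, no need to reconfigure"
        return
    fi

    log "Fw: eth1 address is $IP_ETH1 (was \"$IP_ETH1_PREV\")"

    # rp_filter is switched off here and re-enabled per interface in
    # "eth1 rule 6" below (when TRY_RPFILTER is set).
    echo 0 > /proc/sys/net/ipv4/conf/all/rp_filter
    echo 0 > /proc/sys/net/ipv4/conf/all/accept_source_route
    echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
    echo 0 > /proc/sys/net/ipv4/icmp_echo_ignore_all

    # the busybox ip command does not support these commands
    #$IP -4 neigh flush dev ath0 >/dev/null 2>&1
    #$IP -4 addr flush dev ath0 secondary label "ath0:FWB*" >/dev/null 2>&1
    #$IP -4 neigh flush dev eth0 >/dev/null 2>&1
    #$IP -4 addr flush dev eth0 secondary label "eth0:FWB*" >/dev/null 2>&1
    #$IP -4 neigh flush dev eth1 >/dev/null 2>&1
    #$IP -4 addr flush dev eth1 secondary label "eth1:FWB*" >/dev/null 2>&1

    log "Fw: default policy is DROP"

    # Policies go to DROP before the old rules are flushed, so there is no
    # window with an empty-but-ACCEPT rule set while we rebuild.
    $IPTABLES -P OUTPUT  DROP
    $IPTABLES -P INPUT   DROP
    $IPTABLES -P FORWARD DROP

    log "Fw: flush all chains (except mangle)"

    # /proc/net/ip_tables_names lists the loaded tables one per line.  Each
    # chain in "iptables -L" output starts with a "Chain <name> ..." line,
    # which is what the inner loop keys on.  Mangle is skipped because the
    # IPsec marks set by /etc/init.d/racoon live there.
    while read table; do
        test "X$table" = "Xmangle" && continue
        $IPTABLES -t "$table" -L -n | while read c chain rest; do
            if test "X$c" = "XChain" ; then
                $IPTABLES -t "$table" -F "$chain"
            fi
        done
        $IPTABLES -t "$table" -X
    done < /proc/net/ip_tables_names

    log "Fw: accept established connections"

    # NOTE(review): OUTPUT also accepts INVALID, unlike INPUT/FORWARD;
    # presumably so locally generated RSTs/ICMP errors can leave -- confirm.
    $IPTABLES -A INPUT   -m state --state ESTABLISHED,RELATED         -j ACCEPT
    $IPTABLES -A OUTPUT  -m state --state ESTABLISHED,RELATED,INVALID -j ACCEPT
    $IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED         -j ACCEPT

    log "Fw: allow management traffic (SSH)"

    # This rule has no -i, so SSH is reachable on every interface, including
    # eth1 (WAN) and ath0 (WiFi), and it sits ahead of the per-interface
    # spoof checks below.  The port-22 entry in ETH1_ALLOWIPSEC further down
    # is therefore never reached for NEW connections.
    $IPTABLES -A INPUT -p tcp -m tcp --dport ssh  -m state --state NEW -j ACCEPT

    log "Fw: NAT rule 0: do not translate lan/vpn/wifi/extif<>lan/vpn/wifi/extif"

    # I wonder if this can/should be a lot simpler, i.e.
    #   for net in "$IP_ETH0/24 $IP_ATH0/24 $IP_VPN0/24 $IP_LOCAL/8"
    #     $IPTABLES -t nat -A POSTROUTING -o eth1 -s $net -d ! $net -j MASQUERADE
    #   done

    # Traffic whose destination is one of our own networks is sent to
    # NAT_DONOTTRANSLATE, which ACCEPTs it (no translation) when the source
    # is also one of ours.  Anything else falls through to the SNAT/MASQUERADE
    # rules in NAT rule 2.
    $IPTABLES -t nat -N NAT_DONOTTRANSLATE

    test -n "$IP_ETH1" && \
    $IPTABLES -t nat -A POSTROUTING  -d $IP_ETH1/32 -j NAT_DONOTTRANSLATE
    $IPTABLES -t nat -A POSTROUTING  -d $IP_ETH0/24 -j NAT_DONOTTRANSLATE
    $IPTABLES -t nat -A POSTROUTING  -d $IP_ATH0/24 -j NAT_DONOTTRANSLATE
    $IPTABLES -t nat -A POSTROUTING  -d $IP_VPN0/24 -j NAT_DONOTTRANSLATE
    $IPTABLES -t nat -A POSTROUTING  -d $IP_LOCAL/8 -j NAT_DONOTTRANSLATE

    test -n "$IP_ETH1" && \
    $IPTABLES -t nat -A PREROUTING   -d $IP_ETH1/32 -j NAT_DONOTTRANSLATE
    $IPTABLES -t nat -A PREROUTING   -d $IP_ETH0/24 -j NAT_DONOTTRANSLATE
    $IPTABLES -t nat -A PREROUTING   -d $IP_ATH0/24 -j NAT_DONOTTRANSLATE
    $IPTABLES -t nat -A PREROUTING   -d $IP_VPN0/24 -j NAT_DONOTTRANSLATE
    $IPTABLES -t nat -A PREROUTING   -d $IP_LOCAL/8 -j NAT_DONOTTRANSLATE

    test -n "$IP_ETH1" && \
    $IPTABLES -t nat -A NAT_DONOTTRANSLATE  -s $IP_ETH1/32 -j ACCEPT
    $IPTABLES -t nat -A NAT_DONOTTRANSLATE  -s $IP_ETH0/24 -j ACCEPT
    $IPTABLES -t nat -A NAT_DONOTTRANSLATE  -s $IP_ATH0/24 -j ACCEPT
    $IPTABLES -t nat -A NAT_DONOTTRANSLATE  -s $IP_VPN0/24 -j ACCEPT
    $IPTABLES -t nat -A NAT_DONOTTRANSLATE  -s $IP_LOCAL/8 -j ACCEPT

# log "Fw: NAT rule 1: redirect FTP traffic to its servers"
#
# (kept for reference; note FTP_SERVER is not defined anywhere in this
#  script and "-dport" needs a second dash before this could be re-enabled)
#    test -n "$IP_ETH1" && \
#    $IPTABLES -t nat -A PREROUTING  -p tcp -m tcp -dport 21 -d $IP_ETH1 \
#	-j DNAT --to-destination $FTP_SERVER
#    $IPTABLES -t nat -A PREROUTING  -p udp -m udp -dport 21 -d $IP_ETH1 \
#	-j DNAT --to-destination $FTP_SERVER

    log "Fw: NAT rule 1: redirect TFTP traffic to its server"

    # Only created when TFTP_SERVER is set (it is empty by default).  Note
    # that this exposes the internal TFTP server to the WAN; the filter side
    # must also allow it (see eth1 rule 1a, which is currently not wired in).
    test -n "$IP_ETH1" && test -n "$TFTP_SERVER" && \
    $IPTABLES -t nat -A PREROUTING  -p udp -m udp --dport 69 -d $IP_ETH1 \
        -j DNAT --to-destination $TFTP_SERVER

    # eth1.conf is sourced as shell code (as root) for BOOTPROTO; keep it
    # root-owned and not writable by anyone else.
    . /etc/sysconfig/network/eth1.conf
    log "Fw: NAT rule 2: masquerade/snat lan<>wan, wifi<>wan, vpn<>wan ($BOOTPROTO)"
    if [ -n "$IP_ETH1" ] ; then
        if [ "$BOOTPROTO" = "static" ] ; then
            # static WAN address: SNAT is cheaper than MASQUERADE and keeps
            # conntrack entries across a rule reload
            $IPTABLES -t nat -A POSTROUTING -o eth1  -s $IP_ETH0/24 \
                -j SNAT --to-source $IP_ETH1
            $IPTABLES -t nat -A POSTROUTING -o eth1  -s $IP_ATH0/24 \
                -j SNAT --to-source $IP_ETH1
            $IPTABLES -t nat -A POSTROUTING -o eth1  -s $IP_VPN0/24 \
                -j SNAT --to-source $IP_ETH1
            $IPTABLES -t nat -A POSTROUTING -o eth1  -s $IP_LOCAL/8 \
                -j SNAT --to-source $IP_ETH1
        else
            # not sure if the following line is needed
            # echo "1" > /proc/sys/net/ipv4/ip_dynaddr
            $IPTABLES -t nat -A POSTROUTING -o eth1  -s $IP_ETH0/24 -j MASQUERADE
            $IPTABLES -t nat -A POSTROUTING -o eth1  -s $IP_ATH0/24 -j MASQUERADE
            $IPTABLES -t nat -A POSTROUTING -o eth1  -s $IP_VPN0/24 -j MASQUERADE
            $IPTABLES -t nat -A POSTROUTING -o eth1  -s $IP_LOCAL/8 -j MASQUERADE
        fi
    fi

    log "Fw: ath0 rule 0: allow all traffic going to WiFi"

    $IPTABLES -A OUTPUT  -o ath0  -m state --state NEW  -j ACCEPT
    $IPTABLES -A FORWARD -o ath0  -m state --state NEW  -j ACCEPT

    log "Fw: ath0 rule 1: allow WiFi DHCP requests"

    # Only the unconfigured-client case (0.0.0.0 -> broadcast) needs this;
    # renewals carry a WiFi source address and are covered by rule 2.
    $IPTABLES -N ATH_ALLOWDHCP
    $IPTABLES -A INPUT  -i ath0  -s 0.0.0.0  -d 255.255.255.255 \
        -m state --state NEW  -j ATH_ALLOWDHCP
    $IPTABLES -A ATH_ALLOWDHCP  -p udp -m udp \
        -m multiport  --dports 68,67  -j ACCEPT

    log "Fw: ath0 rule 2: allow traffic from Wifi interface with a WiFi IP-address"

    $IPTABLES -A INPUT   -i ath0 -s $IP_ATH0/24  -m state --state NEW -j ACCEPT
    $IPTABLES -A FORWARD -i ath0 -s $IP_ATH0/24  -m state --state NEW -j ACCEPT

    log "Fw: ath0 rule 3: only allow incoming with WiFi/0.0.0.0 IP-address"

    # "-s ! net" is the pre-1.4.3 iptables negation syntax; newer releases
    # want "! -s net".  Leave as-is unless the iptables binary is upgraded.
    $IPTABLES -N ATH0_VERIFYIP
    $IPTABLES -A INPUT   -i ath0  -s ! $IP_ATH0/24  -j ATH0_VERIFYIP
    $IPTABLES -A FORWARD -i ath0  -s ! $IP_ATH0/24  -j ATH0_VERIFYIP
    $IPTABLES -A ATH0_VERIFYIP  -m limit --limit 4/minute -j LOG \
        $LOG_OPTIONS --log-prefix "Fw: DENY WiFi Spoofing: "
    $IPTABLES -A ATH0_VERIFYIP   -j DROP

    log "Fw: eth0 rule 0: allow all traffic going to LAN"

    $IPTABLES -A OUTPUT  -o eth0  -m state --state NEW  -j ACCEPT
    $IPTABLES -A FORWARD -o eth0  -m state --state NEW  -j ACCEPT

    log "Fw: eth0 rule 1: allow LAN DHCP requests"

    $IPTABLES -N ETH0_ALLOWDHCP
    $IPTABLES -A INPUT  -i eth0  -s 0.0.0.0  -d 255.255.255.255  \
        -m state --state NEW  -j ETH0_ALLOWDHCP
    $IPTABLES -A ETH0_ALLOWDHCP  -p udp -m udp  \
        -m multiport  --dports 68,67  -j ACCEPT

    log "Fw: eth0 rule 2: allow traffic from LAN interface with a LAN IP-address"

    $IPTABLES -A INPUT   -i eth0 -s $IP_ETH0/24  -m state --state NEW -j ACCEPT
    $IPTABLES -A FORWARD -i eth0 -s $IP_ETH0/24  -m state --state NEW -j ACCEPT

    log "Fw: eth0 rule 3: only allow incoming with LAN/0.0.0.0 IP-address"

    $IPTABLES -N ETH0_VERIFYIP
    $IPTABLES -A INPUT  -i eth0  -s ! $IP_ETH0/24  -j ETH0_VERIFYIP
    $IPTABLES -A FORWARD  -i eth0  -s ! $IP_ETH0/24  -j ETH0_VERIFYIP
    $IPTABLES -A ETH0_VERIFYIP    -m limit --limit 4/minute -j LOG  \
        $LOG_OPTIONS --log-prefix "Fw: DENY LAN Spoofing: "
    $IPTABLES -A ETH0_VERIFYIP   -j DROP

    log "Fw: eth1 rule 0: allow all traffic to WAN"

#CJV
    # Debug logging for L2TP (1701) and IPsec NAT-T (4500).  These LOG rules
    # carry no "-m limit", so a burst of such packets goes straight to
    # syslog; remove them or add a limit once the IPsec setup is debugged.
    $IPTABLES -A INPUT -p udp -m udp --dport 1701 -j LOG $LOG_OPTIONS --log-prefix "Fw: CJV INPUT d1701: "
    $IPTABLES -A INPUT -p udp -m udp --sport 1701 -j LOG $LOG_OPTIONS --log-prefix "Fw: CJV INPUT s1701: "
    $IPTABLES -A INPUT -p udp -m udp --dport 4500 -j LOG $LOG_OPTIONS --log-prefix "Fw: CJV INPUT d4500: "
    $IPTABLES -A INPUT -p udp -m udp --sport 4500 -j LOG $LOG_OPTIONS --log-prefix "Fw: CJV INPUT s4500: "

    $IPTABLES -A OUTPUT -p udp -m udp --dport 1701 -j LOG $LOG_OPTIONS --log-prefix "Fw: CJV OUTPUT d1701: "
    $IPTABLES -A OUTPUT -p udp -m udp --sport 1701 -j LOG $LOG_OPTIONS --log-prefix "Fw: CJV OUTPUT s1701: "
    $IPTABLES -A OUTPUT -p udp -m udp --dport 4500 -j LOG $LOG_OPTIONS --log-prefix "Fw: CJV OUTPUT d4500: "
    $IPTABLES -A OUTPUT -p udp -m udp --sport 4500 -j LOG $LOG_OPTIONS --log-prefix "Fw: CJV OUTPUT s4500: "

    $IPTABLES -A FORWARD -p udp -m udp --dport 1701 -j LOG $LOG_OPTIONS --log-prefix "Fw: CJV FORWARD d1701: "
    $IPTABLES -A FORWARD -p udp -m udp --sport 1701 -j LOG $LOG_OPTIONS --log-prefix "Fw: CJV FORWARD s1701: "
    $IPTABLES -A FORWARD -p udp -m udp --dport 4500 -j LOG $LOG_OPTIONS --log-prefix "Fw: CJV FORWARD d4500: "
    $IPTABLES -A FORWARD -p udp -m udp --sport 4500 -j LOG $LOG_OPTIONS --log-prefix "Fw: CJV FORWARD s4500: "

    $IPTABLES -A OUTPUT  -o eth1  -m state --state NEW  -j ACCEPT
    $IPTABLES -A FORWARD  -o eth1  -m state --state NEW  -j ACCEPT

    log "Fw: eth1 rule 1: allow traffic marked with IPsec kernel marks"

    # marks are set using the mangle table, see /etc/init.d/racoon
    # Anything on eth1 carrying mark 15 is accepted unconditionally, so this
    # rule is only as trustworthy as the mangle rules that set the mark.
    $IPTABLES -A INPUT -i eth1 -m mark --mark 15 -j LOG $LOG_OPTIONS --log-prefix "Fw: CJV MARKED: "
    $IPTABLES -A INPUT -i eth1 -m mark --mark 15 -j ACCEPT

    log "Fw: eth1 rule 1a: allow TFTP"

    # Created only when TFTP_SERVER is set.  The original spelled the port
    # match "-dport 514,69", which iptables rejects; a port list needs
    # multiport.  Port 514 is syslog, not TFTP -- TODO confirm it is wanted.
    # Nothing jumps to ETH1_ALLOWTFTP from INPUT/FORWARD, so the chain has no
    # effect until it is hooked in.
    test -n "$TFTP_SERVER" && \
    $IPTABLES -N ETH1_ALLOWTFTP
    test -n "$TFTP_SERVER" && \
    $IPTABLES -A ETH1_ALLOWTFTP  -p udp -m udp -m multiport --dports 514,69  -j ACCEPT

    log "Fw: eth1 rule 2: allow NTP replies from time servers"

    # NEW udp/123 from eth1 is only accepted from the two NIST servers, and
    # only when addressed to one of the router's own addresses.
    $IPTABLES -N ETH1_NTP.0
    $IPTABLES -N ETH1_NTP.1
    $IPTABLES -A INPUT  -i eth1 -p udp -m udp  --dport 123  \
        -m state --state NEW  -j ETH1_NTP.0

    $IPTABLES -A ETH1_NTP.0  -s 131.107.1.10  -j ETH1_NTP.1  # time-nw.nist.gov
    $IPTABLES -A ETH1_NTP.0  -s 192.43.244.18 -j ETH1_NTP.1  # time.nist.gov

    test -n "$IP_ETH1" && \
    $IPTABLES -A ETH1_NTP.1  -d $IP_ETH1  -j ACCEPT
    $IPTABLES -A ETH1_NTP.1  -d $IP_ETH0  -j ACCEPT
    $IPTABLES -A ETH1_NTP.1  -d $IP_ATH0  -j ACCEPT

    log "Fw: eth1 rule 3: allow SSH and IPsec from WAN"

    # Only packets addressed to the WAN address itself get here, so the
    # whole chain is skipped when eth1 has no address.
    $IPTABLES -N ETH1_ALLOWIPSEC

    test -n "$IP_ETH1" && \
    $IPTABLES -A INPUT  -i eth1  -d $IP_ETH1  -m state --state NEW  \
        -j ETH1_ALLOWIPSEC
    $IPTABLES -A ETH1_ALLOWIPSEC  -p tcp -m tcp --dport 22   -j ACCEPT # SSH (already accepted globally above)
    $IPTABLES -A ETH1_ALLOWIPSEC  -p udp -m udp --dport 500  -j ACCEPT # IKE
    $IPTABLES -A ETH1_ALLOWIPSEC  -p udp -m udp --dport 4500 -j ACCEPT # NAT-T
    $IPTABLES -A ETH1_ALLOWIPSEC  -p 50  -j ACCEPT                     # ESP

    log "Fw: eth1 rule 4: allow RealPlayer and MS Media Player"

    # Inbound NEW connections from the WAN to these streaming ports are
    # accepted for the router itself and for forwarding.
    $IPTABLES -A INPUT  -i eth1 -p tcp -m tcp  \
        -m multiport  --dports 554,7070,1755  -m state --state NEW  -j ACCEPT
    $IPTABLES -A INPUT  -i eth1 -p udp \
        -m udp  --dport 1755  -m state --state NEW  -j ACCEPT
    $IPTABLES -A FORWARD  -i eth1 -p tcp -m tcp  \
        -m multiport  --dports 554,7070,1755  -m state --state NEW  -j ACCEPT
    $IPTABLES -A FORWARD  -i eth1 -p udp \
        -m udp  --dport 1755  -m state --state NEW  -j ACCEPT

    log "Fw: eth1 rule 5: allow LAN DHCP requests"

    # The jump into ETH1_ALLOWDHCP is commented out (and refers to eth0), so
    # the rule below is never consulted.  WAN DHCP renewals currently rely on
    # conntrack treating the server's reply as ESTABLISHED.
    $IPTABLES -N ETH1_ALLOWDHCP
#    $IPTABLES -A INPUT  -i eth0  -s 0.0.0.0  -d 255.255.255.255  \
#	-m state --state NEW  -j ETH0_ALLOWDHCP
    if [ -n "$IP_ETH1_GW" ] ; then
        $IPTABLES -A ETH1_ALLOWDHCP -i eth1 -p UDP -s $IP_ETH1_GW \
            --sport 68 --dport 67 -j ACCEPT
    else
        echo "Fw: eth1 rule 5: no default route via eth1"
    fi

    log "Fw: eth1 rule 6: anti spoofing"

    # TRY_RPFILTER is a top-of-file knob.  The previous version reassigned it
    # to 1 here, which made the explicit ETH1_ANTISPOOFING branch unreachable;
    # that reassignment is gone so the knob actually selects the mechanism.
    if [ -n "$TRY_RPFILTER" ] ; then
        # kernel source validation on every interface (this also re-enables
        # conf/all/rp_filter, which was cleared at the top) plus martian logging
        for ii in /proc/sys/net/ipv4/conf/*/rp_filter; do
            echo "1" > "$ii"
        done
        for ii in /proc/sys/net/ipv4/conf/*/log_martians; do
            echo "1" > "$ii"
        done
    else
        # drop and log anything arriving on the WAN that claims one of our
        # own addresses as its source
        $IPTABLES -N ETH1_ANTISPOOFING

        test -n "$IP_ETH1" && \
        $IPTABLES -A INPUT   -i eth1  -s $IP_ETH1/32  -j ETH1_ANTISPOOFING
        $IPTABLES -A INPUT   -i eth1  -s $IP_ETH0/24  -j ETH1_ANTISPOOFING
        $IPTABLES -A INPUT   -i eth1  -s $IP_ATH0/24  -j ETH1_ANTISPOOFING
        $IPTABLES -A INPUT   -i eth1  -s $IP_VPN0/24  -j ETH1_ANTISPOOFING
        $IPTABLES -A INPUT   -i eth1  -s $IP_LOCAL/8  -j ETH1_ANTISPOOFING

        test -n "$IP_ETH1" && \
            $IPTABLES -A FORWARD -i eth1  -s $IP_ETH1/32  -j ETH1_ANTISPOOFING
        $IPTABLES -A FORWARD -i eth1  -s $IP_ETH0/24  -j ETH1_ANTISPOOFING
        $IPTABLES -A FORWARD -i eth1  -s $IP_ATH0/24  -j ETH1_ANTISPOOFING
        $IPTABLES -A FORWARD -i eth1  -s $IP_VPN0/24  -j ETH1_ANTISPOOFING
        $IPTABLES -A FORWARD -i eth1  -s $IP_LOCAL/8  -j ETH1_ANTISPOOFING

        $IPTABLES -A ETH1_ANTISPOOFING    -m limit --limit 4/minute -j LOG \
            $LOG_OPTIONS --log-prefix "Fw: DENY WAN Spoofing: "
        $IPTABLES -A ETH1_ANTISPOOFING   -j DROP
    fi

    log "Fw: lo rule 0: everything goes"

    $IPTABLES -A INPUT  -i lo  -m state --state NEW  -j ACCEPT
    $IPTABLES -A OUTPUT  -o lo  -m state --state NEW  -j ACCEPT

    log "Fw: global rule 0: no restrictions on internal network or ext WAN i/f"
    # note that spoofed IP addresses from the WAN are filtered already
    # RULE_0 matches on source address only (no -i), so it depends entirely on
    # the per-interface spoof checks above having run first.
    $IPTABLES -N RULE_0

    test -n "$IP_ETH1" && \
    $IPTABLES -A INPUT   -s $IP_ETH1/32  -m state --state NEW  -j RULE_0
    $IPTABLES -A INPUT   -s $IP_ETH0/24  -m state --state NEW  -j RULE_0
    $IPTABLES -A INPUT   -s $IP_ATH0/24  -m state --state NEW  -j RULE_0
    $IPTABLES -A INPUT   -s $IP_VPN0/24  -m state --state NEW  -j RULE_0
    $IPTABLES -A INPUT   -s $IP_LOCAL/8  -m state --state NEW  -j RULE_0

    test -n "$IP_ETH1" && \
    $IPTABLES -A OUTPUT  -s $IP_ETH1/32  -m state --state NEW  -j RULE_0
    $IPTABLES -A OUTPUT  -s $IP_ETH0/24  -m state --state NEW  -j RULE_0
    $IPTABLES -A OUTPUT  -s $IP_ATH0/24  -m state --state NEW  -j RULE_0
    $IPTABLES -A OUTPUT  -s $IP_VPN0/24  -m state --state NEW  -j RULE_0
    $IPTABLES -A OUTPUT  -s $IP_LOCAL/8  -m state --state NEW  -j RULE_0

    $IPTABLES -A FORWARD -s $IP_LOCAL/8  -m state --state NEW  -j RULE_0
    $IPTABLES -A FORWARD -s $IP_ETH0/24  -m state --state NEW  -j RULE_0
    $IPTABLES -A FORWARD -s $IP_ATH0/24  -m state --state NEW  -j RULE_0
    $IPTABLES -A FORWARD -s $IP_VPN0/24  -m state --state NEW  -j RULE_0

    $IPTABLES -A RULE_0   -m limit --limit 4/minute -j LOG \
         $LOG_OPTIONS --log-prefix "Fw: OK Policy recog: "
    $IPTABLES -A RULE_0  -j ACCEPT

    log "Fw: global rule 1: disallow all other traffic"

    # Catch-all: everything not accepted above is logged (rate limited) and
    # dropped.  The chain policies are DROP anyway; this adds the logging.
    $IPTABLES -N RULE_OTHER
    $IPTABLES -A OUTPUT  -j RULE_OTHER
    $IPTABLES -A INPUT   -j RULE_OTHER
    $IPTABLES -A FORWARD -j RULE_OTHER


    # stop NETBIOS attempts for filling up my logs
    $IPTABLES -N RULE_OTHER_NETBIOS
    $IPTABLES -A RULE_OTHER -p tcp -m tcp --dport 135 -j RULE_OTHER_NETBIOS

    $IPTABLES -A RULE_OTHER -m limit --limit 4/minute -j LOG \
        $LOG_OPTIONS --log-prefix "Fw: DENY Policy unrecog: "
    $IPTABLES -A RULE_OTHER -j DROP

    # a rule with no match and no target only counts packets; kept as-is
    $IPTABLES -A RULE_OTHER_NETBIOS
    $IPTABLES -A RULE_OTHER_NETBIOS -m limit --limit 1/hour -j LOG \
        $LOG_OPTIONS --log-prefix "Fw: DENY Policy NetBIOS: "
    $IPTABLES -A RULE_OTHER_NETBIOS -j DROP

    # enable IP forwarding -- last, so no packet is routed before the
    # FORWARD chain above is in place
    echo 1 > /proc/sys/net/ipv4/ip_forward
}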


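#######################################
# Replace the rule set with the minimal "stopped" policy.
# Globals (read): IPTABLES IP_ETH1_PREV_FNAME
# Side effects:   clears the recorded eth1 address (so the next "start"
#                 always rebuilds), flushes filter/nat (not mangle), then
#                 installs: DROP policies, ESTABLISHED/RELATED accepts,
#                 unrestricted LAN (eth0) and WiFi (ath0) traffic, and SSH.
# Note:           the stopped state is not fully closed -- SSH stays
#                 reachable on every interface, including eth1 -- and the
#                 router itself cannot open new connections towards eth1.
#######################################
unconfigure()
{
    log "Fw: Deactivating .."

    # a blank line reads back as empty, which configure() treats as "not set"
    echo > "$IP_ETH1_PREV_FNAME"

    log "Fw: default policy is DROP"

    $IPTABLES -P OUTPUT  DROP
    $IPTABLES -P INPUT   DROP
    $IPTABLES -P FORWARD DROP

    log "Fw: flush all chains (except mangle)"

    # same flush as in configure(): every table listed in
    # /proc/net/ip_tables_names except mangle, which holds the IPsec marks
    while read table; do
        test "X$table" = "Xmangle" && continue
        $IPTABLES -t "$table" -L -n | while read c chain rest; do
            if test "X$c" = "XChain" ; then
                $IPTABLES -t "$table" -F "$chain"
            fi
        done
        $IPTABLES -t "$table" -X
    done < /proc/net/ip_tables_names

    log "Fw: allow established connections"

    $IPTABLES -A INPUT   -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPTABLES -A OUTPUT  -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

    log "Fw: allow traffic to/from LAN"

    $IPTABLES -A INPUT   -i eth0  -m state --state NEW  -j ACCEPT
    $IPTABLES -A OUTPUT  -o eth0  -m state --state NEW  -j ACCEPT
    $IPTABLES -A FORWARD -o eth0  -m state --state NEW  -j ACCEPT

    log "Fw: allow traffic to/from WiFi"

    $IPTABLES -A INPUT   -i ath0  -m state --state NEW  -j ACCEPT
    $IPTABLES -A OUTPUT  -o ath0  -m state --state NEW  -j ACCEPT
    $IPTABLES -A FORWARD -o ath0  -m state --state NEW  -j ACCEPT

    log "Fw: allow management traffic (SSH)"

    # no -i / -o here, so this applies to every interface
    $IPTABLES -A INPUT  -p tcp -m tcp --dport 22 -m state --state NEW -j ACCEPT
    $IPTABLES -A OUTPUT -p tcp -m tcp --sport 22 -m state --state NEW -j ACCEPT
}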


#
# main
#

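# tc.conf is sourced as shell code (as root, at boot); keep it root-owned and
# not writable by anyone else.
. /etc/sysconfig/tc.conf

case "$1" in
    start|restart)
        echo -n " eth1"
        configure
        ;;
    stop)
        unconfigure
        ;;
    status)
        # list the tables this script manages (filter, nat) as well as the
        # mangle table it relies on for the IPsec marks
        $IPTABLES -t filter -L -n -v
        $IPTABLES -t nat    -L -n -v
        $IPTABLES -t mangle -L -n -v
        ;;
    *)
        # an unknown or missing verb used to be silently ignored
        echo "Usage: $0 {start|stop|restart|status}" >&2
        exit 1
        ;;
esac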

# 

Example D.9. /etc/init.d/firewall