Listing 2. Annotated Script for Bridging Firewall Setup
#!/bin/sh
#####################################################################
# firewall.sh - set up ipchains rules for a bridging firewall
#
#    Copyright (c) 2000 UK/Canada/Netherlands Joint Astronomy Centre
#
#    Permission to use, copy, modify, distribute,
#    and sell this software and its documentation
#    for any purpose is hereby granted without fee,
#    provided that the above copyright notice appear
#    in all copies and that both that copyright notice
#    and this permission notice appear in
#    supporting documentation, and that the name
#    Joint Astronomy Centre not
#    be used in advertising or publicity pertaining
#    to distribution of this
#    software without specific, written prior
#    permission.
#
#    THIS SOFTWARE IS PROVIDED `AS-IS'. THE JOINT
#    ASTRONOMY CENTRE DISCLAIMS
#    ALL WARRANTIES WITH REGARD TO THIS
#    SOFTWARE, INCLUDING WITHOUT
#    LIMITATION ALL IMPLIED WARRANTIES OF
#    MERCHANTABILITY, FITNESS FOR A
#    PARTICULAR PURPOSE, OR NONINFRINGEMENT.
#    IN NO EVENT SHALL THE JOINT
#    ASTRONOMY CENTRE BE LIABLE FOR ANY DAMAGES
#    WHATSOEVER, INCLUDING SPECIAL,
#    INCIDENTAL OR CONSEQUENTIAL DAMAGES,
#    INCLUDING LOSS OF USE, DATA, OR
#    PROFITS, EVEN IF ADVISED OF THE
#    POSSIBILITY THEREOF, AND REGARDLESS OF
#    WHETHER IN AN ACTION IN CONTRACT,
#    TORT OR NEGLIGENCE, ARISING OUT OF
#    OR IN CONNECTION WITH THE USE OR
#    PERFORMANCE OF THIS SOFTWARE.
#
#    (There. That should satisfy the lawyers.
#    In Plain English, here's the 
#    software. Do whatever you want with it.
#    If anything breaks, it's your
#    fault and your problem. Don't come
#    crying to us. We're not paying 
#    anyone for anything.)
#######################################################################
IPCHAINS=/sbin/ipchains  # the only binary this script runs

#############################
# Definitions
#############################
# Interfaces. The bridge has one leg on each side and
# every rule below keys on which leg a packet arrived on.
EXT_IF=eth2              # EDIT - interface facing the Internet
INT_IF=eth1              # EDIT - interface facing the protected
                         #        network

# Address shorthands.
Any="0.0.0.0/0"          # wildcard source/destination
localhost="127.0.0.1/32" # not referenced by any rule in this listing
firewallhost=N.N.N.N/32  # EDIT - the bridge's own address, if it has
                         #        one; not referenced by any rule in
                         #        this listing
mynet=""                 # EDIT - network/mask in CIDR form, e.g.
                         #        192.0.2.0/24. Must be set: an empty
                         #        value simply vanishes from the
                         #        ipchains command line it is used in.
                         #        Note that the "public" servers live
                         #        in this range as well, so rules that
                         #        match -s $mynet on $EXT_IF accept
                         #        anything claiming such a source.

##########################################
# Public (outside the firewall) servers
##########################################
SMTP_SERVER=             # EDIT - public mail relay
INTERNAL_SMTP=           # EDIT - internal mail hub; the only inside
                         #        host the relay may talk SMTP to
SSH_SERVER=              # EDIT - public SSH login host
NNTP_SERVER=             # EDIT - upstream News server
INTERNAL_NTP=            # EDIT - internal NTP server
WWW_SERVER=              # EDIT - public WWW server (not referenced
                         #        by any rule in this listing)
FTP_SERVER=              # EDIT - public FTP server (not referenced
                         #        by any rule in this listing)
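#############################
# Sanity checks - refuse to touch the live rule set
# while a required "EDIT" value is still blank.
# Without this, an empty variable silently drops out
# of the ipchains command line, the mangled rule is
# rejected, and the script carries on and leaves a
# partial rule set behind. Only the variables that
# rules below actually reference are checked.
#############################
: "${mynet:?set mynet to your network/mask}"
: "${EXT_IF:?set EXT_IF to the Internet-facing interface}"
: "${INT_IF:?set INT_IF to the protected-network interface}"
: "${SSH_SERVER:?set SSH_SERVER to the public SSH login host}"
: "${SMTP_SERVER:?set SMTP_SERVER to the public mail relay}"
: "${INTERNAL_SMTP:?set INTERNAL_SMTP to the internal mail hub}"
: "${NNTP_SERVER:?set NNTP_SERVER to the upstream News server}"
: "${INTERNAL_NTP:?set INTERNAL_NTP to the internal NTP server}"
#############################
# Set default policies
#############################
# The bridged traffic is filtered in the bridgein
# chain below, not here. ACCEPT on these chains does
# however leave the bridge host itself wide open if
# it has an IP address of its own - add input rules
# in that case.
$IPCHAINS -P input ACCEPT
$IPCHAINS -P forward ACCEPT
$IPCHAINS -P output ACCEPT
#############################
# Flush any old rules
#############################
# -F with no chain empties every chain, bridgein
# included. From here until the catch-all DENY rules
# are appended to bridgein, the bridge passes whatever
# bridgein's default policy allows (this script does
# not set it), so keep the reload short and do not
# run it while under attack.
$IPCHAINS -F
# Also remove the (now empty) user-defined chains, so
# that the -N calls below succeed on a re-run instead
# of failing with "chain already exists".
$IPCHAINS -X
#############################
# Create 2 new chains
#############################
$IPCHAINS -N public
$IPCHAINS -N private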

# Since this is a bridge, not a router, the bridged
# traffic is handled entirely by the bridgein chain
# below, and no rules are needed in the input,
# forward or output chains for it.
# Caveat: if the bridge host has an IP address of
# its own ($firewallhost), the input chain *does*
# govern traffic addressed to the bridge itself, and
# with the ACCEPT policy set above that host is
# unprotected - add input rules for it in that case.

# forward rules

# output rules

#############################
# Bridge chain - dispatch on the arrival interface.
#   Traffic leaving the protected net (from $mynet,
#   arriving on $INT_IF) is vetted by the "private"
#   chain; traffic entering it (to $mynet, arriving
#   on $EXT_IF) by the "public" chain. Anything that
#   fits neither description, or that returns from
#   the private chain unmatched, is dropped and
#   logged here.
#############################
# bridgein rules
# (the argument lists are deliberately left unquoted:
# word-splitting is what turns them into options)
outbound="-s $mynet -d $Any -i $INT_IF"
inbound="-s $Any -d $mynet -i $EXT_IF"
$IPCHAINS -A bridgein $outbound -j private
$IPCHAINS -A bridgein $inbound -j public
# Deny anything not explicitly matched in one of the
# other chains. The TCP-only rule is a strict subset
# of the one after it; it only decides which rule's
# counter and log entry a TCP packet hits.
# NOTE: -l logs every such packet with no rate limit,
# so a flood aimed at the bridge can fill the log
# partition.
catchall="-s $Any -d $Any -j DENY -l"
$IPCHAINS -A bridgein -p tcp $catchall
$IPCHAINS -A bridgein $catchall

#############################
# "Public" rules - these control who/what gets to
#                  talk through the 
#                  firewall from the Internet
#                  to your protected network
#
# These are examples - modify to suit your own
#                  security needs
#############################
# public rules
# ICMP - allow echo-request from the "public"
#        servers back in to the
#        internal net. Do we need this? In any case,
#        block all echo-request
#        packets from anyone else. Don't bother to
#        log ping attempts.
#        Allow some of the other useful ICMP messages
$IPCHAINS -A public -p icmp -s $mynet 8 -d $mynet -i $EXT_IF -j ACCEPT 
$IPCHAINS -A public -p icmp -s $Any 8 -d $mynet -i $EXT_IF -j DENY 
# ICMP - allow echo-reply from anyone, so we can ping out.
$IPCHAINS -A public -p icmp -s $mynet 0 -d $mynet -i $EXT_IF -j ACCEPT
# ICMP - allow destination-unreachable
$IPCHAINS -A public -p icmp -s $Any 3 -d $mynet -i $EXT_IF -j ACCEPT 
# ICMP - allow source-quench
$IPCHAINS -A public -p icmp -s $Any 4 -d $mynet -i $EXT_IF -j ACCEPT 
# ICMP - allow time-exceeded
$IPCHAINS -A public -p icmp -s $Any 11 -d $mynet -i $EXT_IF -j ACCEPT 
# ICMP - allow parameter-problem
$IPCHAINS -A public -p icmp -s $Any 12 -d $mynet -i $EXT_IF -j ACCEPT 
#######################################
# Services
#######################################
# ipchains is stateless: every "! -y" rule below
# accepts any TCP segment without SYN (not only
# SYN+ACK) from the named server port, whatever its
# destination port. That admits ACK/FIN-style probes
# from those source ports; it is the best a packet
# filter without connection tracking can do.
#######################################
# SSH - new connections into the protected net are
#       accepted only from the public SSH login host;
#       users authenticate there first, then hop on
#       to any internal machine.
$IPCHAINS -A public -p tcp -s $SSH_SERVER -d $mynet ssh -i $EXT_IF -j ACCEPT
#######################################
# Replies from servers anywhere on these well-known
# ports (SSH, telnet, HTTP, HTTPS, FTP control, FTP
# data), provided SYN is not set.
#       - telnet is cleartext; only replies to
#         sessions opened from inside are let in.
#       - active-mode FTP does not work through this:
#         the server opens the data connection (port
#         20 -> client) with SYN set, so it never
#         matches. Clients must use passive mode,
#         which is covered by the unprivileged-port
#         rule further down.
for svc in ssh telnet www https ftp ftp-data; do
    $IPCHAINS -A public -p tcp -s $Any $svc -d $mynet -i $EXT_IF -j ACCEPT ! -y
done
#######################################
# SMTP - the public relay may open connections to the
#        internal mail hub and to nothing else; the
#        hub's own sessions out to the relay get their
#        replies in via the second rule.
$IPCHAINS -A public -p tcp -s $SMTP_SERVER -d $INTERNAL_SMTP smtp -i $EXT_IF -j ACCEPT 
$IPCHAINS -A public -p tcp -s $SMTP_SERVER smtp -d $INTERNAL_SMTP -i $EXT_IF -j ACCEPT ! -y
#######################################
# WHOIS, finger, auth (IDENT) - replies from any such
#        server, but only to unprivileged ports on
#        our side.
for svc in whois finger auth; do
    $IPCHAINS -A public -p tcp -s $Any $svc -d $mynet 1024:65535 -i $EXT_IF -j ACCEPT ! -y
done
#######################################
# News - replies from the upstream NNTP server only
$IPCHAINS -A public -p tcp -s $NNTP_SERVER nntp -d $mynet 1024:65535 -i $EXT_IF -j ACCEPT ! -y
#######################################
# NTP - let the internal NTP server synchronize with
#       clocks elsewhere. This is UDP 123 -> 123 from
#       *any* address; for better security replace
#       $Any with the upstream servers actually used.
$IPCHAINS -A public -p udp -s $Any ntp -d $INTERNAL_NTP ntp -i $EXT_IF -j ACCEPT 
#######################################
# DNS - replies, UDP and TCP, from port 53 anywhere
#       to unprivileged ports on our side. Being
#       stateless, the UDP rule also lets anything
#       sent from source port 53 reach any
#       unprivileged UDP port inside.
$IPCHAINS -A public -p udp -s $Any domain -d $mynet 1024:65535 -i $EXT_IF -j ACCEPT 
$IPCHAINS -A public -p tcp -s $Any domain -d $mynet 1024:65535 -i $EXT_IF -j ACCEPT ! -y 
#######################################
# NFS and RPC between the "public" servers and the
# protected hosts, plus a blanket UDP allow.
#
# CAUTION: every rule in this section matches
# "-s $mynet" on packets arriving on $EXT_IF. The
# "public" servers share that address range with the
# protected hosts, so nothing in this script can tell
# a real public server from an Internet host forging
# a $mynet source address. The UDP rules in
# particular admit any datagram with such a source to
# any UDP port inside. Replace $mynet on the source
# side with the addresses of the specific public
# servers that need each service, and drop whatever
# is not actually used - the original author already
# asked "Do we need this?" of all three.
#######################################
# NFS - let internal hosts mount disks from the
#       "public" servers (TCP 2049 either way, SYN
#       allowed)
$IPCHAINS -A public -p tcp -s $mynet 2049 -d $mynet -i $EXT_IF -j ACCEPT 
$IPCHAINS -A public -p tcp -s $mynet -d $mynet 2049 -i $EXT_IF -j ACCEPT 
#######################################
# RPC - let the "public" servers reach the portmapper
#       (sunrpc, UDP) on internal hosts from a
#       privileged source port
$IPCHAINS -A public -p udp -s $mynet 0:1023 -d $mynet sunrpc -i $EXT_IF -j ACCEPT 
#######################################
# UDP - general UDP from "public" to "protected"
#       hosts; the two rules together cover every
#       source port.
for srcports in 0:1023 1024:65535; do
    $IPCHAINS -A public -p udp -s $mynet $srcports -d $mynet -i $EXT_IF -j ACCEPT
done
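####################################### 
# Established connections from unprivileged ports.
# This is the stateless stand-in for "reply to a
# connection one of our clients opened": a TCP
# segment without SYN, from an unprivileged port on
# any host. It is restricted to unprivileged ports on
# our side as well, in line with the whois/finger/
# auth/nntp/DNS reply rules above - ephemeral client
# ports are allocated at or above 1024 on Linux and
# most other stacks, so replies never need to reach a
# privileged port. Without the destination range this
# rule would let non-SYN segments (ACK/FIN/NULL
# probes, injected data) from any high port reach
# every TCP service inside. Root-run clients that
# bind a privileged source port (rsh-style) are not
# covered by this rule either way.
$IPCHAINS -A public -p tcp -s $Any 1024:65535 -d $mynet 1024:65535 -i $EXT_IF -j ACCEPT ! -y 
# Deny (and log!) everything not explicitly allowed.
# The logging is not rate-limited; a flood from
# outside can fill the log partition.
$IPCHAINS -A public -s $Any -d $Any -i $EXT_IF -j DENY -l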

######################################
# "Private" rules - these control which internal
#       hosts can talk through the
#       firewall, and to whom
#
# In most cases, these should be fairly liberal.
#       Bear in mind that they are also all that
#       limits what a compromised internal host can
#       reach; the SMTP restriction below shows how
#       to pin one service to one host.
######################################
# private rules
######################################
# ICMP out of the protected net.
#   echo-reply (0) only back to the "public" servers
#   (requests from anywhere else are already dropped
#   in the public chain, so nothing inside ever
#   answers an Internet ping); echo-request (8) and
#   the usual error types (3, 4, 11, 12) to anyone.
#   Any other ICMP type is unmatched here and ends
#   up at the bridgein catch-all DENY.
######################################
$IPCHAINS -A private -p icmp -s $mynet 0 -d $mynet -i $INT_IF -j ACCEPT 
for icmptype in 8 3 4 11 12; do
    $IPCHAINS -A private -p icmp -s $mynet $icmptype -d $Any -i $INT_IF -j ACCEPT
done
######################################
# Services
######################################
# SMTP - only the internal mail hub may talk SMTP
#        out, and only to the public relay. Any other
#        internal host trying port 25 anywhere is
#        dropped and logged; this is what catches a
#        compromised or misconfigured box sending
#        mail directly.
$IPCHAINS -A private -p tcp -s $INTERNAL_SMTP -d $SMTP_SERVER smtp -i $INT_IF -j ACCEPT
$IPCHAINS -A private -p tcp -s $mynet -d $Any smtp -i $INT_IF -j DENY -l
#####################################
# Everything else - TCP and UDP, any source port, any
# destination - is allowed out. Four separate rules
# (per protocol and source-port range) give separate
# per-rule counters under ipchains -L -v.
for proto in tcp udp; do
    for srcports in 0:1023 1024:65535; do
        $IPCHAINS -A private -p $proto -s $mynet $srcports -d $Any -i $INT_IF -j ACCEPT
    done
done