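#!/bin/sh
# ipchains firewall rules
# http://www.rdrs.net/document/
#
# Note that ipchains is less powerful than iptables.
# iptables provides Stateful Packet Inspection (kernel >= 2.4).
# ipchains allows packets in that aren't part of an existing TCP connection.
# Although such packets will not normally be processed by an application,
# they can be used as part of a [D]enial [O]f [S]ervice attack.
#
# Stop at the first rule that fails to load: a half-applied rule set is worse
# than an aborted run, and the forward policy is set to DENY right at the top.
set -e

# Ipchains
# Flush every chain, then refuse to forward anything not explicitly matched.
ipchains -F
ipchains -P forward DENY
# Masquerade the four LAN hosts (their source address is rewritten on the way out).
ipchains -A forward -s 192.168.1.204/32 -j MASQ
ipchains -A forward -s 192.168.1.203/32 -j MASQ
ipchains -A forward -s 192.168.1.202/32 -j MASQ
ipchains -A forward -s 192.168.1.201/32 -j MASQ
# Block address 10.10.10.10 outright.
ipchains -A input -s 10.10.10.10 -j DENY
# NetBIOS/SMB (137-139) in both directions on the ISDN interface, logged (-l).
# ipchains only understands a trailing "+" as an interface wildcard; the
# original "ippp?" was an (unquoted) shell glob and matched no interface.
ipchains -A input -l -i ippp+ -p tcp --destination-port 137:139 -j DENY
ipchains -A input -l -i ippp+ -p udp --destination-port 137:139 -j DENY
ipchains -A output -l -i ippp+ -p tcp --destination-port 137:139 -j DENY
ipchains -A output -l -i ippp+ -p udp --destination-port 137:139 -j DENY
# Inbound telnet, logged.
ipchains -A input -l -i ippp+ -p tcp --destination-port 23 -j DENY
# Answer pings on the ISDN interface, but log them.
ipchains -A input -l -i ippp+ -p icmp --icmp-type ping -j ACCEPT
# ICMP redirect messages (type 5) can be used to manipulate routing; drop and log.
ipchains -A input -l -i ippp+ -p icmp --icmp-type 5 -j DENY
# commerce banners icq (ads.web.aol.com)
ipchains -A input -s 64.12.184.57 -j DENY
# anything not from my ntp-server is blocked.
# NOTE(review): these match ppp+ while the rules above match ippp+ — confirm
# which interface actually faces the internet.
ipchains -A input --source ! 184.39.186.11 -l -i ppp+ -p tcp --dport 123 -j DENY
ipchains -A input --source ! 184.39.186.11 -l -i ppp+ -p udp --dport 123 -j DENY
#
# FORWARD/REDIRECT connections/ports from outside to the local network.
# This example forwards active ftp from the internet to a local host.
#
# NOTE(review): 231.44.233.44 lies in the multicast range (224.0.0.0/4), so it
# is presumably a placeholder for the gateway's public address — replace it.
#
# First, flush any existing port-forwarding entries.
# (-f flushes the portfw table; it does NOT enable IP forwarding, see below.)
ipmasqadm portfw -f
# Second, accept connections only for the specific service (FTP, ports 20/21).
ipchains -A input -l -i eth0 -p tcp -s 0/0 -d 231.44.233.44 20 -j ACCEPT
ipchains -A input -l -i eth0 -p tcp -s 0/0 -d 231.44.233.44 21 -j ACCEPT
# Third, re-route the incoming connection to the internal host.
ipmasqadm portfw -a -P tcp -L 231.44.233.44 21 -R 192.168.1.30 21
ipmasqadm portfw -a -P tcp -L 231.44.233.44 20 -R 192.168.1.30 20
# MSN Servers
# port 1863 == Messages ; port 6891 == File transfer ;
# 6891 to 6900 == Multiple file transfers
# Don't forget: MASQ and portfw only work once IP forwarding is enabled:
#   echo 1 > /proc/sys/net/ipv4/ip_forward
# to list all the chains
ipchains -vnL

# Do not answer ping requests to your host.
# "off" and "on" are alternatives, not a sequence — running both in a row
# meant the second line silently overrode the first. Active: answer pings
# (the ping ACCEPT rule above logs them).
# off:
#echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_all
# on:
echo 0 > /proc/sys/net/ipv4/icmp_echo_ignore_all
#
# Ignore broadcast pings (an amplification vector). Running both lines, as the
# original did, left broadcast pings answered; the re-enable line is kept only
# as the commented alternative.
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
# to answer broadcast pings again:
#echo 0 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts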