"Fossies" - the Fresh Open Source Software Archive

Member "aif-2.1.1/README" (16 Sep 2020, 32353 Bytes) of package /linux/privat/aif-2.1.1.tar.gz:



    1                     -= Arno's Iptables Firewall(AIF) =-
    2          Single- & multi-homed firewall script with DSL/ADSL support
    3 
    4                       ~ In memory of my dear father ~
    5 
    6 (C) Copyright 2001-2019 by Arno van Amersfoort & Lonnie Abelbeck
    7 Homepage   : https://rocky.eld.leidenuniv.nl/
    8 Email      : a r n o v a AT r o c k y DOT e l d DOT l e i d e n u n i v DOT n l
    9              (note: you must remove all spaces and substitute the @ and the .
   10              at the proper locations!)
   11 -------------------------------------------------------------------------------
   12 This program is free software; you can redistribute it and/or
   13 modify it under the terms of the GNU General Public License
   14 version 2 as published by the Free Software Foundation.
   15 
   16 This program is distributed in the hope that it will be useful,
   17 but WITHOUT ANY WARRANTY; without even the implied warranty of
   18 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
   19 GNU General Public License for more details.
   20 
   21 You should have received a copy of the GNU General Public License
   22 along with this program; if not, write to the Free Software
   23 Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA  02111-1307, USA.
   24 -------------------------------------------------------------------------------
   25 
   26 A MESSAGE FROM THE AUTHOR:
   27 --------------------------
   28 Almost *all* my work is distributed under the terms of the GNU GPL License,
   29 which means it's free (open-source) software. If you like my work or you want
   30 me to implement a certain feature, you are encouraged to donate money. You can
   31 (preferably) donate directly to me through my bank account (mail me for my IBAN,
   32 International Bank Account Number). My favourite charity organisations are:
   33 - foundations for cancer research (in The Netherlands: "KWF Kanker Bestrijding");
   34 - foundations for brain disease research (in The Netherlands: "De Hersenstichting");
   35 - foundations for the welfare of animals ("IFAW" or in the Netherlands: "De Dierenbescherming")
   36 
   37 Note that *ALL* donations I receive go to one of the above foundations.
   38 
   39 IMPORTANT NOTE:
   40 ---------------
   41 I don't provide enduser support on my email address. Any problems & questions
   42 directly related to the use/implementation of my firewall should go to the
   43 mailinglist, for which you can sign up on my website. Also consult the FAQs
   44 before reporting a problem/question. Please use this way as I'm simply too busy
   45 to help everybody out with every (trivial) issue. Furthermore read the
   46 information in the troubleshooting section below!
   47 
   48 An explanation of the files in the package:
   49 -------------------------------------------
   50 /bin/arno-iptables-firewall :
   51         The actual firewall script, core of Arno's Iptables Firewall(AIF).
   52         You should put this file in eg. /usr/local/sbin/ . You should make
   53         sure it's executable (use "chmod 700" or "chmod +x").
   54 
   55 /bin/arno-fwfilter :
   56         A pipe filter script to make the firewall-log more readable. It can
   57         be used for example in conjunction with a tail to log your firewall to
   58         local tty10 (-12). It can be used for both /var/log/messages and
   59         /var/log/firewall (or whatever name you configured syslogd), depending
   60         on the log-level specified in the configuration file. An example on how
   61         to use it can be found in the beginning of the fwfilter script. Any
   62         options for fwfilter can be configured within the script itself. You 
   63         should put this file in eg. /usr/local/bin/.
   64 
   65 /etc/arno-iptables-firewall/firewall.conf :
   66         The configuration file used for Arno's Iptables Firewall(AIF).
   67         Normally you should put it in /etc/arno-iptables-firewall/. Make sure
   68         root is owner/group (with "chown 0:0").
   69 
   70 /etc/arno-iptables-firewall/plugins/ :
   71         Any plugin config files  (.conf files) are stored here.
   72 
   73 /etc/arno-iptables-firewall/conf.d/ :
   74         Put any (override) configuration files in this directory. Any files here
   75         with a .conf-extension(!) will be sourced AFTER the main firewall.conf
   76         file has been read.
   77 
   78 /etc/arno-iptables-firewall/custom-rules :
   79         Put any (iptables) custom rules in this file. This file
   80         should be put in /etc/arno-iptables-firewall/ . Make sure root
   81         is owner/group (with "chown 0:0").
   82 
   83 /lib/systemd/system/arno-iptables-firewall.service :
   84         The systemd service file. Depending on your system it should be
   85         put in either /usr/lib/systemd/system, /lib/systemd/system or
   86         /etc/systemd/system
   87 
   88 /etc/init.d/arno-iptables-firewall :
   89         The init.d script (for older systems still using init.d). On some (older)
   90         distributions you may need to put it in /etc/rc.d/ (instead of
   91         /etc/init.d).  You should make sure it's executable (use "chmod 700" or
   92         "chmod +x"). Inside this script you can also enable VERBOSE(=1) logging
   93         for eg. debugging purposes.
   94 
   95 /share/arno-iptables-firewall/environment :
   96         This is the environment-file required by the firewall and plugins.
   97         It contains several global functions. It should normally be put in
   98         /usr/local/share/.
   99 
  100 /share/arno-iptables-firewall/plugins/ :
  101         Put any plugin binaries (.plugin files) for my firewall in this
  102         directory. It should normally be put in /usr/local/share/.
  103 
  104 /share/man/man8/arno-iptables-firewall.8 :
  105         A man page for the arno-iptables-firewall script.
  106 
  107 /share/man/man1/arno-fwfilter.1 :
  108         A man page for the arno-fwfilter script.
  109 
  110 /CHANGELOG :
  111         The version changelog of my firewall.
  112 
  113 /README :
  114         "This" file.
  115 
  116 /configure.sh :
  117         Script to setup a basic configuration.
  118 
  119 /install.sh :
  120         Install script to deploy my firewall on your system.
  121 
  122 /uninstall.sh :
  123         Uninstall script to remove my firewall from your system.
  124 
  125 /contrib/ :
  126         Directory contains any misc. (user contributed) files (scripts etc.) It
  127         also contains examples on how to modify your syslogger to log your
  128         firewall stuff into a separate file.
  129 
  130 -----------------------------------------
  131 | Some IMPORTANT (security) information |
  132 -----------------------------------------
  133 1) If possible try to start the firewall before you enable your (ADSL) internet
  134    connection. For a ppp-interface that doesn't exist yet
  135    you can use the wildcard device called "ppp+" (but you can only use
  136    ppp+ if there aren't any other ppp interfaces!).
  137 
  138 2) Don't change any (security) settings ('EXPERT SETTINGS') if you don't
  139    really understand what they mean. Changing them anyway could have a big
  140    impact on the security of your machine.
  141 
  142 3) I get a lot of emails from people complaining that their webserver etc.
  143    stopped working after installing my firewall. This is the CORRECT
  144    behaviour for a firewall: BLOCKING ALL incoming traffic by default!
  145    Configure your eg. OPEN_TCP accordingly!
  146 
  147 
  148 -----------------
  149 | General hints |
  150 -----------------
  151 1) For IPv4 addresses you can use IP ranges in all variables by specifying it as
  152    eg. "192.168.1.10-50" (which would make the range start with 192.168.1.10
  153    and end at 192.168.1.50). Note that this only works for Class-C(/24) ranges,
  154    so specifying eg. 192.168.1.1-192.168.2.1 does NOT work!
  155 
  156 2) My firewall has mixed IPv4/IPv6 support. You can switch from IPv4-only to
  157    IPv4/IPv6 support by simply setting "IPV6_SUPPORT=1" in the config file.
  158 
  159 3) You can use the $ANYPORT and $ANYHOST macros to specify "ALL ports" or
  160    "ALL hosts" in the configuration variables/rules.
  161 
  162 4) The configuration variables use several "special" (separator) characters:
  163    ' ' (space): Used to separate rules (eg. 'rule1 rule2')
  164    ','        : Used for lists of ports, hosts or protocols (eg. '21,22,23')
  165    '~'        : Used for host-port separation (eg. '192.168.1.1~22')
  166    '>'        : Used for source-to-target separation (eg. '192.168.1.1>10.0.0.3')
  167    '#'        : Used for external interface(-IP) restrictions (eg. 'eth0#rule')
  168                 Also see 5)
  169 
  170    You may want to have a look at the configuration file in
  171    /etc/arno-iptables-firewall/ for additional information (and examples)
  172 
  173 5) For configuration-variables/rules which are related to the external
  174    (internet) interface one can restrict the interface(s) for which it is
  175    applied to by adding either "{interface1,interface2,...}#" or
  176    "{interface_ip1,interface_ip2}#" at the beginning of the rule. The latter
  177    is especially handy for aliased interfaces.
  178    Example 1: OPEN_TCP="eth0#22", would only open TCP port 22 (SSH) for
  179               interface eth0
  180    Example 2: OPEN_TCP="1.2.3.4#22", would only open TCP port 22 (SSH) for
  181               interface which has the IP 1.2.3.4
  182 
  183    This feature can also be used to enable NAT port forwarding for certain
  184    (external) interfaces. Examples:
  185    Example 1: NAT_FORWARD_TCP="eth0#0/0~22>{internal_host}" means:
  186               - Forwards TCP port 22;
  187               - Forward is available for the whole world (0/0);
  188               - Forward is applied to eth0 only;
  189               - {internal_host} is the host the port should be forwarded to.
  190    Example 2: NAT_FORWARD_TCP="1.2.3.4#0/0~80>{internal_host}" means:
  191               - Forwards TCP port 80;
  192               - Forward is available for the whole world (0/0);
  193               - Forward is applied to the (external) (aliased) interface with
  194                 IP 1.2.3.4;
  195               - {internal_host} is the host the port should be forwarded to.
  196 
  197 6) Port ranges should be written as port_start:port_end, eg. "137:139" would
  198    select ports 137,138 and 139.
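
The separator rules from hints 1, 4, 5 and 6, worked through in POSIX sh. This is an added example, not code from AIF: the function names are hypothetical, the parser is a simplified reading of the grammar shown above (it covers the [restriction#][source~]ports[>target] forms from hint 5 only), and the sample rule values are constructed.

```sh
#!/bin/sh
# Added example, not AIF code: a simplified reading of the rule grammar in
# hints 1, 4, 5 and 6. Function names are hypothetical.

# Succeed only for a decimal number without sign or leading zeros.
is_uint() {
    case $1 in
        ''|*[!0-9]*|0?*) return 1 ;;
    esac
}

# Split one rule of the form [restriction#][source~]ports[>target].
parse_rule() {
    pr_rule=$1 pr_if=any pr_src=any pr_target=none
    case $pr_rule in
        *"#"*) pr_if=${pr_rule%%"#"*}; pr_rule=${pr_rule#*"#"} ;;
    esac
    case $pr_rule in
        *">"*) pr_target=${pr_rule#*">"}; pr_rule=${pr_rule%%">"*} ;;
    esac
    case $pr_rule in
        *"~"*) pr_src=${pr_rule%%"~"*}; pr_rule=${pr_rule#*"~"} ;;
    esac
    printf 'if=%s src=%s ports=%s target=%s\n' \
        "$pr_if" "$pr_src" "$pr_rule" "$pr_target"
}

# Expand a ','-separated port list with start:end ranges, eg. "21,137:139".
expand_ports() {
    case $1 in
        ''|*[!0-9,:]*) return 1 ;;
    esac
    ep_out="" ep_ifs=$IFS
    IFS=,
    set -- $1
    IFS=$ep_ifs
    for ep_item in "$@"; do
        ep_lo=${ep_item%%:*} ep_hi=${ep_item#*:}
        is_uint "$ep_lo" && is_uint "$ep_hi" || return 1
        [ "$ep_lo" -ge 1 ] && [ "$ep_hi" -le 65535 ] &&
            [ "$ep_lo" -le "$ep_hi" ] || return 1
        while [ "$ep_lo" -le "$ep_hi" ]; do
            ep_out="$ep_out${ep_out:+ }$ep_lo"
            ep_lo=$((ep_lo + 1))
        done
    done
    printf '%s\n' "$ep_out"
}

# Expand an IPv4 range "a.b.c.first-last". The range must stay inside the
# last octet, so "192.168.1.1-192.168.2.1" is rejected (hint 1).
expand_host_range() {
    eh_base=${1%-*} eh_last=${1##*-}
    eh_prefix=${eh_base%.*} eh_first=${eh_base##*.}
    # No '-' at all: a single address, pass it through unchanged.
    [ "$eh_base" != "$1" ] || { printf '%s\n' "$1"; return 0; }
    is_uint "$eh_first" && is_uint "$eh_last" || return 1
    [ "$eh_first" -le "$eh_last" ] && [ "$eh_last" -le 255 ] || return 1
    eh_out=""
    while [ "$eh_first" -le "$eh_last" ]; do
        eh_out="$eh_out${eh_out:+ }$eh_prefix.$eh_first"
        eh_first=$((eh_first + 1))
    done
    printf '%s\n' "$eh_out"
}

# Constructed sample value holding two space-separated rules.
NAT_FORWARD_TCP='eth0#0/0~22>10.0.0.5 1.2.3.4#0/0~8080:8082>10.0.0.6'
for rule in $NAT_FORWARD_TCP; do
    parse_rule "$rule"
done
```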
  199 
  200 ---------------
  201 | Quick setup |
  202 ---------------
  203 If you want to have it running ASAP or are a novice user, then this is the part
  204 that's important. Remember that my firewall has a lot of other useful features
  205 which will NOT be used in this way. On the other hand, various security
  206 features are enabled by default to protect you from hostile attacks.
  207 
  208 1) First we have to check whether your Linux setup is OK in order to make the
  209    script work correctly:
  210         - It needs iptables and iproute(2) to be installed (probably come 
  211           as packages with your distro).
  212         - It requires a POSIX compliant /bin/sh (should live on any UNIX system
  213           by default)
  214         - My scripts need the following binaries (in your path): 
  215           iptables (obviously), ip (from the iproute package), sysctl, modprobe,
  216           logger, uname, date, awk, tr, grep, sed, cut, head, tail, wc, which,
  217           & cat.
  218         - If you plan to use DNS resolving (eg. for certain plugins) then the
  219           binary 'dig' (from the dnsutils package) or as a fall-back 'nslookup'
  220           should also be available.
  221 
  222 2) Now we need to determine whether you have a single- or dual-homed machine.
  223    Single means you ONLY have one network-interface, which is the one connected
  224    to the outside "evil" world (internet). Dual-homed machines also have a local subnet
  225    connected to an additional network interface.
  226 
  227 3) Run the install script and follow the instructions: ./install.sh
  228 
  229    a) Configure your external network interfaces, EXT_IF. In case of a
  230       dual(multi)-homed it's the interface which is connected to the internet, in
  231       case of a LAN it's the one connected to your network. When you have a
  232       (dynamic) IP assigned to you (by your ISP) via DHCP, you should set
  233       "EXT_IF_DHCP_IP=1", else leave it off (0, default). If you have multiple
  234       (non-aliased) external interfaces, you should specify ALL of them here (space
  235       separated). Note that for aliased interfaces you should only specify the
  236       "parent"-interface in EXT_IF. So if you have eth0, eth0:1 and eth0:2, you
  237       should make EXT_IF="eth0" (only).
  238 
  239    b) When your public IP is assigned to you by your ISP (through DHCP) then you
  240       should enable support for a DHCP-assigned external IP.
  241 
  242    c) Now we configure what ports should be open for the outside world. If you
  243       eg. are running an HTTP-server(port 80), an SSH-server(port 22), and/or
  244       an FTP-server (port 21) which should be accessible from the internet you
  245       should configure the OPEN_TCP / OPEN_UDP variables like this:
  246       OPEN_TCP="21 22 80"
  247       OPEN_UDP=""
  248 
  249    d) For dual-homed machines you should also configure INT_IF, the interface
  250       used for the local network and you should set your local subnet range in
  251       "INTERNAL_NET=". If you want your internal network to be able to access
  252       the internet (aka. internet-sharing), you should also enable NAT
  253       (masquerading) by setting "NAT=1". For single-homed machines (part of a
  254       LAN), you shouldn't touch INT_IF (leave it disabled) and just stick to
  255       using EXT_IF.
  256 
  257 
  258 4) Now your firewall is ready but I'd suggest reviewing this additional info:
  259 
  260    a) In case you use an (A)DSL modem (which works with a PPtP connection to
  261       your machine) you should enable the dsl-ppp-modem plugin (You can verify
  262       this with 'ifconfig', if a ppp device with your public IP exists you
  263       need this).
  264 
  265       We must enable/configure the dsl-ppp-modem plugin via
  266       /etc/arno-iptables-firewall/dsl-ppp-modem.conf by setting ENABLED=1.
  267       Now we must configure the network interface(ethX) to which your modem is
  268       physically connected (=MODEM_IF, which is commented(#) out by default),
  269       and this is NOT ppp+, ppp0 etc.! Here are some examples on how to do it
  270       for some providers (it's assumed that the modem is connected to eth0):
  271 
  272       PPPoE connection with a static public IP (eg. MxStream in the Netherlands)
  273       (setup with the ADSL4Linux package from http://www.adsl4linux.nl):
  274       - MODEM_IF="eth0"
  275       - MODEM_IF_IP="10.0.0.150"
  276       - MODEM_IP="10.0.0.138"              # Make sure this IP corresponds to
  277                                              the one used by your modem!
  278 
  279       T-DSL (Germany) with a dynamic public IP:
  280       - MODEM_IF="eth0"
  281       - MODEM_IF_IP="192.168.99.1"
  282       - MODEM_IP=""
  283 
  284       PPPoA connection with a dynamic public IP:
  285       - MODEM_IF="eth0"
  286       - MODEM_IF_IP=""                     # This MUST be unset("") (default)
  287       - MODEM_IP="10.0.0.138"              # Make sure this IP corresponds to
  288                                              the one used by your modem!
  289 
  290       NOTE 1: For extra security you *can* set the IP of your modem (MODEM_IP),
  291               but it's not necessary (anymore). If you don't know its IP or
  292               believe it doesn't have an IP, you can leave MODEM_IP="".
  293               The same applies for the IP of the modem network interface
  294               (MODEM_IF_IP).
  295 
  296       NOTE 2: If both your modem AND your network interface don't have an IP
  297               you probably don't have to configure your modem settings (at all).
  298 
  299       NOTE 3: In case of a PPPoA (PPP-over-ATM) you MUST leave MODEM_IF_IP
  300               empty(="")!
  301 
  302       NOTE 4: Don't forget to set EXT_IF_DHCP_IP=1 in firewall.conf too, in
  303               case your ISP uses DHCP.
  304 
  305    b) In case you're on a corporate network which uses public IPs I'd suggest adding
  306       your local subnet (range) to "FULL_ACCESS_HOSTS".
  307 
  308    c) Some people mentioned that protocols like IRC or some (older)
  309       FTP/POP3/SMTP servers don't work (properly) if port 113(Identd) is
  310       filtered (firewalled). I really hate the fact that these types of
  311       protocols still depend on the "not-so-secure" IDENT-protocol. But if you
  312       really need it, you can do 2 things to make them work properly:
  313       1) If you don't want to run an IDENT-daemon, simply add port 113 to the
  314          REJECT_TCP-variable (Recommended).
  315       2) Or if you really want to run an IDENT-daemon, you should add port 113
  316          to the OPEN_TCP-variable. (Not recommended)
  317 
  318 5)  You're now ready to start the firewall by issuing:
  319     "/etc/init.d/arno-iptables-firewall start"
  320     Everything should be working OK now, if it doesn't, carefully review all
  321     steps and your configuration. For troubleshooting you can first consult
  322     the FAQs on my webpage.
  323 
  324     NOTE 1: Make sure that when you use NAT, you should properly configure the
  325             client's "default gateway" and the (public) DNS server(s) it should
  326             use! Note that you don't have to setup any proxy settings in eg.
  327             your client's browser.
  328 
  329     NOTE 2: Additional (more advanced) options are (also) explained in the
  330             configuration-file comments and in the QA's on my webpage (eg.
  331             IPSec VPN support).
  332 
  333 
  334 Troubleshooting: What if it doesn't work?:
  335 ------------------------------------------------------------------------------
  336 1)  Check your settings (.conf) at least 10 times. It's quite common for a
  337     human being to make mistakes.
  338     TIPS / Common errors:
  339     - Make sure that EXT_IF, MODEM_IF and/or INT_IF are not the same. If they
  340       are, YOU made a mistake, as they can never EVER be the same!
  341     - Another error I once saw was someone that used something like
  342       "127.0.0.0/24" for his local subnet. "127.0.0.0" is the address of the
  343       local loopback and therefore should never ever appear in the configuration
  344       file!
  345 2)  Obtain the latest version of your (distribution) kernel & iptables.
  346 3)  Make sure your (self-built) kernel supports all required options.
  347 4)  Carefully inspect the output generated when issuing
  348     "arno-iptables-firewall start"
  349 5)  Read the README file at least 3 times
  350 6)  Download the latest (beta) version of my script and check whether this
  351     fixes your problem.
  352 7)  Read the README file one more time and review your .conf-file also one more
  353     time, just in case ;-)
  354 8)  Do NOT send enduser requests to my personal email address, instead post
  355     your question/problem on the firewall mailing list. Provide us with:
  356     - your (firewall) *.conf files
  357     - the screen output of "/usr/local/sbin/arno-iptables-firewall start" 
  358       (or wherever it is located)
  359     - the output of 'ifconfig'
  360     - (firewall) logs
  361     - the version of my script you're using (or date if you use the development
  362       script)
  363     - detailed explanation of your setup
  364     - and anything else that might help
  365     Remember that people that don't obey these rules, get a low, very low
  366     priority, or won't get any reaction at all!
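
The common errors from tip 1 above (plus the quick-setup remark that MODEM_IF is never a ppp device) can be checked mechanically before the firewall is started. This is an added example, not part of AIF: the function names are hypothetical and the sample values at the end are constructed.

```sh
#!/bin/sh
# Added example, not AIF code: lint the mistakes listed under
# troubleshooting tip 1. Function names are hypothetical.

# Print every word that occurs in both space-separated lists.
shared_words() {
    for sw_a in $1; do
        for sw_b in $2; do
            if [ "$sw_a" = "$sw_b" ]; then printf '%s ' "$sw_a"; fi
        done
    done
}

# report_overlap NAME_A NAME_B LIST_A LIST_B
# Print an error and return 1 when both lists name the same interface.
report_overlap() {
    ro_dup=$(shared_words "$3" "$4")
    if [ -z "$ro_dup" ]; then return 0; fi
    printf 'ERROR: %s and %s share interface(s): %s\n' "$1" "$2" "${ro_dup% }"
    return 1
}

# lint_conf EXT_IF INT_IF MODEM_IF INTERNAL_NET
# Prints one "ERROR: ..." line per problem; returns 1 if any was found.
lint_conf() {
    lc_rc=0
    # EXT_IF, INT_IF and MODEM_IF can never be the same interface.
    report_overlap EXT_IF INT_IF   "$1" "$2" || lc_rc=1
    report_overlap EXT_IF MODEM_IF "$1" "$3" || lc_rc=1
    report_overlap INT_IF MODEM_IF "$2" "$3" || lc_rc=1
    # MODEM_IF is the ethX device the modem is wired to, not ppp+/ppp0.
    for lc_if in $3; do
        case $lc_if in
            ppp*)
                printf 'ERROR: MODEM_IF is a ppp device: %s\n' "$lc_if"
                lc_rc=1 ;;
        esac
    done
    # The loopback network must not be configured as a local subnet.
    for lc_net in $4; do
        case $lc_net in
            127.*)
                printf 'ERROR: INTERNAL_NET contains loopback net %s\n' "$lc_net"
                lc_rc=1 ;;
        esac
    done
    return $lc_rc
}

# Constructed sample: values a mis-edited configuration might hold.
EXT_IF="eth0"; INT_IF="eth0"; MODEM_IF="ppp0"; INTERNAL_NET="127.0.0.0/24"
lint_conf "$EXT_IF" "$INT_IF" "$MODEM_IF" "$INTERNAL_NET" ||
    echo "Fix the configuration before starting the firewall."
```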
  367 
  368 
  369 Plugin support
  370 ------------------------------------------------------------------------------
  371 As of version 1.8.7-RC2 my firewall also supports plugins -> little scripts
  372 that implement specific functionality.
  373 
  374 Notes on plugins:
  375 -----------------
  376 1) Plugin config files can be found in /etc/arno-iptables-firewall/plugins/
  377 2) All plugins have an option called "ENABLED" (in their config file) which is
  378    set to 0 by default, meaning it is disabled. So if you actually want to use
  379    a plugin, you have to make ENABLED=1
  380 3) Plugins can have their own additional set of configuration variables, don't
  381    forget to set/review those too.
  382 
  383 Everyone is invited to write their own plugins to implement other things, and
  384 to submit them to us.
  385 
  386 Notes on writing your own plugins
  387 ---------------------------------
  388 1)  When you write your own plugins, make sure you know what you're doing. You
  389     can severely compromise security or break things with buggy plugins.
  390 2)  Submit plugins to me, if you think they can be of use to others, but note
  391     that I always reserve the right to decline the plugin (because it was eg.
  392     poorly written). Submitted plugins must be (at least) compatible with the
  393     GPLv2 license.
  394 3)  The plugin should have/use these variables:
  395     - PLUGIN_NAME (Plugin name/description)
  396     - PLUGIN_VERSION (Plugin version)
  397     - PLUGIN_CONF_FILE (Location of the plugin config file)
  398 
  399     Furthermore it should honour the ENABLED variable from the config-file to
  400     enable/disable the plugin.
  401 
  402     Use one of my plugins as a template(skeleton) for writing your own plugins
  403     (I recommend to have a look at the "SSH Brute-Force protection"-plugin),
  404     in this way it's easier to understand it for me and for others.
  405 4)  Plugins should have a separate config file (.conf) with all user
  406     variables(settings). It should at least contain the "ENABLED="-variable
  407     to enable/disable the plugin.
  408 5)  Plugins should also have a separate file with their CHANGELOG (.changelog)
  409 6)  Plugins should be preferably POSIX shell compatible (eg. work with "Dash")
  410 7)  Plugins can use all variables/functions/chains from the main-script and
  411     main configuration file. Plugin specific configuration variables should be
  412     put inside the plugin's configuration file (.conf).
  413 8)  Make sure that when you create new iptables-chains, they don't conflict
  414     with the main script or other plugins. The same goes for the iptables
  415     MARK-module, make sure that you use a unique MARK-number that doesn't
  416     conflict with other plugins.
  417 9)  Plugins should in principle always clean up their own chains (and
  418     possibly other stuff) they created at start when stopping.
  419 10) A list of available chains created by AIF's main script can be found below.
  420     Note that I strongly recommend NOT to directly use any builtin iptables
  421     chains like INPUT/OUTPUT/FORWARD/PREROUTING/POSTROUTING. Only do this when
  422     it's absolutely necessary!
  423 
  424 
  425 Available iptables chains created by Arno's Iptables Firewall
  426 -------------------------------------------------------------
  427 BASE_INPUT_CHAIN            - Base input chain. For internal use by AIF only!
  428 BASE_OUTPUT_CHAIN           - Base output chain. For internal use by AIF only!
  429 BASE_FORWARD_CHAIN          - Base forward chain. For internal use by AIF only!
  430 INPUT_CHAIN                 - AIF's main INPUT chain. Use this if you want to
  431                               insert rules in the INPUT chain
  432 OUTPUT_CHAIN                - AIF's main OUTPUT chain. Use this if you want to
  433                               insert rules in the OUTPUT chain
  434 FORWARD_CHAIN               - AIF's main FORWARD chain. Use this if you want to
  435                               insert rules in the FORWARD chain
  436 EXT_INPUT_CHAIN             - External-net INPUT chain
  437 EXT_OUTPUT_CHAIN            - External-net OUTPUT chain
  438 EXT_BROADCAST_CHAIN         - External-net chain for broadcast traffic
  439 EXT_MULTICAST_CHAIN         - External-net chain for multicast traffic
  440 EXT_FORWARD_IN_CHAIN        - External-net FORWARD chain for INcoming traffic
  441 EXT_FORWARD_OUT_CHAIN       - External-net FORWARD chain for OUTgoing traffic
  442 EXT_ICMP_FLOOD_CHAIN        - External-net chain where ICMP packets go which
  443                               are considered a "flood"
  444 DMZ_FORWARD_IN_CHAIN        - DMZ FORWARD chain for INcoming traffic
  445 DMZ_FORWARD_OUT_CHAIN       - DMZ FORWARD chain for OUTgoing traffic
  446 DMZ_INET_FORWARD_CHAIN      - DMZ to internet/external-net forward chain
  447 DMZ_INPUT_CHAIN             - DMZ INPUT chain
  448 DMZ_LAN_FORWARD_CHAIN       - DMZ to LAN/internal-net forward chain
  449 DMZ_OUTPUT_CHAIN            - DMZ output chain
  450 INET_DMZ_FORWARD_CHAIN      - External-net(internet) to DMZ forward chain
  451 HOST_BLOCK_SRC              - Chain containing the list of inbound blocked hosts
  452 HOST_BLOCK_DST              - Chain containing the list of outbound blocked hosts
  453 HOST_BLOCK_SRC_DROP         - Chain where packets from dropped inbound blocked hosts go
  454 HOST_BLOCK_DST_DROP         - Chain where packets from dropped outbound blocked hosts go
  455 INT_INPUT_CHAIN             - Internal-net INPUT chain
  456 INT_OUTPUT_CHAIN            - Internal-net OUTPUT chain
  457 LAN_LAN_FORWARD_CHAIN       - LAN to LAN (Inter-LAN) forward chain (AIF private use only)
  458 LAN_INET_FORWARD_CHAIN      - LAN to internet (external net) forward chain
  459 POST_INPUT_CHAIN            - This chain is always processed last(post) in the
  460                               INPUT chain
  461 POST_OUTPUT_CHAIN           - This chain is always processed last(post) in the
  462                               OUTPUT chain
  463 POST_FORWARD_CHAIN          - This chain is always processed last(post) in the
  464                               FORWARD chain
  465 POST_INPUT_DROP_CHAIN       - Packets dropped at the end of the INPUT chain end
  466                               up in this chain (Used for eg. IDS)
  467 RESERVED_NET_CHK            - This chain holds the list of reserved nets to
  468                               check against
  469 SPOOF_CHK                   - This chain contains rules for spoof checking
  470 VALID_CHK                   - This chain contains rules for checking whether a
  471                               packet is valid
  472 NAT_POSTROUTING_CHAIN       - NAT (-t nat) POSTROUTING chain
  473 NAT_PREROUTING_CHAIN        - NAT (-t nat) PREROUTING chain
  474 POST_NAT_POSTROUTING_CHAIN  - This chain is always processed last(post) in the
  475                               NAT (-t nat) POSTROUTING chain
  476 POST_NAT_PREROUTING_CHAIN   - This chain is always processed last(post) in the
  477                               NAT (-t nat) PREROUTING chain
  478 
  479 
  480 Loadbalancing/multirouting (with multiroute masquerade/SNAT)
  481 ------------------------------------------------------------
  482 My firewall also supports multirouting (loadbalancing), optionally in
  483 conjunction with NAT. Although this works with both conventional masquerading
  484 and SNAT, it's strongly recommended to use SNAT. This is because the latter
  485 is known to have a much lower chance of causing problems. Also note that I
  486 haven't found a way (yet) to make this work with dynamic external(internet)
  487 IP's, meaning you need static IP's from your ISP.
  488 
  489 First of all, if you want to use multirouting, make sure that your
  490 (vanilla)-kernel has the following network features enabled (eg. when
  491 building from source):
  492 - CONFIG_IP_ADVANCED_ROUTER=y
  493 - CONFIG_IP_MULTIPLE_TABLES=y
  494 - CONFIG_IP_ROUTE_MULTIPATH=y
  495 
  496 Second, you should configure/enable the multiroute-plugin. And last but not
  497 least, you should setup the firewall: adding (all) the used external
  498 interfaces to EXT_IF. And when SNAT is used, add the corresponding
  499 external IPs to NAT_STATIC_IP. That's it!
  500 
  501 NOTE: Redundant connections are (currently) not supported! This is a limitation
  502 of the (current) Linux kernel (not of my firewall).
  503 
  504 
  505 Info when building your own kernel (2.4 & 2.6) through "make menuconfig":
  506 -------------------------------------------------------------------------------
  507 For the firewall to work properly you need the following options enabled (as
  508 modules or compiled in your kernel):
  509 - "Loadable module support"
  510         - "Enable loadable module support" (If you want to build iptables as
  511            modules)
  512         - "Automatic kernel module loading" (Strongly recommended if you build
  513            iptables as modules) (Only available in newer 2.6 kernels)
  514 - "Networking", "Networking Support", "Networking Options" :
  515         - "Packet socket" (If you want to use dhcp client and/or server)
  516         - "TCP/IP networking"
  517                 - "IP: Multicasting"
  518                 - "IP: advanced router"
  519                         - "IP: policy routing" (If you want to use load
  520                            balancing, eg. multiroute masquerading)
  521                         - "IP: equal cost multipath" (If you want to use load
  522                            balancing, eg. multiroute masquerading)
  523                 - "IP: TCP syncookie support"
  524         - ("Network packet filtering")
  525                 - "Core Netfilter Configuration" (For kernel =>2.6.16)
  526                         - "Netfilter Xtables support (Required for ip_tables)"
  527                                 - "MARK" target support (Only required for
  528                                    special purposes like eg. traffic shaping
  529                                    & kernel 2.6 VPN support)
  530                                 - "conntrack" connection tracking match support
  531                                 - "limit" match support
  532                                 - "mac" address match support (If you want to
  533                                    use MAC filtering)
  534                                 - "state" match support
  535                                 - "tcpmss" match support (If you want to use
  536                                    tcpmss clamping)
  537                 - "IP: Netfilter Configuration":
  538                         - "Connection tracking"
  539                                 - "Connection tracking flow accounting" (If you
  540                                    want to do accounting on your network traffic)
  541                                    (kernel 2.6 only)
  542                                 - "FTP protocol support"
  543                         - "IP tables support" (NOTE: The order of sub-options can
  544                            differ between kernel versions):
  545                                 - "Multiple port match support"
  546                                 - "TOS match support" (If you want to use TOS
  547                                    mangling)
  548                                 - "recent match support" (required for IDS
  549                                    & SSH brute-force protection)
  550                                 - "TTL match support" (If you want to use TTL
  551                                    manipulation)
  552                                 - "limit match support" (kernel <2.6.16)
  553                                 - "MAC address match support" (If you want to
  554                                    use MAC filtering) (kernel <2.6.16)
  555                                 - "Multiple port match support" (kernel <2.6.16)
  556                                 - "tcpmss match support" (If you use tcpmss
  557                                    clamping) (kernel <2.6.16)
  558                                 - "Connection state match support"
  559                                    (Kernel <2.6.16)
  560                                 - "Packet filtering" (kernel <2.6.16)
  561                                         - "REJECT target support"
  562                                 - "LOG target support"
  563                                 - "TCPMSS target support" (If you want to use
  564                                    tcpmss-clamping)
  565                                 - "Full NAT" (If you use NAT/masquerading aka
  566                                    internet-sharing or transparent proxies)
  567                                         - "MASQUERADE target" (If you want to
  568                                            use masquerading)
  569                                         - "REDIRECT target support" (If you
  570                                            want to use port-forwarding,
  571                                            -redirection or transparent proxies)
  572                                 - "Packet mangling"
  573                                         - "TOS target support" (If you want to
  574                                            use TOS mangling)
  575                                         - "MARK target support" (Only required
  576                                            for special purposes like eg. traffic
  577                                            shaping & kernel 2.6 VPN support)
  578                                            (kernel <2.6.16)
  579                                         - "TTL target support" (If you want to
  580                                            use TTL manipulation)
  581 
  582 
  583 Kernel configuration - Special issues
  584 -------------------------------------
  585 Some kernel versions, or series of versions, may have unique issues. Below are
  586 topics related to the scope of this firewall script.
  587 
  588 1) Starting with kernel version 2.6.27, CONFIG_NF_CT_ACCT is deprecated. As a
  589    result, when the "nf_conntrack" module is loaded and the kernel has
  590    CONFIG_NF_CT_ACCT=y set, the following message is displayed:
  591 
  592      "CONFIG_NF_CT_ACCT is deprecated and will be removed soon. Please use
  593      nf_conntrack.acct=1 kernel paramater, acct=1 nf_conntrack module option or
  594      sysctl net.netfilter.nf_conntrack_acct=1 to enable it."
  595 
  596    The message is harmless, and can be safely ignored. The main script also
  597    sets net.netfilter.nf_conntrack_acct=1 in the case CONFIG_NF_CT_ACCT is not
  598    set.
  599 
  600    However, if you find this message annoying, it can be silenced via
  601    "make menuconfig":
  602 
  603        -- Core Netfilter Configuration --
  604      <M> Netfilter connection tracking support
  605      [ ]   Connection tracking flow accounting
  606 
  607    If "Connection tracking flow accounting" can't be disabled, then disabling
  608 
  609      < >   "connbytes" per-connection counter match support
  610 
  611    may be required because of dependencies.  The resulting configuration
  612    settings are:
  613 
  614      CONFIG_NF_CONNTRACK=m
  615      # CONFIG_NF_CT_ACCT is not set
  616      # CONFIG_NETFILTER_XT_MATCH_CONNBYTES is not set
  617 
  618    CONFIG_NF_CT_ACCT was scheduled to be removed in 2.6.29, but has not yet
  619    been removed, as of writing.
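
The following shell functions are an added example, not part of the original README or the AIF scripts. They audit kernel config text against a subset of the option list above and classify the CONFIG_NF_CT_ACCT situation from item 1. The menu-label to CONFIG_ symbol mapping (names as used by kernels >=2.6.16) is an assumption of this example, and the sample config is constructed.

```shell
# Added example: audit kernel config text against part of the README's list.
# Assumption: menu-label -> CONFIG_ symbol mapping for kernels >=2.6.16.
REQUIRED="CONFIG_SYN_COOKIES CONFIG_NETFILTER CONFIG_NETFILTER_XTABLES
CONFIG_NETFILTER_XT_MATCH_CONNTRACK CONFIG_NETFILTER_XT_MATCH_LIMIT
CONFIG_NETFILTER_XT_MATCH_STATE CONFIG_NF_CONNTRACK CONFIG_IP_NF_IPTABLES CONFIG_IP_NF_TARGET_REJECT"

# Constructed sample config (not taken from a real system).
sample_config() {
cat <<'EOF'
CONFIG_SYN_COOKIES=y
CONFIG_NETFILTER=y
CONFIG_NETFILTER_XTABLES=m
CONFIG_NF_CONNTRACK=m
CONFIG_NF_CT_ACCT=y
CONFIG_NETFILTER_XT_MATCH_CONNBYTES=m
CONFIG_NETFILTER_XT_MATCH_STATE=m
# CONFIG_NETFILTER_XT_MATCH_LIMIT is not set
CONFIG_IP_NF_IPTABLES=m
EOF
}

# kconfig_state CONFIG_TEXT SYMBOL: prints y, m or n (n = "is not set" or absent).
kconfig_state() {
    ks_val=$(printf '%s\n' "$1" | sed -n "s/^$2=\([ym]\)\$/\1/p" | head -n 1)
    echo "${ks_val:-n}"
}

# missing_options CONFIG_TEXT: prints the required symbols that are neither y nor m.
missing_options() {
    mo_out=""
    for mo_sym in $REQUIRED; do
        if [ "$(kconfig_state "$1" "$mo_sym")" = n ]; then
            mo_out="$mo_out $mo_sym"
        fi
    done
    echo "${mo_out# }"
}

# acct_status CONFIG_TEXT: classifies the CONFIG_NF_CT_ACCT case described in item 1.
acct_status() {
    if [ "$(kconfig_state "$1" CONFIG_NF_CT_ACCT)" = n ]; then
        echo silent            # no message; accounting is enabled at runtime via sysctl
    elif [ "$(kconfig_state "$1" CONFIG_NETFILTER_XT_MATCH_CONNBYTES)" = n ]; then
        echo warns             # message appears; flow accounting can be switched off
    else
        echo warns-connbytes   # "connbytes" match must be disabled as well
    fi
}
echo "missing: $(missing_options "$(sample_config)"); acct: $(acct_status "$(sample_config)")"
```

To audit a real kernel, pass the contents of its config file as the first argument instead of the sample, for example "$(cat .config)" from the kernel source tree.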