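#!/bin/sh
###################### ipchains rules #########################
# (c) Yunliang Yu
#
# Packet-filter rules for the external interface(s) matched by
# $eth. Builds the input chain (anti-spoofing, limited ICMP,
# ident handling, return traffic only, logged catch-all DENY)
# and an output chain that blocks a few well-known local
# services from being reached over the external interface.
#
# Usage: run as root; there are no arguments.
#
# This script never sets a chain policy (no `ipchains -P`), so
# whatever policy the chains already have applies to any packet
# not matched below, and to all packets during the window
# between the flush and the final catch-all rule.
# NOTE(review): with a default ACCEPT policy that window is open;
# confirm the policy or move the DENY earlier if that matters.
###############################################################

# Abort on the first rule ipchains refuses rather than silently
# continuing with a ruleset that is missing entries.
set -eu

readonly eth="eth+"          # external interface(s); "+" is an ipchains wildcard
readonly myip="xxxxxxxxx"    # placeholder: this host's external address
readonly anyip="xxxxxx/xx"   # placeholder: address/mask used as "any" below
readonly dns="xxxxxxxxxx"    # placeholder: host whose ident probes get a REJECT

#######################################
# Print the current rules, then empty all three built-in chains.
# Globals:   none written
# Outputs:   current rule listing to stdout
#######################################
flush_rules() {
  ipchains -L
  ipchains -F input
  ipchains -F output
  ipchains -F forward
}

#######################################
# Populate the input chain. Order matters: ipchains stops at the
# first matching rule, so the logged catch-all DENY must stay last.
# Globals:   eth, myip, anyip, dns (read)
#######################################
input_rules() {
  # Anti-spoofing: our own address arriving from outside is logged and dropped.
  ipchains -A input -i "$eth" -s "$myip" -l -j DENY

  # No IGMP from the outside.
  ipchains -A input -p igmp -i "$eth" -j DENY

  # ICMP: drop fragments first (ping-of-death style), then allow only
  # destination-unreachable and echo-reply, deny the rest.
  # (`ipchains -h icmp` lists all type names.)
  ipchains -A input -p icmp -f -j DENY -i "$eth"
  # Never block type 3; path-MTU discovery and connection errors depend on it.
  ipchains -A input -p icmp -j ACCEPT --icmp-type destination-unreachable -d "$myip" -i "$eth"
  # Replies to our own outbound pings.
  ipchains -A input -p icmp -j ACCEPT --icmp-type echo-reply -d "$myip" -i "$eth"
  ipchains -A input -p icmp -j DENY -i "$eth"

  # Auth (identd, 113/tcp): REJECT instead of DENY so the peer gets an
  # immediate refusal instead of waiting for a timeout. Only probes from
  # $dns get this treatment; ident from any other host falls through to
  # the logged catch-all DENY below.
  ipchains -A input -p tcp -j REJECT -s "$dns" 1024: -i "$eth" -d "$myip" 113

  # Return traffic for ssh sessions we initiate: non-SYN packets from
  # remote port 22 to local ports 513 and up. This does not admit new
  # connections to port 22 on this host (those hit the catch-all).
  ipchains -A input -p tcp \! -y -j ACCEPT -d "$myip" 513: -i "$eth" -s "$anyip" 22

  # Everything else inbound is denied except established (non-SYN) TCP and
  # UDP to unprivileged ports, i.e. replies to connections we opened.
  ipchains -A input -p tcp \! -y -j ACCEPT -i "$eth" -d "$myip" 1024:
  ipchains -A input -p udp -j ACCEPT -i "$eth" -d "$myip" 1024:

  # Drop the noisy, well-known cases without logging so the log of the
  # catch-all rule stays readable: limited broadcast and NetBIOS 137/138.
  ipchains -A input -j DENY -i "$eth" -d 255.255.255.255
  # NOTE(review): this rule gives a port range with no -p; confirm ipchains
  # accepts ports without a protocol, otherwise add -p udp here.
  ipchains -A input -j DENY -i "$eth" -d 0.0.0.0/0 137:138

  # Catch-all: anything else inbound on $eth is logged and denied.
  ipchains -A input -i "$eth" -l -j DENY
}

#######################################
# Populate the output chain: deny packets leaving $eth with source ports
# of local services that must not be reachable from outside.
# NOTE(review): these match on *source* port only, so an outbound client
# connection that happens to use one of these ports as its local port is
# blocked too — confirm that is acceptable.
# Globals:   eth, anyip (read)
#######################################
output_rules() {
  # kdm 1024/tcp, nterm 1026/tcp
  ipchains -A output -p tcp -j DENY -i "$eth" -s "$anyip" 1024:1026
  # X windows 6000-6010
  ipchains -A output -p tcp -j DENY -i "$eth" -s "$anyip" 6000:6010
  # xdmcp 177/udp/tcp
  ipchains -A output -p udp -j DENY -i "$eth" -s "$anyip" 177
  ipchains -A output -p tcp -j DENY -i "$eth" -s "$anyip" 177
  # portmapper, rpcbind
  ipchains -A output -p tcp -j DENY -i "$eth" -s "$anyip" 111
  ipchains -A output -p udp -j DENY -i "$eth" -s "$anyip" 111
  # NFS servers 2049/tcp/udp, mount 635/udp, lockd 4045/tcp/udp, pcnfs 640/udp
  ipchains -A output -p tcp -j DENY -i "$eth" -s "$anyip" 2049
  ipchains -A output -p udp -j DENY -i "$eth" -s "$anyip" 2049
  ipchains -A output -p tcp -j DENY -i "$eth" -s "$anyip" 4045
  ipchains -A output -p udp -j DENY -i "$eth" -s "$anyip" 4045
  ipchains -A output -p udp -j DENY -i "$eth" -s "$anyip" 635:640
  # Catch-all for the output chain is intentionally left to the chain's
  # existing policy; the explicit ACCEPT is kept here commented out.
  #ipchains -A output -i "$eth" -j ACCEPT
}

main() {
  flush_rules
  input_rules
  output_rules
}

main "$@"
###################### ipchains rules #########################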