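#!/bin/sh
#
# Egress Filtering
# ----------------
# egress filtering, or the filtering of outbound traffic
#
# Excerpt from:
#   http://www.incidents.org/protect/egress.php
#
# 02-Apr-02 amo Date-of-Birth
#
# Egress (and some other) filtering
# (Concepts also taken from "Linux Firewalls" by Robert Ziegler)
#
# Have 4 subnets: (the example uses the non-routable 172.31, but in reality
# this would be our class B)
#
#   172.31.45.0/24
#   172.31.49.0/24
#   172.31.54.0/24
#   172.31.55.0/24
#
# eth0 is connected to the external network ("the world")
# eth1 is connected to the internal network ("us")
#
# What this script does: installs anti-spoofing rules on a dual-homed
# ipchains box.  A packet is dropped (and usually logged) when it arrives on
# an interface carrying a source or destination address that could not
# legitimately be seen there: loopback, bogus broadcast, RFC 1918 private
# ranges, or our own subnets coming in from outside.  Everything else is
# accepted on input and forwarded.
#
# Requirements: root, and the ipchains tool (Linux 2.2-era; on a modern host
# the same rules must be expressed with iptables/nftables).  Run from the
# console: the input policy is set to DENY before the accept rules exist,
# so a remote session can be cut off for the duration of the run.
#
# Fix relative to the original: the loopback network was defined as
# LOOBBACK (typo) but referenced as $LOOPBACK, so the loopback DENY rules
# were installed with an empty -s/-d argument.  The variable is now spelled
# LOOPBACK, and `set -u` turns any future mismatch into an immediate error
# instead of a silently wrong rule.  Every expansion is quoted, and the
# "to loopback" check is now applied on the external interface as well, as
# the original comment already promised.

set -eu

# Abort before touching any rule if the tool is missing: a half-installed
# ruleset is worse than none.
command -v ipchains >/dev/null 2>&1 || {
  printf '%s: ipchains not found in PATH\n' "${0##*/}" >&2
  exit 1
}

# Defines:
LOOPBACK_INTERFACE="lo"
EXTERNAL_INTERFACE="eth0"   # them
LOCAL_INTERFACE="eth1"      # us
MY_IP="172.31.54.17"        # this box

LOCAL_NET_45="172.31.45.0/24"
LOCAL_NET_49="172.31.49.0/24"
LOCAL_NET_54="172.31.54.0/24"
LOCAL_NET_55="172.31.55.0/24"

LOOPBACK="127.0.0.0/8"
BROADCAST_SRC="0.0.0.0"
BROADCAST_DEST="255.255.255.255"
# shellcheck disable=SC2034 -- kept from the original for reference, not used
ALL_IPS="any/0"

# RFC 1918 private ranges; never a legitimate destination leaving our nets.
PRIV_A="10.0.0.0/8"
PRIV_B="172.16.0.0/12"
PRIV_C="192.168.0.0/16"

# flush any pre-existing rules
ipchains -F

# Default is to deny everything inbound; whatever we do accept into the box
# may be output and forwarded freely
ipchains -P input DENY
ipchains -P output ACCEPT
ipchains -P forward ACCEPT

# Let the box talk to itself
ipchains -A input  -i "$LOOPBACK_INTERFACE" -j ACCEPT
ipchains -A output -i "$LOOPBACK_INTERFACE" -j ACCEPT

# Pitch anything from or to the loopback address on a real interface.
# (-l is the ipchains log flag; the external source-side rule is kept
# unlogged as in the original.)
ipchains -A input -i "$EXTERNAL_INTERFACE" -s "$LOOPBACK" -j DENY
ipchains -A input -i "$EXTERNAL_INTERFACE" -d "$LOOPBACK" -j DENY -l
ipchains -A input -i "$LOCAL_INTERFACE"    -s "$LOOPBACK" -j DENY -l   # And log it
ipchains -A input -i "$LOCAL_INTERFACE"    -d "$LOOPBACK" -j DENY -l

# Reject anything with bogus broadcast addresses
ipchains -A input -i "$EXTERNAL_INTERFACE" -s "$BROADCAST_DEST" -j REJECT -l
ipchains -A input -i "$EXTERNAL_INTERFACE" -d "$BROADCAST_SRC"  -j REJECT -l
ipchains -A input -i "$LOCAL_INTERFACE"    -s "$BROADCAST_DEST" -j REJECT -l
ipchains -A input -i "$LOCAL_INTERFACE"    -d "$BROADCAST_SRC"  -j REJECT -l

# Deny and log any attempts from outside to connect to this box
ipchains -A input -i "$EXTERNAL_INTERFACE" -d "$MY_IP" -j DENY -l

# Pitch anything from inside addressed to non-routable addresses (and log it!)
ipchains -A input -i "$LOCAL_INTERFACE" -d "$PRIV_A" -j DENY -l
ipchains -A input -i "$LOCAL_INTERFACE" -d "$PRIV_B" -j DENY -l
ipchains -A input -i "$LOCAL_INTERFACE" -d "$PRIV_C" -j DENY -l

# Now, accept any remaining packets having a valid source address
# (ie, one of our subnets).  This is the egress half: anything from inside
# that is NOT sourced from our nets falls through to the DENY policy.
ipchains -A input -i "$LOCAL_INTERFACE" -s "$LOCAL_NET_45" -j ACCEPT
ipchains -A input -i "$LOCAL_INTERFACE" -s "$LOCAL_NET_49" -j ACCEPT
ipchains -A input -i "$LOCAL_INTERFACE" -s "$LOCAL_NET_54" -j ACCEPT
ipchains -A input -i "$LOCAL_INTERFACE" -s "$LOCAL_NET_55" -j ACCEPT

# Or pass packets having a broadcast dest address
ipchains -A input -i "$LOCAL_INTERFACE" -d "$BROADCAST_DEST" -j ACCEPT

# Pitch (and log) any packets coming to the external interface but with a
# source ip of one of our nets
ipchains -A input -i "$EXTERNAL_INTERFACE" -s "$LOCAL_NET_45" -j DENY -l
ipchains -A input -i "$EXTERNAL_INTERFACE" -s "$LOCAL_NET_49" -j DENY -l
ipchains -A input -i "$EXTERNAL_INTERFACE" -s "$LOCAL_NET_54" -j DENY -l
ipchains -A input -i "$EXTERNAL_INTERFACE" -s "$LOCAL_NET_55" -j DENY -l

# Other rules would go here, but for the purpose of preventing spoofed
# packets what is left should be OK
ipchains -A input -i "$EXTERNAL_INTERFACE" -d "$LOCAL_NET_45"   -j ACCEPT
ipchains -A input -i "$EXTERNAL_INTERFACE" -d "$LOCAL_NET_49"   -j ACCEPT
ipchains -A input -i "$EXTERNAL_INTERFACE" -d "$LOCAL_NET_54"   -j ACCEPT
ipchains -A input -i "$EXTERNAL_INTERFACE" -d "$LOCAL_NET_55"   -j ACCEPT
ipchains -A input -i "$EXTERNAL_INTERFACE" -d "$BROADCAST_DEST" -j ACCEPT

# (Ziegler notes that about 50 IANA reserved addresses should also not be
# forwarded - see p 74,5)

# end of file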