Scenario One:
=========
Internet external network interface: eth0
Internal private network interface: eth1
Local loopback virtual interface: lo
Gateway script for ipchains firewall and NAT:
#!/bin/sh
# Flush Rules
ipchains -F forward
ipchains -F output
ipchains -F input
# Set default to deny all
ipchains -P input DENY
ipchains -P output DENY
ipchains -P forward DENY
# Add Rules
# Accept packets from itself (localhost) (s)ource to itself (d)estination
# Keeps system logging, X-Windows or any socket based service working.
ipchains -A input -j ACCEPT -p all -s localhost -d localhost -i lo
ipchains -A output -j ACCEPT -p all -s localhost -d localhost -i lo
# Deny and log (option -l) spoofed packets arriving on the external interface (eth0)
# which claim an internal IP address or the loopback address. ipchains stops at the
# first matching rule, so these rejects must come before the broader ACCEPT rules below.
ipchains -A input -j REJECT -p all -s 192.168.10.0/24 -i eth0 -l
ipchains -A input -j REJECT -p all -s localhost -i eth0 -l
# Accept requests/responses from/to your own firewall machine
ipchains -A input -j ACCEPT -p all -d XXX.XXX.XXX.XXX -i eth0
ipchains -A output -j ACCEPT -p all -s XXX.XXX.XXX.XXX -i eth0
# Allow traffic between the internal network (eth1) and the firewall: packets from the LAN
# arrive with a 192.168.10.x (s)ource; replies leave eth1 with a 192.168.10.x (d)estination
ipchains -A input -j ACCEPT -p all -s 192.168.10.0/24 -i eth1
ipchains -A output -j ACCEPT -p all -d 192.168.10.0/24 -i eth1
# Masquerade (NAT) packets from the internal network as they are forwarded to the internet
ipchains -A forward -s 192.168.10.0/24 -j MASQ
ipchains -A forward -i eth1 -j MASQ
# Enable packet forwarding
echo 1 > /proc/sys/net/ipv4/ip_forward
Notes:
For this example it was assumed that your private network is from 192.168.10.0 to 192.168.10.255
The -d 0.0.0.0/0 refers to all or any destination address of a packet (the destination is irrelevant in this case and the -d statement may be omitted).
localhost refers to your loopback interface on 127.0.0.1
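Because ipchains stops at the first matching rule, the order of the anti-spoofing rejects relative to the broad ACCEPT for the firewall's own address decides whether a spoofed packet gets through. The following is an added example, not code from the original post: it parses ipchains lines into a ruleset and applies first-match evaluation to a sample packet offline, so a ruleset can be checked before it is loaded. The rule excerpts are constructed and 203.0.113.5 stands in for the page's XXX.XXX.XXX.XXX.

```python
"""Offline first-match evaluator for ipchains rulesets (added example, not code
from the original post). ipchains takes the first matching rule in a chain and falls
back to the chain policy (-P), so rule ORDER is part of the policy."""
import ipaddress
import shlex

def _net(spec):  # 'localhost', 'a.b.c.d' or 'a.b.c.d/n' -> ip_network
    return ipaddress.ip_network("127.0.0.1" if spec == "localhost" else spec, strict=False)

def parse_ruleset(script):
    """Return {chain: {'policy': TARGET, 'rules': [opts, ...]}} from 'ipchains ...' lines."""
    chains = {}
    for line in script.splitlines():
        argv = shlex.split(line.split("#", 1)[0])
        if len(argv) < 3 or argv[0] != "ipchains":
            continue  # blank line, comment, or a non-ipchains line such as 'echo 1 > ...'
        cmd, chain, args = argv[1], argv[2], argv[3:]
        entry = chains.setdefault(chain, {"policy": "DENY", "rules": []})
        if cmd == "-P":                   # -P chain POLICY
            entry["policy"] = args[0]
        elif cmd == "-A":                 # -A chain -j T [-p P] [-s S] [-d D] [-i IF] [-l]
            opts, i = {}, 0
            while i < len(args):
                if args[i] == "-l":       # -l (log) takes no argument
                    opts["log"], i = True, i + 1
                else:
                    opts[args[i]], i = args[i + 1], i + 2
            entry["rules"].append(opts)
    return chains

def evaluate(chains, chain, src, dst, iface):
    """Target of the first rule matching (src, dst, iface), else the chain policy."""
    for r in chains[chain]["rules"]:
        if "-s" in r and ipaddress.ip_address(src) not in _net(r["-s"]): continue
        if "-d" in r and ipaddress.ip_address(dst) not in _net(r["-d"]): continue
        if "-i" in r and r["-i"] != iface: continue
        return r["-j"]
    return chains[chain]["policy"]

# Constructed input-chain excerpts; 203.0.113.5 is a stand-in for the firewall's XXX.XXX.XXX.XXX.
SPOOF_LAST = """ipchains -P input DENY
ipchains -A input -j REJECT -p all -s 192.168.10.0/24 -i eth0 -l
ipchains -A input -j ACCEPT -p all -d 203.0.113.5 -i eth0
ipchains -A input -j REJECT -p all -s localhost -i eth0 -l"""
_l = SPOOF_LAST.splitlines()
SPOOF_FIRST = "\n".join(_l[:2] + [_l[3], _l[2]])  # loopback reject moved before the broad accept

def spoofed_loopback_verdicts():
    """Verdicts for a packet arriving on eth0 that claims 127.0.0.1 as its source."""
    return tuple(evaluate(parse_ruleset(s), "input", "127.0.0.1", "203.0.113.5", "eth0")
                 for s in (SPOOF_LAST, SPOOF_FIRST))
```

With the loopback reject placed after the accept the spoofed packet is accepted; with the reject first it is rejected and logged, which is the ordering the script above uses.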