Originally by Jan Rękorajski <baggins@pld-linux.org>
ipv4_ads_killer by Sergiusz Pawłowicz <ser@it-zone.org>
Currently maintained by Mariusz Mazur <mmazur@kernel.pl>

PREAMBLE:
As of version 2.99.0 this package is distributed under the GNU GPL; the BSD
license applies to all previous versions.

firewall-init HOWTO

I. What is it?

Firewall-init provides a SysV-init style start-up script and /etc/sysconfig
control over the kernel IP packet filter, using iptables(8). In other words,
instead of having to write your own firewalling script to be run by init, or
having to shove all of your rules into rc.local, you can use the configuration
files provided.

II. What does it include?

The base package comes with the following files:
<file>					<description>
/etc/rc.d/init.d/firewall		-- initscript that starts/stops firewalling.
/etc/sysconfig/firewall			-- main control file.
/etc/sysconfig/firewall.d/functions	-- shell function library
/etc/sysconfig/firewall.d/functions.rules -- definitions of additional chains
/etc/sysconfig/firewall.d/ipv4		-- directory holding 'direction policy' files.
/etc/sysconfig/firewall.d/ipv6		-- directory holding 'direction policy' files.
/usr/share/doc/firewall-init-*/README	-- this file.

III. /etc/rc.d/init.d/firewall

This script controls starting and stopping the firewall and must be called with
one option: start or stop. It runs after networking in the start run-levels (so
that rpcinfo (portmap) can be used to detect services that do not listen on a
fixed port number) and after networking in the stop run-levels. First it checks
in /etc/sysconfig/firewall whether firewalling should be turned on at all and,
if so, sets the default policies from that file. Following that it sets any
further policies and rules found in /etc/sysconfig/firewall.d/$proto/$table.

IV. /etc/sysconfig/firewall

The format for this file is:

# Controls whether the firewall should be started
FIREWALL=(yes|no)

# Location of programs/configuration files
FIREWALL_DIR="/etc/sysconfig/firewall.d"

iptables="/usr/sbin/iptables"
iptsave="/usr/sbin/iptables-save"
iptrestore="/usr/sbin/iptables-restore"

ip6tables="/usr/sbin/ip6tables"
ip6tsave="/usr/sbin/ip6tables-save"
ip6trestore="/usr/sbin/ip6tables-restore"

# Which tables you want set up for IPv4 (filter, nat, mangle, raw)
# list of files, <space> separated
ipv4_TABLES="filter nat"

# Which tables you want set up for IPv6 (filter, mangle)
ipv6_TABLES=

# Connection tracking (defaults to yes as it's VERY useful also on non-NAT boxes)
CONNTRACK="yes"

# Which conntrack modules to load, can be "all" (old default), "none" or a list
#CONNTRACK_MODULES="all"
#CONNTRACK_MODULES="ftp irc"
# Which conntrack modules not to load (mms cannot be unloaded)
#CONNTRACK_MODULES_BLACKLIST="mms"

# Which IPv4 nat modules to load, can be "all" (old default), "none" or a list
#NAT_MODULES="all"
#NAT_MODULES="ftp irc"

# The ftp/irc options have been removed;
# set them via /etc/modprobe.conf

# Size (number of entries) of hash table for connection tracking
# default is 1/16384 of memory
CONNTRACK_HASHSIZE=

# Policies for chains ($proto_$table_$CHAIN):
# IPv4:
ipv4_filter_INPUT="ACCEPT"
ipv4_filter_OUTPUT="ACCEPT"
ipv4_filter_FORWARD="DROP"

ipv4_nat_OUTPUT="ACCEPT"
ipv4_nat_PREROUTING="ACCEPT"
ipv4_nat_POSTROUTING="ACCEPT"

ipv4_mangle_INPUT="ACCEPT"
ipv4_mangle_OUTPUT="ACCEPT"
ipv4_mangle_FORWARD="ACCEPT"
ipv4_mangle_PREROUTING="ACCEPT"
ipv4_mangle_POSTROUTING="ACCEPT"

ipv4_raw_OUTPUT="ACCEPT"
ipv4_raw_PREROUTING="ACCEPT"

# IPv6:
ipv6_filter_INPUT="ACCEPT"
ipv6_filter_OUTPUT="ACCEPT"
ipv6_filter_FORWARD="DROP"

ipv6_mangle_INPUT="ACCEPT"
ipv6_mangle_OUTPUT="ACCEPT"
ipv6_mangle_FORWARD="ACCEPT"
ipv6_mangle_PREROUTING="ACCEPT"
ipv6_mangle_POSTROUTING="ACCEPT"

ipv6_raw_OUTPUT="ACCEPT"
ipv6_raw_PREROUTING="ACCEPT"

V. Firewalls: /etc/sysconfig/firewall.d/$proto/$table

NOTE: These files are shell scripts for POSIX compliant /bin/sh.

First, in each of these files you must define the chains of the table, like this:

CHAINS="INPUT OUTPUT FORWARD"

Each of these files must contain one function per chain, which the main code
calls; these functions must be named like this:

$proto_$table_$CHAIN_rules()
{
# Your rules here
}

where:
$proto is ipv4 or ipv6
$table is the name of the table (ipv4: filter, nat, mangle, raw;
				 ipv6: filter, mangle)
$CHAIN is the chain name (depends on the table)

So, for example, the function containing rules for the INPUT chain of the IPv4
filter table will look like this:

ipv4_filter_INPUT_rules()
{
	# a sample firewall rule: reject everything not coming from localhost
	# (the negation goes before the option; "-s ! addr" is the old, deprecated form)
	$iptables -A INPUT ! -s 127.0.0.1 -j REJECT
}

VI. Example

The files in /etc/sysconfig/firewall.d/ in the distribution contain commented
out example rules.

VII. Masquerading

Masquerading an internal network through a host is accomplished using the nat
table's POSTROUTING chain. So, to masquerade the internal network
192.168.0.0/24 (one of the private address ranges), place the following function
in /etc/sysconfig/firewall.d/ipv4/nat:

ipv4_nat_POSTROUTING_rules()
{
	$iptables -t nat -A POSTROUTING -s 192.168.0.0/24 -j MASQUERADE
	# or, if you know your gateway's external IP, use SNAT instead of
	# MASQUERADE (one or the other, not both: the first match terminates):
	#$iptables -t nat -A POSTROUTING -s 192.168.0.0/24 -j SNAT --to-source 192.168.1.1

	# Dropping everything else here used to work, but current iptables
	# refuses DROP in the nat table ("not intended for filtering");
	# do that kind of filtering in the filter table's FORWARD chain instead.
	#$iptables -t nat -A POSTROUTING -j DROP
}

Be warned that, unlike in ipchains, masquerading is NOT done in FORWARD but
after the packet has been routed, so packets to be masqueraded still have to
pass the FORWARD chain first; with a FORWARD policy of DROP they never reach
POSTROUTING ;)
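The following is an added, self-contained example (not code shipped with
firewall-init) that puts sections V and VII together: the ipv4/filter and
ipv4/nat files of a small masquerading gateway written in the per-table format
described above, plus a tiny dispatcher that walks $CHAINS and calls each
$proto_$table_$CHAIN_rules function. The dispatcher is my assumption about what
the init script does, not its actual code; the interface names and the LAN
prefix are constructed sample values; and $iptables is pointed at a dry-run
shim that only prints the commands, so the block runs anywhere without touching
the live firewall. The FORWARD rules are what lets the LAN traffic through when
ipv4_filter_FORWARD="DROP", which is the point of the warning above.

```sh
#!/bin/sh
# Added example: a masquerading gateway in firewall-init's per-table file
# format, run through a dry-run dispatcher. Not the project's own code.
# Constructed sample values:
LAN_IF="eth1"
WAN_IF="eth0"
LAN_NET="192.168.0.0/24"

# Dry-run shim standing in for iptables="/usr/sbin/iptables" from
# /etc/sysconfig/firewall: prints the command instead of executing it.
iptables="fake_iptables"
fake_iptables() { echo "iptables $*"; }

# --- what /etc/sysconfig/firewall.d/ipv4/filter would contain ---
# (in the real file the variable is simply CHAINS; prefixed here because
# both files live in one script)
filter_CHAINS="INPUT OUTPUT FORWARD"

ipv4_filter_INPUT_rules()
{
	$iptables -A INPUT -i lo -j ACCEPT
	$iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
	$iptables -A INPUT -i $LAN_IF -p tcp --dport 22 -j ACCEPT
	$iptables -A INPUT -m state --state INVALID -j DROP
	# anything else falls through to the ipv4_filter_INPUT policy
}

ipv4_filter_OUTPUT_rules()
{
	: # nothing beyond the ACCEPT policy
}

# NAT happens after routing, so LAN traffic must first pass FORWARD;
# with ipv4_filter_FORWARD="DROP" these two rules are what lets it out
# and lets the replies back in.
ipv4_filter_FORWARD_rules()
{
	$iptables -A FORWARD -i $LAN_IF -o $WAN_IF -s $LAN_NET -j ACCEPT
	$iptables -A FORWARD -i $WAN_IF -o $LAN_IF -m state --state ESTABLISHED,RELATED -j ACCEPT
}

# --- what /etc/sysconfig/firewall.d/ipv4/nat would contain ---
nat_CHAINS="PREROUTING POSTROUTING OUTPUT"

ipv4_nat_PREROUTING_rules() { :; }
ipv4_nat_OUTPUT_rules() { :; }

ipv4_nat_POSTROUTING_rules()
{
	# only rewrite what leaves on the WAN side, not LAN-to-LAN traffic
	$iptables -t nat -A POSTROUTING -s $LAN_NET -o $WAN_IF -j MASQUERADE
}

# Dispatcher (assumed behaviour of /etc/rc.d/init.d/firewall): for every
# chain listed, call the matching $proto_$table_$CHAIN_rules function if
# it is defined, otherwise warn.
apply_table()
{
	proto="$1"; table="$2"; chains="$3"
	for chain in $chains; do
		fn="${proto}_${table}_${chain}_rules"
		if command -v "$fn" >/dev/null 2>&1; then
			"$fn"
		else
			echo "warning: no $fn defined" >&2
		fi
	done
}

# Number of iptables commands a table would issue (handy for checking
# a configuration before enabling it).
count_rules()
{
	apply_table ipv4 "$1" "$2" | grep -c '^iptables '
}

apply_table ipv4 filter "$filter_CHAINS"
apply_table ipv4 nat "$nat_CHAINS"
```

Run it with `sh` to see the exact iptables invocations the two files would
produce; a chain listed in CHAINS without a matching function only yields a
warning on stderr, which mirrors how a typo in a function name silently leaves a
chain with nothing but its policy.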

VIII. Logging

Errors from iptables(8) because of improper rules are logged to syslogd with a
priority of user.notice.

IX. Ads

In the 'mangle' and 'filter' IPv4 tables you can uncomment the ipv4_ads_killer
function. It takes its arguments from the file
/etc/sysconfig/firewall.d/ads.hosts; each line names one unwanted advertisement
host, which the firewall then blocks.

X. Trojan killer

In the 'filter' IPv4 table you can uncomment ipv4_trojan_killer. It takes one
argument, either INPUT or FORWARD, which specifies in which chain the trojan
killer rules should be created. This function takes its port lists from the
/etc/sysconfig/firewall.d/trojan.ports file. Each line can contain up to 15
comma-separated ports, which will be blocked by the firewall. Remember, there
can't be more than 15 ports on a line, because of multiport module limitations.
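As an added example, not the ipv4_trojan_killer shipped in functions.rules, the
block below is an illustrative re-implementation of the idea: it reads a
trojan.ports-style file, validates each line against the multiport limit (1 to
15 numeric ports, each in 1..65535) before handing it to iptables, and emits one
DROP rule per valid line into INPUT or FORWARD. Invalid lines are skipped with a
message rather than passed on, where they would fail and end up in syslog at
user.notice. The sample file is constructed inline and $iptables points at a
dry-run shim, so the block runs without changing any firewall.

```sh
#!/bin/sh
# Added example: building multiport DROP rules from a trojan.ports-style
# file while enforcing the 15-ports-per-line limit of the multiport match.
# Illustrative re-implementation, not the project's ipv4_trojan_killer.

# Dry-run shim standing in for iptables from /etc/sysconfig/firewall.
iptables="fake_iptables"
fake_iptables() { echo "iptables $*"; }

# Return 0 if LINE is a valid multiport list: 1..15 comma-separated
# port numbers, each in 1..65535, no empty fields.
multiport_ok()
{
	line="$1"
	oldifs="$IFS"; IFS=,
	set -- $line
	IFS="$oldifs"
	[ $# -ge 1 ] && [ $# -le 15 ] || return 1
	for p in "$@"; do
		case "$p" in
			''|*[!0-9]*) return 1 ;;
		esac
		[ "$p" -ge 1 ] && [ "$p" -le 65535 ] || return 1
	done
	return 0
}

# Emit one DROP rule per valid line of FILE into CHAIN (INPUT or FORWARD).
# Comments (#) and blanks are stripped; invalid lines are reported on
# stderr and skipped instead of being handed to iptables.
trojan_killer_rules()
{
	chain="$1"; file="$2"
	case "$chain" in
		INPUT|FORWARD) ;;
		*) echo "trojan_killer_rules: chain must be INPUT or FORWARD" >&2; return 1 ;;
	esac
	while IFS= read -r line || [ -n "$line" ]; do
		line="${line%%#*}"
		line="$(printf '%s' "$line" | tr -d ' \t')"
		[ -z "$line" ] && continue
		if multiport_ok "$line"; then
			$iptables -A "$chain" -p tcp -m multiport --dports "$line" -j DROP
		else
			echo "skipping invalid port list: $line" >&2
		fi
	done < "$file"
}

# Constructed sample trojan.ports: two good lines, one with 16 ports
# (over the multiport limit) and one with an out-of-range port.
SAMPLE_PORTS="$(mktemp)"
cat > "$SAMPLE_PORTS" <<'EOF'
# sample file, constructed for this example
31337,12345,12346
6667, 6668
1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16
65536
EOF

trojan_killer_rules INPUT "$SAMPLE_PORTS"
```

Running it prints two iptables commands and two "skipping" messages on stderr;
the same validation applied to ads.hosts (one host per line) would catch the
analogous mistake of a line that is not a single address or name.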
