Masqing a Win2k Box


aph3x
02-13-2001, 01:40 AM
i am near the point of giving up on getting this ip masquerading working properly... :mad:

here's the dealio:

i have a SuSE box masqing a win2k box and have it set up (i thought) to allow http, ftp, telnet, ident, and a few others... the SuSE is on a ppp dial-up and eth0 is the internal NIC on SuSE connected via a hub to win2k.

i can ping eth0, ppp0, external IP's and DNS names from both boxes. however, when i try to connect to the web with IE on win2k, it says "Web Site Found, Waiting For Reply..." in the status bar, and then hangs until it times out... i can also ftp to a server, log in, but when i issue a command like ls, it also hangs... :mad:

however, i can telnet to, say, www.linuxnewbie.org (http://www.linuxnewbie.org) 80, and type in HEAD / http/1.0 CRLF,CRLF yada, yada, yada... this works fine.

as i said, i'm getting rather frustrated, so any help or ideas would be really appreciated... thanks in advance :D

edit: i also just realized that i can traceroute from win2k. but if i recall correctly, *doze boxes send ICMP echo-requests in their tracert instead of UDP datagrams as they do on *nix boxes... so this may not make a bit of difference... n/m :p

[ 13 February 2001: Message edited by: aph3x ]

Gaccm
02-13-2001, 04:49 AM
what are you using to masq only ftp, ident, http, etc.? none of the firewalls i used had that ability; they all would just MASQUERADE all data from 169.254.1.2 (win2k box). have you set up win2k correctly? control panel -> network & dial-up options -> lan props -> internet protocol (tcp/ip) -> properties (did u fill this out?) -> advanced; did u put your linux box ip as the gateway? try loosening all security from your firewall (if you're using one). all i can think of now

aph3x
02-13-2001, 03:19 PM
i'm using ipchains... it allows you to accept or deny just about anything you want (or don't want)

right now it's set to a deny by default policy. i'm going to set the default policy to accept and see what happens...

Craig McPherson
02-14-2001, 01:09 AM
Hi,

please post your firewall script here, and we'll dissect it. It's hard to diagnose it without seeing it.

Or you can generate a functional firewall interactively at http://www.linux-firewall-tools.com/. You'll want to look through it and personalize it a bit even after you generate it, but it's a very good jumping-off point.

aph3x
02-14-2001, 04:38 PM
thanks. i went to that site and created a script... with that script executed, i can't even do DNS lookups or ICMP echo requests from win2k. :mad: and yes, i had enabled them while creating the script... do you mind if i mail the script to you craig?
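
One way to see which rule is denying what, added here as an example and not taken from anyone's post: every DENY the script marks with --log shows up in the kernel log as a "Packet log:" line, and the function below summarizes those lines by chain, interface, protocol and destination port. The log lines inside the block are constructed in the ipchains log format for this example; the addresses, ports and rule numbers (#n) are made up.

```shell
#!/bin/sh
# Added example: summarize ipchains DENY entries from the kernel log.
# SAMPLE_LOG is CONSTRUCTED for this example in the ipchains log format
#   "Packet log: <chain> <target> <iface> PROTO=<n> <src>:<sport> <dst>:<dport> ..."
# (for PROTO=1, ICMP, the two port positions carry type and code instead).
# Addresses, ports and rule numbers are made up.
SAMPLE_LOG='Feb 16 15:10:01 suse kernel: Packet log: input DENY ppp0 PROTO=17 203.0.113.5:53 198.51.100.7:61001 L=78 S=0x00 I=4021 F=0x0000 T=52 (#40)
Feb 16 15:10:03 suse kernel: Packet log: input DENY ppp0 PROTO=6 203.0.113.9:80 198.51.100.7:61002 L=60 S=0x00 I=1 F=0x4000 T=51 (#40)
Feb 16 15:10:05 suse kernel: Packet log: forward DENY eth0 PROTO=6 10.0.0.2:1026 203.0.113.9:80 L=48 S=0x00 I=77 F=0x4000 T=127 SYN (#2)
Feb 16 15:10:06 suse kernel: Packet log: input DENY ppp0 PROTO=1 203.0.113.1:8 198.51.100.7:0 L=56 S=0x00 I=0 F=0x0000 T=60 (#40)
Feb 16 15:10:07 suse kernel: Packet log: input DENY ppp0 PROTO=17 203.0.113.5:53 198.51.100.7:61003 L=80 S=0x00 I=4022 F=0x0000 T=52 (#40)'

# summarize_denies: read log text on stdin, print one line per distinct
# "chain target iface proto dport" combination, prefixed by its count,
# most frequent first. It anchors on the "log:" token, so the syslog
# prefix (date, host, "kernel:") can be any width.
summarize_denies() {
    awk '
    BEGIN { pname["1"] = "icmp"; pname["6"] = "tcp"; pname["17"] = "udp" }
    /Packet log:/ && ($0 ~ / DENY / || $0 ~ / REJECT /) {
        for (i = 1; i <= NF; i++) if ($i == "log:") break
        chain = $(i + 1); target = $(i + 2); iface = $(i + 3)
        proto = substr($(i + 4), 7)              # "PROTO=17" -> "17"
        if (proto in pname) proto = pname[proto]
        n = split($(i + 6), dst, ":")            # "198.51.100.7:61001" -> 61001
        key = chain " " target " " iface " proto=" proto " dport=" dst[n]
        count[key]++
    }
    END { for (k in count) print count[k], k }
    ' | sort -rn
}

# denied_count LOGTEXT CHAIN DPORT: number of denied packets in LOGTEXT that
# hit CHAIN with destination port DPORT (0 when none).
denied_count() {
    printf '%s\n' "$1" | summarize_denies |
        awk -v c="$2" -v p="$3" '$2 == c && $6 == ("dport=" p) { n += $1 } END { print n + 0 }'
}

printf '%s\n' "$SAMPLE_LOG" | summarize_denies
```

Run it against the real log with something like `grep 'Packet log:' /var/log/messages | summarize_denies`; the rule number in parentheses at the end of each kernel line is the position in the chain as listed by `ipchains -L -n --line-numbers`, which is what ties a denied packet back to a line of the script.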

synparse
02-15-2001, 09:12 AM
hi aphex,

This may help. On your win2k machine set DNS active on your NIC:

tcp/ip internet settings > Advanced.
[ip settings tab]
Default gateways > Add > {The ip addy of your linux router/gateway}
[DNS tab]
Add > {The ip addy of your linux gateway/router}

Needless to say add a hostname and domainname to match whatever setting you have on your other machines..

Reboot, if necessary.

Pop Open IE.., and http://www.metacrawler.com

Hope this works for you.

Just tryin' to help... You've probably done this already.
-syn

[ 15 February 2001: Message edited by: synparse ]

Fandelem
02-15-2001, 10:32 AM
i went to that site and created a script

personally, i think you should go with PMFirewall until you are really experienced with firewall stuff (ipchains, iptables, etc) because i'm almost sure you are denying something because you thought it might give you some "added" protection when actually, it probably is, but look at the price you are paying :D

try PMFirewall, if it works, then you know it's something with the script you had created for you that is blocking.. if not, then it's another problem. but PMFirewall only takes a few minutes to set up and configure.

regards,

~kyle

aph3x
02-15-2001, 04:22 PM
Originally posted by synparse:
hi aphex,

This may help. On your win2k machine set DNS active on your NIC:

tcp/ip internet settings > Advanced.
[ip settings tab]
Default gateways > Add > {The ip addy of your linux router/gateway}
[DNS tab]
Add > {The ip addy of your linux gateway/router}

Needless to say add a hostname and domainname to match whatever setting you have on your other machines..

Reboot, if necessary.

Pop Open IE.., and http://www.metacrawler.com

Hope this works for you.

Just tryin' to help... You've probably done this already.
-syn

[ 15 February 2001: Message edited by: synparse ]

yes, i already have configured my win2k box to contact my ISP's DNS server... setting my win2k to query my linux box for DNS lookups wont work because im not running BIND or any DNS daemon on linux...

this sucks... i have an opportunity to split a DSL or Cable line fee with my pops if i can get this damn masquerading working so i can set up a household LAN... :mad:

Fandelem: i just downloaded PM Firewall, i'll give it a try... thanks for all your replies. :D

aph3x
02-16-2001, 03:21 PM
pm firewall just made it worse... :mad:

here's the script i was using with the original post which allowed me to connect, sort of... :p


#!/bin/bash
# Get outside IP Address. It is read once, when the script runs: if ppp0
# redials and comes up with a different address, every rule below still
# carries the old one until the script is run again.

IPADDR=`/sbin/ifconfig ppp0 | grep "inet addr" | awk -F":" '{print$2}' | awk '{print $1}'`
if [ -z "$IPADDR" ]; then
    echo "ppp0 has no address; bring the link up before loading the rules" >&2
    exit 1
fi


# Define variables...

LOOPBACK="lo"
LOCALHOST="$IPADDR"
echo "External IP Address(s)=$IPADDR"
INTERNAL_INTERFACE="eth0"
EXTERNAL_INTERFACE="ppp0"
INTERNAL_NETWORK="10.0.0.0/24"   # the network itself, not a host address on it
EXTERNAL_NETWORK="0.0.0.0/0"
ANYWHERE="0.0.0.0/0"
UNPRIVPORTS="1024:65535"
BROADCAST_0="0.0.0.0"
BROADCAST_1="255.255.255.255"
LIST_VIRTUAL_IP_ADDRESSES="x.x.x.x a.a.a.a b.b.b.b"

# Services/port numbers

TELNET="23"
POP3="110"
SMTP="25"
LDAP="389"
FTP="21"
FTP_DATA="20"
DNS="53"
DynIP="252"
NNTP="119"
HTTP="80"
HTTPS="443"
IDENTD="113"
FINGER="79"
WHOIS="43"
IMAP="143"
IRC="6667"
NTP="123"
SSH="22"
SSHPORTS="1010:1023"
DHCP_SERVER="67"
DHCP_CLIENT="68"
QUAKE="27901:27910"
ICQ_TCP="2000:4000"
ICQ_UDP="4000"
TRACEROUTE_SOURCE_PORTS="32769:65535"
TRACEROUTE_DESTINATION_PORTS="33434:33523"




###########################################################################
# Setup IP Spoofing protection
###########################################################################
echo "IP Spoofing protection"


# This will turn on Source Address Verification and get spoof protection
# on all current interfaces.

ipv4="/proc/sys/net/ipv4"


if [ -e /proc/sys/net/ipv4/conf/all/rp_filter ]; then

echo -n "Setting up IP spoofing protection... "
for EVERYINTERFACE in $ipv4/conf/*/rp_filter; do
echo 1 > $EVERYINTERFACE
done
echo "Completed IP spoofing protection."

else

echo "IP SPOOFING PROTECTION WAS NOT SETUP!! BE WORRIED!!"
echo " "

fi


echo "Starting IP Source Routing Protection"
for procfile in $ipv4/conf/*/accept_source_route; do
echo 0 > $procfile
done

echo "Starting IP ICMP Redirect Protection"
for procfile in $ipv4/conf/*/accept_redirects; do
echo 0 > $procfile
done

echo "Starting IP TCP SYN Cookie Protection"
echo 1 > $ipv4/tcp_syncookies

echo "Starting IP Fragment Protection"
echo 1 > $ipv4/ip_always_defrag

echo "Starting IP ICMP Broadcast Echo Protection"
echo 1 > $ipv4/icmp_echo_ignore_broadcasts

echo "Starting IP Bogus Error Response Protection"
echo 1 > $ipv4/icmp_ignore_bogus_error_responses

echo "Starting IP Martian Logging"
# 1 = log packets that arrive with impossible (martian) source addresses
for procfile in $ipv4/conf/*/log_martians; do
echo 1 > $procfile
done




###########################################################################
#
# Flush all policies
#
###########################################################################

echo "Flush all policies"
ipchains -F forward
ipchains -F input
ipchains -F output



###########################################################################
#
# Set default policy to deny
#
###########################################################################

echo "Setting default policy of deny"
ipchains --policy input DENY
ipchains --policy output DENY
ipchains --policy forward DENY




###########################################################################
# Refuse Spoofed Packets
# This is additional support for Spoofed packets, better safe than sorry
###########################################################################

echo "Spoofed Packet Configuration"
ipchains --append input \
--jump DENY \
--interface $EXTERNAL_INTERFACE \
--source $INTERNAL_NETWORK \
--destination $ANYWHERE --log

#######################################
#
# ICMP
#
#######################################

echo -n "ICMP Configuration... "

# 0: Echo_Reply
# 3: Dest_Unreachable, Network_Unavailable, Service_Unavailable, etc.
# 4: Source_Quench (slow down, talking too fast)
# 5: Redirect (ALWAYS IGNORE THIS!!)
# 8: Echo_Request
# 11: Time_Exceeded
# 12: Parameter_Problem

ipchains --append input \
--jump ACCEPT \
--protocol icmp \
--icmp-type destination-unreachable

ipchains --append output \
--jump ACCEPT \
--protocol icmp \
--icmp-type destination-unreachable

ipchains --append input \
--jump ACCEPT \
--protocol icmp \
--icmp-type source-quench

ipchains --append output \
--jump ACCEPT \
--protocol icmp \
--icmp-type source-quench

ipchains --append input \
--jump ACCEPT \
--protocol icmp \
--icmp-type time-exceeded

ipchains --append output \
--jump ACCEPT \
--protocol icmp \
--icmp-type time-exceeded

ipchains --append input \
--jump ACCEPT \
--protocol icmp \
--icmp-type parameter-problem

ipchains --append output \
--jump ACCEPT \
--protocol icmp \
--icmp-type parameter-problem

ipchains --append input \
--jump ACCEPT \
--protocol icmp \
--icmp-type echo-request

ipchains --append output \
--jump ACCEPT \
--protocol icmp \
--icmp-type echo-request

ipchains --append input \
--jump ACCEPT \
--protocol icmp \
--icmp-type echo-reply

ipchains --append output \
--jump ACCEPT \
--protocol icmp \
--icmp-type echo-reply

echo "complete."


###########################################################################
#
# Loopback Configuration
#
###########################################################################

echo "Loopback Configuration"
ipchains --append input \
--jump ACCEPT \
--interface $LOOPBACK

ipchains --append output \
--jump ACCEPT \
--interface $LOOPBACK



###########################################################################
#
# Allow Internal Traffic
#
###########################################################################

echo "Unlimited internal traffic"
ipchains --append input \
--jump ACCEPT \
--interface $INTERNAL_INTERFACE

ipchains --append output \
--jump ACCEPT \
--interface $INTERNAL_INTERFACE



###########################################################################
#
# DHCP Client (67,68)
#
###########################################################################
# ppp0 gets its address from the peer via IPCP, not DHCP, so on a dial-up
# link these rules never match; they are harmless and left as generated.
echo "Enabling $EXTERNAL_INTERFACE to obtain IP Address via DHCP"
# allow dhcp server (67) to connect to dhcp client (68)
ipchains --append input \
--jump ACCEPT \
--interface $EXTERNAL_INTERFACE \
--source $ANYWHERE $DHCP_SERVER \
--destination $LOCALHOST $DHCP_CLIENT \
--protocol udp


ipchains --append input \
--jump ACCEPT \
--interface $EXTERNAL_INTERFACE \
--source $ANYWHERE $DHCP_SERVER \
--destination $BROADCAST_1 $DHCP_CLIENT \
--protocol udp


ipchains --append output \
--jump ACCEPT \
--interface $EXTERNAL_INTERFACE \
--source $BROADCAST_0 $DHCP_CLIENT \
--destination $BROADCAST_1 $DHCP_SERVER \
--protocol udp


# Getting renumbered
ipchains --append input \
--jump ACCEPT \
--interface $EXTERNAL_INTERFACE \
--source $BROADCAST_0 $DHCP_CLIENT \
--destination $BROADCAST_1 $DHCP_SERVER \
--protocol udp


ipchains --append input \
--jump ACCEPT \
--interface $EXTERNAL_INTERFACE \
--source $LOCALHOST $DHCP_CLIENT \
--destination $ANYWHERE $DHCP_SERVER \
--protocol udp


ipchains --append input \
--jump ACCEPT \
--interface $EXTERNAL_INTERFACE \
--source $ANYWHERE $DHCP_SERVER \
--destination $ANYWHERE $DHCP_CLIENT \
--protocol udp


ipchains --append output \
--jump ACCEPT \
--interface $EXTERNAL_INTERFACE \
--source $LOCALHOST $DHCP_CLIENT \
--destination $ANYWHERE $DHCP_SERVER \
--protocol udp

###########################################################################
#
echo "Configure from Inside to Outside Service DNS using port(s) $DNS"
#
###########################################################################



# DNS - UDP - client --> server
ipchains --append output \
--jump ACCEPT \
--interface $EXTERNAL_INTERFACE \
--source $LOCALHOST $UNPRIVPORTS \
--destination $EXTERNAL_NETWORK $DNS \
--protocol udp


ipchains --append input \
--jump ACCEPT \
--interface $EXTERNAL_INTERFACE \
--source $EXTERNAL_NETWORK $DNS \
--destination $LOCALHOST $UNPRIVPORTS \
--protocol udp


# DNS - TCP - client --> server or server --> server
ipchains --append output \
--jump ACCEPT \
--interface $EXTERNAL_INTERFACE \
--source $LOCALHOST $UNPRIVPORTS \
--destination $EXTERNAL_NETWORK $DNS \
--protocol tcp


ipchains --append input \
--jump ACCEPT \
--interface $EXTERNAL_INTERFACE \
--source $EXTERNAL_NETWORK $DNS \
--destination $LOCALHOST $UNPRIVPORTS \
--protocol tcp ! -y #SYN bit cleared


# DNS - UDP - server --> server
ipchains --append output \
--jump ACCEPT \
--interface $EXTERNAL_INTERFACE \
--source $LOCALHOST $DNS \
--destination $EXTERNAL_NETWORK $DNS \
--protocol udp


ipchains --append input \
--jump ACCEPT \
--interface $EXTERNAL_INTERFACE \
--source $EXTERNAL_NETWORK $DNS \
--destination $LOCALHOST $DNS \
--protocol udp


###########################################################################
#
echo "Configure from Inside to Outside Service FINGER using port(s) $FINGER"
#
###########################################################################


ipchains --append output \
--jump ACCEPT \
--interface $EXTERNAL_INTERFACE \
--source $LOCALHOST $UNPRIVPORTS \
--destination $EXTERNAL_NETWORK $FINGER \
--protocol tcp


ipchains --append input \
--jump ACCEPT \
--interface $EXTERNAL_INTERFACE \
--source $EXTERNAL_NETWORK $FINGER \
--destination $LOCALHOST $UNPRIVPORTS \
--protocol tcp ! -y #SYN BIT Check


###########################################################################
#
echo "Configure from Inside to Outside Service FTP using port(s) $FTP"
#
###########################################################################


# outgoing request and host request
ipchains --append output \
--jump ACCEPT \
--interface $EXTERNAL_INTERFACE \
--source $LOCALHOST $UNPRIVPORTS \
--destination $EXTERNAL_NETWORK $FTP \
--protocol tcp

ipchains --append input \
--jump ACCEPT \
--interface $EXTERNAL_INTERFACE \
--source $EXTERNAL_NETWORK $FTP \
--destination $LOCALHOST $UNPRIVPORTS \
--protocol tcp ! -y

# passive mode creation and response
ipchains --append output \
--jump ACCEPT \
--interface $EXTERNAL_INTERFACE \
--source $LOCALHOST $UNPRIVPORTS \
--destination $EXTERNAL_NETWORK $UNPRIVPORTS \
--protocol tcp

ipchains --append input \
--jump ACCEPT \
--interface $EXTERNAL_INTERFACE \
--source $EXTERNAL_NETWORK $UNPRIVPORTS \
--destination $LOCALHOST $UNPRIVPORTS \
--protocol tcp ! -y


# data channel creation and response
# ipchains --append input \
# --jump ACCEPT \
# --interface $EXTERNAL_INTERFACE \
# --source $EXTERNAL_NETWORK $FTP_DATA \
# --destination $LOCALHOST $UNPRIVPORTS \
# --protocol tcp

# ipchains --append output \
# --jump ACCEPT \
# --interface $EXTERNAL_INTERFACE \
# --source $LOCALHOST $UNPRIVPORTS \
# --destination $EXTERNAL_NETWORK $FTP_DATA \
# --protocol tcp ! -y


###########################################################################
#
echo "Configure from Inside to Outside Service HTTP using port(s) $HTTP"
#
###########################################################################


ipchains --append output \
--jump ACCEPT \
--interface $EXTERNAL_INTERFACE \
--source $LOCALHOST $UNPRIVPORTS \
--destination $EXTERNAL_NETWORK $HTTP \
--protocol tcp


ipchains --append input \
--jump ACCEPT \
--interface $EXTERNAL_INTERFACE \
--source $EXTERNAL_NETWORK $HTTP \
--destination $LOCALHOST $UNPRIVPORTS \
--protocol tcp ! -y #SYN BIT Check


###########################################################################
#
echo "Configure from Inside to Outside Service HTTPS using port(s) $HTTPS"
#
###########################################################################


ipchains --append output \
--jump ACCEPT \
--interface $EXTERNAL_INTERFACE \
--source $LOCALHOST $UNPRIVPORTS \
--destination $EXTERNAL_NETWORK $HTTPS \
--protocol tcp


ipchains --append input \
--jump ACCEPT \
--interface $EXTERNAL_INTERFACE \
--source $EXTERNAL_NETWORK $HTTPS \
--destination $LOCALHOST $UNPRIVPORTS \
--protocol tcp ! -y #SYN BIT Check


###########################################################################
#
echo "Configure from Inside to Outside Service ICQ using port(s) $ICQ_TCP (tcp) and $ICQ_UDP (udp)"
#
###########################################################################


ipchains --append input \
--jump ACCEPT \
--interface $EXTERNAL_INTERFACE \
--source $EXTERNAL_NETWORK $ICQ_TCP \
--destination $LOCALHOST $UNPRIVPORTS \
--protocol tcp ! -y #SYN BIT Check


ipchains --append output \
--jump ACCEPT \
--interface $EXTERNAL_INTERFACE \
--source $LOCALHOST $UNPRIVPORTS \
--destination $EXTERNAL_NETWORK $ICQ_TCP \
--protocol tcp


ipchains --append input \
--jump ACCEPT \
--interface $EXTERNAL_INTERFACE \
--source $EXTERNAL_NETWORK $ICQ_UDP \
--destination $LOCALHOST $UNPRIVPORTS \
--protocol udp


ipchains --append output \
--jump ACCEPT \
--interface $EXTERNAL_INTERFACE \
--source $LOCALHOST $UNPRIVPORTS \
--destination $EXTERNAL_NETWORK $ICQ_UDP \
--protocol udp



###########################################################################
#
echo "Configure from Inside to Outside Service IRC using port(s) $IRC"
#
###########################################################################


ipchains --append output \
--jump ACCEPT \
--interface $EXTERNAL_INTERFACE \
--source $LOCALHOST $UNPRIVPORTS \
--destination $EXTERNAL_NETWORK $IRC \
--protocol tcp


ipchains --append input \
--jump ACCEPT \
--interface $EXTERNAL_INTERFACE \
--source $EXTERNAL_NETWORK $IRC \
--destination $LOCALHOST $UNPRIVPORTS \
--protocol tcp ! -y #SYN BIT Check


###########################################################################
#
echo "Configure from Inside to Outside Service NNTP using port(s) $NNTP"
#
###########################################################################


ipchains --append output \
--jump ACCEPT \
--interface $EXTERNAL_INTERFACE \
--source $LOCALHOST $UNPRIVPORTS \
--destination $EXTERNAL_NETWORK $NNTP \
--protocol tcp


ipchains --append input \
--jump ACCEPT \
--interface $EXTERNAL_INTERFACE \
--source $EXTERNAL_NETWORK $NNTP \
--destination $LOCALHOST $UNPRIVPORTS \
--protocol tcp ! -y #SYN BIT Check


###########################################################################
#
echo "Configure from Inside to Outside Service POP3 using port(s) $POP3"
#
###########################################################################


ipchains --append output \
--jump ACCEPT \
--interface $EXTERNAL_INTERFACE \
--source $LOCALHOST $UNPRIVPORTS \
--destination $EXTERNAL_NETWORK $POP3 \
--protocol tcp


ipchains --append input \
--jump ACCEPT \
--interface $EXTERNAL_INTERFACE \
--source $EXTERNAL_NETWORK $POP3 \
--destination $LOCALHOST $UNPRIVPORTS \
--protocol tcp ! -y #SYN BIT Check


###########################################################################
#
echo "Configure from Inside to Outside Service SMTP using port(s) $SMTP"
#
###########################################################################


ipchains --append output \
--jump ACCEPT \
--interface $EXTERNAL_INTERFACE \
--source $LOCALHOST $UNPRIVPORTS \
--destination $EXTERNAL_NETWORK $SMTP \
--protocol tcp


ipchains --append input \
--jump ACCEPT \
--interface $EXTERNAL_INTERFACE \
--source $EXTERNAL_NETWORK $SMTP \
--destination $LOCALHOST $UNPRIVPORTS \
--protocol tcp ! -y #SYN BIT Check


###########################################################################
#
echo "Configure from Inside to Outside Service SSH using port(s) $SSH"
#
###########################################################################



# For normal clients
ipchains --append output \
--jump ACCEPT \
--interface $EXTERNAL_INTERFACE \
--source $LOCALHOST $SSHPORTS \
--destination $EXTERNAL_NETWORK $SSH \
--protocol tcp


ipchains --append input \
--jump ACCEPT \
--interface $EXTERNAL_INTERFACE \
--source $EXTERNAL_NETWORK $SSH \
--destination $LOCALHOST $SSHPORTS \
--protocol tcp ! -y #SYN BIT Check

# For abnormal clients - i.e. windows
ipchains --append output \
--jump ACCEPT \
--interface $EXTERNAL_INTERFACE \
--source $LOCALHOST $UNPRIVPORTS \
--destination $EXTERNAL_NETWORK $SSH \
--protocol tcp


ipchains --append input \
--jump ACCEPT \
--interface $EXTERNAL_INTERFACE \
--source $EXTERNAL_NETWORK $SSH \
--destination $LOCALHOST $UNPRIVPORTS \
--protocol tcp ! -y #SYN BIT Check



###########################################################################
#
echo "Configure from Inside to Outside Service TELNET using port(s) $TELNET"
#
###########################################################################


ipchains --append output \
--jump ACCEPT \
--interface $EXTERNAL_INTERFACE \
--source $LOCALHOST $UNPRIVPORTS \
--destination $EXTERNAL_NETWORK $TELNET \
--protocol tcp


ipchains --append input \
--jump ACCEPT \
--interface $EXTERNAL_INTERFACE \
--source $EXTERNAL_NETWORK $TELNET \
--destination $LOCALHOST $UNPRIVPORTS \
--protocol tcp ! -y #SYN BIT Check


###########################################################################
#
echo "Configure from Inside to Outside Service TRACEROUTE using port(s) $TRACEROUTE_SOURCE_PORTS -> $TRACEROUTE_DESTINATION_PORTS"
#
###########################################################################


ipchains --append output \
--jump ACCEPT \
--interface $EXTERNAL_INTERFACE \
--source $LOCALHOST $TRACEROUTE_SOURCE_PORTS \
--destination $EXTERNAL_NETWORK $TRACEROUTE_DESTINATION_PORTS \
--protocol udp

###########################################################################
#
echo "Configure from Inside to Outside Service WHOIS using port(s) $WHOIS"
#
###########################################################################


ipchains --append output \
--jump ACCEPT \
--interface $EXTERNAL_INTERFACE \
--source $LOCALHOST $UNPRIVPORTS \
--destination $EXTERNAL_NETWORK $WHOIS \
--protocol tcp


ipchains --append input \
--jump ACCEPT \
--interface $EXTERNAL_INTERFACE \
--source $EXTERNAL_NETWORK $WHOIS \
--destination $LOCALHOST $UNPRIVPORTS \
--protocol tcp ! -y #SYN BIT Check

###########################################################################
# NAT/MASQ Setup
###########################################################################

echo "NAT / MASQ Configuration"
ipchains --masquerading \
--set 600 15 300


ipchains --append forward \
--jump MASQ \
--source $INTERNAL_NETWORK \
--destination $ANYWHERE

ipchains --append forward \
--jump DENY \
--source $ANYWHERE \
--destination $ANYWHERE --log

###########################################################################
# Entries that we want to reject but not bother logging
###########################################################################
echo "Deny without logging"
#
# I for one have IGMP packets coming from my ISP, which I don't care to
# receive, nor log the drops.

ipchains --append input \
--jump DENY \
--source $ANYWHERE \
--destination 224.0.0.1 \
--protocol IGMP




###########################################################################
# Default, log all that we don't allow
###########################################################################

echo "Input default policy, log all that we do not allow"
ipchains --append input \
--jump DENY \
--source $ANYWHERE \
--destination $ANYWHERE --log

echo "Output default policy, log all that we do not allow"
ipchains --append output \
--jump DENY \
--source $ANYWHERE \
--destination $ANYWHERE --log

echo "Forward default policy, log all that we do not allow"
ipchains --append forward \
--jump DENY \
--source $ANYWHERE \
--destination $ANYWHERE --log
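
The per-service blocks in the script above are the same two rules repeated with different ports, and the stray variable names in its echo lines show how copy-and-paste drifts. As an added example, not the poster's script and not output of the linux-firewall-tools generator, here is that stateless pattern written once as a shell function and fed a list of services, together with the NAT/MASQ section. It prints the ipchains commands instead of loading them unless IPCHAINS is pointed at the real binary. LOCAL_IP is a placeholder (the posted script reads the address from ifconfig ppp0), and the LAN is assumed to be 10.0.0.0/24 as in the posted script.

```shell
#!/bin/sh
# Added example (not the poster's script): generate the paired ipchains rules
# the posted script spells out by hand. Dry run by default: IPCHAINS="echo ipchains"
# prints the commands. Set IPCHAINS=/sbin/ipchains to load them (as root, on an
# ipchains-era 2.2 kernel).
IPCHAINS="${IPCHAINS:-echo ipchains}"

EXT=ppp0                               # external (dial-up) interface
INT=eth0                               # interface towards the Win2k box
LOCAL_IP="${LOCAL_IP:-198.51.100.7}"   # PLACEHOLDER external address
INTERNAL_NET=10.0.0.0/24               # assumed LAN, as in the posted script
UNPRIV=1024:65535

# allow_client NAME PROTO PORT
# Emits the outbound request rule and the matching inbound reply rule for one
# service. Masqueraded connections from the LAN leave ppp0 rewritten to LOCAL_IP
# with a source port in the masquerade range (61000 upwards), so they match the
# same pair as the gateway's own clients. For TCP the reply rule carries "! -y":
# it accepts only packets that are not a bare SYN, so a remote host cannot open
# a new connection to the gateway's high ports merely by sending from port PORT.
allow_client() {
    name=$1; proto=$2; port=$3
    echo "# $name: client -> remote $proto/$port, and the replies"
    $IPCHAINS -A output -i "$EXT" -p "$proto" -s "$LOCAL_IP" "$UNPRIV" -d 0.0.0.0/0 "$port" -j ACCEPT
    if [ "$proto" = tcp ]; then
        $IPCHAINS -A input -i "$EXT" -p tcp ! -y -s 0.0.0.0/0 "$port" -d "$LOCAL_IP" "$UNPRIV" -j ACCEPT
    else
        $IPCHAINS -A input -i "$EXT" -p "$proto" -s 0.0.0.0/0 "$port" -d "$LOCAL_IP" "$UNPRIV" -j ACCEPT
    fi
}

# build_ruleset: deny-by-default policies, anti-spoof, loopback and LAN, the
# client services, then masquerading and logged catch-all denies, in that order
# (the same order the posted script uses).
build_ruleset() {
    for chain in input output forward; do
        $IPCHAINS -F "$chain"
        $IPCHAINS -P "$chain" DENY
    done
    # nothing claiming an internal source may arrive on the external link
    $IPCHAINS -A input -i "$EXT" -s "$INTERNAL_NET" -j DENY -l
    $IPCHAINS -A input -i lo -j ACCEPT
    $IPCHAINS -A output -i lo -j ACCEPT
    $IPCHAINS -A input -i "$INT" -j ACCEPT
    $IPCHAINS -A output -i "$INT" -j ACCEPT
    while read -r name proto port; do
        if [ -n "$name" ]; then allow_client "$name" "$proto" "$port"; fi
    done <<EOF
dns udp 53
dns-tcp tcp 53
http tcp 80
https tcp 443
ftp tcp 21
ftp-pasv tcp $UNPRIV
telnet tcp 23
EOF
    # masquerade the LAN; anything else trying to cross the box is denied and logged
    $IPCHAINS -A forward -s "$INTERNAL_NET" -d 0.0.0.0/0 -j MASQ
    $IPCHAINS -A forward -j DENY -l
    $IPCHAINS -A input -j DENY -l
    $IPCHAINS -A output -j DENY -l
}

# dry_run_rule_count: how many -A rules build_ruleset emits, always in echo mode
dry_run_rule_count() { (IPCHAINS="echo ipchains"; build_ruleset) | grep -c ' -A '; }

build_ruleset
```

Both this and the posted script stay stateless: the `! -y` reply rule is the only thing separating a reply from a new inbound connection, which is as far as ipchains filtering goes (the masquerade table tracks LAN connections for rewriting, not for filtering). The ftp-pasv entry reproduces the script's passive-FTP pair, which opens the whole unprivileged range in both directions; it is the price of passive FTP without a stateful filter, and a line worth knowing about when reading the log.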