
[Slackware 9.1] Iptables FXP problem

Page: 1
  • 50 views since 30-01-2008

Deleted

Topic starter
Hey everyone

I can't FXP to my own ftp server. On the server side everything is set up correctly, because the same config also runs somewhere else, but without an iptables firewall.

this is my firewall script:

code:
#!/bin/bash
####################################################
#
# Config section, you can change this with your ip's
#
####################################################

for i in `ifconfig -a|grep -i eth|awk '{print $1}'`; do A="$A $i";done
B=`echo $A|wc -w|awk '{print $1}'`

echo ""
echo "Found $B nics :$A"
echo ""

EXTIF=`echo $A|awk '{print $1}'`
INTIF1=`echo $A|awk '{print $2}'`
INTIF2=`echo $A|awk '{print $3}'`
LOIF="lo"
LAN1="10.0.1.0/24"
LAN2="10.0.2.0/24"

LOIP=`ifconfig $LOIF | grep inet | cut -d : -f 2 | cut -d \  -f 1`

EXTIP=`ifconfig $EXTIF | grep inet | cut -d : -f 2 | cut -d \  -f 1`
EXTMASK=`ifconfig $EXTIF | grep Mask | cut -d : -f 4`
EXTBCAST=`ifconfig $EXTIF | grep inet | cut -d : -f 3 | cut -d \  -f 1`

INTIP1=`ifconfig $INTIF1 | grep inet | cut -d : -f 2 | cut -d \  -f 1`
INTMASK1=`ifconfig $INTIF1 | grep Mask | cut -d : -f 4`
INTBCAST1=`ifconfig $INTIF1 | grep inet | cut -d : -f 3 | cut -d \  -f 1`

INTIP2=`ifconfig $INTIF2 | grep inet | cut -d : -f 2 | cut -d \  -f 1`
INTMASK2=`ifconfig $INTIF2 | grep Mask | cut -d : -f 4`
INTBCAST2=`ifconfig $INTIF2 | grep inet | cut -d : -f 3 | cut -d \  -f 1`

####################################################
#
# Script section, don't change anything below here
# if you don't know what you're doing
#
####################################################

echo "1" > /proc/sys/net/ipv4/ip_forward
echo "1" > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
echo "1" > /proc/sys/net/ipv4/tcp_syncookies
echo "0" > /proc/sys/net/ipv4/conf/all/accept_redirects
echo "1" > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses
echo "1" > /proc/sys/net/ipv4/ip_dynaddr

echo -n "Reduce DoS'ing ability... "
echo "30" > /proc/sys/net/ipv4/tcp_fin_timeout
echo "1800" > /proc/sys/net/ipv4/tcp_keepalive_time
echo "1" > /proc/sys/net/ipv4/tcp_window_scaling
echo "0" > /proc/sys/net/ipv4/tcp_sack
echo "1280" > /proc/sys/net/ipv4/tcp_max_syn_backlog
echo -e "\033[32mDone!\033[0m"

echo -n "Flushing Chains... "
iptables -F
iptables -X
iptables -t nat -F PREROUTING
iptables -t nat -F POSTROUTING
echo -e "\033[32mDone!\033[0m"

echo -n "Set default policies for the INPUT, FORWARD and OUTPUT chains... "
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD ACCEPT
echo -e "\033[32mDone!\033[0m"

echo -n "Accept the packets we actually want to forward... "
iptables -A FORWARD -i $INTIF1 -s 0/0 -j ACCEPT
iptables -A FORWARD -i $INTIF2 -s 0/0 -j ACCEPT
iptables -A FORWARD -i ppp+ -s 0/0 -j ACCEPT
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -m limit --limit 3/minute --limit-burst 3 -j LOG --log-level DEBUG --log-prefix "IPT FORWARD packet died: "
echo -e "\033[32mDone!\033[0m"

echo -n "Create chains... "
iptables -N icmp_packets
echo -n "ICMP_PACKETS, "
iptables -N tcp_packets
echo -n "TCP_PACKETS, "
iptables -N udpincoming_packets
echo -n "UDPINCOMING_PACKETS, "
iptables -N illegal
echo -n "ILLEGAL, "
iptables -N allowed
iptables -A allowed -p TCP --syn -j ACCEPT
iptables -A allowed -p TCP -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A allowed -p TCP -j DROP
echo -n "ALLOWED... "
echo -e "\033[32mDone!\033[0m"

echo ""
echo -e "\033[31mILLEGAL chain -> "
echo -e "\033[0m"

echo -n " Drop illegal flag combinations which also prevents most port scanning... "
iptables -A illegal -i $EXTIF -p tcp --tcp-flags ALL ALL -j DROP
iptables -A illegal -i $EXTIF -p tcp --tcp-flags ALL NONE -j DROP
iptables -A illegal -i $EXTIF -p tcp --tcp-flags ALL FIN,URG,PSH -j DROP
iptables -A illegal -i $EXTIF -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j DROP
iptables -A illegal -i $EXTIF -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
iptables -A illegal -i $EXTIF -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
iptables -A illegal -i $EXTIF -p tcp --tcp-flags FIN,RST FIN,RST -j DROP
iptables -A illegal -i $EXTIF -p tcp --tcp-flags ACK,FIN FIN -j DROP
iptables -A illegal -i $EXTIF -p tcp --tcp-flags ACK,PSH PSH -j DROP
iptables -A illegal -i $EXTIF -p tcp --tcp-flags ACK,URG URG -j DROP
echo -e "\033[32mDone!\033[0m"

echo -n " Refuse directed broadcasts used in Smurf/Fraggle type DOS attacks... "
iptables -A illegal -i $EXTIF -d 255.255.255.255 -j DROP
iptables -A illegal -i $EXTIF -d $EXTBCAST -j DROP
echo -e "\033[32mDone!\033[0m"

echo -n " Refuse spoofed packets pretending to be from your IP address... "
iptables -A illegal -i $EXTIF -s $EXTIP -d $EXTIP -j DROP
echo -e "\033[32mDone!\033[0m"

echo -n " Drop Fragments... "
iptables -A illegal -i $EXTIF -f -j DROP
echo -e "\033[32mDone!\033[0m"

echo -n " Make sure packets are associated with known connections... "
iptables -A illegal -i $EXTIF -m state --state INVALID -j DROP
echo -e "\033[32mDone!\033[0m"

echo -n " Make sure NEW tcp connections are SYN packets... "
iptables -A illegal -i $EXTIF -p tcp ! --syn -m state --state NEW -j DROP
echo -e "\033[32mDone!\033[0m"

echo -n " Refuse bogus IP ranges... "
iptables -A illegal -i $EXTIF -s 255.255.255.255/32 -j DROP    # Broadcast
iptables -A illegal -i $EXTIF -s 127.0.0.0/8 -j DROP           # Loopback
iptables -A illegal -i $EXTIF -s 169.254.0.0/16 -j DROP        # Link local networks
iptables -A illegal -i $EXTIF -s 192.0.2.0/24 -j DROP          # Test-net
iptables -A illegal -i $EXTIF -s 248.0.0.0/5 -j DROP           # Unallocated
iptables -A illegal -i $EXTIF -s 10.0.0.0/8 -j DROP            # Class A private (RFC 1918)
iptables -A illegal -i $EXTIF -s 172.16.0.0/12 -j DROP         # Class B private (RFC 1918)
iptables -A illegal -i $EXTIF -s 192.168.0.0/16 -j DROP        # Class C private (RFC 1918)
iptables -A illegal -i $EXTIF -s 224.0.0.0/4 -j DROP           # Class D multicast
iptables -A illegal -i $EXTIF -s 240.0.0.0/5 -j DROP           # Class E reserved
echo -e "\033[32mDone!\033[0m"

echo ""
echo -n "Change ICMP rules... "
iptables -A icmp_packets -p ICMP -s 0/0 --icmp-type 8 -j ACCEPT
iptables -A icmp_packets -p ICMP -s 0/0 --icmp-type 11 -j ACCEPT
iptables -A icmp_packets -p ICMP -s 0/0 --icmp-type echo-request -j DROP
iptables -A icmp_packets -p ICMP -d $INTBCAST1 -j DROP
iptables -A icmp_packets -p ICMP -d $INTBCAST2 -j DROP
echo -e "\033[32mDone!\033[0m"

echo ""
echo -e "\033[31mChange TCP/UDP rules -> "
echo -e "\033[0m"
echo -n " TCP ports... "
iptables -A tcp_packets -p TCP -s 0/0 --dport 20 -j allowed
iptables -A tcp_packets -p TCP -s 0/0 --dport 21 -j allowed
iptables -A tcp_packets -p TCP -s 0/0 --dport 22 -j allowed
iptables -A tcp_packets -p TCP -s 0/0 --dport 25 -j allowed
iptables -A tcp_packets -p TCP -s 0/0 --dport 47 -j allowed
iptables -A tcp_packets -p TCP -s 0/0 --dport 53 -j allowed
iptables -A tcp_packets -p TCP -s 0/0 --dport 80 -j allowed
iptables -A tcp_packets -p TCP -s 0/0 --dport 110 -j allowed
iptables -A tcp_packets -p TCP -s 0/0 --dport 113 -j allowed
iptables -A tcp_packets -p TCP -s 0/0 --dport 143 -j allowed
iptables -A tcp_packets -p TCP -s 0/0 --dport 443 -j allowed
iptables -A tcp_packets -p TCP -s 0/0 --dport 1024:65535 -j allowed
echo -e "\033[32mDone!\033[0m"
echo -n " UDP ports... "
iptables -A udpincoming_packets -p UDP -s 0/0 --source-port 53 -j ACCEPT
iptables -A udpincoming_packets -p UDP -s 0/0 --source-port 1024:65535 -j ACCEPT
echo -e "\033[32mDone!\033[0m"

echo ""
echo -e "\033[31mINPUT chain -> "
echo -e "\033[0m"

echo -n " Incoming packets from the internet... "
iptables -A INPUT -p ICMP -i $EXTIF -j icmp_packets
iptables -A INPUT -p TCP -i $EXTIF -j tcp_packets
iptables -A INPUT -p UDP -i $EXTIF -j udpincoming_packets
iptables -A INPUT -p TCP -i $EXTIF -j illegal
echo -e "\033[32mDone!\033[0m"

echo -n " Special networks not part of the Internet... "
iptables -A INPUT -p ALL -i $INTIF1 -d $INTBCAST1 -j ACCEPT
iptables -A INPUT -p ALL -i $LOIF -s $LOIP -j ACCEPT
iptables -A INPUT -p ALL -i $LOIF -s $INTIP1 -j ACCEPT
iptables -A INPUT -p ALL -i $LOIF -s $EXTIP -j ACCEPT
iptables -A INPUT -p ALL -i $INTIF1 -s 0/0 -j ACCEPT
iptables -A INPUT -p ALL -i $INTIF2 -s 0/0 -j ACCEPT
iptables -A INPUT -p ALL -i ppp+ -s 0/0 -j ACCEPT
iptables -A INPUT -p ALL -d $EXTIP -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -m limit --limit 3/minute --limit-burst 3 -j LOG --log-level DEBUG --log-prefix "IPT INPUT packet died: "
echo -e "\033[32mDone!\033[0m"

echo ""
echo -e "\033[31mOUTPUT chain -> "
echo -e "\033[0m"

echo -n " Special OUTPUT rules to decide which IP's to allow... "
iptables -A OUTPUT -p ALL -s $LOIP -j ACCEPT
iptables -A OUTPUT -p ALL -s $INTIP1 -j ACCEPT
iptables -A OUTPUT -p ALL -s $INTIP2 -j ACCEPT
iptables -A OUTPUT -p ALL -s $EXTIP -j ACCEPT
echo -e "\033[32mDone!\033[0m"

echo -n " Log weird packets that don't match the above... "
iptables -A OUTPUT -m limit --limit 3/minute --limit-burst 3 -j LOG --log-level DEBUG --log-prefix "IPT OUTPUT packet died:"
echo -e "\033[32mDone!\033[0m"
echo ""

echo -n "Forwarding ports... " 
#iptables -A PREROUTING -t nat -p tcp -i eth0 --dport 4000:4050 -j DNAT --to-destination 10.0.2.69
#iptables -A PREROUTING -t nat -p tcp -i eth0 --dport 3389 -j DNAT --to-destination 10.0.2.69
echo -e "\033[32mDone!\033[0m"

echo -n "Enable simple IP Forwarding and NAT... "
iptables -t nat -A POSTROUTING -o $EXTIF -j SNAT --to-source $EXTIP
echo -e "\033[32mDone!\033[0m"

echo -n "Allow pptpd connections... "
iptables -t nat -A PREROUTING -i $EXTIF -p TCP --sport 1024:65535 --dport 1723 -j ACCEPT
iptables -A FORWARD -i ppp+ -o $EXTIF -p 47 -s 0/0 -d 0/0 -j ACCEPT
iptables -A FORWARD -o ppp+ -i $EXTIF -p 47 -s 0/0 -d 0/0 -j ACCEPT
iptables -A FORWARD -p gre -d 0/0 -j ACCEPT
iptables -A FORWARD -p tcp --dport 1723 -d 0/0 -j ACCEPT
echo -e "\033[32mDone!\033[0m"

echo ""


does anyone have any idea what I should change or what else I should do? I'd really like to get it working :)
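Because the script above logs every packet that falls off the end of a chain with an "IPT <chain> packet died:" prefix, the quickest way to find out which chain is killing the FTP control (port 21) or passive data (1024:65535) connection is to summarise those kernel log lines per chain, protocol and destination port. The script below is an added example and not part of the original post; the log lines inside it are constructed samples with placeholder addresses, and in practice you would feed it /var/log/messages (or wherever syslog sends kernel DEBUG messages).

```shell
# Constructed sample of netfilter LOG output as produced by the rules in the
# firewall script (prefix "IPT INPUT packet died: " etc.). Addresses are placeholders.
SAMPLE_LOG='Jan 30 12:00:01 fw kernel: IPT INPUT packet died: IN=eth0 OUT= SRC=203.0.113.5 DST=198.51.100.7 LEN=60 PROTO=TCP SPT=40123 DPT=21 SYN URGP=0
Jan 30 12:00:02 fw kernel: IPT INPUT packet died: IN=eth0 OUT= SRC=203.0.113.5 DST=198.51.100.7 LEN=60 PROTO=TCP SPT=40124 DPT=50001 SYN URGP=0
Jan 30 12:00:03 fw kernel: IPT OUTPUT packet died: IN= OUT=eth0 SRC=198.51.100.7 DST=203.0.113.5 LEN=60 PROTO=TCP SPT=20 DPT=40125 SYN URGP=0
Jan 30 12:00:04 fw kernel: IPT INPUT packet died: IN=eth0 OUT= SRC=203.0.113.5 DST=198.51.100.7 LEN=60 PROTO=TCP SPT=40126 DPT=50002 SYN URGP=0'

# Read log lines on stdin and print "CHAIN PROTO DPORT COUNT", most frequent first.
# TCP destination ports >= 1024 are bucketed as the passive-mode data range the
# script opens (1024:65535), so FTP data drops stand out from control-port drops.
summarize_drops() {
    awk '
        /IPT [A-Z]+ packet died:/ {
            chain = ""; proto = ""; dpt = "-"
            for (i = 1; i <= NF; i++) {
                if ($i == "IPT") chain = $(i + 1)
                else if ($i ~ /^PROTO=/) proto = substr($i, 7)
                else if ($i ~ /^DPT=/) dpt = substr($i, 5)
            }
            if (proto == "TCP" && dpt + 0 >= 1024) dpt = "1024:65535"
            count[chain " " proto " " dpt]++
        }
        END { for (k in count) print k, count[k] }
    ' | sort -k4,4nr -k1,1
}

# Run the summary over the constructed sample (stand-alone demo).
summarize_sample() {
    printf '%s\n' "$SAMPLE_LOG" | summarize_drops
}

summarize_sample
```

On the sample this reports two INPUT drops in the passive data range, one INPUT drop on port 21 and one OUTPUT drop in the high port range, which tells you which chain to start trimming rules from.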

  • blaataaps
  • Registered: July 2001
  • Not online
Some more information would be useful, for example which ftp client you use, which ftp server and which version, what error message you get, what the big difference is with the other setup, any logs. Right now it comes down to "I dump my config, tell me what's wrong", something we'd rather not see here :)
The best way to start debugging iptables is with a few rules, or no rules, and then add them one by one and see when it stops working, something you'll have to do yourself anyway :)
Good luck!

This topic is closed.