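#------------------------------------------------------------
# ICMP Control and Status Messages
#
# Placeholders as in the original: eth1 = external (Internet) interface,
# x.x.x.x = its address; eth0 = LAN interface, 10.10.10.0/25 = LAN range.
#
# Log and drop fragmented ICMP.  Note: --fragment (-f) matches the second
# and later fragments of a datagram, not the first fragment.
# LOG rules are rate-limited (values are a starting point, tune to taste)
# so a fragment flood cannot fill the log; the DROP stays unconditional.
-A INPUT -i eth1 --fragment -p icmp -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "Fragmented incoming ICMP: "
-A INPUT -i eth1 --fragment -p icmp -j DROP
-A OUTPUT -o eth1 --fragment -p icmp -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "Fragmented outgoing ICMP: "
-A OUTPUT -o eth1 --fragment -p icmp -j DROP
-A FORWARD -o eth1 --fragment -p icmp -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "Fragmented forwarded ICMP: "
-A FORWARD -o eth1 --fragment -p icmp -j DROP
# source-quench is deprecated (RFC 6633); kept as ACCEPT to preserve the
# original behaviour, but it is a candidate for DROP in a review.
-A INPUT -i eth1 -p icmp --icmp-type source-quench -d x.x.x.x -j ACCEPT
-A OUTPUT -o eth1 -p icmp --icmp-type source-quench -j ACCEPT
-A FORWARD -o eth1 -p icmp --icmp-type source-quench -j ACCEPT
-A INPUT -i eth1 -p icmp --icmp-type parameter-problem -d x.x.x.x -j ACCEPT
-A OUTPUT -o eth1 -p icmp --icmp-type parameter-problem -j ACCEPT
-A FORWARD -o eth1 -p icmp --icmp-type parameter-problem -j ACCEPT
# Unlike the other INPUT rules in this section this one has no -d x.x.x.x;
# if the host has a single external address, consider adding it.
-A INPUT -i eth1 -p icmp --icmp-type destination-unreachable -j ACCEPT
# Use $LAN_INTERFACE = eth0, $LAN_ADDRESSES = 10.10.10.0/25
-A OUTPUT -o eth0 -p icmp --icmp-type destination-unreachable -d 10.10.10.0/25 -j ACCEPT
-A FORWARD -o eth0 -p icmp --icmp-type destination-unreachable -d 10.10.10.0/25 -j ACCEPT
# fragmentation-needed must leave towards the Internet or path-MTU
# discovery breaks for the peers.
-A OUTPUT -o eth1 -p icmp --icmp-type fragmentation-needed -j ACCEPT
-A FORWARD -o eth1 -p icmp --icmp-type fragmentation-needed -j ACCEPT
# Don't log dropped outgoing ICMP error messages (silently drop the rest
# of destination-unreachable leaving the external interface).
-A OUTPUT -o eth1 -p icmp --icmp-type destination-unreachable -j DROP
-A FORWARD -o eth1 -p icmp --icmp-type destination-unreachable -j DROP
# Intermediate traceroute responses
-A INPUT -i eth1 -p icmp --icmp-type time-exceeded -d x.x.x.x -j ACCEPT
# Use $LAN_INTERFACE = eth0, $LAN_ADDRESSES = 10.10.10.0/25
-A OUTPUT -o eth0 -p icmp --icmp-type time-exceeded -d 10.10.10.0/25 -j ACCEPT
-A FORWARD -o eth0 -p icmp --icmp-type time-exceeded -d 10.10.10.0/25 -j ACCEPT
# Allow outgoing pings to anywhere
-A OUTPUT -o eth1 -p icmp --icmp-type echo-request -j ACCEPT
-A INPUT -i eth1 -p icmp --icmp-type echo-reply -j ACCEPT
#-A FORWARD -o $DMZ_INTERFACE -p icmp --icmp-type echo-request -s $LAN_ADDRESSES -j ACCEPT
# Allow incoming pings from trusted hosts
# Use $MY_ISP = any/0 (any/0 is the same as 0.0.0.0/0, i.e. every source;
# narrow it to the ISP range if echo-request should not be world-reachable)
-A INPUT -i eth1 -p icmp -s any/0 --icmp-type echo-request -d x.x.x.x -j ACCEPT
-A OUTPUT -o eth1 -p icmp -s x.x.x.x --icmp-type echo-reply -d any/0 -j ACCEPT
#-A INPUT -i $LAN_INTERFACE -p icmp -s $LAN_ADDRESSES --icmp-type echo-request -d $LAN_IPADDR -j ACCEPT
#------------------------------------------------------------
# Logging Dropped Packets
#
# Presumably the last rules before the chain policy (the policies are not
# part of this excerpt).  Each LOG is rate-limited so a scan or flood
# cannot exhaust the log, and carries a prefix so entries are filterable.
# As in the original, dropped incoming UDP on eth1 is not logged here.
#
# Don't log dropped incoming echo-requests.  "! --icmp-type" is the
# current negation syntax; the older "--icmp-type ! 8" form is deprecated.
-A INPUT -i eth1 -p icmp ! --icmp-type 8 -d x.x.x.x -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "Dropped incoming ICMP: "
#
-A INPUT -i eth1 -p tcp -d x.x.x.x -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "Dropped incoming TCP: "
#
-A OUTPUT -o eth1 -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "Dropped outgoing: "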