Sunday, April 23, 2006

Recover MySQL Password

Sedikit trics buat kakek yang dah pikun dengan password²nya :p
1. Stop mysql
/etc/rc.d/rc.mysqld stop

2. Pindah ke dir di mana mysql kakek berada. Klo mysql cucu berada di direktori /usr/mysql
cd /usr/mysql/

2. Jalankan mysqld_safe dengan option --skip-grant-tables. Tambahkan juga --skip-networking: selama tabel hak akses dilewati, siapa pun yang bisa konek ke server otomatis punya hak root, jadi server hanya boleh menerima koneksi lewat socket lokal, bukan dari jaringan.
./bin/mysqld_safe --skip-grant-tables --skip-networking &

3. Konek ke mysql sebagai root
/usr/mysql/bin/mysql -u root

4. Gunakan database mysql
use mysql;

5. Jalankan perintah update dan ganti ---> passwordbaru <--- dengan password yang akan kakek
gunakan untuk password mysql.
update user set password = password('passwordbaru') where user = 'root' and host='localhost';

6. Flush
flush privileges;
7. Keluar dari mysql
quit
8. Stop mysql (cek dengan ps bahwa proses mysqld yang tadi dijalankan dengan --skip-grant-tables benar-benar sudah mati sebelum dijalankan lagi secara normal)
/etc/rc.d/rc.mysqld stop

9. Jalankan mysql lagi
/etc/rc.d/rc.mysqld start


# Di Uji pada "mysql Ver 12.22 Distrib 4.0.20, for pc-linux (i686)"
# Dengan OS Slackware Linux 10.2
# Moga kakek ngga' lupa lagi dengan password mysql

Friday, April 21, 2006

1. FLUSH/DEL RULES (iptables -F hanya mengosongkan tabel filter; untuk aturan di tabel nat pakai iptables -t nat -F)
iptables -F

2. NAT
iptables -t nat -A POSTROUTING -s 192.168.10.0/24 -j SNAT --to 202.157.56.3

3. REDIRECT
# gateway + squid dalam satu mesin:
iptables -t nat -A PREROUTING -p tcp -s 192.168.10.0/24 --dport 80 -j REDIRECT --to-port 3128
# gateway terpisah dengan squid:
iptables -t nat -A PREROUTING -p tcp -s 192.168.10.0/24 --dport 80 -j DNAT --to 202.149.79.50:8200


4. BLOKIR CLIENT
iptables -I INPUT -s 192.168.10.5/32 -d 0/0 -j DROP

5. BLOKIR IRC
iptables -I INPUT -p tcp -s 192.168.10.5/32 -d 0/0 --destination-port 6667 -j DROP

6. BLOKIR PORT COMPLETE
# Refuse a fixed list of ports through the FORWARD chain, for tcp and udp
# (one REJECT rule per protocol per port, tcp first, then udp).
for PORT in 69 111 135 137 138 139 213 445 554 1025 1034 1080 1214 2049 4000 4444 4662 4661 6257 6346 6347 6699 6700 7070 10858 31415 48523 54470; do
  for PROTO in tcp udp; do
    iptables -A FORWARD -p "$PROTO" --dport "$PORT" -j REJECT
  done
done

7. REDIRECT ACCESS
iptables -t nat -A PREROUTING -p tcp --dport 3000 -j DNAT --to-destination 192.168.10.4:3000

Semua paket yang datang ke port 3000 otomatis diarahkan ke 192.168.10.4 port 3000. Catatan: aturan di atas tidak membatasi interface maupun alamat tujuan (-i/-d), jadi paket port 3000 dari sisi mana pun (termasuk dari LAN) ikut di-DNAT; tambahkan -i <interface publik> dan -d <ip publik> bila yang dimaksud hanya akses dari luar.
# /etc/bashrc
# Pertama buat file bashrc di direktori /etc
#vi /etc/bashrc
#kemudian pastekan isi file ini
#Lalu di /etc/profile tambahkan baris
# source /etc/bashrc
#Karena file ini di-source oleh setiap shell login, pastikan pemiliknya root dan tidak bisa ditulis user lain (chmod 644 /etc/bashrc).
#Keluar dari shell dan jadi dech :)

# Prompt: bold blue box-drawing frame around "(user@host)(time)" on the first
# line and "(cwd)->" on the second. The \[ \] pairs mark the non-printing
# escape sequences so bash does not miscount the prompt width.
# NOTE(review): the "\[\033[\033[1;34m\]" fragment after \T contains "\033["
# twice, unlike every other colour change on this line; confirm it renders
# as intended before relying on first-line alignment.
PS1='\[\033[1;34m\]\[\033)0\016\]\[\]lq\[\017\033(B\](\[\033[1;32m\]\u\[\033[1;34m\]@\[\033[1;32m\]\H\[\033[1;34m\])(\[\033[1;32m\]\T\[\033[\033[1;34m\])\n\[\033)0\016\]\[\]mq\[\017\033(B\]\[\033[1;34m\](\[\033[m\]\w\[\033[1;34m\])\[\033[1;34m\]->\[\033[0m\]'
# Welcome banner in white on blue, followed by an attribute reset. It runs
# before the interactive-shell check further down, so it prints for any
# shell that sources this file, interactive or not.
echo -e '\e[37;44m'"Sugeng Rawuh wonten Anjink-cYborg server"; tput sgr0
# Default umask, applied even to non-interactive, non-login shells:
# a user whose primary group carries their own name (a private group) and
# whose uid is above the system range gets group-writable files (002);
# everyone else gets the conventional 022.
if [[ "$(id -gn)" == "$(id -un)" && "$(id -u)" -gt 99 ]]; then
  umask 002
else
  umask 022
fi

# are we an interactive shell? ($PS1 is only set for interactive shells;
# everything below is terminal/prompt setup and is skipped otherwise)
if [ "$PS1" ]; then
# Make the erase character match what terminfo says the backspace key sends.
if [ -x /usr/bin/tput ]; then
if [ "x`tput kbs`" != "x" ]; then # We can't do this with "dumb" terminal
stty erase `tput kbs`
# NOTE(review): this branch is only reached when `tput kbs` printed nothing,
# so the byte count below cannot be positive; it looks vestigial.
elif [ -x /usr/bin/wc ]; then
if [ "`tput kbs|wc -c `" -gt 0 ]; then # We can't do this with "dumb" terminal
stty erase `tput kbs`
fi
fi
fi
# Put "user@host:cwd" in the window title before each prompt. A site file
# under /etc/sysconfig overrides the built-in escape sequence; that file is
# executed on every prompt, so it must be root-owned and not writable by others.
case $TERM in
xterm*)
if [ -e /etc/sysconfig/bash-prompt-xterm ]; then
PROMPT_COMMAND=/etc/sysconfig/bash-prompt-xterm
else
PROMPT_COMMAND='echo -ne "\033]0;${USER}@${HOSTNAME%%.*}:${PWD/#$HOME/~}\007"'
fi
;;
screen)
if [ -e /etc/sysconfig/bash-prompt-screen ]; then
PROMPT_COMMAND=/etc/sysconfig/bash-prompt-screen
else
PROMPT_COMMAND='echo -ne "\033_${USER}@${HOSTNAME%%.*}:${PWD/#$HOME/~}\033\\"'
fi
;;
*)
[ -e /etc/sysconfig/bash-prompt-default ] && PROMPT_COMMAND=/etc/sysconfig/bash-prompt-default
;;
esac
# Turn on checkwinsize (re-read LINES/COLUMNS after each command).
shopt -s checkwinsize
# Only bash's compiled-in default prompt ("\s-\v\$ ") is replaced here; the
# custom PS1 assigned earlier in this file is left untouched.
[ "$PS1" = "\\s-\\v\\\$ " ] && PS1="[\u@\h \W]\\$ "

# SHLVL != 1 is taken to mean "not a login shell", presumably because login
# shells already get /etc/profile.d/*.sh via /etc/profile.
if [ "x$SHLVL" != "x1" ]; then # We're not a login shell
for i in /etc/profile.d/*.sh; do
if [ -r "$i" ]; then
# NOTE(review): every readable file in /etc/profile.d runs with the user's
# privileges on each shell start; keep that directory root-owned. $i is
# unquoted here, which is harmless for the fixed glob but worth quoting.
. $i
fi
done
fi
fi
Router dengan LINUX ( Fedora Core-2 )

Author : ibank ( ibank@cracked.or.id )

Research : http://ibank.cracked.or.id

Forum : #Cracked On DaL.NeT

Release Date:
05 April 2004

#############################################


Note : Sebelum install mending buat netscafe dolo, idupin TV atau mp3 :P


1. Install LINUX melalui CDRoom/Ftp/DOS.
( saya gunakan Fedora Core-2 )

* Custom
* Automatic
* Remove all partition
* DHCP uncheck
* setting IP
> IP addres
gateway
DNS
* no firewall (perhatian: tanpa firewall bawaan installer, begitu ip_forward=1 di langkah 3 router ini meneruskan semua paket apa adanya; batasi dengan aturan FORWARD di langkah 5)
* Development tools (check list)
install .....


2. setelah tahap install selesai, lalu isikan ip address untuk Routernya pada eth0 dan eth1.
Ok sekarang kita berasumsi mempunyai blok ip public dan local :

- untuk ip public :

Blok IP = 202.162.198.154 - 158 -----> range ip yg bisa di pakai.
Subnetmask = 255.255.255.248 -----> Netmask.
GateWay = 202.162.198.153

- Untuk Ip Local :

Blok Ip = 192.168.0.1 - 254
Subnetmask = 255.255.255.0

Sekarang kita Konfigurasi eth0 dan eth1 :

# vi /etc/sysconfig/network-scripts/ifcfg-eth0

DEVICE=eth0
ONBOOT=yes
BOOTPROTO=static
IPADDR=202.162.198.154
NETMASK=255.255.255.248
GATEWAY=202.162.198.153

# vi /etc/sysconfig/network-scripts/ifcfg-eth1

DEVICE=eth1
ONBOOT=yes
BOOTPROTO=static
IPADDR=192.168.0.1
NETMASK=255.255.255.0


# vi /etc/sysconfig/network

NETWORKING=yes
HOSTNAME=RouterName

# /etc/init.d/network restart

# ifconfig


3. Untuk memforward paket pastikan :

# vi /etc/sysctl.conf

net.ipv4.ip_forward = 1

# sysctl -p /etc/sysctl.conf


4. OK sekarang kita install squid versi .rpm agar lebih cepat :P
dalam hal ini saya gunakan squid-2.5.STABLE4-2.i686.rpm :

# wget http://hostname/mirror/squid-2.5.STABLE4-2.i686.rpm

# rpm -K squid-2.5.STABLE4-2.i686.rpm   <--- cek signature/checksum paket dulu, karena diambil dari mirror lewat http biasa

# rpm -ivh squid-2.5.STABLE4-2.i686.rpm

# squid -z

# vi /etc/squid/squid.conf


#Konfigurasi untuk ip dan port squid nya (diikat ke ip LAN saja, bukan ke semua interface).
http_port 192.168.0.1:3128
#Pastikan juga acl/http_access di squid.conf hanya mengizinkan 192.168.0.0/24, supaya squid tidak jadi open proxy.

#Konfigurasi untuk cache dir.
cache_dir diskd /var/spool/squid 512 16 256

#direktory log cache.
cache_access_log /var/log/squid/access.log
cache_log /var/log/squid/cache.log
cache_store_log none

#group dan user squid
cache_effective_user squid
cache_effective_group squid


# /etc/init.d/squid start

# ps ax|grep squid

#pastikan squid berjalan baik :
Squid -D
(squid) -D
diskd 255450 3578665 455678


# netstat -pln | grep squid

# tail -f /var/log/squid/cache.log

# ntsysv

#untuk mengaktivkan service squid :
(*) squid --> cek list


# vi /etc/wgetrc

#untuk Konfigurasi proxy :
http_proxy = http://192.168.0.1:3128/
use_proxy = on
waitretry = 10


5. Sekarang Kita Konfigurasi Iptables dan NAT untuk transparant Proxy :


# iptables -t nat -A PREROUTING -i eth1 -s 192.168.0.0/255.255.255.0 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 3128

# iptables -t nat -A POSTROUTING -o eth0 -s 192.168.0.0/255.255.255.0 -j MASQUERADE

(-i eth1 / -o eth0 membatasi aturan ke interface LAN dan publik sesuai konfigurasi di langkah 2. Karena installer dipilih tanpa firewall, tambahkan juga aturan di chain FORWARD, misalnya hanya meneruskan paket dari 192.168.0.0/24 dan balasan koneksi yang sudah ada; tanpa itu semua paket diteruskan.)

# /etc/init.d/iptables save

# /etc/init.d/iptables restart

# iptables -t nat -nL

# reboot
Instalasi Mrtg
by: ......
siapkan alat dan bahan (nomor versi di langkah-langkah di bawah sedikit berbeda dengan daftar ini; sesuaikan nama file dengan versi yang diunduh) :

1. net-snmp-5.1.1.tar.gz
2. zlib-1.2.2.tar.gz
3. libpng-1.2.6.tar.gz
4. gd-2.0.11.tar.gz
5. httpd-2.0.50.tar.gz
6. mrtg-2.10.14.tar.gz


A. Tahap Installasi alat dan bahan :
--------------------------------

1. install snmp :
# tar -zxvf net-snmp-5.1.1.tar.gz
# mv net-snmp-5.1.1 snmp
# cd snmp
# ./configure --prefix=/usr/snmpd --with-default-snmp-version=3 --with-sys-contact=error_crush@yahoo.com --with-sys-location=Java --with-logfile=/var/log/snmpd.log --with-persistent-directory=/var/net-snmp
# make
# umask 022
# make install
# mkdir /usr/dotconf
# vi /usr/dotconf/snmpd.conf

###############################################
# ganti "default" dengan alamat host/jaringan MRTG (mis. 192.168.10.0/24) supaya community ini tidak bisa dipakai dari sembarang alamat; community v1/v2c dikirim plaintext, jadi jangan pakai nama yang mudah ditebak
com2sec pengguna default pengguna
group pengguna v1 pengguna
group pengguna v2c pengguna
group pengguna usm pengguna
view all included .1
community "pengguna"
access pengguna "" any noauth exact all none none
###############################################

# /usr/snmpd/sbin/snmpd -c /usr/dotconf/snmpd.conf
# netstat -pln | grep snmpd
# /usr/snmpd/bin/snmpwalk -v1 -c pengguna localhost system
<-----tahap pengecekan

2.install zlib
# tar -zxvf zlib-1.2.1.tar.gz
# mv zlib-1.2.1 zlib
# cd zlib
# ./configure --prefix=/usr/zlib
# make
# make install

3. install libpng :
# tar -zxvf libpng-1.2.8rc5
# mv libpng-1.2.8rc5 libpng
# cd libpng
# cp scripts/makefile.std makefile
# make install

4. install gd :
# tar -zxvf gd-2.0.32.tar.gz
# mv gd-2.0.32 /usr/gd
# cd /usr/gd   <--- direktori sudah dipindah ke /usr/gd di langkah sebelumnya
# env CPPFLAGS="-I/usr/zlib/include -I/usr/include/libpng" LDFLAGS="-L/usr/zlib/lib -L/usr/include/libpng" ./configure --disable-shared --without-freetype --without-jpeg
(zlib di-install dengan --prefix=/usr/zlib, jadi header ada di /usr/zlib/include dan library di /usr/zlib/lib; sesuaikan juga path libpng dengan lokasi install dari makefile.std, karena -L harus menunjuk ke direktori library, bukan header)
# make
# make install
5. install httpd :
# tar -zxvf httpd-2.0.50.tar.gz
# mv httpd-2.0.50 httpd
# cd httpd
# ./configure --enable-layout=Solaris
# make
# make install

6. install mrtg :
# tar -zxvf mrtg-2.10.14.tar.gz
# mv mrtg-2.10.14 mrtg
# cd mrtg
# ./configure --prefix=/usr/mrtg --with-gd=/usr/gd --with-z=/usr/zlib --with-png=/usr/include/libpng
# make
# make install
# mkdir /etc/mrtg
# touch /etc/mrtg/server.cfg
# /usr/mrtg/bin/cfgmaker --global 'WorkDir:/var/apache/htdocs/mrtg' --global 'Options[_]: bits,growright' --output /etc/mrtg/server.cfg pengguna@192.168.10.245

7. njalanin mrtg + setting² lainnya
# mkdir /var/apache/htdocs/mrtg
# /usr/mrtg/bin/mrtg /etc/mrtg/server.cfg
# crontab -e
masukan---> */5 * * * * /usr/mrtg/bin/mrtg /etc/mrtg/server.cfg

8. Bikin idex mrtg
#/usr/mrtg/bin/indexmaker --output=/var/apache/htdocs/mrtg/index.html --nolegend --enumerate --show=day /etc/mrtg/server.cfg
9. Konfigurasi start up
# vi /etc/rc.d/rc.local
#masukan baris berikut (rc.local adalah file, bukan direktori)
###############################
#snmpd
/usr/snmpd/sbin/snmpd -c /usr/dotconf/snmpd.conf
#mrtg
rm -f /etc/mrtg/server.pid
/usr/mrtg/bin/mrtg /etc/mrtg/server.cfg
#env LANG=C /usr/mrtg/bin/mrtg /etc/mrtg/server.cfg <===tambahan bila ada kekurangan lib
10. Tambahkan di /etc/mrtg/server.cfg
RunAsDaemon: YES
Interval: 5
Refresh: 300
3.3 Bridge Config

Depending upon your kernel version you will need either the old bridge configuration utility (BRCFG) for kernels before 2.2.14, or the new bridge configuration utility (bridgex) for later kernels; these utilities allow you to control the bridging in your kernel when CONFIG_BRIDGE is turned on. BRCFG is distributed as source with pre-compiled executables. I do not know what kernel the executable was compiled with, but I got different results after I recompiled it with my kernel (2.2.13) include files. Unfortunately, to do this I had to patch them slightly. Here are the patches:

diff -C 3 -r /tmp/BRCFG/brcfg.c ./brcfg.c
*** /tmp/BRCFG/brcfg.c Wed Feb 21 19:11:59 1996
--- ./brcfg.c Wed Dec 8 12:52:23 1999
***************
*** 1,6 ****

! #include
! #include
#include

#include "br.h"
--- 1,6 ----

! #include
! #include
#include

#include "br.h"
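Review bot: The four `! #include` lines in this hunk have lost their header names on both the old and new side, so the patch as rendered cannot be applied and does not say which headers were swapped; the angle-bracketed names were presumably stripped by the HTML rendering. Readers should fetch the original patch rather than retype these lines, and the text above should say which two system headers the 1999 version replaced.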


Apply the patch, recompile brcfg and install it somewhere appropriate (I chose /usr/sbin).

For kernels later than 2.2.13 you definitely want to use the newer bridge configuration utility bridgex. I am not sure if it works with earlier kernels or not. Note that the URL for this utility is found in the kernel configuration help file /usr/src/linux/Documentation/Configure.help, so if the URL mentioned here is not correct, look in the help file (it is the help for the CONFIG_BRIDGE kernel configuration item). The bridgex tarball contains an already compiled executable, but you should probably remake it using the included Makefile (rebuilding from source also avoids running an unverified prebuilt binary as root). Note that the bridgex utility takes slightly different arguments than does the BRCFG package (that will be covered later when I talk about configuring the bridge).
3.4 Kernel Configuration

You will need to patch and configure your kernel for bridging and the bridging filter (as well as firewalling, networking, etc. if you do not already have it). The following kernel configuration items will be needed (at least):

CONFIG_EXPERIMENTAL=y
CONFIG_BRIDGE=y
CONFIG_FIREWALL=y
CONFIG_IP_FIREWALL=y


You should grab the Bridge Filter Patch and apply it to your kernel. Recompile and install your kernel and then reboot.
3.5 Putting It All Together

So you should have your two NIC's working, a newly configured kernel, and brcfg installed. Now you need to construct a startup script to put it all together. I did this using the RedHat type startup scripts (/etc/rc.d). I put specific network addresses and masks in /etc/sysconfig/network:

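# Bridge addressing, sourced by /etc/rc.d/init.d/bridge.
GATEWAY=192.168.2.129 # the address of the DSL router
GATEWAYDEV=eth1 # the NIC that the router is connected to
ETH0_ADDR=192.168.2.130 # the IP address for the NIC on our LAN
ETH0_MASK=255.255.255.192 # the netmask of our LAN
ETH0_BROAD=192.168.2.191 # the broadcast address of our LAN
ETH1_ADDR=192.168.2.130 # the IP address for the NIC on the DSL side
# can be different from ETH0_ADDR if you want
ETH1_MASK=$ETH0_MASK # the DSL side netmask, should be the same as eth0
ETH1_BROAD=$ETH0_BROAD # ditto for the broadcast address (copied from eth0; a self-reference here would leave it empty)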


Next I created a script in /etc/rc.d/init.d/bridge to setup the bridge. I include two scripts here. The first script is used with the old BRCFG utility, the second for the newer bridgex. First the one for the older BRCFG:

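#!/bin/sh
#
# bridge   Install Ethernet bridging for the DSL link with the old BRCFG tool.
#
# description: Uses brcfg to start bridging and ifconfigs eths
# processname: bridge
# config: /etc/sysconfig/network (GATEWAY, GATEWAYDEV, ETH0_*, ETH1_*)
#
# Usage: bridge {start|stop|restart|status}

# Source function library.
. /etc/rc.d/init.d/functions

# Source networking configuration; it must define every variable used below.
. /etc/sysconfig/network

# See how we were called.
case "$1" in
start)
    # Bail out before touching the NICs if the configuration is incomplete:
    # an empty value would otherwise vanish from the ifconfig/route command
    # line and the tool would act on the wrong argument.
    : "${ETH0_ADDR:?not set in /etc/sysconfig/network}"
    : "${ETH0_MASK:?not set in /etc/sysconfig/network}"
    : "${ETH0_BROAD:?not set in /etc/sysconfig/network}"
    : "${ETH1_ADDR:?not set in /etc/sysconfig/network}"
    : "${ETH1_MASK:?not set in /etc/sysconfig/network}"
    : "${ETH1_BROAD:?not set in /etc/sysconfig/network}"
    : "${GATEWAY:?not set in /etc/sysconfig/network}"
    : "${GATEWAYDEV:?not set in /etc/sysconfig/network}"
    echo -n "Configuring bridge: "
    ifconfig eth0 "$ETH0_ADDR" netmask "$ETH0_MASK" broadcast "$ETH0_BROAD"
    ifconfig eth1 "$ETH1_ADDR" netmask "$ETH1_MASK" broadcast "$ETH1_BROAD"
    # Host route to the DSL router, then the default route through it.
    route add "$GATEWAY" dev "$GATEWAYDEV"
    route add default gw "$GATEWAY" dev "$GATEWAYDEV"
    # Bridging needs both NICs to pick up every frame, not just their own.
    ifconfig eth0 promisc
    ifconfig eth1 promisc
    brcfg -enable
    echo
    ;;
stop)
    # Stop bridging, then take both NICs down.
    brcfg -disable
    ifconfig eth0 down
    ifconfig eth1 down
    ;;
restart)
    "$0" stop
    "$0" start
    ;;
status)
    ifconfig eth0
    ifconfig eth1
    brcfg
    ;;
*)
    echo "Usage: bridge {start|stop|restart|status}"
    exit 1
    ;;
esac

exit 0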


The next script is the one to use with the newer bridge configuration utility bridgex. Note that bridgex is much more configurable than the older BRCFG and so you may want to look man page included with the bridgex tarball and custom configure this script:

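#!/bin/sh
#
# bridge   Install Ethernet bridging for the DSL link with the newer bridgex tool.
#
# description: Uses brcfg (bridgex) to start bridging and ifconfigs eths
# processname: bridge
# config: /etc/sysconfig/network (GATEWAY, GATEWAYDEV, ETH0_*, ETH1_*)
#
# Usage: bridge {start|stop|restart|status}

# Source function library.
. /etc/rc.d/init.d/functions

# Source networking configuration; it must define every variable used below.
. /etc/sysconfig/network

# See how we were called.
case "$1" in
start)
    # Bail out before touching the NICs if the configuration is incomplete:
    # an empty value would otherwise vanish from the ifconfig/route command
    # line and the tool would act on the wrong argument.
    : "${ETH0_ADDR:?not set in /etc/sysconfig/network}"
    : "${ETH0_MASK:?not set in /etc/sysconfig/network}"
    : "${ETH0_BROAD:?not set in /etc/sysconfig/network}"
    : "${ETH1_ADDR:?not set in /etc/sysconfig/network}"
    : "${ETH1_MASK:?not set in /etc/sysconfig/network}"
    : "${ETH1_BROAD:?not set in /etc/sysconfig/network}"
    : "${GATEWAY:?not set in /etc/sysconfig/network}"
    : "${GATEWAYDEV:?not set in /etc/sysconfig/network}"
    echo -n "Configuring bridge: "
    ifconfig eth0 "$ETH0_ADDR" netmask "$ETH0_MASK" broadcast "$ETH0_BROAD"
    ifconfig eth1 "$ETH1_ADDR" netmask "$ETH1_MASK" broadcast "$ETH1_BROAD"
    route add default gw "$GATEWAY" dev "$GATEWAYDEV"
    # Bridging needs both NICs to pick up every frame, not just their own.
    ifconfig eth0 promisc
    ifconfig eth1 promisc
    # bridgex syntax: start the bridge, then enable each port.
    brcfg start
    brcfg device eth0 enable
    brcfg device eth1 enable
    echo
    ;;
stop)
    # Stop bridging, then take both NICs down.
    brcfg stop
    ifconfig eth0 down
    ifconfig eth1 down
    ;;
restart)
    "$0" stop
    "$0" start
    ;;
status)
    ifconfig eth0
    ifconfig eth1
    brcfg
    ;;
*)
    echo "Usage: bridge {start|stop|restart|status}"
    exit 1
    ;;
esac

exit 0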


The script is run during bootup. It assigns addresses to each NIC, adds a default route that goes to the DSL router, adds a specific route direct to the DSL router, puts each NIC in "promiscuous" mode, and then enables bridging. I linked this script into the following directories in /etc/rc.d:

/etc/rc.d/rc0.d/K90bridge
/etc/rc.d/rc1.d/K90bridge
/etc/rc.d/rc2.d/S11bridge
/etc/rc.d/rc3.d/S11bridge
/etc/rc.d/rc4.d/S11bridge
/etc/rc.d/rc5.d/S11bridge
/etc/rc.d/rc6.d/K90bridge


This makes it run right after the network start script. You should disable other configuration of eth0 (or eth1) such as done in the /etc/rc.d/init.d/network script (in RedHat by removing files ifcfg-eth? from /etc/sysconfig/network-scripts/).

To try things out, I suggest rebooting in single user mode (specify "single" as an arg to the kernel, e.g. in lilo "lilo: linux single") and running the startup scripts in /etc/rc.d/rc3.d one at a time until you get to the bridge startup. Startup the bridge and then see if you can reach some machines (you probably want to use "ping -n" for this to keep the nameserver out of the equation):

ping the DSL router
ping a local machine
ping a machine on the global net

If you can ping all those places, there is a good chance that things are working. Note that the bridge takes a few moments to startup. You can monitor the status of the bridge by issuing the command brcfg with no arguments.
----------------------------------------------------------------------------
#!/bin/sh
#
# rc.firewall - Initial SIMPLE IP Firewall test script for 2.4.x
#
# Author: David Whitmarsh
# (c) 2001, 2002 Sparkle Computer Co ltd.
# based on rc.firewall by Oskar Andreasson
# parts (c) of BoingWorld.com, use at your own risk,
# do whatever you please with
# it as long as you don't distribute this without due credits to
# BoingWorld.com and Sparkle Computer Co Ltd
#

###########
# Configuration options, these will speed you up getting this script to
# work with your own setup.

#
# your LAN's IP range and localhost IP. /24 means to only use the first 24
# bits of the 32 bit IP address, the same as netmask 255.255.255.0
#
# BR_IP is used to access the firewall across the network.
# For maximum security don't set one up (leave it empty) - but then you must do
# everything directly on the firewall console.

# Placeholders: replace every "xxx.xxx.xxx" with the real public prefix.

# Address the bridge itself answers on; empty keeps the firewall unreachable
# over the network (administer it from the console only).
BR_IP="xxx.xxx.xxx.57"
BR_IFACE="br0"

# The /29 behind the bridge and its directed broadcast address.
LAN_BCAST_ADDRESS="xxx.xxx.xxx.63"
INTERNAL_ADDRESS_RANGE="xxx.xxx.xxx.56/29"

# Physical ports: eth1 faces the Internet, eth0 faces the LAN.
INET_IFACE="eth1"
LAN_IFACE="eth0"

# Loopback.
LO_IFACE="lo"
LO_IP="127.0.0.1"

# Path to the iptables binary used for every rule below.
IPTABLES="/sbin/iptables"

#########
# Load all required IPTables modules
#

# Refresh the module dependency list so modprobe can resolve the names below.
/sbin/depmod -a

# Extra targets used by the rules: LOG and REJECT.
/sbin/modprobe ipt_LOG
/sbin/modprobe ipt_REJECT

# Connection-tracking helpers so FTP data and IRC DCC connections are
# recognised as RELATED.
/sbin/modprobe ip_conntrack_ftp
/sbin/modprobe ip_conntrack_irc

#
# Take down the interfaces before setting up the bridge: run the ifdown
# scripts first, then strip any address that is left so neither NIC routes
# on its own once it is enslaved to the bridge.
#
ifdown "$INET_IFACE"
ifdown "$LAN_IFACE"
ifconfig "$INET_IFACE" 0.0.0.0
ifconfig "$LAN_IFACE" 0.0.0.0

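# Clean up for a restart. Both the filter table and the mangle table are
# flushed: the anti-spoof rules below go into mangle PREROUTING and would
# otherwise be appended again on every run of this script.
$IPTABLES -F
$IPTABLES -X
$IPTABLES -t mangle -F

#
# Set default policies for the INPUT, FORWARD and OUTPUT chains
#
$IPTABLES -P INPUT DROP
$IPTABLES -P OUTPUT ACCEPT
$IPTABLES -P FORWARD DROP

# Our interfaces don't have IP addresses so we have to start with the mangle
# PREROUTING table: everything not explicitly accepted there is dropped
# before it ever reaches the filter chains.
$IPTABLES -t mangle -P PREROUTING DROP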

# Now we are pretty secure, let's start the bridge.
# This creates the bridge interface ...
brctl addbr "$BR_IFACE"

# ... and enslaves both physical ports to it.
brctl addif "$BR_IFACE" "$INET_IFACE"
brctl addif "$BR_IFACE" "$LAN_IFACE"

# Give the bridge an address if one was configured (optional; this also
# brings the interface up). Otherwise it still has to be brought up for
# the bridge to pass frames at all.
if [ -n "$BR_IP" ] ; then
    ifconfig "$BR_IFACE" "$BR_IP"
else
    ifconfig "$BR_IFACE" up
fi

# Block obvious spoofs: nothing arriving on either port should claim an
# RFC 1918 source. (Other bogons such as 127.0.0.0/8 are not covered here.)
$IPTABLES -t mangle -A PREROUTING -s 192.168.0.0/16 -j DROP
$IPTABLES -t mangle -A PREROUTING -s 10.0.0.0/8 -j DROP
$IPTABLES -t mangle -A PREROUTING -s 172.16.0.0/12 -j DROP

# Only our own range may enter on the LAN port ...
$IPTABLES -t mangle -A PREROUTING -i "$LAN_IFACE" -s "$INTERNAL_ADDRESS_RANGE" -j ACCEPT

# ... and our own range may never enter on the Internet port. Everything
# else falls through to the mangle PREROUTING policy (DROP).
$IPTABLES -t mangle -A PREROUTING -i "$INET_IFACE" ! -s "$INTERNAL_ADDRESS_RANGE" -j ACCEPT

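#
# FORWARD chain: traffic bridged between the LAN and the Internet.
# Order matters: anything from the inside is let out, replies to tracked
# connections are let back in, new inbound traffic is dispatched to a
# per-protocol chain, and only what falls out of all of those is logged
# before the FORWARD policy (DROP) discards it.
#

$IPTABLES -A FORWARD -p ALL -s "$INTERNAL_ADDRESS_RANGE" -j ACCEPT
$IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

#
# ICMP: a whitelist of message types; anything else falls through to the
# FORWARD policy.
#
$IPTABLES -N icmp_packets
$IPTABLES -A icmp_packets -p ICMP -s 0/0 --icmp-type 0 -j ACCEPT # echo reply
$IPTABLES -A icmp_packets -p ICMP -s 0/0 --icmp-type 3 -j ACCEPT # dest unreachable
# NOTE(review): forwarding ICMP redirects (type 5) from the Internet lets an
# outside host rewrite LAN hosts' routing tables; nothing behind a bridge
# like this should need them, so consider dropping this rule.
$IPTABLES -A icmp_packets -p ICMP -s 0/0 --icmp-type 5 -j ACCEPT # redirect
$IPTABLES -A icmp_packets -p ICMP -s 0/0 --icmp-type 11 -j ACCEPT # time exceeded
$IPTABLES -A FORWARD -p ICMP -j icmp_packets

#
# UDP: replies to LAN-originated queries are already covered by the
# ESTABLISHED,RELATED rule above, so only server-to-server exceptions are
# listed here. Each one is pinned to a destination port as well as a source
# port: an unrestricted "--source-port 53" match would let any Internet host
# reach any UDP service on the LAN simply by sending from port 53.
#
$IPTABLES -N udpincoming_packets
$IPTABLES -A udpincoming_packets -p UDP -s 0/0 --source-port 53 --destination-port 53 -j ACCEPT # DNS server-to-server
$IPTABLES -A udpincoming_packets -p UDP -s 0/0 --source-port 123 --destination-port 123 -j ACCEPT # ntp peer
#$IPTABLES -A udpincoming_packets -p UDP -s 0/0 --source-port 2074 -j ACCEPT # speakfreely
#$IPTABLES -A udpincoming_packets -p UDP -s 0/0 --source-port 4000 -j ACCEPT #icq
$IPTABLES -A FORWARD -p UDP -j udpincoming_packets

#
# TCP
#
$IPTABLES -N tcp_packets

# The "allowed" chain for TCP connections: a new connection may only start
# with a SYN; anything else that is not part of a tracked connection is dropped.
$IPTABLES -N allowed
$IPTABLES -A allowed -p TCP --syn -j ACCEPT
$IPTABLES -A allowed -p TCP -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A allowed -p TCP -j DROP

# Bad TCP packets we don't want: a NEW connection that does not begin with SYN.
$IPTABLES -A tcp_packets -p tcp ! --syn -m state --state NEW -j LOG --log-prefix "New not syn:"
$IPTABLES -A tcp_packets -p tcp ! --syn -m state --state NEW -j DROP

# Services reachable from the Internet, by destination host and port.
$IPTABLES -A tcp_packets -p TCP -s 0/0 -d springfield.sparkle-cc.co.uk --dport 80 -j allowed # http
$IPTABLES -A tcp_packets -p TCP -s 0/0 -d lisa.sparkle-cc.co.uk --dport 6346 -j allowed # gnutella
$IPTABLES -A tcp_packets -p TCP -s 0/0 -d springfield.sparkle-cc.co.uk --dport 25 -j allowed # smtp
$IPTABLES -A FORWARD -p TCP -j tcp_packets

# Log (rate-limited) whatever none of the chains above accepted; the FORWARD
# policy then drops it. This rule must stay last: placed before the protocol
# dispatch it would log every new inbound packet, including the ones that
# are about to be accepted.
$IPTABLES -A FORWARD -m limit --limit 3/minute --limit-burst 3 -j LOG --log-level 7 --log-prefix "IPT FORWARD packet died: "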

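#
# Input to the firewall itself. Leave these out if you don't want the firewall
# to be visible on the network at all.
# Note that the mangle PREROUTING restrictions above mean that only packets
# from inside can fulfil the source condition, so the firewall machine is not
# reachable from the Internet through these rules.
#

$IPTABLES -A INPUT -p ALL -i "$BR_IFACE" -s "$INTERNAL_ADDRESS_RANGE" -d "$LAN_BCAST_ADDRESS" -j ACCEPT
# Only when the bridge was given an address: with BR_IP empty (the
# "not visible" option at the top) an unconditional rule would expand to
# "-d -j ACCEPT", a malformed command that iptables refuses.
if [ -n "$BR_IP" ] ; then
    $IPTABLES -A INPUT -p ALL -i "$BR_IFACE" -s "$INTERNAL_ADDRESS_RANGE" -d "$BR_IP" -j ACCEPT
fi

# But you *will* need this: loopback traffic to the firewall's own services.
$IPTABLES -A INPUT -p ALL -i "$LO_IFACE" -d "$LO_IP" -j ACCEPT

# Everything else is logged (rate-limited) and then dropped by the INPUT policy.
$IPTABLES -A INPUT -m limit --limit 3/minute --limit-burst 3 -j LOG --log-level 7 --log-prefix "IPT INPUT packet died: "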

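#
# OUTPUT chain: the firewall's own outbound traffic. The OUTPUT policy set
# above is ACCEPT, so these rules only drop malformed new TCP and log the
# unexpected.
#

$IPTABLES -A OUTPUT -p tcp ! --syn -m state --state NEW -j LOG --log-prefix "New not syn:"
$IPTABLES -A OUTPUT -p tcp ! --syn -m state --state NEW -j DROP

$IPTABLES -A OUTPUT -p ALL -s "$LO_IP" -j ACCEPT
# Only when the bridge was given an address: with BR_IP empty an
# unconditional rule would expand to "-s -j ACCEPT", which iptables refuses.
if [ -n "$BR_IP" ] ; then
    $IPTABLES -A OUTPUT -p ALL -s "$BR_IP" -j ACCEPT
fi
# NOTE(review): because the OUTPUT policy is ACCEPT, packets reaching this
# LOG rule are still sent; the "packet died" prefix is only accurate if the
# policy is changed to DROP.
$IPTABLES -A OUTPUT -m limit --limit 3/minute --limit-burst 3 -j LOG --log-level 7 --log-prefix "IPT OUTPUT packet died: "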