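option clearall
option createchains
option automod

############# Define variables
# Helper binaries.  Note the $NSIP command below still spells out the
# literal paths instead of using these; keep both in sync if they move.
def $IFCONFIG = "/sbin/ifconfig";
def $AWK = "/usr/bin/awk";
def $GREP = "/bin/grep";
def $CAT = "/bin/cat";
def $SED = "/bin/sed";

# Our own address, prefix length and interface.  $IPSPEC is derived from
# $IPS so the address is written exactly once.
def $MASK = 29; # Our netmask is /29 = 255.255.255.248
def $IPS = 64.20.38.170;
def $IFS = eth0;
def $IPSPEC = "$IPS/$MASK";

# Nameserver address(es), read from resolv.conf each time ferm runs.
# NOTE(review): if resolv.conf lists no nameserver this expands to an empty
# value and `saddr $NSIP` in fw_udp has nothing to match -- confirm how the
# ferm version in use treats an empty value before relying on it.
def $NSIP = `/bin/cat /etc/resolv.conf | /bin/grep nameserver | /usr/bin/awk '{print $2}'`;
#set NTPIP `$CAT /etc/ntp.conf | $GREP server | $AWK '{print $2}'`

# Hosts rejected outright (chain badguys).  The list is whatever the
# external script prints, so its output is inserted into the ruleset as-is.
def $BADGUYS = `/etc/firewall/print_badguys`;

############# Port/protocol combinations we allow in and out
def $TCP_IN = (ssh smtp auth www ssmtp https imap imaps pop3 pop3s);
def $TCP_OUT_DELAY = (ssh ftp auth);
def $TCP_OUT_RELIABILITY = (http nntp smtp pop3 auth domain);
def $TCP_OUT_THROUGHPUT = (ftp-data);
#set TCP_OUT_COST ""

def $UDP_IN = (ntp domain);
def $UDP_OUT = 1:65535; # every UDP destination port is allowed out (see OUTPUT)

def $ICMP_IN = (ping pong destination-unreachable source-quench time-exceeded parameter-problem);
def $ICMP_OUT = (ping pong fragmentation-needed source-quench parameter-problem);
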
# Make us insensitive to the environment
# Default-deny: the whole filter table and mangle FORWARD drop whatever the
# chains below do not explicitly accept.
table filter chain (INPUT OUTPUT FORWARD) policy DROP;
table mangle chain FORWARD policy DROP;

# Allow traffic in areas outside of our scope
# The other mangle chains and the nat table stay open; nothing visible in
# this file adds rules there (the included users*.conf files are not shown).
table mangle chain (PREROUTING INPUT OUTPUT POSTROUTING) policy ACCEPT;
table nat chain (PREROUTING OUTPUT POSTROUTING) policy ACCEPT;

######################################################################
# Built-in chains that jump to our custom ones

# INPUT: traffic addressed to this host.  Order is significant: invalid and
# fragmented packets are logged and rejected first, known flows are accepted,
# loopback is policed, then new traffic is dispatched per protocol and
# whatever the protocol chains do not ACCEPT ends in ldrop.
chain INPUT {
    state INVALID goto ldrop;
    fragment goto ldrop;
# goto IANA_BAN;
# goto LOCAL_BAN;
#goto PORTSCAN; # Do we need this? There are better, dedicated tools

    # Replies to connections conntrack already knows about.
    state (ESTABLISHED RELATED) ACCEPT;

    # Loopback may only carry loopback or our own address on both ends;
    # anything else arriving on lo is treated as spoofed.
    if lo saddr 127.0.0.1/8 daddr 127.0.0.1/8 ACCEPT;
    if lo saddr $IPSPEC daddr $IPSPEC ACCEPT;
    if lo goto ldrop;

#incoming traffic
    # NOTE(review): this file relies on `goto` returning here when the
    # target chain ends without a verdict (the plain jump of ferm 1.x).
    # In ferm 2.x `goto` generates iptables -g and `jump` generates -j;
    # with -g a non-match in badguys would fall to the INPUT policy instead
    # of reaching the protocol chains -- confirm the ferm version before
    # porting.
    goto badguys;
    protocol tcp goto fw_tcp;
    protocol udp goto fw_udp;
    protocol icmp goto fw_icmp;

    goto ldrop;
}

# OUTPUT: traffic originating on this host.  Mirrors INPUT but terminates in
# lreject; all TCP is handed to tosqueue, which has to ACCEPT it itself.
chain OUTPUT {
    state INVALID goto lreject;
    fragment goto lreject;

    state (ESTABLISHED RELATED) ACCEPT;

    # Outgoing on lo must carry a loopback or our own source address.
    # Only saddr is checked for $IPSPEC here, whereas INPUT checks both ends.
    of lo saddr 127.0.0.1/8 daddr 127.0.0.1/8 ACCEPT;
    of lo saddr $IPSPEC ACCEPT;
    of lo goto lreject;

# queueing goes here, maybe some special fw rules as well
    proto tcp goto tosqueue; # ACCEPT must be handled here

    # All outbound UDP ($UDP_OUT is 1:65535) and the listed ICMP types.
    proto udp dport $UDP_OUT ACCEPT;
    proto icmp icmp-type $ICMP_OUT ACCEPT;

    goto lreject;
}

#####################################################################
# Deal with known offenders right away
# Make difference between notorious ones and unusual ones
# $BADGUYS is the output of /etc/firewall/print_badguys.  The verdict is
# REJECT, so listed hosts still receive an answer; DROP would be silent.
# TODO(review): the notorious/unusual distinction mentioned above is not
# implemented -- there is only this one rule.
chain badguys {
    saddr $BADGUYS REJECT;
}

#####################################################################
# TCP traffic
# Inbound TCP.  This chain only ACCEPTs or sends to ldrop; anything it does
# not match returns to INPUT, which ends in ldrop as well.
chain fw_tcp proto tcp {
# Standard allowances
    # New connections to our services from unprivileged source ports: up to
    # 5 SYN/s are accepted, a sample (20/min) of the excess is logged, the
    # rest goes to ldrop.  NOTE(review): there is no burst allowance, so a
    # legitimate short burst above 5/s is dropped too.
    syn dport $TCP_IN sport 1024: {
        limit 5/s ACCEPT;
        limit 20/m LOG log-prefix "SYN flood attack:";
        goto ldrop;
    }

# deny scanning via DNS port
    # Source port 53 to our DNS port is fine; a SYN from port 53 to anything
    # else is the classic source-port trick and is dropped.
    sport domain {
        dport domain ACCEPT;
        syn goto ldrop;
    }

# special case to allow active ftp transfers to our machine!
    # NOTE(review): this accepts NEW connections from any host whose source
    # port is 20 to any local port >= 1024, bypassing the $TCP_IN list and
    # the SYN rate limit above.  With the ftp conntrack helper loaded, the
    # ESTABLISHED/RELATED rule in INPUT already covers active-mode data
    # connections, so this rule can probably be removed -- confirm.
    sport ftp-data dport 1024: {
        ACCEPT;
    }

    include 'users_tcp_in.conf';

# awkward incoming connections
    # Any other connection attempt.
    syn {
        goto ldrop;
    }
}

#####################################################################
# UDP traffic
# Inbound UDP.  Unmatched packets return to INPUT and end in ldrop.
chain fw_udp proto udp {
# Standard allowances
    # ntp/domain from unprivileged source ports.
    dport $UDP_IN sport 1024: {
        ACCEPT;
    }

# again no dns fumbling around
    # 53 -> 53 is accepted only from the nameserver(s) in $NSIP.
    sport domain dport domain saddr $NSIP {
        ACCEPT;
    }
}


#####################################################################
# ICMP traffic
# Inbound ICMP: only the types listed in $ICMP_IN, with no rate limit
# (the echo-request limit below is commented out).
chain fw_icmp proto icmp {
# Standard allowances
    icmp-type $ICMP_IN {
        ACCEPT;
    }

#icmp-type echo-request limit 1/s ACCEPT;
#icmptype ( ping pong destination-unreachable time-exceeded) {
# ACCEPT;
#}
# never seen hits on this one:
}


#####################################################################
# TOS (Type-of-service) adjustments
# Reached from OUTPUT for every TCP packet.  All settos variants are
# commented out, so at present this chain only decides ACCEPT vs lreject
# from the port lists; both dport and sport are matched.
chain tosqueue {
    protocol tcp {
# rapid response protocols
# dport $TCP_OUT_DELAY settos min-delay ACCEPT;
        dport $TCP_OUT_DELAY ACCEPT;
        sport $TCP_OUT_DELAY ACCEPT;
# keep these from timing out
# dport $TCP_OUT_RELIABILITY settos max-reliability ACCEPT;
        dport $TCP_OUT_RELIABILITY ACCEPT;
        sport $TCP_OUT_RELIABILITY ACCEPT;
# bulk stuff
# dport $TCP_OUT_THROUGHPUT settos max-throughput ACCEPT;
        dport $TCP_OUT_THROUGHPUT ACCEPT;
        sport $TCP_OUT_THROUGHPUT ACCEPT;
# dport (ftp-data 8888 6699) settos max-throughput ACCEPT;
        # 8888/6699 are literal here rather than in a def like the others.
        dport (ftp-data 8888 6699) ACCEPT;
        sport (ftp-data 8888 6699) ACCEPT;
    }

# proto tcp dport $TCP_OUT_COST settos min-cost ACCEPT;

    include 'users_tcp_out.conf';

    # Every other outbound TCP packet is denied (logged as "Denied").
    goto lreject;
}

#####################################################################
# Supporting targets
# ldrop: log, then terminate.  NOTE(review): despite the name and the
# "Dropped" prefix the final verdict is REJECT, the same as lreject; if a
# silent DROP was intended for inbound traffic, change the last line.
# Fragments are logged twice (the first LOG rule has no match and the
# second matches fragments again).  The prefixes carry no trailing space or
# separator, so "Dropped" runs straight into the IN= field in syslog.
chain ldrop {
    LOG {
        log-level info log-prefix "Dropped";
        log-level warn fragment log-prefix "FRAGMENT Dropped";
    }
    REJECT;
}

# lreject: log, then REJECT.  The info-level line only matches TCP, so a
# rejected UDP or ICMP packet is logged only when it is a fragment.
chain lreject {
    LOG {
        log-level info proto tcp log-prefix "Denied";
        log-level warn fragment log-prefix "FRAGMENT Denied";
    }
    REJECT;
}

# Site-specific additions; contents not visible here.
include 'users.conf';