X-Git-Url: http://git.hcoop.net/hcoop/zz_old/fwtool.git/blobdiff_plain/f5a6c05e5e465bc230dceafbdd145659fc629d81..6e5c291d4db524fdb5c24342ef0f28b3f9550c3b:/closed.conf
diff --git a/closed.conf b/closed.conf
dissimilarity index 61%
index 9ce2d56..92b64b4 100644
--- a/closed.conf
+++ b/closed.conf
@@ -1,250 +1,208 @@
-
-option iptables
-option clearall
-option createchains
-option automod
-
-############# Define variables
-set IFCONFIG "/sbin/ifconfig"
-set AWK "/usr/bin/awk"
-set GREP "/bin/grep"
-set CAT "/bin/cat"
-set SED "/bin/sed"
-
-set MASK "29" # Our netmask is /29 = 255.255.255.248
-set IPS "64.20.38.170"
-set IFS "eth0"
-set IPSPEC "64.20.38.170/%MASK"
-
-set NSIP `%CAT /etc/resolv.conf | %GREP nameserver | %AWK '{print $2}'`
-#set NTPIP `%CAT /etc/ntp.conf | %GREP server | %AWK '{print $2}'`
-
-############# Port/protocol combinations we allow in and out
-set TCP_IN "ssh,smtp,auth,www,ssmtp,https,imap,imaps,pop3,pop3s"
-set TCP_OUT_DELAY "ssh,ftp,auth"
-set TCP_OUT_RELIABILITY "http,nntp,smtp,pop3,auth,domain"
-set TCP_OUT_THROUGHPUT "ftp-data"
-#set TCP_OUT_COST ""
-
-set UDP_IN "ntp,domain"
-set UDP_OUT "1:65535"
-
-set ICMP_IN "ping,pong,destination-unreachable,source-quench,time-exceeded,parameter-problem"
-set ICMP_OUT "ping,pong,fragmentation-needed,source-quench,parameter-problem"
-
-
-# Make us insensitive to the environment
-
-# Allow traffic in areas outside of our scope
-policy DROP {
- table mangle chain forward;
- table filter chain forward;
- table filter chain (INPUT,OUTPUT);
-}
-policy ACCEPT {
- table mangle chain (PREROUTING,INPUT,OUTPUT,POSTROUTING);
- table nat chain (PREROUTING,OUTPUT,POSTROUTING);
-}
-
-######################################################################
-# Built-in chains that jump to our custom ones
-
-chain INPUT {
- state INVALID goto LDROP;
- fragment goto LDROP;
-# goto IANA_BAN;
-# goto LOCAL_BAN;
- #goto PORTSCAN; # Do we need this? There are better, dedicated tools
-
- state (ESTABLISHED,RELATED) ACCEPT;
-
- if lo saddr 127.0.0.1/8 daddr 127.0.0.1/8 ACCEPT;
- if lo saddr %IPSPEC daddr %IPSPEC ACCEPT;
- if lo goto LDROP;
-
- #incoming traffic
- goto badguys;
- protocol tcp goto fw_tcp;
- protocol udp goto fw_udp;
- protocol icmp goto fw_icmp;
-
- goto LDROP;
-}
-
-chain OUTPUT {
- state INVALID goto LDENY;
- fragment goto LDENY;
-
- state (ESTABLISHED,RELATED) ACCEPT;
-
- of lo saddr 127.0.0.1/8 daddr 127.0.0.1/8 ACCEPT;
- of lo saddr %IPSPEC ACCEPT;
- of lo goto LDENY;
-
- # queueing goes here, maybe some special fw rules as well
- proto tcp goto tosqueue; # ACCEPT must be handled here
-
- proto udp dport %UDP_OUT ACCEPT;
- proto icmp icmptype %ICMP_OUT ACCEPT;
-
- goto LDENY;
-}
-
-#####################################################################
-# Deal with known offenders right away
-# Make difference between notorious ones and unusual ones
-chain badguys {
-
- saddr(
- # Mailbombing nion's email
- 152.163.210.178
- 205.188.135.170
- 64.12.187.193
-
- # Executed nion's CGI script 400,000 times
- 24.186.165.67
-
- # docelic, Wed Aug 3 04:18:56 EDT 2005
- # Trying out new server with all kinds of usernames on ssh
- # (All of those seem to be from the same "mastermind")
- 211.48.20.153
- 62.36.240.114
- 62.75.240.62
- 210.204.193.1
- 84.26.59.170
- # docelic, Sun Aug 21 01:29:10 EDT 2005
- 63.76.235.2
- 80.48.31.252
- 220.194.55.126
- 163.26.229.131
- 201.6.223.150
- 64.34.171.56
- 82.177.98.1
- 61.185.219.23
- 62.62.224.184
- 212.0.107.141
- 60.248.227.34
- 63.246.10.45
- # docelic, Sun Aug 21 22:14:15 EDT 2005
- 210.184.124.11
- 210.238.188.155
- 63.247.76.10
-
- # Log says reverse mapping failed for this address
- # (hundreds of entries)
- 114.67.19.241
- ) {
- DROP;
- }
-}
-
-#####################################################################
-# TCP traffic
-chain fw_tcp proto tcp {
- # Standard allowances
- syn dport %TCP_IN sport 1024: {
- limit 5/s ACCEPT;
- limit 20/m LOG log-prefix "SYN flood attack:" LOG;
- goto LDROP;
- }
-
- # Should be covered by (RELATED,ESTABLISHED) ACCEPT above
- #dport %TCP_IN accept;
-
- # deny scanning via DNS port
- sport domain {
- dport domain ACCEPT;
- syn goto LDROP;
- }
-
- # special case to allow active ftp transfers to our machine!
- sport ftp-data dport 1024: {
- ACCEPT;
- }
-
- # awkward incoming connections
- syn {
- goto LDROP;
- }
-
- # want to deny inside-out fake stuff? uncomment this:
- # (see /proc/sys/net/ipv4/ip_local_port_range ): Tune the file to 13999 !
- dport 14000: {
- goto LDROP;
- }
-}
-
-#####################################################################
-# UDP traffic
-chain fw_udp proto udp {
- # Standard allowances
- dport %UDP_IN sport 1024: {
- ACCEPT;
- }
-
- # again no dns fumbling around
- sport domain dport domain saddr %NSIP {
- ACCEPT;
- }
-}
-
-
-#####################################################################
-# ICMP traffic
-chain fw_icmp proto icmp {
- # Standard allowances
- icmptype %ICMP_IN {
- ACCEPT;
- }
-
- #icmp-type echo-request limit 1/s ACCEPT;
- #icmptype ( ping pong destination-unreachable time-exceeded) {
- # ACCEPT;
- #}
- # never seen hits on this one:
-}
-
-
-#####################################################################
-# TOS (Type-of-service) adjustments
-chain tosqueue {
- protocol tcp {
- # rapid response protocols
-# dport %TCP_OUT_DELAY settos min-delay ACCEPT;
- dport %TCP_OUT_DELAY ACCEPT;
- sport %TCP_OUT_DELAY ACCEPT;
- # keep these from timing out
-# dport %TCP_OUT_RELIABILITY settos max-reliability ACCEPT;
- dport %TCP_OUT_RELIABILITY ACCEPT;
- sport %TCP_OUT_RELIABILITY ACCEPT;
- # bulk stuff
-# dport %TCP_OUT_THROUGHPUT settos max-throughput ACCEPT;
- dport %TCP_OUT_THROUGHPUT ACCEPT;
- sport %TCP_OUT_THROUGHPUT ACCEPT;
-# dport (ftp-data,8888,6699) settos max-throughput ACCEPT;
- dport (ftp-data,8888,6699) ACCEPT;
- sport (ftp-data,8888,6699) ACCEPT;
- }
-
-# proto tcp dport %TCP_OUT_COST settos min-cost ACCEPT;
- goto LDENY;
-}
-
-#####################################################################
-# Supporting targets
-chain LDROP {
- LOG {
- log-level info logprefix "Dropped";
- log-level warn fragment log-prefix "FRAGMENT Dropped";
- }
- DROP;
-}
-
-chain LDENY {
- LOG {
- log-level info proto tcp logprefix "Denied";
- log-level warn fragment log-prefix "FRAGMENT Denied";
- }
- DENY;
-}
-
+
+option clearall
+option createchains
+option automod
+
+############# Define variables
+def $IFCONFIG = "/sbin/ifconfig";
+def $AWK = "/usr/bin/awk";
+def $GREP = "/bin/grep";
+def $CAT = "/bin/cat";
+def $SED = "/bin/sed";
+
+def $MASK = 29; # Our netmask is /29 = 255.255.255.248
+def $IPS = 64.20.38.170;
+def $IFS = eth0;
+def $IPSPEC = "64.20.38.170/$MASK";
+def $WE = (127.0.0.1/8 $IPSPEC);
+
+def $NSIP = `/bin/cat /etc/resolv.conf | /bin/grep nameserver | /usr/bin/awk '{print $2}'`;
+#set NTPIP `$CAT /etc/ntp.conf | $GREP server | $AWK '{print $2}'`
+
+def $BADGUYS = `/etc/firewall/print_badguys`;
+
+############# Port/protocol combinations we allow in and out
+def $TCP_IN = (ssh smtp 26 auth www ssmtp https imap imaps pop3 pop3s 10000 20000);
+# 10000 is webmin; 20000 is usermin
+def $TCP_OUT_DELAY = (ssh ftp auth);
+def $TCP_OUT_RELIABILITY = (http nntp smtp pop3 auth domain);
+def $TCP_OUT_THROUGHPUT = (ftp-data);
+#set TCP_OUT_COST ""
+
+def $UDP_IN = (ntp domain);
+def $UDP_OUT = 1:65535;
+
+def $ICMP_IN = (ping pong destination-unreachable source-quench time-exceeded parameter-problem);
+def $ICMP_OUT = (ping pong fragmentation-needed source-quench parameter-problem);
+
+
+# Make us insensitive to the environment
+table mangle chain FORWARD policy DROP;
+table filter chain FORWARD policy DROP;
+table filter chain (INPUT OUTPUT) policy DROP;
+
+# Allow traffic in areas outside of our scope
+table mangle chain (PREROUTING INPUT OUTPUT POSTROUTING) policy ACCEPT;
+table nat chain (PREROUTING OUTPUT POSTROUTING) policy ACCEPT;
+
+######################################################################
+# Built-in chains that jump to our custom ones
+
+chain INPUT {
+ state INVALID goto ldrop;
+ fragment goto ldrop;
+# goto IANA_BAN;
+# goto LOCAL_BAN;
+ #goto PORTSCAN; # Do we need this? There are better, dedicated tools
+
+ state (ESTABLISHED RELATED) ACCEPT;
+
+ proto tcp if lo saddr 127.0.0.1/8 sport :1023 daddr 127.0.0.1/8 ACCEPT;
+ proto tcp if lo saddr 127.0.0.1/8 daddr 127.0.0.1/8 dport :1023 ACCEPT;
+ proto (tcp udp) saddr 127.0.0.1/8 daddr 127.0.0.1/8 mod owner uid-owner 0 ACCEPT;
+ if lo saddr $IPSPEC daddr $IPSPEC ACCEPT;
+# if lo goto ldrop;
+
+ #incoming traffic
+ goto badguys;
+ protocol tcp goto fw_tcp;
+ protocol udp goto fw_udp;
+ protocol icmp goto fw_icmp;
+
+ goto ldrop;
+}
+
+chain OUTPUT {
+ state INVALID goto lreject;
+ fragment goto lreject;
+
+ state (ESTABLISHED RELATED) ACCEPT;
+
+ proto tcp of lo saddr 127.0.0.1/8 daddr 127.0.0.1/8 ACCEPT;
+ saddr 127.0.0.1/8 daddr 127.0.0.1/8 mod owner uid-owner 0 ACCEPT;
+ of lo saddr $IPSPEC ACCEPT;
+# of lo goto lreject;
+
+ # queueing goes here, maybe some special fw rules as well
+ proto tcp goto tosqueue; # ACCEPT must be handled here
+
+ proto udp dport $UDP_OUT ACCEPT;
+ proto icmp icmp-type $ICMP_OUT ACCEPT;
+
+ goto lreject;
+}
+
+#####################################################################
+# Deal with known offenders right away
+# Make difference between notorious ones and unusual ones
+chain badguys {
+ saddr $BADGUYS REJECT;
+}
+
+#####################################################################
+# TCP traffic
+chain fw_tcp proto tcp {
+ # Standard allowances
+ syn dport $TCP_IN sport 1024: {
+ limit 5/s ACCEPT;
+ limit 20/m LOG log-prefix "SYN flood attack:";
+ goto ldrop;
+ }
+
+ # deny scanning via DNS port
+ sport domain {
+ dport domain ACCEPT;
+ syn goto ldrop;
+ }
+
+ # special case to allow active ftp transfers to our machine!
+ sport ftp-data dport 1024: {
+ ACCEPT;
+ }
+
+ include 'users_tcp_in.conf';
+
+ # awkward incoming connections
+ syn {
+ goto ldrop;
+ }
+}
+
+#####################################################################
+# UDP traffic
+chain fw_udp proto udp {
+ # Standard allowances
+ dport $UDP_IN sport 1024: {
+ ACCEPT;
+ }
+
+ # again no dns fumbling around
+ sport domain dport domain saddr $NSIP {
+ ACCEPT;
+ }
+}
+
+
+#####################################################################
+# ICMP traffic
+chain fw_icmp proto icmp {
+ # Standard allowances
+ icmp-type $ICMP_IN {
+ ACCEPT;
+ }
+
+ #icmp-type echo-request limit 1/s ACCEPT;
+ #icmptype ( ping pong destination-unreachable time-exceeded) {
+ # ACCEPT;
+ #}
+ # never seen hits on this one:
+}
+
+
+#####################################################################
+# TOS (Type-of-service) adjustments
+chain tosqueue {
+ protocol tcp {
+ # rapid response protocols
+# dport $TCP_OUT_DELAY settos min-delay ACCEPT;
+ dport $TCP_OUT_DELAY ACCEPT;
+ sport $TCP_OUT_DELAY ACCEPT;
+ # keep these from timing out
+# dport $TCP_OUT_RELIABILITY settos max-reliability ACCEPT;
+ dport $TCP_OUT_RELIABILITY ACCEPT;
+ sport $TCP_OUT_RELIABILITY ACCEPT;
+ # bulk stuff
+# dport $TCP_OUT_THROUGHPUT settos max-throughput ACCEPT;
+ dport $TCP_OUT_THROUGHPUT ACCEPT;
+ sport $TCP_OUT_THROUGHPUT ACCEPT;
+# dport (ftp-data 8888 6699) settos max-throughput ACCEPT;
+ dport (ftp-data 8888 6699) ACCEPT;
+ sport (ftp-data 8888 6699) ACCEPT;
+ }
+
+# proto tcp dport $TCP_OUT_COST settos min-cost ACCEPT;
+
+ include 'users_tcp_out.conf';
+
+ goto lreject;
+}
+
+#####################################################################
+# Supporting targets
+chain ldrop {
+ LOG {
+ log-level info log-prefix "Dropped";
+ log-level warn fragment log-prefix "FRAGMENT Dropped";
+ }
+ REJECT;
+}
+
+chain lreject {
+ LOG {
+ log-level info proto tcp log-prefix "Denied";
+ log-level warn fragment log-prefix "FRAGMENT Denied";
+ }
+ REJECT;
+}
+
+include 'users.conf';
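Review bot: The new loopback rule `proto (tcp udp) saddr 127.0.0.1/8 daddr 127.0.0.1/8 mod owner uid-owner 0 ACCEPT;` in `chain INPUT` uses the owner match, which iptables accepts only in the OUTPUT and POSTROUTING chains, so loading this ruleset should fail at that rule and, with `option clearall` in effect, may leave the host without the intended filter; the owner-based exemption is already present in `chain OUTPUT`, and the INPUT side can rely on the two `if lo` rules directly above it. Separately, `chain ldrop` now terminates in `REJECT;` although its name and its `"Dropped"` log prefix still say drop; since INVALID packets, fragments and the SYN-flood overflow branch all land there and `badguys` now REJECTs directly, every unsolicited packet from those sources is answered rather than silently discarded, so I would restore `DROP;` in `ldrop` and keep `REJECT` for `lreject` only. `def $WE = (127.0.0.1/8 $IPSPEC);` is defined but never referenced anywhere on the new side. `$BADGUYS` is now populated from an external command at load time; what `saddr $BADGUYS REJECT;` expands to when `/etc/firewall/print_badguys` prints nothing is not visible here and is worth confirming before relying on it.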