[hcoop/zz_old/fwtool.git] / closed.conf


option iptables
option clearall
option createchains
option automod

############# Define variables
set IFCONFIG   "/sbin/ifconfig"
set AWK 	     "/usr/bin/awk"
set GREP 	     "/bin/grep" 
set CAT 	     "/bin/cat"
set SED 	     "/bin/sed"

set MASK	     "29"  # Our netmask is /29 = 255.255.255.248
set IPS        "64.20.38.170"
set IFS        "eth0"
set IPSPEC     "64.20.38.170/%MASK"

set NSIP       `%CAT /etc/resolv.conf | %GREP nameserver | %AWK '{print $2}'`
#set NTPIP	   `%CAT /etc/ntp.conf | %GREP server | %AWK '{print $2}'`

############# Port/protocol combinations we allow in and out
set TCP_IN	   "ssh,smtp,auth,www,ssmtp,https,imap,imaps,pop3,pop3s"
set TCP_OUT	   "1:65535"
set UDP_IN	   "ntp"
set UDP_OUT	   "1:65535"
set ICMP_IN	   "ping,pong,destination-unreachable,source-quench,time-exceeded,parameter-problem"
set ICMP_OUT	 "ping,pong,fragmentation-needed,source-quench,parameter-problem"


# Make us insensitive to the environment
policy DROP {
	table filter chain (INPUT FORWARD);
	table mangle chain (PREROUTING);
	table nat chain (PREROUTING POSTROUTING);
}
policy DENY {
	table filter chain (OUTPUT);
	table mangle chain (OUTPUT);
	table nat chain (OUTPUT);
}


######################################################################
# Built-in chains that jump to our custom ones

chain INPUT {

	state INVALID goto UNUSUAL DROP;
	fragment goto UNUSUAL DROP;

#	goto IANA_BAN;
#	goto LOCAL_BAN;
	goto PORTSCAN;

	state (ESTABLISHED,RELATED) ACCEPT;

	if lo saddr 127.0.0.1/8 daddr 127.0.0.1/8 ACCEPT;
	if lo goto UNUSUAL DROP;

	if ppp0 ACCEPT;

	#incoming traffic, seperate by interface
	if %IFS {
		goto badguys;
		protocol tcp goto fw_tcp;
		protocol udp goto fw_udp;
		protocol icmp goto fw_icmp;
	}
}

chain OUTPUT {

	state INVALID goto UNUSUAL DENY;
	fragment goto UNUSUAL DENY;

	state (ESTABLISHED,RELATED) ACCEPT;

	of lo saddr 127.0.0.1/8 daddr 127.0.0.1/8 ACCEPT;
	of lo goto UNUSUAL DENY;

	of ppp0 ACCEPT;

	saddr !%IPSPEC goto UNUSUAL DENY;

	# again uncomment for trojan horses protection and inside out
	# violations....
	proto (tcp,udp) sport 14000: goto LDENY;

	# queueing goes here, maybe some special fw rules as well
	proto tcp goto tosqueue; # ACCEPT must be handled here

	proto udp dport %UDP_OUT ACCEPT;
	proto icmp icmptype %ICMP_OUT ACCEPT;
}

#####################################################################
# Deal with known offenders right away
# Make difference between notorious ones and unusual ones
chain badguys {
	#saddr spammer.net.com DROP; # you may specify computer names as well
	saddr 10/8 DROP; # or network addresses like this impossible one
	daddr 10/8 DROP; # maybe even from guys fooling you around
	saddr 123.45.6.78 DROP; # a single machine, very bad
	saddr 123.45.6/24 DROP; # better to include the entire subnet

	saddr(
		# Mailbombing nion's email
		152.163.210.178
		205.188.135.170
		64.12.187.193

		# Executed nion's CGI script 400,000 times
		24.186.165.67

		# docelic, Wed Aug  3 04:18:56 EDT 2005
		# Trying out new server with all kinds of usernames on ssh
		# (All of those seem to be from the same "mastermind")
		211.48.20.153
		62.36.240.114
		62.75.240.62
		210.204.193.1
		84.26.59.170

		# Log says reverse mapping failed for this address
		# (hundreds of entries)
		114.67.19.241
	) {
		DROP;
	}
}

#####################################################################
# TCP traffic
chain fw_tcp proto tcp {

	# Standard allowances
	syn dport %TCP_IN sport 1024: {
		limit 200/s ACCEPT;
		limit 5/m LOG log-prefix "SYN flood attack:" LOG;
		DROP;
	}

	# drop all syns: (incoming connections)
	syn {
		log-prefix "tcp SYN Dropped" LOG;
		DROP;
	}
	
	dport :1023 {
		log-prefix "TCP packet not syn std port" LOG;
		DROP;
	}

	# deny scanning via DNS port
	sport domain {
		dport domain ACCEPT;
		syn goto LDENY;
	}

	# special case to allow active ftp transfers to our machine!
	sport ftp-data dport 1024: {
		ACCEPT;
	}

	# awkward incoming connections
	syn {
		goto LDENY;
	}

	# lock suid ports
	sport :1023 {
		goto LDENY;
	}

	# want to deny inside-out fake stuff? uncomment this:
	# (see /proc/sys/net/ipv4/ip_local_port_range ): Tune the file to 13999 !
	dport 14000: { 
		goto LDENY;
	}


#####################################################################
# UDP traffic
chain fw_udp proto udp {

	# Standard allowances
	dport %UDP_IN sport 1024: {
		ACCEPT;
	}

	# again no dns fumbling around
	#sport domain dport domain saddr (**DNS IPS**) {
	#	ACCEPT;
	#}
	goto LDENY;
}


#####################################################################
# ICMP traffic
chain fw_icmp proto icmp {

	# Standard allowances
	icmptype %ICMP_IN {
		ACCEPT;
	}

	#icmp-type echo-request limit 1/s ACCEPT;
	#icmptype ( ping pong destination-unreachable time-exceeded) {
	#	ACCEPT;
	#}
	# never seen hits on this one:
	goto LDENY;
}


#####################################################################
# TOS (Type-of-service) adjustments
chain tosqueue {

	protocol tcp reverse {
		# rapid response protocols
		dport (ssh,ftp) settos min-delay ACCEPT;
		# keep these from timing out
		dport (http,nntp,smtp,pop3,auth,domain) settos max-reliability ACCEPT;
		# bulk stuff
		dport (ftp-data,napster,napserv) settos max-throughput ACCEPT;
    dport (ftp-data,8888,6699) settos max-throughput ACCEPT;
	}

	# remove any bits set by clients for different
	# protocols, since they might be tricking their
	# packets into a unfair priority... It wouldn't
	# surprise me if IE uses this... :-O
	settos min-cost ACCEPT;
}

#####################################################################
# Supporting targets
chain LDROP {
	LOG {
		log-level info logprefix "Dropped";
		log-level warn fragment log-prefix "FRAGMENT Dropped";
	}
	DROP;
}

chain UNUSUAL {
	LOG { log-level info logprefix "Unusual"; }
}

chain LDENY {
	LOG {
		log-level info proto tcp logprefix "Denied";
		log-level warn fragment log-prefix "FRAGMENT Denied";
	}
	DENY;
}

chain TCPACCEPT {
	proto tcp {
		syn limit 100/s ACCEPT;
		! syn ACCEPT;
	}
	logprefix "Mismatch in TCPACCEPT" LOG;
	DENY;
}

chain UDPACCEPT {
	proto udp ACCEPT;
	logprefix "Mismatch in UDPACCEPT" LOG;
	DENY;
}


#chain IANA_BAN {
#	saddr %IANA_BANS DROP;
#}
#
#chain LOCAL_BAN {
#	saddr %LOCAL_BANS DROP;
#}

chain PORTSCAN {
	proto tcp {
		tcp-flags FIN:SYN:RST:PSH:ACK:URG NONE {
			limit 5/min log-prefix "NULL SCAN:" log-level 5
			log-tcp-options log-ip-options LOG;
			DROP;
		}
		tcp-flags FIN:SYN:RST:PSH:ACK:URG FIN:PSH:URG {
			limit 5/min log-prefix "NMAP-XMAS Portscan:" log-level 5 LOG;
			DROP;
		}
		tcp-flags SYN:RST SYN:RST {
			limit 5/min log-prefix "SYN/RST Portscan:" log-level 5 LOG;
			DROP;
		}
		tcp-flags FIN:SYN FIN:SYN {
			limit 5/min log-prefix "SYN/FIN Portscan:" log-level 5 LOG;
			DROP;
		}
	}
}
Commit	Line	Data
17bb0bf0 DO	1
	2	option iptables
	3	option clearall
	4	option createchains
	5	option automod
	6
	7	############# Define variables
	8	set IFCONFIG "/sbin/ifconfig"
	9	set AWK "/usr/bin/awk"
	10	set GREP "/bin/grep"
	11	set CAT "/bin/cat"
	12	set SED "/bin/sed"
	13
	14	set MASK "29" # Our netmask is /29 = 255.255.255.248
	15	set IPS "64.20.38.170"
	16	set IFS "eth0"
	17	set IPSPEC "64.20.38.170/%MASK"
	18
	19	set NSIP `%CAT /etc/resolv.conf \| %GREP nameserver \| %AWK '{print $2}'`
	20	#set NTPIP `%CAT /etc/ntp.conf \| %GREP server \| %AWK '{print $2}'`
	21
	22	############# Port/protocol combinations we allow in and out
	23	set TCP_IN "ssh,smtp,auth,www,ssmtp,https,imap,imaps,pop3,pop3s"
	24	set TCP_OUT "1:65535"
	25	set UDP_IN "ntp"
	26	set UDP_OUT "1:65535"
	27	set ICMP_IN "ping,pong,destination-unreachable,source-quench,time-exceeded,parameter-problem"
	28	set ICMP_OUT "ping,pong,fragmentation-needed,source-quench,parameter-problem"
	29
	30
	31	# Make us insensitive to the environment
	32	policy DROP {
	33	table filter chain (INPUT FORWARD);
	34	table mangle chain (PREROUTING);
	35	table nat chain (PREROUTING POSTROUTING);
	36	}
	37	policy DENY {
	38	table filter chain (OUTPUT);
	39	table mangle chain (OUTPUT);
	40	table nat chain (OUTPUT);
	41	}
	42
	43
	44	######################################################################
	45	# Built-in chains that jump to our custom ones
	46
	47	chain INPUT {
	48
	49	state INVALID goto UNUSUAL DROP;
	50	fragment goto UNUSUAL DROP;
	51
	52	# goto IANA_BAN;
	53	# goto LOCAL_BAN;
	54	goto PORTSCAN;
	55
	56	state (ESTABLISHED,RELATED) ACCEPT;
	57
	58	if lo saddr 127.0.0.1/8 daddr 127.0.0.1/8 ACCEPT;
	59	if lo goto UNUSUAL DROP;
	60
	61	if ppp0 ACCEPT;
	62
	63	#incoming traffic, seperate by interface
	64	if %IFS {
65	goto badguys;
66	protocol tcp goto fw_tcp;
67	protocol udp goto fw_udp;
68	protocol icmp goto fw_icmp;
69	}
70	}
71
72	chain OUTPUT {
73
74	state INVALID goto UNUSUAL DENY;
75	fragment goto UNUSUAL DENY;
76
77	state (ESTABLISHED,RELATED) ACCEPT;
78
79	of lo saddr 127.0.0.1/8 daddr 127.0.0.1/8 ACCEPT;
80	of lo goto UNUSUAL DENY;
81
82	of ppp0 ACCEPT;
83
84	saddr !%IPSPEC goto UNUSUAL DENY;
85
86	# again uncomment for trojan horses protection and inside out
87	# violations....
88	proto (tcp,udp) sport 14000: goto LDENY;
89
90	# queueing goes here, maybe some special fw rules as well
91	proto tcp goto tosqueue; # ACCEPT must be handled here
92
93	proto udp dport %UDP_OUT ACCEPT;
94	proto icmp icmptype %ICMP_OUT ACCEPT;
95	}
96
97	#####################################################################
98	# Deal with known offenders right away
99	# Make difference between notorious ones and unusual ones
100	chain badguys {
101	#saddr spammer.net.com DROP; # you may specify computer names as well
102	saddr 10/8 DROP; # or network addresses like this impossible one
103	daddr 10/8 DROP; # maybe even from guys fooling you around
104	saddr 123.45.6.78 DROP; # a single machine, very bad
105	saddr 123.45.6/24 DROP; # better to include the entire subnet
106
107	saddr(
108	# Mailbombing nion's email
109	152.163.210.178
110	205.188.135.170
111	64.12.187.193
112
113	# Executed nion's CGI script 400,000 times
114	24.186.165.67
115
116	# docelic, Wed Aug 3 04:18:56 EDT 2005
117	# Trying out new server with all kinds of usernames on ssh
118	# (All of those seem to be from the same "mastermind")
119	211.48.20.153
120	62.36.240.114
121	62.75.240.62
122	210.204.193.1
123	84.26.59.170
124
125	# Log says reverse mapping failed for this address
126	# (hundreds of entries)
127	114.67.19.241
128	) {
129	DROP;
130	}
131	}
132
133	#####################################################################
134	# TCP traffic
135	chain fw_tcp proto tcp {
136
137	# Standard allowances
138	syn dport %TCP_IN sport 1024: {
139	limit 200/s ACCEPT;
140	limit 5/m LOG log-prefix "SYN flood attack:" LOG;
141	DROP;
142	}
143
144	# drop all syns: (incoming connections)
145	syn {
146	log-prefix "tcp SYN Dropped" LOG;
147	DROP;
148	}
149
150	dport :1023 {
151	log-prefix "TCP packet not syn std port" LOG;
152	DROP;
153	}
154
155	# deny scanning via DNS port
156	sport domain {
157	dport domain ACCEPT;
158	syn goto LDENY;
159	}
160
161	# special case to allow active ftp transfers to our machine!
162	sport ftp-data dport 1024: {
163	ACCEPT;
164	}
165
166	# awkward incoming connections
167	syn {
168	goto LDENY;
169	}
170
171	# lock suid ports
172	sport :1023 {
173	goto LDENY;
174	}
175
176	# want to deny inside-out fake stuff? uncomment this:
177	# (see /proc/sys/net/ipv4/ip_local_port_range ): Tune the file to 13999 !
178	dport 14000: {
179	goto LDENY;
180	}
181
182
183	#####################################################################
184	# UDP traffic
185	chain fw_udp proto udp {
186
187	# Standard allowances
188	dport %UDP_IN sport 1024: {
189	ACCEPT;
190	}
191
192	# again no dns fumbling around
193	#sport domain dport domain saddr (DNS IPS) {
194	# ACCEPT;
195	#}
196	goto LDENY;
197	}
198
199
200	#####################################################################
201	# ICMP traffic
202	chain fw_icmp proto icmp {
203
204	# Standard allowances
205	icmptype %ICMP_IN {
206	ACCEPT;
207	}
208
209	#icmp-type echo-request limit 1/s ACCEPT;
210	#icmptype ( ping pong destination-unreachable time-exceeded) {
211	# ACCEPT;
212	#}
213	# never seen hits on this one:
214	goto LDENY;
215	}
216
217
218	#####################################################################
219	# TOS (Type-of-service) adjustments
220	chain tosqueue {
221
222	protocol tcp reverse {
223	# rapid response protocols
224	dport (ssh,ftp) settos min-delay ACCEPT;
225	# keep these from timing out
226	dport (http,nntp,smtp,pop3,auth,domain) settos max-reliability ACCEPT;
227	# bulk stuff
228	dport (ftp-data,napster,napserv) settos max-throughput ACCEPT;
229	dport (ftp-data,8888,6699) settos max-throughput ACCEPT;
230	}
231
232	# remove any bits set by clients for different
233	# protocols, since they might be tricking their
234	# packets into a unfair priority... It wouldn't
235	# surprise me if IE uses this... :-O
236	settos min-cost ACCEPT;
237	}
238
239	#####################################################################
240	# Supporting targets
241	chain LDROP {
242	LOG {
243	log-level info logprefix "Dropped";
244	log-level warn fragment log-prefix "FRAGMENT Dropped";
245	}
246	DROP;
247	}
248
249	chain UNUSUAL {
250	LOG { log-level info logprefix "Unusual"; }
251	}
252
253	chain LDENY {
254	LOG {
255	log-level info proto tcp logprefix "Denied";
256	log-level warn fragment log-prefix "FRAGMENT Denied";
257	}
258	DENY;
259	}
260
261	chain TCPACCEPT {
262	proto tcp {
263	syn limit 100/s ACCEPT;
264	! syn ACCEPT;
265	}
266	logprefix "Mismatch in TCPACCEPT" LOG;
267	DENY;
268	}
269
270	chain UDPACCEPT {
271	proto udp ACCEPT;
272	logprefix "Mismatch in UDPACCEPT" LOG;
273	DENY;
274	}
275
276
277
278	#chain IANA_BAN {
279	# saddr %IANA_BANS DROP;
280	#}
281	#
282	#chain LOCAL_BAN {
283	# saddr %LOCAL_BANS DROP;
284	#}
285
286	chain PORTSCAN {
287	proto tcp {
288	tcp-flags FIN:SYN:RST:PSH:ACK:URG NONE {
289	limit 5/min log-prefix "NULL SCAN:" log-level 5
290	log-tcp-options log-ip-options LOG;
291	DROP;
292	}
293	tcp-flags FIN:SYN:RST:PSH:ACK:URG FIN:PSH:URG {
294	limit 5/min log-prefix "NMAP-XMAS Portscan:" log-level 5 LOG;
295	DROP;
296	}
297	tcp-flags SYN:RST SYN:RST {
298	limit 5/min log-prefix "SYN/RST Portscan:" log-level 5 LOG;
299	DROP;
300	}
301	tcp-flags FIN:SYN FIN:SYN {
302	limit 5/min log-prefix "SYN/FIN Portscan:" log-level 5 LOG;
303	DROP;
304	}
305	}
306	}
307