# Generator options (from their names: iptables backend, flush existing
# rules, auto-create the user chains referenced below, auto-load kernel
# modules). NOTE(review): confirm each option's exact effect against the
# generator's documentation.
option iptables
option clearall
option createchains
option automod

############# Define variables
# Helper binaries. Only CAT, GREP and AWK are used (NSIP below);
# IFCONFIG and SED are defined but not referenced anywhere in this file.
set IFCONFIG "/sbin/ifconfig"
set AWK "/usr/bin/awk"
set GREP "/bin/grep"
set CAT "/bin/cat"
set SED "/bin/sed"

# Local address, interface and network. IPSPEC (the whole /29) is what the
# OUTPUT chain uses for its anti-spoof check; IPS itself is never referenced.
set MASK "29" # Our netmask is /29 = 255.255.255.248
set IPS "64.20.38.170"
set IFS "eth0"
set IPSPEC "64.20.38.170/%MASK"

# Resolver address read from /etc/resolv.conf (backtick expression,
# presumably shell-evaluated when the ruleset is loaded). NSIP is not
# referenced by any rule in this file; the commented-out DNS allowance in
# fw_udp still carries a "**DNS IPS**" placeholder where it would go.
set NSIP `%CAT /etc/resolv.conf | %GREP nameserver | %AWK '{print $2}'`
#set NTPIP `%CAT /etc/ntp.conf | %GREP server | %AWK '{print $2}'`

############# Port/protocol combinations we allow in and out
# TCP_IN / UDP_IN / ICMP_IN are matched in fw_tcp / fw_udp / fw_icmp
# (inbound). UDP_OUT and ICMP_OUT are matched in OUTPUT. TCP_OUT is never
# referenced: outbound TCP is sent through tosqueue, which accepts everything.
set TCP_IN "ssh,smtp,auth,www,ssmtp,https,imap,imaps,pop3,pop3s"
set TCP_OUT "1:65535"
set UDP_IN "ntp"
set UDP_OUT "1:65535"
set ICMP_IN "ping,pong,destination-unreachable,source-quench,time-exceeded,parameter-problem"
set ICMP_OUT "ping,pong,fragmentation-needed,source-quench,parameter-problem"


# Make us insensitive to the environment
# Default verdicts for the built-in chains. There is no FORWARD chain in
# this file, so forwarding is blocked entirely by this policy; a packet that
# leaves INPUT or OUTPUT without a verdict is discarded by it as well.
policy DROP {
    table filter chain (INPUT FORWARD);
    table mangle chain (PREROUTING);
    table nat chain (PREROUTING POSTROUTING);
}
# DENY is the ipchains-era name for a silent discard. NOTE(review): with
# `option iptables` confirm what the generator emits for it (iptables has
# DROP, not DENY); the same applies to every `DENY` target below.
policy DENY {
    table filter chain (OUTPUT);
    table mangle chain (OUTPUT);
    table nat chain (OUTPUT);
}


######################################################################
# Built-in chains that jump to our custom ones

# INPUT: locally delivered traffic. Rule order is the security model:
#   1. INVALID-state and fragmented packets are logged (UNUSUAL) and dropped;
#   2. PORTSCAN inspects TCP flag combinations for every packet, before any
#      conntrack-based ACCEPT, so scans are caught regardless of state;
#   3. ESTABLISHED/RELATED is accepted;
#   4. loopback and ppp0 are accepted; %IFS is dispatched by protocol.
# Anything not given a verdict (other interfaces, or a packet that returns
# from fw_tcp/fw_udp/fw_icmp unmatched) is discarded by the DROP policy.
chain INPUT {

    # UNUSUAL only logs; the trailing DROP is the actual verdict
    # (presumably emitted as a jump followed by a DROP rule — confirm).
    state INVALID goto UNUSUAL DROP;
    fragment goto UNUSUAL DROP;

    # goto IANA_BAN;
    # goto LOCAL_BAN;
    goto PORTSCAN;

    state (ESTABLISHED,RELATED) ACCEPT;

    # loopback must carry loopback addresses only
    if lo saddr 127.0.0.1/8 daddr 127.0.0.1/8 ACCEPT;
    if lo goto UNUSUAL DROP;

    # NOTE(review): everything arriving on ppp0 is accepted with no port,
    # state or address check — only acceptable if that link is trusted.
    if ppp0 ACCEPT;

    # incoming traffic, separate by interface
    if %IFS {
        goto badguys;
        protocol tcp goto fw_tcp;
        protocol udp goto fw_udp;
        protocol icmp goto fw_icmp;
    }
}

# OUTPUT: locally generated traffic. Mirrors INPUT: INVALID/fragments are
# logged and denied, conntrack-known traffic is accepted, loopback and ppp0
# are accepted, then an anti-spoof check on the source address. Anything
# not given a verdict is discarded by the DENY policy.
chain OUTPUT {

    state INVALID goto UNUSUAL DENY;
    fragment goto UNUSUAL DENY;

    state (ESTABLISHED,RELATED) ACCEPT;

    # `of` is presumably the outbound-interface counterpart of `if`
    of lo saddr 127.0.0.1/8 daddr 127.0.0.1/8 ACCEPT;
    of lo goto UNUSUAL DENY;

    # NOTE(review): unconditional, as for ppp0 in INPUT.
    of ppp0 ACCEPT;

    # Anti-spoof: a locally generated packet must carry an address from our
    # /29 (IPSPEC), not just %IPS. Logged via UNUSUAL, then denied.
    saddr !%IPSPEC goto UNUSUAL DENY;

    # Trojan-horse / inside-out protection: deny anything we would send
    # from a source port >= 14000. This rule is active (fw_tcp has the
    # inbound counterpart for dport 14000:); new outbound connections from
    # such ports are denied, so the local port range must stay below 14000
    # — comment this out otherwise.
    proto (tcp,udp) sport 14000: goto LDENY;

    # Queueing/TOS goes here. Every branch of tosqueue ends in ACCEPT, so
    # this line is effectively "allow all outbound TCP"; %TCP_OUT is unused.
    proto tcp goto tosqueue; # ACCEPT must be handled here

    proto udp dport %UDP_OUT ACCEPT;
    proto icmp icmptype %ICMP_OUT ACCEPT;
}

#####################################################################
# Deal with known offenders right away
# Make difference between notorious ones and unusual ones
# badguys: address-based drops. Reached only from INPUT, for traffic on
# %IFS, and only after the ESTABLISHED/RELATED accept — so it governs
# packets conntrack does not already know (new connection attempts), not
# flows that are already open. No logging here; a packet that matches
# nothing returns to INPUT.
chain badguys {
    #saddr spammer.net.com DROP; # you may specify computer names as well
    saddr 10/8 DROP; # or network addresses like this impossible one
    daddr 10/8 DROP; # maybe even from guys fooling you around
    saddr 123.45.6.78 DROP; # a single machine, very bad
    saddr 123.45.6/24 DROP; # better to include the entire subnet

    # Hosts banned after observed abuse; each group keeps the reason it
    # was added so the entry can be reviewed or expired later.
    saddr(
        # Mailbombing nion's email
        152.163.210.178
        205.188.135.170
        64.12.187.193

        # Executed nion's CGI script 400,000 times
        24.186.165.67

        # docelic, Wed Aug 3 04:18:56 EDT 2005
        # Trying out new server with all kinds of usernames on ssh
        # (All of those seem to be from the same "mastermind")
        211.48.20.153
        62.36.240.114
        62.75.240.62
        210.204.193.1
        84.26.59.170

        # Log says reverse mapping failed for this address
        # (hundreds of entries)
        114.67.19.241
    ) {
        DROP;
    }
}

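#####################################################################
# TCP traffic
# fw_tcp: inbound TCP on %IFS, entered from INPUT after the
# ESTABLISHED/RELATED accept, so every packet seen here is one conntrack
# does not already know. Reading order matters: the two blocks after the
# service allowance terminate every SYN and everything addressed to a port
# <= 1023, so the rest of the chain only ever sees non-SYN packets to
# unprivileged ports (the blocks marked unreachable below are remnants).
# A packet that matches nothing returns to INPUT, which ends without a
# verdict, so it is discarded by the DROP policy without a log entry.
# (The chain's closing brace was missing; fw_udp started inside it.)
chain fw_tcp proto tcp {

    # Standard allowances: new connections to our services from an
    # unprivileged source port, rate-limited; past the limit, log (itself
    # rate-limited) and drop.
    syn dport %TCP_IN sport 1024: {
        limit 200/s ACCEPT;
        # NOTE(review): `LOG` appears twice on the next line; the first
        # looks like a stray token — check the rule the generator emits.
        limit 5/m LOG log-prefix "SYN flood attack:" LOG;
        DROP;
    }

    # drop all syns: (incoming connections)
    syn {
        log-prefix "tcp SYN Dropped" LOG;
        DROP;
    }

    # non-SYN packets to privileged ports (no conntrack entry)
    dport :1023 {
        log-prefix "TCP packet not syn std port" LOG;
        DROP;
    }

    # deny scanning via DNS port
    # Unreachable: SYNs were dropped above and dport domain (53) is
    # <= 1023, so neither line can match. Kept for review; safe to delete.
    sport domain {
        dport domain ACCEPT;
        syn goto LDENY;
    }

    # special case to allow active ftp transfers to our machine!
    # NOTE(review): only non-SYN packets reach this point, so this does
    # not admit new connections, but it does accept unsolicited stateless
    # packets from source port ftp-data (20) to any unprivileged port.
    # With the FTP conntrack helper loaded, the ESTABLISHED,RELATED accept
    # in INPUT already covers genuine active-FTP data connections;
    # consider dropping this block.
    sport ftp-data dport 1024: {
        ACCEPT;
    }

    # awkward incoming connections
    # Unreachable: every SYN was already dropped by the `syn` block above.
    syn {
        goto LDENY;
    }

    # lock suid ports: non-SYN packets from privileged source ports
    sport :1023 {
        goto LDENY;
    }

    # Inside-out fake protection, counterpart of the `sport 14000:` rule
    # in OUTPUT. This rule is active. Replies to our own connections are
    # accepted earlier in INPUT, so it only affects untracked packets; keep
    # the local port range capped at 13999 nonetheless
    # (see /proc/sys/net/ipv4/ip_local_port_range).
    dport 14000: {
        goto LDENY;
    }
}

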
#####################################################################
# UDP traffic
# fw_udp: inbound UDP on %IFS, entered from INPUT after the conntrack
# accept (replies to our own queries are accepted there and never get
# here). Only the UDP_IN services from unprivileged source ports are
# accepted; everything else goes to LDENY — whose LOG rule only matches
# proto tcp (or fragments), so denied UDP is discarded without a log entry.
chain fw_udp proto udp {

    # Standard allowances
    dport %UDP_IN sport 1024: {
        ACCEPT;
    }

    # again no dns fumbling around
    # (would need the nameserver addresses filled in; NSIP is defined at
    # the top of the file but not used here)
    #sport domain dport domain saddr (**DNS IPS**) {
    # ACCEPT;
    #}
    goto LDENY;
}


#####################################################################
# ICMP traffic
# fw_icmp: inbound ICMP on %IFS after the conntrack accept. The ICMP_IN
# types are accepted as-is; everything else goes to LDENY (whose LOG rule
# is restricted to TCP, so ICMP denials are not logged).
# NOTE(review): `ping` is accepted with no rate limit; the commented-out
# `limit 1/s` line below shows the intended shape if that is a concern.
# Error types relating to our own traffic are generally covered by
# RELATED in INPUT already.
chain fw_icmp proto icmp {

    # Standard allowances
    icmptype %ICMP_IN {
        ACCEPT;
    }

    #icmp-type echo-request limit 1/s ACCEPT;
    #icmptype ( ping pong destination-unreachable time-exceeded) {
    # ACCEPT;
    #}
    # never seen hits on this one:
    goto LDENY;
}


#####################################################################
# TOS (Type-of-service) adjustments
# tosqueue: reached from OUTPUT for all locally generated TCP. Every branch
# ends in ACCEPT, so besides setting TOS bits this chain is the OUTPUT
# allow rule for TCP (the `sport 14000:` deny in OUTPUT runs before it).
# NOTE(review): the meaning of `reverse` is not visible in this file —
# confirm it against the generator's documentation before relying on
# which services get which TOS class.
chain tosqueue {

    protocol tcp reverse {
        # rapid response protocols
        dport (ssh,ftp) settos min-delay ACCEPT;
        # keep these from timing out
        dport (http,nntp,smtp,pop3,auth,domain) settos max-reliability ACCEPT;
        # bulk stuff
        dport (ftp-data,napster,napserv) settos max-throughput ACCEPT;
        dport (ftp-data,8888,6699) settos max-throughput ACCEPT;
    }

    # remove any bits set by clients for different
    # protocols, since they might be tricking their
    # packets into a unfair priority... It wouldn't
    # surprise me if IE uses this... :-O
    # (catch-all: every remaining TCP packet gets min-cost and is accepted)
    settos min-cost ACCEPT;
}

#####################################################################
# Supporting targets
# LDROP: log, then drop. Not referenced by any chain in this file (the
# callers use LDENY, or DROP directly). Both spellings `logprefix` and
# `log-prefix` occur throughout the file — NOTE(review): confirm the
# generator accepts both, or normalise to one. Neither LOG rule carries a
# `limit`, so a flood of drops becomes a flood of log lines; PORTSCAN
# shows the `limit 5/min` pattern that would bound it.
chain LDROP {
    LOG {
        log-level info logprefix "Dropped";
        log-level warn fragment log-prefix "FRAGMENT Dropped";
    }
    DROP;
}

# UNUSUAL: log only — no verdict of its own. Every caller writes
# `goto UNUSUAL DROP` / `goto UNUSUAL DENY` (INVALID state, fragments,
# non-loopback addresses on lo, spoofed source in OUTPUT), so the discard
# presumably happens in the caller's trailing target. No `limit`:
# INVALID-state noise produces one log line per packet.
chain UNUSUAL {
    LOG { log-level info logprefix "Unusual"; }
}

# LDENY: log, then deny. Used by fw_tcp, fw_udp, fw_icmp and OUTPUT.
# NOTE(review): the info-level LOG rule is restricted to `proto tcp`, so
# UDP and ICMP denials (the fw_udp / fw_icmp fall-throughs) are discarded
# silently unless fragmented. Drop the `proto tcp` qualifier if those are
# wanted in the log; as in LDROP there is no `limit` on either LOG rule.
chain LDENY {
    LOG {
        log-level info proto tcp logprefix "Denied";
        log-level warn fragment log-prefix "FRAGMENT Denied";
    }
    DENY;
}

# TCPACCEPT: rate-limited accept for TCP — SYNs capped at 100/s, non-SYN
# accepted outright. Anything else (non-TCP, or SYNs over the limit, which
# fall out of the proto tcp block) is logged as a mismatch and denied.
# Not referenced by any chain in this file.
chain TCPACCEPT {
    proto tcp {
        syn limit 100/s ACCEPT;
        ! syn ACCEPT;
    }
    logprefix "Mismatch in TCPACCEPT" LOG;
    DENY;
}

# UDPACCEPT: accept UDP; log and deny anything else.
# Not referenced by any chain in this file.
chain UDPACCEPT {
    proto udp ACCEPT;
    logprefix "Mismatch in UDPACCEPT" LOG;
    DENY;
}



# Optional ban lists, disabled. %IANA_BANS / %LOCAL_BANS are not defined
# in this file; define them before re-enabling these chains together with
# the matching `goto` lines in INPUT.
#chain IANA_BAN {
# saddr %IANA_BANS DROP;
#}
#
#chain LOCAL_BAN {
# saddr %LOCAL_BANS DROP;
#}

# PORTSCAN: TCP flag-combination checks. INPUT jumps here for every packet
# on every interface, before the conntrack ACCEPT. `tcp-flags MASK SET`
# examines the flags in MASK and requires exactly those in SET (iptables
# --tcp-flags semantics). Each match logs at syslog level 5 (notice), at
# most 5 lines per minute, then drops unconditionally. Packets matching
# none of the four patterns return to INPUT.
chain PORTSCAN {
    proto tcp {
        # no flags at all: NULL scan
        tcp-flags FIN:SYN:RST:PSH:ACK:URG NONE {
            limit 5/min log-prefix "NULL SCAN:" log-level 5
            log-tcp-options log-ip-options LOG;
            DROP;
        }
        # FIN+PSH+URG only: XMAS scan
        tcp-flags FIN:SYN:RST:PSH:ACK:URG FIN:PSH:URG {
            limit 5/min log-prefix "NMAP-XMAS Portscan:" log-level 5 LOG;
            DROP;
        }
        # SYN and RST together: never legitimate
        tcp-flags SYN:RST SYN:RST {
            limit 5/min log-prefix "SYN/RST Portscan:" log-level 5 LOG;
            DROP;
        }
        # SYN and FIN together: never legitimate
        tcp-flags FIN:SYN FIN:SYN {
            limit 5/min log-prefix "SYN/FIN Portscan:" log-level 5 LOG;
            DROP;
        }
    }
}
