# ferm options (this file's option syntax carries no trailing ';').
# NOTE(review): presumably clearall flushes the existing ruleset before loading,
# createchains auto-creates the user chains referenced below (badguys, fw_tcp, ...)
# and automod loads the kernel modules the rules need — confirm against the ferm
# version in use.
option clearall
option createchains
option automod

############# Define variables
# Paths to helper binaries. Within this file they are used only by the
# commented-out NTPIP line below (the $NSIP command spells out its paths);
# the included users*.conf files may use them.
def $IFCONFIG = "/sbin/ifconfig";
def $AWK = "/usr/bin/awk";
def $GREP = "/bin/grep";
def $CAT = "/bin/cat";
def $SED = "/bin/sed";

# Host identity.
def $MASK = 29; # Our netmask is /29 = 255.255.255.248
def $IPS = 64.20.38.170;
def $IFS = eth0;
# NOTE(review): repeats the address literally instead of building on $IPS, so
# the two can drift apart when one is edited; "$IPS/$MASK" keeps one source.
def $IPSPEC = "64.20.38.170/$MASK";
# $IPS, $IFS and $WE are not referenced anywhere else in this file.
def $WE = (127.0.0.1/8 $IPSPEC);

# Nameserver addresses, read from resolv.conf when the ruleset is loaded; each
# address listed becomes a trusted source for UDP 53->53 in chain fw_udp.
# NOTE(review): if resolv.conf has no nameserver line this expands to nothing —
# check how this ferm version treats an empty saddr list before relying on it.
def $NSIP = `/bin/cat /etc/resolv.conf | /bin/grep nameserver | /usr/bin/awk '{print $2}'`;
#set NTPIP `$CAT /etc/ntp.conf | $GREP server | $AWK '{print $2}'`

# Blocklist, used as a saddr list in chain badguys. The script's stdout is
# presumably interpreted as ferm input, so the script and whatever data it reads
# need the same write protection as this file; changes to its output only take
# effect when ferm is re-run.
def $BADGUYS = `/etc/firewall/print_badguys`;

############# Port/protocol combinations we allow in and out
# Inbound TCP services (used by fw_tcp). Plaintext protocols (smtp, www, imap,
# pop3) are listed alongside their TLS variants.
# TODO(review): document port 26 — the comment below covers only 10000/20000.
def $TCP_IN = (ssh smtp 26 auth www ssmtp https imap imaps pop3 pop3s 10000 20000);
# 10000 is webmin; 20000 is usermin
# Outbound TCP groups; chain tosqueue matches each on dport and on sport.
def $TCP_OUT_DELAY = (ssh ftp auth);
def $TCP_OUT_RELIABILITY = (http nntp smtp pop3 auth domain);
def $TCP_OUT_THROUGHPUT = (ftp-data);
#set TCP_OUT_COST ""

# Inbound UDP services accepted from unprivileged source ports (fw_udp);
# outbound UDP is not restricted by port (1:65535, see chain OUTPUT).
def $UDP_IN = (ntp domain);
def $UDP_OUT = 1:65535;

# ICMP types accepted in (fw_icmp) and out (chain OUTPUT). Inbound ping is
# accepted without a rate limit — the limited variant in fw_icmp is commented out.
def $ICMP_IN = (ping pong destination-unreachable source-quench time-exceeded parameter-problem);
def $ICMP_OUT = (ping pong fragmentation-needed source-quench parameter-problem);


# Make us insensitive to the environment
# Default-deny: nothing is forwarded (this host is not a router) and filter
# INPUT/OUTPUT only pass what the chains below accept explicitly.
table mangle chain FORWARD policy DROP;
table filter chain FORWARD policy DROP;
table filter chain (INPUT OUTPUT) policy DROP;

# Allow traffic in areas outside of our scope
# mangle and nat are left open; this file adds no rules to them.
table mangle chain (PREROUTING INPUT OUTPUT POSTROUTING) policy ACCEPT;
table nat chain (PREROUTING OUTPUT POSTROUTING) policy ACCEPT;

######################################################################
# Built-in chains that jump to our custom ones

# NOTE(review): assumes `goto` behaves like iptables -j, i.e. a target chain
# that neither ACCEPTs nor REJECTs returns control to the next rule — confirm.
chain INPUT {
    # conntrack-INVALID packets and fragments go to ldrop (logged, then REJECT)
    # before anything else is considered.
    state INVALID goto ldrop;
    fragment goto ldrop;
    # goto IANA_BAN;
    # goto LOCAL_BAN;
    #goto PORTSCAN; # Do we need this? There are better, dedicated tools

    # Replies to connections we opened, and helper-related connections.
    state (ESTABLISHED RELATED) ACCEPT;

    # Loopback: TCP is accepted only when one side uses a privileged port
    # (<=1023), tcp/udp from root-owned sockets, and traffic carrying our own
    # address. Anything else on lo (the "if lo goto ldrop" below is disabled)
    # continues into the protocol chains like external traffic — presumably
    # intentional, worth confirming.
    proto tcp if lo saddr 127.0.0.1/8 sport :1023 daddr 127.0.0.1/8 ACCEPT;
    proto tcp if lo saddr 127.0.0.1/8 daddr 127.0.0.1/8 dport :1023 ACCEPT;
    # NOTE(review): the iptables owner match is documented for locally generated
    # packets (OUTPUT/POSTROUTING); verify this rule actually loads in INPUT.
    proto (tcp udp) saddr 127.0.0.1/8 daddr 127.0.0.1/8 mod owner uid-owner 0 ACCEPT;
    if lo saddr $IPSPEC daddr $IPSPEC ACCEPT;
    # if lo goto ldrop;

    #incoming traffic
    # Blocklist first, then one chain per protocol; whatever those chains do
    # not accept falls through to the logged reject at the end.
    goto badguys;
    protocol tcp goto fw_tcp;
    protocol udp goto fw_udp;
    protocol icmp goto fw_icmp;

    goto ldrop;
}

chain OUTPUT {
    state INVALID goto lreject;
    fragment goto lreject;

    state (ESTABLISHED RELATED) ACCEPT;

    # Loopback: unlike INPUT, any TCP between loopback addresses is accepted
    # regardless of port; plus root-owned sockets and our own address.
    proto tcp of lo saddr 127.0.0.1/8 daddr 127.0.0.1/8 ACCEPT;
    saddr 127.0.0.1/8 daddr 127.0.0.1/8 mod owner uid-owner 0 ACCEPT;
    of lo saddr $IPSPEC ACCEPT;
    # of lo goto lreject;

    # queueing goes here, maybe some special fw rules as well
    # tosqueue ends in "goto lreject", so no TCP returns from it; the lreject
    # at the end of this chain only sees ICMP types not in $ICMP_OUT and
    # protocols other than tcp/udp/icmp.
    proto tcp goto tosqueue; # ACCEPT must be handled here

    # Outbound UDP to any port; outbound ICMP limited to $ICMP_OUT.
    proto udp dport $UDP_OUT ACCEPT;
    proto icmp icmp-type $ICMP_OUT ACCEPT;

    goto lreject;
}

#####################################################################
# Deal with known offenders right away
# Make difference between notorious ones and unusual ones
chain badguys {
    # $BADGUYS is presumably expanded once, when the ruleset is loaded.
    # REJECT answers every blocked packet with an ICMP error, which confirms
    # the host is up and costs egress; DROP is the usual choice for a blocklist.
    saddr $BADGUYS REJECT;
}

#####################################################################
# TCP traffic
chain fw_tcp proto tcp {
    # Standard allowances
    # New connections to our services from unprivileged client ports. The 5/s
    # limit is global, not per source, so one flooder can starve new
    # connections for every client; excess SYNs are logged (at most 20/min —
    # LOG is non-terminating) and then sent to ldrop, which logs again and
    # REJECTs.
    syn dport $TCP_IN sport 1024: {
        limit 5/s ACCEPT;
        limit 20/m LOG log-prefix "SYN flood attack:";
        goto ldrop;
    }

    # deny scanning via DNS port
    # TCP 53->53 is accepted with no syn/state qualifier; any other new
    # connection coming from source port 53 is dropped.
    sport domain {
        dport domain ACCEPT;
        syn goto ldrop;
    }

    # special case to allow active ftp transfers to our machine!
    # NOTE(review): this matches on source port alone, so it accepts any inbound
    # TCP from sport 20 to any port >= 1024, new connections included, outside
    # the $TCP_IN list. With the ftp conntrack helper loaded, the
    # ESTABLISHED/RELATED rule in INPUT already covers active-mode data
    # connections; consider removing this or qualifying it with state RELATED.
    sport ftp-data dport 1024: {
        ACCEPT;
    }

    # Site-specific inbound TCP rules, evaluated before the catch-all below.
    include 'users_tcp_in.conf';

    # awkward incoming connections
    # Every other new connection. Non-SYN packets that reach this point
    # presumably return to INPUT and hit its final ldrop.
    syn {
        goto ldrop;
    }
}

#####################################################################
# UDP traffic
chain fw_udp proto udp {
    # Standard allowances
    # Unsolicited NTP/DNS queries from any host using an unprivileged source
    # port — i.e. the host is reachable as a DNS/NTP server if those daemons
    # listen. Replies to our own queries are already accepted as ESTABLISHED.
    dport $UDP_IN sport 1024: {
        ACCEPT;
    }

    # again no dns fumbling around
    # Server-to-server DNS (53->53) only from the nameservers in resolv.conf.
    # Any other UDP presumably returns to INPUT and is rejected by ldrop there.
    sport domain dport domain saddr $NSIP {
        ACCEPT;
    }
}


#####################################################################
# ICMP traffic
chain fw_icmp proto icmp {
    # Standard allowances
    # Accepted types come from $ICMP_IN; echo-request is accepted without a
    # rate limit (the limited variant below is commented out) — consider
    # re-enabling it. Other types presumably return to INPUT and are rejected.
    icmp-type $ICMP_IN {
        ACCEPT;
    }

    #icmp-type echo-request limit 1/s ACCEPT;
    #icmptype ( ping pong destination-unreachable time-exceeded) {
    #	ACCEPT;
    #}
    # never seen hits on this one:
}


#####################################################################
# TOS (Type-of-service) adjustments
# Despite the name, every settos rule is commented out; this chain is now the
# outbound TCP allow-list for chain OUTPUT, and it never returns there (it ends
# in goto lreject).
chain tosqueue {
    protocol tcp {
        # Each group is matched on dport *and* on sport. Since ESTABLISHED
        # traffic is accepted earlier in OUTPUT, the sport rules presumably only
        # matter for new outbound connections that happen to originate from one
        # of the listed ports — check that this is intended.
        # rapid response protocols
        # dport $TCP_OUT_DELAY settos min-delay ACCEPT;
        dport $TCP_OUT_DELAY ACCEPT;
        sport $TCP_OUT_DELAY ACCEPT;
        # keep these from timing out
        # dport $TCP_OUT_RELIABILITY settos max-reliability ACCEPT;
        dport $TCP_OUT_RELIABILITY ACCEPT;
        sport $TCP_OUT_RELIABILITY ACCEPT;
        # bulk stuff
        # dport $TCP_OUT_THROUGHPUT settos max-throughput ACCEPT;
        dport $TCP_OUT_THROUGHPUT ACCEPT;
        sport $TCP_OUT_THROUGHPUT ACCEPT;
        # TODO(review): document ports 8888 and 6699.
        # dport (ftp-data 8888 6699) settos max-throughput ACCEPT;
        dport (ftp-data 8888 6699) ACCEPT;
        sport (ftp-data 8888 6699) ACCEPT;
    }

    # proto tcp dport $TCP_OUT_COST settos min-cost ACCEPT;

    # Site-specific outbound TCP rules, evaluated before the reject.
    include 'users_tcp_out.conf';

    goto lreject;
}

#####################################################################
# Supporting targets
# Log-and-terminate target used by INPUT and the fw_* chains.
# NOTE(review): despite the name and the "Dropped" prefix this chain REJECTs,
# so every unwanted inbound packet — INVALID-state packets, fragments, SYNs
# over the rate limit — is answered with an ICMP error. If silent discard is
# the intent (the usual choice on INPUT) this should be DROP; otherwise the
# name and log prefix should say reject.
chain ldrop {
    # Both LOG rules are non-terminating and the first carries no fragment
    # qualifier, so a fragment is logged twice (info and warn).
    LOG {
        log-level info log-prefix "Dropped";
        log-level warn fragment log-prefix "FRAGMENT Dropped";
    }
    REJECT;
}

# Log-and-reject target used by OUTPUT and tosqueue. Only TCP (and fragments)
# are logged here; UDP/ICMP denials from OUTPUT are rejected without a log line.
chain lreject {
    LOG {
        log-level info proto tcp log-prefix "Denied";
        log-level warn fragment log-prefix "FRAGMENT Denied";
    }
    REJECT;
}
207 | ||
9b2115e2 | 208 | include 'users.conf'; |