# ferm ruleset for a single host on eth0 with the public address in %IPSPEC.
#
# Layout (rule order is significant; iptables evaluates top to bottom):
#   1. option/variable definitions (paths, addresses, port lists)
#   2. default policies: DROP for filter INPUT/OUTPUT/forward and mangle
#      forward, ACCEPT for the remaining mangle and nat chains
#   3. built-in INPUT/OUTPUT chains that dispatch to the custom chains
#      badguys, fw_tcp, fw_udp, fw_icmp and tosqueue
#   4. logging terminal chains LDROP (DROP) and LDENY (DENY)
#
# NOTE(review): the backtick expressions (%NSIP, %BADGUYS) are evaluated by a
# shell when ferm loads the file; the ruleset therefore depends on the state
# of /etc/resolv.conf and /etc/firewall/badguys at load time, and those files
# become part of the firewall's trust base. Reload after either changes.

option iptables
option clearall
option createchains
option automod

############# Define variables
# Absolute tool paths so the shell-outs below do not depend on $PATH.
set IFCONFIG "/sbin/ifconfig"
set AWK "/usr/bin/awk"
set GREP "/bin/grep"
set CAT "/bin/cat"
set SED "/bin/sed"

set MASK "29" # Our netmask is /29 = 255.255.255.248
set IPS "64.20.38.170"
set IFS "eth0"
set IPSPEC "64.20.38.170/%MASK"

# Nameserver address(es) read from resolv.conf; used by fw_udp to admit
# port-53 traffic from our configured resolver only.
# NOTE(review): if no "nameserver" line is present, %NSIP is empty —
# confirm how this ferm version treats an empty saddr list.
set NSIP `%CAT /etc/resolv.conf | %GREP nameserver | %AWK '{print $2}'`
#set NTPIP `%CAT /etc/ntp.conf | %GREP server | %AWK '{print $2}'`

############# Port/protocol combinations we allow in and out
# Inbound TCP services offered by this host (new connections, see fw_tcp).
set TCP_IN "ssh,smtp,auth,www,ssmtp,https,imap,imaps,pop3,pop3s"
# Outbound TCP port lists consumed by tosqueue. Any outbound TCP port that
# appears in none of these lists (nor in the literal list in tosqueue) ends
# in LDENY — e.g. https/443 is in TCP_IN but not in any _OUT list.
set TCP_OUT_DELAY "ssh,ftp,auth"
set TCP_OUT_RELIABILITY "http,nntp,smtp,pop3,auth,domain"
set TCP_OUT_THROUGHPUT "ftp-data"
#set TCP_OUT_COST ""

set UDP_IN "ntp,domain"
# Every outbound UDP destination port is accepted in OUTPUT below.
set UDP_OUT "1:65535"

set ICMP_IN "ping,pong,destination-unreachable,source-quench,time-exceeded,parameter-problem"
set ICMP_OUT "ping,pong,fragmentation-needed,source-quench,parameter-problem"


# Make us insensitive to the environment

# Allow traffic in areas outside of our scope
# Default-deny for the filter table and for forwarding; this host does not
# route, so nothing below ever ACCEPTs in a forward chain.
policy DROP {
    table mangle chain forward;
    table filter chain forward;
    table filter chain (INPUT,OUTPUT);
}
policy ACCEPT {
    table mangle chain (PREROUTING,INPUT,OUTPUT,POSTROUTING);
    table nat chain (PREROUTING,OUTPUT,POSTROUTING);
}

######################################################################
# Built-in chains that jump to our custom ones

chain INPUT {
    # Invalid-state packets and fragments are logged and dropped before the
    # conntrack accept, so they can never ride on an established flow.
    state INVALID goto LDROP;
    fragment goto LDROP;
    # goto IANA_BAN;
    # goto LOCAL_BAN;
    #goto PORTSCAN; # Do we need this? There are better, dedicated tools

    state (ESTABLISHED,RELATED) ACCEPT;

    # Loopback: only 127/8 <-> 127/8 and our own address <-> itself;
    # anything else arriving on lo is dropped (and logged).
    if lo saddr 127.0.0.1/8 daddr 127.0.0.1/8 ACCEPT;
    if lo saddr %IPSPEC daddr %IPSPEC ACCEPT;
    if lo goto LDROP;

    #incoming traffic
    # Blocklist is consulted before any per-protocol allowance.
    goto badguys;
    protocol tcp goto fw_tcp;
    protocol udp goto fw_udp;
    protocol icmp goto fw_icmp;

    # Fallthrough for anything the protocol chains did not terminate.
    # NOTE(review): this assumes "goto" returns here when the target chain
    # does not ACCEPT/DROP the packet — confirm against the ferm version in
    # use; with a non-returning goto the chain policy (DROP) applies instead.
    goto LDROP;
}

chain OUTPUT {
    state INVALID goto LDENY;
    fragment goto LDENY;

    state (ESTABLISHED,RELATED) ACCEPT;

    # NOTE(review): unlike the INPUT counterpart, the second lo rule does not
    # restrict daddr, so packets from our address to any destination on lo
    # are accepted — confirm that asymmetry is intended.
    of lo saddr 127.0.0.1/8 daddr 127.0.0.1/8 ACCEPT;
    of lo saddr %IPSPEC ACCEPT;
    of lo goto LDENY;

    # queueing goes here, maybe some special fw rules as well
    # All new outbound TCP is decided in tosqueue, which ends in LDENY.
    proto tcp goto tosqueue; # ACCEPT must be handled here

    # %UDP_OUT is 1:65535, i.e. unrestricted outbound UDP.
    proto udp dport %UDP_OUT ACCEPT;
    proto icmp icmptype %ICMP_OUT ACCEPT;

    goto LDENY;
}

# Blocklist loaded from a file; lines starting with '#' are skipped.
# Whoever can write /etc/firewall/badguys effectively edits this ruleset, so
# the file should be owned by root and not group/world-writable.
# NOTE(review): uses bare cat/grep instead of %CAT/%GREP, unlike every other
# shell-out in this file — inconsistent with the fixed-path convention above.
%BADGUYS = `cat /etc/firewall/badguys | grep -v '^#'`

#####################################################################
# Deal with known offenders right away
# Make difference between notorious ones and unusual ones
chain badguys {
    # Silent drop: listed sources are not logged.
    saddr %BADGUYS DROP;
}

#####################################################################
# TCP traffic
chain fw_tcp proto tcp {
    # Standard allowances
    # New connections to our services from unprivileged source ports, at most
    # 5/s; above that rate, log (itself limited to 20/m) and drop. Clients
    # using a source port below 1024 are not matched here.
    syn dport %TCP_IN sport 1024: {
        limit 5/s ACCEPT;
        limit 20/m LOG log-prefix "SYN flood attack:" LOG;
        goto LDROP;
    }

    # Should be covered by (RELATED,ESTABLISHED) ACCEPT above
    #dport %TCP_IN accept;

    # deny scanning via DNS port
    # Only DNS-to-DNS traffic from source port 53 is allowed; any other SYN
    # claiming source port 53 is logged and dropped.
    sport domain {
        dport domain ACCEPT;
        syn goto LDROP;
    }

    # special case to allow active ftp transfers to our machine!
    sport ftp-data dport 1024: {
        ACCEPT;
    }

    # awkward incoming connections
    # Every other SYN is logged and dropped here.
    syn {
        goto LDROP;
    }

    # want to deny inside-out fake stuff? uncomment this:
    # (see /proc/sys/net/ipv4/ip_local_port_range ): Tune the file to 13999 !
    # Because all remaining SYNs were dropped above, only non-SYN packets not
    # already accepted as ESTABLISHED can reach this rule.
    dport 14000: {
        goto LDROP;
    }
}

#####################################################################
# UDP traffic
chain fw_udp proto udp {
    # Standard allowances
    dport %UDP_IN sport 1024: {
        ACCEPT;
    }

    # again no dns fumbling around
    # Port-53-to-port-53 traffic is accepted only from our own resolver(s).
    sport domain dport domain saddr %NSIP {
        ACCEPT;
    }
}


#####################################################################
# ICMP traffic
chain fw_icmp proto icmp {
    # Standard allowances
    # No rate limit on inbound ICMP types in %ICMP_IN (the limited variant
    # below is commented out).
    icmptype %ICMP_IN {
        ACCEPT;
    }

    #icmp-type echo-request limit 1/s ACCEPT;
    #icmptype ( ping pong destination-unreachable time-exceeded) {
    # ACCEPT;
    #}
    # never seen hits on this one:
}


#####################################################################
# TOS (Type-of-service) adjustments
# The settos variants are all commented out, so at present this chain is a
# plain allow-list for outbound TCP ports: anything not listed is denied.
chain tosqueue {
    protocol tcp {
        # rapid response protocols
        # dport %TCP_OUT_DELAY settos min-delay ACCEPT;
        dport %TCP_OUT_DELAY ACCEPT;
        sport %TCP_OUT_DELAY ACCEPT;
        # keep these from timing out
        # dport %TCP_OUT_RELIABILITY settos max-reliability ACCEPT;
        dport %TCP_OUT_RELIABILITY ACCEPT;
        sport %TCP_OUT_RELIABILITY ACCEPT;
        # bulk stuff
        # dport %TCP_OUT_THROUGHPUT settos max-throughput ACCEPT;
        dport %TCP_OUT_THROUGHPUT ACCEPT;
        sport %TCP_OUT_THROUGHPUT ACCEPT;
        # dport (ftp-data,8888,6699) settos max-throughput ACCEPT;
        dport (ftp-data,8888,6699) ACCEPT;
        sport (ftp-data,8888,6699) ACCEPT;
    }

    # proto tcp dport %TCP_OUT_COST settos min-cost ACCEPT;
    goto LDENY;
}

#####################################################################
# Supporting targets
# Both terminal chains log every packet they see with no "limit" match, so a
# remote sender of invalid packets, fragments or unsolicited SYNs produces one
# syslog line per packet; the SYN rule in fw_tcp shows the limited pattern.
# NOTE(review): "logprefix" (info lines) and "log-prefix" (fragment lines)
# are spelled differently within the same LOG block — confirm which form the
# ferm version in use accepts, or the info-level prefix may not be applied.
chain LDROP {
    LOG {
        log-level info logprefix "Dropped";
        log-level warn fragment log-prefix "FRAGMENT Dropped";
    }
    DROP;
}

# Same as LDROP but for the OUTPUT path, terminating with DENY instead of
# DROP (TCP-only logging at info level).
chain LDENY {
    LOG {
        log-level info proto tcp logprefix "Denied";
        log-level warn fragment log-prefix "FRAGMENT Denied";
    }
    DENY;
}