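option iptables
option clearall
option createchains
option automod

############# Helper binaries used by the backtick commands below
# IFCONFIG and SED are not referenced anywhere in this file; they are kept
# so that anything still expecting them keeps working.
set IFCONFIG "/sbin/ifconfig"
set AWK "/usr/bin/awk"
set GREP "/bin/grep"
set CAT "/bin/cat"
set SED "/bin/sed"

############# Our own address
set MASK "29"                  # /29 = 255.255.255.248
set IPS "64.20.38.170"
set IFS "eth0"                 # not referenced by any rule in this file
# Built from %IPS so the address is written in exactly one place.
set IPSPEC "%IPS/%MASK"

# Resolver address(es) from /etc/resolv.conf. Only lines that *start* with
# "nameserver" count, so a commented-out "#nameserver ..." entry can no
# longer leak into the DNS allow rule in fw_udp.
set NSIP `%AWK '/^nameserver/ {print $2}' /etc/resolv.conf`
#set NTPIP `%CAT /etc/ntp.conf | %GREP server | %AWK '{print $2}'`

############# Port/protocol combinations we allow in and out
set TCP_IN "ssh,smtp,auth,www,ssmtp,https,imap,imaps,pop3,pop3s"
set TCP_OUT_DELAY "ssh,ftp,auth"
set TCP_OUT_RELIABILITY "http,nntp,smtp,pop3,auth,domain"
set TCP_OUT_THROUGHPUT "ftp-data"
#set TCP_OUT_COST ""

set UDP_IN "ntp,domain"
set UDP_OUT "1:65535"          # every UDP destination port is allowed out

set ICMP_IN "ping,pong,destination-unreachable,source-quench,time-exceeded,parameter-problem"
set ICMP_OUT "ping,pong,fragmentation-needed,source-quench,parameter-problem"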
# Make us insensitive to the environment
# (no rule follows this heading; it looks like a leftover -- verify)

# Default-deny: a packet that reaches the end of INPUT, OUTPUT or FORWARD
# in the filter table (or FORWARD in mangle) without a verdict is dropped.
# NOTE(review): iptables chain names are case-sensitive and the rest of
# this file writes built-in chains in upper case -- confirm "forward" is
# mapped to FORWARD by the ferm version in use.
policy DROP {
        table mangle chain forward;
        table filter chain forward;
        table filter chain (INPUT,OUTPUT);
}
# Allow traffic in areas outside of our scope: the mangle and nat tables
# carry no rules in this file, so their chains default to ACCEPT.
policy ACCEPT {
        table mangle chain (PREROUTING,INPUT,OUTPUT,POSTROUTING);
        table nat chain (PREROUTING,OUTPUT,POSTROUTING);
}
######################################################################
# Built-in chains that jump to our custom ones

# INPUT: sanity checks, loopback handling, then per-protocol dispatch.
# Whatever fw_tcp / fw_udp / fw_icmp do not accept ends in LDROP.
chain INPUT {
        # Conntrack-invalid packets and fragments are logged and dropped
        # before anything else looks at them.
        state INVALID goto LDROP;
        fragment goto LDROP;
        # Disabled hooks for block lists and scan detection. None of the
        # chains IANA_BAN, LOCAL_BAN, PORTSCAN is defined in this file.
        # goto IANA_BAN;
        # goto LOCAL_BAN;
        #goto PORTSCAN; # Do we need this? There are better, dedicated tools

        # Packets belonging to connections we already track.
        state (ESTABLISHED,RELATED) ACCEPT;

        # Loopback: only loopback or our own address on both ends is
        # legitimate; anything else seen on lo is bogus and gets dropped.
        if lo saddr 127.0.0.1/8 daddr 127.0.0.1/8 ACCEPT;
        if lo saddr %IPSPEC daddr %IPSPEC ACCEPT;
        if lo goto LDROP;

        # Incoming traffic: known offenders first, then one chain per protocol.
        goto badguys;
        proto tcp goto fw_tcp;
        proto udp goto fw_udp;
        proto icmp goto fw_icmp;

        # Anything else (other protocols, or returned from the chains above).
        goto LDROP;
}
# OUTPUT: the mirror image of INPUT for locally generated packets. TCP is
# handed to tosqueue, which ends in goto LDENY, so it never comes back here.
chain OUTPUT {
        state INVALID goto LDENY;
        fragment goto LDENY;

        state (ESTABLISHED,RELATED) ACCEPT;

        # Loopback, same reasoning as in INPUT.
        of lo saddr 127.0.0.1/8 daddr 127.0.0.1/8 ACCEPT;
        of lo saddr %IPSPEC daddr %IPSPEC ACCEPT;
        of lo goto LDENY;

        # Egress anti-spoofing: nothing leaves with a foreign source address.
        saddr !%IPSPEC goto LDENY;

        # Inside-out / trojan protection: new connections originating from
        # local source ports 14000 and up are denied. This assumes
        # /proc/sys/net/ipv4/ip_local_port_range has been tuned to end at
        # 13999 (see the matching rule in fw_tcp); otherwise ordinary
        # outbound connections are denied here.
        proto (tcp,udp) sport 14000: goto LDENY;

        # tosqueue issues the final verdict for TCP (ACCEPT or LDENY);
        # no TCP packet falls through to the rules below.
        proto tcp goto tosqueue;

        # %UDP_OUT covers every destination port; ICMP is limited to %ICMP_OUT.
        proto udp dport %UDP_OUT ACCEPT;
        proto icmp icmptype %ICMP_OUT ACCEPT;

        goto LDENY;
}
#####################################################################
# Deal with known offenders right away
# Make difference between notorious ones and unusual ones

# badguys: drop by source address, without logging. Entered from INPUT
# before protocol dispatch; a packet that matches nothing here presumably
# returns to INPUT (TODO confirm goto semantics of this ferm version).
chain badguys {
        saddr (
                # Mailbombing nion's email
                152.163.210.178
                205.188.135.170
                64.12.187.193

                # Executed nion's CGI script 400,000 times
                24.186.165.67

                # docelic, Wed Aug 3 04:18:56 EDT 2005
                # Trying out new server with all kinds of usernames on ssh
                # (All of those seem to be from the same "mastermind")
                211.48.20.153
                62.36.240.114
                62.75.240.62
                210.204.193.1
                84.26.59.170

                # Log says reverse mapping failed for this address
                # (hundreds of entries)
                114.67.19.241
        ) DROP;
}
#####################################################################
# TCP traffic

# fw_tcp: incoming TCP that is not part of a tracked connection. Reached
# from INPUT after the (ESTABLISHED,RELATED) ACCEPT, so what arrives here
# is mostly new connection attempts.
chain fw_tcp proto tcp {
        # Standard allowances: new connections to our public services from
        # unprivileged source ports, rate-limited. NOTE(review): the 5/s
        # limit is shared by every service in %TCP_IN, so a SYN flood
        # against one of them also drops legitimate SYNs for the others.
        syn dport %TCP_IN sport 1024: {
                limit 5/s ACCEPT;
                # NOTE(review): "LOG" appears twice on this line -- confirm
                # the ferm version in use accepts this spelling.
                limit 20/m LOG log-prefix "SYN flood attack:" LOG;
                goto LDROP;
        }

        # Should be covered by (RELATED,ESTABLISHED) ACCEPT above
        #dport %TCP_IN accept;

        # DNS over TCP: 53 -> 53 is accepted, any other connection attempt
        # from source port 53 is treated as a scan. NOTE(review): the
        # 53 -> 53 accept carries no syn, state or saddr qualifier, so any
        # host can reach our port 53 simply by sending from port 53.
        sport domain {
                dport domain ACCEPT;
                syn goto LDROP;
        }

        # Active FTP data connections opened by a remote server towards our
        # unprivileged ports. NOTE(review): this matches *every* TCP packet
        # with source port 20, SYNs included, so it also admits arbitrary
        # connections that merely use source port 20. If the conntrack FTP
        # helper is loaded, the RELATED rule in INPUT already covers
        # legitimate transfers and this rule could go.
        sport ftp-data dport 1024: ACCEPT;

        # Every other connection attempt is logged and dropped.
        syn goto LDROP;

        # Inside-out protection, counterpart of the sport 14000: rule in
        # OUTPUT. Assumes /proc/sys/net/ipv4/ip_local_port_range has been
        # tuned to end at 13999 so that no legitimate local socket lives
        # above it.
        dport 14000: goto LDROP;
}
#####################################################################
# UDP traffic

# fw_udp: incoming UDP that conntrack does not already know about.
chain fw_udp proto udp {
        # Standard allowances: NTP and DNS from unprivileged source ports.
        dport %UDP_IN sport 1024: ACCEPT;

        # DNS 53 -> 53 is only accepted from the resolver(s) named in
        # /etc/resolv.conf (%NSIP). NOTE(review): with several nameserver
        # lines %NSIP holds several addresses -- confirm this ferm version
        # expands a multi-word backtick result as a list.
        sport domain dport domain saddr %NSIP ACCEPT;
}
#####################################################################
# ICMP traffic

# fw_icmp: incoming ICMP restricted to the types in %ICMP_IN. There is no
# rate limit on echo-request; the disabled variant below shows how one
# would look.
chain fw_icmp proto icmp {
        icmptype %ICMP_IN ACCEPT;

        #icmp-type echo-request limit 1/s ACCEPT;
        #icmptype ( ping pong destination-unreachable time-exceeded) {
        #       ACCEPT;
        #}
}
#####################################################################
# TOS (Type-of-service) adjustments

# tosqueue: final verdict for outbound TCP. Its only caller in this file
# is the "proto tcp goto tosqueue" rule in OUTPUT, so the inner proto
# match is redundant but harmless. The settos variants are kept as
# comments; today the chain only accepts the listed ports and denies the
# rest. NOTE(review): the sport rules accept a new outbound connection on
# the strength of its local source port alone -- decide whether the dport
# rules are enough.
chain tosqueue {
        proto tcp {
                # rapid response protocols
                # dport %TCP_OUT_DELAY settos min-delay ACCEPT;
                dport %TCP_OUT_DELAY ACCEPT;
                sport %TCP_OUT_DELAY ACCEPT;
                # keep these from timing out
                # dport %TCP_OUT_RELIABILITY settos max-reliability ACCEPT;
                dport %TCP_OUT_RELIABILITY ACCEPT;
                sport %TCP_OUT_RELIABILITY ACCEPT;
                # bulk stuff (ftp-data is already in %TCP_OUT_THROUGHPUT)
                # dport %TCP_OUT_THROUGHPUT settos max-throughput ACCEPT;
                dport %TCP_OUT_THROUGHPUT ACCEPT;
                sport %TCP_OUT_THROUGHPUT ACCEPT;
                # dport (ftp-data,8888,6699) settos max-throughput ACCEPT;
                dport (ftp-data,8888,6699) ACCEPT;
                sport (ftp-data,8888,6699) ACCEPT;
        }

        # proto tcp dport %TCP_OUT_COST settos min-cost ACCEPT;
        goto LDENY;
}
#####################################################################
# Supporting targets

# LDROP: log, then drop. Fragments get their own, louder prefix.
# NOTE(review): "logprefix" on the first line and "log-prefix" on the
# second are spelled differently -- confirm both are accepted by the ferm
# version in use. Neither LOG rule is rate-limited, so a flood of dropped
# packets goes straight into the system log.
chain LDROP {
        LOG {
                log-level info logprefix "Dropped";
                log-level warn fragment log-prefix "FRAGMENT Dropped";
        }
        DROP;
}
# LDENY: log, then deny. On the normal path only TCP is logged, so denied
# UDP and ICMP leave no trace (fragments of any protocol do).
# NOTE(review): "logprefix" and "log-prefix" are spelled differently on
# the two LOG lines, and with "option iptables" the DENY target may not
# exist (it is an ipchains target; iptables uses DROP or REJECT) --
# confirm this ferm version translates both.
chain LDENY {
        LOG {
                log-level info proto tcp logprefix "Denied";
                log-level warn fragment log-prefix "FRAGMENT Denied";
        }
        DENY;
}