# ferm ruleset for a single host: the filter INPUT/OUTPUT chains default to
# DROP and all traffic is dispatched to the custom chains defined further down.

option iptables
option clearall
option createchains
option automod

############# Define variables
# Absolute paths for the tools used in the backtick expansions below.
# IFCONFIG and SED are not referenced anywhere else in this file.
set IFCONFIG "/sbin/ifconfig"
set AWK "/usr/bin/awk"
set GREP "/bin/grep"
set CAT "/bin/cat"
set SED "/bin/sed"

set MASK "29" # Our netmask is /29 = 255.255.255.248
set IPS "64.20.38.170"
set IFS "eth0"
# NOTE(review): repeats the literal address from IPS instead of building on it
# ("%IPS/%MASK"); the two can drift apart if only one is edited. IPS and IFS
# are not used anywhere else in this file.
set IPSPEC "64.20.38.170/%MASK"

# Nameserver address, read from /etc/resolv.conf at the moment the ruleset is
# loaded.
# NOTE(review): this is a load-time snapshot -- if resolv.conf is rewritten
# later (e.g. by a DHCP client) the firewall keeps trusting the old address
# until ferm is re-run. `grep nameserver` also matches commented-out lines,
# and several nameserver lines yield a multi-line value; confirm how the ferm
# in use handles an empty or multi-valued NSIP where fw_udp uses it.
set NSIP `%CAT /etc/resolv.conf | %GREP nameserver | %AWK '{print $2}'`
#set NTPIP `%CAT /etc/ntp.conf | %GREP server | %AWK '{print $2}'`

############# Port/protocol combinations we allow in and out
# Service names are resolved by iptables through /etc/services.
# Inbound TCP services offered by this host (includes the cleartext pop3 and
# imap protocols alongside their TLS variants).
set TCP_IN "ssh,smtp,auth,www,ssmtp,https,imap,imaps,pop3,pop3s"
# Outbound TCP, grouped by the TOS class they were once tagged with
# (see chain tosqueue; the settos rules there are currently commented out).
set TCP_OUT_DELAY "ssh,ftp,auth"
set TCP_OUT_RELIABILITY "http,nntp,smtp,pop3,auth,domain"
set TCP_OUT_THROUGHPUT "ftp-data"
#set TCP_OUT_COST ""

set UDP_IN "ntp,domain"
# 1:65535 is every port, i.e. outbound UDP is not restricted by destination.
set UDP_OUT "1:65535"

set ICMP_IN "ping,pong,destination-unreachable,source-quench,time-exceeded,parameter-problem"
set ICMP_OUT "ping,pong,fragmentation-needed,source-quench,parameter-problem"


# Make us insensitive to the environment
# (NOTE(review): this comment no longer introduces anything -- whatever it
# described appears to have been removed.)

# Default policies for the chains this file does not fill explicitly:
# DROP for everything that would be forwarded (this host does not route) and
# for filter INPUT/OUTPUT, whose rules below have to ACCEPT explicitly;
# ACCEPT on the mangle and nat chains, which carry no rules here.
policy DROP {
    # NOTE(review): "forward" is lowercase while every other built-in chain
    # is written in uppercase. iptables chain names are case-sensitive;
    # confirm that ferm normalizes this, otherwise the FORWARD policy is
    # not the one being set.
    table mangle chain forward;
    table filter chain forward;
    table filter chain (INPUT,OUTPUT);
}
policy ACCEPT {
    table mangle chain (PREROUTING,INPUT,OUTPUT,POSTROUTING);
    table nat chain (PREROUTING,OUTPUT,POSTROUTING);
}

######################################################################
# Built-in chains that jump to our custom ones

# Inbound traffic. Anything not ACCEPTed along the way ends in LDROP (logged
# drop); the chain policy is DROP as well (see the policy block above).
chain INPUT {
    state INVALID goto LDROP;
    fragment goto LDROP;
    # goto IANA_BAN;
    # goto LOCAL_BAN;
    #goto PORTSCAN; # Do we need this? There are better, dedicated tools

    # Replies to connections this host opened, and related traffic, are
    # accepted before any per-protocol checks.
    # NOTE(review): this also precedes the badguys check, so a connection
    # that was already established when the ruleset loaded is not cut off;
    # only new connections from listed sources are blocked.
    state (ESTABLISHED,RELATED) ACCEPT;

    # Loopback: only 127/8 <-> 127/8 and our own address talking to itself.
    if lo saddr 127.0.0.1/8 daddr 127.0.0.1/8 ACCEPT;
    if lo saddr %IPSPEC daddr %IPSPEC ACCEPT;
    if lo goto LDROP;

    #incoming traffic
    # NOTE(review): the dispatch below relies on `goto badguys` returning
    # here when no listed address matches (a jump, not an iptables -g goto);
    # confirm that is what `goto` means in the ferm version in use, otherwise
    # unmatched traffic never reaches fw_tcp/fw_udp/fw_icmp.
    goto badguys;
    protocol tcp goto fw_tcp;
    protocol udp goto fw_udp;
    protocol icmp goto fw_icmp;

    goto LDROP;
}

# Outbound traffic. Anything not ACCEPTed ends in LDENY; chain policy is DROP.
chain OUTPUT {
    state INVALID goto LDENY;
    fragment goto LDENY;

    state (ESTABLISHED,RELATED) ACCEPT;

    # Loopback.
    # NOTE(review): unlike the matching INPUT rule, the %IPSPEC rule has no
    # daddr restriction, so any destination is accepted as long as the packet
    # leaves via lo with our source address. Possibly intended; worth a look.
    of lo saddr 127.0.0.1/8 daddr 127.0.0.1/8 ACCEPT;
    of lo saddr %IPSPEC ACCEPT;
    of lo goto LDENY;

    # queueing goes here, maybe some special fw rules as well
    # tosqueue ends in `goto LDENY`, so every outbound TCP decision (accept
    # or deny) is taken there; nothing returns to this chain.
    proto tcp goto tosqueue; # ACCEPT must be handled here

    # %UDP_OUT is 1:65535, so all outbound UDP is accepted.
    proto udp dport %UDP_OUT ACCEPT;
    proto icmp icmptype %ICMP_OUT ACCEPT;

    goto LDENY;
}

#####################################################################
# Deal with known offenders right away
# Make a distinction between notorious ones and unusual ones
# NOTE(review): today this is a single static list of individual addresses,
# dated 2005; addresses this old may have changed hands since. Matches are
# dropped silently (plain DROP rather than LDROP), so hits on this list never
# show up in the logs.
chain badguys {

    saddr(
        # Mailbombing nion's email
        152.163.210.178
        205.188.135.170
        64.12.187.193

        # Executed nion's CGI script 400,000 times
        24.186.165.67

        # docelic, Wed Aug 3 04:18:56 EDT 2005
        # Trying out new server with all kinds of usernames on ssh
        # (All of those seem to be from the same "mastermind")
        211.48.20.153
        62.36.240.114
        62.75.240.62
        210.204.193.1
        84.26.59.170
        # docelic, Sun Aug 21 01:29:10 EDT 2005
        63.76.235.2
        80.48.31.252
        220.194.55.126
        163.26.229.131
        201.6.223.150
        64.34.171.56
        82.177.98.1
        61.185.219.23
        62.62.224.184
        212.0.107.141
        60.248.227.34
        63.246.10.45
        # docelic, Sun Aug 21 22:14:15 EDT 2005
        210.184.124.11
        210.238.188.155
        63.247.76.10

        # Log says reverse mapping failed for this address
        # (hundreds of entries)
        114.67.19.241
    ) {
        DROP;
    }
}

#####################################################################
# TCP traffic
# Reached from INPUT for TCP packets that are not part of a tracked
# connection. Rules that fall through return to INPUT, which ends in LDROP.
chain fw_tcp proto tcp {
    # Standard allowances
    # New connections to our services, from unprivileged client ports.
    # NOTE(review): the 5/s limit is shared by every service in %TCP_IN, not
    # per service or per source, so a legitimate burst of new connections is
    # dropped and logged as a SYN flood; consider a burst allowance if that
    # bites.
    syn dport %TCP_IN sport 1024: {
        limit 5/s ACCEPT;
        # NOTE(review): `LOG` appears twice on the next line; the target is
        # normally written once (`limit 20/m LOG log-prefix "SYN flood attack:";`).
        # Confirm the ferm in use accepts this form.
        limit 20/m LOG log-prefix "SYN flood attack:" LOG;
        goto LDROP;
    }

    # Should be covered by (RELATED,ESTABLISHED) ACCEPT above
    #dport %TCP_IN accept;

    # deny scanning via DNS port
    # NOTE(review): the first rule accepts any TCP packet with sport 53 and
    # dport 53 regardless of state, i.e. new connections to our port 53 as
    # long as they come from port 53. `domain` is not in %TCP_IN, so if this
    # host does not serve DNS over TCP the rule is unneeded.
    sport domain {
        dport domain ACCEPT;
        syn goto LDROP;
    }

    # special case to allow active ftp transfers to our machine!
    # NOTE(review): this accepts any packet -- SYN included -- from source
    # port 20 to any port >= 1024, ahead of the `syn` drop below, so the only
    # thing protecting high ports is the remote side's choice of source port.
    # If the ftp conntrack helper is loaded, RELATED/ESTABLISHED in INPUT
    # already covers active transfers; prefer that, or at least exclude SYN.
    sport ftp-data dport 1024: {
        ACCEPT;
    }

    # awkward incoming connections
    # Any remaining SYN (ports not in %TCP_IN, or privileged source ports).
    syn {
        goto LDROP;
    }

    # want to deny inside-out fake stuff? uncomment this:
    # (see /proc/sys/net/ipv4/ip_local_port_range ): Tune the file to 13999 !
    # NOTE(review): the comment says "uncomment", but the rule is active. Only
    # non-SYN packets of untracked flows can reach it (SYNs were dropped above
    # and tracked flows were accepted in INPUT).
    dport 14000: {
        goto LDROP;
    }
}

#####################################################################
# UDP traffic
# Reached from INPUT for UDP packets that are not part of a tracked flow.
# Falling through returns to INPUT, which ends in LDROP.
chain fw_udp proto udp {
    # Standard allowances
    # Queries to our NTP and DNS services from unprivileged source ports.
    dport %UDP_IN sport 1024: {
        ACCEPT;
    }

    # again no dns fumbling around
    # Port 53 -> port 53 traffic, only from the configured nameserver.
    # NOTE(review): %NSIP is a load-time snapshot of /etc/resolv.conf (see
    # its definition at the top); if that file changes, or yields no address,
    # this rule no longer matches what the resolver actually talks to.
    # Replies to our own queries are already covered by ESTABLISHED/RELATED
    # in INPUT.
    sport domain dport domain saddr %NSIP {
        ACCEPT;
    }
}

#####################################################################
# ICMP traffic
# Reached from INPUT for ICMP not related to a tracked flow; falling through
# returns to INPUT, which ends in LDROP.
chain fw_icmp proto icmp {
    # Standard allowances
    # NOTE(review): echo-request ("ping") is accepted without a rate limit;
    # the commented-out `limit 1/s` variant below shows the alternative.
    icmptype %ICMP_IN {
        ACCEPT;
    }

    #icmp-type echo-request limit 1/s ACCEPT;
    #icmptype ( ping pong destination-unreachable time-exceeded) {
    # ACCEPT;
    #}
    # never seen hits on this one:
    # (NOTE(review): the comment above introduces nothing; the rule it
    # referred to appears to have been removed.)
}


#####################################################################
# TOS (Type-of-service) adjustments
# NOTE(review): every `settos` rule is commented out, so this chain no longer
# adjusts TOS at all -- it is the outbound TCP allow-list, ending in LDENY.
chain tosqueue {
    protocol tcp {
        # rapid response protocols
        # dport %TCP_OUT_DELAY settos min-delay ACCEPT;
        dport %TCP_OUT_DELAY ACCEPT;
        # NOTE(review): the `sport ... ACCEPT` rules here accept outbound
        # packets by local source port alone, whatever the destination or
        # state. Replies from our own services are already ESTABLISHED in
        # OUTPUT, so what these add is that a local process bound to a listed
        # port may open connections anywhere -- a gap in the allow-list.
        sport %TCP_OUT_DELAY ACCEPT;
        # keep these from timing out
        # dport %TCP_OUT_RELIABILITY settos max-reliability ACCEPT;
        dport %TCP_OUT_RELIABILITY ACCEPT;
        sport %TCP_OUT_RELIABILITY ACCEPT;
        # bulk stuff
        # dport %TCP_OUT_THROUGHPUT settos max-throughput ACCEPT;
        dport %TCP_OUT_THROUGHPUT ACCEPT;
        sport %TCP_OUT_THROUGHPUT ACCEPT;
        # NOTE(review): 8888 and 6699 are hard-coded here rather than kept
        # with the port variables at the top of the file.
        # dport (ftp-data,8888,6699) settos max-throughput ACCEPT;
        dport (ftp-data,8888,6699) ACCEPT;
        sport (ftp-data,8888,6699) ACCEPT;
    }

    # proto tcp dport %TCP_OUT_COST settos min-cost ACCEPT;
    goto LDENY;
}

#####################################################################
# Supporting targets
# Log, then drop. Used by INPUT and the fw_* chains.
chain LDROP {
    LOG {
        # NOTE(review): `logprefix` here vs `log-prefix` on the next line and
        # in fw_tcp -- make the spelling consistent. Neither rule is
        # rate-limited, so a packet flood also floods the kernel log; a
        # `limit` match as used in fw_tcp would bound that. LOG does not
        # terminate, and the first rule already logs every packet, so
        # fragments are logged twice (once per rule).
        log-level info logprefix "Dropped";
        log-level warn fragment log-prefix "FRAGMENT Dropped";
    }
    DROP;
}

# Log, then deny. Used by OUTPUT and tosqueue.
chain LDENY {
    LOG {
        # Only TCP is logged at info here, so denied UDP/ICMP output leaves
        # no trace unless it is fragmented. Same `logprefix`/`log-prefix`
        # spelling inconsistency as in LDROP.
        log-level info proto tcp logprefix "Denied";
        log-level warn fragment log-prefix "FRAGMENT Denied";
    }
    # NOTE(review): DENY is an ipchains-era target; iptables has no DENY
    # target, so this depends on ferm translating it (to DROP or REJECT).
    # Confirm for the ferm version in use.
    DENY;
}
