| 1 | |
# ferm options (legacy ferm 1.x syntax: `set NAME`, `%NAME`, `goto`).
option iptables          # emit iptables rules rather than ipchains
option clearall          # flush the existing rule set before loading this one
option createchains      # create the user-defined chains referenced below (fw_*, LDROP, ...)
option automod           # presumably auto-loads the needed netfilter modules -- confirm for this ferm version
| 6 | |
| 7 | ############# Define variables |
# Absolute paths for the helpers run in the backtick commands below (NSIP),
# so rule generation does not depend on the caller's PATH. IFCONFIG and SED
# are not used in the visible part of this file.
set IFCONFIG "/sbin/ifconfig"
set AWK "/usr/bin/awk"
set GREP "/bin/grep"
set CAT "/bin/cat"
set SED "/bin/sed"
| 13 | |
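# Local addressing. IPSPEC is derived from IPS so the host address is written
# once (the original duplicated the literal in IPSPEC). IPS and IFS are not
# referenced by the visible rules; only `lo` is matched on below.
set MASK "29" # Our netmask is /29 = 255.255.255.248
set IPS "64.20.38.170"                 # this host's public address
set IFS "eth0"                         # external interface (unused in the visible rules)
set IPSPEC "%IPS/%MASK"                # host/prefix as used in the loopback rules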
| 18 | |
# Resolver address(es), read from resolv.conf when the rules are generated;
# used in fw_udp to allow DNS-to-DNS traffic from our resolver only.
# NOTE(review): the allow-list silently follows whatever rewrites resolv.conf
# (e.g. DHCP) -- re-run ferm after resolver changes. With several nameserver
# lines the result is multi-line; confirm how this ferm version treats that.
set NSIP `%CAT /etc/resolv.conf | %GREP nameserver | %AWK '{print $2}'`
#set NTPIP `%CAT /etc/ntp.conf | %GREP server | %AWK '{print $2}'`
| 21 | |
| 22 | ############# Port/protocol combinations we allow in and out |
# Services we accept new connections to (fw_tcp). Names are presumably
# resolved through /etc/services at load time; numeric ranges work too.
set TCP_IN "ssh,smtp,auth,www,ssmtp,https,imap,imaps,pop3,pop3s"
# Outbound TCP, grouped by the TOS class once intended for them (tosqueue).
# The settos lines in tosqueue are commented out, so today these are plain
# allow-lists of destination/source ports.
set TCP_OUT_DELAY "ssh,ftp,auth"
set TCP_OUT_RELIABILITY "http,nntp,smtp,pop3,auth,domain"
set TCP_OUT_THROUGHPUT "ftp-data"
#set TCP_OUT_COST ""

set UDP_IN "ntp,domain"        # fw_udp: accepted only from source ports >= 1024
set UDP_OUT "1:65535"          # OUTPUT: every destination port, i.e. unrestricted outbound UDP

# ICMP types by ferm name ("ping"/"pong" presumably echo-request/echo-reply,
# cf. the commented alternative spelling in fw_icmp).
set ICMP_IN "ping,pong,destination-unreachable,source-quench,time-exceeded,parameter-problem"
set ICMP_OUT "ping,pong,fragmentation-needed,source-quench,parameter-problem"
| 34 | |
| 35 | |
| 36 | # Make us insensitive to the environment |
| 37 | |
| 38 | # Default policies: DROP wherever we filter, ACCEPT in tables outside of our scope |
# Default-deny for everything we filter: the host does not forward, and
# INPUT/OUTPUT fall through to the explicit rules below.
# NOTE(review): `forward` is lowercase here while the other builtin chains are
# uppercase; iptables builtin chain names are uppercase -- confirm that this
# ferm version normalizes the name, otherwise these two lines may not apply.
policy DROP {
    table mangle chain forward;
    table filter chain forward;
    table filter chain (INPUT,OUTPUT);
}
# Tables we do not filter in: mangle and nat pass everything; the filter
# table (above) is the only place packets are dropped.
policy ACCEPT {
    table mangle chain (PREROUTING,INPUT,OUTPUT,POSTROUTING);
    table nat chain (PREROUTING,OUTPUT,POSTROUTING);
}
| 48 | |
| 49 | ###################################################################### |
| 50 | # Built-in chains that jump to our custom ones |
| 51 | |
# INPUT: traffic addressed to this host. Order matters: malformed packets are
# dropped first, replies to allowed flows are fast-pathed, loopback is handled,
# then each protocol gets its own chain; whatever is left is logged and dropped.
chain INPUT {
    state INVALID goto LDROP;            # conntrack could not classify the packet
    fragment goto LDROP;                 # non-first fragments carry no ports to inspect
    # goto IANA_BAN;
    # goto LOCAL_BAN;
    #goto PORTSCAN; # Do we need this? There are better, dedicated tools

    state (ESTABLISHED,RELATED) ACCEPT;  # so the fw_* chains only ever see new flows

    if lo saddr 127.0.0.1/8 daddr 127.0.0.1/8 ACCEPT;
    if lo saddr %IPSPEC daddr %IPSPEC ACCEPT;   # our own address talking to itself over lo
    if lo goto LDROP;                    # any other address on lo is spoofed or misrouted

    #incoming traffic
    goto badguys;                        # known offenders dropped first; presumably returns here otherwise
    protocol tcp goto fw_tcp;            # each fw_* chain ACCEPTs or jumps to LDROP;
    protocol udp goto fw_udp;            # packets it does not decide on fall back to
    protocol icmp goto fw_icmp;          # the final LDROP below

    goto LDROP;                          # other protocols, or nothing above matched
}
| 73 | |
# OUTPUT: traffic originating on this host. Mirrors INPUT but ends in LDENY.
# TCP is decided entirely in tosqueue (which ends with its own goto LDENY).
chain OUTPUT {
    state INVALID goto LDENY;
    fragment goto LDENY;

    state (ESTABLISHED,RELATED) ACCEPT;  # replies to accepted inbound flows

    of lo saddr 127.0.0.1/8 daddr 127.0.0.1/8 ACCEPT;
    of lo saddr %IPSPEC ACCEPT;          # NOTE(review): no daddr match here, unlike INPUT -- confirm this asymmetry is intended
    of lo goto LDENY;

    # queueing goes here, maybe some special fw rules as well
    proto tcp goto tosqueue; # ACCEPT must be handled here

    proto udp dport %UDP_OUT ACCEPT;     # UDP_OUT is 1:65535, i.e. all outbound UDP
    proto icmp icmptype %ICMP_OUT ACCEPT;

    goto LDENY;                          # anything else (other protocols, unlisted ICMP types)
}
| 92 | |
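# Known-offender source addresses, one per line; '#' lines are ignored. Read
# once when the rules are generated. Written as `set` (the variable syntax
# used everywhere else in this file) and with the path-pinned tools above,
# instead of the original `%BADGUYS = \`cat ... | grep ...\`` form.
# NOTE(review): if the file is missing the command presumably fails and the
# list is empty -- check the load output rather than assuming the ban is active.
set BADGUYS `%CAT /etc/firewall/badguys | %GREP -v '^#'`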
| 94 | |
| 95 | ##################################################################### |
| 96 | # Deal with known offenders right away |
| 97 | # Distinguish between notorious offenders and merely unusual ones |
# Silent drop (no LOG) for listed sources; every other packet falls through
# to whatever called us (INPUT), since there is no terminal rule here.
chain badguys {
    saddr %BADGUYS DROP;
}
| 101 | |
| 102 | ##################################################################### |
| 103 | # TCP traffic |
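# fw_tcp: inbound TCP, entered from INPUT after the ESTABLISHED/RELATED ACCEPT,
# so only new flows (or stray non-SYN packets) arrive here. Packets this chain
# does not decide on fall back to INPUT's final LDROP.
chain fw_tcp proto tcp {
    # Standard allowances: new connections to our services from unprivileged
    # source ports, rate-limited. NOTE(review): `limit 5/s` is one global
    # bucket, not per source -- a single flooding host also throttles
    # legitimate clients; the overflow is logged (itself limited) and dropped.
    syn dport %TCP_IN sport 1024: {
        limit 5/s ACCEPT;
        limit 20/m LOG log-prefix "SYN flood attack:";  # fixed: original line ended in a duplicated `LOG` target
        goto LDROP;
    }

    # Should be covered by (RELATED,ESTABLISHED) ACCEPT above
    #dport %TCP_IN accept;

    # deny scanning via DNS port: DNS-to-DNS is fine, but a SYN from source
    # port 53 to anything else is a filter-evasion probe
    sport domain {
        dport domain ACCEPT;
        syn goto LDROP;
    }

    # special case to allow active ftp transfers to our machine!
    # (the server connects from port 20 back to our unprivileged data port)
    # NOTE(review): this accepts ANY new flow whose source port is 20, not only
    # FTP data; the RELATED state with the FTP conntrack helper would cover
    # active FTP without that hole -- consider removing this rule.
    sport ftp-data dport 1024: {
        ACCEPT;
    }

    # awkward incoming connections: any other SYN
    syn {
        goto LDROP;
    }

    # deny inside-out fake stuff: non-SYN packets to ports above our local
    # ephemeral range (see /proc/sys/net/ipv4/ip_local_port_range): tune the
    # file to 13999 so nothing legitimate lives at 14000 and above.
    # This rule is active; comment it out if you do not want it.
    dport 14000: {
        goto LDROP;
    }
}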
| 137 | |
| 138 | ##################################################################### |
| 139 | # UDP traffic |
# fw_udp: inbound UDP. Only NTP and DNS are served, and only from unprivileged
# source ports; DNS-to-DNS (port 53 both sides) is allowed from our resolver
# alone. Everything else falls back to INPUT's final LDROP.
chain fw_udp proto udp {
    # Standard allowances
    dport %UDP_IN sport 1024: {
        ACCEPT;
    }

    # again no dns fumbling around: 53->53 only from the configured nameserver
    sport domain dport domain saddr %NSIP {
        ACCEPT;
    }
}
| 151 | |
| 152 | |
| 153 | ##################################################################### |
| 154 | # ICMP traffic |
# fw_icmp: inbound ICMP. Listed types are accepted without rate limiting
# (the commented variant below would have limited echo-request to 1/s);
# other types fall back to INPUT's final LDROP.
chain fw_icmp proto icmp {
    # Standard allowances
    icmptype %ICMP_IN {
        ACCEPT;
    }

    #icmp-type echo-request limit 1/s ACCEPT;
    #icmptype ( ping pong destination-unreachable time-exceeded) {
    # ACCEPT;
    #}
    # never seen hits on this one:
}
| 167 | |
| 168 | |
| 169 | ##################################################################### |
| 170 | # TOS (Type-of-service) adjustments |
# tosqueue: outbound TCP policy. Despite the name, every settos line is
# commented out, so this is currently a plain allow-list on destination or
# source port; anything not listed is logged and denied.
chain tosqueue {
    protocol tcp {
        # rapid response protocols
        # dport %TCP_OUT_DELAY settos min-delay ACCEPT;
        dport %TCP_OUT_DELAY ACCEPT;
        sport %TCP_OUT_DELAY ACCEPT;          # NOTE(review): sport matches let any local process talk out if it binds a listed port -- confirm intended
        # keep these from timing out
        # dport %TCP_OUT_RELIABILITY settos max-reliability ACCEPT;
        dport %TCP_OUT_RELIABILITY ACCEPT;
        sport %TCP_OUT_RELIABILITY ACCEPT;
        # bulk stuff
        # dport %TCP_OUT_THROUGHPUT settos max-throughput ACCEPT;
        dport %TCP_OUT_THROUGHPUT ACCEPT;
        sport %TCP_OUT_THROUGHPUT ACCEPT;
        # dport (ftp-data,8888,6699) settos max-throughput ACCEPT;
        dport (ftp-data,8888,6699) ACCEPT;
        sport (ftp-data,8888,6699) ACCEPT;
    }

    # proto tcp dport %TCP_OUT_COST settos min-cost ACCEPT;
    goto LDENY;                               # terminal: OUTPUT relies on this
}
| 193 | |
| 194 | ##################################################################### |
| 195 | # Supporting targets |
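# LDROP: log, then drop. Used by INPUT and the fw_* chains for inbound traffic.
# `logprefix` on the first line was a typo for `log-prefix` (the spelling used
# on the other LOG lines of this file). Logging is now rate-limited: without
# a limit, a flood of rejected packets can fill syslog (one limit bucket per
# line, same `N/m` form as the SYN-flood line in fw_tcp).
# Fragments match both lines and are logged twice (LOG does not terminate).
chain LDROP {
    LOG {
        limit 10/m log-level info log-prefix "Dropped";
        limit 10/m log-level warn fragment log-prefix "FRAGMENT Dropped";
    }
    DROP;
}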
| 203 | |
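# LDENY: log, then deny. Used by OUTPUT and tosqueue for outbound traffic.
# `logprefix` on the first line was a typo for `log-prefix` (the spelling used
# on the other LOG lines of this file). Logging is now rate-limited so a
# misbehaving local process cannot fill syslog (one limit bucket per line).
# Only TCP is logged at info level, matching the original; fragments of any
# protocol are logged by the second line.
# NOTE(review): DENY is the ipchains-era target name -- confirm how this ferm
# version maps it under `option iptables` (DROP vs REJECT).
chain LDENY {
    LOG {
        limit 10/m log-level info proto tcp log-prefix "Denied";
        limit 10/m log-level warn fragment log-prefix "FRAGMENT Denied";
    }
    DENY;
}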
| 211 | |