7 ############# Define variables
8 set IFCONFIG "/sbin/ifconfig"
14 set MASK "29" # Our netmask is /29 = 255.255.255.248
15 set IPS "64.20.38.170"
17 set IPSPEC "64.20.38.170/%MASK"
19 set NSIP `%CAT /etc/resolv.conf | %GREP nameserver | %AWK '{print $2}'`
20 #set NTPIP `%CAT /etc/ntp.conf | %GREP server | %AWK '{print $2}'`
22 ############# Port/protocol combinations we allow in and out
23 set TCP_IN "ssh,smtp,auth,www,ssmtp,https,imap,imaps,pop3,pop3s"
27 set ICMP_IN "ping,pong,destination-unreachable,source-quench,time-exceeded,parameter-problem"
28 set ICMP_OUT "ping,pong,fragmentation-needed,source-quench,parameter-problem"
31 # Make us insensitive to the environment
33 table filter chain (INPUT FORWARD);
34 table mangle chain (PREROUTING);
35 table nat chain (PREROUTING POSTROUTING);
38 table filter chain (OUTPUT);
39 table mangle chain (OUTPUT);
40 table nat chain (OUTPUT);
44 ######################################################################
45 # Built-in chains that jump to our custom ones
49 state INVALID goto UNUSUAL DROP;
50 fragment goto UNUSUAL DROP;
56 state (ESTABLISHED,RELATED) ACCEPT;
58 if lo saddr 127.0.0.1/8 daddr 127.0.0.1/8 ACCEPT;
59 if lo goto UNUSUAL DROP;
63 #incoming traffic, separated by interface
66 protocol tcp goto fw_tcp;
67 protocol udp goto fw_udp;
68 protocol icmp goto fw_icmp;
74 state INVALID goto UNUSUAL DENY;
75 fragment goto UNUSUAL DENY;
77 state (ESTABLISHED,RELATED) ACCEPT;
79 of lo saddr 127.0.0.1/8 daddr 127.0.0.1/8 ACCEPT;
80 of lo goto UNUSUAL DENY;
84 saddr !%IPSPEC goto UNUSUAL DENY;
86 # again: uncomment for trojan-horse protection and inside-out traffic
88 proto (tcp,udp) sport 14000: goto LDENY;
90 # queueing goes here, maybe some special fw rules as well
91 proto tcp goto tosqueue; # ACCEPT must be handled here
93 proto udp dport %UDP_OUT ACCEPT;
94 proto icmp icmptype %ICMP_OUT ACCEPT;
97 #####################################################################
98 # Deal with known offenders right away
99 # Distinguish between notorious ones and unusual ones
101 #saddr spammer.net.com DROP; # you may specify computer names as well
102 saddr 10/8 DROP; # or network addresses like this impossible one
103 daddr 10/8 DROP; # maybe even from guys fooling you around
104 saddr 123.45.6.78 DROP; # a single machine, very bad
105 saddr 123.45.6/24 DROP; # better to include the entire subnet
108 # Mailbombing nion's email
113 # Executed nion's CGI script 400,000 times
116 # docelic, Wed Aug 3 04:18:56 EDT 2005
117 # Trying out new server with all kinds of usernames on ssh
118 # (All of those seem to be from the same "mastermind")
125 # Log says reverse mapping failed for this address
126 # (hundreds of entries)
133 #####################################################################
135 chain fw_tcp proto tcp {
137 # Standard allowances
138 syn dport %TCP_IN sport 1024: {
140 limit 5/m LOG log-prefix "SYN flood attack:" LOG;
144 # drop all syns: (incoming connections)
146 log-prefix "tcp SYN Dropped" LOG;
151 log-prefix "TCP packet not syn std port" LOG;
155 # deny scanning via DNS port
161 # special case to allow active ftp transfers to our machine!
162 sport ftp-data dport 1024: {
166 # awkward incoming connections
176 # want to deny inside-out fake stuff? uncomment this:
177 # (see /proc/sys/net/ipv4/ip_local_port_range ): Tune the file to 13999 !
183 #####################################################################
185 chain fw_udp proto udp {
187 # Standard allowances
188 dport %UDP_IN sport 1024: {
192 # again no dns fumbling around
193 #sport domain dport domain saddr (**DNS IPS**) {
200 #####################################################################
202 chain fw_icmp proto icmp {
204 # Standard allowances
209 #icmp-type echo-request limit 1/s ACCEPT;
210 #icmptype ( ping pong destination-unreachable time-exceeded) {
213 # never seen hits on this one:
218 #####################################################################
219 # TOS (Type-of-service) adjustments
222 protocol tcp reverse {
223 # rapid response protocols
224 dport (ssh,ftp) settos min-delay ACCEPT;
225 # keep these from timing out
226 dport (http,nntp,smtp,pop3,auth,domain) settos max-reliability ACCEPT;
228 dport (ftp-data,napster,napserv) settos max-throughput ACCEPT;
229 dport (ftp-data,8888,6699) settos max-throughput ACCEPT;
232 # remove any bits set by clients for different
233 # protocols, since they might be tricking their
234 # packets into an unfair priority... It wouldn't
235 # surprise me if IE uses this... :-O
236 settos min-cost ACCEPT;
239 #####################################################################
243 log-level info logprefix "Dropped";
244 log-level warn fragment log-prefix "FRAGMENT Dropped";
250 LOG { log-level info logprefix "Unusual"; }
255 log-level info proto tcp logprefix "Denied";
256 log-level warn fragment log-prefix "FRAGMENT Denied";
263 syn limit 100/s ACCEPT;
266 logprefix "Mismatch in TCPACCEPT" LOG;
272 logprefix "Mismatch in UDPACCEPT" LOG;
279 # saddr %IANA_BANS DROP;
283 # saddr %LOCAL_BANS DROP;
288 tcp-flags FIN:SYN:RST:PSH:ACK:URG NONE {
289 limit 5/min log-prefix "NULL SCAN:" log-level 5
290 log-tcp-options log-ip-options LOG;
293 tcp-flags FIN:SYN:RST:PSH:ACK:URG FIN:PSH:URG {
294 limit 5/min log-prefix "NMAP-XMAS Portscan:" log-level 5 LOG;
297 tcp-flags SYN:RST SYN:RST {
298 limit 5/min log-prefix "SYN/RST Portscan:" log-level 5 LOG;
301 tcp-flags FIN:SYN FIN:SYN {
302 limit 5/min log-prefix "SYN/FIN Portscan:" log-level 5 LOG;