Separate TCP_OUT on TOS, remove ppp0, let DNS through

# Global tool options. The rest of this file is written in a ferm-1.x-style
# rule language (`option`, `set`/%VAR variables, `chain`, `goto`, DENY).
# The meanings below are the usual ones for that syntax — confirm against the
# tool's own documentation, they are not established by anything in this file.
option iptables      # presumably: emit iptables rules (the backend)
option clearall      # presumably: flush existing rules before loading
option createchains  # presumably: create the user chains referenced below before use
option automod       # presumably: auto-load the kernel modules the rules need

############# Define variables
# Helper binaries used by the backtick command substitution further down.
set IFCONFIG "/sbin/ifconfig"
set AWK "/usr/bin/awk"
set GREP "/bin/grep"
set CAT "/bin/cat"
set SED "/bin/sed"
# NOTE(review): IFCONFIG and SED are defined but not referenced anywhere in
# this file as shown.

set MASK "29" # Our netmask is /29 = 255.255.255.248
set IPS "64.20.38.170"            # this host's public address (not referenced below as shown)
set IFS "eth0"                    # the single external interface handled by INPUT
set IPSPEC "64.20.38.170/%MASK"   # our /29; OUTPUT denies anything not sourced from it (anti-spoof)

# Resolver address(es) read from resolv.conf when the rules are generated;
# fw_udp uses this to restrict inbound 53->53 UDP to the configured nameserver.
# NOTE(review): with several `nameserver` lines this expands to several
# addresses — confirm the tool expands a multi-line value the way the
# `saddr %NSIP` rule expects.
set NSIP `%CAT /etc/resolv.conf | %GREP nameserver | %AWK '{print $2}'`
#set NTPIP `%CAT /etc/ntp.conf | %GREP server | %AWK '{print $2}'`

############# Port/protocol combinations we allow in and out
# Inbound TCP services offered by this host (matched in fw_tcp with sport 1024:
# and a SYN rate limit).
set TCP_IN "ssh,smtp,auth,www,ssmtp,https,imap,imaps,pop3,pop3s"
# Outbound TCP, split by TOS class in chain tosqueue. Only destination ports in
# one of these lists are ACCEPTed outbound; every other new outbound TCP
# connection ends in OUTPUT's DENY policy. https is in none of the lists.
set TCP_OUT_DELAY "ssh,ftp"
set TCP_OUT_RELIABILITY "http,nntp,smtp,pop3,auth,domain"
set TCP_OUT_THROUGHPUT "ftp-data,napster,napserv"
set TCP_OUT_COST ""   # NOTE(review): empty — confirm the tool accepts `dport ""` in tosqueue

# Inbound UDP: only ntp. Outbound UDP: any destination port.
set UDP_IN "ntp"
set UDP_OUT "1:65535"

# ICMP types accepted in (fw_icmp) and out (OUTPUT).
set ICMP_IN "ping,pong,destination-unreachable,source-quench,time-exceeded,parameter-problem"
set ICMP_OUT "ping,pong,fragmentation-needed,source-quench,parameter-problem"


# Make us insensitive to the environment
# Fall-through target for the inbound/forward/pre-routing built-in chains:
# anything a chain below does not explicitly ACCEPT is dropped, unlogged.
# NOTE(review): a non-ACCEPT policy on nat/mangle chains is unusual — confirm
# it is intended and that the tool/kernel in use accept it.
policy DROP {
    table filter chain (INPUT FORWARD);
    table mangle chain (PREROUTING);
    table nat chain (PREROUTING POSTROUTING);
}
# Fall-through target for locally generated traffic: whatever chain OUTPUT
# (and tosqueue, which it calls) does not ACCEPT is denied.
policy DENY {
    table filter chain (OUTPUT);
    table mangle chain (OUTPUT);
    table nat chain (OUTPUT);
}


######################################################################
# Built-in chains that jump to our custom ones

# Inbound filter. Rules are evaluated top to bottom and the first match wins;
# the INPUT policy is DROP (see `policy DROP` above), so anything that is not
# ACCEPTed here or in the chains it calls is silently dropped.
chain INPUT {

    # Conntrack-INVALID packets and fragments: log via UNUSUAL, then drop.
    # UNUSUAL only logs, so the trailing DROP presumably applies once it falls
    # through — confirm that is how this tool treats `goto X DROP`.
    state INVALID goto UNUSUAL DROP;
    fragment goto UNUSUAL DROP;

    # goto IANA_BAN;
    # goto LOCAL_BAN;
    # Flag-signature check runs before the ESTABLISHED shortcut, so it sees
    # every TCP packet, not only new flows.
    goto PORTSCAN;

    state (ESTABLISHED,RELATED) ACCEPT;

    # Loopback: only 127/8 <-> 127/8 is allowed; anything else on lo is logged
    # and dropped.
    if lo saddr 127.0.0.1/8 daddr 127.0.0.1/8 ACCEPT;
    if lo goto UNUSUAL DROP;

    #incoming traffic, separate by interface
    # Only %IFS (eth0) is handled. Packets arriving on any other interface, and
    # non-TCP/UDP/ICMP packets on eth0, fall through to the DROP policy unlogged.
    if %IFS {
        goto badguys;               # static blocklist first (silent DROP)
        protocol tcp goto fw_tcp;
        protocol udp goto fw_udp;
        protocol icmp goto fw_icmp;
    }
}

# Outbound filter for locally generated traffic. OUTPUT's policy is DENY, so
# anything not ACCEPTed here (or in tosqueue) is denied.
chain OUTPUT {

    # Invalid/fragmented locally generated packets: log via UNUSUAL, then deny.
    state INVALID goto UNUSUAL DENY;
    fragment goto UNUSUAL DENY;

    # Replies and related packets of flows already known to conntrack.
    state (ESTABLISHED,RELATED) ACCEPT;

    # `of lo`: outbound on loopback (by analogy with `if lo` in INPUT).
    of lo saddr 127.0.0.1/8 daddr 127.0.0.1/8 ACCEPT;
    of lo goto UNUSUAL DENY;

    # Egress anti-spoof: nothing leaves with a source address outside our /29.
    saddr !%IPSPEC goto UNUSUAL DENY;

    # again uncomment for trojan horses protection and inside out
    # violations....
    # NOTE(review): this rule IS active despite the "uncomment" wording. New
    # outbound TCP/UDP flows with a source port >= 14000 are denied; that only
    # works as intended if ip_local_port_range is capped at 13999, as the
    # comment in fw_tcp says. Established flows were already accepted above.
    proto (tcp,udp) sport 14000: goto LDENY;

    # queueing goes here, maybe some special fw rules as well
    # tosqueue sets TOS per destination port and ACCEPTs only the ports listed
    # in the TCP_OUT_* variables; anything else returns here and hits DENY.
    proto tcp goto tosqueue; # ACCEPT must be handled here

    # Outbound UDP to any port (UDP_OUT is 1:65535); outbound ICMP by type.
    proto udp dport %UDP_OUT ACCEPT;
    proto icmp icmptype %ICMP_OUT ACCEPT;
}

#####################################################################
# Deal with known offenders right away
# Make difference between notorious ones and unusual ones
# Static blocklist, consulted first for everything arriving on %IFS. Matches
# are dropped silently (no LOG in this chain); list entries below carry their
# own provenance notes.
chain badguys {
    #saddr spammer.net.com DROP; # you may specify computer names as well
    # 10/8 is RFC 1918 space and should never appear on the public interface,
    # so these two lines act as a bogon/spoof filter.
    saddr 10/8 DROP; # or network addresses like this impossible one
    daddr 10/8 DROP; # maybe even from guys fooling you around
    # NOTE(review): the two 123.45.6.x entries read like the tool's sample
    # rules rather than observed offenders — confirm they are meant to stay.
    saddr 123.45.6.78 DROP; # a single machine, very bad
    saddr 123.45.6/24 DROP; # better to include the entire subnet

    saddr(
    # Mailbombing nion's email
    152.163.210.178
    205.188.135.170
    64.12.187.193

    # Executed nion's CGI script 400,000 times
    24.186.165.67

    # docelic, Wed Aug 3 04:18:56 EDT 2005
    # Trying out new server with all kinds of usernames on ssh
    # (All of those seem to be from the same "mastermind")
    211.48.20.153
    62.36.240.114
    62.75.240.62
    210.204.193.1
    84.26.59.170

    # Log says reverse mapping failed for this address
    # (hundreds of entries)
    114.67.19.241
    ) {
        DROP;
    }
}

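#####################################################################
# TCP traffic
# Inbound TCP on %IFS. Rules are order-sensitive: the first match wins.
# Entered from INPUT after INVALID/fragments were dropped, PORTSCAN was
# checked and ESTABLISHED/RELATED was already ACCEPTed, so only new or
# untracked packets reach this chain.
chain fw_tcp proto tcp {

    # Standard allowances: new connections to the services we offer, from
    # unprivileged source ports, rate-limited; above the limit, log
    # (rate-limited) and drop.
    syn dport %TCP_IN sport 1024: {
        limit 200/s ACCEPT;
        # Was `limit 5/m LOG log-prefix "SYN flood attack:" LOG;` — the stray
        # leading LOG token did not match the `log-prefix "..." LOG;` form used
        # by every other log rule in this file.
        limit 5/m log-prefix "SYN flood attack:" LOG;
        DROP;
    }

    # drop all syns: (incoming connections)
    # Every other new inbound connection is logged and dropped here.
    syn {
        log-prefix "tcp SYN Dropped" LOG;
        DROP;
    }

    # Untracked non-SYN packets aimed at privileged ports.
    dport :1023 {
        log-prefix "TCP packet not syn std port" LOG;
        DROP;
    }

    # deny scanning via DNS port
    # NOTE(review): as ordered, this block appears unreachable — dport 53 was
    # already dropped by `dport :1023` above, and all SYNs were dropped before
    # that. The commit title says "let DNS through"; if inbound TCP 53->53 is
    # really wanted, this block would have to move above `dport :1023` and
    # should then be limited to saddr %NSIP like the UDP counterpart in fw_udp.
    sport domain {
        dport domain ACCEPT;
        syn goto LDENY;
    }

    # special case to allow active ftp transfers to our machine!
    # NOTE(review): SYNs were already dropped above, so this only passes
    # untracked non-SYN packets from sport 20 to high ports; the data
    # connection itself relies on ESTABLISHED/RELATED in INPUT.
    sport ftp-data dport 1024: {
        ACCEPT;
    }

    # awkward incoming connections
    # NOTE(review): also unreachable as ordered (all SYNs dropped above).
    syn {
        goto LDENY;
    }

    # lock suid ports: untracked non-SYN packets from privileged source ports
    sport :1023 {
        goto LDENY;
    }

    # want to deny inside-out fake stuff? uncomment this:
    # (see /proc/sys/net/ipv4/ip_local_port_range ): Tune the file to 13999 !
    # (This rule is active; so is the matching `sport 14000: goto LDENY` in OUTPUT.)
    dport 14000: {
        goto LDENY;
    }

    # Anything left (untracked non-SYN, sport >= 1024, dport 1024..13999) falls
    # back to INPUT and meets its DROP policy without a log line; fw_udp and
    # fw_icmp end with `goto LDENY` instead.
    # Closing brace added: as rendered, this chain was never closed — the file
    # as a whole was one `}` short, and every other chain is closed.
}

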
#####################################################################
# UDP traffic
# Inbound UDP on %IFS. Replies to our own queries were already accepted as
# ESTABLISHED in INPUT, so this chain only sees unsolicited datagrams.
chain fw_udp proto udp {

    # Standard allowances: %UDP_IN (ntp) from unprivileged source ports, i.e.
    # this host serves NTP to clients. 123->123 peer queries do not match here
    # and end in LDENY.
    dport %UDP_IN sport 1024: {
        ACCEPT;
    }

    # again no dns fumbling around
    # 53->53 only from the resolver(s) read out of resolv.conf (%NSIP).
    sport domain dport domain saddr %NSIP {
        ACCEPT;
    }
    # Everything else. LDENY logs only TCP and fragments, so these UDP denials
    # leave no log line.
    goto LDENY;
}

200
201 #####################################################################
202 # ICMP traffic
203 chain fw_icmp proto icmp {
204
205 # Standard allowances
206 icmptype %ICMP_IN {
207 ACCEPT;
208 }
209
210 #icmp-type echo-request limit 1/s ACCEPT;
211 #icmptype ( ping pong destination-unreachable time-exceeded) {
212 # ACCEPT;
213 #}
214 # never seen hits on this one:
215 goto LDENY;
216 }
217
218
219 #####################################################################
220 # TOS (Type-of-service) adjustments
221 chain tosqueue {
222
223 protocol tcp reverse {
224 # rapid response protocols
225 dport %TCP_OUT_DELAY settos min-delay ACCEPT;
226 # keep these from timing out
227 dport %TCP_OUT_RELIABILITY settos max-reliability ACCEPT;
228 # bulk stuff
229 dport %TCP_OUT_THROUGHPUT settos max-throughput ACCEPT;
230 dport (ftp-data,8888,6699) settos max-throughput ACCEPT;
231 }
232
233 proto tcp dport %TCP_OUT_COST settos min-cost ACCEPT;
234 }
235
#####################################################################
# Supporting targets

# Log-then-DROP helper.
# NOTE(review): not referenced by any rule in this file as shown (callers use
# LDENY). The two log lines spell the option `logprefix` and `log-prefix`
# respectively — confirm both spellings are accepted, or normalize them.
chain LDROP {
    LOG {
        log-level info logprefix "Dropped";
        log-level warn fragment log-prefix "FRAGMENT Dropped";
    }
    DROP;
}

# Log-only helper with no terminal action of its own: callers write
# `goto UNUSUAL DROP` / `goto UNUSUAL DENY` and supply the verdict themselves.
chain UNUSUAL {
    LOG { log-level info logprefix "Unusual"; }
}

# Log-then-DENY helper used by fw_tcp, fw_udp, fw_icmp and OUTPUT.
# Only TCP is logged at info; for other protocols only fragments are logged,
# so UDP/ICMP packets sent here are denied without any log line (a detection
# gap worth knowing about when reading the logs).
# `logprefix` vs `log-prefix`: same spelling inconsistency as in LDROP.
chain LDENY {
    LOG {
        log-level info proto tcp logprefix "Denied";
        log-level warn fragment log-prefix "FRAGMENT Denied";
    }
    DENY;
}

# Rate-limited accept for TCP: new connections at most 100 SYN/s, non-SYN
# packets unconditionally; anything that is not TCP is logged and denied.
# NOTE(review): not referenced by any rule in this file as shown.
chain TCPACCEPT {
    proto tcp {
        syn limit 100/s ACCEPT;
        ! syn ACCEPT;
    }
    logprefix "Mismatch in TCPACCEPT" LOG;
    DENY;
}

# Accept UDP; anything else that reaches this chain is logged and denied.
# NOTE(review): not referenced by any rule in this file as shown.
chain UDPACCEPT {
    proto udp ACCEPT;
    logprefix "Mismatch in UDPACCEPT" LOG;
    DENY;
}



#chain IANA_BAN {
# saddr %IANA_BANS DROP;
#}
#
#chain LOCAL_BAN {
# saddr %LOCAL_BANS DROP;
#}

# TCP flag-combination signatures. Called from INPUT before the
# ESTABLISHED/RELATED shortcut, so every inbound TCP packet is checked.
# Each match is logged at log-level 5 (syslog notice), rate-limited to 5/min,
# and then dropped unconditionally — the limit applies to the LOG line only.
# `tcp-flags <mask> <set>` presumably maps to iptables --tcp-flags: the flags
# in <mask> are examined and must equal <set>; NONE means none of them is set.
# Non-TCP traffic passes straight through. Probe shapes not listed here
# (e.g. FIN-only, or all six flags set) are left to fw_tcp's ordinary handling.
chain PORTSCAN {
    proto tcp {
        # no flags at all; also records TCP/IP options for the log line
        tcp-flags FIN:SYN:RST:PSH:ACK:URG NONE {
            limit 5/min log-prefix "NULL SCAN:" log-level 5
                log-tcp-options log-ip-options LOG;
            DROP;
        }
        # FIN+PSH+URG only
        tcp-flags FIN:SYN:RST:PSH:ACK:URG FIN:PSH:URG {
            limit 5/min log-prefix "NMAP-XMAS Portscan:" log-level 5 LOG;
            DROP;
        }
        # SYN and RST both set (never valid)
        tcp-flags SYN:RST SYN:RST {
            limit 5/min log-prefix "SYN/RST Portscan:" log-level 5 LOG;
            DROP;
        }
        # SYN and FIN both set (never valid)
        tcp-flags FIN:SYN FIN:SYN {
            limit 5/min log-prefix "SYN/FIN Portscan:" log-level 5 LOG;
            DROP;
        }
    }
}
