HCoop / hcoop / zz_old / fwtool.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
blame | history | raw | HEAD
Refactored badguys
[hcoop/zz_old/fwtool.git] / closed.conf
1
2 option iptables
3 option clearall
4 option createchains
5 option automod
6
7 ############# Define variables
8 set IFCONFIG "/sbin/ifconfig"
9 set AWK "/usr/bin/awk"
10 set GREP "/bin/grep"
11 set CAT "/bin/cat"
12 set SED "/bin/sed"
13
14 set MASK "29" # Our netmask is /29 = 255.255.255.248
15 set IPS "64.20.38.170"
16 set IFS "eth0"
17 set IPSPEC "64.20.38.170/%MASK"
18
19 set NSIP `%CAT /etc/resolv.conf | %GREP nameserver | %AWK '{print $2}'`
20 #set NTPIP `%CAT /etc/ntp.conf | %GREP server | %AWK '{print $2}'`
21
22 ############# Port/protocol combinations we allow in and out
23 set TCP_IN "ssh,smtp,auth,www,ssmtp,https,imap,imaps,pop3,pop3s"
24 set TCP_OUT_DELAY "ssh,ftp,auth"
25 set TCP_OUT_RELIABILITY "http,nntp,smtp,pop3,auth,domain"
26 set TCP_OUT_THROUGHPUT "ftp-data"
27 #set TCP_OUT_COST ""
28
29 set UDP_IN "ntp,domain"
30 set UDP_OUT "1:65535"
31
32 set ICMP_IN "ping,pong,destination-unreachable,source-quench,time-exceeded,parameter-problem"
33 set ICMP_OUT "ping,pong,fragmentation-needed,source-quench,parameter-problem"
34
35
36 # Make us insensitive to the environment
37
38 # Allow traffic in areas outside of our scope
39 policy DROP {
40 table mangle chain forward;
41 table filter chain forward;
42 table filter chain (INPUT,OUTPUT);
43 }
44 policy ACCEPT {
45 table mangle chain (PREROUTING,INPUT,OUTPUT,POSTROUTING);
46 table nat chain (PREROUTING,OUTPUT,POSTROUTING);
47 }
48
49 ######################################################################
50 # Built-in chains that jump to our custom ones
51
52 chain INPUT {
53 state INVALID goto LDROP;
54 fragment goto LDROP;
55 # goto IANA_BAN;
56 # goto LOCAL_BAN;
57 #goto PORTSCAN; # Do we need this? There are better, dedicated tools
58
59 state (ESTABLISHED,RELATED) ACCEPT;
60
61 if lo saddr 127.0.0.1/8 daddr 127.0.0.1/8 ACCEPT;
62 if lo saddr %IPSPEC daddr %IPSPEC ACCEPT;
63 if lo goto LDROP;
64
65 #incoming traffic
66 goto badguys;
67 protocol tcp goto fw_tcp;
68 protocol udp goto fw_udp;
69 protocol icmp goto fw_icmp;
70
71 goto LDROP;
72 }
73
74 chain OUTPUT {
75 state INVALID goto LDENY;
76 fragment goto LDENY;
77
78 state (ESTABLISHED,RELATED) ACCEPT;
79
80 of lo saddr 127.0.0.1/8 daddr 127.0.0.1/8 ACCEPT;
81 of lo saddr %IPSPEC ACCEPT;
82 of lo goto LDENY;
83
84 # queueing goes here, maybe some special fw rules as well
85 proto tcp goto tosqueue; # ACCEPT must be handled here
86
87 proto udp dport %UDP_OUT ACCEPT;
88 proto icmp icmptype %ICMP_OUT ACCEPT;
89
90 goto LDENY;
91 }
92
93 %BADGUYS = `cat /etc/firewall/badguys | grep -v '^#'`
94
95 #####################################################################
96 # Deal with known offenders right away
97 # Make difference between notorious ones and unusual ones
98 chain badguys {
99 saddr %BADGUYS DROP;
100 }
101
102 #####################################################################
103 # TCP traffic
104 chain fw_tcp proto tcp {
105 # Standard allowances
106 syn dport %TCP_IN sport 1024: {
107 limit 5/s ACCEPT;
108 limit 20/m LOG log-prefix "SYN flood attack:" LOG;
109 goto LDROP;
110 }
111
112 # Should be covered by (RELATED,ESTABLISHED) ACCEPT above
113 #dport %TCP_IN accept;
114
115 # deny scanning via DNS port
116 sport domain {
117 dport domain ACCEPT;
118 syn goto LDROP;
119 }
120
121 # special case to allow active ftp transfers to our machine!
122 sport ftp-data dport 1024: {
123 ACCEPT;
124 }
125
126 # awkward incoming connections
127 syn {
128 goto LDROP;
129 }
130
131 # want to deny inside-out fake stuff? uncomment this:
132 # (see /proc/sys/net/ipv4/ip_local_port_range ): Tune the file to 13999 !
133 dport 14000: {
134 goto LDROP;
135 }
136 }
137
138 #####################################################################
139 # UDP traffic
140 chain fw_udp proto udp {
141 # Standard allowances
142 dport %UDP_IN sport 1024: {
143 ACCEPT;
144 }
145
146 # again no dns fumbling around
147 sport domain dport domain saddr %NSIP {
148 ACCEPT;
149 }
150 }
151
152
153 #####################################################################
154 # ICMP traffic
155 chain fw_icmp proto icmp {
156 # Standard allowances
157 icmptype %ICMP_IN {
158 ACCEPT;
159 }
160
161 #icmp-type echo-request limit 1/s ACCEPT;
162 #icmptype ( ping pong destination-unreachable time-exceeded) {
163 # ACCEPT;
164 #}
165 # never seen hits on this one:
166 }
167
168
169 #####################################################################
170 # TOS (Type-of-service) adjustments
171 chain tosqueue {
172 protocol tcp {
173 # rapid response protocols
174 # dport %TCP_OUT_DELAY settos min-delay ACCEPT;
175 dport %TCP_OUT_DELAY ACCEPT;
176 sport %TCP_OUT_DELAY ACCEPT;
177 # keep these from timing out
178 # dport %TCP_OUT_RELIABILITY settos max-reliability ACCEPT;
179 dport %TCP_OUT_RELIABILITY ACCEPT;
180 sport %TCP_OUT_RELIABILITY ACCEPT;
181 # bulk stuff
182 # dport %TCP_OUT_THROUGHPUT settos max-throughput ACCEPT;
183 dport %TCP_OUT_THROUGHPUT ACCEPT;
184 sport %TCP_OUT_THROUGHPUT ACCEPT;
185 # dport (ftp-data,8888,6699) settos max-throughput ACCEPT;
186 dport (ftp-data,8888,6699) ACCEPT;
187 sport (ftp-data,8888,6699) ACCEPT;
188 }
189
190 # proto tcp dport %TCP_OUT_COST settos min-cost ACCEPT;
191 goto LDENY;
192 }
193
194 #####################################################################
195 # Supporting targets
196 chain LDROP {
197 LOG {
198 log-level info logprefix "Dropped";
199 log-level warn fragment log-prefix "FRAGMENT Dropped";
200 }
201 DROP;
202 }
203
204 chain LDENY {
205 LOG {
206 log-level info proto tcp logprefix "Denied";
207 log-level warn fragment log-prefix "FRAGMENT Denied";
208 }
209 DENY;
210 }
211
Unnamed repository; edit this file to name it for gitweb.