7 ############# Define variables
# Tool paths and host addressing shared by every chain in this policy.
8 set IFCONFIG "/sbin/ifconfig"
14 set MASK "29" # Our netmask is /29 = 255.255.255.248
15 set IPS "64.20.38.170"
# NOTE(review): the address is repeated literally here; "%IPS/%MASK" would keep
# IPSPEC and IPS from drifting apart (a variable already expands inside the
# double-quoted string on this line, so the form is available).
17 set IPSPEC "64.20.38.170/%MASK"
# Resolver address(es) read from /etc/resolv.conf when ferm runs; consumed by
# the DNS rule in fw_udp (saddr %NSIP). %CAT, %GREP and %AWK are referenced here
# but defined outside the lines shown.
# NOTE(review): several "nameserver" lines yield several values -- confirm the
# saddr match in fw_udp expands to all of them rather than only the first.
19 set NSIP `%CAT /etc/resolv.conf | %GREP nameserver | %AWK '{print $2}'`
20 #set NTPIP `%CAT /etc/ntp.conf | %GREP server | %AWK '{print $2}'`
22 ############# Port/protocol combinations we allow in and out
# Inbound TCP services (matched in fw_tcp on new connections).
23 set TCP_IN "ssh,smtp,auth,www,ssmtp,https,imap,imaps,pop3,pop3s"
# Outbound TCP, grouped by the TOS class named in tosqueue (the settos
# adjustments there are currently commented out, so the split is nominal).
24 set TCP_OUT_DELAY "ssh,ftp,auth"
25 set TCP_OUT_RELIABILITY "http,nntp,smtp,pop3,auth,domain"
26 set TCP_OUT_THROUGHPUT "ftp-data"
# UDP_OUT is referenced in the OUTPUT chain but is not defined in the lines shown.
29 set UDP_IN "ntp,domain"
# ICMP types accepted per direction (fw_icmp for inbound, OUTPUT chain for outbound).
32 set ICMP_IN "ping,pong,destination-unreachable,source-quench,time-exceeded,parameter-problem"
33 set ICMP_OUT "ping,pong,fragmentation-needed,source-quench,parameter-problem"
36 # Make us insensitive to the environment
38 # Allow traffic in areas outside of our scope
40 table mangle chain forward;
41 table filter chain forward;
42 table filter chain (INPUT,OUTPUT);
45 table mangle chain (PREROUTING,INPUT,OUTPUT,POSTROUTING);
46 table nat chain (PREROUTING,OUTPUT,POSTROUTING);
49 ######################################################################
50 # Built-in chains that jump to our custom ones
53 state INVALID goto LDROP;
57 #goto PORTSCAN; # Do we need this? There are better, dedicated tools
59 state (ESTABLISHED,RELATED) ACCEPT;
61 if lo saddr 127.0.0.1/8 daddr 127.0.0.1/8 ACCEPT;
62 if lo saddr %IPSPEC daddr %IPSPEC ACCEPT;
67 protocol tcp goto fw_tcp;
68 protocol udp goto fw_udp;
69 protocol icmp goto fw_icmp;
75 state INVALID goto LDENY;
78 state (ESTABLISHED,RELATED) ACCEPT;
80 of lo saddr 127.0.0.1/8 daddr 127.0.0.1/8 ACCEPT;
81 of lo saddr %IPSPEC daddr %IPSPEC ACCEPT;
84 saddr !%IPSPEC goto LDENY;
86 # Inside-out / trojan-horse protection (see the matching note in fw_tcp): deny outbound traffic from local source ports 14000 and up
88 proto (tcp,udp) sport 14000: goto LDENY;
90 # queueing goes here, maybe some special fw rules as well
91 proto tcp goto tosqueue; # ACCEPT must be handled here
93 proto udp dport %UDP_OUT ACCEPT;
94 proto icmp icmptype %ICMP_OUT ACCEPT;
99 #####################################################################
100 # Deal with known offenders right away
101 # Distinguish the notorious offenders from the merely unusual ones
105 # Mailbombing nion's email
110 # Executed nion's CGI script 400,000 times
113 # docelic, Wed Aug 3 04:18:56 EDT 2005
114 # Tried all kinds of usernames against ssh on the new server
115 # (All of those seem to be from the same "mastermind")
122 # Log says reverse mapping failed for this address
123 # (hundreds of entries)
130 #####################################################################
132 chain fw_tcp proto tcp {
133 # Standard allowances
134 syn dport %TCP_IN sport 1024: {
136 limit 20/m LOG log-prefix "SYN flood attack:" LOG;
140 # Should be covered by (RELATED,ESTABLISHED) ACCEPT above
141 #dport %TCP_IN accept;
143 # deny scanning via DNS port
149 # Special case: allow active-FTP data connections back to our machine. Note this keys on the remote source port (which any host can choose), so it admits more than genuine FTP data transfers.
150 sport ftp-data dport 1024: {
154 # Remaining (unexpected) incoming connections
159 # To deny inside-out spoofing as well, uncomment the rule below
160 # (and set the upper bound in /proc/sys/net/ipv4/ip_local_port_range to 13999, so local ephemeral ports never reach 14000, the cut-off used by the sport 14000: rules)
166 #####################################################################
168 chain fw_udp proto udp {
169 # Standard allowances
170 dport %UDP_IN sport 1024: {
174 # Again, no DNS fumbling around: DNS-to-DNS traffic is matched only when it comes from our own resolver (%NSIP)
175 sport domain dport domain saddr %NSIP {
181 #####################################################################
183 chain fw_icmp proto icmp {
184 # Standard allowances
189 #icmp-type echo-request limit 1/s ACCEPT;
190 #icmptype ( ping pong destination-unreachable time-exceeded) {
193 # never seen hits on this one:
197 #####################################################################
198 # TOS (Type-of-service) adjustments
201 # rapid response protocols
202 # dport %TCP_OUT_DELAY settos min-delay ACCEPT;
203 dport %TCP_OUT_DELAY ACCEPT;
204 sport %TCP_OUT_DELAY ACCEPT;
205 # keep these from timing out
206 # dport %TCP_OUT_RELIABILITY settos max-reliability ACCEPT;
207 dport %TCP_OUT_RELIABILITY ACCEPT;
208 sport %TCP_OUT_RELIABILITY ACCEPT;
210 # dport %TCP_OUT_THROUGHPUT settos max-throughput ACCEPT;
211 dport %TCP_OUT_THROUGHPUT ACCEPT;
212 sport %TCP_OUT_THROUGHPUT ACCEPT;
213 # dport (ftp-data,8888,6699) settos max-throughput ACCEPT;
214 dport (ftp-data,8888,6699) ACCEPT;
215 sport (ftp-data,8888,6699) ACCEPT;
218 # proto tcp dport %TCP_OUT_COST settos min-cost ACCEPT;
222 #####################################################################
226 log-level info logprefix "Dropped";
227 log-level warn fragment log-prefix "FRAGMENT Dropped";
234 log-level info proto tcp logprefix "Denied";
235 log-level warn fragment log-prefix "FRAGMENT Denied";