closed.conf

   1
   2 option iptables
   3 option clearall
   4 option createchains
   5 option automod
   6
   7 ############# Define variables
   8 set IFCONFIG   "/sbin/ifconfig"
   9 set AWK              "/usr/bin/awk"
  10 set GREP             "/bin/grep"
  11 set CAT              "/bin/cat"
  12 set SED              "/bin/sed"
  13
  14 set MASK             "29"  # Our netmask is /29 = 255.255.255.248
  15 set IPS        "64.20.38.170"
  16 set IFS        "eth0"
  17 set IPSPEC     "64.20.38.170/%MASK"
  18
  19 set NSIP       `%CAT /etc/resolv.conf | %GREP nameserver | %AWK '{print $2}'`
  20 #set NTPIP         `%CAT /etc/ntp.conf | %GREP server | %AWK '{print $2}'`
  21
  22 ############# Port/protocol combinations we allow in and out
  23 set TCP_IN         "ssh,smtp,auth,www,ssmtp,https,imap,imaps,pop3,pop3s"
  24 set TCP_OUT_DELAY          "ssh,ftp,auth"
  25 set TCP_OUT_RELIABILITY    "http,nntp,smtp,pop3,auth,domain"
  26 set TCP_OUT_THROUGHPUT     "ftp-data"
  27 #set TCP_OUT_COST          ""
  28
  29 set UDP_IN         "ntp,domain"
  30 set UDP_OUT        "1:65535"
  31
  32 set ICMP_IN        "ping,pong,destination-unreachable,source-quench,time-exceeded,parameter-problem"
  33 set ICMP_OUT     "ping,pong,fragmentation-needed,source-quench,parameter-problem"
  34
  35
  36 # Make us insensitive to the environment
  37
  38 # Allow traffic in areas outside of our scope
  39 policy DROP {
  40         table mangle chain forward;
  41         table filter chain forward;
  42         table filter chain (INPUT,OUTPUT);
  43 }
  44 policy ACCEPT {
  45         table mangle chain (PREROUTING,INPUT,OUTPUT,POSTROUTING);
  46         table nat    chain (PREROUTING,OUTPUT,POSTROUTING);
  47 }
  48
  49 ######################################################################
  50 # Built-in chains that jump to our custom ones
  51
  52 chain INPUT {
  53         state INVALID goto LDROP;
  54         fragment goto LDROP;
  55 #       goto IANA_BAN;
  56 #       goto LOCAL_BAN;
  57         #goto PORTSCAN; # Do we need this? There are better, dedicated tools
  58
  59         state (ESTABLISHED,RELATED) ACCEPT;
  60
  61         if lo saddr 127.0.0.1/8 daddr 127.0.0.1/8 ACCEPT;
  62         if lo saddr %IPSPEC     daddr %IPSPEC     ACCEPT;
  63         if lo goto LDROP;
  64
  65         #incoming traffic
  66         goto badguys;
  67         protocol tcp goto fw_tcp;
  68         protocol udp goto fw_udp;
  69         protocol icmp goto fw_icmp;
  70
  71         goto LDROP;
  72 }
  73
  74 chain OUTPUT {
  75         state INVALID goto LDENY;
  76         fragment goto LDENY;
  77
  78         state (ESTABLISHED,RELATED) ACCEPT;
  79
  80         of lo saddr 127.0.0.1/8 daddr 127.0.0.1/8 ACCEPT;
  81         of lo saddr %IPSPEC     daddr %IPSPEC     ACCEPT;
  82         of lo goto LDENY;
  83
  84         saddr !%IPSPEC goto LDENY;
  85
  86         # again uncomment for trojan horses protection and inside out
  87         # violations....
  88         proto (tcp,udp) sport 14000: goto LDENY;
  89
  90         # queueing goes here, maybe some special fw rules as well
  91         proto tcp goto tosqueue; # ACCEPT must be handled here
  92
  93         proto udp dport %UDP_OUT ACCEPT;
  94         proto icmp icmptype %ICMP_OUT ACCEPT;
  95
  96         goto LDENY;
  97 }
  98
  99 #####################################################################
 100 # Deal with known offenders right away
 101 # Make difference between notorious ones and unusual ones
 102 chain badguys {
 103
 104         saddr(
 105                 # Mailbombing nion's email
 106                 152.163.210.178
 107                 205.188.135.170
 108                 64.12.187.193
 109
 110                 # Executed nion's CGI script 400,000 times
 111                 24.186.165.67
 112
 113                 # docelic, Wed Aug  3 04:18:56 EDT 2005
 114                 # Trying out new server with all kinds of usernames on ssh
 115                 # (All of those seem to be from the same "mastermind")
 116                 211.48.20.153
 117                 62.36.240.114
 118                 62.75.240.62
 119                 210.204.193.1
 120                 84.26.59.170
 121
 122                 # Log says reverse mapping failed for this address
 123                 # (hundreds of entries)
 124                 114.67.19.241
 125         ) {
 126                 DROP;
 127         }
 128 }
 129
 130 #####################################################################
 131 # TCP traffic
 132 chain fw_tcp proto tcp {
 133         # Standard allowances
 134         syn dport %TCP_IN sport 1024: {
 135                 limit 5/s ACCEPT;
 136                 limit 20/m LOG log-prefix "SYN flood attack:" LOG;
 137                 goto LDROP;
 138         }
 139
 140         # Should be covered by (RELATED,ESTABLISHED) ACCEPT above
 141         #dport %TCP_IN accept;
 142
 143         # deny scanning via DNS port
 144         sport domain {
 145                 dport domain ACCEPT;
 146                 syn goto LDROP;
 147         }
 148
 149         # special case to allow active ftp transfers to our machine!
 150         sport ftp-data dport 1024: {
 151                 ACCEPT;
 152         }
 153
 154         # awkward incoming connections
 155         syn {
 156                 goto LDROP;
 157         }
 158
 159         # want to deny inside-out fake stuff? uncomment this:
 160         # (see /proc/sys/net/ipv4/ip_local_port_range ): Tune the file to 13999 !
 161         dport 14000: {
 162                 goto LDROP;
 163         }
 164 }
 165
 166 #####################################################################
 167 # UDP traffic
 168 chain fw_udp proto udp {
 169         # Standard allowances
 170         dport %UDP_IN sport 1024: {
 171                 ACCEPT;
 172         }
 173
 174         # again no dns fumbling around
 175         sport domain dport domain saddr %NSIP {
 176                 ACCEPT;
 177         }
 178 }
 179
 180
 181 #####################################################################
 182 # ICMP traffic
 183 chain fw_icmp proto icmp {
 184         # Standard allowances
 185         icmptype %ICMP_IN {
 186                 ACCEPT;
 187         }
 188
 189         #icmp-type echo-request limit 1/s ACCEPT;
 190         #icmptype ( ping pong destination-unreachable time-exceeded) {
 191         #       ACCEPT;
 192         #}
 193         # never seen hits on this one:
 194 }
 195
 196
 197 #####################################################################
 198 # TOS (Type-of-service) adjustments
 199 chain tosqueue {
 200         protocol tcp {
 201                 # rapid response protocols
 202 #               dport %TCP_OUT_DELAY settos min-delay ACCEPT;
 203                 dport %TCP_OUT_DELAY ACCEPT;
 204                 sport %TCP_OUT_DELAY ACCEPT;
 205                 # keep these from timing out
 206 #               dport %TCP_OUT_RELIABILITY settos max-reliability ACCEPT;
 207                 dport %TCP_OUT_RELIABILITY ACCEPT;
 208                 sport %TCP_OUT_RELIABILITY ACCEPT;
 209                 # bulk stuff
 210 #               dport %TCP_OUT_THROUGHPUT settos max-throughput ACCEPT;
 211                 dport %TCP_OUT_THROUGHPUT ACCEPT;
 212                 sport %TCP_OUT_THROUGHPUT ACCEPT;
 213 #    dport (ftp-data,8888,6699) settos max-throughput ACCEPT;
 214     dport (ftp-data,8888,6699) ACCEPT;
 215     sport (ftp-data,8888,6699) ACCEPT;
 216         }
 217
 218 #       proto tcp dport %TCP_OUT_COST settos min-cost ACCEPT;
 219         goto LDENY;
 220 }
 221
 222 #####################################################################
 223 # Supporting targets
 224 chain LDROP {
 225         LOG {
 226                 log-level info logprefix "Dropped";
 227                 log-level warn fragment log-prefix "FRAGMENT Dropped";
 228         }
 229         DROP;
 230 }
 231
 232 chain LDENY {
 233         LOG {
 234                 log-level info proto tcp logprefix "Denied";
 235                 log-level warn fragment log-prefix "FRAGMENT Denied";
 236         }
 237         DENY;
 238 }
 239