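############# Define variables
# External tools. The backtick commands further down spell their paths out
# literally instead of using these variables; presumably they are kept for
# the included *.conf files.
def $IFCONFIG = "/sbin/ifconfig";
def $AWK = "/usr/bin/awk";
def $GREP = "/bin/grep";
def $CAT = "/bin/cat";
def $SED = "/bin/sed";

def $MASK = 29; # Our netmask is /29 = 255.255.255.248
def $IPS = 64.20.38.170;
# Built from $IPS so the address is written in exactly one place and the two
# definitions cannot drift apart (the literal used to be repeated here).
def $IPSPEC = "$IPS/$MASK";

# Backtick values are produced by running the command when ferm loads the
# ruleset, and the output becomes match arguments: these files are trusted
# input, and a change to them only takes effect on the next reload. Every
# 'nameserver' line of resolv.conf is collected, so $NSIP may be a list.
def $NSIP = `/bin/cat /etc/resolv.conf | /bin/grep nameserver | /usr/bin/awk '{print $2}'`;
#set NTPIP `$CAT /etc/ntp.conf | $GREP server | $AWK '{print $2}'`

# Addresses printed by the local blocklist script; matched with saddr below.
# NOTE(review): confirm how ferm treats that saddr match when the script
# prints nothing.
def $BADGUYS = `/etc/firewall/print_badguys`;

############# Port/protocol combinations we allow in and out
def $TCP_IN = (ssh smtp auth www ssmtp https imap imaps pop3 pop3s);
def $TCP_OUT_DELAY = (ssh ftp auth);
def $TCP_OUT_RELIABILITY = (http nntp smtp pop3 auth domain);
def $TCP_OUT_THROUGHPUT = (ftp-data);

def $UDP_IN = (ntp domain);
def $UDP_OUT = 1:65535; # every destination port: outbound UDP is not restricted

# echo request/reply plus the error-reporting types
def $ICMP_IN = (ping pong destination-unreachable source-quench time-exceeded parameter-problem);
def $ICMP_OUT = (ping pong fragmentation-needed source-quench parameter-problem);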
# Make us insensitive to the environment: the filter table denies by default,
# so only traffic explicitly accepted by the chains below gets through. The
# mangle FORWARD chain is closed as well, since this host does not route.
table filter {
    chain INPUT   policy DROP;
    chain OUTPUT  policy DROP;
    chain FORWARD policy DROP;
}
table mangle chain FORWARD policy DROP;

# Allow traffic in areas outside of our scope: the remaining mangle and nat
# chains stay open, no rules of ours live there.
table mangle {
    chain PREROUTING  policy ACCEPT;
    chain INPUT       policy ACCEPT;
    chain OUTPUT      policy ACCEPT;
    chain POSTROUTING policy ACCEPT;
}
table nat {
    chain PREROUTING  policy ACCEPT;
    chain OUTPUT      policy ACCEPT;
    chain POSTROUTING policy ACCEPT;
}
46 ######################################################################
47 # Built-in chains that jump to our custom ones
# NOTE(review): the chain header and several rules (gutter 48-49, 51-53, 55,
# 57, 60-63) are not part of this excerpt; 'if lo' (in-interface) and the
# 'goto fw_*' dispatch read like the filter INPUT chain -- confirm against the
# full file.
50 state INVALID goto ldrop;
# Packets conntrack cannot associate with any connection go to ldrop, which by
# its name logs and drops (definition not visible here).
54 #goto PORTSCAN; # Do we need this? There are better, dedicated tools
56 state (ESTABLISHED RELATED) ACCEPT;
# Replies to flows we already know, and helper-tracked related flows, are
# accepted before any per-protocol filtering.
58 if lo saddr 127.0.0.1/8 daddr 127.0.0.1/8 ACCEPT;
# Loopback only when it actually arrives on 'lo'; 127/8 claimed on another
# interface does not match this rule. iptables stores 127.0.0.1/8 as the
# network 127.0.0.0/8 -- writing 127.0.0.0/8 says what is meant.
59 if lo saddr $IPSPEC daddr $IPSPEC ACCEPT;
# Local processes talking to our own public address over lo.
64 protocol tcp goto fw_tcp;
65 protocol udp goto fw_udp;
66 protocol icmp goto fw_icmp;
# These are goto (iptables -g), not jump: a packet that reaches the end of a
# fw_* chain without a verdict does not come back here, it ends with this
# chain's policy. Other IP protocols get no goto and fall through to whatever
# follows in the chain.
72 state INVALID goto lreject;
# NOTE(review): the chain header (gutter 67-71) is not in this excerpt; 'of lo'
# (out-interface) and the tosqueue dispatch read like the filter OUTPUT chain
# -- confirm against the full file.
73 fragment goto lreject;
# Locally generated fragments are refused; lreject by its name logs and
# REJECTs (definition not visible here).
75 state (ESTABLISHED RELATED) ACCEPT;
77 of lo saddr 127.0.0.1/8 daddr 127.0.0.1/8 ACCEPT;
78 of lo saddr $IPSPEC ACCEPT;
# Unlike the inbound counterpart there is no daddr restriction; an out-interface
# of lo generally already implies a local destination.
81 # queueing goes here, maybe some special fw rules as well
82 proto tcp goto tosqueue; # ACCEPT must be handled here
# goto (iptables -g): new outbound TCP that tosqueue does not ACCEPT does not
# return to this chain, it ends with the chain policy -- hence the remark.
84 proto udp dport $UDP_OUT ACCEPT;
# $UDP_OUT is 1:65535 -- every outbound UDP datagram is allowed, sport unchecked.
85 proto icmp icmp-type $ICMP_OUT ACCEPT;
90 #####################################################################
91 # Deal with known offenders right away
92 # Make difference between notorious ones and unusual ones
# NOTE(review): only one tier is visible here, the distinction above is not
# implemented in this excerpt; the chain this rule belongs to is not visible
# either, so its position relative to the ESTABLISHED rule is unknown.
94 saddr $BADGUYS REJECT;
# $BADGUYS is whatever /etc/firewall/print_badguys printed at load time.
# REJECT answers the sender and thereby confirms the host is up; DROP is the
# quieter choice for an address list that is blocked on purpose.
97 #####################################################################
99 chain fw_tcp proto tcp {
# Reached via goto from the inbound chain: whatever is not ACCEPTed here ends
# with the policy of the chain that made the goto. Most of the chain body
# (gutter 102, 104-106, 108-112, 115-117, 119, 121-125) is not in this excerpt.
100 # Standard allowances
101 syn dport $TCP_IN sport 1024: {
# New connections to our listed services, only from client ports >= 1024; a
# client using a source port below 1024 is refused even for a listed service.
103 limit 20/m LOG log-prefix "SYN flood attack:";
# Logs at most 20 matching SYNs per minute. NOTE(review): unless a rate-limited
# ACCEPT precedes this line (gutter 102 is missing), every ordinary new
# connection is logged under a "SYN flood attack:" prefix -- confirm.
107 # deny scanning via DNS port
113 # special case to allow active ftp transfers to our machine!
114 sport ftp-data dport 1024: {
# Matches solely on source port 20, which any remote peer can choose; if the
# (invisible) block body ACCEPTs unconditionally, every local port >= 1024 is
# reachable that way. With the conntrack FTP helper loaded, the
# ESTABLISHED/RELATED rule in the calling chain already covers active-mode
# data connections -- consider whether this block is still needed.
118 include 'users_tcp_in.conf';
# Site-specific inbound TCP rules, evaluated after the standard allowances.
120 # awkward incoming connections
126 #####################################################################
128 chain fw_udp proto udp {
129 # Standard allowances
130 dport $UDP_IN sport 1024: {
# Queries to our NTP and DNS services from client ports >= 1024; the block body
# (gutter 131-133) is not in this excerpt. Replies to queries we send out are
# covered by the ESTABLISHED rule in the calling chain, not here.
134 # again no dns fumbling around
135 sport domain dport domain saddr $NSIP {
# Server-to-server DNS (53 -> 53), restricted to the resolvers that were listed
# in /etc/resolv.conf when the ruleset was loaded; a changed resolv.conf needs
# a reload. Block body (gutter 136-140) not in this excerpt.
141 #####################################################################
143 chain fw_icmp proto icmp {
144 # Standard allowances
# The live rules of this chain (gutter 145-148, 151-152, 154-156) are not in
# this excerpt; only commented-out alternatives survive. Presumably they match
# on $ICMP_IN defined above -- confirm.
149 #icmp-type echo-request limit 1/s ACCEPT;
# Kept as a reminder: a rate-limited echo-request rule is the way to stay
# pingable without answering unlimited probes.
150 #icmptype ( ping pong destination-unreachable time-exceeded) {
153 # never seen hits on this one:
157 #####################################################################
158 # TOS (Type-of-service) adjustments
# NOTE(review): the chain header (gutter 159-160) is not in this excerpt.
# Every settos line below is commented out, so no TOS marking happens at all:
# what remains is a plain outbound TCP allow-list, reached via goto from the
# output chain, where anything not ACCEPTed ends with that chain's policy.
161 # rapid response protocols
162 # dport $TCP_OUT_DELAY settos min-delay ACCEPT;
163 dport $TCP_OUT_DELAY ACCEPT;
164 sport $TCP_OUT_DELAY ACCEPT;
# The sport variants accept outbound packets by *source* port regardless of
# destination. Replies are already covered by the ESTABLISHED rule in the
# calling chain, so what these add is new outbound traffic that happens to
# originate from these ports -- presumably belt-and-braces; confirm intent.
165 # keep these from timing out
166 # dport $TCP_OUT_RELIABILITY settos max-reliability ACCEPT;
167 dport $TCP_OUT_RELIABILITY ACCEPT;
168 sport $TCP_OUT_RELIABILITY ACCEPT;
170 # dport $TCP_OUT_THROUGHPUT settos max-throughput ACCEPT;
171 dport $TCP_OUT_THROUGHPUT ACCEPT;
172 sport $TCP_OUT_THROUGHPUT ACCEPT;
173 # dport (ftp-data 8888 6699) settos max-throughput ACCEPT;
# 8888 and 6699 are literal port numbers with no variable; naming them in the
# definitions block would document what they are for.
174 dport (ftp-data 8888 6699) ACCEPT;
175 sport (ftp-data 8888 6699) ACCEPT;
178 # proto tcp dport $TCP_OUT_COST settos min-cost ACCEPT;
# $TCP_OUT_COST is not among the variables defined above; harmless while
# commented out, but it would fail to load if re-enabled as is.
180 include 'users_tcp_out.conf';
# Site-specific outbound TCP rules, evaluated after the allow-list above.
185 #####################################################################
# NOTE(review): the ldrop / lreject chain headers (gutter 186-188, 191-196)
# are not in this excerpt; the first pair of log lines reads like ldrop, the
# second like lreject -- confirm.
189 log-level info log-prefix "Dropped";
190 log-level warn fragment log-prefix "FRAGMENT Dropped";
# No 'limit' on these log rules: a flood of dropped packets becomes a flood of
# kernel log lines. A 'limit' match in front of each is the usual guard.
# Also confirm these lines really yield a LOG rule as written; ferm's LOG
# target is normally spelled 'LOG log-level info log-prefix "..."'.
197 log-level info proto tcp log-prefix "Denied";
198 log-level warn fragment log-prefix "FRAGMENT Denied";
# Note the 'proto tcp': only TCP denials are logged at info level here;
# non-fragment UDP/ICMP traffic reaching this chain is not logged by this line.
203 include 'users.conf';
# Processed at this point in the file, i.e. after every chain defined above.