# ferm 1.x-style ruleset (iptables backend). The remaining options are
# ferm run-time switches: clear the existing rules first, create the user
# chains referenced below, and load modules automatically -- confirm their
# exact meaning against the ferm version in use.
2 option iptables
3 option clearall
4 option createchains
5 option automod
6
7 ############# Define variables
# Absolute paths of the helpers used in the backtick expansion below.
# %IFCONFIG and %SED are defined but not referenced anywhere in this file.
8 set IFCONFIG "/sbin/ifconfig"
9 set AWK "/usr/bin/awk"
10 set GREP "/bin/grep"
11 set CAT "/bin/cat"
12 set SED "/bin/sed"
13
14 set MASK "29" # Our netmask is /29 = 255.255.255.248
# Our public address and interface. %IPSPEC repeats the address literally
# instead of using %IPS -- keep the two in sync when the address changes.
# %IPS and %IFS are not referenced elsewhere in this file.
15 set IPS "64.20.38.170"
16 set IFS "eth0"
17 set IPSPEC "64.20.38.170/%MASK"
18
# Resolver address read from /etc/resolv.conf at the time ferm runs; used
# by fw_udp to restrict server-to-server DNS. NOTE(review): if resolv.conf
# lists several nameservers the expansion is multi-line -- confirm ferm
# treats that as a list rather than a single malformed value.
19 set NSIP `%CAT /etc/resolv.conf | %GREP nameserver | %AWK '{print $2}'`
20 #set NTPIP `%CAT /etc/ntp.conf | %GREP server | %AWK '{print $2}'`
21
22 ############# Port/protocol combinations we allow in and out
# Inbound services offered by this host (names presumably resolved via
# /etc/services, as for iptables).
23 set TCP_IN "ssh,smtp,auth,www,ssmtp,https,imap,imaps,pop3,pop3s"
# Outbound TCP grouped by intended TOS class; the settos rules in tosqueue
# are commented out, so these groups currently act only as an allow-list.
24 set TCP_OUT_DELAY "ssh,ftp,auth"
25 set TCP_OUT_RELIABILITY "http,nntp,smtp,pop3,auth,domain"
26 set TCP_OUT_THROUGHPUT "ftp-data"
27 #set TCP_OUT_COST ""
28
29 set UDP_IN "ntp,domain"
# Every port: outbound UDP is effectively unrestricted in OUTPUT.
30 set UDP_OUT "1:65535"
31
# ICMP types accepted in (fw_icmp) and out (OUTPUT); no rate limit applies.
32 set ICMP_IN "ping,pong,destination-unreachable,source-quench,time-exceeded,parameter-problem"
33 set ICMP_OUT "ping,pong,fragmentation-needed,source-quench,parameter-problem"
34
35
36 # Make the result independent of whatever rule set was in place before
37
38 # Default policies: drop in the filter chains we manage, accept in the mangle/nat chains that are outside our scope
# Backstop only: INPUT and OUTPUT below end in an explicit goto to a
# logging chain, so this policy is reached by forwarded traffic (no
# forward rules exist in this file) and by nothing else in normal operation.
39 policy DROP {
40 table mangle chain forward;
41 table filter chain forward;
42 table filter chain (INPUT,OUTPUT);
43 }
# mangle and nat are not used by this ruleset; leave them wide open so
# they cannot interfere with the filter decisions.
44 policy ACCEPT {
45 table mangle chain (PREROUTING,INPUT,OUTPUT,POSTROUTING);
46 table nat chain (PREROUTING,OUTPUT,POSTROUTING);
47 }
48
49 ######################################################################
50 # Built-in chains that jump to our custom ones
51
# filter INPUT: first match wins, so the order below is significant.
# Anything not accepted ends in LDROP (logged drop); the DROP policy set
# above is only a backstop.
52 chain INPUT {
53 state INVALID goto LDROP;
54 fragment goto LDROP;
# The chains named in the three commented-out jumps are not defined in
# this file; re-enabling them requires adding the chains as well.
55 # goto IANA_BAN;
56 # goto LOCAL_BAN;
57 #goto PORTSCAN; # Do we need this? There are better, dedicated tools
58
# Replies to flows we opened (and related ones) are accepted here, before
# the blocklist; the per-protocol chains below therefore only see new
# traffic.
59 state (ESTABLISHED,RELATED) ACCEPT;
60
# Loopback: only 127/8 or our own address may talk to itself over lo;
# anything else arriving on lo is logged and dropped.
61 if lo saddr 127.0.0.1/8 daddr 127.0.0.1/8 ACCEPT;
62 if lo saddr %IPSPEC daddr %IPSPEC ACCEPT;
63 if lo goto LDROP;
64
# New inbound traffic: blocklist first, then dispatch by protocol. These
# gotos are presumably jumps, so a chain that matches nothing returns here
# and the final LDROP applies -- confirm for this ferm version.
65 #incoming traffic
66 goto badguys;
67 protocol tcp goto fw_tcp;
68 protocol udp goto fw_udp;
69 protocol icmp goto fw_icmp;
70
71 goto LDROP;
72 }
73
# filter OUTPUT: same shape as INPUT, but unmatched traffic goes to LDENY.
74 chain OUTPUT {
75 state INVALID goto LDENY;
76 fragment goto LDENY;
77
78 state (ESTABLISHED,RELATED) ACCEPT;
79
# Loopback. NOTE(review): unlike INPUT, the second rule does not restrict
# daddr, so any packet from our own address leaving via lo is accepted.
80 of lo saddr 127.0.0.1/8 daddr 127.0.0.1/8 ACCEPT;
81 of lo saddr %IPSPEC ACCEPT;
82 of lo goto LDENY;
83
# All outbound TCP is decided in tosqueue, which ends in LDENY itself, so
# TCP never reaches the final goto below. UDP is allowed to every
# destination port (%UDP_OUT = 1:65535); ICMP only for the %ICMP_OUT types.
84 # queueing goes here, maybe some special fw rules as well
85 proto tcp goto tosqueue; # ACCEPT must be handled here
86
87 proto udp dport %UDP_OUT ACCEPT;
88 proto icmp icmptype %ICMP_OUT ACCEPT;
89
90 goto LDENY;
91 }
92
93 #####################################################################
94 # Deal with known offenders right away
95 # Distinguish the notorious ones from the merely unusual ones
# Static source-address blocklist, reached from INPUT after the
# ESTABLISHED,RELATED accept, so only new flows from these hosts are
# affected. Matches use a plain DROP rather than LDROP and therefore leave
# no log entry. The entries date from 2005 and never expire; review them
# periodically rather than letting the list grow indefinitely.
96 chain badguys {
97
98 saddr(
99 # Mailbombing nion's email
100 152.163.210.178
101 205.188.135.170
102 64.12.187.193
103
104 # Executed nion's CGI script 400,000 times
105 24.186.165.67
106
107 # docelic, Wed Aug 3 04:18:56 EDT 2005
108 # Trying out new server with all kinds of usernames on ssh
109 # (All of those seem to be from the same "mastermind")
110 211.48.20.153
111 62.36.240.114
112 62.75.240.62
113 210.204.193.1
114 84.26.59.170
115 # docelic, Sun Aug 21 01:29:10 EDT 2005
116 63.76.235.2
117 80.48.31.252
118 220.194.55.126
119 163.26.229.131
120 201.6.223.150
121 64.34.171.56
122 82.177.98.1
123 61.185.219.23
124 62.62.224.184
125 212.0.107.141
126 60.248.227.34
127 63.246.10.45
128 # docelic, Sun Aug 21 22:14:15 EDT 2005
129 210.184.124.11
130 210.238.188.155
131 63.247.76.10
132
133 # Log says reverse mapping failed for this address
134 # (hundreds of entries)
135 114.67.19.241
136 ) {
137 DROP;
138 }
139 }
140
141 #####################################################################
142 # TCP traffic
# Inbound TCP, new traffic only (established flows were accepted in
# INPUT). Whatever is not matched here returns to INPUT and ends in LDROP.
143 chain fw_tcp proto tcp {
144 # Standard allowances
# New connections to our public services from unprivileged source ports,
# rate-limited: beyond 5 SYN/s they are logged (at most 20 per minute)
# and dropped. NOTE(review): the LOG line names LOG twice -- confirm this
# ferm version accepts it and emits a single LOG rule.
145 syn dport %TCP_IN sport 1024: {
146 limit 5/s ACCEPT;
147 limit 20/m LOG log-prefix "SYN flood attack:" LOG;
148 goto LDROP;
149 }
150
151 # Should be covered by (RELATED,ESTABLISHED) ACCEPT above
152 #dport %TCP_IN accept;
153
# Source port 53: server-to-server DNS over TCP is allowed; a SYN from
# sport 53 to any other port is treated as a scan and dropped.
154 # deny scanning via DNS port
155 sport domain {
156 dport domain ACCEPT;
157 syn goto LDROP;
158 }
159
# NOTE(review): this rule trusts the remote source port, which the remote
# side chooses freely, so it opens every unprivileged local port to new
# connections arriving from sport 20. With the ESTABLISHED,RELATED accept
# in INPUT and the conntrack ftp helper loaded, active-FTP data
# connections are already covered; consider removing this rule.
160 # special case to allow active ftp transfers to our machine!
161 sport ftp-data dport 1024: {
162 ACCEPT;
163 }
164
# Any other new inbound connection is logged and dropped.
165 # awkward incoming connections
166 syn {
167 goto LDROP;
168 }
169
# Non-SYN packets to ports above our ephemeral range cannot belong to a
# connection we opened, provided ip_local_port_range ends at 13999, so
# they are forged; log and drop them. This rule is ACTIVE (not commented
# out), so the sysctl tuning below must actually be applied.
170 # deny inside-out fake stuff (to disable, comment out the rule below):
171 # (see /proc/sys/net/ipv4/ip_local_port_range ): Tune the file to 13999 !
172 dport 14000: {
173 goto LDROP;
174 }
175 }
176
177 #####################################################################
178 # UDP traffic
# Inbound UDP, new flows only. Both rules require the remote side to use
# an expected source port; anything else returns to INPUT and ends in
# LDROP. Unlike fw_tcp there is no rate limit on accepted traffic.
179 chain fw_udp proto udp {
180 # Standard allowances
# Queries to our NTP/DNS services from unprivileged source ports.
181 dport %UDP_IN sport 1024: {
182 ACCEPT;
183 }
184
# Server-to-server DNS (sport 53 -> dport 53), only from the resolvers
# that /etc/resolv.conf listed when the rules were generated (%NSIP).
185 # again no dns fumbling around
186 sport domain dport domain saddr %NSIP {
187 ACCEPT;
188 }
189 }
190
191
192 #####################################################################
193 # ICMP traffic
# Inbound ICMP: only the %ICMP_IN types, with no rate limit; anything
# else returns to INPUT and ends in LDROP.
194 chain fw_icmp proto icmp {
195 # Standard allowances
196 icmptype %ICMP_IN {
197 ACCEPT;
198 }
199
# Earlier, rate-limited variant kept for reference only.
200 #icmp-type echo-request limit 1/s ACCEPT;
201 #icmptype ( ping pong destination-unreachable time-exceeded) {
202 # ACCEPT;
203 #}
204 # (the variant above never got any hits while it was enabled)
205 }
206
207
208 #####################################################################
209 # TOS (Type-of-service) adjustments
# Outbound TCP policy, reached from OUTPUT for all TCP. The settos lines
# are commented out, so this chain is currently a plain allow-list of
# outbound destination/source ports; everything else (including new
# connections to ports not listed) is logged and denied via LDENY.
# The sport rules accept packets leaving from our own service ports
# regardless of connection state.
210 chain tosqueue {
211 protocol tcp {
212 # rapid response protocols
213 # dport %TCP_OUT_DELAY settos min-delay ACCEPT;
214 dport %TCP_OUT_DELAY ACCEPT;
215 sport %TCP_OUT_DELAY ACCEPT;
216 # keep these from timing out
217 # dport %TCP_OUT_RELIABILITY settos max-reliability ACCEPT;
218 dport %TCP_OUT_RELIABILITY ACCEPT;
219 sport %TCP_OUT_RELIABILITY ACCEPT;
220 # bulk stuff
221 # dport %TCP_OUT_THROUGHPUT settos max-throughput ACCEPT;
222 dport %TCP_OUT_THROUGHPUT ACCEPT;
223 sport %TCP_OUT_THROUGHPUT ACCEPT;
# Literal port list duplicating ftp-data from %TCP_OUT_THROUGHPUT; 8888 and
# 6699 are not named in any variable, so their purpose is not recorded here.
224 # dport (ftp-data,8888,6699) settos max-throughput ACCEPT;
225 dport (ftp-data,8888,6699) ACCEPT;
226 sport (ftp-data,8888,6699) ACCEPT;
227 }
228
229 # proto tcp dport %TCP_OUT_COST settos min-cost ACCEPT;
230 goto LDENY;
231 }
232
233 #####################################################################
234 # Supporting targets
# Log-then-drop target used by INPUT and the fw_* chains. The first LOG
# rule has no match, so fragments are logged twice (info, then warn with
# the FRAGMENT prefix). Neither rule is rate-limited, so a flood of
# dropped packets can fill the log; consider adding a limit match.
# NOTE(review): "logprefix" here vs "log-prefix" on the next line --
# confirm this ferm version accepts both spellings.
235 chain LDROP {
236 LOG {
237 log-level info logprefix "Dropped";
238 log-level warn fragment log-prefix "FRAGMENT Dropped";
239 }
240 DROP;
241 }
242
# Log-then-deny target used by OUTPUT and tosqueue. Only TCP (info) and
# fragments (warn) are logged; denied outbound UDP/ICMP leaves no log
# entry. Logging is not rate-limited. DENY is a ferm 1.x target name --
# confirm which iptables target it is translated to.
# NOTE(review): "logprefix" here vs "log-prefix" on the next line --
# confirm this ferm version accepts both spellings.
243 chain LDENY {
244 LOG {
245 log-level info proto tcp logprefix "Denied";
246 log-level warn fragment log-prefix "FRAGMENT Denied";
247 }
248 DENY;
249 }