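# ferm firewall ruleset (ferm 1.x syntax: option / set / %VAR / goto).
# Rule order is significant: within a chain the first rule whose match
# applies and whose target is terminal (ACCEPT/DROP/DENY) ends processing.
#
# Fix vs. the text as given: chain fw_tcp had no closing brace, so its
# body ran straight into "chain fw_udp"; the brace is restored below.
# Everything else is unchanged apart from comments.

# Option names read as: emit iptables rules, flush existing rules first,
# create the user-defined chains referenced below, and auto-load kernel
# modules — presumably; confirm against the docs of the ferm version in use.
option iptables
option clearall
option createchains
option automod

############# Define variables
# Helper binaries used by the backtick expansions below.
# NOTE(review): %IFCONFIG and %SED are never referenced in this file.
set IFCONFIG "/sbin/ifconfig"
set AWK "/usr/bin/awk"
set GREP "/bin/grep"
set CAT "/bin/cat"
set SED "/bin/sed"

set MASK "29"   # Our netmask is /29 = 255.255.255.248
# NOTE(review): %IPS is never referenced; IPSPEC repeats the address as a
# literal instead of using %IPS, so the two must be kept in sync by hand.
set IPS "64.20.38.170"
set IFS "eth0"
# Used by OUTPUT as the egress anti-spoof source match. Because it carries
# the /29 mask, any source inside that /29 passes, not only this host.
set IPSPEC "64.20.38.170/%MASK"
# Backticks run a shell pipeline at rule-generation time, so this reads
# /etc/resolv.conf on the build host. NOTE(review): %NSIP is never used.
set NSIP `%CAT /etc/resolv.conf | %GREP nameserver | %AWK '{print $2}'`
#set NTPIP `%CAT /etc/ntp.conf | %GREP server | %AWK '{print $2}'`

############# Port/protocol combinations we allow in and out
# Inbound TCP services accepted for new connections (see fw_tcp).
set TCP_IN "ssh,smtp,auth,www,ssmtp,https,imap,imaps,pop3,pop3s"
# NOTE(review): %TCP_OUT is never referenced; outbound TCP is accepted
# unconditionally by chain tosqueue (see OUTPUT), so this value has no effect.
set TCP_OUT "1:65535"
set UDP_IN "ntp"
set UDP_OUT "1:65535"
# Inbound ICMP types accepted with no rate limit (the 1/s limit for
# echo-request in fw_icmp is commented out).
set ICMP_IN "ping,pong,destination-unreachable,source-quench,time-exceeded,parameter-problem"
set ICMP_OUT "ping,pong,fragmentation-needed,source-quench,parameter-problem"

# Make us insensitive to the environment
# Default-deny in every table: whatever the chains below do not explicitly
# accept is dropped (inbound/forward) or denied (outbound).
policy DROP {
    table filter chain (INPUT FORWARD);
    table mangle chain (PREROUTING);
    table nat chain (PREROUTING POSTROUTING);
}
# NOTE(review): DENY is the ipchains-era target name; confirm how the ferm
# version in use maps it under "option iptables" (it is used as a target
# throughout OUTPUT and in LDENY).
policy DENY {
    table filter chain (OUTPUT);
    table mangle chain (OUTPUT);
    table nat chain (OUTPUT);
}

######################################################################
# Built-in chains that jump to our custom ones

# Inbound: sanity checks and port-scan signatures first (PORTSCAN runs
# before the state shortcut, so it sees every packet), then the stateful
# ACCEPT, then per-interface handling. Packets arriving on an interface
# other than lo/ppp0/%IFS, and %IFS packets that no sub-chain accepts,
# fall through to the DROP policy without being logged.
chain INPUT {
    # Chain UNUSUAL only logs; the trailing DROP is what discards the
    # packet — presumably applied once the sub-chain returns.
    state INVALID goto UNUSUAL DROP;
    fragment goto UNUSUAL DROP;
    # goto IANA_BAN;
    # goto LOCAL_BAN;
    goto PORTSCAN;
    state (ESTABLISHED,RELATED) ACCEPT;
    if lo saddr 127.0.0.1/8 daddr 127.0.0.1/8 ACCEPT;
    if lo goto UNUSUAL DROP;
    # NOTE(review): everything arriving on ppp0 is accepted with no port,
    # protocol or state filtering; confirm that link is trusted.
    if ppp0 ACCEPT;
    #incoming traffic, separate by interface
    if %IFS {
        goto badguys;
        protocol tcp goto fw_tcp;
        protocol udp goto fw_udp;
        protocol icmp goto fw_icmp;
    }
}

# Outbound: mirror of INPUT plus an egress anti-spoof check.
chain OUTPUT {
    state INVALID goto UNUSUAL DENY;
    fragment goto UNUSUAL DENY;
    state (ESTABLISHED,RELATED) ACCEPT;
    of lo saddr 127.0.0.1/8 daddr 127.0.0.1/8 ACCEPT;
    of lo goto UNUSUAL DENY;
    of ppp0 ACCEPT;
    # Egress anti-spoof: anything not sourced from our /29 is logged and denied.
    saddr !%IPSPEC goto UNUSUAL DENY;
    # again uncomment for trojan horses protection and inside out
    # violations....
    # Only packets not already ESTABLISHED/RELATED reach this point, so this
    # denies new outbound flows whose local port is 14000 or above — hence
    # the ip_local_port_range tuning mentioned in fw_tcp.
    proto (tcp,udp) sport 14000: goto LDENY;
    # queueing goes here, maybe some special fw rules as well
    # tosqueue ends every branch in ACCEPT, so this is the effective
    # outbound-TCP allow rule (no dport restriction).
    proto tcp goto tosqueue;
    # ACCEPT must be handled here
    proto udp dport %UDP_OUT ACCEPT;
    proto icmp icmptype %ICMP_OUT ACCEPT;
}

#####################################################################
# Deal with known offenders right away
# Make difference between notorious ones and unusual ones
# Silent DROP (nothing logged) for the listed sources. NOTE(review): only
# 10/8 is treated as a bogon here; the other RFC 1918 ranges are not, and
# the IANA_BAN hook is commented out. The 123.45.6.x lines read like
# placeholders but are live rules as written.
chain badguys {
    #saddr spammer.net.com DROP; # you may specify computer names as well
    saddr 10/8 DROP; # or network addresses like this impossible one
    daddr 10/8 DROP; # maybe even from guys fooling you around
    saddr 123.45.6.78 DROP; # a single machine, very bad
    saddr 123.45.6/24 DROP; # better to include the entire subnet
    saddr(
        # Mailbombing nion's email
        152.163.210.178
        205.188.135.170
        64.12.187.193
        # Executed nion's CGI script 400,000 times
        24.186.165.67
        # docelic, Wed Aug 3 04:18:56 EDT 2005
        # Trying out new server with all kinds of usernames on ssh
        # (All of those seem to be from the same "mastermind")
        211.48.20.153
        62.36.240.114
        62.75.240.62
        210.204.193.1
        84.26.59.170
        # Log says reverse mapping failed for this address
        # (hundreds of entries)
        114.67.19.241
    ) {
        DROP;
    }
}

#####################################################################
# TCP traffic
# Reached only for TCP on %IFS that INPUT did not already accept as
# ESTABLISHED/RELATED, i.e. new or untracked packets.
chain fw_tcp proto tcp {
    # Standard allowances
    # New connections to our published services from unprivileged source
    # ports: accepted up to 200 SYN/s; beyond that, logged (at most 5/min)
    # and dropped. Whether a burst allowance applies depends on ferm's
    # limit defaults — not visible here.
    syn dport %TCP_IN sport 1024: {
        limit 200/s ACCEPT;
        # NOTE(review): "LOG ... LOG" — the first LOG token looks like a
        # typo; confirm the generated rule is a single LOG.
        limit 5/m LOG log-prefix "SYN flood attack:" LOG;
        DROP;
    }
    # drop all syns: (incoming connections)
    # Terminal for every remaining SYN; the later "syn" rules in this
    # chain can therefore never match.
    syn {
        log-prefix "tcp SYN Dropped" LOG;
        DROP;
    }
    # Non-SYN packets to privileged ports (this includes port 53, so the
    # "dport domain ACCEPT" below is unreachable).
    dport :1023 {
        log-prefix "TCP packet not syn std port" LOG;
        DROP;
    }
    # deny scanning via DNS port
    # NOTE(review): this whole block is dead code given the two rules above.
    sport domain {
        dport domain ACCEPT;
        syn goto LDENY;
    }
    # special case to allow active ftp transfers to our machine!
    # NOTE(review): this trusts the source port alone, which the remote
    # side chooses; any non-SYN, untracked packet from port 20 to a high
    # port is admitted. The ESTABLISHED,RELATED rule in INPUT (with the
    # kernel's FTP connection-tracking helper loaded) is the safer way to
    # admit active-FTP data connections.
    sport ftp-data dport 1024: {
        ACCEPT;
    }
    # awkward incoming connections
    # NOTE(review): unreachable — all SYNs were dropped above.
    syn {
        goto LDENY;
    }
    # lock suid ports
    sport :1023 {
        goto LDENY;
    }
    # want to deny inside-out fake stuff? uncomment this:
    # (see /proc/sys/net/ipv4/ip_local_port_range ): Tune the file to 13999 !
    # NOTE(review): despite "uncomment this", the rule is active as written;
    # confirm that is intended. Packets that match nothing in this chain
    # (non-SYN, sport >= 1024, dport 1024-13999) return to INPUT and hit the
    # DROP policy without any log line.
    dport 14000: { goto LDENY; }
}

#####################################################################
# UDP traffic
# Untracked UDP on %IFS; everything but NTP from high source ports is denied.
chain fw_udp proto udp {
    # Standard allowances
    dport %UDP_IN sport 1024: {
        ACCEPT;
    }
    # again no dns fumbling around
    #sport domain dport domain saddr (**DNS IPS**) {
    #    ACCEPT;
    #}
    # NOTE(review): LDENY only logs TCP, so UDP denied here leaves no trace.
    goto LDENY;
}

#####################################################################
# ICMP traffic
# Untracked ICMP on %IFS; listed types accepted unlimited, the rest denied.
chain fw_icmp proto icmp {
    # Standard allowances
    icmptype %ICMP_IN {
        ACCEPT;
    }
    #icmp-type echo-request limit 1/s ACCEPT;
    #icmptype ( ping pong destination-unreachable time-exceeded) {
    #    ACCEPT;
    #}
    # never seen hits on this one:
    # NOTE(review): as with UDP, ICMP denials are not logged by LDENY.
    goto LDENY;
}

#####################################################################
# TOS (Type-of-service) adjustments
# Called from OUTPUT for all TCP. Every branch ends in ACCEPT and the final
# rule has no match, so all TCP passing through here is accepted.
# "reverse" is not defined in this file — confirm its meaning for the ferm
# version in use before relying on which port the dport matches refer to.
chain tosqueue {
    protocol tcp reverse {
        # rapid response protocols
        dport (ssh,ftp) settos min-delay ACCEPT;
        # keep these from timing out
        dport (http,nntp,smtp,pop3,auth,domain) settos max-reliability ACCEPT;
        # bulk stuff
        dport (ftp-data,napster,napserv) settos max-throughput ACCEPT;
        dport (ftp-data,8888,6699) settos max-throughput ACCEPT;
    }
    # remove any bits set by clients for different
    # protocols, since they might be tricking their
    # packets into a unfair priority... It wouldn't
    # surprise me if IE uses this... :-O
    settos min-cost ACCEPT;
}

#####################################################################
# Supporting targets
# NOTE(review): "logprefix" and "log-prefix" are both used in this file;
# confirm the ferm version accepts both spellings. The fragment log lines
# in LDROP/LDENY cannot fire from INPUT/OUTPUT, which drop fragments first.

# NOTE(review): LDROP is never referenced (callers use LDENY/UNUSUAL).
chain LDROP {
    LOG {
        log-level info logprefix "Dropped";
        log-level warn fragment log-prefix "FRAGMENT Dropped";
    }
    DROP;
}

# Log-only chain; the caller supplies the terminal target (goto UNUSUAL DROP/DENY).
chain UNUSUAL {
    LOG {
        log-level info logprefix "Unusual";
    }
}

# Log-and-deny. Only TCP is logged at info level, so UDP/ICMP sent here
# by fw_udp/fw_icmp are denied silently — a gap for detection.
chain LDENY {
    LOG {
        log-level info proto tcp logprefix "Denied";
        log-level warn fragment log-prefix "FRAGMENT Denied";
    }
    DENY;
}

# NOTE(review): TCPACCEPT and UDPACCEPT are defined but never referenced.
chain TCPACCEPT {
    proto tcp {
        syn limit 100/s ACCEPT;
        ! syn ACCEPT;
    }
    logprefix "Mismatch in TCPACCEPT" LOG;
    DENY;
}

chain UDPACCEPT {
    proto udp ACCEPT;
    logprefix "Mismatch in UDPACCEPT" LOG;
    DENY;
}

# NOTE(review): %IANA_BANS and %LOCAL_BANS are not defined in this file;
# define them before re-enabling these chains and the gotos in INPUT.
#chain IANA_BAN {
#    saddr %IANA_BANS DROP;
#}
#
#chain LOCAL_BAN {
#    saddr %LOCAL_BANS DROP;
#}

# Flag-combination signatures. In each block the limit throttles only the
# LOG rule (5/min); the DROP that follows applies to every matching packet.
chain PORTSCAN {
    proto tcp {
        tcp-flags FIN:SYN:RST:PSH:ACK:URG NONE {
            limit 5/min log-prefix "NULL SCAN:" log-level 5 log-tcp-options log-ip-options LOG;
            DROP;
        }
        tcp-flags FIN:SYN:RST:PSH:ACK:URG FIN:PSH:URG {
            limit 5/min log-prefix "NMAP-XMAS Portscan:" log-level 5 LOG;
            DROP;
        }
        tcp-flags SYN:RST SYN:RST {
            limit 5/min log-prefix "SYN/RST Portscan:" log-level 5 LOG;
            DROP;
        }
        tcp-flags FIN:SYN FIN:SYN {
            limit 5/min log-prefix "SYN/FIN Portscan:" log-level 5 LOG;
            DROP;
        }
    }
}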