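option iptables
option clearall
option createchains
option automod

############# Define variables
# Absolute tool paths for the backtick expansions below (no PATH lookup).
# IFCONFIG and SED are not used in this file; kept in case other files read them.
set IFCONFIG "/sbin/ifconfig"
set AWK      "/usr/bin/awk"
set GREP     "/bin/grep"
set CAT      "/bin/cat"
set SED      "/bin/sed"

set MASK   "29"                 # Our netmask is /29 = 255.255.255.248
set IPS    "64.20.38.170"
set IFS    "eth0"
set IPSPEC "%IPS/%MASK"         # derived from IPS/MASK so the address is written once
# Resolver address, read at load time.
# NOTE(review): more than one "nameserver" line yields several values here;
# confirm ferm expands that as an address list.
set NSIP  `%CAT /etc/resolv.conf | %GREP nameserver | %AWK '{print $2}'`
#set NTPIP `%CAT /etc/ntp.conf | %GREP server | %AWK '{print $2}'`

############# Port/protocol combinations we allow in and out
set TCP_IN "ssh,smtp,auth,www,ssmtp,https,imap,imaps,pop3,pop3s"
# Outbound TCP is only ACCEPTed in chain tosqueue for the ports listed here;
# e.g. https is not in any TCP_OUT_* list, so outbound 443 ends in LDENY.
set TCP_OUT_DELAY       "ssh,ftp,auth"
set TCP_OUT_RELIABILITY "http,nntp,smtp,pop3,auth,domain"
set TCP_OUT_THROUGHPUT  "ftp-data"
#set TCP_OUT_COST ""
set UDP_IN  "ntp,domain"
set UDP_OUT "1:65535"
set ICMP_IN  "ping,pong,destination-unreachable,source-quench,time-exceeded,parameter-problem"
set ICMP_OUT "ping,pong,fragmentation-needed,source-quench,parameter-problem"

# Make us insensitive to the environment
# Allow traffic in areas outside of our scope
# NOTE(review): built-in chains are spelled "forward" here but "INPUT"/"OUTPUT"
# below; confirm the ferm version in use treats both spellings as the same chain.
policy DROP {
    table mangle chain forward;
    table filter chain forward;
    table filter chain (INPUT,OUTPUT);
}
policy ACCEPT {
    table mangle chain (PREROUTING,INPUT,OUTPUT,POSTROUTING);
    table nat    chain (PREROUTING,OUTPUT,POSTROUTING);
}

######################################################################
# Built-in chains that jump to our custom ones
chain INPUT {
    state INVALID goto LDROP;
    fragment      goto LDROP;
    # goto IANA_BAN;
    # goto LOCAL_BAN;
    #goto PORTSCAN;    # Do we need this? There are better, dedicated tools

    state (ESTABLISHED,RELATED) ACCEPT;

    # loopback: only loopback addresses and our own address may use lo
    if lo saddr 127.0.0.1/8 daddr 127.0.0.1/8 ACCEPT;
    if lo saddr %IPSPEC daddr %IPSPEC ACCEPT;
    if lo goto LDROP;

    # incoming traffic
    # NOTE(review): the badguys jump directly follows this comment in the
    # source; comment out the next line if the ban list is meant to be off.
    goto badguys;
    protocol tcp  goto fw_tcp;
    protocol udp  goto fw_udp;
    protocol icmp goto fw_icmp;
    goto LDROP;
}

chain OUTPUT {
    state INVALID goto LDENY;
    fragment      goto LDENY;
    state (ESTABLISHED,RELATED) ACCEPT;

    of lo saddr 127.0.0.1/8 daddr 127.0.0.1/8 ACCEPT;
    of lo saddr %IPSPEC ACCEPT;
    of lo goto LDENY;

    # queueing goes here, maybe some special fw rules as well
    proto tcp goto tosqueue;    # ACCEPT must be handled there
    proto udp  dport %UDP_OUT ACCEPT;
    proto icmp icmptype %ICMP_OUT ACCEPT;
    goto LDENY;
}

#####################################################################
# Deal with known offenders right away
# Make difference between notorious ones and unusual ones
# Defined with "set" like every other variable in this file; comment lines in
# the ban file are skipped.
# NOTE(review): an empty ban file leaves BADGUYS empty; confirm ferm accepts an
# empty saddr list instead of emitting a broken rule.
set BADGUYS `%CAT /etc/firewall/badguys | %GREP -v '^#'`
chain badguys {
    saddr %BADGUYS DROP;
}

#####################################################################
# TCP traffic (entered from INPUT only, so these are inbound packets)
chain fw_tcp proto tcp {
    # Standard allowances: new connections to our published services, with a
    # rate cap so a SYN flood is logged and dropped rather than accepted.
    # (The original rule carried two LOG targets; one is enough.)
    syn dport %TCP_IN sport 1024: {
        limit 5/s ACCEPT;
        limit 20/m LOG log-prefix "SYN flood attack:";
        goto LDROP;
    }
    # Should be covered by (RELATED,ESTABLISHED) ACCEPT above
    #dport %TCP_IN accept;

    # deny scanning via DNS port
    sport domain {
        dport domain ACCEPT;
        syn goto LDROP;
    }

    # special case to allow active ftp transfers to our machine!
    # NOTE(review): this accepts any TCP packet, SYN included, from source
    # port ftp-data to every port above 1023 -- an unsolicited inbound path to
    # any high-port listener. The (ESTABLISHED,RELATED) rule in INPUT already
    # admits active-FTP data connections once the conntrack FTP helper is
    # loaded, so this rule is a candidate for removal.
    sport ftp-data dport 1024: {
        ACCEPT;
    }

    # awkward incoming connections
    syn {
        goto LDROP;
    }

    # want to deny inside-out fake stuff? uncomment this:
    # (see /proc/sys/net/ipv4/ip_local_port_range ): Tune the file to 13999 !
    # (Whether enabled or not, such packets end in LDROP: the chain returns to
    # INPUT, whose last rule is goto LDROP.)
    #dport 14000: { goto LDROP; }
}

#####################################################################
# UDP traffic (entered from INPUT only)
chain fw_udp proto udp {
    # Standard allowances
    dport %UDP_IN sport 1024: {
        ACCEPT;
    }
    # again no dns fumbling around: port-53-to-port-53 only from our resolver
    sport domain dport domain saddr %NSIP {
        ACCEPT;
    }
    # anything else returns to INPUT, which ends in goto LDROP
}

#####################################################################
# ICMP traffic (entered from INPUT only)
chain fw_icmp proto icmp {
    # Standard allowances
    # NOTE(review): "ping" (echo-request) is accepted with no limit match; a
    # "limit" as in the SYN rule of fw_tcp would cap echo floods.
    icmptype %ICMP_IN {
        ACCEPT;
    }
    #icmp-type echo-request limit 1/s ACCEPT;
    #icmptype ( ping pong destination-unreachable time-exceeded) {
    #    ACCEPT;
    #}
    # never seen hits on this one:
}

#####################################################################
# TOS (Type-of-service) adjustments
# Outbound TCP is ACCEPTed here only for the listed ports; the settos
# variants are kept commented for reference. Everything else ends in LDENY.
chain tosqueue {
    protocol tcp {
        # rapid response protocols
        # dport %TCP_OUT_DELAY settos min-delay ACCEPT;
        dport %TCP_OUT_DELAY ACCEPT;
        sport %TCP_OUT_DELAY ACCEPT;
        # keep these from timing out
        # dport %TCP_OUT_RELIABILITY settos max-reliability ACCEPT;
        dport %TCP_OUT_RELIABILITY ACCEPT;
        sport %TCP_OUT_RELIABILITY ACCEPT;
        # bulk stuff
        # dport %TCP_OUT_THROUGHPUT settos max-throughput ACCEPT;
        dport %TCP_OUT_THROUGHPUT ACCEPT;
        sport %TCP_OUT_THROUGHPUT ACCEPT;
        # dport (ftp-data,8888,6699) settos max-throughput ACCEPT;
        dport (ftp-data,8888,6699) ACCEPT;
        sport (ftp-data,8888,6699) ACCEPT;
    }
    # proto tcp dport %TCP_OUT_COST settos min-cost ACCEPT;
    goto LDENY;
}

#####################################################################
# Supporting targets
# The log option is spelled "log-prefix" throughout (the original mixed in
# "logprefix", which nothing else in this file uses).
# NOTE(review): neither LOG rule has a limit match, so a packet flood is
# mirrored into syslog; a leading "limit" (e.g. limit 10/m) would bound that.
# Since LOG does not terminate, a fragment is logged by both rules.
chain LDROP {
    LOG {
        log-level info log-prefix "Dropped";
        log-level warn fragment log-prefix "FRAGMENT Dropped";
    }
    DROP;
}
chain LDENY {
    LOG {
        log-level info proto tcp log-prefix "Denied";
        log-level warn fragment log-prefix "FRAGMENT Denied";
    }
    # NOTE(review): DENY is the ipchains spelling; with "option iptables"
    # confirm ferm maps it to DROP (or REJECT) rather than rejecting the config.
    DENY;
}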