# ferm ruleset for a single-homed host: one interface (%IFS), one public
# address (%IPS) inside a /29. Rule order is significant in every chain:
# the first matching rule decides, and each chain's final `goto` is the
# catch-all. The LDROP/LDENY chains at the end do the logging.
# NOTE(review): this text was recovered from a whitespace-collapsed copy;
# where a `#` comment ends and the next rule begins was reconstructed and
# is called out below wherever it is ambiguous.
option iptables
option clearall
option createchains
option automod

############# Define variables
# Helper binaries used by the backtick commands below.
# %IFCONFIG and %SED are not referenced anywhere in the visible ruleset.
set IFCONFIG "/sbin/ifconfig"
set AWK "/usr/bin/awk"
set GREP "/bin/grep"
set CAT "/bin/cat"
set SED "/bin/sed"
set MASK "29" # Our netmask is /29 = 255.255.255.248
set IPS "64.20.38.170"
set IFS "eth0"
# NOTE(review): the address is repeated literally here rather than built
# from %IPS; keep the two in sync when the host is renumbered.
set IPSPEC "64.20.38.170/%MASK"
# Resolver address(es) read from the host at load time (the command runs
# with ferm's own privileges). If resolv.conf lists several nameservers
# the pipeline prints several lines -- confirm how this ferm version splits
# backtick output before relying on %NSIP covering all of them.
set NSIP `%CAT /etc/resolv.conf | %GREP nameserver | %AWK '{print $2}'`
#set NTPIP `%CAT /etc/ntp.conf | %GREP server | %AWK '{print $2}'`

############# Port/protocol combinations we allow in and out
# Inbound services offered by this host.
set TCP_IN "ssh,smtp,auth,www,ssmtp,https,imap,imaps,pop3,pop3s"
# Outbound TCP allow-lists, grouped by the TOS class they were once marked
# with (the settos rules in tosqueue are currently commented out).
set TCP_OUT_DELAY "ssh,ftp,auth"
set TCP_OUT_RELIABILITY "http,nntp,smtp,pop3,auth,domain"
set TCP_OUT_THROUGHPUT "ftp-data"
#set TCP_OUT_COST ""
set UDP_IN "ntp,domain"
# Outbound UDP is unrestricted by destination port.
set UDP_OUT "1:65535"
set ICMP_IN "ping,pong,destination-unreachable,source-quench,time-exceeded,parameter-problem"
set ICMP_OUT "ping,pong,fragmentation-needed,source-quench,parameter-problem"

# Make us insensitive to the environment
# Allow traffic in areas outside of our scope
# Default-deny for the filter table (INPUT, OUTPUT and forward); the mangle
# and nat tables stay open, and no rule in this file is placed in them.
policy DROP {
    table mangle chain forward;
    table filter chain forward;
    table filter chain (INPUT,OUTPUT);
}
policy ACCEPT {
    table mangle chain (PREROUTING,INPUT,OUTPUT,POSTROUTING);
    table nat chain (PREROUTING,OUTPUT,POSTROUTING);
}

######################################################################
# Built-in chains that jump to our custom ones
chain INPUT {
    state INVALID goto LDROP;
    fragment goto LDROP;
    # goto IANA_BAN;
    # goto LOCAL_BAN;
    #goto PORTSCAN; # Do we need this? There are better, dedicated tools
    # Replies to our own connections -- and helper-related traffic such as
    # FTP data, if the conntrack helper is loaded -- are accepted here, so
    # everything below only ever sees NEW packets.
    state (ESTABLISHED,RELATED) ACCEPT;
    if lo saddr 127.0.0.1/8 daddr 127.0.0.1/8 ACCEPT;
    if lo saddr %IPSPEC daddr %IPSPEC ACCEPT;
    # Loopback traffic with any other address pair is dropped and logged.
    if lo goto LDROP;
    #incoming traffic
    # NOTE(review): rendered as a live rule; in the collapsed copy it is not
    # distinguishable from being part of the comment above -- confirm.
    goto badguys;
    protocol tcp goto fw_tcp;
    protocol udp goto fw_udp;
    protocol icmp goto fw_icmp;
    # Anything the per-protocol chains did not accept ends here (presumably
    # `goto` returns to this chain when the target chain falls through --
    # verify against this ferm version's goto semantics).
    goto LDROP;
}
chain OUTPUT {
    state INVALID goto LDENY;
    fragment goto LDENY;
    state (ESTABLISHED,RELATED) ACCEPT;
    of lo saddr 127.0.0.1/8 daddr 127.0.0.1/8 ACCEPT;
    of lo saddr %IPSPEC daddr %IPSPEC ACCEPT;
    of lo goto LDENY;
    # Egress anti-spoofing: nothing leaves with a source address other than ours.
    saddr !%IPSPEC goto LDENY;
    # again uncomment for trojan horses protection and inside out
    # violations....
    # NOTE(review): rendered as a live rule although the comment above reads
    # as if it were meant to be commented out -- confirm the intent. As
    # written, every NEW TCP/UDP packet sourced from a local port >= 14000
    # is denied, so this only works if ip_local_port_range is capped at
    # 13999 (see the companion dport rule in fw_tcp).
    proto (tcp,udp) sport 14000: goto LDENY;
    # queueing goes here, maybe some special fw rules as well
    proto tcp goto tosqueue;
    # ACCEPT must be handled here
    proto udp dport %UDP_OUT ACCEPT;
    proto icmp icmptype %ICMP_OUT ACCEPT;
    goto LDENY;
}

#####################################################################
# Deal with known offenders right away
# Make difference between notorious ones and unusual ones
chain badguys {
    # Static source-address block list built from log observations. Entries
    # have no expiry and are dropped silently (no LOG, unlike LDROP);
    # review the list periodically.
    saddr(
        # Mailbombing nion's email
        152.163.210.178
        205.188.135.170
        64.12.187.193
        # Executed nion's CGI script 400,000 times
        24.186.165.67
        # docelic, Wed Aug 3 04:18:56 EDT 2005
        # Trying out new server with all kinds of usernames on ssh
        # (All of those seem to be from the same "mastermind")
        211.48.20.153
        62.36.240.114
        62.75.240.62
        210.204.193.1
        84.26.59.170
        # Log says reverse mapping failed for this address
        # (hundreds of entries)
        114.67.19.241
    ) {
        DROP;
    }
}

#####################################################################
# TCP traffic
chain fw_tcp proto tcp {
    # Standard allowances
    # New connections to our services from unprivileged client ports.
    # `limit 5/s` is one global bucket, not per source: once it is exceeded,
    # SYNs from every client are logged (at most 20/m) and dropped, so a
    # single busy peer can starve the others.
    # NOTE(review): the LOG rule carries a trailing second `LOG` token --
    # confirm this ferm version accepts it rather than treating it as a
    # syntax error.
    syn dport %TCP_IN sport 1024: {
        limit 5/s ACCEPT;
        limit 20/m LOG log-prefix "SYN flood attack:" LOG;
        goto LDROP;
    }
    # Should be covered by (RELATED,ESTABLISHED) ACCEPT above
    #dport %TCP_IN accept;
    # deny scanning via DNS port
    # NOTE(review): unlike the UDP rule in fw_udp, the TCP 53->53 accept is
    # not restricted to saddr %NSIP; any source using port 53 reaches our
    # port 53, including NEW connections.
    sport domain {
        dport domain ACCEPT;
        syn goto LDROP;
    }
    # special case to allow active ftp transfers to our machine!
    # This trusts the peer's source port alone (sport 20 to any local port
    # >= 1024). When the ftp conntrack helper is loaded, the RELATED accept
    # in INPUT already covers active-mode data connections and this rule
    # could be retired.
    sport ftp-data dport 1024: {
        ACCEPT;
    }
    # awkward incoming connections
    syn {
        goto LDROP;
    }
    # want to deny inside-out fake stuff? uncomment this:
    # (see /proc/sys/net/ipv4/ip_local_port_range ): Tune the file to 13999 !
    # NOTE(review): rendered as a live rule; see the matching sport rule in
    # OUTPUT for the port-range dependency.
    dport 14000: {
        goto LDROP;
    }
}

#####################################################################
# UDP traffic
chain fw_udp proto udp {
    # Standard allowances
    dport %UDP_IN sport 1024: {
        ACCEPT;
    }
    # again no dns fumbling around
    # Port 53 -> 53 only from the resolver(s) found in /etc/resolv.conf.
    sport domain dport domain saddr %NSIP {
        ACCEPT;
    }
    # No catch-all here: unmatched UDP falls back to INPUT's final goto LDROP.
}

#####################################################################
# ICMP traffic
chain fw_icmp proto icmp {
    # Standard allowances
    # Echo requests are accepted without a rate limit; the limited variant
    # below is disabled.
    icmptype %ICMP_IN {
        ACCEPT;
    }
    #icmp-type echo-request limit 1/s ACCEPT;
    #icmptype ( ping pong destination-unreachable time-exceeded) {
    #    ACCEPT;
    #}
    # never seen hits on this one:
}

#####################################################################
# TOS (Type-of-service) adjustments
# TOS marking is disabled (every settos line is commented out); what is
# left is a plain allow-list of outbound NEW TCP packets, matched by
# destination port or by our own source port.
chain tosqueue {
    protocol tcp {
        # rapid response protocols
        # dport %TCP_OUT_DELAY settos min-delay ACCEPT;
        dport %TCP_OUT_DELAY ACCEPT;
        sport %TCP_OUT_DELAY ACCEPT;
        # keep these from timing out
        # dport %TCP_OUT_RELIABILITY settos max-reliability ACCEPT;
        dport %TCP_OUT_RELIABILITY ACCEPT;
        sport %TCP_OUT_RELIABILITY ACCEPT;
        # bulk stuff
        # dport %TCP_OUT_THROUGHPUT settos max-throughput ACCEPT;
        dport %TCP_OUT_THROUGHPUT ACCEPT;
        sport %TCP_OUT_THROUGHPUT ACCEPT;
        # dport (ftp-data,8888,6699) settos max-throughput ACCEPT;
        dport (ftp-data,8888,6699) ACCEPT;
        sport (ftp-data,8888,6699) ACCEPT;
    }
    # proto tcp dport %TCP_OUT_COST settos min-cost ACCEPT;
    # Outbound TCP to any other port is denied and logged.
    goto LDENY;
}

#####################################################################
# Supporting targets
chain LDROP {
    # Log-and-drop for INPUT.
    # NOTE(review): there is no `limit` in front of the LOG, so a flood of
    # dropped packets produces one log line each (log/disk exhaustion risk);
    # a limit match as used in fw_tcp would bound it.
    # NOTE(review): `logprefix` and `log-prefix` are spelled differently on
    # the two lines -- confirm this ferm version accepts both.
    LOG {
        log-level info logprefix "Dropped";
        log-level warn fragment log-prefix "FRAGMENT Dropped";
    }
    DROP;
}
chain LDENY {
    # Log-and-deny for OUTPUT. Only TCP denials are logged at info level;
    # denied UDP/ICMP is discarded unlogged unless it is a fragment.
    # Same unlimited-LOG caveat as LDROP.
    # NOTE(review): DENY is the ipchains target name; with `option iptables`
    # confirm it is still accepted (DROP is the iptables equivalent).
    LOG {
        log-level info proto tcp logprefix "Denied";
        log-level warn fragment log-prefix "FRAGMENT Denied";
    }
    DENY;
}