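# ferm ruleset for a single-homed host: default-deny on INPUT and OUTPUT,
# explicit per-protocol allow chains, nothing forwarded.
#
# Review notes (see the inline comments for details):
#   * the loopback rule in INPUT used "mod owner", which iptables only
#     accepts on the OUTPUT/POSTROUTING hooks -- the ruleset could not load;
#   * INPUT reached the badguys chain with "goto"; a goto'd chain that falls
#     through returns to the caller's *parent*, which for a built-in chain is
#     its policy (DROP) -- the fw_tcp/fw_udp/fw_icmp dispatch was skipped;
#   * ldrop now really DROPs (it REJECTed, including INVALID packets, while
#     logging "Dropped"); log lines in ldrop/lreject are rate-limited.
option clearall
option createchains
option automod

############# Define variables
# $IFCONFIG/$AWK/$GREP/$CAT/$SED, $IPS, $IFS and $WE are not referenced in
# this file; they are kept because the included users*.conf files may use
# them (not visible here -- verify before removing).
def $IFCONFIG = "/sbin/ifconfig";
def $AWK = "/usr/bin/awk";
def $GREP = "/bin/grep";
def $CAT = "/bin/cat";
def $SED = "/bin/sed";
def $MASK = 29;                          # Our netmask is /29 = 255.255.255.248
def $IPS = 64.20.38.170;
def $IFS = eth0;
def $IPSPEC = "$IPS/$MASK";              # built from $IPS so the address lives in one place
def $WE = (127.0.0.1/8 $IPSPEC);
# Backticks run through the shell at load time; "$2" is awk's field, not a
# ferm variable.
def $NSIP = `/bin/cat /etc/resolv.conf | /bin/grep nameserver | /usr/bin/awk '{print $2}'`;
#set NTPIP `$CAT /etc/ntp.conf | $GREP server | $AWK '{print $2}'`
# One address/network per line is expected on stdout of print_badguys.
# NOTE(review): if it prints nothing, $BADGUYS is an empty list -- check how
# this ferm version handles an empty "saddr" list (rule skipped vs. error).
def $BADGUYS = `/etc/firewall/print_badguys`;

############# Port/protocol combinations we allow in and out
# 10000 is webmin; 20000 is usermin -- both are administrative web UIs
# exposed to every source address here; restrict by saddr if you can.
def $TCP_IN = (ssh smtp 26 auth www ssmtp https imap imaps pop3 pop3s 10000 20000);
def $TCP_OUT_DELAY = (ssh ftp auth);
def $TCP_OUT_RELIABILITY = (http nntp smtp pop3 auth domain);
def $TCP_OUT_THROUGHPUT = (ftp-data);
#set TCP_OUT_COST ""
def $UDP_IN = (ntp domain);
def $UDP_OUT = 1:65535;                  # all outbound UDP is permitted
def $ICMP_IN = (ping pong destination-unreachable source-quench time-exceeded parameter-problem);
def $ICMP_OUT = (ping pong fragmentation-needed source-quench parameter-problem);

# Make us insensitive to the environment
table mangle chain FORWARD policy DROP;
table filter chain FORWARD policy DROP;
table filter chain (INPUT OUTPUT) policy DROP;

# Allow traffic in areas outside of our scope
table mangle chain (PREROUTING INPUT OUTPUT POSTROUTING) policy ACCEPT;
table nat chain (PREROUTING OUTPUT POSTROUTING) policy ACCEPT;

######################################################################
# Built-in chains that jump to our custom ones
chain INPUT {
    # Conntrack garbage and fragments are silently dropped (and logged).
    state INVALID goto ldrop;
    fragment goto ldrop;
    # goto IANA_BAN;
    # goto LOCAL_BAN;
    #goto PORTSCAN;   # Do we need this?  There are better, dedicated tools
    state (ESTABLISHED RELATED) ACCEPT;

    # Loopback TCP where at least one end is a privileged port.
    proto tcp if lo saddr 127.0.0.1/8 sport :1023 daddr 127.0.0.1/8 ACCEPT;
    proto tcp if lo saddr 127.0.0.1/8 daddr 127.0.0.1/8 dport :1023 ACCEPT;
    # This rule carried "mod owner uid-owner 0".  The owner match is only
    # valid on the OUTPUT (and POSTROUTING) hook; iptables rejects it in
    # INPUT and the whole ruleset failed to load.  There is no way to key on
    # the sending uid here, so the rule is keyed on the interface instead.
    # This is broader than the original uid-0 intent -- tighten the two
    # port-based rules above if unprivileged loopback services are unwanted.
    proto (tcp udp) if lo saddr 127.0.0.1/8 daddr 127.0.0.1/8 ACCEPT;
    if lo saddr $IPSPEC daddr $IPSPEC ACCEPT;
    # if lo goto ldrop;

    # incoming traffic: known offenders first.  Must be "jump", not "goto":
    # when badguys falls through, a goto would not return here but to this
    # chain's parent -- i.e. the INPUT policy (DROP) -- and the protocol
    # dispatch below would never run.
    jump badguys;
    protocol tcp goto fw_tcp;
    protocol udp goto fw_udp;
    protocol icmp goto fw_icmp;
    goto ldrop;
}

chain OUTPUT {
    state INVALID goto lreject;
    fragment goto lreject;
    state (ESTABLISHED RELATED) ACCEPT;
    proto tcp of lo saddr 127.0.0.1/8 daddr 127.0.0.1/8 ACCEPT;
    # owner match is legal here: OUTPUT is the hook that knows the sending uid
    saddr 127.0.0.1/8 daddr 127.0.0.1/8 mod owner uid-owner 0 ACCEPT;
    of lo saddr $IPSPEC ACCEPT;
    # of lo goto lreject;

    # queueing goes here, maybe some special fw rules as well
    # tosqueue is terminal (ends in "goto lreject"), so every TCP ACCEPT
    # decision must be made inside it.
    proto tcp goto tosqueue;
    proto udp dport $UDP_OUT ACCEPT;
    proto icmp icmp-type $ICMP_OUT ACCEPT;
    goto lreject;
}

#####################################################################
# Deal with known offenders right away
# Make difference between notorious ones and unusual ones
# Reached via "jump": a non-matching packet returns to INPUT.
# REJECT answers the offender (confirms the host is up); DROP would be the
# quieter choice -- kept as REJECT to preserve the existing behaviour.
chain badguys {
    saddr $BADGUYS REJECT;
}

#####################################################################
# TCP traffic
chain fw_tcp proto tcp {
    # Standard allowances.
    # CAVEAT: "limit 5/s" is one global bucket shared by all clients and all
    # ports in $TCP_IN.  A steady trickle of SYNs from anyone pushes
    # legitimate new connections (ssh included) into ldrop.  A burst value
    # and/or a per-source limit (mod hashlimit, if available) is advisable.
    syn dport $TCP_IN sport 1024: {
        limit 5/s ACCEPT;
        limit 20/m LOG log-prefix "SYN flood attack:";
        goto ldrop;
    }
    # deny scanning via DNS port.
    # NOTE: tcp/53 is still reachable by any host that sends from source
    # port 53 (SYN included); restrict by saddr if only known peers should
    # do zone transfers / TCP queries.
    sport domain {
        dport domain ACCEPT;
        syn goto ldrop;
    }
    # special case to allow active ftp transfers to our machine!
    # CAVEAT: classic hole -- any remote host reaches any local port >1023
    # (SYN included) simply by sending from source port 20.  With the ftp
    # conntrack helper loaded, active-mode data connections are RELATED and
    # already accepted in INPUT, and this rule can be removed.
    sport ftp-data dport 1024: {
        ACCEPT;
    }
    include 'users_tcp_in.conf';
    # awkward incoming connections; non-SYN strays fall through to the
    # INPUT policy (DROP) without a log line.
    syn {
        goto ldrop;
    }
}

#####################################################################
# UDP traffic
chain fw_udp proto udp {
    # Standard allowances: ntp and domain are open to every source.
    # Replies to our own queries already match ESTABLISHED in INPUT, so
    # this is only needed if the host serves NTP/DNS to others.
    dport $UDP_IN sport 1024: {
        ACCEPT;
    }
    # again no dns fumbling around -- only our configured resolvers may
    # talk 53 -> 53 to us
    sport domain dport domain saddr $NSIP {
        ACCEPT;
    }
}

#####################################################################
# ICMP traffic
chain fw_icmp proto icmp {
    # Standard allowances
    icmp-type $ICMP_IN {
        ACCEPT;
    }
    #icmp-type echo-request limit 1/s ACCEPT;
    #icmptype ( ping pong destination-unreachable time-exceeded) {
    #    ACCEPT;
    #}
    # never seen hits on this one:
}

#####################################################################
# TOS (Type-of-service) adjustments
# The settos variants are commented out; at present this chain is a plain
# outbound TCP allow list.
chain tosqueue {
    protocol tcp {
        # rapid response protocols
        # dport $TCP_OUT_DELAY settos min-delay ACCEPT;
        dport $TCP_OUT_DELAY ACCEPT;
        sport $TCP_OUT_DELAY ACCEPT;
        # keep these from timing out
        # dport $TCP_OUT_RELIABILITY settos max-reliability ACCEPT;
        dport $TCP_OUT_RELIABILITY ACCEPT;
        sport $TCP_OUT_RELIABILITY ACCEPT;
        # bulk stuff
        # dport $TCP_OUT_THROUGHPUT settos max-throughput ACCEPT;
        dport $TCP_OUT_THROUGHPUT ACCEPT;
        sport $TCP_OUT_THROUGHPUT ACCEPT;
        # dport (ftp-data 8888 6699) settos max-throughput ACCEPT;
        dport (ftp-data 8888 6699) ACCEPT;
        sport (ftp-data 8888 6699) ACCEPT;
    }
    # proto tcp dport $TCP_OUT_COST settos min-cost ACCEPT;
    include 'users_tcp_out.conf';
    goto lreject;
}

#####################################################################
# Supporting targets
# ldrop: log (rate-limited) and silently discard.  Used for unsolicited
# inbound traffic, INVALID state and fragments -- none of which should be
# answered, so the target is DROP, matching the chain name and log prefix.
chain ldrop {
    # Unlimited LOG on a default-deny chain lets any remote host fill the
    # syslog at wire speed.
    mod limit limit 10/minute limit-burst 20 {
        LOG log-level info log-prefix "Dropped";
        LOG log-level warn fragment log-prefix "FRAGMENT Dropped";
    }
    DROP;
}

# lreject: log (rate-limited) and refuse.  Used on OUTPUT, where a local
# process should get an immediate error rather than a hanging connect.
chain lreject {
    mod limit limit 10/minute limit-burst 20 {
        LOG log-level info proto tcp log-prefix "Denied";
        LOG log-level warn fragment log-prefix "FRAGMENT Denied";
    }
    REJECT;
}

include 'users.conf';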