-
-option iptables
-option clearall
-option createchains
-option automod
-
-############# Define variables
-set IFCONFIG "/sbin/ifconfig"
-set AWK "/usr/bin/awk"
-set GREP "/bin/grep"
-set CAT "/bin/cat"
-set SED "/bin/sed"
-
-set MASK "29" # Our netmask is /29 = 255.255.255.248
-set IPS "64.20.38.170"
-set IFS "eth0"
-set IPSPEC "64.20.38.170/%MASK"
-
-set NSIP `%CAT /etc/resolv.conf | %GREP nameserver | %AWK '{print $2}'`
-#set NTPIP `%CAT /etc/ntp.conf | %GREP server | %AWK '{print $2}'`
-
-############# Port/protocol combinations we allow in and out
-set TCP_IN "ssh,smtp,auth,www,ssmtp,https,imap,imaps,pop3,pop3s"
-set TCP_OUT_DELAY "ssh,ftp"
-set TCP_OUT_RELIABILITY "http,nntp,smtp,pop3,auth,domain"
-set TCP_OUT_THROUGHPUT "ftp-data,napster,napserv"
-set TCP_OUT_COST ""
-
-set UDP_IN "ntp"
-set UDP_OUT "1:65535"
-
-set ICMP_IN "ping,pong,destination-unreachable,source-quench,time-exceeded,parameter-problem"
-set ICMP_OUT "ping,pong,fragmentation-needed,source-quench,parameter-problem"
-
-
-# Make us insensitive to the environment
-policy DROP {
- table filter chain (INPUT FORWARD);
- table mangle chain (PREROUTING);
- table nat chain (PREROUTING POSTROUTING);
-}
-policy DENY {
- table filter chain (OUTPUT);
- table mangle chain (OUTPUT);
- table nat chain (OUTPUT);
-}
-
-
-######################################################################
-# Built-in chains that jump to our custom ones
-
-chain INPUT {
-
- state INVALID goto UNUSUAL DROP;
- fragment goto UNUSUAL DROP;
-
-# goto IANA_BAN;
-# goto LOCAL_BAN;
- goto PORTSCAN;
-
- state (ESTABLISHED,RELATED) ACCEPT;
-
- if lo saddr 127.0.0.1/8 daddr 127.0.0.1/8 ACCEPT;
- if lo goto UNUSUAL DROP;
-
- #incoming traffic, seperate by interface
- if %IFS {
- goto badguys;
- protocol tcp goto fw_tcp;
- protocol udp goto fw_udp;
- protocol icmp goto fw_icmp;
- }
-}
-
-chain OUTPUT {
-
- state INVALID goto UNUSUAL DENY;
- fragment goto UNUSUAL DENY;
-
- state (ESTABLISHED,RELATED) ACCEPT;
-
- of lo saddr 127.0.0.1/8 daddr 127.0.0.1/8 ACCEPT;
- of lo goto UNUSUAL DENY;
-
- saddr !%IPSPEC goto UNUSUAL DENY;
-
- # again uncomment for trojan horses protection and inside out
- # violations....
- proto (tcp,udp) sport 14000: goto LDENY;
-
- # queueing goes here, maybe some special fw rules as well
- proto tcp goto tosqueue; # ACCEPT must be handled here
-
- proto udp dport %UDP_OUT ACCEPT;
- proto icmp icmptype %ICMP_OUT ACCEPT;
-}
-
-#####################################################################
-# Deal with known offenders right away
-# Make difference between notorious ones and unusual ones
-chain badguys {
- #saddr spammer.net.com DROP; # you may specify computer names as well
- saddr 10/8 DROP; # or network addresses like this impossible one
- daddr 10/8 DROP; # maybe even from guys fooling you around
- saddr 123.45.6.78 DROP; # a single machine, very bad
- saddr 123.45.6/24 DROP; # better to include the entire subnet
-
- saddr(
- # Mailbombing nion's email
- 152.163.210.178
- 205.188.135.170
- 64.12.187.193
-
- # Executed nion's CGI script 400,000 times
- 24.186.165.67
-
- # docelic, Wed Aug 3 04:18:56 EDT 2005
- # Trying out new server with all kinds of usernames on ssh
- # (All of those seem to be from the same "mastermind")
- 211.48.20.153
- 62.36.240.114
- 62.75.240.62
- 210.204.193.1
- 84.26.59.170
-
- # Log says reverse mapping failed for this address
- # (hundreds of entries)
- 114.67.19.241
- ) {
- DROP;
- }
-}
-
-#####################################################################
-# TCP traffic
-chain fw_tcp proto tcp {
-
- # Standard allowances
- syn dport %TCP_IN sport 1024: {
- limit 200/s ACCEPT;
- limit 5/m LOG log-prefix "SYN flood attack:" LOG;
- DROP;
- }
-
- # drop all syns: (incoming connections)
- syn {
- log-prefix "tcp SYN Dropped" LOG;
- DROP;
- }
-
- dport :1023 {
- log-prefix "TCP packet not syn std port" LOG;
- DROP;
- }
-
- # deny scanning via DNS port
- sport domain {
- dport domain ACCEPT;
- syn goto LDENY;
- }
-
- # special case to allow active ftp transfers to our machine!
- sport ftp-data dport 1024: {
- ACCEPT;
- }
-
- # awkward incoming connections
- syn {
- goto LDENY;
- }
-
- # lock suid ports
- sport :1023 {
- goto LDENY;
- }
-
- # want to deny inside-out fake stuff? uncomment this:
- # (see /proc/sys/net/ipv4/ip_local_port_range ): Tune the file to 13999 !
- dport 14000: {
- goto LDENY;
- }
-
-
-#####################################################################
-# UDP traffic
-chain fw_udp proto udp {
-
- # Standard allowances
- dport %UDP_IN sport 1024: {
- ACCEPT;
- }
-
- # again no dns fumbling around
- sport domain dport domain saddr %NSIP {
- ACCEPT;
- }
- goto LDENY;
-}
-
-
-#####################################################################
-# ICMP traffic
-chain fw_icmp proto icmp {
-
- # Standard allowances
- icmptype %ICMP_IN {
- ACCEPT;
- }
-
- #icmp-type echo-request limit 1/s ACCEPT;
- #icmptype ( ping pong destination-unreachable time-exceeded) {
- # ACCEPT;
- #}
- # never seen hits on this one:
- goto LDENY;
-}
-
-
-#####################################################################
-# TOS (Type-of-service) adjustments
-chain tosqueue {
-
- protocol tcp reverse {
- # rapid response protocols
- dport %TCP_OUT_DELAY settos min-delay ACCEPT;
- # keep these from timing out
- dport %TCP_OUT_RELIABILITY settos max-reliability ACCEPT;
- # bulk stuff
- dport %TCP_OUT_THROUGHPUT settos max-throughput ACCEPT;
- dport (ftp-data,8888,6699) settos max-throughput ACCEPT;
- }
-
- proto tcp dport %TCP_OUT_COST settos min-cost ACCEPT;
-}
-
-#####################################################################
-# Supporting targets
-chain LDROP {
- LOG {
- log-level info logprefix "Dropped";
- log-level warn fragment log-prefix "FRAGMENT Dropped";
- }
- DROP;
-}
-
-chain UNUSUAL {
- LOG { log-level info logprefix "Unusual"; }
-}
-
-chain LDENY {
- LOG {
- log-level info proto tcp logprefix "Denied";
- log-level warn fragment log-prefix "FRAGMENT Denied";
- }
- DENY;
-}
-
-chain TCPACCEPT {
- proto tcp {
- syn limit 100/s ACCEPT;
- ! syn ACCEPT;
- }
- logprefix "Mismatch in TCPACCEPT" LOG;
- DENY;
-}
-
-chain UDPACCEPT {
- proto udp ACCEPT;
- logprefix "Mismatch in UDPACCEPT" LOG;
- DENY;
-}
-
-
-
-#chain IANA_BAN {
-# saddr %IANA_BANS DROP;
-#}
-#
-#chain LOCAL_BAN {
-# saddr %LOCAL_BANS DROP;
-#}
-
-chain PORTSCAN {
- proto tcp {
- tcp-flags FIN:SYN:RST:PSH:ACK:URG NONE {
- limit 5/min log-prefix "NULL SCAN:" log-level 5
- log-tcp-options log-ip-options LOG;
- DROP;
- }
- tcp-flags FIN:SYN:RST:PSH:ACK:URG FIN:PSH:URG {
- limit 5/min log-prefix "NMAP-XMAS Portscan:" log-level 5 LOG;
- DROP;
- }
- tcp-flags SYN:RST SYN:RST {
- limit 5/min log-prefix "SYN/RST Portscan:" log-level 5 LOG;
- DROP;
- }
- tcp-flags FIN:SYN FIN:SYN {
- limit 5/min log-prefix "SYN/FIN Portscan:" log-level 5 LOG;
- DROP;
- }
- }
-}
-
+
+option clearall
+option createchains
+option automod
+
+############# Define variables
+def $IFCONFIG = "/sbin/ifconfig";
+def $AWK = "/usr/bin/awk";
+def $GREP = "/bin/grep";
+def $CAT = "/bin/cat";
+def $SED = "/bin/sed";
+
+def $MASK = 29; # Our netmask is /29 = 255.255.255.248
+def $IPS = 64.20.38.170;
+def $IFS = eth0;
+def $IPSPEC = "64.20.38.170/$MASK";
+
+def $NSIP = `/bin/cat /etc/resolv.conf | /bin/grep nameserver | /usr/bin/awk '{print $2}'`;
+#set NTPIP `$CAT /etc/ntp.conf | $GREP server | $AWK '{print $2}'`
+
+def $BADGUYS = `/etc/firewall/print_badguys`;
+
+############# Port/protocol combinations we allow in and out
+def $TCP_IN = (ssh smtp auth www ssmtp https imap imaps pop3 pop3s);
+def $TCP_OUT_DELAY = (ssh ftp auth);
+def $TCP_OUT_RELIABILITY = (http nntp smtp pop3 auth domain);
+def $TCP_OUT_THROUGHPUT = (ftp-data);
+#set TCP_OUT_COST ""
+
+def $UDP_IN = (ntp domain);
+def $UDP_OUT = 1:65535;
+
+def $ICMP_IN = (ping pong destination-unreachable source-quench time-exceeded parameter-problem);
+def $ICMP_OUT = (ping pong fragmentation-needed source-quench parameter-problem);
+
+
+# Make us insensitive to the environment
+table mangle chain FORWARD policy DROP;
+table filter chain FORWARD policy DROP;
+table filter chain (INPUT OUTPUT) policy DROP;
+
+# Allow traffic in areas outside of our scope
+table mangle chain (PREROUTING INPUT OUTPUT POSTROUTING) policy ACCEPT;
+table nat chain (PREROUTING OUTPUT POSTROUTING) policy ACCEPT;
+
+######################################################################
+# Built-in chains that jump to our custom ones
+
+chain INPUT {
+ state INVALID goto ldrop;
+ fragment goto ldrop;
+# goto IANA_BAN;
+# goto LOCAL_BAN;
+ #goto PORTSCAN; # Do we need this? There are better, dedicated tools
+
+ state (ESTABLISHED RELATED) ACCEPT;
+
+ if lo saddr 127.0.0.1/8 daddr 127.0.0.1/8 ACCEPT;
+ if lo saddr $IPSPEC daddr $IPSPEC ACCEPT;
+ if lo goto ldrop;
+
+ #incoming traffic
+ goto badguys;
+ protocol tcp goto fw_tcp;
+ protocol udp goto fw_udp;
+ protocol icmp goto fw_icmp;
+
+ goto ldrop;
+}
+
+chain OUTPUT {
+ state INVALID goto lreject;
+ fragment goto lreject;
+
+ state (ESTABLISHED RELATED) ACCEPT;
+
+ of lo saddr 127.0.0.1/8 daddr 127.0.0.1/8 ACCEPT;
+ of lo saddr $IPSPEC ACCEPT;
+ of lo goto lreject;
+
+ # queueing goes here, maybe some special fw rules as well
+ proto tcp goto tosqueue; # ACCEPT must be handled here
+
+ proto udp dport $UDP_OUT ACCEPT;
+ proto icmp icmp-type $ICMP_OUT ACCEPT;
+
+ goto lreject;
+}
+
+#####################################################################
+# Deal with known offenders right away
+# Make difference between notorious ones and unusual ones
+chain badguys {
+ saddr $BADGUYS REJECT;
+}
+
+#####################################################################
+# TCP traffic
+chain fw_tcp proto tcp {
+ # Standard allowances
+ syn dport $TCP_IN sport 1024: {
+ limit 5/s ACCEPT;
+ limit 20/m LOG log-prefix "SYN flood attack:";
+ goto ldrop;
+ }
+
+ # deny scanning via DNS port
+ sport domain {
+ dport domain ACCEPT;
+ syn goto ldrop;
+ }
+
+ # special case to allow active ftp transfers to our machine!
+ sport ftp-data dport 1024: {
+ ACCEPT;
+ }
+
+ include 'users_tcp_in.conf';
+
+ # awkward incoming connections
+ syn {
+ goto ldrop;
+ }
+}
+
+#####################################################################
+# UDP traffic
+chain fw_udp proto udp {
+ # Standard allowances
+ dport $UDP_IN sport 1024: {
+ ACCEPT;
+ }
+
+ # again no dns fumbling around
+ sport domain dport domain saddr $NSIP {
+ ACCEPT;
+ }
+}
+
+
+#####################################################################
+# ICMP traffic
+chain fw_icmp proto icmp {
+ # Standard allowances
+ icmp-type $ICMP_IN {
+ ACCEPT;
+ }
+
+ #icmp-type echo-request limit 1/s ACCEPT;
+ #icmptype ( ping pong destination-unreachable time-exceeded) {
+ # ACCEPT;
+ #}
+ # never seen hits on this one:
+}
+
+
+#####################################################################
+# TOS (Type-of-service) adjustments
+chain tosqueue {
+ protocol tcp {
+ # rapid response protocols
+# dport $TCP_OUT_DELAY settos min-delay ACCEPT;
+ dport $TCP_OUT_DELAY ACCEPT;
+ sport $TCP_OUT_DELAY ACCEPT;
+ # keep these from timing out
+# dport $TCP_OUT_RELIABILITY settos max-reliability ACCEPT;
+ dport $TCP_OUT_RELIABILITY ACCEPT;
+ sport $TCP_OUT_RELIABILITY ACCEPT;
+ # bulk stuff
+# dport $TCP_OUT_THROUGHPUT settos max-throughput ACCEPT;
+ dport $TCP_OUT_THROUGHPUT ACCEPT;
+ sport $TCP_OUT_THROUGHPUT ACCEPT;
+# dport (ftp-data 8888 6699) settos max-throughput ACCEPT;
+ dport (ftp-data 8888 6699) ACCEPT;
+ sport (ftp-data 8888 6699) ACCEPT;
+ }
+
+# proto tcp dport $TCP_OUT_COST settos min-cost ACCEPT;
+
+ include 'users_tcp_out.conf';
+
+ goto lreject;
+}
+
+#####################################################################
+# Supporting targets
+chain ldrop {
+ LOG {
+ log-level info log-prefix "Dropped";
+ log-level warn fragment log-prefix "FRAGMENT Dropped";
+ }
+ REJECT;
+}
+
+chain lreject {
+ LOG {
+ log-level info proto tcp log-prefix "Denied";
+ log-level warn fragment log-prefix "FRAGMENT Denied";
+ }
+ REJECT;
+}
+
+include 'users.conf';
HCoop / hcoop / zz_old / fwtool.git / blobdiff