-option iptables
option clearall
option createchains
option automod
############# Define variables
-set IFCONFIG "/sbin/ifconfig"
-set AWK "/usr/bin/awk"
-set GREP "/bin/grep"
-set CAT "/bin/cat"
-set SED "/bin/sed"
+def $IFCONFIG = "/sbin/ifconfig";
+def $AWK = "/usr/bin/awk";
+def $GREP = "/bin/grep";
+def $CAT = "/bin/cat";
+def $SED = "/bin/sed";
-set MASK "29" # Our netmask is /29 = 255.255.255.248
-set IPS "64.20.38.170"
-set IFS "eth0"
-set IPSPEC "64.20.38.170/%MASK"
+def $MASK = 29; # Our netmask is /29 = 255.255.255.248
+def $IPS = 64.20.38.170;
+def $IFS = eth0;
+def $IPSPEC = "64.20.38.170/$MASK";
-set NSIP `%CAT /etc/resolv.conf | %GREP nameserver | %AWK '{print $2}'`
-#set NTPIP `%CAT /etc/ntp.conf | %GREP server | %AWK '{print $2}'`
+def $NSIP = `/bin/cat /etc/resolv.conf | /bin/grep nameserver | /usr/bin/awk '{print $2}'`;
+#set NTPIP `$CAT /etc/ntp.conf | $GREP server | $AWK '{print $2}'`
+
+def $BADGUYS = `/etc/firewall/print_badguys`;
############# Port/protocol combinations we allow in and out
-set TCP_IN "ssh,smtp,auth,www,ssmtp,https,imap,imaps,pop3,pop3s"
-set TCP_OUT_DELAY "ssh,ftp,auth"
-set TCP_OUT_RELIABILITY "http,nntp,smtp,pop3,auth,domain"
-set TCP_OUT_THROUGHPUT "ftp-data"
+def $TCP_IN = (ssh smtp auth www ssmtp https imap imaps pop3 pop3s);
+def $TCP_OUT_DELAY = (ssh ftp auth);
+def $TCP_OUT_RELIABILITY = (http nntp smtp pop3 auth domain);
+def $TCP_OUT_THROUGHPUT = (ftp-data);
#set TCP_OUT_COST ""
-set UDP_IN "ntp,domain"
-set UDP_OUT "1:65535"
+def $UDP_IN = (ntp domain);
+def $UDP_OUT = 1:65535;
-set ICMP_IN "ping,pong,destination-unreachable,source-quench,time-exceeded,parameter-problem"
-set ICMP_OUT "ping,pong,fragmentation-needed,source-quench,parameter-problem"
+def $ICMP_IN = (ping pong destination-unreachable source-quench time-exceeded parameter-problem);
+def $ICMP_OUT = (ping pong fragmentation-needed source-quench parameter-problem);
# Make us insensitive to the environment
+table mangle chain FORWARD policy DROP;
+table filter chain FORWARD policy DROP;
+table filter chain (INPUT OUTPUT) policy DROP;
# Allow traffic in areas outside of our scope
-policy DROP {
- table mangle chain forward;
- table filter chain forward;
- table filter chain (INPUT,OUTPUT);
-}
-policy ACCEPT {
- table mangle chain (PREROUTING,INPUT,OUTPUT,POSTROUTING);
- table nat chain (PREROUTING,OUTPUT,POSTROUTING);
-}
+table mangle chain (PREROUTING INPUT OUTPUT POSTROUTING) policy ACCEPT;
+table nat chain (PREROUTING OUTPUT POSTROUTING) policy ACCEPT;
######################################################################
# Built-in chains that jump to our custom ones
chain INPUT {
- state INVALID goto LDROP;
- fragment goto LDROP;
+ state INVALID goto ldrop;
+ fragment goto ldrop;
# goto IANA_BAN;
# goto LOCAL_BAN;
#goto PORTSCAN; # Do we need this? There are better, dedicated tools
- state (ESTABLISHED,RELATED) ACCEPT;
+ state (ESTABLISHED RELATED) ACCEPT;
if lo saddr 127.0.0.1/8 daddr 127.0.0.1/8 ACCEPT;
- if lo saddr %IPSPEC daddr %IPSPEC ACCEPT;
- if lo goto LDROP;
+ if lo saddr $IPSPEC daddr $IPSPEC ACCEPT;
+ if lo goto ldrop;
#incoming traffic
goto badguys;
protocol udp goto fw_udp;
protocol icmp goto fw_icmp;
- goto LDROP;
+ goto ldrop;
}
chain OUTPUT {
- state INVALID goto LDENY;
- fragment goto LDENY;
+ state INVALID goto lreject;
+ fragment goto lreject;
- state (ESTABLISHED,RELATED) ACCEPT;
+ state (ESTABLISHED RELATED) ACCEPT;
of lo saddr 127.0.0.1/8 daddr 127.0.0.1/8 ACCEPT;
- of lo saddr %IPSPEC daddr %IPSPEC ACCEPT;
- of lo goto LDENY;
-
- saddr !%IPSPEC goto LDENY;
-
- # again uncomment for trojan horses protection and inside out
- # violations....
- proto (tcp,udp) sport 14000: goto LDENY;
+ of lo saddr $IPSPEC ACCEPT;
+ of lo goto lreject;
# queueing goes here, maybe some special fw rules as well
proto tcp goto tosqueue; # ACCEPT must be handled here
- proto udp dport %UDP_OUT ACCEPT;
- proto icmp icmptype %ICMP_OUT ACCEPT;
+ proto udp dport $UDP_OUT ACCEPT;
+ proto icmp icmp-type $ICMP_OUT ACCEPT;
- goto LDENY;
+ goto lreject;
}
#####################################################################
# Deal with known offenders right away
# Make difference between notorious ones and unusual ones
chain badguys {
-
- saddr(
- # Mailbombing nion's email
- 152.163.210.178
- 205.188.135.170
- 64.12.187.193
-
- # Executed nion's CGI script 400,000 times
- 24.186.165.67
-
- # docelic, Wed Aug 3 04:18:56 EDT 2005
- # Trying out new server with all kinds of usernames on ssh
- # (All of those seem to be from the same "mastermind")
- 211.48.20.153
- 62.36.240.114
- 62.75.240.62
- 210.204.193.1
- 84.26.59.170
-
- # Log says reverse mapping failed for this address
- # (hundreds of entries)
- 114.67.19.241
- ) {
- DROP;
- }
+ saddr $BADGUYS REJECT;
}
#####################################################################
# TCP traffic
chain fw_tcp proto tcp {
# Standard allowances
- syn dport %TCP_IN sport 1024: {
+ syn dport $TCP_IN sport 1024: {
limit 5/s ACCEPT;
- limit 20/m LOG log-prefix "SYN flood attack:" LOG;
- goto LDROP;
+ limit 20/m LOG log-prefix "SYN flood attack:";
+ goto ldrop;
}
- # Should be covered by (RELATED,ESTABLISHED) ACCEPT above
- #dport %TCP_IN accept;
-
# deny scanning via DNS port
sport domain {
dport domain ACCEPT;
- syn goto LDROP;
+ syn goto ldrop;
}
# special case to allow active ftp transfers to our machine!
ACCEPT;
}
+ include 'users_tcp_in.conf';
+
# awkward incoming connections
syn {
- goto LDROP;
- }
-
- # want to deny inside-out fake stuff? uncomment this:
- # (see /proc/sys/net/ipv4/ip_local_port_range ): Tune the file to 13999 !
- dport 14000: {
- goto LDROP;
+ goto ldrop;
}
}
# UDP traffic
chain fw_udp proto udp {
# Standard allowances
- dport %UDP_IN sport 1024: {
+ dport $UDP_IN sport 1024: {
ACCEPT;
}
# again no dns fumbling around
- sport domain dport domain saddr %NSIP {
+ sport domain dport domain saddr $NSIP {
ACCEPT;
}
}
# ICMP traffic
chain fw_icmp proto icmp {
# Standard allowances
- icmptype %ICMP_IN {
+ icmp-type $ICMP_IN {
ACCEPT;
}
chain tosqueue {
protocol tcp {
# rapid response protocols
-# dport %TCP_OUT_DELAY settos min-delay ACCEPT;
- dport %TCP_OUT_DELAY ACCEPT;
- sport %TCP_OUT_DELAY ACCEPT;
+# dport $TCP_OUT_DELAY settos min-delay ACCEPT;
+ dport $TCP_OUT_DELAY ACCEPT;
+ sport $TCP_OUT_DELAY ACCEPT;
# keep these from timing out
-# dport %TCP_OUT_RELIABILITY settos max-reliability ACCEPT;
- dport %TCP_OUT_RELIABILITY ACCEPT;
- sport %TCP_OUT_RELIABILITY ACCEPT;
+# dport $TCP_OUT_RELIABILITY settos max-reliability ACCEPT;
+ dport $TCP_OUT_RELIABILITY ACCEPT;
+ sport $TCP_OUT_RELIABILITY ACCEPT;
# bulk stuff
-# dport %TCP_OUT_THROUGHPUT settos max-throughput ACCEPT;
- dport %TCP_OUT_THROUGHPUT ACCEPT;
- sport %TCP_OUT_THROUGHPUT ACCEPT;
-# dport (ftp-data,8888,6699) settos max-throughput ACCEPT;
- dport (ftp-data,8888,6699) ACCEPT;
- sport (ftp-data,8888,6699) ACCEPT;
+# dport $TCP_OUT_THROUGHPUT settos max-throughput ACCEPT;
+ dport $TCP_OUT_THROUGHPUT ACCEPT;
+ sport $TCP_OUT_THROUGHPUT ACCEPT;
+# dport (ftp-data 8888 6699) settos max-throughput ACCEPT;
+ dport (ftp-data 8888 6699) ACCEPT;
+ sport (ftp-data 8888 6699) ACCEPT;
}
-# proto tcp dport %TCP_OUT_COST settos min-cost ACCEPT;
- goto LDENY;
+# proto tcp dport $TCP_OUT_COST settos min-cost ACCEPT;
+
+ include 'users_tcp_out.conf';
+
+ goto lreject;
}
#####################################################################
# Supporting targets
-chain LDROP {
+chain ldrop {
LOG {
- log-level info logprefix "Dropped";
+ log-level info log-prefix "Dropped";
log-level warn fragment log-prefix "FRAGMENT Dropped";
}
- DROP;
+ REJECT;
}
-chain LDENY {
+chain lreject {
LOG {
- log-level info proto tcp logprefix "Denied";
+ log-level info proto tcp log-prefix "Denied";
log-level warn fragment log-prefix "FRAGMENT Denied";
}
- DENY;
+ REJECT;
}
+include 'users.conf';