-
-option iptables
-option clearall
-option createchains
-option automod
-
-############# Define variables
-set IFCONFIG "/sbin/ifconfig"
-set AWK "/usr/bin/awk"
-set GREP "/bin/grep"
-set CAT "/bin/cat"
-set SED "/bin/sed"
-
-set MASK "29" # Our netmask is /29 = 255.255.255.248
-set IPS "64.20.38.170"
-set IFS "eth0"
-set IPSPEC "64.20.38.170/%MASK"
-
-set NSIP `%CAT /etc/resolv.conf | %GREP nameserver | %AWK '{print $2}'`
-#set NTPIP `%CAT /etc/ntp.conf | %GREP server | %AWK '{print $2}'`
-
-############# Port/protocol combinations we allow in and out
-set TCP_IN "ssh,smtp,auth,www,ssmtp,https,imap,imaps,pop3,pop3s"
-set TCP_OUT_DELAY "ssh,ftp,auth"
-set TCP_OUT_RELIABILITY "http,nntp,smtp,pop3,auth,domain"
-set TCP_OUT_THROUGHPUT "ftp-data"
-#set TCP_OUT_COST ""
-
-set UDP_IN "ntp,domain"
-set UDP_OUT "1:65535"
-
-set ICMP_IN "ping,pong,destination-unreachable,source-quench,time-exceeded,parameter-problem"
-set ICMP_OUT "ping,pong,fragmentation-needed,source-quench,parameter-problem"
-
-
-# Make us insensitive to the environment
-
-# Allow traffic in areas outside of our scope
-policy DROP {
- table mangle chain forward;
- table filter chain forward;
- table filter chain (INPUT,OUTPUT);
-}
-policy ACCEPT {
- table mangle chain (PREROUTING,INPUT,OUTPUT,POSTROUTING);
- table nat chain (PREROUTING,OUTPUT,POSTROUTING);
-}
-
-######################################################################
-# Built-in chains that jump to our custom ones
-
-chain INPUT {
- state INVALID goto LDROP;
- fragment goto LDROP;
-# goto IANA_BAN;
-# goto LOCAL_BAN;
- #goto PORTSCAN; # Do we need this? There are better, dedicated tools
-
- state (ESTABLISHED,RELATED) ACCEPT;
-
- if lo saddr 127.0.0.1/8 daddr 127.0.0.1/8 ACCEPT;
- if lo saddr %IPSPEC daddr %IPSPEC ACCEPT;
- if lo goto LDROP;
-
- #incoming traffic
- goto badguys;
- protocol tcp goto fw_tcp;
- protocol udp goto fw_udp;
- protocol icmp goto fw_icmp;
-
- goto LDROP;
-}
-
-chain OUTPUT {
- state INVALID goto LDENY;
- fragment goto LDENY;
-
- state (ESTABLISHED,RELATED) ACCEPT;
-
- of lo saddr 127.0.0.1/8 daddr 127.0.0.1/8 ACCEPT;
- of lo saddr %IPSPEC ACCEPT;
- of lo goto LDENY;
-
- # queueing goes here, maybe some special fw rules as well
- proto tcp goto tosqueue; # ACCEPT must be handled here
-
- proto udp dport %UDP_OUT ACCEPT;
- proto icmp icmptype %ICMP_OUT ACCEPT;
-
- goto LDENY;
-}
-
-#####################################################################
-# Deal with known offenders right away
-# Make difference between notorious ones and unusual ones
-chain badguys {
-
- saddr(
- # Mailbombing nion's email
- 152.163.210.178
- 205.188.135.170
- 64.12.187.193
-
- # Executed nion's CGI script 400,000 times
- 24.186.165.67
-
- # docelic, Wed Aug 3 04:18:56 EDT 2005
- # Trying out new server with all kinds of usernames on ssh
- # (All of those seem to be from the same "mastermind")
- 211.48.20.153
- 62.36.240.114
- 62.75.240.62
- 210.204.193.1
- 84.26.59.170
- # docelic, Sun Aug 21 01:29:10 EDT 2005
- 63.76.235.2
- 80.48.31.252
- 220.194.55.126
- 163.26.229.131
- 201.6.223.150
- 64.34.171.56
- 82.177.98.1
- 61.185.219.23
- 62.62.224.184
- 212.0.107.141
- 60.248.227.34
- 63.246.10.45
- # docelic, Sun Aug 21 22:14:15 EDT 2005
- 210.184.124.11
- 210.238.188.155
- 63.247.76.10
-
- # Log says reverse mapping failed for this address
- # (hundreds of entries)
- 114.67.19.241
- ) {
- DROP;
- }
-}
-
-#####################################################################
-# TCP traffic
-chain fw_tcp proto tcp {
- # Standard allowances
- syn dport %TCP_IN sport 1024: {
- limit 5/s ACCEPT;
- limit 20/m LOG log-prefix "SYN flood attack:" LOG;
- goto LDROP;
- }
-
- # Should be covered by (RELATED,ESTABLISHED) ACCEPT above
- #dport %TCP_IN accept;
-
- # deny scanning via DNS port
- sport domain {
- dport domain ACCEPT;
- syn goto LDROP;
- }
-
- # special case to allow active ftp transfers to our machine!
- sport ftp-data dport 1024: {
- ACCEPT;
- }
-
- # awkward incoming connections
- syn {
- goto LDROP;
- }
-
- # want to deny inside-out fake stuff? uncomment this:
- # (see /proc/sys/net/ipv4/ip_local_port_range ): Tune the file to 13999 !
- dport 14000: {
- goto LDROP;
- }
-}
-
-#####################################################################
-# UDP traffic
-chain fw_udp proto udp {
- # Standard allowances
- dport %UDP_IN sport 1024: {
- ACCEPT;
- }
-
- # again no dns fumbling around
- sport domain dport domain saddr %NSIP {
- ACCEPT;
- }
-}
-
-
-#####################################################################
-# ICMP traffic
-chain fw_icmp proto icmp {
- # Standard allowances
- icmptype %ICMP_IN {
- ACCEPT;
- }
-
- #icmp-type echo-request limit 1/s ACCEPT;
- #icmptype ( ping pong destination-unreachable time-exceeded) {
- # ACCEPT;
- #}
- # never seen hits on this one:
-}
-
-
-#####################################################################
-# TOS (Type-of-service) adjustments
-chain tosqueue {
- protocol tcp {
- # rapid response protocols
-# dport %TCP_OUT_DELAY settos min-delay ACCEPT;
- dport %TCP_OUT_DELAY ACCEPT;
- sport %TCP_OUT_DELAY ACCEPT;
- # keep these from timing out
-# dport %TCP_OUT_RELIABILITY settos max-reliability ACCEPT;
- dport %TCP_OUT_RELIABILITY ACCEPT;
- sport %TCP_OUT_RELIABILITY ACCEPT;
- # bulk stuff
-# dport %TCP_OUT_THROUGHPUT settos max-throughput ACCEPT;
- dport %TCP_OUT_THROUGHPUT ACCEPT;
- sport %TCP_OUT_THROUGHPUT ACCEPT;
-# dport (ftp-data,8888,6699) settos max-throughput ACCEPT;
- dport (ftp-data,8888,6699) ACCEPT;
- sport (ftp-data,8888,6699) ACCEPT;
- }
-
-# proto tcp dport %TCP_OUT_COST settos min-cost ACCEPT;
- goto LDENY;
-}
-
-#####################################################################
-# Supporting targets
-chain LDROP {
- LOG {
- log-level info logprefix "Dropped";
- log-level warn fragment log-prefix "FRAGMENT Dropped";
- }
- DROP;
-}
-
-chain LDENY {
- LOG {
- log-level info proto tcp logprefix "Denied";
- log-level warn fragment log-prefix "FRAGMENT Denied";
- }
- DENY;
-}
-
+
+option clearall
+option createchains
+option automod
+
+############# Define variables
+def $IFCONFIG = "/sbin/ifconfig";
+def $AWK = "/usr/bin/awk";
+def $GREP = "/bin/grep";
+def $CAT = "/bin/cat";
+def $SED = "/bin/sed";
+
+def $MASK = 29; # Our netmask is /29 = 255.255.255.248
+def $IPS = 64.20.38.170;
+def $IFS = eth0;
+def $IPSPEC = "64.20.38.170/$MASK";
+def $WE = (127.0.0.1/8 $IPSPEC);
+
+def $NSIP = `/bin/cat /etc/resolv.conf | /bin/grep nameserver | /usr/bin/awk '{print $2}'`;
+#set NTPIP `$CAT /etc/ntp.conf | $GREP server | $AWK '{print $2}'`
+
+def $BADGUYS = `/etc/firewall/print_badguys`;
+
+############# Port/protocol combinations we allow in and out
+def $TCP_IN = (ssh smtp 26 auth www ssmtp https imap imaps pop3 pop3s 10000 20000);
+# 10000 is webmin; 20000 is usermin
+def $TCP_OUT_DELAY = (ssh ftp auth);
+def $TCP_OUT_RELIABILITY = (http nntp smtp pop3 auth domain);
+def $TCP_OUT_THROUGHPUT = (ftp-data);
+#set TCP_OUT_COST ""
+
+def $UDP_IN = (ntp domain);
+def $UDP_OUT = 1:65535;
+
+def $ICMP_IN = (ping pong destination-unreachable source-quench time-exceeded parameter-problem);
+def $ICMP_OUT = (ping pong fragmentation-needed source-quench parameter-problem);
+
+
+# Make us insensitive to the environment
+table mangle chain FORWARD policy DROP;
+table filter chain FORWARD policy DROP;
+table filter chain (INPUT OUTPUT) policy DROP;
+
+# Allow traffic in areas outside of our scope
+table mangle chain (PREROUTING INPUT OUTPUT POSTROUTING) policy ACCEPT;
+table nat chain (PREROUTING OUTPUT POSTROUTING) policy ACCEPT;
+
+######################################################################
+# Built-in chains that jump to our custom ones
+
+chain INPUT {
+ state INVALID goto ldrop;
+ fragment goto ldrop;
+# goto IANA_BAN;
+# goto LOCAL_BAN;
+ #goto PORTSCAN; # Do we need this? There are better, dedicated tools
+
+ state (ESTABLISHED RELATED) ACCEPT;
+
+ proto tcp if lo saddr 127.0.0.1/8 sport :1023 daddr 127.0.0.1/8 ACCEPT;
+ proto tcp if lo saddr 127.0.0.1/8 daddr 127.0.0.1/8 dport :1023 ACCEPT;
+ proto (tcp udp) saddr 127.0.0.1/8 daddr 127.0.0.1/8 mod owner uid-owner 0 ACCEPT;
+ if lo saddr $IPSPEC daddr $IPSPEC ACCEPT;
+# if lo goto ldrop;
+
+ #incoming traffic
+ goto badguys;
+ protocol tcp goto fw_tcp;
+ protocol udp goto fw_udp;
+ protocol icmp goto fw_icmp;
+
+ goto ldrop;
+}
+
+chain OUTPUT {
+ state INVALID goto lreject;
+ fragment goto lreject;
+
+ state (ESTABLISHED RELATED) ACCEPT;
+
+ proto tcp of lo saddr 127.0.0.1/8 daddr 127.0.0.1/8 ACCEPT;
+ saddr 127.0.0.1/8 daddr 127.0.0.1/8 mod owner uid-owner 0 ACCEPT;
+ of lo saddr $IPSPEC ACCEPT;
+# of lo goto lreject;
+
+ # queueing goes here, maybe some special fw rules as well
+ proto tcp goto tosqueue; # ACCEPT must be handled here
+
+ proto udp dport $UDP_OUT ACCEPT;
+ proto icmp icmp-type $ICMP_OUT ACCEPT;
+
+ goto lreject;
+}
+
+#####################################################################
+# Deal with known offenders right away
+# Make difference between notorious ones and unusual ones
+chain badguys {
+ saddr $BADGUYS REJECT;
+}
+
+#####################################################################
+# TCP traffic
+chain fw_tcp proto tcp {
+ # Standard allowances
+ syn dport $TCP_IN sport 1024: {
+ limit 5/s ACCEPT;
+ limit 20/m LOG log-prefix "SYN flood attack:";
+ goto ldrop;
+ }
+
+ # deny scanning via DNS port
+ sport domain {
+ dport domain ACCEPT;
+ syn goto ldrop;
+ }
+
+ # special case to allow active ftp transfers to our machine!
+ sport ftp-data dport 1024: {
+ ACCEPT;
+ }
+
+ include 'users_tcp_in.conf';
+
+ # awkward incoming connections
+ syn {
+ goto ldrop;
+ }
+}
+
+#####################################################################
+# UDP traffic
+chain fw_udp proto udp {
+ # Standard allowances
+ dport $UDP_IN sport 1024: {
+ ACCEPT;
+ }
+
+ # again no dns fumbling around
+ sport domain dport domain saddr $NSIP {
+ ACCEPT;
+ }
+}
+
+
+#####################################################################
+# ICMP traffic
+chain fw_icmp proto icmp {
+ # Standard allowances
+ icmp-type $ICMP_IN {
+ ACCEPT;
+ }
+
+ #icmp-type echo-request limit 1/s ACCEPT;
+ #icmptype ( ping pong destination-unreachable time-exceeded) {
+ # ACCEPT;
+ #}
+ # never seen hits on this one:
+}
+
+
+#####################################################################
+# TOS (Type-of-service) adjustments
+chain tosqueue {
+ protocol tcp {
+ # rapid response protocols
+# dport $TCP_OUT_DELAY settos min-delay ACCEPT;
+ dport $TCP_OUT_DELAY ACCEPT;
+ sport $TCP_OUT_DELAY ACCEPT;
+ # keep these from timing out
+# dport $TCP_OUT_RELIABILITY settos max-reliability ACCEPT;
+ dport $TCP_OUT_RELIABILITY ACCEPT;
+ sport $TCP_OUT_RELIABILITY ACCEPT;
+ # bulk stuff
+# dport $TCP_OUT_THROUGHPUT settos max-throughput ACCEPT;
+ dport $TCP_OUT_THROUGHPUT ACCEPT;
+ sport $TCP_OUT_THROUGHPUT ACCEPT;
+# dport (ftp-data 8888 6699) settos max-throughput ACCEPT;
+ dport (ftp-data 8888 6699) ACCEPT;
+ sport (ftp-data 8888 6699) ACCEPT;
+ }
+
+# proto tcp dport $TCP_OUT_COST settos min-cost ACCEPT;
+
+ include 'users_tcp_out.conf';
+
+ goto lreject;
+}
+
+#####################################################################
+# Supporting targets
+chain ldrop {
+ LOG {
+ log-level info log-prefix "Dropped";
+ log-level warn fragment log-prefix "FRAGMENT Dropped";
+ }
+ REJECT;
+}
+
+chain lreject {
+ LOG {
+ log-level info proto tcp log-prefix "Denied";
+ log-level warn fragment log-prefix "FRAGMENT Denied";
+ }
+ REJECT;
+}
+
+include 'users.conf';
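Review bot: The new INPUT rule `proto (tcp udp) saddr 127.0.0.1/8 daddr 127.0.0.1/8 mod owner uid-owner 0 ACCEPT;` uses the owner match inside the INPUT chain, but as far as I know iptables only accepts `-m owner` in OUTPUT and POSTROUTING, so applying this ruleset would likely fail at that rule rather than load. The two `if lo` loopback rules directly above it already cover inbound loopback traffic and OUTPUT already carries the equivalent owner-based rule, so the simplest fix is to delete that one line from INPUT. Separately, `chain ldrop` now ends in `REJECT;` while its name and its `"Dropped"` log prefix still describe a drop; because INPUT falls through to it for INVALID packets, fragments and everything unmatched, this turns what used to be silent discards into active ICMP/TCP error replies to the sender. If that is unintended, restore `DROP;` there; otherwise rename the chain and prefix so the logs match the action taken.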