X-Git-Url: https://git.hcoop.net/hcoop/zz_old/fwtool.git/blobdiff_plain/17bb0bf0c668091f3ebe0a43c958bc52bcf26390..9b2115e21e28936f7db6294f2c7ff9a81387de0c:/closed.conf
diff --git a/closed.conf b/closed.conf
dissimilarity index 69%
index db8b559..4c785b6 100644
--- a/closed.conf
+++ b/closed.conf
@@ -1,307 +1,203 @@
-
-option iptables
-option clearall
-option createchains
-option automod
-
-############# Define variables
-set IFCONFIG "/sbin/ifconfig"
-set AWK "/usr/bin/awk"
-set GREP "/bin/grep"
-set CAT "/bin/cat"
-set SED "/bin/sed"
-
-set MASK "29" # Our netmask is /29 = 255.255.255.248
-set IPS "64.20.38.170"
-set IFS "eth0"
-set IPSPEC "64.20.38.170/%MASK"
-
-set NSIP `%CAT /etc/resolv.conf | %GREP nameserver | %AWK '{print $2}'`
-#set NTPIP `%CAT /etc/ntp.conf | %GREP server | %AWK '{print $2}'`
-
-############# Port/protocol combinations we allow in and out
-set TCP_IN "ssh,smtp,auth,www,ssmtp,https,imap,imaps,pop3,pop3s"
-set TCP_OUT "1:65535"
-set UDP_IN "ntp"
-set UDP_OUT "1:65535"
-set ICMP_IN "ping,pong,destination-unreachable,source-quench,time-exceeded,parameter-problem"
-set ICMP_OUT "ping,pong,fragmentation-needed,source-quench,parameter-problem"
-
-
-# Make us insensitive to the environment
-policy DROP {
- table filter chain (INPUT FORWARD);
- table mangle chain (PREROUTING);
- table nat chain (PREROUTING POSTROUTING);
-}
-policy DENY {
- table filter chain (OUTPUT);
- table mangle chain (OUTPUT);
- table nat chain (OUTPUT);
-}
-
-
-######################################################################
-# Built-in chains that jump to our custom ones
-
-chain INPUT {
-
- state INVALID goto UNUSUAL DROP;
- fragment goto UNUSUAL DROP;
-
-# goto IANA_BAN;
-# goto LOCAL_BAN;
- goto PORTSCAN;
-
- state (ESTABLISHED,RELATED) ACCEPT;
-
- if lo saddr 127.0.0.1/8 daddr 127.0.0.1/8 ACCEPT;
- if lo goto UNUSUAL DROP;
-
- if ppp0 ACCEPT;
-
- #incoming traffic, seperate by interface
- if %IFS {
- goto badguys;
- protocol tcp goto fw_tcp;
- protocol udp goto fw_udp;
- protocol icmp goto fw_icmp;
- }
-}
-
-chain OUTPUT {
-
- state INVALID goto UNUSUAL DENY;
- fragment goto UNUSUAL DENY;
-
- state (ESTABLISHED,RELATED) ACCEPT;
-
- of lo saddr 127.0.0.1/8 daddr 127.0.0.1/8 ACCEPT;
- of lo goto UNUSUAL DENY;
-
- of ppp0 ACCEPT;
-
- saddr !%IPSPEC goto UNUSUAL DENY;
-
- # again uncomment for trojan horses protection and inside out
- # violations....
- proto (tcp,udp) sport 14000: goto LDENY;
-
- # queueing goes here, maybe some special fw rules as well
- proto tcp goto tosqueue; # ACCEPT must be handled here
-
- proto udp dport %UDP_OUT ACCEPT;
- proto icmp icmptype %ICMP_OUT ACCEPT;
-}
-
-#####################################################################
-# Deal with known offenders right away
-# Make difference between notorious ones and unusual ones
-chain badguys {
- #saddr spammer.net.com DROP; # you may specify computer names as well
- saddr 10/8 DROP; # or network addresses like this impossible one
- daddr 10/8 DROP; # maybe even from guys fooling you around
- saddr 123.45.6.78 DROP; # a single machine, very bad
- saddr 123.45.6/24 DROP; # better to include the entire subnet
-
- saddr(
- # Mailbombing nion's email
- 152.163.210.178
- 205.188.135.170
- 64.12.187.193
-
- # Executed nion's CGI script 400,000 times
- 24.186.165.67
-
- # docelic, Wed Aug 3 04:18:56 EDT 2005
- # Trying out new server with all kinds of usernames on ssh
- # (All of those seem to be from the same "mastermind")
- 211.48.20.153
- 62.36.240.114
- 62.75.240.62
- 210.204.193.1
- 84.26.59.170
-
- # Log says reverse mapping failed for this address
- # (hundreds of entries)
- 114.67.19.241
- ) {
- DROP;
- }
-}
-
-#####################################################################
-# TCP traffic
-chain fw_tcp proto tcp {
-
- # Standard allowances
- syn dport %TCP_IN sport 1024: {
- limit 200/s ACCEPT;
- limit 5/m LOG log-prefix "SYN flood attack:" LOG;
- DROP;
- }
-
- # drop all syns: (incoming connections)
- syn {
- log-prefix "tcp SYN Dropped" LOG;
- DROP;
- }
-
- dport :1023 {
- log-prefix "TCP packet not syn std port" LOG;
- DROP;
- }
-
- # deny scanning via DNS port
- sport domain {
- dport domain ACCEPT;
- syn goto LDENY;
- }
-
- # special case to allow active ftp transfers to our machine!
- sport ftp-data dport 1024: {
- ACCEPT;
- }
-
- # awkward incoming connections
- syn {
- goto LDENY;
- }
-
- # lock suid ports
- sport :1023 {
- goto LDENY;
- }
-
- # want to deny inside-out fake stuff? uncomment this:
- # (see /proc/sys/net/ipv4/ip_local_port_range ): Tune the file to 13999 !
- dport 14000: {
- goto LDENY;
- }
-
-
-#####################################################################
-# UDP traffic
-chain fw_udp proto udp {
-
- # Standard allowances
- dport %UDP_IN sport 1024: {
- ACCEPT;
- }
-
- # again no dns fumbling around
- #sport domain dport domain saddr (**DNS IPS**) {
- # ACCEPT;
- #}
- goto LDENY;
-}
-
-
-#####################################################################
-# ICMP traffic
-chain fw_icmp proto icmp {
-
- # Standard allowances
- icmptype %ICMP_IN {
- ACCEPT;
- }
-
- #icmp-type echo-request limit 1/s ACCEPT;
- #icmptype ( ping pong destination-unreachable time-exceeded) {
- # ACCEPT;
- #}
- # never seen hits on this one:
- goto LDENY;
-}
-
-
-#####################################################################
-# TOS (Type-of-service) adjustments
-chain tosqueue {
-
- protocol tcp reverse {
- # rapid response protocols
- dport (ssh,ftp) settos min-delay ACCEPT;
- # keep these from timing out
- dport (http,nntp,smtp,pop3,auth,domain) settos max-reliability ACCEPT;
- # bulk stuff
- dport (ftp-data,napster,napserv) settos max-throughput ACCEPT;
- dport (ftp-data,8888,6699) settos max-throughput ACCEPT;
- }
-
- # remove any bits set by clients for different
- # protocols, since they might be tricking their
- # packets into a unfair priority... It wouldn't
-surprise me if IE uses this... :-O
- settos min-cost ACCEPT;
-}
-
-#####################################################################
-# Supporting targets
-chain LDROP {
- LOG {
- log-level info logprefix "Dropped";
- log-level warn fragment log-prefix "FRAGMENT Dropped";
- }
- DROP;
-}
-
-chain UNUSUAL {
- LOG { log-level info logprefix "Unusual"; }
-}
-
-chain LDENY {
- LOG {
- log-level info proto tcp logprefix "Denied";
- log-level warn fragment log-prefix "FRAGMENT Denied";
- }
- DENY;
-}
-
-chain TCPACCEPT {
- proto tcp {
- syn limit 100/s ACCEPT;
- ! syn ACCEPT;
- }
- logprefix "Mismatch in TCPACCEPT" LOG;
- DENY;
-}
-
-chain UDPACCEPT {
- proto udp ACCEPT;
- logprefix "Mismatch in UDPACCEPT" LOG;
- DENY;
-}
-
-
-
-#chain IANA_BAN {
-# saddr %IANA_BANS DROP;
-#}
-#
-#chain LOCAL_BAN {
-# saddr %LOCAL_BANS DROP;
-#}
-
-chain PORTSCAN {
- proto tcp {
- tcp-flags FIN:SYN:RST:PSH:ACK:URG NONE {
- limit 5/min log-prefix "NULL SCAN:" log-level 5
- log-tcp-options log-ip-options LOG;
- DROP;
- }
- tcp-flags FIN:SYN:RST:PSH:ACK:URG FIN:PSH:URG {
- limit 5/min log-prefix "NMAP-XMAS Portscan:" log-level 5 LOG;
- DROP;
- }
- tcp-flags SYN:RST SYN:RST {
- limit 5/min log-prefix "SYN/RST Portscan:" log-level 5 LOG;
- DROP;
- }
- tcp-flags FIN:SYN FIN:SYN {
- limit 5/min log-prefix "SYN/FIN Portscan:" log-level 5 LOG;
- DROP;
- }
- }
-}
-
+
+option clearall
+option createchains
+option automod
+
+############# Define variables
+def $IFCONFIG = "/sbin/ifconfig";
+def $AWK = "/usr/bin/awk";
+def $GREP = "/bin/grep";
+def $CAT = "/bin/cat";
+def $SED = "/bin/sed";
+
+def $MASK = 29; # Our netmask is /29 = 255.255.255.248
+def $IPS = 64.20.38.170;
+def $IFS = eth0;
+def $IPSPEC = "64.20.38.170/$MASK";
+
+def $NSIP = `/bin/cat /etc/resolv.conf | /bin/grep nameserver | /usr/bin/awk '{print $2}'`;
+#set NTPIP `$CAT /etc/ntp.conf | $GREP server | $AWK '{print $2}'`
+
+def $BADGUYS = `/etc/firewall/print_badguys`;
+
+############# Port/protocol combinations we allow in and out
+def $TCP_IN = (ssh smtp auth www ssmtp https imap imaps pop3 pop3s);
+def $TCP_OUT_DELAY = (ssh ftp auth);
+def $TCP_OUT_RELIABILITY = (http nntp smtp pop3 auth domain);
+def $TCP_OUT_THROUGHPUT = (ftp-data);
+#set TCP_OUT_COST ""
+
+def $UDP_IN = (ntp domain);
+def $UDP_OUT = 1:65535;
+
+def $ICMP_IN = (ping pong destination-unreachable source-quench time-exceeded parameter-problem);
+def $ICMP_OUT = (ping pong fragmentation-needed source-quench parameter-problem);
+
+
+# Make us insensitive to the environment
+table mangle chain FORWARD policy DROP;
+table filter chain FORWARD policy DROP;
+table filter chain (INPUT OUTPUT) policy DROP;
+
+# Allow traffic in areas outside of our scope
+table mangle chain (PREROUTING INPUT OUTPUT POSTROUTING) policy ACCEPT;
+table nat chain (PREROUTING OUTPUT POSTROUTING) policy ACCEPT;
+
+######################################################################
+# Built-in chains that jump to our custom ones
+
+chain INPUT {
+ state INVALID goto ldrop;
+ fragment goto ldrop;
+# goto IANA_BAN;
+# goto LOCAL_BAN;
+ #goto PORTSCAN; # Do we need this? There are better, dedicated tools
+
+ state (ESTABLISHED RELATED) ACCEPT;
+
+ if lo saddr 127.0.0.1/8 daddr 127.0.0.1/8 ACCEPT;
+ if lo saddr $IPSPEC daddr $IPSPEC ACCEPT;
+ if lo goto ldrop;
+
+ #incoming traffic
+ goto badguys;
+ protocol tcp goto fw_tcp;
+ protocol udp goto fw_udp;
+ protocol icmp goto fw_icmp;
+
+ goto ldrop;
+}
+
+chain OUTPUT {
+ state INVALID goto lreject;
+ fragment goto lreject;
+
+ state (ESTABLISHED RELATED) ACCEPT;
+
+ of lo saddr 127.0.0.1/8 daddr 127.0.0.1/8 ACCEPT;
+ of lo saddr $IPSPEC ACCEPT;
+ of lo goto lreject;
+
+ # queueing goes here, maybe some special fw rules as well
+ proto tcp goto tosqueue; # ACCEPT must be handled here
+
+ proto udp dport $UDP_OUT ACCEPT;
+ proto icmp icmp-type $ICMP_OUT ACCEPT;
+
+ goto lreject;
+}
+
+#####################################################################
+# Deal with known offenders right away
+# Make difference between notorious ones and unusual ones
+chain badguys {
+ saddr $BADGUYS REJECT;
+}
+
+#####################################################################
+# TCP traffic
+chain fw_tcp proto tcp {
+ # Standard allowances
+ syn dport $TCP_IN sport 1024: {
+ limit 5/s ACCEPT;
+ limit 20/m LOG log-prefix "SYN flood attack:";
+ goto ldrop;
+ }
+
+ # deny scanning via DNS port
+ sport domain {
+ dport domain ACCEPT;
+ syn goto ldrop;
+ }
+
+ # special case to allow active ftp transfers to our machine!
+ sport ftp-data dport 1024: {
+ ACCEPT;
+ }
+
+ include 'users_tcp_in.conf';
+
+ # awkward incoming connections
+ syn {
+ goto ldrop;
+ }
+}
+
+#####################################################################
+# UDP traffic
+chain fw_udp proto udp {
+ # Standard allowances
+ dport $UDP_IN sport 1024: {
+ ACCEPT;
+ }
+
+ # again no dns fumbling around
+ sport domain dport domain saddr $NSIP {
+ ACCEPT;
+ }
+}
+
+
+#####################################################################
+# ICMP traffic
+chain fw_icmp proto icmp {
+ # Standard allowances
+ icmp-type $ICMP_IN {
+ ACCEPT;
+ }
+
+ #icmp-type echo-request limit 1/s ACCEPT;
+ #icmptype ( ping pong destination-unreachable time-exceeded) {
+ # ACCEPT;
+ #}
+ # never seen hits on this one:
+}
+
+
+#####################################################################
+# TOS (Type-of-service) adjustments
+chain tosqueue {
+ protocol tcp {
+ # rapid response protocols
+# dport $TCP_OUT_DELAY settos min-delay ACCEPT;
+ dport $TCP_OUT_DELAY ACCEPT;
+ sport $TCP_OUT_DELAY ACCEPT;
+ # keep these from timing out
+# dport $TCP_OUT_RELIABILITY settos max-reliability ACCEPT;
+ dport $TCP_OUT_RELIABILITY ACCEPT;
+ sport $TCP_OUT_RELIABILITY ACCEPT;
+ # bulk stuff
+# dport $TCP_OUT_THROUGHPUT settos max-throughput ACCEPT;
+ dport $TCP_OUT_THROUGHPUT ACCEPT;
+ sport $TCP_OUT_THROUGHPUT ACCEPT;
+# dport (ftp-data 8888 6699) settos max-throughput ACCEPT;
+ dport (ftp-data 8888 6699) ACCEPT;
+ sport (ftp-data 8888 6699) ACCEPT;
+ }
+
+# proto tcp dport $TCP_OUT_COST settos min-cost ACCEPT;
+
+ include 'users_tcp_out.conf';
+
+ goto lreject;
+}
+
+#####################################################################
+# Supporting targets
+chain ldrop {
+ LOG {
+ log-level info log-prefix "Dropped";
+ log-level warn fragment log-prefix "FRAGMENT Dropped";
+ }
+ REJECT;
+}
+
+chain lreject {
+ LOG {
+ log-level info proto tcp log-prefix "Denied";
+ log-level warn fragment log-prefix "FRAGMENT Denied";
+ }
+ REJECT;
+}
+
+include 'users.conf';
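Review bot: `chain ldrop` terminates in `REJECT;` even though its name and its `log-prefix "Dropped"` say drop, and the new `chain INPUT` routes `state INVALID`, `fragment` and its final fall-through `goto ldrop;` there, so invalid and fragmented packets now trigger an error reply instead of being silently discarded; change the chain's last line to `DROP;` (or rename the chain and its log prefix) so the action matches the logged intent. In `fw_tcp`, `syn dport $TCP_IN sport 1024: { limit 5/s ACCEPT; … goto ldrop; }` replaces the removed 200/s budget with 5/s that, as far as this file shows, is shared across every listed service and every source, so a single busy client can starve legitimate new connections for everyone; if the tool exposes a per-source limit that is the right primitive here, otherwise the value deserves a comment explaining the choice. In `tosqueue` the `sport … ACCEPT` lines accept a new outbound TCP connection to any destination port whenever the local source port matches, and 8888/6699 are unprivileged ports any local process can bind, so those lines weaken the trailing `goto lreject;` more than the `dport` rules suggest. `def $UDP_IN = (ntp domain)` newly accepts UDP/53 from any source, and `chain badguys` now answers the addresses emitted by `/etc/firewall/print_badguys` with `REJECT` rather than the removed side's `DROP`; whether either is intended is not visible here, and both would benefit from a one-line comment in the file.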