--- /dev/null
+
+option iptables
+option clearall
+option createchains
+option automod
+
+############# Define variables
+set IFCONFIG "/sbin/ifconfig"
+set AWK "/usr/bin/awk"
+set GREP "/bin/grep"
+set CAT "/bin/cat"
+set SED "/bin/sed"
+
+set MASK "29" # Our netmask is /29 = 255.255.255.248
+set IPS "64.20.38.170"
+set IFS "eth0"
+set IPSPEC "64.20.38.170/%MASK"
+
+set NSIP `%CAT /etc/resolv.conf | %GREP nameserver | %AWK '{print $2}'`
+#set NTPIP `%CAT /etc/ntp.conf | %GREP server | %AWK '{print $2}'`
+
+############# Port/protocol combinations we allow in and out
+set TCP_IN "ssh,smtp,auth,www,ssmtp,https,imap,imaps,pop3,pop3s"
+set TCP_OUT "1:65535"
+set UDP_IN "ntp"
+set UDP_OUT "1:65535"
+set ICMP_IN "ping,pong,destination-unreachable,source-quench,time-exceeded,parameter-problem"
+set ICMP_OUT "ping,pong,fragmentation-needed,source-quench,parameter-problem"
+
+
+# Make us insensitive to the environment
+policy DROP {
+ table filter chain (INPUT FORWARD);
+ table mangle chain (PREROUTING);
+ table nat chain (PREROUTING POSTROUTING);
+}
+policy DENY {
+ table filter chain (OUTPUT);
+ table mangle chain (OUTPUT);
+ table nat chain (OUTPUT);
+}
+
+
+######################################################################
+# Built-in chains that jump to our custom ones
+
+chain INPUT {
+
+ state INVALID goto UNUSUAL DROP;
+ fragment goto UNUSUAL DROP;
+
+# goto IANA_BAN;
+# goto LOCAL_BAN;
+ goto PORTSCAN;
+
+ state (ESTABLISHED,RELATED) ACCEPT;
+
+ if lo saddr 127.0.0.1/8 daddr 127.0.0.1/8 ACCEPT;
+ if lo goto UNUSUAL DROP;
+
+ if ppp0 ACCEPT;
+
+ #incoming traffic, seperate by interface
+ if %IFS {
+ goto badguys;
+ protocol tcp goto fw_tcp;
+ protocol udp goto fw_udp;
+ protocol icmp goto fw_icmp;
+ }
+}
+
+chain OUTPUT {
+
+ state INVALID goto UNUSUAL DENY;
+ fragment goto UNUSUAL DENY;
+
+ state (ESTABLISHED,RELATED) ACCEPT;
+
+ of lo saddr 127.0.0.1/8 daddr 127.0.0.1/8 ACCEPT;
+ of lo goto UNUSUAL DENY;
+
+ of ppp0 ACCEPT;
+
+ saddr !%IPSPEC goto UNUSUAL DENY;
+
+ # again uncomment for trojan horses protection and inside out
+ # violations....
+ proto (tcp,udp) sport 14000: goto LDENY;
+
+ # queueing goes here, maybe some special fw rules as well
+ proto tcp goto tosqueue; # ACCEPT must be handled here
+
+ proto udp dport %UDP_OUT ACCEPT;
+ proto icmp icmptype %ICMP_OUT ACCEPT;
+}
+
+#####################################################################
+# Deal with known offenders right away
+# Make difference between notorious ones and unusual ones
+chain badguys {
+ #saddr spammer.net.com DROP; # you may specify computer names as well
+ saddr 10/8 DROP; # or network addresses like this impossible one
+ daddr 10/8 DROP; # maybe even from guys fooling you around
+ saddr 123.45.6.78 DROP; # a single machine, very bad
+ saddr 123.45.6/24 DROP; # better to include the entire subnet
+
+ saddr(
+ # Mailbombing nion's email
+ 152.163.210.178
+ 205.188.135.170
+ 64.12.187.193
+
+ # Executed nion's CGI script 400,000 times
+ 24.186.165.67
+
+ # docelic, Wed Aug 3 04:18:56 EDT 2005
+ # Trying out new server with all kinds of usernames on ssh
+ # (All of those seem to be from the same "mastermind")
+ 211.48.20.153
+ 62.36.240.114
+ 62.75.240.62
+ 210.204.193.1
+ 84.26.59.170
+
+ # Log says reverse mapping failed for this address
+ # (hundreds of entries)
+ 114.67.19.241
+ ) {
+ DROP;
+ }
+}
+
+#####################################################################
+# TCP traffic
+chain fw_tcp proto tcp {
+
+ # Standard allowances
+ syn dport %TCP_IN sport 1024: {
+ limit 200/s ACCEPT;
+ limit 5/m LOG log-prefix "SYN flood attack:" LOG;
+ DROP;
+ }
+
+ # drop all syns: (incoming connections)
+ syn {
+ log-prefix "tcp SYN Dropped" LOG;
+ DROP;
+ }
+
+ dport :1023 {
+ log-prefix "TCP packet not syn std port" LOG;
+ DROP;
+ }
+
+ # deny scanning via DNS port
+ sport domain {
+ dport domain ACCEPT;
+ syn goto LDENY;
+ }
+
+ # special case to allow active ftp transfers to our machine!
+ sport ftp-data dport 1024: {
+ ACCEPT;
+ }
+
+ # awkward incoming connections
+ syn {
+ goto LDENY;
+ }
+
+ # lock suid ports
+ sport :1023 {
+ goto LDENY;
+ }
+
+ # want to deny inside-out fake stuff? uncomment this:
+ # (see /proc/sys/net/ipv4/ip_local_port_range ): Tune the file to 13999 !
+ dport 14000: {
+ goto LDENY;
+ }
+
+
+#####################################################################
+# UDP traffic
+chain fw_udp proto udp {
+
+ # Standard allowances
+ dport %UDP_IN sport 1024: {
+ ACCEPT;
+ }
+
+ # again no dns fumbling around
+ #sport domain dport domain saddr (**DNS IPS**) {
+ # ACCEPT;
+ #}
+ goto LDENY;
+}
+
+
+#####################################################################
+# ICMP traffic
+chain fw_icmp proto icmp {
+
+ # Standard allowances
+ icmptype %ICMP_IN {
+ ACCEPT;
+ }
+
+ #icmp-type echo-request limit 1/s ACCEPT;
+ #icmptype ( ping pong destination-unreachable time-exceeded) {
+ # ACCEPT;
+ #}
+ # never seen hits on this one:
+ goto LDENY;
+}
+
+
+#####################################################################
+# TOS (Type-of-service) adjustments
+chain tosqueue {
+
+ protocol tcp reverse {
+ # rapid response protocols
+ dport (ssh,ftp) settos min-delay ACCEPT;
+ # keep these from timing out
+ dport (http,nntp,smtp,pop3,auth,domain) settos max-reliability ACCEPT;
+ # bulk stuff
+ dport (ftp-data,napster,napserv) settos max-throughput ACCEPT;
+ dport (ftp-data,8888,6699) settos max-throughput ACCEPT;
+ }
+
+ # remove any bits set by clients for different
+ # protocols, since they might be tricking their
+ # packets into a unfair priority... It wouldn't
+ # surprise me if IE uses this... :-O
+ settos min-cost ACCEPT;
+}
+
+#####################################################################
+# Supporting targets
+chain LDROP {
+ LOG {
+ log-level info logprefix "Dropped";
+ log-level warn fragment log-prefix "FRAGMENT Dropped";
+ }
+ DROP;
+}
+
+chain UNUSUAL {
+ LOG { log-level info logprefix "Unusual"; }
+}
+
+chain LDENY {
+ LOG {
+ log-level info proto tcp logprefix "Denied";
+ log-level warn fragment log-prefix "FRAGMENT Denied";
+ }
+ DENY;
+}
+
+chain TCPACCEPT {
+ proto tcp {
+ syn limit 100/s ACCEPT;
+ ! syn ACCEPT;
+ }
+ logprefix "Mismatch in TCPACCEPT" LOG;
+ DENY;
+}
+
+chain UDPACCEPT {
+ proto udp ACCEPT;
+ logprefix "Mismatch in UDPACCEPT" LOG;
+ DENY;
+}
+
+
+
+#chain IANA_BAN {
+# saddr %IANA_BANS DROP;
+#}
+#
+#chain LOCAL_BAN {
+# saddr %LOCAL_BANS DROP;
+#}
+
+chain PORTSCAN {
+ proto tcp {
+ tcp-flags FIN:SYN:RST:PSH:ACK:URG NONE {
+ limit 5/min log-prefix "NULL SCAN:" log-level 5
+ log-tcp-options log-ip-options LOG;
+ DROP;
+ }
+ tcp-flags FIN:SYN:RST:PSH:ACK:URG FIN:PSH:URG {
+ limit 5/min log-prefix "NMAP-XMAS Portscan:" log-level 5 LOG;
+ DROP;
+ }
+ tcp-flags SYN:RST SYN:RST {
+ limit 5/min log-prefix "SYN/RST Portscan:" log-level 5 LOG;
+ DROP;
+ }
+ tcp-flags FIN:SYN FIN:SYN {
+ limit 5/min log-prefix "SYN/FIN Portscan:" log-level 5 LOG;
+ DROP;
+ }
+ }
+}
+
HCoop / hcoop / zz_old / fwtool.git / commitdiff