############# Port/protocol combinations we allow in and out
set TCP_IN "ssh,smtp,auth,www,ssmtp,https,imap,imaps,pop3,pop3s"
-set TCP_OUT_DELAY "ssh,ftp"
+set TCP_OUT_DELAY "ssh,ftp,auth"
set TCP_OUT_RELIABILITY "http,nntp,smtp,pop3,auth,domain"
-set TCP_OUT_THROUGHPUT "ftp-data,napster,napserv"
-set TCP_OUT_COST ""
+set TCP_OUT_THROUGHPUT "ftp-data"
+#set TCP_OUT_COST ""
-set UDP_IN "ntp"
+set UDP_IN "ntp,domain"
set UDP_OUT "1:65535"
set ICMP_IN "ping,pong,destination-unreachable,source-quench,time-exceeded,parameter-problem"
# Make us insensitive to the environment
+
+# Allow traffic in areas outside of our scope
policy DROP {
- table filter chain (INPUT FORWARD);
- table mangle chain (PREROUTING);
- table nat chain (PREROUTING POSTROUTING);
+ table mangle chain forward;
+ table filter chain forward;
+ table filter chain (INPUT,OUTPUT);
}
-policy DENY {
- table filter chain (OUTPUT);
- table mangle chain (OUTPUT);
- table nat chain (OUTPUT);
+policy ACCEPT {
+ table mangle chain (PREROUTING,INPUT,OUTPUT,POSTROUTING);
+ table nat chain (PREROUTING,OUTPUT,POSTROUTING);
}
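Review bot: The chain name in `table mangle chain forward;` and `table filter chain forward;` is lowercase, while every other built-in chain in this policy block is written `INPUT`, `OUTPUT`, `PREROUTING`, `POSTROUTING`. iptables chain names are case-sensitive, so unless ferm upper-cases built-in names on its own (not something this file shows), those two lines would address a user chain named `forward` and the real FORWARD chains would keep their default policy instead of DROP. Writing `table mangle chain FORWARD;` and `table filter chain FORWARD;` removes the ambiguity either way.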
-
######################################################################
# Built-in chains that jump to our custom ones
chain INPUT {
-
- state INVALID goto UNUSUAL DROP;
- fragment goto UNUSUAL DROP;
-
+ state INVALID goto LDROP;
+ fragment goto LDROP;
# goto IANA_BAN;
# goto LOCAL_BAN;
- goto PORTSCAN;
+ #goto PORTSCAN; # Do we need this? There are better, dedicated tools
state (ESTABLISHED,RELATED) ACCEPT;
if lo saddr 127.0.0.1/8 daddr 127.0.0.1/8 ACCEPT;
- if lo goto UNUSUAL DROP;
-
- #incoming traffic, seperate by interface
- if %IFS {
- goto badguys;
- protocol tcp goto fw_tcp;
- protocol udp goto fw_udp;
- protocol icmp goto fw_icmp;
- }
+ if lo saddr %IPSPEC daddr %IPSPEC ACCEPT;
+ if lo goto LDROP;
+
+ #incoming traffic
+ goto badguys;
+ protocol tcp goto fw_tcp;
+ protocol udp goto fw_udp;
+ protocol icmp goto fw_icmp;
+
+ goto LDROP;
}
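Review bot: Disabling the jump on the `#goto PORTSCAN;` line, together with deleting the PORTSCAN chain in the last hunk of this diff, removes more than detection: that chain dropped packets carrying impossible TCP flag combinations (no flags, FIN+PSH+URG, SYN+RST, SYN+FIN) with rate-limited logging. Whether `state INVALID goto LDROP;` above now catches those packets depends on the connection-tracking implementation and its settings, which this file does not show, so if that is the intended replacement it should be stated. The trailing `# Do we need this? ...` is also an open question left in committed configuration; replace it with the decision, e.g. `#goto PORTSCAN; # disabled: malformed-flag packets are expected to be dropped by the state INVALID rule above`.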
chain OUTPUT {
-
- state INVALID goto UNUSUAL DENY;
- fragment goto UNUSUAL DENY;
+ state INVALID goto LDENY;
+ fragment goto LDENY;
state (ESTABLISHED,RELATED) ACCEPT;
of lo saddr 127.0.0.1/8 daddr 127.0.0.1/8 ACCEPT;
- of lo goto UNUSUAL DENY;
+ of lo saddr %IPSPEC daddr %IPSPEC ACCEPT;
+ of lo goto LDENY;
- saddr !%IPSPEC goto UNUSUAL DENY;
+ saddr !%IPSPEC goto LDENY;
# again uncomment for trojan horses protection and inside out
# violations....
proto udp dport %UDP_OUT ACCEPT;
proto icmp icmptype %ICMP_OUT ACCEPT;
+
+ goto LDENY;
}
#####################################################################
# Deal with known offenders right away
# Make difference between notorious ones and unusual ones
chain badguys {
- #saddr spammer.net.com DROP; # you may specify computer names as well
- saddr 10/8 DROP; # or network addresses like this impossible one
- daddr 10/8 DROP; # maybe even from guys fooling you around
- saddr 123.45.6.78 DROP; # a single machine, very bad
- saddr 123.45.6/24 DROP; # better to include the entire subnet
saddr(
# Mailbombing nion's email
#####################################################################
# TCP traffic
chain fw_tcp proto tcp {
-
# Standard allowances
syn dport %TCP_IN sport 1024: {
- limit 200/s ACCEPT;
- limit 5/m LOG log-prefix "SYN flood attack:" LOG;
- DROP;
+ limit 5/s ACCEPT;
+ limit 20/m LOG log-prefix "SYN flood attack:" LOG;
+ goto LDROP;
}
- # drop all syns: (incoming connections)
- syn {
- log-prefix "tcp SYN Dropped" LOG;
- DROP;
- }
-
- dport :1023 {
- log-prefix "TCP packet not syn std port" LOG;
- DROP;
- }
+ # Should be covered by (RELATED,ESTABLISHED) ACCEPT above
+ #dport %TCP_IN accept;
# deny scanning via DNS port
sport domain {
dport domain ACCEPT;
- syn goto LDENY;
+ syn goto LDROP;
}
# special case to allow active ftp transfers to our machine!
# awkward incoming connections
syn {
- goto LDENY;
- }
-
- # lock suid ports
- sport :1023 {
- goto LDENY;
+ goto LDROP;
}
# want to deny inside-out fake stuff? uncomment this:
# (see /proc/sys/net/ipv4/ip_local_port_range ): Tune the file to 13999 !
dport 14000: {
- goto LDENY;
+ goto LDROP;
}
-
+}
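Review bot: `limit 5/s ACCEPT;` in the `syn dport %TCP_IN sport 1024:` block is one aggregate counter over all inbound SYNs to every listed service, not a per-source limit, so once total SYN arrival exceeds five per second (plus the match's default burst) every other client's new connection falls through to `goto LDROP;`. Going from 200/s to 5/s makes that threshold reachable by ordinary traffic to a host serving smtp, www and imap at once, and a single remote sender can hold it there indefinitely. If the goal is to contain individual sources, iptables' hashlimit match keyed on source address is the per-source equivalent; otherwise keep a higher aggregate rate and leave the `limit 20/m LOG ...` line as the alarm.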
#####################################################################
# UDP traffic
chain fw_udp proto udp {
-
# Standard allowances
dport %UDP_IN sport 1024: {
ACCEPT;
sport domain dport domain saddr %NSIP {
ACCEPT;
}
- goto LDENY;
}
#####################################################################
# ICMP traffic
chain fw_icmp proto icmp {
-
# Standard allowances
icmptype %ICMP_IN {
ACCEPT;
# ACCEPT;
#}
# never seen hits on this one:
- goto LDENY;
}
#####################################################################
# TOS (Type-of-service) adjustments
chain tosqueue {
-
- protocol tcp reverse {
+ protocol tcp {
# rapid response protocols
- dport %TCP_OUT_DELAY settos min-delay ACCEPT;
+# dport %TCP_OUT_DELAY settos min-delay ACCEPT;
+ dport %TCP_OUT_DELAY ACCEPT;
+ sport %TCP_OUT_DELAY ACCEPT;
# keep these from timing out
- dport %TCP_OUT_RELIABILITY settos max-reliability ACCEPT;
+# dport %TCP_OUT_RELIABILITY settos max-reliability ACCEPT;
+ dport %TCP_OUT_RELIABILITY ACCEPT;
+ sport %TCP_OUT_RELIABILITY ACCEPT;
# bulk stuff
- dport %TCP_OUT_THROUGHPUT settos max-throughput ACCEPT;
- dport (ftp-data,8888,6699) settos max-throughput ACCEPT;
+# dport %TCP_OUT_THROUGHPUT settos max-throughput ACCEPT;
+ dport %TCP_OUT_THROUGHPUT ACCEPT;
+ sport %TCP_OUT_THROUGHPUT ACCEPT;
+# dport (ftp-data,8888,6699) settos max-throughput ACCEPT;
+ dport (ftp-data,8888,6699) ACCEPT;
+ sport (ftp-data,8888,6699) ACCEPT;
}
- proto tcp dport %TCP_OUT_COST settos min-cost ACCEPT;
+# proto tcp dport %TCP_OUT_COST settos min-cost ACCEPT;
+ goto LDENY;
}
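Review bot: With the `settos` marking commented out, the added `sport %TCP_OUT_DELAY ACCEPT;`, `sport %TCP_OUT_RELIABILITY ACCEPT;`, `sport %TCP_OUT_THROUGHPUT ACCEPT;` and `sport (ftp-data,8888,6699) ACCEPT;` lines are now plain allow rules keyed on a source port that the sending process chooses itself; ports at or above 1024 such as 8888 and 6699 can be bound without privilege, so any local process can bypass the closing `goto LDENY;` by picking one of them. Replies from the listed services should already be covered by `state (ESTABLISHED,RELATED) ACCEPT;` in OUTPUT, so the sport rules look redundant for their stated purpose (where tosqueue is entered from is not visible in this diff). If they are only kept as placeholders for the TOS marking, comment them out alongside the `settos` lines or add a comment saying why they stay active.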
#####################################################################
DROP;
}
-chain UNUSUAL {
- LOG { log-level info logprefix "Unusual"; }
-}
-
chain LDENY {
LOG {
log-level info proto tcp logprefix "Denied";
DENY;
}
-chain TCPACCEPT {
- proto tcp {
- syn limit 100/s ACCEPT;
- ! syn ACCEPT;
- }
- logprefix "Mismatch in TCPACCEPT" LOG;
- DENY;
-}
-
-chain UDPACCEPT {
- proto udp ACCEPT;
- logprefix "Mismatch in UDPACCEPT" LOG;
- DENY;
-}
-
-
-
-#chain IANA_BAN {
-# saddr %IANA_BANS DROP;
-#}
-#
-#chain LOCAL_BAN {
-# saddr %LOCAL_BANS DROP;
-#}
-
-chain PORTSCAN {
- proto tcp {
- tcp-flags FIN:SYN:RST:PSH:ACK:URG NONE {
- limit 5/min log-prefix "NULL SCAN:" log-level 5
- log-tcp-options log-ip-options LOG;
- DROP;
- }
- tcp-flags FIN:SYN:RST:PSH:ACK:URG FIN:PSH:URG {
- limit 5/min log-prefix "NMAP-XMAS Portscan:" log-level 5 LOG;
- DROP;
- }
- tcp-flags SYN:RST SYN:RST {
- limit 5/min log-prefix "SYN/RST Portscan:" log-level 5 LOG;
- DROP;
- }
- tcp-flags FIN:SYN FIN:SYN {
- limit 5/min log-prefix "SYN/FIN Portscan:" log-level 5 LOG;
- DROP;
- }
- }
-}
-