From 17bb0bf0c668091f3ebe0a43c958bc52bcf26390 Mon Sep 17 00:00:00 2001
From: Davor Ocelic
Date: Sun, 14 Aug 2005 10:00:03 +0000
Subject: [PATCH] - Beginning of fwtool : initial global fw rules for FERM tool
---
 closed.conf | 307 ++++++++++++++++++++++++++++++++++++++++++++++++++++
 open.conf | 10 ++
 2 files changed, 317 insertions(+)
 create mode 100644 closed.conf
 create mode 100644 open.conf
diff --git a/closed.conf b/closed.conf
new file mode 100644
index 0000000..db8b559
--- /dev/null
+++ b/closed.conf
@@ -0,0 +1,307 @@
+
+option iptables
+option clearall
+option createchains
+option automod
+
+############# Define variables
+set IFCONFIG "/sbin/ifconfig"
+set AWK "/usr/bin/awk"
+set GREP "/bin/grep"
+set CAT "/bin/cat"
+set SED "/bin/sed"
+
+set MASK "29" # Our netmask is /29 = 255.255.255.248
+set IPS "64.20.38.170"
+set IFS "eth0"
+set IPSPEC "64.20.38.170/%MASK"
+
+set NSIP `%CAT /etc/resolv.conf | %GREP nameserver | %AWK '{print $2}'`
+#set NTPIP `%CAT /etc/ntp.conf | %GREP server | %AWK '{print $2}'`
+
+############# Port/protocol combinations we allow in and out
+set TCP_IN "ssh,smtp,auth,www,ssmtp,https,imap,imaps,pop3,pop3s"
+set TCP_OUT "1:65535"
+set UDP_IN "ntp"
+set UDP_OUT "1:65535"
+set ICMP_IN "ping,pong,destination-unreachable,source-quench,time-exceeded,parameter-problem"
+set ICMP_OUT "ping,pong,fragmentation-needed,source-quench,parameter-problem"
+
+
+# Make us insensitive to the environment
+policy DROP {
+ table filter chain (INPUT FORWARD);
+ table mangle chain (PREROUTING);
+ table nat chain (PREROUTING POSTROUTING);
+}
+policy DENY {
+ table filter chain (OUTPUT);
+ table mangle chain (OUTPUT);
+ table nat chain (OUTPUT);
+}
+
+
+######################################################################
+# Built-in chains that jump to our custom ones
+
+chain INPUT {
+
+ state INVALID goto UNUSUAL DROP;
+ fragment goto UNUSUAL DROP;
+
+# goto IANA_BAN;
+# goto LOCAL_BAN;
+ goto PORTSCAN;
+
+ state (ESTABLISHED,RELATED) ACCEPT;
+
+ if lo saddr 127.0.0.1/8 daddr 127.0.0.1/8 ACCEPT;
+ if lo goto UNUSUAL DROP;
+
+ if ppp0 ACCEPT;
+
+ #incoming traffic, seperate by interface
+ if %IFS {
+ goto badguys;
+ protocol tcp goto fw_tcp;
+ protocol udp goto fw_udp;
+ protocol icmp goto fw_icmp;
+ }
+}
+
+chain OUTPUT {
+
+ state INVALID goto UNUSUAL DENY;
+ fragment goto UNUSUAL DENY;
+
+ state (ESTABLISHED,RELATED) ACCEPT;
+
+ of lo saddr 127.0.0.1/8 daddr 127.0.0.1/8 ACCEPT;
+ of lo goto UNUSUAL DENY;
+
+ of ppp0 ACCEPT;
+
+ saddr !%IPSPEC goto UNUSUAL DENY;
+
+ # again uncomment for trojan horses protection and inside out
+ # violations....
+ proto (tcp,udp) sport 14000: goto LDENY;
+
+ # queueing goes here, maybe some special fw rules as well
+ proto tcp goto tosqueue; # ACCEPT must be handled here
+
+ proto udp dport %UDP_OUT ACCEPT;
+ proto icmp icmptype %ICMP_OUT ACCEPT;
+}
+
+#####################################################################
+# Deal with known offenders right away
+# Make difference between notorious ones and unusual ones
+chain badguys {
+ #saddr spammer.net.com DROP; # you may specify computer names as well
+ saddr 10/8 DROP; # or network addresses like this impossible one
+ daddr 10/8 DROP; # maybe even from guys fooling you around
+ saddr 123.45.6.78 DROP; # a single machine, very bad
+ saddr 123.45.6/24 DROP; # better to include the entire subnet
+
+ saddr(
+ # Mailbombing nion's email
+ 152.163.210.178
+ 205.188.135.170
+ 64.12.187.193
+
+ # Executed nion's CGI script 400,000 times
+ 24.186.165.67
+
+ # docelic, Wed Aug 3 04:18:56 EDT 2005
+ # Trying out new server with all kinds of usernames on ssh
+ # (All of those seem to be from the same "mastermind")
+ 211.48.20.153
+ 62.36.240.114
+ 62.75.240.62
+ 210.204.193.1
+ 84.26.59.170
+
+ # Log says reverse mapping failed for this address
+ # (hundreds of entries)
+ 114.67.19.241
+ ) {
+ DROP;
+ }
+}
+
+#####################################################################
+# TCP traffic
+chain fw_tcp proto tcp {
+
+ # Standard allowances
+ syn dport %TCP_IN sport 1024: {
+ limit 200/s ACCEPT;
+ limit 5/m LOG log-prefix "SYN flood attack:" LOG;
+ DROP;
+ }
+
+ # drop all syns: (incoming connections)
+ syn {
+ log-prefix "tcp SYN Dropped" LOG;
+ DROP;
+ }
+
+ dport :1023 {
+ log-prefix "TCP packet not syn std port" LOG;
+ DROP;
+ }
+
+ # deny scanning via DNS port
+ sport domain {
+ dport domain ACCEPT;
+ syn goto LDENY;
+ }
+
+ # special case to allow active ftp transfers to our machine!
+ sport ftp-data dport 1024: {
+ ACCEPT;
+ }
+
+ # awkward incoming connections
+ syn {
+ goto LDENY;
+ }
+
+ # lock suid ports
+ sport :1023 {
+ goto LDENY;
+ }
+
+ # want to deny inside-out fake stuff? uncomment this:
+ # (see /proc/sys/net/ipv4/ip_local_port_range ): Tune the file to 13999 !
+ dport 14000: {
+ goto LDENY;
+ }
+
+
+#####################################################################
+# UDP traffic
+chain fw_udp proto udp {
+
+ # Standard allowances
+ dport %UDP_IN sport 1024: {
+ ACCEPT;
+ }
+
+ # again no dns fumbling around
+ #sport domain dport domain saddr (**DNS IPS**) {
+ # ACCEPT;
+ #}
+ goto LDENY;
+}
+
+
+#####################################################################
+# ICMP traffic
+chain fw_icmp proto icmp {
+
+ # Standard allowances
+ icmptype %ICMP_IN {
+ ACCEPT;
+ }
+
+ #icmp-type echo-request limit 1/s ACCEPT;
+ #icmptype ( ping pong destination-unreachable time-exceeded) {
+ # ACCEPT;
+ #}
+ # never seen hits on this one:
+ goto LDENY;
+}
+
+
+#####################################################################
+# TOS (Type-of-service) adjustments
+chain tosqueue {
+
+ protocol tcp reverse {
+ # rapid response protocols
+ dport (ssh,ftp) settos min-delay ACCEPT;
+ # keep these from timing out
+ dport (http,nntp,smtp,pop3,auth,domain) settos max-reliability ACCEPT;
+ # bulk stuff
+ dport (ftp-data,napster,napserv) settos max-throughput ACCEPT;
+ dport (ftp-data,8888,6699) settos max-throughput ACCEPT;
+ }
+
+ # remove any bits set by clients for different
+ # protocols, since they might be tricking their
+ # packets into a unfair priority... It wouldn't
+ # surprise me if IE uses this... :-O
+ settos min-cost ACCEPT;
+}
+
+#####################################################################
+# Supporting targets
+chain LDROP {
+ LOG {
+ log-level info logprefix "Dropped";
+ log-level warn fragment log-prefix "FRAGMENT Dropped";
+ }
+ DROP;
+}
+
+chain UNUSUAL {
+ LOG { log-level info logprefix "Unusual"; }
+}
+
+chain LDENY {
+ LOG {
+ log-level info proto tcp logprefix "Denied";
+ log-level warn fragment log-prefix "FRAGMENT Denied";
+ }
+ DENY;
+}
+
+chain TCPACCEPT {
+ proto tcp {
+ syn limit 100/s ACCEPT;
+ ! syn ACCEPT;
+ }
+ logprefix "Mismatch in TCPACCEPT" LOG;
+ DENY;
+}
+
+chain UDPACCEPT {
+ proto udp ACCEPT;
+ logprefix "Mismatch in UDPACCEPT" LOG;
+ DENY;
+}
+
+
+
+#chain IANA_BAN {
+# saddr %IANA_BANS DROP;
+#}
+#
+#chain LOCAL_BAN {
+# saddr %LOCAL_BANS DROP;
+#}
+
+chain PORTSCAN {
+ proto tcp {
+ tcp-flags FIN:SYN:RST:PSH:ACK:URG NONE {
+ limit 5/min log-prefix "NULL SCAN:" log-level 5
+ log-tcp-options log-ip-options LOG;
+ DROP;
+ }
+ tcp-flags FIN:SYN:RST:PSH:ACK:URG FIN:PSH:URG {
+ limit 5/min log-prefix "NMAP-XMAS Portscan:" log-level 5 LOG;
+ DROP;
+ }
+ tcp-flags SYN:RST SYN:RST {
+ limit 5/min log-prefix "SYN/RST Portscan:" log-level 5 LOG;
+ DROP;
+ }
+ tcp-flags FIN:SYN FIN:SYN {
+ limit 5/min log-prefix "SYN/FIN Portscan:" log-level 5 LOG;
+ DROP;
+ }
+ }
+}
+
diff --git a/open.conf b/open.conf
new file mode 100644
index 0000000..ea7a5aa
--- /dev/null
+++ b/open.conf
@@ -0,0 +1,10 @@
+
+option iptables
+option clearall
+option createchains
+
+policy ACCEPT {
+ table filter chain (INPUT FORWARD OUTPUT);
+ table mangle chain (PREROUTING OUTPUT);
+ table nat chain (PREROUTING POSTROUTING OUTPUT);
+}
-- 
2.20.1
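Review bot: `chain fw_tcp proto tcp {` is never closed in closed.conf: the `dport 14000: { goto LDENY; }` block is the last statement before the `# UDP traffic` banner and `chain fw_udp proto udp {`, so the file's braces do not balance and ferm will either reject it or treat fw_udp as nested inside fw_tcp; a `}` is needed after that block. Within the same chain, the unconditional `syn { log-prefix "tcp SYN Dropped" LOG; DROP; }` comes before the `syn goto LDENY;` inside `sport domain`, the `sport ftp-data dport 1024: { ACCEPT; }` exception and the later `syn { goto LDENY; }` block, so no SYN reaches them and the active-FTP data connection the comment promises cannot be opened through this rule set. Two spellings of the log-prefix keyword are used (`logprefix` in LDROP, UNUSUAL, LDENY, TCPACCEPT and UDPACCEPT; `log-prefix` in fw_tcp and PORTSCAN), and the first rule of fw_tcp names the target twice (`limit 5/m LOG log-prefix "SYN flood attack:" LOG;`); unless the ferm version in use accepts both forms these lines will not load, so one spelling and a single `LOG` should be settled on. In INPUT, `if ppp0 ACCEPT;` admits every inbound packet on ppp0 before badguys, PORTSCAN-filtered traffic or any of the per-protocol chains apply to it, which deserves a comment stating that an unfiltered dial-up interface is intended. `set NSIP` and `set TCP_OUT` are computed but referenced by no rule (the DNS-source exception in fw_udp is commented out and OUTPUT sends all TCP to tosqueue), which is worth either using or removing so the variables do not suggest a restriction that is not enforced.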
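Review bot: open.conf combines `option clearall` with `policy ACCEPT` on every built-in chain of filter, mangle and nat, so loading it removes all filtering from the host, and nothing in the file says that this is the deliberate "open" counterpart of closed.conf rather than a default; a header comment such as `# "open" profile: flushes all rules and accepts everything on every table — use only when the closed.conf rule set is intentionally taken down` would make that explicit. It also omits `option automod`, which closed.conf sets; if that difference is intentional a one-line comment should say why.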