From 9132939dd36717447eb17a6dc337e5e115089a73 Mon Sep 17 00:00:00 2001
From: Davor Ocelic
Date: Thu, 18 Aug 2005 23:18:19 +0000
Subject: [PATCH] Web and ssh work! A lot of tuning and style

---
 closed.conf | 177 +++++++++++++++++----------------------------------
 1 file changed, 56 insertions(+), 121 deletions(-)

diff --git a/closed.conf b/closed.conf
index 5e79bb4..51d8ce4 100644
--- a/closed.conf
+++ b/closed.conf
@@ -21,12 +21,12 @@ set NSIP `%CAT /etc/resolv.conf | %GREP nameserver | %AWK '{print $2}'`
 ############# Port/protocol combinations we allow in and out
 set TCP_IN "ssh,smtp,auth,www,ssmtp,https,imap,imaps,pop3,pop3s"
-set TCP_OUT_DELAY "ssh,ftp"
+set TCP_OUT_DELAY "ssh,ftp,auth"
 set TCP_OUT_RELIABILITY "http,nntp,smtp,pop3,auth,domain"
-set TCP_OUT_THROUGHPUT "ftp-data,napster,napserv"
-set TCP_OUT_COST ""
+set TCP_OUT_THROUGHPUT "ftp-data"
+#set TCP_OUT_COST ""
-set UDP_IN "ntp"
+set UDP_IN "ntp,domain"
 set UDP_OUT "1:65535"
 set ICMP_IN "ping,pong,destination-unreachable,source-quench,time-exceeded,parameter-problem"
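Review bot: Adding `domain` on the `+set UDP_IN "ntp,domain"` line opens inbound UDP/53 to any source, because chain fw_udp accepts `dport %UDP_IN sport 1024:` without further qualification. Replies to this host's own DNS queries are already matched by the `state (ESTABLISHED,RELATED) ACCEPT` rule in INPUT, and fw_udp keeps a dedicated `sport domain dport domain saddr %NSIP` rule for server-to-server traffic, so the new entry only matters if this machine is itself a name server. If it is not, keep UDP_IN at `ntp`; if it is, a comment such as `# domain: this host serves DNS` would record the intent next to the variable.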
@@ -34,55 +34,54 @@ set ICMP_OUT "ping,pong,fragmentation-needed,source-quench,parameter-problem"
 # Make us insensitive to the environment
+
+# Allow traffic in areas outside of our scope
 policy DROP {
-	table filter chain (INPUT FORWARD);
-	table mangle chain (PREROUTING);
-	table nat chain (PREROUTING POSTROUTING);
+	table mangle chain forward;
+	table filter chain forward;
+	table filter chain (INPUT,OUTPUT);
 }
-policy DENY {
-	table filter chain (OUTPUT);
-	table mangle chain (OUTPUT);
-	table nat chain (OUTPUT);
+policy ACCEPT {
+	table mangle chain (PREROUTING,INPUT,OUTPUT,POSTROUTING);
+	table nat chain (PREROUTING,OUTPUT,POSTROUTING);
 }
-
 ######################################################################
 # Built-in chains that jump to our custom ones
 chain INPUT {
-
-	state INVALID goto UNUSUAL DROP;
-	fragment goto UNUSUAL DROP;
-
+	state INVALID goto LDROP;
+	fragment goto LDROP;
 	# goto IANA_BAN;
 	# goto LOCAL_BAN;
-	goto PORTSCAN;
+	#goto PORTSCAN; # Do we need this? There are better, dedicated tools
 	state (ESTABLISHED,RELATED) ACCEPT;
 	if lo saddr 127.0.0.1/8 daddr 127.0.0.1/8 ACCEPT;
-	if lo goto UNUSUAL DROP;
-
-	#incoming traffic, seperate by interface
-	if %IFS {
-		goto badguys;
-		protocol tcp goto fw_tcp;
-		protocol udp goto fw_udp;
-		protocol icmp goto fw_icmp;
-	}
+	if lo saddr %IPSPEC daddr %IPSPEC ACCEPT;
+	if lo goto LDROP;
+
+	#incoming traffic
+	goto badguys;
+	protocol tcp goto fw_tcp;
+	protocol udp goto fw_udp;
+	protocol icmp goto fw_icmp;
+
+	goto LDROP;
 }
 chain OUTPUT {
-
-	state INVALID goto UNUSUAL DENY;
-	fragment goto UNUSUAL DENY;
+	state INVALID goto LDENY;
+	fragment goto LDENY;
 	state (ESTABLISHED,RELATED) ACCEPT;
 	of lo saddr 127.0.0.1/8 daddr 127.0.0.1/8 ACCEPT;
-	of lo goto UNUSUAL DENY;
+	of lo saddr %IPSPEC daddr %IPSPEC ACCEPT;
+	of lo goto LDENY;
-	saddr !%IPSPEC goto UNUSUAL DENY;
+	saddr !%IPSPEC goto LDENY;
 	# again uncomment for trojan horses protection and inside out
 	# violations....
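Review bot: The two new policy lines `table mangle chain forward;` and `table filter chain forward;` spell the builtin chain in lowercase while every other builtin on this page is uppercase; iptables builtin chain names are case-sensitive, so unless ferm normalizes them the FORWARD policy is never set to DROP and the kernel default of ACCEPT stays in force. Use `table filter chain FORWARD;` (and likewise for mangle) and confirm the policy after loading. Separately, the added `#goto PORTSCAN; # Do we need this? ...` line and the retained `# goto IANA_BAN;` / `# goto LOCAL_BAN;` comments now point at chains this commit deletes in its final hunk, so uncommenting any of them would break the config; either remove the jumps or change the comment to say the chains are gone. chain OUTPUT continues past the end of this hunk.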
@@ -93,17 +92,14 @@ chain OUTPUT {
 	proto udp dport %UDP_OUT ACCEPT;
 	proto icmp icmptype %ICMP_OUT ACCEPT;
+
+	goto LDENY;
 }
 #####################################################################
 # Deal with known offenders right away
 # Make difference between notorious ones and unusual ones
 chain badguys {
-	#saddr spammer.net.com DROP; # you may specify computer names as well
-	saddr 10/8 DROP; # or network addresses like this impossible one
-	daddr 10/8 DROP; # maybe even from guys fooling you around
-	saddr 123.45.6.78 DROP; # a single machine, very bad
-	saddr 123.45.6/24 DROP; # better to include the entire subnet
 	saddr( # Mailbombing nion's email
@@ -134,29 +130,20 @@ chain badguys {
 #####################################################################
 # TCP traffic
 chain fw_tcp proto tcp {
-	# Standard allowances
 	syn dport %TCP_IN sport 1024: {
-		limit 200/s ACCEPT;
-		limit 5/m LOG log-prefix "SYN flood attack:" LOG;
-		DROP;
+		limit 5/s ACCEPT;
+		limit 20/m LOG log-prefix "SYN flood attack:" LOG;
+		goto LDROP;
 	}
-	# drop all syns: (incoming connections)
-	syn {
-		log-prefix "tcp SYN Dropped" LOG;
-		DROP;
-	}
-
-	dport :1023 {
-		log-prefix "TCP packet not syn std port" LOG;
-		DROP;
-	}
+	# Should be covered by (RELATED,ESTABLISHED) ACCEPT above
+	#dport %TCP_IN accept;
 	# deny scanning via DNS port
 	sport domain {
 		dport domain ACCEPT;
-		syn goto LDENY;
+		syn goto LDROP;
 	}
 	# special case to allow active ftp transfers to our machine!
@@ -166,25 +153,19 @@ chain fw_tcp proto tcp {
 	# awkward incoming connections
 	syn {
-		goto LDENY;
-	}
-
-	# lock suid ports
-	sport :1023 {
-		goto LDENY;
+		goto LDROP;
 	}
 	# want to deny inside-out fake stuff? uncomment this:
 	# (see /proc/sys/net/ipv4/ip_local_port_range ): Tune the file to 13999 !
 	dport 14000: {
-		goto LDENY;
+		goto LDROP;
 	}
-
+}
 #####################################################################
 # UDP traffic
 chain fw_udp proto udp {
-	# Standard allowances
 	dport %UDP_IN sport 1024: {
 		ACCEPT;
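Review bot: Deleting `saddr 10/8 DROP;` and `daddr 10/8 DROP;` removes the only source/destination sanity check visible in chain badguys, so packets arriving with a private source address are no longer stopped before they reach fw_tcp and fw_udp. The removed lines were written as examples, but if the interface this config protects has a public address, an anti-spoofing line for the RFC 1918 ranges, e.g. `saddr (10.0.0.0/8,172.16.0.0/12,192.168.0.0/16) DROP;`, is worth keeping here, or a comment stating that rp_filter is relied on instead. The rest of chain badguys lies outside this hunk, as does the start of chain OUTPUT.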
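Review bot: `limit 5/s ACCEPT;` in the `syn dport %TCP_IN sport 1024:` block is a single global budget for new connections to every service in TCP_IN (ssh, smtp, www, https, imap, pop3, ...); with the iptables limit match's default burst of 5, anything beyond a sustained five SYNs per second from all clients combined falls through to `goto LDROP` and is logged as a "SYN flood attack:", so a modest burst of web visitors, or one noisy client, locks everyone out. Consider a higher rate with an explicit burst, or a per-source limit (hashlimit) if the iptables in use supports it, and record the chosen rationale in a comment above the block, e.g. `# global SYN budget for all TCP_IN services; tune before raising traffic`. The chain header `chain fw_tcp proto tcp {` is hunk context and its body continues in the next hunk.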
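Review bot: The comment `# want to deny inside-out fake stuff? uncomment this:` sits above a block that is active and now ends in `goto LDROP;`, so it states the opposite of what the code does; replace it with something like `# drop non-SYN TCP to ephemeral ports (>= 14000) that conntrack did not accept; see ip_local_port_range`. The companion line `# (see /proc/sys/net/ipv4/ip_local_port_range ): Tune the file to 13999 !` should then say that the kernel range must end below 14000 for the rule to be safe. Both chain fw_tcp and chain fw_udp extend beyond this hunk.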
@@ -194,14 +175,12 @@ chain fw_udp proto udp {
 	sport domain dport domain saddr %NSIP {
 		ACCEPT;
 	}
-	goto LDENY;
 }
 #####################################################################
 # ICMP traffic
 chain fw_icmp proto icmp {
-	# Standard allowances
 	icmptype %ICMP_IN {
 		ACCEPT;
@@ -212,25 +191,32 @@ chain fw_icmp proto icmp {
 #	ACCEPT;
 #}
 # never seen hits on this one:
-	goto LDENY;
 }
 #####################################################################
 # TOS (Type-of-service) adjustments
 chain tosqueue {
-
-	protocol tcp reverse {
+	protocol tcp {
 		# rapid response protocols
-		dport %TCP_OUT_DELAY settos min-delay ACCEPT;
+#		dport %TCP_OUT_DELAY settos min-delay ACCEPT;
+		dport %TCP_OUT_DELAY ACCEPT;
+		sport %TCP_OUT_DELAY ACCEPT;
 		# keep these from timing out
-		dport %TCP_OUT_RELIABILITY settos max-reliability ACCEPT;
+#		dport %TCP_OUT_RELIABILITY settos max-reliability ACCEPT;
+		dport %TCP_OUT_RELIABILITY ACCEPT;
+		sport %TCP_OUT_RELIABILITY ACCEPT;
 		# bulk stuff
-		dport %TCP_OUT_THROUGHPUT settos max-throughput ACCEPT;
-		dport (ftp-data,8888,6699) settos max-throughput ACCEPT;
+#		dport %TCP_OUT_THROUGHPUT settos max-throughput ACCEPT;
+		dport %TCP_OUT_THROUGHPUT ACCEPT;
+		sport %TCP_OUT_THROUGHPUT ACCEPT;
+#		dport (ftp-data,8888,6699) settos max-throughput ACCEPT;
+		dport (ftp-data,8888,6699) ACCEPT;
+		sport (ftp-data,8888,6699) ACCEPT;
 	}
-	proto tcp dport %TCP_OUT_COST settos min-cost ACCEPT;
+#	proto tcp dport %TCP_OUT_COST settos min-cost ACCEPT;
+	goto LDENY;
 }
 #####################################################################
@@ -243,10 +229,6 @@ chain LDROP {
 	DROP;
 }
-chain UNUSUAL {
-	LOG { log-level info logprefix "Unusual"; }
-}
-
 chain LDENY {
 	LOG {
 		log-level info proto tcp logprefix "Denied";
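Review bot: Removing `goto LDENY;` at the end of chain fw_udp (and the same line in fw_icmp in the next hunk) changes the fate of unmatched UDP and ICMP from a logged REJECT to whatever the caller does next, which is the `goto LDROP` added at the tail of INPUT in an earlier hunk, i.e. a silent drop through a different log chain. That dependency is invisible from inside fw_udp and fw_icmp, so a trailing comment in both chains, e.g. `# unmatched packets return to INPUT, which ends in goto LDROP`, would stop the next reader from assuming they are accepted. chain fw_udp starts before this hunk.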
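Review bot: With every `settos` rule commented out, chain tosqueue no longer adjusts TOS at all; it is now an outbound TCP allow-list ending in `goto LDENY;`, so the header `# TOS (Type-of-service) adjustments` above it is misleading and should describe the current role, e.g. `# outbound TCP allow-list (TOS marking disabled); anything else is rejected`. The added `sport %TCP_OUT_DELAY ACCEPT;` and sibling `sport ... ACCEPT;` lines accept locally generated packets by source port regardless of connection state; since OUTPUT already accepts ESTABLISHED,RELATED, they only ever match new or unusual packets sourced from service ports, which looks unintended and deserves either a comment or removal. Note also that https appears in none of the TCP_OUT_* lists, so if OUTPUT hands TCP to this chain, outbound HTTPS from the host would hit the new LDENY; the jump into tosqueue is outside this hunk.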
@@ -255,50 +237,3 @@ chain LDENY {
 	DENY;
 }
-chain TCPACCEPT {
-	proto tcp {
-		syn limit 100/s ACCEPT;
-		! syn ACCEPT;
-	}
-	logprefix "Mismatch in TCPACCEPT" LOG;
-	DENY;
-}
-
-chain UDPACCEPT {
-	proto udp ACCEPT;
-	logprefix "Mismatch in UDPACCEPT" LOG;
-	DENY;
-}
-
-
-
-#chain IANA_BAN {
-#	saddr %IANA_BANS DROP;
-#}
-#
-#chain LOCAL_BAN {
-#	saddr %LOCAL_BANS DROP;
-#}
-
-chain PORTSCAN {
-	proto tcp {
-		tcp-flags FIN:SYN:RST:PSH:ACK:URG NONE {
-			limit 5/min log-prefix "NULL SCAN:" log-level 5
-			log-tcp-options log-ip-options LOG;
-			DROP;
-		}
-		tcp-flags FIN:SYN:RST:PSH:ACK:URG FIN:PSH:URG {
-			limit 5/min log-prefix "NMAP-XMAS Portscan:" log-level 5 LOG;
-			DROP;
-		}
-		tcp-flags SYN:RST SYN:RST {
-			limit 5/min log-prefix "SYN/RST Portscan:" log-level 5 LOG;
-			DROP;
-		}
-		tcp-flags FIN:SYN FIN:SYN {
-			limit 5/min log-prefix "SYN/FIN Portscan:" log-level 5 LOG;
-			DROP;
-		}
-	}
-}
-
-- 
2.20.1