====== Computer Setup - Firewall ======
[[Computer Setup:Firewall|Firewall]]
----
cat /sys/module/xt_recent/parameters/ip_list_tot
cat /sys/module/xt_recent/parameters/ip_pkt_lisA
cat /sys/module/xt_recent/parameters/ip_list_uid
cat /sys/module/xt_recent/parameters/ip_list_tot
echo 100000 > /sys/module/xt_recent/parameters/ip_list_tot
/sbin/modprobe ipt_recent ip_list_tot=100000 ip_pkt_list_tot=255
most /proc/net/xt_recent/ATTACK
/proc/net/xt_recent/BANNED1
/proc/net/xt_recent/BANNED2
/proc/net/xt_recent/BANNED3
/proc/net/xt_recent/BANNED4
/var/log/iptables.log
grep src=64. /proc/net/xt_recent/*
echo -64.20.227.134 > /proc/net/xt_recent/ATTACK
echo -64.20.227.134 > /proc/net/xt_recent/BANNED1
grep 192.168.1. /proc/net/xt_recent/*
wc /proc/net/xt_recent/*
apt install ipcalc
ipcalc 0.0.0.0/7
ipcalc 224.0.0.0/3
ipcalc 96.0.0.0/4
----
===== Firewall Reset =====
#!/bin/bash
#
# Resets all firewall rules
echo "Stopping firewall and allowing everyone..."
#
# Modify the following settings as required:
#
IPTABLES=/sbin/iptables
#
# Reset the default policies in the filter table.
#
$IPTABLES -P INPUT ACCEPT
$IPTABLES -P FORWARD ACCEPT
$IPTABLES -P OUTPUT ACCEPT
#
# Reset the default policies in the nat table.
#
$IPTABLES -t nat -P PREROUTING ACCEPT
$IPTABLES -t nat -P POSTROUTING ACCEPT
$IPTABLES -t nat -P OUTPUT ACCEPT
#
# Reset the default policies in the mangle table.
#
$IPTABLES -t mangle -P PREROUTING ACCEPT
$IPTABLES -t mangle -P POSTROUTING ACCEPT
$IPTABLES -t mangle -P INPUT ACCEPT
$IPTABLES -t mangle -P OUTPUT ACCEPT
$IPTABLES -t mangle -P FORWARD ACCEPT
#
# Flush all the rules in the filter, nat and mangle tables.
#
$IPTABLES -F
$IPTABLES -t nat -F
$IPTABLES -t mangle -F
#
# Erase all chains that are not default in filter, nat and mangle tables.
#
$IPTABLES -X
$IPTABLES -t nat -X
$IPTABLES -t mangle -X
----
===== Firewall =====
#!/bin/bash
#
# Modify the following settings as required:
#
# You should check/test that the firewall really works, using
# iptables -vnL, nmap, ping, telnet, ...
#
# TODO: ICQ, MSN, GTalk, Skype, Yahoo, etc...
IPTABLES=/sbin/iptables
IP6TABLES=/sbin/ip6tables
LOAD_MODULES=yes
LOAD_MODULES_IPV6=no
DEPMOD=/sbin/depmod
MODPROBE=/sbin/modprobe
RMMOD=/sbin/rmmod
ARP=/usr/sbin/arp
#
# REJECT target works basically the same as the DROP target, but it also sends
# back an error message to the host sending the packet that was blocked.
#
# The REJECT target is as of today only valid in the INPUT, FORWARD and OUTPUT
# chains or their sub chains.
#
# REJECT --reject-with tcp-reset # RFC 793. TCP RST packets are used to close open TCP connections gracefully.
# REJECT --icmp-net-unreachable #
# REJECT --icmp-host-unreachable #
# REJECT --icmp-port-unreachable # Default
# REJECT --icmp-proto-unreachable #
# REJECT --icmp-net-prohibited #
# REJECT --icmp-host-prohibited #
#*********************************************************
#
# Interfaces
#
#SERVER_INTERFACE=`ip addr show | awk '$1 == "inet" && $3 == "brd" { print $7 }'`
#SERVER_IP=`ifconfig $SERVER_INTERFACE | grep inet | awk '{ print $2 }'| cut -d : -f2`
#tmp=$(/sbin/ifconfig $LANFACE | grep -m 1 inet | tr -d [:alpha:])
#ifconfig em1 | grep -m 1 inet | tr -d [:alpha:]
#INET_IP=$(echo $tmp | cut -d : -f2)
#INET_BCAST=$(echo $tmp | cut -d : -f3)
#INET_MASK=$(echo $tmp | cut -d : -f4)
#unset tmp
#
# Internet Interface
#
#INET_IFACE="eth0"
#INET_IFACE="em1"
INET_IFACE="br0"
#INET_IFACE=$(/sbin/ifconfig | awk '/Link / { print $1 } ' | head -n 1)
INET_GW="192.168.1.1"
INET_IP="192.168.1.2"
INET_NET="192.168.1.0/24"
INET_BCAST="192.168.1.255"
#
#
# Local Interface Information
#
#LOCAL_IFACE="eth1"
LOCAL_IFACE="em2"
#LOCAL_IFACE=$(/sbin/ifconfig | awk '/Link / { print $1 } ' | sed -n -e '2{p;q;}')
LOCAL_IP="192.168.0.2"
LOCAL_NET="192.168.0.0/24"
LOCAL_BCAST="192.168.0.255"
#
#
# Localhost Interface
#
LO_IFACE="lo"
LO_IP="127.0.0.1"
#
#
# Standard Definitions
#
ALL="0/0"
CLASS_A="10.0.0.0/8"
CLASS_B="172.16.0.0/12"
CLASS_C="192.168.0.0/16"
CLASS_D_MULTICAST="224.0.0.0/4"
CLASS_E_RESERVED_NET="240.0.0.0/5"
LOOPBACK="127.0.0.0/8"
P_PORTS="0:1023"
UP_PORTS="1024:65535"
#
#
# DNS servers
#
DNS_SERVERS="83.137.248.244 93.187.151.197 8.8.8.8 8.8.4.4"
#
###########################################################################
#
# Module loading.
#
if [ $LOAD_MODULES == "yes" ]; then
#
# Initially load modules
#
$DEPMOD -a
#
# Required modules
#
$MODPROBE ip_tables # Required; all IPv4 modules depend on this one.
#$MODPROBE ip6_tables # Required; all IPv6 modules depend on this one.
$MODPROBE ip_conntrack # Allows connection tracking state match, which allows you to write rules matching the state of a connection.
$MODPROBE ip_conntrack_ftp # Permits active FTP; requires ip_conntrack. Recognises connection is related to original port 21.
$MODPROBE iptable_filter #
$MODPROBE iptable_mangle # Implement the mangle table.
$MODPROBE iptable_nat # Implement the NAT table.
$MODPROBE ip_nat_ftp #
$MODPROBE ipt_LOG #
$MODPROBE ipt_limit # Allows log limits.
$MODPROBE ipt_state # Permits packet state checking (SYN, SYN-ACK, ACK, and so on).
#
# To prevent the dmesg command showing errors such as:
# xt_recent: hitcount (25) is larger than packets to be remembered (20)
#
# The following command shows all the xt_recent parameters:
# head /sys/module/xt_recent/parameters/*
#
# ls -al /proc/net/xt_recent/
#
# Use modinfo xt_recent to see the possible parameters.
#
# ls -1 /sys/module/xt_recent/parameters/
# Any of the parameters can be checked by simply:
# cat /sys/module/xt_recent/parameters/ip_pkt_list_tot
#
#$RMMOD xt_recent
$MODPROBE xt_recent ip_list_tot=100000 ip_pkt_list_tot=255
#$MODPROBE ipt_recent ip_list_tot=100000 ip_pkt_list_tot=255
#
# Non-Required modules
#
#$MODPROBE ipt_owner #
#$MODPROBE ipt_REJECT # Implement the REJECT target.
#$MODPROBE ipt_MASQUERADE #
#$MODPROBE ip_conntrack_ftp #
#$MODPROBE ip_conntrack_irc #
#$MODPROBE ip_nat_ftp #
#$MODPROBE ip_nat_irc #
#
fi
#*********************************************************
# What to allow
#
# 0=no
# 1=yes
#
ALLOW_APPLESHARE_IN=0 # 500
ALLOW_APPLESHARE_OUT=0 # 500
ALLOW_BITTORRENT_IN=0 #
ALLOW_BITTORRENT_OUT=0 #
ALLOW_BOOTP_CLIENT_IN=0 # 68 DHCP boot protocol client
ALLOW_BOOTP_CLIENT_OUT=0 # 68 DHCP boot protocol client
ALLOW_BOOTP_SERVER_IN=0 # 67 DHCP boot protocol server
ALLOW_BOOTP_SERVER_OUT=0 # 67 DHCP boot protocol server
ALLOW_CHARGEN_IN=0 # 19
ALLOW_CHARGEN_OUT=0 # 19
ALLOW_CORBA_IIOP_IN=0 # 535
ALLOW_CORBA_IIOP_OUT=0 # 535
ALLOW_CUPS_IN=0 # CUPS printer service
ALLOW_CUPS_OUT=0 # CUPS printer service
ALLOW_CVS_IN=0 #
ALLOW_CVS_OUT=0 #
ALLOW_DAYTIME_IN=0 # 13 daytime-server
ALLOW_DAYTIME_OUT=0 # 13 daytime-server
ALLOW_DHCP_BROADCAST_IN=1 #
ALLOW_DHCP_BROADCAST_OUT=1 #
ALLOW_DISCARD_IN=0 # 9 discard-server
ALLOW_DISCARD_OUT=0 # 9 discard-server
ALLOW_DNS_IN=1 # 53
ALLOW_DNS_OUT=1 # 53
ALLOW_ECHO_IN=0 # 7 echo-server
ALLOW_ECHO_OUT=0 # 7 echo-server
ALLOW_FINGER_IN=0 # 79
ALLOW_FINGER_OUT=0 # 79
ALLOW_FTP_IN=1 # 20, 21=ftp-data
ALLOW_FTP_OUT=1 # 20, 21=ftp-data
ALLOW_HTTP_IN=1 # 80
ALLOW_HTTP_OUT=1 # 80
ALLOW_HTTPS_IN=1 # 443
ALLOW_HTTPS_OUT=1 # 443
ALLOW_ICMP_PARAM_PROBLEM_IN=0 #
ALLOW_IDENT_IN=1 # 59??? What about 113? Are these different?
ALLOW_IDENT_OUT=1 # 59??? What about 113? Are these different?
ALLOW_IMAP_IN=1 # 143
ALLOW_IMAP_OUT=1 # 143
ALLOW_IMAPS_IN=1 # 993
ALLOW_IMAPS_OUT=1 # 993
ALLOW_IRC_IN=0 #
ALLOW_IRC_OUT=0 #
ALLOW_KAZAA_IN=0 # 1214
ALLOW_KAZAA_OUT=0 # 1214
ALLOW_KPASSWD_IN=0 # 464
ALLOW_KPASSWD_OUT=0 # 464
ALLOW_KRB5_IN=0 # 88 Kerberos
ALLOW_KRB5_OUT=0 # 88 Kerberos
ALLOW_LDAP_IN=0 # 389
ALLOW_LDAP_OUT=0 # 389
ALLOW_LDAPS_IN=0 # 636 Secure LDAP
ALLOW_LDAPS_OUT=0 # 636 Secure LDAP
ALLOW_LINUX_CONF_IN=0 # 98
ALLOW_LINUX_CONF_OUT=0 # 98
ALLOW_LINUX_MOUNTD_BUG_IN=0 # 635
ALLOW_LINUX_MOUNTD_BUG_OUT=0 # 635
ALLOW_MS_EXCHANGE_IN=0 # 691
ALLOW_MS_EXCHANGE_OUT=0 # 691
ALLOW_MS_FILE_SERVER_FOR_MACINTOSH_IN=0 # 548 Enables Macintosh computer users to store and access files on a computer running Windows Server 2003.
ALLOW_MS_FILE_SERVER_FOR_MACINTOSH_OUT=0 # 548 Enables Macintosh computer users to store and access files on a computer running Windows Server 2003
ALLOW_MS_FT_DS_IN=0 # 445
ALLOW_MS_FT_DS_OUT=0 # 445
ALLOW_MS_RPC_IN=0 # 135
ALLOW_MS_RPC_OUT=0 # 135
ALLOW_MS_RPC_OVER_HTTP_IN=0 # 593
ALLOW_MS_RPC_OVER_HTTP_OUT=0 # 593
ALLOW_MSSQL_IN=0 # 1433 MSSQL database
ALLOW_MSSQL_OUT=0 # 1433 MSSQL database
ALLOW_MSSQL_MONITOR_IN=0 # 1434 MSSQL monitor
ALLOW_MSSQL_MONITOR_OUT=0 # 1434 MSSQL monitor
ALLOW_MYSQL_IN=0 # 3306 MySQL database
ALLOW_MYSQL_OUT=0 # 3306 MySQL database
ALLOW_NC_IN=0 # 2030
ALLOW_NC_OUT=0 # 2030
ALLOW_NCP_IN=0 # 524
ALLOW_NCP_OUT=0 # 524
ALLOW_NETWORK_LOG_CLIENT_IN=0 # 1394
ALLOW_NETWORK_LOG_CLIENT_OUT=0 # 1394
ALLOW_NFS_IN=0 # 1025
ALLOW_NFS_OUT=0 # 1025
ALLOW_NNTP_IN=0 # 119 NNTP news
ALLOW_NNTP_OUT=0 # 119 NNTP news
ALLOW_NTP_IN=1 # 123
ALLOW_NTP_OUT=1 # 123
ALLOW_OPENVPN_IN=0 #
ALLOW_OPENVPN_OUT=0 #
ALLOW_PCANYWHERE_IN=0 # 5623
ALLOW_PCANYWHERE_OUT=0 # 5623
ALLOW_PC_SERVER_BACKDOOR_IN=0 # 600
ALLOW_PC_SERVER_BACKDOOR_OUT=0 # 600
ALLOW_PHASE_ZERO_IN=0 # 555
ALLOW_PHASE_ZERO_OUT=0 # 555
ALLOW_PING_IN=0 #
ALLOW_PING_OUT=1 #
ALLOW_PLESK_IN=0 # PLESK desktop
ALLOW_PLESK_OUT=0 # PLESK desktop
ALLOW_PLEX_IN=1 # PLEX
ALLOW_PLEX_OUT=1 # PLEX
ALLOW_POP2_IN=0 # 109
ALLOW_POP2_OUT=0 # 109
ALLOW_POP3_IN=1 # 110
ALLOW_POP3_OUT=1 # 110
ALLOW_POP3S_IN=1 # 995
ALLOW_POP3S_OUT=1 # 995
ALLOW_POSTGRESQL_IN=0 #
ALLOW_POSTGRESQL_OUT=0 #
ALLOW_PRINT_IN=0 # 515 Allow printer port
ALLOW_PRINT_OUT=0 # 515 Allow printer port
ALLOW_REAL_SERVER_IN=0 # 554
ALLOW_REAL_SERVER_OUT=0 # 554
ALLOW_ROUTE_IN=0 # 520
ALLOW_ROUTE_OUT=0 # 520
ALLOW_RWHO_IN=0 # 513
ALLOW_RWHO_OUT=0 # 513
ALLOW_RWHOIS_IN=1 # 4321
ALLOW_RWHOIS_OUT=1 # 4321
ALLOW_SAMBA_IN=1 # 137=SMB Name, 138=SMB Data, 139=SMB Session
ALLOW_SAMBA_OUT=1 # 137=SMB Name, 138=SMB Data, 139=SMB Session
ALLOW_SGI_IRIX_TCPMUX_IN=0 # 1
ALLOW_SGI_IRIX_TCPMUX_OUT=0 # 1
ALLOW_SMTP_IN=1 # 25 Do NOT allow unencrypted SMTP! Use SMTPS instead.
ALLOW_SMTP_OUT=1 # 25 Do NOT allow unencrypted SMTP! Use SMTPS instead.
ALLOW_SMTPS_IN=1 # 465
ALLOW_SMTPS_OUT=1 # 465
ALLOW_SNMP_IN=0 # 161
ALLOW_SNMP_OUT=0 # 161
ALLOW_SOCKS5_IN=0 # 1080
ALLOW_SOCKS5_OUT=0 # 1080
ALLOW_SSH_IN=1 # 22
ALLOW_SSH_OUT=1 # 22
ALLOW_SQL_IN=0 # 1114
ALLOW_SQL_OUT=0 # 1114
ALLOW_SQUID_IN=0 # 3128 SQUID proxy
ALLOW_SQUID_OUT=0 # 3128 SQUID proxy
ALLOW_SUB7_IN=0 # 1243
ALLOW_SUB7_OUT=0 # 1243
ALLOW_SUBMISSION_IN=1 # 587
ALLOW_SUBMISSION_OUT=1 # 587
ALLOW_SUNRPC_IN=0 # 111 Also RPCbind
ALLOW_SUNRPC_OUT=0 # 111 Also RPCbind
ALLOW_SVN_IN=0 #
ALLOW_SVN_OUT=0 #
ALLOW_TELNET_IN=0 # 23
ALLOW_TELNET_OUT=0 # 23
ALLOW_TFTP_IN=0 # 69 Trivial FTP
ALLOW_TFTP_OUT=0 # 69 Trivial FTP
ALLOW_TIME_IN=0 # 37
ALLOW_TIME_OUT=0 # 37
ALLOW_TIME_SERVER_IN=0 # 525
ALLOW_TIME_SERVER_OUT=0 # 525
ALLOW_TOMCAT_IN=0 # 9080
ALLOW_TOMCAT_OUT=0 # 9080
ALLOW_TOR_OUT=0 #
ALLOW_TRACEROUTE_IN=0 #
ALLOW_TRACEROUTE_OUT=1 #
ALLOW_UNIX_SYSSTAT_IN=0 # 11
ALLOW_UNIX_SYSSTAT_OUT=0 # 11
ALLOW_UPNP_IN=0 # 2869 Universal Plug and Play
ALLOW_UPNP_OUT=0 # 2869 Universal Plug and Play
ALLOW_WEBLOGIN_IN=1 # 2054 Needed for sharing
ALLOW_WEBLOGIN_OUT=0 # 2054 Needed for sharing
ALLOW_WHOIS_IN=1 # 43 See also RWHOIS
ALLOW_WHOIS_OUT=1 # 43 See also RWHOIS
ALLOW_WINDOWS_MESSAGE_IN=0 # 1026, 1027
ALLOW_WINDOWS_MESSAGE_IN=0 # 1026, 1027
ALLOW_TRACEROUTE_IN=1 #
ALLOW_TRACEROUTE_OUT=1 #
ALLOW_XDMCP_IN=0 # 177
ALLOW_XDMCP_OUT=0 # 177
ALLOW_XWINDOWS_IN=0 #
ALLOW_XWINDOWS_OUT=0 #
ALLOW_XWINDOWS_FONTSERVER_IN=0 #
ALLOW_XWINDOWS_FONTSERVER_OUT=0 #
BLOCK_AKAMAI=1 #
BLOCK_BROADCASTS=1 #
BLOCK_BRUTE_FORCE_ATTACKS=1 #
BLOCK_CONNECTIONS_COUNT=1 #
BLOCK_DROPBOX_LAN_SYNC_BROADCASTS=1 #
BLOCK_FACEBOOK=0 #
BLOCK_FLOODS=1 #
BLOCK_SAMBA_WITHOUT_LOGGING=0 #
BLOCK_OVERSIZE_ICMP_PACKETS=1 #
BLOCK_VIRUSES=1 #
DO_BAD_PACKETS_LAST=0 # Less logging
DO_KERNEL_SECURE=1 # Set various kernel network protection on
DO_LOG_SCANS=1 # if 1 will log well known scans whilst dropping them
DO_MASQUERADE=0 # if 0 will use SNAT / DNAT
DO_PORT_KNOCKING=0 # if 1 will allow Port Knocking
DO_QUICK_NTP=0 # if 1 will allow NTP in without any checks
DO_QUOTA=0 # If 1 then will switch on quota checking
DO_REJECT_INSTEAD_OF_DROP=0 # Reject instead of drop
DO_STEALTH_ALL_IN=0 # Stealth all incoming
DO_WHITELISTING=0 # Dangerous if made a 1
#
#*********************************************************
#
# /proc sysctl settings
#
PROC_SYSCTL_IP_FORWARD=1 # To enable ipforward, VERY important
PROC_SYSCTL_BLOCK_ALL_PINGS_IN=1 # Block ALL the pings from everywhere
PROC_SYSCTL_BLOCK_BROADCAST_PINGS_IN=1 # Don't respond to broadcast pings (smurf)
PROC_SYSCTL_ICMP_ERROR_MESG=1 # Protect against bogus error messages
PROC_SYSCTL_LOG_MARTIANS=1 # Log packets with impossible addresses
PROC_SYSCTL_IP_SPOOFING=1 # Disable spoofing attacks on ALL interfaces
PROC_SYSCTL_REDUCE_DOS=1 # Reduces the timeouts and the posibility of a DOS
PROC_SYSCTL_SYN_COOKIES=1 # Enable tcp syn cookies protection
PROC_SYSCTL_TIME_STAMPS=1 # Enable tcp timestamps protection
PROC_SYSCTL_SOURCE_ROUTED=1 # Ignore source routed packets
PROC_SYSCTL_ACCEPT_REDIRECTS=1 # Ignore accepted redirected packets
PROC_SYSCTL_SEND_REDIRECTS=1 # Ignore send redirected packets
PROC_SYSCTL_SECURE_REDIRECTS=1 # Enable secure redirects
PROC_SYSCTL_DISABLE_BOOTP_RELAY=1 # Disable BootP relays
PROC_SYSCTL_DISABLE_PROXY_ARP=1 # Disable Proxy ARP
#
#*********************************************************
# Trusted hosts
#
# Hosts that are auto allowed into the system if WhiteListing
# is allowed.
#
TRUSTED_HOSTS="192.168.0.10"
UNTRUSTED_HOSTS="123.123.123.123,134.134.134.134"
#UNTRUSTED_HOSTS="123.123.123.123,www.facebook.com"
#
#*********************************************************
# Port Knocking
#
# Port knocking is a method of externally opening ports on a firewall by
# generating a connection attempt on a set of prespecified closed ports.
#
# Once a correct sequence of connection attempts is received, the firewall
# rules are dynamically modified to allow the host which sent the connection
# attempts to connect over specific port(s).
#
PORT_KNOCK_1="3456"
PORT_KNOCK_2="4567"
PORT_KNOCK_3="1234"
PORT_KNOCK_ALLOW="22"
#
#*********************************************************
# Websites to stop
#
#WEB_FACEBOOK="facebook.com"
#
#*********************************************************
# Connection limits
#
# Against brute-force attacks.
#
# 4 connect/min 5 connects/3 mins 10 connects/10 mins 25 connects/20 mins 50 connects/40 mins ...
# Offense #1 10 min 30 min 1 hour 2 hours 3 hours
# Offense #2 30 min 1 hour 2 hours 3 hours 6 hours
# Offense #3 1 hour 2 hours 3 hours 6 hours 1 day
# Offense #4 2 hours 3 hours 6 hours 1 day 1 week
# Offense #5 3 hours 6 hours 1 day 1 week 1 month
# Offense #6 6 hours 1 day 1 week 1 month 1 month
# Offense #7 1 day 1 week 1 month 1 month 1 month
# Offense #8 1 week 1 month 1 month 1 month 1 month
# Offense #9 1 month 1 month 1 month 1 month 1 month
#
CONNECTION_MAX_1=4 # 4 Connections
CONNECTION_MAX_2=5 # 5 Connections
CONNECTION_MAX_3=10 # 10 Connections
CONNECTION_MAX_4=25 # 25 Connections
CONNECTION_MAX_5=50 # 50 Connections
CONNECTION_MAX_6=75 # 75 Connections
CONNECTION_MAX_7=100 # 100 Connections
CONNECTION_MAX_8=200 # 200 Connections
CONNECTION_MAX_9=255 # 255 Connections
#
CONNECTION_LIMIT_1=60 # 1 Minute
CONNECTION_LIMIT_2=180 # 3 Minutes
CONNECTION_LIMIT_3=600 # 10 Minutes
CONNECTION_LIMIT_4=1200 # 20 Minutes
CONNECTION_LIMIT_5=2400 # 40 Minutes
CONNECTION_LIMIT_6=3600 # 60 Minutes (1 hour)
CONNECTION_LIMIT_7=7200 # 120 Minutes (2 hours)
CONNECTION_LIMIT_8=10800 # 180 Minutes (3 hours)
CONNECTION_LIMIT_9=21600 # 360 minutes (6 hours)
#
# Offence timeouts
CONNECTION_TIMEOUT_1=600 # 10 Minute
CONNECTION_TIMEOUT_2=1800 # 30 Minutes
CONNECTION_TIMEOUT_3=3600 # 60 Minutes (1 hour)
CONNECTION_TIMEOUT_4=7200 # 120 Minutes (2 hours)
CONNECTION_TIMEOUT_5=10800 # 180 Minutes (3 hours)
CONNECTION_TIMEOUT_6=21600 # 360 Minutes (6 hours)
CONNECTION_TIMEOUT_7=86400 # 24 hours (1 day)
CONNECTION_TIMEOUT_8=604800 # 168 hours (1 week)
CONNECTION_TIMEOUT_9=2635200 # 732 hours (1 month)
#*********************************************************
# Log limit
#
LOG_LEVEL=7
#LOG="LOG --log-level debug --log-tcp-sequence --log-tcp-options"
#LOG="$LOG --log-ip-options"
#LOG="--log-ip-options --log-tcp-options
#
#*********************************************************
# String Search Algorith
#
STRING_ALGO="bm"
STRING_ALGO2="kmp"
#
#*********************************************************
# Quota limits
#
QUOTA_LIMIT_TCP="2147483648" # 2 GB Quota limit
QUOTA_LIMIT_UDP="2147483648" # 2 GB Quota limit
QUOTA_LIMIT_ICMP="2147483648" # 2 GB Quota limit
#
#*********************************************************
# DNS limits
#
# Limits the number of DNS queries per second to 5/s
# with a burst rate of 15/s and does not require buffer space changes.
#
# Limit the requests per second to 5, which leads to 35 requests in 7 seconds.
# To solve the first-second burst, allow for 15 requests to happen in each of
# the seven seconds.
# DNS open time.
DNS_TIMEOUT="7"
# DNS Requests per second
DNS_BURST="15"
# DNS Requests per 7 seconds
DNS_TOTAL_REQUESTS="35"
#
#*********************************************************
# Flooding limits
#
#
# Limit per second
LIMIT_PER_SECOND="4"
#
# Limit for SYN connections
LIMIT_SYN_MAX="9"
#
# Limit for SYN-Flood detection
LIMIT_SYN="5/s"
#
#
# Burst Limit for SYN-Flood detection
LIMIT_SYN_BURST="10"
#
#
# Overall Limit for Logging in Logging-Chains
LIMIT_LOG="2/s"
#
#
# Burst Limit for Logging in Logging-Chains
LIMIT_LOG_BURST="10"
#
#
# Overall Limit for TCP-Flood-Detection
LIMIT_TCP="5/s"
#
#
# Burst Limit for TCP-Flood-Detection
LIMIT_TCP_BURST="10"
#
#
# Overall Limit for UDP-Flood-Detection
LIMIT_UDP="5/s"
#
#
# Burst Limit for TCP-Flood-Detection
LIMIT_UDP_BURST="10"
#
#
# Overall Limit for Ping-Flood-Detection
LIMIT_PING="5/s"
#
#
# Burst Limit for Ping-Flood-Detection
LIMIT_PING_BURST="10"
#
#**************************************************
#********** Do not edit beyond this line **********
#**************************************************
#
# IP Mask for all IP addresses
PORTS_UNIVERSE="0.0.0.0/0"
PORTS_BROADCAST="255.255.255.255"
#
#
# Ports for Dropbox Lan Sync Broadcasts
PORTS_DROPBOX_LAN_SYNC_BROADCASTS="17500"
#
#
# Ports for IRC-Connection-Tracking
PORTS_IRC="6665,6666,6667,6668,6669,7000"
#
#
# Ports for PLEX
PORTS_PLEX="32412:32414"
#
#
# Ports for TOR
# (http://tor.eff.org)
PORTS_TOR="9001,9002,9030,9031,9090,9091"
#
#
# Ports for traceroute
PORTS_TRACEROUTE_SRC="32769:65535"
PORTS_TRACEROUTE_DEST="33434:33523"
#
#
# Specification of the high unprivileged IP ports.
PORTS_UNPRIV="1024:65535"
PORTS_PSSH="1000:1023"
#
#
# Specification of X Window System (TCP)
PORTS_XWIN="6000:6063"
#
#*********************************************************
# AKAMAI
#
# http://www.matveev.se/net/akamai.htm
#
RANGE_AKAMAI="2.16.0.0/13,2.23.144.0/20,23.0.0.0/12,23.32.0.0/11,23.64.0.0/14,62.115.0.0/16,72.246.0.0/15,80.239.128.0/19"
RANGE_AKAMAI="$RANGE_AKAMAI,80.239.160.0/19,80.239.192.0/19,80.239.224.0/19,84.53.168.0/22,88.221.176.0/21,96.6.0.0/15"
RANGE_AKAMAI="$RANGE_AKAMAI,96.16.0.0/15,217.208.0.0/13,74.125.0.0/16,173.194.0.0/16,209.85.128.0/17"
#*********************************************************
# IANA RESERVED
#
RANGE_IANA_RESERVED="0.0.0.0/7,2.0.0.0/8,5.0.0.0/8,7.0.0.0/8,10.0.0.0/8,23.0.0.0/8,27.0.0.0/8,31.0.0.0/8,36.0.0.0/7,39.0.0.0/8"
RANGE_IANA_RESERVED="$RANGE_IANA_RESERVED,42.0.0.0/8,49.0.0.0/8,50.0.0.0/8,77.0.0.0/8,78.0.0.0/7,92.0.0.0/6,96.0.0.0/4,112.0.0.0/5"
RANGE_IANA_RESERVED="$RANGE_IANA_RESERVED,120.0.0.0/8,169.254.0.0/16,172.16.0.0/12,173.0.0.0/8,174.0.0.0/7,176.0.0.0/5,184.0.0.0/6"
RANGE_IANA_RESERVED="$RANGE_IANA_RESERVED,192.0.2.0/24,197.0.0.0/8,198.18.0.0/15,223.0.0.0/8,224.0.0.0/3"
#
#*********************************************************
# Mitigate ARP spoofing/poisoning and similar attacks.
#------------------------------------------------------------------------------
# Hardcode static ARP cache entries here
# $ARP -s IP-ADDRESS MAC-ADDRESS
#
#*********************************************************
# Delete all existing rules
#
$IPTABLES -F
$IPTABLES -t nat -F
$IPTABLES -t mangle -F
$IPTABLES -X
$IPTABLES -t nat -X
$IPTABLES -t mangle -X
#
#
# Zero all packets and counters.
#
$IPTABLES -Z
$IPTABLES -t nat -Z
$IPTABLES -t mangle -Z
#
# Set Policies
# By default, drop everything except outgoing traffic
#
$IPTABLES -P INPUT DROP
$IPTABLES -P FORWARD DROP
$IPTABLES -P OUTPUT DROP
#
# Set the nat/mangle/raw tables' chains to ACCEPT
$IPTABLES -t nat -P PREROUTING ACCEPT
$IPTABLES -t nat -P OUTPUT ACCEPT
$IPTABLES -t nat -P POSTROUTING ACCEPT
$IPTABLES -t mangle -P PREROUTING ACCEPT
$IPTABLES -t mangle -P INPUT ACCEPT
$IPTABLES -t mangle -P FORWARD ACCEPT
$IPTABLES -t mangle -P OUTPUT ACCEPT
$IPTABLES -t mangle -P POSTROUTING ACCEPT
#if [ $BLOCK_BROADCASTS -eq 1 ]
#then
#$IPTABLES -A INPUT DROP
#$IPTABLES -A INPUT -d $INET_BCAST -i INET_IFACE -j DROP
#$IPTABLES -A INPUT -d 192.168.255.255 -i INET_IFACE -j DROP
#$IPTABLES -A INPUT -d 255.255.255.255 -i INET_IFACE -j DROP
#$IPTABLES -A INPUT -m pkttype --pkt-type broadcast -j DROP
#fi
#*********************************************************
#
# Kernel configuration.
# For details see:
# * http://www.securityfocus.com/infocus/1711
# * http://www.linuxgazette.com/issue77/lechnyr.html
# * http://ipsysctl-tutorial.frozentux.net/chunkyhtml/index.html
# * /usr/src/linux/Documentation/filesystems/proc.txt
# * /usr/src/linux/Documentation/networking/ip-sysctl.txt
#
# Save these settings in the /etc/sysctl.conf file to make it permanent
#
#------------------------------------------
if [ $DO_KERNEL_SECURE -eq 1 ]
then
#------------------------------------------
# Allow port forwarding - Enable IP NAT in the Linux kernel
#
#echo 1 > /proc/sys/net/ipv4/ip_forward
if [ $PROC_SYSCTL_IP_FORWARD -eq 1 ] ; then
if [ -f /proc/sys/net/ipv4/ip_forward ] ; then
echo 1 > /proc/sys/net/ipv4/ip_forward
echo " ip_forward activated"
fi
fi
#
#------------------------------------------
# Disabling IP Spoofing
#
#echo 2 > /proc/sys/net/ipv4/conf/all/rp_filter
if [ $PROC_SYSCTL_IP_SPOOFING -eq 1 ] ; then
if [ -f /proc/sys/net/ipv4/conf/all/rp_filter ] ; then
echo "2" > /proc/sys/net/ipv4/conf/all/rp_filter
echo " .....Blocking IP spoofing attacks"
fi
#
#------------------------------------------
# Enable IP spoofing protection (i.e. source address verification).
# Note: This is special, as it seems to only be enabled if you set
# */all/rp_filter AND */eth0/rp_filter (for example) to 1! Setting only
# */all/rp_filter alone does _not_ suffice, which is pretty counter-intuitive.
#
# Turn on reverse path filtering. This helps make sure that packets use
# legitimate source addresses, by automatically rejecting incoming packets
# if the routing table entry for their source address doesn't match the
# network interface they're arriving on. This has security advantages because
# it prevents so-called IP spoofing, however it can pose problems if you use
# asymmetric routing (packets from you to a host take a different path than
# packets from that host to you) or if you operate a non-routing host which
# has several IP addresses on different interfaces.
# (Note - If you turn on IP forwarding, you will also get this).
#
for i in /proc/sys/net/ipv4/conf/*/rp_filter; do echo 1 > $i; done
#
fi
#
#------------------------------------------
# Ignore all incoming ICMP echo requests (i.e. disable ping).
# Usually not a good idea, as some protocols and users need/want this.
# echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_all
#
if [ $PROC_SYSCTL_BLOCK_ALL_PINGS_IN -eq 1 ]
then
#echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_all
if [ -f /proc/sys/net/ipv4/icmp_echo_ignore_all ] ; then
echo "1" > /proc/sys/net/ipv4/icmp_echo_ignore_all
echo " .....Blocking all incoming pings from everywhere"
fi
else
#echo 0 > /proc/sys/net/ipv4/icmp_echo_ignore_all
if [ -f /proc/sys/net/ipv4/icmp_echo_ignore_all ] ; then
echo "0" > /proc/sys/net/ipv4/icmp_echo_ignore_all
echo " .....Allowing all incoming pings from everywhere"
fi
fi
#
#------------------------------------------
# Don't respond to broadcast pings
# Ignore ICMP echo requests to broadcast/multicast addresses. We do not
# want to participate in smurf (and similar) DoS attacks.
# For details see: http://en.wikipedia.org/wiki/Smurf_attack.
#
if [ $PROC_SYSCTL_BLOCK_BROADCAST_PINGS_IN -eq 1 ]
then
#echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
if [ -f /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts ]; then
echo "1" > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
echo " .....Blocking all broadcast pings"
fi
else
#echo 0 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
if [ -f /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts ]; then
echo "0" > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
echo " .....Allowing all broadcast pings"
fi
fi
#
#------------------------------------------
# Disable multicast routing. Should not be needed, usually.
# TODO: This throws an "Operation not permitted" error. Why?
#
# The proc entry containing that value is read-only, and cannot be made writable easily.
#
#for i in /proc/sys/net/ipv4/conf/*/mc_forwarding; do echo 0 > $i; done
#
#------------------------------------------
# Protect against SYN flood attacks (see http://cr.yp.to/syncookies.html).
#
#echo 1 > /proc/sys/net/ipv4/tcp_syncookies
if [ $PROC_SYSCTL_SYN_COOKIES -eq 1 ] ; then
if [ -e /proc/sys/net/ipv4/tcp_syncookies ] ; then
echo "1" > /proc/sys/net/ipv4/tcp_syncookies
echo " .....TCP syn cookies protection enabled"
fi
fi
#
#------------------------------------------
# Kill timestamps
#
#echo 0 > /proc/sys/net/ipv4/tcp_timestamps
if [ $PROC_SYSCTL_TIME_STAMPS -eq 1 ] ; then
if [ -e /proc/sys/net/ipv4/tcp_timestamps ] ; then
echo "0" > /proc/sys/net/ipv4/tcp_timestamps
echo " .....TCP timestamps protection enabled"
fi
fi
#
#------------------------------------------
# Block source routing
#
# Don't accept source routed packets. Attackers can use source routing
# to generate traffic pretending to be from inside your network, but
# which is routed back along the path from which it came, namely outside,
# so attackers can compromise your network. Source routing is rarely
# used for legitimate purposes.
#
#echo 0 > /proc/sys/net/ipv4/conf/all/accept_source_route
if [ $PROC_SYSCTL_SOURCE_ROUTED -eq 1 ] ; then
if [ -e /proc/sys/net/ipv4/conf/all/accept_source_route ] ; then
echo "0" > /proc/sys/net/ipv4/conf/all/accept_source_route
echo " .....Ignore source routed packets"
fi
#
#------------------------------------------
# Don't accept source routed packets.
#
for i in /proc/sys/net/ipv4/conf/*/accept_source_route; do echo 0 > $i; done
#
fi
#
#------------------------------------------
# Kill redirects
#
# Disable ICMP redirect acceptance. ICMP redirects can be used to alter
# your routing tables, possibly to a bad end.
#
#echo 0 > /proc/sys/net/ipv4/conf/all/accept_redirects
#echo 0 > /proc/sys/net/ipv4/conf/all/send_redirects
if [ $PROC_SYSCTL_ACCEPT_REDIRECTS -eq 1 ] ; then
if [ -e /proc/sys/net/ipv4/conf/all/accept_redirects ]; then
echo "0" > /proc/sys/net/ipv4/conf/all/accept_redirects
echo " .....Ignore accept redirected packets"
fi
for i in /proc/sys/net/ipv4/conf/*/accept_redirects; do echo 0 > $i; done
fi
#
if [ $PROC_SYSCTL_SEND_REDIRECTS -eq 1 ] ; then
if [ -e /proc/sys/net/ipv4/conf/all/send_redirects ]; then
echo "0" > /proc/sys/net/ipv4/conf/all/send_redirects
echo " .....Ignore send redirected packets"
fi
for i in /proc/sys/net/ipv4/conf/*/send_redirects; do echo 0 > $i; done
fi
#
#------------------------------------------
# Don't accept or send ICMP redirects.
#
#for i in /proc/sys/net/ipv4/conf/*/accept_redirects; do echo 0 > $i; done
#for i in /proc/sys/net/ipv4/conf/*/send_redirects; do echo 0 > $i; done
#
#------------------------------------------
# Enable secure redirects, i.e. only accept ICMP redirects for gateways
# listed in the default gateway list. Helps against MITM attacks.
#
#for i in /proc/sys/net/ipv4/conf/*/secure_redirects; do echo 1 > $i; done
if [ $PROC_SYSCTL_SECURE_REDIRECTS -eq 1 ] ; then
for i in /proc/sys/net/ipv4/conf/*/secure_redirects; do echo 1 > $i; done
fi
#
#
#------------------------------------------
# Enable bad error message protection
# Don't log invalid responses to broadcast frames, they just clutter the logs.
#
#echo 1 > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses
if [ $PROC_SYSCTL_ICMP_ERROR_MESG -eq 1 ] ; then
if [ -f /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses ]; then
echo "1" > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses
echo " .....Enable error message protection"
fi
fi
#
#------------------------------------------
# Log martians
#
# Log packets with impossible addresses
# Log spoofed packets, source routed packets, redirect packets.
#
#echo 1 > /proc/sys/net/ipv4/conf/all/log_martians
if [ $PROC_SYSCTL_LOG_MARTIANS -eq 1 ] ; then
if [ -f /proc/sys/net/ipv4/conf/all/log_martians ] ; then
echo "1" > /proc/sys/net/ipv4/conf/all/log_martians
echo " .....Logging packets with impossible addresses"
fi
#
#------------------------------------------
# Log packets with impossible addresses.
#
for i in /proc/sys/net/ipv4/conf/*/log_martians; do echo 1 > $i; done
#
fi
#
#------------------------------------------
# Disable bootp_relay. Should not be needed, usually.
#
if [ $PROC_SYSCTL_DISABLE_BOOTP_RELAY -eq 1 ] ; then
for i in /proc/sys/net/ipv4/conf/*/bootp_relay; do echo 0 > $i; done
fi
#
#------------------------------------------
# Disable proxy_arp. Should not be needed, usually.
#
if [ $PROC_SYSCTL_DISABLE_PROXY_ARP -eq 1 ] ; then
for i in /proc/sys/net/ipv4/conf/*/proxy_arp; do echo 0 > $i; done
fi
#
#------------------------------------------
# TODO: These may mitigate ARP poisoning attacks?
# /proc/sys/net/ipv4/neigh/*/locktime
# /proc/sys/net/ipv4/neigh/*/gc_stale_time
# TODO: Check rest of /usr/src/linux/Documentation/networking/ip-sysctl.txt.
# Are there any security-relevant options I missed? Check especially:
# icmp_ratelimit, icmp_ratemask, icmp_errors_use_inbound_ifaddr, arp_*.
#
#------------------------------------------
# Set out local port range
#
#echo "32768 61000" > /proc/sys/net/ipv4/ip_local_port_range
#
#------------------------------------------
# Reduce timeouts for DoS protection
#
#echo 30 > /proc/sys/net/ipv4/tcp_fin_timeout
#
#------------------------------------------
# Other
#
#echo 2400 > /proc/sys/net/ipv4/tcp_keepalive_time
#echo 0 > /proc/sys/net/ipv4/tcp_window_scaling
#echo 0 > /proc/sys/net/ipv4/tcp_sack
#
if [ $PROC_SYSCTL_REDUCE_DOS -eq 1 ] ; then
echo "30" > /proc/sys/net/ipv4/tcp_fin_timeout
echo "2400" > /proc/sys/net/ipv4/tcp_keepalive_time
echo "0" > /proc/sys/net/ipv4/tcp_window_scaling
echo "0" > /proc/sys/net/ipv4/tcp_sack
echo " .....Denial of Service Reduction Measures"
fi
#
fi
#
#*********************************************************
#
# Completely disable IPv6.
#
# Block all IPv6 traffic
#
#------------------------------------------
# If the ip6tables command is available, try to block all IPv6 traffic.
#
if test -x $IP6TABLES; then
#------------------------------------------
# Set the default policies.
# Drop everything.
$IP6TABLES -P INPUT DROP 2>/dev/null
$IP6TABLES -P FORWARD DROP 2>/dev/null
$IP6TABLES -P OUTPUT DROP 2>/dev/null
#------------------------------------------
# The mangle table can pass everything.
$IP6TABLES -t mangle -P PREROUTING ACCEPT 2>/dev/null
$IP6TABLES -t mangle -P INPUT ACCEPT 2>/dev/null
$IP6TABLES -t mangle -P FORWARD ACCEPT 2>/dev/null
$IP6TABLES -t mangle -P OUTPUT ACCEPT 2>/dev/null
$IP6TABLES -t mangle -P POSTROUTING ACCEPT 2>/dev/null
#------------------------------------------
# Delete all rules.
$IP6TABLES -F 2>/dev/null
$IP6TABLES -t mangle -F 2>/dev/null
#------------------------------------------
# Delete all chains.
$IP6TABLES -X 2>/dev/null
$IP6TABLES -t mangle -X 2>/dev/null
#------------------------------------------
# Zero all packets and counters.
$IP6TABLES -Z 2>/dev/null
$IP6TABLES -t mangle -Z 2>/dev/null
fi
#------------------------------------------
# Shellshock
$IP6TABLES -A INPUT -m string --algo bm --hex-string '|28 29 20 7B|' -j DROP
$IP6TABLES -A INPUT -m string --algo bm --hex-string '|28 29 20 7B|' -j DROP
#*********************************************************
#
# Create the chains
#
$IPTABLES -N IANA_RESERVED
$IPTABLES -N BAD_PACKETS
$IPTABLES -N BAD_TCP_PACKETS
if [ $DO_WHITELISTING -eq 1 ]
then
$IPTABLES -N WHITELIST
fi
if [ $DO_PORT_KNOCKING -eq 1 ]
then
$IPTABLES -N PORT_KNOCK
$IPTABLES -N PORT_KNOCK_STAGE1
$IPTABLES -N PORT_KNOCK_STAGE2
$IPTABLES -N PORT_KNOCK_STAGE3
fi
$IPTABLES -N PRIVATE_PACKETS
$IPTABLES -N BLACKLIST
if [ $BLOCK_BRUTE_FORCE_ATTACKS -eq 1 ]
then
$IPTABLES -N ATTACK
$IPTABLES -N ATTACK2
$IPTABLES -N ATTACK_CHECK
$IPTABLES -N ATTACKED1
$IPTABLES -N ATTACKED2
$IPTABLES -N ATTACKED3
$IPTABLES -N ATTACKED4
$IPTABLES -N ATTACKED5
$IPTABLES -N ATTACKED6
$IPTABLES -N ATTACKED7
$IPTABLES -N ATTACKED8
$IPTABLES -N ATTACKED9
$IPTABLES -N BAN1
$IPTABLES -N BAN2
$IPTABLES -N BAN3
$IPTABLES -N BAN4
$IPTABLES -N BAN5
$IPTABLES -N BAN6
$IPTABLES -N BAN7
$IPTABLES -N BAN8
$IPTABLES -N BAN9
fi
if [ $BLOCK_FLOODS -eq 1 ]
then
$IPTABLES -N FLOODS
fi
if [ $BLOCK_VIRUSES -eq 1 ]
then
$IPTABLES -N VIRUS
fi
if [ $DO_LOG_SCANS -eq 1 ]
then
$IPTABLES -N SCANS
fi
$IPTABLES -N ICMP_IN
$IPTABLES -N ICMP_OUT
$IPTABLES -N TCP_IN
$IPTABLES -N TCP_OUT
$IPTABLES -N UDP_IN
$IPTABLES -N UDP_OUT
$IPTABLES -N NO_LOGGING
if [ $DO_QUOTA -eq 1 ]
then
$IPTABLES -N QUOTA
fi
#
#*********************************************************
# Check Quotas
#
if [ $DO_QUOTA -eq 1 ]
then
$IPTABLES -A QUOTA -p tcp -m quota --quota $QUOTA_LIMIT_TCP -j RETURN
$IPTABLES -A QUOTA -p udp -m quota --quota $QUOTA_LIMIT_UDP -j RETURN
$IPTABLES -A QUOTA -p icmp -m quota --quota $QUOTA_LIMIT_ICMP -j RETURN
$IPTABLES -A QUOTA -m limit --limit $LIMIT_LOG --limit-burst $LIMIT_LOG_BURST -j LOG --log-level $LOG_LEVEL --log-prefix "IPT=QUOTA a=DROP "
$IPTABLES -A QUOTA -j DROP
fi
#
#*********************************************************
# Filter IANA RESERVED
#
$IPTABLES -A IANA_RESERVED -s $RANGE_IANA_RESERVED -m limit --limit $LIMIT_LOG --limit-burst $LIMIT_LOG_BURST -j LOG --log-level $LOG_LEVEL --log-prefix "IPT=IANA_RESERVED a=DROP "
$IPTABLES -A IANA_RESERVED -s $RANGE_IANA_RESERVED -j DROP
#$IPTABLES -A IANA_RESERVED -s 0.0.0.0/7 -j DROP
#$IPTABLES -A IANA_RESERVED -s 2.0.0.0/8 -j DROP
#$IPTABLES -A IANA_RESERVED -s 5.0.0.0/8 -j DROP
#$IPTABLES -A IANA_RESERVED -s 7.0.0.0/8 -j DROP
#$IPTABLES -A IANA_RESERVED -s 10.0.0.0/8 -j DROP
#$IPTABLES -A IANA_RESERVED -s 23.0.0.0/8 -j DROP
#$IPTABLES -A IANA_RESERVED -s 27.0.0.0/8 -j DROP
#$IPTABLES -A IANA_RESERVED -s 31.0.0.0/8 -j DROP
#$IPTABLES -A IANA_RESERVED -s 36.0.0.0/7 -j DROP
#$IPTABLES -A IANA_RESERVED -s 39.0.0.0/8 -j DROP
#$IPTABLES -A IANA_RESERVED -s 42.0.0.0/8 -j DROP
#$IPTABLES -A IANA_RESERVED -s 49.0.0.0/8 -j DROP
#$IPTABLES -A IANA_RESERVED -s 50.0.0.0/8 -j DROP
#$IPTABLES -A IANA_RESERVED -s 77.0.0.0/8 -j DROP
#$IPTABLES -A IANA_RESERVED -s 78.0.0.0/7 -j DROP
#$IPTABLES -A IANA_RESERVED -s 92.0.0.0/6 -j DROP
#$IPTABLES -A IANA_RESERVED -s 96.0.0.0/4 -j DROP
#$IPTABLES -A IANA_RESERVED -s 112.0.0.0/5 -j DROP
#$IPTABLES -A IANA_RESERVED -s 120.0.0.0/8 -j DROP
#$IPTABLES -A IANA_RESERVED -s 169.254.0.0/16 -j DROP
#$IPTABLES -A IANA_RESERVED -s 172.16.0.0/12 -j DROP
#$IPTABLES -A IANA_RESERVED -s 173.0.0.0/8 -j DROP
#$IPTABLES -A IANA_RESERVED -s 174.0.0.0/7 -j DROP
#$IPTABLES -A IANA_RESERVED -s 176.0.0.0/5 -j DROP
#$IPTABLES -A IANA_RESERVED -s 184.0.0.0/6 -j DROP
#$IPTABLES -A IANA_RESERVED -s 192.0.2.0/24 -j DROP
#$IPTABLES -A IANA_RESERVED -s 197.0.0.0/8 -j DROP
#$IPTABLES -A IANA_RESERVED -s 198.18.0.0/15 -j DROP
#$IPTABLES -A IANA_RESERVED -s 223.0.0.0/8 -j DROP
#$IPTABLES -A IANA_RESERVED -s 224.0.0.0/3 -j DROP
#
#------------------------------------------
# All good, so return
#
$IPTABLES -A IANA_RESERVED -j RETURN
#
#
#*********************************************************
# Filter BAD packets
#
#------------------------------------------
# For TCP packet check if they are bad.
#
if [ $DO_BAD_PACKETS_LAST -eq 1 ]
then
$IPTABLES -A BAD_PACKETS -p tcp -j BAD_TCP_PACKETS
fi
#
#------------------------------------------
# Drop packets received on the external interface
# claiming a source of the local network
#
$IPTABLES -A BAD_PACKETS -p all -i $INET_IFACE -s $LOCAL_NET -m limit --limit $LIMIT_LOG --limit-burst $LIMIT_LOG_BURST -j LOG --log-level $LOG_LEVEL --log-prefix "IPT=local-source a=DROP "
$IPTABLES -A BAD_PACKETS -p all -i $INET_IFACE -s $LOCAL_NET -j DROP
#
#------------------------------------------
# Drop INVALID packets immediately (not ESTABLISHED, RELATED or NEW)
#
# Note: ICMPv6 Neighbor Discovery packets remain untracked, and will
# always be classified "INVALID" though they are not corrupted or
# thelike. Keep this in mind, and accept them before this rule!
# iptables -A INPUT -p 41 -j ACCEPT
#
$IPTABLES -A BAD_PACKETS -p all -m conntrack --ctstate INVALID -m limit --limit $LIMIT_LOG --limit-burst $LIMIT_LOG_BURST -j LOG --log-level $LOG_LEVEL --log-prefix "IPT=invalid a=DROP "
$IPTABLES -A BAD_PACKETS -p all -m conntrack --ctstate INVALID -j DROP
#
#------------------------------------------
# Drop packets with incoming fragments.
# This attack results in Linux Server panic resulting in possible data loss.
#
$IPTABLES -A BAD_PACKETS -p all -f -m limit --limit $LIMIT_LOG --limit-burst $LIMIT_LOG_BURST -j LOG --log-level $LOG_LEVEL --log-prefix "IPT=fragmeted a=DROP "
$IPTABLES -A BAD_PACKETS -p all -f -j DROP
#
#------------------------------------------
# For TCP packet check if they are bad.
#
if [ $DO_BAD_PACKETS_LAST -eq 0 ]
then
$IPTABLES -A BAD_PACKETS -p tcp -j BAD_TCP_PACKETS
fi
#
#------------------------------------------
# All good, so return
#
$IPTABLES -A BAD_PACKETS -j RETURN
#
#*********************************************************
# Filter bad TCP packets
#
# Flags are: SYN ACK FIN RST URG PSH ALL NONE
#
# The only flag that is allowed to be sent along
# with a SYN is ACK, and this only in the 2nd
# packet of the 3-way-handshake.
#
#------------------------------------------
# Erroneous flags
#
# Allow these...
#
#iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
#iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
#iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# Any TCP packet which is not a part of an established connection falls into
# one of three categories: (1) connection handshake, (2) stray resend, or
# (3) invalid. Here we discard stray resends and log obvious hack attempts.
# See table below:
#
# SYN RST ACK What it means Action
# =========== ============= =======
# 0 0 0 invalid logdrop
# 0 0 1 stray resend DROP
# 0 1 0 stray resend DROP
# 0 1 1 stray resend DROP
# 1 0 0 conn attempt ok
# 1 0 1 conn response ok
# 1 1 0 invalid logdrop
# 1 1 1 invalid logdrop
#iptables -A INPUT -p tcp --tcp-flags SYN,RST,ACK NONE -j logdrop
#iptables -A INPUT -p tcp --tcp-flags SYN,RST,ACK ACK -j DROP
#iptables -A INPUT -p tcp --tcp-flags SYN,RST RST -j DROP
#iptables -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j logdrop
#iptables -A FORWARD -p tcp --tcp-flags SYN,RST,ACK NONE -j logdrop
#iptables -A FORWARD -p tcp --tcp-flags SYN,RST,ACK ACK -j DROP
#iptables -A FORWARD -p tcp --tcp-flags SYN,RST RST -j DROP
#iptables -A FORWARD -p tcp --tcp-flags SYN,RST SYN,RST -j logdrop
#iptables -A OUTPUT -p tcp --tcp-flags SYN,RST,ACK NONE -j logdrop
#iptables -A OUTPUT -p tcp --tcp-flags SYN,RST,ACK ACK -j DROP
#iptables -A OUTPUT -p tcp --tcp-flags SYN,RST RST -j DROP
#iptables -A OUTPUT -p tcp --tcp-flags SYN,RST SYN,RST -j logdrop
#-A INPUT -p tcp -m tcp –tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j DROP
#-A INPUT -p tcp -m tcp –tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,RST,PSH,ACK,URG -j DROP
#-A INPUT -p tcp -m tcp –tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,PSH,URG -j DROP
#-A INPUT -p tcp -m tcp –tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,RST,ACK,URG -j DROP
#-A INPUT -p tcp -m tcp –tcp-flags SYN,RST SYN,RST -j DROP
#-A INPUT -p tcp -m tcp –tcp-flags FIN,SYN FIN,SYN -j DROP
#-A INPUT -m state –state INVALID -j DROP
## peter - 3 mar 2017
#-A INPUT -m state --state INVALID -j DROP
#-A INPUT -p tcp ! --syn -m state --state NEW -j DROP
#-A INPUT -p tcp --tcp-flags ACK,FIN FIN -j DROP
#-A INPUT -p tcp --tcp-flags ACK,PSH PSH -j DROP
#-A INPUT -p tcp --tcp-flags ACK,URG URG -j DROP
#-A INPUT -p tcp --tcp-flags FIN,RST FIN,RST -j DROP
#-A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
#-A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
#-A INPUT -p tcp --tcp-flags ALL ALL -j DROP # XMAS-ALL scan
#-A INPUT -p tcp --tcp-flags ALL NONE -j DROP
#-A INPUT -p tcp --tcp-flags ALL FIN,PSH,URG -j DROP # XMAS scan
#-A INPUT -p tcp --tcp-flags ALL SYN,FIN,PSH,URG -j DROP
#-A INPUT -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j DROP # XMAS-PSH scan
#-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j DROP
#-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN FIN,SYN -j DROP
#-A INPUT -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -j DROP # SYN/RST scan
#-A INPUT -p tcp -m tcp --tcp-flags FIN,RST FIN,RST -j DROP
#-A INPUT -p tcp -m tcp --tcp-flags FIN,ACK FIN -j DROP
#-A INPUT -p tcp -m tcp --tcp-flags ACK,URG URG -j DROP
#-A INPUT -p tcp -m tcp --tcp-flags PSH,ACK PSH -j DROP
#-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,PSH,URG -j DROP
#-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,RST,ACK,URG -j DROP
#-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,RST,PSH,ACK,URG -j DROP
#-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN -j DROP
#------------------------------------------
# Malformed packets
#
$IPTABLES -A BAD_TCP_PACKETS -p tcp --tcp-flags ALL FIN,PSH,URG -m limit --limit $LIMIT_LOG --limit-burst $LIMIT_LOG_BURST -j LOG --log-level $LOG_LEVEL --log-prefix "IPT=XMAS-scan a=DROP "
$IPTABLES -A BAD_TCP_PACKETS -p tcp --tcp-flags ALL FIN,PSH,URG -j DROP
#
$IPTABLES -A BAD_TCP_PACKETS -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -m limit --limit $LIMIT_LOG --limit-burst $LIMIT_LOG_BURST -j LOG --log-level $LOG_LEVEL --log-prefix "IPT=XMAS-PSH-scan a=DROP "
$IPTABLES -A BAD_TCP_PACKETS -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j DROP
#
$IPTABLES -A BAD_TCP_PACKETS -p tcp --tcp-flags ALL ALL -m limit --limit $LIMIT_LOG --limit-burst $LIMIT_LOG_BURST -j LOG --log-level $LOG_LEVEL --log-prefix "IPT=XMAS-ALL-scan a=DROP "
$IPTABLES -A BAD_TCP_PACKETS -p tcp --tcp-flags ALL ALL -j DROP
#
$IPTABLES -A BAD_TCP_PACKETS -p tcp --tcp-flags ALL FIN -m limit --limit $LIMIT_LOG --limit-burst $LIMIT_LOG_BURST -j LOG --log-level $LOG_LEVEL --log-prefix "IPT=FIN-scan a=DROP "
$IPTABLES -A BAD_TCP_PACKETS -p tcp --tcp-flags ALL FIN -j DROP
#
#------------------------------------------
# Sending SYN in conjunction with RST means, that a connection shall # This is A violation of RFC793.
#
$IPTABLES -A BAD_TCP_PACKETS -p tcp --tcp-flags SYN,RST SYN,RST -m limit --limit $LIMIT_LOG --limit-burst $LIMIT_LOG_BURST -j LOG --log-level $LOG_LEVEL --log-prefix "IPT=SYN/RST-scan a=DROP "
$IPTABLES -A BAD_TCP_PACKETS -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
#
$IPTABLES -A BAD_TCP_PACKETS -p tcp --tcp-flags SYN,FIN SYN,FIN -m limit --limit $LIMIT_LOG --limit-burst $LIMIT_LOG_BURST -j LOG --log-level $LOG_LEVEL --log-prefix "IPT=SYN/FIN-scan a=DROP "
$IPTABLES -A BAD_TCP_PACKETS -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
#
$IPTABLES -A BAD_TCP_PACKETS -p tcp --tcp-flags ALL NONE -m limit --limit $LIMIT_LOG --limit-burst $LIMIT_LOG_BURST -j LOG --log-level $LOG_LEVEL --log-prefix "IPT=Null-scan a=DROP "
$IPTABLES -A BAD_TCP_PACKETS -p tcp --tcp-flags ALL NONE -j DROP
#
$IPTABLES -A BAD_TCP_PACKETS -p tcp --tcp-flags ALL URG,PSH,SYN,FIN -m limit --limit $LIMIT_LOG --limit-burst $LIMIT_LOG_BURST -j LOG --log-level $LOG_LEVEL --log-prefix "IPT=NMAP-ID-scan a=DROP "
$IPTABLES -A BAD_TCP_PACKETS -p tcp --tcp-flags ALL URG,PSH,SYN,FIN -j DROP
#
$IPTABLES -A BAD_TCP_PACKETS -p tcp --tcp-flags FIN,RST FIN,RST -m limit --limit $LIMIT_LOG --limit-burst $LIMIT_LOG_BURST -j LOG --log-level $LOG_LEVEL --log-prefix "IPT=BAD_TCP:FIN/RST a=DROP "
$IPTABLES -A BAD_TCP_PACKETS -p tcp --tcp-flags FIN,RST FIN,RST -j DROP
#
#------------------------------------------
# FIN scan, nmap v3.0 sends ACK,FIN FIN
#
$IPTABLES -A BAD_TCP_PACKETS -p tcp --tcp-flags FIN,ACK FIN -m limit --limit $LIMIT_LOG --limit-burst $LIMIT_LOG_BURST -j LOG --log-level $LOG_LEVEL --log-prefix "IPT=BAD_TCP:FAF a=DROP "
$IPTABLES -A BAD_TCP_PACKETS -p tcp --tcp-flags FIN,ACK FIN -j DROP
#
$IPTABLES -A BAD_TCP_PACKETS -p tcp --tcp-flags ACK,URG URG -m limit --limit $LIMIT_LOG --limit-burst $LIMIT_LOG_BURST -j LOG --log-level $LOG_LEVEL --log-prefix "IPT=BAD_TCP:AUU a=DROP "
$IPTABLES -A BAD_TCP_PACKETS -p tcp --tcp-flags ACK,URG URG -j DROP
#
$IPTABLES -A BAD_TCP_PACKETS -p tcp --tcp-flags ACK,PSH PSH -m limit --limit $LIMIT_LOG --limit-burst $LIMIT_LOG_BURST -j LOG --log-level $LOG_LEVEL --log-prefix "IPT=BAD_TCP:APP a=DROP "
$IPTABLES -A BAD_TCP_PACKETS -p tcp --tcp-flags ACK,PSH PSH -j DROP
#
$IPTABLES -A BAD_TCP_PACKETS -p tcp --tcp-flags ACK,FIN FIN -m limit --limit $LIMIT_LOG --limit-burst $LIMIT_LOG_BURST -j LOG --log-level $LOG_LEVEL --log-prefix "IPT=BAD_TCP:AFF a=DROP "
$IPTABLES -A BAD_TCP_PACKETS -p tcp --tcp-flags ACK,FIN FIN -j DROP
##
# Seems to stop Firefox using HTTP to get web pages from this server
# Therefore disabled for now...
##
#$IPTABLES -A BAD_TCP_PACKETS -p tcp --tcp-flags SYN,URG SYN -m limit --limit $LIMIT_LOG --limit-burst $LIMIT_LOG_BURST -j LOG --log-level $LOG_LEVEL --log-prefix "IPT=BAD_TCP:SUS a=DROP "
#$IPTABLES -A BAD_TCP_PACKETS -p tcp --tcp-flags SYN,URG SYN -j DROP
#
#------------------------------------------
# Unclean packets...same as above (but this option is still listed as experimental)
#
#$IPTABLES -A BAD_TCP_PACKETS -i $INET_IFACE -m unclean -j LOG --log-prefix "IPT=BAD_TCP:unclean a=DROP "
#$IPTABLES -A BAD_TCP_PACKETS -i $INET_IFACE -m unclean -j DROP
#
#------------------------------------------
# New connections that have no syn set are most probably bad.
# Also known as ACK scan
#
$IPTABLES -A BAD_TCP_PACKETS -p tcp ! --syn -m conntrack --ctstate NEW -m limit --limit $LIMIT_LOG --limit-burst $LIMIT_LOG_BURST -j LOG --log-level $LOG_LEVEL --log-prefix "IPT=new-not-syn a=DROP "
$IPTABLES -A BAD_TCP_PACKETS -p tcp ! --syn -m conntrack --ctstate NEW -j DROP
#
$IPTABLES -A BAD_TCP_PACKETS -p tcp ! --tcp-flags SYN,RST,ACK SYN -m conntrack --ctstate NEW -m limit --limit $LIMIT_LOG --limit-burst $LIMIT_LOG_BURST -j LOG --log-level $LOG_LEVEL --log-prefix "IPT=new-not-syn2 a=DROP "
$IPTABLES -A BAD_TCP_PACKETS -p tcp ! --tcp-flags SYN,RST,ACK SYN -m conntrack --ctstate NEW -j DROP
#$IPTABLES -A BAD_TCP_PACKETS -p tcp -m tcp ! --tcp-flags SYN,RST,ACK SYN -m state --state NEW -j REJECT --reject-with icmp-net-unreachable
#
#------------------------------------------
# Port 0 fingerprint attempt
#
$IPTABLES -A BAD_TCP_PACKETS -p tcp --dport 0 -m limit --limit 1/h --limit-burst 1 -j LOG --log-level $LOG_LEVEL --log-prefix "IPT=TCP:finger:0 a=DROP "
$IPTABLES -A BAD_TCP_PACKETS -p tcp --dport 0 -j DROP
#
#------------------------------------------
# Invalid TCP Options
#
$IPTABLES -A BAD_TCP_PACKETS -p tcp --tcp-option 64 -m limit --limit $LIMIT_LOG --limit-burst $LIMIT_LOG_BURST -j LOG --log-level $LOG_LEVEL --log-prefix "IPT=TCP:Bad Flag(64) a=DROP "
$IPTABLES -A BAD_TCP_PACKETS -p tcp --tcp-option 64 -j DROP
#
$IPTABLES -A BAD_TCP_PACKETS -p tcp --tcp-option 128 -m limit --limit $LIMIT_LOG --limit-burst $LIMIT_LOG_BURST -j LOG --log-level $LOG_LEVEL --log-prefix "IPT=TCP:Bad Flag(128) a=DROP "
$IPTABLES -A BAD_TCP_PACKETS -p tcp --tcp-option 128 -j DROP
#
#------------------------------------------
# All good, so return
#
$IPTABLES -A BAD_TCP_PACKETS -p tcp -j RETURN
#
#*********************************************************
# Whitelisting
#
# Always allow these packets
#
# High-priority packets which should always be accepted without much
# delay.
#
# Using this chain will break firewall security and will result in
# this not passing certain security standards. However, there may
# be specific reasons where this might be useful.
#
#------------------------------------------
#
if [ $DO_WHITELISTING -eq 1 ]
then
#------------------------------------------
# Allow NTP
#
# To provide accurate timing, it is necessary to have a low delay
# when processing networking packets of the Network Time Protocol.
#
# These packets are sent as UDP packets to port 123. For this
# reason these packets are directly accepted, without checking
# further rules. These packets might originate from an attacker,
# and even be part of a DDOS attack, but we accept that situation.
# The processing of NTP packets has such a low overhead that even
# when packets are coming in at a very high speed, it wont take too
# much CPU resources. There are also no states preserved as with
# the TCP protocol which could cause buffer overflows. The only
# thing which might happen is saturation of the network, but that
# would happen with a DDOS attack independent of us accepting or
# dropping the incoming packets.
#
if [ $DO_QUICK_NTP -eq 1 ]
then
$IPTABLES -A WHITELIST -p udp -m conntrack --ctstate NEW --dport 123 -j ACCEPT
fi
#
#------------------------------------------
# ???Allow unpriviledged ports
#
#$IPTABLES -A UDP_OUT -p tcp -o $INET_IFACE -s $INET_IP --sport $PORTS_UNPRIV -m conntrack --ctstate NEW -j ACCEPT
#
#------------------------------------------
# Add trusted hosts:
#
# The "remove" clears the whitelisted host out of the recently seen
# BLACKLIST table, and because it has an ACCEPT jump target, should
# stop further processing anyway.
#
$IPTABLES -A WHITELIST -s $TRUSTED_HOSTS -m recent --remove --name BLACKLIST -j ACCEPT
$IPTABLES -A WHITELIST -s $TRUSTED_HOSTS -m recent --remove --name BANNED1 -j ACCEPT
$IPTABLES -A WHITELIST -s $TRUSTED_HOSTS -m recent --remove --name BANNED2 -j ACCEPT
$IPTABLES -A WHITELIST -s $TRUSTED_HOSTS -m recent --remove --name BANNED3 -j ACCEPT
$IPTABLES -A WHITELIST -s $TRUSTED_HOSTS -m recent --remove --name BANNED4 -j ACCEPT
$IPTABLES -A WHITELIST -s $TRUSTED_HOSTS -m recent --remove --name BANNED5 -j ACCEPT
$IPTABLES -A WHITELIST -s $TRUSTED_HOSTS -m recent --remove --name BANNED6 -j ACCEPT
$IPTABLES -A WHITELIST -s $TRUSTED_HOSTS -m recent --remove --name BANNED7 -j ACCEPT
$IPTABLES -A WHITELIST -s $TRUSTED_HOSTS -m recent --remove --name BANNED8 -j ACCEPT
$IPTABLES -A WHITELIST -s $TRUSTED_HOSTS -m recent --remove --name BANNED9 -j ACCEPT
#
#------------------------------------------
# All good, so return
#
$IPTABLES -A WHITELIST -j RETURN
#
#------------------------------------------
fi
#
#*********************************************************
# Port Knocking
#
# Allow Port Knocking
#
# Port knocking is a method of externally opening ports on a firewall by
# generating a connection attempt on a set of prespecified closed ports.
#
# Once a correct sequence of connection attempts is received, the firewall
# rules are dynamically modified to allow the host which sent the connection
# attempts to connect over specific port(s).
#------------------------------------------
#
if [ $DO_PORT_KNOCKING -eq 1 ]
then
#------------------------------------------
$IPTABLES -A PORT_KNOCK_STAGE1 -m recent --remove --name knock
$IPTABLES -A PORT_KNOCK_STAGE1 -p tcp --dport $PORT_KNOCK_1 -m recent --set --name knock2
$IPTABLES -A PORT_KNOCK_STAGE2 -m recent --remove --name knock2
$IPTABLES -A PORT_KNOCK_STAGE2 -p tcp --dport $PORT_KNOCK_2 -m recent --set --name heaven
$IPTABLES -A PORT_KNOCK_STAGE3 -m recent --rcheck --seconds 5 --name knock2 -j PORT_KNOCK_STAGE2
$IPTABLES -A PORT_KNOCK_STAGE3 -m recent --rcheck --seconds 5 --name knock -j PORT_KNOCK_STAGE1
$IPTABLES -A PORT_KNOCK_STAGE3 -p tcp --dport $PORT_KNOCK_3 -m recent --set --name knock
$IPTABLES -A PORT_KNOCK -p tcp --dport $PORT_KNOCK_ALLOW -m recent --rcheck --seconds 5 --name heaven -j ACCEPT
$IPTABLES -A PORT_KNOCK -p tcp --syn -j PORT_KNOCK_STAGE3
#------------------------------------------
# All good, so return
#
$IPTABLES -A PORT_KNOCK -j RETURN
#
#------------------------------------------
fi
#
#*********************************************************
# Filter Enemies
#
#------------------------------------------
#
# This will limit brute-force attacks.
#
# It performs multiple tests against the number of connections within specific
# timeframes. If any of the total connections has exceeded the maximum
# allowed connections for that specific timeframe then it is banned for a
# certain time period.
#
# If still further connections come in whilst it is banned then this will
# cause it to move to an even higher level of ban, i.e. to be banned for
# even longer.
#
# Whilst a connection is banned no subsequent connection attempts will be
# allowed before it will resume allowing connections again.
#
# The --rttl option also takes into account the TTL of the
# datagram when matching packets, so as to endeavour to mitigate
# against spoofed source addresses.
#
# Allows for whitelisting.
#
# The Linux kernel will maintain a list of portscan IPs which
# can be accessed at the location /proc/net/ipt_recent/BLACKLIST
#
if [ $BLOCK_BRUTE_FORCE_ATTACKS -eq 1 ]
then
# Check for any offences.
# If so then drop for that period of time, into the specific banned group - which determines the timeout.
# Otherwise, if not yet banned, check if this is an attack.
$IPTABLES -A BLACKLIST -m recent --rcheck --seconds $CONNECTION_TIMEOUT_9 --name BANNED9 --rsource -j DROP
$IPTABLES -A BLACKLIST -m recent --rcheck --seconds $CONNECTION_TIMEOUT_8 --name BANNED8 --rsource -j DROP
$IPTABLES -A BLACKLIST -m recent --rcheck --seconds $CONNECTION_TIMEOUT_7 --name BANNED7 --rsource -j DROP
$IPTABLES -A BLACKLIST -m recent --rcheck --seconds $CONNECTION_TIMEOUT_6 --name BANNED6 --rsource -j DROP
$IPTABLES -A BLACKLIST -m recent --rcheck --seconds $CONNECTION_TIMEOUT_5 --name BANNED5 --rsource -j DROP
$IPTABLES -A BLACKLIST -m recent --rcheck --seconds $CONNECTION_TIMEOUT_4 --name BANNED4 --rsource -j DROP
$IPTABLES -A BLACKLIST -m recent --rcheck --seconds $CONNECTION_TIMEOUT_3 --name BANNED3 --rsource -j DROP
$IPTABLES -A BLACKLIST -m recent --rcheck --seconds $CONNECTION_TIMEOUT_2 --name BANNED2 --rsource -j DROP
$IPTABLES -A BLACKLIST -m recent --rcheck --seconds $CONNECTION_TIMEOUT_1 --name BANNED1 --rsource -j DROP
$IPTABLES -A BLACKLIST -m conntrack --ctstate NEW -j ATTACK_CHECK
# Check if we are under attack.
# If so jump to the specific ban.
# If not yet under attack, then record initial instance.
$IPTABLES -A ATTACK_CHECK -m recent --update --seconds $CONNECTION_LIMIT_9 --hitcount $CONNECTION_MAX_9 --name ATTACK --rsource --rttl -j ATTACKED9
$IPTABLES -A ATTACK_CHECK -m recent --update --seconds $CONNECTION_LIMIT_8 --hitcount $CONNECTION_MAX_8 --name ATTACK --rsource --rttl -j ATTACKED8
$IPTABLES -A ATTACK_CHECK -m recent --update --seconds $CONNECTION_LIMIT_7 --hitcount $CONNECTION_MAX_7 --name ATTACK --rsource --rttl -j ATTACKED7
$IPTABLES -A ATTACK_CHECK -m recent --update --seconds $CONNECTION_LIMIT_6 --hitcount $CONNECTION_MAX_6 --name ATTACK --rsource --rttl -j ATTACKED6
$IPTABLES -A ATTACK_CHECK -m recent --update --seconds $CONNECTION_LIMIT_5 --hitcount $CONNECTION_MAX_5 --name ATTACK --rsource --rttl -j ATTACKED5
$IPTABLES -A ATTACK_CHECK -m recent --update --seconds $CONNECTION_LIMIT_4 --hitcount $CONNECTION_MAX_4 --name ATTACK --rsource --rttl -j ATTACKED4
$IPTABLES -A ATTACK_CHECK -m recent --update --seconds $CONNECTION_LIMIT_3 --hitcount $CONNECTION_MAX_3 --name ATTACK --rsource --rttl -j ATTACKED3
$IPTABLES -A ATTACK_CHECK -m recent --update --seconds $CONNECTION_LIMIT_2 --hitcount $CONNECTION_MAX_2 --name ATTACK --rsource --rttl -j ATTACKED2
$IPTABLES -A ATTACK_CHECK -m recent --update --seconds $CONNECTION_LIMIT_1 --hitcount $CONNECTION_MAX_1 --name ATTACK --rsource --rttl -j ATTACKED1
# ATTACK2 only contains data if ATTACK is full.
# Contains the max allowed from /sys/module/xt_recent/parameters/ip_list_tot.
#if [ $(wc -l < /proc/net/xt_recent/ATTACK) >= 10000 ]
#then;
#$IPTABLES -A ATTACK_CHECK -m recent --update --seconds $CONNECTION_LIMIT_9 --hitcount $CONNECTION_MAX_9 --name ATTACK2 --rsource --rttl -j ATTACKED9
#$IPTABLES -A ATTACK_CHECK -m recent --update --seconds $CONNECTION_LIMIT_8 --hitcount $CONNECTION_MAX_8 --name ATTACK2 --rsource --rttl -j ATTACKED8
#$IPTABLES -A ATTACK_CHECK -m recent --update --seconds $CONNECTION_LIMIT_7 --hitcount $CONNECTION_MAX_7 --name ATTACK2 --rsource --rttl -j ATTACKED7
#$IPTABLES -A ATTACK_CHECK -m recent --update --seconds $CONNECTION_LIMIT_6 --hitcount $CONNECTION_MAX_6 --name ATTACK2 --rsource --rttl -j ATTACKED6
#$IPTABLES -A ATTACK_CHECK -m recent --update --seconds $CONNECTION_LIMIT_5 --hitcount $CONNECTION_MAX_5 --name ATTACK2 --rsource --rttl -j ATTACKED5
#$IPTABLES -A ATTACK_CHECK -m recent --update --seconds $CONNECTION_LIMIT_4 --hitcount $CONNECTION_MAX_4 --name ATTACK2 --rsource --rttl -j ATTACKED4
#$IPTABLES -A ATTACK_CHECK -m recent --update --seconds $CONNECTION_LIMIT_3 --hitcount $CONNECTION_MAX_3 --name ATTACK2 --rsource --rttl -j ATTACKED3
#$IPTABLES -A ATTACK_CHECK -m recent --update --seconds $CONNECTION_LIMIT_2 --hitcount $CONNECTION_MAX_2 --name ATTACK2 --rsource --rttl -j ATTACKED2
#$IPTABLES -A ATTACK_CHECK -m recent --update --seconds $CONNECTION_LIMIT_1 --hitcount $CONNECTION_MAX_1 --name ATTACK2 --rsource --rttl -j ATTACKED1
#fi
#$IPTABLES -A ATTACK_CHECK -m recent --set --name ATTACK --rsource
#
# To accomodate when /proc/net/xt_recent/ATTACK contains the max allowed
# as can be seen from /sys/module/xt_recent/parameters/ip_list_tot then
# instead of adding into ATTACH add to ATTACK2...
#
#if [ $(wc -l < /proc/net/xt_recent/ATTACK) < 10000 ]
#then;
$IPTABLES -A ATTACK_CHECK -m recent --set --name ATTACK --rsource
#else
# Check if we are under attack.
# If so jump to the specific ban.
# If not yet under attack, then record initial instance.
#$IPTABLES -A ATTACK_CHECK -m recent --update --seconds $CONNECTION_LIMIT_9 --hitcount $CONNECTION_MAX_9 --name ATTACK2 --rsource --rttl -j ATTACKED9
#$IPTABLES -A ATTACK_CHECK -m recent --update --seconds $CONNECTION_LIMIT_8 --hitcount $CONNECTION_MAX_8 --name ATTACK2 --rsource --rttl -j ATTACKED8
#$IPTABLES -A ATTACK_CHECK -m recent --update --seconds $CONNECTION_LIMIT_7 --hitcount $CONNECTION_MAX_7 --name ATTACK2 --rsource --rttl -j ATTACKED7
#$IPTABLES -A ATTACK_CHECK -m recent --update --seconds $CONNECTION_LIMIT_6 --hitcount $CONNECTION_MAX_6 --name ATTACK2 --rsource --rttl -j ATTACKED6
#$IPTABLES -A ATTACK_CHECK -m recent --update --seconds $CONNECTION_LIMIT_5 --hitcount $CONNECTION_MAX_5 --name ATTACK2 --rsource --rttl -j ATTACKED5
#$IPTABLES -A ATTACK_CHECK -m recent --update --seconds $CONNECTION_LIMIT_4 --hitcount $CONNECTION_MAX_4 --name ATTACK2 --rsource --rttl -j ATTACKED4
#$IPTABLES -A ATTACK_CHECK -m recent --update --seconds $CONNECTION_LIMIT_3 --hitcount $CONNECTION_MAX_3 --name ATTACK2 --rsource --rttl -j ATTACKED3
#$IPTABLES -A ATTACK_CHECK -m recent --update --seconds $CONNECTION_LIMIT_2 --hitcount $CONNECTION_MAX_2 --name ATTACK2 --rsource --rttl -j ATTACKED2
#$IPTABLES -A ATTACK_CHECK -m recent --update --seconds $CONNECTION_LIMIT_1 --hitcount $CONNECTION_MAX_1 --name ATTACK2 --rsource --rttl -j ATTACKED1
#$IPTABLES -A ATTACK_CHECK -m recent --set --name ATTACK2 --rsource
#fi
#------------------------------------------
# All good, so return
#
#$IPTABLES -A ATTACK_CHECK -j ACCEPT
$IPTABLES -A ATTACK_CHECK -j RETURN
#
# Loop through all BANNED groups and jump to 1st one found.
$IPTABLES -A ATTACKED1 -m recent --rcheck --name BANNED8 --rsource -j BAN9
$IPTABLES -A ATTACKED1 -m recent --rcheck --name BANNED7 --rsource -j BAN8
$IPTABLES -A ATTACKED1 -m recent --rcheck --name BANNED6 --rsource -j BAN7
$IPTABLES -A ATTACKED1 -m recent --rcheck --name BANNED5 --rsource -j BAN6
$IPTABLES -A ATTACKED1 -m recent --rcheck --name BANNED4 --rsource -j BAN5
$IPTABLES -A ATTACKED1 -m recent --rcheck --name BANNED3 --rsource -j BAN4
$IPTABLES -A ATTACKED1 -m recent --rcheck --name BANNED2 --rsource -j BAN3
$IPTABLES -A ATTACKED1 -m recent --rcheck --name BANNED1 --rsource -j BAN2
$IPTABLES -A ATTACKED1 -j BAN1
# Loop through all BANNED groups and jump to 1st one found.
$IPTABLES -A ATTACKED2 -m recent --rcheck --name BANNED8 --rsource -j BAN9
$IPTABLES -A ATTACKED2 -m recent --rcheck --name BANNED7 --rsource -j BAN8
$IPTABLES -A ATTACKED2 -m recent --rcheck --name BANNED6 --rsource -j BAN7
$IPTABLES -A ATTACKED2 -m recent --rcheck --name BANNED5 --rsource -j BAN6
$IPTABLES -A ATTACKED2 -m recent --rcheck --name BANNED4 --rsource -j BAN5
$IPTABLES -A ATTACKED2 -m recent --rcheck --name BANNED3 --rsource -j BAN4
$IPTABLES -A ATTACKED2 -m recent --rcheck --name BANNED2 --rsource -j BAN3
$IPTABLES -A ATTACKED2 -j BAN2
# Loop through all BANNED groups and jump to 1st one found.
$IPTABLES -A ATTACKED3 -m recent --rcheck --name BANNED8 --rsource -j BAN9
$IPTABLES -A ATTACKED3 -m recent --rcheck --name BANNED7 --rsource -j BAN8
$IPTABLES -A ATTACKED3 -m recent --rcheck --name BANNED6 --rsource -j BAN7
$IPTABLES -A ATTACKED3 -m recent --rcheck --name BANNED5 --rsource -j BAN6
$IPTABLES -A ATTACKED3 -m recent --rcheck --name BANNED4 --rsource -j BAN5
$IPTABLES -A ATTACKED3 -m recent --rcheck --name BANNED3 --rsource -j BAN4
$IPTABLES -A ATTACKED3 -j BAN3
# Loop through all BANNED groups and jump to 1st one found.
$IPTABLES -A ATTACKED4 -m recent --rcheck --name BANNED8 --rsource -j BAN9
$IPTABLES -A ATTACKED4 -m recent --rcheck --name BANNED7 --rsource -j BAN8
$IPTABLES -A ATTACKED4 -m recent --rcheck --name BANNED6 --rsource -j BAN7
$IPTABLES -A ATTACKED4 -m recent --rcheck --name BANNED5 --rsource -j BAN6
$IPTABLES -A ATTACKED4 -m recent --rcheck --name BANNED4 --rsource -j BAN5
$IPTABLES -A ATTACKED4 -j BAN4
# Loop through all BANNED groups and jump to 1st one found.
$IPTABLES -A ATTACKED5 -m recent --rcheck --name BANNED8 --rsource -j BAN9
$IPTABLES -A ATTACKED5 -m recent --rcheck --name BANNED7 --rsource -j BAN8
$IPTABLES -A ATTACKED5 -m recent --rcheck --name BANNED6 --rsource -j BAN7
$IPTABLES -A ATTACKED5 -m recent --rcheck --name BANNED5 --rsource -j BAN6
$IPTABLES -A ATTACKED5 -j BAN5
# Loop through all BANNED groups and jump to 1st one found.
$IPTABLES -A ATTACKED6 -m recent --rcheck --name BANNED8 --rsource -j BAN9
$IPTABLES -A ATTACKED6 -m recent --rcheck --name BANNED7 --rsource -j BAN8
$IPTABLES -A ATTACKED6 -m recent --rcheck --name BANNED6 --rsource -j BAN7
$IPTABLES -A ATTACKED6 -j BAN6
# Loop through all BANNED groups and jump to 1st one found.
$IPTABLES -A ATTACKED7 -m recent --rcheck --name BANNED8 --rsource -j BAN9
$IPTABLES -A ATTACKED7 -m recent --rcheck --name BANNED7 --rsource -j BAN8
$IPTABLES -A ATTACKED7 -j BAN7
# Loop through all BANNED groups and jump to 1st one found.
$IPTABLES -A ATTACKED8 -m recent --rcheck --name BANNED8 --rsource -j BAN9
$IPTABLES -A ATTACKED8 -j BAN8
# Only 1 possible group to jump to.
$IPTABLES -A ATTACKED9 -j BAN9
# Log and then Drop.
$IPTABLES -A BAN1 -m limit --limit $LIMIT_LOG -j LOG --log-level $LOG_LEVEL --log-prefix "IPT=BAN1 a=DROP "
$IPTABLES -A BAN1 -m recent --set --name BANNED1 --rsource -j DROP
# Log.
# Remove from prev BANNED group.
# Add to next higher BANNED group; therefore more delay.
# Drop.
$IPTABLES -A BAN2 -m limit --limit $LIMIT_LOG -j LOG --log-level $LOG_LEVEL --log-prefix "IPT=BAN2 a=DROP "
$IPTABLES -A BAN2 -m recent --remove --name BANNED1 --rsource
$IPTABLES -A BAN2 -m recent --set --name BANNED2 --rsource -j DROP
$IPTABLES -A BAN3 -m limit --limit $LIMIT_LOG -j LOG --log-level $LOG_LEVEL --log-prefix "IPT=BAN3 a=DROP "
$IPTABLES -A BAN3 -m recent --remove --name BANNED2 --rsource
$IPTABLES -A BAN3 -m recent --set --name BANNED3 --rsource -j DROP
$IPTABLES -A BAN4 -m limit --limit $LIMIT_LOG -j LOG --log-level $LOG_LEVEL --log-prefix "IPT=BAN4 a=DROP "
$IPTABLES -A BAN4 -m recent --remove --name BANNED3 --rsource
$IPTABLES -A BAN4 -m recent --set --name BANNED4 --rsource -j DROP
$IPTABLES -A BAN5 -m limit --limit $LIMIT_LOG -j LOG --log-level $LOG_LEVEL --log-prefix "IPT=BAN5 a=DROP "
$IPTABLES -A BAN5 -m recent --remove --name BANNED4 --rsource
$IPTABLES -A BAN5 -m recent --set --name BANNED5 --rsource -j DROP
$IPTABLES -A BAN6 -m limit --limit $LIMIT_LOG -j LOG --log-level $LOG_LEVEL --log-prefix "IPT=BAN6 a=DROP "
$IPTABLES -A BAN6 -m recent --remove --name BANNED5 --rsource
$IPTABLES -A BAN6 -m recent --set --name BANNED6 --rsource -j DROP
$IPTABLES -A BAN7 -m limit --limit $LIMIT_LOG -j LOG --log-level $LOG_LEVEL --log-prefix "IPT=BAN7 a=DROP "
$IPTABLES -A BAN7 -m recent --remove --name BANNED6 --rsource
$IPTABLES -A BAN7 -m recent --set --name BANNED7 --rsource -j DROP
$IPTABLES -A BAN8 -m limit --limit $LIMIT_LOG -j LOG --log-level $LOG_LEVEL --log-prefix "IPT=BAN8 a=DROP "
$IPTABLES -A BAN8 -m recent --remove --name BANNED7 --rsource
$IPTABLES -A BAN8 -m recent --set --name BANNED8 --rsource -j DROP
$IPTABLES -A BAN9 -m limit --limit $LIMIT_LOG -j LOG --log-level $LOG_LEVEL --log-prefix "IPT=BAN9 a=DROP "
$IPTABLES -A BAN9 -m recent --remove --name BANNED8 --rsource
$IPTABLES -A BAN9 -m recent --set --name BANNED9 --rsource -j DROP
#
fi
#
#------------------------------------------
#
# This will allow three connections from any given IP address
# within a 60 second period, and require 60 seconds of no
# subsequent connection attempts before it will resume allowing
# connections again.
#
# The --rttl option also takes into account the TTL of the
# datagram when matching packets, so as to endeavour to mitigate
# against spoofed source addresses.
#
# Does not not stop any established connections from the host
# that has made too many connections in a short period of time.
#
# Allows for whitelisting.
#
# The Linux kernel will maintain a list of portscan IPs which
# can be accessed at the location /proc/net/ipt_recent/BLACKLIST
#
##########################################################START
#
#
#
#
#if [ $BLOCK_CONNECTIONS_COUNT -eq 1 ]
#then
# These rules are set to simply count the number of new connections.
#$IPTABLES -A BLACKLIST -m conntrack --ctstate NEW -m recent --set --name CONNECTION_COUNT_1
#$IPTABLES -A BLACKLIST -m conntrack --ctstate NEW -m recent --set --name CONNECTION_COUNT_2
#$IPTABLES -A BLACKLIST -m conntrack --ctstate NEW -m recent --set --name CONNECTION_COUNT_3
#$IPTABLES -A BLACKLIST -m conntrack --ctstate NEW -m recent --set --name CONNECTION_COUNT_4
#$IPTABLES -A BLACKLIST -m conntrack --ctstate NEW -m recent --set --name CONNECTION_COUNT_5
#$IPTABLES -A BLACKLIST -m conntrack --ctstate NEW -m recent --set --name CONNECTION_COUNT_6
#$IPTABLES -A BLACKLIST -m conntrack --ctstate NEW -m recent --set --name CONNECTION_COUNT_7
#$IPTABLES -A BLACKLIST -m conntrack --ctstate NEW -m recent --set --name CONNECTION_COUNT_8
#$IPTABLES -A BLACKLIST -m conntrack --ctstate NEW -m recent --set --name CONNECTION_COUNT_9
#
#$IPTABLES -A BLACKLIST -m conntrack --ctstate NEW -m recent --name CONNECTION_COUNT_9 --update --seconds $CONNECTION_TIMEOUT_9 --hitcount $CONNECTION_MAX_9 --rttl -j LOG --log-level $LOG_LEVEL --log-prefix "IPT=CONN_COUNT_9 a=DROP "
#$IPTABLES -A BLACKLIST -m conntrack --ctstate NEW -m recent --name CONNECTION_COUNT_9 --update --seconds $CONNECTION_TIMEOUT_9 --hitcount $CONNECTION_MAX_9 --rttl -j DROP
#$IPTABLES -A BLACKLIST -m conntrack --ctstate NEW -m recent --name CONNECTION_COUNT_8 --update --seconds $CONNECTION_TIMEOUT_8 --hitcount $CONNECTION_MAX_8 --rttl -j LOG --log-level $LOG_LEVEL --log-prefix "IPT=CONN_COUNT_8 a=DROP "
#$IPTABLES -A BLACKLIST -m conntrack --ctstate NEW -m recent --name CONNECTION_COUNT_8 --update --seconds $CONNECTION_TIMEOUT_8 --hitcount $CONNECTION_MAX_8 --rttl -j DROP
#$IPTABLES -A BLACKLIST -m conntrack --ctstate NEW -m recent --name CONNECTION_COUNT_7 --update --seconds $CONNECTION_TIMEOUT_7 --hitcount $CONNECTION_MAX_7 --rttl -j LOG --log-level $LOG_LEVEL --log-prefix "IPT=CONN_COUNT_7 a=DROP "
#$IPTABLES -A BLACKLIST -m conntrack --ctstate NEW -m recent --name CONNECTION_COUNT_7 --update --seconds $CONNECTION_TIMEOUT_7 --hitcount $CONNECTION_MAX_7 --rttl -j DROP
#$IPTABLES -A BLACKLIST -m conntrack --ctstate NEW -m recent --name CONNECTION_COUNT_6 --update --seconds $CONNECTION_TIMEOUT_6 --hitcount $CONNECTION_MAX_6 --rttl -j LOG --log-level $LOG_LEVEL --log-prefix "IPT=CONN_COUNT_6 a=DROP "
#$IPTABLES -A BLACKLIST -m conntrack --ctstate NEW -m recent --name CONNECTION_COUNT_6 --update --seconds $CONNECTION_TIMEOUT_6 --hitcount $CONNECTION_MAX_6 --rttl -j DROP
#$IPTABLES -A BLACKLIST -m conntrack --ctstate NEW -m recent --name CONNECTION_COUNT_5 --update --seconds $CONNECTION_TIMEOUT_5 --hitcount $CONNECTION_MAX_5 --rttl -j LOG --log-level $LOG_LEVEL --log-prefix "IPT=CONN_COUNT_5 a=DROP "
#$IPTABLES -A BLACKLIST -m conntrack --ctstate NEW -m recent --name CONNECTION_COUNT_5 --update --seconds $CONNECTION_TIMEOUT_5 --hitcount $CONNECTION_MAX_5 --rttl -j DROP
#$IPTABLES -A BLACKLIST -m conntrack --ctstate NEW -m recent --name CONNECTION_COUNT_4 --update --seconds $CONNECTION_TIMEOUT_4 --hitcount $CONNECTION_MAX_4 --rttl -j LOG --log-level $LOG_LEVEL --log-prefix "IPT=CONN_COUNT_4 a=DROP "
#$IPTABLES -A BLACKLIST -m conntrack --ctstate NEW -m recent --name CONNECTION_COUNT_4 --update --seconds $CONNECTION_TIMEOUT_4 --hitcount $CONNECTION_MAX_4 --rttl -j DROP
#$IPTABLES -A BLACKLIST -m conntrack --ctstate NEW -m recent --name CONNECTION_COUNT_3 --update --seconds $CONNECTION_TIMEOUT_3 --hitcount $CONNECTION_MAX_3 --rttl -j LOG --log-level $LOG_LEVEL --log-prefix "IPT=CONN_COUNT_3 a=DROP "
#$IPTABLES -A BLACKLIST -m conntrack --ctstate NEW -m recent --name CONNECTION_COUNT_3 --update --seconds $CONNECTION_TIMEOUT_3 --hitcount $CONNECTION_MAX_3 --rttl -j DROP
#$IPTABLES -A BLACKLIST -m conntrack --ctstate NEW -m recent --name CONNECTION_COUNT_2 --update --seconds $CONNECTION_TIMEOUT_2 --hitcount $CONNECTION_MAX_2 --rttl -j LOG --log-level $LOG_LEVEL --log-prefix "IPT=CONN_COUNT_2 a=DROP "
#$IPTABLES -A BLACKLIST -m conntrack --ctstate NEW -m recent --name CONNECTION_COUNT_2 --update --seconds $CONNECTION_TIMEOUT_2 --hitcount $CONNECTION_MAX_2 --rttl -j DROP
#$IPTABLES -A BLACKLIST -m conntrack --ctstate NEW -m recent --name CONNECTION_COUNT_1 --update --seconds $CONNECTION_TIMEOUT_1 --hitcount $CONNECTION_MAX_1 --rttl -j LOG --log-level $LOG_LEVEL --log-prefix "IPT=CONN_COUNT_1 a=DROP "
#$IPTABLES -A BLACKLIST -m conntrack --ctstate NEW -m recent --name CONNECTION_COUNT_1 --update --seconds $CONNECTION_TIMEOUT_1 --hitcount $CONNECTION_MAX_1 --rttl -j DROP
#
#fi
#
############################################################END
#
#------------------------------------------
# Block any other required ports
#
#$IPTABLES -A BLACKLIST -i ! lo -m tcp -p tcp --dport 1433 -m recent --name BLACKLIST --set -j DROP
#$IPTABLES -A BLACKLIST -i ! lo -m tcp -p tcp --dport 3306 -m recent --name BLACKLIST --set -j DROP
#$IPTABLES -A BLACKLIST -i ! lo -m tcp -p tcp --dport 8086 -m recent --name BLACKLIST --set -j DROP
#$IPTABLES -A BLACKLIST -i ! lo -m tcp -p tcp --dport 10000 -m recent --name BLACKLIST --set -j DROP
#$IPTABLES -A BLACKLIST -s 99.99.99.99 -j DROP
#
#------------------------------------------
# Block partizans
#
$IPTABLES -A BLACKLIST -s $UNTRUSTED_HOSTS -j DROP
#
#------------------------------------------
# Drop Private Network Address On Public Interface
#
#$IPTABLES -A BLACKLIST -s LOCAL_NET -i INET_IFACE -j LOG --log-level $LOG_LEVEL --log-prefix "IPT=INET Addr on Local a=DROP "
#$IPTABLES -A BLACKLIST -s LOCAL_NET -i INET_IFACE -j DROP
#
#------------------------------------------
# Block any flooding
#
if [ $BLOCK_FLOODS -eq 1 ]
then
$IPTABLES -A BLACKLIST -j FLOODS
fi
#
#------------------------------------------
# Block Viruses
#
if [ $BLOCK_VIRUSES -eq 1 ]
then
$IPTABLES -A BLACKLIST -j VIRUS
fi
#
#------------------------------------------
# Block Akamai
#
# http://www.matveev.se/net/akamai.htm
#
if [ $BLOCK_AKAMAI -eq 1 ]
then
$IPTABLES -A BLACKLIST -s $RANGE_AKAMAI -m limit --limit $LIMIT_LOG --limit-burst $LIMIT_LOG_BURST -j LOG --log-level $LOG_LEVEL --log-prefix "IPT=AKAMAI a=DROP "
$IPTABLES -A BLACKLIST -s $RANGE_AKAMAI -j DROP
#$IPTABLES -A BLACKLIST -s 2.16.0.0/13 -j DROP
#$IPTABLES -A BLACKLIST -s 2.23.144.0/20 -j DROP
#$IPTABLES -A BLACKLIST -s 23.0.0.0/12 -j DROP
#$IPTABLES -A BLACKLIST -s 23.32.0.0/11 -j DROP
#$IPTABLES -A BLACKLIST -s 23.64.0.0/14 -j DROP
#$IPTABLES -A BLACKLIST -s 62.115.0.0/16 -j DROP
#$IPTABLES -A BLACKLIST -s 72.246.0.0/15 -j DROP
#$IPTABLES -A BLACKLIST -s 80.239.128.0/19 -j DROP
#$IPTABLES -A BLACKLIST -s 80.239.160.0/19 -j DROP
#$IPTABLES -A BLACKLIST -s 80.239.192.0/19 -j DROP
#$IPTABLES -A BLACKLIST -s 80.239.224.0/19 -j DROP
#$IPTABLES -A BLACKLIST -s 84.53.168.0/22 -j DROP
#$IPTABLES -A BLACKLIST -s 88.221.176.0/21 -j DROP
#$IPTABLES -A BLACKLIST -s 96.6.0.0/15 -j DROP
#$IPTABLES -A BLACKLIST -s 96.16.0.0/15 -j DROP
#$IPTABLES -A BLACKLIST -s 217.208.0.0/13 -j DROP
#$IPTABLES -A BLACKLIST -s 74.125.0.0/16 -j DROP
#$IPTABLES -A BLACKLIST -s 74.125.0.0/16 -j DROP
#$IPTABLES -A BLACKLIST -s 173.194.0.0/16 -j DROP
#$IPTABLES -A BLACKLIST -s 173.194.0.0/16 -j DROP
#$IPTABLES -A BLACKLIST -s 173.194.0.0/16 -j DROP
#$IPTABLES -A BLACKLIST -s 209.85.128.0/17 -j DROP
#$IPTABLES -A BLACKLIST -s 209.85.128.0/17 -j DROP
fi
#
#------------------------------------------
if [ $BLOCK_FACEBOOK -eq 1 ]
then
$IPTABLES -A BLACKLIST -p tcp -m iprange --dst-range 66.220.144.0-66.220.159.255 --dport 443 -j DROP
$IPTABLES -A BLACKLIST -p tcp -m iprange --dst-range 69.63.176.0-69.63.191.255 --dport 443 -j DROP
$IPTABLES -A BLACKLIST -p tcp -m iprange --dst-range 204.15.20.0-204.15.23.255 --dport 443 -j DROP
$IPTABLES -A BLACKLIST -p tcp -m iprange --dst-range 66.220.144.0-66.220.159.255 --dport 80 -j DROP
$IPTABLES -A BLACKLIST -p tcp -m iprange --dst-range 69.63.176.0-69.63.191.255 --dport 80 -j DROP
$IPTABLES -A BLACKLIST -p tcp -m iprange --dst-range 204.15.20.0-204.15.23.255 --dport 80 -j DROP
fi
#
#------------------------------------------
# All good, so return
#
$IPTABLES -A BLACKLIST -j RETURN
#
#*********************************************************
# Filter Floods
#
if [ $BLOCK_FLOODS -eq 1 ]
then
#
# Allow 4 TCP connects per second, no more
# Allow $LIMIT_PER_SECOND TCP connects per second, no more
#
#$IPTABLES -A FLOODS -m limit --limit 1/s --limit-burst 4 -j RETURN
$IPTABLES -A FLOODS -m limit --limit 1/s --limit-burst $LIMIT_PER_SECOND -j RETURN
#
#------------------------------------------
# Block DDOS - SYN-flood
#
#$IPTABLES -A FLOODS -p tcp --syn -m connlimit --connlimit-above 9 -j LOG --log-level $LOG_LEVEL --log-prefix "IPT=TCP:SYN flood:1 a=DROP "
#$IPTABLES -A FLOODS -p tcp --syn -m connlimit --connlimit-above 9 -j DROP
$IPTABLES -A FLOODS -p tcp --syn -m connlimit --connlimit-above $LIMIT_SYN_MAX -j LOG --log-level $LOG_LEVEL --log-prefix "IPT=TCP:SYN Flood a=DROP "
$IPTABLES -A FLOODS -p tcp --syn -m connlimit --connlimit-above $LIMIT_SYN_MAX -j DROP
#
# PETER - possibably instead of dropping set a mark or a name and only if name set right at bottom then drop.
# - else it seems that 1st drop for e.g. tcp wont allow this to reach 2nd tcp check...
#------------------------------------------
# TCP Flood protection. Accept $LIMIT_TCP requests/sec, rest will be logged/dropped.
#
$IPTABLES -A FLOODS -p tcp -m limit --limit $LIMIT_TCP --limit-burst $LIMIT_TCP_BURST -j RETURN
$IPTABLES -A FLOODS -p tcp -m limit --limit $LIMIT_LOG --limit-burst $LIMIT_LOG_BURST -j LOG --log-level $LOG_LEVEL --log-prefix "IPT=TCP:Flood a=DROP "
$IPTABLES -A FLOODS -p tcp -m limit -j DROP
#
#------------------------------------------
# UDP Flood protection. Accept $LIMIT_UDP requests/sec, rest will be logged/dropped.
#
$IPTABLES -A FLOODS -p udp -m limit --limit $LIMIT_UDP --limit-burst $LIMIT_UDP_BURST -j RETURN
$IPTABLES -A FLOODS -p udp -m limit --limit $LIMIT_LOG --limit-burst $LIMIT_LOG_BURST -j LOG --log-level $LOG_LEVEL --log-prefix "IPT=UDP:Flood a=DROP "
$IPTABLES -A FLOODS -p udp -m limit -j DROP
#
#------------------------------------------
# TCP Flood protection. Accept $LIMIT_PING requests/sec, rest will be logged/dropped.
# 3 minutes ban for flooders
#
#
$IPTABLES -A FLOODS -p tcp -m limit --limit 2/s --limit-burst 6 -m comment --comment "IPT=TCP:Flood Limit " -j RETURN
$IPTABLES -A FLOODS -p tcp -m limit --limit 6/h --limit-burst 1 -j LOG --log-prefix "IPT=TCP:Flood Limit a=DROP "
$IPTABLES -A FLOODS -p tcp -m recent --name FLOOD --set -m comment --comment "IPT=TCP:Flood Limit a=DROP " -j DROP
#
#------------------------------------------
# Limit UDP rate to 10/sec with burst at 20 (sometimes it is not enough, if you know a better average rate, let me know!)
# 3 minutes ban for flooders
#
$IPTABLES -A FLOODS -p udp -m limit --limit 10/s --limit-burst 20 -m comment --comment "IPT=UDP:Flood Limit " -j RETURN
$IPTABLES -A FLOODS -p udp -m limit --limit 6/h --limit-burst 1 -j LOG --log-prefix "IPT=UDP:Flood Limit a=DROP"
$IPTABLES -A FLOODS -p udp -m recent --name FLOOD --set -m comment --comment "IPT=UDP:Flood Limit a=DROP " -j DROP
#
#------------------------------------------
# All good, so return
#
$IPTABLES -A FLOODS -j RETURN
#
#
fi
#
#*********************************************************
# Create a chain to filter known Viruses
#
#
if [ $BLOCK_VIRUSES -eq 1 ]
then
#
# One of the most powerful netfilter patches allows you to match
# packets based on their content.
#
# Use the experimental string-matching patch to filter out packets
# that match a certain string.
#
#------------------------------------------
# DROP HTTP packets related to CodeRed and Nimda viruses silently
#
#$IPTABLES -A VIRUS -t filter -p tcp -i $INET_IFACE -d $LOCAL_IP --dport 80 -m string --string "/default.ida?" --algo $STRING_ALGO -j DROP
#$IPTABLES -A VIRUS -t filter -p tcp -i $INET_IFACE -d $LOCAL_IP --dport 80 -m string --string ".exe?/c+dir" --algo $STRING_ALGO -j DROP
#$IPTABLES -A VIRUS -t filter -p tcp -i $INET_IFACE -d $LOCAL_IP --dport 80 -m string --string ".exe?/c+tftp" --algo $STRING_ALGO -j DROP
#
#------------------------------------------
# If you port forward your HTTP requests to an internal host,
# filter out the CodeRed virus in the FORWARD chain with this rule:
#
#$IPTABLES -A FORWARD -t filter -p tcp --dport 80 -m string --string "/default.ida?" --algo $STRING_ALGO -j DROP
#
#------------------------------------------
# Torrent ALGO Strings using Boyer-Moore
#
$IPTABLES -A VIRUS -t filter -m string --algo bm --string "BitTorrent" -j DROP
$IPTABLES -A VIRUS -t filter -m string --algo bm --string "BitTorrent protocol" -j DROP
$IPTABLES -A VIRUS -t filter -m string --algo bm --string "peer_id=" -j DROP
$IPTABLES -A VIRUS -t filter -m string --algo bm --string ".torrent" -j DROP
$IPTABLES -A VIRUS -t filter -m string --algo bm --string "announce.php?passkey=" -j DROP
$IPTABLES -A VIRUS -t filter -m string --algo bm --string "torrent" -j DROP
$IPTABLES -A VIRUS -t filter -m string --algo bm --string "announce" -j DROP
$IPTABLES -A VIRUS -t filter -m string --algo bm --string "info_hash" -j DROP
$IPTABLES -A VIRUS -t filter -m string --algo bm --string "/default.ida?" -j DROP
$IPTABLES -A VIRUS -t filter -m string --algo bm --string ".exe?/c+dir" -j DROP
$IPTABLES -A VIRUS -t filter -m string --algo bm --string ".exe?/c_tftp" -j DROP
#
#------------------------------------------
# Torrent Keys
#
$IPTABLES -A VIRUS -t filter -m string --algo kmp --string "peer_id" -j DROP
$IPTABLES -A VIRUS -t filter -m string --algo kmp --string "BitTorrent" -j DROP
$IPTABLES -A VIRUS -t filter -m string --algo kmp --string "BitTorrent protocol" -j DROP
$IPTABLES -A VIRUS -t filter -m string --algo kmp --string "bittorrent-announce" -j DROP
$IPTABLES -A VIRUS -t filter -m string --algo kmp --string "announce.php?passkey=" -j DROP
#
#------------------------------------------
# Distributed Hash Table (DHT) Keywords
#
$IPTABLES -A VIRUS -t filter -m string --algo kmp --string "find_node" -j DROP
$IPTABLES -A VIRUS -t filter -m string --algo kmp --string "info_hash" -j DROP
$IPTABLES -A VIRUS -t filter -m string --algo kmp --string "get_peers" -j DROP
$IPTABLES -A VIRUS -t filter -m string --algo kmp --string "announce" -j DROP
$IPTABLES -A VIRUS -t filter -m string --algo kmp --string "announce_peers" -j DROP
#
# Block Common Virus Ports
#iptables -A OUTPUT -o eth0 -p tcp --dport 31337 --sport 31337 -j DROP
#iptables -A FORWARD -o eth0 -p tcp --dport 31337 --sport 31337 -j DROP
# add action=drop chain=virus comment="Blaster Worm" dst-port=135-139 protocol=tcp
# add action=drop chain=virus comment="Blaster Worm" dst-port=445 protocol=tcp
# add action=drop chain=virus comment="Messenger Worm" dst-port=135-139 protocol=udp
# add action=drop chain=virus comment="Blaster Worm" dst-port=445 protocol=udp
# add action=drop chain=virus comment=________ dst-port=593 protocol=tcp
# add action=drop chain=virus comment=________ dst-port=1024-1030 protocol=tcp
# add action=drop chain=virus comment=MyDoom dst-port=1080 protocol=tcp
# add action=drop chain=virus comment=________ dst-port=1214 protocol=tcp
# add action=drop chain=virus comment="ndm requester" dst-port=1363 protocol=tcp
# add action=drop chain=virus comment="ndm server" dst-port=1364 protocol=tcp
# add action=drop chain=virus comment="screen cast" dst-port=1368 protocol=tcp
# add action=drop chain=virus comment=hromgrafx dst-port=1373 protocol=tcp
# add action=drop chain=virus comment=cichlid dst-port=1377 protocol=tcp
# add action=drop chain=virus comment="Bagle Virus" dst-port=2745 protocol=tcp
# add action=drop chain=virus comment=Dumaru.Y dst-port=2283 protocol=tcp
# add action=drop chain=virus comment=Beagle dst-port=2535 protocol=tcp
# add action=drop chain=virus comment=Beagle.C-K dst-port=2745 protocol=tcp
# add action=drop chain=virus comment=MyDoom dst-port=3127-3128 protocol=tcp
# add action=drop chain=virus comment="Backdoor OptixPro" dst-port=3410 protocol=tcp
# add action=drop chain=virus comment=Sasser dst-port=5554 protocol=tcp
# add action=drop chain=virus comment=Beagle.B dst-port=8866 protocol=tcp
# add action=drop chain=virus comment=Dabber.A-B dst-port=9898 protocol=tcp
# add action=drop chain=virus comment=Dumaru.Y dst-port=10000 protocol=tcp
# add action=drop chain=virus comment=MyDoom.B dst-port=10080 protocol=tcp
# add action=drop chain=virus comment=NetBus dst-port=12345 protocol=tcp
# add action=drop chain=virus comment=Kuang2 dst-port=17300 protocol=tcp
# add action=drop chain=virus comment=SubSeven dst-port=27374 protocol=tcp
# add action=drop chain=virus comment="PhatBot, Agobot, Gaobot" dst-port=65506 protocol=tcp
#------------------------------------------
# All good, so return
#
$IPTABLES -A VIRUS -j RETURN
#
#
fi
#
#*********************************************************
# Create a chain to filter PRIVATE ADDRESS packets
# This chain is for inbound (from the Internet) private packets only.
#
#------------------------------------------
# Drop packets from private address ranges coming in on the external
# Drop multicast adresses
#
$IPTABLES -A PRIVATE_PACKETS -s 0.0.0.0/8 -m limit --limit $LIMIT_LOG --limit-burst $LIMIT_LOG_BURST -j LOG --log-level $LOG_LEVEL --log-prefix "IPT=IP_SPOOF:0 a=DROP "
$IPTABLES -A PRIVATE_PACKETS -s 0.0.0.0/8 -j DROP
#
$IPTABLES -A PRIVATE_PACKETS -s 10.0.0.0/8 -m limit --limit $LIMIT_LOG --limit-burst $LIMIT_LOG_BURST -j LOG --log-level $LOG_LEVEL --log-prefix "IPT=IP_SPOOF:A a=DROP "
$IPTABLES -A PRIVATE_PACKETS -s 10.0.0.0/8 -j DROP
#
$IPTABLES -A PRIVATE_PACKETS -s 127.0.0.0/8 -m limit --limit $LIMIT_LOG --limit-burst $LIMIT_LOG_BURST -j LOG --log-level $LOG_LEVEL --log-prefix "IPT=IP_SPOOF:127 a=DROP "
$IPTABLES -A PRIVATE_PACKETS -s 127.0.0.0/8 -j DROP
#
$IPTABLES -A PRIVATE_PACKETS -s 169.254.0.0/16 -m limit --limit $LIMIT_LOG --limit-burst $LIMIT_LOG_BURST -j LOG --log-level $LOG_LEVEL --log-prefix "IPT=IP_SPOOF:169 a=DROP "
$IPTABLES -A PRIVATE_PACKETS -s 169.254.0.0/16 -j DROP
#
$IPTABLES -A PRIVATE_PACKETS -s 172.16.0.0/12 -m limit --limit $LIMIT_LOG --limit-burst $LIMIT_LOG_BURST -j LOG --log-level $LOG_LEVEL --log-prefix "IPT=IP_SPOOF:B a=DROP "
$IPTABLES -A PRIVATE_PACKETS -s 172.16.0.0/12 -j DROP
#
$IPTABLES -A PRIVATE_PACKETS -s 192.16.0.0/16 -m limit --limit $LIMIT_LOG --limit-burst $LIMIT_LOG_BURST -j LOG --log-level $LOG_LEVEL --log-prefix "IPT=IP_SPOOF:C a=DROP "
$IPTABLES -A PRIVATE_PACKETS -s 192.0.0.0/24 -j DROP
#
$IPTABLES -A PRIVATE_PACKETS -s 224.0.0.0/4 -m limit --limit $LIMIT_LOG --limit-burst $LIMIT_LOG_BURST -j LOG --log-level $LOG_LEVEL --log-prefix "IPT=IP_SPOOF:D a=DROP "
$IPTABLES -A PRIVATE_PACKETS -s 224.0.0.0/4 -j DROP
#
$IPTABLES -A PRIVATE_PACKETS -s 239.255.255.0/24 -m limit --limit $LIMIT_LOG --limit-burst $LIMIT_LOG_BURST -j LOG --log-level $LOG_LEVEL --log-prefix "IPT=IP_SPOOF:239 a=DROP "
$IPTABLES -A PRIVATE_PACKETS -s 239.255.255.0/24 -j DROP
#
$IPTABLES -A PRIVATE_PACKETS -s 240.0.0.0/5 -m limit --limit $LIMIT_LOG --limit-burst $LIMIT_LOG_BURST -j LOG --log-level $LOG_LEVEL --log-prefix "IPT=IP_SPOOF:240 a=DROP "
$IPTABLES -A PRIVATE_PACKETS -s 240.0.0.0/5 -j DROP
#
$IPTABLES -A PRIVATE_PACKETS -s 248.0.0.0/5 -m limit --limit $LIMIT_LOG --limit-burst $LIMIT_LOG_BURST -j LOG --log-level $LOG_LEVEL --log-prefix "IPT=IP_SPOOF:248 a=DROP "
$IPTABLES -A PRIVATE_PACKETS -s 248.0.0.0/5 -j DROP
#
# 255=FAKE CLASS E
#
$IPTABLES -A PRIVATE_PACKETS -s 255.255.255.255/32 -m limit --limit $LIMIT_LOG --limit-burst $LIMIT_LOG_BURST -j LOG --log-level $LOG_LEVEL --log-prefix "IPT=IP_SPOOF:255 a=DROP "
$IPTABLES -A PRIVATE_PACKETS -s 255.255.255.255/32 -j DROP
#
#------------------------------------------
# All good, so return
#
$IPTABLES -A PRIVATE_PACKETS -j RETURN
#
#*********************************************************
# Create a chain to filter incoming ICMP packets
# This chain is for inbound (from the Internet) icmp packets only.
#
# For more info on ICMP types.
#
# http://www.iana.org/assignments/icmp-parameters/icmp-parameters.xml
# iptables -p icmp -h
#
#
# Type 0 is for echo-reply
# Type 1 is Unassigned
# Type 2 is Unassigned
# Type 3 is for destination-unreachable
# Type 4 is for source quench (depreciated)
# Type 5 is for redirect
# Type 6 is for alternative host address
# Type 7 is Unassigned
# Type 8 is for echo-request.
# Type 9 is for router advertisement
# Type 10 is for router solicitation
# Type 11 is for time-exceeded
# Type 12 is for parameter problem
# Type 13 is for timestamp
# Type 14 is for timestamp-reply
# Type 15 is for information-request
# Type 16 is for information-reply
# Type 17 is for address-mask-request
# Type 18 is for address-mask-reply
# Type 19 is reserved (for security)
# Type 30 is for traceroute
# Type 31 is for datagram conversion error
# Type 32 is for mobile host redirect
# Type 33 is for IPv6 where-are you
# Type 34 is for IPv6 I-am-here
# Type 35 is for mobile registration request
# Type 36 is for mobile registration reply
# Type 37 is for domain name request
# Type 38 is for domain name reply
# Type 39 is for SKIP
# Type 40 is for Photunis
# Type 41 is for ICMP messages utilized by experimental mobility protocols such as Seamoby
#
#
#--reject-with icmp-port-unreachable
#--reject-with icmp6-port-unreachable
#
#$IPTABLES -A ICMP_IN -i INET_IFACE -p icmp --icmp-type address-mask-reply -j ACCEPT
#$IPTABLES -A ICMP_IN -i INET_IFACE -p icmp --icmp-type required-option-missing -j ACCEPT
#$IPTABLES -A ICMP_IN -i INET_IFACE -p icmp --icmp-type parameter-problem -j ACCEPT
#$IPTABLES -A ICMP_IN -i INET_IFACE -p icmp --icmp-type ip-header-bad -j ACCEPT
#$IPTABLES -A ICMP_IN -i INET_IFACE -p icmp --icmp-type time-exceeded -j ACCEPT
#$IPTABLES -A ICMP_IN -i INET_IFACE -p icmp --icmp-type TOS-host-unreachable -j ACCEPT
#$IPTABLES -A ICMP_IN -i INET_IFACE -p icmp --icmp-type source-route-failed -j ACCEPT
#$IPTABLES -A ICMP_IN -i INET_IFACE -p icmp --icmp-type network-unknown -j ACCEPT
#$IPTABLES -A ICMP_IN -i INET_IFACE -p icmp --icmp-type echo-reply -j ACCEPT
# Deny ICMP types inbound
#$IPTABLES -A ICMP_IN -i INET_IFACE -p icmp --icmp-type destination-unreachable -j DROP
#$IPTABLES -A ICMP_IN -i INET_IFACE -p icmp --icmp-type network-unreachable -j DROP
#$IPTABLES -A ICMP_IN -i INET_IFACE -p icmp --icmp-type host-unreachable -j DROP
#$IPTABLES -A ICMP_IN -i INET_IFACE -p icmp --icmp-type protocol-unreachable -j DROP
#$IPTABLES -A ICMP_IN -i INET_IFACE -p icmp --icmp-type port-unreachable -j DROP
#$IPTABLES -A ICMP_IN -i INET_IFACE -p icmp --icmp-type fragmentation-needed -j DROP
#$IPTABLES -A ICMP_IN -i INET_IFACE -p icmp --icmp-type host-unknown -j DROP
#$IPTABLES -A ICMP_IN -i INET_IFACE -p icmp --icmp-type network-prohibited -j DROP
#$IPTABLES -A ICMP_IN -i INET_IFACE -p icmp --icmp-type host-prohibited -j DROP
#$IPTABLES -A ICMP_IN -i INET_IFACE -p icmp --icmp-type TOS-network-unreachable -j DROP
#$IPTABLES -A ICMP_IN -i INET_IFACE -p icmp --icmp-type communication-prohibited -j DROP
#$IPTABLES -A ICMP_IN -i INET_IFACE -p icmp --icmp-type host-precedence-violation -j DROP
#$IPTABLES -A ICMP_IN -i INET_IFACE -p icmp --icmp-type precedence-cutoff -j DROP
#$IPTABLES -A ICMP_IN -i INET_IFACE -p icmp --icmp-type source-quench -j DROP
#$IPTABLES -A ICMP_IN -i INET_IFACE -p icmp --icmp-type redirect -j DROP
#$IPTABLES -A ICMP_IN -i INET_IFACE -p icmp --icmp-type network-redirect -j DROP
#$IPTABLES -A ICMP_IN -i INET_IFACE -p icmp --icmp-type host-redirect -j DROP
#$IPTABLES -A ICMP_IN -i INET_IFACE -p icmp --icmp-type TOS-network-redirect -j DROP
#$IPTABLES -A ICMP_IN -i INET_IFACE -p icmp --icmp-type TOS-host-redirect -j DROP
#$IPTABLES -A ICMP_IN -i INET_IFACE -p icmp --icmp-type echo-request -m limit --limit 1/s --limit-burst 1 -j LOG --log-level $LOG_LEVEL --log-prefix “PING REQUEST “
#$IPTABLES -A ICMP_IN -i INET_IFACE -p icmp --icmp-type echo-request -j DROP
#$IPTABLES -A ICMP_IN -i INET_IFACE -p icmp --icmp-type router-advertisement -j DROP
#$IPTABLES -A ICMP_IN -i INET_IFACE -p icmp --icmp-type router-solicitation -j DROP
#$IPTABLES -A ICMP_IN -i INET_IFACE -p icmp --icmp-type ttl-zero-during-transit -j DROP
#$IPTABLES -A ICMP_IN -i INET_IFACE -p icmp --icmp-type ttl-zero-during-reassembly -j DROP
#$IPTABLES -A ICMP_IN -i INET_IFACE -p icmp --icmp-type timestamp-request -j DROP
#$IPTABLES -A ICMP_IN -i INET_IFACE -p icmp --icmp-type timestamp-reply -j ACCEPT
#$IPTABLES -A ICMP_IN -i INET_IFACE -p icmp --icmp-type address-mask-request -j DROP
#------------------------------------------
# Destination unreachable
#
# ICMP type 3 is necessary for path MTU discovery to work correctly.
# It should be enabled inbound to get top efficiency.
#
$IPTABLES -A ICMP_IN -p icmp --icmp-type destination-unreachable -j ACCEPT
#
#------------------------------------------
# Drop Smurf attack
#
$IPTABLES -A ICMP_IN -p icmp -d 0.0.0.255/0.0.0.255 -m limit --limit $LIMIT_LOG --limit-burst $LIMIT_LOG_BURST -j LOG --log-level $LOG_LEVEL --log-prefix "IPT=ICMP-IN:0.255 a=DROP "
$IPTABLES -A ICMP_IN -p icmp -d 0.0.0.255/0.0.0.255 -j DROP
#
#------------------------------------------
# Answer ping requests.
#
# First Block DOS - Ping of Death
#
$IPTABLES -A ICMP_IN -p icmp --icmp-type echo-request -m length --length 61:65535 -j LOG --log-level $LOG_LEVEL --log-prefix "IPT=ICMP-IN:PING-death a=DROP "
$IPTABLES -A ICMP_IN -p icmp --icmp-type echo-request -m length --length 61:65535 -j DROP
#------------------------------------------
# Now Block DDOS - Smurf
#
$IPTABLES -A ICMP_IN -p icmp --icmp-type echo-request -m pkttype --pkt-type broadcast -j LOG --log-level $LOG_LEVEL --log-prefix "IPT=ICMP-IN:Smurf:1 a=DROP "
$IPTABLES -A ICMP_IN -p icmp --icmp-type echo-request -m pkttype --pkt-type broadcast -j DROP
#------------------------------------------
# Ping Flood protection. Accept $LIMIT_PING echo-reply/sec, rest will be logged/dropped.
# Ping Flood protection. Accept $LIMIT_PING echo-requests/sec, rest will be logged/dropped.
#
if [ $ALLOW_PING_IN -eq 1 ]
then
$IPTABLES -A ICMP_IN -p icmp --icmp-type echo-reply -m limit --limit $LIMIT_PING --limit-burst $LIMIT_PING_BURST -j ACCEPT
fi
$IPTABLES -A ICMP_IN -p icmp --icmp-type echo-reply -m limit --limit $LIMIT_LOG --limit-burst $LIMIT_LOG_BURST -j LOG --log-level $LOG_LEVEL --log-prefix "IPT=ICMP-IN:PING:1 a=DROP "
$IPTABLES -A ICMP_IN -p icmp --icmp-type echo-reply -j DROP
#
if [ $ALLOW_PING_IN -eq 1 ]
then
$IPTABLES -A ICMP_IN -p icmp --icmp-type echo-request -m limit --limit $LIMIT_PING --limit-burst $LIMIT_PING_BURST -j ACCEPT
#$IPTABLES -A ICMP_IN -p icmp --icmp-type echo-request -m limit --limit 3/s -j ACCEPT # Smurf
fi
$IPTABLES -A ICMP_IN -p icmp --icmp-type echo-request -m limit --limit $LIMIT_LOG --limit-burst $LIMIT_LOG_BURST -j LOG --log-level $LOG_LEVEL --log-prefix "IPT=ICMP-IN:PING:2 a=DROP "
$IPTABLES -A ICMP_IN -p icmp --icmp-type echo-request -j DROP
#
#------------------------------------------
# Allow traceroute, though it is not required.
#
# Type 11 (Time Exceeded) is the only one accepted that would
# not already be covered by the established connection rule.
# Applied to INPUT on the external interface.
#
# Ping Flood protection. Accept $LIMIT_PING request/sec, rest will be logged/dropped.
#
if [ $ALLOW_TRACEROUTE_IN -eq 1 ]
then
$IPTABLES -A ICMP_IN -p icmp --icmp-type 11 -m limit --limit $LIMIT_PING --limit-burst $LIMIT_PING_BURST -j ACCEPT
fi
$IPTABLES -A ICMP_IN -p icmp --icmp-type 11 -m limit --limit $LIMIT_LOG --limit-burst $LIMIT_LOG_BURST -j LOG --log-level $LOG_LEVEL --log-prefix "IPT=ICMP-IN:time:1 a=DROP "
$IPTABLES -A ICMP_IN -p icmp --icmp-type 11 -j DROP
#
if [ $ALLOW_TRACEROUTE_IN -eq 1 ]
then
$IPTABLES -A ICMP_IN -p icmp --icmp-type 30 -m limit --limit $LIMIT_PING --limit-burst $LIMIT_PING_BURST -j ACCEPT
fi
$IPTABLES -A ICMP_IN -p icmp --icmp-type 30 -m limit --limit $LIMIT_LOG --limit-burst $LIMIT_LOG_BURST -j LOG --log-level $LOG_LEVEL --log-prefix "IPT=ICMP-IN:trace a=DROP "
$IPTABLES -A ICMP_IN -p icmp --icmp-type 30 -j DROP
#
#------------------------------------------
# Block ICMP-Parameter-Problem
#
# Ping Flood protection. Accept $LIMIT_PING request/sec, rest will be logged/dropped.
#
if [ $ALLOW_ICMP_PARAM_PROBLEM_IN -eq 1 ]
then
$IPTABLES -A ICMP_IN -p icmp --icmp-type parameter-problem -m limit --limit $LIMIT_PING --limit-burst $LIMIT_PING_BURST -j ACCEPT
fi
$IPTABLES -A ICMP_IN -p icmp --icmp-type parameter-problem -m limit --limit $LIMIT_LOG --limit-burst $LIMIT_LOG_BURST -j LOG --log-level $LOG_LEVEL --log-prefix "IPT=ICMP-IN:params a=DROP "
$IPTABLES -A ICMP_IN -p icmp --icmp-type parameter-problem -j DROP
#
#------------------------------------------
# Block ICMP-Redirects (Should already be caught by sysctl-options, if enabled)
#
$IPTABLES -A ICMP_IN -p icmp --icmp-type redirect -m limit --limit $LIMIT_LOG --limit-burst $LIMIT_LOG_BURST -j LOG --log-level $LOG_LEVEL --log-prefix "IPT=ICMP-IN:redirect a=DROP "
$IPTABLES -A ICMP_IN -p icmp --icmp-type redirect -j DROP
#
#------------------------------------------
# Block ICMP-TTL-Expired MS Traceroute (MS uses ICMP instead of UDP for tracert)
#
$IPTABLES -A ICMP_IN -p icmp --icmp-type ttl-zero-during-transit -m limit --limit $LIMIT_LOG --limit-burst $LIMIT_LOG_BURST -j LOG --log-level $LOG_LEVEL --log-prefix "IPT=ICMP-IN:ttl:1 a=DROP "
$IPTABLES -A ICMP_IN -p icmp --icmp-type ttl-zero-during-transit -j DROP
$IPTABLES -A ICMP_IN -p icmp --icmp-type ttl-zero-during-reassembly -m limit --limit $LIMIT_LOG --limit-burst $LIMIT_LOG_BURST -j LOG --log-level $LOG_LEVEL --log-prefix "IPT=ICMP-IN:ttl:2 a=DROP "
$IPTABLES -A ICMP_IN -p icmp --icmp-type ttl-zero-during-reassembly -j DROP
#
#------------------------------------------
# Block ICMP-Timestamp (Should already be caught by sysctl-options, if enabled)
#
$IPTABLES -A ICMP_IN -p icmp --icmp-type timestamp-request -m limit --limit $LIMIT_LOG --limit-burst $LIMIT_LOG_BURST -j LOG --log-level $LOG_LEVEL --log-prefix "IPT=ICMP-IN:ts:1 a=DROP "
$IPTABLES -A ICMP_IN -p icmp --icmp-type timestamp-request -j DROP
$IPTABLES -A ICMP_IN -p icmp --icmp-type timestamp-reply -m limit --limit $LIMIT_LOG --limit-burst $LIMIT_LOG_BURST -j LOG --log-level $LOG_LEVEL --log-prefix "IPT=ICMP-IN:ts:2 a=DROP "
$IPTABLES -A ICMP_IN -p icmp --icmp-type timestamp-reply -j DROP
#
#------------------------------------------
# Block ICMP-address-mask (can help to prevent OS-fingerprinting)
#
$IPTABLES -A ICMP_IN -p icmp --icmp-type address-mask-request -m limit --limit $LIMIT_LOG --limit-burst $LIMIT_LOG_BURST -j LOG --log-level $LOG_LEVEL --log-prefix "IPT=ICMP-IN:addr:1 a=DROP "
$IPTABLES -A ICMP_IN -p icmp --icmp-type address-mask-request -j DROP
$IPTABLES -A ICMP_IN -p icmp --icmp-type address-mask-reply -m limit --limit $LIMIT_LOG --limit-burst $LIMIT_LOG_BURST -j LOG --log-level $LOG_LEVEL --log-prefix "IPT=ICMP-IN:addr:2 a=DROP "
$IPTABLES -A ICMP_IN -p icmp --icmp-type address-mask-reply -j DROP
#
#------------------------------------------
# Block DOS - Jolt
#
#
# ICMP packets should fit in a Layer 2 frame, thus they should
# never be fragmented. Fragmented ICMP packets are a typical sign
# of a denial of service attack.
#
$IPTABLES -A ICMP_IN -p icmp --fragment -j LOG --log-level $LOG_LEVEL --log-prefix "IPT=ICMP:frag a=DROP "
#$IPTABLES -A ICMP_IN -p icmp --fragment -m limit --limit $LIMIT_LOG --limit-burst $LIMIT_LOG_BURST -j LOG --log-level $LOG_LEVEL --log-prefix "IPT=ICMP-IN:frag a=DROP "
$IPTABLES -A ICMP_IN -p icmp --fragment -j DROP
#
#------------------------------------------
# All good, so return
#
$IPTABLES -A ICMP_IN -p icmp -j DROP
#
#*********************************************************
# Create a chain to filter outgoing ICMP packets
# This chain is for outbound (to the Internet) icmp packets only.
#
#------------------------------------------
# Answer ping requests.
#
# Ping Flood protection. Accept $LIMIT_PING echo-reply/sec, rest will be logged/dropped.
# Ping Flood protection. Accept $LIMIT_PING echo-requests/sec, rest will be logged/dropped.
#
if [ $ALLOW_PING_OUT -eq 1 ]
then
$IPTABLES -A ICMP_OUT -p icmp --icmp-type echo-reply -m conntrack --ctstate NEW -j ACCEPT
else
$IPTABLES -A ICMP_OUT -p icmp --icmp-type echo-reply -m limit --limit $LIMIT_LOG --limit-burst $LIMIT_LOG_BURST -j LOG --log-level $LOG_LEVEL --log-prefix "IPT=ICMP-OUT:PING:1 a=DROP "
$IPTABLES -A ICMP_OUT -p icmp --icmp-type echo-reply -j DROP
fi
#
if [ $ALLOW_PING_OUT -eq 1 ]
then
$IPTABLES -A ICMP_OUT -p icmp --icmp-type echo-request -m conntrack --ctstate NEW -j ACCEPT
else
$IPTABLES -A ICMP_OUT -p icmp --icmp-type echo-request -m limit --limit $LIMIT_LOG --limit-burst $LIMIT_LOG_BURST -j LOG --log-level $LOG_LEVEL --log-prefix "IPT=ICMP-OUT:PING:2 a=DROP "
$IPTABLES -A ICMP_OUT -p icmp --icmp-type echo-request -j DROP
fi
#
#------------------------------------------
# Time Exceeded
# Type 11 (Time Exceeded) is the only one accepted that would
# not already be covered by the established connection rule.
# Applied to INPUT on the external interface.
#
if [ $ALLOW_TRACEROUTE_OUT -eq 1 ]
then
$IPTABLES -A ICMP_OUT -p icmp --icmp-type 11 -j ACCEPT
else
$IPTABLES -A ICMP_OUT -p icmp --icmp-type 11 -m limit --limit $LIMIT_LOG --limit-burst $LIMIT_LOG_BURST -j LOG --log-level $LOG_LEVEL --log-prefix "IPT=ICMP-OUT:time:1 a=DROP "
$IPTABLES -A ICMP_OUT -p icmp --icmp-type 11 -j DROP
fi
#
if [ $ALLOW_TRACEROUTE_OUT -eq 1 ]
then
$IPTABLES -A ICMP_OUT -p icmp --icmp-type 30 -j ACCEPT
else
$IPTABLES -A ICMP_OUT -p icmp --icmp-type 30 -m limit --limit $LIMIT_LOG --limit-burst $LIMIT_LOG_BURST -j LOG --log-level $LOG_LEVEL --log-prefix "IPT=ICMP-OUT:trace a=DROP "
$IPTABLES -A ICMP_OUT -p icmp --icmp-type 30 -j DROP
fi
#
#------------------------------------------
# Block ICMP-Redirects (Should already be caught by sysctl-options, if enabled)
#
$IPTABLES -A ICMP_OUT -p icmp --icmp-type redirect -m limit --limit $LIMIT_LOG --limit-burst $LIMIT_LOG_BURST -j LOG --log-level $LOG_LEVEL --log-prefix "IPT=ICMP-OUT:redirect a=DROP "
$IPTABLES -A ICMP_OUT -p icmp --icmp-type redirect -j DROP
#
#------------------------------------------
# Block ICMP-TTL-Expired MS Traceroute (MS uses ICMP instead of UDP for tracert)
#
$IPTABLES -A ICMP_OUT -p icmp --icmp-type ttl-zero-during-transit -m limit --limit $LIMIT_LOG --limit-burst $LIMIT_LOG_BURST -j LOG --log-level $LOG_LEVEL --log-prefix "IPT=ICMP-OUT:ttl:1 a=DROP "
$IPTABLES -A ICMP_OUT -p icmp --icmp-type ttl-zero-during-transit -j DROP
$IPTABLES -A ICMP_OUT -p icmp --icmp-type ttl-zero-during-reassembly -m limit --limit $LIMIT_LOG --limit-burst $LIMIT_LOG_BURST -j LOG --log-level $LOG_LEVEL --log-prefix "IPT=ICMP-OUT:ttl:2 a=DROP "
$IPTABLES -A ICMP_OUT -p icmp --icmp-type ttl-zero-during-reassembly -j DROP
#
#------------------------------------------
# Block ICMP-Parameter-Problem
#
$IPTABLES -A ICMP_OUT -p icmp --icmp-type parameter-problem -m limit --limit $LIMIT_LOG --limit-burst $LIMIT_LOG_BURST -j LOG --log-level $LOG_LEVEL --log-prefix "IPT=ICMP-OUT:params a=DROP "
$IPTABLES -A ICMP_OUT -p icmp --icmp-type parameter-problem -j DROP
#
#------------------------------------------
# Block ICMP-Timestamp (Should already be caught by sysctl-options, if enabled)
#
$IPTABLES -A ICMP_OUT -p icmp --icmp-type timestamp-request -m limit --limit $LIMIT_LOG --limit-burst $LIMIT_LOG_BURST -j LOG --log-level $LOG_LEVEL --log-prefix "IPT=ICMP-OUT:ts:1 a=DROP "
$IPTABLES -A ICMP_OUT -p icmp --icmp-type timestamp-request -j DROP
$IPTABLES -A ICMP_OUT -p icmp --icmp-type timestamp-reply -m limit --limit $LIMIT_LOG --limit-burst $LIMIT_LOG_BURST -j LOG --log-level $LOG_LEVEL --log-prefix "IPT=ICMP-OUT:ts:2 a=DROP "
$IPTABLES -A ICMP_OUT -p icmp --icmp-type timestamp-reply -j DROP
#
#------------------------------------------
# Block ICMP-address-mask (can help to prevent OS-fingerprinting)
#
$IPTABLES -A ICMP_OUT -p icmp --icmp-type address-mask-request -m limit --limit $LIMIT_LOG --limit-burst $LIMIT_LOG_BURST -j LOG --log-level $LOG_LEVEL --log-prefix "IPT=ICMP-OUT:addr:1 a=DROP "
$IPTABLES -A ICMP_OUT -p icmp --icmp-type address-mask-request -j DROP
$IPTABLES -A ICMP_OUT -p icmp --icmp-type address-mask-reply -m limit --limit $LIMIT_LOG --limit-burst $LIMIT_LOG_BURST -j LOG --log-level $LOG_LEVEL --log-prefix "IPT=ICMP-OUT:addr:2 a=DROP "
$IPTABLES -A ICMP_OUT -p icmp --icmp-type address-mask-reply -j DROP
#
#------------------------------------------
# ICMP packets should fit in a Layer 2 frame, thus they should
# never be fragmented. Fragmented ICMP packets are a typical sign
# of a denial of service attack.
#
$IPTABLES -A ICMP_OUT -p icmp --fragment -m limit --limit $LIMIT_LOG --limit-burst $LIMIT_LOG_BURST -j LOG --log-level $LOG_LEVEL --log-prefix "IPT=ICMP-OUT:frag a=DROP "
$IPTABLES -A ICMP_OUT -p icmp --fragment -j DROP
#
#------------------------------------------
# All good, so return
#
$IPTABLES -A ICMP_OUT -p icmp -j DROP
#
#*********************************************************
# Create a chain to filter UDP packets
# Applied to INPUT on the external or Internet interface.
#
#------------------------------------------
# BitTorrent
#
if [ $ALLOW_BITTORRENT_IN -eq 1 ]
then
$IPTABLES -A UDP_IN -p udp -m conntrack --ctstate NEW --dport 6881 -j ACCEPT # BITTORRENT
fi
#
#------------------------------------------
# CUPS Printing
#
if [ $ALLOW_CUPS_IN -eq 1 ]
then
$IPTABLES -A UDP_IN -p udp -m conntrack --ctstate NEW --dport 631 -j ACCEPT # Printing CUPS
fi
#
#------------------------------------------
# If DHCP, the initial request is a broadcast. The response
# doesn't exactly match the outbound packet. This explicitly
# allow the DHCP ports to alleviate this problem.
#
# If you receive your dynamic address by a different means, you
# can probably comment out this line.
#
if [ $ALLOW_DHCP_BROADCAST_IN -eq 1 ]
then
#$IPTABLES -A UDP_IN -p udp --sport 68 --dport 67 -j ACCEPT
$IPTABLES -A UDP_IN -p udp --sport 67:68 --dport 67:68 -j ACCEPT
fi
#
#------------------------------------------
# Allow DNS
#
if [ $ALLOW_DNS_IN -eq 1 ]
then
$IPTABLES -A UDP_IN -p udp --dport 53 -j ACCEPT
#$IPTABLES -A UDP_IN -p udp -i $INET_IFACE --sport 53 -m state --state ESTABLISHED -j ACCEPT
#$IPTABLES -A UDP_IN -p tcp -i $INET_IFACE --sport 53 -m state --state ESTABLISHED -j ACCEPT
#$IPTABLES -A UDP_IN -p udp -i $INET_IFACE --sport 53 -j ACCEPT
#$IPTABLES -A UDP_IN -p tcp -i $INET_IFACE --sport 53 -j ACCEPT
#$IPTABLES -A UDP_IN -p udp -m conntrack --ctstate NEW --dport 53 -j ACCEPT
#$IPTABLES -A UDP_IN -p udp -m conntrack --ctstate ESTABLISHED --sport 53 -j ACCEPT
#$IPTABLES -A UDP_IN -p udp -s $ip --sport 53 -m state --state ESTABLISHED -j ACCEPT
# -o $INET_IFACE -s $INET_IP
#$IPTABLES -A UDP_IN -p udp -i $INET_IFACE -s $INET_IP -m conntrack --ctstate NEW --dport 53 -j ACCEPT
#$IPTABLES -A UDP_IN -p udp -i $INET_IFACE -d $INET_IP -m conntrack --ctstate ESTABLISHED --sport 53 -j ACCEPT
#for ip in $DNS_SERVERS
#do
#$IPTABLES -A UDP_IN -p udp -s $ip --sport 53 -d $SERVER_IP --dport $PORTS_UNPRIV -m state --state ESTABLISHED -j ACCEPT
#done
#$IPTABLES -A UDP_IN -p udp -s 0/0 --sport $PORTS_UNPRIV -d $SERVER_IP --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT
#$IPTABLES -A UDP_IN -p udp -s $ip --sport 53 -d $SERVER_IP --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
#$IPTABLES -A UDP_IN -p udp -i $INET_IFACE --sport 53 -j ACCEPT
fi
#
#------------------------------------------
# Allow NC
#
if [ $ALLOW_NC_IN -eq 1 ]
then
$IPTABLES -A UDP_IN -p udp -m conntrack --ctstate NEW --dport 2030 -j ACCEPT # NC
fi
#
#------------------------------------------
# Allow NFS
#
if [ $ALLOW_NFS_IN -eq 1 ]
then
$IPTABLES -A UDP_IN -p udp -m conntrack --ctstate NEW --dport 2049 -j ACCEPT # NFS
fi
#
#------------------------------------------
# Allow NTP
#
if [ $DO_QUICK_NTP -ne 0 ]
then
if [ $ALLOW_NTP_IN -eq 1 ]
then
$IPTABLES -A UDP_IN -p udp -m conntrack --ctstate NEW --dport 123 -j ACCEPT
fi
fi
#
#------------------------------------------
# Allow SAMBA
#
if [ $ALLOW_SAMBA_IN -eq 1 ]
then
#$IPTABLES -A TCP_IN -p tcp -i $INET_IFACE -m conntrack --ctstate NEW -m multiport --dports 135,137,138,139,445,1433,1434 -j ACCEPT
$IPTABLES -A UDP_IN -p udp -i $INET_IFACE -m conntrack --ctstate NEW -m multiport --dports 135,137,138,139,445,1433,1434 -j ACCEPT
fi
#
#------------------------------------------
# Allow TRACEROUTE
#
if [ $ALLOW_TRACEROUTE_IN -eq 1 ]
then
$IPTABLES -A UDP_IN -p udp -m conntrack --ctstate NEW --sport $PORTS_TRACEROUTE_SRC --dport $PORTS_TRACEROUTE_DEST -j ACCEPT
fi
#
#------------------------------------------
# Allow Weblogin
#
if [ $ALLOW_WEBLOGIN_IN -eq 1 ]
then
$IPTABLES -A UDP_IN -p udp -m conntrack --ctstate NEW --dport 2054 -j ACCEPT # weblogin
fi
#
#------------------------------------------
# Don't log route packets coming from routers - too much logging
#
$IPTABLES -A UDP_IN -p udp --dport 520 -m conntrack --ctstate NEW -j DROP
#
#------------------------------------------
# Block DDOS - Fraggle
#
#$IPTABLES -A UDP_IN -p udp -m pkttype --pkt-type broadcast -m limit --limit $LIMIT_LOG --limit-burst $LIMIT_LOG_BURST -j LOG --log-level $LOG_LEVEL --log-prefix "IPT=UDP-IN:Fraggle a=DROP "
$IPTABLES -A UDP_IN -p udp -m pkttype --pkt-type broadcast -j DROP
#
#------------------------------------------
# Block DOS - Teardrop
#
$IPTABLES -A UDP_IN -p udp --fragment -m limit --limit $LIMIT_LOG --limit-burst $LIMIT_LOG_BURST -j LOG --log-level $LOG_LEVEL --log-prefix "IPT=UDP-IN:Teardrop a=DROP "
$IPTABLES -A UDP_IN -p udp --fragment -j DROP
#
#------------------------------------------
# Port 0 fingerprint attempt
#
$IPTABLES -A UDP_IN -p udp --dport 0 -m limit --limit 1/h --limit-burst 1 -j LOG --log-level $LOG_LEVEL --log-prefix "IPT=UDP-IN:finger:0 a=DROP "
$IPTABLES -A UDP_IN -p udp --dport 0 -j DROP
#
#------------------------------------------
# Drop the rwho port (513 udp)
#
$IPTABLES -A UDP_IN -p udp ! -i lo --destination-port 513 -m limit --limit $LIMIT_LOG --limit-burst $LIMIT_LOG_BURST -j LOG --log-level $LOG_LEVEL --log-prefix "IPT=UDP-IN:rwho a=DROP "
$IPTABLES -A UDP_IN -p udp ! -i lo --destination-port 513 -m comment --comment "Block rwho port" -j DROP
#
#------------------------------------------
# Separate logging of special portscans/connection attempts
#
# Port Scanners
#
if [ $DO_LOG_SCANS -eq 1 ]
then
$IPTABLES -A UDP_IN -i $INET_IFACE -j SCANS
fi
#
#------------------------------------------
# All good, so return
#
$IPTABLES -A UDP_IN -p udp -j RETURN
#
#*********************************************************
# Create a chain to filter outgoing UDP packets
#
# This chain is for outbound (to the Internet) udp packets only.
#
#------------------------------------------
# Allow printing using CUPS
#
if [ $ALLOW_CUPS_OUT -eq 1 ]
then
$IPTABLES -A UDP_OUT -p udp --dport 631 -m conntrack --ctstate NEW -j ACCEPT # Printing CUPS
fi
#
#------------------------------------------
# If DHCP, the initial request is a broadcast. The response
# doesn't exactly match the outbound packet. This explicitly
# allow the DHCP ports to alleviate this problem.
#
# If you receive your dynamic address by a different means, you
# can probably comment this line.
#
if [ $ALLOW_DHCP_BROADCAST_OUT -eq 1 ]
then
#$IPTABLES -A UDP_OUT -p udp --sport 68 --dport 67 -j ACCEPT
$IPTABLES -A UDP_OUT -p udp --sport 67:68 --dport 67:68 -j ACCEPT
fi
#
#------------------------------------------
# Allow DNS
#
if [ $ALLOW_DNS_OUT -eq 1 ]
then
$IPTABLES -A UDP_OUT -p udp --dport 53 -j ACCEPT
#$IPTABLES -A UDP_OUT -p udp --dport 53 -m conntrack --ctstate NEW -j ACCEPT # DNS
#$IPTABLES -A UDP_OUT -p udp -o $INET_IFACE -d $INET_IP -m conntrack --ctstate NEW,ESTABLISHED --dport 53 -j ACCEPT
#$IPTABLES -A UDP_OUT -p udp -o $INET_IFACE --dport 53 -j ACCEPT
#$IPTABLES -A UDP_OUT -p tcp -o $INET_IFACE --dport 53 -j ACCEPT
#$IPTABLES -A UDP_OUT -p udp -o $INET_IFACE --dport 53 -m state --state ESTABLISHED -j ACCEPT
#$IPTABLES -A UDP_OUT -p tcp -o $INET_IFACE --dport 53 -m state --state ESTABLISHED -j ACCEPT
#$IPTABLES -A UDP_OUT -p udp -o $INET_IFACE --dport 53 -j ACCEPT
fi
#
#------------------------------------------
# Allow NTP Time to setup the Date/Time from NTP Server
#
if [ $ALLOW_NTP_OUT -eq 1 ]
then
$IPTABLES -A UDP_OUT -p udp --dport 123 -m conntrack --ctstate NEW -j ACCEPT
fi
#
#------------------------------------------
# Allow SAMBA
#
if [ $ALLOW_SAMBA_OUT -eq 1 ]
then
#$IPTABLES -A TCP_OUT -p tcp -o $INET_IFACE -m multiport --sports 135,137,138,139,445,1433,1434 -m conntrack --ctstate NEW -j ACCEPT
#$IPTABLES -A UDP_OUT -p udp -o $INET_IFACE -m multiport --sports 135,137,138,139,445,1433,1434 -m conntrack --ctstate NEW -j ACCEPT
#
#$IPTABLES -A TCP_OUT -p tcp -o $INET_IFACE -m multiport --dports 135,137,138,139,445,1433,1434 -m conntrack --ctstate NEW -j ACCEPT
$IPTABLES -A UDP_OUT -p udp -o $INET_IFACE -m multiport --dports 135,137,138,139,445,1433,1434 -m conntrack --ctstate NEW -j ACCEPT
fi
#
#------------------------------------------
# Allow TRACEROUTE
#
if [ $ALLOW_TRACEROUTE_OUT -eq 1 ]
then
$IPTABLES -A UDP_OUT -p udp --sport $PORTS_TRACEROUTE_SRC --dport $PORTS_TRACEROUTE_DEST -m conntrack --ctstate NEW -j ACCEPT
fi
#
#------------------------------------------
# All good, so return
#
$IPTABLES -A UDP_OUT -p udp -j RETURN
#
#*********************************************************
# Create a chain to filter incoming TCP packets
#
# Applied to INPUT on the external or Internet interface.
#
#------------------------------------------
# Stealth TCP ports.
#
# A quick and dirty way is to drop all tcp syn packets.
# This way you're virtually undetectable to portscanners.
# Basically, you're dropping all TCP packets that weren't initiated by your local computer/network.
#
if [ $DO_STEALTH_ALL_IN -eq 1 ]
then
$IPTABLES -A TCP_IN -p tcp -i $INET_IFACE --syn -j DROP
#
# I've noticed that this doesn't kill port 0 & 1 for some reason, so those have to be turned off as well.
#
$IPTABLES -A TCP_IN -p tcp -i $INET_IFACE --dport 0 -j DROP
$IPTABLES -A TCP_IN -p tcp -i $INET_IFACE --dport 1 -j DROP
fi
#
#------------------------------------------
# Ident - Silently reject Ident
#
# Dont DROP ident, because of possible delays when establishing an outbound connection
#
#$IPTABLES -A TCP_IN -p tcp -m tcp --dport 113 -j REJECT --reject-with tcp-reset
#$IPTABLES -A TCP_IN -p tcp --dport 113 -j REJECT --reject-with icmp-port-unreachable
#$IPTABLES -A TCP_IN -p tcp -m conntrack --ctstate NEW --dport 113 -m recent --name "relationship" --rcheck --seconds 60 -j REJECT --reject-with icmp-port-unreachable
$IPTABLES -A TCP_IN -p tcp -m conntrack --ctstate NEW --dport 113 -m recent --name "IDENT" --rcheck --seconds 60 -j REJECT --reject-with icmp-port-unreachable
#
#------------------------------------------
# Allow BitTorrent
#
if [ $ALLOW_BITTORRENT_IN -eq 1 ]
then
$IPTABLES -A TCP_IN -p tcp -m conntrack --ctstate NEW --dport 6881 -j ACCEPT # BitTorrent
fi
#
#------------------------------------------
# Allow printing using CUPS
#
if [ $ALLOW_CUPS_IN -eq 1 ]
then
$IPTABLES -A TCP_IN -p tcp -m conntrack --ctstate NEW --dport 631 -j ACCEPT # Printing CUPS
fi
#
#------------------------------------------
# Allow CVS IN
#
if [ $ALLOW_CVS_IN -eq 1 ]
then
$IPTABLES -A TCP_IN -p tcp -m conntrack --ctstate NEW --dport 2401 -j ACCEPT # CVS
fi
#
#------------------------------------------
# Allow DHCP Broadcast
#
if [ $ALLOW_DHCP_BROADCAST_IN -eq 1 ]
then
#$IPTABLES -A TCP_IN -p tcp --sport 68 --dport 67 -j ACCEPT
$IPTABLES -A TCP_IN -p tcp --sport 67:68 --dport 67:68 -j ACCEPT
fi
#
#------------------------------------------
# Allow DNS
#
if [ $ALLOW_DNS_IN -eq 1 ]
then
$IPTABLES -A TCP_IN -p tcp --dport 53 -j ACCEPT # DNS
#$IPTABLES -A TCP_IN -p tcp -m conntrack --ctstate NEW --sport 53 -j ACCEPT # DNS
#$IPTABLES -A TCP_IN -p tcp -m conntrack --ctstate NEW --dport 53 -j ACCEPT # DNS
#$IPTABLES -A TCP_IN -p tcp -i $INET_IFACE -s $INET_IP -m conntrack --ctstate ESTABLISHED --sport 53 -j ACCEPT
#$IPTABLES -A TCP_IN -p tcp -i $INET_IFACE -d $INET_IP -m conntrack --ctstate ESTABLISHED --sport 53 -j ACCEPT
#$IPTABLES -A TCP_IN -p tcp --dport 953 -j ACCEPT # dns internal
fi
#
#------------------------------------------
# Allow FTP
#
if [ $ALLOW_FTP_IN -eq 1 ]
then
# When you attempt to use ftp on these settings, it stops when enter the PASV
# mode. At PASV mode, after establish the connection with port 21, client
# appoints >1024 port so that this becomes new connection and is rejected.
# You need to have been loaded ip_conntrack_ftp module to use ftp in PASV mode.
# Add one line above ip_conntrack ip_conntrack_ftp to /etc/modules.conf then
# it is loaded at boot up and ftp will be possible to use.
#
$IPTABLES -A TCP_IN -p tcp -m conntrack --ctstate NEW --dport 20 -j ACCEPT # ftp-data
$IPTABLES -A TCP_IN -p tcp -m conntrack --ctstate NEW --dport 21 -j ACCEPT # ftp
fi
#
#------------------------------------------
# Allow HTTP
#
if [ $ALLOW_HTTP_IN -eq 1 ]
then
$IPTABLES -A TCP_IN -p tcp -m conntrack --ctstate NEW --dport 80 -j ACCEPT # http
fi
#
#------------------------------------------
# Allow HTTPS
#
if [ $ALLOW_HTTPS_IN -eq 1 ]
then
$IPTABLES -A TCP_IN -p tcp -m conntrack --ctstate NEW --dport 443 -j ACCEPT # https
fi
#
#------------------------------------------
# Allow IMAP
#
if [ $ALLOW_IMAP_IN -eq 1 ]
then
$IPTABLES -A TCP_IN -p tcp -m conntrack --ctstate NEW --dport 143 -j ACCEPT # imap
fi
#
#------------------------------------------
# Allow IMAPS
#
if [ $ALLOW_IMAPS_IN -eq 1 ]
then
$IPTABLES -A TCP_IN -p tcp -m conntrack --ctstate NEW --dport 993 -j ACCEPT # imap
fi
#
#------------------------------------------
# Allow MySQL
#
if [ $ALLOW_MYSQL_IN -eq 1 ]
then
$IPTABLES -A TCP_IN -p tcp -m conntrack --ctstate NEW --dport 3306 -j ACCEPT # MySQL
fi
#
#------------------------------------------
# Allow NC
#
if [ $ALLOW_NC_IN -eq 1 ]
then
$IPTABLES -A TCP_IN -p tcp -m conntrack --ctstate NEW --dport 2030 -j ACCEPT # NC
fi
#
#------------------------------------------
# Allow NFS
#
if [ $ALLOW_NFS_IN -eq 1 ]
then
$IPTABLES -A TCP_IN -p tcp -m conntrack --ctstate NEW --dport 2049 -j ACCEPT # NFS
fi
#
#------------------------------------------
# Allow NTP
#
if [ $ALLOW_NTP_IN -eq 1 ]
then
$IPTABLES -A TCP_IN -p tcp -m conntrack --ctstate NEW --dport 123 -j ACCEPT # ntp
fi
#
#------------------------------------------
# Allow NNTP
#
if [ $ALLOW_NNTP_IN -eq 1 ]
then
$IPTABLES -A TCP_IN -p tcp -m conntrack --ctstate NEW --dport 119 -j ACCEPT # nntp
fi
#
#------------------------------------------
# Allow PLESK
#
if [ $ALLOW_PLESK_IN -eq 1 ]
then
$IPTABLES -A TCP_IN -p tcp -m conntrack --ctstate NEW --dport 8443 -j ACCEPT # PLESK https
$IPTABLES -A TCP_IN -p tcp -m conntrack --ctstate NEW --dport 8880 -j ACCEPT # PLESK http
fi
#
#------------------------------------------
# Allow PLEX
#
if [ $ALLOW_PLEX_IN -eq 1 ]
then
$IPTABLES -A TCP_IN -p tcp -m conntrack --ctstate NEW --dport $PORTS_PLEX -j ACCEPT # PLEX
fi
#
#------------------------------------------
# Allow POP3
#
if [ $ALLOW_POP3_IN -eq 1 ]
then
$IPTABLES -A TCP_IN -p tcp -m conntrack --ctstate NEW --dport 110 -j ACCEPT # POP-3
fi
#
#------------------------------------------
# Allow POP3S
#
if [ $ALLOW_POP3S_IN -eq 1 ]
then
$IPTABLES -A TCP_IN -p tcp -m conntrack --ctstate NEW --dport 995 -j ACCEPT # POP-3S
fi
#
#------------------------------------------
# Allow POSTGRESQL
#
if [ $ALLOW_POSTGRESQL_IN -eq 1 ]
then
$IPTABLES -A TCP_IN -p tcp -m conntrack --ctstate NEW --dport 5432 -j ACCEPT # PostgreSQL
fi
#
#------------------------------------------
# Allow SAMBA
#
if [ $ALLOW_SAMBA_IN -eq 1 ]
then
$IPTABLES -A TCP_IN -p tcp -i $INET_IFACE -m conntrack --ctstate NEW -m multiport --dports 135,137,138,139,445,1433,1434 -j ACCEPT
#$IPTABLES -A UDP_IN -p udp -i $INET_IFACE -m conntrack --ctstate NEW -m multiport --dports 135,137,138,139,445,1433,1434 -j ACCEPT
#$IPTABLES -A TCP_IN -p tcp -m conntrack --ctstate NEW --sport $PORTS_TRACEROUTE_SRC --dport $PORTS_TRACEROUTE_DEST -j ACCEPT
fi
#
#------------------------------------------
# Allow SMTP
#
if [ $ALLOW_SMTP_IN -eq 1 ]
then
$IPTABLES -A TCP_IN -p tcp -m conntrack --ctstate NEW --dport 25 -j ACCEPT # smtp
fi
#
#------------------------------------------
# Allow SMTPS
#
if [ $ALLOW_SMTPS_IN -eq 1 ]
then
$IPTABLES -A TCP_IN -p tcp -m conntrack --ctstate NEW --dport 465 -j ACCEPT # smtps
fi
#
#------------------------------------------
# Allow SSH
#
if [ $ALLOW_SSH_IN -eq 1 ]
then
# Allow three port 22 connections from any given IP address within a
# 60 second period, and requires 60 seconds of no subsequent connection
# attempts before it will resume allowing connections again.
#
# The --rttl option also takes into account the TTL of the datagram
# when matching packets, so as to endeavour to mitigate against spoofed
# source addresses.
#
# Does not not stop any established SSH connections from the host that has made too many SSH connections in a short period of time, and allows for whitelisting.
#
# Linux kernel will maintain a list of portscan IPs which can be accessed at the location /proc/net/ipt_recent/SSH.
#
$IPTABLES -A TCP_IN -p tcp -m conntrack --ctstate NEW --dport 22 -m recent --set --name SSH
$IPTABLES -A TCP_IN -p tcp -m conntrack --ctstate NEW --dport 22 -m recent --update --seconds 60 --hitcount 4 --rttl --name SSH -j LOG --log-prefix "IPT=SSH:Brute a=DROP "
$IPTABLES -A TCP_IN -p tcp -m conntrack --ctstate NEW --dport 22 -m recent --update --seconds 60 --hitcount 4 --rttl --name SSH -j DROP
$IPTABLES -A TCP_IN -p tcp -m conntrack --ctstate NEW --dport 22 -j ACCEPT
fi
#
#------------------------------------------
# Allow Squid
#
if [ $ALLOW_SQUID_IN -eq 1 ]
then
$IPTABLES -A TCP_IN -p tcp -m conntrack --ctstate NEW --dport 3128 -j ACCEPT # SQUID proxy
fi
#
#------------------------------------------
# Allow Submission
# (RFC 2476)
#
if [ $ALLOW_SUBMISSION_IN -eq 1 ]
then
$IPTABLES -A TCP_IN -p tcp -m conntrack --ctstate NEW --dport 587 -j ACCEPT # Submission (RFC 2476)
fi
#
#------------------------------------------
# Allow SVN
#
if [ $ALLOW_SVN_IN -eq 1 ]
then
$IPTABLES -A TCP_IN -p tcp -m conntrack --ctstate NEW --dport 3690 -j ACCEPT # SVN
fi
#
#------------------------------------------
# Allow Telnet
#
if [ $ALLOW_TELNET_IN -eq 1 ]
then
$IPTABLES -A TCP_IN -p tcp -m conntrack --ctstate NEW --dport 23 -j ACCEPT # telnet
fi
#------------------------------------------
# Allow Weblogin
#
if [ $ALLOW_WEBLOGIN_IN -eq 1 ]
then
$IPTABLES -A TCP_IN -p tcp -m conntrack --ctstate NEW --dport 2054 -j ACCEPT # weblogin
fi
#------------------------------------------
# Allow XWindows
#
if [ $ALLOW_XWINDOWS_IN -eq 1 ]
then
$IPTABLES -A TCP_IN -p tcp -m conntrack --ctstate NEW --dport 6000:6009 -j ACCEPT # XWindows
fi
#
#------------------------------------------
# Allow XWindows Font Server
if [ $ALLOW_XWINDOWS_FONTSERVER_IN -eq 1 ]
then
$IPTABLES -A TCP_IN -p tcp -m conntrack --ctstate NEW --dport 7100 -j ACCEPT # XWindows Font Server
fi
#
#------------------------------------------
# Separate logging of special portscans/connection attempts
#
# Port Scanners
#
if [ $DO_LOG_SCANS -eq 1 ]
then
$IPTABLES -A TCP_IN -i $INET_IFACE -j SCANS
fi
#
#------------------------------------------
# *only accept traffic for TCP port # 8080 from mac 00:0F:EA:91:04:07 * ##
#
# iptables -A TCP_IN -p tcp --destination-port 22 -m mac --mac-source 00:0F:EA:91:04:07 -j ACCEPT
#
#------------------------------------------
# Allow unpriviledged ports
#
##$IPTABLES -A TCP_IN -p tcp -m tcp --dport $PORTS_UNPRIV -m state --state RELATED -j ACCEPT
#
#------------------------------------------
# All good, so return
#
$IPTABLES -A TCP_IN -p tcp -j RETURN
#
#*********************************************************
# Create a chain to filter outgoing TCP packets
#
# Applied to OUTPUT on the external or Internet interface.
#
#------------------------------------------
# Ident - Silently reject Ident
#
# Dont DROP ident, because of possible delays when establishing an outbound connection
#
#$IPTABLES -A TCP_OUT -p tcp -o $INET_IFACE --sport 113 -j REJECT --reject-with tcp-reset
#$IPTABLES -A TCP_OUT -p tcp -o $INET_IFACE --sport 113 -j REJECT --reject-with icmp-port-unreachable
$IPTABLES -A TCP_OUT -p tcp -o $INET_IFACE -s $INET_IP -d $INET_GW --dport 113 -j ACCEPT
$IPTABLES -A TCP_OUT -p tcp -o $INET_IFACE -s $INET_IP --dport 113 -j ACCEPT
#$IPTABLES -A TCP_OUT -p tcp -o $INET_IFACE -m recent --name "relationship" --rdest --set
$IPTABLES -A TCP_OUT -p tcp -o $INET_IFACE -m recent --name "IDENT" --rdest --set
#
#------------------------------------------
# Public services running ON Server
#
# Allow printing using CUPS
#
if [ $ALLOW_CUPS_OUT -eq 1 ]
then
$IPTABLES -A TCP_OUT -p tcp -m conntrack --ctstate NEW --dport 631 -j ACCEPT # Printing CUPS
fi
#
#------------------------------------------
# Allow CVS
#
if [ $ALLOW_CVS_OUT -eq 1 ]
then
$IPTABLES -A TCP_OUT -p tcp -m conntrack --ctstate NEW --dport 2401 -j ACCEPT # CVS
fi
#
#------------------------------------------
# Allow DHCP Broadcast
#
if [ $ALLOW_DHCP_BROADCAST_OUT -eq 1 ]
then
#$IPTABLES -A TCP_OUT -p tcp --sport 68 --dport 67 -j ACCEPT
$IPTABLES -A TCP_OUT -p tcp --sport 67:68 --dport 67:68 -j ACCEPT
fi
#
#------------------------------------------
# Allow DNS
#
if [ $ALLOW_DNS_OUT -eq 1 ]
then
$IPTABLES -A TCP_OUT -p tcp --dport 53 -j ACCEPT
#$IPTABLES -A TCP_OUT -p tcp -m conntrack --ctstate NEW --dport 53 -j ACCEPT # DNS
#$IPTABLES -A TCP_OUT -p tcp -o $INET_IFACE -d $INET_IP -m conntrack --ctstate NEW,ESTABLISHED --dport 53 -j ACCEPT
#$IPTABLES -A TCP_OUT -p tcp --dport 53 -j ACCEPT
fi
#
#------------------------------------------
# Allow FTP
#
if [ $ALLOW_FTP_OUT -eq 1 ]
then
$IPTABLES -A TCP_OUT -p tcp -m conntrack --ctstate NEW --dport 20 -j ACCEPT # ftp-data
$IPTABLES -A TCP_OUT -p tcp -m conntrack --ctstate NEW --dport 21 -j ACCEPT # ftp
fi
#
#------------------------------------------
# Allow HTTP
#
if [ $ALLOW_HTTP_OUT -eq 1 ]
then
$IPTABLES -A TCP_OUT -p tcp -m conntrack --ctstate NEW --dport 80 -j ACCEPT # http
$IPTABLES -A TCP_OUT -p tcp -o INET_IFACE --sport 80 -m state --state ESTABLISHED -j ACCEPT
fi
#
#------------------------------------------
# Allow HTTPS
#
if [ $ALLOW_HTTPS_OUT -eq 1 ]
then
$IPTABLES -A TCP_OUT -p tcp -m conntrack --ctstate NEW --dport 443 -j ACCEPT # https
fi
#
#------------------------------------------
# Allow IMAP
#
if [ $ALLOW_IMAP_OUT -eq 1 ]
then
$IPTABLES -A TCP_OUT -p tcp -m conntrack --ctstate NEW --dport 143 -j ACCEPT # imap
fi
#
#------------------------------------------
# Allow IMAPS
#
if [ $ALLOW_IMAPS_OUT -eq 1 ]
then
$IPTABLES -A TCP_OUT -p tcp -m conntrack --ctstate NEW --dport 993 -j ACCEPT # IMAPS
fi
#
#------------------------------------------
# Allow IRC
#
# This usually needs the ip_conntrack_irc kernel module.
#
if [ $ALLOW_IRC_OUT -eq 1 ]
then
$IPTABLES -A TCP_OUT -p tcp -m conntrack --ctstate NEW --dport 6667 -j ACCEPT # IRC
#$IPTABLES -A OUTPUT -m state --state NEW -p tcp --dport 6667 -j ACCEPT
fi
#
#------------------------------------------
# Allow MySQL
#
if [ $ALLOW_MYSQL_OUT -eq 1 ]
then
$IPTABLES -A TCP_OUT -p tcp -m conntrack --ctstate NEW --dport 3306 -j ACCEPT # MySQL
fi
#------------------------------------------
# Allow NFS
#
if [ $ALLOW_NFS_OUT -eq 1 ]
then
$IPTABLES -A TCP_OUT -p tcp -m conntrack --ctstate NEW --dport 2049 -j ACCEPT # NFS
fi
#
#------------------------------------------
# Allow NTP
#
if [ $ALLOW_NTP_OUT -eq 1 ]
then
$IPTABLES -A TCP_OUT -p tcp -m conntrack --ctstate NEW --dport 123 -j ACCEPT # NTP
fi
#
#------------------------------------------
# Allow NNTP
#
if [ $ALLOW_NNTP_OUT -eq 1 ]
then
$IPTABLES -A TCP_OUT -p tcp -m conntrack --ctstate NEW --dport 119 -j ACCEPT # NNTP
fi
#
#------------------------------------------
# Allow OPENVPN
#
if [ $ALLOW_OPENVPN_OUT -eq 1 ]
then
$IPTABLES -A TCP_OUT -p tcp -m conntrack --ctstate NEW --dport 1194 -j ACCEPT # OPENVPN
fi
#
#------------------------------------------
# Allow PLESK
#
if [ $ALLOW_PLESK_OUT -eq 1 ]
then
$IPTABLES -A TCP_OUT -p tcp -m conntrack --ctstate NEW --dport 8443 -j ACCEPT # PLESK https
$IPTABLES -A TCP_OUT -p tcp -m conntrack --ctstate NEW --dport 8880 -j ACCEPT # PLESK http
fi
#
#------------------------------------------
# Allow PLEX
#
if [ $ALLOW_PLEX_OUT -eq 1 ]
then
$IPTABLES -A TCP_OUT -p tcp -m conntrack --ctstate NEW --dport $PORTS_PLEX -j ACCEPT # PLEX
fi
#
#------------------------------------------
# Allow POP3
#
if [ $ALLOW_POP3_OUT -eq 1 ]
then
$IPTABLES -A TCP_OUT -p tcp -m conntrack --ctstate NEW --dport 110 -j ACCEPT # POP-3
fi
#
#------------------------------------------
# Allow POP3S
#
if [ $ALLOW_POP3S_OUT -eq 1 ]
then
$IPTABLES -A TCP_OUT -p tcp -m conntrack --ctstate NEW --dport 995 -j ACCEPT # POP-3S
fi
#
#------------------------------------------
# Allow POSTGRESQL
#
if [ $ALLOW_POSTGRESQL_OUT -eq 1 ]
then
$IPTABLES -A TCP_OUT -p tcp -m conntrack --ctstate NEW --dport 5432 -j ACCEPT # PostgreSQL
fi
#
#------------------------------------------
# Allow RWHOIS
#
if [ $ALLOW_RWHOIS_OUT -eq 1 ]
then
$IPTABLES -A TCP_OUT -p tcp -m conntrack --ctstate NEW --dport 4321 -j ACCEPT # RWHOIS
fi
#
#------------------------------------------
# Allow SAMBA
#
if [ $ALLOW_SAMBA_OUT -eq 1 ]
then
#$IPTABLES -A TCP_OUT -p tcp -o $INET_IFACE -m multiport --sports 135,137,138,139,445,1433,1434 -m conntrack --ctstate NEW -j ACCEPT
#$IPTABLES -A UDP_OUT -p udp -o $INET_IFACE -m multiport --sports 135,137,138,139,445,1433,1434 -m conntrack --ctstate NEW -j ACCEPT
$IPTABLES -A TCP_OUT -p tcp -o $INET_IFACE -m multiport --dports 135,137,138,139,445,1433,1434 -m conntrack --ctstate NEW -j ACCEPT
#$IPTABLES -A UDP_OUT -p udp -o $INET_IFACE -m multiport --dports 135,137,138,139,445,1433,1434 -m conntrack --ctstate NEW -j ACCEPT
fi
#
#------------------------------------------
# Allow SMTP
#
if [ $ALLOW_SMTP_OUT -eq 1 ]
then
$IPTABLES -A TCP_OUT -p tcp -m conntrack --ctstate NEW --dport 25 -j ACCEPT # smtp
#$IPTABLES -A TCP_OUT -p tcp -m conntrack --ctstate NEW --sport 25 -j ACCEPT # smtp
fi
#
#------------------------------------------
# Allow outgoing SMTPS requests. Do NOT allow unencrypted SMTP!
#
if [ $ALLOW_SMTPS_OUT -eq 1 ]
then
$IPTABLES -A TCP_OUT -p tcp -m conntrack --ctstate NEW --dport 465 -j ACCEPT # smtps
#$IPTABLES -A TCP_OUT -p tcp -m conntrack --ctstate NEW --sport 465 -j ACCEPT # smtps
fi
#
#------------------------------------------
# Allow SOCKS5
#
if [ $ALLOW_SOCKS5_OUT -eq 1 ]
then
$IPTABLES -A TCP_OUT -p tcp -m conntrack --ctstate NEW --dport 1080 -j ACCEPT # SOCKS5
fi
#
#------------------------------------------
# Allow SSH
#
if [ $ALLOW_SSH_OUT -eq 1 ]
then
# Allow three port 22 connections from any given IP address within a
# 60 second period, and requires 60 seconds of no subsequent connection
# attempts before it will resume allowing connections again.
#
# The --rttl option also takes into account the TTL of the datagram
# when matching packets, so as to endeavour to mitigate against spoofed
# source addresses.
#
# Does not not stop any established SSH connections from the host
# that has made too many SSH connections in a short period of time,
# and allows for whitelisting.
#
#$IPTABLES -A TCP_OUT -p tcp -m conntrack --ctstate NEW --dport 22 -m recent --set --name SSH
##$IPTABLES -A TCP_OUT -p tcp -m conntrack --ctstate NEW --dport 22 -j WHITELIST_SSH
#$IPTABLES -A TCP_OUT -p tcp -m conntrack --ctstate NEW --dport 22 -m recent --update --seconds 60 --hitcount 4 --rttl --name SSH -j LOG --log-prefix "IPT=SSH:OUT:Brute a=DROP "
#$IPTABLES -A TCP_OUT -p tcp -m conntrack --ctstate NEW --dport 22 -m recent --update --seconds 60 --hitcount 4 --rttl --name SSH -j DROP
$IPTABLES -A TCP_OUT -p tcp -m conntrack --ctstate NEW --dport 22 -m recent --set --name SSH
$IPTABLES -A TCP_OUT -p tcp -m conntrack --ctstate NEW --dport 22 -m recent --update --seconds 60 --hitcount 4 --rttl --name SSH -j LOG --log-prefix "IPT=SSH:OUT:Brute a=DROP "
$IPTABLES -A TCP_OUT -p tcp -m conntrack --ctstate NEW --dport 22 -m recent --update --seconds 60 --hitcount 4 --rttl --name SSH -j DROP
$IPTABLES -A TCP_OUT -p tcp -m conntrack --ctstate NEW --dport 22 -j ACCEPT
fi
#
#------------------------------------------
# Allow Squid
#
if [ $ALLOW_SQUID_OUT -eq 1 ]
then
$IPTABLES -A TCP_OUT -p tcp -m conntrack --ctstate NEW --dport 3128 -j ACCEPT # SQUID proxy
fi
#
#------------------------------------------
# Allow Submission
# (RFC 2476)
#
if [ $ALLOW_SUBMISSION_OUT -eq 1 ]
then
$IPTABLES -A TCP_OUT -p tcp -m conntrack --ctstate NEW --dport 587 -j ACCEPT # Submission (RFC 2476)
fi
#
#------------------------------------------
# Allow SVN
#
if [ $ALLOW_SVN_OUT -eq 1 ]
then
$IPTABLES -A TCP_OUT -p tcp -m conntrack --ctstate NEW --dport 3690 -j ACCEPT # SVN
fi
#
#------------------------------------------
# Allow Telnet
#
if [ $ALLOW_TELNET_OUT -eq 1 ]
then
$IPTABLES -A TCP_OUT -p tcp -m conntrack --ctstate NEW --dport 23 -j ACCEPT # telnet
fi
#
#------------------------------------------
# Allow TOR
# (http://tor.eff.org)
#
if [ $ALLOW_TOR_OUT -eq 1 ]
then
$IPTABLES -A TCP_OUT -p tcp -m conntrack --ctstate NEW --dport $PORTS_TOR -j ACCEPT # tor
fi
#
#------------------------------------------
# Allow WHOIS
#
if [ $ALLOW_WHOIS_OUT -eq 1 ]
then
$IPTABLES -A TCP_OUT -p tcp -m conntrack --ctstate NEW --dport 43 -j ACCEPT # WHOIS
fi
#
#------------------------------------------
# Allow unpriviledged ports
#
##$IPTABLES -A TCP_OUT -p tcp -m tcp -o $INET_IFACE -s $INET_IP --sport $PORTS_UNPRIV -j ACCEPT
#
#------------------------------------------
# All good, so return
#
$IPTABLES -A TCP_OUT -p tcp -j RETURN
#
#*********************************************************
# Create a chain to filter known SCANS
# Applied to INPUT on the external or Internet interface.
#
# Trojan portscan, special services, etc
#
if [ $DO_LOG_SCANS -eq 1 ]
then
#------------------------------------------
# Deepthroat scan
#
$IPTABLES -A SCANS -i $INET_IFACE -p tcp --dport 6670 -m limit --limit $LIMIT_LOG --limit-burst $LIMIT_LOG_BURST -j LOG --log-level $LOG_LEVEL --log-prefix "IPT=Deepthroat a=DROP "
$IPTABLES -A SCANS -p tcp --dport 6670 -j DROP
#
#------------------------------------------
# Subseven scan
#
$IPTABLES -A SCANS -i $INET_IFACE -p tcp --dport 1243 -m limit --limit $LIMIT_LOG --limit-burst $LIMIT_LOG_BURST -j LOG --log-level $LOG_LEVEL --log-prefix "IPT=Subseven:1 a=DROP "
$IPTABLES -A SCANS -p tcp --dport 1243 -j DROP
#
$IPTABLES -A SCANS -i $INET_IFACE -p udp --dport 1243 -m limit --limit $LIMIT_LOG --limit-burst $LIMIT_LOG_BURST -j LOG --log-level $LOG_LEVEL --log-prefix "IPT=Subseven:2 a=DROP "
$IPTABLES -A SCANS -p udp --dport 1243 -j DROP
#
$IPTABLES -A SCANS -i $INET_IFACE -p tcp --dport 27374 -m limit --limit $LIMIT_LOG --limit-burst $LIMIT_LOG_BURST -j LOG --log-level $LOG_LEVEL --log-prefix "IPT=Subseven:3 a=DROP "
$IPTABLES -A SCANS -p tcp --dport 27374 -j DROP
$IPTABLES -A SCANS -i $INET_IFACE -p udp --dport 27374 -m limit --limit $LIMIT_LOG --limit-burst $LIMIT_LOG_BURST -j LOG --log-level $LOG_LEVEL --log-prefix "IPT=Subseven:4 a=DROP "
$IPTABLES -A SCANS -p udp --dport 27374 -j DROP
#
$IPTABLES -A SCANS -i $INET_IFACE -p tcp --dport 6711:6713 -m limit --limit $LIMIT_LOG --limit-burst $LIMIT_LOG_BURST -j LOG --log-level $LOG_LEVEL --log-prefix "IPT=Subseven:5 a=DROP "
$IPTABLES -A SCANS -p tcp --dport 6711:6713 -j DROP
#
#------------------------------------------
# Netbus scan
#
$IPTABLES -A SCANS -i $INET_IFACE -p tcp --dport 12345:12346 -m limit --limit $LIMIT_LOG --limit-burst $LIMIT_LOG_BURST -j LOG --log-level $LOG_LEVEL --log-prefix "IPT=Netbus:1 a=DROP "
$IPTABLES -A SCANS -p tcp --dport 12345:12346 -j DROP
#
$IPTABLES -A SCANS -i $INET_IFACE -p tcp --dport 20034 -m limit --limit $LIMIT_LOG --limit-burst $LIMIT_LOG_BURST -j LOG --log-level $LOG_LEVEL --log-prefix "IPT=Netbus:2 a=DROP "
$IPTABLES -A SCANS -p tcp --dport 20034 -j DROP
#
#------------------------------------------
# Back Oriface scan
#
$IPTABLES -A SCANS -i $INET_IFACE -p udp --dport 31337:31338 -m limit --limit $LIMIT_LOG --limit-burst $LIMIT_LOG_BURST -j LOG --log-level $LOG_LEVEL --log-prefix "IPT=Back-Orifice a=DROP "
$IPTABLES -A SCANS -p udp --dport 31337:31338 -j DROP
#
#------------------------------------------
# X-Win scan
#
$IPTABLES -A SCANS -i $INET_IFACE -p tcp --dport $PORTS_XWIN -m limit --limit $LIMIT_LOG --limit-burst $LIMIT_LOG_BURST -j LOG --log-level $LOG_LEVEL --log-prefix "IPT=X-Win a=DROP "
$IPTABLES -A SCANS -p tcp --dport $PORTS_XWIN -j DROP
#
#------------------------------------------
# Hack'a'Tack 2000
#
$IPTABLES -A SCANS -i $INET_IFACE -p udp --dport 28431 -m limit --limit $LIMIT_LOG --limit-burst $LIMIT_LOG_BURST -j LOG --log-level $LOG_LEVEL --log-prefix "IPT=Hack'a'Tack-2000 a=DROP "
$IPTABLES -A SCANS -p udp --dport 28431 -j DROP
#
#------------------------------------------
# All good, so return
#
$IPTABLES -A SCANS -j RETURN
#
#
fi
#
#*********************************************************
# Create a chain to filter packets that are not to be logged.
# Applied to INPUT on the external or Internet interface.
#
#------------------------------------------
# Drop SMB, CIFS, and related Windows traffic without logging.
#
# TODO: I think not all of these use TCP _and_ UDP. Tighten the rules!
#
if [ $BLOCK_SAMBA_WITHOUT_LOGGING -eq 1 ]
then
$IPTABLES -A NO_LOGGING -p tcp -m multiport --sports 135,137,138,139,445,1433,1434 -j DROP
$IPTABLES -A NO_LOGGING -p udp -m multiport --sports 135,137,138,139,445,1433,1434 -j DROP
#
$IPTABLES -A NO_LOGGING -p tcp -m multiport --dports 135,137,138,139,445,1433,1434 -j DROP
$IPTABLES -A NO_LOGGING -p udp -m multiport --dports 135,137,138,139,445,1433,1434 -j DROP
fi
#
#------------------------------------------
# Ignore Dropbox LAN Sync broadcasts
#
# Do not log as too much logging.
#
if [ $BLOCK_DROPBOX_LAN_SYNC_BROADCASTS -eq 1 ]
then
$IPTABLES -A NO_LOGGING -p udp -m udp --dport $PORTS_DROPBOX_LAN_SYNC_BROADCASTS -j DROP
fi
#
#------------------------------------------
# All good, so return
#
$IPTABLES -A NO_LOGGING -j RETURN
#
#*********************************************************
#
# INPUT CHAIN
#
# Add comments to your rules:
#
# -m comment --comment "Comments help to read output of iptables -nvL"
#
#------------------------------------------
# Allow incoming for loopback interfaces
# Allow traffic on loopback interface (lo0)
#
$IPTABLES -A INPUT -i $LO_IFACE -j ACCEPT
#
#------------------------------------------
# Drop all traffic to 127/8 that doesn't use lo0
# Should already be catched by kernel/rp_filter
#
$IPTABLES -A INPUT -i !$LO_IFACE -d 127.0.0.0/8 -j REJECT
#
#------------------------------------------
# Allow previously initiated connections to bypass rules
#
$IPTABLES -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
#$IPTABLES -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
#
#$IPTABLES -A INPUT -p tcp -m multiport --sports 135,137,138,139,445,1433,1434 -j ACCEPT
#$IPTABLES -A INPUT -p udp -m multiport --sports 135,137,138,139,445,1433,1434 -j ACCEPT
#$IPTABLES -A INPUT -p tcp -m multiport --dports 135,137,138,139,445,1433,1434 -j ACCEPT
#$IPTABLES -A INPUT -p udp -m multiport --dports 135,137,138,139,445,1433,1434 -j ACCEPT
# DROP 29691 - Microsoft something or other - I think against Win 10...
#$IPTABLES -A INPUT -p tcp -m conntrack --ctstate NEW --dport 29691 -j DROP
#$IPTABLES -A INPUT -p udp -m conntrack --ctstate NEW --dport 29691 -j DROP
#------------------------------------------
# Allow incoming from local INET
#
#$IPTABLES -A INPUT -s $INET_NET -d $INET_IP -j ACCEPT
# peter enabled this... checking...
$IPTABLES -A INPUT -s $INET_NET -d $INET_IP -j ACCEPT
#
#------------------------------------------
# Allow HTTP
#
if [ $ALLOW_HTTP_IN -eq 1 ]
then
$IPTABLES -A INPUT -p tcp -m conntrack --ctstate NEW --dport 80 -j ACCEPT # http
fi
#
#------------------------------------------
# Allow HTTPS
#
if [ $ALLOW_HTTPS_IN -eq 1 ]
then
$IPTABLES -A INPUT -p tcp -m conntrack --ctstate NEW --dport 443 -j ACCEPT # https
fi
#
#------------------------------------------
# This should be one of the first rules.
# so dns lookups are already allowed for our other rules.
$IPTABLES -A INPUT -p udp --dport 53 -j ACCEPT
$IPTABLES -A INPUT -p tcp --dport 53 -j ACCEPT
#iptables -A INPUT -p udp --dport 53 --dport 1024:65535 -j ACCEPT
#iptables -A INPUT -p tcp --dport 53 --dport 1024:65535 -j ACCEPT
#iptables -A INPUT -p udp --dport 53 --sport 1024:65535 -j ACCEPT
#iptables -A INPUT -p tcp --dport 53 --sport 1024:65535 -j ACCEPT
#
#$IPTABLES -A INPUT -p tcp -m tcp --dport 53 -m limit --limit 5/sec -j LOG --log-prefix "IPT=DNS:TCP LIMIT a=DROP " --log-level $LOG_LEVEL
#$IPTABLES -A INPUT -p udp -m udp --dport 53 -m limit --limit 5/sec -j LOG --log-prefix "IPT=DNS:UDP LIMIT a=DROP " --log-level $LOG_LEVEL
$IPTABLES -A INPUT -p tcp --dport 53 -m state --state NEW -m recent --set --name DNS_BURST_LIMIT --rsource
$IPTABLES -A INPUT -p tcp --dport 53 -m state --state NEW -m recent --rcheck --seconds 1 --hitcount ${DNS_BURST} --name DNS_BURST_LIMIT --rsource -j LOG --log-level $LOG_LEVEL --log-prefix "IPT=DNS:TCP BURST a=DROP "
$IPTABLES -A INPUT -p tcp --dport 53 -m state --state NEW -m recent --update --seconds 1 --hitcount ${DNS_BURST} --name DNS_BURST_LIMIT --rsource -j DROP
$IPTABLES -A INPUT -p tcp --dport 53 -m state --state NEW -m recent --set --name DNS_TOTAL_LIMIT --rsource
$IPTABLES -A INPUT -p tcp --dport 53 -m state --state NEW -m recent --rcheck --seconds ${DNS_TIMEOUT} --hitcount ${DNS_TOTAL_REQUESTS} --name DNS_TOTAL_LIMIT --rsource -j LOG --log-level $LOG_LEVEL --log-prefix "IPT=DNS:TCP TOTAL a=DROP "
$IPTABLES -A INPUT -p tcp --dport 53 -m state --state NEW -m recent --update --seconds ${DNS_TIMEOUT} --hitcount ${DNS_TOTAL_REQUESTS} --name DNS_TOTAL_LIMIT --rsource -j DROP
$IPTABLES -A INPUT -p udp --dport 53 -m state --state NEW -m recent --set --name DNS_BURST_LIMIT --rsource
$IPTABLES -A INPUT -p udp --dport 53 -m state --state NEW -m recent --rcheck --seconds 1 --hitcount ${DNS_BURST} --name DNS_BURST_LIMIT --rsource -j LOG --log-level $LOG_LEVEL --log-prefix "IPT=DNS:UDP BURST a=DROP "
$IPTABLES -A INPUT -p udp --dport 53 -m state --state NEW -m recent --update --seconds 1 --hitcount ${DNS_BURST} --name DNS_BURST_LIMIT --rsource -j DROP
$IPTABLES -A INPUT -p udp --dport 53 -m state --state NEW -m recent --set --name DNS_TOTAL_LIMIT --rsource
$IPTABLES -A INPUT -p udp --dport 53 -m state --state NEW -m recent --rcheck --seconds ${DNS_TIMEOUT} --hitcount ${DNS_TOTAL_REQUESTS} --name DNS_TOTAL_LIMIT --rsource -j LOG --log-level $LOG_LEVEL --log-prefix "IPT=DNS:UDP TOTAL a=DROP "
$IPTABLES -A INPUT -p udp --dport 53 -m state --state NEW -m recent --update --seconds ${DNS_TIMEOUT} --hitcount ${DNS_TOTAL_REQUESTS} --name DNS_TOTAL_LIMIT --rsource -j DROP
$IPTABLES -A INPUT -p tcp -m conntrack --ctstate NEW,ESTABLISHED --dport 53 -j ACCEPT # DNS
$IPTABLES -A INPUT -p udp -m conntrack --ctstate NEW,ESTABLISHED --dport 53 -j ACCEPT # DNS
#for ip in $DNS_SERVER
#do
# echo "Allowing DNS lookups (tcp, udp port 53) to server '$ip'"
# $IPTABLES -A INPUT -p udp -s $ip --sport 53 -m state --state ESTABLISHED -j ACCEPT
# $IPTABLES -A INPUT -p tcp -s $ip --sport 53 -m state --state ESTABLISHED -j ACCEPT
# $IPTABLES -A OUTPUT -p udp -d $ip --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT
# $IPTABLES -A OUTPUT -p tcp -d $ip --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT
#done
#PTR1
#------------------------------------------
# Allow packets not coming from the outside
#
$IPTABLES -A INPUT -m conntrack --ctstate NEW -i $LOCAL_IFACE -j ACCEPT
#
#------------------------------------------
# This should be one of the first rules.
# to drop any previously detected attackers.
if [ $BLOCK_BRUTE_FORCE_ATTACKS -eq 1 ]
then
# Check for any offences.
# If so then drop for that period of time, into the specific banned group - which determines the timeout.
# Otherwise, if not yet banned, check if this is an attack.
$IPTABLES -A INPUT -m recent --rcheck --seconds $CONNECTION_TIMEOUT_9 --name BANNED9 --rsource -j DROP
$IPTABLES -A INPUT -m recent --rcheck --seconds $CONNECTION_TIMEOUT_8 --name BANNED8 --rsource -j DROP
$IPTABLES -A INPUT -m recent --rcheck --seconds $CONNECTION_TIMEOUT_7 --name BANNED7 --rsource -j DROP
$IPTABLES -A INPUT -m recent --rcheck --seconds $CONNECTION_TIMEOUT_6 --name BANNED6 --rsource -j DROP
$IPTABLES -A INPUT -m recent --rcheck --seconds $CONNECTION_TIMEOUT_5 --name BANNED5 --rsource -j DROP
$IPTABLES -A INPUT -m recent --rcheck --seconds $CONNECTION_TIMEOUT_4 --name BANNED4 --rsource -j DROP
$IPTABLES -A INPUT -m recent --rcheck --seconds $CONNECTION_TIMEOUT_3 --name BANNED3 --rsource -j DROP
$IPTABLES -A INPUT -m recent --rcheck --seconds $CONNECTION_TIMEOUT_2 --name BANNED2 --rsource -j DROP
$IPTABLES -A INPUT -m recent --rcheck --seconds $CONNECTION_TIMEOUT_1 --name BANNED1 --rsource -j DROP
$IPTABLES -A INPUT -m conntrack --ctstate NEW -j ATTACK_CHECK
fi
#------------------------------------------
# Allow incoming from the gateway
#
$IPTABLES -A INPUT -s $INET_GW -d $INET_IP -j ACCEPT
#
#------------------------------------------
# Allow incoming from local INET to local BCAST
#
$IPTABLES -A INPUT -s $INET_NET -d $INET_BCAST -j ACCEPT
$IPTABLES -A INPUT -d $PORTS_BROADCAST -j ACCEPT
#$IPTABLES -A INPUT -s $INET_NET -d $PORTS_BROADCAST -j ACCEPT
#$IPTABLES -A INPUT -s $INET_NET -d $PORTS_UNIVERSE -j ACCEPT
#
#------------------------------------------
# Allow incoming from local INET
#
#$IPTABLES -A INPUT -s $INET_NET -d $INET_IP -j ACCEPT
#
#------------------------------------------
# Allow packets not coming from the outside
#
$IPTABLES -A INPUT -m conntrack --ctstate NEW -i $LOCAL_IFACE -j ACCEPT
#
#------------------------------------------
# Check Quotas
#
if [ $DO_QUOTA -eq 1 ]
then
$IPTABLES -A INPUT -j QUOTAS
fi
#
#------------------------------------------
# Drop invalid packets
#
$IPTABLES -A INPUT -j BAD_PACKETS
#
#------------------------------------------
# Do not log certain packets, as too much logging
#
#$IPTABLES -A INPUT -j NO_LOGGING
#
#------------------------------------------
# Always allow certain packets
#
if [ $DO_WHITELISTING -eq 1 ]
then
$IPTABLES -A INPUT -j WHITELIST
fi
#
#------------------------------------------
# Drop enemies
#
$IPTABLES -A INPUT -j BLACKLIST
#
#------------------------------------------
# Route the rest to the appropriate user chain
#
$IPTABLES -A INPUT -p tcp -i $INET_IFACE -j TCP_IN
$IPTABLES -A INPUT -p udp -i $INET_IFACE -j UDP_IN
$IPTABLES -A INPUT -p icmp -i $INET_IFACE -j ICMP_IN
$IPTABLES -A INPUT -p igmp -j DROP
#
#------------------------------------------
# Drop any traffic from IANA-reserved IPs.
#
$IPTABLES -A INPUT -i $INET_IFACE -j IANA_RESERVED
#
#------------------------------------------
# Allow Port Knocking
#
if [ $DO_PORT_KNOCKING -eq 1 ]
then
$IPTABLES -A INPUT -j PORT_KNOCK
fi
#
#------------------------------------------
# Do not log certain packets, as too much logging
#
$IPTABLES -A INPUT -j NO_LOGGING
#
#------------------------------------------
# Drop packets from private address ranges coming in on the external
#
$IPTABLES -A INPUT -i $INET_IFACE -j PRIVATE_PACKETS
#
#------------------------------------------
# Drop without logging broadcasts that get this far.
# Cuts down on log clutter.
# Comment this line if testing new rules that impact
# broadcast protocols.
#
$IPTABLES -A INPUT -m pkttype --pkt-type broadcast -j DROP
#
#------------------------------------------
# Catch all
# Log packets that still don't match, and then DROP them.
#
if [ $DO_REJECT_INSTEAD_OF_DROP -eq 1 ]
then
$IPTABLES -A INPUT -m limit --limit $LIMIT_LOG --limit-burst $LIMIT_LOG_BURST -j LOG --log-level $LOG_LEVEL --log-prefix "IPT=INPUT:999 a=REJECT "
$IPTABLES -A INPUT -p udp -j REJECT --reject-with icmp-port-unreachable
$IPTABLES -A INPUT -p tcp -j REJECT --reject-with tcp-reset
$IPTABLES -A INPUT -j REJECT --reject-with icmp-proto-unreachable
else
$IPTABLES -A INPUT -m limit --limit $LIMIT_LOG --limit-burst $LIMIT_LOG_BURST -j LOG --log-level $LOG_LEVEL --log-prefix "IPT=INPUT:999 a=DROP "
$IPTABLES -A INPUT -j DROP
fi
#
#*********************************************************
#
# OUTPUT CHAIN
#
#------------------------------------------
# Allow outgoing for loopback interfaces
# Allow traffic on loopback interface (lo0)
#
$IPTABLES -A OUTPUT -o $LO_IFACE -j ACCEPT
#
#------------------------------------------
# Drop all traffic to 127/8 that doesn't use lo0
# Should be already be catched by kernel/rp_filter
#
$IPTABLES -A OUTPUT -o !$LO_IFACE -d 127.0.0.0/8 -j REJECT
#
#------------------------------------------
# Allow previously initiated connections to bypass rules
#
$IPTABLES -A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
#
#------------------------------------------
# Allow outgoing connections EXCEPT invalid
#
#$IPTABLES -A OUTPUT -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
#------------------------------------------
# This should be one of the first rules.
# so dns lookups are already allowed for your other rules
$IPTABLES -A OUTPUT -p udp --dport 53 -j ACCEPT
$IPTABLES -A OUTPUT -p tcp --dport 53 -j ACCEPT
#iptables -A OUTPUT -p udp --dport 53 --sport 1024:65535 -j ACCEPT
#iptables -A OUTPUT -p tcp --dport 53 --sport 1024:65535 -j ACCEPT
#
#$IPTABLES -A OUTPUT -p tcp -m conntrack --ctstate NEW,ESTABLISHED --dport 53 -j ACCEPT # DNS
#$IPTABLES -A OUTPUT -p udp -m conntrack --ctstate NEW,ESTABLISHED --dport 53 -j ACCEPT # DNS
#$IPTABLES -A OUTPUT -p tcp -m conntrack --ctstate NEW,ESTABLISHED --sport 53 -j ACCEPT # DNS
#$IPTABLES -A OUTPUT -p udp -m conntrack --ctstate NEW,ESTABLISHED --sport 53 -j ACCEPT # DNS
#------------------------------------------
# Allow established connections, and those not coming from the outside
#
$IPTABLES -A OUTPUT -m conntrack --ctstate NEW -o $LOCAL_IFACE -j ACCEPT
#
#------------------------------------------
# Drop invalid packets
#
# Note: Be careful if you're using kernels older than 2.4.29. Some locally
# generated ICMP error types (going through OUTPUT) are erroneously tagged
# as INVALID (instead of RELATED).
# Details: http://lists.debian.org/debian-firewall/2006/05/msg00051.html.
#
$IPTABLES -A OUTPUT -j BAD_PACKETS
#
#------------------------------------------
# Do not log certain packets, as too much logging
#
#$IPTABLES -A OUTPUT -j NO_LOGGING
#
#------------------------------------------
# Always allow certain packets
#
#if [ $DO_WHITELISTING -eq 1 ]
#then
#$IPTABLES -A OUTPUT -j WHITELIST
#fi
#
#------------------------------------------
# Drop enemies
#
#$IPTABLES -A OUTPUT -j BLACKLIST
#
#------------------------------------------
# Route the rest to the appropriate user chain
#
$IPTABLES -A OUTPUT -p tcp -o $INET_IFACE -j TCP_OUT
$IPTABLES -A OUTPUT -p udp -o $INET_IFACE -j UDP_OUT
$IPTABLES -A OUTPUT -p icmp -o $INET_IFACE -j ICMP_OUT
#
#------------------------------------------
# Do not log certain packets, as too much logging
#
$IPTABLES -A OUTPUT -j NO_LOGGING
#
#------------------------------------------
# Catch all
#
# Log packets that still don't match, and then DROP them.
#
if [ $DO_REJECT_INSTEAD_OF_DROP -eq 1 ]
then
$IPTABLES -A OUTPUT -m limit --limit $LIMIT_LOG --limit-burst $LIMIT_LOG_BURST -j LOG --log-level $LOG_LEVEL --log-prefix "IPT=OUTPUT:999 a=REJECT "
$IPTABLES -A OUTPUT -p udp -j REJECT --reject-with icmp-port-unreachable
$IPTABLES -A OUTPUT -p tcp -j REJECT --reject-with tcp-reset
$IPTABLES -A OUTPUT -j REJECT --reject-with icmp-proto-unreachable
else
$IPTABLES -A OUTPUT -m limit --limit $LIMIT_LOG --limit-burst $LIMIT_LOG_BURST -j LOG --log-level $LOG_LEVEL --log-prefix "IPT=OUTPUT:999 a=DROP "
$IPTABLES -A OUTPUT -j DROP
fi
#
#*********************************************************
#
# FORWARD CHAIN
#
#
$IPTABLES -A FORWARD -j BAD_PACKETS
#
#------------------------------------------
#FORWARD
$IPTABLES -A FORWARD -p icmp -j ACCEPT
$IPTABLES -A FORWARD -p tcp -s $LOCAL_NET -j ACCEPT #forward everything from local LAN
$IPTABLES -A FORWARD -p udp -s $LOCAL_NET -j ACCEPT #forward everything from local LAN
#$IPTABLES -A FORWARD -i $INET_IFACE -j OUTBOUND #need both for pass-through
#$IPTABLES -A FORWARD -i $LOCAL_IFACE -j OUTBOUND #need both for pass-through
#------------------------------------------
# Allows new forwarded packets
#
#$IPTABLES -A FORWARD -i $INET_IFACE -o $LOCAL_IFACE -s $LOCAL_NET -m conntrack --ctstate NEW -j ACCEPT
#
#------------------------------------------
# Don't forward from the outside to the inside.
#
$IPTABLES -A FORWARD -i $INET_IFACE -o $INET_IFACE -j REJECT
#$IPTABLES -A FORWARD -s $INET_NET -i $INET_IFACE -j DROP # Drop from internet which it claims are an addr in LAN ip range.
#
#------------------------------------------
# Allow previously initiated connections to bypass rules
#
$IPTABLES -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
#
#------------------------------------------
# Allow established connections, and those not coming from the outside
#
#$IPTABLES -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -i $LOCAL_IFACE -o $INET_IFACE -j ACCEPT
#
#
#------------------------------------------
# Drop invalid packets
#
$IPTABLES -A FORWARD -j BAD_PACKETS
#
#------------------------------------------
# Always allow certain packets
#
if [ $DO_WHITELISTING -eq 1 ]
then
$IPTABLES -A FORWARD -j WHITELIST
fi
#
#------------------------------------------
# Allow outgoing connections from the LAN side
# Route packets to either TCP or UDP as appropriate
#
$IPTABLES -A FORWARD -i $LOCAL_IFACE -o $INET_IFACE -p tcp -j TCP_OUT
$IPTABLES -A FORWARD -i $LOCAL_IFACE -o $INET_IFACE -p udp -j UDP_OUT
#
#------------------------------------------
# Do not log certain packets, as too much logging
#
#$IPTABLES -A FORWARD -j NO_LOGGING
#
#------------------------------------------
# Drop enemies
#
$IPTABLES -A FORWARD -j BLACKLIST
#
#------------------------------------------
# Do not log certain packets, as too much logging
#
$IPTABLES -A FORWARD -j NO_LOGGING
#
#------------------------------------------
# Catch all
# Log packets that still don't match, and then DROP them.
#
if [ $DO_REJECT_INSTEAD_OF_DROP -eq 1 ]
then
$IPTABLES -A FORWARD -m limit --limit $LIMIT_LOG --limit-burst $LIMIT_LOG_BURST -j LOG --log-level $LOG_LEVEL --log-prefix "IPT=FORWARD:999 a=REJECT "
$IPTABLES -A FORWARD -p udp -j REJECT --reject-with icmp-port-unreachable
$IPTABLES -A FORWARD -p tcp -j REJECT --reject-with tcp-reset
$IPTABLES -A FORWARD -j REJECT --reject-with icmp-proto-unreachable
else
$IPTABLES -A FORWARD -m limit --limit $LIMIT_LOG --limit-burst $LIMIT_LOG_BURST -j LOG --log-level $LOG_LEVEL --log-prefix "IPT=FORWARD:999 a=DROP "
$IPTABLES -A FORWARD -j DROP
fi
#
#*********************************************************
#
# POSTROUTING CHAIN
#
#------------------------------------------
# Masquerade - Set up your gateway
#
if [ $DO_MASQUERADE -eq 1 ]
then
$IPTABLES -A POSTROUTING -t nat -o $INET_IFACE -j MASQUERADE
else
# POSTROUTING statements for 1:1 NAT
# (Connections originating from the home network servers)
#
# SNAT is used to NAT all other outbound connections initiated
# from the protected network to appear to come from the local
# IP address.
#
# The reason for choosing MASQUERADE in the previous example
# anyway has the following reason: For SNAT one has to specify
# the new source-IP explicitly.
#
# For routers with a static IP address SNAT is the best choice
# because it is faster than MASQUERADE which has to check the
# current IP address of the outgoing network interface at every
# packet. Since SNAT is only meaningful for packets leaving the
# router it is used within the POSTROUTING chain only.
#
#$IPTABLES -A POSTROUTING -t nat -o $INET_IFACE -j SNAT --to-source $INET_IP
$IPTABLES -A POSTROUTING -t nat -s $LOCAL_IP -o $INET_IFACE -j SNAT --to-source $LOCAL_IP
#
#------------------------------------------
# POSTROUTING statements for Many:1 NAT
#
#$IPTABLES -A POSTROUTING -t nat -s $LOCAL_NET -o $INET_IFACE -j SNAT --to-source $LOCAL_IP
fi
#
#*********************************************************
#
# PREROUTING CHAIN
#
#------------------------------------------
# DROP packets from hosts with more than 16 active connections.
#$IPTABLES -A PREROUTING -t nat -i $INET_IFACE -p tcp --syn -d $INET_IP -m iplimit --iplimit-above 16 -j DROP
#
#------------------------------------------
if [ $DO_MASQUERADE -eq 0 ]
then
# PREROUTING statements for 1:1 NAT
#
#$IPTABLES -A PREROUTING -t nat -i $INET_IFACE -j DNAT --to-destination $INET_IP
$IPTABLES -A PREROUTING -t nat -d $LOCAL_IP -i $INET_IFACE -j DNAT --to-destination $INET_IP
fi
#
#------------------------------------------
# Blocks oversized unfragmented ICMP packets.
#
if [ $BLOCK_OVERSIZE_ICMP_PACKETS -eq 1 ]
then
$IPTABLES -A PREROUTING -t raw -p icmp -m length --length 1492:65535 -m limit --limit $LIMIT_LOG --limit-burst $LIMIT_LOG_BURST -j LOG --log-level $LOG_LEVEL --log-prefix "IPT=PRE:oversize_ICMP a=DROP "
$IPTABLES -A PREROUTING -t raw -p icmp -m length --length 1492:65535 -j DROP
fi
#
#------------------------------------------
## RULES END ##
rules_number=`egrep '\-j' /sharewiz/firewall/firewall.sh | wc -l`
#rules_number=`egrep '\-j' `basename $0 | wc -l`
total_rules=$(( rules_number ))
echo ""
echo "$total_rules rules loaded."
echo ""
#------------------------------------------
# Exit gracefully.
#
exit 0