====== Ubuntu - iptables - Firewall ======
===== Verify the IPTables package is installed =====
dpkg -l | grep -- iptables   # -l is the short form of --list
returns:
ii iptables 1.6.0-2ubuntu3 amd64 administration tools for packet filtering and NAT
----
===== Verify the Kernel Module is loaded =====
lsmod | grep -F -- ip_tables   # fixed-string match; the "Used by" column lists the table modules
returns:
ip_tables 24576 4 iptable_filter,iptable_mangle,iptable_nat,iptable_raw
----
===== Creating iptables rules =====
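# Default policies: anything not matched by a rule below is dropped, in both
# directions. With OUTPUT set to DROP, traffic the host itself initiates
# (DNS lookups, package updates, outgoing ssh) also needs explicit OUTPUT rules.
iptables -P INPUT DROP
iptables -P OUTPUT DROP
# Allowing Loopback Traffic (both directions, since OUTPUT is DROP as well).
iptables -I INPUT -i lo -j ACCEPT
iptables -I OUTPUT -o lo -j ACCEPT
# Allow established connections. The OUTPUT counterpart is required: without
# it the replies of the SSH session accepted below are dropped by the OUTPUT
# policy and the host locks itself out.
iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# Allow SSH access, only from 192.168.1.2.
# iptables -I INPUT -p tcp --dport 22 -j ACCEPT
iptables -A INPUT -p tcp --dport 22 -s 192.168.1.2 -j ACCEPT
# Enable Web.
# iptables -A INPUT -p tcp --dport 80 -j ACCEPT
# iptables -A INPUT -p tcp --dport 443 -j ACCEPT
# Enable FTP (port 20 is the active-mode data channel; the conntrack FTP
# helper from the next section is needed for it).
# iptables -A INPUT -p tcp --dport 21 -j ACCEPT
# iptables -A INPUT -p tcp --dport 20 -j ACCEPT
# To block an IP range.
# Position 3 places the rule after the loopback and ESTABLISHED rules but
# before the SSH rule: new connections from the range are dropped, already
# established ones are still accepted. Use "-I INPUT 1" to cut those as well.
iptables -I INPUT 3 -s 192.168.123.0/24 -j DROP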
----
===== Enable kernel modules =====
To have FTP work correctly with iptables, ensure that the **ip_conntrack_ftp** module is loaded.
modprobe ip_conntrack_ftp   # shows up in the lsmod output below under its current name, nf_conntrack_ftp
Check that the module is loaded
lsmod | grep -F -- conntrack   # lists the FTP helper together with the core conntrack modules
returns:
nf_conntrack_ftp 20480 1 nf_nat_ftp
nf_conntrack_ipv4 16384 84
nf_defrag_ipv4 16384 1 nf_conntrack_ipv4
xt_conntrack 16384 81
nf_conntrack 106496 9 nf_nat_ftp,nf_nat,xt_state,xt_connlimit,nf_nat_ipv4,xt_conntrack,nf_nat_masquerade_ipv4,nf_conntrack_ftp,nf_conntrack_ipv4
x_tables 36864 25 xt_pkttype,ip6table_filter,ip6table_mangle,xt_length,xt_comment,xt_CHECKSUM,xt_recent,ip_tables,xt_tcpudp,xt_string,ipt_MASQUERADE,xt_limit,xt_state,xt_connlimit,xt_conntrack,xt_LOG,xt_nat,xt_multiport,iptable_filter,ebtables,ipt_REJECT,iptable_mangle,ip6_tables,xt_addrtype,iptable_raw
----
===== Setup an init script =====
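#!/bin/bash
#
# Start and stop the Firewall.
# Modify the following settings as required:
### BEGIN INIT INFO
# Provides: firewall-sharewiz
# Required-Start: $network
# Required-Stop:
# Default-Start: 2 3 4 5
# Default-Stop: 0 1 6
### END INIT INFO
#
# Usage: /etc/init.d/firewall-sharewiz {start|stop|restart|reload|status}
#
# "stop" does not just disable the rule set: it flushes every table and sets
# every policy to ACCEPT, i.e. the host is left completely open afterwards.

IPTABLES=/sbin/iptables
IP6TABLES=/sbin/ip6tables
NAME=firewall-sharewiz
FIREWALL_SCRIPT=/sharewiz/firewall/firewall.sh

# Build the rule set by running the firewall script.
fw_start() {
  if [ ! -x "$FIREWALL_SCRIPT" ]; then
    echo "$NAME: $FIREWALL_SCRIPT is missing or not executable" >&2
    exit 1
  fi
  "$FIREWALL_SCRIPT"
}

# Flush filter/nat/mangle and open every policy.  The firewall script also
# sets the ip6tables policies to DROP, so IPv6 is reset here too; otherwise a
# "stop" leaves all IPv6 traffic blocked.
fw_stop() {
  "$IPTABLES" --flush
  "$IPTABLES" -t nat --flush
  "$IPTABLES" -F -t mangle
  "$IPTABLES" -P INPUT ACCEPT
  "$IPTABLES" -P OUTPUT ACCEPT
  "$IPTABLES" -P FORWARD ACCEPT
  "$IPTABLES" -t nat -P POSTROUTING ACCEPT
  "$IPTABLES" -t nat -P PREROUTING ACCEPT
  "$IPTABLES" -t nat -P OUTPUT ACCEPT
  if [ -x "$IP6TABLES" ]; then
    "$IP6TABLES" --flush 2>/dev/null
    "$IP6TABLES" -t mangle --flush 2>/dev/null
    "$IP6TABLES" -P INPUT ACCEPT 2>/dev/null
    "$IP6TABLES" -P OUTPUT ACCEPT 2>/dev/null
    "$IP6TABLES" -P FORWARD ACCEPT 2>/dev/null
  fi
}

# Print the current rules of every table.
fw_status() {
  "$IPTABLES" --list
  "$IPTABLES" -t nat --list
  "$IPTABLES" -t mangle --list
}

case "$1" in
  start)
    fw_start
    ;;
  stop)
    fw_stop
    ;;
  restart|reload)
    # Same as stop followed by start (previously duplicated inline).
    fw_stop
    fw_start
    ;;
  status)
    fw_status
    ;;
  *)
    echo "Usage: /etc/init.d/$NAME {start|stop|restart|reload|status}" >&2
    exit 1
    ;;
esac
exit 0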
Set the permissions (make the init script executable):
chmod 0755 -- /etc/init.d/firewall-sharewiz   # rwxr-xr-x
----
===== Create the firewall script =====
vi /sharewiz/firewall/firewall.sh   # the path the init script above runs on "start"
and populate it with the following script:
#!/bin/bash
#
# Firewall rule set for this host, run by /etc/init.d/firewall-sharewiz.
# Modify the following settings as required:
#
# You should check/test that the firewall really works, using
# iptables -vnL, nmap, ping, telnet, ...
#
# TODO: ICQ, MSN, GTalk, Skype, Yahoo, etc...
#
# Absolute paths of the tools used below.
IPTABLES='/sbin/iptables'
IP6TABLES='/sbin/ip6tables'
DEPMOD='/sbin/depmod'
MODPROBE='/sbin/modprobe'
RMMOD='/sbin/rmmod'
ARP='/usr/sbin/arp'           # see the static ARP entries section
#
# Whether to modprobe the netfilter modules before the rules are built.
LOAD_MODULES='yes'
LOAD_MODULES_IPV6='no'        # the IPv6 module lines in the loading section are commented out
#
# REJECT target works basically the same as the DROP target, but it also sends
# back an error message to the host sending the packet that was blocked.
#
# The REJECT target is as of today only valid in the INPUT, FORWARD and OUTPUT
# chains or their sub chains.
#
# REJECT --reject-with tcp-reset # RFC 793. TCP RST packets are used to close open TCP connections gracefully.
# REJECT --icmp-net-unreachable #
# REJECT --icmp-host-unreachable #
# REJECT --icmp-port-unreachable # Default
# REJECT --icmp-proto-unreachable #
# REJECT --icmp-net-prohibited #
# REJECT --icmp-host-prohibited #
#*********************************************************
#
# Interfaces
#
# Addresses are fixed here.  The commented lines show how they could instead
# be derived from the running configuration (ifconfig/ip output parsing).
#
#SERVER_INTERFACE=`ip addr show | awk '$1 == "inet" && $3 == "brd" { print $7 }'`
#SERVER_IP=`ifconfig $SERVER_INTERFACE | grep inet | awk '{ print $2 }'| cut -d : -f2`
#tmp=$(/sbin/ifconfig $LANFACE | grep -m 1 inet | tr -d [:alpha:])
#ifconfig em1 | grep -m 1 inet | tr -d [:alpha:]
#INET_IP=$(echo $tmp | cut -d : -f2)
#INET_BCAST=$(echo $tmp | cut -d : -f3)
#INET_MASK=$(echo $tmp | cut -d : -f4)
#unset tmp
#
# Internet Interface (earlier values: eth0, em1)
#
INET_IFACE='br0'
#INET_IFACE=$(/sbin/ifconfig | awk '/Link / { print $1 } ' | head -n 1)
INET_GW='192.168.1.1'
INET_IP='192.168.1.2'
INET_NET='192.168.1.1/24'     # NOTE(review): written with host bits set; the network form is 192.168.1.0/24 — confirm
INET_BCAST='192.168.1.255'
#
# Local Interface Information (earlier value: eth1)
#
LOCAL_IFACE='em2'
#LOCAL_IFACE=$(/sbin/ifconfig | awk '/Link / { print $1 } ' | sed -n -e '2{p;q;}')
LOCAL_IP='192.168.0.2'
LOCAL_NET='192.168.0.1/24'    # NOTE(review): same remark, network form is 192.168.0.0/24
LOCAL_BCAST='192.168.0.255'
#
# Localhost Interface
#
LO_IFACE='lo'
LO_IP='127.0.0.1'
#
# Standard Definitions
#
ALL='0/0'
CLASS_A='10.0.0.0/8'
CLASS_B='172.16.0.0/12'
CLASS_C='192.168.0.0/16'
CLASS_D_MULTICAST='224.0.0.0/4'
CLASS_E_RESERVED_NET='240.0.0.0/5'   # NOTE(review): class E is 240.0.0.0/4; this /5 only covers 240-247 — confirm
LOOPBACK='127.0.0.0/8'
P_PORTS='0:1023'                     # privileged ports
UP_PORTS='1024:65535'                # unprivileged ports
#
# DNS servers (space separated)
#
DNS_SERVERS='83.137.248.244 93.187.151.197 8.8.8.8 8.8.4.4'
#
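#
###########################################################################
#
# Module loading.
#
# Best effort: a module that cannot be loaded (missing, renamed, or built into
# the kernel) only produces a warning on stderr; the script carries on.
#
# NOTE(review): several names below are the legacy spellings (ip_conntrack,
# ipt_state, ipt_LOG, ...).  The lsmod output earlier on this page lists the
# current names (nf_conntrack, xt_conntrack, xt_LOG, ...), so loading relies
# on modprobe aliases — confirm each one on the target kernel.
#
# load_module NAME [PARAM=VALUE ...]
#   Wraps $MODPROBE so that a failure is reported instead of silently ignored.
load_module() {
  "$MODPROBE" "$@" || echo "warning: modprobe $1 failed" >&2
}
#
if [ "$LOAD_MODULES" = "yes" ]; then
  #
  # Initially load modules
  #
  "$DEPMOD" -a
  #
  # Required modules
  #
  load_module ip_tables         # Required; all IPv4 modules depend on this one.
  load_module ip_conntrack      # Stateful Connections. Allows connection tracking state match, which allows you to write rules matching the state of a connection.
  load_module ip_conntrack_ftp  # Permits active FTP; requires ip_conntrack. Recognizes connection is related to original port 21.
  load_module iptable_filter    # Filter Table.
  load_module iptable_mangle    # Mangle table.
  load_module iptable_nat       # NAT table.
  load_module ip_nat_ftp        #
  load_module ipt_LOG           #
  load_module ipt_limit         # Allows log limits.
  load_module ipt_state         # Permits packet state checking (SYN, SYN-ACK, ACK, and so on).
  #
  # xt_recent with enlarged tables.  Without these parameters dmesg shows
  # errors such as:
  #   xt_recent: hitcount (25) is larger than packets to be remembered (20)
  #
  # To inspect the module's parameters:
  #   head /sys/module/xt_recent/parameters/*
  #   ls -1 /sys/module/xt_recent/parameters/
  #   cat /sys/module/xt_recent/parameters/ip_pkt_list_tot
  #   modinfo xt_recent
  #   ls -al /proc/net/xt_recent/
  #
  # NOTE(review): parameters given to modprobe only apply when the module is
  # actually (re)loaded; the unload line is kept commented out as before.
  #$RMMOD xt_recent
  load_module xt_recent ip_list_tot=100000 ip_pkt_list_tot=255
  #$MODPROBE ipt_recent ip_list_tot=100000 ip_pkt_list_tot=255
  # See also:
  # xt_length
  # xt_hl
  # xt_tcpmss
  # xt_TCPMSS
  # xt_multiport
  # xt_limit
  # xt_dscp
  #
  # Non-Required modules
  #
  #$MODPROBE ipt_owner #
  #$MODPROBE ipt_REJECT # Implement the REJECT target.
  #$MODPROBE ipt_MASQUERADE # Masquerade Target.
  #$MODPROBE ip_conntrack_ftp #
  #$MODPROBE ip_conntrack_irc #
  #$MODPROBE ip_conntrack_netbios_ns #
  #$MODPROBE ip_nat_ftp #
  #$MODPROBE ip_nat_irc #
  #
  # Other modules.
  #
  #$MODPROBE ipt_comment #
  #$MODPROBE ipt_helper #
  # ipt_length
  # ipt_limit
  # ipt_multiport
  # ipt_REDIRECT
  # ipt_REJECT
  # ipt_state
  # ipt_tcp
  # ipt_TCPMSS # Used to clamp MSS (Maximum Segment Size) to the PMTU (Path Maximum Transmit Unit).
  # ipt_tcpmss # Used to clamp MSS (Maximum Segment Size) to the PMTU (Path Maximum Transmit Unit).
  # ipt_tos
  # ipt_TOS
  # ipt_ttl
  # iptable_filter
  # iptable_mangle
  # iptable_nat
  #
  # IPv6 modules (not loaded; LOAD_MODULES_IPV6 is not consulted here).
  #
  #$MODPROBE ip6_tables # Required; all IPv6 modules depend on this one.
  #$MODPROBE ip6table_filter # Filter Table.
  #$MODPROBE ip6table_mangle # Mangle table.
fi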
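#*********************************************************
# What to allow
#
# 0=no
# 1=yes
#
# The number in each comment is the port the service is known by.
#
ALLOW_APPLESHARE_IN=0 # 500
ALLOW_APPLESHARE_OUT=0 # 500
ALLOW_BITTORRENT_IN=0 #
ALLOW_BITTORRENT_OUT=0 #
ALLOW_BOOTP_CLIENT_IN=0 # 68 DHCP boot protocol client
ALLOW_BOOTP_CLIENT_OUT=0 # 68 DHCP boot protocol client
ALLOW_BOOTP_SERVER_IN=0 # 67 DHCP boot protocol server
ALLOW_BOOTP_SERVER_OUT=0 # 67 DHCP boot protocol server
ALLOW_CHARGEN_IN=0 # 19
ALLOW_CHARGEN_OUT=0 # 19
ALLOW_CORBA_IIOP_IN=0 # 535
ALLOW_CORBA_IIOP_OUT=0 # 535
ALLOW_CUPS_IN=0 # CUPS printer service
ALLOW_CUPS_OUT=0 # CUPS printer service
ALLOW_CVS_IN=0 #
ALLOW_CVS_OUT=0 #
ALLOW_DAYTIME_IN=0 # 13 daytime-server
ALLOW_DAYTIME_OUT=0 # 13 daytime-server
ALLOW_DHCP_BROADCAST_IN=1 #
ALLOW_DHCP_BROADCAST_OUT=1 #
ALLOW_DISCARD_IN=0 # 9 discard-server
ALLOW_DISCARD_OUT=0 # 9 discard-server
ALLOW_DNS_IN=1 # 53
ALLOW_DNS_OUT=1 # 53
ALLOW_ECHO_IN=0 # 7 echo-server
ALLOW_ECHO_OUT=0 # 7 echo-server
ALLOW_FINGER_IN=0 # 79
ALLOW_FINGER_OUT=0 # 79
ALLOW_FTP_IN=1 # 21=ftp control, 20=ftp-data
ALLOW_FTP_OUT=1 # 21=ftp control, 20=ftp-data
ALLOW_HTTP_IN=1 # 80
ALLOW_HTTP_OUT=1 # 80
ALLOW_HTTPS_IN=1 # 443
ALLOW_HTTPS_OUT=1 # 443
ALLOW_ICMP_PARAM_PROBLEM_IN=0 #
ALLOW_IDENT_IN=1 # 113 ident/auth (59 was listed here earlier; ident is 113)
ALLOW_IDENT_OUT=1 # 113 ident/auth
ALLOW_IMAP_IN=1 # 143
ALLOW_IMAP_OUT=1 # 143
ALLOW_IMAPS_IN=1 # 993
ALLOW_IMAPS_OUT=1 # 993
ALLOW_IRC_IN=0 #
ALLOW_IRC_OUT=0 #
ALLOW_KAZAA_IN=0 # 1214
ALLOW_KAZAA_OUT=0 # 1214
ALLOW_KPASSWD_IN=0 # 464
ALLOW_KPASSWD_OUT=0 # 464
ALLOW_KRB5_IN=0 # 88 Kerberos
ALLOW_KRB5_OUT=0 # 88 Kerberos
ALLOW_LDAP_IN=0 # 389
ALLOW_LDAP_OUT=0 # 389
ALLOW_LDAPS_IN=0 # 636 Secure LDAP
ALLOW_LDAPS_OUT=0 # 636 Secure LDAP
ALLOW_LINUX_CONF_IN=0 # 98
ALLOW_LINUX_CONF_OUT=0 # 98
ALLOW_LINUX_MOUNTD_BUG_IN=0 # 635
ALLOW_LINUX_MOUNTD_BUG_OUT=0 # 635
ALLOW_MS_EXCHANGE_IN=0 # 691
ALLOW_MS_EXCHANGE_OUT=0 # 691
ALLOW_MS_FILE_SERVER_FOR_MACINTOSH_IN=0 # 548 Enables Macintosh computer users to store and access files on a computer running Windows Server 2003.
ALLOW_MS_FILE_SERVER_FOR_MACINTOSH_OUT=0 # 548 Enables Macintosh computer users to store and access files on a computer running Windows Server 2003.
ALLOW_MS_FT_DS_IN=0 # 445
ALLOW_MS_FT_DS_OUT=0 # 445
ALLOW_MS_RPC_IN=0 # 135
ALLOW_MS_RPC_OUT=0 # 135
ALLOW_MS_RPC_OVER_HTTP_IN=0 # 593
ALLOW_MS_RPC_OVER_HTTP_OUT=0 # 593
ALLOW_MSSQL_IN=0 # 1433 MSSQL database
ALLOW_MSSQL_OUT=0 # 1433 MSSQL database
ALLOW_MSSQL_MONITOR_IN=0 # 1434 MSSQL monitor
ALLOW_MSSQL_MONITOR_OUT=0 # 1434 MSSQL monitor
ALLOW_MYSQL_IN=0 # 3306 MySQL database
ALLOW_MYSQL_OUT=0 # 3306 MySQL database
ALLOW_NC_IN=0 # 2030
ALLOW_NC_OUT=0 # 2030
ALLOW_NCP_IN=0 # 524
ALLOW_NCP_OUT=0 # 524
ALLOW_NETWORK_LOG_CLIENT_IN=0 # 1394
ALLOW_NETWORK_LOG_CLIENT_OUT=0 # 1394
ALLOW_NFS_IN=0 # 1025 (NOTE(review): NFS itself listens on 2049 — confirm which port is meant)
ALLOW_NFS_OUT=0 # 1025 (see above)
ALLOW_NNTP_IN=0 # 119 NNTP news
ALLOW_NNTP_OUT=0 # 119 NNTP news
ALLOW_NTP_IN=1 # 123
ALLOW_NTP_OUT=1 # 123
ALLOW_OPENVPN_IN=0 #
ALLOW_OPENVPN_OUT=0 #
ALLOW_PCANYWHERE_IN=0 # 5623
ALLOW_PCANYWHERE_OUT=0 # 5623
ALLOW_PC_SERVER_BACKDOOR_IN=0 # 600
ALLOW_PC_SERVER_BACKDOOR_OUT=0 # 600
ALLOW_PHASE_ZERO_IN=0 # 555
ALLOW_PHASE_ZERO_OUT=0 # 555
ALLOW_PING_IN=0 #
ALLOW_PING_OUT=1 #
ALLOW_PLESK_IN=0 # PLESK desktop
ALLOW_PLESK_OUT=0 # PLESK desktop
ALLOW_POP2_IN=0 # 109
ALLOW_POP2_OUT=0 # 109
ALLOW_POP3_IN=1 # 110
ALLOW_POP3_OUT=1 # 110
ALLOW_POP3S_IN=1 # 995
ALLOW_POP3S_OUT=1 # 995
ALLOW_POSTGRESQL_IN=0 #
ALLOW_POSTGRESQL_OUT=0 #
ALLOW_PRINT_IN=0 # 515 Allow printer port
ALLOW_PRINT_OUT=0 # 515 Allow printer port
ALLOW_REAL_SERVER_IN=0 # 554
ALLOW_REAL_SERVER_OUT=0 # 554
ALLOW_ROUTE_IN=0 # 520
ALLOW_ROUTE_OUT=0 # 520
ALLOW_RWHO_IN=0 # 513
ALLOW_RWHO_OUT=0 # 513
ALLOW_RWHOIS_IN=1 # 4321
ALLOW_RWHOIS_OUT=1 # 4321
ALLOW_SAMBA_IN=1 # 137=SMB Name, 138=SMB Data, 139=SMB Session
ALLOW_SAMBA_OUT=1 # 137=SMB Name, 138=SMB Data, 139=SMB Session
ALLOW_SGI_IRIX_TCPMUX_IN=0 # 1
ALLOW_SGI_IRIX_TCPMUX_OUT=0 # 1
ALLOW_SMTP_IN=1 # 25 Do NOT allow unencrypted SMTP! Use SMTPS instead. NOTE(review): set to 1 while ALLOW_SMTPS_IN is 0, contradicting this advice — confirm which is intended.
ALLOW_SMTP_OUT=1 # 25 Do NOT allow unencrypted SMTP! Use SMTPS instead. NOTE(review): same contradiction as above.
ALLOW_SMTPS_IN=0 # 465
ALLOW_SMTPS_OUT=0 # 465
ALLOW_SNMP_IN=0 # 161
ALLOW_SNMP_OUT=0 # 161
ALLOW_SOCKS5_IN=0 # 1080
ALLOW_SOCKS5_OUT=0 # 1080
ALLOW_SSH_IN=1 # 22
ALLOW_SSH_OUT=1 # 22
ALLOW_SQL_IN=0 # 1114
ALLOW_SQL_OUT=0 # 1114
ALLOW_SQUID_IN=0 # 3128 SQUID proxy
ALLOW_SQUID_OUT=0 # 3128 SQUID proxy
ALLOW_SUB7_IN=0 # 1243
ALLOW_SUB7_OUT=0 # 1243
ALLOW_SUBMISSION_IN=1 # 587
ALLOW_SUBMISSION_OUT=1 # 587
ALLOW_SUNRPC_IN=0 # 111 Also RPCbind
ALLOW_SUNRPC_OUT=0 # 111 Also RPCbind
ALLOW_SVN_IN=0 #
ALLOW_SVN_OUT=0 #
ALLOW_TELNET_IN=0 # 23
ALLOW_TELNET_OUT=0 # 23
ALLOW_TFTP_IN=0 # 69 Trivial FTP
ALLOW_TFTP_OUT=0 # 69 Trivial FTP
ALLOW_TIME_IN=0 # 37
ALLOW_TIME_OUT=0 # 37
ALLOW_TIME_SERVER_IN=0 # 525
ALLOW_TIME_SERVER_OUT=0 # 525
ALLOW_TOMCAT_IN=0 # 9080
ALLOW_TOMCAT_OUT=0 # 9080
ALLOW_TOR_OUT=0 #
# Traceroute: IN was assigned 0 and then re-assigned 1 further down the list;
# the later value (1) is what took effect and is kept here.
# NOTE(review): confirm 1 is really intended for incoming traceroute.
ALLOW_TRACEROUTE_IN=1 #
ALLOW_TRACEROUTE_OUT=1 #
ALLOW_UNIX_SYSSTAT_IN=0 # 11
ALLOW_UNIX_SYSSTAT_OUT=0 # 11
ALLOW_UPNP_IN=0 # 2869 Universal Plug and Play
ALLOW_UPNP_OUT=0 # 2869 Universal Plug and Play
ALLOW_WEBLOGIN_IN=1 # 2054 Needed for sharing
ALLOW_WEBLOGIN_OUT=0 # 2054 Needed for sharing
ALLOW_WHOIS_IN=1 # 43 See also RWHOIS
ALLOW_WHOIS_OUT=1 # 43 See also RWHOIS
ALLOW_WINDOWS_MESSAGE_IN=0 # 1026, 1027
ALLOW_WINDOWS_MESSAGE_OUT=0 # 1026, 1027 (was a duplicated _IN line; every other service has an _OUT switch)
ALLOW_XDMCP_IN=0 # 177
ALLOW_XDMCP_OUT=0 # 177
ALLOW_XWINDOWS_IN=0 #
ALLOW_XWINDOWS_OUT=0 #
ALLOW_XWINDOWS_FONTSERVER_IN=0 #
ALLOW_XWINDOWS_FONTSERVER_OUT=0 #
BLOCK_AKAMAI=1 # drop RANGE_AKAMAI (see below)
BLOCK_BROADCASTS=1 #
BLOCK_BRUTE_FORCE_ATTACKS=1 # uses the CONNECTION_MAX_*/LIMIT_*/TIMEOUT_* tables below
BLOCK_CONNECTIONS_COUNT=1 #
BLOCK_DROPBOX_LAN_SYNC_BROADCASTS=1 # PORTS_DROPBOX_LAN_SYNC_BROADCASTS
BLOCK_FACEBOOK=0 #
BLOCK_FLOODS=1 # uses the LIMIT_* values below
BLOCK_SAMBA_WITHOUT_LOGGING=0 #
BLOCK_OVERSIZE_ICMP_PACKETS=1 #
BLOCK_VIRUSES=1 #
DO_BAD_PACKETS_LAST=0 # Less logging
DO_KERNEL_SECURE=1 # Set various kernel network protection on (the PROC_SYSCTL_* switches below)
DO_LOG_SCANS=1 # if 1 will log well known scans whilst dropping them
DO_MASQUERADE=0 # if 0 will use SNAT / DNAT
DO_PORT_KNOCKING=0 # if 1 will allow Port Knocking (PORT_KNOCK_* below)
DO_QUICK_NTP=0 # if 1 will allow NTP in without any checks
DO_QUOTA=0 # If 1 then will switch on quota checking (QUOTA_LIMIT_* below)
DO_REJECT_INSTEAD_OF_DROP=0 # Reject instead of drop
DO_STEALTH_ALL_IN=0 # Stealth all incoming
DO_WHITELISTING=0 # Dangerous if made a 1 (TRUSTED_HOSTS below)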
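#
#*********************************************************
#
# /proc sysctl settings
#
# Only applied when DO_KERNEL_SECURE=1.  Each comment names the /proc entry
# and the value the kernel configuration section below writes for it.
#
PROC_SYSCTL_IP_FORWARD=1 # ip_forward=1: route between interfaces; needed for NAT/forwarding
PROC_SYSCTL_BLOCK_ALL_PINGS_IN=1 # icmp_echo_ignore_all=1: ignore every incoming ping (written as 0 when this is 0)
PROC_SYSCTL_BLOCK_BROADCAST_PINGS_IN=1 # icmp_echo_ignore_broadcasts=1: don't respond to broadcast pings (smurf)
PROC_SYSCTL_ICMP_ERROR_MESG=1 # icmp_ignore_bogus_error_responses=1: protect against bogus error messages
PROC_SYSCTL_LOG_MARTIANS=1 # log_martians=1 on every interface: log packets with impossible addresses
PROC_SYSCTL_IP_SPOOFING=1 # rp_filter on every interface: reverse-path (source address) verification
PROC_SYSCTL_REDUCE_DOS=1 # tcp_fin_timeout=30, tcp_keepalive_time=2400, window scaling and SACK off; reduces the possibility of a DoS
PROC_SYSCTL_SYN_COOKIES=1 # tcp_syncookies=1: SYN flood protection
PROC_SYSCTL_TIME_STAMPS=1 # tcp_timestamps=0: TCP timestamps are switched OFF when this is 1
PROC_SYSCTL_SOURCE_ROUTED=1 # accept_source_route=0 on every interface: ignore source routed packets
PROC_SYSCTL_ACCEPT_REDIRECTS=1 # accept_redirects=0 on every interface: ignore ICMP redirects
PROC_SYSCTL_SEND_REDIRECTS=1 # send_redirects=0 on every interface: never send ICMP redirects
PROC_SYSCTL_SECURE_REDIRECTS=1 # secure_redirects=1 on every interface: only accept redirects from known gateways
PROC_SYSCTL_DISABLE_BOOTP_RELAY=1 # bootp_relay=0 on every interface
PROC_SYSCTL_DISABLE_PROXY_ARP=1 # proxy_arp=0 on every interface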
#
#*********************************************************
# Trusted hosts
#
# Hosts that are auto allowed into the system if WhiteListing is allowed
# (presumably DO_WHITELISTING=1 above).  Comma separated lists.
#
TRUSTED_HOSTS='192.168.0.10'
UNTRUSTED_HOSTS='123.123.123.123,134.134.134.134'
#UNTRUSTED_HOSTS="123.123.123.123,www.facebook.com"
#
#*********************************************************
# Port Knocking
#
# Port knocking is a method of externally opening ports on a firewall by
# generating a connection attempt on a set of prespecified closed ports.
#
# Once a correct sequence of connection attempts is received, the firewall
# rules are dynamically modified to allow the host which sent the connection
# attempts to connect over specific port(s).
#
# Knock sequence (in order), then the port that gets opened.
PORT_KNOCK_1='3456'
PORT_KNOCK_2='4567'
PORT_KNOCK_3='1234'
PORT_KNOCK_ALLOW='22'
#
#*********************************************************
# Websites to stop
#
#WEB_FACEBOOK="facebook.com"
#
#*********************************************************
# Connection limits
#
# Against brute-force attacks.  Row N pairs CONNECTION_MAX_N new connections
# within CONNECTION_LIMIT_N seconds; the timeout applied grows with the
# number of offences:
#
#              4/1min   5/3min   10/10min  25/20min  50/40min ...
# Offense #1   10 min   30 min   1 hour    2 hours   3 hours
# Offense #2   30 min   1 hour   2 hours   3 hours   6 hours
# Offense #3   1 hour   2 hours  3 hours   6 hours   1 day
# Offense #4   2 hours  3 hours  6 hours   1 day     1 week
# Offense #5   3 hours  6 hours  1 day     1 week    1 month
# Offense #6   6 hours  1 day    1 week    1 month   1 month
# Offense #7   1 day    1 week   1 month   1 month   1 month
# Offense #8   1 week   1 month  1 month   1 month   1 month
# Offense #9   1 month  1 month  1 month   1 month   1 month
#
# Maximum number of connections per window.
CONNECTION_MAX_1=4
CONNECTION_MAX_2=5
CONNECTION_MAX_3=10
CONNECTION_MAX_4=25
CONNECTION_MAX_5=50
CONNECTION_MAX_6=75
CONNECTION_MAX_7=100
CONNECTION_MAX_8=200
CONNECTION_MAX_9=255
#
# Window length, seconds.
CONNECTION_LIMIT_1=60      # 1 minute
CONNECTION_LIMIT_2=180     # 3 minutes
CONNECTION_LIMIT_3=600     # 10 minutes
CONNECTION_LIMIT_4=1200    # 20 minutes
CONNECTION_LIMIT_5=2400    # 40 minutes
CONNECTION_LIMIT_6=3600    # 1 hour
CONNECTION_LIMIT_7=7200    # 2 hours
CONNECTION_LIMIT_8=10800   # 3 hours
CONNECTION_LIMIT_9=21600   # 6 hours
#
# Offence timeouts, seconds.
CONNECTION_TIMEOUT_1=600      # 10 minutes
CONNECTION_TIMEOUT_2=1800     # 30 minutes
CONNECTION_TIMEOUT_3=3600     # 1 hour
CONNECTION_TIMEOUT_4=7200     # 2 hours
CONNECTION_TIMEOUT_5=10800    # 3 hours
CONNECTION_TIMEOUT_6=21600    # 6 hours
CONNECTION_TIMEOUT_7=86400    # 1 day
CONNECTION_TIMEOUT_8=604800   # 1 week
CONNECTION_TIMEOUT_9=2635200  # 732 hours (30.5 days, "1 month")
#*********************************************************
# Log limit
#
# syslog level for LOG targets (7 = debug, the level the commented LOG line
# below used).
LOG_LEVEL=7
#LOG="LOG --log-level debug --log-tcp-sequence --log-tcp-options"
#LOG="$LOG --log-ip-options"
#LOG="--log-ip-options --log-tcp-options
#
#*********************************************************
# String Search Algorithm
#
# For "-m string --algo": bm = Boyer-Moore, kmp = Knuth-Morris-Pratt.
STRING_ALGO=bm
STRING_ALGO2=kmp
#
#*********************************************************
# Quota limits, in bytes (2147483648 = 2 GB).
#
QUOTA_LIMIT_TCP=2147483648
QUOTA_LIMIT_UDP=2147483648
QUOTA_LIMIT_ICMP=2147483648
#
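#*********************************************************
# DNS limits
#
# Rate limit DNS queries to an average of 5 per second without needing any
# buffer space changes: at most DNS_TOTAL_REQUESTS (35) queries within a
# DNS_TIMEOUT (7 second) window, with a burst of DNS_BURST (15) allowed in any
# single second so that a first-second burst is not rejected.
#
# Window length, seconds.
DNS_TIMEOUT="7"
# Burst allowed per second.
DNS_BURST="15"
# Total requests allowed per window (5/s * 7 s).
DNS_TOTAL_REQUESTS="35"
#
#*********************************************************
# Flooding limits
#
# Generic per-second limit.
LIMIT_PER_SECOND="4"
#
# Maximum number of SYN connections.
LIMIT_SYN_MAX="9"
#
# Rate / burst for SYN-flood detection.
LIMIT_SYN="5/s"
LIMIT_SYN_BURST="10"
#
# Rate / burst for logging in the logging chains.
LIMIT_LOG="2/s"
LIMIT_LOG_BURST="10"
#
# Rate / burst for TCP-flood detection.
LIMIT_TCP="5/s"
LIMIT_TCP_BURST="10"
#
# Rate / burst for UDP-flood detection (the burst was previously mislabelled
# as the TCP burst).
LIMIT_UDP="5/s"
LIMIT_UDP_BURST="10"
#
# Rate / burst for ping-flood detection.
LIMIT_PING="5/s"
LIMIT_PING_BURST="10"
#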
#**************************************************
#********** Do not edit beyond this line **********
#**************************************************
#
# IP Mask for all IP addresses
PORTS_UNIVERSE="0.0.0.0/0"
PORTS_BROADCAST="255.255.255.255"
#
#
# Ports for Dropbox Lan Sync Broadcasts
PORTS_DROPBOX_LAN_SYNC_BROADCASTS="17500"
#
#
# Ports for IRC-Connection-Tracking
PORTS_IRC="6665,6666,6667,6668,6669,7000"
#
#
# Ports for TOR
# (http://tor.eff.org)
PORTS_TOR="9001,9002,9030,9031,9090,9091"
#
#
# Ports for traceroute
PORTS_TRACEROUTE_SRC="32769:65535"
PORTS_TRACEROUTE_DEST="33434:33523"
#
#
# Specification of the high unprivileged IP ports.
PORTS_UNPRIV="1024:65535"
PORTS_PSSH="1000:1023"
#
#
# Specification of X Window System (TCP)
PORTS_XWIN="6000:6063"
#
#*********************************************************
# AKAMAI·
#
# http://www.matveev.se/net/akamai.htm
#
RANGE_AKAMAI="2.16.0.0/13,2.23.144.0/20,23.0.0.0/12,23.32.0.0/11,23.64.0.0/14,62.115.0.0/16,72.246.0.0/15,80.239.128.0/19"
RANGE_AKAMAI="$RANGE_AKAMAI,80.239.160.0/19,80.239.192.0/19,80.239.224.0/19,84.53.168.0/22,88.221.176.0/21,96.6.0.0/15"
RANGE_AKAMAI="$RANGE_AKAMAI,96.16.0.0/15,217.208.0.0/13,74.125.0.0/16,173.194.0.0/16,209.85.128.0/17"
#*********************************************************
# IANA RESERVED·
#
RANGE_IANA_RESERVED="0.0.0.0/7,2.0.0.0/8,5.0.0.0/8,7.0.0.0/8,10.0.0.0/8,23.0.0.0/8,27.0.0.0/8,31.0.0.0/8,36.0.0.0/7,39.0.0.0/8"
RANGE_IANA_RESERVED="$RANGE_IANA_RESERVED,42.0.0.0/8,49.0.0.0/8,50.0.0.0/8,77.0.0.0/8,78.0.0.0/7,92.0.0.0/6,96.0.0.0/4,112.0.0.0/5"
RANGE_IANA_RESERVED="$RANGE_IANA_RESERVED,120.0.0.0/8,169.254.0.0/16,172.16.0.0/12,173.0.0.0/8,174.0.0.0/7,176.0.0.0/5,184.0.0.0/6"
RANGE_IANA_RESERVED="$RANGE_IANA_RESERVED,192.0.2.0/24,197.0.0.0/8,198.18.0.0/15,223.0.0.0/8,224.0.0.0/3"
#
#*********************************************************
# Mitigate ARP spoofing/poisoning and similar attacks.
#------------------------------------------------------------------------------
# Hardcode static ARP cache entries here
# $ARP -s IP-ADDRESS MAC-ADDRESS
#
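#*********************************************************
# Delete all existing rules and user-defined chains in every table, so the
# rule set is built from a known-empty state and a re-run does not duplicate
# rules.  The raw table is included here: it was named in the comment but
# never reset, so anything left in raw survived a reload.  (iptable_raw is
# loaded on this host, see the lsmod output earlier on this page; without it
# the raw lines only print an error.)
#
for table in filter nat mangle raw; do
  $IPTABLES -t "$table" -F
  $IPTABLES -t "$table" -X
done
#
# Zero all packets and counters.
#
for table in filter nat mangle raw; do
  $IPTABLES -t "$table" -Z
done
#
# Set Policies
# By default drop everything in all three directions: INPUT, FORWARD and
# OUTPUT are DROP, so traffic this host sends must also be explicitly
# allowed by the rules that follow.
#
$IPTABLES -P INPUT DROP
$IPTABLES -P FORWARD DROP
$IPTABLES -P OUTPUT DROP
#
# The nat/mangle/raw tables' built-in chains pass everything.
for chain in PREROUTING OUTPUT POSTROUTING; do
  $IPTABLES -t nat -P "$chain" ACCEPT
done
for chain in PREROUTING INPUT FORWARD OUTPUT POSTROUTING; do
  $IPTABLES -t mangle -P "$chain" ACCEPT
done
for chain in PREROUTING OUTPUT; do
  $IPTABLES -t raw -P "$chain" ACCEPT
done
#
# Broadcast blocking, kept disabled.  NOTE(review): as written the first rule
# has no "-j", and the interface was given as the literal INET_IFACE rather
# than $INET_IFACE; fix both before enabling.
#if [ "$BLOCK_BROADCASTS" -eq 1 ]; then
#  $IPTABLES -A INPUT -d $INET_BCAST -i $INET_IFACE -j DROP
#  $IPTABLES -A INPUT -d 192.168.255.255 -i $INET_IFACE -j DROP
#  $IPTABLES -A INPUT -d 255.255.255.255 -i $INET_IFACE -j DROP
#  $IPTABLES -A INPUT -m pkttype --pkt-type broadcast -j DROP
#fi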
#*********************************************************
#
# Kernel configuration.
# For details see:
# * http://www.securityfocus.com/infocus/1711
# * http://www.linuxgazette.com/issue77/lechnyr.html
# * http://ipsysctl-tutorial.frozentux.net/chunkyhtml/index.html
# * /usr/src/linux/Documentation/filesystems/proc.txt
# * /usr/src/linux/Documentation/networking/ip-sysctl.txt
#
# Save these settings in the /etc/sysctl.conf file to make it permanent
#
#------------------------------------------
if [ $DO_KERNEL_SECURE -eq 1 ]
then
#------------------------------------------
# Allow port forwarding - Enable IP NAT in the Linux kernel
#
#echo 1 > /proc/sys/net/ipv4/ip_forward
if [ $PROC_SYSCTL_IP_FORWARD -eq 1 ] ; then
if [ -f /proc/sys/net/ipv4/ip_forward ] ; then
echo 1 > /proc/sys/net/ipv4/ip_forward
echo " ip_forward activated"
fi
fi
#
#------------------------------------------
# Disabling IP Spoofing
#
#echo 2 > /proc/sys/net/ipv4/conf/all/rp_filter
if [ $PROC_SYSCTL_IP_SPOOFING -eq 1 ] ; then
if [ -f /proc/sys/net/ipv4/conf/all/rp_filter ] ; then
echo "2" > /proc/sys/net/ipv4/conf/all/rp_filter
echo " .....Blocking IP spoofing attacks"
fi
#
#------------------------------------------
# Enable IP spoofing protection (i.e. source address verification).
# Note: This is special, as it seems to only be enabled if you set
# */all/rp_filter AND */eth0/rp_filter (for example) to 1! Setting only
# */all/rp_filter alone does _not_ suffice, which is pretty counter-intuitive.
#
# Turn on reverse path filtering. This helps make sure that packets use·
# legitimate source addresses, by automatically rejecting incoming packets·
# if the routing table entry for their source address doesn't match the·
# network interface they're arriving on. This has security advantages because
# it prevents so-called IP spoofing, however it can pose problems if you use·
# asymmetric routing (packets from you to a host take a different path than·
# packets from that host to you) or if you operate a non-routing host which·
# has several IP addresses on different interfaces.·
# (Note - If you turn on IP forwarding, you will also get this).
#
for i in /proc/sys/net/ipv4/conf/*/rp_filter; do echo 1 > $i; done
#
fi
#
#------------------------------------------
# Ignore all incoming ICMP echo requests (i.e. disable ping).
# Usually not a good idea, as some protocols and users need/want this.
# echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_all
#
if [ $PROC_SYSCTL_BLOCK_ALL_PINGS_IN -eq 1 ]
then
#echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_all
if [ -f /proc/sys/net/ipv4/icmp_echo_ignore_all ] ; then
echo "1" > /proc/sys/net/ipv4/icmp_echo_ignore_all
echo " .....Blocking all incoming pings from everywhere"
fi
else
#echo 0 > /proc/sys/net/ipv4/icmp_echo_ignore_all
if [ -f /proc/sys/net/ipv4/icmp_echo_ignore_all ] ; then
echo "0" > /proc/sys/net/ipv4/icmp_echo_ignore_all
echo " .....Allowing all incoming pings from everywhere"
fi
fi
#
#------------------------------------------
# Don't respond to broadcast pings
# Ignore ICMP echo requests to broadcast/multicast addresses. We do not
# want to participate in smurf (and similar) DoS attacks.
# For details see: http://en.wikipedia.org/wiki/Smurf_attack.
#
if [ $PROC_SYSCTL_BLOCK_BROADCAST_PINGS_IN -eq 1 ]
then
#echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
if [ -f /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts ]; then
echo "1" > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
echo " .....Blocking all broadcast pings"
fi
else
#echo 0 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
if [ -f /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts ]; then
echo "0" > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
echo " .....Allowing all broadcast pings"
fi
fi
#
#------------------------------------------
# Disable multicast routing. Should not be needed, usually.
# TODO: This throws an "Operation not permitted" error. Why?
#
# The proc entry containing that value is read-only, and cannot be made writable easily.
#
#for i in /proc/sys/net/ipv4/conf/*/mc_forwarding; do echo 0 > $i; done
#
#------------------------------------------
# Protect against SYN flood attacks (see http://cr.yp.to/syncookies.html).
#
#echo 1 > /proc/sys/net/ipv4/tcp_syncookies
if [ $PROC_SYSCTL_SYN_COOKIES -eq 1 ] ; then
if [ -e /proc/sys/net/ipv4/tcp_syncookies ] ; then
echo "1" > /proc/sys/net/ipv4/tcp_syncookies
echo " .....TCP syn cookies protection enabled"
fi
fi
#
#------------------------------------------
# Kill timestamps
#
#echo 0 > /proc/sys/net/ipv4/tcp_timestamps
if [ $PROC_SYSCTL_TIME_STAMPS -eq 1 ] ; then
if [ -e /proc/sys/net/ipv4/tcp_timestamps ] ; then
echo "0" > /proc/sys/net/ipv4/tcp_timestamps
echo " .....TCP timestamps protection enabled"
fi
fi
#
#------------------------------------------
# Block source routing
#
# Don't accept source routed packets. Attackers can use source routing·
# to generate traffic pretending to be from inside your network, but·
# which is routed back along the path from which it came, namely outside,·
# so attackers can compromise your network. Source routing is rarely·
# used for legitimate purposes.
#
#echo 0 > /proc/sys/net/ipv4/conf/all/accept_source_route
if [ $PROC_SYSCTL_SOURCE_ROUTED -eq 1 ] ; then
if [ -e /proc/sys/net/ipv4/conf/all/accept_source_route ] ; then
echo "0" > /proc/sys/net/ipv4/conf/all/accept_source_route
echo " .....Ignore source routed packets"
fi
#
#------------------------------------------
# Don't accept source routed packets.
#
for i in /proc/sys/net/ipv4/conf/*/accept_source_route; do echo 0 > $i; done
#
fi
#
#------------------------------------------
# Kill redirects
#
# Disable ICMP redirect acceptance. ICMP redirects can be used to alter·
# your routing tables, possibly to a bad end.
#
#echo 0 > /proc/sys/net/ipv4/conf/all/accept_redirects
#echo 0 > /proc/sys/net/ipv4/conf/all/send_redirects
if [ $PROC_SYSCTL_ACCEPT_REDIRECTS -eq 1 ] ; then
if [ -e /proc/sys/net/ipv4/conf/all/accept_redirects ]; then
echo "0" > /proc/sys/net/ipv4/conf/all/accept_redirects
echo " .....Ignore accept redirected packets"
fi
for i in /proc/sys/net/ipv4/conf/*/accept_redirects; do echo 0 > $i; done
fi
#
if [ $PROC_SYSCTL_SEND_REDIRECTS -eq 1 ] ; then
if [ -e /proc/sys/net/ipv4/conf/all/send_redirects ]; then
echo "0" > /proc/sys/net/ipv4/conf/all/send_redirects
echo " .....Ignore send redirected packets"
fi
for i in /proc/sys/net/ipv4/conf/*/send_redirects; do echo 0 > $i; done
fi
#
#------------------------------------------
# Don't accept or send ICMP redirects.
#
#for i in /proc/sys/net/ipv4/conf/*/accept_redirects; do echo 0 > $i; done
#for i in /proc/sys/net/ipv4/conf/*/send_redirects; do echo 0 > $i; done
#
#------------------------------------------
# Enable secure redirects, i.e. only accept ICMP redirects for gateways
# listed in the default gateway list. Helps against MITM attacks.
#
#for i in /proc/sys/net/ipv4/conf/*/secure_redirects; do echo 1 > $i; done
if [ $PROC_SYSCTL_SECURE_REDIRECTS -eq 1 ] ; then
for i in /proc/sys/net/ipv4/conf/*/secure_redirects; do echo 1 > $i; done
fi
#
#
#------------------------------------------
# Enable bad error message protection
# Don't log invalid responses to broadcast frames, they just clutter the logs.
#
#echo 1 > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses
if [ $PROC_SYSCTL_ICMP_ERROR_MESG -eq 1 ] ; then
if [ -f /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses ]; then
echo "1" > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses
echo " .....Enable error message protection"
fi
fi
#
#------------------------------------------
# Log martians
#
# Log packets with impossible addresses
# Log spoofed packets, source routed packets, redirect packets.
#
#echo 1 > /proc/sys/net/ipv4/conf/all/log_martians
if [ $PROC_SYSCTL_LOG_MARTIANS -eq 1 ] ; then
if [ -f /proc/sys/net/ipv4/conf/all/log_martians ] ; then
echo "1" > /proc/sys/net/ipv4/conf/all/log_martians
echo " .....Logging packets with impossible addresses"
fi
#
#------------------------------------------
# Log packets with impossible addresses.
#
for i in /proc/sys/net/ipv4/conf/*/log_martians; do echo 1 > $i; done
#
fi
#
#------------------------------------------
# Disable bootp_relay. Should not be needed, usually.
#
if [ $PROC_SYSCTL_DISABLE_BOOTP_RELAY -eq 1 ] ; then
for i in /proc/sys/net/ipv4/conf/*/bootp_relay; do echo 0 > $i; done
fi
#
#------------------------------------------
# Disable proxy_arp. Should not be needed, usually.
#
if [ $PROC_SYSCTL_DISABLE_PROXY_ARP -eq 1 ] ; then
for i in /proc/sys/net/ipv4/conf/*/proxy_arp; do echo 0 > $i; done
fi
#
#------------------------------------------
# TODO: These may mitigate ARP poisoning attacks?
# /proc/sys/net/ipv4/neigh/*/locktime
# /proc/sys/net/ipv4/neigh/*/gc_stale_time
# TODO: Check rest of /usr/src/linux/Documentation/networking/ip-sysctl.txt.
# Are there any security-relevant options I missed? Check especially:
# icmp_ratelimit, icmp_ratemask, icmp_errors_use_inbound_ifaddr, arp_*.
#
#------------------------------------------
# Set out local port range
#
#echo "32768 61000" > /proc/sys/net/ipv4/ip_local_port_range
#
#------------------------------------------
# Reduce timeouts for DoS protection
#
#echo 30 > /proc/sys/net/ipv4/tcp_fin_timeout
#
#------------------------------------------
# Other
#
#echo 2400 > /proc/sys/net/ipv4/tcp_keepalive_time
#echo 0 > /proc/sys/net/ipv4/tcp_window_scaling
#echo 0 > /proc/sys/net/ipv4/tcp_sack
#
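# TCP tuning applied when PROC_SYSCTL_REDUCE_DOS=1.
# Unlike the blocks above, the original wrote these files unconditionally;
# each write is now guarded by an existence check and the toggle is
# quoted/defaulted, matching the other sysctl blocks.
# NOTE(review): only the two timeouts reduce resource exhaustion (sockets are
# reaped sooner). Turning off window scaling and SACK does not reduce DoS
# exposure; it mainly lowers throughput on high-latency links. They are kept
# as written, but reconsider them before relying on this block.
if [ "${PROC_SYSCTL_REDUCE_DOS:-0}" -eq 1 ]; then
if [ -f /proc/sys/net/ipv4/tcp_fin_timeout ]; then
echo "30" > /proc/sys/net/ipv4/tcp_fin_timeout
fi
if [ -f /proc/sys/net/ipv4/tcp_keepalive_time ]; then
echo "2400" > /proc/sys/net/ipv4/tcp_keepalive_time
fi
if [ -f /proc/sys/net/ipv4/tcp_window_scaling ]; then
echo "0" > /proc/sys/net/ipv4/tcp_window_scaling
fi
if [ -f /proc/sys/net/ipv4/tcp_sack ]; then
echo "0" > /proc/sys/net/ipv4/tcp_sack
fi
echo " .....Denial of Service Reduction Measures"
fi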
#
fi
#
#*********************************************************
#
# Completely disable IPv6 at the packet-filter level.
#
# Block all IPv6 traffic
#
#------------------------------------------
# If the ip6tables command is available, try to block all IPv6 traffic.
#
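# Reset ip6tables to a deny-all state. Runs only when $IP6TABLES names an
# executable; the expansion is quoted (the original was not) and defaulted
# to the empty string so an unset variable simply skips the block.
# Errors are silenced because the IPv6 modules may be absent.
if test -x "${IP6TABLES:-}"; then
#------------------------------------------
# Set the default policies.
# Drop everything.
# NOTE(review): OUTPUT DROP also drops IPv6 loopback (::1) traffic, which can
# break local services that bind to ::1; add lo ACCEPT rules if that is needed.
"$IP6TABLES" -P INPUT DROP 2>/dev/null
"$IP6TABLES" -P FORWARD DROP 2>/dev/null
"$IP6TABLES" -P OUTPUT DROP 2>/dev/null
#------------------------------------------
# The mangle table can pass everything; filtering happens in the filter table.
"$IP6TABLES" -t mangle -P PREROUTING ACCEPT 2>/dev/null
"$IP6TABLES" -t mangle -P INPUT ACCEPT 2>/dev/null
"$IP6TABLES" -t mangle -P FORWARD ACCEPT 2>/dev/null
"$IP6TABLES" -t mangle -P OUTPUT ACCEPT 2>/dev/null
"$IP6TABLES" -t mangle -P POSTROUTING ACCEPT 2>/dev/null
#------------------------------------------
# Delete all rules (policies are set first, so no window with an open ruleset).
"$IP6TABLES" -F 2>/dev/null
"$IP6TABLES" -t mangle -F 2>/dev/null
#------------------------------------------
# Delete all user-defined chains.
"$IP6TABLES" -X 2>/dev/null
"$IP6TABLES" -t mangle -X 2>/dev/null
#------------------------------------------
# Zero all packet and byte counters.
"$IP6TABLES" -Z 2>/dev/null
"$IP6TABLES" -t mangle -Z 2>/dev/null
fi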
#------------------------------------------
# Shellshock
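# Shellshock: drop packets whose payload contains the literal bytes "() {"
# (hex 28 29 20 7B), the marker that Shellshock payloads start with.
# The original appended this rule twice and did so outside the "-x" guard
# above, so it failed when ip6tables was absent; it is now added once and
# only when ip6tables is executable.
# Limitations: a payload match is a crude filter - it also drops legitimate
# traffic that happens to carry that string, and it cannot see inside TLS.
# It is redundant while the INPUT policy above is DROP with no ACCEPT rules,
# but is kept so the rule survives if IPv6 is opened up later.
# NOTE(review): this is ip6tables only; if IPv4 should be covered as well, a
# matching $IPTABLES rule is needed - confirm the intent.
if test -x "${IP6TABLES:-}"; then
"$IP6TABLES" -A INPUT -m string --algo bm --hex-string '|28 29 20 7B|' -j DROP
fi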
#*********************************************************
#
# Create the chains
#
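# Create the user-defined chains that the rest of the script populates.
# Optional chains are created only when their feature toggle is 1; the
# toggles are quoted and defaulted to 0 so an unset variable skips the
# chain instead of producing a "[: -eq: unary operator expected" error.
$IPTABLES -N IANA_RESERVED
$IPTABLES -N BAD_PACKETS
$IPTABLES -N BAD_TCP_PACKETS
if [ "${DO_WHITELISTING:-0}" -eq 1 ]; then
$IPTABLES -N WHITELIST
fi
if [ "${DO_PORT_KNOCKING:-0}" -eq 1 ]; then
$IPTABLES -N PORT_KNOCK
$IPTABLES -N PORT_KNOCK_STAGE1
$IPTABLES -N PORT_KNOCK_STAGE2
$IPTABLES -N PORT_KNOCK_STAGE3
fi
$IPTABLES -N PRIVATE_PACKETS
$IPTABLES -N BLACKLIST
# Brute-force handling uses nine ATTACKED*/BAN* stages; all are created here.
if [ "${BLOCK_BRUTE_FORCE_ATTACKS:-0}" -eq 1 ]; then
$IPTABLES -N ATTACK
$IPTABLES -N ATTACK2
$IPTABLES -N ATTACK_CHECK
for n in 1 2 3 4 5 6 7 8 9; do
$IPTABLES -N "ATTACKED$n"
done
for n in 1 2 3 4 5 6 7 8 9; do
$IPTABLES -N "BAN$n"
done
fi
if [ "${BLOCK_FLOODS:-0}" -eq 1 ]; then
$IPTABLES -N FLOODS
fi
if [ "${BLOCK_VIRUSES:-0}" -eq 1 ]; then
$IPTABLES -N VIRUS
fi
if [ "${DO_LOG_SCANS:-0}" -eq 1 ]; then
$IPTABLES -N SCANS
fi
$IPTABLES -N ICMP_IN
$IPTABLES -N ICMP_OUT
$IPTABLES -N TCP_IN
$IPTABLES -N TCP_OUT
$IPTABLES -N UDP_IN
$IPTABLES -N UDP_OUT
$IPTABLES -N NO_LOGGING
if [ "${DO_QUOTA:-0}" -eq 1 ]; then
$IPTABLES -N QUOTA
fi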
#
#*********************************************************
# Check Quotas
#
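# Populate the QUOTA chain when DO_QUOTA=1.
# Each protocol is returned to the caller until its byte budget
# (QUOTA_LIMIT_TCP/UDP/ICMP) is used up; anything beyond that is
# rate-limited into the log and dropped.
# The toggle is quoted/defaulted to 0 and every substituted value is quoted
# so that an empty value reaches iptables as one (rejected) argument rather
# than silently shifting the option that follows it.
if [ "${DO_QUOTA:-0}" -eq 1 ]; then
$IPTABLES -A QUOTA -p tcp -m quota --quota "$QUOTA_LIMIT_TCP" -j RETURN
$IPTABLES -A QUOTA -p udp -m quota --quota "$QUOTA_LIMIT_UDP" -j RETURN
$IPTABLES -A QUOTA -p icmp -m quota --quota "$QUOTA_LIMIT_ICMP" -j RETURN
$IPTABLES -A QUOTA -m limit --limit "$LIMIT_LOG" --limit-burst "$LIMIT_LOG_BURST" -j LOG --log-level "$LOG_LEVEL" --log-prefix "IPT=QUOTA a=DROP "
$IPTABLES -A QUOTA -j DROP
fi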
#
#*********************************************************
# Filter IANA RESERVED
#
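# Log (rate-limited) and drop traffic from the ranges in RANGE_IANA_RESERVED.
# The range is quoted so it is passed to iptables as a single argument.
# NOTE(review): keep RANGE_IANA_RESERVED current. The commented-out per-/8
# list that follows predates IPv4 address exhaustion; most of those blocks
# have since been allocated and are in public use, so re-enabling it would
# drop legitimate traffic. Prefer a maintained bogon list.
$IPTABLES -A IANA_RESERVED -s "$RANGE_IANA_RESERVED" -m limit --limit "$LIMIT_LOG" --limit-burst "$LIMIT_LOG_BURST" -j LOG --log-level "$LOG_LEVEL" --log-prefix "IPT=IANA_RESERVED a=DROP "
$IPTABLES -A IANA_RESERVED -s "$RANGE_IANA_RESERVED" -j DROP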
#$IPTABLES -A IANA_RESERVED -s 0.0.0.0/7 -j DROP
#$IPTABLES -A IANA_RESERVED -s 2.0.0.0/8 -j DROP
#$IPTABLES -A IANA_RESERVED -s 5.0.0.0/8 -j DROP
#$IPTABLES -A IANA_RESERVED -s 7.0.0.0/8 -j DROP
#$IPTABLES -A IANA_RESERVED -s 10.0.0.0/8 -j DROP
#$IPTABLES -A IANA_RESERVED -s 23.0.0.0/8 -j DROP
#$IPTABLES -A IANA_RESERVED -s 27.0.0.0/8 -j DROP
#$IPTABLES -A IANA_RESERVED -s 31.0.0.0/8 -j DROP
#$IPTABLES -A IANA_RESERVED -s 36.0.0.0/7 -j DROP
#$IPTABLES -A IANA_RESERVED -s 39.0.0.0/8 -j DROP
#$IPTABLES -A IANA_RESERVED -s 42.0.0.0/8 -j DROP
#$IPTABLES -A IANA_RESERVED -s 49.0.0.0/8 -j DROP
#$IPTABLES -A IANA_RESERVED -s 50.0.0.0/8 -j DROP
#$IPTABLES -A IANA_RESERVED -s 77.0.0.0/8 -j DROP
#$IPTABLES -A IANA_RESERVED -s 78.0.0.0/7 -j DROP
#$IPTABLES -A IANA_RESERVED -s 92.0.0.0/6 -j DROP
#$IPTABLES -A IANA_RESERVED -s 96.0.0.0/4 -j DROP
#$IPTABLES -A IANA_RESERVED -s 112.0.0.0/5 -j DROP
#$IPTABLES -A IANA_RESERVED -s 120.0.0.0/8 -j DROP
#$IPTABLES -A IANA_RESERVED -s 169.254.0.0/16 -j DROP
#$IPTABLES -A IANA_RESERVED -s 172.16.0.0/12 -j DROP
#$IPTABLES -A IANA_RESERVED -s 173.0.0.0/8 -j DROP
#$IPTABLES -A IANA_RESERVED -s 174.0.0.0/7 -j DROP
#$IPTABLES -A IANA_RESERVED -s 176.0.0.0/5 -j DROP
#$IPTABLES -A IANA_RESERVED -s 184.0.0.0/6 -j DROP