Table of Contents

Ubuntu - iptables - Firewall

Verify the IPTables package is installed

dpkg --list | grep iptables

returns:

ii  iptables                            1.6.0-2ubuntu3                      amd64        administration tools for packet filtering and NAT

Verify the Kernel Module is loaded

lsmod | grep ip_tables

returns:

ip_tables              24576  4 iptable_filter,iptable_mangle,iptable_nat,iptable_raw

Creating iptables rules

iptables -P INPUT DROP
iptables -P OUTPUT DROP
 
# Allowing Loopback Traffic.
iptables -I INPUT -i lo -j ACCEPT
 
# Allow established connections.
iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
 
# Allow SSH access.
# iptables -I INPUT -p tcp --dport 22 -j ACCEPT
iptables -A INPUT -p tcp --dport 22 -s 192.168.1.2 -j ACCEPT
 
 
# Enable Web.
# iptables -A INPUT -p tcp --dport 80 -j ACCEPT
# iptables -A INPUT -p tcp --dport 443 -j ACCEPT
 
 
# Enable FTP.
# iptables -A INPUT -p tcp --dport 21 -j ACCEPT
# iptables -A INPUT -p tcp --dport 20 -j ACCEPT
 
 
# To block an IP range.
iptables -I INPUT 3 -s 192.168.123.0/24 -j DROP

Enable kernel modules

To have FTP work correctly with iptables, ensure that the ip_conntrack_ftp module is loaded.

modprobe ip_conntrack_ftp

Check that the module is loaded

lsmod | grep conntrack

returns:

nf_conntrack_ftp       20480  1 nf_nat_ftp
nf_conntrack_ipv4      16384  84
nf_defrag_ipv4         16384  1 nf_conntrack_ipv4
xt_conntrack           16384  81
nf_conntrack          106496  9 nf_nat_ftp,nf_nat,xt_state,xt_connlimit,nf_nat_ipv4,xt_conntrack,nf_nat_masquerade_ipv4,nf_conntrack_ftp,nf_conntrack_ipv4
x_tables               36864  25 xt_pkttype,ip6table_filter,ip6table_mangle,xt_length,xt_comment,xt_CHECKSUM,xt_recent,ip_tables,xt_tcpudp,xt_string,ipt_MASQUERADE,xt_limit,xt_state,xt_connlimit,xt_conntrack,xt_LOG,xt_nat,xt_multiport,iptable_filter,ebtables,ipt_REJECT,iptable_mangle,ip6_tables,xt_addrtype,iptable_raw

Setup an init script

/etc/init.d/firewall-sharewiz
#!/bin/bash
#
# Start and stop the Firewall.
# Modify the following settings as required:
 
### BEGIN INIT INFO
# Provides:          firewall-sharewiz
# Required-Start:    $network
# Required-Stop:
# Default-Start:     2 3 4 5
# Default-Stop:      0 1 6
### END INIT INFO
 
 
IPTABLES=/sbin/iptables
NAME=firewall-sharewiz
 
 
opts="start stop restart reload status"
 
#if [[ $1 == start ]] ; then
 
case "$1" in
    start)
        /sharewiz/firewall/firewall.sh
;;
 
    stop)
        $IPTABLES --flush
        $IPTABLES -t nat --flush
        $IPTABLES -F -t mangle
        $IPTABLES -P INPUT ACCEPT
        $IPTABLES -P OUTPUT ACCEPT
        $IPTABLES -P FORWARD ACCEPT
        $IPTABLES -t nat -P POSTROUTING ACCEPT
        $IPTABLES -t nat -P PREROUTING ACCEPT
        $IPTABLES -t nat -P OUTPUT ACCEPT
;;
 
    restart|reload)
#        $0 stop
#        $0 start
 
        $IPTABLES --flush
        $IPTABLES -t nat --flush
        $IPTABLES -F -t mangle
        $IPTABLES -P INPUT ACCEPT
        $IPTABLES -P OUTPUT ACCEPT
        $IPTABLES -P FORWARD ACCEPT
        $IPTABLES -t nat -P POSTROUTING ACCEPT
        $IPTABLES -t nat -P PREROUTING ACCEPT
        $IPTABLES -t nat -P OUTPUT ACCEPT
 
        /sharewiz/firewall/firewall.sh
;;
 
 
    status)
        $IPTABLES --list
        $IPTABLES -t nat --list
        $IPTABLES -t mangle --list
;;
 
 
    *)
        echo "Usage: /etc/init.d/$NAME {start|stop|restart|reload|status}" >&2
        exit 1
;;
 
 
 
esac
 
exit 0·

Set permissions

chmod 755 /etc/init.d/firewall-sharewiz

Create the firewall script

vi /sharewiz/firewall/firewall.sh

and populate as

/sharewiz/firewall/firewall.sh
#!/bin/bash
#
# Modify the following settings as required:
#
# You should check/test that the firewall really works, using
# iptables -vnL, nmap, ping, telnet, ...
#
# TODO: ICQ, MSN, GTalk, Skype, Yahoo, etc...
 
IPTABLES=/sbin/iptables
IP6TABLES=/sbin/ip6tables
LOAD_MODULES=yes
LOAD_MODULES_IPV6=no
DEPMOD=/sbin/depmod
MODPROBE=/sbin/modprobe
RMMOD=/sbin/rmmod
ARP=/usr/sbin/arp
 
 
#
# REJECT target works basically the same as the DROP target, but it also sends
# back an error message to the host sending the packet that was blocked.
#
# The REJECT target is as of today only valid in the INPUT, FORWARD and OUTPUT
# chains or their sub chains.
#
 
# REJECT --reject-with tcp-reset        # RFC 793.  TCP RST packets are used to close open TCP connections gracefully.
# REJECT --icmp-net-unreachable         #
# REJECT --icmp-host-unreachable        #
# REJECT --icmp-port-unreachable        # Default
# REJECT --icmp-proto-unreachable       #
# REJECT --icmp-net-prohibited          #
# REJECT --icmp-host-prohibited         #
 
 
#*********************************************************
#
# Interfaces
#
#SERVER_INTERFACE=`ip addr show | awk '$1 == "inet" && $3 == "brd" { print $7 }'`
#SERVER_IP=`ifconfig $SERVER_INTERFACE | grep inet | awk '{ print $2 }'| cut -d : -f2`
 
#tmp=$(/sbin/ifconfig $LANFACE | grep -m 1 inet | tr -d [:alpha:])
#ifconfig em1 | grep -m 1 inet | tr -d [:alpha:]
#INET_IP=$(echo $tmp | cut -d : -f2)
#INET_BCAST=$(echo $tmp | cut -d : -f3)
#INET_MASK=$(echo $tmp | cut -d : -f4)
#unset tmp
 
#
# Internet Interface
#
#INET_IFACE="eth0"
#INET_IFACE="em1"
INET_IFACE="br0"
#INET_IFACE=$(/sbin/ifconfig | awk '/Link / { print $1 } ' | head -n 1)
INET_GW="192.168.1.1"
INET_IP="192.168.1.2"
INET_NET="192.168.1.1/24"
INET_BCAST="192.168.1.255"
#
 
#
# Local Interface Information
#
#LOCAL_IFACE="eth1"
LOCAL_IFACE="em2"
#LOCAL_IFACE=$(/sbin/ifconfig | awk '/Link / { print $1 } ' | sed -n -e '2{p;q;}')
LOCAL_IP="192.168.0.2"
LOCAL_NET="192.168.0.1/24"
LOCAL_BCAST="192.168.0.255"
#
 
#
# Localhost Interface
#
LO_IFACE="lo"
LO_IP="127.0.0.1"
#
 
#
# Standard Definitions
#
ALL="0/0"
CLASS_A="10.0.0.0/8"
CLASS_B="172.16.0.0/12"
CLASS_C="192.168.0.0/16"
CLASS_D_MULTICAST="224.0.0.0/4"
CLASS_E_RESERVED_NET="240.0.0.0/5"
LOOPBACK="127.0.0.0/8"
P_PORTS="0:1023"
UP_PORTS="1024:65535"
#
 
#
# DNS servers
#
DNS_SERVERS="83.137.248.244 93.187.151.197 8.8.8.8 8.8.4.4"
#
 
###########################################################################
#
# Module loading.
#
if [ $LOAD_MODULES == "yes" ]; then
#
# Initially load modules
#
$DEPMOD -a
 
#
# Required modules
#
$MODPROBE ip_tables                    # Required; all IPv4 modules depend on this one.
$MODPROBE ip_conntrack                 # Stateful Connections. Allows connection tracking state match, which allows you to write rules matching the state of a connection.
$MODPROBE ip_conntrack_ftp             # Permits active FTP; requires ip_conntrack. Recognizes connection is related to original port 21.
$MODPROBE iptable_filter               # Filter Table.
$MODPROBE iptable_mangle               # Mangle table.
$MODPROBE iptable_nat                  # NAT table.
$MODPROBE ip_nat_ftp                   #
$MODPROBE ipt_LOG                      #
$MODPROBE ipt_limit                    # Allows log limits.
$MODPROBE ipt_state                    # Permits packet state checking (SYN, SYN-ACK, ACK, and so on).
#
 
#
# To prevent the dmesg command showing errors such as:·
# xt_recent: hitcount (25) is larger than packets to be remembered (20)
#
# The following command shows all the xt_recent parameters:
# head /sys/module/xt_recent/parameters/*
#
# ls -al  /proc/net/xt_recent/
#
# Use modinfo xt_recent to see the possible parameters.
#
# ls -1 /sys/module/xt_recent/parameters/
# Any of the parameters can be checked by simply:
# cat /sys/module/xt_recent/parameters/ip_pkt_list_tot
#
#$RMMOD xt_recent
$MODPROBE xt_recent ip_list_tot=100000 ip_pkt_list_tot=255
#$MODPROBE ipt_recent ip_list_tot=100000 ip_pkt_list_tot=255
 
# See also:
# xt_length 
# xt_hl 
# xt_tcpmss 
# xt_TCPMSS 
# xt_multiport 
# xt_limit 
# xt_dscp
 
#
# Non-Required modules
#
#$MODPROBE ipt_owner                    #
#$MODPROBE ipt_REJECT                   # Implement the REJECT target.
#$MODPROBE ipt_MASQUERADE               # Masquerade Target.
#$MODPROBE ip_conntrack_ftp             #
#$MODPROBE ip_conntrack_irc             #
#$MODPROBE ip_conntrack_netbios_ns      #
#$MODPROBE ip_nat_ftp                   #
#$MODPROBE ip_nat_irc                   #
#
 
#
# Other modules.
#
#$MODPROBE ipt_comment                  #
#$MODPROBE ipt_helper                   #
# ipt_length
# ipt_limit
# ipt_multiport
# ipt_REDIRECT
# ipt_REJECT
# ipt_state
# ipt_tcp
# ipt_TCPMSS                            # Used to clamp MSS (Maximum Segment Size) to the PMTU (Path Maximum Transmit Unit).
# ipt_tcpmss                            # Used to clamp MSS (Maximum Segment Size) to the PMTU (Path Maximum Transmit Unit).
# ipt_tos
# ipt_TOS
# ipt_ttl
# iptable_filter
# iptable_mangle
# iptable_nat
 
#
# IPv6 modules.
#
#$MODPROBE ip6_tables                    # Required; all IPv6 modules depend on this one.
#$MODPROBE ip6table_filter               # Filter Table.
#$MODPROBE ip6table_mangle               # Mangle table.
 
 
fi
 
 
 
 
#*********************************************************
# What to allow
#
# 0=no
# 1=yes
#
ALLOW_APPLESHARE_IN=0                  # 500
ALLOW_APPLESHARE_OUT=0                 # 500
ALLOW_BITTORRENT_IN=0                  #
ALLOW_BITTORRENT_OUT=0                 #
ALLOW_BOOTP_CLIENT_IN=0                # 68 DHCP boot protocol client
ALLOW_BOOTP_CLIENT_OUT=0               # 68 DHCP boot protocol client
ALLOW_BOOTP_SERVER_IN=0                # 67 DHCP boot protocol server
ALLOW_BOOTP_SERVER_OUT=0               # 67 DHCP boot protocol server
ALLOW_CHARGEN_IN=0                     # 19
ALLOW_CHARGEN_OUT=0                    # 19
ALLOW_CORBA_IIOP_IN=0                  # 535
ALLOW_CORBA_IIOP_OUT=0                 # 535
ALLOW_CUPS_IN=0                        # CUPS printer service
ALLOW_CUPS_OUT=0                       # CUPS printer service
ALLOW_CVS_IN=0                         #
ALLOW_CVS_OUT=0                        #
ALLOW_DAYTIME_IN=0                     # 13 daytime-server
ALLOW_DAYTIME_OUT=0                    # 13 daytime-server
ALLOW_DHCP_BROADCAST_IN=1              #
ALLOW_DHCP_BROADCAST_OUT=1             #
ALLOW_DISCARD_IN=0                     # 9 discard-server
ALLOW_DISCARD_OUT=0                    # 9 discard-server
ALLOW_DNS_IN=1                         # 53
ALLOW_DNS_OUT=1                        # 53
ALLOW_ECHO_IN=0                        # 7 echo-server
ALLOW_ECHO_OUT=0                       # 7 echo-server
ALLOW_FINGER_IN=0                      # 79
ALLOW_FINGER_OUT=0                     # 79
ALLOW_FTP_IN=1                         # 20, 21=ftp-data
ALLOW_FTP_OUT=1                        # 20, 21=ftp-data
ALLOW_HTTP_IN=1                        # 80
ALLOW_HTTP_OUT=1                       # 80
ALLOW_HTTPS_IN=1                       # 443
ALLOW_HTTP_OUT=1                       # 80
ALLOW_HTTPS_IN=1                       # 443
ALLOW_HTTPS_OUT=1                      # 443
ALLOW_ICMP_PARAM_PROBLEM_IN=0          #
ALLOW_IDENT_IN=1                       # 59??? What about 113?  Are these different?
ALLOW_IDENT_OUT=1                      # 59??? What about 113?  Are these different?
ALLOW_IMAP_IN=1                        # 143
ALLOW_IMAP_OUT=1                       # 143
ALLOW_IMAPS_IN=1                       # 993
ALLOW_IMAPS_OUT=1                      # 993
ALLOW_IRC_IN=0                         #
ALLOW_IRC_OUT=0                        #
ALLOW_KAZAA_IN=0                       # 1214
ALLOW_KAZAA_OUT=0                      # 1214
ALLOW_KPASSWD_IN=0                     # 464
ALLOW_KPASSWD_OUT=0                    # 464
ALLOW_KRB5_IN=0                        # 88 Kerberos
ALLOW_KRB5_OUT=0                       # 88 Kerberos
ALLOW_LDAP_IN=0                        # 389
ALLOW_LDAP_OUT=0                       # 389
ALLOW_LDAPS_IN=0                       # 636 Secure LDAP
ALLOW_LDAPS_OUT=0                      # 636 Secure LDAP
ALLOW_LINUX_CONF_IN=0                  # 98
ALLOW_LINUX_CONF_OUT=0                 # 98
ALLOW_LINUX_MOUNTD_BUG_IN=0            # 635
ALLOW_LINUX_MOUNTD_BUG_OUT=0           # 635
ALLOW_MS_EXCHANGE_IN=0                 # 691
ALLOW_MS_EXCHANGE_OUT=0                # 691
ALLOW_MS_FILE_SERVER_FOR_MACINTOSH_IN=0 # 548 Enables Macintosh computer users to store and access files on a computer running Windows Server 2003.
ALLOW_MS_FILE_SERVER_FOR_MACINTOSH_OUT=0 # 548 Enables Macintosh computer users to store and access files on a computer running Windows Server 2003
ALLOW_MS_FT_DS_IN=0                    # 445
ALLOW_MS_FT_DS_OUT=0                   # 445
ALLOW_MS_RPC_IN=0                      # 135
ALLOW_MS_RPC_OUT=0                     # 135
ALLOW_MS_RPC_OVER_HTTP_IN=0            # 593
ALLOW_MS_RPC_OVER_HTTP_OUT=0           # 593
ALLOW_MSSQL_IN=0                       # 1433 MSSQL database
ALLOW_MSSQL_OUT=0                      # 1433 MSSQL database
ALLOW_MSSQL_MONITOR_IN=0               # 1434 MSSQL monitor
ALLOW_MSSQL_MONITOR_OUT=0              # 1434 MSSQL monitor
ALLOW_MYSQL_IN=0                       # 3306 MySQL database
ALLOW_MYSQL_OUT=0                      # 3306 MySQL database
ALLOW_NC_IN=0                          # 2030
ALLOW_NC_OUT=0                         # 2030
ALLOW_NCP_IN=0                         # 524
ALLOW_NCP_OUT=0                        # 524
ALLOW_NETWORK_LOG_CLIENT_IN=0          # 1394
ALLOW_NETWORK_LOG_CLIENT_OUT=0         # 1394
ALLOW_NFS_IN=0                         # 1025
ALLOW_NFS_OUT=0                        # 1025
ALLOW_NNTP_IN=0                        # 119 NNTP news
ALLOW_NNTP_OUT=0                       # 119 NNTP news
ALLOW_NTP_IN=1                         # 123
ALLOW_NTP_OUT=1                        # 123
ALLOW_OPENVPN_IN=0                     #
ALLOW_OPENVPN_OUT=0                    #
ALLOW_PCANYWHERE_IN=0                  # 5623
ALLOW_PCANYWHERE_OUT=0                 # 5623
ALLOW_PC_SERVER_BACKDOOR_IN=0          # 600
ALLOW_PC_SERVER_BACKDOOR_OUT=0         # 600
ALLOW_PHASE_ZERO_IN=0                  # 555
ALLOW_PHASE_ZERO_OUT=0                 # 555
ALLOW_PING_IN=0                        #
ALLOW_PING_OUT=1                       #
ALLOW_PLESK_IN=0                       # PLESK desktop
ALLOW_PLESK_OUT=0                      # PLESK desktop
ALLOW_POP2_IN=0                        # 109
ALLOW_POP2_OUT=0                       # 109
ALLOW_POP3_IN=1                        # 110
ALLOW_POP3_OUT=1                       # 110
ALLOW_POP3S_IN=1                       # 995
ALLOW_POP3S_OUT=1                      # 995
ALLOW_POSTGRESQL_IN=0                  #
ALLOW_POSTGRESQL_OUT=0                 #
ALLOW_PRINT_IN=0 »»·»·                 # 515 Allow printer port
ALLOW_PRINT_OUT=0 »·»·»·               # 515 Allow printer port
ALLOW_REAL_SERVER_IN=0                 # 554
ALLOW_REAL_SERVER_OUT=0                # 554
ALLOW_ROUTE_IN=0                       # 520
ALLOW_ROUTE_OUT=0                      # 520
ALLOW_RWHO_IN=0                        # 513
ALLOW_RWHO_OUT=0                       # 513
ALLOW_RWHOIS_IN=1                      # 4321
ALLOW_RWHOIS_OUT=1                     # 4321
ALLOW_SAMBA_IN=1                       # 137=SMB Name, 138=SMB Data, 139=SMB Session
ALLOW_SAMBA_OUT=1                      # 137=SMB Name, 138=SMB Data, 139=SMB Session
ALLOW_SGI_IRIX_TCPMUX_IN=0             # 1
ALLOW_SGI_IRIX_TCPMUX_OUT=0            # 1
ALLOW_SMTP_IN=1 »·»·»·                 # 25 Do NOT allow unencrypted SMTP! Use SMTPS instead.
ALLOW_SMTP_OUT=1 »»·»·                 # 25 Do NOT allow unencrypted SMTP! Use SMTPS instead.
ALLOW_SMTPS_IN=0                       # 465
ALLOW_SMTPS_OUT=0                      # 465
ALLOW_SNMP_IN=0                        # 161
ALLOW_SNMP_OUT=0                       # 161
ALLOW_SOCKS5_IN=0                      # 1080
ALLOW_SOCKS5_OUT=0                     # 1080
ALLOW_SSH_IN=1                         # 22
ALLOW_SSH_OUT=1                        # 22
ALLOW_SQL_IN=0                         # 1114
ALLOW_SQL_OUT=0                        # 1114
ALLOW_SQUID_IN=0 »»·»·                 # 3128 SQUID proxy
ALLOW_SQUID_OUT=0 »·»·»·               # 3128 SQUID proxy
ALLOW_SUB7_IN=0                        # 1243
ALLOW_SUB7_OUT=0                       # 1243
ALLOW_SUBMISSION_IN=1                  # 587
ALLOW_SUBMISSION_OUT=1                 # 587
ALLOW_SUNRPC_IN=0                      # 111 Also RPCbind
ALLOW_SUNRPC_OUT=0                     # 111 Also RPCbind
ALLOW_SVN_IN=0                         #
ALLOW_SVN_OUT=0                        #
ALLOW_TELNET_IN=0                      # 23
ALLOW_TELNET_OUT=0                     # 23
ALLOW_TFTP_IN=0                        # 69 Trivial FTP
ALLOW_TFTP_OUT=0                       # 69 Trivial FTP
ALLOW_TIME_IN=0                        # 37
ALLOW_TIME_OUT=0                       # 37
ALLOW_TIME_SERVER_IN=0                 # 525
ALLOW_TIME_SERVER_OUT=0                # 525
ALLOW_TOMCAT_IN=0     »·»·»·           # 9080
ALLOW_TOMCAT_OUT=0»·»·»·               # 9080
ALLOW_TOR_OUT=0                        #
ALLOW_TRACEROUTE_IN=0                  #
ALLOW_TRACEROUTE_OUT=1                 #
ALLOW_UNIX_SYSSTAT_IN=0                # 11
ALLOW_UNIX_SYSSTAT_OUT=0               # 11
ALLOW_UPNP_IN=0                        # 2869 Universal Plug and Play
ALLOW_UPNP_OUT=0                       # 2869 Universal Plug and Play
ALLOW_WEBLOGIN_IN=1                    # 2054 Needed for sharing
ALLOW_WEBLOGIN_OUT=0                   # 2054 Needed for sharing
ALLOW_WHOIS_IN=1 »»·»·                 # 43 See also RWHOIS
ALLOW_WHOIS_OUT=1 »·»·»·               # 43 See also RWHOIS
ALLOW_WINDOWS_MESSAGE_IN=0             # 1026, 1027
ALLOW_WINDOWS_MESSAGE_IN=0             # 1026, 1027
ALLOW_TRACEROUTE_IN=1                  #
ALLOW_TRACEROUTE_OUT=1                 #
ALLOW_XDMCP_IN=0                       # 177
ALLOW_XDMCP_OUT=0                      # 177
ALLOW_XWINDOWS_IN=0                    #
ALLOW_XWINDOWS_OUT=0                   #
ALLOW_XWINDOWS_FONTSERVER_IN=0         #
ALLOW_XWINDOWS_FONTSERVER_OUT=0        #
 
BLOCK_AKAMAI=1                         #
BLOCK_BROADCASTS=1                     #
BLOCK_BRUTE_FORCE_ATTACKS=1            #
BLOCK_CONNECTIONS_COUNT=1              #
BLOCK_DROPBOX_LAN_SYNC_BROADCASTS=1    #
BLOCK_FACEBOOK=0                       #
BLOCK_FLOODS=1                         #
BLOCK_SAMBA_WITHOUT_LOGGING=0          #
BLOCK_OVERSIZE_ICMP_PACKETS=1          #
BLOCK_VIRUSES=1                        
 
DO_BAD_PACKETS_LAST=0 »·»·»·           # Less logging
DO_KERNEL_SECURE=1 »»·»·               # Set various kernel network protection on
DO_LOG_SCANS=1 »»·»·»·                 # if 1 will log well known scans whilst dropping them
DO_MASQUERADE=0 »·»·»·                 # if 0 will use SNAT / DNAT
DO_PORT_KNOCKING=0 »»·»·               # if 1 will allow Port Knocking
DO_QUICK_NTP=0 »»·»·»·                 # if 1 will allow NTP in without any checks
DO_QUOTA=0                             # If 1 then will switch on quota checking
DO_REJECT_INSTEAD_OF_DROP=0            # Reject instead of drop
DO_STEALTH_ALL_IN=0                    # Stealth all incoming
DO_WHITELISTING=0 »·»·»·               # Dangerous if made a 1
#
 
#*********************************************************
#
# /proc sysctl settings
#
PROC_SYSCTL_IP_FORWARD=1»·»·           # To enable ipforward, VERY important
PROC_SYSCTL_BLOCK_ALL_PINGS_IN=1       # Block ALL the pings from everywhere·
PROC_SYSCTL_BLOCK_BROADCAST_PINGS_IN=1 # Don't respond to broadcast pings (smurf)
PROC_SYSCTL_ICMP_ERROR_MESG=1»»·       # Protect against bogus error messages
PROC_SYSCTL_LOG_MARTIANS=1»·»·         # Log packets with impossible addresses
PROC_SYSCTL_IP_SPOOFING=1»»·           # Disable spoofing attacks on ALL interfaces
PROC_SYSCTL_REDUCE_DOS=1»·»·           # Reduces the timeouts and the posibility of a DOS
PROC_SYSCTL_SYN_COOKIES=1»»·           # Enable tcp syn cookies protection
PROC_SYSCTL_TIME_STAMPS=1»»·           # Enable tcp timestamps protection
PROC_SYSCTL_SOURCE_ROUTED=1»»·         # Ignore source routed packets
PROC_SYSCTL_ACCEPT_REDIRECTS=1»·»·     # Ignore accepted redirected packets
PROC_SYSCTL_SEND_REDIRECTS=1»·»·       # Ignore send redirected packets
PROC_SYSCTL_SECURE_REDIRECTS=1»·»·     # Enable secure redirects
PROC_SYSCTL_DISABLE_BOOTP_RELAY=1      # Disable BootP relays
PROC_SYSCTL_DISABLE_PROXY_ARP=1        # Disable Proxy ARP
#
 
#*********************************************************
# Trusted hosts
#
# Hosts that are auto allowed into the system if WhiteListing
# is allowed.
#
TRUSTED_HOSTS="192.168.0.10"
UNTRUSTED_HOSTS="123.123.123.123,134.134.134.134"
#UNTRUSTED_HOSTS="123.123.123.123,www.facebook.com"
#
 
#*********************************************************
# Port Knocking
#
# Port knocking is a method of externally opening ports on a firewall by·
# generating a connection attempt on a set of prespecified closed ports.
#
# Once a correct sequence of connection attempts is received, the firewall·
# rules are dynamically modified to allow the host which sent the connection·
# attempts to connect over specific port(s).
#
PORT_KNOCK_1="3456"
PORT_KNOCK_2="4567"
PORT_KNOCK_3="1234"
PORT_KNOCK_ALLOW="22"
#
 
#*********************************************************
# Websites to stop
#
#WEB_FACEBOOK="facebook.com"
#
 
#*********************************************************
# Connection limits
#
# Against brute-force attacks.
#
#               4 connect/min  5 connects/3 mins   10 connects/10 mins   25 connects/20 mins   50 connects/40 mins   ...
# Offense #1         10 min            30 min              1 hour                2 hours               3 hours
# Offense #2         30 min            1 hour              2 hours               3 hours               6 hours··
# Offense #3         1 hour            2 hours             3 hours               6 hours               1 day·
# Offense #4         2 hours           3 hours             6 hours               1 day                 1 week
# Offense #5         3 hours           6 hours             1 day                 1 week                1 month
# Offense #6         6 hours           1 day               1 week                1 month               1 month·
# Offense #7         1 day             1 week              1 month               1 month               1 month
# Offense #8         1 week            1 month             1 month               1 month               1 month
# Offense #9         1 month           1 month             1 month               1 month               1 month
#
CONNECTION_MAX_1=4                     # 4 Connections
CONNECTION_MAX_2=5                     # 5 Connections
CONNECTION_MAX_3=10                    # 10 Connections
CONNECTION_MAX_4=25                    # 25 Connections
CONNECTION_MAX_5=50                    # 50 Connections
CONNECTION_MAX_6=75                    # 75 Connections
CONNECTION_MAX_7=100                   # 100 Connections
CONNECTION_MAX_8=200                   # 200 Connections
CONNECTION_MAX_9=255                   # 255 Connections
#
CONNECTION_LIMIT_1=60                  # 1 Minute
CONNECTION_LIMIT_2=180                 # 3 Minutes
CONNECTION_LIMIT_3=600                 # 10 Minutes
CONNECTION_LIMIT_4=1200                # 20 Minutes
CONNECTION_LIMIT_5=2400                # 40 Minutes
CONNECTION_LIMIT_6=3600                # 60 Minutes  (1 hour)
CONNECTION_LIMIT_7=7200                # 120 Minutes (2 hours)
CONNECTION_LIMIT_8=10800               # 180 Minutes (3 hours)
CONNECTION_LIMIT_9=21600               # 360 minutes (6 hours)
#
# Offence timeouts
CONNECTION_TIMEOUT_1=600               # 10 Minute
CONNECTION_TIMEOUT_2=1800              # 30 Minutes
CONNECTION_TIMEOUT_3=3600              # 60 Minutes  (1 hour)
CONNECTION_TIMEOUT_4=7200              # 120 Minutes (2 hours)
CONNECTION_TIMEOUT_5=10800             # 180 Minutes (3 hours)
CONNECTION_TIMEOUT_6=21600             # 360 Minutes (6 hours)
CONNECTION_TIMEOUT_7=86400             # 24 hours    (1 day)
CONNECTION_TIMEOUT_8=604800            # 168 hours   (1 week)
CONNECTION_TIMEOUT_9=2635200           # 732 hours   (1 month)
 
 
#*********************************************************
# Log limit
#
LOG_LEVEL=7
#LOG="LOG --log-level debug --log-tcp-sequence --log-tcp-options"
#LOG="$LOG --log-ip-options"
#LOG="--log-ip-options --log-tcp-options
#
 
#*********************************************************
# String Search Algorith
#
STRING_ALGO="bm"
STRING_ALGO2="kmp"
#
 
#*********************************************************
# Quota limits
#
QUOTA_LIMIT_TCP="2147483648"           # 2 GB Quota limit
QUOTA_LIMIT_UDP="2147483648"           # 2 GB Quota limit
QUOTA_LIMIT_ICMP="2147483648"          # 2 GB Quota limit
#
 
#*********************************************************
# DNS limits
#
# Limits the number of DNS queries per second to 5/s
# with a burst rate of 15/s and does not require buffer space changes.
#
# Limit the requests per second to 5, which leads to 35 requests in 7 seconds.
# To solve the first-second burst, allow for 15 requests to happen in each of·
# the seven seconds.
 
# DNS open time.
DNS_TIMEOUT="7"
 
# DNS Requests per second
DNS_BURST="15"
 
# DNS Requests per 7 seconds
DNS_TOTAL_REQUESTS="35"
#
 
#*********************************************************
# Flooding limits
#
#
# Limit per second
LIMIT_PER_SECOND="4"
#
 
# Limit for SYN connections
LIMIT_SYN_MAX="9"
#
 
# Limit for SYN-Flood detection
LIMIT_SYN="5/s"
#
 
#
# Burst Limit for SYN-Flood detection
LIMIT_SYN_BURST="10"
#
 
#
# Overall Limit for Logging in Logging-Chains
LIMIT_LOG="2/s"
#
 
#
# Burst Limit for Logging in Logging-Chains
LIMIT_LOG_BURST="10"
#
 
#
# Overall Limit for TCP-Flood-Detection
LIMIT_TCP="5/s"
#
 
#
# Burst Limit for TCP-Flood-Detection
LIMIT_TCP_BURST="10"
#
 
#
# Overall Limit for UDP-Flood-Detection
LIMIT_UDP="5/s"
#
 
#
# Burst Limit for TCP-Flood-Detection
LIMIT_UDP_BURST="10"
#
 
#
# Overall Limit for Ping-Flood-Detection
LIMIT_PING="5/s"
#
 
#
# Burst Limit for Ping-Flood-Detection
LIMIT_PING_BURST="10"
#
 
#**************************************************
#********** Do not edit beyond this line **********
#**************************************************
 
#
# IP Mask for all IP addresses
PORTS_UNIVERSE="0.0.0.0/0"
PORTS_BROADCAST="255.255.255.255"
#
 
#
# Ports for Dropbox Lan Sync Broadcasts
PORTS_DROPBOX_LAN_SYNC_BROADCASTS="17500"
#
 
#
# Ports for IRC-Connection-Tracking
PORTS_IRC="6665,6666,6667,6668,6669,7000"
#
 
#
# Ports for TOR
# (http://tor.eff.org)
PORTS_TOR="9001,9002,9030,9031,9090,9091"
#
 
#
# Ports for traceroute
PORTS_TRACEROUTE_SRC="32769:65535"
PORTS_TRACEROUTE_DEST="33434:33523"
#
 
#
# Specification of the high unprivileged IP ports.
PORTS_UNPRIV="1024:65535"
PORTS_PSSH="1000:1023"
#
 
#
# Specification of X Window System (TCP)
PORTS_XWIN="6000:6063"
#
 
#*********************************************************
# AKAMAI·
#
# http://www.matveev.se/net/akamai.htm
#
RANGE_AKAMAI="2.16.0.0/13,2.23.144.0/20,23.0.0.0/12,23.32.0.0/11,23.64.0.0/14,62.115.0.0/16,72.246.0.0/15,80.239.128.0/19"
RANGE_AKAMAI="$RANGE_AKAMAI,80.239.160.0/19,80.239.192.0/19,80.239.224.0/19,84.53.168.0/22,88.221.176.0/21,96.6.0.0/15"
RANGE_AKAMAI="$RANGE_AKAMAI,96.16.0.0/15,217.208.0.0/13,74.125.0.0/16,173.194.0.0/16,209.85.128.0/17"
 
#*********************************************************
# IANA RESERVED·
#
RANGE_IANA_RESERVED="0.0.0.0/7,2.0.0.0/8,5.0.0.0/8,7.0.0.0/8,10.0.0.0/8,23.0.0.0/8,27.0.0.0/8,31.0.0.0/8,36.0.0.0/7,39.0.0.0/8"
RANGE_IANA_RESERVED="$RANGE_IANA_RESERVED,42.0.0.0/8,49.0.0.0/8,50.0.0.0/8,77.0.0.0/8,78.0.0.0/7,92.0.0.0/6,96.0.0.0/4,112.0.0.0/5"
RANGE_IANA_RESERVED="$RANGE_IANA_RESERVED,120.0.0.0/8,169.254.0.0/16,172.16.0.0/12,173.0.0.0/8,174.0.0.0/7,176.0.0.0/5,184.0.0.0/6"
RANGE_IANA_RESERVED="$RANGE_IANA_RESERVED,192.0.2.0/24,197.0.0.0/8,198.18.0.0/15,223.0.0.0/8,224.0.0.0/3"
#
 
#*********************************************************
# Mitigate ARP spoofing/poisoning and similar attacks.
#------------------------------------------------------------------------------
# Hardcode static ARP cache entries here
# $ARP -s IP-ADDRESS MAC-ADDRESS
#
 
#*********************************************************
# Delete all existing rules
#
$IPTABLES -F
$IPTABLES -t nat -F
$IPTABLES -t mangle -F
$IPTABLES -X
$IPTABLES -t nat -X
$IPTABLES -t mangle -X
#
 
#
# Zero all packets and counters.
#
$IPTABLES -Z
$IPTABLES -t nat -Z
$IPTABLES -t mangle -Z
 
#
# Set Policies
# By default, drop everything except outgoing traffic
#
$IPTABLES -P INPUT DROP
$IPTABLES -P FORWARD DROP
$IPTABLES -P OUTPUT DROP
#
 
# Set the nat/mangle/raw tables' chains to ACCEPT
$IPTABLES -t nat -P PREROUTING ACCEPT
$IPTABLES -t nat -P OUTPUT ACCEPT
$IPTABLES -t nat -P POSTROUTING ACCEPT
 
$IPTABLES -t mangle -P PREROUTING ACCEPT
$IPTABLES -t mangle -P INPUT ACCEPT
$IPTABLES -t mangle -P FORWARD ACCEPT
$IPTABLES -t mangle -P OUTPUT ACCEPT
$IPTABLES -t mangle -P POSTROUTING ACCEPT
 
#if [ $BLOCK_BROADCASTS -eq 1 ]
#then
#$IPTABLES -A INPUT DROP
#$IPTABLES -A INPUT -d $INET_BCAST -i INET_IFACE -j DROP
#$IPTABLES -A INPUT -d 192.168.255.255  -i INET_IFACE -j DROP
#$IPTABLES -A INPUT -d 255.255.255.255 -i INET_IFACE -j DROP
#$IPTABLES -A INPUT -m pkttype --pkt-type broadcast -j DROP
#fi
 
#*********************************************************
#
# Kernel configuration.
# For details see:
# * http://www.securityfocus.com/infocus/1711
# * http://www.linuxgazette.com/issue77/lechnyr.html
# * http://ipsysctl-tutorial.frozentux.net/chunkyhtml/index.html
# * /usr/src/linux/Documentation/filesystems/proc.txt
# * /usr/src/linux/Documentation/networking/ip-sysctl.txt
#
# Save these settings in the /etc/sysctl.conf file to make it permanent
#
#------------------------------------------
if [ $DO_KERNEL_SECURE -eq 1 ]
then
 
#------------------------------------------
# Allow port forwarding - Enable IP NAT in the Linux kernel
#
#echo 1 > /proc/sys/net/ipv4/ip_forward
if [ $PROC_SYSCTL_IP_FORWARD -eq 1 ] ; then
  if [ -f /proc/sys/net/ipv4/ip_forward ] ; then
    echo 1 > /proc/sys/net/ipv4/ip_forward
    echo "          ip_forward activated"
  fi
fi
#
 
#------------------------------------------
# Disabling IP Spoofing
#
#echo 2 > /proc/sys/net/ipv4/conf/all/rp_filter
if [ $PROC_SYSCTL_IP_SPOOFING -eq 1 ] ; then
  if [ -f /proc/sys/net/ipv4/conf/all/rp_filter ] ; then
    echo "2" > /proc/sys/net/ipv4/conf/all/rp_filter
    echo "          .....Blocking IP spoofing attacks"
  fi
#
 
#------------------------------------------
# Enable IP spoofing protection (i.e. source address verification).
# Note: This is special, as it seems to only be enabled if you set
# */all/rp_filter AND */eth0/rp_filter (for example) to 1! Setting only
# */all/rp_filter alone does _not_ suffice, which is pretty counter-intuitive.
#
# Turn on reverse path filtering. This helps make sure that packets use·
# legitimate source addresses, by automatically rejecting incoming packets·
# if the routing table entry for their source address doesn't match the·
# network interface they're arriving on. This has security advantages because
# it prevents so-called IP spoofing, however it can pose problems if you use·
# asymmetric routing (packets from you to a host take a different path than·
# packets from that host to you) or if you operate a non-routing host which·
# has several IP addresses on different interfaces.·
# (Note - If you turn on IP forwarding, you will also get this).
#
  for i in /proc/sys/net/ipv4/conf/*/rp_filter; do echo 1 > $i; done
#
fi
#
 
#------------------------------------------
# Ignore all incoming ICMP echo requests (i.e. disable ping).
# Usually not a good idea, as some protocols and users need/want this.
# echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_all
#
if [ $PROC_SYSCTL_BLOCK_ALL_PINGS_IN -eq 1 ]
then
#echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_all
  if [ -f /proc/sys/net/ipv4/icmp_echo_ignore_all ] ; then
    echo "1" > /proc/sys/net/ipv4/icmp_echo_ignore_all
    echo "          .....Blocking all incoming pings from everywhere"
  fi
else
#echo 0 > /proc/sys/net/ipv4/icmp_echo_ignore_all
  if [ -f /proc/sys/net/ipv4/icmp_echo_ignore_all ] ; then
    echo "0" > /proc/sys/net/ipv4/icmp_echo_ignore_all
    echo "          .....Allowing all incoming pings from everywhere"
  fi
fi
#
 
#------------------------------------------
# Don't respond to broadcast pings
# Ignore ICMP echo requests to broadcast/multicast addresses. We do not
# want to participate in smurf (and similar) DoS attacks.
# For details see: http://en.wikipedia.org/wiki/Smurf_attack.
#
if [ $PROC_SYSCTL_BLOCK_BROADCAST_PINGS_IN -eq 1 ]
then
#echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
  if [ -f /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts ]; then
    echo "1" > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
    echo "          .....Blocking all broadcast pings"
  fi
else
#echo 0 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
  if [ -f /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts ]; then
    echo "0" > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
    echo "          .....Allowing all broadcast pings"
  fi
fi
#
 
#------------------------------------------
# Disable multicast routing. Should not be needed, usually.
# TODO: This throws an "Operation not permitted" error. Why?
#
# The proc entry containing that value is read-only, and cannot be made writable easily.
#
#for i in /proc/sys/net/ipv4/conf/*/mc_forwarding; do echo 0 > $i; done
#
 
#------------------------------------------
# Protect against SYN flood attacks (see http://cr.yp.to/syncookies.html).
#
#echo 1 > /proc/sys/net/ipv4/tcp_syncookies
if [ $PROC_SYSCTL_SYN_COOKIES -eq 1 ] ; then
  if [ -e /proc/sys/net/ipv4/tcp_syncookies ] ; then
    echo "1" > /proc/sys/net/ipv4/tcp_syncookies
    echo "          .....TCP syn cookies protection enabled"
  fi
fi
#
 
#------------------------------------------
# Kill timestamps
#
#echo 0 > /proc/sys/net/ipv4/tcp_timestamps
if [ $PROC_SYSCTL_TIME_STAMPS -eq 1 ] ; then
  if [ -e /proc/sys/net/ipv4/tcp_timestamps ] ; then
    echo "0" > /proc/sys/net/ipv4/tcp_timestamps
    echo "          .....TCP timestamps protection enabled"
  fi
fi
#
 
#------------------------------------------
# Block source routing
#
# Don't accept source routed packets.  Attackers can use source routing·
# to generate traffic pretending to be from inside your network, but·
# which is routed back along the path from which it came, namely outside,·
# so attackers can compromise your network.  Source routing is rarely·
# used for legitimate purposes.
#
#echo 0 > /proc/sys/net/ipv4/conf/all/accept_source_route
if [ $PROC_SYSCTL_SOURCE_ROUTED -eq 1 ] ; then
  if [ -e /proc/sys/net/ipv4/conf/all/accept_source_route ] ; then
    echo "0" > /proc/sys/net/ipv4/conf/all/accept_source_route
    echo "          .....Ignore source routed packets"
  fi
#
 
#------------------------------------------
# Don't accept source routed packets.
#
  for i in /proc/sys/net/ipv4/conf/*/accept_source_route; do echo 0 > $i; done
#
fi
#
 
#------------------------------------------
# Kill redirects
#
# Disable ICMP redirect acceptance. ICMP redirects can be used to alter·
# your routing tables, possibly to a bad end.
#
#echo 0 > /proc/sys/net/ipv4/conf/all/accept_redirects
#echo 0 > /proc/sys/net/ipv4/conf/all/send_redirects
if [ $PROC_SYSCTL_ACCEPT_REDIRECTS -eq 1 ] ; then
  if [ -e /proc/sys/net/ipv4/conf/all/accept_redirects ]; then
    echo "0" > /proc/sys/net/ipv4/conf/all/accept_redirects
    echo "          .....Ignore accept redirected packets"
  fi
 
  for i in /proc/sys/net/ipv4/conf/*/accept_redirects; do echo 0 > $i; done
fi
#
if [ $PROC_SYSCTL_SEND_REDIRECTS -eq 1 ] ; then
  if [ -e /proc/sys/net/ipv4/conf/all/send_redirects ]; then
    echo "0" > /proc/sys/net/ipv4/conf/all/send_redirects
    echo "          .....Ignore send redirected packets"
  fi
 
  for i in /proc/sys/net/ipv4/conf/*/send_redirects; do echo 0 > $i; done
fi
#
 
#------------------------------------------
# Don't accept or send ICMP redirects.
#
#for i in /proc/sys/net/ipv4/conf/*/accept_redirects; do echo 0 > $i; done
#for i in /proc/sys/net/ipv4/conf/*/send_redirects; do echo 0 > $i; done
#
 
#------------------------------------------
# Enable secure redirects, i.e. only accept ICMP redirects for gateways
# listed in the default gateway list. Helps against MITM attacks.
#
#for i in /proc/sys/net/ipv4/conf/*/secure_redirects; do echo 1 > $i; done
if [ $PROC_SYSCTL_SECURE_REDIRECTS -eq 1 ] ; then
  for i in /proc/sys/net/ipv4/conf/*/secure_redirects; do echo 1 > $i; done
fi
#
#
 
#------------------------------------------
# Enable bad error message protection
# Don't log invalid responses to broadcast frames, they just clutter the logs.
#
#echo 1 > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses
if [ $PROC_SYSCTL_ICMP_ERROR_MESG -eq 1 ] ; then
  if [ -f /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses ]; then
    echo "1" > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses
    echo "          .....Enable error message protection"
  fi
fi
#
 
#------------------------------------------
# Log martians
#
# Log packets with impossible addresses
# Log spoofed packets, source routed packets, redirect packets.
#
#echo 1 > /proc/sys/net/ipv4/conf/all/log_martians
if [ $PROC_SYSCTL_LOG_MARTIANS -eq 1 ] ; then
  if [ -f /proc/sys/net/ipv4/conf/all/log_martians ] ; then
    echo "1" > /proc/sys/net/ipv4/conf/all/log_martians
    echo "          .....Logging packets with impossible addresses"
  fi
#
 
#------------------------------------------
# Log packets with impossible addresses.
#
  for i in /proc/sys/net/ipv4/conf/*/log_martians; do echo 1 > $i; done
#
fi
#
 
#------------------------------------------
# Disable bootp_relay. Should not be needed, usually.
#
if [ $PROC_SYSCTL_DISABLE_BOOTP_RELAY -eq 1 ] ; then
  for i in /proc/sys/net/ipv4/conf/*/bootp_relay; do echo 0 > $i; done
fi
#
 
#------------------------------------------
# Disable proxy_arp. Should not be needed, usually.
#
if [ $PROC_SYSCTL_DISABLE_PROXY_ARP -eq 1 ] ; then
  for i in /proc/sys/net/ipv4/conf/*/proxy_arp; do echo 0 > $i; done
fi
#
 
#------------------------------------------
# TODO: These may mitigate ARP poisoning attacks?
# /proc/sys/net/ipv4/neigh/*/locktime
# /proc/sys/net/ipv4/neigh/*/gc_stale_time
# TODO: Check rest of /usr/src/linux/Documentation/networking/ip-sysctl.txt.
# Are there any security-relevant options I missed? Check especially:
# icmp_ratelimit, icmp_ratemask, icmp_errors_use_inbound_ifaddr, arp_*.
#
 
#------------------------------------------
# Set out local port range
#
#echo "32768 61000" > /proc/sys/net/ipv4/ip_local_port_range
#
 
#------------------------------------------
# Reduce timeouts for DoS protection
#
#echo 30 > /proc/sys/net/ipv4/tcp_fin_timeout
#
 
#------------------------------------------
# Other
#
#echo 2400 > /proc/sys/net/ipv4/tcp_keepalive_time
#echo 0 > /proc/sys/net/ipv4/tcp_window_scaling
#echo 0 > /proc/sys/net/ipv4/tcp_sack
#
if [ $PROC_SYSCTL_REDUCE_DOS -eq 1 ] ; then
  echo "30" > /proc/sys/net/ipv4/tcp_fin_timeout
  echo "2400" > /proc/sys/net/ipv4/tcp_keepalive_time
  echo "0" > /proc/sys/net/ipv4/tcp_window_scaling
  echo "0" > /proc/sys/net/ipv4/tcp_sack
  echo "          .....Denial of Service Reduction Measures"
fi
 
#
fi
#
 
#*********************************************************
#
# Completely disable IPv6.
#
# Block all IPv6 traffic
#
#------------------------------------------
# If the ip6tables command is available, try to block all IPv6 traffic.
#
if test -x $IP6TABLES; then
 
#------------------------------------------
# Set the default policies.
# Drop everything.
$IP6TABLES -P INPUT DROP 2>/dev/null
$IP6TABLES -P FORWARD DROP 2>/dev/null
$IP6TABLES -P OUTPUT DROP 2>/dev/null
 
#------------------------------------------
# The mangle table can pass everything.
$IP6TABLES -t mangle -P PREROUTING ACCEPT 2>/dev/null
$IP6TABLES -t mangle -P INPUT ACCEPT 2>/dev/null
$IP6TABLES -t mangle -P FORWARD ACCEPT 2>/dev/null
$IP6TABLES -t mangle -P OUTPUT ACCEPT 2>/dev/null
$IP6TABLES -t mangle -P POSTROUTING ACCEPT 2>/dev/null
 
#------------------------------------------
# Delete all rules.
$IP6TABLES -F 2>/dev/null
$IP6TABLES -t mangle -F 2>/dev/null
 
#------------------------------------------
# Delete all chains.
$IP6TABLES -X 2>/dev/null
$IP6TABLES -t mangle -X 2>/dev/null
 
#------------------------------------------
# Zero all packets and counters.
$IP6TABLES -Z 2>/dev/null
$IP6TABLES -t mangle -Z 2>/dev/null
 
fi
 
#------------------------------------------
# Shellshock
$IP6TABLES -A INPUT -m string --algo bm --hex-string '|28 29 20 7B|' -j DROP
$IP6TABLES -A INPUT -m string --algo bm --hex-string '|28 29 20 7B|' -j DROP
 
#*********************************************************
#
# Create the chains
#
$IPTABLES -N IANA_RESERVED
$IPTABLES -N BAD_PACKETS
$IPTABLES -N BAD_TCP_PACKETS
 
if [ $DO_WHITELISTING -eq 1 ]
then
$IPTABLES -N WHITELIST
fi
 
if [ $DO_PORT_KNOCKING -eq 1 ]
then
$IPTABLES -N PORT_KNOCK
$IPTABLES -N PORT_KNOCK_STAGE1
$IPTABLES -N PORT_KNOCK_STAGE2
$IPTABLES -N PORT_KNOCK_STAGE3
fi
 
$IPTABLES -N PRIVATE_PACKETS
$IPTABLES -N BLACKLIST
 
if [ $BLOCK_BRUTE_FORCE_ATTACKS -eq 1 ]
then
$IPTABLES -N ATTACK
$IPTABLES -N ATTACK2
$IPTABLES -N ATTACK_CHECK
$IPTABLES -N ATTACKED1
$IPTABLES -N ATTACKED2
$IPTABLES -N ATTACKED3
$IPTABLES -N ATTACKED4
$IPTABLES -N ATTACKED5
$IPTABLES -N ATTACKED6
$IPTABLES -N ATTACKED7
$IPTABLES -N ATTACKED8
$IPTABLES -N ATTACKED9
$IPTABLES -N BAN1
$IPTABLES -N BAN2
$IPTABLES -N BAN3
$IPTABLES -N BAN4
$IPTABLES -N BAN5
$IPTABLES -N BAN6
$IPTABLES -N BAN7
$IPTABLES -N BAN8
$IPTABLES -N BAN9
fi
 
 
if [ $BLOCK_FLOODS -eq 1 ]
then
$IPTABLES -N FLOODS
fi
 
if [ $BLOCK_VIRUSES -eq 1 ]
then
$IPTABLES -N VIRUS
fi
 
if [ $DO_LOG_SCANS -eq 1 ]
then
$IPTABLES -N SCANS
fi
 
$IPTABLES -N ICMP_IN
$IPTABLES -N ICMP_OUT
$IPTABLES -N TCP_IN
$IPTABLES -N TCP_OUT
$IPTABLES -N UDP_IN
$IPTABLES -N UDP_OUT
$IPTABLES -N NO_LOGGING
 
if [ $DO_QUOTA -eq 1 ]
then
$IPTABLES -N QUOTA
fi
#
 
#*********************************************************
# Check Quotas
#
if [ $DO_QUOTA -eq 1 ]
then
$IPTABLES -A QUOTA -p tcp -m quota --quota $QUOTA_LIMIT_TCP -j RETURN
$IPTABLES -A QUOTA -p udp -m quota --quota $QUOTA_LIMIT_UDP -j RETURN
$IPTABLES -A QUOTA -p icmp -m quota --quota $QUOTA_LIMIT_ICMP -j RETURN
$IPTABLES -A QUOTA -m limit --limit $LIMIT_LOG --limit-burst $LIMIT_LOG_BURST -j LOG --log-level $LOG_LEVEL --log-prefix "IPT=QUOTA a=DROP "
$IPTABLES -A QUOTA -j DROP
fi
#
 
#*********************************************************
# Filter IANA RESERVED
#
$IPTABLES -A IANA_RESERVED -s $RANGE_IANA_RESERVED -m limit --limit $LIMIT_LOG --limit-burst $LIMIT_LOG_BURST -j LOG --log-level $LOG_LEVEL --log-prefix "IPT=IANA_RESERVED a=DROP "
 
$IPTABLES -A IANA_RESERVED -s $RANGE_IANA_RESERVED -j DROP
 
#$IPTABLES -A IANA_RESERVED -s 0.0.0.0/7 -j DROP
#$IPTABLES -A IANA_RESERVED -s 2.0.0.0/8 -j DROP
#$IPTABLES -A IANA_RESERVED -s 5.0.0.0/8 -j DROP
#$IPTABLES -A IANA_RESERVED -s 7.0.0.0/8 -j DROP
#$IPTABLES -A IANA_RESERVED -s 10.0.0.0/8 -j DROP
#$IPTABLES -A IANA_RESERVED -s 23.0.0.0/8 -j DROP
#$IPTABLES -A IANA_RESERVED -s 27.0.0.0/8 -j DROP
#$IPTABLES -A IANA_RESERVED -s 31.0.0.0/8 -j DROP
#$IPTABLES -A IANA_RESERVED -s 36.0.0.0/7 -j DROP
#$IPTABLES -A IANA_RESERVED -s 39.0.0.0/8 -j DROP
#$IPTABLES -A IANA_RESERVED -s 42.0.0.0/8 -j DROP
#$IPTABLES -A IANA_RESERVED -s 49.0.0.0/8 -j DROP
#$IPTABLES -A IANA_RESERVED -s 50.0.0.0/8 -j DROP
#$IPTABLES -A IANA_RESERVED -s 77.0.0.0/8 -j DROP
#$IPTABLES -A IANA_RESERVED -s 78.0.0.0/7 -j DROP
#$IPTABLES -A IANA_RESERVED -s 92.0.0.0/6 -j DROP
#$IPTABLES -A IANA_RESERVED -s 96.0.0.0/4 -j DROP
#$IPTABLES -A IANA_RESERVED -s 112.0.0.0/5 -j DROP
#$IPTABLES -A IANA_RESERVED -s 120.0.0.0/8 -j DROP
#$IPTABLES -A IANA_RESERVED -s 169.254.0.0/16 -j DROP
#$IPTABLES -A IANA_RESERVED -s 172.16.0.0/12 -j DROP
#$IPTABLES -A IANA_RESERVED -s 173.0.0.0/8 -j DROP
#$IPTABLES -A IANA_RESERVED -s 174.0.0.0/7 -j DROP
#$IPTABLES -A IANA_RESERVED -s 176.0.0.0/5 -j DROP
#$IPTABLES -A IANA_RESERVED -s 184.0.0.0/6 -j DROP