computer_setup:firewall
Table of Contents
Computer Setup - Firewall
cat /sys/module/xt_recent/parameters/ip_list_tot cat /sys/module/xt_recent/parameters/ip_pkt_lisA cat /sys/module/xt_recent/parameters/ip_list_uid cat /sys/module/xt_recent/parameters/ip_list_tot echo 100000 > /sys/module/xt_recent/parameters/ip_list_tot /sbin/modprobe ipt_recent ip_list_tot=100000 ip_pkt_list_tot=255 most /proc/net/xt_recent/ATTACK /proc/net/xt_recent/BANNED1 /proc/net/xt_recent/BANNED2 /proc/net/xt_recent/BANNED3 /proc/net/xt_recent/BANNED4 /var/log/iptables.log grep src=64. /proc/net/xt_recent/* echo -64.20.227.134 > /proc/net/xt_recent/ATTACK echo -64.20.227.134 > /proc/net/xt_recent/BANNED1 grep 192.168.1. /proc/net/xt_recent/* wc /proc/net/xt_recent/* apt install ipcalc ipcalc 0.0.0.0/7 ipcalc 224.0.0.0/3 ipcalc 96.0.0.0/4
Firewall Reset
#!/bin/bash # # Resets all firewall rules echo "Stopping firewall and allowing everyone..." # # Modify the following settings as required: # IPTABLES=/sbin/iptables # # Reset the default policies in the filter table. # $IPTABLES -P INPUT ACCEPT $IPTABLES -P FORWARD ACCEPT $IPTABLES -P OUTPUT ACCEPT # # Reset the default policies in the nat table. # $IPTABLES -t nat -P PREROUTING ACCEPT $IPTABLES -t nat -P POSTROUTING ACCEPT $IPTABLES -t nat -P OUTPUT ACCEPT # # Reset the default policies in the mangle table. # $IPTABLES -t mangle -P PREROUTING ACCEPT $IPTABLES -t mangle -P POSTROUTING ACCEPT $IPTABLES -t mangle -P INPUT ACCEPT $IPTABLES -t mangle -P OUTPUT ACCEPT $IPTABLES -t mangle -P FORWARD ACCEPT # # Flush all the rules in the filter, nat and mangle tables. # $IPTABLES -F $IPTABLES -t nat -F $IPTABLES -t mangle -F # # Erase all chains that are not default in filter, nat and mangle tables. # $IPTABLES -X $IPTABLES -t nat -X $IPTABLES -t mangle -X
Firewall
#!/bin/bash # # Modify the following settings as required: # # You should check/test that the firewall really works, using # iptables -vnL, nmap, ping, telnet, ... # # TODO: ICQ, MSN, GTalk, Skype, Yahoo, etc... IPTABLES=/sbin/iptables IP6TABLES=/sbin/ip6tables LOAD_MODULES=yes LOAD_MODULES_IPV6=no DEPMOD=/sbin/depmod MODPROBE=/sbin/modprobe RMMOD=/sbin/rmmod ARP=/usr/sbin/arp # # REJECT target works basically the same as the DROP target, but it also sends # back an error message to the host sending the packet that was blocked. # # The REJECT target is as of today only valid in the INPUT, FORWARD and OUTPUT # chains or their sub chains. # # REJECT --reject-with tcp-reset # RFC 793. TCP RST packets are used to close open TCP connections gracefully. # REJECT --icmp-net-unreachable # # REJECT --icmp-host-unreachable # # REJECT --icmp-port-unreachable # Default # REJECT --icmp-proto-unreachable # # REJECT --icmp-net-prohibited # # REJECT --icmp-host-prohibited # #********************************************************* # # Interfaces # #SERVER_INTERFACE=`ip addr show | awk '$1 == "inet" && $3 == "brd" { print $7 }'` #SERVER_IP=`ifconfig $SERVER_INTERFACE | grep inet | awk '{ print $2 }'| cut -d : -f2` #tmp=$(/sbin/ifconfig $LANFACE | grep -m 1 inet | tr -d [:alpha:]) #ifconfig em1 | grep -m 1 inet | tr -d [:alpha:] #INET_IP=$(echo $tmp | cut -d : -f2) #INET_BCAST=$(echo $tmp | cut -d : -f3) #INET_MASK=$(echo $tmp | cut -d : -f4) #unset tmp # # Internet Interface # #INET_IFACE="eth0" #INET_IFACE="em1" INET_IFACE="br0" #INET_IFACE=$(/sbin/ifconfig | awk '/Link / { print $1 } ' | head -n 1) INET_GW="192.168.1.1" INET_IP="192.168.1.2" INET_NET="192.168.1.0/24" INET_BCAST="192.168.1.255" # # # Local Interface Information # #LOCAL_IFACE="eth1" LOCAL_IFACE="em2" #LOCAL_IFACE=$(/sbin/ifconfig | awk '/Link / { print $1 } ' | sed -n -e '2{p;q;}') LOCAL_IP="192.168.0.2" LOCAL_NET="192.168.0.0/24" LOCAL_BCAST="192.168.0.255" # # # Localhost Interface # LO_IFACE="lo" LO_IP="127.0.0.1" # # # Standard Definitions # ALL="0/0" CLASS_A="10.0.0.0/8" CLASS_B="172.16.0.0/12" CLASS_C="192.168.0.0/16" CLASS_D_MULTICAST="224.0.0.0/4" CLASS_E_RESERVED_NET="240.0.0.0/5" LOOPBACK="127.0.0.0/8" P_PORTS="0:1023" UP_PORTS="1024:65535" # # # DNS servers # DNS_SERVERS="83.137.248.244 93.187.151.197 8.8.8.8 8.8.4.4" # ########################################################################### # # Module loading. # if [ $LOAD_MODULES == "yes" ]; then # # Initially load modules # $DEPMOD -a # # Required modules # $MODPROBE ip_tables # Required; all IPv4 modules depend on this one. #$MODPROBE ip6_tables # Required; all IPv6 modules depend on this one. $MODPROBE ip_conntrack # Allows connection tracking state match, which allows you to write rules matching the state of a connection. $MODPROBE ip_conntrack_ftp # Permits active FTP; requires ip_conntrack. Recognises connection is related to original port 21. $MODPROBE iptable_filter # $MODPROBE iptable_mangle # Implement the mangle table. $MODPROBE iptable_nat # Implement the NAT table. $MODPROBE ip_nat_ftp # $MODPROBE ipt_LOG # $MODPROBE ipt_limit # Allows log limits. $MODPROBE ipt_state # Permits packet state checking (SYN, SYN-ACK, ACK, and so on). # # To prevent the dmesg command showing errors such as: # xt_recent: hitcount (25) is larger than packets to be remembered (20) # # The following command shows all the xt_recent parameters: # head /sys/module/xt_recent/parameters/* # # ls -al /proc/net/xt_recent/ # # Use modinfo xt_recent to see the possible parameters. # # ls -1 /sys/module/xt_recent/parameters/ # Any of the parameters can be checked by simply: # cat /sys/module/xt_recent/parameters/ip_pkt_list_tot # #$RMMOD xt_recent $MODPROBE xt_recent ip_list_tot=100000 ip_pkt_list_tot=255 #$MODPROBE ipt_recent ip_list_tot=100000 ip_pkt_list_tot=255 # # Non-Required modules # #$MODPROBE ipt_owner # #$MODPROBE ipt_REJECT # Implement the REJECT target. #$MODPROBE ipt_MASQUERADE # #$MODPROBE ip_conntrack_ftp # #$MODPROBE ip_conntrack_irc # #$MODPROBE ip_nat_ftp # #$MODPROBE ip_nat_irc # # fi #********************************************************* # What to allow # # 0=no # 1=yes # ALLOW_APPLESHARE_IN=0 # 500 ALLOW_APPLESHARE_OUT=0 # 500 ALLOW_BITTORRENT_IN=0 # ALLOW_BITTORRENT_OUT=0 # ALLOW_BOOTP_CLIENT_IN=0 # 68 DHCP boot protocol client ALLOW_BOOTP_CLIENT_OUT=0 # 68 DHCP boot protocol client ALLOW_BOOTP_SERVER_IN=0 # 67 DHCP boot protocol server ALLOW_BOOTP_SERVER_OUT=0 # 67 DHCP boot protocol server ALLOW_CHARGEN_IN=0 # 19 ALLOW_CHARGEN_OUT=0 # 19 ALLOW_CORBA_IIOP_IN=0 # 535 ALLOW_CORBA_IIOP_OUT=0 # 535 ALLOW_CUPS_IN=0 # CUPS printer service ALLOW_CUPS_OUT=0 # CUPS printer service ALLOW_CVS_IN=0 # ALLOW_CVS_OUT=0 # ALLOW_DAYTIME_IN=0 # 13 daytime-server ALLOW_DAYTIME_OUT=0 # 13 daytime-server ALLOW_DHCP_BROADCAST_IN=1 # ALLOW_DHCP_BROADCAST_OUT=1 # ALLOW_DISCARD_IN=0 # 9 discard-server ALLOW_DISCARD_OUT=0 # 9 discard-server ALLOW_DNS_IN=1 # 53 ALLOW_DNS_OUT=1 # 53 ALLOW_ECHO_IN=0 # 7 echo-server ALLOW_ECHO_OUT=0 # 7 echo-server ALLOW_FINGER_IN=0 # 79 ALLOW_FINGER_OUT=0 # 79 ALLOW_FTP_IN=1 # 20, 21=ftp-data ALLOW_FTP_OUT=1 # 20, 21=ftp-data ALLOW_HTTP_IN=1 # 80 ALLOW_HTTP_OUT=1 # 80 ALLOW_HTTPS_IN=1 # 443 ALLOW_HTTPS_OUT=1 # 443 ALLOW_ICMP_PARAM_PROBLEM_IN=0 # ALLOW_IDENT_IN=1 # 59??? What about 113? Are these different? ALLOW_IDENT_OUT=1 # 59??? What about 113? Are these different? ALLOW_IMAP_IN=1 # 143 ALLOW_IMAP_OUT=1 # 143 ALLOW_IMAPS_IN=1 # 993 ALLOW_IMAPS_OUT=1 # 993 ALLOW_IRC_IN=0 # ALLOW_IRC_OUT=0 # ALLOW_KAZAA_IN=0 # 1214 ALLOW_KAZAA_OUT=0 # 1214 ALLOW_KPASSWD_IN=0 # 464 ALLOW_KPASSWD_OUT=0 # 464 ALLOW_KRB5_IN=0 # 88 Kerberos ALLOW_KRB5_OUT=0 # 88 Kerberos ALLOW_LDAP_IN=0 # 389 ALLOW_LDAP_OUT=0 # 389 ALLOW_LDAPS_IN=0 # 636 Secure LDAP ALLOW_LDAPS_OUT=0 # 636 Secure LDAP ALLOW_LINUX_CONF_IN=0 # 98 ALLOW_LINUX_CONF_OUT=0 # 98 ALLOW_LINUX_MOUNTD_BUG_IN=0 # 635 ALLOW_LINUX_MOUNTD_BUG_OUT=0 # 635 ALLOW_MS_EXCHANGE_IN=0 # 691 ALLOW_MS_EXCHANGE_OUT=0 # 691 ALLOW_MS_FILE_SERVER_FOR_MACINTOSH_IN=0 # 548 Enables Macintosh computer users to store and access files on a computer running Windows Server 2003. ALLOW_MS_FILE_SERVER_FOR_MACINTOSH_OUT=0 # 548 Enables Macintosh computer users to store and access files on a computer running Windows Server 2003 ALLOW_MS_FT_DS_IN=0 # 445 ALLOW_MS_FT_DS_OUT=0 # 445 ALLOW_MS_RPC_IN=0 # 135 ALLOW_MS_RPC_OUT=0 # 135 ALLOW_MS_RPC_OVER_HTTP_IN=0 # 593 ALLOW_MS_RPC_OVER_HTTP_OUT=0 # 593 ALLOW_MSSQL_IN=0 # 1433 MSSQL database ALLOW_MSSQL_OUT=0 # 1433 MSSQL database ALLOW_MSSQL_MONITOR_IN=0 # 1434 MSSQL monitor ALLOW_MSSQL_MONITOR_OUT=0 # 1434 MSSQL monitor ALLOW_MYSQL_IN=0 # 3306 MySQL database ALLOW_MYSQL_OUT=0 # 3306 MySQL database ALLOW_NC_IN=0 # 2030 ALLOW_NC_OUT=0 # 2030 ALLOW_NCP_IN=0 # 524 ALLOW_NCP_OUT=0 # 524 ALLOW_NETWORK_LOG_CLIENT_IN=0 # 1394 ALLOW_NETWORK_LOG_CLIENT_OUT=0 # 1394 ALLOW_NFS_IN=0 # 1025 ALLOW_NFS_OUT=0 # 1025 ALLOW_NNTP_IN=0 # 119 NNTP news ALLOW_NNTP_OUT=0 # 119 NNTP news ALLOW_NTP_IN=1 # 123 ALLOW_NTP_OUT=1 # 123 ALLOW_OPENVPN_IN=0 # ALLOW_OPENVPN_OUT=0 # ALLOW_PCANYWHERE_IN=0 # 5623 ALLOW_PCANYWHERE_OUT=0 # 5623 ALLOW_PC_SERVER_BACKDOOR_IN=0 # 600 ALLOW_PC_SERVER_BACKDOOR_OUT=0 # 600 ALLOW_PHASE_ZERO_IN=0 # 555 ALLOW_PHASE_ZERO_OUT=0 # 555 ALLOW_PING_IN=0 # ALLOW_PING_OUT=1 # ALLOW_PLESK_IN=0 # PLESK desktop ALLOW_PLESK_OUT=0 # PLESK desktop ALLOW_PLEX_IN=1 # PLEX ALLOW_PLEX_OUT=1 # PLEX ALLOW_POP2_IN=0 # 109 ALLOW_POP2_OUT=0 # 109 ALLOW_POP3_IN=1 # 110 ALLOW_POP3_OUT=1 # 110 ALLOW_POP3S_IN=1 # 995 ALLOW_POP3S_OUT=1 # 995 ALLOW_POSTGRESQL_IN=0 # ALLOW_POSTGRESQL_OUT=0 # ALLOW_PRINT_IN=0 # 515 Allow printer port ALLOW_PRINT_OUT=0 # 515 Allow printer port ALLOW_REAL_SERVER_IN=0 # 554 ALLOW_REAL_SERVER_OUT=0 # 554 ALLOW_ROUTE_IN=0 # 520 ALLOW_ROUTE_OUT=0 # 520 ALLOW_RWHO_IN=0 # 513 ALLOW_RWHO_OUT=0 # 513 ALLOW_RWHOIS_IN=1 # 4321 ALLOW_RWHOIS_OUT=1 # 4321 ALLOW_SAMBA_IN=1 # 137=SMB Name, 138=SMB Data, 139=SMB Session ALLOW_SAMBA_OUT=1 # 137=SMB Name, 138=SMB Data, 139=SMB Session ALLOW_SGI_IRIX_TCPMUX_IN=0 # 1 ALLOW_SGI_IRIX_TCPMUX_OUT=0 # 1 ALLOW_SMTP_IN=1 # 25 Do NOT allow unencrypted SMTP! Use SMTPS instead. ALLOW_SMTP_OUT=1 # 25 Do NOT allow unencrypted SMTP! Use SMTPS instead. ALLOW_SMTPS_IN=1 # 465 ALLOW_SMTPS_OUT=1 # 465 ALLOW_SNMP_IN=0 # 161 ALLOW_SNMP_OUT=0 # 161 ALLOW_SOCKS5_IN=0 # 1080 ALLOW_SOCKS5_OUT=0 # 1080 ALLOW_SSH_IN=1 # 22 ALLOW_SSH_OUT=1 # 22 ALLOW_SQL_IN=0 # 1114 ALLOW_SQL_OUT=0 # 1114 ALLOW_SQUID_IN=0 # 3128 SQUID proxy ALLOW_SQUID_OUT=0 # 3128 SQUID proxy ALLOW_SUB7_IN=0 # 1243 ALLOW_SUB7_OUT=0 # 1243 ALLOW_SUBMISSION_IN=1 # 587 ALLOW_SUBMISSION_OUT=1 # 587 ALLOW_SUNRPC_IN=0 # 111 Also RPCbind ALLOW_SUNRPC_OUT=0 # 111 Also RPCbind ALLOW_SVN_IN=0 # ALLOW_SVN_OUT=0 # ALLOW_TELNET_IN=0 # 23 ALLOW_TELNET_OUT=0 # 23 ALLOW_TFTP_IN=0 # 69 Trivial FTP ALLOW_TFTP_OUT=0 # 69 Trivial FTP ALLOW_TIME_IN=0 # 37 ALLOW_TIME_OUT=0 # 37 ALLOW_TIME_SERVER_IN=0 # 525 ALLOW_TIME_SERVER_OUT=0 # 525 ALLOW_TOMCAT_IN=0 # 9080 ALLOW_TOMCAT_OUT=0 # 9080 ALLOW_TOR_OUT=0 # ALLOW_TRACEROUTE_IN=0 # ALLOW_TRACEROUTE_OUT=1 # ALLOW_UNIX_SYSSTAT_IN=0 # 11 ALLOW_UNIX_SYSSTAT_OUT=0 # 11 ALLOW_UPNP_IN=0 # 2869 Universal Plug and Play ALLOW_UPNP_OUT=0 # 2869 Universal Plug and Play ALLOW_WEBLOGIN_IN=1 # 2054 Needed for sharing ALLOW_WEBLOGIN_OUT=0 # 2054 Needed for sharing ALLOW_WHOIS_IN=1 # 43 See also RWHOIS ALLOW_WHOIS_OUT=1 # 43 See also RWHOIS ALLOW_WINDOWS_MESSAGE_IN=0 # 1026, 1027 ALLOW_WINDOWS_MESSAGE_IN=0 # 1026, 1027 ALLOW_TRACEROUTE_IN=1 # ALLOW_TRACEROUTE_OUT=1 # ALLOW_XDMCP_IN=0 # 177 ALLOW_XDMCP_OUT=0 # 177 ALLOW_XWINDOWS_IN=0 # ALLOW_XWINDOWS_OUT=0 # ALLOW_XWINDOWS_FONTSERVER_IN=0 # ALLOW_XWINDOWS_FONTSERVER_OUT=0 # BLOCK_AKAMAI=1 # BLOCK_BROADCASTS=1 # BLOCK_BRUTE_FORCE_ATTACKS=1 # BLOCK_CONNECTIONS_COUNT=1 # BLOCK_DROPBOX_LAN_SYNC_BROADCASTS=1 # BLOCK_FACEBOOK=0 # BLOCK_FLOODS=1 # BLOCK_SAMBA_WITHOUT_LOGGING=0 # BLOCK_OVERSIZE_ICMP_PACKETS=1 # BLOCK_VIRUSES=1 # DO_BAD_PACKETS_LAST=0 # Less logging DO_KERNEL_SECURE=1 # Set various kernel network protection on DO_LOG_SCANS=1 # if 1 will log well known scans whilst dropping them DO_MASQUERADE=0 # if 0 will use SNAT / DNAT DO_PORT_KNOCKING=0 # if 1 will allow Port Knocking DO_QUICK_NTP=0 # if 1 will allow NTP in without any checks DO_QUOTA=0 # If 1 then will switch on quota checking DO_REJECT_INSTEAD_OF_DROP=0 # Reject instead of drop DO_STEALTH_ALL_IN=0 # Stealth all incoming DO_WHITELISTING=0 # Dangerous if made a 1 # #********************************************************* # # /proc sysctl settings # PROC_SYSCTL_IP_FORWARD=1 # To enable ipforward, VERY important PROC_SYSCTL_BLOCK_ALL_PINGS_IN=1 # Block ALL the pings from everywhere PROC_SYSCTL_BLOCK_BROADCAST_PINGS_IN=1 # Don't respond to broadcast pings (smurf) PROC_SYSCTL_ICMP_ERROR_MESG=1 # Protect against bogus error messages PROC_SYSCTL_LOG_MARTIANS=1 # Log packets with impossible addresses PROC_SYSCTL_IP_SPOOFING=1 # Disable spoofing attacks on ALL interfaces PROC_SYSCTL_REDUCE_DOS=1 # Reduces the timeouts and the posibility of a DOS PROC_SYSCTL_SYN_COOKIES=1 # Enable tcp syn cookies protection PROC_SYSCTL_TIME_STAMPS=1 # Enable tcp timestamps protection PROC_SYSCTL_SOURCE_ROUTED=1 # Ignore source routed packets PROC_SYSCTL_ACCEPT_REDIRECTS=1 # Ignore accepted redirected packets PROC_SYSCTL_SEND_REDIRECTS=1 # Ignore send redirected packets PROC_SYSCTL_SECURE_REDIRECTS=1 # Enable secure redirects PROC_SYSCTL_DISABLE_BOOTP_RELAY=1 # Disable BootP relays PROC_SYSCTL_DISABLE_PROXY_ARP=1 # Disable Proxy ARP # #********************************************************* # Trusted hosts # # Hosts that are auto allowed into the system if WhiteListing # is allowed. # TRUSTED_HOSTS="192.168.0.10" UNTRUSTED_HOSTS="123.123.123.123,134.134.134.134" #UNTRUSTED_HOSTS="123.123.123.123,www.facebook.com" # #********************************************************* # Port Knocking # # Port knocking is a method of externally opening ports on a firewall by # generating a connection attempt on a set of prespecified closed ports. # # Once a correct sequence of connection attempts is received, the firewall # rules are dynamically modified to allow the host which sent the connection # attempts to connect over specific port(s). # PORT_KNOCK_1="3456" PORT_KNOCK_2="4567" PORT_KNOCK_3="1234" PORT_KNOCK_ALLOW="22" # #********************************************************* # Websites to stop # #WEB_FACEBOOK="facebook.com" # #********************************************************* # Connection limits # # Against brute-force attacks. # # 4 connect/min 5 connects/3 mins 10 connects/10 mins 25 connects/20 mins 50 connects/40 mins ... # Offense #1 10 min 30 min 1 hour 2 hours 3 hours # Offense #2 30 min 1 hour 2 hours 3 hours 6 hours # Offense #3 1 hour 2 hours 3 hours 6 hours 1 day # Offense #4 2 hours 3 hours 6 hours 1 day 1 week # Offense #5 3 hours 6 hours 1 day 1 week 1 month # Offense #6 6 hours 1 day 1 week 1 month 1 month # Offense #7 1 day 1 week 1 month 1 month 1 month # Offense #8 1 week 1 month 1 month 1 month 1 month # Offense #9 1 month 1 month 1 month 1 month 1 month # CONNECTION_MAX_1=4 # 4 Connections CONNECTION_MAX_2=5 # 5 Connections CONNECTION_MAX_3=10 # 10 Connections CONNECTION_MAX_4=25 # 25 Connections CONNECTION_MAX_5=50 # 50 Connections CONNECTION_MAX_6=75 # 75 Connections CONNECTION_MAX_7=100 # 100 Connections CONNECTION_MAX_8=200 # 200 Connections CONNECTION_MAX_9=255 # 255 Connections # CONNECTION_LIMIT_1=60 # 1 Minute CONNECTION_LIMIT_2=180 # 3 Minutes CONNECTION_LIMIT_3=600 # 10 Minutes CONNECTION_LIMIT_4=1200 # 20 Minutes CONNECTION_LIMIT_5=2400 # 40 Minutes CONNECTION_LIMIT_6=3600 # 60 Minutes (1 hour) CONNECTION_LIMIT_7=7200 # 120 Minutes (2 hours) CONNECTION_LIMIT_8=10800 # 180 Minutes (3 hours) CONNECTION_LIMIT_9=21600 # 360 minutes (6 hours) # # Offence timeouts CONNECTION_TIMEOUT_1=600 # 10 Minute CONNECTION_TIMEOUT_2=1800 # 30 Minutes CONNECTION_TIMEOUT_3=3600 # 60 Minutes (1 hour) CONNECTION_TIMEOUT_4=7200 # 120 Minutes (2 hours) CONNECTION_TIMEOUT_5=10800 # 180 Minutes (3 hours) CONNECTION_TIMEOUT_6=21600 # 360 Minutes (6 hours) CONNECTION_TIMEOUT_7=86400 # 24 hours (1 day) CONNECTION_TIMEOUT_8=604800 # 168 hours (1 week) CONNECTION_TIMEOUT_9=2635200 # 732 hours (1 month) #********************************************************* # Log limit # LOG_LEVEL=7 #LOG="LOG --log-level debug --log-tcp-sequence --log-tcp-options" #LOG="$LOG --log-ip-options" #LOG="--log-ip-options --log-tcp-options # #********************************************************* # String Search Algorith # STRING_ALGO="bm" STRING_ALGO2="kmp" # #********************************************************* # Quota limits # QUOTA_LIMIT_TCP="2147483648" # 2 GB Quota limit QUOTA_LIMIT_UDP="2147483648" # 2 GB Quota limit QUOTA_LIMIT_ICMP="2147483648" # 2 GB Quota limit # #********************************************************* # DNS limits # # Limits the number of DNS queries per second to 5/s # with a burst rate of 15/s and does not require buffer space changes. # # Limit the requests per second to 5, which leads to 35 requests in 7 seconds. # To solve the first-second burst, allow for 15 requests to happen in each of # the seven seconds. # DNS open time. DNS_TIMEOUT="7" # DNS Requests per second DNS_BURST="15" # DNS Requests per 7 seconds DNS_TOTAL_REQUESTS="35" # #********************************************************* # Flooding limits # # # Limit per second LIMIT_PER_SECOND="4" # # Limit for SYN connections LIMIT_SYN_MAX="9" # # Limit for SYN-Flood detection LIMIT_SYN="5/s" # # # Burst Limit for SYN-Flood detection LIMIT_SYN_BURST="10" # # # Overall Limit for Logging in Logging-Chains LIMIT_LOG="2/s" # # # Burst Limit for Logging in Logging-Chains LIMIT_LOG_BURST="10" # # # Overall Limit for TCP-Flood-Detection LIMIT_TCP="5/s" # # # Burst Limit for TCP-Flood-Detection LIMIT_TCP_BURST="10" # # # Overall Limit for UDP-Flood-Detection LIMIT_UDP="5/s" # # # Burst Limit for TCP-Flood-Detection LIMIT_UDP_BURST="10" # # # Overall Limit for Ping-Flood-Detection LIMIT_PING="5/s" # # # Burst Limit for Ping-Flood-Detection LIMIT_PING_BURST="10" # #************************************************** #********** Do not edit beyond this line ********** #************************************************** # # IP Mask for all IP addresses PORTS_UNIVERSE="0.0.0.0/0" PORTS_BROADCAST="255.255.255.255" # # # Ports for Dropbox Lan Sync Broadcasts PORTS_DROPBOX_LAN_SYNC_BROADCASTS="17500" # # # Ports for IRC-Connection-Tracking PORTS_IRC="6665,6666,6667,6668,6669,7000" # # # Ports for PLEX PORTS_PLEX="32412:32414" # # # Ports for TOR # (http://tor.eff.org) PORTS_TOR="9001,9002,9030,9031,9090,9091" # # # Ports for traceroute PORTS_TRACEROUTE_SRC="32769:65535" PORTS_TRACEROUTE_DEST="33434:33523" # # # Specification of the high unprivileged IP ports. PORTS_UNPRIV="1024:65535" PORTS_PSSH="1000:1023" # # # Specification of X Window System (TCP) PORTS_XWIN="6000:6063" # #********************************************************* # AKAMAI # # http://www.matveev.se/net/akamai.htm # RANGE_AKAMAI="2.16.0.0/13,2.23.144.0/20,23.0.0.0/12,23.32.0.0/11,23.64.0.0/14,62.115.0.0/16,72.246.0.0/15,80.239.128.0/19" RANGE_AKAMAI="$RANGE_AKAMAI,80.239.160.0/19,80.239.192.0/19,80.239.224.0/19,84.53.168.0/22,88.221.176.0/21,96.6.0.0/15" RANGE_AKAMAI="$RANGE_AKAMAI,96.16.0.0/15,217.208.0.0/13,74.125.0.0/16,173.194.0.0/16,209.85.128.0/17" #********************************************************* # IANA RESERVED # RANGE_IANA_RESERVED="0.0.0.0/7,2.0.0.0/8,5.0.0.0/8,7.0.0.0/8,10.0.0.0/8,23.0.0.0/8,27.0.0.0/8,31.0.0.0/8,36.0.0.0/7,39.0.0.0/8" RANGE_IANA_RESERVED="$RANGE_IANA_RESERVED,42.0.0.0/8,49.0.0.0/8,50.0.0.0/8,77.0.0.0/8,78.0.0.0/7,92.0.0.0/6,96.0.0.0/4,112.0.0.0/5" RANGE_IANA_RESERVED="$RANGE_IANA_RESERVED,120.0.0.0/8,169.254.0.0/16,172.16.0.0/12,173.0.0.0/8,174.0.0.0/7,176.0.0.0/5,184.0.0.0/6" RANGE_IANA_RESERVED="$RANGE_IANA_RESERVED,192.0.2.0/24,197.0.0.0/8,198.18.0.0/15,223.0.0.0/8,224.0.0.0/3" # #********************************************************* # Mitigate ARP spoofing/poisoning and similar attacks. #------------------------------------------------------------------------------ # Hardcode static ARP cache entries here # $ARP -s IP-ADDRESS MAC-ADDRESS # #********************************************************* # Delete all existing rules # $IPTABLES -F $IPTABLES -t nat -F $IPTABLES -t mangle -F $IPTABLES -X $IPTABLES -t nat -X $IPTABLES -t mangle -X # # # Zero all packets and counters. # $IPTABLES -Z $IPTABLES -t nat -Z $IPTABLES -t mangle -Z # # Set Policies # By default, drop everything except outgoing traffic # $IPTABLES -P INPUT DROP $IPTABLES -P FORWARD DROP $IPTABLES -P OUTPUT DROP # # Set the nat/mangle/raw tables' chains to ACCEPT $IPTABLES -t nat -P PREROUTING ACCEPT $IPTABLES -t nat -P OUTPUT ACCEPT $IPTABLES -t nat -P POSTROUTING ACCEPT $IPTABLES -t mangle -P PREROUTING ACCEPT $IPTABLES -t mangle -P INPUT ACCEPT $IPTABLES -t mangle -P FORWARD ACCEPT $IPTABLES -t mangle -P OUTPUT ACCEPT $IPTABLES -t mangle -P POSTROUTING ACCEPT #if [ $BLOCK_BROADCASTS -eq 1 ] #then #$IPTABLES -A INPUT DROP #$IPTABLES -A INPUT -d $INET_BCAST -i INET_IFACE -j DROP #$IPTABLES -A INPUT -d 192.168.255.255 -i INET_IFACE -j DROP #$IPTABLES -A INPUT -d 255.255.255.255 -i INET_IFACE -j DROP #$IPTABLES -A INPUT -m pkttype --pkt-type broadcast -j DROP #fi #********************************************************* # # Kernel configuration. # For details see: # * http://www.securityfocus.com/infocus/1711 # * http://www.linuxgazette.com/issue77/lechnyr.html # * http://ipsysctl-tutorial.frozentux.net/chunkyhtml/index.html # * /usr/src/linux/Documentation/filesystems/proc.txt # * /usr/src/linux/Documentation/networking/ip-sysctl.txt # # Save these settings in the /etc/sysctl.conf file to make it permanent # #------------------------------------------ if [ $DO_KERNEL_SECURE -eq 1 ] then #------------------------------------------ # Allow port forwarding - Enable IP NAT in the Linux kernel # #echo 1 > /proc/sys/net/ipv4/ip_forward if [ $PROC_SYSCTL_IP_FORWARD -eq 1 ] ; then if [ -f /proc/sys/net/ipv4/ip_forward ] ; then echo 1 > /proc/sys/net/ipv4/ip_forward echo " ip_forward activated" fi fi # #------------------------------------------ # Disabling IP Spoofing # #echo 2 > /proc/sys/net/ipv4/conf/all/rp_filter if [ $PROC_SYSCTL_IP_SPOOFING -eq 1 ] ; then if [ -f /proc/sys/net/ipv4/conf/all/rp_filter ] ; then echo "2" > /proc/sys/net/ipv4/conf/all/rp_filter echo " .....Blocking IP spoofing attacks" fi # #------------------------------------------ # Enable IP spoofing protection (i.e. source address verification). # Note: This is special, as it seems to only be enabled if you set # */all/rp_filter AND */eth0/rp_filter (for example) to 1! Setting only # */all/rp_filter alone does _not_ suffice, which is pretty counter-intuitive. # # Turn on reverse path filtering. This helps make sure that packets use # legitimate source addresses, by automatically rejecting incoming packets # if the routing table entry for their source address doesn't match the # network interface they're arriving on. This has security advantages because # it prevents so-called IP spoofing, however it can pose problems if you use # asymmetric routing (packets from you to a host take a different path than # packets from that host to you) or if you operate a non-routing host which # has several IP addresses on different interfaces. # (Note - If you turn on IP forwarding, you will also get this). # for i in /proc/sys/net/ipv4/conf/*/rp_filter; do echo 1 > $i; done # fi # #------------------------------------------ # Ignore all incoming ICMP echo requests (i.e. disable ping). # Usually not a good idea, as some protocols and users need/want this. # echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_all # if [ $PROC_SYSCTL_BLOCK_ALL_PINGS_IN -eq 1 ] then #echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_all if [ -f /proc/sys/net/ipv4/icmp_echo_ignore_all ] ; then echo "1" > /proc/sys/net/ipv4/icmp_echo_ignore_all echo " .....Blocking all incoming pings from everywhere" fi else #echo 0 > /proc/sys/net/ipv4/icmp_echo_ignore_all if [ -f /proc/sys/net/ipv4/icmp_echo_ignore_all ] ; then echo "0" > /proc/sys/net/ipv4/icmp_echo_ignore_all echo " .....Allowing all incoming pings from everywhere" fi fi # #------------------------------------------ # Don't respond to broadcast pings # Ignore ICMP echo requests to broadcast/multicast addresses. We do not # want to participate in smurf (and similar) DoS attacks. # For details see: http://en.wikipedia.org/wiki/Smurf_attack. # if [ $PROC_SYSCTL_BLOCK_BROADCAST_PINGS_IN -eq 1 ] then #echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts if [ -f /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts ]; then echo "1" > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts echo " .....Blocking all broadcast pings" fi else #echo 0 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts if [ -f /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts ]; then echo "0" > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts echo " .....Allowing all broadcast pings" fi fi # #------------------------------------------ # Disable multicast routing. Should not be needed, usually. # TODO: This throws an "Operation not permitted" error. Why? # # The proc entry containing that value is read-only, and cannot be made writable easily. # #for i in /proc/sys/net/ipv4/conf/*/mc_forwarding; do echo 0 > $i; done # #------------------------------------------ # Protect against SYN flood attacks (see http://cr.yp.to/syncookies.html). # #echo 1 > /proc/sys/net/ipv4/tcp_syncookies if [ $PROC_SYSCTL_SYN_COOKIES -eq 1 ] ; then if [ -e /proc/sys/net/ipv4/tcp_syncookies ] ; then echo "1" > /proc/sys/net/ipv4/tcp_syncookies echo " .....TCP syn cookies protection enabled" fi fi # #------------------------------------------ # Kill timestamps # #echo 0 > /proc/sys/net/ipv4/tcp_timestamps if [ $PROC_SYSCTL_TIME_STAMPS -eq 1 ] ; then if [ -e /proc/sys/net/ipv4/tcp_timestamps ] ; then echo "0" > /proc/sys/net/ipv4/tcp_timestamps echo " .....TCP timestamps protection enabled" fi fi # #------------------------------------------ # Block source routing # # Don't accept source routed packets. Attackers can use source routing # to generate traffic pretending to be from inside your network, but # which is routed back along the path from which it came, namely outside, # so attackers can compromise your network. Source routing is rarely # used for legitimate purposes. # #echo 0 > /proc/sys/net/ipv4/conf/all/accept_source_route if [ $PROC_SYSCTL_SOURCE_ROUTED -eq 1 ] ; then if [ -e /proc/sys/net/ipv4/conf/all/accept_source_route ] ; then echo "0" > /proc/sys/net/ipv4/conf/all/accept_source_route echo " .....Ignore source routed packets" fi # #------------------------------------------ # Don't accept source routed packets. # for i in /proc/sys/net/ipv4/conf/*/accept_source_route; do echo 0 > $i; done # fi # #------------------------------------------ # Kill redirects # # Disable ICMP redirect acceptance. ICMP redirects can be used to alter # your routing tables, possibly to a bad end. # #echo 0 > /proc/sys/net/ipv4/conf/all/accept_redirects #echo 0 > /proc/sys/net/ipv4/conf/all/send_redirects if [ $PROC_SYSCTL_ACCEPT_REDIRECTS -eq 1 ] ; then if [ -e /proc/sys/net/ipv4/conf/all/accept_redirects ]; then echo "0" > /proc/sys/net/ipv4/conf/all/accept_redirects echo " .....Ignore accept redirected packets" fi for i in /proc/sys/net/ipv4/conf/*/accept_redirects; do echo 0 > $i; done fi # if [ $PROC_SYSCTL_SEND_REDIRECTS -eq 1 ] ; then if [ -e /proc/sys/net/ipv4/conf/all/send_redirects ]; then echo "0" > /proc/sys/net/ipv4/conf/all/send_redirects echo " .....Ignore send redirected packets" fi for i in /proc/sys/net/ipv4/conf/*/send_redirects; do echo 0 > $i; done fi # #------------------------------------------ # Don't accept or send ICMP redirects. # #for i in /proc/sys/net/ipv4/conf/*/accept_redirects; do echo 0 > $i; done #for i in /proc/sys/net/ipv4/conf/*/send_redirects; do echo 0 > $i; done # #------------------------------------------ # Enable secure redirects, i.e. only accept ICMP redirects for gateways # listed in the default gateway list. Helps against MITM attacks. # #for i in /proc/sys/net/ipv4/conf/*/secure_redirects; do echo 1 > $i; done if [ $PROC_SYSCTL_SECURE_REDIRECTS -eq 1 ] ; then for i in /proc/sys/net/ipv4/conf/*/secure_redirects; do echo 1 > $i; done fi # # #------------------------------------------ # Enable bad error message protection # Don't log invalid responses to broadcast frames, they just clutter the logs. # #echo 1 > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses if [ $PROC_SYSCTL_ICMP_ERROR_MESG -eq 1 ] ; then if [ -f /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses ]; then echo "1" > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses echo " .....Enable error message protection" fi fi # #------------------------------------------ # Log martians # # Log packets with impossible addresses # Log spoofed packets, source routed packets, redirect packets. # #echo 1 > /proc/sys/net/ipv4/conf/all/log_martians if [ $PROC_SYSCTL_LOG_MARTIANS -eq 1 ] ; then if [ -f /proc/sys/net/ipv4/conf/all/log_martians ] ; then echo "1" > /proc/sys/net/ipv4/conf/all/log_martians echo " .....Logging packets with impossible addresses" fi # #------------------------------------------ # Log packets with impossible addresses. # for i in /proc/sys/net/ipv4/conf/*/log_martians; do echo 1 > $i; done # fi # #------------------------------------------ # Disable bootp_relay. Should not be needed, usually. # if [ $PROC_SYSCTL_DISABLE_BOOTP_RELAY -eq 1 ] ; then for i in /proc/sys/net/ipv4/conf/*/bootp_relay; do echo 0 > $i; done fi # #------------------------------------------ # Disable proxy_arp. Should not be needed, usually. # if [ $PROC_SYSCTL_DISABLE_PROXY_ARP -eq 1 ] ; then for i in /proc/sys/net/ipv4/conf/*/proxy_arp; do echo 0 > $i; done fi # #------------------------------------------ # TODO: These may mitigate ARP poisoning attacks? # /proc/sys/net/ipv4/neigh/*/locktime # /proc/sys/net/ipv4/neigh/*/gc_stale_time # TODO: Check rest of /usr/src/linux/Documentation/networking/ip-sysctl.txt. # Are there any security-relevant options I missed? Check especially: # icmp_ratelimit, icmp_ratemask, icmp_errors_use_inbound_ifaddr, arp_*. # #------------------------------------------ # Set out local port range # #echo "32768 61000" > /proc/sys/net/ipv4/ip_local_port_range # #------------------------------------------ # Reduce timeouts for DoS protection # #echo 30 > /proc/sys/net/ipv4/tcp_fin_timeout # #------------------------------------------ # Other # #echo 2400 > /proc/sys/net/ipv4/tcp_keepalive_time #echo 0 > /proc/sys/net/ipv4/tcp_window_scaling #echo 0 > /proc/sys/net/ipv4/tcp_sack # if [ $PROC_SYSCTL_REDUCE_DOS -eq 1 ] ; then echo "30" > /proc/sys/net/ipv4/tcp_fin_timeout echo "2400" > /proc/sys/net/ipv4/tcp_keepalive_time echo "0" > /proc/sys/net/ipv4/tcp_window_scaling echo "0" > /proc/sys/net/ipv4/tcp_sack echo " .....Denial of Service Reduction Measures" fi # fi # #********************************************************* # # Completely disable IPv6. # # Block all IPv6 traffic # #------------------------------------------ # If the ip6tables command is available, try to block all IPv6 traffic. # if test -x $IP6TABLES; then #------------------------------------------ # Set the default policies. # Drop everything. $IP6TABLES -P INPUT DROP 2>/dev/null $IP6TABLES -P FORWARD DROP 2>/dev/null $IP6TABLES -P OUTPUT DROP 2>/dev/null #------------------------------------------ # The mangle table can pass everything. $IP6TABLES -t mangle -P PREROUTING ACCEPT 2>/dev/null $IP6TABLES -t mangle -P INPUT ACCEPT 2>/dev/null $IP6TABLES -t mangle -P FORWARD ACCEPT 2>/dev/null $IP6TABLES -t mangle -P OUTPUT ACCEPT 2>/dev/null $IP6TABLES -t mangle -P POSTROUTING ACCEPT 2>/dev/null #------------------------------------------ # Delete all rules. $IP6TABLES -F 2>/dev/null $IP6TABLES -t mangle -F 2>/dev/null #------------------------------------------ # Delete all chains. $IP6TABLES -X 2>/dev/null $IP6TABLES -t mangle -X 2>/dev/null #------------------------------------------ # Zero all packets and counters. $IP6TABLES -Z 2>/dev/null $IP6TABLES -t mangle -Z 2>/dev/null fi #------------------------------------------ # Shellshock $IP6TABLES -A INPUT -m string --algo bm --hex-string '|28 29 20 7B|' -j DROP $IP6TABLES -A INPUT -m string --algo bm --hex-string '|28 29 20 7B|' -j DROP #********************************************************* # # Create the chains # $IPTABLES -N IANA_RESERVED $IPTABLES -N BAD_PACKETS $IPTABLES -N BAD_TCP_PACKETS if [ $DO_WHITELISTING -eq 1 ] then $IPTABLES -N WHITELIST fi if [ $DO_PORT_KNOCKING -eq 1 ] then $IPTABLES -N PORT_KNOCK $IPTABLES -N PORT_KNOCK_STAGE1 $IPTABLES -N PORT_KNOCK_STAGE2 $IPTABLES -N PORT_KNOCK_STAGE3 fi $IPTABLES -N PRIVATE_PACKETS $IPTABLES -N BLACKLIST if [ $BLOCK_BRUTE_FORCE_ATTACKS -eq 1 ] then $IPTABLES -N ATTACK $IPTABLES -N ATTACK2 $IPTABLES -N ATTACK_CHECK $IPTABLES -N ATTACKED1 $IPTABLES -N ATTACKED2 $IPTABLES -N ATTACKED3 $IPTABLES -N ATTACKED4 $IPTABLES -N ATTACKED5 $IPTABLES -N ATTACKED6 $IPTABLES -N ATTACKED7 $IPTABLES -N ATTACKED8 $IPTABLES -N ATTACKED9 $IPTABLES -N BAN1 $IPTABLES -N BAN2 $IPTABLES -N BAN3 $IPTABLES -N BAN4 $IPTABLES -N BAN5 $IPTABLES -N BAN6 $IPTABLES -N BAN7 $IPTABLES -N BAN8 $IPTABLES -N BAN9 fi if [ $BLOCK_FLOODS -eq 1 ] then $IPTABLES -N FLOODS fi if [ $BLOCK_VIRUSES -eq 1 ] then $IPTABLES -N VIRUS fi if [ $DO_LOG_SCANS -eq 1 ] then $IPTABLES -N SCANS fi $IPTABLES -N ICMP_IN $IPTABLES -N ICMP_OUT $IPTABLES -N TCP_IN $IPTABLES -N TCP_OUT $IPTABLES -N UDP_IN $IPTABLES -N UDP_OUT $IPTABLES -N NO_LOGGING if [ $DO_QUOTA -eq 1 ] then $IPTABLES -N QUOTA fi # #********************************************************* # Check Quotas # if [ $DO_QUOTA -eq 1 ] then $IPTABLES -A QUOTA -p tcp -m quota --quota $QUOTA_LIMIT_TCP -j RETURN $IPTABLES -A QUOTA -p udp -m quota --quota $QUOTA_LIMIT_UDP -j RETURN $IPTABLES -A QUOTA -p icmp -m quota --quota $QUOTA_LIMIT_ICMP -j RETURN $IPTABLES -A QUOTA -m limit --limit $LIMIT_LOG --limit-burst $LIMIT_LOG_BURST -j LOG --log-level $LOG_LEVEL --log-prefix "IPT=QUOTA a=DROP " $IPTABLES -A QUOTA -j DROP fi # #********************************************************* # Filter IANA RESERVED # $IPTABLES -A IANA_RESERVED -s $RANGE_IANA_RESERVED -m limit --limit $LIMIT_LOG --limit-burst $LIMIT_LOG_BURST -j LOG --log-level $LOG_LEVEL --log-prefix "IPT=IANA_RESERVED a=DROP " $IPTABLES -A IANA_RESERVED -s $RANGE_IANA_RESERVED -j DROP #$IPTABLES -A IANA_RESERVED -s 0.0.0.0/7 -j DROP #$IPTABLES -A IANA_RESERVED -s 2.0.0.0/8 -j DROP #$IPTABLES -A IANA_RESERVED -s 5.0.0.0/8 -j DROP #$IPTABLES -A IANA_RESERVED -s 7.0.0.0/8 -j DROP #$IPTABLES -A IANA_RESERVED -s 10.0.0.0/8 -j DROP #$IPTABLES -A IANA_RESERVED -s 23.0.0.0/8 -j DROP #$IPTABLES -A IANA_RESERVED -s 27.0.0.0/8 -j DROP #$IPTABLES -A IANA_RESERVED -s 31.0.0.0/8 -j DROP #$IPTABLES -A IANA_RESERVED -s 36.0.0.0/7 -j DROP #$IPTABLES -A IANA_RESERVED -s 39.0.0.0/8 -j DROP #$IPTABLES -A IANA_RESERVED -s 42.0.0.0/8 -j DROP #$IPTABLES -A IANA_RESERVED -s 49.0.0.0/8 -j DROP #$IPTABLES -A IANA_RESERVED -s 50.0.0.0/8 -j DROP #$IPTABLES -A IANA_RESERVED -s 77.0.0.0/8 -j DROP #$IPTABLES -A IANA_RESERVED -s 78.0.0.0/7 -j DROP #$IPTABLES -A IANA_RESERVED -s 92.0.0.0/6 -j DROP #$IPTABLES -A IANA_RESERVED -s 96.0.0.0/4 -j DROP #$IPTABLES -A IANA_RESERVED -s 112.0.0.0/5 -j DROP #$IPTABLES -A IANA_RESERVED -s 120.0.0.0/8 -j DROP #$IPTABLES -A IANA_RESERVED -s 169.254.0.0/16 -j DROP #$IPTABLES -A IANA_RESERVED -s 172.16.0.0/12 -j DROP #$IPTABLES -A IANA_RESERVED -s 173.0.0.0/8 -j DROP #$IPTABLES -A IANA_RESERVED -s 174.0.0.0/7 -j DROP #$IPTABLES -A IANA_RESERVED -s 176.0.0.0/5 -j DROP #$IPTABLES -A IANA_RESERVED -s 184.0.0.0/6 -j DROP #$IPTABLES -A IANA_RESERVED -s 192.0.2.0/24 -j DROP #$IPTABLES -A IANA_RESERVED -s 197.0.0.0/8 -j DROP #$IPTABLES -A IANA_RESERVED -s 198.18.0.0/15 -j DROP #$IPTABLES -A IANA_RESERVED -s 223.0.0.0/8 -j DROP #$IPTABLES -A IANA_RESERVED -s 224.0.0.0/3 -j DROP # #------------------------------------------ # All good, so return # $IPTABLES -A IANA_RESERVED -j RETURN # # #********************************************************* # Filter BAD packets # #------------------------------------------ # For TCP packet check if they are bad. # if [ $DO_BAD_PACKETS_LAST -eq 1 ] then $IPTABLES -A BAD_PACKETS -p tcp -j BAD_TCP_PACKETS fi # #------------------------------------------ # Drop packets received on the external interface # claiming a source of the local network # $IPTABLES -A BAD_PACKETS -p all -i $INET_IFACE -s $LOCAL_NET -m limit --limit $LIMIT_LOG --limit-burst $LIMIT_LOG_BURST -j LOG --log-level $LOG_LEVEL --log-prefix "IPT=local-source a=DROP " $IPTABLES -A BAD_PACKETS -p all -i $INET_IFACE -s $LOCAL_NET -j DROP # #------------------------------------------ # Drop INVALID packets immediately (not ESTABLISHED, RELATED or NEW) # # Note: ICMPv6 Neighbor Discovery packets remain untracked, and will # always be classified "INVALID" though they are not corrupted or # thelike. Keep this in mind, and accept them before this rule! # iptables -A INPUT -p 41 -j ACCEPT # $IPTABLES -A BAD_PACKETS -p all -m conntrack --ctstate INVALID -m limit --limit $LIMIT_LOG --limit-burst $LIMIT_LOG_BURST -j LOG --log-level $LOG_LEVEL --log-prefix "IPT=invalid a=DROP " $IPTABLES -A BAD_PACKETS -p all -m conntrack --ctstate INVALID -j DROP # #------------------------------------------ # Drop packets with incoming fragments. # This attack results in Linux Server panic resulting in possible data loss. # $IPTABLES -A BAD_PACKETS -p all -f -m limit --limit $LIMIT_LOG --limit-burst $LIMIT_LOG_BURST -j LOG --log-level $LOG_LEVEL --log-prefix "IPT=fragmeted a=DROP " $IPTABLES -A BAD_PACKETS -p all -f -j DROP # #------------------------------------------ # For TCP packet check if they are bad. # if [ $DO_BAD_PACKETS_LAST -eq 0 ] then $IPTABLES -A BAD_PACKETS -p tcp -j BAD_TCP_PACKETS fi # #------------------------------------------ # All good, so return # $IPTABLES -A BAD_PACKETS -j RETURN # #********************************************************* # Filter bad TCP packets # # Flags are: SYN ACK FIN RST URG PSH ALL NONE # # The only flag that is allowed to be sent along # with a SYN is ACK, and this only in the 2nd # packet of the 3-way-handshake. # #------------------------------------------ # Erroneous flags # # Allow these... # #iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT #iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT #iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT # Any TCP packet which is not a part of an established connection falls into # one of three categories: (1) connection handshake, (2) stray resend, or # (3) invalid. Here we discard stray resends and log obvious hack attempts. # See table below: # # SYN RST ACK What it means Action # =========== ============= ======= # 0 0 0 invalid logdrop # 0 0 1 stray resend DROP # 0 1 0 stray resend DROP # 0 1 1 stray resend DROP # 1 0 0 conn attempt ok # 1 0 1 conn response ok # 1 1 0 invalid logdrop # 1 1 1 invalid logdrop #iptables -A INPUT -p tcp --tcp-flags SYN,RST,ACK NONE -j logdrop #iptables -A INPUT -p tcp --tcp-flags SYN,RST,ACK ACK -j DROP #iptables -A INPUT -p tcp --tcp-flags SYN,RST RST -j DROP #iptables -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j logdrop #iptables -A FORWARD -p tcp --tcp-flags SYN,RST,ACK NONE -j logdrop #iptables -A FORWARD -p tcp --tcp-flags SYN,RST,ACK ACK -j DROP #iptables -A FORWARD -p tcp --tcp-flags SYN,RST RST -j DROP #iptables -A FORWARD -p tcp --tcp-flags SYN,RST SYN,RST -j logdrop #iptables -A OUTPUT -p tcp --tcp-flags SYN,RST,ACK NONE -j logdrop #iptables -A OUTPUT -p tcp --tcp-flags SYN,RST,ACK ACK -j DROP #iptables -A OUTPUT -p tcp --tcp-flags SYN,RST RST -j DROP #iptables -A OUTPUT -p tcp --tcp-flags SYN,RST SYN,RST -j logdrop #-A INPUT -p tcp -m tcp –tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j DROP #-A INPUT -p tcp -m tcp –tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,RST,PSH,ACK,URG -j DROP #-A INPUT -p tcp -m tcp –tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,PSH,URG -j DROP #-A INPUT -p tcp -m tcp –tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,RST,ACK,URG -j DROP #-A INPUT -p tcp -m tcp –tcp-flags SYN,RST SYN,RST -j DROP #-A INPUT -p tcp -m tcp –tcp-flags FIN,SYN FIN,SYN -j DROP #-A INPUT -m state –state INVALID -j DROP ## peter - 3 mar 2017 #-A INPUT -m state --state INVALID -j DROP #-A INPUT -p tcp ! --syn -m state --state NEW -j DROP #-A INPUT -p tcp --tcp-flags ACK,FIN FIN -j DROP #-A INPUT -p tcp --tcp-flags ACK,PSH PSH -j DROP #-A INPUT -p tcp --tcp-flags ACK,URG URG -j DROP #-A INPUT -p tcp --tcp-flags FIN,RST FIN,RST -j DROP #-A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP #-A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j DROP #-A INPUT -p tcp --tcp-flags ALL ALL -j DROP # XMAS-ALL scan #-A INPUT -p tcp --tcp-flags ALL NONE -j DROP #-A INPUT -p tcp --tcp-flags ALL FIN,PSH,URG -j DROP # XMAS scan #-A INPUT -p tcp --tcp-flags ALL SYN,FIN,PSH,URG -j DROP #-A INPUT -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j DROP # XMAS-PSH scan #-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j DROP #-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN FIN,SYN -j DROP #-A INPUT -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -j DROP # SYN/RST scan #-A INPUT -p tcp -m tcp --tcp-flags FIN,RST FIN,RST -j DROP #-A INPUT -p tcp -m tcp --tcp-flags FIN,ACK FIN -j DROP #-A INPUT -p tcp -m tcp --tcp-flags ACK,URG URG -j DROP #-A INPUT -p tcp -m tcp --tcp-flags PSH,ACK PSH -j DROP #-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,PSH,URG -j DROP #-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,RST,ACK,URG -j DROP #-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,RST,PSH,ACK,URG -j DROP #-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN -j DROP #------------------------------------------ # Malformed packets # $IPTABLES -A BAD_TCP_PACKETS -p tcp --tcp-flags ALL FIN,PSH,URG -m limit --limit $LIMIT_LOG --limit-burst $LIMIT_LOG_BURST -j LOG --log-level $LOG_LEVEL --log-prefix "IPT=XMAS-scan a=DROP " $IPTABLES -A BAD_TCP_PACKETS -p tcp --tcp-flags ALL FIN,PSH,URG -j DROP # $IPTABLES -A BAD_TCP_PACKETS -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -m limit --limit $LIMIT_LOG --limit-burst $LIMIT_LOG_BURST -j LOG --log-level $LOG_LEVEL --log-prefix "IPT=XMAS-PSH-scan a=DROP " $IPTABLES -A BAD_TCP_PACKETS -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j DROP # $IPTABLES -A BAD_TCP_PACKETS -p tcp --tcp-flags ALL ALL -m limit --limit $LIMIT_LOG --limit-burst $LIMIT_LOG_BURST -j LOG --log-level $LOG_LEVEL --log-prefix "IPT=XMAS-ALL-scan a=DROP " $IPTABLES -A BAD_TCP_PACKETS -p tcp --tcp-flags ALL ALL -j DROP # $IPTABLES -A BAD_TCP_PACKETS -p tcp --tcp-flags ALL FIN -m limit --limit $LIMIT_LOG --limit-burst $LIMIT_LOG_BURST -j LOG --log-level $LOG_LEVEL --log-prefix "IPT=FIN-scan a=DROP " $IPTABLES -A BAD_TCP_PACKETS -p tcp --tcp-flags ALL FIN -j DROP # #------------------------------------------ # Sending SYN in conjunction with RST means, that a connection shall # This is A violation of RFC793. # $IPTABLES -A BAD_TCP_PACKETS -p tcp --tcp-flags SYN,RST SYN,RST -m limit --limit $LIMIT_LOG --limit-burst $LIMIT_LOG_BURST -j LOG --log-level $LOG_LEVEL --log-prefix "IPT=SYN/RST-scan a=DROP " $IPTABLES -A BAD_TCP_PACKETS -p tcp --tcp-flags SYN,RST SYN,RST -j DROP # $IPTABLES -A BAD_TCP_PACKETS -p tcp --tcp-flags SYN,FIN SYN,FIN -m limit --limit $LIMIT_LOG --limit-burst $LIMIT_LOG_BURST -j LOG --log-level $LOG_LEVEL --log-prefix "IPT=SYN/FIN-scan a=DROP " $IPTABLES -A BAD_TCP_PACKETS -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP # $IPTABLES -A BAD_TCP_PACKETS -p tcp --tcp-flags ALL NONE -m limit --limit $LIMIT_LOG --limit-burst $LIMIT_LOG_BURST -j LOG --log-level $LOG_LEVEL --log-prefix "IPT=Null-scan a=DROP " $IPTABLES -A BAD_TCP_PACKETS -p tcp --tcp-flags ALL NONE -j DROP # $IPTABLES -A BAD_TCP_PACKETS -p tcp --tcp-flags ALL URG,PSH,SYN,FIN -m limit --limit $LIMIT_LOG --limit-burst $LIMIT_LOG_BURST -j LOG --log-level $LOG_LEVEL --log-prefix "IPT=NMAP-ID-scan a=DROP " $IPTABLES -A BAD_TCP_PACKETS -p tcp --tcp-flags ALL URG,PSH,SYN,FIN -j DROP # $IPTABLES -A BAD_TCP_PACKETS -p tcp --tcp-flags FIN,RST FIN,RST -m limit --limit $LIMIT_LOG --limit-burst $LIMIT_LOG_BURST -j LOG --log-level $LOG_LEVEL --log-prefix "IPT=BAD_TCP:FIN/RST a=DROP " $IPTABLES -A BAD_TCP_PACKETS -p tcp --tcp-flags FIN,RST FIN,RST -j DROP # #------------------------------------------ # FIN scan, nmap v3.0 sends ACK,FIN FIN # $IPTABLES -A BAD_TCP_PACKETS -p tcp --tcp-flags FIN,ACK FIN -m limit --limit $LIMIT_LOG --limit-burst $LIMIT_LOG_BURST -j LOG --log-level $LOG_LEVEL --log-prefix "IPT=BAD_TCP:FAF a=DROP " $IPTABLES -A BAD_TCP_PACKETS -p tcp --tcp-flags FIN,ACK FIN -j DROP # $IPTABLES -A BAD_TCP_PACKETS -p tcp --tcp-flags ACK,URG URG -m limit --limit $LIMIT_LOG --limit-burst $LIMIT_LOG_BURST -j LOG --log-level $LOG_LEVEL --log-prefix "IPT=BAD_TCP:AUU a=DROP " $IPTABLES -A BAD_TCP_PACKETS -p tcp --tcp-flags ACK,URG URG -j DROP # $IPTABLES -A BAD_TCP_PACKETS -p tcp --tcp-flags ACK,PSH PSH -m limit --limit $LIMIT_LOG --limit-burst $LIMIT_LOG_BURST -j LOG --log-level $LOG_LEVEL --log-prefix "IPT=BAD_TCP:APP a=DROP " $IPTABLES -A BAD_TCP_PACKETS -p tcp --tcp-flags ACK,PSH PSH -j DROP # $IPTABLES -A BAD_TCP_PACKETS -p tcp --tcp-flags ACK,FIN FIN -m limit --limit $LIMIT_LOG --limit-burst $LIMIT_LOG_BURST -j LOG --log-level $LOG_LEVEL --log-prefix "IPT=BAD_TCP:AFF a=DROP " $IPTABLES -A BAD_TCP_PACKETS -p tcp --tcp-flags ACK,FIN FIN -j DROP ## # Seems to stop Firefox using HTTP to get web pages from this server # Therefore disabled for now... ## #$IPTABLES -A BAD_TCP_PACKETS -p tcp --tcp-flags SYN,URG SYN -m limit --limit $LIMIT_LOG --limit-burst $LIMIT_LOG_BURST -j LOG --log-level $LOG_LEVEL --log-prefix "IPT=BAD_TCP:SUS a=DROP " #$IPTABLES -A BAD_TCP_PACKETS -p tcp --tcp-flags SYN,URG SYN -j DROP # #------------------------------------------ # Unclean packets...same as above (but this option is still listed as experimental) # #$IPTABLES -A BAD_TCP_PACKETS -i $INET_IFACE -m unclean -j LOG --log-prefix "IPT=BAD_TCP:unclean a=DROP " #$IPTABLES -A BAD_TCP_PACKETS -i $INET_IFACE -m unclean -j DROP # #------------------------------------------ # New connections that have no syn set are most probably bad. # Also known as ACK scan # $IPTABLES -A BAD_TCP_PACKETS -p tcp ! --syn -m conntrack --ctstate NEW -m limit --limit $LIMIT_LOG --limit-burst $LIMIT_LOG_BURST -j LOG --log-level $LOG_LEVEL --log-prefix "IPT=new-not-syn a=DROP " $IPTABLES -A BAD_TCP_PACKETS -p tcp ! --syn -m conntrack --ctstate NEW -j DROP # $IPTABLES -A BAD_TCP_PACKETS -p tcp ! --tcp-flags SYN,RST,ACK SYN -m conntrack --ctstate NEW -m limit --limit $LIMIT_LOG --limit-burst $LIMIT_LOG_BURST -j LOG --log-level $LOG_LEVEL --log-prefix "IPT=new-not-syn2 a=DROP " $IPTABLES -A BAD_TCP_PACKETS -p tcp ! --tcp-flags SYN,RST,ACK SYN -m conntrack --ctstate NEW -j DROP #$IPTABLES -A BAD_TCP_PACKETS -p tcp -m tcp ! --tcp-flags SYN,RST,ACK SYN -m state --state NEW -j REJECT --reject-with icmp-net-unreachable # #------------------------------------------ # Port 0 fingerprint attempt # $IPTABLES -A BAD_TCP_PACKETS -p tcp --dport 0 -m limit --limit 1/h --limit-burst 1 -j LOG --log-level $LOG_LEVEL --log-prefix "IPT=TCP:finger:0 a=DROP " $IPTABLES -A BAD_TCP_PACKETS -p tcp --dport 0 -j DROP # #------------------------------------------ # Invalid TCP Options # $IPTABLES -A BAD_TCP_PACKETS -p tcp --tcp-option 64 -m limit --limit $LIMIT_LOG --limit-burst $LIMIT_LOG_BURST -j LOG --log-level $LOG_LEVEL --log-prefix "IPT=TCP:Bad Flag(64) a=DROP " $IPTABLES -A BAD_TCP_PACKETS -p tcp --tcp-option 64 -j DROP # $IPTABLES -A BAD_TCP_PACKETS -p tcp --tcp-option 128 -m limit --limit $LIMIT_LOG --limit-burst $LIMIT_LOG_BURST -j LOG --log-level $LOG_LEVEL --log-prefix "IPT=TCP:Bad Flag(128) a=DROP " $IPTABLES -A BAD_TCP_PACKETS -p tcp --tcp-option 128 -j DROP # #------------------------------------------ # All good, so return # $IPTABLES -A BAD_TCP_PACKETS -p tcp -j RETURN # #********************************************************* # Whitelisting # # Always allow these packets # # High-priority packets which should always be accepted without much # delay. # # Using this chain will break firewall security and will result in # this not passing certain security standards. However, there may # be specific reasons where this might be useful. # #------------------------------------------ # if [ $DO_WHITELISTING -eq 1 ] then #------------------------------------------ # Allow NTP # # To provide accurate timing, it is necessary to have a low delay # when processing networking packets of the Network Time Protocol. # # These packets are sent as UDP packets to port 123. For this # reason these packets are directly accepted, without checking # further rules. These packets might originate from an attacker, # and even be part of a DDOS attack, but we accept that situation. # The processing of NTP packets has such a low overhead that even # when packets are coming in at a very high speed, it wont take too # much CPU resources. There are also no states preserved as with # the TCP protocol which could cause buffer overflows. The only # thing which might happen is saturation of the network, but that # would happen with a DDOS attack independent of us accepting or # dropping the incoming packets. # if [ $DO_QUICK_NTP -eq 1 ] then $IPTABLES -A WHITELIST -p udp -m conntrack --ctstate NEW --dport 123 -j ACCEPT fi # #------------------------------------------ # ???Allow unpriviledged ports # #$IPTABLES -A UDP_OUT -p tcp -o $INET_IFACE -s $INET_IP --sport $PORTS_UNPRIV -m conntrack --ctstate NEW -j ACCEPT # #------------------------------------------ # Add trusted hosts: # # The "remove" clears the whitelisted host out of the recently seen # BLACKLIST table, and because it has an ACCEPT jump target, should # stop further processing anyway. # $IPTABLES -A WHITELIST -s $TRUSTED_HOSTS -m recent --remove --name BLACKLIST -j ACCEPT $IPTABLES -A WHITELIST -s $TRUSTED_HOSTS -m recent --remove --name BANNED1 -j ACCEPT $IPTABLES -A WHITELIST -s $TRUSTED_HOSTS -m recent --remove --name BANNED2 -j ACCEPT $IPTABLES -A WHITELIST -s $TRUSTED_HOSTS -m recent --remove --name BANNED3 -j ACCEPT $IPTABLES -A WHITELIST -s $TRUSTED_HOSTS -m recent --remove --name BANNED4 -j ACCEPT $IPTABLES -A WHITELIST -s $TRUSTED_HOSTS -m recent --remove --name BANNED5 -j ACCEPT $IPTABLES -A WHITELIST -s $TRUSTED_HOSTS -m recent --remove --name BANNED6 -j ACCEPT $IPTABLES -A WHITELIST -s $TRUSTED_HOSTS -m recent --remove --name BANNED7 -j ACCEPT $IPTABLES -A WHITELIST -s $TRUSTED_HOSTS -m recent --remove --name BANNED8 -j ACCEPT $IPTABLES -A WHITELIST -s $TRUSTED_HOSTS -m recent --remove --name BANNED9 -j ACCEPT # #------------------------------------------ # All good, so return # $IPTABLES -A WHITELIST -j RETURN # #------------------------------------------ fi # #********************************************************* # Port Knocking # # Allow Port Knocking # # Port knocking is a method of externally opening ports on a firewall by # generating a connection attempt on a set of prespecified closed ports. # # Once a correct sequence of connection attempts is received, the firewall # rules are dynamically modified to allow the host which sent the connection # attempts to connect over specific port(s). #------------------------------------------ # if [ $DO_PORT_KNOCKING -eq 1 ] then #------------------------------------------ $IPTABLES -A PORT_KNOCK_STAGE1 -m recent --remove --name knock $IPTABLES -A PORT_KNOCK_STAGE1 -p tcp --dport $PORT_KNOCK_1 -m recent --set --name knock2 $IPTABLES -A PORT_KNOCK_STAGE2 -m recent --remove --name knock2 $IPTABLES -A PORT_KNOCK_STAGE2 -p tcp --dport $PORT_KNOCK_2 -m recent --set --name heaven $IPTABLES -A PORT_KNOCK_STAGE3 -m recent --rcheck --seconds 5 --name knock2 -j PORT_KNOCK_STAGE2 $IPTABLES -A PORT_KNOCK_STAGE3 -m recent --rcheck --seconds 5 --name knock -j PORT_KNOCK_STAGE1 $IPTABLES -A PORT_KNOCK_STAGE3 -p tcp --dport $PORT_KNOCK_3 -m recent --set --name knock $IPTABLES -A PORT_KNOCK -p tcp --dport $PORT_KNOCK_ALLOW -m recent --rcheck --seconds 5 --name heaven -j ACCEPT $IPTABLES -A PORT_KNOCK -p tcp --syn -j PORT_KNOCK_STAGE3 #------------------------------------------ # All good, so return # $IPTABLES -A PORT_KNOCK -j RETURN # #------------------------------------------ fi # #********************************************************* # Filter Enemies # #------------------------------------------ # # This will limit brute-force attacks. # # It performs multiple tests against the number of connections within specific # timeframes. If any of the total connections has exceeded the maximum # allowed connections for that specific timeframe then it is banned for a # certain time period. # # If still further connections come in whilst it is banned then this will # cause it to move to an even higher level of ban, i.e. to be banned for # even longer. # # Whilst a connection is banned no subsequent connection attempts will be # allowed before it will resume allowing connections again. # # The --rttl option also takes into account the TTL of the # datagram when matching packets, so as to endeavour to mitigate # against spoofed source addresses. # # Allows for whitelisting. # # The Linux kernel will maintain a list of portscan IPs which # can be accessed at the location /proc/net/ipt_recent/BLACKLIST # if [ $BLOCK_BRUTE_FORCE_ATTACKS -eq 1 ] then # Check for any offences. # If so then drop for that period of time, into the specific banned group - which determines the timeout. # Otherwise, if not yet banned, check if this is an attack. $IPTABLES -A BLACKLIST -m recent --rcheck --seconds $CONNECTION_TIMEOUT_9 --name BANNED9 --rsource -j DROP $IPTABLES -A BLACKLIST -m recent --rcheck --seconds $CONNECTION_TIMEOUT_8 --name BANNED8 --rsource -j DROP $IPTABLES -A BLACKLIST -m recent --rcheck --seconds $CONNECTION_TIMEOUT_7 --name BANNED7 --rsource -j DROP $IPTABLES -A BLACKLIST -m recent --rcheck --seconds $CONNECTION_TIMEOUT_6 --name BANNED6 --rsource -j DROP $IPTABLES -A BLACKLIST -m recent --rcheck --seconds $CONNECTION_TIMEOUT_5 --name BANNED5 --rsource -j DROP $IPTABLES -A BLACKLIST -m recent --rcheck --seconds $CONNECTION_TIMEOUT_4 --name BANNED4 --rsource -j DROP $IPTABLES -A BLACKLIST -m recent --rcheck --seconds $CONNECTION_TIMEOUT_3 --name BANNED3 --rsource -j DROP $IPTABLES -A BLACKLIST -m recent --rcheck --seconds $CONNECTION_TIMEOUT_2 --name BANNED2 --rsource -j DROP $IPTABLES -A BLACKLIST -m recent --rcheck --seconds $CONNECTION_TIMEOUT_1 --name BANNED1 --rsource -j DROP $IPTABLES -A BLACKLIST -m conntrack --ctstate NEW -j ATTACK_CHECK # Check if we are under attack. # If so jump to the specific ban. # If not yet under attack, then record initial instance. $IPTABLES -A ATTACK_CHECK -m recent --update --seconds $CONNECTION_LIMIT_9 --hitcount $CONNECTION_MAX_9 --name ATTACK --rsource --rttl -j ATTACKED9 $IPTABLES -A ATTACK_CHECK -m recent --update --seconds $CONNECTION_LIMIT_8 --hitcount $CONNECTION_MAX_8 --name ATTACK --rsource --rttl -j ATTACKED8 $IPTABLES -A ATTACK_CHECK -m recent --update --seconds $CONNECTION_LIMIT_7 --hitcount $CONNECTION_MAX_7 --name ATTACK --rsource --rttl -j ATTACKED7 $IPTABLES -A ATTACK_CHECK -m recent --update --seconds $CONNECTION_LIMIT_6 --hitcount $CONNECTION_MAX_6 --name ATTACK --rsource --rttl -j ATTACKED6 $IPTABLES -A ATTACK_CHECK -m recent --update --seconds $CONNECTION_LIMIT_5 --hitcount $CONNECTION_MAX_5 --name ATTACK --rsource --rttl -j ATTACKED5 $IPTABLES -A ATTACK_CHECK -m recent --update --seconds $CONNECTION_LIMIT_4 --hitcount $CONNECTION_MAX_4 --name ATTACK --rsource --rttl -j ATTACKED4 $IPTABLES -A ATTACK_CHECK -m recent --update --seconds $CONNECTION_LIMIT_3 --hitcount $CONNECTION_MAX_3 --name ATTACK --rsource --rttl -j ATTACKED3 $IPTABLES -A ATTACK_CHECK -m recent --update --seconds $CONNECTION_LIMIT_2 --hitcount $CONNECTION_MAX_2 --name ATTACK --rsource --rttl -j ATTACKED2 $IPTABLES -A ATTACK_CHECK -m recent --update --seconds $CONNECTION_LIMIT_1 --hitcount $CONNECTION_MAX_1 --name ATTACK --rsource --rttl -j ATTACKED1 # ATTACK2 only contains data if ATTACK is full. # Contains the max allowed from /sys/module/xt_recent/parameters/ip_list_tot. #if [ $(wc -l < /proc/net/xt_recent/ATTACK) >= 10000 ] #then; #$IPTABLES -A ATTACK_CHECK -m recent --update --seconds $CONNECTION_LIMIT_9 --hitcount $CONNECTION_MAX_9 --name ATTACK2 --rsource --rttl -j ATTACKED9 #$IPTABLES -A ATTACK_CHECK -m recent --update --seconds $CONNECTION_LIMIT_8 --hitcount $CONNECTION_MAX_8 --name ATTACK2 --rsource --rttl -j ATTACKED8 #$IPTABLES -A ATTACK_CHECK -m recent --update --seconds $CONNECTION_LIMIT_7 --hitcount $CONNECTION_MAX_7 --name ATTACK2 --rsource --rttl -j ATTACKED7 #$IPTABLES -A ATTACK_CHECK -m recent --update --seconds $CONNECTION_LIMIT_6 --hitcount $CONNECTION_MAX_6 --name ATTACK2 --rsource --rttl -j ATTACKED6 #$IPTABLES -A ATTACK_CHECK -m recent --update --seconds $CONNECTION_LIMIT_5 --hitcount $CONNECTION_MAX_5 --name ATTACK2 --rsource --rttl -j ATTACKED5 #$IPTABLES -A ATTACK_CHECK -m recent --update --seconds $CONNECTION_LIMIT_4 --hitcount $CONNECTION_MAX_4 --name ATTACK2 --rsource --rttl -j ATTACKED4 #$IPTABLES -A ATTACK_CHECK -m recent --update --seconds $CONNECTION_LIMIT_3 --hitcount $CONNECTION_MAX_3 --name ATTACK2 --rsource --rttl -j ATTACKED3 #$IPTABLES -A ATTACK_CHECK -m recent --update --seconds $CONNECTION_LIMIT_2 --hitcount $CONNECTION_MAX_2 --name ATTACK2 --rsource --rttl -j ATTACKED2 #$IPTABLES -A ATTACK_CHECK -m recent --update --seconds $CONNECTION_LIMIT_1 --hitcount $CONNECTION_MAX_1 --name ATTACK2 --rsource --rttl -j ATTACKED1 #fi #$IPTABLES -A ATTACK_CHECK -m recent --set --name ATTACK --rsource # # To accomodate when /proc/net/xt_recent/ATTACK contains the max allowed # as can be seen from /sys/module/xt_recent/parameters/ip_list_tot then # instead of adding into ATTACH add to ATTACK2... # #if [ $(wc -l < /proc/net/xt_recent/ATTACK) < 10000 ] #then; $IPTABLES -A ATTACK_CHECK -m recent --set --name ATTACK --rsource #else # Check if we are under attack. # If so jump to the specific ban. # If not yet under attack, then record initial instance. #$IPTABLES -A ATTACK_CHECK -m recent --update --seconds $CONNECTION_LIMIT_9 --hitcount $CONNECTION_MAX_9 --name ATTACK2 --rsource --rttl -j ATTACKED9 #$IPTABLES -A ATTACK_CHECK -m recent --update --seconds $CONNECTION_LIMIT_8 --hitcount $CONNECTION_MAX_8 --name ATTACK2 --rsource --rttl -j ATTACKED8 #$IPTABLES -A ATTACK_CHECK -m recent --update --seconds $CONNECTION_LIMIT_7 --hitcount $CONNECTION_MAX_7 --name ATTACK2 --rsource --rttl -j ATTACKED7 #$IPTABLES -A ATTACK_CHECK -m recent --update --seconds $CONNECTION_LIMIT_6 --hitcount $CONNECTION_MAX_6 --name ATTACK2 --rsource --rttl -j ATTACKED6 #$IPTABLES -A ATTACK_CHECK -m recent --update --seconds $CONNECTION_LIMIT_5 --hitcount $CONNECTION_MAX_5 --name ATTACK2 --rsource --rttl -j ATTACKED5 #$IPTABLES -A ATTACK_CHECK -m recent --update --seconds $CONNECTION_LIMIT_4 --hitcount $CONNECTION_MAX_4 --name ATTACK2 --rsource --rttl -j ATTACKED4 #$IPTABLES -A ATTACK_CHECK -m recent --update --seconds $CONNECTION_LIMIT_3 --hitcount $CONNECTION_MAX_3 --name ATTACK2 --rsource --rttl -j ATTACKED3 #$IPTABLES -A ATTACK_CHECK -m recent --update --seconds $CONNECTION_LIMIT_2 --hitcount $CONNECTION_MAX_2 --name ATTACK2 --rsource --rttl -j ATTACKED2 #$IPTABLES -A ATTACK_CHECK -m recent --update --seconds $CONNECTION_LIMIT_1 --hitcount $CONNECTION_MAX_1 --name ATTACK2 --rsource --rttl -j ATTACKED1 #$IPTABLES -A ATTACK_CHECK -m recent --set --name ATTACK2 --rsource #fi #------------------------------------------ # All good, so return # #$IPTABLES -A ATTACK_CHECK -j ACCEPT $IPTABLES -A ATTACK_CHECK -j RETURN # # Loop through all BANNED groups and jump to 1st one found. $IPTABLES -A ATTACKED1 -m recent --rcheck --name BANNED8 --rsource -j BAN9 $IPTABLES -A ATTACKED1 -m recent --rcheck --name BANNED7 --rsource -j BAN8 $IPTABLES -A ATTACKED1 -m recent --rcheck --name BANNED6 --rsource -j BAN7 $IPTABLES -A ATTACKED1 -m recent --rcheck --name BANNED5 --rsource -j BAN6 $IPTABLES -A ATTACKED1 -m recent --rcheck --name BANNED4 --rsource -j BAN5 $IPTABLES -A ATTACKED1 -m recent --rcheck --name BANNED3 --rsource -j BAN4 $IPTABLES -A ATTACKED1 -m recent --rcheck --name BANNED2 --rsource -j BAN3 $IPTABLES -A ATTACKED1 -m recent --rcheck --name BANNED1 --rsource -j BAN2 $IPTABLES -A ATTACKED1 -j BAN1 # Loop through all BANNED groups and jump to 1st one found. $IPTABLES -A ATTACKED2 -m recent --rcheck --name BANNED8 --rsource -j BAN9 $IPTABLES -A ATTACKED2 -m recent --rcheck --name BANNED7 --rsource -j BAN8 $IPTABLES -A ATTACKED2 -m recent --rcheck --name BANNED6 --rsource -j BAN7 $IPTABLES -A ATTACKED2 -m recent --rcheck --name BANNED5 --rsource -j BAN6 $IPTABLES -A ATTACKED2 -m recent --rcheck --name BANNED4 --rsource -j BAN5 $IPTABLES -A ATTACKED2 -m recent --rcheck --name BANNED3 --rsource -j BAN4 $IPTABLES -A ATTACKED2 -m recent --rcheck --name BANNED2 --rsource -j BAN3 $IPTABLES -A ATTACKED2 -j BAN2 # Loop through all BANNED groups and jump to 1st one found. $IPTABLES -A ATTACKED3 -m recent --rcheck --name BANNED8 --rsource -j BAN9 $IPTABLES -A ATTACKED3 -m recent --rcheck --name BANNED7 --rsource -j BAN8 $IPTABLES -A ATTACKED3 -m recent --rcheck --name BANNED6 --rsource -j BAN7 $IPTABLES -A ATTACKED3 -m recent --rcheck --name BANNED5 --rsource -j BAN6 $IPTABLES -A ATTACKED3 -m recent --rcheck --name BANNED4 --rsource -j BAN5 $IPTABLES -A ATTACKED3 -m recent --rcheck --name BANNED3 --rsource -j BAN4 $IPTABLES -A ATTACKED3 -j BAN3 # Loop through all BANNED groups and jump to 1st one found. $IPTABLES -A ATTACKED4 -m recent --rcheck --name BANNED8 --rsource -j BAN9 $IPTABLES -A ATTACKED4 -m recent --rcheck --name BANNED7 --rsource -j BAN8 $IPTABLES -A ATTACKED4 -m recent --rcheck --name BANNED6 --rsource -j BAN7 $IPTABLES -A ATTACKED4 -m recent --rcheck --name BANNED5 --rsource -j BAN6 $IPTABLES -A ATTACKED4 -m recent --rcheck --name BANNED4 --rsource -j BAN5 $IPTABLES -A ATTACKED4 -j BAN4 # Loop through all BANNED groups and jump to 1st one found. $IPTABLES -A ATTACKED5 -m recent --rcheck --name BANNED8 --rsource -j BAN9 $IPTABLES -A ATTACKED5 -m recent --rcheck --name BANNED7 --rsource -j BAN8 $IPTABLES -A ATTACKED5 -m recent --rcheck --name BANNED6 --rsource -j BAN7 $IPTABLES -A ATTACKED5 -m recent --rcheck --name BANNED5 --rsource -j BAN6 $IPTABLES -A ATTACKED5 -j BAN5 # Loop through all BANNED groups and jump to 1st one found. $IPTABLES -A ATTACKED6 -m recent --rcheck --name BANNED8 --rsource -j BAN9 $IPTABLES -A ATTACKED6 -m recent --rcheck --name BANNED7 --rsource -j BAN8 $IPTABLES -A ATTACKED6 -m recent --rcheck --name BANNED6 --rsource -j BAN7 $IPTABLES -A ATTACKED6 -j BAN6 # Loop through all BANNED groups and jump to 1st one found. $IPTABLES -A ATTACKED7 -m recent --rcheck --name BANNED8 --rsource -j BAN9 $IPTABLES -A ATTACKED7 -m recent --rcheck --name BANNED7 --rsource -j BAN8 $IPTABLES -A ATTACKED7 -j BAN7 # Loop through all BANNED groups and jump to 1st one found. $IPTABLES -A ATTACKED8 -m recent --rcheck --name BANNED8 --rsource -j BAN9 $IPTABLES -A ATTACKED8 -j BAN8 # Only 1 possible group to jump to. $IPTABLES -A ATTACKED9 -j BAN9 # Log and then Drop. $IPTABLES -A BAN1 -m limit --limit $LIMIT_LOG -j LOG --log-level $LOG_LEVEL --log-prefix "IPT=BAN1 a=DROP " $IPTABLES -A BAN1 -m recent --set --name BANNED1 --rsource -j DROP # Log. # Remove from prev BANNED group. # Add to next higher BANNED group; therefore more delay. # Drop. $IPTABLES -A BAN2 -m limit --limit $LIMIT_LOG -j LOG --log-level $LOG_LEVEL --log-prefix "IPT=BAN2 a=DROP " $IPTABLES -A BAN2 -m recent --remove --name BANNED1 --rsource $IPTABLES -A BAN2 -m recent --set --name BANNED2 --rsource -j DROP $IPTABLES -A BAN3 -m limit --limit $LIMIT_LOG -j LOG --log-level $LOG_LEVEL --log-prefix "IPT=BAN3 a=DROP " $IPTABLES -A BAN3 -m recent --remove --name BANNED2 --rsource $IPTABLES -A BAN3 -m recent --set --name BANNED3 --rsource -j DROP $IPTABLES -A BAN4 -m limit --limit $LIMIT_LOG -j LOG --log-level $LOG_LEVEL --log-prefix "IPT=BAN4 a=DROP " $IPTABLES -A BAN4 -m recent --remove --name BANNED3 --rsource $IPTABLES -A BAN4 -m recent --set --name BANNED4 --rsource -j DROP $IPTABLES -A BAN5 -m limit --limit $LIMIT_LOG -j LOG --log-level $LOG_LEVEL --log-prefix "IPT=BAN5 a=DROP " $IPTABLES -A BAN5 -m recent --remove --name BANNED4 --rsource $IPTABLES -A BAN5 -m recent --set --name BANNED5 --rsource -j DROP $IPTABLES -A BAN6 -m limit --limit $LIMIT_LOG -j LOG --log-level $LOG_LEVEL --log-prefix "IPT=BAN6 a=DROP " $IPTABLES -A BAN6 -m recent --remove --name BANNED5 --rsource $IPTABLES -A BAN6 -m recent --set --name BANNED6 --rsource -j DROP $IPTABLES -A BAN7 -m limit --limit $LIMIT_LOG -j LOG --log-level $LOG_LEVEL --log-prefix "IPT=BAN7 a=DROP " $IPTABLES -A BAN7 -m recent --remove --name BANNED6 --rsource $IPTABLES -A BAN7 -m recent --set --name BANNED7 --rsource -j DROP $IPTABLES -A BAN8 -m limit --limit $LIMIT_LOG -j LOG --log-level $LOG_LEVEL --log-prefix "IPT=BAN8 a=DROP " $IPTABLES -A BAN8 -m recent --remove --name BANNED7 --rsource $IPTABLES -A BAN8 -m recent --set --name BANNED8 --rsource -j DROP $IPTABLES -A BAN9 -m limit --limit $LIMIT_LOG -j LOG --log-level $LOG_LEVEL --log-prefix "IPT=BAN9 a=DROP " $IPTABLES -A BAN9 -m recent --remove --name BANNED8 --rsource $IPTABLES -A BAN9 -m recent --set --name BANNED9 --rsource -j DROP # fi # #------------------------------------------ # # This will allow three connections from any given IP address # within a 60 second period, and require 60 seconds of no # subsequent connection attempts before it will resume allowing # connections again. # # The --rttl option also takes into account the TTL of the # datagram when matching packets, so as to endeavour to mitigate # against spoofed source addresses. # # Does not not stop any established connections from the host # that has made too many connections in a short period of time. # # Allows for whitelisting. # # The Linux kernel will maintain a list of portscan IPs which # can be accessed at the location /proc/net/ipt_recent/BLACKLIST # ##########################################################START # # # # #if [ $BLOCK_CONNECTIONS_COUNT -eq 1 ] #then # These rules are set to simply count the number of new connections. #$IPTABLES -A BLACKLIST -m conntrack --ctstate NEW -m recent --set --name CONNECTION_COUNT_1 #$IPTABLES -A BLACKLIST -m conntrack --ctstate NEW -m recent --set --name CONNECTION_COUNT_2 #$IPTABLES -A BLACKLIST -m conntrack --ctstate NEW -m recent --set --name CONNECTION_COUNT_3 #$IPTABLES -A BLACKLIST -m conntrack --ctstate NEW -m recent --set --name CONNECTION_COUNT_4 #$IPTABLES -A BLACKLIST -m conntrack --ctstate NEW -m recent --set --name CONNECTION_COUNT_5 #$IPTABLES -A BLACKLIST -m conntrack --ctstate NEW -m recent --set --name CONNECTION_COUNT_6 #$IPTABLES -A BLACKLIST -m conntrack --ctstate NEW -m recent --set --name CONNECTION_COUNT_7 #$IPTABLES -A BLACKLIST -m conntrack --ctstate NEW -m recent --set --name CONNECTION_COUNT_8 #$IPTABLES -A BLACKLIST -m conntrack --ctstate NEW -m recent --set --name CONNECTION_COUNT_9 # #$IPTABLES -A BLACKLIST -m conntrack --ctstate NEW -m recent --name CONNECTION_COUNT_9 --update --seconds $CONNECTION_TIMEOUT_9 --hitcount $CONNECTION_MAX_9 --rttl -j LOG --log-level $LOG_LEVEL --log-prefix "IPT=CONN_COUNT_9 a=DROP " #$IPTABLES -A BLACKLIST -m conntrack --ctstate NEW -m recent --name CONNECTION_COUNT_9 --update --seconds $CONNECTION_TIMEOUT_9 --hitcount $CONNECTION_MAX_9 --rttl -j DROP #$IPTABLES -A BLACKLIST -m conntrack --ctstate NEW -m recent --name CONNECTION_COUNT_8 --update --seconds $CONNECTION_TIMEOUT_8 --hitcount $CONNECTION_MAX_8 --rttl -j LOG --log-level $LOG_LEVEL --log-prefix "IPT=CONN_COUNT_8 a=DROP " #$IPTABLES -A BLACKLIST -m conntrack --ctstate NEW -m recent --name CONNECTION_COUNT_8 --update --seconds $CONNECTION_TIMEOUT_8 --hitcount $CONNECTION_MAX_8 --rttl -j DROP #$IPTABLES -A BLACKLIST -m conntrack --ctstate NEW -m recent --name CONNECTION_COUNT_7 --update --seconds $CONNECTION_TIMEOUT_7 --hitcount $CONNECTION_MAX_7 --rttl -j LOG --log-level $LOG_LEVEL --log-prefix "IPT=CONN_COUNT_7 a=DROP " #$IPTABLES -A BLACKLIST -m conntrack --ctstate NEW -m recent --name CONNECTION_COUNT_7 --update --seconds $CONNECTION_TIMEOUT_7 --hitcount $CONNECTION_MAX_7 --rttl -j DROP #$IPTABLES -A BLACKLIST -m conntrack --ctstate NEW -m recent --name CONNECTION_COUNT_6 --update --seconds $CONNECTION_TIMEOUT_6 --hitcount $CONNECTION_MAX_6 --rttl -j LOG --log-level $LOG_LEVEL --log-prefix "IPT=CONN_COUNT_6 a=DROP " #$IPTABLES -A BLACKLIST -m conntrack --ctstate NEW -m recent --name CONNECTION_COUNT_6 --update --seconds $CONNECTION_TIMEOUT_6 --hitcount $CONNECTION_MAX_6 --rttl -j DROP #$IPTABLES -A BLACKLIST -m conntrack --ctstate NEW -m recent --name CONNECTION_COUNT_5 --update --seconds $CONNECTION_TIMEOUT_5 --hitcount $CONNECTION_MAX_5 --rttl -j LOG --log-level $LOG_LEVEL --log-prefix "IPT=CONN_COUNT_5 a=DROP " #$IPTABLES -A BLACKLIST -m conntrack --ctstate NEW -m recent --name CONNECTION_COUNT_5 --update --seconds $CONNECTION_TIMEOUT_5 --hitcount $CONNECTION_MAX_5 --rttl -j DROP #$IPTABLES -A BLACKLIST -m conntrack --ctstate NEW -m recent --name CONNECTION_COUNT_4 --update --seconds $CONNECTION_TIMEOUT_4 --hitcount $CONNECTION_MAX_4 --rttl -j LOG --log-level $LOG_LEVEL --log-prefix "IPT=CONN_COUNT_4 a=DROP " #$IPTABLES -A BLACKLIST -m conntrack --ctstate NEW -m recent --name CONNECTION_COUNT_4 --update --seconds $CONNECTION_TIMEOUT_4 --hitcount $CONNECTION_MAX_4 --rttl -j DROP #$IPTABLES -A BLACKLIST -m conntrack --ctstate NEW -m recent --name CONNECTION_COUNT_3 --update --seconds $CONNECTION_TIMEOUT_3 --hitcount $CONNECTION_MAX_3 --rttl -j LOG --log-level $LOG_LEVEL --log-prefix "IPT=CONN_COUNT_3 a=DROP " #$IPTABLES -A BLACKLIST -m conntrack --ctstate NEW -m recent --name CONNECTION_COUNT_3 --update --seconds $CONNECTION_TIMEOUT_3 --hitcount $CONNECTION_MAX_3 --rttl -j DROP #$IPTABLES -A BLACKLIST -m conntrack --ctstate NEW -m recent --name CONNECTION_COUNT_2 --update --seconds $CONNECTION_TIMEOUT_2 --hitcount $CONNECTION_MAX_2 --rttl -j LOG --log-level $LOG_LEVEL --log-prefix "IPT=CONN_COUNT_2 a=DROP " #$IPTABLES -A BLACKLIST -m conntrack --ctstate NEW -m recent --name CONNECTION_COUNT_2 --update --seconds $CONNECTION_TIMEOUT_2 --hitcount $CONNECTION_MAX_2 --rttl -j DROP #$IPTABLES -A BLACKLIST -m conntrack --ctstate NEW -m recent --name CONNECTION_COUNT_1 --update --seconds $CONNECTION_TIMEOUT_1 --hitcount $CONNECTION_MAX_1 --rttl -j LOG --log-level $LOG_LEVEL --log-prefix "IPT=CONN_COUNT_1 a=DROP " #$IPTABLES -A BLACKLIST -m conntrack --ctstate NEW -m recent --name CONNECTION_COUNT_1 --update --seconds $CONNECTION_TIMEOUT_1 --hitcount $CONNECTION_MAX_1 --rttl -j DROP # #fi # ############################################################END # #------------------------------------------ # Block any other required ports # #$IPTABLES -A BLACKLIST -i ! lo -m tcp -p tcp --dport 1433 -m recent --name BLACKLIST --set -j DROP #$IPTABLES -A BLACKLIST -i ! lo -m tcp -p tcp --dport 3306 -m recent --name BLACKLIST --set -j DROP #$IPTABLES -A BLACKLIST -i ! lo -m tcp -p tcp --dport 8086 -m recent --name BLACKLIST --set -j DROP #$IPTABLES -A BLACKLIST -i ! lo -m tcp -p tcp --dport 10000 -m recent --name BLACKLIST --set -j DROP #$IPTABLES -A BLACKLIST -s 99.99.99.99 -j DROP # #------------------------------------------ # Block partizans # $IPTABLES -A BLACKLIST -s $UNTRUSTED_HOSTS -j DROP # #------------------------------------------ # Drop Private Network Address On Public Interface # #$IPTABLES -A BLACKLIST -s LOCAL_NET -i INET_IFACE -j LOG --log-level $LOG_LEVEL --log-prefix "IPT=INET Addr on Local a=DROP " #$IPTABLES -A BLACKLIST -s LOCAL_NET -i INET_IFACE -j DROP # #------------------------------------------ # Block any flooding # if [ $BLOCK_FLOODS -eq 1 ] then $IPTABLES -A BLACKLIST -j FLOODS fi # #------------------------------------------ # Block Viruses # if [ $BLOCK_VIRUSES -eq 1 ] then $IPTABLES -A BLACKLIST -j VIRUS fi # #------------------------------------------ # Block Akamai # # http://www.matveev.se/net/akamai.htm # if [ $BLOCK_AKAMAI -eq 1 ] then $IPTABLES -A BLACKLIST -s $RANGE_AKAMAI -m limit --limit $LIMIT_LOG --limit-burst $LIMIT_LOG_BURST -j LOG --log-level $LOG_LEVEL --log-prefix "IPT=AKAMAI a=DROP " $IPTABLES -A BLACKLIST -s $RANGE_AKAMAI -j DROP #$IPTABLES -A BLACKLIST -s 2.16.0.0/13 -j DROP #$IPTABLES -A BLACKLIST -s 2.23.144.0/20 -j DROP #$IPTABLES -A BLACKLIST -s 23.0.0.0/12 -j DROP #$IPTABLES -A BLACKLIST -s 23.32.0.0/11 -j DROP #$IPTABLES -A BLACKLIST -s 23.64.0.0/14 -j DROP #$IPTABLES -A BLACKLIST -s 62.115.0.0/16 -j DROP #$IPTABLES -A BLACKLIST -s 72.246.0.0/15 -j DROP #$IPTABLES -A BLACKLIST -s 80.239.128.0/19 -j DROP #$IPTABLES -A BLACKLIST -s 80.239.160.0/19 -j DROP #$IPTABLES -A BLACKLIST -s 80.239.192.0/19 -j DROP #$IPTABLES -A BLACKLIST -s 80.239.224.0/19 -j DROP #$IPTABLES -A BLACKLIST -s 84.53.168.0/22 -j DROP #$IPTABLES -A BLACKLIST -s 88.221.176.0/21 -j DROP #$IPTABLES -A BLACKLIST -s 96.6.0.0/15 -j DROP #$IPTABLES -A BLACKLIST -s 96.16.0.0/15 -j DROP #$IPTABLES -A BLACKLIST -s 217.208.0.0/13 -j DROP #$IPTABLES -A BLACKLIST -s 74.125.0.0/16 -j DROP #$IPTABLES -A BLACKLIST -s 74.125.0.0/16 -j DROP #$IPTABLES -A BLACKLIST -s 173.194.0.0/16 -j DROP #$IPTABLES -A BLACKLIST -s 173.194.0.0/16 -j DROP #$IPTABLES -A BLACKLIST -s 173.194.0.0/16 -j DROP #$IPTABLES -A BLACKLIST -s 209.85.128.0/17 -j DROP #$IPTABLES -A BLACKLIST -s 209.85.128.0/17 -j DROP fi # #------------------------------------------ if [ $BLOCK_FACEBOOK -eq 1 ] then $IPTABLES -A BLACKLIST -p tcp -m iprange --dst-range 66.220.144.0-66.220.159.255 --dport 443 -j DROP $IPTABLES -A BLACKLIST -p tcp -m iprange --dst-range 69.63.176.0-69.63.191.255 --dport 443 -j DROP $IPTABLES -A BLACKLIST -p tcp -m iprange --dst-range 204.15.20.0-204.15.23.255 --dport 443 -j DROP $IPTABLES -A BLACKLIST -p tcp -m iprange --dst-range 66.220.144.0-66.220.159.255 --dport 80 -j DROP $IPTABLES -A BLACKLIST -p tcp -m iprange --dst-range 69.63.176.0-69.63.191.255 --dport 80 -j DROP $IPTABLES -A BLACKLIST -p tcp -m iprange --dst-range 204.15.20.0-204.15.23.255 --dport 80 -j DROP fi # #------------------------------------------ # All good, so return # $IPTABLES -A BLACKLIST -j RETURN # #********************************************************* # Filter Floods # if [ $BLOCK_FLOODS -eq 1 ] then # # Allow 4 TCP connects per second, no more # Allow $LIMIT_PER_SECOND TCP connects per second, no more # #$IPTABLES -A FLOODS -m limit --limit 1/s --limit-burst 4 -j RETURN $IPTABLES -A FLOODS -m limit --limit 1/s --limit-burst $LIMIT_PER_SECOND -j RETURN # #------------------------------------------ # Block DDOS - SYN-flood # #$IPTABLES -A FLOODS -p tcp --syn -m connlimit --connlimit-above 9 -j LOG --log-level $LOG_LEVEL --log-prefix "IPT=TCP:SYN flood:1 a=DROP " #$IPTABLES -A FLOODS -p tcp --syn -m connlimit --connlimit-above 9 -j DROP $IPTABLES -A FLOODS -p tcp --syn -m connlimit --connlimit-above $LIMIT_SYN_MAX -j LOG --log-level $LOG_LEVEL --log-prefix "IPT=TCP:SYN Flood a=DROP " $IPTABLES -A FLOODS -p tcp --syn -m connlimit --connlimit-above $LIMIT_SYN_MAX -j DROP # # PETER - possibably instead of dropping set a mark or a name and only if name set right at bottom then drop. # - else it seems that 1st drop for e.g. tcp wont allow this to reach 2nd tcp check... #------------------------------------------ # TCP Flood protection. Accept $LIMIT_TCP requests/sec, rest will be logged/dropped. # $IPTABLES -A FLOODS -p tcp -m limit --limit $LIMIT_TCP --limit-burst $LIMIT_TCP_BURST -j RETURN $IPTABLES -A FLOODS -p tcp -m limit --limit $LIMIT_LOG --limit-burst $LIMIT_LOG_BURST -j LOG --log-level $LOG_LEVEL --log-prefix "IPT=TCP:Flood a=DROP " $IPTABLES -A FLOODS -p tcp -m limit -j DROP # #------------------------------------------ # UDP Flood protection. Accept $LIMIT_UDP requests/sec, rest will be logged/dropped. # $IPTABLES -A FLOODS -p udp -m limit --limit $LIMIT_UDP --limit-burst $LIMIT_UDP_BURST -j RETURN $IPTABLES -A FLOODS -p udp -m limit --limit $LIMIT_LOG --limit-burst $LIMIT_LOG_BURST -j LOG --log-level $LOG_LEVEL --log-prefix "IPT=UDP:Flood a=DROP " $IPTABLES -A FLOODS -p udp -m limit -j DROP # #------------------------------------------ # TCP Flood protection. Accept $LIMIT_PING requests/sec, rest will be logged/dropped. # 3 minutes ban for flooders # # $IPTABLES -A FLOODS -p tcp -m limit --limit 2/s --limit-burst 6 -m comment --comment "IPT=TCP:Flood Limit " -j RETURN $IPTABLES -A FLOODS -p tcp -m limit --limit 6/h --limit-burst 1 -j LOG --log-prefix "IPT=TCP:Flood Limit a=DROP " $IPTABLES -A FLOODS -p tcp -m recent --name FLOOD --set -m comment --comment "IPT=TCP:Flood Limit a=DROP " -j DROP # #------------------------------------------ # Limit UDP rate to 10/sec with burst at 20 (sometimes it is not enough, if you know a better average rate, let me know!) # 3 minutes ban for flooders # $IPTABLES -A FLOODS -p udp -m limit --limit 10/s --limit-burst 20 -m comment --comment "IPT=UDP:Flood Limit " -j RETURN $IPTABLES -A FLOODS -p udp -m limit --limit 6/h --limit-burst 1 -j LOG --log-prefix "IPT=UDP:Flood Limit a=DROP" $IPTABLES -A FLOODS -p udp -m recent --name FLOOD --set -m comment --comment "IPT=UDP:Flood Limit a=DROP " -j DROP # #------------------------------------------ # All good, so return # $IPTABLES -A FLOODS -j RETURN # # fi # #********************************************************* # Create a chain to filter known Viruses # # if [ $BLOCK_VIRUSES -eq 1 ] then # # One of the most powerful netfilter patches allows you to match # packets based on their content. # # Use the experimental string-matching patch to filter out packets # that match a certain string. # #------------------------------------------ # DROP HTTP packets related to CodeRed and Nimda viruses silently # #$IPTABLES -A VIRUS -t filter -p tcp -i $INET_IFACE -d $LOCAL_IP --dport 80 -m string --string "/default.ida?" --algo $STRING_ALGO -j DROP #$IPTABLES -A VIRUS -t filter -p tcp -i $INET_IFACE -d $LOCAL_IP --dport 80 -m string --string ".exe?/c+dir" --algo $STRING_ALGO -j DROP #$IPTABLES -A VIRUS -t filter -p tcp -i $INET_IFACE -d $LOCAL_IP --dport 80 -m string --string ".exe?/c+tftp" --algo $STRING_ALGO -j DROP # #------------------------------------------ # If you port forward your HTTP requests to an internal host, # filter out the CodeRed virus in the FORWARD chain with this rule: # #$IPTABLES -A FORWARD -t filter -p tcp --dport 80 -m string --string "/default.ida?" --algo $STRING_ALGO -j DROP # #------------------------------------------ # Torrent ALGO Strings using Boyer-Moore # $IPTABLES -A VIRUS -t filter -m string --algo bm --string "BitTorrent" -j DROP $IPTABLES -A VIRUS -t filter -m string --algo bm --string "BitTorrent protocol" -j DROP $IPTABLES -A VIRUS -t filter -m string --algo bm --string "peer_id=" -j DROP $IPTABLES -A VIRUS -t filter -m string --algo bm --string ".torrent" -j DROP $IPTABLES -A VIRUS -t filter -m string --algo bm --string "announce.php?passkey=" -j DROP $IPTABLES -A VIRUS -t filter -m string --algo bm --string "torrent" -j DROP $IPTABLES -A VIRUS -t filter -m string --algo bm --string "announce" -j DROP $IPTABLES -A VIRUS -t filter -m string --algo bm --string "info_hash" -j DROP $IPTABLES -A VIRUS -t filter -m string --algo bm --string "/default.ida?" -j DROP $IPTABLES -A VIRUS -t filter -m string --algo bm --string ".exe?/c+dir" -j DROP $IPTABLES -A VIRUS -t filter -m string --algo bm --string ".exe?/c_tftp" -j DROP # #------------------------------------------ # Torrent Keys # $IPTABLES -A VIRUS -t filter -m string --algo kmp --string "peer_id" -j DROP $IPTABLES -A VIRUS -t filter -m string --algo kmp --string "BitTorrent" -j DROP $IPTABLES -A VIRUS -t filter -m string --algo kmp --string "BitTorrent protocol" -j DROP $IPTABLES -A VIRUS -t filter -m string --algo kmp --string "bittorrent-announce" -j DROP $IPTABLES -A VIRUS -t filter -m string --algo kmp --string "announce.php?passkey=" -j DROP # #------------------------------------------ # Distributed Hash Table (DHT) Keywords # $IPTABLES -A VIRUS -t filter -m string --algo kmp --string "find_node" -j DROP $IPTABLES -A VIRUS -t filter -m string --algo kmp --string "info_hash" -j DROP $IPTABLES -A VIRUS -t filter -m string --algo kmp --string "get_peers" -j DROP $IPTABLES -A VIRUS -t filter -m string --algo kmp --string "announce" -j DROP $IPTABLES -A VIRUS -t filter -m string --algo kmp --string "announce_peers" -j DROP # # Block Common Virus Ports #iptables -A OUTPUT -o eth0 -p tcp --dport 31337 --sport 31337 -j DROP #iptables -A FORWARD -o eth0 -p tcp --dport 31337 --sport 31337 -j DROP # add action=drop chain=virus comment="Blaster Worm" dst-port=135-139 protocol=tcp # add action=drop chain=virus comment="Blaster Worm" dst-port=445 protocol=tcp # add action=drop chain=virus comment="Messenger Worm" dst-port=135-139 protocol=udp # add action=drop chain=virus comment="Blaster Worm" dst-port=445 protocol=udp # add action=drop chain=virus comment=________ dst-port=593 protocol=tcp # add action=drop chain=virus comment=________ dst-port=1024-1030 protocol=tcp # add action=drop chain=virus comment=MyDoom dst-port=1080 protocol=tcp # add action=drop chain=virus comment=________ dst-port=1214 protocol=tcp # add action=drop chain=virus comment="ndm requester" dst-port=1363 protocol=tcp # add action=drop chain=virus comment="ndm server" dst-port=1364 protocol=tcp # add action=drop chain=virus comment="screen cast" dst-port=1368 protocol=tcp # add action=drop chain=virus comment=hromgrafx dst-port=1373 protocol=tcp # add action=drop chain=virus comment=cichlid dst-port=1377 protocol=tcp # add action=drop chain=virus comment="Bagle Virus" dst-port=2745 protocol=tcp # add action=drop chain=virus comment=Dumaru.Y dst-port=2283 protocol=tcp # add action=drop chain=virus comment=Beagle dst-port=2535 protocol=tcp # add action=drop chain=virus comment=Beagle.C-K dst-port=2745 protocol=tcp # add action=drop chain=virus comment=MyDoom dst-port=3127-3128 protocol=tcp # add action=drop chain=virus comment="Backdoor OptixPro" dst-port=3410 protocol=tcp # add action=drop chain=virus comment=Sasser dst-port=5554 protocol=tcp # add action=drop chain=virus comment=Beagle.B dst-port=8866 protocol=tcp # add action=drop chain=virus comment=Dabber.A-B dst-port=9898 protocol=tcp # add action=drop chain=virus comment=Dumaru.Y dst-port=10000 protocol=tcp # add action=drop chain=virus comment=MyDoom.B dst-port=10080 protocol=tcp # add action=drop chain=virus comment=NetBus dst-port=12345 protocol=tcp # add action=drop chain=virus comment=Kuang2 dst-port=17300 protocol=tcp # add action=drop chain=virus comment=SubSeven dst-port=27374 protocol=tcp # add action=drop chain=virus comment="PhatBot, Agobot, Gaobot" dst-port=65506 protocol=tcp #------------------------------------------ # All good, so return # $IPTABLES -A VIRUS -j RETURN # # fi # #********************************************************* # Create a chain to filter PRIVATE ADDRESS packets # This chain is for inbound (from the Internet) private packets only. # #------------------------------------------ # Drop packets from private address ranges coming in on the external # Drop multicast adresses # $IPTABLES -A PRIVATE_PACKETS -s 0.0.0.0/8 -m limit --limit $LIMIT_LOG --limit-burst $LIMIT_LOG_BURST -j LOG --log-level $LOG_LEVEL --log-prefix "IPT=IP_SPOOF:0 a=DROP " $IPTABLES -A PRIVATE_PACKETS -s 0.0.0.0/8 -j DROP # $IPTABLES -A PRIVATE_PACKETS -s 10.0.0.0/8 -m limit --limit $LIMIT_LOG --limit-burst $LIMIT_LOG_BURST -j LOG --log-level $LOG_LEVEL --log-prefix "IPT=IP_SPOOF:A a=DROP " $IPTABLES -A PRIVATE_PACKETS -s 10.0.0.0/8 -j DROP # $IPTABLES -A PRIVATE_PACKETS -s 127.0.0.0/8 -m limit --limit $LIMIT_LOG --limit-burst $LIMIT_LOG_BURST -j LOG --log-level $LOG_LEVEL --log-prefix "IPT=IP_SPOOF:127 a=DROP " $IPTABLES -A PRIVATE_PACKETS -s 127.0.0.0/8 -j DROP # $IPTABLES -A PRIVATE_PACKETS -s 169.254.0.0/16 -m limit --limit $LIMIT_LOG --limit-burst $LIMIT_LOG_BURST -j LOG --log-level $LOG_LEVEL --log-prefix "IPT=IP_SPOOF:169 a=DROP " $IPTABLES -A PRIVATE_PACKETS -s 169.254.0.0/16 -j DROP # $IPTABLES -A PRIVATE_PACKETS -s 172.16.0.0/12 -m limit --limit $LIMIT_LOG --limit-burst $LIMIT_LOG_BURST -j LOG --log-level $LOG_LEVEL --log-prefix "IPT=IP_SPOOF:B a=DROP " $IPTABLES -A PRIVATE_PACKETS -s 172.16.0.0/12 -j DROP # $IPTABLES -A PRIVATE_PACKETS -s 192.16.0.0/16 -m limit --limit $LIMIT_LOG --limit-burst $LIMIT_LOG_BURST -j LOG --log-level $LOG_LEVEL --log-prefix "IPT=IP_SPOOF:C a=DROP " $IPTABLES -A PRIVATE_PACKETS -s 192.0.0.0/24 -j DROP # $IPTABLES -A PRIVATE_PACKETS -s 224.0.0.0/4 -m limit --limit $LIMIT_LOG --limit-burst $LIMIT_LOG_BURST -j LOG --log-level $LOG_LEVEL --log-prefix "IPT=IP_SPOOF:D a=DROP " $IPTABLES -A PRIVATE_PACKETS -s 224.0.0.0/4 -j DROP # $IPTABLES -A PRIVATE_PACKETS -s 239.255.255.0/24 -m limit --limit $LIMIT_LOG --limit-burst $LIMIT_LOG_BURST -j LOG --log-level $LOG_LEVEL --log-prefix "IPT=IP_SPOOF:239 a=DROP " $IPTABLES -A PRIVATE_PACKETS -s 239.255.255.0/24 -j DROP # $IPTABLES -A PRIVATE_PACKETS -s 240.0.0.0/5 -m limit --limit $LIMIT_LOG --limit-burst $LIMIT_LOG_BURST -j LOG --log-level $LOG_LEVEL --log-prefix "IPT=IP_SPOOF:240 a=DROP " $IPTABLES -A PRIVATE_PACKETS -s 240.0.0.0/5 -j DROP # $IPTABLES -A PRIVATE_PACKETS -s 248.0.0.0/5 -m limit --limit $LIMIT_LOG --limit-burst $LIMIT_LOG_BURST -j LOG --log-level $LOG_LEVEL --log-prefix "IPT=IP_SPOOF:248 a=DROP " $IPTABLES -A PRIVATE_PACKETS -s 248.0.0.0/5 -j DROP # # 255=FAKE CLASS E # $IPTABLES -A PRIVATE_PACKETS -s 255.255.255.255/32 -m limit --limit $LIMIT_LOG --limit-burst $LIMIT_LOG_BURST -j LOG --log-level $LOG_LEVEL --log-prefix "IPT=IP_SPOOF:255 a=DROP " $IPTABLES -A PRIVATE_PACKETS -s 255.255.255.255/32 -j DROP # #------------------------------------------ # All good, so return # $IPTABLES -A PRIVATE_PACKETS -j RETURN # #********************************************************* # Create a chain to filter incoming ICMP packets # This chain is for inbound (from the Internet) icmp packets only. # # For more info on ICMP types. # # http://www.iana.org/assignments/icmp-parameters/icmp-parameters.xml # iptables -p icmp -h # # # Type 0 is for echo-reply # Type 1 is Unassigned # Type 2 is Unassigned # Type 3 is for destination-unreachable # Type 4 is for source quench (depreciated) # Type 5 is for redirect # Type 6 is for alternative host address # Type 7 is Unassigned # Type 8 is for echo-request. # Type 9 is for router advertisement # Type 10 is for router solicitation # Type 11 is for time-exceeded # Type 12 is for parameter problem # Type 13 is for timestamp # Type 14 is for timestamp-reply # Type 15 is for information-request # Type 16 is for information-reply # Type 17 is for address-mask-request # Type 18 is for address-mask-reply # Type 19 is reserved (for security) # Type 30 is for traceroute # Type 31 is for datagram conversion error # Type 32 is for mobile host redirect # Type 33 is for IPv6 where-are you # Type 34 is for IPv6 I-am-here # Type 35 is for mobile registration request # Type 36 is for mobile registration reply # Type 37 is for domain name request # Type 38 is for domain name reply # Type 39 is for SKIP # Type 40 is for Photunis # Type 41 is for ICMP messages utilized by experimental mobility protocols such as Seamoby # # #--reject-with icmp-port-unreachable #--reject-with icmp6-port-unreachable # #$IPTABLES -A ICMP_IN -i INET_IFACE -p icmp --icmp-type address-mask-reply -j ACCEPT #$IPTABLES -A ICMP_IN -i INET_IFACE -p icmp --icmp-type required-option-missing -j ACCEPT #$IPTABLES -A ICMP_IN -i INET_IFACE -p icmp --icmp-type parameter-problem -j ACCEPT #$IPTABLES -A ICMP_IN -i INET_IFACE -p icmp --icmp-type ip-header-bad -j ACCEPT #$IPTABLES -A ICMP_IN -i INET_IFACE -p icmp --icmp-type time-exceeded -j ACCEPT #$IPTABLES -A ICMP_IN -i INET_IFACE -p icmp --icmp-type TOS-host-unreachable -j ACCEPT #$IPTABLES -A ICMP_IN -i INET_IFACE -p icmp --icmp-type source-route-failed -j ACCEPT #$IPTABLES -A ICMP_IN -i INET_IFACE -p icmp --icmp-type network-unknown -j ACCEPT #$IPTABLES -A ICMP_IN -i INET_IFACE -p icmp --icmp-type echo-reply -j ACCEPT # Deny ICMP types inbound #$IPTABLES -A ICMP_IN -i INET_IFACE -p icmp --icmp-type destination-unreachable -j DROP #$IPTABLES -A ICMP_IN -i INET_IFACE -p icmp --icmp-type network-unreachable -j DROP #$IPTABLES -A ICMP_IN -i INET_IFACE -p icmp --icmp-type host-unreachable -j DROP #$IPTABLES -A ICMP_IN -i INET_IFACE -p icmp --icmp-type protocol-unreachable -j DROP #$IPTABLES -A ICMP_IN -i INET_IFACE -p icmp --icmp-type port-unreachable -j DROP #$IPTABLES -A ICMP_IN -i INET_IFACE -p icmp --icmp-type fragmentation-needed -j DROP #$IPTABLES -A ICMP_IN -i INET_IFACE -p icmp --icmp-type host-unknown -j DROP #$IPTABLES -A ICMP_IN -i INET_IFACE -p icmp --icmp-type network-prohibited -j DROP #$IPTABLES -A ICMP_IN -i INET_IFACE -p icmp --icmp-type host-prohibited -j DROP #$IPTABLES -A ICMP_IN -i INET_IFACE -p icmp --icmp-type TOS-network-unreachable -j DROP #$IPTABLES -A ICMP_IN -i INET_IFACE -p icmp --icmp-type communication-prohibited -j DROP #$IPTABLES -A ICMP_IN -i INET_IFACE -p icmp --icmp-type host-precedence-violation -j DROP #$IPTABLES -A ICMP_IN -i INET_IFACE -p icmp --icmp-type precedence-cutoff -j DROP #$IPTABLES -A ICMP_IN -i INET_IFACE -p icmp --icmp-type source-quench -j DROP #$IPTABLES -A ICMP_IN -i INET_IFACE -p icmp --icmp-type redirect -j DROP #$IPTABLES -A ICMP_IN -i INET_IFACE -p icmp --icmp-type network-redirect -j DROP #$IPTABLES -A ICMP_IN -i INET_IFACE -p icmp --icmp-type host-redirect -j DROP #$IPTABLES -A ICMP_IN -i INET_IFACE -p icmp --icmp-type TOS-network-redirect -j DROP #$IPTABLES -A ICMP_IN -i INET_IFACE -p icmp --icmp-type TOS-host-redirect -j DROP #$IPTABLES -A ICMP_IN -i INET_IFACE -p icmp --icmp-type echo-request -m limit --limit 1/s --limit-burst 1 -j LOG --log-level $LOG_LEVEL --log-prefix “PING REQUEST “ #$IPTABLES -A ICMP_IN -i INET_IFACE -p icmp --icmp-type echo-request -j DROP #$IPTABLES -A ICMP_IN -i INET_IFACE -p icmp --icmp-type router-advertisement -j DROP #$IPTABLES -A ICMP_IN -i INET_IFACE -p icmp --icmp-type router-solicitation -j DROP #$IPTABLES -A ICMP_IN -i INET_IFACE -p icmp --icmp-type ttl-zero-during-transit -j DROP #$IPTABLES -A ICMP_IN -i INET_IFACE -p icmp --icmp-type ttl-zero-during-reassembly -j DROP #$IPTABLES -A ICMP_IN -i INET_IFACE -p icmp --icmp-type timestamp-request -j DROP #$IPTABLES -A ICMP_IN -i INET_IFACE -p icmp --icmp-type timestamp-reply -j ACCEPT #$IPTABLES -A ICMP_IN -i INET_IFACE -p icmp --icmp-type address-mask-request -j DROP #------------------------------------------ # Destination unreachable # # ICMP type 3 is necessary for path MTU discovery to work correctly. # It should be enabled inbound to get top efficiency. # $IPTABLES -A ICMP_IN -p icmp --icmp-type destination-unreachable -j ACCEPT # #------------------------------------------ # Drop Smurf attack # $IPTABLES -A ICMP_IN -p icmp -d 0.0.0.255/0.0.0.255 -m limit --limit $LIMIT_LOG --limit-burst $LIMIT_LOG_BURST -j LOG --log-level $LOG_LEVEL --log-prefix "IPT=ICMP-IN:0.255 a=DROP " $IPTABLES -A ICMP_IN -p icmp -d 0.0.0.255/0.0.0.255 -j DROP # #------------------------------------------ # Answer ping requests. # # First Block DOS - Ping of Death # $IPTABLES -A ICMP_IN -p icmp --icmp-type echo-request -m length --length 61:65535 -j LOG --log-level $LOG_LEVEL --log-prefix "IPT=ICMP-IN:PING-death a=DROP " $IPTABLES -A ICMP_IN -p icmp --icmp-type echo-request -m length --length 61:65535 -j DROP #------------------------------------------ # Now Block DDOS - Smurf # $IPTABLES -A ICMP_IN -p icmp --icmp-type echo-request -m pkttype --pkt-type broadcast -j LOG --log-level $LOG_LEVEL --log-prefix "IPT=ICMP-IN:Smurf:1 a=DROP " $IPTABLES -A ICMP_IN -p icmp --icmp-type echo-request -m pkttype --pkt-type broadcast -j DROP #------------------------------------------ # Ping Flood protection. Accept $LIMIT_PING echo-reply/sec, rest will be logged/dropped. # Ping Flood protection. Accept $LIMIT_PING echo-requests/sec, rest will be logged/dropped. # if [ $ALLOW_PING_IN -eq 1 ] then $IPTABLES -A ICMP_IN -p icmp --icmp-type echo-reply -m limit --limit $LIMIT_PING --limit-burst $LIMIT_PING_BURST -j ACCEPT fi $IPTABLES -A ICMP_IN -p icmp --icmp-type echo-reply -m limit --limit $LIMIT_LOG --limit-burst $LIMIT_LOG_BURST -j LOG --log-level $LOG_LEVEL --log-prefix "IPT=ICMP-IN:PING:1 a=DROP " $IPTABLES -A ICMP_IN -p icmp --icmp-type echo-reply -j DROP # if [ $ALLOW_PING_IN -eq 1 ] then $IPTABLES -A ICMP_IN -p icmp --icmp-type echo-request -m limit --limit $LIMIT_PING --limit-burst $LIMIT_PING_BURST -j ACCEPT #$IPTABLES -A ICMP_IN -p icmp --icmp-type echo-request -m limit --limit 3/s -j ACCEPT # Smurf fi $IPTABLES -A ICMP_IN -p icmp --icmp-type echo-request -m limit --limit $LIMIT_LOG --limit-burst $LIMIT_LOG_BURST -j LOG --log-level $LOG_LEVEL --log-prefix "IPT=ICMP-IN:PING:2 a=DROP " $IPTABLES -A ICMP_IN -p icmp --icmp-type echo-request -j DROP # #------------------------------------------ # Allow traceroute, though it is not required. # # Type 11 (Time Exceeded) is the only one accepted that would # not already be covered by the established connection rule. # Applied to INPUT on the external interface. # # Ping Flood protection. Accept $LIMIT_PING request/sec, rest will be logged/dropped. # if [ $ALLOW_TRACEROUTE_IN -eq 1 ] then $IPTABLES -A ICMP_IN -p icmp --icmp-type 11 -m limit --limit $LIMIT_PING --limit-burst $LIMIT_PING_BURST -j ACCEPT fi $IPTABLES -A ICMP_IN -p icmp --icmp-type 11 -m limit --limit $LIMIT_LOG --limit-burst $LIMIT_LOG_BURST -j LOG --log-level $LOG_LEVEL --log-prefix "IPT=ICMP-IN:time:1 a=DROP " $IPTABLES -A ICMP_IN -p icmp --icmp-type 11 -j DROP # if [ $ALLOW_TRACEROUTE_IN -eq 1 ] then $IPTABLES -A ICMP_IN -p icmp --icmp-type 30 -m limit --limit $LIMIT_PING --limit-burst $LIMIT_PING_BURST -j ACCEPT fi $IPTABLES -A ICMP_IN -p icmp --icmp-type 30 -m limit --limit $LIMIT_LOG --limit-burst $LIMIT_LOG_BURST -j LOG --log-level $LOG_LEVEL --log-prefix "IPT=ICMP-IN:trace a=DROP " $IPTABLES -A ICMP_IN -p icmp --icmp-type 30 -j DROP # #------------------------------------------ # Block ICMP-Parameter-Problem # # Ping Flood protection. Accept $LIMIT_PING request/sec, rest will be logged/dropped. # if [ $ALLOW_ICMP_PARAM_PROBLEM_IN -eq 1 ] then $IPTABLES -A ICMP_IN -p icmp --icmp-type parameter-problem -m limit --limit $LIMIT_PING --limit-burst $LIMIT_PING_BURST -j ACCEPT fi $IPTABLES -A ICMP_IN -p icmp --icmp-type parameter-problem -m limit --limit $LIMIT_LOG --limit-burst $LIMIT_LOG_BURST -j LOG --log-level $LOG_LEVEL --log-prefix "IPT=ICMP-IN:params a=DROP " $IPTABLES -A ICMP_IN -p icmp --icmp-type parameter-problem -j DROP # #------------------------------------------ # Block ICMP-Redirects (Should already be caught by sysctl-options, if enabled) # $IPTABLES -A ICMP_IN -p icmp --icmp-type redirect -m limit --limit $LIMIT_LOG --limit-burst $LIMIT_LOG_BURST -j LOG --log-level $LOG_LEVEL --log-prefix "IPT=ICMP-IN:redirect a=DROP " $IPTABLES -A ICMP_IN -p icmp --icmp-type redirect -j DROP # #------------------------------------------ # Block ICMP-TTL-Expired MS Traceroute (MS uses ICMP instead of UDP for tracert) # $IPTABLES -A ICMP_IN -p icmp --icmp-type ttl-zero-during-transit -m limit --limit $LIMIT_LOG --limit-burst $LIMIT_LOG_BURST -j LOG --log-level $LOG_LEVEL --log-prefix "IPT=ICMP-IN:ttl:1 a=DROP " $IPTABLES -A ICMP_IN -p icmp --icmp-type ttl-zero-during-transit -j DROP $IPTABLES -A ICMP_IN -p icmp --icmp-type ttl-zero-during-reassembly -m limit --limit $LIMIT_LOG --limit-burst $LIMIT_LOG_BURST -j LOG --log-level $LOG_LEVEL --log-prefix "IPT=ICMP-IN:ttl:2 a=DROP " $IPTABLES -A ICMP_IN -p icmp --icmp-type ttl-zero-during-reassembly -j DROP # #------------------------------------------ # Block ICMP-Timestamp (Should already be caught by sysctl-options, if enabled) # $IPTABLES -A ICMP_IN -p icmp --icmp-type timestamp-request -m limit --limit $LIMIT_LOG --limit-burst $LIMIT_LOG_BURST -j LOG --log-level $LOG_LEVEL --log-prefix "IPT=ICMP-IN:ts:1 a=DROP " $IPTABLES -A ICMP_IN -p icmp --icmp-type timestamp-request -j DROP $IPTABLES -A ICMP_IN -p icmp --icmp-type timestamp-reply -m limit --limit $LIMIT_LOG --limit-burst $LIMIT_LOG_BURST -j LOG --log-level $LOG_LEVEL --log-prefix "IPT=ICMP-IN:ts:2 a=DROP " $IPTABLES -A ICMP_IN -p icmp --icmp-type timestamp-reply -j DROP # #------------------------------------------ # Block ICMP-address-mask (can help to prevent OS-fingerprinting) # $IPTABLES -A ICMP_IN -p icmp --icmp-type address-mask-request -m limit --limit $LIMIT_LOG --limit-burst $LIMIT_LOG_BURST -j LOG --log-level $LOG_LEVEL --log-prefix "IPT=ICMP-IN:addr:1 a=DROP " $IPTABLES -A ICMP_IN -p icmp --icmp-type address-mask-request -j DROP $IPTABLES -A ICMP_IN -p icmp --icmp-type address-mask-reply -m limit --limit $LIMIT_LOG --limit-burst $LIMIT_LOG_BURST -j LOG --log-level $LOG_LEVEL --log-prefix "IPT=ICMP-IN:addr:2 a=DROP " $IPTABLES -A ICMP_IN -p icmp --icmp-type address-mask-reply -j DROP # #------------------------------------------ # Block DOS - Jolt # # # ICMP packets should fit in a Layer 2 frame, thus they should # never be fragmented. Fragmented ICMP packets are a typical sign # of a denial of service attack. # $IPTABLES -A ICMP_IN -p icmp --fragment -j LOG --log-level $LOG_LEVEL --log-prefix "IPT=ICMP:frag a=DROP " #$IPTABLES -A ICMP_IN -p icmp --fragment -m limit --limit $LIMIT_LOG --limit-burst $LIMIT_LOG_BURST -j LOG --log-level $LOG_LEVEL --log-prefix "IPT=ICMP-IN:frag a=DROP " $IPTABLES -A ICMP_IN -p icmp --fragment -j DROP # #------------------------------------------ # All good, so return # $IPTABLES -A ICMP_IN -p icmp -j DROP # #********************************************************* # Create a chain to filter outgoing ICMP packets # This chain is for outbound (to the Internet) icmp packets only. # #------------------------------------------ # Answer ping requests. # # Ping Flood protection. Accept $LIMIT_PING echo-reply/sec, rest will be logged/dropped. # Ping Flood protection. Accept $LIMIT_PING echo-requests/sec, rest will be logged/dropped. # if [ $ALLOW_PING_OUT -eq 1 ] then $IPTABLES -A ICMP_OUT -p icmp --icmp-type echo-reply -m conntrack --ctstate NEW -j ACCEPT else $IPTABLES -A ICMP_OUT -p icmp --icmp-type echo-reply -m limit --limit $LIMIT_LOG --limit-burst $LIMIT_LOG_BURST -j LOG --log-level $LOG_LEVEL --log-prefix "IPT=ICMP-OUT:PING:1 a=DROP " $IPTABLES -A ICMP_OUT -p icmp --icmp-type echo-reply -j DROP fi # if [ $ALLOW_PING_OUT -eq 1 ] then $IPTABLES -A ICMP_OUT -p icmp --icmp-type echo-request -m conntrack --ctstate NEW -j ACCEPT else $IPTABLES -A ICMP_OUT -p icmp --icmp-type echo-request -m limit --limit $LIMIT_LOG --limit-burst $LIMIT_LOG_BURST -j LOG --log-level $LOG_LEVEL --log-prefix "IPT=ICMP-OUT:PING:2 a=DROP " $IPTABLES -A ICMP_OUT -p icmp --icmp-type echo-request -j DROP fi # #------------------------------------------ # Time Exceeded # Type 11 (Time Exceeded) is the only one accepted that would # not already be covered by the established connection rule. # Applied to INPUT on the external interface. # if [ $ALLOW_TRACEROUTE_OUT -eq 1 ] then $IPTABLES -A ICMP_OUT -p icmp --icmp-type 11 -j ACCEPT else $IPTABLES -A ICMP_OUT -p icmp --icmp-type 11 -m limit --limit $LIMIT_LOG --limit-burst $LIMIT_LOG_BURST -j LOG --log-level $LOG_LEVEL --log-prefix "IPT=ICMP-OUT:time:1 a=DROP " $IPTABLES -A ICMP_OUT -p icmp --icmp-type 11 -j DROP fi # if [ $ALLOW_TRACEROUTE_OUT -eq 1 ] then $IPTABLES -A ICMP_OUT -p icmp --icmp-type 30 -j ACCEPT else $IPTABLES -A ICMP_OUT -p icmp --icmp-type 30 -m limit --limit $LIMIT_LOG --limit-burst $LIMIT_LOG_BURST -j LOG --log-level $LOG_LEVEL --log-prefix "IPT=ICMP-OUT:trace a=DROP " $IPTABLES -A ICMP_OUT -p icmp --icmp-type 30 -j DROP fi # #------------------------------------------ # Block ICMP-Redirects (Should already be caught by sysctl-options, if enabled) # $IPTABLES -A ICMP_OUT -p icmp --icmp-type redirect -m limit --limit $LIMIT_LOG --limit-burst $LIMIT_LOG_BURST -j LOG --log-level $LOG_LEVEL --log-prefix "IPT=ICMP-OUT:redirect a=DROP " $IPTABLES -A ICMP_OUT -p icmp --icmp-type redirect -j DROP # #------------------------------------------ # Block ICMP-TTL-Expired MS Traceroute (MS uses ICMP instead of UDP for tracert) # $IPTABLES -A ICMP_OUT -p icmp --icmp-type ttl-zero-during-transit -m limit --limit $LIMIT_LOG --limit-burst $LIMIT_LOG_BURST -j LOG --log-level $LOG_LEVEL --log-prefix "IPT=ICMP-OUT:ttl:1 a=DROP " $IPTABLES -A ICMP_OUT -p icmp --icmp-type ttl-zero-during-transit -j DROP $IPTABLES -A ICMP_OUT -p icmp --icmp-type ttl-zero-during-reassembly -m limit --limit $LIMIT_LOG --limit-burst $LIMIT_LOG_BURST -j LOG --log-level $LOG_LEVEL --log-prefix "IPT=ICMP-OUT:ttl:2 a=DROP " $IPTABLES -A ICMP_OUT -p icmp --icmp-type ttl-zero-during-reassembly -j DROP # #------------------------------------------ # Block ICMP-Parameter-Problem # $IPTABLES -A ICMP_OUT -p icmp --icmp-type parameter-problem -m limit --limit $LIMIT_LOG --limit-burst $LIMIT_LOG_BURST -j LOG --log-level $LOG_LEVEL --log-prefix "IPT=ICMP-OUT:params a=DROP " $IPTABLES -A ICMP_OUT -p icmp --icmp-type parameter-problem -j DROP # #------------------------------------------ # Block ICMP-Timestamp (Should already be caught by sysctl-options, if enabled) # $IPTABLES -A ICMP_OUT -p icmp --icmp-type timestamp-request -m limit --limit $LIMIT_LOG --limit-burst $LIMIT_LOG_BURST -j LOG --log-level $LOG_LEVEL --log-prefix "IPT=ICMP-OUT:ts:1 a=DROP " $IPTABLES -A ICMP_OUT -p icmp --icmp-type timestamp-request -j DROP $IPTABLES -A ICMP_OUT -p icmp --icmp-type timestamp-reply -m limit --limit $LIMIT_LOG --limit-burst $LIMIT_LOG_BURST -j LOG --log-level $LOG_LEVEL --log-prefix "IPT=ICMP-OUT:ts:2 a=DROP " $IPTABLES -A ICMP_OUT -p icmp --icmp-type timestamp-reply -j DROP # #------------------------------------------ # Block ICMP-address-mask (can help to prevent OS-fingerprinting) # $IPTABLES -A ICMP_OUT -p icmp --icmp-type address-mask-request -m limit --limit $LIMIT_LOG --limit-burst $LIMIT_LOG_BURST -j LOG --log-level $LOG_LEVEL --log-prefix "IPT=ICMP-OUT:addr:1 a=DROP " $IPTABLES -A ICMP_OUT -p icmp --icmp-type address-mask-request -j DROP $IPTABLES -A ICMP_OUT -p icmp --icmp-type address-mask-reply -m limit --limit $LIMIT_LOG --limit-burst $LIMIT_LOG_BURST -j LOG --log-level $LOG_LEVEL --log-prefix "IPT=ICMP-OUT:addr:2 a=DROP " $IPTABLES -A ICMP_OUT -p icmp --icmp-type address-mask-reply -j DROP # #------------------------------------------ # ICMP packets should fit in a Layer 2 frame, thus they should # never be fragmented. Fragmented ICMP packets are a typical sign # of a denial of service attack. # $IPTABLES -A ICMP_OUT -p icmp --fragment -m limit --limit $LIMIT_LOG --limit-burst $LIMIT_LOG_BURST -j LOG --log-level $LOG_LEVEL --log-prefix "IPT=ICMP-OUT:frag a=DROP " $IPTABLES -A ICMP_OUT -p icmp --fragment -j DROP # #------------------------------------------ # All good, so return # $IPTABLES -A ICMP_OUT -p icmp -j DROP # #********************************************************* # Create a chain to filter UDP packets # Applied to INPUT on the external or Internet interface. # #------------------------------------------ # BitTorrent # if [ $ALLOW_BITTORRENT_IN -eq 1 ] then $IPTABLES -A UDP_IN -p udp -m conntrack --ctstate NEW --dport 6881 -j ACCEPT # BITTORRENT fi # #------------------------------------------ # CUPS Printing # if [ $ALLOW_CUPS_IN -eq 1 ] then $IPTABLES -A UDP_IN -p udp -m conntrack --ctstate NEW --dport 631 -j ACCEPT # Printing CUPS fi # #------------------------------------------ # If DHCP, the initial request is a broadcast. The response # doesn't exactly match the outbound packet. This explicitly # allow the DHCP ports to alleviate this problem. # # If you receive your dynamic address by a different means, you # can probably comment out this line. # if [ $ALLOW_DHCP_BROADCAST_IN -eq 1 ] then #$IPTABLES -A UDP_IN -p udp --sport 68 --dport 67 -j ACCEPT $IPTABLES -A UDP_IN -p udp --sport 67:68 --dport 67:68 -j ACCEPT fi # #------------------------------------------ # Allow DNS # if [ $ALLOW_DNS_IN -eq 1 ] then $IPTABLES -A UDP_IN -p udp --dport 53 -j ACCEPT #$IPTABLES -A UDP_IN -p udp -i $INET_IFACE --sport 53 -m state --state ESTABLISHED -j ACCEPT #$IPTABLES -A UDP_IN -p tcp -i $INET_IFACE --sport 53 -m state --state ESTABLISHED -j ACCEPT #$IPTABLES -A UDP_IN -p udp -i $INET_IFACE --sport 53 -j ACCEPT #$IPTABLES -A UDP_IN -p tcp -i $INET_IFACE --sport 53 -j ACCEPT #$IPTABLES -A UDP_IN -p udp -m conntrack --ctstate NEW --dport 53 -j ACCEPT #$IPTABLES -A UDP_IN -p udp -m conntrack --ctstate ESTABLISHED --sport 53 -j ACCEPT #$IPTABLES -A UDP_IN -p udp -s $ip --sport 53 -m state --state ESTABLISHED -j ACCEPT # -o $INET_IFACE -s $INET_IP #$IPTABLES -A UDP_IN -p udp -i $INET_IFACE -s $INET_IP -m conntrack --ctstate NEW --dport 53 -j ACCEPT #$IPTABLES -A UDP_IN -p udp -i $INET_IFACE -d $INET_IP -m conntrack --ctstate ESTABLISHED --sport 53 -j ACCEPT #for ip in $DNS_SERVERS #do #$IPTABLES -A UDP_IN -p udp -s $ip --sport 53 -d $SERVER_IP --dport $PORTS_UNPRIV -m state --state ESTABLISHED -j ACCEPT #done #$IPTABLES -A UDP_IN -p udp -s 0/0 --sport $PORTS_UNPRIV -d $SERVER_IP --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT #$IPTABLES -A UDP_IN -p udp -s $ip --sport 53 -d $SERVER_IP --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT #$IPTABLES -A UDP_IN -p udp -i $INET_IFACE --sport 53 -j ACCEPT fi # #------------------------------------------ # Allow NC # if [ $ALLOW_NC_IN -eq 1 ] then $IPTABLES -A UDP_IN -p udp -m conntrack --ctstate NEW --dport 2030 -j ACCEPT # NC fi # #------------------------------------------ # Allow NFS # if [ $ALLOW_NFS_IN -eq 1 ] then $IPTABLES -A UDP_IN -p udp -m conntrack --ctstate NEW --dport 2049 -j ACCEPT # NFS fi # #------------------------------------------ # Allow NTP # if [ $DO_QUICK_NTP -ne 0 ] then if [ $ALLOW_NTP_IN -eq 1 ] then $IPTABLES -A UDP_IN -p udp -m conntrack --ctstate NEW --dport 123 -j ACCEPT fi fi # #------------------------------------------ # Allow SAMBA # if [ $ALLOW_SAMBA_IN -eq 1 ] then #$IPTABLES -A TCP_IN -p tcp -i $INET_IFACE -m conntrack --ctstate NEW -m multiport --dports 135,137,138,139,445,1433,1434 -j ACCEPT $IPTABLES -A UDP_IN -p udp -i $INET_IFACE -m conntrack --ctstate NEW -m multiport --dports 135,137,138,139,445,1433,1434 -j ACCEPT fi # #------------------------------------------ # Allow TRACEROUTE # if [ $ALLOW_TRACEROUTE_IN -eq 1 ] then $IPTABLES -A UDP_IN -p udp -m conntrack --ctstate NEW --sport $PORTS_TRACEROUTE_SRC --dport $PORTS_TRACEROUTE_DEST -j ACCEPT fi # #------------------------------------------ # Allow Weblogin # if [ $ALLOW_WEBLOGIN_IN -eq 1 ] then $IPTABLES -A UDP_IN -p udp -m conntrack --ctstate NEW --dport 2054 -j ACCEPT # weblogin fi # #------------------------------------------ # Don't log route packets coming from routers - too much logging # $IPTABLES -A UDP_IN -p udp --dport 520 -m conntrack --ctstate NEW -j DROP # #------------------------------------------ # Block DDOS - Fraggle # #$IPTABLES -A UDP_IN -p udp -m pkttype --pkt-type broadcast -m limit --limit $LIMIT_LOG --limit-burst $LIMIT_LOG_BURST -j LOG --log-level $LOG_LEVEL --log-prefix "IPT=UDP-IN:Fraggle a=DROP " $IPTABLES -A UDP_IN -p udp -m pkttype --pkt-type broadcast -j DROP # #------------------------------------------ # Block DOS - Teardrop # $IPTABLES -A UDP_IN -p udp --fragment -m limit --limit $LIMIT_LOG --limit-burst $LIMIT_LOG_BURST -j LOG --log-level $LOG_LEVEL --log-prefix "IPT=UDP-IN:Teardrop a=DROP " $IPTABLES -A UDP_IN -p udp --fragment -j DROP # #------------------------------------------ # Port 0 fingerprint attempt # $IPTABLES -A UDP_IN -p udp --dport 0 -m limit --limit 1/h --limit-burst 1 -j LOG --log-level $LOG_LEVEL --log-prefix "IPT=UDP-IN:finger:0 a=DROP " $IPTABLES -A UDP_IN -p udp --dport 0 -j DROP # #------------------------------------------ # Drop the rwho port (513 udp) # $IPTABLES -A UDP_IN -p udp ! -i lo --destination-port 513 -m limit --limit $LIMIT_LOG --limit-burst $LIMIT_LOG_BURST -j LOG --log-level $LOG_LEVEL --log-prefix "IPT=UDP-IN:rwho a=DROP " $IPTABLES -A UDP_IN -p udp ! -i lo --destination-port 513 -m comment --comment "Block rwho port" -j DROP # #------------------------------------------ # Separate logging of special portscans/connection attempts # # Port Scanners # if [ $DO_LOG_SCANS -eq 1 ] then $IPTABLES -A UDP_IN -i $INET_IFACE -j SCANS fi # #------------------------------------------ # All good, so return # $IPTABLES -A UDP_IN -p udp -j RETURN # #********************************************************* # Create a chain to filter outgoing UDP packets # # This chain is for outbound (to the Internet) udp packets only. # #------------------------------------------ # Allow printing using CUPS # if [ $ALLOW_CUPS_OUT -eq 1 ] then $IPTABLES -A UDP_OUT -p udp --dport 631 -m conntrack --ctstate NEW -j ACCEPT # Printing CUPS fi # #------------------------------------------ # If DHCP, the initial request is a broadcast. The response # doesn't exactly match the outbound packet. This explicitly # allow the DHCP ports to alleviate this problem. # # If you receive your dynamic address by a different means, you # can probably comment this line. # if [ $ALLOW_DHCP_BROADCAST_OUT -eq 1 ] then #$IPTABLES -A UDP_OUT -p udp --sport 68 --dport 67 -j ACCEPT $IPTABLES -A UDP_OUT -p udp --sport 67:68 --dport 67:68 -j ACCEPT fi # #------------------------------------------ # Allow DNS # if [ $ALLOW_DNS_OUT -eq 1 ] then $IPTABLES -A UDP_OUT -p udp --dport 53 -j ACCEPT #$IPTABLES -A UDP_OUT -p udp --dport 53 -m conntrack --ctstate NEW -j ACCEPT # DNS #$IPTABLES -A UDP_OUT -p udp -o $INET_IFACE -d $INET_IP -m conntrack --ctstate NEW,ESTABLISHED --dport 53 -j ACCEPT #$IPTABLES -A UDP_OUT -p udp -o $INET_IFACE --dport 53 -j ACCEPT #$IPTABLES -A UDP_OUT -p tcp -o $INET_IFACE --dport 53 -j ACCEPT #$IPTABLES -A UDP_OUT -p udp -o $INET_IFACE --dport 53 -m state --state ESTABLISHED -j ACCEPT #$IPTABLES -A UDP_OUT -p tcp -o $INET_IFACE --dport 53 -m state --state ESTABLISHED -j ACCEPT #$IPTABLES -A UDP_OUT -p udp -o $INET_IFACE --dport 53 -j ACCEPT fi # #------------------------------------------ # Allow NTP Time to setup the Date/Time from NTP Server # if [ $ALLOW_NTP_OUT -eq 1 ] then $IPTABLES -A UDP_OUT -p udp --dport 123 -m conntrack --ctstate NEW -j ACCEPT fi # #------------------------------------------ # Allow SAMBA # if [ $ALLOW_SAMBA_OUT -eq 1 ] then #$IPTABLES -A TCP_OUT -p tcp -o $INET_IFACE -m multiport --sports 135,137,138,139,445,1433,1434 -m conntrack --ctstate NEW -j ACCEPT #$IPTABLES -A UDP_OUT -p udp -o $INET_IFACE -m multiport --sports 135,137,138,139,445,1433,1434 -m conntrack --ctstate NEW -j ACCEPT # #$IPTABLES -A TCP_OUT -p tcp -o $INET_IFACE -m multiport --dports 135,137,138,139,445,1433,1434 -m conntrack --ctstate NEW -j ACCEPT $IPTABLES -A UDP_OUT -p udp -o $INET_IFACE -m multiport --dports 135,137,138,139,445,1433,1434 -m conntrack --ctstate NEW -j ACCEPT fi # #------------------------------------------ # Allow TRACEROUTE # if [ $ALLOW_TRACEROUTE_OUT -eq 1 ] then $IPTABLES -A UDP_OUT -p udp --sport $PORTS_TRACEROUTE_SRC --dport $PORTS_TRACEROUTE_DEST -m conntrack --ctstate NEW -j ACCEPT fi # #------------------------------------------ # All good, so return # $IPTABLES -A UDP_OUT -p udp -j RETURN # #********************************************************* # Create a chain to filter incoming TCP packets # # Applied to INPUT on the external or Internet interface. # #------------------------------------------ # Stealth TCP ports. # # A quick and dirty way is to drop all tcp syn packets. # This way you're virtually undetectable to portscanners. # Basically, you're dropping all TCP packets that weren't initiated by your local computer/network. # if [ $DO_STEALTH_ALL_IN -eq 1 ] then $IPTABLES -A TCP_IN -p tcp -i $INET_IFACE --syn -j DROP # # I've noticed that this doesn't kill port 0 & 1 for some reason, so those have to be turned off as well. # $IPTABLES -A TCP_IN -p tcp -i $INET_IFACE --dport 0 -j DROP $IPTABLES -A TCP_IN -p tcp -i $INET_IFACE --dport 1 -j DROP fi # #------------------------------------------ # Ident - Silently reject Ident # # Dont DROP ident, because of possible delays when establishing an outbound connection # #$IPTABLES -A TCP_IN -p tcp -m tcp --dport 113 -j REJECT --reject-with tcp-reset #$IPTABLES -A TCP_IN -p tcp --dport 113 -j REJECT --reject-with icmp-port-unreachable #$IPTABLES -A TCP_IN -p tcp -m conntrack --ctstate NEW --dport 113 -m recent --name "relationship" --rcheck --seconds 60 -j REJECT --reject-with icmp-port-unreachable $IPTABLES -A TCP_IN -p tcp -m conntrack --ctstate NEW --dport 113 -m recent --name "IDENT" --rcheck --seconds 60 -j REJECT --reject-with icmp-port-unreachable # #------------------------------------------ # Allow BitTorrent # if [ $ALLOW_BITTORRENT_IN -eq 1 ] then $IPTABLES -A TCP_IN -p tcp -m conntrack --ctstate NEW --dport 6881 -j ACCEPT # BitTorrent fi # #------------------------------------------ # Allow printing using CUPS # if [ $ALLOW_CUPS_IN -eq 1 ] then $IPTABLES -A TCP_IN -p tcp -m conntrack --ctstate NEW --dport 631 -j ACCEPT # Printing CUPS fi # #------------------------------------------ # Allow CVS IN # if [ $ALLOW_CVS_IN -eq 1 ] then $IPTABLES -A TCP_IN -p tcp -m conntrack --ctstate NEW --dport 2401 -j ACCEPT # CVS fi # #------------------------------------------ # Allow DHCP Broadcast # if [ $ALLOW_DHCP_BROADCAST_IN -eq 1 ] then #$IPTABLES -A TCP_IN -p tcp --sport 68 --dport 67 -j ACCEPT $IPTABLES -A TCP_IN -p tcp --sport 67:68 --dport 67:68 -j ACCEPT fi # #------------------------------------------ # Allow DNS # if [ $ALLOW_DNS_IN -eq 1 ] then $IPTABLES -A TCP_IN -p tcp --dport 53 -j ACCEPT # DNS #$IPTABLES -A TCP_IN -p tcp -m conntrack --ctstate NEW --sport 53 -j ACCEPT # DNS #$IPTABLES -A TCP_IN -p tcp -m conntrack --ctstate NEW --dport 53 -j ACCEPT # DNS #$IPTABLES -A TCP_IN -p tcp -i $INET_IFACE -s $INET_IP -m conntrack --ctstate ESTABLISHED --sport 53 -j ACCEPT #$IPTABLES -A TCP_IN -p tcp -i $INET_IFACE -d $INET_IP -m conntrack --ctstate ESTABLISHED --sport 53 -j ACCEPT #$IPTABLES -A TCP_IN -p tcp --dport 953 -j ACCEPT # dns internal fi # #------------------------------------------ # Allow FTP # if [ $ALLOW_FTP_IN -eq 1 ] then # When you attempt to use ftp on these settings, it stops when enter the PASV # mode. At PASV mode, after establish the connection with port 21, client # appoints >1024 port so that this becomes new connection and is rejected. # You need to have been loaded ip_conntrack_ftp module to use ftp in PASV mode. # Add one line above ip_conntrack ip_conntrack_ftp to /etc/modules.conf then # it is loaded at boot up and ftp will be possible to use. # $IPTABLES -A TCP_IN -p tcp -m conntrack --ctstate NEW --dport 20 -j ACCEPT # ftp-data $IPTABLES -A TCP_IN -p tcp -m conntrack --ctstate NEW --dport 21 -j ACCEPT # ftp fi # #------------------------------------------ # Allow HTTP # if [ $ALLOW_HTTP_IN -eq 1 ] then $IPTABLES -A TCP_IN -p tcp -m conntrack --ctstate NEW --dport 80 -j ACCEPT # http fi # #------------------------------------------ # Allow HTTPS # if [ $ALLOW_HTTPS_IN -eq 1 ] then $IPTABLES -A TCP_IN -p tcp -m conntrack --ctstate NEW --dport 443 -j ACCEPT # https fi # #------------------------------------------ # Allow IMAP # if [ $ALLOW_IMAP_IN -eq 1 ] then $IPTABLES -A TCP_IN -p tcp -m conntrack --ctstate NEW --dport 143 -j ACCEPT # imap fi # #------------------------------------------ # Allow IMAPS # if [ $ALLOW_IMAPS_IN -eq 1 ] then $IPTABLES -A TCP_IN -p tcp -m conntrack --ctstate NEW --dport 993 -j ACCEPT # imap fi # #------------------------------------------ # Allow MySQL # if [ $ALLOW_MYSQL_IN -eq 1 ] then $IPTABLES -A TCP_IN -p tcp -m conntrack --ctstate NEW --dport 3306 -j ACCEPT # MySQL fi # #------------------------------------------ # Allow NC # if [ $ALLOW_NC_IN -eq 1 ] then $IPTABLES -A TCP_IN -p tcp -m conntrack --ctstate NEW --dport 2030 -j ACCEPT # NC fi # #------------------------------------------ # Allow NFS # if [ $ALLOW_NFS_IN -eq 1 ] then $IPTABLES -A TCP_IN -p tcp -m conntrack --ctstate NEW --dport 2049 -j ACCEPT # NFS fi # #------------------------------------------ # Allow NTP # if [ $ALLOW_NTP_IN -eq 1 ] then $IPTABLES -A TCP_IN -p tcp -m conntrack --ctstate NEW --dport 123 -j ACCEPT # ntp fi # #------------------------------------------ # Allow NNTP # if [ $ALLOW_NNTP_IN -eq 1 ] then $IPTABLES -A TCP_IN -p tcp -m conntrack --ctstate NEW --dport 119 -j ACCEPT # nntp fi # #------------------------------------------ # Allow PLESK # if [ $ALLOW_PLESK_IN -eq 1 ] then $IPTABLES -A TCP_IN -p tcp -m conntrack --ctstate NEW --dport 8443 -j ACCEPT # PLESK https $IPTABLES -A TCP_IN -p tcp -m conntrack --ctstate NEW --dport 8880 -j ACCEPT # PLESK http fi # #------------------------------------------ # Allow PLEX # if [ $ALLOW_PLEX_IN -eq 1 ] then $IPTABLES -A TCP_IN -p tcp -m conntrack --ctstate NEW --dport $PORTS_PLEX -j ACCEPT # PLEX fi # #------------------------------------------ # Allow POP3 # if [ $ALLOW_POP3_IN -eq 1 ] then $IPTABLES -A TCP_IN -p tcp -m conntrack --ctstate NEW --dport 110 -j ACCEPT # POP-3 fi # #------------------------------------------ # Allow POP3S # if [ $ALLOW_POP3S_IN -eq 1 ] then $IPTABLES -A TCP_IN -p tcp -m conntrack --ctstate NEW --dport 995 -j ACCEPT # POP-3S fi # #------------------------------------------ # Allow POSTGRESQL # if [ $ALLOW_POSTGRESQL_IN -eq 1 ] then $IPTABLES -A TCP_IN -p tcp -m conntrack --ctstate NEW --dport 5432 -j ACCEPT # PostgreSQL fi # #------------------------------------------ # Allow SAMBA # if [ $ALLOW_SAMBA_IN -eq 1 ] then $IPTABLES -A TCP_IN -p tcp -i $INET_IFACE -m conntrack --ctstate NEW -m multiport --dports 135,137,138,139,445,1433,1434 -j ACCEPT #$IPTABLES -A UDP_IN -p udp -i $INET_IFACE -m conntrack --ctstate NEW -m multiport --dports 135,137,138,139,445,1433,1434 -j ACCEPT #$IPTABLES -A TCP_IN -p tcp -m conntrack --ctstate NEW --sport $PORTS_TRACEROUTE_SRC --dport $PORTS_TRACEROUTE_DEST -j ACCEPT fi # #------------------------------------------ # Allow SMTP # if [ $ALLOW_SMTP_IN -eq 1 ] then $IPTABLES -A TCP_IN -p tcp -m conntrack --ctstate NEW --dport 25 -j ACCEPT # smtp fi # #------------------------------------------ # Allow SMTPS # if [ $ALLOW_SMTPS_IN -eq 1 ] then $IPTABLES -A TCP_IN -p tcp -m conntrack --ctstate NEW --dport 465 -j ACCEPT # smtps fi # #------------------------------------------ # Allow SSH # if [ $ALLOW_SSH_IN -eq 1 ] then # Allow three port 22 connections from any given IP address within a # 60 second period, and requires 60 seconds of no subsequent connection # attempts before it will resume allowing connections again. # # The --rttl option also takes into account the TTL of the datagram # when matching packets, so as to endeavour to mitigate against spoofed # source addresses. # # Does not not stop any established SSH connections from the host that has made too many SSH connections in a short period of time, and allows for whitelisting. # # Linux kernel will maintain a list of portscan IPs which can be accessed at the location /proc/net/ipt_recent/SSH. # $IPTABLES -A TCP_IN -p tcp -m conntrack --ctstate NEW --dport 22 -m recent --set --name SSH $IPTABLES -A TCP_IN -p tcp -m conntrack --ctstate NEW --dport 22 -m recent --update --seconds 60 --hitcount 4 --rttl --name SSH -j LOG --log-prefix "IPT=SSH:Brute a=DROP " $IPTABLES -A TCP_IN -p tcp -m conntrack --ctstate NEW --dport 22 -m recent --update --seconds 60 --hitcount 4 --rttl --name SSH -j DROP $IPTABLES -A TCP_IN -p tcp -m conntrack --ctstate NEW --dport 22 -j ACCEPT fi # #------------------------------------------ # Allow Squid # if [ $ALLOW_SQUID_IN -eq 1 ] then $IPTABLES -A TCP_IN -p tcp -m conntrack --ctstate NEW --dport 3128 -j ACCEPT # SQUID proxy fi # #------------------------------------------ # Allow Submission # (RFC 2476) # if [ $ALLOW_SUBMISSION_IN -eq 1 ] then $IPTABLES -A TCP_IN -p tcp -m conntrack --ctstate NEW --dport 587 -j ACCEPT # Submission (RFC 2476) fi # #------------------------------------------ # Allow SVN # if [ $ALLOW_SVN_IN -eq 1 ] then $IPTABLES -A TCP_IN -p tcp -m conntrack --ctstate NEW --dport 3690 -j ACCEPT # SVN fi # #------------------------------------------ # Allow Telnet # if [ $ALLOW_TELNET_IN -eq 1 ] then $IPTABLES -A TCP_IN -p tcp -m conntrack --ctstate NEW --dport 23 -j ACCEPT # telnet fi #------------------------------------------ # Allow Weblogin # if [ $ALLOW_WEBLOGIN_IN -eq 1 ] then $IPTABLES -A TCP_IN -p tcp -m conntrack --ctstate NEW --dport 2054 -j ACCEPT # weblogin fi #------------------------------------------ # Allow XWindows # if [ $ALLOW_XWINDOWS_IN -eq 1 ] then $IPTABLES -A TCP_IN -p tcp -m conntrack --ctstate NEW --dport 6000:6009 -j ACCEPT # XWindows fi # #------------------------------------------ # Allow XWindows Font Server if [ $ALLOW_XWINDOWS_FONTSERVER_IN -eq 1 ] then $IPTABLES -A TCP_IN -p tcp -m conntrack --ctstate NEW --dport 7100 -j ACCEPT # XWindows Font Server fi # #------------------------------------------ # Separate logging of special portscans/connection attempts # # Port Scanners # if [ $DO_LOG_SCANS -eq 1 ] then $IPTABLES -A TCP_IN -i $INET_IFACE -j SCANS fi # #------------------------------------------ # *only accept traffic for TCP port # 8080 from mac 00:0F:EA:91:04:07 * ## # # iptables -A TCP_IN -p tcp --destination-port 22 -m mac --mac-source 00:0F:EA:91:04:07 -j ACCEPT # #------------------------------------------ # Allow unpriviledged ports # ##$IPTABLES -A TCP_IN -p tcp -m tcp --dport $PORTS_UNPRIV -m state --state RELATED -j ACCEPT # #------------------------------------------ # All good, so return # $IPTABLES -A TCP_IN -p tcp -j RETURN # #********************************************************* # Create a chain to filter outgoing TCP packets # # Applied to OUTPUT on the external or Internet interface. # #------------------------------------------ # Ident - Silently reject Ident # # Dont DROP ident, because of possible delays when establishing an outbound connection # #$IPTABLES -A TCP_OUT -p tcp -o $INET_IFACE --sport 113 -j REJECT --reject-with tcp-reset #$IPTABLES -A TCP_OUT -p tcp -o $INET_IFACE --sport 113 -j REJECT --reject-with icmp-port-unreachable $IPTABLES -A TCP_OUT -p tcp -o $INET_IFACE -s $INET_IP -d $INET_GW --dport 113 -j ACCEPT $IPTABLES -A TCP_OUT -p tcp -o $INET_IFACE -s $INET_IP --dport 113 -j ACCEPT #$IPTABLES -A TCP_OUT -p tcp -o $INET_IFACE -m recent --name "relationship" --rdest --set $IPTABLES -A TCP_OUT -p tcp -o $INET_IFACE -m recent --name "IDENT" --rdest --set # #------------------------------------------ # Public services running ON Server # # Allow printing using CUPS # if [ $ALLOW_CUPS_OUT -eq 1 ] then $IPTABLES -A TCP_OUT -p tcp -m conntrack --ctstate NEW --dport 631 -j ACCEPT # Printing CUPS fi # #------------------------------------------ # Allow CVS # if [ $ALLOW_CVS_OUT -eq 1 ] then $IPTABLES -A TCP_OUT -p tcp -m conntrack --ctstate NEW --dport 2401 -j ACCEPT # CVS fi # #------------------------------------------ # Allow DHCP Broadcast # if [ $ALLOW_DHCP_BROADCAST_OUT -eq 1 ] then #$IPTABLES -A TCP_OUT -p tcp --sport 68 --dport 67 -j ACCEPT $IPTABLES -A TCP_OUT -p tcp --sport 67:68 --dport 67:68 -j ACCEPT fi # #------------------------------------------ # Allow DNS # if [ $ALLOW_DNS_OUT -eq 1 ] then $IPTABLES -A TCP_OUT -p tcp --dport 53 -j ACCEPT #$IPTABLES -A TCP_OUT -p tcp -m conntrack --ctstate NEW --dport 53 -j ACCEPT # DNS #$IPTABLES -A TCP_OUT -p tcp -o $INET_IFACE -d $INET_IP -m conntrack --ctstate NEW,ESTABLISHED --dport 53 -j ACCEPT #$IPTABLES -A TCP_OUT -p tcp --dport 53 -j ACCEPT fi # #------------------------------------------ # Allow FTP # if [ $ALLOW_FTP_OUT -eq 1 ] then $IPTABLES -A TCP_OUT -p tcp -m conntrack --ctstate NEW --dport 20 -j ACCEPT # ftp-data $IPTABLES -A TCP_OUT -p tcp -m conntrack --ctstate NEW --dport 21 -j ACCEPT # ftp fi # #------------------------------------------ # Allow HTTP # if [ $ALLOW_HTTP_OUT -eq 1 ] then $IPTABLES -A TCP_OUT -p tcp -m conntrack --ctstate NEW --dport 80 -j ACCEPT # http $IPTABLES -A TCP_OUT -p tcp -o INET_IFACE --sport 80 -m state --state ESTABLISHED -j ACCEPT fi # #------------------------------------------ # Allow HTTPS # if [ $ALLOW_HTTPS_OUT -eq 1 ] then $IPTABLES -A TCP_OUT -p tcp -m conntrack --ctstate NEW --dport 443 -j ACCEPT # https fi # #------------------------------------------ # Allow IMAP # if [ $ALLOW_IMAP_OUT -eq 1 ] then $IPTABLES -A TCP_OUT -p tcp -m conntrack --ctstate NEW --dport 143 -j ACCEPT # imap fi # #------------------------------------------ # Allow IMAPS # if [ $ALLOW_IMAPS_OUT -eq 1 ] then $IPTABLES -A TCP_OUT -p tcp -m conntrack --ctstate NEW --dport 993 -j ACCEPT # IMAPS fi # #------------------------------------------ # Allow IRC # # This usually needs the ip_conntrack_irc kernel module. # if [ $ALLOW_IRC_OUT -eq 1 ] then $IPTABLES -A TCP_OUT -p tcp -m conntrack --ctstate NEW --dport 6667 -j ACCEPT # IRC #$IPTABLES -A OUTPUT -m state --state NEW -p tcp --dport 6667 -j ACCEPT fi # #------------------------------------------ # Allow MySQL # if [ $ALLOW_MYSQL_OUT -eq 1 ] then $IPTABLES -A TCP_OUT -p tcp -m conntrack --ctstate NEW --dport 3306 -j ACCEPT # MySQL fi #------------------------------------------ # Allow NFS # if [ $ALLOW_NFS_OUT -eq 1 ] then $IPTABLES -A TCP_OUT -p tcp -m conntrack --ctstate NEW --dport 2049 -j ACCEPT # NFS fi # #------------------------------------------ # Allow NTP # if [ $ALLOW_NTP_OUT -eq 1 ] then $IPTABLES -A TCP_OUT -p tcp -m conntrack --ctstate NEW --dport 123 -j ACCEPT # NTP fi # #------------------------------------------ # Allow NNTP # if [ $ALLOW_NNTP_OUT -eq 1 ] then $IPTABLES -A TCP_OUT -p tcp -m conntrack --ctstate NEW --dport 119 -j ACCEPT # NNTP fi # #------------------------------------------ # Allow OPENVPN # if [ $ALLOW_OPENVPN_OUT -eq 1 ] then $IPTABLES -A TCP_OUT -p tcp -m conntrack --ctstate NEW --dport 1194 -j ACCEPT # OPENVPN fi # #------------------------------------------ # Allow PLESK # if [ $ALLOW_PLESK_OUT -eq 1 ] then $IPTABLES -A TCP_OUT -p tcp -m conntrack --ctstate NEW --dport 8443 -j ACCEPT # PLESK https $IPTABLES -A TCP_OUT -p tcp -m conntrack --ctstate NEW --dport 8880 -j ACCEPT # PLESK http fi # #------------------------------------------ # Allow PLEX # if [ $ALLOW_PLEX_OUT -eq 1 ] then $IPTABLES -A TCP_OUT -p tcp -m conntrack --ctstate NEW --dport $PORTS_PLEX -j ACCEPT # PLEX fi # #------------------------------------------ # Allow POP3 # if [ $ALLOW_POP3_OUT -eq 1 ] then $IPTABLES -A TCP_OUT -p tcp -m conntrack --ctstate NEW --dport 110 -j ACCEPT # POP-3 fi # #------------------------------------------ # Allow POP3S # if [ $ALLOW_POP3S_OUT -eq 1 ] then $IPTABLES -A TCP_OUT -p tcp -m conntrack --ctstate NEW --dport 995 -j ACCEPT # POP-3S fi # #------------------------------------------ # Allow POSTGRESQL # if [ $ALLOW_POSTGRESQL_OUT -eq 1 ] then $IPTABLES -A TCP_OUT -p tcp -m conntrack --ctstate NEW --dport 5432 -j ACCEPT # PostgreSQL fi # #------------------------------------------ # Allow RWHOIS # if [ $ALLOW_RWHOIS_OUT -eq 1 ] then $IPTABLES -A TCP_OUT -p tcp -m conntrack --ctstate NEW --dport 4321 -j ACCEPT # RWHOIS fi # #------------------------------------------ # Allow SAMBA # if [ $ALLOW_SAMBA_OUT -eq 1 ] then #$IPTABLES -A TCP_OUT -p tcp -o $INET_IFACE -m multiport --sports 135,137,138,139,445,1433,1434 -m conntrack --ctstate NEW -j ACCEPT #$IPTABLES -A UDP_OUT -p udp -o $INET_IFACE -m multiport --sports 135,137,138,139,445,1433,1434 -m conntrack --ctstate NEW -j ACCEPT $IPTABLES -A TCP_OUT -p tcp -o $INET_IFACE -m multiport --dports 135,137,138,139,445,1433,1434 -m conntrack --ctstate NEW -j ACCEPT #$IPTABLES -A UDP_OUT -p udp -o $INET_IFACE -m multiport --dports 135,137,138,139,445,1433,1434 -m conntrack --ctstate NEW -j ACCEPT fi # #------------------------------------------ # Allow SMTP # if [ $ALLOW_SMTP_OUT -eq 1 ] then $IPTABLES -A TCP_OUT -p tcp -m conntrack --ctstate NEW --dport 25 -j ACCEPT # smtp #$IPTABLES -A TCP_OUT -p tcp -m conntrack --ctstate NEW --sport 25 -j ACCEPT # smtp fi # #------------------------------------------ # Allow outgoing SMTPS requests. Do NOT allow unencrypted SMTP! # if [ $ALLOW_SMTPS_OUT -eq 1 ] then $IPTABLES -A TCP_OUT -p tcp -m conntrack --ctstate NEW --dport 465 -j ACCEPT # smtps #$IPTABLES -A TCP_OUT -p tcp -m conntrack --ctstate NEW --sport 465 -j ACCEPT # smtps fi # #------------------------------------------ # Allow SOCKS5 # if [ $ALLOW_SOCKS5_OUT -eq 1 ] then $IPTABLES -A TCP_OUT -p tcp -m conntrack --ctstate NEW --dport 1080 -j ACCEPT # SOCKS5 fi # #------------------------------------------ # Allow SSH # if [ $ALLOW_SSH_OUT -eq 1 ] then # Allow three port 22 connections from any given IP address within a # 60 second period, and requires 60 seconds of no subsequent connection # attempts before it will resume allowing connections again. # # The --rttl option also takes into account the TTL of the datagram # when matching packets, so as to endeavour to mitigate against spoofed # source addresses. # # Does not not stop any established SSH connections from the host # that has made too many SSH connections in a short period of time, # and allows for whitelisting. # #$IPTABLES -A TCP_OUT -p tcp -m conntrack --ctstate NEW --dport 22 -m recent --set --name SSH ##$IPTABLES -A TCP_OUT -p tcp -m conntrack --ctstate NEW --dport 22 -j WHITELIST_SSH #$IPTABLES -A TCP_OUT -p tcp -m conntrack --ctstate NEW --dport 22 -m recent --update --seconds 60 --hitcount 4 --rttl --name SSH -j LOG --log-prefix "IPT=SSH:OUT:Brute a=DROP " #$IPTABLES -A TCP_OUT -p tcp -m conntrack --ctstate NEW --dport 22 -m recent --update --seconds 60 --hitcount 4 --rttl --name SSH -j DROP $IPTABLES -A TCP_OUT -p tcp -m conntrack --ctstate NEW --dport 22 -m recent --set --name SSH $IPTABLES -A TCP_OUT -p tcp -m conntrack --ctstate NEW --dport 22 -m recent --update --seconds 60 --hitcount 4 --rttl --name SSH -j LOG --log-prefix "IPT=SSH:OUT:Brute a=DROP " $IPTABLES -A TCP_OUT -p tcp -m conntrack --ctstate NEW --dport 22 -m recent --update --seconds 60 --hitcount 4 --rttl --name SSH -j DROP $IPTABLES -A TCP_OUT -p tcp -m conntrack --ctstate NEW --dport 22 -j ACCEPT fi # #------------------------------------------ # Allow Squid # if [ $ALLOW_SQUID_OUT -eq 1 ] then $IPTABLES -A TCP_OUT -p tcp -m conntrack --ctstate NEW --dport 3128 -j ACCEPT # SQUID proxy fi # #------------------------------------------ # Allow Submission # (RFC 2476) # if [ $ALLOW_SUBMISSION_OUT -eq 1 ] then $IPTABLES -A TCP_OUT -p tcp -m conntrack --ctstate NEW --dport 587 -j ACCEPT # Submission (RFC 2476) fi # #------------------------------------------ # Allow SVN # if [ $ALLOW_SVN_OUT -eq 1 ] then $IPTABLES -A TCP_OUT -p tcp -m conntrack --ctstate NEW --dport 3690 -j ACCEPT # SVN fi # #------------------------------------------ # Allow Telnet # if [ $ALLOW_TELNET_OUT -eq 1 ] then $IPTABLES -A TCP_OUT -p tcp -m conntrack --ctstate NEW --dport 23 -j ACCEPT # telnet fi # #------------------------------------------ # Allow TOR # (http://tor.eff.org) # if [ $ALLOW_TOR_OUT -eq 1 ] then $IPTABLES -A TCP_OUT -p tcp -m conntrack --ctstate NEW --dport $PORTS_TOR -j ACCEPT # tor fi # #------------------------------------------ # Allow WHOIS # if [ $ALLOW_WHOIS_OUT -eq 1 ] then $IPTABLES -A TCP_OUT -p tcp -m conntrack --ctstate NEW --dport 43 -j ACCEPT # WHOIS fi # #------------------------------------------ # Allow unpriviledged ports # ##$IPTABLES -A TCP_OUT -p tcp -m tcp -o $INET_IFACE -s $INET_IP --sport $PORTS_UNPRIV -j ACCEPT # #------------------------------------------ # All good, so return # $IPTABLES -A TCP_OUT -p tcp -j RETURN # #********************************************************* # Create a chain to filter known SCANS # Applied to INPUT on the external or Internet interface. # # Trojan portscan, special services, etc # if [ $DO_LOG_SCANS -eq 1 ] then #------------------------------------------ # Deepthroat scan # $IPTABLES -A SCANS -i $INET_IFACE -p tcp --dport 6670 -m limit --limit $LIMIT_LOG --limit-burst $LIMIT_LOG_BURST -j LOG --log-level $LOG_LEVEL --log-prefix "IPT=Deepthroat a=DROP " $IPTABLES -A SCANS -p tcp --dport 6670 -j DROP # #------------------------------------------ # Subseven scan # $IPTABLES -A SCANS -i $INET_IFACE -p tcp --dport 1243 -m limit --limit $LIMIT_LOG --limit-burst $LIMIT_LOG_BURST -j LOG --log-level $LOG_LEVEL --log-prefix "IPT=Subseven:1 a=DROP " $IPTABLES -A SCANS -p tcp --dport 1243 -j DROP # $IPTABLES -A SCANS -i $INET_IFACE -p udp --dport 1243 -m limit --limit $LIMIT_LOG --limit-burst $LIMIT_LOG_BURST -j LOG --log-level $LOG_LEVEL --log-prefix "IPT=Subseven:2 a=DROP " $IPTABLES -A SCANS -p udp --dport 1243 -j DROP # $IPTABLES -A SCANS -i $INET_IFACE -p tcp --dport 27374 -m limit --limit $LIMIT_LOG --limit-burst $LIMIT_LOG_BURST -j LOG --log-level $LOG_LEVEL --log-prefix "IPT=Subseven:3 a=DROP " $IPTABLES -A SCANS -p tcp --dport 27374 -j DROP $IPTABLES -A SCANS -i $INET_IFACE -p udp --dport 27374 -m limit --limit $LIMIT_LOG --limit-burst $LIMIT_LOG_BURST -j LOG --log-level $LOG_LEVEL --log-prefix "IPT=Subseven:4 a=DROP " $IPTABLES -A SCANS -p udp --dport 27374 -j DROP # $IPTABLES -A SCANS -i $INET_IFACE -p tcp --dport 6711:6713 -m limit --limit $LIMIT_LOG --limit-burst $LIMIT_LOG_BURST -j LOG --log-level $LOG_LEVEL --log-prefix "IPT=Subseven:5 a=DROP " $IPTABLES -A SCANS -p tcp --dport 6711:6713 -j DROP # #------------------------------------------ # Netbus scan # $IPTABLES -A SCANS -i $INET_IFACE -p tcp --dport 12345:12346 -m limit --limit $LIMIT_LOG --limit-burst $LIMIT_LOG_BURST -j LOG --log-level $LOG_LEVEL --log-prefix "IPT=Netbus:1 a=DROP " $IPTABLES -A SCANS -p tcp --dport 12345:12346 -j DROP # $IPTABLES -A SCANS -i $INET_IFACE -p tcp --dport 20034 -m limit --limit $LIMIT_LOG --limit-burst $LIMIT_LOG_BURST -j LOG --log-level $LOG_LEVEL --log-prefix "IPT=Netbus:2 a=DROP " $IPTABLES -A SCANS -p tcp --dport 20034 -j DROP # #------------------------------------------ # Back Oriface scan # $IPTABLES -A SCANS -i $INET_IFACE -p udp --dport 31337:31338 -m limit --limit $LIMIT_LOG --limit-burst $LIMIT_LOG_BURST -j LOG --log-level $LOG_LEVEL --log-prefix "IPT=Back-Orifice a=DROP " $IPTABLES -A SCANS -p udp --dport 31337:31338 -j DROP # #------------------------------------------ # X-Win scan # $IPTABLES -A SCANS -i $INET_IFACE -p tcp --dport $PORTS_XWIN -m limit --limit $LIMIT_LOG --limit-burst $LIMIT_LOG_BURST -j LOG --log-level $LOG_LEVEL --log-prefix "IPT=X-Win a=DROP " $IPTABLES -A SCANS -p tcp --dport $PORTS_XWIN -j DROP # #------------------------------------------ # Hack'a'Tack 2000 # $IPTABLES -A SCANS -i $INET_IFACE -p udp --dport 28431 -m limit --limit $LIMIT_LOG --limit-burst $LIMIT_LOG_BURST -j LOG --log-level $LOG_LEVEL --log-prefix "IPT=Hack'a'Tack-2000 a=DROP " $IPTABLES -A SCANS -p udp --dport 28431 -j DROP # #------------------------------------------ # All good, so return # $IPTABLES -A SCANS -j RETURN # # fi # #********************************************************* # Create a chain to filter packets that are not to be logged. # Applied to INPUT on the external or Internet interface. # #------------------------------------------ # Drop SMB, CIFS, and related Windows traffic without logging. # # TODO: I think not all of these use TCP _and_ UDP. Tighten the rules! # if [ $BLOCK_SAMBA_WITHOUT_LOGGING -eq 1 ] then $IPTABLES -A NO_LOGGING -p tcp -m multiport --sports 135,137,138,139,445,1433,1434 -j DROP $IPTABLES -A NO_LOGGING -p udp -m multiport --sports 135,137,138,139,445,1433,1434 -j DROP # $IPTABLES -A NO_LOGGING -p tcp -m multiport --dports 135,137,138,139,445,1433,1434 -j DROP $IPTABLES -A NO_LOGGING -p udp -m multiport --dports 135,137,138,139,445,1433,1434 -j DROP fi # #------------------------------------------ # Ignore Dropbox LAN Sync broadcasts # # Do not log as too much logging. # if [ $BLOCK_DROPBOX_LAN_SYNC_BROADCASTS -eq 1 ] then $IPTABLES -A NO_LOGGING -p udp -m udp --dport $PORTS_DROPBOX_LAN_SYNC_BROADCASTS -j DROP fi # #------------------------------------------ # All good, so return # $IPTABLES -A NO_LOGGING -j RETURN # #********************************************************* # # INPUT CHAIN # # Add comments to your rules: # # -m comment --comment "Comments help to read output of iptables -nvL" # #------------------------------------------ # Allow incoming for loopback interfaces # Allow traffic on loopback interface (lo0) # $IPTABLES -A INPUT -i $LO_IFACE -j ACCEPT # #------------------------------------------ # Drop all traffic to 127/8 that doesn't use lo0 # Should already be catched by kernel/rp_filter # $IPTABLES -A INPUT -i !$LO_IFACE -d 127.0.0.0/8 -j REJECT # #------------------------------------------ # Allow previously initiated connections to bypass rules # $IPTABLES -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT #$IPTABLES -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT # #$IPTABLES -A INPUT -p tcp -m multiport --sports 135,137,138,139,445,1433,1434 -j ACCEPT #$IPTABLES -A INPUT -p udp -m multiport --sports 135,137,138,139,445,1433,1434 -j ACCEPT #$IPTABLES -A INPUT -p tcp -m multiport --dports 135,137,138,139,445,1433,1434 -j ACCEPT #$IPTABLES -A INPUT -p udp -m multiport --dports 135,137,138,139,445,1433,1434 -j ACCEPT # DROP 29691 - Microsoft something or other - I think against Win 10... #$IPTABLES -A INPUT -p tcp -m conntrack --ctstate NEW --dport 29691 -j DROP #$IPTABLES -A INPUT -p udp -m conntrack --ctstate NEW --dport 29691 -j DROP #------------------------------------------ # Allow incoming from local INET # #$IPTABLES -A INPUT -s $INET_NET -d $INET_IP -j ACCEPT # peter enabled this... checking... $IPTABLES -A INPUT -s $INET_NET -d $INET_IP -j ACCEPT # #------------------------------------------ # Allow HTTP # if [ $ALLOW_HTTP_IN -eq 1 ] then $IPTABLES -A INPUT -p tcp -m conntrack --ctstate NEW --dport 80 -j ACCEPT # http fi # #------------------------------------------ # Allow HTTPS # if [ $ALLOW_HTTPS_IN -eq 1 ] then $IPTABLES -A INPUT -p tcp -m conntrack --ctstate NEW --dport 443 -j ACCEPT # https fi # #------------------------------------------ # This should be one of the first rules. # so dns lookups are already allowed for our other rules. $IPTABLES -A INPUT -p udp --dport 53 -j ACCEPT $IPTABLES -A INPUT -p tcp --dport 53 -j ACCEPT #iptables -A INPUT -p udp --dport 53 --dport 1024:65535 -j ACCEPT #iptables -A INPUT -p tcp --dport 53 --dport 1024:65535 -j ACCEPT #iptables -A INPUT -p udp --dport 53 --sport 1024:65535 -j ACCEPT #iptables -A INPUT -p tcp --dport 53 --sport 1024:65535 -j ACCEPT # #$IPTABLES -A INPUT -p tcp -m tcp --dport 53 -m limit --limit 5/sec -j LOG --log-prefix "IPT=DNS:TCP LIMIT a=DROP " --log-level $LOG_LEVEL #$IPTABLES -A INPUT -p udp -m udp --dport 53 -m limit --limit 5/sec -j LOG --log-prefix "IPT=DNS:UDP LIMIT a=DROP " --log-level $LOG_LEVEL $IPTABLES -A INPUT -p tcp --dport 53 -m state --state NEW -m recent --set --name DNS_BURST_LIMIT --rsource $IPTABLES -A INPUT -p tcp --dport 53 -m state --state NEW -m recent --rcheck --seconds 1 --hitcount ${DNS_BURST} --name DNS_BURST_LIMIT --rsource -j LOG --log-level $LOG_LEVEL --log-prefix "IPT=DNS:TCP BURST a=DROP " $IPTABLES -A INPUT -p tcp --dport 53 -m state --state NEW -m recent --update --seconds 1 --hitcount ${DNS_BURST} --name DNS_BURST_LIMIT --rsource -j DROP $IPTABLES -A INPUT -p tcp --dport 53 -m state --state NEW -m recent --set --name DNS_TOTAL_LIMIT --rsource $IPTABLES -A INPUT -p tcp --dport 53 -m state --state NEW -m recent --rcheck --seconds ${DNS_TIMEOUT} --hitcount ${DNS_TOTAL_REQUESTS} --name DNS_TOTAL_LIMIT --rsource -j LOG --log-level $LOG_LEVEL --log-prefix "IPT=DNS:TCP TOTAL a=DROP " $IPTABLES -A INPUT -p tcp --dport 53 -m state --state NEW -m recent --update --seconds ${DNS_TIMEOUT} --hitcount ${DNS_TOTAL_REQUESTS} --name DNS_TOTAL_LIMIT --rsource -j DROP $IPTABLES -A INPUT -p udp --dport 53 -m state --state NEW -m recent --set --name DNS_BURST_LIMIT --rsource $IPTABLES -A INPUT -p udp --dport 53 -m state --state NEW -m recent --rcheck --seconds 1 --hitcount ${DNS_BURST} --name DNS_BURST_LIMIT --rsource -j LOG --log-level $LOG_LEVEL --log-prefix "IPT=DNS:UDP BURST a=DROP " $IPTABLES -A INPUT -p udp --dport 53 -m state --state NEW -m recent --update --seconds 1 --hitcount ${DNS_BURST} --name DNS_BURST_LIMIT --rsource -j DROP $IPTABLES -A INPUT -p udp --dport 53 -m state --state NEW -m recent --set --name DNS_TOTAL_LIMIT --rsource $IPTABLES -A INPUT -p udp --dport 53 -m state --state NEW -m recent --rcheck --seconds ${DNS_TIMEOUT} --hitcount ${DNS_TOTAL_REQUESTS} --name DNS_TOTAL_LIMIT --rsource -j LOG --log-level $LOG_LEVEL --log-prefix "IPT=DNS:UDP TOTAL a=DROP " $IPTABLES -A INPUT -p udp --dport 53 -m state --state NEW -m recent --update --seconds ${DNS_TIMEOUT} --hitcount ${DNS_TOTAL_REQUESTS} --name DNS_TOTAL_LIMIT --rsource -j DROP $IPTABLES -A INPUT -p tcp -m conntrack --ctstate NEW,ESTABLISHED --dport 53 -j ACCEPT # DNS $IPTABLES -A INPUT -p udp -m conntrack --ctstate NEW,ESTABLISHED --dport 53 -j ACCEPT # DNS #for ip in $DNS_SERVER #do # echo "Allowing DNS lookups (tcp, udp port 53) to server '$ip'" # $IPTABLES -A INPUT -p udp -s $ip --sport 53 -m state --state ESTABLISHED -j ACCEPT # $IPTABLES -A INPUT -p tcp -s $ip --sport 53 -m state --state ESTABLISHED -j ACCEPT # $IPTABLES -A OUTPUT -p udp -d $ip --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT # $IPTABLES -A OUTPUT -p tcp -d $ip --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT #done #PTR1 #------------------------------------------ # Allow packets not coming from the outside # $IPTABLES -A INPUT -m conntrack --ctstate NEW -i $LOCAL_IFACE -j ACCEPT # #------------------------------------------ # This should be one of the first rules. # to drop any previously detected attackers. if [ $BLOCK_BRUTE_FORCE_ATTACKS -eq 1 ] then # Check for any offences. # If so then drop for that period of time, into the specific banned group - which determines the timeout. # Otherwise, if not yet banned, check if this is an attack. $IPTABLES -A INPUT -m recent --rcheck --seconds $CONNECTION_TIMEOUT_9 --name BANNED9 --rsource -j DROP $IPTABLES -A INPUT -m recent --rcheck --seconds $CONNECTION_TIMEOUT_8 --name BANNED8 --rsource -j DROP $IPTABLES -A INPUT -m recent --rcheck --seconds $CONNECTION_TIMEOUT_7 --name BANNED7 --rsource -j DROP $IPTABLES -A INPUT -m recent --rcheck --seconds $CONNECTION_TIMEOUT_6 --name BANNED6 --rsource -j DROP $IPTABLES -A INPUT -m recent --rcheck --seconds $CONNECTION_TIMEOUT_5 --name BANNED5 --rsource -j DROP $IPTABLES -A INPUT -m recent --rcheck --seconds $CONNECTION_TIMEOUT_4 --name BANNED4 --rsource -j DROP $IPTABLES -A INPUT -m recent --rcheck --seconds $CONNECTION_TIMEOUT_3 --name BANNED3 --rsource -j DROP $IPTABLES -A INPUT -m recent --rcheck --seconds $CONNECTION_TIMEOUT_2 --name BANNED2 --rsource -j DROP $IPTABLES -A INPUT -m recent --rcheck --seconds $CONNECTION_TIMEOUT_1 --name BANNED1 --rsource -j DROP $IPTABLES -A INPUT -m conntrack --ctstate NEW -j ATTACK_CHECK fi #------------------------------------------ # Allow incoming from the gateway # $IPTABLES -A INPUT -s $INET_GW -d $INET_IP -j ACCEPT # #------------------------------------------ # Allow incoming from local INET to local BCAST # $IPTABLES -A INPUT -s $INET_NET -d $INET_BCAST -j ACCEPT $IPTABLES -A INPUT -d $PORTS_BROADCAST -j ACCEPT #$IPTABLES -A INPUT -s $INET_NET -d $PORTS_BROADCAST -j ACCEPT #$IPTABLES -A INPUT -s $INET_NET -d $PORTS_UNIVERSE -j ACCEPT # #------------------------------------------ # Allow incoming from local INET # #$IPTABLES -A INPUT -s $INET_NET -d $INET_IP -j ACCEPT # #------------------------------------------ # Allow packets not coming from the outside # $IPTABLES -A INPUT -m conntrack --ctstate NEW -i $LOCAL_IFACE -j ACCEPT # #------------------------------------------ # Check Quotas # if [ $DO_QUOTA -eq 1 ] then $IPTABLES -A INPUT -j QUOTAS fi # #------------------------------------------ # Drop invalid packets # $IPTABLES -A INPUT -j BAD_PACKETS # #------------------------------------------ # Do not log certain packets, as too much logging # #$IPTABLES -A INPUT -j NO_LOGGING # #------------------------------------------ # Always allow certain packets # if [ $DO_WHITELISTING -eq 1 ] then $IPTABLES -A INPUT -j WHITELIST fi # #------------------------------------------ # Drop enemies # $IPTABLES -A INPUT -j BLACKLIST # #------------------------------------------ # Route the rest to the appropriate user chain # $IPTABLES -A INPUT -p tcp -i $INET_IFACE -j TCP_IN $IPTABLES -A INPUT -p udp -i $INET_IFACE -j UDP_IN $IPTABLES -A INPUT -p icmp -i $INET_IFACE -j ICMP_IN $IPTABLES -A INPUT -p igmp -j DROP # #------------------------------------------ # Drop any traffic from IANA-reserved IPs. # $IPTABLES -A INPUT -i $INET_IFACE -j IANA_RESERVED # #------------------------------------------ # Allow Port Knocking # if [ $DO_PORT_KNOCKING -eq 1 ] then $IPTABLES -A INPUT -j PORT_KNOCK fi # #------------------------------------------ # Do not log certain packets, as too much logging # $IPTABLES -A INPUT -j NO_LOGGING # #------------------------------------------ # Drop packets from private address ranges coming in on the external # $IPTABLES -A INPUT -i $INET_IFACE -j PRIVATE_PACKETS # #------------------------------------------ # Drop without logging broadcasts that get this far. # Cuts down on log clutter. # Comment this line if testing new rules that impact # broadcast protocols. # $IPTABLES -A INPUT -m pkttype --pkt-type broadcast -j DROP # #------------------------------------------ # Catch all # Log packets that still don't match, and then DROP them. # if [ $DO_REJECT_INSTEAD_OF_DROP -eq 1 ] then $IPTABLES -A INPUT -m limit --limit $LIMIT_LOG --limit-burst $LIMIT_LOG_BURST -j LOG --log-level $LOG_LEVEL --log-prefix "IPT=INPUT:999 a=REJECT " $IPTABLES -A INPUT -p udp -j REJECT --reject-with icmp-port-unreachable $IPTABLES -A INPUT -p tcp -j REJECT --reject-with tcp-reset $IPTABLES -A INPUT -j REJECT --reject-with icmp-proto-unreachable else $IPTABLES -A INPUT -m limit --limit $LIMIT_LOG --limit-burst $LIMIT_LOG_BURST -j LOG --log-level $LOG_LEVEL --log-prefix "IPT=INPUT:999 a=DROP " $IPTABLES -A INPUT -j DROP fi # #********************************************************* # # OUTPUT CHAIN # #------------------------------------------ # Allow outgoing for loopback interfaces # Allow traffic on loopback interface (lo0) # $IPTABLES -A OUTPUT -o $LO_IFACE -j ACCEPT # #------------------------------------------ # Drop all traffic to 127/8 that doesn't use lo0 # Should be already be catched by kernel/rp_filter # $IPTABLES -A OUTPUT -o !$LO_IFACE -d 127.0.0.0/8 -j REJECT # #------------------------------------------ # Allow previously initiated connections to bypass rules # $IPTABLES -A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT # #------------------------------------------ # Allow outgoing connections EXCEPT invalid # #$IPTABLES -A OUTPUT -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT #------------------------------------------ # This should be one of the first rules. # so dns lookups are already allowed for your other rules $IPTABLES -A OUTPUT -p udp --dport 53 -j ACCEPT $IPTABLES -A OUTPUT -p tcp --dport 53 -j ACCEPT #iptables -A OUTPUT -p udp --dport 53 --sport 1024:65535 -j ACCEPT #iptables -A OUTPUT -p tcp --dport 53 --sport 1024:65535 -j ACCEPT # #$IPTABLES -A OUTPUT -p tcp -m conntrack --ctstate NEW,ESTABLISHED --dport 53 -j ACCEPT # DNS #$IPTABLES -A OUTPUT -p udp -m conntrack --ctstate NEW,ESTABLISHED --dport 53 -j ACCEPT # DNS #$IPTABLES -A OUTPUT -p tcp -m conntrack --ctstate NEW,ESTABLISHED --sport 53 -j ACCEPT # DNS #$IPTABLES -A OUTPUT -p udp -m conntrack --ctstate NEW,ESTABLISHED --sport 53 -j ACCEPT # DNS #------------------------------------------ # Allow established connections, and those not coming from the outside # $IPTABLES -A OUTPUT -m conntrack --ctstate NEW -o $LOCAL_IFACE -j ACCEPT # #------------------------------------------ # Drop invalid packets # # Note: Be careful if you're using kernels older than 2.4.29. Some locally # generated ICMP error types (going through OUTPUT) are erroneously tagged # as INVALID (instead of RELATED). # Details: http://lists.debian.org/debian-firewall/2006/05/msg00051.html. # $IPTABLES -A OUTPUT -j BAD_PACKETS # #------------------------------------------ # Do not log certain packets, as too much logging # #$IPTABLES -A OUTPUT -j NO_LOGGING # #------------------------------------------ # Always allow certain packets # #if [ $DO_WHITELISTING -eq 1 ] #then #$IPTABLES -A OUTPUT -j WHITELIST #fi # #------------------------------------------ # Drop enemies # #$IPTABLES -A OUTPUT -j BLACKLIST # #------------------------------------------ # Route the rest to the appropriate user chain # $IPTABLES -A OUTPUT -p tcp -o $INET_IFACE -j TCP_OUT $IPTABLES -A OUTPUT -p udp -o $INET_IFACE -j UDP_OUT $IPTABLES -A OUTPUT -p icmp -o $INET_IFACE -j ICMP_OUT # #------------------------------------------ # Do not log certain packets, as too much logging # $IPTABLES -A OUTPUT -j NO_LOGGING # #------------------------------------------ # Catch all # # Log packets that still don't match, and then DROP them. # if [ $DO_REJECT_INSTEAD_OF_DROP -eq 1 ] then $IPTABLES -A OUTPUT -m limit --limit $LIMIT_LOG --limit-burst $LIMIT_LOG_BURST -j LOG --log-level $LOG_LEVEL --log-prefix "IPT=OUTPUT:999 a=REJECT " $IPTABLES -A OUTPUT -p udp -j REJECT --reject-with icmp-port-unreachable $IPTABLES -A OUTPUT -p tcp -j REJECT --reject-with tcp-reset $IPTABLES -A OUTPUT -j REJECT --reject-with icmp-proto-unreachable else $IPTABLES -A OUTPUT -m limit --limit $LIMIT_LOG --limit-burst $LIMIT_LOG_BURST -j LOG --log-level $LOG_LEVEL --log-prefix "IPT=OUTPUT:999 a=DROP " $IPTABLES -A OUTPUT -j DROP fi # #********************************************************* # # FORWARD CHAIN # # $IPTABLES -A FORWARD -j BAD_PACKETS # #------------------------------------------ #FORWARD $IPTABLES -A FORWARD -p icmp -j ACCEPT $IPTABLES -A FORWARD -p tcp -s $LOCAL_NET -j ACCEPT #forward everything from local LAN $IPTABLES -A FORWARD -p udp -s $LOCAL_NET -j ACCEPT #forward everything from local LAN #$IPTABLES -A FORWARD -i $INET_IFACE -j OUTBOUND #need both for pass-through #$IPTABLES -A FORWARD -i $LOCAL_IFACE -j OUTBOUND #need both for pass-through #------------------------------------------ # Allows new forwarded packets # #$IPTABLES -A FORWARD -i $INET_IFACE -o $LOCAL_IFACE -s $LOCAL_NET -m conntrack --ctstate NEW -j ACCEPT # #------------------------------------------ # Don't forward from the outside to the inside. # $IPTABLES -A FORWARD -i $INET_IFACE -o $INET_IFACE -j REJECT #$IPTABLES -A FORWARD -s $INET_NET -i $INET_IFACE -j DROP # Drop from internet which it claims are an addr in LAN ip range. # #------------------------------------------ # Allow previously initiated connections to bypass rules # $IPTABLES -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT # #------------------------------------------ # Allow established connections, and those not coming from the outside # #$IPTABLES -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -i $LOCAL_IFACE -o $INET_IFACE -j ACCEPT # # #------------------------------------------ # Drop invalid packets # $IPTABLES -A FORWARD -j BAD_PACKETS # #------------------------------------------ # Always allow certain packets # if [ $DO_WHITELISTING -eq 1 ] then $IPTABLES -A FORWARD -j WHITELIST fi # #------------------------------------------ # Allow outgoing connections from the LAN side # Route packets to either TCP or UDP as appropriate # $IPTABLES -A FORWARD -i $LOCAL_IFACE -o $INET_IFACE -p tcp -j TCP_OUT $IPTABLES -A FORWARD -i $LOCAL_IFACE -o $INET_IFACE -p udp -j UDP_OUT # #------------------------------------------ # Do not log certain packets, as too much logging # #$IPTABLES -A FORWARD -j NO_LOGGING # #------------------------------------------ # Drop enemies # $IPTABLES -A FORWARD -j BLACKLIST # #------------------------------------------ # Do not log certain packets, as too much logging # $IPTABLES -A FORWARD -j NO_LOGGING # #------------------------------------------ # Catch all # Log packets that still don't match, and then DROP them. # if [ $DO_REJECT_INSTEAD_OF_DROP -eq 1 ] then $IPTABLES -A FORWARD -m limit --limit $LIMIT_LOG --limit-burst $LIMIT_LOG_BURST -j LOG --log-level $LOG_LEVEL --log-prefix "IPT=FORWARD:999 a=REJECT " $IPTABLES -A FORWARD -p udp -j REJECT --reject-with icmp-port-unreachable $IPTABLES -A FORWARD -p tcp -j REJECT --reject-with tcp-reset $IPTABLES -A FORWARD -j REJECT --reject-with icmp-proto-unreachable else $IPTABLES -A FORWARD -m limit --limit $LIMIT_LOG --limit-burst $LIMIT_LOG_BURST -j LOG --log-level $LOG_LEVEL --log-prefix "IPT=FORWARD:999 a=DROP " $IPTABLES -A FORWARD -j DROP fi # #********************************************************* # # POSTROUTING CHAIN # #------------------------------------------ # Masquerade - Set up your gateway # if [ $DO_MASQUERADE -eq 1 ] then $IPTABLES -A POSTROUTING -t nat -o $INET_IFACE -j MASQUERADE else # POSTROUTING statements for 1:1 NAT # (Connections originating from the home network servers) # # SNAT is used to NAT all other outbound connections initiated # from the protected network to appear to come from the local # IP address. # # The reason for choosing MASQUERADE in the previous example # anyway has the following reason: For SNAT one has to specify # the new source-IP explicitly. # # For routers with a static IP address SNAT is the best choice # because it is faster than MASQUERADE which has to check the # current IP address of the outgoing network interface at every # packet. Since SNAT is only meaningful for packets leaving the # router it is used within the POSTROUTING chain only. # #$IPTABLES -A POSTROUTING -t nat -o $INET_IFACE -j SNAT --to-source $INET_IP $IPTABLES -A POSTROUTING -t nat -s $LOCAL_IP -o $INET_IFACE -j SNAT --to-source $LOCAL_IP # #------------------------------------------ # POSTROUTING statements for Many:1 NAT # #$IPTABLES -A POSTROUTING -t nat -s $LOCAL_NET -o $INET_IFACE -j SNAT --to-source $LOCAL_IP fi # #********************************************************* # # PREROUTING CHAIN # #------------------------------------------ # DROP packets from hosts with more than 16 active connections. #$IPTABLES -A PREROUTING -t nat -i $INET_IFACE -p tcp --syn -d $INET_IP -m iplimit --iplimit-above 16 -j DROP # #------------------------------------------ if [ $DO_MASQUERADE -eq 0 ] then # PREROUTING statements for 1:1 NAT # #$IPTABLES -A PREROUTING -t nat -i $INET_IFACE -j DNAT --to-destination $INET_IP $IPTABLES -A PREROUTING -t nat -d $LOCAL_IP -i $INET_IFACE -j DNAT --to-destination $INET_IP fi # #------------------------------------------ # Blocks oversized unfragmented ICMP packets. # if [ $BLOCK_OVERSIZE_ICMP_PACKETS -eq 1 ] then $IPTABLES -A PREROUTING -t raw -p icmp -m length --length 1492:65535 -m limit --limit $LIMIT_LOG --limit-burst $LIMIT_LOG_BURST -j LOG --log-level $LOG_LEVEL --log-prefix "IPT=PRE:oversize_ICMP a=DROP " $IPTABLES -A PREROUTING -t raw -p icmp -m length --length 1492:65535 -j DROP fi # #------------------------------------------ ## RULES END ## rules_number=`egrep '\-j' /sharewiz/firewall/firewall.sh | wc -l` #rules_number=`egrep '\-j' `basename $0 | wc -l` total_rules=$(( rules_number )) echo "" echo "$total_rules rules loaded." echo "" #------------------------------------------ # Exit gracefully. # exit 0
computer_setup/firewall.txt · Last modified: 2021/07/03 11:37 by peter