File config.conf
## PUT YOUR OWN ADDRESS HERE! if you want to receive errors by mail
MAILTO="linuxwarning@saruman.biz"
# external programs the rule helpers call
CMD="/sbin/iptables"
SYSLOG="/usr/bin/logger"
# Logging target plus the matching prefix option. Keep "ULOG" and
# "--ulog-prefix" for the Userspace Logging Daemon; for the kernel
# log target use "LOG" and "--log-prefix" instead.
FWLOG="ULOG"
FWLOGPREFIX="--ulog-prefix"
# topology: interface/address per side, plus the LAN range
inetIF='eth1'
inetIP='212.238.151.172'
lanIF='eth0'
lanIP='192.168.67.10'
lanNET='192.168.67.0/24'
# NAT is done on the Internet side with our own public address
natIF="$inetIF"
natIP="$inetIP"
# Define some subnets (the address ranges follow from the prefix length)
FRESHFIELDNET='192.168.67.144/28'   # .144 - .159
JANNET='192.168.67.160/27'          # .160 - .191
SASNET='192.168.67.192/26'          # .192 - .255
################################################################################
## Here you can declare and/or read every variable you'll need in the rules ##
################################################################################
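# Fetch all IP's that are totally blocked.
# lookup_param_list is defined outside this file; it leaves its result in
# the array r, with r[0] = number of matches and r[1..N] = the values.
# The copy deliberately starts at index 0 so that blockedIP[0] carries the
# count: rules.conf loops "while j < blockedIP[0]" over blockedIP[1..N].
lookup_param_list 'blockedIP' "/etc/iceditch/params.conf"
# default to 0 so an empty lookup result cannot turn the [ -gt ] test
# below into a syntax error ("unary operator expected")
NumOfBlockedIPs=${r[0]:-0}
if [ "$NumOfBlockedIPs" -gt 0 ]; then
  for (( i = 0; i <= NumOfBlockedIPs; i++ )); do
    blockedIP[$i]=${r[$i]}
  done
fi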
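# Fetch all IPsec tunnel parameters.
# Every lookup_param_list call (defined outside this file) fills r with
# r[0] = count and r[1..N] = values. The per-tunnel arrays built here are
# 1-based (index 1..IPsecNumOfTunnels), which is what the loops in
# rules.conf expect.
lookup_param_list 'IPsecLocalLAN' "/etc/iceditch/params.conf"
# default to 0 so an empty result cannot break the [ -gt ] test
IPsecNumOfTunnels=${r[0]:-0}
if [ "$IPsecNumOfTunnels" -gt 0 ]; then
  for (( i = 1; i <= IPsecNumOfTunnels; i++ )); do
    IPsecLocalLAN[$i]=${r[$i]}
    # the local end of every tunnel is this router, so these two are
    # not read from the params file -- they are always the same
    IPsecLocalLANIP[$i]=$lanIP
    IPsecLocalWANIP[$i]=$inetIP
  done
  # NOTE(review): the two lookups below use "$PATHNAME/$PARMFILENAME"
  # while the ones above hard-code /etc/iceditch/params.conf. Kept as
  # found, but neither variable is set in this file -- confirm the
  # caller sets both, otherwise these read a different file than the
  # first two lookups.
  lookup_param_list 'IPsecRemoteWANIP' "$PATHNAME/$PARMFILENAME"
  for (( i = 1; i <= IPsecNumOfTunnels; i++ )); do
    IPsecRemoteWANIP[$i]=${r[$i]}
  done
  lookup_param_list 'IPsecRemoteLAN' "$PATHNAME/$PARMFILENAME"
  for (( i = 1; i <= IPsecNumOfTunnels; i++ )); do
    IPsecRemoteLAN[$i]=${r[$i]}
  done
fi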
File params.conf
blockedIP = 62.27.41.69 = 20060529 - adware webserver
blockedIP = 195.56.146.210 = 20060805 - forum.joomla.hu
blockedIP = 82.201.220.60 = 20070918 - messes on udp500
blockedIP = 80.73.129.193 = 20080127 - lots of NewNotSyns
IPsecRemoteNET = 'Odeon.lan' = descriptive name of the IPtunnel destination
IPsecLocalLanIP = $lanIP = the local IP address of the router
IPsecLocalLAN = $lanNET = the LAN segment we're prepared to open
IPsecLocalWANIP = $inetIP = Our own external IP for this connection
IPsecRemoteLAN = '192.168.70.0/24' = the remote LAN segment we want to reach
IPsecRemoteWANIP = '82.161.20.132' = the public IP of the remote gateway
File rules.conf
######################################################################
###                                                                ###
### 1.1 PRE_ROUTING mangle                                         ###
###                                                                ###
### use case: mark incoming packets for (outgoing) traffic control ###
###                                                                ###
######################################################################
context "PREROUTING" "mangle"
# Mark incoming ESP packets with mark "1": one rule per configured
# tunnel, matching the remote gateway as source and our own WAN
# address as destination (the tunnel arrays are 1-based, see config.conf)
for (( i = 1; i <= IPsecNumOfTunnels; i++ )); do
  mark 1 -p esp -s "${IPsecRemoteWANIP[$i]}" -d "${IPsecLocalWANIP[$i]}"
done
# default policy: accept
######################################################################
###                                                                ###
### 1.2 PRE_ROUTING nat                                            ###
###                                                                ###
### use cases:                                                     ###
###  - DNAT (incoming connects to private ip's, e.g. DMZ or svr)   ###
###  - REDIRECT (machine port redirects / transparent proxy)       ###
###                                                                ###
######################################################################
context "PREROUTING" "nat"
# let IPsec traffic bypass any SNATting: remote LAN -> local LAN,
# one rule per configured tunnel
for (( i = 1; i <= IPsecNumOfTunnels; i++ )); do
  accept -s "${IPsecRemoteLAN[$i]}" -d "${IPsecLocalLAN[$i]}"
done
# also accept all traffic marked "1" which is
# incoming ESP traffic from trusted remote IP's
# SHOULD already be handled by the default policy
accept -m mark --mark 1
# make Squid our transparent proxy: every TCP/80 connection arriving
# on the LAN interface is rewritten to Squid on this host.
# NOTE(review): there is no "! -d" exclusion, so port-80 traffic from
# LAN clients to other hosts on the LAN is proxied too -- confirm
# that is intended.
dnat to "${lanIP}:3128" -p tcp -i "$lanIF" --dport 80
# default policy: accept
######################################################################
###                                                                ###
### 2.1 FORWARD mangle                                             ###
###                                                                ###
### use case: none                                                 ###
###                                                                ###
######################################################################
# no rules for this chain; the context is still declared so the
# section is complete
context "FORWARD" "mangle"
# default policy: accept
######################################################################
###                                                                ###
### 2.2 FORWARD filter                                             ###
###                                                                ###
### use case: filter traffic forwarded between networks            ###
###                                                                ###
### ATTENTION please: choose an appropriate forwarding policy      ###
###   o no forwarding:        0 > ip_forward                       ###
###   o untrusted forwarding: filter ports + egress ip             ###
###   o trusted forwarding:   filter only egress ip                ###
###                                                                ###
######################################################################
context "FORWARD" "filter"
# upfront blocking of all banned IP's: blockedIP[0] is the count,
# blockedIP[1..N] the addresses. Packets from a banned host are
# dropped silently, packets towards one are dropped and logged.
for (( j = 1; j <= blockedIP[0]; j++ )); do
  drop -s "${blockedIP[$j]}"
  drop log msg "Banned_IP_$j" -d "${blockedIP[$j]}"
done
# drop some nasty P2P calls
reject with host-prohib -p tcp --dport 13830
# Connection tracking for forwarding
accept -m state --state ESTABLISHED,RELATED
# drop new-not-syn
drop log msg FORWARD_NewNotSYN -p tcp ! --syn -m state --state NEW
# let IPsec traffic through in both directions for every configured
# tunnel -- except that FRESHFIELDNET is kept out of the tunnels,
# which is why its drop precedes the accepts
for (( i = 1; i <= IPsecNumOfTunnels; i++ )); do
  drop -s "$FRESHFIELDNET" -d "${IPsecRemoteLAN[$i]}"
  accept -s "${IPsecLocalLAN[$i]}" -d "${IPsecRemoteLAN[$i]}"
  accept -s "${IPsecRemoteLAN[$i]}" -d "${IPsecLocalLAN[$i]}"
done
# Allow Yodi's mail (pop3.zonnet.nl + mail.descartes.nl + wissit.com/mail.wissit.nl)
accept -p tcp -d 62.58.50.236 --dport 110
accept -p tcp -d 213.196.12.29 --dport 110
accept -p tcp -d 194.121.181.250 --dport 25
# Allow MPPE-traffic from inside to outside
accept -p 47
# Specifically block certain ports out to the Internet
# Mainly mail, DNS and NTP -- the three mail servers above are the
# only exceptions, hence they are listed before these drops
drop -p tcp -m multiport --dport 25,53,110,123
drop -p udp -m multiport --dport 53,123
# Generic TCP traffic allowed out to the Internet: everything else
# note: return traffic is handled by connection tracking
accept -p tcp -s "$lanNET"
accept -p udp -s "$lanNET"
# Allowing full ICMP between inside and outside
accept -p icmp -s "$lanNET"
# default policy: drop
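######################################################################
###                                                                ###
### 3.2 INPUT filter                                               ###
###                                                                ###
### use case: filter incoming traffic directed at machine host     ###
###                                                                ###
######################################################################
context "INPUT" "filter"
# upfront blocking of all banned IP's
# (blockedIP[0] holds the count, blockedIP[1..N] the addresses)
for (( j = 1; j <= blockedIP[0]; j++ )); do
  drop -s "${blockedIP[$j]}"
done
# Spoofed IP protect
# a bit superfluous, since rp_filter (Source Address Verification) can
# be turned on in /proc/sys...
# drop log msg Local_IP_from_Inet_192 -i $inetIF -s 192.168.0.0/16
# drop log msg Local_IP_from_Inet_10 -i $inetIF -s 10.0.0.0/8
# drop log msg Local_IP_from_Inet_172 -i $inetIF -s 172.16.0.0/12
# drop some nasty P2P calls
reject with host-prohib -p tcp --dport 13830
# drop new-not-syn: a TCP packet that would open a NEW conntrack entry
# without SYN set is never a legitimate connection start
drop log msg INPUT_NewNotSYN -p tcp ! --syn -m state --state NEW
# Connection tracking for incoming traffic: replies to flows this host
# started itself are accepted here, so the rules further down only
# have to cover NEW connections
accept -m state --state ESTABLISHED,RELATED
# Drop different attacks:
# Xmas scan
drop log msg Xmas_scan -i "$inetIF" -p tcp --tcp-flags ALL FIN,URG,PSH
drop log msg Xmas_scan -i "$inetIF" -p tcp --tcp-flags ALL ALL
# Stealth scan
drop log msg Stealth_scan -i "$inetIF" -p tcp --tcp-flags SYN,ACK,FIN,RST RST
drop log msg Stealth_scan -i "$inetIF" -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG
drop log msg Stealth_scan -i "$inetIF" -p tcp --tcp-flags ALL NONE
# SYN,RST scan
drop log msg SYN/RST_scan -i "$inetIF" -p tcp --tcp-flags SYN,RST SYN,RST
# SYN,FIN scan
drop log msg SYN/FIN_scan -i "$inetIF" -p tcp --tcp-flags SYN,FIN SYN,FIN
# drop SSH connections if they're spurious (more than 2 attempts per minute)
# The first rule only records the source address in the "recent" list
# SSHERS; the second drops the 3rd and later NEW connections seen from
# that source within 60 seconds. "--update" refreshes the timestamp on
# every hit, so a source that keeps retrying stays locked out.
nojump -p tcp --dport 22 -i "$inetIF" -m state --state NEW -m recent --name SSHERS --set
drop -p tcp --dport 22 -i "$inetIF" -m state --state NEW -m recent --name SSHERS --update --seconds 60 --hitcount 3
# accept SSH from all sides
accept -p tcp --dport 22
# accept IKE traffic from everyone including NAT-T
accept -p udp --sport 500 --dport 500
accept -p udp --sport 4500 --dport 4500
# accept ESP traffic from everyone
# accept -p esp
# accept all traffic marked "1", which is
# incoming ESP traffic from trusted remote IP's
# (the mark is set in PREROUTING mangle, per configured tunnel peer)
accept -m mark --mark 1
# accept PPTP control connections (MPPTP) to this machine from the Internet
accept -p tcp --dport 1723
# accept -i $inetIF -p 47
accept -p 47
# This might be needed for 2 simultaneous connections to a local PPTP server??
#accept -i ppp0
#accept -o ppp0
#accept -i ppp1
#accept -o ppp1
# accepting ICMP traffic from the inside
accept -i "$lanIF" -p icmp
# accepting ICMP traffic from the Internet side
# NOTE(review): every ICMP type is accepted from the Internet. ICMP
# errors that belong to our own flows are RELATED and already pass the
# state rule above, so the per-type variant kept below (commented out)
# would be enough if only echo-request has to stay reachable.
accept -i "$inetIF" -p icmp
#accept -i $inetIF -p icmp --icmp-type echo-request;
#accept -i $inetIF -p icmp --icmp-type ttl-exceeded;
#accept -i $inetIF -p icmp --icmp-type destination-unreachable;
# Generic TCP traffic from the LAN to this machine
#  20 = FTP data    135 = DCE Endpoint Resolution
#  21 = FTP         137 = NetBIOS Name Service
#  22 = SSH         138 = NetBIOS Datagram Service
#  25 = SMTP        139 = NetBIOS Session Service
#  53 = DNS
#  80 = HTTP
# 110 = POP3
accept -p tcp -i "$lanIF" -m multiport --dport 20,21,22,25,53,80,110,135,137,138,139
# 143 = IMAP        993 = IMAP4 over TLS
# 443 = HTTPS       995 = POP3 over TLS
# 445 = CIFS       3128 = Squid access
# 631 = CUPS admin 3306 = MySQL port
# 901 = SWAT
accept -p tcp -i "$lanIF" -m multiport --dport 143,443,445,631,901,993,995,3128,3306
# Generic TCP traffic from the Internet to this machine
#  25 = SMTP        443 = HTTPS
#  53 = DNS         993 = IMAP4 over TLS
#  80 = HTTP        995 = POP3 over TLS
# 110 = POP3
# 143 = IMAP
accept -p tcp -i "$inetIF" -m multiport --dport 25,53,80,110,143,443,993,995
# Generic UDP traffic from the LAN to this machine
#  53 = DNS         137 = NetBIOS Name Service
# 123 = NTP         138 = NetBIOS Datagram Service
#                   139 = NetBIOS Session Service
accept -p udp -i "$lanIF" -m multiport --dport 53,123,137,138,139
# Generic UDP traffic from the Internet to this machine
#  53 = DNS         123 = NTP
accept -p udp -i "$inetIF" -m multiport --dport 53,123
# Replies to our own DNS and NTP queries are UDP flows conntrack has
# already seen, so they match the ESTABLISHED rule above. A bare
# "--sport 53,123" accept would instead admit any packet that merely
# claims source port 53 or 123 to every UDP port on this host,
# sidestepping the --dport lists above; it is therefore left out.
# accept -p udp -i $inetIF -m multiport --sport 53,123
# default policy: drop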
######################################################################
###                                                                ###
### 4.1 OUTPUT mangle                                              ###
###                                                                ###
### use case: mark locally generated traffic for traffic control   ###
###                                                                ###
######################################################################
context "OUTPUT" "mangle"
# Mark all outgoing ESP packets to trusted IP's with mark "2"
# (one rule per configured tunnel peer)
for (( i = 1; i <= IPsecNumOfTunnels; i++ )); do
  mark 2 -p esp -d "${IPsecRemoteWANIP[$i]}"
done
# default policy: accept
######################################################################
###                                                                ###
### 4.2 OUTPUT nat                                                 ###
###                                                                ###
### use cases:                                                     ###
###  - DNAT locally generated traffic (e.g. tunnel encapsulation)  ###
###  - REDIRECT port redirects (???)                               ###
###                                                                ###
######################################################################
context "OUTPUT" "nat"
# Trusted outgoing ESP packets carry mark "2" (set in OUTPUT mangle).
# Nothing in this chain rewrites them, so no bypass rule is needed;
# the rule is kept here, disabled, for when a NAT rule gets added.
# accept -m mark --mark 2
# default policy: accept
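######################################################################
###                                                                ###
### 4.3 OUTPUT filter                                              ###
###                                                                ###
### use case: filter locally generated traffic                     ###
###                                                                ###
######################################################################
context "OUTPUT" "filter"
# upfront blocking of all banned IP's
# (blockedIP[0] holds the count, blockedIP[1..N] the addresses)
for (( j = 1; j <= blockedIP[0]; j++ )); do
  drop log msg "Banned_IP_$j" -d "${blockedIP[$j]}"
done
# accept trusted outgoing ESP packages, which are marked "2"
accept -m mark --mark 2
# Log (and accept) traffic towards the Odeon tunnel network.
# These have to precede the per-interface catch-alls below: the first
# matching rule wins, so placed after "accept -p tcp -o $inetIF" they
# were never reached for packets leaving via lanIF or inetIF.
# (192.168.70.0/24 is the IPsecRemoteLAN value from params.conf,
# hard-coded here rather than taken from the tunnel arrays.)
accept log msg odeon_output -p tcp -d 192.168.70.0/24
accept log msg odeon_output -p udp -d 192.168.70.0/24
# assume ALL traffic from the server to the LAN is safe
accept -p tcp -o "$lanIF"
accept -p udp -o "$lanIF"
# for convenience, let's for now assume all traffic from
# the server to the Internet is safe as well....
accept -p tcp -o "$inetIF"
accept -p udp -o "$inetIF"
accept -p 47
accept -p icmp
# default policy: drop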
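######################################################################
###                                                                ###
### 5.1 POSTROUTING mangle                                         ###
###                                                                ###
### use case: set TOS on outgoing packets to guide other routers   ###
###                                                                ###
######################################################################
context "POSTROUTING" "mangle"
# Classify traffic for the traffic-control classes: x:11 for JANNET,
# x:12 for FRESHFIELDNET (1:x = source in the subnet and destination
# outside the LAN, 2:x = the reverse), and 2:99 for LAN-to-LAN traffic.
# Negations use the extrapositioned form ("! -d"), the same form the
# POSTROUTING nat section uses for "! --src"; the older "-d !" form is
# deprecated in iptables and newer releases warn about or refuse it.
classify 1:11 -s "$JANNET" ! -d "$lanNET"
classify 2:11 -d "$JANNET" ! -s "$lanNET"
classify 1:12 -s "$FRESHFIELDNET" ! -d "$lanNET"
classify 2:12 -d "$FRESHFIELDNET" ! -s "$lanNET"
classify 2:99 -s "$lanNET" -d "$lanNET"
# default policy: accept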
######################################################################
###                                                                ###
### 5.2 POSTROUTING nat                                            ###
###                                                                ###
### use cases                                                      ###
###  - SNAT hide LAN ip range behind public ip facade              ###
###  - MASQUERADE on dynamic ip dialup interface only              ###
###                                                                ###
######################################################################
context "POSTROUTING" "nat"
# let trusted IPsec traffic bypass the NATting: local LAN -> remote
# LAN, one rule per configured tunnel
for (( i = 1; i <= IPsecNumOfTunnels; i++ )); do
  accept -s "${IPsecLocalLAN[$i]}" -d "${IPsecRemoteLAN[$i]}"
done
# and accept trusted outgoing ESP packages, which are marked "2",
# which also need to bypass the NATting
accept -m mark --mark 2
# This machine is a NAT router, so sourcenat over the designated
# NAT interface using the designated NAT IP address, EXCEPT for
# traffic that originates from the machine itself
snat to "$natIP" -o "$natIF" ! --src "$natIP"
# default policy: accept