############################### filtering ##############################
#
# set table to 'filter'
table filter

# default filter policy is to DENY
policy all DENY

# build generic iface-in,iface-fwd,iface-out chains
build from list interfaces chain {interfaces}-in
build from list interfaces chain {interfaces}-fwd
build from list interfaces chain {interfaces}-out

chain INPUT
    build from list interfaces rule {interfaces}-in device in {interfaces}
chain OUTPUT
    build from list interfaces rule {interfaces}-out device out {interfaces}
chain FORWARD
    build from list interfaces rule {interfaces}-fwd device in {interfaces}

# main local 'accepts' filter chain
# applied to INPUT packets from untrusted sources
chain accepts
    build from list inet-proto-in rule ACCEPT proto {inet-proto-in}
    build from list inet-tcp-in rule ACCEPT proto tcp \
        dest port {inet-tcp-in}
    build from list inet-udp-in rule ACCEPT proto udp \
        dest port {inet-udp-in}
    rule ACCEPT state RELATED,ESTABLISHED

### helper chains
#
# chains to reject/drop packets to/from ports we don't want going to/from inet
chain dropports-dst
    build from list inet-tcp-drop rule DROP proto tcp \
        dest port {inet-tcp-drop}
    build from list inet-udp-drop rule DROP proto udp \
        dest port {inet-udp-drop}
chain dropports-src
    build from list inet-tcp-drop rule DROP proto tcp \
        src port {inet-tcp-drop}
    build from list inet-udp-drop rule DROP proto udp \
        src port {inet-udp-drop}
chain dropports
    rule dropports-dst
    rule dropports-src
#
chain rejectports-dst
    build from list inet-tcp-drop rule REJECT proto tcp \
        dest port {inet-tcp-drop} \
        reject with icmp-net-prohibited
    build from list inet-udp-drop rule REJECT proto udp \
        dest port {inet-udp-drop} \
        reject with icmp-net-prohibited
chain rejectports-src
    build from list inet-tcp-drop rule REJECT proto tcp \
        src port {inet-tcp-drop} \
        reject with icmp-net-prohibited
    build from list inet-udp-drop rule REJECT proto udp \
        src port {inet-udp-drop} \
        reject with icmp-net-prohibited
chain rejectports
    rule rejectports-dst
    rule rejectports-src

# chains to accept traffic sourced from / destined to private internal addresses
chain accept-private-dest
    build from list privatenets rule ACCEPT dest {privatenets}
chain accept-private-src
    build from list privatenets rule ACCEPT src {privatenets}
chain accept-private
    rule accept-private-dest
    rule accept-private-src

##
# chains to reject/drop traffic destined to / coming from
# private internal addresses
chain drop-private-dest
    build from list privatenets rule DROP dest {privatenets}
chain drop-private-src
    build from list privatenets rule DROP src {privatenets}
chain drop-private
    rule drop-private-src
    rule drop-private-dest

chain reject-private-dest
    build from list privatenets rule REJECT dest {privatenets} \
        reject with icmp-net-prohibited
chain reject-private-src
    build from list privatenets rule REJECT src {privatenets} \
        reject with icmp-net-prohibited
chain reject-private
    rule reject-private-src
    rule reject-private-dest

#
# chain to catch common attacks/probes
# NB: these rules only LOG (rate limited); the packet carries on to the next
# rule of the calling chain, so the decision is made there, not here.
# flags syntax is MASK COMP: of the flags in MASK, exactly COMP must be set.
chain attacks
    rule LOG prot tcp flags ALL ALL \
        limit 5/min burst 5 level debug prefix 'Merry-XMAS:'
    rule LOG prot tcp flags ALL FIN,PSH,URG \
        limit 5/min burst 5 level debug prefix 'NMAP-XMAS:'
    rule LOG prot tcp flags ALL FIN,SYN,RST,ACK,URG \
        limit 5/min burst 5 level debug prefix 'XMAS-PSH:'
    rule LOG prot tcp flags SYN,RST SYN,RST \
        limit 5/min burst 5 level debug prefix 'SYN/RST:'
    rule LOG prot tcp flags FIN,SYN FIN,SYN \
        limit 5/min burst 5 level debug prefix 'FIN/SYN:'
    # option N matches TCP option kind N (unassigned kinds), not a flag bit
    rule LOG prot tcp option 64 \
        limit 5/min burst 5 level debug prefix 'Bogus TCP OPTION 64:'
    rule LOG prot tcp option 128 \
        limit 5/min burst 5 level debug prefix 'Bogus TCP OPTION 128:'
#
# our main INPUT filter for external ifaces
chain infilter
    rule attacks
    rule accepts
    rule LOG limit 10/min burst 5 level debug prefix 'infilter end: '
#
# trusted chain - almost no limits
chain trusted
    rule ACCEPT prot icmp
    rule DROP state INVALID
    rule ACCEPT
#
####
## chains to filter forwarding on transit/external/dmz links
#
# we can't do the usual good firewalling thing and ACCEPT just a small
# list of known ports because other internet connected hosts are using
# this link and need almost full access - we can't tell what they want to
# send or receive. further we can't depend on connection tracking because
# of asymmetric routing.
# so this becomes fun.
#
# the cleanest answer is to have a second set of separate links for
# internal traffic UK<->DUB, not going to happen. We should possibly
# get a second set of machines in UK, then use VPNs for internal traffic
# but routing issues could complicate use of VPNs for internal transit
#
chain ext-to-dmz
#    rule drop-private-dest
#    rule drop-private-src
    rule drop-private
    # everything reject-private could match has already been dropped above
    rule reject-private
#    rule dropports-dst
    rule rejectports-dst
    # anti-spoofing: our own public prefixes must never arrive from outside
    build from list publicnets rule REJECT source {publicnets}
    rule attacks
    build from list publicnets rule ACCEPT dest {publicnets}
    # conntrack only helps where this link sees both directions (see above)
    rule ACCEPT state ESTABLISHED,RELATED
    rule REJECT reject with icmp-net-prohibited
chain ext-to-int
    build from list publicnets rule REJECT source {publicnets}
    build from list privatenets rule REJECT source {privatenets}
    rule ACCEPT state ESTABLISHED,RELATED
    rule REJECT reject with icmp-net-prohibited
chain ext-to-transit
    rule drop-private-dest
    rule drop-private-src
    build from list publicnets rule REJECT source {publicnets}
    rule dropports-dst
    rule attacks
    build from list publicnets rule ACCEPT dest {publicnets}
    rule ACCEPT state ESTABLISHED,RELATED
    rule REJECT reject with icmp-net-prohibited
chain dmz-to-ext
    rule drop-private-src
    rule drop-private-dest
    build from list publicnets rule REJECT dest {publicnets}
    rule dropports-src
    build from list publicnets rule ACCEPT source {publicnets}
    rule REJECT reject with icmp-net-prohibited
chain dmz-to-int
    rule attacks
    rule accept-private-src
    rule ACCEPT state ESTABLISHED,RELATED
    rule REJECT reject with icmp-net-prohibited
chain dmz-to-transit
    rule attacks
    rule ACCEPT
chain transit-to-dmz
    rule attacks
    rule ACCEPT
chain transit-to-ext
    rule dropports-src
    build from list publicnets rule REJECT dest {publicnets}
    rule attacks
    rule ACCEPT
chain transit-to-int
    rule accept-private-src
    rule ACCEPT state RELATED,ESTABLISHED
    rule dropports-src
    rule dropports-dst
    build from list publicnets rule ACCEPT source {publicnets}
    rule REJECT reject with icmp-net-prohibited

#### attach our filter chains to our per interface chains
# intdevs in/forward - trusted
build from list intdevs attach trusted to {intdevs}-in
build from list intdevs attach trusted to {intdevs}-fwd
# filter INPUT for 'filterdevs' - attach infilter chain
build from list filterdevs attach infilter to {filterdevs}-in

##### non-trusted forwarding
#
# aim is to have a chain for each combination of
#     ext,dmz,transit
# forwarding to
#     transit,internal,dmz,ext
# in device == out device excepted, obviously.
#
# source external
build from list extdevs \
    build from list dmzdevs \
    attach ext-to-dmz to {extdevs}-fwd dev out {dmzdevs}
build from list extdevs \
    build from list transitdevs \
    attach ext-to-transit to {extdevs}-fwd dev out {transitdevs}
build from list extdevs \
    build from list intdevs \
    attach ext-to-int to {extdevs}-fwd dev out {intdevs}
# source dmz
build from list dmzdevs \
    build from list extdevs \
    attach dmz-to-ext to {dmzdevs}-fwd dev out {extdevs}
build from list dmzdevs \
    build from list intdevs \
    attach dmz-to-int to {dmzdevs}-fwd dev out {intdevs}
build from list dmzdevs \
    build from list transitdevs \
    attach dmz-to-transit to {dmzdevs}-fwd dev out {transitdevs}
# source transit
build from list transitdevs \
    build from list extdevs \
    attach transit-to-ext to {transitdevs}-fwd dev out {extdevs}
build from list transitdevs \
    build from list intdevs \
    attach transit-to-int to {transitdevs}-fwd dev out {intdevs}
build from list transitdevs \
    build from list dmzdevs \
    attach transit-to-dmz to {transitdevs}-fwd dev out {dmzdevs}
#
# finally, LOG and REJECT any traffic that has gotten this far (it means
# there's a hole in the FORWARD chain)
chain FORWARD
    rule LOG limit 10/min burst 5 level debug prefix 'FORWARD end: '
    rule REJECT reject with icmp-net-prohibited
####
# we don't filter output (yet)
build from list interfaces attach trusted to {interfaces}-out
#
#######################################################################

################################## NAT #################################
#
table nat
#
# chain to nat packets which are:
#  - not to intranet addresses.
#  - not to disallowed ports
#  - from allowed prefixes
# (RETURN leaves the chain without translating; only the final SNAT rule
#  rewrites the source address)
chain nat-private-to-ext
    build from list alphyranets rule RETURN dest {alphyranets}
    build from list prefix-no-nat rule RETURN src {prefix-no-nat}
    build from list tcp-port-no-nat rule RETURN \
        prot tcp dst port {tcp-port-no-nat}
    build from list udp-port-no-nat rule RETURN \
        prot udp dst port {udp-port-no-nat}
    build from list prefix-nat \
        build from list nat-addr \
        rule SNAT src {prefix-nat} \
        nat {nat-addr}
#
chain POSTROUTING
#
# nat if the packet leaves via a natdevs interface from a privatenets source
build from list natdevs \
    build from list privatenets \
    rule nat-private-to-ext device out {natdevs} \
    source {privatenets}

table mangle
chain OUTPUT
    rule TOS prot tcp dest port telnet tos Minimize-Delay
    rule TOS prot tcp src port telnet tos Minimize-Delay
    rule TOS prot tcp dest port ssh tos Minimize-Delay
    rule TOS prot tcp src port ssh tos Minimize-Delay
    rule TOS prot tcp dest port www tos Minimize-Delay
    rule TOS prot tcp src port www tos Minimize-Delay
    rule TOS prot tcp dest port pop-3 tos Maximize-Reliability
    rule TOS prot tcp dest port ircd tos Minimize-Delay
    rule TOS prot tcp dest port smtp tos Maximize-Throughput
    rule TOS prot tcp src port smtp tos Maximize-Throughput
    rule TOS prot tcp dest port rsync tos Maximize-Throughput
#
#########################################################################
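The `flags MASK COMP` matches in the `attacks` chain follow iptables' `--tcp-flags` semantics: of the flags named in MASK, exactly those in COMP must be set, and bits outside MASK are ignored. Because LOG is a non-terminating target, one packet can trip several of these rules, each under its own rate limit. The following is an added example, not part of this ruleset or of the tool that consumes it; it re-implements that match in Python over the five flag signatures above and runs it against constructed sample packets (nmap's -sX probe, a normal SYN, a packet with every flag set).

```python
"""iptables `--tcp-flags MASK COMP` semantics applied to the `attacks`
chain signatures. Added example; the signatures are copied from the
ruleset, the sample packets below are constructed."""

# flag bits as carried in the TCP header byte; iptables' ALL is this set of six
FLAG_BITS = {"FIN": 0x01, "SYN": 0x02, "RST": 0x04,
             "PSH": 0x08, "ACK": 0x10, "URG": 0x20}
ALL = 0x3F


def flagset(spec):
    """'FIN,PSH,URG', 'ALL' or 'NONE' -> bitmask."""
    if spec == "ALL":
        return ALL
    if spec == "NONE":
        return 0
    return sum(FLAG_BITS[f] for f in spec.split(","))


def tcp_flags_match(flags, mask, comp):
    """True iff, among the flags in MASK, exactly those in COMP are set.
    Flags outside MASK do not influence the result (iptables behaviour)."""
    return (flags & flagset(mask)) == flagset(comp)


# (log prefix, MASK, COMP) exactly as written in `chain attacks`
ATTACK_SIGNATURES = [
    ("Merry-XMAS:", "ALL", "ALL"),
    ("NMAP-XMAS:", "ALL", "FIN,PSH,URG"),
    ("XMAS-PSH:", "ALL", "FIN,SYN,RST,ACK,URG"),
    ("SYN/RST:", "SYN,RST", "SYN,RST"),
    ("FIN/SYN:", "FIN,SYN", "FIN,SYN"),
]


def log_prefixes(flags):
    """Every LOG rule in `attacks` that fires for a packet with these flags.
    LOG does not stop rule traversal, so all matching prefixes are returned."""
    return [p for p, m, c in ATTACK_SIGNATURES if tcp_flags_match(flags, m, c)]


def packet(*names):
    """Build a flags byte from flag names, e.g. packet('FIN','PSH','URG')."""
    return sum(FLAG_BITS[n] for n in names)


if __name__ == "__main__":
    samples = {
        "nmap -sX probe": packet("FIN", "PSH", "URG"),
        "normal SYN": packet("SYN"),
        "SYN/ACK": packet("SYN", "ACK"),
        "all flags set": packet("FIN", "SYN", "RST", "PSH", "ACK", "URG"),
        "SYN+RST": packet("SYN", "RST"),
    }
    for name, flags in samples.items():
        print("%-16s flags=0x%02x -> %s" % (name, flags, log_prefixes(flags)))
```

Note that the SYN/RST and FIN/SYN rules use a narrow mask, so they also fire on the all-flags packet that Merry-XMAS already logs; if that is unwanted, the mask must include the other flags so that they are required to be clear.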
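A ruleset built from helper chains and `attach` statements fails quietly when a name is misspelt: a `rule` that names a chain that is never defined, or a per-direction chain that is defined but never attached, leaves a forwarding path to the catch-all LOG/REJECT at the end of FORWARD instead of the intended filter. The lint below is an added example, not the page's own tooling; it assumes only the grammar visible in the file (`table`, `policy`, `chain NAME`, `rule TARGET ...`, `attach NAME to CHAIN ...`, backslash continuations, `#` comments, and `build from list L ...` prefixes that expand `{L}` per list member), and the list contents and the condensed sample ruleset in it are constructed to reproduce the bug patterns this kind of file is prone to.

```python
"""Cross-reference lint for the chain/attach ruleset DSL.

Added example, not part of the original ruleset or of the tool that
compiles it. Grammar assumptions are those stated in the lead-in; list
contents (interfaces etc.) must be supplied by the caller, since the DSL
file only names them.
"""
import itertools

BUILTIN_TARGETS = {"ACCEPT", "DROP", "REJECT", "LOG", "RETURN", "SNAT", "TOS"}
BUILTIN_CHAINS = {"INPUT", "OUTPUT", "FORWARD", "PREROUTING", "POSTROUTING"}
VERBS = {"table", "policy", "chain", "rule", "attach"}


def logical_lines(text):
    """Yield token lists, joining backslash continuations and dropping
    comments and blank lines."""
    buf = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if line.endswith("\\"):
            buf.append(line[:-1])
            continue
        buf.append(line)
        tokens = " ".join(buf).split()
        buf = []
        if tokens:
            yield tokens
    if buf and " ".join(buf).split():
        yield " ".join(buf).split()


def expand(tokens, lists):
    """Peel `build from list L` prefixes and substitute {L} for every
    combination of list members. An unknown list is left unexpanded so the
    template name itself is still cross-checked."""
    names = []
    while tokens[:3] == ["build", "from", "list"]:
        names.append(tokens[3])
        tokens = tokens[4:]
    stmt = " ".join(tokens)
    members = [lists.get(n, ["{%s}" % n]) for n in names]
    for combo in itertools.product(*members):
        out = stmt
        for n, v in zip(names, combo):
            out = out.replace("{%s}" % n, v)
        yield out.split()


def lint(text, lists):
    """Return a list of human-readable problems: unknown verbs, references
    to undefined chains, and chains defined but never reached."""
    defined = set(BUILTIN_CHAINS)
    referenced = {}          # chain name -> where it is used from
    problems = []
    current = None           # chain currently being defined
    for tokens in logical_lines(text):
        for stmt in expand(tokens, lists):
            verb = stmt[0]
            if verb == "chain":
                current = stmt[1]
                defined.add(current)
            elif verb == "rule":
                if stmt[1] not in BUILTIN_TARGETS:   # jump to a user chain
                    referenced.setdefault(stmt[1], []).append(str(current))
            elif verb == "attach":                   # attach NAME to CHAIN ...
                referenced.setdefault(stmt[1], []).append(stmt[3])
                referenced.setdefault(stmt[3], []).append("attach")
            elif verb not in VERBS:
                problems.append("unknown verb %r in: %s" % (verb, " ".join(stmt)))
    for name, where in sorted(referenced.items()):
        if name not in defined:
            problems.append("chain %r used from %s but never defined"
                            % (name, sorted(set(where))))
    for name in sorted(defined - BUILTIN_CHAINS - set(referenced)):
        problems.append("chain %r defined but never used (unreachable)" % name)
    return problems


# constructed sample: a misspelt helper, a typo'd verb, an unattached chain
SAMPLE = """
table filter
build from list interfaces chain {interfaces}-fwd
chain FORWARD
    build from list interfaces rule {interfaces}-fwd device in {interfaces}
chain drop-private-src
    build from list privatenets rule DROP src {privatenets}
chain dmz-to-ext
    rule drop-private-source
    rule REJECT reject with icmp-net-prohibited
chain dmz-to-transit
    rule ACCEPT
chain transit-to-int
    rule ACCEPT
build from list transitdevs \\
    build from list intdevs \\
    fwd transit-to-int to {transitdevs}-fwd dev out {intdevs}
"""
LISTS = {"interfaces": ["eth0", "eth1", "eth2"], "privatenets": ["10.0.0.0/8"],
         "transitdevs": ["eth2"], "intdevs": ["eth0"]}

if __name__ == "__main__":
    for p in lint(SAMPLE, LISTS):
        print(p)
```

Run it over the real file with the real list contents before loading a ruleset; anything the lint reports as unreachable is traffic that will fall through to the final FORWARD LOG/REJECT rather than the chain you meant.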