### definitions

# all interfaces
list interfaces ppp+ eth0 tap+ lo cipcb+ ippp+ sit+ tun6to4 sixxs

# trusted interfaces
list trust eth0 cipcb+ lo

# interfaces to filter
list filter ppp+ ippp+

# source networks to masq
list masqnets 192.168.0.0/16 10.0.0.0/8 172.16.0.0/12

# interfaces to masquerade on
list masqdevs ppp+

# udp/tcp destination ports and protocols to accept
list accept-tcp-dst-ports webcache finger smtp auth ssh http domain \
    6346 telnet
list accept-udp-dst-ports isakmp talk ntalk ntp domain syslog
list accept-protos-4 ipv6 ipv6-route ipv6-frag ipv6-crypt ipv6-auth \
    ipv6-nonxt ipv6-opts ipv6-icmp icmp
list accept-protos-6 icmpv6

### filtering rules

table filter
policy all DENY

# setup the device specific chains
build from list interfaces chain {interfaces}-in
build from list interfaces chain {interfaces}-fwd
build from list interfaces chain {interfaces}-out

chain INPUT
build from list interfaces rule {interfaces}-in device in {interfaces}

chain OUTPUT
build from list interfaces rule {interfaces}-out device out {interfaces}

chain FORWARD
build from list interfaces rule {interfaces}-fwd device in {interfaces}

# only uid paul may open local connections to ports 12222-12229
chain ssh-owner
rule RETURN proto not tcp
rule RETURN proto tcp dest ports 0:12221
rule RETURN proto tcp dest ports 12230:65535
rule ACCEPT proto tcp owner uid paul
rule DROP
attach ssh-owner to lo-out

# setup the accepting chain
chain accepts
build from list accept-protos-4 \
    rule ACCEPT proto {accept-protos-4}
build from list accept-tcp-dst-ports \
    rule ACCEPT proto tcp dest port {accept-tcp-dst-ports}
build from list accept-udp-dst-ports \
    rule ACCEPT proto udp dest port {accept-udp-dst-ports}
rule ACCEPT state RELATED,ESTABLISHED

# catch some common nmap scans (log only, rate limited)
chain attacks
rule LOG prot tcp flags ALL ALL \
    limit rate 5/min burst 5 level debug prefix 'Merry-XMAS:'
rule LOG prot tcp flags ALL FIN,PSH,URG \
    limit rate 5/min burst 5 level debug prefix 'NMAP-XMAS:'
rule LOG prot tcp flags ALL FIN,SYN,RST,ACK,URG \
    limit rate 5/min burst 5 level debug prefix 'XMAS-PSH:'
rule LOG prot tcp flags SYN,RST SYN,RST \
    limit rate 5/min burst 5 level debug prefix 'SYN/RST:'
rule LOG prot tcp flags FIN,SYN FIN,SYN \
    limit rate 5/min burst 5 level debug prefix 'FIN/SYN:'
rule LOG prot tcp option 64 \
    limit rate 5/min burst 5 level debug prefix 'Bogus TCP FLAG 64:'
rule LOG prot tcp option 128 \
    limit rate 5/min burst 5 level debug prefix 'Bogus TCP FLAG 128:'

# the top level filtering rule (anything not accepted falls through to the DENY policy)
chain infilter
rule attacks
rule accepts
rule LOG limit rate 4/min burst 5 level debug prefix 'infilter end: '

# trusted chain
chain trusted
rule ACCEPT prot icmp
rule DROP state INVALID
rule ACCEPT

# chain to apply to filter interfaces, but for forwarding
chain inetfwd
rule infilter

build from list trust attach trusted to {trust}-in
build from list trust attach trusted to {trust}-fwd
build from list filter attach infilter to {filter}-in
build from list filter attach inetfwd to {filter}-fwd
build from list interfaces attach trusted to {interfaces}-out

### nat

table nat
chain POSTROUTING
build from list masqdevs \
    build from list masqnets \
    rule MASQUERADE device out {masqdevs} source {masqnets}

### some cheap and not terribly useful TOS manglement

table mangle
chain OUTPUT
rule TOS prot tcp dest port telnet tos Minimize-Delay
rule TOS prot tcp dest port ssh tos Minimize-Delay
rule TOS prot tcp dest port www tos Maximize-Reliability
rule TOS prot tcp dest port pop-3 tos Minimize-Cost
rule TOS prot tcp dest port ircd tos Minimize-Delay
rule TOS prot tcp dest port smtp tos Minimize-Cost
rule TOS prot tcp dest port 6346 tos Minimize-Cost
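The "build from list" lines above are templates that the config's generator expands, and nested ones (as in the nat section) expand to a cross product. As an added example that is not the generator's own code, here is a small Python expander that models that reading of the syntax and renders each expanded "rule" line into the iptables command it corresponds to; the keyword-to-option mapping in MATCH/TARGET and the names expand and to_iptables are assumptions made for this illustration.

```python
import itertools
import shlex

# Assumed keyword-to-iptables mapping for the rule forms used in the config.
MATCH = {   # keyword -> (args consumed, match options placed before -j)
    "prot":   (1, lambda a: ["-p", a[0]]),
    "proto":  (1, lambda a: ["-p", a[0]]),
    "dest":   (2, lambda a: ["--dport", a[1]]),          # dest port(s) N
    "device": (2, lambda a: ["-i" if a[0] == "in" else "-o", a[1]]),
    "source": (1, lambda a: ["-s", a[0]]),
    "flags":  (2, lambda a: ["--tcp-flags", a[0], a[1]]),
    "option": (1, lambda a: ["--tcp-option", a[0]]),
    "state":  (1, lambda a: ["-m", "state", "--state", a[0]]),
    "owner":  (2, lambda a: ["-m", "owner", "--uid-owner", a[1]]),
    "limit":  (4, lambda a: ["-m", "limit", "--limit", a[1], "--limit-burst", a[3]]),
}
TARGET = {  # keyword -> (args consumed, target options placed after -j)
    "level":  (1, lambda a: ["--log-level", a[0]]),
    "prefix": (1, lambda a: ["--log-prefix", a[0]]),
    "tos":    (1, lambda a: ["--set-tos", a[0]]),
}

def expand(lists, line):
    """Yield the concrete bodies of a (possibly nested) 'build from list' line:
    each prefix iterates its list, nested prefixes form a cross product, and
    every '{NAME}' in the body is replaced per item."""
    names, rest = [], " ".join(t for t in line.split() if t != "\\")  # drop '\' continuations
    while rest.startswith("build from list "):
        name, _, rest = rest[len("build from list "):].partition(" ")
        names.append(name)
    for combo in itertools.product(*(lists[n] for n in names)):
        body = rest
        for name, value in zip(names, combo):
            body = body.replace("{" + name + "}", value)
        yield body

def to_iptables(table, chain, body):
    """Render one 'rule TARGET [keyword args ...]' body as an iptables argv."""
    tok = shlex.split(body)
    assert tok[0] == "rule", body
    target, args, matches, topts = tok[1], tok[2:], [], []
    while args:
        key = args.pop(0)
        neg = ["!"] if args[:1] == ["not"] else []   # 'proto not tcp' -> '! -p tcp'
        del args[:len(neg)]
        n, render = MATCH[key] if key in MATCH else TARGET[key]
        (matches if key in MATCH else topts).extend(neg + render(args[:n]))
        del args[:n]
    return ["iptables", "-t", table, "-A", chain, *matches, "-j", target, *topts]
```

Feed it the nat section's three-line template with the masqdevs and masqnets lists and it yields one MASQUERADE rule per (device, network) pair; shlex.join on the returned argv gives a pasteable command.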