shutter 0.0.7 → 0.1.0

data/spec/files/base.ipt

@@ -0,0 +1,160 @@
+# Generated by Shutter
+*filter
+:INPUT DROP [0:0]
+:FORWARD DROP [0:0]
+:OUTPUT ACCEPT [0:0]
+:Dmz - [0:0]
+:ValidCheck - [0:0]
+:Jail - [0:0]
+:Bastards - [0:0]
+:Public - [0:0]
+:AllowIP - [0:0]
+:Allowed - [0:0]
+:Private - [0:0]
+:DropJail - [0:0]
+:DropBastards - [0:0]
+:DropInvalid - [0:0]
+:DropScan - [0:0]
+:DropDDOS - [0:0]
+# [CHAIN:FAIL2BAN]
+
+-A INPUT -i lo -j ACCEPT
+-A INPUT -j Jail
+-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
+-A INPUT -j ValidCheck
+-A INPUT -j Dmz
+-A INPUT -j Bastards
+-A INPUT -j Public
+-A INPUT -j AllowIP
+-A INPUT ! -d 0.0.0.255/0.0.0.255 -m limit --limit 1/min -j LOG --log-prefix "iptables: Block:"
+-A INPUT -j DROP
+
+##################################################################
+# Jail goes here.  Jail and any fail2ban chains will be
+# taken care of dynamically in locker-restore.
+##################################################################
+# [RULES:JAIL]
+
+##################################################################
+# Validity/Scanning/DDOS checking
+##################################################################
+-A ValidCheck -m state --state INVALID -j DropInvalid
+-A ValidCheck -p tcp --tcp-flags ALL FIN,URG,PSH -j DropScan
+-A ValidCheck -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j DropScan
+-A ValidCheck -p tcp --tcp-flags ALL ALL -j DropScan
+-A ValidCheck -p tcp --tcp-flags ALL FIN -j DropScan
+-A ValidCheck -p tcp --tcp-flags ACK,FIN FIN -j DropScan
+-A ValidCheck -p tcp --tcp-flags ACK,PSH PSH -j DropScan
+-A ValidCheck -p tcp --tcp-flags ACK,URG URG -j DropScan
+-A ValidCheck -p tcp --tcp-flags FIN,RST FIN,RST -j DropScan
+-A ValidCheck -p tcp --tcp-flags ALL SYN,FIN -j DropScan
+-A ValidCheck -p tcp --tcp-flags ALL URG,PSH,FIN -j DropScan
+-A ValidCheck -p tcp --tcp-flags ALL URG,PSH,SYN,FIN -j DropScan
+-A ValidCheck -p tcp --tcp-flags SYN,RST SYN,RST -j DropScan
+-A ValidCheck -p tcp --tcp-flags SYN,FIN SYN,FIN -j DropScan
+-A ValidCheck -p tcp --tcp-flags ALL NONE -j DropScan
+-A ValidCheck -p tcp --tcp-option 64 -j DropScan
+-A ValidCheck -p tcp --tcp-option 128 -j DropScan
+-A ValidCheck -p tcp ! --dport 2049 -m multiport --sports 20,21,22,23,80,110,143,443,993,995 -j DropDDOS
+-A ValidCheck -p udp ! --dport 2049 -m multiport --sports 20,21,22,23,80,110,143,443,993,995 -j DropDDOS
+-A ValidCheck -j RETURN
+
+##################################################################
+# DMZ.  Read from iface.dmz and added as:
+# -A INPUT -i <iface> -j ACCEPT
+##################################################################
+# [RULES:DMZ]
+-A Dmz -j RETURN
+
+##################################################################
+# All IP address ranges that are permanently banned.  If
+# no IP addresses are given, then all will be assumed that no ip
+# addresses are banned and create the following rule
+# -A Bastards -j RETURN
+# otherwise a list of banned ips will be generated from ip.deny
+# and will look like this:
+# -A Bastards -s <ipaddr>/<subnet> -j DropBastards
+##################################################################
+# [RULES:BASTARDS]
+-A Bastards -j RETURN
+
+##################################################################
+# A list of authorized ports for the public access.  If there are
+# entries in the ports.public file then they will be added as:
+# -A Public -m state --state NEW -p <proto> -m <proto> --dport <port> -j ACCEPT
+##################################################################
+# [RULES:PUBLIC]
+-A Public -j RETURN
+
+##################################################################
+# All IP address ranges that are allowed to access the ports.  If
+# no IP addresses are given, then all will be assumed and a rule
+# to jump to the Allowed chain will be created:
+# -A AllowIP -j Allowed
+# otherwise a list of allowed ips will be generated from ip.allow
+# and will look like this:
+# -A AllowIP -s 129.101.159.128/26 -j Allowed
+##################################################################
+# [RULES:ALLOWIP]
+-A AllowIP -j RETURN
+
+##################################################################
+# Allowed.  If a packet has met all the requirements it will end
+# up here.  This should be a static chain.
+##################################################################
+-A Allowed -p icmp -m state --state NEW -m icmp --icmp-type 0 -j ACCEPT 
+-A Allowed -p icmp -m state --state NEW -m icmp --icmp-type 3 -j ACCEPT 
+-A Allowed -p icmp -m state --state NEW -m icmp --icmp-type 8 -j ACCEPT 
+-A Allowed -p icmp -m state --state NEW -m icmp --icmp-type 11 -j ACCEPT 
+-A Allowed -j Private
+-A Allowed ! -d 0.0.0.255/0.0.0.255 -m limit --limit 1/min -j LOG --log-prefix "iptables: Authorized:"
+-A Allowed -j ACCEPT
+
+##################################################################
+# A list of authorized ports for the allowed IPs.  If there are
+# entries in the ports.private file then they will be added as:
+# -A Private -m state --state NEW -p <proto> -m <proto> --dport <port> -j RETURN
+##################################################################
+# [RULES:PRIVATE]
+-A Private ! -d 0.0.0.255/0.0.0.255 -m limit --limit 3/min -j LOG --log-prefix "iptables: Unauthorized:"
+-A Private -j DROP
+
+##################################################################
+# Log and Drops
+##################################################################
+-A DropJail ! -d 0.0.0.255/0.0.0.255 -m limit --limit 3/min -j LOG --log-prefix "iptables: Jail:" 
+-A DropJail -j DROP
+
+-A DropBastards ! -d 0.0.0.255/0.0.0.255 -m limit --limit 3/min -j LOG --log-prefix "iptables: Bastards:" 
+-A DropBastards -j DROP
+
+-A DropInvalid ! -d 0.0.0.255/0.0.0.255 -m limit --limit 3/min -j LOG --log-prefix "iptables: Invalid:"  
+-A DropInvalid -j DROP
+
+-A DropScan ! -d 0.0.0.255/0.0.0.255 -m limit --limit 3/min -j LOG --log-prefix "iptables: Scan detected:"  
+-A DropScan -j DROP
+
+-A DropDDOS ! -d 0.0.0.255/0.0.0.255 -m limit --limit 3/min -j LOG --log-prefix "iptables: DDOS detected:"  
+-A DropDDOS -j DROP
+
+##################################################################
+# NATing
+##################################################################
+# [RULES:FORWARD]
+-A FORWARD ! -d 0.0.0.255/0.0.0.255 -m limit --limit 3/min -j LOG --log-prefix "iptables: Bad NAT:"
+-A FORWARD -j DROP
+
+##################################################################
+# Add any additional rules that fail2ban has added
+##################################################################
+# [RULES:FAIL2BAN]
+
+COMMIT
+
+*nat
+:PREROUTING ACCEPT [0:0]
+:POSTROUTING ACCEPT [0:0]
+:OUTPUT ACCEPT [0:0]
+# [RULES:POSTROUTING]
+COMMIT
+

data/spec/files/iface.dmz

@@ -0,0 +1,4 @@
+# Generated by Shutter
+# device
+eth0
+eth1

data/spec/files/iface.forward

@@ -0,0 +1,3 @@
+# src iface | dst iface
+eth0 eth1
+eth0 eth2

data/spec/files/ip.allow

@@ -0,0 +1,5 @@
+# Generated by Shutter
+# ipaddr
+# ipaddr/subnet
+192.168.0.0/16
+10.0.0.1

data/spec/files/ip.deny

@@ -0,0 +1,5 @@
+# Generated by Shutter
+# ipaddr
+# ipaddr/subnet
+172.31.0.0/24
+8.8.9.9

data/spec/files/iptables_save.out

@@ -0,0 +1,86 @@
+# Generated by iptables-save v1.4.7 on Sat Sep 29 14:34:04 2012
+*filter
+:INPUT DROP [0:0]
+:FORWARD DROP [0:0]
+:OUTPUT ACCEPT [3763472:853134022]
+:AllowIP - [0:0]
+:Allowed - [0:0]
+:Bastards - [0:0]
+:Dmz - [0:0]
+:DropBastards - [0:0]
+:DropDDOS - [0:0]
+:DropInvalid - [0:0]
+:DropJail - [0:0]
+:DropScan - [0:0]
+:Jail - [0:0]
+:Private - [0:0]
+:Public - [0:0]
+:ValidCheck - [0:0]
+:fail2ban-SSH - [0:0]
+-A INPUT -i lo -j ACCEPT 
+-A INPUT -j Jail 
+-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT 
+-A INPUT -j ValidCheck 
+-A INPUT -j Dmz 
+-A INPUT -j Bastards 
+-A INPUT -j Public 
+-A INPUT -j AllowIP 
+-A INPUT ! -d 0.0.0.255/0.0.0.255 -m limit --limit 1/min -j LOG --log-prefix "iptables: Block:" 
+-A INPUT -j DROP 
+-A AllowIP -s 192.168.0.0/16 -m state --state NEW -j Allowed 
+-A AllowIP -s 172.16.0.0/12 -m state --state NEW -j Allowed 
+-A AllowIP -s 10.0.0.0/8 -m state --state NEW -j Allowed 
+-A AllowIP -s 129.101.159.128/26 -m state --state NEW -j Allowed 
+-A AllowIP -s 129.101.142.128/26 -m state --state NEW -j Allowed 
+-A AllowIP -s 129.101.170.53/32 -m state --state NEW -j Allowed 
+-A AllowIP -s 129.101.112.0/24 -m state --state NEW -j Allowed 
+-A AllowIP -j RETURN 
+-A Allowed -p icmp -m state --state NEW -m icmp --icmp-type 0 -j ACCEPT 
+-A Allowed -p icmp -m state --state NEW -m icmp --icmp-type 3 -j ACCEPT 
+-A Allowed -p icmp -m state --state NEW -m icmp --icmp-type 8 -j ACCEPT 
+-A Allowed -p icmp -m state --state NEW -m icmp --icmp-type 11 -j ACCEPT 
+-A Allowed -j Private 
+-A Allowed ! -d 0.0.0.255/0.0.0.255 -m limit --limit 1/min -j LOG --log-prefix "iptables: Authorized:" 
+-A Allowed -j ACCEPT 
+-A Bastards -j RETURN 
+-A Dmz -i eth0 -j ACCEPT 
+-A Dmz -j RETURN 
+-A DropBastards ! -d 0.0.0.255/0.0.0.255 -m limit --limit 3/min -j LOG --log-prefix "iptables: Bastards:" 
+-A DropBastards -j DROP 
+-A DropDDOS ! -d 0.0.0.255/0.0.0.255 -m limit --limit 3/min -j LOG --log-prefix "iptables: DDOS detected:" 
+-A DropDDOS -j DROP 
+-A DropInvalid ! -d 0.0.0.255/0.0.0.255 -m limit --limit 3/min -j LOG --log-prefix "iptables: Invalid:" 
+-A DropInvalid -j DROP 
+-A DropJail ! -d 0.0.0.255/0.0.0.255 -m limit --limit 3/min -j LOG --log-prefix "iptables: Jail:" 
+-A DropJail -j DROP 
+-A DropScan ! -d 0.0.0.255/0.0.0.255 -m limit --limit 3/min -j LOG --log-prefix "iptables: Scan detected:" 
+-A DropScan -j DROP 
+-A Jail -p tcp -m tcp --dport 22 -j fail2ban-SSH
+-A Jail -j RETURN 
+-A Private -p tcp -m state --state NEW -m tcp --dport 22 -j RETURN 
+-A Private ! -d 0.0.0.255/0.0.0.255 -m limit --limit 3/min -j LOG --log-prefix "iptables: Unauthorized:" 
+-A Private -j DROP 
+-A Public -j RETURN 
+-A ValidCheck -m state --state INVALID -j DropInvalid 
+-A ValidCheck -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,PSH,URG -j DropScan 
+-A ValidCheck -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,RST,ACK,URG -j DropScan 
+-A ValidCheck -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,RST,PSH,ACK,URG -j DropScan 
+-A ValidCheck -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN -j DropScan 
+-A ValidCheck -p tcp -m tcp --tcp-flags FIN,ACK FIN -j DropScan 
+-A ValidCheck -p tcp -m tcp --tcp-flags PSH,ACK PSH -j DropScan 
+-A ValidCheck -p tcp -m tcp --tcp-flags ACK,URG URG -j DropScan 
+-A ValidCheck -p tcp -m tcp --tcp-flags FIN,RST FIN,RST -j DropScan 
+-A ValidCheck -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN -j DropScan 
+-A ValidCheck -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,PSH,URG -j DropScan 
+-A ValidCheck -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,PSH,URG -j DropScan 
+-A ValidCheck -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -j DropScan 
+-A ValidCheck -p tcp -m tcp --tcp-flags FIN,SYN FIN,SYN -j DropScan 
+-A ValidCheck -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j DropScan 
+-A ValidCheck -p tcp -m tcp --tcp-option 64 -j DropScan 
+-A ValidCheck -p tcp -m tcp --tcp-option 128 -j DropScan 
+-A ValidCheck -p tcp -m tcp ! --dport 2049 -m multiport --sports 20,21,22,23,80,110,143,443,993,995 -j DropDDOS 
+-A ValidCheck -p udp -m udp ! --dport 2049 -m multiport --sports 20,21,22,23,80,110,143,443,993,995 -j DropDDOS 
+-A ValidCheck -j RETURN 
+-A fail2ban-SSH -j RETURN
+COMMIT
+# Completed on Sat Sep 29 14:34:04 2012

data/spec/files/ports.private

@@ -0,0 +1,2 @@
+# proto port
+22    tcp

data/spec/files/ports.public

@@ -0,0 +1,3 @@
+# proto port
+80  tcp
+443   tcp

data/spec/files_spec.rb

@@ -0,0 +1,76 @@
+require File.dirname(__FILE__) + '/spec_helper'
+require 'fileutils'
+
+describe "Shutter::Files" do
+  it "should create the configuration directory if it does not exist" do
+    Shutter::Files.create_config_dir('./tmp/configs')
+    File.directory?('./tmp/configs').should == true
+    FileUtils.rm_rf('./tmp/configs')
+  end
+
+  it "should not recursively create the configuration directory if the parent does not exist" do
+    expect { Shutter::Files.create_config_dir('./tmp/configs/this') }.to raise_error
+  end
+
+  it "should include the templates for all files" do
+    Shutter::Files::CONFIG_FILES.each do |name|
+      Shutter::Files.constants.include?(:"#{name.upcase.gsub(/\./, "_")}").should == true
+    end
+  end
+
+  it "should create the files in the configuration directory if they do not exist" do
+    Shutter::Files.create_config_dir('./spec/tmp')
+    Shutter::Files.create('./spec/tmp')
+    Shutter::Files::CONFIG_FILES.each do |name|
+      File.exists?("./spec/tmp/#{name}")
+      File.read("./spec/tmp/#{name}").should == Shutter::Files.const_get(:"#{name.upcase.gsub(/\./, "_")}")
+    end
+    FileUtils.rm_rf('./spec/tmp')
+  end
+
+  it "should not touch the configs when they already exist" do
+    Shutter::Files.create_config_dir('./spec/tmp')
+    Shutter::Files::CONFIG_FILES.each do |name|
+      FileUtils.copy("./spec/files/#{name}", "./spec/tmp/#{name}")
+    end
+    Shutter::Files.create('./spec/tmp')
+    Shutter::Files::CONFIG_FILES.each do |name|
+      File.exists?("./spec/tmp/#{name}")
+      unless name == "base.ipt"
+        File.read("./spec/tmp/#{name}").should_not == Shutter::Files.const_get(:"#{name.upcase.gsub(/\./, "_")}")
+      end
+    end
+    FileUtils.rm_rf('./spec/tmp')
+  end
+
+  it "should overwrite the configs when overwrite is specified" do
+    Shutter::Files.create_config_dir('./spec/tmp')
+    Shutter::Files::CONFIG_FILES.each do |name|
+      FileUtils.copy("./spec/files/#{name}", "./spec/tmp/#{name}")
+    end
+    Shutter::Files.create('./spec/tmp',true)
+    Shutter::Files::CONFIG_FILES.each do |name|
+      File.exists?("./spec/tmp/#{name}")
+      File.read("./spec/tmp/#{name}").should == Shutter::Files.const_get(:"#{name.upcase.gsub(/\./, "_")}")
+    end
+    FileUtils.rm_rf('./spec/tmp')
+  end
+
+  it "should overwrite the configs when overwrite false but there are exceptions" do
+    Shutter::Files.create_config_dir('./spec/tmp')
+    Shutter::Files::CONFIG_FILES.each do |name|
+      FileUtils.copy("./spec/files/#{name}", "./spec/tmp/#{name}")
+    end
+    except = ['iface.forward','base.ipt']
+    Shutter::Files.create('./spec/tmp',false,except)
+    Shutter::Files::CONFIG_FILES.each do |name|
+      File.exists?("./spec/tmp/#{name}")
+      unless except.include?(name)
+        File.read("./spec/tmp/#{name}").should_not == Shutter::Files.const_get(:"#{name.upcase.gsub(/\./, "_")}")
+      else
+        File.read("./spec/tmp/#{name}").should == Shutter::Files.const_get(:"#{name.upcase.gsub(/\./, "_")}")
+      end
+    end
+    FileUtils.rm_rf('./spec/tmp')
+  end
+end

data/spec/iptables_spec.rb

@@ -0,0 +1,157 @@
+require File.dirname(__FILE__) + '/spec_helper'
+require 'fileutils'
+
+describe "Shutter::Firewall::IPTables" do
+  before(:each) do
+    @ipt = Shutter::Firewall::IPTables.new("./spec/files")
+  end
+
+  it "should have the default iptables-restore defined" do
+    @ipt.iptables_restore.should == "/sbin/iptables-restore"
+  end
+
+  it "should return the correct forward block" do
+    @ipt.forward_block.should == %q{-A FORWARD -i eth0 -o eth1 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
+-A FORWARD -i eth1 -o eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
+-A FORWARD -i eth0 -o eth2 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
+-A FORWARD -i eth2 -o eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
+}
+  end
+
+  it "should return the correct iface postrouting block" do
+    @ipt.postrouting_block.should == %q{-A POSTROUTING -o eth1 -j MASQUERADE
+-A POSTROUTING -o eth2 -j MASQUERADE
+}
+  end
+
+  it "should return the correct output for allow_private_port_block" do
+    @ipt.allow_private_port_block.should == %q{-A Private -m state --state NEW -p tcp -m tcp --dport 22 -j RETURN
+}
+  end
+
+  it "should return the correct output for allow_public_port_block" do
+    @ipt.allow_public_port_block.should == %q{-A Public -m state --state NEW -p tcp -m tcp --dport 80 -j ACCEPT
+-A Public -m state --state NEW -p tcp -m tcp --dport 443 -j ACCEPT
+}
+  end
+
+  it "should return the correct output for allow_ip_block" do
+    @ipt.allow_ip_block.should == %q{-A AllowIP -m state --state NEW -s 192.168.0.0/16 -j Allowed
+-A AllowIP -m state --state NEW -s 10.0.0.1 -j Allowed
+}
+  end
+
+  it "should return the correct output for deny_ip_block" do
+    @ipt.deny_ip_block.should == %q{-A Bastards -s 172.31.0.0/24 -j DropBastards
+-A Bastards -s 8.8.9.9 -j DropBastards
+}
+  end
+
+  it "should return the correct output for dmz_device_block" do
+    @ipt.dmz_device_block.should == %q{-A Dmz -i eth0 -j ACCEPT
+-A Dmz -i eth1 -j ACCEPT
+}
+  end
+
+  it "should return the correct output for generate" do
+    iptables_save = File.read("./spec/files/iptables_save.out")
+    @ipt.stubs(:iptables_save).returns(iptables_save)
+    @ipt.generate.should == %q{*filter
+:INPUT DROP [0:0]
+:FORWARD DROP [0:0]
+:OUTPUT ACCEPT [0:0]
+:Dmz - [0:0]
+:ValidCheck - [0:0]
+:Jail - [0:0]
+:Bastards - [0:0]
+:Public - [0:0]
+:AllowIP - [0:0]
+:Allowed - [0:0]
+:Private - [0:0]
+:DropJail - [0:0]
+:DropBastards - [0:0]
+:DropInvalid - [0:0]
+:DropScan - [0:0]
+:DropDDOS - [0:0]
+:fail2ban-SSH - [0:0]
+-A INPUT -i lo -j ACCEPT
+-A INPUT -j Jail
+-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
+-A INPUT -j ValidCheck
+-A INPUT -j Dmz
+-A INPUT -j Bastards
+-A INPUT -j Public
+-A INPUT -j AllowIP
+-A INPUT ! -d 0.0.0.255/0.0.0.255 -m limit --limit 1/min -j LOG --log-prefix "iptables: Block:"
+-A INPUT -j DROP
+-A Jail -p tcp -m tcp --dport 22 -j fail2ban-SSH
+-A Jail -j RETURN 
+-A ValidCheck -m state --state INVALID -j DropInvalid
+-A ValidCheck -p tcp --tcp-flags ALL FIN,URG,PSH -j DropScan
+-A ValidCheck -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j DropScan
+-A ValidCheck -p tcp --tcp-flags ALL ALL -j DropScan
+-A ValidCheck -p tcp --tcp-flags ALL FIN -j DropScan
+-A ValidCheck -p tcp --tcp-flags ACK,FIN FIN -j DropScan
+-A ValidCheck -p tcp --tcp-flags ACK,PSH PSH -j DropScan
+-A ValidCheck -p tcp --tcp-flags ACK,URG URG -j DropScan
+-A ValidCheck -p tcp --tcp-flags FIN,RST FIN,RST -j DropScan
+-A ValidCheck -p tcp --tcp-flags ALL SYN,FIN -j DropScan
+-A ValidCheck -p tcp --tcp-flags ALL URG,PSH,FIN -j DropScan
+-A ValidCheck -p tcp --tcp-flags ALL URG,PSH,SYN,FIN -j DropScan
+-A ValidCheck -p tcp --tcp-flags SYN,RST SYN,RST -j DropScan
+-A ValidCheck -p tcp --tcp-flags SYN,FIN SYN,FIN -j DropScan
+-A ValidCheck -p tcp --tcp-flags ALL NONE -j DropScan
+-A ValidCheck -p tcp --tcp-option 64 -j DropScan
+-A ValidCheck -p tcp --tcp-option 128 -j DropScan
+-A ValidCheck -p tcp ! --dport 2049 -m multiport --sports 20,21,22,23,80,110,143,443,993,995 -j DropDDOS
+-A ValidCheck -p udp ! --dport 2049 -m multiport --sports 20,21,22,23,80,110,143,443,993,995 -j DropDDOS
+-A ValidCheck -j RETURN
+-A Dmz -i eth0 -j ACCEPT
+-A Dmz -i eth1 -j ACCEPT
+-A Dmz -j RETURN
+-A Bastards -s 172.31.0.0/24 -j DropBastards
+-A Bastards -s 8.8.9.9 -j DropBastards
+-A Bastards -j RETURN
+-A Public -m state --state NEW -p tcp -m tcp --dport 80 -j ACCEPT
+-A Public -m state --state NEW -p tcp -m tcp --dport 443 -j ACCEPT
+-A Public -j RETURN
+-A AllowIP -m state --state NEW -s 192.168.0.0/16 -j Allowed
+-A AllowIP -m state --state NEW -s 10.0.0.1 -j Allowed
+-A AllowIP -j RETURN
+-A Allowed -p icmp -m state --state NEW -m icmp --icmp-type 0 -j ACCEPT
+-A Allowed -p icmp -m state --state NEW -m icmp --icmp-type 3 -j ACCEPT
+-A Allowed -p icmp -m state --state NEW -m icmp --icmp-type 8 -j ACCEPT
+-A Allowed -p icmp -m state --state NEW -m icmp --icmp-type 11 -j ACCEPT
+-A Allowed -j Private
+-A Allowed ! -d 0.0.0.255/0.0.0.255 -m limit --limit 1/min -j LOG --log-prefix "iptables: Authorized:"
+-A Allowed -j ACCEPT
+-A Private -m state --state NEW -p tcp -m tcp --dport 22 -j RETURN
+-A Private ! -d 0.0.0.255/0.0.0.255 -m limit --limit 3/min -j LOG --log-prefix "iptables: Unauthorized:"
+-A Private -j DROP
+-A DropJail ! -d 0.0.0.255/0.0.0.255 -m limit --limit 3/min -j LOG --log-prefix "iptables: Jail:"
+-A DropJail -j DROP
+-A DropBastards ! -d 0.0.0.255/0.0.0.255 -m limit --limit 3/min -j LOG --log-prefix "iptables: Bastards:"
+-A DropBastards -j DROP
+-A DropInvalid ! -d 0.0.0.255/0.0.0.255 -m limit --limit 3/min -j LOG --log-prefix "iptables: Invalid:"
+-A DropInvalid -j DROP
+-A DropScan ! -d 0.0.0.255/0.0.0.255 -m limit --limit 3/min -j LOG --log-prefix "iptables: Scan detected:"
+-A DropScan -j DROP
+-A DropDDOS ! -d 0.0.0.255/0.0.0.255 -m limit --limit 3/min -j LOG --log-prefix "iptables: DDOS detected:"
+-A DropDDOS -j DROP
+-A FORWARD -i eth0 -o eth1 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
+-A FORWARD -i eth1 -o eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
+-A FORWARD -i eth0 -o eth2 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
+-A FORWARD -i eth2 -o eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
+-A FORWARD ! -d 0.0.0.255/0.0.0.255 -m limit --limit 3/min -j LOG --log-prefix "iptables: Bad NAT:"
+-A FORWARD -j DROP
+-A fail2ban-SSH -j RETURN
+COMMIT
+*nat
+:PREROUTING ACCEPT [0:0]
+:POSTROUTING ACCEPT [0:0]
+:OUTPUT ACCEPT [0:0]
+-A POSTROUTING -o eth1 -j MASQUERADE
+-A POSTROUTING -o eth2 -j MASQUERADE
+COMMIT}
+  end
+end