shutter 0.0.7 → 0.1.0

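--- /dev/null
+++ b/PLACEHOLDER_PATH_1
@@ -0,0 +1,160 @@
+# Generated by Shutter
+*filter
+:INPUT DROP [0:0]
+:FORWARD DROP [0:0]
+:OUTPUT ACCEPT [0:0]
+:Dmz - [0:0]
+:ValidCheck - [0:0]
+:Jail - [0:0]
+:Bastards - [0:0]
+:Public - [0:0]
+:AllowIP - [0:0]
+:Allowed - [0:0]
+:Private - [0:0]
+:DropJail - [0:0]
+:DropBastards - [0:0]
+:DropInvalid - [0:0]
+:DropScan - [0:0]
+:DropDDOS - [0:0]
+# [CHAIN:FAIL2BAN]
+
+-A INPUT -i lo -j ACCEPT
+-A INPUT -j Jail
+-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
+-A INPUT -j ValidCheck
+-A INPUT -j Dmz
+-A INPUT -j Bastards
+-A INPUT -j Public
+-A INPUT -j AllowIP
+-A INPUT ! -d 0.0.0.255/0.0.0.255 -m limit --limit 1/min -j LOG --log-prefix "iptables: Block:"
+-A INPUT -j DROP
+
+##################################################################
+# Jail goes here. Jail and any fail2ban chains will be
+# taken care of dynamically in locker-restore.
+##################################################################
+# [RULES:JAIL]
+
+##################################################################
+# Validity/Scanning/DDOS checking
+##################################################################
+-A ValidCheck -m state --state INVALID -j DropInvalid
+-A ValidCheck -p tcp --tcp-flags ALL FIN,URG,PSH -j DropScan
+-A ValidCheck -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j DropScan
+-A ValidCheck -p tcp --tcp-flags ALL ALL -j DropScan
+-A ValidCheck -p tcp --tcp-flags ALL FIN -j DropScan
+-A ValidCheck -p tcp --tcp-flags ACK,FIN FIN -j DropScan
+-A ValidCheck -p tcp --tcp-flags ACK,PSH PSH -j DropScan
+-A ValidCheck -p tcp --tcp-flags ACK,URG URG -j DropScan
+-A ValidCheck -p tcp --tcp-flags FIN,RST FIN,RST -j DropScan
+-A ValidCheck -p tcp --tcp-flags ALL SYN,FIN -j DropScan
+-A ValidCheck -p tcp --tcp-flags ALL URG,PSH,FIN -j DropScan
+-A ValidCheck -p tcp --tcp-flags ALL URG,PSH,SYN,FIN -j DropScan
+-A ValidCheck -p tcp --tcp-flags SYN,RST SYN,RST -j DropScan
+-A ValidCheck -p tcp --tcp-flags SYN,FIN SYN,FIN -j DropScan
+-A ValidCheck -p tcp --tcp-flags ALL NONE -j DropScan
+-A ValidCheck -p tcp --tcp-option 64 -j DropScan
+-A ValidCheck -p tcp --tcp-option 128 -j DropScan
+-A ValidCheck -p tcp ! --dport 2049 -m multiport --sports 20,21,22,23,80,110,143,443,993,995 -j DropDDOS
+-A ValidCheck -p udp ! --dport 2049 -m multiport --sports 20,21,22,23,80,110,143,443,993,995 -j DropDDOS
+-A ValidCheck -j RETURN
+
+##################################################################
+# DMZ. Read from iface.dmz and added as:
+# -A INPUT -i <iface> -j ACCEPT
+##################################################################
+# [RULES:DMZ]
+-A Dmz -j RETURN
+
+##################################################################
+# All IP address ranges that are permanently banned. If
+# no IP addresses are given, then all will be assumed that no ip
+# addresses are banned and create the following rule
+# -A Bastards -j RETURN
+# otherwise a list of banned ips will be generated from ip.deny
+# and will look like this:
+# -A Bastards -s <ipaddr>/<subnet> -j DropBastards
+##################################################################
+# [RULES:BASTARDS]
+-A Bastards -j RETURN
+
+##################################################################
+# A list of authorized ports for the public access. If there are
+# entries in the ports.public file then they will be added as:
+# -A Public -m state --state NEW -p <proto> -m <proto> --dport <port> -j ACCEPT
+##################################################################
+# [RULES:PUBLIC]
+-A Public -j RETURN
+
+##################################################################
+# All IP address ranges that are allowed to access the ports. If
+# no IP addresses are given, then all will be assumed and a rule
+# to jump to the Allowed chain will be created:
+# -A AllowIP -j Allowed
+# otherwise a list of allowed ips will be generated from ip.allow
+# and will look like this:
+# -A AllowIP -s 129.101.159.128/26 -j Allowed
+##################################################################
+# [RULES:ALLOWIP]
+-A AllowIP -j RETURN
+
+##################################################################
+# Allowed. If a packet has met all the requirements it will end
+# up here. This should be a static chain.
+##################################################################
+-A Allowed -p icmp -m state --state NEW -m icmp --icmp-type 0 -j ACCEPT
+-A Allowed -p icmp -m state --state NEW -m icmp --icmp-type 3 -j ACCEPT
+-A Allowed -p icmp -m state --state NEW -m icmp --icmp-type 8 -j ACCEPT
+-A Allowed -p icmp -m state --state NEW -m icmp --icmp-type 11 -j ACCEPT
+-A Allowed -j Private
+-A Allowed ! -d 0.0.0.255/0.0.0.255 -m limit --limit 1/min -j LOG --log-prefix "iptables: Authorized:"
+-A Allowed -j ACCEPT
+
+##################################################################
+# A list of authorized ports for the allowed IPs. If there are
+# entries in the ports.private file then they will be added as:
+# -A Private -m state --state NEW -p <proto> -m <proto> --dport <port> -j RETURN
+##################################################################
+# [RULES:PRIVATE]
+-A Private ! -d 0.0.0.255/0.0.0.255 -m limit --limit 3/min -j LOG --log-prefix "iptables: Unauthorized:"
+-A Private -j DROP
+
+##################################################################
+# Log and Drops
+##################################################################
+-A DropJail ! -d 0.0.0.255/0.0.0.255 -m limit --limit 3/min -j LOG --log-prefix "iptables: Jail:"
+-A DropJail -j DROP
+
+-A DropBastards ! -d 0.0.0.255/0.0.0.255 -m limit --limit 3/min -j LOG --log-prefix "iptables: Bastards:"
+-A DropBastards -j DROP
+
+-A DropInvalid ! -d 0.0.0.255/0.0.0.255 -m limit --limit 3/min -j LOG --log-prefix "iptables: Invalid:"
+-A DropInvalid -j DROP
+
+-A DropScan ! -d 0.0.0.255/0.0.0.255 -m limit --limit 3/min -j LOG --log-prefix "iptables: Scan detected:"
+-A DropScan -j DROP
+
+-A DropDDOS ! -d 0.0.0.255/0.0.0.255 -m limit --limit 3/min -j LOG --log-prefix "iptables: DDOS detected:"
+-A DropDDOS -j DROP
+
+##################################################################
+# NATing
+##################################################################
+# [RULES:FORWARD]
+-A FORWARD ! -d 0.0.0.255/0.0.0.255 -m limit --limit 3/min -j LOG --log-prefix "iptables: Bad NAT:"
+-A FORWARD -j DROP
+
+##################################################################
+# Add any additional rules that fail2ban has added
+##################################################################
+# [RULES:FAIL2BAN]
+
+COMMIT
+
+*nat
+:PREROUTING ACCEPT [0:0]
+:POSTROUTING ACCEPT [0:0]
+:OUTPUT ACCEPT [0:0]
+# [RULES:POSTROUTING]
+COMMIT
+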
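Review bot: The DMZ comment block documents the generated rule as `# -A INPUT -i <iface> -j ACCEPT`, but the `# [RULES:DMZ]` marker sits inside the Dmz chain and the accompanying spec expects `-A Dmz -i eth0 -j ACCEPT`, so the comment should read `# -A Dmz -i <iface> -j ACCEPT`. The same block should also state that INPUT jumps to Dmz before Bastards, so an interface listed in iface.dmz is accepted wholesale and the ip.deny list never applies to traffic arriving on it, e.g. `# Note: Dmz is evaluated before Bastards; ip.deny does not apply to DMZ interfaces.`. Separately, every `--log-prefix` string (`"iptables: Block:"` and the others in this template) lacks a trailing space, and the LOG target prints the `IN=` field directly after the prefix, so a trailing space (`--log-prefix "iptables: Block: "`) keeps the syslog line tokenizable for log tooling.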
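--- /dev/null
+++ b/PLACEHOLDER_PATH_2
@@ -0,0 +1,4 @@
+# Generated by Shutter
+# device
+eth0
+eth1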
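--- /dev/null
+++ b/PLACEHOLDER_PATH_3
@@ -0,0 +1,3 @@
+# src iface | dst iface
+eth0 eth1
+eth0 eth2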
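--- /dev/null
+++ b/PLACEHOLDER_PATH_4
@@ -0,0 +1,5 @@
+# Generated by Shutter
+# ipaddr
+# ipaddr/subnet
+192.168.0.0/16
+10.0.0.1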
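--- /dev/null
+++ b/PLACEHOLDER_PATH_5
@@ -0,0 +1,5 @@
+# Generated by Shutter
+# ipaddr
+# ipaddr/subnet
+172.31.0.0/24
+8.8.9.9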
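--- /dev/null
+++ b/PLACEHOLDER_PATH_6
@@ -0,0 +1,86 @@
+# Generated by iptables-save v1.4.7 on Sat Sep 29 14:34:04 2012
+*filter
+:INPUT DROP [0:0]
+:FORWARD DROP [0:0]
+:OUTPUT ACCEPT [3763472:853134022]
+:AllowIP - [0:0]
+:Allowed - [0:0]
+:Bastards - [0:0]
+:Dmz - [0:0]
+:DropBastards - [0:0]
+:DropDDOS - [0:0]
+:DropInvalid - [0:0]
+:DropJail - [0:0]
+:DropScan - [0:0]
+:Jail - [0:0]
+:Private - [0:0]
+:Public - [0:0]
+:ValidCheck - [0:0]
+:fail2ban-SSH - [0:0]
+-A INPUT -i lo -j ACCEPT
+-A INPUT -j Jail
+-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
+-A INPUT -j ValidCheck
+-A INPUT -j Dmz
+-A INPUT -j Bastards
+-A INPUT -j Public
+-A INPUT -j AllowIP
+-A INPUT ! -d 0.0.0.255/0.0.0.255 -m limit --limit 1/min -j LOG --log-prefix "iptables: Block:"
+-A INPUT -j DROP
+-A AllowIP -s 192.168.0.0/16 -m state --state NEW -j Allowed
+-A AllowIP -s 172.16.0.0/12 -m state --state NEW -j Allowed
+-A AllowIP -s 10.0.0.0/8 -m state --state NEW -j Allowed
+-A AllowIP -s 129.101.159.128/26 -m state --state NEW -j Allowed
+-A AllowIP -s 129.101.142.128/26 -m state --state NEW -j Allowed
+-A AllowIP -s 129.101.170.53/32 -m state --state NEW -j Allowed
+-A AllowIP -s 129.101.112.0/24 -m state --state NEW -j Allowed
+-A AllowIP -j RETURN
+-A Allowed -p icmp -m state --state NEW -m icmp --icmp-type 0 -j ACCEPT
+-A Allowed -p icmp -m state --state NEW -m icmp --icmp-type 3 -j ACCEPT
+-A Allowed -p icmp -m state --state NEW -m icmp --icmp-type 8 -j ACCEPT
+-A Allowed -p icmp -m state --state NEW -m icmp --icmp-type 11 -j ACCEPT
+-A Allowed -j Private
+-A Allowed ! -d 0.0.0.255/0.0.0.255 -m limit --limit 1/min -j LOG --log-prefix "iptables: Authorized:"
+-A Allowed -j ACCEPT
+-A Bastards -j RETURN
+-A Dmz -i eth0 -j ACCEPT
+-A Dmz -j RETURN
+-A DropBastards ! -d 0.0.0.255/0.0.0.255 -m limit --limit 3/min -j LOG --log-prefix "iptables: Bastards:"
+-A DropBastards -j DROP
+-A DropDDOS ! -d 0.0.0.255/0.0.0.255 -m limit --limit 3/min -j LOG --log-prefix "iptables: DDOS detected:"
+-A DropDDOS -j DROP
+-A DropInvalid ! -d 0.0.0.255/0.0.0.255 -m limit --limit 3/min -j LOG --log-prefix "iptables: Invalid:"
+-A DropInvalid -j DROP
+-A DropJail ! -d 0.0.0.255/0.0.0.255 -m limit --limit 3/min -j LOG --log-prefix "iptables: Jail:"
+-A DropJail -j DROP
+-A DropScan ! -d 0.0.0.255/0.0.0.255 -m limit --limit 3/min -j LOG --log-prefix "iptables: Scan detected:"
+-A DropScan -j DROP
+-A Jail -p tcp -m tcp --dport 22 -j fail2ban-SSH
+-A Jail -j RETURN
+-A Private -p tcp -m state --state NEW -m tcp --dport 22 -j RETURN
+-A Private ! -d 0.0.0.255/0.0.0.255 -m limit --limit 3/min -j LOG --log-prefix "iptables: Unauthorized:"
+-A Private -j DROP
+-A Public -j RETURN
+-A ValidCheck -m state --state INVALID -j DropInvalid
+-A ValidCheck -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,PSH,URG -j DropScan
+-A ValidCheck -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,RST,ACK,URG -j DropScan
+-A ValidCheck -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,RST,PSH,ACK,URG -j DropScan
+-A ValidCheck -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN -j DropScan
+-A ValidCheck -p tcp -m tcp --tcp-flags FIN,ACK FIN -j DropScan
+-A ValidCheck -p tcp -m tcp --tcp-flags PSH,ACK PSH -j DropScan
+-A ValidCheck -p tcp -m tcp --tcp-flags ACK,URG URG -j DropScan
+-A ValidCheck -p tcp -m tcp --tcp-flags FIN,RST FIN,RST -j DropScan
+-A ValidCheck -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN -j DropScan
+-A ValidCheck -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,PSH,URG -j DropScan
+-A ValidCheck -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,PSH,URG -j DropScan
+-A ValidCheck -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -j DropScan
+-A ValidCheck -p tcp -m tcp --tcp-flags FIN,SYN FIN,SYN -j DropScan
+-A ValidCheck -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j DropScan
+-A ValidCheck -p tcp -m tcp --tcp-option 64 -j DropScan
+-A ValidCheck -p tcp -m tcp --tcp-option 128 -j DropScan
+-A ValidCheck -p tcp -m tcp ! --dport 2049 -m multiport --sports 20,21,22,23,80,110,143,443,993,995 -j DropDDOS
+-A ValidCheck -p udp -m udp ! --dport 2049 -m multiport --sports 20,21,22,23,80,110,143,443,993,995 -j DropDDOS
+-A ValidCheck -j RETURN
+-A fail2ban-SSH -j RETURN
+COMMIT
+# Completed on Sat Sep 29 14:34:04 2012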
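--- /dev/null
+++ b/PLACEHOLDER_PATH_7
@@ -0,0 +1,2 @@
+# proto port
+22 tcp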
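--- /dev/null
+++ b/PLACEHOLDER_PATH_8
@@ -0,0 +1,3 @@
+# proto port
+80 tcp
+443 tcp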
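--- /dev/null
+++ b/PLACEHOLDER_PATH_9
@@ -0,0 +1,76 @@
+require File.dirname(__FILE__) + '/spec_helper'
+require 'fileutils'
+
+describe "Shutter::Files" do
+  it "should create the configuration directory if it does not exist" do
+    Shutter::Files.create_config_dir('./tmp/configs')
+    File.directory?('./tmp/configs').should == true
+    FileUtils.rm_rf('./tmp/configs')
+  end
+
+  it "should not recursively create the configuration directory if the parent does not exist" do
+    expect { Shutter::Files.create_config_dir('./tmp/configs/this') }.to raise_error
+  end
+
+  it "should include the templates for all files" do
+    Shutter::Files::CONFIG_FILES.each do |name|
+      Shutter::Files.constants.include?(:"#{name.upcase.gsub(/\./, "_")}").should == true
+    end
+  end
+
+  it "should create the files in the configuration directory if they do not exist" do
+    Shutter::Files.create_config_dir('./spec/tmp')
+    Shutter::Files.create('./spec/tmp')
+    Shutter::Files::CONFIG_FILES.each do |name|
+      File.exists?("./spec/tmp/#{name}")
+      File.read("./spec/tmp/#{name}").should == Shutter::Files.const_get(:"#{name.upcase.gsub(/\./, "_")}")
+    end
+    FileUtils.rm_rf('./spec/tmp')
+  end
+
+  it "should not touch the configs when they already exist" do
+    Shutter::Files.create_config_dir('./spec/tmp')
+    Shutter::Files::CONFIG_FILES.each do |name|
+      FileUtils.copy("./spec/files/#{name}", "./spec/tmp/#{name}")
+    end
+    Shutter::Files.create('./spec/tmp')
+    Shutter::Files::CONFIG_FILES.each do |name|
+      File.exists?("./spec/tmp/#{name}")
+      unless name == "base.ipt"
+        File.read("./spec/tmp/#{name}").should_not == Shutter::Files.const_get(:"#{name.upcase.gsub(/\./, "_")}")
+      end
+    end
+    FileUtils.rm_rf('./spec/tmp')
+  end
+
+  it "should overwrite the configs when overwrite is specified" do
+    Shutter::Files.create_config_dir('./spec/tmp')
+    Shutter::Files::CONFIG_FILES.each do |name|
+      FileUtils.copy("./spec/files/#{name}", "./spec/tmp/#{name}")
+    end
+    Shutter::Files.create('./spec/tmp',true)
+    Shutter::Files::CONFIG_FILES.each do |name|
+      File.exists?("./spec/tmp/#{name}")
+      File.read("./spec/tmp/#{name}").should == Shutter::Files.const_get(:"#{name.upcase.gsub(/\./, "_")}")
+    end
+    FileUtils.rm_rf('./spec/tmp')
+  end
+
+  it "should overwrite the configs when overwrite false but there are exceptions" do
+    Shutter::Files.create_config_dir('./spec/tmp')
+    Shutter::Files::CONFIG_FILES.each do |name|
+      FileUtils.copy("./spec/files/#{name}", "./spec/tmp/#{name}")
+    end
+    except = ['iface.forward','base.ipt']
+    Shutter::Files.create('./spec/tmp',false,except)
+    Shutter::Files::CONFIG_FILES.each do |name|
+      File.exists?("./spec/tmp/#{name}")
+      unless except.include?(name)
+        File.read("./spec/tmp/#{name}").should_not == Shutter::Files.const_get(:"#{name.upcase.gsub(/\./, "_")}")
+      else
+        File.read("./spec/tmp/#{name}").should == Shutter::Files.const_get(:"#{name.upcase.gsub(/\./, "_")}")
+      end
+    end
+    FileUtils.rm_rf('./spec/tmp')
+  end
+end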
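Review bot: `File.exists?("./spec/tmp/#{name}")` inside each `CONFIG_FILES.each` loop returns a boolean that is discarded, so the existence check never fails; it should be `File.exist?("./spec/tmp/#{name}").should == true` (`File.exist?` also avoids the deprecated `exists?` alias). The `expect { ... }.to raise_error` with no error class passes on any exception, including a NameError from a mistyped call, so the expected class should be named once known. Cleanup via `FileUtils.rm_rf('./spec/tmp')` is the last statement of each example and is skipped whenever an earlier assertion fails, leaving files that make the following examples pass or fail for the wrong reason; moving it into an `after(:each)` block keeps the examples independent.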
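--- /dev/null
+++ b/PLACEHOLDER_PATH_10
@@ -0,0 +1,157 @@
+require File.dirname(__FILE__) + '/spec_helper'
+require 'fileutils'
+
+describe "Shutter::Firewall::IPTables" do
+  before(:each) do
+    @ipt = Shutter::Firewall::IPTables.new("./spec/files")
+  end
+
+  it "should have the default iptables-restore defined" do
+    @ipt.iptables_restore.should == "/sbin/iptables-restore"
+  end
+
+  it "should return the correct forward block" do
+    @ipt.forward_block.should == %q{-A FORWARD -i eth0 -o eth1 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
+-A FORWARD -i eth1 -o eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
+-A FORWARD -i eth0 -o eth2 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
+-A FORWARD -i eth2 -o eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
+}
+  end
+
+  it "should return the correct iface postrouting block" do
+    @ipt.postrouting_block.should == %q{-A POSTROUTING -o eth1 -j MASQUERADE
+-A POSTROUTING -o eth2 -j MASQUERADE
+}
+  end
+
+  it "should return the correct output for allow_private_port_block" do
+    @ipt.allow_private_port_block.should == %q{-A Private -m state --state NEW -p tcp -m tcp --dport 22 -j RETURN
+}
+  end
+
+  it "should return the correct output for allow_public_port_block" do
+    @ipt.allow_public_port_block.should == %q{-A Public -m state --state NEW -p tcp -m tcp --dport 80 -j ACCEPT
+-A Public -m state --state NEW -p tcp -m tcp --dport 443 -j ACCEPT
+}
+  end
+
+  it "should return the correct output for allow_ip_block" do
+    @ipt.allow_ip_block.should == %q{-A AllowIP -m state --state NEW -s 192.168.0.0/16 -j Allowed
+-A AllowIP -m state --state NEW -s 10.0.0.1 -j Allowed
+}
+  end
+
+  it "should return the correct output for deny_ip_block" do
+    @ipt.deny_ip_block.should == %q{-A Bastards -s 172.31.0.0/24 -j DropBastards
+-A Bastards -s 8.8.9.9 -j DropBastards
+}
+  end
+
+  it "should return the correct output for dmz_device_block" do
+    @ipt.dmz_device_block.should == %q{-A Dmz -i eth0 -j ACCEPT
+-A Dmz -i eth1 -j ACCEPT
+}
+  end
+
+  it "should return the correct output for generate" do
+    iptables_save = File.read("./spec/files/iptables_save.out")
+    @ipt.stubs(:iptables_save).returns(iptables_save)
+    @ipt.generate.should == %q{*filter
+:INPUT DROP [0:0]
+:FORWARD DROP [0:0]
+:OUTPUT ACCEPT [0:0]
+:Dmz - [0:0]
+:ValidCheck - [0:0]
+:Jail - [0:0]
+:Bastards - [0:0]
+:Public - [0:0]
+:AllowIP - [0:0]
+:Allowed - [0:0]
+:Private - [0:0]
+:DropJail - [0:0]
+:DropBastards - [0:0]
+:DropInvalid - [0:0]
+:DropScan - [0:0]
+:DropDDOS - [0:0]
+:fail2ban-SSH - [0:0]
+-A INPUT -i lo -j ACCEPT
+-A INPUT -j Jail
+-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
+-A INPUT -j ValidCheck
+-A INPUT -j Dmz
+-A INPUT -j Bastards
+-A INPUT -j Public
+-A INPUT -j AllowIP
+-A INPUT ! -d 0.0.0.255/0.0.0.255 -m limit --limit 1/min -j LOG --log-prefix "iptables: Block:"
+-A INPUT -j DROP
+-A Jail -p tcp -m tcp --dport 22 -j fail2ban-SSH
+-A Jail -j RETURN
+-A ValidCheck -m state --state INVALID -j DropInvalid
+-A ValidCheck -p tcp --tcp-flags ALL FIN,URG,PSH -j DropScan
+-A ValidCheck -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j DropScan
+-A ValidCheck -p tcp --tcp-flags ALL ALL -j DropScan
+-A ValidCheck -p tcp --tcp-flags ALL FIN -j DropScan
+-A ValidCheck -p tcp --tcp-flags ACK,FIN FIN -j DropScan
+-A ValidCheck -p tcp --tcp-flags ACK,PSH PSH -j DropScan
+-A ValidCheck -p tcp --tcp-flags ACK,URG URG -j DropScan
+-A ValidCheck -p tcp --tcp-flags FIN,RST FIN,RST -j DropScan
+-A ValidCheck -p tcp --tcp-flags ALL SYN,FIN -j DropScan
+-A ValidCheck -p tcp --tcp-flags ALL URG,PSH,FIN -j DropScan
+-A ValidCheck -p tcp --tcp-flags ALL URG,PSH,SYN,FIN -j DropScan
+-A ValidCheck -p tcp --tcp-flags SYN,RST SYN,RST -j DropScan
+-A ValidCheck -p tcp --tcp-flags SYN,FIN SYN,FIN -j DropScan
+-A ValidCheck -p tcp --tcp-flags ALL NONE -j DropScan
+-A ValidCheck -p tcp --tcp-option 64 -j DropScan
+-A ValidCheck -p tcp --tcp-option 128 -j DropScan
+-A ValidCheck -p tcp ! --dport 2049 -m multiport --sports 20,21,22,23,80,110,143,443,993,995 -j DropDDOS
+-A ValidCheck -p udp ! --dport 2049 -m multiport --sports 20,21,22,23,80,110,143,443,993,995 -j DropDDOS
+-A ValidCheck -j RETURN
+-A Dmz -i eth0 -j ACCEPT
+-A Dmz -i eth1 -j ACCEPT
+-A Dmz -j RETURN
+-A Bastards -s 172.31.0.0/24 -j DropBastards
+-A Bastards -s 8.8.9.9 -j DropBastards
+-A Bastards -j RETURN
+-A Public -m state --state NEW -p tcp -m tcp --dport 80 -j ACCEPT
+-A Public -m state --state NEW -p tcp -m tcp --dport 443 -j ACCEPT
+-A Public -j RETURN
+-A AllowIP -m state --state NEW -s 192.168.0.0/16 -j Allowed
+-A AllowIP -m state --state NEW -s 10.0.0.1 -j Allowed
+-A AllowIP -j RETURN
+-A Allowed -p icmp -m state --state NEW -m icmp --icmp-type 0 -j ACCEPT
+-A Allowed -p icmp -m state --state NEW -m icmp --icmp-type 3 -j ACCEPT
+-A Allowed -p icmp -m state --state NEW -m icmp --icmp-type 8 -j ACCEPT
+-A Allowed -p icmp -m state --state NEW -m icmp --icmp-type 11 -j ACCEPT
+-A Allowed -j Private
+-A Allowed ! -d 0.0.0.255/0.0.0.255 -m limit --limit 1/min -j LOG --log-prefix "iptables: Authorized:"
+-A Allowed -j ACCEPT
+-A Private -m state --state NEW -p tcp -m tcp --dport 22 -j RETURN
+-A Private ! -d 0.0.0.255/0.0.0.255 -m limit --limit 3/min -j LOG --log-prefix "iptables: Unauthorized:"
+-A Private -j DROP
+-A DropJail ! -d 0.0.0.255/0.0.0.255 -m limit --limit 3/min -j LOG --log-prefix "iptables: Jail:"
+-A DropJail -j DROP
+-A DropBastards ! -d 0.0.0.255/0.0.0.255 -m limit --limit 3/min -j LOG --log-prefix "iptables: Bastards:"
+-A DropBastards -j DROP
+-A DropInvalid ! -d 0.0.0.255/0.0.0.255 -m limit --limit 3/min -j LOG --log-prefix "iptables: Invalid:"
+-A DropInvalid -j DROP
+-A DropScan ! -d 0.0.0.255/0.0.0.255 -m limit --limit 3/min -j LOG --log-prefix "iptables: Scan detected:"
+-A DropScan -j DROP
+-A DropDDOS ! -d 0.0.0.255/0.0.0.255 -m limit --limit 3/min -j LOG --log-prefix "iptables: DDOS detected:"
+-A DropDDOS -j DROP
+-A FORWARD -i eth0 -o eth1 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
+-A FORWARD -i eth1 -o eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
+-A FORWARD -i eth0 -o eth2 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
+-A FORWARD -i eth2 -o eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
+-A FORWARD ! -d 0.0.0.255/0.0.0.255 -m limit --limit 3/min -j LOG --log-prefix "iptables: Bad NAT:"
+-A FORWARD -j DROP
+-A fail2ban-SSH -j RETURN
+COMMIT
+*nat
+:PREROUTING ACCEPT [0:0]
+:POSTROUTING ACCEPT [0:0]
+:OUTPUT ACCEPT [0:0]
+-A POSTROUTING -o eth1 -j MASQUERADE
+-A POSTROUTING -o eth2 -j MASQUERADE
+COMMIT}
+  end
+end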
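Review bot: `Shutter::Firewall::IPTables.new("./spec/files")` in `before(:each)` and `File.read("./spec/files/iptables_save.out")` in the generate example resolve against the process working directory, so the suite only passes when started from the project root; `File.expand_path('files', File.dirname(__FILE__))` would anchor them the same way the `require ... '/spec_helper'` line already does. The generate expectation also shows that the `:fail2ban-SSH` chain and the `-A Jail -p tcp -m tcp --dport 22 -j fail2ban-SSH` rule come from the stubbed `iptables_save` text rather than from any config file, i.e. part of the new ruleset is inherited from whatever is currently loaded in the kernel; a one-line comment on the `@ipt.stubs(:iptables_save)` line, `# fail2ban chains are carried over from the live ruleset, not from ./spec/files`, would make that contract explicit to the next reader.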