https://www.saruman.biz/saruwiki/index.php?action=history&feed=atom&title=Iceditch_configuration_example Iceditch configuration example - Revision history 2026-05-02T21:45:45Z Revision history for this page on the wiki MediaWiki 1.40.0 https://www.saruman.biz/saruwiki/index.php?title=Iceditch_configuration_example&diff=1566&oldid=prev Saruman!: Iceditch example config 2008-07-19T16:01:00Z <p>Iceditch example config</p> <p><b>New page</b></p><div>==File &#039;&#039;config.conf&#039;&#039;==<br /> &lt;pre&gt;<br /> ## PUT YOUR OWN ADDRESS HERE! if you want to receive errors by mail<br /> MAILTO=&quot;linuxwarning@saruman.biz&quot;;<br /> <br /> CMD=&quot;/sbin/iptables&quot;;<br /> SYSLOG=&quot;/usr/bin/logger&quot;;<br /> <br /> # if you want to use the Userspace Logging Daemon, change this<br /> # from &quot;LOG&quot; to &quot;ULOG&quot;<br /> FWLOG=&quot;ULOG&quot;;<br /> # default &quot;--log-prefix&quot; or &quot;--ulog-prefix&quot;<br /> FWLOGPREFIX=&quot;--ulog-prefix&quot;;<br /> <br /> # topology<br /> inetIF=&#039;eth1&#039;;<br /> inetIP=&#039;212.238.151.172&#039;;<br /> <br /> lanIF=&#039;eth0&#039;;<br /> lanIP=&#039;192.168.67.10&#039;;<br /> lanNET=&#039;192.168.67.0/24&#039;;<br /> <br /> natIF=$inetIF;<br /> natIP=$inetIP;<br /> <br /> # Define some subnets<br /> FRESHFIELDNET=&#039;192.168.67.144/28&#039; # Limited hosts: 144 t/m 159<br /> JANNET=&#039;192.168.67.160/27&#039; # Limited hosts: 160 t/m 191<br /> SASNET=&#039;192.168.67.192/26&#039; # Limited hosts: 192 t/m 254<br /> <br /> ################################################################################<br /> ## Here you can declare and/or read every variable you&#039;ll need in the rules ##<br /> ################################################################################<br /> <br /> # Fetch all IP&#039;s that are totally blocked<br /> lookup_param_list &#039;blockedIP&#039; &quot;/etc/iceditch/params.conf&quot;;<br /> NumOfBlockedIPs=${r[0]};<br /> if [ $NumOfBlockedIPs -gt 0 ]; then<br /> i=0;<br /> while [ $i -le $NumOfBlockedIPs ] ; do<br /> blockedIP[$i]=${r[$i]};<br /> let &quot;i += 1&quot;;<br /> done;<br /> fi;<br /> <br /> <br /> # Fetch all IPsec tunnel parameters<br /> lookup_param_list &#039;IPsecLocalLAN&#039; &quot;/etc/iceditch/params.conf&quot;;<br /> IPsecNumOfTunnels=${r[0]};<br /> if [ $IPsecNumOfTunnels -gt 0 ]; then<br /> i=0;<br /> while [ $i -lt $IPsecNumOfTunnels ] ; do<br /> let &quot;i += 1&quot;; IPsecLocalLAN[$i]=${r[$i]};<br /> IPsecLocalLANIP[$i]=$lanIP; # we don&#039;t read these from the config<br /> IPsecLocalWANIP[$i]=$inetIP; # file, since they&#039;re always the same<br /> done;<br /> lookup_param_list &#039;IPsecRemoteWANIP&#039; &quot;$PATHNAME/$PARMFILENAME&quot;;<br /> i=0;<br /> while [ $i -lt $IPsecNumOfTunnels ] ; do<br /> let &quot;i += 1&quot;; IPsecRemoteWANIP[$i]=${r[$i]};<br /> done;<br /> lookup_param_list &#039;IPsecRemoteLAN&#039; &quot;$PATHNAME/$PARMFILENAME&quot;;<br /> i=0;<br /> while [ $i -lt $IPsecNumOfTunnels ] ; do<br /> let &quot;i += 1&quot;; IPsecRemoteLAN[$i]=${r[$i]};<br /> done;<br /> fi;<br /> <br /> &lt;/pre&gt;<br /> <br /> ==File &#039;&#039;params.conf&#039;&#039;==<br /> &lt;pre&gt;<br /> blockedIP = 62.27.41.69 = 20060529 - adware webserver<br /> blockedIP = 195.56.146.210 = 20060805 - forum.joomla.hu<br /> blockedIP = 82.201.220.60 = 20070918 - messes on udp500<br /> blockedIP = 80.73.129.193 = 20080127 - lots of NewNotSyns<br /> <br /> <br /> IPsecRemoteNET = &#039;Odeon.lan&#039; = descriptive name of the IPtunnel destination<br /> IPsecLocalLanIP = $lanIP = the local IP address of the router<br /> IPsecLocalLAN = $lanNET = the LAN segment we&#039;re prepared to open<br /> IPsecLocalWANIP = $inetIP = Our own external IP for this connection<br /> IPsecRemoteLAN = &#039;192.168.70.0/24&#039; = the remote LAN segment we wanna reach<br /> IPsecRemoteWANIP = &#039;82.161.20.132&#039; = the public IP of the remote gateway<br /> &lt;/pre&gt;<br /> <br /> ==File &#039;&#039;rules.conf&#039;&#039;==<br /> <br /> &lt;pre&gt;<br /> ######################################################################<br /> ### ###<br /> ### 1.1 PRE_ROUTING mangle ###<br /> ### ###<br /> ### use case: mark incoming packets for (outgoing) traffic control ###<br /> ### ###<br /> ######################################################################<br /> <br /> context &quot;PREROUTING&quot; &quot;mangle&quot;<br /> <br /> # Mark incoming ESP packets with mark &quot;1&quot;<br /> let &quot;i=0&quot;;<br /> while [[ $i -lt $IPsecNumOfTunnels ]]; do<br /> let &quot;i += 1&quot;;<br /> mark 1 -p esp -s ${IPsecRemoteWANIP[$i]} -d ${IPsecLocalWANIP[$i]};<br /> done;<br /> <br /> # default policy: accept<br /> <br /> <br /> ######################################################################<br /> ### ###<br /> ### 1.2 PRE_ROUTING nat ###<br /> ### ###<br /> ### use cases: ###<br /> ### - DNAT (incoming connects to private ip&#039;s, e.g. DMZ or svr) ###<br /> ### - REDIRECT (machine port redirects / transparant proxy) ###<br /> ### ###<br /> ######################################################################<br /> <br /> context &quot;PREROUTING&quot; &quot;nat&quot;<br /> <br /> # let IPsec traffic bypass any SNATting<br /> let &quot;i=0&quot;<br /> while [[ $i -lt $IPsecNumOfTunnels ]]; do<br /> let &quot;i += 1&quot;<br /> accept -s ${IPsecRemoteLAN[$i]} -d ${IPsecLocalLAN[$i]}<br /> done<br /> <br /> # also accept all traffic marked &quot;1&quot; which is<br /> # incoming ESP traffic from trusted remote IP&#039;s<br /> # SHOULD already be handled by the default policy<br /> accept -m mark --mark 1<br /> <br /> # make Squid our transparent proxy<br /> dnat to ${lanIP}:3128 -p tcp -i $lanIF --dport 80<br /> <br /> # default policy: accept<br /> <br /> <br /> ######################################################################<br /> ### ###<br /> ### 2.1 FORWARD mangle ###<br /> ### ###<br /> ### use case: none ###<br /> ### ###<br /> ######################################################################<br /> <br /> context &quot;FORWARD&quot; &quot;mangle&quot;<br /> <br /> # default policy: accept<br /> <br /> <br /> ######################################################################<br /> ### ###<br /> ### 2.2 FORWARD filter ###<br /> ### ###<br /> ### use case: filter traffic forwarded between networks ###<br /> ### ###<br /> ### ATTENTION please: choose an appropriate forwarding policy ###<br /> ### o no forwarding: 0 &gt; ip_forward ###<br /> ### o untrusted forwarding: filter ports + egress ip ###<br /> ### o trusted forwarding: filter only egress ip ###<br /> ### ###<br /> ######################################################################<br /> <br /> context &quot;FORWARD&quot; &quot;filter&quot;<br /> <br /> # upfront blocking of all banned IP&#039;s<br /> let &quot;j = 0&quot;;<br /> while [[ $j -lt ${blockedIP[0]} ]]; do<br /> let &quot;j += 1&quot;;<br /> drop -s ${blockedIP[$j]};<br /> drop log msg Banned_IP_$j -d ${blockedIP[$j]};<br /> done<br /> <br /> # drop some nasty P2P calls<br /> reject with host-prohib -p tcp --dport 13830<br /> <br /> # Connection tracking for forwarding<br /> accept -m state --state ESTABLISHED,RELATED<br /> <br /> # drop new-not-syn<br /> drop log msg FORWARD_NewNotSYN -p tcp ! --syn -m state --state NEW<br /> <br /> # let IPsec traffic through<br /> let &quot;i=0&quot;<br /> while [[ $i -lt $IPsecNumOfTunnels ]]; do<br /> let &quot;i += 1&quot;<br /> drop -s $FRESHFIELDNET -d ${IPsecRemoteLAN[$i]} # Freshfieldnet has no business in the tunnels<br /> accept -s ${IPsecLocalLAN[$i]} -d ${IPsecRemoteLAN[$i]}<br /> accept -s ${IPsecRemoteLAN[$i]} -d ${IPsecLocalLAN[$i]}<br /> done<br /> <br /> # Allow Yodi&#039;s mail (pop3.zonnet.nl + mail.descartes.nl + wissit.com/mail.wissit.nl)<br /> accept -p tcp -d 62.58.50.236 --dport 110<br /> accept -p tcp -d 213.196.12.29 --dport 110<br /> accept -p tcp -d 194.121.181.250 --dport 25<br /> <br /> # Allow MPPE-traffic from inside to outside<br /> accept -p 47<br /> <br /> # Specifically block certain ports out to the Internet<br /> # Mainly mail, DNS and NTP<br /> drop -p tcp -m multiport --dport 25,53,110,123<br /> drop -p udp -m multiport --dport 53,123<br /> <br /> # Generic TCP traffic allowed out to the Internet: everything else<br /> # note: return traffic is handled by connection tracking<br /> accept -p tcp -s $lanNET<br /> accept -p udp -s $lanNET<br /> <br /> # Allowing full ICMP between inside and outside<br /> accept -p icmp -s $lanNET<br /> <br /> # default policy: drop<br /> <br /> <br /> ######################################################################<br /> ### ###<br /> ### 3.2 INPUT filter ###<br /> ### ###<br /> ### use case: filter incoming traffic directed at machine host ###<br /> ### ###<br /> ######################################################################<br /> <br /> context &quot;INPUT&quot; &quot;filter&quot;<br /> <br /> # upfront blocking of all banned IP&#039;s<br /> let &quot;j = 0&quot;;<br /> while [[ $j -lt ${blockedIP[0]} ]]; do<br /> let &quot;j += 1&quot;;<br /> drop -s ${blockedIP[$j]}<br /> done<br /> <br /> # Spoofed IP protect<br /> # a bit superfluous, since rp_filter (Source Address Verification) can<br /> # be turned on in /proc/sys...<br /> # drop log msg Local_IP_from_Inet_192 -i $inetIF -s 192.168.0.0/16<br /> # drop log msg Local_IP_from_Inet_10 -i $inetIF -s 10.0.0.0/8<br /> # drop log msg Local_IP_from_Inet_172 -i $inetIF -s 172.16.0.0/12<br /> <br /> # drop some nasty P2P calls<br /> reject with host-prohib -p tcp --dport 13830<br /> <br /> # drop new-not-syn<br /> drop log msg INPUT_NewNotSYN -p tcp ! --syn -m state --state NEW<br /> <br /> # Connection tracking for incoming traffic<br /> accept -m state --state ESTABLISHED,RELATED<br /> <br /> # Drop different attacks:<br /> # Xmas scan<br /> drop log msg Xmas_scan -i $inetIF -p tcp --tcp-flags ALL FIN,URG,PSH<br /> drop log msg Xmas_scan -i $inetIF -p tcp --tcp-flags ALL ALL<br /> # Stealth scan<br /> drop log msg Stealth_scan -i $inetIF -p tcp --tcp-flags SYN,ACK,FIN,RST RST<br /> drop log msg Stealth_scan -i $inetIF -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG<br /> drop log msg Stealth_scan -i $inetIF -p tcp --tcp-flags ALL NONE<br /> # SYN,RST scan<br /> drop log msg SYN/RST_scan -i $inetIF -p tcp --tcp-flags SYN,RST SYN,RST<br /> # SYN,FIN scan<br /> drop log msg SYN/FIN_scan -i $inetIF -p tcp --tcp-flags SYN,FIN SYN,FIN<br /> <br /> # drop SSH connections if they&#039;re spurious (more than 2 attempts per minute)<br /> nojump -p tcp --dport 22 -i $inetIF -m state --state NEW -m recent --name SSHERS --set<br /> drop -p tcp --dport 22 -i $inetIF -m state --state NEW -m recent --name SSHERS --update --seconds 60 --hitcount 3<br /> # accept SSH from all sides<br /> accept -p tcp --dport 22<br /> <br /> # accept IKE traffic from everyone including NAT-T<br /> accept -p udp --sport 500 --dport 500<br /> accept -p udp --sport 4500 --dport 4500<br /> # accept ESP traffic from everyone<br /> # accept -p esp<br /> <br /> # accept all traffic marked &quot;1&quot;, which is<br /> # incoming ESP traffic from trusted remote IP&#039;s<br /> accept -m mark --mark 1<br /> <br /> # accept MPPTP to this machine from the Internet<br /> accept -p tcp --dport 1723<br /> # accept -i $inetIF -p 47<br /> accept -p 47<br /> <br /> <br /> # This might be needed for 2 simultaneous connections to a local PPTP server??<br /> #accept -i ppp0<br /> #accept -o ppp0<br /> #accept -i ppp1<br /> #accept -o ppp1<br /> <br /> # accepting ICMP traffic from the inside<br /> accept -i $lanIF -p icmp;<br /> # accepting ICMP traffic from the Internet side<br /> accept -i $inetIF -p icmp<br /> #accept -i $inetIF -p icmp --icmp-type echo-request;<br /> #accept -i $inetIF -p icmp --icmp-type ttl-exceeded;<br /> #accept -i $inetIF -p icmp --icmp-type destination-unreachable;<br /> <br /> <br /> # Generic TCP traffic from the LAN to this machine<br /> # 20 = FTP 135 = DCE Endpoint Resolution<br /> # 21 = FTP 137 = NetBIOS Name Service<br /> # 22 = SSH 138 = NetBIOS Datagram Service<br /> # 25 = SMTP 139 = NetBIOS Session Service<br /> # 53 = DNS<br /> # 80 = HTTP<br /> # 110 = POP3 <br /> accept -p tcp -i $lanIF -m multiport --dport 20,21,22,25,53,80,110,135,137,138,139<br /> # 143 = IMAP 993 = IMAP4 over TLS<br /> # 443 = HTTPS 995 = POP3 over TLS<br /> # 445 = CIFS 3128 = Squid access<br /> # 631 = CUPSadmin 3306 = MySQL port<br /> # 901 = SWAT<br /> accept -p tcp -i $lanIF -m multiport --dport 143,443,445,631,901,993,995,3128,3306<br /> <br /> # Generic TCP traffic from the Internet to this machine<br /> # 25 = SMTP 443 = HTTPS<br /> # 53 = DNS 993 = IMAP4 over TLS<br /> # 80 = HTTP 995 = POP3 over TLS<br /> # 110 = POP3<br /> # 143 = IMAP<br /> accept -p tcp -i $inetIF -m multiport --dport 25,53,80,110,143,443,993,995<br /> <br /> # Generic UDP traffic from the LAN to this machine<br /> # 53 = DNS 137 = NetBIOS Name Service<br /> # 123 = NTP 138 = NetBIOS Datagram Service<br /> # 139 = NetBIOS Session Service<br /> accept -p udp -i $lanIF -m multiport --dport 53,123,137,138,139<br /> <br /> # Generic UDP traffic from the Internet to this machine<br /> # 53 = DNS 123 = NTP<br /> accept -p udp -i $inetIF -m multiport --dport 53,123<br /> accept -p udp -i $inetIF -m multiport --sport 53,123<br /> <br /> # default policy: drop<br /> <br /> <br /> ######################################################################<br /> ### ###<br /> ### 4.1 OUTPUT mangle ###<br /> ### ###<br /> ### use case: mark locally generated traffic for traffic control ###<br /> ### ###<br /> ######################################################################<br /> <br /> context &quot;OUTPUT&quot; &quot;mangle&quot;<br /> <br /> # Mark all outgoing ESP packets to trusted IP&#039;s with mark &quot;2&quot;<br /> let &quot;i=0&quot;<br /> while [[ $i -lt $IPsecNumOfTunnels ]]; do<br /> let &quot;i += 1&quot;<br /> mark 2 -p esp -d ${IPsecRemoteWANIP[$i]}<br /> done<br /> <br /> # default policy: accept<br /> <br /> <br /> ######################################################################<br /> ### ###<br /> ### 4.2 OUTPUT nat ###<br /> ### ###<br /> ### use cases: ###<br /> ### - DNAT locally generated traffic (e.g. tunnel encapsulation) ###<br /> ### - REDIRECT port redirects (???) ###<br /> ### ###<br /> ######################################################################<br /> <br /> context &quot;OUTPUT&quot; &quot;nat&quot;<br /> <br /> # accept trusted outgoing ESP packages, which are marked &quot;2&quot;<br /> # only needed if we need to bypass some NAT rules<br /> # accept -m mark --mark 2<br /> <br /> # default policy: accept<br /> <br /> <br /> ######################################################################<br /> ### ###<br /> ### 4.3 OUTPUT filter ###<br /> ### ###<br /> ### use case: filter locally generated traffic ###<br /> ### ###<br /> ######################################################################<br /> <br /> context &quot;OUTPUT&quot; &quot;filter&quot;<br /> <br /> # upfront blocking of all banned IP&#039;s<br /> let &quot;j = 0&quot;;<br /> while [[ $j -lt ${blockedIP[0]} ]]; do<br /> let &quot;j += 1&quot;<br /> drop log msg Banned_IP_$j -d ${blockedIP[$j]}<br /> done<br /> <br /> # accept trusted outgoing ESP packages, which are marked &quot;2&quot;<br /> accept -m mark --mark 2<br /> <br /> # assume ALL traffic from the server to the LAN is safe<br /> accept -p tcp -o $lanIF<br /> accept -p udp -o $lanIF<br /> <br /> # for convenience, let&#039;s for now assume all traffic from<br /> # the server to the Internet is safe as well....<br /> accept -p tcp -o $inetIF<br /> accept -p udp -o $inetIF<br /> accept -p 47 <br /> accept -p icmp<br /> <br /> accept log msg odeon_output -p tcp -d 192.168.70.0/24<br /> accept log msg odeon_output -p udp -d 192.168.70.0/24<br /> <br /> # default policy: drop<br /> <br /> <br /> ######################################################################<br /> ### ###<br /> ### 5.1 POSTROUTING mangle ###<br /> ### ###<br /> ### use case: set TOS on outgoing packets to guide other routers ###<br /> ### ###<br /> ######################################################################<br /> <br /> context &quot;POSTROUTING&quot; &quot;mangle&quot;<br /> <br /> classify 1:11 -s $JANNET -d ! $lanNET<br /> classify 2:11 -d $JANNET -s ! $lanNET<br /> classify 1:12 -s $FRESHFIELDNET -d ! $lanNET<br /> classify 2:12 -d $FRESHFIELDNET -s ! $lanNET<br /> classify 2:99 -s $lanNET -d $lanNET<br /> # default policy: accept<br /> <br /> <br /> ######################################################################<br /> ### ###<br /> ### 5.2 POSTROUTING nat ###<br /> ### ###<br /> ### use cases ###<br /> ### - SNAT hide LAN ip range behind public ip façade ###<br /> ### - MASQUERADE on dynamic ip dialup interface only ###<br /> ### ###<br /> ######################################################################<br /> <br /> context &quot;POSTROUTING&quot; &quot;nat&quot;<br /> <br /> # let trusted IPsec traffic bypass the NATting<br /> let &quot;i=0&quot;<br /> while [[ $i -lt $IPsecNumOfTunnels ]]; do<br /> let &quot;i += 1&quot;<br /> accept -s ${IPsecLocalLAN[$i]} -d ${IPsecRemoteLAN[$i]}<br /> done<br /> # and accept trusted outgoing ESP packages, which are marked &quot;2&quot;,<br /> # which also need to bypass the NATting<br /> accept -m mark --mark 2<br /> <br /> # This machine is a NAT router, so sourcenat over the designated<br /> # NAT interface using the designated NAT IP address, EXCEPT for<br /> # traffic that originates from the machine itself<br /> snat to $natIP -o $natIF ! --src $natIP<br /> <br /> # default policy: accept<br /> &lt;/pre&gt;</div> Saruman!