Iceditch configuration example

Revision as of 17:01, 19 July 2008 by Saruman! (talk | contribs) (Iceditch example config)

File config.conf

## PUT YOUR OWN ADDRESS HERE! if you want to receive errors by mail
MAILTO='linuxwarning@saruman.biz'

# external programs the rule set is built on
CMD='/sbin/iptables'
SYSLOG='/usr/bin/logger'

# Logging target: "LOG" (kernel log) or "ULOG" (Userspace Logging Daemon).
# FWLOGPREFIX carries the matching prefix option for the chosen target:
# "--log-prefix" for LOG, "--ulog-prefix" for ULOG.
FWLOG='ULOG'
FWLOGPREFIX='--ulog-prefix'

# topology -- Internet side
inetIF='eth1'
inetIP='212.238.151.172'

# topology -- LAN side
lanIF='eth0'
lanIP='192.168.67.10'
lanNET='192.168.67.0/24'

# NAT happens on the Internet-facing interface with its public address
natIF="$inetIF"
natIP="$inetIP"

# Define some subnets (used for per-subnet rules and traffic classes)
FRESHFIELDNET='192.168.67.144/28'   # Limited hosts: .144 through .159
JANNET='192.168.67.160/27'          # Limited hosts: .160 through .191
SASNET='192.168.67.192/26'          # Limited hosts: .192 through .254

################################################################################
##  Here you can declare and/or read every variable you'll need in the rules  ##
################################################################################

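# Fetch all IP's that are totally blocked.
# lookup_param_list is provided by the iceditch script itself (it is not
# defined in this file); as used here it leaves its result in the array r,
# with r[0] = number of entries and r[1..n] = the values.
# rules.conf reads ${blockedIP[0]} as the entry count, so the count is stored
# in blockedIP[0] and the addresses in blockedIP[1..n].
lookup_param_list 'blockedIP' "/etc/iceditch/params.conf"
# An empty or missing result counts as zero entries.  Previously an empty
# ${r[0]} made the numeric test error out and left blockedIP[0] unset, which
# in turn breaks every 'while [[ $j -lt ${blockedIP[0]} ]]' loop in rules.conf.
NumOfBlockedIPs=${r[0]:-0}
blockedIP[0]=$NumOfBlockedIPs
i=1
while [ "$i" -le "$NumOfBlockedIPs" ]; do
	blockedIP[$i]=${r[$i]}
	i=$((i + 1))
done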


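# Fetch all IPsec tunnel parameters.
# lookup_param_list comes from the iceditch script itself (not defined in this
# file); as used here it fills the array r with r[0] = number of entries and
# r[1..n] = the values.  The tunnel arrays are filled 1-based
# (index 1..IPsecNumOfTunnels) because every loop in rules.conf increments i
# before using it as an index; index 0 stays unused.
#
# All three lists are read from the same params.conf.  iceditch's own
# PATHNAME/PARMFILENAME are honoured when they are set; otherwise the path the
# blockedIP lookup above hard-codes is used, so the lookups can no longer point
# at two different files by accident.
IPsecParamFile="${PATHNAME:-/etc/iceditch}/${PARMFILENAME:-params.conf}"

lookup_param_list 'IPsecLocalLAN' "$IPsecParamFile"
# an empty or missing result means "no tunnels"; an empty string here would
# make the numeric comparison below error out
IPsecNumOfTunnels=${r[0]:-0}
if [ "$IPsecNumOfTunnels" -gt 0 ]; then
	for (( i = 1; i <= IPsecNumOfTunnels; i++ )); do
		IPsecLocalLAN[$i]=${r[$i]}
		IPsecLocalLANIP[$i]=$lanIP     # we don't read these from the config
		IPsecLocalWANIP[$i]=$inetIP    # file, since they're always the same
	done                               # (the IPsecLocalLanIP / IPsecLocalWANIP
	                                   #  lines in params.conf are ignored)
	lookup_param_list 'IPsecRemoteWANIP' "$IPsecParamFile"
	for (( i = 1; i <= IPsecNumOfTunnels; i++ )); do
		IPsecRemoteWANIP[$i]=${r[$i]}
	done
	lookup_param_list 'IPsecRemoteLAN' "$IPsecParamFile"
	for (( i = 1; i <= IPsecNumOfTunnels; i++ )); do
		IPsecRemoteLAN[$i]=${r[$i]}
	done
fi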

File params.conf

blockedIP = 62.27.41.69        = 20060529 - adware webserver
blockedIP = 195.56.146.210     = 20060805 - forum.joomla.hu
blockedIP = 82.201.220.60      = 20070918 - messes on udp500
blockedIP = 80.73.129.193      = 20080127 - lots of NewNotSyns


IPsecRemoteNET   = 'Odeon.lan'         = descriptive name of the IPtunnel destination
IPsecLocalLanIP  = $lanIP              = the local IP address of the router
IPsecLocalLAN    = $lanNET             = the LAN segment we're prepared to open
IPsecLocalWANIP  = $inetIP             = Our own external IP for this connection
IPsecRemoteLAN   = '192.168.70.0/24'   = the remote LAN segment we want to reach
IPsecRemoteWANIP = '82.161.20.132'     = the public IP of the remote gateway

File rules.conf

######################################################################
###                                                                ###
### 1.1 PRE_ROUTING mangle                                         ###
###                                                                ###
### use case: mark incoming packets for (outgoing) traffic control ###
###                                                                ###
######################################################################

    context "PREROUTING" "mangle"

    # Mark incoming ESP packets with mark "1"
    # Only ESP from a configured remote gateway (IPsecRemoteWANIP) to our own
    # WAN address gets the mark; PREROUTING/nat and INPUT later accept on
    # "--mark 1", so this loop is what turns the peer list into an allow-list.
    # Arrays are 1-based: i is incremented before it is used as an index.
    # (context/mark are iceditch rule verbs, defined by the iceditch script.)
    let "i=0";
    while [[ $i -lt $IPsecNumOfTunnels ]]; do
        let "i += 1";
        mark 1 -p esp -s ${IPsecRemoteWANIP[$i]} -d ${IPsecLocalWANIP[$i]};
    done;
    
    # default policy: accept


######################################################################
###                                                                ###
### 1.2 PRE_ROUTING nat                                            ###
###                                                                ###
### use cases:                                                     ###
### - DNAT (incoming connects to private ip's, e.g. DMZ or svr)    ###
### - REDIRECT (machine port redirects / transparant proxy)        ###
###                                                                ###
######################################################################

    context "PREROUTING" "nat"

    # let IPsec traffic bypass any SNATting
    # (remote LAN -> local LAN packets are accepted here first, so the Squid
    #  redirect below can never touch tunnel traffic)
    let "i=0"
    while [[ $i -lt $IPsecNumOfTunnels ]]; do
        let "i += 1"
        accept -s ${IPsecRemoteLAN[$i]} -d ${IPsecLocalLAN[$i]}
    done

    # also accept all traffic marked "1" which is
    # incoming ESP traffic from trusted remote IP's
    # SHOULD already be handled by the default policy
    accept -m mark --mark 1
    
    # make Squid our transparent proxy
    # Only TCP/80 arriving on $lanIF is redirected to the local Squid port;
    # everything else in this chain falls through to the accept policy.
    dnat to ${lanIP}:3128 -p tcp -i $lanIF --dport 80
    
    # default policy: accept


######################################################################
###                                                                ###
### 2.1 FORWARD mangle                                             ###
###                                                                ###
### use case: none                                                 ###
###                                                                ###
######################################################################

    context "FORWARD" "mangle"
    
    # no rules: forwarded packets are not marked or classified here
    # default policy: accept


######################################################################
###                                                                ###
### 2.2 FORWARD filter                                             ###
###                                                                ###
### use case: filter traffic forwarded between networks            ###
###                                                                ###
### ATTENTION please: choose an appropriate forwarding policy      ###
### o no forwarding: 0 > ip_forward                                ###
### o untrusted forwarding: filter ports + egress ip               ###
### o trusted forwarding: filter only egress ip                    ###
###                                                                ###
######################################################################

    context "FORWARD" "filter"

    # upfront blocking of all banned IP's
    # blockedIP[0] holds the number of entries (config.conf stores the count
    # there), the addresses live in blockedIP[1..n].  Packets *from* a banned
    # host are dropped silently, packets *to* one are dropped and logged as
    # Banned_IP_<n>.  If the list is empty blockedIP[0] is unset and the -lt
    # test errors out instead of simply skipping the loop.
    let "j = 0";
    while [[ $j -lt ${blockedIP[0]} ]]; do
        let "j += 1";
        drop -s ${blockedIP[$j]};
        drop log msg Banned_IP_$j -d ${blockedIP[$j]};
    done

    # drop some nasty P2P calls
    # (answered with an ICMP host-prohibited instead of a silent drop)
    reject with host-prohib -p tcp --dport 13830

    # Connection tracking for forwarding
    # Placed before the port blocks and the per-network accepts below, so the
    # reply half of any connection allowed further down needs no rule of its own.
    accept -m state --state ESTABLISHED,RELATED
    
    # drop new-not-syn
    drop log msg FORWARD_NewNotSYN -p tcp ! --syn -m state --state NEW

    # let IPsec traffic through
    # local LAN <-> remote LAN of every configured tunnel, in both directions;
    # FRESHFIELDNET is carved out first so its hosts cannot reach the remote LANs.
    let "i=0"
    while [[ $i -lt $IPsecNumOfTunnels ]]; do
        let "i += 1"
        drop -s $FRESHFIELDNET -d ${IPsecRemoteLAN[$i]}   # Freshfieldnet has no business in the tunnels
        accept -s ${IPsecLocalLAN[$i]} -d ${IPsecRemoteLAN[$i]}
        accept -s ${IPsecRemoteLAN[$i]} -d ${IPsecLocalLAN[$i]}
    done
    
    # Allow Yodi's mail (pop3.zonnet.nl + mail.descartes.nl + wissit.com/mail.wissit.nl)
    # These are exceptions to the outbound 25/110 block below and must stay
    # above it.  The addresses are hard-coded and are not kept in sync with
    # the host names in the comment.
    accept -p tcp -d 62.58.50.236 --dport 110
    accept -p tcp -d 213.196.12.29 --dport 110
    accept -p tcp -d 194.121.181.250 --dport 25
      
    # Allow MPPE-traffic from inside to outside
    # (protocol 47 = GRE; there is no -i/-o/-s restriction, so GRE is in fact
    #  forwarded in both directions between any networks)
    accept -p 47

    # Specifically block certain ports out to the Internet
    # Mainly mail, DNS and NTP
    # No -s/-o restriction: this applies to everything still being forwarded
    # at this point, i.e. LAN clients have to use the router's own mail/DNS/NTP
    # services, which the INPUT chain opens on $lanIF.
    drop -p tcp -m multiport --dport 25,53,110,123
    drop -p udp -m multiport --dport 53,123
    
    # Generic TCP traffic allowed out to the Internet: everything else
    # note: return traffic is handled by connection tracking
    # (only the source is checked -- no destination or interface restriction)
    accept -p tcp -s $lanNET
    accept -p udp -s $lanNET
    
    # Allowing full ICMP between inside and outside
    # (LAN-originated ICMP only; replies come back through the conntrack rule)
    accept -p icmp -s $lanNET

    # default policy: drop


######################################################################
###                                                                ###
### 3.2 INPUT filter                                               ###
###                                                                ###
### use case: filter incoming traffic directed at machine host     ###
###                                                                ###
######################################################################

    context "INPUT" "filter"

    # upfront blocking of all banned IP's
    # (silent drop: unlike FORWARD and OUTPUT this chain does not log its
    #  banned-IP hits -- add "log msg" here if inbound hits should be visible)
    let "j = 0";
    while [[ $j -lt ${blockedIP[0]} ]]; do
        let "j += 1";
        drop -s ${blockedIP[$j]}
    done

    # Spoofed IP protect
    # a bit superfluous, since rp_filter (Source Address Verification) can
    # be turned on in /proc/sys...
    # NOTE(review): these rules are disabled in favour of rp_filter; confirm
    # that rp_filter is really enabled for $inetIF on this host, otherwise
    # re-enable the three rules below.
    # drop log msg Local_IP_from_Inet_192 -i $inetIF -s 192.168.0.0/16
    # drop log msg Local_IP_from_Inet_10 -i $inetIF -s 10.0.0.0/8
    # drop log msg Local_IP_from_Inet_172 -i $inetIF -s 172.16.0.0/12

    # drop some nasty P2P calls
    reject with host-prohib -p tcp --dport 13830
    
    # drop new-not-syn
    drop log msg INPUT_NewNotSYN -p tcp ! --syn -m state --state NEW

    # Connection tracking for incoming traffic
    # (replies to this host's own outgoing queries -- DNS, NTP, ... -- are
    #  matched here, before any port-specific rule)
    accept -m state --state ESTABLISHED,RELATED
    
    # Drop different attacks:
    # TCP flag-combination checks on the Internet side only; every hit is
    # logged with the given message so scans show up in the (U)LOG output.
    # Xmas scan
    drop log msg Xmas_scan -i $inetIF -p tcp --tcp-flags ALL FIN,URG,PSH
    drop log msg Xmas_scan -i $inetIF -p tcp --tcp-flags ALL ALL
    # Stealth scan
    drop log msg Stealth_scan -i $inetIF -p tcp --tcp-flags SYN,ACK,FIN,RST RST
    drop log msg Stealth_scan -i $inetIF -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG
    drop log msg Stealth_scan -i $inetIF -p tcp --tcp-flags ALL NONE
    # SYN,RST scan
    drop log msg SYN/RST_scan -i $inetIF -p tcp --tcp-flags SYN,RST SYN,RST
    # SYN,FIN scan
    drop log msg SYN/FIN_scan -i $inetIF -p tcp --tcp-flags SYN,FIN SYN,FIN

    # drop SSH connections if they're spurious (more than 2 attempts per minute)
    # The first rule only records the source in the "SSHERS" recent-list
    # (nojump presumably = a match without a target); the second drops a NEW
    # connection when the same source was seen 3 times (--hitcount 3, the
    # current one included) within 60 seconds.  Both rules look at $inetIF
    # only, so LAN-side SSH is never rate-limited.
    nojump -p tcp --dport 22 -i $inetIF -m state --state NEW -m recent --name SSHERS --set
    drop -p tcp --dport 22 -i $inetIF -m state --state NEW -m recent --name SSHERS --update --seconds 60 --hitcount 3
    # accept SSH from all sides
    accept -p tcp --dport 22

    # accept IKE traffic from everyone including NAT-T
    # NOTE(review): source and destination port are both pinned; a peer behind
    # a NAT that rewrites the source port will not match these rules -- drop
    # the --sport restriction if such peers have to connect.
    accept -p udp --sport 500 --dport 500
    accept -p udp --sport 4500 --dport 4500
    # accept ESP traffic from everyone
    # (kept disabled on purpose: ESP is only accepted via mark "1" below,
    #  i.e. from the gateways listed in IPsecRemoteWANIP)
    # accept -p esp

    # accept all traffic marked "1", which is
    # incoming ESP traffic from trusted remote IP's
    # (the mark is set in PREROUTING/mangle per configured tunnel)
    accept -m mark --mark 1
    
    # accept MPPTP to this machine from the Internet
    # TCP/1723 is the PPTP control channel, protocol 47 (GRE) carries the
    # tunnel data.  Neither line restricts the interface, so both are also
    # open on $lanIF; the commented variant shows the Internet-only form.
    accept -p tcp --dport 1723
    # accept -i $inetIF -p 47
    accept -p 47
   

    # This might be needed for 2 simultaneous connections to a local PPTP server??
    #accept -i ppp0
    #accept -o ppp0
    #accept -i ppp1
    #accept -o ppp1

    # accepting ICMP traffic from the inside
    accept -i $lanIF -p icmp;
    # accepting ICMP traffic from the Internet side
    # (all ICMP types; the commented lines below are the narrower alternative
    #  that only admits echo-request, ttl-exceeded and destination-unreachable)
    accept -i $inetIF -p icmp
    #accept -i $inetIF -p icmp --icmp-type echo-request;
    #accept -i $inetIF -p icmp --icmp-type ttl-exceeded;
    #accept -i $inetIF -p icmp --icmp-type destination-unreachable;
    

    # Generic TCP traffic from the LAN to this machine
    # (LAN-only services: file/print sharing, SWAT, Squid and MySQL are opened
    #  on $lanIF only and never appear in the $inetIF list further down)
    #   20 = FTP          135 = DCE Endpoint Resolution
    #   21 = FTP          137 = NetBIOS Name Service
    #   22 = SSH          138 = NetBIOS Datagram Service
    #   25 = SMTP         139 = NetBIOS Session Service
    #   53 = DNS
    #   80 = HTTP
    #  110 = POP3    
    accept -p tcp -i $lanIF -m multiport --dport 20,21,22,25,53,80,110,135,137,138,139
    #  143 = IMAP          993 = IMAP4 over TLS
    #  443 = HTTPS         995 = POP3 over TLS
    #  445 = CIFS         3128 = Squid access
    #  631 = CUPSadmin    3306 = MySQL port
    #  901 = SWAT
    accept -p tcp -i $lanIF -m multiport --dport 143,443,445,631,901,993,995,3128,3306
    
    # Generic TCP traffic from the Internet to this machine
    # NOTE(review): 110 (POP3) and 143 (IMAP) are the clear-text variants of
    # 995/993, which are opened as well; if the remote clients can use the TLS
    # ports, the clear-text ones need not be reachable from the Internet.
    #   25 = SMTP          443 = HTTPS
    #   53 = DNS           993 = IMAP4 over TLS
    #   80 = HTTP          995 = POP3 over TLS
    #  110 = POP3
    #  143 = IMAP
    accept -p tcp -i $inetIF -m multiport --dport 25,53,80,110,143,443,993,995
    
    # Generic UDP traffic from the LAN to this machine
    #   53 = DNS           137 = NetBIOS Name Service
    #  123 = NTP           138 = NetBIOS Datagram Service
    #                      139 = NetBIOS Session Service
    accept -p udp -i $lanIF -m multiport --dport 53,123,137,138,139
    
    # Generic UDP traffic from the Internet to this machine
    #   53 = DNS           123 = NTP
    accept -p udp -i $inetIF -m multiport --dport 53,123
    # NOTE(review): the --sport rule below matches on the *source* port only,
    # so any UDP datagram sent from port 53 or 123 is accepted to every local
    # UDP port.  Replies to this host's own DNS/NTP queries are already let in
    # by the ESTABLISHED,RELATED rule above; check whether this rule is still
    # needed and remove it if it is not.
    accept -p udp -i $inetIF -m multiport --sport 53,123
    
    # default policy: drop


######################################################################
###                                                                ###
### 4.1 OUTPUT mangle                                              ###
###                                                                ###
### use case: mark locally generated traffic for traffic control   ###
###                                                                ###
######################################################################

    context "OUTPUT" "mangle"
    
    # Mark all outgoing ESP packets to trusted IP's with mark "2"
    # Consumers of the mark: OUTPUT/filter accepts it and POSTROUTING/nat lets
    # it bypass the SNAT.  Arrays are 1-based, hence the increment before use.
    let "i=0"
    while [[ $i -lt $IPsecNumOfTunnels ]]; do
        let "i += 1"
        mark 2 -p esp -d ${IPsecRemoteWANIP[$i]}
    done
    
    # default policy: accept


######################################################################
###                                                                ###
### 4.2 OUTPUT nat                                                 ###
###                                                                ###
### use cases:                                                     ###
### - DNAT locally generated traffic (e.g. tunnel encapsulation)   ###
### - REDIRECT port redirects (???)                                ###
###                                                                ###
######################################################################

    context "OUTPUT" "nat"
    
    # accept trusted outgoing ESP packages, which are marked "2"
    # only needed if we need to bypass some NAT rules
    # accept -m mark --mark 2
    
    # no active rules: everything falls through to the accept policy
    # default policy: accept


######################################################################
###                                                                ###
### 4.3 OUTPUT filter                                              ###
###                                                                ###
### use case: filter locally generated traffic                     ###
###                                                                ###
######################################################################

    context "OUTPUT" "filter"
    
    # upfront blocking of all banned IP's
    # (logged as Banned_IP_<n>, like the outbound half of the FORWARD rule;
    #  blockedIP[0] is the entry count, the addresses are blockedIP[1..n])
    let "j = 0";
    while [[ $j -lt ${blockedIP[0]} ]]; do
        let "j += 1"
        drop log msg Banned_IP_$j -d ${blockedIP[$j]}
    done

    # accept trusted outgoing ESP packages, which are marked "2"
    # (the mark is set in OUTPUT/mangle for ESP to a configured remote gateway)
    accept -m mark --mark 2

    # assume ALL traffic from the server to the LAN is safe
    accept -p tcp -o $lanIF
    accept -p udp -o $lanIF

    # for convenience, let's for now assume all traffic from
    # the server to the Internet is safe as well....
    # Together with the two LAN lines above, the drop policy at the end only
    # affects other protocols, or other interfaces (e.g. ppp*) if present.
    accept -p tcp -o $inetIF
    accept -p udp -o $inetIF
    accept -p 47 
    accept -p icmp

    # NOTE(review): 192.168.70.0/24 duplicates the IPsecRemoteLAN value in
    # params.conf and will drift if the tunnel is ever renumbered.  These two
    # logging rules are also only reached by packets the -o $lanIF / -o $inetIF
    # accepts above did not already match, i.e. only if tunnel traffic leaves
    # through some other interface -- otherwise nothing is ever logged here.
    accept log msg odeon_output -p tcp -d 192.168.70.0/24
    accept log msg odeon_output -p udp -d 192.168.70.0/24

    # default policy: drop


######################################################################
###                                                                ###
### 5.1 POSTROUTING mangle                                         ###
###                                                                ###
### use case: set TOS on outgoing packets to guide other routers   ###
###                                                                ###
######################################################################

    context "POSTROUTING" "mangle"
    
    # Traffic-control classification.  The class ids (major:minor) belong to a
    # tc/qdisc setup that is not part of this configuration:
    #   1:11 / 1:12  traffic leaving JANNET / FRESHFIELDNET for outside the LAN
    #   2:11 / 2:12  traffic entering JANNET / FRESHFIELDNET from outside the LAN
    #   2:99         LAN-internal traffic
    # NOTE(review): "-d ! net" is the old intra-option negation syntax; newer
    # iptables releases expect "! -d net" -- check against the installed
    # version (or whether the classify verb rewrites it).
    classify 1:11 -s $JANNET -d ! $lanNET
    classify 2:11 -d $JANNET -s ! $lanNET
    classify 1:12 -s $FRESHFIELDNET -d ! $lanNET
    classify 2:12 -d $FRESHFIELDNET -s ! $lanNET
    classify 2:99 -s $lanNET -d $lanNET
    # default policy: accept


######################################################################
###                                                                ###
### 5.2 POSTROUTING nat                                            ###
###                                                                ###
### use cases                                                      ###
### - SNAT hide LAN ip range behind public ip façade               ###
### - MASQUERADE on dynamic ip dialup interface only               ###
###                                                                ###
######################################################################

    context "POSTROUTING" "nat"

    # let trusted IPsec traffic bypass the NATting
    # (local LAN -> remote LAN has to keep its private source address; the SNAT
    #  below has no destination exclusion and would otherwise rewrite it)
    let "i=0"
    while [[ $i -lt $IPsecNumOfTunnels ]]; do
        let "i += 1"
        accept -s ${IPsecLocalLAN[$i]} -d ${IPsecRemoteLAN[$i]}
    done
    # and accept trusted outgoing ESP packages, which are marked "2",
    # which also need to bypass the NATting
    accept -m mark --mark 2

    # This machine is a NAT router, so sourcenat over the designated
    # NAT interface using the designated NAT IP address, EXCEPT for
    # traffic that originates from the machine itself
    # (only packets leaving via $natIF whose source is not already the public
    #  address are rewritten; natIF/natIP are set to inetIF/inetIP in config.conf)
    snat to $natIP -o $natIF ! --src $natIP

    # default policy: accept