firewall

Antivirus, forensics, intrusion detection, cryptography, etc.
shadowKnows

firewall

#1 Post by shadowKnows »

Here is what I have for a firewall.


Not the best way to load the rules with iptables-restore, but good enough until I figure out the right way to do it.

.bashrc = <!

#B691ED#B791F0. /etc/profile

iptables-restore /root/firewall

alias ls="ls --color=auto"
alias lsd="ls -lad"
alias lswd="ls -ad"
alias ll="ls -la"
alias mf="more $1"
alias vi=defaulttexteditor


#v1.0.5 need to override TERM setting in /etc/profile...
#export TERM=xterm
# ...v2.13 removed.

#export HISTFILESIZE=2000#000000
#export HISTCONTROL=ignoredups
#...v2.13 removed.
#B791F0

!>

firewall = <!
# Generated by iptables-save v1.3.8 on Thu Feb 26 21:16:44 2009
# mangle table: all five built-in chains keep their ACCEPT policy and no rules
# are defined, so this table does nothing. The bracketed numbers are the
# packet:byte counters of the machine the dump was taken from.
*mangle
:PREROUTING ACCEPT [60:9146]
:INPUT ACCEPT [60:9146]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [53:3849]
:POSTROUTING ACCEPT [60:4584]
COMMIT
# Completed on Thu Feb 26 21:16:44 2009
# Generated by iptables-save v1.3.8 on Thu Feb 26 21:16:44 2009
# nat table: ACCEPT policies and no rules, so no address translation is
# configured (consistent with FORWARD being dropped in the filter table).
*nat
:PREROUTING ACCEPT [7:1546]
:POSTROUTING ACCEPT [53:3849]
:OUTPUT ACCEPT [53:3849]
COMMIT
# Completed on Thu Feb 26 21:16:44 2009
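# Generated by iptables-save v1.3.8 on Thu Feb 26 21:16:44 2009
# filter table: default-deny for inbound and forwarded traffic, outbound
# allowed. Loopback is trusted; everything arriving on eth0 goes through
# INET_IN, and whatever is not accepted there is logged (rate-limited) and
# dropped by PACKET_DROP.
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [53:3849]
:CHECK_ICMP - [0:0]
:CHECK_TCP - [0:0]
:INET_IN - [0:0]
:INET_IN_TCP - [0:0]
:INET_IN_UDP - [0:0]
:INET_OUT - [0:0]
:PACKET_DROP - [0:0]
:SPOOFING - [0:0]
:SYN_FLOOD - [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -i eth0 -j INET_IN
-A INPUT -j PACKET_DROP
-A FORWARD -j PACKET_DROP
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -o eth0 -j INET_OUT
# CHECK_TCP: log (1/sec) and then drop malformed TCP. The original dump
# repeated the FIN,PSH,URG / NONE / SYN,RST / FIN,SYN drops several times;
# once the first DROP for a flag combination matches, later copies can never
# be reached, so only the first of each is kept here.
-A CHECK_TCP -m state --state INVALID -m limit --limit 1/sec -j LOG --log-prefix "INVALID Packet " --log-level 6
-A CHECK_TCP -p tcp -m tcp --tcp-option 64 -m limit --limit 1/sec -j LOG --log-prefix "BAD TCP FLAG(64) " --log-level 6
-A CHECK_TCP -p tcp -m tcp --tcp-option 128 -m limit --limit 1/sec -j LOG --log-prefix "BAD TCP FLAG(128) " --log-level 6
-A CHECK_TCP -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,PSH,URG -m limit --limit 1/sec -j LOG --log-prefix "BAD TCP FLAG " --log-level 6
-A CHECK_TCP -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,RST,ACK,URG -m limit --limit 1/sec -j LOG --log-prefix "BAD TCP FLAG " --log-level 6
-A CHECK_TCP -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,RST,PSH,ACK,URG -m limit --limit 1/sec -j LOG --log-prefix "BAD TCP FLAG " --log-level 6
-A CHECK_TCP -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -m limit --limit 1/sec -j LOG --log-prefix "BAD TCP FLAG " --log-level 6
-A CHECK_TCP -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -m limit --limit 1/sec -j LOG --log-prefix "BAD TCP FLAG " --log-level 6
-A CHECK_TCP -p tcp -m tcp --tcp-flags FIN,SYN FIN,SYN -m limit --limit 1/sec -j LOG --log-prefix "BAD TCP FLAG " --log-level 6
-A CHECK_TCP -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,PSH,URG -j DROP
-A CHECK_TCP -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j DROP
-A CHECK_TCP -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -j DROP
-A CHECK_TCP -p tcp -m tcp --tcp-flags FIN,SYN FIN,SYN -j DROP
# A NEW connection whose first packet is not a bare SYN; note this one has no
# matching LOG rule above, so it is dropped silently.
-A CHECK_TCP -p tcp -m tcp ! --tcp-flags SYN,RST,ACK SYN -m state --state NEW -j DROP
-A CHECK_TCP -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,RST,ACK,URG -j DROP
-A CHECK_TCP -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,RST,PSH,ACK,URG -j DROP
-A CHECK_TCP -m state --state INVALID -j DROP
-A CHECK_TCP -p tcp -m tcp --tcp-option 64 -j DROP
-A CHECK_TCP -p tcp -m tcp --tcp-option 128 -j DROP
# INET_IN: anti-spoofing first, then the single-host block, then the
# per-protocol checks, then anything ESTABLISHED. The host block has been moved
# above the protocol dispatch: where it sat in the original dump, ESTABLISHED
# traffic from that host was already accepted inside INET_IN_TCP/INET_IN_UDP
# before the DROP was reached, so the rule only suppressed log entries. If the
# original placement was deliberate, move it back below the dispatch.
-A INET_IN -j SPOOFING
-A INET_IN -s 216.239.116.65 -j DROP
-A INET_IN -p tcp -j INET_IN_TCP
-A INET_IN -p udp -j INET_IN_UDP
-A INET_IN -p icmp -j CHECK_ICMP
-A INET_IN -m state --state ESTABLISHED -j ACCEPT
# CHECK_ICMP was declared but empty in the original dump. ICMP errors that
# belong to this host's own connections (destination-unreachable,
# time-exceeded, fragmentation-needed for path-MTU discovery) are RELATED,
# not ESTABLISHED, so they fell through to PACKET_DROP. Accept only RELATED
# ICMP here; echo replies are ESTABLISHED and are accepted by INET_IN.
-A CHECK_ICMP -m state --state RELATED -j ACCEPT
-A INET_IN_TCP -p tcp -m tcp --tcp-flags SYN,RST,ACK SYN -j SYN_FLOOD
-A INET_IN_TCP -j CHECK_TCP
# No inbound services: only replies to connections this host opened
# (client-side ports 1024 and up).
-A INET_IN_TCP -p tcp -m tcp --dport 1024:65535 -m state --state RELATED,ESTABLISHED -j ACCEPT
# DHCP from one specific server (sport 67 -> dport 68) and DNS replies from two
# specific resolvers; addresses as in the original dump.
-A INET_IN_UDP -s 208.180.43.6 -p udp -m udp --sport 67 --dport 68 -j ACCEPT
-A INET_IN_UDP -s 66.76.2.132 -p udp -m udp --sport 53 -m state --state ESTABLISHED -j ACCEPT
-A INET_IN_UDP -s 66.76.2.133 -p udp -m udp --sport 53 -m state --state ESTABLISHED -j ACCEPT
-A INET_IN_UDP -p udp -m udp --dport 1024:65535 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INET_OUT -m state --state INVALID -j DROP
# PACKET_DROP: rate-limited log of what is dropped, by protocol (TCP, UDP,
# fragments); anything else, ICMP included, is dropped without a log entry.
-A PACKET_DROP -p tcp -m limit --limit 1/sec -j LOG --log-prefix "TCP Dropped " --log-level 6
-A PACKET_DROP -p udp -m limit --limit 1/sec -j LOG --log-prefix "UDP Dropped " --log-level 6
-A PACKET_DROP -f -m limit --limit 1/sec -j LOG --log-prefix "FRAGMENT Dropped " --log-level 6
-A PACKET_DROP -j DROP
# SPOOFING: source/destination addresses that must never arrive from the
# Internet on eth0. 75.108.115.230 is presumably this host's own public
# address (a packet claiming to come from it is forged) - confirm.
# 192.168.0.0/16 is not in the list: if eth0 faces the provider directly (the
# DHCP server accepted above is a public address) it belongs here as well,
# but leave it out if eth0 is on a 192.168 LAN.
-A SPOOFING -s 0.0.0.0/255.0.0.0 -m limit --limit 1/sec --limit-burst 1 -j LOG --log-prefix "SPOOFED Packet " --log-level 6
-A SPOOFING -s 10.0.0.0/255.0.0.0 -m limit --limit 1/sec --limit-burst 1 -j LOG --log-prefix "SPOOFED Packet " --log-level 6
-A SPOOFING -s 127.0.0.0/255.0.0.0 -m limit --limit 1/sec --limit-burst 1 -j LOG --log-prefix "SPOOFED Packet " --log-level 6
-A SPOOFING -s 169.254.0.0/255.255.0.0 -m limit --limit 1/sec --limit-burst 1 -j LOG --log-prefix "SPOOFED Packet " --log-level 6
-A SPOOFING -s 172.16.0.0/255.240.0.0 -m limit --limit 1/sec --limit-burst 1 -j LOG --log-prefix "SPOOFED Packet " --log-level 6
-A SPOOFING -s 224.0.0.0/240.0.0.0 -m limit --limit 1/sec --limit-burst 1 -j LOG --log-prefix "SPOOFED Packet " --log-level 6
-A SPOOFING -s 240.0.0.0/248.0.0.0 -m limit --limit 1/sec --limit-burst 1 -j LOG --log-prefix "SPOOFED Packet " --log-level 6
-A SPOOFING -s 248.0.0.0/248.0.0.0 -m limit --limit 1/sec --limit-burst 1 -j LOG --log-prefix "SPOOFED Packet " --log-level 6
-A SPOOFING -s 255.255.255.255 -m limit --limit 1/sec --limit-burst 1 -j LOG --log-prefix "SPOOFED Packet " --log-level 6
-A SPOOFING -s 75.108.115.230 -m limit --limit 1/sec --limit-burst 1 -j LOG --log-prefix "SPOOFED Packet " --log-level 6
-A SPOOFING -d 255.255.255.255 -m limit --limit 1/sec --limit-burst 1 -j LOG --log-prefix "SPOOFED Packet " --log-level 6
-A SPOOFING -d 0.0.0.0 -m limit --limit 1/sec --limit-burst 1 -j LOG --log-prefix "SPOOFED Packet " --log-level 6
-A SPOOFING -s 0.0.0.0/255.0.0.0 -j DROP
-A SPOOFING -s 10.0.0.0/255.0.0.0 -j DROP
-A SPOOFING -s 127.0.0.0/255.0.0.0 -j DROP
-A SPOOFING -s 169.254.0.0/255.255.0.0 -j DROP
-A SPOOFING -s 172.16.0.0/255.240.0.0 -j DROP
-A SPOOFING -s 224.0.0.0/240.0.0.0 -j DROP
-A SPOOFING -s 240.0.0.0/248.0.0.0 -j DROP
-A SPOOFING -s 248.0.0.0/248.0.0.0 -j DROP
-A SPOOFING -s 255.255.255.255 -j DROP
-A SPOOFING -s 75.108.115.230 -j DROP
-A SPOOFING -d 255.255.255.255 -j DROP
-A SPOOFING -d 0.0.0.0 -j DROP
# SYN_FLOOD: let through up to 12 SYN/sec (burst 24); beyond that, log (1/sec)
# and drop.
-A SYN_FLOOD -m limit --limit 12/sec --limit-burst 24 -j RETURN
-A SYN_FLOOD -m limit --limit 1/sec --limit-burst 1 -j LOG --log-prefix "SYN_FLOOD Dropped " --log-level 6
-A SYN_FLOOD -j DROP
COMMIT
# Completed on Thu Feb 26 21:16:44 2009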



!>
