#!/bin/sh
# Sair Linux/GNU Certification Firewall rule sets
# - updated for CSCI561 (ptm 11 Oct 2007)
# - updated for CSCI561 (ptm 09 Oct 2003)
# - updated for iptables (pchood 03/01/2001)
#
# Background reading:
#   http://www.netfilter.org/documentation/index.html#FAQ
#   http://www.netfilter.org/documentation/index.html#HOWTO
#   http://www.ds9a.nl/2.4Routing/HOWTO/cvs/2.4routing/output/2.4routing.html
#   http://www.linuxguruz.com/iptables/
#
# How to read the rules in this file
# ----------------------------------
# Goal: each iptables rule tries to match one or more IP header fields of
# every packet and, on a match, hands the packet to a target.
#
# "Boundary zone": the kernel's packet-processing code/data, i.e. packets
# waiting for connections, the routing table, ARP and ICMP handling.
#
# Targets (what "-j" jumps to when a rule matches):
#   REJECT     - refuse the packet and send an ICMP error back
#   DROP       - refuse the packet silently (formerly DENY)
#   MASQUERADE - rewrite private source IP/port so the packet can go public
#   ACCEPT     - let the routing table dispatch the packet
#   <chain>    - one field matched; continue testing in a user chain
#
# The five built-in chains (packet lists) those targets operate on:
#   PREROUTING  - packets as they arrive from any network interface
#   INPUT       - packets addressed to local clients and servers
#   FORWARD     - packets crossing the box between two interfaces
#   OUTPUT      - locally generated packets, before routing to an interface
#   POSTROUTING - packets leaving the box towards a chosen interface
#
# The chains live in these tables (selected with "-t"):
#   filter - the default when no table is named; most packet decisions
#   nat    - network address translation, private <-> public
#   mangle - bit-level edits of packet headers (TOS, ECN, ...)
#   raw    - mark a packet for later processing
#
# Topology
# --------
# An external T1 line from AT&T terminates on a firewall with ten Ethernet
# adapters (two 5-in-one cards).  Each Ethernet interface is its own DMZ
# or private subnet and the subnets are isolated from each other.
# Employees on the private subnets may reach the Internet, but should not
# be able to abuse the privilege.
#
# These variables are read by every rule below; change them here, not in
# the rules.

# The firewall host is "jar"; this is its public address.
FIREWALLIP="12.6.178.65"
# The 64 public IP addresses assigned to us (the DMZ), on interface eth0.
EXTERNALIP="12.6.178.64/26"
# WAN pipe 1 (point-to-point protocol) to AT&T on the T1 line.
EXTERNALNET="wp1_ppp"
# eth0 also carries the trusted external hosts "Jar", "Nod" and "Vis":
# the first 8 of the public addresses.
TRUSTED="12.6.178.64/29"
# All private subnets: one RFC 1918 /16 (65,536 addresses).
INTRANET="192.168.0.0/16"
# The main intranet interface.
SAIRNET="eth1"
# The first 64 addresses on SAIRNET are reserved for management.
MGMT="192.168.1.0/26"
# Privileged hosts on SAIRNET (allowed to reach ntop, PowerChute, ...):
# 18=xwing 34=greedo 35=crix 45=luke 59=echobase 60=skywalker
SYSTEMS="192.168.1.18 192.168.1.34 192.168.1.35 192.168.1.45 192.168.1.59 192.168.1.60"
# Vision Creek subnet - disconnected, kept for reference.
VISNODHUB="eth2"
# Testbed subnet (192.168.2.0/24).
TESTSUBNET="eth3"
# D2 Interactive's pass-through public address and its interface.
D2I="12.6.178.90/32"
D2I_INTERFACE="eth5"
# Prometric / VUE test center subnet (192.168.3.0/24).
TESTCENTER="eth6"

# Syslog levels used with "--log-level" (from <sys/syslog.h>):
#   #define LOG_EMERG 0  /* system is unusable */
#   #define LOG_ALERT 1  /* action must be taken immediately */
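#   #define LOG_CRIT    2  /* critical conditions */
#   #define LOG_ERR     3  /* error conditions */
#   #define LOG_WARNING 4  /* warning conditions */
#   #define LOG_NOTICE  5  /* normal but significant condition */
#   #define LOG_INFO    6  /* informational */
#   #define LOG_DEBUG   7  /* debug-level messages */
# Level handed to every "-j LOG" rule below.
LOGLEVEL=7

# First enable kernel networking options and load the kernel device
# drivers (modules) for network packet filtering.

# Enable IP forwarding (the box routes between its interfaces).
echo 1 > /proc/sys/net/ipv4/ip_forward

# Enable ARP proxies on the private interfaces so private hosts
# can talk directly to the outgoing public interface.
if [ -e /proc/sys/net/ipv4/conf/all/proxy_arp ]; then
  echo 1 > "/proc/sys/net/ipv4/conf/$SAIRNET/proxy_arp"
  echo 1 > "/proc/sys/net/ipv4/conf/$D2I_INTERFACE/proxy_arp"
fi

# Drop spoofed packets coming in on one interface which, if replied to,
# would have the reply leave through a different interface.
if [ -e /proc/sys/net/ipv4/conf/all/rp_filter ]; then
  for f in /proc/sys/net/ipv4/conf/*/rp_filter; do
    echo 1 > "$f"
  done
fi

# Log packets with impossible IP addresses to the kernel log.
if [ -e /proc/sys/net/ipv4/conf/all/log_martians ]; then
  for f in /proc/sys/net/ipv4/conf/*/log_martians; do
    echo 1 > "$f"
  done
fi

# Don't SEND ICMP redirects - needed for the transparent proxy.
if [ -e /proc/sys/net/ipv4/conf/all/send_redirects ]; then
  echo 0 > /proc/sys/net/ipv4/conf/all/send_redirects
fi

# Don't ACCEPT ICMP redirects (only on the T1 interface).
if [ -e "/proc/sys/net/ipv4/conf/$EXTERNALNET/accept_redirects" ]; then
  echo 0 > "/proc/sys/net/ipv4/conf/$EXTERNALNET/accept_redirects"
fi

# The TCP Explicit Congestion Notification (ECN) flags (defined in 2001
# and located in the "reserved" bits) give the receiver an early warning
# of buffer overflow and let it ask the sender to slow down; see RFC 3168.
# But about 1% of routers/firewalls drop packets with the ECN (reserved)
# bits set.  Another solution is the mangle table's ECN target, which
# clears the bits before packets reach the 1%; see the CHECK_FLAGS section
# in this file.  For now, use brute force and turn ECN off in our TCP packets.
if [ -e /proc/sys/net/ipv4/tcp_ecn ]; then
  echo 0 > /proc/sys/net/ipv4/tcp_ecn
fi

# Increase the maximum number of tracked IP connections.
if [ -e /proc/sys/net/ipv4/ip_conntrack_max ]; then
  echo 16376 > /proc/sys/net/ipv4/ip_conntrack_max
fi

# Install the kernel network filter modules.
/sbin/modprobe ip_tables
/sbin/modprobe ip_conntrack
/sbin/modprobe iptable_nat
/sbin/modprobe iptable_mangle
/sbin/modprobe ipt_TOS
/sbin/modprobe ipt_REJECT
/sbin/modprobe ipt_MASQUERADE
/sbin/modprobe ip_nat_ftp
/sbin/modprobe ip_conntrack_ftp

# Reset the tables: clear all rules in nat, mangle and the three built-in
# filter chains.  The user-defined chains (SRC_EGRESS, CHECK_FLAGS,
# DENY_PORTS) are flushed and deleted where they are (re)created below.
/sbin/iptables -t nat -F
/sbin/iptables -t mangle -F
/sbin/iptables -F INPUT
/sbin/iptables -F OUTPUT
/sbin/iptables -F FORWARD

# Do not forward packets by default.  No policy is set for INPUT or OUTPUT
# here, so they keep whatever policy the kernel already has (ACCEPT unless
# something else changed it).
/sbin/iptables -P FORWARD DROP

# The loopback interface is disabled on this firewall.  If it must have one,
# uncomment the following:
#LOOPBACK="127.0.0.0/8"
#LOOPNET="lo"
# Allow local traffic on the loopback interface
#/sbin/iptables -A INPUT -i $LOOPNET -j ACCEPT
#/sbin/iptables -A OUTPUT -o $LOOPNET -j ACCEPT
#
# Deny packets from the Internet which claim to come from the loopback net.
#/sbin/iptables -t nat -A PREROUTING -p all -s $LOOPBACK -i $EXTERNALNET \
#  -j LOG --log-prefix "spoofed loopback: " --log-level 5
#/sbin/iptables -t nat -A PREROUTING -p all -s $LOOPBACK -i $EXTERNALNET -j DROP

# Use iptables' connection "state" to skip re-checking packets that belong
# to already approved connections.  CAUTION: this may affect the kind of
# logging wanted later in the file, because matching packets never reach
# the later INPUT/OUTPUT rules.
# The state list must not contain spaces: the shell would split
# "ESTABLISHED, RELATED" into two arguments and iptables would reject the
# rule, leaving the stateful bypass uninstalled.
/sbin/iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
/sbin/iptables -A OUTPUT -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT

# Return an ICMP error if D2 Interactive tries to reach any other subnet;
# everything else to/from D2I is forwarded.
/sbin/iptables -A FORWARD -s $D2I -d $INTRANET -j REJECT
/sbin/iptables -A FORWARD -s $D2I -j ACCEPT
/sbin/iptables -A FORWARD -d $D2I -j ACCEPT

# Disallow ssh from D2I to the outside world.
# NOTE(review): INPUT only sees packets addressed to the firewall itself,
# so this stops D2I ssh to the firewall's own addresses; D2I ssh to other
# DMZ hosts goes through FORWARD and was accepted above - confirm intent.
/sbin/iptables -A INPUT -p tcp -s $D2I -d $EXTERNALIP --dport 22 -j REJECT

# Permit access to AOL (205.188/16 152.163/16 64.12/24) by MGMT and the DMZ.
/sbin/iptables -t nat -A POSTROUTING -s $MGMT -d 205.188.0.0/16 -j MASQUERADE
/sbin/iptables -A FORWARD -s $EXTERNALIP -d 205.188.0.0/16 -j ACCEPT
/sbin/iptables -A FORWARD -s $EXTERNALIP -d 152.163.0.0/16 -j ACCEPT
/sbin/iptables -A FORWARD -s $EXTERNALIP -d 64.12.149.0/24 -j ACCEPT

# Allow access to www.winamp.com (part of AOL's 205.188/16) for the whole
# 192.168.1.0/24.  This exception must come BEFORE the "deny otherwise"
# REJECTs below, or non-MGMT hosts hit the REJECT first and the rule
# never matches.
/sbin/iptables -A FORWARD -s 192.168.1.0/24 -d 205.188.245.120/32 -j ACCEPT

# Deny AOL access otherwise.
# "-s ! addr" is the older intrapositioned negation; current iptables
# releases write it "! -s addr".
/sbin/iptables -A FORWARD -s ! $MGMT -d 205.188.0.0/16 -j REJECT
/sbin/iptables -A FORWARD -s ! $MGMT -d 152.163.0.0/16 -j REJECT
/sbin/iptables -A FORWARD -s ! $MGMT -d 64.12.149.0/24 -j REJECT

# Screen out CHAT room IP ranges, but first let embedded Web pages through.
# Yahoo has web page IPs mixed in with the chat addresses, of course.
# NOTE(review): 215.115.105.17 sits between 216.115.105.16 and other
# 216.115.x addresses and may be a typo for 216.115.105.17 - verify
# before changing it.
YAHOO="204.71.200.67 204.71.200.68 204.71.200.74 204.71.200.75 216.136.175.56 \
216.115.105.16 215.115.105.17 204.71.202.248 216.115.106.207 \
216.115.106.206 216.115.106.208 216.115.106.34 216.115.106.35"
for z in $YAHOO; do
  /sbin/iptables -A FORWARD -d $z -j ACCEPT
done

# Allow chat access for the DMZ, D2I and MGMT addresses, but reject it
# for non-MGMT private hosts.
CHAT="204.71.200.0/22 216.115.105.0/22 216.136.175.0/24 \
64.4.13.0/24 64.12.163.199"
for eachip in $CHAT; do
  /sbin/iptables -A FORWARD -s $EXTERNALIP -d $eachip -j ACCEPT
  /sbin/iptables -A FORWARD -s ! $MGMT -d $eachip -j REJECT
done

# Testbed subnet (192.168.2.0/24) rules.
# Allow the testbed to ssh (22) and print (515) to workstations and back,
# reject everything else towards the workstations and the test center,
# allow traffic within the testbed.
/sbin/iptables -A FORWARD -p tcp -s 192.168.2.0/24 -d 192.168.1.0/24 \
  --dport 22 -j ACCEPT
/sbin/iptables -A FORWARD -p tcp -s 192.168.2.0/24 --sport 22 \
  -d 192.168.1.0/24 -j ACCEPT
/sbin/iptables -A FORWARD -p tcp -s 192.168.2.0/24 -d 192.168.1.0/24 \
  --dport 515 -j ACCEPT
/sbin/iptables -A FORWARD -p tcp -s 192.168.2.0/24 --sport 515 \
  -d 192.168.1.0/24 -j ACCEPT
/sbin/iptables -A FORWARD -s 192.168.2.0/24 -d 192.168.1.0/24 -j REJECT
/sbin/iptables -A FORWARD -s 192.168.2.0/24 -d 192.168.2.0/24 -j ACCEPT
/sbin/iptables -A FORWARD -s 192.168.2.0/24 -d 192.168.3.0/24 -j REJECT

# Prometric / VUE test center (192.168.3.0/24) rules.
# Only the test center server may reach the camera (192.168.1.252); other
# TCP towards the workstations or the testbed is rejected.
/sbin/iptables -A FORWARD -p tcp -s 192.168.3.2 -d 192.168.1.252 -j ACCEPT
/sbin/iptables -A FORWARD -p tcp -s 192.168.3.0/24 -d 192.168.1.0/24 -j REJECT
/sbin/iptables -A FORWARD -p tcp -s 192.168.3.0/24 -d 192.168.2.0/24 -j REJECT
/sbin/iptables -A FORWARD -p tcp -s 192.168.3.0/24 -d 192.168.3.0/24 -j ACCEPT

# Uncomment to log DNS requests from the intranets to nod.
#/sbin/iptables -t nat -A POSTROUTING -p tcp -s $INTRANET -d 12.6.178.68/32 \
#  --dport 53 -j LOG

# Log GNUtella connects (-pchood).  Rules in the nat table only see the
# first packet of each connection, so this logs one line per connection.
/sbin/iptables -t nat -A POSTROUTING -p tcp -s $INTRANET --dport 6346 \
  -j LOG --log-prefix "GNUtella:"

# Uncomment to log HTTP (Web) requests from the intranets to the world.
#/sbin/iptables -t nat -A POSTROUTING -p tcp -s ! $MGMT -d ! $EXTERNALIP \
#  --dport 80 -j LOG --log-prefix "http: " --log-level 5

# Restrict rsync (TCP & UDP port 873) to connects from file server Jabba
# (192.168.1.4) to Web server Nod (12.6.178.68) only.
/sbin/iptables -t nat -p tcp -A POSTROUTING -s 192.168.1.4 -d 12.6.178.68 \
  --dport 873 -j ACCEPT
/sbin/iptables -t nat -p udp -A POSTROUTING -s 192.168.1.4 -d 12.6.178.68 \
  --dport 873 -j ACCEPT
/sbin/iptables -t nat -p tcp -A POSTROUTING -d $EXTERNALIP --dport 873 -j DROP
/sbin/iptables -t nat -p udp -A POSTROUTING -d $EXTERNALIP --dport 873 -j DROP

# Only allow Amanda (UDP/10080) connect attempts from Backup (192.168.1.3)
# to Jar (the firewall).
/sbin/iptables -p udp -A INPUT -s ! 192.168.1.3 --dport 10080 -j DROP

# Restrict ntop (TCP/8080) connects to the SYSTEMS machines *only*.
for z in $SYSTEMS; do
  /sbin/iptables -t nat -p tcp -A POSTROUTING -s $z --dport 8080 -j ACCEPT
  /sbin/iptables -p tcp -A INPUT -s $z --dport 8080 -j ACCEPT
done
/sbin/iptables -t nat -p tcp -A POSTROUTING --dport 8080 -j DROP
/sbin/iptables -p tcp -A INPUT --dport 8080 -j DROP

# Restrict UPS PowerChute (TCP/3052) connects to the SYSTEMS machines
# *only*; 192.168.1.10 may additionally use UDP/3052.
for z in $SYSTEMS; do
  /sbin/iptables -t nat -p tcp -A POSTROUTING -s $z --dport 3052 -j ACCEPT
  /sbin/iptables -p tcp -A INPUT -s $z --dport 3052 -j ACCEPT
done
/sbin/iptables -t nat -p udp -A POSTROUTING -s 192.168.1.10 \
  --dport 3052 -j ACCEPT
/sbin/iptables -p udp -A INPUT -s 192.168.1.10 --dport 3052 -j ACCEPT
/sbin/iptables -t nat -p tcp -A POSTROUTING --dport 3052 -j DROP
/sbin/iptables -p tcp -A INPUT --dport 3052 -j DROP
#/sbin/iptables -p tcp -A INPUT --dport 3052 -j LOG --log-prefix "PwrChute:"

# If you let Windows on the DMZ, protect these vulnerable ports:
# 12345,12346               - netbus / fat bitch trojans
# 1524, 27665, 31335, 27444 - trinoo
# 31337                     - ADM / BackOrifice trojans
# 445,1025                  - LSASS exploit
# 5554, 9898                - Dabber worm
# 2745                      - Bagle worm
# 135                       - MS Exchange / Active Directory exploit attempts
# 1026-1029                 - popup spam attempts
# 23232, 32121              - berbew
# 1434                      - MS SQL Slammer worm
# 3127                      - MyDoom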
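# 5000                      - Kibuv.b worm, exploits the Windows UPnP service
#intrusion_ports_tcp="12345,12346,1524,27665,31337,445,1025,5554,9898, 2745,135,23232,32121,3127,5000"
#intrusion_ports_udp="12345,12346,27444,31335 ,31337,135,1025,1026,1027,1028,1029,1434"

# Rules placed after this point will be subject to MASQUERADE!
# So if a packet from the intranets was destined for Nod, its source has
# already been rewritten, and a rule like "-s 192.168.1.4 -d 12.6.178.68"
# will *NOT* match, because 192.168.1.4 was masq'ed to 12.119.148.53 already.

# Masquerade from the intranets to the world (everything except 12.6.178.66).
/sbin/iptables -t nat -A POSTROUTING -s 192.168.1.0/24 -d ! 12.6.178.66 \
  -j MASQUERADE
/sbin/iptables -t nat -A POSTROUTING -s 192.168.2.0/24 -d ! 12.6.178.66 \
  -j MASQUERADE
/sbin/iptables -t nat -A POSTROUTING -s 192.168.3.2 -d ! 12.6.178.66 \
  -j MASQUERADE

# Let SNMP (UDP/161) packets through from Nod to the switches for MRTG.
/sbin/iptables -t nat -p udp -A POSTROUTING -s 12.6.178.68 -d 192.168.1.2 \
  --dport 161 -j ACCEPT
/sbin/iptables -t nat -p udp -A POSTROUTING -s 12.6.178.68 -d 192.168.1.8 \
  --dport 161 -j ACCEPT
/sbin/iptables -t nat -p udp -A POSTROUTING -s 12.6.178.68 -d 192.168.1.9 \
  --dport 161 -j ACCEPT

# Remote syslogging: Vis and Nod send to firewall Jar:516, which is
# translated to Poof (192.168.1.11):514.  Anyone else hitting 516 is dropped.
/sbin/iptables -t nat -p udp -A POSTROUTING -s $TRUSTED -d 192.168.1.11 \
  --dport 514 -j ACCEPT
/sbin/iptables -t nat -A PREROUTING -d $FIREWALLIP -p udp --dport 516 \
  -s $TRUSTED -j DNAT --to 192.168.1.11:514
/sbin/iptables -t nat -A PREROUTING -d $FIREWALLIP -p udp --dport 516 \
  -s ! $TRUSTED -j DROP

# Close off new connections from the DMZ to the intranet, then forward
# everything else to and from the intranet.
/sbin/iptables -t nat -A POSTROUTING -s $EXTERNALIP -d $INTRANET -j DROP
/sbin/iptables -A FORWARD -s $INTRANET -j ACCEPT
/sbin/iptables -A FORWARD -d $INTRANET -j ACCEPT

# Allow requests to and from the public DMZ network.
/sbin/iptables -A FORWARD -d $EXTERNALIP -j ACCEPT
/sbin/iptables -A FORWARD -s $EXTERNALIP -j ACCEPT
/sbin/iptables -A FORWARD -s $TRUSTED -d $TRUSTED -j ACCEPT

# TOS flags (from: iptables -m tos -h), accepted TCP values from
# RFC 1060/1349:
#   Minimize-Delay       16 (0x10)
#   Maximize-Throughput   8 (0x08)
#   Maximize-Reliability  4 (0x04)
#   Minimize-Cost         2 (0x02)
#   Normal-Service        0 (0x00)
# Mangle the OUTPUT and PREROUTING chains to mark certain TCP/UDP traffic:
# bulk transfers (ftp-data, http) get Maximize-Throughput, interactive and
# control traffic (ftp, ssh, telnet, smtp, dns) gets Minimize-Delay.
# The OUTPUT chain should probably be POSTROUTING.
for chain in OUTPUT PREROUTING; do
  /sbin/iptables -t mangle -A $chain -p tcp --dport 20 -j TOS --set-tos 8
  /sbin/iptables -t mangle -A $chain -p tcp --dport 21 -j TOS --set-tos 16
  /sbin/iptables -t mangle -A $chain -p tcp --dport 22 -j TOS --set-tos 16
  /sbin/iptables -t mangle -A $chain -p tcp --dport 23 -j TOS --set-tos 16
  /sbin/iptables -t mangle -A $chain -p tcp --dport 25 -j TOS --set-tos 16
  /sbin/iptables -t mangle -A $chain -p tcp --dport 53 -j TOS --set-tos 16
  /sbin/iptables -t mangle -A $chain -p udp --dport 53 -j TOS --set-tos 16
  /sbin/iptables -t mangle -A $chain -p tcp --dport 80 -j TOS --set-tos 8
done

# SRC_EGRESS - originally an outbound traffic filter, it has evolved into
# rules that drop packets claiming IANA-reserved source addresses.  See:
# http://www.iana.org/assignments/ipv4-address-space
# NOTE(review): the list below is a snapshot of unallocated /8s at the
# time of writing; many of them have since been assigned, so re-check it
# against the current IANA registry before relying on it.
#
# "iptables -L <chain>" exits non-zero when the chain does not exist, so
# it serves as the existence test; drop any stale copy before recreating.
if /sbin/iptables -L SRC_EGRESS -n >/dev/null 2>&1; then
  /sbin/iptables -F SRC_EGRESS
  /sbin/iptables -X SRC_EGRESS
fi
/sbin/iptables -N SRC_EGRESS
/sbin/iptables -F SRC_EGRESS
# Class B reserved (RFC 1918)
/sbin/iptables -A SRC_EGRESS -s 172.16.0.0/12 -j DROP
# Class D/E reserved (multicast and above)
/sbin/iptables -A SRC_EGRESS -s 224.0.0.0/3 -j DROP
RESERVED_NET="\
0.0.0.0/8 1.0.0.0/8 2.0.0.0/8 \
5.0.0.0/8 \
7.0.0.0/8 \
23.0.0.0/8 \
27.0.0.0/8 \
31.0.0.0/8 \
36.0.0.0/8 37.0.0.0/8 \
39.0.0.0/8 \
41.0.0.0/8 42.0.0.0/8 \
58.0.0.0/8 59.0.0.0/8 60.0.0.0/8 \
67.0.0.0/8 68.0.0.0/8 69.0.0.0/8 70.0.0.0/8 71.0.0.0/8 72.0.0.0/8 73.0.0.0/8 \
74.0.0.0/8 75.0.0.0/8 76.0.0.0/8 77.0.0.0/8 78.0.0.0/8 79.0.0.0/8 80.0.0.0/8 \
81.0.0.0/8 82.0.0.0/8 83.0.0.0/8 84.0.0.0/8 85.0.0.0/8 86.0.0.0/8 87.0.0.0/8 \
88.0.0.0/8 89.0.0.0/8 90.0.0.0/8 91.0.0.0/8 92.0.0.0/8 93.0.0.0/8 94.0.0.0/8 \
95.0.0.0/8 96.0.0.0/8 97.0.0.0/8 98.0.0.0/8 99.0.0.0/8 100.0.0.0/8 101.0.0.0/8 \
102.0.0.0/8 103.0.0.0/8 104.0.0.0/8 105.0.0.0/8 106.0.0.0/8 107.0.0.0/8 \
108.0.0.0/8 109.0.0.0/8 110.0.0.0/8 111.0.0.0/8 112.0.0.0/8 113.0.0.0/8 \
114.0.0.0/8 115.0.0.0/8 116.0.0.0/8 117.0.0.0/8 118.0.0.0/8 119.0.0.0/8 \
120.0.0.0/8 121.0.0.0/8 122.0.0.0/8 123.0.0.0/8 124.0.0.0/8 125.0.0.0/8 \
126.0.0.0/8 127.0.0.0/8 \
197.0.0.0/8 \
201.0.0.0/8 \
219.0.0.0/8 220.0.0.0/8 221.0.0.0/8 222.0.0.0/8 223.0.0.0/8 \
240.0.0.0/8 241.0.0.0/8 242.0.0.0/8 243.0.0.0/8 244.0.0.0/8 245.0.0.0/8 \
246.0.0.0/8 247.0.0.0/8 248.0.0.0/8 249.0.0.0/8 250.0.0.0/8 251.0.0.0/8 \
252.0.0.0/8 253.0.0.0/8 254.0.0.0/8 255.0.0.0/8"
for i in $RESERVED_NET; do
  /sbin/iptables -A SRC_EGRESS -s $i -j DROP
done
# Hook SRC_EGRESS into the INPUT chain.  Because it is appended, it runs
# after the ESTABLISHED,RELATED bypass and the INPUT rules above.
# Instead of INPUT, this should probably be "-t nat" or "-t mangle -A POSTROUTING".
/sbin/iptables -A INPUT -d $EXTERNALIP -p all -j SRC_EGRESS

# CHECK_FLAGS - check TCP packets coming in on the external interface for
# weird flag combinations: a special chain to filter TCP headers with
# several incompatible bits turned on.  Each pattern is logged (rate
# limited to 5/minute) and then dropped.
if /sbin/iptables -L CHECK_FLAGS -n >/dev/null 2>&1; then
  /sbin/iptables -F CHECK_FLAGS
  /sbin/iptables -X CHECK_FLAGS
fi
/sbin/iptables -N CHECK_FLAGS
/sbin/iptables -F CHECK_FLAGS
# nmap fin/urg/psh
/sbin/iptables -A CHECK_FLAGS -p tcp --tcp-flags ALL FIN,URG,PSH -m limit \
  --limit 5/minute -j LOG --log-level $LOGLEVEL --log-prefix "NMAP-XMAS:"
/sbin/iptables -A CHECK_FLAGS -p tcp --tcp-flags ALL FIN,URG,PSH -j DROP
# xmas tree
/sbin/iptables -A CHECK_FLAGS -p tcp --tcp-flags ALL ALL -m limit \
  --limit 5/minute -j LOG --log-level $LOGLEVEL --log-prefix "Merry XMAS:"
/sbin/iptables -A CHECK_FLAGS -p tcp --tcp-flags ALL ALL -j DROP
# another xmas tree
/sbin/iptables -A CHECK_FLAGS -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG \
  -m limit --limit 5/minute -j LOG --log-level $LOGLEVEL --log-prefix "XMAS-PSH:"
/sbin/iptables -A CHECK_FLAGS -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j DROP
# null scan (possibly)
/sbin/iptables -A CHECK_FLAGS -p tcp --tcp-flags ALL NONE -m limit \
  --limit 5/minute -j LOG --log-level $LOGLEVEL --log-prefix "NULL_SCAN:"
/sbin/iptables -A CHECK_FLAGS -p tcp --tcp-flags ALL NONE -j DROP
# syn/rst
/sbin/iptables -A CHECK_FLAGS -p tcp --tcp-flags SYN,RST SYN,RST -m limit \
  --limit 5/minute -j LOG --log-level $LOGLEVEL --log-prefix "SYN/RST:"
/sbin/iptables -A CHECK_FLAGS -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
# syn/fin scan (possibly)
/sbin/iptables -A CHECK_FLAGS -p tcp --tcp-flags SYN,FIN SYN,FIN -m limit \
  --limit 5/minute -j LOG --log-level $LOGLEVEL --log-prefix "SYN/FIN:"
/sbin/iptables -A CHECK_FLAGS -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
# TCP option checks
/sbin/iptables -A CHECK_FLAGS -p tcp --tcp-option 64 -m limit --limit 5/minute \
  -j LOG --log-level $LOGLEVEL --log-prefix "Bogus TCP FLAG 64"
/sbin/iptables -A CHECK_FLAGS -p tcp --tcp-option 64 -j DROP
/sbin/iptables -A CHECK_FLAGS -p tcp --tcp-option 128 -m limit \
  --limit 5/minute -j LOG --log-level $LOGLEVEL --log-prefix "Bogus TCP FLAG 128"
/sbin/iptables -A CHECK_FLAGS -p tcp --tcp-option 128 -j DROP
# Hook CHECK_FLAGS into the INPUT chain (from the outside).
# Instead of INPUT, this should probably be "-t nat" or "-t mangle -A PREROUTING".
/sbin/iptables -A INPUT -d $EXTERNALIP -p tcp -j CHECK_FLAGS

# DENY_PORTS - check TCP packets on the external interface for
# communication with undesirable servers.  CAUTION: do not block existing
# services like SSL on port 443 just because the slapper worm is using it;
# fix the server in those cases.
# A special chain that DROPs packets based on port number.
if /sbin/iptables -L DENY_PORTS -n >/dev/null 2>&1; then
  /sbin/iptables -F DENY_PORTS
  /sbin/iptables -X DENY_PORTS
fi
/sbin/iptables -N DENY_PORTS
/sbin/iptables -F DENY_PORTS
# Do not allow SMB (137-139), MS SQL (1433), NFS (2049), PostgreSQL (5432)
# or X (5999-6063) connections to/from the outside world.
/sbin/iptables -A DENY_PORTS -p tcp --dport 137:139 -j DROP
/sbin/iptables -A DENY_PORTS -p tcp --sport 137:139 -j DROP
/sbin/iptables -A DENY_PORTS -p tcp --dport 1433 -j DROP
/sbin/iptables -A DENY_PORTS -p tcp --sport 1433 -j DROP
/sbin/iptables -A DENY_PORTS -p tcp --dport 2049 -j DROP
/sbin/iptables -A DENY_PORTS -p tcp --sport 2049 -j DROP
/sbin/iptables -A DENY_PORTS -p tcp --dport 5432 -j DROP
/sbin/iptables -A DENY_PORTS -p tcp --sport 5432 -j DROP
/sbin/iptables -A DENY_PORTS -p tcp --dport 5999:6063 -j DROP
/sbin/iptables -A DENY_PORTS -p tcp --sport 5999:6063 -j DROP

# Block MySQL (3306) connections from the world to the DMZ; the trusted
# hosts and the intranets are still allowed.  (These live in the nat table,
# not in DENY_PORTS.)
/sbin/iptables -t nat -A POSTROUTING -s $TRUSTED -d $EXTERNALIP -p tcp \
  --dport 3306 -j ACCEPT
/sbin/iptables -t nat -A POSTROUTING -s $INTRANET -d $EXTERNALIP -p tcp \
  --dport 3306 -j ACCEPT
/sbin/iptables -t nat -A POSTROUTING -p tcp -d $EXTERNALIP \
  --dport 3306 -j DROP

# Block FTP (21) connections from the world to the DMZ; trusted hosts, the
# intranets and D2I are still allowed.
/sbin/iptables -t nat -A POSTROUTING -s $TRUSTED -d $EXTERNALIP -p tcp \
  --dport 21 -j ACCEPT
/sbin/iptables -t nat -A POSTROUTING -s $INTRANET -d $EXTERNALIP -p tcp \
  --dport 21 -j ACCEPT
/sbin/iptables -t nat -A POSTROUTING -p tcp -d $D2I --dport 21 -j ACCEPT
# The TCP DROP must name $EXTERNALIP (the variable defined at the top of
# this file).  An undefined name here expands to nothing, "-d" then
# swallows "--dport" as its argument, iptables rejects the rule, and FTP
# from the world to the DMZ is silently left open.
/sbin/iptables -t nat -A POSTROUTING -p tcp -d $EXTERNALIP --dport 21 -j DROP
/sbin/iptables -t nat -A POSTROUTING -s $TRUSTED -d $EXTERNALIP -p udp \
  --dport 21 -j ACCEPT
/sbin/iptables -t nat -A POSTROUTING -s $INTRANET -d $EXTERNALIP -p udp \
  --dport 21 -j ACCEPT
/sbin/iptables -t nat -A POSTROUTING -p udp -d $EXTERNALIP --dport 21 -j DROP

# Catch the rpc.statd exploit shell (9704).
/sbin/iptables -A DENY_PORTS -p tcp --dport 9704 -m limit --limit 5/minute \
  -j LOG --log-level $LOGLEVEL --log-prefix "rpc.statd(9704) Shell:"
/sbin/iptables -A DENY_PORTS -p tcp --dport 9704 -j DROP
/sbin/iptables -A DENY_PORTS -p tcp --sport 9704 -m limit --limit 5/minute \
  -j LOG --log-level $LOGLEVEL --log-prefix "rpc.statd(9704) Shell:"
/sbin/iptables -A DENY_PORTS -p tcp --sport 9704 -j DROP

# NetBus and NetBus Pro.
/sbin/iptables -A DENY_PORTS -p tcp --dport 20034 -m limit \
  --limit 5/minute -j LOG --log-level $LOGLEVEL --log-prefix "NetBus Pro:"
/sbin/iptables -A DENY_PORTS -p tcp --dport 20034 -j DROP
/sbin/iptables -A DENY_PORTS -p tcp --dport 12345:12346 -m limit \
  --limit 5/minute -j LOG --log-level $LOGLEVEL --log-prefix "NetBus:"
/sbin/iptables -A DENY_PORTS -p tcp --dport 12345:12346 -j DROP

# Trinoo.
/sbin/iptables -A DENY_PORTS -p tcp --sport 27665 -m limit --limit 5/minute \
  -j LOG --log-level $LOGLEVEL --log-prefix "Trinoo:"
/sbin/iptables -A DENY_PORTS -p tcp --dport 27665 -m limit --limit 5/minute \
  -j LOG --log-level $LOGLEVEL --log-prefix "Trinoo:"
/sbin/iptables -A DENY_PORTS -p tcp --sport 27665 -j DROP
/sbin/iptables -A DENY_PORTS -p tcp --dport 27665 -j DROP
/sbin/iptables -A DENY_PORTS -p udp --sport 27444 -m limit --limit 5/minute \
  -j LOG --log-level $LOGLEVEL --log-prefix "Trinoo:"
/sbin/iptables -A DENY_PORTS -p udp --dport 27444 -m limit --limit 5/minute \
  -j LOG --log-level $LOGLEVEL --log-prefix "Trinoo:"
/sbin/iptables -A DENY_PORTS -p udp --sport 27444 -j DROP
/sbin/iptables -A DENY_PORTS -p udp --dport 27444 -j DROP
/sbin/iptables -A DENY_PORTS -p udp --sport 31335 -m limit --limit 5/minute \
  -j LOG --log-level $LOGLEVEL --log-prefix "Trinoo:"
/sbin/iptables -A DENY_PORTS -p udp --dport 31335 -m limit --limit 5/minute \
  -j LOG --log-level $LOGLEVEL --log-prefix "Trinoo:"
/sbin/iptables -A DENY_PORTS -p udp --sport 31335 -j DROP
/sbin/iptables -A DENY_PORTS -p udp --dport 31335 -j DROP

# Back Orifice.
/sbin/iptables -A DENY_PORTS -p tcp --dport 31337 -m limit --limit 5/minute \
  -j LOG --log-level $LOGLEVEL --log-prefix "BackOrifice-TCP:"
/sbin/iptables -A DENY_PORTS -p udp --dport 31337 -m limit --limit 5/minute \
  -j LOG --log-level $LOGLEVEL --log-prefix "BackOrifice-UDP:"
/sbin/iptables -A DENY_PORTS -p tcp --sport 31337 -m limit --limit 5/minute \
  -j LOG --log-level $LOGLEVEL --log-prefix "BackOrifice-TCP:"
/sbin/iptables -A DENY_PORTS -p udp --sport 31337 -m limit --limit 5/minute \
  -j LOG --log-level $LOGLEVEL --log-prefix "BackOrifice-UDP:"
/sbin/iptables -A DENY_PORTS -p tcp --dport 31337 -j DROP
/sbin/iptables -A DENY_PORTS -p udp --dport 31337 -j DROP
/sbin/iptables -A DENY_PORTS -p tcp --sport 31337 -j DROP
/sbin/iptables -A DENY_PORTS -p udp --sport 31337 -j DROP

# Hook DENY_PORTS into the INPUT chain (from the outside).  Note that only
# TCP is sent through it, so the UDP rules above are not exercised by
# this hook.
# Instead of INPUT, this should probably be "-t nat" or "-t mangle -A PREROUTING".
/sbin/iptables -A INPUT -d $EXTERNALIP -p tcp -j DENY_PORTS

#
# Open holes in the firewall for mobile employees.  Use caution: open them
# only while the employees are on the road, and change the port numbers
# from time to time.
#
# Give external browsers the ability to see the internal Web server!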
# Redirect http://jar.sairinc.com:54321/ to http://yoda
#/sbin/iptables -t nat -A PREROUTING -d $FIREWALLIP -p tcp --dport 54321 \
#  -j DNAT --to 192.168.1.19:80

# Flip an ssh connection to the firewall on port 54321 from the DMZ to ssh
# on the internal file server Jabba! (Keep your fingers crossed...)
# Note that this example and the one above both claim port 54321, so only
# one of them can be enabled at a time.
#/sbin/iptables -t nat -A PREROUTING -d $FIREWALLIP -p tcp --dport 54321 \
#  -s $TRUSTED -j DNAT --to 192.168.1.4:22
#
# Give external clients access to a private host and port through the firewall!
#/sbin/iptables -t nat -A PREROUTING -d $FIREWALLIP -p tcp --dport 2112 \
#  -j DNAT --to 192.168.1.4:22

# Give an arbitrary protocol access to a range of ports on a private host.
#/sbin/iptables -t nat -A PREROUTING -d $FIREWALLIP -p udp --dport 9000:9013 \
#  -j DNAT --to 192.168.1.37
#
# Deny ICMP (i.e. ping requests) from the outside to the internal network...
#/sbin/iptables -A INPUT -p ICMP -s $EXTERNALIP -j DROP
# ...and from the intranet to Vis/Nod
#/sbin/iptables -A OUTPUT -p ICMP -s $INTRANET -j DROP
# Or allow ICMP ECHO requests from anywhere
#/sbin/iptables -A INPUT -p icmp --icmp-type echo-request -j ACCEPT
# ...and allow ICMP ECHO replies from anywhere
#/sbin/iptables -A INPUT -i $EXTERNALNET -p icmp --icmp-type echo-reply -j ACCEPT

# Hints
# -----
# To log packets from a certain subnet try this:
#/sbin/iptables -A SRC_EGRESS -s 130.74.0.0/16 -m limit \
#  --limit 5/minute -j LOG --log-level $LOGLEVEL --log-prefix "SRC_EGRESS:"
#
# Any rule can also carry an extra match module, for example
#  -m mac --mac-source 00:11:22:33:44:55
# or
#  -m limit --limit 3 --limit-burst 10
#
# When you have a raw Ethernet connection to the Internet, a virtual
# firewall can be created without separate physical subnets.  This happens
# when two or more companies share a T1 line as shown above, or when the
# ISP provides an Ethernet connection.  Such virtual firewall setups
# multiplex external and private IP packets on the same LAN: external IP
# Ethernet frames are sent to one of the LAN hosts (the virtual firewall)
# and the other LAN hosts then send/receive their IP packets through it.
#
# For example, assume a DSL connection where physical eth0 is the DSL
# interface and PPPoE is attached to logical ppp0.
# First, enable IP forwarding from INPUT to OUTPUT as was done above:
#echo 1 > /proc/sys/net/ipv4/ip_forward
# Second, make the host the virtual firewall by creating a second logical
# interface tied to eth0:
#/sbin/ifconfig eth0:0 192.168.1.1 netmask 255.255.255.0 broadcast 192.168.1.255 up
# Now eth0:0 is the firewall interface for the private network's gateway to
# the Internet.  Third, enable masquerading on the previously created
# external public interface:
#/sbin/iptables -t nat -I POSTROUTING -o ppp0 -j MASQUERADE
# Last, accept IP packets (on all ports) from the other private hosts so
# they are forwarded to the Internet:
#/sbin/iptables -I INPUT -s 192.168.1.2 -d 192.168.1.1 -j ACCEPT
#
# ISP stopping BitTorrent workaround
# ----------------------------------
# Posted by Cat in the Red Hat at 7:08 AM
# http://redhatcat.blogspot.com/2007/09/beating-sandvine-with-linux-iptables.html
#
# Configure the firewall and have great upload speed.  Run this script
# every boot.
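# One easy way is to call the script at the end of /etc/rc.local.
#
# NOTE(review): everything from the second "#!/bin/sh" below is a separate,
# stand-alone script pasted in from the blog post above.  It starts with
# "iptables -F", which flushes every filter rule the Sair firewall installed
# earlier in this file, and it ends with REJECT-everything rules for INPUT
# and FORWARD.  Keep it in its own file; do not run it as the tail of this
# script.
#!/bin/sh
# Replace 6883 with your BitTorrent port.
BT_PORT=6883

# Flush the filters (all chains of the filter table).
iptables -F

# Make sure the Red Hat input chain exists before jumping to it.  On a host
# that never had system-config-firewall the chain is absent and
# "-A INPUT -j RH-Firewall-1-INPUT" would fail, leaving INPUT wide open
# with no REJECT at the end.  "-N" fails harmlessly when the chain already
# exists (it was just flushed above), so its stderr is discarded.
iptables -N RH-Firewall-1-INPUT 2>/dev/null

# Apply new filters.
iptables -A INPUT -j RH-Firewall-1-INPUT
iptables -A RH-Firewall-1-INPUT -i lo -j ACCEPT
iptables -A RH-Firewall-1-INPUT -p icmp --icmp-type any -j ACCEPT

# Comcast BitTorrent seeding block workaround: ignore RST segments aimed
# at the BitTorrent port.
iptables -A RH-Firewall-1-INPUT -p tcp --dport "$BT_PORT" --tcp-flags RST RST -j DROP

# BitTorrent: accept new TCP and UDP connections on the BitTorrent port,
# reject everything else (INPUT and FORWARD) with icmp-host-prohibited.
iptables -A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport "$BT_PORT" -j ACCEPT
iptables -A RH-Firewall-1-INPUT -m state --state NEW -m udp -p udp --dport "$BT_PORT" -j ACCEPT
iptables -A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
iptables -A FORWARD -j REJECT --reject-with icmp-host-prohibited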