### -*-m4-*-
###
-### Initialization and finishing touches for firewall scripts
+### Classify packets according to source and destination networks.
###
### (c) 2008 Mark Wooding
###
run iptables -A $chain -p tcp ! --syn -g bad-tcp
}
+## commonrules CHAIN
+##
+## Add standard IP filtering rules to the CHAIN.
+commonrules () {
+ set -e
+ chain=$1
+
+ ## Pass fragments through, assuming that the eventual destination will sort
+ ## things out properly. Except for TCP, that is, which should never be
+ ## fragmented.
+ run iptables -A $chain -p tcp -f -g tcp-fragment
+ run iptables -A $chain -f -j ACCEPT
+}
+
## allowservices CHAIN PROTO SERVICE ...
##
## Add rules to allow the SERVICES on the CHAIN.
## Allow ping from safe/noloop to untrusted networks.
run iptables -A FORWARD -j ACCEPT \
- -p icmp --icmp-type echo-request \
+ -p icmp ! -f --icmp-type echo-request \
-m mark --mark $to_untrusted/$MASK_TO
run iptables -A FORWARD -j ACCEPT \
- -p icmp --icmp-type echo-reply \
+ -p icmp ! -f --icmp-type echo-reply \
-m mark --mark $from_untrusted/$MASK_FROM \
-m state --state ESTABLISHED
## Allow SSH from safe/noloop to untrusted networks.
run iptables -A FORWARD -j ACCEPT \
- -p tcp --destination-port $port_ssh \
+ -p tcp ! -f --destination-port $port_ssh \
-m mark --mark $to_untrusted/$MASK_TO
run iptables -A FORWARD -j ACCEPT \
- -p tcp --source-port $port_ssh \
+ -p tcp ! -f --source-port $port_ssh \
-m mark --mark $from_untrusted/$MASK_FROM \
-m state --state ESTABLISHED
clearchain inbound
## Track connections.
+commonrules inbound
conntrack inbound
## Allow incoming bootp. Bootp won't be forwarded, so this is obviously a
ROOT = become root
-SCRIPTS += logtrawl
-
## Installation.
install: all
firewall_script=./`hostname`.sh && \
$(ROOT) ./$$firewall_script
for i in $(HOSTS); do \
$(ROOT) scp $$i.sh $$i:/etc/init.d/firewall; \
- for j in $(SCRIPTS); do \
+ [ "$(SCRIPTS)" ] && for j in $(SCRIPTS); do \
$(ROOT) ssh $$i <$$j " \
cd /usr/local/sbin && \
rm -f $$j.new && \
+++ /dev/null
-#! /bin/bash
-
-set -e
-
-## DNS DDOS victims.
-dns_victims=$(
- sed -n '
- /^.*named.*client \([0-9]\+\.[0-9]\+\.[0-9]\+\.[0-9]\+\)#.*:.*view inet.*NS\/IN.*denied.*$/ s//\1/p
- ' /var/log/daemon.log |
- sort -u |
- while read addr; do
- if ! ipset -qT ddos-evil-dns "$addr"; then
- echo "$addr"
- fi
- done
-)
-case "$dns_victims" in
- "") ;;
- *)
- echo 'DNS DDOS victim addresses:'
- ipset -N ddos-evil-dns iphash >/dev/null 2>&1 || :
- for addr in $dns_victims; do
- echo " $addr"
- ipset -A ddos-evil-dns "$addr" || :
- done
- ;;
-esac
###--------------------------------------------------------------------------
### vampire-specific rules.
-m4_divert(35)m4_dnl
-errorchain ddos-evil-dns DROP
-## Invalid DNS request with probably-forged sender address, with intent to
-## cause DDOS.
-
m4_divert(82)m4_dnl
-## Repelling evil DDos attack.
-run ipset -N ddos-evil-dns iphash 2>/dev/null || :
-run iptables -A inbound -g ddos-evil-dns \
- -m set --set ddos-evil-dns src \
- -p udp --destination-port $port_dns
-
## Externally visible services.
allowservices inbound tcp \
finger ident \