# Default on-disk templates written out by Shutter.
#
# BASE_IPT is an iptables-restore ruleset; the other constants are the
# seed contents of the config files that ruleset refers to (iface.dmz,
# ip.allow, ip.deny, ports.public, ports.private).  All templates are
# plain, non-interpolated strings, so `#` is always literal text here.
module Shutter
  # iptables-restore input for the filter table.
  #
  # INPUT is processed in this order: loopback accept, Jail, conntrack
  # RELATED/ESTABLISHED accept, ValidCheck, Dmz, Bastards, Public,
  # AllowIP, rate-limited LOG, DROP.  The jump to Jail comes *before* the
  # RELATED/ESTABLISHED accept, so a banned address is cut off even on an
  # already established connection.  Every LOG rule is rate limited
  # (`-m limit`) and skips broadcast destinations (`! -d 0.0.0.255/0.0.0.255`).
  #
  # The `# [CHAIN:...]` / `# [RULES:...]` comment lines are marker lines;
  # the template's own comments say the Jail/fail2ban chains are filled in
  # "dynamically in locker-restore" and that the other sections are built
  # from the config files named in each section header.  The example rule
  # lines inside those section comments are kept verbatim from the template.
  #
  # NOTE(review): the Allowed chain accepts ICMP types 0, 3 and 11 with
  # `--state NEW`; those are reply types and would normally arrive as
  # ESTABLISHED/RELATED, so accepting them as NEW is more permissive than
  # needed — confirm whether that is intended before tightening.
  BASE_IPT = <<~'IPT'
    # Generated by Shutter
    *filter
    :INPUT DROP [0:0]
    :FORWARD DROP [0:0]
    :OUTPUT ACCEPT [0:0]
    :Dmz - [0:0]
    :ValidCheck - [0:0]
    :Jail - [0:0]
    :Bastards - [0:0]
    :Public - [0:0]
    :AllowIP - [0:0]
    :Allowed - [0:0]
    :Private - [0:0]
    :DropJail - [0:0]
    :DropBastards - [0:0]
    :DropInvalid - [0:0]
    :DropScan - [0:0]
    :DropDDOS - [0:0]
    # [CHAIN:FAIL2BAN]
    -A INPUT -i lo -j ACCEPT
    -A INPUT -j Jail
    -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
    -A INPUT -j ValidCheck
    -A INPUT -j Dmz
    -A INPUT -j Bastards
    -A INPUT -j Public
    -A INPUT -j AllowIP
    -A INPUT ! -d 0.0.0.255/0.0.0.255 -m limit --limit 1/min -j LOG --log-prefix "iptables: Block:"
    -A INPUT -j DROP
    ##################################################################
    # Jail goes here. Jail and any fail2ban chains will be
    # taken care of dynamically in locker-restore.
    ##################################################################
    # [RULES:JAIL]
    ##################################################################
    # Validity/Scanning/DDOS checking
    ##################################################################
    -A ValidCheck -m state --state INVALID -j DropInvalid
    -A ValidCheck -p tcp --tcp-flags ALL FIN,URG,PSH -j DropScan
    -A ValidCheck -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j DropScan
    -A ValidCheck -p tcp --tcp-flags ALL ALL -j DropScan
    -A ValidCheck -p tcp --tcp-flags ALL FIN -j DropScan
    -A ValidCheck -p tcp --tcp-flags ACK,FIN FIN -j DropScan
    -A ValidCheck -p tcp --tcp-flags ACK,PSH PSH -j DropScan
    -A ValidCheck -p tcp --tcp-flags ACK,URG URG -j DropScan
    -A ValidCheck -p tcp --tcp-flags FIN,RST FIN,RST -j DropScan
    -A ValidCheck -p tcp --tcp-flags ALL SYN,FIN -j DropScan
    -A ValidCheck -p tcp --tcp-flags ALL URG,PSH,FIN -j DropScan
    -A ValidCheck -p tcp --tcp-flags ALL URG,PSH,SYN,FIN -j DropScan
    -A ValidCheck -p tcp --tcp-flags SYN,RST SYN,RST -j DropScan
    -A ValidCheck -p tcp --tcp-flags SYN,FIN SYN,FIN -j DropScan
    -A ValidCheck -p tcp --tcp-flags ALL NONE -j DropScan
    -A ValidCheck -p tcp --tcp-option 64 -j DropScan
    -A ValidCheck -p tcp --tcp-option 128 -j DropScan
    -A ValidCheck -p tcp ! --dport 2049 -m multiport --sports 20,21,22,23,80,110,143,443,993,995 -j DropDDOS
    -A ValidCheck -p udp ! --dport 2049 -m multiport --sports 20,21,22,23,80,110,143,443,993,995 -j DropDDOS
    -A ValidCheck -j RETURN
    ##################################################################
    # DMZ. Read from iface.dmz and added as:
    # -A INPUT -i -j ACCEPT
    ##################################################################
    # [RULES:DMZ]
    -A Dmz -j RETURN
    ##################################################################
    # All IP address ranges that are permanently banned. If
    # no IP addresses are given, then all will be assumed that no ip
    # addresses are banned and create the following rule
    # -A Bastards -j RETURN
    # otherwise a list of banned ips will be generated from ip.deny
    # and will look like this:
    # -A Bastards -s / -j DropBastards
    ##################################################################
    # [RULES:BASTARDS]
    -A Bastards -j RETURN
    ##################################################################
    # A list of authorized ports for the public access. If there are
    # entries in the ports.public file then they will be added as:
    # -A Public -m state --state NEW -p -m --dport -j ACCEPT
    ##################################################################
    # [RULES:PUBLIC]
    -A Public -j RETURN
    ##################################################################
    # All IP address ranges that are allowed to access the ports. If
    # no IP addresses are given, then all will be assumed and a rule
    # to jump to the Allowed chain will be created:
    # -A AllowIP -j Allowed
    # otherwise a list of allowed ips will be generated from ip.allow
    # and will look like this:
    # -A AllowIP -s 129.101.159.128/26 -j Allowed
    ##################################################################
    # [RULES:ALLOWIP]
    -A AllowIP -j RETURN
    ##################################################################
    # Allowed. If a packet has met all the requirements it will end
    # up here. This should be a static chain.
    ##################################################################
    -A Allowed -p icmp -m state --state NEW -m icmp --icmp-type 0 -j ACCEPT
    -A Allowed -p icmp -m state --state NEW -m icmp --icmp-type 3 -j ACCEPT
    -A Allowed -p icmp -m state --state NEW -m icmp --icmp-type 8 -j ACCEPT
    -A Allowed -p icmp -m state --state NEW -m icmp --icmp-type 11 -j ACCEPT
    -A Allowed -j Private
    -A Allowed ! -d 0.0.0.255/0.0.0.255 -m limit --limit 1/min -j LOG --log-prefix "iptables: Authorized:"
    -A Allowed -j ACCEPT
    ##################################################################
    # A list of authorized ports for the allowed IPs. If there are
    # entries in the ports.private file then they will be added as:
    # -A Private -m state --state NEW -p -m --dport -j RETURN
    ##################################################################
    # [RULES:PRIVATE]
    -A Private ! -d 0.0.0.255/0.0.0.255 -m limit --limit 3/min -j LOG --log-prefix "iptables: Unauthorized:"
    -A Private -j DROP
    ##################################################################
    # Log and Drops
    ##################################################################
    -A DropJail ! -d 0.0.0.255/0.0.0.255 -m limit --limit 3/min -j LOG --log-prefix "iptables: Jail:"
    -A DropJail -j DROP
    -A DropBastards ! -d 0.0.0.255/0.0.0.255 -m limit --limit 3/min -j LOG --log-prefix "iptables: Bastards:"
    -A DropBastards -j DROP
    -A DropInvalid ! -d 0.0.0.255/0.0.0.255 -m limit --limit 3/min -j LOG --log-prefix "iptables: Invalid:"
    -A DropInvalid -j DROP
    -A DropScan ! -d 0.0.0.255/0.0.0.255 -m limit --limit 3/min -j LOG --log-prefix "iptables: Scan detected:"
    -A DropScan -j DROP
    -A DropDDOS ! -d 0.0.0.255/0.0.0.255 -m limit --limit 3/min -j LOG --log-prefix "iptables: DDOS detected:"
    -A DropDDOS -j DROP
    ##################################################################
    # Add any additional rules that fail2ban has added
    ##################################################################
    # [RULES:FAIL2BAN]
    COMMIT
  IPT

  # Seed for iface.dmz: one interface name per line; ships with every
  # example commented out, i.e. no DMZ interface by default.
  IFACE_DMZ = <<~'DMZ'
    # Generated by Shutter
    # iface
    # eth0
    # eth1
  DMZ

  # Seed for ip.allow: addresses or CIDR ranges permitted to reach the
  # private ports.  Ships with 192.168.0.0/16 active, so by default only
  # that RFC 1918 range is allowed through the AllowIP chain.
  IP_ALLOW = <<~'ALLOW'
    # Generated by Shutter
    # ipaddr
    # ipaddr/subnet
    192.168.0.0/16
  ALLOW

  # Seed for ip.deny: permanently banned addresses or CIDR ranges.  Ships
  # with the example range commented out, i.e. nothing banned by default.
  IP_DENY = <<~'DENY'
    # Generated by Shutter
    # ipaddr
    # ipaddr/subnet
    # 192.168.0.0/16
  DENY

  # Seed for ports.public: "<port> <proto>" lines open to everyone.  Ships
  # with only commented examples, i.e. no public port by default.  Note
  # this template (and PORTS_PRIVATE) starts with a blank line and carries
  # no "Generated by Shutter" header, unlike the templates above.
  PORTS_PUBLIC = <<~'PUBLIC'

    # proto port
    # 80 tcp
    # 443 tcp
  PUBLIC

  # Seed for ports.private: "<port> <proto>" lines reachable only from the
  # ip.allow ranges.  Ships with SSH (22/tcp) enabled.
  PORTS_PRIVATE = <<~'PRIVATE'

    # proto port
    22 tcp
  PRIVATE
end