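module Shutter
  # Static content shipped by Shutter: the names of its config files, the
  # iptables-restore template (BASE_IPT), the default contents written for
  # each config file on first run, and *_MOCK variants used by tests.
  #
  # Everything here is data only; the generator that reads these files and
  # fills the `# [RULES:...]` / `# [CHAIN:...]` markers lives elsewhere
  # (the template mentions "locker-restore" — verify against that code).
  module Content
    # Files Shutter manages. Order is preserved as given here.
    CONFIG_FILES = %w[
      base.ipt
      iface.dmz
      iface.forward
      ip.allow
      ip.deny
      ports.private
      ports.public
    ]

    # iptables-restore template for the filter and nat tables.
    #
    # Policy summary (all visible in the rules below):
    #   * INPUT and FORWARD default to DROP; OUTPUT is ACCEPT.
    #   * `-j Jail` runs before the RELATED,ESTABLISHED accept, so a jailed
    #     source loses its existing connections too, not just new ones.
    #   * INVALID-state packets are logged and dropped via DropInvalid.
    #   * Traffic must pass Dmz, Bastards (deny list), Public (open ports)
    #     and AllowIP (allow list) before reaching Allowed; anything that
    #     falls through is logged (1/min) and dropped.
    #   * Allowed only accepts ICMP echo/reply/unreachable/time-exceeded and
    #     whatever Private RETURNs for; Private logs (3/min) and drops the rest.
    #   * Every LOG rule carries `! -d 0.0.0.255/0.0.0.255` (skip broadcast
    #     destinations) and a `-m limit` so log volume is bounded.
    #
    # NOTE(review): DropScan and DropDDOS are declared but no static rule
    # jumps to them; presumably they are targets for dynamically inserted
    # rules — confirm with the generator before removing them.
    #
    # The lines of the form `# [RULES:NAME]` and `# [CHAIN:FAIL2BAN]` look
    # like substitution anchors for the generator; keep them verbatim.
    # Example rules inside the template use <iface>, <ip>/<mask>, <proto>
    # and <port> as placeholders.
    BASE_IPT = %q{# Generated by Shutter
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:Dmz - [0:0]
:ValidCheck - [0:0]
:Jail - [0:0]
:Bastards - [0:0]
:Public - [0:0]
:AllowIP - [0:0]
:Allowed - [0:0]
:Private - [0:0]
:DropJail - [0:0]
:DropBastards - [0:0]
:DropInvalid - [0:0]
:DropScan - [0:0]
:DropDDOS - [0:0]
# [CHAIN:FAIL2BAN]
-A INPUT -i lo -j ACCEPT
-A INPUT -j Jail
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -j ValidCheck
-A INPUT -j Dmz
-A INPUT -j Bastards
-A INPUT -j Public
-A INPUT -j AllowIP
-A INPUT ! -d 0.0.0.255/0.0.0.255 -m limit --limit 1/min -j LOG --log-prefix "iptables: Block:"
-A INPUT -j DROP
##################################################################
# Jail goes here. Jail and any fail2ban chains will be
# taken care of dynamically in locker-restore.
##################################################################
# [RULES:JAIL]
##################################################################
# Validity checking
##################################################################
-A ValidCheck -m state --state INVALID -j DropInvalid
-A ValidCheck -j RETURN
##################################################################
# DMZ. Read from iface.dmz and added as:
# -A INPUT -i <iface> -j ACCEPT
##################################################################
# [RULES:DMZ]
-A Dmz -j RETURN
##################################################################
# All IP address ranges that are permanently banned. If
# no IP addresses are given, then all will be assumed that no ip
# addresses are banned and create the following rule
# -A Bastards -j RETURN
# otherwise a list of banned ips will be generated from ip.deny
# and will look like this:
# -A Bastards -s <ip>/<mask> -j DropBastards
##################################################################
# [RULES:BASTARDS]
-A Bastards -j RETURN
##################################################################
# A list of authorized ports for the public access. If there are
# entries in the ports.public file then they will be added as:
# -A Public -m state --state NEW -p <proto> -m <proto> --dport <port> -j ACCEPT
##################################################################
# [RULES:PUBLIC]
-A Public -j RETURN
##################################################################
# All IP address ranges that are allowed to access the ports. If
# no IP addresses are given, then all will be assumed and a rule
# to jump to the Allowed chain will be created:
# -A AllowIP -j Allowed
# otherwise a list of allowed ips will be generated from ip.allow
# and will look like this:
# -A AllowIP -s 129.101.159.128/26 -j Allowed
##################################################################
# [RULES:ALLOWIP]
-A AllowIP -j RETURN
##################################################################
# Allowed. If a packet has met all the requirements it will end
# up here. This should be a static chain.
##################################################################
-A Allowed -p icmp -m state --state NEW -m icmp --icmp-type 0 -j ACCEPT
-A Allowed -p icmp -m state --state NEW -m icmp --icmp-type 3 -j ACCEPT
-A Allowed -p icmp -m state --state NEW -m icmp --icmp-type 8 -j ACCEPT
-A Allowed -p icmp -m state --state NEW -m icmp --icmp-type 11 -j ACCEPT
-A Allowed -j Private
-A Allowed ! -d 0.0.0.255/0.0.0.255 -m limit --limit 1/min -j LOG --log-prefix "iptables: Authorized:"
-A Allowed -j ACCEPT
##################################################################
# A list of authorized ports for the allowed IPs. If there are
# entries in the ports.private file then they will be added as:
# -A Private -m state --state NEW -p <proto> -m <proto> --dport <port> -j RETURN
##################################################################
# [RULES:PRIVATE]
-A Private ! -d 0.0.0.255/0.0.0.255 -m limit --limit 3/min -j LOG --log-prefix "iptables: Unauthorized:"
-A Private -j DROP
##################################################################
# Log and Drops
##################################################################
-A DropJail ! -d 0.0.0.255/0.0.0.255 -m limit --limit 3/min -j LOG --log-prefix "iptables: Jail:"
-A DropJail -j DROP
-A DropBastards ! -d 0.0.0.255/0.0.0.255 -m limit --limit 3/min -j LOG --log-prefix "iptables: Bastards:"
-A DropBastards -j DROP
-A DropInvalid ! -d 0.0.0.255/0.0.0.255 -m limit --limit 3/min -j LOG --log-prefix "iptables: Invalid:"
-A DropInvalid -j DROP
-A DropScan ! -d 0.0.0.255/0.0.0.255 -m limit --limit 3/min -j LOG --log-prefix "iptables: Scan detected:"
-A DropScan -j DROP
-A DropDDOS ! -d 0.0.0.255/0.0.0.255 -m limit --limit 3/min -j LOG --log-prefix "iptables: DDOS detected:"
-A DropDDOS -j DROP
##################################################################
# NATing
##################################################################
# [RULES:FORWARD]
-A FORWARD ! -d 0.0.0.255/0.0.0.255 -m limit --limit 3/min -j LOG --log-prefix "iptables: Bad NAT:"
-A FORWARD -j DROP
##################################################################
# Add any additional rules that fail2ban has added
##################################################################
# [RULES:FAIL2BAN]
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
# [RULES:POSTROUTING]
COMMIT
}

    # Default iface.dmz: one interface name per line; no interface is
    # exposed until the operator uncomments one.
    IFACE_DMZ = %q{# Generated by Shutter
# device
# eth0
# eth1
}

    # Default ip.allow: sources permitted to reach the private ports.
    # Ships with the whole 192.168.0.0/16 range enabled; operators should
    # narrow this to the hosts that actually need access.
    IP_ALLOW = %q{# Generated by Shutter
# ipaddr
# ipaddr/subnet
192.168.0.0/16
}

    # Default ip.deny: permanently banned sources; empty by default.
    IP_DENY = %q{# Generated by Shutter
# ipaddr
# ipaddr/subnet
# 192.168.0.0/16
}

    # Default ports.public: "<port> <proto>" per line (the examples and the
    # mock data put the port first). Nothing is open by default.
    PORTS_PUBLIC = %q{
# port proto
# 80 tcp
# 443 tcp
}

    # Default ports.private: "<port> <proto>" per line, reachable only from
    # ip.allow sources. Ships with 22/tcp so remote administration keeps working.
    PORTS_PRIVATE = %q{
# port proto
22 tcp
}

    # Default iface.forward: "<src iface> <dst iface>" pairs; none by default.
    IFACE_FORWARD = %q{
# src iface | dst iface
# eth0 eth1
}

    # --- Test fixtures: populated variants of the files above -------------

    IFACE_DMZ_MOCK = %q{# Generated by Shutter
# device
eth0
eth1
}

    IP_ALLOW_MOCK = %q{# Generated by Shutter
# ipaddr
# ipaddr/subnet
192.168.0.0/16
10.0.0.1
}

    IP_DENY_MOCK = %q{# Generated by Shutter
# ipaddr
# ipaddr/subnet
172.31.0.0/24
8.9.9.9
}

    PORTS_PUBLIC_MOCK = %q{
# port proto
80 tcp
443 tcp
}

    PORTS_PRIVATE_MOCK = %q{
# port proto
22 tcp
}

    IFACE_FORWARD_MOCK = %q{
# src iface | dst iface
eth0 eth1
}
  end
end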