Wiki

User Tools

Site Tools

Trace:
computer_setup:firewall

Differences

This shows you the differences between two versions of the page.

Link to this comparison view

Both sides previous revisionPrevious revision
Next revision		Previous revision
computer_setup:firewall [2021/07/03 10:08] petercomputer_setup:firewall [2021/07/03 11:37] (current) peter
Line 6: Line 6:
  
 <code> <code>
 +cat /sys/module/xt_recent/parameters/ip_list_tot 
 +cat /sys/module/xt_recent/parameters/ip_pkt_lisA
 +cat /sys/module/xt_recent/parameters/ip_list_uid
 +cat /sys/module/xt_recent/parameters/ip_list_tot 
 +
 +echo 100000 > /sys/module/xt_recent/parameters/ip_list_tot 
 +/sbin/modprobe ipt_recent ip_list_tot=100000 ip_pkt_list_tot=255
 +
 most /proc/net/xt_recent/ATTACK most /proc/net/xt_recent/ATTACK
 /proc/net/xt_recent/BANNED1 /proc/net/xt_recent/BANNED1
Line 12: Line 20:
 /proc/net/xt_recent/BANNED4 /proc/net/xt_recent/BANNED4
 /var/log/iptables.log /var/log/iptables.log
 +
 +grep src=64. /proc/net/xt_recent/*
 +echo -64.20.227.134 > /proc/net/xt_recent/ATTACK 
 +echo -64.20.227.134 > /proc/net/xt_recent/BANNED1
 +
 +grep 192.168.1. /proc/net/xt_recent/*
 +wc /proc/net/xt_recent/*
  
 apt install ipcalc apt install ipcalc
Line 18: Line 33:
 ipcalc 96.0.0.0/4 ipcalc 96.0.0.0/4
 </code> </code>
 +
 +----
 +
 +===== Firewall Reset =====
 +
 +<code bash>
 +#!/bin/bash
 +#
 +# Resets all firewall rules
 +
 +echo "Stopping firewall and allowing everyone..."
 +
 +#
 +# Modify the following settings as required:
 +#
 +
 +IPTABLES=/sbin/iptables
 +
 +#
 +# Reset the default policies in the filter table.
 +#
 +
 +$IPTABLES -P INPUT ACCEPT
 +$IPTABLES -P FORWARD ACCEPT
 +$IPTABLES -P OUTPUT ACCEPT
 +
 +#
 +# Reset the default policies in the nat table.
 +#
 +
 +$IPTABLES -t nat -P PREROUTING ACCEPT
 +$IPTABLES -t nat -P POSTROUTING ACCEPT
 +$IPTABLES -t nat -P OUTPUT ACCEPT
 +
 +#
 +# Reset the default policies in the mangle table.
 +#
 +
 +$IPTABLES -t mangle -P PREROUTING ACCEPT
 +$IPTABLES -t mangle -P POSTROUTING ACCEPT
 +$IPTABLES -t mangle -P INPUT ACCEPT
 +$IPTABLES -t mangle -P OUTPUT ACCEPT
 +$IPTABLES -t mangle -P FORWARD ACCEPT
 +
 +#
 +# Flush all the rules in the filter, nat and mangle tables.
 +#
 +
 +$IPTABLES -F
 +$IPTABLES -t nat -F
 +$IPTABLES -t mangle -F
 +
 +#
 +# Erase all chains that are not default in filter, nat and mangle tables.
 +#
 +
 +$IPTABLES -X
 +$IPTABLES -t nat -X
 +$IPTABLES -t mangle -X
 +</code>
 +
 +----
 +
 +===== Firewall =====
 +
 +<code bash>
 +#!/bin/bash
 +#
 +# Modify the following settings as required:
 +#
 +# You should check/test that the firewall really works, using
 +# iptables -vnL, nmap, ping, telnet, ...
 +#
 +# TODO: ICQ, MSN, GTalk, Skype, Yahoo, etc...
 +
 +IPTABLES=/sbin/iptables
 +IP6TABLES=/sbin/ip6tables
 +LOAD_MODULES=yes
 +LOAD_MODULES_IPV6=no
 +DEPMOD=/sbin/depmod
 +MODPROBE=/sbin/modprobe
 +RMMOD=/sbin/rmmod
 +ARP=/usr/sbin/arp
 +
 +
 +#
 +# REJECT target works basically the same as the DROP target, but it also sends
 +# back an error message to the host sending the packet that was blocked.
 +#
 +# The REJECT target is as of today only valid in the INPUT, FORWARD and OUTPUT
 +# chains or their sub chains.
 +#
 +
 +# REJECT --reject-with tcp-reset        # RFC 793.  TCP RST packets are used to close open TCP connections gracefully.
 +# REJECT --icmp-net-unreachable         #
 +# REJECT --icmp-host-unreachable        #
 +# REJECT --icmp-port-unreachable        # Default
 +# REJECT --icmp-proto-unreachable       #
 +# REJECT --icmp-net-prohibited          #
 +# REJECT --icmp-host-prohibited         #
 +
 +
 +#*********************************************************
 +#
 +# Interfaces
 +#
 +#SERVER_INTERFACE=`ip addr show | awk '$1 == "inet" && $3 == "brd" { print $7 }'`
 +#SERVER_IP=`ifconfig $SERVER_INTERFACE | grep inet | awk '{ print $2 }'| cut -d : -f2`
 +
 +#tmp=$(/sbin/ifconfig $LANFACE | grep -m 1 inet | tr -d [:alpha:])
 +#ifconfig em1 | grep -m 1 inet | tr -d [:alpha:]
 +#INET_IP=$(echo $tmp | cut -d : -f2)
 +#INET_BCAST=$(echo $tmp | cut -d : -f3)
 +#INET_MASK=$(echo $tmp | cut -d : -f4)
 +#unset tmp
 +
 +#
 +# Internet Interface
 +#
 +#INET_IFACE="eth0"
 +#INET_IFACE="em1"
 +INET_IFACE="br0"
 +#INET_IFACE=$(/sbin/ifconfig | awk '/Link / { print $1 } ' | head -n 1)
 +INET_GW="192.168.1.1"
 +INET_IP="192.168.1.2"
 +INET_NET="192.168.1.0/24"
 +INET_BCAST="192.168.1.255"
 +#
 +
 +#
 +# Local Interface Information
 +#
 +#LOCAL_IFACE="eth1"
 +LOCAL_IFACE="em2"
 +#LOCAL_IFACE=$(/sbin/ifconfig | awk '/Link / { print $1 } ' | sed -n -e '2{p;q;}')
 +LOCAL_IP="192.168.0.2"
 +LOCAL_NET="192.168.0.0/24"
 +LOCAL_BCAST="192.168.0.255"
 +#
 +
 +#
 +# Localhost Interface
 +#
 +LO_IFACE="lo"
 +LO_IP="127.0.0.1"
 +#
 +
 +#
 +# Standard Definitions
 +#
 +ALL="0/0"
 +CLASS_A="10.0.0.0/8"
 +CLASS_B="172.16.0.0/12"
 +CLASS_C="192.168.0.0/16"
 +CLASS_D_MULTICAST="224.0.0.0/4"
 +CLASS_E_RESERVED_NET="240.0.0.0/5"
 +LOOPBACK="127.0.0.0/8"
 +P_PORTS="0:1023"
 +UP_PORTS="1024:65535"
 +#
 +
 +#
 +# DNS servers
 +#
 +DNS_SERVERS="83.137.248.244 93.187.151.197 8.8.8.8 8.8.4.4"
 +#
 +
 +###########################################################################
 +#
 +# Module loading.
 +#
 +if [ $LOAD_MODULES == "yes" ]; then
 +#
 +# Initially load modules
 +#
 +$DEPMOD -a
 +
 +#
 +# Required modules
 +#
 +$MODPROBE ip_tables                    # Required; all IPv4 modules depend on this one.
 +#$MODPROBE ip6_tables                   # Required; all IPv6 modules depend on this one.
 +$MODPROBE ip_conntrack                 # Allows connection tracking state match, which allows you to write rules matching the state of a connection.
 +$MODPROBE ip_conntrack_ftp             # Permits active FTP; requires ip_conntrack. Recognises connection is related to original port 21.
 +$MODPROBE iptable_filter               #
 +$MODPROBE iptable_mangle               # Implement the mangle table.
 +$MODPROBE iptable_nat                  # Implement the NAT table.
 +$MODPROBE ip_nat_ftp                   #
 +$MODPROBE ipt_LOG                      #
 +$MODPROBE ipt_limit                    # Allows log limits.
 +$MODPROBE ipt_state                    # Permits packet state checking (SYN, SYN-ACK, ACK, and so on).
 +#
 +# To prevent the dmesg command showing errors such as:
 +# xt_recent: hitcount (25) is larger than packets to be remembered (20)
 +#
 +# The following command shows all the xt_recent parameters:
 +# head /sys/module/xt_recent/parameters/*
 +#
 +# ls -al  /proc/net/xt_recent/
 +#
 +# Use modinfo xt_recent to see the possible parameters.
 +#
 +# ls -1 /sys/module/xt_recent/parameters/
 +# Any of the parameters can be checked by simply:
 +# cat /sys/module/xt_recent/parameters/ip_pkt_list_tot
 +#
 +#$RMMOD xt_recent
 +$MODPROBE xt_recent ip_list_tot=100000 ip_pkt_list_tot=255
 +#$MODPROBE ipt_recent ip_list_tot=100000 ip_pkt_list_tot=255
 +#
 +# Non-Required modules
 +#
 +#$MODPROBE ipt_owner                    #
 +#$MODPROBE ipt_REJECT                   # Implement the REJECT target.
 +#$MODPROBE ipt_MASQUERADE               #
 +#$MODPROBE ip_conntrack_ftp             #
 +#$MODPROBE ip_conntrack_irc             #
 +#$MODPROBE ip_nat_ftp                   #
 +#$MODPROBE ip_nat_irc                   #
 +#
 +fi
 +
 +
 +
 +
 +#*********************************************************
 +# What to allow
 +#
 +# 0=no
 +# 1=yes
 +#
 +ALLOW_APPLESHARE_IN=0                  # 500
 +ALLOW_APPLESHARE_OUT=0                 # 500
 +ALLOW_BITTORRENT_IN=0                  #
 +ALLOW_BITTORRENT_OUT=0                 #
 +ALLOW_BOOTP_CLIENT_IN=0                # 68 DHCP boot protocol client
 +ALLOW_BOOTP_CLIENT_OUT=0               # 68 DHCP boot protocol client
 +ALLOW_BOOTP_SERVER_IN=0                # 67 DHCP boot protocol server
 +ALLOW_BOOTP_SERVER_OUT=0               # 67 DHCP boot protocol server
 +ALLOW_CHARGEN_IN=0                     # 19
 +ALLOW_CHARGEN_OUT=0                    # 19
 +ALLOW_CORBA_IIOP_IN=0                  # 535
 +ALLOW_CORBA_IIOP_OUT=0                 # 535
 +ALLOW_CUPS_IN=0                        # CUPS printer service
 +ALLOW_CUPS_OUT=0                       # CUPS printer service
 +ALLOW_CVS_IN=0                         #
 +ALLOW_CVS_OUT=0                        #
 +ALLOW_DAYTIME_IN=0                     # 13 daytime-server
 +ALLOW_DAYTIME_OUT=0                    # 13 daytime-server
 +ALLOW_DHCP_BROADCAST_IN=1              #
 +ALLOW_DHCP_BROADCAST_OUT=1             #
 +ALLOW_DISCARD_IN=0                     # 9 discard-server
 +ALLOW_DISCARD_OUT=0                    # 9 discard-server
 +ALLOW_DNS_IN=1                         # 53
 +ALLOW_DNS_OUT=1                        # 53
 +ALLOW_ECHO_IN=0                        # 7 echo-server
 +ALLOW_ECHO_OUT=0                       # 7 echo-server
 +ALLOW_FINGER_IN=0                      # 79
 +ALLOW_FINGER_OUT=0                     # 79
 +ALLOW_FTP_IN=1                         # 20, 21=ftp-data
 +ALLOW_FTP_OUT=1                        # 20, 21=ftp-data
 +ALLOW_HTTP_IN=1                        # 80
 +ALLOW_HTTP_OUT=1                       # 80
 +ALLOW_HTTPS_IN=1                       # 443
 +ALLOW_HTTPS_OUT=1                      # 443
 +ALLOW_ICMP_PARAM_PROBLEM_IN=0          #
 +ALLOW_IDENT_IN=1                       # 59??? What about 113?  Are these different?
 +ALLOW_IDENT_OUT=1                      # 59??? What about 113?  Are these different?
 +ALLOW_IMAP_IN=1                        # 143
 +ALLOW_IMAP_OUT=1                       # 143
 +ALLOW_IMAPS_IN=1                       # 993
 +ALLOW_IMAPS_OUT=1                      # 993
 +ALLOW_IRC_IN=0                         #
 +ALLOW_IRC_OUT=0                        #
 +ALLOW_KAZAA_IN=0                       # 1214
 +ALLOW_KAZAA_OUT=0                      # 1214
 +ALLOW_KPASSWD_IN=0                     # 464
 +ALLOW_KPASSWD_OUT=0                    # 464
 +ALLOW_KRB5_IN=0                        # 88 Kerberos
 +ALLOW_KRB5_OUT=0                       # 88 Kerberos
 +ALLOW_LDAP_IN=0                        # 389
 +ALLOW_LDAP_OUT=0                       # 389
 +ALLOW_LDAPS_IN=0                       # 636 Secure LDAP
 +ALLOW_LDAPS_OUT=0                      # 636 Secure LDAP
 +ALLOW_LINUX_CONF_IN=0                  # 98
 +ALLOW_LINUX_CONF_OUT=0                 # 98
 +ALLOW_LINUX_MOUNTD_BUG_IN=0            # 635
 +ALLOW_LINUX_MOUNTD_BUG_OUT=0           # 635
 +ALLOW_MS_EXCHANGE_IN=0                 # 691
 +ALLOW_MS_EXCHANGE_OUT=0                # 691
 +ALLOW_MS_FILE_SERVER_FOR_MACINTOSH_IN=0 # 548 Enables Macintosh computer users to store and access files on a computer running Windows Server 2003.
 +ALLOW_MS_FILE_SERVER_FOR_MACINTOSH_OUT=0 # 548 Enables Macintosh computer users to store and access files on a computer running Windows Server 2003
 +ALLOW_MS_FT_DS_IN=0                    # 445
 +ALLOW_MS_FT_DS_OUT=0                   # 445
 +ALLOW_MS_RPC_IN=0                      # 135
 +ALLOW_MS_RPC_OUT=0                     # 135
 +ALLOW_MS_RPC_OVER_HTTP_IN=0            # 593
 +ALLOW_MS_RPC_OVER_HTTP_OUT=0           # 593
 +ALLOW_MSSQL_IN=0                       # 1433 MSSQL database
 +ALLOW_MSSQL_OUT=0                      # 1433 MSSQL database
 +ALLOW_MSSQL_MONITOR_IN=0               # 1434 MSSQL monitor
 +ALLOW_MSSQL_MONITOR_OUT=0              # 1434 MSSQL monitor
 +ALLOW_MYSQL_IN=0                       # 3306 MySQL database
 +ALLOW_MYSQL_OUT=0                      # 3306 MySQL database
 +ALLOW_NC_IN=0                          # 2030
 +ALLOW_NC_OUT=0                         # 2030
 +ALLOW_NCP_IN=0                         # 524
 +ALLOW_NCP_OUT=0                        # 524
 +ALLOW_NETWORK_LOG_CLIENT_IN=0          # 1394
 +ALLOW_NETWORK_LOG_CLIENT_OUT=0         # 1394
 +ALLOW_NFS_IN=0                         # 1025
 +ALLOW_NFS_OUT=0                        # 1025
 +ALLOW_NNTP_IN=0                        # 119 NNTP news
 +ALLOW_NNTP_OUT=0                       # 119 NNTP news
 +ALLOW_NTP_IN=1                         # 123
 +ALLOW_NTP_OUT=1                        # 123
 +ALLOW_OPENVPN_IN=0                     #
 +ALLOW_OPENVPN_OUT=0                    #
 +ALLOW_PCANYWHERE_IN=0                  # 5623
 +ALLOW_PCANYWHERE_OUT=0                 # 5623
 +ALLOW_PC_SERVER_BACKDOOR_IN=0          # 600
 +ALLOW_PC_SERVER_BACKDOOR_OUT=0         # 600
 +ALLOW_PHASE_ZERO_IN=0                  # 555
 +ALLOW_PHASE_ZERO_OUT=0                 # 555
 +ALLOW_PING_IN=0                        #
 +ALLOW_PING_OUT=1                       #
 +ALLOW_PLESK_IN=0                       # PLESK desktop
 +ALLOW_PLESK_OUT=0                      # PLESK desktop
 +ALLOW_PLEX_IN=1                        # PLEX
 +ALLOW_PLEX_OUT=1                       # PLEX
 +ALLOW_POP2_IN=0                        # 109
 +ALLOW_POP2_OUT=0                       # 109
 +ALLOW_POP3_IN=1                        # 110
 +ALLOW_POP3_OUT=1                       # 110
 +ALLOW_POP3S_IN=1                       # 995
 +ALLOW_POP3S_OUT=1                      # 995
 +ALLOW_POSTGRESQL_IN=0                  #
 +ALLOW_POSTGRESQL_OUT=0                 #
 +ALLOW_PRINT_IN=0                       # 515 Allow printer port
 +ALLOW_PRINT_OUT=0                      # 515 Allow printer port
 +ALLOW_REAL_SERVER_IN=0                 # 554
 +ALLOW_REAL_SERVER_OUT=0                # 554
 +ALLOW_ROUTE_IN=0                       # 520
 +ALLOW_ROUTE_OUT=0                      # 520
 +ALLOW_RWHO_IN=0                        # 513
 +ALLOW_RWHO_OUT=0                       # 513
 +ALLOW_RWHOIS_IN=1                      # 4321
 +ALLOW_RWHOIS_OUT=1                     # 4321
 +ALLOW_SAMBA_IN=1                       # 137=SMB Name, 138=SMB Data, 139=SMB Session
 +ALLOW_SAMBA_OUT=1                      # 137=SMB Name, 138=SMB Data, 139=SMB Session
 +ALLOW_SGI_IRIX_TCPMUX_IN=0             # 1
 +ALLOW_SGI_IRIX_TCPMUX_OUT=0            # 1
 +ALLOW_SMTP_IN=1                                          # 25 Do NOT allow unencrypted SMTP! Use SMTPS instead.
 +ALLOW_SMTP_OUT=1                                         # 25 Do NOT allow unencrypted SMTP! Use SMTPS instead.
 +ALLOW_SMTPS_IN=1                       # 465
 +ALLOW_SMTPS_OUT=1                      # 465
 +ALLOW_SNMP_IN=0                        # 161
 +ALLOW_SNMP_OUT=0                       # 161
 +ALLOW_SOCKS5_IN=0                      # 1080
 +ALLOW_SOCKS5_OUT=0                     # 1080
 +ALLOW_SSH_IN=1                         # 22
 +ALLOW_SSH_OUT=1                        # 22
 +ALLOW_SQL_IN=0                         # 1114
 +ALLOW_SQL_OUT=0                        # 1114
 +ALLOW_SQUID_IN=0                       # 3128 SQUID proxy
 +ALLOW_SQUID_OUT=0                      # 3128 SQUID proxy
 +ALLOW_SUB7_IN=0                        # 1243
 +ALLOW_SUB7_OUT=0                       # 1243
 +ALLOW_SUBMISSION_IN=1                  # 587
 +ALLOW_SUBMISSION_OUT=1                 # 587
 +ALLOW_SUNRPC_IN=0                      # 111 Also RPCbind
 +ALLOW_SUNRPC_OUT=0                     # 111 Also RPCbind
 +ALLOW_SVN_IN=0                         #
 +ALLOW_SVN_OUT=0                        #
 +ALLOW_TELNET_IN=0                      # 23
 +ALLOW_TELNET_OUT=0                     # 23
 +ALLOW_TFTP_IN=0                        # 69 Trivial FTP
 +ALLOW_TFTP_OUT=0                       # 69 Trivial FTP
 +ALLOW_TIME_IN=0                        # 37
 +ALLOW_TIME_OUT=0                       # 37
 +ALLOW_TIME_SERVER_IN=0                 # 525
 +ALLOW_TIME_SERVER_OUT=0                # 525
 +ALLOW_TOMCAT_IN=0                      # 9080
 +ALLOW_TOMCAT_OUT=0                     # 9080
 +ALLOW_TOR_OUT=0                        #
 +ALLOW_TRACEROUTE_IN=0                  #
 +ALLOW_TRACEROUTE_OUT=1                 #
 +ALLOW_UNIX_SYSSTAT_IN=0                # 11
 +ALLOW_UNIX_SYSSTAT_OUT=0               # 11
 +ALLOW_UPNP_IN=0                        # 2869 Universal Plug and Play
 +ALLOW_UPNP_OUT=0                       # 2869 Universal Plug and Play
 +ALLOW_WEBLOGIN_IN=1                    # 2054 Needed for sharing
 +ALLOW_WEBLOGIN_OUT=0                   # 2054 Needed for sharing
 +ALLOW_WHOIS_IN=1                       # 43 See also RWHOIS
 +ALLOW_WHOIS_OUT=1                      # 43 See also RWHOIS
 +ALLOW_WINDOWS_MESSAGE_IN=0             # 1026, 1027
 +ALLOW_WINDOWS_MESSAGE_IN=0             # 1026, 1027
 +ALLOW_TRACEROUTE_IN=1                  #
 +ALLOW_TRACEROUTE_OUT=1                 #
 +ALLOW_XDMCP_IN=0                       # 177
 +ALLOW_XDMCP_OUT=0                      # 177
 +ALLOW_XWINDOWS_IN=0                    #
 +ALLOW_XWINDOWS_OUT=0                   #
 +ALLOW_XWINDOWS_FONTSERVER_IN=0         #
 +ALLOW_XWINDOWS_FONTSERVER_OUT=0        #
 +
 +BLOCK_AKAMAI=1                         #
 +BLOCK_BROADCASTS=1                     #
 +BLOCK_BRUTE_FORCE_ATTACKS=1            #
 +BLOCK_CONNECTIONS_COUNT=1              #
 +BLOCK_DROPBOX_LAN_SYNC_BROADCASTS=1    #
 +BLOCK_FACEBOOK=0                       #
 +BLOCK_FLOODS=1                         #
 +BLOCK_SAMBA_WITHOUT_LOGGING=0          #
 +BLOCK_OVERSIZE_ICMP_PACKETS=1          #
 +BLOCK_VIRUSES=1                        #
 +
 +DO_BAD_PACKETS_LAST=0                  # Less logging
 +DO_KERNEL_SECURE=1                     # Set various kernel network protection on
 +DO_LOG_SCANS=1                         # if 1 will log well known scans whilst dropping them
 +DO_MASQUERADE=0                        # if 0 will use SNAT / DNAT
 +DO_PORT_KNOCKING=0                     # if 1 will allow Port Knocking
 +DO_QUICK_NTP=0                         # if 1 will allow NTP in without any checks
 +DO_QUOTA=0                             # If 1 then will switch on quota checking
 +DO_REJECT_INSTEAD_OF_DROP=0            # Reject instead of drop
 +DO_STEALTH_ALL_IN=0                    # Stealth all incoming
 +DO_WHITELISTING=0                      # Dangerous if made a 1
 +#
 +
 +#*********************************************************
 +#
 +# /proc sysctl settings
 +#
 +PROC_SYSCTL_IP_FORWARD=1               # To enable ipforward, VERY important
 +PROC_SYSCTL_BLOCK_ALL_PINGS_IN=1       # Block ALL the pings from everywhere
 +PROC_SYSCTL_BLOCK_BROADCAST_PINGS_IN=1 # Don't respond to broadcast pings (smurf)
 +PROC_SYSCTL_ICMP_ERROR_MESG=1          # Protect against bogus error messages
 +PROC_SYSCTL_LOG_MARTIANS=1             # Log packets with impossible addresses
 +PROC_SYSCTL_IP_SPOOFING=1              # Disable spoofing attacks on ALL interfaces
 +PROC_SYSCTL_REDUCE_DOS=1               # Reduces the timeouts and the posibility of a DOS
 +PROC_SYSCTL_SYN_COOKIES=1              # Enable tcp syn cookies protection
 +PROC_SYSCTL_TIME_STAMPS=1              # Enable tcp timestamps protection
 +PROC_SYSCTL_SOURCE_ROUTED=1            # Ignore source routed packets
 +PROC_SYSCTL_ACCEPT_REDIRECTS=1         # Ignore accepted redirected packets
 +PROC_SYSCTL_SEND_REDIRECTS=1           # Ignore send redirected packets
 +PROC_SYSCTL_SECURE_REDIRECTS=1         # Enable secure redirects
 +PROC_SYSCTL_DISABLE_BOOTP_RELAY=1      # Disable BootP relays
 +PROC_SYSCTL_DISABLE_PROXY_ARP=1        # Disable Proxy ARP
 +#
 +
 +#*********************************************************
 +# Trusted hosts
 +#
 +# Hosts that are auto allowed into the system if WhiteListing
 +# is allowed.
 +#
 +TRUSTED_HOSTS="192.168.0.10"
 +UNTRUSTED_HOSTS="123.123.123.123,134.134.134.134"
 +#UNTRUSTED_HOSTS="123.123.123.123,www.facebook.com"
 +#
 +
 +#*********************************************************
 +# Port Knocking
 +#
 +# Port knocking is a method of externally opening ports on a firewall by
 +# generating a connection attempt on a set of prespecified closed ports.
 +#
 +# Once a correct sequence of connection attempts is received, the firewall
 +# rules are dynamically modified to allow the host which sent the connection
 +# attempts to connect over specific port(s).
 +#
 +PORT_KNOCK_1="3456"
 +PORT_KNOCK_2="4567"
 +PORT_KNOCK_3="1234"
 +PORT_KNOCK_ALLOW="22"
 +#
 +
 +#*********************************************************
 +# Websites to stop
 +#
 +#WEB_FACEBOOK="facebook.com"
 +#
 +
 +#*********************************************************
 +# Connection limits
 +#
 +# Against brute-force attacks.
 +#
 +#               4 connect/min  5 connects/3 mins   10 connects/10 mins   25 connects/20 mins   50 connects/40 mins   ...
 +# Offense #1         10 min            30 min              1 hour                2 hours               3 hours
 +# Offense #2         30 min            1 hour              2 hours               3 hours               6 hours
 +# Offense #3         1 hour            2 hours             3 hours               6 hours               1 day
 +# Offense #4         2 hours           3 hours             6 hours               1 day                 1 week
 +# Offense #5         3 hours           6 hours             1 day                 1 week                1 month
 +# Offense #6         6 hours           1 day               1 week                1 month               1 month
 +# Offense #7         1 day             1 week              1 month               1 month               1 month
 +# Offense #8         1 week            1 month             1 month               1 month               1 month
 +# Offense #9         1 month           1 month             1 month               1 month               1 month
 +#
 +CONNECTION_MAX_1=4                     # 4 Connections
 +CONNECTION_MAX_2=5                     # 5 Connections
 +CONNECTION_MAX_3=10                    # 10 Connections
 +CONNECTION_MAX_4=25                    # 25 Connections
 +CONNECTION_MAX_5=50                    # 50 Connections
 +CONNECTION_MAX_6=75                    # 75 Connections
 +CONNECTION_MAX_7=100                   # 100 Connections
 +CONNECTION_MAX_8=200                   # 200 Connections
 +CONNECTION_MAX_9=255                   # 255 Connections
 +#
 +CONNECTION_LIMIT_1=60                  # 1 Minute
 +CONNECTION_LIMIT_2=180                 # 3 Minutes
 +CONNECTION_LIMIT_3=600                 # 10 Minutes
 +CONNECTION_LIMIT_4=1200                # 20 Minutes
 +CONNECTION_LIMIT_5=2400                # 40 Minutes
 +CONNECTION_LIMIT_6=3600                # 60 Minutes  (1 hour)
 +CONNECTION_LIMIT_7=7200                # 120 Minutes (2 hours)
 +CONNECTION_LIMIT_8=10800               # 180 Minutes (3 hours)
 +CONNECTION_LIMIT_9=21600               # 360 minutes (6 hours)
 +#
 +# Offence timeouts
 +CONNECTION_TIMEOUT_1=600               # 10 Minute
 +CONNECTION_TIMEOUT_2=1800              # 30 Minutes
 +CONNECTION_TIMEOUT_3=3600              # 60 Minutes  (1 hour)
 +CONNECTION_TIMEOUT_4=7200              # 120 Minutes (2 hours)
 +CONNECTION_TIMEOUT_5=10800             # 180 Minutes (3 hours)
 +CONNECTION_TIMEOUT_6=21600             # 360 Minutes (6 hours)
 +CONNECTION_TIMEOUT_7=86400             # 24 hours    (1 day)
 +CONNECTION_TIMEOUT_8=604800            # 168 hours   (1 week)
 +CONNECTION_TIMEOUT_9=2635200           # 732 hours   (1 month)
 +
 +
 +#*********************************************************
 +# Log limit
 +#
 +LOG_LEVEL=7
 +#LOG="LOG --log-level debug --log-tcp-sequence --log-tcp-options"
 +#LOG="$LOG --log-ip-options"
 +#LOG="--log-ip-options --log-tcp-options
 +#
 +
 +#*********************************************************
 +# String Search Algorith
 +#
 +STRING_ALGO="bm"
 +STRING_ALGO2="kmp"
 +#
 +
 +#*********************************************************
 +# Quota limits
 +#
 +QUOTA_LIMIT_TCP="2147483648"           # 2 GB Quota limit
 +QUOTA_LIMIT_UDP="2147483648"           # 2 GB Quota limit
 +QUOTA_LIMIT_ICMP="2147483648"          # 2 GB Quota limit
 +#
 +
 +#*********************************************************
 +# DNS limits
 +#
 +# Limits the number of DNS queries per second to 5/s
 +# with a burst rate of 15/s and does not require buffer space changes.
 +#
 +# Limit the requests per second to 5, which leads to 35 requests in 7 seconds.
 +# To solve the first-second burst, allow for 15 requests to happen in each of
 +# the seven seconds.
 +
 +# DNS open time.
 +DNS_TIMEOUT="7"
 +
 +# DNS Requests per second
 +DNS_BURST="15"
 +
 +# DNS Requests per 7 seconds
 +DNS_TOTAL_REQUESTS="35"
 +#
 +
 +#*********************************************************
 +# Flooding limits
 +
 +#
 +# Limit per second
 +LIMIT_PER_SECOND="4"
 +#
 +
 +# Limit for SYN connections
 +LIMIT_SYN_MAX="9"
 +#
 +
 +# Limit for SYN-Flood detection
 +LIMIT_SYN="5/s"
 +#
 +
 +#
 +# Burst Limit for SYN-Flood detection
 +LIMIT_SYN_BURST="10"
 +#
 +
 +#
 +# Overall Limit for Logging in Logging-Chains
 +LIMIT_LOG="2/s"
 +#
 +
 +#
 +# Burst Limit for Logging in Logging-Chains
 +LIMIT_LOG_BURST="10"
 +#
 +
 +#
 +# Overall Limit for TCP-Flood-Detection
 +LIMIT_TCP="5/s"
 +#
 +
 +#
 +# Burst Limit for TCP-Flood-Detection
 +LIMIT_TCP_BURST="10"
 +#
 +
 +#
 +# Overall Limit for UDP-Flood-Detection
 +LIMIT_UDP="5/s"
 +#
 +
 +#
 +# Burst Limit for TCP-Flood-Detection
 +LIMIT_UDP_BURST="10"
 +#
 +
 +#
 +# Overall Limit for Ping-Flood-Detection
 +LIMIT_PING="5/s"
 +#
 +
 +#
 +# Burst Limit for Ping-Flood-Detection
 +LIMIT_PING_BURST="10"
 +#
 +
 +#**************************************************
 +#********** Do not edit beyond this line **********
 +#**************************************************
 +
 +#
 +# IP Mask for all IP addresses
 +PORTS_UNIVERSE="0.0.0.0/0"
 +PORTS_BROADCAST="255.255.255.255"
 +#
 +
 +#
 +# Ports for Dropbox Lan Sync Broadcasts
 +PORTS_DROPBOX_LAN_SYNC_BROADCASTS="17500"
 +#
 +
 +#
 +# Ports for IRC-Connection-Tracking
 +PORTS_IRC="6665,6666,6667,6668,6669,7000"
 +#
 +
 +#
 +# Ports for PLEX
 +PORTS_PLEX="32412:32414"
 +#
 +
 +#
 +# Ports for TOR
 +# (http://tor.eff.org)
 +PORTS_TOR="9001,9002,9030,9031,9090,9091"
 +#
 +
 +#
 +# Ports for traceroute
 +PORTS_TRACEROUTE_SRC="32769:65535"
 +PORTS_TRACEROUTE_DEST="33434:33523"
 +#
 +
 +#
 +# Specification of the high unprivileged IP ports.
 +PORTS_UNPRIV="1024:65535"
 +PORTS_PSSH="1000:1023"
 +#
 +
 +#
 +# Specification of X Window System (TCP)
 +PORTS_XWIN="6000:6063"
 +#
 +
 +#*********************************************************
 +# AKAMAI
 +#
 +# http://www.matveev.se/net/akamai.htm
 +#
 +RANGE_AKAMAI="2.16.0.0/13,2.23.144.0/20,23.0.0.0/12,23.32.0.0/11,23.64.0.0/14,62.115.0.0/16,72.246.0.0/15,80.239.128.0/19"
 +RANGE_AKAMAI="$RANGE_AKAMAI,80.239.160.0/19,80.239.192.0/19,80.239.224.0/19,84.53.168.0/22,88.221.176.0/21,96.6.0.0/15"
 +RANGE_AKAMAI="$RANGE_AKAMAI,96.16.0.0/15,217.208.0.0/13,74.125.0.0/16,173.194.0.0/16,209.85.128.0/17"
 +
 +#*********************************************************
 +# IANA RESERVED
 +#
 +RANGE_IANA_RESERVED="0.0.0.0/7,2.0.0.0/8,5.0.0.0/8,7.0.0.0/8,10.0.0.0/8,23.0.0.0/8,27.0.0.0/8,31.0.0.0/8,36.0.0.0/7,39.0.0.0/8"
 +RANGE_IANA_RESERVED="$RANGE_IANA_RESERVED,42.0.0.0/8,49.0.0.0/8,50.0.0.0/8,77.0.0.0/8,78.0.0.0/7,92.0.0.0/6,96.0.0.0/4,112.0.0.0/5"
 +RANGE_IANA_RESERVED="$RANGE_IANA_RESERVED,120.0.0.0/8,169.254.0.0/16,172.16.0.0/12,173.0.0.0/8,174.0.0.0/7,176.0.0.0/5,184.0.0.0/6"
 +RANGE_IANA_RESERVED="$RANGE_IANA_RESERVED,192.0.2.0/24,197.0.0.0/8,198.18.0.0/15,223.0.0.0/8,224.0.0.0/3"
 +#
 +
 +#*********************************************************
 +# Mitigate ARP spoofing/poisoning and similar attacks.
 +#------------------------------------------------------------------------------
 +# Hardcode static ARP cache entries here
 +# $ARP -s IP-ADDRESS MAC-ADDRESS
 +#
 +
 +#*********************************************************
 +# Delete all existing rules
 +#
 +$IPTABLES -F
 +$IPTABLES -t nat -F
 +$IPTABLES -t mangle -F
 +$IPTABLES -X
 +$IPTABLES -t nat -X
 +$IPTABLES -t mangle -X
 +#
 +
 +#
 +# Zero all packets and counters.
 +#
 +$IPTABLES -Z
 +$IPTABLES -t nat -Z
 +$IPTABLES -t mangle -Z
 +
 +#
 +# Set Policies
 +# By default, drop everything except outgoing traffic
 +#
 +$IPTABLES -P INPUT DROP
 +$IPTABLES -P FORWARD DROP
 +$IPTABLES -P OUTPUT DROP
 +#
 +
 +# Set the nat/mangle/raw tables' chains to ACCEPT
 +$IPTABLES -t nat -P PREROUTING ACCEPT
 +$IPTABLES -t nat -P OUTPUT ACCEPT
 +$IPTABLES -t nat -P POSTROUTING ACCEPT
 +
 +$IPTABLES -t mangle -P PREROUTING ACCEPT
 +$IPTABLES -t mangle -P INPUT ACCEPT
 +$IPTABLES -t mangle -P FORWARD ACCEPT
 +$IPTABLES -t mangle -P OUTPUT ACCEPT
 +$IPTABLES -t mangle -P POSTROUTING ACCEPT
 +
 +
 +#if [ $BLOCK_BROADCASTS -eq 1 ]
 +#then
 +#$IPTABLES -A INPUT DROP
 +#$IPTABLES -A INPUT -d $INET_BCAST -i INET_IFACE -j DROP
 +#$IPTABLES -A INPUT -d 192.168.255.255  -i INET_IFACE -j DROP
 +#$IPTABLES -A INPUT -d 255.255.255.255 -i INET_IFACE -j DROP
 +#$IPTABLES -A INPUT -m pkttype --pkt-type broadcast -j DROP
 +#fi
 +
 +#*********************************************************
 +#
 +# Kernel configuration.
 +# For details see:
 +# * http://www.securityfocus.com/infocus/1711
 +# * http://www.linuxgazette.com/issue77/lechnyr.html
 +# * http://ipsysctl-tutorial.frozentux.net/chunkyhtml/index.html
 +# * /usr/src/linux/Documentation/filesystems/proc.txt
 +# * /usr/src/linux/Documentation/networking/ip-sysctl.txt
 +#
 +# Save these settings in the /etc/sysctl.conf file to make it permanent
 +#
 +#------------------------------------------
 +if [ $DO_KERNEL_SECURE -eq 1 ]
 +then
 +
 +#------------------------------------------
 +# Allow port forwarding - Enable IP NAT in the Linux kernel
 +#
 +#echo 1 > /proc/sys/net/ipv4/ip_forward
 +if [ $PROC_SYSCTL_IP_FORWARD -eq 1 ] ; then
 +  if [ -f /proc/sys/net/ipv4/ip_forward ] ; then
 +    echo 1 > /proc/sys/net/ipv4/ip_forward
 +    echo "          ip_forward activated"
 +  fi
 +fi
 +#
 +
 +#------------------------------------------
 +# Disabling IP Spoofing
 +#
 +#echo 2 > /proc/sys/net/ipv4/conf/all/rp_filter
 +if [ $PROC_SYSCTL_IP_SPOOFING -eq 1 ] ; then
 +  if [ -f /proc/sys/net/ipv4/conf/all/rp_filter ] ; then
 +    echo "2" > /proc/sys/net/ipv4/conf/all/rp_filter
 +    echo "          .....Blocking IP spoofing attacks"
 +  fi
 +#
 +
 +#------------------------------------------
 +# Enable IP spoofing protection (i.e. source address verification).
 +# Note: This is special, as it seems to only be enabled if you set
 +# */all/rp_filter AND */eth0/rp_filter (for example) to 1! Setting only
 +# */all/rp_filter alone does _not_ suffice, which is pretty counter-intuitive.
 +#
 +# Turn on reverse path filtering. This helps make sure that packets use
 +# legitimate source addresses, by automatically rejecting incoming packets
 +# if the routing table entry for their source address doesn't match the
 +# network interface they're arriving on. This has security advantages because
 +# it prevents so-called IP spoofing, however it can pose problems if you use
 +# asymmetric routing (packets from you to a host take a different path than
 +# packets from that host to you) or if you operate a non-routing host which
 +# has several IP addresses on different interfaces.
 +# (Note - If you turn on IP forwarding, you will also get this).
 +#
 +  for i in /proc/sys/net/ipv4/conf/*/rp_filter; do echo 1 > $i; done
 +#
 +fi
 +#
 +
 +#------------------------------------------
 +# Ignore all incoming ICMP echo requests (i.e. disable ping).
 +# Usually not a good idea, as some protocols and users need/want this.
 +# echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_all
 +#
 +if [ $PROC_SYSCTL_BLOCK_ALL_PINGS_IN -eq 1 ]
 +then
 +#echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_all
 +  if [ -f /proc/sys/net/ipv4/icmp_echo_ignore_all ] ; then
 +    echo "1" > /proc/sys/net/ipv4/icmp_echo_ignore_all
 +    echo "          .....Blocking all incoming pings from everywhere"
 +  fi
 +else
 +#echo 0 > /proc/sys/net/ipv4/icmp_echo_ignore_all
 +  if [ -f /proc/sys/net/ipv4/icmp_echo_ignore_all ] ; then
 +    echo "0" > /proc/sys/net/ipv4/icmp_echo_ignore_all
 +    echo "          .....Allowing all incoming pings from everywhere"
 +  fi
 +fi
 +#
 +
 +#------------------------------------------
 +# Don't respond to broadcast pings
 +# Ignore ICMP echo requests to broadcast/multicast addresses. We do not
 +# want to participate in smurf (and similar) DoS attacks.
 +# For details see: http://en.wikipedia.org/wiki/Smurf_attack.
 +#
 +if [ $PROC_SYSCTL_BLOCK_BROADCAST_PINGS_IN -eq 1 ]
 +then
 +#echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
 +  if [ -f /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts ]; then
 +    echo "1" > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
 +    echo "          .....Blocking all broadcast pings"
 +  fi
 +else
 +#echo 0 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
 +  if [ -f /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts ]; then
 +    echo "0" > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
 +    echo "          .....Allowing all broadcast pings"
 +  fi
 +fi
 +#
 +
 +#------------------------------------------
 +# Disable multicast routing. Should not be needed, usually.
 +# TODO: This throws an "Operation not permitted" error. Why?
 +#
 +# The proc entry containing that value is read-only, and cannot be made writable easily.
 +#
 +#for i in /proc/sys/net/ipv4/conf/*/mc_forwarding; do echo 0 > $i; done
 +#
 +
 +#------------------------------------------
 +# Protect against SYN flood attacks (see http://cr.yp.to/syncookies.html).
 +#
 +#echo 1 > /proc/sys/net/ipv4/tcp_syncookies
 +if [ $PROC_SYSCTL_SYN_COOKIES -eq 1 ] ; then
 +  if [ -e /proc/sys/net/ipv4/tcp_syncookies ] ; then
 +    echo "1" > /proc/sys/net/ipv4/tcp_syncookies
 +    echo "          .....TCP syn cookies protection enabled"
 +  fi
 +fi
 +#
 +
 +#------------------------------------------
 +# Kill timestamps
 +#
 +#echo 0 > /proc/sys/net/ipv4/tcp_timestamps
 +if [ $PROC_SYSCTL_TIME_STAMPS -eq 1 ] ; then
 +  if [ -e /proc/sys/net/ipv4/tcp_timestamps ] ; then
 +    echo "0" > /proc/sys/net/ipv4/tcp_timestamps
 +    echo "          .....TCP timestamps protection enabled"
 +  fi
 +fi
 +#
 +
 +#------------------------------------------
 +# Block source routing
 +#
 +# Don't accept source routed packets.  Attackers can use source routing
 +# to generate traffic pretending to be from inside your network, but
 +# which is routed back along the path from which it came, namely outside,
 +# so attackers can compromise your network.  Source routing is rarely
 +# used for legitimate purposes.
 +#
 +#echo 0 > /proc/sys/net/ipv4/conf/all/accept_source_route
 +if [ $PROC_SYSCTL_SOURCE_ROUTED -eq 1 ] ; then
 +  if [ -e /proc/sys/net/ipv4/conf/all/accept_source_route ] ; then
 +    echo "0" > /proc/sys/net/ipv4/conf/all/accept_source_route
 +    echo "          .....Ignore source routed packets"
 +  fi
 +#
 +
 +#------------------------------------------
 +# Don't accept source routed packets.
 +#
 +  for i in /proc/sys/net/ipv4/conf/*/accept_source_route; do echo 0 > $i; done
 +#
 +fi
 +#
 +
 +#------------------------------------------
 +# Kill redirects
 +#
 +# Disable ICMP redirect acceptance. ICMP redirects can be used to alter
 +# your routing tables, possibly to a bad end.
 +#
 +#echo 0 > /proc/sys/net/ipv4/conf/all/accept_redirects
 +#echo 0 > /proc/sys/net/ipv4/conf/all/send_redirects
 +if [ $PROC_SYSCTL_ACCEPT_REDIRECTS -eq 1 ] ; then
 +  if [ -e /proc/sys/net/ipv4/conf/all/accept_redirects ]; then
 +    echo "0" > /proc/sys/net/ipv4/conf/all/accept_redirects
 +    echo "          .....Ignore accept redirected packets"
 +  fi
 +
 +  for i in /proc/sys/net/ipv4/conf/*/accept_redirects; do echo 0 > $i; done
 +fi
 +#
 +if [ $PROC_SYSCTL_SEND_REDIRECTS -eq 1 ] ; then
 +  if [ -e /proc/sys/net/ipv4/conf/all/send_redirects ]; then
 +    echo "0" > /proc/sys/net/ipv4/conf/all/send_redirects
 +    echo "          .....Ignore send redirected packets"
 +  fi
 +
 +  for i in /proc/sys/net/ipv4/conf/*/send_redirects; do echo 0 > $i; done
 +fi
 +#
 +
 +#------------------------------------------
 +# Don't accept or send ICMP redirects.
 +#
 +#for i in /proc/sys/net/ipv4/conf/*/accept_redirects; do echo 0 > $i; done
 +#for i in /proc/sys/net/ipv4/conf/*/send_redirects; do echo 0 > $i; done
 +#
 +
 +#------------------------------------------
 +# Enable secure redirects, i.e. only accept ICMP redirects for gateways
 +# listed in the default gateway list. Helps against MITM attacks.
 +#
 +#for i in /proc/sys/net/ipv4/conf/*/secure_redirects; do echo 1 > $i; done
 +if [ $PROC_SYSCTL_SECURE_REDIRECTS -eq 1 ] ; then
 +  for i in /proc/sys/net/ipv4/conf/*/secure_redirects; do echo 1 > $i; done
 +fi
 +#
 +#
 +
 +#------------------------------------------
 +# Enable bad error message protection
 +# Don't log invalid responses to broadcast frames, they just clutter the logs.
 +#
 +#echo 1 > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses
 +if [ $PROC_SYSCTL_ICMP_ERROR_MESG -eq 1 ] ; then
 +  if [ -f /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses ]; then
 +    echo "1" > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses
 +    echo "          .....Enable error message protection"
 +  fi
 +fi
 +#
 +
 +#------------------------------------------
 +# Log martians
 +#
 +# Log packets with impossible addresses
 +# Log spoofed packets, source routed packets, redirect packets.
 +#
 +#echo 1 > /proc/sys/net/ipv4/conf/all/log_martians
 +if [ $PROC_SYSCTL_LOG_MARTIANS -eq 1 ] ; then
 +  if [ -f /proc/sys/net/ipv4/conf/all/log_martians ] ; then
 +    echo "1" > /proc/sys/net/ipv4/conf/all/log_martians
 +    echo "          .....Logging packets with impossible addresses"
 +  fi
 +#
 +
 +#------------------------------------------
 +# Log packets with impossible addresses.
 +#
 +  for i in /proc/sys/net/ipv4/conf/*/log_martians; do echo 1 > $i; done
 +#
 +fi
 +#
 +
 +#------------------------------------------
 +# Disable bootp_relay. Should not be needed, usually.
 +#
 +if [ $PROC_SYSCTL_DISABLE_BOOTP_RELAY -eq 1 ] ; then
 +  for i in /proc/sys/net/ipv4/conf/*/bootp_relay; do echo 0 > $i; done
 +fi
 +#
 +
 +#------------------------------------------
 +# Disable proxy_arp. Should not be needed, usually.
 +#
 +if [ $PROC_SYSCTL_DISABLE_PROXY_ARP -eq 1 ] ; then
 +  for i in /proc/sys/net/ipv4/conf/*/proxy_arp; do echo 0 > $i; done
 +fi
 +#
 +
 +#------------------------------------------
 +# TODO: These may mitigate ARP poisoning attacks?
 +# /proc/sys/net/ipv4/neigh/*/locktime
 +# /proc/sys/net/ipv4/neigh/*/gc_stale_time
 +# TODO: Check rest of /usr/src/linux/Documentation/networking/ip-sysctl.txt.
 +# Are there any security-relevant options I missed? Check especially:
 +# icmp_ratelimit, icmp_ratemask, icmp_errors_use_inbound_ifaddr, arp_*.
 +#
 +
 +#------------------------------------------
 +# Set out local port range
 +#
 +#echo "32768 61000" > /proc/sys/net/ipv4/ip_local_port_range
 +#
 +
 +#------------------------------------------
 +# Reduce timeouts for DoS protection
 +#
 +#echo 30 > /proc/sys/net/ipv4/tcp_fin_timeout
 +#
 +
 +#------------------------------------------
 +# Other
 +#
 +#echo 2400 > /proc/sys/net/ipv4/tcp_keepalive_time
 +#echo 0 > /proc/sys/net/ipv4/tcp_window_scaling
 +#echo 0 > /proc/sys/net/ipv4/tcp_sack
 +#
 +if [ $PROC_SYSCTL_REDUCE_DOS -eq 1 ] ; then
 +  echo "30" > /proc/sys/net/ipv4/tcp_fin_timeout
 +  echo "2400" > /proc/sys/net/ipv4/tcp_keepalive_time
 +  echo "0" > /proc/sys/net/ipv4/tcp_window_scaling
 +  echo "0" > /proc/sys/net/ipv4/tcp_sack
 +  echo "          .....Denial of Service Reduction Measures"
 +fi
 +
 +#
 +fi
 +#
 +
 +#*********************************************************
 +#
 +# Completely disable IPv6.
 +#
 +# Block all IPv6 traffic
 +#
 +#------------------------------------------
 +# If the ip6tables command is available, try to block all IPv6 traffic.
 +#
 +if test -x $IP6TABLES; then
 +
 +#------------------------------------------
 +# Set the default policies.
 +# Drop everything.
 +$IP6TABLES -P INPUT DROP 2>/dev/null
 +$IP6TABLES -P FORWARD DROP 2>/dev/null
 +$IP6TABLES -P OUTPUT DROP 2>/dev/null
 +
 +#------------------------------------------
 +# The mangle table can pass everything.
 +$IP6TABLES -t mangle -P PREROUTING ACCEPT 2>/dev/null
 +$IP6TABLES -t mangle -P INPUT ACCEPT 2>/dev/null
 +$IP6TABLES -t mangle -P FORWARD ACCEPT 2>/dev/null
 +$IP6TABLES -t mangle -P OUTPUT ACCEPT 2>/dev/null
 +$IP6TABLES -t mangle -P POSTROUTING ACCEPT 2>/dev/null
 +
 +#------------------------------------------
 +# Delete all rules.
 +$IP6TABLES -F 2>/dev/null
 +$IP6TABLES -t mangle -F 2>/dev/null
 +
 +#------------------------------------------
 +# Delete all chains.
 +$IP6TABLES -X 2>/dev/null
 +$IP6TABLES -t mangle -X 2>/dev/null
 +
 +#------------------------------------------
 +# Zero all packets and counters.
 +$IP6TABLES -Z 2>/dev/null
 +$IP6TABLES -t mangle -Z 2>/dev/null
 +
 +fi
 +
 +#------------------------------------------
 +# Shellshock
 +$IP6TABLES -A INPUT -m string --algo bm --hex-string '|28 29 20 7B|' -j DROP
 +$IP6TABLES -A INPUT -m string --algo bm --hex-string '|28 29 20 7B|' -j DROP
 +
 +#*********************************************************
 +#
 +# Create the chains
 +#
 +$IPTABLES -N IANA_RESERVED
 +$IPTABLES -N BAD_PACKETS
 +$IPTABLES -N BAD_TCP_PACKETS
 +
 +if [ $DO_WHITELISTING -eq 1 ]
 +then
 +$IPTABLES -N WHITELIST
 +fi
 +
 +if [ $DO_PORT_KNOCKING -eq 1 ]
 +then
 +$IPTABLES -N PORT_KNOCK
 +$IPTABLES -N PORT_KNOCK_STAGE1
 +$IPTABLES -N PORT_KNOCK_STAGE2
 +$IPTABLES -N PORT_KNOCK_STAGE3
 +fi
 +
 +$IPTABLES -N PRIVATE_PACKETS
 +$IPTABLES -N BLACKLIST
 +
 +if [ $BLOCK_BRUTE_FORCE_ATTACKS -eq 1 ]
 +then
 +$IPTABLES -N ATTACK
 +$IPTABLES -N ATTACK2
 +$IPTABLES -N ATTACK_CHECK
 +$IPTABLES -N ATTACKED1
 +$IPTABLES -N ATTACKED2
 +$IPTABLES -N ATTACKED3
 +$IPTABLES -N ATTACKED4
 +$IPTABLES -N ATTACKED5
 +$IPTABLES -N ATTACKED6
 +$IPTABLES -N ATTACKED7
 +$IPTABLES -N ATTACKED8
 +$IPTABLES -N ATTACKED9
 +$IPTABLES -N BAN1
 +$IPTABLES -N BAN2
 +$IPTABLES -N BAN3
 +$IPTABLES -N BAN4
 +$IPTABLES -N BAN5
 +$IPTABLES -N BAN6
 +$IPTABLES -N BAN7
 +$IPTABLES -N BAN8
 +$IPTABLES -N BAN9
 +fi
 +
 +
 +if [ $BLOCK_FLOODS -eq 1 ]
 +then
 +$IPTABLES -N FLOODS
 +fi
 +
 +if [ $BLOCK_VIRUSES -eq 1 ]
 +then
 +$IPTABLES -N VIRUS
 +fi
 +
 +if [ $DO_LOG_SCANS -eq 1 ]
 +then
 +$IPTABLES -N SCANS
 +fi
 +
 +$IPTABLES -N ICMP_IN
 +$IPTABLES -N ICMP_OUT
 +$IPTABLES -N TCP_IN
 +$IPTABLES -N TCP_OUT
 +$IPTABLES -N UDP_IN
 +$IPTABLES -N UDP_OUT
 +$IPTABLES -N NO_LOGGING
 +
 +if [ $DO_QUOTA -eq 1 ]
 +then
 +$IPTABLES -N QUOTA
 +fi
 +#
 +
 +#*********************************************************
 +# Check Quotas
 +#
 +if [ $DO_QUOTA -eq 1 ]
 +then
 +$IPTABLES -A QUOTA -p tcp -m quota --quota $QUOTA_LIMIT_TCP -j RETURN
 +$IPTABLES -A QUOTA -p udp -m quota --quota $QUOTA_LIMIT_UDP -j RETURN
 +$IPTABLES -A QUOTA -p icmp -m quota --quota $QUOTA_LIMIT_ICMP -j RETURN
 +$IPTABLES -A QUOTA -m limit --limit $LIMIT_LOG --limit-burst $LIMIT_LOG_BURST -j LOG --log-level $LOG_LEVEL --log-prefix "IPT=QUOTA a=DROP "
 +$IPTABLES -A QUOTA -j DROP
 +fi
 +#
 +
 +#*********************************************************
 +# Filter IANA RESERVED
 +#
 +$IPTABLES -A IANA_RESERVED -s $RANGE_IANA_RESERVED -m limit --limit $LIMIT_LOG --limit-burst $LIMIT_LOG_BURST -j LOG --log-level $LOG_LEVEL --log-prefix "IPT=IANA_RESERVED a=DROP "
 +
 +$IPTABLES -A IANA_RESERVED -s $RANGE_IANA_RESERVED -j DROP
 +
 +#$IPTABLES -A IANA_RESERVED -s 0.0.0.0/7 -j DROP
 +#$IPTABLES -A IANA_RESERVED -s 2.0.0.0/8 -j DROP
 +#$IPTABLES -A IANA_RESERVED -s 5.0.0.0/8 -j DROP
 +#$IPTABLES -A IANA_RESERVED -s 7.0.0.0/8 -j DROP
 +#$IPTABLES -A IANA_RESERVED -s 10.0.0.0/8 -j DROP
 +#$IPTABLES -A IANA_RESERVED -s 23.0.0.0/8 -j DROP
 +#$IPTABLES -A IANA_RESERVED -s 27.0.0.0/8 -j DROP
 +#$IPTABLES -A IANA_RESERVED -s 31.0.0.0/8 -j DROP
 +#$IPTABLES -A IANA_RESERVED -s 36.0.0.0/7 -j DROP
 +#$IPTABLES -A IANA_RESERVED -s 39.0.0.0/8 -j DROP
 +#$IPTABLES -A IANA_RESERVED -s 42.0.0.0/8 -j DROP
 +#$IPTABLES -A IANA_RESERVED -s 49.0.0.0/8 -j DROP
 +#$IPTABLES -A IANA_RESERVED -s 50.0.0.0/8 -j DROP
 +#$IPTABLES -A IANA_RESERVED -s 77.0.0.0/8 -j DROP
 +#$IPTABLES -A IANA_RESERVED -s 78.0.0.0/7 -j DROP
 +#$IPTABLES -A IANA_RESERVED -s 92.0.0.0/6 -j DROP
 +#$IPTABLES -A IANA_RESERVED -s 96.0.0.0/4 -j DROP
 +#$IPTABLES -A IANA_RESERVED -s 112.0.0.0/5 -j DROP
 +#$IPTABLES -A IANA_RESERVED -s 120.0.0.0/8 -j DROP
 +#$IPTABLES -A IANA_RESERVED -s 169.254.0.0/16 -j DROP
 +#$IPTABLES -A IANA_RESERVED -s 172.16.0.0/12 -j DROP
 +#$IPTABLES -A IANA_RESERVED -s 173.0.0.0/8 -j DROP
 +#$IPTABLES -A IANA_RESERVED -s 174.0.0.0/7 -j DROP
 +#$IPTABLES -A IANA_RESERVED -s 176.0.0.0/5 -j DROP
 +#$IPTABLES -A IANA_RESERVED -s 184.0.0.0/6 -j DROP
 +#$IPTABLES -A IANA_RESERVED -s 192.0.2.0/24 -j DROP
 +#$IPTABLES -A IANA_RESERVED -s 197.0.0.0/8 -j DROP
 +#$IPTABLES -A IANA_RESERVED -s 198.18.0.0/15 -j DROP
 +#$IPTABLES -A IANA_RESERVED -s 223.0.0.0/8 -j DROP
 +#$IPTABLES -A IANA_RESERVED -s 224.0.0.0/3 -j DROP
 +#
 +
 +#------------------------------------------
 +# All good, so return
 +#
 +$IPTABLES -A IANA_RESERVED -j RETURN
 +#
 +
 +#
 +#*********************************************************
 +# Filter BAD packets
 +#
 +#------------------------------------------
 +# For TCP packet check if they are bad.
 +#
 +if [ $DO_BAD_PACKETS_LAST -eq 1 ]
 +then
 +$IPTABLES -A BAD_PACKETS -p tcp -j BAD_TCP_PACKETS
 +fi
 +#
 +
 +#------------------------------------------
 +# Drop packets received on the external interface
 +# claiming a source of the local network
 +#
 +$IPTABLES -A BAD_PACKETS -p all -i $INET_IFACE -s $LOCAL_NET -m limit --limit $LIMIT_LOG --limit-burst $LIMIT_LOG_BURST -j LOG --log-level $LOG_LEVEL --log-prefix "IPT=local-source a=DROP "
 +
 +$IPTABLES -A BAD_PACKETS -p all -i $INET_IFACE -s $LOCAL_NET -j DROP
 +#
 +
 +#------------------------------------------
 +# Drop INVALID packets immediately (not ESTABLISHED, RELATED or NEW)
 +#
 +# Note: ICMPv6 Neighbor Discovery packets remain untracked, and will
 +# always be classified "INVALID" though they are not corrupted or
 +# thelike.  Keep this in mind, and accept them before this rule!
 +# iptables -A INPUT -p 41 -j ACCEPT
 +#
 +$IPTABLES -A BAD_PACKETS -p all -m conntrack --ctstate INVALID -m limit --limit $LIMIT_LOG --limit-burst $LIMIT_LOG_BURST -j LOG --log-level $LOG_LEVEL --log-prefix "IPT=invalid a=DROP "
 +
 +$IPTABLES -A BAD_PACKETS -p all -m conntrack --ctstate INVALID -j DROP
 +#
 +
 +#------------------------------------------
 +# Drop packets with incoming fragments.
 +# This attack results in Linux Server panic resulting in possible data loss.
 +#
 +$IPTABLES -A BAD_PACKETS -p all -f -m limit --limit $LIMIT_LOG --limit-burst $LIMIT_LOG_BURST -j LOG --log-level $LOG_LEVEL --log-prefix "IPT=fragmeted a=DROP "
 +
 +$IPTABLES -A BAD_PACKETS -p all -f -j DROP
 +#
 +
 +#------------------------------------------
 +# For TCP packet check if they are bad.
 +#
 +
 +if [ $DO_BAD_PACKETS_LAST -eq 0 ]
 +then
 +$IPTABLES -A BAD_PACKETS -p tcp -j BAD_TCP_PACKETS
 +fi
 +#
 +
 +#------------------------------------------
 +# All good, so return
 +#
 +$IPTABLES -A BAD_PACKETS -j RETURN
 +#
 +
 +#*********************************************************
 +# Filter bad TCP packets
 +#
 +# Flags are: SYN ACK FIN RST URG PSH ALL NONE
 +#
 +# The only flag that is allowed to be sent along
 +# with a SYN is ACK, and this only in the 2nd
 +# packet of the 3-way-handshake.
 +
 +
 +#------------------------------------------
 +# Erroneous flags
 +#
 +# Allow these...
 +#
 +#iptables -A INPUT   -m state --state ESTABLISHED,RELATED -j ACCEPT
 +#iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
 +#iptables -A OUTPUT  -m state --state ESTABLISHED,RELATED -j ACCEPT
 +
 +# Any TCP packet which is not a part of an established connection falls into
 +# one of three categories: (1) connection handshake, (2) stray resend, or
 +# (3) invalid.  Here we discard stray resends and log obvious hack attempts.
 +# See table below:
 +#
 +# SYN RST ACK  What it means  Action
 +# ===========  =============  =======
 +#  0       invalid        logdrop
 +#  0       stray resend   DROP
 +#  0       stray resend   DROP
 +#  0       stray resend   DROP
 +#  1       conn attempt   ok
 +#  1       conn response  ok
 +#  1       invalid        logdrop
 +#  1       invalid        logdrop
 +
 +#iptables -A INPUT   -p tcp --tcp-flags SYN,RST,ACK NONE    -j logdrop
 +#iptables -A INPUT   -p tcp --tcp-flags SYN,RST,ACK ACK     -j DROP
 +#iptables -A INPUT   -p tcp --tcp-flags SYN,RST     RST     -j DROP
 +#iptables -A INPUT   -p tcp --tcp-flags SYN,RST     SYN,RST -j logdrop
 +
 +#iptables -A FORWARD -p tcp --tcp-flags SYN,RST,ACK NONE    -j logdrop
 +#iptables -A FORWARD -p tcp --tcp-flags SYN,RST,ACK ACK     -j DROP
 +#iptables -A FORWARD -p tcp --tcp-flags SYN,RST     RST     -j DROP
 +#iptables -A FORWARD -p tcp --tcp-flags SYN,RST     SYN,RST -j logdrop
 +
 +#iptables -A OUTPUT  -p tcp --tcp-flags SYN,RST,ACK NONE    -j logdrop
 +#iptables -A OUTPUT  -p tcp --tcp-flags SYN,RST,ACK ACK     -j DROP
 +#iptables -A OUTPUT  -p tcp --tcp-flags SYN,RST     RST     -j DROP
 +#iptables -A OUTPUT  -p tcp --tcp-flags SYN,RST     SYN,RST -j logdrop
 +
 +
 +#-A INPUT -p tcp -m tcp –tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j DROP
 +#-A INPUT -p tcp -m tcp –tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,RST,PSH,ACK,URG -j DROP
 +#-A INPUT -p tcp -m tcp –tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,PSH,URG -j DROP
 +#-A INPUT -p tcp -m tcp –tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,RST,ACK,URG -j DROP
 +#-A INPUT -p tcp -m tcp –tcp-flags SYN,RST SYN,RST -j DROP
 +#-A INPUT -p tcp -m tcp –tcp-flags FIN,SYN FIN,SYN -j DROP
 +#-A INPUT -m state –state INVALID -j DROP
 +
 +
 +## peter - 3 mar 2017
 +
 +#-A INPUT -m state --state INVALID -j DROP
 +#-A INPUT -p tcp ! --syn -m state --state NEW -j DROP
 +#-A INPUT -p tcp --tcp-flags ACK,FIN FIN -j DROP
 +#-A INPUT -p tcp --tcp-flags ACK,PSH PSH -j DROP
 +#-A INPUT -p tcp --tcp-flags ACK,URG URG -j DROP
 +#-A INPUT -p tcp --tcp-flags FIN,RST FIN,RST -j DROP
 +#-A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
 +#-A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
 +#-A INPUT -p tcp --tcp-flags ALL ALL -j DROP   # XMAS-ALL scan
 +#-A INPUT -p tcp --tcp-flags ALL NONE -j DROP
 +#-A INPUT -p tcp --tcp-flags ALL FIN,PSH,URG -j DROP  # XMAS scan
 +#-A INPUT -p tcp --tcp-flags ALL SYN,FIN,PSH,URG -j DROP
 +#-A INPUT -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j DROP   # XMAS-PSH scan
 +#-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j DROP
 +#-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN FIN,SYN -j DROP
 +#-A INPUT -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -j DROP   # SYN/RST scan
 +#-A INPUT -p tcp -m tcp --tcp-flags FIN,RST FIN,RST -j DROP
 +#-A INPUT -p tcp -m tcp --tcp-flags FIN,ACK FIN -j DROP
 +#-A INPUT -p tcp -m tcp --tcp-flags ACK,URG URG -j DROP
 +#-A INPUT -p tcp -m tcp --tcp-flags PSH,ACK PSH -j DROP
 +#-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,PSH,URG -j DROP
 +#-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,RST,ACK,URG -j DROP
 +#-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,RST,PSH,ACK,URG -j DROP
 +#-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN -j DROP
 +
 +
 +
 +#------------------------------------------
 +# Malformed packets
 +#
 +$IPTABLES -A BAD_TCP_PACKETS -p tcp --tcp-flags ALL FIN,PSH,URG -m limit --limit $LIMIT_LOG --limit-burst $LIMIT_LOG_BURST -j LOG --log-level $LOG_LEVEL --log-prefix "IPT=XMAS-scan a=DROP "
 +
 +$IPTABLES -A BAD_TCP_PACKETS -p tcp --tcp-flags ALL FIN,PSH,URG -j DROP
 +#
 +$IPTABLES -A BAD_TCP_PACKETS -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -m limit --limit $LIMIT_LOG --limit-burst $LIMIT_LOG_BURST -j LOG --log-level $LOG_LEVEL --log-prefix "IPT=XMAS-PSH-scan a=DROP "
 +
 +$IPTABLES -A BAD_TCP_PACKETS -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j DROP
 +#
 +$IPTABLES -A BAD_TCP_PACKETS -p tcp --tcp-flags ALL ALL -m limit --limit $LIMIT_LOG --limit-burst $LIMIT_LOG_BURST -j LOG --log-level $LOG_LEVEL --log-prefix "IPT=XMAS-ALL-scan a=DROP "
 +
 +$IPTABLES -A BAD_TCP_PACKETS -p tcp --tcp-flags ALL ALL -j DROP
 +#
 +$IPTABLES -A BAD_TCP_PACKETS -p tcp --tcp-flags ALL FIN -m limit --limit $LIMIT_LOG --limit-burst $LIMIT_LOG_BURST -j LOG --log-level $LOG_LEVEL --log-prefix "IPT=FIN-scan a=DROP "
 +
 +$IPTABLES -A BAD_TCP_PACKETS -p tcp --tcp-flags ALL FIN -j DROP
 +#
 +
 +#------------------------------------------
 +# Sending SYN in conjunction with RST means, that a connection shall # This is A violation of RFC793.
 +#
 +$IPTABLES -A BAD_TCP_PACKETS -p tcp --tcp-flags SYN,RST SYN,RST -m limit --limit $LIMIT_LOG --limit-burst $LIMIT_LOG_BURST -j LOG --log-level $LOG_LEVEL --log-prefix "IPT=SYN/RST-scan a=DROP "
 +
 +$IPTABLES -A BAD_TCP_PACKETS -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
 +#
 +$IPTABLES -A BAD_TCP_PACKETS -p tcp --tcp-flags SYN,FIN SYN,FIN -m limit --limit $LIMIT_LOG --limit-burst $LIMIT_LOG_BURST -j LOG --log-level $LOG_LEVEL --log-prefix "IPT=SYN/FIN-scan a=DROP "
 +
 +$IPTABLES -A BAD_TCP_PACKETS -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
 +#
 +$IPTABLES -A BAD_TCP_PACKETS -p tcp --tcp-flags ALL NONE -m limit --limit $LIMIT_LOG --limit-burst $LIMIT_LOG_BURST -j LOG --log-level $LOG_LEVEL --log-prefix "IPT=Null-scan a=DROP "
 +
 +$IPTABLES -A BAD_TCP_PACKETS -p tcp --tcp-flags ALL NONE -j DROP
 +#
 +$IPTABLES -A BAD_TCP_PACKETS -p tcp --tcp-flags ALL URG,PSH,SYN,FIN -m limit --limit $LIMIT_LOG --limit-burst $LIMIT_LOG_BURST -j LOG --log-level $LOG_LEVEL --log-prefix "IPT=NMAP-ID-scan a=DROP "
 +
 +$IPTABLES -A BAD_TCP_PACKETS -p tcp --tcp-flags ALL URG,PSH,SYN,FIN -j DROP
 +#
 +$IPTABLES -A BAD_TCP_PACKETS -p tcp --tcp-flags FIN,RST FIN,RST -m limit --limit $LIMIT_LOG --limit-burst $LIMIT_LOG_BURST -j LOG --log-level $LOG_LEVEL --log-prefix "IPT=BAD_TCP:FIN/RST a=DROP "
 +
 +$IPTABLES -A BAD_TCP_PACKETS -p tcp --tcp-flags FIN,RST FIN,RST -j DROP
 +#
 +
 +#------------------------------------------
 +# FIN scan, nmap v3.0 sends ACK,FIN FIN
 +#
 +$IPTABLES -A BAD_TCP_PACKETS -p tcp --tcp-flags FIN,ACK FIN -m limit --limit $LIMIT_LOG --limit-burst $LIMIT_LOG_BURST -j LOG --log-level $LOG_LEVEL --log-prefix "IPT=BAD_TCP:FAF a=DROP "
 +
 +$IPTABLES -A BAD_TCP_PACKETS -p tcp --tcp-flags FIN,ACK FIN -j DROP
 +#
 +$IPTABLES -A BAD_TCP_PACKETS -p tcp --tcp-flags ACK,URG URG -m limit --limit $LIMIT_LOG --limit-burst $LIMIT_LOG_BURST -j LOG --log-level $LOG_LEVEL --log-prefix "IPT=BAD_TCP:AUU a=DROP "
 +
 +$IPTABLES -A BAD_TCP_PACKETS -p tcp --tcp-flags ACK,URG URG -j DROP
 +#
 +$IPTABLES -A BAD_TCP_PACKETS -p tcp --tcp-flags ACK,PSH PSH -m limit --limit $LIMIT_LOG --limit-burst $LIMIT_LOG_BURST -j LOG --log-level $LOG_LEVEL --log-prefix "IPT=BAD_TCP:APP a=DROP "
 +
 +$IPTABLES -A BAD_TCP_PACKETS -p tcp --tcp-flags ACK,PSH PSH -j DROP
 +#
 +$IPTABLES -A BAD_TCP_PACKETS -p tcp --tcp-flags ACK,FIN FIN -m limit --limit $LIMIT_LOG --limit-burst $LIMIT_LOG_BURST -j LOG --log-level $LOG_LEVEL --log-prefix "IPT=BAD_TCP:AFF a=DROP "
 +
 +$IPTABLES -A BAD_TCP_PACKETS -p tcp --tcp-flags ACK,FIN FIN -j DROP
 +##
 +# Seems to stop Firefox using HTTP to get web pages from this server
 +# Therefore disabled for now...
 +##
 +#$IPTABLES -A BAD_TCP_PACKETS -p tcp --tcp-flags SYN,URG SYN -m limit --limit $LIMIT_LOG --limit-burst $LIMIT_LOG_BURST -j LOG --log-level $LOG_LEVEL --log-prefix "IPT=BAD_TCP:SUS a=DROP "
 +
 +#$IPTABLES -A BAD_TCP_PACKETS -p tcp --tcp-flags SYN,URG SYN -j DROP
 +#
 +
 +#------------------------------------------
 +# Unclean packets...same as above (but this option is still listed as experimental)
 +#
 +#$IPTABLES -A BAD_TCP_PACKETS -i $INET_IFACE -m unclean -j LOG --log-prefix "IPT=BAD_TCP:unclean a=DROP "
 +#$IPTABLES -A BAD_TCP_PACKETS -i $INET_IFACE -m unclean -j DROP
 +#
 +
 +#------------------------------------------
 +# New connections that have no syn set are most probably bad.
 +# Also known as ACK scan
 +#
 +$IPTABLES -A BAD_TCP_PACKETS -p tcp ! --syn -m conntrack --ctstate NEW -m limit --limit $LIMIT_LOG --limit-burst $LIMIT_LOG_BURST -j LOG --log-level $LOG_LEVEL --log-prefix "IPT=new-not-syn a=DROP "
 +
 +$IPTABLES -A BAD_TCP_PACKETS -p tcp ! --syn -m conntrack --ctstate NEW -j DROP
 +#
 +$IPTABLES -A BAD_TCP_PACKETS -p tcp ! --tcp-flags SYN,RST,ACK SYN -m conntrack --ctstate NEW -m limit --limit $LIMIT_LOG --limit-burst $LIMIT_LOG_BURST -j LOG --log-level $LOG_LEVEL --log-prefix "IPT=new-not-syn2 a=DROP "
 +
 +$IPTABLES -A BAD_TCP_PACKETS -p tcp ! --tcp-flags SYN,RST,ACK SYN -m conntrack --ctstate NEW -j DROP
 +#$IPTABLES -A BAD_TCP_PACKETS -p tcp -m tcp ! --tcp-flags SYN,RST,ACK SYN -m state --state NEW -j REJECT --reject-with icmp-net-unreachable
 +#
 +
 +#------------------------------------------
 +# Port 0 fingerprint attempt
 +#
 +$IPTABLES -A BAD_TCP_PACKETS -p tcp --dport 0 -m limit --limit 1/h --limit-burst 1 -j LOG --log-level $LOG_LEVEL --log-prefix "IPT=TCP:finger:0 a=DROP "
 +$IPTABLES -A BAD_TCP_PACKETS -p tcp --dport 0 -j DROP
 +#
 +
 +#------------------------------------------
 +# Invalid TCP Options
 +#
 +$IPTABLES -A BAD_TCP_PACKETS -p tcp --tcp-option 64 -m limit --limit $LIMIT_LOG --limit-burst $LIMIT_LOG_BURST -j LOG --log-level $LOG_LEVEL --log-prefix "IPT=TCP:Bad Flag(64) a=DROP "
 +
 +$IPTABLES -A BAD_TCP_PACKETS -p tcp --tcp-option 64 -j DROP
 +#
 +$IPTABLES -A BAD_TCP_PACKETS -p tcp --tcp-option 128 -m limit --limit $LIMIT_LOG --limit-burst $LIMIT_LOG_BURST -j LOG --log-level $LOG_LEVEL --log-prefix "IPT=TCP:Bad Flag(128) a=DROP "
 +
 +$IPTABLES -A BAD_TCP_PACKETS -p tcp --tcp-option 128 -j DROP
 +#
 +
 +#------------------------------------------
 +# All good, so return
 +#
 +$IPTABLES -A BAD_TCP_PACKETS -p tcp -j RETURN
 +#
 +
 +#*********************************************************
 +# Whitelisting
 +#
 +# Always allow these packets
 +#
 +# High-priority packets which should always be accepted without much
 +# delay.
 +#
 +# Using this chain will break firewall security and will result in
 +# this not passing certain security standards. However, there may
 +# be specific reasons where this might be useful.
 +#
 +#------------------------------------------
 +#
 +if [ $DO_WHITELISTING -eq 1 ]
 +then
 +#------------------------------------------
 +
 +# Allow NTP
 +#
 +# To provide accurate timing, it is necessary to have a low delay
 +# when processing networking packets of the Network Time Protocol.
 +#
 +# These packets are sent as UDP packets to port 123. For this
 +# reason these packets are directly accepted, without checking
 +# further rules. These packets might originate from an attacker,
 +# and even be part of a DDOS attack, but we accept that situation.
 +# The processing of NTP packets has such a low overhead that even
 +# when packets are coming in at a very high speed, it wont take too
 +# much CPU resources. There are also no states preserved as with
 +# the TCP protocol which could cause buffer overflows. The only
 +# thing which might happen is saturation of the network, but that
 +# would happen with a DDOS attack independent of us accepting or
 +# dropping the incoming packets.
 +#
 +if [ $DO_QUICK_NTP -eq 1 ]
 +then
 +$IPTABLES -A WHITELIST -p udp -m conntrack --ctstate NEW --dport 123 -j ACCEPT
 +fi
 +#
 +
 +#------------------------------------------
 +# ???Allow unpriviledged ports
 +#
 +#$IPTABLES -A UDP_OUT -p tcp -o $INET_IFACE -s $INET_IP --sport $PORTS_UNPRIV -m conntrack --ctstate NEW -j ACCEPT
 +#
 +
 +#------------------------------------------
 +# Add trusted hosts:
 +#
 +# The "remove" clears the whitelisted host out of the recently seen
 +# BLACKLIST table, and because it has an ACCEPT jump target, should
 +# stop further processing anyway.
 +#
 +$IPTABLES -A WHITELIST -s $TRUSTED_HOSTS -m recent --remove --name BLACKLIST -j ACCEPT
 +
 +$IPTABLES -A WHITELIST -s $TRUSTED_HOSTS -m recent --remove --name BANNED1 -j ACCEPT
 +$IPTABLES -A WHITELIST -s $TRUSTED_HOSTS -m recent --remove --name BANNED2 -j ACCEPT
 +$IPTABLES -A WHITELIST -s $TRUSTED_HOSTS -m recent --remove --name BANNED3 -j ACCEPT
 +$IPTABLES -A WHITELIST -s $TRUSTED_HOSTS -m recent --remove --name BANNED4 -j ACCEPT
 +$IPTABLES -A WHITELIST -s $TRUSTED_HOSTS -m recent --remove --name BANNED5 -j ACCEPT
 +$IPTABLES -A WHITELIST -s $TRUSTED_HOSTS -m recent --remove --name BANNED6 -j ACCEPT
 +$IPTABLES -A WHITELIST -s $TRUSTED_HOSTS -m recent --remove --name BANNED7 -j ACCEPT
 +$IPTABLES -A WHITELIST -s $TRUSTED_HOSTS -m recent --remove --name BANNED8 -j ACCEPT
 +$IPTABLES -A WHITELIST -s $TRUSTED_HOSTS -m recent --remove --name BANNED9 -j ACCEPT
 +#
 +
 +#------------------------------------------
 +# All good, so return
 +#
 +$IPTABLES -A WHITELIST -j RETURN
 +#
 +
 +#------------------------------------------
 +fi
 +#
 +
 +#*********************************************************
 +# Port Knocking
 +#
 +# Allow Port Knocking
 +#
 +# Port knocking is a method of externally opening ports on a firewall by
 +# generating a connection attempt on a set of prespecified closed ports.
 +#
 +# Once a correct sequence of connection attempts is received, the firewall
 +# rules are dynamically modified to allow the host which sent the connection
 +# attempts to connect over specific port(s).
 +#------------------------------------------
 +#
 +if [ $DO_PORT_KNOCKING -eq 1 ]
 +then
 +#------------------------------------------
 +$IPTABLES -A PORT_KNOCK_STAGE1 -m recent --remove --name knock
 +$IPTABLES -A PORT_KNOCK_STAGE1 -p tcp --dport $PORT_KNOCK_1 -m recent --set --name knock2
 +
 +$IPTABLES -A PORT_KNOCK_STAGE2 -m recent --remove --name knock2
 +$IPTABLES -A PORT_KNOCK_STAGE2 -p tcp --dport $PORT_KNOCK_2 -m recent --set --name heaven
 +
 +$IPTABLES -A PORT_KNOCK_STAGE3 -m recent --rcheck --seconds 5 --name knock2 -j PORT_KNOCK_STAGE2
 +$IPTABLES -A PORT_KNOCK_STAGE3 -m recent --rcheck --seconds 5 --name knock -j PORT_KNOCK_STAGE1
 +$IPTABLES -A PORT_KNOCK_STAGE3 -p tcp --dport $PORT_KNOCK_3 -m recent --set --name knock
 +
 +$IPTABLES -A PORT_KNOCK -p tcp --dport $PORT_KNOCK_ALLOW -m recent --rcheck --seconds 5 --name heaven -j ACCEPT
 +$IPTABLES -A PORT_KNOCK -p tcp --syn -j PORT_KNOCK_STAGE3
 +
 +#------------------------------------------
 +# All good, so return
 +#
 +$IPTABLES -A PORT_KNOCK -j RETURN
 +#
 +
 +#------------------------------------------
 +fi
 +#
 +
 +#*********************************************************
 +# Filter Enemies
 +#
 +#------------------------------------------
 +#
 +# This will limit brute-force attacks.
 +#
 +# It performs multiple tests against the number of connections within specific
 +# timeframes.  If any of the total connections has exceeded the maximum
 +# allowed connections for that specific timeframe then it is banned for a
 +# certain time period.
 +#
 +# If still further connections come in whilst it is banned then this will
 +# cause it to move to an even higher level of ban, i.e. to be banned for
 +# even longer.
 +#
 +# Whilst a connection is banned no subsequent connection attempts will be
 +# allowed before it will resume allowing connections again.
 +#
 +# The --rttl option also takes into account the TTL of the
 +# datagram when matching packets, so as to endeavour to mitigate
 +# against spoofed source addresses.
 +#
 +# Allows for whitelisting.
 +#
 +# The Linux kernel will maintain a list of portscan IPs which
 +# can be accessed at the location /proc/net/ipt_recent/BLACKLIST
 +#
 +
 +if [ $BLOCK_BRUTE_FORCE_ATTACKS -eq 1 ]
 +then
 +# Check for any offences.
 +# If so then drop for that period of time, into the specific banned group - which determines the timeout.
 +# Otherwise, if not yet banned, check if this is an attack.
 +$IPTABLES -A BLACKLIST -m recent --rcheck --seconds $CONNECTION_TIMEOUT_9 --name BANNED9 --rsource -j DROP
 +$IPTABLES -A BLACKLIST -m recent --rcheck --seconds $CONNECTION_TIMEOUT_8 --name BANNED8 --rsource -j DROP
 +$IPTABLES -A BLACKLIST -m recent --rcheck --seconds $CONNECTION_TIMEOUT_7 --name BANNED7 --rsource -j DROP
 +$IPTABLES -A BLACKLIST -m recent --rcheck --seconds $CONNECTION_TIMEOUT_6 --name BANNED6 --rsource -j DROP
 +$IPTABLES -A BLACKLIST -m recent --rcheck --seconds $CONNECTION_TIMEOUT_5 --name BANNED5 --rsource -j DROP
 +$IPTABLES -A BLACKLIST -m recent --rcheck --seconds $CONNECTION_TIMEOUT_4 --name BANNED4 --rsource -j DROP
 +$IPTABLES -A BLACKLIST -m recent --rcheck --seconds $CONNECTION_TIMEOUT_3 --name BANNED3 --rsource -j DROP
 +$IPTABLES -A BLACKLIST -m recent --rcheck --seconds $CONNECTION_TIMEOUT_2 --name BANNED2 --rsource -j DROP
 +$IPTABLES -A BLACKLIST -m recent --rcheck --seconds $CONNECTION_TIMEOUT_1 --name BANNED1 --rsource -j DROP
 +$IPTABLES -A BLACKLIST -m conntrack --ctstate NEW -j ATTACK_CHECK
 +
 +# Check if we are under attack.
 +# If so jump to the specific ban.
 +# If not yet under attack, then record initial instance.
 +$IPTABLES -A ATTACK_CHECK -m recent --update --seconds $CONNECTION_LIMIT_9 --hitcount $CONNECTION_MAX_9 --name ATTACK --rsource --rttl -j ATTACKED9
 +$IPTABLES -A ATTACK_CHECK -m recent --update --seconds $CONNECTION_LIMIT_8 --hitcount $CONNECTION_MAX_8 --name ATTACK --rsource --rttl -j ATTACKED8
 +$IPTABLES -A ATTACK_CHECK -m recent --update --seconds $CONNECTION_LIMIT_7 --hitcount $CONNECTION_MAX_7 --name ATTACK --rsource --rttl -j ATTACKED7
 +$IPTABLES -A ATTACK_CHECK -m recent --update --seconds $CONNECTION_LIMIT_6 --hitcount $CONNECTION_MAX_6 --name ATTACK --rsource --rttl -j ATTACKED6
 +$IPTABLES -A ATTACK_CHECK -m recent --update --seconds $CONNECTION_LIMIT_5 --hitcount $CONNECTION_MAX_5 --name ATTACK --rsource --rttl -j ATTACKED5
 +$IPTABLES -A ATTACK_CHECK -m recent --update --seconds $CONNECTION_LIMIT_4 --hitcount $CONNECTION_MAX_4 --name ATTACK --rsource --rttl -j ATTACKED4
 +$IPTABLES -A ATTACK_CHECK -m recent --update --seconds $CONNECTION_LIMIT_3 --hitcount $CONNECTION_MAX_3 --name ATTACK --rsource --rttl -j ATTACKED3
 +$IPTABLES -A ATTACK_CHECK -m recent --update --seconds $CONNECTION_LIMIT_2 --hitcount $CONNECTION_MAX_2 --name ATTACK --rsource --rttl -j ATTACKED2
 +$IPTABLES -A ATTACK_CHECK -m recent --update --seconds $CONNECTION_LIMIT_1 --hitcount $CONNECTION_MAX_1 --name ATTACK --rsource --rttl -j ATTACKED1
 +
 +# ATTACK2 only contains data if ATTACK is full.
 +# Contains the max allowed from /sys/module/xt_recent/parameters/ip_list_tot.
 +#if [ $(wc -l < /proc/net/xt_recent/ATTACK) >= 10000 ]
 +#then;
 +#$IPTABLES -A ATTACK_CHECK -m recent --update --seconds $CONNECTION_LIMIT_9 --hitcount $CONNECTION_MAX_9 --name ATTACK2 --rsource --rttl -j ATTACKED9
 +#$IPTABLES -A ATTACK_CHECK -m recent --update --seconds $CONNECTION_LIMIT_8 --hitcount $CONNECTION_MAX_8 --name ATTACK2 --rsource --rttl -j ATTACKED8
 +#$IPTABLES -A ATTACK_CHECK -m recent --update --seconds $CONNECTION_LIMIT_7 --hitcount $CONNECTION_MAX_7 --name ATTACK2 --rsource --rttl -j ATTACKED7
 +#$IPTABLES -A ATTACK_CHECK -m recent --update --seconds $CONNECTION_LIMIT_6 --hitcount $CONNECTION_MAX_6 --name ATTACK2 --rsource --rttl -j ATTACKED6
 +#$IPTABLES -A ATTACK_CHECK -m recent --update --seconds $CONNECTION_LIMIT_5 --hitcount $CONNECTION_MAX_5 --name ATTACK2 --rsource --rttl -j ATTACKED5
 +#$IPTABLES -A ATTACK_CHECK -m recent --update --seconds $CONNECTION_LIMIT_4 --hitcount $CONNECTION_MAX_4 --name ATTACK2 --rsource --rttl -j ATTACKED4
 +#$IPTABLES -A ATTACK_CHECK -m recent --update --seconds $CONNECTION_LIMIT_3 --hitcount $CONNECTION_MAX_3 --name ATTACK2 --rsource --rttl -j ATTACKED3
 +#$IPTABLES -A ATTACK_CHECK -m recent --update --seconds $CONNECTION_LIMIT_2 --hitcount $CONNECTION_MAX_2 --name ATTACK2 --rsource --rttl -j ATTACKED2
 +#$IPTABLES -A ATTACK_CHECK -m recent --update --seconds $CONNECTION_LIMIT_1 --hitcount $CONNECTION_MAX_1 --name ATTACK2 --rsource --rttl -j ATTACKED1
 +#fi
 +
 +#$IPTABLES -A ATTACK_CHECK -m recent --set --name ATTACK --rsource
 +#
 +# To accomodate when /proc/net/xt_recent/ATTACK contains the max allowed
 +# as can be seen from /sys/module/xt_recent/parameters/ip_list_tot then
 +# instead of adding into ATTACH add to ATTACK2...
 +#
 +#if [ $(wc -l < /proc/net/xt_recent/ATTACK) < 10000 ]
 +#then;
 +$IPTABLES -A ATTACK_CHECK -m recent --set --name ATTACK --rsource
 +#else
 +# Check if we are under attack.
 +# If so jump to the specific ban.
 +# If not yet under attack, then record initial instance.
 +#$IPTABLES -A ATTACK_CHECK -m recent --update --seconds $CONNECTION_LIMIT_9 --hitcount $CONNECTION_MAX_9 --name ATTACK2 --rsource --rttl -j ATTACKED9
 +#$IPTABLES -A ATTACK_CHECK -m recent --update --seconds $CONNECTION_LIMIT_8 --hitcount $CONNECTION_MAX_8 --name ATTACK2 --rsource --rttl -j ATTACKED8
 +#$IPTABLES -A ATTACK_CHECK -m recent --update --seconds $CONNECTION_LIMIT_7 --hitcount $CONNECTION_MAX_7 --name ATTACK2 --rsource --rttl -j ATTACKED7
 +#$IPTABLES -A ATTACK_CHECK -m recent --update --seconds $CONNECTION_LIMIT_6 --hitcount $CONNECTION_MAX_6 --name ATTACK2 --rsource --rttl -j ATTACKED6
 +#$IPTABLES -A ATTACK_CHECK -m recent --update --seconds $CONNECTION_LIMIT_5 --hitcount $CONNECTION_MAX_5 --name ATTACK2 --rsource --rttl -j ATTACKED5
 +#$IPTABLES -A ATTACK_CHECK -m recent --update --seconds $CONNECTION_LIMIT_4 --hitcount $CONNECTION_MAX_4 --name ATTACK2 --rsource --rttl -j ATTACKED4
 +#$IPTABLES -A ATTACK_CHECK -m recent --update --seconds $CONNECTION_LIMIT_3 --hitcount $CONNECTION_MAX_3 --name ATTACK2 --rsource --rttl -j ATTACKED3
 +#$IPTABLES -A ATTACK_CHECK -m recent --update --seconds $CONNECTION_LIMIT_2 --hitcount $CONNECTION_MAX_2 --name ATTACK2 --rsource --rttl -j ATTACKED2
 +#$IPTABLES -A ATTACK_CHECK -m recent --update --seconds $CONNECTION_LIMIT_1 --hitcount $CONNECTION_MAX_1 --name ATTACK2 --rsource --rttl -j ATTACKED1
 +#$IPTABLES -A ATTACK_CHECK -m recent --set --name ATTACK2 --rsource
 +#fi
 +#------------------------------------------
 +# All good, so return
 +#
 +#$IPTABLES -A ATTACK_CHECK -j ACCEPT
 +$IPTABLES -A ATTACK_CHECK -j RETURN
 +#
 +
 +# Loop through all BANNED groups and jump to 1st one found.
 +$IPTABLES -A ATTACKED1 -m recent --rcheck --name BANNED8 --rsource -j BAN9
 +$IPTABLES -A ATTACKED1 -m recent --rcheck --name BANNED7 --rsource -j BAN8
 +$IPTABLES -A ATTACKED1 -m recent --rcheck --name BANNED6 --rsource -j BAN7
 +$IPTABLES -A ATTACKED1 -m recent --rcheck --name BANNED5 --rsource -j BAN6
 +$IPTABLES -A ATTACKED1 -m recent --rcheck --name BANNED4 --rsource -j BAN5
 +$IPTABLES -A ATTACKED1 -m recent --rcheck --name BANNED3 --rsource -j BAN4
 +$IPTABLES -A ATTACKED1 -m recent --rcheck --name BANNED2 --rsource -j BAN3
 +$IPTABLES -A ATTACKED1 -m recent --rcheck --name BANNED1 --rsource -j BAN2
 +$IPTABLES -A ATTACKED1 -j BAN1
 +
 +# Loop through all BANNED groups and jump to 1st one found.
 +$IPTABLES -A ATTACKED2 -m recent --rcheck --name BANNED8 --rsource -j BAN9
 +$IPTABLES -A ATTACKED2 -m recent --rcheck --name BANNED7 --rsource -j BAN8
 +$IPTABLES -A ATTACKED2 -m recent --rcheck --name BANNED6 --rsource -j BAN7
 +$IPTABLES -A ATTACKED2 -m recent --rcheck --name BANNED5 --rsource -j BAN6
 +$IPTABLES -A ATTACKED2 -m recent --rcheck --name BANNED4 --rsource -j BAN5
 +$IPTABLES -A ATTACKED2 -m recent --rcheck --name BANNED3 --rsource -j BAN4
 +$IPTABLES -A ATTACKED2 -m recent --rcheck --name BANNED2 --rsource -j BAN3
 +$IPTABLES -A ATTACKED2 -j BAN2
 +
 +# Loop through all BANNED groups and jump to 1st one found.
 +$IPTABLES -A ATTACKED3 -m recent --rcheck --name BANNED8 --rsource -j BAN9
 +$IPTABLES -A ATTACKED3 -m recent --rcheck --name BANNED7 --rsource -j BAN8
 +$IPTABLES -A ATTACKED3 -m recent --rcheck --name BANNED6 --rsource -j BAN7
 +$IPTABLES -A ATTACKED3 -m recent --rcheck --name BANNED5 --rsource -j BAN6
 +$IPTABLES -A ATTACKED3 -m recent --rcheck --name BANNED4 --rsource -j BAN5
 +$IPTABLES -A ATTACKED3 -m recent --rcheck --name BANNED3 --rsource -j BAN4
 +$IPTABLES -A ATTACKED3 -j BAN3
 +
 +# Loop through all BANNED groups and jump to 1st one found.
 +$IPTABLES -A ATTACKED4 -m recent --rcheck --name BANNED8 --rsource -j BAN9
 +$IPTABLES -A ATTACKED4 -m recent --rcheck --name BANNED7 --rsource -j BAN8
 +$IPTABLES -A ATTACKED4 -m recent --rcheck --name BANNED6 --rsource -j BAN7
 +$IPTABLES -A ATTACKED4 -m recent --rcheck --name BANNED5 --rsource -j BAN6
 +$IPTABLES -A ATTACKED4 -m recent --rcheck --name BANNED4 --rsource -j BAN5
 +$IPTABLES -A ATTACKED4 -j BAN4
 +
 +# Loop through all BANNED groups and jump to 1st one found.
 +$IPTABLES -A ATTACKED5 -m recent --rcheck --name BANNED8 --rsource -j BAN9
 +$IPTABLES -A ATTACKED5 -m recent --rcheck --name BANNED7 --rsource -j BAN8
 +$IPTABLES -A ATTACKED5 -m recent --rcheck --name BANNED6 --rsource -j BAN7
 +$IPTABLES -A ATTACKED5 -m recent --rcheck --name BANNED5 --rsource -j BAN6
 +$IPTABLES -A ATTACKED5 -j BAN5
 +
 +# Loop through all BANNED groups and jump to 1st one found.
 +$IPTABLES -A ATTACKED6 -m recent --rcheck --name BANNED8 --rsource -j BAN9
 +$IPTABLES -A ATTACKED6 -m recent --rcheck --name BANNED7 --rsource -j BAN8
 +$IPTABLES -A ATTACKED6 -m recent --rcheck --name BANNED6 --rsource -j BAN7
 +$IPTABLES -A ATTACKED6 -j BAN6
 +
 +# Loop through all BANNED groups and jump to 1st one found.
 +$IPTABLES -A ATTACKED7 -m recent --rcheck --name BANNED8 --rsource -j BAN9
 +$IPTABLES -A ATTACKED7 -m recent --rcheck --name BANNED7 --rsource -j BAN8
 +$IPTABLES -A ATTACKED7 -j BAN7
 +
 +# Loop through all BANNED groups and jump to 1st one found.
 +$IPTABLES -A ATTACKED8 -m recent --rcheck --name BANNED8 --rsource -j BAN9
 +$IPTABLES -A ATTACKED8 -j BAN8
 +
 +# Only 1 possible group to jump to.
 +$IPTABLES -A ATTACKED9 -j BAN9
 +
 +# Log and then Drop.
 +$IPTABLES -A BAN1 -m limit --limit $LIMIT_LOG -j LOG --log-level $LOG_LEVEL --log-prefix "IPT=BAN1 a=DROP "
 +$IPTABLES -A BAN1 -m recent --set --name BANNED1 --rsource -j DROP
 +
 +
 +# Log.
 +# Remove from prev BANNED group.
 +# Add to next higher BANNED group; therefore more delay.
 +# Drop.
 +$IPTABLES -A BAN2 -m limit --limit $LIMIT_LOG -j LOG --log-level $LOG_LEVEL --log-prefix "IPT=BAN2 a=DROP "
 +$IPTABLES -A BAN2 -m recent --remove --name BANNED1 --rsource
 +$IPTABLES -A BAN2 -m recent --set --name BANNED2 --rsource -j DROP
 +
 +$IPTABLES -A BAN3 -m limit --limit $LIMIT_LOG -j LOG --log-level $LOG_LEVEL --log-prefix "IPT=BAN3 a=DROP "
 +$IPTABLES -A BAN3 -m recent --remove --name BANNED2 --rsource
 +$IPTABLES -A BAN3 -m recent --set --name BANNED3 --rsource -j DROP
 +
 +$IPTABLES -A BAN4 -m limit --limit $LIMIT_LOG -j LOG --log-level $LOG_LEVEL --log-prefix "IPT=BAN4 a=DROP "
 +$IPTABLES -A BAN4 -m recent --remove --name BANNED3 --rsource
 +$IPTABLES -A BAN4 -m recent --set --name BANNED4 --rsource -j DROP
 +
 +$IPTABLES -A BAN5 -m limit --limit $LIMIT_LOG -j LOG --log-level $LOG_LEVEL --log-prefix "IPT=BAN5 a=DROP "
 +$IPTABLES -A BAN5 -m recent --remove --name BANNED4 --rsource
 +$IPTABLES -A BAN5 -m recent --set --name BANNED5 --rsource -j DROP
 +
 +$IPTABLES -A BAN6 -m limit --limit $LIMIT_LOG -j LOG --log-level $LOG_LEVEL --log-prefix "IPT=BAN6 a=DROP "
 +$IPTABLES -A BAN6 -m recent --remove --name BANNED5 --rsource
 +$IPTABLES -A BAN6 -m recent --set --name BANNED6 --rsource -j DROP
 +
 +$IPTABLES -A BAN7 -m limit --limit $LIMIT_LOG -j LOG --log-level $LOG_LEVEL --log-prefix "IPT=BAN7 a=DROP "
 +$IPTABLES -A BAN7 -m recent --remove --name BANNED6 --rsource
 +$IPTABLES -A BAN7 -m recent --set --name BANNED7 --rsource -j DROP
 +
 +$IPTABLES -A BAN8 -m limit --limit $LIMIT_LOG -j LOG --log-level $LOG_LEVEL --log-prefix "IPT=BAN8 a=DROP "
 +$IPTABLES -A BAN8 -m recent --remove --name BANNED7 --rsource
 +$IPTABLES -A BAN8 -m recent --set --name BANNED8 --rsource -j DROP
 +
 +$IPTABLES -A BAN9 -m limit --limit $LIMIT_LOG -j LOG --log-level $LOG_LEVEL --log-prefix "IPT=BAN9 a=DROP "
 +$IPTABLES -A BAN9 -m recent --remove --name BANNED8 --rsource
 +$IPTABLES -A BAN9 -m recent --set --name BANNED9 --rsource -j DROP
 +#
 +fi
 +#
 +
 +#------------------------------------------
 +#
 +# This will allow three connections from any given IP address
 +# within a 60 second period, and require 60 seconds of no
 +# subsequent connection attempts before it will resume allowing
 +# connections again.
 +#
 +# The --rttl option also takes into account the TTL of the
 +# datagram when matching packets, so as to endeavour to mitigate
 +# against spoofed source addresses.
 +#
 +# Does not not stop any established connections from the host
 +# that has made too many connections in a short period of time.
 +#
 +# Allows for whitelisting.
 +#
 +# The Linux kernel will maintain a list of portscan IPs which
 +# can be accessed at the location /proc/net/ipt_recent/BLACKLIST
 +#
 +
 +
 +##########################################################START
 +#
 +#
 +#
 +#
 +#if [ $BLOCK_CONNECTIONS_COUNT -eq 1 ]
 +#then
 +# These rules are set to simply count the number of new connections.
 +#$IPTABLES -A BLACKLIST -m conntrack --ctstate NEW -m recent --set --name CONNECTION_COUNT_1
 +#$IPTABLES -A BLACKLIST -m conntrack --ctstate NEW -m recent --set --name CONNECTION_COUNT_2
 +#$IPTABLES -A BLACKLIST -m conntrack --ctstate NEW -m recent --set --name CONNECTION_COUNT_3
 +#$IPTABLES -A BLACKLIST -m conntrack --ctstate NEW -m recent --set --name CONNECTION_COUNT_4
 +#$IPTABLES -A BLACKLIST -m conntrack --ctstate NEW -m recent --set --name CONNECTION_COUNT_5
 +#$IPTABLES -A BLACKLIST -m conntrack --ctstate NEW -m recent --set --name CONNECTION_COUNT_6
 +#$IPTABLES -A BLACKLIST -m conntrack --ctstate NEW -m recent --set --name CONNECTION_COUNT_7
 +#$IPTABLES -A BLACKLIST -m conntrack --ctstate NEW -m recent --set --name CONNECTION_COUNT_8
 +#$IPTABLES -A BLACKLIST -m conntrack --ctstate NEW -m recent --set --name CONNECTION_COUNT_9
 +#
 +#$IPTABLES -A BLACKLIST -m conntrack --ctstate NEW -m recent --name CONNECTION_COUNT_9 --update --seconds $CONNECTION_TIMEOUT_9 --hitcount $CONNECTION_MAX_9 --rttl -j LOG --log-level $LOG_LEVEL --log-prefix "IPT=CONN_COUNT_9 a=DROP "
 +#$IPTABLES -A BLACKLIST -m conntrack --ctstate NEW -m recent --name CONNECTION_COUNT_9 --update --seconds $CONNECTION_TIMEOUT_9 --hitcount $CONNECTION_MAX_9 --rttl -j DROP
 +#$IPTABLES -A BLACKLIST -m conntrack --ctstate NEW -m recent --name CONNECTION_COUNT_8 --update --seconds $CONNECTION_TIMEOUT_8 --hitcount $CONNECTION_MAX_8 --rttl -j LOG --log-level $LOG_LEVEL --log-prefix "IPT=CONN_COUNT_8 a=DROP "
 +#$IPTABLES -A BLACKLIST -m conntrack --ctstate NEW -m recent --name CONNECTION_COUNT_8 --update --seconds $CONNECTION_TIMEOUT_8 --hitcount $CONNECTION_MAX_8 --rttl -j DROP
 +#$IPTABLES -A BLACKLIST -m conntrack --ctstate NEW -m recent --name CONNECTION_COUNT_7 --update --seconds $CONNECTION_TIMEOUT_7 --hitcount $CONNECTION_MAX_7 --rttl -j LOG --log-level $LOG_LEVEL --log-prefix "IPT=CONN_COUNT_7 a=DROP "
 +#$IPTABLES -A BLACKLIST -m conntrack --ctstate NEW -m recent --name CONNECTION_COUNT_7 --update --seconds $CONNECTION_TIMEOUT_7 --hitcount $CONNECTION_MAX_7 --rttl -j DROP
 +#$IPTABLES -A BLACKLIST -m conntrack --ctstate NEW -m recent --name CONNECTION_COUNT_6 --update --seconds $CONNECTION_TIMEOUT_6 --hitcount $CONNECTION_MAX_6 --rttl -j LOG --log-level $LOG_LEVEL --log-prefix "IPT=CONN_COUNT_6 a=DROP "
 +#$IPTABLES -A BLACKLIST -m conntrack --ctstate NEW -m recent --name CONNECTION_COUNT_6 --update --seconds $CONNECTION_TIMEOUT_6 --hitcount $CONNECTION_MAX_6 --rttl -j DROP
 +#$IPTABLES -A BLACKLIST -m conntrack --ctstate NEW -m recent --name CONNECTION_COUNT_5 --update --seconds $CONNECTION_TIMEOUT_5 --hitcount $CONNECTION_MAX_5 --rttl -j LOG --log-level $LOG_LEVEL --log-prefix "IPT=CONN_COUNT_5 a=DROP "
 +#$IPTABLES -A BLACKLIST -m conntrack --ctstate NEW -m recent --name CONNECTION_COUNT_5 --update --seconds $CONNECTION_TIMEOUT_5 --hitcount $CONNECTION_MAX_5 --rttl -j DROP
 +#$IPTABLES -A BLACKLIST -m conntrack --ctstate NEW -m recent --name CONNECTION_COUNT_4 --update --seconds $CONNECTION_TIMEOUT_4 --hitcount $CONNECTION_MAX_4 --rttl -j LOG --log-level $LOG_LEVEL --log-prefix "IPT=CONN_COUNT_4 a=DROP "
 +#$IPTABLES -A BLACKLIST -m conntrack --ctstate NEW -m recent --name CONNECTION_COUNT_4 --update --seconds $CONNECTION_TIMEOUT_4 --hitcount $CONNECTION_MAX_4 --rttl -j DROP
 +#$IPTABLES -A BLACKLIST -m conntrack --ctstate NEW -m recent --name CONNECTION_COUNT_3 --update --seconds $CONNECTION_TIMEOUT_3 --hitcount $CONNECTION_MAX_3 --rttl -j LOG --log-level $LOG_LEVEL --log-prefix "IPT=CONN_COUNT_3 a=DROP "
 +#$IPTABLES -A BLACKLIST -m conntrack --ctstate NEW -m recent --name CONNECTION_COUNT_3 --update --seconds $CONNECTION_TIMEOUT_3 --hitcount $CONNECTION_MAX_3 --rttl -j DROP
 +#$IPTABLES -A BLACKLIST -m conntrack --ctstate NEW -m recent --name CONNECTION_COUNT_2 --update --seconds $CONNECTION_TIMEOUT_2 --hitcount $CONNECTION_MAX_2 --rttl -j LOG --log-level $LOG_LEVEL --log-prefix "IPT=CONN_COUNT_2 a=DROP "
 +#$IPTABLES -A BLACKLIST -m conntrack --ctstate NEW -m recent --name CONNECTION_COUNT_2 --update --seconds $CONNECTION_TIMEOUT_2 --hitcount $CONNECTION_MAX_2 --rttl -j DROP
 +#$IPTABLES -A BLACKLIST -m conntrack --ctstate NEW -m recent --name CONNECTION_COUNT_1 --update --seconds $CONNECTION_TIMEOUT_1 --hitcount $CONNECTION_MAX_1 --rttl -j LOG --log-level $LOG_LEVEL --log-prefix "IPT=CONN_COUNT_1 a=DROP "
 +#$IPTABLES -A BLACKLIST -m conntrack --ctstate NEW -m recent --name CONNECTION_COUNT_1 --update --seconds $CONNECTION_TIMEOUT_1 --hitcount $CONNECTION_MAX_1 --rttl -j DROP
 +#
 +#fi
 +#
 +############################################################END
 +#
 +
 +
 +#------------------------------------------
 +# Block any other required ports
 +#
 +#$IPTABLES -A BLACKLIST -i ! lo -m tcp -p tcp --dport 1433 -m recent --name BLACKLIST --set -j DROP
 +#$IPTABLES -A BLACKLIST -i ! lo -m tcp -p tcp --dport 3306 -m recent --name BLACKLIST --set -j DROP
 +#$IPTABLES -A BLACKLIST -i ! lo -m tcp -p tcp --dport 8086 -m recent --name BLACKLIST --set -j DROP
 +#$IPTABLES -A BLACKLIST -i ! lo -m tcp -p tcp --dport 10000 -m recent --name BLACKLIST --set -j DROP
 +#$IPTABLES -A BLACKLIST -s 99.99.99.99 -j DROP
 +#
 +
 +#------------------------------------------
 +# Block partizans
 +#
 +$IPTABLES -A BLACKLIST -s $UNTRUSTED_HOSTS -j DROP
 +#
 +
 +#------------------------------------------
 +# Drop Private Network Address On Public Interface
 +#
 +#$IPTABLES -A BLACKLIST -s LOCAL_NET -i INET_IFACE -j LOG --log-level $LOG_LEVEL --log-prefix "IPT=INET Addr on Local a=DROP "
 +#$IPTABLES -A BLACKLIST -s LOCAL_NET -i INET_IFACE -j DROP
 +#
 +
 +#------------------------------------------
 +# Block any flooding
 +#
 +if [ $BLOCK_FLOODS -eq 1 ]
 +then
 +$IPTABLES -A BLACKLIST -j FLOODS
 +fi
 +#
 +
 +#------------------------------------------
 +# Block Viruses
 +#
 +if [ $BLOCK_VIRUSES -eq 1 ]
 +then
 +$IPTABLES -A BLACKLIST -j VIRUS
 +fi
 +#
 +
 +#------------------------------------------
 +# Block Akamai
 +#
 +# http://www.matveev.se/net/akamai.htm
 +#
 +if [ $BLOCK_AKAMAI -eq 1 ]
 +then
 +$IPTABLES -A BLACKLIST -s $RANGE_AKAMAI -m limit --limit $LIMIT_LOG --limit-burst $LIMIT_LOG_BURST -j LOG --log-level $LOG_LEVEL --log-prefix "IPT=AKAMAI a=DROP "
 +
 +$IPTABLES -A BLACKLIST -s $RANGE_AKAMAI -j DROP
 +
 +#$IPTABLES -A BLACKLIST -s 2.16.0.0/13 -j DROP
 +#$IPTABLES -A BLACKLIST -s 2.23.144.0/20 -j DROP
 +#$IPTABLES -A BLACKLIST -s 23.0.0.0/12 -j DROP
 +#$IPTABLES -A BLACKLIST -s 23.32.0.0/11 -j DROP
 +#$IPTABLES -A BLACKLIST -s 23.64.0.0/14 -j DROP
 +#$IPTABLES -A BLACKLIST -s 62.115.0.0/16 -j DROP
 +#$IPTABLES -A BLACKLIST -s 72.246.0.0/15 -j DROP
 +#$IPTABLES -A BLACKLIST -s 80.239.128.0/19 -j DROP
 +#$IPTABLES -A BLACKLIST -s 80.239.160.0/19 -j DROP
 +#$IPTABLES -A BLACKLIST -s 80.239.192.0/19 -j DROP
 +#$IPTABLES -A BLACKLIST -s 80.239.224.0/19 -j DROP
 +#$IPTABLES -A BLACKLIST -s 84.53.168.0/22 -j DROP
 +#$IPTABLES -A BLACKLIST -s 88.221.176.0/21 -j DROP
 +#$IPTABLES -A BLACKLIST -s 96.6.0.0/15 -j DROP
 +#$IPTABLES -A BLACKLIST -s 96.16.0.0/15 -j DROP
 +#$IPTABLES -A BLACKLIST -s 217.208.0.0/13 -j DROP
 +#$IPTABLES -A BLACKLIST -s 74.125.0.0/16 -j DROP
 +#$IPTABLES -A BLACKLIST -s 74.125.0.0/16 -j DROP
 +#$IPTABLES -A BLACKLIST -s 173.194.0.0/16 -j DROP
 +#$IPTABLES -A BLACKLIST -s 173.194.0.0/16 -j DROP
 +#$IPTABLES -A BLACKLIST -s 173.194.0.0/16 -j DROP
 +#$IPTABLES -A BLACKLIST -s 209.85.128.0/17 -j DROP
 +#$IPTABLES -A BLACKLIST -s 209.85.128.0/17 -j DROP
 +fi
 +#
 +
 +#------------------------------------------
 +if [ $BLOCK_FACEBOOK -eq 1 ]
 +then
 +$IPTABLES -A BLACKLIST -p tcp -m iprange --dst-range 66.220.144.0-66.220.159.255 --dport 443 -j DROP
 +$IPTABLES -A BLACKLIST -p tcp -m iprange --dst-range 69.63.176.0-69.63.191.255 --dport 443 -j DROP
 +$IPTABLES -A BLACKLIST -p tcp -m iprange --dst-range 204.15.20.0-204.15.23.255 --dport 443 -j DROP
 +$IPTABLES -A BLACKLIST -p tcp -m iprange --dst-range 66.220.144.0-66.220.159.255 --dport 80 -j DROP
 +$IPTABLES -A BLACKLIST -p tcp -m iprange --dst-range 69.63.176.0-69.63.191.255 --dport 80 -j DROP
 +$IPTABLES -A BLACKLIST -p tcp -m iprange --dst-range 204.15.20.0-204.15.23.255 --dport 80 -j DROP
 +fi
 +#
 +
 +#------------------------------------------
 +# All good, so return
 +#
 +$IPTABLES -A BLACKLIST -j RETURN
 +#
 +
 +#*********************************************************
 +# Filter Floods
 +#
 +if [ $BLOCK_FLOODS -eq 1 ]
 +then
 +#
 +# Allow 4 TCP connects per second, no more
 +# Allow $LIMIT_PER_SECOND TCP connects per second, no more
 +#
 +#$IPTABLES -A FLOODS -m limit --limit 1/s --limit-burst 4 -j RETURN
 +$IPTABLES -A FLOODS -m limit --limit 1/s --limit-burst $LIMIT_PER_SECOND -j RETURN
 +#
 +
 +#------------------------------------------
 +# Block DDOS - SYN-flood
 +#
 +#$IPTABLES -A FLOODS -p tcp --syn -m connlimit --connlimit-above 9 -j LOG --log-level $LOG_LEVEL --log-prefix "IPT=TCP:SYN flood:1 a=DROP "
 +#$IPTABLES -A FLOODS -p tcp --syn -m connlimit --connlimit-above 9 -j DROP
 +$IPTABLES -A FLOODS -p tcp --syn -m connlimit --connlimit-above $LIMIT_SYN_MAX -j LOG --log-level $LOG_LEVEL --log-prefix "IPT=TCP:SYN Flood a=DROP "
 +$IPTABLES -A FLOODS -p tcp --syn -m connlimit --connlimit-above $LIMIT_SYN_MAX -j DROP
 +#
 +
 +# PETER - possibably instead of dropping set a mark or a name and only if name set right at bottom then drop.
 +#       - else it seems that 1st drop for e.g. tcp wont allow this to reach 2nd tcp check...
 +
 +#------------------------------------------
 +# TCP Flood protection. Accept $LIMIT_TCP requests/sec, rest will be logged/dropped.
 +#
 +$IPTABLES -A FLOODS -p tcp -m limit --limit $LIMIT_TCP --limit-burst $LIMIT_TCP_BURST -j RETURN
 +$IPTABLES -A FLOODS -p tcp -m limit --limit $LIMIT_LOG --limit-burst $LIMIT_LOG_BURST -j LOG --log-level $LOG_LEVEL --log-prefix "IPT=TCP:Flood a=DROP "
 +$IPTABLES -A FLOODS -p tcp -m limit -j DROP
 +#
 +
 +#------------------------------------------
 +# UDP Flood protection. Accept $LIMIT_UDP requests/sec, rest will be logged/dropped.
 +#
 +$IPTABLES -A FLOODS -p udp -m limit --limit $LIMIT_UDP --limit-burst $LIMIT_UDP_BURST -j RETURN
 +$IPTABLES -A FLOODS -p udp -m limit --limit $LIMIT_LOG --limit-burst $LIMIT_LOG_BURST -j LOG --log-level $LOG_LEVEL --log-prefix "IPT=UDP:Flood a=DROP "
 +$IPTABLES -A FLOODS -p udp -m limit -j DROP
 +#
 +
 +#------------------------------------------
 +# TCP Flood protection. Accept $LIMIT_PING requests/sec, rest will be logged/dropped.
 +# 3 minutes ban for flooders
 +#
 +
 +$IPTABLES -A FLOODS -p tcp -m limit --limit 2/s --limit-burst 6 -m comment --comment "IPT=TCP:Flood Limit " -j RETURN
 +$IPTABLES -A FLOODS -p tcp -m limit --limit 6/h --limit-burst 1 -j LOG --log-prefix "IPT=TCP:Flood Limit a=DROP "
 +$IPTABLES -A FLOODS -p tcp -m recent --name FLOOD --set -m comment --comment "IPT=TCP:Flood Limit a=DROP " -j DROP
 +#
 +
 +#------------------------------------------
 +# Limit UDP rate to 10/sec with burst at 20 (sometimes it is not enough, if you know a better average rate, let me know!)
 +# 3 minutes ban for flooders
 +#
 +$IPTABLES -A FLOODS -p udp -m limit --limit 10/s --limit-burst 20 -m comment --comment "IPT=UDP:Flood Limit " -j RETURN
 +$IPTABLES -A FLOODS -p udp -m limit --limit 6/h --limit-burst 1 -j LOG --log-prefix "IPT=UDP:Flood Limit a=DROP"
 +$IPTABLES -A FLOODS -p udp -m recent --name FLOOD --set -m comment --comment "IPT=UDP:Flood Limit a=DROP " -j DROP
 +#
 +
 +#------------------------------------------
 +# All good, so return
 +#
 +$IPTABLES -A FLOODS -j RETURN
 +#
 +
 +#
 +fi
 +#
 +
 +#*********************************************************
 +# Create a chain to filter known Viruses
 +#
 +#
 +if [ $BLOCK_VIRUSES -eq 1 ]
 +then
 +#
 +# One of the most powerful netfilter patches allows you to match
 +# packets based on their content.
 +#
 +# Use the experimental string-matching patch to filter out packets
 +# that match a certain string.
 +#
 +
 +#------------------------------------------
 +# DROP HTTP packets related to CodeRed and Nimda viruses silently
 +#
 +#$IPTABLES -A VIRUS -t filter -p tcp -i $INET_IFACE -d $LOCAL_IP --dport 80 -m string --string "/default.ida?" --algo $STRING_ALGO -j DROP
 +#$IPTABLES -A VIRUS -t filter -p tcp -i $INET_IFACE -d $LOCAL_IP --dport 80 -m string --string ".exe?/c+dir" --algo $STRING_ALGO -j DROP
 +#$IPTABLES -A VIRUS -t filter -p tcp -i $INET_IFACE -d $LOCAL_IP --dport 80 -m string --string ".exe?/c+tftp" --algo $STRING_ALGO -j DROP
 +#
 +
 +#------------------------------------------
 +# If you port forward your HTTP requests to an internal host,
 +# filter out the CodeRed virus in the FORWARD chain with this rule:
 +#
 +#$IPTABLES -A FORWARD -t filter -p tcp --dport 80 -m string --string "/default.ida?" --algo $STRING_ALGO -j DROP
 +#
 +
 +#------------------------------------------
 +# Torrent ALGO Strings using Boyer-Moore
 +#
 +$IPTABLES -A VIRUS -t filter -m string --algo bm --string "BitTorrent" -j DROP
 +$IPTABLES -A VIRUS -t filter -m string --algo bm --string "BitTorrent protocol" -j DROP
 +$IPTABLES -A VIRUS -t filter -m string --algo bm --string "peer_id=" -j DROP
 +$IPTABLES -A VIRUS -t filter -m string --algo bm --string ".torrent" -j DROP
 +$IPTABLES -A VIRUS -t filter -m string --algo bm --string "announce.php?passkey=" -j DROP
 +$IPTABLES -A VIRUS -t filter -m string --algo bm --string "torrent" -j DROP
 +$IPTABLES -A VIRUS -t filter -m string --algo bm --string "announce" -j DROP
 +$IPTABLES -A VIRUS -t filter -m string --algo bm --string "info_hash" -j DROP
 +$IPTABLES -A VIRUS -t filter -m string --algo bm --string "/default.ida?" -j DROP
 +$IPTABLES -A VIRUS -t filter -m string --algo bm --string ".exe?/c+dir" -j DROP
 +$IPTABLES -A VIRUS -t filter -m string --algo bm --string ".exe?/c_tftp" -j DROP
 +#
 +
 +#------------------------------------------
 +# Torrent Keys
 +#
 +$IPTABLES -A VIRUS -t filter -m string --algo kmp --string "peer_id" -j DROP
 +$IPTABLES -A VIRUS -t filter -m string --algo kmp --string "BitTorrent" -j DROP
 +$IPTABLES -A VIRUS -t filter -m string --algo kmp --string "BitTorrent protocol" -j DROP
 +$IPTABLES -A VIRUS -t filter -m string --algo kmp --string "bittorrent-announce" -j DROP
 +$IPTABLES -A VIRUS -t filter -m string --algo kmp --string "announce.php?passkey=" -j DROP
 +#
 +
 +#------------------------------------------
 +# Distributed Hash Table (DHT) Keywords
 +#
 +$IPTABLES -A VIRUS -t filter -m string --algo kmp --string "find_node" -j DROP
 +$IPTABLES -A VIRUS -t filter -m string --algo kmp --string "info_hash" -j DROP
 +$IPTABLES -A VIRUS -t filter -m string --algo kmp --string "get_peers" -j DROP
 +$IPTABLES -A VIRUS -t filter -m string --algo kmp --string "announce" -j DROP
 +$IPTABLES -A VIRUS -t filter -m string --algo kmp --string "announce_peers" -j DROP
 +#
 +
 +
 +# Block Common Virus Ports
 +
 +#iptables -A OUTPUT -o eth0 -p tcp --dport 31337 --sport 31337 -j DROP
 +#iptables -A FORWARD -o eth0 -p tcp --dport 31337 --sport 31337 -j DROP
 +
 +# add action=drop chain=virus comment="Blaster Worm" dst-port=135-139 protocol=tcp
 +# add action=drop chain=virus comment="Blaster Worm" dst-port=445 protocol=tcp
 +# add action=drop chain=virus comment="Messenger Worm" dst-port=135-139 protocol=udp
 +# add action=drop chain=virus comment="Blaster Worm" dst-port=445 protocol=udp
 +# add action=drop chain=virus comment=________ dst-port=593 protocol=tcp
 +# add action=drop chain=virus comment=________ dst-port=1024-1030 protocol=tcp
 +# add action=drop chain=virus comment=MyDoom dst-port=1080 protocol=tcp
 +# add action=drop chain=virus comment=________ dst-port=1214 protocol=tcp
 +# add action=drop chain=virus comment="ndm requester" dst-port=1363 protocol=tcp
 +# add action=drop chain=virus comment="ndm server" dst-port=1364 protocol=tcp
 +# add action=drop chain=virus comment="screen cast" dst-port=1368 protocol=tcp
 +# add action=drop chain=virus comment=hromgrafx dst-port=1373 protocol=tcp
 +# add action=drop chain=virus comment=cichlid dst-port=1377 protocol=tcp
 +# add action=drop chain=virus comment="Bagle Virus" dst-port=2745 protocol=tcp
 +# add action=drop chain=virus comment=Dumaru.Y dst-port=2283 protocol=tcp
 +# add action=drop chain=virus comment=Beagle dst-port=2535 protocol=tcp
 +# add action=drop chain=virus comment=Beagle.C-K dst-port=2745 protocol=tcp
 +# add action=drop chain=virus comment=MyDoom dst-port=3127-3128 protocol=tcp
 +# add action=drop chain=virus comment="Backdoor OptixPro" dst-port=3410 protocol=tcp
 +# add action=drop chain=virus comment=Sasser dst-port=5554 protocol=tcp
 +# add action=drop chain=virus comment=Beagle.B dst-port=8866 protocol=tcp
 +# add action=drop chain=virus comment=Dabber.A-B dst-port=9898 protocol=tcp
 +# add action=drop chain=virus comment=Dumaru.Y dst-port=10000 protocol=tcp
 +# add action=drop chain=virus comment=MyDoom.B dst-port=10080 protocol=tcp
 +# add action=drop chain=virus comment=NetBus dst-port=12345 protocol=tcp
 +# add action=drop chain=virus comment=Kuang2 dst-port=17300 protocol=tcp
 +# add action=drop chain=virus comment=SubSeven dst-port=27374 protocol=tcp
 +# add action=drop chain=virus comment="PhatBot, Agobot, Gaobot" dst-port=65506 protocol=tcp
 +
 +#------------------------------------------
 +# All good, so return
 +#
 +$IPTABLES -A VIRUS -j RETURN
 +#
 +
 +#
 +fi
 +#
 +
 +#*********************************************************
 +# Create a chain to filter PRIVATE ADDRESS packets
 +# This chain is for inbound (from the Internet) private packets only.
 +#
 +
 +#------------------------------------------
 +# Drop packets from private address ranges coming in on the external
 +# Drop multicast adresses
 +#
 +$IPTABLES -A PRIVATE_PACKETS -s 0.0.0.0/8 -m limit --limit $LIMIT_LOG --limit-burst $LIMIT_LOG_BURST -j LOG --log-level $LOG_LEVEL --log-prefix "IPT=IP_SPOOF:0 a=DROP "
 +
 +$IPTABLES -A PRIVATE_PACKETS -s 0.0.0.0/8 -j DROP
 +#
 +$IPTABLES -A PRIVATE_PACKETS -s 10.0.0.0/8 -m limit --limit $LIMIT_LOG --limit-burst $LIMIT_LOG_BURST -j LOG --log-level $LOG_LEVEL --log-prefix "IPT=IP_SPOOF:A a=DROP "
 +
 +$IPTABLES -A PRIVATE_PACKETS -s 10.0.0.0/8 -j DROP
 +#
 +$IPTABLES -A PRIVATE_PACKETS -s 127.0.0.0/8 -m limit --limit $LIMIT_LOG --limit-burst $LIMIT_LOG_BURST -j LOG --log-level $LOG_LEVEL --log-prefix "IPT=IP_SPOOF:127 a=DROP "
 +
 +$IPTABLES -A PRIVATE_PACKETS -s 127.0.0.0/8 -j DROP
 +#
 +$IPTABLES -A PRIVATE_PACKETS -s 169.254.0.0/16 -m limit --limit $LIMIT_LOG --limit-burst $LIMIT_LOG_BURST -j LOG --log-level $LOG_LEVEL --log-prefix "IPT=IP_SPOOF:169 a=DROP "
 +
 +$IPTABLES -A PRIVATE_PACKETS -s 169.254.0.0/16 -j DROP
 +#
 +$IPTABLES -A PRIVATE_PACKETS -s 172.16.0.0/12 -m limit --limit $LIMIT_LOG --limit-burst $LIMIT_LOG_BURST -j LOG --log-level $LOG_LEVEL --log-prefix "IPT=IP_SPOOF:B a=DROP "
 +
 +$IPTABLES -A PRIVATE_PACKETS -s 172.16.0.0/12 -j DROP
 +#
 +$IPTABLES -A PRIVATE_PACKETS -s 192.16.0.0/16 -m limit --limit $LIMIT_LOG --limit-burst $LIMIT_LOG_BURST -j LOG --log-level $LOG_LEVEL --log-prefix "IPT=IP_SPOOF:C a=DROP "
 +
 +$IPTABLES -A PRIVATE_PACKETS -s 192.0.0.0/24 -j DROP
 +#
 +$IPTABLES -A PRIVATE_PACKETS -s 224.0.0.0/4 -m limit --limit $LIMIT_LOG --limit-burst $LIMIT_LOG_BURST -j LOG --log-level $LOG_LEVEL --log-prefix "IPT=IP_SPOOF:D a=DROP "
 +
 +$IPTABLES -A PRIVATE_PACKETS -s 224.0.0.0/4 -j DROP
 +#
 +$IPTABLES -A PRIVATE_PACKETS -s 239.255.255.0/24 -m limit --limit $LIMIT_LOG --limit-burst $LIMIT_LOG_BURST -j LOG --log-level $LOG_LEVEL --log-prefix "IPT=IP_SPOOF:239 a=DROP "
 +
 +$IPTABLES -A PRIVATE_PACKETS -s 239.255.255.0/24 -j DROP
 +#
 +$IPTABLES -A PRIVATE_PACKETS -s 240.0.0.0/5 -m limit --limit $LIMIT_LOG --limit-burst $LIMIT_LOG_BURST -j LOG --log-level $LOG_LEVEL --log-prefix "IPT=IP_SPOOF:240 a=DROP "
 +
 +$IPTABLES -A PRIVATE_PACKETS -s 240.0.0.0/5 -j DROP
 +#
 +$IPTABLES -A PRIVATE_PACKETS -s 248.0.0.0/5 -m limit --limit $LIMIT_LOG --limit-burst $LIMIT_LOG_BURST -j LOG --log-level $LOG_LEVEL --log-prefix "IPT=IP_SPOOF:248 a=DROP "
 +
 +$IPTABLES -A PRIVATE_PACKETS -s 248.0.0.0/5 -j DROP
 +#
 +# 255=FAKE CLASS E
 +#
 +$IPTABLES -A PRIVATE_PACKETS -s 255.255.255.255/32 -m limit --limit $LIMIT_LOG --limit-burst $LIMIT_LOG_BURST -j LOG --log-level $LOG_LEVEL --log-prefix "IPT=IP_SPOOF:255 a=DROP "
 +
 +$IPTABLES -A PRIVATE_PACKETS -s 255.255.255.255/32 -j DROP
 +#
 +
 +#------------------------------------------
 +# All good, so return
 +#
 +$IPTABLES -A PRIVATE_PACKETS -j RETURN
 +#
 +
 +#*********************************************************
 +# Create a chain to filter incoming ICMP packets
 +# This chain is for inbound (from the Internet) icmp packets only.
 +#
 +# For more info on ICMP types.
 +#
 +# http://www.iana.org/assignments/icmp-parameters/icmp-parameters.xml
 +# iptables -p icmp -h
 +#
 +#
 +# Type 0 is for echo-reply
 +# Type 1 is Unassigned
 +# Type 2 is Unassigned
 +# Type 3 is for destination-unreachable
 +# Type 4 is for source quench (depreciated)
 +# Type 5 is for redirect
 +# Type 6 is for alternative host address
 +# Type 7 is Unassigned
 +# Type 8 is for echo-request.
 +# Type 9 is for router advertisement
 +# Type 10 is for router solicitation
 +# Type 11 is for time-exceeded
 +# Type 12 is for parameter problem
 +# Type 13 is for timestamp
 +# Type 14 is for timestamp-reply
 +# Type 15 is for information-request
 +# Type 16 is for information-reply
 +# Type 17 is for address-mask-request
 +# Type 18 is for address-mask-reply
 +# Type 19 is reserved (for security)
 +# Type 30 is for traceroute
 +# Type 31 is for datagram conversion error
 +# Type 32 is for mobile host redirect
 +# Type 33 is for IPv6 where-are you
 +# Type 34 is for IPv6 I-am-here
 +# Type 35 is for mobile registration request
 +# Type 36 is for mobile registration reply
 +# Type 37 is for domain name request
 +# Type 38 is for domain name reply
 +# Type 39 is for SKIP
 +# Type 40 is for Photunis
 +# Type 41 is for ICMP messages utilized by experimental mobility protocols such as Seamoby
 +#
 +
 +#
 +#--reject-with icmp-port-unreachable
 +#--reject-with icmp6-port-unreachable
 +#
 +
 +
 +#$IPTABLES -A ICMP_IN -i INET_IFACE -p icmp --icmp-type address-mask-reply -j ACCEPT
 +#$IPTABLES -A ICMP_IN -i INET_IFACE -p icmp --icmp-type required-option-missing -j ACCEPT
 +#$IPTABLES -A ICMP_IN -i INET_IFACE -p icmp --icmp-type parameter-problem -j ACCEPT
 +#$IPTABLES -A ICMP_IN -i INET_IFACE -p icmp --icmp-type ip-header-bad -j ACCEPT
 +#$IPTABLES -A ICMP_IN -i INET_IFACE -p icmp --icmp-type time-exceeded -j ACCEPT
 +#$IPTABLES -A ICMP_IN -i INET_IFACE -p icmp --icmp-type TOS-host-unreachable -j ACCEPT
 +#$IPTABLES -A ICMP_IN -i INET_IFACE -p icmp --icmp-type source-route-failed -j ACCEPT
 +#$IPTABLES -A ICMP_IN -i INET_IFACE -p icmp --icmp-type network-unknown -j ACCEPT
 +#$IPTABLES -A ICMP_IN -i INET_IFACE -p icmp --icmp-type echo-reply -j ACCEPT
 +# Deny ICMP types inbound
 +#$IPTABLES -A ICMP_IN -i INET_IFACE -p icmp --icmp-type destination-unreachable -j DROP
 +#$IPTABLES -A ICMP_IN -i INET_IFACE -p icmp --icmp-type network-unreachable -j DROP
 +#$IPTABLES -A ICMP_IN -i INET_IFACE -p icmp --icmp-type host-unreachable -j DROP
 +#$IPTABLES -A ICMP_IN -i INET_IFACE -p icmp --icmp-type protocol-unreachable -j DROP
 +#$IPTABLES -A ICMP_IN -i INET_IFACE -p icmp --icmp-type port-unreachable -j DROP
 +#$IPTABLES -A ICMP_IN -i INET_IFACE -p icmp --icmp-type fragmentation-needed -j DROP
 +#$IPTABLES -A ICMP_IN -i INET_IFACE -p icmp --icmp-type host-unknown -j DROP
 +#$IPTABLES -A ICMP_IN -i INET_IFACE -p icmp --icmp-type network-prohibited -j DROP
 +#$IPTABLES -A ICMP_IN -i INET_IFACE -p icmp --icmp-type host-prohibited -j DROP
 +#$IPTABLES -A ICMP_IN -i INET_IFACE -p icmp --icmp-type TOS-network-unreachable -j DROP
 +#$IPTABLES -A ICMP_IN -i INET_IFACE -p icmp --icmp-type communication-prohibited -j DROP
 +#$IPTABLES -A ICMP_IN -i INET_IFACE -p icmp --icmp-type host-precedence-violation -j DROP
 +#$IPTABLES -A ICMP_IN -i INET_IFACE -p icmp --icmp-type precedence-cutoff -j DROP
 +#$IPTABLES -A ICMP_IN -i INET_IFACE -p icmp --icmp-type source-quench -j DROP
 +#$IPTABLES -A ICMP_IN -i INET_IFACE -p icmp --icmp-type redirect -j DROP
 +#$IPTABLES -A ICMP_IN -i INET_IFACE -p icmp --icmp-type network-redirect -j DROP
 +#$IPTABLES -A ICMP_IN -i INET_IFACE -p icmp --icmp-type host-redirect -j DROP
 +#$IPTABLES -A ICMP_IN -i INET_IFACE -p icmp --icmp-type TOS-network-redirect -j DROP
 +#$IPTABLES -A ICMP_IN -i INET_IFACE -p icmp --icmp-type TOS-host-redirect -j DROP
 +#$IPTABLES -A ICMP_IN -i INET_IFACE -p icmp --icmp-type echo-request -m limit --limit 1/s --limit-burst 1 -j LOG --log-level $LOG_LEVEL --log-prefix “PING REQUEST “
 +#$IPTABLES -A ICMP_IN -i INET_IFACE -p icmp --icmp-type echo-request -j DROP
 +#$IPTABLES -A ICMP_IN -i INET_IFACE -p icmp --icmp-type router-advertisement -j DROP
 +#$IPTABLES -A ICMP_IN -i INET_IFACE -p icmp --icmp-type router-solicitation -j DROP
 +#$IPTABLES -A ICMP_IN -i INET_IFACE -p icmp --icmp-type ttl-zero-during-transit -j DROP
 +#$IPTABLES -A ICMP_IN -i INET_IFACE -p icmp --icmp-type ttl-zero-during-reassembly -j DROP
 +#$IPTABLES -A ICMP_IN -i INET_IFACE -p icmp --icmp-type timestamp-request -j DROP
 +#$IPTABLES -A ICMP_IN -i INET_IFACE -p icmp --icmp-type timestamp-reply -j ACCEPT
 +#$IPTABLES -A ICMP_IN -i INET_IFACE -p icmp --icmp-type address-mask-request -j DROP
 +
 +
 +#------------------------------------------
 +# Destination unreachable
 +#
 +# ICMP type 3 is necessary for path MTU discovery to work correctly.
 +# It should be enabled inbound to get top efficiency.
 +
 +$IPTABLES -A ICMP_IN -p icmp --icmp-type destination-unreachable -j ACCEPT
 +#
 +
 +#------------------------------------------
 +# Drop Smurf attack
 +#
 +$IPTABLES -A ICMP_IN -p icmp -d 0.0.0.255/0.0.0.255 -m limit --limit $LIMIT_LOG --limit-burst $LIMIT_LOG_BURST -j LOG --log-level $LOG_LEVEL --log-prefix "IPT=ICMP-IN:0.255 a=DROP "
 +
 +$IPTABLES -A ICMP_IN -p icmp -d 0.0.0.255/0.0.0.255 -j DROP
 +#
 +
 +#------------------------------------------
 +# Answer ping requests.
 +#
 +# First Block DOS - Ping of Death
 +#
 +$IPTABLES -A ICMP_IN -p icmp --icmp-type echo-request -m length --length 61:65535 -j LOG --log-level $LOG_LEVEL --log-prefix "IPT=ICMP-IN:PING-death a=DROP "
 +
 +$IPTABLES -A ICMP_IN -p icmp --icmp-type echo-request -m length --length 61:65535 -j DROP
 +
 +#------------------------------------------
 +# Now Block DDOS - Smurf
 +#
 +$IPTABLES -A ICMP_IN -p icmp --icmp-type echo-request -m pkttype --pkt-type broadcast -j LOG --log-level $LOG_LEVEL --log-prefix "IPT=ICMP-IN:Smurf:1 a=DROP "
 +
 +$IPTABLES -A ICMP_IN -p icmp --icmp-type echo-request -m pkttype --pkt-type broadcast -j DROP
 +
 +#------------------------------------------
 +# Ping Flood protection. Accept $LIMIT_PING echo-reply/sec, rest will be logged/dropped.
 +# Ping Flood protection. Accept $LIMIT_PING echo-requests/sec, rest will be logged/dropped.
 +#
 +if [ $ALLOW_PING_IN -eq 1 ]
 +then
 +$IPTABLES -A ICMP_IN -p icmp --icmp-type echo-reply -m limit --limit $LIMIT_PING --limit-burst $LIMIT_PING_BURST -j ACCEPT
 +fi
 +
 +$IPTABLES -A ICMP_IN -p icmp --icmp-type echo-reply -m limit --limit $LIMIT_LOG --limit-burst $LIMIT_LOG_BURST -j LOG --log-level $LOG_LEVEL --log-prefix "IPT=ICMP-IN:PING:1 a=DROP "
 +
 +$IPTABLES -A ICMP_IN -p icmp --icmp-type echo-reply -j DROP
 +#
 +if [ $ALLOW_PING_IN -eq 1 ]
 +then
 +$IPTABLES -A ICMP_IN -p icmp --icmp-type echo-request -m limit --limit $LIMIT_PING --limit-burst $LIMIT_PING_BURST -j ACCEPT
 +#$IPTABLES -A ICMP_IN -p icmp --icmp-type echo-request -m limit --limit 3/s -j ACCEPT # Smurf
 +fi
 +
 +$IPTABLES -A ICMP_IN -p icmp --icmp-type echo-request -m limit --limit $LIMIT_LOG --limit-burst $LIMIT_LOG_BURST -j LOG --log-level $LOG_LEVEL --log-prefix "IPT=ICMP-IN:PING:2 a=DROP "
 +
 +$IPTABLES -A ICMP_IN -p icmp --icmp-type echo-request -j DROP
 +#
 +
 +#------------------------------------------
 +# Allow traceroute, though it is not required.
 +#
 +# Type 11 (Time Exceeded) is the only one accepted that would
 +# not already be covered by the established connection rule.
 +# Applied to INPUT on the external interface.
 +#
 +# Ping Flood protection. Accept $LIMIT_PING request/sec, rest will be logged/dropped.
 +#
 +if [ $ALLOW_TRACEROUTE_IN -eq 1 ]
 +then
 +$IPTABLES -A ICMP_IN -p icmp --icmp-type 11 -m limit --limit $LIMIT_PING --limit-burst $LIMIT_PING_BURST -j ACCEPT
 +fi
 +
 +$IPTABLES -A ICMP_IN -p icmp --icmp-type 11 -m limit --limit $LIMIT_LOG --limit-burst $LIMIT_LOG_BURST -j LOG --log-level $LOG_LEVEL --log-prefix "IPT=ICMP-IN:time:1 a=DROP "
 +
 +$IPTABLES -A ICMP_IN -p icmp --icmp-type 11 -j DROP
 +#
 +if [ $ALLOW_TRACEROUTE_IN -eq 1 ]
 +then
 +$IPTABLES -A ICMP_IN -p icmp --icmp-type 30 -m limit --limit $LIMIT_PING --limit-burst $LIMIT_PING_BURST -j ACCEPT
 +fi
 +
 +$IPTABLES -A ICMP_IN -p icmp --icmp-type 30 -m limit --limit $LIMIT_LOG --limit-burst $LIMIT_LOG_BURST -j LOG --log-level $LOG_LEVEL --log-prefix "IPT=ICMP-IN:trace a=DROP "
 +
 +$IPTABLES -A ICMP_IN -p icmp --icmp-type 30 -j DROP
 +#
 +
 +#------------------------------------------
 +# Block ICMP-Parameter-Problem
 +#
 +# Ping Flood protection. Accept $LIMIT_PING request/sec, rest will be logged/dropped.
 +#
 +if [ $ALLOW_ICMP_PARAM_PROBLEM_IN -eq 1 ]
 +then
 +$IPTABLES -A ICMP_IN -p icmp --icmp-type parameter-problem -m limit --limit $LIMIT_PING --limit-burst $LIMIT_PING_BURST -j ACCEPT
 +fi
 +
 +$IPTABLES -A ICMP_IN -p icmp --icmp-type parameter-problem -m limit --limit $LIMIT_LOG --limit-burst $LIMIT_LOG_BURST -j LOG --log-level $LOG_LEVEL --log-prefix "IPT=ICMP-IN:params a=DROP "
 +
 +$IPTABLES -A ICMP_IN -p icmp --icmp-type parameter-problem -j DROP
 +#
 +
 +#------------------------------------------
 +# Block ICMP-Redirects (Should already be caught by sysctl-options, if enabled)
 +#
 +$IPTABLES -A ICMP_IN -p icmp --icmp-type redirect -m limit --limit $LIMIT_LOG --limit-burst $LIMIT_LOG_BURST -j LOG --log-level $LOG_LEVEL --log-prefix "IPT=ICMP-IN:redirect a=DROP "
 +
 +$IPTABLES -A ICMP_IN -p icmp --icmp-type redirect -j DROP
 +#
 +
 +#------------------------------------------
 +
 +# Block ICMP-TTL-Expired MS Traceroute (MS uses ICMP instead of UDP for tracert)
 +#
 +$IPTABLES -A ICMP_IN -p icmp --icmp-type ttl-zero-during-transit -m limit --limit $LIMIT_LOG --limit-burst $LIMIT_LOG_BURST -j LOG --log-level $LOG_LEVEL --log-prefix "IPT=ICMP-IN:ttl:1 a=DROP "
 +
 +$IPTABLES -A ICMP_IN -p icmp --icmp-type ttl-zero-during-transit -j DROP
 +
 +$IPTABLES -A ICMP_IN -p icmp --icmp-type ttl-zero-during-reassembly -m limit --limit $LIMIT_LOG --limit-burst $LIMIT_LOG_BURST -j LOG --log-level $LOG_LEVEL --log-prefix "IPT=ICMP-IN:ttl:2 a=DROP "
 +
 +$IPTABLES -A ICMP_IN -p icmp --icmp-type ttl-zero-during-reassembly -j DROP
 +#
 +
 +#------------------------------------------
 +# Block ICMP-Timestamp (Should already be caught by sysctl-options, if enabled)
 +#
 +$IPTABLES -A ICMP_IN -p icmp --icmp-type timestamp-request -m limit --limit $LIMIT_LOG --limit-burst $LIMIT_LOG_BURST -j LOG --log-level $LOG_LEVEL --log-prefix "IPT=ICMP-IN:ts:1 a=DROP "
 +
 +$IPTABLES -A ICMP_IN -p icmp --icmp-type timestamp-request -j DROP
 +
 +$IPTABLES -A ICMP_IN -p icmp --icmp-type timestamp-reply -m limit --limit $LIMIT_LOG --limit-burst $LIMIT_LOG_BURST -j LOG --log-level $LOG_LEVEL --log-prefix "IPT=ICMP-IN:ts:2 a=DROP "
 +
 +$IPTABLES -A ICMP_IN -p icmp --icmp-type timestamp-reply -j DROP
 +#
 +
 +#------------------------------------------
 +# Block ICMP-address-mask (can help to prevent OS-fingerprinting)
 +#
 +$IPTABLES -A ICMP_IN -p icmp --icmp-type address-mask-request -m limit --limit $LIMIT_LOG --limit-burst $LIMIT_LOG_BURST -j LOG --log-level $LOG_LEVEL --log-prefix "IPT=ICMP-IN:addr:1 a=DROP "
 +
 +$IPTABLES -A ICMP_IN -p icmp --icmp-type address-mask-request -j DROP
 +
 +$IPTABLES -A ICMP_IN -p icmp --icmp-type address-mask-reply -m limit --limit $LIMIT_LOG --limit-burst $LIMIT_LOG_BURST -j LOG --log-level $LOG_LEVEL --log-prefix "IPT=ICMP-IN:addr:2 a=DROP "
 +
 +$IPTABLES -A ICMP_IN -p icmp --icmp-type address-mask-reply -j DROP
 +#
 +
 +#------------------------------------------
 +# Block DOS - Jolt
 +#
 +
 +#
 +# ICMP packets should fit in a Layer 2 frame, thus they should
 +# never be fragmented. Fragmented ICMP packets are a typical sign
 +# of a denial of service attack.
 +#
 +$IPTABLES -A ICMP_IN -p icmp --fragment -j LOG --log-level $LOG_LEVEL --log-prefix "IPT=ICMP:frag a=DROP "
 +#$IPTABLES -A ICMP_IN -p icmp --fragment -m limit --limit $LIMIT_LOG --limit-burst $LIMIT_LOG_BURST -j LOG --log-level $LOG_LEVEL --log-prefix "IPT=ICMP-IN:frag a=DROP "
 +$IPTABLES -A ICMP_IN -p icmp --fragment -j DROP
 +#
 +
 +#------------------------------------------
 +# All good, so return
 +#
 +$IPTABLES -A ICMP_IN -p icmp -j DROP
 +#
 +
 +#*********************************************************
 +# Create a chain to filter outgoing ICMP packets
 +# This chain is for outbound (to the Internet) icmp packets only.
 +#
 +
 +#------------------------------------------
 +# Answer ping requests.
 +#
 +# Ping Flood protection. Accept $LIMIT_PING echo-reply/sec, rest will be logged/dropped.
 +# Ping Flood protection. Accept $LIMIT_PING echo-requests/sec, rest will be logged/dropped.
 +#
 +if [ $ALLOW_PING_OUT -eq 1 ]
 +then
 +$IPTABLES -A ICMP_OUT -p icmp --icmp-type echo-reply -m conntrack --ctstate NEW -j ACCEPT
 +else
 +$IPTABLES -A ICMP_OUT -p icmp --icmp-type echo-reply -m limit --limit $LIMIT_LOG --limit-burst $LIMIT_LOG_BURST -j LOG --log-level $LOG_LEVEL --log-prefix "IPT=ICMP-OUT:PING:1 a=DROP "
 +
 +$IPTABLES -A ICMP_OUT -p icmp --icmp-type echo-reply -j DROP
 +fi
 +#
 +if [ $ALLOW_PING_OUT -eq 1 ]
 +then
 +$IPTABLES -A ICMP_OUT -p icmp --icmp-type echo-request -m conntrack --ctstate NEW -j ACCEPT
 +else
 +$IPTABLES -A ICMP_OUT -p icmp --icmp-type echo-request -m limit --limit $LIMIT_LOG --limit-burst $LIMIT_LOG_BURST -j LOG --log-level $LOG_LEVEL --log-prefix "IPT=ICMP-OUT:PING:2 a=DROP "
 +
 +$IPTABLES -A ICMP_OUT -p icmp --icmp-type echo-request -j DROP
 +fi
 +#
 +
 +#------------------------------------------
 +
 +# Time Exceeded
 +# Type 11 (Time Exceeded) is the only one accepted that would
 +# not already be covered by the established connection rule.
 +# Applied to INPUT on the external interface.
 +#
 +if [ $ALLOW_TRACEROUTE_OUT -eq 1 ]
 +then
 +$IPTABLES -A ICMP_OUT -p icmp --icmp-type 11 -j ACCEPT
 +else
 +$IPTABLES -A ICMP_OUT -p icmp --icmp-type 11 -m limit --limit $LIMIT_LOG --limit-burst $LIMIT_LOG_BURST -j LOG --log-level $LOG_LEVEL --log-prefix "IPT=ICMP-OUT:time:1 a=DROP "
 +
 +$IPTABLES -A ICMP_OUT -p icmp --icmp-type 11 -j DROP
 +fi
 +#
 +if [ $ALLOW_TRACEROUTE_OUT -eq 1 ]
 +then
 +$IPTABLES -A ICMP_OUT -p icmp --icmp-type 30 -j ACCEPT
 +else
 +$IPTABLES -A ICMP_OUT -p icmp --icmp-type 30 -m limit --limit $LIMIT_LOG --limit-burst $LIMIT_LOG_BURST -j LOG --log-level $LOG_LEVEL --log-prefix "IPT=ICMP-OUT:trace a=DROP "
 +
 +$IPTABLES -A ICMP_OUT -p icmp --icmp-type 30 -j DROP
 +fi
 +#
 +
 +#------------------------------------------
 +# Block ICMP-Redirects (Should already be caught by sysctl-options, if enabled)
 +#
 +$IPTABLES -A ICMP_OUT -p icmp --icmp-type redirect -m limit --limit $LIMIT_LOG --limit-burst $LIMIT_LOG_BURST -j LOG --log-level $LOG_LEVEL --log-prefix "IPT=ICMP-OUT:redirect a=DROP "
 +
 +$IPTABLES -A ICMP_OUT -p icmp --icmp-type redirect -j DROP
 +#
 +
 +#------------------------------------------
 +# Block ICMP-TTL-Expired MS Traceroute (MS uses ICMP instead of UDP for tracert)
 +#
 +$IPTABLES -A ICMP_OUT -p icmp --icmp-type ttl-zero-during-transit -m limit --limit $LIMIT_LOG --limit-burst $LIMIT_LOG_BURST -j LOG --log-level $LOG_LEVEL --log-prefix "IPT=ICMP-OUT:ttl:1 a=DROP "
 +
 +$IPTABLES -A ICMP_OUT -p icmp --icmp-type ttl-zero-during-transit -j DROP
 +
 +$IPTABLES -A ICMP_OUT -p icmp --icmp-type ttl-zero-during-reassembly -m limit --limit $LIMIT_LOG --limit-burst $LIMIT_LOG_BURST -j LOG --log-level $LOG_LEVEL --log-prefix "IPT=ICMP-OUT:ttl:2 a=DROP "
 +
 +$IPTABLES -A ICMP_OUT -p icmp --icmp-type ttl-zero-during-reassembly -j DROP
 +#
 +
 +#------------------------------------------
 +# Block ICMP-Parameter-Problem
 +#
 +$IPTABLES -A ICMP_OUT -p icmp --icmp-type parameter-problem -m limit --limit $LIMIT_LOG --limit-burst $LIMIT_LOG_BURST -j LOG --log-level $LOG_LEVEL --log-prefix "IPT=ICMP-OUT:params a=DROP "
 +
 +$IPTABLES -A ICMP_OUT -p icmp --icmp-type parameter-problem -j DROP
 +#
 +
 +#------------------------------------------
 +# Block ICMP-Timestamp (Should already be caught by sysctl-options, if enabled)
 +#
 +$IPTABLES -A ICMP_OUT -p icmp --icmp-type timestamp-request -m limit --limit $LIMIT_LOG --limit-burst $LIMIT_LOG_BURST -j LOG --log-level $LOG_LEVEL --log-prefix "IPT=ICMP-OUT:ts:1 a=DROP "
 +
 +$IPTABLES -A ICMP_OUT -p icmp --icmp-type timestamp-request -j DROP
 +
 +$IPTABLES -A ICMP_OUT -p icmp --icmp-type timestamp-reply -m limit --limit $LIMIT_LOG --limit-burst $LIMIT_LOG_BURST -j LOG --log-level $LOG_LEVEL --log-prefix "IPT=ICMP-OUT:ts:2 a=DROP "
 +
 +$IPTABLES -A ICMP_OUT -p icmp --icmp-type timestamp-reply -j DROP
 +#
 +
 +#------------------------------------------
 +# Block ICMP-address-mask (can help to prevent OS-fingerprinting)
 +#
 +$IPTABLES -A ICMP_OUT -p icmp --icmp-type address-mask-request -m limit --limit $LIMIT_LOG --limit-burst $LIMIT_LOG_BURST -j LOG --log-level $LOG_LEVEL --log-prefix "IPT=ICMP-OUT:addr:1 a=DROP "
 +
 +$IPTABLES -A ICMP_OUT -p icmp --icmp-type address-mask-request -j DROP
 +
 +$IPTABLES -A ICMP_OUT -p icmp --icmp-type address-mask-reply -m limit --limit $LIMIT_LOG --limit-burst $LIMIT_LOG_BURST -j LOG --log-level $LOG_LEVEL --log-prefix "IPT=ICMP-OUT:addr:2 a=DROP "
 +
 +$IPTABLES -A ICMP_OUT -p icmp --icmp-type address-mask-reply -j DROP
 +#
 +
 +#------------------------------------------
 +# ICMP packets should fit in a Layer 2 frame, thus they should
 +# never be fragmented. Fragmented ICMP packets are a typical sign
 +# of a denial of service attack.
 +#
 +$IPTABLES -A ICMP_OUT -p icmp --fragment -m limit --limit $LIMIT_LOG --limit-burst $LIMIT_LOG_BURST -j LOG --log-level $LOG_LEVEL --log-prefix "IPT=ICMP-OUT:frag a=DROP "
 +
 +$IPTABLES -A ICMP_OUT -p icmp --fragment -j DROP
 +#
 +
 +#------------------------------------------
 +# All good, so return
 +#
 +$IPTABLES -A ICMP_OUT -p icmp -j DROP
 +#
 +
 +#*********************************************************
 +# Create a chain to filter UDP packets
 +# Applied to INPUT on the external or Internet interface.
 +#
 +#------------------------------------------
 +# BitTorrent
 +#
 +if [ $ALLOW_BITTORRENT_IN -eq 1 ]
 +then
 +$IPTABLES -A UDP_IN -p udp -m conntrack --ctstate NEW --dport 6881 -j ACCEPT # BITTORRENT
 +fi
 +#
 +
 +#------------------------------------------
 +# CUPS Printing
 +#
 +if [ $ALLOW_CUPS_IN -eq 1 ]
 +then
 +$IPTABLES -A UDP_IN -p udp -m conntrack --ctstate NEW --dport 631 -j ACCEPT # Printing CUPS
 +fi
 +#
 +
 +#------------------------------------------
 +# If DHCP, the initial request is a broadcast. The response
 +# doesn't exactly match the outbound packet. This explicitly
 +# allow the DHCP ports to alleviate this problem.
 +#
 +# If you receive your dynamic address by a different means, you
 +# can probably comment out this line.
 +#
 +if [ $ALLOW_DHCP_BROADCAST_IN -eq 1 ]
 +then
 +#$IPTABLES -A UDP_IN -p udp --sport 68 --dport 67 -j ACCEPT
 +$IPTABLES -A UDP_IN -p udp --sport 67:68 --dport 67:68 -j ACCEPT
 +fi
 +#
 +
 +#------------------------------------------
 +# Allow DNS
 +#
 +if [ $ALLOW_DNS_IN -eq 1 ]
 +then
 +$IPTABLES -A UDP_IN -p udp --dport 53 -j ACCEPT
 +
 +#$IPTABLES -A UDP_IN -p udp -i $INET_IFACE --sport 53 -m state --state ESTABLISHED -j ACCEPT
 +#$IPTABLES -A UDP_IN -p tcp -i $INET_IFACE --sport 53 -m state --state ESTABLISHED -j ACCEPT
 +#$IPTABLES -A UDP_IN -p udp -i $INET_IFACE --sport 53 -j ACCEPT
 +#$IPTABLES -A UDP_IN -p tcp -i $INET_IFACE --sport 53 -j ACCEPT
 +
 +
 +#$IPTABLES -A UDP_IN -p udp -m conntrack --ctstate NEW --dport 53 -j ACCEPT
 +
 +#$IPTABLES -A UDP_IN -p udp -m conntrack --ctstate ESTABLISHED --sport 53 -j ACCEPT
 +#$IPTABLES -A UDP_IN -p udp -s $ip --sport 53 -m state --state ESTABLISHED -j ACCEPT
 +# -o $INET_IFACE -s $INET_IP
 +#$IPTABLES -A UDP_IN -p udp -i $INET_IFACE -s $INET_IP -m conntrack --ctstate NEW --dport 53 -j ACCEPT
 +#$IPTABLES -A UDP_IN -p udp -i $INET_IFACE -d $INET_IP -m conntrack --ctstate ESTABLISHED --sport 53 -j ACCEPT
 +
 +#for ip in $DNS_SERVERS
 +#do
 +#$IPTABLES -A UDP_IN -p udp -s $ip --sport 53 -d $SERVER_IP --dport $PORTS_UNPRIV -m state --state ESTABLISHED -j ACCEPT
 +#done
 +
 +#$IPTABLES -A UDP_IN -p udp -s 0/0 --sport $PORTS_UNPRIV -d $SERVER_IP --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT
 +#$IPTABLES -A UDP_IN -p udp -s $ip --sport 53 -d $SERVER_IP --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
 +
 +#$IPTABLES -A UDP_IN -p udp -i $INET_IFACE --sport 53 -j ACCEPT
 +fi
 +#
 +
 +#------------------------------------------
 +# Allow NC
 +#
 +if [ $ALLOW_NC_IN -eq 1 ]
 +then
 +$IPTABLES -A UDP_IN -p udp -m conntrack --ctstate NEW --dport 2030 -j ACCEPT # NC
 +fi
 +#
 +
 +#------------------------------------------
 +# Allow NFS
 +
 +if [ $ALLOW_NFS_IN -eq 1 ]
 +then
 +$IPTABLES -A UDP_IN -p udp -m conntrack --ctstate NEW --dport 2049 -j ACCEPT # NFS
 +fi
 +#
 +
 +#------------------------------------------
 +# Allow NTP
 +#
 +if [ $DO_QUICK_NTP -ne 0 ]
 +then
 +  if [ $ALLOW_NTP_IN -eq 1 ]
 +  then
 +    $IPTABLES -A UDP_IN -p udp -m conntrack --ctstate NEW --dport 123 -j ACCEPT
 +  fi
 +fi
 +#
 +
 +#------------------------------------------
 +# Allow SAMBA
 +#
 +if [ $ALLOW_SAMBA_IN -eq 1 ]
 +then
 +#$IPTABLES -A TCP_IN -p tcp -i $INET_IFACE -m conntrack --ctstate NEW -m multiport --dports 135,137,138,139,445,1433,1434 -j ACCEPT
 +$IPTABLES -A UDP_IN -p udp -i $INET_IFACE -m conntrack --ctstate NEW -m multiport --dports 135,137,138,139,445,1433,1434 -j ACCEPT
 +fi
 +#
 +
 +#------------------------------------------
 +# Allow TRACEROUTE
 +#
 +if [ $ALLOW_TRACEROUTE_IN -eq 1 ]
 +then
 +$IPTABLES -A UDP_IN -p udp -m conntrack --ctstate NEW --sport $PORTS_TRACEROUTE_SRC --dport $PORTS_TRACEROUTE_DEST -j ACCEPT
 +fi
 +#
 +
 +#------------------------------------------
 +# Allow Weblogin
 +#
 +if [ $ALLOW_WEBLOGIN_IN -eq 1 ]
 +then
 +$IPTABLES -A UDP_IN -p udp -m conntrack --ctstate NEW --dport 2054 -j ACCEPT # weblogin
 +fi
 +#
 +
 +#------------------------------------------
 +# Don't log route packets coming from routers - too much logging
 +#
 +$IPTABLES -A UDP_IN -p udp --dport 520 -m conntrack --ctstate NEW -j DROP
 +#
 +
 +#------------------------------------------
 +# Block DDOS - Fraggle
 +#
 +#$IPTABLES -A UDP_IN -p udp -m pkttype --pkt-type broadcast -m limit --limit $LIMIT_LOG --limit-burst $LIMIT_LOG_BURST -j LOG --log-level $LOG_LEVEL --log-prefix "IPT=UDP-IN:Fraggle a=DROP "
 +
 +$IPTABLES -A UDP_IN -p udp -m pkttype --pkt-type broadcast -j DROP
 +#
 +
 +#------------------------------------------
 +# Block DOS - Teardrop
 +#
 +$IPTABLES -A UDP_IN -p udp --fragment -m limit --limit $LIMIT_LOG --limit-burst $LIMIT_LOG_BURST -j LOG --log-level $LOG_LEVEL --log-prefix "IPT=UDP-IN:Teardrop a=DROP "
 +
 +$IPTABLES -A UDP_IN -p udp --fragment -j DROP
 +#
 +
 +#------------------------------------------
 +# Port 0 fingerprint attempt
 +#
 +$IPTABLES -A UDP_IN -p udp --dport 0 -m limit --limit 1/h --limit-burst 1 -j LOG --log-level $LOG_LEVEL --log-prefix "IPT=UDP-IN:finger:0 a=DROP "
 +$IPTABLES -A UDP_IN -p udp --dport 0 -j DROP
 +#
 +
 +#------------------------------------------
 +# Drop the rwho port (513 udp)
 +#
 +$IPTABLES -A UDP_IN -p udp ! -i lo --destination-port 513 -m limit --limit $LIMIT_LOG --limit-burst $LIMIT_LOG_BURST -j LOG --log-level $LOG_LEVEL --log-prefix "IPT=UDP-IN:rwho a=DROP "
 +
 +$IPTABLES -A UDP_IN -p udp ! -i lo --destination-port 513 -m comment --comment "Block rwho port" -j DROP
 +#
 +
 +#------------------------------------------
 +# Separate logging of special portscans/connection attempts
 +#
 +# Port Scanners
 +#
 +if [ $DO_LOG_SCANS -eq 1 ]
 +then
 +$IPTABLES -A UDP_IN -i $INET_IFACE -j SCANS
 +fi
 +#
 +
 +#------------------------------------------
 +# All good, so return
 +#
 +$IPTABLES -A UDP_IN -p udp -j RETURN
 +#
 +
 +#*********************************************************
 +# Create a chain to filter outgoing UDP packets
 +#
 +# This chain is for outbound (to the Internet) udp packets only.
 +#
 +#------------------------------------------
 +# Allow printing using CUPS
 +#
 +if [ $ALLOW_CUPS_OUT -eq 1 ]
 +then
 +$IPTABLES -A UDP_OUT -p udp --dport 631 -m conntrack --ctstate NEW -j ACCEPT # Printing CUPS
 +fi
 +#
 +
 +#------------------------------------------
 +# If DHCP, the initial request is a broadcast.  The response
 +# doesn't exactly match the outbound packet. This explicitly
 +# allow the DHCP ports to alleviate this problem.
 +#
 +# If you receive your dynamic address by a different means, you
 +# can probably comment this line.
 +#
 +if [ $ALLOW_DHCP_BROADCAST_OUT -eq 1 ]
 +then
 +#$IPTABLES -A UDP_OUT -p udp --sport 68 --dport 67 -j ACCEPT
 +$IPTABLES -A UDP_OUT -p udp --sport 67:68 --dport 67:68 -j ACCEPT
 +fi
 +#
 +
 +#------------------------------------------
 +# Allow DNS
 +#
 +if [ $ALLOW_DNS_OUT -eq 1 ]
 +then
 +$IPTABLES -A UDP_OUT -p udp --dport 53 -j ACCEPT
 +
 +#$IPTABLES -A UDP_OUT -p udp --dport 53 -m conntrack --ctstate NEW -j ACCEPT # DNS
 +
 +#$IPTABLES -A UDP_OUT -p udp -o $INET_IFACE -d $INET_IP -m conntrack --ctstate NEW,ESTABLISHED --dport 53 -j ACCEPT
 +
 +
 +#$IPTABLES -A UDP_OUT -p udp -o $INET_IFACE --dport 53 -j ACCEPT
 +#$IPTABLES -A UDP_OUT -p tcp -o $INET_IFACE --dport 53 -j ACCEPT
 +#$IPTABLES -A UDP_OUT -p udp -o $INET_IFACE --dport 53 -m state --state ESTABLISHED -j ACCEPT
 +#$IPTABLES -A UDP_OUT -p tcp -o $INET_IFACE --dport 53 -m state --state ESTABLISHED -j ACCEPT
 +
 +#$IPTABLES -A UDP_OUT -p udp -o $INET_IFACE --dport 53 -j ACCEPT
 +fi
 +#
 +
 +#------------------------------------------
 +# Allow NTP Time to setup the Date/Time from NTP Server
 +#
 +if [ $ALLOW_NTP_OUT -eq 1 ]
 +then
 +$IPTABLES -A UDP_OUT -p udp --dport 123 -m conntrack --ctstate NEW -j ACCEPT
 +fi
 +#
 +
 +#------------------------------------------
 +# Allow SAMBA
 +#
 +if [ $ALLOW_SAMBA_OUT -eq 1 ]
 +then
 +#$IPTABLES -A TCP_OUT -p tcp -o $INET_IFACE -m multiport --sports 135,137,138,139,445,1433,1434 -m conntrack --ctstate NEW -j ACCEPT
 +#$IPTABLES -A UDP_OUT -p udp -o $INET_IFACE -m multiport --sports 135,137,138,139,445,1433,1434 -m conntrack --ctstate NEW -j ACCEPT
 +#
 +#$IPTABLES -A TCP_OUT -p tcp -o $INET_IFACE -m multiport --dports 135,137,138,139,445,1433,1434 -m conntrack --ctstate NEW -j ACCEPT
 +$IPTABLES -A UDP_OUT -p udp -o $INET_IFACE -m multiport --dports 135,137,138,139,445,1433,1434 -m conntrack --ctstate NEW -j ACCEPT
 +fi
 +#
 +
 +#------------------------------------------
 +# Allow TRACEROUTE
 +#
 +if [ $ALLOW_TRACEROUTE_OUT -eq 1 ]
 +then
 +$IPTABLES -A UDP_OUT -p udp --sport $PORTS_TRACEROUTE_SRC --dport $PORTS_TRACEROUTE_DEST -m conntrack --ctstate NEW -j ACCEPT
 +fi
 +#
 +
 +#------------------------------------------
 +# All good, so return
 +#
 +$IPTABLES -A UDP_OUT -p udp -j RETURN
 +#
 +
 +#*********************************************************
 +# Create a chain to filter incoming TCP packets
 +#
 +# Applied to INPUT on the external or Internet interface.
 +#
 +
 +#------------------------------------------
 +# Stealth TCP ports.
 +#
 +# A quick and dirty way is to drop all tcp syn packets.
 +# This way you're virtually undetectable to portscanners.
 +# Basically, you're dropping all TCP packets that weren't initiated by your local computer/network.
 +#
 +if [ $DO_STEALTH_ALL_IN -eq 1 ]
 +then
 +$IPTABLES -A TCP_IN -p tcp -i $INET_IFACE --syn -j DROP
 +#
 +# I've noticed that this doesn't kill port 0 & 1 for some reason, so those have to be turned off as well.
 +#
 +$IPTABLES -A TCP_IN -p tcp -i $INET_IFACE --dport 0 -j DROP
 +$IPTABLES -A TCP_IN -p tcp -i $INET_IFACE --dport 1 -j DROP
 +fi
 +#
 +
 +#------------------------------------------
 +# Ident - Silently reject Ident
 +#
 +# Dont DROP ident, because of possible delays when establishing an outbound connection
 +#
 +#$IPTABLES -A TCP_IN -p tcp -m tcp --dport 113 -j REJECT --reject-with tcp-reset
 +#$IPTABLES -A TCP_IN -p tcp --dport 113 -j REJECT --reject-with icmp-port-unreachable
 +#$IPTABLES -A TCP_IN -p tcp -m conntrack --ctstate NEW --dport 113 -m recent --name "relationship" --rcheck --seconds 60 -j REJECT --reject-with icmp-port-unreachable
 +$IPTABLES -A TCP_IN -p tcp -m conntrack --ctstate NEW --dport 113 -m recent --name "IDENT" --rcheck --seconds 60 -j REJECT --reject-with icmp-port-unreachable
 +#
 +
 +#------------------------------------------
 +# Allow BitTorrent
 +#
 +if [ $ALLOW_BITTORRENT_IN -eq 1 ]
 +then
 +$IPTABLES -A TCP_IN -p tcp -m conntrack --ctstate NEW --dport 6881 -j ACCEPT # BitTorrent
 +fi
 +#
 +
 +#------------------------------------------
 +# Allow printing using CUPS
 +#
 +if [ $ALLOW_CUPS_IN -eq 1 ]
 +then
 +$IPTABLES -A TCP_IN -p tcp -m conntrack --ctstate NEW --dport 631 -j ACCEPT # Printing CUPS
 +fi
 +#
 +
 +#------------------------------------------
 +# Allow CVS IN
 +#
 +if [ $ALLOW_CVS_IN -eq 1 ]
 +then
 +$IPTABLES -A TCP_IN -p tcp -m conntrack --ctstate NEW --dport 2401 -j ACCEPT # CVS
 +fi
 +#
 +
 +#------------------------------------------
 +# Allow DHCP Broadcast
 +#
 +if [ $ALLOW_DHCP_BROADCAST_IN -eq 1 ]
 +then
 +#$IPTABLES -A TCP_IN -p tcp --sport 68 --dport 67 -j ACCEPT
 +$IPTABLES -A TCP_IN -p tcp --sport 67:68 --dport 67:68 -j ACCEPT
 +fi
 +#
 +
 +#------------------------------------------
 +# Allow DNS
 +#
 +if [ $ALLOW_DNS_IN -eq 1 ]
 +then
 +$IPTABLES -A TCP_IN -p tcp --dport 53 -j ACCEPT # DNS
 +
 +#$IPTABLES -A TCP_IN -p tcp -m conntrack --ctstate NEW --sport 53 -j ACCEPT # DNS
 +#$IPTABLES -A TCP_IN -p tcp -m conntrack --ctstate NEW --dport 53 -j ACCEPT # DNS
 +#$IPTABLES -A TCP_IN -p tcp -i $INET_IFACE -s $INET_IP -m conntrack --ctstate ESTABLISHED --sport 53 -j ACCEPT
 +#$IPTABLES -A TCP_IN -p tcp -i $INET_IFACE -d $INET_IP -m conntrack --ctstate ESTABLISHED --sport 53 -j ACCEPT
 +
 +#$IPTABLES -A TCP_IN -p tcp --dport 953 -j ACCEPT    # dns internal
 +fi
 +#
 +
 +#------------------------------------------
 +# Allow FTP
 +#
 +if [ $ALLOW_FTP_IN -eq 1 ]
 +then
 +# When you attempt to use ftp on these settings, it stops when enter the PASV
 +# mode. At PASV mode, after establish the connection with port 21, client
 +# appoints >1024 port so that this becomes new connection and is rejected.
 +# You need to have been loaded ip_conntrack_ftp module to use ftp in PASV mode.
 +# Add one line above ip_conntrack ip_conntrack_ftp to /etc/modules.conf then
 +# it is loaded at boot up and ftp will be possible to use.
 +#
 +$IPTABLES -A TCP_IN -p tcp -m conntrack --ctstate NEW --dport 20 -j ACCEPT # ftp-data
 +$IPTABLES -A TCP_IN -p tcp -m conntrack --ctstate NEW --dport 21 -j ACCEPT # ftp
 +fi
 +#
 +
 +#------------------------------------------
 +# Allow HTTP
 +#
 +if [ $ALLOW_HTTP_IN -eq 1 ]
 +then
 +$IPTABLES -A TCP_IN -p tcp -m conntrack --ctstate NEW --dport 80 -j ACCEPT # http
 +fi
 +#
 +
 +#------------------------------------------
 +# Allow HTTPS
 +#
 +if [ $ALLOW_HTTPS_IN -eq 1 ]
 +then
 +$IPTABLES -A TCP_IN -p tcp -m conntrack --ctstate NEW --dport 443 -j ACCEPT # https
 +fi
 +#
 +
 +#------------------------------------------
 +# Allow IMAP
 +#
 +if [ $ALLOW_IMAP_IN -eq 1 ]
 +then
 +$IPTABLES -A TCP_IN -p tcp -m conntrack --ctstate NEW --dport 143 -j ACCEPT # imap
 +fi
 +#
 +
 +#------------------------------------------
 +# Allow IMAPS
 +#
 +if [ $ALLOW_IMAPS_IN -eq 1 ]
 +then
 +$IPTABLES -A TCP_IN -p tcp -m conntrack --ctstate NEW --dport 993 -j ACCEPT # imap
 +fi
 +#
 +
 +#------------------------------------------
 +# Allow MySQL
 +#
 +if [ $ALLOW_MYSQL_IN -eq 1 ]
 +then
 +$IPTABLES -A TCP_IN -p tcp -m conntrack --ctstate NEW --dport 3306 -j ACCEPT # MySQL
 +fi
 +#
 +
 +#------------------------------------------
 +# Allow NC
 +#
 +if [ $ALLOW_NC_IN -eq 1 ]
 +then
 +$IPTABLES -A TCP_IN -p tcp -m conntrack --ctstate NEW --dport 2030 -j ACCEPT # NC
 +fi
 +#
 +
 +#------------------------------------------
 +# Allow NFS
 +#
 +if [ $ALLOW_NFS_IN -eq 1 ]
 +then
 +$IPTABLES -A TCP_IN -p tcp -m conntrack --ctstate NEW --dport 2049 -j ACCEPT # NFS
 +fi
 +#
 +
 +#------------------------------------------
 +# Allow NTP
 +#
 +if [ $ALLOW_NTP_IN -eq 1 ]
 +then
 +$IPTABLES -A TCP_IN -p tcp -m conntrack --ctstate NEW --dport 123 -j ACCEPT # ntp
 +fi
 +#
 +
 +#------------------------------------------
 +# Allow NNTP
 +#
 +if [ $ALLOW_NNTP_IN -eq 1 ]
 +then
 +$IPTABLES -A TCP_IN -p tcp -m conntrack --ctstate NEW --dport 119 -j ACCEPT # nntp
 +fi
 +#
 +
 +#------------------------------------------
 +# Allow PLESK
 +#
 +if [ $ALLOW_PLESK_IN -eq 1 ]
 +then
 +$IPTABLES -A TCP_IN -p tcp -m conntrack --ctstate NEW --dport 8443 -j ACCEPT # PLESK https
 +$IPTABLES -A TCP_IN -p tcp -m conntrack --ctstate NEW --dport 8880 -j ACCEPT # PLESK http
 +fi
 +#
 +
 +#------------------------------------------
 +# Allow PLEX
 +#
 +if [ $ALLOW_PLEX_IN -eq 1 ]
 +then
 +$IPTABLES -A TCP_IN -p tcp -m conntrack --ctstate NEW --dport $PORTS_PLEX -j ACCEPT # PLEX
 +fi
 +#
 +
 +#------------------------------------------
 +# Allow POP3
 +#
 +if [ $ALLOW_POP3_IN -eq 1 ]
 +then
 +$IPTABLES -A TCP_IN -p tcp -m conntrack --ctstate NEW --dport 110 -j ACCEPT # POP-3
 +fi
 +#
 +
 +#------------------------------------------
 +# Allow POP3S
 +#
 +if [ $ALLOW_POP3S_IN -eq 1 ]
 +then
 +$IPTABLES -A TCP_IN -p tcp -m conntrack --ctstate NEW --dport 995 -j ACCEPT # POP-3S
 +fi
 +#
 +
 +#------------------------------------------
 +# Allow POSTGRESQL
 +#
 +if [ $ALLOW_POSTGRESQL_IN -eq 1 ]
 +then
 +$IPTABLES -A TCP_IN -p tcp -m conntrack --ctstate NEW --dport 5432 -j ACCEPT # PostgreSQL
 +fi
 +#
 +
 +#------------------------------------------
 +# Allow SAMBA
 +#
 +if [ $ALLOW_SAMBA_IN -eq 1 ]
 +then
 +$IPTABLES -A TCP_IN -p tcp -i $INET_IFACE -m conntrack --ctstate NEW -m multiport --dports 135,137,138,139,445,1433,1434 -j ACCEPT
 +#$IPTABLES -A UDP_IN -p udp -i $INET_IFACE -m conntrack --ctstate NEW -m multiport --dports 135,137,138,139,445,1433,1434 -j ACCEPT
 +#$IPTABLES -A TCP_IN -p tcp -m conntrack --ctstate NEW --sport $PORTS_TRACEROUTE_SRC --dport $PORTS_TRACEROUTE_DEST -j ACCEPT
 +fi
 +#
 +
 +#------------------------------------------
 +# Allow SMTP
 +#
 +if [ $ALLOW_SMTP_IN -eq 1 ]
 +then
 +$IPTABLES -A TCP_IN -p tcp -m conntrack --ctstate NEW --dport 25 -j ACCEPT # smtp
 +fi
 +#
 +
 +#------------------------------------------
 +# Allow SMTPS
 +#
 +if [ $ALLOW_SMTPS_IN -eq 1 ]
 +then
 +$IPTABLES -A TCP_IN -p tcp -m conntrack --ctstate NEW --dport 465 -j ACCEPT # smtps
 +fi
 +#
 +
 +#------------------------------------------
 +# Allow SSH
 +#
 +if [ $ALLOW_SSH_IN -eq 1 ]
 +then
 +# Allow three port 22 connections from any given IP address within a
 +# 60 second period, and requires 60 seconds of no subsequent connection
 +# attempts before it will resume allowing connections again.
 +#
 +# The --rttl option also takes into account the TTL of the datagram
 +# when matching packets, so as to endeavour to mitigate against spoofed
 +# source addresses.
 +#
 +# Does not not stop any established SSH connections from the host that has made too many SSH connections in a short period of time, and allows for whitelisting.
 +#
 +# Linux kernel will maintain a list of portscan IPs which can be accessed at the location /proc/net/ipt_recent/SSH.
 +#
 +$IPTABLES -A TCP_IN -p tcp -m conntrack --ctstate NEW --dport 22 -m recent --set --name SSH
 +$IPTABLES -A TCP_IN -p tcp -m conntrack --ctstate NEW --dport 22 -m recent --update --seconds 60 --hitcount 4 --rttl --name SSH -j LOG --log-prefix "IPT=SSH:Brute a=DROP "
 +$IPTABLES -A TCP_IN -p tcp -m conntrack --ctstate NEW --dport 22 -m recent --update --seconds 60 --hitcount 4 --rttl --name SSH -j DROP
 +
 +$IPTABLES -A TCP_IN -p tcp -m conntrack --ctstate NEW --dport 22 -j ACCEPT
 +fi
 +#
 +
 +#------------------------------------------
 +# Allow Squid
 +#
 +if [ $ALLOW_SQUID_IN -eq 1 ]
 +then
 +$IPTABLES -A TCP_IN -p tcp -m conntrack --ctstate NEW --dport 3128 -j ACCEPT # SQUID proxy
 +fi
 +#
 +
 +#------------------------------------------
 +# Allow Submission
 +# (RFC 2476)
 +#
 +if [ $ALLOW_SUBMISSION_IN -eq 1 ]
 +then
 +$IPTABLES -A TCP_IN -p tcp -m conntrack --ctstate NEW --dport 587 -j ACCEPT # Submission (RFC 2476)
 +fi
 +#
 +
 +#------------------------------------------
 +# Allow SVN
 +#
 +if [ $ALLOW_SVN_IN -eq 1 ]
 +then
 +$IPTABLES -A TCP_IN -p tcp -m conntrack --ctstate NEW --dport 3690 -j ACCEPT # SVN
 +fi
 +#
 +
 +#------------------------------------------
 +# Allow Telnet
 +#
 +if [ $ALLOW_TELNET_IN -eq 1 ]
 +then
 +$IPTABLES -A TCP_IN -p tcp -m conntrack --ctstate NEW --dport 23 -j ACCEPT # telnet
 +fi
 +
 +#------------------------------------------
 +# Allow Weblogin
 +#
 +if [ $ALLOW_WEBLOGIN_IN -eq 1 ]
 +then
 +$IPTABLES -A TCP_IN -p tcp -m conntrack --ctstate NEW --dport 2054 -j ACCEPT # weblogin
 +fi
 +
 +#------------------------------------------
 +# Allow XWindows
 +#
 +if [ $ALLOW_XWINDOWS_IN -eq 1 ]
 +then
 +$IPTABLES -A TCP_IN -p tcp -m conntrack --ctstate NEW --dport 6000:6009 -j ACCEPT # XWindows
 +fi
 +#
 +
 +#------------------------------------------
 +# Allow XWindows Font Server
 +if [ $ALLOW_XWINDOWS_FONTSERVER_IN -eq 1 ]
 +then
 +$IPTABLES -A TCP_IN -p tcp -m conntrack --ctstate NEW --dport 7100 -j ACCEPT # XWindows Font Server
 +fi
 +#
 +
 +#------------------------------------------
 +# Separate logging of special portscans/connection attempts
 +#
 +# Port Scanners
 +#
 +if [ $DO_LOG_SCANS -eq 1 ]
 +then
 +$IPTABLES -A TCP_IN -i $INET_IFACE -j SCANS
 +fi
 +#
 +
 +#------------------------------------------
 +# *only accept traffic for TCP port # 8080 from mac 00:0F:EA:91:04:07 * ##
 +#
 +# iptables -A TCP_IN -p tcp --destination-port 22 -m mac --mac-source 00:0F:EA:91:04:07 -j ACCEPT
 +#
 +
 +#------------------------------------------
 +# Allow unpriviledged ports
 +#
 +##$IPTABLES -A TCP_IN -p tcp -m tcp --dport $PORTS_UNPRIV -m state --state RELATED -j ACCEPT
 +#
 +
 +#------------------------------------------
 +# All good, so return
 +#
 +$IPTABLES -A TCP_IN -p tcp -j RETURN
 +#
 +
 +#*********************************************************
 +# Create a chain to filter outgoing TCP packets
 +#
 +# Applied to OUTPUT on the external or Internet interface.
 +#
 +
 +#------------------------------------------
 +# Ident - Silently reject Ident
 +#
 +# Dont DROP ident, because of possible delays when establishing an outbound connection
 +#
 +#$IPTABLES -A TCP_OUT -p tcp -o $INET_IFACE --sport 113 -j REJECT --reject-with tcp-reset
 +#$IPTABLES -A TCP_OUT -p tcp -o $INET_IFACE --sport 113 -j REJECT --reject-with icmp-port-unreachable
 +$IPTABLES -A TCP_OUT -p tcp -o $INET_IFACE -s $INET_IP -d $INET_GW --dport 113 -j ACCEPT
 +$IPTABLES -A TCP_OUT -p tcp -o $INET_IFACE -s $INET_IP --dport 113 -j ACCEPT
 +#$IPTABLES -A TCP_OUT -p tcp -o $INET_IFACE -m recent --name "relationship" --rdest --set
 +$IPTABLES -A TCP_OUT -p tcp -o $INET_IFACE -m recent --name "IDENT" --rdest --set
 +#
 +
 +#------------------------------------------
 +# Public services running ON Server
 +#
 +# Allow printing using CUPS
 +#
 +if [ $ALLOW_CUPS_OUT -eq 1 ]
 +then
 +$IPTABLES -A TCP_OUT -p tcp -m conntrack --ctstate NEW --dport 631 -j ACCEPT # Printing CUPS
 +fi
 +#
 +
 +#------------------------------------------
 +# Allow CVS
 +#
 +if [ $ALLOW_CVS_OUT -eq 1 ]
 +then
 +$IPTABLES -A TCP_OUT -p tcp -m conntrack --ctstate NEW --dport 2401 -j ACCEPT # CVS
 +fi
 +#
 +
 +#------------------------------------------
 +# Allow DHCP Broadcast
 +#
 +if [ $ALLOW_DHCP_BROADCAST_OUT -eq 1 ]
 +then
 +#$IPTABLES -A TCP_OUT -p tcp --sport 68 --dport 67 -j ACCEPT
 +$IPTABLES -A TCP_OUT -p tcp --sport 67:68 --dport 67:68 -j ACCEPT
 +fi
 +#
 +
 +#------------------------------------------
 +# Allow DNS
 +#
 +if [ $ALLOW_DNS_OUT -eq 1 ]
 +then
 +$IPTABLES -A TCP_OUT -p tcp --dport 53 -j ACCEPT
 +#$IPTABLES -A TCP_OUT -p tcp -m conntrack --ctstate NEW --dport 53 -j ACCEPT # DNS
 +#$IPTABLES -A TCP_OUT -p tcp -o $INET_IFACE -d $INET_IP -m conntrack --ctstate NEW,ESTABLISHED --dport 53 -j ACCEPT
 +#$IPTABLES -A TCP_OUT -p tcp --dport 53 -j ACCEPT
 +fi
 +#
 +
 +#------------------------------------------
 +# Allow FTP
 +#
 +if [ $ALLOW_FTP_OUT -eq 1 ]
 +then
 +$IPTABLES -A TCP_OUT -p tcp -m conntrack --ctstate NEW --dport 20 -j ACCEPT # ftp-data
 +$IPTABLES -A TCP_OUT -p tcp -m conntrack --ctstate NEW --dport 21 -j ACCEPT # ftp
 +fi
 +#
 +
 +#------------------------------------------
 +# Allow HTTP
 +#
 +if [ $ALLOW_HTTP_OUT -eq 1 ]
 +then
 +$IPTABLES -A TCP_OUT -p tcp -m conntrack --ctstate NEW --dport 80 -j ACCEPT # http
 +$IPTABLES -A TCP_OUT -p tcp -o INET_IFACE --sport 80 -m state --state ESTABLISHED -j ACCEPT
 +fi
 +#
 +
 +#------------------------------------------
 +# Allow HTTPS
 +#
 +if [ $ALLOW_HTTPS_OUT -eq 1 ]
 +then
 +$IPTABLES -A TCP_OUT -p tcp -m conntrack --ctstate NEW --dport 443 -j ACCEPT # https
 +fi
 +#
 +
 +#------------------------------------------
 +# Allow IMAP
 +#
 +if [ $ALLOW_IMAP_OUT -eq 1 ]
 +then
 +$IPTABLES -A TCP_OUT -p tcp -m conntrack --ctstate NEW --dport 143 -j ACCEPT # imap
 +fi
 +#
 +
 +#------------------------------------------
 +# Allow IMAPS
 +#
 +if [ $ALLOW_IMAPS_OUT -eq 1 ]
 +then
 +$IPTABLES -A TCP_OUT -p tcp -m conntrack --ctstate NEW --dport 993 -j ACCEPT # IMAPS
 +fi
 +#
 +
 +#------------------------------------------
 +# Allow IRC
 +#
 +# This usually needs the ip_conntrack_irc kernel module.
 +#
 +if [ $ALLOW_IRC_OUT -eq 1 ]
 +then
 +$IPTABLES -A TCP_OUT -p tcp -m conntrack --ctstate NEW --dport 6667 -j ACCEPT # IRC
 +#$IPTABLES -A OUTPUT -m state --state NEW -p tcp --dport 6667 -j ACCEPT
 +fi
 +#
 +
 +#------------------------------------------
 +# Allow MySQL
 +#
 +if [ $ALLOW_MYSQL_OUT -eq 1 ]
 +then
 +$IPTABLES -A TCP_OUT -p tcp -m conntrack --ctstate NEW --dport 3306 -j ACCEPT # MySQL
 +fi
 +
 +#------------------------------------------
 +# Allow NFS
 +#
 +if [ $ALLOW_NFS_OUT -eq 1 ]
 +then
 +$IPTABLES -A TCP_OUT -p tcp -m conntrack --ctstate NEW --dport 2049 -j ACCEPT # NFS
 +fi
 +#
 +
 +#------------------------------------------
 +# Allow NTP
 +#
 +if [ $ALLOW_NTP_OUT -eq 1 ]
 +then
 +$IPTABLES -A TCP_OUT -p tcp -m conntrack --ctstate NEW --dport 123 -j ACCEPT # NTP
 +fi
 +#
 +
 +#------------------------------------------
 +# Allow NNTP
 +#
 +if [ $ALLOW_NNTP_OUT -eq 1 ]
 +then
 +$IPTABLES -A TCP_OUT -p tcp -m conntrack --ctstate NEW --dport 119 -j ACCEPT # NNTP
 +fi
 +#
 +
 +#------------------------------------------
 +# Allow OPENVPN
 +#
 +if [ $ALLOW_OPENVPN_OUT -eq 1 ]
 +then
 +$IPTABLES -A TCP_OUT -p tcp -m conntrack --ctstate NEW --dport 1194 -j ACCEPT # OPENVPN
 +fi
 +#
 +
 +#------------------------------------------
 +# Allow PLESK
 +#
 +if [ $ALLOW_PLESK_OUT -eq 1 ]
 +then
 +$IPTABLES -A TCP_OUT -p tcp -m conntrack --ctstate NEW --dport 8443 -j ACCEPT # PLESK https
 +$IPTABLES -A TCP_OUT -p tcp -m conntrack --ctstate NEW --dport 8880 -j ACCEPT # PLESK http
 +fi
 +#
 +
 +#------------------------------------------
 +# Allow PLEX
 +#
 +if [ $ALLOW_PLEX_OUT -eq 1 ]
 +then
 +$IPTABLES -A TCP_OUT -p tcp -m conntrack --ctstate NEW --dport $PORTS_PLEX -j ACCEPT # PLEX
 +fi
 +#
 +
 +#------------------------------------------
 +# Allow POP3
 +#
 +if [ $ALLOW_POP3_OUT -eq 1 ]
 +then
 +$IPTABLES -A TCP_OUT -p tcp -m conntrack --ctstate NEW --dport 110 -j ACCEPT # POP-3
 +fi
 +#
 +
 +#------------------------------------------
 +# Allow POP3S
 +#
 +if [ $ALLOW_POP3S_OUT -eq 1 ]
 +then
 +$IPTABLES -A TCP_OUT -p tcp -m conntrack --ctstate NEW --dport 995 -j ACCEPT # POP-3S
 +fi
 +#
 +
 +#------------------------------------------
 +# Allow POSTGRESQL
 +#
 +if [ $ALLOW_POSTGRESQL_OUT -eq 1 ]
 +then
 +$IPTABLES -A TCP_OUT -p tcp -m conntrack --ctstate NEW --dport 5432 -j ACCEPT # PostgreSQL
 +fi
 +#
 +
 +#------------------------------------------
 +# Allow RWHOIS
 +#
 +if [ $ALLOW_RWHOIS_OUT -eq 1 ]
 +then
 +$IPTABLES -A TCP_OUT -p tcp -m conntrack --ctstate NEW --dport 4321 -j ACCEPT # RWHOIS
 +fi
 +#
 +
 +#------------------------------------------
 +# Allow SAMBA
 +#
 +if [ $ALLOW_SAMBA_OUT -eq 1 ]
 +then
 +#$IPTABLES -A TCP_OUT -p tcp -o $INET_IFACE -m multiport --sports 135,137,138,139,445,1433,1434 -m conntrack --ctstate NEW -j ACCEPT
 +#$IPTABLES -A UDP_OUT -p udp -o $INET_IFACE -m multiport --sports 135,137,138,139,445,1433,1434 -m conntrack --ctstate NEW -j ACCEPT
 +
 +$IPTABLES -A TCP_OUT -p tcp -o $INET_IFACE -m multiport --dports 135,137,138,139,445,1433,1434 -m conntrack --ctstate NEW -j ACCEPT
 +#$IPTABLES -A UDP_OUT -p udp -o $INET_IFACE -m multiport --dports 135,137,138,139,445,1433,1434 -m conntrack --ctstate NEW -j ACCEPT
 +fi
 +#
 +
 +#------------------------------------------
 +# Allow SMTP
 +#
 +if [ $ALLOW_SMTP_OUT -eq 1 ]
 +then
 +$IPTABLES -A TCP_OUT -p tcp -m conntrack --ctstate NEW --dport 25 -j ACCEPT # smtp
 +#$IPTABLES -A TCP_OUT -p tcp -m conntrack --ctstate NEW --sport 25 -j ACCEPT # smtp
 +fi
 +#
 +
 +#------------------------------------------
 +# Allow outgoing SMTPS requests. Do NOT allow unencrypted SMTP!
 +#
 +if [ $ALLOW_SMTPS_OUT -eq 1 ]
 +then
 +$IPTABLES -A TCP_OUT -p tcp -m conntrack --ctstate NEW --dport 465 -j ACCEPT # smtps
 +#$IPTABLES -A TCP_OUT -p tcp -m conntrack --ctstate NEW --sport 465 -j ACCEPT # smtps
 +fi
 +#
 +
 +#------------------------------------------
 +# Allow SOCKS5
 +#
 +if [ $ALLOW_SOCKS5_OUT -eq 1 ]
 +then
 +$IPTABLES -A TCP_OUT -p tcp -m conntrack --ctstate NEW --dport 1080 -j ACCEPT # SOCKS5
 +fi
 +#
 +
 +#------------------------------------------
 +# Allow SSH
 +#
 +if [ $ALLOW_SSH_OUT -eq 1 ]
 +then
 +# Allow three port 22 connections from any given IP address within a
 +# 60 second period, and requires 60 seconds of no subsequent connection
 +# attempts before it will resume allowing connections again.
 +#
 +# The --rttl option also takes into account the TTL of the datagram
 +# when matching packets, so as to endeavour to mitigate against spoofed
 +# source addresses.
 +#
 +# Does not not stop any established SSH connections from the host
 +# that has made too many SSH connections in a short period of time,
 +# and allows for whitelisting.
 +#
 +#$IPTABLES -A TCP_OUT -p tcp -m conntrack --ctstate NEW --dport 22 -m recent --set --name SSH
 +##$IPTABLES -A TCP_OUT -p tcp -m conntrack --ctstate NEW --dport 22 -j WHITELIST_SSH
 +#$IPTABLES -A TCP_OUT -p tcp -m conntrack --ctstate NEW --dport 22 -m recent --update --seconds 60 --hitcount 4 --rttl --name SSH -j LOG --log-prefix "IPT=SSH:OUT:Brute a=DROP "
 +#$IPTABLES -A TCP_OUT -p tcp -m conntrack --ctstate NEW --dport 22 -m recent --update --seconds 60 --hitcount 4 --rttl --name SSH -j DROP
 +
 +
 +$IPTABLES -A TCP_OUT -p tcp -m conntrack --ctstate NEW --dport 22 -m recent --set --name SSH
 +$IPTABLES -A TCP_OUT -p tcp -m conntrack --ctstate NEW --dport 22 -m recent --update --seconds 60 --hitcount 4 --rttl --name SSH -j LOG --log-prefix "IPT=SSH:OUT:Brute a=DROP "
 +$IPTABLES -A TCP_OUT -p tcp -m conntrack --ctstate NEW --dport 22 -m recent --update --seconds 60 --hitcount 4 --rttl --name SSH -j DROP
 +
 +$IPTABLES -A TCP_OUT -p tcp -m conntrack --ctstate NEW --dport 22 -j ACCEPT
 +fi
 +#
 +
 +#------------------------------------------
 +# Allow Squid
 +#
 +if [ $ALLOW_SQUID_OUT -eq 1 ]
 +then
 +$IPTABLES -A TCP_OUT -p tcp -m conntrack --ctstate NEW --dport 3128 -j ACCEPT # SQUID proxy
 +fi
 +#
 +
 +#------------------------------------------
 +# Allow Submission
 +# (RFC 2476)
 +#
 +if [ $ALLOW_SUBMISSION_OUT -eq 1 ]
 +then
 +$IPTABLES -A TCP_OUT -p tcp -m conntrack --ctstate NEW --dport 587 -j ACCEPT # Submission (RFC 2476)
 +fi
 +#
 +
 +#------------------------------------------
 +# Allow SVN
 +#
 +if [ $ALLOW_SVN_OUT -eq 1 ]
 +then
 +$IPTABLES -A TCP_OUT -p tcp -m conntrack --ctstate NEW --dport 3690 -j ACCEPT # SVN
 +fi
 +#
 +
 +#------------------------------------------
 +# Allow Telnet
 +#
 +if [ $ALLOW_TELNET_OUT -eq 1 ]
 +then
 +$IPTABLES -A TCP_OUT -p tcp -m conntrack --ctstate NEW --dport 23 -j ACCEPT # telnet
 +fi
 +#
 +
 +#------------------------------------------
 +# Allow TOR
 +# (http://tor.eff.org)
 +#
 +if [ $ALLOW_TOR_OUT -eq 1 ]
 +then
 +$IPTABLES -A TCP_OUT -p tcp -m conntrack --ctstate NEW --dport $PORTS_TOR -j ACCEPT # tor
 +fi
 +#
 +
 +#------------------------------------------
 +# Allow WHOIS
 +#
 +if [ $ALLOW_WHOIS_OUT -eq 1 ]
 +then
 +$IPTABLES -A TCP_OUT -p tcp -m conntrack --ctstate NEW --dport 43 -j ACCEPT # WHOIS
 +fi
 +#
 +
 +#------------------------------------------
 +# Allow unpriviledged ports
 +#
 +##$IPTABLES -A TCP_OUT -p tcp -m tcp -o $INET_IFACE -s $INET_IP --sport $PORTS_UNPRIV -j ACCEPT
 +#
 +
 +#------------------------------------------
 +# All good, so return
 +#
 +$IPTABLES -A TCP_OUT -p tcp -j RETURN
 +#
 +
 +#*********************************************************
 +# Create a chain to filter known SCANS
 +# Applied to INPUT on the external or Internet interface.
 +#
 +# Trojan portscan, special services, etc
 +#
 +if [ $DO_LOG_SCANS -eq 1 ]
 +then
 +
 +#------------------------------------------
 +# Deepthroat scan
 +#
 +$IPTABLES -A SCANS -i $INET_IFACE -p tcp --dport 6670 -m limit --limit $LIMIT_LOG --limit-burst $LIMIT_LOG_BURST -j LOG --log-level $LOG_LEVEL --log-prefix "IPT=Deepthroat a=DROP "
 +
 +$IPTABLES -A SCANS -p tcp --dport 6670 -j DROP
 +#
 +
 +#------------------------------------------
 +# Subseven scan
 +#
 +$IPTABLES -A SCANS -i $INET_IFACE -p tcp --dport 1243 -m limit --limit $LIMIT_LOG --limit-burst $LIMIT_LOG_BURST -j LOG --log-level $LOG_LEVEL --log-prefix "IPT=Subseven:1 a=DROP "
 +
 +$IPTABLES -A SCANS -p tcp --dport 1243 -j DROP
 +#
 +$IPTABLES -A SCANS -i $INET_IFACE -p udp --dport 1243 -m limit --limit $LIMIT_LOG --limit-burst $LIMIT_LOG_BURST -j LOG --log-level $LOG_LEVEL --log-prefix "IPT=Subseven:2 a=DROP "
 +
 +$IPTABLES -A SCANS -p udp --dport 1243 -j DROP
 +#
 +$IPTABLES -A SCANS -i $INET_IFACE -p tcp --dport 27374 -m limit --limit $LIMIT_LOG --limit-burst $LIMIT_LOG_BURST -j LOG --log-level $LOG_LEVEL --log-prefix "IPT=Subseven:3 a=DROP "
 +
 +$IPTABLES -A SCANS -p tcp --dport 27374 -j DROP
 +
 +$IPTABLES -A SCANS -i $INET_IFACE -p udp --dport 27374 -m limit --limit $LIMIT_LOG --limit-burst $LIMIT_LOG_BURST -j LOG --log-level $LOG_LEVEL --log-prefix "IPT=Subseven:4 a=DROP "
 +
 +$IPTABLES -A SCANS -p udp --dport 27374 -j DROP
 +#
 +$IPTABLES -A SCANS -i $INET_IFACE -p tcp --dport 6711:6713 -m limit --limit $LIMIT_LOG --limit-burst $LIMIT_LOG_BURST -j LOG --log-level $LOG_LEVEL --log-prefix "IPT=Subseven:5 a=DROP "
 +
 +$IPTABLES -A SCANS -p tcp --dport 6711:6713 -j DROP
 +#
 +
 +#------------------------------------------
 +# Netbus scan
 +#
 +$IPTABLES -A SCANS -i $INET_IFACE -p tcp --dport 12345:12346 -m limit --limit $LIMIT_LOG --limit-burst $LIMIT_LOG_BURST -j LOG --log-level $LOG_LEVEL --log-prefix "IPT=Netbus:1 a=DROP "
 +
 +$IPTABLES -A SCANS -p tcp --dport 12345:12346 -j DROP
 +#
 +$IPTABLES -A SCANS -i $INET_IFACE -p tcp --dport 20034 -m limit --limit $LIMIT_LOG --limit-burst $LIMIT_LOG_BURST -j LOG --log-level $LOG_LEVEL --log-prefix "IPT=Netbus:2 a=DROP "
 +
 +$IPTABLES -A SCANS -p tcp --dport 20034 -j DROP
 +#
 +
 +#------------------------------------------
 +# Back Oriface scan
 +#
 +$IPTABLES -A SCANS -i $INET_IFACE -p udp --dport 31337:31338 -m limit --limit $LIMIT_LOG --limit-burst $LIMIT_LOG_BURST -j LOG --log-level $LOG_LEVEL --log-prefix "IPT=Back-Orifice a=DROP "
 +
 +$IPTABLES -A SCANS -p udp --dport 31337:31338 -j DROP
 +#
 +
 +#------------------------------------------
 +# X-Win scan
 +#
 +$IPTABLES -A SCANS -i $INET_IFACE -p tcp --dport $PORTS_XWIN -m limit --limit $LIMIT_LOG --limit-burst $LIMIT_LOG_BURST -j LOG --log-level $LOG_LEVEL --log-prefix "IPT=X-Win a=DROP "
 +
 +$IPTABLES -A SCANS -p tcp --dport $PORTS_XWIN -j DROP
 +#
 +
 +#------------------------------------------
 +# Hack'a'Tack 2000
 +#
 +$IPTABLES -A SCANS -i $INET_IFACE -p udp --dport 28431 -m limit --limit $LIMIT_LOG --limit-burst $LIMIT_LOG_BURST -j LOG --log-level $LOG_LEVEL --log-prefix "IPT=Hack'a'Tack-2000 a=DROP "
 +
 +$IPTABLES -A SCANS -p udp --dport 28431 -j DROP
 +#
 +
 +#------------------------------------------
 +# All good, so return
 +#
 +$IPTABLES -A SCANS -j RETURN
 +#
 +
 +#
 +fi
 +#
 +
 +#*********************************************************
 +# Create a chain to filter packets that are not to be logged.
 +# Applied to INPUT on the external or Internet interface.
 +#
 +#------------------------------------------
 +# Drop SMB, CIFS, and related Windows traffic without logging.
 +#
 +# TODO: I think not all of these use TCP _and_ UDP. Tighten the rules!
 +#
 +if [ $BLOCK_SAMBA_WITHOUT_LOGGING -eq 1 ]
 +then
 +$IPTABLES -A NO_LOGGING -p tcp -m multiport --sports 135,137,138,139,445,1433,1434 -j DROP
 +$IPTABLES -A NO_LOGGING -p udp -m multiport --sports 135,137,138,139,445,1433,1434 -j DROP
 +#
 +$IPTABLES -A NO_LOGGING -p tcp -m multiport --dports 135,137,138,139,445,1433,1434 -j DROP
 +$IPTABLES -A NO_LOGGING -p udp -m multiport --dports 135,137,138,139,445,1433,1434 -j DROP
 +fi
 +#
 +
 +#------------------------------------------
 +# Ignore Dropbox LAN Sync broadcasts
 +#
 +# Do not log as too much logging.
 +#
 +if [ $BLOCK_DROPBOX_LAN_SYNC_BROADCASTS -eq 1 ]
 +then
 +$IPTABLES -A NO_LOGGING -p udp -m udp --dport $PORTS_DROPBOX_LAN_SYNC_BROADCASTS -j DROP
 +fi
 +#
 +
 +#------------------------------------------
 +# All good, so return
 +#
 +$IPTABLES -A NO_LOGGING -j RETURN
 +#
 +
 +#*********************************************************
 +#
 +# INPUT CHAIN
 +#
 +# Add comments to your rules:
 +#
 +# -m comment --comment "Comments help to read output of iptables -nvL"
 +#
 +
 +#------------------------------------------
 +# Allow incoming for loopback interfaces
 +# Allow traffic on loopback interface (lo0)
 +#
 +$IPTABLES -A INPUT -i $LO_IFACE -j ACCEPT
 +#
 +
 +#------------------------------------------
 +# Drop all traffic to 127/8 that doesn't use lo0
 +# Should already be catched by kernel/rp_filter
 +#
 +$IPTABLES -A INPUT -i !$LO_IFACE -d 127.0.0.0/8 -j REJECT
 +#
 +
 +#------------------------------------------
 +# Allow previously initiated connections to bypass rules
 +#
 +$IPTABLES -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
 +#$IPTABLES -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
 +#
 +
 +#$IPTABLES -A INPUT -p tcp -m multiport --sports 135,137,138,139,445,1433,1434 -j ACCEPT
 +#$IPTABLES -A INPUT -p udp -m multiport --sports 135,137,138,139,445,1433,1434 -j ACCEPT
 +#$IPTABLES -A INPUT -p tcp -m multiport --dports 135,137,138,139,445,1433,1434 -j ACCEPT
 +#$IPTABLES -A INPUT -p udp -m multiport --dports 135,137,138,139,445,1433,1434 -j ACCEPT
 +
 +
 +
 +# DROP 29691 - Microsoft something or other - I think against Win 10...
 +#$IPTABLES -A INPUT -p tcp -m conntrack --ctstate NEW --dport 29691 -j DROP
 +#$IPTABLES -A INPUT -p udp -m conntrack --ctstate NEW --dport 29691 -j DROP
 +
 +#------------------------------------------
 +# Allow incoming from local INET
 +#
 +#$IPTABLES -A INPUT -s $INET_NET -d $INET_IP -j ACCEPT
 +# peter enabled this... checking...
 +$IPTABLES -A INPUT -s $INET_NET -d $INET_IP -j ACCEPT
 +#
 +
 +#------------------------------------------
 +# Allow HTTP
 +#
 +if [ $ALLOW_HTTP_IN -eq 1 ]
 +then
 +$IPTABLES -A INPUT -p tcp -m conntrack --ctstate NEW --dport 80 -j ACCEPT # http
 +fi
 +#
 +
 +#------------------------------------------
 +# Allow HTTPS
 +#
 +if [ $ALLOW_HTTPS_IN -eq 1 ]
 +then
 +$IPTABLES -A INPUT -p tcp -m conntrack --ctstate NEW --dport 443 -j ACCEPT # https
 +fi
 +#
 +
 +#------------------------------------------
 +# This should be one of the first rules.
 +# so dns lookups are already allowed for our other rules.
 +$IPTABLES -A INPUT -p udp --dport 53 -j ACCEPT
 +$IPTABLES -A INPUT -p tcp --dport 53 -j ACCEPT
 +
 +#iptables -A INPUT -p udp --dport 53 --dport 1024:65535 -j ACCEPT
 +#iptables -A INPUT -p tcp --dport 53 --dport 1024:65535 -j ACCEPT
 +#iptables -A INPUT -p udp --dport 53 --sport 1024:65535 -j ACCEPT
 +#iptables -A INPUT -p tcp --dport 53 --sport 1024:65535 -j ACCEPT
 +#
 +#$IPTABLES -A INPUT -p tcp -m tcp --dport 53 -m limit --limit 5/sec -j LOG --log-prefix "IPT=DNS:TCP LIMIT a=DROP " --log-level $LOG_LEVEL
 +#$IPTABLES -A INPUT -p udp -m udp --dport 53 -m limit --limit 5/sec -j LOG --log-prefix "IPT=DNS:UDP LIMIT a=DROP " --log-level $LOG_LEVEL
 +
 +$IPTABLES -A INPUT -p tcp --dport 53 -m state --state NEW -m recent --set --name DNS_BURST_LIMIT --rsource
 +$IPTABLES -A INPUT -p tcp --dport 53 -m state --state NEW -m recent --rcheck --seconds 1 --hitcount ${DNS_BURST} --name DNS_BURST_LIMIT --rsource -j LOG --log-level $LOG_LEVEL --log-prefix "IPT=DNS:TCP BURST a=DROP "
 +$IPTABLES -A INPUT -p tcp --dport 53 -m state --state NEW -m recent --update --seconds 1 --hitcount ${DNS_BURST} --name DNS_BURST_LIMIT --rsource -j DROP
 +$IPTABLES -A INPUT -p tcp --dport 53 -m state --state NEW -m recent --set --name DNS_TOTAL_LIMIT --rsource
 +$IPTABLES -A INPUT -p tcp --dport 53 -m state --state NEW -m recent --rcheck --seconds ${DNS_TIMEOUT} --hitcount ${DNS_TOTAL_REQUESTS} --name DNS_TOTAL_LIMIT --rsource -j LOG --log-level $LOG_LEVEL --log-prefix "IPT=DNS:TCP TOTAL a=DROP "
 +$IPTABLES -A INPUT -p tcp --dport 53 -m state --state NEW -m recent --update --seconds ${DNS_TIMEOUT} --hitcount ${DNS_TOTAL_REQUESTS} --name DNS_TOTAL_LIMIT --rsource -j DROP
 +
 +$IPTABLES -A INPUT -p udp --dport 53 -m state --state NEW -m recent --set --name DNS_BURST_LIMIT --rsource
 +$IPTABLES -A INPUT -p udp --dport 53 -m state --state NEW -m recent --rcheck --seconds 1 --hitcount ${DNS_BURST} --name DNS_BURST_LIMIT --rsource -j LOG --log-level $LOG_LEVEL --log-prefix "IPT=DNS:UDP BURST a=DROP "
 +$IPTABLES -A INPUT -p udp --dport 53 -m state --state NEW -m recent --update --seconds 1 --hitcount ${DNS_BURST} --name DNS_BURST_LIMIT --rsource -j DROP
 +$IPTABLES -A INPUT -p udp --dport 53 -m state --state NEW -m recent --set --name DNS_TOTAL_LIMIT --rsource
 +$IPTABLES -A INPUT -p udp --dport 53 -m state --state NEW -m recent --rcheck --seconds ${DNS_TIMEOUT} --hitcount ${DNS_TOTAL_REQUESTS} --name DNS_TOTAL_LIMIT --rsource -j LOG --log-level $LOG_LEVEL --log-prefix "IPT=DNS:UDP TOTAL a=DROP "
 +$IPTABLES -A INPUT -p udp --dport 53 -m state --state NEW -m recent --update --seconds ${DNS_TIMEOUT} --hitcount ${DNS_TOTAL_REQUESTS} --name DNS_TOTAL_LIMIT --rsource -j DROP
 +
 +
 +$IPTABLES -A INPUT -p tcp -m conntrack --ctstate NEW,ESTABLISHED --dport 53 -j ACCEPT # DNS
 +$IPTABLES -A INPUT -p udp -m conntrack --ctstate NEW,ESTABLISHED --dport 53 -j ACCEPT # DNS
 +
 +#for ip in $DNS_SERVER
 +#do
 +#       echo "Allowing DNS lookups (tcp, udp port 53) to server '$ip'"
 +#       $IPTABLES -A INPUT  -p udp -s $ip --sport 53 -m state --state ESTABLISHED     -j ACCEPT
 +#       $IPTABLES -A INPUT  -p tcp -s $ip --sport 53 -m state --state ESTABLISHED     -j ACCEPT
 +#       $IPTABLES -A OUTPUT -p udp -d $ip --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT
 +#       $IPTABLES -A OUTPUT -p tcp -d $ip --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT
 +#done
 +
 +#PTR1
 +#------------------------------------------
 +# Allow packets not coming from the outside
 +#
 +$IPTABLES -A INPUT -m conntrack --ctstate NEW -i $LOCAL_IFACE -j ACCEPT
 +#
 +
 +#------------------------------------------
 +# This should be one of the first rules.
 +# to drop any previously detected attackers.
 +if [ $BLOCK_BRUTE_FORCE_ATTACKS -eq 1 ]
 +then
 +# Check for any offences.
 +# If so then drop for that period of time, into the specific banned group - which determines the timeout.
 +# Otherwise, if not yet banned, check if this is an attack.
 +$IPTABLES -A INPUT -m recent --rcheck --seconds $CONNECTION_TIMEOUT_9 --name BANNED9 --rsource -j DROP
 +$IPTABLES -A INPUT -m recent --rcheck --seconds $CONNECTION_TIMEOUT_8 --name BANNED8 --rsource -j DROP
 +$IPTABLES -A INPUT -m recent --rcheck --seconds $CONNECTION_TIMEOUT_7 --name BANNED7 --rsource -j DROP
 +$IPTABLES -A INPUT -m recent --rcheck --seconds $CONNECTION_TIMEOUT_6 --name BANNED6 --rsource -j DROP
 +$IPTABLES -A INPUT -m recent --rcheck --seconds $CONNECTION_TIMEOUT_5 --name BANNED5 --rsource -j DROP
 +$IPTABLES -A INPUT -m recent --rcheck --seconds $CONNECTION_TIMEOUT_4 --name BANNED4 --rsource -j DROP
 +$IPTABLES -A INPUT -m recent --rcheck --seconds $CONNECTION_TIMEOUT_3 --name BANNED3 --rsource -j DROP
 +$IPTABLES -A INPUT -m recent --rcheck --seconds $CONNECTION_TIMEOUT_2 --name BANNED2 --rsource -j DROP
 +$IPTABLES -A INPUT -m recent --rcheck --seconds $CONNECTION_TIMEOUT_1 --name BANNED1 --rsource -j DROP
 +$IPTABLES -A INPUT -m conntrack --ctstate NEW -j ATTACK_CHECK
 +fi
 +
 +#------------------------------------------
 +# Allow incoming from the gateway
 +#
 +$IPTABLES -A INPUT -s $INET_GW -d $INET_IP -j ACCEPT
 +#
 +
 +#------------------------------------------
 +# Allow incoming from local INET to local BCAST
 +#
 +$IPTABLES -A INPUT -s $INET_NET -d $INET_BCAST -j ACCEPT
 +$IPTABLES -A INPUT -d $PORTS_BROADCAST -j ACCEPT
 +#$IPTABLES -A INPUT -s $INET_NET -d $PORTS_BROADCAST -j ACCEPT
 +#$IPTABLES -A INPUT -s $INET_NET -d $PORTS_UNIVERSE -j ACCEPT
 +#
 +
 +#------------------------------------------
 +# Allow incoming from local INET
 +#
 +#$IPTABLES -A INPUT -s $INET_NET -d $INET_IP -j ACCEPT
 +#
 +
 +#------------------------------------------
 +# Allow packets not coming from the outside
 +#
 +$IPTABLES -A INPUT -m conntrack --ctstate NEW -i $LOCAL_IFACE -j ACCEPT
 +#
 +
 +#------------------------------------------
 +# Check Quotas
 +#
 +if [ $DO_QUOTA -eq 1 ]
 +then
 +$IPTABLES -A INPUT -j QUOTAS
 +fi
 +#
 +
 +#------------------------------------------
 +# Drop invalid packets
 +#
 +$IPTABLES -A INPUT -j BAD_PACKETS
 +#
 +
 +#------------------------------------------
 +# Do not log certain packets, as too much logging
 +#
 +#$IPTABLES -A INPUT -j NO_LOGGING
 +#
 +
 +#------------------------------------------
 +# Always allow certain packets
 +#
 +if [ $DO_WHITELISTING -eq 1 ]
 +then
 +$IPTABLES -A INPUT -j WHITELIST
 +fi
 +#
 +
 +#------------------------------------------
 +# Drop enemies
 +
 +$IPTABLES -A INPUT -j BLACKLIST
 +#
 +
 +#------------------------------------------
 +# Route the rest to the appropriate user chain
 +#
 +$IPTABLES -A INPUT -p tcp -i $INET_IFACE -j TCP_IN
 +$IPTABLES -A INPUT -p udp -i $INET_IFACE -j UDP_IN
 +$IPTABLES -A INPUT -p icmp -i $INET_IFACE -j ICMP_IN
 +$IPTABLES -A INPUT -p igmp -j DROP
 +#
 +
 +#------------------------------------------
 +# Drop any traffic from IANA-reserved IPs.
 +#
 +$IPTABLES -A INPUT -i $INET_IFACE -j IANA_RESERVED
 +#
 +
 +#------------------------------------------
 +# Allow Port Knocking
 +#
 +if [ $DO_PORT_KNOCKING -eq 1 ]
 +then
 +$IPTABLES -A INPUT -j PORT_KNOCK
 +fi
 +#
 +
 +#------------------------------------------
 +# Do not log certain packets, as too much logging
 +#
 +$IPTABLES -A INPUT -j NO_LOGGING
 +#
 +
 +#------------------------------------------
 +# Drop packets from private address ranges coming in on the external
 +#
 +$IPTABLES -A INPUT -i $INET_IFACE -j PRIVATE_PACKETS
 +#
 +
 +#------------------------------------------
 +# Drop without logging broadcasts that get this far.
 +# Cuts down on log clutter.
 +# Comment this line if testing new rules that impact
 +# broadcast protocols.
 +#
 +$IPTABLES -A INPUT -m pkttype --pkt-type broadcast -j DROP
 +#
 +
 +#------------------------------------------
 +# Catch all
 +# Log packets that still don't match, and then DROP them.
 +#
 +if [ $DO_REJECT_INSTEAD_OF_DROP -eq 1 ]
 +then
 +$IPTABLES -A INPUT -m limit --limit $LIMIT_LOG --limit-burst $LIMIT_LOG_BURST -j LOG --log-level $LOG_LEVEL --log-prefix "IPT=INPUT:999 a=REJECT "
 +$IPTABLES -A INPUT -p udp -j REJECT --reject-with icmp-port-unreachable
 +$IPTABLES -A INPUT -p tcp -j REJECT --reject-with tcp-reset
 +$IPTABLES -A INPUT -j REJECT --reject-with icmp-proto-unreachable
 +else
 +$IPTABLES -A INPUT -m limit --limit $LIMIT_LOG --limit-burst $LIMIT_LOG_BURST -j LOG --log-level $LOG_LEVEL --log-prefix "IPT=INPUT:999 a=DROP "
 +$IPTABLES -A INPUT -j DROP
 +fi
 +#
 +
 +#*********************************************************
 +#
 +# OUTPUT CHAIN
 +#
 +
 +#------------------------------------------
 +# Allow outgoing for loopback interfaces
 +# Allow traffic on loopback interface (lo0)
 +
 +$IPTABLES -A OUTPUT -o $LO_IFACE -j ACCEPT
 +#
 +
 +#------------------------------------------
 +# Drop all traffic to 127/8 that doesn't use lo0
 +# Should be already be catched by kernel/rp_filter
 +#
 +$IPTABLES -A OUTPUT -o !$LO_IFACE -d 127.0.0.0/8 -j REJECT
 +#
 +
 +#------------------------------------------
 +# Allow previously initiated connections to bypass rules
 +#
 +$IPTABLES -A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
 +#
 +
 +#------------------------------------------
 +# Allow outgoing connections EXCEPT invalid
 +#
 +#$IPTABLES -A OUTPUT -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
 +
 +#------------------------------------------
 +# This should be one of the first rules.
 +# so dns lookups are already allowed for your other rules
 +$IPTABLES -A OUTPUT -p udp --dport 53 -j ACCEPT
 +$IPTABLES -A OUTPUT -p tcp --dport 53 -j ACCEPT
 +
 +#iptables -A OUTPUT -p udp --dport 53 --sport 1024:65535 -j ACCEPT
 +#iptables -A OUTPUT -p tcp --dport 53 --sport 1024:65535 -j ACCEPT
 +#
 +#$IPTABLES -A OUTPUT -p tcp -m conntrack --ctstate NEW,ESTABLISHED --dport 53 -j ACCEPT # DNS
 +#$IPTABLES -A OUTPUT -p udp -m conntrack --ctstate NEW,ESTABLISHED --dport 53 -j ACCEPT # DNS
 +#$IPTABLES -A OUTPUT -p tcp -m conntrack --ctstate NEW,ESTABLISHED --sport 53 -j ACCEPT # DNS
 +#$IPTABLES -A OUTPUT -p udp -m conntrack --ctstate NEW,ESTABLISHED --sport 53 -j ACCEPT # DNS
 +
 +#------------------------------------------
 +# Allow established connections, and those not coming from the outside
 +#
 +$IPTABLES -A OUTPUT -m conntrack --ctstate NEW -o $LOCAL_IFACE -j ACCEPT
 +#
 +
 +#------------------------------------------
 +# Drop invalid packets
 +#
 +# Note: Be careful if you're using kernels older than 2.4.29. Some locally
 +# generated ICMP error types (going through OUTPUT) are erroneously tagged
 +# as INVALID (instead of RELATED).
 +# Details: http://lists.debian.org/debian-firewall/2006/05/msg00051.html.
 +#
 +$IPTABLES -A OUTPUT -j BAD_PACKETS
 +#
 +
 +#------------------------------------------
 +# Do not log certain packets, as too much logging
 +#
 +#$IPTABLES -A OUTPUT -j NO_LOGGING
 +#
 +
 +#------------------------------------------
 +# Always allow certain packets
 +#
 +#if [ $DO_WHITELISTING -eq 1 ]
 +#then
 +#$IPTABLES -A OUTPUT -j WHITELIST
 +#fi
 +#
 +
 +#------------------------------------------
 +# Drop enemies
 +#
 +#$IPTABLES -A OUTPUT -j BLACKLIST
 +#
 +
 +#------------------------------------------
 +# Route the rest to the appropriate user chain
 +#
 +$IPTABLES -A OUTPUT -p tcp -o $INET_IFACE -j TCP_OUT
 +$IPTABLES -A OUTPUT -p udp -o $INET_IFACE -j UDP_OUT
 +$IPTABLES -A OUTPUT -p icmp -o $INET_IFACE -j ICMP_OUT
 +#
 +
 +#------------------------------------------
 +# Do not log certain packets, as too much logging
 +#
 +$IPTABLES -A OUTPUT -j NO_LOGGING
 +#
 +
 +#------------------------------------------
 +# Catch all
 +#
 +# Log packets that still don't match, and then DROP them.
 +#
 +if [ $DO_REJECT_INSTEAD_OF_DROP -eq 1 ]
 +then
 +$IPTABLES -A OUTPUT -m limit --limit $LIMIT_LOG --limit-burst $LIMIT_LOG_BURST -j LOG --log-level $LOG_LEVEL --log-prefix "IPT=OUTPUT:999 a=REJECT "
 +$IPTABLES -A OUTPUT -p udp -j REJECT --reject-with icmp-port-unreachable
 +$IPTABLES -A OUTPUT -p tcp -j REJECT --reject-with tcp-reset
 +$IPTABLES -A OUTPUT -j REJECT --reject-with icmp-proto-unreachable
 +else
 +$IPTABLES -A OUTPUT -m limit --limit $LIMIT_LOG --limit-burst $LIMIT_LOG_BURST -j LOG --log-level $LOG_LEVEL --log-prefix "IPT=OUTPUT:999 a=DROP "
 +$IPTABLES -A OUTPUT -j DROP
 +fi
 +#
 +
 +#*********************************************************
 +#
 +# FORWARD CHAIN
 +#
 +#
 +$IPTABLES -A FORWARD -j BAD_PACKETS
 +#
 +
 +#------------------------------------------
 +#FORWARD
 +$IPTABLES -A FORWARD -p icmp -j ACCEPT
 +$IPTABLES -A FORWARD -p tcp -s $LOCAL_NET -j ACCEPT         #forward everything from local LAN
 +$IPTABLES -A FORWARD -p udp -s $LOCAL_NET -j ACCEPT         #forward everything from local LAN
 +#$IPTABLES -A FORWARD -i $INET_IFACE -j OUTBOUND             #need both for pass-through
 +#$IPTABLES -A FORWARD -i $LOCAL_IFACE -j OUTBOUND            #need both for pass-through
 +
 +#------------------------------------------
 +# Allows new forwarded packets
 +#
 +#$IPTABLES -A FORWARD -i $INET_IFACE -o $LOCAL_IFACE -s $LOCAL_NET -m conntrack --ctstate NEW -j ACCEPT
 +#
 +
 +#------------------------------------------
 +# Don't forward from the outside to the inside.
 +#
 +$IPTABLES -A FORWARD -i $INET_IFACE -o $INET_IFACE -j REJECT
 +#$IPTABLES -A FORWARD -s $INET_NET -i $INET_IFACE -j DROP   # Drop from internet which it claims are an addr in LAN ip range.
 +#
 +
 +#------------------------------------------
 +# Allow previously initiated connections to bypass rules
 +#
 +$IPTABLES -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
 +#
 +
 +#------------------------------------------
 +# Allow established connections, and those not coming from the outside
 +#
 +#$IPTABLES -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -i $LOCAL_IFACE -o $INET_IFACE -j ACCEPT
 +#
 +
 +#
 +
 +#------------------------------------------
 +# Drop invalid packets
 +#
 +$IPTABLES -A FORWARD -j BAD_PACKETS
 +#
 +
 +#------------------------------------------
 +# Always allow certain packets
 +#
 +if [ $DO_WHITELISTING -eq 1 ]
 +then
 +$IPTABLES -A FORWARD -j WHITELIST
 +fi
 +#
 +
 +#------------------------------------------
 +# Allow outgoing connections from the LAN side
 +# Route packets to either TCP or UDP as appropriate
 +#
 +$IPTABLES -A FORWARD -i $LOCAL_IFACE -o $INET_IFACE -p tcp -j TCP_OUT
 +$IPTABLES -A FORWARD -i $LOCAL_IFACE -o $INET_IFACE -p udp -j UDP_OUT
 +#
 +
 +#------------------------------------------
 +# Do not log certain packets, as too much logging
 +#
 +#$IPTABLES -A FORWARD -j NO_LOGGING
 +#
 +
 +#------------------------------------------
 +# Drop enemies
 +#
 +$IPTABLES -A FORWARD -j BLACKLIST
 +#
 +
 +#------------------------------------------
 +# Do not log certain packets, as too much logging
 +#
 +$IPTABLES -A FORWARD -j NO_LOGGING
 +#
 +
 +#------------------------------------------
 +# Catch all
 +# Log packets that still don't match, and then DROP them.
 +#
 +if [ $DO_REJECT_INSTEAD_OF_DROP -eq 1 ]
 +then
 +$IPTABLES -A FORWARD -m limit --limit $LIMIT_LOG --limit-burst $LIMIT_LOG_BURST -j LOG --log-level $LOG_LEVEL --log-prefix "IPT=FORWARD:999 a=REJECT "
 +$IPTABLES -A FORWARD -p udp -j REJECT --reject-with icmp-port-unreachable
 +$IPTABLES -A FORWARD -p tcp -j REJECT --reject-with tcp-reset
 +$IPTABLES -A FORWARD -j REJECT --reject-with icmp-proto-unreachable
 +else
 +$IPTABLES -A FORWARD -m limit --limit $LIMIT_LOG --limit-burst $LIMIT_LOG_BURST -j LOG --log-level $LOG_LEVEL --log-prefix "IPT=FORWARD:999 a=DROP "
 +$IPTABLES -A FORWARD -j DROP
 +fi
 +#
 +
 +#*********************************************************
 +#
 +# POSTROUTING CHAIN
 +#
 +
 +#------------------------------------------
 +# Masquerade - Set up your gateway
 +#
 +if [ $DO_MASQUERADE -eq 1 ]
 +then
 +$IPTABLES -A POSTROUTING -t nat -o $INET_IFACE -j MASQUERADE
 +else
 +# POSTROUTING statements for 1:1 NAT
 +# (Connections originating from the home network servers)
 +
 +# SNAT is used to NAT all other outbound connections initiated
 +# from the protected network to appear to come from the local
 +# IP address.
 +#
 +# The reason for choosing MASQUERADE in the previous example
 +# anyway has the following reason: For SNAT one has to specify
 +# the new source-IP explicitly.
 +#
 +# For routers with a static IP address SNAT is the best choice
 +# because it is faster than MASQUERADE which has to check the
 +# current IP address of the outgoing network interface at every
 +# packet. Since SNAT is only meaningful for packets leaving the
 +# router it is used within the POSTROUTING chain only.
 +#
 +#$IPTABLES -A POSTROUTING -t nat -o $INET_IFACE -j SNAT --to-source $INET_IP
 +$IPTABLES -A POSTROUTING -t nat -s $LOCAL_IP -o $INET_IFACE -j SNAT --to-source $LOCAL_IP
 +#
 +
 +#------------------------------------------
 +# POSTROUTING statements for Many:1 NAT
 +#
 +#$IPTABLES -A POSTROUTING -t nat -s $LOCAL_NET -o $INET_IFACE -j SNAT --to-source $LOCAL_IP
 +fi
 +#
 +
 +#*********************************************************
 +#
 +# PREROUTING CHAIN
 +#
 +#------------------------------------------
 +# DROP packets from hosts with more than 16 active connections.
 +#$IPTABLES -A PREROUTING -t nat -i $INET_IFACE -p tcp --syn -d $INET_IP -m iplimit --iplimit-above 16 -j DROP
 +#
 +
 +#------------------------------------------
 +if [ $DO_MASQUERADE -eq 0 ]
 +then
 +# PREROUTING statements for 1:1 NAT
 +#
 +#$IPTABLES -A PREROUTING -t nat -i $INET_IFACE -j DNAT --to-destination $INET_IP
 +$IPTABLES -A PREROUTING -t nat -d $LOCAL_IP -i $INET_IFACE -j DNAT --to-destination $INET_IP
 +fi
 +#
 +
 +#------------------------------------------
 +# Blocks oversized unfragmented ICMP packets.
 +#
 +if [ $BLOCK_OVERSIZE_ICMP_PACKETS -eq 1 ]
 +then
 +$IPTABLES -A PREROUTING -t raw -p icmp -m length --length 1492:65535 -m limit --limit $LIMIT_LOG --limit-burst $LIMIT_LOG_BURST -j LOG --log-level $LOG_LEVEL --log-prefix "IPT=PRE:oversize_ICMP a=DROP "
 +
 +$IPTABLES -A PREROUTING -t raw -p icmp -m length --length 1492:65535 -j DROP
 +fi
 +#
 +
 +
 +
 +
 +
 +
 +
 +#------------------------------------------
 +## RULES END ##
 +rules_number=`egrep '\-j' /sharewiz/firewall/firewall.sh | wc -l`
 +#rules_number=`egrep '\-j' `basename $0 | wc -l`
 +total_rules=$(( rules_number ))
 +echo ""
 +echo "$total_rules rules loaded."
 +echo ""
 +
 +
 +#------------------------------------------
 +# Exit gracefully.
 +#
 +exit 0
 +</code>
 +
computer_setup/firewall.1625306915.txt.gz · Last modified: 2021/07/03 10:08 by peter
Donate Powered by PHP Valid HTML5 Valid CSS Driven by DokuWiki