In the last mail I only put the results of listing chains and classes. This it is how the chains are made: echo 0 > /proc/sys/net/ipv4/conf/all/rp_filter echo 0 > /proc/sys/net/ipv4/conf/all/accept_redirects echo 0 > /proc/sys/net/ipv4/conf/all/accept_source_route echo 1 > /proc/sys/net/ipv4/conf/all/log_martians # Reduce DoS'ing ability by reducing timeouts echo 30 > /proc/sys/net/ipv4/tcp_fin_timeout echo 0 > /proc/sys/net/ipv4/tcp_window_scaling echo 0 > /proc/sys/net/ipv4/tcp_timestamps echo 0 > /proc/sys/net/ipv4/tcp_sack echo 1024 > /proc/sys/net/ipv4/tcp_max_syn_backlog # Flush all rules and delete all custom chains /sbin/iptables -F /sbin/iptables -t nat -F /sbin/iptables -t mangle -F /sbin/iptables -X /sbin/iptables -t nat -X /sbin/iptables -t mangle -X # Set up policies /sbin/iptables -P INPUT DROP #Modificata din ACCEPT in DROP pt access selectiv cu exceptia HTTP /sbin/iptables -P FORWARD DROP /sbin/iptables -P OUTPUT ACCEPT /sbin/iptables -t nat -P PREROUTING ACCEPT # This chain will log, then DROPs "Xmas" and Null packets which might # indicate a port-scan attempt /sbin/iptables -N PSCAN /sbin/iptables -A PSCAN -p tcp -m limit --limit 10/minute -j LOG --log-prefix "TCP Scan? " /sbin/iptables -A PSCAN -p udp -m limit --limit 10/minute -j LOG --log-prefix "UDP Scan? " /sbin/iptables -A PSCAN -p icmp -m limit --limit 10/minute -j LOG --log-prefix "ICMP Scan? " /sbin/iptables -A PSCAN -f -m limit --limit 10/minute -j LOG --log-prefix "FRAG Scan? " /sbin/iptables -A PSCAN -j DROP # Disallow packets frequently used by port-scanners, XMas and Null /sbin/iptables -A INPUT -p tcp --tcp-flags ALL ALL -j PSCAN /sbin/iptables -A FORWARD -p tcp --tcp-flags ALL ALL -j PSCAN /sbin/iptables -A INPUT -p tcp --tcp-flags ALL NONE -j PSCAN /sbin/iptables -A FORWARD -p tcp --tcp-flags ALL NONE -j PSCAN # Limit Packets- helps reduce dos/syn attacks /sbin/iptables -A INPUT -p tcp -m tcp --tcp-flags SYN,RST,ACK SYN -m limit --limit 10/sec # CUSTOM chains, can be used by the users themselves /sbin/iptables -N CUSTOMINPUT /sbin/iptables -A INPUT -j CUSTOMINPUT /sbin/iptables -N CUSTOMFORWARD /sbin/iptables -A FORWARD -j CUSTOMFORWARD /sbin/iptables -t nat -N CUSTOMPREROUTING /sbin/iptables -t nat -A PREROUTING -j CUSTOMPREROUTING # Accept everyting connected /sbin/iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT /sbin/iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT # localhost and ethernet. /sbin/iptables -A INPUT -i lo -j ACCEPT /sbin/iptables -A INPUT -p icmp -j ACCEPT /sbin/iptables -A INPUT -i $GREEN_DEV -s 192.168.1.1 -m mac --mac-source 00-02-44-67-30-30 -j ACCEPT /sbin/iptables -A INPUT -i $GREEN_DEV -s 192.168.1.2 -m mac --mac-source 00-02-44-67-30-5E -j ACCEPT /sbin/iptables -A INPUT -i $GREEN_DEV -s 192.168.1.3 -m mac --mac-source 00-02-44-59-71-40 -j ACCEPT /sbin/iptables -A INPUT -i $GREEN_DEV -s 192.168.1.4 -m mac --mac-source 00-D0-09-D5-6B-12 -j ACCEPT /sbin/iptables -A INPUT -i $GREEN_DEV -s 192.168.1.5 -m mac --mac-source 00-50-FC-9D-7A-5B -j ACCEPT /sbin/iptables -A INPUT -i $GREEN_DEV -s 192.168.1.6 -m mac --mac-source 00-80-5F-8F-C2-48 -j ACCEPT /sbin/iptables -A INPUT -i $GREEN_DEV -s 192.168.1.7 -m mac --mac-source 00-06-4F-05-FB-16 -j ACCEPT /sbin/iptables -A FORWARD -i $GREEN_DEV -s 192.168.1.1 -m mac --mac-source 00-02-44-67-30-30 -j ACCEPT /sbin/iptables -A FORWARD -i $GREEN_DEV -s 192.168.1.2 -m mac --mac-source 00-02-44-67-30-5E -j ACCEPT /sbin/iptables -A FORWARD -i $GREEN_DEV -s 192.168.1.3 -m mac --mac-source 00-02-44-59-71-40 -j ACCEPT /sbin/iptables -A FORWARD -i $GREEN_DEV -s 192.168.1.4 -m mac --mac-source 00-D0-09-D5-6B-12 -j ACCEPT /sbin/iptables -A FORWARD -i $GREEN_DEV -s 192.168.1.5 -m mac --mac-source 00-50-FC-9D-7A-5B -j ACCEPT /sbin/iptables -A FORWARD -i $GREEN_DEV -s 192.168.1.6 -m mac --mac-source 00-80-5F-8F-C2-48 -j ACCEPT /sbin/iptables -A FORWARD -i $GREEN_DEV -s 192.168.1.7 -m mac --mac-source 00-06-4F-05-FB-16 -j ACCEPT /sbin/iptables -A CUSTOMFORWARD -s 213.157.170.39 -d 192.168.1.5 -j ACCEPT /sbin/iptables -A CUSTOMFORWARD -s 193.108.54.37 -d 192.168.1.5 -j ACCEPT /sbin/iptables -A CUSTOMFORWARD -s 213.157.170.39 -d 192.168.1.5 -j ACCEPT /sbin/iptables -A CUSTOMFORWARD -s 213.157.170.39 -j DROP /sbin/iptables -A CUSTOMFORWARD -s 193.108.54.37 -j DROP /sbin/iptables -A CUSTOMFORWARD -s 128.242.207.197 -j DROP /sbin/iptables -A CUSTOMFORWARD -s 80.86.96.1 -j DROP /sbin/iptables -A CUSTOMFORWARD -s 213.157.170.39 -j DROP /sbin/iptables -t mangle -A PREROUTING --in-interface $GREEN_DEV -s 192.168.1.1 -j MARK --set-mark 1 /sbin/iptables -t mangle -A PREROUTING --in-interface $GREEN_DEV -s 192.168.1.2 -j MARK --set-mark 2 /sbin/iptables -t mangle -A PREROUTING --in-interface $GREEN_DEV -s 192.168.1.3 -j MARK --set-mark 3 /sbin/iptables -t mangle -A PREROUTING --in-interface $GREEN_DEV -s 192.168.1.4 -j MARK --set-mark 4 /sbin/iptables -t mangle -A PREROUTING --in-interface $GREEN_DEV -s 192.168.1.5 -j MARK --set-mark 5 /sbin/iptables -t mangle -A PREROUTING --in-interface $GREEN_DEV -s 192.168.1.6 -j MARK --set-mark 6 /sbin/iptables -t mangle -A PREROUTING --in-interface $GREEN_DEV -s 192.168.1.7 -j MARK --set-mark 7 /sbin/iptables -t mangle -A PREROUTING --in-interface $GREEN_DEV -m mac --mac-source 00-02-44-67-30-30 -j MARK --set-mark 1 /sbin/iptables -t mangle -A PREROUTING --in-interface $GREEN_DEV -m mac --mac-source 00-02-44-67-30-5E -j MARK --set-mark 2 /sbin/iptables -t mangle -A PREROUTING --in-interface $GREEN_DEV -m mac --mac-source 00-02-44-59-71-40 -j MARK --set-mark 3 /sbin/iptables -t mangle -A PREROUTING --in-interface $GREEN_DEV -m mac --mac-source 00-D0-09-D5-6B-12 -j MARK --set-mark 4 /sbin/iptables -t mangle -A PREROUTING --in-interface $GREEN_DEV -m mac --mac-source 00-50-FC-9D-7A-5B -j MARK --set-mark 5 /sbin/iptables -t mangle -A PREROUTING --in-interface $GREEN_DEV -m mac --mac-source 00-80-5F-8F-C2-48 -j MARK --set-mark 6 /sbin/iptables -t mangle -A PREROUTING --in-interface $GREEN_DEV -m mac --mac-source 00-06-4F-05-FB-16 -j MARK --set-mark 7 /sbin/iptables -A INPUT -i ipsec+ -j ACCEPT /sbin/iptables -A FORWARD -i ipsec+ -j ACCEPT # Custom prerouting chains (for transparent proxy and port forwarding) /sbin/iptables -t nat -N SQUID /sbin/iptables -t nat -A PREROUTING -j SQUID /sbin/iptables -t nat -N PORTFW /sbin/iptables -t nat -A PREROUTING -j PORTFW # last rule in input and forward chain is for logging. /sbin/iptables -A INPUT -m limit --limit 10/minute -j LOG --log-prefix "INPUT " /sbin/iptables -A FORWARD -m limit --limit 10/minute -j LOG --log-prefix "OUTPUT " # Accept everyting connected /sbin/iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT # localhost and ethernet. /sbin/iptables -A INPUT -i lo -j ACCEPT /sbin/iptables -A INPUT -i $GREEN_DEV -j ACCEPT $GREEN_DEV is the LAN interface and here are the tc commands: # clean existing down- and uplink qdiscs, hide errors tc qdisc del dev eth1 root 2> /dev/null > /dev/null tc qdisc del dev eth1 ingress 2> /dev/null > /dev/null tc qdisc del dev eth0 root 2> /dev/null > /dev/null tc qdisc del dev eth0 ingress 2> /dev/null > /dev/null tc qdisc add dev eth1 root handle 10: htb r2q 1 tc class add dev eth1 parent 10: classid 10:10 htb rate 125kbit ceil 125kbit quantum 2250 burst 60k tc class add dev eth1 parent 10:10 classid 10:1 htb rate 18kbit ceil 125kbit quantum 1500 prio 2 burst 60k tc filter add dev eth1 parent 10: protocol ip handle 1 fw classid 10:1 tc filter add dev eth1 parent 10: protocol ip prio 2 u32 match ip src 192.168.1.1 flowid 10:1 tc filter add dev eth1 parent 10: protocol ip prio 3 u32 match ip dst 192.168.1.1 flowid 10:1 tc class add dev eth1 parent 10:10 classid 10:2 htb rate 18kbit ceil 125kbit quantum 1500 prio 2 burst 60k tc filter add dev eth1 parent 10: protocol ip handle 1 fw classid 10:1 tc filter add dev eth1 parent 10: protocol ip prio 2 u32 match ip src 192.168.1.2 flowid 10:2 tc filter add dev eth1 parent 10: protocol ip prio 3 u32 match ip dst 192.168.1.2 flowid 10:2 tc class add dev eth1 parent 10:10 classid 10:3 htb rate 18kbit ceil 125kbit quantum 1500 prio 2 burst 60k tc filter add dev eth1 parent 10: protocol ip handle 3 fw classid 10:3 tc filter add dev eth1 parent 10: protocol ip prio 2 u32 match ip src 192.168.1.3 flowid 10:3 tc filter add dev eth1 parent 10: protocol ip prio 3 u32 match ip dst 192.168.1.3 flowid 10:3 tc class add dev eth1 parent 10:10 classid 10:4 htb rate 18kbit ceil 125kbit quantum 1500 prio 2 burst 60k tc filter add dev eth1 parent 10: protocol ip handle 4 fw classid 10:4 tc filter add dev eth1 parent 10: protocol ip prio 2 u32 match ip src 192.168.1.4 flowid 10:4 tc filter add dev eth1 parent 10: protocol ip prio 3 u32 match ip dst 192.168.1.4 flowid 10:4 tc class add dev eth1 parent 10:10 classid 10:5 htb rate 20kbit ceil 125kbit quantum 1500 prio 2 burst 60k tc filter add dev eth1 parent 10: protocol ip handle 5 fw classid 10:5 tc filter add dev eth1 parent 10: protocol ip prio 2 u32 match ip src 192.168.1.5 flowid 10:5 tc filter add dev eth1 parent 10: protocol ip prio 3 u32 match ip dst 192.168.1.5 flowid 10:5 tc class add dev eth1 parent 10:10 classid 10:6 htb rate 18kbit ceil 125kbit quantum 1500 prio 2 burst 60k tc filter add dev eth1 parent 10: protocol ip handle 6 fw classid 10:6 tc filter add dev eth1 parent 10: protocol ip prio 2 u32 match ip src 192.168.1.6 flowid 10:6 tc filter add dev eth1 parent 10: protocol ip prio 3 u32 match ip dst 192.168.1.6 flowid 10:6 tc class add dev eth1 parent 10:10 classid 10:7 htb rate 18kbit ceil 125kbit quantum 1500 prio 3 burst 60k tc filter add dev eth1 parent 10: protocol ip handle 7 fw classid 10:7 tc filter add dev eth1 parent 10: protocol ip prio 2 u32 match ip src 192.168.1.7 flowid 10:7 tc filter add dev eth1 parent 10: protocol ip prio 3 u32 match ip dst 192.168.1.7 flowid 10:7 _______________________________________________ LARTC mailing list / LARTC@xxxxxxxxxxxxxxx http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://lartc.org/
