####################################################################################
# You should put this config-file (iptables-firewall.conf) in for example in /etc/
# Make sure it's only root readable! -> "chmod 600" & "chown root" it!
####################################################################################
# ----------------------------------------------------------------------------------------------------------------------
# Configuration file for Arno's iptables single- & multi-homed firewall script (rc.iptables)
# (C) Copyright 2001-2004 by Arno van Amersfoort
# Homepage           : http://rocky.molphys.leidenuniv.nl/
# Freshmeat homepage : http://freshmeat.net/projects/iptables-firewall/?topic_id=151
# Email              : a r n o v a AT x s 4 a l l DOT n l
# ----------------------------------------------------------------------------------------------------------------------
# This program is free software; you can redistribute it and/or
# modify it under the terms of the GNU General Public License
# as published by the Free Software Foundation; either version 2
# of the License, or (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
# ----------------------------------------------------------------------------------------------------------------------
# NOTE: this file is shell syntax (it is sourced by rc.iptables), so every value is a
# shell string and "$VAR" references are expanded by the shell at load time. Lines
# starting with '#' are comments; a commented-out assignment leaves the variable unset.
# ----------------------------------------------------------------------------------------------------------------------

############################################
# Required variables for correct operation #
############################################
IPTABLES="/sbin/iptables"       # Location of the iptables-binary (use 'locate iptables' or 'whereis iptables'
                                # to manually locate it).

EXT_IF="eth0"                   # The external interface that will be protected (and used as internet connection)
                                # This is probably ppp+ for (A)DSL (for non-transparent (A)DSL routers!)
                                # otherwise it should be "ethX" (ex. eth0)

EXT_IF_DHCP_IP=0                # Enable if THIS machine (dynamically) obtains its IP through DHCP (from your ISP)

#################################################################################################################
# These options should (only) be used when you have an ADSL/DSL modem which works with a
# PPPoE (PPP-over-Ethernet) or a PPPoA (PPP-over-ATM) connection (or similar 'ppp' connection).
#
# You can check whether this applies for your (hardware) setup with 'ifconfig' (a 'ppp' device is shown).
# This means that if your modem is bridging (a transparent (NAT) router) or the network interface the modem is
# connected to doesn't have an IP, you should leave the MODEM_xxx options disabled (default)!
#################################################################################################################
#MODEM_IF="eth1"                # The physical(!) network interface your ADSL modem is connected to (this is not ppp0!)
#MODEM_IF_IP="10.0.0.150"       # (OPTIONAL!) The IP of the network interface (MODEM_IF) your ADSL modem is connected
                                # to (IP shown for the modem interface (MODEM_IF) in 'ifconfig')
#MODEM_IP="10.0.0.138"          # (OPTIONAL!) The IP of your (A)DSL modem itself

#####################################
# LAN & NAT (masquerading) settings #
#####################################
#INT_IF="eth0"                  # Internal network interface or interfaces (multiple(!) interfaces should be
                                # space separated). Remark this if you don't have any internal network interfaces.
#INTERNAL_NET="192.168.0.0/24"  # Your internal subnet which is connected to the internal interface (INT_IF). For
                                # multiple interfaces(!) you can either specify multiple subnets here or specify one
                                # big subnet for all internal interfaces. Note that packets from these subnets are always
                                # accepted!

NAT=0                           # Enable this if you want to perform NAT for your internal network (LAN)
                                # (ie, share your internet connection with your internal net(s) connected to INT_IF)
#NAT_STATIC_IP="193.2.1.1"      # (EXPERT SETTING!). In case you would like to use SNAT instead of MASQUERADING then
                                # uncomment and set the IP here of your static external IP-address.
NAT_INTERNAL_NET=""             # (EXPERT SETTING!). Use this variable only if you want specific subnets or hosts to
                                # be able to access the internet. When no value is specified, your whole internal LAN
                                # will have access. In both cases it's only meaningful of course when NAT is enabled.
MODEM_INTERNAL_NET=$INTERNAL_NET # (EXPERT SETTING!). Here you can specify the hosts/local net(s) that should have
                                # access to the (A)DSL modem itself (manage modem settings). The default setting
                                # ($INTERNAL_NET) allows access from everybody on your LAN.
                                # NOTE(review): INTERNAL_NET is commented out above, so this currently expands to an
                                # empty string; how rc.iptables treats an empty value here is not visible in this file.
#PROXY_PORT="3128"              # (EXPERT SETTING!). Use this if you want to use a transparent http proxy for your
                                # internal network (auto redirect of HTTP (port 80) traffic).

####################
# General settings #
####################
MANGLE_TOS=1                    # Enable this if you want TOS mangling (RFC)
SET_MSS=1                       # Set the maximum packet size via the Maximum Segment Size (MSS field)
RESOLV_IPS=0                    # Enable this to resolve names of DNS/TH IP's etc.
USE_IRC=0                       # Enable support for the IRC-protocol
LOOSE_FORWARD=0                 # Forward loosen. Enable this option to allow the use of protocols like UPnP. Note
                                # that it *could* be less secure.
DROP_PRIVATE_ADDRESSES=1        # Enable this if you want to drop packets originating from a private address. Normally
                                # this should be enabled(1).
DROP_IANA_RESERVED=0            # Enable this if you want to drop addresses which are registered as reserved by IANA.
                                # This option exists as the IANA list simply changes too often.
DRDOS_PROTECT=1                 # Protect this machine from being abused for a DRDOS-attack (Distributed Denial Of
                                # Service attack).

DHCP_BOOTP_NET=""               # Enter the subnet here you are running a DHCP/BOOTP service (server) for on the
                                # external interface(!). Note that you don't need this for internal networks, as for
                                # these nets all protocols (also DHCP) are accepted by default.

FREESWAN_NET=""                 # Enter your remote Freeswan subnet(s) here to enable "Virtual IP"
                                # support for Freeswan. This allows you to have remote Virtual IP's which are in the
                                # same subnet as yourself, to be routed into your network.

#########################################################################
# Logging options - All logging is rate limited to prevent log flooding #
#########################################################################
BLOCKED_HOST_LOG=1              # Enable logging for explicitly blocked hosts
SCAN_LOG=1                      # Enable logging for various stealth scans (reliable)
POSSIBLE_SCAN_LOG=1             # Enable logging for possible stealth scans (less reliable)
BAD_FLAGS_LOG=1                 # Enable logging for TCP-packets with bad flags
INVALID_PACKET_LOG=1            # Enable logging of invalid packets
RESERVED_NET_LOG=1              # Enable logging of source IP's with reserved addresses
FRAG_LOG=1                      # Enable logging of fragmented packets
DHCP_BROADCAST_LOG=0            # Enable logging of DHCP broadcasts. You probably want to disable(0) this if you
                                # have a DHCP server in your subnet but don't use it yourself.
LOST_CONNECTION_LOG=0           # Enable logging of (probable) "lost connections". Keep disabled to reduce false alarms
DENY_LOG=1                      # Enable logging for explicitly DENIED packets (ports / protocols)
REJECT_LOG=0                    # Enable logging for explicitly REJECTED packets (ports)
OUTPUT_DENY_LOG=1               # Enable logging of denied OUTPUT(local) or FORWARD(internal network) connections.
ICMP_DROP_LOG=1                 # Enable logging for dropped ICMP-requests
PRIV_TCP_LOG=1                  # Enable logging of (other) connection attempts to privileged TCP ports
PRIV_UDP_LOG=1                  # Enable logging of (other) connection attempts to privileged UDP ports
UNPRIV_TCP_LOG=1                # Enable logging of (other) connection attempts to unprivileged TCP ports
UNPRIV_UDP_LOG=1                # Enable logging of (other) connection attempts to unprivileged UDP ports
OTHER_IP_LOG=1                  # Enable logging of (other) connection attempts to "other-IP"-protocols (non TCP/UDP/ICMP)
ICMP_FLOOD_LOG=1                # Enable logging for ICMP flooding

#FIREWALL_LOG=/var/log/firewall # (EXPERT SETTING!). The location of the dedicated firewall log file. When enabled
                                # the firewall script will also log start/stop etc. info to this file as well.
                                # Note that in order to make this work, you should also configure syslogd to log
                                # firewall messages to this file (see LOGLEVEL below for further info)

LOGLEVEL=info                   # Current log-level ("info": default kernel syslog level)
                                # "debug": can be used to log to /var/log/firewall,
                                # but you have to configure syslogd accordingly (see included syslogd.conf example)

###########################################
# /proc based settings (EXPERT SETTINGS!) #
###########################################
SYN_PROT=1                      # Enable if you want synflood protection (through /proc/.../tcp_syncookies)
REDUCE_DOS_ABILITY=1            # Enable this to reduce the ability of others DOS'ing your machine
ECHO_IGNORE=0                   # Enable if you want to ignore all ICMP echo-requests (IPv4) on ALL interfaces
LOG_MARTIANS=0                  # Enable if you want to log packets with impossible addresses to the kernel log
ICMP_REDIRECT=0                 # Enable if you want to accept ICMP redirect messages
                                # Should be set to "0" in case of a router
CONNTRACK=85534                 # Enable/modify this if you want to be able to handle a larger (or smaller) number of
                                # simultaneous connections (uses more memory but recommended for (high-traffic) machines)
LOOSE_UDP_PATCH=0               # You may need to enable this to get some internet games to work,
                                # but note that it's *less* secure
ECN=0                           # Enable ECN (Explicit Congestion Notification) TCP flag
                                # Disabled by default, as some routers are still not compatible with this
RP_FILTER=1                     # Use the rp_filter to drop connections from non-routable IPs. This should be
                                # disabled(0) when you for example want to use Freeswan (VPN) to route external private
                                # addresses into your network.

#################################################################################################################
# (EXPERT SETTING!). Put in the following variable to specify the subnets that are DMZ-classified.
# This means that any FORWARD traffic from the external interface (in)to these interfaces is allowed.
#################################################################################################################
DMZ_IF=""

#################################################################################################################
# (EXPERT SETTING!). (Other) trusted network interfaces for which ALL IP traffic should be ACCEPTED.
# (multiple(!) interfaces should be space separated). Be warned that anything TO and FROM these interfaces is
# allowed (ACCEPTED) so make sure it's NOT routable(accessible) from the outside world (internet)!
#################################################################################################################
# NOTE(review): with INT_IF commented out above, eth1 is handled purely as a trusted interface here, i.e. no
# filtering at all on that side; confirm this is intended and that eth1 is not reachable from the internet.
TRUSTED_IF="eth1"

#################################################################################################################
# Put in the following variable which hosts (subnets) you want have full access via your internet (EXT_IF)
# connection(!). NOTE: Don't mistake this variable with the one used for internal nets (INT_IF)
#################################################################################################################
# NOTE(review): every address below bypasses the port filters entirely; keep this list short and re-check it
# whenever a listed host or subnet changes hands (the /24 and /26 entries grant this to whole ranges).
FULL_ACCESS_HOSTS="85.90.44.212 81.70.85.155 208.8.12.70 81.207.205.236 67.66.243.7 67.66.243.6 67.66.243.2 84.83.69.71 70.250.240.0/24 84.82.90.196 193.173.159.34 70.250.240.35 83.85.185.160 37.251.34.67 82.215.57.208 85.223.53.253 80.94.68.64/26 24.119.24.139 80.94.65.165 86.87.14.16 80.94.68.102"

#################################################################################################################
# Put in the following variable which DNS servers you use
# Only required when you run your own DNS server (for example BIND)
#################################################################################################################
DNS_SERVERS=""

# These are the root DNS-servers (uncomment lineS(!) below if you want to use them for BIND)
#ROOT_DNS_SERVERS="128.63.2.53 192.33.4.12 192.112.36.4 192.5.5.241 128.9.0.107 \
#                  198.41.0.10 193.0.14.129 198.32.64.12 202.12.27.33 192.36.148.17 \
#                  192.203.230.10 128.8.10.90 198.41.0.4"

#################################################################################################################
# Put in the following variables which ports or IP protocols you want to leave open to the whole world
#################################################################################################################
# NOTE(review): everything listed here is reachable from any source address. Ports such as 3306 (MySQL) and
# 6667 (IRC) are rarely meant to be world-open; verify each entry is still needed and, where possible, move it
# to HOST_OPEN_TCP with an explicit source list instead.
OPEN_TCP="20 21 25 53 80 81 110 143 220 443 993 1863 2222 2525 3306 6667 7778 3214 5556 8000 8001 52314 18080"
OPEN_UDP="53 3214 8000 8001"
OPEN_IP=""
OPEN_ICMP=1

#################################################################################################################
# Put in the following variables the TCP/UDP ports you want to DENY(DROP) for everyone. Also use these variables
# if you want to log connection attempts to these ports from everyone (also trusted & full access hosts)
#################################################################################################################
DENY_TCP=""
DENY_UDP=""

#################################################################################################################
# Put in the following variables which hosts you want to allow for certain services
# TCP/UDP port format (HOST_OPEN_TCP & HOST_OPEN_UDP) : host1,host2>port1,port2 host3,host4>port3,port4 ...
# IP protocol format (HOST_OPEN_IP) : host1,host2>proto1,proto2 host3,host4>proto3,proto4 ...
#################################################################################################################
# NOTE(review): the entry "69.150.147" in the port-22 host list is not a complete dotted-quad IPv4 address.
# Depending on how iptables parses it the rule may fail to load or match a different address than intended;
# confirm the intended host (or CIDR) and correct it before relying on this rule.
HOST_OPEN_TCP="66.153.114.238,80.126.55.144,80.84.237.243,213.84.137.40,208.8.12.66,208.8.12.67,213.201.163.0/24,62.212.90.106,69.150.147,70.190.201.159,81.102.70.92,86.20.159.131,84.92.159.125>22 208.8.12.66,130.13.64.146,24.117.232.0/24,81.101.216.47,80.60.63.91,130.13.113.214,64.173.10.117,81.178.177.72>48203 81.26.219.176>18080"
HOST_OPEN_UDP=""
HOST_OPEN_IP=""
HOST_OPEN_ICMP=""

#################################################################################################################
# Put in the following variables which TCP/UDP ports you want to REJECT (instead of DROP) for certain hosts.
# TCP/UDP port format (HOST_REJECT_xxx) : host1,host2>port1,port2 host3,host4>port3,port4 ...
#################################################################################################################
HOST_REJECT_TCP=""
HOST_REJECT_UDP=""

#################################################################################################################
# Put in the following variables which ports you want to DENY(DROP) for everyone but NOT logged.
# This is very useful if you have constant probes on the same port(s) over and over again (code red worm)
# and don't want your logs flooded with it.
#################################################################################################################
DENY_TCP_NOLOG=""
DENY_UDP_NOLOG=""

#################################################################################################################
# Put in the following variables which TCP/UDP ports or IP protocols you want to DENY(DROP) for certain hosts
# but NOT logged.
# TCP/UDP port format (HOST_xxx_NOLOG) : host1,host2>port1,port2 host3,host4>port3,port4 ...
# IP protocol format (HOST_DENY_IP_NOLOG) : host1,host2>proto1,proto2 host3,host4>proto3,proto4 ...
#################################################################################################################
HOST_DENY_TCP_NOLOG=""
HOST_DENY_UDP_NOLOG=""
HOST_DENY_IP_NOLOG=""

#################################################################################################################
# Put in the following variables which TCP/UDP ports or IP protocols you want to DENY(DROP) for certain hosts
# TCP/UDP port format (HOST_DENY_TCP & HOST_DENY_UDP) : host1,host2>port1,port2 host3,host4>port3,port4 ...
#################################################################################################################
HOST_DENY_TCP=""
HOST_DENY_UDP=""
HOST_DENY_IP=""
HOST_DENY_ICMP=""

#################################################################################################################
# Put in the following variables which ports/protocols THIS machine is NOT permitted to connect TO
# (remote end-point) via the external (internet) interface. Example of usage is for blocking IRC (tcp 6666:6669)
#################################################################################################################
DENY_TCP_OUTPUT=""
DENY_UDP_OUTPUT=""
DENY_IP_OUTPUT=""

#################################################################################################################
# Put in the following variables which TCP/UDP ports or IP protocols you want to log connection attempts to
# from certain hosts.
# TCP/UDP port format (LOG_HOST_xxx) : host1,host2>port1,port2 host3,host4>port3,port4 ...
# IP protocol format (LOG_HOST_IP) : host1,host2>proto1,proto2 host3,host4>proto3,proto4 ...
#################################################################################################################
LOG_HOST_TCP=""
LOG_HOST_UDP=""
LOG_HOST_IP=""

#################################################################################################################
# Put in the following variables which TCP/UDP ports or IP protocols you want to log outgoing connections
# (attempts) for (packet watch).
#################################################################################################################
LOG_TCP_OUTPUT=""
LOG_UDP_OUTPUT=""
LOG_IP_OUTPUT=""

#################################################################################################################
# Put in the following variables which TCP/UDP ports or IP protocols you want to log incoming connections
# (attempts) for (packet watch).
#################################################################################################################
LOG_TCP_INPUT=""
LOG_UDP_INPUT=""
LOG_IP_INPUT=""

#################################################################################################################
# NAT TCP/UDP/IP forwards. Forward ports or protocols from the gateway to an internal client through (D)NAT
# TCP/UDP form : "{SRCIP1,SRCIP2,...:}PORT1,PORT2-PORT3,...>DESTIP1{:port} {SRCIP3,...:}PORT3,...>DESTIP2:port}"
# IP form      : "{SRCIP1,SRCIP2,...:}PROTO1,PROTO2,...>DESTIP1 {SRCIP3:}PROTO3,PROTO4,...>DESTIP2"
# NOTE 1: {:port} is optional. Use it to redirect a specific port to a different port on the internal client
# NOTE 2: {SRCIPx} is optional. Use it to restrict access to specific source IP addresses
# NOTE 3: Port ranges MUST be written as "PORT1-PORT3" (ie. "1024-1030" would include ports 1024 until 1030)
#################################################################################################################
# NOTE(review): NAT=0 is set above while forwards are configured here; whether rc.iptables applies DNAT
# forwards with NAT disabled cannot be determined from this file - confirm the intended behaviour. The
# forwards below also carry no {SRCIP} restriction, so they are reachable from any source.
NAT_TCP_FORWARD="587,2525>80.94.68.66:25 1863>80.94.68.71:7778 5556>80.94.68.71:6667"  # NAT TCP port-forward(s).
NAT_UDP_FORWARD=""              # NAT UDP port-forward(s).
                                # TCP/UDP port forward examples:
                                # Simple   : NAT_xxx_FORWARD="80>192.168.0.10"
                                # Advanced : NAT_xxx_FORWARD="20,21>192.168.0.10 1.2.3.4:81>192.168.0.11:80"
NAT_IP_FORWARD=""               # NAT IP protocol forward(s) (useful for forwarding non-TCP/UDP/ICMP protocols).
                                # NAT IP protocol forward example: "47,48>192.168.0.10"

#################################################################################################################
# (EXPERT SETTING!) Put in the following variables the TCP/UDP ports or IP protocols TO (remote end-point)
# which the MASQUERADED hosts(LAN) are permitted to connect to via the external (internet) interface. When
# these variables are empty (""), these hosts are permitted to connect to ANY port/protocol.
#################################################################################################################
LAN_ALLOW_TCP=""
LAN_ALLOW_UDP=""
LAN_ALLOW_IP=""

#################################################################################################################
# Put in the following variables the TCP/UDP ports or IP protocols TO (remote end-point) which the MASQUERADED
# hosts(LAN) are NOT permitted to connect to via the external (internet) interface. Examples of usage are for
# blocking IRC (TCP 6666:6669) for the internal network
#################################################################################################################
LAN_DENY_TCP=""
LAN_DENY_UDP=""
LAN_DENY_IP=""

#################################################################################################################
# Put in the following variable which hosts you want to block (blackhole, dropping every packet from the host)
#################################################################################################################
BLOCK_HOSTS=""

#################################################################################################################
# Location of the BLOCKED HOSTS file (if any). Note that the last line of this file should always contain a
# carriage-return (enter)!
#################################################################################################################
BLOCK_HOSTS_FILE=/etc/iptables-blocked-hosts

#################################################################################################################
# Location of the custom IPTABLES rules file (if any):
# NOTE(review): this file is executed with the firewall's privileges, so it should be root-owned and not
# writable by anyone else (same "chmod 600" / "chown root" advice as for this config file).
#################################################################################################################
CUSTOM_RULES=/etc/iptables-custom-rules