- CONFIG_FILES =
%w[
base.ipt
iface.dmz
iface.forward
ip.allow
ip.deny
ports.private
ports.public
]
# iptables-restore template written to base.ipt. Default policy is
# INPUT DROP / FORWARD DROP / OUTPUT ACCEPT, so any inbound or forwarded
# packet that no rule below accepts is dropped, while outbound traffic is
# unrestricted. Inbound flow through INPUT: loopback accept -> Jail ->
# RELATED,ESTABLISHED accept -> ValidCheck -> Dmz -> Bastards -> Public ->
# AllowIP (-> Allowed -> Private) -> rate-limited LOG -> DROP.
# The "# [CHAIN:...]" and "# [RULES:...]" lines are markers; the comments
# inside the template say the generator replaces them with rules built from
# the corresponding list files (iface.dmz, ip.deny, ports.public, ip.allow,
# ports.private) and from fail2ban.
# Review notes:
#  - Jail is consulted before the RELATED,ESTABLISHED accept, so a jailed
#    source also loses connections that were already established.
#  - INVALID and ESTABLISHED are disjoint conntrack states, so running
#    ValidCheck after the ESTABLISHED accept does not weaken it.
#  - Every LOG rule carries "! -d 0.0.0.255/0.0.0.255": the mask covers only
#    the last octet, so packets to an address ending in .255 (typical
#    directed broadcast) are not logged; all other destinations are.
#  - LOG rules are rate limited (1/min for Block/Authorized, 3/min for the
#    drop chains), which bounds log volume per rule.
#  - DropScan and DropDDOS are declared but no rule in this template jumps
#    to them; presumably they are referenced by rules inserted at a marker --
#    confirm, otherwise they are unreachable chains.
#  - Private returns only for ports listed in ports.private; everything else
#    that reaches it is logged as "Unauthorized" and dropped.
- BASE_IPT =
%q{# Generated by Shutter
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:Dmz - [0:0]
:ValidCheck - [0:0]
:Jail - [0:0]
:Bastards - [0:0]
:Public - [0:0]
:AllowIP - [0:0]
:Allowed - [0:0]
:Private - [0:0]
:DropJail - [0:0]
:DropBastards - [0:0]
:DropInvalid - [0:0]
:DropScan - [0:0]
:DropDDOS - [0:0]
# [CHAIN:FAIL2BAN]
-A INPUT -i lo -j ACCEPT
-A INPUT -j Jail
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -j ValidCheck
-A INPUT -j Dmz
-A INPUT -j Bastards
-A INPUT -j Public
-A INPUT -j AllowIP
-A INPUT ! -d 0.0.0.255/0.0.0.255 -m limit --limit 1/min -j LOG --log-prefix "iptables: Block:"
-A INPUT -j DROP
##################################################################
# Jail goes here. Jail and any fail2ban chains will be
# taken care of dynamically in locker-restore.
##################################################################
# [RULES:JAIL]
##################################################################
# Validity checking
##################################################################
-A ValidCheck -m state --state INVALID -j DropInvalid
-A ValidCheck -j RETURN
##################################################################
# DMZ. Read from iface.dmz and added as:
# -A INPUT -i <iface> -j ACCEPT
##################################################################
# [RULES:DMZ]
-A Dmz -j RETURN
##################################################################
# All IP address ranges that are permanently banned. If
# no IP addresses are given, then all will be assumed that no ip
# addresses are banned and create the following rule
# -A Bastards -j RETURN
# otherwise a list of banned ips will be generated from ip.deny
# and will look like this:
# -A Bastards -s <ipaddr>/<subnet> -j DropBastards
##################################################################
# [RULES:BASTARDS]
-A Bastards -j RETURN
##################################################################
# A list of authorized ports for the public access. If there are
# entries in the ports.public file then they will be added as:
# -A Public -m state --state NEW -p <proto> -m <proto> --dport <port> -j ACCEPT
##################################################################
# [RULES:PUBLIC]
-A Public -j RETURN
##################################################################
# All IP address ranges that are allowed to access the ports. If
# no IP addresses are given, then all will be assumed and a rule
# to jump to the Allowed chain will be created:
# -A AllowIP -j Allowed
# otherwise a list of allowed ips will be generated from ip.allow
# and will look like this:
# -A AllowIP -s 129.101.159.128/26 -j Allowed
##################################################################
# [RULES:ALLOWIP]
-A AllowIP -j RETURN
##################################################################
# Allowed. If a packet has met all the requirements it will end
# up here. This should be a static chain.
##################################################################
-A Allowed -p icmp -m state --state NEW -m icmp --icmp-type 0 -j ACCEPT
-A Allowed -p icmp -m state --state NEW -m icmp --icmp-type 3 -j ACCEPT
-A Allowed -p icmp -m state --state NEW -m icmp --icmp-type 8 -j ACCEPT
-A Allowed -p icmp -m state --state NEW -m icmp --icmp-type 11 -j ACCEPT
-A Allowed -j Private
-A Allowed ! -d 0.0.0.255/0.0.0.255 -m limit --limit 1/min -j LOG --log-prefix "iptables: Authorized:"
-A Allowed -j ACCEPT
##################################################################
# A list of authorized ports for the allowed IPs. If there are
# entries in the ports.private file then they will be added as:
# -A Private -m state --state NEW -p <proto> -m <proto> --dport <port> -j RETURN
##################################################################
# [RULES:PRIVATE]
-A Private ! -d 0.0.0.255/0.0.0.255 -m limit --limit 3/min -j LOG --log-prefix "iptables: Unauthorized:"
-A Private -j DROP
##################################################################
# Log and Drops
##################################################################
-A DropJail ! -d 0.0.0.255/0.0.0.255 -m limit --limit 3/min -j LOG --log-prefix "iptables: Jail:"
-A DropJail -j DROP
-A DropBastards ! -d 0.0.0.255/0.0.0.255 -m limit --limit 3/min -j LOG --log-prefix "iptables: Bastards:"
-A DropBastards -j DROP
-A DropInvalid ! -d 0.0.0.255/0.0.0.255 -m limit --limit 3/min -j LOG --log-prefix "iptables: Invalid:"
-A DropInvalid -j DROP
-A DropScan ! -d 0.0.0.255/0.0.0.255 -m limit --limit 3/min -j LOG --log-prefix "iptables: Scan detected:"
-A DropScan -j DROP
-A DropDDOS ! -d 0.0.0.255/0.0.0.255 -m limit --limit 3/min -j LOG --log-prefix "iptables: DDOS detected:"
-A DropDDOS -j DROP
##################################################################
# NATing
##################################################################
# [RULES:FORWARD]
-A FORWARD ! -d 0.0.0.255/0.0.0.255 -m limit --limit 3/min -j LOG --log-prefix "iptables: Bad NAT:"
-A FORWARD -j DROP
##################################################################
# Add any additional rules that fail2ban has added
##################################################################
# [RULES:FAIL2BAN]
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
# [RULES:POSTROUTING]
COMMIT
}
- IFACE_DMZ =
%q{# Generated by Shutter
# device
# eth0
# eth1
}
- IP_ALLOW =
%q{# Generated by Shutter
# ipaddr
# ipaddr/subnet
192.168.0.0/16
}
- IP_DENY =
%q{# Generated by Shutter
# ipaddr
# ipaddr/subnet
# 192.168.0.0/16
}
- PORTS_PUBLIC =
%q{
# proto port
# 80 tcp
# 443 tcp
}
- PORTS_PRIVATE =
%q{
# proto port
22 tcp
}
- IFACE_FORWARD =
%q{
# src iface | dst iface
# eth0 eth1
}
- IFACE_DMZ_MOCK =
%q{# Generated by Shutter
# device
eth0
eth1
}
- IP_ALLOW_MOCK =
%q{# Generated by Shutter
# ipaddr
# ipaddr/subnet
192.168.0.0/16
10.0.0.1
}
- IP_DENY_MOCK =
%q{# Generated by Shutter
# ipaddr
# ipaddr/subnet
172.31.0.0/24
8.9.9.9
}
- PORTS_PUBLIC_MOCK =
%q{
# proto port
80 tcp
443 tcp
}
- PORTS_PRIVATE_MOCK =
%q{
# proto port
22 tcp
}
- IFACE_FORWARD_MOCK =
%q{
# src iface | dst iface
eth0 eth1
}