# fss-0002
main:
- rule tty
+ # initialize the firewall
+ direction none
+ action none
+
+ rule -F
+ rule -Z
+
+ tool iptables
+ rule -t nat -F
+ rule -t mangle -F
+ tool ip46tables
+
+ # setup initial operations
+ chain INPUT
+ direction input
+ action append
+
+
+ # Process all loopback connections and filter out (and log) invalid connections.
+ # Valid connections will return and follow all remaining rules below.
+ device lo
+ chain OUTPUT
+ direction output
+ rule -j output-loopback
+
+ chain INPUT
+ direction input
+ rule -j input-loopback
+ device all
+
+
+ # Handle all packets parked INVALID in separate chains.
+ chain OUTPUT
+ #rule -m state --state INVALID -j output-invalid
+ rule -m conntrack --ctstate INVALID -j output-invalid
+
+ chain INPUT
+ #rule -m state --state INVALID -j input-invalid
+ rule -m conntrack --ctstate INVALID -j input-invalid
+
+
+ # Drop multicasts and broadcasts, they should not exist for a router and in most cases should be avoided.
+ # unicasts are the normal behavior and blocking them would be very unusual.
+ chain OUTPUT
+ rule -m pkttype --pkt-type broadcast -j output-casting
+ rule -m pkttype --pkt-type multicast -j output-casting
+ #rule -m pkttype --pkt-type unicast -j output-casting
+
+ chain INPUT
+ rule -m pkttype --pkt-type broadcast -j input-casting
+ rule -m pkttype --pkt-type multicast -j input-casting
+ #rule -m pkttype --pkt-type unicast -j input-casting
+
+
+ # handle tcp-security before accepting established or related packets.
+ protocol tcp
+ rule -j input-tcp-security
+ rule -j output-tcp-security
+ protocol none
+
+
+ # Allow ALL input and output connections that have already been established by this host (and made it this far in the chain process).
+ chain OUTPUT
+ #rule -m state --state ESTABLISHED,RELATED -j ACCEPT
+ rule -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
+
+ chain INPUT
+ #rule -m state --state ESTABLISHED,RELATED -j ACCEPT
+ rule -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
+
+
+ # send all tcp packets to the tcp queue.
+ chain OUTPUT
+ protocol tcp
+ rule -m state --state NEW -j output-tcp
+
+ chain INPUT
+ rule -m state --state NEW -j input-tcp
+
+
+ # send all udp packets to the udp queue
+ chain OUTPUT
+ protocol udp
+ rule -m state --state NEW -j output-udp
+
+ chain INPUT
+ rule -m state --state NEW -j input-udp
+
+
+ # send all ipv4 icmp packets to the icmp queue.
+ tool iptables
+ chain OUTPUT
+ protocol icmp
+ rule -m state --state NEW -j output-icmp
+
+ chain INPUT
+ rule -m state --state NEW -j input-icmp
+
+ # send all ipv6 icmp packets to the icmp queue (alternatively put this in its own chain, such as input-icmpv6 and output-icmpv6).
+ tool ip6tables
+ chain OUTPUT
+ protocol icmpv6
+ rule -m state --state NEW -j output-icmp
+
+ chain INPUT
+ rule -m state --state NEW -j input-icmp
+
+
+ # send all remaining packets to the unknown queue
+ chain OUTPUT
+ protocol udp
+ rule -m state --state NEW -j output-unknown
+
+ chain INPUT
+ rule -m state --state NEW -j input-unknown
+
+
+output-tcp:
+ direction output
+ protocol tcp
+
+
+input-tcp:
+ direction input
+ protocol tcp
+
+ # Prevent an XMAS attack
+ rule --tcp-flags ALL ALL -j DROP
+
+ # Prevent NULL attack
+ rule --tcp-flags ALL NONE -j DROP
+
+
+output-udp:
+ direction output
+ protocol udp
+
+
+input-udp:
+ direction input
+ protocol udp
+
+ # Allow dhcp client renewals (from server to client). If these are blocked, you will not be able to renew easily.
+ tool iptables
+ rule -s 0.0.0.0 --sport 67 -d 255.255.255.255 --dport 68 -j ACCEPT
+ tool ip46tables
+
+
+output-icmp:
+ direction output
+ protocol icmp
+
+
+input-icmp:
+ direction input
+ protocol icmp
+
+
+output-unkown:
+ direction output
+ protocol none
+
+ # drop unknown packets.
+ #rule -j DROP
+
+
+input-unkown:
+ direction input
+ protocol none
+
+ # drop unknown packets.
+ #rule -j DROP
+
+
+input-casting:
+ # pre-process broadcasts and multicasts.
+ direction input
+ protocol none
+ tool ip46tables
+
+ # do not auto-drop dhcp messages sent from a dhcp server to a local dhcp client.
+ # dhcp offer/acknowledge (the source address must be the routers address, so do not allow 0.0.0.0/0)
+ protocol udp
+ tool iptables
+ rule --sport 67 -d 255.255.255.255 --dport 68 -j RETURN
+ protocol none
+ tool ip46tables
+
+ # drop all remaining broadcasts and multicasts
+ rule -j DROP
+
+
+output-casting:
+ # pre-process broadcasts and multicasts.
+ direction output
+ protocol none
+ tool ip46tables
+
+ # do not auto-drop dhcp client messages sent to a dhcp server.
+ # dhcp discover/request (for the request, the dhcp server ip address is known but for some reason the dhcp standard states tat the src is 0.0.0.0.
+ protocol udp
+ tool iptables
+ rule --sport 68 -d 255.255.255.255 --dport 67 -j RETURN
+ protocol none
+ tool ip46tables
+
+ # drop all remaining broadcasts and multicasts
+ rule -j DROP
+
+
+input-loopback:
+ direction input
+ protocol none
+
+ # send all valid loopback connections back to the main tree so that the remainder firewall rules apply.
+ tool iptables
+ rule -s 127.0.0.0/8 -d 127.0.0.0/8 -j RETURN
+ tool ip6tables
+ rule -s ::1/128 -d ::1/128 -j RETURN
+
+ # this is a link-local address.
+ rule -s fe80::/10 -d fe80::/10 -j RETURN
+ tool ip46tables
+
+
+ # all packets to a known ethernet devices ip address are (incorrectly) sent to loopback by applications like apache.
+ # these specific rules may need to be allowed despite the ip address being incorrect.
+ # specifically, only 127.0.0.0/8 ip address should ever been sent to the loopback.
+ # this is an example rule using an example ip address.
+ #tool iptables
+ #rule -s 192.168.0.1 -d 192.168.0.1 -j RETURN
+ #tool ip46tables
+
+ # the remaining loopback packets are therefore invalid, log them and then drop them. (these options might be handy: --log-uid --log-tcp-options --log-ip-options)
+ rule -j LOG --log-prefix "INVALID:INPUT:LOOP "
+ rule -j DROP
+
+
+output-loopback:
+ direction output
+ protocol none
+
+ # send all valid loopback connections back to the main tree so that the remainder firewall rules apply.
+ tool iptables
+ rule -s 127.0.0.0/8 -d 127.0.0.0/8 -j RETURN
+ tool ip6tables
+ rule -s ::1/128 -d ::1/128 -j RETURN
+
+ # this is a link-local address.
+ rule -s fe80::/10 -d fe80::/10 -j RETURN
+ tool ip46tables
+
+
+ # all packets to a known ethernet devices ip address are (incorrectly) sent to loopback by applications like apache.
+ # these specific rules may need to be allowed despite the ip address being incorrect.
+ # specifically, only 127.0.0.0/8 ip address should ever been sent to the loopback.
+ # this is an example rule using an example ip address.
+ #tool iptables
+ #rule -s 192.168.0.1 -d 192.168.0.1 -j RETURN
+ #tool ip46tables
+
+ # the remaining loopback packets are therefore invalid, log them and then drop them. (these options might be handy: --log-uid --log-tcp-options --log-ip-options)
+ rule -j LOG --log-prefix "INVALID:OUTPUT:LOOP "
+ rule -j DROP
+
+
+input-invalid:
+ direction input
+ protocol tcp
+
+ # silently drop invalid RST tcp packets instead of sending a RST back.
+ rule --tcp-flags RST RST -j DROP
+
+ # Reject all remaining invalid tcp packets.
+ rule -j REJECT --reject-with tcp-reset
+
+ # Drop all remaining protocols with invalid data.
+ protocol none
+ rule -j DROP
+
+
+output-invalid:
+ direction output
+ protocol tcp
+
+ # Allow sending TCP RST even when there is no valid local connection.
+ rule --tcp-flags RST RST -j ACCEPT
+
+ # Reject all remaining invalid tcp packets.
+ rule -j REJECT --reject-with tcp-reset
+
+ # Drop all remaining protocols with invalid data.
+ protocol none
+ rule -j DROP
+
+
+input-tcp-security:
+ direction input
+ protocol tcp
+
+ # Resist TCP sequence number spoof attacks (see: http://www.linuxtopia.org/Linux_Firewall_iptables/x6231.html).
+ rule --tcp-flags SYN,ACK SYN,ACK -m conntrack --ctstate NEW -j input-invalid
+
+ # TCP streams must always start with SYN, all others are invalid and may be an attack (see: http://www.linuxtopia.org/Linux_Firewall_iptables/x6193.html).
+ rule ! --syn -m conntrack --ctstate NEW -j input-invalid
+
+ # Prevent an XMAS-type attacks (drop packets).
+ rule --tcp-flags ALL FIN,URG,PSH -j DROP
+ rule --tcp-flags ALL ALL -j DROP
+ rule --tcp-flags ALL SYN,RST,ACK,FIN,URG -j DROP
+
+ # Prevent NULL attack (drop packets).
+ rule --tcp-flags ALL NONE -j DROP
+
+ # Prevent Sync Reset Attacks (drop packets).
+ rule --tcp-flags SYN,RST SYN,RST -j DROP
+ rule --tcp-flags SYN,FIN SYN,FIN -j DROP
+
+
+output-tcp-security:
+ direction output
+ protocol tcp
+
+ # Resist TCP sequence number spoof attacks (see: http://www.linuxtopia.org/Linux_Firewall_iptables/x6231.html).
+ rule --tcp-flags SYN,ACK SYN,ACK -m conntrack --ctstate NEW -j output-invalid
+
+ # TCP streams must always start with SYN, all others are invalid and may be an attack (see: http://www.linuxtopia.org/Linux_Firewall_iptables/x6193.html).
+ rule ! --syn -m conntrack --ctstate NEW -j output-invalid
+
+ # Prevent an XMAS-type attacks (drop packets).
+ rule --tcp-flags ALL FIN,URG,PSH -j DROP
+ rule --tcp-flags ALL ALL -j DROP
+ rule --tcp-flags ALL SYN,RST,ACK,FIN,URG -j DROP
+
+ # Prevent NULL attack (drop packets).
+ rule --tcp-flags ALL NONE -j DROP
+
+ # Prevent Sync Reset Attacks (drop packets).
+ rule --tcp-flags SYN,RST SYN,RST -j DROP
+ rule --tcp-flags SYN,FIN SYN,FIN -j DROP
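Review bot: The jumps `-j output-unknown` and `-j input-unknown` (L115, L118) point at chains this file never declares, because the chain labels are spelled `output-unkown:` (L162) and `input-unkown:` (L170), so the "remaining packets" dispatch cannot resolve. That same block is also much narrower than its comment claims: the resets at L62 and L149 show that `protocol` and `tool` persist until changed, so `tool ip6tables` from L103 and `protocol udp` on L114 are still in force and only IPv6 UDP ever reaches the unknown chains; the block needs `tool ip46tables` and `protocol none` before its rules. Likewise L59-62 run under `chain INPUT` from L52 with no chain switch, so `rule -j output-tcp-security` is appended to INPUT and OUTPUT never gets its tcp-security hook (unless `direction` alone selects the chain, which the file's explicit `chain` lines suggest it does not). A smaller point: L148 matches `-s 0.0.0.0`, but a DHCP server answers from its own address (L185 says as much), so that accept rule most likely never matches and should drop the `-s 0.0.0.0` match. The changed lines are below; the rest of the `main:` block and the unknown chains are unchanged.

```fss
 # handle tcp-security before accepting established or related packets.
 protocol tcp
 rule -j input-tcp-security
 chain OUTPUT
 rule -j output-tcp-security
 protocol none
 # … unchanged: established/related, tcp, udp, icmp and icmpv6 dispatch …
 # send all remaining packets to the unknown queue
 tool ip46tables
 chain OUTPUT
 protocol none
 rule -m state --state NEW -j output-unknown
 # … unchanged: chain INPUT / rule -m state --state NEW -j input-unknown …
output-unknown:
 # … unchanged: direction, protocol, commented drop …
input-unknown:
 # … unchanged: direction, protocol, commented drop …
```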