From 49996391c0a72e72d2f07c9959e94f6036d621bb Mon Sep 17 00:00:00 2001
From: mitty
Date: Sat, 4 Jul 2009 22:20:56 +0000
Subject: [PATCH] * change --log-level to "err"
* accept FORWARD from LAN (eth0 with 192.168.100.0/24)
* drop CIFS access from/to WAN (eth1)
* accept access from LAN
* add custom rules for 'setfilter' script
* mangle.rules, raw.rules
git-svn-id: https://lab.mitty.jp/svn/lab/trunk@12 7d2118f6-f56c-43e7-95a2-4bb3031d96e7
---
 iptables/ufw/after.rules | 4 ++--
 iptables/ufw/before.rules | 23 +++++++++++++++++++++--
 iptables/ufw/mangle.rules | 12 ++++++++++++
 iptables/ufw/raw.rules | 33 +++++++++++++++++++++++++++++++++
 4 files changed, 68 insertions(+), 4 deletions(-)
 create mode 100644 iptables/ufw/mangle.rules
 create mode 100644 iptables/ufw/raw.rules
diff --git a/iptables/ufw/after.rules b/iptables/ufw/after.rules
index 70b5624..37fc6e7 100644
--- a/iptables/ufw/after.rules
+++ b/iptables/ufw/after.rules
@@ -24,8 +24,8 @@
 -A ufw-after-input -p udp --dport 68 -j RETURN
 # catchall for logging
--A ufw-after-input -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW BLOCK INPUT]: "
--A ufw-after-forward -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW BLOCK FORWARD]: "
+-A ufw-after-input -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW BLOCK INPUT]: " --log-level err
+-A ufw-after-forward -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW BLOCK FORWARD]: " --log-level err
 # don't delete the 'COMMIT' line or these rules won't be processed
 COMMIT
diff --git a/iptables/ufw/before.rules b/iptables/ufw/before.rules
index 8177fb1..a26e524 100644
--- a/iptables/ufw/before.rules
+++ b/iptables/ufw/before.rules
@@ -23,12 +23,31 @@
 # connection tracking rules
 -A ufw-before-input -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
+-A ufw-before-forward -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
 # drop INVALID packets
 # uncomment to log INVALID packets
-#-A ufw-before-input -m conntrack --ctstate INVALID -j LOG --log-prefix "[UFW BLOCK INVALID]: "
+-A ufw-before-input -m conntrack --ctstate INVALID -j LOG --log-prefix "[UFW BLOCK INVALID]: " --log-level err -m limit --limit 3/min --limit-burst 10
 -A ufw-before-input -m conntrack --ctstate INVALID -j DROP
+## Ingress filter (see RFC 2827) (eth0:LAN<192.168.100.0/24>)
+-A ufw-before-forward -i eth0 -s ! 192.168.100.0/24 -j LOG --log-tcp-options --log-ip-options --log-prefix "[UFW BLOCK LOG_INGRESS]: " --log-level err -m limit --limit 3/min --limit-burst 10
+-A ufw-before-forward -i eth0 -s ! 192.168.100.0/24 -j DROP
+
+## DROP CIFS(Samba) access from/to WAN(eth1)
+-A ufw-before-input -i eth1 -p tcp -m multiport --dports 135,137:139,445 -j DROP
+-A ufw-before-input -i eth1 -p udp -m multiport --dports 135,137:139,445 -j DROP
+-A ufw-before-forward -i eth1 -p tcp -m multiport --dports 135,137:139,445 -j DROP
+-A ufw-before-forward -i eth1 -p udp -m multiport --dports 135,137:139,445 -j DROP
+-A ufw-before-forward -o eth1 -p tcp -m multiport --dports 135,137:139,445 -j DROP
+-A ufw-before-forward -o eth1 -p udp -m multiport --dports 135,137:139,445 -j DROP
+-A ufw-before-output -o eth1 -p tcp -m multiport --dports 135,137:139,445 -j DROP
+-A ufw-before-output -o eth1 -p udp -m multiport --dports 135,137:139,445 -j DROP
+
+## Access from LAN
+-A ufw-before-input -i eth0 -j ACCEPT
+-A ufw-before-forward -i eth0 -j ACCEPT
+
 # connection tracking for outbound
 -A ufw-before-output -p tcp -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
 -A ufw-before-output -p udp -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
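Review bot: The RFC 2827 ingress filter added for eth0 only covers ufw-before-forward, while the new `-A ufw-before-input -i eth0 -j ACCEPT` below it accepts anything arriving on eth0 that is addressed to the gateway itself, so a LAN host using a spoofed non-192.168.100.0/24 source still reaches local services with no filtering at all. Adding `-A ufw-before-input -i eth0 -s ! 192.168.100.0/24 -j DROP` ahead of the LAN accept, mirroring the forward rule, closes that gap. Note also that the blanket `-i eth0 -j ACCEPT` in the input path runs before ufw-user-input, so per-port ufw rules will never apply to LAN-sourced traffic; if that is intended (the commit subject says "accept access from LAN"), a comment such as `# NOTE: LAN traffic bypasses ufw user rules entirely; tighten here if the LAN is not fully trusted` would spare the next reader a surprise.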
@@ -57,7 +76,7 @@
 # if BROADCAST, RETURN
 -A ufw-not-local -m addrtype --dst-type BROADCAST -j RETURN
--A ufw-not-local -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW BLOCK NOT-TO-ME]: "
+-A ufw-not-local -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW BLOCK NOT-TO-ME]: " --log-level err
 # all other non-local packets are dropped
 -A ufw-not-local -j DROP
diff --git a/iptables/ufw/mangle.rules b/iptables/ufw/mangle.rules
new file mode 100644
index 0000000..a54f525
--- /dev/null
+++ b/iptables/ufw/mangle.rules
@@ -0,0 +1,12 @@
+#
+# This file is used by /etc/init.d/setfilter
+#
+# Rules that should be stored in mangle table.
+
+
+*mangle
+# to overcome criminally braindead ISPs or servers which block ICMP Fragmentation Needed packets
+# see iptables(8)
+-A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
+
+COMMIT
diff --git a/iptables/ufw/raw.rules b/iptables/ufw/raw.rules
new file mode 100644
index 0000000..8b4a306
--- /dev/null
+++ b/iptables/ufw/raw.rules
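Review bot: The MSS clamp in mangle.rules applies to every forwarded SYN on any interface pair, whereas the rest of this commit treats eth1 as the WAN; restricting it to `-A FORWARD -o eth1 -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu` keeps any LAN-to-LAN forwarding untouched and documents which link the clamp is for. Connections originated by the gateway itself are not clamped since the rule is on FORWARD only; if that is deliberate, a one-line comment such as `# FORWARD only: the gateway's own sockets rely on normal PMTUD` would make it explicit. The file also declares no `:PREROUTING ACCEPT [0:0]`-style chain lines, so when loaded with iptables-restore it relies on whatever policies the mangle table already has — worth a comment, since the setfilter script that loads it is not shown here.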
@@ -0,0 +1,33 @@
+#
+# This file is used by /etc/init.d/setfilter
+#
+# Rules that should be stored in raw table.
+# These are mainly used to filter evil or wrong packets.
+
+
+*raw
+:LOG_ICMP - [0:0]
+:LOG_SPOOF - [0:0]
+
+## LOG and DROP fragmented packets (not head fragments)
+-A PREROUTING --fragment -j LOG --log-prefix "[UFW BLOCK FRAGMENTED]: " --log-level err -m limit --limit 3/min --limit-burst 10
+-A PREROUTING --fragment -j DROP
+
+## LOG and DROP strange icmp packets
+-A LOG_ICMP -j LOG --log-prefix "[UFW BLOCK BAD-ICMP]: " --log-level err -m limit --limit 3/min --limit-burst 10
+-A LOG_ICMP -j DROP
+# Too large icmp requests
+-A PREROUTING -p icmp --icmp-type echo-request -m length --length 85: -j LOG_ICMP
+# Too many times of icmp requests (only 5 packets per second if over 10pkts/sec)
+-A PREROUTING -p icmp --icmp-type echo-request -m limit --limit 5/s --limit-burst 10 -j ACCEPT
+-A PREROUTING -p icmp --icmp-type echo-request -j LOG_ICMP
+
+## LOG and DROP IP spoofing (eth1:WAN)
+-A LOG_SPOOF -j LOG --log-prefix "[UFW BLOCK IP-SPOOFING]: " --log-level err -m limit --limit 3/min --limit-burst 10
+-A LOG_SPOOF -j DROP
+-A PREROUTING -i eth1 -s 127.0.0.0/8 -j LOG_SPOOF
+-A PREROUTING -i eth1 -s 10.0.0.0/8 -j LOG_SPOOF
+-A PREROUTING -i eth1 -s 172.16.0.0/12 -j LOG_SPOOF
+-A PREROUTING -i eth1 -s 192.168.0.0/16 -j LOG_SPOOF
+
+COMMIT
-- 
1.7.9.5
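Review bot: The echo-request limiter at `-m limit --limit 5/s --limit-burst 10` is a single global bucket, so one remote host sending more than 5 pings a second causes every other host's echo-requests to be logged and dropped by the following LOG_ICMP line — a trivially triggered denial of ICMP-based monitoring. A per-source bucket, `-m hashlimit --hashlimit-name icmp --hashlimit-mode srcip --hashlimit-upto 5/s --hashlimit-burst 10 -j ACCEPT`, limits each sender independently (hashlimit option names differ between iptables versions, so check `iptables -m hashlimit -h` on the target before adopting that spelling). The `--fragment` DROP in raw PREROUTING also deserves a caveat: on kernels where conntrack's defragmentation hook runs before the raw table the rule never matches, and where it does match it silently kills legitimate fragmented UDP such as large DNS answers, NFS and IPsec, so a comment recording which case applies here, marked `# TODO confirm`, would help. Finally, the spoof list for eth1 omits 0.0.0.0/8, 169.254.0.0/16 and 224.0.0.0/4 as source addresses, which are as bogus on a WAN link as the RFC 1918 ranges already listed.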