# Firewall configuration for a multi-hosting web server.
# Written 2010 by Wayne Pollock, Tampa Florida USA.
#
# (This file is in iptables-{save,restore} format: one rule per line,
# comment lines start with '#', everything between '*filter' and 'COMMIT'
# is loaded atomically by iptables-restore.)
#
# NOTE(review): this file covers IPv4 only; if IPv6 is enabled on the host,
# an equivalent ip6tables ruleset would be needed and is not shown here.
*filter
# Define default policies for built-in rule chains:
# NOTE(review): all three built-in chains fail open (ACCEPT).  Every INPUT
# and FORWARD packet is handed to RULZ below, which ends in REJECT, so the
# policy is never reached while the ruleset is intact; if RULZ were ever
# flushed or the jump removed, the host would be fully exposed.  A DROP
# policy on INPUT and FORWARD would be the fail-closed alternative.
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
# Define my additional rule chains:
#   RULZ       - shared rule body for INPUT and FORWARD
#   LOGDROP    - log a packet, then drop it
#   RFC-5735   - source-address sanity checks (bogon filtering)
#   DNS_RECENT - per-source rate limit for inbound UDP/53
#   SSH_RECENT - per-source rate limit for inbound TCP/22
:RULZ - [0:0]
:LOGDROP - [0:0]
:RFC-5735 - [0:0]
:DNS_RECENT - [0:0]
:SSH_RECENT - [0:0]
# Create LOGDROP chain (It logs, then drops, all packets):
# NOTE(review): the LOG rule has no '-m limit' and no '--log-prefix', so a
# flood of bogon-sourced packets is logged one line per packet (log-volume
# DoS risk) and the lines carry nothing identifying this ruleset.  Consider
# '-m limit --limit 5/min' and a '--log-prefix' on the LOG rule.
-A LOGDROP -j LOG
-A LOGDROP -j DROP
#######################################################################
# Drop all packets with invalid source IP addresses (See RFC-5735, previously RFC-3330):
# (First rule appended to RULZ, so these checks run before any ACCEPT below.)
-A RULZ -j RFC-5735
# 0.0.0.0 is only legal as a src IP on a local LAN in DHCP packets.  Since
# this host isn't serving DHCP, it is safe to drop these:
# (Only checked on eth0; the same source on other interfaces is not dropped here.)
-A RFC-5735 -i eth0 -s 0.0.0.0/8 -j LOGDROP
-A RFC-5735 -s 255.255.255.255 -j LOGDROP
# Shouldn't see loopback address as src on incoming packets on any NICs:
# NOTE(review): '-i ! lo' is the older "intrapositioned" negation; newer
# iptables releases warn about it and prefer '! -i lo'.  Left as-is because
# the extrapositioned form is not accepted by some older iptables versions.
-A RFC-5735 -i ! lo -s 127.0.0.0/8 -j LOGDROP
# Private range IPs can't be forwarded and thus can't be legal src IP
# (except if using VPN; if so change this):
# Don't block 10.0.0.0/8, used on this network:
#-A RFC-5735 -s 10.0.0.0/8 -j LOGDROP
-A RFC-5735 -m iprange --src-range 172.16.0.0-172.31.255.255 -j LOGDROP
-A RFC-5735 -s 192.168.0.0/16 -j LOGDROP
# Multicast addresses can't be valid src IP:
-A RFC-5735 -m iprange --src-range 224.0.0.0-239.255.255.255 -j LOGDROP
# Class E addresses are reserved and thus illegal:
-A RFC-5735 -m iprange --src-range 240.0.0.0-247.255.255.255 -j LOGDROP
# All higher addresses are illegal (255.255.255.255 was handled above):
-A RFC-5735 -m iprange --src-range 248.0.0.0-255.255.255.254 -j LOGDROP
# Reserved for zeroconf link-local addressing, not used on my LAN:
-A RFC-5735 -s 169.254.0.0/16 -j LOGDROP
# Reserved for TEST-NET (and -2, and -3), and for documentation purposes:
-A RFC-5735 -s 192.0.2.0/24 -j LOGDROP
-A RFC-5735 -s 198.51.100.0/24 -j LOGDROP
-A RFC-5735 -s 203.0.113.0/24 -j LOGDROP
# Reserved for Internet device benchmark testing:
-A RFC-5735 -s 198.18.0.0/15 -j LOGDROP
# 192.88.99.0/24 used for 6to4 relay anycast, which is only used for some
# IPv6 setups (and isn't used on this host):
-A RFC-5735 -s 192.88.99.0/24 -j LOGDROP
# Anything else passes the sanity check; continue in RULZ:
-A RFC-5735 -j RETURN
######################################################################
# Use the same rules for INPUT and FORWARD (Not that this host forwards anything):
-A INPUT -j RULZ
-A FORWARD -j RULZ
######################################################################
# Stop attacks, by limiting incoming connections per source IP:
# Every UDP/53 packet arriving on eth0 is recorded in the "DNS" recent list;
# the 5th packet from the same source within 60 seconds (and any further
# ones while hits keep coming) is silently dropped.
# NOTE(review): there is no state match and no '--rttl' here, so this limit
# is tripped by plain UDP datagrams, whose source address is not validated by
# a handshake -- a third party's resolver can be rate-limited on its behalf.
# A threshold of 5 queries/minute is also low for a busy legitimate resolver;
# verify against real query volume before relying on this.
-A RULZ -p udp --dport 53 -j DNS_RECENT
-A DNS_RECENT -i eth0 -m recent --set --name DNS
-A DNS_RECENT -i eth0 -m recent --update --seconds 60 --hitcount 5 --name DNS -j DROP
# Some IPs are lately trying SSH dictionary attacks so frequently as to cause DoS:
-A RULZ -p tcp --dport 22 -j SSH_RECENT
# White-list HCC, so it doesn't get blocked:
# ('--remove' also clears any block these two addresses may already have
# accumulated in the "SSH" list before accepting.)
-A SSH_RECENT -p tcp --dport 22 -s 169.139.223.1 -m recent --remove --name SSH -j ACCEPT
-A SSH_RECENT -p tcp --dport 22 -s 169.139.223.21 -m recent --remove --name SSH -j ACCEPT
# Block offensive IP addresses (for 5 minutes = 300 seconds):
# Only NEW connections count as hits; '--rttl' requires the packet's TTL to
# match the one recorded for that source, which makes it harder to get a
# forged source address blocked.  Blocked attempts go through LOGDROP, so
# they appear in the log (see the LOG-rate caveat on LOGDROP above).
-A SSH_RECENT -p tcp --dport 22 -m state --state NEW -m recent --set --name SSH
-A SSH_RECENT -p tcp --dport 22 -m state --state NEW -m recent --update --seconds 300 --hitcount 5 --rttl --name SSH -j LOGDROP
######################################################################
# Open holes for incoming connections (note DNS, SSH attackers are already blocked):
-A RULZ -i lo -j ACCEPT
# NOTE(review): this accepts every ICMP type, not just echo and the
# error types needed for PMTU discovery; restricting to the types actually
# required is a common hardening step.
-A RULZ -p icmp --icmp-type any -j ACCEPT
-A RULZ -m state --state ESTABLISHED,RELATED -j ACCEPT
# Public services: DNS (tcp+udp), SSH, SMTP, POP3S, IMAPS, HTTP, HTTPS:
-A RULZ -m state --state NEW -m tcp -p tcp --dport 53 -j ACCEPT
-A RULZ -m state --state NEW -m udp -p udp --dport 53 -j ACCEPT
-A RULZ -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A RULZ -m state --state NEW -m tcp -p tcp --dport 25 -j ACCEPT
-A RULZ -m state --state NEW -m tcp -p tcp --dport 995 -j ACCEPT
-A RULZ -m state --state NEW -m tcp -p tcp --dport 993 -j ACCEPT
-A RULZ -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT
-A RULZ -m state --state NEW -m tcp -p tcp --dport 443 -j ACCEPT
# Windows file sharing (NetBIOS/SMB), currently disabled:
#-A RULZ -m state --state NEW -m udp -p udp --dport 137 -j ACCEPT
#-A RULZ -m state --state NEW -m udp -p udp --dport 138 -j ACCEPT
#-A RULZ -m state --state NEW -m tcp -p tcp --dport 139 -j ACCEPT
#-A RULZ -m state --state NEW -m tcp -p tcp --dport 445 -j ACCEPT
# CVS pserver (repo=/var/cvs-repo):
#-A RULZ -m state --state NEW -m tcp -p tcp --dport 2401 -j LOG
#-A RULZ -m state --state NEW -m tcp -p tcp --dport 2401 -j ACCEPT
# Data Protector Backup Server (Omni Tape Library) port:
# (Restricted to the two backup-server addresses.)
-A RULZ -p tcp -s 169.139.223.54 --dport 5555 -j ACCEPT
-A RULZ -p tcp -s 169.139.222.40 --dport 5555 -j ACCEPT
# Davical (CalDAV) server port:
# NOTE(review): 5432 is the default PostgreSQL port.  CalDAV itself is
# normally served over HTTP/HTTPS (80/443 above); if this rule exists for
# Davical's database backend, it exposes the database listener to every
# source address.  Confirm what listens here and, if it is PostgreSQL,
# restrict the rule with '-s' to the hosts that genuinely need it.
-A RULZ -m state --state NEW -m tcp -p tcp --dport 5432 -j ACCEPT
# Log any rejected packets to /var/log/messages (for troubleshooting only):
#-A RULZ -j LOG
# Reject anything not permitted by above rules:
# (REJECT rather than DROP: senders get an ICMP error instead of a timeout.)
-A RULZ -j REJECT --reject-with icmp-host-prohibited
COMMIT