[elpa] externals/nftables-mode 869f14abf4 34/41: Initial import.
From: Stefan Monnier
Subject: [elpa] externals/nftables-mode 869f14abf4 34/41: Initial import.
Date: Mon, 23 May 2022 09:27:25 -0400 (EDT)
branch: externals/nftables-mode
commit 869f14abf41c504fc9fcb2538033e566f425b1f4
Author: Trent W. Buck <trentbuck@gmail.com>
Commit: Trent W. Buck <trentbuck@gmail.com>
Initial import.
---
iptab | 50 +++++++++++++++++++++++++++++++++++++++++++++
iptab.ips | 69 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
iptab.nat | 65 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
3 files changed, 184 insertions(+)
diff --git a/iptab b/iptab
new file mode 100644
index 0000000000..bedc228d3e
--- /dev/null
+++ b/iptab
@@ -0,0 +1,50 @@
+#!/usr/sbin/iptables-apply
+### This -*-conf-*- file is my template /etc/iptab for new hosts.
+### Ref. http://jengelh.medozas.de/documents/Perfect_Ruleset.pdf
+### From init, use iptables-restore /etc/iptab (NOT iptables-apply).
+### Ruleset can and should be loaded BEFORE network ifaces exist.
+###
+### Named hosts and services names are resolved ONCE, at load time.
+### See getent(1). For meaningful ethernet iface names, edit
+### /etc/udev/rules.d/*persistent-net.rules and reboot.
+###
+### Date: Aug 2009
+
+######################################################################
+## Rulesets (*foo ... COMMIT) load atomically. First load a deny-all
+## ruleset so that if the "real" ruleset fails to load, the system
+## WILL NOT be left in an allow-all state.
+*filter
+:INPUT DROP
+:FORWARD DROP
+:OUTPUT ACCEPT
+-A INPUT -s 192.168/16 -j ACCEPT -m comment --comment "Allow recovery from
LAN."
+-A OUTPUT -p udp --dport domain -j REJECT -m comment --comment "On error,
avoid DNS timeout delays"
+COMMIT
+
+######################################################################
+*filter
+:OUTPUT ACCEPT # Local users/processes are trusted.
+:INPUT DROP # Ingress policy is "default deny".
+:FORWARD DROP # Routing policy is "default deny".
+:PRELUDE - # Best practices for filtered chains.
+## Quickly handle the essentials of a "default deny" environment.
+## Anything left after this chain implicitly has --ctstate NEW.
+-A INPUT -j PRELUDE
+-A FORWARD -j PRELUDE
+-A PRELUDE -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
+-A PRELUDE -m conntrack ! --ctstate NEW -j DROP -m comment --comment "Same as
--ctstate INVALID."
+-A PRELUDE -p icmp -j ACCEPT
+-A PRELUDE -i lo -j ACCEPT
+## YOUR RULES GO HERE. Below is a simple example: a firewalling
+## router and SSH gateway that also serves DHCP/DNS/NTP to the LAN,
+## with a web server "www" and a mail server "mail" behind it.
+-A INPUT -p tcp --dport ssh -j ACCEPT
+-A INPUT -i lan -p udp -m multiport --dports bootps,domain,ntp -j ACCEPT
+-A FORWARD -d mail -p tcp -m multiport --dports smtp,submission,imaps -j ACCEPT
+-A FORWARD -d www -p tcp -m multiport --dports http,https -j ACCEPT
+## Finally, politely reject all other attempts. Omit these to use the
+## chains' default policies (DROP, above) instead.
+-A INPUT -j REJECT
+-A FORWARD -j REJECT
+COMMIT
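Review bot: the two FORWARD rules near the end of the hunk (`-A FORWARD -d mail ...`, `-A FORWARD -d www ...`) use hostnames that iptables-restore resolves once at load time, and the header says the ruleset is loaded before any interface is up, so `mail` and `www` must be resolvable from /etc/hosts rather than DNS; if resolution fails, the whole second `*filter` block is rejected and the host stays on the deny-all ruleset loaded just above it. That fallback is the intended behaviour, but it belongs in the header comment next to the getent(1) note. Smaller point: the comment `Same as --ctstate INVALID.` on the `! --ctstate NEW -j DROP` rule is not exact, since once RELATED,ESTABLISHED have been accepted the rule also drops UNTRACKED packets; either say so or write `--ctstate INVALID,UNTRACKED` explicitly.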
diff --git a/iptab.ips b/iptab.ips
new file mode 100644
index 0000000000..c619f9b38e
--- /dev/null
+++ b/iptab.ips
@@ -0,0 +1,69 @@
+#!/usr/sbin/iptables-apply
+### This -*-conf-*- file is my template /etc/iptab for new hosts.
+### Ref. http://jengelh.medozas.de/documents/Perfect_Ruleset.pdf
+### From init, use iptables-restore /etc/iptab (NOT iptables-apply).
+### Ruleset can and should be loaded BEFORE network ifaces exist.
+###
+### Named hosts and services names are resolved ONCE, at load time.
+### See getent(1). For meaningful ethernet iface names, edit
+### /etc/udev/rules.d/*persistent-net.rules and reboot.
+###
+### Date: Aug 2009
+
+######################################################################
+## Rulesets (*foo ... COMMIT) load atomically. First load a deny-all
+## ruleset so that if the "real" ruleset fails to load, the system
+## WILL NOT be left in an allow-all state.
+*filter
+:INPUT DROP
+:FORWARD DROP
+:OUTPUT ACCEPT
+-A INPUT -s 192.168/16 -j ACCEPT -m comment --comment "Allow recovery from
LAN."
+-A OUTPUT -p udp --dport domain -j REJECT -m comment --comment "On error,
avoid DNS timeout delays"
+COMMIT
+
+######################################################################
+*filter
+:OUTPUT ACCEPT # Local users/processes are trusted.
+:INPUT DROP # Ingress policy is "default deny".
+:FORWARD DROP # Routing policy is "default deny".
+:PRELUDE - # Best practices for filtered chains.
+:BLACKLIST -
+## Quickly handle the essentials of a "default deny" environment.
+## Anything left after this chain implicitly has --ctstate NEW.
+-A INPUT -j PRELUDE
+-A FORWARD -j PRELUDE
+-A PRELUDE -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
+-A PRELUDE -m conntrack ! --ctstate NEW -j DROP -m comment --comment "Same as
--ctstate INVALID."
+-A PRELUDE -p icmp -j ACCEPT
+-A PRELUDE -i lo -j ACCEPT
+## An automated SSH brute-force blacklist. Requires xtables. Unlike
+## fail2ban or DenyHosts, there are NO userspace requirements -- not
+## even sshd is needed! echo +1.2.3.4 >/proc/net/xt_recent/whitelist
+## to whitelist 1.2.3.4 for an hour. Protects both this host AND all
+## hosts "behind" this one.
+##
+# New connections from IPs blacklisted within the last ten minutes are
+# chaotically rejected, AND reset the countdown back to ten minutes.
+# This is in PRELUDE such that blacklisted attackers are refused ALL
+# services, not just rate-limited ones.
+-A PRELUDE -m recent --name blacklist --update --seconds 600 --rttl -j
BLACKLIST
+# This NON-TERMINAL chain counts connections passing through it. When
+# a connection rate exceeds 3/min/srcip/dstip/dstport, the source IP
+# is blacklisted. Acting on the blacklist is done elsewhere, as is
+# accepting or rejecting this connection.
+-A PRELUDE -i ppp+ -p tcp --dport ssh -m hashlimit --hashlimit-name
maybe-blacklist --hashlimit-mode srcip,dstip,dstport --hashlimit-above 1/min
--hashlimit-burst 3 -m recent --name blacklist --set -j LOG --log-prefix
"Blacklisted SRC: "
+-A BLACKLIST -m recent --name whitelist --rcheck --seconds 3600 -j RETURN -m
comment --comment "whitelist overrides blacklist"
+-A BLACKLIST -j CHAOS --tarpit
+## YOUR RULES GO HERE. Below is a simple example: a firewalling
+## router and SSH gateway that also serves DHCP/DNS/NTP to the LAN,
+## with a web server "www" and a mail server "mail" behind it.
+-A INPUT -p tcp --dport ssh -j ACCEPT
+-A INPUT -i lan -p udp -m multiport --dports bootps,domain,ntp -j ACCEPT
+-A FORWARD -d mail -p tcp -m multiport --dports smtp,submission,imaps -j ACCEPT
+-A FORWARD -d www -p tcp -m multiport --dports http,https -j ACCEPT
+## Finally, politely reject all other attempts. Omit these to use the
+## chains' default policies (DROP, above) instead.
+-A INPUT -j REJECT
+-A FORWARD -j REJECT
+COMMIT
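Review bot: the comment `Requires xtables.` above the blacklist rules should read xtables-addons, because the `CHAOS --tarpit` target used in the BLACKLIST chain is not part of stock iptables; without that package the second `*filter` block fails to load and the host is left on the deny-all ruleset. The hashlimit rule that feeds the blacklist also matches only `-i ppp+`, while the rest of the template names its interfaces `lan` and `upstream`, so on a non-PPP uplink nothing is ever blacklisted; parameterise the interface or state the assumption in the comment. Finally, the entry is keyed on the source address of unauthenticated SYNs, so a spoofed source could get a legitimate host refused all services for ten minutes; `--rttl` on the `--update` rule limits that (the entry only matches packets whose TTL equals the one recorded) and the `whitelist` list is the recovery path, and both deserve a sentence in the comment block since they are the only mitigations.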
diff --git a/iptab.nat b/iptab.nat
new file mode 100644
index 0000000000..642224e704
--- /dev/null
+++ b/iptab.nat
@@ -0,0 +1,65 @@
+#!/usr/sbin/iptables-apply
+### This -*-conf-*- file is my template /etc/iptab for new hosts.
+### Ref. http://jengelh.medozas.de/documents/Perfect_Ruleset.pdf
+### From init, use iptables-restore /etc/iptab (NOT iptables-apply).
+### Ruleset can and should be loaded BEFORE network ifaces exist.
+###
+### Named hosts and services names are resolved ONCE, at load time.
+### See getent(1). For meaningful ethernet iface names, edit
+### /etc/udev/rules.d/*persistent-net.rules and reboot.
+###
+### Date: Aug 2009
+
+######################################################################
+## Rulesets (*foo ... COMMIT) load atomically. First load a deny-all
+## ruleset so that if the "real" ruleset fails to load, the system
+## WILL NOT be left in an allow-all state.
+*filter
+:INPUT DROP
+:FORWARD DROP
+:OUTPUT ACCEPT
+-A INPUT -s 192.168/16 -j ACCEPT -m comment --comment "Allow recovery from
LAN."
+-A OUTPUT -p udp --dport domain -j REJECT -m comment --comment "On error,
avoid DNS timeout delays"
+COMMIT
+
+######################################################################
+*filter
+:OUTPUT ACCEPT # Local users/processes are trusted.
+:INPUT DROP # Ingress policy is "default deny".
+:FORWARD DROP # Routing policy is "default deny".
+:PRELUDE - # Best practices for filtered chains.
+## Quickly handle the essentials of a "default deny" environment.
+## Anything left after this chain implicitly has --ctstate NEW.
+-A INPUT -j PRELUDE
+-A FORWARD -j PRELUDE
+-A PRELUDE -m conntrack --ctstate RELATED,ESTABLISHED,DNAT -j ACCEPT
+-A PRELUDE -m conntrack ! --ctstate NEW -j DROP -m comment --comment "Same as
--ctstate INVALID."
+-A PRELUDE -p icmp -j ACCEPT
+-A PRELUDE -i lo -j ACCEPT
+## YOUR RULES GO HERE. Below is a simple example: a firewalling
+## router and SSH gateway that also serves DHCP/DNS/NTP to the LAN,
+## with a web server "www" and a mail server "mail" behind it.
+-A INPUT -p tcp --dport ssh -j ACCEPT
+-A INPUT -i lan -p udp -m multiport --dports bootps,domain,ntp -j ACCEPT
+## Finally, politely reject all other attempts. Omit these to use the
+## chains' default policies (DROP, above) instead.
+-A INPUT -j REJECT
+-A FORWARD -j REJECT
+COMMIT
+
+*nat
+:PREROUTING ACCEPT
+:POSTROUTING ACCEPT
+:OUTPUT ACCEPT
+## Translate private LAN IPs to a single, dynamic public IP.
+## If you have a static IP or multiple IPs, use SNAT instead.
+## DO NOT use NAT between LANs; route between them.
+-A POSTROUTING -o upstream -j MASQUERADE
+## Route inbound traffic on specific ports, to machines in the DMZ.
+## DNAT destinations cannot be hostnames, because a hostname could
+## resolve to more than one IP, which would not be meaningful.
+##
+## Note that these flows must also be allowed in *filter.
+-A PREROUTING -i upstream -p tcp -m multiport --dport smtp,submission,imaps -j
DNAT --to 192.168.1.2
+-A PREROUTING -i upstream -p tcp -m multiport --dport http,https -j
DNAT --to 192.168.1.3
+COMMIT
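Review bot: the two `-m multiport --dport smtp,submission,imaps` and `--dport http,https` rules in `*nat` will most likely be rejected at load time: `--dport` is the tcp match's option and takes a single port or range, not a comma-separated list, whereas the multiport option is `--dports`, which is what the `*filter` rules in this same template use. Also, the comment `these flows must also be allowed in *filter` no longer matches this file: the PRELUDE rule now accepts `--ctstate DNAT` wholesale and the per-service `-A FORWARD -d mail/www` rules present in the other two templates were removed, so anything DNATed in `*nat` is forwarded without a second check in `*filter`. Either keep the explicit FORWARD rules (and drop DNAT from PRELUDE) or reword the comment to say that `*filter` trusts whatever `*nat` translates.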