
[elpa] externals/nftables-mode 869f14abf4 34/41: Initial import.


From: Stefan Monnier
Subject: [elpa] externals/nftables-mode 869f14abf4 34/41: Initial import.
Date: Mon, 23 May 2022 09:27:25 -0400 (EDT)

branch: externals/nftables-mode
commit 869f14abf41c504fc9fcb2538033e566f425b1f4
Author: Trent W. Buck <trentbuck@gmail.com>
Commit: Trent W. Buck <trentbuck@gmail.com>

    Initial import.
---
 iptab     | 50 +++++++++++++++++++++++++++++++++++++++++++++
 iptab.ips | 69 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
 iptab.nat | 65 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
 3 files changed, 184 insertions(+)

diff --git a/iptab b/iptab
new file mode 100644
index 0000000000..bedc228d3e
--- /dev/null
+++ b/iptab
@@ -0,0 +1,50 @@
+#!/usr/sbin/iptables-apply
+### This -*-conf-*- file is my template /etc/iptab for new hosts.
+### Ref. http://jengelh.medozas.de/documents/Perfect_Ruleset.pdf
+### From init, use iptables-restore /etc/iptab (NOT iptables-apply).
+### Ruleset can and should be loaded BEFORE network ifaces exist.
+###
+### Named hosts and services names are resolved ONCE, at load time.
+### See getent(1).  For meaningful ethernet iface names, edit
+### /etc/udev/rules.d/*persistent-net.rules and reboot.
+###
+### Date: Aug 2009
+
+######################################################################
+## Rulesets (*foo ... COMMIT) load atomically.  First load a deny-all
+## ruleset so that if the "real" ruleset fails to load, the system
+## WILL NOT be left in an allow-all state.
+*filter
+:INPUT DROP
+:FORWARD DROP
+:OUTPUT ACCEPT
+-A INPUT -s 192.168/16 -j ACCEPT -m comment --comment "Allow recovery from 
LAN."
+-A OUTPUT -p udp --dport domain -j REJECT -m comment --comment "On error, 
avoid DNS timeout delays"
+COMMIT
+
+######################################################################
+*filter
+:OUTPUT         ACCEPT          # Local users/processes are trusted.
+:INPUT          DROP            # Ingress policy is "default deny".
+:FORWARD        DROP            # Routing policy is "default deny".
+:PRELUDE        -               # Best practices for filtered chains.
+## Quickly handle the essentials of a "default deny" environment.
+## Anything left after this chain implicitly has --ctstate NEW.
+-A INPUT -j PRELUDE
+-A FORWARD -j PRELUDE
+-A PRELUDE -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
+-A PRELUDE -m conntrack ! --ctstate NEW -j DROP -m comment --comment "Same as 
--ctstate INVALID."
+-A PRELUDE -p icmp -j ACCEPT
+-A PRELUDE -i lo -j ACCEPT
+## YOUR RULES GO HERE.  Below is a simple example: a firewalling
+## router and SSH gateway that also serves DHCP/DNS/NTP to the LAN,
+## with a web server "www" and a mail server "mail" behind it.
+-A INPUT -p tcp --dport ssh -j ACCEPT
+-A INPUT -i lan -p udp -m multiport --dports bootps,domain,ntp -j ACCEPT
+-A FORWARD -d mail -p tcp -m multiport --dports smtp,submission,imaps -j ACCEPT
+-A FORWARD -d www  -p tcp -m multiport --dports http,https            -j ACCEPT
+## Finally, politely reject all other attempts.  Omit these to use the
+## chains' default policies (DROP, above) instead.
+-A INPUT   -j REJECT
+-A FORWARD -j REJECT
+COMMIT
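Review bot: the comment on `-A PRELUDE -m conntrack ! --ctstate NEW -j DROP` ("Same as --ctstate INVALID.") overstates the equivalence: after the RELATED,ESTABLISHED accept just above it, the negated match also drops UNTRACKED packets, not only INVALID ones, so either match `--ctstate INVALID` explicitly or reword the comment to say that everything not NEW is dropped at this point. Separately, the file is added with mode 100644 but opens with `#!/usr/sbin/iptables-apply`, while the header says init should use `iptables-restore /etc/iptab`; either mark the file executable or drop the shebang so the two instructions do not contradict each other.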
diff --git a/iptab.ips b/iptab.ips
new file mode 100644
index 0000000000..c619f9b38e
--- /dev/null
+++ b/iptab.ips
@@ -0,0 +1,69 @@
+#!/usr/sbin/iptables-apply
+### This -*-conf-*- file is my template /etc/iptab for new hosts.
+### Ref. http://jengelh.medozas.de/documents/Perfect_Ruleset.pdf
+### From init, use iptables-restore /etc/iptab (NOT iptables-apply).
+### Ruleset can and should be loaded BEFORE network ifaces exist.
+###
+### Named hosts and services names are resolved ONCE, at load time.
+### See getent(1).  For meaningful ethernet iface names, edit
+### /etc/udev/rules.d/*persistent-net.rules and reboot.
+###
+### Date: Aug 2009
+
+######################################################################
+## Rulesets (*foo ... COMMIT) load atomically.  First load a deny-all
+## ruleset so that if the "real" ruleset fails to load, the system
+## WILL NOT be left in an allow-all state.
+*filter
+:INPUT DROP
+:FORWARD DROP
+:OUTPUT ACCEPT
+-A INPUT -s 192.168/16 -j ACCEPT -m comment --comment "Allow recovery from 
LAN."
+-A OUTPUT -p udp --dport domain -j REJECT -m comment --comment "On error, 
avoid DNS timeout delays"
+COMMIT
+
+######################################################################
+*filter
+:OUTPUT         ACCEPT          # Local users/processes are trusted.
+:INPUT          DROP            # Ingress policy is "default deny".
+:FORWARD        DROP            # Routing policy is "default deny".
+:PRELUDE        -               # Best practices for filtered chains.
+:BLACKLIST      -
+## Quickly handle the essentials of a "default deny" environment.
+## Anything left after this chain implicitly has --ctstate NEW.
+-A INPUT -j PRELUDE
+-A FORWARD -j PRELUDE
+-A PRELUDE -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
+-A PRELUDE -m conntrack ! --ctstate NEW -j DROP -m comment --comment "Same as 
--ctstate INVALID."
+-A PRELUDE -p icmp -j ACCEPT
+-A PRELUDE -i lo -j ACCEPT
+## An automated SSH brute-force blacklist.  Requires xtables.  Unlike
+## fail2ban or DenyHosts, there are NO userspace requirements -- not
+## even sshd is needed!  echo +1.2.3.4 >/proc/net/xt_recent/whitelist
+## to whitelist 1.2.3.4 for an hour.  Protects both this host AND all
+## hosts "behind" this one.
+##
+# New connections from IPs blacklisted within the last ten minutes are
+# chaotically rejected, AND reset the countdown back to ten minutes.
+# This is in PRELUDE such that blacklisted attackers are refused ALL
+# services, not just rate-limited ones.
+-A PRELUDE -m recent --name blacklist --update --seconds 600 --rttl -j 
BLACKLIST
+# This NON-TERMINAL chain counts connections passing through it.  When
+# a connection rate exceeds 3/min/srcip/dstip/dstport, the source IP
+# is blacklisted.  Acting on the blacklist is done elsewhere, as is
+# accepting or rejecting this connection.
+-A PRELUDE -i ppp+ -p tcp --dport ssh -m hashlimit --hashlimit-name 
maybe-blacklist --hashlimit-mode srcip,dstip,dstport --hashlimit-above 1/min 
--hashlimit-burst 3 -m recent --name blacklist --set -j LOG --log-prefix 
"Blacklisted SRC: "
+-A BLACKLIST -m recent --name whitelist --rcheck --seconds 3600 -j RETURN -m 
comment --comment "whitelist overrides blacklist"
+-A BLACKLIST -j CHAOS --tarpit
+## YOUR RULES GO HERE.  Below is a simple example: a firewalling
+## router and SSH gateway that also serves DHCP/DNS/NTP to the LAN,
+## with a web server "www" and a mail server "mail" behind it.
+-A INPUT -p tcp --dport ssh -j ACCEPT
+-A INPUT -i lan -p udp -m multiport --dports bootps,domain,ntp -j ACCEPT
+-A FORWARD -d mail -p tcp -m multiport --dports smtp,submission,imaps -j ACCEPT
+-A FORWARD -d www  -p tcp -m multiport --dports http,https            -j ACCEPT
+## Finally, politely reject all other attempts.  Omit these to use the
+## chains' default policies (DROP, above) instead.
+-A INPUT   -j REJECT
+-A FORWARD -j REJECT
+COMMIT
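Review bot: the whitelist is consulted only inside BLACKLIST, after `-m recent --name blacklist --update --seconds 600 --rttl` has already refreshed the source's blacklist timestamp, so a whitelisted host that keeps connecting within ten minutes never ages out of the blacklist and is tarpitted the moment its `--rcheck --seconds 3600` whitelist entry expires; a whitelist check in PRELUDE ahead of the `--update` rule (for example `-A PRELUDE -m recent --name whitelist --rcheck --seconds 3600 -j RETURN` placed before the blacklist rule) would let the blacklist entry expire as the header comment promises. Also, `-j CHAOS --tarpit` comes from xtables-addons rather than mainline iptables (the `-m recent` and `-m hashlimit` matches do not); the header's "Requires xtables" would be clearer naming that package, since without it the whole ruleset fails to load and the deny-all safety ruleset stays in place.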
diff --git a/iptab.nat b/iptab.nat
new file mode 100644
index 0000000000..642224e704
--- /dev/null
+++ b/iptab.nat
@@ -0,0 +1,65 @@
+#!/usr/sbin/iptables-apply
+### This -*-conf-*- file is my template /etc/iptab for new hosts.
+### Ref. http://jengelh.medozas.de/documents/Perfect_Ruleset.pdf
+### From init, use iptables-restore /etc/iptab (NOT iptables-apply).
+### Ruleset can and should be loaded BEFORE network ifaces exist.
+###
+### Named hosts and services names are resolved ONCE, at load time.
+### See getent(1).  For meaningful ethernet iface names, edit
+### /etc/udev/rules.d/*persistent-net.rules and reboot.
+###
+### Date: Aug 2009
+
+######################################################################
+## Rulesets (*foo ... COMMIT) load atomically.  First load a deny-all
+## ruleset so that if the "real" ruleset fails to load, the system
+## WILL NOT be left in an allow-all state.
+*filter
+:INPUT DROP
+:FORWARD DROP
+:OUTPUT ACCEPT
+-A INPUT -s 192.168/16 -j ACCEPT -m comment --comment "Allow recovery from 
LAN."
+-A OUTPUT -p udp --dport domain -j REJECT -m comment --comment "On error, 
avoid DNS timeout delays"
+COMMIT
+
+######################################################################
+*filter
+:OUTPUT         ACCEPT          # Local users/processes are trusted.
+:INPUT          DROP            # Ingress policy is "default deny".
+:FORWARD        DROP            # Routing policy is "default deny".
+:PRELUDE        -               # Best practices for filtered chains.
+## Quickly handle the essentials of a "default deny" environment.
+## Anything left after this chain implicitly has --ctstate NEW.
+-A INPUT -j PRELUDE
+-A FORWARD -j PRELUDE
+-A PRELUDE -m conntrack --ctstate RELATED,ESTABLISHED,DNAT -j ACCEPT
+-A PRELUDE -m conntrack ! --ctstate NEW -j DROP -m comment --comment "Same as 
--ctstate INVALID."
+-A PRELUDE -p icmp -j ACCEPT
+-A PRELUDE -i lo -j ACCEPT
+## YOUR RULES GO HERE.  Below is a simple example: a firewalling
+## router and SSH gateway that also serves DHCP/DNS/NTP to the LAN,
+## with a web server "www" and a mail server "mail" behind it.
+-A INPUT -p tcp --dport ssh -j ACCEPT
+-A INPUT -i lan -p udp -m multiport --dports bootps,domain,ntp -j ACCEPT
+## Finally, politely reject all other attempts.  Omit these to use the
+## chains' default policies (DROP, above) instead.
+-A INPUT   -j REJECT
+-A FORWARD -j REJECT
+COMMIT
+
+*nat
+:PREROUTING     ACCEPT
+:POSTROUTING    ACCEPT
+:OUTPUT         ACCEPT
+## Translate private LAN IPs to a single, dynamic public IP.
+## If you have a static IP or multiple IPs, use SNAT instead.
+## DO NOT use NAT between LANs; route between them.
+-A POSTROUTING -o upstream -j MASQUERADE
+## Route inbound traffic on specific ports, to machines in the DMZ.
+## DNAT destinations cannot be hostnames, because a hostname could
+## resolve to more than one IP, which would not be meaningful.
+##
+## Note that these flows must also be allowed in *filter.
+-A PREROUTING -i upstream -p tcp -m multiport --dport smtp,submission,imaps -j 
DNAT --to 192.168.1.2
+-A PREROUTING -i upstream -p tcp -m multiport --dport http,https            -j 
DNAT --to 192.168.1.3
+COMMIT
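Review bot: the two PREROUTING rules use `-m multiport --dport smtp,submission,imaps` and `--dport http,https`, but with `-p tcp` loaded `--dport` is the tcp match's single-port option and does not accept a comma-separated list; the other two files use multiport's `--dports`, so this should be `--dports` here as well or the ruleset will not load and the host stays on the deny-all safety ruleset. Note also that adding DNAT to the PRELUDE accept (`--ctstate RELATED,ESTABLISHED,DNAT -j ACCEPT`) makes the *nat PREROUTING rules the effective FORWARD policy for the DMZ: any flow that was DNAT'ed is accepted in *filter at both INPUT and FORWARD without a further port or destination check, which is why the mail/www FORWARD rules from iptab are absent here; the comment "these flows must also be allowed in *filter" should say that this accept is what allows them, so a later edit does not remove it and silently break the DMZ services.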
