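#!/bin/bash
#05/2001#
###fif3##
#########
# Some of the firewall rules require kernel patches:
# www.getrewted.net's grsecurity patch with the latest
# netfilter patches.
####################################################
#
# Host start-up script: pins daemon binaries (setgid + immutable), starts the
# local services and IDS tools that are not already running, writes the
# /proc/sys/net/ipv4 hardening knobs and loads the iptables rule set.
#
# Usage:  script [reset|kill]
#   reset  kill every server in SERVERS, then fall through and restart them
#   kill   kill every server in SERVERS and exit (the filter table has already
#          been flushed at that point, so the host is left without rules)
#
# Must run as root. Deliberately no `set -e`: chattr/killall on absent files
# or processes are expected to fail and must not abort the run.
# TRUSTED1 / TRUSTED2 are read from the environment when set; they are not
# defined in this file.

# The original used `which`, which is not guaranteed to exist; an empty IPT
# would have turned every rule below into a "command not found".
IPT=$(command -v iptables)
if [[ -z "$IPT" ]]; then
  printf 'iptables not found in PATH\n' >&2
  exit 1
fi

# Drop append-only/immutable flags on the whole log tree so the daemons
# started below can write; the selected logs are made +a again at the end.
chattr -aiR /var/log

# Fill these in for the host. Only INET and WORK are referenced by the rules
# below. The internal address was originally assigned to HOME, which (HOME
# being normally exported) would have been inherited by every daemon
# launched from this script.
# shellcheck disable=SC2034
INET="external.ip.address"
LAN="internal.ip.address"
WLAN="wireless.ip.address"
WORK="trusted.work.ip.range"

cd /sbin || exit 1
echo " Using iNet of: ${INET} "
# Flush every table we append to, not just filter: nat and mangle rules
# otherwise accumulate on each re-run. From here until the final INPUT DROP
# rule the host runs with the default ACCEPT policies (fail-open window).
"$IPT" -F
"$IPT" -t nat -F
"$IPT" -t mangle -F

#######################################
# Pin a daemon binary: owned by group $2, setgid, then immutable/append-only
# so it cannot be replaced or modified without first clearing the attribute.
# Arguments: $1 - path to binary, $2 - group name
#######################################
secured() {
  local path=$1 group=$2
  chattr -ai "$path"
  chgrp -- "$group" "$path"
  chmod g+s -- "$path"
  chattr +ai "$path"
}

secured /usr/sbin/proftpd sdaemon
secured /usr/sbin/gnu-pop3d sdaemon
secured /usr/bin/nmap sdaemon
secured /usr/local/bin/nmap sdaemon
secured /usr/sbin/sshd sdaemon
secured "$IPT" sdaemon
secured /usr/sbin/httpd http
# nmap loses the immutable bit again and becomes setuid/setgid.
# NOTE(review): `a+s` makes nmap setuid to its owner (presumably root), so any
# local account able to execute it gets raw-socket access at that privilege;
# confirm this is intended and that execute permission for "other" is removed.
chattr -ai /usr/bin/nmap /usr/local/bin/nmap
chmod a+s /usr/bin/nmap /usr/local/bin/nmap

##
## define all server programs, offer to reset them or kill them
# (the original single-quoted string kept a literal backslash from its line
# continuation, which killall then received as a bogus process name;
# proftpd was also listed twice)
# NOTE(review): killall matches exact names — "ssh" is the client binary,
# not sshd; confirm which one is meant.
SERVERS=(xinetd inetd ridentd.pl squid nmbd smbd dhcpd proftpd httpd
  named sendmail gnu-pop3d portsentry iplog snort guardian.pl ftpd
  ssh vpnd)

#######################################
# TERM then KILL every process named in SERVERS, silently.
#######################################
kill_servers() {
  (killall "${SERVERS[@]}"; killall -9 "${SERVERS[@]}") >/dev/null 2>&1
}

case "${1:-}" in
  reset)
    echo "resetting all servers..."
    kill_servers
    sleep 2
    ;;
  kill)
    echo "killing all servers..."
    kill_servers
    exit
    ;;
esac

#######################################
# Report whether `ps ax` lists a process whose line contains every INCLUDE
# pattern and none of the EXCLUDE patterns (grep itself is always excluded).
# Patterns are plain grep regexes, matched anywhere on the ps line, exactly
# like the original `ps ax | grep ... | grep -v ...` chains.
# Usage:   running INCLUDE... [-- EXCLUDE...]
# Returns: 0 if such a process is listed, 1 otherwise
#######################################
running() {
  local -a include=() exclude=(grep)
  while (( $# > 0 )); do
    if [[ "$1" == -- ]]; then
      shift
      exclude+=("$@")
      break
    fi
    include+=("$1")
    shift
  done
  local listing pat
  listing=$(ps ax)
  for pat in "${include[@]}"; do
    listing=$(grep -- "$pat" <<<"$listing")
  done
  for pat in "${exclude[@]}"; do
    listing=$(grep -v -- "$pat" <<<"$listing")
  done
  [[ -n "$listing" ]]
}

##
## check, and if servers aren't running, start them
(killall -9 ridentd.pl) >/dev/null 2>&1
(/usr/local/bin/ridentd.pl SILENT &) >/dev/null 2>&1

secured /usr/sbin/nmbd sdaemon
if ! running nmbd -- vi man; then
  echo "....................initializing nmbd"
  (/usr/sbin/nmbd &)
fi
secured /usr/sbin/smbd sdaemon
if ! running smbd -- vi man; then
  echo "....................initializing smbd"
  (/usr/sbin/smbd &)
fi
secured /usr/sbin/dhcpd sdaemon
if ! running dhcpd -- vi man; then
  echo "....................initializing dhcpd"
  (/usr/sbin/dhcpd eth2 >/dev/null 2>&1 &) >/dev/null 2>&1
fi
secured /chroot/named/bin/named sdaemon
if ! running named -- conf man syslog; then
  echo "....................initializing named"
  (/chroot/named/bin/named -u named -g named -t /chroot/named/ &)
fi
if ! running inetd -- vi man; then
  echo "....................initializing inetd"
  (/usr/bin/nohup /usr/sbin/inetd >/dev/null 2>&1 &)
fi
if ! running sendmail q15m -- vi man; then
  echo "....................initializing sendmail"
  #(/usr/sbin/sendmail -bd -q5m &)   # without inetd
  (/usr/sbin/sendmail -q15m &)       # with inetd
fi

##
## begin ids and counter-measures
secured /usr/local/bin/portsentry sdaemon
# restart all portsentry instances if either the tcp or the udp one is missing
if ! running portsentry tcp || ! running portsentry udp; then
  echo "....................initializing portsentry"
  (killall -9 portsentry) >/dev/null 2>&1
  sleep 1
  (/usr/local/bin/portsentry -atcp &)
  (/usr/local/bin/portsentry -audp &)
  (/usr/local/bin/portsentry -udp &)
fi
secured /usr/local/sbin/iplog sdaemon
if ! running iplog -- vi man; then
  echo "....................initializing iplog"
  (/usr/local/sbin/iplog -z &) >/dev/null 2>&1
fi
secured /usr/local/bin/snort sdaemon
if ! running snort -- snortsnarf man; then
  echo "....................initializing snort"
  (cd /etc/snort && /usr/local/bin/snort -Di eth1 -c /etc/snort/snort.conf &) >/dev/null
fi
if ! running perl snortsnarf -- man; then
  (/usr/local/bin/snortsnarf &)
fi

##
## begin kernel opts
#######################################
# Write a value to a /proc/sys knob. Writes are synchronous; the original
# backgrounded each echo, so the rules below could load before e.g.
# ip_forward was set.
# Arguments: $1 - knob path, $2 - value
#######################################
proc_set() {
  printf '%s\n' "$2" > "$1"
}

proc_set /proc/sys/net/ipv4/ip_forward 1
# grsecurity-only knobs: silently skipped on an unpatched kernel
for knob in tcp_restrict_rst udp_restrict_pu icmp_restrict igmp_restrict \
  tcp_ignore_ack tcp_ignore_synfin tcp_ignore_bogus; do
  proc_set "/proc/sys/net/ipv4/$knob" 1 2>/dev/null
done
for knob in icmp_echo_ignore_all icmp_echo_ignore_broadcasts \
  icmp_ignore_bogus_error_responses tcp_syncookies; do
  proc_set "/proc/sys/net/ipv4/$knob" 1
done
## all interfaces, and the defaults for interfaces added later
for scope in all default; do
  proc_set "/proc/sys/net/ipv4/conf/$scope/rp_filter" 1
  proc_set "/proc/sys/net/ipv4/conf/$scope/accept_redirects" 0
  proc_set "/proc/sys/net/ipv4/conf/$scope/accept_source_route" 0
  proc_set "/proc/sys/net/ipv4/conf/$scope/bootp_relay" 0
  proc_set "/proc/sys/net/ipv4/conf/$scope/forwarding" 1
  proc_set "/proc/sys/net/ipv4/conf/$scope/send_redirects" 0
  proc_set "/proc/sys/net/ipv4/conf/$scope/proxy_arp" 1
done

##
## new chains
# The old existence check grepped `iptables -L` for lowercase "chain" while
# the output says "Chain", so it never matched; use the exit status instead.
for chain in web rates; do
  "$IPT" -L "$chain" >/dev/null 2>&1 || "$IPT" -N "$chain"
done

##
## begin firewall configurations
##
## outbound rules
## this rule allows tcpd to work with non ident clients
"$IPT" -A OUTPUT -p tcp -s "$INET" --dport 113 -j REJECT
"$IPT" -A OUTPUT -p tcp -s 127.0.0.0/8 --dport 113 -j REJECT
## this makes incoming portscans take longer
"$IPT" -A OUTPUT -p tcp -s "$INET" --tcp-flags RST RST -j DROP
## allow all loopback traffic
"$IPT" -A INPUT -i lo+ -s 127.0.0.1 -d 127.0.0.1 -j ACCEPT

##
## main drop rules
## block spoofed source addresses arriving on the external nic,
## both for this host (INPUT) and for routed traffic (FORWARD)
BOGONS=(0.0.0.0/8 10.0.0.0/8 127.0.0.0/8 169.254.0.0/16 172.16.0.0/12
  192.0.2.0/24 192.168.0.0/16 224.0.0.0/4 240.0.0.0/5 248.0.0.0/5
  24.176.200.255/32 255.255.255.255/32)
for chain in INPUT FORWARD; do
  for net in "${BOGONS[@]}"; do
    "$IPT" -A "$chain" -i eth1+ -s "$net" -j DROP
  done
done

## incoming ports block
"$IPT" -A INPUT -p tcp -d "$INET" --dport 53 -j DROP
"$IPT" -A INPUT -p udp -d "$INET" --dport 53 -j DROP
"$IPT" -A INPUT -p tcp -d "$INET" --dport 130:140 -j DROP
"$IPT" -A INPUT -p udp -d "$INET" --dport 130:140 -j DROP
"$IPT" -A INPUT -p tcp -d "$INET" -m unclean -j DROP   # unclean: patched kernel only
"$IPT" -A INPUT -f -d "$INET" -j DROP
## forwarded ports block
"$IPT" -A FORWARD -p tcp --dport 130:140 -j DROP
"$IPT" -A FORWARD -p udp --dport 130:140 -j DROP
"$IPT" -A FORWARD -m state --state INVALID -j DROP
"$IPT" -A FORWARD -m unclean -j DROP
"$IPT" -A FORWARD -i eth1+ -f -j DROP

## limit connections per IP address (iplimit: patched kernel only)
## columns: dport  max-connections-per-source
while read -r port above; do
  "$IPT" -A INPUT -p TCP --dport "$port" -m iplimit --iplimit-above "$above" -j DROP
done <<'EOF'
20 5
21 5
22 5
25 5
53 2
80 10
110 5
113 2
139 5
443 10
465 5
995 5
1:1023 40
EOF

## rate limit our services
## limit tcp: SYNs within the limit RETURN to INPUT, the rest hit the DROP below
## columns: dport  limit  burst
while read -r port rate burst; do
  "$IPT" -A rates -p TCP --syn --dport "$port" -m limit --limit "$rate" --limit-burst "$burst" -j RETURN
done <<'EOF'
21 10/s 20
22 10/s 20
25 10/s 20
53 5/s 10
80 20/s 30
110 10/s 20
113 5/s 10
139 5/s 10
443 20/s 30
465 10/s 10
995 10/s 10
EOF
"$IPT" -A rates -p TCP --syn -j DROP
## limit udp
while read -r port rate burst; do
  "$IPT" -A rates -p UDP --dport "$port" -m limit --limit "$rate" --limit-burst "$burst" -j RETURN
done <<'EOF'
53 20/s 40
137 20/s 40
138 20/s 40
EOF
"$IPT" -A rates -p UDP -j DROP
"$IPT" -A rates -j RETURN
## link input to our rate limited chain
"$IPT" -I INPUT 1 -p TCP -m multiport --dport 21,22,25,53,80,110,113,139,443,465,995 -j rates
"$IPT" -I INPUT 1 -p UDP -m multiport --dport 53,137,138 -j rates

## transparent proxy and masquerading
## force routed dns traffic through local bind server
"$IPT" -t nat -A PREROUTING -i eth2+ -p udp --dport 53 -j REDIRECT --to-port 53
## nat forwarding rules for local IP range
"$IPT" -t nat -A POSTROUTING -o eth1+ -j MASQUERADE
"$IPT" -A FORWARD -i eth1+ -m state --state NEW,INVALID -j DROP
"$IPT" -A FORWARD -i eth2+ -s 192.168.0.0/24 -j ACCEPT
"$IPT" -A FORWARD -i wlan0+ -s 192.168.1.0/24 -j ACCEPT
"$IPT" -A FORWARD -p TCP -j ACCEPT
"$IPT" -A FORWARD -p UDP -j ACCEPT
"$IPT" -P FORWARD DROP

## trusted ip ranges
"$IPT" -A INPUT -p tcp -i eth2+ -s 192.168.0.0/24 -m multiport --dport 20,21,22,25,53,80,110,113,139,443,465,995 -j ACCEPT
"$IPT" -A INPUT -p tcp -i wlan0+ -s 192.168.1.0/24 -m multiport --dport 80,113,443,465,995 -j ACCEPT
# TRUSTED1/TRUSTED2 come from the environment when present; word-splitting
# of the (space separated) range lists is intended
# shellcheck disable=SC2086
for net in ${TRUSTED1:-} ${TRUSTED2:-} $WORK; do
  "$IPT" -A INPUT -p tcp -s "$net" -d "$INET" -m multiport --dport 20,21,22,25,80,110,443,465,995 -j ACCEPT
done
## drop rules
"$IPT" -A INPUT -p tcp -d "$INET" -m multiport --dport 21,53,110 -j DROP
## damn att@home
"$IPT" -A INPUT -s 24.176.200.1/32 -j ACCEPT
"$IPT" -A INPUT -s 24.0.0.0/16 -j DROP
"$IPT" -A INPUT -s 24.0.94.130/32 -j DROP

## mangle some packets, make ssh fast
"$IPT" -t mangle -A PREROUTING -p tcp --sport 22 -j TOS --set-tos Minimize-Delay
"$IPT" -t mangle -A PREROUTING -p tcp --dport 22 -j TOS --set-tos Minimize-Delay
"$IPT" -t mangle -A OUTPUT -p tcp --sport 22 -j TOS --set-tos Minimize-Delay
"$IPT" -t mangle -A OUTPUT -p tcp --dport 22 -j TOS --set-tos Minimize-Delay

## accept rules
# NOTE(review): the first rule trusts the source port alone, so any remote
# host can reach ports 1000-65535 simply by sending from port 20; the FTP
# conntrack helper with `-m state --state RELATED` would limit this to real
# active-mode data channels.
"$IPT" -A INPUT -p tcp --sport 20 --dport 1000:65535 -j ACCEPT
"$IPT" -A INPUT -p tcp -i eth1+ -m multiport --dport 20,21,22,25,80,110,113,443,465,995 -j ACCEPT
"$IPT" -A INPUT -p tcp -i eth2+ -m multiport --dport 20,21,22,25,53,80,110,113,139,443,465,995,10000 -j ACCEPT
"$IPT" -A INPUT -p tcp -i wlan0+ -m multiport --dport 80,113 -j ACCEPT
## allow ICMP
"$IPT" -A INPUT -p icmp -j ACCEPT
## cleanup rules
# stateless tail: only TCP connection attempts (SYN) are dropped; every other
# TCP segment and all UDP reaching this point is accepted, so this does not
# track connections the way `--state ESTABLISHED,RELATED` would.
"$IPT" -A INPUT -p tcp --syn -j DROP
"$IPT" -A INPUT -p tcp -j ACCEPT
"$IPT" -A INPUT -p udp -j ACCEPT
"$IPT" -A INPUT -j DROP

## block tracking agency crap
## (inserted at position 1, so these end up ahead of the rates links above)
for chain in INPUT FORWARD; do
  "$IPT" -I "$chain" 1 -p tcp --sport 80 -j web
  "$IPT" -I "$chain" 1 -p tcp --dport 80 -j web
done
## block web sites (one duplicate of 205.138.3.0/24 removed)
WEB_BLOCK=(
  216.37.13.0/24 208.184.172.0/24 216.251.229.0/24 209.246.21.0/24
  199.95.207.0/24 199.95.208.0/24 199.95.209.0/24 204.253.104.0/24
  205.138.3.0/24 208.211.225.0/24 204.178.0.0/16 209.67.38.0/24
  208.184.29.0/24 208.48.126.1/28 216.200.16.0/24 207.88.241.0/24
  207.240.119.0/24 216.52.6.0/24 63.91.145.0/24 216.34.88.0/24
  63.251.8.0/24 205.180.221.0/24 209.1.25.0/24 63.81.184.0/24
  216.52.12.0/24 206.132.79.0/24 204.71.191.0/24 209.143.238.1/28
  207.200.75.0/24 204.178.119.224/28 208.147.89.0/24 204.6.92.0/24
  216.35.217.0/24 128.11.42.0/24 216.32.119.0/24 207.245.246.0/24
  209.41.28.0/24 216.165.161.19/32 207.211.106.16/26 216.33.46.174/26
  216.162.192.10/26 207.240.167.174/30 209.249.45.85/30 216.33.121.86/30
  209.58.112.8/30 208.61.252.91/30 209.85.3.8/30 206.253.217.6/30
  208.32.211.0/24
)
for net in "${WEB_BLOCK[@]}"; do
  "$IPT" -A web -s "$net" -j REJECT
done

# re-enable append-only on the logs the daemons above write to
cd /var/log || exit 1
for log in iplog.log sulog messages syslog maillog; do
  chattr +a "$log"
done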