# Firewall / traffic-shaping bring-up script (iptables, ip6tables, ipset, tc, sysctl).
# Invoke as "<script> commit" to apply; with any other first argument every privileged tool
# is replaced by "echo <tool>" (original lines 32-38), so the run only prints what it would do.
# NOTE(review): this listing is a non-contiguous excerpt with mangled line breaks. The leading
# numbers are the original line numbers and they jump (e.g. 47 -> 53), so the then/else/fi/done
# lines of most blocks, the header of the shape() helper, and the definitions of EXT, EXT_IF,
# EXT6_IF, INT_IF, INT6_IF, UPLINK, BURST, TC and IPSET are not visible here.
5 # some system-specific config...
# Internal IPv6 prefix; the only source allowed to open NEW forwarded v6 flows (original line 259).
15 SUBNET6
='2001:470:1f05:cb8::/64'
20 # note that behavior between v4 and v6 is slightly different
# NOTE(review): `which` is non-portable and, when the lookup fails, leaves the variable empty so
# a later "$IPTABLES -F FORWARD" would try to run "-F" as a command; nothing visible here checks
# the result. `command -v`, or an absolute path as is done for SYSCTL below, is the usual fix.
25 IPTABLES
=$(which iptables)
26 IP6TABLES
=$(which ip6tables)
29 SYSCTL
=/usr
/sbin
/sysctl
# Init script used to stop/start fail2ban around the table flush.
30 F2B_CTL
="/etc/init.d/fail2ban"
# Dry-run switch: unless $1 is exactly "commit", prefix each tool with echo so nothing is
# changed. The closing fi of this block is not in the excerpt.
32 if [ "commit" != "$1" ]; then
33 IPTABLES
="echo ${IPTABLES}"
34 IP6TABLES
="echo ${IP6TABLES}"
37 SYSCTL
="echo ${SYSCTL}"
38 F2B_CTL
="echo ${F2B_CTL}"
41 # fail2ban writes its own chains, don't flush tables before shutting it down
# Read fail2ban's pid file and confirm via ps that the pid really belongs to fail2ban-server.
# The branches that set f2b_needs_attention (tested at original lines 78 and 292) are not shown.
# NOTE(review): ${f2b_pid} is unquoted, so unexpected content in the pid file would be
# word-split into extra ps arguments; quote it. The backticks could be $(...) as used above.
43 if f2b_pid
=$(cat /var/run/fail2ban/fail2ban.pid)
45 f2b_comm
=`ps -o comm= -p ${f2b_pid}`
47 if [ "fail2ban-server" = "${f2b_comm}" ]; then
# sysctl_set KEY VALUE: write KEY only when its current value differs (the body continues past
# the lines shown). NOTE(review): the $(...) on the right of != is unquoted, so if sysctl prints
# nothing (unknown key; -e silences the error) the test has a missing operand and fails — quote it.
53 function sysctl_set
(){
54 if [ "$2" != $($SYSCTL -ne "$1") ]
56 echo "setting $1 to $2"
# Kernel settings. Forwarding is enabled for both families because this host routes for the
# internal network and SNATs it out of EXT_IF (original lines 256-259 and 275).
63 sysctl_set net.ipv4.ip_forward
1
64 sysctl_set net.ipv6.conf.all.forwarding
1
65 # disable routing triangulation; queries go out same interface
66 sysctl_set net.ipv4.conf.all.rp_filter
1
67 # log malformed packets
68 #${SYSCTL} -w net.ipv4.conf.all.log_martians=1
# NOTE(review): the comment above says "log malformed packets" but the value applied here is 0,
# which turns martian logging off (the =1 form is commented out); confirm which is intended.
69 sysctl_set net.ipv4.conf.all.log_martians
0
# Do not send or honour ICMP redirects, do not accept source-routed packets, enable SYN cookies.
71 sysctl_set net.ipv4.conf.all.send_redirects
0
72 sysctl_set net.ipv4.conf.all.accept_redirects
0
73 # disable source routed packets
74 sysctl_set net.ipv4.conf.all.accept_source_route
0
76 sysctl_set net.ipv4.tcp_syncookies
1
# Stop fail2ban before flushing if it was found running (the action lines are not shown).
# NOTE(review): ${f2b_needs_attention} is unquoted; if it is ever unset the test becomes
# "[ -eq 1 ]" and errors out.
78 if [ ${f2b_needs_attention} -eq 1 ]; then
# Flush FORWARD and the whole mangle table (other flush lines are not in the excerpt).
86 ${IPTABLES} -F FORWARD
87 ${IPTABLES} -F -t mangle
95 $IP6TABLES -F -t mangle
# Default policies: v6 drops everything not explicitly allowed on all three chains; v4 drops
# unmatched INPUT only, so v4 OUTPUT and FORWARD rely on the explicit rules below (e.g. the
# FORWARD drop of NEW,INVALID from EXT_IF at original line 256).
99 $IPTABLES -P INPUT DROP
100 $IPTABLES -P OUTPUT ACCEPT
101 $IPTABLES -P FORWARD ACCEPT
103 $IP6TABLES -P INPUT DROP
104 $IP6TABLES -P OUTPUT DROP
105 $IP6TABLES -P FORWARD DROP
107 # clear and reset traffic control
# Remove any existing root qdisc on EXT_IF, then add an HTB root whose default class is 1:30.
110 if $TC qdisc del dev
${EXT_IF}
112 echo "removed existing qdisc"
116 if $TC qdisc add dev
${EXT_IF} root handle
1: htb default
30
118 echo "qdisc root exists"
120 echo "new qdisc root"
# Parent class 1:1 at the full UPLINK rate, then five leaf classes 1:10..1:50 with prio 1..5.
# 1:10 and 1:20 may use the full rate; 1:30, 1:40 and 1:50 get 9/10, 5/10 and 5/10 of UPLINK
# (1:50 also gets a smaller burst). NOTE(review): the `expr N \* ${UPLINK} / 10` forms could be
# written as $(( N * UPLINK / 10 )).
122 $TC class add dev
${EXT_IF} parent
1: classid
1:1 htb rate
${UPLINK}kbit burst
${BURST}k
123 $TC class add dev
${EXT_IF} parent
1:1 class
1:10 htb rate
${UPLINK}kbit burst
${BURST}k prio
1
124 $TC class add dev
${EXT_IF} parent
1:1 class
1:20 htb rate
${UPLINK}kbit burst
${BURST}k prio
2
125 $TC class add dev
${EXT_IF} parent
1:1 class
1:30 htb rate
$(expr 9 \* ${UPLINK} / 10)kbit burst
${BURST}k prio
3
126 $TC class add dev
${EXT_IF} parent
1:1 class
1:40 htb rate
$(expr 5 \* ${UPLINK} / 10)kbit burst
${BURST}k prio
4
127 $TC class add dev
${EXT_IF} parent
1:1 class
1:50 htb rate
$(expr 5 \* ${UPLINK} / 10)kbit burst
$(expr 2 \* ${BURST} / 3)k prio
5
# Per leaf class: an sfq qdisc, and an fw filter mapping firewall mark x to class 1:x0. This is
# how the MARK rules in SHAPE_CHAIN below choose a class. NOTE(review): the `for x in ...` header
# of this loop (original lines 128-130) is not in the excerpt; x is presumably 1..5 — confirm.
131 $TC qdisc add dev
${EXT_IF} parent
1:${x}0 handle
${x}0: sfq perturb
10
132 $TC filter add dev
${EXT_IF} parent
1: prio
0 protocol ip handle
${x} fw flowid
1:${x}0
# Recreate the mangle chain that holds the MARK rules, for both families.
# NOTE(review): -X only succeeds on an empty, unreferenced chain; this works on re-run because
# the mangle table was flushed above (original lines 87 and 95).
136 SHAPE_CHAIN
='SHAPER-OUT'
138 $IPTABLES -t mangle
-X ${SHAPE_CHAIN}
139 $IPTABLES -t mangle
-N ${SHAPE_CHAIN}
140 $IP6TABLES -t mangle
-X ${SHAPE_CHAIN}
141 $IP6TABLES -t mangle
-N ${SHAPE_CHAIN}
# Body of the shape() helper (its header, original lines 143-145, is not shown): append a rule
# to SHAPE_CHAIN that marks packets matching "$@" with ${PRIO}, for v4 and v6, but only when an
# identical rule is not already present (-C check), so re-running does not duplicate rules.
# NOTE(review): PRIO is presumably the first argument, shifted off before "$@" is used — confirm
# in the hidden header.
146 if ! $IPTABLES -t mangle
-C ${SHAPE_CHAIN} "$@" -j MARK
--set-mark ${PRIO} >/dev
/null
2>&1
148 $IPTABLES -t mangle
-A ${SHAPE_CHAIN} "$@" -j MARK
--set-mark ${PRIO}
150 if ! $IP6TABLES -t mangle
-C ${SHAPE_CHAIN} "$@" -j MARK
--set-mark ${PRIO} >/dev
/null
2>&1
152 $IP6TABLES -t mangle
-A ${SHAPE_CHAIN} "$@" -j MARK
--set-mark ${PRIO}
156 # prioritize small and responsive things
# Mark 1 (highest class): TCP RST, ACK+RST and ACK+FIN, i.e. connection teardown packets.
160 #shape 1 -p tcp -m length :64
161 #shape 1 -p tcp --syn -m length 40:68
162 #shape 1 -p tcp --tcp-flags ALL ACK -m length --length 40:100
163 shape
1 -p tcp
--tcp-flags ALL RST
164 shape
1 -p tcp
--tcp-flags ALL ACK
,RST
165 shape
1 -p tcp
--tcp-flags ALL ACK
,FIN
# Mark 2: outbound ssh.
168 shape
2 -p tcp
--dport 22
# Mark 4: destination ports 20 and 115.
171 shape
4 -p tcp
--dport 20
172 shape
4 -p tcp
--dport 115
# Mark 5 (lowest class): ports 8881-8899 in either direction.
175 shape
5 -p tcp
--dport 8881:8899
176 shape
5 -p tcp
--sport 8881:8899
178 # default everything else to middle
# Anything still unmarked (--mark 0) goes to class 1:30, which is also the HTB default.
179 shape
3 -m mark
--mark 0
# Hook the chain into mangle POSTROUTING for traffic leaving EXT_IF (-I places it first).
182 $IPTABLES -t mangle
-I POSTROUTING
-o ${EXT_IF} -j ${SHAPE_CHAIN}
185 # reserve a special place in hell for some people
# xenophobe chain: packets of ESTABLISHED/RELATED flows RETURN to the caller, everything else is
# REJECTed with port-unreachable. Net effect: an address added to the set loses only *new*
# connections; existing ones continue until they end.
186 $IPTABLES -N xenophobe
187 $IPTABLES -A xenophobe
-m conntrack
--ctstate ESTABLISHED
,RELATED
-j RETURN
188 $IPTABLES -A xenophobe
-j REJECT
--reject-with icmp
-port-unreachable
190 $IP6TABLES -N xenophobe
191 $IP6TABLES -A xenophobe
-m conntrack
--ctstate ESTABLISHED
,RELATED
-j RETURN
192 $IP6TABLES -A xenophobe
-j REJECT
--reject-with icmp6
-port-unreachable
194 # create ipsets for v4 and v6
# Idempotent (-exist) creation of NAME and NAME6 net sets. NOTE(review): two create forms appear
# (with and without "counters", original lines 197-198 vs 202-203); the condition choosing
# between them is not in the excerpt. The trusted/trusted6 sets matched at original lines
# 244-245 are not created here — presumably they persist from elsewhere; if absent, those rules
# fail to load and the trusted accept is simply missing.
195 for s
in xenophobe sinokorea
197 $IPSET create
"$s" -exist hash:net counters
198 $IPSET create
"$s"6 -exist hash:net family inet6 counters
202 $IPSET create
"$s" -exist hash:net
203 $IPSET create
"$s"6 -exist hash:net family inet6
206 # create ipsets shared by v4 and v6
# Port bitmaps used by the "allowed ports" rules at original lines 281-284.
207 for s
in allowed_udp allowed_tcp
209 $IPSET create
"$s" -exist bitmap
:port range
0-65535
217 # allow local traffic
# v4 OUTPUT policy is ACCEPT, so only INPUT needs the loopback rule; v6 needs both directions.
218 $IPTABLES -A INPUT
-i lo
-j ACCEPT
219 $IP6TABLES -A INPUT
-i lo
-j ACCEPT
220 $IP6TABLES -A OUTPUT
-o lo
-j ACCEPT
222 # allow anything out to v6
223 $IP6TABLES -A OUTPUT
-o ${EXT6_IF} -j ACCEPT
225 # allow all internal traffic in
# -I puts this at the top of v6 INPUT, ahead of every check that follows (rt-type, sets, flags).
226 $IP6TABLES -I INPUT
-i ${INT6_IF} -j ACCEPT
# ICMP accepted unrestricted on v4 INPUT; all ICMPv6 types accepted on INPUT, OUTPUT and FORWARD.
# No type or rate restriction is applied in the lines shown.
229 $IPTABLES -A INPUT
-p icmp
-j ACCEPT
230 $IP6TABLES -A INPUT
-p ipv6
-icmp -j ACCEPT
231 $IP6TABLES -A OUTPUT
-p ipv6
-icmp -j ACCEPT
232 $IP6TABLES -A FORWARD
-p ipv6
-icmp -j ACCEPT
234 # drop source-route headered v6
# Falls back to a warning on stderr when the rt match extension is unavailable.
235 $IP6TABLES -A INPUT
-m rt
--rt-type 0 -j DROP
|| echo "MISSING RT MATCH" 1>&2
237 # drop bad packets; these are all illegal combinations
# Each entry is a "MASK COMP" pair; ${flags} is left unquoted on purpose so it word-splits into
# the two --tcp-flags arguments. Only the v4 loop appears in the excerpt; no ip6tables
# equivalent is visible.
238 for flags
in 'ALL FIN,URG,PSH' 'ALL ALL' 'ALL SYN,RST,ACK,FIN,URG' 'ALL NONE' 'SYN,RST SYN,RST' 'SYN,FIN SYN,FIN'
240 $IPTABLES -A INPUT
-p tcp
--tcp-flags ${flags} -j DROP
243 # allow trusted things
# Evaluated before the set-based rejects below, so a trusted source is never sent to xenophobe.
244 $IPTABLES -A INPUT
-m set --match-set trusted src
-j ACCEPT
245 $IP6TABLES -A INPUT
-m set --match-set trusted6 src
-j ACCEPT
247 # drop sketchy things
248 $IPTABLES -A INPUT
-m set --match-set xenophobe src
-j xenophobe
249 $IP6TABLES -A INPUT
-m set --match-set xenophobe6 src
-j xenophobe
251 # drop asia from ssh and smtp
# Only ssh and smtp are rejected for the sinokorea sets; other services are unaffected.
252 $IPTABLES -A INPUT
-m set --match-set sinokorea src
-m multiport
-p tcp
--dports ssh,smtp
-j xenophobe
253 $IP6TABLES -A INPUT
-m set --match-set sinokorea6 src
-m multiport
-p tcp
--dports ssh,smtp
-j xenophobe
255 # don't forward packets in
# v4 FORWARD policy is ACCEPT, so this single rule is what keeps the outside from opening
# connections through the router; everything else is forwarded.
256 $IPTABLES -A FORWARD
-i ${EXT_IF} -m conntrack
--ctstate NEW
,INVALID
-j DROP
258 # forward from internal site subnet
# v6 FORWARD policy is DROP: only NEW flows from SUBNET6 on INT6_IF toward EXT6_IF (here) and
# ESTABLISHED,RELATED traffic (original line 264) are forwarded.
259 $IP6TABLES -A FORWARD
-i ${INT6_IF} -o ${EXT6_IF} -s ${SUBNET6} -m conntrack
--ctstate NEW
-j ACCEPT
261 # allow things we've dealt with
# Note the order: this accept comes *after* the set-match rules, so every packet of an
# established connection from a listed source is still sent through xenophobe, whose RETURN for
# ESTABLISHED,RELATED then lets it reach this rule.
262 $IPTABLES -A INPUT
-m conntrack
--ctstate RELATED
,ESTABLISHED
-j ACCEPT
263 $IP6TABLES -A INPUT
-m conntrack
--ctstate RELATED
,ESTABLISHED
-j ACCEPT
264 $IP6TABLES -A FORWARD
-m conntrack
--ctstate ESTABLISHED
,RELATED
-j ACCEPT
266 # accept ipv6 link-local
267 $IP6TABLES -A INPUT
-s fe80
::/10 -j ACCEPT
268 $IP6TABLES -A OUTPUT
-s fe80
::/10 -j ACCEPT
270 # accept ipv6 multicast
271 $IP6TABLES -A INPUT
-s ff00
::/8 -j ACCEPT
272 $IP6TABLES -A OUTPUT
-s ff00
::/8 -j ACCEPT
# Source-NAT everything leaving EXT_IF to the external address ${EXT} (EXT is defined outside
# this excerpt).
275 $IPTABLES -t nat
-A POSTROUTING
-o ${EXT_IF} -j SNAT
--to ${EXT}
277 # accept internal network traffic
278 $IPTABLES -A INPUT
-i ${INT_IF} -j ACCEPT
280 # accept list of external ports
# Inbound services: any TCP/UDP destination port present in the allowed_tcp/allowed_udp bitmaps
# is accepted on the external interface from any source not already handled by the set-based
# rules above. The sets' contents are populated outside this excerpt.
281 $IPTABLES -A INPUT
-i ${EXT_IF} -p tcp
-m set --match-set allowed_tcp dst
-j ACCEPT
282 $IPTABLES -A INPUT
-i ${EXT_IF} -p udp
-m set --match-set allowed_udp dst
-j ACCEPT
283 $IP6TABLES -A INPUT
-i ${EXT6_IF} -p tcp
-m set --match-set allowed_tcp dst
-j ACCEPT
284 $IP6TABLES -A INPUT
-i ${EXT6_IF} -p udp
-m set --match-set allowed_udp dst
-j ACCEPT
287 # inserts, so stack order matters
# Closing section: presumably restarts fail2ban via ${F2B_CTL} when it was stopped earlier; the
# body of this if and whatever follows original line 292 are not in the excerpt.
292 if [ ${f2b_needs_attention} -eq 1 ]; then