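# some system-specific config...
# IPv6 prefix of the internal site network; the v6 FORWARD accept rule later
# only admits new flows whose source is inside this prefix.
SUBNET6='2001:470:1f05:cb8::/64'
# note that behavior between v4 and v6 is slightly different
# Tool locations. `command -v` is the shell builtin lookup; `which` is an
# external program whose output and exit status differ between systems.
# Either variable ends up empty when the tool is not installed (no abort here,
# so the dry-run mode below still works on a box without netfilter tools).
IPTABLES=$(command -v iptables)
IP6TABLES=$(command -v ip6tables)
SYSCTL=/usr/sbin/sysctl
F2B_CTL="/etc/init.d/fail2ban"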
# Dry-run guard: unless the first argument is literally "commit", every
# privileged tool is replaced by "echo <tool>", so the rest of the script only
# prints the commands it would run. This relies on the variables being
# expanded UNQUOTED at every call site, so "echo" and the path split into two
# words — quoting "$IPTABLES" anywhere below would break the dry-run.
if [ "commit" != "$1" ]; then
  IPTABLES="echo ${IPTABLES}"
  IP6TABLES="echo ${IP6TABLES}"
  SYSCTL="echo ${SYSCTL}"
  F2B_CTL="echo ${F2B_CTL}"
# fail2ban writes its own chains, don't flush tables before shutting it down
# The assignment's exit status is cat's: a missing pid file skips the whole
# check (cat's own error message still goes to stderr).
if f2b_pid=$(cat /var/run/fail2ban/fail2ban.pid)
  # Confirm the pid actually belongs to fail2ban-server instead of trusting a
  # stale pid file whose number another process may have reused since.
  f2b_comm=`ps -o comm= -p ${f2b_pid}`
  # presumably the f2b_needs_attention flag tested further down is set in
  # this branch — verify against the full script
  if [ "fail2ban-server" = "${f2b_comm}" ]; then
#######################################
# Apply a sysctl only when its current value differs from the requested one.
# Globals:   SYSCTL (read)
# Arguments: $1 - sysctl key, $2 - desired value
# Outputs:   "setting <key> to <value>" on stdout when a change is made
#######################################
function sysctl_set(){
  # -n prints just the value, -e ignores unknown keys. The substitution is
  # unquoted: an empty result (unknown key, failed read) leaves `[` with a
  # missing operand and the test errors out instead of comparing.
  # NOTE(review): in dry-run mode $SYSCTL is "echo <path>", so the
  # substitution expands to several words and `[` reports "too many
  # arguments" — the sysctl changes are never previewed. Quoting the
  # substitution ("$(...)") would make both modes a plain string compare.
  if [ "$2" != $($SYSCTL -ne "$1") ]
    echo "setting $1 to $2"
# Kernel network hardening, applied through sysctl_set so values that already
# match are left untouched. Each entry is "<key> <value>", applied in order.
sysctl_settings=(
  # enable forwarding for v4 and v6
  'net.ipv4.ip_forward 1'
  'net.ipv6.conf.all.forwarding 1'
  # disable routing triangulation; queries go out same interface
  'net.ipv4.conf.all.rp_filter 1'
  # log malformed packets
  #${SYSCTL} -w net.ipv4.conf.all.log_martians=1
  # NOTE(review): the comment above says "log", but 0 turns martian logging
  # off — confirm which is intended.
  'net.ipv4.conf.all.log_martians 0'
  # neither send nor accept ICMP redirects
  'net.ipv4.conf.all.send_redirects 0'
  'net.ipv4.conf.all.accept_redirects 0'
  # disable source routed packets
  'net.ipv4.conf.all.accept_source_route 0'
  # SYN cookies keep the listen queue usable under a SYN flood
  'net.ipv4.tcp_syncookies 1'
)
for kv in "${sysctl_settings[@]}"; do
  sysctl_set "${kv%% *}" "${kv#* }"
done
# Only touch fail2ban when it was found running above.
# NOTE(review): ${f2b_needs_attention} is unquoted — if it is never assigned,
# `[ -eq 1 ]` is a test error rather than a false result; `${f2b_needs_attention:-0}`
# would make the unset case explicit.
if [ ${f2b_needs_attention} -eq 1 ]; then
# Flush before the rules below are re-added, so re-running the script does not
# stack duplicates.
${IPTABLES} -F FORWARD
${IPTABLES} -F -t mangle
$IP6TABLES -F -t mangle
# Default policies. v4: inbound closed, outbound and forwarding open (the
# FORWARD rule on ${EXT_IF} further down is what keeps unsolicited traffic
# from being forwarded inward). v6: everything closed; each allowed flow is an
# explicit rule. The policies are set before any accept rule exists, so an
# existing remote session loses inbound packets until the ESTABLISHED rule is
# appended later in the script.
$IPTABLES -P INPUT DROP
$IPTABLES -P OUTPUT ACCEPT
$IPTABLES -P FORWARD ACCEPT
$IP6TABLES -P INPUT DROP
$IP6TABLES -P OUTPUT DROP
$IP6TABLES -P FORWARD DROP
# Traffic shaping lives in a separate script. The path is relative, so it
# resolves against whatever directory the script is started from.
./shaper.sh ${EXT_IF}
# reserve a special place in hell for some people
# User chain "xenophobe": packets belonging to a flow that was already
# accepted return to the caller; everything else is rejected with an explicit
# port-unreachable rather than silently dropped. Same shape for v4 and v6.
$IPTABLES -N xenophobe
$IPTABLES -A xenophobe -m conntrack --ctstate ESTABLISHED,RELATED -j RETURN
$IPTABLES -A xenophobe -j REJECT --reject-with icmp-port-unreachable
$IP6TABLES -N xenophobe
$IP6TABLES -A xenophobe -m conntrack --ctstate ESTABLISHED,RELATED -j RETURN
$IP6TABLES -A xenophobe -j REJECT --reject-with icmp6-port-unreachable

# create ipsets for v4 and v6
# -exist makes re-creation idempotent on re-runs; the "6" suffix is the inet6
# twin of each set. Two variants exist, with and without per-entry counters.
# NOTE(review): confirm $IPSET gets the same dry-run "echo" treatment as
# $IPTABLES; otherwise these create sets for real without "commit".
for s in xenophobe sinokorea
  $IPSET create "$s" -exist hash:net counters
  $IPSET create "$s"6 -exist hash:net family inet6 counters
  $IPSET create "$s" -exist hash:net
  $IPSET create "$s"6 -exist hash:net family inet6
# create ipsets shared by v4 and v6
# Port bitmaps covering the whole port range; no address family involved, so
# one set serves both v4 and v6 rules.
for s in allowed_udp allowed_tcp
  $IPSET create "$s" -exist bitmap:port range 0-65535
# allow local traffics
$IPTABLES -A INPUT -i lo -j ACCEPT
$IP6TABLES -A INPUT -i lo -j ACCEPT
# v6 OUTPUT policy is DROP, so loopback needs an explicit rule on the way out
$IP6TABLES -A OUTPUT -o lo -j ACCEPT
# allow anything out to v6
$IP6TABLES -A OUTPUT -o ${EXT6_IF} -j ACCEPT
# allow all internal traffic in
# -I (not -A) puts this at the head of INPUT, ahead of the rules appended above
$IP6TABLES -I INPUT -i ${INT6_IF} -j ACCEPT
# ICMP is accepted wholesale on v4 (every type, no rate limit). ICMPv6 is
# allowed in, out and through; it carries neighbor discovery and PMTU, so
# filtering it breaks v6 connectivity.
$IPTABLES -A INPUT -p icmp -j ACCEPT
$IP6TABLES -A INPUT -p ipv6-icmp -j ACCEPT
$IP6TABLES -A OUTPUT -p ipv6-icmp -j ACCEPT
$IP6TABLES -A FORWARD -p ipv6-icmp -j ACCEPT
# drop source-route headered v6
# Type 0 routing headers (deprecated RH0) let a sender dictate the packet's
# path. If the kernel lacks the rt match the rule is simply not added: the
# script only prints a warning and v6 source-routed packets stay unfiltered.
$IP6TABLES -A INPUT -m rt --rt-type 0 -j DROP || echo "MISSING RT MATCH" 1>&2
# drop bad packets; these are all illegal combinations
# Each entry is "<mask> <set flags>" for --tcp-flags; ${flags} is deliberately
# unquoted so the pair word-splits into the two arguments the match expects.
# These rules are v4 INPUT only; there is no v6 counterpart here.
for flags in 'ALL FIN,URG,PSH' 'ALL ALL' 'ALL SYN,RST,ACK,FIN,URG' 'ALL NONE' 'SYN,RST SYN,RST' 'SYN,FIN SYN,FIN'
  $IPTABLES -A INPUT -p tcp --tcp-flags ${flags} -j DROP
# allow trusted things
# "trusted"/"trusted6" are not among the sets created above, so they must
# already exist when this runs; if they do not, iptables refuses the rule and
# (with no set -e) the script carries on without the allow-list.
$IPTABLES -A INPUT -m set --match-set trusted src -j ACCEPT
$IP6TABLES -A INPUT -m set --match-set trusted6 src -j ACCEPT
# drop sketchy things
# Order matters: trusted is consulted first, so a trusted source also listed
# in xenophobe still gets in. Everything else in the set goes to the reject
# chain for all ports.
$IPTABLES -A INPUT -m set --match-set xenophobe src -j xenophobe
$IP6TABLES -A INPUT -m set --match-set xenophobe6 src -j xenophobe
# drop asia from ssh and smtp
# Sources in sinokorea are rejected only for ssh and smtp; the rest of their
# traffic falls through to the rules below.
$IPTABLES -A INPUT -m set --match-set sinokorea src -m multiport -p tcp --dports ssh,smtp -j xenophobe
$IP6TABLES -A INPUT -m set --match-set sinokorea6 src -m multiport -p tcp --dports ssh,smtp -j xenophobe
# don't forward packets in
# v4 FORWARD policy is ACCEPT, so this single rule is what stops unsolicited
# (NEW) and INVALID traffic arriving on ${EXT_IF} from being forwarded inward;
# replies to internally-initiated flows are ESTABLISHED and pass.
$IPTABLES -A FORWARD -i ${EXT_IF} -m conntrack --ctstate NEW,INVALID -j DROP
# forward from internal site subnet
# v6 FORWARD policy is DROP: only new flows sourced from ${SUBNET6} entering on
# ${INT6_IF} and leaving on ${EXT6_IF} are admitted, plus the
# ESTABLISHED,RELATED rule below for their return traffic.
$IP6TABLES -A FORWARD -i ${INT6_IF} -o ${EXT6_IF} -s ${SUBNET6} -m conntrack --ctstate NEW -j ACCEPT
# allow things we've dealt with
$IPTABLES -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
$IP6TABLES -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
$IP6TABLES -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# accept ipv6 link-local
# Matched on source address only (no -i), so link-local sources are accepted
# on every interface, ${EXT6_IF} included.
$IP6TABLES -A INPUT -s fe80::/10 -j ACCEPT
$IP6TABLES -A OUTPUT -s fe80::/10 -j ACCEPT
# accept ipv6 multicast
# NOTE(review): ff00::/8 is the multicast *destination* range; a multicast
# address never appears as a source, so matching it with -s accepts nothing.
# Confirm whether -d was meant.
$IP6TABLES -A INPUT -s ff00::/8 -j ACCEPT
$IP6TABLES -A OUTPUT -s ff00::/8 -j ACCEPT
# Rewrite outbound v4 from the internal side to ${EXT}, presumably the fixed
# external address (SNAT needs a static address; MASQUERADE would be the
# choice for a dynamic one).
$IPTABLES -t nat -A POSTROUTING -o ${EXT_IF} -j SNAT --to ${EXT}
# accept internal network traffic
$IPTABLES -A INPUT -i ${INT_IF} -j ACCEPT
# Per-service rules live in a separate script; like shaper.sh the path is
# relative to the directory the script is started from.
./services ${EXT_IF} ${EXT6_IF}
204 # inserts, so stack order matters
209 if [ ${f2b_needs_attention} -eq 1 ]; then