Howdy. Welcome to Madlinux Forum/Blog
Topic: ipf.rules sample config file. Runs on FreeBSD Unix (Read 900 times)
Author: zzsql (Administrator, Full Member, Posts: 205)
Posted on: July 16, 2008, 04:25:58 AM
This is a typical ipf.rules file that configures your firewall.
Here you can see how 22/SSH and 80/TCP are permitted.
ALL else is dropped.
This breaks RFCs and might be better if I permitted some ICMP error reporting, but I'm not a high-flow destination.
Try FreeBSD Unix. It's wonderful!
# Reparse the ruleset: ipf -Fa -f /etc/ipf.rules
# Specific IP addresses require the /32
# Block entire subnets with /8, /16, /24 or custom /28
# Blocks at the top are recommended
# Enable the firewall in rc.conf
# Let me in you bastard guy!
# This kinda trumps all other denys.
# pass in log quick on xl0 proto tcp from any to any port = 22 flags S keep frags keep state
# From 10.5 home net.
pass in log quick from 10.5.1.0/24 to any port = 22 keep state
block in log quick from any to any port = 22
# identd
# pass in log quick on xl0 from any to any port = 113
# now, only for udp
pass in log quick on xl0 proto udp from any to any port = 113
# Interlopers
block in quick from 66.225.225.224/32 to any
block in quick from 64.236.240.190/32 to any
block in quick from 71.56.150.108/32 to any
# advertisers:
block in quick from 204.16.208.59/32 to any
# Chinese
block in log quick from 221.10.0.0/16 to any
# Israelis
block in log quick from 85.0.0.0/8 to any
# Russians
block in log quick from 81.0.0.0/8 to any
# repeated scanning
block in log quick from 71.56.123.125/32 to any
block in log quick from 71.56.255.188/32 to any
# Allow all else to port 80
pass in quick on xl0 proto tcp from any to any port = 80
# Allow ssh only from 10.5.1.0/24, internal net.
pass in quick on xl0 proto tcp from 10.5.1.0/24 to any
# block all other ssh src
block in log quick on xl0 proto tcp from any to any port = 22
# Block tiny IP frags
block in quick on xl0 all with frags
# Block short tcp packets
block in quick on xl0 proto tcp all with short
# block source routed packets
block in quick on xl0 all with opt lsrr
block in quick on xl0 all with opt ssrr
# Block nmap OS fingerprint attempts
# Log first occurrence of these so I can get their IP address
block in log first quick on xl0 proto tcp from any to any flags FUP
# Block anything with special options
block in quick on xl0 all with ipopts
# Logging incoming mail ports TCP 25, 587 and 22
pass in log quick on xl0 proto tcp from any to any port = 25
# pass in log quick on xl0 proto tcp from any to any port = 587
# pass in log quick on xl0 proto tcp from any to any port = 22
# loopback in/out:
pass in quick on lo0 all
pass out quick on lo0 all
# Allow all outgoing ssh
pass out quick on xl0 proto tcp from any to any port = 22 flags S keep frags keep state
#### Then allow other web visitors ####
pass in quick on xl0 proto tcp from any to any port = 80 flags S keep frags keep state
pass out quick on xl0 proto tcp from any to any port = 80 flags S keep frags keep state
#### Allow DNS lookups ####
pass out quick on xl0 proto udp from any to any port = 53 keep state keep frags
# Allow other requests out like ftp, icmp, udp.
# The UDP below probably duplicates dns lookups allow above.
# pass out quick on xl0 proto tcp from any to any keep frags keep state
pass out quick on xl0 proto tcp from any to any flags S keep frags keep state
pass out quick on xl0 proto udp from any to any keep state keep frags
pass out quick on xl0 proto icmp from any to any keep state
pass out quick on xl0 from 10.5.1.10 to any
# Dump all else. Who needs them? (Block by default)
block in log quick on xl0 all
block out quick on xl0 all
# Unused
# Isn't that ident service?
# pass in quick on xl0 proto tcp from any to any port = 113 flags S keep frags keep state
# DHCP, not necessary unless NAT-ing for DHClients
# pass in log quick on xl0 proto udp from any to any port = 68 keep state
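A way to check what the ruleset above actually decides for a given packet, as an added example for this thread (it is not part of zzsql's post and not ipf code): the script below parses a constructed subset of the posted inbound rules, in their posted order, and replays ipf's matching semantics (the last match decides, except that a `quick` match is final, and a packet matching nothing is passed). Assumptions: 10.5.1.10, the address in the post's outbound rule, is taken to be the firewall's own address; packets are fresh SYN-only connection attempts unless told otherwise; `port = N` is read as a destination port because that is how the posted file uses it; the sample sources 10.5.1.7, 203.0.113.5 and the listed "interloper" 66.225.225.224 are constructed inputs.

```python
"""Evaluate packets against a subset of the posted ipf.rules to see which rule decides.

Added example for this thread (not zzsql's post, not ipf code). Modelled semantics: rules are
scanned top to bottom and the LAST match decides, unless a matching rule says 'quick', which
ends the scan; with no match at all the packet is passed. Only the posted syntax is handled.
"""
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional, Set, Tuple

# Constructed subset of the posted inbound rules, kept in their original order.
RULES_TEXT = """
pass in log quick from 10.5.1.0/24 to any port = 22 keep state
block in log quick from any to any port = 22
pass in log quick on xl0 proto udp from any to any port = 113
block in quick from 66.225.225.224/32 to any
pass in quick on xl0 proto tcp from any to any port = 80
pass in quick on xl0 proto tcp from 10.5.1.0/24 to any
block in quick on xl0 all with frags
block in log first quick on xl0 proto tcp from any to any flags FUP
block in log quick on xl0 all
"""

@dataclass
class Rule:
    action: str
    text: str
    quick: bool = False
    iface: Optional[str] = None
    proto: Optional[str] = None
    src: Optional[ipaddress.IPv4Network] = None   # None stands for 'any'
    dst: Optional[ipaddress.IPv4Network] = None
    dport: Optional[int] = None
    # ipf's default flag mask is FSRPAU, so 'flags S' means SYN set and the rest clear
    flags: Optional[str] = None
    attrs: Set[str] = field(default_factory=set)  # 'with ...' conditions

@dataclass
class Packet:
    src: str
    dport: Optional[int] = None
    dst: str = "10.5.1.10"      # assumed firewall address: the one in the post's outbound rule
    proto: str = "tcp"
    iface: str = "xl0"
    flags: str = "S"            # a fresh connection attempt: SYN only
    attrs: Set[str] = field(default_factory=set)  # e.g. {'frags'} for a fragmented packet

def _net(tok: str) -> Optional[ipaddress.IPv4Network]:
    return None if tok == "any" else ipaddress.ip_network(tok, strict=False)

def parse_rule(line: str) -> Rule:
    toks = line.split()
    rule = Rule(action=toks[0], text=line)   # toks[1] is the direction; all rules here are 'in'
    i = 2
    while i < len(toks):
        t = toks[i]
        if t == "quick":
            rule.quick = True
        elif t in ("log", "first", "all"):   # logging never changes the verdict; 'all' = any to any
            pass
        elif t in ("on", "proto", "flags"):  # single-argument keywords
            setattr(rule, {"on": "iface", "proto": "proto", "flags": "flags"}[t], toks[i + 1]); i += 1
        elif t in ("from", "to"):
            setattr(rule, "src" if t == "from" else "dst", _net(toks[i + 1])); i += 1
        elif t == "port":                    # 'port = N' follows 'to' in the posted file: a destination port
            rule.dport = int(toks[i + 2]); i += 2
        elif t == "keep":                    # 'keep state' / 'keep frags' affect tracking, not matching
            i += 1
        elif t == "with":                    # 'with frags', 'with short', 'with ipopts', 'with opt lsrr'
            attr = toks[i + 1]
            if attr == "opt":
                attr = "opt " + toks[i + 2]; i += 1
            rule.attrs.add(attr); i += 1
        else:
            raise ValueError(f"unsupported token {t!r} in rule: {line}")
        i += 1
    return rule

def matches(r: Rule, p: Packet) -> bool:
    return ((r.iface is None or r.iface == p.iface)
            and (r.proto is None or r.proto == p.proto)
            and (r.src is None or ipaddress.ip_address(p.src) in r.src)
            and (r.dst is None or ipaddress.ip_address(p.dst) in r.dst)
            and (r.dport is None or r.dport == p.dport)
            and (r.flags is None or set(r.flags) == set(p.flags))
            and r.attrs <= p.attrs)

def evaluate(rules: List[Rule], p: Packet) -> Tuple[str, Optional[str]]:
    verdict, decided_by = "pass", None       # no match at all: ipf passes the packet
    for r in rules:
        if matches(r, p):
            verdict, decided_by = r.action, r.text
            if r.quick:                      # 'quick': this match is final
                break
    return verdict, decided_by

RULES = [parse_rule(l) for l in RULES_TEXT.splitlines() if l.strip()]

def check(src: str, dport: Optional[int] = None, **kw) -> str:
    return evaluate(RULES, Packet(src=src, dport=dport, **kw))[0]
```

`check("203.0.113.5", 22)` returns the verdict; `evaluate(RULES, Packet(src="203.0.113.5", dport=22))` also names the rule that decided. Two things the run makes visible: the home-net rule `pass in quick on xl0 proto tcp from 10.5.1.0/24 to any` admits any TCP from that net, not just SSH, and because the `with frags` block sits below the port 80 pass rule, a fragmented packet aimed at port 80 is passed in this model, which is the point of the "Blocks at the top are recommended" comment.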
Re: ipf.rules sample config file. Runs on FreeBSD Unix
Reply #1 by zzsql (Administrator, Full Member, Posts: 205) on: August 25, 2008, 04:30:16 PM
I haven't updated this yet.
Re: ipf.rules sample config file. Runs on FreeBSD Unix
Reply #2 by zzsql (Administrator, Full Member, Posts: 205) on: June 17, 2010, 06:12:43 AM
Here's a standard iptables config script for a Linux box:
#!/bin/sh
echo ""
echo " setting global variables"
echo ""
export PATH=/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin:/usr/local/sbin
iptables="/sbin/iptables"
# adjust /proc
echo " applying general security settings to /proc filesystem"
echo ""
if [ -e /proc/sys/net/ipv4/tcp_syncookies ]; then echo 1 > /proc/sys/net/ipv4/tcp_syncookies; fi
if [ -e /proc/sys/net/ipv4/conf/all/rp_filter ]; then echo 1 > /proc/sys/net/ipv4/conf/all/rp_filter; fi
if [ -e /proc/sys/net/ipv4/ip_forward ]; then echo 1 > /proc/sys/net/ipv4/ip_forward; fi
# load some modules
if [ -e /lib/modules/`uname -r`/kernel/net/ipv4/netfilter/ip_nat_irc.o ]; then modprobe ip_nat_irc; fi
if [ -e /lib/modules/`uname -r`/kernel/net/ipv4/netfilter/ip_conntrack_irc.o ]; then modprobe ip_conntrack_irc; fi
if [ -e /lib/modules/`uname -r`/kernel/net/ipv4/netfilter/ip_conntrack_ftp.o ]; then modprobe ip_conntrack_ftp; fi
if [ -e /lib/modules/`uname -r`/kernel/net/ipv4/netfilter/ip_nat_ftp.o ]; then modprobe ip_nat_ftp; fi
# flush any existing chains and set default policies
$iptables -F INPUT
$iptables -F OUTPUT
$iptables -P INPUT DROP
$iptables -P OUTPUT ACCEPT
# setup nat
echo " applying nat rules"
echo ""
$iptables -F FORWARD
$iptables -F -t nat
$iptables -P FORWARD DROP
$iptables -A FORWARD -i eth0 -j ACCEPT
$iptables -A INPUT -i eth0 -j ACCEPT
$iptables -A OUTPUT -o eth0 -j ACCEPT
$iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
$iptables -t nat -A POSTROUTING -s 10.5.2.0/24 -o eth1 -j SNAT --to-source 10.5.1.3
# allow all packets on the loopback interface
$iptables -A INPUT -i lo -j ACCEPT
$iptables -A OUTPUT -o lo -j ACCEPT
# allow established and related packets back in
$iptables -A INPUT -i eth1 -m state --state ESTABLISHED,RELATED -j ACCEPT
# blocking reserved private networks incoming from the internet
echo " applying incoming internet blocking of reserved private networks"
echo ""
#$iptables -I INPUT -i eth1 -s 10.0.0.0/8 -j DROP
$iptables -I INPUT -i eth1 -s 172.16.0.0/12 -j DROP
$iptables -I INPUT -i eth1 -s 192.168.0.0/16 -j DROP
$iptables -I INPUT -i eth1 -s 127.0.0.0/8 -j DROP
#$iptables -I FORWARD -i eth1 -s 10.0.0.0/8 -j DROP
$iptables -I FORWARD -i eth1 -s 172.16.0.0/12 -j DROP
$iptables -I FORWARD -i eth1 -s 192.168.0.0/16 -j DROP
$iptables -I FORWARD -i eth1 -s 127.0.0.0/8 -j DROP
# blocked hosts
echo " dropping all packets from blocked hosts"
echo ""
#$iptables -I INPUT -s 80.80.32.0/24 -j DROP
#$iptables -I FORWARD -s 80.80.32.0/24 -j DROP
# icmp
echo " applying icmp rules"
echo ""
$iptables -A OUTPUT -p icmp -m state --state NEW -j ACCEPT
$iptables -A INPUT -p icmp -m state --state ESTABLISHED,RELATED -j ACCEPT
$iptables -A INPUT -p icmp --icmp-type echo-request -i eth1 -j DROP
$iptables -A INPUT -p icmp --icmp-type echo-request -i eth0 -j DROP
# apply icmp type match blocking
echo " applying icmp type match blocking"
echo ""
$iptables -I INPUT -p icmp --icmp-type redirect -j DROP
$iptables -I INPUT -p icmp --icmp-type router-advertisement -j DROP
$iptables -I INPUT -p icmp --icmp-type router-solicitation -j DROP
$iptables -I INPUT -p icmp --icmp-type address-mask-request -j DROP
$iptables -I INPUT -p icmp --icmp-type address-mask-reply -j DROP
# open ports to the firewall
echo " applying the open port(s) to the firewall rules"
echo ""
$iptables -A INPUT -p tcp --dport 80 -j ACCEPT
# open and forward ports to the internal machine(s)
echo " applying port forwarding rules"
echo ""
$iptables -A FORWARD -i eth1 -p tcp --dport 80 -j ACCEPT
$iptables -t nat -A PREROUTING -i eth1 -p tcp -d 10.5.1.3 --dport 80 -j DNAT --to-destination 10.5.2.10:80
# logging
echo " applying logging rules"
echo ""
$iptables -A INPUT -i eth1 -p tcp -m limit --limit 1/s --dport 0:65535 -j LOG --log-prefix "tcp connection: "
$iptables -A INPUT -i eth1 -p udp -m limit --limit 1/s --dport 0:65535 -j LOG --log-prefix "udp connection: "
# drop all other packets
echo " applying default drop policies"
echo ""
$iptables -A INPUT -i eth1 -p tcp --dport 0:65535 -j DROP
$iptables -A INPUT -i eth1 -p udp --dport 0:65535 -j DROP
echo "### firewall is loaded ###"
echo ""
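The script above mixes `-A` (append) and bare `-I` (insert at position 1), so the order the kernel ends up holding is not the order the commands are read in. As an added example for this thread (not part of zzsql's post and not iptables code), the script below replays a constructed subset of the INPUT-chain commands, rebuilds that effective order, and walks sample packets through it with first-match semantics, LOG as a non-terminating target, and the chain policy as the fallback. The nat table and `-m limit` rates are left out, and conntrack state is supplied as a packet attribute. The source addresses 203.0.113.9, 192.168.1.5 and 10.5.1.7 are constructed inputs.

```python
"""Replay an iptables script into the order the kernel holds, then evaluate packets against it.

Added example for this thread (not zzsql's post, not iptables code). '-A' appends; a bare '-I' inserts
at the HEAD of the chain, so effective order differs from script order. A packet walks the chain top
down: the first ACCEPT/DROP decides, LOG is non-terminating, policy applies when nothing matched.
"""
import ipaddress
import shlex
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

# Constructed subset of the posted script's INPUT-chain commands, in posted order.
SCRIPT = r'''
$iptables -F INPUT
$iptables -P INPUT DROP
$iptables -A INPUT -i eth0 -j ACCEPT
$iptables -A INPUT -i eth1 -m state --state ESTABLISHED,RELATED -j ACCEPT
$iptables -I INPUT -i eth1 -s 172.16.0.0/12 -j DROP
$iptables -I INPUT -i eth1 -s 192.168.0.0/16 -j DROP
$iptables -A INPUT -p icmp --icmp-type echo-request -i eth1 -j DROP
$iptables -I INPUT -p icmp --icmp-type redirect -j DROP
$iptables -A INPUT -p tcp --dport 80 -j ACCEPT
$iptables -A INPUT -i eth1 -p tcp -m limit --limit 1/s --dport 0:65535 -j LOG --log-prefix "tcp connection: "
$iptables -A INPUT -i eth1 -p tcp --dport 0:65535 -j DROP
'''

@dataclass
class Rule:
    text: str
    target: str = ""
    in_if: Optional[str] = None
    proto: Optional[str] = None
    src: Optional[ipaddress.IPv4Network] = None
    dport: Optional[Tuple[int, int]] = None   # inclusive range from --dport lo[:hi]
    icmp_type: Optional[str] = None
    states: Optional[Set[str]] = None         # from '-m state --state A,B'
    log_prefix: str = ""

@dataclass
class Packet:
    src: str
    in_if: str
    proto: str = "tcp"
    dport: Optional[int] = None
    state: str = "NEW"                        # conntrack state as '-m state' would see it
    icmp_type: Optional[str] = None

def parse_rule(toks: List[str], text: str) -> Rule:
    r = Rule(text=text)
    for opt, arg in zip(toks[::2], toks[1::2]):   # every option in the subset takes one argument
        if opt == "-i": r.in_if = arg
        elif opt == "-p": r.proto = arg
        elif opt == "-s": r.src = ipaddress.ip_network(arg, strict=False)
        elif opt == "--dport":
            lo, _, hi = arg.partition(":")
            r.dport = (int(lo), int(hi or lo))
        elif opt == "--icmp-type": r.icmp_type = arg
        elif opt == "--state": r.states = set(arg.split(","))
        elif opt == "-j": r.target = arg
        elif opt == "--log-prefix": r.log_prefix = arg
        elif opt not in ("-m", "--limit"):         # extension name / rate limit: not modelled
            raise ValueError(f"unsupported option {opt!r} in: {text}")
    return r

def replay(script: str) -> Tuple[Dict[str, List[Rule]], Dict[str, str]]:
    chains: Dict[str, List[Rule]] = {}
    policy: Dict[str, str] = {}
    for line in script.strip().splitlines():
        toks = shlex.split(line)[1:]               # drop the "$iptables" variable
        op, chain = toks[0], toks[1]
        if op == "-F":
            chains[chain] = []
        elif op == "-P":
            policy[chain] = toks[2]
        elif op in ("-A", "-I"):
            rules = chains.setdefault(chain, [])
            pos = len(rules) if op == "-A" else 0   # bare -I means position 1: the head of the chain
            rules.insert(pos, parse_rule(toks[2:], line.strip()))
    return chains, policy

def matches(r: Rule, p: Packet) -> bool:
    return ((r.in_if is None or r.in_if == p.in_if)
            and (r.proto is None or r.proto == p.proto)
            and (r.src is None or ipaddress.ip_address(p.src) in r.src)
            and (r.dport is None or (p.dport is not None and r.dport[0] <= p.dport <= r.dport[1]))
            and (r.icmp_type is None or r.icmp_type == p.icmp_type)
            and (r.states is None or p.state in r.states))

def evaluate(chains, policy, chain: str, p: Packet) -> Tuple[str, List[str]]:
    logs: List[str] = []
    for r in chains[chain]:
        if matches(r, p):
            if r.target != "LOG":                  # ACCEPT / DROP end the walk
                return r.target, logs
            logs.append(r.log_prefix)              # LOG is non-terminating: note it, keep walking
    return policy[chain], logs                     # nothing matched: the chain policy decides

CHAINS, POLICY = replay(SCRIPT)

def verdict(src: str, in_if: str, **kw) -> Tuple[str, List[str]]:
    return evaluate(CHAINS, POLICY, "INPUT", Packet(src=src, in_if=in_if, **kw))
```

`[r.text for r in CHAINS["INPUT"]]` lists the effective order: the `-I` rules for private sources and ICMP redirects sit above every `-A` rule, including the LOG rules, so `verdict("192.168.1.5", "eth1", dport=22)` is a silent `DROP` (a spoofed private source on the outside interface never reaches the logger), whereas `verdict("203.0.113.9", "eth1", dport=22)` is logged with the `tcp connection: ` prefix and then dropped. A UDP packet to a port the subset never mentions falls through to the chain policy, which is why `-P INPUT DROP` matters.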
Powered by SMF 1.1.8 | SMF © 2006-2008, Simple Machines LLC