iptables.rules.sh


# ------------------------------------------------------------------------------------------
# -- 
# ------------------------------------------------------------------------------------------
  

# Every rule in this script is issued through $IPT.
IPT="/usr/sbin/iptables"

# Interface and address that the EXT* rules below are bound to.
EXTINT="eth3"
EXTIP="130.88.zyx.wvu"


# ------------------------------------------------------------------------------------------
# -- SECTION 0.3 ::  :
# ------------------------------------------------------------------------------------------


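# Load the helper functions.  The helpers called below (restart_chain_ssh_service,
# local_interface_rules, allow_tcp_in, allow_tcp_out, allow_udp_in, allow_udp_out) are not
# defined in this script and are expected to come from this file.
#
# The file is executed with this script's privileges, so it should be writable by root only.
#
# Stop here if it cannot be read: a total restart flushes every chain further down, and
# without the helpers the rebuilt rule set would be incomplete.
if [ ! -r /root/etc/iptables.rules.functions.sh ] ; then
    echo "ERROR: cannot read /root/etc/iptables.rules.functions.sh --- no rules were changed." >&2
    exit 1
fi

. /root/etc/iptables.rules.functions.sh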


# ------------------------------------------------------------------------------------------
# -- 
# ------------------------------------------------------------------------------------------


# Dispatch on the first argument.  Only --restart-total carries on into the rest of the
# script; every other value ends the run before a single rule has been touched.
case "$1" in

    --restart-ssh-service)
        # Hand over to the helper from the sourced functions file, then stop; the exit
        # status is whatever that helper returned.
        restart_chain_ssh_service
        exit
        ;;

    --restart-total)
        echo -e "\nTotal restart..."
        ;;

    *)
        # Missing or unrecognised argument: print the usage text and leave.
        echo -e "\nDoing nothing."
        echo -e "\nUsage:"
        echo -e "    --restart-ssh-service"
        echo -e "    --restart-total  [--no-revert]"
        echo -e "\n"
        exit
        ;;

esac


# ------------------------------------------------------------------------------------------
# -- SECTION 0.1 ::  Start by cleaning the bath :
# ------------------------------------------------------------------------------------------


# Empty the three tables: -F removes every rule, -X removes every user-defined chain.
for i in filter nat mangle ; do
    $IPT -t "$i" -F
    $IPT -t "$i" -X
done

# Open the default policies while the rule set is rebuilt; the last commands of this script
# switch them to DROP.  Until then the only filtering in force is whatever has been appended
# so far, so a command that fails part-way leaves the host more open than intended.
for policy_chain in INPUT OUTPUT FORWARD ; do
    $IPT -t filter -P "$policy_chain" ACCEPT
done


# ------------------------------------------------------------------------------------------
# -- SECTION 0.2 :: DEBUG :
# ------------------------------------------------------------------------------------------

    # ...liferafts for the sysadmins in case the rules below go horribly wrong: all TCP
    #    to and from these two hosts on the external interface is accepted.
    #
    # NOTE(review): these rules are appended first and are never removed, so they stay
    # ahead of every pinhole chain in the finished rule set and are not limited to any
    # port.  Confirm that is intended beyond the debugging phase.

for host in 130.88.pqr.aaa  130.88.pqr.aab ; do
    $IPT -t filter -A INPUT  -i "$EXTINT" -p tcp -s "$host" -j ACCEPT
    $IPT -t filter -A OUTPUT -o "$EXTINT" -p tcp -d "$host" -j ACCEPT
done


# ------------------------------------------------------------------------------------------
# --
# ------------------------------------------------------------------------------------------


# -- allow traffic that belongs to, or is related to, an existing connection.
#    Neither rule names an interface or an address, so they apply to every interface.
#    NOTE(review): "-m state" is the older spelling of "-m conntrack --ctstate"; confirm
#    which one the installed iptables prefers.
#
$IPT -t filter -A INPUT  -m state --state ESTABLISHED,RELATED  -j ACCEPT
$IPT -t filter -A OUTPUT -m state --state ESTABLISHED,RELATED  -j ACCEPT


# ------------------------------------------------------------------------------------------
# -- Safety net:  revert to last saved rule set after a few minutes unless stated otherwise :
# ------------------------------------------------------------------------------------------


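# Safety net for remote administration.  Unless the operator passes --no-revert AND types
# NOREVERT, an at(1) job is queued that runs /root/etc/iptables.load_active.sh after
# REVERT_TIME, so a rule set that locks everyone out is replaced without a console visit.
#
#   $2           "--no-revert" asks to skip the safety net (needs typed confirmation)
#   Q_REV        the operator's answer; only the exact string NOREVERT skips the revert
#   REVERT_TIME  delay handed to at(1)

Q_REV=""
REVERT_TIME="2 minutes"

if [ "$2" = "--no-revert" ] ; then
    echo -e "\nNot reverting..."
    until [ "$Q_REV" = "NOREVERT" ] ; do
        echo -e "     ...enter NOREVERT to confirm or Ctrl-C to exit..."
        # -r keeps backslashes literal.  If standard input is closed (no terminal) nobody
        # can confirm: stop asking and fall back to arming the revert instead of spinning
        # round this loop forever.
        if ! read -r Q_REV ; then
            break
        fi
    done
fi

if [ "$Q_REV" = "NOREVERT" ] ; then
    echo -e "Confirmed --- NOT reverting..."
else
    echo -e "\nWill revert to saved set in $REVERT_TIME..."
    sleep 1

    # Kept as one string so the exact command can be shown to the operator; it is expanded
    # unquoted on purpose so the shell splits it back into words.
    AT_CMD="at -m -f /root/etc/iptables.load_active.sh now + $REVERT_TIME"
    echo -e "\nReverting using:"
    echo -e "    $AT_CMD\n"
    if ! $AT_CMD ; then
        # Do not stop here: the chains are already flushed and the policies are ACCEPT, so
        # finishing the rule set is safer than leaving it half-built.  Make the missing
        # safety net impossible to overlook instead.
        echo -e "\nWARNING: could not queue the revert job --- NO automatic revert is armed!" >&2
    fi
    echo -e "\nIssuing remaining firewall commands..."
fi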


# ------------------------------------------------------------------------------------------
# -- SECTION 0.4 ::
# ------------------------------------------------------------------------------------------


#
# -- some things seem to send traffic carrying this host's external address over any
#    and all interfaces, so accept it wherever it turns up :
#
# NOTE(review): the INPUT rule names no interface, so it also matches a packet arriving on
# $EXTINT whose source address merely claims to be $EXTIP.  Confirm that something else
# (reverse-path filtering, or the loopback/spoof helper called later) rejects such packets,
# or restrict this rule to the interfaces that need it.
#

$IPT -t filter -A INPUT   -s $EXTIP -j ACCEPT
$IPT -t filter -A OUTPUT  -d $EXTIP -j ACCEPT
    #
    # The mirror-image rules would accept everything addressed to, or sent from, this
    # host and so bypass every chain below.  Do not add them:
    #
    # **NOT**:    $IPT -t filter -A INPUT   -d $EXTIP -j ACCEPT     **NO!!!**
    # **NOT**:    $IPT -t filter -A OUTPUT  -s $EXTIP -j ACCEPT     **NO!!!**
    #


# ------------------------------------------------------------------------------------------
# -- SECTION 0.5 :: Other interfaces :
# ------------------------------------------------------------------------------------------


# The remaining interfaces are not filtered at all: everything arriving on them and
# everything leaving through them is accepted, whatever the protocol, port or address.
for trusted_if in eth0 eth1 eth2 ; do
    $IPT -t filter -A INPUT  -i "$trusted_if" -j ACCEPT
    $IPT -t filter -A OUTPUT -o "$trusted_if" -j ACCEPT
done


# ------------------------------------------------------------------------------------------
# -- SECTION 0.6 :: Local Interface :
# ------------------------------------------------------------------------------------------


# Rules for the local (loopback) interface are delegated to a helper that is not defined in
# this script; "LO_SPOOF" is its only argument.
# NOTE(review): presumably LO_SPOOF names a chain for loopback-spoofing checks --- confirm
# against the functions file.
local_interface_rules "LO_SPOOF" 


# ==========================================================================================
# == SECTION 1 :: TRUSTED HOSTS :
# ==========================================================================================


    # ...trusted host stuff is the first major section...
    #
    # TRUSTED_HOST accepts unconditionally.  Any chain that jumps here therefore grants
    # whatever matched its own jump rule full access on every protocol and port, so the
    # match on the jumping rule is the only control.

$IPT -N TRUSTED_HOST
$IPT -A TRUSTED_HOST -j ACCEPT


# ------------------------------------------------------------------------------------------
# -- Backups :
# ------------------------------------------------------------------------------------------


# Backup servers: all traffic between $EXTIP and each listed host on the external interface
# is sent to BACKUPS, which passes it straight on to TRUSTED_HOST (accept everything).
# No protocol or port is named, so these hosts are trusted for any service.
$IPT -N BACKUPS

# The loop values are the last two octets; "130.88." is prepended in the rules.
for host in  tbu.abc  tbu.abd
do
    $IPT -t filter -A INPUT   -i $EXTINT -d $EXTIP  -s 130.88.$host  -j BACKUPS
    $IPT -t filter -A OUTPUT  -o $EXTINT -s $EXTIP  -d 130.88.$host  -j BACKUPS
done

$IPT -A BACKUPS -j TRUSTED_HOST


# ------------------------------------------------------------------------------------------
# -- Patching :
# ------------------------------------------------------------------------------------------


# Patch sources: all traffic between $EXTIP and the two named hosts on the external
# interface is sent to PATCHING, which passes it on to TRUSTED_HOST (accept everything).
#
# NOTE(review): the hosts are given by name.  iptables resolves a name once, when the rule
# is added, so the rule trusts whatever addresses DNS returns at that moment and does not
# follow later changes; if the lookup fails the rule is not added and the script carries
# on.  No port is named either, so inbound connections from these addresses are accepted
# on any port.  Consider fixed addresses and a port restriction.
$IPT -N PATCHING


$IPT -t filter -A OUTPUT  -o $EXTINT -s $EXTIP  -d www.vendor.country  -j PATCHING
$IPT -t filter -A INPUT   -i $EXTINT -d $EXTIP  -s www.vendor.country  -j PATCHING

$IPT -t filter -A OUTPUT  -o $EXTINT -s $EXTIP  -d mirror.dom  -j PATCHING
$IPT -t filter -A INPUT   -i $EXTINT -d $EXTIP  -s mirror.dom  -j PATCHING


$IPT -A PATCHING -j TRUSTED_HOST


# ==========================================================================================
# == SECTION 2 :: PINHOLE LOOKUPS and OUTBOUND CONNECTIONS :
# ==========================================================================================


# ------------------------------------------------------------------------------------------
# -- DNS :  
# ------------------------------------------------------------------------------------------

    # ...we want to talk to our local DNS servers, and to nothing else on port 53...

$IPT -N DNS_LOOKUPS

# UDP from us to remote port 53, and UDP to us from remote port 53, on the external
# interface is handed to the DNS_LOOKUPS chain.
$IPT -t filter -A OUTPUT -o $EXTINT -s $EXTIP -p udp --dport 53 -j DNS_LOOKUPS
$IPT -t filter -A INPUT  -i $EXTINT -d $EXTIP -p udp --sport 53 -j DNS_LOOKUPS

# allow_udp_out is defined outside this script; presumably it adds ACCEPT rules to the
# named chain for each listed server --- confirm against the functions file.
allow_udp_out  DNS_LOOKUPS  130.88.ac.efg  130.88.ac.efh  130.88.baa.ghi 

# Whatever the helper did not deal with is logged and then dropped.
$IPT -t filter -A DNS_LOOKUPS  -j LOG  --log-prefix " **DNS_LOOKUPS DROP** "
$IPT -t filter -A DNS_LOOKUPS  -j DROP
    #
    # -- Pinhole chain:
    #     -- default-log-and-drop;
    #         -- we should use only trusted DNS servers, else nothing is secure!
    #
    # NOTE(review): only UDP is pinholed.  DNS answers that need TCP are not covered here
    # and fall through to the default rules --- confirm that is acceptable.  The LOG rule
    # has no rate limit.
    #


# ------------------------------------------------------------------------------------------
# -- SysLog :
# ------------------------------------------------------------------------------------------

    # ...allow out UDP packets to our remote syslog servers...

$IPT -N SYSLOG_OUT

# UDP from us to remote port 514, and UDP to us from remote port 514, on the external
# interface is handed to the SYSLOG_OUT chain.
$IPT -t filter -A OUTPUT -o $EXTINT -s $EXTIP -p udp --dport 514 -j SYSLOG_OUT
$IPT -t filter -A INPUT  -i $EXTINT -d $EXTIP -p udp --sport 514 -j SYSLOG_OUT

# allow_udp_out is defined outside this script; presumably it adds ACCEPT rules to the
# named chain for each listed server --- confirm against the functions file.  The servers
# are given by name, which iptables resolves once, when the rule is added.
allow_udp_out  SYSLOG_OUT  syslogone.manc.ac.uk  syslogtwo.manc.ac.uk

# Whatever the helper did not deal with is logged and then dropped.
$IPT -t filter -A SYSLOG_OUT  -j LOG  --log-prefix " **SYSLOG_OUT DROP** "
$IPT -t filter -A SYSLOG_OUT  -j DROP
    #
    # -- Pinhole chain:
    #     -- default-log-and-drop;
    #         -- we should copy syslogs to only trusted syslog servers...
    #


# ------------------------------------------------------------------------------------------
# -- SMTP :
# ------------------------------------------------------------------------------------------

    # ...allow email out to the given relay (e.g., "your job has finished..."), but no
    #    connection inward...

$IPT -N SMTP_OUT

# TCP from us to remote port 25, and TCP to us from remote port 25, on the external
# interface is handed to the SMTP_OUT chain.
$IPT -t filter -A OUTPUT -o $EXTINT  -p tcp --dport 25  -s $EXTIP  -j SMTP_OUT
$IPT -t filter -A INPUT  -i $EXTINT  -p tcp --sport 25  -d $EXTIP  -j SMTP_OUT

# allow_tcp_out is defined outside this script; presumably it adds ACCEPT rules to the
# named chain for the listed relay --- confirm against the functions file.  The relay is
# given by name, which iptables resolves once, when the rule is added.
allow_tcp_out  SMTP_OUT  relay.manc.ac.uk  
 
# Whatever the helper did not deal with is logged and then dropped.
$IPT -t filter -A SMTP_OUT  -j LOG  --log-prefix " **SMTP_OUT DROP** "
$IPT -t filter -A SMTP_OUT  -j DROP
    #
    # -- Pinhole chain:
    #     -- default-log-and-drop;
    #         -- we should be using the UoM SMTP relay for everything.
    #


# ------------------------------------------------------------------------------------------
# -- NTP (Pub Int) :  
# ------------------------------------------------------------------------------------------

    # ...we want to talk to our local NTP servers...

$IPT -N NTP_LOOKUPS

# UDP from us to remote port 123, and UDP to us from remote port 123, on the external
# interface is handed to the NTP_LOOKUPS chain.
$IPT -t filter -A OUTPUT -o $EXTINT -s $EXTIP -p udp --dport 123 -j NTP_LOOKUPS
$IPT -t filter -A INPUT  -i $EXTINT -d $EXTIP -p udp --sport 123 -j NTP_LOOKUPS

# allow_udp_out is defined outside this script; presumably it adds ACCEPT rules to the
# named chain for each listed server --- confirm against the functions file.  The servers
# are given by name, which iptables resolves once, when the rule is added.
allow_udp_out  NTP_LOOKUPS  ntpone.manc.ac.uk  ntptwo.manc.ac.uk  

# Whatever the helper did not deal with is logged and then dropped.
$IPT -t filter -A NTP_LOOKUPS  -j LOG  --log-prefix " **NTP_LOOKUPS DROP** "
$IPT -t filter -A NTP_LOOKUPS  -j DROP
    #
    # -- Pinhole chain:
    #     -- default-log-and-drop:
    #         -- getting time right is important for security, so use only
    #            trusted NTP boxen.
    #


# ==========================================================================================
# == SECTION 3 :: SERVICES ON LOW-NUMBERED PORTS :
# ==========================================================================================


# ------------------------------------------------------------------------------------------
# -- Web Service :  
# ------------------------------------------------------------------------------------------


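# Web server on this host, reachable from 130.88.0.0/16 only.
$IPT -N WEB_SERVICE

# Requests arrive addressed to OUR ports 80/443, so the INPUT rule must match on the
# destination port and the OUTPUT rule (our replies) on the source port --- the same
# pairing the SSH and Ganglia service chains use.  Matching the source port on INPUT
# would select on a value the remote sender chooses, and would never see a request to
# this web server.
$IPT -t filter -A INPUT  -i $EXTINT -d $EXTIP  -p tcp -m multiport --dports 80,443  -j WEB_SERVICE
$IPT -t filter -A OUTPUT -o $EXTINT -s $EXTIP  -p tcp -m multiport --sports 80,443  -j WEB_SERVICE

# allow_tcp_in is defined outside this script; presumably it adds ACCEPT rules to the named
# chain for the listed network --- confirm against the functions file.
allow_tcp_in  WEB_SERVICE  130.88.0.0/16  

# Whatever the helper did not deal with is logged and then dropped.
$IPT -t filter -A WEB_SERVICE  -j LOG  --log-prefix " **WEB_SERVICE DROP** "
$IPT -t filter -A WEB_SERVICE  -j DROP
    #
    # -- Pinhole chain for service on low-numbered port:
    #     -- default-log-and-drop;
    #         -- should be no other traffic to/from our ports 80 and 443;
    #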


# ------------------------------------------------------------------------------------------
# -- SSH Service :
# ------------------------------------------------------------------------------------------


# SSH server on this host: TCP to our port 22, and our replies from port 22, on the
# external interface are handed to the SSH_SERVICE chain.
$IPT -N SSH_SERVICE 

$IPT -t filter -A INPUT  -i $EXTINT  -p tcp --dport 22  -d $EXTIP  -j SSH_SERVICE
$IPT -t filter -A OUTPUT -o $EXTINT  -p tcp --sport 22  -s $EXTIP  -j SSH_SERVICE

# No rule is added to SSH_SERVICE here.  The chain's contents, including who may connect
# and what happens to everyone else, are left to this helper, which is defined outside this
# script (it is also what --restart-ssh-service runs on its own).
# NOTE(review): confirm the helper ends the chain with a log-and-drop like the other
# pinhole chains.
restart_chain_ssh_service



# ==========================================================================================
# == SECTION 4 :: SERVICES USING HIGH-NUMBERED PORTS :
# ==========================================================================================


# ------------------------------------------------------------------------------------------
# -- Ganglia "Service" :
# ------------------------------------------------------------------------------------------

    # ...allow Man4 to talk to our Ganglia-related daemons...

$IPT -N GANGLIA_SERVICE

# TCP and UDP to our ports 8443/8649/8651/8652, and traffic leaving from those ports, on
# the external interface are handed to the GANGLIA_SERVICE chain.
$IPT -t filter -A INPUT   -i $EXTINT -d $EXTIP  -p tcp -m multiport --dports 8443,8649,8651,8652  -j GANGLIA_SERVICE
$IPT -t filter -A OUTPUT  -o $EXTINT -s $EXTIP  -p tcp -m multiport --sports 8443,8649,8651,8652  -j GANGLIA_SERVICE

$IPT -t filter -A INPUT   -i $EXTINT -d $EXTIP  -p udp -m multiport --dports 8443,8649,8651,8652  -j GANGLIA_SERVICE
$IPT -t filter -A OUTPUT  -o $EXTINT -s $EXTIP  -p udp -m multiport --sports 8443,8649,8651,8652  -j GANGLIA_SERVICE

# allow_tcp_in / allow_udp_in are defined outside this script; presumably they add ACCEPT
# rules to the named chain for the listed host --- confirm against the functions file.
# The host is given by name, which iptables resolves once, when the rule is added.
allow_tcp_in  GANGLIA_SERVICE  ganglia.manc.ac.uk
allow_udp_in  GANGLIA_SERVICE  ganglia.manc.ac.uk

    #
    # -- Service on high-numbered ports (still marked DEVEL by the author):
    #
    #     -- assuming a daemon is bound to all these ports, there should be no traffic 
    #        other than that ACCEPTed above, so we should be able to default-DROP;
    #
    #     -- but it's possible that not all the above are in use, so we DROP only NEW
    #        incoming packets and LOG the rest (which will, e.g., allow 8443 as the source
    #        port for an out-going connection) :
    #
    #     -- the chain ends with LOG, which is not a terminating target: packets that get
    #        that far return to INPUT/OUTPUT and are judged by the rules that follow;
    #
    #     -- NOTE(review): none of the three LOG/DROP rules is rate-limited, so a port
    #        scan of these ports writes one log line per packet.  Consider "-m limit".
    #
$IPT -t filter -A GANGLIA_SERVICE  -i $EXTINT -d $EXTIP  -m state --state NEW  -j LOG --log-prefix " **GANGLIA_SERVICE: DROP** "
$IPT -t filter -A GANGLIA_SERVICE  -i $EXTINT -d $EXTIP  -m state --state NEW  -j DROP
$IPT -t filter -A GANGLIA_SERVICE  -j LOG --log-prefix " **GANGLIA_SERVICE: LOG** "


# ==========================================================================================
# == SECTION 5 :: OUTREACH :
# ==========================================================================================


# ------------------------------------------------------------------------------------------
# -- SSH outwards :
# ------------------------------------------------------------------------------------------


# Outbound SSH: TCP from us to remote port 22, and TCP to us from remote port 22, on the
# external interface is handed to the SSH_FROM_US chain.
$IPT -N SSH_FROM_US


$IPT -t filter -A OUTPUT -o $EXTINT  -p tcp --dport 22  -s $EXTIP  -j SSH_FROM_US
$IPT -t filter -A INPUT  -i $EXTINT  -p tcp --sport 22  -d $EXTIP  -j SSH_FROM_US

# allow_tcp_out is defined outside this script; presumably it adds ACCEPT rules to the
# named chain for each listed host --- confirm against the functions file.  The hosts are
# given by name, which iptables resolves once, when the rule is added.
allow_tcp_out  SSH_FROM_US  sysadminone.manc.ac.uk  sysadmintwo.manc.ac.uk  

# Whatever the helper did not deal with is logged and then dropped, so SSH from this host
# to any other destination is refused.
$IPT -t filter -A SSH_FROM_US  -j LOG  --log-prefix " **SSH_FROM_US DROP** "
$IPT -t filter -A SSH_FROM_US  -j DROP
    #
    # -- default-log-and-drop as for SSH outbound:
    #     -- this is really mean...
    #

 
# ------------------------------------------------------------------------------------------
# -- Web Out :  
# ------------------------------------------------------------------------------------------

    # ...Bruno.Harbulot@manchester.ac.uk would like to talk to squid1/2 and pulsar...

    ## Does Bruno still need this?  pulsar.vidar.ngs.manchester.ac.uk 80

$IPT -N WEB_PROXY_OUT

# TCP from us to remote port 3128, and TCP to us from remote port 3128, on the external
# interface is handed to the WEB_PROXY_OUT chain.
$IPT -t filter -A OUTPUT -o $EXTINT -s $EXTIP  -p tcp --dport 3128  -j WEB_PROXY_OUT
$IPT -t filter -A INPUT  -i $EXTINT -d $EXTIP  -p tcp --sport 3128  -j WEB_PROXY_OUT

# allow_tcp_out is defined outside this script; presumably it adds ACCEPT rules to the
# named chain for each listed proxy --- confirm against the functions file.  The proxies
# are given by name, which iptables resolves once, when the rule is added.
allow_tcp_out  WEB_PROXY_OUT  proxyone.manc.ac.uk  proxytwo.manc.ac.uk

# Whatever the helper did not deal with is logged and then dropped.
$IPT -t filter -A WEB_PROXY_OUT  -j LOG  --log-prefix " **WEB_PROXY_OUT DROP** "
$IPT -t filter -A WEB_PROXY_OUT  -j DROP
    #
    # -- default-log-and-drop as we don't trust other Web Proxies --- they may forward
    #    us to faked/phishing sites for example...
    #

 
# ==========================================================================================
# == SECTION 6 :: FORWARDS/MASQUERADES/NAT :
# ==========================================================================================


# -- tweak that kernel : switch on IPv4 forwarding.
#
#    NOTE(review): this is done before any FORWARD rule below has been appended.  If the
#    FORWARD policy is still ACCEPT at this point, forwarding is unfiltered until the
#    log-and-drop pair further down is in place; consider enabling it after those rules.
#
echo 1 > /proc/sys/net/ipv4/ip_forward


    # ...recall that INPUT/OUTPUT rules do NOT affect traffic from 10.2.64.0/24 destined to be FORWARDed via 10.2.64.25\0, so we need
    #    additional block/allow rules here to filter storage and the compute nodes (see ascii-art diagram in the IPTables HOWTO)...
    #
    # NOTE(review): the note above speaks of 10.2.64.0/24 while the rules below use
    # 192.168.104.0/24 --- confirm which network is meant.


# -- forward stuff from 192.168.104.0/24, the headnode-facing interface of the compute-nodes :
#
# -- DNS :
#
#    These rules use the literal eth3 where the rest of the script uses $EXTINT.
#    NOTE(review): no "--dport 53" is given, so ANY UDP packet from the compute-node
#    network to these three addresses is forwarded, not just DNS queries.
#
$IPT -A FORWARD -p udp  -i eth0 -o eth3  -s 192.168.104.0/24 -d 130.88.ac.efg   -j ACCEPT
$IPT -A FORWARD -p udp  -i eth0 -o eth3  -s 192.168.104.0/24 -d 130.88.ac.efh   -j ACCEPT
$IPT -A FORWARD -p udp  -i eth0 -o eth3  -s 192.168.104.0/24 -d 130.88.baa.ghi  -j ACCEPT


# -- forward anything related/established (this is what lets the replies back in) :
#
$IPT -A FORWARD  -m state --state ESTABLISHED,RELATED  -j ACCEPT


# -- default don't forward : log, then drop, everything not accepted above.
#    The LOG rule has no rate limit.
#
$IPT -A FORWARD -j LOG --log-prefix " FORWARD-DROP "
$IPT -A FORWARD -j DROP


# -- we're going to a ball : masquerade (source-NAT) whatever leaves from the compute-node
#    network.
#    NOTE(review): no "-o" is given, so the rule applies on whichever interface the packet
#    leaves by --- confirm it should not be limited to the external interface.
#
$IPT -t nat -A POSTROUTING -s 192.168.104.0/24 -j MASQUERADE



# ==========================================================================================
# == SECTION 7 :: TMP :
# ==========================================================================================


# -- for testing Gold stuff :
#
#    Accepts everything from and to the named host on every interface, with no protocol or
#    port restriction.  The host is given by name, which iptables resolves once, when the
#    rule is added.
#    NOTE(review): this sits in the TMP section --- confirm the test is still running and
#    remove the pair once it is not.
#
$IPT -t filter -A INPUT  -s ddd.rst.manchester.ac.uk -j ACCEPT
$IPT -t filter -A OUTPUT -d ddd.rst.manchester.ac.uk -j ACCEPT


# ==========================================================================================
# == SECTION 8 :: DEFAULTS :
# ==========================================================================================


    ## ...Silently drop the junkmail deluge :
    ##
    ## These rules drop without logging, so the background chatter below does not use up
    ## the rate-limited LOG rules that follow.  The single-port rules match only when
    ## source AND destination port are both the given number.


$IPT -t filter -i $EXTINT -A INPUT -p udp --sport 137 --dport 137  -j DROP  # ...Windows: NetBIOS name service...
$IPT -t filter -i $EXTINT -A INPUT -p udp --sport 138 --dport 138  -j DROP  # ...Windows: NetBIOS datagram service...
$IPT -t filter -i $EXTINT -A INPUT -p udp --sport 520 --dport 520  -j DROP  # ...520/udp is the RIP routing port (left as "??????" by the author)...
$IPT -t filter -i $EXTINT -A INPUT -p udp --sport 631 --dport 631  -j DROP  # ...IPP (printing)...

$IPT -t filter -i $EXTINT -A INPUT -p udp -m multiport --destination-ports 1026,1027,1028,1029 -j DROP  # ...Windows-related, per the author...

$IPT -t filter -i $EXTINT -A INPUT -p udp --sport 4500  --dport 4500  -j DROP  # ...4500/udp is IPsec NAT traversal (left as "??????" by the author)...
$IPT -t filter -i $EXTINT -A INPUT -p udp --sport 4501  --dport 4501  -j DROP  # ...purpose not recorded...
$IPT -t filter -i $EXTINT -A INPUT -p udp --sport 4502  --dport 4502  -j DROP  # ...purpose not recorded...

$IPT -t filter -i $EXTINT -A INPUT -s 130.88.zxy.250 -d 224.0.0.1   -j DROP  # ...all hosts multicast from router...


    ## ...Log everything else on the external interface that no earlier rule has dealt with.
    ##
    ## The limit match caps logging at 5 entries per minute after an initial burst of 10,
    ## so a flood cannot fill the logs; the price is that most packets of a flood are
    ## dropped below without a log line.
    ## NOTE(review): --log-uid records the owner of the process that created a packet, so
    ## it is expected to add information only on the OUTPUT rule --- confirm.


$IPT -t filter -i $EXTINT -A INPUT  -m limit --limit 5/minute --limit-burst 10 -j LOG --log-level warn --log-tcp-sequence --log-tcp-options --log-ip-options --log-uid --log-prefix " **INPUT DEFAULT** "
$IPT -t filter -o $EXTINT -A OUTPUT -m limit --limit 5/minute --limit-burst 10 -j LOG --log-level warn --log-tcp-sequence --log-tcp-options --log-ip-options --log-uid --log-prefix " **OUTPUT DEFAULT** "


    ## ...then drop it.  These two rules are not rate-limited: everything that reaches
    ## them on the external interface is dropped, logged or not.


$IPT -t filter -i $EXTINT -A INPUT  -j DROP
$IPT -t filter -o $EXTINT -A OUTPUT -j DROP


# ==========================================================================================
# == SECTION 9 :: POLICY :
# ==========================================================================================


# Last step: switch the three built-in filter chains to default-deny, so anything that no
# rule above matched is dropped.  This closes the ACCEPT policies that were set while the
# rule set was being built.
#
# NOTE(review): only iptables (IPv4) is configured in the lines visible here.  If IPv6 is
# enabled on this host, confirm it is filtered separately.
for policy_chain in INPUT OUTPUT FORWARD ; do
    $IPT -t filter -P "$policy_chain" DROP
done


# ==========================================================================================
# == Time for a nice mug of tea.
# ==========================================================================================