firewall-init: firewall.d/ipv4/filter - simplifications and readability fixes
baggins
baggins at pld-linux.org
Tue Dec 29 22:33:20 CET 2009
Author: baggins Date: Tue Dec 29 21:33:20 2009 GMT
Module: firewall-init Tag: HEAD
---- Log message:
- simplifications and readability fixes
---- Files affected:
firewall-init/firewall.d/ipv4:
filter (1.14 -> 1.15)
---- Diffs:
================================================================
Index: firewall-init/firewall.d/ipv4/filter
diff -u firewall-init/firewall.d/ipv4/filter:1.14 firewall-init/firewall.d/ipv4/filter:1.15
--- firewall-init/firewall.d/ipv4/filter:1.14 Tue Dec 29 22:19:36 2009
+++ firewall-init/firewall.d/ipv4/filter Tue Dec 29 22:33:15 2009
@@ -4,54 +4,85 @@
OUTSIDE_IF=eth0
-# TCP
-ipv4_in_allow_tcp()
+ipv4_filter_FORWARD_rules()
{
- $iptables -A INPUT -p tcp -m state --state NEW --dport 20:21 -j ACCEPT
- $iptables -A INPUT -p tcp -m state --state NEW --dport 22 -j ACCEPT
+ # Block trojan ports:
+# ipv4_trojan_killer FORWARD
+ # Block adverts if need be
+# ipv4_ads_killer FORWARD
+ return
+}
+
+ipv4_filter_INPUT_rules()
+{
+ # INPUT
+ # Selective LOG/DROP/ACCEPT for ICMP
+# $iptables -A INPUT -p icmp -j ICMP
+ # Check if someone is not scanning us first:
+# $iptables -A INPUT -m psd -j SCAN
+
+# $iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
+
+# $iptables -A INPUT -p tcp -m state --state NEW --dport 20:21 -j ACCEPT
+# $iptables -A INPUT -p tcp -m state --state NEW --dport 22 -j ACCEPT
# $iptables -A INPUT -p tcp -m state --state NEW --dport 23 -j ACCEPT
- $iptables -A INPUT -p tcp -m state --state NEW --dport 25 -j ACCEPT
+# $iptables -A INPUT -p tcp -m state --state NEW --dport 25 -j ACCEPT
# $iptables -A INPUT -p tcp -m state --state NEW --dport 37 -j ACCEPT
+# $iptables -A INPUT -p udp -m state --state NEW --dport 37 -j ACCEPT
# $iptables -A INPUT -p tcp -m state --state NEW --dport 53 -j ACCEPT
+# $iptables -A INPUT -p udp -m state --state NEW --dport 53 -j ACCEPT
+# $iptables -A INPUT -p udp -m state --state NEW --dport 67:69 -j ACCEPT
# $iptables -A INPUT -p tcp -m state --state NEW --dport 79 -j ACCEPT
# $iptables -A INPUT -p tcp -m state --state NEW --dport 80 -j ACCEPT
# $iptables -A INPUT -p tcp -m state --state NEW --dport 109 -j ACCEPT
# $iptables -A INPUT -p tcp -m state --state NEW --dport 110 -j ACCEPT
- $iptables -A INPUT -p tcp -m state --state NEW --dport 113 -j ACCEPT
+# $iptables -A INPUT -p tcp -m state --state NEW --dport 113 -j ACCEPT
# $iptables -A INPUT -p tcp -m state --state NEW --dport 119 -j ACCEPT
# $iptables -A INPUT -p tcp -m state --state NEW --dport 123 -j ACCEPT
-# $iptables -A INPUT -p tcp -m state --state NEW --dport 137:139 -j ACCEPT
-# $iptables -A INPUT -p tcp -m state --state NEW --dport 143 -j ACCEPT
-# $iptables -A INPUT -p tcp -m state --state NEW --dport 177 -j ACCEPT
-# $iptables -A INPUT -p tcp -m state --state NEW --dport 220 -j ACCEPT
- $iptables -A INPUT -i ! $OUTSIDE_IF -p tcp -m state --state NEW --dport 515 -j ACCEPT
- $iptables -A INPUT -p tcp -m state --state NEW --dport 873 -j ACCEPT
- $iptables -A INPUT -p tcp -m state --state NEW --dport 2121 -j ACCEPT
-}
-
-# UDP
-ipv4_in_allow_udp()
-{
-# $iptables -A INPUT -p udp -m state --state NEW --dport 37 -j ACCEPT
-# $iptables -A INPUT -p udp -m state --state NEW --dport 53 -j ACCEPT
-# $iptables -A INPUT -p udp -m state --state NEW --dport 67 -j ACCEPT
-# $iptables -A INPUT -p udp -m state --state NEW --dport 68 -j ACCEPT
-# $iptables -A INPUT -p udp -m state --state NEW --dport 69 -j ACCEPT
# $iptables -A INPUT -p udp -m state --state NEW --dport 123 -j ACCEPT
+# $iptables -A INPUT -p tcp -m state --state NEW --dport 137:139 -j ACCEPT
# $iptables -A INPUT -p udp -m state --state NEW --dport 137:139 -j ACCEPT
+# $iptables -A INPUT -p tcp -m state --state NEW --dport 143 -j ACCEPT
# $iptables -A INPUT -p udp -m state --state NEW --dport 161:162 -j ACCEPT
+# $iptables -A INPUT -p tcp -m state --state NEW --dport 177 -j ACCEPT
# $iptables -A INPUT -p udp -m state --state NEW --dport 177 -j ACCEPT
-# $iptables -A INPUT -p udp -m state --state NEW --dport 513 -j ACCEPT
-# $iptables -A INPUT -p udp -m state --state NEW --dport 514 -j ACCEPT
+# $iptables -A INPUT -p tcp -m state --state NEW --dport 220 -j ACCEPT
+# $iptables -A INPUT -p udp -m state --state NEW --dport 513:514 -j ACCEPT
+# $iptables -A INPUT -i ! $OUTSIDE_IF -p tcp -m state --state NEW --dport 515 -j ACCEPT
# $iptables -A INPUT -p udp -m state --state NEW --dport 517:518 -j ACCEPT
+# $iptables -A INPUT -p tcp -m state --state NEW --dport 873 -j ACCEPT
+# $iptables -A INPUT -p tcp -m state --state NEW --dport 2121 -j ACCEPT
+
+# $iptables -A INPUT -p udp -m state --state NEW --dport 67:68 -j DROP
+# $iptables -A INPUT -p udp -m state --state NEW --dport 137:139 -j DROP
+# $iptables -A INPUT -p udp -m state --state NEW --dport 513 -j DROP
+
+# ipv4_in_allow_rpc
+
+ # Block adverts if need be
+# ipv4_ads_killer INPUT
+ # Block trojan ports:
+# ipv4_trojan_killer INPUT
+
+ # DROP SSH brute force scans
+# $iptables -N SSH_BRUTE_FORCE
+# $iptables -A INPUT -p tcp -m tcp --dport 22 -m state --state NEW -j SSH_BRUTE_FORCE
+# $iptables -A SSH_BRUTE_FORCE -s $MY_IP_ADDRESSES -j RETURN
+# $iptables -A SSH_BRUTE_FORCE -s $MY_FRIENDS_IP_ADDRESSES -j RETURN
+# $iptables -A SSH_BRUTE_FORCE -m recent --set --name SSH
+# $iptables -A SSH_BRUTE_FORCE -m recent ! --rcheck --seconds 60 --hitcount 6 --name SSH -j RETURN
+# $iptables -A SSH_BRUTE_FORCE -m recent --update --name SSH
+# $iptables -A SSH_BRUTE_FORCE -j LOG --log-prefix "SSH Brute Force Attempt: "
+# $iptables -A SSH_BRUTE_FORCE -p tcp -j DROP
+
+ # Block and log everything else
+# $iptables -A INPUT -m state --state NEW -j LDROP
return
}
-ipv4_in_drop_udp()
+ipv4_filter_OUTPUT_rules()
{
- $iptables -A INPUT -p udp -m state --state NEW --dport 67:68 -j DROP
- $iptables -A INPUT -p udp -m state --state NEW --dport 137:139 -j DROP
- $iptables -A INPUT -p udp -m state --state NEW --dport 513 -j DROP
+ return
}
# Allow RPC for internal net only
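Review bot: In the new `ipv4_filter_INPUT_rules` template the commented `--dport 22 -j ACCEPT` line sits above the commented SSH_BRUTE_FORCE block, so if a maintainer uncomments both as written the port-22 ACCEPT matches NEW connections first and the rate-limiting chain is never reached; either the plain port-22 ACCEPT should be dropped when the chain is enabled, or the `-j SSH_BRUTE_FORCE` jump should be moved above the per-port ACCEPT lines, with a comment such as `# must precede any --dport 22 ACCEPT`. The whitelist lines `-s $MY_IP_ADDRESSES -j RETURN` and `-s $MY_FRIENDS_IP_ADDRESSES -j RETURN` reference variables that are not set anywhere in this hunk; if they are unset when uncommented, the unquoted expansion leaves `-s` without an argument and the iptables call fails, so the template should say where they are expected to be defined. The port-515 line keeps `-i ! $OUTSIDE_IF`, an intrapositioned negation that iptables 1.4 and later report as deprecated in favour of `! -i $OUTSIDE_IF`; since the template is being reorganised anyway, that is a cheap place to update it.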
@@ -87,56 +118,4 @@
cat $FIREWALL_DIR/trojan.ports | while read LINIA; do
$iptables -A $CLASS -p tcp -m state --state NEW -m multiport --port $LINIA -j REJECT --reject-with icmp-port-unreachable
done
-}
-
-ipv4_ssh_brute_force_killer()
-{
- $iptables -N SSH_BRUTE_FORCE
- $iptables -A INPUT -p tcp -m tcp --dport 22 -m state --state NEW -j SSH_BRUTE_FORCE
-# $iptables -A SSH_BRUTE_FORCE -s $MY_IP_ADDRESSES -j RETURN
-# $iptables -A SSH_BRUTE_FORCE -s $MY_FRIENDS_IP_ADDRESSES -j RETURN
- $iptables -A SSH_BRUTE_FORCE -m recent --set --name SSH
- $iptables -A SSH_BRUTE_FORCE -m recent ! --rcheck --seconds 60 --hitcount 6 --name SSH -j RETURN
- $iptables -A SSH_BRUTE_FORCE -m recent --update --name SSH
- $iptables -A SSH_BRUTE_FORCE -j LOG --log-prefix "SSH Brute Force Attempt: "
- $iptables -A SSH_BRUTE_FORCE -p tcp -j TARPIT
-}
-
-ipv4_filter_FORWARD_rules()
-{
-# # Block trojan ports:
-# ipv4_trojan_killer FORWARD
-# # Block adverts if need be
-# ipv4_ads_killer FORWARD
- return
-}
-
-ipv4_filter_INPUT_rules()
-{
-# # INPUT
-# # Selective LOG/DROP/ACCEPT for ICMP
-# $iptables -A INPUT -p icmp -j ICMP
-# # Check if someone is not scanning us first:
-# $iptables -A INPUT -m psd -j SCAN
-#
-# ipv4_in_allow_tcp
-# ipv4_in_allow_udp
-# ipv4_in_drop_udp
-# ipv4_in_allow_rpc
-#
-# $iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-# # Block adverts if need be
-# ipv4_ads_killer INPUT
-# # Block trojan ports:
-# ipv4_trojan_killer INPUT
-# TARPIT SSH brute force scans
-# ipv4_ssh_brute_force_killer()
-# # Block everything else
-# $iptables -A INPUT -m state --state NEW -j LDROP
- return
-}
-
-ipv4_filter_OUTPUT_rules()
-{
- return
}
================================================================
---- CVS-web:
http://cvs.pld-linux.org/cgi-bin/cvsweb.cgi/firewall-init/firewall.d/ipv4/filter?r1=1.14&r2=1.15&f=u