#!/usr/bin/perl /root/confread
# iptables policy written in the confread rule language: the shebang hands
# this file to /root/confread, and only the body of the "function" block
# further down is plain Perl.
#
# NOTE(review): the copy this was restored from had every line collapsed
# onto one or two physical lines, so the first "#" swallowed the rest of
# the file.  The line breaks and the chain / named-block nesting below are
# reconstructed from token order alone — confirm against the original file
# (and a dry-run load) before applying it.  Named blocks (servers, inwless,
# servs, inbound, outgoing, internal, attacker, incoming) are referenced
# from a chain's rule list first and defined afterwards; "outgoing" appears
# once under nat and once under filter, presumably scoped per table — verify.

mport multiport

# Default-deny on every built-in chain; everything below is an allow list.
policy INPUT DROP FORWARD DROP OUTPUT DROP

# dnats ADDR[,ADDR...]
# Builds "-j DNAT --to-destination A [--to-destination B ...]" from one
# comma-separated argument.  It receives a reference to the rule's argument
# array and shifts the first element off it (the caller's array is mutated),
# presumably so the rule parser only sees the remaining tokens — confirm.
# The commented-out "dwww $dwww1,$dwww2" define shows the multi-target form.
function dnats {
    my $e = '-j DNAT';
    $e .= " --to-destination $_" for split /,/, shift @{+shift};
    $e
}

# p* = public addresses (built on the $psrv prefix), d* = internal DNAT
# targets; $psnat is the public range used for source NAT.
define
    psrv 130.73.244
    pwlan 130.73.254
    proxy 199.100.16.100
    pdns $psrv.1
    pwww $psrv.2
    pwww1 $psrv.21
    pwww2 $psrv.22
    pmail $psrv.3
    pssh $psrv.4
    pftp $psrv.5
    psqrl $psrv.6
    psnat $psrv.44-$psrv.198
    pdesk $psrv.8
    vmail 10.1.0.4
    #dwww $dwww1,$dwww2
    dwww $dwww1
    dwww1 10.0.1.2:8000
    dsqrl 10.0.1.2:9000
    ddns 10.0.1.2
    dmail 10.0.2.2
    ddesk 10.2.0.2
    dssh 10.0.4.2
    dftp 10.0.5.2
    dwww2 10.0.6.2
    dhoney 10.10.0.5

# Drop packets whose last source/destination octet is 0 or 255 (the mask
# 0.0.0.255 tests only that octet), then log and drop anything addressed
# straight into 10.0.0.0/16 that is not one of the two listed exceptions.
mangle PREROUTING
    src 0.0.0.255/0.0.0.255 DROP
    src 0.0.0.0/0.0.0.255 DROP
    dst 0.0.0.255/0.0.0.255 DROP
    dst 0.0.0.0/0.0.0.255 DROP
    in srv src 10.10.0.0/24 ACCEPT
    dst 10.0.1.2 src 10.0.2.2 ACCEPT
    dst 10.0.0.0/16 log mangle_drop
    dst 10.0.0.0/16 DROP

# Destination NAT: public service addresses map to internal hosts (servs);
# whatever arrives on iseage without matching is handed to the honeypot.
nat PREROUTING
    in srv servers
    in wlan inwless
    in kiosk inwless
    servs
    in iseage inbound

# Public address -> internal host, one rule per exposed service.
servs
    udp 53 dst $pdns dnats $ddns
    tcp www dst $pwww dnats $dwww
    tcp www dst $psqrl dnats $dsqrl
    tcp 3389,6347,6378 dst $pdesk dnats $ddesk
    tcp 25,110,995,993,143 dst $pmail dnats $dmail
    tcp ssh dst $pssh dnats $dssh
    tcp ftp dst $pftp dnats $dftp

# Catch-all for unmatched iseage traffic: every TCP/UDP packet is DNATed to
# the honeypot ($dhoney).  The REDIRECT variants are kept commented out.
inbound
    prot tcp dnats $dhoney
    prot udp dnats $dhoney
    # tcp 222 REDIRECT '--to-port 22'
    # log to_honey
    # prot tcp REDIRECT '--to-port 9'
    # prot udp REDIRECT '--to-port 9'

# Wireless and kiosk networks: only SMB/NetBIOS aimed at the public FTP
# address is redirected, to the internal FTP host.
inwless
    tcp 445,139 dst $pftp dnats $dftp
    udp 137,138 dst $pftp dnats $dftp
    #dst $pftp log sambaQ

# Server network: mail to the $vmail alias goes to the mail host.  The bare
# ACCEPT presumably ends nat processing for other srv traffic — verify.
servers
    tcp 25,143 dst $vmail dnats $dmail
    ACCEPT

# Source NAT on the way out to iseage.  The mask 255.255.0.255 on 10.0.0.2
# matches every 10.0.x.2 server host.  Known internal nets are masked behind
# $psnat; anything else leaving on iseage is logged (out_unk) and SNATed to
# $psrv.252.
POSTROUTING
    out iseage src 10.0.0.2/255.255.0.255 outgoing
    out iseage src 10.1.0.0/24 outgoing
    out iseage src 10.2.0.0/24 outgoing
    out iseage src 10.10.0.0/24 outgoing
    out iseage log out_unk
    out iseage snat $psrv.252

outgoing
    snat $psnat

# Forwarding policy (chain policy is DROP).  Traffic goes through the
# "attacker" block first, then connection-state and interface rules; the
# per-direction allow lists live in internal / outgoing / incoming.
# NOTE(review): with "state e ACCEPT" this early in the chain, the state e
# rules inside the blocks below can only fire if this reconstruction of the
# ordering is wrong — worth confirming against the original.
filter FORWARD
    attacker
    state e ACCEPT
    state i DROP
    # Appears to map to --tcp-flags: a NEW TCP connection must start with a
    # bare SYN (flags masked by SYN,ACK,RST,FIN must equal SYN).
    state n tcp_f ! SYN,ACK,RST,FIN SYN DROP
    state n src ! 10.0.0.0/8 log I
    in srv out srv internal
    in srv src 10.0.0.2/255.255.0.255 state n,e outgoing
    # NOTE(review): 10.10.0.0/24 (the honeypot net) gets unrestricted egress
    # to iseage here, and unrestricted access to every 10.0.x.2 server in the
    # internal block below; if that net is meant to be contained, these two
    # rules are where to tighten it.
    in srv out iseage src 10.10.0.0/24 ACCEPT
    # Anti-spoofing: anything else entering from srv is logged and dropped.
    in srv log _bad-src
    in srv DROP
    #Out to servers
    out srv dst 10.0.0.2/255.255.0.255 incoming
    out srv in iseage dst 10.10.0.0/24 state e ACCEPT
    out iseage in wlan state n,r,e ACCEPT
    in iseage out wlan state r,e ACCEPT
    out iseage in kiosk state n,r,e ACCEPT
    in iseage out kiosk state r,e ACCEPT
    out kiosk ACCEPT
    tcp 3389,6347,6378 log _fw_drop

# Server-to-server traffic (in srv, out srv): mail between 10.0.1.2 and
# 10.0.2.2, the honeypot net to the 10.0.x.2 servers, and nothing else
# (ident from 10.0.1.2 is dropped silently; the rest is logged, then dropped).
internal
    src 10.0.1.2 dst 10.0.2.2 tcp 25,143 ACCEPT
    src 10.0.2.2 dst 10.0.1.2 tcp_s 25,143 state e ACCEPT
    src 10.10.0.0/24 dst 10.0.0.2/255.255.0.255 ACCEPT
    dst 10.0.0.2/255.255.0.255 src 10.10.0.0/24 state e ACCEPT
    src 10.0.1.2 tcp 113 DROP
    log internal
    DROP

attacker
    src 0.0.0.0 DROP

# Egress from the internal hosts: established flows pass; RELATED flows are
# allowed only for TCP from $dftp leaving the 10.0/16 range (active-FTP
# data) and are otherwise logged (_out_related) and dropped; NEW connections
# may only do DNS to $proxy.  Everything else is logged (_out_new) and
# dropped — default-deny egress.
outgoing
    state e ACCEPT
    state r src $dftp dst ! 10.0.0.0/16 prot tcp ACCEPT
    state r log _out_related
    state r DROP
    udp 53 dst $proxy ACCEPT
    tcp 53 dst $proxy ACCEPT
    udp 53 DROP
    log _out_new
    DROP

# Ingress toward the 10.0.x.2 servers, per service.  DNS replies from $proxy
# are matched on source port 53.  Unmatched NEW / ESTABLISHED packets are
# logged (in_new / in_est) before the final DROP.
incoming
    state n,e tcp 8000,9000 dst 10.0.1.2 ACCEPT
    state n,e udp 53 dst 10.0.1.2 ACCEPT
    state n,e tcp 25,110,995,993,143 dst 10.0.2.2 ACCEPT
    state n,e tcp ssh dst $dssh ACCEPT
    state r,e dst $dftp ACCEPT
    state n tcp ftp,139 dst $dftp ACCEPT
    state n udp 137 dst $dftp ACCEPT
    state n,e tcp www dst 10.0.6.2 ACCEPT
    state e udp_s 53 src $proxy ACCEPT
    state e tcp_s 53 src $proxy ACCEPT
    # state r,e ACCEPT
    state n log in_new
    state e log in_est
    DROP