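# Generated by iptables-save v1.4.21 on Sun Dec 3 20:16:58 2017
# Hand-edited after review (see NOTE(review) / "review fix" comments); load with
# `iptables-restore < thisfile`.  Host "hopper": 10.158.56.24 on eth0 (campus/world),
# 192.168.8.11 on eth1 (department private subnet).
#
# Chain layout:
#   INPUT  -> dev0-in (eth0) -> wrld-srvr -> schl-srvr (campus sources) -> droplog
#          -> dev1-in (eth1) -> local-srvr -> droplog
#   OUTPUT -> dev0-out (eth0, ends in acceptlog) / dev1-out (eth1, ends in droplog)
#   acceptlog / droplog: LOG (rate-limited), then ACCEPT / DROP.
#   cs-bx, world-bx: sinks for broadcast/multicast noise; always end in a DROP.
#   marklog: declared but has no rules and nothing jumps to it.
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
:acceptlog - [0:0]
:cs-bx - [0:0]
:dev0-in - [0:0]
:dev0-out - [0:0]
:dev1-in - [0:0]
:dev1-out - [0:0]
:droplog - [0:0]
:local-srvr - [0:0]
:marklog - [0:0]
:schl-srvr - [0:0]
:world-bx - [0:0]
:wrld-srvr - [0:0]
#
# ---- incoming packets -------------------------------------------------------
# loopback: always accept.
-A INPUT -i lo -j ACCEPT
# (review fix) Stateful short-circuit.  Drop packets conntrack cannot place in
# any flow, and accept further packets of flows the per-chain rules below have
# already admitted.  Before this, replies were recognised only by source-port /
# TCP-flag heuristics, which (a) let any remote host reach any local port just
# by sending from source port 20, 13 or UDP 53, and (b) never matched replies
# on ports the heuristics did not list (e.g. lpd/515 replies, because the
# RELATED,ESTABLISHED rule in wrld-srvr only matches source ports 1024-65535).
# The old heuristic rules are kept below; they are now redundant, not harmful.
-A INPUT -m state --state INVALID -j DROP
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# eth0: main interface to the campus network and the world.
-A INPUT -i eth0 -j dev0-in
# eth1: private subnet between the department's servers.
-A INPUT -i eth1 -j dev1-in
# anything else: log and drop.
-A INPUT -j droplog
#
# ---- outgoing packets -------------------------------------------------------
# OUTPUT deliberately stays stateless: dev0-out intentionally drops some
# replies of accepted inbound connections (e.g. sport 80/443 off campus), and
# an early ESTABLISHED accept here would override that.
-A OUTPUT -o lo -j ACCEPT
# eth0: use the dev0-out chain.
-A OUTPUT -o eth0 -j dev0-out
# eth1: use the dev1-out chain.
-A OUTPUT -o eth1 -j dev1-out
# anything else: log and drop.
-A OUTPUT -j droplog
#
# ---- acceptlog: log, then ACCEPT --------------------------------------------
# (review fix) The LOG is rate-limited so a burst cannot flood syslog; the
# ACCEPT itself is not limited.  The limit values are a starting point.
-A acceptlog -m limit --limit 5/min --limit-burst 10 -j LOG --log-prefix "[accept] " --log-level 6
-A acceptlog -j ACCEPT
#
# ---- cs-bx: sink for inbound noise not handled elsewhere --------------------
# Always drops; the listed ports drop silently, everything else is logged.
# 137/138 NetBIOS name/datagram service: not provided on hopper.
-A cs-bx -p udp -m udp --dport 137 -j DROP
-A cs-bx -p udp -m udp --dport 138 -j DROP
# 513/udp is rwho broadcasts (rlogin is 513/tcp, which this rule does not match).
-A cs-bx -p udp -m udp --dport 513 -j DROP
# assorted discovery / malware probe ports, drop without logging.
-A cs-bx -p udp -m udp --dport 1534 -j DROP
-A cs-bx -p udp -m udp --dport 1947 -j DROP
-A cs-bx -p udp -m udp --dport 631 -j DROP
-A cs-bx -p udp -m udp --dport 5353 -j DROP
-A cs-bx -p udp -m udp --dport 8612 -j DROP
-A cs-bx -p udp -m udp --dport 12307 -j DROP
-A cs-bx -p udp -m udp --dport 17500 -j DROP
-A cs-bx -p udp -m udp --dport 52217 -j DROP
-A cs-bx -p udp -m udp --dport 57621 -j DROP
# IGMP queries to the all-hosts group: multicast is not supported on hopper.
-A cs-bx -d 224.0.0.1/32 -p igmp -j DROP
# everything else: log and drop.
-A cs-bx -j droplog
#
# ---- dev0-in: inbound on eth0 -----------------------------------------------
# limited broadcast: world-bx (drops).
-A dev0-in -d 255.255.255.255/32 -j world-bx
# mDNS/Bonjour probes and all-hosts multicast: cs-bx (drops).
-A dev0-in -d 224.0.0.251/32 -j cs-bx
-A dev0-in -d 224.0.0.1/32 -j cs-bx
# directed broadcasts for NIU's private subnets: cs-bx (drops, logs the unlisted ports).
-A dev0-in -d 10.158.255.255/32 -j cs-bx
-A dev0-in -d 10.158.63.255/32 -j cs-bx
# unicast to hopper: all potentially valid traffic goes through wrld-srvr,
# which RETURNs anything it does not decide.
-A dev0-in -d 10.158.56.24/32 -j wrld-srvr
# (review fix) removed an unreachable rule here:
#   -A dev0-in -s 10.158.56.1/32 -d 224.0.0.1/32 -p igmp -j DROP
# every packet to 224.0.0.1 is already consumed by the cs-bx jump above
# (cs-bx ends in droplog and never RETURNs).
# anything else, including what wrld-srvr returned: log and drop.
-A dev0-in -j droplog
#
# ---- dev0-out: outbound on eth0 ---------------------------------------------
# NOTE(review): this chain ends in acceptlog, so the effective egress policy on
# eth0 is ACCEPT (logged).  The OUTPUT DROP policy only applies to interfaces
# other than lo/eth0/eth1.  The droplog rules in this chain are therefore the
# complete egress deny list; everything not listed is allowed.
# host on CSCI's former local subnet (obsolete).
-A dev0-out -d 131.156.145.41/32 -j ACCEPT
# replies from our sshd to wherever the client is.
-A dev0-out -p tcp -m tcp --sport 22 -j ACCEPT
# Outbound ssh as a client.  --tcp-flags MASK COMP: of the flags in MASK,
# exactly those in COMP must be set, so "FIN,SYN,RST,ACK SYN" is a connection
# request.  New ssh connections are allowed only into NIU's private address
# space and to the two hosts in 192.30.253.112/31; packets of already-open
# sessions (non-SYN) are allowed anywhere; any other new ssh attempt is logged
# and dropped.
-A dev0-out -d 10.0.0.0/8 -p tcp -m tcp --dport 22 --tcp-flags FIN,SYN,RST,ACK SYN -j ACCEPT
-A dev0-out -p tcp -m tcp --dport 22 ! --tcp-flags FIN,SYN,RST,ACK SYN -j ACCEPT
-A dev0-out -d 192.30.253.112/31 -p tcp -m tcp --dport 22 -j ACCEPT
-A dev0-out -p tcp -m tcp --dport 22 -j droplog
# DNS queries to any resolver.
-A dev0-out -p udp -m udp --dport 53 -j ACCEPT
# outbound SMTP (the university may still block this upstream).
-A dev0-out -p tcp -m tcp --dport 25 -j ACCEPT
# replies from a local SMTP listener: logged and allowed to campus (10/8),
# logged and dropped anywhere else.
-A dev0-out -d 10.0.0.0/8 -p tcp -m tcp --sport 25 -j acceptlog
-A dev0-out -p tcp -m tcp --sport 25 -j droplog
# 113 ident: replies only to CSCI's subnet, requests to anywhere.
-A dev0-out -d 10.158.0.0/16 -p tcp -m tcp --sport 113 -j ACCEPT
-A dev0-out -p tcp -m tcp --dport 113 -j ACCEPT
# 20/21 ftp server replies.  No ftp server is running, so these do not match in practice.
-A dev0-out -p tcp -m tcp --sport 21 -j ACCEPT
-A dev0-out -p tcp -m tcp --sport 20 -j ACCEPT
# ftp client to two named hosts, then to anywhere (may be blocked by NIU's
# firewall).  The two host-specific pairs are redundant with the catch-all pair.
-A dev0-out -d 131.156.97.101/32 -p tcp -m tcp --dport 21 -j ACCEPT
-A dev0-out -d 131.156.97.101/32 -p tcp -m tcp --dport 20 -j ACCEPT
-A dev0-out -d 131.156.29.4/32 -p tcp -m tcp --dport 21 -j ACCEPT
-A dev0-out -d 131.156.29.4/32 -p tcp -m tcp --dport 20 -j ACCEPT
-A dev0-out -p tcp -m tcp --dport 21 -j ACCEPT
-A dev0-out -p tcp -m tcp --dport 20 -j ACCEPT
# http/https as a client (the 10.158/16 rules are redundant with the catch-alls).
-A dev0-out -d 10.158.0.0/16 -p tcp -m tcp --dport 80 -j ACCEPT
-A dev0-out -p tcp -m tcp --dport 80 -j ACCEPT
-A dev0-out -d 10.158.0.0/16 -p tcp -m tcp --dport 443 -j ACCEPT
-A dev0-out -p tcp -m tcp --dport 443 -j ACCEPT
# DHCP client traffic (client side uses port 68).
-A dev0-out -p udp -m udp --sport 68 -j ACCEPT
# NTP (the client side also uses source port 123).
-A dev0-out -p udp -m udp --sport 123 -j ACCEPT
# ICMP echo request (8), echo reply (0) and port-unreachable (3/3).
-A dev0-out -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A dev0-out -p icmp -m icmp --icmp-type 0 -j ACCEPT
-A dev0-out -p icmp -m icmp --icmp-type 3/3 -j ACCEPT
# replies from a local web server (none is running): allowed to CSCI's subnet,
# logged and dropped to anywhere else.
-A dev0-out -d 10.158.0.0/16 -p tcp -m tcp --sport 80 -j ACCEPT
-A dev0-out -d 10.158.0.0/16 -p tcp -m tcp --sport 443 -j ACCEPT
-A dev0-out -p tcp -m tcp --sport 80 -j droplog
-A dev0-out -p tcp -m tcp --sport 443 -j droplog
# bacula: local file daemon replies (9102); director/storage daemon (9103) in 10.128/11.
-A dev0-out -p tcp -m tcp --sport 9102 -j ACCEPT
-A dev0-out -d 10.128.0.0/11 -p tcp -m tcp --dport 9103 -j ACCEPT
# lpd on remote print servers.
-A dev0-out -p tcp -m tcp --dport 515 -j ACCEPT
# SMTP submission (587).
-A dev0-out -p tcp -m tcp --dport 587 -j ACCEPT
# I2P: new traffic only to NIU's private address space.
-A dev0-out -d 10.128.0.0/10 -p udp -m udp --dport 4445:4446 -j ACCEPT
# research / coursework ports.
-A dev0-out -p tcp -m tcp --sport 9600:9649 -j ACCEPT
-A dev0-out -p udp -m udp --sport 9600:9649 -j ACCEPT
# NOTE(review): unlike the I2P --dport rule above, this source-port rule has no
# destination restriction; confirm that is intended.
-A dev0-out -p udp -m udp --sport 4445:4446 -j ACCEPT
-A dev0-out -d 10.128.0.0/10 -p tcp -m tcp --sport 9800:9899 -j ACCEPT
-A dev0-out -d 10.128.0.0/10 -p udp -m udp --sport 9800:9899 -j ACCEPT
# daytime (13), both directions.
-A dev0-out -p tcp -m tcp --sport 13 -j ACCEPT
-A dev0-out -p tcp -m tcp --dport 13 -j ACCEPT
-A dev0-out -p tcp -m tcp --sport 9877 -j ACCEPT
-A dev0-out -p tcp -m tcp --sport 9700:9799 -j ACCEPT
-A dev0-out -p udp -m udp --sport 9700:9799 -j ACCEPT
# SCTP to a CSCI department server.
-A dev0-out -d 10.158.56.25/32 -p sctp -j ACCEPT
# ephemeral<->ephemeral continuation of tracked connections (RELATED covers
# e.g. ftp data connections negotiated on the control channel).
-A dev0-out -p tcp -m tcp --sport 1024:65535 --dport 1024:65535 -m state --state RELATED,ESTABLISHED -j ACCEPT
# default for eth0 egress: log and ACCEPT (see the note at the top of this chain).
-A dev0-out -j acceptlog
#
# ---- dev1-in: inbound on eth1 (private department backbone) -----------------
-A dev1-in -d 192.168.8.11/32 -j local-srvr
# log and drop what local-srvr returned, plus anything not addressed to us.
-A dev1-in -j droplog
#
# ---- dev1-out: outbound on eth1 (192.168.8.0/24) ----------------------------
# well-known ports in either direction within the private subnet.
-A dev1-out -d 192.168.8.0/24 -p tcp -m tcp --sport 1:1023 -j ACCEPT
-A dev1-out -d 192.168.8.0/24 -p udp -m udp --sport 1:1023 -j ACCEPT
-A dev1-out -d 192.168.8.0/24 -p tcp -m tcp --dport 1:1023 -j ACCEPT
-A dev1-out -d 192.168.8.0/24 -p udp -m udp --dport 1:1023 -j ACCEPT
# 9000-9999 in either direction with 192.168.8.10 (turing).
-A dev1-out -d 192.168.8.10/32 -p tcp -m tcp --sport 9000:9999 -j ACCEPT
-A dev1-out -d 192.168.8.10/32 -p udp -m udp --sport 9000:9999 -j ACCEPT
-A dev1-out -d 192.168.8.10/32 -p tcp -m tcp --dport 9000:9999 -j ACCEPT
-A dev1-out -d 192.168.8.10/32 -p udp -m udp --dport 9000:9999 -j ACCEPT
# NFS (2049).
-A dev1-out -d 192.168.8.10/32 -p tcp -m tcp --dport 2049 -j ACCEPT
-A dev1-out -d 192.168.8.0/24 -p tcp -m tcp --dport 2049 -j ACCEPT
-A dev1-out -d 192.168.8.10/32 -p tcp -m tcp --sport 2049 -j ACCEPT
# LDAPS, PostgreSQL, MySQL, MongoDB clients (no destination restriction, but
# the interface match already confines these to eth1).
-A dev1-out -p tcp -m tcp --dport 636 -j ACCEPT
-A dev1-out -p tcp -m tcp --dport 5432 -j ACCEPT
-A dev1-out -p tcp -m tcp --dport 3306 -j ACCEPT
-A dev1-out -p tcp -m tcp --dport 27017 -j ACCEPT
-A dev1-out -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A dev1-out -p icmp -m icmp --icmp-type 0 -j ACCEPT
-A dev1-out -j droplog
#
# ---- droplog: log, then DROP ------------------------------------------------
# (review fix) LOG is rate-limited: the volume here is attacker-controlled and
# an unlimited LOG rule is a log-flooding vector.  The DROP is not limited.
-A droplog -m limit --limit 5/min --limit-burst 10 -j LOG --log-prefix "[drop] " --log-level 6 --log-uid
-A droplog -j DROP
#
# ---- local-srvr: inbound on eth1 addressed to us ----------------------------
# Accept traffic to or from a well-known port as long as it originates on the
# private subnet.
-A local-srvr -s 192.168.8.0/24 -p tcp -m tcp --dport 1:1023 -j ACCEPT
-A local-srvr -s 192.168.8.0/24 -p udp -m udp --dport 1:1023 -j ACCEPT
-A local-srvr -s 192.168.8.0/24 -p tcp -m tcp --sport 1:1023 -j ACCEPT
-A local-srvr -s 192.168.8.0/24 -p udp -m udp --sport 1:1023 -j ACCEPT
# 9000-9999 in either direction between hopper and turing.
-A local-srvr -s 192.168.8.10/32 -p tcp -m tcp --dport 9000:9999 -j ACCEPT
-A local-srvr -s 192.168.8.10/32 -p udp -m udp --dport 9000:9999 -j ACCEPT
-A local-srvr -s 192.168.8.10/32 -p tcp -m tcp --sport 9000:9999 -j ACCEPT
-A local-srvr -s 192.168.8.10/32 -p udp -m udp --sport 9000:9999 -j ACCEPT
# NFS replies from servers on the private subnet; NFS requests from turing.
-A local-srvr -s 192.168.8.0/24 -p tcp -m tcp --sport 2049 -j ACCEPT
-A local-srvr -s 192.168.8.10/32 -p tcp -m tcp --dport 2049 -j ACCEPT
# PostgreSQL / MySQL replies (babbage).  NOTE(review): no -s restriction, but
# this chain is only reached from eth1.
-A local-srvr -p tcp -m tcp --sport 5432 -j ACCEPT
-A local-srvr -p tcp -m tcp --sport 3306 -j ACCEPT
-A local-srvr -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A local-srvr -p icmp -m icmp --icmp-type 0 -j ACCEPT
# return to dev1-in, which logs and drops.
-A local-srvr -j RETURN
#
# ---- schl-srvr: inbound from campus sources ---------------------------------
# Only reached from wrld-srvr for sources in 10.128.0.0/10.
# NTP replies.
-A schl-srvr -s 10.158.0.0/16 -p udp -m udp --sport 123 -j ACCEPT
# NOTE(review): every rule below with a 131.156.x.x source is UNREACHABLE --
# the only jump into this chain is guarded by -s 10.128.0.0/10, which does not
# contain 131.156.0.0/16.  They are kept so the intent is visible; moving them
# to wrld-srvr would make them live (several admit all TCP or all protocols
# from the named host), so that is a decision for the operator, not this edit.
-A schl-srvr -s 131.156.97.101/32 -p tcp -m tcp --sport 21 -j ACCEPT
-A schl-srvr -s 131.156.97.101/32 -p tcp -m tcp --sport 20 -j ACCEPT
-A schl-srvr -s 131.156.29.4/32 -p tcp -m tcp --sport 21 -j ACCEPT
-A schl-srvr -s 131.156.29.4/32 -p tcp -m tcp --sport 20 -j ACCEPT
# SMTP replies (non-SYN only).
-A schl-srvr -p tcp -m tcp --sport 25 ! --tcp-flags FIN,SYN,RST,ACK SYN -j ACCEPT
# ident requests from CSCI's subnet.
-A schl-srvr -s 10.158.0.0/16 -p tcp -m tcp --dport 113 -j ACCEPT
-A schl-srvr -p tcp -m tcp --dport 80 -j ACCEPT
# DHCP server replies from 10.158.56.3.
-A schl-srvr -s 10.158.56.3/32 -p udp -m udp --sport 67 --dport 68 -j ACCEPT
# (unreachable, see above) lpd replies from a print server.
-A schl-srvr -s 131.156.5.76/32 -p tcp -m tcp --sport 515 -j ACCEPT
# (unreachable, see above) all TCP from two hosts.
-A schl-srvr -s 131.156.145.212/32 -p tcp -j ACCEPT
-A schl-srvr -s 131.156.145.115/32 -p tcp -j ACCEPT
# research / coursework ports.
-A schl-srvr -s 10.158.0.0/16 -p tcp -m tcp --dport 9800:9899 -j ACCEPT
-A schl-srvr -s 10.158.0.0/16 -p udp -m udp --dport 9800:9899 -j ACCEPT
-A schl-srvr -p tcp -m tcp --dport 9700:9799 -j ACCEPT
-A schl-srvr -p udp -m udp --dport 9700:9799 -j ACCEPT
# bacula director/storage daemon.
-A schl-srvr -s 10.156.240.17/32 -p tcp -m tcp --dport 9102 -j ACCEPT
-A schl-srvr -s 10.156.240.17/32 -p tcp -m tcp --sport 9103 -j ACCEPT
# (unreachable, see above) everything from the obsolete local-subnet host.
-A schl-srvr -s 131.156.145.41/32 -j ACCEPT
# I2P.
-A schl-srvr -s 10.158.0.0/16 -p udp -m udp --sport 4445:4446 -j ACCEPT
-A schl-srvr -p udp -m udp --dport 4445:4446 -j ACCEPT
-A schl-srvr -p icmp -m icmp --icmp-type 3/3 -j ACCEPT
-A schl-srvr -p sctp -m sctp --sport 30327 -j ACCEPT
# silently dropped campus noise.
-A schl-srvr -p udp -m udp --dport 2054 -j DROP
-A schl-srvr -p udp -m udp --dport 8612 -j DROP
# packets claiming a broadcast source address: cs-bx (drops).
-A schl-srvr -s 10.158.63.255/32 -j cs-bx
-A schl-srvr -s 10.158.255.255/32 -j cs-bx
# return to wrld-srvr for the world-wide rules.
-A schl-srvr -j RETURN
#
# ---- world-bx: broadcast probes for services we do not provide --------------
# 67/68 DHCP
-A world-bx -p udp -m udp --dport 67 -j DROP
-A world-bx -p udp -m udp --dport 68 -j DROP
# NTP
-A world-bx -p udp -m udp --dport 123 -j DROP
# NetBIOS
-A world-bx -p udp -m udp --dport 137 -j DROP
# HASP license manager
-A world-bx -p udp -m udp --dport 1947 -j DROP
-A world-bx -p udp -m udp --dport 2222 -j DROP
# XDMCP (X display manager)
-A world-bx -p udp -m udp --sport 177 -j DROP
# Canon printer discovery
-A world-bx -p udp -m udp --dport 8612 -j DROP
# Dropbox LAN sync
-A world-bx -p udp -m udp --dport 17500 -j DROP
# unidentified
-A world-bx -p udp -m udp --dport 52217 -j DROP
# any other broadcast probe: log and drop.
-A world-bx -j droplog
#
# ---- wrld-srvr: unicast inbound on eth0 addressed to hopper -----------------
# With the stateful accept in INPUT, what reaches this chain is NEW (or
# untracked) traffic, so these rules describe which new connections to admit.
# The "! --tcp-flags ... SYN" reply rules are kept from the original but are
# now redundant with conntrack.
# campus sources: special rules first, then fall through here.
-A wrld-srvr -s 10.128.0.0/10 -j schl-srvr
# (review fix) removed: `-A wrld-srvr -p udp -m udp --sport 53 -j ACCEPT`.
# DNS replies are matched as ESTABLISHED in INPUT; the stateless rule let any
# host reach any local UDP port by sending from source port 53.
# ssh service.  NOTE(review): new connections are not rate-limited; consider
# -m recent or -m hashlimit on SYNs to 22 if brute-force noise is a problem.
-A wrld-srvr -p tcp -m tcp --dport 22 -j ACCEPT
-A wrld-srvr -p tcp -m tcp --sport 22 ! --tcp-flags FIN,SYN,RST,ACK SYN -j ACCEPT
# port 2222 only with 131.156.1.0/24.
-A wrld-srvr -s 131.156.1.0/24 -p tcp -m tcp --dport 2222 -j ACCEPT
-A wrld-srvr -s 131.156.1.0/24 -p tcp -m tcp --sport 2222 ! --tcp-flags FIN,SYN,RST,ACK SYN -j ACCEPT
# rsync replies.
-A wrld-srvr -p tcp -m tcp --sport 873 ! --tcp-flags FIN,SYN,RST,ACK SYN -j ACCEPT
# http/https service (no web server is running) and replies as a client.
-A wrld-srvr -p tcp -m tcp --dport 80 -j ACCEPT
-A wrld-srvr -p tcp -m tcp --sport 80 ! --tcp-flags FIN,SYN,RST,ACK SYN -j ACCEPT
-A wrld-srvr -p tcp -m tcp --dport 443 -j ACCEPT
-A wrld-srvr -p tcp -m tcp --sport 443 ! --tcp-flags FIN,SYN,RST,ACK SYN -j ACCEPT
# ftp service.  No ftp server is running; the original author intended to
# change these to DROP.
-A wrld-srvr -p tcp -m tcp --dport 21 -j ACCEPT
-A wrld-srvr -p tcp -m tcp --dport 20 -j ACCEPT
# ftp as a client (may be blocked at NIU's firewall).
-A wrld-srvr -p tcp -m tcp --sport 21 ! --tcp-flags FIN,SYN,RST,ACK SYN -j ACCEPT
# (review fix) source port 20 now admits only non-SYN segments.  The original
# unconditional ACCEPT let any host open a connection to any local TCP port
# simply by sending from source port 20.  Active-mode ftp data connections
# (the server connecting to us from port 20) must instead be admitted as
# RELATED by the INPUT state rule, which needs the nf_conntrack_ftp helper loaded.
-A wrld-srvr -p tcp -m tcp --sport 20 ! --tcp-flags FIN,SYN,RST,ACK SYN -j ACCEPT
# SMTP service and replies as a client.
-A wrld-srvr -p tcp -m tcp --dport 25 -j ACCEPT
-A wrld-srvr -p tcp -m tcp --sport 25 ! --tcp-flags FIN,SYN,RST,ACK SYN -j ACCEPT
# ident replies.
-A wrld-srvr -p tcp -m tcp --sport 113 ! --tcp-flags FIN,SYN,RST,ACK SYN -j ACCEPT
# whois replies.
-A wrld-srvr -p tcp -m tcp --sport 43 ! --tcp-flags FIN,SYN,RST,ACK SYN -j ACCEPT
# daytime (13) service and replies.  (review fix) the source-port rule had the
# same any-port bypass as source port 20 above; now non-SYN only.
-A wrld-srvr -p tcp -m tcp --dport 13 -j ACCEPT
-A wrld-srvr -p tcp -m tcp --sport 13 ! --tcp-flags FIN,SYN,RST,ACK SYN -j ACCEPT
# ports set aside for research / homework.
-A wrld-srvr -p tcp -m tcp --dport 9600:9649 -j ACCEPT
-A wrld-srvr -p udp -m udp --dport 9600:9649 -j ACCEPT
-A wrld-srvr -p tcp -m tcp --dport 9877 -j ACCEPT
-A wrld-srvr -p tcp -m tcp --dport 9700:9799 -j ACCEPT
-A wrld-srvr -p udp -m udp --dport 9700:9799 -j ACCEPT
# ICMP echo request / reply.
-A wrld-srvr -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A wrld-srvr -p icmp -m icmp --icmp-type 0 -j ACCEPT
# packets claiming the limited-broadcast source address: world-bx (drops).
-A wrld-srvr -s 255.255.255.255/32 -j world-bx
# ephemeral<->ephemeral continuation of tracked connections (now redundant
# with the INPUT state rule, kept unchanged).
-A wrld-srvr -p tcp -m tcp --sport 1024:65535 --dport 1024:65535 -m state --state RELATED,ESTABLISHED -j ACCEPT
# NetBIOS probe: silently drop.
-A wrld-srvr -p udp -m udp --dport 137 -j DROP
# other probe ports: silently drop connection attempts.
-A wrld-srvr -p udp -m udp --dport 1026:1027 -j DROP
-A wrld-srvr -p tcp -m tcp --dport 5364 --tcp-flags FIN,SYN,RST,ACK SYN -j DROP
-A wrld-srvr -p tcp -m tcp --dport 2967 --tcp-flags FIN,SYN,RST,ACK SYN -j DROP
# return to dev0-in, which logs and drops.
-A wrld-srvr -j RETURN
COMMIT
# Completed on Sun Dec 3 20:16:58 2017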