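# nftables ruleset: IPv4/IPv6 host firewall plus a stateless HTTP abuse
# detector (Http / Http_Block chains) built on dynamic sets.
#
# File order matters for nft: sets are declared first in both tables, then
# the dynamic block lists are included, then "define ExplicitPorts", then the
# chains. nft merges repeated "table ip _ip_" / "table ip6 _ip6_" blocks, so
# the chain tables below extend the set tables above rather than replace them.
#
# Sets that are written from the Http chains (Checklist_*, BlockedHosts*,
# HardBlockedHosts, AllowedHosts_Http) are "dynamic, timeout": entries are
# created by add/update statements in rules and expire after the set's
# timeout. "size 134217728" caps the element count per set; it is not a
# pre-allocation, but it is the upper bound on state an unauthenticated
# sender can create by spraying source addresses.
#
# The two NetMask defines below are commented out ("#" is a comment in nft;
# the keyword is "define") and nothing references $NetMask.
#define NetMask = 255.255.240.0
#define NetMask = 255.255.255.255

table ip _ip_ {
	set Checklist_Http_SynRst {
		# list of SYN without ACK, we compare on RST
		type ipv4_addr
		size 134217728
		flags dynamic, timeout
		timeout 60s
	}
	set Checklist_Http_SynFlood {
		# list with networks of SYN without ACK
		type ipv4_addr
		size 134217728
		flags dynamic, timeout
		timeout 60s
	}
	set BlockedHosts_Scan {
		# block hosts which tried to access non-standard ports
		type ipv4_addr
		size 134217728
		flags dynamic, timeout
		timeout 300s
	}
	set BlockedHosts {
		# list of entire hosts to block for RST without ACK and multiple SYN without ACK
		type ipv4_addr
		size 134217728
		flags dynamic, timeout
		timeout 900s
	}
	set BlockedHostsCounts {
		# per-host "limit rate over 3/day" state used by Http_Block to escalate
		# a repeat offender into HardBlockedHosts
		type ipv4_addr
		size 134217728
		flags dynamic, timeout
		timeout 1d
	}
	set HardBlockedHosts {
		# list of entire hosts to block for repeated abusing
		type ipv4_addr
		size 134217728
		flags dynamic, timeout
		timeout 3d
	}
	set BlockedHostsControl {
		# per-host counter of Http_Block hits (diagnostics only; never matched on)
		type ipv4_addr
		size 134217728
		counter
		flags dynamic, timeout
		timeout 1d
	}
	set AllowedHosts_Http {
		# allow http for hosts with ACK after SYN, to speed up traffic
		type ipv4_addr
		size 134217728
		flags dynamic, timeout
		timeout 900s
		elements = { 10.0.0.2 expires 5475d }
	}
}

table ip6 _ip6_ {
	set Checklist_Http_SynRst {
		# list of SYN without ACK, we compare on RST
		type ipv6_addr
		size 134217728
		flags dynamic, timeout
		timeout 60s
	}
	set Checklist_Http_SynFlood {
		# list with networks of SYN without ACK
		type ipv6_addr
		size 134217728
		flags dynamic, timeout
		timeout 60s
	}
	set BlockedHosts_Scan {
		# block hosts which tried to access non-standard ports
		type ipv6_addr
		size 134217728
		flags dynamic, timeout
		timeout 300s
	}
	set HardBlockedHosts {
		# list of entire hosts to block for repeated abusing
		type ipv6_addr
		size 134217728
		flags dynamic, timeout
		timeout 3d
	}
	set BlockedHosts {
		# list of entire hosts to block for RST without ACK and multiple SYN without ACK
		type ipv6_addr
		size 134217728
		flags dynamic, timeout
		timeout 900s
	}
	set BlockedHostsCounts {
		# per-host "limit rate over 3/day" state used by Http_Block
		type ipv6_addr
		size 134217728
		flags dynamic, timeout
		timeout 1d
	}
	set AllowedHosts_Http {
		# allow http for hosts with ACK after SYN, to speed up traffic
		type ipv6_addr
		size 134217728
		flags dynamic, timeout
		timeout 900s
	}
}

# Dynamic list of abusing hosts to block
# (included files must contain table blocks of their own; they are read after
# the set declarations above and before the chains below)
include "/mnt/DataDrive/Config/firewall/ip*/*.dynamiclist"

# Officially assigned ports, which we do not provide to public ...
# Any unsolicited TCP/UDP to one of these is logged as "Portscan: " and the
# source is put into BlockedHosts_Scan (see ip input chain). Used only via
# $ExplicitPorts, so this define must precede the chain tables.
define ExplicitPorts = { 21, 22, 23, 25, 111, 123, 137, 138, 139, 143, 445, 465, 514, 587, 601, 631, 830, 873, 993, 1900, 1080, 1723, 3020, 3128, 3389, 5000, 5500, 5800, 5801, 5900, 5901, 6514, 8443, 8580, 9000, 9443, 9999, 10514, 16000, 16080, 16200, 16225, 16250, 22222 }

table ip6 _ip6_ {
	chain Http_Block {
		# block RST without ACK: soft-block the host, and on the 4th hit per day
		# (limit rate over 3/day) escalate it into HardBlockedHosts
		add @BlockedHosts { ip6 saddr }
		#update @BlockedHostsCounts { ip6 saddr limit rate over 3/day burst 3 packets } add @HardBlockedHosts { ip6 saddr } log prefix "HttpHardBlk "
		update @BlockedHostsCounts { ip6 saddr limit rate over 3/day } add @HardBlockedHosts { ip6 saddr } log prefix "HttpHardBlk "
		delete @Checklist_Http_SynRst { ip6 saddr }
		delete @Checklist_Http_SynFlood { ip6 saddr }
		drop
	}

	chain Http {
		# don't use "meta length 52" as this seems the default start length for browsers
		# can't use conntrack, as it processes ack before we see it ...
		# Drop hard-blocked abusers first (same as the ip table). Without this
		# rule the ip6 HardBlockedHosts set is filled by Http_Block but never
		# consulted, so the 3d hard block had no effect for IPv6 clients.
		ip6 saddr @HardBlockedHosts drop
		ip6 saddr @AllowedHosts_Http accept
		# handle combined (rst & ack) packages, by first testing for ack
		tcp flags ack ip6 saddr @Checklist_Http_SynRst add @AllowedHosts_Http { ip6 saddr } delete @Checklist_Http_SynRst { ip6 saddr } delete @Checklist_Http_SynFlood { ip6 saddr } log prefix "HTTP-Accept " accept
		# only block http-traffic
		ip6 saddr @BlockedHosts drop
		# block RST without ACK
		tcp flags rst ip6 saddr @Checklist_Http_SynRst log prefix "RST-Block " goto Http_Block
		# block tcp sequence number 0 ... (a legitimate ISN of 0 is possible but
		# rare; accepted trade-off)
		tcp sequence == 0 drop
		# count SYN and block syn-floods if more than 10/minute per source
		#tcp flags syn update @Checklist_Http_SynFlood { ip6 saddr limit rate over 10/minute burst 10 packets } log prefix "SynFloodBlk " goto Http_Block
		tcp flags syn update @Checklist_Http_SynFlood { ip6 saddr limit rate over 10/minute } log prefix "SynFloodBlk " goto Http_Block
		tcp flags syn add @Checklist_Http_SynRst { ip6 saddr } add @Checklist_Http_SynFlood { ip6 saddr } log prefix "HTTP-Start " accept # add syn-package to check for RST without ACK
		accept
	}

	#chain prerouting { type nat hook prerouting priority 0; policy accept;
	# redirect to local DNS, to prevent DNS Spoofing
	#tcp dport domain redirect to domain persistent
	#udp dport domain redirect to domain persistent
	#}

	#chain postrouting { type nat hook postrouting priority 0; policy accept;
	# NAT66 for broken modems
	#oifname eth0 masquerade random,persistent
	#}

	chain input {
		type filter hook input priority 0; policy drop;
		iif lo accept
		ip6 saddr ::1/128 counter drop
		# http/https is handed to the stateless Http chain BEFORE conntrack on
		# purpose (see comments there); Http always ends in a verdict, so
		# nothing below this line ever sees port 80/443 traffic.
		tcp dport { http, https } goto Http
		ct status { expected, seen-reply, assured, confirmed } accept
		ct state { established, related } accept
		# nothing to reset on improper close of port ...
		tcp flags rst tcp sport { ftp, ftps, http, pop3, imap2, https, imaps, pop3s } drop
		# this should go to netdev table ...
		# Drop all fragments.
		#ip frag-off & 0x1fff != 0 counter drop
		# Drop XMAS packets.
		tcp flags & (fin|syn|rst|psh|ack|urg) == fin|syn|rst|psh|ack|urg counter drop
		# Drop NULL packets.
		tcp flags & (fin|syn|rst|psh|ack|urg) == 0x0 counter drop
		# Drop uncommon MSS values.
		tcp flags syn tcp option maxseg size 1-535 counter drop
		icmpv6 type echo-request iif eth0 accept
		# ICMPv6 error types (packet-too-big etc.) are not listed here; they
		# only get through via the "related" conntrack accept above.
		icmpv6 type { nd-router-solicit, nd-router-advert, nd-neighbor-solicit, nd-neighbor-advert, echo-reply } counter accept
		# Fritz!Box DHCP
		# 2026-01-01 working
		# matches only the low 64 bits (interface identifier) of the source, so
		# the rule survives a prefix change
		udp dport 546 udp sport 547 ip6 saddr & ::ffff:ffff:ffff:ffff == ::0a96:d7ff:fe40:62c5 accept
		# local http
		#tcp dport { http, https } log accept
		tcp sport < 1024 log drop
		udp sport < 1024 log drop
		# unreachable: "tcp dport { http, https } goto Http" above already took
		# every packet to these ports and Http never returns here
		#tcp dport { http, https } log prefix "http " accept
		ip6 saddr != f0::/4 counter log level info prefix "Public Adresse, no input: " drop
		log level info prefix "Debug Input Drop: " counter drop
	}

	chain forward {
		type filter hook forward priority 0; policy drop;
		ip6 saddr ::1/128 iif != lo counter drop
		ct status { expected, seen-reply, assured, confirmed } accept
		ct state { established, related } accept
		iif eth1 log level info prefix "No External forwarding " drop
		tcp sport < 1024 log drop
		udp sport < 1024 log drop
		# this should go to netdev table ...
		# Drop all fragments.
		#ip frag-off & 0x1fff != 0 counter drop
		# Drop XMAS packets.
		tcp flags & (fin|syn|rst|psh|ack|urg) == fin|syn|rst|psh|ack|urg counter drop
		# Drop NULL packets.
		tcp flags & (fin|syn|rst|psh|ack|urg) == 0x0 counter drop
		# Drop uncommon MSS values.
		tcp flags syn tcp option maxseg size 1-535 counter drop
		# f0::/4 covers ULA (fc00::/7), link-local (fe80::/10) and multicast
		# (ff00::/8): none of these may be forwarded in either direction
		ip6 saddr == f0::/4 counter log level info prefix "Private Adress, no forwarding: " drop
		ip6 daddr == f0::/4 counter log level info prefix "Private Adress, no forwarding: " drop
		ip6 daddr == 2001:db8::/32 counter log level info prefix "Testing Adress, no forwarding: " drop
		# Allow only Notebook5
		#ip6 saddr != 2001:0470:b637:00fc:8e70:5aff:fe8f:f30c log level info prefix "Unknown Client: " drop
		#ip6 saddr != 2001:470:7316::/48 log level info prefix "Unknown Client: " drop
		# allow only traffic to Internet
		tcp dport { ftp, ftps, http, pop3, imap2, https, imaps, pop3s } accept
		udp dport 443 accept
		# Google Talk
		udp dport { 19294, 19295, 19302 } drop
		icmpv6 type echo-request accept
		log level info prefix "wrong protocol no forwarding: " drop
	}

	chain output {
		type filter hook output priority 0; policy accept;
		#icmpv6 type { 128, 129 } counter accept
		accept
	}
}

table ip _ip_ {
	chain prerouting {
		type nat hook prerouting priority -100; policy accept;
		#ct state { established, related } accept
		#ct status { expected, seen-reply, assured, confirmed } accept
		# tcp dport domain redirect to :domain persistent
		# udp dport domain redirect to :domain persistent
		#ip daddr 10.0.0.1 tcp dport https dnat 10.6.0.1:4430
		#ip daddr 10.0.0.1 tcp dport http dnat 10.6.0.1:8080
	}

	chain postrouting {
		type nat hook postrouting priority 100; policy accept;
		#ct state { established, related } accept
		#ct status { expected, seen-reply, assured, confirmed } accept
		#masquerade persistent
		# source NAT per destination network; the final masquerade catches
		# everything else
		ip daddr 10.0.1.0/24 snat to 10.0.1.1 random,persistent
		ip daddr 10.0.0.0/24 snat to 10.0.0.1 random,persistent
		# NOTE(review): 10.3.1.0/16 has host bits set; confirm the intended
		# network is 10.3.0.0/16 (as used by the input/forward rules below)
		ip daddr 10.3.1.0/16 snat to 10.3.1.1 random,persistent
		ip daddr 10.5.0.1/30 snat to 10.5.0.1 random,persistent
		ip daddr 10.6.0.0/30 snat to 10.6.0.2 random,persistent
		ip daddr 169.254.1.0/24 snat to 169.254.1.2 random,persistent
		masquerade random,persistent
	}

	chain OpenVPN_Clients_OK {
		# rate-limited success log, then accept
		limit rate 12/minute burst 2 packets counter log level info prefix "VPN OKEY " accept
	}

	chain OpenVPN_Clients {
		# VPN port 5000 is reachable only from the listed source networks
		ip saddr { 195.140.138.151, 89.144.192.0/18, 192.164.0.0/16, 194.48.136.0/24, 195.3.108.0/23, 213.147.160.0/19, 213.225.0.0/18, 10.1.3.5, 46.124.0.0/15, 212.95.5.0/19, 213.142.96.0/19, 213.162.64.0/19, 213.162.72.0/23 } goto OpenVPN_Clients_OK
		# log rule carries no verdict: it falls through to the drop below
		limit rate 1/minute burst 2 packets counter log level info prefix "VPN DROP "
		#reject with icmp type port-unreachable
		drop
	}

	chain Http_Block {
		# block RST without ACK: soft-block the host; on the 4th hit per day
		# (limit rate over 3/day) hard-block it and clear its soft-block state
		add @BlockedHosts { ip saddr }
		delete @Checklist_Http_SynRst { ip saddr }
		delete @Checklist_Http_SynFlood { ip saddr }
		update @BlockedHostsControl { ip saddr counter }
		update @BlockedHostsCounts { ip saddr limit rate over 3/day } add @HardBlockedHosts { ip saddr } delete @BlockedHosts { ip saddr } delete @BlockedHostsCounts { ip saddr } log prefix "HttpHardBlk "
		drop
	}

	chain Http {
		# don't use "meta length 52" as this seems the default start length for browsers
		# can't use conntrack, as it processes ack before we see it ...
		# Block Http-Abusing until the HardBlockedHosts entry expires (3d) ...
		ip saddr @HardBlockedHosts drop
		#ip saddr @Checklist_Http_SynFlood log prefix "Debug: is in SynFlood "
		ip saddr @AllowedHosts_Http accept
		# handle combined (rst & ack) packages, by first testing for ack
		tcp flags ack ip saddr @Checklist_Http_SynRst add @AllowedHosts_Http { ip saddr } delete @Checklist_Http_SynRst { ip saddr } delete @Checklist_Http_SynFlood { ip saddr } accept
		# only block http-traffic
		ip saddr @BlockedHosts drop
		# block RST without ACK
		tcp flags rst ip saddr @Checklist_Http_SynRst log prefix "RST-Block " goto Http_Block
		# block tcp sequence number 0 ... (a legitimate ISN of 0 is possible but
		# rare; accepted trade-off)
		tcp sequence == 0 drop
		# count SYN and block syn-floods if more than 10/minute per source
		#tcp flags syn update @Checklist_Http_SynFlood { ip saddr limit rate over 10/minute burst 10 packets } log prefix "SynFloodBlk " goto Http_Block
		tcp flags syn update @Checklist_Http_SynFlood { ip saddr limit rate over 10/minute } goto Http_Block
		tcp flags syn add @Checklist_Http_SynRst { ip saddr } add @Checklist_Http_SynFlood { ip saddr } accept # add syn-package to check for RST without ACK
		accept
	}

	chain input {
		type filter hook input priority 0; policy drop;
		iif lo accept
		# drop multicasts
		ip daddr 224.0.0.0/4 drop
		# block abusing networks
		include "/mnt/DataDrive/Config/firewall/ip/block.all"
		# http/https bypasses conntrack on purpose (see Http chain)
		tcp dport { http, https } goto Http
		ct state { established, related } accept
		ct status { expected, seen-reply, assured, confirmed } accept
		# vtun
		tcp dport 5000 goto OpenVPN_Clients
		udp dport 5000 goto OpenVPN_Clients
		# drop fritzbox access to localnet, after tracking, else no remote access ...
		ip saddr 10.0.0.2 drop
		# Telnet (cleartext) -- restricted to the internal ranges only
		tcp dport 23 ip saddr { 10.1.1.0/24, 10.0.1.0/24, 10.3.0.0/16, 10.6.0.0/24 } log level info prefix "Telnet OKEY " accept
		# Dynamic blocking after Conntrack...
		#ip saddr & 255.255.255.0 == @BlockedHosts_Scan limit rate 1/minute burst 1 packets log prefix "Is in Blocklist " drop
		ip saddr @BlockedHosts_Scan counter drop
		#######
		# drop stray ACKs from lost sessions (due to VPN reconnections);
		# everything past this point is a new flow, so it must start without ACK
		tcp flags ack counter drop
		# DHCP
		udp dport 67 iif eth0 udp sport 68 accept
		# DNS
		tcp dport 53 ip saddr { 10.0.1.0/24, 10.3.0.0/16, 10.6.0.0/24 } accept
		udp dport 53 ip saddr { 10.0.1.0/24, 10.3.0.0/16, 10.6.0.0/24 } accept
		# NTP
		tcp dport 123 ip saddr { 10.0.1.0/24, 10.3.0.0/16, 10.6.0.0/24 } accept
		#tcp flags rst tcp sport { ftp, http, pop3, imap2, https, ftps, imaps, pop3s } limit rate 1/second burst 2 packets accept
		# Syslog
		udp dport 514 ip saddr 10.0.1.3 accept
		udp dport 514 ip saddr 10.0.2.2 accept
		# local http
		tcp dport 9999 iifname eth0 ip saddr 10.3.0.0/16 log accept
		tcp dport 9999 iifname Vtun-Server ip saddr 10.6.0.0/24 log accept
		# local ftp
		tcp dport 21 iifname eth0 ip saddr 10.3.0.0/16 log accept
		tcp dport 21 iifname Vtun-Server ip saddr 10.6.0.0/24 log accept
		ip protocol icmp limit rate 1/second burst 2 packets log accept
		# Block explicit server-accesses
		meta l4proto { tcp, udp } th dport $ExplicitPorts log prefix "Portscan: " drop
		# Blacklist Portscans, untracked and unaccepted from previous rule
		meta l4proto { tcp, udp } add @BlockedHosts_Scan { ip saddr } drop
		limit rate 1/minute burst 2 packets log level info prefix "DROP " drop
		drop
	}

	chain forward {
		type filter hook forward priority 0; policy drop;
		pkttype broadcast drop
		pkttype multicast drop
		# Multicast
		ip daddr 224.0.0.0/4 drop
		# clamp MSS to the route MTU for new connections
		tcp flags syn tcp option maxseg size set rt mtu
		ct state { established, related } accept
		ct status { expected, seen-reply, assured, confirmed } accept
		# facebook / whatsapp
		#ip daddr 31.13.0.0/16 drop
		# UPNP
		udp dport 1900 drop
		# Fritzbox Parental-Control
		tcp dport 14013 drop
		#tcp flags rst tcp sport { ftp, http, pop3, imap2, https, ftps, imaps, pop3s } limit rate 1/second burst 2 packets accept
		ip protocol != { icmp, tcp, udp } drop
		# any new flow from the internal 10/8 range may be forwarded anywhere
		ip saddr 10.0.0.0/8 accept
		# https forwarded to Mainserver, as this is forward only, no input-rule is required ...
		#tcp dport 4430 log level info prefix "HTTP " accept
		#tcp dport 8080 log level info prefix "HTTPs " accept
		limit rate 1/minute burst 2 packets log level info prefix "DROP " drop
		drop
	}

	chain output {
		type filter hook output priority 0; policy accept;
		accept
	}
}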