# fss-0002

main:
  # initialize the firewall
  action none
  direction none
  protocol none
  chain none

  rule -F
  rule -Z

  tool iptables
  rule -t nat -F
  rule -t mangle -F
  tool ip46tables


INPUT:
  # main input chain, expect this to act as the final RETURN handler.
  direction input
  protocol none

  # handle local (loopback) connections.
  device lo
  rule -j input-loop
  device all

  # Drop all INVALID packets so they aren't even processed
  rule -m conntrack --ctstate INVALID -j input-invalid

  # Allow ALL connections that have already been established by this host
  #rule -m state --state ESTABLISHED,RELATED -j ACCEPT
  rule -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

  # send to whitelist and blacklist, which should return here.
  rule -j input-blacklist
  rule -j input-whitelist

  # Drop multicasts and broadcasts, they should not exist for a router and in most cases should be avoided.
  # unicasts are the normal behavior and blocking them would be very unusual.
  rule -m pkttype --pkt-type broadcast -j input-casting
  rule -m pkttype --pkt-type multicast -j input-casting
  #rule -m pkttype --pkt-type unicast -j input-casting

  # send all tcp packets to the tcp queue
  protocol tcp
  rule -m state --state NEW -j input-tcp

  # send all udp packets to the udp queue
  protocol udp
  rule -m state --state NEW -j input-udp

  # send all icmp packets to the icmp queue
  protocol icmp
  rule -m state --state NEW -j input-icmp

  # send all icmpv6 packets to the icmpv6 queue
  tool ip6tables
  protocol icmpv6
  rule -m state --state NEW -j input-icmpv6
  tool ip46tables

  # load custom device-specific rules
  rule -j input-devices

  # remaining packets
  #rule -j LOG --log-prefix "INPUT:"
  rule -j DROP


input-invalid:
  direction input
  protocol none

  # silently drop invalid RST tcp packets instead of sending a RST back.
  protocol tcp
  rule --tcp-flags RST RST -j DROP

  # invalid FIN,ACK (server is wanting a FIN response), silently DROP it, send RST back, or send a FIN back.
  #rule --tcp-flags ALL ACK,FIN -j DROP
  #rule --tcp-flags ALL ACK,FIN -j REJECT --reject-with tcp-reset
  rule --tcp-flags ALL ACK,FIN -j ACCEPT


  # remaining packets
  protocol none
  #rule -j LOG --log-prefix "INV_IN:"
  rule -j DROP


input-invalid-stream:
  direction input
  protocol tcp

  # remaining packets
  rule -j REJECT --reject-with tcp-reset


input-loop:
  direction input
  protocol none

  # allow cups via loopback.
  protocol tcp
  tool iptables
  rule --sport 631 -s 127.0.0.0/8 -d 127.0.0.0/8 -j ACCEPT
  rule --dport 631 -s 127.0.0.0/8 -d 127.0.0.0/8 -j ACCEPT

  # allow local dns server
  #protocol udp
  #rule --dport 53 -s 127.0.0.0/8 -d 127.0.1.1 -j ACCEPT

  # this is the localhost address, valid localhost are allowed to return to the previous chain.
  protocol none
  rule -s 127.0.0.0/8 -d 127.0.0.0/8 -j RETURN
  tool ip6tables
  rule -s ::1 -d ::1 -j RETURN
  tool iptables

  # it may be necessay to add a return for individual ips because there are some cases that result in non-localhost addresses going through loopback.
  #rule -s 192.168.0.1 -d 192.168.0.1 -j RETURN
  tool ip46tables

  # remaining packets
  #rule -j DROP
  rule -j RETURN


input-blacklist:
  direction input
  protocol none


input-whitelist:
  direction input
  protocol none


input-devices:
  direction input
  protocol none

  # add device-specific rules here.


input-tcp:
  direction input
  protocol tcp

  # Resist TCP sequence number spoof attacks.
  rule --tcp-flags SYN,ACK SYN,ACK -m conntrack --ctstate NEW -j input-invalid

  # TCP streams must always start with SYN, all others are invalid and may be an attack.
  rule ! --syn -m conntrack --ctstate NEW -j input-invalid-stream

  # Prevent an XMAS attacks
  rule --tcp-flags ALL FIN,URG,PSH -j input-invalid
  rule --tcp-flags ALL ALL -j input-invalid
  rule --tcp-flags ALL SYN,RST,ACK,FIN,URG -j input-invalid

  # Prevent NULL attack
  rule --tcp-flags ALL NONE -j input-invalid

  # Prevent Sync Reset Attacks
  rule --tcp-flags SYN,RST SYN,RST -j input-invalid
  rule --tcp-flags SYN,FIN SYN,FIN -j input-invalid

  # XMPP ports.
  #rule -m multiport --dports 5222,5223,5269 -j ACCEPT

  # Postgresql standard port
  #rule --dport 5432 -j ACCEPT

  # Mysql standard port
  #rule --dport 5432 -j ACCEPT

  # Oracle standard port
  #rule --dport 1521 -j ACCEPT

  # Web standard ports
  #rule -m multiport --dports 80,443,8080,8181,8443,8099,9000,9001,9002 -j ACCEPT

  # ldap standard ports
  #rule -m multiport --dports 389,636,1636 -j ACCEPT

  # mail standard ports
  #rule -m multiport --dports 25,465,993 -j ACCEPT

  # ssh standard port
  #rule --dport 22 -j ACCEPT

  # require 3 knocks before opening the door for SSH.
  #rule --dport 22 -m state --state NEW -m recent --set
  #rule --dport 22 -m state --state NEW -m recent --update --seconds 15 --hitcount 3 -j ACCEPT

  # common chef ssh ports
  #rule --dport 2200:2210 -j ACCEPT

  # gpg standard port
  #rule --dport 9050 -j ACCEPT

  # ftp standard port
  #rule --dport 21 -j ACCEPT

  # dns standard port (via tcp)
  #rule --dport 53 -j ACCEPT

  # rdp standard port
  #rule --dport 3389 -j ACCEPT

  # spice standard ports
  #rule -m multiport --dports 5900:5905 -j ACCEPT

  # allow high ports
  #rule -m multiport --dports 49152:65535 -j ACCEPT

  # accept all loopback
  tool iptables
  rule -d 127.0.0.0/8 -j ACCEPT
  tool ip6tables
  rule -d ::1 -j ACCEPT
  tool ip46tables


input-udp:
  direction input
  protocol udp

  # openvpn standard port
  #rule --dport 1194 -j ACCEPT

  # dns standard port
  #rule --dport 53 -j ACCEPT

  # mdns standard port
  #rule --dport 5353 -j ACCEPT

  # dhcp standard port
  rule --sport 67:68 --dport 67:68 -j ACCEPT

  # ntp standard port
  #rule --dport 123 -j ACCEPT

  # teeworlds game server and client
  #rule --dport 8300:8310 -j ACCEPT

  # XMPP ports.
  #rule -m multiport --dports 5222,5223,5269 -j ACCEPT

  # allow high ports
  #rule -m multiport --dports 49152:65535 -j ACCEPT

  # accept all loopback
  tool iptables
  rule -d 127.0.0.0/8 -j ACCEPT
  tool ip6tables
  rule -d ::1 -j ACCEPT
  tool ip46tables


input-icmp:
  direction input
  protocol icmp
  tool iptables

  # destination unreachable
  rule --icmp-type 3 -j ACCEPT

  # redirect
  rule --icmp-type 5 -j ACCEPT

  # (outgoing) ping
  rule --icmp-type 0 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

  # time exceeded
  rule --icmp-type 11 -j ACCEPT

  # parameter problem
  rule --icmp-type 12 -j ACCEPT

  # all loopback ICMP traffic
  tool iptables
  rule -i lo -s 127.0.0.0/8 -d 127.0.0.0/8 -j ACCEPT
  tool ip46tables

  # remaining packets
  #rule -j LOG --log-prefix "ICMP_IN:"
  #rule -j DROP
  rule -j ACCEPT


input-icmpv6:
  direction input
  protocol icmp
  tool ip6tables

  #rule -j LOG --log-prefix "ICMP6_IN:"
  #rule -j DROP
  rule -j ACCEPT

  tool ip46tables


input-casting:
  direction input
  protocol none
  tool ip46tables

  # do not auto-drop dhcp messages sent from a dhcp server to a local dhcp client.
  # dhcp offer/acknowledge (the source address must be the routers address, so do not allow 0.0.0.0/0)
  protocol udp
  tool iptables
  rule --sport 67 -d 255.255.255.255 --dport 68 -j RETURN
  protocol none

  # Move ICMPv6 along.
  tool ip6tables
  protocol icmpv6
  rule -m state --state NEW -j input-icmpv6
  tool ip46tables

  # drop all remaining broadcasts and multicasts
  #rule -j LOG --log-prefix "CAST_IN:"
  #rule -j DROP
  rule -j RETURN


OUTPUT:
  # main output chain, expect this to act as the final RETURN handler.
  direction output
  protocol none

  # handle local (loopback) connections.
  device lo
  rule -j output-loop
  device all

  # Drop all INVALID packets so they aren't even processed
  rule -m conntrack --ctstate INVALID -j output-invalid

  # Allow ALL connections that have already been established by this host
  #rule -m state --state ESTABLISHED,RELATED -j ACCEPT
  rule -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

  # send to whitelist and blacklist, which should return here.
  rule -j input-blacklist
  rule -j input-whitelist

  # Drop multicasts and broadcasts, they should not exist for a router and in most cases should be avoided.
  # unicasts are the normal behavior and blocking them would be very unusual.
  rule -m pkttype --pkt-type broadcast -j output-casting
  rule -m pkttype --pkt-type multicast -j output-casting
  #rule -m pkttype --pkt-type unicast -j output-casting

  # send all tcp packets to the tcp queue
  protocol tcp
  rule -m state --state NEW -j output-tcp

  # send all udp packets to the udp queue
  protocol udp
  rule -m state --state NEW -j output-udp

  # send all icmp packets to the icmp queue
  protocol icmp
  rule -m state --state NEW -j output-icmp

  # send all icmpv6 packets to the icmpv6 queue
  tool ip6tables
  protocol icmpv6
  rule -m state --state NEW -j output-icmpv6
  tool ip46tables

  # load custom device-specific rules
  rule -j input-devices

  # remaining packets
  #rule -j LOG --log-prefix "OUTPUT:"
  #rule -j DROP
  rule -j ACCEPT


output-invalid:
  direction output
  protocol none

  # remaining packets
  #rule -j LOG --log-prefix "INV_OUT:"
  rule -j DROP


output-invalid-stream:
  direction input
  protocol tcp

  # remaining packets
  rule -j REJECT --reject-with tcp-reset


output-loop:
  direction output
  protocol none

  # allow cups via loopback.
  protocol tcp
  tool iptables
  rule --sport 631 -s 127.0.0.0/8 -d 127.0.0.0/8 -j ACCEPT
  rule --dport 631 -s 127.0.0.0/8 -d 127.0.0.0/8 -j ACCEPT

  # allow local dns server
  protocol udp
  rule --sport 53 -s 127.0.0.0/8 -d 127.0.0.0/8 -j ACCEPT

  # this is the localhost address, valid localhost are allowed to return to the previous chain.
  protocol none
  rule -s 127.0.0.0/8 -d 127.0.0.0/8 -j RETURN

  # it may be necessay to add a return for individual ips because there are some cases that result in non-localhost addresses going through loopback.
  #rule -s 192.168.0.1 -d 192.168.0.1 -j RETURN
  tool ip46tables

  # remaining packets
  #rule -j DROP
  rule -j RETURN


output-blacklist:
  direction output
  protocol none


output-whitelist:
  direction output
  protocol none


output-devices:
  direction output
  protocol none

  # add device-specific rules here.


output-tcp:
  direction output
  protocol tcp

  # allow sending TCP RST even when there is no valid local connection
  protocol tcp
  rule --tcp-flags RST RST -j ACCEPT

  # allow sending ACK,PSH,FIN even when there is no valid local connection.
  # the connection may already be closed locally by the time this packet goes out and it could improperly be marked as invalid before it leaves the system.
  # allowing this ensures that the client gets the final disconnect acknowledgment.
  rule --tcp-flags ALL ACK,FIN -j ACCEPT
  rule --tcp-flags ALL ACK,PSH,FIN -j ACCEPT

  # Resist TCP sequence number spoof attacks.
  rule --tcp-flags SYN,ACK SYN,ACK -m conntrack --ctstate NEW -j input-invalid

  # TCP streams must always start with SYN, all others are invalid and may be an attack.
  rule ! --syn -m conntrack --ctstate NEW -j output-invalid-stream

  # Prevent an XMAS attacks
  rule --tcp-flags ALL FIN,URG,PSH -j output-invalid
  rule --tcp-flags ALL ALL -j output-invalid
  rule --tcp-flags ALL SYN,RST,ACK,FIN,URG -j output-invalid

  # Prevent NULL attack
  rule --tcp-flags ALL NONE -j output-invalid

  # Prevent Sync Reset Attacks
  rule --tcp-flags SYN,RST SYN,RST -j output-invalid
  rule --tcp-flags SYN,FIN SYN,FIN -j output-invalid

  # Postgresql standard port
  #rule --sport 5432 -j ACCEPT

  # Mysql standard port
  #rule --sport 5432 -j ACCEPT

  # Oracle standard port
  #rule --sport 1521 -j ACCEPT

  # Web standard ports
  rule -m multiport --dports 80,443,8080,8181,8443,8099,9000,9001,9002 -j ACCEPT
  #rule -m multiport --sports 80,443,8080,8181,8443,8099,9000,9001,9002 -j ACCEPT

  # ldap standard ports
  rule -m multiport --dports 389,636,1636 -j ACCEPT
  #rule -m multiport --sports 389,636,1636 -j ACCEPT

  # mail standard ports
  rule -m multiport --dports 25,465,993 -j ACCEPT
  #rule -m multiport --sports 25,465,993 -j ACCEPT

  # XMPP ports
  rule -m multiport --dports 5222,5223,5269 -j ACCEPT

  # ssh standard port
  rule --dport 22 -j ACCEPT
  #rule --sport 22 -j ACCEPT

  # common chef ssh ports
  #rule --dport 2200:2210 -j ACCEPT
  #rule --sport 2200:2210 -j ACCEPT

  # gpg standard port
  rule --dport 9050 -j ACCEPT
  #rule --sport 9050 -j ACCEPT

  # pgp keyserver port
  rule --dport 11371 -j ACCEPT

  # ftp standard port
  rule --dport 21 -j ACCEPT
  #rule --sport 21 -j ACCEPT

  # dns standard port (via tcp)
  rule --dport 53 -j ACCEPT
  #rule --sport 53 -j ACCEPT

  # rdp standard port
  rule --dport 3389 -j ACCEPT
  #rule --sport 3389 -j ACCEPT

  # spice standard ports
  rule -m multiport --dports 5900:5905 -j ACCEPT
  #rule -m multiport --sports 5900:5905 -j ACCEPT

  # allow high ports
  rule -m multiport --sports 49152:65535 -j ACCEPT
  #rule -m multiport --dports 49152:65535 -j ACCEPT

  # accept all loopback
  tool iptables
  rule -s 127.0.0.0/8 -j ACCEPT
  tool ip6tables
  rule -d ::1 -j ACCEPT
  tool ip46tables


output-udp:
  direction output
  protocol udp

  # openvpn standard port
  rule --dport 1194 -j ACCEPT
  #rule --sport 1194 -j ACCEPT

  # dns standard port
  rule --dport 53 -j ACCEPT
  #rule --sport 53 -j ACCEPT

  # mdns standard port
  #rule --dport 5353 -j ACCEPT
  #rule --sport 5353 -j ACCEPT

  # dhcp standard port
  rule --sport 67:68 --dport 67:68 -j ACCEPT

  # ntp standard port
  rule --dport 123 -j ACCEPT
  #rule --sport 123 -j ACCEPT

  # ntpsec standard port
  rule --dport 4460 -j ACCEPT

  # teeworlds game server and client
  rule --dport 8300:8310 -j ACCEPT

  # XMPP ports
  rule -m multiport --dports 5222,5223,5269 -j ACCEPT

  # allow high ports
  rule -m multiport --sports 49152:65535 -j ACCEPT
  #rule -m multiport --dports 49152:65535 -j ACCEPT

  # accept all loopback
  tool iptables
  rule -s 127.0.0.0/8 -j ACCEPT
  tool ip6tables
  rule -d ::1 -j ACCEPT
  tool ip46tables


output-icmp:
  direction output
  protocol icmp
  tool iptables

  # destination unreachable
  rule --icmp-type 3 -j ACCEPT

  # redirect
  rule --icmp-type 5 -j ACCEPT

  # (outgoing) ping
  rule --icmp-type 8 -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT

  # time exceeded
  rule --icmp-type 11 -j ACCEPT

  # parameter problem
  rule --icmp-type 12 -j ACCEPT

  # all loopback ICMP traffic
  tool iptables
  rule -o lo -s 127.0.0.0/8 -d 127.0.0.0/8 -j ACCEPT
  tool ip46tables

  # remaining packets
  #rule -j LOG --log-prefix "ICMP_OUT:"
  #rule -j DROP
  rule -j ACCEPT


output-icmpv6:
  direction output
  protocol icmp
  tool ip6tables

  #rule -j LOG --log-prefix "ICMP6_OUT:"
  #rule -j DROP
  rule -j ACCEPT

  tool ip46tables


output-casting:
  direction output
  protocol none
  tool ip46tables

  # do not auto-drop dhcp client messages sent to a dhcp server.
  # dhcp discover/request (for the request, the dhcp server ip address is known but for some reason the dhcp standard states tat the src is 0.0.0.0.
  protocol udp
  tool iptables
  rule --sport 68 -d 255.255.255.255 --dport 67 -j RETURN
  protocol none
  tool ip46tables

  # Move ICMPv6 along.
  tool ip6tables
  protocol icmpv6
  rule -m state --state NEW -j output-icmpv6
  tool ip46tables

  # drop all remaining broadcasts and multicasts
  #rule -j LOG --log-prefix "CAST:"
  #rule -j DROP
  rule -j ACCEPT


FORWARD:

  # load custom device-specific rules
  rule -j forward-devices

  #rule -j LOG --log-prefix "FORWARDs:"
  #rule -j DROP
  rule -j ACCEPT


forward-devices:

  # add device-specific rules here.
