Firewall Macros
The macros in the sample firewall_macros.cfg configuration file below are used to configure the iptables firewall. Generally, we want to confine the parameters that change, such as the hosts to block, the user systems to restrict, and the logging and rate-limit options, to this macro #include file and leave the parent iptables file and the other include files unmodified.
The =badboys macro specifies IP addresses of hosts and/or networks that are behaving badly, for example, attempting to hack our systems, launching DoS (denial-of-service) attacks, mirroring our website without authorization, hogging our bandwidth, or otherwise causing us fits. The list is selected per host with #if/#elsif/#else; on a host that has nothing to block, the branch holds only the =piktnullchar placeholder, used where the macro must be defined but has no entries.
The =userips macros list our non-server, user systems. Depending on the time and circumstances, we want to shut off various services to and from those systems, for example, web browsing (http) and file transfer (ftp). Under normal circumstances, i.e., when we are merely "attentive", =userips_all includes just the Dell and HP PCs (=ip_lully and =ip_cornysh) as the machines whose http and ftp traffic is restricted. As we move up the security scale from "cautious" to "worried" to "paranoid", each #elsifdef branch adds more of the machines (typically Linux systems) to the list until, at the highest setting, "paranoid", all user systems are so restricted. The security level is a flag tested with #ifdef/#elsifdef, so raising or lowering it means defining a different flag, not editing the address lists; if none of the four flags is defined, the list holds only =piktnullchar and no user system is restricted.
///////////////////////////////////////////////////////////////////////////////
//
// firewall_macros.cfg - iptables firewall macros
//
///////////////////////////////////////////////////////////////////////////////

logopt          --log-level=3 -m limit --limit 3/minute --limit-burst 3

synopt          -m limit --limit 5/second --limit-burst 10

badboys
#if moniot
                =piktnullchar
#elsif vitry
                // forum spammers
                203.121.69.153
                194.84.172.84
                195.2.114.2     // > 700 reg tries 0701 thru 0704!
                87.118.106.4    // > 1600 reg tries 0701 thru 0704!
                ...
                // other
                172.16.3.0/8
                10.0.0.5
                169.254.99.3
                ...
#else
                =piktnullchar
#endif

#if moniot
ntpservers      130.126.24.24   // ntp-1.gw.uiuc.edu
#endif

badiprfc        0.0.0.0/8
                10.0.0.0/8
                127.0.0.0/8
                169.254.0.0/16
                172.16.0.0/12
                192.0.2.0/24
                224.0.0.0/4
                240.0.0.0/5
                255.255.255.255

ip_lully        192.168.3.250   // Dell PC
ip_cornysh      192.168.3.251   // HP PC
ip_guido        192.168.3.185   // guido-com
ip_ofelia       192.168.3.190   // ofelia-com
ip_robert       192.168.3.192   // robert-com (middle XP)
ip_berto        192.168.3.195   // berto-com (right XP)
ip_tye          192.168.3.180   // tye-com

userips_family  =ip_lully =ip_cornysh =ip_guido

userips_all
#if moniot
# ifdef paranoid
                =ip_lully =ip_cornysh =ip_guido =ip_ofelia =ip_robert =ip_berto =ip_tye
# elsifdef worried
                =ip_lully =ip_cornysh =ip_guido =ip_ofelia
# elsifdef cautious
                =ip_lully =ip_cornysh =ip_guido
# elsifdef attentive
                =ip_lully =ip_cornysh
# endifdef
                =piktnullchar
#elsif vitry | ciconia
                =piktnullchar
#else
                =piktnullchar
#endif

///////////////////////////////////////////////////////////////////////////////
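To see what the macros above resolve to on a given host at a given security level, here is an added example (not PIKT's own preprocessor, and not part of the original page) that walks a constructed excerpt of the sample file through the same steps PIKT performs: select the #if/#elsif/#else branches for one host name, select the # ifdef/# elsifdef branches for the defined flags, join the indented continuation lines into each macro, strip // comments, and expand =name references. It then renders a few iptables rules from =badboys and =userips_all; the rule shapes (log-then-drop for badboys, reject tcp/80 and tcp/21 from restricted user systems) are assumptions for illustration, since the parent iptables file is not shown here. The host names, flags and addresses come from the sample; the excerpt itself is constructed and omits the worried and paranoid branches.

```python
"""Expand a PIKT-style firewall_macros.cfg into iptables rules (added example, not
PIKT's own code; it handles only the directive subset the sample above uses)."""
import re

SAMPLE_CFG = """\
logopt          --log-level=3 -m limit --limit 3/minute --limit-burst 3
badboys
#if moniot
                =piktnullchar
#elsif vitry
                203.121.69.153
                194.84.172.84   // > 700 reg tries 0701 thru 0704!
#else
                =piktnullchar
#endif
ip_lully        192.168.3.250   // Dell PC
ip_cornysh      192.168.3.251   // HP PC
ip_guido        192.168.3.185   // guido-com
userips_all
#if moniot
# ifdef cautious
                =ip_lully =ip_cornysh =ip_guido
# elsifdef attentive
                =ip_lully =ip_cornysh
# endifdef
                =piktnullchar
#elsif vitry | ciconia
                =piktnullchar
#endif
"""  # constructed excerpt of the sample; hosts and addresses as on the page

DIRECTIVE = re.compile(r"^#\s*(if|ifdef|elsif|elsifdef|else|endif|endifdef)\b\s*(.*)$")


def preprocess(text, host, defined):
    """Keep only the lines selected for this host and this set of defined flags."""
    out, stack = [], []  # one [taken, active] frame per open conditional
    for raw in text.splitlines():
        m = DIRECTIVE.match(raw)
        if not m:
            if all(active for _, active in stack):
                out.append(raw)
            continue
        kw, names = m.group(1), {n.strip() for n in m.group(2).split("|") if n.strip()}
        hit = host in names if kw in ("if", "elsif") else bool(names & defined)
        if kw in ("if", "ifdef"):
            stack.append([hit, hit])
        elif kw in ("elsif", "elsifdef"):  # first true branch wins
            stack[-1][1] = hit and not stack[-1][0]
            stack[-1][0] = stack[-1][0] or hit
        elif kw == "else":
            stack[-1][1] = not stack[-1][0]
            stack[-1][0] = True
        else:  # endif / endifdef
            stack.pop()
    if stack:
        raise ValueError("unterminated conditional")
    return out


def parse_macros(lines):
    """A name in column 0 starts a macro; indented lines continue the last one."""
    macros, current = {"piktnullchar": []}, None  # =piktnullchar expands to nothing
    for line in lines:
        line = line.split("//", 1)[0].rstrip()  # strip // comments
        if not line.strip():
            continue
        if line[0] in " \t":
            if current is None:
                raise ValueError(f"continuation before any macro: {line!r}")
            macros[current].extend(line.split())
        else:
            current, *rest = line.split(None, 1)
            macros[current] = rest[0].split() if rest else []
    return macros


def expand(macros, name, _chain=()):
    """Resolve =name references recursively, refusing cycles (KeyError if undefined)."""
    if name in _chain:
        raise ValueError("recursive macro: " + " -> ".join(_chain + (name,)))
    out = []
    for tok in macros[name]:
        out += expand(macros, tok[1:], _chain + (name,)) if tok.startswith("=") else [tok]
    return out


def firewall_rules(text, host, defined=()):
    """Rules a parent iptables file could build; the rule shapes are assumed here."""
    macros = parse_macros(preprocess(text, host, set(defined)))
    logopt = " ".join(expand(macros, "logopt"))
    rules = []
    for src in expand(macros, "badboys"):  # rate-limited log, then drop
        rules += [f"iptables -A INPUT -s {src} -j LOG {logopt} --log-prefix 'badboys: '",
                  f"iptables -A INPUT -s {src} -j DROP"]
    for src in expand(macros, "userips_all"):  # no http/ftp from restricted user systems
        rules += [f"iptables -A FORWARD -s {src} -p tcp --dport {p} -j REJECT" for p in (80, 21)]
    return rules
```

Calling firewall_rules(SAMPLE_CFG, "vitry") yields the four badboys rules and nothing for user systems; firewall_rules(SAMPLE_CFG, "moniot", ("attentive",)) yields only the http/ftp rejects for the Dell and HP PCs, and with ("cautious",) guido-com is added. With no flag defined on moniot the list is just =piktnullchar and no rule is emitted, which is exactly the behaviour to check before relying on a security-level flag: a typo in the flag name silently selects the unrestricted case.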
For more examples, see Samples.