tBKwtWS 4 лет назад
Сommit
5471ea4b59
4 измененных файлов с 230 добавлено и 0 удалено
  1. 3 0
      if-pre-up.d/iptables
  2. 190 0
      iptables.up.rules
  3. 7 0
      logrotate.d/iptables
  4. 30 0
      rsyslog.d/30-iptables.conf

+ 3 - 0
if-pre-up.d/iptables

@@ -0,0 +1,3 @@
+#!/bin/sh
+/sbin/iptables-restore /etc/iptables.up.rules
+
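Review bot: The hook restores only an IPv4 ruleset, so on a host with IPv6 enabled all IPv6 traffic bypasses the filtering that iptables.up.rules sets up; an `ip6tables-restore` of a matching (or at least deny-by-default) IPv6 ruleset belongs next to this line. ifupdown runs if-pre-up.d scripts once per interface, so two interfaces coming up together can contend for the xtables lock and the second restore can fail; `/sbin/iptables-restore -w /etc/iptables.up.rules` makes it wait instead. A failed restore makes the script exit non-zero and aborts the interface bring-up, which is presumably the intended fail-closed behaviour; a one-line comment saying so would keep the next editor from "fixing" it with `|| true`.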

+ 190 - 0
iptables.up.rules

@@ -0,0 +1,190 @@
+# Well known ports      0:1023
+# Registered ports      1024:49151
+# Goldielocks zone      32768:65535
+# Dynamic/Private       49152:65535
+#
+# WAN			86.83.121.29
+# vps			185.66.250.42
+# tor-exit		185.87.185.45
+
+*filter
+
+:INPUT ACCEPT [0:0]
+:FORWARD ACCEPT [0:0]
+:OUTPUT ACCEPT [0:0]
+:clutter - [0:0]
+
+# Local loopback
+-A INPUT ! -i lo -d 127.0.0.0/8 -m limit --limit 5/min -j LOG --log-prefix "iptables dropped 127.0.0.0/8, from non localhost: " --log-level 7
+-A INPUT ! -i lo -d 127.0.0.0/8 -j DROP
+-A INPUT -i lo -j ACCEPT
+-A OUTPUT -o lo -j ACCEPT
+
+# Active connections
+-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
+-A OUTPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
+
+# Ping
+-A OUTPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT
+
+# FTP
+#-A OUTPUT -p tcp -m tcp --sport ? --dport 21 -j ACCEPT
+#-A OUTPUT -p tcp -m tcp --sport 32768:65535 --dport 49152:65535 -j ACCEPT
+
+# SSH
+#-A INPUT -p tcp -m tcp --dport 22 -m state --state NEW -m recent --set --name SSH --mask 255.255.255.255 --rsource
+#-A INPUT -p tcp -m tcp --dport 22 -m limit --limit 5/min -m recent --rcheck --seconds 40 --hitcount 4 --rttl --name SSH --mask 255.255.255.255 --rsource -j LOG --log-prefix "iptalbes dropped SSH flood: "
+#-A INPUT -p tcp -m tcp --dport 22 -m recent --update --seconds 40 --hitcount 4 --rttl --name SSH --mask 255.255.255.255 --rsource -j DROP
+#-A INPUT -p tcp -m tcp --sport 1024:65535 --dport 22 -j ACCEPT
+-A OUTPUT -p tcp -m tcp --sport 32768:65535 --dport 22 -j ACCEPT
+
+# Telnet
+#-A OUTPUT -p tcp -m tcp --sport 32768:65535 --dport 23 -j ACCEPT
+
+# SMTP(S)
+-A OUTPUT -p tcp -m tcp --sport 32768:65535 --dport 25 -j ACCEPT
+-A OUTPUT -p tcp -m tcp --sport 49152:65535 --dport 465 -j ACCEPT
+-A OUTPUT -p tcp -m tcp --sport 32768:65535 --dport 587 -j ACCEPT
+
+# WHOIS
+-A OUTPUT -p tcp -m tcp --sport 32768:65535 --dport 43 -j ACCEPT
+
+# DNS
+-A OUTPUT -p udp -m udp --sport 1024:65535 --dport 53 -j ACCEPT
+-A OUTPUT -p tcp -m tcp --sport 32768:65535 --dport 53 -j ACCEPT
+
+# DNS for VM
+-A FORWARD -p udp -m udp --sport 1024:65535 --dport 53 -j ACCEPT
+-A FORWARD -p tcp -m tcp --sport 32768:65535 --dport 53 -j ACCEPT
+-A FORWARD -p udp -m udp --sport 53 --dport 1024:65535 -j ACCEPT
+-A FORWARD -p tcp -m tcp --sport 53 --dport 32768:65535 -j ACCEPT
+
+# DHCP client
+#-A INPUT -d 255.255.255.255 -p udp -m udp --sport 67 --dport 68 -j ACCEPT
+#-A OUTPUT -p udp -m udp --sport 68 --dport 67 -j ACCEPT
+
+# DHCP for VM
+-A INPUT -s 0.0.0.0 -d 255.255.255.255 -p udp -m udp --sport 68 --dport 67 -j ACCEPT
+-A OUTPUT -p udp -m udp --sport 67 --dport 68 -j ACCEPT
+
+# HTTP & HTTPS
+#-A INPUT -p tcp -m tcp --dport 80 -m state --state NEW -m recent --set --name HTTP --rsource
+#-A INPUT -p tcp -m tcp --dport 80 -m recent --rcheck --seconds 30 --hitcount 20 --rttl --name HTTP --rsource -j LOG --log-prefix "iptables dropped HTTP flood: " --log-level 4
+#-A INPUT -p tcp -m tcp --dport 80 -m recent --update --seconds 30 --hitcount 20 --rttl --name HTTP --rsource -j DROP
+#-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT -m comment --comment "Tor dir port"
+-A OUTPUT -p tcp -m tcp --sport 32768:65535 --dport 80 -j ACCEPT
+#-A INPUT -p tcp -m tcp --dport 443 -m state --state NEW -m recent --set --name HTTPS --rsource
+#-A INPUT -p tcp -m tcp --dport 443 -m recent --rcheck --seconds 30 --hitcount 20 --rttl --name HTTPS --rsource -j LOG --log-prefix "iptables dropped HTTPS flood: " --log-level 4
+#-A INPUT -p tcp -m tcp --dport 443 -m recent --update --seconds 30 --hitcount 20 --rttl --name HTTPS --rsource -j DROP
+#-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT -m comment --comment "Tor OR port"
+-A OUTPUT -p tcp -m tcp --sport 32768:65535 --dport 443 -j ACCEPT
+
+# HTTP & HTTPS for VM
+-A FORWARD -p tcp -m tcp --sport 32768:65535 --dport 80 -j ACCEPT
+-A FORWARD -p tcp -m tcp --sport 80 --dport 32768:65535 -j ACCEPT
+-A FORWARD -p tcp -m tcp --sport 32768:65535 --dport 443 -j ACCEPT
+-A FORWARD -p tcp -m tcp --sport 443 --dport 32768:65535 -j ACCEPT
+
+# NTP
+-A OUTPUT -p udp -m udp --sport 123 --dport 123 -j ACCEPT
+
+# NTP for VM
+-A FORWARD -p udp -m udp --sport 123 --dport 123 -j ACCEPT
+
+# Samba
+-A OUTPUT -p tcp -m tcp --sport 32768:65535 --dport 139 -j ACCEPT
+
+# IMAPs
+-A OUTPUT -p tcp -m tcp --sport 32768:65535 --dport 143 -j ACCEPT
+-A OUTPUT -p tcp -m tcp --sport 32768:65535 --dport 993 -j ACCEPT
+
+# PIP
+#-A OUTPUT -d 185.31.17.223 -p tcp -m tcp --sport 32768:65535 --dport 443 -j ACCEPT -m comment --comment "pip"
+
+# Socks5
+#-A OUTPUT -p tcp -m tcp --sport 57448:65535 --dport 1080 -j ACCEPT
+
+# OpenVPN
+-A OUTPUT -p udp -m udp --sport 32768:65535 --dport 1194 -j ACCEPT -m comment --comment "OpenVPN"
+
+# XMPP
+#-A OUTPUT -p tcp -m tcp --sport 32768:65535 --dport 5223 -j ACCEPT -m comment --comment "xmpps"
+#-A OUTPUT -p udp -m udp --sport 32768:65535 --dport 1900 -j ACCEPT -m comment --comment "xmpp?"
+
+# KDEconnect: TCP & UDP 1714-1764
+-A OUTPUT -p udp -m udp --sport 1716 --dport 1716 -j ACCEPT -m comment --comment "KDE Connect"
+-A INPUT -d 255.255.255.255 -p udp -m udp --sport 1716 --dport 1716 -j ACCEPT -m comment --comment "KDE Connect"
+-A INPUT -p tcp -m tcp --sport 32768:65535 --dport 1716 -j ACCEPT -m comment --comment "KDE Connect"
+-A INPUT -d 255.255.255.255 -p udp -m udp --sport 32768:65535 --dport 1714 -j ACCEPT -m comment --comment "KDE Connect"
+-A INPUT -d 255.255.255.255 -p udp -m udp --sport 32768:65535 --dport 1716 -j ACCEPT -m comment --comment "KDE Connect"
+-A OUTPUT -p tcp -m tcp --sport 32768:65535 --dport 1739:1744 -j ACCEPT -m comment --comment "KDE Connect"
+-A INPUT -p udp -m udp --sport 32768:65535 --dport 1714 -j ACCEPT -m comment --comment "KDE Connect"
+-A INPUT -p udp -m udp --sport 32768:65535 --dport 1716 -j ACCEPT -m comment --comment "KDE Connect"
+-A OUTPUT -p tcp -m tcp --sport 49152:65535 --dport 1716 -j ACCEPT -m comment --comment "KDE Connect"
+
+# Multicast DNS
+#-A OUTPUT -p udp -m udp --sport 5353 --dport 5353 -j clutter
+#-A OUTPUT -d 244.0.0.1 -j clutter -m comment --comment "Multicast DNS"
+#-A INPUT -d 224.0.0.1 -j clutter -m comment --comment "Multicast DNS"
+
+# IRC
+-A OUTPUT -p tcp -m tcp --sport 32768:65535 --dport 6667 -j ACCEPT
+-A OUTPUT -p tcp -m tcp --sport 32768:65535 --dport 6697 -j ACCEPT -m comment --comment "IRCs"
+
+# MVNAS
+-A OUTPUT -p tcp -m tcp --sport 32768:65535 --dport 8080 -j ACCEPT
+
+# Privoxy
+-A OUTPUT -p tcp -m tcp --sport 32768:65535 --dport 8118 -j ACCEPT -m comment --comment "Privoxy"
+
+# Privoxy for VM
+-A FORWARD -p tcp -m tcp --sport 32768:65535 --dport 8118 -j ACCEPT -m comment --comment "Privoxy for VM"
+-A FORWARD -p tcp -m tcp --sport 8118 --dport 32768:65535 -j ACCEPT -m comment --comment "Privoxy for VM"
+
+# Bitcoin
+#-A OUTPUT -p tcp -m tcp --sport 32768:65535 --dport 8333  -j ACCEPT -m comment --comment "Bitcoin"
+
+# MagnaVersum Gogs git SSH
+#-A OUTPUT -d 138.201.205.221 -p tcp -m tcp --sport 32768:65535 --dport 10022 -j ACCEPT -m comment --comment "MagnaVersum Gogs git SSH"
+
+# OpenPGP HTTP Key servers
+-A OUTPUT -p tcp -m tcp --sport 32768:65535 --dport 11371 -j ACCEPT -m comment --comment "OpenPGP HTTP key servers"
+
+# Torrents
+-A OUTPUT -p udp -m udp --sport 51413 -j ACCEPT -m comment --comment "Torrents"
+-A OUTPUT -p tcp -m tcp --dport 51413 -j ACCEPT -m comment --comment "Torrents"
+-A OUTPUT -p tcp -m tcp --sport 51413 --dport 1024:65535 -j ACCEPT -m comment --comment "Torrents"
+-A INPUT -p udp -m udp --dport 51413 -j ACCEPT -m comment --comment "Torrents"
+-A INPUT -p tcp -m tcp --dport 51413 -j ACCEPT -m comment --comment "Torrents"
+
+# Traceroute
+-A OUTPUT -p udp -m udp --sport 32768:65535 --dport 6881:33534 -j ACCEPT -m comment --comment "Traceroute"
+
+# Attacks, crawls, scans, etc to clutter chain
+-A INPUT -p icmp -j clutter
+-A INPUT -s 0.0.0.0 -d 255.255.255.255 -j clutter -m comment --comment "Broadcast messages"
+-A INPUT -p udp -m udp --dport 19 -j clutter -m comment --comment "Character generator, looping to echo = DDoS"
+-A INPUT -p tcp -m tcp --dport 23 -j clutter
+-A INPUT -p udp -m udp --dport 53 -j clutter
+-A INPUT -p udp -m udp --dport 111 -j clutter -m comment --comment "Probe/fingerprint Nix OS"
+-A INPUT -p tcp -m tcp --dport 445 -j clutter -m comment --comment "MS-DS active directory"
+-A INPUT -p tcp -m tcp --dport 2323 -j clutter -m comment --comment "3d-nfsd"
+-A INPUT -p udp -m udp --dport 5060 -j clutter
+-A INPUT -p tcp -m tcp --dport 3389 -j clutter -m comment --comment "MS terminal server RDP"
+
+#-A INPUT -d 255.255.255.255 -p tcp -m tcp --sport 67 --dport 68 -j clutter -m comment --comment "DHCP"
+#-A INPUT -m iprange --dst-range 185.66.250.254-185.66.250.255 -j clutter
+#-A INPUT -m mac --mac-source d4:ca:6d:74:87:0d -j clutter
+#-A INPUT -p udp -m udp --dport 3076 -j clutter -m comment --comment "orbix-config"
+
+# Log & drop
+-A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables dropped: " --log-level 7
+-A INPUT -j DROP
+-A FORWARD -m limit --limit 5/min -j LOG --log-prefix "iptables forward dropped: " --log-level 7
+-A FORWARD -j DROP
+-A OUTPUT -m limit --limit 5/min -j LOG --log-prefix "iptables rejected: " --log-level 7
+-A OUTPUT -j REJECT --reject-with icmp-port-unreachable
+-A clutter -m limit --limit 5/min -j LOG --log-prefix "iptables clutter dropped: " --log-level 7
+-A clutter -j DROP
+
+COMMIT
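Review bot: The Traceroute rule `-A OUTPUT -p udp -m udp --sport 32768:65535 --dport 6881:33534` opens outbound UDP to roughly 26,000 destination ports; classic UDP traceroute probes 33434 upward, so this looks like a typo for `--dport 33434:33534` and should be narrowed. The `--dport 465` rule and the TCP `--dport 1716` KDE Connect rule use `--sport 49152:65535` while every other outbound rule and the header's own "Goldielocks zone" use `32768:65535`; with the Linux default ephemeral range starting at 32768, connections to those ports from the lower half of the range fall through to the final REJECT. The KDE Connect INPUT accepts carry no `-s`/`-i` restriction, so UDP 1714/1716 and TCP 1716 are reachable from any source rather than only the LAN; a `-s <LAN subnet>` match on those rules would close that. The built-in chains keep policy ACCEPT and rely on a trailing `-j DROP`; declaring `:INPUT DROP [0:0]` and `:FORWARD DROP [0:0]` keeps the host closed if the chain is flushed or a rule is removed while debugging.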

+ 7 - 0
logrotate.d/iptables

@@ -0,0 +1,7 @@
+/var/log/iptables/* {
+    missingok
+    daily
+    rotate 1
+    notifempty
+}
+
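Review bot: The glob `/var/log/iptables/*` also matches the files logrotate itself creates (`all.log.1` and so on), so on the next run those are rotated again as separate logs; the entry should be scoped to `/var/log/iptables/*.log {`. There is no `postrotate` hook, so rsyslog keeps its descriptor on the renamed file and the fresh `*.log` files stay empty until it is restarted; add a `postrotate`/`endscript` block that signals rsyslog to reopen its outputs, as the distribution's own rsyslog logrotate entry does (on Debian, `invoke-rc.d rsyslog rotate > /dev/null`). `rotate 1` with `daily` keeps at most one day of drop/reject history, which is very little for after-the-fact review; a larger count plus `compress` costs almost nothing.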

+ 30 - 0
rsyslog.d/30-iptables.conf

@@ -0,0 +1,30 @@
+if  ($syslogfacility-text == 'kern') and \\
+($msg contains ' iptables ') \\
+then    -/var/log/iptables/all.log
+#    &   ~
+
+if  ($syslogfacility-text == 'kern') and \\
+($msg contains ' iptables dropped') \\
+then    -/var/log/iptables/drop.log
+#    &   ~
+
+if  ($syslogfacility-text == 'kern') and \\
+($msg contains ' iptables rejected') \\
+then    -/var/log/iptables/reject.log
+#    &   ~
+
+if  ($syslogfacility-text == 'kern') and \\
+($msg contains ' iptables ' and $msg contains ' DHCP') \\
+then    -/var/log/iptables/dhcp.log
+#    &   ~
+
+iptables allowed DHCP
+if  ($syslogfacility-text == 'kern') and \\
+($msg contains ' iptables dropped' or $msg contains ' iptables rejected') \\
+then    -/var/log/iptables/troubleshooot.log
+#    &   ~
+
+if  ($syslogfacility-text == 'kern') and \\
+($msg contains ' iptables clutter') \\
+then    -/var/log/iptables/clutter.log
+#    &   ~
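Review bot: The bare line `iptables allowed DHCP` before the fifth filter is neither a comment nor a directive, so rsyslog will report a configuration error when it loads this file; it should read `# iptables allowed DHCP`. The fourth filter matches `$msg contains ' DHCP'`, but none of the LOG rules in iptables.up.rules in this commit put "DHCP" in a `--log-prefix` (the word only appears in `--comment` strings, which are never logged), so dhcp.log will stay empty. `troubleshooot.log` appears to be a typo for `troubleshoot.log`. Every target carries the `-` (asynchronous, unflushed) prefix; for drop.log, reject.log and clutter.log, which are the files read after an incident, dropping the `-` ensures the last entries survive a crash.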