- ai firehol firehol-tools ulogd2
- sc-status firehol
- sc-start firehol
- sc-restart firehol
vim /etc/default/firehol
START_FIREHOL=YES
vim /etc/firehol/firehol-defaults.conf +461
- t /var/log/ulog/syslogemu.log
# IPTABLES PACKETS LOGGING
# LOG mode for iptables
# Default: LOG
# Possible Values: LOG, ULOG, NFLOG
# LOG = syslog
# We recommend installing ulogd and using NFLOG.
# NFLOG hands logged packets to a userspace listener (ulogd2, installed above)
# instead of the kernel syslog; the syslogemu.log tailed earlier is presumably
# where ulogd2 writes them — confirm against /etc/ulogd.conf.
FIREHOL_LOG_MODE="NFLOG"
vim /etc/firehol/firehol.conf
# FireHOL configuration-language version; must be the first statement of the file.
version 6
# Public-facing (WAN) interface name. The discovery one-liner is kept for reference:
#   ip -o -4 route show to default | awk '{print $5}'
wan="enp35s0" # ip -o -4 route show to default | awk '{print $5}'
# default
# IPv4: one interface block matching every interface ("world" is only the label).
interface4 any world
# NOTE(review): "return" presumably hands unmatched traffic back to the caller
# chain instead of dropping it here — confirm this is intended and that a later
# block (router/blacklist) actually terminates it.
policy return
protection # alternatives worth considering: strong, bad-packets
# Services this host offers to the world; dhcp is for the lxc containers.
server "ssh dns echo icmp dhcp" accept # dhcp for lxc
# Web ports use the custom AUDIT_ACCEPT action (an action4 defined in the dnsbl
# block further down). NOTE(review): FireHOL reads the file top to bottom —
# confirm the action definition ends up before this use in the final file.
server "http https httpalt" AUDIT_ACCEPT
server "smtp smtps submission imaps " accept
server "rtp stun" accept
# Outbound: this host may initiate any connection.
client all accept
# ipv6
interface6 any world6
protection bad-packets
# Only neighbour discovery / ICMPv6 is served; all outbound IPv6 is allowed.
server "icmpv6 ipv6neigh" accept
client "icmpv6 ipv6neigh" accept
client all accept
# LXC - Modul #2
this block goes at the end of the file
(it must be the last block)
# Router between the LXC bridge (lxcbr0) and the WAN interface.
router4 lxc inface lxcbr0 outface "${wan}"
# Presumably source-NATs container traffic leaving through the WAN interface.
masquerade
# NOTE(review): "route all accept" below appears to allow all traffic through this
# router in both directions, which would make the server/client lines redundant —
# confirm whether a narrower set of routed services was intended for the containers.
server "http" accept
client all accept
route all accept
# whitelist
first block (the whitelist set must exist before the rules below reference it)
# Trusted source networks (hash:net) loaded from whitelist.netset; every blacklist
# rule in this file carries an "except src ipset:whitelist" clause pointing here.
ipset4 create whitelist hash:net
ipset4 addfile whitelist whitelist.netset
# blacklist
second block (after the whitelist)
# Static blacklist networks (hash:net) loaded from blacklist.netset.
ipset4 create blacklist hash:net
ipset4 addfile blacklist blacklist.netset
# Drop traffic with these networks on the WAN — "full" covers both directions
# (vs. "input" for inbound only, per FireHOL's blacklist4) — unless the source
# is in the whitelist set.
blacklist4 full inface "${wan}" ipset:blacklist \
except src ipset:whitelist
- sort -t. -k1,1n -k2,2n -k3,3n -k4,4n /etc/firehol/blacklist.netset -o /etc/firehol/blacklist.netset
# rtp jitsi - Modul #3
dnat4 to 10.0.3.IP inface "${wan}" proto udp dport 10000
# dnsbl - Modul #4
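# Runtime-populated set of individual IPs (hash:ip); entries expire after 14 days
# (timeout is in seconds). $(( )) replaces the obsolete $[ ] arithmetic form.
# prevent_reset_on_restart / comment are passed through to ipset4 create; by their
# names they keep entries across restarts and enable per-entry comments — confirm.
ipset4 create dnsbl hash:ip timeout $((86400 * 14)) maxelem 500000 prevent_reset_on_restart comment
# Custom action: NEW connections are logged with prefix "AUDIT" and accepted;
# everything else is accepted without logging.
action4 AUDIT_ACCEPT \
action ACCEPT state NEW log "AUDIT" \
next action ACCEPT
# Drop traffic with addresses in dnsbl on the WAN (both directions), unless the
# source is in the whitelist set.
blacklist4 full inface "${wan}" ipset:dnsbl \
except src ipset:whitelist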
- https://iplists.firehol.org/
- ipset
- insert the following blocks before the interface definitions
# subnets netsets
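# One hash:net set per FireHOL aggregate list (see the iplists.firehol.org note),
# each loaded from ipsets/<name>.netset — the path is presumably relative to the
# FireHOL config directory; confirm. Expansions are quoted per shell convention.
for x in firehol_level1 firehol_level2 firehol_level3 firehol_level4
do
  ipset4 create "${x}" hash:net
  ipset4 addfile "${x}" "ipsets/${x}.netset"
  # Block both directions for listed networks on the WAN, except whitelisted sources.
  blacklist4 full inface "${wan}" "ipset:${x}" \
    except src ipset:whitelist
done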
# individual IPs ipsets
- update-ipsets enable blocklist_de_bruteforce blocklist_de_apache blocklist_de_ssh blocklist_de_mail blocklist_de_sip dm_tor dyndns_ponmocup
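# One hash:ip set per single-address list (the lists enabled with update-ipsets
# above), each loaded from ipsets/<name>.ipset — path presumably relative to the
# FireHOL config directory; confirm. Expansions are quoted per shell convention.
for x in blocklist_de_bruteforce blocklist_de_apache blocklist_de_ssh blocklist_de_mail blocklist_de_sip dm_tor dyndns_ponmocup
do
  ipset4 create "${x}" hash:ip
  ipset4 addfile "${x}" "ipsets/${x}.ipset"
  # Block both directions for listed addresses on the WAN, except whitelisted sources.
  blacklist4 full inface "${wan}" "ipset:${x}" \
    except src ipset:whitelist
done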
# ipip_country netsets
- update-ipsets enable ipip_country
- update-ipsets enable ipip_continent_as ipip_continent_af ipip_country_ru ipip_country_ua ipip_country_br
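# One hash:net set per geo list (continents/countries enabled with update-ipsets
# above), loaded from ipsets/ipip_country/<name>.netset — path presumably relative
# to the FireHOL config directory; confirm. Expansions are quoted per shell convention.
for x in ipip_continent_as ipip_continent_af ipip_country_ru ipip_country_ua ipip_country_br
do
  ipset4 create "${x}" hash:net
  ipset4 addfile "${x}" "ipsets/ipip_country/${x}.netset"
  # Block both directions for listed networks on the WAN, except whitelisted sources.
  blacklist4 full inface "${wan}" "ipset:${x}" \
    except src ipset:whitelist
done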
# SYNPROXY
# Port(s) handled by SYNPROXY; "http" is the FireHOL service name.
# NOTE(review): http is also served (AUDIT_ACCEPT) in the interface block above,
# and the action below ends in an unconditional DROP — confirm legitimate HTTP
# clients still reach the service; the FireHOL trap pattern is usually applied to
# ports that are not served.
TRAP_PORTS=http
# Seconds a source stays in the "sockets"/"suspects" sets.
SUSPECTS_TIMEOUT=3600
# Seconds a trapped source stays in the "trap" set.
TRAP_TIMEOUT=86400
# Suspects seen more than this many times are trapped.
VALID_CONNECTION_COUNT=2
# NOTE(review): PUBLIC_IPS is not assigned anywhere on this page; it must be set
# earlier in firehol.conf, otherwise dst expands to an empty string.
synproxy4 in \
inface "${wan}" dst "${PUBLIC_IPS}" \
dport "${TRAP_PORTS}" action SYN_TRAP_AND_DROP
# Three-stage escalation, read top to bottom (each stage is logged):
#  1. every NEW connection from a non-whitelisted source records its
#     (src ip, dst port, dst ip) tuple in "sockets";
#  2. a NEW connection whose tuple is already in "sockets" adds the source to "suspects";
#  3. a suspect with more than VALID_CONNECTION_COUNT hits is added to "trap"
#     for TRAP_TIMEOUT seconds;
# and finally the packet is dropped regardless of stage.
# NOTE(review): the exact match semantics of "packets 1" / "packets-above" are
# FireHOL iptrap options — confirm against the FireHOL docs before relying on them.
action4 SYN_TRAP_AND_DROP \
iptrap sockets src,dst,dst ${SUSPECTS_TIMEOUT} \
method hash:ip,port,ip counters \
state NEW log "SYN TRAP AND DROP NEW SOCKET" \
src not ipset:whitelist \
next iptrap suspects src ${SUSPECTS_TIMEOUT} counters \
state NEW log "SYN TRAP AND DROP NEW SUSPECT" \
ipset sockets src,dst,dst no-counters packets 1 \
next iptrap trap src ${TRAP_TIMEOUT} \
state NEW log "SYN TRAP AND DROP TRAPPED" \
ipset suspects src no-counters packets-above ${VALID_CONNECTION_COUNT} \
next action DROP
- firehol restart