Free filtering software for linux

Packet filtering setup script by Anthony C. Zboralski. Adapted by Didi Damian for iptables version 1.0.0

Sample:

PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin

# Set up variables
EXT_IF="eth0"
INT_IF="eth1"
EXT_IP=24.x.x.x/32
INT_IP=192.168.0.1/32
EXT_NET=24.x.x.0/24
INT_NET=192.168.0.0/24
MASQ_NETS="192.168.0.0/24"
LOCAL_ADDRS="127.0.0.0/8 192.168.0.1/32 24.x.x.x/32"
MAIL_RELAY=24.x.x.x/32
SMB_ACCESS="192.168.0.2/32"
SMB_BCAST="192.168.0.255/32"

# Turn on IP forwarding
echo Turning on IP forwarding.
echo 1 > /proc/sys/net/ipv4/ip_forward

# Load the ip_tables module
echo Loading ip_tables module.
/sbin/modprobe ip_tables || exit 1
# I let the kernel dynamically load the other modules

echo Flush standard tables.
iptables --flush INPUT
iptables --flush OUTPUT
iptables --flush FORWARD
echo Deny everything until firewall setup is completed.
iptables --policy INPUT DROP
iptables --policy OUTPUT DROP
iptables --policy FORWARD DROP

CHAINS=`iptables -n -L |perl -n -e /Chains+(S+)/ && !($1 =~ /^(INPUT|FORWARD|OUTPUT)$/) && print "$1 "`
echo Remove remaining chains:
echo $CHAINS
for chain in $CHAINS; do
iptables --flush $chain
done
# 2nd step cause of dependencies
for chain in $CHAINS; do
iptables --delete-chain $chain
done

for net in $MASQ_NETS; do
# I delete all the rules so you can rerun the scripts without bloating
# your nat entries.
iptables -D POSTROUTING -t nat -s $MASQ_NETS -j MASQUERADE 2>/dev/null
iptables -A POSTROUTING -t nat -s $MASQ_NETS -j MASQUERADE || exit 1
done
iptables --policy FORWARD ACCEPT

# Create a target for logging and dropping packets
iptables --new LDROP 2>/dev/null
iptables -A LDROP --proto tcp -j LOG --log-level info
--log-prefix "TCP Drop "
iptables -A LDROP --proto udp -j LOG --log-level info
--log-prefix "UDP Drop "
iptables -A LDROP --proto icmp -j LOG --log-level info
--log-prefix "ICMP Drop "
iptables -A LDROP --proto gre -j LOG --log-level info
--log-prefix "GRE Drop "

iptables -A LDROP -f -j LOG --log-level emerg
--log-prefix "FRAG Drop "
iptables -A LDROP -j DROP

# Create a table for watching some accepting rules
iptables --new WATCH 2>/dev/null
iptables -A WATCH -m limit -j LOG --log-level warn --log-prefix "ACCEPT "
iptables -A WATCH -j ACCEPT


echo Special target for local addresses:
iptables --new LOCAL 2>/dev/null
echo $LOCAL_ADDRS
for ip in $LOCAL_ADDRS; do
iptables -A INPUT --dst $ip -j LOCAL
# iptables -A INPUT --src $ip -i ! lo -j LDROP # lame spoof protect
done
echo Authorize mail from mail relay.
iptables -A LOCAL --proto tcp --syn --src $MAIL_RELAY --dst $EXT_IP --dport 25 -j ACCEPT


echo Authorizing samba access to:
echo $SMB_ACCESS
iptables --new SMB 2>/dev/null
for ip in $SMB_ACCESS; do
iptables -A SMB -s $ip -j ACCEPT
done
iptables -A LOCAL --proto udp -i ! $EXT_IF --dport 135:139 -j SMB
iptables -A LOCAL --proto tcp -i ! $EXT_IF --dport 135:139 -j SMB
iptables -A LOCAL --proto tcp -i ! $EXT_IF --dport 445 -j SMB
iptables -A INPUT -i ! $EXT_IF --dst $SMB_BCAST -j ACCEPT #lame samba broadcast

echo Drop and log every other incoming tcp connection attempts.
iptables -A LOCAL -i ! lo --proto tcp --syn --j LDROP

echo Authorize dns access for local nets.
for net in $MASQ_NETS 127.0.0.0/8; do
iptables -A INPUT --proto udp --src $net --dport 53 -j ACCEPT
done


echo Enforcing up ICMP policies, use iptables -L ICMP to check.
# If you deny all ICMP messages you head for trouble since it would
# break lots of tcp/ip algorythm (acz)
iptables --new ICMP 2>/dev/null
iptables -A INPUT --proto icmp -j ICMP
iptables -A ICMP -p icmp --icmp-type echo-reply -j ACCEPT
iptables -A ICMP -p icmp --icmp-type destination-unreachable -j WATCH
iptables -A ICMP -p icmp --icmp-type network-unreachable -j WATCH
iptables -A ICMP -p icmp --icmp-type host-unreachable -j WATCH
iptables -A ICMP -p icmp --icmp-type protocol-unreachable -j WATCH
iptables -A ICMP -p icmp --icmp-type port-unreachable -j ACCEPT
iptables -A ICMP -p icmp --icmp-type fragmentation-needed -j LDROP
iptables -A ICMP -p icmp --icmp-type source-route-failed -j WATCH
iptables -A ICMP -p icmp --icmp-type network-unknown -j WATCH
iptables -A ICMP -p icmp --icmp-type host-unknown -j WATCH
iptables -A ICMP -p icmp --icmp-type network-prohibited -j WATCH
iptables -A ICMP -p icmp --icmp-type host-prohibited -j WATCH
iptables -A ICMP -p icmp --icmp-type TOS-network-unreachable -j WATCH
iptables -A ICMP -p icmp --icmp-type TOS-host-unreachable -j WATCH
iptables -A ICMP -p icmp --icmp-type communication-prohibited -j WATCH
iptables -A ICMP -p icmp --icmp-type host-precedence-violation -j LDROP
iptables -A ICMP -p icmp --icmp-type precedence-cutoff -j LDROP
iptables -A ICMP -p icmp --icmp-type source-quench -j LDROP
iptables -A ICMP -p icmp --icmp-type redirect -j LDROP
iptables -A ICMP -p icmp --icmp-type network-redirect -j LDROP
iptables -A ICMP -p icmp --icmp-type host-redirect -j LDROP
iptables -A ICMP -p icmp --icmp-type TOS-network-redirect -j LDROP
iptables -A ICMP -p icmp --icmp-type TOS-host-redirect -j LDROP
iptables -A ICMP -p icmp --icmp-type echo-request -j WATCH
iptables -A ICMP -p icmp --icmp-type router-advertisement -j LDROP
iptables -A ICMP -p icmp --icmp-type router-solicitation -j LDROP
iptables -A ICMP -p icmp --icmp-type time-exceeded -j WATCH
iptables -A ICMP -p icmp --icmp-type ttl-zero-during-transit -j WATCH
iptables -A ICMP -p icmp --icmp-type ttl-zero-during-reassembly -j WATCH
iptables -A ICMP -p icmp --icmp-type parameter-problem -j WATCH
iptables -A ICMP -p icmp --icmp-type ip-header-bad -j WATCH
iptables -A ICMP -p icmp --icmp-type required-option-missing -j WATCH
iptables -A ICMP -p icmp --icmp-type timestamp-request -j LDROP
iptables -A ICMP -p icmp --icmp-type timestamp-reply -j LDROP
iptables -A ICMP -p icmp --icmp-type address-mask-request -j LDROP
iptables -A ICMP -p icmp --icmp-type address-mask-reply -j LDROP
iptables -A ICMP -p icmp -j LDROP

echo Authorize tcp traffic.
iptables -A INPUT --proto tcp -j ACCEPT

echo Authorize packet output.
iptables --policy OUTPUT ACCEPT

#echo reject ident if you drop em you gotta wait for timeout
#iptables -I LOCAL --proto tcp --syn --dst $EXT_IP --dport 113 -j REJECT

echo Drop and log all udp below 1024.
iptables -A INPUT -i ! lo --proto udp --dport :1023 -j LDROP

echo Drop rpc dynamic udp port:
RPC_UDP=`rpcinfo -p localhost|perl -n -e /.*udps+(d+)s+/ && print $1,"n"|sort -u`
echo $RPC_UDP
for port in $RPC_UDP; do
iptables -A LOCAL -i ! lo --proto udp --dport $port -j LDROP
done

echo Authorize udp above 1024.
iptables -A INPUT --proto udp --dport 1024: -j ACCEPT

ip-filter-cgi is a set of perl script to modify rules of IP Filter (IP Filter is a TCP/IP packet filter cf: http://coombs.anu.edu.au/~avalon/ip-filter.html). If you make any improvement, correction send it back to. The scripts is not complete and is provided for testing purpose.
adulau@metatix.com .
Main features:
- Perl 5.0 (+CGI.pm)
- a HTTP server (Apache)

FIR filter Plugin is an effect plugin for XMMS which enables to filter audio data using long FIR (finite impulse response) filters. Typical applications is loudspeaker or room equalization which typically requires filters with more than 300 taps (filter weights).

The FIR filter plugin uses the fftw3 library to perform the filtering using the overlap-and-add method. If fftw3 is not available the plugin will perform the filtering (convolution) in the time-domain which is much less efficient for long filters.

squid-filter project was designed to build filtering capabilities comparable to those of Muffin into Squid. It consists of
a patch to Squid, containing a module loader and filtering hooks, and a set of filter modules.
Currently available filters:
- Redirection of URIs.
- Rejection of certain (configurable) MIME content types.
- Suppression of cookies.
- Removal of Javascript and ActiveX.
- Breaking of GIF animation loops.
- Detection of 1x1 images.
Main features:
- Modular, easily extensible by writing new filters.
- Flexible configuration. Filters are independent from each other.
- Each filter can take a list of URIs which should not be filtered (allow list). URIs are specified as full regular expressions.
- Client can choose to bypass filters case-by-case.
- Filtering keeps Content-Length where possible.
Purpose
A filtering proxy allows users to remove unwanted stuff from Web pages as they browse them. What "unwanted stuff" is obviously depends on the individual user, but things which are commonly regarded as annoyances include
banner ads, user behaviour tracking via cookies,
animated pictures, JavaScript, VBScript, ActiveX (dangerous as well as annoying).
Some of those things can be avoided by filtering URIs, which Squid can already do via an external redirect program. Others require a content filter.
Usually, a filtering proxy runs standalone and does nothing but filtering. Users have to configure this proxy in their browsers, and if they use a caching proxy too, chain them after the filter. In situations where the user runs Squid anyway (mostly because of caching for different browsers or a small LAN), it is convenient to build this capability into Squid.

Filter::cpp is a cpp source filter.

SYNOPSIS

use Filter::cpp ;

This source filter pipes the current source file through the C pre-processor (cpp) if it is available.

As with all source filters its scope is limited to the current source file only. Every file you want to be processed by the filter must have a

use Filter::cpp ;

near the top.

Here is an example script which uses the filter:

use Filter::cpp ;

#define FRED 1
$a = 2 + FRED ;
print "a = $an" ;
#ifdef FRED
print "Hello FREDn" ;
#else
print "Where is FREDn" ;
#endif

And here is what it will output:

a = 3
Hello FRED

This example below, provided by Michael G Schwern, shows a clever way to get Perl to use a C pre-processor macro when the Filter::cpp module is available, or to use a Perl sub when it is not.

# use Filter::cpp if we can.
BEGIN { eval use Filter::cpp }

sub PRINT {
my($string) = shift;

#define PRINT($string)
(print $string."n")
}

PRINT("Mu");

Look at Michaels Tie::VecArray module for a practical use.

Hook::Filter is a runtime filtering layer on top of subroutine calls.

SYNOPSIS

Imagine you have a big program using a logging library that exports 3 functions called mydebug, myinfo and mywarn. Those functions generate far too much log, so you want to skip calling them except in some specific circumstances.

In your main program, write:

use Hook::Filter hook => ["mydebug","myinfo","mywarn"];

In all modules making use of the logging library, write:

use Hook::Filter;

Then create a file called ./hook_filter.rules. This file contains boolean expressions that specify when calls to the filtered subroutines should be allowed:

# allow calls to mydebug only inside package My::Filthy:Attempt
is_sub(mydebug) && from_pkg(My::Filthy::Attempt)

# allow all calls to myinfo except from inside packages under the namespace My::Test::
is_sub(myinfo) && !from_pkg(/^My::Test/)

# allow calls to mywarn from function do_stuff in package main
# whose third argument is a message that does not match the string invalid login name
is_sub(mywarn) && from_sub(do_stuff) && from_pkg(main) && !has_arg(3,/invalid login name/)

# all other calls to myinfo, mydebug or mywarn will be skipped

SYNOPSIS, Log::Dispatch

Your program uses Log::Dispatch. You want to enable Hook::Filter on top of the methods log and log_to from Log::Dispatch everywhere at once. And you want to use the filter rules located in /etc/myconf/filter_rules.conf. Easy: in main, write:

use Hook::Filter rules => /etc/myconf/filter_rules.conf, hook => [Log::Dispatch::log,Log::Dispatch::log_to];

IOLib-Filters is a filter package for IOLib. IOLib-Filters is mainly an example of how to write filters for IOLib.

IOLib is a portable universal data IO library. Implementations exist in C, C++ and Objective C and for many different platforms (including Linux, Win32, MacOS X and .NET).

IOLib provides a unified interface for accessing different types of data streams. It currently supports file IO, BSD sockets, memory buffers and SOCKS4/5 connections and can be extended with drivers easily.

It has support for different binary formats (Intel, Motorola, PDP) and it supports filters. You can write your own filters (e.g. for encryption or compression) and use them with IOLib.