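##################################################
# Benji Greenfield
# yo at digitalbenji.com
# date: April 25, 2010
# info: Set up iptables to drop and log all incoming connections except for
#       those initiated (related).  Allow and log incoming connections for
#       SSH that are started by a portknock to port 2999.
#
# Format: iptables-save/iptables-restore ruleset, not a shell script.
# A user chain must be declared (-N) before the first rule that jumps to it.
##################################################
######## entries for rsyslog.conf ################
# :msg,contains,"ICMPLOG" /var/log/iptables/icmp.log
# :msg,contains,"SSH" /var/log/iptables/ssh.log
# :msg,contains,"LOGDROP" /var/log/iptables/drop.log
#
# NOTE(review): "contains" is a plain substring test, so the "SSH" selector
# also catches any other syslog line containing that string; match the full
# prefixes used below ("SSH KNOCK:", "SSH ALLOW:", "SSH DROP:") if ssh.log
# should hold only this ruleset's output.
##################################################
######## instruction to invoke script ############
# sudo iptables-restore --test < /path/to/this/file   # syntax check only
# sudo iptables-restore < /path/to/this/file
#
# iptables-restore reads the ruleset from stdin (or a file argument) and
# replaces the whole filter table; without --noflush, rules already loaded in
# that table are discarded.
##################################################
##################################################
*filter
# Default policies: nothing comes in or is forwarded unless a rule below
# accepts it; all outbound traffic is allowed.
:INPUT DROP
:FORWARD DROP
:OUTPUT ACCEPT
# Replies to connections this host started, and anything on loopback.
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
##################################################
##################################################
# Port Knocking - SSH to port 2999 before port 22 is open to you
#
# KNOCKSTART: runs once per packet seen on tcp/2999.  It clears the source's
# KNOCK entry, records the source in the PORTKNOCK list and logs the knock,
# then returns to INPUT (no terminating target), so the knock packet itself
# still falls through to the DROP policy and is never answered.
-N KNOCKSTART
-A KNOCKSTART -m recent --name KNOCK --remove
-A KNOCKSTART -m recent --name PORTKNOCK --set
-A KNOCKSTART -m limit --limit 5/minute -j LOG --log-prefix "SSH KNOCK:" --log-tcp-options --log-ip-options --log-level debug
# KNOCKWIN: accept SSH from a source that has knocked; log only packets that
# are not already part of a tracked connection.
-N KNOCKWIN
-A KNOCKWIN -m state ! --state RELATED,ESTABLISHED -m limit --limit 5/minute -j LOG --log-prefix "SSH ALLOW:" --log-tcp-options --log-ip-options --log-level debug
-A KNOCKWIN -j ACCEPT
-N KNOCKFAIL
# Port 22 is open to a source for 300 seconds after its last knock.  --rcheck
# does not refresh the entry; only another knock (KNOCKSTART --set) does.
-A INPUT -p tcp -m tcp --dport 22 -m recent --rcheck --name PORTKNOCK --seconds 300 -j KNOCKWIN
# KNOCKFAIL: SSH without a valid knock.  (The former first rule of this chain
# matched RELATED,ESTABLISHED packets, but those never reach it: INPUT's first
# rule accepts them, so the rule was unreachable and has been dropped.)
-A KNOCKFAIL -m limit --limit 5/hour -j LOG --log-prefix "SSH DROP:" --log-tcp-options --log-ip-options --log-level debug
-A KNOCKFAIL -j DROP
# Any tcp packet to 2999 counts as a knock (no --syn restriction).  The first
# rule has no target, so it only records the source in KNOCK and falls
# through; the second then always matches and enters KNOCKSTART.
-A INPUT -p tcp -m tcp --dport 2999 -m recent --set --name KNOCK
-A INPUT -p tcp -m tcp --dport 2999 -m recent --rcheck --name KNOCK -j KNOCKSTART
-A INPUT -p tcp -m tcp --dport 22 -j KNOCKFAIL
##################################################
##################################################
# Configure Logging Facilities for DROPs
#
# LOGDROP only logs; it has no terminating target, so every packet returns to
# INPUT and is dropped by the chain policy.  (A freshly created chain is
# empty, so the old "-F LOGDROP" right after "-N LOGDROP" was redundant.)
-N LOGDROP
-A INPUT -j LOGDROP
# LOG Incoming DROPs (new tcp connections other than the SSH/knock ports)
-A LOGDROP -p tcp -m multiport ! --dports 22,2999 -m state --state NEW -m limit --limit 5/hour -j LOG --log-prefix "LOGDROP: In: " --log-tcp-options --log-ip-options --log-level debug
# Log dropped udp as well, so "log all incoming connections" also holds for
# udp; same rate limit and prefix as the tcp rule.
-A LOGDROP -p udp -m state --state NEW -m limit --limit 5/hour -j LOG --log-prefix "LOGDROP: In: " --log-ip-options --log-level debug
# Log ICMP incoming to its own log (no ICMP is accepted above, so echo
# requests are dropped too)
-A LOGDROP -p icmp -m limit --limit 5/hour -j LOG --log-prefix "ICMPLOG:ICMP In: " --log-tcp-options --log-ip-options --log-level debug
# NOTE(review): iptables-restore applies a table only after it reads a COMMIT
# line; if nothing follows this rule in the full file, add "COMMIT" here.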