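#!/bin/sh
#
# EXPERIMENTAL iptables rules for vsftp under targeted policy.
#
# Note that we only do the context match here in one place, for the
# new connection, and let conntrack do the rest of the work for
# ESTABLISHED and RELATED packets.
#
# Requires the experimental iptables build at $IPT that provides the
# skfilter table (SOCKET/OUTPUT chains) and the --ctx-owner and
# --log-context extensions; a stock iptables will reject these rules.
#
# Caveat (fail-open window): both tables are flushed before the new rules
# are appended, and the catch-all log+drop rules are appended last.  If any
# command fails while set -e is active, the script exits with the skfilter
# table partially populated and without the final drop, i.e. open.  Run it
# on a host reachable out-of-band and check the listing printed at the end.
#
set -e
set -x

MODPROBE=/sbin/modprobe
IPT=/usr/local/sbin/iptables

# Run iptables against the experimental skfilter table.
# Arguments: the rule specification, passed through unchanged.
# Returns:   iptables' exit status (fatal under set -e).
iptsk() {
  "$IPT" -t skfilter "$@"
}

# Connection tracking helper for the FTP data channel (RELATED matches below).
"$MODPROBE" ip_conntrack_ftp

# Reset the main filter table: flush rules first, then delete the now-empty
# user-defined chains.  Deleting chains before flushing fails under set -e
# whenever a user chain still holds rules, aborting before the flush.
"$IPT" -F
"$IPT" -X

# Reset the skfilter table the same way, then create the log+drop chain.
iptsk -F
iptsk -X
iptsk -N LD

# SSH bypass rules for debugging.
# These are not confined by SELinux context; remove them once debugging is
# done.
iptsk -A SOCKET -p tcp --dport 22 -j ACCEPT
iptsk -A OUTPUT -p tcp --sport 22 -j ACCEPT

# DNS bypass rules: outbound queries, plus replies already known to conntrack.
iptsk -A OUTPUT -p udp --dport 53 -j ACCEPT
iptsk -A SOCKET -p udp --sport 53 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptsk -A OUTPUT -p tcp --dport 53 -j ACCEPT
iptsk -A SOCKET -p tcp --sport 53 -m state --state ESTABLISHED,RELATED -j ACCEPT

#
# Ensure that only the ftpd_t domain can accept new connections and then
# allow only related traffic.
#
# It may be better to only have this and a drop rule in the skfilter table,
# and putting related traffic rules in the main filter table, to catch
# some possible related packets that don't make it to the socket layer.
#
iptsk -A SOCKET -p tcp --dport 21 -m owner \
  --ctx-owner system_u:system_r:ftpd_t -m state --state NEW -j ACCEPT

# Related TCP traffic (control channel continuation and data connections
# tracked via ip_conntrack_ftp).
iptsk -A SOCKET -p tcp -m state --state ESTABLISHED,RELATED -j ACCEPT
iptsk -A OUTPUT -p tcp -m state --state ESTABLISHED,RELATED -j ACCEPT

# Related ICMP
iptsk -A SOCKET -p icmp -m state --state RELATED -j ACCEPT
iptsk -A OUTPUT -p icmp -m state --state RELATED -j ACCEPT

# Drop everything else, logging the socket context of each dropped packet.
iptsk -A SOCKET -j LD
iptsk -A OUTPUT -j LD
iptsk -A LD -j LOG --log-context --log-prefix="dropping: "
iptsk -A LD -j DROP

# Print the resulting skfilter rules for verification.
iptsk -L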