Настройка HAVP

# Включаем форвардинг
echo 1 > /proc/sys/net/ipv4/ip_forward

# Удаляем все цепочки и правила
iptables -F
iptables -X

# Ставим действия по умолчанию
iptables -P FORWARD ACCEPT
iptables -P OUTPUT DROP
iptables -P INPUT DROP

# Настраиваем маскарадинг (nat)
iptables -t nat -A POSTROUTING -o ppp0 -j MASQUERADE

# Разрешаем все входящие соединения на шлюз только от узлов нашей внутренней сети
iptables -A INPUT -i eth0 --source 192.168.1.0/24 --match state --state NEW,ESTABLISHED -j ACCEPT
# Разрешаем шлюзу отвечать нашей сети
iptables -A OUTPUT -o eth0 --destination 192.168.1.0/24 --match state --state NEW,ESTABLISHED -j ACCEPT

iptables -A FORWARD -i eth0 --destination 192.168.1.0/24 --match state --state ESTABLISHED -j ACCEPT

#
# This is the configuration file for HAVP
#
# All lines starting with a hash (#) or empty lines are ignored.
# Uncomment parameters you want to change!
#
# All parameters configurable in this file are explained and their default
# values are shown. If no default value is defined "NONE" is specified.
#
# General syntax: Parameter Value
# Value can be: true/false, number, or path
#
# Extra spaces and tabs are ignored.
#

# You must remove this line for HAVP to start.
# This makes sure you have (hopefully) reviewed the configuration.
# Hint: You must enable some scanner! Find them in the end..
# REMOVETHISLINE deleteme

#
# For reasons of security it is recommended to run a proxy program
# without root rights. It is recommended to create user that is not
# used by any other program.
#
# Default:
# USER havp
# GROUP havp

# Если рекомендации приведённые выше соблюдены, тогда HAVP запустится
# в качестве демона, в фоновом режиме.
# Для тестирования мы можете запустить HAVP в вашей консоли.
#
# По умолчанию:
DAEMON true

#
# Process id (PID) of the main HAVP process is written to this file.
# Be sure that it is writeable by the user under which HAVP is running.
# /etc/init.d/havp script requires this to work.
#
# Default:
# PIDFILE /var/run/havp/havp.pid

#
# Количество процессов, запускаемых демоном HAVP.
# Для повышения производительности должно быть запущено нексколько
# экземпляров HAVP.
# Укажите сколько сервисов (дочерних процессов) одновременно
# прослушивают порт для подключения. Минимальное значение должно
# быть: пик запросов в секунду ожидать и +5 быть в запасе.
# Для лучшей производительности, у вас должно приходиться 16 процессов
# на одно ядро CPU.
#
# Для домашнего использования значение должно быть минимум 8.
# Для корпоративного использования, 500 и более пользователей, значение должно быть 40 и выше.
#
# Значение может и должно быть выше рекомендуемых. ОЗУ и CPU
# зависит только от колличества одновременных запросов.
#
# Больше дочерних процессов создаётся автоматически, в плоть до MAXSERVERS.
#
# По умолчанию:
SERVERNUMBER 8
MAXSERVERS 100

#
# Файлы где регистрируются запросы и информация/ошибки,
# должны иметь разречение на запись пользователем HAVP.
#
# По умолчанию:
ACCESSLOG /var/log/havp/access.log
ERRORLOG /var/log/havp/havp.log
# VIRUSLOG (ссмотреть в ACCESSLOG)

#
# Формат для меток в логах.
# Смотрите: man strftime
#
# По умолчанию:
TIMEFORMAT %d/%m/%Y %H:%M:%S

#
# Syslog can be used instead of logging to file.
# For facilities and levels, see "man syslog".
#
# Default:
# USESYSLOG false
# SYSLOGNAME havp
# SYSLOGFACILITY daemon
# SYSLOGLEVEL info
# SYSLOGVIRUSLEVEL warning

#
# true: Полная статистика
# false: Статистика по обнаруженным вирусам
#
# По умолчанию:
LOG_OKS false

#
# Уровень логирования HAVP
# 0 = Информация только о серьёзных ошибках
# 1 = Включено больше информации
#
# По умолчанию:
LOGLEVEL 0

#
# Temporary scan file.
# This file must reside on a partition for which mandatory
# locking is enabled. For Linux, use "-o mand" in mount command.
# See "man mount" for details. Solaris does not need any special
# steps, it works directly.
#
# Specify absolute path to a file which name must contain "XXXXXX".
# These characters are used by system to create unique named files.
#
# Default:
# SCANTEMPFILE /var/spool/havp/havp-XXXXXX

#
# Directory for ClamAV and other scanner created tempfiles.
# Needs to be writable by HAVP user. Use ramdisk for best performance.
#
# Default:
# TEMPDIR /var/tmp

#
# Обновление вирусных баз сканеров при получении сигнала
# (отправка SIGHUP к PID от PIDFILE, смотрете "man kill") или
# после указанного периуда времени. Укажите здесь через сколько
# минут обновлять.
#
# Это влияет только на библиотеку сканеров (clamlib, trophie).
# Други сканеры нужно обновлять в ручную.
#
# По умолчанию:
DBRELOAD 60

#
# Run HAVP as transparent Proxy?
#
# If you don't know what this means read the mini-howto
# TransparentProxy written by Daniel Kiracofe.
# (e.g.: http://www.tldp.org/HOWTO/mini... Proxy.html)
# Definitely you have more to do than setting this to true.
# You are warned!
#
# Default:
# TRANSPARENT false

#
# Specify a parent proxy (e.g. Squid) HAVP should use.
# If needed, user and password authentication can be used,
# but only Basic-authentication scheme is supported.
#
# Default: NONE
# PARENTPROXY localhost
# PARENTPORT 3128
# PARENTUSER username
# PARENTPASSWORD password

#
# В логах фиксируется адрес локального прокси (если он есть) или
# IP адреса (пользователей) из подсети.
#
# По умолчанию:
FORWARDED_IP true

#
# Send X-Forwarded-For: header to servers?
#
# If client sent this header, FORWARDED_IP setting defines the value,
# then it is passed on. You might want to keep this disabled for security
# reasons. Enable this if you use your own parent proxy after HAVP, so it
# will see the original client IP.
#
# Disabling this also disables Via: header generation.
#
# Default:
# X_FORWARDED_FOR false

#
# Порт который слушает HAVP.
#
# По умолчанию:
PORT 8080

#
# IP адрес (интерфейс) который слушает HAVP.
# Пусть он будет не определён, для прослушки всех адресов.
#
# Default: NONE
# BIND_ADDRESS 127.0.0.1

#
# IP address used for sending outbound packets.
# Let it be undefined if you want OS to handle right address.
#
# Default: NONE
# SOURCE_ADDRESS 1.2.3.4

#
# Путь к шаблонам.
#
# По умолчанию:
TEMPLATEPATH /etc/havp/templates/ru

#
# Set to true if you want to prefer Whitelist.
# If URL is Whitelisted, then Blacklist is ignored.
# Otherwise Blacklist is preferred.
#
# Default:
# WHITELISTFIRST true

#
# List of URLs not to scan.
#
# Default:
# WHITELIST /etc/havp/whitelist

#
# List of URLs that are denied access.
#
# Default:
# BLACKLIST /etc/havp/blacklist

#
#
# Не исправимая ошибка сканера?
#
# Задаётся действие для файлов, которые сканер не смог проверить
# Например, типы архивов которые неподдерживаются сканером могут возвращать ошибку.
#
# true: Пользователь получает страницу с ошибкой
# false: Не происходить уведомление об ошибке (вирус может быть не обнаружен)
#
# По умолчанию:
FAILSCANERROR false

#
# When scanning takes longer than this, it will be aborted.
# Timer is started after HAVP has fully received all data.
# If set too low, complex files/archives might produce timeout.
# Timeout is always a fatal error regardless of FAILSCANERROR.
#
# Time in minutes!
#
# Default:
# SCANNERTIMEOUT 10

#
# Разрешить диопазон (Range) HTTP Range запросов?
#
# false: Прерванные закачки не могу быть возобновленны
# true: Могут быть возобновленны прерванные закачки
#
# Разрешать Range представляет угрозу безопастности, потому что
# не полные HTTP запросы не могут правильно сканироваться.
#
# Сайтам из Whitelisted разрешается использовать Range в любоом случае.
#
# По умолчанию:
RANGE true

#
# Allow HTTP Range request to get the ZIP header first?
#
# This allows (partial) scanning of ZIP files that are bigger than
# MAXSCANSIZE. Scanning is done up to that many bytes into the file.
#
# Default:
# PRELOADZIPHEADER true

#
# If you really need more performance, you can disable scanning of
# JPG, GIF and PNG files. These are probably the most common files
# around, so it will save lots of CPU. But be warned, image exploits
# exist and more could be found. Think twice if you want to disable!
#
# In addition of checking Content-Type: image/*, this setting uses
# file magic to make sure the file is really image.
#
# Also see SCANMIME/SKIPMIME settings to control scanning based
# on just the Content-Type header.
#
# Default:
# SCANIMAGES true

#
# What MIME types NOT to scan. For performance reasons, you could
# exclude all media types.
#
# Based on Content-Type: header as given by the HTTP server.
# Note that it is easy to forge and should not be trusted.
#
# Basic wildcard match supported.
#
# Default: NONE
# SKIPMIME image/* video/* audio/*

#
# If set, then ONLY these MIME types will be scanned.
#
# Based on Content-Type: header as given by the HTTP server.
# Note that it is easy to forge and should not be trusted.
#
# Basic wildcard match supported.
#
# Default: NONE
# SCANMIME application/*

#
# Temporary file will grow only up to this size. This means scanner
# will scan data until this limit is reached.
#
# There are two sides to this setting. By limiting the size, you gain
# performance, less waiting for big files and less needed temporary space.
# But there is slightly higher chance of virus slipping through (though
# scanning large archives should not be gateways function, HAVP is more
# geared towards small exploit detection etc).
#
# VALUE IN BYTES NOT KB OR MB!!!!
# 0 = No size limit
#
# Default:
# MAXSCANSIZE 5000000

#
# Amount of data going to browser that is held back, until it
# is scanned. When we know file is clean, this held back data
# can be sent to browser. You can safely set bigger value, only
# thing you will notice is some "delay" in beginning of download.
# Virus found in files bigger than this might not produce HAVP
# error page, but result in a "broken" download.
#
# VALUE IN BYTES NOT KB OR MB!!!!
#
# Default:
# KEEPBACKBUFFER 200000

#
# This setting complements KEEPBACKBUFFER. It tells how many Seconds to
# initially receive data from server, before sending anything to client.
# Even trickling is not done before this time elapses. This way files that
# are received fast are more secure and user can get virus report page for
# files bigger than KEEPBACKBUFFER.
#
# Setting to 0 will disable this, and only KEEPBACKBUFFER is used.
#
# Default:
# KEEPBACKTIME 5

#
# After Trickling Time (seconds), some bytes are sent to browser
# to keep the connection alive. Trickling is not needed if timeouts
# are not expected for files smaller than KEEPBACKBUFFER, but it is
# recommended to set anyway.
#
# 0 = No Trickling
#
# Default:
# TRICKLING 30

#
# Send this many bytes to browser every TRICKLING seconds, see above
#
# Default:
# TRICKLINGBYTES 1

#
# Downloads larger than MAXDOWNLOADSIZE will be blocked.
# Only if not Whitelisted!
#
# VALUE IN BYTES NOT KB OR MB!!!!
# 0 = Unlimited Downloads
#
# Default:
# MAXDOWNLOADSIZE 0

#
# Space separated list of strings to partially match User-Agent: header.
# These are used for streaming content, so scanning is generally not needed
# and tempfiles grow unnecessary. Remember when enabled, that user could
# fake header and pass some scanning. HTTP Range requests are allowed for
# these, so players can seek content.
#
# You can uncomment here a list of most popular players.
#
# Default: NONE
# STREAMUSERAGENT Player Winamp iTunes QuickTime Audio RMA/ MAD/ Foobar2000 XMMS

#
# Bytes to scan from beginning of streams.
# When set to 0, STREAMUSERAGENT scanning will be completely disabled.
# It is not recommended as there are some exploits for players.
#
# Default:
# STREAMSCANSIZE 20000

#
# Disable mandatory locking (dynamic scanning) for certain file types.
# This is intended for fixing cases where a scanner forces use of mmap()
# call. Mandatory locking might not allow this, so you could get errors
# regarding memory allocation or I/O. You can test the "None" option
# anyway, as it might even work depending on your OS (some Linux seems
# to allow mand+mmap).
#
# Allowed values:
# None
# ClamAV:BinHex (mmap forced in versions older than 0.96)
# ClamAV:PDF (mmap forced in versions older than 0.96)
# ClamAV:ZIP (mmap forced in 0.93.x, should work in 0.94)
# AVG:ALL (AVG 8.5 does not work, uses mmap MAP_SHARED)
#
# Default:
# DISABLELOCKINGFOR AVG:ALL

#
# Whitelist specific viruses by case-insensitive substring match.
# For example, "Oversized." and "Encrypted." are good candidates,
# if you can't disable those checks any other way.
#
# Default: NONE
# IGNOREVIRUS Oversized. Encrypted. Phishing.


#####
##### ClamAV Library Scanner (libclamav)
#####

ENABLECLAMLIB true

# HAVP uses libclamav hardcoded pattern directory, which usually is
# /usr/share/clamav. You only need to set CLAMDBDIR, if you are
# using non-default DatabaseDirectory setting in clamd.conf.
#
# Default: NONE
# CLAMDBDIR /var/lib/clamav

# Should we block broken executables?
#
# Default:
# CLAMBLOCKBROKEN false

# Should we block encrypted archives?
#
# Default:
# CLAMBLOCKENCRYPTED false

# Should we block files that go over maximum archive limits?
#
# Default:
# CLAMBLOCKMAX false

# Scanning limits?
# You can find some additional info from documentation or clamd.conf
#
# Stop when this many total bytes scanned (MB)
# CLAMMAXSCANSIZE 20
#
# Stop when this many files have been scanned
# CLAMMAXFILES 50
#
# Don't scan files over this size (MB)
# CLAMMAXFILESIZE 100
#
# Maximum archive recursion
# CLAMMAXRECURSION 8


#####
##### ClamAV Socket Scanner (clamd)
#####
##### NOTE: ClamAV Library Scanner should be preferred (less overhead)
#####

ENABLECLAMD false

# Path to clamd socket
#
# Default:
# CLAMDSOCKET /tmp/clamd

# ..OR if you use clamd TCP socket, uncomment to enable use
#
# Clamd daemon needs to run on the same server as HAVP
#
# Default: NONE
# CLAMDSERVER 127.0.0.1
# CLAMDPORT 3310


#####
##### F-Prot Socket Scanner
#####

ENABLEFPROT false

# F-Prot daemon needs to run on same server as HAVP
#
# Default:
# FPROTSERVER 127.0.0.1
# FPROTPORT 10200

# F-Prot options (only for version 6+ !)
#
# See "fpscand-client.sh --help" for possible options.
#
# At the moment:
# --scanlevel=<n> Which scanlevel to use, 0-4 (2).
# --heurlevel=<n> How aggressive heuristics should be used, 0-4 (2).
# --archive=<n> Scan inside supported archives n levels deep 1-99 (5).
# --adware Instructs the daemon to flag adware.
# --applications Instructs the daemon to flag potentially unwanted applications.
#
# Default: NONE
# FPROTOPTIONS --scanlevel=2 --heurlevel=2


#####
##### AVG Socket Scanner
#####

ENABLEAVG false

# AVG daemon needs to run on the same server as HAVP
#
# Default:
# AVGSERVER 127.0.0.1
# AVGPORT 55555


#####
##### Kaspersky Socket Scanner
#####

ENABLEAVESERVER false

# Path to aveserver socket
#
# Default:
# AVESOCKET /var/run/aveserver


#####
##### Sophos Scanner (Sophie)
#####

ENABLESOPHIE false

# Path to sophie socket
#
# Default:
# SOPHIESOCKET /var/run/sophie


#####
##### Trend Micro Library Scanner (Trophie)
#####

ENABLETROPHIE false

# Scanning limits inside archives (filesize = MB):
#
# Default:
# TROPHIEMAXFILES 50
# TROPHIEMAXFILESIZE 10
# TROPHIEMAXRATIO 250


#####
##### NOD32 Socket Scanner
#####

ENABLENOD32 false

# Path to nod32d socket
#
# For 3.0+ version, try /tmp/esets.sock
#
# Default:
# NOD32SOCKET /tmp/nod32d.sock

# Used NOD32 Version
#
# 30 = 3.0+
# 25 = 2.5+
# 21 = 2.x (very old)
#
# Default:
# NOD32VERSION 25


#####
##### Avast! Socket Scanner
#####

ENABLEAVAST false

# Path to avastd socket
#
# Default:
# AVASTSOCKET /var/run/avast4/local.sock

# ..OR if you use avastd TCP socket, uncomment to enable use
#
# Avast daemon needs to run on the same server as HAVP
#
# Default: NONE
# AVASTSERVER 127.0.0.1
# AVASTPORT 5036


#####
##### Arcavir Socket Scanner
#####

ENABLEARCAVIR false

# Path to arcavird socket
#
# For version 2008, default socket is /var/run/arcad.ctl
#
# Default:
# ARCAVIRSOCKET /var/run/arcavird.socket

# Used Arcavir version
# 2007 = Version 2007 and earlier
# 2008 = Version 2008 and later
#
# Default:
# ARCAVIRVERSION 2007


#####
##### DrWeb Socket Scanner
#####

ENABLEDRWEB false

# Enable heuristic scanning?
#
# Default:
# DRWEBHEURISTIC true

# Enable malware detection?
# (Adware, Dialer, Joke, Riskware, Hacktool)
#
# Default:
# DRWEBMALWARE true

# Path to drwebd socket
#
# Default:
# DRWEBSOCKET /var/drweb/run/.daemon

# ..OR if you use drwebd TCP socket, uncomment to enable use
#
# DrWeb daemon needs to run on the same server as HAVP
#
# Default: NONE
# DRWEBSERVER 127.0.0.1
# DRWEBPORT 3000

# Включаем форвардинг
echo 1 > /proc/sys/net/ipv4/ip_forward

# Удаляем все цепочки и правила
iptables -F
iptables -X

# Ставим действия по умолчанию
iptables -P FORWARD ACCEPT

# Настраиваем маскарадинг (nat)
iptables -t nat -A POSTROUTING -o ppp0 -j MASQUERADE

iptables -A OUTPUT -p udp -m udp -o ppp0 --dport 53 --sport 1024:65535 -j ACCEPT
iptables -A OUTPUT -p tcp -m tcp -o ppp0 --dport 53 --sport 1024:65535 -j ACCEPT
iptables -A INPUT -p udp -m udp -i ppp0 --dport 1024:65535 --sport 53 -j ACCEPT
iptables -A INPUT -p tcp -m tcp -i ppp0 --dport 1024:65535 --sport 53 -j ACCEPT