From mboxrd@z Thu Jan 1 00:00:00 1970
From: Peter =?utf-8?q?M=C3=BCller?=
To: development@lists.ipfire.org
Subject: [PATCH 03/11] firewall: Log and drop spoofed loopback packets
Date: Sat, 18 Dec 2021 14:48:17 +0100
Message-ID: <2ab43082-5d2d-d4bf-eba1-c78dede9b8b7@ipfire.org>
In-Reply-To: <34588df1-b2b7-9dfc-1fa4-54a2476d1d7f@ipfire.org>
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="===============1751077103073324421=="
List-Id:
--===============1751077103073324421==
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: quoted-printable
Traffic from and to 127.0.0.0/8 must only appear on the loopback interface, never on any other interface. This ensures offending packets are logged, and the loopback interface cannot be abused for processing traffic from and to any other networks.
Signed-off-by: Peter M=C3=BCller
---
src/initscripts/system/firewall | 24 ++++++++++++++++++------
1 file changed, 18 insertions(+), 6 deletions(-)
diff --git a/src/initscripts/system/firewall b/src/initscripts/system/firewall
index cc5baa292..1c62c6e2c 100644
--- a/src/initscripts/system/firewall
+++ b/src/initscripts/system/firewall
@@ -80,6 +80,14 @@ iptables_init() {
 fi
 iptables -A NEWNOTSYN -j DROP -m comment --comment "DROP_NEWNOTSYN"
=20
+ # Log and subsequently drop spoofed packets or "martians", arriving from so= urces
+ # on interfaces where we don't expect them
+ iptables -N SPOOFED_MARTIAN
+ if [ "$DROPSPOOFEDMARTIAN" =3D=3D "on" ]; then
+ iptables -A SPOOFED_MARTIAN -m limit --limit 10/second -j LOG --log-pref= ix "DROP_SPOOFED_MARTIAN "
+ fi
+ iptables -A SPOOFED_MARTIAN -j DROP -m comment --comment "DROP_SPOOFED_MART= IAN"
+
 # Chain to contain all the rules relating to bad TCP flags
 iptables -N BADTCP
=20
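Review bot: The LOG rule in the new SPOOFED_MARTIAN chain is only installed when `$DROPSPOOFEDMARTIAN` equals `on`, and nothing in the hunk shows where that variable is sourced or what it defaults to; if the key is missing from the settings of an existing installation, spoofed loopback packets would be dropped silently even though the commit message promises they are logged. Consider an explicit default, e.g. `if [ "${DROPSPOOFEDMARTIAN:-on}" == "on" ]; then`, or at least a comment recording that the toggle is read from the firewall settings and is expected to be present. The LOG rule also carries no `--limit-burst`, so the limit module's default burst of 5 applies; spelling it out would make the intended rate cap visible to the next reader. `iptables_init` starts and ends outside the hunk.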
@@ -177,14 +185,18 @@ iptables_init() {
 iptables -A INPUT -j ICMPINPUT
 iptables -A ICMPINPUT -p icmp --icmp-type 8 -j ACCEPT
=20
- # Accept everything on loopback
+ # Accept everything on loopback if source/destination is loopback space...
 iptables -N LOOPBACK
- iptables -A LOOPBACK -i lo -j ACCEPT
- iptables -A LOOPBACK -o lo -j ACCEPT
+ iptables -A LOOPBACK -i lo -s 127.0.0.0/8 -j ACCEPT
+ iptables -A LOOPBACK -o lo -d 127.0.0.0/8 -j ACCEPT
+
+ # ... and drop everything else on the loopback interface, since no other tr= affic should appear there
+ iptables -A LOOPBACK -i lo -j SPOOFED_MARTIAN
+ iptables -A LOOPBACK -o lo -j SPOOFED_MARTIAN
=20
- # Filter all packets with loopback addresses on non-loopback interfaces.
- iptables -A LOOPBACK -s 127.0.0.0/8 -j DROP
- iptables -A LOOPBACK -d 127.0.0.0/8 -j DROP
+ # Filter all packets with loopback addresses on non-loopback interfaces (sp= oofed)
+ iptables -A LOOPBACK -s 127.0.0.0/8 -j SPOOFED_MARTIAN
+ iptables -A LOOPBACK -d 127.0.0.0/8 -j SPOOFED_MARTIAN
=20
 for i in INPUT FORWARD OUTPUT; do
 iptables -A ${i} -j LOOPBACK
--=20
2.26.2
--===============1751077103073324421==--
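Review bot: The new `-i lo -s 127.0.0.0/8 -j ACCEPT` followed by `-i lo -j SPOOFED_MARTIAN` (and the matching `-o lo` pair) will log and drop the host's own traffic to its non-loopback addresses: on Linux, a local process talking to any address configured on the box (for instance the LAN interface's IP) is delivered over `lo` with that address as source and destination, so such packets no longer match the ACCEPT and fall into the martian chain in both INPUT and OUTPUT. Whether IPFire services are reached that way I cannot tell from the hunk, but it is a common pattern and the breakage would be silent apart from the rate-limited log line. Note also that `lo` never carries frames from the wire, so the `-i lo`/`-o lo` martian rules only ever hit locally generated packets, which limits what they actually protect against. A safer shape keeps the accept unconditional for locally-addressed traffic, e.g. `iptables -A LOOPBACK -i lo -m addrtype --src-type LOCAL --dst-type LOCAL -j ACCEPT` and `iptables -A LOOPBACK -o lo -m addrtype --src-type LOCAL --dst-type LOCAL -j ACCEPT` ahead of the martian fall-through, while the 127.0.0.0/8-on-other-interfaces rules stay as they are. `iptables_init` starts and ends outside the hunk.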