From: Michael Tremer
To: development@lists.ipfire.org
Subject: Re: [PATCH 03/11] firewall: Log and drop spoofed loopback packets
Date: Fri, 07 Jan 2022 17:01:06 +0000
Message-ID: <944746CA-5121-4DB9-905F-66E251DA6288@ipfire.org>
In-Reply-To: <2ab43082-5d2d-d4bf-eba1-c78dede9b8b7@ipfire.org>

Hello,

> On 18 Dec 2021, at 13:48, Peter Müller wrote:
> 
> Traffic from and to 127.0.0.0/8 must only appear on the loopback
> interface, never on any other interface. This ensures offending packets
> are logged, and the loopback interface cannot be abused for processing
> traffic from and to any other networks.
> 
> Signed-off-by: Peter Müller
> ---
> src/initscripts/system/firewall | 24 ++++++++++++++++++------
> 1 file changed, 18 insertions(+), 6 deletions(-)
> 
> diff --git a/src/initscripts/system/firewall b/src/initscripts/system/firewall
> index cc5baa292..1c62c6e2c 100644
> --- a/src/initscripts/system/firewall
> +++ b/src/initscripts/system/firewall
> @@ -80,6 +80,14 @@ iptables_init() {
> fi
> iptables -A NEWNOTSYN -j DROP -m comment --comment "DROP_NEWNOTSYN"
> 
> + # Log and subsequently drop spoofed packets or "martians", arriving from sources
> + # on interfaces where we don't expect them
> + iptables -N SPOOFED_MARTIAN
> + if [ "$DROPSPOOFEDMARTIAN" == "on" ]; then

DROP? Shouldn't the variable be called LOGSPOOFEDMARTIAN?

You will always drop any packets sent to this chain, but you won't always log them. Is this what you intended?

> + iptables -A SPOOFED_MARTIAN -m limit --limit 10/second -j LOG --log-prefix "DROP_SPOOFED_MARTIAN "
> + fi
> + iptables -A SPOOFED_MARTIAN -j DROP -m comment --comment "DROP_SPOOFED_MARTIAN"
> +
> # Chain to contain all the rules relating to bad TCP flags
> iptables -N BADTCP
> 
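Review bot: the LOG rule `iptables -A SPOOFED_MARTIAN -m limit --limit 10/second -j LOG --log-prefix "DROP_SPOOFED_MARTIAN "` leaves `--limit-burst` at its default of 5, so under a sustained stream of spoofed packets everything beyond roughly 10 per second is dropped without a log line; spell the burst out explicitly and say in the comment above the chain that logging is rate-limited, so that nobody later reads the log count as the number of packets the chain actually dropped. The unconditional DROP after the `fi` is correct as written.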
> @@ -177,14 +185,18 @@ iptables_init() {
> iptables -A INPUT -j ICMPINPUT
> iptables -A ICMPINPUT -p icmp --icmp-type 8 -j ACCEPT
> 
> - # Accept everything on loopback
> + # Accept everything on loopback if source/destination is loopback space...
> iptables -N LOOPBACK
> - iptables -A LOOPBACK -i lo -j ACCEPT
> - iptables -A LOOPBACK -o lo -j ACCEPT
> + iptables -A LOOPBACK -i lo -s 127.0.0.0/8 -j ACCEPT
> + iptables -A LOOPBACK -o lo -d 127.0.0.0/8 -j ACCEPT
> +
> + # ... and drop everything else on the loopback interface, since no other traffic should appear there
> + iptables -A LOOPBACK -i lo -j SPOOFED_MARTIAN
> + iptables -A LOOPBACK -o lo -j SPOOFED_MARTIAN
> 
> - # Filter all packets with loopback addresses on non-loopback interfaces.
> - iptables -A LOOPBACK -s 127.0.0.0/8 -j DROP
> - iptables -A LOOPBACK -d 127.0.0.0/8 -j DROP
> + # Filter all packets with loopback addresses on non-loopback interfaces (spoofed)
> + iptables -A LOOPBACK -s 127.0.0.0/8 -j SPOOFED_MARTIAN
> + iptables -A LOOPBACK -d 127.0.0.0/8 -j SPOOFED_MARTIAN
> 
> for i in INPUT FORWARD OUTPUT; do
> iptables -A ${i} -j LOOPBACK
> -- 
> 2.26.2
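Review bot: the new catch-all pair `iptables -A LOOPBACK -i lo -j SPOOFED_MARTIAN` / `iptables -A LOOPBACK -o lo -j SPOOFED_MARTIAN` will drop legitimate local traffic, not only martians: on Linux a packet that a local process sends to one of the host's own non-loopback addresses (the green interface address, for instance) is delivered over `lo` with that address as source and destination, so it misses `-i lo -s 127.0.0.0/8 -j ACCEPT`, falls through to SPOOFED_MARTIAN and is logged as spoofed and dropped; the `-o lo` rule does the same to the outgoing half. Either narrow the loopback catch-all to addresses that are not local to the box (`-m addrtype ! --src-type LOCAL` on the `-i lo` rule and the `--dst-type` counterpart on `-o lo`), or keep only the final two rules, which already cover 127.0.0.0/8 showing up on non-loopback interfaces and match what the commit message describes. Please test a local connection to the firewall's own interface IP with this applied before it is merged.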