Re: [PATCH 03/11] firewall: Log and drop spoofed loopback packets

[Michael Tremer <michael.tremer@ipfire.org>]

[-- Attachment #1: Type: text/plain, Size: 3542 bytes --]

Hello,

> On 8 Jan 2022, at 11:43, Peter Müller <peter.mueller(a)ipfire.org> wrote:
> 
> Hello Michael,
> 
>> You will always drop any packets sent to this chain, but you won’t always log them.
>> 
>> Is this what you intended?
> 
> yes. "LOGSPOOFEDMARTIAN" would have been better indeed; currently, we also have things
> like "DROPNEWNOTSYN", which is actually just an option for toggling logging of such
> packets.
> 
> Should I update the misleading "DROP*" variables as well to keep things consistent?

Yes. I would say so. I like things when they are tidy.

-Michael

> 
> Thanks, and best regards,
> Peter Müller
> 
> 
>> Hello,
>> 
>>> On 18 Dec 2021, at 13:48, Peter Müller <peter.mueller(a)ipfire.org> wrote:
>>> 
>>> Traffic from and to 127.0.0.0/8 must only appear on the loopback
>>> interface, never on any other interface. This ensures offending packets
>>> are logged, and the loopback interface cannot be abused for processing
>>> traffic from and to any other networks.
>>> 
>>> Signed-off-by: Peter Müller <peter.mueller(a)ipfire.org>
>>> ---
>>> src/initscripts/system/firewall | 24 ++++++++++++++++++------
>>> 1 file changed, 18 insertions(+), 6 deletions(-)
>>> 
>>> diff --git a/src/initscripts/system/firewall b/src/initscripts/system/firewall
>>> index cc5baa292..1c62c6e2c 100644
>>> --- a/src/initscripts/system/firewall
>>> +++ b/src/initscripts/system/firewall
>>> @@ -80,6 +80,14 @@ iptables_init() {
>>> 	fi
>>> 	iptables -A NEWNOTSYN  -j DROP -m comment --comment "DROP_NEWNOTSYN"
>>> 
>>> +	# Log and subsequently drop spoofed packets or "martians", arriving from sources
>>> +	# on interfaces where we don't expect them
>>> +	iptables -N SPOOFED_MARTIAN
>>> +	if [ "$DROPSPOOFEDMARTIAN" == "on" ]; then
>> 
>> DROP? Shouldn’t the variable be called LOGSPOOFEDMARTIAN?
>> 
>> You will always drop any packets sent to this chain, but you won’t always log them.
>> 
>> Is this what you intended?
>> 
>>> +		iptables -A SPOOFED_MARTIAN  -m limit --limit 10/second -j LOG  --log-prefix "DROP_SPOOFED_MARTIAN "
>>> +	fi
>>> +	iptables -A SPOOFED_MARTIAN -j DROP -m comment --comment "DROP_SPOOFED_MARTIAN"
>>> +
>>> 	# Chain to contain all the rules relating to bad TCP flags
>>> 	iptables -N BADTCP
>>> 
>>> @@ -177,14 +185,18 @@ iptables_init() {
>>> 	iptables -A INPUT -j ICMPINPUT
>>> 	iptables -A ICMPINPUT -p icmp --icmp-type 8 -j ACCEPT
>>> 
>>> -	# Accept everything on loopback
>>> +	# Accept everything on loopback if source/destination is loopback space...
>>> 	iptables -N LOOPBACK
>>> -	iptables -A LOOPBACK -i lo -j ACCEPT
>>> -	iptables -A LOOPBACK -o lo -j ACCEPT
>>> +	iptables -A LOOPBACK -i lo -s 127.0.0.0/8 -j ACCEPT
>>> +	iptables -A LOOPBACK -o lo -d 127.0.0.0/8 -j ACCEPT
>>> +
>>> +	# ... and drop everything else on the loopback interface, since no other traffic should appear there
>>> +	iptables -A LOOPBACK -i lo -j SPOOFED_MARTIAN
>>> +	iptables -A LOOPBACK -o lo -j SPOOFED_MARTIAN
>>> 
>>> -	# Filter all packets with loopback addresses on non-loopback interfaces.
>>> -	iptables -A LOOPBACK -s 127.0.0.0/8 -j DROP
>>> -	iptables -A LOOPBACK -d 127.0.0.0/8 -j DROP
>>> +	# Filter all packets with loopback addresses on non-loopback interfaces (spoofed)
>>> +	iptables -A LOOPBACK -s 127.0.0.0/8 -j SPOOFED_MARTIAN
>>> +	iptables -A LOOPBACK -d 127.0.0.0/8 -j SPOOFED_MARTIAN
>>> 
>>> 	for i in INPUT FORWARD OUTPUT; do
>>> 		iptables -A ${i} -j LOOPBACK
>>> -- 
>>> 2.26.2
>>