From mboxrd@z Thu Jan  1 00:00:00 1970
From: Peter =?utf-8?q?M=C3=BCller?= <peter.mueller@ipfire.org>
To: development@lists.ipfire.org
Subject: [PATCH 05/11] firewall: Introduce DROP_HOSTILE
Date: Sat, 18 Dec 2021 14:48:46 +0100
Message-ID: <c2562a9e-0b55-67f8-b48f-62df97fa7196@ipfire.org>
In-Reply-To: <34588df1-b2b7-9dfc-1fa4-54a2476d1d7f@ipfire.org>
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="===============2903320141788962358=="
List-Id: <development.lists.ipfire.org>

--===============2903320141788962358==
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: quoted-printable

Similar to the Location block, this chain logs and drops all traffic
from and to networks known to pose technical threats to IPFire users.

Doing so in a dedicated chain makes sense for transparency reasons, as
we won't interfer with other firewall rules or the Location block, so it
is always clear why a packet from or to such a network has been dropped.

Signed-off-by: Peter M=C3=BCller <peter.mueller(a)ipfire.org>
---
 src/initscripts/system/firewall | 14 ++++++++++++++
 1 file changed, 14 insertions(+)

diff --git a/src/initscripts/system/firewall b/src/initscripts/system/firewall
index 9e62c0245..ebc8168ae 100644
--- a/src/initscripts/system/firewall
+++ b/src/initscripts/system/firewall
@@ -139,6 +139,20 @@ iptables_init() {
 	iptables -t nat -N CUSTOMPOSTROUTING
 	iptables -t nat -A POSTROUTING -j CUSTOMPOSTROUTING
=20
+	# Log and drop any traffic from and to networks known as being hostile, pos=
ing
+	# a technical threat to our users (i. e. listed at Spamhaus DROP et al.)
+	if [ "$DROPHOSTILE" =3D=3D "on" ]; then
+		iptables -N DROP_HOSTILE
+		iptables -A DROP_HOSTILE  -m limit --limit 10/second -j LOG  --log-prefix =
"DROP_HOSTILE "
+
+		iptables -A INPUT   -i $IFACE -m geoip --src-cc XD -j DROP_HOSTILE
+		iptables -A FORWARD -i $IFACE -m geoip --src-cc XD -j DROP_HOSTILE
+		iptables -A FORWARD -o $IFACE -m geoip --dst-cc XD -j DROP_HOSTILE
+		iptables -A OUTPUT  -o $IFACE -m geoip --src-cc XD -j DROP_HOSTILE
+
+		iptables -A DROP_HOSTILE -j DROP -m comment --comment "DROP_HOSTILE"
+	fi
+
 	# P2PBLOCK
 	iptables -N P2PBLOCK
 	iptables -A INPUT -j P2PBLOCK
--=20
2.26.2

--===============2903320141788962358==--