Reviewed-by: Michael Tremer michael.tremer@ipfire.org
On 27 Feb 2022, at 13:49, Stefan Schantl stefan.schantl@ipfire.org wrote:
Signed-off-by: Stefan Schantl stefan.schantl@ipfire.org
config/firewall/rules.pl | 33 +++++++++++++++++++++++++++++++++ src/initscripts/system/firewall | 23 ++++++++--------------- 2 files changed, 41 insertions(+), 15 deletions(-)
diff --git a/config/firewall/rules.pl b/config/firewall/rules.pl index 7a7c8ed31..b12764d18 100644 --- a/config/firewall/rules.pl +++ b/config/firewall/rules.pl @@ -59,6 +59,9 @@ my @PRIVATE_NETWORKS = ( # MARK masks my $NAT_MASK = 0x0f000000;
+# Country code, which is used to mark hostile networks. +my $HOSTILE_CCODE = "XD";
my %fwdfwsettings=(); my %fwoptions = (); my %defaultNetworks=(); @@ -97,6 +100,9 @@ if (-e "$locationfile") { # Get all available locations. my @locations = &Location::Functions::get_locations();
+# Name or the RED interface. +my $RED_DEV = &General::get_red_interface();
my @log_limit_options = &make_log_limit_options();
my $POLICY_INPUT_ALLOWED = 0; @@ -135,6 +141,9 @@ sub main { # Load Location block rules. &locationblock();
- # Load rules to block hostile networks.
- &drop_hostile_networks();
- # Reload firewall policy. run("/usr/sbin/firewall-policy");
@@ -676,6 +685,30 @@ sub locationblock { } }
+sub drop_hostile_networks () {
- # Flush the HOSTILE firewall chain.
- run("$IPTABLES -F HOSTILE");
- # If dropping hostile networks is not enabled, we are finished here.
- if ($fwoptions{'DROPHOSTILE'} ne "on") {
# Exit function.return;- }
- # Call function to load the network list of hostile networks.
- &ipset_restore($HOSTILE_CCODE);
- # Setup rules to pass traffic which does not belong to a hostile network.
- run("$IPTABLES -A HOSTILE -i $RED_DEV -m set ! --match-set $HOSTILE_CCODE src -j RETURN");
- run("$IPTABLES -A HOSTILE -o $RED_DEV -m set ! --match-set $HOSTILE_CCODE dst -j RETURN");
- # Setup logging.
- run("$IPTABLES -A HOSTILE -m limit --limit 10/second -j LOG --log-prefix "DROP_HOSTILE "");
- # Drop traffic from/to hostile network.
run("$IPTABLES -A HOSTILE -j DROP -m comment --comment \"DROP_HOSTILE\"");+}
sub get_protocols { my $hash = shift; my $key = shift; diff --git a/src/initscripts/system/firewall b/src/initscripts/system/firewall index 22e3fae59..2c4d3163b 100644 --- a/src/initscripts/system/firewall +++ b/src/initscripts/system/firewall @@ -169,21 +169,6 @@ iptables_init() { iptables -t nat -N CUSTOMPOSTROUTING iptables -t nat -A POSTROUTING -j CUSTOMPOSTROUTING
- # Log and drop any traffic from and to networks known as being hostile, posing
- # a technical threat to our users (i. e. listed at Spamhaus DROP et al.)
- iptables -N HOSTILE
- if [ "$DROPHOSTILE" == "on" ]; then
# Call ipset and load the list which contains the hostile networks.ipset restore < $IPSET_DB_DIR/CC_XD.ipset4iptables -A HOSTILE -m limit --limit 10/second -j LOG --log-prefix "DROP_HOSTILE "iptables -A INPUT -i $IFACE -m set --match-set CC_XD src -j HOSTILEiptables -A FORWARD -i $IFACE -m set --match-set CC_XD src -j HOSTILEiptables -A FORWARD -o $IFACE -m set --match-set CC_XD dst -j HOSTILEiptables -A OUTPUT -o $IFACE -m set --match-set CC_XD src -j HOSTILE- fi
- iptables -A HOSTILE -j DROP -m comment --comment "DROP_HOSTILE"
- # IPS (Guardian) chains iptables -N GUARDIAN iptables -A INPUT -j GUARDIAN
@@ -274,6 +259,14 @@ iptables_init() { iptables -A OUTPUT -o "${BLUE_DEV}" -j DHCPBLUEOUTPUT fi
- # Chains for networks known as being hostile, posing a technical threat to our users
- # (i. e. listed at Spamhaus DROP et al.)
- iptables -N HOSTILE
- iptables -A INPUT -i $IFACE -j HOSTILE
- iptables -A FORWARD -i $IFACE -j HOSTILE
- iptables -A FORWARD -o $IFACE -j HOSTILE
- iptables -A OUTPUT -o $IFACE -j HOSTILE
- # Tor (inbound) iptables -N TOR_INPUT iptables -A INPUT -j TOR_INPUT
-- 2.30.2