[2/2] firewall: Move dropping hostile networks to rules.pl.
Commit Message
Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
---
config/firewall/rules.pl | 33 +++++++++++++++++++++++++++++++++
src/initscripts/system/firewall | 23 ++++++++---------------
2 files changed, 41 insertions(+), 15 deletions(-)
Comments
Reviewed-by: Michael Tremer <michael.tremer@ipfire.org>
> On 27 Feb 2022, at 13:49, Stefan Schantl <stefan.schantl@ipfire.org> wrote:
>
> Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
> ---
> config/firewall/rules.pl | 33 +++++++++++++++++++++++++++++++++
> src/initscripts/system/firewall | 23 ++++++++---------------
> 2 files changed, 41 insertions(+), 15 deletions(-)
>
> diff --git a/config/firewall/rules.pl b/config/firewall/rules.pl
> index 7a7c8ed31..b12764d18 100644
> --- a/config/firewall/rules.pl
> +++ b/config/firewall/rules.pl
> @@ -59,6 +59,9 @@ my @PRIVATE_NETWORKS = (
> # MARK masks
> my $NAT_MASK = 0x0f000000;
>
> +# Country code, which is used to mark hostile networks.
> +my $HOSTILE_CCODE = "XD";
> +
> my %fwdfwsettings=();
> my %fwoptions = ();
> my %defaultNetworks=();
> @@ -97,6 +100,9 @@ if (-e "$locationfile") {
> # Get all available locations.
> my @locations = &Location::Functions::get_locations();
>
> +# Name or the RED interface.
> +my $RED_DEV = &General::get_red_interface();
> +
> my @log_limit_options = &make_log_limit_options();
>
> my $POLICY_INPUT_ALLOWED = 0;
> @@ -135,6 +141,9 @@ sub main {
> # Load Location block rules.
> &locationblock();
>
> + # Load rules to block hostile networks.
> + &drop_hostile_networks();
> +
> # Reload firewall policy.
> run("/usr/sbin/firewall-policy");
>
> @@ -676,6 +685,30 @@ sub locationblock {
> }
> }
>
> +sub drop_hostile_networks () {
> + # Flush the HOSTILE firewall chain.
> + run("$IPTABLES -F HOSTILE");
> +
> + # If dropping hostile networks is not enabled, we are finished here.
> + if ($fwoptions{'DROPHOSTILE'} ne "on") {
> + # Exit function.
> + return;
> + }
> +
> + # Call function to load the network list of hostile networks.
> + &ipset_restore($HOSTILE_CCODE);
> +
> + # Setup rules to pass traffic which does not belong to a hostile network.
> + run("$IPTABLES -A HOSTILE -i $RED_DEV -m set ! --match-set $HOSTILE_CCODE src -j RETURN");
> + run("$IPTABLES -A HOSTILE -o $RED_DEV -m set ! --match-set $HOSTILE_CCODE dst -j RETURN");
> +
> + # Setup logging.
> + run("$IPTABLES -A HOSTILE -m limit --limit 10/second -j LOG --log-prefix \"DROP_HOSTILE \"");
> +
> + # Drop traffic from/to hostile network.
> + run("$IPTABLES -A HOSTILE -j DROP -m comment --comment \"DROP_HOSTILE\"");
> +}
> +
> sub get_protocols {
> my $hash = shift;
> my $key = shift;
> diff --git a/src/initscripts/system/firewall b/src/initscripts/system/firewall
> index 22e3fae59..2c4d3163b 100644
> --- a/src/initscripts/system/firewall
> +++ b/src/initscripts/system/firewall
> @@ -169,21 +169,6 @@ iptables_init() {
> iptables -t nat -N CUSTOMPOSTROUTING
> iptables -t nat -A POSTROUTING -j CUSTOMPOSTROUTING
>
> - # Log and drop any traffic from and to networks known as being hostile, posing
> - # a technical threat to our users (i. e. listed at Spamhaus DROP et al.)
> - iptables -N HOSTILE
> - if [ "$DROPHOSTILE" == "on" ]; then
> - # Call ipset and load the list which contains the hostile networks.
> - ipset restore < $IPSET_DB_DIR/CC_XD.ipset4
> -
> - iptables -A HOSTILE -m limit --limit 10/second -j LOG --log-prefix "DROP_HOSTILE "
> - iptables -A INPUT -i $IFACE -m set --match-set CC_XD src -j HOSTILE
> - iptables -A FORWARD -i $IFACE -m set --match-set CC_XD src -j HOSTILE
> - iptables -A FORWARD -o $IFACE -m set --match-set CC_XD dst -j HOSTILE
> - iptables -A OUTPUT -o $IFACE -m set --match-set CC_XD src -j HOSTILE
> - fi
> - iptables -A HOSTILE -j DROP -m comment --comment "DROP_HOSTILE"
> -
> # IPS (Guardian) chains
> iptables -N GUARDIAN
> iptables -A INPUT -j GUARDIAN
> @@ -274,6 +259,14 @@ iptables_init() {
> iptables -A OUTPUT -o "${BLUE_DEV}" -j DHCPBLUEOUTPUT
> fi
>
> + # Chains for networks known as being hostile, posing a technical threat to our users
> + # (i. e. listed at Spamhaus DROP et al.)
> + iptables -N HOSTILE
> + iptables -A INPUT -i $IFACE -j HOSTILE
> + iptables -A FORWARD -i $IFACE -j HOSTILE
> + iptables -A FORWARD -o $IFACE -j HOSTILE
> + iptables -A OUTPUT -o $IFACE -j HOSTILE
> +
> # Tor (inbound)
> iptables -N TOR_INPUT
> iptables -A INPUT -j TOR_INPUT
> --
> 2.30.2
>
@@ -59,6 +59,9 @@ my @PRIVATE_NETWORKS = (
# MARK masks
my $NAT_MASK = 0x0f000000;
+# Country code, which is used to mark hostile networks.
+my $HOSTILE_CCODE = "XD";
+
my %fwdfwsettings=();
my %fwoptions = ();
my %defaultNetworks=();
@@ -97,6 +100,9 @@ if (-e "$locationfile") {
# Get all available locations.
my @locations = &Location::Functions::get_locations();
+# Name or the RED interface.
+my $RED_DEV = &General::get_red_interface();
+
my @log_limit_options = &make_log_limit_options();
my $POLICY_INPUT_ALLOWED = 0;
@@ -135,6 +141,9 @@ sub main {
# Load Location block rules.
&locationblock();
+ # Load rules to block hostile networks.
+ &drop_hostile_networks();
+
# Reload firewall policy.
run("/usr/sbin/firewall-policy");
@@ -676,6 +685,30 @@ sub locationblock {
}
}
+sub drop_hostile_networks () {
+ # Flush the HOSTILE firewall chain.
+ run("$IPTABLES -F HOSTILE");
+
+ # If dropping hostile networks is not enabled, we are finished here.
+ if ($fwoptions{'DROPHOSTILE'} ne "on") {
+ # Exit function.
+ return;
+ }
+
+ # Call function to load the network list of hostile networks.
+ &ipset_restore($HOSTILE_CCODE);
+
+ # Setup rules to pass traffic which does not belong to a hostile network.
+ run("$IPTABLES -A HOSTILE -i $RED_DEV -m set ! --match-set $HOSTILE_CCODE src -j RETURN");
+ run("$IPTABLES -A HOSTILE -o $RED_DEV -m set ! --match-set $HOSTILE_CCODE dst -j RETURN");
+
+ # Setup logging.
+ run("$IPTABLES -A HOSTILE -m limit --limit 10/second -j LOG --log-prefix \"DROP_HOSTILE \"");
+
+ # Drop traffic from/to hostile network.
+ run("$IPTABLES -A HOSTILE -j DROP -m comment --comment \"DROP_HOSTILE\"");
+}
+
sub get_protocols {
my $hash = shift;
my $key = shift;
@@ -169,21 +169,6 @@ iptables_init() {
iptables -t nat -N CUSTOMPOSTROUTING
iptables -t nat -A POSTROUTING -j CUSTOMPOSTROUTING
- # Log and drop any traffic from and to networks known as being hostile, posing
- # a technical threat to our users (i. e. listed at Spamhaus DROP et al.)
- iptables -N HOSTILE
- if [ "$DROPHOSTILE" == "on" ]; then
- # Call ipset and load the list which contains the hostile networks.
- ipset restore < $IPSET_DB_DIR/CC_XD.ipset4
-
- iptables -A HOSTILE -m limit --limit 10/second -j LOG --log-prefix "DROP_HOSTILE "
- iptables -A INPUT -i $IFACE -m set --match-set CC_XD src -j HOSTILE
- iptables -A FORWARD -i $IFACE -m set --match-set CC_XD src -j HOSTILE
- iptables -A FORWARD -o $IFACE -m set --match-set CC_XD dst -j HOSTILE
- iptables -A OUTPUT -o $IFACE -m set --match-set CC_XD src -j HOSTILE
- fi
- iptables -A HOSTILE -j DROP -m comment --comment "DROP_HOSTILE"
-
# IPS (Guardian) chains
iptables -N GUARDIAN
iptables -A INPUT -j GUARDIAN
@@ -274,6 +259,14 @@ iptables_init() {
iptables -A OUTPUT -o "${BLUE_DEV}" -j DHCPBLUEOUTPUT
fi
+ # Chains for networks known as being hostile, posing a technical threat to our users
+ # (i. e. listed at Spamhaus DROP et al.)
+ iptables -N HOSTILE
+ iptables -A INPUT -i $IFACE -j HOSTILE
+ iptables -A FORWARD -i $IFACE -j HOSTILE
+ iptables -A FORWARD -o $IFACE -j HOSTILE
+ iptables -A OUTPUT -o $IFACE -j HOSTILE
+
# Tor (inbound)
iptables -N TOR_INPUT
iptables -A INPUT -j TOR_INPUT