From patchwork Sun Feb 27 13:49:03 2022 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Stefan Schantl X-Patchwork-Id: 5283 Return-Path: Received: from mail01.ipfire.org (mail01.haj.ipfire.org [172.28.1.202]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (P-384) server-digest SHA384 client-signature ECDSA (P-384) client-digest SHA384) (Client CN "mail01.haj.ipfire.org", Issuer "R3" (verified OK)) by web04.haj.ipfire.org (Postfix) with ESMTPS id 4K64cs4zkGz3xfp for ; Sun, 27 Feb 2022 13:49:33 +0000 (UTC) Received: from mail02.haj.ipfire.org (mail02.haj.ipfire.org [172.28.1.201]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (P-384) server-digest SHA384 client-signature ECDSA (P-384) client-digest SHA384) (Client CN "mail02.haj.ipfire.org", Issuer "R3" (verified OK)) by mail01.ipfire.org (Postfix) with ESMTPS id 4K64cq58gNz5SJ; Sun, 27 Feb 2022 13:49:31 +0000 (UTC) Received: from mail02.haj.ipfire.org (localhost [127.0.0.1]) by mail02.haj.ipfire.org (Postfix) with ESMTP id 4K64cq39xvz2y4B; Sun, 27 Feb 2022 13:49:31 +0000 (UTC) Received: from mail01.ipfire.org (mail01.haj.ipfire.org [172.28.1.202]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (P-384) client-signature ECDSA (P-384)) (Client CN "mail01.haj.ipfire.org", Issuer "R3" (verified OK)) by mail02.haj.ipfire.org (Postfix) with ESMTPS id 4K64cp19tgz2xMX for ; Sun, 27 Feb 2022 13:49:30 +0000 (UTC) Received: from [127.0.0.1] (localhost [127.0.0.1]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (P-384) server-digest SHA384) (No client certificate requested) by mail01.ipfire.org (Postfix) with ESMTPSA id 4K64cn2KtHz5S9; Sun, 27 Feb 2022 13:49:29 +0000 (UTC) DKIM-Signature: v=1; a=ed25519-sha256; c=relaxed/relaxed; d=ipfire.org; s=202003ed25519; t=1645969769; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=iEy5qCk8gpY+hQl0Us5A8cIp8ot7ka37+Gx45VNTiqI=; b=jLZEVlqo3JDQHKAb09gveLAnvev8Hjbsg4oJ47E9AuGtDjNdj+dAcCk2vdA9YAl5seTuGH 9qrA/f9BaRkVE2Aw== DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ipfire.org; s=202003rsa; t=1645969769; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=iEy5qCk8gpY+hQl0Us5A8cIp8ot7ka37+Gx45VNTiqI=; b=BqIxYH3CKP2PJzxGBsRjs/xMhw7tjYc90/UBFCcp1XQne4e0/QAKJq1pKTJGoYrB2/MBgB raA7xkOmENoJ75hfDsg3m3QkwgbIblHIEZdIsAtjbTKicraMQGV66pgWX/biAJBdPYb0ck nKkNKKfgmiNWHLJjIGBUSEolssjErT8zSzv7ZoJUsWV9LJyZLAJCbeYJem3V41a9vTSN3/ +OsPnR5FQWoZ0iJuw3VUwVtfKL20HVGxmN9/HsxGV1LLgZJgOFIUT5nLRPrHNIPvZGrX3b bANeXjrffaMcF1D/TVhPr5eMyMG++4NxsjwkBmC13NqQ6z8/FkmwYL3edCI66Q== From: Stefan Schantl To: development@lists.ipfire.org Subject: [PATCH 2/2] firewall: Move dropping hostile networks to rules.pl. Date: Sun, 27 Feb 2022 14:49:03 +0100 Message-Id: <20220227134903.1828-2-stefan.schantl@ipfire.org> In-Reply-To: <20220227134903.1828-1-stefan.schantl@ipfire.org> References: <20220227134903.1828-1-stefan.schantl@ipfire.org> MIME-Version: 1.0 X-BeenThere: development@lists.ipfire.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: IPFire development talk List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: development-bounces@lists.ipfire.org Sender: "Development" Signed-off-by: Stefan Schantl Reviewed-by: Michael Tremer --- config/firewall/rules.pl | 33 +++++++++++++++++++++++++++++++++ src/initscripts/system/firewall | 23 ++++++++--------------- 2 files changed, 41 insertions(+), 15 deletions(-) diff --git a/config/firewall/rules.pl b/config/firewall/rules.pl index 7a7c8ed31..b12764d18 100644 --- a/config/firewall/rules.pl +++ b/config/firewall/rules.pl @@ -59,6 +59,9 @@ my @PRIVATE_NETWORKS = ( # MARK masks my $NAT_MASK = 0x0f000000; +# Country code, which is used to mark hostile networks. +my $HOSTILE_CCODE = "XD"; + my %fwdfwsettings=(); my %fwoptions = (); my %defaultNetworks=(); @@ -97,6 +100,9 @@ if (-e "$locationfile") { # Get all available locations. my @locations = &Location::Functions::get_locations(); +# Name or the RED interface. +my $RED_DEV = &General::get_red_interface(); + my @log_limit_options = &make_log_limit_options(); my $POLICY_INPUT_ALLOWED = 0; @@ -135,6 +141,9 @@ sub main { # Load Location block rules. &locationblock(); + # Load rules to block hostile networks. + &drop_hostile_networks(); + # Reload firewall policy. run("/usr/sbin/firewall-policy"); @@ -676,6 +685,30 @@ sub locationblock { } } +sub drop_hostile_networks () { + # Flush the HOSTILE firewall chain. + run("$IPTABLES -F HOSTILE"); + + # If dropping hostile networks is not enabled, we are finished here. + if ($fwoptions{'DROPHOSTILE'} ne "on") { + # Exit function. + return; + } + + # Call function to load the network list of hostile networks. + &ipset_restore($HOSTILE_CCODE); + + # Setup rules to pass traffic which does not belong to a hostile network. + run("$IPTABLES -A HOSTILE -i $RED_DEV -m set ! --match-set $HOSTILE_CCODE src -j RETURN"); + run("$IPTABLES -A HOSTILE -o $RED_DEV -m set ! --match-set $HOSTILE_CCODE dst -j RETURN"); + + # Setup logging. + run("$IPTABLES -A HOSTILE -m limit --limit 10/second -j LOG --log-prefix \"DROP_HOSTILE \""); + + # Drop traffic from/to hostile network. + run("$IPTABLES -A HOSTILE -j DROP -m comment --comment \"DROP_HOSTILE\""); +} + sub get_protocols { my $hash = shift; my $key = shift; diff --git a/src/initscripts/system/firewall b/src/initscripts/system/firewall index 22e3fae59..2c4d3163b 100644 --- a/src/initscripts/system/firewall +++ b/src/initscripts/system/firewall @@ -169,21 +169,6 @@ iptables_init() { iptables -t nat -N CUSTOMPOSTROUTING iptables -t nat -A POSTROUTING -j CUSTOMPOSTROUTING - # Log and drop any traffic from and to networks known as being hostile, posing - # a technical threat to our users (i. e. listed at Spamhaus DROP et al.) - iptables -N HOSTILE - if [ "$DROPHOSTILE" == "on" ]; then - # Call ipset and load the list which contains the hostile networks. - ipset restore < $IPSET_DB_DIR/CC_XD.ipset4 - - iptables -A HOSTILE -m limit --limit 10/second -j LOG --log-prefix "DROP_HOSTILE " - iptables -A INPUT -i $IFACE -m set --match-set CC_XD src -j HOSTILE - iptables -A FORWARD -i $IFACE -m set --match-set CC_XD src -j HOSTILE - iptables -A FORWARD -o $IFACE -m set --match-set CC_XD dst -j HOSTILE - iptables -A OUTPUT -o $IFACE -m set --match-set CC_XD src -j HOSTILE - fi - iptables -A HOSTILE -j DROP -m comment --comment "DROP_HOSTILE" - # IPS (Guardian) chains iptables -N GUARDIAN iptables -A INPUT -j GUARDIAN @@ -274,6 +259,14 @@ iptables_init() { iptables -A OUTPUT -o "${BLUE_DEV}" -j DHCPBLUEOUTPUT fi + # Chains for networks known as being hostile, posing a technical threat to our users + # (i. e. listed at Spamhaus DROP et al.) + iptables -N HOSTILE + iptables -A INPUT -i $IFACE -j HOSTILE + iptables -A FORWARD -i $IFACE -j HOSTILE + iptables -A FORWARD -o $IFACE -j HOSTILE + iptables -A OUTPUT -o $IFACE -j HOSTILE + # Tor (inbound) iptables -N TOR_INPUT iptables -A INPUT -j TOR_INPUT