From patchwork Sat Dec 18 13:48:17 2021 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-Patchwork-Submitter: =?utf-8?q?Peter_M=C3=BCller?= X-Patchwork-Id: 4926 Return-Path: Received: from mail01.ipfire.org (mail01.haj.ipfire.org [172.28.1.202]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (P-384) client-signature ECDSA (P-384)) (Client CN "mail01.haj.ipfire.org", Issuer "R3" (verified OK)) by web04.haj.ipfire.org (Postfix) with ESMTPS id 4JGRyG0YyZz3wtM for ; Sat, 18 Dec 2021 13:48:22 +0000 (UTC) Received: from mail02.haj.ipfire.org (mail02.haj.ipfire.org [172.28.1.201]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (P-384) client-signature ECDSA (P-384)) (Client CN "mail02.haj.ipfire.org", Issuer "R3" (verified OK)) by mail01.ipfire.org (Postfix) with ESMTPS id 4JGRyF4Q2Mz3ZZ; Sat, 18 Dec 2021 13:48:21 +0000 (UTC) Received: from mail02.haj.ipfire.org (localhost [127.0.0.1]) by mail02.haj.ipfire.org (Postfix) with ESMTP id 4JGRyF2KZYz2ysF; Sat, 18 Dec 2021 13:48:21 +0000 (UTC) Received: from mail01.ipfire.org (mail01.haj.ipfire.org [172.28.1.202]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (P-384) client-signature ECDSA (P-384)) (Client CN "mail01.haj.ipfire.org", Issuer "R3" (verified OK)) by mail02.haj.ipfire.org (Postfix) with ESMTPS id 4JGRyC451gz2xXd for ; Sat, 18 Dec 2021 13:48:19 +0000 (UTC) Received: from [127.0.0.1] (localhost [127.0.0.1]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (P-384)) (No client certificate requested) by mail01.ipfire.org (Postfix) with ESMTPSA id 4JGRyB3Rqvz192 for ; Sat, 18 Dec 2021 13:48:18 +0000 (UTC) DKIM-Signature: v=1; a=ed25519-sha256; c=relaxed/relaxed; d=ipfire.org; s=202003ed25519; t=1639835298; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=Q51kKlgymfGw5ckQ3aICPUzLDF7/yXSb78yad1iRAaM=; b=cX8fdmPBY/eo/+KMoW/JGOEZFIzQ1uuBE/fxuzgGHjDpc1sXHgEeCkZGSQJFGgRj1TEDWd 7S/qpEvLHV0834Cw== DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ipfire.org; s=202003rsa; t=1639835298; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=Q51kKlgymfGw5ckQ3aICPUzLDF7/yXSb78yad1iRAaM=; b=qaCkgK07dde6M6CuHX4hPFTv3Xv/8F7PxxH4XFaIk19EK7FlJvnCm8GhOTUniNwE9JCrcl oCG+9bWQQP5egnTKk0ts4ocK1oxViZ3hQvh/y3y7RSsjIzBH3jCh4N4sF1COjlxBTr5zbq RRBqXu4B3K6iYRhlO01iGfLXVqj513nO0Icvntk5dFhN0G+wgPl/oJwPudIelheGbMmGAl +ek89xudR115enzY6784ESAkAqzw6KptLBJtPbIg2zqUeXOgcUGvDI4N+jqQCzWMDJ25B5 bicLToI9bk2IOlXw09JlG63HjB2LXS29/vGMJ2zEMxihFDgxvkgzgx0ZiU3ysQ== Subject: [PATCH 03/11] firewall: Log and drop spoofed loopback packets To: development@lists.ipfire.org References: <34588df1-b2b7-9dfc-1fa4-54a2476d1d7f@ipfire.org> From: =?utf-8?q?Peter_M=C3=BCller?= Message-ID: <2ab43082-5d2d-d4bf-eba1-c78dede9b8b7@ipfire.org> Date: Sat, 18 Dec 2021 14:48:17 +0100 MIME-Version: 1.0 In-Reply-To: <34588df1-b2b7-9dfc-1fa4-54a2476d1d7f@ipfire.org> Content-Language: en-US X-BeenThere: development@lists.ipfire.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: IPFire development talk List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: development-bounces@lists.ipfire.org Sender: "Development" Traffic from and to 127.0.0.0/8 must only appear on the loopback interface, never on any other interface. This ensures offending packets are logged, and the loopback interface cannot be abused for processing traffic from and to any other networks. Signed-off-by: Peter Müller --- src/initscripts/system/firewall | 24 ++++++++++++++++++------ 1 file changed, 18 insertions(+), 6 deletions(-) diff --git a/src/initscripts/system/firewall b/src/initscripts/system/firewall index cc5baa292..1c62c6e2c 100644 --- a/src/initscripts/system/firewall +++ b/src/initscripts/system/firewall @@ -80,6 +80,14 @@ iptables_init() { fi iptables -A NEWNOTSYN -j DROP -m comment --comment "DROP_NEWNOTSYN" + # Log and subsequently drop spoofed packets or "martians", arriving from sources + # on interfaces where we don't expect them + iptables -N SPOOFED_MARTIAN + if [ "$DROPSPOOFEDMARTIAN" == "on" ]; then + iptables -A SPOOFED_MARTIAN -m limit --limit 10/second -j LOG --log-prefix "DROP_SPOOFED_MARTIAN " + fi + iptables -A SPOOFED_MARTIAN -j DROP -m comment --comment "DROP_SPOOFED_MARTIAN" + # Chain to contain all the rules relating to bad TCP flags iptables -N BADTCP @@ -177,14 +185,18 @@ iptables_init() { iptables -A INPUT -j ICMPINPUT iptables -A ICMPINPUT -p icmp --icmp-type 8 -j ACCEPT - # Accept everything on loopback + # Accept everything on loopback if source/destination is loopback space... iptables -N LOOPBACK - iptables -A LOOPBACK -i lo -j ACCEPT - iptables -A LOOPBACK -o lo -j ACCEPT + iptables -A LOOPBACK -i lo -s 127.0.0.0/8 -j ACCEPT + iptables -A LOOPBACK -o lo -d 127.0.0.0/8 -j ACCEPT + + # ... and drop everything else on the loopback interface, since no other traffic should appear there + iptables -A LOOPBACK -i lo -j SPOOFED_MARTIAN + iptables -A LOOPBACK -o lo -j SPOOFED_MARTIAN - # Filter all packets with loopback addresses on non-loopback interfaces. - iptables -A LOOPBACK -s 127.0.0.0/8 -j DROP - iptables -A LOOPBACK -d 127.0.0.0/8 -j DROP + # Filter all packets with loopback addresses on non-loopback interfaces (spoofed) + iptables -A LOOPBACK -s 127.0.0.0/8 -j SPOOFED_MARTIAN + iptables -A LOOPBACK -d 127.0.0.0/8 -j SPOOFED_MARTIAN for i in INPUT FORWARD OUTPUT; do iptables -A ${i} -j LOOPBACK