[05/11] firewall: Introduce DROP_HOSTILE

Message ID c2562a9e-0b55-67f8-b48f-62df97fa7196@ipfire.org
State Accepted
Commit 97154d057bdbc7fa34309e9a5ad389775eff210d
Series firewall: Introduce DROP_HOSTILE and improve spoofing logging/protection

Commit Message

Peter Müller Dec. 18, 2021, 1:48 p.m. UTC
Similar to the Location block, this chain logs and drops all traffic
from and to networks known to pose technical threats to IPFire users.

Doing so in a dedicated chain makes sense for transparency reasons, as
we won't interfere with other firewall rules or the Location block, so it
is always clear why a packet from or to such a network has been dropped.

Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
---
 src/initscripts/system/firewall | 14 ++++++++++++++
 1 file changed, 14 insertions(+)

Comments

Michael Tremer Jan. 7, 2022, 5:04 p.m. UTC | #1
Hello,

I told you that you will need to export the lists before you can load them, but that seems to have been incorrect.

Whenever we download the database, we extract everything:

  https://git.ipfire.org/?p=ipfire-2.x.git;a=blob;f=src/scripts/update-location-database;h=06b22d101cafbb59c23c2c0310d35905b280d9dd;hb=HEAD

So this should always work.

-Michael

> On 18 Dec 2021, at 13:48, Peter Müller <peter.mueller@ipfire.org> wrote:
> 
> Similar to the Location block, this chain logs and drops all traffic
> from and to networks known to pose technical threats to IPFire users.
> 
> Doing so in a dedicated chain makes sense for transparency reasons, as
> we won't interfere with other firewall rules or the Location block, so it
> is always clear why a packet from or to such a network has been dropped.
> 
> Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
> ---
> src/initscripts/system/firewall | 14 ++++++++++++++
> 1 file changed, 14 insertions(+)
> 
> diff --git a/src/initscripts/system/firewall b/src/initscripts/system/firewall
> index 9e62c0245..ebc8168ae 100644
> --- a/src/initscripts/system/firewall
> +++ b/src/initscripts/system/firewall
> @@ -139,6 +139,20 @@ iptables_init() {
> 	iptables -t nat -N CUSTOMPOSTROUTING
> 	iptables -t nat -A POSTROUTING -j CUSTOMPOSTROUTING
> 
> +	# Log and drop any traffic from and to networks known as being hostile, posing
> +	# a technical threat to our users (i. e. listed at Spamhaus DROP et al.)
> +	if [ "$DROPHOSTILE" == "on" ]; then
> +		iptables -N DROP_HOSTILE
> +		iptables -A DROP_HOSTILE  -m limit --limit 10/second -j LOG  --log-prefix "DROP_HOSTILE "
> +
> +		iptables -A INPUT   -i $IFACE -m geoip --src-cc XD -j DROP_HOSTILE
> +		iptables -A FORWARD -i $IFACE -m geoip --src-cc XD -j DROP_HOSTILE
> +		iptables -A FORWARD -o $IFACE -m geoip --dst-cc XD -j DROP_HOSTILE
> +		iptables -A OUTPUT  -o $IFACE -m geoip --src-cc XD -j DROP_HOSTILE
> +
> +		iptables -A DROP_HOSTILE -j DROP -m comment --comment "DROP_HOSTILE"
> +	fi
> +
> 	# P2PBLOCK
> 	iptables -N P2PBLOCK
> 	iptables -A INPUT -j P2PBLOCK
> -- 
> 2.26.2
Peter Müller Jan. 8, 2022, 10:39 a.m. UTC | #2
Hello Michael,

thanks for your reply.

This is good to know as I was surprised to see this working on my testing machine without
any further exports/converting/${whatever} of the location database. :-)

Thanks, and best regards,
Peter Müller


> Hello,
> 
> I told you that you will need to export the lists before you can load them, but that seems to have been incorrect.
> 
> Whenever we download the database, we extract everything:
> 
>   https://git.ipfire.org/?p=ipfire-2.x.git;a=blob;f=src/scripts/update-location-database;h=06b22d101cafbb59c23c2c0310d35905b280d9dd;hb=HEAD
> 
> So this should always work.
> 
> -Michael
> 
>> On 18 Dec 2021, at 13:48, Peter Müller <peter.mueller@ipfire.org> wrote:
>>
>> Similar to the Location block, this chain logs and drops all traffic
>> from and to networks known to pose technical threats to IPFire users.
>>
>> Doing so in a dedicated chain makes sense for transparency reasons, as
>> we won't interfere with other firewall rules or the Location block, so it
>> is always clear why a packet from or to such a network has been dropped.
>>
>> Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
>> ---
>> src/initscripts/system/firewall | 14 ++++++++++++++
>> 1 file changed, 14 insertions(+)
>>
>> diff --git a/src/initscripts/system/firewall b/src/initscripts/system/firewall
>> index 9e62c0245..ebc8168ae 100644
>> --- a/src/initscripts/system/firewall
>> +++ b/src/initscripts/system/firewall
>> @@ -139,6 +139,20 @@ iptables_init() {
>> 	iptables -t nat -N CUSTOMPOSTROUTING
>> 	iptables -t nat -A POSTROUTING -j CUSTOMPOSTROUTING
>>
>> +	# Log and drop any traffic from and to networks known as being hostile, posing
>> +	# a technical threat to our users (i. e. listed at Spamhaus DROP et al.)
>> +	if [ "$DROPHOSTILE" == "on" ]; then
>> +		iptables -N DROP_HOSTILE
>> +		iptables -A DROP_HOSTILE  -m limit --limit 10/second -j LOG  --log-prefix "DROP_HOSTILE "
>> +
>> +		iptables -A INPUT   -i $IFACE -m geoip --src-cc XD -j DROP_HOSTILE
>> +		iptables -A FORWARD -i $IFACE -m geoip --src-cc XD -j DROP_HOSTILE
>> +		iptables -A FORWARD -o $IFACE -m geoip --dst-cc XD -j DROP_HOSTILE
>> +		iptables -A OUTPUT  -o $IFACE -m geoip --src-cc XD -j DROP_HOSTILE
>> +
>> +		iptables -A DROP_HOSTILE -j DROP -m comment --comment "DROP_HOSTILE"
>> +	fi
>> +
>> 	# P2PBLOCK
>> 	iptables -N P2PBLOCK
>> 	iptables -A INPUT -j P2PBLOCK
>> -- 
>> 2.26.2
>

Patch

diff --git a/src/initscripts/system/firewall b/src/initscripts/system/firewall
index 9e62c0245..ebc8168ae 100644
--- a/src/initscripts/system/firewall
+++ b/src/initscripts/system/firewall
@@ -139,6 +139,20 @@  iptables_init() {
 	iptables -t nat -N CUSTOMPOSTROUTING
 	iptables -t nat -A POSTROUTING -j CUSTOMPOSTROUTING
 
+	# Log and drop any traffic from and to networks known as being hostile, posing
+	# a technical threat to our users (i. e. listed at Spamhaus DROP et al.)
+	if [ "$DROPHOSTILE" == "on" ]; then
+		iptables -N DROP_HOSTILE
+		iptables -A DROP_HOSTILE  -m limit --limit 10/second -j LOG  --log-prefix "DROP_HOSTILE "
+
+		iptables -A INPUT   -i $IFACE -m geoip --src-cc XD -j DROP_HOSTILE
+		iptables -A FORWARD -i $IFACE -m geoip --src-cc XD -j DROP_HOSTILE
+		iptables -A FORWARD -o $IFACE -m geoip --dst-cc XD -j DROP_HOSTILE
+		iptables -A OUTPUT  -o $IFACE -m geoip --src-cc XD -j DROP_HOSTILE
+
+		iptables -A DROP_HOSTILE -j DROP -m comment --comment "DROP_HOSTILE"
+	fi
+
 	# P2PBLOCK
 	iptables -N P2PBLOCK
 	iptables -A INPUT -j P2PBLOCK
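Review bot: the OUTPUT rule `iptables -A OUTPUT  -o $IFACE -m geoip --src-cc XD -j DROP_HOSTILE` matches on the source country of packets the firewall itself emits on $IFACE, so it only fires if the firewall's own address is in the XD set; to drop the firewall's own traffic *to* hostile networks, which is what the comment and the `FORWARD -o $IFACE ... --dst-cc XD` rule intend, this should be `--dst-cc XD`. Minor: `[ "$DROPHOSTILE" == "on" ]` uses the bash-only `==` inside single brackets where `=` is the portable form, and `$IFACE` is unquoted in all four jump rules while `$DROPHOSTILE` is quoted; quoting it keeps the rule well-formed if the variable is ever empty.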