[05/11] firewall: Introduce DROP_HOSTILE

Similar to the Location block, this chain logs and drops all traffic
from and to networks known to pose technical threats to IPFire users.

Doing so in a dedicated chain makes sense for transparency reasons, as
we won't interfer with other firewall rules or the Location block, so it
is always clear why a packet from or to such a network has been dropped.

Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
---
 src/initscripts/system/firewall | 14 ++++++++++++++
 1 file changed, 14 insertions(+)

Hello,

I told you that you will need to export the lists before you can load them, but that seems to have been incorrect.

Whenever we download the database, we extract everything:

  https://git.ipfire.org/?p=ipfire-2.x.git;a=blob;f=src/scripts/update-location-database;h=06b22d101cafbb59c23c2c0310d35905b280d9dd;hb=HEAD

So this should always work.

-Michael

> On 18 Dec 2021, at 13:48, Peter Müller <peter.mueller@ipfire.org> wrote:
> 
> Similar to the Location block, this chain logs and drops all traffic
> from and to networks known to pose technical threats to IPFire users.
> 
> Doing so in a dedicated chain makes sense for transparency reasons, as
> we won't interfer with other firewall rules or the Location block, so it
> is always clear why a packet from or to such a network has been dropped.
> 
> Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
> ---
> src/initscripts/system/firewall | 14 ++++++++++++++
> 1 file changed, 14 insertions(+)
> 
> diff --git a/src/initscripts/system/firewall b/src/initscripts/system/firewall
> index 9e62c0245..ebc8168ae 100644
> --- a/src/initscripts/system/firewall
> +++ b/src/initscripts/system/firewall
> @@ -139,6 +139,20 @@ iptables_init() {
> 	iptables -t nat -N CUSTOMPOSTROUTING
> 	iptables -t nat -A POSTROUTING -j CUSTOMPOSTROUTING
> 
> +	# Log and drop any traffic from and to networks known as being hostile, posing
> +	# a technical threat to our users (i. e. listed at Spamhaus DROP et al.)
> +	if [ "$DROPHOSTILE" == "on" ]; then
> +		iptables -N DROP_HOSTILE
> +		iptables -A DROP_HOSTILE  -m limit --limit 10/second -j LOG  --log-prefix "DROP_HOSTILE "
> +
> +		iptables -A INPUT   -i $IFACE -m geoip --src-cc XD -j DROP_HOSTILE
> +		iptables -A FORWARD -i $IFACE -m geoip --src-cc XD -j DROP_HOSTILE
> +		iptables -A FORWARD -o $IFACE -m geoip --dst-cc XD -j DROP_HOSTILE
> +		iptables -A OUTPUT  -o $IFACE -m geoip --src-cc XD -j DROP_HOSTILE
> +
> +		iptables -A DROP_HOSTILE -j DROP -m comment --comment "DROP_HOSTILE"
> +	fi
> +
> 	# P2PBLOCK
> 	iptables -N P2PBLOCK
> 	iptables -A INPUT -j P2PBLOCK
> -- 
> 2.26.2

Hello Michael,

thanks for your reply.

This is good to know as I was surprised to see this working on my testing machine without
any further exports/converting/${whatever} of the location database. :-)

Thanks, and best regards,
Peter Müller


> Hello,
> 
> I told you that you will need to export the lists before you can load them, but that seems to have been incorrect.
> 
> Whenever we download the database, we extract everything:
> 
>   https://git.ipfire.org/?p=ipfire-2.x.git;a=blob;f=src/scripts/update-location-database;h=06b22d101cafbb59c23c2c0310d35905b280d9dd;hb=HEAD
> 
> So this should always work.
> 
> -Michael
> 
>> On 18 Dec 2021, at 13:48, Peter Müller <peter.mueller@ipfire.org> wrote:
>>
>> Similar to the Location block, this chain logs and drops all traffic
>> from and to networks known to pose technical threats to IPFire users.
>>
>> Doing so in a dedicated chain makes sense for transparency reasons, as
>> we won't interfer with other firewall rules or the Location block, so it
>> is always clear why a packet from or to such a network has been dropped.
>>
>> Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
>> ---
>> src/initscripts/system/firewall | 14 ++++++++++++++
>> 1 file changed, 14 insertions(+)
>>
>> diff --git a/src/initscripts/system/firewall b/src/initscripts/system/firewall
>> index 9e62c0245..ebc8168ae 100644
>> --- a/src/initscripts/system/firewall
>> +++ b/src/initscripts/system/firewall
>> @@ -139,6 +139,20 @@ iptables_init() {
>> 	iptables -t nat -N CUSTOMPOSTROUTING
>> 	iptables -t nat -A POSTROUTING -j CUSTOMPOSTROUTING
>>
>> +	# Log and drop any traffic from and to networks known as being hostile, posing
>> +	# a technical threat to our users (i. e. listed at Spamhaus DROP et al.)
>> +	if [ "$DROPHOSTILE" == "on" ]; then
>> +		iptables -N DROP_HOSTILE
>> +		iptables -A DROP_HOSTILE  -m limit --limit 10/second -j LOG  --log-prefix "DROP_HOSTILE "
>> +
>> +		iptables -A INPUT   -i $IFACE -m geoip --src-cc XD -j DROP_HOSTILE
>> +		iptables -A FORWARD -i $IFACE -m geoip --src-cc XD -j DROP_HOSTILE
>> +		iptables -A FORWARD -o $IFACE -m geoip --dst-cc XD -j DROP_HOSTILE
>> +		iptables -A OUTPUT  -o $IFACE -m geoip --src-cc XD -j DROP_HOSTILE
>> +
>> +		iptables -A DROP_HOSTILE -j DROP -m comment --comment "DROP_HOSTILE"
>> +	fi
>> +
>> 	# P2PBLOCK
>> 	iptables -N P2PBLOCK
>> 	iptables -A INPUT -j P2PBLOCK
>> -- 
>> 2.26.2
>