From patchwork Sat Dec 18 13:48:46 2021 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-Patchwork-Submitter: =?utf-8?q?Peter_M=C3=BCller?= X-Patchwork-Id: 4928 Return-Path: Received: from mail01.ipfire.org (mail01.haj.ipfire.org [172.28.1.202]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (P-384) client-signature ECDSA (P-384)) (Client CN "mail01.haj.ipfire.org", Issuer "R3" (verified OK)) by web04.haj.ipfire.org (Postfix) with ESMTPS id 4JGRyp06Dzz3wtM for ; Sat, 18 Dec 2021 13:48:50 +0000 (UTC) Received: from mail02.haj.ipfire.org (mail02.haj.ipfire.org [172.28.1.201]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (P-384) client-signature ECDSA (P-384)) (Client CN "mail02.haj.ipfire.org", Issuer "R3" (verified OK)) by mail01.ipfire.org (Postfix) with ESMTPS id 4JGRyn4kncz4Jy; Sat, 18 Dec 2021 13:48:49 +0000 (UTC) Received: from mail02.haj.ipfire.org (localhost [127.0.0.1]) by mail02.haj.ipfire.org (Postfix) with ESMTP id 4JGRyn4K6bz2xqw; Sat, 18 Dec 2021 13:48:49 +0000 (UTC) Received: from mail01.ipfire.org (mail01.haj.ipfire.org [172.28.1.202]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (P-384) client-signature ECDSA (P-384)) (Client CN "mail01.haj.ipfire.org", Issuer "R3" (verified OK)) by mail02.haj.ipfire.org (Postfix) with ESMTPS id 4JGRym23wgz2xXd for ; Sat, 18 Dec 2021 13:48:48 +0000 (UTC) Received: from [127.0.0.1] (localhost [127.0.0.1]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (P-384)) (No client certificate requested) by mail01.ipfire.org (Postfix) with ESMTPSA id 4JGRyl2mQGz3fh for ; Sat, 18 Dec 2021 13:48:47 +0000 (UTC) DKIM-Signature: v=1; a=ed25519-sha256; c=relaxed/relaxed; d=ipfire.org; s=202003ed25519; t=1639835327; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=vgKO3nAihQtN1JQldKGZxRrUKD3IO6rywcfwxQyPe6A=; b=uA2KY1mHARltxWYtt6P85Hi0a1f/lDd19deCDDYOb43aAcSwU5MCu3Pf+9eSqo/s69PMV7 dMe7J+imZo02piBw== DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ipfire.org; s=202003rsa; t=1639835327; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=vgKO3nAihQtN1JQldKGZxRrUKD3IO6rywcfwxQyPe6A=; b=KQ0UDvl2MnBamAKC0KXu3sCaIwaqU7S+IVG0KaXLHla4cZjz1EiAb2LLc6gxEhbAXwouvk L3L7h7jv9qnxfDJnctqVW48D+vR1X8TeAFci5iVDqr3hltroQ8crq5XHlYQ1YS+bI9ehf6 r0GzbM0K6nGbtikDHUqdMmDseUGlNCFwtNKIIYqJgVq4NfTFurv5MmA/6CEhLn2BUqXC/d c/+1+dS+GMsOqVul9ne/HNDsqT2PujRce1HZJyMllo9RwNdMcE7V8eK/RTOhXqPRTT7rSa W7OwuVlW9vhk/zR3m/4AcSFOfdV9GecU93PFI/ZvSs36KnLpuSuHymZvfRp1lQ== Subject: [PATCH 05/11] firewall: Introduce DROP_HOSTILE To: development@lists.ipfire.org References: <34588df1-b2b7-9dfc-1fa4-54a2476d1d7f@ipfire.org> From: =?utf-8?q?Peter_M=C3=BCller?= Message-ID: Date: Sat, 18 Dec 2021 14:48:46 +0100 MIME-Version: 1.0 In-Reply-To: <34588df1-b2b7-9dfc-1fa4-54a2476d1d7f@ipfire.org> Content-Language: en-US X-BeenThere: development@lists.ipfire.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: IPFire development talk List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: development-bounces@lists.ipfire.org Sender: "Development" Similar to the Location block, this chain logs and drops all traffic from and to networks known to pose technical threats to IPFire users. Doing so in a dedicated chain makes sense for transparency reasons, as we won't interfer with other firewall rules or the Location block, so it is always clear why a packet from or to such a network has been dropped. Signed-off-by: Peter Müller --- src/initscripts/system/firewall | 14 ++++++++++++++ 1 file changed, 14 insertions(+) diff --git a/src/initscripts/system/firewall b/src/initscripts/system/firewall index 9e62c0245..ebc8168ae 100644 --- a/src/initscripts/system/firewall +++ b/src/initscripts/system/firewall @@ -139,6 +139,20 @@ iptables_init() { iptables -t nat -N CUSTOMPOSTROUTING iptables -t nat -A POSTROUTING -j CUSTOMPOSTROUTING + # Log and drop any traffic from and to networks known as being hostile, posing + # a technical threat to our users (i. e. listed at Spamhaus DROP et al.) + if [ "$DROPHOSTILE" == "on" ]; then + iptables -N DROP_HOSTILE + iptables -A DROP_HOSTILE -m limit --limit 10/second -j LOG --log-prefix "DROP_HOSTILE " + + iptables -A INPUT -i $IFACE -m geoip --src-cc XD -j DROP_HOSTILE + iptables -A FORWARD -i $IFACE -m geoip --src-cc XD -j DROP_HOSTILE + iptables -A FORWARD -o $IFACE -m geoip --dst-cc XD -j DROP_HOSTILE + iptables -A OUTPUT -o $IFACE -m geoip --src-cc XD -j DROP_HOSTILE + + iptables -A DROP_HOSTILE -j DROP -m comment --comment "DROP_HOSTILE" + fi + # P2PBLOCK iptables -N P2PBLOCK iptables -A INPUT -j P2PBLOCK