freedombone-utils-firewall 25KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398399400401402403404405406407408409410411412413414415416417418419420421422423424425426427428429430431432433434435436437438439440441442443444445446447448449450451452453454455456457458459460461462463464465466467468469470471472473474475476477478479480481482483484485486487488489490491492493494495496497498499500501502503504505506507508509510511512513514515516517518519520521522523524525526527528529530531532533534535536537538539540541542543544545546547548549550551552553554555556557558559560
  1. #!/bin/bash
  2. #
  3. # .---. . .
  4. # | | |
  5. # |--- .--. .-. .-. .-.| .-. .--.--. |.-. .-. .--. .-.
  6. # | | (.-' (.-' ( | ( )| | | | )( )| | (.-'
  7. # ' ' --' --' -' - -' ' ' -' -' -' ' - --'
  8. #
  9. # Freedom in the Cloud
  10. #
  11. # Firewall functions
  12. #
  13. # TODO: in future investigate using nftables
  14. #
  15. # License
  16. # =======
  17. #
  18. # Copyright (C) 2014-2017 Bob Mottram <bob@freedombone.net>
  19. #
  20. # This program is free software: you can redistribute it and/or modify
  21. # it under the terms of the GNU Affero General Public License as published by
  22. # the Free Software Foundation, either version 3 of the License, or
  23. # (at your option) any later version.
  24. #
  25. # This program is distributed in the hope that it will be useful,
  26. # but WITHOUT ANY WARRANTY; without even the implied warranty of
  27. # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
  28. # GNU Affero General Public License for more details.
  29. #
  30. # You should have received a copy of the GNU Affero General Public License
  31. # along with this program. If not, see <http://www.gnu.org/licenses/>.
  32. FIREWALL_CONFIG=$HOME/${PROJECT_NAME}-firewall.cfg
  33. FIREWALL_DOMAINS=$HOME/${PROJECT_NAME}-firewall-domains.cfg
  34. function save_firewall_settings {
  35. iptables-save > /etc/firewall.conf
  36. ip6tables-save > /etc/firewall6.conf
  37. printf '#!/bin/sh\n' > /etc/network/if-up.d/iptables
  38. printf 'iptables-restore < /etc/firewall.conf\n' >> /etc/network/if-up.d/iptables
  39. printf 'ip6tables-restore < /etc/firewall6.conf\n' >> /etc/network/if-up.d/iptables
  40. if [ -f /etc/network/if-up.d/iptables ]; then
  41. chmod +x /etc/network/if-up.d/iptables
  42. fi
  43. }
  44. function firewall_block_bad_ip_ranges {
  45. if [ $INSTALLING_MESH ]; then
  46. return
  47. fi
  48. if [[ $(is_completed $FUNCNAME) == "1" ]]; then
  49. return
  50. fi
  51. # There are various blocklists out there, but they're difficult
  52. # to verify. Indiscriminately blocking ranges without evidence
  53. # would be a bad idea.
  54. # From Wikipedia and elsewhere: US military addresses
  55. iptables -A INPUT -s 6.0.0.0/8 -j DROP
  56. iptables -A OUTPUT -s 6.0.0.0/8 -j DROP
  57. iptables -A INPUT -s 7.0.0.0/8 -j DROP
  58. iptables -A OUTPUT -s 7.0.0.0/8 -j DROP
  59. iptables -A INPUT -s 11.0.0.0/8 -j DROP
  60. iptables -A OUTPUT -s 11.0.0.0/8 -j DROP
  61. iptables -A INPUT -s 21.0.0.0/8 -j DROP
  62. iptables -A OUTPUT -s 21.0.0.0/8 -j DROP
  63. iptables -A INPUT -s 22.0.0.0/8 -j DROP
  64. iptables -A OUTPUT -s 22.0.0.0/8 -j DROP
  65. iptables -A INPUT -s 26.0.0.0/8 -j DROP
  66. iptables -A OUTPUT -s 26.0.0.0/8 -j DROP
  67. iptables -A INPUT -s 28.0.0.0/8 -j DROP
  68. iptables -A OUTPUT -s 28.0.0.0/8 -j DROP
  69. iptables -A INPUT -s 29.0.0.0/8 -j DROP
  70. iptables -A OUTPUT -s 29.0.0.0/8 -j DROP
  71. iptables -A INPUT -s 30.0.0.0/8 -j DROP
  72. iptables -A OUTPUT -s 30.0.0.0/8 -j DROP
  73. iptables -A INPUT -s 33.0.0.0/8 -j DROP
  74. iptables -A OUTPUT -s 33.0.0.0/8 -j DROP
  75. iptables -A INPUT -s 55.0.0.0/8 -j DROP
  76. iptables -A OUTPUT -s 55.0.0.0/8 -j DROP
  77. iptables -A INPUT -s 214.0.0.0/8 -j DROP
  78. iptables -A OUTPUT -s 214.0.0.0/8 -j DROP
  79. iptables -A INPUT -s 215.0.0.0/8 -j DROP
  80. iptables -A OUTPUT -s 215.0.0.0/8 -j DROP
  81. save_firewall_settings
  82. mark_completed $FUNCNAME
  83. }
  84. function global_rate_limit {
  85. if ! grep -q "tcp_challenge_ack_limit" /etc/sysctl.conf; then
  86. echo 'net.ipv4.tcp_challenge_ack_limit = 999999999' >> /etc/sysctl.conf
  87. else
  88. sed -i 's|net.ipv4.tcp_challenge_ack_limit.*|net.ipv4.tcp_challenge_ack_limit = 999999999|g' /etc/sysctl.conf
  89. fi
  90. sysctl -p -q
  91. }
  92. function enable_ipv6 {
  93. # endure that ipv6 is enabled and can route
  94. sed -i 's/net.ipv6.conf.all.disable_ipv6.*/net.ipv6.conf.all.disable_ipv6 = 0/g' /etc/sysctl.conf
  95. #sed -i "s/net.ipv6.conf.all.accept_redirects.*/net.ipv6.conf.all.accept_redirects = 1/g" /etc/sysctl.conf
  96. #sed -i "s/net.ipv6.conf.all.accept_source_route.*/net.ipv6.conf.all.accept_source_route = 1/g" /etc/sysctl.conf
  97. sed -i "s/net.ipv6.conf.all.forwarding.*/net.ipv6.conf.all.forwarding=1/g" /etc/sysctl.conf
  98. echo 1 > /proc/sys/net/ipv6/conf/all/forwarding
  99. }
  100. function configure_firewall {
  101. if [ $INSTALLING_MESH ]; then
  102. mesh_firewall
  103. return
  104. fi
  105. if grep -q "RELATED" /etc/firewall.conf; then
  106. # recreate the firewall to remove RELATED
  107. sed -i "/firewall/d" $COMPLETION_FILE
  108. fi
  109. if [[ $(is_completed $FUNCNAME) == "1" ]]; then
  110. return
  111. fi
  112. if [[ $INSTALLED_WITHIN_DOCKER == "yes" ]]; then
  113. # docker does its own firewalling
  114. return
  115. fi
  116. iptables -P INPUT ACCEPT
  117. ip6tables -P INPUT ACCEPT
  118. iptables -F
  119. ip6tables -F
  120. iptables -t nat -F
  121. ip6tables -t nat -F
  122. iptables -X
  123. ip6tables -X
  124. iptables -P INPUT DROP
  125. ip6tables -P INPUT DROP
  126. iptables -P FORWARD DROP
  127. ip6tables -P FORWARD DROP
  128. iptables -A INPUT -i lo -j ACCEPT
  129. iptables -A INPUT -m conntrack --ctstate ESTABLISHED -j ACCEPT
  130. # Drop invalid packets
  131. iptables -t mangle -A PREROUTING -m conntrack --ctstate INVALID -j DROP
  132. # Make sure incoming tcp connections are SYN packets
  133. iptables -A INPUT -p tcp ! --syn -m state --state NEW -j DROP
  134. iptables -t mangle -A PREROUTING -p tcp ! --syn -m conntrack --ctstate NEW -j DROP
  135. # Drop SYN packets with suspicious MSS value
  136. iptables -t mangle -A PREROUTING -p tcp -m conntrack --ctstate NEW -m tcpmss ! --mss 536:65535 -j DROP
  137. # Drop packets with incoming fragments
  138. iptables -A INPUT -f -j DROP
  139. # Drop bogons
  140. iptables -A INPUT -p tcp --tcp-flags ALL ALL -j DROP
  141. iptables -A INPUT -p tcp --tcp-flags ALL FIN,PSH,URG -j DROP
  142. iptables -A INPUT -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j DROP
  143. iptables -t mangle -A PREROUTING -p tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j DROP
  144. iptables -t mangle -A PREROUTING -p tcp --tcp-flags FIN,SYN FIN,SYN -j DROP
  145. iptables -t mangle -A PREROUTING -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
  146. iptables -t mangle -A PREROUTING -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
  147. iptables -t mangle -A PREROUTING -p tcp --tcp-flags FIN,RST FIN,RST -j DROP
  148. iptables -t mangle -A PREROUTING -p tcp --tcp-flags FIN,ACK FIN -j DROP
  149. iptables -t mangle -A PREROUTING -p tcp --tcp-flags ACK,URG URG -j DROP
  150. iptables -t mangle -A PREROUTING -p tcp --tcp-flags ACK,FIN FIN -j DROP
  151. iptables -t mangle -A PREROUTING -p tcp --tcp-flags ACK,PSH PSH -j DROP
  152. iptables -t mangle -A PREROUTING -p tcp --tcp-flags ALL ALL -j DROP
  153. iptables -t mangle -A PREROUTING -p tcp --tcp-flags ALL NONE -j DROP
  154. iptables -t mangle -A PREROUTING -p tcp --tcp-flags ALL FIN,PSH,URG -j DROP
  155. iptables -t mangle -A PREROUTING -p tcp --tcp-flags ALL SYN,FIN,PSH,URG -j DROP
  156. iptables -t mangle -A PREROUTING -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j DROP
  157. # Incoming malformed NULL packets:
  158. iptables -A INPUT -p tcp --tcp-flags ALL NONE -j DROP
  159. mark_completed $FUNCNAME
  160. }
  161. function firewall_drop_telnet {
  162. if [[ $(is_completed $FUNCNAME) == "1" ]]; then
  163. return
  164. fi
  165. # telnet isn't enabled as an input and we can also
  166. # drop any outgoing telnet, just in case
  167. iptables -A OUTPUT -p tcp --dport telnet -j REJECT
  168. iptables -A OUTPUT -p udp --dport telnet -j REJECT
  169. function_check save_firewall_settings
  170. save_firewall_settings
  171. mark_completed $FUNCNAME
  172. }
  173. function configure_firewall_ping {
  174. if [[ $(is_completed $FUNCNAME) == "1" ]]; then
  175. return
  176. fi
  177. # Only allow ping for mesh installs
  178. if [[ $SYSTEM_TYPE != "mesh"* ]]; then
  179. return
  180. fi
  181. iptables -A INPUT -p icmp --icmp-type echo-request -j ACCEPT
  182. iptables -A OUTPUT -p icmp --icmp-type echo-reply -j ACCEPT
  183. function_check save_firewall_settings
  184. save_firewall_settings
  185. mark_completed $FUNCNAME
  186. }
  187. function configure_internet_protocol {
  188. if [[ $(is_completed $FUNCNAME) == "1" ]]; then
  189. return
  190. fi
  191. if [[ $SYSTEM_TYPE == "mesh"* ]]; then
  192. return
  193. fi
  194. sed -i "s/#net.ipv4.tcp_syncookies.*/net.ipv4.tcp_syncookies=1/g" /etc/sysctl.conf
  195. sed -i "s/#net.ipv4.conf.all.accept_redirects.*/net.ipv4.conf.all.accept_redirects = 0/g" /etc/sysctl.conf
  196. sed -i "s/#net.ipv6.conf.all.accept_redirects.*/net.ipv6.conf.all.accept_redirects = 0/g" /etc/sysctl.conf
  197. sed -i "s/#net.ipv4.conf.all.send_redirects.*/net.ipv4.conf.all.send_redirects = 0/g" /etc/sysctl.conf
  198. sed -i "s/#net.ipv4.conf.all.accept_source_route.*/net.ipv4.conf.all.accept_source_route = 0/g" /etc/sysctl.conf
  199. sed -i "s/#net.ipv6.conf.all.accept_source_route.*/net.ipv6.conf.all.accept_source_route = 0/g" /etc/sysctl.conf
  200. sed -i "s/#net.ipv4.conf.default.rp_filter.*/net.ipv4.conf.default.rp_filter=1/g" /etc/sysctl.conf
  201. sed -i "s/#net.ipv4.conf.all.rp_filter.*/net.ipv4.conf.all.rp_filter=1/g" /etc/sysctl.conf
  202. sed -i "s/#net.ipv4.ip_forward.*/net.ipv4.ip_forward=0/g" /etc/sysctl.conf
  203. sed -i "s/#net.ipv6.conf.all.forwarding.*/net.ipv6.conf.all.forwarding=0/g" /etc/sysctl.conf
  204. sed -i "s/# net.ipv4.tcp_syncookies.*/net.ipv4.tcp_syncookies=1/g" /etc/sysctl.conf
  205. sed -i "s/# net.ipv4.conf.all.accept_redirects.*/net.ipv4.conf.all.accept_redirects = 0/g" /etc/sysctl.conf
  206. sed -i "s/# net.ipv6.conf.all.accept_redirects.*/net.ipv6.conf.all.accept_redirects = 0/g" /etc/sysctl.conf
  207. sed -i "s/# net.ipv4.conf.all.send_redirects.*/net.ipv4.conf.all.send_redirects = 0/g" /etc/sysctl.conf
  208. sed -i "s/# net.ipv4.conf.all.accept_source_route.*/net.ipv4.conf.all.accept_source_route = 0/g" /etc/sysctl.conf
  209. sed -i "s/# net.ipv6.conf.all.accept_source_route.*/net.ipv6.conf.all.accept_source_route = 0/g" /etc/sysctl.conf
  210. sed -i "s/# net.ipv4.conf.default.rp_filter.*/net.ipv4.conf.default.rp_filter=1/g" /etc/sysctl.conf
  211. sed -i "s/# net.ipv4.conf.all.rp_filter.*/net.ipv4.conf.all.rp_filter=1/g" /etc/sysctl.conf
  212. sed -i "s/# net.ipv4.ip_forward.*/net.ipv4.ip_forward=0/g" /etc/sysctl.conf
  213. sed -i "s/# net.ipv6.conf.all.forwarding.*/net.ipv6.conf.all.forwarding=0/g" /etc/sysctl.conf
  214. if ! grep -q "ignore pings" /etc/sysctl.conf; then
  215. echo '# ignore pings' >> /etc/sysctl.conf
  216. echo 'net.ipv4.icmp_echo_ignore_all = 1' >> /etc/sysctl.conf
  217. echo 'net.ipv6.icmp_echo_ignore_all = 1' >> /etc/sysctl.conf
  218. fi
  219. if ! grep -q "disable ipv6" /etc/sysctl.conf; then
  220. echo '# disable ipv6' >> /etc/sysctl.conf
  221. echo 'net.ipv6.conf.all.disable_ipv6 = 1' >> /etc/sysctl.conf
  222. fi
  223. if ! grep -q "net.ipv4.tcp_synack_retries" /etc/sysctl.conf; then
  224. echo 'net.ipv4.tcp_synack_retries = 2' >> /etc/sysctl.conf
  225. echo 'net.ipv4.tcp_syn_retries = 1' >> /etc/sysctl.conf
  226. fi
  227. if ! grep -q "keepalive" /etc/sysctl.conf; then
  228. echo '# keepalive' >> /etc/sysctl.conf
  229. echo 'net.ipv4.tcp_keepalive_probes = 9' >> /etc/sysctl.conf
  230. echo 'net.ipv4.tcp_keepalive_intvl = 75' >> /etc/sysctl.conf
  231. echo 'net.ipv4.tcp_keepalive_time = 7200' >> /etc/sysctl.conf
  232. fi
  233. if ! grep -q "net.ipv4.conf.default.send_redirects" /etc/sysctl.conf; then
  234. echo "net.ipv4.conf.default.send_redirects = 0" >> /etc/sysctl.conf
  235. else
  236. sed -i "s|# net.ipv4.conf.default.send_redirects.*|net.ipv4.conf.default.send_redirects = 0|g" /etc/sysctl.conf
  237. sed -i "s|#net.ipv4.conf.default.send_redirects.*|net.ipv4.conf.default.send_redirects = 0|g" /etc/sysctl.conf
  238. sed -i "s|net.ipv4.conf.default.send_redirects.*|net.ipv4.conf.default.send_redirects = 0|g" /etc/sysctl.conf
  239. fi
  240. if ! grep -q "net.ipv4.conf.all.secure_redirects" /etc/sysctl.conf; then
  241. echo "net.ipv4.conf.all.secure_redirects = 0" >> /etc/sysctl.conf
  242. else
  243. sed -i "s|# net.ipv4.conf.all.secure_redirects.*|net.ipv4.conf.all.secure_redirects = 0|g" /etc/sysctl.conf
  244. sed -i "s|#net.ipv4.conf.all.secure_redirects.*|net.ipv4.conf.all.secure_redirects = 0|g" /etc/sysctl.conf
  245. sed -i "s|net.ipv4.conf.all.secure_redirects.*|net.ipv4.conf.all.secure_redirects = 0|g" /etc/sysctl.conf
  246. fi
  247. if ! grep -q "net.ipv4.conf.default.accept_source_route" /etc/sysctl.conf; then
  248. echo "net.ipv4.conf.default.accept_source_route = 0" >> /etc/sysctl.conf
  249. else
  250. sed -i "s|# net.ipv4.conf.default.accept_source_route.*|net.ipv4.conf.default.accept_source_route = 0|g" /etc/sysctl.conf
  251. sed -i "s|#net.ipv4.conf.default.accept_source_route.*|net.ipv4.conf.default.accept_source_route = 0|g" /etc/sysctl.conf
  252. sed -i "s|net.ipv4.conf.default.accept_source_route.*|net.ipv4.conf.default.accept_source_route = 0|g" /etc/sysctl.conf
  253. fi
  254. if ! grep -q "net.ipv4.conf.default.secure_redirects" /etc/sysctl.conf; then
  255. echo "net.ipv4.conf.default.secure_redirects = 0" >> /etc/sysctl.conf
  256. else
  257. sed -i "s|# net.ipv4.conf.default.secure_redirects.*|net.ipv4.conf.default.secure_redirects = 0|g" /etc/sysctl.conf
  258. sed -i "s|#net.ipv4.conf.default.secure_redirects.*|net.ipv4.conf.default.secure_redirects = 0|g" /etc/sysctl.conf
  259. sed -i "s|net.ipv4.conf.default.secure_redirects.*|net.ipv4.conf.default.secure_redirects = 0|g" /etc/sysctl.conf
  260. fi
  261. if ! grep -q "net.ipv4.conf.default.accept_redirects" /etc/sysctl.conf; then
  262. echo "net.ipv4.conf.default.accept_redirects = 0" >> /etc/sysctl.conf
  263. else
  264. sed -i "s|# net.ipv4.conf.default.accept_redirects.*|net.ipv4.conf.default.accept_redirects = 0|g" /etc/sysctl.conf
  265. sed -i "s|#net.ipv4.conf.default.accept_redirects.*|net.ipv4.conf.default.accept_redirects = 0|g" /etc/sysctl.conf
  266. sed -i "s|net.ipv4.conf.default.accept_redirects.*|net.ipv4.conf.default.accept_redirects = 0|g" /etc/sysctl.conf
  267. fi
  268. mark_completed $FUNCNAME
  269. }
  270. function mesh_firewall {
  271. FIREWALL_FILENAME=${rootdir}/etc/systemd/system/meshfirewall.service
  272. MESH_FIREWALL_SCRIPT=${rootdir}/usr/bin/mesh-firewall
  273. echo '#!/bin/bash' > $MESH_FIREWALL_SCRIPT
  274. echo 'iptables -P INPUT ACCEPT' >> $MESH_FIREWALL_SCRIPT
  275. echo 'ip6tables -P INPUT ACCEPT' >> $MESH_FIREWALL_SCRIPT
  276. echo 'iptables -F' >> $MESH_FIREWALL_SCRIPT
  277. echo 'ip6tables -F' >> $MESH_FIREWALL_SCRIPT
  278. echo 'iptables -t nat -F' >> $MESH_FIREWALL_SCRIPT
  279. echo 'ip6tables -t nat -F' >> $MESH_FIREWALL_SCRIPT
  280. echo 'iptables -X' >> $MESH_FIREWALL_SCRIPT
  281. echo 'ip6tables -X' >> $MESH_FIREWALL_SCRIPT
  282. echo 'iptables -P INPUT DROP' >> $MESH_FIREWALL_SCRIPT
  283. echo 'ip6tables -P INPUT DROP' >> $MESH_FIREWALL_SCRIPT
  284. echo 'iptables -A INPUT -i lo -j ACCEPT' >> $MESH_FIREWALL_SCRIPT
  285. echo 'iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT' >> $MESH_FIREWALL_SCRIPT
  286. echo '' >> $MESH_FIREWALL_SCRIPT
  287. echo '# Make sure incoming tcp connections are SYN packets' >> $MESH_FIREWALL_SCRIPT
  288. echo 'iptables -A INPUT -p tcp ! --syn -m state --state NEW -j DROP' >> $MESH_FIREWALL_SCRIPT
  289. echo '' >> $MESH_FIREWALL_SCRIPT
  290. echo '# Drop packets with incoming fragments' >> $MESH_FIREWALL_SCRIPT
  291. echo 'iptables -A INPUT -f -j DROP' >> $MESH_FIREWALL_SCRIPT
  292. echo '' >> $MESH_FIREWALL_SCRIPT
  293. echo '# Drop bogons' >> $MESH_FIREWALL_SCRIPT
  294. echo 'iptables -A INPUT -p tcp --tcp-flags ALL ALL -j DROP' >> $MESH_FIREWALL_SCRIPT
  295. echo 'iptables -A INPUT -p tcp --tcp-flags ALL FIN,PSH,URG -j DROP' >> $MESH_FIREWALL_SCRIPT
  296. echo 'iptables -A INPUT -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j DROP' >> $MESH_FIREWALL_SCRIPT
  297. echo '' >> $MESH_FIREWALL_SCRIPT
  298. echo '# Incoming malformed NULL packets:' >> $MESH_FIREWALL_SCRIPT
  299. echo 'iptables -A INPUT -p tcp --tcp-flags ALL NONE -j DROP' >> $MESH_FIREWALL_SCRIPT
  300. echo '' >> $MESH_FIREWALL_SCRIPT
  301. echo "iptables -A INPUT -p tcp --dport $TOX_PORT -j ACCEPT" >> $MESH_FIREWALL_SCRIPT
  302. echo "iptables -A INPUT -i $WIFI_INTERFACE -p udp --dport $ZERONET_PORT -j ACCEPT" >> $MESH_FIREWALL_SCRIPT
  303. echo "iptables -A INPUT -i $WIFI_INTERFACE -p tcp --dport $ZERONET_PORT -j ACCEPT" >> $MESH_FIREWALL_SCRIPT
  304. echo "iptables -A INPUT -i $WIFI_INTERFACE -p udp --dport $TRACKER_PORT -j ACCEPT" >> $MESH_FIREWALL_SCRIPT
  305. echo "iptables -A INPUT -i $WIFI_INTERFACE -p tcp --dport $TRACKER_PORT -j ACCEPT" >> $MESH_FIREWALL_SCRIPT
  306. echo "iptables -A INPUT -i $WIFI_INTERFACE -p udp --dport 1900 -j ACCEPT" >> $MESH_FIREWALL_SCRIPT
  307. chmod +x $MESH_FIREWALL_SCRIPT
  308. echo '[Unit]' > $FIREWALL_FILENAME
  309. echo 'Description=Mesh Firewall' >> $FIREWALL_FILENAME
  310. echo '' >> $FIREWALL_FILENAME
  311. echo '[Service]' >> $FIREWALL_FILENAME
  312. echo 'Type=oneshot' >> $FIREWALL_FILENAME
  313. echo 'ExecStart=/usr/bin/mesh-firewall' >> $FIREWALL_FILENAME
  314. echo 'RemainAfterExit=no' >> $FIREWALL_FILENAME
  315. echo '' >> $FIREWALL_FILENAME
  316. echo 'TimeoutSec=30' >> $FIREWALL_FILENAME
  317. echo '' >> $FIREWALL_FILENAME
  318. echo '[Install]' >> $FIREWALL_FILENAME
  319. echo 'WantedBy=multi-user.target' >> $FIREWALL_FILENAME
  320. chmod +x $FIREWALL_FILENAME
  321. chroot "$rootdir" systemctl enable meshfirewall
  322. }
  323. function firewall_add {
  324. firewall_name=$(echo "$1" | sed "s| |-|g")
  325. firewall_port=$2
  326. firewall_protocol="$3"
  327. if ! grep -q "${firewall_name}=${firewall_port}" $FIREWALL_CONFIG; then
  328. echo "${firewall_name}=${firewall_port}" >> $FIREWALL_CONFIG
  329. if [ ! ${firewall_protocol} ]; then
  330. iptables -C INPUT -p udp --dport ${firewall_port} -j ACCEPT
  331. if [ ! "$?" = "0" ]; then
  332. iptables -A INPUT -p udp --dport ${firewall_port} -j ACCEPT
  333. fi
  334. iptables -C INPUT -p tcp --dport ${firewall_port} -j ACCEPT
  335. if [ ! "$?" = "0" ]; then
  336. iptables -A INPUT -p tcp --dport ${firewall_port} -j ACCEPT
  337. fi
  338. else
  339. if [[ "${firewall_protocol}" == *"udp"* ]]; then
  340. iptables -C INPUT -p udp --dport ${firewall_port} -j ACCEPT
  341. if [ ! "$?" = "0" ]; then
  342. iptables -A INPUT -p udp --dport ${firewall_port} -j ACCEPT
  343. fi
  344. fi
  345. if [[ "${firewall_protocol}" == *"tcp"* ]]; then
  346. iptables -C INPUT -p tcp --dport ${firewall_port} -j ACCEPT
  347. if [ ! "$?" = "0" ]; then
  348. iptables -A INPUT -p tcp --dport ${firewall_port} -j ACCEPT
  349. fi
  350. fi
  351. fi
  352. save_firewall_settings
  353. fi
  354. }
  355. function firewall_add_range {
  356. firewall_name=$(echo "$1" | sed "s| |-|g")
  357. firewall_port_start=$2
  358. firewall_port_end=$3
  359. firewall_protocol="$4"
  360. if ! grep -q "${firewall_name}=${firewall_port_start}:${firewall_port_end}" $FIREWALL_CONFIG; then
  361. echo "${firewall_name}=${firewall_port_start}:${firewall_port_end}" >> $FIREWALL_CONFIG
  362. if [ ! ${firewall_protocol} ]; then
  363. iptables -C INPUT -p udp --dport ${firewall_port_start}:${firewall_port_end} -j ACCEPT
  364. if [ ! "$?" = "0" ]; then
  365. iptables -A INPUT -p udp --dport ${firewall_port_start}:${firewall_port_end} -j ACCEPT
  366. fi
  367. iptables -C INPUT -p tcp --dport ${firewall_port_start}:${firewall_port_end} -j ACCEPT
  368. if [ ! "$?" = "0" ]; then
  369. iptables -A INPUT -p tcp --dport ${firewall_port_start}:${firewall_port_end} -j ACCEPT
  370. fi
  371. else
  372. if [[ "${firewall_protocol}" == *"udp"* ]]; then
  373. iptables -C INPUT -p udp --dport ${firewall_port_start}:${firewall_port_end} -j ACCEPT
  374. if [ ! "$?" = "0" ]; then
  375. iptables -A INPUT -p udp --dport ${firewall_port_start}:${firewall_port_end} -j ACCEPT
  376. fi
  377. fi
  378. if [[ "${firewall_protocol}" == *"tcp"* ]]; then
  379. iptables -C INPUT -p tcp --dport ${firewall_port_start}:${firewall_port_end} -j ACCEPT
  380. if [ ! "$?" = "0" ]; then
  381. iptables -A INPUT -p tcp --dport ${firewall_port_start}:${firewall_port_end} -j ACCEPT
  382. fi
  383. fi
  384. fi
  385. save_firewall_settings
  386. fi
  387. }
  388. function firewall_remove {
  389. firewall_port=$1
  390. firewall_protocol="$2"
  391. if [ ! -f $FIREWALL_CONFIG ]; then
  392. return
  393. fi
  394. if grep -q "=${firewall_port}" $FIREWALL_CONFIG; then
  395. if [ ! ${firewall_protocol} ]; then
  396. iptables -D INPUT -p udp --dport ${firewall_port} -j ACCEPT
  397. iptables -D INPUT -p tcp --dport ${firewall_port} -j ACCEPT
  398. else
  399. if [[ "${firewall_protocol}" == *"udp"* ]]; then
  400. iptables -D INPUT -p udp --dport ${firewall_port} -j ACCEPT
  401. fi
  402. if [[ "${firewall_protocol}" == *"tcp"* ]]; then
  403. iptables -D INPUT -p tcp --dport ${firewall_port} -j ACCEPT
  404. fi
  405. fi
  406. sed -i "/=${firewall_port}/d" $FIREWALL_CONFIG
  407. save_firewall_settings
  408. fi
  409. }
  410. function domain_to_hex_string {
  411. domain="$1"
  412. ctr=1
  413. segment=$(echo "$domain" | awk -F '.' -v value="$ctr" '{print $value}')
  414. while [ ${#segment} -gt 0 ]
  415. do
  416. characters=$(echo -n "$segment" | wc -c)
  417. hexnum=$(echo "obase=16; $characters" | bc)
  418. echo -n "|"
  419. if [ $(echo -n "$hexnum" | wc -c) -lt 2 ]; then
  420. echo -n "0"
  421. fi
  422. echo -n "$hexnum|$segment"
  423. ctr=$((ctr + 1))
  424. segment=$(echo "$domain" | awk -F '.' -v value="$ctr" '{print $value}')
  425. done
  426. echo ""
  427. }
  428. function firewall_block_domain {
  429. blocked_domain="$1"
  430. if [[ "$blocked_domain" == *'@'* ]]; then
  431. # Don't try to block email/microblog addresses
  432. return
  433. fi
  434. if ! grep -q "$blocked_domain" $FIREWALL_DOMAINS; then
  435. hexstr=$(domain_to_hex_string $blocked_domain)
  436. iptables -C INPUT -p udp --dport 53 -m string --hex-string "$hexstr" --algo bm -j DROP
  437. if [ ! "$?" = "0" ]; then
  438. iptables -A INPUT -p udp --dport 53 -m string --hex-string "$hexstr" --algo bm -j DROP
  439. iptables -A INPUT -p tcp --dport 53 -m string --hex-string "$hexstr" --algo bm -j DROP
  440. iptables -A OUTPUT -p udp --dport 53 -m string --hex-string "$hexstr" --algo bm -j DROP
  441. iptables -A OUTPUT -p tcp --dport 53 -m string --hex-string "$hexstr" --algo bm -j DROP
  442. iptables -I FORWARD -p udp --dport 53 -m string --hex-string "$hexstr" --algo bm -j DROP
  443. iptables -I FORWARD -p tcp --dport 53 -m string --hex-string "$hexstr" --algo bm -j DROP
  444. echo "${blocked_domain}" >> $FIREWALL_DOMAINS
  445. save_firewall_settings
  446. fi
  447. # run the blocking rules now
  448. if [ -f /usr/bin/gnusocial-firewall ]; then
  449. /usr/bin/gnusocial-firewall
  450. fi
  451. if [ -f /usr/bin/postactiv-firewall ]; then
  452. /usr/bin/postactiv-firewall
  453. fi
  454. fi
  455. }
  456. function firewall_refresh_blocklist {
  457. if [ ! -f /root/${PROJECT_NAME}-firewall-domains.cfg ]; then
  458. return
  459. fi
  460. while read blocked_domain; do
  461. firewall_block_domain $blocked_domain
  462. done </root/${PROJECT_NAME}-firewall-domains.cfg
  463. }
  464. function firewall_unblock_domain {
  465. unblocked_domain="$1"
  466. if grep -q "${unblocked_domain}" $FIREWALL_DOMAINS; then
  467. hexstr=$(domain_to_hex_string $unblocked_domain)
  468. iptables -D INPUT -p udp --dport 53 -m string --hex-string "$hexstr" --algo bm -j DROP
  469. iptables -D INPUT -p tcp --dport 53 -m string --hex-string "$hexstr" --algo bm -j DROP
  470. iptables -D OUTPUT -p udp --dport 53 -m string --hex-string "$hexstr" --algo bm -j DROP
  471. iptables -D OUTPUT -p tcp --dport 53 -m string --hex-string "$hexstr" --algo bm -j DROP
  472. iptables -D FORWARD -p udp --dport 53 -m string --hex-string "$hexstr" --algo bm -j DROP
  473. iptables -D FORWARD -p tcp --dport 53 -m string --hex-string "$hexstr" --algo bm -j DROP
  474. sed -i "/${unblocked_domain}/d" $FIREWALL_DOMAINS
  475. save_firewall_settings
  476. fi
  477. }
  478. function firewall_drop_spoofed_packets {
  479. if [[ $(is_completed $FUNCNAME) == "1" ]]; then
  480. return
  481. fi
  482. iptables -t mangle -A PREROUTING -s 224.0.0.0/3 -j DROP
  483. iptables -t mangle -A PREROUTING -s 169.254.0.0/16 -j DROP
  484. iptables -t mangle -A PREROUTING -s 172.16.0.0/12 -j DROP
  485. iptables -t mangle -A PREROUTING -s 192.0.2.0/24 -j DROP
  486. iptables -t mangle -A PREROUTING -s 10.0.0.0/8 -j DROP
  487. iptables -t mangle -A PREROUTING -s 240.0.0.0/5 -j DROP
  488. iptables -t mangle -A PREROUTING -s 127.0.0.0/8 ! -i lo -j DROP
  489. function_check save_firewall_settings
  490. save_firewall_settings
  491. mark_completed $FUNCNAME
  492. }
  493. function firewall_rate_limits {
  494. if [[ $(is_completed $FUNCNAME) == "1" ]]; then
  495. return
  496. fi
  497. # Limit connections per source IP
  498. iptables -A INPUT -p tcp -m connlimit --connlimit-above 111 -j REJECT --reject-with tcp-reset
  499. # Limit RST packets
  500. iptables -A INPUT -p tcp --tcp-flags RST RST -m limit --limit 2/s --limit-burst 2 -j ACCEPT
  501. iptables -A INPUT -p tcp --tcp-flags RST RST -j DROP
  502. # Limit new TCP connections per second per source IP
  503. iptables -A INPUT -p tcp -m conntrack --ctstate NEW -m limit --limit 60/s --limit-burst 20 -j ACCEPT
  504. iptables -A INPUT -p tcp -m conntrack --ctstate NEW -j DROP
  505. # SSH brute-force protection
  506. iptables -A INPUT -p tcp --dport ssh -m conntrack --ctstate NEW -m recent --set
  507. iptables -A INPUT -p tcp --dport ssh -m conntrack --ctstate NEW -m recent --update --seconds 60 --hitcount 10 -j DROP
  508. function_check save_firewall_settings
  509. save_firewall_settings
  510. mark_completed $FUNCNAME
  511. }
  512. # NOTE: deliberately no exit 0