freedombone-utils-firewall 28KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398399400401402403404405406407408409410411412413414415416417418419420421422423424425426427428429430431432433434435436437438439440441442443444445446447448449450451452453454455456457458459460461462463464465466467468469470471472473474475476477478479480481482483484485486487488489490491492493494495496497498499500501502503504505506507508509510511512513514515516517518519520521522523524525526527528529530531532533534535536537538539540541542543544545546547548549550551552553554555556557558559560561562563564565566567568569570571572573574575576577578579580581582583584585586587588589590591592593594595596597598599600601602603604605606607608609610611612613614615616617618619620621622623624625626627628629630631632633634635636637638639640641642643644645646647648649650
  1. #!/bin/bash
  2. # _____ _ _
  3. # | __|___ ___ ___ _| |___ _____| |_ ___ ___ ___
  4. # | __| _| -_| -_| . | . | | . | . | | -_|
  5. # |__| |_| |___|___|___|___|_|_|_|___|___|_|_|___|
  6. #
  7. # Freedom in the Cloud
  8. #
  9. # Firewall functions
  10. #
  11. # TODO: in future investigate using nftables
  12. #
  13. # License
  14. # =======
  15. #
  16. # Copyright (C) 2014-2018 Bob Mottram <bob@freedombone.net>
  17. #
  18. # This program is free software: you can redistribute it and/or modify
  19. # it under the terms of the GNU Affero General Public License as published by
  20. # the Free Software Foundation, either version 3 of the License, or
  21. # (at your option) any later version.
  22. #
  23. # This program is distributed in the hope that it will be useful,
  24. # but WITHOUT ANY WARRANTY; without even the implied warranty of
  25. # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
  26. # GNU Affero General Public License for more details.
  27. #
  28. # You should have received a copy of the GNU Affero General Public License
  29. # along with this program. If not, see <http://www.gnu.org/licenses/>.
  30. FIREWALL_CONFIG=$HOME/${PROJECT_NAME}-firewall.cfg
  31. FIREWALL_DOMAINS=$HOME/${PROJECT_NAME}-firewall-domains.cfg
  32. FIREWALL_EIFACE=eth0
  33. EXTERNAL_IPV4_ADDRESS=
  34. function save_firewall_settings {
  35. iptables-save > /etc/firewall.conf
  36. ip6tables-save > /etc/firewall6.conf
  37. printf '#!/bin/sh\n' > /etc/network/if-up.d/iptables
  38. printf 'iptables-restore < /etc/firewall.conf\n' >> /etc/network/if-up.d/iptables
  39. printf 'ip6tables-restore < /etc/firewall6.conf\n' >> /etc/network/if-up.d/iptables
  40. if [ -f /etc/network/if-up.d/iptables ]; then
  41. chmod +x /etc/network/if-up.d/iptables
  42. fi
  43. }
  44. function firewall_block_bad_ip_ranges {
  45. if [ "$INSTALLING_MESH" ]; then
  46. return
  47. fi
  48. if [[ $(is_completed "${FUNCNAME[0]}") == "1" ]]; then
  49. return
  50. fi
  51. # There are various blocklists out there, but they're difficult
  52. # to verify. Indiscriminately blocking ranges without evidence
  53. # would be a bad idea.
  54. # From Wikipedia and elsewhere: US military addresses
  55. iptables -A INPUT -s 6.0.0.0/8 -j DROP
  56. iptables -A OUTPUT -s 6.0.0.0/8 -j DROP
  57. iptables -A INPUT -s 7.0.0.0/8 -j DROP
  58. iptables -A OUTPUT -s 7.0.0.0/8 -j DROP
  59. iptables -A INPUT -s 11.0.0.0/8 -j DROP
  60. iptables -A OUTPUT -s 11.0.0.0/8 -j DROP
  61. iptables -A INPUT -s 21.0.0.0/8 -j DROP
  62. iptables -A OUTPUT -s 21.0.0.0/8 -j DROP
  63. iptables -A INPUT -s 22.0.0.0/8 -j DROP
  64. iptables -A OUTPUT -s 22.0.0.0/8 -j DROP
  65. iptables -A INPUT -s 26.0.0.0/8 -j DROP
  66. iptables -A OUTPUT -s 26.0.0.0/8 -j DROP
  67. iptables -A INPUT -s 28.0.0.0/8 -j DROP
  68. iptables -A OUTPUT -s 28.0.0.0/8 -j DROP
  69. iptables -A INPUT -s 29.0.0.0/8 -j DROP
  70. iptables -A OUTPUT -s 29.0.0.0/8 -j DROP
  71. iptables -A INPUT -s 30.0.0.0/8 -j DROP
  72. iptables -A OUTPUT -s 30.0.0.0/8 -j DROP
  73. iptables -A INPUT -s 33.0.0.0/8 -j DROP
  74. iptables -A OUTPUT -s 33.0.0.0/8 -j DROP
  75. iptables -A INPUT -s 55.0.0.0/8 -j DROP
  76. iptables -A OUTPUT -s 55.0.0.0/8 -j DROP
  77. iptables -A INPUT -s 214.0.0.0/8 -j DROP
  78. iptables -A OUTPUT -s 214.0.0.0/8 -j DROP
  79. iptables -A INPUT -s 215.0.0.0/8 -j DROP
  80. iptables -A OUTPUT -s 215.0.0.0/8 -j DROP
  81. save_firewall_settings
  82. mark_completed "${FUNCNAME[0]}"
  83. }
  84. function global_rate_limit {
  85. if ! grep -q "tcp_challenge_ack_limit" /etc/sysctl.conf; then
  86. echo 'net.ipv4.tcp_challenge_ack_limit = 999999999' >> /etc/sysctl.conf
  87. sysctl -p -q
  88. else
  89. if ! grep -q "net.ipv4.tcp_challenge_ack_limit = 999999999" /etc/sysctl.conf; then
  90. sed -i 's|net.ipv4.tcp_challenge_ack_limit.*|net.ipv4.tcp_challenge_ack_limit = 999999999|g' /etc/sysctl.conf
  91. sysctl -p -q
  92. fi
  93. fi
  94. }
  95. function enable_ipv6 {
  96. # endure that ipv6 is enabled and can route
  97. sed -i 's/net.ipv6.conf.all.disable_ipv6.*/net.ipv6.conf.all.disable_ipv6 = 0/g' /etc/sysctl.conf
  98. #sed -i "s/net.ipv6.conf.all.accept_redirects.*/net.ipv6.conf.all.accept_redirects = 1/g" /etc/sysctl.conf
  99. #sed -i "s/net.ipv6.conf.all.accept_source_route.*/net.ipv6.conf.all.accept_source_route = 1/g" /etc/sysctl.conf
  100. sed -i "s/net.ipv6.conf.all.forwarding.*/net.ipv6.conf.all.forwarding=1/g" /etc/sysctl.conf
  101. echo 1 > /proc/sys/net/ipv6/conf/all/forwarding
  102. }
  103. function firewall_disable_vpn {
  104. firewall_remove VPN 1194
  105. iptables -D INPUT -i ${FIREWALL_EIFACE} -m state --state NEW -p tcp --dport 1194 -j ACCEPT
  106. iptables -D INPUT -i tun+ -j ACCEPT
  107. iptables -D FORWARD -i tun+ -j ACCEPT
  108. iptables -D FORWARD -i tun+ -o ${FIREWALL_EIFACE} -m state --state RELATED,ESTABLISHED -j ACCEPT
  109. iptables -D FORWARD -i ${FIREWALL_EIFACE} -o tun+ -m state --state RELATED,ESTABLISHED -j ACCEPT
  110. iptables -t nat -D POSTROUTING -s 10.8.0.0/24 -o ${FIREWALL_EIFACE} -j MASQUERADE
  111. iptables -D OUTPUT -o tun+ -j ACCEPT
  112. save_firewall_settings
  113. }
  114. function firewall_enable_vpn {
  115. firewall_add VPN 1194 tcp
  116. iptables -A INPUT -i ${FIREWALL_EIFACE} -m state --state NEW -p tcp --dport 1194 -j ACCEPT
  117. iptables -A INPUT -i tun+ -j ACCEPT
  118. iptables -A FORWARD -i tun+ -j ACCEPT
  119. iptables -A FORWARD -i tun+ -o ${FIREWALL_EIFACE} -m state --state RELATED,ESTABLISHED -j ACCEPT
  120. iptables -A FORWARD -i ${FIREWALL_EIFACE} -o tun+ -m state --state RELATED,ESTABLISHED -j ACCEPT
  121. iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o ${FIREWALL_EIFACE} -j MASQUERADE
  122. iptables -A OUTPUT -o tun+ -j ACCEPT
  123. save_firewall_settings
  124. }
  125. function configure_firewall {
  126. if [ "$INSTALLING_MESH" ]; then
  127. mesh_firewall
  128. return
  129. fi
  130. if grep -q "RELATED" /etc/firewall.conf; then
  131. # recreate the firewall to remove RELATED
  132. sed -i "/firewall/d" "$COMPLETION_FILE"
  133. fi
  134. if [[ $(is_completed "${FUNCNAME[0]}") == "1" ]]; then
  135. return
  136. fi
  137. if [[ $INSTALLED_WITHIN_DOCKER == "yes" ]]; then
  138. # docker does its own firewalling
  139. return
  140. fi
  141. iptables -P INPUT ACCEPT
  142. ip6tables -P INPUT ACCEPT
  143. iptables -F
  144. ip6tables -F
  145. iptables -t nat -F
  146. ip6tables -t nat -F
  147. iptables -X
  148. ip6tables -X
  149. iptables -P INPUT DROP
  150. ip6tables -P INPUT DROP
  151. iptables -P FORWARD DROP
  152. ip6tables -P FORWARD DROP
  153. iptables -A INPUT -i lo -j ACCEPT
  154. iptables -A INPUT -m conntrack --ctstate ESTABLISHED -j ACCEPT
  155. # Drop invalid packets
  156. iptables -t mangle -A PREROUTING -m conntrack --ctstate INVALID -j DROP
  157. # Make sure incoming tcp connections are SYN packets
  158. iptables -A INPUT -p tcp ! --syn -m state --state NEW -j DROP
  159. iptables -t mangle -A PREROUTING -p tcp ! --syn -m conntrack --ctstate NEW -j DROP
  160. # Drop SYN packets with suspicious MSS value
  161. iptables -t mangle -A PREROUTING -p tcp -m conntrack --ctstate NEW -m tcpmss ! --mss 536:65535 -j DROP
  162. # Drop packets with incoming fragments
  163. iptables -A INPUT -f -j DROP
  164. # Drop bogons
  165. iptables -A INPUT -p tcp --tcp-flags ALL ALL -j DROP
  166. iptables -A INPUT -p tcp --tcp-flags ALL FIN,PSH,URG -j DROP
  167. iptables -A INPUT -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j DROP
  168. iptables -t mangle -A PREROUTING -p tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j DROP
  169. iptables -t mangle -A PREROUTING -p tcp --tcp-flags FIN,SYN FIN,SYN -j DROP
  170. iptables -t mangle -A PREROUTING -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
  171. iptables -t mangle -A PREROUTING -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
  172. iptables -t mangle -A PREROUTING -p tcp --tcp-flags FIN,RST FIN,RST -j DROP
  173. iptables -t mangle -A PREROUTING -p tcp --tcp-flags FIN,ACK FIN -j DROP
  174. iptables -t mangle -A PREROUTING -p tcp --tcp-flags ACK,URG URG -j DROP
  175. iptables -t mangle -A PREROUTING -p tcp --tcp-flags ACK,FIN FIN -j DROP
  176. iptables -t mangle -A PREROUTING -p tcp --tcp-flags ACK,PSH PSH -j DROP
  177. iptables -t mangle -A PREROUTING -p tcp --tcp-flags ALL ALL -j DROP
  178. iptables -t mangle -A PREROUTING -p tcp --tcp-flags ALL NONE -j DROP
  179. iptables -t mangle -A PREROUTING -p tcp --tcp-flags ALL FIN,PSH,URG -j DROP
  180. iptables -t mangle -A PREROUTING -p tcp --tcp-flags ALL SYN,FIN,PSH,URG -j DROP
  181. iptables -t mangle -A PREROUTING -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j DROP
  182. # Incoming malformed NULL packets:
  183. iptables -A INPUT -p tcp --tcp-flags ALL NONE -j DROP
  184. mark_completed "${FUNCNAME[0]}"
  185. }
  186. function firewall_drop_telnet {
  187. if [[ $(is_completed "${FUNCNAME[0]}") == "1" ]]; then
  188. return
  189. fi
  190. # telnet isn't enabled as an input and we can also
  191. # drop any outgoing telnet, just in case
  192. iptables -A OUTPUT -p tcp --dport telnet -j REJECT
  193. iptables -A OUTPUT -p udp --dport telnet -j REJECT
  194. function_check save_firewall_settings
  195. save_firewall_settings
  196. mark_completed "${FUNCNAME[0]}"
  197. }
  198. function configure_firewall_ping {
  199. if [[ $(is_completed "${FUNCNAME[0]}") == "1" ]]; then
  200. return
  201. fi
  202. # Only allow ping for mesh installs
  203. if [[ $SYSTEM_TYPE != "mesh"* ]]; then
  204. return
  205. fi
  206. iptables -A INPUT -p icmp --icmp-type echo-request -j ACCEPT
  207. iptables -A OUTPUT -p icmp --icmp-type echo-reply -j ACCEPT
  208. function_check save_firewall_settings
  209. save_firewall_settings
  210. mark_completed "${FUNCNAME[0]}"
  211. }
  212. function configure_internet_protocol {
  213. if [[ $(is_completed "${FUNCNAME[0]}") == "1" ]]; then
  214. return
  215. fi
  216. if [[ $SYSTEM_TYPE == "mesh"* ]]; then
  217. return
  218. fi
  219. sed -i "s/#net.ipv4.tcp_syncookies.*/net.ipv4.tcp_syncookies=1/g" /etc/sysctl.conf
  220. sed -i "s/#net.ipv4.conf.all.accept_redirects.*/net.ipv4.conf.all.accept_redirects = 0/g" /etc/sysctl.conf
  221. sed -i "s/#net.ipv6.conf.all.accept_redirects.*/net.ipv6.conf.all.accept_redirects = 0/g" /etc/sysctl.conf
  222. sed -i "s/#net.ipv4.conf.all.send_redirects.*/net.ipv4.conf.all.send_redirects = 0/g" /etc/sysctl.conf
  223. sed -i "s/#net.ipv4.conf.all.accept_source_route.*/net.ipv4.conf.all.accept_source_route = 0/g" /etc/sysctl.conf
  224. sed -i "s/#net.ipv6.conf.all.accept_source_route.*/net.ipv6.conf.all.accept_source_route = 0/g" /etc/sysctl.conf
  225. sed -i "s/#net.ipv4.conf.default.rp_filter.*/net.ipv4.conf.default.rp_filter=1/g" /etc/sysctl.conf
  226. sed -i "s/#net.ipv4.conf.all.rp_filter.*/net.ipv4.conf.all.rp_filter=1/g" /etc/sysctl.conf
  227. sed -i "s/#net.ipv4.ip_forward.*/net.ipv4.ip_forward=0/g" /etc/sysctl.conf
  228. sed -i "s/#net.ipv6.conf.all.forwarding.*/net.ipv6.conf.all.forwarding=0/g" /etc/sysctl.conf
  229. sed -i "s/# net.ipv4.tcp_syncookies.*/net.ipv4.tcp_syncookies=1/g" /etc/sysctl.conf
  230. sed -i "s/# net.ipv4.conf.all.accept_redirects.*/net.ipv4.conf.all.accept_redirects = 0/g" /etc/sysctl.conf
  231. sed -i "s/# net.ipv6.conf.all.accept_redirects.*/net.ipv6.conf.all.accept_redirects = 0/g" /etc/sysctl.conf
  232. sed -i "s/# net.ipv4.conf.all.send_redirects.*/net.ipv4.conf.all.send_redirects = 0/g" /etc/sysctl.conf
  233. sed -i "s/# net.ipv4.conf.all.accept_source_route.*/net.ipv4.conf.all.accept_source_route = 0/g" /etc/sysctl.conf
  234. sed -i "s/# net.ipv6.conf.all.accept_source_route.*/net.ipv6.conf.all.accept_source_route = 0/g" /etc/sysctl.conf
  235. sed -i "s/# net.ipv4.conf.default.rp_filter.*/net.ipv4.conf.default.rp_filter=1/g" /etc/sysctl.conf
  236. sed -i "s/# net.ipv4.conf.all.rp_filter.*/net.ipv4.conf.all.rp_filter=1/g" /etc/sysctl.conf
  237. sed -i "s/# net.ipv4.ip_forward.*/net.ipv4.ip_forward=0/g" /etc/sysctl.conf
  238. sed -i "s/# net.ipv6.conf.all.forwarding.*/net.ipv6.conf.all.forwarding=0/g" /etc/sysctl.conf
  239. if ! grep -q "ignore pings" /etc/sysctl.conf; then
  240. echo '# ignore pings' >> /etc/sysctl.conf
  241. echo 'net.ipv4.icmp_echo_ignore_all = 1' >> /etc/sysctl.conf
  242. #echo 'net.ipv6.icmp_echo_ignore_all = 1' >> /etc/sysctl.conf
  243. fi
  244. if ! grep -q "disable ipv6" /etc/sysctl.conf; then
  245. echo '# disable ipv6' >> /etc/sysctl.conf
  246. echo 'net.ipv6.conf.all.disable_ipv6 = 1' >> /etc/sysctl.conf
  247. fi
  248. if ! grep -q "net.ipv4.tcp_synack_retries" /etc/sysctl.conf; then
  249. echo 'net.ipv4.tcp_synack_retries = 2' >> /etc/sysctl.conf
  250. echo 'net.ipv4.tcp_syn_retries = 1' >> /etc/sysctl.conf
  251. fi
  252. if ! grep -q "keepalive" /etc/sysctl.conf; then
  253. { echo '# keepalive';
  254. echo 'net.ipv4.tcp_keepalive_probes = 9';
  255. echo 'net.ipv4.tcp_keepalive_intvl = 75';
  256. echo 'net.ipv4.tcp_keepalive_time = 7200'; } >> /etc/sysctl.conf
  257. fi
  258. if ! grep -q "net.ipv4.conf.default.send_redirects" /etc/sysctl.conf; then
  259. echo "net.ipv4.conf.default.send_redirects = 0" >> /etc/sysctl.conf
  260. else
  261. sed -i "s|# net.ipv4.conf.default.send_redirects.*|net.ipv4.conf.default.send_redirects = 0|g" /etc/sysctl.conf
  262. sed -i "s|#net.ipv4.conf.default.send_redirects.*|net.ipv4.conf.default.send_redirects = 0|g" /etc/sysctl.conf
  263. sed -i "s|net.ipv4.conf.default.send_redirects.*|net.ipv4.conf.default.send_redirects = 0|g" /etc/sysctl.conf
  264. fi
  265. if ! grep -q "net.ipv4.conf.all.secure_redirects" /etc/sysctl.conf; then
  266. echo "net.ipv4.conf.all.secure_redirects = 0" >> /etc/sysctl.conf
  267. else
  268. sed -i "s|# net.ipv4.conf.all.secure_redirects.*|net.ipv4.conf.all.secure_redirects = 0|g" /etc/sysctl.conf
  269. sed -i "s|#net.ipv4.conf.all.secure_redirects.*|net.ipv4.conf.all.secure_redirects = 0|g" /etc/sysctl.conf
  270. sed -i "s|net.ipv4.conf.all.secure_redirects.*|net.ipv4.conf.all.secure_redirects = 0|g" /etc/sysctl.conf
  271. fi
  272. if ! grep -q "net.ipv4.conf.default.accept_source_route" /etc/sysctl.conf; then
  273. echo "net.ipv4.conf.default.accept_source_route = 0" >> /etc/sysctl.conf
  274. else
  275. sed -i "s|# net.ipv4.conf.default.accept_source_route.*|net.ipv4.conf.default.accept_source_route = 0|g" /etc/sysctl.conf
  276. sed -i "s|#net.ipv4.conf.default.accept_source_route.*|net.ipv4.conf.default.accept_source_route = 0|g" /etc/sysctl.conf
  277. sed -i "s|net.ipv4.conf.default.accept_source_route.*|net.ipv4.conf.default.accept_source_route = 0|g" /etc/sysctl.conf
  278. fi
  279. if ! grep -q "net.ipv4.conf.default.secure_redirects" /etc/sysctl.conf; then
  280. echo "net.ipv4.conf.default.secure_redirects = 0" >> /etc/sysctl.conf
  281. else
  282. sed -i "s|# net.ipv4.conf.default.secure_redirects.*|net.ipv4.conf.default.secure_redirects = 0|g" /etc/sysctl.conf
  283. sed -i "s|#net.ipv4.conf.default.secure_redirects.*|net.ipv4.conf.default.secure_redirects = 0|g" /etc/sysctl.conf
  284. sed -i "s|net.ipv4.conf.default.secure_redirects.*|net.ipv4.conf.default.secure_redirects = 0|g" /etc/sysctl.conf
  285. fi
  286. if ! grep -q "net.ipv4.conf.default.accept_redirects" /etc/sysctl.conf; then
  287. echo "net.ipv4.conf.default.accept_redirects = 0" >> /etc/sysctl.conf
  288. else
  289. sed -i "s|# net.ipv4.conf.default.accept_redirects.*|net.ipv4.conf.default.accept_redirects = 0|g" /etc/sysctl.conf
  290. sed -i "s|#net.ipv4.conf.default.accept_redirects.*|net.ipv4.conf.default.accept_redirects = 0|g" /etc/sysctl.conf
  291. sed -i "s|net.ipv4.conf.default.accept_redirects.*|net.ipv4.conf.default.accept_redirects = 0|g" /etc/sysctl.conf
  292. fi
  293. # Randomize kernel
  294. if ! grep -q "kernel.randomize_va_space" /etc/sysctl.conf; then
  295. echo "kernel.randomize_va_space=2" >> /etc/sysctl.conf
  296. else
  297. sed -i 's|kernel.randomize_va_space.*|kernel.randomize_va_space=2|g' /etc/sysctl.conf
  298. fi
  299. # Turn off the tcp_timestamps
  300. if ! grep -q "net.ipv4.tcp_timestamps" /etc/sysctl.conf; then
  301. echo "net.ipv4.tcp_timestamps=0" >> /etc/sysctl.conf
  302. else
  303. sed -i 's|net.ipv4.tcp_timestamps.*|net.ipv4.tcp_timestamps=0|g' /etc/sysctl.conf
  304. fi
  305. /sbin/sysctl -p
  306. mark_completed "${FUNCNAME[0]}"
  307. }
  308. function mesh_firewall {
  309. # shellcheck disable=SC2154
  310. FIREWALL_FILENAME="${rootdir}/etc/systemd/system/meshfirewall.service"
  311. MESH_FIREWALL_SCRIPT=${rootdir}/usr/bin/mesh-firewall
  312. { echo '#!/bin/bash';
  313. echo 'iptables -P INPUT ACCEPT';
  314. echo 'ip6tables -P INPUT ACCEPT';
  315. echo 'iptables -F';
  316. echo 'ip6tables -F';
  317. echo 'iptables -t nat -F';
  318. echo 'ip6tables -t nat -F';
  319. echo 'iptables -X';
  320. echo 'ip6tables -X';
  321. echo 'iptables -P INPUT DROP';
  322. echo 'ip6tables -P INPUT DROP';
  323. echo 'iptables -A INPUT -i lo -j ACCEPT';
  324. echo 'ip6tables -A INPUT -i lo -j ACCEPT';
  325. echo 'iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT';
  326. echo 'ip6tables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT';
  327. echo '';
  328. echo '# Make sure incoming tcp connections are SYN packets';
  329. echo 'iptables -A INPUT -p tcp ! --syn -m state --state NEW -j DROP';
  330. echo 'ip6tables -A INPUT -p tcp ! --syn -m state --state NEW -j DROP';
  331. echo '';
  332. echo '# Drop packets with incoming fragments';
  333. echo 'iptables -A INPUT -f -j DROP';
  334. echo 'ip6tables -A INPUT -f -j DROP';
  335. echo '';
  336. echo '# Drop bogons';
  337. echo 'iptables -A INPUT -p tcp --tcp-flags ALL ALL -j DROP';
  338. echo 'ip6tables -A INPUT -p tcp --tcp-flags ALL ALL -j DROP';
  339. echo 'iptables -A INPUT -p tcp --tcp-flags ALL FIN,PSH,URG -j DROP';
  340. echo 'ip6tables -A INPUT -p tcp --tcp-flags ALL FIN,PSH,URG -j DROP';
  341. echo 'iptables -A INPUT -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j DROP';
  342. echo 'ip6tables -A INPUT -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j DROP';
  343. echo '';
  344. echo '# Incoming malformed NULL packets:';
  345. echo 'iptables -A INPUT -p tcp --tcp-flags ALL NONE -j DROP';
  346. echo 'ip6tables -A INPUT -p tcp --tcp-flags ALL NONE -j DROP';
  347. echo '';
  348. echo "iptables -A INPUT -p tcp --dport $TOX_PORT -j ACCEPT";
  349. echo "ip6tables -A INPUT -p tcp --dport $TOX_PORT -j ACCEPT";
  350. echo "iptables -A INPUT -p udp --dport $ZERONET_PORT -j ACCEPT";
  351. echo "ip6tables -A INPUT -p udp --dport $ZERONET_PORT -j ACCEPT";
  352. echo "iptables -A INPUT -p tcp --dport $ZERONET_PORT -j ACCEPT";
  353. echo "ip6tables -A INPUT -p tcp --dport $ZERONET_PORT -j ACCEPT";
  354. echo "iptables -A INPUT -p udp --dport $TRACKER_PORT -j ACCEPT";
  355. echo "ip6tables -A INPUT -p udp --dport $TRACKER_PORT -j ACCEPT";
  356. echo "iptables -A INPUT -p tcp --dport $TRACKER_PORT -j ACCEPT";
  357. echo "ip6tables -A INPUT -p tcp --dport $TRACKER_PORT -j ACCEPT";
  358. echo "iptables -A INPUT -p udp --dport 1900 -j ACCEPT";
  359. echo "ip6tables -A INPUT -p udp --dport 1900 -j ACCEPT"; } > "$MESH_FIREWALL_SCRIPT"
  360. chmod +x "$MESH_FIREWALL_SCRIPT"
  361. { echo '[Unit]';
  362. echo 'Description=Mesh Firewall';
  363. echo '';
  364. echo '[Service]';
  365. echo 'Type=oneshot';
  366. echo 'ExecStart=/usr/bin/mesh-firewall';
  367. echo 'RemainAfterExit=no';
  368. echo '';
  369. echo 'TimeoutSec=30';
  370. echo '';
  371. echo '[Install]';
  372. echo 'WantedBy=multi-user.target'; } > "$FIREWALL_FILENAME"
  373. chmod +x "$FIREWALL_FILENAME"
  374. chroot "$rootdir" systemctl enable meshfirewall
  375. }
  376. function firewall_add {
  377. firewall_name=$(string="$1" ; echo "${string// /-}")
  378. firewall_port=$2
  379. firewall_protocol="$3"
  380. if ! grep -q "${firewall_name}=${firewall_port}" "$FIREWALL_CONFIG"; then
  381. echo "${firewall_name}=${firewall_port}" >> "$FIREWALL_CONFIG"
  382. if [ ! "${firewall_protocol}" ]; then
  383. if ! iptables -C INPUT -p udp --dport "${firewall_port}" -j ACCEPT; then
  384. iptables -A INPUT -p udp --dport "${firewall_port}" -j ACCEPT
  385. fi
  386. if ! iptables -C INPUT -p tcp --dport "${firewall_port}" -j ACCEPT; then
  387. iptables -A INPUT -p tcp --dport "${firewall_port}" -j ACCEPT
  388. fi
  389. else
  390. if [[ "${firewall_protocol}" == *"udp"* ]]; then
  391. if ! iptables -C INPUT -p udp --dport "${firewall_port}" -j ACCEPT; then
  392. iptables -A INPUT -p udp --dport "${firewall_port}" -j ACCEPT
  393. fi
  394. fi
  395. if [[ "${firewall_protocol}" == *"tcp"* ]]; then
  396. if ! iptables -C INPUT -p tcp --dport "${firewall_port}" -j ACCEPT; then
  397. iptables -A INPUT -p tcp --dport "${firewall_port}" -j ACCEPT
  398. fi
  399. fi
  400. fi
  401. save_firewall_settings
  402. fi
  403. }
  404. function firewall_add_range {
  405. firewall_name=$(string="$1" ; echo "${string// /-}")
  406. firewall_port_start=$2
  407. firewall_port_end=$3
  408. firewall_protocol="$4"
  409. if ! grep -q "${firewall_name}=${firewall_port_start}:${firewall_port_end}" "$FIREWALL_CONFIG"; then
  410. echo "${firewall_name}=${firewall_port_start}:${firewall_port_end}" >> "$FIREWALL_CONFIG"
  411. if [ ! "${firewall_protocol}" ]; then
  412. if ! iptables -C INPUT -p udp --dport "${firewall_port_start}":"${firewall_port_end}" -j ACCEPT; then
  413. iptables -A INPUT -p udp --dport "${firewall_port_start}":"${firewall_port_end}" -j ACCEPT
  414. fi
  415. if ! iptables -C INPUT -p tcp --dport "${firewall_port_start}":"${firewall_port_end}" -j ACCEPT; then
  416. iptables -A INPUT -p tcp --dport "${firewall_port_start}":"${firewall_port_end}" -j ACCEPT
  417. fi
  418. else
  419. if [[ "${firewall_protocol}" == *"udp"* ]]; then
  420. if ! iptables -C INPUT -p udp --dport "${firewall_port_start}":"${firewall_port_end}" -j ACCEPT; then
  421. iptables -A INPUT -p udp --dport "${firewall_port_start}":"${firewall_port_end}" -j ACCEPT
  422. fi
  423. fi
  424. if [[ "${firewall_protocol}" == *"tcp"* ]]; then
  425. if ! iptables -C INPUT -p tcp --dport "${firewall_port_start}":"${firewall_port_end}" -j ACCEPT; then
  426. iptables -A INPUT -p tcp --dport "${firewall_port_start}":"${firewall_port_end}" -j ACCEPT
  427. fi
  428. fi
  429. fi
  430. save_firewall_settings
  431. fi
  432. }
  433. function firewall_remove {
  434. firewall_port=$1
  435. firewall_protocol="$2"
  436. if [ ! -f "$FIREWALL_CONFIG" ]; then
  437. return
  438. fi
  439. if grep -q "=${firewall_port}" "$FIREWALL_CONFIG"; then
  440. if [ ! "${firewall_protocol}" ]; then
  441. iptables -D INPUT -p udp --dport "${firewall_port}" -j ACCEPT
  442. iptables -D INPUT -p tcp --dport "${firewall_port}" -j ACCEPT
  443. else
  444. if [[ "${firewall_protocol}" == *"udp"* ]]; then
  445. iptables -D INPUT -p udp --dport "${firewall_port}" -j ACCEPT
  446. fi
  447. if [[ "${firewall_protocol}" == *"tcp"* ]]; then
  448. iptables -D INPUT -p tcp --dport "${firewall_port}" -j ACCEPT
  449. fi
  450. fi
  451. sed -i "/=${firewall_port}/d" "$FIREWALL_CONFIG"
  452. save_firewall_settings
  453. fi
  454. }
  455. function domain_to_hex_string {
  456. domain="$1"
  457. ctr=1
  458. segment=$(echo "$domain" | awk -F '.' -v value="$ctr" '{print $value}')
  459. while [ ${#segment} -gt 0 ]
  460. do
  461. characters=$(echo -n "$segment" | wc -c)
  462. hexnum=$(echo "obase=16; $characters" | bc)
  463. echo -n "|"
  464. if [ "$(echo -n "$hexnum" | wc -c)" -lt 2 ]; then
  465. echo -n "0"
  466. fi
  467. echo -n "$hexnum|$segment"
  468. ctr=$((ctr + 1))
  469. segment=$(echo "$domain" | awk -F '.' -v value="$ctr" '{print $value}')
  470. done
  471. echo ""
  472. }
  473. function firewall_block_domain {
  474. blocked_domain="$1"
  475. if [[ "$blocked_domain" == *'@'* ]]; then
  476. # Don't try to block email/microblog addresses
  477. echo "${blocked_domain}" >> "$FIREWALL_DOMAINS"
  478. return
  479. fi
  480. if ! grep -q "$blocked_domain" "$FIREWALL_DOMAINS"; then
  481. hexstr=$(domain_to_hex_string "$blocked_domain")
  482. if ! iptables -C INPUT -p udp --dport 53 -m string --hex-string "$hexstr" --algo bm -j DROP; then
  483. iptables -A INPUT -p udp --dport 53 -m string --hex-string "$hexstr" --algo bm -j DROP
  484. iptables -A INPUT -p tcp --dport 53 -m string --hex-string "$hexstr" --algo bm -j DROP
  485. iptables -A OUTPUT -p udp --dport 53 -m string --hex-string "$hexstr" --algo bm -j DROP
  486. iptables -A OUTPUT -p tcp --dport 53 -m string --hex-string "$hexstr" --algo bm -j DROP
  487. iptables -I FORWARD -p udp --dport 53 -m string --hex-string "$hexstr" --algo bm -j DROP
  488. iptables -I FORWARD -p tcp --dport 53 -m string --hex-string "$hexstr" --algo bm -j DROP
  489. echo "${blocked_domain}" >> "$FIREWALL_DOMAINS"
  490. save_firewall_settings
  491. fi
  492. # run the blocking rules now
  493. if [ -f /usr/bin/gnusocial-firewall ]; then
  494. /usr/bin/gnusocial-firewall
  495. fi
  496. if [ -f /usr/bin/postactiv-firewall ]; then
  497. /usr/bin/postactiv-firewall
  498. fi
  499. if [ -f /usr/bin/pleroma-blocking ]; then
  500. /usr/bin/pleroma-blocking
  501. fi
  502. fi
  503. }
  504. function firewall_block_ip {
  505. blocked_ip="$1"
  506. if [[ "$blocked_ip" == *'@'* ]]; then
  507. # Don't try to block email/microblog addresses
  508. return
  509. fi
  510. if ! grep -q "$blocked_ip" "$FIREWALL_DOMAINS"; then
  511. if ! iptables -C INPUT -s "$blocked_ip" -j DROP; then
  512. iptables -A INPUT -s "$blocked_ip" -j DROP
  513. iptables -A OUTPUT -s "$blocked_ip" -j DROP
  514. echo "${blocked_ip}" >> "$FIREWALL_DOMAINS"
  515. save_firewall_settings
  516. fi
  517. fi
  518. }
  519. function firewall_unblock_ip {
  520. blocked_ip="$1"
  521. if [[ "$blocked_ip" == *'@'* ]]; then
  522. # Don't try to block email/microblog addresses
  523. return
  524. fi
  525. if grep -q "$blocked_ip" "$FIREWALL_DOMAINS"; then
  526. iptables -D INPUT -s "$blocked_ip" -j DROP
  527. iptables -D OUTPUT -s "$blocked_ip" -j DROP
  528. sed -i "/$blocked_ip/d" "$FIREWALL_DOMAINS"
  529. echo "${blocked_ip}" >> "$FIREWALL_DOMAINS"
  530. save_firewall_settings
  531. fi
  532. }
  533. function firewall_refresh_blocklist {
  534. if [ ! -f "/root/${PROJECT_NAME}-firewall-domains.cfg" ]; then
  535. return
  536. fi
  537. while read -r blocked_domain; do
  538. firewall_block_domain "$blocked_domain"
  539. done <"/root/${PROJECT_NAME}-firewall-domains.cfg"
  540. }
  541. function firewall_unblock_domain {
  542. unblocked_domain="$1"
  543. if grep -q "${unblocked_domain}" "$FIREWALL_DOMAINS"; then
  544. if [[ "${unblocked_domain}" != *'@'* ]]; then
  545. hexstr=$(domain_to_hex_string "$unblocked_domain")
  546. iptables -D INPUT -p udp --dport 53 -m string --hex-string "$hexstr" --algo bm -j DROP
  547. iptables -D INPUT -p tcp --dport 53 -m string --hex-string "$hexstr" --algo bm -j DROP
  548. iptables -D OUTPUT -p udp --dport 53 -m string --hex-string "$hexstr" --algo bm -j DROP
  549. iptables -D OUTPUT -p tcp --dport 53 -m string --hex-string "$hexstr" --algo bm -j DROP
  550. iptables -D FORWARD -p udp --dport 53 -m string --hex-string "$hexstr" --algo bm -j DROP
  551. iptables -D FORWARD -p tcp --dport 53 -m string --hex-string "$hexstr" --algo bm -j DROP
  552. save_firewall_settings
  553. fi
  554. sed -i "/${unblocked_domain}/d" "$FIREWALL_DOMAINS"
  555. fi
  556. if grep -q " $unblocked_domain" /etc/hosts; then
  557. sed -i "/ $unblocked_domain/d" /etc/hosts
  558. fi
  559. }
  560. function firewall_drop_spoofed_packets {
  561. if [[ $(is_completed "${FUNCNAME[0]}") == "1" ]]; then
  562. return
  563. fi
  564. iptables -t mangle -A PREROUTING -s 224.0.0.0/3 -j DROP
  565. iptables -t mangle -A PREROUTING -s 169.254.0.0/16 -j DROP
  566. iptables -t mangle -A PREROUTING -s 172.16.0.0/12 -j DROP
  567. iptables -t mangle -A PREROUTING -s 192.0.2.0/24 -j DROP
  568. iptables -t mangle -A PREROUTING -s 10.0.0.0/8 -j DROP
  569. iptables -t mangle -A PREROUTING -s 240.0.0.0/5 -j DROP
  570. iptables -t mangle -A PREROUTING -s 127.0.0.0/8 ! -i lo -j DROP
  571. function_check save_firewall_settings
  572. save_firewall_settings
  573. mark_completed "${FUNCNAME[0]}"
  574. }
  575. function firewall_rate_limits {
  576. if [[ $(is_completed "${FUNCNAME[0]}") == "1" ]]; then
  577. return
  578. fi
  579. # Limit connections per source IP
  580. iptables -A INPUT -p tcp -m connlimit --connlimit-above 111 -j REJECT --reject-with tcp-reset
  581. # Limit RST packets
  582. iptables -A INPUT -p tcp --tcp-flags RST RST -m limit --limit 2/s --limit-burst 2 -j ACCEPT
  583. iptables -A INPUT -p tcp --tcp-flags RST RST -j DROP
  584. # Limit new TCP connections per second per source IP
  585. iptables -A INPUT -p tcp -m conntrack --ctstate NEW -m limit --limit 60/s --limit-burst 20 -j ACCEPT
  586. iptables -A INPUT -p tcp -m conntrack --ctstate NEW -j DROP
  587. # SSH brute-force protection
  588. iptables -A INPUT -p tcp --dport ssh -m conntrack --ctstate NEW -m recent --set
  589. iptables -A INPUT -p tcp --dport ssh -m conntrack --ctstate NEW -m recent --update --seconds 60 --hitcount 10 -j DROP
  590. function_check save_firewall_settings
  591. save_firewall_settings
  592. mark_completed "${FUNCNAME[0]}"
  593. }
  594. # NOTE: deliberately no exit 0