freedombone-utils-firewall 29KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398399400401402403404405406407408409410411412413414415416417418419420421422423424425426427428429430431432433434435436437438439440441442443444445446447448449450451452453454455456457458459460461462463464465466467468469470471472473474475476477478479480481482483484485486487488489490491492493494495496497498499500501502503504505506507508509510511512513514515516517518519520521522523524525526527528529530531532533534535536537538539540541542543544545546547548549550551552553554555556557558559560561562563564565566567568569570571572573574575576577578579580581582583584585586587588589590591592593594595596597598599600601602603604605606607608609610611612613614615616617618619620621622623624625626627628629630631632633634635636637638639640641642643644645646647648649650651652653654655656
  1. #!/bin/bash
  2. #
  3. # .---. . .
  4. # | | |
  5. # |--- .--. .-. .-. .-.| .-. .--.--. |.-. .-. .--. .-.
  6. # | | (.-' (.-' ( | ( )| | | | )( )| | (.-'
  7. # ' ' --' --' -' - -' ' ' -' -' -' ' - --'
  8. #
  9. # Freedom in the Cloud
  10. #
  11. # Firewall functions
  12. #
  13. # TODO: in future investigate using nftables
  14. #
  15. # License
  16. # =======
  17. #
  18. # Copyright (C) 2014-2017 Bob Mottram <bob@freedombone.net>
  19. #
  20. # This program is free software: you can redistribute it and/or modify
  21. # it under the terms of the GNU Affero General Public License as published by
  22. # the Free Software Foundation, either version 3 of the License, or
  23. # (at your option) any later version.
  24. #
  25. # This program is distributed in the hope that it will be useful,
  26. # but WITHOUT ANY WARRANTY; without even the implied warranty of
  27. # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
  28. # GNU Affero General Public License for more details.
  29. #
  30. # You should have received a copy of the GNU Affero General Public License
  31. # along with this program. If not, see <http://www.gnu.org/licenses/>.
  32. FIREWALL_CONFIG=$HOME/${PROJECT_NAME}-firewall.cfg
  33. FIREWALL_DOMAINS=$HOME/${PROJECT_NAME}-firewall-domains.cfg
  34. FIREWALL_EIFACE=eth0
  35. EXTERNAL_IPV4_ADDRESS=
  36. function save_firewall_settings {
  37. iptables-save > /etc/firewall.conf
  38. ip6tables-save > /etc/firewall6.conf
  39. printf '#!/bin/sh\n' > /etc/network/if-up.d/iptables
  40. printf 'iptables-restore < /etc/firewall.conf\n' >> /etc/network/if-up.d/iptables
  41. printf 'ip6tables-restore < /etc/firewall6.conf\n' >> /etc/network/if-up.d/iptables
  42. if [ -f /etc/network/if-up.d/iptables ]; then
  43. chmod +x /etc/network/if-up.d/iptables
  44. fi
  45. }
  46. function firewall_block_bad_ip_ranges {
  47. if [ $INSTALLING_MESH ]; then
  48. return
  49. fi
  50. if [[ $(is_completed $FUNCNAME) == "1" ]]; then
  51. return
  52. fi
  53. # There are various blocklists out there, but they're difficult
  54. # to verify. Indiscriminately blocking ranges without evidence
  55. # would be a bad idea.
  56. # From Wikipedia and elsewhere: US military addresses
  57. iptables -A INPUT -s 6.0.0.0/8 -j DROP
  58. iptables -A OUTPUT -s 6.0.0.0/8 -j DROP
  59. iptables -A INPUT -s 7.0.0.0/8 -j DROP
  60. iptables -A OUTPUT -s 7.0.0.0/8 -j DROP
  61. iptables -A INPUT -s 11.0.0.0/8 -j DROP
  62. iptables -A OUTPUT -s 11.0.0.0/8 -j DROP
  63. iptables -A INPUT -s 21.0.0.0/8 -j DROP
  64. iptables -A OUTPUT -s 21.0.0.0/8 -j DROP
  65. iptables -A INPUT -s 22.0.0.0/8 -j DROP
  66. iptables -A OUTPUT -s 22.0.0.0/8 -j DROP
  67. iptables -A INPUT -s 26.0.0.0/8 -j DROP
  68. iptables -A OUTPUT -s 26.0.0.0/8 -j DROP
  69. iptables -A INPUT -s 28.0.0.0/8 -j DROP
  70. iptables -A OUTPUT -s 28.0.0.0/8 -j DROP
  71. iptables -A INPUT -s 29.0.0.0/8 -j DROP
  72. iptables -A OUTPUT -s 29.0.0.0/8 -j DROP
  73. iptables -A INPUT -s 30.0.0.0/8 -j DROP
  74. iptables -A OUTPUT -s 30.0.0.0/8 -j DROP
  75. iptables -A INPUT -s 33.0.0.0/8 -j DROP
  76. iptables -A OUTPUT -s 33.0.0.0/8 -j DROP
  77. iptables -A INPUT -s 55.0.0.0/8 -j DROP
  78. iptables -A OUTPUT -s 55.0.0.0/8 -j DROP
  79. iptables -A INPUT -s 214.0.0.0/8 -j DROP
  80. iptables -A OUTPUT -s 214.0.0.0/8 -j DROP
  81. iptables -A INPUT -s 215.0.0.0/8 -j DROP
  82. iptables -A OUTPUT -s 215.0.0.0/8 -j DROP
  83. save_firewall_settings
  84. mark_completed $FUNCNAME
  85. }
  86. function global_rate_limit {
  87. if ! grep -q "tcp_challenge_ack_limit" /etc/sysctl.conf; then
  88. echo 'net.ipv4.tcp_challenge_ack_limit = 999999999' >> /etc/sysctl.conf
  89. sysctl -p -q
  90. else
  91. if ! grep -q "net.ipv4.tcp_challenge_ack_limit = 999999999" /etc/sysctl.conf; then
  92. sed -i 's|net.ipv4.tcp_challenge_ack_limit.*|net.ipv4.tcp_challenge_ack_limit = 999999999|g' /etc/sysctl.conf
  93. sysctl -p -q
  94. fi
  95. fi
  96. }
  97. function enable_ipv6 {
  98. # endure that ipv6 is enabled and can route
  99. sed -i 's/net.ipv6.conf.all.disable_ipv6.*/net.ipv6.conf.all.disable_ipv6 = 0/g' /etc/sysctl.conf
  100. #sed -i "s/net.ipv6.conf.all.accept_redirects.*/net.ipv6.conf.all.accept_redirects = 1/g" /etc/sysctl.conf
  101. #sed -i "s/net.ipv6.conf.all.accept_source_route.*/net.ipv6.conf.all.accept_source_route = 1/g" /etc/sysctl.conf
  102. sed -i "s/net.ipv6.conf.all.forwarding.*/net.ipv6.conf.all.forwarding=1/g" /etc/sysctl.conf
  103. echo 1 > /proc/sys/net/ipv6/conf/all/forwarding
  104. }
  105. function update_external_ip {
  106. ip_update_script=/usr/bin/externalipupdate
  107. echo '#!/bin/bash' >> $ip_update_script
  108. echo "existing_ip=\$(cat $CONFIGURATION_FILE | grep \"EXTERNAL_IPV4_ADDRESS=\" | head -n 1 | awk -F '=' '{print \$2}')'" >> $ip_update_script
  109. echo "curr_ip=\$(nslookup . $EXTERNAL_IP_LOOKUP_URL | grep Address | tail -n 1 | awk -F ' ' '{print \$2}')" >> $ip_update_script
  110. echo 'if [[ "$curr_ip" != "$existing_ip" ]]; then' >> $ip_update_script
  111. echo " sed -i \"s|EXTERNAL_IPV4_ADDRESS=.*|EXTERNAL_IPV4_ADDRESS=\${curr_ip}|g\" $CONFIGURATION_FILE" >> $ip_update_script
  112. echo ' iptables-save > /etc/firewall.conf' >> $ip_update_script
  113. echo 'fi' >> $ip_update_script
  114. cron_add_mins 10 $ip_update_script
  115. }
  116. function firewall_disable_vpn {
  117. iptables -D INPUT -i ${FIREWALL_EIFACE} -m state --state NEW -p udp --dport 1194 -j ACCEPT
  118. iptables -D INPUT -i tun+ -j ACCEPT
  119. iptables -D FORWARD -i tun+ -j ACCEPT
  120. iptables -D FORWARD -i tun+ -o ${FIREWALL_EIFACE} -m state --state RELATED,ESTABLISHED -j ACCEPT
  121. iptables -D FORWARD -i ${FIREWALL_EIFACE} -o tun+ -m state --state RELATED,ESTABLISHED -j ACCEPT
  122. iptables -t nat -D POSTROUTING -s 10.8.0.0/24 -o ${FIREWALL_EIFACE} -j MASQUERADE
  123. iptables -D OUTPUT -o tun+ -j ACCEPT
  124. save_firewall_settings
  125. sed -i '/VPN=/d' $FIREWALL_CONFIG
  126. }
  127. function firewall_enable_vpn {
  128. iptables -A INPUT -i ${FIREWALL_EIFACE} -m state --state NEW -p udp --dport 1194 -j ACCEPT
  129. iptables -A INPUT -i tun+ -j ACCEPT
  130. iptables -A FORWARD -i tun+ -j ACCEPT
  131. iptables -A FORWARD -i tun+ -o ${FIREWALL_EIFACE} -m state --state RELATED,ESTABLISHED -j ACCEPT
  132. iptables -A FORWARD -i ${FIREWALL_EIFACE} -o tun+ -m state --state RELATED,ESTABLISHED -j ACCEPT
  133. iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o ${FIREWALL_EIFACE} -j MASQUERADE
  134. iptables -A OUTPUT -o tun+ -j ACCEPT
  135. save_firewall_settings
  136. echo "VPN=1194" >> $FIREWALL_CONFIG
  137. }
  138. function configure_firewall {
  139. if [ $INSTALLING_MESH ]; then
  140. mesh_firewall
  141. return
  142. fi
  143. if grep -q "RELATED" /etc/firewall.conf; then
  144. # recreate the firewall to remove RELATED
  145. sed -i "/firewall/d" $COMPLETION_FILE
  146. fi
  147. if [[ $(is_completed $FUNCNAME) == "1" ]]; then
  148. return
  149. fi
  150. if [[ $INSTALLED_WITHIN_DOCKER == "yes" ]]; then
  151. # docker does its own firewalling
  152. return
  153. fi
  154. iptables -P INPUT ACCEPT
  155. ip6tables -P INPUT ACCEPT
  156. iptables -F
  157. ip6tables -F
  158. iptables -t nat -F
  159. ip6tables -t nat -F
  160. iptables -X
  161. ip6tables -X
  162. iptables -P INPUT DROP
  163. ip6tables -P INPUT DROP
  164. iptables -P FORWARD DROP
  165. ip6tables -P FORWARD DROP
  166. iptables -A INPUT -i lo -j ACCEPT
  167. iptables -A INPUT -m conntrack --ctstate ESTABLISHED -j ACCEPT
  168. # Drop invalid packets
  169. iptables -t mangle -A PREROUTING -m conntrack --ctstate INVALID -j DROP
  170. # Make sure incoming tcp connections are SYN packets
  171. iptables -A INPUT -p tcp ! --syn -m state --state NEW -j DROP
  172. iptables -t mangle -A PREROUTING -p tcp ! --syn -m conntrack --ctstate NEW -j DROP
  173. # Drop SYN packets with suspicious MSS value
  174. iptables -t mangle -A PREROUTING -p tcp -m conntrack --ctstate NEW -m tcpmss ! --mss 536:65535 -j DROP
  175. # Drop packets with incoming fragments
  176. iptables -A INPUT -f -j DROP
  177. # Drop bogons
  178. iptables -A INPUT -p tcp --tcp-flags ALL ALL -j DROP
  179. iptables -A INPUT -p tcp --tcp-flags ALL FIN,PSH,URG -j DROP
  180. iptables -A INPUT -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j DROP
  181. iptables -t mangle -A PREROUTING -p tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j DROP
  182. iptables -t mangle -A PREROUTING -p tcp --tcp-flags FIN,SYN FIN,SYN -j DROP
  183. iptables -t mangle -A PREROUTING -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
  184. iptables -t mangle -A PREROUTING -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
  185. iptables -t mangle -A PREROUTING -p tcp --tcp-flags FIN,RST FIN,RST -j DROP
  186. iptables -t mangle -A PREROUTING -p tcp --tcp-flags FIN,ACK FIN -j DROP
  187. iptables -t mangle -A PREROUTING -p tcp --tcp-flags ACK,URG URG -j DROP
  188. iptables -t mangle -A PREROUTING -p tcp --tcp-flags ACK,FIN FIN -j DROP
  189. iptables -t mangle -A PREROUTING -p tcp --tcp-flags ACK,PSH PSH -j DROP
  190. iptables -t mangle -A PREROUTING -p tcp --tcp-flags ALL ALL -j DROP
  191. iptables -t mangle -A PREROUTING -p tcp --tcp-flags ALL NONE -j DROP
  192. iptables -t mangle -A PREROUTING -p tcp --tcp-flags ALL FIN,PSH,URG -j DROP
  193. iptables -t mangle -A PREROUTING -p tcp --tcp-flags ALL SYN,FIN,PSH,URG -j DROP
  194. iptables -t mangle -A PREROUTING -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j DROP
  195. # Incoming malformed NULL packets:
  196. iptables -A INPUT -p tcp --tcp-flags ALL NONE -j DROP
  197. mark_completed $FUNCNAME
  198. }
  199. function firewall_drop_telnet {
  200. if [[ $(is_completed $FUNCNAME) == "1" ]]; then
  201. return
  202. fi
  203. # telnet isn't enabled as an input and we can also
  204. # drop any outgoing telnet, just in case
  205. iptables -A OUTPUT -p tcp --dport telnet -j REJECT
  206. iptables -A OUTPUT -p udp --dport telnet -j REJECT
  207. function_check save_firewall_settings
  208. save_firewall_settings
  209. mark_completed $FUNCNAME
  210. }
  211. function configure_firewall_ping {
  212. if [[ $(is_completed $FUNCNAME) == "1" ]]; then
  213. return
  214. fi
  215. # Only allow ping for mesh installs
  216. if [[ $SYSTEM_TYPE != "mesh"* ]]; then
  217. return
  218. fi
  219. iptables -A INPUT -p icmp --icmp-type echo-request -j ACCEPT
  220. iptables -A OUTPUT -p icmp --icmp-type echo-reply -j ACCEPT
  221. function_check save_firewall_settings
  222. save_firewall_settings
  223. mark_completed $FUNCNAME
  224. }
  225. function configure_internet_protocol {
  226. if [[ $(is_completed $FUNCNAME) == "1" ]]; then
  227. return
  228. fi
  229. if [[ $SYSTEM_TYPE == "mesh"* ]]; then
  230. return
  231. fi
  232. sed -i "s/#net.ipv4.tcp_syncookies.*/net.ipv4.tcp_syncookies=1/g" /etc/sysctl.conf
  233. sed -i "s/#net.ipv4.conf.all.accept_redirects.*/net.ipv4.conf.all.accept_redirects = 0/g" /etc/sysctl.conf
  234. sed -i "s/#net.ipv6.conf.all.accept_redirects.*/net.ipv6.conf.all.accept_redirects = 0/g" /etc/sysctl.conf
  235. sed -i "s/#net.ipv4.conf.all.send_redirects.*/net.ipv4.conf.all.send_redirects = 0/g" /etc/sysctl.conf
  236. sed -i "s/#net.ipv4.conf.all.accept_source_route.*/net.ipv4.conf.all.accept_source_route = 0/g" /etc/sysctl.conf
  237. sed -i "s/#net.ipv6.conf.all.accept_source_route.*/net.ipv6.conf.all.accept_source_route = 0/g" /etc/sysctl.conf
  238. sed -i "s/#net.ipv4.conf.default.rp_filter.*/net.ipv4.conf.default.rp_filter=1/g" /etc/sysctl.conf
  239. sed -i "s/#net.ipv4.conf.all.rp_filter.*/net.ipv4.conf.all.rp_filter=1/g" /etc/sysctl.conf
  240. sed -i "s/#net.ipv4.ip_forward.*/net.ipv4.ip_forward=0/g" /etc/sysctl.conf
  241. sed -i "s/#net.ipv6.conf.all.forwarding.*/net.ipv6.conf.all.forwarding=0/g" /etc/sysctl.conf
  242. sed -i "s/# net.ipv4.tcp_syncookies.*/net.ipv4.tcp_syncookies=1/g" /etc/sysctl.conf
  243. sed -i "s/# net.ipv4.conf.all.accept_redirects.*/net.ipv4.conf.all.accept_redirects = 0/g" /etc/sysctl.conf
  244. sed -i "s/# net.ipv6.conf.all.accept_redirects.*/net.ipv6.conf.all.accept_redirects = 0/g" /etc/sysctl.conf
  245. sed -i "s/# net.ipv4.conf.all.send_redirects.*/net.ipv4.conf.all.send_redirects = 0/g" /etc/sysctl.conf
  246. sed -i "s/# net.ipv4.conf.all.accept_source_route.*/net.ipv4.conf.all.accept_source_route = 0/g" /etc/sysctl.conf
  247. sed -i "s/# net.ipv6.conf.all.accept_source_route.*/net.ipv6.conf.all.accept_source_route = 0/g" /etc/sysctl.conf
  248. sed -i "s/# net.ipv4.conf.default.rp_filter.*/net.ipv4.conf.default.rp_filter=1/g" /etc/sysctl.conf
  249. sed -i "s/# net.ipv4.conf.all.rp_filter.*/net.ipv4.conf.all.rp_filter=1/g" /etc/sysctl.conf
  250. sed -i "s/# net.ipv4.ip_forward.*/net.ipv4.ip_forward=0/g" /etc/sysctl.conf
  251. sed -i "s/# net.ipv6.conf.all.forwarding.*/net.ipv6.conf.all.forwarding=0/g" /etc/sysctl.conf
  252. if ! grep -q "ignore pings" /etc/sysctl.conf; then
  253. echo '# ignore pings' >> /etc/sysctl.conf
  254. echo 'net.ipv4.icmp_echo_ignore_all = 1' >> /etc/sysctl.conf
  255. echo 'net.ipv6.icmp_echo_ignore_all = 1' >> /etc/sysctl.conf
  256. fi
  257. if ! grep -q "disable ipv6" /etc/sysctl.conf; then
  258. echo '# disable ipv6' >> /etc/sysctl.conf
  259. echo 'net.ipv6.conf.all.disable_ipv6 = 1' >> /etc/sysctl.conf
  260. fi
  261. if ! grep -q "net.ipv4.tcp_synack_retries" /etc/sysctl.conf; then
  262. echo 'net.ipv4.tcp_synack_retries = 2' >> /etc/sysctl.conf
  263. echo 'net.ipv4.tcp_syn_retries = 1' >> /etc/sysctl.conf
  264. fi
  265. if ! grep -q "keepalive" /etc/sysctl.conf; then
  266. echo '# keepalive' >> /etc/sysctl.conf
  267. echo 'net.ipv4.tcp_keepalive_probes = 9' >> /etc/sysctl.conf
  268. echo 'net.ipv4.tcp_keepalive_intvl = 75' >> /etc/sysctl.conf
  269. echo 'net.ipv4.tcp_keepalive_time = 7200' >> /etc/sysctl.conf
  270. fi
  271. if ! grep -q "net.ipv4.conf.default.send_redirects" /etc/sysctl.conf; then
  272. echo "net.ipv4.conf.default.send_redirects = 0" >> /etc/sysctl.conf
  273. else
  274. sed -i "s|# net.ipv4.conf.default.send_redirects.*|net.ipv4.conf.default.send_redirects = 0|g" /etc/sysctl.conf
  275. sed -i "s|#net.ipv4.conf.default.send_redirects.*|net.ipv4.conf.default.send_redirects = 0|g" /etc/sysctl.conf
  276. sed -i "s|net.ipv4.conf.default.send_redirects.*|net.ipv4.conf.default.send_redirects = 0|g" /etc/sysctl.conf
  277. fi
  278. if ! grep -q "net.ipv4.conf.all.secure_redirects" /etc/sysctl.conf; then
  279. echo "net.ipv4.conf.all.secure_redirects = 0" >> /etc/sysctl.conf
  280. else
  281. sed -i "s|# net.ipv4.conf.all.secure_redirects.*|net.ipv4.conf.all.secure_redirects = 0|g" /etc/sysctl.conf
  282. sed -i "s|#net.ipv4.conf.all.secure_redirects.*|net.ipv4.conf.all.secure_redirects = 0|g" /etc/sysctl.conf
  283. sed -i "s|net.ipv4.conf.all.secure_redirects.*|net.ipv4.conf.all.secure_redirects = 0|g" /etc/sysctl.conf
  284. fi
  285. if ! grep -q "net.ipv4.conf.default.accept_source_route" /etc/sysctl.conf; then
  286. echo "net.ipv4.conf.default.accept_source_route = 0" >> /etc/sysctl.conf
  287. else
  288. sed -i "s|# net.ipv4.conf.default.accept_source_route.*|net.ipv4.conf.default.accept_source_route = 0|g" /etc/sysctl.conf
  289. sed -i "s|#net.ipv4.conf.default.accept_source_route.*|net.ipv4.conf.default.accept_source_route = 0|g" /etc/sysctl.conf
  290. sed -i "s|net.ipv4.conf.default.accept_source_route.*|net.ipv4.conf.default.accept_source_route = 0|g" /etc/sysctl.conf
  291. fi
  292. if ! grep -q "net.ipv4.conf.default.secure_redirects" /etc/sysctl.conf; then
  293. echo "net.ipv4.conf.default.secure_redirects = 0" >> /etc/sysctl.conf
  294. else
  295. sed -i "s|# net.ipv4.conf.default.secure_redirects.*|net.ipv4.conf.default.secure_redirects = 0|g" /etc/sysctl.conf
  296. sed -i "s|#net.ipv4.conf.default.secure_redirects.*|net.ipv4.conf.default.secure_redirects = 0|g" /etc/sysctl.conf
  297. sed -i "s|net.ipv4.conf.default.secure_redirects.*|net.ipv4.conf.default.secure_redirects = 0|g" /etc/sysctl.conf
  298. fi
  299. if ! grep -q "net.ipv4.conf.default.accept_redirects" /etc/sysctl.conf; then
  300. echo "net.ipv4.conf.default.accept_redirects = 0" >> /etc/sysctl.conf
  301. else
  302. sed -i "s|# net.ipv4.conf.default.accept_redirects.*|net.ipv4.conf.default.accept_redirects = 0|g" /etc/sysctl.conf
  303. sed -i "s|#net.ipv4.conf.default.accept_redirects.*|net.ipv4.conf.default.accept_redirects = 0|g" /etc/sysctl.conf
  304. sed -i "s|net.ipv4.conf.default.accept_redirects.*|net.ipv4.conf.default.accept_redirects = 0|g" /etc/sysctl.conf
  305. fi
  306. # Randomize kernel
  307. if ! grep -q "kernel.randomize_va_space" /etc/sysctl.conf; then
  308. echo "kernel.randomize_va_space=2" >> /etc/sysctl.conf
  309. else
  310. sed -i 's|kernel.randomize_va_space.*|kernel.randomize_va_space=2|g' /etc/sysctl.conf
  311. fi
  312. # Turn off the tcp_timestamps
  313. if ! grep -q "net.ipv4.tcp_timestamps" /etc/sysctl.conf; then
  314. echo "net.ipv4.tcp_timestamps=0" >> /etc/sysctl.conf
  315. else
  316. sed -i 's|net.ipv4.tcp_timestamps.*|net.ipv4.tcp_timestamps=0|g' /etc/sysctl.conf
  317. fi
  318. /sbin/sysctl -p
  319. mark_completed $FUNCNAME
  320. }
  321. function mesh_firewall {
  322. FIREWALL_FILENAME=${rootdir}/etc/systemd/system/meshfirewall.service
  323. MESH_FIREWALL_SCRIPT=${rootdir}/usr/bin/mesh-firewall
  324. echo '#!/bin/bash' > $MESH_FIREWALL_SCRIPT
  325. echo 'iptables -P INPUT ACCEPT' >> $MESH_FIREWALL_SCRIPT
  326. echo 'ip6tables -P INPUT ACCEPT' >> $MESH_FIREWALL_SCRIPT
  327. echo 'iptables -F' >> $MESH_FIREWALL_SCRIPT
  328. echo 'ip6tables -F' >> $MESH_FIREWALL_SCRIPT
  329. echo 'iptables -t nat -F' >> $MESH_FIREWALL_SCRIPT
  330. echo 'ip6tables -t nat -F' >> $MESH_FIREWALL_SCRIPT
  331. echo 'iptables -X' >> $MESH_FIREWALL_SCRIPT
  332. echo 'ip6tables -X' >> $MESH_FIREWALL_SCRIPT
  333. echo 'iptables -P INPUT DROP' >> $MESH_FIREWALL_SCRIPT
  334. echo 'ip6tables -P INPUT DROP' >> $MESH_FIREWALL_SCRIPT
  335. echo 'iptables -A INPUT -i lo -j ACCEPT' >> $MESH_FIREWALL_SCRIPT
  336. echo 'iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT' >> $MESH_FIREWALL_SCRIPT
  337. echo '' >> $MESH_FIREWALL_SCRIPT
  338. echo '# Make sure incoming tcp connections are SYN packets' >> $MESH_FIREWALL_SCRIPT
  339. echo 'iptables -A INPUT -p tcp ! --syn -m state --state NEW -j DROP' >> $MESH_FIREWALL_SCRIPT
  340. echo '' >> $MESH_FIREWALL_SCRIPT
  341. echo '# Drop packets with incoming fragments' >> $MESH_FIREWALL_SCRIPT
  342. echo 'iptables -A INPUT -f -j DROP' >> $MESH_FIREWALL_SCRIPT
  343. echo '' >> $MESH_FIREWALL_SCRIPT
  344. echo '# Drop bogons' >> $MESH_FIREWALL_SCRIPT
  345. echo 'iptables -A INPUT -p tcp --tcp-flags ALL ALL -j DROP' >> $MESH_FIREWALL_SCRIPT
  346. echo 'iptables -A INPUT -p tcp --tcp-flags ALL FIN,PSH,URG -j DROP' >> $MESH_FIREWALL_SCRIPT
  347. echo 'iptables -A INPUT -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j DROP' >> $MESH_FIREWALL_SCRIPT
  348. echo '' >> $MESH_FIREWALL_SCRIPT
  349. echo '# Incoming malformed NULL packets:' >> $MESH_FIREWALL_SCRIPT
  350. echo 'iptables -A INPUT -p tcp --tcp-flags ALL NONE -j DROP' >> $MESH_FIREWALL_SCRIPT
  351. echo '' >> $MESH_FIREWALL_SCRIPT
  352. echo "iptables -A INPUT -p tcp --dport $TOX_PORT -j ACCEPT" >> $MESH_FIREWALL_SCRIPT
  353. echo "iptables -A INPUT -i $WIFI_INTERFACE -p udp --dport $ZERONET_PORT -j ACCEPT" >> $MESH_FIREWALL_SCRIPT
  354. echo "iptables -A INPUT -i $WIFI_INTERFACE -p tcp --dport $ZERONET_PORT -j ACCEPT" >> $MESH_FIREWALL_SCRIPT
  355. echo "iptables -A INPUT -i $WIFI_INTERFACE -p udp --dport $TRACKER_PORT -j ACCEPT" >> $MESH_FIREWALL_SCRIPT
  356. echo "iptables -A INPUT -i $WIFI_INTERFACE -p tcp --dport $TRACKER_PORT -j ACCEPT" >> $MESH_FIREWALL_SCRIPT
  357. echo "iptables -A INPUT -i $WIFI_INTERFACE -p udp --dport 1900 -j ACCEPT" >> $MESH_FIREWALL_SCRIPT
  358. chmod +x $MESH_FIREWALL_SCRIPT
  359. echo '[Unit]' > $FIREWALL_FILENAME
  360. echo 'Description=Mesh Firewall' >> $FIREWALL_FILENAME
  361. echo '' >> $FIREWALL_FILENAME
  362. echo '[Service]' >> $FIREWALL_FILENAME
  363. echo 'Type=oneshot' >> $FIREWALL_FILENAME
  364. echo 'ExecStart=/usr/bin/mesh-firewall' >> $FIREWALL_FILENAME
  365. echo 'RemainAfterExit=no' >> $FIREWALL_FILENAME
  366. echo '' >> $FIREWALL_FILENAME
  367. echo 'TimeoutSec=30' >> $FIREWALL_FILENAME
  368. echo '' >> $FIREWALL_FILENAME
  369. echo '[Install]' >> $FIREWALL_FILENAME
  370. echo 'WantedBy=multi-user.target' >> $FIREWALL_FILENAME
  371. chmod +x $FIREWALL_FILENAME
  372. chroot "$rootdir" systemctl enable meshfirewall
  373. }
  374. function firewall_add {
  375. firewall_name=$(echo "$1" | sed "s| |-|g")
  376. firewall_port=$2
  377. firewall_protocol="$3"
  378. if ! grep -q "${firewall_name}=${firewall_port}" $FIREWALL_CONFIG; then
  379. echo "${firewall_name}=${firewall_port}" >> $FIREWALL_CONFIG
  380. if [ ! ${firewall_protocol} ]; then
  381. iptables -C INPUT -p udp --dport ${firewall_port} -j ACCEPT
  382. if [ ! "$?" = "0" ]; then
  383. iptables -A INPUT -p udp --dport ${firewall_port} -j ACCEPT
  384. fi
  385. iptables -C INPUT -p tcp --dport ${firewall_port} -j ACCEPT
  386. if [ ! "$?" = "0" ]; then
  387. iptables -A INPUT -p tcp --dport ${firewall_port} -j ACCEPT
  388. fi
  389. else
  390. if [[ "${firewall_protocol}" == *"udp"* ]]; then
  391. iptables -C INPUT -p udp --dport ${firewall_port} -j ACCEPT
  392. if [ ! "$?" = "0" ]; then
  393. iptables -A INPUT -p udp --dport ${firewall_port} -j ACCEPT
  394. fi
  395. fi
  396. if [[ "${firewall_protocol}" == *"tcp"* ]]; then
  397. iptables -C INPUT -p tcp --dport ${firewall_port} -j ACCEPT
  398. if [ ! "$?" = "0" ]; then
  399. iptables -A INPUT -p tcp --dport ${firewall_port} -j ACCEPT
  400. fi
  401. fi
  402. fi
  403. save_firewall_settings
  404. fi
  405. }
  406. function firewall_add_range {
  407. firewall_name=$(echo "$1" | sed "s| |-|g")
  408. firewall_port_start=$2
  409. firewall_port_end=$3
  410. firewall_protocol="$4"
  411. if ! grep -q "${firewall_name}=${firewall_port_start}:${firewall_port_end}" $FIREWALL_CONFIG; then
  412. echo "${firewall_name}=${firewall_port_start}:${firewall_port_end}" >> $FIREWALL_CONFIG
  413. if [ ! ${firewall_protocol} ]; then
  414. iptables -C INPUT -p udp --dport ${firewall_port_start}:${firewall_port_end} -j ACCEPT
  415. if [ ! "$?" = "0" ]; then
  416. iptables -A INPUT -p udp --dport ${firewall_port_start}:${firewall_port_end} -j ACCEPT
  417. fi
  418. iptables -C INPUT -p tcp --dport ${firewall_port_start}:${firewall_port_end} -j ACCEPT
  419. if [ ! "$?" = "0" ]; then
  420. iptables -A INPUT -p tcp --dport ${firewall_port_start}:${firewall_port_end} -j ACCEPT
  421. fi
  422. else
  423. if [[ "${firewall_protocol}" == *"udp"* ]]; then
  424. iptables -C INPUT -p udp --dport ${firewall_port_start}:${firewall_port_end} -j ACCEPT
  425. if [ ! "$?" = "0" ]; then
  426. iptables -A INPUT -p udp --dport ${firewall_port_start}:${firewall_port_end} -j ACCEPT
  427. fi
  428. fi
  429. if [[ "${firewall_protocol}" == *"tcp"* ]]; then
  430. iptables -C INPUT -p tcp --dport ${firewall_port_start}:${firewall_port_end} -j ACCEPT
  431. if [ ! "$?" = "0" ]; then
  432. iptables -A INPUT -p tcp --dport ${firewall_port_start}:${firewall_port_end} -j ACCEPT
  433. fi
  434. fi
  435. fi
  436. save_firewall_settings
  437. fi
  438. }
  439. function firewall_remove {
  440. firewall_port=$1
  441. firewall_protocol="$2"
  442. if [ ! -f $FIREWALL_CONFIG ]; then
  443. return
  444. fi
  445. if grep -q "=${firewall_port}" $FIREWALL_CONFIG; then
  446. if [ ! ${firewall_protocol} ]; then
  447. iptables -D INPUT -p udp --dport ${firewall_port} -j ACCEPT
  448. iptables -D INPUT -p tcp --dport ${firewall_port} -j ACCEPT
  449. else
  450. if [[ "${firewall_protocol}" == *"udp"* ]]; then
  451. iptables -D INPUT -p udp --dport ${firewall_port} -j ACCEPT
  452. fi
  453. if [[ "${firewall_protocol}" == *"tcp"* ]]; then
  454. iptables -D INPUT -p tcp --dport ${firewall_port} -j ACCEPT
  455. fi
  456. fi
  457. sed -i "/=${firewall_port}/d" $FIREWALL_CONFIG
  458. save_firewall_settings
  459. fi
  460. }
  461. function domain_to_hex_string {
  462. domain="$1"
  463. ctr=1
  464. segment=$(echo "$domain" | awk -F '.' -v value="$ctr" '{print $value}')
  465. while [ ${#segment} -gt 0 ]
  466. do
  467. characters=$(echo -n "$segment" | wc -c)
  468. hexnum=$(echo "obase=16; $characters" | bc)
  469. echo -n "|"
  470. if [ $(echo -n "$hexnum" | wc -c) -lt 2 ]; then
  471. echo -n "0"
  472. fi
  473. echo -n "$hexnum|$segment"
  474. ctr=$((ctr + 1))
  475. segment=$(echo "$domain" | awk -F '.' -v value="$ctr" '{print $value}')
  476. done
  477. echo ""
  478. }
  479. function firewall_block_domain {
  480. blocked_domain="$1"
  481. if [[ "$blocked_domain" == *'@'* ]]; then
  482. # Don't try to block email/microblog addresses
  483. echo "${blocked_domain}" >> $FIREWALL_DOMAINS
  484. return
  485. fi
  486. if ! grep -q "$blocked_domain" $FIREWALL_DOMAINS; then
  487. hexstr=$(domain_to_hex_string $blocked_domain)
  488. iptables -C INPUT -p udp --dport 53 -m string --hex-string "$hexstr" --algo bm -j DROP
  489. if [ ! "$?" = "0" ]; then
  490. iptables -A INPUT -p udp --dport 53 -m string --hex-string "$hexstr" --algo bm -j DROP
  491. iptables -A INPUT -p tcp --dport 53 -m string --hex-string "$hexstr" --algo bm -j DROP
  492. iptables -A OUTPUT -p udp --dport 53 -m string --hex-string "$hexstr" --algo bm -j DROP
  493. iptables -A OUTPUT -p tcp --dport 53 -m string --hex-string "$hexstr" --algo bm -j DROP
  494. iptables -I FORWARD -p udp --dport 53 -m string --hex-string "$hexstr" --algo bm -j DROP
  495. iptables -I FORWARD -p tcp --dport 53 -m string --hex-string "$hexstr" --algo bm -j DROP
  496. echo "${blocked_domain}" >> $FIREWALL_DOMAINS
  497. save_firewall_settings
  498. fi
  499. # run the blocking rules now
  500. if [ -f /usr/bin/gnusocial-firewall ]; then
  501. /usr/bin/gnusocial-firewall
  502. fi
  503. if [ -f /usr/bin/postactiv-firewall ]; then
  504. /usr/bin/postactiv-firewall
  505. fi
  506. fi
  507. }
  508. function firewall_block_ip {
  509. blocked_ip="$1"
  510. if [[ "$blocked_ip" == *'@'* ]]; then
  511. # Don't try to block email/microblog addresses
  512. return
  513. fi
  514. if ! grep -q "$blocked_ip" $FIREWALL_DOMAINS; then
  515. iptables -C INPUT -s $blocked_ip -j DROP
  516. if [ ! "$?" = "0" ]; then
  517. iptables -A INPUT -s $blocked_ip -j DROP
  518. iptables -A OUTPUT -s $blocked_ip -j DROP
  519. echo "${blocked_ip}" >> $FIREWALL_DOMAINS
  520. save_firewall_settings
  521. fi
  522. fi
  523. }
  524. function firewall_unblock_ip {
  525. blocked_ip="$1"
  526. if [[ "$blocked_ip" == *'@'* ]]; then
  527. # Don't try to block email/microblog addresses
  528. return
  529. fi
  530. if grep -q "$blocked_ip" $FIREWALL_DOMAINS; then
  531. iptables -D INPUT -s $blocked_ip -j DROP
  532. iptables -D OUTPUT -s $blocked_ip -j DROP
  533. sed -i '/$blocked_ip/d' $FIREWALL_DOMAINS
  534. echo "${blocked_ip}" >> $FIREWALL_DOMAINS
  535. save_firewall_settings
  536. fi
  537. }
  538. function firewall_refresh_blocklist {
  539. if [ ! -f /root/${PROJECT_NAME}-firewall-domains.cfg ]; then
  540. return
  541. fi
  542. while read blocked_domain; do
  543. firewall_block_domain $blocked_domain
  544. done </root/${PROJECT_NAME}-firewall-domains.cfg
  545. }
  546. function firewall_unblock_domain {
  547. unblocked_domain="$1"
  548. if grep -q "${unblocked_domain}" $FIREWALL_DOMAINS; then
  549. if [[ "${unblocked_domain}" != *'@'* ]]; then
  550. hexstr=$(domain_to_hex_string $unblocked_domain)
  551. iptables -D INPUT -p udp --dport 53 -m string --hex-string "$hexstr" --algo bm -j DROP
  552. iptables -D INPUT -p tcp --dport 53 -m string --hex-string "$hexstr" --algo bm -j DROP
  553. iptables -D OUTPUT -p udp --dport 53 -m string --hex-string "$hexstr" --algo bm -j DROP
  554. iptables -D OUTPUT -p tcp --dport 53 -m string --hex-string "$hexstr" --algo bm -j DROP
  555. iptables -D FORWARD -p udp --dport 53 -m string --hex-string "$hexstr" --algo bm -j DROP
  556. iptables -D FORWARD -p tcp --dport 53 -m string --hex-string "$hexstr" --algo bm -j DROP
  557. save_firewall_settings
  558. fi
  559. sed -i "/${unblocked_domain}/d" $FIREWALL_DOMAINS
  560. fi
  561. }
  562. function firewall_drop_spoofed_packets {
  563. if [[ $(is_completed $FUNCNAME) == "1" ]]; then
  564. return
  565. fi
  566. iptables -t mangle -A PREROUTING -s 224.0.0.0/3 -j DROP
  567. iptables -t mangle -A PREROUTING -s 169.254.0.0/16 -j DROP
  568. iptables -t mangle -A PREROUTING -s 172.16.0.0/12 -j DROP
  569. iptables -t mangle -A PREROUTING -s 192.0.2.0/24 -j DROP
  570. iptables -t mangle -A PREROUTING -s 10.0.0.0/8 -j DROP
  571. iptables -t mangle -A PREROUTING -s 240.0.0.0/5 -j DROP
  572. iptables -t mangle -A PREROUTING -s 127.0.0.0/8 ! -i lo -j DROP
  573. function_check save_firewall_settings
  574. save_firewall_settings
  575. mark_completed $FUNCNAME
  576. }
  577. function firewall_rate_limits {
  578. if [[ $(is_completed $FUNCNAME) == "1" ]]; then
  579. return
  580. fi
  581. # Limit connections per source IP
  582. iptables -A INPUT -p tcp -m connlimit --connlimit-above 111 -j REJECT --reject-with tcp-reset
  583. # Limit RST packets
  584. iptables -A INPUT -p tcp --tcp-flags RST RST -m limit --limit 2/s --limit-burst 2 -j ACCEPT
  585. iptables -A INPUT -p tcp --tcp-flags RST RST -j DROP
  586. # Limit new TCP connections per second per source IP
  587. iptables -A INPUT -p tcp -m conntrack --ctstate NEW -m limit --limit 60/s --limit-burst 20 -j ACCEPT
  588. iptables -A INPUT -p tcp -m conntrack --ctstate NEW -j DROP
  589. # SSH brute-force protection
  590. iptables -A INPUT -p tcp --dport ssh -m conntrack --ctstate NEW -m recent --set
  591. iptables -A INPUT -p tcp --dport ssh -m conntrack --ctstate NEW -m recent --update --seconds 60 --hitcount 10 -j DROP
  592. function_check save_firewall_settings
  593. save_firewall_settings
  594. mark_completed $FUNCNAME
  595. }
  596. # NOTE: deliberately no exit 0