free
/
freedombone
Watch 1
Star 0
Fork 0
Code Issues 0 Pull Requests 0 Releases 0 Wiki Activity
7433 Commits
5 Branches
Tree: e9c47c397e
Branches Tags
${ item.name }
Create branch ${ searchTerm }
from 'e9c47c397e'
${ noResults }
freedombone/src/freedombone-utils-firewall

freedombone-utils-firewall 29KB
History Raw

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398399400401402403404405406407408409410411412413414415416417418419420421422423424425426427428429430431432433434435436437438439440441442443444445446447448449450451452453454455456457458459460461462463464465466467468469470471472473474475476477478479480481482483484485486487488489490491492493494495496497498499500501502503504505506507508509510511512513514515516517518519520521522523524525526527528529530531532533534535536537538539540541542543544545546547548549550551552553554555556557558559560561562563564565566567568569570571572573574575576577578579580581582583584585586587588589590591592593594595596597598599600601602603604605606607608609610611612613614615616617618619620621622623624625626627628629630631632633634635636637638639640641642643644645646647648649650651652653654655656 
  1. #!/bin/bash

  2. #

  3. # .---.                  .              .

  4. # |                      |              |

  5. # |--- .--. .-.  .-.  .-.|  .-. .--.--. |.-.  .-. .--.  .-.

  6. # |    |   (.-' (.-' (   | (   )|  |  | |   )(   )|  | (.-'

  7. # '    '     --'  --'  -' -  -' '  '   -' -'   -' '   -  --'

  8. #

  9. #                    Freedom in the Cloud

  10. #

  11. # Firewall functions

  12. #

  13. # TODO: in future investigate using nftables

  14. #

  15. # License

  16. # =======

  17. #

  18. # Copyright (C) 2014-2017 Bob Mottram <bob@freedombone.net>

  19. #

  20. # This program is free software: you can redistribute it and/or modify

  21. # it under the terms of the GNU Affero General Public License as published by

  22. # the Free Software Foundation, either version 3 of the License, or

  23. # (at your option) any later version.

  24. #

  25. # This program is distributed in the hope that it will be useful,

  26. # but WITHOUT ANY WARRANTY; without even the implied warranty of

  27. # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the

  28. # GNU Affero General Public License for more details.

  29. #

  30. # You should have received a copy of the GNU Affero General Public License

  31. # along with this program.  If not, see <http://www.gnu.org/licenses/>.

  32. 

  33. FIREWALL_CONFIG=$HOME/${PROJECT_NAME}-firewall.cfg

  34. FIREWALL_DOMAINS=$HOME/${PROJECT_NAME}-firewall-domains.cfg

  35. FIREWALL_EIFACE=eth0

  36. EXTERNAL_IPV4_ADDRESS=

  37. 

  38. function save_firewall_settings {

  39.     iptables-save > /etc/firewall.conf

  40.     ip6tables-save > /etc/firewall6.conf

  41.     printf '#!/bin/sh\n' > /etc/network/if-up.d/iptables

  42.     printf 'iptables-restore < /etc/firewall.conf\n' >> /etc/network/if-up.d/iptables

  43.     printf 'ip6tables-restore < /etc/firewall6.conf\n' >> /etc/network/if-up.d/iptables

  44.     if [ -f /etc/network/if-up.d/iptables ]; then

  45.         chmod +x /etc/network/if-up.d/iptables

  46.     fi

  47. }

  48. 

  49. function firewall_block_bad_ip_ranges {

  50.     if [ $INSTALLING_MESH ]; then

  51.         return

  52.     fi

  53.     if [[ $(is_completed $FUNCNAME) == "1" ]]; then

  54.         return

  55.     fi

  56. 

  57.     # There are various blocklists out there, but they're difficult

  58.     # to verify. Indiscriminately blocking ranges without evidence

  59.     # would be a bad idea.

  60. 

  61.     # From Wikipedia and elsewhere: US military addresses

  62.     iptables -A INPUT -s 6.0.0.0/8 -j DROP

  63.     iptables -A OUTPUT -s 6.0.0.0/8 -j DROP

  64.     iptables -A INPUT -s 7.0.0.0/8 -j DROP

  65.     iptables -A OUTPUT -s 7.0.0.0/8 -j DROP

  66.     iptables -A INPUT -s 11.0.0.0/8 -j DROP

  67.     iptables -A OUTPUT -s 11.0.0.0/8 -j DROP

  68.     iptables -A INPUT -s 21.0.0.0/8 -j DROP

  69.     iptables -A OUTPUT -s 21.0.0.0/8 -j DROP

  70.     iptables -A INPUT -s 22.0.0.0/8 -j DROP

  71.     iptables -A OUTPUT -s 22.0.0.0/8 -j DROP

  72.     iptables -A INPUT -s 26.0.0.0/8 -j DROP

  73.     iptables -A OUTPUT -s 26.0.0.0/8 -j DROP

  74.     iptables -A INPUT -s 28.0.0.0/8 -j DROP

  75.     iptables -A OUTPUT -s 28.0.0.0/8 -j DROP

  76.     iptables -A INPUT -s 29.0.0.0/8 -j DROP

  77.     iptables -A OUTPUT -s 29.0.0.0/8 -j DROP

  78.     iptables -A INPUT -s 30.0.0.0/8 -j DROP

  79.     iptables -A OUTPUT -s 30.0.0.0/8 -j DROP

  80.     iptables -A INPUT -s 33.0.0.0/8 -j DROP

  81.     iptables -A OUTPUT -s 33.0.0.0/8 -j DROP

  82.     iptables -A INPUT -s 55.0.0.0/8 -j DROP

  83.     iptables -A OUTPUT -s 55.0.0.0/8 -j DROP

  84.     iptables -A INPUT -s 214.0.0.0/8 -j DROP

  85.     iptables -A OUTPUT -s 214.0.0.0/8 -j DROP

  86.     iptables -A INPUT -s 215.0.0.0/8 -j DROP

  87.     iptables -A OUTPUT -s 215.0.0.0/8 -j DROP

  88.     save_firewall_settings

  89.     mark_completed $FUNCNAME

  90. }

  91. 

  92. function global_rate_limit {

  93.     if ! grep -q "tcp_challenge_ack_limit" /etc/sysctl.conf; then

  94.         echo 'net.ipv4.tcp_challenge_ack_limit = 999999999' >> /etc/sysctl.conf

  95.         sysctl -p -q

  96.     else

  97.         if ! grep -q "net.ipv4.tcp_challenge_ack_limit = 999999999" /etc/sysctl.conf; then

  98.             sed -i 's|net.ipv4.tcp_challenge_ack_limit.*|net.ipv4.tcp_challenge_ack_limit = 999999999|g' /etc/sysctl.conf

  99.             sysctl -p -q

  100.         fi

  101.     fi

  102. }

  103. 

  104. function enable_ipv6 {

  105.     # endure that ipv6 is enabled and can route

  106.     sed -i 's/net.ipv6.conf.all.disable_ipv6.*/net.ipv6.conf.all.disable_ipv6 = 0/g' /etc/sysctl.conf

  107.     #sed -i "s/net.ipv6.conf.all.accept_redirects.*/net.ipv6.conf.all.accept_redirects = 1/g" /etc/sysctl.conf

  108.     #sed -i "s/net.ipv6.conf.all.accept_source_route.*/net.ipv6.conf.all.accept_source_route = 1/g" /etc/sysctl.conf

  109.     sed -i "s/net.ipv6.conf.all.forwarding.*/net.ipv6.conf.all.forwarding=1/g" /etc/sysctl.conf

  110.     echo 1 > /proc/sys/net/ipv6/conf/all/forwarding

  111. }

  112. 

  113. function update_external_ip {

  114.     ip_update_script=/usr/bin/externalipupdate

  115.     echo '#!/bin/bash' >> $ip_update_script

  116.     echo "existing_ip=\$(cat $CONFIGURATION_FILE | grep \"EXTERNAL_IPV4_ADDRESS=\" | head -n 1 | awk -F '=' '{print \$2}')'" >> $ip_update_script

  117.     echo "curr_ip=\$(nslookup . $EXTERNAL_IP_LOOKUP_URL | grep Address | tail -n 1 | awk -F ' ' '{print \$2}')" >> $ip_update_script

  118.     echo 'if [[ "$curr_ip" != "$existing_ip" ]]; then' >> $ip_update_script

  119.     echo "  sed -i \"s|EXTERNAL_IPV4_ADDRESS=.*|EXTERNAL_IPV4_ADDRESS=\${curr_ip}|g\" $CONFIGURATION_FILE" >> $ip_update_script

  120.     echo '  iptables-save > /etc/firewall.conf' >> $ip_update_script

  121.     echo 'fi' >> $ip_update_script

  122. 

  123.     cron_add_mins 10 $ip_update_script

  124. }

  125. 

  126. function firewall_disable_vpn {

  127.     iptables -D INPUT -i ${FIREWALL_EIFACE} -m state --state NEW -p udp --dport 1194 -j ACCEPT

  128.     iptables -D INPUT -i tun+ -j ACCEPT

  129.     iptables -D FORWARD -i tun+ -j ACCEPT

  130.     iptables -D FORWARD -i tun+ -o ${FIREWALL_EIFACE} -m state --state RELATED,ESTABLISHED -j ACCEPT

  131.     iptables -D FORWARD -i ${FIREWALL_EIFACE} -o tun+ -m state --state RELATED,ESTABLISHED -j ACCEPT

  132.     iptables -t nat -D POSTROUTING -s 10.8.0.0/24 -o ${FIREWALL_EIFACE} -j MASQUERADE

  133.     iptables -D OUTPUT -o tun+ -j ACCEPT

  134.     save_firewall_settings

  135. 

  136.     sed -i '/VPN=/d' $FIREWALL_CONFIG

  137. }

  138. 

  139. function firewall_enable_vpn {

  140.     iptables -A INPUT -i ${FIREWALL_EIFACE} -m state --state NEW -p udp --dport 1194 -j ACCEPT

  141.     iptables -A INPUT -i tun+ -j ACCEPT

  142.     iptables -A FORWARD -i tun+ -j ACCEPT

  143.     iptables -A FORWARD -i tun+ -o ${FIREWALL_EIFACE} -m state --state RELATED,ESTABLISHED -j ACCEPT

  144.     iptables -A FORWARD -i ${FIREWALL_EIFACE} -o tun+ -m state --state RELATED,ESTABLISHED -j ACCEPT

  145.     iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o ${FIREWALL_EIFACE} -j MASQUERADE

  146.     iptables -A OUTPUT -o tun+ -j ACCEPT

  147.     save_firewall_settings

  148. 

  149.     echo "VPN=1194" >> $FIREWALL_CONFIG

  150. }

  151. 

  152. function configure_firewall {

  153.     if [ $INSTALLING_MESH ]; then

  154.         mesh_firewall

  155.         return

  156.     fi

  157.     if grep -q "RELATED" /etc/firewall.conf; then

  158.         # recreate the firewall to remove RELATED

  159.         sed -i "/firewall/d" $COMPLETION_FILE

  160.     fi

  161.     if [[ $(is_completed $FUNCNAME) == "1" ]]; then

  162.         return

  163.     fi

  164.     if [[ $INSTALLED_WITHIN_DOCKER == "yes" ]]; then

  165.         # docker does its own firewalling

  166.         return

  167.     fi

  168.     iptables -P INPUT ACCEPT

  169.     ip6tables -P INPUT ACCEPT

  170.     iptables -F

  171.     ip6tables -F

  172.     iptables -t nat -F

  173.     ip6tables -t nat -F

  174.     iptables -X

  175.     ip6tables -X

  176.     iptables -P INPUT DROP

  177.     ip6tables -P INPUT DROP

  178.     iptables -P FORWARD DROP

  179.     ip6tables -P FORWARD DROP

  180.     iptables -A INPUT -i lo -j ACCEPT

  181.     iptables -A INPUT -m conntrack --ctstate ESTABLISHED -j ACCEPT

  182. 

  183.     # Drop invalid packets

  184.     iptables -t mangle -A PREROUTING -m conntrack --ctstate INVALID -j DROP

  185. 

  186.     # Make sure incoming tcp connections are SYN packets

  187.     iptables -A INPUT -p tcp ! --syn -m state --state NEW -j DROP

  188.     iptables -t mangle -A PREROUTING -p tcp ! --syn -m conntrack --ctstate NEW -j DROP

  189. 

  190.     # Drop SYN packets with suspicious MSS value

  191.     iptables -t mangle -A PREROUTING -p tcp -m conntrack --ctstate NEW -m tcpmss ! --mss 536:65535 -j DROP

  192. 

  193.     # Drop packets with incoming fragments

  194.     iptables -A INPUT -f -j DROP

  195. 

  196.     # Drop bogons

  197.     iptables -A INPUT -p tcp --tcp-flags ALL ALL -j DROP

  198.     iptables -A INPUT -p tcp --tcp-flags ALL FIN,PSH,URG -j DROP

  199.     iptables -A INPUT -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j DROP

  200.     iptables -t mangle -A PREROUTING -p tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j DROP

  201.     iptables -t mangle -A PREROUTING -p tcp --tcp-flags FIN,SYN FIN,SYN -j DROP

  202.     iptables -t mangle -A PREROUTING -p tcp --tcp-flags SYN,RST SYN,RST -j DROP

  203.     iptables -t mangle -A PREROUTING -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP

  204.     iptables -t mangle -A PREROUTING -p tcp --tcp-flags FIN,RST FIN,RST -j DROP

  205.     iptables -t mangle -A PREROUTING -p tcp --tcp-flags FIN,ACK FIN -j DROP

  206.     iptables -t mangle -A PREROUTING -p tcp --tcp-flags ACK,URG URG -j DROP

  207.     iptables -t mangle -A PREROUTING -p tcp --tcp-flags ACK,FIN FIN -j DROP

  208.     iptables -t mangle -A PREROUTING -p tcp --tcp-flags ACK,PSH PSH -j DROP

  209.     iptables -t mangle -A PREROUTING -p tcp --tcp-flags ALL ALL -j DROP

  210.     iptables -t mangle -A PREROUTING -p tcp --tcp-flags ALL NONE -j DROP

  211.     iptables -t mangle -A PREROUTING -p tcp --tcp-flags ALL FIN,PSH,URG -j DROP

  212.     iptables -t mangle -A PREROUTING -p tcp --tcp-flags ALL SYN,FIN,PSH,URG -j DROP

  213.     iptables -t mangle -A PREROUTING -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j DROP

  214. 

  215.     # Incoming malformed NULL packets:

  216.     iptables -A INPUT -p tcp --tcp-flags ALL NONE -j DROP

  217. 

  218.     mark_completed $FUNCNAME

  219. }

  220. 

  221. function firewall_drop_telnet {

  222.     if [[ $(is_completed $FUNCNAME) == "1" ]]; then

  223.         return

  224.     fi

  225.     # telnet isn't enabled as an input and we can also

  226.     # drop any outgoing telnet, just in case

  227.     iptables -A OUTPUT -p tcp --dport telnet -j REJECT

  228.     iptables -A OUTPUT -p udp --dport telnet -j REJECT

  229.     function_check save_firewall_settings

  230.     save_firewall_settings

  231.     mark_completed $FUNCNAME

  232. }

  233. 

  234. function configure_firewall_ping {

  235.     if [[ $(is_completed $FUNCNAME) == "1" ]]; then

  236.         return

  237.     fi

  238.     # Only allow ping for mesh installs

  239.     if [[ $SYSTEM_TYPE != "mesh"* ]]; then

  240.         return

  241.     fi

  242.     iptables -A INPUT -p icmp --icmp-type echo-request -j ACCEPT

  243.     iptables -A OUTPUT -p icmp --icmp-type echo-reply -j ACCEPT

  244.     function_check save_firewall_settings

  245.     save_firewall_settings

  246.     mark_completed $FUNCNAME

  247. }

  248. 

  249. function configure_internet_protocol {

  250.     if [[ $(is_completed $FUNCNAME) == "1" ]]; then

  251.         return

  252.     fi

  253.     if [[ $SYSTEM_TYPE == "mesh"* ]]; then

  254.         return

  255.     fi

  256. 

  257.     sed -i "s/#net.ipv4.tcp_syncookies.*/net.ipv4.tcp_syncookies=1/g" /etc/sysctl.conf

  258.     sed -i "s/#net.ipv4.conf.all.accept_redirects.*/net.ipv4.conf.all.accept_redirects = 0/g" /etc/sysctl.conf

  259.     sed -i "s/#net.ipv6.conf.all.accept_redirects.*/net.ipv6.conf.all.accept_redirects = 0/g" /etc/sysctl.conf

  260.     sed -i "s/#net.ipv4.conf.all.send_redirects.*/net.ipv4.conf.all.send_redirects = 0/g" /etc/sysctl.conf

  261.     sed -i "s/#net.ipv4.conf.all.accept_source_route.*/net.ipv4.conf.all.accept_source_route = 0/g" /etc/sysctl.conf

  262.     sed -i "s/#net.ipv6.conf.all.accept_source_route.*/net.ipv6.conf.all.accept_source_route = 0/g" /etc/sysctl.conf

  263.     sed -i "s/#net.ipv4.conf.default.rp_filter.*/net.ipv4.conf.default.rp_filter=1/g" /etc/sysctl.conf

  264.     sed -i "s/#net.ipv4.conf.all.rp_filter.*/net.ipv4.conf.all.rp_filter=1/g" /etc/sysctl.conf

  265.     sed -i "s/#net.ipv4.ip_forward.*/net.ipv4.ip_forward=0/g" /etc/sysctl.conf

  266.     sed -i "s/#net.ipv6.conf.all.forwarding.*/net.ipv6.conf.all.forwarding=0/g" /etc/sysctl.conf

  267. 

  268.     sed -i "s/# net.ipv4.tcp_syncookies.*/net.ipv4.tcp_syncookies=1/g" /etc/sysctl.conf

  269.     sed -i "s/# net.ipv4.conf.all.accept_redirects.*/net.ipv4.conf.all.accept_redirects = 0/g" /etc/sysctl.conf

  270.     sed -i "s/# net.ipv6.conf.all.accept_redirects.*/net.ipv6.conf.all.accept_redirects = 0/g" /etc/sysctl.conf

  271.     sed -i "s/# net.ipv4.conf.all.send_redirects.*/net.ipv4.conf.all.send_redirects = 0/g" /etc/sysctl.conf

  272.     sed -i "s/# net.ipv4.conf.all.accept_source_route.*/net.ipv4.conf.all.accept_source_route = 0/g" /etc/sysctl.conf

  273.     sed -i "s/# net.ipv6.conf.all.accept_source_route.*/net.ipv6.conf.all.accept_source_route = 0/g" /etc/sysctl.conf

  274.     sed -i "s/# net.ipv4.conf.default.rp_filter.*/net.ipv4.conf.default.rp_filter=1/g" /etc/sysctl.conf

  275.     sed -i "s/# net.ipv4.conf.all.rp_filter.*/net.ipv4.conf.all.rp_filter=1/g" /etc/sysctl.conf

  276.     sed -i "s/# net.ipv4.ip_forward.*/net.ipv4.ip_forward=0/g" /etc/sysctl.conf

  277.     sed -i "s/# net.ipv6.conf.all.forwarding.*/net.ipv6.conf.all.forwarding=0/g" /etc/sysctl.conf

  278. 

  279. 

  280.     if ! grep -q "ignore pings" /etc/sysctl.conf; then

  281.         echo '# ignore pings' >> /etc/sysctl.conf

  282.         echo 'net.ipv4.icmp_echo_ignore_all = 1' >> /etc/sysctl.conf

  283.         echo 'net.ipv6.icmp_echo_ignore_all = 1' >> /etc/sysctl.conf

  284.     fi

  285.     if ! grep -q "disable ipv6" /etc/sysctl.conf; then

  286.         echo '# disable ipv6' >> /etc/sysctl.conf

  287.         echo 'net.ipv6.conf.all.disable_ipv6 = 1' >> /etc/sysctl.conf

  288.     fi

  289.     if ! grep -q "net.ipv4.tcp_synack_retries" /etc/sysctl.conf; then

  290.         echo 'net.ipv4.tcp_synack_retries = 2' >> /etc/sysctl.conf

  291.         echo 'net.ipv4.tcp_syn_retries = 1' >> /etc/sysctl.conf

  292.     fi

  293.     if ! grep -q "keepalive" /etc/sysctl.conf; then

  294.         echo '# keepalive' >> /etc/sysctl.conf

  295.         echo 'net.ipv4.tcp_keepalive_probes = 9' >> /etc/sysctl.conf

  296.         echo 'net.ipv4.tcp_keepalive_intvl = 75' >> /etc/sysctl.conf

  297.         echo 'net.ipv4.tcp_keepalive_time = 7200' >> /etc/sysctl.conf

  298.     fi

  299.     if ! grep -q "net.ipv4.conf.default.send_redirects" /etc/sysctl.conf; then

  300.         echo "net.ipv4.conf.default.send_redirects = 0" >> /etc/sysctl.conf

  301.     else

  302.         sed -i "s|# net.ipv4.conf.default.send_redirects.*|net.ipv4.conf.default.send_redirects = 0|g" /etc/sysctl.conf

  303.         sed -i "s|#net.ipv4.conf.default.send_redirects.*|net.ipv4.conf.default.send_redirects = 0|g" /etc/sysctl.conf

  304.         sed -i "s|net.ipv4.conf.default.send_redirects.*|net.ipv4.conf.default.send_redirects = 0|g" /etc/sysctl.conf

  305.     fi

  306.     if ! grep -q "net.ipv4.conf.all.secure_redirects" /etc/sysctl.conf; then

  307.         echo "net.ipv4.conf.all.secure_redirects = 0" >> /etc/sysctl.conf

  308.     else

  309.         sed -i "s|# net.ipv4.conf.all.secure_redirects.*|net.ipv4.conf.all.secure_redirects = 0|g" /etc/sysctl.conf

  310.         sed -i "s|#net.ipv4.conf.all.secure_redirects.*|net.ipv4.conf.all.secure_redirects = 0|g" /etc/sysctl.conf

  311.         sed -i "s|net.ipv4.conf.all.secure_redirects.*|net.ipv4.conf.all.secure_redirects = 0|g" /etc/sysctl.conf

  312.     fi

  313.     if ! grep -q "net.ipv4.conf.default.accept_source_route" /etc/sysctl.conf; then

  314.         echo "net.ipv4.conf.default.accept_source_route = 0" >> /etc/sysctl.conf

  315.     else

  316.         sed -i "s|# net.ipv4.conf.default.accept_source_route.*|net.ipv4.conf.default.accept_source_route = 0|g" /etc/sysctl.conf

  317.         sed -i "s|#net.ipv4.conf.default.accept_source_route.*|net.ipv4.conf.default.accept_source_route = 0|g" /etc/sysctl.conf

  318.         sed -i "s|net.ipv4.conf.default.accept_source_route.*|net.ipv4.conf.default.accept_source_route = 0|g" /etc/sysctl.conf

  319.     fi

  320.     if ! grep -q "net.ipv4.conf.default.secure_redirects" /etc/sysctl.conf; then

  321.         echo "net.ipv4.conf.default.secure_redirects = 0" >> /etc/sysctl.conf

  322.     else

  323.         sed -i "s|# net.ipv4.conf.default.secure_redirects.*|net.ipv4.conf.default.secure_redirects = 0|g" /etc/sysctl.conf

  324.         sed -i "s|#net.ipv4.conf.default.secure_redirects.*|net.ipv4.conf.default.secure_redirects = 0|g" /etc/sysctl.conf

  325.         sed -i "s|net.ipv4.conf.default.secure_redirects.*|net.ipv4.conf.default.secure_redirects = 0|g" /etc/sysctl.conf

  326.     fi

  327.     if ! grep -q "net.ipv4.conf.default.accept_redirects" /etc/sysctl.conf; then

  328.         echo "net.ipv4.conf.default.accept_redirects = 0" >> /etc/sysctl.conf

  329.     else

  330.         sed -i "s|# net.ipv4.conf.default.accept_redirects.*|net.ipv4.conf.default.accept_redirects = 0|g" /etc/sysctl.conf

  331.         sed -i "s|#net.ipv4.conf.default.accept_redirects.*|net.ipv4.conf.default.accept_redirects = 0|g" /etc/sysctl.conf

  332.         sed -i "s|net.ipv4.conf.default.accept_redirects.*|net.ipv4.conf.default.accept_redirects = 0|g" /etc/sysctl.conf

  333.     fi

  334. 

  335.     # Randomize kernel

  336.     if ! grep -q "kernel.randomize_va_space" /etc/sysctl.conf; then

  337.         echo "kernel.randomize_va_space=2" >> /etc/sysctl.conf

  338.     else

  339.         sed -i 's|kernel.randomize_va_space.*|kernel.randomize_va_space=2|g' /etc/sysctl.conf

  340.     fi

  341. 

  342.     # Turn off the tcp_timestamps

  343.     if ! grep -q "net.ipv4.tcp_timestamps" /etc/sysctl.conf; then

  344.         echo "net.ipv4.tcp_timestamps=0" >> /etc/sysctl.conf

  345.     else

  346.         sed -i 's|net.ipv4.tcp_timestamps.*|net.ipv4.tcp_timestamps=0|g' /etc/sysctl.conf

  347.     fi

  348.     /sbin/sysctl -p

  349.     mark_completed $FUNCNAME

  350. }

  351. 

  352. function mesh_firewall {

  353.     FIREWALL_FILENAME=${rootdir}/etc/systemd/system/meshfirewall.service

  354.     MESH_FIREWALL_SCRIPT=${rootdir}/usr/bin/mesh-firewall

  355. 

  356.     echo '#!/bin/bash' > $MESH_FIREWALL_SCRIPT

  357.     echo 'iptables -P INPUT ACCEPT' >> $MESH_FIREWALL_SCRIPT

  358.     echo 'ip6tables -P INPUT ACCEPT' >> $MESH_FIREWALL_SCRIPT

  359.     echo 'iptables -F' >> $MESH_FIREWALL_SCRIPT

  360.     echo 'ip6tables -F' >> $MESH_FIREWALL_SCRIPT

  361.     echo 'iptables -t nat -F' >> $MESH_FIREWALL_SCRIPT

  362.     echo 'ip6tables -t nat -F' >> $MESH_FIREWALL_SCRIPT

  363.     echo 'iptables -X' >> $MESH_FIREWALL_SCRIPT

  364.     echo 'ip6tables -X' >> $MESH_FIREWALL_SCRIPT

  365.     echo 'iptables -P INPUT DROP' >> $MESH_FIREWALL_SCRIPT

  366.     echo 'ip6tables -P INPUT DROP' >> $MESH_FIREWALL_SCRIPT

  367.     echo 'iptables -A INPUT -i lo -j ACCEPT' >> $MESH_FIREWALL_SCRIPT

  368.     echo 'iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT' >> $MESH_FIREWALL_SCRIPT

  369.     echo '' >> $MESH_FIREWALL_SCRIPT

  370.     echo '# Make sure incoming tcp connections are SYN packets' >> $MESH_FIREWALL_SCRIPT

  371.     echo 'iptables -A INPUT -p tcp ! --syn -m state --state NEW -j DROP' >> $MESH_FIREWALL_SCRIPT

  372.     echo '' >> $MESH_FIREWALL_SCRIPT

  373.     echo '# Drop packets with incoming fragments' >> $MESH_FIREWALL_SCRIPT

  374.     echo 'iptables -A INPUT -f -j DROP' >> $MESH_FIREWALL_SCRIPT

  375.     echo '' >> $MESH_FIREWALL_SCRIPT

  376.     echo '# Drop bogons' >> $MESH_FIREWALL_SCRIPT

  377.     echo 'iptables -A INPUT -p tcp --tcp-flags ALL ALL -j DROP' >> $MESH_FIREWALL_SCRIPT

  378.     echo 'iptables -A INPUT -p tcp --tcp-flags ALL FIN,PSH,URG -j DROP' >> $MESH_FIREWALL_SCRIPT

  379.     echo 'iptables -A INPUT -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j DROP' >> $MESH_FIREWALL_SCRIPT

  380.     echo '' >> $MESH_FIREWALL_SCRIPT

  381.     echo '# Incoming malformed NULL packets:' >> $MESH_FIREWALL_SCRIPT

  382.     echo 'iptables -A INPUT -p tcp --tcp-flags ALL NONE -j DROP' >> $MESH_FIREWALL_SCRIPT

  383.     echo '' >> $MESH_FIREWALL_SCRIPT

  384.     echo "iptables -A INPUT -p tcp --dport $TOX_PORT -j ACCEPT" >> $MESH_FIREWALL_SCRIPT

  385.     echo "iptables -A INPUT -i $WIFI_INTERFACE -p udp --dport $ZERONET_PORT -j ACCEPT" >> $MESH_FIREWALL_SCRIPT

  386.     echo "iptables -A INPUT -i $WIFI_INTERFACE -p tcp --dport $ZERONET_PORT -j ACCEPT" >> $MESH_FIREWALL_SCRIPT

  387.     echo "iptables -A INPUT -i $WIFI_INTERFACE -p udp --dport $TRACKER_PORT -j ACCEPT" >> $MESH_FIREWALL_SCRIPT

  388.     echo "iptables -A INPUT -i $WIFI_INTERFACE -p tcp --dport $TRACKER_PORT -j ACCEPT" >> $MESH_FIREWALL_SCRIPT

  389.     echo "iptables -A INPUT -i $WIFI_INTERFACE -p udp --dport 1900 -j ACCEPT" >> $MESH_FIREWALL_SCRIPT

  390.     chmod +x $MESH_FIREWALL_SCRIPT

  391. 

  392.     echo '[Unit]' > $FIREWALL_FILENAME

  393.     echo 'Description=Mesh Firewall' >> $FIREWALL_FILENAME

  394.     echo '' >> $FIREWALL_FILENAME

  395.     echo '[Service]' >> $FIREWALL_FILENAME

  396.     echo 'Type=oneshot' >> $FIREWALL_FILENAME

  397.     echo 'ExecStart=/usr/bin/mesh-firewall' >> $FIREWALL_FILENAME

  398.     echo 'RemainAfterExit=no' >> $FIREWALL_FILENAME

  399.     echo '' >> $FIREWALL_FILENAME

  400.     echo 'TimeoutSec=30' >> $FIREWALL_FILENAME

  401.     echo '' >> $FIREWALL_FILENAME

  402.     echo '[Install]' >> $FIREWALL_FILENAME

  403.     echo 'WantedBy=multi-user.target' >> $FIREWALL_FILENAME

  404.     chmod +x $FIREWALL_FILENAME

  405.     chroot "$rootdir" systemctl enable meshfirewall

  406. }

  407. 

  408. function firewall_add {

  409.     firewall_name=$(echo "$1" | sed "s| |-|g")

  410.     firewall_port=$2

  411.     firewall_protocol="$3"

  412. 

  413.     if ! grep -q "${firewall_name}=${firewall_port}" $FIREWALL_CONFIG; then

  414.         echo "${firewall_name}=${firewall_port}" >> $FIREWALL_CONFIG

  415.         if [ ! ${firewall_protocol} ]; then

  416.             iptables -C INPUT -p udp --dport ${firewall_port} -j ACCEPT

  417.             if [ ! "$?" = "0" ]; then

  418.                 iptables -A INPUT -p udp --dport ${firewall_port} -j ACCEPT

  419.             fi

  420. 

  421.             iptables -C INPUT -p tcp --dport ${firewall_port} -j ACCEPT

  422.             if [ ! "$?" = "0" ]; then

  423.                 iptables -A INPUT -p tcp --dport ${firewall_port} -j ACCEPT

  424.             fi

  425.         else

  426.             if [[ "${firewall_protocol}" == *"udp"* ]]; then

  427.                 iptables -C INPUT -p udp --dport ${firewall_port} -j ACCEPT

  428.                 if [ ! "$?" = "0" ]; then

  429.                     iptables -A INPUT -p udp --dport ${firewall_port} -j ACCEPT

  430.                 fi

  431.             fi

  432.             if [[ "${firewall_protocol}" == *"tcp"* ]]; then

  433.                 iptables -C INPUT -p tcp --dport ${firewall_port} -j ACCEPT

  434.                 if [ ! "$?" = "0" ]; then

  435.                     iptables -A INPUT -p tcp --dport ${firewall_port} -j ACCEPT

  436.                 fi

  437.             fi

  438.         fi

  439.         save_firewall_settings

  440.     fi

  441. }

  442. 

  443. function firewall_add_range {

  444.     firewall_name=$(echo "$1" | sed "s| |-|g")

  445.     firewall_port_start=$2

  446.     firewall_port_end=$3

  447.     firewall_protocol="$4"

  448. 

  449.     if ! grep -q "${firewall_name}=${firewall_port_start}:${firewall_port_end}" $FIREWALL_CONFIG; then

  450.         echo "${firewall_name}=${firewall_port_start}:${firewall_port_end}" >> $FIREWALL_CONFIG

  451.         if [ ! ${firewall_protocol} ]; then

  452.             iptables -C INPUT -p udp --dport ${firewall_port_start}:${firewall_port_end} -j ACCEPT

  453.             if [ ! "$?" = "0" ]; then

  454.                 iptables -A INPUT -p udp --dport ${firewall_port_start}:${firewall_port_end} -j ACCEPT

  455.             fi

  456.             iptables -C INPUT -p tcp --dport ${firewall_port_start}:${firewall_port_end} -j ACCEPT

  457.             if [ ! "$?" = "0" ]; then

  458.                 iptables -A INPUT -p tcp --dport ${firewall_port_start}:${firewall_port_end} -j ACCEPT

  459.             fi

  460.         else

  461.             if [[ "${firewall_protocol}" == *"udp"* ]]; then

  462.                 iptables -C INPUT -p udp --dport ${firewall_port_start}:${firewall_port_end} -j ACCEPT

  463.                 if [ ! "$?" = "0" ]; then

  464.                     iptables -A INPUT -p udp --dport ${firewall_port_start}:${firewall_port_end} -j ACCEPT

  465.                 fi

  466.             fi

  467.             if [[ "${firewall_protocol}" == *"tcp"* ]]; then

  468.                 iptables -C INPUT -p tcp --dport ${firewall_port_start}:${firewall_port_end} -j ACCEPT

  469.                 if [ ! "$?" = "0" ]; then

  470.                     iptables -A INPUT -p tcp --dport ${firewall_port_start}:${firewall_port_end} -j ACCEPT

  471.                 fi

  472.             fi

  473.         fi

  474.         save_firewall_settings

  475.     fi

  476. }

  477. 

  478. 

  479. function firewall_remove {

  480.     firewall_port=$1

  481.     firewall_protocol="$2"

  482. 

  483.     if [ ! -f $FIREWALL_CONFIG ]; then

  484.         return

  485.     fi

  486. 

  487.     if grep -q "=${firewall_port}" $FIREWALL_CONFIG; then

  488.         if [ ! ${firewall_protocol} ]; then

  489.             iptables -D INPUT -p udp --dport ${firewall_port} -j ACCEPT

  490.             iptables -D INPUT -p tcp --dport ${firewall_port} -j ACCEPT

  491.         else

  492.             if [[ "${firewall_protocol}" == *"udp"* ]]; then

  493.                 iptables -D INPUT -p udp --dport ${firewall_port} -j ACCEPT

  494.             fi

  495.             if [[ "${firewall_protocol}" == *"tcp"* ]]; then

  496.                 iptables -D INPUT -p tcp --dport ${firewall_port} -j ACCEPT

  497.             fi

  498.         fi

  499.         sed -i "/=${firewall_port}/d" $FIREWALL_CONFIG

  500.         save_firewall_settings

  501.     fi

  502. }

  503. 

  504. function domain_to_hex_string {

  505.     domain="$1"

  506.     ctr=1

  507.     segment=$(echo "$domain" | awk -F '.' -v value="$ctr" '{print $value}')

  508.     while [ ${#segment} -gt 0 ]

  509.     do

  510.         characters=$(echo -n "$segment" | wc -c)

  511.         hexnum=$(echo "obase=16; $characters" | bc)

  512.         echo -n "|"

  513.         if [ $(echo -n "$hexnum" | wc -c) -lt 2 ]; then

  514.             echo -n "0"

  515.         fi

  516.         echo -n "$hexnum|$segment"

  517.         ctr=$((ctr + 1))

  518.         segment=$(echo "$domain" | awk -F '.' -v value="$ctr" '{print $value}')

  519.     done

  520.     echo ""

  521. }

  522. 

  523. function firewall_block_domain {

  524.     blocked_domain="$1"

  525.     if [[ "$blocked_domain" == *'@'* ]]; then

  526.         # Don't try to block email/microblog addresses

  527.         echo "${blocked_domain}" >> $FIREWALL_DOMAINS

  528.         return

  529.     fi

  530.     if ! grep -q "$blocked_domain" $FIREWALL_DOMAINS; then

  531.         hexstr=$(domain_to_hex_string $blocked_domain)

  532.         iptables -C INPUT -p udp --dport 53 -m string --hex-string "$hexstr" --algo bm -j DROP

  533.         if [ ! "$?" = "0" ]; then

  534.             iptables -A INPUT -p udp --dport 53 -m string --hex-string "$hexstr" --algo bm -j DROP

  535.             iptables -A INPUT -p tcp --dport 53 -m string --hex-string "$hexstr" --algo bm -j DROP

  536.             iptables -A OUTPUT -p udp --dport 53 -m string --hex-string "$hexstr" --algo bm -j DROP

  537.             iptables -A OUTPUT -p tcp --dport 53 -m string --hex-string "$hexstr" --algo bm -j DROP

  538.             iptables -I FORWARD -p udp --dport 53 -m string --hex-string "$hexstr" --algo bm -j DROP

  539.             iptables -I FORWARD -p tcp --dport 53 -m string --hex-string "$hexstr" --algo bm -j DROP

  540.             echo "${blocked_domain}" >> $FIREWALL_DOMAINS

  541.             save_firewall_settings

  542.         fi

  543. 

  544.         # run the blocking rules now

  545.         if [ -f /usr/bin/gnusocial-firewall ]; then

  546.             /usr/bin/gnusocial-firewall

  547.         fi

  548.         if [ -f /usr/bin/postactiv-firewall ]; then

  549.             /usr/bin/postactiv-firewall

  550.         fi

  551.     fi

  552. }

  553. 

  554. function firewall_block_ip {

  555.     blocked_ip="$1"

  556.     if [[ "$blocked_ip" == *'@'* ]]; then

  557.         # Don't try to block email/microblog addresses

  558.         return

  559.     fi

  560.     if ! grep -q "$blocked_ip" $FIREWALL_DOMAINS; then

  561.         iptables -C INPUT -s $blocked_ip -j DROP

  562.         if [ ! "$?" = "0" ]; then

  563.             iptables -A INPUT -s $blocked_ip -j DROP

  564.             iptables -A OUTPUT -s $blocked_ip -j DROP

  565. 

  566.             echo "${blocked_ip}" >> $FIREWALL_DOMAINS

  567.             save_firewall_settings

  568.         fi

  569.     fi

  570. }

  571. 

  572. function firewall_unblock_ip {

  573.     blocked_ip="$1"

  574.     if [[ "$blocked_ip" == *'@'* ]]; then

  575.         # Don't try to block email/microblog addresses

  576.         return

  577.     fi

  578.     if grep -q "$blocked_ip" $FIREWALL_DOMAINS; then

  579.         iptables -D INPUT -s $blocked_ip -j DROP

  580.         iptables -D OUTPUT -s $blocked_ip -j DROP

  581. 

  582.         sed -i '/$blocked_ip/d' $FIREWALL_DOMAINS

  583.         echo "${blocked_ip}" >> $FIREWALL_DOMAINS

  584.         save_firewall_settings

  585.     fi

  586. }

  587. 

  588. function firewall_refresh_blocklist {

  589.     if [ ! -f /root/${PROJECT_NAME}-firewall-domains.cfg ]; then

  590.         return

  591.     fi

  592. 

  593.     while read blocked_domain; do

  594.         firewall_block_domain $blocked_domain

  595.     done </root/${PROJECT_NAME}-firewall-domains.cfg

  596. }

  597. 

  598. function firewall_unblock_domain {

  599.     unblocked_domain="$1"

  600.     if grep -q "${unblocked_domain}" $FIREWALL_DOMAINS; then

  601.         if [[ "${unblocked_domain}" != *'@'* ]]; then

  602.             hexstr=$(domain_to_hex_string $unblocked_domain)

  603.             iptables -D INPUT -p udp --dport 53 -m string --hex-string "$hexstr" --algo bm -j DROP

  604.             iptables -D INPUT -p tcp --dport 53 -m string --hex-string "$hexstr" --algo bm -j DROP

  605.             iptables -D OUTPUT -p udp --dport 53 -m string --hex-string "$hexstr" --algo bm -j DROP

  606.             iptables -D OUTPUT -p tcp --dport 53 -m string --hex-string "$hexstr" --algo bm -j DROP

  607.             iptables -D FORWARD -p udp --dport 53 -m string --hex-string "$hexstr" --algo bm -j DROP

  608.             iptables -D FORWARD -p tcp --dport 53 -m string --hex-string "$hexstr" --algo bm -j DROP

  609.             save_firewall_settings

  610.         fi

  611.         sed -i "/${unblocked_domain}/d" $FIREWALL_DOMAINS

  612.     fi

  613. }

  614. 

  615. function firewall_drop_spoofed_packets {

  616.     if [[ $(is_completed $FUNCNAME) == "1" ]]; then

  617.         return

  618.     fi

  619.     iptables -t mangle -A PREROUTING -s 224.0.0.0/3 -j DROP

  620.     iptables -t mangle -A PREROUTING -s 169.254.0.0/16 -j DROP

  621.     iptables -t mangle -A PREROUTING -s 172.16.0.0/12 -j DROP

  622.     iptables -t mangle -A PREROUTING -s 192.0.2.0/24 -j DROP

  623.     iptables -t mangle -A PREROUTING -s 10.0.0.0/8 -j DROP

  624.     iptables -t mangle -A PREROUTING -s 240.0.0.0/5 -j DROP

  625.     iptables -t mangle -A PREROUTING -s 127.0.0.0/8 ! -i lo -j DROP

  626.     function_check save_firewall_settings

  627.     save_firewall_settings

  628.     mark_completed $FUNCNAME

  629. }

  630. 

  631. function firewall_rate_limits {

  632.     if [[ $(is_completed $FUNCNAME) == "1" ]]; then

  633.         return

  634.     fi

  635. 

  636.     # Limit connections per source IP

  637.     iptables -A INPUT -p tcp -m connlimit --connlimit-above 111 -j REJECT --reject-with tcp-reset

  638. 

  639.     # Limit RST packets

  640.     iptables -A INPUT -p tcp --tcp-flags RST RST -m limit --limit 2/s --limit-burst 2 -j ACCEPT

  641.     iptables -A INPUT -p tcp --tcp-flags RST RST -j DROP

  642. 

  643.     # Limit new TCP connections per second per source IP

  644.     iptables -A INPUT -p tcp -m conntrack --ctstate NEW -m limit --limit 60/s --limit-burst 20 -j ACCEPT

  645.     iptables -A INPUT -p tcp -m conntrack --ctstate NEW -j DROP

  646. 

  647.     # SSH brute-force protection

  648.     iptables -A INPUT -p tcp --dport ssh -m conntrack --ctstate NEW -m recent --set

  649.     iptables -A INPUT -p tcp --dport ssh -m conntrack --ctstate NEW -m recent --update --seconds 60 --hitcount 10 -j DROP

  650. 

  651.     function_check save_firewall_settings

  652.     save_firewall_settings

  653.     mark_completed $FUNCNAME

  654. }

  655. 

  656. # NOTE: deliberately no exit 0