free
/
freedombone
Watch 1
Star 0
Fork 0
Code Issues 0 Pull Requests 0 Releases 0 Wiki Activity
6824 Commits
5 Branches
Tree: eb1a820bc1
Branches Tags
${ item.name }
Create branch ${ searchTerm }
from 'eb1a820bc1'
${ noResults }
freedombone/src/freedombone-utils-firewall

freedombone-utils-firewall 23KB
History Raw

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398399400401402403404405406407408409410411412413414415416417418419420421422423424425426427428429430431432433434435436437438439440441442443444445446447448449450451452453454455456457458459460461462463464465466467468469470471472473474475476477478479480481482483484485486487488489490491492493494495496497498499500501502503504505506507508509510511512513514515516517518 
  1. #!/bin/bash

  2. #

  3. # .---.                  .              .

  4. # |                      |              |

  5. # |--- .--. .-.  .-.  .-.|  .-. .--.--. |.-.  .-. .--.  .-.

  6. # |    |   (.-' (.-' (   | (   )|  |  | |   )(   )|  | (.-'

  7. # '    '     --'  --'  -' -  -' '  '   -' -'   -' '   -  --'

  8. #

  9. #                    Freedom in the Cloud

  10. #

  11. # Firewall functions

  12. #

  13. # TODO: in future investigate using nftables

  14. #

  15. # License

  16. # =======

  17. #

  18. # Copyright (C) 2014-2017 Bob Mottram <bob@freedombone.net>

  19. #

  20. # This program is free software: you can redistribute it and/or modify

  21. # it under the terms of the GNU Affero General Public License as published by

  22. # the Free Software Foundation, either version 3 of the License, or

  23. # (at your option) any later version.

  24. #

  25. # This program is distributed in the hope that it will be useful,

  26. # but WITHOUT ANY WARRANTY; without even the implied warranty of

  27. # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the

  28. # GNU Affero General Public License for more details.

  29. #

  30. # You should have received a copy of the GNU Affero General Public License

  31. # along with this program.  If not, see <http://www.gnu.org/licenses/>.

  32. 

  33. FIREWALL_CONFIG=$HOME/${PROJECT_NAME}-firewall.cfg

  34. FIREWALL_DOMAINS=$HOME/${PROJECT_NAME}-firewall-domains.cfg

  35. 

  36. function save_firewall_settings {

  37.     iptables-save > /etc/firewall.conf

  38.     ip6tables-save > /etc/firewall6.conf

  39.     printf '#!/bin/sh\n' > /etc/network/if-up.d/iptables

  40.     printf 'iptables-restore < /etc/firewall.conf\n' >> /etc/network/if-up.d/iptables

  41.     printf 'ip6tables-restore < /etc/firewall6.conf\n' >> /etc/network/if-up.d/iptables

  42.     if [ -f /etc/network/if-up.d/iptables ]; then

  43.         chmod +x /etc/network/if-up.d/iptables

  44.     fi

  45. }

  46. 

  47. function firewall_block_bad_ip_ranges {

  48.     if [ $INSTALLING_MESH ]; then

  49.         return

  50.     fi

  51.     if [[ $(is_completed $FUNCNAME) == "1" ]]; then

  52.         return

  53.     fi

  54. 

  55.     # There are various blocklists out there, but they're difficult

  56.     # to verify. Indiscriminately blocking ranges without evidence

  57.     # would be a bad idea.

  58. 

  59.     # From Wikipedia and elsewhere: US military addresses

  60.     iptables -A INPUT -s 6.0.0.0/8 -j DROP

  61.     iptables -A OUTPUT -s 6.0.0.0/8 -j DROP

  62.     iptables -A INPUT -s 7.0.0.0/8 -j DROP

  63.     iptables -A OUTPUT -s 7.0.0.0/8 -j DROP

  64.     iptables -A INPUT -s 11.0.0.0/8 -j DROP

  65.     iptables -A OUTPUT -s 11.0.0.0/8 -j DROP

  66.     iptables -A INPUT -s 21.0.0.0/8 -j DROP

  67.     iptables -A OUTPUT -s 21.0.0.0/8 -j DROP

  68.     iptables -A INPUT -s 22.0.0.0/8 -j DROP

  69.     iptables -A OUTPUT -s 22.0.0.0/8 -j DROP

  70.     iptables -A INPUT -s 26.0.0.0/8 -j DROP

  71.     iptables -A OUTPUT -s 26.0.0.0/8 -j DROP

  72.     iptables -A INPUT -s 28.0.0.0/8 -j DROP

  73.     iptables -A OUTPUT -s 28.0.0.0/8 -j DROP

  74.     iptables -A INPUT -s 29.0.0.0/8 -j DROP

  75.     iptables -A OUTPUT -s 29.0.0.0/8 -j DROP

  76.     iptables -A INPUT -s 30.0.0.0/8 -j DROP

  77.     iptables -A OUTPUT -s 30.0.0.0/8 -j DROP

  78.     iptables -A INPUT -s 33.0.0.0/8 -j DROP

  79.     iptables -A OUTPUT -s 33.0.0.0/8 -j DROP

  80.     iptables -A INPUT -s 55.0.0.0/8 -j DROP

  81.     iptables -A OUTPUT -s 55.0.0.0/8 -j DROP

  82.     iptables -A INPUT -s 214.0.0.0/8 -j DROP

  83.     iptables -A OUTPUT -s 214.0.0.0/8 -j DROP

  84.     iptables -A INPUT -s 215.0.0.0/8 -j DROP

  85.     iptables -A OUTPUT -s 215.0.0.0/8 -j DROP

  86.     save_firewall_settings

  87.     mark_completed $FUNCNAME

  88. }

  89. 

  90. function global_rate_limit {

  91.     if ! grep -q "tcp_challenge_ack_limit" /etc/sysctl.conf; then

  92.         echo 'net.ipv4.tcp_challenge_ack_limit = 999999999' >> /etc/sysctl.conf

  93.     else

  94.         sed -i 's|net.ipv4.tcp_challenge_ack_limit.*|net.ipv4.tcp_challenge_ack_limit = 999999999|g' /etc/sysctl.conf

  95.     fi

  96.     sysctl -p -q

  97. }

  98. 

  99. function enable_ipv6 {

  100.     # endure that ipv6 is enabled and can route

  101.     sed -i 's/net.ipv6.conf.all.disable_ipv6.*/net.ipv6.conf.all.disable_ipv6 = 0/g' /etc/sysctl.conf

  102.     #sed -i "s/net.ipv6.conf.all.accept_redirects.*/net.ipv6.conf.all.accept_redirects = 1/g" /etc/sysctl.conf

  103.     #sed -i "s/net.ipv6.conf.all.accept_source_route.*/net.ipv6.conf.all.accept_source_route = 1/g" /etc/sysctl.conf

  104.     sed -i "s/net.ipv6.conf.all.forwarding.*/net.ipv6.conf.all.forwarding=1/g" /etc/sysctl.conf

  105.     echo 1 > /proc/sys/net/ipv6/conf/all/forwarding

  106. }

  107. 

  108. function configure_firewall {

  109.     if [ $INSTALLING_MESH ]; then

  110.         mesh_firewall

  111.         return

  112.     fi

  113.     if grep -q "RELATED" /etc/firewall.conf; then

  114.         # recreate the firewall to remove RELATED

  115.         sed -i "/firewall/d" $COMPLETION_FILE

  116.     fi

  117.     if [[ $(is_completed $FUNCNAME) == "1" ]]; then

  118.         return

  119.     fi

  120.     if [[ $INSTALLED_WITHIN_DOCKER == "yes" ]]; then

  121.         # docker does its own firewalling

  122.         return

  123.     fi

  124.     iptables -P INPUT ACCEPT

  125.     ip6tables -P INPUT ACCEPT

  126.     iptables -F

  127.     ip6tables -F

  128.     iptables -t nat -F

  129.     ip6tables -t nat -F

  130.     iptables -X

  131.     ip6tables -X

  132.     iptables -P INPUT DROP

  133.     ip6tables -P INPUT DROP

  134.     iptables -P FORWARD DROP

  135.     ip6tables -P FORWARD DROP

  136.     iptables -A INPUT -i lo -j ACCEPT

  137.     iptables -A INPUT -m conntrack --ctstate ESTABLISHED -j ACCEPT

  138. 

  139.     # Drop invalid packets

  140.     iptables -t mangle -A PREROUTING -m conntrack --ctstate INVALID -j DROP

  141. 

  142.     # Make sure incoming tcp connections are SYN packets

  143.     iptables -A INPUT -p tcp ! --syn -m state --state NEW -j DROP

  144.     iptables -t mangle -A PREROUTING -p tcp ! --syn -m conntrack --ctstate NEW -j DROP

  145. 

  146.     # Drop SYN packets with suspicious MSS value

  147.     iptables -t mangle -A PREROUTING -p tcp -m conntrack --ctstate NEW -m tcpmss ! --mss 536:65535 -j DROP

  148. 

  149.     # Drop packets with incoming fragments

  150.     iptables -A INPUT -f -j DROP

  151. 

  152.     # Drop bogons

  153.     iptables -A INPUT -p tcp --tcp-flags ALL ALL -j DROP

  154.     iptables -A INPUT -p tcp --tcp-flags ALL FIN,PSH,URG -j DROP

  155.     iptables -A INPUT -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j DROP

  156.     iptables -t mangle -A PREROUTING -p tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j DROP

  157.     iptables -t mangle -A PREROUTING -p tcp --tcp-flags FIN,SYN FIN,SYN -j DROP

  158.     iptables -t mangle -A PREROUTING -p tcp --tcp-flags SYN,RST SYN,RST -j DROP

  159.     iptables -t mangle -A PREROUTING -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP

  160.     iptables -t mangle -A PREROUTING -p tcp --tcp-flags FIN,RST FIN,RST -j DROP

  161.     iptables -t mangle -A PREROUTING -p tcp --tcp-flags FIN,ACK FIN -j DROP

  162.     iptables -t mangle -A PREROUTING -p tcp --tcp-flags ACK,URG URG -j DROP

  163.     iptables -t mangle -A PREROUTING -p tcp --tcp-flags ACK,FIN FIN -j DROP

  164.     iptables -t mangle -A PREROUTING -p tcp --tcp-flags ACK,PSH PSH -j DROP

  165.     iptables -t mangle -A PREROUTING -p tcp --tcp-flags ALL ALL -j DROP

  166.     iptables -t mangle -A PREROUTING -p tcp --tcp-flags ALL NONE -j DROP

  167.     iptables -t mangle -A PREROUTING -p tcp --tcp-flags ALL FIN,PSH,URG -j DROP

  168.     iptables -t mangle -A PREROUTING -p tcp --tcp-flags ALL SYN,FIN,PSH,URG -j DROP

  169.     iptables -t mangle -A PREROUTING -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j DROP

  170. 

  171.     # Incoming malformed NULL packets:

  172.     iptables -A INPUT -p tcp --tcp-flags ALL NONE -j DROP

  173. 

  174.     mark_completed $FUNCNAME

  175. }

  176. 

  177. function firewall_drop_telnet {

  178.     if [[ $(is_completed $FUNCNAME) == "1" ]]; then

  179.         return

  180.     fi

  181.     # telnet isn't enabled as an input and we can also

  182.     # drop any outgoing telnet, just in case

  183.     iptables -A OUTPUT -p tcp --dport telnet -j REJECT

  184.     iptables -A OUTPUT -p udp --dport telnet -j REJECT

  185.     function_check save_firewall_settings

  186.     save_firewall_settings

  187.     mark_completed $FUNCNAME

  188. }

  189. 

  190. function configure_firewall_ping {

  191.     if [[ $(is_completed $FUNCNAME) == "1" ]]; then

  192.         return

  193.     fi

  194.     # Only allow ping for mesh installs

  195.     if [[ $SYSTEM_TYPE != "mesh"* ]]; then

  196.         return

  197.     fi

  198.     iptables -A INPUT -p icmp --icmp-type echo-request -j ACCEPT

  199.     iptables -A OUTPUT -p icmp --icmp-type echo-reply -j ACCEPT

  200.     function_check save_firewall_settings

  201.     save_firewall_settings

  202.     mark_completed $FUNCNAME

  203. }

  204. 

  205. function configure_internet_protocol {

  206.     if [[ $(is_completed $FUNCNAME) == "1" ]]; then

  207.         return

  208.     fi

  209.     if [[ $SYSTEM_TYPE == "mesh"* ]]; then

  210.         return

  211.     fi

  212. 

  213.     sed -i "s/#net.ipv4.tcp_syncookies.*/net.ipv4.tcp_syncookies=1/g" /etc/sysctl.conf

  214.     sed -i "s/#net.ipv4.conf.all.accept_redirects.*/net.ipv4.conf.all.accept_redirects = 0/g" /etc/sysctl.conf

  215.     sed -i "s/#net.ipv6.conf.all.accept_redirects.*/net.ipv6.conf.all.accept_redirects = 0/g" /etc/sysctl.conf

  216.     sed -i "s/#net.ipv4.conf.all.send_redirects.*/net.ipv4.conf.all.send_redirects = 0/g" /etc/sysctl.conf

  217.     sed -i "s/#net.ipv4.conf.all.accept_source_route.*/net.ipv4.conf.all.accept_source_route = 0/g" /etc/sysctl.conf

  218.     sed -i "s/#net.ipv6.conf.all.accept_source_route.*/net.ipv6.conf.all.accept_source_route = 0/g" /etc/sysctl.conf

  219.     sed -i "s/#net.ipv4.conf.default.rp_filter.*/net.ipv4.conf.default.rp_filter=1/g" /etc/sysctl.conf

  220.     sed -i "s/#net.ipv4.conf.all.rp_filter.*/net.ipv4.conf.all.rp_filter=1/g" /etc/sysctl.conf

  221.     sed -i "s/#net.ipv4.ip_forward.*/net.ipv4.ip_forward=0/g" /etc/sysctl.conf

  222.     sed -i "s/#net.ipv6.conf.all.forwarding.*/net.ipv6.conf.all.forwarding=0/g" /etc/sysctl.conf

  223. 

  224.     sed -i "s/# net.ipv4.tcp_syncookies.*/net.ipv4.tcp_syncookies=1/g" /etc/sysctl.conf

  225.     sed -i "s/# net.ipv4.conf.all.accept_redirects.*/net.ipv4.conf.all.accept_redirects = 0/g" /etc/sysctl.conf

  226.     sed -i "s/# net.ipv6.conf.all.accept_redirects.*/net.ipv6.conf.all.accept_redirects = 0/g" /etc/sysctl.conf

  227.     sed -i "s/# net.ipv4.conf.all.send_redirects.*/net.ipv4.conf.all.send_redirects = 0/g" /etc/sysctl.conf

  228.     sed -i "s/# net.ipv4.conf.all.accept_source_route.*/net.ipv4.conf.all.accept_source_route = 0/g" /etc/sysctl.conf

  229.     sed -i "s/# net.ipv6.conf.all.accept_source_route.*/net.ipv6.conf.all.accept_source_route = 0/g" /etc/sysctl.conf

  230.     sed -i "s/# net.ipv4.conf.default.rp_filter.*/net.ipv4.conf.default.rp_filter=1/g" /etc/sysctl.conf

  231.     sed -i "s/# net.ipv4.conf.all.rp_filter.*/net.ipv4.conf.all.rp_filter=1/g" /etc/sysctl.conf

  232.     sed -i "s/# net.ipv4.ip_forward.*/net.ipv4.ip_forward=0/g" /etc/sysctl.conf

  233.     sed -i "s/# net.ipv6.conf.all.forwarding.*/net.ipv6.conf.all.forwarding=0/g" /etc/sysctl.conf

  234. 

  235. 

  236.     if ! grep -q "ignore pings" /etc/sysctl.conf; then

  237.         echo '# ignore pings' >> /etc/sysctl.conf

  238.         echo 'net.ipv4.icmp_echo_ignore_all = 1' >> /etc/sysctl.conf

  239.         echo 'net.ipv6.icmp_echo_ignore_all = 1' >> /etc/sysctl.conf

  240.     fi

  241.     if ! grep -q "disable ipv6" /etc/sysctl.conf; then

  242.         echo '# disable ipv6' >> /etc/sysctl.conf

  243.         echo 'net.ipv6.conf.all.disable_ipv6 = 1' >> /etc/sysctl.conf

  244.     fi

  245.     if ! grep -q "net.ipv4.tcp_synack_retries" /etc/sysctl.conf; then

  246.         echo 'net.ipv4.tcp_synack_retries = 2' >> /etc/sysctl.conf

  247.         echo 'net.ipv4.tcp_syn_retries = 1' >> /etc/sysctl.conf

  248.     fi

  249.     if ! grep -q "keepalive" /etc/sysctl.conf; then

  250.         echo '# keepalive' >> /etc/sysctl.conf

  251.         echo 'net.ipv4.tcp_keepalive_probes = 9' >> /etc/sysctl.conf

  252.         echo 'net.ipv4.tcp_keepalive_intvl = 75' >> /etc/sysctl.conf

  253.         echo 'net.ipv4.tcp_keepalive_time = 7200' >> /etc/sysctl.conf

  254.     fi

  255.     if ! grep -q "net.ipv4.conf.default.send_redirects" /etc/sysctl.conf; then

  256.         echo "net.ipv4.conf.default.send_redirects = 0" >> /etc/sysctl.conf

  257.     else

  258.         sed -i "s|# net.ipv4.conf.default.send_redirects.*|net.ipv4.conf.default.send_redirects = 0|g" /etc/sysctl.conf

  259.         sed -i "s|#net.ipv4.conf.default.send_redirects.*|net.ipv4.conf.default.send_redirects = 0|g" /etc/sysctl.conf

  260.         sed -i "s|net.ipv4.conf.default.send_redirects.*|net.ipv4.conf.default.send_redirects = 0|g" /etc/sysctl.conf

  261.     fi

  262.     if ! grep -q "net.ipv4.conf.all.secure_redirects" /etc/sysctl.conf; then

  263.         echo "net.ipv4.conf.all.secure_redirects = 0" >> /etc/sysctl.conf

  264.     else

  265.         sed -i "s|# net.ipv4.conf.all.secure_redirects.*|net.ipv4.conf.all.secure_redirects = 0|g" /etc/sysctl.conf

  266.         sed -i "s|#net.ipv4.conf.all.secure_redirects.*|net.ipv4.conf.all.secure_redirects = 0|g" /etc/sysctl.conf

  267.         sed -i "s|net.ipv4.conf.all.secure_redirects.*|net.ipv4.conf.all.secure_redirects = 0|g" /etc/sysctl.conf

  268.     fi

  269.     if ! grep -q "net.ipv4.conf.default.accept_source_route" /etc/sysctl.conf; then

  270.         echo "net.ipv4.conf.default.accept_source_route = 0" >> /etc/sysctl.conf

  271.     else

  272.         sed -i "s|# net.ipv4.conf.default.accept_source_route.*|net.ipv4.conf.default.accept_source_route = 0|g" /etc/sysctl.conf

  273.         sed -i "s|#net.ipv4.conf.default.accept_source_route.*|net.ipv4.conf.default.accept_source_route = 0|g" /etc/sysctl.conf

  274.         sed -i "s|net.ipv4.conf.default.accept_source_route.*|net.ipv4.conf.default.accept_source_route = 0|g" /etc/sysctl.conf

  275.     fi

  276.     if ! grep -q "net.ipv4.conf.default.secure_redirects" /etc/sysctl.conf; then

  277.         echo "net.ipv4.conf.default.secure_redirects = 0" >> /etc/sysctl.conf

  278.     else

  279.         sed -i "s|# net.ipv4.conf.default.secure_redirects.*|net.ipv4.conf.default.secure_redirects = 0|g" /etc/sysctl.conf

  280.         sed -i "s|#net.ipv4.conf.default.secure_redirects.*|net.ipv4.conf.default.secure_redirects = 0|g" /etc/sysctl.conf

  281.         sed -i "s|net.ipv4.conf.default.secure_redirects.*|net.ipv4.conf.default.secure_redirects = 0|g" /etc/sysctl.conf

  282.     fi

  283.     if ! grep -q "net.ipv4.conf.default.accept_redirects" /etc/sysctl.conf; then

  284.         echo "net.ipv4.conf.default.accept_redirects = 0" >> /etc/sysctl.conf

  285.     else

  286.         sed -i "s|# net.ipv4.conf.default.accept_redirects.*|net.ipv4.conf.default.accept_redirects = 0|g" /etc/sysctl.conf

  287.         sed -i "s|#net.ipv4.conf.default.accept_redirects.*|net.ipv4.conf.default.accept_redirects = 0|g" /etc/sysctl.conf

  288.         sed -i "s|net.ipv4.conf.default.accept_redirects.*|net.ipv4.conf.default.accept_redirects = 0|g" /etc/sysctl.conf

  289.     fi

  290.     mark_completed $FUNCNAME

  291. }

  292. 

  293. function mesh_firewall {

  294.     FIREWALL_FILENAME=${rootdir}/etc/systemd/system/meshfirewall.service

  295.     MESH_FIREWALL_SCRIPT=${rootdir}/usr/bin/mesh-firewall

  296. 

  297.     echo '#!/bin/bash' > $MESH_FIREWALL_SCRIPT

  298.     echo 'iptables -P INPUT ACCEPT' >> $MESH_FIREWALL_SCRIPT

  299.     echo 'ip6tables -P INPUT ACCEPT' >> $MESH_FIREWALL_SCRIPT

  300.     echo 'iptables -F' >> $MESH_FIREWALL_SCRIPT

  301.     echo 'ip6tables -F' >> $MESH_FIREWALL_SCRIPT

  302.     echo 'iptables -t nat -F' >> $MESH_FIREWALL_SCRIPT

  303.     echo 'ip6tables -t nat -F' >> $MESH_FIREWALL_SCRIPT

  304.     echo 'iptables -X' >> $MESH_FIREWALL_SCRIPT

  305.     echo 'ip6tables -X' >> $MESH_FIREWALL_SCRIPT

  306.     echo 'iptables -P INPUT DROP' >> $MESH_FIREWALL_SCRIPT

  307.     echo 'ip6tables -P INPUT DROP' >> $MESH_FIREWALL_SCRIPT

  308.     echo 'iptables -A INPUT -i lo -j ACCEPT' >> $MESH_FIREWALL_SCRIPT

  309.     echo 'iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT' >> $MESH_FIREWALL_SCRIPT

  310.     echo '' >> $MESH_FIREWALL_SCRIPT

  311.     echo '# Make sure incoming tcp connections are SYN packets' >> $MESH_FIREWALL_SCRIPT

  312.     echo 'iptables -A INPUT -p tcp ! --syn -m state --state NEW -j DROP' >> $MESH_FIREWALL_SCRIPT

  313.     echo '' >> $MESH_FIREWALL_SCRIPT

  314.     echo '# Drop packets with incoming fragments' >> $MESH_FIREWALL_SCRIPT

  315.     echo 'iptables -A INPUT -f -j DROP' >> $MESH_FIREWALL_SCRIPT

  316.     echo '' >> $MESH_FIREWALL_SCRIPT

  317.     echo '# Drop bogons' >> $MESH_FIREWALL_SCRIPT

  318.     echo 'iptables -A INPUT -p tcp --tcp-flags ALL ALL -j DROP' >> $MESH_FIREWALL_SCRIPT

  319.     echo 'iptables -A INPUT -p tcp --tcp-flags ALL FIN,PSH,URG -j DROP' >> $MESH_FIREWALL_SCRIPT

  320.     echo 'iptables -A INPUT -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j DROP' >> $MESH_FIREWALL_SCRIPT

  321.     echo '' >> $MESH_FIREWALL_SCRIPT

  322.     echo '# Incoming malformed NULL packets:' >> $MESH_FIREWALL_SCRIPT

  323.     echo 'iptables -A INPUT -p tcp --tcp-flags ALL NONE -j DROP' >> $MESH_FIREWALL_SCRIPT

  324.     echo '' >> $MESH_FIREWALL_SCRIPT

  325.     echo "iptables -A INPUT -p tcp --dport $TOX_PORT -j ACCEPT" >> $MESH_FIREWALL_SCRIPT

  326.     echo "iptables -A INPUT -i $WIFI_INTERFACE -p udp --dport $ZERONET_PORT -j ACCEPT" >> $MESH_FIREWALL_SCRIPT

  327.     echo "iptables -A INPUT -i $WIFI_INTERFACE -p tcp --dport $ZERONET_PORT -j ACCEPT" >> $MESH_FIREWALL_SCRIPT

  328.     echo "iptables -A INPUT -i $WIFI_INTERFACE -p udp --dport $TRACKER_PORT -j ACCEPT" >> $MESH_FIREWALL_SCRIPT

  329.     echo "iptables -A INPUT -i $WIFI_INTERFACE -p tcp --dport $TRACKER_PORT -j ACCEPT" >> $MESH_FIREWALL_SCRIPT

  330.     echo "iptables -A INPUT -i $WIFI_INTERFACE -p udp --dport 1900 -j ACCEPT" >> $MESH_FIREWALL_SCRIPT

  331.     chmod +x $MESH_FIREWALL_SCRIPT

  332. 

  333.     echo '[Unit]' > $FIREWALL_FILENAME

  334.     echo 'Description=Mesh Firewall' >> $FIREWALL_FILENAME

  335.     echo '' >> $FIREWALL_FILENAME

  336.     echo '[Service]' >> $FIREWALL_FILENAME

  337.     echo 'Type=oneshot' >> $FIREWALL_FILENAME

  338.     echo 'ExecStart=/usr/bin/mesh-firewall' >> $FIREWALL_FILENAME

  339.     echo 'RemainAfterExit=no' >> $FIREWALL_FILENAME

  340.     echo '' >> $FIREWALL_FILENAME

  341.     echo 'TimeoutSec=30' >> $FIREWALL_FILENAME

  342.     echo '' >> $FIREWALL_FILENAME

  343.     echo '[Install]' >> $FIREWALL_FILENAME

  344.     echo 'WantedBy=multi-user.target' >> $FIREWALL_FILENAME

  345.     chmod +x $FIREWALL_FILENAME

  346.     chroot "$rootdir" systemctl enable meshfirewall

  347. }

  348. 

  349. function firewall_add {

  350.     firewall_name=$(echo "$1" | sed "s| |-|g")

  351.     firewall_port=$2

  352.     firewall_protocol="$3"

  353. 

  354.     if ! grep -q "${firewall_name}=${firewall_port}" $FIREWALL_CONFIG; then

  355.         echo "${firewall_name}=${firewall_port}" >> $FIREWALL_CONFIG

  356.         if [ ! ${firewall_protocol} ]; then

  357.             iptables -A INPUT -p udp --dport ${firewall_port} -j ACCEPT

  358.             iptables -A INPUT -p tcp --dport ${firewall_port} -j ACCEPT

  359.         else

  360.             if [[ "${firewall_protocol}" == *"udp"* ]]; then

  361.                 iptables -A INPUT -p udp --dport ${firewall_port} -j ACCEPT

  362.             fi

  363.             if [[ "${firewall_protocol}" == *"tcp"* ]]; then

  364.                 iptables -A INPUT -p tcp --dport ${firewall_port} -j ACCEPT

  365.             fi

  366.         fi

  367.         save_firewall_settings

  368.     fi

  369. }

  370. 

  371. function firewall_add_range {

  372.     firewall_name=$(echo "$1" | sed "s| |-|g")

  373.     firewall_port_start=$2

  374.     firewall_port_end=$3

  375.     firewall_protocol="$4"

  376. 

  377.     if ! grep -q "${firewall_name}=${firewall_port_start}:${firewall_port_end}" $FIREWALL_CONFIG; then

  378.         echo "${firewall_name}=${firewall_port_start}:${firewall_port_end}" >> $FIREWALL_CONFIG

  379.         if [ ! ${firewall_protocol} ]; then

  380.             iptables -A INPUT -p udp --dport ${firewall_port_start}:${firewall_port_end} -j ACCEPT

  381.             iptables -A INPUT -p tcp --dport ${firewall_port_start}:${firewall_port_end} -j ACCEPT

  382.         else

  383.             if [[ "${firewall_protocol}" == *"udp"* ]]; then

  384.                 iptables -A INPUT -p udp --dport ${firewall_port_start}:${firewall_port_end} -j ACCEPT

  385.             fi

  386.             if [[ "${firewall_protocol}" == *"tcp"* ]]; then

  387.                 iptables -A INPUT -p tcp --dport ${firewall_port_start}:${firewall_port_end} -j ACCEPT

  388.             fi

  389.         fi

  390.         save_firewall_settings

  391.     fi

  392. }

  393. 

  394. 

  395. function firewall_remove {

  396.     firewall_port=$1

  397.     firewall_protocol="$2"

  398. 

  399.     if [ ! -f $FIREWALL_CONFIG ]; then

  400.         return

  401.     fi

  402. 

  403.     if grep -q "=${firewall_port}" $FIREWALL_CONFIG; then

  404.         if [ ! ${firewall_protocol} ]; then

  405.             iptables -D INPUT -p udp --dport ${firewall_port} -j ACCEPT

  406.             iptables -D INPUT -p tcp --dport ${firewall_port} -j ACCEPT

  407.         else

  408.             if [[ "${firewall_protocol}" == *"udp"* ]]; then

  409.                 iptables -D INPUT -p udp --dport ${firewall_port} -j ACCEPT

  410.             fi

  411.             if [[ "${firewall_protocol}" == *"tcp"* ]]; then

  412.                 iptables -D INPUT -p tcp --dport ${firewall_port} -j ACCEPT

  413.             fi

  414.         fi

  415.         sed -i "/=${firewall_port}/d" $FIREWALL_CONFIG

  416.         save_firewall_settings

  417.     fi

  418. }

  419. 

  420. function domain_to_hex_string {

  421.     domain="$1"

  422.     ctr=1

  423.     segment=$(echo "$domain" | awk -F '.' -v value="$ctr" '{print $value}')

  424.     while [ ${#segment} -gt 0 ]

  425.     do

  426.         characters=$(echo -n "$segment" | wc -c)

  427.         hexnum=$(echo "obase=16; $characters" | bc)

  428.         echo -n "|"

  429.         if [ $(echo -n "$hexnum" | wc -c) -lt 2 ]; then

  430.             echo -n "0"

  431.         fi

  432.         echo -n "$hexnum|$segment"

  433.         ctr=$((ctr + 1))

  434.         segment=$(echo "$domain" | awk -F '.' -v value="$ctr" '{print $value}')

  435.     done

  436.     echo ""

  437. }

  438. 

  439. function firewall_block_domain {

  440.     blocked_domain="$1"

  441.     if ! grep "$blocked_domain" $FIREWALL_DOMAINS; then

  442.         hexstr=$(domain_to_hex_string $blocked_domain)

  443.         iptables -A INPUT -p udp --dport 53 -m string --hex-string "$hexstr" --algo bm -j DROP

  444.         iptables -A INPUT -p tcp --dport 53 -m string --hex-string "$hexstr" --algo bm -j DROP

  445.         iptables -A OUTPUT -p udp --dport 53 -m string --hex-string "$hexstr" --algo bm -j DROP

  446.         iptables -A OUTPUT -p tcp --dport 53 -m string --hex-string "$hexstr" --algo bm -j DROP

  447.         iptables -I FORWARD -p udp --dport 53 -m string --hex-string "$hexstr" --algo bm -j DROP

  448.         iptables -I FORWARD -p tcp --dport 53 -m string --hex-string "$hexstr" --algo bm -j DROP

  449.         echo "${blocked_domain}" >> $FIREWALL_DOMAINS

  450.         save_firewall_settings

  451. 

  452.         # run the blocking rules now

  453.         if [ -f /usr/bin/gnusocial-firewall ]; then

  454.             /usr/bin/gnusocial-firewall

  455.         fi

  456.         if [ -f /usr/bin/postactiv-firewall ]; then

  457.             /usr/bin/postactiv-firewall

  458.         fi

  459.     fi

  460. }

  461. 

  462. function firewall_unblock_domain {

  463.     unblocked_domain="$1"

  464.     if grep "${unblocked_domain}" $FIREWALL_DOMAINS; then

  465.         hexstr=$(domain_to_hex_string $unblocked_domain)

  466.         iptables -D INPUT -p udp --dport 53 -m string --hex-string "$hexstr" --algo bm -j DROP

  467.         iptables -D INPUT -p tcp --dport 53 -m string --hex-string "$hexstr" --algo bm -j DROP

  468.         iptables -D OUTPUT -p udp --dport 53 -m string --hex-string "$hexstr" --algo bm -j DROP

  469.         iptables -D OUTPUT -p tcp --dport 53 -m string --hex-string "$hexstr" --algo bm -j DROP

  470.         iptables -D FORWARD -p udp --dport 53 -m string --hex-string "$hexstr" --algo bm -j DROP

  471.         iptables -D FORWARD -p tcp --dport 53 -m string --hex-string "$hexstr" --algo bm -j DROP

  472.         sed -i "/${unblocked_domain}/d" $FIREWALL_DOMAINS

  473.         save_firewall_settings

  474.     fi

  475. }

  476. 

  477. function firewall_drop_spoofed_packets {

  478.     if [[ $(is_completed $FUNCNAME) == "1" ]]; then

  479.         return

  480.     fi

  481.     iptables -t mangle -A PREROUTING -s 224.0.0.0/3 -j DROP

  482.     iptables -t mangle -A PREROUTING -s 169.254.0.0/16 -j DROP

  483.     iptables -t mangle -A PREROUTING -s 172.16.0.0/12 -j DROP

  484.     iptables -t mangle -A PREROUTING -s 192.0.2.0/24 -j DROP

  485.     iptables -t mangle -A PREROUTING -s 10.0.0.0/8 -j DROP

  486.     iptables -t mangle -A PREROUTING -s 240.0.0.0/5 -j DROP

  487.     iptables -t mangle -A PREROUTING -s 127.0.0.0/8 ! -i lo -j DROP

  488.     function_check save_firewall_settings

  489.     save_firewall_settings

  490.     mark_completed $FUNCNAME

  491. }

  492. 

  493. function firewall_rate_limits {

  494.     if [[ $(is_completed $FUNCNAME) == "1" ]]; then

  495.         return

  496.     fi

  497. 

  498.     # Limit connections per source IP

  499.     iptables -A INPUT -p tcp -m connlimit --connlimit-above 111 -j REJECT --reject-with tcp-reset

  500. 

  501.     # Limit RST packets

  502.     iptables -A INPUT -p tcp --tcp-flags RST RST -m limit --limit 2/s --limit-burst 2 -j ACCEPT

  503.     iptables -A INPUT -p tcp --tcp-flags RST RST -j DROP

  504. 

  505.     # Limit new TCP connections per second per source IP

  506.     iptables -A INPUT -p tcp -m conntrack --ctstate NEW -m limit --limit 60/s --limit-burst 20 -j ACCEPT

  507.     iptables -A INPUT -p tcp -m conntrack --ctstate NEW -j DROP

  508. 

  509.     # SSH brute-force protection

  510.     iptables -A INPUT -p tcp --dport ssh -m conntrack --ctstate NEW -m recent --set

  511.     iptables -A INPUT -p tcp --dport ssh -m conntrack --ctstate NEW -m recent --update --seconds 60 --hitcount 10 -j DROP

  512. 

  513.     function_check save_firewall_settings

  514.     save_firewall_settings

  515.     mark_completed $FUNCNAME

  516. }

  517. 

  518. # NOTE: deliberately no exit 0