webadmin/bpfire
1
0
Fork 0
mirror of https://github.com/vincentmli/bpfire.git synced 2026-04-10 11:05:54 +02:00
Code Issues Packages Projects Releases Wiki Activity

firewall: Log and drop spoofed loopback packets

Browse Source 
Traffic from and to 127.0.0.0/8 must only appear on the loopback
interface, never on any other interface. This ensures offending packets
are logged, and the loopback interface cannot be abused for processing
traffic from and to any other networks.

Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
This commit is contained in:
Peter Müller
2021-12-18 14:48:17 +01:00
parent 4d25c1f39a
commit a36cd34eac
1 changed files with 18 additions and 6 deletions
Download Patch File Download Diff File Expand all files Collapse all files

24
src/initscripts/system/firewall
View File

@@ -80,6 +80,14 @@ iptables_init() {
fi
iptables -A NEWNOTSYN -j DROP -m comment --comment "DROP_NEWNOTSYN"
# Log and subsequently drop spoofed packets or "martians", arriving from sources
# on interfaces where we don't expect them
iptables -N SPOOFED_MARTIAN
if [ "$DROPSPOOFEDMARTIAN" == "on" ]; then
iptables -A SPOOFED_MARTIAN -m limit --limit 10/second -j LOG --log-prefix "DROP_SPOOFED_MARTIAN "
fi
iptables -A SPOOFED_MARTIAN -j DROP -m comment --comment "DROP_SPOOFED_MARTIAN"
# Chain to contain all the rules relating to bad TCP flags
iptables -N BADTCP
@@ -177,14 +185,18 @@ iptables_init() {
iptables -A INPUT -j ICMPINPUT
iptables -A ICMPINPUT -p icmp --icmp-type 8 -j ACCEPT
# Accept everything on loopback
# Accept everything on loopback if source/destination is loopback space...
iptables -N LOOPBACK
iptables -A LOOPBACK -i lo -j ACCEPT
iptables -A LOOPBACK -o lo -j ACCEPT
iptables -A LOOPBACK -i lo -s 127.0.0.0/8 -j ACCEPT
iptables -A LOOPBACK -o lo -d 127.0.0.0/8 -j ACCEPT
# Filter all packets with loopback addresses on non-loopback interfaces.
iptables -A LOOPBACK -s 127.0.0.0/8 -j DROP
iptables -A LOOPBACK -d 127.0.0.0/8 -j DROP
# ... and drop everything else on the loopback interface, since no other traffic should appear there
iptables -A LOOPBACK -i lo -j SPOOFED_MARTIAN
iptables -A LOOPBACK -o lo -j SPOOFED_MARTIAN
# Filter all packets with loopback addresses on non-loopback interfaces (spoofed)
iptables -A LOOPBACK -s 127.0.0.0/8 -j SPOOFED_MARTIAN
iptables -A LOOPBACK -d 127.0.0.0/8 -j SPOOFED_MARTIAN
for i in INPUT FORWARD OUTPUT; do
iptables -A ${i} -j LOOPBACK