firewall: Log and drop spoofed loopback packets

Traffic from or to 127.0.0.0/8 must only appear on the loopback
interface, never on any other interface. This ensures offending packets
are logged, and that the loopback interface cannot be abused to process
traffic from or to any other network.

Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
This commit is contained in:
Peter Müller
2021-12-18 14:48:17 +01:00
parent 4d25c1f39a
commit a36cd34eac


@@ -80,6 +80,14 @@ iptables_init() {
fi fi
iptables -A NEWNOTSYN -j DROP -m comment --comment "DROP_NEWNOTSYN" iptables -A NEWNOTSYN -j DROP -m comment --comment "DROP_NEWNOTSYN"
# Log and subsequently drop spoofed packets or "martians", arriving from sources
# on interfaces where we don't expect them
iptables -N SPOOFED_MARTIAN
if [ "$DROPSPOOFEDMARTIAN" == "on" ]; then
iptables -A SPOOFED_MARTIAN -m limit --limit 10/second -j LOG --log-prefix "DROP_SPOOFED_MARTIAN "
fi
iptables -A SPOOFED_MARTIAN -j DROP -m comment --comment "DROP_SPOOFED_MARTIAN"
# Chain to contain all the rules relating to bad TCP flags # Chain to contain all the rules relating to bad TCP flags
iptables -N BADTCP iptables -N BADTCP
@@ -177,14 +185,18 @@ iptables_init() {
iptables -A INPUT -j ICMPINPUT iptables -A INPUT -j ICMPINPUT
iptables -A ICMPINPUT -p icmp --icmp-type 8 -j ACCEPT iptables -A ICMPINPUT -p icmp --icmp-type 8 -j ACCEPT
# Accept everything on loopback # Accept everything on loopback if source/destination is loopback space...
iptables -N LOOPBACK iptables -N LOOPBACK
iptables -A LOOPBACK -i lo -j ACCEPT iptables -A LOOPBACK -i lo -s 127.0.0.0/8 -j ACCEPT
iptables -A LOOPBACK -o lo -j ACCEPT iptables -A LOOPBACK -o lo -d 127.0.0.0/8 -j ACCEPT
# Filter all packets with loopback addresses on non-loopback interfaces. # ... and drop everything else on the loopback interface, since no other traffic should appear there
iptables -A LOOPBACK -s 127.0.0.0/8 -j DROP iptables -A LOOPBACK -i lo -j SPOOFED_MARTIAN
iptables -A LOOPBACK -d 127.0.0.0/8 -j DROP iptables -A LOOPBACK -o lo -j SPOOFED_MARTIAN
# Filter all packets with loopback addresses on non-loopback interfaces (spoofed)
iptables -A LOOPBACK -s 127.0.0.0/8 -j SPOOFED_MARTIAN
iptables -A LOOPBACK -d 127.0.0.0/8 -j SPOOFED_MARTIAN
for i in INPUT FORWARD OUTPUT; do for i in INPUT FORWARD OUTPUT; do
iptables -A ${i} -j LOOPBACK iptables -A ${i} -j LOOPBACK
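Review bot: The new catch-all rules `iptables -A LOOPBACK -i lo -j SPOOFED_MARTIAN` and `iptables -A LOOPBACK -o lo -j SPOOFED_MARTIAN` in the second hunk send every lo packet outside 127.0.0.0/8 to a DROP chain, but on Linux traffic between two addresses configured on the host itself (a local client connecting to the firewall's own GREEN or RED address, for instance) is also routed over lo with non-loopback addresses, so this presumably drops that traffic too and logs it at up to 10 lines per second. If that is intended, a comment stating it would help the next maintainer; otherwise the accept rules could admit any locally-owned address rather than only 127.0.0.0/8, e.g. `iptables -A LOOPBACK -i lo -m addrtype --src-type LOCAL --dst-type LOCAL -j ACCEPT` with the matching `-o lo` rule, placed before the catch-all rules. In the first hunk, `[ "$DROPSPOOFEDMARTIAN" == "on" ]` uses bash's `==` inside single brackets; `=` is the portable spelling and matches the POSIX test syntax. The enclosing function iptables_init starts and ends outside both hunks.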