WIP: Added a way to block ASNs and IPs with ipset
This is a work in progress to ban ASNs and IP addresses in an efficient way with `ipset`. More things in minifirewall could be replaced with `ipset`, like the HTTPSITE part, but for now I'm only focused on banning networks. Please review the code (I followed the current coding style), test it, and make comments!
This commit is contained in:
parent
30041b8949
commit
c7c5e9814a
38
README.md
38
README.md
|
@ -38,6 +38,44 @@ If you want to add minifirewall in boot sequence:
|
|||
systemctl enable minifirewall
|
||||
~~~
|
||||
|
||||
## Ban a whole AS
|
||||
|
||||
### Automatic way using an API
|
||||
|
||||
Set the AS number you want to ban in BANNEDASNS.
|
||||
|
||||
### Manual way
|
||||
|
||||
The manual way is here only for reference.
|
||||
|
||||
First find the AS for one IP address.
|
||||
~~~
|
||||
$ whois IP | grep origin:
|
||||
Or if no result, use a specific whois server
|
||||
$ whois -h whois.radb.net IP | grep origin:
|
||||
Or if no result, use a specific whois server
|
||||
$ whois -h whois.cymru.com IP
|
||||
~~~
|
||||
|
||||
Then, get the routes of this AS.
|
||||
~~~
|
||||
$ whois -i origin ASNUMBER | grep route:
|
||||
Or if no result, use a specific whois server
|
||||
$ whois -h whois.radb.net -i origin ASNUMBER | grep route:
|
||||
Or if no result, use a specific API
|
||||
$ curl -qs https://asn.ipinfo.app/api/text/list/ASNUMBER
|
||||
~~~
|
||||
|
||||
Finally, add a kernel set and DROP the set.
|
||||
|
||||
~~~
|
||||
# ipset -N ASNUMBER hash:net family inet
|
||||
# ipset -A ASNUMBER 192.0.2.0/24
|
||||
# ipset -A ASNUMBER 198.51.100.0/24
|
||||
# iptables -A INPUT -m set --match-set ASNUMBER src -j DROP
|
||||
~~~
|
||||
|
||||
|
||||
## License
|
||||
|
||||
This is an [Evolix](https://evolix.com) project and is licensed
|
||||
|
|
75
minifirewall
75
minifirewall
|
@ -38,6 +38,7 @@ NAME="minifirewall"
|
|||
# iptables paths
|
||||
IPT=/sbin/iptables
|
||||
IPT6=/sbin/ip6tables
|
||||
IPSET=/sbin/ipset
|
||||
|
||||
# TCP/IP variables
|
||||
LOOPBACK='127.0.0.0/8'
|
||||
|
@ -57,6 +58,8 @@ configfile="/etc/default/minifirewall"
|
|||
|
||||
IPV6=$(grep "IPV6=" /etc/default/minifirewall | awk -F '=' -F "'" '{print $2}')
|
||||
|
||||
WHOISSERVER="whois.radb.net"
|
||||
|
||||
case "$1" in
|
||||
start)
|
||||
|
||||
|
@ -104,15 +107,25 @@ for i in /proc/sys/net/ipv4/conf/*/log_martians; do
|
|||
echo 1 > $i
|
||||
done
|
||||
|
||||
# ipset init for banned IP addresses
|
||||
$IPSET -N BANNED-IP4 hash:net family inet
|
||||
$IPSET -N BANNED-IP6 hash:net family inet6
|
||||
|
||||
# IPTables configuration
|
||||
########################
|
||||
|
||||
$IPT -N LOG_DROP
|
||||
$IPT -A LOG_DROP -j LOG --log-prefix '[IPTABLES DROP] : '
|
||||
$IPT -A LOG_DROP -j DROP
|
||||
$IPT6 -N LOG_DROP
|
||||
$IPT6 -A LOG_DROP -j LOG --log-prefix '[IPTABLES DROP] : '
|
||||
$IPT6 -A LOG_DROP -j DROP
|
||||
$IPT -N LOG_ACCEPT
|
||||
$IPT -A LOG_ACCEPT -j LOG --log-prefix '[IPTABLES ACCEPT] : '
|
||||
$IPT -A LOG_ACCEPT -j ACCEPT
|
||||
$IPT6 -N LOG_ACCEPT
|
||||
$IPT6 -A LOG_ACCEPT -j LOG --log-prefix '[IPTABLES ACCEPT] : '
|
||||
$IPT6 -A LOG_ACCEPT -j ACCEPT
|
||||
|
||||
|
||||
if test -f $oldconfigfile; then
|
||||
|
@ -134,6 +147,16 @@ if [ -s $tmpfile ]; then
|
|||
fi
|
||||
rm $tmpfile
|
||||
|
||||
# Banned IP addresses
|
||||
$IPT -I INPUT -m set --match-set BANNED-IP4 src -j LOG_DROP
|
||||
$IPT6 -I INPUT -m set --match-set BANNED-IP6 src -j LOG_DROP
|
||||
# We reject with icmp-admin-prohibited to help sysadmins understand
|
||||
# that the IP address is banned if maybe they forgot banning it
|
||||
$IPT -I OUTPUT -m set --match-set BANNED-IP4 dst -j REJECT \
|
||||
--reject-with icmp-admin-prohibited
|
||||
$IPT6 -I OUTPUT -m set --match-set BANNED-IP6 dst -j REJECT \
|
||||
--reject-with icmp6-adm-prohibited
|
||||
|
||||
# Trusted ip addresses
|
||||
$IPT -N ONLYTRUSTED
|
||||
$IPT -A ONLYTRUSTED -j LOG_DROP
|
||||
|
@ -166,7 +189,6 @@ $IPT -A OUTPUT -o lo -j ACCEPT
|
|||
# $IPT -t NAT -I PREROUTING -s $LOOPBACK -i ! lo -j DROP
|
||||
$IPT -A INPUT -s $LOOPBACK ! -i lo -j DROP
|
||||
|
||||
|
||||
# Local services restrictions
|
||||
#############################
|
||||
|
||||
|
@ -281,6 +303,50 @@ for x in $NTPOK
|
|||
$IPT -A OUTPUT -o $INT -p udp -d $x --dport 123 --match state --state NEW -j ACCEPT
|
||||
done
|
||||
|
||||
# WHOIS authorizations
|
||||
for x in $WHOISOK
|
||||
do
|
||||
$IPT -A INPUT -p udp --sport 43 -s $x -j ACCEPT
|
||||
$IPT -A OUTPUT -o $INT -p udp -d $x --dport 43 --match state --state NEW -j ACCEPT
|
||||
$IPT -A INPUT -p tcp ! --syn --sport 43 -s $x -j ACCEPT
|
||||
done
|
||||
|
||||
# IP addresses banned
|
||||
for x in $BANNEDIPS
|
||||
do
|
||||
$IPSET -exist -A BANNED-IP4 $x
|
||||
done
|
||||
|
||||
# IPv6 addresses banned
|
||||
for x in $BANNEDIPS6
|
||||
do
|
||||
$IPSET -exist -A BANNED-IP6 $x
|
||||
done
|
||||
|
||||
# AS numbers banned
|
||||
for x in $BANNEDASNS
|
||||
do
|
||||
# Init the set
|
||||
$IPSET -N BANNED-AS4-${x} hash:net family inet
|
||||
$IPSET -N BANNED-AS6-${x} hash:net family inet6
|
||||
# Get the route information of the ASN
|
||||
ASN4LIST=$(whois -h $WHOISSERVER -i origin $x | grep route: | awk '{print $2}')
|
||||
for ASN4 in $ASN4LIST
|
||||
do
|
||||
$IPSET -exist -A BANNED-AS4-${x} $ASN4
|
||||
done
|
||||
ASN6LIST=$(whois -h $WHOISSERVER -i origin $x | grep route6: | awk '{print $2}')
|
||||
for ASN6 in $ASN6LIST
|
||||
do
|
||||
$IPSET -exist -A BANNED-AS6-${x} $ASN6
|
||||
done
|
||||
# Ban the set
|
||||
$IPT -I INPUT -m set --match-set BANNED-AS4-${x} src -j LOG_DROP
|
||||
$IPT -I OUTPUT -m set --match-set BANNED-AS4-${x} dst -j REJECT --reject-with icmp-admin-prohibited
|
||||
$IPT6 -I INPUT -m set --match-set BANNED-AS6-${x} src -j LOG_DROP
|
||||
$IPT6 -I OUTPUT -m set --match-set BANNED-AS6-${x} dst -j REJECT --reject-with icmp6-adm-prohibited
|
||||
done
|
||||
|
||||
# Always allow ICMP
|
||||
$IPT -A INPUT -p icmp -j ACCEPT
|
||||
[ "$IPV6" != "off" ] && $IPT6 -A INPUT -p icmpv6 -j ACCEPT
|
||||
|
@ -322,6 +388,8 @@ trap - INT TERM EXIT
|
|||
$IPT -F OUTPUT
|
||||
$IPT -F LOG_DROP
|
||||
$IPT -F LOG_ACCEPT
|
||||
$IPT6 -F LOG_DROP
|
||||
$IPT6 -F LOG_ACCEPT
|
||||
$IPT -F ONLYTRUSTED
|
||||
$IPT -F ONLYPRIVILEGIED
|
||||
$IPT -F NEEDRESTRICT
|
||||
|
@ -342,10 +410,15 @@ trap - INT TERM EXIT
|
|||
# Delete non-standard chains
|
||||
$IPT -X LOG_DROP
|
||||
$IPT -X LOG_ACCEPT
|
||||
$IPT6 -X LOG_DROP
|
||||
$IPT6 -X LOG_ACCEPT
|
||||
$IPT -X ONLYPRIVILEGIED
|
||||
$IPT -X ONLYTRUSTED
|
||||
$IPT -X NEEDRESTRICT
|
||||
|
||||
# Destroy all ipset
|
||||
$IPSET destroy
|
||||
|
||||
echo "...flushing IPTables rules is now finish : OK"
|
||||
;;
|
||||
|
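Review bot: In the BANNEDASNS loop, the prefixes handed to `$IPSET -exist -A` come straight from a remote whois answer with no validation, and `grep route:` is unanchored, so any line that merely mentions `route:` (a remarks or descr field, for example) has its second word passed to ipset; a malformed token aborts the start sequence if `set -e` is active (not visible here), and an overly broad prefix blocks far more than the intended AS. Anchor the match and accept only CIDR-shaped tokens, e.g. `ASN4LIST=$(whois -h "$WHOISSERVER" -i origin "$x" | awk '$1=="route:" && $2 ~ /^[0-9.]+\/[0-9]+$/ {print $2}')` with the equivalent `route6:` / `[0-9a-fA-F:]+` form for IPv6, which also collapses the `grep | awk` pair, and the second whois query can reuse the first answer instead of asking the server twice. Because this runs inside `start)`, a slow or unreachable `$WHOISSERVER` now delays the firewall coming up and an empty answer silently produces an empty set, so a warning to stderr when a list is empty would make that failure mode visible. The BANNED-IP6 and BANNED-AS6 sets and rules are created unconditionally while the `icmpv6` rule just below is guarded by `[ "$IPV6" != "off" ]`; presumably they should follow the same guard, and `$IPSET -N` for the BANNED-IP4/IP6 sets lacks the `-exist` the `-A` calls use, so a restart after an interrupted stop fails there. In the stop branch, `$IPSET destroy` with no set name removes every set on the host, including ones other tools own; `$IPSET list -n | grep '^BANNED-' | xargs -r -n1 $IPSET destroy` limits it to minifirewall's own sets.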
||||
|
|
|
@ -70,6 +70,25 @@ SMTPSECUREOK=''
|
|||
# NTP authorizations
|
||||
NTPOK='0.0.0.0/0'
|
||||
|
||||
# WHOIS authorizations
|
||||
WHOISOK='0.0.0.0/0'
|
||||
|
||||
# IP addresses ban
|
||||
# you can add an IP address on the BANNED set without restarting
|
||||
# minifirewall, example: ipset -A BANNED-IP4 192.0.2.0
|
||||
BANNEDIPS='192.0.2.0'
|
||||
|
||||
# IPv6 addresses ban
|
||||
# you can add an IPv6 address on the BANNED set without restarting
|
||||
# minifirewall, example: ipset -A BANNED-IP6 2001:db8::0
|
||||
BANNEDIPS6='2001:db8::0'
|
||||
|
||||
# AS Numbers ban
|
||||
# Be aware that minifirewall will get the route information at every
|
||||
# restart and if you ban many ASNs it may take time
|
||||
# Use with parsimony
|
||||
# Read the README.md for an explanation
|
||||
BANNEDASNS=''
|
||||
|
||||
# IPv6 Specific rules
|
||||
#####################
|
||||
|
|