
WIP: Added a way to block ASNs and IPs with ipset

This is a work in progress to ban ASNs and IP addresses in an efficient
way with `ipset`.
More things in minifirewall could be replaced with `ipset`, like the
HTTPSITE part, but for now I'm only focused on banning networks.

Please review the code (I followed the current coding style), test it,
and make comments!
ipset-denylist
Benoît S. 10 months ago
parent
commit
c7c5e9814a
  1. 38
      README.md
  2. 75
      minifirewall
  3. 19
      minifirewall.conf

38
README.md

@ -38,6 +38,44 @@ If you want to add minifirewall in boot sequence:
systemctl enable minifirewall
~~~
## Ban a whole AS
### Automatic way using an API
Set the AS number you want to ban in BANNEDASNS.
### Manual way
The manual way is here only for reference.
First find the AS for one IP address.
~~~
$ whois IP | grep origin:
Or if no result, use a specific whois server
$ whois -h whois.radb.net IP | grep origin:
Or if no result, use a specific whois server
$ whois -h whois.cymru.com IP
~~~
Then, get the routes of this AS.
~~~
$ whois -i origin ASNUMBER | grep route:
Or if no result, use a specific whois server
$ whois -h whois.radb.net -i origin ASNUMBER | grep route:
Or if no result, use a specific API
$ curl -qs https://asn.ipinfo.app/api/text/list/ASNUMBER
~~~
Finally, add a kernel set and DROP the set.
~~~
# ipset -N ASNUMBER hash:net family inet
# ipset -A ASNUMBER 192.0.2.0/24
# ipset -A ASNUMBER 198.51.100.0/24
# iptables -A INPUT -m set --match-set ASNUMBER src -j DROP
~~~
## License
This is an [Evolix](https://evolix.com) project and is licensed

75
minifirewall

@ -38,6 +38,7 @@ NAME="minifirewall"
# iptables paths
IPT=/sbin/iptables
IPT6=/sbin/ip6tables
IPSET=/sbin/ipset
# TCP/IP variables
LOOPBACK='127.0.0.0/8'
@ -57,6 +58,8 @@ configfile="/etc/default/minifirewall"
IPV6=$(grep "IPV6=" /etc/default/minifirewall | awk -F '=' -F "'" '{print $2}')
WHOISSERVER="whois.radb.net"
case "$1" in
start)
@ -104,15 +107,25 @@ for i in /proc/sys/net/ipv4/conf/*/log_martians; do
echo 1 > $i
done
# ipset init for banned IP addresses
$IPSET -N BANNED-IP4 hash:net family inet
$IPSET -N BANNED-IP6 hash:net family inet6
# IPTables configuration
########################
$IPT -N LOG_DROP
$IPT -A LOG_DROP -j LOG --log-prefix '[IPTABLES DROP] : '
$IPT -A LOG_DROP -j DROP
$IPT6 -N LOG_DROP
$IPT6 -A LOG_DROP -j LOG --log-prefix '[IPTABLES DROP] : '
$IPT6 -A LOG_DROP -j DROP
$IPT -N LOG_ACCEPT
$IPT -A LOG_ACCEPT -j LOG --log-prefix '[IPTABLES ACCEPT] : '
$IPT -A LOG_ACCEPT -j ACCEPT
$IPT6 -N LOG_ACCEPT
$IPT6 -A LOG_ACCEPT -j LOG --log-prefix '[IPTABLES ACCEPT] : '
$IPT6 -A LOG_ACCEPT -j ACCEPT
if test -f $oldconfigfile; then
@ -134,6 +147,16 @@ if [ -s $tmpfile ]; then
fi
rm $tmpfile
# Banned IP addresses
$IPT -I INPUT -m set --match-set BANNED-IP4 src -j LOG_DROP
$IPT6 -I INPUT -m set --match-set BANNED-IP6 src -j LOG_DROP
# We reject with icmp-admin-prohibited to help sysadmins understand
# that the IP address is banned if maybe they forgot banning it
$IPT -I OUTPUT -m set --match-set BANNED-IP4 dst -j REJECT \
--reject-with icmp-admin-prohibited
$IPT6 -I OUTPUT -m set --match-set BANNED-IP6 dst -j REJECT \
--reject-with icmp6-adm-prohibited
# Trusted ip addresses
$IPT -N ONLYTRUSTED
$IPT -A ONLYTRUSTED -j LOG_DROP
@ -166,7 +189,6 @@ $IPT -A OUTPUT -o lo -j ACCEPT
# $IPT -t NAT -I PREROUTING -s $LOOPBACK -i ! lo -j DROP
$IPT -A INPUT -s $LOOPBACK ! -i lo -j DROP
# Local services restrictions
#############################
@ -281,6 +303,50 @@ for x in $NTPOK
$IPT -A OUTPUT -o $INT -p udp -d $x --dport 123 --match state --state NEW -j ACCEPT
done
# WHOIS authorizations
for x in $WHOISOK
do
$IPT -A INPUT -p udp --sport 43 -s $x -j ACCEPT
$IPT -A OUTPUT -o $INT -p udp -d $x --dport 43 --match state --state NEW -j ACCEPT
$IPT -A INPUT -p tcp ! --syn --sport 43 -s $x -j ACCEPT
done
# IP addresses banned
for x in $BANNEDIPS
do
$IPSET -exist -A BANNED-IP4 $x
done
# IPv6 addresses banned
for x in $BANNEDIPS6
do
$IPSET -exist -A BANNED-IP6 $x
done
# AS numbers banned
for x in $BANNEDASNS
do
# Init the set
$IPSET -N BANNED-AS4-${x} hash:net family inet
$IPSET -N BANNED-AS6-${x} hash:net family inet6
# Get the route information of the ASN
ASN4LIST=$(whois -h $WHOISSERVER -i origin $x | grep route: | awk '{print $2}')
for ASN4 in $ASN4LIST
do
$IPSET -exist -A BANNED-AS4-${x} $ASN4
done
ASN6LIST=$(whois -h $WHOISSERVER -i origin $x | grep route6: | awk '{print $2}')
for ASN6 in $ASN6LIST
do
$IPSET -exist -A BANNED-AS6-${x} $ASN6
done
# Ban the set
$IPT -I INPUT -m set --match-set BANNED-AS4-${x} src -j LOG_DROP
$IPT -I OUTPUT -m set --match-set BANNED-AS4-${x} dst -j REJECT --reject-with icmp-admin-prohibited
$IPT6 -I INPUT -m set --match-set BANNED-AS6-${x} src -j LOG_DROP
$IPT6 -I OUTPUT -m set --match-set BANNED-AS6-${x} dst -j REJECT --reject-with icmp6-adm-prohibited
done
# Always allow ICMP
$IPT -A INPUT -p icmp -j ACCEPT
[ "$IPV6" != "off" ] && $IPT6 -A INPUT -p icmpv6 -j ACCEPT
@ -322,6 +388,8 @@ trap - INT TERM EXIT
$IPT -F OUTPUT
$IPT -F LOG_DROP
$IPT -F LOG_ACCEPT
$IPT6 -F LOG_DROP
$IPT6 -F LOG_ACCEPT
$IPT -F ONLYTRUSTED
$IPT -F ONLYPRIVILEGIED
$IPT -F NEEDRESTRICT
@ -342,10 +410,15 @@ trap - INT TERM EXIT
# Delete non-standard chains
$IPT -X LOG_DROP
$IPT -X LOG_ACCEPT
$IPT6 -X LOG_DROP
$IPT6 -X LOG_ACCEPT
$IPT -X ONLYPRIVILEGIED
$IPT -X ONLYTRUSTED
$IPT -X NEEDRESTRICT
# Destroy all ipset
$IPSET destroy
echo "...flushing IPTables rules is now finish : OK"
;;
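Review bot: In hunk `@ -281,6 +303,50` the AS ban fails open silently: when `whois -h $WHOISSERVER -i origin $x` returns nothing (server unreachable, unknown ASN, or — at start time — name resolution or port 43 not yet usable), ASN4LIST and ASN6LIST are empty, BANNED-AS4-${x}/BANNED-AS6-${x} are created empty and the four `-I` rules match nothing, with no message to the operator. The query is also issued twice per ASN (once for `route:`, once for `route6:`), doubling the delay the conf comment already warns about, and the unanchored `grep route:` can match that string inside other attribute lines. The change below captures the answer once, warns on stderr when it is empty, and anchors the field match; the ipset -A loops and iptables rules are unchanged, and the enclosing `start)` arm begins outside the hunk. Whether an empty answer should abort start rather than only warn is a policy choice worth stating in the `# AS numbers banned` comment. Separately, in `@ -342,10 +410,15`, `$IPSET destroy` with no set name removes every set on the host, not only the BANNED-* ones, so sets kept by other tools are lost on stop; destroying the minifirewall sets by name avoids that.
```shell
# … unchanged: ipset -N BANNED-AS4-${x} / BANNED-AS6-${x} …
# One whois query per ASN; warn instead of silently continuing when it returns nothing
ASNROUTES=$(whois -h $WHOISSERVER -i origin $x)
if [ -z "$ASNROUTES" ]; then
    echo "minifirewall: no route data for $x from $WHOISSERVER, BANNED-AS sets stay empty" >&2
fi
ASN4LIST=$(echo "$ASNROUTES" | grep '^route:' | awk '{print $2}')
ASN6LIST=$(echo "$ASNROUTES" | grep '^route6:' | awk '{print $2}')
# … unchanged: ipset -exist -A loops and the four iptables -I rules …
```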

19
minifirewall.conf

@ -70,6 +70,25 @@ SMTPSECUREOK=''
# NTP authorizations
NTPOK='0.0.0.0/0'
# WHOIS authorizations
WHOISOK='0.0.0.0/0'
# IP addresses ban
# you can add an IP address on the BANNED set without restarting
# minifirewall, example: ipset -A BANNED-IP4 192.0.2.0
BANNEDIPS='192.0.2.0'
# IPv6 addresses ban
# you can add an IPv6 address on the BANNED set without restarting
# minifirewall, example: ipset -A BANNED-IP6 2001:db8::0
BANNEDIPS6='2001:db8::0'
# AS Numbers ban
# Be aware that minifirewall will get the route information at every
# restart and if you ban many ASNs it may take time
# Use with parsimony
# Read the README.md for an explanation
BANNEDASNS=''
# IPv6 Specific rules
#####################
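Review bot: The comments on BANNEDIPS and BANNEDIPS6 in hunk `@ -70,6 +70,25` say an address can be added to the set without restarting, but do not say that such entries are lost on stop/restart, since the stop arm in minifirewall destroys the sets and start re-creates them from this file; add `# entries added by hand are lost on stop/restart, put permanent bans here`. Because the sets are created as hash:net, the comment could also note that CIDR prefixes are accepted, not only single addresses. The shipped defaults '192.0.2.0' and '2001:db8::0' are documentation-reserved addresses, which is fine as examples, but the comment should say so explicitly so operators do not read them as required entries.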
