From c7c5e9814a8b3e6733308afa911f7bfbc3c46675 Mon Sep 17 00:00:00 2001 From: Benoit S Date: Wed, 22 Jul 2020 10:31:47 +0900 Subject: [PATCH] WIP: Added a way to block ASNs and IPs with ipset This is a work in progress to ban ASNs and IP addresses in an efficient way with `ipset`. More things in minifirewall could be replaced with `ipset`, like the HTTPSITE part, but for now I'm only focused on banning networks. Please review the code (I followed the current coding style), test it, and make comments! --- README.md | 38 ++++++++++++++++++++++++ minifirewall | 75 ++++++++++++++++++++++++++++++++++++++++++++++- minifirewall.conf | 19 ++++++++++++ 3 files changed, 131 insertions(+), 1 deletion(-) diff --git a/README.md b/README.md index 97e78cd..b01411f 100644 --- a/README.md +++ b/README.md @@ -38,6 +38,44 @@ If you want to add minifirewall in boot sequence: systemctl enable minifirewall ~~~ +## Ban a whole AS + +### Automatic way using an API + +Set the AS number you want to ban in BANNEDASNS. + +### Manual way + +The manual way is here only for reference. + +First find the AS for one IP address. +~~~ +$ whois IP | grep origin: +Or if no result, use a specific whois server +$ whois -h whois.radb.net IP | grep origin: +Or if no result, use a specific whois server +$ whois -h whois.cymru.com IP +~~~ + +Then, get the routes of this AS. +~~~ +$ whois -i origin ASNUMBER | grep route: +Or if no result, use a specific whois server +$ whois -h whois.radb.net -i origin ASNUMBER | grep route: +Or if no result, use a specific API +$ curl -qs https://asn.ipinfo.app/api/text/list/ASNUMBER +~~~ + +Finally, add a kernel set and DROP the set. + +~~~ +# ipset -N ASNUMBER hash:net family inet +# ipset -A ASNUMBER 192.0.2.0/24 +# ipset -A ASNUMBER 198.51.100.0/24 +# iptables -A INPUT -m set --match-set ASNUMBER src -j DROP +~~~ + + ## License This is an [Evolix](https://evolix.com) project and is licensed diff --git a/minifirewall b/minifirewall index 320fa49..ab66678 100755 
--- a/minifirewall +++ b/minifirewall @@ -38,6 +38,7 @@ NAME="minifirewall" # iptables paths IPT=/sbin/iptables IPT6=/sbin/ip6tables +IPSET=/sbin/ipset # TCP/IP variables LOOPBACK='127.0.0.0/8' @@ -57,6 +58,8 @@ configfile="/etc/default/minifirewall" IPV6=$(grep "IPV6=" /etc/default/minifirewall | awk -F '=' -F "'" '{print $2}') +WHOISSERVER="whois.radb.net" + case "$1" in start) @@ -104,15 +107,25 @@ for i in /proc/sys/net/ipv4/conf/*/log_martians; do echo 1 > $i done +# ipset init for banned IP addresses +$IPSET -N BANNED-IP4 hash:net family inet +$IPSET -N BANNED-IP6 hash:net family inet6 + # IPTables configuration ######################## $IPT -N LOG_DROP $IPT -A LOG_DROP -j LOG --log-prefix '[IPTABLES DROP] : ' $IPT -A LOG_DROP -j DROP +$IPT6 -N LOG_DROP +$IPT6 -A LOG_DROP -j LOG --log-prefix '[IPTABLES DROP] : ' +$IPT6 -A LOG_DROP -j DROP $IPT -N LOG_ACCEPT $IPT -A LOG_ACCEPT -j LOG --log-prefix '[IPTABLES ACCEPT] : ' $IPT -A LOG_ACCEPT -j ACCEPT +$IPT6 -N LOG_ACCEPT +$IPT6 -A LOG_ACCEPT -j LOG --log-prefix '[IPTABLES ACCEPT] : ' +$IPT6 -A LOG_ACCEPT -j ACCEPT if test -f $oldconfigfile; then @@ -134,6 +147,16 @@ if [ -s $tmpfile ]; then fi rm $tmpfile +# Banned IP addresses +$IPT -I INPUT -m set --match-set BANNED-IP4 src -j LOG_DROP +$IPT6 -I INPUT -m set --match-set BANNED-IP6 src -j LOG_DROP +# We reject with icmp-admin-prohibited to help sysadmins understand +# that the IP address is banned if maybe they forgot banning it +$IPT -I OUTPUT -m set --match-set BANNED-IP4 dst -j REJECT \ + --reject-with icmp-admin-prohibited +$IPT6 -I OUTPUT -m set --match-set BANNED-IP6 dst -j REJECT \ + --reject-with icmp6-adm-prohibited + # Trusted ip addresses $IPT -N ONLYTRUSTED $IPT -A ONLYTRUSTED -j LOG_DROP @@ -166,7 +189,6 @@ $IPT -A OUTPUT -o lo -j ACCEPT # $IPT -t NAT -I PREROUTING -s $LOOPBACK -i ! lo -j DROP $IPT -A INPUT -s $LOOPBACK ! -i lo -j DROP - # Local services restrictions ############################# 
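Review bot: The new ip6tables chains in the @@ -104 hunk (`$IPT6 -N LOG_DROP`, `$IPT6 -N LOG_ACCEPT` and their `-A` rules) are created unconditionally, whereas the file gates IPv6 rules on the IPV6 setting (`[ "$IPV6" != "off" ] && $IPT6 …` is visible in the @@ -281 hunk), so on a host with IPv6 off these calls only produce errors; the BANNED-IP6 rules in @@ -134 and the per-ASN ip6tables rules in @@ -281 have the same gap and would want the same `[ "$IPV6" != "off" ] &&` guard. The two `$IPSET -N BANNED-IP… hash:net` lines also lack `-exist`, so a second `start` without a `stop` logs an error per set while the later `-exist -A` calls succeed; `$IPSET -exist -N BANNED-IP4 hash:net family inet` (and the inet6 twin) keeps creation idempotent like the adds. The `start)` arm these lines belong to begins before this hunk and ends after it.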
@@ -281,6 +303,50 @@ for x in $NTPOK $IPT -A OUTPUT -o $INT -p udp -d $x --dport 123 --match state --state NEW -j ACCEPT done +# WHOIS authorizations +for x in $WHOISOK + do + $IPT -A INPUT -p udp --sport 43 -s $x -j ACCEPT + $IPT -A OUTPUT -o $INT -p udp -d $x --dport 43 --match state --state NEW -j ACCEPT + $IPT -A INPUT -p tcp ! --syn --sport 43 -s $x -j ACCEPT + done + +# IP addresses banned +for x in $BANNEDIPS + do + $IPSET -exist -A BANNED-IP4 $x + done + +# IPv6 addresses banned +for x in $BANNEDIPS6 + do + $IPSET -exist -A BANNED-IP6 $x + done + +# AS numbers banned +for x in $BANNEDASNS + do + # Init the set + $IPSET -N BANNED-AS4-${x} hash:net family inet + $IPSET -N BANNED-AS6-${x} hash:net family inet6 + # Get the route information of the ASN + ASN4LIST=$(whois -h $WHOISSERVER -i origin $x | grep route: | awk '{print $2}') + for ASN4 in $ASN4LIST + do + $IPSET -exist -A BANNED-AS4-${x} $ASN4 + done + ASN6LIST=$(whois -h $WHOISSERVER -i origin $x | grep route6: | awk '{print $2}') + for ASN6 in $ASN6LIST + do + $IPSET -exist -A BANNED-AS6-${x} $ASN6 + done + # Ban the set + $IPT -I INPUT -m set --match-set BANNED-AS4-${x} src -j LOG_DROP + $IPT -I OUTPUT -m set --match-set BANNED-AS4-${x} dst -j REJECT --reject-with icmp-admin-prohibited + $IPT6 -I INPUT -m set --match-set BANNED-AS6-${x} src -j LOG_DROP + $IPT6 -I OUTPUT -m set --match-set BANNED-AS6-${x} dst -j REJECT --reject-with icmp6-adm-prohibited + done + # Always allow ICMP $IPT -A INPUT -p icmp -j ACCEPT [ "$IPV6" != "off" ] && $IPT6 -A INPUT -p icmpv6 -j ACCEPT @@ -322,6 +388,8 @@ trap - INT TERM EXIT $IPT -F OUTPUT $IPT -F LOG_DROP $IPT -F LOG_ACCEPT + $IPT6 -F LOG_DROP + $IPT6 -F LOG_ACCEPT $IPT -F ONLYTRUSTED $IPT -F ONLYPRIVILEGIED $IPT -F NEEDRESTRICT 
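Review bot: The `for x in $BANNEDASNS` loop feeds whatever tokens `whois -h $WHOISSERVER -i origin $x | grep route: | awk '{print $2}'` returns straight into `$IPSET -exist -A BANNED-AS4-${x}` with no check that a token is a prefix; whois is a plaintext, unauthenticated TCP/43 service, so a wrong or tampered answer (a `0.0.0.0/0` or `::/0` line, for example) is installed as a DROP/REJECT on the host exactly like a real route, and an empty or failed answer silently installs rules against empty sets, which is fail-open with no log line. A per-token character whitelist before the `-A`, quoting of `$x` and the token, and a single whois call per ASN (the hunk queries each ASN twice) bound what reaches ipset; the rewritten loops are below and the following `# Ban the set` rules are unchanged. Separately, the `# WHOIS authorizations` block opens only `-p udp --dport 43` on OUTPUT and `tcp ! --syn --sport 43` on INPUT, but whois is TCP, so the outgoing connection needs `$IPT -A OUTPUT -o $INT -p tcp -d $x --dport 43 --match state --state NEW -j ACCEPT` (whether OUTPUT is restrictive by default is not visible in this hunk). The `$IPSET -N BANNED-AS…` lines lack `-exist` for the same reason as the BANNED-IP sets in the @@ -104 hunk, and the `case "$1"` arm containing this loop starts and ends outside the hunk.
```shell
  # Get the route information of the ASN (one whois query per ASN)
  ASNROUTES=$(whois -h "$WHOISSERVER" -i origin "$x")
  ASN4LIST=$(printf '%s\n' "$ASNROUTES" | grep route: | awk '{print $2}')
  for ASN4 in $ASN4LIST
    do
    # whois data is plaintext and unauthenticated: accept only a bare a.b.c.d/n token
    case "$ASN4" in
      *[!0-9./]*|"") printf '%s: ignoring unexpected route "%s"\n' "$x" "$ASN4" >&2; continue ;;
    esac
    $IPSET -exist -A "BANNED-AS4-${x}" "$ASN4"
    done
  ASN6LIST=$(printf '%s\n' "$ASNROUTES" | grep route6: | awk '{print $2}')
  for ASN6 in $ASN6LIST
    do
    case "$ASN6" in
      *[!0-9a-fA-F:/]*|"") printf '%s: ignoring unexpected route6 "%s"\n' "$x" "$ASN6" >&2; continue ;;
    esac
    $IPSET -exist -A "BANNED-AS6-${x}" "$ASN6"
    done
  # … unchanged: "Ban the set" iptables/ip6tables rules …
```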
@@ -342,10 +410,15 @@ trap - INT TERM EXIT # Delete non-standard chains $IPT -X LOG_DROP $IPT -X LOG_ACCEPT + $IPT6 -X LOG_DROP + $IPT6 -X LOG_ACCEPT $IPT -X ONLYPRIVILEGIED $IPT -X ONLYTRUSTED $IPT -X NEEDRESTRICT + # Destroy all ipset + $IPSET destroy + echo "...flushing IPTables rules is now finish : OK" ;; diff --git a/minifirewall.conf b/minifirewall.conf index 2599124..1749230 100644 --- a/minifirewall.conf +++ b/minifirewall.conf @@ -70,6 +70,25 @@ SMTPSECUREOK='' # NTP authorizations NTPOK='0.0.0.0/0' +# WHOIS authorizations +WHOISOK='0.0.0.0/0' + +# IP addresses ban +# you can add an IP address on the BANNED set without restarting +# minifirewall, example: ipset -A BANNED-IP4 192.0.2.0 +BANNEDIPS='192.0.2.0' + +# IPv6 addresses ban +# you can add an IPv6 address on the BANNED set without restarting +# minifirewall, example: ipset -A BANNED-IP6 2001:db8::0 +BANNEDIPS6='2001:db8::0' + +# AS Numbers ban +# Be aware that minifirewall will get the route information at every +# restart and if you ban many ASNs it may take time +# Use with parsimony +# Read the README.md for an explanation +BANNEDASNS='' # IPv6 Specific rules #####################
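Review bot: `$IPSET destroy` with no set name destroys every set in the kernel, not only the `BANNED-*` sets this script creates, so a `stop` would also remove sets that other tooling on the host may maintain (nothing here shows whether such sets exist, so this is a guess); limiting it to the script's own sets, `for s in $($IPSET list -n | grep '^BANNED-'); do $IPSET destroy "$s"; done`, keeps stop symmetric with start. `destroy` also fails for any set still referenced by a rule: the IPv4 chains are flushed in the @@ -322 hunk, but no `$IPT6 -F INPUT` / `$IPT6 -F OUTPUT` appears in either stop hunk, so the BANNED-IP6 and BANNED-AS6 sets may still be referenced when destroy runs unless those flushes exist outside the hunks. The `stop)` arm begins before this hunk and its `;;` closes it here.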
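Review bot: `BANNEDIPS='192.0.2.0'` and `BANNEDIPS6='2001:db8::0'` are shipped as live values, so a default install populates the ban sets and REJECTs outgoing traffic to those two addresses, whereas `BANNEDASNS=''` in the same hunk ships empty; keeping the example in the comment and the value empty (`BANNEDIPS=''`, `BANNEDIPS6=''`) would make the three knobs consistent. `WHOISSERVER` is hard-coded in the script (the @@ -57 hunk of minifirewall) rather than exposed here next to `WHOISOK`, although it is the one site-specific setting of the ASN feature and the host the ban lists are fetched from. `# Use with parsimony` reads oddly; `# Use sparingly` says the same.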