WIP: Added a way to block ASNs and IPs with ipset

This is a work in progress to ban ASNs and IP addresses in an efficient
way with `ipset`.
More things in minifirewall could be replaced with `ipset`, like the
HTTPSITE part, but for now I'm only focused on banning networks.

Please review the code (I followed the current coding style), test it,
and make comments!
This commit is contained in:
Benoît S. 2020-07-22 10:31:47 +09:00
parent 30041b8949
commit c7c5e9814a
3 changed files with 131 additions and 1 deletions


@ -38,6 +38,44 @@ If you want to add minifirewall in boot sequence:
systemctl enable minifirewall
~~~
## Ban a whole AS
### Automatic way using an API
Set the AS number you want to ban in BANNEDASNS.
### Manual way
The manual way is here only for reference.
First find the AS for one IP address.
~~~
$ whois IP | grep origin:
Or if no result, use a specific whois server
$ whois -h whois.radb.net IP | grep origin:
Or if no result, use a specific whois server
$ whois -h whois.cymru.com IP
~~~
Then, get the routes of this AS.
~~~
$ whois -i origin ASNUMBER | grep route:
Or if no result, use a specific whois server
$ whois -h whois.radb.net -i origin ASNUMBER | grep route:
Or if no result, use a specific API
$ curl -qs https://asn.ipinfo.app/api/text/list/ASNUMBER
~~~
Finally, add a kernel set and DROP the set.
~~~
# ipset -N ASNUMBER hash:net family inet
# ipset -A ASNUMBER 192.0.2.0/24
# ipset -A ASNUMBER 198.51.100.0/24
# iptables -A INPUT -m set --match-set ASNUMBER src -j DROP
~~~
## License
This is an [Evolix](https://evolix.com) project and is licensed


@ -38,6 +38,7 @@ NAME="minifirewall"
# iptables paths
IPT=/sbin/iptables
IPT6=/sbin/ip6tables
IPSET=/sbin/ipset
# TCP/IP variables
LOOPBACK='127.0.0.0/8'
@ -57,6 +58,8 @@ configfile="/etc/default/minifirewall"
IPV6=$(grep "IPV6=" /etc/default/minifirewall | awk -F '=' -F "'" '{print $2}')
WHOISSERVER="whois.radb.net"
case "$1" in
start)
@ -104,15 +107,25 @@ for i in /proc/sys/net/ipv4/conf/*/log_martians; do
echo 1 > $i
done
# ipset init for banned IP addresses
$IPSET -N BANNED-IP4 hash:net family inet
$IPSET -N BANNED-IP6 hash:net family inet6
# IPTables configuration
########################
$IPT -N LOG_DROP
$IPT -A LOG_DROP -j LOG --log-prefix '[IPTABLES DROP] : '
$IPT -A LOG_DROP -j DROP
$IPT6 -N LOG_DROP
$IPT6 -A LOG_DROP -j LOG --log-prefix '[IPTABLES DROP] : '
$IPT6 -A LOG_DROP -j DROP
$IPT -N LOG_ACCEPT
$IPT -A LOG_ACCEPT -j LOG --log-prefix '[IPTABLES ACCEPT] : '
$IPT -A LOG_ACCEPT -j ACCEPT
$IPT6 -N LOG_ACCEPT
$IPT6 -A LOG_ACCEPT -j LOG --log-prefix '[IPTABLES ACCEPT] : '
$IPT6 -A LOG_ACCEPT -j ACCEPT
if test -f $oldconfigfile; then
@ -134,6 +147,16 @@ if [ -s $tmpfile ]; then
fi
rm $tmpfile
# Banned IP addresses
$IPT -I INPUT -m set --match-set BANNED-IP4 src -j LOG_DROP
$IPT6 -I INPUT -m set --match-set BANNED-IP6 src -j LOG_DROP
# We reject with icmp-admin-prohibited to help sysadmins understand
# that the IP address is banned if maybe they forgot banning it
$IPT -I OUTPUT -m set --match-set BANNED-IP4 dst -j REJECT \
--reject-with icmp-admin-prohibited
$IPT6 -I OUTPUT -m set --match-set BANNED-IP6 dst -j REJECT \
--reject-with icmp6-adm-prohibited
# Trusted ip addresses
$IPT -N ONLYTRUSTED
$IPT -A ONLYTRUSTED -j LOG_DROP
@ -166,7 +189,6 @@ $IPT -A OUTPUT -o lo -j ACCEPT
# $IPT -t NAT -I PREROUTING -s $LOOPBACK -i ! lo -j DROP
$IPT -A INPUT -s $LOOPBACK ! -i lo -j DROP
# Local services restrictions
#############################
@ -281,6 +303,50 @@ for x in $NTPOK
$IPT -A OUTPUT -o $INT -p udp -d $x --dport 123 --match state --state NEW -j ACCEPT
done
# WHOIS authorizations
for x in $WHOISOK
do
$IPT -A INPUT -p udp --sport 43 -s $x -j ACCEPT
$IPT -A OUTPUT -o $INT -p udp -d $x --dport 43 --match state --state NEW -j ACCEPT
$IPT -A INPUT -p tcp ! --syn --sport 43 -s $x -j ACCEPT
done
# IP addresses banned
for x in $BANNEDIPS
do
$IPSET -exist -A BANNED-IP4 $x
done
# IPv6 addresses banned
for x in $BANNEDIPS6
do
$IPSET -exist -A BANNED-IP6 $x
done
# AS numbers banned
for x in $BANNEDASNS
do
# Init the set
$IPSET -N BANNED-AS4-${x} hash:net family inet
$IPSET -N BANNED-AS6-${x} hash:net family inet6
# Get the route information of the ASN
ASN4LIST=$(whois -h $WHOISSERVER -i origin $x | grep route: | awk '{print $2}')
for ASN4 in $ASN4LIST
do
$IPSET -exist -A BANNED-AS4-${x} $ASN4
done
ASN6LIST=$(whois -h $WHOISSERVER -i origin $x | grep route6: | awk '{print $2}')
for ASN6 in $ASN6LIST
do
$IPSET -exist -A BANNED-AS6-${x} $ASN6
done
# Ban the set
$IPT -I INPUT -m set --match-set BANNED-AS4-${x} src -j LOG_DROP
$IPT -I OUTPUT -m set --match-set BANNED-AS4-${x} dst -j REJECT --reject-with icmp-admin-prohibited
$IPT6 -I INPUT -m set --match-set BANNED-AS6-${x} src -j LOG_DROP
$IPT6 -I OUTPUT -m set --match-set BANNED-AS6-${x} dst -j REJECT --reject-with icmp6-adm-prohibited
done
# Always allow ICMP
$IPT -A INPUT -p icmp -j ACCEPT
[ "$IPV6" != "off" ] && $IPT6 -A INPUT -p icmpv6 -j ACCEPT
@ -322,6 +388,8 @@ trap - INT TERM EXIT
$IPT -F OUTPUT
$IPT -F LOG_DROP
$IPT -F LOG_ACCEPT
$IPT6 -F LOG_DROP
$IPT6 -F LOG_ACCEPT
$IPT -F ONLYTRUSTED
$IPT -F ONLYPRIVILEGIED
$IPT -F NEEDRESTRICT
@ -342,10 +410,15 @@ trap - INT TERM EXIT
# Delete non-standard chains
$IPT -X LOG_DROP
$IPT -X LOG_ACCEPT
$IPT6 -X LOG_DROP
$IPT6 -X LOG_ACCEPT
$IPT -X ONLYPRIVILEGIED
$IPT -X ONLYTRUSTED
$IPT -X NEEDRESTRICT
# Destroy all ipset
$IPSET destroy
echo "...flushing IPTables rules is now finish : OK"
;;
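Review bot: `$IPSET destroy` under the `# Destroy all ipset` comment in the stop section is called without a set name, so it flushes and destroys every ipset on the host, not only the ones this script created; other tools that manage their own sets would lose them on every minifirewall stop, so it should name the `BANNED-*` sets explicitly (rewrite below, assuming `$BANNEDASNS` is still in scope in the stop arm because the config is sourced before the `case`). In the start section the two lookups `ASN4LIST=$(whois -h $WHOISSERVER -i origin $x | ...)` and `ASN6LIST=...` query whois twice per ASN and, when whois fails or is unreachable at boot, yield an empty list with no diagnostic, so the rules are installed against an empty set and the ASN is silently not banned; capturing the output once, checking its exit status and printing a warning to stderr would make that visible. The `$IPSET -N BANNED-IP4 hash:net family inet` / `BANNED-IP6` lines in the init hunk fail if the set already exists (a start without a prior stop), whereas `-exist` is already used on the `-A` calls; `$IPSET -exist -N ...` would make them idempotent. The enclosing `case` arms begin and end outside these hunks.
```shell
# Destroy only the sets minifirewall created; a bare "ipset destroy" removes every set on the host
$IPSET destroy BANNED-IP4
$IPSET destroy BANNED-IP6
for x in $BANNEDASNS
do
    $IPSET destroy BANNED-AS4-${x}
    $IPSET destroy BANNED-AS6-${x}
done
# … unchanged: final "flushing" message …
```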


@ -70,6 +70,25 @@ SMTPSECUREOK=''
# NTP authorizations
NTPOK='0.0.0.0/0'
# WHOIS authorizations
WHOISOK='0.0.0.0/0'
# IP addresses ban
# you can add an IP address on the BANNED set without restarting
# minifirewall, example: ipset -A BANNED-IP4 192.0.2.0
BANNEDIPS='192.0.2.0'
# IPv6 addresses ban
# you can add an IPv6 address on the BANNED set without restarting
# minifirewall, example: ipset -A BANNED-IP6 2001:db8::0
BANNEDIPS6='2001:db8::0'
# AS Numbers ban
# Be aware that minifirewall will get the route information at every
# restart and if you ban many ASNs it may take time
# Use with parsimony
# Read the README.md for an explanation
BANNEDASNS=''
# IPv6 Specific rules
#####################
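Review bot: The `BANNEDASNS` comment block does not say what form each entry must take, and the script passes each entry unchanged to `whois -h $WHOISSERVER -i origin`, so a bare number and an `AS`-prefixed number are not interchangeable depending on the whois server's syntax; the comment should state the expected form and give an example, e.g. `# Space-separated list of AS numbers, in the form the whois server expects (for radb: "ASnnnn"), e.g. BANNEDASNS='AS64496'` (AS64496 is a reserved documentation ASN, constructed example). It would also help to say that the lookup happens at start time, so an ASN whose whois query fails is simply not banned, and that `Use with parsimony` reads more naturally as `Use sparingly`. The default `BANNEDIPS='192.0.2.0'` and `BANNEDIPS6='2001:db8::0'` are documentation addresses, so they are harmless, but a short comment noting they are placeholders to replace would avoid confusion.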