WIP: Added a way to block ASNs and IPs with ipset #6
38
README.md
38
README.md
|
@ -38,6 +38,44 @@ If you want to add minifirewall in boot sequence:
|
||||||
systemctl enable minifirewall
|
systemctl enable minifirewall
|
||||||
~~~
|
~~~
|
||||||
|
|
||||||
|
## Ban a whole AS
|
||||||
|
|
||||||
|
### Automatic way using an API
|
||||||
|
|
||||||
|
Set the AS number you want to ban in BANNEDASNS.
|
||||||
|
|
||||||
|
### Manual way
|
||||||
|
|
||||||
|
The manual way is here only for reference.
|
||||||
|
|
||||||
|
First find the AS for one IP address.
|
||||||
|
~~~
|
||||||
|
$ whois IP | grep origin:
|
||||||
|
Or if no result, use a specific whois server
|
||||||
|
$ whois -h whois.radb.net IP | grep origin:
|
||||||
|
Or if no result, use a specific whois server
|
||||||
|
$ whois -h whois.cymru.com IP
|
||||||
|
~~~
|
||||||
|
|
||||||
|
Then, get the routes of this AS.
|
||||||
|
~~~
|
||||||
|
$ whois -i origin ASNUMBER | grep route:
|
||||||
|
Or if no result, use a specific whois server
|
||||||
|
$ whois -h whois.radb.net -i origin ASNUMBER | grep route:
|
||||||
|
Or if no result, use a specific API
|
||||||
|
$ curl -qs https://asn.ipinfo.app/api/text/list/ASNUMBER
|
||||||
|
~~~
|
||||||
|
|
||||||
|
Finally, add a kernel set and DROP the set.
|
||||||
|
|
||||||
|
~~~
|
||||||
|
# ipset -N ASNUMBER hash:net family inet
|
||||||
|
# ipset -A ASNUMBER 192.0.2.0/24
|
||||||
|
# ipset -A ASNUMBER 198.51.100.0/24
|
||||||
|
# iptables -A INPUT -m set --match-set ASNUMBER src -j DROP
|
||||||
|
~~~
|
||||||
|
|
||||||
|
|
||||||
## License
|
## License
|
||||||
|
|
||||||
This is an [Evolix](https://evolix.com) project and is licensed
|
This is an [Evolix](https://evolix.com) project and is licensed
|
||||||
|
|
75
minifirewall
75
minifirewall
|
@ -38,6 +38,7 @@ NAME="minifirewall"
|
||||||
# iptables paths
|
# iptables paths
|
||||||
IPT=/sbin/iptables
|
IPT=/sbin/iptables
|
||||||
IPT6=/sbin/ip6tables
|
IPT6=/sbin/ip6tables
|
||||||
|
IPSET=/sbin/ipset
|
||||||
|
|
||||||
# TCP/IP variables
|
# TCP/IP variables
|
||||||
LOOPBACK='127.0.0.0/8'
|
LOOPBACK='127.0.0.0/8'
|
||||||
|
@ -57,6 +58,8 @@ configfile="/etc/default/minifirewall"
|
||||||
|
|
||||||
IPV6=$(grep "IPV6=" /etc/default/minifirewall | awk -F '=' -F "'" '{print $2}')
|
IPV6=$(grep "IPV6=" /etc/default/minifirewall | awk -F '=' -F "'" '{print $2}')
|
||||||
|
|
||||||
|
WHOISSERVER="whois.radb.net"
|
||||||
|
|
||||||
case "$1" in
|
case "$1" in
|
||||||
start)
|
start)
|
||||||
|
|
||||||
|
@ -104,15 +107,25 @@ for i in /proc/sys/net/ipv4/conf/*/log_martians; do
|
||||||
echo 1 > $i
|
echo 1 > $i
|
||||||
done
|
done
|
||||||
|
|
||||||
|
# ipset init for banned IP addresses
|
||||||
|
$IPSET -N BANNED-IP4 hash:net family inet
|
||||||
|
$IPSET -N BANNED-IP6 hash:net family inet6
|
||||||
|
|
||||||
# IPTables configuration
|
# IPTables configuration
|
||||||
########################
|
########################
|
||||||
|
|
||||||
$IPT -N LOG_DROP
|
$IPT -N LOG_DROP
|
||||||
$IPT -A LOG_DROP -j LOG --log-prefix '[IPTABLES DROP] : '
|
$IPT -A LOG_DROP -j LOG --log-prefix '[IPTABLES DROP] : '
|
||||||
$IPT -A LOG_DROP -j DROP
|
$IPT -A LOG_DROP -j DROP
|
||||||
|
$IPT6 -N LOG_DROP
|
||||||
|
$IPT6 -A LOG_DROP -j LOG --log-prefix '[IPTABLES DROP] : '
|
||||||
|
$IPT6 -A LOG_DROP -j DROP
|
||||||
$IPT -N LOG_ACCEPT
|
$IPT -N LOG_ACCEPT
|
||||||
$IPT -A LOG_ACCEPT -j LOG --log-prefix '[IPTABLES ACCEPT] : '
|
$IPT -A LOG_ACCEPT -j LOG --log-prefix '[IPTABLES ACCEPT] : '
|
||||||
$IPT -A LOG_ACCEPT -j ACCEPT
|
$IPT -A LOG_ACCEPT -j ACCEPT
|
||||||
|
$IPT6 -N LOG_ACCEPT
|
||||||
|
$IPT6 -A LOG_ACCEPT -j LOG --log-prefix '[IPTABLES ACCEPT] : '
|
||||||
|
$IPT6 -A LOG_ACCEPT -j ACCEPT
|
||||||
|
|
||||||
|
|
||||||
if test -f $oldconfigfile; then
|
if test -f $oldconfigfile; then
|
||||||
|
@ -134,6 +147,16 @@ if [ -s $tmpfile ]; then
|
||||||
fi
|
fi
|
||||||
rm $tmpfile
|
rm $tmpfile
|
||||||
|
|
||||||
|
# Banned IP addresses
|
||||||
|
$IPT -I INPUT -m set --match-set BANNED-IP4 src -j LOG_DROP
|
||||||
|
$IPT6 -I INPUT -m set --match-set BANNED-IP6 src -j LOG_DROP
|
||||||
|
# We reject with icmp-admin-prohibited to help sysadmins understand
|
||||||
|
# that the IP address is banned if maybe they forgot banning it
|
||||||
|
$IPT -I OUTPUT -m set --match-set BANNED-IP4 dst -j REJECT \
|
||||||
|
--reject-with icmp-admin-prohibited
|
||||||
|
$IPT6 -I OUTPUT -m set --match-set BANNED-IP6 dst -j REJECT \
|
||||||
|
--reject-with icmp6-adm-prohibited
|
||||||
|
|
||||||
# Trusted ip addresses
|
# Trusted ip addresses
|
||||||
$IPT -N ONLYTRUSTED
|
$IPT -N ONLYTRUSTED
|
||||||
$IPT -A ONLYTRUSTED -j LOG_DROP
|
$IPT -A ONLYTRUSTED -j LOG_DROP
|
||||||
|
@ -166,7 +189,6 @@ $IPT -A OUTPUT -o lo -j ACCEPT
|
||||||
# $IPT -t NAT -I PREROUTING -s $LOOPBACK -i ! lo -j DROP
|
# $IPT -t NAT -I PREROUTING -s $LOOPBACK -i ! lo -j DROP
|
||||||
$IPT -A INPUT -s $LOOPBACK ! -i lo -j DROP
|
$IPT -A INPUT -s $LOOPBACK ! -i lo -j DROP
|
||||||
|
|
||||||
|
|
||||||
# Local services restrictions
|
# Local services restrictions
|
||||||
#############################
|
#############################
|
||||||
|
|
||||||
|
@ -281,6 +303,50 @@ for x in $NTPOK
|
||||||
$IPT -A OUTPUT -o $INT -p udp -d $x --dport 123 --match state --state NEW -j ACCEPT
|
$IPT -A OUTPUT -o $INT -p udp -d $x --dport 123 --match state --state NEW -j ACCEPT
|
||||||
done
|
done
|
||||||
|
|
||||||
|
# WHOIS authorizations
|
||||||
|
for x in $WHOISOK
|
||||||
|
do
|
||||||
|
$IPT -A INPUT -p udp --sport 43 -s $x -j ACCEPT
|
||||||
|
$IPT -A OUTPUT -o $INT -p udp -d $x --dport 43 --match state --state NEW -j ACCEPT
|
||||||
|
$IPT -A INPUT -p tcp ! --syn --sport 43 -s $x -j ACCEPT
|
||||||
|
done
|
||||||
|
|
||||||
|
# IP addresses banned
|
||||||
|
for x in $BANNEDIPS
|
||||||
|
do
|
||||||
|
$IPSET -exist -A BANNED-IP4 $x
|
||||||
|
done
|
||||||
|
|
||||||
|
# IPv6 addresses banned
|
||||||
|
for x in $BANNEDIPS6
|
||||||
|
do
|
||||||
|
$IPSET -exist -A BANNED-IP6 $x
|
||||||
|
done
|
||||||
|
|
||||||
|
# AS numbers banned
|
||||||
|
for x in $BANNEDASNS
|
||||||
|
do
|
||||||
|
# Init the set
|
||||||
|
$IPSET -N BANNED-AS4-${x} hash:net family inet
|
||||||
|
$IPSET -N BANNED-AS6-${x} hash:net family inet6
|
||||||
|
# Get the route information of the ASN
|
||||||
|
ASN4LIST=$(whois -h $WHOISSERVER -i origin $x | grep route: | awk '{print $2}')
|
||||||
|
for ASN4 in $ASN4LIST
|
||||||
|
do
|
||||||
|
$IPSET -exist -A BANNED-AS4-${x} $ASN4
|
||||||
|
done
|
||||||
|
ASN6LIST=$(whois -h $WHOISSERVER -i origin $x | grep route6: | awk '{print $2}')
|
||||||
|
for ASN6 in $ASN6LIST
|
||||||
|
do
|
||||||
|
$IPSET -exist -A BANNED-AS6-${x} $ASN6
|
||||||
|
done
|
||||||
|
# Ban the set
|
||||||
|
$IPT -I INPUT -m set --match-set BANNED-AS4-${x} src -j LOG_DROP
|
||||||
|
$IPT -I OUTPUT -m set --match-set BANNED-AS4-${x} dst -j REJECT --reject-with icmp-admin-prohibited
|
||||||
|
$IPT6 -I INPUT -m set --match-set BANNED-AS6-${x} src -j LOG_DROP
|
||||||
|
$IPT6 -I OUTPUT -m set --match-set BANNED-AS6-${x} dst -j REJECT --reject-with icmp6-adm-prohibited
|
||||||
|
done
|
||||||
|
|
||||||
# Always allow ICMP
|
# Always allow ICMP
|
||||||
$IPT -A INPUT -p icmp -j ACCEPT
|
$IPT -A INPUT -p icmp -j ACCEPT
|
||||||
[ "$IPV6" != "off" ] && $IPT6 -A INPUT -p icmpv6 -j ACCEPT
|
[ "$IPV6" != "off" ] && $IPT6 -A INPUT -p icmpv6 -j ACCEPT
|
||||||
|
@ -322,6 +388,8 @@ trap - INT TERM EXIT
|
||||||
$IPT -F OUTPUT
|
$IPT -F OUTPUT
|
||||||
$IPT -F LOG_DROP
|
$IPT -F LOG_DROP
|
||||||
$IPT -F LOG_ACCEPT
|
$IPT -F LOG_ACCEPT
|
||||||
|
$IPT6 -F LOG_DROP
|
||||||
|
$IPT6 -F LOG_ACCEPT
|
||||||
$IPT -F ONLYTRUSTED
|
$IPT -F ONLYTRUSTED
|
||||||
$IPT -F ONLYPRIVILEGIED
|
$IPT -F ONLYPRIVILEGIED
|
||||||
$IPT -F NEEDRESTRICT
|
$IPT -F NEEDRESTRICT
|
||||||
|
@ -342,10 +410,15 @@ trap - INT TERM EXIT
|
||||||
# Delete non-standard chains
|
# Delete non-standard chains
|
||||||
$IPT -X LOG_DROP
|
$IPT -X LOG_DROP
|
||||||
$IPT -X LOG_ACCEPT
|
$IPT -X LOG_ACCEPT
|
||||||
|
$IPT6 -X LOG_DROP
|
||||||
|
$IPT6 -X LOG_ACCEPT
|
||||||
$IPT -X ONLYPRIVILEGIED
|
$IPT -X ONLYPRIVILEGIED
|
||||||
$IPT -X ONLYTRUSTED
|
$IPT -X ONLYTRUSTED
|
||||||
$IPT -X NEEDRESTRICT
|
$IPT -X NEEDRESTRICT
|
||||||
|
|
||||||
|
# Destroy all ipset
|
||||||
|
$IPSET destroy
|
||||||
|
|
||||||
echo "...flushing IPTables rules is now finish : OK"
|
echo "...flushing IPTables rules is now finish : OK"
|
||||||
;;
|
;;
|
||||||
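Review bot: The new IPv6 ban rules in the start hunks run unconditionally — `$IPSET -N BANNED-IP6 hash:net family inet6`, `$IPT6 -I INPUT -m set --match-set BANNED-IP6 src -j LOG_DROP`, the matching `$IPT6 -I OUTPUT ... BANNED-IP6 dst` rule and the `BANNED-AS6-${x}` rules — while the existing IPv6 rule in the same section is gated with `[ "$IPV6" != "off" ] && $IPT6 ...`, so these should carry the same guard or they will error (or load ip6tables) on a host configured with IPV6 off. The ASN loop feeds whois output straight into `$IPSET -exist -A BANNED-AS4-${x} $ASN4` (and the IPv6 twin) without validation; a check such as `printf '%s\n' "$ASN4" | grep -Eq '^[0-9.]+/[0-9]+$' || continue` before each add keeps a malformed or unexpected response from producing stray ipset arguments or leaving the start sequence half-applied. The WHOIS authorization block only opens UDP 43 outbound and non-SYN TCP inbound, but whois is TCP/43, so the `whois -h $WHOISSERVER -i origin $x` lookups that follow may be blocked when OUTPUT is default-deny; add `$IPT -A OUTPUT -o $INT -p tcp -d $x --dport 43 --match state --state NEW -j ACCEPT`. In the stop hunk, `$IPSET destroy` with no set name removes every ipset on the host, including sets created by other tools, and it will fail if any ip6tables rule still references a set (only the ip6tables LOG chains are flushed in the visible hunk); destroying just the BANNED-* sets by name after all referencing rules are flushed is safer.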
|
|
||||||
|
|
|
@ -70,6 +70,25 @@ SMTPSECUREOK=''
|
||||||
# NTP authorizations
|
# NTP authorizations
|
||||||
NTPOK='0.0.0.0/0'
|
NTPOK='0.0.0.0/0'
|
||||||
|
|
||||||
|
# WHOIS authorizations
|
||||||
|
WHOISOK='0.0.0.0/0'
|
||||||
|
|
||||||
|
# IP addresses ban
|
||||||
|
# you can add an IP address on the BANNED set without restarting
|
||||||
|
# minifirewall, example: ipset -A BANNED-IP4 192.0.2.0
|
||||||
|
BANNEDIPS='192.0.2.0'
|
||||||
|
|
||||||
|
# IPv6 addresses ban
|
||||||
|
# you can add an IPv6 address on the BANNED set without restarting
|
||||||
|
# minifirewall, example: ipset -A BANNED-IP6 2001:db8::0
|
||||||
|
BANNEDIPS6='2001:db8::0'
|
||||||
|
|
||||||
|
# AS Numbers ban
|
||||||
|
# Be aware that minifirewall will get the route information at every
|
||||||
|
# restart and if you ban many ASNs it may take time
|
||||||
|
# Use with parsimony
|
||||||
|
# Read the README.md for an explanation
|
||||||
|
BANNEDASNS=''
|
||||||
|
|
||||||
# IPv6 Specific rules
|
# IPv6 Specific rules
|
||||||
#####################
|
#####################
|
||||||
|
|
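Review bot: `BANNEDIPS='192.0.2.0'` and `BANNEDIPS6='2001:db8::0'` ship non-empty defaults in the configuration, unlike the new `BANNEDASNS=''`; both are documentation addresses so the resulting rules are harmless, but a shipped default should be empty, with the example moved into the comment, e.g. `# example: BANNEDIPS='192.0.2.0 198.51.100.0/24'` followed by `BANNEDIPS=''`. The comments could also state that these variables are space-separated lists (the start script appears to iterate them with `for x in $BANNEDIPS`, which is in the other file) and whether CIDR prefixes are accepted, since `hash:net` sets take them. The file's surrounding header and the rest of the configuration are outside this hunk.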