Commit a8ea0dcb authored by Branko Mikić's avatar Branko Mikić

LIMITER implemented, BLOCK chain revised.

~ BLOCK chain extended to use a specific log prefix depending on mark byte set.
~ ANTI-FLOOD and INVALID chain now marking packets before dropping them to BLOCK chain.
~ LIMITER implemented using the hashlimit match. Can be used, e.g., to throttle connection attempts (brute-force attacks) on the ssh port.
parent 240d462e
Pipeline #179 failed with stages
in 24 seconds
......@@ -20,7 +20,7 @@ printAbout()
[FORWARD_SUBNET_PROTECTIVE subnet/mask to_link]
[FORWARD_PORT|FORWARD_ROUTING ip|link port(s) to_address[:to_port] [tcp|udp]]
[MAC_FILTER chain mac_address]
[POSTROUTING_MASQUERADE subnet/mask to_link]
[POSTROUTING_MASQUERADE subnet/mask on_link]
[DEBUG_CHAIN chain_name]
[REMOVE_RULES pattern]
......@@ -565,17 +565,35 @@ formatAsHexID() {
$IPTABLES -P FORWARD DROP
$IPTABLES -P OUTPUT DROP
# same as block but logs invalid pakets explicitly
$IPTABLES -N INVALID
$IPTABLES -A INVALID -m limit --limit 4/min --limit-burst 8 -j LOG --log-prefix "[BLOCK] (INVALID) "
$IPTABLES -A INVALID -j DROP
# create a LOG & DROP chain
BLOCK_INVALID=1
BLOCK_LIMITER=2
BLOCK_ANTI_FLOOD=4
$IPTABLES -N BLOCK
$IPTABLES -A BLOCK -m state --state INVALID -j INVALID
$IPTABLES -A BLOCK -m limit --limit 4/min --limit-burst 8 -j LOG --log-prefix "[BLOCK] "
$IPTABLES -A BLOCK --match hashlimit --hashlimit-name DROP_SILENTLY \
--hashlimit-above 3/min -j DROP
$IPTABLES -A BLOCK -m state --state INVALID -j MARK --set-mark $BLOCK_INVALID
$IPTABLES -A BLOCK -m mark --mark $BLOCK_LIMITER -j LOG --log-prefix "[BLOCK] (LIMITER) "
$IPTABLES -A BLOCK -m mark --mark $BLOCK_INVALID -j LOG --log-prefix "[BLOCK] (INVALID) "
$IPTABLES -A BLOCK -m mark --mark $BLOCK_ANTI_FLOOD -j LOG --log-prefix "[BLOCK] (ANTIFLOOD) "
$IPTABLES -A BLOCK -m mark --mark 0 -j LOG --log-prefix "[BLOCK] "
$IPTABLES -A BLOCK -j DROP
# create an ANTI-FLOOD protection chain. Maximises the rate of incoming connections.
# Used for protection against SYN or PING_OF_DEATH flooding
$IPTABLES -N ANTI-FLOOD
$IPTABLES -A ANTI-FLOOD -m limit --limit 3/s -j RETURN
$IPTABLES -A ANTI-FLOOD -m mark --mark $BLOCK_ANTI_FLOOD -j BLOCK
# limits the connection attempts
$IPTABLES -N LIMITER
$IPTABLES -A LIMITER -m state ! --state NEW -j RETURN
$IPTABLES -A LIMITER --match hashlimit --hashlimit-name LIMITER --hashlimit-mode srcip \
--hashlimit-upto 3/hour --hashlimit-burst 3 -j RETURN
$IPTABLES -A LIMITER -j MARK --set-mark $BLOCK_LIMITER
$IPTABLES -A LIMITER -j BLOCK
# Will be used in INPUT, OUTPUT to add allowed subnets on internal links
$IPTABLES -N LOCAL
$IPTABLES -A LOCAL -m addrtype --dst-type LOCAL -j RETURN
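Review bot: The new ANTI-FLOOD chain never sets the mark it then tests for: after `-m limit --limit 3/s -j RETURN` its only remaining rule is `-m mark --mark $BLOCK_ANTI_FLOOD -j BLOCK`, but unlike LIMITER (which does `-j MARK --set-mark $BLOCK_LIMITER` before `-j BLOCK`) nothing marks the packet, so over-rate packets fall off the end of the chain and RETURN to the caller instead of being logged and dropped, contrary to the commit message's claim that ANTI-FLOOD now marks before handing off to BLOCK. Replace the last rule with `$IPTABLES -A ANTI-FLOOD -j MARK --set-mark $BLOCK_ANTI_FLOOD` followed by `$IPTABLES -A ANTI-FLOOD -j BLOCK`, mirroring LIMITER. Separately, the `-m mark --mark N` rules in BLOCK are exact comparisons, so a packet carrying more than one mark bit (or a mark set elsewhere before reaching BLOCK) matches none of the LOG rules, not even the `--mark 0` catch-all, and is dropped unlogged; masked matches such as `--mark $BLOCK_ANTI_FLOOD/$BLOCK_ANTI_FLOOD` would test each bit independently. The DROP_SILENTLY hashlimit rule has no `--hashlimit-mode`, so it is one global bucket with the default burst; presumably that is intended to cap log volume like the removed `-m limit` rule, but it deserves a comment saying so.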
......@@ -584,12 +602,6 @@ formatAsHexID() {
$IPTABLES -A LOCAL -j BLOCK
# When this chain retuns it's either a local, multi- or broadcast packet
# create an ANTI-FLOOD protection chain. Maximises the rate of incoming connections.
# Used for protection against SYN or PING_OF_DEATH flooding
$IPTABLES -N ANTI-FLOOD
$IPTABLES -A ANTI-FLOOD -m limit --limit 3/s -j RETURN
$IPTABLES -A ANTI-FLOOD -j LOG --log-prefix "[BLOCK] (ANTIFLOOD) "
$IPTABLES -A ANTI-FLOOD -j DROP
# will be used in INPUT, OUTPUT & FORWARD
# this chain should return always! (don't place DROP rules on specific ICMPs here!)
......@@ -673,7 +685,8 @@ formatAsHexID() {
# furtive port scanner
$IPTABLES -A INPUT -p tcp --tcp-flags SYN,ACK,FIN,RST RST -j ANTI-FLOOD
# allow some safe ports
# allow some safe ports (but use a limiter especially for ssh port)
$IPTABLES -A INPUT -p tcp -m tcp --dport 22 -j LIMITER -m comment --comment "avoid bashing on ssh port"
$IPTABLES -A INPUT -p tcp -m tcp --dport 22 -j ACCEPT -m comment --comment "ssh"
# stateful packets intiated by ourself going out
......@@ -767,7 +780,9 @@ formatAsHexID() {
(( $? != 0 )) && error 41 "ALLOW_LINK_LOCAL expects an interface node argument (eg: eth0)"
probeChains LOCAL
(( $? != 0 )) && error 42 "The 'USER-IN' or 'USER-OUT' chain is missing. Setup a new base firewall with BASE_RULE_SET first."
(( $? != 0 )) && error 42 "The 'LOCAL' chain is missing. Setup a new base firewall with BASE_RULE_SET first."
#TODO: check back if interface has configured the correct subnet (169.254.0.0/16 fe80::/10)
ID="ALLOW_LINK_LOCAL on $(getLinkID $1)"
deleteRules LOCAL "$ID"
......@@ -778,13 +793,23 @@ formatAsHexID() {
printf "# allowing link local (%s) on %s\n" $sz $1
$IPTABLES -I LOCAL 1 -i $1 -d $sz -j ACCEPT -m comment --comment "$ID"
$IPTABLES -I LOCAL 1 -i $1 -s $sz -m pkttype --pkt-type multicast -j ACCEPT -m comment --comment "$ID (multicast)"
# This is called ALLOW_LINK_LOCAL don't know why multicast is allowed here too!
# $IPTABLES -I LOCAL 1 -i $1 -s $sz -m pkttype --pkt-type multicast -j ACCEPT -m comment --comment "$ID (multicast)"
$IPTABLES -I LOCAL 1 -o $1 -s $sz -j ACCEPT -m comment --comment "$ID"
shift
;;
# ALLOW_MULTICAST)
# #-A INPUT -m pkttype --pkt-type multicast -j ACCEPT
# iptables -I LOCAL 1 -m pkttype --pkt-type multicast -i macvlan0 -s 10.1.0.0/16 -j ACCEPT
# iptables -O LOCAL 1 -m pkttype --pkt-type multicast -o macvlan0 -d 10.1.0.0/16 -j ACCEPT
# shift
# ;;
ALLOW_SERVICE_DISCOVERY)
checkLink $1
(( $? != 0 )) && error 36 "ALLOW_SERVICE_DISCOVERY expects an interface node argument (eg: eth0)"
......@@ -799,10 +824,14 @@ formatAsHexID() {
if [ $ENVID -eq 4 ]; then
$IPTABLES -I LOCAL 1 -d 224.0.0.251/32 -p udp -m udp -i $1 --dport 5353 -j ACCEPT -m comment --comment "$ID (multicast mDNS)"
$IPTABLES -I LOCAL 1 -d 224.0.0.252/32 -p udp -m udp -i $1 --dport 5355 -j ACCEPT -m comment --comment "$ID (multicast LLMNR)"
$IPTABLES -I LOCAL 1 -d 239.255.255.250/32 -p udp -m udp -i $1 --dport 1900 -j ACCEPT -m comment --comment "$ID (multicast UPnP)"
fi
if [ $ENVID -eq 6 ]; then
$IPTABLES -I LOCAL 1 -d ff02::fb/128 -p udp -m udp -i $1 --dport 5353 -j ACCEPT -m comment --comment "$ID (multicast mDNS)"
$IPTABLES -I LOCAL 1 -d ff02::1:3/128 -p udp -m udp -i $1 --dport 5355 -j ACCEPT -m comment --comment "$ID (multicast LLMNR)"
$IPTABLES -I LOCAL 1 -d ff02::f/128 -p udp -m udp -i $1 --dport 1900 -j ACCEPT -m comment --comment "$ID (multicast UPnP)"
fi
......