20 # You should have received a copy of the GNU General Public License |
20 # You should have received a copy of the GNU General Public License |
21 # along with this program; see the file COPYING. If not, write to the Free |
21 # along with this program; see the file COPYING. If not, write to the Free |
22 # Software Foundation, 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA. |
22 # Software Foundation, 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA. |
23 # --------------------------------------------------------------------------- |
23 # --------------------------------------------------------------------------- |
24 |
24 |
25 MBSEFW_VERSION="0.0.13" |
25 MBSEFW_VERSION="0.0.15" |
26 |
26 |
27 # Sanity checks |
27 # Sanity checks |
28 if [ "$(id -u)" != "0" ]; then |
28 if [ "$(id -u)" != "0" ]; then |
29 echo "** You must be root to run this program" |
29 echo "** You must be root to run this program" |
30 exit 1 |
30 exit 1 |
226 BLOCKLIST="/etc/mbse-firewall/conf.d/blocklist4.conf" |
226 BLOCKLIST="/etc/mbse-firewall/conf.d/blocklist4.conf" |
227 if [ -f $BLOCKLIST -a -n "$IF_EXT" ]; then |
227 if [ -f $BLOCKLIST -a -n "$IF_EXT" ]; then |
228 echo " Install $BLOCKLIST" | $LOGGER |
228 echo " Install $BLOCKLIST" | $LOGGER |
229 $IPSET create mbsefw-blk4ip hash:ip counters -exist |
229 $IPSET create mbsefw-blk4ip hash:ip counters -exist |
230 $IPSET create mbsefw-blk4net hash:net counters -exist |
230 $IPSET create mbsefw-blk4net hash:net counters -exist |
231 $IPTABLES -A INPUT -i $IF_EXT -m set --match-set mbsefw-blk4ip src -j DROP |
231 $IPTABLES -A INPUT -i $IF_EXT -m state --state NEW -m set --match-set mbsefw-blk4ip src -j DROP |
232 $IPTABLES -A INPUT -i $IF_EXT -m set --match-set mbsefw-blk4net src -j DROP |
232 $IPTABLES -A INPUT -i $IF_EXT -m state --state NEW -m set --match-set mbsefw-blk4net src -j DROP |
233 if [ "$FW_FORWARD" = "1" ]; then |
233 if [ "$FW_FORWARD" = "1" ]; then |
234 $IPTABLES -A FORWARD -i $IF_EXT -m set --match-set mbsefw-blk4ip src -j DROP |
234 $IPTABLES -A FORWARD -i $IF_EXT -m state --state NEW -m set --match-set mbsefw-blk4ip src -j DROP |
235 $IPTABLES -A FORWARD -i $IF_EXT -m set --match-set mbsefw-blk4net src -j DROP |
235 $IPTABLES -A FORWARD -i $IF_EXT -m state --state NEW -m set --match-set mbsefw-blk4net src -j DROP |
236 fi |
236 fi |
237 $GREP -Ev '^#|^;|^\s*$' $BLOCKLIST | while read L ; do |
237 $GREP -Ev '^#|^;|^\s*$' $BLOCKLIST | while read L ; do |
238 set $L |
238 set $L |
239 if echo $1 | $GREP -q "/" ; then |
239 if echo $1 | $GREP -q "/" ; then |
240 $IPSET add mbsefw-blk4net $1 -exist |
240 $IPSET add mbsefw-blk4net $1 -exist |
252 if [ -n "$IF_EXT6" ]; then |
252 if [ -n "$IF_EXT6" ]; then |
253 IF6=$IF_EXT6 |
253 IF6=$IF_EXT6 |
254 else |
254 else |
255 IF6=$IF_EXT |
255 IF6=$IF_EXT |
256 fi |
256 fi |
257 $IP6TABLES -A INPUT -i $IF6 -m set --match-set mbsefw-blk6 src -j DROP |
257 $IP6TABLES -A INPUT -i $IF6 -m state --state NEW -m set --match-set mbsefw-blk6 src -j DROP |
258 if [ "$FW_FORWARD" = "1" ]; then |
258 if [ "$FW_FORWARD" = "1" ]; then |
259 $IP6TABLES -A FORWARD -i $IF6 -m set --match-set mbsefw-blk6 src -j DROP |
259 $IP6TABLES -A FORWARD -i $IF6 -m state --state NEW -m set --match-set mbsefw-blk6 src -j DROP |
260 fi |
260 fi |
261 $GREP -Ev '^#|^;|^\s*$' $BLOCKLIST | while read L ; do |
261 $GREP -Ev '^#|^;|^\s*$' $BLOCKLIST | while read L ; do |
262 set $L |
262 set $L |
263 $IPSET add mbsefw-blk6 $1 -exist |
263 $IPSET add mbsefw-blk6 $1 -exist |
264 done |
264 done |
587 # Ignore timing problems with old connections |
587 # Ignore timing problems with old connections |
588 $IPTABLES -A $NCHAIN $iodir ${INTF} -p tcp -m tcp --tcp-flags ACK,PSH ACK,PSH -j DROP |
588 $IPTABLES -A $NCHAIN $iodir ${INTF} -p tcp -m tcp --tcp-flags ACK,PSH ACK,PSH -j DROP |
589 [ "$USE_IPV6" = "1" ] && $IP6TABLES -A $NCHAIN $iodir ${INTF} -p tcp -m tcp --tcp-flags ACK,PSH ACK,PSH -j DROP |
589 [ "$USE_IPV6" = "1" ] && $IP6TABLES -A $NCHAIN $iodir ${INTF} -p tcp -m tcp --tcp-flags ACK,PSH ACK,PSH -j DROP |
590 |
590 |
591 # Install the final autoblock rule if this is the INPUT or FORWARD chain. |
591 # Install the final autoblock rule if this is the INPUT or FORWARD chain. |
592 # We allow upto 1 probe per minute or a burst of 3 probes. This should be |
592 # We allow upto 5 probes per minute or a burst of 10 probes. This should be |
593 # a good balance to catch the real bad guys. Note that until the IP is |
593 # a good balance to catch the real bad guys. Note that until the IP is |
594 # blocked these systems are logged using the rule below this one. |
594 # blocked these systems are logged using the rule below this one. |
595 if [ "$IF_EXT_AUTO_BLOCK" = "1" -a "$NCHAIN" != "OUTPUT" ]; then |
595 if [ "$IF_EXT_AUTO_BLOCK" = "1" -a "$NCHAIN" != "OUTPUT" ]; then |
596 if [ "${EXTERN4}" = "1" ]; then |
596 if [ "${EXTERN4}" = "1" ]; then |
|
597 # First, ignore these. Can happen after a temporary network problem. |
|
598 $IPTABLES -A $NCHAIN $iodir ${INTF} -p tcp -m tcp --tcp-flags ALL ACK -j DROP |
|
599 # Now the real rule. |
597 $IPTABLES -A $NCHAIN $iodir ${INTF} \ |
600 $IPTABLES -A $NCHAIN $iodir ${INTF} \ |
598 -m hashlimit --hashlimit-above ${IF_EXT_AUTO_LIMIT} --hashlimit-burst ${IF_EXT_AUTO_BURST} --hashlimit-mode srcip --hashlimit-name hash-auto4 \ |
601 -m hashlimit --hashlimit-above ${IF_EXT_AUTO_LIMIT} --hashlimit-burst ${IF_EXT_AUTO_BURST} --hashlimit-mode srcip --hashlimit-name hash-auto4 \ |
599 -j SET --add-set mbsefw-auto4 src |
602 -j SET --add-set mbsefw-auto4 src |
600 fi |
603 fi |
601 if [ "${EXTERN6}" = "1" ]; then |
604 if [ "${EXTERN6}" = "1" ]; then |
|
605 # First, ignore these. Can happen after a temporary network problem. |
|
606 $IP6TABLES -A $NCHAIN $iodir ${INTF} -p tcp -m tcp --tcp-flags ALL ACK -j DROP |
|
607 # Now the real rule. |
602 $IP6TABLES -A $NCHAIN $iodir ${INTF} \ |
608 $IP6TABLES -A $NCHAIN $iodir ${INTF} \ |
603 -m hashlimit --hashlimit-above ${IF_EXT_AUTO_LIMIT} --hashlimit-burst ${IF_EXT_AUTO_BURST} --hashlimit-mode srcip --hashlimit-name hash-auto6 \ |
609 -m hashlimit --hashlimit-above ${IF_EXT_AUTO_LIMIT} --hashlimit-burst ${IF_EXT_AUTO_BURST} --hashlimit-mode srcip --hashlimit-name hash-auto6 \ |
604 -j SET --add-set mbsefw-auto6 src |
610 -j SET --add-set mbsefw-auto6 src |
605 fi |
611 fi |
606 fi |
612 fi |