Block bad ip ranges

2017-03-31 15:27:09 +01:00 · 2017-03-31 15:27:09 +01:00 · 425a4fc132
parent bd1df3f79f
commit 425a4fc132
2 changed files with 46 additions and 0 deletions
--- a/src/freedombone-utils-firewall
+++ b/src/freedombone-utils-firewall
@ -44,6 +44,49 @@ function save_firewall_settings {
    fi
 }

+function firewall_block_bad_ip_ranges {
+    if [ $INSTALLING_MESH ]; then
+        return
+    fi
+    if [[ $(is_completed $FUNCNAME) == "1" ]]; then
+        return
+    fi
+
+    # There are various blocklists out there, but they're difficult
+    # to verify. Indiscriminately blocking ranges without evidence
+    # would be a bad idea.
+
+    # From Wikipedia and elsewhere: US military addresses
+    iptables -A INPUT -s 6.0.0.0/8 -j DROP
+    iptables -A OUTPUT -s 6.0.0.0/8 -j DROP
+    iptables -A INPUT -s 7.0.0.0/8 -j DROP
+    iptables -A OUTPUT -s 7.0.0.0/8 -j DROP
+    iptables -A INPUT -s 11.0.0.0/8 -j DROP
+    iptables -A OUTPUT -s 11.0.0.0/8 -j DROP
+    iptables -A INPUT -s 21.0.0.0/8 -j DROP
+    iptables -A OUTPUT -s 21.0.0.0/8 -j DROP
+    iptables -A INPUT -s 22.0.0.0/8 -j DROP
+    iptables -A OUTPUT -s 22.0.0.0/8 -j DROP
+    iptables -A INPUT -s 26.0.0.0/8 -j DROP
+    iptables -A OUTPUT -s 26.0.0.0/8 -j DROP
+    iptables -A INPUT -s 28.0.0.0/8 -j DROP
+    iptables -A OUTPUT -s 28.0.0.0/8 -j DROP
+    iptables -A INPUT -s 29.0.0.0/8 -j DROP
+    iptables -A OUTPUT -s 29.0.0.0/8 -j DROP
+    iptables -A INPUT -s 30.0.0.0/8 -j DROP
+    iptables -A OUTPUT -s 30.0.0.0/8 -j DROP
+    iptables -A INPUT -s 33.0.0.0/8 -j DROP
+    iptables -A OUTPUT -s 33.0.0.0/8 -j DROP
+    iptables -A INPUT -s 55.0.0.0/8 -j DROP
+    iptables -A OUTPUT -s 55.0.0.0/8 -j DROP
+    iptables -A INPUT -s 214.0.0.0/8 -j DROP
+    iptables -A OUTPUT -s 214.0.0.0/8 -j DROP
+    iptables -A INPUT -s 215.0.0.0/8 -j DROP
+    iptables -A OUTPUT -s 215.0.0.0/8 -j DROP
+    save_firewall_settings
+    mark_completed $FUNCNAME
+}
+
 function global_rate_limit {
    if ! grep -q "tcp_challenge_ack_limit" /etc/sysctl.conf; then
        echo 'net.ipv4.tcp_challenge_ack_limit = 999999999' >> /etc/sysctl.conf
--- a/src/freedombone-utils-setup
+++ b/src/freedombone-utils-setup
@ -566,6 +566,9 @@ function setup_firewall {

    function_check global_rate_limit
    global_rate_limit
+
+    function_check firewall_block_bad_ip_ranges
+    firewall_block_bad_ip_ranges
 }

 function setup_utils {