Block bad ip ranges
parent
bd1df3f79f
commit
425a4fc132
|
@ -44,6 +44,49 @@ function save_firewall_settings {
|
||||||
fi
|
fi
|
||||||
}
|
}
|
||||||
|
|
||||||
|
function firewall_block_bad_ip_ranges {
|
||||||
|
if [ $INSTALLING_MESH ]; then
|
||||||
|
return
|
||||||
|
fi
|
||||||
|
if [[ $(is_completed $FUNCNAME) == "1" ]]; then
|
||||||
|
return
|
||||||
|
fi
|
||||||
|
|
||||||
|
# There are various blocklists out there, but they're difficult
|
||||||
|
# to verify. Indiscriminately blocking ranges without evidence
|
||||||
|
# would be a bad idea.
|
||||||
|
|
||||||
|
# From Wikipedia and elsewhere: US military addresses
|
||||||
|
iptables -A INPUT -s 6.0.0.0/8 -j DROP
|
||||||
|
iptables -A OUTPUT -s 6.0.0.0/8 -j DROP
|
||||||
|
iptables -A INPUT -s 7.0.0.0/8 -j DROP
|
||||||
|
iptables -A OUTPUT -s 7.0.0.0/8 -j DROP
|
||||||
|
iptables -A INPUT -s 11.0.0.0/8 -j DROP
|
||||||
|
iptables -A OUTPUT -s 11.0.0.0/8 -j DROP
|
||||||
|
iptables -A INPUT -s 21.0.0.0/8 -j DROP
|
||||||
|
iptables -A OUTPUT -s 21.0.0.0/8 -j DROP
|
||||||
|
iptables -A INPUT -s 22.0.0.0/8 -j DROP
|
||||||
|
iptables -A OUTPUT -s 22.0.0.0/8 -j DROP
|
||||||
|
iptables -A INPUT -s 26.0.0.0/8 -j DROP
|
||||||
|
iptables -A OUTPUT -s 26.0.0.0/8 -j DROP
|
||||||
|
iptables -A INPUT -s 28.0.0.0/8 -j DROP
|
||||||
|
iptables -A OUTPUT -s 28.0.0.0/8 -j DROP
|
||||||
|
iptables -A INPUT -s 29.0.0.0/8 -j DROP
|
||||||
|
iptables -A OUTPUT -s 29.0.0.0/8 -j DROP
|
||||||
|
iptables -A INPUT -s 30.0.0.0/8 -j DROP
|
||||||
|
iptables -A OUTPUT -s 30.0.0.0/8 -j DROP
|
||||||
|
iptables -A INPUT -s 33.0.0.0/8 -j DROP
|
||||||
|
iptables -A OUTPUT -s 33.0.0.0/8 -j DROP
|
||||||
|
iptables -A INPUT -s 55.0.0.0/8 -j DROP
|
||||||
|
iptables -A OUTPUT -s 55.0.0.0/8 -j DROP
|
||||||
|
iptables -A INPUT -s 214.0.0.0/8 -j DROP
|
||||||
|
iptables -A OUTPUT -s 214.0.0.0/8 -j DROP
|
||||||
|
iptables -A INPUT -s 215.0.0.0/8 -j DROP
|
||||||
|
iptables -A OUTPUT -s 215.0.0.0/8 -j DROP
|
||||||
|
save_firewall_settings
|
||||||
|
mark_completed $FUNCNAME
|
||||||
|
}
|
||||||
|
|
||||||
function global_rate_limit {
|
function global_rate_limit {
|
||||||
if ! grep -q "tcp_challenge_ack_limit" /etc/sysctl.conf; then
|
if ! grep -q "tcp_challenge_ack_limit" /etc/sysctl.conf; then
|
||||||
echo 'net.ipv4.tcp_challenge_ack_limit = 999999999' >> /etc/sysctl.conf
|
echo 'net.ipv4.tcp_challenge_ack_limit = 999999999' >> /etc/sysctl.conf
|
||||||
|
|
|
@ -566,6 +566,9 @@ function setup_firewall {
|
||||||
|
|
||||||
function_check global_rate_limit
|
function_check global_rate_limit
|
||||||
global_rate_limit
|
global_rate_limit
|
||||||
|
|
||||||
|
function_check firewall_block_bad_ip_ranges
|
||||||
|
firewall_block_bad_ip_ranges
|
||||||
}
|
}
|
||||||
|
|
||||||
function setup_utils {
|
function setup_utils {
|
||||||
|
|
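Review bot: The OUTPUT rules in the first hunk (`iptables -A OUTPUT -s 6.0.0.0/8 -j DROP` and the twelve like it) match on the source address, which for locally generated traffic is this host's own address, so they will essentially never match; blocking traffic going *to* those ranges needs `-d`, e.g. `iptables -A OUTPUT -d 6.0.0.0/8 -j DROP`. Because the rules are appended with `-A`, they only take effect if no earlier rule in INPUT or OUTPUT already accepts the traffic; whether that holds depends on rules outside this hunk, so `-I` may be the safer choice. The list is also worth dating and sourcing in the comment, e.g. `# Source: <URL>, last checked <date>`, since /8 assignments change over time and the hunk's own comment notes that such lists are hard to verify. Thirteen near-identical pairs are easier to audit and extend as a loop, sketched below; the guard clauses and the save/mark calls are unchanged.
```shell
function firewall_block_bad_ip_ranges {
    # … unchanged: INSTALLING_MESH and is_completed guards …

    # Source: <URL>, last checked <date> — /8 assignments change, re-verify before editing.
    local range
    for range in 6.0.0.0/8 7.0.0.0/8 11.0.0.0/8 21.0.0.0/8 22.0.0.0/8 \
                 26.0.0.0/8 28.0.0.0/8 29.0.0.0/8 30.0.0.0/8 33.0.0.0/8 \
                 55.0.0.0/8 214.0.0.0/8 215.0.0.0/8; do
        iptables -A INPUT -s "$range" -j DROP    # inbound from the range
        iptables -A OUTPUT -d "$range" -j DROP   # outbound to the range
    done

    # … unchanged: save_firewall_settings, mark_completed …
```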