From 38072abc54e3ed93bc0c90af7fcaf88fbb4cb4e7 Mon Sep 17 00:00:00 2001
From: Bob Mottram <bob@freedombone.net>
Date: Tue, 25 Apr 2017 13:40:11 +0100
Subject: [PATCH] Drop spoofed packets

---
 src/freedombone-utils-firewall | 16 ++++++++++++++++
 src/freedombone-utils-setup    |  3 +++
 2 files changed, 19 insertions(+)

diff --git a/src/freedombone-utils-firewall b/src/freedombone-utils-firewall
index 8d435ff3a..481b6158a 100755
--- a/src/freedombone-utils-firewall
+++ b/src/freedombone-utils-firewall
@@ -466,4 +466,20 @@ function firewall_unblock_domain {
     fi
 }
 
+function firewall_drop_spoofed_packets {
+    if [[ $(is_completed $FUNCNAME) == "1" ]]; then
+        return
+    fi
+    iptables -t mangle -A PREROUTING -s 224.0.0.0/3 -j DROP
+    iptables -t mangle -A PREROUTING -s 169.254.0.0/16 -j DROP
+    iptables -t mangle -A PREROUTING -s 172.16.0.0/12 -j DROP
+    iptables -t mangle -A PREROUTING -s 192.0.2.0/24 -j DROP
+    iptables -t mangle -A PREROUTING -s 10.0.0.0/8 -j DROP
+    iptables -t mangle -A PREROUTING -s 240.0.0.0/5 -j DROP
+    iptables -t mangle -A PREROUTING -s 127.0.0.0/8 ! -i lo -j DROP
+    function_check save_firewall_settings
+    save_firewall_settings
+    mark_completed $FUNCNAME
+}
+
 # NOTE: deliberately no exit 0
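Review bot: The DROP rules for `10.0.0.0/8` (line 27) and `172.16.0.0/12` (line 25) are not bound to an interface, so they discard traffic from any client on a LAN or VPN that uses those private ranges, which for a home server behind a NAT router can lock out the administrator; `192.168.0.0/16` is notably absent, which suggests the list was tuned around one LAN layout rather than around where spoofing actually arrives. Anti-spoofing rules belong on the external interface only, e.g. `iptables -t mangle -A PREROUTING -i <external-interface> -s 10.0.0.0/8 -j DROP` (same for the other private ranges), with the interface name coming from the project's existing configuration rather than a hard-coded value. Line 28 (`240.0.0.0/5`) is already covered by the `224.0.0.0/3` rule on line 23 and can be removed. A short header comment would also help, e.g. `# Drop packets whose source address cannot legitimately arrive from outside: multicast, link-local, documentation ranges and private ranges; loopback sources are only accepted on lo.`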
diff --git a/src/freedombone-utils-setup b/src/freedombone-utils-setup
index 91eeca3e2..b4778161d 100755
--- a/src/freedombone-utils-setup
+++ b/src/freedombone-utils-setup
@@ -564,6 +564,9 @@ function setup_firewall {
     function_check firewall_drop_telnet
     firewall_drop_telnet
 
+    function_check firewall_drop_spoofed_packets
+    firewall_drop_spoofed_packets
+
     function_check configure_firewall_for_dns
     configure_firewall_for_dns
 
-- 
GitLab