Skip to content
Snippets Groups Projects
Commit 425a4fc1 authored by Bob Mottram's avatar Bob Mottram
Browse files

Block bad ip ranges

parent bd1df3f7
No related branches found
No related tags found
No related merge requests found
Hide whitespace changes
Inline Side-by-side
src/freedombone-utils-firewall
+ 43
0
View file @ 425a4fc1
......@@ -44,6 +44,49 @@ function save_firewall_settings {
fi
}
function firewall_block_bad_ip_ranges {
if [ $INSTALLING_MESH ]; then
return
fi
if [[ $(is_completed $FUNCNAME) == "1" ]]; then
return
fi
# There are various blocklists out there, but they're difficult
# to verify. Indiscriminately blocking ranges without evidence
# would be a bad idea.
# From Wikipedia and elsewhere: US military addresses
iptables -A INPUT -s 6.0.0.0/8 -j DROP
iptables -A OUTPUT -s 6.0.0.0/8 -j DROP
iptables -A INPUT -s 7.0.0.0/8 -j DROP
iptables -A OUTPUT -s 7.0.0.0/8 -j DROP
iptables -A INPUT -s 11.0.0.0/8 -j DROP
iptables -A OUTPUT -s 11.0.0.0/8 -j DROP
iptables -A INPUT -s 21.0.0.0/8 -j DROP
iptables -A OUTPUT -s 21.0.0.0/8 -j DROP
iptables -A INPUT -s 22.0.0.0/8 -j DROP
iptables -A OUTPUT -s 22.0.0.0/8 -j DROP
iptables -A INPUT -s 26.0.0.0/8 -j DROP
iptables -A OUTPUT -s 26.0.0.0/8 -j DROP
iptables -A INPUT -s 28.0.0.0/8 -j DROP
iptables -A OUTPUT -s 28.0.0.0/8 -j DROP
iptables -A INPUT -s 29.0.0.0/8 -j DROP
iptables -A OUTPUT -s 29.0.0.0/8 -j DROP
iptables -A INPUT -s 30.0.0.0/8 -j DROP
iptables -A OUTPUT -s 30.0.0.0/8 -j DROP
iptables -A INPUT -s 33.0.0.0/8 -j DROP
iptables -A OUTPUT -s 33.0.0.0/8 -j DROP
iptables -A INPUT -s 55.0.0.0/8 -j DROP
iptables -A OUTPUT -s 55.0.0.0/8 -j DROP
iptables -A INPUT -s 214.0.0.0/8 -j DROP
iptables -A OUTPUT -s 214.0.0.0/8 -j DROP
iptables -A INPUT -s 215.0.0.0/8 -j DROP
iptables -A OUTPUT -s 215.0.0.0/8 -j DROP
save_firewall_settings
mark_completed $FUNCNAME
}
function global_rate_limit {
if ! grep -q "tcp_challenge_ack_limit" /etc/sysctl.conf; then
echo 'net.ipv4.tcp_challenge_ack_limit = 999999999' >> /etc/sysctl.conf
......
src/freedombone-utils-setup
+ 3
0
View file @ 425a4fc1
......@@ -566,6 +566,9 @@ function setup_firewall {
function_check global_rate_limit
global_rate_limit
function_check firewall_block_bad_ip_ranges
firewall_block_bad_ip_ranges
}
function setup_utils {
......
0% or .
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment