From 425a4fc1329046ab02069ffd8ffdacfe18753074 Mon Sep 17 00:00:00 2001
From: Bob Mottram <bob@freedombone.net>
Date: Fri, 31 Mar 2017 15:27:09 +0100
Subject: [PATCH] Block bad ip ranges

---
 src/freedombone-utils-firewall | 43 ++++++++++++++++++++++++++++++++++
 src/freedombone-utils-setup    |  3 +++
 2 files changed, 46 insertions(+)

diff --git a/src/freedombone-utils-firewall b/src/freedombone-utils-firewall
index 543c91a9c..76ab58216 100755
--- a/src/freedombone-utils-firewall
+++ b/src/freedombone-utils-firewall
@@ -44,6 +44,49 @@ function save_firewall_settings {
     fi
 }
 
+function firewall_block_bad_ip_ranges {
+    if [ $INSTALLING_MESH ]; then
+        return
+    fi
+    if [[ $(is_completed $FUNCNAME) == "1" ]]; then
+        return
+    fi
+
+    # There are various blocklists out there, but they're difficult
+    # to verify. Indiscriminately blocking ranges without evidence
+    # would be a bad idea.
+
+    # From Wikipedia and elsewhere: US military addresses
+    iptables -A INPUT -s 6.0.0.0/8 -j DROP
+    iptables -A OUTPUT -s 6.0.0.0/8 -j DROP
+    iptables -A INPUT -s 7.0.0.0/8 -j DROP
+    iptables -A OUTPUT -s 7.0.0.0/8 -j DROP
+    iptables -A INPUT -s 11.0.0.0/8 -j DROP
+    iptables -A OUTPUT -s 11.0.0.0/8 -j DROP
+    iptables -A INPUT -s 21.0.0.0/8 -j DROP
+    iptables -A OUTPUT -s 21.0.0.0/8 -j DROP
+    iptables -A INPUT -s 22.0.0.0/8 -j DROP
+    iptables -A OUTPUT -s 22.0.0.0/8 -j DROP
+    iptables -A INPUT -s 26.0.0.0/8 -j DROP
+    iptables -A OUTPUT -s 26.0.0.0/8 -j DROP
+    iptables -A INPUT -s 28.0.0.0/8 -j DROP
+    iptables -A OUTPUT -s 28.0.0.0/8 -j DROP
+    iptables -A INPUT -s 29.0.0.0/8 -j DROP
+    iptables -A OUTPUT -s 29.0.0.0/8 -j DROP
+    iptables -A INPUT -s 30.0.0.0/8 -j DROP
+    iptables -A OUTPUT -s 30.0.0.0/8 -j DROP
+    iptables -A INPUT -s 33.0.0.0/8 -j DROP
+    iptables -A OUTPUT -s 33.0.0.0/8 -j DROP
+    iptables -A INPUT -s 55.0.0.0/8 -j DROP
+    iptables -A OUTPUT -s 55.0.0.0/8 -j DROP
+    iptables -A INPUT -s 214.0.0.0/8 -j DROP
+    iptables -A OUTPUT -s 214.0.0.0/8 -j DROP
+    iptables -A INPUT -s 215.0.0.0/8 -j DROP
+    iptables -A OUTPUT -s 215.0.0.0/8 -j DROP
+    save_firewall_settings
+    mark_completed $FUNCNAME
+}
+
 function global_rate_limit {
     if ! grep -q "tcp_challenge_ack_limit" /etc/sysctl.conf; then
         echo 'net.ipv4.tcp_challenge_ack_limit = 999999999' >> /etc/sysctl.conf
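Review bot: The OUTPUT rules (`iptables -A OUTPUT -s 6.0.0.0/8 -j DROP` and the twelve like it) match on `-s`, but on the OUTPUT chain the source address is this host's own, so these rules never match and outbound traffic to the listed ranges is not actually blocked; the destination match `-d` is what the intent calls for. Because every rule is appended with `-A`, any ACCEPT already earlier in INPUT/OUTPUT (established-connection or per-port accepts, which I cannot see from this hunk) takes precedence, so either insert with `-I` or document where in the chain these are expected to land. Dropping by source address on INPUT also gives limited assurance on its own since a DROP'd packet's source is trivially spoofed, and the "From Wikipedia and elsewhere" comment should state what the list is, e.g. `# IPv4 /8 blocks listed as assigned to the US DoD (IANA/Wikipedia); blocking them is a policy choice, not a response to observed abuse — TODO confirm the list against IANA`. The thirteen duplicated pairs are easier to audit and extend as a list-driven loop, shown below.
```shell
function firewall_block_bad_ip_ranges {
    # … unchanged: INSTALLING_MESH and is_completed guards …
    local bad_ranges=(6.0.0.0/8 7.0.0.0/8 11.0.0.0/8 21.0.0.0/8 22.0.0.0/8 26.0.0.0/8
                      28.0.0.0/8 29.0.0.0/8 30.0.0.0/8 33.0.0.0/8 55.0.0.0/8
                      214.0.0.0/8 215.0.0.0/8)
    local range
    for range in "${bad_ranges[@]}"; do
        # inbound: drop packets claiming to come from the range
        iptables -A INPUT -s "$range" -j DROP
        # outbound: drop packets addressed TO the range (-d, not -s)
        iptables -A OUTPUT -d "$range" -j DROP
    done
    # … unchanged: save_firewall_settings / mark_completed …
}
```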
diff --git a/src/freedombone-utils-setup b/src/freedombone-utils-setup
index 3f04ddef3..7f55c8828 100755
--- a/src/freedombone-utils-setup
+++ b/src/freedombone-utils-setup
@@ -566,6 +566,9 @@ function setup_firewall {
 
     function_check global_rate_limit
     global_rate_limit
+
+    function_check firewall_block_bad_ip_ranges
+    firewall_block_bad_ip_ranges
 }
 
 function setup_utils {
-- 
GitLab