# ==== security/Haftungsausschluss (disclaimer) ====

Disclaimer: The Bash scripts I have written for setting the packet-filter rules are only wrappers around the Linux programs iptables and nftables. The Bash scripts themselves do not modify the installed operating system and, apart from journald entries at start and end and the current IPv6 ISP prefix stored as a comparison value, write or create no further data. I make no claim that the scripts are completely free of programming errors, and I do not assert this. Data loss is possible through programming errors in my code, through existing bugs in the Linux programs used, through external mechanical influences that may occur at the same time, and through changes the user makes to the programs or through improper or incorrect settings or wrong parameters passed inside the programs, for example when running processes are blocked by faulty filter rules so that they can no longer do their job. I therefore exclude all liability for damage to software or hardware, financial loss or data loss arising from the use of these scripts. Use of the programs is at your own risk.
# ==== security/etc/systemd/netfilter.service ====
[Unit]
Description=thlu:netfilter.service: Set local Netfilter
DefaultDependencies=no
After=network.target

[Service]
# Type=simple lets "systemctl start" return at once while the script still waits for an address;
# Type=oneshot (keeping RemainAfterExit=yes) would block until the rules are loaded, so that units
# ordered After=netfilter.service really start behind a filtered host.
Type=simple
RemainAfterExit=yes
ExecStart=/usr/local/bin/netfilter
ExecStop=/usr/local/bin/netfilter flush

[Install]
WantedBy=multi-user.target

# ==== security/etc/systemd/tmp.mount ====
[Unit]
Description=thlu:tmp.mount: Mount local /tmp to tmpfs
DefaultDependencies=no
Conflicts=umount.target
Before=local-fs.target umount.target

[Mount]
What=tmpfs
Where=/tmp
# mode=1777 keeps the sticky bit on /tmp, so users can only remove their own files (a plain 777 would not)
Options=mode=1777,strictatime,noexec,nosuid,nodev
Type=tmpfs

[Install]
WantedBy=local-fs.target

# ==== security/etc/systemd/noexec-dev-shm.service ====
[Unit]
Description=thlu:noexec-dev-shm.service: Disable execute-permissions
After=local-fs.target

[Service]
Type=oneshot
ExecStart=/bin/mount -o remount,noexec,nosuid,nodev /dev/shm

[Install]
WantedBy=basic.target

# ==== security/etc/systemd/ReadMe ====
# Setting up the following service units:
#
# /etc/systemd/system/netfilter.service        Starts the packet filter at boot
#                                              (ExecStart expects one of the netfilter.* scripts installed as /usr/local/bin/netfilter)
# /etc/systemd/system/noexec-dev-shm.service   Disallow executable files on /dev/shm
# /etc/systemd/system/noexec-home.service      ditto for /home
# /etc/systemd/system/tmp.mount                ditto for /tmp
#==========================================================================================================================================
# Set the permissions of the units as follows:
chown root:root /etc/systemd/system/netfilter.service      ; chmod 644 /etc/systemd/system/netfilter.service
chown root:root /etc/systemd/system/noexec-dev-shm.service ; chmod 644 /etc/systemd/system/noexec-dev-shm.service
chown root:root /etc/systemd/system/noexec-home.service    ; chmod 644 /etc/systemd/system/noexec-home.service
chown root:root /etc/systemd/system/tmp.mount              ; chmod 644 /etc/systemd/system/tmp.mount

# Enable for system start:
cd /etc/systemd/system
ls -lah

# Check the status and enable
systemctl status netfilter.service noexec-dev-shm.service noexec-home.service tmp.mount   # must be "disabled" and "inactive"
systemctl enable netfilter.service noexec-dev-shm.service noexec-home.service tmp.mount   # enable for system start
systemctl status netfilter.service noexec-dev-shm.service noexec-home.service tmp.mount   # must be "enabled" and "inactive"
netfilter list                                                                             # empty = no rules loaded at the moment
systemctl start netfilter.service                                                          # start the packet filter manually right now
systemctl status netfilter.service                                                         # must be "enabled" and "active"
netfilter list                                                                             # the current rules are set

# Caution:
# Do NOT start the mount units for home, shm and tmp manually: open file handles may exist, and remounting
# underneath them could provoke instabilities. After the next reboot these mounts are active without conflicts.
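After the reboot the ReadMe calls for, the mount flags should be verified rather than assumed. The following script is an added example by the editor, not part of the original archive: it reads a mount table in /proc/self/mounts format (the MOUNTS_FILE variable, the check_* function names and the sample table in the test are the editor's own) and reports which of /tmp, /dev/shm and /home lack noexec, nosuid or nodev. It deliberately takes the last table entry per mount point, which is what matters for /home, where the bind mount is remounted on top of itself.

```shell
#!/bin/bash
# Added example: verify the noexec/nosuid/nodev hardening of /tmp, /dev/shm and /home.
# MOUNTS_FILE (assumed name) defaults to the live mount table; point it at a file with the
# same six-column format to test the logic offline.
MOUNTS_FILE="${MOUNTS_FILE:-/proc/self/mounts}"

# mount_options <mountpoint>: print the option string of the LAST table entry for that mount
# point (a later bind/remount shadows an earlier entry, e.g. /home after noexec-home.service)
mount_options() {
    mp=$1
    opts=""
    while read -r _dev mpoint _fstype mopts _rest; do
        [ "$mpoint" = "$mp" ] && opts=$mopts
    done < "$MOUNTS_FILE"
    printf '%s\n' "$opts"
}

# has_flag <option-string> <flag>: true if <flag> appears as a whole comma-separated word
has_flag() {
    case ",$1," in
        *",$2,"*) return 0 ;;
        *)        return 1 ;;
    esac
}

# check_mount <mountpoint>: prints "<mp> OK", "<mp> MISSING <flags>" or "<mp> NOT MOUNTED";
# returns 0 only when all three flags are present
check_mount() {
    mp=$1
    missing=""
    opts=$(mount_options "$mp")
    if [ -z "$opts" ]; then
        printf '%s NOT MOUNTED\n' "$mp"
        return 1
    fi
    for f in noexec nosuid nodev; do
        has_flag "$opts" "$f" || missing="$missing $f"
    done
    if [ -n "$missing" ]; then
        printf '%s MISSING%s\n' "$mp" "$missing"
        return 1
    fi
    printf '%s OK\n' "$mp"
    return 0
}

# check_all: run check_mount on every mount point hardened by the units above; non-zero if any fails
check_all() {
    rc=0
    for mp in /tmp /dev/shm /home; do
        check_mount "$mp" || rc=1
    done
    return $rc
}

# Run the checks against the live system when executed directly with "run":
#   ./check-noexec-mounts run          (sourcing the file only defines the functions)
if [ "${1:-}" = "run" ]; then
    check_all
    exit $?
fi
```

The script is plain POSIX sh apart from the shebang, so it can be dropped next to the unit files and run from a cron job or a post-boot unit; a non-zero exit means at least one of the three mount points is not hardened.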
# ==== security/etc/systemd/noexec-home.service ====
[Unit]
Description=thlu:noexec-home.service: Disable execute-permissions
After=local-fs.target

[Service]
Type=oneshot
# /home is not a separate filesystem here, so it is bind-mounted onto itself first; the remount then
# applies noexec,nosuid,nodev to that mount point without touching the root filesystem
ExecStart=/bin/mount --bind /home /home
ExecStart=/bin/mount -o remount,noexec,nosuid,nodev /home

[Install]
WantedBy=basic.target

# ==== security/usr/local/bin/is-new-isp-prefix ====
#!/bin/bash
#=============================================================================================================================
# Description : Check for a new IPv6 ISP prefix after the provider's forced disconnect/reconnect
# Script-Name : is-new-isp-prefix
# Date        : 27.09.2019
# Version     : 5.5
# Licence     : GNU General Public License 3
# written by  : TomL*thlu.de
#
# is-new-isp-prefix is written and tested for Debian and Raspbian
#=============================================================================================================================

PATH=/sbin:/usr/sbin:/bin:/usr/bin:/usr/local/bin:$PATH

interface=$(ip route 2>/dev/null | grep default -m 1 | awk -F ' ' '{ print $5 }')   # interface carrying the default route
AppSendmail=$(which sendmail)
mailfrom=""
mailto=""

echo "active/running Check is new ISP-Prefix on Interface $interface" | systemd-cat -t "thlu:$(basename $0)" -p "info"

# Wait up to about 100 s for the SLAAC address (mngtmpaddr) that is neither deprecated, ULA (fd00) nor link-local (fe80).
# The value keeps its "/64" suffix, which the cut -d':' below strips off again.
for ((a=0;a<10;a++)); do
    gua_ip=$(ip -f inet6 -o addr show $interface | grep mngtmpaddr | egrep -v "deprecated|fd00|fe80" | awk -F 'inet6 ' '{ print $2 }' | cut -d' ' -f1)
    [ -n "$gua_ip" ] && break
    sleep 10
done

if [ -z "$gua_ip" ]; then
    echo "active/running Error: No IPv6 found!" | systemd-cat -t "thlu:$(basename $0)" -p "err"
    if [ -n "$mailto" ]; then
        if [ -n "$AppSendmail" ]; then
            echo "active/running Send Mail!" | systemd-cat -t "thlu:$(basename $0)" -p "info"
            echo -e "From: <$mailfrom>\r\nTo: $mailto\r\nSubject: No ISP prefix\r\n\r\nISP prefix could not be determined: $(date)" | $AppSendmail $mailto
        fi
    fi
    exit 1
fi

# The first four groups are taken as the /64 prefix. This assumes the address is printed with four uncompressed
# leading groups; a prefix containing consecutive zero groups (shown as "::") would be cut wrongly.
isp_prefix=$(echo "$gua_ip" | cut -d':' -f1-4)
[ -f /var/run/actual_isp_prefix ] && old_prefix=$(cat /var/run/actual_isp_prefix) || old_prefix=""

if [ -z "$old_prefix" ] || [ ! "$old_prefix" == "$isp_prefix" ]; then
    echo "$isp_prefix" >/var/run/actual_isp_prefix
    echo "active/running ISP-Prefix has changed. Old=$old_prefix New=$isp_prefix. Restart netfilter" | systemd-cat -t "thlu:$(basename $0)" -p "info"
    if [ -n "$(nft list ruleset | grep "$isp_prefix" -m1)" ];then
        echo "active/running Netfilter already set with $isp_prefix. No restart needed." | systemd-cat -t "thlu:$(basename $0)" -p "info"
    else
        netfilter flush
        netfilter
        if [ -n "$mailto" ]; then
            if [ -n "$AppSendmail" ]; then
                echo "active/running Send Mail!" | systemd-cat -t "thlu:$(basename $0)" -p "info"
                echo -e "From: <$mailfrom>\r\nTo: $mailto\r\nSubject: ISP-Prefix on $interface: $isp_prefix\r\n\r\n$isp_prefix\r\nDetected: $(date)" | $AppSendmail $mailto
            fi
        fi
    fi
else
    echo "active/running ISP-Prefix on $interface unchanged." | systemd-cat -t "thlu:$(basename $0)" -p "info"
fi
exit 0
#=============================================================================================================================
# EOF

# ==== security/usr/local/bin/netfilter-reject-ip ====
# Add a list of IP (4+6) addresses according to the following pattern:
# 1.2.3.4
# 4.5.6.0/24
# 2003::/16
# 2a00:1450:4016:80a::/64
# 2a00:1450:4016:80a::2003
#
# If there are more IP addresses than just a handful, ipset is the better solution
# (with nftables the equivalent is a named set, as the "blackhole" set in netfilter.server already shows).
# Placeholder entries: the three IPv4 lines below contain octets above 255 and are not valid addresses;
# replace them with real ones, because nft refuses a rule whose address does not parse
773.94.123.93
288.39.135.777
771.46.202.0/24
2a00:1450:4016:80a::2003

# ==== security/usr/local/bin/netfilter.client ====
#!/bin/bash
#=================================================================================================================
# Description:  Client-Netfilter
# Version:      7.0.1
# Date:         23.06.2020
# Written by:   TomL*thlu.de
# Licence:      GNU General Public License 3
# Usage:        netfilter              Set Netfilter IPv4 and IPv6
#               netfilter { 4 | 6 }    Set Netfilter IPv4 or IPv6
#               netfilter flush        Flush Netfilter
#               netfilter list         List all rules
#=================================================================================================================

PATH=/sbin:/usr/sbin:/bin:/usr/bin:$PATH

[ "$1" == "flush" ] && nft flush ruleset && echo "netfilter flushed!" | systemd-cat -t "thlu:$(basename $0)" -p "warning"
[ "$1" == "list" ] && nft -nn list ruleset
[ -n "$1" ] && [ ! "$1" == "4" ] && [ ! "$1" == "6" ] && exit 0      # flush, list and unknown arguments end here

echo "netfilter started!" | systemd-cat -t "thlu:$(basename $0)" -p "info"

modprobe nf_conntrack
modprobe nf_conntrack_ftp                                    # FTP Application Layer Gateway
#modprobe br_netfilter                                       # enable Bridge-Filter
sysctl -w net.netfilter.nf_conntrack_helper=1 >/dev/null     # automatic helper assignment; it is off by default since Linux 4.7 for
                                                             # security reasons, an explicit "ct helper" rule is the supported alternative

ipv4=""
ipv6=""
ipv4_lan="127.0.0.0/8"
ipv6_lan="::1/128"
ipv4_netw=""
ipv6_netw=""
interface=""
tStart=$(date +%s)
tEnd=$(date +%s)
timeout=85                                                   # shared waiting budget in seconds for GetNetw 4 and GetNetw 6 together

#=================================================================================================================
# Determine the network (site) prefixes for IPv4+6 with wait states (SLAAC may take some time).
# Assumes a /24 LAN and an IPv6 address printed with four uncompressed leading groups; the 7th
# space-separated field is the address because "ip -o" pads the interface name with spaces.
GetNetw() {
    tTmp=$(date +%s)
    NetwStack=$1
    ip=""
    while [ $timeout -gt 0 ]; do
        interface=$(ip route 2>/dev/null | grep default -m 1 | awk -F ' ' '{ print $5 }')
        if [ -n "$interface" ]; then
            # "inet6 fd00" instead of "^fd00": the line starts with the interface index, so an anchored pattern never excluded ULA
            ip=$(ip -$NetwStack -o addr show $interface | grep -v "deprecated\|inet6 fd00" | grep "scope global" -m 1 | cut -d' ' -f 7 | cut -d/ -f 1)
            [ -n "$ip" ] && break
        fi
        (( timeout-- ))
        sleep 1
    done
    tEnd=$(date +%s)
    if [ -z "$ip" ]; then
        echo "netfilter check NIC: terminated with error. IPv$NetwStack is not configured after $((tEnd-tTmp)) seconds waiting." | systemd-cat -t "thlu:$(basename $0)" -p "err"
        return 1
    else
        [ $NetwStack -eq 4 ] && ipv4_lan=$(echo $ip | cut -d'.' -f1-3)".0/24" && ipv4=$ip
        [ $NetwStack -eq 6 ] && ipv6_lan=$(echo $ip | cut -d':' -f1-4)"::/64" && ipv6=$ip
        echo "netfilter check NIC: $((tEnd-tTmp)) seconds waiting until IPv$NetwStack on $interface is configured" | systemd-cat -t "thlu:$(basename $0)" -p "info"
    fi
    return 0
}

#=================================================================================================================
SetInboundV4() {
    nft add rule ip filter input ct state invalid counter drop                                   # Drop non-conforming packets (malformed headers, etc.)
    nft add rule ip filter input iifname lo accept                                               # Allow loopback traffic
    nft add rule ip filter input ct state new limit rate over 1/minute counter drop              # Limited number of new connections; drop flooding
                                                                                                 # (the limit is global, not per source address)
    nft add rule ip filter input icmp type echo-request limit rate over 10/minute counter reject with icmp type host-unreachable
    nft add rule ip filter input ip protocol icmp ip saddr == $ipv4_netw accept                  # Allow local icmp
    nft add rule ip filter input pkttype { broadcast, multicast } ip saddr == $ipv4_netw accept  # Allow local *cast messages
    nft add rule ip filter input ct state established,related accept                             # Allow established connections
    nft add rule ip filter input ip saddr $ipv4_netw tcp dport 55551 accept                      # SSH
    nft add rule ip filter input ip saddr $ipv4_netw tcp dport 55552 accept                      # VNC
    nft add rule ip filter input ip protocol tcp counter reject with tcp reset                   # TCP RST = close the TCP connection properly
    nft add rule ip filter input counter reject with icmp type port-unreachable                 # Reject all other traffic
}

#=================================================================================================================
SetInboundV6() {
    nft add rule ip6 filter input ct state invalid counter drop                                  # Similar to V4
    nft add rule ip6 filter input iifname lo accept
    nft add rule ip6 filter input ct state new limit rate over 1/minute counter drop
    nft add rule ip6 filter input icmpv6 type echo-request limit rate over 10/minute counter reject with icmpv6 type port-unreachable
    nft add rule ip6 filter input meta l4proto ipv6-icmp ip6 saddr == $ipv6_netw accept
    nft add rule ip6 filter input pkttype { broadcast, multicast } ip6 saddr == $ipv6_netw accept
    nft add rule ip6 filter input ct state established,related accept
    nft add rule ip6 filter input ip6 saddr $ipv6_netw tcp dport 55551 accept
    nft add rule ip6 filter input ip6 saddr $ipv6_netw tcp dport 55552 accept
    nft add rule ip6 filter input meta l4proto tcp counter reject with tcp reset
    nft add rule ip6 filter input counter reject with icmpv6 type port-unreachable
}

#=================================================================================================================
SetOutboundV4() {
    nft add rule ip filter output oifname lo accept                              # Allow loopback traffic
    nft add rule ip filter output ip protocol icmp accept                        # Allow outgoing icmp
    nft add rule ip filter output pkttype { broadcast, multicast } accept        # Allow outgoing packet types
    nft add rule ip filter output ct state established,related accept            # Allow established connections
    nft add rule ip filter output tcp dport 21 accept                            # FTP client
    nft add rule ip filter output tcp dport 25 accept                            # SMTP
    nft add rule ip filter output tcp dport 53 accept                            # DNS lookup
    nft add rule ip filter output udp dport 53 accept                            # DNS lookup
    nft add rule ip filter output tcp dport 80 accept                            # HTTP
    nft add rule ip filter output tcp dport 443 accept                           # HTTPS, OpenVPN (443->Router >>> VPNServer->55554)
    nft add rule ip filter output tcp dport 110 accept                           # POP3
    nft add rule ip filter output udp dport 123 accept                           # ntp
    nft add rule ip filter output tcp dport 143 accept                           # Mail (IMAP)
    nft add rule ip filter output tcp dport 445 accept                           # CIFS
    nft add rule ip filter output tcp dport 465 accept                           # SMTP (TLS/SSL)
    nft add rule ip filter output tcp dport 587 accept                           # SMTP
    nft add rule ip filter output tcp dport 631 accept                           # cups
    nft add rule ip filter output tcp dport 993 accept                           # IMAPS (TLS/SSL)
    nft add rule ip filter output tcp dport 995 accept                           # POP3S (TLS/SSL)
    nft add rule ip filter output tcp dport 5232 accept                          # radicale
    nft add rule ip filter output tcp dport 5901 accept                          # VNC (TightVNC viewer)
    nft add rule ip filter output tcp dport 55551 accept                         # SSH
    nft add rule ip filter output tcp dport 55552 accept                         # VNC
    nft add rule ip filter output udp dport 55553 accept                         # OpenVPN
    nft add rule ip filter output counter reject with icmp type admin-prohibited
}

#=================================================================================================================
SetOutboundV6() {
    nft add rule ip6 filter output oifname lo accept                             # Similar to V4
    nft add rule ip6 filter output meta l4proto ipv6-icmp accept
    nft add rule ip6 filter output pkttype { broadcast, multicast } accept
    nft add rule ip6 filter output ct state established,related accept
    nft add rule ip6 filter output tcp dport 21 accept
    nft add rule ip6 filter output tcp dport 25 accept
    nft add rule ip6 filter output tcp dport 53 accept
    nft add rule ip6 filter output udp dport 53 accept
    nft add rule ip6 filter output tcp dport 80 accept
    nft add rule ip6 filter output tcp dport 443 accept
    nft add rule ip6 filter output tcp dport 110 accept
    nft add rule ip6 filter output udp dport 123 accept
    nft add rule ip6 filter output tcp dport 143 accept
    nft add rule ip6 filter output tcp dport 445 accept
    nft add rule ip6 filter output tcp dport 465 accept
    nft add rule ip6 filter output tcp dport 587 accept
    nft add rule ip6 filter output tcp dport 631 accept
    nft add rule ip6 filter output tcp dport 993 accept
    nft add rule ip6 filter output tcp dport 995 accept
    nft add rule ip6 filter output tcp dport 5232 accept
    nft add rule ip6 filter output tcp dport 5901 accept
    nft add rule ip6 filter output tcp dport 55551 accept
    nft add rule ip6 filter output tcp dport 55552 accept
    nft add rule ip6 filter output udp dport 55553 accept
    nft add rule ip6 filter output counter reject with icmpv6 type admin-prohibited
}

#=================================================================================================================
SetForwardV4() {
    nft add rule ip filter forward ct state related,established accept           # Allow established connections
    nft add rule ip filter forward counter drop
}

#=================================================================================================================
SetForwardV6() {
    nft add rule ip6 filter forward ct state related,established accept          # Similar to V4
    nft add rule ip6 filter forward counter drop
}

#=================================================================================================================
nft flush ruleset                       # Between this flush and the last rule below the host runs unfiltered and each
                                        # "nft add" is applied on its own; an "nft -f" file beginning with "flush ruleset"
                                        # would load the whole ruleset atomically.

if [ -z "$1" ] || [ "$1" == "4" ]; then # "" = both, or only IPv4?
    GetNetw 4
    if [ $? -eq 0 ]; then
        ipv4_netw="$ipv4_lan"
        nft add table ip filter
        nft add chain ip filter forward "{ type filter hook forward priority 0; counter; }"
        nft add chain ip filter input   "{ type filter hook input priority 0; counter; }"
        nft add chain ip filter output  "{ type filter hook output priority 0; counter; }"
        SetInboundV4
        SetOutboundV4
        SetForwardV4
    fi
fi

if [ -z "$1" ] || [ "$1" == "6" ]; then
    GetNetw 6
    if [ $? -eq 0 ]; then
        ipv6_netw="{ $ipv6_lan, fd00::/16, fe80::/16 }"
        nft add table ip6 filter
        nft add chain ip6 filter forward "{ type filter hook forward priority 0; counter; }"
        nft add chain ip6 filter input   "{ type filter hook input priority 0; counter; }"
        nft add chain ip6 filter output  "{ type filter hook output priority 0; counter; }"
        SetInboundV6
        SetOutboundV6
        SetForwardV6
    fi
fi

#-----------------------------------------------------------------------------------------------------------------
echo "netfilter successfully activated after $(($(date +%s)-tStart)) seconds" | systemd-cat -t "thlu:$(basename $0)" -p "info"
exit 0

#-----------------------------------------------------------------------------------------------------------------
# Test mode (unreachable unless the "exit 0" above is commented out): keep the rules for 180 seconds, then flush them
echo "Packet filter is active!"
sleep 2
$0 list
read -t 180 -p "Packet filter active for 180 seconds. Press ENTER to end or wait..."
$0 flush
$0 list
exit 0
#=================================================================================================================
#EOF

# ==== security/usr/local/bin/netfilter.server ====
#!/bin/bash
#=================================================================================================================
# Description:  Server-Netfilter
# Version:      7.2.1
# Date:         23.06.2020
# Written by:   TomL*thlu.de
# Licence:      GNU General Public License 3
# Usage:        netfilter              Set Netfilter IPv4 and IPv6
#               netfilter { 4 | 6 }    Set Netfilter IPv4 or IPv6
#               netfilter flush        Flush Netfilter
#               netfilter list         List all rules
#=================================================================================================================
# 10.0.1.0/24 LAN          10.      0.       1.       0.
#                          00001010 00000000 00000001 00000000
#
# 10.0.8.0/24 VPN-UDP      00001010 00000000 00001000 00000000
# 10.0.9.0/24 VPN-TCP      00001010 00000000 00001001 00000000
# 10.0.8.0/23              ^^^^^^^^ ^^^^^^^^ ^^^^^^^           (the 23-bit prefix common to both VPN subnets)
#=================================================================================================================

PATH=/sbin:/usr/sbin:/bin:/usr/bin:$PATH

[ "$1" == "flush" ] && nft flush ruleset && echo "netfilter flushed!" | systemd-cat -t "thlu:$(basename $0)" -p "warning"
[ "$1" == "list" ] && nft -nn list ruleset
[ -n "$1" ] && [ ! "$1" == "4" ] && [ ! "$1" == "6" ] && exit 0      # flush, list and unknown arguments end here

echo "netfilter started!" \
| systemd-cat -t "thlu:$(basename $0)" -p "info"

modprobe nf_conntrack
modprobe nf_conntrack_ftp                                    # FTP Application Layer Gateway
#modprobe br_netfilter                                       # enable Bridge-Filter
sysctl -w net.netfilter.nf_conntrack_helper=1 >/dev/null     # automatic helper assignment; it is off by default since Linux 4.7 for
                                                             # security reasons, an explicit "ct helper" rule is the supported alternative

ipv4=""
ipv6=""
ipv4_lan="127.0.0.0/8"
ipv6_lan="::1/128"
ipv4_vpn="10.0.8.0/23"                                       # covers 10.0.8.0/24 (VPN-UDP) and 10.0.9.0/24 (VPN-TCP), see the diagram above
ipv6_vpn="fd00:10:0:8::/63"
ipv4_netw=""
ipv6_netw=""
interface=""
tStart=$(date +%s)
tEnd=$(date +%s)
timeout=85                                                   # shared waiting budget in seconds for GetNetw 4 and GetNetw 6 together

#=================================================================================================================
# Determine the network (site) prefixes for IPv4+6 with wait states (SLAAC may take some time).
# Assumes a /24 LAN and an IPv6 address printed with four uncompressed leading groups; the 7th
# space-separated field is the address because "ip -o" pads the interface name with spaces.
GetNetw() {
    tTmp=$(date +%s)
    NetwStack=$1
    ip=""
    while [ $timeout -gt 0 ]; do
        interface=$(ip route 2>/dev/null | grep default -m 1 | awk -F ' ' '{ print $5 }')
        if [ -n "$interface" ]; then
            # "inet6 fd00" instead of "^fd00": the line starts with the interface index, so an anchored pattern never excluded ULA
            ip=$(ip -$NetwStack -o addr show $interface | grep -v "deprecated\|inet6 fd00" | grep "scope global" -m 1 | cut -d' ' -f 7 | cut -d/ -f 1)
            [ -n "$ip" ] && break
        fi
        (( timeout-- ))
        sleep 1
    done
    tEnd=$(date +%s)
    if [ -z "$ip" ]; then
        echo "netfilter check NIC: terminated with error. IPv$NetwStack is not configured after $((tEnd-tTmp)) seconds waiting." | systemd-cat -t "thlu:$(basename $0)" -p "err"
        return 1
    else
        [ $NetwStack -eq 4 ] && ipv4_lan=$(echo $ip | cut -d'.' -f1-3)".0/24" && ipv4=$ip
        [ $NetwStack -eq 6 ] && ipv6_lan=$(echo $ip | cut -d':' -f1-4)"::/64" && ipv6=$ip
        echo "netfilter check NIC: $((tEnd-tTmp)) seconds waiting until IPv$NetwStack on $interface is configured" | systemd-cat -t "thlu:$(basename $0)" -p "info"
    fi
    return 0
}

#=================================================================================================================
SetInboundV4() {
    nft add rule ip filter input ip saddr @blackhole counter log prefix \"Temp.banned IP: \" drop        # Temporarily banned IPs
    nft add rule ip filter input ct state invalid counter drop                                            # Drop non-conforming packets (malformed headers, etc.)
    nft add rule ip filter input iifname lo accept                                                        # Allow loopback traffic
    # check martians = hack? flood?  The two limits are global counters, not per source: once more than one new
    # connection (or ten echo requests) per minute arrives from outside, every further external sender is banned for 60 min.
    nft add rule ip filter input ct state new ip saddr != $ipv4_netw limit rate over 1/minute set add ip saddr @blackhole
    nft add rule ip filter input icmp type echo-request ip saddr != $ipv4_netw limit rate over 10/minute set add ip saddr @blackhole
    nft add rule ip filter input ip protocol icmp ip saddr == $ipv4_netw accept                           # Allow local icmp
    nft add rule ip filter input pkttype { broadcast, multicast } ip saddr == $ipv4_netw accept           # Allow local *cast messages
    nft add rule ip filter input ct state established,related accept                                      # Allow established connections
    nft add rule ip filter input tcp dport 25 ip saddr $ipv4_netw accept                                  # SMTP
#   nft add rule ip filter input tcp dport 80 ip saddr $ipv4_netw accept                                  # HTTP
#   nft add rule ip filter input tcp dport 443 ip saddr $ipv4_netw accept                                 # HTTPS
    nft add rule ip filter input tcp dport 143 ip saddr $ipv4_netw accept                                 # IMAP
    nft add rule ip filter input tcp dport 445 ip saddr $ipv4_netw accept                                 # CIFS (smbd)
    nft add rule ip filter input tcp dport 631 ip saddr $ipv4_netw accept                                 # Cups
    nft add rule ip filter input tcp dport 993 ip saddr $ipv4_netw accept                                 # IMAPS (TLS/SSL)
    nft add rule ip filter input tcp dport 5232 ip saddr $ipv4_netw accept                                # Radicale
    nft add rule ip filter input tcp dport 55551 ip saddr $ipv4_netw accept                               # SSH
    nft add rule ip filter input tcp dport 55552 ip saddr $ipv4_netw accept                               # VNC/RDP
    nft add rule ip filter input udp dport 55553 accept                                                   # OpenVPN UDP
    nft add rule ip filter input tcp dport 55554 accept                                                   # OpenVPN TCP (Router->443 >>> VPNServer->55554)
    nft add rule ip filter input ip protocol tcp counter reject with tcp reset                            # TCP RST = close the TCP connection properly
    nft add rule ip filter input counter reject with icmp type port-unreachable                          # Reject all other traffic
}

#=================================================================================================================
SetInboundV6() {
    nft add rule ip6 filter input ip6 saddr @blackhole counter log prefix \"Temp.banned IP: \" drop       # Similar to V4
    nft add rule ip6 filter input ct state invalid counter drop
    nft add rule ip6 filter input iifname lo accept
    nft add rule ip6 filter input ct state new ip6 saddr != $ipv6_netw limit rate over 1/minute set add ip6 saddr @blackhole
    nft add rule ip6 filter input icmpv6 type echo-request ip6 saddr != $ipv6_netw limit rate over 10/minute set add ip6 saddr @blackhole
    nft add rule ip6 filter input meta l4proto ipv6-icmp ip6 saddr == $ipv6_netw accept
    nft add rule ip6 filter input pkttype { broadcast, multicast } ip6 saddr == $ipv6_netw accept
    nft add rule ip6 filter input ct state established,related accept
    nft add rule ip6 filter input tcp dport 25 ip6 saddr $ipv6_netw accept
#   nft add rule ip6 filter input tcp dport 80 ip6 saddr $ipv6_netw accept
#   nft add rule ip6 filter input tcp dport 443 ip6 saddr $ipv6_netw accept
    nft add rule ip6 filter input tcp dport 143 ip6 saddr $ipv6_netw accept
    nft add rule ip6 filter input tcp dport 445 ip6 saddr $ipv6_netw accept
    nft add rule ip6 filter input tcp dport 631 ip6 saddr $ipv6_netw accept
    nft add rule ip6 filter input tcp dport 993 ip6 saddr $ipv6_netw accept
    nft add rule ip6 filter input tcp dport 5232 ip6 saddr $ipv6_netw accept
    nft add rule ip6 filter input tcp dport 55551 ip6 saddr $ipv6_netw accept
    nft add rule ip6 filter input tcp dport 55552 ip6 saddr $ipv6_netw accept
    nft add rule ip6 filter input udp dport 55553 accept
    nft add rule ip6 filter input tcp dport 55554 accept
    nft add rule ip6 filter input meta l4proto tcp counter reject with tcp reset
    nft add rule ip6 filter input counter reject with icmpv6 type port-unreachable
}

#=================================================================================================================
SetOutboundV4() {
    nft add rule ip filter output oifname lo accept                              # Allow loopback traffic
    nft add rule ip filter output ip protocol icmp accept                        # Allow outgoing icmp
    nft add rule ip filter output pkttype { broadcast, multicast } accept        # Allow outgoing packet types
    nft add rule ip filter output ct state established,related accept            # Allow established connections
    nft add rule ip filter output tcp dport 21 accept                            # FTP client
    nft add rule ip filter output tcp dport 25 accept                            # SMTP
    nft add rule ip filter output tcp dport 53 accept                            # DNS lookup
    nft add rule ip filter output udp dport 53 accept                            # DNS lookup
    nft add rule ip filter output udp dport 123 accept                           # ntp
    nft add rule ip filter output tcp dport 465 accept                           # SMTPS (TLS/SSL)
    nft add rule ip filter output tcp dport 515 accept                           # Line Printer Daemon (network printer)
    nft add rule ip filter output tcp dport 587 accept                           # SMTP
    nft add rule ip filter output tcp dport 995 accept                           # POP3S (TLS/SSL)
    nft add rule ip filter output counter reject with icmp type admin-prohibited
}

#=================================================================================================================
SetOutboundV6() {
    nft add rule ip6 filter output oifname lo accept                             # Similar to V4
    nft add rule ip6 filter output meta l4proto ipv6-icmp accept
    nft add rule ip6 filter output pkttype { broadcast, multicast } accept
    nft add rule ip6 filter output ct state established,related accept
    nft add rule ip6 filter output tcp dport 21 accept
    nft add rule ip6 filter output tcp dport 25 accept
    nft add rule ip6 filter output tcp dport 53 accept
    nft add rule ip6 filter output udp dport 53 accept
    nft add rule ip6 filter output udp dport 123 accept
    nft add rule ip6 filter output tcp dport 465 accept
    nft add rule ip6 filter output tcp dport 515 accept
    nft add rule ip6 filter output tcp dport 587 accept
    nft add rule ip6 filter output tcp dport 995 accept
    nft add rule ip6 filter output counter reject with icmpv6 type admin-prohibited
}

#=================================================================================================================
SetForwardV4() {
    nft add rule ip filter forward ct state related,established accept                              # Allow established connections
#   nft add rule ip filter forward iifname "tun*" ip saddr $ipv4_vpn ip daddr == $ipv4_lan accept   # Allow VPN clients to access the LAN
#   nft add rule ip filter forward iifname "tun*" ip saddr $ipv4_vpn ip daddr != $ipv4_lan accept   # - to access the WWW
    nft add rule ip filter forward iifname "tun*" ip saddr $ipv4_vpn accept                         # - to access LAN and WWW ("tun*" quoted so the shell never globs it)
    nft add rule ip filter forward counter drop
    #-----------------------------------------------------------------------------------------------------------------
    nft add rule ip filter postrouting oifname $interface ip saddr $ipv4_vpn masquerade              # Masquerade traffic from the VPN on the output interface
}

#=================================================================================================================
SetForwardV6() {
    nft add rule ip6 filter forward ct state related,established accept                             # Similar to V4
    nft add rule ip6 filter forward iifname "tun*" ip6 saddr $ipv6_vpn accept
    nft add rule ip6 filter forward counter drop
    #-----------------------------------------------------------------------------------------------------------------
    nft add rule ip6 filter postrouting oifname $interface ip6 saddr $ipv6_vpn masquerade
}

#=================================================================================================================
# Blacklisting of predefined IPs in /usr/local/bin/netfilter-reject-ip.
# One raw-chain rule is generated per entry; an entry that nft cannot parse makes only that "nft add" fail.
SetBlacklist() {
    Blacklist="$(dirname $0)/netfilter-reject-ip"
    [[ "$1" =~ "4" ]] && nft add rule ip filter blacklisted log prefix \"Blacklisted IP: \" drop
    [[ "$1" =~ "6" ]] && nft add rule ip6 filter blacklisted log prefix \"Blacklisted IP: \" drop
    if [[ -s "${Blacklist}" ]]; then
        while read ip; do
            [ -n "$ip" ] && ip=${ip%#*}                                                  # strip trailing "# comment"
            if [ -n "$ip" ]; then
                [[ "$1" =~ "4" ]] && [[ "$ip" =~ "." ]] && nft add rule ip filter raw ip saddr $ip counter goto blacklisted
                [[ "$1" =~ "6" ]] && [[ "$ip" =~ ":" ]] && nft add rule ip6 filter raw ip6 saddr $ip counter goto blacklisted
            fi
        done < <(cat "${Blacklist}"; echo "")
    fi
}

#=================================================================================================================
nft flush ruleset                       # Between this flush and the last rule below the host runs unfiltered and each
                                        # "nft add" is applied on its own; an "nft -f" file beginning with "flush ruleset"
                                        # would load the whole ruleset atomically.

if [ -z "$1" ] || [ "$1" == "4" ]; then # "" = both, or only IPv4?
    GetNetw 4
    if [ $? -eq 0 ]; then
        ipv4_netw="{ $ipv4_lan, $ipv4_vpn }"
        nft add table ip filter
        nft add chain ip filter raw         "{ type filter hook prerouting priority -300; counter;}"
        nft add chain ip filter prerouting  "{ type nat hook prerouting priority -100; counter;}"
        nft add chain ip filter input       "{ type filter hook input priority 0; counter;}"
        nft add chain ip filter output      "{ type filter hook output priority 0; counter;}"
        nft add chain ip filter forward     "{ type filter hook forward priority 0; counter;}"
        nft add chain ip filter postrouting "{ type nat hook postrouting priority 100; counter;}"
        nft add chain ip filter blacklisted
        # Elements are added from the packet path ("set add" above) and expire after 60 minutes;
        # newer nftables releases additionally require "flags dynamic" for such a set
        nft add set ip filter blackhole "{ type ipv4_addr; flags timeout; timeout 60m; gc-interval 1m; size 1000; }"
        SetInboundV4
        SetOutboundV4
        SetForwardV4
        SetBlacklist "4"
    fi
fi

if [ -z "$1" ] || [ "$1" == "6" ]; then
    GetNetw 6
    if [ $? -eq 0 ]; then
        ipv6_netw="{ $ipv6_lan, $ipv6_vpn, fd00::/16, fe80::/16 }"
        nft add table ip6 filter
        nft add chain ip6 filter raw         "{ type filter hook prerouting priority -300; counter;}"
        nft add chain ip6 filter prerouting  "{ type nat hook prerouting priority -100; counter;}"
        nft add chain ip6 filter input       "{ type filter hook input priority 0; counter;}"
        nft add chain ip6 filter output      "{ type filter hook output priority 0; counter;}"
        nft add chain ip6 filter forward     "{ type filter hook forward priority 0; counter;}"
        nft add chain ip6 filter postrouting "{ type nat hook postrouting priority 100; counter;}"
        nft add chain ip6 filter blacklisted
        nft add set ip6 filter blackhole "{ type ipv6_addr; flags timeout; timeout 60m; gc-interval 1m; size 1000; }"
        SetInboundV6
        SetOutboundV6
        SetForwardV6
        SetBlacklist "6"
    fi
fi

#-----------------------------------------------------------------------------------------------------------------
echo "netfilter successfully activated after $(($(date +%s)-tStart)) seconds" | systemd-cat -t "thlu:$(basename $0)" -p "info"
exit 0

#-----------------------------------------------------------------------------------------------------------------
# Test mode (unreachable unless the "exit 0" above is commented out): keep the rules for 180 seconds, then flush them
echo "Packet filter is active!"
sleep 2
$0 list
read -t 180 -p "Packet filter active for 180 seconds. Press ENTER to end or wait..."
$0 flush
$0 list
exit 0
#=================================================================================================================
#EOF

# ==== security/usr/local/bin/netfilter.mobile ====
#!/bin/bash
#=================================================================================================================
# Description:  Netfilter IPv4+6 for mobile PCs when connecting to unknown access points
# Version:      2.0
# Date:         11.12.2019
# Written by:   TomL*thlu.de
# Licence:      GNU General Public License 3
# Usage:        netfilter              Set Netfilter IPv4/IPv6 via the inet family
#               netfilter flush        Flush Netfilter
#               netfilter list         List all rules
#=================================================================================================================

PATH=/sbin:/usr/sbin:/bin:/usr/bin:$PATH

[ "$1" == "flush" ] && nft flush ruleset && exit 0
[ "$1" == "list" ] && nft list ruleset && exit 0

modprobe nf_conntrack
sysctl -w net.netfilter.nf_conntrack_helper=1 >/dev/null

#-----------------------------------------------------------------------------------------------------------------
nft flush ruleset
nft add table inet filter
nft add chain inet filter raw     "{ type filter hook prerouting priority -300; counter; }"
nft add chain inet filter forward "{ type filter hook forward priority 0; policy drop; counter; }"
nft add chain inet filter input   "{ type filter hook input priority 0; policy drop; counter; }"
nft add chain inet filter output  "{ type filter hook output priority 0; policy drop; counter; }"

# Prerouting hook: these rules see packets arriving at this host whose destination lies in the home site's
# ranges (2000::/3 is the whole global IPv6 unicast range). Caveat: at priority -300 conntrack (priority -200)
# has not run yet, so "ct state new" cannot match here; such a match only works in a chain at a later priority.
nft add rule inet filter raw meta l4proto tcp ct state new ip daddr == 10.0.0.0/16 drop
nft add rule inet filter raw meta l4proto tcp ct state new ip6 daddr == { fd00:10:0::/48, 2000::/3, fe80::/16 } drop

nft add rule inet filter forward ct state related,established accept
nft add rule inet filter forward counter drop
nft add rule inet filter input ct state invalid counter drop
nft add rule inet filter input iifname lo accept
nft
add rule inet filter input ct state established,related accept nft add rule inet filter input counter reject nft add rule inet filter output ct state established,related accept nft add rule inet filter output ip protocol icmp accept nft add rule inet filter output tcp dport 53 accept # DNS lookup nft add rule inet filter output udp dport 53 accept # DNS lookup nft add rule inet filter output tcp dport 80 accept # HTTP nft add rule inet filter output tcp dport 443 accept # HTTPS,OpenVPN (443->Router >>> VPNServer->63002) nft add rule inet filter output udp dport 55553 accept # OpenVPN nft add rule inet filter output counter reject exit 0 #================================================================================================================= #EOFsecurity/usr/local/bin/ReadMe0000644000175000017500000000751613552065566016056 0ustar thomasthomas# Einrichten der Bash-Programm-Scripte: # # /usr/local/bin/is-new-isp-prefix Prüft auf neuen IPv6-Prefix, also nur für Dualstack- oder DS-Lite-Anschlüsse relevant # /usr/local/bin/netfilter.server Paketfilter für den Server im LAN # /usr/local/bin/netfilter.client PF für Client-PCs im LAN # /usr/local/bin/netfilter.mobile PF für mobile PC mit wechselnden Accesspoints # /usr/local/bin/netfilter.vm PF für VirtualMachines ohne Zugang zu LAN-Ressourcen #========================================================================================================================================== 1. Für Debian Stretch empfehle ich den Install der aktuelleren nftables-Version aus den Backports sources-list: deb http://ftp.debian.org/debian/ stretch-backports main contrib non-free Terminal: apt install -t stretch-backports nftables 2. Paketfilter einrichten # Filterscript auswählen und einrichten, z.B. 
mv /usr/local/bin/netfilter.client /usr/local/bin/netfilter chown root:root /usr/local/bin/netfilter chmod 755 /usr/local/bin/netfilter # Script starten und kontrollieren netfilter list # anzeige der gesetzten regeln: ist leer netfilter oder netfilter { 4 | 6 } # netfilter starten netfilter list # regeln vorhanden netfilter flush # alle Regeln löschen netfilter list # ist wieder leer # Achtung: # Der Paketfilter wird letztlich durch die Service-Unit gestartet, deswegen ist hier # flush die letzte Aktion 3. netfilter-reject-ip Achtung: Die Beispieldatei enthält ungültige IP-Adressen mit Segmenten > 255. Bitte entfernen und entweder durch gültige ersetzen oder leer lassen!!! 4. Prüfen auf neuen ISP-Prefix nach Zwangstrennung # Bei einem reinen IPv4-DSL-Anschluss hat is-new-isp-prefix keine Verwendung, ansonsten chown root:root /usr/local/bin/is-new-isp-prefix chmod 755 /usr/local/bin/is-new-isp-prefix # Im aktuellen Bespiel sendet mir is-new-isp-prefix eine Email mit dem aktuellen # Prefix zu, wenn das Script einen neuen ISP-Prefix festgestellt hat. Mit dieser Angabe # und dem nur mir bekannten 2 Teil der IPv6-Adresse, der MAC des Servers, kann ich # manuell und unabhängig von einem DynDNS-Dienst meinen Server erreichen.... so ist # das zumindest für die Zukunft geplant. # Wenn eine Mail mit dem Inhalt des neuen ISP-Prefix gesendet werden soll, müssen die 2 # folgenden Variablen gesetzt werden. Wenn die Mailfunktion genutzt werden soll, muss # natürlich ein Mailserver installiert sein, wie zum Beispiel postfix, exim oder die # kleine und effektive Alternative msmtp. Das Script arbeitet derzeit mit einem passenden # sendmail-Statement für Postfix. Wird ein anderer Mailserver verwendet, muss das Statement # ggf. entsprechend angepasst werden. mailfrom="" mailto="" # z.B.: mailfrom="server@toml.de" mailto="thomas@toml.de" # Der folgende Crontab-Eintrag im root-Crontab startet das Script immer 5 Minuten vor der # vollen Stunde. 
Das hängt damit zusammen, dass hier zur vollen Stunde unterschiedliche Jobs # starten, die natürlich nicht durch alte Paketfilter-Einstellungen geblockt werden sollen. 55 * * * * /usr/local/bin/is-new-isp-prefix # Andere Anforderungen können anderen Zeiten erfordern. Ein ungültiger Prefix führt schlimmstenfalls # dazu, dass bis zur Aktualisierung durch is-new-isp-prefix gewisse Services nicht mehr via IPv6 # erreichbar sind. In einem Dualstack-Netz ist das unkritisch, bei einem DS-Lite-Netz würde ich einen # kürzeren Zyklus wählen... z.B. alle 5 Minuten. security/usr/local/bin/netfilter.vm0000644000175000017500000001152613676337426017336 0ustar thomasthomas#!/bin/bash #================================================================================================================= # Description: Netfilter for a dubious-surfing-VM, to prevent access to home-network and local web-ressources # Version: 2.0.1 # Date: 23.06.2020 # Written by: TomL*thlu.de # Licence: GNU General Public License 3 # Usage: netfilter Set Netfilter IPv4/6 # netfilter flush Flush Netfilter # netfilter list List all rules #================================================================================================================= PATH=/sbin:/usr/sbin:/bin:/usr/bin:$PATH [ "$1" == "flush" ] && nft flush ruleset && echo "netfilter flushed!" | systemd-cat -t "thlu:$(basename $0)" -p "warning" [ "$1" == "list" ] && nft -nn list ruleset [ -n "$1" ] && exit 0 echo "netfilter started!" 
| systemd-cat -t "thlu:$(basename $0)" -p "info" modprobe nf_conntrack sysctl -w net.netfilter.nf_conntrack_helper=1 >/dev/null ipv4="" ipv6="" ipv4_lan="127.0.0.0/8" ipv6_lan="::1/128" ipv4_netw="" ipv6_netw="" interface="" tStart=$(date +%s) tEnd=$(date +%s) timeout=85 #================================================================================================================= # Determine Network Site-Id's for IPv4+6 with waitstates (slaac may take some time) GetNetw() { tTmp=$(date +%s) NetwStack=$1 ip="" while [ $timeout -gt 0 ]; do interface=$(ip route 2>/dev/null | grep default -m 1 | awk -F ' ' '{ print $5 }') if [ -n "$interface" ]; then ip=$(ip -$NetwStack -o addr show $interface | grep -v "deprecated\|^fd00" | grep "scope global" -m 1 | cut -d\ -f 7 | cut -d/ -f 1) [ -n "$ip" ] && break fi (( timeout-- )) sleep 1 done tEnd=$(date +%s) if [ -z "$ip" ]; then echo "netfilter check NIC: terminated with error. IPv$NetwStack is not configured after $((tEnd-tTmp)) seconds waiting." | systemd-cat -t "thlu:$(basename $0)" -p "err" return 1 else [ $NetwStack -eq 4 ] && ipv4_lan=$(echo $ip | cut -d'.' 
-f1-3)".0/24" && ipv4=$ip [ $NetwStack -eq 6 ] && ipv6_lan=$(echo $ip | cut -d':' -f1-4)"::/64" && ipv6=$ip echo "netfilter check NIC: $((tEnd-tTmp)) seconds waiting until IPv$NetwStack on $interface is configured" | systemd-cat -t "thlu:$(basename $0)" -p "info" fi return 0 } #================================================================================================================= GetNetw 4 GetNetw 6 ipv4_netw="{ $ipv4_lan }" ipv6_netw="{ $ipv6_lan, fd00::/16, fe80::/16 }" #----------------------------------------------------------------------------------------------------------------- nft flush ruleset nft add table inet filter nft add chain inet filter input "{ type filter hook input priority 0; policy drop; counter; }" nft add chain inet filter output "{ type filter hook output priority 0; policy drop; counter; }" nft add chain inet filter forward "{ type filter hook forward priority 0; policy drop; counter; }" nft add rule inet filter input iifname lo accept nft add rule inet filter input ct state invalid counter drop nft add rule inet filter input icmp type echo-request limit rate over 10/minute counter reject with icmp type host-unreachable nft add rule inet filter input icmpv6 type echo-request limit rate over 10/minute counter reject with icmpv6 type addr-unreachable nft add rule inet filter input ip protocol icmp ip saddr == $ipv4_netw accept nft add rule inet filter input meta l4proto ipv6-icmp ip6 daddr == $ipv6_netw accept nft add rule inet filter input pkttype { broadcast, multicast } accept nft add rule inet filter input ct state established,related accept nft add rule inet filter input counter reject with icmp type host-unreachable nft add rule inet filter output ct state established,related accept nft add rule inet filter output pkttype { broadcast, multicast } accept nft add rule inet filter output ip protocol icmp ip daddr != $ipv4_netw accept nft add rule inet filter output meta l4proto ipv6-icmp ip6 daddr != $ipv6_netw accept nft add 
rule inet filter output tcp dport 53 accept nft add rule inet filter output udp dport 53 accept nft add rule inet filter output tcp dport { 80, 443 } ip daddr != $ipv4_netw accept nft add rule inet filter output tcp dport { 80, 443 } ip6 daddr != $ipv6_netw accept nft add rule inet filter output counter reject with icmp type admin-prohibited nft add rule inet filter forward ct state related,established accept nft add rule inet filter forward counter drop echo "netfilter successfully activated after $(($(date +%s)-tStart)) seconds" | systemd-cat -t "thlu:$(basename $0)" -p "info" exit 0 #================================================================================================================= #EOF
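The SetBlacklist loop at the top of this page feeds every line of the blacklist file straight into an nft rule, and item 3 of the /usr/local/bin ReadMe warns that the shipped example file contains addresses with segments greater than 255. The following is an added example, not code from the scripts above: two pure-bash validators for IPv4 and IPv6 entries (with optional prefix length) and a filter that prints only the syntactically valid lines, so a malformed entry is logged and skipped instead of producing an nft syntax error. The sample file is constructed here; its contents and the temp-file path are not from the page.

```bash
#!/bin/bash
# Added example (not part of the original scripts): validate blacklist entries before they
# are handed to nft, so one malformed line (like the octet > 255 the ReadMe warns about)
# does not abort the loop or produce an nft syntax error.

# IPv4 address with optional /prefix: four octets 0-255, prefix length 0-32.
is_ipv4() {
  local addr=$1 plen n
  local -a octets
  local re='^([0-9]{1,3}\.){3}[0-9]{1,3}$'
  if [[ $addr == */* ]]; then
    plen=${addr#*/}; addr=${addr%/*}
    [[ $plen =~ ^[0-9]{1,2}$ ]] && (( 10#$plen <= 32 )) || return 1
  fi
  [[ $addr =~ $re ]] || return 1
  IFS='.' read -r -a octets <<< "$addr"
  for n in "${octets[@]}"; do (( 10#$n <= 255 )) || return 1; done
  return 0
}

# IPv6 address with optional /prefix: hex groups of 1-4 digits, at most one '::',
# eight groups in total. Embedded IPv4 notation (::ffff:a.b.c.d) is not accepted.
is_ipv6() {
  local addr=$1 plen half g groups=0 has_dbl=0 left right=""
  local -a parts
  local hex='^[0-9A-Fa-f]{1,4}$'
  if [[ $addr == */* ]]; then
    plen=${addr#*/}; addr=${addr%/*}
    [[ $plen =~ ^[0-9]{1,3}$ ]] && (( 10#$plen <= 128 )) || return 1
  fi
  [[ $addr =~ ^[0-9A-Fa-f:]+$ ]] || return 1
  [[ $addr == *:::* ]] && return 1
  [[ $addr =~ ^:[^:] || $addr =~ [^:]:$ ]] && return 1   # lone leading/trailing ':'
  left=$addr
  if [[ $addr == *::* ]]; then
    has_dbl=1
    left=${addr%%::*}
    right=${addr#*::}
    [[ $right == *::* ]] && return 1                      # a second '::' is invalid
  fi
  for half in "$left" "$right"; do
    [[ -n $half ]] || continue
    IFS=':' read -r -a parts <<< "$half"
    for g in "${parts[@]}"; do
      [[ $g =~ $hex ]] || return 1
      groups=$(( groups + 1 ))
    done
  done
  if (( has_dbl )); then (( groups <= 7 )); else (( groups == 8 )); fi
}

# Print only the valid entries of a blacklist file (blank lines and '#' comments are
# ignored, a missing final newline is tolerated). Returns 1 if anything was skipped.
filter_blacklist() {
  local file=$1 line entry bad=0
  while IFS= read -r line || [[ -n $line ]]; do
    entry=${line%%#*}                  # strip trailing comment
    entry=${entry//[[:space:]]/}       # and all whitespace
    [[ -z $entry ]] && continue
    if is_ipv4 "$entry" || is_ipv6 "$entry"; then
      printf '%s\n' "$entry"
    else
      printf 'netfilter blacklist: skipping invalid entry "%s"\n' "$entry" >&2
      bad=1
    fi
  done < "$file"
  return $bad
}

# Constructed sample standing in for the netfilter-reject-ip file (path is a temp file here).
sample=$(mktemp)
cat > "$sample" <<'EOF'
# constructed example blacklist
192.0.2.10
198.51.100.0/24
203.0.113.999        # invalid: octet > 255
2001:db8::1
2001:db8:::1         # invalid: three colons
EOF
if valid=$(filter_blacklist "$sample"); then
  echo "all entries valid"
else
  echo "some entries were skipped" >&2
fi
printf 'entries that would be loaded:\n%s\n' "$valid"
rm -f "$sample"
```

Each printed entry can then be passed to the same `nft add rule ... saddr $ip counter goto blacklisted` command the page's loop uses, with the IPv4/IPv6 split decided by `is_ipv4`/`is_ipv6` rather than by looking for a colon. Running the filter once before `nft flush ruleset` also means a bad file is noticed while the old ruleset is still active.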
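GetNetw in netfilter.vm derives the IPv6 site prefix with `cut -d':' -f1-4` and appends `::/64`, which only works while the first four hextets are written out; a compressed address such as `2001:db8::1:2:3:4` would become the invalid `2001:db8::1::/64`. Item 4 of the ReadMe describes is-new-isp-prefix comparing the current prefix against a stored value. The following is an added example, not the project's own code: it expands any textual IPv6 address to eight hextets, takes the /64 from that, and records a prefix change in a state file. The sample addresses are constructed, the state-file path is a temp file, and `current_global_ipv6` is an assumed helper that mirrors the page's iproute2 query but is not exercised here.

```bash
#!/bin/bash
# Added example (not part of the original scripts): derive the /64 prefix of a global IPv6
# address without assuming an uncompressed notation, and detect a prefix change.

# Expand an IPv6 address (an optional /len is dropped) to eight zero-padded lower-case
# hextets. Embedded IPv4 notation (::ffff:a.b.c.d) is not handled. Returns 1 on bad input.
expand_ipv6() {
  local addr=${1%%/*} left right missing i g out=""
  local -a l=() r=() all=()
  [[ $addr =~ ^[0-9A-Fa-f:]+$ && $addr != *:::* ]] || return 1
  [[ $addr =~ ^:[^:] || $addr =~ [^:]:$ ]] && return 1   # lone leading/trailing ':'
  if [[ $addr == *::* ]]; then
    left=${addr%%::*}; right=${addr#*::}
    [[ $right == *::* ]] && return 1                      # a second '::' is invalid
  else
    left=$addr; right=""
  fi
  IFS=':' read -r -a l <<< "$left"
  IFS=':' read -r -a r <<< "$right"
  if [[ $addr == *::* ]]; then
    missing=$(( 8 - ${#l[@]} - ${#r[@]} ))
    (( missing >= 1 )) || return 1                        # '::' stands for >= 1 group
    for (( i = 0; i < missing; i++ )); do l+=( 0 ); done
  fi
  all=( "${l[@]}" "${r[@]}" )
  (( ${#all[@]} == 8 )) || return 1
  for g in "${all[@]}"; do
    [[ $g =~ ^[0-9A-Fa-f]{1,4}$ ]] || return 1
    out+=$(printf '%04x:' "0x$g")
  done
  printf '%s\n' "${out%:}"
}

# /64 prefix of the address, in a form nft and ip accept.
ipv6_prefix64() {
  local exp
  local -a g
  exp=$(expand_ipv6 "$1") || return 1
  IFS=':' read -r -a g <<< "$exp"
  printf '%s:%s:%s:%s::/64\n' "${g[0]}" "${g[1]}" "${g[2]}" "${g[3]}"
}

# Compare the current prefix with the one recorded at the last run and record the new value.
# Returns 0 when it changed (or on the first run), 1 when unchanged. State path is an assumption.
prefix_changed() {
  local current=$1 state=$2 previous=""
  [[ -r $state ]] && previous=$(<"$state")
  [[ $current == "$previous" ]] && return 1
  printf '%s\n' "$current" > "$state"
  return 0
}

# Assumed helper: first non-deprecated global address on the default-route interface,
# the same iproute2 query GetNetw uses. Needs a live interface, so it is not run below.
current_global_ipv6() {
  local iface
  iface=$(ip -6 route show default 2>/dev/null | awk '/default/ { print $5; exit }')
  [[ -n $iface ]] || return 1
  ip -6 -o addr show dev "$iface" scope global | awk '!/deprecated/ { print $4; exit }' | cut -d/ -f1
}

# Constructed demonstration: the first two addresses share a /64, the third does not.
state=$(mktemp)
for a in 2001:db8::1:2:3:4 2001:db8:0:0:5:6:7:8 2001:db8:1:2:abcd:ef01:2345:6789; do
  p=$(ipv6_prefix64 "$a") || { echo "invalid address: $a" >&2; continue; }
  if prefix_changed "$p" "$state"; then
    echo "$a -> $p (new prefix recorded)"
  else
    echo "$a -> $p (unchanged)"
  fi
done
rm -f "$state"
```

In a cron-driven check like the one the ReadMe describes, `prefix_changed "$(ipv6_prefix64 "$(current_global_ipv6)")" /path/to/state` (path assumed) is the condition under which the ruleset is regenerated or the notification mail is sent; the expanded, lower-case form also makes the string comparison independent of how the kernel happens to print the address.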