From: Peter Müller <peter.mueller@ipfire.org>
Date: Sat, 18 Dec 2021 13:48:17 +0000 (+0100)
Subject: firewall: Log and drop spoofed loopback packets
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=a36cd34eac2d1624720eb86e2f3c6985ae184e20;p=people%2Fmfischer%2Fipfire-2.x.git

firewall: Log and drop spoofed loopback packets

Traffic from and to 127.0.0.0/8 must only appear on the loopback
interface, never on any other interface. This ensures offending packets
are logged, and the loopback interface cannot be abused for processing
traffic from and to any other networks.

Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
---

diff --git a/src/initscripts/system/firewall b/src/initscripts/system/firewall
index cc5baa2924..1c62c6e2cd 100644
--- a/src/initscripts/system/firewall
+++ b/src/initscripts/system/firewall
@@ -80,6 +80,14 @@ iptables_init() {
 	fi
 	iptables -A NEWNOTSYN  -j DROP -m comment --comment "DROP_NEWNOTSYN"
 
+	# Log and subsequently drop spoofed packets or "martians", arriving from sources
+	# on interfaces where we don't expect them
+	iptables -N SPOOFED_MARTIAN
+	if [ "$DROPSPOOFEDMARTIAN" == "on" ]; then
+		iptables -A SPOOFED_MARTIAN  -m limit --limit 10/second -j LOG  --log-prefix "DROP_SPOOFED_MARTIAN "
+	fi
+	iptables -A SPOOFED_MARTIAN -j DROP -m comment --comment "DROP_SPOOFED_MARTIAN"
+
 	# Chain to contain all the rules relating to bad TCP flags
 	iptables -N BADTCP
 
@@ -177,14 +185,18 @@ iptables_init() {
 	iptables -A INPUT -j ICMPINPUT
 	iptables -A ICMPINPUT -p icmp --icmp-type 8 -j ACCEPT
 
-	# Accept everything on loopback
+	# Accept everything on loopback if source/destination is loopback space...
 	iptables -N LOOPBACK
-	iptables -A LOOPBACK -i lo -j ACCEPT
-	iptables -A LOOPBACK -o lo -j ACCEPT
+	iptables -A LOOPBACK -i lo -s 127.0.0.0/8 -j ACCEPT
+	iptables -A LOOPBACK -o lo -d 127.0.0.0/8 -j ACCEPT
+
+	# ... and drop everything else on the loopback interface, since no other traffic should appear there
+	iptables -A LOOPBACK -i lo -j SPOOFED_MARTIAN
+	iptables -A LOOPBACK -o lo -j SPOOFED_MARTIAN
 
-	# Filter all packets with loopback addresses on non-loopback interfaces.
-	iptables -A LOOPBACK -s 127.0.0.0/8 -j DROP
-	iptables -A LOOPBACK -d 127.0.0.0/8 -j DROP
+	# Filter all packets with loopback addresses on non-loopback interfaces (spoofed)
+	iptables -A LOOPBACK -s 127.0.0.0/8 -j SPOOFED_MARTIAN
+	iptables -A LOOPBACK -d 127.0.0.0/8 -j SPOOFED_MARTIAN
 
 	for i in INPUT FORWARD OUTPUT; do
 		iptables -A ${i} -j LOOPBACK