firewall: Introduce DROP_HOSTILE

Similar to the Location block, this chain logs and drops all traffic
from and to networks known to pose technical threats to IPFire users.

Doing so in a dedicated chain makes sense for transparency reasons, as
we won't interfer with other firewall rules or the Location block, so it
is always clear why a packet from or to such a network has been dropped.

Signed-off-by: Peter Müller <peter.mueller@ipfire.org>

diff --git a/src/initscripts/system/firewall b/src/initscripts/system/firewall
index 9e62c0245cd6b8965c94a5e8832f9b7b4cdae850..ebc8168ae7e219c6dea70bbf1e04001f4153fb5d 100644 (file)
--- a/src/initscripts/system/firewall
+++ b/src/initscripts/system/firewall
@@ -139,6 +139,20 @@ iptables_init() {
        iptables -t nat -N CUSTOMPOSTROUTING
        iptables -t nat -A POSTROUTING -j CUSTOMPOSTROUTING
 
+       # Log and drop any traffic from and to networks known as being hostile, posing
+       # a technical threat to our users (i. e. listed at Spamhaus DROP et al.)
+       if [ "$DROPHOSTILE" == "on" ]; then
+               iptables -N DROP_HOSTILE
+               iptables -A DROP_HOSTILE  -m limit --limit 10/second -j LOG  --log-prefix "DROP_HOSTILE "
+
+               iptables -A INPUT   -i $IFACE -m geoip --src-cc XD -j DROP_HOSTILE
+               iptables -A FORWARD -i $IFACE -m geoip --src-cc XD -j DROP_HOSTILE
+               iptables -A FORWARD -o $IFACE -m geoip --dst-cc XD -j DROP_HOSTILE
+               iptables -A OUTPUT  -o $IFACE -m geoip --src-cc XD -j DROP_HOSTILE
+
+               iptables -A DROP_HOSTILE -j DROP -m comment --comment "DROP_HOSTILE"
+       fi
+
        # P2PBLOCK
        iptables -N P2PBLOCK
        iptables -A INPUT -j P2PBLOCK