On 10/25/22 02:27, Gary wrote:
Looking at things geometrically is a nice idea. It brings home to me the fact that there is a lot of ip-space out there that I should just exclude.
Martians. You should exclude martians. Here's a starter set:
IPTABLES="$(which iptables) --wait "
IP6TABLES="$(which ip6tables) --wait "
# Log and filter martians/bogons (BCP 38) (TODO: improve efficiency with
# hash:ip ipsets ?)
# Each source prefix gets a rate-limited LOG rule followed by a DROP rule.
$IPTABLES -A INPUT -s 10.0.0.0/8 -m limit --limit 10/minute -j LOG --log-prefix 'FW_DROP_MARTIAN ' --log-level 4 -m comment --comment 'martian PRIV RFC 1918'
$IPTABLES -A INPUT -s 10.0.0.0/8 -j DROP -m comment --comment 'martian PRIV RFC 1918'
# 192.168.0.0/16 is the whole RFC 1918 block
$IPTABLES -A INPUT -s 192.168.0.0/16 -m limit --limit 10/minute -j LOG --log-prefix 'FW_DROP_MARTIAN ' --log-level 4 -m comment --comment 'martian PRIV RFC 1918'
$IPTABLES -A INPUT -s 192.168.0.0/16 -j DROP -m comment --comment 'martian PRIV RFC 1918'
$IPTABLES -A INPUT -s 127.0.0.0/8 -m limit --limit 10/minute -j LOG --log-prefix 'FW_DROP_MARTIAN ' --log-level 4 -m comment --comment 'martian LOOPBACK'
$IPTABLES -A INPUT -s 127.0.0.0/8 -j DROP -m comment --comment 'martian LOOPBACK'
$IPTABLES -A INPUT -s 192.0.2.0/24 -m limit --limit 10/minute -j LOG --log-prefix 'FW_DROP_MARTIAN ' --log-level 4 -m comment --comment 'martian TESTNET RFC5737'
$IPTABLES -A INPUT -s 192.0.2.0/24 -j DROP -m comment --comment 'martian TESTNET RFC5737'
$IPTABLES -A INPUT -s 192.31.196.0/24 -m limit --limit 10/minute -j LOG --log-prefix 'FW_DROP_MARTIAN ' --log-level 4 -m comment --comment 'martian AS112 Blackhole'
$IPTABLES -A INPUT -s 192.31.196.0/24 -j DROP -m comment --comment 'martian AS112 Blackhole'
$IPTABLES -A INPUT -s 198.18.0.0/15 -m limit --limit 10/minute -j LOG --log-prefix 'FW_DROP_MARTIAN ' --log-level 4 -m comment --comment 'martian NETBENCH RFC2544'
$IPTABLES -A INPUT -s 198.18.0.0/15 -j DROP -m comment --comment 'martian NETBENCH RFC2544'
$IPTABLES -A INPUT -s 198.51.100.0/24 -m limit --limit 10/minute -j LOG --log-prefix 'FW_DROP_MARTIAN ' --log-level 4 -m comment --comment 'martian TESTNET RFC5737'
$IPTABLES -A INPUT -s 198.51.100.0/24 -j DROP -m comment --comment 'martian TESTNET RFC5737'
$IPTABLES -A INPUT -s 203.0.113.0/24 -m limit --limit 10/minute -j LOG --log-prefix 'FW_DROP_MARTIAN ' --log-level 4 -m comment --comment 'martian TESTNET RFC5737'
$IPTABLES -A INPUT -s 203.0.113.0/24 -j DROP -m comment --comment 'martian TESTNET RFC5737'
$IPTABLES -A INPUT -s 233.252.0.0/24 -m limit --limit 10/minute -j LOG --log-prefix 'FW_DROP_MARTIAN ' --log-level 4 -m comment --comment 'martian MCAST-TEST-NET RFC5771'
$IPTABLES -A INPUT -s 233.252.0.0/24 -j DROP -m comment --comment 'martian MCAST-TEST-NET RFC5771'
$IPTABLES -A INPUT -s 255.255.255.255/32 -m limit --limit 10/minute -j LOG --log-prefix 'FW_DROP_MARTIAN ' --log-level 4 -m comment --comment 'martian LTD BCAST RFC 919'
$IPTABLES -A INPUT -s 255.255.255.255/32 -j DROP -m comment --comment 'martian LTD BCAST RFC 919'
# IPv6 Martians list 2019-05-12 courtesy Job Snijders via
# "whois -h whois.ripe.net fltr-martian-v6"
$IP6TABLES -A INPUT -s 0000::/8 -m limit --limit 10/minute -j LOG --log-prefix 'FW_DROP_MARTIAN ' --log-level 4 -m comment --comment 'martian loopback, unspecified, v4-mapped'
$IP6TABLES -A INPUT -s 0000::/8 -j DROP -m comment --comment 'martian loopback, unspecified, v4-mapped'
$IP6TABLES -A INPUT -s 0064:ff9b::/96 -m limit --limit 10/minute -j LOG --log-prefix 'FW_DROP_MARTIAN ' --log-level 4 -m comment --comment 'martian IPv4-IPv6 Translat. [RFC6052]'
$IP6TABLES -A INPUT -s 0064:ff9b::/96 -j DROP -m comment --comment 'martian IPv4-IPv6 Translat. [RFC6052]'
$IP6TABLES -A INPUT -s 0100::/8 -m limit --limit 10/minute -j LOG --log-prefix 'FW_DROP_MARTIAN ' --log-level 4 -m comment --comment 'martian reserved for Discard-Only Address Block [RFC6666]'
$IP6TABLES -A INPUT -s 0100::/8 -j DROP -m comment --comment 'martian reserved for Discard-Only Address Block [RFC6666]'
$IP6TABLES -A INPUT -s 0200::/7 -m limit --limit 10/minute -j LOG --log-prefix 'FW_DROP_MARTIAN ' --log-level 4 -m comment --comment 'martian Reserved by IETF [RFC4048]'
$IP6TABLES -A INPUT -s 0200::/7 -j DROP -m comment --comment 'martian Reserved by IETF [RFC4048]'
$IP6TABLES -A INPUT -s 0400::/6 -m limit --limit 10/minute -j LOG --log-prefix 'FW_DROP_MARTIAN ' --log-level 4 -m comment --comment 'martian Reserved by IETF [RFC4291]'
$IP6TABLES -A INPUT -s 0400::/6 -j DROP -m comment --comment 'martian Reserved by IETF [RFC4291]'
$IP6TABLES -A INPUT -s 0800::/5 -m limit --limit 10/minute -j LOG --log-prefix 'FW_DROP_MARTIAN ' --log-level 4 -m comment --comment 'martian Reserved by IETF [RFC4291]'
$IP6TABLES -A INPUT -s 0800::/5 -j DROP -m comment --comment 'martian Reserved by IETF [RFC4291]'
$IP6TABLES -A INPUT -s 1000::/4 -m limit --limit 10/minute -j LOG --log-prefix 'FW_DROP_MARTIAN ' --log-level 4 -m comment --comment 'martian Reserved by IETF [RFC4291]'
$IP6TABLES -A INPUT -s 1000::/4 -j DROP -m comment --comment 'martian Reserved by IETF [RFC4291]'
$IP6TABLES -A INPUT -s 2001::/32 -m limit --limit 10/minute -j LOG --log-prefix 'FW_DROP_MARTIAN ' --log-level 4 -m comment --comment 'martian Teredo prefix [RFC4380]'
$IP6TABLES -A INPUT -s 2001::/32 -j DROP -m comment --comment 'martian Teredo prefix [RFC4380]'
$IP6TABLES -A INPUT -s 2001:0002::/48 -m limit --limit 10/minute -j LOG --log-prefix 'FW_DROP_MARTIAN ' --log-level 4 -m comment --comment 'martian Benchmarking [RFC5180]'
$IP6TABLES -A INPUT -s 2001:0002::/48 -j DROP -m comment --comment 'martian Benchmarking [RFC5180]'
$IP6TABLES -A INPUT -s 2001:0003::/32 -m limit --limit 10/minute -j LOG --log-prefix 'FW_DROP_MARTIAN ' --log-level 4 -m comment --comment 'martian Automatic Multicast Tunneling [RFC7450]'
$IP6TABLES -A INPUT -s 2001:0003::/32 -j DROP -m comment --comment 'martian Automatic Multicast Tunneling [RFC7450]'
$IP6TABLES -A INPUT -s 2001:10::/28 -m limit --limit 10/minute -j LOG --log-prefix 'FW_DROP_MARTIAN ' --log-level 4 -m comment --comment 'martian Deprecated ORCHID [RFC4843]'
$IP6TABLES -A INPUT -s 2001:10::/28 -j DROP -m comment --comment 'martian Deprecated ORCHID [RFC4843]'
$IP6TABLES -A INPUT -s 2001:20::/28 -m limit --limit 10/minute -j LOG --log-prefix 'FW_DROP_MARTIAN ' --log-level 4 -m comment --comment 'martian ORCHIDv2 [RFC7343]'
$IP6TABLES -A INPUT -s 2001:20::/28 -j DROP -m comment --comment 'martian ORCHIDv2 [RFC7343]'
$IP6TABLES -A INPUT -s 2001:db8::/32 -m limit --limit 10/minute -j LOG --log-prefix 'FW_DROP_MARTIAN ' --log-level 4 -m comment --comment 'martian NON-ROUTABLE range to be used for documentation purpose [RFC3849]'
$IP6TABLES -A INPUT -s 2001:db8::/32 -j DROP -m comment --comment 'martian NON-ROUTABLE range to be used for documentation purpose [RFC3849]'
$IP6TABLES -A INPUT -s 2002::/16 -m limit --limit 10/minute -j LOG --log-prefix 'FW_DROP_MARTIAN ' --log-level 4 -m comment --comment 'martian 6to4 prefix [RFC3068]'
$IP6TABLES -A INPUT -s 2002::/16 -j DROP -m comment --comment 'martian 6to4 prefix [RFC3068]'
$IP6TABLES -A INPUT -s 3ffe::/16 -m limit --limit 10/minute -j LOG --log-prefix 'FW_DROP_MARTIAN ' --log-level 4 -m comment --comment 'martian used for the 6bone but was returned [RFC5156]'
$IP6TABLES -A INPUT -s 3ffe::/16 -j DROP -m comment --comment 'martian used for the 6bone but was returned [RFC5156]'
$IP6TABLES -A INPUT -s 4000::/3 -m limit --limit 10/minute -j LOG --log-prefix 'FW_DROP_MARTIAN ' --log-level 4 -m comment --comment 'martian Reserved by IETF [RFC4291]'
$IP6TABLES -A INPUT -s 4000::/3 -j DROP -m comment --comment 'martian Reserved by IETF [RFC4291]'
$IP6TABLES -A INPUT -s 5f00::/8 -m limit --limit 10/minute -j LOG --log-prefix 'FW_DROP_MARTIAN ' --log-level 4 -m comment --comment 'martian used for the 6bone but was returned [RFC5156]'
$IP6TABLES -A INPUT -s 5f00::/8 -j DROP -m comment --comment 'martian used for the 6bone but was returned [RFC5156]'
$IP6TABLES -A INPUT -s 6000::/3 -m limit --limit 10/minute -j LOG --log-prefix 'FW_DROP_MARTIAN ' --log-level 4 -m comment --comment 'martian Reserved by IETF [RFC4291]'
$IP6TABLES -A INPUT -s 6000::/3 -j DROP -m comment --comment 'martian Reserved by IETF [RFC4291]'
$IP6TABLES -A INPUT -s 8000::/3 -m limit --limit 10/minute -j LOG --log-prefix 'FW_DROP_MARTIAN ' --log-level 4 -m comment --comment 'martian Reserved by IETF [RFC4291]'
$IP6TABLES -A INPUT -s 8000::/3 -j DROP -m comment --comment 'martian Reserved by IETF [RFC4291]'
$IP6TABLES -A INPUT -s a000::/3 -m limit --limit 10/minute -j LOG --log-prefix 'FW_DROP_MARTIAN ' --log-level 4 -m comment --comment 'martian Reserved by IETF [RFC4291]'
$IP6TABLES -A INPUT -s a000::/3 -j DROP -m comment --comment 'martian Reserved by IETF [RFC4291]'
$IP6TABLES -A INPUT -s c000::/3 -m limit --limit 10/minute -j LOG --log-prefix 'FW_DROP_MARTIAN ' --log-level 4 -m comment --comment 'martian Reserved by IETF [RFC4291]'
$IP6TABLES -A INPUT -s c000::/3 -j DROP -m comment --comment 'martian Reserved by IETF [RFC4291]'
$IP6TABLES -A INPUT -s e000::/4 -m limit --limit 10/minute -j LOG --log-prefix 'FW_DROP_MARTIAN ' --log-level 4 -m comment --comment 'martian Reserved by IETF [RFC4291]'
$IP6TABLES -A INPUT -s e000::/4 -j DROP -m comment --comment 'martian Reserved by IETF [RFC4291]'
$IP6TABLES -A INPUT -s f000::/5 -m limit --limit 10/minute -j LOG --log-prefix 'FW_DROP_MARTIAN ' --log-level 4 -m comment --comment 'martian Reserved by IETF [RFC4291]'
$IP6TABLES -A INPUT -s f000::/5 -j DROP -m comment --comment 'martian Reserved by IETF [RFC4291]'
$IP6TABLES -A INPUT -s f800::/6 -m limit --limit 10/minute -j LOG --log-prefix 'FW_DROP_MARTIAN ' --log-level 4 -m comment --comment 'martian Reserved by IETF [RFC4291]'
$IP6TABLES -A INPUT -s f800::/6 -j DROP -m comment --comment 'martian Reserved by IETF [RFC4291]'
$IP6TABLES -A INPUT -s fc00::/7 -m limit --limit 10/minute -j LOG --log-prefix 'FW_DROP_MARTIAN ' --log-level 4 -m comment --comment 'martian Unique Local Unicast [RFC4193]'
$IP6TABLES -A INPUT -s fc00::/7 -j DROP -m comment --comment 'martian Unique Local Unicast [RFC4193]'
$IP6TABLES -A INPUT -s fec0::/10 -m limit --limit 10/minute -j LOG --log-prefix 'FW_DROP_MARTIAN ' --log-level 4 -m comment --comment 'martian Reserved by IETF [RFC3879]'
$IP6TABLES -A INPUT -s fec0::/10 -j DROP -m comment --comment 'martian Reserved by IETF [RFC3879]'
$IP6TABLES -A INPUT -s ff00::/8 -m limit --limit 10/minute -j LOG --log-prefix 'FW_DROP_MARTIAN ' --log-level 4 -m comment --comment 'martian Multicast [RFC4291]'
$IP6TABLES -A INPUT -s ff00::/8 -j DROP -m comment --comment 'martian Multicast [RFC4291]'