From 8e94cdcd3b96776cd9954b14e978a560e22613da Mon Sep 17 00:00:00 2001
From: Christoph
Date: Tue, 9 Jul 2019 20:17:53 +0200
Subject: [PATCH] Add support or blocking UPnP traffic (in and out).
---
conf/logging_ipv4.conf | 4 +++-
conf/logging_ipv6.conf | 3 ++-
conf/main_ipv4.conf.sample | 18 ++++++++++++++++
conf/main_ipv6.conf.sample | 18 ++++++++++++++++
ip6t-firewall-gateway | 43 ++++++++++++++++++++++++++++++++++++++
ipt-firewall-gateway | 42 +++++++++++++++++++++++++++++++++++++
6 files changed, 126 insertions(+), 2 deletions(-)
diff --git a/conf/logging_ipv4.conf b/conf/logging_ipv4.conf
index 8867def..3971545 100644
--- a/conf/logging_ipv4.conf
+++ b/conf/logging_ipv4.conf
@@ -27,7 +27,9 @@ log_spoofed=false
 log_spoofed_out=false
 log_to_lo=false
 log_not_wanted=false
-log_blocked=false
+log_blocked_ip=false
+log_blocked_if=false
+log_upnp=false
 log_unprotected=false
 log_prohibited=false
 log_voip=false
diff --git a/conf/logging_ipv6.conf b/conf/logging_ipv6.conf
index 5c04e42..a3267ed 100644
--- a/conf/logging_ipv6.conf
+++ b/conf/logging_ipv6.conf
@@ -27,7 +27,8 @@ log_spoofed=false
 log_spoofed_out=false
 log_to_lo=false
 log_not_wanted=false
-log_blocked=false
+log_blocked_ip=false
+log_blocked_if=false
 log_unprotected=false
 log_prohibited=false
 log_voip=false
diff --git a/conf/main_ipv4.conf.sample b/conf/main_ipv4.conf.sample
index 1be7990..84a975a 100644
--- a/conf/main_ipv4.conf.sample
+++ b/conf/main_ipv4.conf.sample
@@ -29,6 +29,24 @@ blocked_ifs=""
+# =============
+# --- Block UPnP Ports
+# =============
+
+# - block_upnp_traffic_in
+# -
+# - Block UPnP traffic (extern) in
+#
+block_upnp_traffic_in=true
+
+# - block_upnp_traffic_out
+# -
+# - Block UPnP traffic (extern) out
+#
+block_upnp_traffic_out=true
+
+
+
 # =============
 # --- Interfaces not firewalled
 # =============
diff --git a/conf/main_ipv6.conf.sample b/conf/main_ipv6.conf.sample
index f67565b..4c425e1 100644
--- a/conf/main_ipv6.conf.sample
+++ b/conf/main_ipv6.conf.sample
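Review bot: Renaming `log_blocked` to `log_blocked_ip` and `log_blocked_if` changes the config key with no fallback visible anywhere in this commit, so an existing logging_ipv4.conf (and logging_ipv6.conf, same hunk below) that still carries `log_blocked=false` leaves both new variables unset. If the gateway scripts test them as bare `$log_blocked_ip` the way the new code tests `$log_upnp`, an unset value expands to an empty command, which bash treats as success, so the rename would presumably switch that logging on rather than off. Either give the old key a documented alias where the config is sourced, e.g. `log_blocked_ip=${log_blocked_ip:-${log_blocked:-false}}` and likewise for `log_blocked_if`, or call the rename out in the commit message so operators update their configs.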
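Review bot: This hunk does not add `log_upnp`, although ip6t-firewall-gateway in the same commit tests `if $log_upnp || $log_all` for every UPnP LOG rule; only logging_ipv4.conf gets the new key. Unless `log_upnp` is defined somewhere not shown, it is unset on the IPv6 side, the first command of that `||` list expands to nothing and bash evaluates it as true, so UPnP hits on the external interfaces are logged unconditionally regardless of the configured value (under `set -u` it would abort instead). Add `+log_upnp=false` after `log_blocked_if=false` to match the IPv4 file.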
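Review bot: The new sample keys describe themselves as blocking "UPnP traffic", but the rules they enable in ip6t-firewall-gateway and ipt-firewall-gateway match only `-p udp --dport 1900`, i.e. SSDP discovery; UPnP control and eventing, which run over HTTP on whatever TCP ports the devices advertise, are not affected. An operator reading the sample should not conclude that enabling these keys blocks UPnP as a whole, so the comment block should say what is actually matched, e.g. `# - Drops SSDP discovery (udp/1900) on the external interfaces` and `# - UPnP control traffic over HTTP is not covered`. The same wording applies to the identical main_ipv6.conf.sample hunk.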
@@ -29,6 +29,24 @@ blocked_ifs=""
+# =============
+# --- Block UPnP Ports
+# =============
+
+# - block_upnp_traffic_in
+# -
+# - Block UPnP traffic (extern) in
+#
+block_upnp_traffic_in=true
+
+# - block_upnp_traffic_out
+# -
+# - Block UPnP traffic (extern) out
+#
+block_upnp_traffic_out=true
+
+
+
 # =============
 # --- Interfaces not firewalled
 # =============
diff --git a/ip6t-firewall-gateway b/ip6t-firewall-gateway
index d97575b..6f3a27d 100755
--- a/ip6t-firewall-gateway
+++ b/ip6t-firewall-gateway
@@ -325,6 +325,49 @@ done
 echo_done
 # Block IPs / Networks / Interfaces..
+# ---
+# - Block UPnP Ports
+# ---
+
+echononl "\tBlock UPnP Traffic (extern in).."
+
+if $block_upnp_traffic_in ; then
+ for _dev in ${ext_if_arr[@]} ; do
+ if $log_upnp || $log_all ; then
+ $ip6t -A INPUT -i $_dev -p udp --dport 1900 -j $LOG_TARGET $tag_log_prefix "$log_prefix Block UPnP in ${_if}: "
+ fi
+ $ip6t -A INPUT -i $_dev -p udp --dport 1900 -j DROP
+
+ if $kernel_activate_forwarding ; then
+ $ip6t -A FORWARD -i $_dev -p udp --dport 1900 -j $LOG_TARGET $tag_log_prefix "$log_prefix Block UPnP in ${_if}: "
+ fi
+ $ip6t -A FORWARD -i $_dev -p udp --dport 1900 -j DROP
+ done
+ echo_done
+else
+ echo_skipped
+fi
+
+echononl "\tBlock UPnP Traffic (extern out).."
+
+if $block_upnp_traffic_out ; then
+ for _dev in ${ext_if_arr[@]} ; do
+ if $log_upnp || $log_all ; then
+ $ip6t -A OUTPUT -o $_dev -p udp --dport 1900 -j $LOG_TARGET $tag_log_prefix "$log_prefix Block UPnP in ${_if}: "
+ fi
+ $ip6t -A OUTPUT -o $_dev -p udp --dport 1900 -j DROP
+
+ if $kernel_activate_forwarding ; then
+ $ip6t -A FORWARD -o $_dev -p udp --dport 1900 -j $LOG_TARGET $tag_log_prefix "$log_prefix Block UPnP in ${_if}: "
+ fi
+ $ip6t -A FORWARD -o $_dev -p udp --dport 1900 -j DROP
+ done
+ echo_done
+else
+ echo_skipped
+fi
+
+
 # ---
 # - Allow Forwarding certain private Addresses
 # ---
diff --git a/ipt-firewall-gateway b/ipt-firewall-gateway
index 08b9657..9499398 100755
--- a/ipt-firewall-gateway
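Review bot: All four LOG rules build their prefix from `${_if}`, but the variable the `for` line iterates is `_dev`, so `${_if}` is either unset or stale from an earlier loop elsewhere in the file and the interface name written to the log is empty or wrong; the same four lines recur in the ipt-firewall-gateway hunk. The FORWARD LOG rule inside `if $kernel_activate_forwarding` also lacks the `$log_upnp || $log_all` guard that the INPUT and OUTPUT LOG rules have, so once forwarding is enabled every forwarded SSDP packet on the external interfaces is logged whatever the logging config says, which is a log-volume exposure on an internet-facing interface. The outbound loop reuses the text "Block UPnP in", so INPUT and OUTPUT hits cannot be told apart in the log. The rewrite below covers the inbound loop body; the outbound loop needs the same change with OUTPUT/`-o` and the prefix "Block UPnP out".
```shell
# … unchanged: "(extern in)" banner and the block_upnp_traffic_in test …
    for _dev in ${ext_if_arr[@]} ; do
        if $log_upnp || $log_all ; then
            $ip6t -A INPUT -i $_dev -p udp --dport 1900 -j $LOG_TARGET $tag_log_prefix "$log_prefix Block UPnP in ${_dev}: "
        fi
        $ip6t -A INPUT -i $_dev -p udp --dport 1900 -j DROP

        if $kernel_activate_forwarding ; then
            # log forwarded hits only when UPnP logging is enabled, same as INPUT
            if $log_upnp || $log_all ; then
                $ip6t -A FORWARD -i $_dev -p udp --dport 1900 -j $LOG_TARGET $tag_log_prefix "$log_prefix Block UPnP in ${_dev}: "
            fi
        fi
        $ip6t -A FORWARD -i $_dev -p udp --dport 1900 -j DROP
    done
# … unchanged: echo_done / echo_skipped and the "(extern out)" loop …
```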
+++ b/ipt-firewall-gateway
@@ -610,6 +610,48 @@ done
 echo_done
 # Block IPs / Networks / Interfaces..
+# ---
+# - Block UPnP Ports
+# ---
+
+echononl "\tBlock UPnP Traffic (extern in).."
+
+if $block_upnp_traffic_in ; then
+ for _dev in ${ext_if_arr[@]} ; do
+ if $log_upnp || $log_all ; then
+ $ipt -A INPUT -i $_dev -p udp --dport 1900 -j $LOG_TARGET $tag_log_prefix "$log_prefix Block UPnP in ${_if}: "
+ fi
+ $ipt -A INPUT -i $_dev -p udp --dport 1900 -j DROP
+
+ if $kernel_activate_forwarding ; then
+ $ipt -A FORWARD -i $_dev -p udp --dport 1900 -j $LOG_TARGET $tag_log_prefix "$log_prefix Block UPnP in ${_if}: "
+ fi
+ $ipt -A FORWARD -i $_dev -p udp --dport 1900 -j DROP
+ done
+ echo_done
+else
+ echo_skipped
+fi
+
+echononl "\tBlock UPnP Traffic (extern out).."
+
+if $block_upnp_traffic_out ; then
+ for _dev in ${ext_if_arr[@]} ; do
+ if $log_upnp || $log_all ; then
+ $ipt -A OUTPUT -o $_dev -p udp --dport 1900 -j $LOG_TARGET $tag_log_prefix "$log_prefix Block UPnP in ${_if}: "
+ fi
+ $ipt -A OUTPUT -o $_dev -p udp --dport 1900 -j DROP
+
+ if $kernel_activate_forwarding ; then
+ $ipt -A FORWARD -o $_dev -p udp --dport 1900 -j $LOG_TARGET $tag_log_prefix "$log_prefix Block UPnP in ${_if}: "
+ fi
+ $ipt -A FORWARD -o $_dev -p udp --dport 1900 -j DROP
+ done
+ echo_done
+else
+ echo_skipped
+fi
+
 # ---
 # - Block IPs/Netwoks reading from file 'ban_ipv4.list'"