DivestOS/Patches/LineageOS-14.1/android_system_netd/0001-Harden_Network.patch

From a93c335e6eaed29e1537c63514b8bd94a79ba552 Mon Sep 17 00:00:00 2001
From: Tad <tad@spotco.us>
Date: Wed, 28 Jun 2017 12:30:56 -0400
Subject: [PATCH] Harden network via iptables

Change-Id: I42392ed3dcd7d2f42c312bb36f65ccb12914d13b
---
 server/CommandListener.cpp | 35 +++++++++++++++++++++++++++++++++++
 1 file changed, 35 insertions(+)

diff --git a/server/CommandListener.cpp b/server/CommandListener.cpp
index b16da18..5247878 100755
--- a/server/CommandListener.cpp
+++ b/server/CommandListener.cpp
@@ -230,6 +230,41 @@ CommandListener::CommandListener() :
     createChildChains(V4, "nat", "PREROUTING", NAT_PREROUTING);
     createChildChains(V4, "nat", "POSTROUTING", NAT_POSTROUTING);
 
+
+    //Drop invalid packets
+    execIptables(V4V6, "-w", "-I", "INPUT", "-m", "conntrack", "--ctstate", "INVALID", "-j", "DROP", NULL);
+    execIptables(V4V6, "-w", "-I", "OUTPUT", "-m", "conntrack", "--ctstate", "INVALID", "-j", "DROP", NULL);
+    execIptables(V4V6, "-w", "-I", "FORWARD", "-m", "conntrack", "--ctstate", "INVALID", "-j", "DROP", NULL);
+    //Credit: https://javapipe.com/iptables46-ddos-protection
+    //Drop TCP packets that are new and are not SYN
+    execIptables(V4V6, "-w", "-t", "raw", "-A", "PREROUTING", "-p", "tcp", "!", "--syn", "-m", "conntrack", "--ctstate", "NEW", "-j", "DROP", NULL);
+    //Drop SYN packets with suspicious MSS value
+    execIptables(V4, "-w", "-t", "raw", "-A", "PREROUTING", "-p", "tcp", "-m", "conntrack", "--ctstate", "NEW", "-m", "tcpmss", "!", "--mss", "536:65535", "-j", "DROP", NULL);
+    execIptables(V6, "-w", "-t", "raw", "-A", "PREROUTING", "-p", "tcp", "-m", "conntrack", "--ctstate", "NEW", "-m", "tcpmss", "!", "--mss", "1220:65535", "-j", "DROP", NULL);
+    //Drop packets with bogus TCP flags
+    execIptables(V4V6, "-w", "-t", "raw", "-A", "PREROUTING", "-p", "tcp", "--tcp-flags", "FIN,SYN,RST,PSH,ACK,URG", "NONE", "-j", "DROP", NULL);
+    execIptables(V4V6, "-w", "-t", "raw", "-A", "PREROUTING", "-p", "tcp", "--tcp-flags", "FIN,SYN", "FIN,SYN", "-j", "DROP", NULL);
+    execIptables(V4V6, "-w", "-t", "raw", "-A", "PREROUTING", "-p", "tcp", "--tcp-flags", "SYN,RST", "SYN,RST", "-j", "DROP", NULL);
+    execIptables(V4V6, "-w", "-t", "raw", "-A", "PREROUTING", "-p", "tcp", "--tcp-flags", "SYN,FIN", "SYN,FIN", "-j", "DROP", NULL);
+    execIptables(V4V6, "-w", "-t", "raw", "-A", "PREROUTING", "-p", "tcp", "--tcp-flags", "FIN,RST", "FIN,RST", "-j", "DROP", NULL);
+    execIptables(V4V6, "-w", "-t", "raw", "-A", "PREROUTING", "-p", "tcp", "--tcp-flags", "FIN,ACK", "FIN", "-j", "DROP", NULL);
+    execIptables(V4V6, "-w", "-t", "raw", "-A", "PREROUTING", "-p", "tcp", "--tcp-flags", "ACK,URG", "URG", "-j", "DROP", NULL);
+    execIptables(V4V6, "-w", "-t", "raw", "-A", "PREROUTING", "-p", "tcp", "--tcp-flags", "ACK,FIN", "FIN", "-j", "DROP", NULL);
+    execIptables(V4V6, "-w", "-t", "raw", "-A", "PREROUTING", "-p", "tcp", "--tcp-flags", "ACK,PSH", "PSH", "-j", "DROP", NULL);
+    execIptables(V4V6, "-w", "-t", "raw", "-A", "PREROUTING", "-p", "tcp", "--tcp-flags", "ALL", "ALL", "-j", "DROP", NULL);
+    execIptables(V4V6, "-w", "-t", "raw", "-A", "PREROUTING", "-p", "tcp", "--tcp-flags", "ALL", "NONE", "-j", "DROP", NULL);
+    execIptables(V4V6, "-w", "-t", "raw", "-A", "PREROUTING", "-p", "tcp", "--tcp-flags", "ALL", "FIN,PSH,URG", "-j", "DROP", NULL);
+    execIptables(V4V6, "-w", "-t", "raw", "-A", "PREROUTING", "-p", "tcp", "--tcp-flags", "ALL", "SYN,FIN,PSH,URG", "-j", "DROP", NULL);
+    execIptables(V4V6, "-w", "-t", "raw", "-A", "PREROUTING", "-p", "tcp", "--tcp-flags", "ALL", "SYN,RST,ACK,FIN,URG", "-j", "DROP", NULL);
+    //Drop spoofed packets
+    execIptables(V4, "-w", "-t", "raw", "-A", "PREROUTING", "-s", "0.0.0.0/8", "-j", "DROP", NULL);
+    execIptables(V4, "-w", "-t", "raw", "-A", "PREROUTING", "-s", "127.0.0.0/8", "!", "-i", "lo", "-j", "DROP", NULL);
+    //Drop fragments
+    execIptables(V4, "-w", "-t", "raw", "-A", "PREROUTING", "-f", "-j", "DROP", NULL);
+    //Limit connections per source IP
+    execIptables(V4V6, "-w", "-A", "INPUT", "-p", "tcp", "-m", "connlimit", "--connlimit-above", "32", "!", "-i", "lo", "-j", "REJECT", NULL);
+
+
     // Let each module setup their child chains
     setupOemIptablesHook();
 
-- 
2.13.2
Renable network hardening, fix tethering 2017-06-28 12:31:45 -04:00			`From a93c335e6eaed29e1537c63514b8bd94a79ba552 Mon Sep 17 00:00:00 2001`
Improved network hardening 2017-06-28 08:20:24 -04:00			`From: Tad <tad@spotco.us>`
Renable network hardening, fix tethering 2017-06-28 12:31:45 -04:00			`Date: Wed, 28 Jun 2017 12:30:56 -0400`
Improved network hardening 2017-06-28 08:20:24 -04:00			`Subject: [PATCH] Harden network via iptables`

Renable network hardening, fix tethering 2017-06-28 12:31:45 -04:00			`Change-Id: I42392ed3dcd7d2f42c312bb36f65ccb12914d13b`
Improved network hardening 2017-06-28 08:20:24 -04:00			`---`
Renable network hardening, fix tethering 2017-06-28 12:31:45 -04:00			`server/CommandListener.cpp \| 35 +++++++++++++++++++++++++++++++++++`
			`1 file changed, 35 insertions(+)`
Improved network hardening 2017-06-28 08:20:24 -04:00
			`diff --git a/server/CommandListener.cpp b/server/CommandListener.cpp`
Renable network hardening, fix tethering 2017-06-28 12:31:45 -04:00			`index b16da18..5247878 100755`
Improved network hardening 2017-06-28 08:20:24 -04:00			`--- a/server/CommandListener.cpp`
			`+++ b/server/CommandListener.cpp`
Renable network hardening, fix tethering 2017-06-28 12:31:45 -04:00			`@@ -230,6 +230,41 @@ CommandListener::CommandListener() :`
Improved network hardening 2017-06-28 08:20:24 -04:00			`createChildChains(V4, "nat", "PREROUTING", NAT_PREROUTING);`
			`createChildChains(V4, "nat", "POSTROUTING", NAT_POSTROUTING);`

			`+`
			`+ //Drop invalid packets`
Renable network hardening, fix tethering 2017-06-28 12:31:45 -04:00			`+ execIptables(V4V6, "-w", "-I", "INPUT", "-m", "conntrack", "--ctstate", "INVALID", "-j", "DROP", NULL);`
			`+ execIptables(V4V6, "-w", "-I", "OUTPUT", "-m", "conntrack", "--ctstate", "INVALID", "-j", "DROP", NULL);`
			`+ execIptables(V4V6, "-w", "-I", "FORWARD", "-m", "conntrack", "--ctstate", "INVALID", "-j", "DROP", NULL);`
Fix network hardening 2017-06-28 09:25:59 -04:00			`+ //Credit: https://javapipe.com/iptables46-ddos-protection`
Improved network hardening 2017-06-28 08:20:24 -04:00			`+ //Drop TCP packets that are new and are not SYN`
			`+ execIptables(V4V6, "-w", "-t", "raw", "-A", "PREROUTING", "-p", "tcp", "!", "--syn", "-m", "conntrack", "--ctstate", "NEW", "-j", "DROP", NULL);`
			`+ //Drop SYN packets with suspicious MSS value`
			`+ execIptables(V4, "-w", "-t", "raw", "-A", "PREROUTING", "-p", "tcp", "-m", "conntrack", "--ctstate", "NEW", "-m", "tcpmss", "!", "--mss", "536:65535", "-j", "DROP", NULL);`
			`+ execIptables(V6, "-w", "-t", "raw", "-A", "PREROUTING", "-p", "tcp", "-m", "conntrack", "--ctstate", "NEW", "-m", "tcpmss", "!", "--mss", "1220:65535", "-j", "DROP", NULL);`
			`+ //Drop packets with bogus TCP flags`
			`+ execIptables(V4V6, "-w", "-t", "raw", "-A", "PREROUTING", "-p", "tcp", "--tcp-flags", "FIN,SYN,RST,PSH,ACK,URG", "NONE", "-j", "DROP", NULL);`
			`+ execIptables(V4V6, "-w", "-t", "raw", "-A", "PREROUTING", "-p", "tcp", "--tcp-flags", "FIN,SYN", "FIN,SYN", "-j", "DROP", NULL);`
			`+ execIptables(V4V6, "-w", "-t", "raw", "-A", "PREROUTING", "-p", "tcp", "--tcp-flags", "SYN,RST", "SYN,RST", "-j", "DROP", NULL);`
			`+ execIptables(V4V6, "-w", "-t", "raw", "-A", "PREROUTING", "-p", "tcp", "--tcp-flags", "SYN,FIN", "SYN,FIN", "-j", "DROP", NULL);`
			`+ execIptables(V4V6, "-w", "-t", "raw", "-A", "PREROUTING", "-p", "tcp", "--tcp-flags", "FIN,RST", "FIN,RST", "-j", "DROP", NULL);`
			`+ execIptables(V4V6, "-w", "-t", "raw", "-A", "PREROUTING", "-p", "tcp", "--tcp-flags", "FIN,ACK", "FIN", "-j", "DROP", NULL);`
			`+ execIptables(V4V6, "-w", "-t", "raw", "-A", "PREROUTING", "-p", "tcp", "--tcp-flags", "ACK,URG", "URG", "-j", "DROP", NULL);`
			`+ execIptables(V4V6, "-w", "-t", "raw", "-A", "PREROUTING", "-p", "tcp", "--tcp-flags", "ACK,FIN", "FIN", "-j", "DROP", NULL);`
			`+ execIptables(V4V6, "-w", "-t", "raw", "-A", "PREROUTING", "-p", "tcp", "--tcp-flags", "ACK,PSH", "PSH", "-j", "DROP", NULL);`
			`+ execIptables(V4V6, "-w", "-t", "raw", "-A", "PREROUTING", "-p", "tcp", "--tcp-flags", "ALL", "ALL", "-j", "DROP", NULL);`
			`+ execIptables(V4V6, "-w", "-t", "raw", "-A", "PREROUTING", "-p", "tcp", "--tcp-flags", "ALL", "NONE", "-j", "DROP", NULL);`
			`+ execIptables(V4V6, "-w", "-t", "raw", "-A", "PREROUTING", "-p", "tcp", "--tcp-flags", "ALL", "FIN,PSH,URG", "-j", "DROP", NULL);`
			`+ execIptables(V4V6, "-w", "-t", "raw", "-A", "PREROUTING", "-p", "tcp", "--tcp-flags", "ALL", "SYN,FIN,PSH,URG", "-j", "DROP", NULL);`
			`+ execIptables(V4V6, "-w", "-t", "raw", "-A", "PREROUTING", "-p", "tcp", "--tcp-flags", "ALL", "SYN,RST,ACK,FIN,URG", "-j", "DROP", NULL);`
			`+ //Drop spoofed packets`
			`+ execIptables(V4, "-w", "-t", "raw", "-A", "PREROUTING", "-s", "0.0.0.0/8", "-j", "DROP", NULL);`
			`+ execIptables(V4, "-w", "-t", "raw", "-A", "PREROUTING", "-s", "127.0.0.0/8", "!", "-i", "lo", "-j", "DROP", NULL);`
			`+ //Drop fragments`
			`+ execIptables(V4, "-w", "-t", "raw", "-A", "PREROUTING", "-f", "-j", "DROP", NULL);`
			`+ //Limit connections per source IP`
Fix network hardening 2017-06-28 09:25:59 -04:00			`+ execIptables(V4V6, "-w", "-A", "INPUT", "-p", "tcp", "-m", "connlimit", "--connlimit-above", "32", "!", "-i", "lo", "-j", "REJECT", NULL);`
Improved network hardening 2017-06-28 08:20:24 -04:00			`+`
			`+`
			`// Let each module setup their child chains`
			`setupOemIptablesHook();`

			`--`
			`2.13.2`