Improved network hardening

This commit is contained in:
Tad 2017-06-28 08:20:24 -04:00
parent e343f5b465
commit 82be2c12f5
5 changed files with 177 additions and 85 deletions


@ -1,13 +1,13 @@
From f744a5628bbc7c97065b9355282c97d4c4cb1d60 Mon Sep 17 00:00:00 2001
From 77d7a0338ceecd3aa08f51f615cb22e3687b4c7e Mon Sep 17 00:00:00 2001
From: Daniel Micay <danielmicay@gmail.com>
Date: Mon, 29 May 2017 20:13:03 -0400
Subject: [PATCH] Harden mounts and network
Date: Wed, 28 Jun 2017 07:54:49 -0400
Subject: [PATCH] Harden mounts
Change-Id: I56e8371048f83f429009c3024f8aff99c9952d9c
Change-Id: I46e3fc4ac896a509ab8ca90ae4ce09b820da434b
---
init/init.cpp | 6 +++---
rootdir/init.rc | 16 ++++++++++++++++
2 files changed, 19 insertions(+), 3 deletions(-)
init/init.cpp | 6 +++---
rootdir/init.rc | 1 +
2 files changed, 4 insertions(+), 3 deletions(-)
diff --git a/init/init.cpp b/init/init.cpp
index 7a370596e..35bf44a7b 100755
@ -28,7 +28,7 @@ index 7a370596e..35bf44a7b 100755
// We must have some place other than / to create the device nodes for
diff --git a/rootdir/init.rc b/rootdir/init.rc
index 671c6b71f..a5da76318 100644
index 31b4e3566..da2071b15 100644
--- a/rootdir/init.rc
+++ b/rootdir/init.rc
@@ -126,6 +126,7 @@ on init
@ -39,28 +39,6 @@ index 671c6b71f..a5da76318 100644
write /proc/sys/kernel/kptr_restrict 2
write /proc/sys/vm/mmap_min_addr 32768
write /proc/sys/net/ipv4/ping_group_range "0 2147483647"
@@ -144,6 +145,21 @@ on init
write /proc/sys/net/ipv4/conf/all/accept_redirects 0
write /proc/sys/net/ipv6/conf/all/accept_redirects 0
+ # IPv4 hardening
+ #
+ # reverse path filtering is done with netfilter for consistency with IPv6
+ write /proc/sys/net/ipv4/tcp_rfc1337 1
+ write /proc/sys/net/ipv4/conf/all/accept_source_route 0
+ write /proc/sys/net/ipv4/conf/default/accept_source_route 0
+ write /proc/sys/net/ipv4/conf/default/accept_redirects 0
+ write /proc/sys/net/ipv4/conf/all/send_redirects 0
+ write /proc/sys/net/ipv4/conf/default/send_redirects 0
+
+ # IPv6 hardening
+ write /proc/sys/net/ipv6/conf/default/accept_redirects 0
+ write /proc/sys/net/ipv6/conf/all/use_tempaddr 2
+ write /proc/sys/net/ipv6/conf/default/use_tempaddr 2
+
# Create cgroup mount points for process groups
mkdir /dev/cpuctl
mount cgroup none /dev/cpuctl cpu
--
2.13.0
2.13.2


@ -0,0 +1,72 @@
From 104095f3a7590ccbd60f2b6dc4fc5242198469c5 Mon Sep 17 00:00:00 2001
From: Tad <tad@spotco.us>
Date: Wed, 28 Jun 2017 08:03:36 -0400
Subject: [PATCH] Harden IPv4/6
Credit: https://serverfault.com/a/811826
Credit: https://linux-audit.com/linux-security-guide-for-hardening-ipv6/
Credit: https://www.cyberciti.biz/faq/linux-kernel-etcsysctl-conf-security-hardening/
Change-Id: I6941a9b418112ffeb68b4749b803b6e5558db039
---
rootdir/init.rc | 44 +++++++++++++++++++++++++++++++++++++++++---
1 file changed, 41 insertions(+), 3 deletions(-)
diff --git a/rootdir/init.rc b/rootdir/init.rc
index da2071b15..5676edbff 100644
--- a/rootdir/init.rc
+++ b/rootdir/init.rc
@@ -141,9 +141,47 @@ on init
# set fwmark on accepted sockets
write /proc/sys/net/ipv4/tcp_fwmark_accept 1
- # disable icmp redirects
- write /proc/sys/net/ipv4/conf/all/accept_redirects 0
- write /proc/sys/net/ipv6/conf/all/accept_redirects 0
+ # network hardening
+ write /proc/net/net/ipv4/conf/all/accept_redirects 0
+ write /proc/net/net/ipv4/conf/all/accept_source_route 0
+ write /proc/net/net/ipv4/conf/all/log_martians 1
+ write /proc/net/net/ipv4/conf/all/rp_filter 1
+ write /proc/net/net/ipv4/conf/all/secure_redirects 0
+ write /proc/net/net/ipv4/conf/all/send_redirects 0
+ write /proc/net/net/ipv4/conf/default/accept_redirects 0
+ write /proc/net/net/ipv4/conf/default/accept_source_route 0
+ write /proc/net/net/ipv4/conf/default/log_martians 1
+ write /proc/net/net/ipv4/conf/default/rp_filter 1
+ write /proc/net/net/ipv4/conf/default/secure_redirects 0
+ write /proc/net/net/ipv4/conf/default/send_redirects 0
+ write /proc/net/net/ipv4/icmp_echo_ignore_all 0
+ write /proc/net/net/ipv4/icmp_echo_ignore_broadcasts 1
+ write /proc/net/net/ipv4/icmp_errors_use_inbound_ifaddr 0
+ write /proc/net/net/ipv4/icmp_ignore_bogus_error_responses 1
+ write /proc/net/net/ipv4/ip_forward 0
+ write /proc/net/net/ipv4/tcp_rfc1337 1
+ write /proc/net/net/ipv4/tcp_syncookies 1
+ write /proc/net/net/ipv4/tcp_timestamps 1
+ write /proc/net/net/ipv6/conf/all/accept_ra_defrtr 0
+ write /proc/net/net/ipv6/conf/all/accept_ra_pinfo 0
+ write /proc/net/net/ipv6/conf/all/accept_ra_rtr_pref 0
+ write /proc/net/net/ipv6/conf/all/accept_redirects 0
+ write /proc/net/net/ipv6/conf/all/autoconf 0
+ write /proc/net/net/ipv6/conf/all/dad_transmits 0
+ write /proc/net/net/ipv6/conf/all/max_addresses 1
+ write /proc/net/net/ipv6/conf/all/router_solicitations 0
+ write /proc/net/net/ipv6/conf/all/use_tempaddr 2
+ write /proc/net/net/ipv6/conf/default/accept_ra_defrtr 0
+ write /proc/net/net/ipv6/conf/default/accept_ra_pinfo 0
+ write /proc/net/net/ipv6/conf/default/accept_ra_rtr_pref 0
+ write /proc/net/net/ipv6/conf/default/accept_redirects 0
+ write /proc/net/net/ipv6/conf/default/autoconf 0
+ write /proc/net/net/ipv6/conf/default/dad_transmits 0
+ write /proc/net/net/ipv6/conf/default/max_addresses 1
+ write /proc/net/net/ipv6/conf/default/router_solicitations 0
+ write /proc/net/net/ipv6/conf/default/use_tempaddr 2
+ write /proc/net/net/netfilter/nf_conntrack_max 500000
+ write /proc/net/net/netfilter/nf_conntrack_tcp_loose 0
# Create cgroup mount points for process groups
mkdir /dev/cpuctl
--
2.13.2
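Review bot: Every sysctl path in the new `# network hardening` block is spelled `/proc/net/net/...`, but these knobs live under `/proc/sys/net/...`, as the two removed `accept_redirects` lines and the neighbouring `tcp_fwmark_accept` write in the same hunk show; as written none of the 40 writes can succeed (init presumably just logs the failure and continues), and the two `accept_redirects 0` settings that previously worked are lost with the deletion. Fix the prefix throughout, e.g. `write /proc/sys/net/ipv4/conf/all/accept_redirects 0`. Separately, `use_tempaddr 2` needs a temporary address next to the stable one, so `max_addresses 1` likely cancels it, and `autoconf 0`, `accept_ra_* 0`, `router_solicitations 0` and `dad_transmits 0` together disable SLAAC and duplicate-address detection, which on a device joining arbitrary networks plausibly means no usable IPv6 at all; that trade-off deserves a comment rather than a silent default. `rp_filter 1` is also set here although the companion patch in this commit notes that reverse-path filtering is done with netfilter for consistency with IPv6.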


@ -0,0 +1,93 @@
From f705d1c7cae38ca9070f24ff5c076b06ab827244 Mon Sep 17 00:00:00 2001
From: Tad <tad@spotco.us>
Date: Wed, 28 Jun 2017 08:19:00 -0400
Subject: [PATCH] Harden network via iptables
Change-Id: I37eca1211768b9d3aa63fa59a40112e35c5e8c62
---
server/CommandListener.cpp | 69 ++++++++++++++++++++++++++++++++++++++++++++++
1 file changed, 69 insertions(+)
diff --git a/server/CommandListener.cpp b/server/CommandListener.cpp
index b16da18..6aca8aa 100755
--- a/server/CommandListener.cpp
+++ b/server/CommandListener.cpp
@@ -230,6 +230,75 @@ CommandListener::CommandListener() :
createChildChains(V4, "nat", "PREROUTING", NAT_PREROUTING);
createChildChains(V4, "nat", "POSTROUTING", NAT_POSTROUTING);
+
+ //Drop incoming, drop routed, and allow outgoing
+ execIptables(V4V6, "-w", "-P", "INPUT", "DROP", NULL);
+ execIptables(V4V6, "-w", "-P", "FORWARD", "DROP", NULL);
+ execIptables(V4V6, "-w", "-P", "OUTPUT", "ACCEPT", NULL);
+ //Drop invalid packets
+ execIptables(V4V6, "-w", "-A", "INPUT", "-m", "conntrack", "--ctstate", "INVALID", "-j", "DROP", NULL);
+ execIptables(V4V6, "-w", "-A", "OUTPUT", "-m", "conntrack", "--ctstate", "INVALID", "-j", "DROP", NULL);
+ execIptables(V4V6, "-w", "-A", "FORWARD", "-m", "conntrack", "--ctstate", "INVALID", "-j", "DROP", NULL);
+ //Drop TCP packets that are new and are not SYN
+ execIptables(V4V6, "-w", "-t", "raw", "-A", "PREROUTING", "-p", "tcp", "!", "--syn", "-m", "conntrack", "--ctstate", "NEW", "-j", "DROP", NULL);
+ //Drop SYN packets with suspicious MSS value
+ execIptables(V4, "-w", "-t", "raw", "-A", "PREROUTING", "-p", "tcp", "-m", "conntrack", "--ctstate", "NEW", "-m", "tcpmss", "!", "--mss", "536:65535", "-j", "DROP", NULL);
+ execIptables(V6, "-w", "-t", "raw", "-A", "PREROUTING", "-p", "tcp", "-m", "conntrack", "--ctstate", "NEW", "-m", "tcpmss", "!", "--mss", "1220:65535", "-j", "DROP", NULL);
+ //Drop packets with bogus TCP flags
+ execIptables(V4V6, "-w", "-t", "raw", "-A", "PREROUTING", "-p", "tcp", "--tcp-flags", "FIN,SYN,RST,PSH,ACK,URG", "NONE", "-j", "DROP", NULL);
+ execIptables(V4V6, "-w", "-t", "raw", "-A", "PREROUTING", "-p", "tcp", "--tcp-flags", "FIN,SYN", "FIN,SYN", "-j", "DROP", NULL);
+ execIptables(V4V6, "-w", "-t", "raw", "-A", "PREROUTING", "-p", "tcp", "--tcp-flags", "SYN,RST", "SYN,RST", "-j", "DROP", NULL);
+ execIptables(V4V6, "-w", "-t", "raw", "-A", "PREROUTING", "-p", "tcp", "--tcp-flags", "SYN,FIN", "SYN,FIN", "-j", "DROP", NULL);
+ execIptables(V4V6, "-w", "-t", "raw", "-A", "PREROUTING", "-p", "tcp", "--tcp-flags", "FIN,RST", "FIN,RST", "-j", "DROP", NULL);
+ execIptables(V4V6, "-w", "-t", "raw", "-A", "PREROUTING", "-p", "tcp", "--tcp-flags", "FIN,ACK", "FIN", "-j", "DROP", NULL);
+ execIptables(V4V6, "-w", "-t", "raw", "-A", "PREROUTING", "-p", "tcp", "--tcp-flags", "ACK,URG", "URG", "-j", "DROP", NULL);
+ execIptables(V4V6, "-w", "-t", "raw", "-A", "PREROUTING", "-p", "tcp", "--tcp-flags", "ACK,FIN", "FIN", "-j", "DROP", NULL);
+ execIptables(V4V6, "-w", "-t", "raw", "-A", "PREROUTING", "-p", "tcp", "--tcp-flags", "ACK,PSH", "PSH", "-j", "DROP", NULL);
+ execIptables(V4V6, "-w", "-t", "raw", "-A", "PREROUTING", "-p", "tcp", "--tcp-flags", "ALL", "ALL", "-j", "DROP", NULL);
+ execIptables(V4V6, "-w", "-t", "raw", "-A", "PREROUTING", "-p", "tcp", "--tcp-flags", "ALL", "NONE", "-j", "DROP", NULL);
+ execIptables(V4V6, "-w", "-t", "raw", "-A", "PREROUTING", "-p", "tcp", "--tcp-flags", "ALL", "FIN,PSH,URG", "-j", "DROP", NULL);
+ execIptables(V4V6, "-w", "-t", "raw", "-A", "PREROUTING", "-p", "tcp", "--tcp-flags", "ALL", "SYN,FIN,PSH,URG", "-j", "DROP", NULL);
+ execIptables(V4V6, "-w", "-t", "raw", "-A", "PREROUTING", "-p", "tcp", "--tcp-flags", "ALL", "SYN,RST,ACK,FIN,URG", "-j", "DROP", NULL);
+ //Drop spoofed packets
+ execIptables(V4, "-w", "-t", "raw", "-A", "PREROUTING", "-s", "0.0.0.0/8", "-j", "DROP", NULL);
+ execIptables(V4, "-w", "-t", "raw", "-A", "PREROUTING", "-s", "127.0.0.0/8", "!", "-i", "lo", "-j", "DROP", NULL);
+ //Drop fragments
+ execIptables(V4, "-w", "-t", "raw", "-A", "PREROUTING", "-f", "-j", "DROP", NULL);
+ //Limit connections per source IP
+ execIptables(V4V6, "-w", "-A", "INPUT", "-p", "tcp", "-m", "connlimit", "--connlimit-above", "64", "!", "-i", "lo", "-j", "REJECT", NULL);
+ //Allow certain ICMP types
+ execIptables(V4, "-w", "-A", "INPUT", "-p", "icmp", "--icmp-type", "0", "-m", "conntrack", "--ctstate", "NEW", "-j", "ACCEPT", NULL);
+ execIptables(V4, "-w", "-A", "INPUT", "-p", "icmp", "--icmp-type", "3", "-m", "conntrack", "--ctstate", "NEW", "-j", "ACCEPT", NULL);
+ execIptables(V4, "-w", "-A", "INPUT", "-p", "icmp", "--icmp-type", "8", "-m", "conntrack", "--ctstate", "NEW", "-j", "ACCEPT", NULL);
+ execIptables(V4, "-w", "-A", "INPUT", "-p", "icmp", "--icmp-type", "11", "-m", "conntrack", "--ctstate", "NEW", "-j", "ACCEPT", NULL);
+ execIptables(V6, "-w", "-A", "INPUT", "-p", "ipv6-icmp", "--icmpv6-type", "1", "-j", "ACCEPT", NULL);
+ execIptables(V6, "-w", "-A", "INPUT", "-p", "ipv6-icmp", "--icmpv6-type", "2", "-j", "ACCEPT", NULL);
+ execIptables(V6, "-w", "-A", "INPUT", "-p", "ipv6-icmp", "--icmpv6-type", "3", "-j", "ACCEPT", NULL);
+ execIptables(V6, "-w", "-A", "INPUT", "-p", "ipv6-icmp", "--icmpv6-type", "4", "-j", "ACCEPT", NULL);
+ execIptables(V6, "-w", "-A", "INPUT", "-p", "ipv6-icmp", "--icmpv6-type", "128", "-j", "ACCEPT", NULL);
+ execIptables(V6, "-w", "-A", "INPUT", "-p", "ipv6-icmp", "--icmpv6-type", "133", "-j", "ACCEPT", NULL);
+ execIptables(V6, "-w", "-A", "INPUT", "-p", "ipv6-icmp", "--icmpv6-type", "134", "-j", "ACCEPT", NULL);
+ execIptables(V6, "-w", "-A", "INPUT", "-p", "ipv6-icmp", "--icmpv6-type", "135", "-j", "ACCEPT", NULL);
+ execIptables(V6, "-w", "-A", "INPUT", "-p", "ipv6-icmp", "--icmpv6-type", "136", "-j", "ACCEPT", NULL);
+ execIptables(V6, "-w", "-A", "INPUT", "-p", "ipv6-icmp", "--icmpv6-type", "137", "-j", "ACCEPT", NULL);
+ execIptables(V6, "-w", "-A", "INPUT", "-p", "ipv6-icmp", "--icmpv6-type", "141", "-j", "ACCEPT", NULL);
+ execIptables(V6, "-w", "-A", "INPUT", "-p", "ipv6-icmp", "--icmpv6-type", "142", "-j", "ACCEPT", NULL);
+ execIptables(V6, "-w", "-A", "INPUT", "-s", "fe80::/10", "-p", "ipv6-icmp", "--icmpv6-type", "130", "-j", "ACCEPT", NULL);
+ execIptables(V6, "-w", "-A", "INPUT", "-s", "fe80::/10", "-p", "ipv6-icmp", "--icmpv6-type", "131", "-j", "ACCEPT", NULL);
+ execIptables(V6, "-w", "-A", "INPUT", "-s", "fe80::/10", "-p", "ipv6-icmp", "--icmpv6-type", "132", "-j", "ACCEPT", NULL);
+ execIptables(V6, "-w", "-A", "INPUT", "-s", "fe80::/10", "-p", "ipv6-icmp", "--icmpv6-type", "143", "-j", "ACCEPT", NULL);
+ execIptables(V6, "-w", "-A", "INPUT", "-p", "ipv6-icmp", "--icmpv6-type", "148", "-j", "ACCEPT", NULL);
+ execIptables(V6, "-w", "-A", "INPUT", "-p", "ipv6-icmp", "--icmpv6-type", "149", "-j", "ACCEPT", NULL);
+ execIptables(V6, "-w", "-A", "INPUT", "-s", "fe80::/10", "-p", "ipv6-icmp", "--icmpv6-type", "151", "-j", "ACCEPT", NULL);
+ execIptables(V6, "-w", "-A", "INPUT", "-s", "fe80::/10", "-p", "ipv6-icmp", "--icmpv6-type", "152", "-j", "ACCEPT", NULL);
+ execIptables(V6, "-w", "-A", "INPUT", "-s", "fe80::/10", "-p", "ipv6-icmp", "--icmpv6-type", "153", "-j", "ACCEPT", NULL);
+ //Allow related/existing connections
+ execIptables(V4V6, "-w", "-A", "INPUT", "-i", "lo", "-j", "ACCEPT", NULL);
+ execIptables(V4V6, "-w", "-A", "OUTPUT", "-o", "lo", "-j", "ACCEPT", NULL);
+ execIptables(V4V6, "-w", "-A", "INPUT", "-m", "conntrack", "--ctstate", "ESTABLISHED,RELATED", "-j", "ACCEPT", NULL);
+ execIptables(V4V6, "-w", "-A", "OUTPUT", "-m", "conntrack", "--ctstate", "ESTABLISHED,RELATED", "-j", "ACCEPT", NULL);
+
+
// Let each module setup their child chains
setupOemIptablesHook();
--
2.13.2
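Review bot: The `-P INPUT DROP` / `-P FORWARD DROP` policies are applied at the top of the added block, before the loopback and `ESTABLISHED,RELATED` ACCEPT rules appended at its end, so all inbound traffic is dropped during the window between those calls; moving the three `-P` lines after the final `execIptables(V4V6, "-w", "-A", "OUTPUT", "-m", "conntrack", "--ctstate", "ESTABLISHED,RELATED", "-j", "ACCEPT", NULL);` closes it. With an INPUT DROP policy, inbound flows that conntrack cannot tie to an outgoing request (broadcast DHCP replies, mDNS/SSDP answers to a multicast query, inbound ADB-over-TCP) are dropped, and `-P FORWARD DROP` plausibly affects tethering, so a comment stating that this is intended would help the next maintainer. Several raw-table rules are duplicates with the flags reordered: `FIN,SYN FIN,SYN` vs `SYN,FIN SYN,FIN`, `FIN,ACK FIN` vs `ACK,FIN FIN`, and `FIN,SYN,RST,PSH,ACK,URG NONE` vs `ALL NONE`; one of each pair can go. The comment `//Allow related/existing connections` also heads the two loopback rules; `//Allow loopback and established/related traffic` would be accurate. The return value of `execIptables` is ignored throughout (as in the surrounding code), so a rule rejected at runtime, for instance because the `connlimit` or `tcpmss` match is not built, leaves no indication that the policy is only partially in place.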


@ -1,52 +0,0 @@
From 3ce5afa60fe949d5f4a272ebaed92bf24aad0b11 Mon Sep 17 00:00:00 2001
From: Tad <tad@spotco.us>
Date: Tue, 27 Jun 2017 23:18:10 -0400
Subject: [PATCH] Network hardening via iptables
Change-Id: I3a3d36af792641522e74ce45b0de3fa7ff791d58
---
server/CommandListener.cpp | 28 ++++++++++++++++++++++++++++
1 file changed, 28 insertions(+)
diff --git a/server/CommandListener.cpp b/server/CommandListener.cpp
index b16da18..7f5e99d 100755
--- a/server/CommandListener.cpp
+++ b/server/CommandListener.cpp
@@ -230,6 +230,34 @@ CommandListener::CommandListener() :
createChildChains(V4, "nat", "PREROUTING", NAT_PREROUTING);
createChildChains(V4, "nat", "POSTROUTING", NAT_POSTROUTING);
+
+ //Credit: https://javapipe.com/iptables-ddos-protection
+ execIptables(V4V6, "-w", "-A", "INPUT", "-m", "conntrack", "--ctstate", "INVALID", "-j", "DROP", NULL);
+ execIptables(V4V6, "-w", "-A", "OUTPUT", "-m", "conntrack", "--ctstate", "INVALID", "-j", "DROP", NULL);
+ execIptables(V4V6, "-w", "-A", "FORWARD", "-m", "conntrack", "--ctstate", "INVALID", "-j", "DROP", NULL);
+ execIptables(V4V6, "-w", "-t", "raw", "-A", "PREROUTING", "-p", "tcp", "!", "--syn", "-m", "conntrack", "--ctstate", "NEW", "-j", "DROP", NULL);
+ execIptables(V4, "-w", "-t", "raw", "-A", "PREROUTING", "-p", "tcp", "-m", "conntrack", "--ctstate", "NEW", "-m", "tcpmss", "!", "--mss", "536:65535", "-j", "DROP", NULL);
+ execIptables(V6, "-w", "-t", "raw", "-A", "PREROUTING", "-p", "tcp", "-m", "conntrack", "--ctstate", "NEW", "-m", "tcpmss", "!", "--mss", "1220:65535", "-j", "DROP", NULL);
+ execIptables(V4V6, "-w", "-t", "raw", "-A", "PREROUTING", "-p", "tcp", "--tcp-flags", "FIN,SYN,RST,PSH,ACK,URG", "NONE", "-j", "DROP", NULL);
+ execIptables(V4V6, "-w", "-t", "raw", "-A", "PREROUTING", "-p", "tcp", "--tcp-flags", "FIN,SYN", "FIN,SYN", "-j", "DROP", NULL);
+ execIptables(V4V6, "-w", "-t", "raw", "-A", "PREROUTING", "-p", "tcp", "--tcp-flags", "SYN,RST", "SYN,RST", "-j", "DROP", NULL);
+ execIptables(V4V6, "-w", "-t", "raw", "-A", "PREROUTING", "-p", "tcp", "--tcp-flags", "SYN,FIN", "SYN,FIN", "-j", "DROP", NULL);
+ execIptables(V4V6, "-w", "-t", "raw", "-A", "PREROUTING", "-p", "tcp", "--tcp-flags", "FIN,RST", "FIN,RST", "-j", "DROP", NULL);
+ execIptables(V4V6, "-w", "-t", "raw", "-A", "PREROUTING", "-p", "tcp", "--tcp-flags", "FIN,ACK", "FIN", "-j", "DROP", NULL);
+ execIptables(V4V6, "-w", "-t", "raw", "-A", "PREROUTING", "-p", "tcp", "--tcp-flags", "ACK,URG", "URG", "-j", "DROP", NULL);
+ execIptables(V4V6, "-w", "-t", "raw", "-A", "PREROUTING", "-p", "tcp", "--tcp-flags", "ACK,FIN", "FIN", "-j", "DROP", NULL);
+ execIptables(V4V6, "-w", "-t", "raw", "-A", "PREROUTING", "-p", "tcp", "--tcp-flags", "ACK,PSH", "PSH", "-j", "DROP", NULL);
+ execIptables(V4V6, "-w", "-t", "raw", "-A", "PREROUTING", "-p", "tcp", "--tcp-flags", "ALL", "ALL", "-j", "DROP", NULL);
+ execIptables(V4V6, "-w", "-t", "raw", "-A", "PREROUTING", "-p", "tcp", "--tcp-flags", "ALL", "NONE", "-j", "DROP", NULL);
+ execIptables(V4V6, "-w", "-t", "raw", "-A", "PREROUTING", "-p", "tcp", "--tcp-flags", "ALL", "FIN,PSH,URG", "-j", "DROP", NULL);
+ execIptables(V4V6, "-w", "-t", "raw", "-A", "PREROUTING", "-p", "tcp", "--tcp-flags", "ALL", "SYN,FIN,PSH,URG", "-j", "DROP", NULL);
+ execIptables(V4V6, "-w", "-t", "raw", "-A", "PREROUTING", "-p", "tcp", "--tcp-flags", "ALL", "SYN,RST,ACK,FIN,URG", "-j", "DROP", NULL);
+ execIptables(V4, "-w", "-t", "raw", "-A", "PREROUTING", "-s", "0.0.0.0/8", "-j", "DROP", NULL);
+ execIptables(V4, "-w", "-t", "raw", "-A", "PREROUTING", "-s", "127.0.0.0/8", "!", "-i", "lo", "-j", "DROP", NULL);
+ execIptables(V4, "-w", "-t", "raw", "-A", "PREROUTING", "-f", "-j", "DROP", NULL);
+ execIptables(V4V6, "-w", "-A", "INPUT", "-p", "tcp", "-m", "connlimit", "--connlimit-above", "64", "!", "-i", "lo", "-j", "REJECT", NULL);
+
+
// Let each module setup their child chains
setupOemIptablesHook();
--
2.13.2


@ -154,10 +154,11 @@ patch -p1 < $patches"android_packages_inputmethods_LatinIME/0001-Voice.patch" #R
enter "system/core"
cat /tmp/ar/hosts >> rootdir/etc/hosts #Merge in our HOSTS file
patch -p1 < $patches"android_system_core/0001-Hardening.patch" #Misc hardening
patch -p1 < $patches"android_system_core/0001-Harden_Mounts.patch" #Harden mounts with nodev/noexec/nosuid
patch -p1 < $patches"android_system_core/0002-Harden_Network.patch" #Harden network via sysctls
enter "system/netd"
patch -p1 < $patches"android_system_netd/0001-iptables.patch"; #Network hardening via iptables
patch -p1 < $patches"android_system_netd/0001-Harden_Network.patch"; #Harden network via iptables
enter "vendor/cm"
awk -i inplace '!/50-cm.sh/' config/common.mk; #Make sure our hosts is always used
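Review bot: The new `patch -p1` invocations for `0001-Harden_Mounts.patch`, `0002-Harden_Network.patch` and `0001-Harden_Network.patch` do not check the exit status, so a rejected hunk leaves the tree half-patched while the build continues; appending `|| exit 1` to each line (or running the script under `set -e`) would surface the failure. `$patches` is also left unquoted in front of the string literal and would be word-split if the path ever contains whitespace; `patch -p1 < "${patches}android_system_core/0002-Harden_Network.patch"` avoids that.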