ポートスキャン対策はINPUTチェーンでやる

nexryai · Jun 11, 2024 · f868b22 · f868b22
1 parent a799b1b
commit f868b22
Showing 1 changed file with 33 additions and 32 deletions.
diff --git a/internal/render/render.go b/internal/render/render.go
@@ -106,8 +106,20 @@ func GenRulesFromConfig(cfg *config.Config) []string {
 		MkBaseInputRules(true, true, false),
 		MkAllowLoopbackInterface())
 
-	var alwaysDenyIP []string
-	alwaysDenyIP = append(alwaysDenyIP, cfg.Security.AlwaysDenyIP...)
+	// 不正なパケットとポートスキャンをブロック
+	rules = append(rules, MkDropInvalid())
+	if !cfg.Security.DisablePortScanProtection {
+		rules = append(rules, MkBlockTcpXmas(), MkBlockTcpNull(), MkBlockTcpMss())
+	} else {
+		log.MsgWarn("Port scan protection is DISABLED!")
+	}
+
+	if !cfg.Security.DisableIpFragmentsBlock {
+		rules = append(rules, MkBlockIPFragments())
+	}
+
+	// AlwaysDenyIPとAlwaysDenyASNのCIDRを格納する
+	alwaysDenyIP := cfg.Security.AlwaysDenyIP
 
 	// alwaysDenyASNをIPのCIDRに変換
 	for _, denyASN := range cfg.Security.AlwaysDenyASN {
@@ -314,42 +326,31 @@ func GenRulesFromConfig(cfg *config.Config) []string {
 	}
 
 	// PREROUTINGチェーン
-	rules = append(rules, MkChainStart("prerouting"))
-
-	if cfg.Router.ConfigAsRouter {
-		rules = append(rules, MkBaseRoutingRule("prerouting"))
-	} else if len(cfg.Nat) != 0 {
-		rules = append(rules, MkBaseNatRule())
-	}
-
-	// 不正なパケットととりあえず全部弾くべき攻撃を遮断
-	// inputチェーンよりpreroutingの方が優先されるのでここに入れる
-	rules = append(rules, MkDropInvalid())
-	if !cfg.Security.DisablePortScanProtection {
-		rules = append(rules, MkBlockTcpXmas(), MkBlockTcpNull(), MkBlockTcpMss())
-	} else {
-		log.MsgWarn("Port scan protection is DISABLED!")
-	}
+	if cfg.Router.ConfigAsRouter || len(cfg.Nat) != 0 {
+		rules = append(rules, MkChainStart("prerouting"))
 
-	if !cfg.Security.DisableIpFragmentsBlock {
-		rules = append(rules, MkBlockIPFragments())
-	}
+		if cfg.Router.ConfigAsRouter {
+			rules = append(rules, MkBaseRoutingRule("prerouting"))
+		} else if len(cfg.Nat) != 0 {
+			rules = append(rules, MkBaseNatRule())
+		}
 
-	if cfg.Router.ForceDNS != "" {
-		for _, lanInterface := range cfg.Router.LANInterfaces {
-			rules = append(rules, MkForceDNS(cfg.Router.ForceDNS, lanInterface, "udp"))
-			rules = append(rules, MkForceDNS(cfg.Router.ForceDNS, lanInterface, "tcp"))
+		if cfg.Router.ForceDNS != "" {
+			for _, lanInterface := range cfg.Router.LANInterfaces {
+				rules = append(rules, MkForceDNS(cfg.Router.ForceDNS, lanInterface, "udp"))
+				rules = append(rules, MkForceDNS(cfg.Router.ForceDNS, lanInterface, "tcp"))
+			}
 		}
-	}
 
-	// ポート転送有効時のNAT構成
-	if len(cfg.Nat) != 0 {
-		for _, r := range cfg.Nat {
-			rules = append(rules, MkNat(&r))
+		// ポート転送有効時のNAT構成
+		if len(cfg.Nat) != 0 {
+			for _, r := range cfg.Nat {
+				rules = append(rules, MkNat(&r))
+			}
 		}
-	}
 
-	rules = append(rules, MkChainEnd())
+		rules = append(rules, MkChainEnd())
+	}
 
 	// SYN-flood対策
 	rules = append(rules, MkChainStart("syn-flood"),