diff --git a/conf/main_ipv4.conf.sample b/conf/main_ipv4.conf.sample index 6b88670..2e3222f 100644 --- a/conf/main_ipv4.conf.sample +++ b/conf/main_ipv4.conf.sample @@ -782,12 +782,18 @@ per_IP_connection_limit=$default_per_IP_connection_limit # - Limit RST packets # - -limit_rst_packets=true +# - REMOVED +# - +#limit_rst_packets=false # - Limit new TCP connections per second per source IP # - limit_new_tcp_connections_per_seconds_per_source_IP=true +# comma separated list of ports +# +#limit_new_tcp_connections_per_seconds_ports="25,80,110,143,443,465,995" + # ------------- # --- Router ? diff --git a/conf/main_ipv6.conf.sample b/conf/main_ipv6.conf.sample index ec5e87a..cf9b176 100644 --- a/conf/main_ipv6.conf.sample +++ b/conf/main_ipv6.conf.sample @@ -796,12 +796,18 @@ per_IP_connection_limit=$default_per_IP_connection_limit # - Limit RST packets # - -limit_rst_packets=true +# - REMOVED +# - +#limit_rst_packets=false # - Limit new TCP connections per second per source IP # - limit_new_tcp_connections_per_seconds_per_source_IP=true +# comma separated list of ports +# +#limit_new_tcp_connections_per_seconds_ports="25,80,110,143,443,465,995" + # ------------- # --- Kernel related - Adjust Kernel Parameters (Security/Tuning) diff --git a/ip6t-firewall-server b/ip6t-firewall-server index 9ba852d..4a7b6ce 100755 --- a/ip6t-firewall-server +++ b/ip6t-firewall-server @@ -841,6 +841,24 @@ $ip6t -A OUTPUT -o lo -j ACCEPT echo_done +# --- +# - Already established connections +# --- + +echononl "\tAccept already established connections.." + +$ip6t -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT +$ip6t -A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT + +$ip6t -A INPUT -m conntrack --ctstate INVALID -j DROP + +if $kernel_forward_between_interfaces ; then + $ip6t -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEP +fi + +echo_done + + # --- # - Protection against syn-flooding # --- 
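Review bot: With `limit_new_tcp_connections_per_seconds_ports` shipped commented out, `limit_new_tcp_connections_per_seconds_per_source_IP=true` becomes a no-op: both firewall scripts in this diff install the per-source SYN limit only when that port list is non-empty, so the sample enables a feature it then disables. The sample should say so next to the new key, e.g. `# Required when limit_new_tcp_connections_per_seconds_per_source_IP=true: the limit is only installed for these ports (multiport, at most 15 entries); leave empty to skip the step entirely.` The retired `#limit_rst_packets=false` line is also misleading, since the variable is no longer read by either script in this diff; a comment such as `# limit_rst_packets is ignored since the RST limit was removed` (or dropping the line) avoids stale configuration. The same applies to the ipv6 sample.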
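Review bot: The FORWARD rule in the new "Already established connections" block targets `ACCEP` instead of `ACCEPT` (as the hunk reads), so ip6tables will refuse to load the target and the rule is never installed whenever `$kernel_forward_between_interfaces` is true, leaving forwarded IPv6 return traffic to whatever later FORWARD rules or the chain policy decide. It should read `$ip6t -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT`, matching the ipt-firewall-server twin further down in this diff. Because the failure only appears on forwarding hosts, it is also worth checking the command's exit status rather than letting the script continue silently past a rejected rule.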
@@ -907,9 +925,17 @@ if $limit_connections_per_source_IP ; then fi if $log_rejected || $log_all ; then - $ip6t -A INPUT -p tcp -m connlimit --connlimit-above $per_IP_connection_limit -j $LOG_TARGET $tag_log_prefix "$log_prefix CONN limit per IP: " + + $ip6t -A INPUT -p tcp --syn \ + -m connlimit --connlimit-above $per_IP_connection_limit --connlimit-mask 128 --connlimit-saddr \ + -j $LOG_TARGET $tag_log_prefix "$log_prefix CONN limit per IP:" + fi - $ip6t -A INPUT -p tcp -m connlimit --connlimit-above $per_IP_connection_limit -j REJECT --reject-with tcp-reset + + $ip6t -A INPUT -p tcp --syn \ + -m connlimit --connlimit-above $per_IP_connection_limit --connlimit-mask 128 --connlimit-saddr \ + -j REJECT --reject-with tcp-reset + echo_done else echo_skipped 
@@ -921,27 +947,54 @@ fi # --- echononl "\tLimit RST packets" -if $limit_rst_packets ; then - $ip6t -A INPUT -p tcp --tcp-flags RST RST -m limit --limit 2/s --limit-burst 2 -j ACCEPT - if $log_rejected || $log_all ; then - $ip6t -A INPUT -p tcp --tcp-flags RST RST -j $LOG_TARGET $tag_log_prefix "$log_prefix Limit RST packets: " - fi - $ip6t -A INPUT -p tcp --tcp-flags RST RST -j DROP - echo_done -else - echo_skipped -fi + +# --- +# Ersatzlos gestrichen +# --- +echo_skipped + +#if $limit_rst_packets ; then +# $ip6t -A INPUT -p tcp --tcp-flags RST RST -m limit --limit 2/s --limit-burst 2 -j ACCEPT +# if $log_rejected || $log_all ; then +# $ip6t -A INPUT -p tcp --tcp-flags RST RST -j $LOG_TARGET $tag_log_prefix "$log_prefix Limit RST packets: " +# fi +# $ip6t -A INPUT -p tcp --tcp-flags RST RST -j DROP +# echo_done +#else +# echo_skipped +#fi # --- # - Limit new TCP connections per second per source IP # --- -echononl "\tLimit new TCP connections per second per source IP" -if $limit_new_tcp_connections_per_seconds_per_source_IP ; then - $ip6t -A INPUT -p tcp -m conntrack --ctstate NEW -m limit --limit 60/s --limit-burst 20 -j ACCEPT +echononl "\tLimit new (syn) TCP connections per second per source IP (multiport)" + +if $limit_new_tcp_connections_per_seconds_per_source_IP \ + && [[ ${#limit_new_tcp_connections_per_seconds_ports} -gt 0 ]]; then + + #$ip6t -A INPUT -p tcp -m conntrack --ctstate NEW -m limit --limit 60/s --limit-burst 20 -j ACCEPT + + # Rate-Limit für neue SYNs auf 443 pro IP + $ip6t -A INPUT -p tcp --syn \ + -m multiport --dports $limit_new_tcp_connections_per_seconds_ports \ + -m hashlimit --hashlimit-name syn_multi_v4 \ + --hashlimit 30/second --hashlimit-burst 60 \ + --hashlimit-mode srcip --hashlimit-srcmask 32 \ + -j ACCEPT + if $log_rejected || $log_all ; then - $ip6t -A INPUT -p tcp -m conntrack --ctstate NEW -j $LOG_TARGET $tag_log_prefix "$log_prefix Limit new TCP conn's: " + + #$ip6t -A INPUT -p tcp -m conntrack --ctstate NEW -j $LOG_TARGET 
$tag_log_prefix "$log_prefix Limit new TCP conn's: " + + # rate-limited logging für Überschreiter + $ip6t -A INPUT -p tcp --syn \ + -m multiport --dports $limit_new_tcp_connections_per_seconds_ports \ + -m hashlimit --hashlimit-name syn_multi_v4_log \ + --hashlimit 2/second --hashlimit-burst 10 \ + --hashlimit-mode srcip --hashlimit-srcmask 32 \ + -j $LOG_TARGET $tag_log_prefix "$log_prefix SYN over limit (multiport):" fi $ip6t -A INPUT -p tcp -m conntrack --ctstate NEW -j DROP echo_done @@ -1133,21 +1186,6 @@ fi echo -# --- -# - Already established connections -# --- - -echononl "\tAccept already established connections.." - -$ip6t -A INPUT -p ALL -m state --state ESTABLISHED,RELATED -j ACCEPT -$ip6t -A OUTPUT -p ALL -m state --state ESTABLISHED,RELATED -j ACCEPT -if $kernel_forward_between_interfaces ; then - $ip6t -A FORWARD -p ALL -m state --state ESTABLISHED,RELATED -j ACCEPT -fi - -echo_done - - # --- # - LOG CGI script Traffic out # --- diff --git a/ipt-firewall-server b/ipt-firewall-server index 9c62c90..83449c9 100755 --- a/ipt-firewall-server +++ b/ipt-firewall-server @@ -991,6 +991,24 @@ $ipt -A OUTPUT -o lo -j ACCEPT echo_done +# --- +# - Already established connections +# --- + +echononl "\tAccept already established connections.." + +$ipt -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT +$ipt -A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT + +$ipt -A INPUT -m conntrack --ctstate INVALID -j DROP + +if $kernel_activate_forwarding ; then + $ipt -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT +fi + +echo_done + + # --- # - Protection against syn-flooding # --- 
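Review bot: The final drop in this block is still the unchanged `$ip6t -A INPUT -p tcp -m conntrack --ctstate NEW -j DROP`, while the ACCEPT above it now only covers SYNs to the configured port list; on IPv6 every new TCP connection to any other port (SSH, for example) is therefore dropped here before any later service rule can be reached, a lockout the IPv4 script avoids by narrowing its drop to `--syn -m multiport --dports $limit_new_tcp_connections_per_seconds_ports`. The ip6t drop should be narrowed the same way. Separately, `--hashlimit-srcmask 32` on IPv6 folds a whole /32 prefix into one bucket, so a single noisy client can trip the limit for an entire provider allocation; use `--hashlimit-srcmask 128` (or 64 for per-subnet accounting) and rename `syn_multi_v4` to something like `syn_multi_v6` so the v4 and v6 tables are distinguishable in /proc. The `# Rate-Limit für neue SYNs auf 443 pro IP` comment is stale now that the rule is multiport.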
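Review bot: `$ipt -A INPUT -m conntrack --ctstate INVALID -j DROP` drops silently, whereas the other reject rules visible in this diff are preceded by a `$LOG_TARGET` rule guarded by `$log_rejected || $log_all`; INVALID-state packets are a useful forensic signal (scans, broken NAT, spoofed RSTs) and are easy to miss when they never reach a log. Consider the same guarded log line before the drop, `if $log_rejected || $log_all ; then $ipt -A INPUT -m conntrack --ctstate INVALID -m limit --limit 5/min -j $LOG_TARGET $tag_log_prefix "$log_prefix INVALID state:"; fi`, with the limit keeping a flood from filling the log. Placing the ESTABLISHED,RELATED accept this early also means the syn-flood and per-IP limits that follow only ever see NEW or INVALID packets, which looks intended and deserves a one-line comment, e.g. `# Must precede the rate-limit rules below: they are meant for new connections only.`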
@@ -1057,43 +1075,91 @@ if $limit_connections_per_source_IP ; then fi if $log_rejected || $log_all ; then - $ipt -A INPUT -p tcp -m connlimit --connlimit-above $per_IP_connection_limit -j $LOG_TARGET $tag_log_prefix "$log_prefix CONN limit per IP:" + + $ipt -A INPUT -p tcp --syn \ + -m connlimit --connlimit-above $per_IP_connection_limit --connlimit-mask 32 --connlimit-saddr \ + -j $LOG_TARGET $tag_log_prefix "$log_prefix CONN limit per IP:" + fi - $ipt -A INPUT -p tcp -m connlimit --connlimit-above $per_IP_connection_limit -j REJECT --reject-with tcp-reset + + $ipt -A INPUT -p tcp --syn \ + -m connlimit --connlimit-above $per_IP_connection_limit --connlimit-mask 32 --connlimit-saddr \ + -j REJECT --reject-with tcp-reset + echo_done else echo_skipped fi - - +# +# # --- # - Limit RST packets # --- echononl "\tLimit RST packets" -if $limit_rst_packets ; then - $ipt -A INPUT -p tcp --tcp-flags RST RST -m limit --limit 2/s --limit-burst 2 -j ACCEPT - if $log_rejected || $log_all ; then - $ipt -A INPUT -p tcp --tcp-flags RST RST -j $LOG_TARGET $tag_log_prefix "$log_prefix Limit RST packets: " - fi - $ipt -A INPUT -p tcp --tcp-flags RST RST -j DROP - echo_done -else - echo_skipped -fi + +# --- +# Ersatzlos gestrichen +# --- +echo_skipped + + +#if $limit_rst_packets ; then +# +# $ipt -A INPUT -p tcp --tcp-flags RST RST \ +# -m limit --limit 2/s --limit-burst 2 -j ACCEPT +# +# if $log_rejected || $log_all ; then +# $ipt -A INPUT -p tcp --tcp-flags RST RST \ +# -m limit --limit 2/s --limit-burst 2 \ +# -j $LOG_TARGET $tag_log_prefix "$log_prefix Limit RST packets: " +# fi +# $ipt -A INPUT -p tcp --tcp-flags RST RST -j DROP +# echo_done +#else +# echo_skipped +#fi # --- # - Limit new TCP connections per second per source IP # --- -echononl "\tLimit new TCP connections per second per source IP" -if $limit_new_tcp_connections_per_seconds_per_source_IP ; then - $ipt -A INPUT -p tcp -m conntrack --ctstate NEW -m limit --limit 60/s --limit-burst 20 -j ACCEPT +echononl "\tLimit 
new (syn) TCP connections per second per source IP (multiport)" + +if $limit_new_tcp_connections_per_seconds_per_source_IP \ + && [[ ${#limit_new_tcp_connections_per_seconds_ports} -gt 0 ]]; then + + #$ipt -A INPUT -p tcp -m conntrack --ctstate NEW -m limit --limit 60/s --limit-burst 20 -j ACCEPT + + # Rate-Limit für neue SYNs auf 443 pro IP + $ipt -A INPUT -p tcp --syn \ + -m multiport --dports $limit_new_tcp_connections_per_seconds_ports \ + -m hashlimit --hashlimit-name syn_multi_v4 \ + --hashlimit 30/second --hashlimit-burst 60 \ + --hashlimit-mode srcip --hashlimit-srcmask 32 \ + -j ACCEPT + + if $log_rejected || $log_all ; then - $ipt -A INPUT -p tcp -m conntrack --ctstate NEW -j $LOG_TARGET $tag_log_prefix "$log_prefix Limit new TCP conn's: " + + #$ipt -A INPUT -p tcp -m conntrack --ctstate NEW -j $LOG_TARGET $tag_log_prefix "$log_prefix Limit new TCP conn's: " + + # rate-limited logging für Überschreiter + $ipt -A INPUT -p tcp --syn \ + -m multiport --dports $limit_new_tcp_connections_per_seconds_ports \ + -m hashlimit --hashlimit-name syn_multi_v4_log \ + --hashlimit 2/second --hashlimit-burst 10 \ + --hashlimit-mode srcip --hashlimit-srcmask 32 \ + -j $LOG_TARGET $tag_log_prefix "$log_prefix SYN over limit (multiport):" + fi - $ipt -A INPUT -p tcp -m conntrack --ctstate NEW -j DROP + + #$ipt -A INPUT -p tcp -m conntrack --ctstate NEW -j DROP + + $ipt -A INPUT -p tcp --syn -m multiport --dports $limit_new_tcp_connections_per_seconds_ports -j DROP + + echo_done else echo_skipped @@ -1284,21 +1350,6 @@ fi echo -# --- -# - Already established connections -# --- - -echononl "\tAccept already established connections.." - -$ipt -A INPUT -p ALL -m state --state ESTABLISHED,RELATED -j ACCEPT -$ipt -A OUTPUT -p ALL -m state --state ESTABLISHED,RELATED -j ACCEPT -if $kernel_activate_forwarding ; then - $ipt -A FORWARD -p ALL -m state --state ESTABLISHED,RELATED -j ACCEPT -fi - -echo_done - - # --- # - LOG CGI script Traffic out # ---
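Review bot: The hashlimit rule ends in `-j ACCEPT`, so every SYN to a port in `$limit_new_tcp_connections_per_seconds_ports` that stays under 30/s is accepted right here and never reaches the per-service rules later in INPUT; with the sample list that opens 25, 110, 143, 465 and 995 unconditionally on any host that enables the limit, whether or not those services are meant to be exposed (assuming the later rules are where exposure is decided, which is outside this hunk). A rate limiter should only remove excess traffic, not grant access: match the over-limit case with `--hashlimit-above` and send it to a small chain that logs (rate-limited) and drops, letting in-limit SYNs fall through to the normal rules; the `-N` below presumes the script's reset already removes user chains, as the ACCEPT/DROP pair it replaces is otherwise unchanged. The `# Rate-Limit für neue SYNs auf 443 pro IP` comment is stale now that the rule is multiport. The enclosing `if ... else echo_skipped` runs to the end of the hunk.
```shell
# Over-limit SYNs to the listed ports are logged (rate-limited) and dropped;
# SYNs within the limit fall through to the per-service rules that follow,
# so this block never grants access on its own.
$ipt -N syn_limit_drop
if $log_rejected || $log_all ; then
    $ipt -A syn_limit_drop \
        -m hashlimit --hashlimit-name syn_multi_v4_log \
        --hashlimit 2/second --hashlimit-burst 10 \
        --hashlimit-mode srcip --hashlimit-srcmask 32 \
        -j $LOG_TARGET $tag_log_prefix "$log_prefix SYN over limit (multiport):"
fi
$ipt -A syn_limit_drop -j DROP

$ipt -A INPUT -p tcp --syn \
    -m multiport --dports $limit_new_tcp_connections_per_seconds_ports \
    -m hashlimit --hashlimit-name syn_multi_v4 \
    --hashlimit-above 30/second --hashlimit-burst 60 \
    --hashlimit-mode srcip --hashlimit-srcmask 32 \
    -j syn_limit_drop
# … unchanged: echo_done / else echo_skipped …
```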