make firewall compartible with 'iptables-nf'.
This commit is contained in:
@@ -991,6 +991,24 @@ $ipt -A OUTPUT -o lo -j ACCEPT
|
||||
echo_done
|
||||
|
||||
|
||||
# ---
|
||||
# - Already established connections
|
||||
# ---
|
||||
|
||||
echononl "\tAccept already established connections.."
|
||||
|
||||
$ipt -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
|
||||
$ipt -A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
|
||||
|
||||
$ipt -A INPUT -m conntrack --ctstate INVALID -j DROP
|
||||
|
||||
if $kernel_activate_forwarding ; then
|
||||
$ipt -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
|
||||
fi
|
||||
|
||||
echo_done
|
||||
|
||||
|
||||
# ---
|
||||
# - Protection against syn-flooding
|
||||
# ---
|
||||
@@ -1057,43 +1075,91 @@ if $limit_connections_per_source_IP ; then
|
||||
fi
|
||||
|
||||
if $log_rejected || $log_all ; then
|
||||
$ipt -A INPUT -p tcp -m connlimit --connlimit-above $per_IP_connection_limit -j $LOG_TARGET $tag_log_prefix "$log_prefix CONN limit per IP:"
|
||||
|
||||
$ipt -A INPUT -p tcp --syn \
|
||||
-m connlimit --connlimit-above $per_IP_connection_limit --connlimit-mask 32 --connlimit-saddr \
|
||||
-j $LOG_TARGET $tag_log_prefix "$log_prefix CONN limit per IP:"
|
||||
|
||||
fi
|
||||
$ipt -A INPUT -p tcp -m connlimit --connlimit-above $per_IP_connection_limit -j REJECT --reject-with tcp-reset
|
||||
|
||||
$ipt -A INPUT -p tcp --syn \
|
||||
-m connlimit --connlimit-above $per_IP_connection_limit --connlimit-mask 32 --connlimit-saddr \
|
||||
-j REJECT --reject-with tcp-reset
|
||||
|
||||
echo_done
|
||||
else
|
||||
echo_skipped
|
||||
fi
|
||||
|
||||
|
||||
#
|
||||
#
|
||||
# ---
|
||||
# - Limit RST packets
|
||||
# ---
|
||||
|
||||
echononl "\tLimit RST packets"
|
||||
if $limit_rst_packets ; then
|
||||
$ipt -A INPUT -p tcp --tcp-flags RST RST -m limit --limit 2/s --limit-burst 2 -j ACCEPT
|
||||
if $log_rejected || $log_all ; then
|
||||
$ipt -A INPUT -p tcp --tcp-flags RST RST -j $LOG_TARGET $tag_log_prefix "$log_prefix Limit RST packets: "
|
||||
fi
|
||||
$ipt -A INPUT -p tcp --tcp-flags RST RST -j DROP
|
||||
echo_done
|
||||
else
|
||||
echo_skipped
|
||||
fi
|
||||
|
||||
# ---
|
||||
# Ersatzlos gestrichen
|
||||
# ---
|
||||
echo_skipped
|
||||
|
||||
|
||||
#if $limit_rst_packets ; then
|
||||
#
|
||||
# $ipt -A INPUT -p tcp --tcp-flags RST RST \
|
||||
# -m limit --limit 2/s --limit-burst 2 -j ACCEPT
|
||||
#
|
||||
# if $log_rejected || $log_all ; then
|
||||
# $ipt -A INPUT -p tcp --tcp-flags RST RST \
|
||||
# -m limit --limit 2/s --limit-burst 2 \
|
||||
# -j $LOG_TARGET $tag_log_prefix "$log_prefix Limit RST packets: "
|
||||
# fi
|
||||
# $ipt -A INPUT -p tcp --tcp-flags RST RST -j DROP
|
||||
# echo_done
|
||||
#else
|
||||
# echo_skipped
|
||||
#fi
|
||||
|
||||
|
||||
# ---
|
||||
# - Limit new TCP connections per second per source IP
|
||||
# ---
|
||||
|
||||
echononl "\tLimit new TCP connections per second per source IP"
|
||||
if $limit_new_tcp_connections_per_seconds_per_source_IP ; then
|
||||
$ipt -A INPUT -p tcp -m conntrack --ctstate NEW -m limit --limit 60/s --limit-burst 20 -j ACCEPT
|
||||
echononl "\tLimit new (syn) TCP connections per second per source IP (multiport)"
|
||||
|
||||
if $limit_new_tcp_connections_per_seconds_per_source_IP \
|
||||
&& [[ ${#limit_new_tcp_connections_per_seconds_ports} -gt 0 ]]; then
|
||||
|
||||
#$ipt -A INPUT -p tcp -m conntrack --ctstate NEW -m limit --limit 60/s --limit-burst 20 -j ACCEPT
|
||||
|
||||
# Rate-Limit für neue SYNs auf 443 pro IP
|
||||
$ipt -A INPUT -p tcp --syn \
|
||||
-m multiport --dports $limit_new_tcp_connections_per_seconds_ports \
|
||||
-m hashlimit --hashlimit-name syn_multi_v4 \
|
||||
--hashlimit 30/second --hashlimit-burst 60 \
|
||||
--hashlimit-mode srcip --hashlimit-srcmask 32 \
|
||||
-j ACCEPT
|
||||
|
||||
|
||||
if $log_rejected || $log_all ; then
|
||||
$ipt -A INPUT -p tcp -m conntrack --ctstate NEW -j $LOG_TARGET $tag_log_prefix "$log_prefix Limit new TCP conn's: "
|
||||
|
||||
#$ipt -A INPUT -p tcp -m conntrack --ctstate NEW -j $LOG_TARGET $tag_log_prefix "$log_prefix Limit new TCP conn's: "
|
||||
|
||||
# rate-limited logging für Überschreiter
|
||||
$ipt -A INPUT -p tcp --syn \
|
||||
-m multiport --dports $limit_new_tcp_connections_per_seconds_ports \
|
||||
-m hashlimit --hashlimit-name syn_multi_v4_log \
|
||||
--hashlimit 2/second --hashlimit-burst 10 \
|
||||
--hashlimit-mode srcip --hashlimit-srcmask 32 \
|
||||
-j $LOG_TARGET $tag_log_prefix "$log_prefix SYN over limit (multiport):"
|
||||
|
||||
fi
|
||||
$ipt -A INPUT -p tcp -m conntrack --ctstate NEW -j DROP
|
||||
|
||||
#$ipt -A INPUT -p tcp -m conntrack --ctstate NEW -j DROP
|
||||
|
||||
$ipt -A INPUT -p tcp --syn -m multiport --dports $limit_new_tcp_connections_per_seconds_ports -j DROP
|
||||
|
||||
|
||||
echo_done
|
||||
else
|
||||
echo_skipped
|
||||
@@ -1284,21 +1350,6 @@ fi
|
||||
echo
|
||||
|
||||
|
||||
# ---
|
||||
# - Already established connections
|
||||
# ---
|
||||
|
||||
echononl "\tAccept already established connections.."
|
||||
|
||||
$ipt -A INPUT -p ALL -m state --state ESTABLISHED,RELATED -j ACCEPT
|
||||
$ipt -A OUTPUT -p ALL -m state --state ESTABLISHED,RELATED -j ACCEPT
|
||||
if $kernel_activate_forwarding ; then
|
||||
$ipt -A FORWARD -p ALL -m state --state ESTABLISHED,RELATED -j ACCEPT
|
||||
fi
|
||||
|
||||
echo_done
|
||||
|
||||
|
||||
# ---
|
||||
# - LOG CGI script Traffic out
|
||||
# ---
|
||||
|
||||
Reference in New Issue
Block a user