firewall/ipt-server
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

make firewall compartible with 'iptables-nf'.

Browse Source
This commit is contained in:
Christoph
2026-01-11 00:31:22 +01:00
parent 63889b0dc9
commit a37b2c185b
4 changed files with 168 additions and 67 deletions
Download Patch File Download Diff File Expand all files Collapse all files

8
conf/main_ipv4.conf.sample
View File

@@ -782,12 +782,18 @@ per_IP_connection_limit=$default_per_IP_connection_limit
# - Limit RST packets # - Limit RST packets
# - # -
limit_rst_packets=true # - REMOVED
# -
#limit_rst_packets=false
# - Limit new TCP connections per second per source IP # - Limit new TCP connections per second per source IP
# - # -
limit_new_tcp_connections_per_seconds_per_source_IP=true limit_new_tcp_connections_per_seconds_per_source_IP=true
# comma separated list of ports
#
#limit_new_tcp_connections_per_seconds_ports="25,80,110,143,443,465,995"
# ------------- # -------------
# --- Router ? # --- Router ?

8
conf/main_ipv6.conf.sample
View File

@@ -796,12 +796,18 @@ per_IP_connection_limit=$default_per_IP_connection_limit
# - Limit RST packets # - Limit RST packets
# - # -
limit_rst_packets=true # - REMOVED
# -
#limit_rst_packets=false
# - Limit new TCP connections per second per source IP # - Limit new TCP connections per second per source IP
# - # -
limit_new_tcp_connections_per_seconds_per_source_IP=true limit_new_tcp_connections_per_seconds_per_source_IP=true
# comma separated list of ports
#
#limit_new_tcp_connections_per_seconds_ports="25,80,110,143,443,465,995"
# ------------- # -------------
# --- Kernel related - Adjust Kernel Parameters (Security/Tuning) # --- Kernel related - Adjust Kernel Parameters (Security/Tuning)

100
ip6t-firewall-server
View File

@@ -841,6 +841,24 @@ $ip6t -A OUTPUT -o lo -j ACCEPT
echo_done echo_done
# ---
# - Already established connections
# ---
echononl "\tAccept already established connections.."
$ip6t -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
$ip6t -A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
$ip6t -A INPUT -m conntrack --ctstate INVALID -j DROP
if $kernel_forward_between_interfaces ; then
$ip6t -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEP
fi
echo_done
# --- # ---
# - Protection against syn-flooding # - Protection against syn-flooding
# --- # ---
@@ -907,9 +925,17 @@ if $limit_connections_per_source_IP ; then
fi fi
if $log_rejected || $log_all ; then if $log_rejected || $log_all ; then
$ip6t -A INPUT -p tcp -m connlimit --connlimit-above $per_IP_connection_limit -j $LOG_TARGET $tag_log_prefix "$log_prefix CONN limit per IP: "
$ip6t -A INPUT -p tcp --syn \
-m connlimit --connlimit-above $per_IP_connection_limit --connlimit-mask 128 --connlimit-saddr \
-j $LOG_TARGET $tag_log_prefix "$log_prefix CONN limit per IP:"
fi fi
$ip6t -A INPUT -p tcp -m connlimit --connlimit-above $per_IP_connection_limit -j REJECT --reject-with tcp-reset
$ip6t -A INPUT -p tcp --syn \
-m connlimit --connlimit-above $per_IP_connection_limit --connlimit-mask 128 --connlimit-saddr \
-j REJECT --reject-with tcp-reset
echo_done echo_done
else else
echo_skipped echo_skipped
@@ -921,27 +947,54 @@ fi
# --- # ---
echononl "\tLimit RST packets" echononl "\tLimit RST packets"
if $limit_rst_packets ; then
$ip6t -A INPUT -p tcp --tcp-flags RST RST -m limit --limit 2/s --limit-burst 2 -j ACCEPT # ---
if $log_rejected || $log_all ; then # Ersatzlos gestrichen
$ip6t -A INPUT -p tcp --tcp-flags RST RST -j $LOG_TARGET $tag_log_prefix "$log_prefix Limit RST packets: " # ---
fi echo_skipped
$ip6t -A INPUT -p tcp --tcp-flags RST RST -j DROP
echo_done #if $limit_rst_packets ; then
else # $ip6t -A INPUT -p tcp --tcp-flags RST RST -m limit --limit 2/s --limit-burst 2 -j ACCEPT
echo_skipped # if $log_rejected || $log_all ; then
fi # $ip6t -A INPUT -p tcp --tcp-flags RST RST -j $LOG_TARGET $tag_log_prefix "$log_prefix Limit RST packets: "
# fi
# $ip6t -A INPUT -p tcp --tcp-flags RST RST -j DROP
# echo_done
#else
# echo_skipped
#fi
# --- # ---
# - Limit new TCP connections per second per source IP # - Limit new TCP connections per second per source IP
# --- # ---
echononl "\tLimit new TCP connections per second per source IP" echononl "\tLimit new (syn) TCP connections per second per source IP (multiport)"
if $limit_new_tcp_connections_per_seconds_per_source_IP ; then
$ip6t -A INPUT -p tcp -m conntrack --ctstate NEW -m limit --limit 60/s --limit-burst 20 -j ACCEPT if $limit_new_tcp_connections_per_seconds_per_source_IP \
&& [[ ${#limit_new_tcp_connections_per_seconds_ports} -gt 0 ]]; then
#$ip6t -A INPUT -p tcp -m conntrack --ctstate NEW -m limit --limit 60/s --limit-burst 20 -j ACCEPT
# Rate-Limit für neue SYNs auf 443 pro IP
$ip6t -A INPUT -p tcp --syn \
-m multiport --dports $limit_new_tcp_connections_per_seconds_ports \
-m hashlimit --hashlimit-name syn_multi_v4 \
--hashlimit 30/second --hashlimit-burst 60 \
--hashlimit-mode srcip --hashlimit-srcmask 32 \
-j ACCEPT
if $log_rejected || $log_all ; then if $log_rejected || $log_all ; then
$ip6t -A INPUT -p tcp -m conntrack --ctstate NEW -j $LOG_TARGET $tag_log_prefix "$log_prefix Limit new TCP conn's: "
#$ip6t -A INPUT -p tcp -m conntrack --ctstate NEW -j $LOG_TARGET $tag_log_prefix "$log_prefix Limit new TCP conn's: "
# rate-limited logging für Überschreiter
$ip6t -A INPUT -p tcp --syn \
-m multiport --dports $limit_new_tcp_connections_per_seconds_ports \
-m hashlimit --hashlimit-name syn_multi_v4_log \
--hashlimit 2/second --hashlimit-burst 10 \
--hashlimit-mode srcip --hashlimit-srcmask 32 \
-j $LOG_TARGET $tag_log_prefix "$log_prefix SYN over limit (multiport):"
fi fi
$ip6t -A INPUT -p tcp -m conntrack --ctstate NEW -j DROP $ip6t -A INPUT -p tcp -m conntrack --ctstate NEW -j DROP
echo_done echo_done
@@ -1133,21 +1186,6 @@ fi
echo echo
# ---
# - Already established connections
# ---
echononl "\tAccept already established connections.."
$ip6t -A INPUT -p ALL -m state --state ESTABLISHED,RELATED -j ACCEPT
$ip6t -A OUTPUT -p ALL -m state --state ESTABLISHED,RELATED -j ACCEPT
if $kernel_forward_between_interfaces ; then
$ip6t -A FORWARD -p ALL -m state --state ESTABLISHED,RELATED -j ACCEPT
fi
echo_done
# --- # ---
# - LOG CGI script Traffic out # - LOG CGI script Traffic out
# --- # ---

119
ipt-firewall-server
View File

@@ -991,6 +991,24 @@ $ipt -A OUTPUT -o lo -j ACCEPT
echo_done echo_done
# ---
# - Already established connections
# ---
echononl "\tAccept already established connections.."
$ipt -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
$ipt -A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
$ipt -A INPUT -m conntrack --ctstate INVALID -j DROP
if $kernel_activate_forwarding ; then
$ipt -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
fi
echo_done
# --- # ---
# - Protection against syn-flooding # - Protection against syn-flooding
# --- # ---
@@ -1057,43 +1075,91 @@ if $limit_connections_per_source_IP ; then
fi fi
if $log_rejected || $log_all ; then if $log_rejected || $log_all ; then
$ipt -A INPUT -p tcp -m connlimit --connlimit-above $per_IP_connection_limit -j $LOG_TARGET $tag_log_prefix "$log_prefix CONN limit per IP:"
$ipt -A INPUT -p tcp --syn \
-m connlimit --connlimit-above $per_IP_connection_limit --connlimit-mask 32 --connlimit-saddr \
-j $LOG_TARGET $tag_log_prefix "$log_prefix CONN limit per IP:"
fi fi
$ipt -A INPUT -p tcp -m connlimit --connlimit-above $per_IP_connection_limit -j REJECT --reject-with tcp-reset
$ipt -A INPUT -p tcp --syn \
-m connlimit --connlimit-above $per_IP_connection_limit --connlimit-mask 32 --connlimit-saddr \
-j REJECT --reject-with tcp-reset
echo_done echo_done
else else
echo_skipped echo_skipped
fi fi
#
#
# --- # ---
# - Limit RST packets # - Limit RST packets
# --- # ---
echononl "\tLimit RST packets" echononl "\tLimit RST packets"
if $limit_rst_packets ; then
$ipt -A INPUT -p tcp --tcp-flags RST RST -m limit --limit 2/s --limit-burst 2 -j ACCEPT # ---
if $log_rejected || $log_all ; then # Ersatzlos gestrichen
$ipt -A INPUT -p tcp --tcp-flags RST RST -j $LOG_TARGET $tag_log_prefix "$log_prefix Limit RST packets: " # ---
fi echo_skipped
$ipt -A INPUT -p tcp --tcp-flags RST RST -j DROP
echo_done
else #if $limit_rst_packets ; then
echo_skipped #
fi # $ipt -A INPUT -p tcp --tcp-flags RST RST \
# -m limit --limit 2/s --limit-burst 2 -j ACCEPT
#
# if $log_rejected || $log_all ; then
# $ipt -A INPUT -p tcp --tcp-flags RST RST \
# -m limit --limit 2/s --limit-burst 2 \
# -j $LOG_TARGET $tag_log_prefix "$log_prefix Limit RST packets: "
# fi
# $ipt -A INPUT -p tcp --tcp-flags RST RST -j DROP
# echo_done
#else
# echo_skipped
#fi
# --- # ---
# - Limit new TCP connections per second per source IP # - Limit new TCP connections per second per source IP
# --- # ---
echononl "\tLimit new TCP connections per second per source IP" echononl "\tLimit new (syn) TCP connections per second per source IP (multiport)"
if $limit_new_tcp_connections_per_seconds_per_source_IP ; then
$ipt -A INPUT -p tcp -m conntrack --ctstate NEW -m limit --limit 60/s --limit-burst 20 -j ACCEPT if $limit_new_tcp_connections_per_seconds_per_source_IP \
&& [[ ${#limit_new_tcp_connections_per_seconds_ports} -gt 0 ]]; then
#$ipt -A INPUT -p tcp -m conntrack --ctstate NEW -m limit --limit 60/s --limit-burst 20 -j ACCEPT
# Rate-Limit für neue SYNs auf 443 pro IP
$ipt -A INPUT -p tcp --syn \
-m multiport --dports $limit_new_tcp_connections_per_seconds_ports \
-m hashlimit --hashlimit-name syn_multi_v4 \
--hashlimit 30/second --hashlimit-burst 60 \
--hashlimit-mode srcip --hashlimit-srcmask 32 \
-j ACCEPT
if $log_rejected || $log_all ; then if $log_rejected || $log_all ; then
$ipt -A INPUT -p tcp -m conntrack --ctstate NEW -j $LOG_TARGET $tag_log_prefix "$log_prefix Limit new TCP conn's: "
#$ipt -A INPUT -p tcp -m conntrack --ctstate NEW -j $LOG_TARGET $tag_log_prefix "$log_prefix Limit new TCP conn's: "
# rate-limited logging für Überschreiter
$ipt -A INPUT -p tcp --syn \
-m multiport --dports $limit_new_tcp_connections_per_seconds_ports \
-m hashlimit --hashlimit-name syn_multi_v4_log \
--hashlimit 2/second --hashlimit-burst 10 \
--hashlimit-mode srcip --hashlimit-srcmask 32 \
-j $LOG_TARGET $tag_log_prefix "$log_prefix SYN over limit (multiport):"
fi fi
$ipt -A INPUT -p tcp -m conntrack --ctstate NEW -j DROP
#$ipt -A INPUT -p tcp -m conntrack --ctstate NEW -j DROP
$ipt -A INPUT -p tcp --syn -m multiport --dports $limit_new_tcp_connections_per_seconds_ports -j DROP
echo_done echo_done
else else
echo_skipped echo_skipped
@@ -1284,21 +1350,6 @@ fi
echo echo
# ---
# - Already established connections
# ---
echononl "\tAccept already established connections.."
$ipt -A INPUT -p ALL -m state --state ESTABLISHED,RELATED -j ACCEPT
$ipt -A OUTPUT -p ALL -m state --state ESTABLISHED,RELATED -j ACCEPT
if $kernel_activate_forwarding ; then
$ipt -A FORWARD -p ALL -m state --state ESTABLISHED,RELATED -j ACCEPT
fi
echo_done
# --- # ---
# - LOG CGI script Traffic out # - LOG CGI script Traffic out
# --- # ---