Add support for MatterMost (MM) service.

2023-01-24 17:42:27 +01:00
parent 9f016b1776
commit 486789c6b5
6 changed files with 273 additions and 62 deletions


@ -740,13 +740,17 @@ echo_done
echo
echononl "\tProtection against syn-flooding"
$ip6t -N syn-flood
$ip6t -A syn-flood -m limit --limit 1/second --limit-burst 3 -j RETURN
if $log_syn_flood || $log_all ; then
$ip6t -A syn-flood -j $LOG_TARGET $tag_log_prefix "$log_prefix SYN flood: "
if $protection_against_syn_flooding ; then
$ip6t -N syn-flood
$ip6t -A syn-flood -m limit --limit 1/second --limit-burst 3 -j RETURN
if $log_syn_flood || $log_all ; then
$ip6t -A syn-flood -j $LOG_TARGET $tag_log_prefix "$log_prefix SYN flood: "
fi
$ip6t -A syn-flood -j DROP
echo_done
else
echo_skipped
fi
$ip6t -A syn-flood -j DROP
echo_done
# ---
@ -754,13 +758,17 @@ echo_done
# ---
echononl "\tProtection against port scanning"
$ip6t -N port-scanning
$ip6t -A port-scanning -p tcp --tcp-flags SYN,ACK,FIN,RST RST -m limit --limit 1/s --limit-burst 2 -j RETURN
if $log_port_scanning || $log_all ; then
$ip6t -A port-scanning -j $LOG_TARGET $tag_log_prefix "$log_prefix Port Scan:"
if $protection_against_port_scanning ; then
$ip6t -N port-scanning
$ip6t -A port-scanning -p tcp --tcp-flags SYN,ACK,FIN,RST RST -m limit --limit 1/s --limit-burst 2 -j RETURN
if $log_port_scanning || $log_all ; then
$ip6t -A port-scanning -j $LOG_TARGET $tag_log_prefix "$log_prefix Port Scan:"
fi
$ip6t -A port-scanning -j DROP
echo_done
else
echo_skipped
fi
$ip6t -A port-scanning -j DROP
echo_done
# ---
@ -768,12 +776,16 @@ echo_done
# ---
echononl "\tProtection against SSH brute-force attacks"
$ip6t -A INPUT -p tcp --dport ssh -m conntrack --ctstate NEW -m recent --set
if $log_ssh_brute_force || $log_all ; then
$ip6t -A INPUT -p tcp --dport ssh -m conntrack --ctstate NEW -m recent --update --seconds 60 --hitcount 10 -j $LOG_TARGET $tag_log_prefix "$log_prefix SSH brute-force:"
if $protection_against_ssh_brute_force_attacks ; then
$ip6t -A INPUT -p tcp --dport ssh -m conntrack --ctstate NEW -m recent --set
if $log_ssh_brute_force || $log_all ; then
$ip6t -A INPUT -p tcp --dport ssh -m conntrack --ctstate NEW -m recent --update --seconds 60 --hitcount 10 -j $LOG_TARGET $tag_log_prefix "$log_prefix SSH brute-force:"
fi
$ip6t -A INPUT -p tcp --dport ssh -m conntrack --ctstate NEW -m recent --update --seconds 60 --hitcount 10 -j DROP
echo_done
else
echo_skipped
fi
$ip6t -A INPUT -p tcp --dport ssh -m conntrack --ctstate NEW -m recent --update --seconds 60 --hitcount 10 -j DROP
echo_done
# ---
@ -781,11 +793,15 @@ echo_done
# ---
echononl "\tLimit connections per source IP"
if $log_rejected || $log_all ; then
$ip6t -A INPUT -p tcp -m connlimit --connlimit-above 111 -j $LOG_TARGET $tag_log_prefix "$log_prefix CONN limit per IP: "
if $limit_connections_per_source_IP ; then
if $log_rejected || $log_all ; then
$ip6t -A INPUT -p tcp -m connlimit --connlimit-above 111 -j $LOG_TARGET $tag_log_prefix "$log_prefix CONN limit per IP: "
fi
$ip6t -A INPUT -p tcp -m connlimit --connlimit-above 111 -j REJECT --reject-with tcp-reset
echo_done
else
echo_skipped
fi
$ip6t -A INPUT -p tcp -m connlimit --connlimit-above 111 -j REJECT --reject-with tcp-reset
echo_done
# ---
@ -793,12 +809,16 @@ echo_done
# ---
echononl "\tLimit RST packets"
$ip6t -A INPUT -p tcp --tcp-flags RST RST -m limit --limit 2/s --limit-burst 2 -j ACCEPT
if $log_rejected || $log_all ; then
$ip6t -A INPUT -p tcp --tcp-flags RST RST -j $LOG_TARGET $tag_log_prefix "$log_prefix Limit RST packets: "
if $limit_rst_packets ; then
$ip6t -A INPUT -p tcp --tcp-flags RST RST -m limit --limit 2/s --limit-burst 2 -j ACCEPT
if $log_rejected || $log_all ; then
$ip6t -A INPUT -p tcp --tcp-flags RST RST -j $LOG_TARGET $tag_log_prefix "$log_prefix Limit RST packets: "
fi
$ip6t -A INPUT -p tcp --tcp-flags RST RST -j DROP
echo_done
else
echo_skipped
fi
$ip6t -A INPUT -p tcp --tcp-flags RST RST -j DROP
echo_done
# ---
@ -806,12 +826,16 @@ echo_done
# ---
echononl "\tLimit new TCP connections per second per source IP"
$ip6t -A INPUT -p tcp -m conntrack --ctstate NEW -m limit --limit 60/s --limit-burst 20 -j ACCEPT
if $log_rejected || $log_all ; then
$ip6t -A INPUT -p tcp -m conntrack --ctstate NEW -j $LOG_TARGET $tag_log_prefix "$log_prefix Limit new TCP conn's: "
if $limit_new_tcp_connections_per_seconds_per_source_IP ; then
$ip6t -A INPUT -p tcp -m conntrack --ctstate NEW -m limit --limit 60/s --limit-burst 20 -j ACCEPT
if $log_rejected || $log_all ; then
$ip6t -A INPUT -p tcp -m conntrack --ctstate NEW -j $LOG_TARGET $tag_log_prefix "$log_prefix Limit new TCP conn's: "
fi
$ip6t -A INPUT -p tcp -m conntrack --ctstate NEW -j DROP
echo_done
else
echo_skipped
fi
$ip6t -A INPUT -p tcp -m conntrack --ctstate NEW -j DROP
echo_done
# ---
@ -1747,6 +1771,33 @@ else
fi
# ---
# - Mattermost Service
# ---
echononl "\t\tMattermost (MM) Service"
if [[ ${#mm_server_ip_arr[@]} -gt 0 ]] || [[ ${#forward_mm_server_ip_arr[@]} -gt 0 ]] ; then
if [[ ${#mm_server_ip_arr[@]} -gt 0 ]] ; then
for _ip in ${mm_server_ip_arr[@]} ; do
$ip6t -A INPUT -p udp -d $_ip -m multiport --dports $mm_udp_ports_in -m state --state NEW -j ACCEPT
$ip6t -A OUTPUT -p udp -s $_ip -m multiport --dports $mm_udp_ports_out -m state --state NEW -j ACCEPT
done
if [[ ${#forward_mm_server_ip_arr[@]} -gt 0 ]] && $kernel_forward_between_interfaces ; then
for _ip in ${forward_mm_server_ip_arr[@]} ; do
$ip6t -A FORWARD -p udp -d $_ip -m multiport --dports $mm_udp_ports_in -m state --state NEW -j ACCEPT
$ip6t -A FORWARD -p udp -s $_ip -m multiport --dports $mm_udp_ports_out -m state --state NEW -j ACCEPT
done
fi
fi
echo_done
else
echo_skipped
fi
# ---
# - FTP out only"
# ---
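Review bot: The FORWARD rules for Mattermost can never be installed for a forward-only configuration: the `if [[ ${#forward_mm_server_ip_arr[@]} -gt 0 ]] && $kernel_forward_between_interfaces` block is nested inside `if [[ ${#mm_server_ip_arr[@]} -gt 0 ]]` (its `fi` is the second of the two closing `fi`s before `echo_done`), so when only `forward_mm_server_ip_arr` is populated — a case the outer `||` condition explicitly admits — nothing is added yet `echo_done` is still printed. Closing the inner `if` right after the first `done` and making the forward check its sibling fixes this. The new rules also match on `-m state --state NEW` while the rest of this file (e.g. the SSH brute-force hunk above) uses `-m conntrack --ctstate NEW`; `state` is the legacy alias, so `-m conntrack --ctstate NEW` keeps the file consistent. Only UDP ports are opened here; if the Mattermost HTTP(S) listener is meant to be reachable through this firewall, that is presumably handled by a generic web rule elsewhere — worth confirming, since nothing in this hunk admits TCP.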