firewall/ipt-server
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Changing rules for protection against several ddos attacks.

Browse Source
This commit is contained in:
Christoph
2020-10-28 20:57:08 +01:00
parent 498b34741c
commit bcdee40228
7 changed files with 494 additions and 276 deletions
Download Patch File Download Diff File Expand all files Collapse all files

385
ipt-firewall-server
View File

@ -647,243 +647,298 @@ fi
# --- Protections against several attacks / unwanted packages
# -------------
echo
echononl "\tProtections against several attacks / unwanted packages.."
echo -e "\t\033[37m\033[1mProtections against several attacks / unwanted packages..\033[m"
# ---
# - Protection against syn-flooding
# - Drop invalid packets
# ---
$ipt -N syn-flood
$ipt -A syn-flood -m limit --limit 1/second --limit-burst 3 -j RETURN
if $log_syn_flood || $log_all ; then
$ipt -A syn-flood -j $LOG_TARGET $tag_log_prefix "$log_prefix SYN flood:"
echononl "\tDrop invalid packets"
if $log_invalid_packets|| $log_all ; then
$ipt -t mangle -A PREROUTING -m conntrack --ctstate INVALID -j $LOG_TARGET $tag_log_prefix "$log_prefix Invalid packets:"
fi
$ipt -A syn-flood -j DROP
$ipt -t mangle -A PREROUTING -m conntrack --ctstate INVALID -j DROP
echo_done
# ---
# - Drop Fragments
# ---
# I have to say that fragments scare me more than anything.
# Sending lots of non-first fragments was what allowed Jolt2 to effectively "drown"
# Firewall-1. Fragments can be overlapped, and the subsequent interpretation of such
# fragments is very OS-dependent (see this paper for details).
# I am not going to trust any fragments.
# Log fragments just to see if we get any, and deny them too
for _dev in ${ext_if_arr[@]} ; do
if $log_fragments || $log_all ; then
$ipt -A INPUT -i $_dev -f -j $LOG_TARGET $tag_log_prefix "$log_prefix IPTABLES FRAGMENTS:"
if $kernel_activate_forwarding ; then
$ipt -A FORWARD -i $_dev -f -j $LOG_TARGET $tag_log_prefix "$log_prefix IPTABLES FRAGMENTS:"
fi
fi
$ipt -A INPUT -i $_dev -f -j DROP
if $kernel_activate_forwarding ; then
$ipt -A FORWARD -i $_dev -f -j DROP
fi
done
# ---
# - drop new packages without syn flag
# Drop TCP packets that are new and are not SYN
# ---
echononl "\tDrop TCP packets that are new and are not SYN"
if $log_new_not_sync || $log_all ; then
$ipt -A INPUT -p tcp ! --syn -m state --state NEW -j $LOG_TARGET $tag_log_prefix "$log_prefix New but not SYN:"
$ipt -A OUTPUT -p tcp ! --syn -m state --state NEW -j $LOG_TARGET $tag_log_prefix "$log_prefix New but not SYN:"
if $kernel_activate_forwarding ; then
$ipt -A FORWARD -p tcp ! --syn -m state --state NEW -j $LOG_TARGET $tag_log_prefix "$log_prefix New but not SYN:"
fi
$ipt -t mangle -A PREROUTING -p tcp ! --syn -m conntrack --ctstate NEW -j $LOG_TARGET $tag_log_prefix "$log_prefix New but not SYN:"
fi
$ipt -A INPUT -p tcp ! --syn -m state --state NEW -j DROP
$ipt -A OUTPUT -p tcp ! --syn -m state --state NEW -j DROP
if $kernel_activate_forwarding ; then
$ipt -A FORWARD -p tcp ! --syn -m state --state NEW -j DROP
$ipt -t mangle -A PREROUTING -p tcp ! --syn -m conntrack --ctstate NEW -j DROP
echo_done
# ---
# - Drop SYN packets with suspicious MSS value
# ---
echononl "\tDrop SYN packets with suspicious MSS value"
if $log_syn_with_suspicious_mss || $log_all ; then
$ipt -t mangle -A PREROUTING -p tcp -m conntrack --ctstate NEW -m tcpmss ! --mss 536:65535 -j $LOG_TARGET $tag_log_prefix "$log_prefix suspicious MSS:"
fi
$ipt -t mangle -A PREROUTING -p tcp -m conntrack --ctstate NEW -m tcpmss ! --mss 536:65535 -j DROP
echo_done
# ---
# - drop invalid packages
# - Block packets with bogus TCP flags
# ---
if $log_invalid_state || $log_all ; then
$ipt -A INPUT -m state --state INVALID -j $LOG_TARGET $tag_log_prefix "$log_prefix Invalid state:"
if $kernel_activate_forwarding ; then
$ipt -A FORWARD -m state --state INVALID -j $LOG_TARGET $tag_log_prefix "$log_prefix Invalid state:"
fi
fi
$ipt -A INPUT -m state --state INVALID -j DROP
if $kernel_activate_forwarding ; then
$ipt -A FORWARD -m state --state INVALID -j DROP
echononl "\tBlock packets with bogus TCP flags"
if $log_invalid_flags || $log_all ; then
$ipt -t mangle -A PREROUTING -p tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j $LOG_TARGET $tag_log_prefix "$log_prefix Invalid flags:"
$ipt -t mangle -A PREROUTING -p tcp --tcp-flags FIN,SYN FIN,SYN -j $LOG_TARGET $tag_log_prefix "$log_prefix Invalid flags:"
$ipt -t mangle -A PREROUTING -p tcp --tcp-flags SYN,RST SYN,RST -j $LOG_TARGET $tag_log_prefix "$log_prefix Invalid flags:"
$ipt -t mangle -A PREROUTING -p tcp --tcp-flags FIN,RST FIN,RST -j $LOG_TARGET $tag_log_prefix "$log_prefix Invalid flags:"
$ipt -t mangle -A PREROUTING -p tcp --tcp-flags FIN,ACK FIN -j $LOG_TARGET $tag_log_prefix "$log_prefix Invalid flags:"
$ipt -t mangle -A PREROUTING -p tcp --tcp-flags ACK,URG URG -j $LOG_TARGET $tag_log_prefix "$log_prefix Invalid flags:"
$ipt -t mangle -A PREROUTING -p tcp --tcp-flags ACK,FIN FIN -j $LOG_TARGET $tag_log_prefix "$log_prefix Invalid flags:"
$ipt -t mangle -A PREROUTING -p tcp --tcp-flags ACK,PSH PSH -j $LOG_TARGET $tag_log_prefix "$log_prefix Invalid flags:"
$ipt -t mangle -A PREROUTING -p tcp --tcp-flags ALL ALL -j $LOG_TARGET $tag_log_prefix "$log_prefix Invalid flags:"
$ipt -t mangle -A PREROUTING -p tcp --tcp-flags ALL NONE -j $LOG_TARGET $tag_log_prefix "$log_prefix Invalid flags:"
$ipt -t mangle -A PREROUTING -p tcp --tcp-flags ALL FIN,PSH,URG -j $LOG_TARGET $tag_log_prefix "$log_prefix Invalid flags:"
$ipt -t mangle -A PREROUTING -p tcp --tcp-flags ALL SYN,FIN,PSH,URG -j $LOG_TARGET $tag_log_prefix "$log_prefix Invalid flags:"
$ipt -t mangle -A PREROUTING -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j $LOG_TARGET $tag_log_prefix "$log_prefix Invalid flags:"
fi
$ipt -t mangle -A PREROUTING -p tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j DROP
$ipt -t mangle -A PREROUTING -p tcp --tcp-flags FIN,SYN FIN,SYN -j DROP
$ipt -t mangle -A PREROUTING -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
$ipt -t mangle -A PREROUTING -p tcp --tcp-flags FIN,RST FIN,RST -j DROP
$ipt -t mangle -A PREROUTING -p tcp --tcp-flags FIN,ACK FIN -j DROP
$ipt -t mangle -A PREROUTING -p tcp --tcp-flags ACK,URG URG -j DROP
$ipt -t mangle -A PREROUTING -p tcp --tcp-flags ACK,FIN FIN -j DROP
$ipt -t mangle -A PREROUTING -p tcp --tcp-flags ACK,PSH PSH -j DROP
$ipt -t mangle -A PREROUTING -p tcp --tcp-flags ALL ALL -j DROP
$ipt -t mangle -A PREROUTING -p tcp --tcp-flags ALL NONE -j DROP
$ipt -t mangle -A PREROUTING -p tcp --tcp-flags ALL FIN,PSH,URG -j DROP
$ipt -t mangle -A PREROUTING -p tcp --tcp-flags ALL SYN,FIN,PSH,URG -j DROP
$ipt -t mangle -A PREROUTING -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j DROP
echo_done
# ---
# - ungewöhnliche Flags verwerfen
# - Block spoofed (own ip) packets
# ---
for _dev in ${ext_if_arr[@]} ; do
if $log_invalid_flags || $log_all ; then
$ipt -A INPUT -i $_dev -p tcp --tcp-flags ALL ACK,RST,SYN,FIN -j $LOG_TARGET $tag_log_prefix "$log_prefix Invalid flags:"
$ipt -A INPUT -i $_dev -p tcp --tcp-flags SYN,FIN SYN,FIN -j $LOG_TARGET $tag_log_prefix "$log_prefix Invalid flags:"
$ipt -A INPUT -i $_dev -p tcp --tcp-flags SYN,RST SYN,RST -j $LOG_TARGET $tag_log_prefix "$log_prefix Invalid flags:"
if $kernel_activate_forwarding ; then
$ipt -A FORWARD -i $_dev -p tcp --tcp-flags ALL ACK,RST,SYN,FIN -j $LOG_TARGET $tag_log_prefix "$log_prefix Invalid flags:"
$ipt -A FORWARD -i $_dev -p tcp --tcp-flags SYN,FIN SYN,FIN -j $LOG_TARGET $tag_log_prefix "$log_prefix Invalid flags:"
$ipt -A FORWARD -i $_dev -p tcp --tcp-flags SYN,RST SYN,RST -j $LOG_TARGET $tag_log_prefix "$log_prefix Invalid flags:"
fi
fi
$ipt -A INPUT -i $_dev -p tcp --tcp-flags ALL ACK,RST,SYN,FIN -j DROP
$ipt -A INPUT -i $_dev -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
$ipt -A INPUT -i $_dev -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
if $kernel_activate_forwarding ; then
$ipt -A FORWARD -i $_dev -p tcp --tcp-flags ALL ACK,RST,SYN,FIN -j DROP
$ipt -A FORWARD -i $_dev -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
$ipt -A FORWARD -i $_dev -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
fi
done
# ---
# - Refuse private addresses on extern interfaces
# ---
# Refuse spoofed packets pretending to be from your IP address.
echononl "\tBlock spoofed (own ip) packets"
if $log_spoofed || $log_all ; then
# input
for _ip in ${ext_ip_arr[@]} ; do
$ipt -A INPUT -s $_ip -d $_ip -j $LOG_TARGET $tag_log_prefix "$log_prefix Spoofed (own ip):"
if $kernel_activate_forwarding ; then
$ipt -A FORWARD -s $_ip -d $_ip -j $LOG_TARGET $tag_log_prefix "$log_prefix Spoofed (own ip):"
fi
$ipt -t mangle -A PREROUTING -s $_ip -d $_ip -j $LOG_TARGET $tag_log_prefix "$log_prefix Spoofed (own ip): "
done
fi
for _ip in ${ext_ip_arr[@]} ; do
$ipt -A INPUT -s $_ip -d $_ip -j DROP
if $kernel_activate_forwarding ; then
$ipt -A FORWARD -s $_ip -d $_ip -j DROP
fi
$ipt -t mangle -A PREROUTING -s $_ip -d $_ip -j DROP
done
echo_done
# Refuse packets claiming to be from a
# Class A private network
# Class B private network
# Class C private network
# loopback interface
# Class D multicast address
# Class E reserved IP address
# broadcast address
# ---
# - Block spoofed (private/reserved) packets
# ---
echononl "\tBlock spoofed (private/reserved) packets"
for _dev in ${ext_if_arr[@]} ; do
if $log_spoofed || $log_all ; then
$ipt -A INPUT -i $_dev -s $priv_class_a -j $LOG_TARGET $tag_log_prefix "$log_prefix Class A private net:"
$ipt -A INPUT -i $_dev -s $priv_class_b -j $LOG_TARGET $tag_log_prefix "$log_prefix Class B private net:"
$ipt -A INPUT -i $_dev -s $priv_class_c -j $LOG_TARGET $tag_log_prefix "$log_prefix Class C private net:"
$ipt -A INPUT -i $_dev -s $loopback_ipv4 -j $LOG_TARGET $tag_log_prefix "$log_prefix From Loopback:"
$ipt -A INPUT -i $_dev -s $class_d_multicast -j $LOG_TARGET $tag_log_prefix "$log_prefix Class D Multicast:"
$ipt -A INPUT -i $_dev -s $class_e_reserved -j $LOG_TARGET $tag_log_prefix "$log_prefix Class E reserved:"
#$ipt -A INPUT -i $_dev -d $broadcast_addr -j $LOG_TARGET $tag_log_prefix "$log_prefix Broadcast Address:"
#
if $kernel_activate_forwarding ; then
$ipt -A FORWARD -i $_dev -s $priv_class_a -j $LOG_TARGET $tag_log_prefix "$log_prefix Class A private net:"
$ipt -A FORWARD -i $_dev -s $priv_class_b -j $LOG_TARGET $tag_log_prefix "$log_prefix Class B private net:"
$ipt -A FORWARD -i $_dev -s $priv_class_c -j $LOG_TARGET $tag_log_prefix "$log_prefix Class C private net:"
$ipt -A FORWARD -i $_dev -s $loopback_ipv4 -j $LOG_TARGET $tag_log_prefix "$log_prefix From Loopback:"
$ipt -A FORWARD -i $_dev -s $class_d_multicast -j $LOG_TARGET $tag_log_prefix "$log_prefix Class D Multicast:"
$ipt -A FORWARD -i $_dev -s $class_e_reserved -j $LOG_TARGET $tag_log_prefix "$log_prefix Class E reserved:"
#$ipt -A FORWARD -i $_dev -d $broadcast_addr -j $LOG_TARGET $tag_log_prefix "$log_prefix Broadcast Address:"
fi
fi
# Refuse packets claiming to be from a Class A private network.
$ipt -A INPUT -i $_dev -s $priv_class_a -j DROP
# Refuse packets claiming to be from a Class B private network.
$ipt -A INPUT -i $_dev -s $priv_class_b -j DROP
# Retfuse packets claiming to be from a Class C private network.
$ipt -A INPUT -i $_dev -s $priv_class_c -j DROP
# Refuse packets claiming to be from loopback interface.
$ipt -A INPUT -i $_dev -s $loopback_ipv4 -j DROP
# Refuse Class D multicast addresses. Multicast is illegal as a source address.
$ipt -A INPUT -i $_dev -s $class_d_multicast -j DROP
# Refuse Class E reserved IP addresses.
$ipt -A INPUT -i $_dev -s $class_e_reserved -j DROP
# Refuse broadcast address packets.
#$ipt -A INPUT -i $_dev -d $broadcast_addr -j DROP
if $kernel_activate_forwarding ; then
# Refuse packets claiming to be from a Class A private network.
$ipt -A FORWARD -i $_dev -s $priv_class_a -j DROP
# Refuse packets claiming to be from a Class B private network.
$ipt -A FORWARD -i $_dev -s $priv_class_b -j DROP
# Refuse packets claiming to be from a Class C private network.
$ipt -A FORWARD -i $_dev -s $priv_class_c -j DROP
# Refuse packets claiming to be from loopback interface.
$ipt -A FORWARD -i $_dev -s $loopback_ipv4 -j DROP
# Refuse Class D multicast addresses. Multicast is illegal as a source address.
$ipt -A FORWARD -i $_dev -s $class_d_multicast -j DROP
# Refuse Class E reserved IP addresses.
$ipt -A FORWARD -i $_dev -s $class_e_reserved -j DROP
# Refuse broadcast address packets.
#$ipt -A FORWARD -i $_dev -d $broadcast_addr -j DROP
/sbin/iptables -t mangle -A PREROUTING -i $_dev -s $class_d_multicast -j $LOG_TARGET $tag_log_prefix "$log_prefix Class D Multicast: "
/sbin/iptables -t mangle -A PREROUTING -i $_dev -s $link_local_rfc_5735 -j $LOG_TARGET $tag_log_prefix "$log_prefix link local block: "
/sbin/iptables -t mangle -A PREROUTING -i $_dev -s $priv_class_b -j $LOG_TARGET $tag_log_prefix "$log_prefix Class A private net: "
/sbin/iptables -t mangle -A PREROUTING -i $_dev -s $test_net_1_rfc_5735 -j $LOG_TARGET $tag_log_prefix "$log_prefix TEST-NET-1: "
/sbin/iptables -t mangle -A PREROUTING -i $_dev -s $priv_class_c -j $LOG_TARGET $tag_log_prefix "$log_prefix Class C private net: "
/sbin/iptables -t mangle -A PREROUTING -i $_dev -s $priv_class_a -j $LOG_TARGET $tag_log_prefix "$log_prefix Class A private net: "
/sbin/iptables -t mangle -A PREROUTING -i $_dev -s $this_net_rfc_5735 -j $LOG_TARGET $tag_log_prefix "$log_prefix THIS NET: "
/sbin/iptables -t mangle -A PREROUTING -i $_dev -s $class_e_reserved -j $LOG_TARGET $tag_log_prefix "$log_prefix Class E reserved: "
fi
done
if $log_spoofed || $log_all ; then
/sbin/iptables -t mangle -A PREROUTING -s $loopback_ipv4 ! -i lo -j $LOG_TARGET $tag_log_prefix "$log_prefix (loopback): "
fi
# ---
# - Refuse packets claiming to be to the loopback interface.
# ---
# Refusing packets claiming to be to the loopback interface protects against
# source quench, whereby a machine can be told to slow itself down by an icmp source
# quench to the loopback.
for _dev in ${ext_if_arr[@]} ; do
if $log_to_lo || $log_all ; then
$ipt -A INPUT -i $_dev -d $loopback_ipv4 -j $LOG_TARGET $tag_log_prefix "$log_prefix To Loopback:"
if $kernel_activate_forwarding ; then
$ipt -A FORWARD -i $_dev -d $loopback_ipv4 -j $LOG_TARGET $tag_log_prefix "$log_prefix To Loopback:"
fi
fi
$ipt -A INPUT -i $_dev -d $loopback_ipv4 -j DROP
if $kernel_activate_forwarding ; then
$ipt -A FORWARD -i $_dev -d $loopback_ipv4 -j DROP
fi
/sbin/iptables -t mangle -A PREROUTING -i $_dev -s $class_d_multicast -j DROP
/sbin/iptables -t mangle -A PREROUTING -i $_dev -s $link_local_rfc_5735 -j DROP
/sbin/iptables -t mangle -A PREROUTING -i $_dev -s $priv_class_b -j DROP
/sbin/iptables -t mangle -A PREROUTING -i $_dev -s $test_net_1_rfc_5735 -j DROP
/sbin/iptables -t mangle -A PREROUTING -i $_dev -s $priv_class_c -j DROP
/sbin/iptables -t mangle -A PREROUTING -i $_dev -s $priv_class_a -j DROP
/sbin/iptables -t mangle -A PREROUTING -i $_dev -s $this_net_rfc_5735 -j DROP
/sbin/iptables -t mangle -A PREROUTING -i $_dev -s $class_e_reserved -j DROP
done
/sbin/iptables -t mangle -A PREROUTING -s $loopback_ipv4 ! -i lo -j DROP
echo_done
# ---
# - Drop fragments in all chains
# ---
echononl "\tDrop fragments in all chains"
if $log_fragments || $log_all ; then
/sbin/iptables -t mangle -A PREROUTING -f -j $LOG_TARGET $tag_log_prefix "$log_prefix IPTABLES FRAGMENTS:"
fi
/sbin/iptables -t mangle -A PREROUTING -f -j DROP
echo_done
# ---
# - Drop ICMP all ICMP traffic (you usually don't need this protocol)
# ---
echononl "\tDrop all ICMP traffic.."
if [[ -n "$drop_icmp" ]] && $drop_icmp ; then
if $log_rejected || $log_all ; then
$ipt -t mangle -A PREROUTING -p icmp -j $LOG_TARGET $tag_log_prefix "$log_prefix Drop all ICMP traffic: "
fi
$ipt -t mangle -A PREROUTING -p icmp -j DROP
echo_done
fi
echo_skipped
# ---
# - Don't allow spoofing from that server
# ---
echo ""
echononl "\tDon't allow spoofing out from this server"
for _dev in ${ext_if_arr[@]} ; do
if $log_spoofed_out || $log_all ; then
$ipt -A OUTPUT -o $_dev -s $priv_class_a -j $LOG_TARGET $tag_log_prefix "$log_prefix out Class A:"
$ipt -A OUTPUT -o $_dev -s $priv_class_b -j $LOG_TARGET $tag_log_prefix "$log_prefix out Class B:"
$ipt -A OUTPUT -o $_dev -s $priv_class_c -j $LOG_TARGET $tag_log_prefix "$log_prefix out Class C:"
$ipt -A OUTPUT -o $_dev -s $link_local_rfc_5735 -j $LOG_TARGET $tag_log_prefix "$log_prefix out link local block:"
$ipt -A OUTPUT -o $_dev -s $test_net_1_rfc_5735 -j $LOG_TARGET $tag_log_prefix "$log_prefix out TEST-NET-1:"
$ipt -A OUTPUT -o $_dev -s $this_net_rfc_5735 -j $LOG_TARGET $tag_log_prefix "$log_prefix out THIS NET:"
$ipt -A OUTPUT -o $_dev -s $loopback_ipv4 -j $LOG_TARGET $tag_log_prefix "$log_prefix out Loopback:"
if $kernel_activate_forwarding ; then
$ipt -A FORWARD -o $_dev -s $priv_class_a -j $LOG_TARGET $tag_log_prefix "$log_prefix out Class A:"
$ipt -A FORWARD -o $_dev -s $priv_class_b -j $LOG_TARGET $tag_log_prefix "$log_prefix out Class B:"
$ipt -A FORWARD -o $_dev -s $priv_class_c -j $LOG_TARGET $tag_log_prefix "$log_prefix out Class C:"
$ipt -A FORWARD -o $_dev -s $link_local_rfc_5735 -j $LOG_TARGET $tag_log_prefix "$log_prefix out link local block:"
$ipt -A FORWARD -o $_dev -s $test_net_1_rfc_5735 -j $LOG_TARGET $tag_log_prefix "$log_prefix out TEST-NET-1:"
$ipt -A FORWARD -o $_dev -s $this_net_rfc_5735 -j $LOG_TARGET $tag_log_prefix "$log_prefix out THIS NET:"
$ipt -A FORWARD -o $_dev -s $loopback_ipv4 -j $LOG_TARGET $tag_log_prefix "$log_prefix out Loopback:"
fi
fi
$ipt -A OUTPUT -o $_dev -s $priv_class_a -j DROP
$ipt -A OUTPUT -o $_dev -s $priv_class_b -j DROP
$ipt -A OUTPUT -o $_dev -s $priv_class_c -j DROP
$ipt -A OUTPUT -o $_dev -s $link_local_rfc_5735 -j DROP
$ipt -A OUTPUT -o $_dev -s $test_net_1_rfc_5735 -j DROP
$ipt -A OUTPUT -o $_dev -s $this_net_rfc_5735 -j DROP
$ipt -A OUTPUT -o $_dev -s $loopback_ipv4 -j DROP
if $kernel_activate_forwarding ; then
$ipt -A FORWARD -o $_dev -s $priv_class_a -j DROP
$ipt -A FORWARD -o $_dev -s $priv_class_b -j DROP
$ipt -A FORWARD -o $_dev -s $priv_class_c -j DROP
$ipt -A FORWARD -o $_dev -s $link_local_rfc_5735 -j DROP
$ipt -A FORWARD -o $_dev -s $test_net_1_rfc_5735 -j DROP
$ipt -A FORWARD -o $_dev -s $this_net_rfc_5735 -j DROP
$ipt -A FORWARD -o $_dev -s $loopback_ipv4 -j DROP
fi
done
echo_done
# ---
# - Protection against syn-flooding
# ---
echo
echononl "\tProtection against syn-flooding"
$ipt -N syn-flood
$ipt -A syn-flood -m limit --limit 1/second --limit-burst 3 -j RETURN
if $log_syn_flood || $log_all ; then
$ipt -A syn-flood -j $LOG_TARGET $tag_log_prefix "$log_prefix SYN flood:"
fi
$ipt -A syn-flood -j DROP
echo_done
# ---
# - Protection against port scanning
# ---
echononl "\tProtection against port scanning"
$ipt -N port-scanning
$ipt -A port-scanning -p tcp --tcp-flags SYN,ACK,FIN,RST RST -m limit --limit 1/s --limit-burst 2 -j RETURN
if $log_port_scanning || $log_all ; then
$ipt -A port-scanning -j $LOG_TARGET $tag_log_prefix "$log_prefix Port Scan:"
fi
$ipt -A port-scanning -j DROP
echo_done
# ---
# - Protection against SSH brute-force attacks
# ---
echononl "\tProtection against SSH brute-force attacks"
$ipt -A INPUT -p tcp --dport ssh -m conntrack --ctstate NEW -m recent --set
if $log_ssh_brute_force || $log_all ; then
$ipt -A INPUT -p tcp --dport ssh -m conntrack --ctstate NEW -m recent --update --seconds 60 --hitcount 10 -j $LOG_TARGET $tag_log_prefix "$log_prefix SSH brute-force:"
fi
$ipt -A INPUT -p tcp --dport ssh -m conntrack --ctstate NEW -m recent --update --seconds 60 --hitcount 10 -j DROP
echo_done
# ---
# - Limit connections per source IP
# ---
echononl "\tLimit connections per source IP"
if $log_rejected || $log_all ; then
$ipt -A INPUT -p tcp -m connlimit --connlimit-above 111 -j $LOG_TARGET $tag_log_prefix "$log_prefix CONN limit per IP:"
fi
$ipt -A INPUT -p tcp -m connlimit --connlimit-above 111 -j REJECT --reject-with tcp-reset
echo_done
# ---
# - Limit RST packets
# ---
echononl "\tLimit RST packets"
$ipt -A INPUT -p tcp --tcp-flags RST RST -m limit --limit 2/s --limit-burst 2 -j ACCEPT
if $log_rejected || $log_all ; then
$ipt -A INPUT -p tcp --tcp-flags RST RST -j $LOG_TARGET $tag_log_prefix "$log_prefix Limit RST packets: "
fi
$ipt -A INPUT -p tcp --tcp-flags RST RST -j DROP
echo_done
# ---
# - Limit new TCP connections per second per source IP
# ---
echononl "\tLimit new TCP connections per second per source IP"
$ipt -A INPUT -p tcp -m conntrack --ctstate NEW -m limit --limit 60/s --limit-burst 20 -j ACCEPT
if $log_rejected || $log_all ; then
$ipt -A INPUT -p tcp -m conntrack --ctstate NEW -j $LOG_TARGET $tag_log_prefix "$log_prefix Limit new TCP conn's: "
fi
$ipt -A INPUT -p tcp -m conntrack --ctstate NEW -j DROP
echo_done
# ---
# - Use SYNPROXY on all ports (disables connection limiting rule)
# ---
#echononl "\tUse SYNPROXY on all ports (disables connection limiting rule)"
#$ipt -t raw -A PREROUTING -p tcp -m tcp --syn -j CT --notrack
#$ipt -A INPUT -p tcp -m tcp -m conntrack --ctstate INVALID,UNTRACKED -j SYNPROXY --sack-perm --timestamp --wscale 7 --mss 1460
#$ipt -A INPUT -m conntrack --ctstate INVALID -j DROP
#echo_done
# -------------
# ------------- Stopping firewall here if requested (parameter stop)
# -------------
@ -2447,11 +2502,11 @@ if $log_rejected || $log_all ; then
#$ipt -A OUTPUT -j $LOG_TARGET $tag_log_prefix "$log_prefix Rejected:"
#$ipt -A INPUT -j $LOG_TARGET $tag_log_prefix "$log_prefix Rejected:"
#$ipt -A FORWARD -j $LOG_TARGET $tag_log_prefix "$log_prefix Rejected:"
$ipt -A OUTPUT -m limit --limit-burst 5 -j $LOG_TARGET $tag_log_prefix "$log_prefix Rejected:"
$ipt -A INPUT -m limit --limit-burst 5 -j $LOG_TARGET $tag_log_prefix "$log_prefix Rejected:"
$ipt -A OUTPUT -m limit --limit-burst 5 -j $LOG_TARGET $tag_log_prefix "$log_prefix Rejected (end of firewall):"
$ipt -A INPUT -m limit --limit-burst 5 -j $LOG_TARGET $tag_log_prefix "$log_prefix Rejected (end of firewall):"
if $kernel_activate_forwarding ; then
#$ipt -A FORWARD -j $LOG_TARGET $tag_log_prefix "$log_prefix Rejected:"
$ipt -A FORWARD -m limit --limit-burst 5 -j $LOG_TARGET $tag_log_prefix "$log_prefix Rejected:"
$ipt -A FORWARD -m limit --limit-burst 5 -j $LOG_TARGET $tag_log_prefix "$log_prefix Rejected (end of firewall):"
fi
echo_done
else