From: <hur...@us...> - 2003-11-12 23:18:42
Update of /cvsroot/routingtools/tools/rc.d In directory sc8-pr-cvs1:/tmp/cvs-serv2398/rc.d Modified Files: firewall Log Message: - tuned reject icmp messages - added a connection rate limiter - ability to block hostile hosts/nets Index: firewall =================================================================== RCS file: /cvsroot/routingtools/tools/rc.d/firewall,v retrieving revision 1.25 retrieving revision 1.26 diff -C2 -d -r1.25 -r1.26 *** firewall 23 Sep 2003 09:43:11 -0000 1.25 --- firewall 12 Nov 2003 23:18:35 -0000 1.26 *************** *** 68,78 **** $IPTABLES -A LogDrop -j DROP $IPTABLES -N LogReject $IPTABLES -A LogReject -m limit -j LOG --log-prefix "Spy packet from local: " ! $IPTABLES -A LogReject -j REJECT --reject-with icmp-host-unreachable $IPTABLES -N LogForward $IPTABLES -A LogForward -m limit -j LOG --log-prefix "Rejecting from inside: " ! $IPTABLES -A LogForward -j REJECT --reject-with icmp-host-prohibited echo -e "$rc_done" --- 68,86 ---- $IPTABLES -A LogDrop -j DROP + $IPTABLES -N LogHostile + $IPTABLES -A LogHostile -m limit -j LOG --log-prefix "Hostile host: " + $IPTABLES -A LogHostile -j DROP + $IPTABLES -N LogReject $IPTABLES -A LogReject -m limit -j LOG --log-prefix "Spy packet from local: " ! $IPTABLES -A LogReject -j REJECT --reject-with icmp-host-prohibited $IPTABLES -N LogForward $IPTABLES -A LogForward -m limit -j LOG --log-prefix "Rejecting from inside: " ! $IPTABLES -A LogForward -j REJECT --reject-with icmp-net-unreachable ! ! $IPTABLES -N LogRate ! $IPTABLES -A LogRate -j LOG --log-prefix "Rate exceeded: " ! 
$IPTABLES -A LogRate -j REJECT --reject-with icmp-port-unreachable echo -e "$rc_done" *************** *** 149,152 **** --- 157,178 ---- echo -e "$rc_done" + # create connection rate limiter + + echo -n " rate limiter " + + $IPTABLES -N RateLimiter + + for suffix in $FW_RATES; do + eval FW_RATE=\$FW_RATE$suffix + echo $FW_RATE | if read port rate burst; then + $IPTABLES -A RateLimiter -m limit --limit $rate --limit-burst $burst -p tcp --dport $port -j RETURN + $IPTABLES -A RateLimiter -p tcp --dport $port -j LogRate + fi + done + + $IPTABLES -A RateLimiter -j RETURN + + echo -e "$rc_done" + # create packet filter *************** *** 164,167 **** --- 190,199 ---- $IPTABLES -A Block -m unclean -j LogDrop + for host in $FW_HOSTILE; do + $IPTABLES -A Block -s $host -j LogHostile + done + + $IPTABLES -A Block -m state --state NEW -p tcp -j RateLimiter + for port in $FW_REJECT_TCPPORTS; do $IPTABLES -A Block -p tcp --dport $port -j REJECT *************** *** 263,267 **** $IPTABLES -t nat -F OUTPUT ! for chain in Policy Block SpyBlock LogDrop LogReject LogForward LogUnknown; do $IPTABLES -F $chain $IPTABLES -X $chain --- 295,299 ---- $IPTABLES -t nat -F OUTPUT ! for chain in Policy Block SpyBlock RateLimiter LogDrop LogReject LogForward LogUnknown LogRate LogHostile; do $IPTABLES -F $chain $IPTABLES -X $chain *************** *** 312,315 **** --- 344,352 ---- # # $Log$ + # Revision 1.26 2003/11/12 23:18:35 hurikhan + # - tuned reject icmp messages + # - added a connection rate limiter + # - ability to block hostile hosts/nets + # # Revision 1.25 2003/09/23 09:43:11 hurikhan # - added mss clamping to forwarding rules to make big packets passing the |
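Review bot: The new LogRate chain's LOG rule has no `-m limit`, unlike every other Log* chain in this hunk (LogDrop, LogHostile, LogReject, LogForward all rate-limit their LOG). LogRate is reached exactly when a port's connection rate has been exceeded, so each excess SYN produces a kernel log line and a connection flood becomes a log flood. The consistent line is `$IPTABLES -A LogRate -m limit -j LOG --log-prefix "Rate exceeded: "`. The ICMP type changes on LogReject/LogForward look intentional and match the log message.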
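Review bot: In the rate limiter loop, `read port rate burst` returns success even when the FW_RATE<suffix> entry has fewer than three fields, so a misconfigured entry runs `--limit-burst` with an empty argument, iptables aborts that rule, and the RateLimiter chain is left partly built while the script continues. Guarding the branch with `if read port rate burst && [ -n "$burst" ]; then` (and reporting the bad entry to stderr) keeps a configuration typo from silently disabling part of the limiter. The `eval FW_RATE=\$FW_RATE$suffix` indirection also trusts `$suffix` verbatim; since FW_RATES presumably comes from the already-sourced config this is acceptable, but a comment saying so would help the next reader. The surrounding setup block begins and ends outside the hunk.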