Update of /cvsroot/routingtools/tools/rc.d
In directory sc8-pr-cvs1:/tmp/cvs-serv2398/rc.d
Modified Files:
firewall
Log Message:
- tuned reject icmp messages
- added a connection rate limiter
- ability to block hostile hosts/nets
Index: firewall
===================================================================
RCS file: /cvsroot/routingtools/tools/rc.d/firewall,v
retrieving revision 1.25
retrieving revision 1.26
diff -C2 -d -r1.25 -r1.26
*** firewall 23 Sep 2003 09:43:11 -0000 1.25
--- firewall 12 Nov 2003 23:18:35 -0000 1.26
***************
*** 68,78 ****
$IPTABLES -A LogDrop -j DROP
$IPTABLES -N LogReject
$IPTABLES -A LogReject -m limit -j LOG --log-prefix "Spy packet from local: "
! $IPTABLES -A LogReject -j REJECT --reject-with icmp-host-unreachable
$IPTABLES -N LogForward
$IPTABLES -A LogForward -m limit -j LOG --log-prefix "Rejecting from inside: "
! $IPTABLES -A LogForward -j REJECT --reject-with icmp-host-prohibited
echo -e "$rc_done"
--- 68,86 ----
$IPTABLES -A LogDrop -j DROP
+ $IPTABLES -N LogHostile
+ $IPTABLES -A LogHostile -m limit -j LOG --log-prefix "Hostile host: "
+ $IPTABLES -A LogHostile -j DROP
+
$IPTABLES -N LogReject
$IPTABLES -A LogReject -m limit -j LOG --log-prefix "Spy packet from local: "
! $IPTABLES -A LogReject -j REJECT --reject-with icmp-host-prohibited
$IPTABLES -N LogForward
$IPTABLES -A LogForward -m limit -j LOG --log-prefix "Rejecting from inside: "
! $IPTABLES -A LogForward -j REJECT --reject-with icmp-net-unreachable
!
! $IPTABLES -N LogRate
! $IPTABLES -A LogRate -j LOG --log-prefix "Rate exceeded: "
! $IPTABLES -A LogRate -j REJECT --reject-with icmp-port-unreachable
echo -e "$rc_done"
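Review bot: The new LogRate chain logs without `-m limit`, unlike LogDrop, LogReject and LogForward a few lines above, so every packet that trips the rate limiter produces a log line — and the rate limiter fires precisely during a connection flood, so the log itself becomes the amplification target. Bring it in line with the sibling chains: `$IPTABLES -A LogRate -m limit -j LOG --log-prefix "Rate exceeded: "`. The new LogHostile chain already follows the limited pattern, so only LogRate needs the change.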
***************
*** 149,152 ****
--- 157,178 ----
echo -e "$rc_done"
+ # create connection rate limiter
+
+ echo -n " rate limiter "
+
+ $IPTABLES -N RateLimiter
+
+ for suffix in $FW_RATES; do
+ eval FW_RATE=\$FW_RATE$suffix
+ echo $FW_RATE | if read port rate burst; then
+ $IPTABLES -A RateLimiter -m limit --limit $rate --limit-burst $burst -p tcp --dport $port -j RETURN
+ $IPTABLES -A RateLimiter -p tcp --dport $port -j LogRate
+ fi
+ done
+
+ $IPTABLES -A RateLimiter -j RETURN
+
+ echo -e "$rc_done"
+
# create packet filter
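Review bot: Each `-m limit --limit $rate --limit-burst $burst` rule is a single token bucket per port shared by all sources, so one host exceeding the rate causes every other client's new connections to that port to be rejected until the bucket refills; this limits load but also lets a single sender lock legitimate users out, and is worth stating in a comment above the loop (`# NOTE: the limit is global per port, not per source`), or replaced with a per-source match if the installed iptables offers one. The guard `if read port rate burst` also succeeds when the FW_RATE value has fewer than three fields, in which case the empty `$burst` drops out of the unquoted command line and iptables fails on the rule at load time; tightening it to `if read port rate burst && [ -n "$burst" ]; then` rejects malformed entries up front. The `eval FW_RATE=\$FW_RATE$suffix` indirection can be written without eval as `name=FW_RATE$suffix; FW_RATE=${!name}`, assuming the target bash supports `${!name}`.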
***************
*** 164,167 ****
--- 190,199 ----
$IPTABLES -A Block -m unclean -j LogDrop
+ for host in $FW_HOSTILE; do
+ $IPTABLES -A Block -s $host -j LogHostile
+ done
+
+ $IPTABLES -A Block -m state --state NEW -p tcp -j RateLimiter
+
for port in $FW_REJECT_TCPPORTS; do
$IPTABLES -A Block -p tcp --dport $port -j REJECT
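Review bot: The new `-s $host` rules accept whatever appears in FW_HOSTILE, and iptables resolves a non-numeric entry via DNS once at load time, so a hostname in a list of hostile hosts both depends on the resolver at boot and silently freezes to whatever address it returned; a comment such as `# FW_HOSTILE: numeric addresses or CIDR nets only — names are resolved once at load time` documents the expectation. Where the Block chain is hooked (INPUT only, or FORWARD as well) is outside this hunk; if it only sees input traffic, forwarded connections from the same hosts are not covered by this list, which the configuration documentation should state. Placing the hostile rules before the `-j RateLimiter` jump is correct, since dropped sources then do not consume the shared limit bucket.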
***************
*** 263,267 ****
$IPTABLES -t nat -F OUTPUT
! for chain in Policy Block SpyBlock LogDrop LogReject LogForward LogUnknown; do
$IPTABLES -F $chain
$IPTABLES -X $chain
--- 295,299 ----
$IPTABLES -t nat -F OUTPUT
! for chain in Policy Block SpyBlock RateLimiter LogDrop LogReject LogForward LogUnknown LogRate LogHostile; do
$IPTABLES -F $chain
$IPTABLES -X $chain
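Review bot: The extended chain list relies on an implicit ordering constraint: `-X` refuses to delete a chain that another chain still jumps to, so RateLimiter must be deleted before LogRate and Block before RateLimiter and LogHostile, which the new order satisfies but nothing says so. A comment above the loop, `# order matters: delete a chain only after every chain that jumps to it has been deleted`, would keep the next addition from breaking teardown. The rest of the stop sequence is outside the hunk.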
***************
*** 312,315 ****
--- 344,352 ----
#
# $Log$
+ # Revision 1.26 2003/11/12 23:18:35 hurikhan
+ # - tuned reject icmp messages
+ # - added a connection rate limiter
+ # - ability to block hostile hosts/nets
+ #
# Revision 1.25 2003/09/23 09:43:11 hurikhan
# - added mss clamping to forwarding rules to make big packets passing the