From bde41a1f21a88b765807a1c4aceedd2d00344cd5 Mon Sep 17 00:00:00 2001
From: Bob Mottram <bob@freedombone.net>
Date: Tue, 25 Apr 2017 13:45:44 +0100
Subject: [PATCH] Re-introduce rate limits on the firewall

---
 src/freedombone-utils-firewall | 25 +++++++++++++++++++++++++
 src/freedombone-utils-setup    |  3 +++
 2 files changed, 28 insertions(+)

diff --git a/src/freedombone-utils-firewall b/src/freedombone-utils-firewall
index 481b6158a..3cf55736f 100755
--- a/src/freedombone-utils-firewall
+++ b/src/freedombone-utils-firewall
@@ -482,4 +482,29 @@ function firewall_drop_spoofed_packets {
     mark_completed $FUNCNAME
 }
 
+function firewall_rate_limits {
+    if [[ $(is_completed $FUNCNAME) == "1" ]]; then
+        return
+    fi
+
+    # Limit connections per source IP
+    iptables -A INPUT -p tcp -m connlimit --connlimit-above 111 -j REJECT --reject-with tcp-reset
+
+    # Limit RST packets
+    iptables -A INPUT -p tcp --tcp-flags RST RST -m limit --limit 2/s --limit-burst 2 -j ACCEPT
+    iptables -A INPUT -p tcp --tcp-flags RST RST -j DROP
+
+    # Limit new TCP connections per second per source IP
+    iptables -A INPUT -p tcp -m conntrack --ctstate NEW -m limit --limit 60/s --limit-burst 20 -j ACCEPT
+    iptables -A INPUT -p tcp -m conntrack --ctstate NEW -j DROP
+
+    # SSH brute-force protection
+    iptables -A INPUT -p tcp --dport ssh -m conntrack --ctstate NEW -m recent --set
+    iptables -A INPUT -p tcp --dport ssh -m conntrack --ctstate NEW -m recent --update --seconds 60 --hitcount 10 -j DROP
+
+    function_check save_firewall_settings
+    save_firewall_settings
+    mark_completed $FUNCNAME
+}
+
 # NOTE: deliberately no exit 0
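Review bot: The comment on the new-connection rules says "per second per source IP", but `-m limit` keeps a single global token bucket, so one remote host opening connections fast enough drains the bucket and the following unconditional `--ctstate NEW -j DROP` then rejects new TCP connections from every other client; the rate limit becomes a self-inflicted denial of service. A per-source limit needs the hashlimit match, e.g. replace the two rules with `iptables -A INPUT -p tcp -m conntrack --ctstate NEW -m hashlimit --hashlimit-mode srcip --hashlimit-above 60/s --hashlimit-burst 20 --hashlimit-name tcp_new -j DROP`, or at least correct the comment so a maintainer does not assume per-source isolation. The RST pair above it has the same global-bucket property, so a burst of RSTs from one peer causes legitimate RSTs from other peers to be dropped and their connections to linger. The SSH pair uses `--dport ssh`, which resolves through /etc/services to port 22; if the project configures a different SSH port elsewhere, these rules would not match it, so the variable holding the configured port should be used here instead.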
diff --git a/src/freedombone-utils-setup b/src/freedombone-utils-setup
index b4778161d..63c45fb3f 100755
--- a/src/freedombone-utils-setup
+++ b/src/freedombone-utils-setup
@@ -567,6 +567,9 @@ function setup_firewall {
     function_check firewall_drop_spoofed_packets
     firewall_drop_spoofed_packets
 
+    function_check firewall_rate_limits
+    firewall_rate_limits
+
     function_check configure_firewall_for_dns
     configure_firewall_for_dns
 
-- 
GitLab