				@@ -482,4 +482,29 @@ function firewall_drop_spoofed_packets { 
			 | 
		
	
		
			
			| 
				482
			 | 
			
				482
			 | 
			
			
				     mark_completed $FUNCNAME 
			 | 
		
	
		
			
			| 
				483
			 | 
			
				483
			 | 
			
			
				 } 
			 | 
		
	
		
			
			| 
				484
			 | 
			
				484
			 | 
			
			
				  
			 | 
		
	
		
			
			| 
				
			 | 
			
				485
			 | 
			
			
				+function firewall_rate_limits { 
			 | 
		
	
		
			
			| 
				
			 | 
			
				486
			 | 
			
			
				+    if [[ $(is_completed $FUNCNAME) == "1" ]]; then 
			 | 
		
	
		
			
			| 
				
			 | 
			
				487
			 | 
			
			
				+        return 
			 | 
		
	
		
			
			| 
				
			 | 
			
				488
			 | 
			
			
				+    fi 
			 | 
		
	
		
			
			| 
				
			 | 
			
				489
			 | 
			
			
				+ 
			 | 
		
	
		
			
			| 
				
			 | 
			
				490
			 | 
			
			
				+    # Limit connections per source IP 
			 | 
		
	
		
			
			| 
				
			 | 
			
				491
			 | 
			
			
				+    iptables -A INPUT -p tcp -m connlimit --connlimit-above 111 -j REJECT --reject-with tcp-reset 
			 | 
		
	
		
			
			| 
				
			 | 
			
				492
			 | 
			
			
				+ 
			 | 
		
	
		
			
			| 
				
			 | 
			
				493
			 | 
			
			
				+    # Limit RST packets 
			 | 
		
	
		
			
			| 
				
			 | 
			
				494
			 | 
			
			
				+    iptables -A INPUT -p tcp --tcp-flags RST RST -m limit --limit 2/s --limit-burst 2 -j ACCEPT 
			 | 
		
	
		
			
			| 
				
			 | 
			
				495
			 | 
			
			
				+    iptables -A INPUT -p tcp --tcp-flags RST RST -j DROP 
			 | 
		
	
		
			
			| 
				
			 | 
			
				496
			 | 
			
			
				+ 
			 | 
		
	
		
			
			| 
				
			 | 
			
				497
			 | 
			
			
				+    # Limit new TCP connections per second per source IP 
			 | 
		
	
		
			
			| 
				
			 | 
			
				498
			 | 
			
			
				+    iptables -A INPUT -p tcp -m conntrack --ctstate NEW -m limit --limit 60/s --limit-burst 20 -j ACCEPT 
			 | 
		
	
		
			
			| 
				
			 | 
			
				499
			 | 
			
			
				+    iptables -A INPUT -p tcp -m conntrack --ctstate NEW -j DROP 
			 | 
		
	
		
			
			| 
				
			 | 
			
				500
			 | 
			
			
				+ 
			 | 
		
	
		
			
			| 
				
			 | 
			
				501
			 | 
			
			
				+    # SSH brute-force protection 
			 | 
		
	
		
			
			| 
				
			 | 
			
				502
			 | 
			
			
				+    iptables -A INPUT -p tcp --dport ssh -m conntrack --ctstate NEW -m recent --set 
			 | 
		
	
		
			
			| 
				
			 | 
			
				503
			 | 
			
			
				+    iptables -A INPUT -p tcp --dport ssh -m conntrack --ctstate NEW -m recent --update --seconds 60 --hitcount 10 -j DROP 
			 | 
		
	
		
			
			| 
				
			 | 
			
				504
			 | 
			
			
				+ 
			 | 
		
	
		
			
			| 
				
			 | 
			
				505
			 | 
			
			
				+    function_check save_firewall_settings 
			 | 
		
	
		
			
			| 
				
			 | 
			
				506
			 | 
			
			
				+    save_firewall_settings 
			 | 
		
	
		
			
			| 
				
			 | 
			
				507
			 | 
			
			
				+    mark_completed $FUNCNAME 
			 | 
		
	
		
			
			| 
				
			 | 
			
				508
			 | 
			
			
				+} 
			 | 
		
	
		
			
			| 
				
			 | 
			
				509
			 | 
			
			
				+ 
			 | 
		
	
		
			
			| 
				485
			 | 
			
				510
			 | 
			
			
				 # NOTE: deliberately no exit 0 