new file 100644
table filter {
chain INPUT {
policy DROP;
interface lo ACCEPT;
# Make sure not to allow flooding via ICMP ping packages by sending them
# to flood chain before state module kicks in.
proto icmp icmp-type echo-request jump flood;
mod state state (ESTABLISHED RELATED) ACCEPT;
# For TCP packages we perform floods checks after state module took care
# of established and related connections.
proto tcp tcp-flags (FIN SYN RST ACK) SYN jump flood;
# Accept some common incoming connections.
proto icmp icmp-type echo-request ACCEPT;
proto tcp dport 22 ACCEPT;
}
# The flood chain is used for controlling the rate of the incoming connections.
chain flood {
# Rate-limit the ping requests.
proto icmp icmp-type echo-request {
mod hashlimit hashlimit {{ incoming_connection_limit }} hashlimit-burst {{ incoming_connection_limit_burst }}
hashlimit-mode srcip hashlimit-name icmp RETURN;
DROP;
}
# Rate-limit the TCP connections.
proto tcp tcp-flags (FIN SYN RST ACK) SYN {
mod hashlimit hashlimit {{ incoming_connection_limit }} hashlimit-burst {{ incoming_connection_limit_burst }}
hashlimit-mode srcip hashlimit-name icmp RETURN;
LOG;
DROP;
}
}
}
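Review bot: The TCP SYN rate-limit rule in chain flood reuses `hashlimit-name icmp`, the same table name as the echo-request rule above it, so SYNs and pings from one source IP are counted in a single hashlimit bucket and a burst of either consumes the other's budget; the TCP rule should get its own table, e.g. `hashlimit-mode srcip hashlimit-name tcp_syn RETURN;`. The `LOG;` that follows is itself unbounded: once a source exceeds the limit, every further SYN from it produces a log entry, which turns a SYN flood into a log-volume problem for the host, so it should be limited and tagged, e.g. `mod limit limit 5/minute LOG log-prefix "ferm flood: ";`. The two hashlimit lines also only make sense with a unit in the rendered value (iptables expects a rate such as 5/sec), which the template variables here do not make visible; a short comment above `chain flood` stating the expected format of `incoming_connection_limit` would help whoever fills in the variables.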