From 6b9ef23305521b01b73e65f4eb9ccf2a895245d4 Mon Sep 17 00:00:00 2001
From: Sven Göthel
Date: Mon, 3 Jun 2024 08:31:09 +0200
Subject: firewall: rate-limit drop on bad-bots

---
 .../02-firewall/etc/iptables/ip4tables_bad_fwdmz_good-secure | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)

diff --git a/server/setup/02-firewall/etc/iptables/ip4tables_bad_fwdmz_good-secure b/server/setup/02-firewall/etc/iptables/ip4tables_bad_fwdmz_good-secure
index f6b1ad1..e104598 100755
--- a/server/setup/02-firewall/etc/iptables/ip4tables_bad_fwdmz_good-secure
+++ b/server/setup/02-firewall/etc/iptables/ip4tables_bad_fwdmz_good-secure
@@ -36,6 +36,7 @@ elif [ "$action" = "stop" ] ; then
 $IPTABLES -F acl_srv_shared
 $IPTABLES -F acl_srv_email
 $IPTABLES -F acl_srv_login_sec
+ $IPTABLES -F log_and_drop
 
 $IPTABLES -F INPUT
 $IPTABLES -F FORWARD
@@ -45,6 +46,7 @@ elif [ "$action" = "stop" ] ; then
 $IPTABLES -X acl_srv_shared
 $IPTABLES -X acl_srv_email
 $IPTABLES -X acl_srv_login_sec
+ $IPTABLES -X log_and_drop
 
 $IPTABLES -P INPUT ACCEPT
 $IPTABLES -P FORWARD ACCEPT
@@ -96,6 +98,7 @@ elif [ "$action" = "start" ] ; then
 $IPTABLES -N acl_srv_shared
 $IPTABLES -N acl_srv_email
 $IPTABLES -N acl_srv_login_sec
+ $IPTABLES -N log_and_drop
 
 ###################################################################
 ###################################################################
@@ -160,9 +163,12 @@ elif [ "$action" = "start" ] ; then
 # acl_extern_
 #
 
+ $IPTABLES -p all -A log_and_drop -m limit --limit 1/s -j LOG --log-level debug --log-prefix "FW4-FWD: drop acl_ext input "
+ $IPTABLES -p all -A log_and_drop -j DROP
+
 ipaddr_file=$(dirname $0)/badbots_ipaddr.txt
 for ipaddr in `awk -e ' { i=index($1,"#"); if ( 0 == i ) { print $1; } } ' $ipaddr_file` ; do
- $IPTABLES -p all -A acl_external_input -s $ipaddr -j RETURN
+ $IPTABLES -p all -A acl_external_input -s $ipaddr -j log_and_drop
 done
 
 
-- 
cgit v1.2.3
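Review bot: The `-m limit --limit 1/s` on the first new log_and_drop rule throttles only the LOG, not the DROP — every packet sent to the chain still reaches the unconditional DROP on the second line, and the limit (kernel default burst of 5, since no `--limit-burst` is given) is shared by every source that reaches the chain, so when many listed addresses hit at once most drops go unlogged; a one-line comment above the two rules would make that explicit, e.g. `# log_and_drop: LOG at most 1/s (burst 5, shared across all sources), then DROP unconditionally`. `--log-level debug` emits kern.debug messages, which the default syslog/journald filtering on several distributions does not retain, so confirm the `FW4-FWD:` prefixed lines actually land where you expect or raise the level to `info`. The prefix says FWD while the target chain is named acl_external_input; I cannot see from this hunk which built-in chain hooks acl_external_input, so it is worth checking that the prefix matches the hook. The loop body still hands each `$ipaddr` from badbots_ipaddr.txt to iptables unquoted and unvalidated, and unless the script enables `set -e` outside this hunk a malformed entry makes that single `-A` fail silently while the address stays unblocked — consider `$IPTABLES -p all -A acl_external_input -s "$ipaddr" -j log_and_drop || echo "badbots: rejected entry '$ipaddr'" >&2`. The for loop is complete within the hunk, but the enclosing start branch begins outside it.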