From 99ea4478e124550e70654db04a0bff46fa3a99b0 Mon Sep 17 00:00:00 2001
From: Felix Fietkau
Date: Tue, 30 Jan 2007 08:53:51 +0000
Subject: [PATCH] add a limit on the number of new connections per second to prevent hosts on the lan from being able to fill the conntrack table in just a few seconds
SVN-Revision: 6229
---
 openwrt/package/iptables/files/firewall.init | 5 +++++
 openwrt/target/linux/linux-2.4/config/brcm | 2 +-
 2 files changed, 6 insertions(+), 1 deletion(-)
diff --git a/openwrt/package/iptables/files/firewall.init b/openwrt/package/iptables/files/firewall.init
index 71e5036135..7f161c9967 100755
--- a/openwrt/package/iptables/files/firewall.init
+++ b/openwrt/package/iptables/files/firewall.init
@@ -19,6 +19,7 @@ iptables -N output_rule
 iptables -N forwarding_rule
 iptables -N forwarding_wan
+iptables -t nat -N NEW
 iptables -t nat -N prerouting_wan
 iptables -t nat -N prerouting_rule
 iptables -t nat -N postrouting_rule
@@ -95,12 +96,16 @@ iptables -A LAN_ACCEPT -j ACCEPT
 # uses the default -P DROP
 ### MASQ
+ iptables -t nat -A PREROUTING -m state --state NEW -j NEW
 iptables -t nat -A PREROUTING -j prerouting_rule
 iptables -t nat -A PREROUTING -i $WAN -j prerouting_wan
 iptables -t nat -A POSTROUTING -j postrouting_rule
 iptables -t nat -A POSTROUTING -o $WAN -j MASQUERADE
+ iptables -t nat -A NEW -m limit --limit 50 --limit-burst 100 -j RETURN && \
+ iptables -t nat -A NEW -j DROP
+
 ## USER RULES
 [ -f /etc/firewall.user ] && . /etc/firewall.user
 [ -e /etc/config/firewall ] && {
diff --git a/openwrt/target/linux/linux-2.4/config/brcm b/openwrt/target/linux/linux-2.4/config/brcm
index 3c25bd2741..d1bfc8e6dc 100644
--- a/openwrt/target/linux/linux-2.4/config/brcm
+++ b/openwrt/target/linux/linux-2.4/config/brcm
@@ -363,7 +363,7 @@ CONFIG_IP_NF_H323=m
 CONFIG_IP_NF_RTSP=m
 CONFIG_IP_NF_QUEUE=m
 CONFIG_IP_NF_IPTABLES=y
-CONFIG_IP_NF_MATCH_LIMIT=m
+CONFIG_IP_NF_MATCH_LIMIT=y
 CONFIG_IP_NF_MATCH_MAC=m
 CONFIG_IP_NF_MATCH_PKTTYPE=m
 CONFIG_IP_NF_MATCH_MARK=y
-- 
2.30.2
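Review bot: The `-m limit` bucket in the NEW chain is one global counter shared by every source, so a single LAN host that exceeds 50 new connections per second uses up the whole allowance and the new connections of every other host are dropped with it; the per-host framing in the commit message does not match what the second hunk installs. Because the jump `iptables -t nat -A PREROUTING -m state --state NEW -j NEW` carries no interface match, connection attempts arriving on $WAN draw from the same bucket, so a burst from outside can leave LAN clients unable to open new connections until the bucket refills. If the intent is to contain LAN hosts, restrict the jump to non-WAN traffic, `iptables -t nat -A PREROUTING -i ! $WAN -m state --state NEW -j NEW`, and consider a per-source match such as hashlimit where the kernel provides it (this patch does not show whether the linux-2.4 brcm build does). The `&&` chaining of the RETURN and DROP rules is a sound fail-safe, since an empty NEW chain just returns instead of becoming a blanket DROP when the limit match is unavailable, but that intent should be recorded, e.g. `# install the DROP only if the rate-limit rule went in; an empty NEW chain falls through`. Spelling out the unit, `--limit 50/second`, would also make the rate explicit rather than relying on the match's default.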
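Review bot: CONFIG_IP_NF_MATCH_LIMIT is flipped from m to y only in the brcm config, while the firewall.init change in the same commit is target-independent and needs the limit match present when the firewall starts. On a target that keeps the match as a module and does not load it before firewall.init runs, the `iptables -t nat -A NEW -m limit …` command fails, the `&&` guard then skips the DROP rule, and the NEW chain silently applies no limit at all; other target configs are not visible in this patch, so whether any are affected is an inference. Making the dependency visible next to its consumer, e.g. a comment in firewall.init such as `# requires the limit match (built into the brcm kernel); an empty NEW chain means no limiting`, would record why the config was changed and what breaks when it is missing.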