author | Kaarle Ritvanen <kaarle.ritvanen@datakunkku.fi> | 2012-07-20 12:44:20 +0000 |
---|---|---|
committer | Kaarle Ritvanen <kaarle.ritvanen@datakunkku.fi> | 2012-07-20 12:44:20 +0000 |
commit | cd6133557143232dce14ab87378b2a9ca5386cf2 (patch) | |
tree | a2fdf1f11edb1a9d6e4a85aff7920a9e360045be /awall | |
parent | 1ecedaa711dad375e088fef8cbb09f805e60a894 (diff) | |
download | awall-cd6133557143232dce14ab87378b2a9ca5386cf2.tar.bz2 awall-cd6133557143232dce14ab87378b2a9ca5386cf2.tar.xz |
support for TARPIT targetv0.2.3
automatic logging, handling of non-TCP packets, and connection tracking bypass
Diffstat (limited to 'awall')
-rw-r--r-- | awall/modules/filter.lua | 12 |
1 files changed, 10 insertions, 2 deletions
diff --git a/awall/modules/filter.lua b/awall/modules/filter.lua
index cde2112..c04f74e 100644
--- a/awall/modules/filter.lua
+++ b/awall/modules/filter.lua
@@ -77,6 +77,8 @@ function Filter:trules()
 extrarules('dnat', {['ip-range']=dnataddr, out=nil})
 end
+ if self.action == 'tarpit' then extrarules('no-track') end
+
 awall.util.extend(res, model.Rule.trules(self))
 return res
@@ -132,10 +134,11 @@ classes = {{'filter', Filter},
 defrules = {pre={}, ['post-filter']={}}
+local limitedlog = '-m limit --limit 1/second -j LOG'
+
 for i, family in ipairs({'inet', 'inet6'}) do
 for i, target in ipairs({'drop', 'reject'}) do
- for i, opts in ipairs({'-m limit --limit 1/second -j LOG', '-j '..string.upper(target)}) do
+ for i, opts in ipairs({limitedlog, '-j '..string.upper(target)}) do
 table.insert(defrules.pre,
 {family=family,
 table='filter',
@@ -144,6 +147,11 @@ for i, family in ipairs({'inet', 'inet6'}) do
 end
 end
+ for i, opts in ipairs({limitedlog, '-p tcp -j TARPIT', '-j DROP'}) do
+ table.insert(defrules.pre,
+ {family=family, table='filter', chain='tarpit', opts=opts})
+ end
+
 for i, chain in ipairs({'FORWARD', 'INPUT', 'OUTPUT'}) do
 table.insert(defrules.pre,
 {family=family,
 |
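Review bot: The added `extrarules('no-track')` in Filter:trules carries no comment saying why a tarpit rule must bypass connection tracking, and that reason is the security property of the whole feature: without it, a flood of SYNs against a tarpit rule would create one conntrack entry per attempt and could exhaust the state table. I would put `-- TARPIT keeps attacker connections open; untrack them so tarpitted flows never consume conntrack entries` above the `if`. Untracked packets presumably also carry no conntrack state, so a tarpit rule that additionally relies on stateful matching may stop matching as intended; worth confirming against what `extrarules('no-track')` emits, which is outside this hunk. Filter:trules begins before this hunk; only its tail is shown.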
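Review bot: The new tarpit chain logs with the shared `limitedlog` options, which set no `--log-prefix`, so a tarpitted packet produces a syslog line indistinguishable from a dropped or rejected one and an incident reviewer cannot tell which action fired. For the tarpit chain I would write `for i, opts in ipairs({limitedlog..' --log-prefix "tarpit: "', '-p tcp -j TARPIT', '-j DROP'}) do`, assuming the opts string is handed through to iptables-restore, which accepts a quoted prefix. TARPIT is also an out-of-tree xtables-addons target emitted here for both inet and inet6 unconditionally; if the module, or its IPv6 variant, is missing on the host the ruleset load will presumably fail as a whole, so a comment such as `-- TARPIT needs xtables-addons (xt_TARPIT); the trailing DROP catches non-TCP packets TARPIT cannot answer` would save the next reader a surprise. This loop is nested in the `for i, family` loop whose header lies in the previous hunk.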