Enable dropping packets if connections are reopened even after drops, fix timeouts

This commit is contained in:
Alex D. 2022-04-03 18:49:14 +00:00
parent 8f58005433
commit a19423010d
Signed by: caskd
GPG Key ID: F92BA85F61F4C173
3 changed files with 9 additions and 7 deletions

View File

@ -3,7 +3,7 @@
. ../APKBUILD-config.template
pkgver=2022.04.02.08
pkgver=2022.04.03.01
pkgrel=0
options="!check" # check requires root?

View File

@ -1,5 +1,3 @@
ct state invalid counter drop;
ip saddr @blackhole4 update @blackhole4 { ip saddr } counter;
ip6 saddr @blackhole6 update @blackhole6 { ip6 saddr } counter;
ip saddr @blackhole4 counter drop;
ip6 saddr @blackhole6 counter drop;
ip saddr @blackhole4 update @blackhole4 { ip saddr timeout 1h } counter drop;
ip6 saddr @blackhole6 update @blackhole6 { ip6 saddr timeout 1h } counter drop;

View File

@ -1,5 +1,9 @@
#iifname "eth0" ct state new meter limit4 { ip saddr ct count over 10 } counter reject;
#iifname "eth0" ct state new meter limit6 { ip6 saddr ct count over 10 } counter reject;
iifname "eth0" ct state new meter global4 { ip saddr timeout 2h limit rate over 20/minute burst 60 packets } update @blackhole4 { ip saddr } counter;
iifname "eth0" ct state new meter global6 { ip6 saddr timeout 2h limit rate over 20/minute burst 60 packets } update @blackhole6 { ip6 saddr } counter;
# Ban if connection attempts are still made over the limit
iifname "eth0" ct state new meter ban4 { ip saddr timeout 10m limit rate over 1/second burst 30 packets } update @blackhole4 { ip saddr timeout 10m } counter drop;
iifname "eth0" ct state new meter ban6 { ip6 saddr timeout 10m limit rate over 1/second burst 30 packets } update @blackhole6 { ip6 saddr timeout 10m } counter drop;
iifname "eth0" ct state new meter drop4 { ip saddr timeout 10m limit rate over 1/second } counter drop;
iifname "eth0" ct state new meter drop6 { ip6 saddr timeout 10m limit rate over 1/second } counter drop;