
Merge branch 'main' into dependabot/github_actions/all-actions-d58a5e…
…f0ba
mgmgwi authored Jun 24, 2024
2 parents 4b65dea + 0dd6ac6 commit b27aea8
Showing 3 changed files with 44 additions and 44 deletions.
38 changes: 19 additions & 19 deletions run/add_ddos_protection_iptables_rule.sh
Expand Up @@ -97,15 +97,15 @@ CONN_LOGGING_LEVEL=${6}
source ./ip_tables_utils.sh

add() {
if [ -z ${DELETE} ]; then
if [ -z "${DELETE}" ]; then
return 0
else
return 1
fi
}

delete() {
if [ -n ${DELETE} ]; then
if [ -n "${DELETE}" ]; then
return 0
else
return 1
Expand Down Expand Up @@ -142,7 +142,7 @@ if [ $# -lt 2 ]; then
usage
fi

if [ -n ${TEST_MODE} ]; then
if [ -n "${TEST_MODE}" ]; then
print_settings
exit 0
fi
Expand All @@ -163,35 +163,35 @@ else
fi

# Make sure the previous default logging rule is removed. It causes too much CPU overhead under load.
RULE="${LOG_CHAIN} -j LOG --log-level warning --log-prefix \"connlimit: \""
delete_rule ${RULE}
RULE=("${LOG_CHAIN}" -j LOG --log-level "${CONN_LOGGING_LEVEL}" --log-prefix "connlimit: ")
delete_rule "${RULE[@]}"

# Append a rule that sets log level and log prefix
# Default to no logging unless a logging level is explicitly supplied.
if [ -n ${CONN_LOGGING_LEVEL} ]; then
RULE="${LOG_CHAIN} -j LOG --log-level ${CONN_LOGGING_LEVEL} --log-prefix \"connlimit: \""
${OPERATION} ${RULE}
if [ -n "${CONN_LOGGING_LEVEL}" ]; then
RULE=("${LOG_CHAIN}" -j LOG --log-level "${CONN_LOGGING_LEVEL}" --log-prefix "connlimit: ")
${OPERATION} "${RULE[@]}"
fi

# Append a rule that finally rejects connection
RULE="${LOG_CHAIN} -p tcp -j REJECT --reject-with tcp-reset"
make_last_rule ${RULE}
RULE=("${LOG_CHAIN}" -p tcp -j REJECT --reject-with tcp-reset)
make_last_rule "${RULE[@]}"

# Append a rule to limit the total number of simultaneous client connections
RULE="${IP_TABLES_CHAIN} -p tcp --syn --dport ${DPORT} -m connlimit --connlimit-above ${OVER_ALL_CONN_LIMIT} --connlimit-mask 0 -j ${LOG_CHAIN}"
${OPERATION} ${RULE}
RULE=("${IP_TABLES_CHAIN}" -p tcp --syn --dport "${DPORT}" -m connlimit --connlimit-above "${OVER_ALL_CONN_LIMIT}" --connlimit-mask 0 -j "${LOG_CHAIN}")
${OPERATION} "${RULE[@]}"

# Append a rule to limit the number connections per IP address
RULE="${IP_TABLES_CHAIN} -p tcp -m tcp --dport ${DPORT} --tcp-flags FIN,SYN,RST,ACK SYN -m connlimit --connlimit-above ${CONN_LIMIT_PER_IP} --connlimit-mask 32 --connlimit-saddr -j ${LOG_CHAIN}"
${OPERATION} ${RULE}
RULE=("${IP_TABLES_CHAIN}" -p tcp -m tcp --dport "${DPORT}" --tcp-flags "FIN,SYN,RST,ACK" SYN -m connlimit --connlimit-above "${CONN_LIMIT_PER_IP}" --connlimit-mask 32 --connlimit-saddr -j "${LOG_CHAIN}")
${OPERATION} "${RULE[@]}"

# Append rules to rate limit connections
if ((CONN_RATE_LIMIT_LIMIT} > 0)) && ((CONN_RATE_LIMIT_PERIOD > 0)); then
if [ "${CONN_RATE_LIMIT_LIMIT}" -gt "0" ] && [ "${CONN_RATE_LIMIT_PERIOD}" -gt "0" ]; then
echo "Including settings for rate limiting ..."
RULE="${IP_TABLES_CHAIN} -p tcp -m tcp --dport ${DPORT} -m conntrack --ctstate NEW -m recent --set --name DEFAULT --mask 255.255.255.255 --rsource"
${OPERATION} ${RULE}
RULE="${IP_TABLES_CHAIN} -p tcp -m tcp --dport ${DPORT} -m conntrack --ctstate NEW -m recent --update --seconds ${CONN_RATE_LIMIT_PERIOD} --hitcount ${CONN_RATE_LIMIT_LIMIT} --name DEFAULT --mask 255.255.255.255 --rsource -j ${LOG_CHAIN}"
${OPERATION} ${RULE}
RULE=("${IP_TABLES_CHAIN}" -p tcp -m tcp --dport "${DPORT}" -m conntrack --ctstate NEW -m recent --set --name DEFAULT --mask 255.255.255.255 --rsource)
${OPERATION} "${RULE[@]}"
RULE=("${IP_TABLES_CHAIN}" -p tcp -m tcp --dport "${DPORT}" -m conntrack --ctstate NEW -m recent --update --seconds "${CONN_RATE_LIMIT_PERIOD}" --hitcount "${CONN_RATE_LIMIT_LIMIT}" --name DEFAULT --mask 255.255.255.255 --rsource -j "${LOG_CHAIN}")
${OPERATION} "${RULE[@]}"
else
echo "Rate limiting is disabled, skipping settings for rate limiting ..."
fi
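Review bot: The cleanup rule `RULE=("${LOG_CHAIN}" -j LOG --log-level "${CONN_LOGGING_LEVEL}" --log-prefix "connlimit: ")` under the "Make sure the previous default logging rule is removed" comment no longer targets that rule: the old line matched the hard-coded `--log-level warning` entry, the new one matches whatever level is supplied on this run, so a default-level LOG rule left in LOG_CHAIN by an earlier run is never deleted and the CPU overhead the comment warns about stays. When CONN_LOGGING_LEVEL is empty the delete presumably becomes a no-op as well, since `iptables -C` is then handed an empty `--log-level` argument and rule_exists hides its error. Keep the literal level for the cleanup, `RULE=("${LOG_CHAIN}" -j LOG --log-level warning --log-prefix "connlimit: ")`, and leave the configurable level to the add below it. The rate-limit guard `[ "${CONN_RATE_LIMIT_LIMIT}" -gt "0" ]` fixes the broken `((CONN_RATE_LIMIT_LIMIT} > 0))`, but with an unset or non-numeric value `[` prints an error and the script silently takes the disabled branch; a `: "${CONN_RATE_LIMIT_LIMIT:?}"` check where the positional parameters are assigned would surface that instead. The hunk begins inside an if/else whose head is outside it.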
38 changes: 19 additions & 19 deletions run/ip_tables_utils.sh
Expand Up @@ -2,39 +2,39 @@

# skip existing rules to avoid duplicates
add_new_rule() {
RULE="$@"
RULE=("$@")

if rule_exists ${RULE}; then
echo "[skip] $RULE already exists"
elif [[ "$RULE" == *"DROP"* ]] || [[ "$RULE" == *"RETURN"* ]] || [[ "$RULE" == *"REJECT"* ]]; then
iptables -A $RULE
echo "[OK] $RULE added to the end of the chain"
if rule_exists "${RULE[@]}"; then
echo "[skip] ${RULE[*]} already exists"
elif [[ "${RULE[*]}" =~ "DROP" ]] || [[ "${RULE[*]}" =~ "RETURN" ]] || [[ "${RULE[*]}" =~ "REJECT" ]]; then
iptables -A "${RULE[@]}"
echo "[OK] ${RULE[*]} added to the end of the chain"
else
iptables -I $RULE
echo "[OK] $RULE added to the beginning of the chain"
iptables -I "${RULE[@]}"
echo "[OK] ${RULE[*]} added to the beginning of the chain"
fi
}

make_last_rule() {
RULE="$@"
delete_rule ${RULE}
iptables -A $RULE
echo "[OK] $RULE added to the end of the chain"
RULE=("$@")
delete_rule "${RULE[@]}"
iptables -A "${RULE[@]}"
echo "[OK] ${RULE[*]} added to the end of the chain"
}

rule_exists() {
RULE="$@"
if iptables -C ${RULE} 2>/dev/null 1>&2; then
RULE=("$@")
if iptables -C "${RULE[@]}" 2>/dev/null 1>&2; then
return 0
fi
return 1
}

delete_rule() {
RULE="$@"
while rule_exists ${RULE}; do
iptables -D $RULE
echo "[OK] $RULE deleted"
RULE=("$@")
while rule_exists "${RULE[@]}"; do
iptables -D "${RULE[@]}"
echo "[OK] ${RULE[*]} deleted"
done
}

Expand All @@ -46,7 +46,7 @@ ip_tables_installed() {
}

ip_tables_persistent_installed() {
if which iptables-save 2>/dev/null 1>&2; then
if dpkg-query -W --showformat='${Status}' iptables-persistent | grep "install ok installed" 2>/dev/null 1>&2; then
return 0
fi
return 1
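Review bot: `RULE=("$@")` in add_new_rule, make_last_rule, rule_exists and delete_rule is still a global, so each nested call (rule_exists from add_new_rule and delete_rule, delete_rule from make_last_rule) overwrites the caller's array and also the script-level `RULE` array used by add_ddos_protection_iptables_rule.sh; the contents happen to be identical today, but `local -a RULE=("$@")` in each function removes that coupling. The target test `[[ "${RULE[*]}" =~ "DROP" ]]` (and its RETURN/REJECT siblings) is a substring match over the whole joined rule, so a rule whose `--log-prefix` or comment contains one of those words is appended instead of inserted at the top of the chain; checking the word that follows `-j` would make the placement decision explicit. In the last hunk, the `2>/dev/null` on `dpkg-query ... | grep "install ok installed" 2>/dev/null 1>&2` only silences grep, so a dpkg-query diagnostic for a package that is not installed still reaches the terminal; `dpkg-query -W --showformat='${Status}' iptables-persistent 2>/dev/null | grep -q "install ok installed"` keeps the same result and drops both redirections. That function's closing brace is outside the hunk.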
12 changes: 6 additions & 6 deletions run/set_iptables.sh
Expand Up @@ -34,8 +34,8 @@ INTERFACE=$1
echo "INTERFACE=${INTERFACE:=ens18}"

# check if INTERFACE is set to an inet facing interface
if ! ip a | grep inet | grep "$INTERFACE" >/dev/null; then
echo "[ERROR] interface '$INTERFACE' does not seem to be an internet facing interface"
if ! ip a | grep inet | grep "${INTERFACE}" >/dev/null; then
echo "[ERROR] interface '${INTERFACE}' does not seem to be an internet facing interface"
usage
exit 1
fi
Expand All @@ -61,17 +61,17 @@ echo
echo "[...] Setting up iptables white list for ips that may access port ${INTERNAL_PORT} from file ${IP_FILE}"

# 9701 whitelist approach: drop all others INCOMING (-i) connections
add_new_rule $CHAIN -p tcp -i $INTERFACE --dport $INTERNAL_PORT -j DROP
add_new_rule "${CHAIN}" -p tcp -i "${INTERFACE}" --dport "${INTERNAL_PORT}" -j DROP

# 9701 create IP whitelist from file
while read -r IP; do
if [[ "$IP" != "#"* ]] && [[ "$IP" != "" ]]; then
add_new_rule $CHAIN -p tcp --dport $INTERNAL_PORT -s "$IP" -j ACCEPT
add_new_rule "${CHAIN}" -p tcp --dport "${INTERNAL_PORT}" -s "$IP" -j ACCEPT
fi
done <"$IP_FILE"

# make sure, RETURN ist the last rule
make_last_rule $CHAIN -j RETURN
make_last_rule "${CHAIN}" -j RETURN

echo "[OK] Connections to ${INTERNAL_PORT} only allowed from white listed ips."
echo
Expand All @@ -80,7 +80,7 @@ echo "[...] Setting DOS protection on port ${CLI_PORT} via ${CLI_PORT_PROTECTION
$CLI_PORT_PROTECTION_SCRIPT "${CLI_PORT}" "${OVER_ALL_CONN_LIMIT}" "${CONN_LIMIT_PER_IP}" "${CONN_RATE_LIMIT_LIMIT}" "${CONN_RATE_LIMIT_PERIOD}" debug

# make sure, RETURN ist the last rule
make_last_rule $CHAIN -j RETURN
make_last_rule "${CHAIN}" -j RETURN

echo "[OK] Rules for connections on port ${CLI_PORT} set."

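Review bot: The interface check `if ! ip a | grep inet | grep "${INTERFACE}" >/dev/null; then` only gained braces; it is still a substring search over every address line, so `ens1` passes on a host that has `ens18`, and any name that happens to appear elsewhere in an address line passes too. Asking for the interface directly, `if ! ip -o addr show dev "${INTERFACE}" 2>/dev/null | grep -q inet; then`, fails both for an unknown interface and for one without an address. The comment and the error text promise an "internet facing" interface, but neither the old nor the new test can tell that from the presence of an inet address, so the message is more accurate as `does not exist or has no inet address`. The whitelist loop `while read -r IP` passes each line verbatim as `-s "$IP"`, so trailing whitespace or an inline comment makes iptables reject the entry; trimming with `IP=${IP%%[[:space:]]*}` before the test would make the file format forgiving.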
