#----------------------------------------------------------------------------------------
#----------------------------------------------------------------------------------------
# filter chains
#
# Template Toolkit fragment that is rendered into the firewall script.
# The variables capture_if, throttle, throttle_ports, throttle_seconds and
# throttle_hitcount come from the captive-portal configuration; MARKER 1 and
# MARKER 2 are set in the mangle table, which is not part of this file.
# Rule order matters: each chain is evaluated top to bottom and the first
# matching terminating target (ACCEPT/DROP/REJECT) decides the packet's fate.
#----------------------------------------------------------------------------------------
#----------------------------------------------------------------------------------------
#----------------------------------------------------------------------------------------
# FORWARD chain
#
# block 6to4 and ISATAP tunnels
# (IP protocol 41 carries IPv6-in-IPv4; dropped first so encapsulated traffic
# cannot bypass the IPv4 rules below - presumably the intent, verify against
# the mangle template)
iptables -t filter -A FORWARD -p 41 -j DROP
# forward INCOMING traffic to active clients, got MARKER 2 in mangle table
# (traffic that did NOT arrive on the capture interface is only passed when
# the mangle table has already marked it as belonging to an active client)
iptables -t filter -A FORWARD ! -i [%- capture_if -%] -m mark --mark 2 -j ACCEPT
# everything else coming from outside the capture interface is rejected here,
# before the MARKER 1 rule below gets a chance to match it
iptables -t filter -A FORWARD ! -i [%- capture_if -%] -j REJECT --reject-with icmp-net-prohibited
# forward OUTGOING all marked traffic from the clients, got MARKER 1 in mangle table
iptables -t filter -A FORWARD -m mark --mark 1 -j ACCEPT
# speed up tcp connections by negative responses
# (unmarked tcp from clients gets a RST instead of an ICMP error or a silent
# drop, so their applications fail fast instead of waiting for a timeout)
iptables -t filter -A FORWARD -p tcp -j REJECT --reject-with tcp-reset
# REJECT ALL other
iptables -t filter -A FORWARD -j REJECT --reject-with icmp-net-prohibited
#----------------------------------------------------------------------------------------
# INPUT chain, mainly used to throttle incoming connections to tcp port 80
# and the redirect port. Could also be used for the https, but then with
# a reasonable burst in order to deliver html, css and images
#
# NOTE(review): no chain policy and no final INPUT rule is set in this file;
# what happens to INPUT traffic that matches none of the rules below (including
# new connections to ports not listed in throttle_ports) is decided elsewhere -
# confirm in the other firewall templates.
#
# never block loopback traffic
iptables -t filter -A INPUT -i lo -j ACCEPT
[% IF throttle -%]
# fail at template rendering time instead of emitting a ruleset with empty
# --dports/--seconds/--hitcount arguments
[% UNLESS throttle_ports; THROW 'throttle_ports undefined in config_file'; END %]
[% UNLESS throttle_seconds; THROW 'throttle_seconds undefined in config_file'; END %]
[% UNLESS throttle_hitcount; THROW 'throttle_hitcount undefined in config_file'; END %]
# don't throttle already established connections, helps also with http keep-alives
# NOTE: this accepts EVERY non-SYN tcp segment on ANY port, not only on the
# throttled ones, so no later INPUT rule can restrict non-SYN tcp traffic.
# A connection-tracking match (-m conntrack --ctstate ESTABLISHED) would be
# the stricter way to express "already established".
iptables -t filter -A INPUT -p tcp ! --syn -j ACCEPT
#
# ATTENTION: if enabled this will fill your kernel log ring buffer
# use it just for debugging
#
# LOG targets which get dropped by the next rule
# iptables -t filter -A INPUT -p tcp --syn \
# -m multiport --dports [%- throttle_ports.join(',') -%] \
# -m recent --name capo_throttle --rcheck \
# --seconds [%- throttle_seconds -%] --hitcount [%- throttle_hitcount -%] \
# -m limit --limit 4/minute -j LOG --log-prefix CAPO_THROTTLE:
# throttle/drop new connections
# --rcheck only tests the recent list and does not update the timestamps:
# a new SYN is dropped when its source address already has throttle_hitcount
# or more entries within the last throttle_seconds seconds.
# NOTE(review): the xt_recent module remembers a bounded number of packets per
# address (module parameter ip_pkt_list_tot, default 20) and a bounded number
# of addresses (ip_list_tot, default 100); a throttle_hitcount above the former
# is rejected when the rule is loaded, and more concurrent client addresses
# than the latter evict older entries - confirm the module parameters match
# the configured values.
iptables -t filter -A INPUT -p tcp --syn \
-m multiport --dports [%- throttle_ports.join(',') -%] \
-m recent --name capo_throttle --rcheck \
--seconds [%- throttle_seconds -%] --hitcount [%- throttle_hitcount -%] -j DROP
# at last accept new connections but set/update the recent table
# (--set records the source address with the current time, so the --rcheck
# rule above sees the fresh entry on the client's next SYN)
iptables -t filter -A INPUT -p tcp --syn \
-m multiport --dports [%- throttle_ports.join(',') -%] \
-m recent --name capo_throttle --set -j ACCEPT
[%- END %]
# vim: sw=2 ft=sh