view release on metacpan or  search on metacpan

templates/orig/firewall/filter.tt  view on Meta::CPAN

# never block loopback traffic
iptables -t filter -A INPUT -i lo -j ACCEPT

[% IF throttle -%]

[% UNLESS throttle_ports;    THROW 'throttle_ports undefined in config_file';    END %]
[% UNLESS throttle_seconds;  THROW 'throttle_seconds undefined in config_file';  END %]
[% UNLESS throttle_hitcount; THROW 'throttle_hitcount undefined in config_file'; END %]

# don't throttle already established connections, helps also with http keep-alives
iptables -t filter -A INPUT -p tcp ! --syn -j ACCEPT

#
# ATTENTION: if enabled this will fill you kernel log ring buffer
# use it just for debugging
#
# LOG targets which get dropped by the next rule
# iptables -t filter -A INPUT -p tcp --syn \
#    -m multiport --dports [%- throttle_ports.join(',') -%] \
#    -m recent --name capo_throttle --rcheck \