firewall: Implement generating SYNPROXY rules

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

config/firewall/rules.pl

@@ -297,6 +297,9 @@ sub buildrules {
 			$NAT_MODE = uc($$hash{$key}[31]);
 		}
 
+		# Enable SYN flood protection?
+		my $SYN_FLOOD_PROTECTION = 0;
+
 		# Set up time constraints.
 		my @time_options = ();
 		if ($$hash{$key}[18] eq 'ON') {
@@ -370,6 +373,11 @@ sub buildrules {
 			}
 		}
 
+		# DoS Protection
+		if (($elements ge 38) && ($$hash{$key}[37] eq "ON")) {
+			$SYN_FLOOD_PROTECTION = 1;
+		}
+
 		# Check which protocols are used in this rule and so that we can
 		# later group rules by protocols.
 		my @protocols = &get_protocols($hash, $key);
@@ -608,6 +616,10 @@ sub buildrules {
 					}
 					run("$IPTABLES -A $chain @options @source_intf_options @destination_intf_options -j $target");
 
+					if ($SYN_FLOOD_PROTECTION && ($protocol eq "tcp")) {
+						run("$IPTABLES -t raw -A SYN_FLOOD_PROTECT @options -j CT --notrack");
+					}
+
 					# Handle forwarding rules and add corresponding rules for firewall access.
 					if ($chain eq $CHAIN_FORWARD) {
 						# If the firewall is part of the destination subnet and access to the destination network

src/initscripts/system/firewall

@@ -407,6 +407,10 @@ iptables_init() {
 	iptables -t nat -N REDNAT
 	iptables -t nat -A POSTROUTING -j REDNAT
 
+	# SYN Flood Protection
+	iptables -t raw -N SYN_FLOOD_PROTECT
+	iptables -t raw -A PREROUTING -p tcp --syn -j SYN_FLOOD_PROTECT
+
 	# Populate IPsec chains
 	/usr/lib/firewall/ipsec-policy