Add custom XDP SYNPROXY chain
XDP SYNPROXY rules need to be first in the filter table INPUT user-defined chain and the raw table PREROUTING user-defined chain. For example, to list the custom chain evaluation order: iptables -L INPUT --line-numbers Chain INPUT (policy DROP) num target prot opt source destination 1 INSYNPROXY all -- anywhere anywhere 2 IPSBYPASS all -- anywhere anywhere mark match 0xc0000000/0xc0000000 3 BADTCP tcp -- anywhere anywhere 4 CUSTOMINPUT all -- anywhere anywhere 5 HOSTILE all -- anywhere anywhere 6 BLOCKLISTIN !icmp -- anywhere anywhere 7 GUARDIAN all -- anywhere anywhere 8 OVPNBLOCK all -- anywhere anywhere 9 IPS_INPUT all -- anywhere anywhere mark match 0x0/0xc0000000 10 IPTVINPUT all -- anywhere anywhere 11 ICMPINPUT all -- anywhere anywhere 12 LOOPBACK all -- anywhere anywhere 13 CAPTIVE_PORTAL all -- anywhere anywhere 14 CONNTRACK all -- anywhere anywhere 15 DHCPGREENINPUT all -- anywhere anywhere 16 TOR_INPUT all -- anywhere anywhere 17 LOCATIONBLOCK all -- anywhere anywhere 18 IPSECINPUT all -- anywhere anywhere 19 GUIINPUT all -- anywhere anywhere 20 WIRELESSINPUT all -- anywhere anywhere ctstate NEW 21 OVPNINPUT all -- anywhere anywhere 22 INPUTFW all -- anywhere anywhere 23 REDINPUT all -- anywhere anywhere 24 POLICYIN all -- anywhere anywhere iptables -t raw -L PREROUTING --line-numbers Chain PREROUTING (policy ACCEPT) num target prot opt source destination 1 RAWSYNPROXY all -- anywhere anywhere Signed-off-by: Vincent Li <vincent.mc.li@gmail.com>
@@ -70,6 +70,12 @@ iptables_init() {
|
||||
modprobe nf_log_ipv4
|
||||
sysctl -q -w net.netfilter.nf_log.2=nf_log_ipv4
|
||||
|
||||
# XDP SYNPROXY Chain, needs to be first chain in INPUT as the chain order matters
|
||||
iptables -t raw -N RAWSYNPROXY
|
||||
iptables -t raw -A PREROUTING -j RAWSYNPROXY
|
||||
iptables -N INSYNPROXY
|
||||
iptables -A INPUT -j INSYNPROXY
|
||||
|
||||
# IPS Bypass Chain which stores the BYPASS bit in connection tracking
|
||||
iptables -N IPSBYPASS
|
||||
iptables -A IPSBYPASS -j CONNMARK --save-mark --mask "$(( ~IPS_REPEAT_MASK & 0xffffffff ))"
|
||||
|
||||
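Review bot: The comment `# XDP SYNPROXY Chain, needs to be first chain in INPUT as the chain order matters` states that order matters but not what the placement implies: because `-A INPUT -j INSYNPROXY` and `-A PREROUTING -j RAWSYNPROXY` are installed before every other user chain, any terminating verdict (ACCEPT, or an untracked/NOTRACK decision in the raw table) placed in those chains skips the BADTCP, HOSTILE, BLOCKLISTIN, IPS and CONNTRACK chains listed in the description. Suggest replacing the comment with `# XDP SYNPROXY chains: must be the first jump in raw PREROUTING and filter INPUT; a packet ACCEPTed or marked untracked here bypasses every later chain (blocklists, IPS, conntrack), so rules added to these chains must stay narrowly scoped to the protected ports`. The chains are created empty in this hunk and presumably populated by another script; naming that script in the comment would help the next maintainer find where the scope is actually enforced. iptables_init() begins before the hunk and continues past it.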