webadmin/bpfire
1
0
Fork 0
mirror of https://github.com/vincentmli/bpfire.git synced 2026-04-28 03:33:25 +02:00
Code Issues Packages Projects Releases Wiki Activity

iptables: Only jump into BADTCP for TCP packets.

Browse Source 
This saves us from evaluating lots of rules for non-TCP
packets.
This commit is contained in:
Michael Tremer
2013-07-08 15:17:56 +02:00
parent b85d2a9819
commit c0359d6dfb
1 changed files with 3 additions and 3 deletions
Download Patch File Download Diff File Expand all files Collapse all files

6
src/initscripts/init.d/firewall
View File

@@ -70,13 +70,13 @@ iptables_init() {
# NEW TCP without SYN # NEW TCP without SYN
/sbin/iptables -A BADTCP -p tcp ! --syn -m conntrack --ctstate NEW -j NEWNOTSYN /sbin/iptables -A BADTCP -p tcp ! --syn -m conntrack --ctstate NEW -j NEWNOTSYN
/sbin/iptables -A INPUT -p tcp -j BADTCP
/sbin/iptables -A FORWARD -p tcp -j BADTCP
# Connection tracking chain # Connection tracking chain
/sbin/iptables -N CONNTRACK /sbin/iptables -N CONNTRACK
/sbin/iptables -A CONNTRACK -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT /sbin/iptables -A CONNTRACK -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
/sbin/iptables -A INPUT -j BADTCP
/sbin/iptables -A FORWARD -j BADTCP
# Fix for braindead ISP's # Fix for braindead ISP's
/sbin/iptables -A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu /sbin/iptables -A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu