New NTP DDoS target hack

ChangeLog

@@ -2,6 +2,8 @@
 	- Reorder rules, place allow before block to allow overrides
 	- Fixes for conntrack rules for better security (added -o/-i)
 	- Correct some incorrect info in options.default
+	- Add NTPDDOSRATELIMIT to IPV4_HACKS as a basic protection against being
+	  used as a NTP DDoS source.  Not well tested, use at own risk.
 
 1.0 - Brielle Bruns <bruns@2mbit.com>
 	- Minor tweaks to various config files

include/functions

@@ -92,10 +92,6 @@ function iptables_rules_flush {
 		$VER_IPTABLES -F -t $i &>/dev/null
 	done
 	$VER_IPTABLES -X
-	$VER_IPTABLES -t nat -F
-	$VER_IPTABLES -t nat -X
-	$VER_IPTABLES -t mangle -F
-	$VER_IPTABLES -t mangle -X
 	#if [ $NAT ] && [ $IP_VERSION == "ipv4" ]; then
 	#	$VER_IPTABLES -F -t nat &>/dev/null
 	#fi

options.default

@@ -150,7 +150,11 @@ DONTTRACK="127.0.0.1"
 #						I have things going through specific wires for a reason.  This fixes
 #						that and makes it behave as expected.
 #
-HACK_IPV4="NS-IN-DDOS"
+# NTPDDOSRATELIMIT   -  Basic form of rate limiting/blocking on incoming NTP traffic
+#						that may cause local NTP server to be used in a DDoS attack.
+#						Not well tested yet, use at own risk.
+#
+#HACK_IPV4="NS-IN-DDOS"
 
 # IP Ranges to block all traffic incoming/outgoing
 # New functionality in 0.9.8 obsoletes BLOCKTCPPORTS and BLOCKUDPPORTS