New NTP DDoS target hack

ChangeLog

@@ -2,8 +2,6 @@
 	- Reorder rules, place allow before block to allow overrides
 	- Fixes for conntrack rules for better security (added -o/-i)
 	- Correct some incorrect info in options.default
-	- Add NTPDDOSRATELIMIT to IPV4_HACKS as a basic protection against being
-	  used as a NTP DDoS source.  Not well tested, use at own risk.
 
 1.0 - Brielle Bruns <bruns@2mbit.com>
 	- Minor tweaks to various config files

bin/firewall-sosdg

@@ -203,8 +203,9 @@ if [ "$IPTABLES_MULTIPORT" ]; then
 fi
 
 # Trying to better clean up some of my code, so lets try using a blackhole target
-$IPTABLES -N BLACKHOLE
+$IPTABLES -N BLACKHOLE-IN
-$IPTABLES -A BLACKHOLE -j DROP
+$IPTABLES -N BLACKHOLE-OUT
+
 
 
 $IPTABLES -A INPUT -i lo -j ACCEPT

include/functions

@@ -160,17 +160,6 @@ function apply_ipv4_hack {
 				fi
 			done
 		;;
-		NTPDDOSRATELIMIT)
-			# Rate limit NTP DDOS UDP traffic using rules provided on the nanog list by
-			# pashdown@xmission.com
-			$IPTABLES -N NTP
-			$IPTABLES -I BLACKHOLE 1 -m recent --set --name ntpv4blackhole --rsource
-			$IPTABLES -A NTP -m recent --update --seconds 5 --hitcount 20 --name \
-					ntpv4 --rsource -j BLACKHOLE
-			$IPTABLES -A NTP -m recent --update --seconds 5 --hitcount 2 --name \
-					ntpv4blackhole --rsource -j DROP
-			$IPTABLES -A NTP -m recent --set --name ntpv4 --rsource -j ACCEPT
-			$IPTABLES -A INPUT -p udp -m udp --dport 123 -j NTP
 		esac
 		shift
 	done

options.default

@@ -150,10 +150,6 @@ DONTTRACK="127.0.0.1"
 #						I have things going through specific wires for a reason.  This fixes
 #						that and makes it behave as expected.
 #
-# NTPDDOSRATELIMIT   -  Basic form of rate limiting/blocking on incoming NTP traffic
-#						that may cause local NTP server to be used in a DDoS attack.
-#						Not well tested yet, use at own risk.
-#
 #HACK_IPV4="NS-IN-DDOS"
 
 # IP Ranges to block all traffic incoming/outgoing