Some more minor changes

master
bbruns 2010-08-25 17:43:57 +00:00
parent d73763277d
commit 54bcf6e8e6
4 changed files with 32 additions and 3 deletions


@ -132,8 +132,12 @@ function apply_ipv4_hack {
# NS-IN-DDOS - Block DNS DDoS using NS/IN spoof, see:
# http://www.stupendous.net/archives/2009/01/24/dropping-spurious-nsin-recursive-queries/
display_c PURPLE " ./NS/IN-DDOS-FIX"
$IPTABLES -A INPUT -j DROP -p udp --dport 53 -m u32 --u32 \
"0>>22&0x3C@12>>16=1&&0>>22&0x3C@20>>24=0&&0>>22&0x3C@21=0x00020001"
if `$MODPROBE --quiet $MOD_U32 &>/dev/null`; then
$IPTABLES -A INPUT -j DROP -p udp --dport 53 -m u32 --u32 \
"0>>22&0x3C@12>>16=1&&0>>22&0x3C@20>>24=0&&0>>22&0x3C@21=0x00020001"
else
display_c RED \nError: could not load $MOD_U32 module into the kernel. Not using fix."
fi
;;
esac
shift
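Review bot: The new `else` branch calls `display_c RED \nError: could not load $MOD_U32 module into the kernel. Not using fix."` with a closing quote but no opening one, so as shown the script will not parse correctly past this point; the argument should begin `"\nError: ...`. The `if` also wraps the modprobe call in backticks, which runs it inside a command substitution and only behaves as intended because its output is discarded; `if $MODPROBE --quiet "$MOD_U32" &>/dev/null; then` tests the exit status directly. When the module fails to load, the drop rule is skipped and the run continues, so the host ends up without the NS/IN filter and with only a console message to show for it; a non-zero exit status or a syslog entry would make that fail-open state visible when the rules are applied unattended. The enclosing `case` arm and `apply_ipv4_hack` begin and end outside the hunk.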


@ -31,4 +31,7 @@ PURPLE="\E[35m"
AQUA="\E[36m"
WHITE="\E[1m"
GREY="\E[37m"
DEFAULT_COLOR="\E[39m"
DEFAULT_COLOR="\E[39m"
# Module names that we may need to load
MOD_U32="xt_u32"


@ -6,6 +6,9 @@ IP6TABLES=/bin/true
#IPTABLES=/sbin/iptables
#IP6TABLES=/sbin/ip6tables
#This is important for loading kernel modules
MODPROBE=/sbin/modprobe
# Don't forget to rename this file to 'options'!
# I'm trying to make this config as simple as possible. Comment out
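Review bot: `MODPROBE=/sbin/modprobe` is live by default, while the hunk header shows `IP6TABLES=/bin/true` and the real iptables paths are commented out, so a trial run of the sample configuration would presumably leave the firewall untouched but still load kernel modules as root. If the sample is meant to be a no-op until edited, ship `MODPROBE=/bin/true` with `#MODPROBE=/sbin/modprobe` beside the other commented paths. The comment could also say what depends on the setting, for example `# modprobe path; used to load xt_u32 for the NS-IN-DDOS hack, which is skipped if loading fails`.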


@ -58,6 +58,25 @@ echo "=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
redistribute it under certain conditions.
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-="
if [ $UID != "0" ]; then
display_c RED "You must be root to run this script."
exit 2
fi
if [ ! -x $IPTABLES ]; then
display_c RED "iptables command not found. Please make sure you have the iptables"
display_c RED "installed (package or source) and you have the IPTABLES option properly"
display_c RED "defined in the 'options' file."
exit 3
fi
if [ ! -x $IP6TABLES ] && [ $IPV6 == "1" ]; then
display_c RED "ip6tables command not found. Please make sure you have the iptables"
display_c RED "installed (package or source) and you have the IP6TABLES option properly"
display_c RED "defined in the 'options' file."
exit 3
fi
iptables_rules_flush ipv4
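Review bot: The new preflight tests expand their variables unquoted, which lets a broken configuration slip through: with IPTABLES empty or unset, `[ ! -x $IPTABLES ]` collapses to `[ ! -x ]`, which is false, so the script carries on to `iptables_rules_flush` without a usable binary; with IPV6 unset, `[ $IPV6 == "1" ]` is a test syntax error. Quote the expansions and use the portable operator, e.g. `if [ ! -x "$IPTABLES" ]; then` and `if [ "$IPV6" = "1" ] && [ ! -x "$IP6TABLES" ]; then`. MODPROBE, which this commit starts relying on, gets no equivalent `-x` check here. The script continues outside the hunk.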