HACK_IPV4 Option

master
bbruns 2010-08-24 01:35:36 +00:00
parent d57a599f3c
commit 97dd5fa6f0
3 changed files with 34 additions and 6 deletions

View File

@ -118,3 +118,20 @@ function show_help {
echo -e "\t--help\t\tShows this info"
echo -e "\t--flush\t\tFlushes all rules back to default ACCEPT"
}
# apply_ipv4_hack $HACKS
function apply_ipv4_hack {
display_c YELLOW "Applying IPv4 hack/fix:" N
while [ $# -gt 0 ]; do
case "$1" in
NS-IN-DDOS)
display_c PURPLE " ./NS/IN-DDOS-FIX"
$IPTABLES -A INPUT -j DROP -p udp --dport domain -m u32 --u32 \
"0>>22&0x3C@12>>16=1&&0>>22&0x3C@20>>24=0&&0>>22&0x3C@21=0x00020001"
;;
esac
shift
done
}

View File

@ -12,9 +12,9 @@ IP6TABLES=/bin/true
# options you don't want to use, uncomment them to use them.
# Do we want NAT/Conntrack/Forward features?
NAT=1
CONNTRACK=1
FORWARD=1
#NAT=1
#CONNTRACK=1
#FORWARD=1
# Blocking incoming connections by default?
BLOCKINCOMING=1
@ -49,6 +49,15 @@ DONTTRACK="127.0.0.1"
# IP range(s) to forward
ROUTING=$BASEDIR/ipv4-routing
# Hacks to either block specific kinds of attacks or fix problems
#
# NS-IN-DDOS - Block DNS DDoS using NS/IN spoof, see:
# http://www.stupendous.net/archives/2009/01/24/dropping-spurious-nsin-recursive-queries/
#
HACK_IPV4="NS-IN-DDOS"
#==============
# Obsolete - DO NOT USE ANYMORE. Will be removed in 1.0
# IP ranges(s) to NAT using SNAT.

View File

@ -136,8 +136,10 @@ if [ "$CLAMPMSS" ]; then
echo -en "\n"
fi
$IPTABLES -A INPUT -j DROP -p udp --dport domain -m u32 --u32 \
"0>>22&0x3C@12>>16=1&&0>>22&0x3C@20>>24=0&&0>>22&0x3C@21=0x00020001"
if [ $HACK_IPV4 ]; then
apply_ipv4_hack $HACK_IPV4
fi
if [ -s "$BASEDIR/include/ipv4_custom_conntrack" ]; then
display_c YELLOW "Loading custom conntrack rules..."