Add few ddos protection rules to iptables

Change-Id: I771cfdf7db9acd0c4de7fba8b775f66166c0b461
Partial-Bug: 1509986
This commit is contained in:
Oleksiy Molchanov 2016-10-24 16:23:12 +03:00
parent 6d0326ce34
commit 0fb99f1ca7
1 changed files with 141 additions and 0 deletions


@ -553,4 +553,145 @@ class osnailyfacter::firewall::firewall {
}
}
# Additional ddos-protection rules
if $assign_to_all_nodes or member($roles, 'primary-controller') or member($roles, 'controller') {
firewall {'010 block invalid packets':
chain => 'PREROUTING',
table => 'mangle',
proto => 'all',
ctstate => 'INVALID',
action => 'drop',
}
firewall {'020 block not-syn new packets':
chain => 'PREROUTING',
table => 'mangle',
proto => 'tcp',
ctstate => 'NEW',
tcp_flags => '! SYN,RST,ACK,FIN SYN',
action => 'drop',
}
firewall {'030 block uncommon mss values':
chain => 'PREROUTING',
table => 'mangle',
proto => 'tcp',
ctstate => 'NEW',
mss => '! 536:65535',
action => 'drop',
}
firewall {'040 block packets with bogus tcp flags':
chain => 'PREROUTING',
table => 'mangle',
proto => 'tcp',
tcp_flags => 'FIN,SYN,RST,PSH,ACK,URG NONE',
action => 'drop',
}
firewall {'050 block packets with bogus tcp flags':
chain => 'PREROUTING',
table => 'mangle',
proto => 'tcp',
tcp_flags => 'FIN,SYN FIN,SYN',
action => 'drop',
}
firewall {'060 block packets with bogus tcp flags':
chain => 'PREROUTING',
table => 'mangle',
proto => 'tcp',
tcp_flags => 'SYN,RST SYN,RST',
action => 'drop',
}
firewall {'070 block packets with bogus tcp flags':
chain => 'PREROUTING',
table => 'mangle',
proto => 'tcp',
tcp_flags => 'SYN,FIN SYN,FIN',
action => 'drop',
}
firewall {'080 block packets with bogus tcp flags':
chain => 'PREROUTING',
table => 'mangle',
proto => 'tcp',
tcp_flags => 'FIN,RST FIN,RST',
action => 'drop',
}
firewall {'090 block packets with bogus tcp flags':
chain => 'PREROUTING',
table => 'mangle',
proto => 'tcp',
tcp_flags => 'FIN,ACK FIN',
action => 'drop',
}
firewall {'100 block packets with bogus tcp flags':
chain => 'PREROUTING',
table => 'mangle',
proto => 'tcp',
tcp_flags => 'ACK,URG URG',
action => 'drop',
}
firewall {'110 block packets with bogus tcp flags':
chain => 'PREROUTING',
table => 'mangle',
proto => 'tcp',
tcp_flags => 'ACK,FIN FIN',
action => 'drop',
}
firewall {'120 block packets with bogus tcp flags':
chain => 'PREROUTING',
table => 'mangle',
proto => 'tcp',
tcp_flags => 'ACK,PSH PSH',
action => 'drop',
}
firewall {'130 block packets with bogus tcp flags':
chain => 'PREROUTING',
table => 'mangle',
proto => 'tcp',
tcp_flags => 'ALL ALL',
action => 'drop',
}
firewall {'140 block packets with bogus tcp flags':
chain => 'PREROUTING',
table => 'mangle',
proto => 'tcp',
tcp_flags => 'ALL NONE',
action => 'drop',
}
firewall {'150 block packets with bogus tcp flags':
chain => 'PREROUTING',
table => 'mangle',
proto => 'tcp',
tcp_flags => 'ALL FIN,PSH,URG',
action => 'drop',
}
firewall {'160 block packets with bogus tcp flags':
chain => 'PREROUTING',
table => 'mangle',
proto => 'tcp',
tcp_flags => 'ALL SYN,FIN,PSH,URG',
action => 'drop',
}
firewall {'170 block packets with bogus tcp flags':
chain => 'PREROUTING',
table => 'mangle',
proto => 'tcp',
tcp_flags => 'ALL SYN,RST,ACK,FIN,URG',
action => 'drop',
}
}
}
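Review bot: Three of the new tcp_flags rules duplicate earlier ones in the same hunk: `'040'` (`FIN,SYN,RST,PSH,ACK,URG NONE`) matches exactly what `'140'` (`ALL NONE`) matches since ALL is shorthand for that flag set, `'050'` and `'070'` both test `FIN,SYN FIN,SYN`, and `'090'` and `'110'` both test `FIN,ACK FIN`, so one of each pair should be removed to keep the mangle PREROUTING chain short and auditable. The `'020 block not-syn new packets'` rule also warrants a comment: with the kernel default of nf_conntrack_tcp_loose=1, a mid-stream segment of a connection the tracker has not seen (after a conntrack flush, or a VIP moving between controllers) is classified NEW and would be dropped here, which on controller nodes could sever long-lived client sessions across a failover — confirm that is acceptable or document the trade-off next to the rule. Because every rule drops silently, consider a preceding rate-limited LOG rule or at least a comment noting that hits are only visible through the `iptables -t mangle -L PREROUTING -v` packet counters, so a flood is detectable rather than merely absorbed. The enclosing class osnailyfacter::firewall::firewall starts outside the hunk.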