Add few ddos protection rules to iptables
Change-Id: I771cfdf7db9acd0c4de7fba8b775f66166c0b461 Partial-Bug: 1509986
This commit is contained in:
parent
6d0326ce34
commit
0fb99f1ca7
|
@ -553,4 +553,145 @@ class osnailyfacter::firewall::firewall {
|
|||
}
|
||||
}
|
||||
|
||||
# Additional ddos-protection rules
|
||||
if $assign_to_all_nodes or member($roles, 'primary-controller') or member($roles, 'controller') {
|
||||
firewall {'010 block invalid packets':
|
||||
chain => 'PREROUTING',
|
||||
table => 'mangle',
|
||||
proto => 'all',
|
||||
ctstate => 'INVALID',
|
||||
action => 'drop',
|
||||
}
|
||||
|
||||
firewall {'020 block not-syn new packets':
|
||||
chain => 'PREROUTING',
|
||||
table => 'mangle',
|
||||
proto => 'tcp',
|
||||
ctstate => 'NEW',
|
||||
tcp_flags => '! SYN,RST,ACK,FIN SYN',
|
||||
action => 'drop',
|
||||
}
|
||||
|
||||
firewall {'030 block uncommon mss values':
|
||||
chain => 'PREROUTING',
|
||||
table => 'mangle',
|
||||
proto => 'tcp',
|
||||
ctstate => 'NEW',
|
||||
mss => '! 536:65535',
|
||||
action => 'drop',
|
||||
}
|
||||
|
||||
firewall {'040 block packets with bogus tcp flags':
|
||||
chain => 'PREROUTING',
|
||||
table => 'mangle',
|
||||
proto => 'tcp',
|
||||
tcp_flags => 'FIN,SYN,RST,PSH,ACK,URG NONE',
|
||||
action => 'drop',
|
||||
}
|
||||
|
||||
firewall {'050 block packets with bogus tcp flags':
|
||||
chain => 'PREROUTING',
|
||||
table => 'mangle',
|
||||
proto => 'tcp',
|
||||
tcp_flags => 'FIN,SYN FIN,SYN',
|
||||
action => 'drop',
|
||||
}
|
||||
|
||||
firewall {'060 block packets with bogus tcp flags':
|
||||
chain => 'PREROUTING',
|
||||
table => 'mangle',
|
||||
proto => 'tcp',
|
||||
tcp_flags => 'SYN,RST SYN,RST',
|
||||
action => 'drop',
|
||||
}
|
||||
|
||||
firewall {'070 block packets with bogus tcp flags':
|
||||
chain => 'PREROUTING',
|
||||
table => 'mangle',
|
||||
proto => 'tcp',
|
||||
tcp_flags => 'SYN,FIN SYN,FIN',
|
||||
action => 'drop',
|
||||
}
|
||||
|
||||
firewall {'080 block packets with bogus tcp flags':
|
||||
chain => 'PREROUTING',
|
||||
table => 'mangle',
|
||||
proto => 'tcp',
|
||||
tcp_flags => 'FIN,RST FIN,RST',
|
||||
action => 'drop',
|
||||
}
|
||||
|
||||
firewall {'090 block packets with bogus tcp flags':
|
||||
chain => 'PREROUTING',
|
||||
table => 'mangle',
|
||||
proto => 'tcp',
|
||||
tcp_flags => 'FIN,ACK FIN',
|
||||
action => 'drop',
|
||||
}
|
||||
|
||||
firewall {'100 block packets with bogus tcp flags':
|
||||
chain => 'PREROUTING',
|
||||
table => 'mangle',
|
||||
proto => 'tcp',
|
||||
tcp_flags => 'ACK,URG URG',
|
||||
action => 'drop',
|
||||
}
|
||||
|
||||
firewall {'110 block packets with bogus tcp flags':
|
||||
chain => 'PREROUTING',
|
||||
table => 'mangle',
|
||||
proto => 'tcp',
|
||||
tcp_flags => 'ACK,FIN FIN',
|
||||
action => 'drop',
|
||||
}
|
||||
|
||||
firewall {'120 block packets with bogus tcp flags':
|
||||
chain => 'PREROUTING',
|
||||
table => 'mangle',
|
||||
proto => 'tcp',
|
||||
tcp_flags => 'ACK,PSH PSH',
|
||||
action => 'drop',
|
||||
}
|
||||
|
||||
firewall {'130 block packets with bogus tcp flags':
|
||||
chain => 'PREROUTING',
|
||||
table => 'mangle',
|
||||
proto => 'tcp',
|
||||
tcp_flags => 'ALL ALL',
|
||||
action => 'drop',
|
||||
}
|
||||
|
||||
firewall {'140 block packets with bogus tcp flags':
|
||||
chain => 'PREROUTING',
|
||||
table => 'mangle',
|
||||
proto => 'tcp',
|
||||
tcp_flags => 'ALL NONE',
|
||||
action => 'drop',
|
||||
}
|
||||
|
||||
firewall {'150 block packets with bogus tcp flags':
|
||||
chain => 'PREROUTING',
|
||||
table => 'mangle',
|
||||
proto => 'tcp',
|
||||
tcp_flags => 'ALL FIN,PSH,URG',
|
||||
action => 'drop',
|
||||
}
|
||||
|
||||
firewall {'160 block packets with bogus tcp flags':
|
||||
chain => 'PREROUTING',
|
||||
table => 'mangle',
|
||||
proto => 'tcp',
|
||||
tcp_flags => 'ALL SYN,FIN,PSH,URG',
|
||||
action => 'drop',
|
||||
}
|
||||
|
||||
firewall {'170 block packets with bogus tcp flags':
|
||||
chain => 'PREROUTING',
|
||||
table => 'mangle',
|
||||
proto => 'tcp',
|
||||
tcp_flags => 'ALL SYN,RST,ACK,FIN,URG',
|
||||
action => 'drop',
|
||||
}
|
||||
}
|
||||
|
||||
}
|
||||
|
|
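Review bot: Three of the new mangle/PREROUTING rules are exact duplicates of earlier ones and should be dropped: `070 SYN,FIN SYN,FIN` repeats `050 FIN,SYN FIN,SYN`, `110 ACK,FIN FIN` repeats `090 FIN,ACK FIN`, and `140 ALL NONE` repeats `040 FIN,SYN,RST,PSH,ACK,URG NONE` (ALL is that same six-flag mask). Every TCP packet that reaches the host walks this chain, so redundant rules add per-packet cost exactly where the commit is trying to shed load during an attack. The `!` negation in `tcp_flags` (rule 020) and in `mss` (rule 030), and the `mss` parameter itself, are only accepted by newer puppetlabs-firewall releases, so confirm the module version pinned for this deployment parses them rather than failing the catalog. No `provider` is set, so these rules presumably land only in IPv4 iptables; if the controllers accept IPv6 traffic an `ip6tables` twin of the block is needed. The enclosing class `osnailyfacter::firewall::firewall` begins outside the hunk; the final `}` appears to close it.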