diff --git a/Shorewall/Limit b/Shorewall/Limit new file mode 100644 index 000000000..3e7e68d60 --- /dev/null +++ b/Shorewall/Limit @@ -0,0 +1,22 @@ +# +# Shorewall version 3.0 -- Extension Script to create Limit action. +# +# /usr/share/shorewall/Limit +############################################################################## + +set -- $(separate_list $TAG) + +[ $# -eq 3 ] || fatal_error "Rule must include ,, as the log tag" + +run_iptables -A $CHAIN -m recent --name $1 --set + +if [ -n "$LEVEL" ]; then + run_iptables -N $CHAIN% + log_rule_limit $LEVEL $CHAIN% $1 DROP "" "" -A + run_iptables -A $CHAIN% -j DROP + run_iptables -A $CHAIN -m recent --name $1 --update --seconds $3 --hitcount $(( $2 + 1 )) -j $CHAIN% +else + run_iptables -A $CHAIN -m recent --update --name $1 --seconds $3 --hitcount $(( $2 + 1 )) -j DROP +fi + +run_iptables -A $CHAIN -j ACCEPT diff --git a/Shorewall/action.Limit b/Shorewall/action.Limit new file mode 100644 index 000000000..251985021 --- /dev/null +++ b/Shorewall/action.Limit @@ -0,0 +1,29 @@ +# +# Shorewall version 3.0 - Limit Action +# +# /usr/share/shorewall/action.Limit +# +# Invoke this action as follows: +# +# Limit::,, +# +# Where: +# +# = none, if you don't want rejected packets dropped +# = A log level otherwise. +# = The name you want to assign to the +# 'recent set' that tracks this rate +# / = The rate at which you are willing to accept +# connections +# Example: +# Limit:info:SSHA,3,60 Logs at the info level, uses a recent set +# named "SSHA" and accepts connections at a +# maximum rate of 3/minute. +# +############################################################################### +#TARGET SOURCE DEST PROTO DPORT SPORT +# +# This action has no rules. It is created entirely by the Limit extension +# script /usr/share/shorewall/Limit +# +#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE diff --git a/Shorewall/actions.std b/Shorewall/actions.std index 9ae215dc4..f3e666895 100644 --- a/Shorewall/actions.std +++ b/Shorewall/actions.std @@ -23,6 +23,7 @@ # ############################################################################### #ACTION -Drop:DROP # Common Action for DROP policy -Reject:REJECT # Common Action for REJECT policy +Drop:DROP # Common Action for DROP policy +Reject:REJECT # Common Action for REJECT policy +Limit # Limit the rate of connections from each individual IP #LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE diff --git a/Shorewall/changelog.txt b/Shorewall/changelog.txt index 3cfb0f715..56470a0b9 100755 --- a/Shorewall/changelog.txt +++ b/Shorewall/changelog.txt @@ -2,6 +2,8 @@ Changes in 3.0.4 1) Console-friendly version of shorewall.conf. +2) Add 'Limit' as a standard action. + Changes in 3.0.3 1) Implement "shorewall show macros" diff --git a/Shorewall/install.sh b/Shorewall/install.sh index 94e7a1b32..66a80b538 100755 --- a/Shorewall/install.sh +++ b/Shorewall/install.sh @@ -577,6 +577,9 @@ for f in action.* ; do echo echo "Action ${f#*.} file installed as ${PREFIX}/usr/share/shorewall/$f" done + +install_file Limit ${PREFIX}/usr/share/shorewall/Limit 0600 +echo "Limit action extension script installed as ${PREFIX}/usr/share/shorewall/Limit" # # Install the Macro files # diff --git a/Shorewall/shorewall b/Shorewall/shorewall index 3005600e7..19a70a892 100755 --- a/Shorewall/shorewall +++ b/Shorewall/shorewall @@ -911,15 +911,15 @@ case "$1" in report_capabilities ;; actions) - echo "allowBcast #Silently Allow Broadcast/multicast" - echo "dropBcast #Silently Drop Broadcast/multicast" - echo "dropNotSyn #Silently Drop Non-syn TCP packets" - echo "rejNotSyn #Silently Reject Non-syn TCP packets" - echo "dropInvalid #Silently Drop packets that are in the INVALID conntrack state" - echo "allowInvalid #Accept packets that are in the INVALID conntrack state." - echo "allowoutUPnP #Allow traffic from local command 'upnpd'" - echo "allowinUPnP #Allow UPnP inbound (to firewall) traffic" - echo "forwardUPnP #Allow traffic that upnpd has redirected from" + echo "allowBcast # Silently Allow Broadcast/multicast" + echo "dropBcast # Silently Drop Broadcast/multicast" + echo "dropNotSyn # Silently Drop Non-syn TCP packets" + echo "rejNotSyn # Silently Reject Non-syn TCP packets" + echo "dropInvalid # Silently Drop packets that are in the INVALID conntrack state" + echo "allowInvalid # Accept packets that are in the INVALID conntrack state." + echo "allowoutUPnP # Allow traffic from local command 'upnpd'" + echo "allowinUPnP # Allow UPnP inbound (to firewall) traffic" + echo "forwardUPnP # Allow traffic that upnpd has redirected from" cat /usr/share/shorewall/actions.std /etc/shorewall/actions | grep -Ev '^\#|^$' ;; macros) diff --git a/Shorewall/shorewall.spec b/Shorewall/shorewall.spec index 61c095ed4..193e1780e 100644 --- a/Shorewall/shorewall.spec +++ b/Shorewall/shorewall.spec @@ -106,11 +106,13 @@ fi %attr(0600,root,root) /usr/share/shorewall/version %attr(0600,root,root) /usr/share/shorewall/actions.std %attr(0600,root,root) /usr/share/shorewall/action.Drop +%attr(0600,root,root) /usr/share/shorewall/action.Limit %attr(0600,root,root) /usr/share/shorewall/action.Reject %attr(0600,root,root) /usr/share/shorewall/action.template %attr(0444,root,root) /usr/share/shorewall/functions %attr(0544,root,root) /usr/share/shorewall/firewall %attr(0544,root,root) /usr/share/shorewall/help +%attr(0600,root,root) /usr/share/shorewall/Limit %attr(0600,root,root) /usr/share/shorewall/macro.AllowICMPs %attr(0600,root,root) /usr/share/shorewall/macro.Amanda %attr(0600,root,root) /usr/share/shorewall/macro.Auth @@ -146,7 +148,7 @@ fi %attr(0600,root,root) /usr/share/shorewall/macro.SVN %attr(0600,root,root) /usr/share/shorewall/macro.Syslog %attr(0600,root,root) /usr/share/shorewall/macro.Telnet -%attr(0600,root,root) /usr/share/shorewall/macro.template +%attr(0600,root,root) /usr/share/shorewall/macro.template% %attr(0600,root,root) /usr/share/shorewall/macro.Trcrt %attr(0600,root,root) /usr/share/shorewall/macro.VNC %attr(0600,root,root) /usr/share/shorewall/macro.VNCL @@ -158,6 +160,8 @@ fi %doc COPYING INSTALL changelog.txt releasenotes.txt tunnel ipsecvpn Samples %changelog +* Thu Dec 15 2005 Tom Eastep tom@shorewall.net +- Add Limit action * Mon Dec 12 2005 Tom Eastep tom@shorewall.net - Updated to 3.0.3-1 * Tue Nov 22 2005 Tom Eastep tom@shorewall.net