add a limit on the number of new connections per second to prevent hosts on the lan...

SVN-Revision: 6229

diff --git a/openwrt/package/iptables/files/firewall.init b/openwrt/package/iptables/files/firewall.init
index 71e503613576ddc5186abe9566d62b87c44b1c38..7f161c9967e5108f460270fa1e7e2e786ea898d5 100755 (executable)
--- a/openwrt/package/iptables/files/firewall.init
+++ b/openwrt/package/iptables/files/firewall.init
@@ -19,6 +19,7 @@ iptables -N output_rule
 iptables -N forwarding_rule
 iptables -N forwarding_wan
 
+iptables -t nat -N NEW
 iptables -t nat -N prerouting_wan
 iptables -t nat -N prerouting_rule
 iptables -t nat -N postrouting_rule
@@ -95,12 +96,16 @@ iptables -A LAN_ACCEPT -j ACCEPT
   # uses the default -P DROP
 
 ### MASQ
+  iptables -t nat -A PREROUTING -m state --state NEW -j NEW
   iptables -t nat -A PREROUTING -j prerouting_rule
   iptables -t nat -A PREROUTING -i $WAN -j prerouting_wan
 
   iptables -t nat -A POSTROUTING -j postrouting_rule
   iptables -t nat -A POSTROUTING -o $WAN -j MASQUERADE
 
+  iptables -t nat -A NEW -m limit --limit 50 --limit-burst 100 -j RETURN && \
+       iptables -t nat -A NEW -j DROP
+
 ## USER RULES
 [ -f /etc/firewall.user ] && . /etc/firewall.user
 [ -e /etc/config/firewall ] && {

diff --git a/openwrt/target/linux/linux-2.4/config/brcm b/openwrt/target/linux/linux-2.4/config/brcm
index 3c25bd2741953d87d2cf7fa77c89b1be362eb75e..d1bfc8e6dca3ed5c9200e44710aa7b764b48c797 100644 (file)
--- a/openwrt/target/linux/linux-2.4/config/brcm
+++ b/openwrt/target/linux/linux-2.4/config/brcm
@@ -363,7 +363,7 @@ CONFIG_IP_NF_H323=m
 CONFIG_IP_NF_RTSP=m
 CONFIG_IP_NF_QUEUE=m
 CONFIG_IP_NF_IPTABLES=y
-CONFIG_IP_NF_MATCH_LIMIT=m
+CONFIG_IP_NF_MATCH_LIMIT=y
 CONFIG_IP_NF_MATCH_MAC=m
 CONFIG_IP_NF_MATCH_PKTTYPE=m
 CONFIG_IP_NF_MATCH_MARK=y