#!/bin/bash
#
# last modified 2021.11.24
#
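set -o nounset
set -o errexit
set -o pipefail
#set -o noclobber
set -o noglob

#######################################
# nftables firewall loader for the soekris router.
#
# Usage: nft.load.soekris.sh {start|stop|reload}
#   start  - apply kernel network hardening, load the ruleset from
#            ${NFTRULES}, then enable IPv4/IPv6 forwarding
#   stop   - disable forwarding, back up the live ruleset, then load
#            ${NFTFLUSHED} (expected to flush the ruleset)
#   reload - back up the live ruleset, then re-read ${NFTRULES}
# Must run as root: it writes /proc/sys and replaces the kernel ruleset.
#######################################

#WORLD="enp5s0"
#MEDIALAN="br0"
#GUESTW="enp11s0"

readonly NFTRULES="/etc/firewall/nft.nelly.soekris"
readonly NFTFLUSHED="/etc/firewall/nft_flushed"
# One backup per calendar day: a second stop/reload on the same day
# overwrites the earlier backup file.
BACKUP="${NFTRULES}_bak_$(date -I)"
readonly BACKUP

# Abort with a readable message if nft is not installed; under errexit a
# bare failed substitution would otherwise kill the script silently.
NFT=$(command -v nft) || { printf '%s: nft not found in PATH\n' "$0" >&2; exit 1; }
readonly NFT

# Print the usage line to stderr.
usage() {
  printf 'unknown argument\nsyntax is: %s {start|stop|reload}\n' "$0" >&2
}

# Write one kernel tunable: $1 = value, $2 = /proc/sys path.
set_proc() {
  printf '%s\n' "$1" > "$2"
}

# Kernel network hardening, applied before the ruleset goes live.
apply_proc_settings() {
  ### rate-limit ICMP replies
  set_proc 10 /proc/sys/net/ipv4/icmp_ratelimit
  set_proc 10 /proc/sys/net/ipv6/icmp/ratelimit
  ### memory and timing for IP de-/fragmentation
  #set_proc 262144 /proc/sys/net/ipv4/ipfrag_high_thresh
  set_proc 196608 /proc/sys/net/ipv4/ipfrag_low_thresh
  set_proc 30 /proc/sys/net/ipv4/ipfrag_time
  #set_proc 262144 /proc/sys/net/ipv6/ip6frag_high_thresh
  set_proc 196608 /proc/sys/net/ipv6/ip6frag_low_thresh
  set_proc 30 /proc/sys/net/ipv6/ip6frag_time
  ### shorter FIN-WAIT-2 timeout against connection-exhaustion DoS
  set_proc 30 /proc/sys/net/ipv4/tcp_fin_timeout
  ### TCP retransmission thresholds
  set_proc 3 /proc/sys/net/ipv4/tcp_retries1
  set_proc 15 /proc/sys/net/ipv4/tcp_retries2
  ### drop source-routed packets (only needs setting once per family)
  set_proc 0 /proc/sys/net/ipv4/conf/all/accept_source_route
  set_proc 0 /proc/sys/net/ipv6/conf/all/accept_source_route
  ### ignore bogus ICMP error responses
  set_proc 1 /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses
  ### do not accept ICMP redirects (a neighbour could rewrite our routes)
  set_proc 0 /proc/sys/net/ipv4/conf/all/accept_redirects
  set_proc 0 /proc/sys/net/ipv6/conf/all/accept_redirects
}

# Enable (1) or disable (0) IPv4 and IPv6 forwarding; $1 = the value.
set_forwarding() {
  set_proc "$1" /proc/sys/net/ipv4/ip_forward
  set_proc "$1" /proc/sys/net/ipv6/conf/all/forwarding
}

# Save the live ruleset to ${BACKUP} as a loadable nft file; the leading
# "flush ruleset" makes re-applying the backup replace rather than append.
backup_ruleset() {
  printf 'flush ruleset\n' > "${BACKUP}"
  "${NFT}" list ruleset >> "${BACKUP}"
}

# Default to empty so a missing argument reaches the usage message instead
# of tripping nounset.
action="${1:-}"
case "${action}" in
  start|stop|reload) ;;
  *)
    usage
    exit 1
    ;;
esac

# Fail early with a clear message instead of a permission error on the
# first /proc write.
if [[ ${EUID} -ne 0 ]]; then
  printf '%s: must be run as root\n' "$0" >&2
  exit 1
fi

case "${action}" in
  start)
    apply_proc_settings
    # Load the ruleset BEFORE enabling forwarding: enabling it first would
    # route traffic through whatever ruleset is currently loaded (possibly
    # the flushed one from 'stop'), and under errexit a rejected ruleset now
    # leaves forwarding switched off.
    "${NFT}" -f "${NFTRULES}"
    set_forwarding 1
    ;;
  stop)
    echo "stopping firewall"
    # Forwarding off first, so nothing is routed once the rules are gone.
    set_forwarding 0
    backup_ruleset
    # NOTE: after this the host itself has no packet filter (assuming
    # ${NFTFLUSHED} only flushes); 'reload' or 'start' brings the rules back.
    "${NFT}" -f "${NFTFLUSHED}"
    ;;
  reload)
    echo "reloading firewall"
    backup_ruleset
    # Re-read the ruleset file, not the backup just written: loading the
    # backup would only re-apply the rules already running and never pick up
    # edits to ${NFTRULES}.
    "${NFT}" -f "${NFTRULES}"
    ;;
esac
exit 0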