I have completely revised the script (Syn flood protection for FORWARD? - #104 by xxxx): all addresses that do not have a recognized connection and exceed the set limits on the WAN port end up on a blacklist (except for ICMP, where it makes no sense in my opinion), and these IPs are completely blocked for the set time. There is now also an exception field for IPv6 addresses/networks (forward_router_IpV6). If someone wants to test it, here are the instructions:
- save the script
- transfer it with scp or a Windows replacement to /etc/config/test.sh
- edit /etc/config/firewall with nano or vim and add there:

```
config include
	option enabled '1'
	option type 'script'
	option path '/etc/config/test.sh'
	option fw4_compatible '1'
```

- edit /etc/config/test.sh at the top with nano or vim and activate the desired functions
- with `fw4 restart` the script is activated, and it is loaded every time the firewall is started or reloaded
Here is the script: https://github.com/xxxx81/ddos-drop.sh/tree/testing
If you find any errors or have any suggestions for improvement, you can post them here in the thread.
Update:
- added an IP address list with a short timeout to make the rules more precise
- most conntrack-based rules now use ct status instead of ct state, which is more precise for the rules and seems to be a bit faster
- incoming IP addresses that use ICMP excessively now go to the timed droplist (icmp_limit_drop; the value should be higher than icmp_limit)
Update2:
- recognition modified: only the first (at most 3) packets are accepted; if they do not trigger the conntrack status seen-reply, the following packets are blocked, and if the set limit is exceeded the address is put on the block list
- added a rule to block outgoing ICMP reply packets in the postrouting hook
- new option ingress_hook_drop added, whereby the IPs on the blocklist are immediately blocked in the ingress hook; when activated, it checks whether the ingress hook exists and sees data (in my case the ingress hook exists but does not see any data passing through)
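To illustrate the mechanism described in this thread (a per-source meter with a short timeout, ct status seen-reply as the "recognized connection" test, a self-expiring blocklist and an IPv6 exception set), here is an added nftables example; it is not the author's script, it covers TCP only, and the table name, WAN interface name, limits and the example prefix are assumptions to adapt:

```nft
#!/usr/sbin/nft -f
# Added example, not the thread author's ddos-drop.sh. Own table so it does
# not clash with fw4's "inet fw4" table; interface name and limits are
# assumptions. Packets of WAN flows the inside host has not answered yet
# (no ct status seen-reply) are metered per source; over the limit the
# source lands in a blocklist set whose entries expire on their own.
define wan_iface = "eth1"        # assumption: WAN interface name

table inet synguard {
    # blocklists: entries time out after 10 minutes without a refresh
    set blocklist_v4 { type ipv4_addr; size 65535; flags dynamic, timeout; timeout 10m; }
    set blocklist_v6 { type ipv6_addr; size 65535; flags dynamic, timeout; timeout 10m; }
    # short-lived per-source meters (the thread's "short timeout" list)
    set meter_v4 { type ipv4_addr; size 65535; flags dynamic, timeout; timeout 30s; }
    set meter_v6 { type ipv6_addr; size 65535; flags dynamic, timeout; timeout 30s; }
    # IPv6 networks that are never listed (the forward_router_IpV6 exception);
    # 2001:db8::/32 is a documentation prefix, replace it with your own
    set forward_router_ipv6 { type ipv6_addr; flags interval; elements = { 2001:db8:1::/64 } }

    chain forward {
        # priority -10 runs before fw4's own forward chain (priority 0);
        # an accept here only ends this chain, fw4 still gets its say
        type filter hook forward priority -10; policy accept;
        # already listed sources: drop before anything else sees the packet
        iifname $wan_iface ip saddr @blocklist_v4 counter drop
        iifname $wan_iface ip6 saddr @blocklist_v6 counter drop
        # trusted IPv6 sources and flows the inside host has replied to are
        # not metered at all
        iifname $wan_iface ip6 saddr @forward_router_ipv6 accept
        iifname $wan_iface ct status seen-reply accept
        # unanswered TCP flows: count per source, above 30 packets/second the
        # source is added to the blocklist and the packet is dropped
        iifname $wan_iface meta l4proto tcp add @meter_v4 { ip saddr limit rate over 30/second } add @blocklist_v4 { ip saddr } counter drop
        iifname $wan_iface meta l4proto tcp add @meter_v6 { ip6 saddr limit rate over 30/second } add @blocklist_v6 { ip6 saddr } counter drop
    }
}
```

Load it with `nft -f` from an fw4 include script and watch the sets fill with `nft list set inet synguard blocklist_v4`; because `accept` in this table does not bypass fw4, the normal zone rules still apply to everything that is not dropped here.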