Hi!
How to prevent abuse of guest zones?
// edit: new approach
Make use of the extra option and the hashlimit module.
/etc/config/firewall

config rule
	option name 'Guest-Accept-Input-DNS'
	option family 'ipv4'
	option proto 'tcpudp'
	option src 'guest'
	option dest_ip 'x.x.x.x'
	option dest_port '53'
	option extra '-m hashlimit --hashlimit-upto 1/sec --hashlimit-burst 50 --hashlimit-mode srcip --hashlimit-name guest_input_dns'
	option target 'ACCEPT'

config rule
	option name 'Guest-Accept-Input-DHCP'
	option family 'ipv4'
	option proto 'udp'
	option src 'guest'
	option dest_port '67'
	option extra '-m hashlimit --hashlimit-upto 1/sec --hashlimit-mode srcip --hashlimit-name guest_input_dhcp'
	option target 'ACCEPT'

config rule
	option name 'Guest-Accept-Input-IGMP'
	option family 'ipv4'
	option proto 'igmp'
	option src 'guest'
	option extra '-m hashlimit --hashlimit-upto 1/sec --hashlimit-mode srcip --hashlimit-name guest_input_igmp'
	option target 'ACCEPT'

config rule
	option name 'Guest-Accept-Input-ICMP-Echo-Request'
	option family 'ipv4'
	option proto 'icmp'
	list icmp_type 'echo-request'
	option src 'guest'
	option dest_ip 'x.x.x.x'
	option extra '-m hashlimit --hashlimit-upto 1/sec --hashlimit-burst 30 --hashlimit-mode srcip --hashlimit-name guest_input_icmp --hashlimit-htable-expire 30000'
	option target 'ACCEPT'

config rule
	option name 'Guest-Accept-Forward-SSDP-To-Lan'
	option family 'ipv4'
	option proto 'udp'
	option src 'guest'
	option dest 'lan'
	option dest_ip '239.255.255.250'
	option dest_port '1900'
	option extra '-m hashlimit --hashlimit-upto 1/sec --hashlimit-mode srcip --hashlimit-name guest_forward_ssdp'
	option target 'ACCEPT'

config rule
	option name 'Guest-Accept-Forward-HTTP-To-Lan'
	option family 'ipv4'
	option proto 'tcp'
	option src 'guest'
	option dest 'lan'
	option dest_ip 'x.x.x.x'
	option dest_port '80'
	option extra '-m connlimit --connlimit-upto 20 --connlimit-mask 32 --connlimit-saddr'
	option target 'ACCEPT'
/etc/firewall.user

# Assumed: IPT names the iptables binary if the include environment does not already export it
IPT=${IPT:-iptables}

# Custom chains: -N fails harmlessly on reload if the chain already exists, -F empties it
$IPT -t filter -N RATE_LIMIT_FORWARD 2>/dev/null
$IPT -t filter -N RATE_LIMIT_REJ 2>/dev/null
$IPT -t filter -F RATE_LIMIT_FORWARD
$IPT -t filter -F RATE_LIMIT_REJ

# Hook into fw3's forwarding_rule chain: everything forwarded out of eth1 passes the limit chain
$IPT -t filter -A forwarding_rule -o eth1 -j RATE_LIMIT_FORWARD

# Log at most 20 rejects per minute, then hand off to fw3's "reject" chain
$IPT -t filter -A RATE_LIMIT_REJ -m limit --limit 20/min -j LOG --log-prefix "IPTables-Rejected: "
$IPT -t filter -A RATE_LIMIT_REJ -j reject

### Split global max connection limit over zones (counted per /24, i.e. per zone subnet)
$IPT -t filter -A RATE_LIMIT_FORWARD -i br-lan -s 10.0.0.0/24 -m connlimit --connlimit-above 8192 --connlimit-mask 24 --connlimit-saddr -j RATE_LIMIT_REJ
$IPT -t filter -A RATE_LIMIT_FORWARD -i br-isolated -s 10.0.1.0/24 -m connlimit --connlimit-above 8192 --connlimit-mask 24 --connlimit-saddr -j RATE_LIMIT_REJ

### Max 1000 connections per host (counted per /32, i.e. per source address)
$IPT -t filter -A RATE_LIMIT_FORWARD -m connlimit --connlimit-above 1000 --connlimit-mask 32 --connlimit-saddr -j RATE_LIMIT_REJ

## Limit outgoing ICMP requests per second and source; the hashlimit entry expires after 30 s of silence
$IPT -t filter -A RATE_LIMIT_FORWARD -p icmp -m hashlimit --hashlimit-above 1/sec --hashlimit-burst 30 --hashlimit-mode srcip --hashlimit-name all_forward_icmp_to_wan --hashlimit-htable-expire 30000 -j RATE_LIMIT_REJ
What are "good" values here?
For the rules that enforce connections/packets per second globally, maybe also add dstport to them?
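As an added example that is not part of the original post and not OpenWrt's own tooling: a small Python script that parses a UCI firewall config, picks out the ACCEPT rules whose src is the guest zone, and reports what per-source limit each one carries in its extra option, or flags the rule as unthrottled. The sample config is constructed (the first two rules mirror the post, the NTP rule is made up to show a rule without a limit); parse_uci, parse_limit, audit_zone and describe are the example's own names.

```python
"""Audit an OpenWrt /etc/config/firewall for guest ACCEPT rules with and without per-source limits."""
import shlex

# Constructed sample: the first two rules follow the post, the NTP rule is made
# up to show how an unthrottled guest rule shows up in the report.
SAMPLE_FIREWALL = """\
config rule
	option name 'Guest-Accept-Input-DNS'
	option src 'guest'
	option dest_port '53'
	option extra '-m hashlimit --hashlimit-upto 1/sec --hashlimit-burst 50 --hashlimit-mode srcip --hashlimit-name guest_input_dns'
	option target 'ACCEPT'

config rule
	option name 'Guest-Accept-Forward-HTTP-To-Lan'
	option src 'guest'
	option dest 'lan'
	option dest_port '80'
	option extra '-m connlimit --connlimit-upto 20 --connlimit-mask 32 --connlimit-saddr'
	option target 'ACCEPT'

config rule
	option name 'Guest-Accept-Input-NTP'
	option src 'guest'
	option dest_port '123'
	option target 'ACCEPT'
"""

RATE_UNITS = {"second": 1, "minute": 60, "hour": 3600, "day": 86400}  # hashlimit accepts prefixes (sec, min)
FLAG_OPTIONS = {"connlimit-saddr", "connlimit-daddr"}  # match options that take no value


def parse_uci(text):
    """Minimal UCI parser: one dict per 'config <type>' section."""
    sections, current = [], None
    for raw in text.splitlines():
        parts = shlex.split(raw)
        if not parts or parts[0].startswith("#"):
            continue
        if parts[0] == "config":
            current = {".type": parts[1]}
            sections.append(current)
        elif current is not None and parts[0] in ("option", "list"):
            key, value = parts[1], parts[2] if len(parts) > 2 else ""
            if parts[0] == "list":
                current.setdefault(key, []).append(value)
            else:
                current[key] = value
    return sections


def rate_per_second(rate):
    """'1/sec' or '30/min' -> events per second (no unit means per second)."""
    amount, _, unit = rate.partition("/")
    full = next(u for u in RATE_UNITS if u.startswith(unit or "second"))
    return float(amount) / RATE_UNITS[full]


def parse_limit(extra):
    """Extract hashlimit/connlimit settings from an 'extra' string, else None."""
    opts, argv, i = {}, shlex.split(extra or ""), 0
    while i < len(argv):
        key = argv[i][2:] if argv[i].startswith("--") else None
        if key and key not in FLAG_OPTIONS and i + 1 < len(argv):
            opts[key] = argv[i + 1]
            i += 1
        i += 1
    rate = opts.get("hashlimit-upto") or opts.get("hashlimit-above")
    if rate:  # token bucket per key: sustained rate plus an initial burst (iptables default 5)
        return {"kind": "hashlimit", "per_sec": rate_per_second(rate),
                "burst": int(opts.get("hashlimit-burst", 5)), "mode": opts.get("hashlimit-mode", "global")}
    conns = opts.get("connlimit-upto") or opts.get("connlimit-above")
    if conns:  # concurrent connections per address block
        return {"kind": "connlimit", "max_conns": int(conns), "mask": int(opts.get("connlimit-mask", 32))}
    return None


def audit_zone(text, zone="guest"):
    """Split ACCEPT rules whose src is `zone` into (limited, unlimited)."""
    limited, unlimited = [], []
    for sec in parse_uci(text):
        if sec.get(".type") != "rule" or sec.get("src") != zone or sec.get("target", "").upper() != "ACCEPT":
            continue
        entry = {"name": sec.get("name", "?"), "dest": sec.get("dest", "router"),
                 "port": sec.get("dest_port", "any"), "limit": parse_limit(sec.get("extra"))}
        (limited if entry["limit"] else unlimited).append(entry)
    return limited, unlimited


def describe(limit, window=60):
    """What one source can push through in `window` seconds under this limit."""
    if limit["kind"] == "hashlimit":
        worst = limit["burst"] + limit["per_sec"] * window
        return "%d packets/%ds (%.2f/s, burst %d, per %s)" % (worst, window, limit["per_sec"], limit["burst"], limit["mode"])
    return "%d concurrent connections per /%d" % (limit["max_conns"], limit["mask"])


if __name__ == "__main__":
    limited, unlimited = audit_zone(SAMPLE_FIREWALL)
    for e in limited:
        print("limited   %-36s -> %s:%s  %s" % (e["name"], e["dest"], e["port"], describe(e["limit"])))
    for e in unlimited:
        print("UNLIMITED %-36s -> %s:%s  no hashlimit/connlimit in extra" % (e["name"], e["dest"], e["port"]))
```

Swap SAMPLE_FIREWALL for the contents of the router's /etc/config/firewall to audit a real config. The per-window figure is the one to tune against: with --hashlimit-upto 1/sec and --hashlimit-burst 50, a single guest client can still get about 110 DNS packets through in the first minute, which is what "good values" has to be judged on.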