diff mbox series

[3/6] firewall: Enable SYNPROXY for untracked packets

Message ID 20240418211144.3318938-3-michael.tremer@ipfire.org
State New
Headers
Series [1/6] firewall: Split CONNTRACK chain |

Commit Message

Michael Tremer April 18, 2024, 9:11 p.m. UTC 
  This enables some DoS protection using SYNPROXY which will complete a
SYN handshake with the client before the connection is being forwarded.

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
---
 src/initscripts/system/firewall | 16 ++++++++++++++++
 1 file changed, 16 insertions(+)
diff mbox series

Patch

diff --git a/src/initscripts/system/firewall b/src/initscripts/system/firewall
index 054d58c01..1250b9ff4 100644
--- a/src/initscripts/system/firewall
+++ b/src/initscripts/system/firewall
@@ -46,6 +46,20 @@  IPS_BYPASS_MASK="0x40000000"
 
 IPSET_DB_DIR="/var/lib/location/ipset"
 
+SYNPROXY_OPTIONS=(
+	# Allow clients to use Selective ACKs
+	"--sack-perm"
+
+	# Allow TCP Timestamps
+	#"--timestamp"
+
+	# Window Scaling
+	"--wscale" "9"
+
+	# Maximum Segment Size
+	"--mss" "1460"
+)
+
 function iptables() {
 	/sbin/iptables --wait "$@"
 }
@@ -151,6 +165,8 @@  iptables_init() {
 
 	iptables -N CTINPUT
 	iptables -A CTINPUT -m conntrack --ctstate ESTABLISHED -j ACCEPT
+	iptables -A CTINPUT -m conntrack --ctstate INVALID,UNTRACKED \
+		-p tcp -j SYNPROXY "${SYNPROXY_OPTIONS[@]}"
 	iptables -A CTINPUT -m conntrack --ctstate INVALID -j CTINVALID
 	iptables -A CTINPUT -p icmp -m conntrack --ctstate RELATED -j ACCEPT