From 4b6a730276ddf6605ee89ec0878c7c4482a64cde Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Toralf=20F=C3=B6rster?=
Date: Wed, 10 Jul 2024 21:52:49 +0200
Subject: [PATCH] add the length check rule, hard coded with ALLOW to get statistic numbers

---
 ipv4-rules.sh | 7 +++++--
 ipv6-rules.sh | 7 +++++--
 2 files changed, 10 insertions(+), 4 deletions(-)

diff --git a/ipv4-rules.sh b/ipv4-rules.sh
index 8129063..8a5901c 100755
--- a/ipv4-rules.sh
+++ b/ipv4-rules.sh
@@ -22,7 +22,10 @@ function addCommon() {
 $ipt -A INPUT -p tcp ! --syn -m state --state NEW -j $jump
 $ipt -A INPUT -m conntrack --ctstate INVALID -j $jump
 
- # do not touch established connections
+ for relay in $*; do
+ relay_2_ip_and_port
+ $ipt -A INPUT -p tcp --dst $orip --dport $orport -m length --length 40:60 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT || break
+ done
 $ipt -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
 
 # ssh
@@ -252,7 +255,7 @@ start)
 trap bailOut INT QUIT TERM EXIT
 clearRules
 setSysctlValues
- addCommon
+ addCommon ${*:-${CONFIGURED_RELAYS:-$(getConfiguredRelays)}}
 addHetzner
 additionalServices
 addTor ${*:-${CONFIGURED_RELAYS:-$(getConfiguredRelays)}}
diff --git a/ipv6-rules.sh b/ipv6-rules.sh
index 153466e..6231b92 100755
--- a/ipv6-rules.sh
+++ b/ipv6-rules.sh
@@ -29,7 +29,10 @@ function addCommon() {
 $ipt -A INPUT -p tcp ! --syn -m state --state NEW -j $jump
 $ipt -A INPUT -m conntrack --ctstate INVALID -j $jump
 
- # do not touch established connections
+ for relay in $*; do
+ relay_2_ip_and_port
+ $ipt -A INPUT -p tcp --dst $orip --dport $orport -m length --length 40:60 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT || break
+ done
 $ipt -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
 
 # ssh
@@ -236,7 +239,7 @@ case $action in
 start)
 trap bailOut INT QUIT TERM EXIT
 clearRules
- addCommon
+ addCommon ${*:-${CONFIGURED_RELAYS6:-$(getConfiguredRelays6)}}
 addHetzner
 additionalServices
 addTor ${*:-${CONFIGURED_RELAYS6:-$(getConfiguredRelays6)}}
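Review bot: The new `for relay in $*` loop drops the `# do not touch established connections` comment and leaves both the per-relay length rule and the blanket RELATED,ESTABLISHED ACCEPT that follows it undocumented, while `|| break` on the `$ipt` call silently stops adding rules for the remaining relays and lets the function carry on as if nothing failed. Because the very next line accepts the same RELATED,ESTABLISHED traffic, the per-relay rule changes no verdict and only contributes a packet counter (as the commit subject says), which is worth stating in place: `# per-ORPort counter for 40-60 byte packets on established flows; the blanket ACCEPT below makes it count-only` above the loop, and the original comment restored above the blanket ACCEPT. `$orip` and `$orport` are presumably set by `relay_2_ip_and_port`; that dependency deserves a word in the same comment. Prefer `|| return 1` (or a message on stderr) over `break` so a rejected rule is visible to the caller. addCommon starts before this hunk, and the same points apply to the addCommon hunk in ipv6-rules.sh.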
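Review bot: `addCommon ${*:-${CONFIGURED_RELAYS:-$(getConfiguredRelays)}}` re-evaluates the exact expression that `addTor` already uses two lines below, so `getConfiguredRelays` now runs twice per start and a differing or failed second result would leave addCommon and addTor with different relay lists. Evaluate it once and pass the same value to both: `relays=${*:-${CONFIGURED_RELAYS:-$(getConfiguredRelays)}}`, `addCommon $relays`, `addTor $relays`. The `start)` case arm begins before this hunk; the start hunk in ipv6-rules.sh has the same duplication with CONFIGURED_RELAYS6/getConfiguredRelays6.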
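Review bot: The `-m length --length 40:60` range is copied unchanged from ipv4-rules.sh, but the length match covers the whole IP packet and the IPv6 base header alone is 40 bytes, so under ip6tables this rule only counts packets with at most 20 bytes after the IPv6 header (a bare TCP header without options), whereas on IPv4 the same range spans a 20-byte header plus 20-40 bytes of TCP header, options or payload. If the intent is to count the same class of packets on both families, shift the IPv6 range by the 20-byte header difference (`--length 60:80`), or record the intended packet class in a comment beside the rule so the two numbers are not compared as if they measured the same thing. addCommon starts before this hunk.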