net.ipv4.ip_forward = 1
net.ipv4.ip_dynaddr = 1
+
net.ipv4.icmp_echo_ignore_broadcasts = 1
net.ipv4.icmp_ignore_bogus_error_responses = 1
+net.ipv4.icmp_ratemask = 88089
net.ipv4.tcp_syncookies = 1
net.ipv4.tcp_fin_timeout = 30
&General::readhasharray($configgrp, \%customgrp);
&General::get_aliases(\%aliases);
+my @log_limit_options = &make_log_limit_options();
+
# MAIN
&main();
}
if ($LOG) {
- run("$IPTABLES -t nat -A $CHAIN_NAT_DESTINATION @nat_options -j LOG --log-prefix 'DNAT '");
+ run("$IPTABLES -t nat -A $CHAIN_NAT_DESTINATION @nat_options @log_limit_options -j LOG --log-prefix 'DNAT '");
}
run("$IPTABLES -t nat -A $CHAIN_NAT_DESTINATION @nat_options -j DNAT --to-destination $dnat_address");
push(@nat_options, @destination_options);
if ($LOG) {
- run("$IPTABLES -t nat -A $CHAIN_NAT_SOURCE @nat_options -j LOG --log-prefix 'SNAT '");
+ run("$IPTABLES -t nat -A $CHAIN_NAT_SOURCE @nat_options @log_limit_options -j LOG --log-prefix 'SNAT '");
}
run("$IPTABLES -t nat -A $CHAIN_NAT_SOURCE @nat_options -j SNAT --to-source $nat_address");
}
# Insert firewall rule.
if ($LOG && !$NAT) {
- run("$IPTABLES -A $chain @options -j LOG");
+ run("$IPTABLES -A $chain @options @log_limit_options -j LOG --log-prefix '$chain '");
}
run("$IPTABLES -A $chain @options -j $target");
}
run("$IPTABLES -t mangle -A $CHAIN_MANGLE_NAT_DESTINATION_FIX @mangle_options");
}
}
+
+sub make_log_limit_options {
+ my @options = ("-m", "limit");
+
+ # Maybe we should get this from the configuration.
+ my $limit = 10;
+
+ # We limit log messages to $limit messages per minute.
+ push(@options, ("--limit", "$limit/min"));
+
+ # And we allow bursts of 2x $limit.
+ push(@options, ("--limit-burst", $limit * 2));
+
+ return @options;
+}
my $val=shift;
my $hash=shift;
if($optionsfw{'SHOWCOLORS'} eq 'on'){
+ # Don't colourise MAC addresses
+ if (&General::validmac($val)) {
+ $tdcolor = "";
+ return;
+ }
+
#custom Hosts
if ($nettype eq 'cust_host_src' || $nettype eq 'cust_host_tgt'){
foreach my $key (sort keys %$hash){