firewall: Add proper logging prefix for conntrack INVALID hits

author Peter Müller <peter.mueller@ipfire.org>

Thu, 17 Feb 2022 20:16:02 +0000 (20:16 +0000)

committer Arne Fitzenreiter <arne_f@ipfire.org>

Sat, 19 Feb 2022 08:06:36 +0000 (08:06 +0000)
author Peter Müller <peter.mueller@ipfire.org>
Thu, 17 Feb 2022 20:16:02 +0000 (20:16 +0000)
committer Arne Fitzenreiter <arne_f@ipfire.org>
Sat, 19 Feb 2022 08:06:36 +0000 (08:06 +0000)
diff --git a/src/initscripts/system/firewall b/src/initscripts/system/firewall

index fc355cd5d41deef8fed18f64ae298ed64560ee07..2f4b4e30ed48ab4f409eb18da870309589254675 100644 (file)
--- a/src/initscripts/system/firewall
+++ b/src/initscripts/system/firewall
@@ -119,9 +119,13 @@ iptables_init() {
         iptables -A FORWARD -p tcp -j BADTCP
  
         # Connection tracking chains
+       iptables -N CTINVALID
+       iptables -A CTINVALID  -m limit --limit 10/second -j LOG  --log-prefix "DROP_CTINVALID "
+       iptables -A CTINVALID  -j DROP -m comment --comment "DROP_CTINVALID"
+
         iptables -N CONNTRACK
         iptables -A CONNTRACK -m conntrack --ctstate ESTABLISHED -j ACCEPT
-       iptables -A CONNTRACK -m conntrack --ctstate INVALID -j LOG_DROP
+       iptables -A CONNTRACK -m conntrack --ctstate INVALID -j CTINVALID
         iptables -A CONNTRACK -p icmp -m conntrack --ctstate RELATED -j ACCEPT
  
         # Restore any connection marks
author	Peter Müller <peter.mueller@ipfire.org>
	Thu, 17 Feb 2022 20:16:02 +0000 (20:16 +0000)
committer	Arne Fitzenreiter <arne_f@ipfire.org>
	Sat, 19 Feb 2022 08:06:36 +0000 (08:06 +0000)