firewall: Add proper logging prefix for conntrack INVALID hits

author Peter Müller <peter.mueller@ipfire.org>

Thu, 17 Feb 2022 20:16:02 +0000 (20:16 +0000)

committer Peter Müller <peter.mueller@ipfire.org>

Fri, 18 Feb 2022 22:30:10 +0000 (22:30 +0000)
author Peter Müller <peter.mueller@ipfire.org>
Thu, 17 Feb 2022 20:16:02 +0000 (20:16 +0000)
committer Peter Müller <peter.mueller@ipfire.org>
Fri, 18 Feb 2022 22:30:10 +0000 (22:30 +0000)
diff --git a/src/initscripts/system/firewall b/src/initscripts/system/firewall

index 2ae6157aa0a0cdd5b636430b407d3c4adad639bd..5fef07a00f4b49f9a1d0205928916d6668cc546f 100644 (file)
--- a/src/initscripts/system/firewall
+++ b/src/initscripts/system/firewall
@@ -121,9 +121,13 @@ iptables_init() {
         iptables -A FORWARD -p tcp -j BADTCP
  
         # Connection tracking chains
+       iptables -N CTINVALID
+       iptables -A CTINVALID  -m limit --limit 10/second -j LOG  --log-prefix "DROP_CTINVALID "
+       iptables -A CTINVALID  -j DROP -m comment --comment "DROP_CTINVALID"
+
         iptables -N CONNTRACK
         iptables -A CONNTRACK -m conntrack --ctstate ESTABLISHED -j ACCEPT
-       iptables -A CONNTRACK -m conntrack --ctstate INVALID -j LOG_DROP
+       iptables -A CONNTRACK -m conntrack --ctstate INVALID -j CTINVALID
         iptables -A CONNTRACK -p icmp -m conntrack --ctstate RELATED -j ACCEPT
  
         # Restore any connection marks
author	Peter Müller <peter.mueller@ipfire.org>
	Thu, 17 Feb 2022 20:16:02 +0000 (20:16 +0000)
committer	Peter Müller <peter.mueller@ipfire.org>
	Fri, 18 Feb 2022 22:30:10 +0000 (22:30 +0000)