fix

2024-09-24 11:50:24 -06:00 · 2024-09-24 11:50:24 -06:00 · 64b9d828d5
commit 64b9d828d5
parent 3bc706e771
4 changed files with 965 additions and 51 deletions
--- a/firewall.sh
+++ b/firewall.sh
@ -69,8 +69,8 @@ ipBlockParser() {

 portOpenParser() {
 	if [[ "$1" == "443" || "$1" == "80" ]]; then
-		$NFT add rule ip filter input ct state new tcp dport $1 update @http_ratelimit { ip saddr limit rate 15/second } accept
-		$NFT add rule ip6 filter input ct state new tcp dport $1 update @http_ratelimit { ip6 saddr limit rate 15/second } accept
+		$NFT add rule ip filter input ct state new tcp dport $1 update @http_ratelimit { ip saddr limit rate 10/second } accept
+		$NFT add rule ip6 filter input ct state new tcp dport $1 update @http_ratelimit { ip6 saddr limit rate 10/second } accept
 	else
 		$NFT add rule ip filter input position 0 tcp dport $1 accept
 		$NFT add rule ip filter input position 0 udp dport $1 accept
@ -270,7 +270,6 @@ forgive() {
 	for i in "${IP[@]}"; do
 		HANDLE=$(nft -n -a list ruleset | grep $i | grep handle | cut -d '#' -f2 | cut -d ' ' -f3)
 		echo "Removing: $i Handle: $HANDLE"
-		echo $NFT delete rule ip filter input handle $HANDLE
 		ipDeleteParser $HANDLE
 		redis-cli SREM tmp_block $i
 	done
@ -306,7 +305,7 @@ module-akkoma() {

 module-get-spam() {
 	GET_SPAM=$(grep $2 $ACCESS | grep -E "GET / HTTP" | wc -l)
-	if [[ "$GET_SPAM" -gt 5 ]]; then
+	if [[ "$GET_SPAM" -gt 10 ]]; then
 		ipBlockParser "$1"
 		redis-cli SADD tmp_block $i
 		message "GET Spam Attack! $1"
--- a/ipv4-filter.nft
+++ b/ipv4-filter.nft
@ -1,5 +1,5 @@
 table filter {
-	set http_ratelimit { type ipv4_addr; timeout 2s; flags dynamic; }
+	set http_ratelimit { type ipv4_addr; timeout 1s; flags dynamic; }
 	chain input		{ type filter hook input priority 0;policy drop;}
 	chain forward		{ type filter hook forward priority 0; }
 	chain output		{ type filter hook output priority 0;  }
--- a/ipv6-filter.nft
+++ b/ipv6-filter.nft
@ -1,5 +1,5 @@
 table ip6 filter {
-	set http_ratelimit { type ipv6_addr; timeout 2s; flags dynamic; }
+	set http_ratelimit { type ipv6_addr; timeout 1s; flags dynamic; }
 	chain input		{ type filter hook input priority 0; policy drop;}
 	chain forward		{ type filter hook forward priority 0; drop;}
 	chain output		{ type filter hook output priority 0; drop; }
--- a/nft.rules
+++ b/nft.rules