This commit is contained in:
Your Name 2024-09-24 22:43:29 -06:00
parent 7c4ff30532
commit e4a4c4dd8a
2 changed files with 25 additions and 23 deletions


@ -191,7 +191,7 @@ start() {
$NFT insert rule filter input iif docker0 accept
#HTTP Rate Limit
rateLimit $HTTP_LIMIT
bash $MODULES/module-rate-limit.sh $HTTP_LIMIT
else
virtualization
@ -275,25 +275,6 @@ stop() {
message "Stopping Firewall"
}
rateLimit() {
HANDLE=($(nft -n -a list ruleset | grep "ct state 0x8 tcp dport" | grep -E '80|443' | grep handle | cut -d '#' -f2 | cut -d ' ' -f3))
for i in "${HANDLE[@]}"; do
if [[ "$i" == *":"* ]]; then
$NFT delete rule ip6 filter input handle $i &>/dev/null
else
$NFT delete rule filter input handle $i &>/dev/null
fi
done
echo "Setting Rate Limit to : $1"
echo
$NFT add rule ip6 filter input ct state new tcp dport 443 update @http_ratelimit { ip6 saddr limit rate $1/second } accept
$NFT add rule ip6 filter input ct state new tcp dport 80 update @http_ratelimit { ip6 saddr limit rate $1/second } accept
$NFT add rule ip filter input ct state new tcp dport 443 update @http_ratelimit { ip saddr limit rate $1/second } accept
$NFT add rule ip filter input ct state new tcp dport 80 update @http_ratelimit { ip saddr limit rate $1/second } accept
}
forgive() {
IP=($(redis-cli --raw SMEMBERS tmp_block | sort -u))
echo $IP
@ -305,7 +286,7 @@ forgive() {
echo "Clearing old $TMP_BLOCK"
redis-cli DEL tmp_blocked
rateLimit $HTTP_LIMIT
bash $MODULES/module-rate-limit.sh $HTTP_LIMIT
}
watch() {
@ -347,9 +328,9 @@ watch() {
BLOCK_CHECK=$(redis-cli --raw SMEMBERS tmp_block)
if [[ "$BLOCK_CHECK" == *"empty"* || "$BLOCK_CHECK" == "" ]]; then
rateLimit $HTTP_LIMIT
bash $MODULES/module-rate-limit.sh $HTTP_LIMIT
else
rateLimit $RATE_LIMITED_HTTP
bash $MODULES/module-rate-limit.sh $RATE_LIMITED_HTTP
fi
}
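Review bot: The replacement call `bash $MODULES/module-rate-limit.sh $HTTP_LIMIT` (and the same line in the start, forgive and watch hunks) expands `$MODULES` and the limit unquoted and never checks the module's exit status, so if the module fails the firewall carries on as though the HTTP rate-limit rules were installed; given that the module deletes the old rules before adding new ones, a failure would leave no rate-limit rule at all. A guarded form such as `bash -- "$MODULES/module-rate-limit.sh" "$HTTP_LIMIT" || message "rate-limit module failed"` keeps the existing reporting style and surfaces the problem. It is also worth asserting `: "${MODULES:?MODULES not set}"` once before the first use, since with `MODULES` empty the path collapses to `/module-rate-limit.sh`. Because this runs with the privileges needed for nft, the directory named by `MODULES` should be root-owned and not writable by other users; that is an operational assumption the script cannot verify here. The enclosing functions (start, forgive, watch) extend beyond the hunks shown.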


@ -0,0 +1,21 @@
#!/bin/bash
NFT='/usr/bin/nft'
HANDLE=($($NFT -n -a list ruleset | grep "ct state 0x8 tcp dport" | grep -E '80|443' | grep handle | cut -d '#' -f2 | cut -d ' ' -f3))
for i in "${HANDLE[@]}"; do
if [[ "$i" == *":"* ]]; then
$NFT delete rule ip6 filter input handle $i &>/dev/null
else
$NFT delete rule filter input handle $i &>/dev/null
fi
done
echo "Setting Rate Limit to : $1"
echo
$NFT add rule ip6 filter input ct state new tcp dport 443 update @http_ratelimit { ip6 saddr limit rate $1/second } accept
$NFT add rule ip6 filter input ct state new tcp dport 80 update @http_ratelimit { ip6 saddr limit rate $1/second } accept
$NFT add rule ip filter input ct state new tcp dport 443 update @http_ratelimit { ip saddr limit rate $1/second } accept
$NFT add rule ip filter input ct state new tcp dport 80 update @http_ratelimit { ip saddr limit rate $1/second } accept
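Review bot: The new module deletes every matching rate-limit rule (the for loop after `HANDLE=(...)`) before it has checked that `$1` is usable, so an empty or non-numeric argument yields a rule like `limit rate /second` that nft rejects, and the host is left with the old rules gone and no replacement. Validate first, e.g. at the top of the file: `limit=${1:?usage: module-rate-limit.sh <rate>}` followed by `[[ "$limit" =~ ^[0-9]+$ ]] || { printf 'rate must be an integer\n' >&2; exit 1; }`, and use `"$limit"` in the four `add rule` lines. The handle discovery `grep -E '80|443'` is also a substring match, so it would presumably pick up rules for ports such as 8080 or 4430 if any exist; anchoring on `dport (80|443) ` would keep the deletion scoped to the rules this module owns. A `set -euo pipefail` line after the shebang would make the silent `&>/dev/null` deletions and the unchecked `add rule` calls fail loudly.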