From 5318e64a6469f77980941aed315f0c63ef177d89 Mon Sep 17 00:00:00 2001
From: Priit Tark
Date: Tue, 26 May 2015 03:06:11 +0300
Subject: [PATCH 1/2] Added iptables update command config option

---
 CHANGELOG.md | 1 +
 app/controllers/epp_controller.rb | 5 +++++
 config/application-example.yml | 4 ++++
 3 files changed, 10 insertions(+)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index 3f60b8956..ee85debb5 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,5 +1,6 @@
 25.05.2015
+* Added iptables counter commant to application-example.yml
 * Add update application.yml with correct `sk_digi_doc_service_endpoint`
 22.05.2015
diff --git a/app/controllers/epp_controller.rb b/app/controllers/epp_controller.rb
index 0b4da0427..9f30d2e8a 100644
--- a/app/controllers/epp_controller.rb
+++ b/app/controllers/epp_controller.rb
@@ -98,6 +98,7 @@ class EppController < ApplicationController
 @response = render_to_string(*args)
 render xml: @response
 write_to_epp_log
+iptables_counter_update
 end
 
 # VALIDATION
@@ -282,4 +283,8 @@ class EppController < ApplicationController
 end
 # rubocop: enable Metrics/PerceivedComplexity
 # rubocop: enable Metrics/CyclomaticComplexity
+
+def iptables_counter_update
+`ENV['iptables_counter_update_command']` if ENV['iptables_counter_update_command'].present?
+end
 end
diff --git a/config/application-example.yml b/config/application-example.yml
index dae4555fb..050216cee 100644
--- a/config/application-example.yml
+++ b/config/application-example.yml
@@ -9,6 +9,7 @@ legal_documents_dir: 'import/legal_documents'
 # Example: 'Admin, EPP, REPP' will have name 'Admin, EPP, REPP - production' at New Relic.
 new_relic_app_name: 'Admin, EPP, REPP, Registrar, Registrant'
+
 # You can use `rake secret` to generate a secure secret key.
 # Your secret key is used for verifying the integrity of signed cookies.
 # If you change this key, all old signed cookies will become invalid!
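Review bot: The new `iptables_counter_update` call sits in the response path after `write_to_epp_log`, so every EPP reply now waits for an external firewall command to finish, and the method (defined in the second hunk of this file) discards the command's result, so a failing or hanging command is invisible to operators. If the counter only needs to be refreshed eventually, consider dispatching it outside the request cycle; at minimum log a non-zero `$?.exitstatus` after the call. The enclosing render method begins outside the hunk.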
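Review bot: The backtick expression in `iptables_counter_update` is a plain string literal with no `#{}` interpolation, so Ruby hands the literal text `ENV['iptables_counter_update_command']` to the shell and the configured command is never run. Replace it with `system(ENV['iptables_counter_update_command']) if ENV['iptables_counter_update_command'].present?`, which executes the configured value and returns a status that can be logged instead of capturing stdout that is thrown away. Since the value is passed to a shell with the web process's privileges, document on the method that it must come only from the deployment's own configuration, e.g. `# Runs the operator-configured firewall counter command from application.yml; the app process must already hold whatever privileges that command needs.` The method is also added after the rubocop-enable comments at public visibility, so it is treated as a controller action reachable by any matching route; it belongs under `private`, if the class has such a section.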
@@ -29,6 +30,9 @@ webclient_cert_common_name: 'webclient'
 # and returns 2306 "Parameter value policy error"
 contact_org_enabled: 'false'
+# Firewall countrer update command
+# iptables_counter_update_command: ''
+
 
 # DEPP server configuration (both for Registrar/Registrant servers)
 show_ds_data_fields: 'false'
 default_nameservers_count: '2'
From cb136ee5aebb23aebc1c47a30a9ff55bbbf2aa4c Mon Sep 17 00:00:00 2001
From: Priit Tark
Date: Tue, 26 May 2015 08:04:14 +0300
Subject: [PATCH 2/2] Use rcheck instead update

---
 doc/debian_build_doc.md | 12 ++++++------
 1 file changed, 6 insertions(+), 6 deletions(-)

diff --git a/doc/debian_build_doc.md b/doc/debian_build_doc.md
index e2e604d92..c2d40f56c 100644
--- a/doc/debian_build_doc.md
+++ b/doc/debian_build_doc.md
@@ -64,10 +64,10 @@ IPT=/sbin/iptables
 SECONDS=60
 # Max connections per IP
 BLOCKCOUNT=100
-# default action can be DROP or REJECT
+# default action can be DROP or REJECT or something else.
 DACTION="REJECT"
 $IPT -A INPUT -p tcp --dport 80 -i eth0 -m state --state NEW -m recent --set
-$IPT -A INPUT -p tcp --dport 80 -i eth0 -m state --state NEW -m recent --update --seconds ${SECONDS} --hitcount ${BLOCKCOUNT} -j ${DACTION}
+$IPT -A INPUT -p tcp --dport 80 -i eth0 -m state --state NEW -m recent --rcheck --seconds ${SECONDS} --hitcount ${BLOCKCOUNT} -j ${DACTION}
 ````
 
 #### EPP
@@ -80,10 +80,10 @@ IPT=/sbin/iptables
 SECONDS=60
 # Max connections per IP
 BLOCKCOUNT=100
-# default action can be DROP or REJECT
+# default action can be DROP or REJECT or something else.
 DACTION="REJECT"
 $IPT -A INPUT -p tcp --dport 700 -i eth0 -m state --state NEW -m recent --set
-$IPT -A INPUT -p tcp --dport 700 -i eth0 -m state --state NEW -m recent --update --seconds ${SECONDS} --hitcount ${BLOCKCOUNT} -j ${DACTION}
+$IPT -A INPUT -p tcp --dport 700 -i eth0 -m state --state NEW -m recent --rcheck --seconds ${SECONDS} --hitcount ${BLOCKCOUNT} -j ${DACTION}
 ````
 
 #### Whois
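Review bot: The comment above the new `iptables_counter_update_command` key reads only "Firewall countrer update command" (typo for "counter") and does not tell the operator that the value is handed to a shell by the EPP controller after each EPP render and runs with the application process's privileges, which is what decides how the key should be set. Suggest `# Shell command the EPP controller runs after each EPP response to refresh firewall counters; runs with the app process's privileges, leave empty to disable.`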
@@ -96,9 +96,9 @@ IPT=/sbin/iptables
 SECONDS=60
 # Max connections per IP
 BLOCKCOUNT=100
-# default action can be DROP or REJECT
+# default action can be DROP or REJECT or something else.
 DACTION="REJECT"
 $IPT -A INPUT -p tcp --dport 43 -i eth0 -m state --state NEW -m recent --set
-$IPT -A INPUT -p tcp --dport 43 -i eth0 -m state --state NEW -m recent --update --seconds ${SECONDS} --hitcount ${BLOCKCOUNT} -j ${DACTION}
+$IPT -A INPUT -p tcp --dport 43 -i eth0 -m state --state NEW -m recent --rcheck --seconds ${SECONDS} --hitcount ${BLOCKCOUNT} -j ${DACTION}
 ````