From 8fb715dcdfe1256c248e1a95c1eec8aabc79681e Mon Sep 17 00:00:00 2001
From: Ansible Admin
Date: Wed, 27 Jan 2016 11:45:13 +0100
Subject: [PATCH] =?UTF-8?q?Workaround=20against=20"nf=5Fconntrack=20?= =?UTF-8?q?=E2=80=A6=20dropping=20packets=20error"=20and=20"Denial=20of=20?= =?UTF-8?q?Service"=20attacks=20from=20internal=20network?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
---
files/sn_startup.exit.sh.j2 | 11 +++++++++++
files/sn_startup.sh.j2 | 11 +++++++++++
2 files changed, 22 insertions(+)
diff --git a/files/sn_startup.exit.sh.j2 b/files/sn_startup.exit.sh.j2
index ba45058..f99fcc8 100644
--- a/files/sn_startup.exit.sh.j2
+++ b/files/sn_startup.exit.sh.j2
@@ -1,4 +1,5 @@
 #!/bin/sh
+# Version 1.7
 curl -X POST --data-urlencode 'payload={"text": "{{ sn_hostname }} is rebooted", "channel": "#technik", "username": "{{ sn_hostname }}", "icon_emoji": ":floppy_disk:"}' https://hooks.slack.com/services/{{ slack_token }}
@@ -53,6 +54,16 @@ done
 sleep 5
+# Fixing the nf_conntrack … dropping packets error
+# hashsize = nf_conntrack_max / 4
+sysctl -w net.netfilter.nf_conntrack_max=131072
+echo 32768 > /sys/module/nf_conntrack/parameters/hashsize
+
+# Against Denial of Service attacks from internal network
+# Check with: sysctl -a | grep conntrack | grep timeout
+sysctl -w net.ipv4.netfilter.ip_conntrack_generic_timeout=240
+sysctl -w net.ipv4.netfilter.ip_conntrack_tcp_timeout_established=54000
+
 # restart bird
 /bin/systemctl start bird
 /bin/systemctl start bird6
diff --git a/files/sn_startup.sh.j2 b/files/sn_startup.sh.j2
index a637274..276e10e 100644
--- a/files/sn_startup.sh.j2
+++ b/files/sn_startup.sh.j2
@@ -1,4 +1,5 @@
 #!/bin/sh
+# Version 1.7
 curl -X POST --data-urlencode 'payload={"text": "{{ sn_hostname }} is rebooted", "channel": "#technik", "username": "{{ sn_hostname }}", "icon_emoji": ":floppy_disk:"}' https://hooks.slack.com/services/{{ slack_token }}
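Review bot: The mitigation added in the `@@ -53,6 +54,16 @@` hunk of sn_startup.exit.sh.j2 can fail silently: the script runs under `#!/bin/sh` with no `set -e`, so a failed `sysctl -w` or a missing `/sys/module/nf_conntrack/parameters/hashsize` (the module may not be loaded yet at this point in the script) only prints to stderr and the host keeps its default conntrack table size and timeouts, which is exactly the state the change is meant to avoid. The identical block is added to sn_startup.sh.j2 in the `@@ -48,6 +49,16 @@` hunk and has the same issue. The keys also mix namespaces: `nf_conntrack_max` is set via `net.netfilter.*` while the two timeouts use the legacy `net.ipv4.netfilter.ip_conntrack_*` compatibility names, which are only present on kernels that still provide that compat interface; the current equivalents are `net.netfilter.nf_conntrack_generic_timeout` and `net.netfilter.nf_conntrack_tcp_timeout_established`, so it is worth confirming which names the target kernels actually expose. Guarding the hashsize write and reporting failures explicitly, as below, leaves behaviour unchanged on success while making a missing mitigation visible in the boot log; the enclosing script continues outside the hunk.
```shell
# Fixing the nf_conntrack … dropping packets error
# hashsize = nf_conntrack_max / 4
sysctl -w net.netfilter.nf_conntrack_max=131072 \
  || echo "warning: nf_conntrack_max not applied" >&2
if [ -w /sys/module/nf_conntrack/parameters/hashsize ]; then
  echo 32768 > /sys/module/nf_conntrack/parameters/hashsize
else
  echo "warning: nf_conntrack not loaded, hashsize not set" >&2
fi
# … unchanged: conntrack timeout tuning …
```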
@@ -48,6 +49,16 @@ done
 sleep 5
+# Fixing the nf_conntrack … dropping packets error
+# hashsize = nf_conntrack_max / 4
+sysctl -w net.netfilter.nf_conntrack_max=131072
+echo 32768 > /sys/module/nf_conntrack/parameters/hashsize
+
+# Against Denial of Service attacks from internal network
+# Check with: sysctl -a | grep conntrack | grep timeout
+sysctl -w net.ipv4.netfilter.ip_conntrack_generic_timeout=240
+sysctl -w net.ipv4.netfilter.ip_conntrack_tcp_timeout_established=54000
+
 # Start tunneldigger
 /bin/systemctl restart tunneldigger
 /bin/systemctl enable tunneldigger