turn: add outbound ratelimit

coturn will send 401 when receiving UDP packets with forged source IP.
this can cause a flood of 401s at the victim. the primary concern appears
to be that these packets are quite large compared to handshake packets
below.

TCP is also affected but effects are minimal because they will get
discarded at the connection handshake level.

UDP/TLS (DTLS) has a similar handshake mechanism to TCP and the effects are
minimal.

https://forum.cloudron.io/topic/13855/reflection-attack-via-stun-turn
https://github.com/coturn/coturn/pull/1588
Girish Ramakrishnan
2025-06-04 14:06:27 +02:00
parent 811cc9c028
commit 83d7535d84
@@ -187,3 +187,15 @@ $ip6tables -t filter -C INPUT -j CLOUDRON_RATELIMIT 2>/dev/null || $ip6tables -t
# Workaround issue where Docker insists on adding itself first in FORWARD table
ipxtables -D FORWARD -j CLOUDRON_RATELIMIT || true
ipxtables -I FORWARD 1 -j CLOUDRON_RATELIMIT
echo "==> Adding cloudron output chain"
ipxtables -t filter -N CLOUDRON_OUTPUT || true
ipxtables -t filter -F CLOUDRON_OUTPUT # empty any existing rules
# turn - mitigate reflection/amplification attack with UDP . The 5349 port is DTLS/UDP and not affected. https://github.com/coturn/coturn/pull/1588
# hashlimit-above is applied _after_ allowing a hashlimit-burst
sudo iptables -t filter -A CLOUDRON_OUTPUT -p udp --sport 3478 -m hashlimit --hashlimit-name turn-401 --hashlimit-above 10/second --hashlimit-burst 30 --hashlimit-mode dstip -j CLOUDRON_RATELIMIT_LOG
# Add the ouput rate limit chain to output chain
$iptables -t filter -C OUTPUT -j CLOUDRON_OUTPUT 2>/dev/null || $iptables -t filter -I OUTPUT 1 -j CLOUDRON_OUTPUT
$ip6tables -t filter -C INPUT -j CLOUDRON_OUTPUT 2>/dev/null || $ip6tables -t filter -I OUTPUT 1 -j CLOUDRON_OUTPUT
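Review bot: the IPv6 idempotency check on the last line looks at the wrong chain: it runs `-C INPUT -j CLOUDRON_OUTPUT` but then inserts into `OUTPUT`, so the check never matches and `-I OUTPUT 1 -j CLOUDRON_OUTPUT` is inserted again on every run; it should mirror the IPv4 line and use `-C OUTPUT`. The hashlimit rule itself is added with `sudo iptables` while the rest of this block uses `ipxtables` (both families) or `$iptables`; as written it is IPv4-only, so TURN responses over IPv6 get no rate limit, and `sudo` is out of place in a script whose other commands run unprivileged-prefixed. Two smaller points: the rule matches every UDP datagram with source port 3478 to a given destination, not only the 401 responses the commit message targets, so a legitimate client receiving relayed traffic from that port could trip the 10/second-after-30-burst limit and land in `CLOUDRON_RATELIMIT_LOG` (whatever that chain does is not visible here, and the chain is not created in this hunk, so its existence should be confirmed before appending to it); and the comment `# Add the ouput rate limit chain to output chain` has a typo ("ouput").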