add rate limited synproxy bypass

This commit is contained in:
Daniel Micay 2024-04-10 09:29:56 -04:00
parent ef63ff82d2
commit 14c0128910
9 changed files with 198 additions and 27 deletions


@ -43,7 +43,8 @@ table inet filter {
fib daddr . iif type != { local, broadcast, multicast } counter drop
tcp dport 443 notrack accept
tcp dport { 22, 80 } tcp flags syn notrack accept
tcp dport { 22, 80 } tcp flags syn limit rate 1024/second accept
tcp dport { 22, 80 } tcp flags syn counter notrack accept
meta l4proto { icmp, ipv6-icmp } notrack accept
}
@ -54,7 +55,7 @@ table inet filter {
iif lo goto input-loopback
tcp dport 443 accept
meta l4proto { icmp, ipv6-icmp } accept
ct state vmap { established : accept, related : accept, new : goto graceful-reject }
ct state vmap { new : goto input-new, established : goto input-established, related : accept }
tcp dport 22 ip saddr @ip-connlimit-ssh counter reject with tcp reset
tcp dport 22 ip6 saddr and ffff:ffff:ffff:ffff:ffff:: @ip6-connlimit-ssh counter reject with tcp reset
@ -63,13 +64,31 @@ table inet filter {
tcp dport { 22, 80 } synproxy mss 1460 wscale 7 timestamp sack-perm
}
chain input-new {
tcp dport != { 22, 80 } goto graceful-reject
tcp dport 22 ip saddr @ip-connlimit-ssh counter reject with tcp reset
tcp dport 22 ip6 saddr and ffff:ffff:ffff:ffff:ffff:: @ip6-connlimit-ssh counter reject with tcp reset
tcp dport 80 ip saddr @ip-connlimit-main counter reject with tcp reset
tcp dport 80 ip6 saddr and ffff:ffff:ffff:ffff:: @ip6-connlimit-main counter reject with tcp reset
accept
}
chain input-established {
ct mark 0x1 accept
tcp dport 22 ip saddr != $ip-allowlist-ssh add @ip-connlimit-ssh { ip saddr ct count over 1 } counter reject with tcp reset
tcp dport 22 ip6 saddr != $ip6-allowlist-ssh add @ip6-connlimit-ssh { ip6 saddr and ffff:ffff:ffff:ffff:ffff:: ct count over 1 } counter reject with tcp reset
tcp dport 80 add @ip-connlimit-main { ip saddr ct count over 32 } counter reject with tcp reset
tcp dport 80 add @ip6-connlimit-main { ip6 saddr and ffff:ffff:ffff:ffff:: ct count over 32 } counter reject with tcp reset
ct mark set 0x1 accept
}
chain input-loopback {
tcp flags != syn accept
tcp dport 22 ip saddr != $ip-allowlist-ssh add @ip-connlimit-ssh { ip saddr ct count over 1 } counter reject with tcp reset
tcp dport 22 ip6 saddr != $ip6-allowlist-ssh add @ip6-connlimit-ssh { ip6 saddr and ffff:ffff:ffff:ffff:ffff:: ct count over 1 } counter reject with tcp reset
tcp dport 80 add @ip-connlimit-main { ip saddr ct count over 32 } counter reject with tcp reset
tcp dport 80 add @ip6-connlimit-main { ip6 saddr and ffff:ffff:ffff:ffff:: ct count over 32 } counter reject with tcp reset
accept
ct mark set 0x1 accept
}
chain forward {
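Review bot: In `chain input-new`, a new flow that is not TCP never matches `tcp dport != { 22, 80 } goto graceful-reject` (the tcp payload match carries an implicit l4proto tcp dependency, so the negation is only evaluated for TCP packets) and falls through to the unconditional `accept`, whereas the replaced `new : goto graceful-reject` rejected every new flow regardless of protocol. Unless the prerouting chain's policy, which is outside the hunk, already drops them, tracked UDP, SCTP or other traffic to arbitrary ports would now be accepted by `input`. Putting `meta l4proto != tcp goto graceful-reject` as the first rule of `input-new`, or ending the chain with `tcp dport { 22, 80 } accept` followed by `goto graceful-reject` instead of the bare `accept`, restores the previous behaviour.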


@ -46,7 +46,8 @@ table inet filter {
meta nfproto ipv6 tcp dport { 80, 443 } reject with tcp reset
tcp dport 443 notrack accept
tcp dport { 22, 80 } tcp flags syn notrack accept
tcp dport { 22, 80 } tcp flags syn limit rate 1024/second accept
tcp dport { 22, 80 } tcp flags syn counter notrack accept
meta l4proto { icmp, ipv6-icmp } notrack accept
}
@ -57,7 +58,7 @@ table inet filter {
iif lo goto input-loopback
tcp dport 443 accept
meta l4proto { icmp, ipv6-icmp } accept
ct state vmap { established : accept, related : accept, new : goto graceful-reject }
ct state vmap { new : goto input-new, established : goto input-established, related : accept }
tcp dport 22 ip saddr @ip-connlimit-ssh counter reject with tcp reset
tcp dport 22 ip6 saddr and ffff:ffff:ffff:ffff:ffff:: @ip6-connlimit-ssh counter reject with tcp reset
@ -66,13 +67,31 @@ table inet filter {
tcp dport { 22, 80 } synproxy mss 1460 wscale 7 timestamp sack-perm
}
chain input-new {
tcp dport != { 22, 80 } goto graceful-reject
tcp dport 22 ip saddr @ip-connlimit-ssh counter reject with tcp reset
tcp dport 22 ip6 saddr and ffff:ffff:ffff:ffff:ffff:: @ip6-connlimit-ssh counter reject with tcp reset
tcp dport 80 ip saddr @ip-connlimit-main counter reject with tcp reset
tcp dport 80 ip6 saddr and ffff:ffff:ffff:ffff:: @ip6-connlimit-main counter reject with tcp reset
accept
}
chain input-established {
ct mark 0x1 accept
tcp dport 22 ip saddr != $ip-allowlist-ssh add @ip-connlimit-ssh { ip saddr ct count over 1 } counter reject with tcp reset
tcp dport 22 ip6 saddr != $ip6-allowlist-ssh add @ip6-connlimit-ssh { ip6 saddr and ffff:ffff:ffff:ffff:ffff:: ct count over 1 } counter reject with tcp reset
tcp dport 80 add @ip-connlimit-main { ip saddr ct count over 32 } counter reject with tcp reset
tcp dport 80 add @ip6-connlimit-main { ip6 saddr and ffff:ffff:ffff:ffff:: ct count over 32 } counter reject with tcp reset
ct mark set 0x1 accept
}
chain input-loopback {
tcp flags != syn accept
tcp dport 22 ip saddr != $ip-allowlist-ssh add @ip-connlimit-ssh { ip saddr ct count over 1 } counter reject with tcp reset
tcp dport 22 ip6 saddr != $ip6-allowlist-ssh add @ip6-connlimit-ssh { ip6 saddr and ffff:ffff:ffff:ffff:ffff:: ct count over 1 } counter reject with tcp reset
tcp dport 80 add @ip-connlimit-main { ip saddr ct count over 32 } counter reject with tcp reset
tcp dport 80 add @ip6-connlimit-main { ip6 saddr and ffff:ffff:ffff:ffff:: ct count over 32 } counter reject with tcp reset
accept
ct mark set 0x1 accept
}
chain forward {
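Review bot: The rate-limited bypass lets a SYN create a conntrack entry before any client validation, and `input-established` then charges `ct count over 1` / `over 32` against every existing entry for that source address, so a handful of SYNs spoofed from a victim's address (well under 1024/s) would, if I read nf_conncount correctly in counting half-open entries, push the victim over the limit on its next real connection and land it in `@ip-connlimit-ssh` or `@ip-connlimit-main`; the synproxy path previously avoided this because entries only existed for clients that completed the handshake. The exposure is largest for port 22, where a single half-open entry trips `over 1`, and the victim's own RST would only clear the entry when it is not behind a NAT or firewall that silently drops the unsolicited SYN-ACK, in which case the entry lasts for the SYN_RECV timeout. Keeping SSH on the synproxy path by placing `tcp dport 22 tcp flags syn notrack accept` ahead of the rate-limited rule would confine the risk to the ports with the larger limits; sources in `$ip-allowlist-ssh` are unaffected either way since they are never added to the set.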


@ -43,7 +43,8 @@ table inet filter {
fib daddr . iif type != { local, broadcast, multicast } counter drop
tcp dport { 25, 465, 993 } notrack accept
tcp dport { 22, 80, 443 } tcp flags syn notrack accept
tcp dport { 22, 80, 443 } tcp flags syn limit rate 1024/second accept
tcp dport { 22, 80, 443 } tcp flags syn counter notrack accept
meta l4proto { icmp, ipv6-icmp } notrack accept
}
@ -54,7 +55,7 @@ table inet filter {
iif lo goto input-loopback
tcp dport { 25, 465, 993 } accept
meta l4proto { icmp, ipv6-icmp } accept
ct state vmap { established : accept, related : accept, new : goto graceful-reject }
ct state vmap { new : goto input-new, established : goto input-established, related : accept }
tcp dport 22 ip saddr @ip-connlimit-ssh counter reject with tcp reset
tcp dport 22 ip6 saddr and ffff:ffff:ffff:ffff:ffff:: @ip6-connlimit-ssh counter reject with tcp reset
@ -63,13 +64,31 @@ table inet filter {
tcp dport { 22, 80, 443 } synproxy mss 1460 wscale 7 timestamp sack-perm
}
chain input-new {
tcp dport != { 22, 80, 443 } goto graceful-reject
tcp dport 22 ip saddr @ip-connlimit-ssh counter reject with tcp reset
tcp dport 22 ip6 saddr and ffff:ffff:ffff:ffff:ffff:: @ip6-connlimit-ssh counter reject with tcp reset
tcp dport { 80, 443 } ip saddr @ip-connlimit-main counter reject with tcp reset
tcp dport { 80, 443 } ip6 saddr and ffff:ffff:ffff:ffff:: @ip6-connlimit-main counter reject with tcp reset
accept
}
chain input-established {
ct mark 0x1 accept
tcp dport 22 ip saddr != $ip-allowlist-ssh add @ip-connlimit-ssh { ip saddr ct count over 1 } counter reject with tcp reset
tcp dport 22 ip6 saddr != $ip6-allowlist-ssh add @ip6-connlimit-ssh { ip6 saddr and ffff:ffff:ffff:ffff:ffff:: ct count over 1 } counter reject with tcp reset
tcp dport { 80, 443 } add @ip-connlimit-main { ip saddr ct count over 32 } counter reject with tcp reset
tcp dport { 80, 443 } add @ip6-connlimit-main { ip6 saddr and ffff:ffff:ffff:ffff:: ct count over 32 } counter reject with tcp reset
ct mark set 0x1 accept
}
chain input-loopback {
tcp flags != syn accept
tcp dport 22 ip saddr != $ip-allowlist-ssh add @ip-connlimit-ssh { ip saddr ct count over 1 } counter reject with tcp reset
tcp dport 22 ip6 saddr != $ip6-allowlist-ssh add @ip6-connlimit-ssh { ip6 saddr and ffff:ffff:ffff:ffff:ffff:: ct count over 1 } counter reject with tcp reset
tcp dport { 80, 443 } add @ip-connlimit-main { ip saddr ct count over 32 } counter reject with tcp reset
tcp dport { 80, 443 } add @ip6-connlimit-main { ip6 saddr and ffff:ffff:ffff:ffff:: ct count over 32 } counter reject with tcp reset
accept
ct mark set 0x1 accept
}
chain forward {
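Review bot: The new `limit rate 1024/second` rule in the prerouting chain is one token bucket shared by all listed ports and both address families, so a single source exceeding it pushes every other client's SYNs onto the synproxy path, and nothing in the hunk records that this is the intended fallback rather than a misconfiguration; the burst is also left at nft's default, which I have not checked against the connection rate this host actually sees. I would add above the rule: `# SYNs under this global rate are conntracked normally and skip synproxy (handled by input-new); anything above it, from any source, stays untracked and goes through the synproxy rule in input`. A matching one-line comment on `chain input-new` saying that it only ever sees tracked SYNs admitted by that limit would make the split between the two chains clear to the next reader.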


@ -43,7 +43,8 @@ table inet filter {
fib daddr . iif type != { local, broadcast, multicast } counter drop
tcp dport 443 notrack accept
tcp dport { 22, 80 } tcp flags syn notrack accept
tcp dport { 22, 80 } tcp flags syn limit rate 1024/second accept
tcp dport { 22, 80 } tcp flags syn counter notrack accept
meta l4proto { icmp, ipv6-icmp } notrack accept
}
@ -54,7 +55,7 @@ table inet filter {
iif lo goto input-loopback
tcp dport 443 accept
meta l4proto { icmp, ipv6-icmp } accept
ct state vmap { established : accept, related : accept, new : goto graceful-reject }
ct state vmap { new : goto input-new, established : goto input-established, related : accept }
tcp dport 22 ip saddr @ip-connlimit-ssh counter reject with tcp reset
tcp dport 22 ip6 saddr and ffff:ffff:ffff:ffff:ffff:: @ip6-connlimit-ssh counter reject with tcp reset
@ -63,13 +64,31 @@ table inet filter {
tcp dport { 22, 80 } synproxy mss 1460 wscale 7 timestamp sack-perm
}
chain input-new {
tcp dport != { 22, 80 } goto graceful-reject
tcp dport 22 ip saddr @ip-connlimit-ssh counter reject with tcp reset
tcp dport 22 ip6 saddr and ffff:ffff:ffff:ffff:ffff:: @ip6-connlimit-ssh counter reject with tcp reset
tcp dport 80 ip saddr @ip-connlimit-main counter reject with tcp reset
tcp dport 80 ip6 saddr and ffff:ffff:ffff:ffff:: @ip6-connlimit-main counter reject with tcp reset
accept
}
chain input-established {
ct mark 0x1 accept
tcp dport 22 ip saddr != $ip-allowlist-ssh add @ip-connlimit-ssh { ip saddr ct count over 1 } counter reject with tcp reset
tcp dport 22 ip6 saddr != $ip6-allowlist-ssh add @ip6-connlimit-ssh { ip6 saddr and ffff:ffff:ffff:ffff:ffff:: ct count over 1 } counter reject with tcp reset
tcp dport 80 add @ip-connlimit-main { ip saddr ct count over 32 } counter reject with tcp reset
tcp dport 80 add @ip6-connlimit-main { ip6 saddr and ffff:ffff:ffff:ffff:: ct count over 32 } counter reject with tcp reset
ct mark set 0x1 accept
}
chain input-loopback {
tcp flags != syn accept
tcp dport 22 ip saddr != $ip-allowlist-ssh add @ip-connlimit-ssh { ip saddr ct count over 1 } counter reject with tcp reset
tcp dport 22 ip6 saddr != $ip6-allowlist-ssh add @ip6-connlimit-ssh { ip6 saddr and ffff:ffff:ffff:ffff:ffff:: ct count over 1 } counter reject with tcp reset
tcp dport 80 add @ip-connlimit-main { ip saddr ct count over 32 } counter reject with tcp reset
tcp dport 80 add @ip6-connlimit-main { ip6 saddr and ffff:ffff:ffff:ffff:: ct count over 32 } counter reject with tcp reset
accept
ct mark set 0x1 accept
}
chain forward {
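Review bot: `input-established` and `input-loopback` now use `ct mark 0x1` as a per-flow flag meaning the connlimit has already been evaluated, but neither chain says so, and `ct mark` is a single 32-bit field shared with any other table that may set it for routing or QoS outside this hunk. A comment at the top of `chain input-established`, `# ct mark 0x1: connlimit already checked for this flow; later packets skip the ct count lookups below`, would stop a future rule from reusing the bit. If another table already sets bit 0 of the mark, the `ct mark 0x1 accept` shortcut would skip the limit entirely for those flows, so that is worth confirming against the rest of the ruleset.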


@ -45,7 +45,8 @@ table inet filter {
fib daddr . iif type != { local, broadcast, multicast } counter drop
tcp dport { 80, 443 } notrack accept
tcp dport { 22, 7275 } tcp flags syn notrack accept
tcp dport { 22, 7275 } tcp flags syn limit rate 1024/second accept
tcp dport { 22, 7275 } tcp flags syn counter notrack accept
udp dport 123 notrack accept
meta l4proto { icmp, ipv6-icmp } notrack accept
}
@ -58,7 +59,7 @@ table inet filter {
tcp dport { 80, 443 } accept
udp dport 123 accept
meta l4proto { icmp, ipv6-icmp } accept
ct state vmap { established : accept, related : accept, new : goto graceful-reject }
ct state vmap { new : goto input-new, established : goto input-established, related : accept }
tcp dport 22 ip saddr @ip-connlimit-ssh counter reject with tcp reset
tcp dport 22 ip6 saddr and ffff:ffff:ffff:ffff:ffff:: @ip6-connlimit-ssh counter reject with tcp reset
@ -67,13 +68,31 @@ table inet filter {
tcp dport { 22, 7275 } synproxy mss 1460 wscale 7 timestamp sack-perm
}
chain input-new {
tcp dport != { 22, 7275 } goto graceful-reject
tcp dport 22 ip saddr @ip-connlimit-ssh counter reject with tcp reset
tcp dport 22 ip6 saddr and ffff:ffff:ffff:ffff:ffff:: @ip6-connlimit-ssh counter reject with tcp reset
tcp dport 7275 ip saddr @ip-connlimit-main counter reject with tcp reset
tcp dport 7275 ip6 saddr and ffff:ffff:ffff:ffff:: @ip6-connlimit-main counter reject with tcp reset
accept
}
chain input-established {
ct mark 0x1 accept
tcp dport 22 ip saddr != $ip-allowlist-ssh add @ip-connlimit-ssh { ip saddr ct count over 1 } counter reject with tcp reset
tcp dport 22 ip6 saddr != $ip6-allowlist-ssh add @ip6-connlimit-ssh { ip6 saddr and ffff:ffff:ffff:ffff:ffff:: ct count over 1 } counter reject with tcp reset
tcp dport 7275 add @ip-connlimit-main { ip saddr ct count over 32 } counter reject with tcp reset
tcp dport 7275 add @ip6-connlimit-main { ip6 saddr and ffff:ffff:ffff:ffff:: ct count over 32 } counter reject with tcp reset
ct mark set 0x1 accept
}
chain input-loopback {
tcp flags != syn accept
tcp dport 22 ip saddr != $ip-allowlist-ssh add @ip-connlimit-ssh { ip saddr ct count over 1 } counter reject with tcp reset
tcp dport 22 ip6 saddr != $ip6-allowlist-ssh add @ip6-connlimit-ssh { ip6 saddr and ffff:ffff:ffff:ffff:ffff:: ct count over 1 } counter reject with tcp reset
tcp dport 7275 add @ip-connlimit-main { ip saddr ct count over 32 } counter reject with tcp reset
tcp dport 7275 add @ip6-connlimit-main { ip6 saddr and ffff:ffff:ffff:ffff:: ct count over 32 } counter reject with tcp reset
accept
ct mark set 0x1 accept
}
chain forward {
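Review bot: `chain input-new` accepts any new non-TCP flow: `tcp dport != { 22, 7275 } goto graceful-reject` implicitly requires l4proto tcp, so a tracked UDP datagram to a port other than 123 (which `input` accepts before the vmap) skips the negated match and reaches the unconditional `accept`, where the replaced `new : goto graceful-reject` would have rejected it. Whether such packets reach `input` at all depends on the prerouting chain's policy, which is outside the hunk, but the input chain should not rely on that. Adding `meta l4proto != tcp goto graceful-reject` as the first rule of `input-new` keeps the previous behaviour for everything that is not TCP to 22 or 7275.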


@ -43,7 +43,8 @@ table inet filter {
fib daddr . iif type != { local, broadcast, multicast } counter drop
udp dport 53 notrack accept
tcp dport { 22, 53, 80, 443, 853 } tcp flags syn notrack accept
tcp dport { 22, 53, 80, 443, 853 } tcp flags syn limit rate 1024/second accept
tcp dport { 22, 53, 80, 443, 853 } tcp flags syn counter notrack accept
meta l4proto { icmp, ipv6-icmp } notrack accept
}
@ -54,7 +55,7 @@ table inet filter {
iif lo goto input-loopback
udp dport 53 accept
meta l4proto { icmp, ipv6-icmp } accept
ct state vmap { established : accept, related : accept, new : goto graceful-reject }
ct state vmap { new : goto input-new, established : goto input-established, related : accept }
tcp dport 22 ip saddr @ip-connlimit-ssh counter reject with tcp reset
tcp dport 22 ip6 saddr and ffff:ffff:ffff:ffff:ffff:: @ip6-connlimit-ssh counter reject with tcp reset
@ -63,13 +64,31 @@ table inet filter {
tcp dport { 22, 53, 80, 443, 853 } synproxy mss 1460 wscale 7 timestamp sack-perm
}
chain input-new {
tcp dport != { 22, 53, 80, 443, 853 } goto graceful-reject
tcp dport 22 ip saddr @ip-connlimit-ssh counter reject with tcp reset
tcp dport 22 ip6 saddr and ffff:ffff:ffff:ffff:ffff:: @ip6-connlimit-ssh counter reject with tcp reset
tcp dport { 53, 80, 443, 853 } ip saddr @ip-connlimit-main counter reject with tcp reset
tcp dport { 53, 80, 443, 853 } ip6 saddr and ffff:ffff:ffff:ffff:: @ip6-connlimit-main counter reject with tcp reset
accept
}
chain input-established {
ct mark 0x1 accept
tcp dport 22 ip saddr != $ip-allowlist-ssh add @ip-connlimit-ssh { ip saddr ct count over 1 } counter reject with tcp reset
tcp dport 22 ip6 saddr != $ip6-allowlist-ssh add @ip6-connlimit-ssh { ip6 saddr and ffff:ffff:ffff:ffff:ffff:: ct count over 1 } counter reject with tcp reset
tcp dport { 53, 80, 443, 853 } add @ip-connlimit-main { ip saddr ct count over 16 } counter reject with tcp reset
tcp dport { 53, 80, 443, 853 } add @ip6-connlimit-main { ip6 saddr and ffff:ffff:ffff:ffff:: ct count over 16 } counter reject with tcp reset
ct mark set 0x1 accept
}
chain input-loopback {
tcp flags != syn accept
tcp dport 22 ip saddr != $ip-allowlist-ssh add @ip-connlimit-ssh { ip saddr ct count over 1 } counter reject with tcp reset
tcp dport 22 ip6 saddr != $ip6-allowlist-ssh add @ip6-connlimit-ssh { ip6 saddr and ffff:ffff:ffff:ffff:ffff:: ct count over 1 } counter reject with tcp reset
tcp dport { 53, 80, 443, 853 } add @ip-connlimit-main { ip saddr ct count over 16 } counter reject with tcp reset
tcp dport { 53, 80, 443, 853 } add @ip6-connlimit-main { ip6 saddr and ffff:ffff:ffff:ffff:: ct count over 16 } counter reject with tcp reset
accept
ct mark set 0x1 accept
}
chain forward {
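Review bot: With the bypass, `input-new` admits a SYN on conntrack alone, and the `over 16` checks in `input-established` key on `ip saddr` and on a /64 of `ip6 saddr`, so, if nf_conncount counts half-open entries as I believe it does, sixteen SYNs spoofed from a client's address or /64 (trivially under the 1024/s limit) would put that client into `@ip-connlimit-main` the next time it completes a connection on 53, 80, 443 or 853; the synproxy path never created entries for unvalidated clients, which is what made the connlimit safe against spoofing. TCP clients of a resolver are often behind NAT, where the unsolicited SYN-ACK is dropped rather than answered with RST, so the spoofed entries would persist for the SYN_RECV timeout. I would either keep the more sensitive ports on synproxy by listing them in a `tcp flags syn notrack accept` rule ahead of the rate-limited one, or document the accepted risk in a comment next to the limit rule.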


@ -48,7 +48,8 @@ table inet filter {
tcp dport 22 ip daddr 198.251.90.93 reject with tcp reset
udp dport 53 notrack accept
tcp dport { 22, 53, 80, 443, 853 } tcp flags syn notrack accept
tcp dport { 22, 53, 80, 443, 853 } tcp flags syn limit rate 1024/second accept
tcp dport { 22, 53, 80, 443, 853 } tcp flags syn counter notrack accept
meta l4proto { icmp, ipv6-icmp } notrack accept
}
@ -59,7 +60,7 @@ table inet filter {
iif lo goto input-loopback
udp dport 53 accept
meta l4proto { icmp, ipv6-icmp } accept
ct state vmap { established : accept, related : accept, new : goto graceful-reject }
ct state vmap { new : goto input-new, established : goto input-established, related : accept }
tcp dport 22 ip saddr @ip-connlimit-ssh counter reject with tcp reset
tcp dport 22 ip6 saddr and ffff:ffff:ffff:ffff:ffff:: @ip6-connlimit-ssh counter reject with tcp reset
@ -68,13 +69,31 @@ table inet filter {
tcp dport { 22, 53, 80, 443, 853 } synproxy mss 1460 wscale 7 timestamp sack-perm
}
chain input-new {
tcp dport != { 22, 53, 80, 443, 853 } goto graceful-reject
tcp dport 22 ip saddr @ip-connlimit-ssh counter reject with tcp reset
tcp dport 22 ip6 saddr and ffff:ffff:ffff:ffff:ffff:: @ip6-connlimit-ssh counter reject with tcp reset
tcp dport { 53, 80, 443, 853 } ip saddr @ip-connlimit-main counter reject with tcp reset
tcp dport { 53, 80, 443, 853 } ip6 saddr and ffff:ffff:ffff:ffff:: @ip6-connlimit-main counter reject with tcp reset
accept
}
chain input-established {
ct mark 0x1 accept
tcp dport 22 ip saddr != $ip-allowlist-ssh add @ip-connlimit-ssh { ip saddr ct count over 1 } counter reject with tcp reset
tcp dport 22 ip6 saddr != $ip6-allowlist-ssh add @ip6-connlimit-ssh { ip6 saddr and ffff:ffff:ffff:ffff:ffff:: ct count over 1 } counter reject with tcp reset
tcp dport { 53, 80, 443, 853 } add @ip-connlimit-main { ip saddr ct count over 16 } counter reject with tcp reset
tcp dport { 53, 80, 443, 853 } add @ip6-connlimit-main { ip6 saddr and ffff:ffff:ffff:ffff:: ct count over 16 } counter reject with tcp reset
ct mark set 0x1 accept
}
chain input-loopback {
tcp flags != syn accept
tcp dport 22 ip saddr != $ip-allowlist-ssh add @ip-connlimit-ssh { ip saddr ct count over 1 } counter reject with tcp reset
tcp dport 22 ip6 saddr != $ip6-allowlist-ssh add @ip6-connlimit-ssh { ip6 saddr and ffff:ffff:ffff:ffff:ffff:: ct count over 1 } counter reject with tcp reset
tcp dport { 53, 80, 443, 853 } add @ip-connlimit-main { ip saddr ct count over 16 } counter reject with tcp reset
tcp dport { 53, 80, 443, 853 } add @ip6-connlimit-main { ip6 saddr and ffff:ffff:ffff:ffff:: ct count over 16 } counter reject with tcp reset
accept
ct mark set 0x1 accept
}
chain forward {
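Review bot: The final `accept` in `chain input-new` is reachable by any new non-TCP flow, because `tcp dport != { 22, 53, 80, 443, 853 }` is only evaluated for TCP packets, so the chain no longer rejects new flows the way the replaced `new : goto graceful-reject` did; tracked UDP to ports other than 53 is the obvious case. This assumes the prerouting chain's policy, which is outside the hunk, lets such packets through, and the visible prerouting rules do not rule that out. Replacing the trailing `accept` with `tcp dport { 22, 53, 80, 443, 853 } accept` followed by `goto graceful-reject` closes the gap (the existing negated rule then becomes redundant but harmless).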


@ -43,7 +43,8 @@ table inet filter {
fib daddr . iif type != { local, broadcast, multicast } counter drop
tcp dport 443 notrack accept
tcp dport { 22, 80 } tcp flags syn notrack accept
tcp dport { 22, 80 } tcp flags syn limit rate 1024/second accept
tcp dport { 22, 80 } tcp flags syn counter notrack accept
meta l4proto { icmp, ipv6-icmp } notrack accept
}
@ -54,7 +55,7 @@ table inet filter {
iif lo goto input-loopback
tcp dport 443 accept
meta l4proto { icmp, ipv6-icmp } accept
ct state vmap { established : accept, related : accept, new : goto graceful-reject }
ct state vmap { new : goto input-new, established : goto input-established, related : accept }
tcp dport 22 ip saddr @ip-connlimit-ssh counter reject with tcp reset
tcp dport 22 ip6 saddr and ffff:ffff:ffff:ffff:ffff:: @ip6-connlimit-ssh counter reject with tcp reset
@ -63,13 +64,31 @@ table inet filter {
tcp dport { 22, 80 } synproxy mss 1460 wscale 7 timestamp sack-perm
}
chain input-new {
tcp dport != { 22, 80 } goto graceful-reject
tcp dport 22 ip saddr @ip-connlimit-ssh counter reject with tcp reset
tcp dport 22 ip6 saddr and ffff:ffff:ffff:ffff:ffff:: @ip6-connlimit-ssh counter reject with tcp reset
tcp dport 80 ip saddr @ip-connlimit-main counter reject with tcp reset
tcp dport 80 ip6 saddr and ffff:ffff:ffff:ffff:: @ip6-connlimit-main counter reject with tcp reset
accept
}
chain input-established {
ct mark 0x1 accept
tcp dport 22 ip saddr != $ip-allowlist-ssh add @ip-connlimit-ssh { ip saddr ct count over 1 } counter reject with tcp reset
tcp dport 22 ip6 saddr != $ip6-allowlist-ssh add @ip6-connlimit-ssh { ip6 saddr and ffff:ffff:ffff:ffff:ffff:: ct count over 1 } counter reject with tcp reset
tcp dport 80 add @ip-connlimit-main { ip saddr ct count over 32 } counter reject with tcp reset
tcp dport 80 add @ip6-connlimit-main { ip6 saddr and ffff:ffff:ffff:ffff:: ct count over 32 } counter reject with tcp reset
ct mark set 0x1 accept
}
chain input-loopback {
tcp flags != syn accept
tcp dport 22 ip saddr != $ip-allowlist-ssh add @ip-connlimit-ssh { ip saddr ct count over 1 } counter reject with tcp reset
tcp dport 22 ip6 saddr != $ip6-allowlist-ssh add @ip6-connlimit-ssh { ip6 saddr and ffff:ffff:ffff:ffff:ffff:: ct count over 1 } counter reject with tcp reset
tcp dport 80 add @ip-connlimit-main { ip saddr ct count over 32 } counter reject with tcp reset
tcp dport 80 add @ip6-connlimit-main { ip6 saddr and ffff:ffff:ffff:ffff:: ct count over 32 } counter reject with tcp reset
accept
ct mark set 0x1 accept
}
chain forward {
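Review bot: The prerouting rule `tcp dport { 22, 80 } tcp flags syn limit rate 1024/second accept` carries no comment saying it is the synproxy bypass named in the commit title, and the rule right under it, `tcp dport { 22, 80 } tcp flags syn counter notrack accept`, is the one that actually routes excess SYNs to synproxy; read cold, the pair looks like a contradictory accept. Because the limit is one global bucket for both ports and both address families, a flood from a single source also demotes every legitimate client to the synproxy path, which is acceptable as a fallback but should be stated. Suggested comment above the limit rule: `# up to 1024 SYN/s (global, all sources) are conntracked normally and handled by input-new; the rest are left untracked and go through synproxy`.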


@ -47,7 +47,8 @@ table inet filter {
fib daddr . iif type != { local, broadcast, multicast } counter drop
tcp dport 443 notrack accept
tcp dport { 22, 80 } tcp flags syn notrack accept
tcp dport { 22, 80 } tcp flags syn limit rate 1024/second accept
tcp dport { 22, 80 } tcp flags syn counter notrack accept
meta l4proto { icmp, ipv6-icmp } notrack accept
}
@ -58,7 +59,7 @@ table inet filter {
iif lo goto input-loopback
tcp dport 443 accept
meta l4proto { icmp, ipv6-icmp } accept
ct state vmap { established : accept, related : accept, new : goto graceful-reject }
ct state vmap { new : goto input-new, established : goto input-established, related : accept }
tcp dport 22 ip saddr @ip-connlimit-ssh counter reject with tcp reset
tcp dport 22 ip6 saddr and ffff:ffff:ffff:ffff:ffff:: @ip6-connlimit-ssh counter reject with tcp reset
@ -67,13 +68,31 @@ table inet filter {
tcp dport { 22, 80 } synproxy mss 1460 wscale 7 timestamp sack-perm
}
chain input-new {
tcp dport != { 22, 80 } goto graceful-reject
tcp dport 22 ip saddr @ip-connlimit-ssh counter reject with tcp reset
tcp dport 22 ip6 saddr and ffff:ffff:ffff:ffff:ffff:: @ip6-connlimit-ssh counter reject with tcp reset
tcp dport 80 ip saddr @ip-connlimit-main counter reject with tcp reset
tcp dport 80 ip6 saddr and ffff:ffff:ffff:ffff:: @ip6-connlimit-main counter reject with tcp reset
accept
}
chain input-established {
ct mark 0x1 accept
tcp dport 22 ip saddr != $ip-allowlist-ssh add @ip-connlimit-ssh { ip saddr ct count over 1 } counter reject with tcp reset
tcp dport 22 ip6 saddr != $ip6-allowlist-ssh add @ip6-connlimit-ssh { ip6 saddr and ffff:ffff:ffff:ffff:ffff:: ct count over 1 } counter reject with tcp reset
tcp dport 80 add @ip-connlimit-main { ip saddr ct count over 32 } counter reject with tcp reset
tcp dport 80 add @ip6-connlimit-main { ip6 saddr and ffff:ffff:ffff:ffff:: ct count over 32 } counter reject with tcp reset
ct mark set 0x1 accept
}
chain input-loopback {
tcp flags != syn accept
tcp dport 22 ip saddr != $ip-allowlist-ssh add @ip-connlimit-ssh { ip saddr ct count over 1 } counter reject with tcp reset
tcp dport 22 ip6 saddr != $ip6-allowlist-ssh add @ip6-connlimit-ssh { ip6 saddr and ffff:ffff:ffff:ffff:ffff:: ct count over 1 } counter reject with tcp reset
tcp dport 80 add @ip-connlimit-main { ip saddr ct count over 32 } counter reject with tcp reset
tcp dport 80 add @ip6-connlimit-main { ip6 saddr and ffff:ffff:ffff:ffff:: ct count over 32 } counter reject with tcp reset
accept
ct mark set 0x1 accept
}
chain forward {
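Review bot: The `ip saddr @ip-connlimit-ssh` and `@ip-connlimit-main` lookups in `chain input-new` read as plain membership tests, but every source that has passed `input-established` is an element of those sets, because `add @set { ip saddr ct count over N }` inserts the element unconditionally and only the attached `ct count` decides the match; as far as I understand dynamic-set semantics, the lookup re-evaluates that element expression, so the rule fires only while the source is currently over its limit. Nothing in the new chain says so, and a reader who assumes membership means blocked will misread `input-new` as rejecting every returning client. I would add above the first lookup: `# the sets hold every counted source; the lookup evaluates the element's ct count, so this only matches sources currently over their limit`.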