From 14c01289104cd08dd83ed7a4dd013f9dffe46bd8 Mon Sep 17 00:00:00 2001
From: Daniel Micay
Date: Wed, 10 Apr 2024 09:29:56 -0400
Subject: [PATCH] add rate limited synproxy bypass
---
 nftables-attestation.conf | 25 ++++++++++++++++++++++---
 nftables-discuss.conf | 25 ++++++++++++++++++++++---
 nftables-mail.conf | 25 ++++++++++++++++++++++---
 nftables-matrix.conf | 25 ++++++++++++++++++++++---
 nftables-network.conf | 25 ++++++++++++++++++++++---
 nftables-ns1.conf | 25 ++++++++++++++++++++++---
 nftables-ns2.conf | 25 ++++++++++++++++++++++---
 nftables-social.conf | 25 ++++++++++++++++++++++---
 nftables-web.conf | 25 ++++++++++++++++++++++---
 9 files changed, 198 insertions(+), 27 deletions(-)
diff --git a/nftables-attestation.conf b/nftables-attestation.conf
index d5478ea..8bdd8f8 100644
--- a/nftables-attestation.conf
+++ b/nftables-attestation.conf
@@ -43,7 +43,8 @@ table inet filter {
 
 fib daddr . iif type != { local, broadcast, multicast } counter drop
 tcp dport 443 notrack accept
- tcp dport { 22, 80 } tcp flags syn notrack accept
+ tcp dport { 22, 80 } tcp flags syn limit rate 1024/second accept
+ tcp dport { 22, 80 } tcp flags syn counter notrack accept
 meta l4proto { icmp, ipv6-icmp } notrack accept
 }
 
@@ -54,7 +55,7 @@ table inet filter {
 iif lo goto input-loopback
 tcp dport 443 accept
 meta l4proto { icmp, ipv6-icmp } accept
- ct state vmap { established : accept, related : accept, new : goto graceful-reject }
+ ct state vmap { new : goto input-new, established : goto input-established, related : accept }
 tcp dport 22 ip saddr @ip-connlimit-ssh counter reject with tcp reset
 tcp dport 22 ip6 saddr and ffff:ffff:ffff:ffff:ffff:: @ip6-connlimit-ssh counter reject with tcp reset
 
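Review bot: The new bypass rule `tcp dport { 22, 80 } tcp flags syn limit rate 1024/second accept` in the first hunk carries no `counter`, while the synproxy fallback directly below it does, so `nft list ruleset` cannot show how many SYNs took the tracked path versus the untracked synproxy path, which is the figure needed when tuning the 1024/second value or noticing a flood; `tcp dport { 22, 80 } tcp flags syn limit rate 1024/second counter accept` keeps the rule otherwise identical. The limit is also a single shared token bucket (with nft's default burst, since none is given) rather than a per-source limit, so under a SYN flood every client, not only the flooder, is pushed back onto synproxy; that looks intended, but deserves a comment above the rule such as `# up to 1024 SYN/s are tracked directly; anything above falls back to synproxy`. The enclosing chain starts outside the hunk. The matching prerouting hunks in the other eight nftables-*.conf files have the same omission.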
@@ -63,13 +64,31 @@ table inet filter {
 tcp dport { 22, 80 } synproxy mss 1460 wscale 7 timestamp sack-perm
 }
 
+ chain input-new {
+ tcp dport != { 22, 80 } goto graceful-reject
+ tcp dport 22 ip saddr @ip-connlimit-ssh counter reject with tcp reset
+ tcp dport 22 ip6 saddr and ffff:ffff:ffff:ffff:ffff:: @ip6-connlimit-ssh counter reject with tcp reset
+ tcp dport 80 ip saddr @ip-connlimit-main counter reject with tcp reset
+ tcp dport 80 ip6 saddr and ffff:ffff:ffff:ffff:: @ip6-connlimit-main counter reject with tcp reset
+ accept
+ }
+
+ chain input-established {
+ ct mark 0x1 accept
+ tcp dport 22 ip saddr != $ip-allowlist-ssh add @ip-connlimit-ssh { ip saddr ct count over 1 } counter reject with tcp reset
+ tcp dport 22 ip6 saddr != $ip6-allowlist-ssh add @ip6-connlimit-ssh { ip6 saddr and ffff:ffff:ffff:ffff:ffff:: ct count over 1 } counter reject with tcp reset
+ tcp dport 80 add @ip-connlimit-main { ip saddr ct count over 32 } counter reject with tcp reset
+ tcp dport 80 add @ip6-connlimit-main { ip6 saddr and ffff:ffff:ffff:ffff:: ct count over 32 } counter reject with tcp reset
+ ct mark set 0x1 accept
+ }
+
 chain input-loopback {
 tcp flags != syn accept
 tcp dport 22 ip saddr != $ip-allowlist-ssh add @ip-connlimit-ssh { ip saddr ct count over 1 } counter reject with tcp reset
 tcp dport 22 ip6 saddr != $ip6-allowlist-ssh add @ip6-connlimit-ssh { ip6 saddr and ffff:ffff:ffff:ffff:ffff:: ct count over 1 } counter reject with tcp reset
 tcp dport 80 add @ip-connlimit-main { ip saddr ct count over 32 } counter reject with tcp reset
 tcp dport 80 add @ip6-connlimit-main { ip6 saddr and ffff:ffff:ffff:ffff:: ct count over 32 } counter reject with tcp reset
- accept
+ ct mark set 0x1 accept
 }
 
 chain forward {
diff --git a/nftables-discuss.conf b/nftables-discuss.conf
index 61a31d4..26c0567 100644
--- a/nftables-discuss.conf
+++ b/nftables-discuss.conf
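Review bot: The trailing `accept` in the new `input-new` chain is reached by every non-TCP flow in `ct state new`, because `tcp dport != { 22, 80 } goto graceful-reject` carries an implicit l4proto tcp dependency and simply does not match UDP or other protocols; before this change the vmap sent all such flows to graceful-reject, so a new UDP flow to any port is now accepted by the firewall and left to the socket layer. Non-SYN TCP packets that conntrack picks up mid-stream as a new flow (the default `nf_conntrack_tcp_loose` behaviour, unless it has been turned off on these hosts) take the same route on ports 22/80, whereas the old vmap sent every tracked new flow to graceful-reject. Replacing the final `accept` with `tcp dport { 22, 80 } tcp flags syn accept` followed by `goto graceful-reject` restores the old default-deny shape while keeping the rate-limited SYN path open. The same chain is added, with its own port set, to nftables-discuss.conf, nftables-mail.conf, nftables-matrix.conf, nftables-network.conf, nftables-ns1.conf, nftables-ns2.conf, nftables-social.conf and nftables-web.conf; the enclosing table continues outside the hunk.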
@@ -46,7 +46,8 @@ table inet filter {
 
 meta nfproto ipv6 tcp dport { 80, 443 } reject with tcp reset
 tcp dport 443 notrack accept
- tcp dport { 22, 80 } tcp flags syn notrack accept
+ tcp dport { 22, 80 } tcp flags syn limit rate 1024/second accept
+ tcp dport { 22, 80 } tcp flags syn counter notrack accept
 meta l4proto { icmp, ipv6-icmp } notrack accept
 }
 
@@ -57,7 +58,7 @@ table inet filter {
 iif lo goto input-loopback
 tcp dport 443 accept
 meta l4proto { icmp, ipv6-icmp } accept
- ct state vmap { established : accept, related : accept, new : goto graceful-reject }
+ ct state vmap { new : goto input-new, established : goto input-established, related : accept }
 tcp dport 22 ip saddr @ip-connlimit-ssh counter reject with tcp reset
 tcp dport 22 ip6 saddr and ffff:ffff:ffff:ffff:ffff:: @ip6-connlimit-ssh counter reject with tcp reset
 
@@ -66,13 +67,31 @@ table inet filter {
 tcp dport { 22, 80 } synproxy mss 1460 wscale 7 timestamp sack-perm
 }
 
+ chain input-new {
+ tcp dport != { 22, 80 } goto graceful-reject
+ tcp dport 22 ip saddr @ip-connlimit-ssh counter reject with tcp reset
+ tcp dport 22 ip6 saddr and ffff:ffff:ffff:ffff:ffff:: @ip6-connlimit-ssh counter reject with tcp reset
+ tcp dport 80 ip saddr @ip-connlimit-main counter reject with tcp reset
+ tcp dport 80 ip6 saddr and ffff:ffff:ffff:ffff:: @ip6-connlimit-main counter reject with tcp reset
+ accept
+ }
+
+ chain input-established {
+ ct mark 0x1 accept
+ tcp dport 22 ip saddr != $ip-allowlist-ssh add @ip-connlimit-ssh { ip saddr ct count over 1 } counter reject with tcp reset
+ tcp dport 22 ip6 saddr != $ip6-allowlist-ssh add @ip6-connlimit-ssh { ip6 saddr and ffff:ffff:ffff:ffff:ffff:: ct count over 1 } counter reject with tcp reset
+ tcp dport 80 add @ip-connlimit-main { ip saddr ct count over 32 } counter reject with tcp reset
+ tcp dport 80 add @ip6-connlimit-main { ip6 saddr and ffff:ffff:ffff:ffff:: ct count over 32 } counter reject with tcp reset
+ ct mark set 0x1 accept
+ }
+
 chain input-loopback {
 tcp flags != syn accept
 tcp dport 22 ip saddr != $ip-allowlist-ssh add @ip-connlimit-ssh { ip saddr ct count over 1 } counter reject with tcp reset
 tcp dport 22 ip6 saddr != $ip6-allowlist-ssh add @ip6-connlimit-ssh { ip6 saddr and ffff:ffff:ffff:ffff:ffff:: ct count over 1 } counter reject with tcp reset
 tcp dport 80 add @ip-connlimit-main { ip saddr ct count over 32 } counter reject with tcp reset
 tcp dport 80 add @ip6-connlimit-main { ip6 saddr and ffff:ffff:ffff:ffff:: ct count over 32 } counter reject with tcp reset
- accept
+ ct mark set 0x1 accept
 }
 
 chain forward {
diff --git a/nftables-mail.conf b/nftables-mail.conf
index 50badb7..f135284 100644
--- a/nftables-mail.conf
+++ b/nftables-mail.conf
@@ -43,7 +43,8 @@ table inet filter {
 
 fib daddr . iif type != { local, broadcast, multicast } counter drop
 tcp dport { 25, 465, 993 } notrack accept
- tcp dport { 22, 80, 443 } tcp flags syn notrack accept
+ tcp dport { 22, 80, 443 } tcp flags syn limit rate 1024/second accept
+ tcp dport { 22, 80, 443 } tcp flags syn counter notrack accept
 meta l4proto { icmp, ipv6-icmp } notrack accept
 }
 
@@ -54,7 +55,7 @@ table inet filter {
 iif lo goto input-loopback
 tcp dport { 25, 465, 993 } accept
 meta l4proto { icmp, ipv6-icmp } accept
- ct state vmap { established : accept, related : accept, new : goto graceful-reject }
+ ct state vmap { new : goto input-new, established : goto input-established, related : accept }
 tcp dport 22 ip saddr @ip-connlimit-ssh counter reject with tcp reset
 tcp dport 22 ip6 saddr and ffff:ffff:ffff:ffff:ffff:: @ip6-connlimit-ssh counter reject with tcp reset
 
@@ -63,13 +64,31 @@ table inet filter {
 tcp dport { 22, 80, 443 } synproxy mss 1460 wscale 7 timestamp sack-perm
 }
 
+ chain input-new {
+ tcp dport != { 22, 80, 443 } goto graceful-reject
+ tcp dport 22 ip saddr @ip-connlimit-ssh counter reject with tcp reset
+ tcp dport 22 ip6 saddr and ffff:ffff:ffff:ffff:ffff:: @ip6-connlimit-ssh counter reject with tcp reset
+ tcp dport { 80, 443 } ip saddr @ip-connlimit-main counter reject with tcp reset
+ tcp dport { 80, 443 } ip6 saddr and ffff:ffff:ffff:ffff:: @ip6-connlimit-main counter reject with tcp reset
+ accept
+ }
+
+ chain input-established {
+ ct mark 0x1 accept
+ tcp dport 22 ip saddr != $ip-allowlist-ssh add @ip-connlimit-ssh { ip saddr ct count over 1 } counter reject with tcp reset
+ tcp dport 22 ip6 saddr != $ip6-allowlist-ssh add @ip6-connlimit-ssh { ip6 saddr and ffff:ffff:ffff:ffff:ffff:: ct count over 1 } counter reject with tcp reset
+ tcp dport { 80, 443 } add @ip-connlimit-main { ip saddr ct count over 32 } counter reject with tcp reset
+ tcp dport { 80, 443 } add @ip6-connlimit-main { ip6 saddr and ffff:ffff:ffff:ffff:: ct count over 32 } counter reject with tcp reset
+ ct mark set 0x1 accept
+ }
+
 chain input-loopback {
 tcp flags != syn accept
 tcp dport 22 ip saddr != $ip-allowlist-ssh add @ip-connlimit-ssh { ip saddr ct count over 1 } counter reject with tcp reset
 tcp dport 22 ip6 saddr != $ip6-allowlist-ssh add @ip6-connlimit-ssh { ip6 saddr and ffff:ffff:ffff:ffff:ffff:: ct count over 1 } counter reject with tcp reset
 tcp dport { 80, 443 } add @ip-connlimit-main { ip saddr ct count over 32 } counter reject with tcp reset
 tcp dport { 80, 443 } add @ip6-connlimit-main { ip6 saddr and ffff:ffff:ffff:ffff:: ct count over 32 } counter reject with tcp reset
- accept
+ ct mark set 0x1 accept
 }
 
 chain forward {
diff --git a/nftables-matrix.conf b/nftables-matrix.conf
index e49465f..5a81857 100644
--- a/nftables-matrix.conf
+++ b/nftables-matrix.conf
@@ -43,7 +43,8 @@ table inet filter {
 
 fib daddr . iif type != { local, broadcast, multicast } counter drop
 tcp dport 443 notrack accept
- tcp dport { 22, 80 } tcp flags syn notrack accept
+ tcp dport { 22, 80 } tcp flags syn limit rate 1024/second accept
+ tcp dport { 22, 80 } tcp flags syn counter notrack accept
 meta l4proto { icmp, ipv6-icmp } notrack accept
 }
 
@@ -54,7 +55,7 @@ table inet filter {
 iif lo goto input-loopback
 tcp dport 443 accept
 meta l4proto { icmp, ipv6-icmp } accept
- ct state vmap { established : accept, related : accept, new : goto graceful-reject }
+ ct state vmap { new : goto input-new, established : goto input-established, related : accept }
 tcp dport 22 ip saddr @ip-connlimit-ssh counter reject with tcp reset
 tcp dport 22 ip6 saddr and ffff:ffff:ffff:ffff:ffff:: @ip6-connlimit-ssh counter reject with tcp reset
 
@@ -63,13 +64,31 @@ table inet filter {
 tcp dport { 22, 80 } synproxy mss 1460 wscale 7 timestamp sack-perm
 }
 
+ chain input-new {
+ tcp dport != { 22, 80 } goto graceful-reject
+ tcp dport 22 ip saddr @ip-connlimit-ssh counter reject with tcp reset
+ tcp dport 22 ip6 saddr and ffff:ffff:ffff:ffff:ffff:: @ip6-connlimit-ssh counter reject with tcp reset
+ tcp dport 80 ip saddr @ip-connlimit-main counter reject with tcp reset
+ tcp dport 80 ip6 saddr and ffff:ffff:ffff:ffff:: @ip6-connlimit-main counter reject with tcp reset
+ accept
+ }
+
+ chain input-established {
+ ct mark 0x1 accept
+ tcp dport 22 ip saddr != $ip-allowlist-ssh add @ip-connlimit-ssh { ip saddr ct count over 1 } counter reject with tcp reset
+ tcp dport 22 ip6 saddr != $ip6-allowlist-ssh add @ip6-connlimit-ssh { ip6 saddr and ffff:ffff:ffff:ffff:ffff:: ct count over 1 } counter reject with tcp reset
+ tcp dport 80 add @ip-connlimit-main { ip saddr ct count over 32 } counter reject with tcp reset
+ tcp dport 80 add @ip6-connlimit-main { ip6 saddr and ffff:ffff:ffff:ffff:: ct count over 32 } counter reject with tcp reset
+ ct mark set 0x1 accept
+ }
+
 chain input-loopback {
 tcp flags != syn accept
 tcp dport 22 ip saddr != $ip-allowlist-ssh add @ip-connlimit-ssh { ip saddr ct count over 1 } counter reject with tcp reset
 tcp dport 22 ip6 saddr != $ip6-allowlist-ssh add @ip6-connlimit-ssh { ip6 saddr and ffff:ffff:ffff:ffff:ffff:: ct count over 1 } counter reject with tcp reset
 tcp dport 80 add @ip-connlimit-main { ip saddr ct count over 32 } counter reject with tcp reset
 tcp dport 80 add @ip6-connlimit-main { ip6 saddr and ffff:ffff:ffff:ffff:: ct count over 32 } counter reject with tcp reset
- accept
+ ct mark set 0x1 accept
 }
 
 chain forward {
diff --git a/nftables-network.conf b/nftables-network.conf
index 1a20160..d9b9bdc 100644
--- a/nftables-network.conf
+++ b/nftables-network.conf
@@ -45,7 +45,8 @@ table inet filter {
 
 fib daddr . iif type != { local, broadcast, multicast } counter drop
 tcp dport { 80, 443 } notrack accept
- tcp dport { 22, 7275 } tcp flags syn notrack accept
+ tcp dport { 22, 7275 } tcp flags syn limit rate 1024/second accept
+ tcp dport { 22, 7275 } tcp flags syn counter notrack accept
 udp dport 123 notrack accept
 meta l4proto { icmp, ipv6-icmp } notrack accept
 }
@@ -58,7 +59,7 @@ table inet filter {
 tcp dport { 80, 443 } accept
 udp dport 123 accept
 meta l4proto { icmp, ipv6-icmp } accept
- ct state vmap { established : accept, related : accept, new : goto graceful-reject }
+ ct state vmap { new : goto input-new, established : goto input-established, related : accept }
 tcp dport 22 ip saddr @ip-connlimit-ssh counter reject with tcp reset
 tcp dport 22 ip6 saddr and ffff:ffff:ffff:ffff:ffff:: @ip6-connlimit-ssh counter reject with tcp reset
 
@@ -67,13 +68,31 @@ table inet filter {
 tcp dport { 22, 7275 } synproxy mss 1460 wscale 7 timestamp sack-perm
 }
 
+ chain input-new {
+ tcp dport != { 22, 7275 } goto graceful-reject
+ tcp dport 22 ip saddr @ip-connlimit-ssh counter reject with tcp reset
+ tcp dport 22 ip6 saddr and ffff:ffff:ffff:ffff:ffff:: @ip6-connlimit-ssh counter reject with tcp reset
+ tcp dport 7275 ip saddr @ip-connlimit-main counter reject with tcp reset
+ tcp dport 7275 ip6 saddr and ffff:ffff:ffff:ffff:: @ip6-connlimit-main counter reject with tcp reset
+ accept
+ }
+
+ chain input-established {
+ ct mark 0x1 accept
+ tcp dport 22 ip saddr != $ip-allowlist-ssh add @ip-connlimit-ssh { ip saddr ct count over 1 } counter reject with tcp reset
+ tcp dport 22 ip6 saddr != $ip6-allowlist-ssh add @ip6-connlimit-ssh { ip6 saddr and ffff:ffff:ffff:ffff:ffff:: ct count over 1 } counter reject with tcp reset
+ tcp dport 7275 add @ip-connlimit-main { ip saddr ct count over 32 } counter reject with tcp reset
+ tcp dport 7275 add @ip6-connlimit-main { ip6 saddr and ffff:ffff:ffff:ffff:: ct count over 32 } counter reject with tcp reset
+ ct mark set 0x1 accept
+ }
+
 chain input-loopback {
 tcp flags != syn accept
 tcp dport 22 ip saddr != $ip-allowlist-ssh add @ip-connlimit-ssh { ip saddr ct count over 1 } counter reject with tcp reset
 tcp dport 22 ip6 saddr != $ip6-allowlist-ssh add @ip6-connlimit-ssh { ip6 saddr and ffff:ffff:ffff:ffff:ffff:: ct count over 1 } counter reject with tcp reset
 tcp dport 7275 add @ip-connlimit-main { ip saddr ct count over 32 } counter reject with tcp reset
 tcp dport 7275 add @ip6-connlimit-main { ip6 saddr and ffff:ffff:ffff:ffff:: ct count over 32 } counter reject with tcp reset
- accept
+ ct mark set 0x1 accept
 }
 
 chain forward {
diff --git a/nftables-ns1.conf b/nftables-ns1.conf
index ce865e7..3859a51 100644
--- a/nftables-ns1.conf
+++ b/nftables-ns1.conf
@@ -43,7 +43,8 @@ table inet filter {
 
 fib daddr . iif type != { local, broadcast, multicast } counter drop
 udp dport 53 notrack accept
- tcp dport { 22, 53, 80, 443, 853 } tcp flags syn notrack accept
+ tcp dport { 22, 53, 80, 443, 853 } tcp flags syn limit rate 1024/second accept
+ tcp dport { 22, 53, 80, 443, 853 } tcp flags syn counter notrack accept
 meta l4proto { icmp, ipv6-icmp } notrack accept
 }
 
@@ -54,7 +55,7 @@ table inet filter {
 iif lo goto input-loopback
 udp dport 53 accept
 meta l4proto { icmp, ipv6-icmp } accept
- ct state vmap { established : accept, related : accept, new : goto graceful-reject }
+ ct state vmap { new : goto input-new, established : goto input-established, related : accept }
 tcp dport 22 ip saddr @ip-connlimit-ssh counter reject with tcp reset
 tcp dport 22 ip6 saddr and ffff:ffff:ffff:ffff:ffff:: @ip6-connlimit-ssh counter reject with tcp reset
 
@@ -63,13 +64,31 @@ table inet filter {
 tcp dport { 22, 53, 80, 443, 853 } synproxy mss 1460 wscale 7 timestamp sack-perm
 }
 
+ chain input-new {
+ tcp dport != { 22, 53, 80, 443, 853 } goto graceful-reject
+ tcp dport 22 ip saddr @ip-connlimit-ssh counter reject with tcp reset
+ tcp dport 22 ip6 saddr and ffff:ffff:ffff:ffff:ffff:: @ip6-connlimit-ssh counter reject with tcp reset
+ tcp dport { 53, 80, 443, 853 } ip saddr @ip-connlimit-main counter reject with tcp reset
+ tcp dport { 53, 80, 443, 853 } ip6 saddr and ffff:ffff:ffff:ffff:: @ip6-connlimit-main counter reject with tcp reset
+ accept
+ }
+
+ chain input-established {
+ ct mark 0x1 accept
+ tcp dport 22 ip saddr != $ip-allowlist-ssh add @ip-connlimit-ssh { ip saddr ct count over 1 } counter reject with tcp reset
+ tcp dport 22 ip6 saddr != $ip6-allowlist-ssh add @ip6-connlimit-ssh { ip6 saddr and ffff:ffff:ffff:ffff:ffff:: ct count over 1 } counter reject with tcp reset
+ tcp dport { 53, 80, 443, 853 } add @ip-connlimit-main { ip saddr ct count over 16 } counter reject with tcp reset
+ tcp dport { 53, 80, 443, 853 } add @ip6-connlimit-main { ip6 saddr and ffff:ffff:ffff:ffff:: ct count over 16 } counter reject with tcp reset
+ ct mark set 0x1 accept
+ }
+
 chain input-loopback {
 tcp flags != syn accept
 tcp dport 22 ip saddr != $ip-allowlist-ssh add @ip-connlimit-ssh { ip saddr ct count over 1 } counter reject with tcp reset
 tcp dport 22 ip6 saddr != $ip6-allowlist-ssh add @ip6-connlimit-ssh { ip6 saddr and ffff:ffff:ffff:ffff:ffff:: ct count over 1 } counter reject with tcp reset
 tcp dport { 53, 80, 443, 853 } add @ip-connlimit-main { ip saddr ct count over 16 } counter reject with tcp reset
 tcp dport { 53, 80, 443, 853 } add @ip6-connlimit-main { ip6 saddr and ffff:ffff:ffff:ffff:: ct count over 16 } counter reject with tcp reset
- accept
+ ct mark set 0x1 accept
 }
 
 chain forward {
diff --git a/nftables-ns2.conf b/nftables-ns2.conf
index 86c91dd..204b8c1 100644
--- a/nftables-ns2.conf
+++ b/nftables-ns2.conf
@@ -48,7 +48,8 @@ table inet filter {
 
 tcp dport 22 ip daddr 198.251.90.93 reject with tcp reset
 udp dport 53 notrack accept
- tcp dport { 22, 53, 80, 443, 853 } tcp flags syn notrack accept
+ tcp dport { 22, 53, 80, 443, 853 } tcp flags syn limit rate 1024/second accept
+ tcp dport { 22, 53, 80, 443, 853 } tcp flags syn counter notrack accept
 meta l4proto { icmp, ipv6-icmp } notrack accept
 }
 
@@ -59,7 +60,7 @@ table inet filter {
 iif lo goto input-loopback
 udp dport 53 accept
 meta l4proto { icmp, ipv6-icmp } accept
- ct state vmap { established : accept, related : accept, new : goto graceful-reject }
+ ct state vmap { new : goto input-new, established : goto input-established, related : accept }
 tcp dport 22 ip saddr @ip-connlimit-ssh counter reject with tcp reset
 tcp dport 22 ip6 saddr and ffff:ffff:ffff:ffff:ffff:: @ip6-connlimit-ssh counter reject with tcp reset
 
@@ -68,13 +69,31 @@ table inet filter {
 tcp dport { 22, 53, 80, 443, 853 } synproxy mss 1460 wscale 7 timestamp sack-perm
 }
 
+ chain input-new {
+ tcp dport != { 22, 53, 80, 443, 853 } goto graceful-reject
+ tcp dport 22 ip saddr @ip-connlimit-ssh counter reject with tcp reset
+ tcp dport 22 ip6 saddr and ffff:ffff:ffff:ffff:ffff:: @ip6-connlimit-ssh counter reject with tcp reset
+ tcp dport { 53, 80, 443, 853 } ip saddr @ip-connlimit-main counter reject with tcp reset
+ tcp dport { 53, 80, 443, 853 } ip6 saddr and ffff:ffff:ffff:ffff:: @ip6-connlimit-main counter reject with tcp reset
+ accept
+ }
+
+ chain input-established {
+ ct mark 0x1 accept
+ tcp dport 22 ip saddr != $ip-allowlist-ssh add @ip-connlimit-ssh { ip saddr ct count over 1 } counter reject with tcp reset
+ tcp dport 22 ip6 saddr != $ip6-allowlist-ssh add @ip6-connlimit-ssh { ip6 saddr and ffff:ffff:ffff:ffff:ffff:: ct count over 1 } counter reject with tcp reset
+ tcp dport { 53, 80, 443, 853 } add @ip-connlimit-main { ip saddr ct count over 16 } counter reject with tcp reset
+ tcp dport { 53, 80, 443, 853 } add @ip6-connlimit-main { ip6 saddr and ffff:ffff:ffff:ffff:: ct count over 16 } counter reject with tcp reset
+ ct mark set 0x1 accept
+ }
+
 chain input-loopback {
 tcp flags != syn accept
 tcp dport 22 ip saddr != $ip-allowlist-ssh add @ip-connlimit-ssh { ip saddr ct count over 1 } counter reject with tcp reset
 tcp dport 22 ip6 saddr != $ip6-allowlist-ssh add @ip6-connlimit-ssh { ip6 saddr and ffff:ffff:ffff:ffff:ffff:: ct count over 1 } counter reject with tcp reset
 tcp dport { 53, 80, 443, 853 } add @ip-connlimit-main { ip saddr ct count over 16 } counter reject with tcp reset
 tcp dport { 53, 80, 443, 853 } add @ip6-connlimit-main { ip6 saddr and ffff:ffff:ffff:ffff:: ct count over 16 } counter reject with tcp reset
- accept
+ ct mark set 0x1 accept
 }
 
 chain forward {
diff --git a/nftables-social.conf b/nftables-social.conf
index da46813..cd8fb4b 100644
--- a/nftables-social.conf
+++ b/nftables-social.conf
@@ -43,7 +43,8 @@ table inet filter {
 
 fib daddr . iif type != { local, broadcast, multicast } counter drop
 tcp dport 443 notrack accept
- tcp dport { 22, 80 } tcp flags syn notrack accept
+ tcp dport { 22, 80 } tcp flags syn limit rate 1024/second accept
+ tcp dport { 22, 80 } tcp flags syn counter notrack accept
 meta l4proto { icmp, ipv6-icmp } notrack accept
 }
 
@@ -54,7 +55,7 @@ table inet filter {
 iif lo goto input-loopback
 tcp dport 443 accept
 meta l4proto { icmp, ipv6-icmp } accept
- ct state vmap { established : accept, related : accept, new : goto graceful-reject }
+ ct state vmap { new : goto input-new, established : goto input-established, related : accept }
 tcp dport 22 ip saddr @ip-connlimit-ssh counter reject with tcp reset
 tcp dport 22 ip6 saddr and ffff:ffff:ffff:ffff:ffff:: @ip6-connlimit-ssh counter reject with tcp reset
 
@@ -63,13 +64,31 @@ table inet filter {
 tcp dport { 22, 80 } synproxy mss 1460 wscale 7 timestamp sack-perm
 }
 
+ chain input-new {
+ tcp dport != { 22, 80 } goto graceful-reject
+ tcp dport 22 ip saddr @ip-connlimit-ssh counter reject with tcp reset
+ tcp dport 22 ip6 saddr and ffff:ffff:ffff:ffff:ffff:: @ip6-connlimit-ssh counter reject with tcp reset
+ tcp dport 80 ip saddr @ip-connlimit-main counter reject with tcp reset
+ tcp dport 80 ip6 saddr and ffff:ffff:ffff:ffff:: @ip6-connlimit-main counter reject with tcp reset
+ accept
+ }
+
+ chain input-established {
+ ct mark 0x1 accept
+ tcp dport 22 ip saddr != $ip-allowlist-ssh add @ip-connlimit-ssh { ip saddr ct count over 1 } counter reject with tcp reset
+ tcp dport 22 ip6 saddr != $ip6-allowlist-ssh add @ip6-connlimit-ssh { ip6 saddr and ffff:ffff:ffff:ffff:ffff:: ct count over 1 } counter reject with tcp reset
+ tcp dport 80 add @ip-connlimit-main { ip saddr ct count over 32 } counter reject with tcp reset
+ tcp dport 80 add @ip6-connlimit-main { ip6 saddr and ffff:ffff:ffff:ffff:: ct count over 32 } counter reject with tcp reset
+ ct mark set 0x1 accept
+ }
+
 chain input-loopback {
 tcp flags != syn accept
 tcp dport 22 ip saddr != $ip-allowlist-ssh add @ip-connlimit-ssh { ip saddr ct count over 1 } counter reject with tcp reset
 tcp dport 22 ip6 saddr != $ip6-allowlist-ssh add @ip6-connlimit-ssh { ip6 saddr and ffff:ffff:ffff:ffff:ffff:: ct count over 1 } counter reject with tcp reset
 tcp dport 80 add @ip-connlimit-main { ip saddr ct count over 32 } counter reject with tcp reset
 tcp dport 80 add @ip6-connlimit-main { ip6 saddr and ffff:ffff:ffff:ffff:: ct count over 32 } counter reject with tcp reset
- accept
+ ct mark set 0x1 accept
 }
 
 chain forward {
diff --git a/nftables-web.conf b/nftables-web.conf
index 167f3cc..7c5c3d9 100644
--- a/nftables-web.conf
+++ b/nftables-web.conf
@@ -47,7 +47,8 @@ table inet filter {
 
 fib daddr . iif type != { local, broadcast, multicast } counter drop
 tcp dport 443 notrack accept
- tcp dport { 22, 80 } tcp flags syn notrack accept
+ tcp dport { 22, 80 } tcp flags syn limit rate 1024/second accept
+ tcp dport { 22, 80 } tcp flags syn counter notrack accept
 meta l4proto { icmp, ipv6-icmp } notrack accept
 }
 
@@ -58,7 +59,7 @@ table inet filter {
 iif lo goto input-loopback
 tcp dport 443 accept
 meta l4proto { icmp, ipv6-icmp } accept
- ct state vmap { established : accept, related : accept, new : goto graceful-reject }
+ ct state vmap { new : goto input-new, established : goto input-established, related : accept }
 tcp dport 22 ip saddr @ip-connlimit-ssh counter reject with tcp reset
 tcp dport 22 ip6 saddr and ffff:ffff:ffff:ffff:ffff:: @ip6-connlimit-ssh counter reject with tcp reset
 
@@ -67,13 +68,31 @@ table inet filter {
 tcp dport { 22, 80 } synproxy mss 1460 wscale 7 timestamp sack-perm
 }
 
+ chain input-new {
+ tcp dport != { 22, 80 } goto graceful-reject
+ tcp dport 22 ip saddr @ip-connlimit-ssh counter reject with tcp reset
+ tcp dport 22 ip6 saddr and ffff:ffff:ffff:ffff:ffff:: @ip6-connlimit-ssh counter reject with tcp reset
+ tcp dport 80 ip saddr @ip-connlimit-main counter reject with tcp reset
+ tcp dport 80 ip6 saddr and ffff:ffff:ffff:ffff:: @ip6-connlimit-main counter reject with tcp reset
+ accept
+ }
+
+ chain input-established {
+ ct mark 0x1 accept
+ tcp dport 22 ip saddr != $ip-allowlist-ssh add @ip-connlimit-ssh { ip saddr ct count over 1 } counter reject with tcp reset
+ tcp dport 22 ip6 saddr != $ip6-allowlist-ssh add @ip6-connlimit-ssh { ip6 saddr and ffff:ffff:ffff:ffff:ffff:: ct count over 1 } counter reject with tcp reset
+ tcp dport 80 add @ip-connlimit-main { ip saddr ct count over 32 } counter reject with tcp reset
+ tcp dport 80 add @ip6-connlimit-main { ip6 saddr and ffff:ffff:ffff:ffff:: ct count over 32 } counter reject with tcp reset
+ ct mark set 0x1 accept
+ }
+
 chain input-loopback {
 tcp flags != syn accept
 tcp dport 22 ip saddr != $ip-allowlist-ssh add @ip-connlimit-ssh { ip saddr ct count over 1 } counter reject with tcp reset
 tcp dport 22 ip6 saddr != $ip6-allowlist-ssh add @ip6-connlimit-ssh { ip6 saddr and ffff:ffff:ffff:ffff:ffff:: ct count over 1 } counter reject with tcp reset
 tcp dport 80 add @ip-connlimit-main { ip saddr ct count over 32 } counter reject with tcp reset
 tcp dport 80 add @ip6-connlimit-main { ip6 saddr and ffff:ffff:ffff:ffff:: ct count over 32 } counter reject with tcp reset
- accept
+ ct mark set 0x1 accept
 }
 
 chain forward {