mirror of
https://github.com/GrapheneOS/infrastructure.git
synced 2024-12-22 21:49:22 -05:00
add rate limited synproxy bypass
This commit is contained in:
parent
ef63ff82d2
commit
14c0128910
@ -43,7 +43,8 @@ table inet filter {
|
|||||||
fib daddr . iif type != { local, broadcast, multicast } counter drop
|
fib daddr . iif type != { local, broadcast, multicast } counter drop
|
||||||
|
|
||||||
tcp dport 443 notrack accept
|
tcp dport 443 notrack accept
|
||||||
tcp dport { 22, 80 } tcp flags syn notrack accept
|
tcp dport { 22, 80 } tcp flags syn limit rate 1024/second accept
|
||||||
|
tcp dport { 22, 80 } tcp flags syn counter notrack accept
|
||||||
meta l4proto { icmp, ipv6-icmp } notrack accept
|
meta l4proto { icmp, ipv6-icmp } notrack accept
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -54,7 +55,7 @@ table inet filter {
|
|||||||
iif lo goto input-loopback
|
iif lo goto input-loopback
|
||||||
tcp dport 443 accept
|
tcp dport 443 accept
|
||||||
meta l4proto { icmp, ipv6-icmp } accept
|
meta l4proto { icmp, ipv6-icmp } accept
|
||||||
ct state vmap { established : accept, related : accept, new : goto graceful-reject }
|
ct state vmap { new : goto input-new, established : goto input-established, related : accept }
|
||||||
|
|
||||||
tcp dport 22 ip saddr @ip-connlimit-ssh counter reject with tcp reset
|
tcp dport 22 ip saddr @ip-connlimit-ssh counter reject with tcp reset
|
||||||
tcp dport 22 ip6 saddr and ffff:ffff:ffff:ffff:ffff:: @ip6-connlimit-ssh counter reject with tcp reset
|
tcp dport 22 ip6 saddr and ffff:ffff:ffff:ffff:ffff:: @ip6-connlimit-ssh counter reject with tcp reset
|
||||||
@ -63,13 +64,31 @@ table inet filter {
|
|||||||
tcp dport { 22, 80 } synproxy mss 1460 wscale 7 timestamp sack-perm
|
tcp dport { 22, 80 } synproxy mss 1460 wscale 7 timestamp sack-perm
|
||||||
}
|
}
|
||||||
|
|
||||||
|
chain input-new {
|
||||||
|
tcp dport != { 22, 80 } goto graceful-reject
|
||||||
|
tcp dport 22 ip saddr @ip-connlimit-ssh counter reject with tcp reset
|
||||||
|
tcp dport 22 ip6 saddr and ffff:ffff:ffff:ffff:ffff:: @ip6-connlimit-ssh counter reject with tcp reset
|
||||||
|
tcp dport 80 ip saddr @ip-connlimit-main counter reject with tcp reset
|
||||||
|
tcp dport 80 ip6 saddr and ffff:ffff:ffff:ffff:: @ip6-connlimit-main counter reject with tcp reset
|
||||||
|
accept
|
||||||
|
}
|
||||||
|
|
||||||
|
chain input-established {
|
||||||
|
ct mark 0x1 accept
|
||||||
|
tcp dport 22 ip saddr != $ip-allowlist-ssh add @ip-connlimit-ssh { ip saddr ct count over 1 } counter reject with tcp reset
|
||||||
|
tcp dport 22 ip6 saddr != $ip6-allowlist-ssh add @ip6-connlimit-ssh { ip6 saddr and ffff:ffff:ffff:ffff:ffff:: ct count over 1 } counter reject with tcp reset
|
||||||
|
tcp dport 80 add @ip-connlimit-main { ip saddr ct count over 32 } counter reject with tcp reset
|
||||||
|
tcp dport 80 add @ip6-connlimit-main { ip6 saddr and ffff:ffff:ffff:ffff:: ct count over 32 } counter reject with tcp reset
|
||||||
|
ct mark set 0x1 accept
|
||||||
|
}
|
||||||
|
|
||||||
chain input-loopback {
|
chain input-loopback {
|
||||||
tcp flags != syn accept
|
tcp flags != syn accept
|
||||||
tcp dport 22 ip saddr != $ip-allowlist-ssh add @ip-connlimit-ssh { ip saddr ct count over 1 } counter reject with tcp reset
|
tcp dport 22 ip saddr != $ip-allowlist-ssh add @ip-connlimit-ssh { ip saddr ct count over 1 } counter reject with tcp reset
|
||||||
tcp dport 22 ip6 saddr != $ip6-allowlist-ssh add @ip6-connlimit-ssh { ip6 saddr and ffff:ffff:ffff:ffff:ffff:: ct count over 1 } counter reject with tcp reset
|
tcp dport 22 ip6 saddr != $ip6-allowlist-ssh add @ip6-connlimit-ssh { ip6 saddr and ffff:ffff:ffff:ffff:ffff:: ct count over 1 } counter reject with tcp reset
|
||||||
tcp dport 80 add @ip-connlimit-main { ip saddr ct count over 32 } counter reject with tcp reset
|
tcp dport 80 add @ip-connlimit-main { ip saddr ct count over 32 } counter reject with tcp reset
|
||||||
tcp dport 80 add @ip6-connlimit-main { ip6 saddr and ffff:ffff:ffff:ffff:: ct count over 32 } counter reject with tcp reset
|
tcp dport 80 add @ip6-connlimit-main { ip6 saddr and ffff:ffff:ffff:ffff:: ct count over 32 } counter reject with tcp reset
|
||||||
accept
|
ct mark set 0x1 accept
|
||||||
}
|
}
|
||||||
|
|
||||||
chain forward {
|
chain forward {
|
||||||
|
@ -46,7 +46,8 @@ table inet filter {
|
|||||||
meta nfproto ipv6 tcp dport { 80, 443 } reject with tcp reset
|
meta nfproto ipv6 tcp dport { 80, 443 } reject with tcp reset
|
||||||
|
|
||||||
tcp dport 443 notrack accept
|
tcp dport 443 notrack accept
|
||||||
tcp dport { 22, 80 } tcp flags syn notrack accept
|
tcp dport { 22, 80 } tcp flags syn limit rate 1024/second accept
|
||||||
|
tcp dport { 22, 80 } tcp flags syn counter notrack accept
|
||||||
meta l4proto { icmp, ipv6-icmp } notrack accept
|
meta l4proto { icmp, ipv6-icmp } notrack accept
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -57,7 +58,7 @@ table inet filter {
|
|||||||
iif lo goto input-loopback
|
iif lo goto input-loopback
|
||||||
tcp dport 443 accept
|
tcp dport 443 accept
|
||||||
meta l4proto { icmp, ipv6-icmp } accept
|
meta l4proto { icmp, ipv6-icmp } accept
|
||||||
ct state vmap { established : accept, related : accept, new : goto graceful-reject }
|
ct state vmap { new : goto input-new, established : goto input-established, related : accept }
|
||||||
|
|
||||||
tcp dport 22 ip saddr @ip-connlimit-ssh counter reject with tcp reset
|
tcp dport 22 ip saddr @ip-connlimit-ssh counter reject with tcp reset
|
||||||
tcp dport 22 ip6 saddr and ffff:ffff:ffff:ffff:ffff:: @ip6-connlimit-ssh counter reject with tcp reset
|
tcp dport 22 ip6 saddr and ffff:ffff:ffff:ffff:ffff:: @ip6-connlimit-ssh counter reject with tcp reset
|
||||||
@ -66,13 +67,31 @@ table inet filter {
|
|||||||
tcp dport { 22, 80 } synproxy mss 1460 wscale 7 timestamp sack-perm
|
tcp dport { 22, 80 } synproxy mss 1460 wscale 7 timestamp sack-perm
|
||||||
}
|
}
|
||||||
|
|
||||||
|
chain input-new {
|
||||||
|
tcp dport != { 22, 80 } goto graceful-reject
|
||||||
|
tcp dport 22 ip saddr @ip-connlimit-ssh counter reject with tcp reset
|
||||||
|
tcp dport 22 ip6 saddr and ffff:ffff:ffff:ffff:ffff:: @ip6-connlimit-ssh counter reject with tcp reset
|
||||||
|
tcp dport 80 ip saddr @ip-connlimit-main counter reject with tcp reset
|
||||||
|
tcp dport 80 ip6 saddr and ffff:ffff:ffff:ffff:: @ip6-connlimit-main counter reject with tcp reset
|
||||||
|
accept
|
||||||
|
}
|
||||||
|
|
||||||
|
chain input-established {
|
||||||
|
ct mark 0x1 accept
|
||||||
|
tcp dport 22 ip saddr != $ip-allowlist-ssh add @ip-connlimit-ssh { ip saddr ct count over 1 } counter reject with tcp reset
|
||||||
|
tcp dport 22 ip6 saddr != $ip6-allowlist-ssh add @ip6-connlimit-ssh { ip6 saddr and ffff:ffff:ffff:ffff:ffff:: ct count over 1 } counter reject with tcp reset
|
||||||
|
tcp dport 80 add @ip-connlimit-main { ip saddr ct count over 32 } counter reject with tcp reset
|
||||||
|
tcp dport 80 add @ip6-connlimit-main { ip6 saddr and ffff:ffff:ffff:ffff:: ct count over 32 } counter reject with tcp reset
|
||||||
|
ct mark set 0x1 accept
|
||||||
|
}
|
||||||
|
|
||||||
chain input-loopback {
|
chain input-loopback {
|
||||||
tcp flags != syn accept
|
tcp flags != syn accept
|
||||||
tcp dport 22 ip saddr != $ip-allowlist-ssh add @ip-connlimit-ssh { ip saddr ct count over 1 } counter reject with tcp reset
|
tcp dport 22 ip saddr != $ip-allowlist-ssh add @ip-connlimit-ssh { ip saddr ct count over 1 } counter reject with tcp reset
|
||||||
tcp dport 22 ip6 saddr != $ip6-allowlist-ssh add @ip6-connlimit-ssh { ip6 saddr and ffff:ffff:ffff:ffff:ffff:: ct count over 1 } counter reject with tcp reset
|
tcp dport 22 ip6 saddr != $ip6-allowlist-ssh add @ip6-connlimit-ssh { ip6 saddr and ffff:ffff:ffff:ffff:ffff:: ct count over 1 } counter reject with tcp reset
|
||||||
tcp dport 80 add @ip-connlimit-main { ip saddr ct count over 32 } counter reject with tcp reset
|
tcp dport 80 add @ip-connlimit-main { ip saddr ct count over 32 } counter reject with tcp reset
|
||||||
tcp dport 80 add @ip6-connlimit-main { ip6 saddr and ffff:ffff:ffff:ffff:: ct count over 32 } counter reject with tcp reset
|
tcp dport 80 add @ip6-connlimit-main { ip6 saddr and ffff:ffff:ffff:ffff:: ct count over 32 } counter reject with tcp reset
|
||||||
accept
|
ct mark set 0x1 accept
|
||||||
}
|
}
|
||||||
|
|
||||||
chain forward {
|
chain forward {
|
||||||
|
@ -43,7 +43,8 @@ table inet filter {
|
|||||||
fib daddr . iif type != { local, broadcast, multicast } counter drop
|
fib daddr . iif type != { local, broadcast, multicast } counter drop
|
||||||
|
|
||||||
tcp dport { 25, 465, 993 } notrack accept
|
tcp dport { 25, 465, 993 } notrack accept
|
||||||
tcp dport { 22, 80, 443 } tcp flags syn notrack accept
|
tcp dport { 22, 80, 443 } tcp flags syn limit rate 1024/second accept
|
||||||
|
tcp dport { 22, 80, 443 } tcp flags syn counter notrack accept
|
||||||
meta l4proto { icmp, ipv6-icmp } notrack accept
|
meta l4proto { icmp, ipv6-icmp } notrack accept
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -54,7 +55,7 @@ table inet filter {
|
|||||||
iif lo goto input-loopback
|
iif lo goto input-loopback
|
||||||
tcp dport { 25, 465, 993 } accept
|
tcp dport { 25, 465, 993 } accept
|
||||||
meta l4proto { icmp, ipv6-icmp } accept
|
meta l4proto { icmp, ipv6-icmp } accept
|
||||||
ct state vmap { established : accept, related : accept, new : goto graceful-reject }
|
ct state vmap { new : goto input-new, established : goto input-established, related : accept }
|
||||||
|
|
||||||
tcp dport 22 ip saddr @ip-connlimit-ssh counter reject with tcp reset
|
tcp dport 22 ip saddr @ip-connlimit-ssh counter reject with tcp reset
|
||||||
tcp dport 22 ip6 saddr and ffff:ffff:ffff:ffff:ffff:: @ip6-connlimit-ssh counter reject with tcp reset
|
tcp dport 22 ip6 saddr and ffff:ffff:ffff:ffff:ffff:: @ip6-connlimit-ssh counter reject with tcp reset
|
||||||
@ -63,13 +64,31 @@ table inet filter {
|
|||||||
tcp dport { 22, 80, 443 } synproxy mss 1460 wscale 7 timestamp sack-perm
|
tcp dport { 22, 80, 443 } synproxy mss 1460 wscale 7 timestamp sack-perm
|
||||||
}
|
}
|
||||||
|
|
||||||
|
chain input-new {
|
||||||
|
tcp dport != { 22, 80, 443 } goto graceful-reject
|
||||||
|
tcp dport 22 ip saddr @ip-connlimit-ssh counter reject with tcp reset
|
||||||
|
tcp dport 22 ip6 saddr and ffff:ffff:ffff:ffff:ffff:: @ip6-connlimit-ssh counter reject with tcp reset
|
||||||
|
tcp dport { 80, 443 } ip saddr @ip-connlimit-main counter reject with tcp reset
|
||||||
|
tcp dport { 80, 443 } ip6 saddr and ffff:ffff:ffff:ffff:: @ip6-connlimit-main counter reject with tcp reset
|
||||||
|
accept
|
||||||
|
}
|
||||||
|
|
||||||
|
chain input-established {
|
||||||
|
ct mark 0x1 accept
|
||||||
|
tcp dport 22 ip saddr != $ip-allowlist-ssh add @ip-connlimit-ssh { ip saddr ct count over 1 } counter reject with tcp reset
|
||||||
|
tcp dport 22 ip6 saddr != $ip6-allowlist-ssh add @ip6-connlimit-ssh { ip6 saddr and ffff:ffff:ffff:ffff:ffff:: ct count over 1 } counter reject with tcp reset
|
||||||
|
tcp dport { 80, 443 } add @ip-connlimit-main { ip saddr ct count over 32 } counter reject with tcp reset
|
||||||
|
tcp dport { 80, 443 } add @ip6-connlimit-main { ip6 saddr and ffff:ffff:ffff:ffff:: ct count over 32 } counter reject with tcp reset
|
||||||
|
ct mark set 0x1 accept
|
||||||
|
}
|
||||||
|
|
||||||
chain input-loopback {
|
chain input-loopback {
|
||||||
tcp flags != syn accept
|
tcp flags != syn accept
|
||||||
tcp dport 22 ip saddr != $ip-allowlist-ssh add @ip-connlimit-ssh { ip saddr ct count over 1 } counter reject with tcp reset
|
tcp dport 22 ip saddr != $ip-allowlist-ssh add @ip-connlimit-ssh { ip saddr ct count over 1 } counter reject with tcp reset
|
||||||
tcp dport 22 ip6 saddr != $ip6-allowlist-ssh add @ip6-connlimit-ssh { ip6 saddr and ffff:ffff:ffff:ffff:ffff:: ct count over 1 } counter reject with tcp reset
|
tcp dport 22 ip6 saddr != $ip6-allowlist-ssh add @ip6-connlimit-ssh { ip6 saddr and ffff:ffff:ffff:ffff:ffff:: ct count over 1 } counter reject with tcp reset
|
||||||
tcp dport { 80, 443 } add @ip-connlimit-main { ip saddr ct count over 32 } counter reject with tcp reset
|
tcp dport { 80, 443 } add @ip-connlimit-main { ip saddr ct count over 32 } counter reject with tcp reset
|
||||||
tcp dport { 80, 443 } add @ip6-connlimit-main { ip6 saddr and ffff:ffff:ffff:ffff:: ct count over 32 } counter reject with tcp reset
|
tcp dport { 80, 443 } add @ip6-connlimit-main { ip6 saddr and ffff:ffff:ffff:ffff:: ct count over 32 } counter reject with tcp reset
|
||||||
accept
|
ct mark set 0x1 accept
|
||||||
}
|
}
|
||||||
|
|
||||||
chain forward {
|
chain forward {
|
||||||
|
@ -43,7 +43,8 @@ table inet filter {
|
|||||||
fib daddr . iif type != { local, broadcast, multicast } counter drop
|
fib daddr . iif type != { local, broadcast, multicast } counter drop
|
||||||
|
|
||||||
tcp dport 443 notrack accept
|
tcp dport 443 notrack accept
|
||||||
tcp dport { 22, 80 } tcp flags syn notrack accept
|
tcp dport { 22, 80 } tcp flags syn limit rate 1024/second accept
|
||||||
|
tcp dport { 22, 80 } tcp flags syn counter notrack accept
|
||||||
meta l4proto { icmp, ipv6-icmp } notrack accept
|
meta l4proto { icmp, ipv6-icmp } notrack accept
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -54,7 +55,7 @@ table inet filter {
|
|||||||
iif lo goto input-loopback
|
iif lo goto input-loopback
|
||||||
tcp dport 443 accept
|
tcp dport 443 accept
|
||||||
meta l4proto { icmp, ipv6-icmp } accept
|
meta l4proto { icmp, ipv6-icmp } accept
|
||||||
ct state vmap { established : accept, related : accept, new : goto graceful-reject }
|
ct state vmap { new : goto input-new, established : goto input-established, related : accept }
|
||||||
|
|
||||||
tcp dport 22 ip saddr @ip-connlimit-ssh counter reject with tcp reset
|
tcp dport 22 ip saddr @ip-connlimit-ssh counter reject with tcp reset
|
||||||
tcp dport 22 ip6 saddr and ffff:ffff:ffff:ffff:ffff:: @ip6-connlimit-ssh counter reject with tcp reset
|
tcp dport 22 ip6 saddr and ffff:ffff:ffff:ffff:ffff:: @ip6-connlimit-ssh counter reject with tcp reset
|
||||||
@ -63,13 +64,31 @@ table inet filter {
|
|||||||
tcp dport { 22, 80 } synproxy mss 1460 wscale 7 timestamp sack-perm
|
tcp dport { 22, 80 } synproxy mss 1460 wscale 7 timestamp sack-perm
|
||||||
}
|
}
|
||||||
|
|
||||||
|
chain input-new {
|
||||||
|
tcp dport != { 22, 80 } goto graceful-reject
|
||||||
|
tcp dport 22 ip saddr @ip-connlimit-ssh counter reject with tcp reset
|
||||||
|
tcp dport 22 ip6 saddr and ffff:ffff:ffff:ffff:ffff:: @ip6-connlimit-ssh counter reject with tcp reset
|
||||||
|
tcp dport 80 ip saddr @ip-connlimit-main counter reject with tcp reset
|
||||||
|
tcp dport 80 ip6 saddr and ffff:ffff:ffff:ffff:: @ip6-connlimit-main counter reject with tcp reset
|
||||||
|
accept
|
||||||
|
}
|
||||||
|
|
||||||
|
chain input-established {
|
||||||
|
ct mark 0x1 accept
|
||||||
|
tcp dport 22 ip saddr != $ip-allowlist-ssh add @ip-connlimit-ssh { ip saddr ct count over 1 } counter reject with tcp reset
|
||||||
|
tcp dport 22 ip6 saddr != $ip6-allowlist-ssh add @ip6-connlimit-ssh { ip6 saddr and ffff:ffff:ffff:ffff:ffff:: ct count over 1 } counter reject with tcp reset
|
||||||
|
tcp dport 80 add @ip-connlimit-main { ip saddr ct count over 32 } counter reject with tcp reset
|
||||||
|
tcp dport 80 add @ip6-connlimit-main { ip6 saddr and ffff:ffff:ffff:ffff:: ct count over 32 } counter reject with tcp reset
|
||||||
|
ct mark set 0x1 accept
|
||||||
|
}
|
||||||
|
|
||||||
chain input-loopback {
|
chain input-loopback {
|
||||||
tcp flags != syn accept
|
tcp flags != syn accept
|
||||||
tcp dport 22 ip saddr != $ip-allowlist-ssh add @ip-connlimit-ssh { ip saddr ct count over 1 } counter reject with tcp reset
|
tcp dport 22 ip saddr != $ip-allowlist-ssh add @ip-connlimit-ssh { ip saddr ct count over 1 } counter reject with tcp reset
|
||||||
tcp dport 22 ip6 saddr != $ip6-allowlist-ssh add @ip6-connlimit-ssh { ip6 saddr and ffff:ffff:ffff:ffff:ffff:: ct count over 1 } counter reject with tcp reset
|
tcp dport 22 ip6 saddr != $ip6-allowlist-ssh add @ip6-connlimit-ssh { ip6 saddr and ffff:ffff:ffff:ffff:ffff:: ct count over 1 } counter reject with tcp reset
|
||||||
tcp dport 80 add @ip-connlimit-main { ip saddr ct count over 32 } counter reject with tcp reset
|
tcp dport 80 add @ip-connlimit-main { ip saddr ct count over 32 } counter reject with tcp reset
|
||||||
tcp dport 80 add @ip6-connlimit-main { ip6 saddr and ffff:ffff:ffff:ffff:: ct count over 32 } counter reject with tcp reset
|
tcp dport 80 add @ip6-connlimit-main { ip6 saddr and ffff:ffff:ffff:ffff:: ct count over 32 } counter reject with tcp reset
|
||||||
accept
|
ct mark set 0x1 accept
|
||||||
}
|
}
|
||||||
|
|
||||||
chain forward {
|
chain forward {
|
||||||
|
@ -45,7 +45,8 @@ table inet filter {
|
|||||||
fib daddr . iif type != { local, broadcast, multicast } counter drop
|
fib daddr . iif type != { local, broadcast, multicast } counter drop
|
||||||
|
|
||||||
tcp dport { 80, 443 } notrack accept
|
tcp dport { 80, 443 } notrack accept
|
||||||
tcp dport { 22, 7275 } tcp flags syn notrack accept
|
tcp dport { 22, 7275 } tcp flags syn limit rate 1024/second accept
|
||||||
|
tcp dport { 22, 7275 } tcp flags syn counter notrack accept
|
||||||
udp dport 123 notrack accept
|
udp dport 123 notrack accept
|
||||||
meta l4proto { icmp, ipv6-icmp } notrack accept
|
meta l4proto { icmp, ipv6-icmp } notrack accept
|
||||||
}
|
}
|
||||||
@ -58,7 +59,7 @@ table inet filter {
|
|||||||
tcp dport { 80, 443 } accept
|
tcp dport { 80, 443 } accept
|
||||||
udp dport 123 accept
|
udp dport 123 accept
|
||||||
meta l4proto { icmp, ipv6-icmp } accept
|
meta l4proto { icmp, ipv6-icmp } accept
|
||||||
ct state vmap { established : accept, related : accept, new : goto graceful-reject }
|
ct state vmap { new : goto input-new, established : goto input-established, related : accept }
|
||||||
|
|
||||||
tcp dport 22 ip saddr @ip-connlimit-ssh counter reject with tcp reset
|
tcp dport 22 ip saddr @ip-connlimit-ssh counter reject with tcp reset
|
||||||
tcp dport 22 ip6 saddr and ffff:ffff:ffff:ffff:ffff:: @ip6-connlimit-ssh counter reject with tcp reset
|
tcp dport 22 ip6 saddr and ffff:ffff:ffff:ffff:ffff:: @ip6-connlimit-ssh counter reject with tcp reset
|
||||||
@ -67,13 +68,31 @@ table inet filter {
|
|||||||
tcp dport { 22, 7275 } synproxy mss 1460 wscale 7 timestamp sack-perm
|
tcp dport { 22, 7275 } synproxy mss 1460 wscale 7 timestamp sack-perm
|
||||||
}
|
}
|
||||||
|
|
||||||
|
chain input-new {
|
||||||
|
tcp dport != { 22, 7275 } goto graceful-reject
|
||||||
|
tcp dport 22 ip saddr @ip-connlimit-ssh counter reject with tcp reset
|
||||||
|
tcp dport 22 ip6 saddr and ffff:ffff:ffff:ffff:ffff:: @ip6-connlimit-ssh counter reject with tcp reset
|
||||||
|
tcp dport 7275 ip saddr @ip-connlimit-main counter reject with tcp reset
|
||||||
|
tcp dport 7275 ip6 saddr and ffff:ffff:ffff:ffff:: @ip6-connlimit-main counter reject with tcp reset
|
||||||
|
accept
|
||||||
|
}
|
||||||
|
|
||||||
|
chain input-established {
|
||||||
|
ct mark 0x1 accept
|
||||||
|
tcp dport 22 ip saddr != $ip-allowlist-ssh add @ip-connlimit-ssh { ip saddr ct count over 1 } counter reject with tcp reset
|
||||||
|
tcp dport 22 ip6 saddr != $ip6-allowlist-ssh add @ip6-connlimit-ssh { ip6 saddr and ffff:ffff:ffff:ffff:ffff:: ct count over 1 } counter reject with tcp reset
|
||||||
|
tcp dport 7275 add @ip-connlimit-main { ip saddr ct count over 32 } counter reject with tcp reset
|
||||||
|
tcp dport 7275 add @ip6-connlimit-main { ip6 saddr and ffff:ffff:ffff:ffff:: ct count over 32 } counter reject with tcp reset
|
||||||
|
ct mark set 0x1 accept
|
||||||
|
}
|
||||||
|
|
||||||
chain input-loopback {
|
chain input-loopback {
|
||||||
tcp flags != syn accept
|
tcp flags != syn accept
|
||||||
tcp dport 22 ip saddr != $ip-allowlist-ssh add @ip-connlimit-ssh { ip saddr ct count over 1 } counter reject with tcp reset
|
tcp dport 22 ip saddr != $ip-allowlist-ssh add @ip-connlimit-ssh { ip saddr ct count over 1 } counter reject with tcp reset
|
||||||
tcp dport 22 ip6 saddr != $ip6-allowlist-ssh add @ip6-connlimit-ssh { ip6 saddr and ffff:ffff:ffff:ffff:ffff:: ct count over 1 } counter reject with tcp reset
|
tcp dport 22 ip6 saddr != $ip6-allowlist-ssh add @ip6-connlimit-ssh { ip6 saddr and ffff:ffff:ffff:ffff:ffff:: ct count over 1 } counter reject with tcp reset
|
||||||
tcp dport 7275 add @ip-connlimit-main { ip saddr ct count over 32 } counter reject with tcp reset
|
tcp dport 7275 add @ip-connlimit-main { ip saddr ct count over 32 } counter reject with tcp reset
|
||||||
tcp dport 7275 add @ip6-connlimit-main { ip6 saddr and ffff:ffff:ffff:ffff:: ct count over 32 } counter reject with tcp reset
|
tcp dport 7275 add @ip6-connlimit-main { ip6 saddr and ffff:ffff:ffff:ffff:: ct count over 32 } counter reject with tcp reset
|
||||||
accept
|
ct mark set 0x1 accept
|
||||||
}
|
}
|
||||||
|
|
||||||
chain forward {
|
chain forward {
|
||||||
|
@ -43,7 +43,8 @@ table inet filter {
|
|||||||
fib daddr . iif type != { local, broadcast, multicast } counter drop
|
fib daddr . iif type != { local, broadcast, multicast } counter drop
|
||||||
|
|
||||||
udp dport 53 notrack accept
|
udp dport 53 notrack accept
|
||||||
tcp dport { 22, 53, 80, 443, 853 } tcp flags syn notrack accept
|
tcp dport { 22, 53, 80, 443, 853 } tcp flags syn limit rate 1024/second accept
|
||||||
|
tcp dport { 22, 53, 80, 443, 853 } tcp flags syn counter notrack accept
|
||||||
meta l4proto { icmp, ipv6-icmp } notrack accept
|
meta l4proto { icmp, ipv6-icmp } notrack accept
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -54,7 +55,7 @@ table inet filter {
|
|||||||
iif lo goto input-loopback
|
iif lo goto input-loopback
|
||||||
udp dport 53 accept
|
udp dport 53 accept
|
||||||
meta l4proto { icmp, ipv6-icmp } accept
|
meta l4proto { icmp, ipv6-icmp } accept
|
||||||
ct state vmap { established : accept, related : accept, new : goto graceful-reject }
|
ct state vmap { new : goto input-new, established : goto input-established, related : accept }
|
||||||
|
|
||||||
tcp dport 22 ip saddr @ip-connlimit-ssh counter reject with tcp reset
|
tcp dport 22 ip saddr @ip-connlimit-ssh counter reject with tcp reset
|
||||||
tcp dport 22 ip6 saddr and ffff:ffff:ffff:ffff:ffff:: @ip6-connlimit-ssh counter reject with tcp reset
|
tcp dport 22 ip6 saddr and ffff:ffff:ffff:ffff:ffff:: @ip6-connlimit-ssh counter reject with tcp reset
|
||||||
@ -63,13 +64,31 @@ table inet filter {
|
|||||||
tcp dport { 22, 53, 80, 443, 853 } synproxy mss 1460 wscale 7 timestamp sack-perm
|
tcp dport { 22, 53, 80, 443, 853 } synproxy mss 1460 wscale 7 timestamp sack-perm
|
||||||
}
|
}
|
||||||
|
|
||||||
|
chain input-new {
|
||||||
|
tcp dport != { 22, 53, 80, 443, 853 } goto graceful-reject
|
||||||
|
tcp dport 22 ip saddr @ip-connlimit-ssh counter reject with tcp reset
|
||||||
|
tcp dport 22 ip6 saddr and ffff:ffff:ffff:ffff:ffff:: @ip6-connlimit-ssh counter reject with tcp reset
|
||||||
|
tcp dport { 53, 80, 443, 853 } ip saddr @ip-connlimit-main counter reject with tcp reset
|
||||||
|
tcp dport { 53, 80, 443, 853 } ip6 saddr and ffff:ffff:ffff:ffff:: @ip6-connlimit-main counter reject with tcp reset
|
||||||
|
accept
|
||||||
|
}
|
||||||
|
|
||||||
|
chain input-established {
|
||||||
|
ct mark 0x1 accept
|
||||||
|
tcp dport 22 ip saddr != $ip-allowlist-ssh add @ip-connlimit-ssh { ip saddr ct count over 1 } counter reject with tcp reset
|
||||||
|
tcp dport 22 ip6 saddr != $ip6-allowlist-ssh add @ip6-connlimit-ssh { ip6 saddr and ffff:ffff:ffff:ffff:ffff:: ct count over 1 } counter reject with tcp reset
|
||||||
|
tcp dport { 53, 80, 443, 853 } add @ip-connlimit-main { ip saddr ct count over 16 } counter reject with tcp reset
|
||||||
|
tcp dport { 53, 80, 443, 853 } add @ip6-connlimit-main { ip6 saddr and ffff:ffff:ffff:ffff:: ct count over 16 } counter reject with tcp reset
|
||||||
|
ct mark set 0x1 accept
|
||||||
|
}
|
||||||
|
|
||||||
chain input-loopback {
|
chain input-loopback {
|
||||||
tcp flags != syn accept
|
tcp flags != syn accept
|
||||||
tcp dport 22 ip saddr != $ip-allowlist-ssh add @ip-connlimit-ssh { ip saddr ct count over 1 } counter reject with tcp reset
|
tcp dport 22 ip saddr != $ip-allowlist-ssh add @ip-connlimit-ssh { ip saddr ct count over 1 } counter reject with tcp reset
|
||||||
tcp dport 22 ip6 saddr != $ip6-allowlist-ssh add @ip6-connlimit-ssh { ip6 saddr and ffff:ffff:ffff:ffff:ffff:: ct count over 1 } counter reject with tcp reset
|
tcp dport 22 ip6 saddr != $ip6-allowlist-ssh add @ip6-connlimit-ssh { ip6 saddr and ffff:ffff:ffff:ffff:ffff:: ct count over 1 } counter reject with tcp reset
|
||||||
tcp dport { 53, 80, 443, 853 } add @ip-connlimit-main { ip saddr ct count over 16 } counter reject with tcp reset
|
tcp dport { 53, 80, 443, 853 } add @ip-connlimit-main { ip saddr ct count over 16 } counter reject with tcp reset
|
||||||
tcp dport { 53, 80, 443, 853 } add @ip6-connlimit-main { ip6 saddr and ffff:ffff:ffff:ffff:: ct count over 16 } counter reject with tcp reset
|
tcp dport { 53, 80, 443, 853 } add @ip6-connlimit-main { ip6 saddr and ffff:ffff:ffff:ffff:: ct count over 16 } counter reject with tcp reset
|
||||||
accept
|
ct mark set 0x1 accept
|
||||||
}
|
}
|
||||||
|
|
||||||
chain forward {
|
chain forward {
|
||||||
|
@ -48,7 +48,8 @@ table inet filter {
|
|||||||
tcp dport 22 ip daddr 198.251.90.93 reject with tcp reset
|
tcp dport 22 ip daddr 198.251.90.93 reject with tcp reset
|
||||||
|
|
||||||
udp dport 53 notrack accept
|
udp dport 53 notrack accept
|
||||||
tcp dport { 22, 53, 80, 443, 853 } tcp flags syn notrack accept
|
tcp dport { 22, 53, 80, 443, 853 } tcp flags syn limit rate 1024/second accept
|
||||||
|
tcp dport { 22, 53, 80, 443, 853 } tcp flags syn counter notrack accept
|
||||||
meta l4proto { icmp, ipv6-icmp } notrack accept
|
meta l4proto { icmp, ipv6-icmp } notrack accept
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -59,7 +60,7 @@ table inet filter {
|
|||||||
iif lo goto input-loopback
|
iif lo goto input-loopback
|
||||||
udp dport 53 accept
|
udp dport 53 accept
|
||||||
meta l4proto { icmp, ipv6-icmp } accept
|
meta l4proto { icmp, ipv6-icmp } accept
|
||||||
ct state vmap { established : accept, related : accept, new : goto graceful-reject }
|
ct state vmap { new : goto input-new, established : goto input-established, related : accept }
|
||||||
|
|
||||||
tcp dport 22 ip saddr @ip-connlimit-ssh counter reject with tcp reset
|
tcp dport 22 ip saddr @ip-connlimit-ssh counter reject with tcp reset
|
||||||
tcp dport 22 ip6 saddr and ffff:ffff:ffff:ffff:ffff:: @ip6-connlimit-ssh counter reject with tcp reset
|
tcp dport 22 ip6 saddr and ffff:ffff:ffff:ffff:ffff:: @ip6-connlimit-ssh counter reject with tcp reset
|
||||||
@ -68,13 +69,31 @@ table inet filter {
|
|||||||
tcp dport { 22, 53, 80, 443, 853 } synproxy mss 1460 wscale 7 timestamp sack-perm
|
tcp dport { 22, 53, 80, 443, 853 } synproxy mss 1460 wscale 7 timestamp sack-perm
|
||||||
}
|
}
|
||||||
|
|
||||||
|
chain input-new {
|
||||||
|
tcp dport != { 22, 53, 80, 443, 853 } goto graceful-reject
|
||||||
|
tcp dport 22 ip saddr @ip-connlimit-ssh counter reject with tcp reset
|
||||||
|
tcp dport 22 ip6 saddr and ffff:ffff:ffff:ffff:ffff:: @ip6-connlimit-ssh counter reject with tcp reset
|
||||||
|
tcp dport { 53, 80, 443, 853 } ip saddr @ip-connlimit-main counter reject with tcp reset
|
||||||
|
tcp dport { 53, 80, 443, 853 } ip6 saddr and ffff:ffff:ffff:ffff:: @ip6-connlimit-main counter reject with tcp reset
|
||||||
|
accept
|
||||||
|
}
|
||||||
|
|
||||||
|
chain input-established {
|
||||||
|
ct mark 0x1 accept
|
||||||
|
tcp dport 22 ip saddr != $ip-allowlist-ssh add @ip-connlimit-ssh { ip saddr ct count over 1 } counter reject with tcp reset
|
||||||
|
tcp dport 22 ip6 saddr != $ip6-allowlist-ssh add @ip6-connlimit-ssh { ip6 saddr and ffff:ffff:ffff:ffff:ffff:: ct count over 1 } counter reject with tcp reset
|
||||||
|
tcp dport { 53, 80, 443, 853 } add @ip-connlimit-main { ip saddr ct count over 16 } counter reject with tcp reset
|
||||||
|
tcp dport { 53, 80, 443, 853 } add @ip6-connlimit-main { ip6 saddr and ffff:ffff:ffff:ffff:: ct count over 16 } counter reject with tcp reset
|
||||||
|
ct mark set 0x1 accept
|
||||||
|
}
|
||||||
|
|
||||||
chain input-loopback {
|
chain input-loopback {
|
||||||
tcp flags != syn accept
|
tcp flags != syn accept
|
||||||
tcp dport 22 ip saddr != $ip-allowlist-ssh add @ip-connlimit-ssh { ip saddr ct count over 1 } counter reject with tcp reset
|
tcp dport 22 ip saddr != $ip-allowlist-ssh add @ip-connlimit-ssh { ip saddr ct count over 1 } counter reject with tcp reset
|
||||||
tcp dport 22 ip6 saddr != $ip6-allowlist-ssh add @ip6-connlimit-ssh { ip6 saddr and ffff:ffff:ffff:ffff:ffff:: ct count over 1 } counter reject with tcp reset
|
tcp dport 22 ip6 saddr != $ip6-allowlist-ssh add @ip6-connlimit-ssh { ip6 saddr and ffff:ffff:ffff:ffff:ffff:: ct count over 1 } counter reject with tcp reset
|
||||||
tcp dport { 53, 80, 443, 853 } add @ip-connlimit-main { ip saddr ct count over 16 } counter reject with tcp reset
|
tcp dport { 53, 80, 443, 853 } add @ip-connlimit-main { ip saddr ct count over 16 } counter reject with tcp reset
|
||||||
tcp dport { 53, 80, 443, 853 } add @ip6-connlimit-main { ip6 saddr and ffff:ffff:ffff:ffff:: ct count over 16 } counter reject with tcp reset
|
tcp dport { 53, 80, 443, 853 } add @ip6-connlimit-main { ip6 saddr and ffff:ffff:ffff:ffff:: ct count over 16 } counter reject with tcp reset
|
||||||
accept
|
ct mark set 0x1 accept
|
||||||
}
|
}
|
||||||
|
|
||||||
chain forward {
|
chain forward {
|
||||||
|
@ -43,7 +43,8 @@ table inet filter {
|
|||||||
fib daddr . iif type != { local, broadcast, multicast } counter drop
|
fib daddr . iif type != { local, broadcast, multicast } counter drop
|
||||||
|
|
||||||
tcp dport 443 notrack accept
|
tcp dport 443 notrack accept
|
||||||
tcp dport { 22, 80 } tcp flags syn notrack accept
|
tcp dport { 22, 80 } tcp flags syn limit rate 1024/second accept
|
||||||
|
tcp dport { 22, 80 } tcp flags syn counter notrack accept
|
||||||
meta l4proto { icmp, ipv6-icmp } notrack accept
|
meta l4proto { icmp, ipv6-icmp } notrack accept
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -54,7 +55,7 @@ table inet filter {
|
|||||||
iif lo goto input-loopback
|
iif lo goto input-loopback
|
||||||
tcp dport 443 accept
|
tcp dport 443 accept
|
||||||
meta l4proto { icmp, ipv6-icmp } accept
|
meta l4proto { icmp, ipv6-icmp } accept
|
||||||
ct state vmap { established : accept, related : accept, new : goto graceful-reject }
|
ct state vmap { new : goto input-new, established : goto input-established, related : accept }
|
||||||
|
|
||||||
tcp dport 22 ip saddr @ip-connlimit-ssh counter reject with tcp reset
|
tcp dport 22 ip saddr @ip-connlimit-ssh counter reject with tcp reset
|
||||||
tcp dport 22 ip6 saddr and ffff:ffff:ffff:ffff:ffff:: @ip6-connlimit-ssh counter reject with tcp reset
|
tcp dport 22 ip6 saddr and ffff:ffff:ffff:ffff:ffff:: @ip6-connlimit-ssh counter reject with tcp reset
|
||||||
@ -63,13 +64,31 @@ table inet filter {
|
|||||||
tcp dport { 22, 80 } synproxy mss 1460 wscale 7 timestamp sack-perm
|
tcp dport { 22, 80 } synproxy mss 1460 wscale 7 timestamp sack-perm
|
||||||
}
|
}
|
||||||
|
|
||||||
|
chain input-new {
|
||||||
|
tcp dport != { 22, 80 } goto graceful-reject
|
||||||
|
tcp dport 22 ip saddr @ip-connlimit-ssh counter reject with tcp reset
|
||||||
|
tcp dport 22 ip6 saddr and ffff:ffff:ffff:ffff:ffff:: @ip6-connlimit-ssh counter reject with tcp reset
|
||||||
|
tcp dport 80 ip saddr @ip-connlimit-main counter reject with tcp reset
|
||||||
|
tcp dport 80 ip6 saddr and ffff:ffff:ffff:ffff:: @ip6-connlimit-main counter reject with tcp reset
|
||||||
|
accept
|
||||||
|
}
|
||||||
|
|
||||||
|
chain input-established {
|
||||||
|
ct mark 0x1 accept
|
||||||
|
tcp dport 22 ip saddr != $ip-allowlist-ssh add @ip-connlimit-ssh { ip saddr ct count over 1 } counter reject with tcp reset
|
||||||
|
tcp dport 22 ip6 saddr != $ip6-allowlist-ssh add @ip6-connlimit-ssh { ip6 saddr and ffff:ffff:ffff:ffff:ffff:: ct count over 1 } counter reject with tcp reset
|
||||||
|
tcp dport 80 add @ip-connlimit-main { ip saddr ct count over 32 } counter reject with tcp reset
|
||||||
|
tcp dport 80 add @ip6-connlimit-main { ip6 saddr and ffff:ffff:ffff:ffff:: ct count over 32 } counter reject with tcp reset
|
||||||
|
ct mark set 0x1 accept
|
||||||
|
}
|
||||||
|
|
||||||
chain input-loopback {
|
chain input-loopback {
|
||||||
tcp flags != syn accept
|
tcp flags != syn accept
|
||||||
tcp dport 22 ip saddr != $ip-allowlist-ssh add @ip-connlimit-ssh { ip saddr ct count over 1 } counter reject with tcp reset
|
tcp dport 22 ip saddr != $ip-allowlist-ssh add @ip-connlimit-ssh { ip saddr ct count over 1 } counter reject with tcp reset
|
||||||
tcp dport 22 ip6 saddr != $ip6-allowlist-ssh add @ip6-connlimit-ssh { ip6 saddr and ffff:ffff:ffff:ffff:ffff:: ct count over 1 } counter reject with tcp reset
|
tcp dport 22 ip6 saddr != $ip6-allowlist-ssh add @ip6-connlimit-ssh { ip6 saddr and ffff:ffff:ffff:ffff:ffff:: ct count over 1 } counter reject with tcp reset
|
||||||
tcp dport 80 add @ip-connlimit-main { ip saddr ct count over 32 } counter reject with tcp reset
|
tcp dport 80 add @ip-connlimit-main { ip saddr ct count over 32 } counter reject with tcp reset
|
||||||
tcp dport 80 add @ip6-connlimit-main { ip6 saddr and ffff:ffff:ffff:ffff:: ct count over 32 } counter reject with tcp reset
|
tcp dport 80 add @ip6-connlimit-main { ip6 saddr and ffff:ffff:ffff:ffff:: ct count over 32 } counter reject with tcp reset
|
||||||
accept
|
ct mark set 0x1 accept
|
||||||
}
|
}
|
||||||
|
|
||||||
chain forward {
|
chain forward {
|
||||||
|
@ -47,7 +47,8 @@ table inet filter {
|
|||||||
fib daddr . iif type != { local, broadcast, multicast } counter drop
|
fib daddr . iif type != { local, broadcast, multicast } counter drop
|
||||||
|
|
||||||
tcp dport 443 notrack accept
|
tcp dport 443 notrack accept
|
||||||
tcp dport { 22, 80 } tcp flags syn notrack accept
|
tcp dport { 22, 80 } tcp flags syn limit rate 1024/second accept
|
||||||
|
tcp dport { 22, 80 } tcp flags syn counter notrack accept
|
||||||
meta l4proto { icmp, ipv6-icmp } notrack accept
|
meta l4proto { icmp, ipv6-icmp } notrack accept
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -58,7 +59,7 @@ table inet filter {
|
|||||||
iif lo goto input-loopback
|
iif lo goto input-loopback
|
||||||
tcp dport 443 accept
|
tcp dport 443 accept
|
||||||
meta l4proto { icmp, ipv6-icmp } accept
|
meta l4proto { icmp, ipv6-icmp } accept
|
||||||
ct state vmap { established : accept, related : accept, new : goto graceful-reject }
|
ct state vmap { new : goto input-new, established : goto input-established, related : accept }
|
||||||
|
|
||||||
tcp dport 22 ip saddr @ip-connlimit-ssh counter reject with tcp reset
|
tcp dport 22 ip saddr @ip-connlimit-ssh counter reject with tcp reset
|
||||||
tcp dport 22 ip6 saddr and ffff:ffff:ffff:ffff:ffff:: @ip6-connlimit-ssh counter reject with tcp reset
|
tcp dport 22 ip6 saddr and ffff:ffff:ffff:ffff:ffff:: @ip6-connlimit-ssh counter reject with tcp reset
|
||||||
@ -67,13 +68,31 @@ table inet filter {
|
|||||||
tcp dport { 22, 80 } synproxy mss 1460 wscale 7 timestamp sack-perm
|
tcp dport { 22, 80 } synproxy mss 1460 wscale 7 timestamp sack-perm
|
||||||
}
|
}
|
||||||
|
|
||||||
|
chain input-new {
|
||||||
|
tcp dport != { 22, 80 } goto graceful-reject
|
||||||
|
tcp dport 22 ip saddr @ip-connlimit-ssh counter reject with tcp reset
|
||||||
|
tcp dport 22 ip6 saddr and ffff:ffff:ffff:ffff:ffff:: @ip6-connlimit-ssh counter reject with tcp reset
|
||||||
|
tcp dport 80 ip saddr @ip-connlimit-main counter reject with tcp reset
|
||||||
|
tcp dport 80 ip6 saddr and ffff:ffff:ffff:ffff:: @ip6-connlimit-main counter reject with tcp reset
|
||||||
|
accept
|
||||||
|
}
|
||||||
|
|
||||||
|
chain input-established {
|
||||||
|
ct mark 0x1 accept
|
||||||
|
tcp dport 22 ip saddr != $ip-allowlist-ssh add @ip-connlimit-ssh { ip saddr ct count over 1 } counter reject with tcp reset
|
||||||
|
tcp dport 22 ip6 saddr != $ip6-allowlist-ssh add @ip6-connlimit-ssh { ip6 saddr and ffff:ffff:ffff:ffff:ffff:: ct count over 1 } counter reject with tcp reset
|
||||||
|
tcp dport 80 add @ip-connlimit-main { ip saddr ct count over 32 } counter reject with tcp reset
|
||||||
|
tcp dport 80 add @ip6-connlimit-main { ip6 saddr and ffff:ffff:ffff:ffff:: ct count over 32 } counter reject with tcp reset
|
||||||
|
ct mark set 0x1 accept
|
||||||
|
}
|
||||||
|
|
||||||
chain input-loopback {
|
chain input-loopback {
|
||||||
tcp flags != syn accept
|
tcp flags != syn accept
|
||||||
tcp dport 22 ip saddr != $ip-allowlist-ssh add @ip-connlimit-ssh { ip saddr ct count over 1 } counter reject with tcp reset
|
tcp dport 22 ip saddr != $ip-allowlist-ssh add @ip-connlimit-ssh { ip saddr ct count over 1 } counter reject with tcp reset
|
||||||
tcp dport 22 ip6 saddr != $ip6-allowlist-ssh add @ip6-connlimit-ssh { ip6 saddr and ffff:ffff:ffff:ffff:ffff:: ct count over 1 } counter reject with tcp reset
|
tcp dport 22 ip6 saddr != $ip6-allowlist-ssh add @ip6-connlimit-ssh { ip6 saddr and ffff:ffff:ffff:ffff:ffff:: ct count over 1 } counter reject with tcp reset
|
||||||
tcp dport 80 add @ip-connlimit-main { ip saddr ct count over 32 } counter reject with tcp reset
|
tcp dport 80 add @ip-connlimit-main { ip saddr ct count over 32 } counter reject with tcp reset
|
||||||
tcp dport 80 add @ip6-connlimit-main { ip6 saddr and ffff:ffff:ffff:ffff:: ct count over 32 } counter reject with tcp reset
|
tcp dport 80 add @ip6-connlimit-main { ip6 saddr and ffff:ffff:ffff:ffff:: ct count over 32 } counter reject with tcp reset
|
||||||
accept
|
ct mark set 0x1 accept
|
||||||
}
|
}
|
||||||
|
|
||||||
chain forward {
|
chain forward {
|
||||||
|
Loading…
Reference in New Issue
Block a user