diff --git a/nftables-attestation.conf b/nftables-attestation.conf
index 712f76e..405302e 100644
--- a/nftables-attestation.conf
+++ b/nftables-attestation.conf
@@ -44,8 +44,10 @@ table inet filter {
         # ordered after accepting loopback to permit using external IPs via loopback
         fib daddr . iif type != { local, broadcast, multicast } counter drop
 
+        # handle new TCP connections beyond rate limit via synproxy to avoid conntrack table exhaustion
         tcp dport { 22, 80, 443 } tcp flags syn limit rate 1024/second burst 128 packets accept
         tcp dport { 22, 80, 443 } tcp flags syn counter notrack accept
+
         meta l4proto { icmp, ipv6-icmp } notrack accept
     }
 
diff --git a/nftables-discuss.conf b/nftables-discuss.conf
index 34d8124..c71ca31 100644
--- a/nftables-discuss.conf
+++ b/nftables-discuss.conf
@@ -44,8 +44,10 @@ table inet filter {
         # ordered after accepting loopback to permit using external IPs via loopback
         fib daddr . iif type != { local, broadcast, multicast } counter drop
 
+        # handle new TCP connections beyond rate limit via synproxy to avoid conntrack table exhaustion
         tcp dport { 22, 80, 443 } tcp flags syn limit rate 1024/second burst 128 packets accept
         tcp dport { 22, 80, 443 } tcp flags syn counter notrack accept
+
         meta l4proto { icmp, ipv6-icmp } notrack accept
     }
 
diff --git a/nftables-mail.conf b/nftables-mail.conf
index 2d4dfb3..57e8c2a 100644
--- a/nftables-mail.conf
+++ b/nftables-mail.conf
@@ -44,8 +44,10 @@ table inet filter {
         # ordered after accepting loopback to permit using external IPs via loopback
         fib daddr . iif type != { local, broadcast, multicast } counter drop
 
+        # handle new TCP connections beyond rate limit via synproxy to avoid conntrack table exhaustion
         tcp dport { 22, 25, 80, 443, 465, 993 } tcp flags syn limit rate 1024/second burst 128 packets accept
         tcp dport { 22, 25, 80, 443, 465, 993 } tcp flags syn counter notrack accept
+
         meta l4proto { icmp, ipv6-icmp } notrack accept
     }
 
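Review bot: The comment added in the nftables-attestation.conf hunk says excess SYNs are handled "via synproxy", but nothing in this hunk applies synproxy — the second rule only does `notrack accept` on SYNs above the limit, so a reader has to guess which chain actually completes the handshake. Note also that `notrack` is a no-op for a packet that already carries a conntrack entry, which is normally the case by the time an input chain at filter priority runs, so whether these SYNs really end up untracked depends on configuration outside the hunk and the comment should point at it. The `limit rate 1024/second burst 128 packets` is a single host-wide bucket, not a per-source cap, which is worth stating since it changes what "beyond rate limit" means under a flood. Something like `# one host-wide SYN budget for these ports; SYNs above it are left untracked so the synproxy chain (<name it>) answers the handshake without creating conntrack entries` would make all three points explicit. The enclosing chain opens before the hunk and the table continues after the closing brace.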
diff --git a/nftables-matrix.conf b/nftables-matrix.conf
index 9b7f897..616eaca 100644
--- a/nftables-matrix.conf
+++ b/nftables-matrix.conf
@@ -44,8 +44,10 @@ table inet filter {
         # ordered after accepting loopback to permit using external IPs via loopback
         fib daddr . iif type != { local, broadcast, multicast } counter drop
 
+        # handle new TCP connections beyond rate limit via synproxy to avoid conntrack table exhaustion
         tcp dport { 22, 80, 443 } tcp flags syn limit rate 1024/second burst 128 packets accept
         tcp dport { 22, 80, 443 } tcp flags syn counter notrack accept
+
         meta l4proto { icmp, ipv6-icmp } notrack accept
     }
 
diff --git a/nftables-network.conf b/nftables-network.conf
index 3037651..6b4b6b1 100644
--- a/nftables-network.conf
+++ b/nftables-network.conf
@@ -46,8 +46,10 @@ table inet filter {
         # ordered after accepting loopback to permit using external IPs via loopback
         fib daddr . iif type != { local, broadcast, multicast } counter drop
 
+        # handle new TCP connections beyond rate limit via synproxy to avoid conntrack table exhaustion
         tcp dport { 22, 80, 443, 7275 } tcp flags syn limit rate 1024/second burst 128 packets accept
         tcp dport { 22, 80, 443, 7275 } tcp flags syn counter notrack accept
+
         udp dport 123 notrack accept
         meta l4proto { icmp, ipv6-icmp } notrack accept
     }
diff --git a/nftables-ns1.conf b/nftables-ns1.conf
index 369db40..5949099 100644
--- a/nftables-ns1.conf
+++ b/nftables-ns1.conf
@@ -45,8 +45,11 @@ table inet filter {
         fib daddr . iif type != { local, broadcast, multicast } counter drop
 
         udp dport 53 notrack accept
+
+        # handle new TCP connections beyond rate limit via synproxy to avoid conntrack table exhaustion
         tcp dport { 22, 53, 80, 443, 853 } tcp flags syn limit rate 1024/second burst 128 packets accept
         tcp dport { 22, 53, 80, 443, 853 } tcp flags syn counter notrack accept
+
         meta l4proto { icmp, ipv6-icmp } notrack accept
     }
 
diff --git a/nftables-ns2.conf b/nftables-ns2.conf
index d6f6579..1030516 100644
--- a/nftables-ns2.conf
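Review bot: In the nftables-network.conf hunk the new comment describes the two rules as handling "new TCP connections", but `tcp flags syn` on the lines below matches any segment with the SYN bit set, SYN+ACK included, so the limit and the untracking also apply to unsolicited SYN+ACKs aimed at 22, 80, 443 or 7275 unless an earlier rule outside the hunk has already disposed of them. If only initial SYNs are intended, `tcp flags & (syn | ack) == syn` on both rules states that precisely and keeps the comment honest. The blank line added before `udp dport 123 notrack accept` is fine, but since NTP and ICMP are also untracked and entirely unlimited here, one line such as `# UDP/ICMP stay untracked with no rate limit; only TCP SYNs are budgeted` would stop a reader assuming the limit covers them. The enclosing chain begins before the hunk and the table continues after the closing brace.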
+++ b/nftables-ns2.conf
@@ -50,8 +50,11 @@ table inet filter {
         tcp dport 22 ip daddr 198.251.90.93 reject with tcp reset
 
         udp dport 53 notrack accept
+
+        # handle new TCP connections beyond rate limit via synproxy to avoid conntrack table exhaustion
         tcp dport { 22, 53, 80, 443, 853 } tcp flags syn limit rate 1024/second burst 128 packets accept
         tcp dport { 22, 53, 80, 443, 853 } tcp flags syn counter notrack accept
+
         meta l4proto { icmp, ipv6-icmp } notrack accept
     }
 
diff --git a/nftables-social.conf b/nftables-social.conf
index f33770b..65cb180 100644
--- a/nftables-social.conf
+++ b/nftables-social.conf
@@ -44,8 +44,10 @@ table inet filter {
         # ordered after accepting loopback to permit using external IPs via loopback
         fib daddr . iif type != { local, broadcast, multicast } counter drop
 
+        # handle new TCP connections beyond rate limit via synproxy to avoid conntrack table exhaustion
         tcp dport { 22, 80, 443 } tcp flags syn limit rate 1024/second burst 128 packets accept
         tcp dport { 22, 80, 443 } tcp flags syn counter notrack accept
+
         meta l4proto { icmp, ipv6-icmp } notrack accept
     }
 
diff --git a/nftables-web.conf b/nftables-web.conf
index d3fc294..a7e2f75 100644
--- a/nftables-web.conf
+++ b/nftables-web.conf
@@ -48,8 +48,10 @@ table inet filter {
         # ordered after accepting loopback to permit using external IPs via loopback
         fib daddr . iif type != { local, broadcast, multicast } counter drop
 
+        # handle new TCP connections beyond rate limit via synproxy to avoid conntrack table exhaustion
         tcp dport { 22, 80, 443 } tcp flags syn limit rate 1024/second burst 128 packets accept
         tcp dport { 22, 80, 443 } tcp flags syn counter notrack accept
+
         meta l4proto { icmp, ipv6-icmp } notrack accept
     }
 
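Review bot: In the nftables-ns2.conf hunk the one `limit rate 1024/second burst 128 packets` bucket is shared by TCP 53 and 853 with 22, 80 and 443, so a SYN flood against HTTPS also pushes DNS-over-TCP and DNS-over-TLS handshakes onto the untracked path, and the added comment should say the budget is shared across all listed ports rather than leaving it to be discovered while debugging slow TCP fallback. A wording such as `# single SYN budget shared by every port below (DNS over TCP/TLS included); excess SYNs are left untracked for synproxy` captures that. `udp dport 53 notrack accept` immediately above remains untracked and unlimited, which matches the comment only claiming the TCP path, though it would be worth saying so in the same place. The reject-with-reset for 22 on 198.251.90.93 is unchanged context; the enclosing chain opens before the hunk and the table continues past the closing brace.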