diff --git a/nftables-attestation.conf b/nftables-attestation.conf
index cd83df7..fa828f0 100644
--- a/nftables-attestation.conf
+++ b/nftables-attestation.conf
@@ -55,8 +55,14 @@ table inet filter {
 type filter hook input priority filter
 policy drop
- iif lo goto input-loopback
+ tcp dport { 22, 80, 443 } goto input-tcp-service
+ iif lo accept
 meta l4proto { icmp, ipv6-icmp } accept
+ ct state vmap { new : goto graceful-reject, established : accept, related : accept }
+ }
+
+ chain input-tcp-service {
+ iif lo goto input-loopback
 # for synproxy, SYN is untracked and first ACK is invalid which are handled via fallthrough
 ct state vmap { new : goto input-new, established : goto input-established, related : accept }
@@ -65,12 +71,10 @@ table inet filter {
 tcp dport 22 ip6 saddr and ffff:ffff:ffff:ffff:ffff:: @ip6-connlimit-ssh counter reject with tcp reset
 tcp dport { 80, 443 } ip saddr @ip-connlimit-main counter reject with tcp reset
 tcp dport { 80, 443 } ip6 saddr and ffff:ffff:ffff:ffff:: @ip6-connlimit-main counter reject with tcp reset
- tcp dport { 22, 80, 443 } synproxy mss 1460 wscale 7 timestamp sack-perm
+ synproxy mss 1460 wscale 7 timestamp sack-perm
 }
 
 chain input-new {
- meta l4proto != tcp goto graceful-reject
- tcp dport != { 22, 80, 443 } goto graceful-reject
 tcp dport 22 ip saddr @ip-connlimit-ssh counter reject with tcp reset
 tcp dport 22 ip6 saddr and ffff:ffff:ffff:ffff:ffff:: @ip6-connlimit-ssh counter reject with tcp reset
 tcp dport { 80, 443 } ip saddr @ip-connlimit-main counter reject with tcp reset
@@ -79,8 +83,6 @@ table inet filter {
 }
 
 chain input-established {
- meta l4proto != tcp accept
- tcp dport != { 22, 80, 443 } accept
 ct mark 0x1 accept
 tcp dport 22 ip saddr != $ip-allowlist-ssh add @ip-connlimit-ssh { ip saddr ct count over 1 } counter reject with tcp reset
 tcp dport 22 ip6 saddr != $ip6-allowlist-ssh add @ip6-connlimit-ssh { ip6 saddr and ffff:ffff:ffff:ffff:ffff:: ct count over 1 } counter reject with tcp reset
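Review bot: The `input-new`, `input-established` and `input-loopback` chains now depend on an invariant that only the first rule of `input` enforces — that they are entered exclusively for TCP to the listed service ports — and the `synproxy` rule made unconditional in the `@@ -65,12 +71,10 @@` hunk depends on the same thing, yet nothing at the chain definition records it now that the `meta l4proto != tcp` / `tcp dport != { … }` guards are gone. A one-line comment on the new chain header would protect against a later `goto`/`jump` from elsewhere silently widening what reaches synproxy and the connlimit sets: `chain input-tcp-service { # entered only from input for TCP to the service ports; every rule below assumes that`. The service-port set is also still spelled out separately in the `input` dispatch and, minus port 22, in the `@ip-connlimit-main` rules, so a `define tcp-service-ports = { 22, 80, 443 }` used as `tcp dport $tcp-service-ports goto input-tcp-service` would keep the copies from drifting, which fits the `$ip-allowlist-ssh` style the files already use. The same applies to the matching hunks in nftables-discuss.conf, nftables-mail.conf, nftables-matrix.conf, nftables-network.conf, nftables-ns1.conf, nftables-ns2.conf, nftables-social.conf and nftables-web.conf.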
@@ -90,8 +92,6 @@ table inet filter {
 }
 
 chain input-loopback {
- meta l4proto != tcp accept
- tcp dport != { 22, 80, 443 } accept
 tcp flags != syn accept
 tcp dport 22 ip saddr != $ip-allowlist-ssh add @ip-connlimit-ssh { ip saddr ct count over 1 } counter reject with tcp reset
 tcp dport 22 ip6 saddr != $ip6-allowlist-ssh add @ip6-connlimit-ssh { ip6 saddr and ffff:ffff:ffff:ffff:ffff:: ct count over 1 } counter reject with tcp reset
diff --git a/nftables-discuss.conf b/nftables-discuss.conf
index a449097..3c2e248 100644
--- a/nftables-discuss.conf
+++ b/nftables-discuss.conf
@@ -55,8 +55,14 @@ table inet filter {
 type filter hook input priority filter
 policy drop
- iif lo goto input-loopback
+ tcp dport { 22, 80, 443 } goto input-tcp-service
+ iif lo accept
 meta l4proto { icmp, ipv6-icmp } accept
+ ct state vmap { new : goto graceful-reject, established : accept, related : accept }
+ }
+
+ chain input-tcp-service {
+ iif lo goto input-loopback
 # for synproxy, SYN is untracked and first ACK is invalid which are handled via fallthrough
 ct state vmap { new : goto input-new, established : goto input-established, related : accept }
@@ -65,12 +71,10 @@ table inet filter {
 tcp dport 22 ip6 saddr and ffff:ffff:ffff:ffff:ffff:: @ip6-connlimit-ssh counter reject with tcp reset
 tcp dport { 80, 443 } ip saddr @ip-connlimit-main counter reject with tcp reset
 tcp dport { 80, 443 } ip6 saddr and ffff:ffff:ffff:ffff:: @ip6-connlimit-main counter reject with tcp reset
- tcp dport { 22, 80, 443 } synproxy mss 1460 wscale 7 timestamp sack-perm
+ synproxy mss 1460 wscale 7 timestamp sack-perm
 }
 
 chain input-new {
- meta l4proto != tcp goto graceful-reject
- tcp dport != { 22, 80, 443 } goto graceful-reject
 tcp dport 22 ip saddr @ip-connlimit-ssh counter reject with tcp reset
 tcp dport 22 ip6 saddr and ffff:ffff:ffff:ffff:ffff:: @ip6-connlimit-ssh counter reject with tcp reset
 tcp dport { 80, 443 } ip saddr @ip-connlimit-main counter reject with tcp reset
@@ -79,8 +83,6 @@ table inet filter {
 }
 
 chain input-established {
- meta l4proto != tcp accept
- tcp dport != { 22, 80, 443 } accept
 ct mark 0x1 accept
 tcp dport 22 ip saddr != $ip-allowlist-ssh add @ip-connlimit-ssh { ip saddr ct count over 1 } counter reject with tcp reset
 tcp dport 22 ip6 saddr != $ip6-allowlist-ssh add @ip6-connlimit-ssh { ip6 saddr and ffff:ffff:ffff:ffff:ffff:: ct count over 1 } counter reject with tcp reset
@@ -79,8 +83,6 @@ table inet filter { } chain input-established { - meta l4proto != tcp accept - tcp dport != { 22, 80, 443 } accept ct mark 0x1 accept tcp dport 22 ip saddr != $ip-allowlist-ssh add @ip-connlimit-ssh { ip saddr ct count over 1 } counter reject with tcp reset tcp dport 22 ip6 saddr != $ip6-allowlist-ssh add @ip6-connlimit-ssh { ip6 saddr and ffff:ffff:ffff:ffff:ffff:: ct count over 1 } counter reject with tcp reset @@ -90,8 +92,6 @@ table inet filter { } chain input-loopback { - meta l4proto != tcp accept - tcp dport != { 22, 80, 443 } accept tcp flags != syn accept tcp dport 22 ip saddr != $ip-allowlist-ssh add @ip-connlimit-ssh { ip saddr ct count over 1 } counter reject with tcp reset tcp dport 22 ip6 saddr != $ip6-allowlist-ssh add @ip6-connlimit-ssh { ip6 saddr and ffff:ffff:ffff:ffff:ffff:: ct count over 1 } counter reject with tcp reset diff --git a/nftables-mail.conf b/nftables-mail.conf index 8277c02..0722cb8 100644 --- a/nftables-mail.conf +++ b/nftables-mail.conf @@ -55,8 +55,14 @@ table inet filter { type filter hook input priority filter policy drop - iif lo goto input-loopback + tcp dport { 22, 25, 80, 443, 465, 993 } goto input-tcp-service + iif lo accept meta l4proto { icmp, ipv6-icmp } accept + ct state vmap { new : goto graceful-reject, established : accept, related : accept } + } + + chain input-tcp-service { + iif lo goto input-loopback # for synproxy, SYN is untracked and first ACK is invalid which are handled via fallthrough ct state vmap { new : goto input-new, established : goto input-established, related : accept } 
@@ -65,12 +71,10 @@ table inet filter {
 tcp dport 22 ip6 saddr and ffff:ffff:ffff:ffff:ffff:: @ip6-connlimit-ssh counter reject with tcp reset
 tcp dport { 25, 80, 443, 465, 993 } ip saddr @ip-connlimit-main counter reject with tcp reset
 tcp dport { 25, 80, 443, 465, 993 } ip6 saddr and ffff:ffff:ffff:ffff:: @ip6-connlimit-main counter reject with tcp reset
- tcp dport { 22, 25, 80, 443, 465, 993 } synproxy mss 1460 wscale 7 timestamp sack-perm
+ synproxy mss 1460 wscale 7 timestamp sack-perm
 }
 
 chain input-new {
- meta l4proto != tcp goto graceful-reject
- tcp dport != { 22, 25, 80, 443, 465, 993 } goto graceful-reject
 tcp dport 22 ip saddr @ip-connlimit-ssh counter reject with tcp reset
 tcp dport 22 ip6 saddr and ffff:ffff:ffff:ffff:ffff:: @ip6-connlimit-ssh counter reject with tcp reset
 tcp dport { 25, 80, 443, 465, 993 } ip saddr @ip-connlimit-main counter reject with tcp reset
@@ -79,8 +83,6 @@ table inet filter {
 }
 
 chain input-established {
- meta l4proto != tcp accept
- tcp dport != { 22, 25, 80, 443, 465, 993 } accept
 ct mark 0x1 accept
 tcp dport 22 ip saddr != $ip-allowlist-ssh add @ip-connlimit-ssh { ip saddr ct count over 1 } counter reject with tcp reset
 tcp dport 22 ip6 saddr != $ip6-allowlist-ssh add @ip6-connlimit-ssh { ip6 saddr and ffff:ffff:ffff:ffff:ffff:: ct count over 1 } counter reject with tcp reset
@@ -90,8 +92,6 @@ table inet filter {
 }
 
 chain input-loopback {
- meta l4proto != tcp accept
- tcp dport != { 22, 25, 80, 443, 465, 993 } accept
 tcp flags != syn accept
 tcp dport 22 ip saddr != $ip-allowlist-ssh add @ip-connlimit-ssh { ip saddr ct count over 1 } counter reject with tcp reset
 tcp dport 22 ip6 saddr != $ip6-allowlist-ssh add @ip6-connlimit-ssh { ip6 saddr and ffff:ffff:ffff:ffff:ffff:: ct count over 1 } counter reject with tcp reset
diff --git a/nftables-matrix.conf b/nftables-matrix.conf
index 1bdbc1f..3664400 100644
--- a/nftables-matrix.conf
+++ b/nftables-matrix.conf
@@ -55,8 +55,14 @@ table inet filter {
 type filter hook input priority filter
 policy drop
- iif lo goto input-loopback
+ tcp dport { 22, 80, 443 } goto input-tcp-service
+ iif lo accept
 meta l4proto { icmp, ipv6-icmp } accept
+ ct state vmap { new : goto graceful-reject, established : accept, related : accept }
+ }
+
+ chain input-tcp-service {
+ iif lo goto input-loopback
 # for synproxy, SYN is untracked and first ACK is invalid which are handled via fallthrough
 ct state vmap { new : goto input-new, established : goto input-established, related : accept }
@@ -65,12 +71,10 @@ table inet filter {
 tcp dport 22 ip6 saddr and ffff:ffff:ffff:ffff:ffff:: @ip6-connlimit-ssh counter reject with tcp reset
 tcp dport { 80, 443 } ip saddr @ip-connlimit-main counter reject with tcp reset
 tcp dport { 80, 443 } ip6 saddr and ffff:ffff:ffff:ffff:: @ip6-connlimit-main counter reject with tcp reset
- tcp dport { 22, 80, 443 } synproxy mss 1460 wscale 7 timestamp sack-perm
+ synproxy mss 1460 wscale 7 timestamp sack-perm
 }
 
 chain input-new {
- meta l4proto != tcp goto graceful-reject
- tcp dport != { 22, 80, 443 } goto graceful-reject
 tcp dport 22 ip saddr @ip-connlimit-ssh counter reject with tcp reset
 tcp dport 22 ip6 saddr and ffff:ffff:ffff:ffff:ffff:: @ip6-connlimit-ssh counter reject with tcp reset
 tcp dport { 80, 443 } ip saddr @ip-connlimit-main counter reject with tcp reset
@@ -79,8 +83,6 @@ table inet filter {
 }
 
 chain input-established {
- meta l4proto != tcp accept
- tcp dport != { 22, 80, 443 } accept
 ct mark 0x1 accept
 tcp dport 22 ip saddr != $ip-allowlist-ssh add @ip-connlimit-ssh { ip saddr ct count over 1 } counter reject with tcp reset
 tcp dport 22 ip6 saddr != $ip6-allowlist-ssh add @ip6-connlimit-ssh { ip6 saddr and ffff:ffff:ffff:ffff:ffff:: ct count over 1 } counter reject with tcp reset
@@ -90,8 +92,6 @@ table inet filter {
 }
 
 chain input-loopback {
- meta l4proto != tcp accept
- tcp dport != { 22, 80, 443 } accept
 tcp flags != syn accept
 tcp dport 22 ip saddr != $ip-allowlist-ssh add @ip-connlimit-ssh { ip saddr ct count over 1 } counter reject with tcp reset
 tcp dport 22 ip6 saddr != $ip6-allowlist-ssh add @ip6-connlimit-ssh { ip6 saddr and ffff:ffff:ffff:ffff:ffff:: ct count over 1 } counter reject with tcp reset
diff --git a/nftables-network.conf b/nftables-network.conf
index 57ce349..bd3b595 100644
--- a/nftables-network.conf
+++ b/nftables-network.conf
@@ -58,9 +58,15 @@ table inet filter {
 type filter hook input priority filter
 policy drop
- iif lo goto input-loopback
+ tcp dport { 22, 80, 443, 7275 } goto input-tcp-service
+ iif lo accept
 udp dport 123 accept
 meta l4proto { icmp, ipv6-icmp } accept
+ ct state vmap { new : goto graceful-reject, established : accept, related : accept }
+ }
+
+ chain input-tcp-service {
+ iif lo goto input-loopback
 # for synproxy, SYN is untracked and first ACK is invalid which are handled via fallthrough
 ct state vmap { new : goto input-new, established : goto input-established, related : accept }
@@ -69,12 +75,10 @@ table inet filter {
 tcp dport 22 ip6 saddr and ffff:ffff:ffff:ffff:ffff:: @ip6-connlimit-ssh counter reject with tcp reset
 tcp dport { 80, 443, 7275 } ip saddr @ip-connlimit-main counter reject with tcp reset
 tcp dport { 80, 443, 7275 } ip6 saddr and ffff:ffff:ffff:ffff:: @ip6-connlimit-main counter reject with tcp reset
- tcp dport { 22, 80, 443, 7275 } synproxy mss 1460 wscale 7 timestamp sack-perm
+ synproxy mss 1460 wscale 7 timestamp sack-perm
 }
 
 chain input-new {
- meta l4proto != tcp goto graceful-reject
- tcp dport != { 22, 80, 443, 7275 } goto graceful-reject
 tcp dport 22 ip saddr @ip-connlimit-ssh counter reject with tcp reset
 tcp dport 22 ip6 saddr and ffff:ffff:ffff:ffff:ffff:: @ip6-connlimit-ssh counter reject with tcp reset
 tcp dport { 80, 443, 7275 } ip saddr @ip-connlimit-main counter reject with tcp reset
@@ -83,8 +87,6 @@ table inet filter {
 }
 
 chain input-established {
- meta l4proto != tcp accept
- tcp dport != { 22, 80, 443, 7275 } accept
 ct mark 0x1 accept
 tcp dport 22 ip saddr != $ip-allowlist-ssh add @ip-connlimit-ssh { ip saddr ct count over 1 } counter reject with tcp reset
 tcp dport 22 ip6 saddr != $ip6-allowlist-ssh add @ip6-connlimit-ssh { ip6 saddr and ffff:ffff:ffff:ffff:ffff:: ct count over 1 } counter reject with tcp reset
@@ -94,8 +96,6 @@ table inet filter {
 }
 
 chain input-loopback {
- meta l4proto != tcp accept
- tcp dport != { 22, 80, 443, 7275 } accept
 tcp flags != syn accept
 tcp dport 22 ip saddr != $ip-allowlist-ssh add @ip-connlimit-ssh { ip saddr ct count over 1 } counter reject with tcp reset
 tcp dport 22 ip6 saddr != $ip6-allowlist-ssh add @ip6-connlimit-ssh { ip6 saddr and ffff:ffff:ffff:ffff:ffff:: ct count over 1 } counter reject with tcp reset
diff --git a/nftables-ns1.conf b/nftables-ns1.conf
index fe1f439..b434f21 100644
--- a/nftables-ns1.conf
+++ b/nftables-ns1.conf
@@ -57,9 +57,15 @@ table inet filter {
 type filter hook input priority filter
 policy drop
- iif lo goto input-loopback
+ tcp dport { 22, 53, 80, 443, 853 } goto input-tcp-service
+ iif lo accept
 udp dport 53 accept
 meta l4proto { icmp, ipv6-icmp } accept
+ ct state vmap { new : goto graceful-reject, established : accept, related : accept }
+ }
+
+ chain input-tcp-service {
+ iif lo goto input-loopback
 # for synproxy, SYN is untracked and first ACK is invalid which are handled via fallthrough
 ct state vmap { new : goto input-new, established : goto input-established, related : accept }
@@ -68,12 +74,10 @@ table inet filter {
 tcp dport 22 ip6 saddr and ffff:ffff:ffff:ffff:ffff:: @ip6-connlimit-ssh counter reject with tcp reset
 tcp dport { 53, 80, 443, 853 } ip saddr @ip-connlimit-main counter reject with tcp reset
 tcp dport { 53, 80, 443, 853 } ip6 saddr and ffff:ffff:ffff:ffff:: @ip6-connlimit-main counter reject with tcp reset
- tcp dport { 22, 53, 80, 443, 853 } synproxy mss 1460 wscale 7 timestamp sack-perm
+ synproxy mss 1460 wscale 7 timestamp sack-perm
 }
 
 chain input-new {
- meta l4proto != tcp goto graceful-reject
- tcp dport != { 22, 53, 80, 443, 853 } goto graceful-reject
 tcp dport 22 ip saddr @ip-connlimit-ssh counter reject with tcp reset
 tcp dport 22 ip6 saddr and ffff:ffff:ffff:ffff:ffff:: @ip6-connlimit-ssh counter reject with tcp reset
 tcp dport { 53, 80, 443, 853 } ip saddr @ip-connlimit-main counter reject with tcp reset
@@ -82,8 +86,6 @@ table inet filter {
 }
 
 chain input-established {
- meta l4proto != tcp accept
- tcp dport != { 22, 53, 80, 443, 853 } accept
 ct mark 0x1 accept
 tcp dport 22 ip saddr != $ip-allowlist-ssh add @ip-connlimit-ssh { ip saddr ct count over 1 } counter reject with tcp reset
 tcp dport 22 ip6 saddr != $ip6-allowlist-ssh add @ip6-connlimit-ssh { ip6 saddr and ffff:ffff:ffff:ffff:ffff:: ct count over 1 } counter reject with tcp reset
@@ -93,8 +95,6 @@ table inet filter {
 }
 
 chain input-loopback {
- meta l4proto != tcp accept
- tcp dport != { 22, 53, 80, 443, 853 } accept
 tcp flags != syn accept
 tcp dport 22 ip saddr != $ip-allowlist-ssh add @ip-connlimit-ssh { ip saddr ct count over 1 } counter reject with tcp reset
 tcp dport 22 ip6 saddr != $ip6-allowlist-ssh add @ip6-connlimit-ssh { ip6 saddr and ffff:ffff:ffff:ffff:ffff:: ct count over 1 } counter reject with tcp reset
diff --git a/nftables-ns2.conf b/nftables-ns2.conf
index e84820b..448db7e 100644
--- a/nftables-ns2.conf
+++ b/nftables-ns2.conf
@@ -62,9 +62,15 @@ table inet filter {
 type filter hook input priority filter
 policy drop
- iif lo goto input-loopback
+ tcp dport { 22, 53, 80, 443, 853 } goto input-tcp-service
+ iif lo accept
 udp dport 53 accept
 meta l4proto { icmp, ipv6-icmp } accept
+ ct state vmap { new : goto graceful-reject, established : accept, related : accept }
+ }
+
+ chain input-tcp-service {
+ iif lo goto input-loopback
 # for synproxy, SYN is untracked and first ACK is invalid which are handled via fallthrough
 ct state vmap { new : goto input-new, established : goto input-established, related : accept }
@@ -73,12 +79,10 @@ table inet filter {
 tcp dport 22 ip6 saddr and ffff:ffff:ffff:ffff:ffff:: @ip6-connlimit-ssh counter reject with tcp reset
 tcp dport { 53, 80, 443, 853 } ip saddr @ip-connlimit-main counter reject with tcp reset
 tcp dport { 53, 80, 443, 853 } ip6 saddr and ffff:ffff:ffff:ffff:: @ip6-connlimit-main counter reject with tcp reset
- tcp dport { 22, 53, 80, 443, 853 } synproxy mss 1460 wscale 7 timestamp sack-perm
+ synproxy mss 1460 wscale 7 timestamp sack-perm
 }
 
 chain input-new {
- meta l4proto != tcp goto graceful-reject
- tcp dport != { 22, 53, 80, 443, 853 } goto graceful-reject
 tcp dport 22 ip saddr @ip-connlimit-ssh counter reject with tcp reset
 tcp dport 22 ip6 saddr and ffff:ffff:ffff:ffff:ffff:: @ip6-connlimit-ssh counter reject with tcp reset
 tcp dport { 53, 80, 443, 853 } ip saddr @ip-connlimit-main counter reject with tcp reset
@@ -87,8 +91,6 @@ table inet filter {
 }
 
 chain input-established {
- meta l4proto != tcp accept
- tcp dport != { 22, 53, 80, 443, 853 } accept
 ct mark 0x1 accept
 tcp dport 22 ip saddr != $ip-allowlist-ssh add @ip-connlimit-ssh { ip saddr ct count over 1 } counter reject with tcp reset
 tcp dport 22 ip6 saddr != $ip6-allowlist-ssh add @ip6-connlimit-ssh { ip6 saddr and ffff:ffff:ffff:ffff:ffff:: ct count over 1 } counter reject with tcp reset
@@ -98,8 +100,6 @@ table inet filter {
 }
 
 chain input-loopback {
- meta l4proto != tcp accept
- tcp dport != { 22, 53, 80, 443, 853 } accept
 tcp flags != syn accept
 tcp dport 22 ip saddr != $ip-allowlist-ssh add @ip-connlimit-ssh { ip saddr ct count over 1 } counter reject with tcp reset
 tcp dport 22 ip6 saddr != $ip6-allowlist-ssh add @ip6-connlimit-ssh { ip6 saddr and ffff:ffff:ffff:ffff:ffff:: ct count over 1 } counter reject with tcp reset
diff --git a/nftables-social.conf b/nftables-social.conf
index 23ceac2..234e9e3 100644
--- a/nftables-social.conf
+++ b/nftables-social.conf
@@ -55,8 +55,14 @@ table inet filter {
 type filter hook input priority filter
 policy drop
- iif lo goto input-loopback
+ tcp dport { 22, 80, 443 } goto input-tcp-service
+ iif lo accept
 meta l4proto { icmp, ipv6-icmp } accept
+ ct state vmap { new : goto graceful-reject, established : accept, related : accept }
+ }
+
+ chain input-tcp-service {
+ iif lo goto input-loopback
 # for synproxy, SYN is untracked and first ACK is invalid which are handled via fallthrough
 ct state vmap { new : goto input-new, established : goto input-established, related : accept }
@@ -65,12 +71,10 @@ table inet filter {
 tcp dport 22 ip6 saddr and ffff:ffff:ffff:ffff:ffff:: @ip6-connlimit-ssh counter reject with tcp reset
 tcp dport { 80, 443 } ip saddr @ip-connlimit-main counter reject with tcp reset
 tcp dport { 80, 443 } ip6 saddr and ffff:ffff:ffff:ffff:: @ip6-connlimit-main counter reject with tcp reset
- tcp dport { 22, 80, 443 } synproxy mss 1460 wscale 7 timestamp sack-perm
+ synproxy mss 1460 wscale 7 timestamp sack-perm
 }
 
 chain input-new {
- meta l4proto != tcp goto graceful-reject
- tcp dport != { 22, 80, 443 } goto graceful-reject
 tcp dport 22 ip saddr @ip-connlimit-ssh counter reject with tcp reset
 tcp dport 22 ip6 saddr and ffff:ffff:ffff:ffff:ffff:: @ip6-connlimit-ssh counter reject with tcp reset
 tcp dport { 80, 443 } ip saddr @ip-connlimit-main counter reject with tcp reset
@@ -79,8 +83,6 @@ table inet filter {
 }
 
 chain input-established {
- meta l4proto != tcp accept
- tcp dport != { 22, 80, 443 } accept
 ct mark 0x1 accept
 tcp dport 22 ip saddr != $ip-allowlist-ssh add @ip-connlimit-ssh { ip saddr ct count over 1 } counter reject with tcp reset
 tcp dport 22 ip6 saddr != $ip6-allowlist-ssh add @ip6-connlimit-ssh { ip6 saddr and ffff:ffff:ffff:ffff:ffff:: ct count over 1 } counter reject with tcp reset
@@ -90,8 +92,6 @@ table inet filter {
 }
 
 chain input-loopback {
- meta l4proto != tcp accept
- tcp dport != { 22, 80, 443 } accept
 tcp flags != syn accept
 tcp dport 22 ip saddr != $ip-allowlist-ssh add @ip-connlimit-ssh { ip saddr ct count over 1 } counter reject with tcp reset
 tcp dport 22 ip6 saddr != $ip6-allowlist-ssh add @ip6-connlimit-ssh { ip6 saddr and ffff:ffff:ffff:ffff:ffff:: ct count over 1 } counter reject with tcp reset
diff --git a/nftables-web.conf b/nftables-web.conf
index bcd5428..815f165 100644
--- a/nftables-web.conf
+++ b/nftables-web.conf
@@ -59,8 +59,14 @@ table inet filter {
 type filter hook input priority filter
 policy drop
- iif lo goto input-loopback
+ tcp dport { 22, 80, 443 } goto input-tcp-service
+ iif lo accept
 meta l4proto { icmp, ipv6-icmp } accept
+ ct state vmap { new : goto graceful-reject, established : accept, related : accept }
+ }
+
+ chain input-tcp-service {
+ iif lo goto input-loopback
 # for synproxy, SYN is untracked and first ACK is invalid which are handled via fallthrough
 ct state vmap { new : goto input-new, established : goto input-established, related : accept }
@@ -69,12 +75,10 @@ table inet filter {
 tcp dport 22 ip6 saddr and ffff:ffff:ffff:ffff:ffff:: @ip6-connlimit-ssh counter reject with tcp reset
 tcp dport { 80, 443 } ip saddr @ip-connlimit-main counter reject with tcp reset
 tcp dport { 80, 443 } ip6 saddr and ffff:ffff:ffff:ffff:: @ip6-connlimit-main counter reject with tcp reset
- tcp dport { 22, 80, 443 } synproxy mss 1460 wscale 7 timestamp sack-perm
+ synproxy mss 1460 wscale 7 timestamp sack-perm
 }
 
 chain input-new {
- meta l4proto != tcp goto graceful-reject
- tcp dport != { 22, 80, 443 } goto graceful-reject
 tcp dport 22 ip saddr @ip-connlimit-ssh counter reject with tcp reset
 tcp dport 22 ip6 saddr and ffff:ffff:ffff:ffff:ffff:: @ip6-connlimit-ssh counter reject with tcp reset
 tcp dport { 80, 443 } ip saddr @ip-connlimit-main counter reject with tcp reset
@@ -83,8 +87,6 @@ table inet filter {
 }
 
 chain input-established {
- meta l4proto != tcp accept
- tcp dport != { 22, 80, 443 } accept
 ct mark 0x1 accept
 tcp dport 22 ip saddr != $ip-allowlist-ssh add @ip-connlimit-ssh { ip saddr ct count over 1 } counter reject with tcp reset
 tcp dport 22 ip6 saddr != $ip6-allowlist-ssh add @ip6-connlimit-ssh { ip6 saddr and ffff:ffff:ffff:ffff:ffff:: ct count over 1 } counter reject with tcp reset
@@ -94,8 +96,6 @@ table inet filter {
 }
 
 chain input-loopback {
- meta l4proto != tcp accept
- tcp dport != { 22, 80, 443 } accept
 tcp flags != syn accept
 tcp dport 22 ip saddr != $ip-allowlist-ssh add @ip-connlimit-ssh { ip saddr ct count over 1 } counter reject with tcp reset
 tcp dport 22 ip6 saddr != $ip6-allowlist-ssh add @ip6-connlimit-ssh { ip6 saddr and ffff:ffff:ffff:ffff:ffff:: ct count over 1 } counter reject with tcp reset