mirror of
https://github.com/GrapheneOS/infrastructure.git
synced 2025-12-15 08:29:00 -05:00
nftables: move listening ports to constants
This commit is contained in:
Daniel Micay
parent
d923bc7e24
commit
78bd96f4ae
10 changed files with 139 additions and 106 deletions
|
|
@ -3,6 +3,9 @@
|
|||
flush ruleset
|
||||
|
||||
table inet filter {
|
||||
define tcp-ports = { 80, 443 }
|
||||
define tcp-ports-full = { 22, $tcp-ports }
|
||||
|
||||
define ip-allowlist-ssh = {
|
||||
{{ssh_ipv4}},
|
||||
}
|
||||
|
|
@ -46,7 +49,7 @@ table inet filter {
|
|||
fib daddr . iif type != { local, broadcast, multicast } counter drop
|
||||
|
||||
# handle new TCP connections beyond rate limit via synproxy to avoid conntrack table exhaustion
|
||||
tcp dport { 22, 80, 443 } tcp flags syn limit rate over {{synproxy_threshold}}/second burst {{synproxy_threshold}} packets counter notrack accept
|
||||
tcp dport $tcp-ports-full tcp flags syn limit rate over {{synproxy_threshold}}/second burst {{synproxy_threshold}} packets counter notrack accept
|
||||
|
||||
meta l4proto { tcp, udp } accept
|
||||
icmp type { echo-reply, destination-unreachable, echo-request, time-exceeded, parameter-problem } notrack accept
|
||||
|
|
@ -60,7 +63,7 @@ table inet filter {
|
|||
ip dscp set cs0
|
||||
ip6 dscp set cs0
|
||||
|
||||
tcp dport { 22, 80, 443 } goto input-tcp-service
|
||||
tcp dport $tcp-ports-full goto input-tcp-service
|
||||
ct state vmap { invalid : drop, established : accept, related : accept, new : drop, untracked: accept }
|
||||
}
|
||||
|
||||
|
|
@ -72,16 +75,16 @@ table inet filter {
|
|||
|
||||
tcp dport 22 ip saddr @ip-connlimit-ssh counter reject with tcp reset
|
||||
tcp dport 22 ip6 saddr and ffff:ffff:ffff:ffff:: @ip6-connlimit-ssh counter reject with tcp reset
|
||||
tcp dport { 80, 443 } ip saddr @ip-connlimit-main counter reject with tcp reset
|
||||
tcp dport { 80, 443 } ip6 saddr and ffff:ffff:ffff:ffff:: @ip6-connlimit-main counter reject with tcp reset
|
||||
tcp dport $tcp-ports ip saddr @ip-connlimit-main counter reject with tcp reset
|
||||
tcp dport $tcp-ports ip6 saddr and ffff:ffff:ffff:ffff:: @ip6-connlimit-main counter reject with tcp reset
|
||||
synproxy mss 1460 wscale 7 timestamp sack-perm
|
||||
}
|
||||
|
||||
chain input-tcp-service-new {
|
||||
tcp dport 22 ip saddr @ip-connlimit-ssh counter reject with tcp reset
|
||||
tcp dport 22 ip6 saddr and ffff:ffff:ffff:ffff:: @ip6-connlimit-ssh counter reject with tcp reset
|
||||
tcp dport { 80, 443 } ip saddr @ip-connlimit-main counter reject with tcp reset
|
||||
tcp dport { 80, 443 } ip6 saddr and ffff:ffff:ffff:ffff:: @ip6-connlimit-main counter reject with tcp reset
|
||||
tcp dport $tcp-ports ip saddr @ip-connlimit-main counter reject with tcp reset
|
||||
tcp dport $tcp-ports ip6 saddr and ffff:ffff:ffff:ffff:: @ip6-connlimit-main counter reject with tcp reset
|
||||
accept
|
||||
}
|
||||
|
||||
|
|
@ -90,8 +93,8 @@ table inet filter {
|
|||
ct mark 0x1 accept
|
||||
tcp dport 22 ip saddr != $ip-allowlist-ssh add @ip-connlimit-ssh { ip saddr ct count over 1 } counter reject with tcp reset
|
||||
tcp dport 22 ip6 saddr != $ip6-allowlist-ssh add @ip6-connlimit-ssh { ip6 saddr and ffff:ffff:ffff:ffff:: ct count over 1 } counter reject with tcp reset
|
||||
tcp dport { 80, 443 } add @ip-connlimit-main { ip saddr ct count over 32 } counter reject with tcp reset
|
||||
tcp dport { 80, 443 } add @ip6-connlimit-main { ip6 saddr and ffff:ffff:ffff:ffff:: ct count over 32 } counter reject with tcp reset
|
||||
tcp dport $tcp-ports add @ip-connlimit-main { ip saddr ct count over 32 } counter reject with tcp reset
|
||||
tcp dport $tcp-ports add @ip6-connlimit-main { ip6 saddr and ffff:ffff:ffff:ffff:: ct count over 32 } counter reject with tcp reset
|
||||
ct mark set 0x1 accept
|
||||
}
|
||||
|
||||
|
|
@ -100,8 +103,8 @@ table inet filter {
|
|||
tcp flags != syn accept
|
||||
tcp dport 22 ip saddr != $ip-allowlist-ssh add @ip-connlimit-ssh { ip saddr ct count over 1 } counter reject with tcp reset
|
||||
tcp dport 22 ip6 saddr != $ip6-allowlist-ssh add @ip6-connlimit-ssh { ip6 saddr and ffff:ffff:ffff:ffff:: ct count over 1 } counter reject with tcp reset
|
||||
tcp dport { 80, 443 } add @ip-connlimit-main { ip saddr ct count over 32 } counter reject with tcp reset
|
||||
tcp dport { 80, 443 } add @ip6-connlimit-main { ip6 saddr and ffff:ffff:ffff:ffff:: ct count over 32 } counter reject with tcp reset
|
||||
tcp dport $tcp-ports add @ip-connlimit-main { ip saddr ct count over 32 } counter reject with tcp reset
|
||||
tcp dport $tcp-ports add @ip6-connlimit-main { ip6 saddr and ffff:ffff:ffff:ffff:: ct count over 32 } counter reject with tcp reset
|
||||
ct mark set 0x1 accept
|
||||
}
|
||||
|
||||
|
|
|
|||
|
|
@ -3,6 +3,9 @@
|
|||
flush ruleset
|
||||
|
||||
table inet filter {
|
||||
define tcp-ports = { 80, 443 }
|
||||
define tcp-ports-full = { 22, $tcp-ports }
|
||||
|
||||
define ip-allowlist-ssh = {
|
||||
{{ssh_ipv4}},
|
||||
}
|
||||
|
|
@ -49,7 +52,7 @@ table inet filter {
|
|||
meta nfproto ipv6 tcp dport {80, 443} drop
|
||||
|
||||
# handle new TCP connections beyond rate limit via synproxy to avoid conntrack table exhaustion
|
||||
tcp dport { 22, 80, 443 } tcp flags syn limit rate over {{synproxy_threshold}}/second burst {{synproxy_threshold}} packets counter notrack accept
|
||||
tcp dport $tcp-ports-full tcp flags syn limit rate over {{synproxy_threshold}}/second burst {{synproxy_threshold}} packets counter notrack accept
|
||||
|
||||
meta l4proto { tcp, udp } accept
|
||||
icmp type { echo-reply, destination-unreachable, echo-request, time-exceeded, parameter-problem } notrack accept
|
||||
|
|
@ -63,7 +66,7 @@ table inet filter {
|
|||
ip dscp set cs0
|
||||
ip6 dscp set cs0
|
||||
|
||||
tcp dport { 22, 80, 443 } goto input-tcp-service
|
||||
tcp dport $tcp-ports-full goto input-tcp-service
|
||||
ct state vmap { invalid : drop, established : accept, related : accept, new : drop, untracked: accept }
|
||||
}
|
||||
|
||||
|
|
@ -75,16 +78,16 @@ table inet filter {
|
|||
|
||||
tcp dport 22 ip saddr @ip-connlimit-ssh counter reject with tcp reset
|
||||
tcp dport 22 ip6 saddr and ffff:ffff:ffff:ffff:: @ip6-connlimit-ssh counter reject with tcp reset
|
||||
tcp dport { 80, 443 } ip saddr @ip-connlimit-main counter reject with tcp reset
|
||||
tcp dport { 80, 443 } ip6 saddr and ffff:ffff:ffff:ffff:: @ip6-connlimit-main counter reject with tcp reset
|
||||
tcp dport $tcp-ports ip saddr @ip-connlimit-main counter reject with tcp reset
|
||||
tcp dport $tcp-ports ip6 saddr and ffff:ffff:ffff:ffff:: @ip6-connlimit-main counter reject with tcp reset
|
||||
synproxy mss 1460 wscale 7 timestamp sack-perm
|
||||
}
|
||||
|
||||
chain input-tcp-service-new {
|
||||
tcp dport 22 ip saddr @ip-connlimit-ssh counter reject with tcp reset
|
||||
tcp dport 22 ip6 saddr and ffff:ffff:ffff:ffff:: @ip6-connlimit-ssh counter reject with tcp reset
|
||||
tcp dport { 80, 443 } ip saddr @ip-connlimit-main counter reject with tcp reset
|
||||
tcp dport { 80, 443 } ip6 saddr and ffff:ffff:ffff:ffff:: @ip6-connlimit-main counter reject with tcp reset
|
||||
tcp dport $tcp-ports ip saddr @ip-connlimit-main counter reject with tcp reset
|
||||
tcp dport $tcp-ports ip6 saddr and ffff:ffff:ffff:ffff:: @ip6-connlimit-main counter reject with tcp reset
|
||||
accept
|
||||
}
|
||||
|
||||
|
|
@ -93,8 +96,8 @@ table inet filter {
|
|||
ct mark 0x1 accept
|
||||
tcp dport 22 ip saddr != $ip-allowlist-ssh add @ip-connlimit-ssh { ip saddr ct count over 1 } counter reject with tcp reset
|
||||
tcp dport 22 ip6 saddr != $ip6-allowlist-ssh add @ip6-connlimit-ssh { ip6 saddr and ffff:ffff:ffff:ffff:: ct count over 1 } counter reject with tcp reset
|
||||
tcp dport { 80, 443 } add @ip-connlimit-main { ip saddr ct count over 32 } counter reject with tcp reset
|
||||
tcp dport { 80, 443 } add @ip6-connlimit-main { ip6 saddr and ffff:ffff:ffff:ffff:: ct count over 32 } counter reject with tcp reset
|
||||
tcp dport $tcp-ports add @ip-connlimit-main { ip saddr ct count over 32 } counter reject with tcp reset
|
||||
tcp dport $tcp-ports add @ip6-connlimit-main { ip6 saddr and ffff:ffff:ffff:ffff:: ct count over 32 } counter reject with tcp reset
|
||||
ct mark set 0x1 accept
|
||||
}
|
||||
|
||||
|
|
@ -103,8 +106,8 @@ table inet filter {
|
|||
tcp flags != syn accept
|
||||
tcp dport 22 ip saddr != $ip-allowlist-ssh add @ip-connlimit-ssh { ip saddr ct count over 1 } counter reject with tcp reset
|
||||
tcp dport 22 ip6 saddr != $ip6-allowlist-ssh add @ip6-connlimit-ssh { ip6 saddr and ffff:ffff:ffff:ffff:: ct count over 1 } counter reject with tcp reset
|
||||
tcp dport { 80, 443 } add @ip-connlimit-main { ip saddr ct count over 32 } counter reject with tcp reset
|
||||
tcp dport { 80, 443 } add @ip6-connlimit-main { ip6 saddr and ffff:ffff:ffff:ffff:: ct count over 32 } counter reject with tcp reset
|
||||
tcp dport $tcp-ports add @ip-connlimit-main { ip saddr ct count over 32 } counter reject with tcp reset
|
||||
tcp dport $tcp-ports add @ip6-connlimit-main { ip6 saddr and ffff:ffff:ffff:ffff:: ct count over 32 } counter reject with tcp reset
|
||||
ct mark set 0x1 accept
|
||||
}
|
||||
|
||||
|
|
|
|||
|
|
@ -3,6 +3,9 @@
|
|||
flush ruleset
|
||||
|
||||
table inet filter {
|
||||
define tcp-ports = { 25, 80, 443, 465, 993 }
|
||||
define tcp-ports-full = { 22, $tcp-ports }
|
||||
|
||||
define ip-allowlist-ssh = {
|
||||
{{ssh_ipv4}},
|
||||
}
|
||||
|
|
@ -58,7 +61,7 @@ table inet filter {
|
|||
fib daddr . iif type != { local, broadcast, multicast } counter drop
|
||||
|
||||
# handle new TCP connections beyond rate limit via synproxy to avoid conntrack table exhaustion
|
||||
tcp dport { 22, 25, 80, 443, 465, 993 } tcp flags syn limit rate over {{synproxy_threshold}}/second burst {{synproxy_threshold}} packets counter notrack accept
|
||||
tcp dport $tcp-ports-full tcp flags syn limit rate over {{synproxy_threshold}}/second burst {{synproxy_threshold}} packets counter notrack accept
|
||||
|
||||
meta l4proto { tcp, udp } accept
|
||||
icmp type { echo-reply, destination-unreachable, echo-request, time-exceeded, parameter-problem } notrack accept
|
||||
|
|
@ -72,7 +75,7 @@ table inet filter {
|
|||
ip dscp set cs0
|
||||
ip6 dscp set cs0
|
||||
|
||||
tcp dport { 22, 25, 80, 443, 465, 993 } goto input-tcp-service
|
||||
tcp dport $tcp-ports-full goto input-tcp-service
|
||||
ct state vmap { invalid : drop, established : accept, related : accept, new : drop, untracked: accept }
|
||||
}
|
||||
|
||||
|
|
@ -84,16 +87,16 @@ table inet filter {
|
|||
|
||||
tcp dport 22 ip saddr @ip-connlimit-ssh counter reject with tcp reset
|
||||
tcp dport 22 ip6 saddr and ffff:ffff:ffff:ffff:: @ip6-connlimit-ssh counter reject with tcp reset
|
||||
tcp dport { 25, 80, 443, 465, 993 } ip saddr @ip-connlimit-main counter reject with tcp reset
|
||||
tcp dport { 25, 80, 443, 465, 993 } ip6 saddr and ffff:ffff:ffff:ffff:: @ip6-connlimit-main counter reject with tcp reset
|
||||
tcp dport $tcp-ports ip saddr @ip-connlimit-main counter reject with tcp reset
|
||||
tcp dport $tcp-ports ip6 saddr and ffff:ffff:ffff:ffff:: @ip6-connlimit-main counter reject with tcp reset
|
||||
synproxy mss 1460 wscale 7 timestamp sack-perm
|
||||
}
|
||||
|
||||
chain input-tcp-service-new {
|
||||
tcp dport 22 ip saddr @ip-connlimit-ssh counter reject with tcp reset
|
||||
tcp dport 22 ip6 saddr and ffff:ffff:ffff:ffff:: @ip6-connlimit-ssh counter reject with tcp reset
|
||||
tcp dport { 25, 80, 443, 465, 993 } ip saddr @ip-connlimit-main counter reject with tcp reset
|
||||
tcp dport { 25, 80, 443, 465, 993 } ip6 saddr and ffff:ffff:ffff:ffff:: @ip6-connlimit-main counter reject with tcp reset
|
||||
tcp dport $tcp-ports ip saddr @ip-connlimit-main counter reject with tcp reset
|
||||
tcp dport $tcp-ports ip6 saddr and ffff:ffff:ffff:ffff:: @ip6-connlimit-main counter reject with tcp reset
|
||||
accept
|
||||
}
|
||||
|
||||
|
|
@ -102,8 +105,8 @@ table inet filter {
|
|||
ct mark 0x1 accept
|
||||
tcp dport 22 ip saddr != $ip-allowlist-ssh add @ip-connlimit-ssh { ip saddr ct count over 1 } counter reject with tcp reset
|
||||
tcp dport 22 ip6 saddr != $ip6-allowlist-ssh add @ip6-connlimit-ssh { ip6 saddr and ffff:ffff:ffff:ffff:: ct count over 1 } counter reject with tcp reset
|
||||
tcp dport { 25, 80, 443, 465, 993 } ip saddr != $ip-allowlist-main add @ip-connlimit-main { ip saddr ct count over 32 } counter reject with tcp reset
|
||||
tcp dport { 25, 80, 443, 465, 993 } ip6 saddr != $ip6-allowlist-main add @ip6-connlimit-main { ip6 saddr and ffff:ffff:ffff:ffff:: ct count over 32 } counter reject with tcp reset
|
||||
tcp dport $tcp-ports ip saddr != $ip-allowlist-main add @ip-connlimit-main { ip saddr ct count over 32 } counter reject with tcp reset
|
||||
tcp dport $tcp-ports ip6 saddr != $ip6-allowlist-main add @ip6-connlimit-main { ip6 saddr and ffff:ffff:ffff:ffff:: ct count over 32 } counter reject with tcp reset
|
||||
ct mark set 0x1 accept
|
||||
}
|
||||
|
||||
|
|
@ -112,8 +115,8 @@ table inet filter {
|
|||
tcp flags != syn accept
|
||||
tcp dport 22 ip saddr != $ip-allowlist-ssh add @ip-connlimit-ssh { ip saddr ct count over 1 } counter reject with tcp reset
|
||||
tcp dport 22 ip6 saddr != $ip6-allowlist-ssh add @ip6-connlimit-ssh { ip6 saddr and ffff:ffff:ffff:ffff:: ct count over 1 } counter reject with tcp reset
|
||||
tcp dport { 25, 80, 443, 465, 993 } ip saddr != $ip-allowlist-main add @ip-connlimit-main { ip saddr ct count over 32 } counter reject with tcp reset
|
||||
tcp dport { 25, 80, 443, 465, 993 } ip6 saddr != $ip6-allowlist-main add @ip6-connlimit-main { ip6 saddr and ffff:ffff:ffff:ffff:: ct count over 32 } counter reject with tcp reset
|
||||
tcp dport $tcp-ports ip saddr != $ip-allowlist-main add @ip-connlimit-main { ip saddr ct count over 32 } counter reject with tcp reset
|
||||
tcp dport $tcp-ports ip6 saddr != $ip6-allowlist-main add @ip6-connlimit-main { ip6 saddr and ffff:ffff:ffff:ffff:: ct count over 32 } counter reject with tcp reset
|
||||
ct mark set 0x1 accept
|
||||
}
|
||||
|
||||
|
|
|
|||
|
|
@ -3,6 +3,9 @@
|
|||
flush ruleset
|
||||
|
||||
table inet filter {
|
||||
define tcp-ports = { 80, 443 }
|
||||
define tcp-ports-full = { 22, $tcp-ports }
|
||||
|
||||
define ip-allowlist-ssh = {
|
||||
{{ssh_ipv4}},
|
||||
}
|
||||
|
|
@ -46,7 +49,7 @@ table inet filter {
|
|||
fib daddr . iif type != { local, broadcast, multicast } counter drop
|
||||
|
||||
# handle new TCP connections beyond rate limit via synproxy to avoid conntrack table exhaustion
|
||||
tcp dport { 22, 80, 443 } tcp flags syn limit rate over {{synproxy_threshold}}/second burst {{synproxy_threshold}} packets counter notrack accept
|
||||
tcp dport $tcp-ports-full tcp flags syn limit rate over {{synproxy_threshold}}/second burst {{synproxy_threshold}} packets counter notrack accept
|
||||
|
||||
meta l4proto { tcp, udp } accept
|
||||
icmp type { echo-reply, destination-unreachable, echo-request, time-exceeded, parameter-problem } notrack accept
|
||||
|
|
@ -60,7 +63,7 @@ table inet filter {
|
|||
ip dscp set cs0
|
||||
ip6 dscp set cs0
|
||||
|
||||
tcp dport { 22, 80, 443 } goto input-tcp-service
|
||||
tcp dport $tcp-ports-full goto input-tcp-service
|
||||
ct state vmap { invalid : drop, established : accept, related : accept, new : drop, untracked: accept }
|
||||
}
|
||||
|
||||
|
|
@ -72,16 +75,16 @@ table inet filter {
|
|||
|
||||
tcp dport 22 ip saddr @ip-connlimit-ssh counter reject with tcp reset
|
||||
tcp dport 22 ip6 saddr and ffff:ffff:ffff:ffff:: @ip6-connlimit-ssh counter reject with tcp reset
|
||||
tcp dport { 80, 443 } ip saddr @ip-connlimit-main counter reject with tcp reset
|
||||
tcp dport { 80, 443 } ip6 saddr and ffff:ffff:ffff:ffff:: @ip6-connlimit-main counter reject with tcp reset
|
||||
tcp dport $tcp-ports ip saddr @ip-connlimit-main counter reject with tcp reset
|
||||
tcp dport $tcp-ports ip6 saddr and ffff:ffff:ffff:ffff:: @ip6-connlimit-main counter reject with tcp reset
|
||||
synproxy mss 1460 wscale 7 timestamp sack-perm
|
||||
}
|
||||
|
||||
chain input-tcp-service-new {
|
||||
tcp dport 22 ip saddr @ip-connlimit-ssh counter reject with tcp reset
|
||||
tcp dport 22 ip6 saddr and ffff:ffff:ffff:ffff:: @ip6-connlimit-ssh counter reject with tcp reset
|
||||
tcp dport { 80, 443 } ip saddr @ip-connlimit-main counter reject with tcp reset
|
||||
tcp dport { 80, 443 } ip6 saddr and ffff:ffff:ffff:ffff:: @ip6-connlimit-main counter reject with tcp reset
|
||||
tcp dport $tcp-ports ip saddr @ip-connlimit-main counter reject with tcp reset
|
||||
tcp dport $tcp-ports ip6 saddr and ffff:ffff:ffff:ffff:: @ip6-connlimit-main counter reject with tcp reset
|
||||
accept
|
||||
}
|
||||
|
||||
|
|
@ -90,8 +93,8 @@ table inet filter {
|
|||
ct mark 0x1 accept
|
||||
tcp dport 22 ip saddr != $ip-allowlist-ssh add @ip-connlimit-ssh { ip saddr ct count over 1 } counter reject with tcp reset
|
||||
tcp dport 22 ip6 saddr != $ip6-allowlist-ssh add @ip6-connlimit-ssh { ip6 saddr and ffff:ffff:ffff:ffff:: ct count over 1 } counter reject with tcp reset
|
||||
tcp dport { 80, 443 } add @ip-connlimit-main { ip saddr ct count over 32 } counter reject with tcp reset
|
||||
tcp dport { 80, 443 } add @ip6-connlimit-main { ip6 saddr and ffff:ffff:ffff:ffff:: ct count over 32 } counter reject with tcp reset
|
||||
tcp dport $tcp-ports add @ip-connlimit-main { ip saddr ct count over 32 } counter reject with tcp reset
|
||||
tcp dport $tcp-ports add @ip6-connlimit-main { ip6 saddr and ffff:ffff:ffff:ffff:: ct count over 32 } counter reject with tcp reset
|
||||
ct mark set 0x1 accept
|
||||
}
|
||||
|
||||
|
|
@ -100,8 +103,8 @@ table inet filter {
|
|||
tcp flags != syn accept
|
||||
tcp dport 22 ip saddr != $ip-allowlist-ssh add @ip-connlimit-ssh { ip saddr ct count over 1 } counter reject with tcp reset
|
||||
tcp dport 22 ip6 saddr != $ip6-allowlist-ssh add @ip6-connlimit-ssh { ip6 saddr and ffff:ffff:ffff:ffff:: ct count over 1 } counter reject with tcp reset
|
||||
tcp dport { 80, 443 } add @ip-connlimit-main { ip saddr ct count over 32 } counter reject with tcp reset
|
||||
tcp dport { 80, 443 } add @ip6-connlimit-main { ip6 saddr and ffff:ffff:ffff:ffff:: ct count over 32 } counter reject with tcp reset
|
||||
tcp dport $tcp-ports add @ip-connlimit-main { ip saddr ct count over 32 } counter reject with tcp reset
|
||||
tcp dport $tcp-ports add @ip6-connlimit-main { ip6 saddr and ffff:ffff:ffff:ffff:: ct count over 32 } counter reject with tcp reset
|
||||
ct mark set 0x1 accept
|
||||
}
|
||||
|
||||
|
|
|
|||
|
|
@ -3,6 +3,10 @@
|
|||
flush ruleset
|
||||
|
||||
table inet filter {
|
||||
define tcp-ports = { 80, 443, 7275 }
|
||||
define tcp-ports-full = { 22, $tcp-ports }
|
||||
define udp-ports = 123
|
||||
|
||||
define ip-allowlist-ssh = {
|
||||
{{ssh_ipv4}},
|
||||
51.222.159.116, # 0.grapheneos.network
|
||||
|
|
@ -48,9 +52,9 @@ table inet filter {
|
|||
fib daddr . iif type != { local, broadcast, multicast } counter drop
|
||||
|
||||
# handle new TCP connections beyond rate limit via synproxy to avoid conntrack table exhaustion
|
||||
tcp dport { 22, 80, 443, 7275 } tcp flags syn limit rate over {{synproxy_threshold}}/second burst {{synproxy_threshold}} packets counter notrack accept
|
||||
tcp dport $tcp-ports-full tcp flags syn limit rate over {{synproxy_threshold}}/second burst {{synproxy_threshold}} packets counter notrack accept
|
||||
|
||||
udp dport 123 notrack accept
|
||||
udp dport $udp-ports notrack accept
|
||||
|
||||
meta l4proto { tcp, udp } accept
|
||||
icmp type { echo-reply, destination-unreachable, echo-request, time-exceeded, parameter-problem } notrack accept
|
||||
|
|
@ -64,7 +68,7 @@ table inet filter {
|
|||
ip dscp set cs0
|
||||
ip6 dscp set cs0
|
||||
|
||||
tcp dport { 22, 80, 443, 7275 } goto input-tcp-service
|
||||
tcp dport $tcp-ports-full goto input-tcp-service
|
||||
ct state vmap { invalid : drop, established : accept, related : accept, new : drop, untracked: accept }
|
||||
}
|
||||
|
||||
|
|
@ -76,16 +80,16 @@ table inet filter {
|
|||
|
||||
tcp dport 22 ip saddr @ip-connlimit-ssh counter reject with tcp reset
|
||||
tcp dport 22 ip6 saddr and ffff:ffff:ffff:ffff:: @ip6-connlimit-ssh counter reject with tcp reset
|
||||
tcp dport { 80, 443, 7275 } ip saddr @ip-connlimit-main counter reject with tcp reset
|
||||
tcp dport { 80, 443, 7275 } ip6 saddr and ffff:ffff:ffff:ffff:: @ip6-connlimit-main counter reject with tcp reset
|
||||
tcp dport $tcp-ports ip saddr @ip-connlimit-main counter reject with tcp reset
|
||||
tcp dport $tcp-ports ip6 saddr and ffff:ffff:ffff:ffff:: @ip6-connlimit-main counter reject with tcp reset
|
||||
synproxy mss 1460 wscale 7 timestamp sack-perm
|
||||
}
|
||||
|
||||
chain input-tcp-service-new {
|
||||
tcp dport 22 ip saddr @ip-connlimit-ssh counter reject with tcp reset
|
||||
tcp dport 22 ip6 saddr and ffff:ffff:ffff:ffff:: @ip6-connlimit-ssh counter reject with tcp reset
|
||||
tcp dport { 80, 443, 7275 } ip saddr @ip-connlimit-main counter reject with tcp reset
|
||||
tcp dport { 80, 443, 7275 } ip6 saddr and ffff:ffff:ffff:ffff:: @ip6-connlimit-main counter reject with tcp reset
|
||||
tcp dport $tcp-ports ip saddr @ip-connlimit-main counter reject with tcp reset
|
||||
tcp dport $tcp-ports ip6 saddr and ffff:ffff:ffff:ffff:: @ip6-connlimit-main counter reject with tcp reset
|
||||
accept
|
||||
}
|
||||
|
||||
|
|
@ -94,8 +98,8 @@ table inet filter {
|
|||
ct mark 0x1 accept
|
||||
tcp dport 22 ip saddr != $ip-allowlist-ssh add @ip-connlimit-ssh { ip saddr ct count over 1 } counter reject with tcp reset
|
||||
tcp dport 22 ip6 saddr != $ip6-allowlist-ssh add @ip6-connlimit-ssh { ip6 saddr and ffff:ffff:ffff:ffff:: ct count over 1 } counter reject with tcp reset
|
||||
tcp dport { 80, 443, 7275 } add @ip-connlimit-main { ip saddr ct count over 32 } counter reject with tcp reset
|
||||
tcp dport { 80, 443, 7275 } add @ip6-connlimit-main { ip6 saddr and ffff:ffff:ffff:ffff:: ct count over 32 } counter reject with tcp reset
|
||||
tcp dport $tcp-ports add @ip-connlimit-main { ip saddr ct count over 32 } counter reject with tcp reset
|
||||
tcp dport $tcp-ports add @ip6-connlimit-main { ip6 saddr and ffff:ffff:ffff:ffff:: ct count over 32 } counter reject with tcp reset
|
||||
ct mark set 0x1 accept
|
||||
}
|
||||
|
||||
|
|
@ -104,8 +108,8 @@ table inet filter {
|
|||
tcp flags != syn accept
|
||||
tcp dport 22 ip saddr != $ip-allowlist-ssh add @ip-connlimit-ssh { ip saddr ct count over 1 } counter reject with tcp reset
|
||||
tcp dport 22 ip6 saddr != $ip6-allowlist-ssh add @ip6-connlimit-ssh { ip6 saddr and ffff:ffff:ffff:ffff:: ct count over 1 } counter reject with tcp reset
|
||||
tcp dport { 80, 443, 7275 } add @ip-connlimit-main { ip saddr ct count over 32 } counter reject with tcp reset
|
||||
tcp dport { 80, 443, 7275 } add @ip6-connlimit-main { ip6 saddr and ffff:ffff:ffff:ffff:: ct count over 32 } counter reject with tcp reset
|
||||
tcp dport $tcp-ports add @ip-connlimit-main { ip saddr ct count over 32 } counter reject with tcp reset
|
||||
tcp dport $tcp-ports add @ip6-connlimit-main { ip6 saddr and ffff:ffff:ffff:ffff:: ct count over 32 } counter reject with tcp reset
|
||||
ct mark set 0x1 accept
|
||||
}
|
||||
|
||||
|
|
@ -119,7 +123,7 @@ table inet filter {
|
|||
|
||||
oif lo goto output-raw-loopback
|
||||
skuid != { root, systemd-network, unbound, alpm, chrony, http } counter goto graceful-reject
|
||||
udp sport 123 notrack accept
|
||||
udp sport $udp-ports notrack accept
|
||||
meta l4proto { icmp, ipv6-icmp } notrack accept
|
||||
}
|
||||
|
||||
|
|
|
|||
|
|
@ -3,6 +3,10 @@
|
|||
flush ruleset
|
||||
|
||||
table inet filter {
|
||||
define tcp-ports = { 53, 80, 443, 853 }
|
||||
define tcp-ports-full = { 22, $tcp-ports }
|
||||
define udp-ports = 53
|
||||
|
||||
define ip-anycast = 185.187.152.9
|
||||
define ip6-anycast = 2a05:b0c4:1::8
|
||||
|
||||
|
|
@ -50,13 +54,13 @@ table inet filter {
|
|||
# ordered after accepting loopback to permit using external IPs via loopback
|
||||
fib daddr . iif type != { local, broadcast, multicast } counter drop
|
||||
|
||||
udp dport 53 notrack accept
|
||||
udp dport $udp-ports notrack accept
|
||||
|
||||
tcp dport 22 ip daddr $ip-anycast drop
|
||||
tcp dport 22 ip6 daddr $ip6-anycast drop
|
||||
|
||||
# handle new TCP connections beyond rate limit via synproxy to avoid conntrack table exhaustion
|
||||
tcp dport { 22, 53, 80, 443, 853 } tcp flags syn limit rate over {{synproxy_threshold}}/second burst {{synproxy_threshold}} packets counter notrack accept
|
||||
tcp dport $tcp-ports-full tcp flags syn limit rate over {{synproxy_threshold}}/second burst {{synproxy_threshold}} packets counter notrack accept
|
||||
|
||||
meta l4proto { tcp, udp } accept
|
||||
icmp type { echo-reply, destination-unreachable, echo-request, time-exceeded, parameter-problem } notrack accept
|
||||
|
|
@ -70,7 +74,7 @@ table inet filter {
|
|||
ip dscp set cs0
|
||||
ip6 dscp set cs0
|
||||
|
||||
tcp dport { 22, 53, 80, 443, 853 } goto input-tcp-service
|
||||
tcp dport $tcp-ports-full goto input-tcp-service
|
||||
ct state vmap { invalid : drop, established : accept, related : accept, new : drop, untracked: accept }
|
||||
}
|
||||
|
||||
|
|
@ -82,16 +86,16 @@ table inet filter {
|
|||
|
||||
tcp dport 22 ip saddr @ip-connlimit-ssh counter reject with tcp reset
|
||||
tcp dport 22 ip6 saddr and ffff:ffff:ffff:ffff:: @ip6-connlimit-ssh counter reject with tcp reset
|
||||
tcp dport { 53, 80, 443, 853 } ip saddr @ip-connlimit-main counter reject with tcp reset
|
||||
tcp dport { 53, 80, 443, 853 } ip6 saddr and ffff:ffff:ffff:ffff:: @ip6-connlimit-main counter reject with tcp reset
|
||||
tcp dport $tcp-ports ip saddr @ip-connlimit-main counter reject with tcp reset
|
||||
tcp dport $tcp-ports ip6 saddr and ffff:ffff:ffff:ffff:: @ip6-connlimit-main counter reject with tcp reset
|
||||
synproxy mss 1460 wscale 7 timestamp sack-perm
|
||||
}
|
||||
|
||||
chain input-tcp-service-new {
|
||||
tcp dport 22 ip saddr @ip-connlimit-ssh counter reject with tcp reset
|
||||
tcp dport 22 ip6 saddr and ffff:ffff:ffff:ffff:: @ip6-connlimit-ssh counter reject with tcp reset
|
||||
tcp dport { 53, 80, 443, 853 } ip saddr @ip-connlimit-main counter reject with tcp reset
|
||||
tcp dport { 53, 80, 443, 853 } ip6 saddr and ffff:ffff:ffff:ffff:: @ip6-connlimit-main counter reject with tcp reset
|
||||
tcp dport $tcp-ports ip saddr @ip-connlimit-main counter reject with tcp reset
|
||||
tcp dport $tcp-ports ip6 saddr and ffff:ffff:ffff:ffff:: @ip6-connlimit-main counter reject with tcp reset
|
||||
accept
|
||||
}
|
||||
|
||||
|
|
@ -100,8 +104,8 @@ table inet filter {
|
|||
ct mark 0x1 accept
|
||||
tcp dport 22 ip saddr != $ip-allowlist-ssh add @ip-connlimit-ssh { ip saddr ct count over 1 } counter reject with tcp reset
|
||||
tcp dport 22 ip6 saddr != $ip6-allowlist-ssh add @ip6-connlimit-ssh { ip6 saddr and ffff:ffff:ffff:ffff:: ct count over 1 } counter reject with tcp reset
|
||||
tcp dport { 53, 80, 443, 853 } add @ip-connlimit-main { ip saddr ct count over 16 } counter reject with tcp reset
|
||||
tcp dport { 53, 80, 443, 853 } add @ip6-connlimit-main { ip6 saddr and ffff:ffff:ffff:ffff:: ct count over 16 } counter reject with tcp reset
|
||||
tcp dport $tcp-ports add @ip-connlimit-main { ip saddr ct count over 16 } counter reject with tcp reset
|
||||
tcp dport $tcp-ports add @ip6-connlimit-main { ip6 saddr and ffff:ffff:ffff:ffff:: ct count over 16 } counter reject with tcp reset
|
||||
ct mark set 0x1 accept
|
||||
}
|
||||
|
||||
|
|
@ -110,8 +114,8 @@ table inet filter {
|
|||
tcp flags != syn accept
|
||||
tcp dport 22 ip saddr != $ip-allowlist-ssh add @ip-connlimit-ssh { ip saddr ct count over 1 } counter reject with tcp reset
|
||||
tcp dport 22 ip6 saddr != $ip6-allowlist-ssh add @ip6-connlimit-ssh { ip6 saddr and ffff:ffff:ffff:ffff:: ct count over 1 } counter reject with tcp reset
|
||||
tcp dport { 53, 80, 443, 853 } add @ip-connlimit-main { ip saddr ct count over 16 } counter reject with tcp reset
|
||||
tcp dport { 53, 80, 443, 853 } add @ip6-connlimit-main { ip6 saddr and ffff:ffff:ffff:ffff:: ct count over 16 } counter reject with tcp reset
|
||||
tcp dport $tcp-ports add @ip-connlimit-main { ip saddr ct count over 16 } counter reject with tcp reset
|
||||
tcp dport $tcp-ports add @ip6-connlimit-main { ip6 saddr and ffff:ffff:ffff:ffff:: ct count over 16 } counter reject with tcp reset
|
||||
ct mark set 0x1 accept
|
||||
}
|
||||
|
||||
|
|
@ -125,7 +129,7 @@ table inet filter {
|
|||
|
||||
oif lo goto output-raw-loopback
|
||||
skuid != { root, systemd-network, unbound, alpm, chrony, http, powerdns, dnsdist, geoipupdate, zerotier-one, bird } counter goto graceful-reject
|
||||
udp sport 53 notrack accept
|
||||
udp sport $udp-ports notrack accept
|
||||
meta l4proto { icmp, ipv6-icmp } notrack accept
|
||||
}
|
||||
|
||||
|
|
|
|||
|
|
@ -3,6 +3,10 @@
|
|||
flush ruleset
|
||||
|
||||
table inet filter {
|
||||
define tcp-ports = { 53, 80, 443, 853 }
|
||||
define tcp-ports-full = { 22, $tcp-ports }
|
||||
define udp-ports = 53
|
||||
|
||||
define ip-anycast = 198.251.90.93
|
||||
|
||||
define ip-allowlist-ssh = {
|
||||
|
|
@ -49,12 +53,12 @@ table inet filter {
|
|||
# ordered after accepting loopback to permit using external IPs via loopback
|
||||
fib daddr . iif type != { local, broadcast, multicast } counter drop
|
||||
|
||||
udp dport 53 notrack accept
|
||||
udp dport $udp-ports notrack accept
|
||||
|
||||
tcp dport 22 ip daddr $ip-anycast drop
|
||||
|
||||
# handle new TCP connections beyond rate limit via synproxy to avoid conntrack table exhaustion
|
||||
tcp dport { 22, 53, 80, 443, 853 } tcp flags syn limit rate over {{synproxy_threshold}}/second burst {{synproxy_threshold}} packets counter notrack accept
|
||||
tcp dport $tcp-ports-full tcp flags syn limit rate over {{synproxy_threshold}}/second burst {{synproxy_threshold}} packets counter notrack accept
|
||||
|
||||
meta l4proto { tcp, udp } accept
|
||||
icmp type { echo-reply, destination-unreachable, echo-request, time-exceeded, parameter-problem } notrack accept
|
||||
|
|
@ -68,7 +72,7 @@ table inet filter {
|
|||
ip dscp set cs0
|
||||
ip6 dscp set cs0
|
||||
|
||||
tcp dport { 22, 53, 80, 443, 853 } goto input-tcp-service
|
||||
tcp dport $tcp-ports-full goto input-tcp-service
|
||||
ct state vmap { invalid : drop, established : accept, related : accept, new : drop, untracked: accept }
|
||||
}
|
||||
|
||||
|
|
@ -80,16 +84,16 @@ table inet filter {
|
|||
|
||||
tcp dport 22 ip saddr @ip-connlimit-ssh counter reject with tcp reset
|
||||
tcp dport 22 ip6 saddr and ffff:ffff:ffff:ffff:: @ip6-connlimit-ssh counter reject with tcp reset
|
||||
tcp dport { 53, 80, 443, 853 } ip saddr @ip-connlimit-main counter reject with tcp reset
|
||||
tcp dport { 53, 80, 443, 853 } ip6 saddr and ffff:ffff:ffff:ffff:: @ip6-connlimit-main counter reject with tcp reset
|
||||
tcp dport $tcp-ports ip saddr @ip-connlimit-main counter reject with tcp reset
|
||||
tcp dport $tcp-ports ip6 saddr and ffff:ffff:ffff:ffff:: @ip6-connlimit-main counter reject with tcp reset
|
||||
synproxy mss 1460 wscale 7 timestamp sack-perm
|
||||
}
|
||||
|
||||
chain input-tcp-service-new {
|
||||
tcp dport 22 ip saddr @ip-connlimit-ssh counter reject with tcp reset
|
||||
tcp dport 22 ip6 saddr and ffff:ffff:ffff:ffff:: @ip6-connlimit-ssh counter reject with tcp reset
|
||||
tcp dport { 53, 80, 443, 853 } ip saddr @ip-connlimit-main counter reject with tcp reset
|
||||
tcp dport { 53, 80, 443, 853 } ip6 saddr and ffff:ffff:ffff:ffff:: @ip6-connlimit-main counter reject with tcp reset
|
||||
tcp dport $tcp-ports ip saddr @ip-connlimit-main counter reject with tcp reset
|
||||
tcp dport $tcp-ports ip6 saddr and ffff:ffff:ffff:ffff:: @ip6-connlimit-main counter reject with tcp reset
|
||||
accept
|
||||
}
|
||||
|
||||
|
|
@ -98,8 +102,8 @@ table inet filter {
|
|||
ct mark 0x1 accept
|
||||
tcp dport 22 ip saddr != $ip-allowlist-ssh add @ip-connlimit-ssh { ip saddr ct count over 1 } counter reject with tcp reset
|
||||
tcp dport 22 ip6 saddr != $ip6-allowlist-ssh add @ip6-connlimit-ssh { ip6 saddr and ffff:ffff:ffff:ffff:: ct count over 1 } counter reject with tcp reset
|
||||
tcp dport { 53, 80, 443, 853 } add @ip-connlimit-main { ip saddr ct count over 16 } counter reject with tcp reset
|
||||
tcp dport { 53, 80, 443, 853 } add @ip6-connlimit-main { ip6 saddr and ffff:ffff:ffff:ffff:: ct count over 16 } counter reject with tcp reset
|
||||
tcp dport $tcp-ports add @ip-connlimit-main { ip saddr ct count over 16 } counter reject with tcp reset
|
||||
tcp dport $tcp-ports add @ip6-connlimit-main { ip6 saddr and ffff:ffff:ffff:ffff:: ct count over 16 } counter reject with tcp reset
|
||||
ct mark set 0x1 accept
|
||||
}
|
||||
|
||||
|
|
@ -108,8 +112,8 @@ table inet filter {
|
|||
tcp flags != syn accept
|
||||
tcp dport 22 ip saddr != $ip-allowlist-ssh add @ip-connlimit-ssh { ip saddr ct count over 1 } counter reject with tcp reset
|
||||
tcp dport 22 ip6 saddr != $ip6-allowlist-ssh add @ip6-connlimit-ssh { ip6 saddr and ffff:ffff:ffff:ffff:: ct count over 1 } counter reject with tcp reset
|
||||
tcp dport { 53, 80, 443, 853 } add @ip-connlimit-main { ip saddr ct count over 16 } counter reject with tcp reset
|
||||
tcp dport { 53, 80, 443, 853 } add @ip6-connlimit-main { ip6 saddr and ffff:ffff:ffff:ffff:: ct count over 16 } counter reject with tcp reset
|
||||
tcp dport $tcp-ports add @ip-connlimit-main { ip saddr ct count over 16 } counter reject with tcp reset
|
||||
tcp dport $tcp-ports add @ip6-connlimit-main { ip6 saddr and ffff:ffff:ffff:ffff:: ct count over 16 } counter reject with tcp reset
|
||||
ct mark set 0x1 accept
|
||||
}
|
||||
|
||||
|
|
@ -123,7 +127,7 @@ table inet filter {
|
|||
|
||||
oif lo goto output-raw-loopback
|
||||
skuid != { root, systemd-network, unbound, alpm, chrony, http, powerdns, dnsdist, geoipupdate } counter goto graceful-reject
|
||||
udp sport 53 notrack accept
|
||||
udp sport $udp-ports notrack accept
|
||||
meta l4proto { icmp, ipv6-icmp } notrack accept
|
||||
}
|
||||
|
||||
|
|
|
|||
|
|
@ -3,6 +3,9 @@
|
|||
flush ruleset
|
||||
|
||||
table inet filter {
|
||||
define tcp-ports = { 80, 443 }
|
||||
define tcp-ports-full = { 22, $tcp-ports }
|
||||
|
||||
define ip-allowlist-ssh = {
|
||||
{{ssh_ipv4}},
|
||||
45.90.185.33, # 0.releases.grapheneos.org
|
||||
|
|
@ -82,7 +85,7 @@ table inet filter {
|
|||
fib daddr . iif type != { local, broadcast, multicast } counter drop
|
||||
|
||||
# handle new TCP connections beyond rate limit via synproxy to avoid conntrack table exhaustion
|
||||
tcp dport { 22, 80, 443 } tcp flags syn limit rate over {{synproxy_threshold}}/second burst {{synproxy_threshold}} packets counter notrack accept
|
||||
tcp dport $tcp-ports-full tcp flags syn limit rate over {{synproxy_threshold}}/second burst {{synproxy_threshold}} packets counter notrack accept
|
||||
|
||||
meta l4proto { tcp, udp } accept
|
||||
icmp type { echo-reply, destination-unreachable, echo-request, time-exceeded, parameter-problem } notrack accept
|
||||
|
|
@ -96,7 +99,7 @@ table inet filter {
|
|||
ip dscp set cs0
|
||||
ip6 dscp set cs0
|
||||
|
||||
tcp dport { 22, 80, 443 } goto input-tcp-service
|
||||
tcp dport $tcp-ports-full goto input-tcp-service
|
||||
ct state vmap { invalid : drop, established : accept, related : accept, new : drop, untracked: accept }
|
||||
}
|
||||
|
||||
|
|
@ -108,16 +111,16 @@ table inet filter {
|
|||
|
||||
tcp dport 22 ip saddr @ip-connlimit-ssh counter reject with tcp reset
|
||||
tcp dport 22 ip6 saddr and ffff:ffff:ffff:ffff:: @ip6-connlimit-ssh counter reject with tcp reset
|
||||
tcp dport { 80, 443 } ip saddr @ip-connlimit-main counter reject with tcp reset
|
||||
tcp dport { 80, 443 } ip6 saddr and ffff:ffff:ffff:ffff:: @ip6-connlimit-main counter reject with tcp reset
|
||||
tcp dport $tcp-ports ip saddr @ip-connlimit-main counter reject with tcp reset
|
||||
tcp dport $tcp-ports ip6 saddr and ffff:ffff:ffff:ffff:: @ip6-connlimit-main counter reject with tcp reset
|
||||
synproxy mss 1460 wscale 7 timestamp sack-perm
|
||||
}
|
||||
|
||||
chain input-tcp-service-new {
|
||||
tcp dport 22 ip saddr @ip-connlimit-ssh counter reject with tcp reset
|
||||
tcp dport 22 ip6 saddr and ffff:ffff:ffff:ffff:: @ip6-connlimit-ssh counter reject with tcp reset
|
||||
tcp dport { 80, 443 } ip saddr @ip-connlimit-main counter reject with tcp reset
|
||||
tcp dport { 80, 443 } ip6 saddr and ffff:ffff:ffff:ffff:: @ip6-connlimit-main counter reject with tcp reset
|
||||
tcp dport $tcp-ports ip saddr @ip-connlimit-main counter reject with tcp reset
|
||||
tcp dport $tcp-ports ip6 saddr and ffff:ffff:ffff:ffff:: @ip6-connlimit-main counter reject with tcp reset
|
||||
accept
|
||||
}
|
||||
|
||||
|
|
@ -126,8 +129,8 @@ table inet filter {
|
|||
ct mark 0x1 accept
|
||||
tcp dport 22 ip saddr != $ip-allowlist-ssh add @ip-connlimit-ssh { ip saddr ct count over 1 } counter reject with tcp reset
|
||||
tcp dport 22 ip6 saddr != $ip6-allowlist-ssh add @ip6-connlimit-ssh { ip6 saddr and ffff:ffff:ffff:ffff:: ct count over 1 } counter reject with tcp reset
|
||||
tcp dport { 80, 443 } add @ip-connlimit-main { ip saddr ct count over 32 } counter reject with tcp reset
|
||||
tcp dport { 80, 443 } add @ip6-connlimit-main { ip6 saddr and ffff:ffff:ffff:ffff:: ct count over 32 } counter reject with tcp reset
|
||||
tcp dport $tcp-ports add @ip-connlimit-main { ip saddr ct count over 32 } counter reject with tcp reset
|
||||
tcp dport $tcp-ports add @ip6-connlimit-main { ip6 saddr and ffff:ffff:ffff:ffff:: ct count over 32 } counter reject with tcp reset
|
||||
ct mark set 0x1 accept
|
||||
}
|
||||
|
||||
|
|
@ -136,8 +139,8 @@ table inet filter {
|
|||
tcp flags != syn accept
|
||||
tcp dport 22 ip saddr != $ip-allowlist-ssh add @ip-connlimit-ssh { ip saddr ct count over 1 } counter reject with tcp reset
|
||||
tcp dport 22 ip6 saddr != $ip6-allowlist-ssh add @ip6-connlimit-ssh { ip6 saddr and ffff:ffff:ffff:ffff:: ct count over 1 } counter reject with tcp reset
|
||||
tcp dport { 80, 443 } add @ip-connlimit-main { ip saddr ct count over 32 } counter reject with tcp reset
|
||||
tcp dport { 80, 443 } add @ip6-connlimit-main { ip6 saddr and ffff:ffff:ffff:ffff:: ct count over 32 } counter reject with tcp reset
|
||||
tcp dport $tcp-ports add @ip-connlimit-main { ip saddr ct count over 32 } counter reject with tcp reset
|
||||
tcp dport $tcp-ports add @ip6-connlimit-main { ip6 saddr and ffff:ffff:ffff:ffff:: ct count over 32 } counter reject with tcp reset
|
||||
ct mark set 0x1 accept
|
||||
}
|
||||
|
||||
|
|
|
|||
|
|
@ -3,6 +3,9 @@
|
|||
flush ruleset
|
||||
|
||||
table inet filter {
|
||||
define tcp-ports = { 80, 443 }
|
||||
define tcp-ports-full = { 22, $tcp-ports }
|
||||
|
||||
define ip-allowlist-ssh = {
|
||||
{{ssh_ipv4}},
|
||||
}
|
||||
|
|
@ -46,7 +49,7 @@ table inet filter {
|
|||
fib daddr . iif type != { local, broadcast, multicast } counter drop
|
||||
|
||||
# handle new TCP connections beyond rate limit via synproxy to avoid conntrack table exhaustion
|
||||
tcp dport { 22, 80, 443 } tcp flags syn limit rate over {{synproxy_threshold}}/second burst {{synproxy_threshold}} packets counter notrack accept
|
||||
tcp dport $tcp-ports-full tcp flags syn limit rate over {{synproxy_threshold}}/second burst {{synproxy_threshold}} packets counter notrack accept
|
||||
|
||||
meta l4proto { tcp, udp } accept
|
||||
icmp type { echo-reply, destination-unreachable, echo-request, time-exceeded, parameter-problem } notrack accept
|
||||
|
|
@ -60,7 +63,7 @@ table inet filter {
|
|||
ip dscp set cs0
|
||||
ip6 dscp set cs0
|
||||
|
||||
tcp dport { 22, 80, 443 } goto input-tcp-service
|
||||
tcp dport $tcp-ports-full goto input-tcp-service
|
||||
ct state vmap { invalid : drop, established : accept, related : accept, new : drop, untracked: accept }
|
||||
}
|
||||
|
||||
|
|
@ -72,16 +75,16 @@ table inet filter {
|
|||
|
||||
tcp dport 22 ip saddr @ip-connlimit-ssh counter reject with tcp reset
|
||||
tcp dport 22 ip6 saddr and ffff:ffff:ffff:ffff:: @ip6-connlimit-ssh counter reject with tcp reset
|
||||
tcp dport { 80, 443 } ip saddr @ip-connlimit-main counter reject with tcp reset
|
||||
tcp dport { 80, 443 } ip6 saddr and ffff:ffff:ffff:ffff:: @ip6-connlimit-main counter reject with tcp reset
|
||||
tcp dport $tcp-ports ip saddr @ip-connlimit-main counter reject with tcp reset
|
||||
tcp dport $tcp-ports ip6 saddr and ffff:ffff:ffff:ffff:: @ip6-connlimit-main counter reject with tcp reset
|
||||
synproxy mss 1460 wscale 7 timestamp sack-perm
|
||||
}
|
||||
|
||||
chain input-tcp-service-new {
|
||||
tcp dport 22 ip saddr @ip-connlimit-ssh counter reject with tcp reset
|
||||
tcp dport 22 ip6 saddr and ffff:ffff:ffff:ffff:: @ip6-connlimit-ssh counter reject with tcp reset
|
||||
tcp dport { 80, 443 } ip saddr @ip-connlimit-main counter reject with tcp reset
|
||||
tcp dport { 80, 443 } ip6 saddr and ffff:ffff:ffff:ffff:: @ip6-connlimit-main counter reject with tcp reset
|
||||
tcp dport $tcp-ports ip saddr @ip-connlimit-main counter reject with tcp reset
|
||||
tcp dport $tcp-ports ip6 saddr and ffff:ffff:ffff:ffff:: @ip6-connlimit-main counter reject with tcp reset
|
||||
accept
|
||||
}
|
||||
|
||||
|
|
@ -90,8 +93,8 @@ table inet filter {
|
|||
ct mark 0x1 accept
|
||||
tcp dport 22 ip saddr != $ip-allowlist-ssh add @ip-connlimit-ssh { ip saddr ct count over 1 } counter reject with tcp reset
|
||||
tcp dport 22 ip6 saddr != $ip6-allowlist-ssh add @ip6-connlimit-ssh { ip6 saddr and ffff:ffff:ffff:ffff:: ct count over 1 } counter reject with tcp reset
|
||||
tcp dport { 80, 443 } add @ip-connlimit-main { ip saddr ct count over 32 } counter reject with tcp reset
|
||||
tcp dport { 80, 443 } add @ip6-connlimit-main { ip6 saddr and ffff:ffff:ffff:ffff:: ct count over 32 } counter reject with tcp reset
|
||||
tcp dport $tcp-ports add @ip-connlimit-main { ip saddr ct count over 32 } counter reject with tcp reset
|
||||
tcp dport $tcp-ports add @ip6-connlimit-main { ip6 saddr and ffff:ffff:ffff:ffff:: ct count over 32 } counter reject with tcp reset
|
||||
ct mark set 0x1 accept
|
||||
}
|
||||
|
||||
|
|
@ -100,8 +103,8 @@ table inet filter {
|
|||
tcp flags != syn accept
|
||||
tcp dport 22 ip saddr != $ip-allowlist-ssh add @ip-connlimit-ssh { ip saddr ct count over 1 } counter reject with tcp reset
|
||||
tcp dport 22 ip6 saddr != $ip6-allowlist-ssh add @ip6-connlimit-ssh { ip6 saddr and ffff:ffff:ffff:ffff:: ct count over 1 } counter reject with tcp reset
|
||||
tcp dport { 80, 443 } add @ip-connlimit-main { ip saddr ct count over 32 } counter reject with tcp reset
|
||||
tcp dport { 80, 443 } add @ip6-connlimit-main { ip6 saddr and ffff:ffff:ffff:ffff:: ct count over 32 } counter reject with tcp reset
|
||||
tcp dport $tcp-ports add @ip-connlimit-main { ip saddr ct count over 32 } counter reject with tcp reset
|
||||
tcp dport $tcp-ports add @ip6-connlimit-main { ip6 saddr and ffff:ffff:ffff:ffff:: ct count over 32 } counter reject with tcp reset
|
||||
ct mark set 0x1 accept
|
||||
}
|
||||
|
||||
|
|
|
|||
|
|
@ -3,6 +3,9 @@
|
|||
flush ruleset
|
||||
|
||||
table inet filter {
|
||||
define tcp-ports = { 80, 443 }
|
||||
define tcp-ports-full = { 22, $tcp-ports }
|
||||
|
||||
define ip-allowlist-ssh = {
|
||||
{{ssh_ipv4}},
|
||||
51.222.156.101, # 0.grapheneos.org
|
||||
|
|
@ -48,7 +51,7 @@ table inet filter {
|
|||
fib daddr . iif type != { local, broadcast, multicast } counter drop
|
||||
|
||||
# handle new TCP connections beyond rate limit via synproxy to avoid conntrack table exhaustion
|
||||
tcp dport { 22, 80, 443 } tcp flags syn limit rate over {{synproxy_threshold}}/second burst {{synproxy_threshold}} packets counter notrack accept
|
||||
tcp dport $tcp-ports-full tcp flags syn limit rate over {{synproxy_threshold}}/second burst {{synproxy_threshold}} packets counter notrack accept
|
||||
|
||||
meta l4proto { tcp, udp } accept
|
||||
icmp type { echo-reply, destination-unreachable, echo-request, time-exceeded, parameter-problem } notrack accept
|
||||
|
|
@ -62,7 +65,7 @@ table inet filter {
|
|||
ip dscp set cs0
|
||||
ip6 dscp set cs0
|
||||
|
||||
tcp dport { 22, 80, 443 } goto input-tcp-service
|
||||
tcp dport $tcp-ports-full goto input-tcp-service
|
||||
ct state vmap { invalid : drop, established : accept, related : accept, new : drop, untracked: accept }
|
||||
}
|
||||
|
||||
|
|
@ -74,16 +77,16 @@ table inet filter {
|
|||
|
||||
tcp dport 22 ip saddr @ip-connlimit-ssh counter reject with tcp reset
|
||||
tcp dport 22 ip6 saddr and ffff:ffff:ffff:ffff:: @ip6-connlimit-ssh counter reject with tcp reset
|
||||
tcp dport { 80, 443 } ip saddr @ip-connlimit-main counter reject with tcp reset
|
||||
tcp dport { 80, 443 } ip6 saddr and ffff:ffff:ffff:ffff:: @ip6-connlimit-main counter reject with tcp reset
|
||||
tcp dport $tcp-ports ip saddr @ip-connlimit-main counter reject with tcp reset
|
||||
tcp dport $tcp-ports ip6 saddr and ffff:ffff:ffff:ffff:: @ip6-connlimit-main counter reject with tcp reset
|
||||
synproxy mss 1460 wscale 7 timestamp sack-perm
|
||||
}
|
||||
|
||||
chain input-tcp-service-new {
|
||||
tcp dport 22 ip saddr @ip-connlimit-ssh counter reject with tcp reset
|
||||
tcp dport 22 ip6 saddr and ffff:ffff:ffff:ffff:: @ip6-connlimit-ssh counter reject with tcp reset
|
||||
tcp dport { 80, 443 } ip saddr @ip-connlimit-main counter reject with tcp reset
|
||||
tcp dport { 80, 443 } ip6 saddr and ffff:ffff:ffff:ffff:: @ip6-connlimit-main counter reject with tcp reset
|
||||
tcp dport $tcp-ports ip saddr @ip-connlimit-main counter reject with tcp reset
|
||||
tcp dport $tcp-ports ip6 saddr and ffff:ffff:ffff:ffff:: @ip6-connlimit-main counter reject with tcp reset
|
||||
accept
|
||||
}
|
||||
|
||||
|
|
@ -92,8 +95,8 @@ table inet filter {
|
|||
ct mark 0x1 accept
|
||||
tcp dport 22 ip saddr != $ip-allowlist-ssh add @ip-connlimit-ssh { ip saddr ct count over 1 } counter reject with tcp reset
|
||||
tcp dport 22 ip6 saddr != $ip6-allowlist-ssh add @ip6-connlimit-ssh { ip6 saddr and ffff:ffff:ffff:ffff:: ct count over 1 } counter reject with tcp reset
|
||||
tcp dport { 80, 443 } add @ip-connlimit-main { ip saddr ct count over 32 } counter reject with tcp reset
|
||||
tcp dport { 80, 443 } add @ip6-connlimit-main { ip6 saddr and ffff:ffff:ffff:ffff:: ct count over 32 } counter reject with tcp reset
|
||||
tcp dport $tcp-ports add @ip-connlimit-main { ip saddr ct count over 32 } counter reject with tcp reset
|
||||
tcp dport $tcp-ports add @ip6-connlimit-main { ip6 saddr and ffff:ffff:ffff:ffff:: ct count over 32 } counter reject with tcp reset
|
||||
ct mark set 0x1 accept
|
||||
}
|
||||
|
||||
|
|
@ -102,8 +105,8 @@ table inet filter {
|
|||
tcp flags != syn accept
|
||||
tcp dport 22 ip saddr != $ip-allowlist-ssh add @ip-connlimit-ssh { ip saddr ct count over 1 } counter reject with tcp reset
|
||||
tcp dport 22 ip6 saddr != $ip6-allowlist-ssh add @ip6-connlimit-ssh { ip6 saddr and ffff:ffff:ffff:ffff:: ct count over 1 } counter reject with tcp reset
|
||||
tcp dport { 80, 443 } add @ip-connlimit-main { ip saddr ct count over 32 } counter reject with tcp reset
|
||||
tcp dport { 80, 443 } add @ip6-connlimit-main { ip6 saddr and ffff:ffff:ffff:ffff:: ct count over 32 } counter reject with tcp reset
|
||||
tcp dport $tcp-ports add @ip-connlimit-main { ip saddr ct count over 32 } counter reject with tcp reset
|
||||
tcp dport $tcp-ports add @ip6-connlimit-main { ip6 saddr and ffff:ffff:ffff:ffff:: ct count over 32 } counter reject with tcp reset
|
||||
ct mark set 0x1 accept
|
||||
}
|
||||
|
||||
|
|
|
|||
Loading…
Add table
Add a link
Reference in a new issue