diff --git a/etc/nftables/nftables-attestation.conf b/etc/nftables/nftables-attestation.conf
index 92f0349..a27fced 100644
--- a/etc/nftables/nftables-attestation.conf
+++ b/etc/nftables/nftables-attestation.conf
@@ -3,6 +3,9 @@ flush ruleset
 table inet filter {
+ define tcp-ports = { 80, 443 }
+ define tcp-ports-full = { 22, $tcp-ports }
+
 define ip-allowlist-ssh = {
 {{ssh_ipv4}},
 }
@@ -46,7 +49,7 @@ table inet filter {
 fib daddr . iif type != { local, broadcast, multicast } counter drop
 # handle new TCP connections beyond rate limit via synproxy to avoid conntrack table exhaustion
- tcp dport { 22, 80, 443 } tcp flags syn limit rate over {{synproxy_threshold}}/second burst {{synproxy_threshold}} packets counter notrack accept
+ tcp dport $tcp-ports-full tcp flags syn limit rate over {{synproxy_threshold}}/second burst {{synproxy_threshold}} packets counter notrack accept
 meta l4proto { tcp, udp } accept
 icmp type { echo-reply, destination-unreachable, echo-request, time-exceeded, parameter-problem } notrack accept
@@ -60,7 +63,7 @@ table inet filter {
 ip dscp set cs0
 ip6 dscp set cs0
- tcp dport { 22, 80, 443 } goto input-tcp-service
+ tcp dport $tcp-ports-full goto input-tcp-service
 ct state vmap { invalid : drop, established : accept, related : accept, new : drop, untracked: accept }
 }
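Review bot: `define tcp-ports-full = { 22, $tcp-ports }` still hard-codes the SSH port that the per-SSH rules in the later hunks (`tcp dport 22 ip saddr @ip-connlimit-ssh …`, `tcp dport 22 ip saddr != $ip-allowlist-ssh …`) also spell out literally, so the refactor removes only half of the duplicated port data. Consider `define ssh-port = 22` next to the new defines, `define tcp-ports-full = { $ssh-port, $tcp-ports }`, and `tcp dport $ssh-port …` in the SSH connlimit and allowlist rules, so a future SSH port change cannot leave one of those rules guarding the old port while the service chain admits the new one. The same pattern applies to the define hunk of every other file in this commit (discuss, mail, matrix, network, ns1, ns2, releases). The enclosing `table inet filter` block continues outside the hunk.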
@@ -72,16 +75,16 @@ table inet filter {
 tcp dport 22 ip saddr @ip-connlimit-ssh counter reject with tcp reset
 tcp dport 22 ip6 saddr and ffff:ffff:ffff:ffff:: @ip6-connlimit-ssh counter reject with tcp reset
- tcp dport { 80, 443 } ip saddr @ip-connlimit-main counter reject with tcp reset
- tcp dport { 80, 443 } ip6 saddr and ffff:ffff:ffff:ffff:: @ip6-connlimit-main counter reject with tcp reset
+ tcp dport $tcp-ports ip saddr @ip-connlimit-main counter reject with tcp reset
+ tcp dport $tcp-ports ip6 saddr and ffff:ffff:ffff:ffff:: @ip6-connlimit-main counter reject with tcp reset
 synproxy mss 1460 wscale 7 timestamp sack-perm
 }
 chain input-tcp-service-new {
 tcp dport 22 ip saddr @ip-connlimit-ssh counter reject with tcp reset
 tcp dport 22 ip6 saddr and ffff:ffff:ffff:ffff:: @ip6-connlimit-ssh counter reject with tcp reset
- tcp dport { 80, 443 } ip saddr @ip-connlimit-main counter reject with tcp reset
- tcp dport { 80, 443 } ip6 saddr and ffff:ffff:ffff:ffff:: @ip6-connlimit-main counter reject with tcp reset
+ tcp dport $tcp-ports ip saddr @ip-connlimit-main counter reject with tcp reset
+ tcp dport $tcp-ports ip6 saddr and ffff:ffff:ffff:ffff:: @ip6-connlimit-main counter reject with tcp reset
 accept
 }
@@ -90,8 +93,8 @@ table inet filter {
 ct mark 0x1 accept
 tcp dport 22 ip saddr != $ip-allowlist-ssh add @ip-connlimit-ssh { ip saddr ct count over 1 } counter reject with tcp reset
 tcp dport 22 ip6 saddr != $ip6-allowlist-ssh add @ip6-connlimit-ssh { ip6 saddr and ffff:ffff:ffff:ffff:: ct count over 1 } counter reject with tcp reset
- tcp dport { 80, 443 } add @ip-connlimit-main { ip saddr ct count over 32 } counter reject with tcp reset
- tcp dport { 80, 443 } add @ip6-connlimit-main { ip6 saddr and ffff:ffff:ffff:ffff:: ct count over 32 } counter reject with tcp reset
+ tcp dport $tcp-ports add @ip-connlimit-main { ip saddr ct count over 32 } counter reject with tcp reset
+ tcp dport $tcp-ports add @ip6-connlimit-main { ip6 saddr and ffff:ffff:ffff:ffff:: ct count over 32 } counter reject with tcp reset
 ct mark set 0x1 accept
 }
@@ -100,8 +103,8 @@ table inet filter {
 tcp flags != syn accept
 tcp dport 22 ip saddr != $ip-allowlist-ssh add @ip-connlimit-ssh { ip saddr ct count over 1 } counter reject with tcp reset
 tcp dport 22 ip6 saddr != $ip6-allowlist-ssh add @ip6-connlimit-ssh { ip6 saddr and ffff:ffff:ffff:ffff:: ct count over 1 } counter reject with tcp reset
- tcp dport { 80, 443 } add @ip-connlimit-main { ip saddr ct count over 32 } counter reject with tcp reset
- tcp dport { 80, 443 } add @ip6-connlimit-main { ip6 saddr and ffff:ffff:ffff:ffff:: ct count over 32 } counter reject with tcp reset
+ tcp dport $tcp-ports add @ip-connlimit-main { ip saddr ct count over 32 } counter reject with tcp reset
+ tcp dport $tcp-ports add @ip6-connlimit-main { ip6 saddr and ffff:ffff:ffff:ffff:: ct count over 32 } counter reject with tcp reset
 ct mark set 0x1 accept
 }
diff --git a/etc/nftables/nftables-discuss.conf b/etc/nftables/nftables-discuss.conf
index e48a542..b39cc6d 100644
--- a/etc/nftables/nftables-discuss.conf
+++ b/etc/nftables/nftables-discuss.conf
@@ -3,6 +3,9 @@ flush ruleset
 table inet filter {
+ define tcp-ports = { 80, 443 }
+ define tcp-ports-full = { 22, $tcp-ports }
+
 define ip-allowlist-ssh = {
 {{ssh_ipv4}},
 }
@@ -49,7 +52,7 @@ table inet filter {
 meta nfproto ipv6 tcp dport {80, 443} drop
 # handle new TCP connections beyond rate limit via synproxy to avoid conntrack table exhaustion
- tcp dport { 22, 80, 443 } tcp flags syn limit rate over {{synproxy_threshold}}/second burst {{synproxy_threshold}} packets counter notrack accept
+ tcp dport $tcp-ports-full tcp flags syn limit rate over {{synproxy_threshold}}/second burst {{synproxy_threshold}} packets counter notrack accept
 meta l4proto { tcp, udp } accept
 icmp type { echo-reply, destination-unreachable, echo-request, time-exceeded, parameter-problem } notrack accept
@@ -63,7 +66,7 @@ table inet filter {
 ip dscp set cs0
 ip6 dscp set cs0
- tcp dport { 22, 80, 443 } goto input-tcp-service
+ tcp dport $tcp-ports-full goto input-tcp-service
 ct state vmap { invalid : drop, established : accept, related : accept, new : drop, untracked: accept }
 }
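Review bot: The IPv6 drop rule `meta nfproto ipv6 tcp dport {80, 443} drop` in the `@@ -49,7 +52,7` hunk keeps a literal port set while the synproxy rule directly below it now matches on `$tcp-ports-full`, so the two lists can drift apart. If `tcp-ports` is later extended, the new port would be admitted to the service chain over IPv6 without passing this drop, which appears to exist precisely to keep the service IPv4-only (inferred from the rule, not stated on the page). Changing it to `meta nfproto ipv6 tcp dport $tcp-ports drop` keeps the drop bound to the same set the accept rules use. The enclosing chain starts and ends outside the hunk.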
@@ -75,16 +78,16 @@ table inet filter {
 tcp dport 22 ip saddr @ip-connlimit-ssh counter reject with tcp reset
 tcp dport 22 ip6 saddr and ffff:ffff:ffff:ffff:: @ip6-connlimit-ssh counter reject with tcp reset
- tcp dport { 80, 443 } ip saddr @ip-connlimit-main counter reject with tcp reset
- tcp dport { 80, 443 } ip6 saddr and ffff:ffff:ffff:ffff:: @ip6-connlimit-main counter reject with tcp reset
+ tcp dport $tcp-ports ip saddr @ip-connlimit-main counter reject with tcp reset
+ tcp dport $tcp-ports ip6 saddr and ffff:ffff:ffff:ffff:: @ip6-connlimit-main counter reject with tcp reset
 synproxy mss 1460 wscale 7 timestamp sack-perm
 }
 chain input-tcp-service-new {
 tcp dport 22 ip saddr @ip-connlimit-ssh counter reject with tcp reset
 tcp dport 22 ip6 saddr and ffff:ffff:ffff:ffff:: @ip6-connlimit-ssh counter reject with tcp reset
- tcp dport { 80, 443 } ip saddr @ip-connlimit-main counter reject with tcp reset
- tcp dport { 80, 443 } ip6 saddr and ffff:ffff:ffff:ffff:: @ip6-connlimit-main counter reject with tcp reset
+ tcp dport $tcp-ports ip saddr @ip-connlimit-main counter reject with tcp reset
+ tcp dport $tcp-ports ip6 saddr and ffff:ffff:ffff:ffff:: @ip6-connlimit-main counter reject with tcp reset
 accept
 }
@@ -93,8 +96,8 @@ table inet filter {
 ct mark 0x1 accept
 tcp dport 22 ip saddr != $ip-allowlist-ssh add @ip-connlimit-ssh { ip saddr ct count over 1 } counter reject with tcp reset
 tcp dport 22 ip6 saddr != $ip6-allowlist-ssh add @ip6-connlimit-ssh { ip6 saddr and ffff:ffff:ffff:ffff:: ct count over 1 } counter reject with tcp reset
- tcp dport { 80, 443 } add @ip-connlimit-main { ip saddr ct count over 32 } counter reject with tcp reset
- tcp dport { 80, 443 } add @ip6-connlimit-main { ip6 saddr and ffff:ffff:ffff:ffff:: ct count over 32 } counter reject with tcp reset
+ tcp dport $tcp-ports add @ip-connlimit-main { ip saddr ct count over 32 } counter reject with tcp reset
+ tcp dport $tcp-ports add @ip6-connlimit-main { ip6 saddr and ffff:ffff:ffff:ffff:: ct count over 32 } counter reject with tcp reset
 ct mark set 0x1 accept
 }
@@ -103,8 +106,8 @@ table inet filter {
 tcp flags != syn accept
 tcp dport 22 ip saddr != $ip-allowlist-ssh add @ip-connlimit-ssh { ip saddr ct count over 1 } counter reject with tcp reset
 tcp dport 22 ip6 saddr != $ip6-allowlist-ssh add @ip6-connlimit-ssh { ip6 saddr and ffff:ffff:ffff:ffff:: ct count over 1 } counter reject with tcp reset
- tcp dport { 80, 443 } add @ip-connlimit-main { ip saddr ct count over 32 } counter reject with tcp reset
- tcp dport { 80, 443 } add @ip6-connlimit-main { ip6 saddr and ffff:ffff:ffff:ffff:: ct count over 32 } counter reject with tcp reset
+ tcp dport $tcp-ports add @ip-connlimit-main { ip saddr ct count over 32 } counter reject with tcp reset
+ tcp dport $tcp-ports add @ip6-connlimit-main { ip6 saddr and ffff:ffff:ffff:ffff:: ct count over 32 } counter reject with tcp reset
 ct mark set 0x1 accept
 }
diff --git a/etc/nftables/nftables-mail.conf b/etc/nftables/nftables-mail.conf
index 822bfa8..ee9166d 100644
--- a/etc/nftables/nftables-mail.conf
+++ b/etc/nftables/nftables-mail.conf
@@ -3,6 +3,9 @@ flush ruleset
 table inet filter {
+ define tcp-ports = { 25, 80, 443, 465, 993 }
+ define tcp-ports-full = { 22, $tcp-ports }
+
 define ip-allowlist-ssh = {
 {{ssh_ipv4}},
 }
@@ -58,7 +61,7 @@ table inet filter {
 fib daddr . iif type != { local, broadcast, multicast } counter drop
 # handle new TCP connections beyond rate limit via synproxy to avoid conntrack table exhaustion
- tcp dport { 22, 25, 80, 443, 465, 993 } tcp flags syn limit rate over {{synproxy_threshold}}/second burst {{synproxy_threshold}} packets counter notrack accept
+ tcp dport $tcp-ports-full tcp flags syn limit rate over {{synproxy_threshold}}/second burst {{synproxy_threshold}} packets counter notrack accept
 meta l4proto { tcp, udp } accept
 icmp type { echo-reply, destination-unreachable, echo-request, time-exceeded, parameter-problem } notrack accept
@@ -72,7 +75,7 @@ table inet filter {
 ip dscp set cs0
 ip6 dscp set cs0
- tcp dport { 22, 25, 80, 443, 465, 993 } goto input-tcp-service
+ tcp dport $tcp-ports-full goto input-tcp-service
 ct state vmap { invalid : drop, established : accept, related : accept, new : drop, untracked: accept }
 }
@@ -84,16 +87,16 @@ table inet filter {
 tcp dport 22 ip saddr @ip-connlimit-ssh counter reject with tcp reset
 tcp dport 22 ip6 saddr and ffff:ffff:ffff:ffff:: @ip6-connlimit-ssh counter reject with tcp reset
- tcp dport { 25, 80, 443, 465, 993 } ip saddr @ip-connlimit-main counter reject with tcp reset
- tcp dport { 25, 80, 443, 465, 993 } ip6 saddr and ffff:ffff:ffff:ffff:: @ip6-connlimit-main counter reject with tcp reset
+ tcp dport $tcp-ports ip saddr @ip-connlimit-main counter reject with tcp reset
+ tcp dport $tcp-ports ip6 saddr and ffff:ffff:ffff:ffff:: @ip6-connlimit-main counter reject with tcp reset
 synproxy mss 1460 wscale 7 timestamp sack-perm
 }
 chain input-tcp-service-new {
 tcp dport 22 ip saddr @ip-connlimit-ssh counter reject with tcp reset
 tcp dport 22 ip6 saddr and ffff:ffff:ffff:ffff:: @ip6-connlimit-ssh counter reject with tcp reset
- tcp dport { 25, 80, 443, 465, 993 } ip saddr @ip-connlimit-main counter reject with tcp reset
- tcp dport { 25, 80, 443, 465, 993 } ip6 saddr and ffff:ffff:ffff:ffff:: @ip6-connlimit-main counter reject with tcp reset
+ tcp dport $tcp-ports ip saddr @ip-connlimit-main counter reject with tcp reset
+ tcp dport $tcp-ports ip6 saddr and ffff:ffff:ffff:ffff:: @ip6-connlimit-main counter reject with tcp reset
 accept
 }
@@ -102,8 +105,8 @@ table inet filter {
 ct mark 0x1 accept
 tcp dport 22 ip saddr != $ip-allowlist-ssh add @ip-connlimit-ssh { ip saddr ct count over 1 } counter reject with tcp reset
 tcp dport 22 ip6 saddr != $ip6-allowlist-ssh add @ip6-connlimit-ssh { ip6 saddr and ffff:ffff:ffff:ffff:: ct count over 1 } counter reject with tcp reset
- tcp dport { 25, 80, 443, 465, 993 } ip saddr != $ip-allowlist-main add @ip-connlimit-main { ip saddr ct count over 32 } counter reject with tcp reset
- tcp dport { 25, 80, 443, 465, 993 } ip6 saddr != $ip6-allowlist-main add @ip6-connlimit-main { ip6 saddr and ffff:ffff:ffff:ffff:: ct count over 32 } counter reject with tcp reset
+ tcp dport $tcp-ports ip saddr != $ip-allowlist-main add @ip-connlimit-main { ip saddr ct count over 32 } counter reject with tcp reset
+ tcp dport $tcp-ports ip6 saddr != $ip6-allowlist-main add @ip6-connlimit-main { ip6 saddr and ffff:ffff:ffff:ffff:: ct count over 32 } counter reject with tcp reset
 ct mark set 0x1 accept
 }
@@ -112,8 +115,8 @@ table inet filter {
 tcp flags != syn accept
 tcp dport 22 ip saddr != $ip-allowlist-ssh add @ip-connlimit-ssh { ip saddr ct count over 1 } counter reject with tcp reset
 tcp dport 22 ip6 saddr != $ip6-allowlist-ssh add @ip6-connlimit-ssh { ip6 saddr and ffff:ffff:ffff:ffff:: ct count over 1 } counter reject with tcp reset
- tcp dport { 25, 80, 443, 465, 993 } ip saddr != $ip-allowlist-main add @ip-connlimit-main { ip saddr ct count over 32 } counter reject with tcp reset
- tcp dport { 25, 80, 443, 465, 993 } ip6 saddr != $ip6-allowlist-main add @ip6-connlimit-main { ip6 saddr and ffff:ffff:ffff:ffff:: ct count over 32 } counter reject with tcp reset
+ tcp dport $tcp-ports ip saddr != $ip-allowlist-main add @ip-connlimit-main { ip saddr ct count over 32 } counter reject with tcp reset
+ tcp dport $tcp-ports ip6 saddr != $ip6-allowlist-main add @ip6-connlimit-main { ip6 saddr and ffff:ffff:ffff:ffff:: ct count over 32 } counter reject with tcp reset
 ct mark set 0x1 accept
 }
diff --git a/etc/nftables/nftables-matrix.conf b/etc/nftables/nftables-matrix.conf
index a28a8fd..cebf23a 100644
--- a/etc/nftables/nftables-matrix.conf
+++ b/etc/nftables/nftables-matrix.conf
@@ -3,6 +3,9 @@ flush ruleset
 table inet filter {
+ define tcp-ports = { 80, 443 }
+ define tcp-ports-full = { 22, $tcp-ports }
+
 define ip-allowlist-ssh = {
 {{ssh_ipv4}},
 }
@@ -46,7 +49,7 @@ table inet filter {
 fib daddr . iif type != { local, broadcast, multicast } counter drop
 # handle new TCP connections beyond rate limit via synproxy to avoid conntrack table exhaustion
- tcp dport { 22, 80, 443 } tcp flags syn limit rate over {{synproxy_threshold}}/second burst {{synproxy_threshold}} packets counter notrack accept
+ tcp dport $tcp-ports-full tcp flags syn limit rate over {{synproxy_threshold}}/second burst {{synproxy_threshold}} packets counter notrack accept
 meta l4proto { tcp, udp } accept
 icmp type { echo-reply, destination-unreachable, echo-request, time-exceeded, parameter-problem } notrack accept
@@ -60,7 +63,7 @@ table inet filter {
 ip dscp set cs0
 ip6 dscp set cs0
- tcp dport { 22, 80, 443 } goto input-tcp-service
+ tcp dport $tcp-ports-full goto input-tcp-service
 ct state vmap { invalid : drop, established : accept, related : accept, new : drop, untracked: accept }
 }
@@ -72,16 +75,16 @@ table inet filter {
 tcp dport 22 ip saddr @ip-connlimit-ssh counter reject with tcp reset
 tcp dport 22 ip6 saddr and ffff:ffff:ffff:ffff:: @ip6-connlimit-ssh counter reject with tcp reset
- tcp dport { 80, 443 } ip saddr @ip-connlimit-main counter reject with tcp reset
- tcp dport { 80, 443 } ip6 saddr and ffff:ffff:ffff:ffff:: @ip6-connlimit-main counter reject with tcp reset
+ tcp dport $tcp-ports ip saddr @ip-connlimit-main counter reject with tcp reset
+ tcp dport $tcp-ports ip6 saddr and ffff:ffff:ffff:ffff:: @ip6-connlimit-main counter reject with tcp reset
 synproxy mss 1460 wscale 7 timestamp sack-perm
 }
 chain input-tcp-service-new {
 tcp dport 22 ip saddr @ip-connlimit-ssh counter reject with tcp reset
 tcp dport 22 ip6 saddr and ffff:ffff:ffff:ffff:: @ip6-connlimit-ssh counter reject with tcp reset
- tcp dport { 80, 443 } ip saddr @ip-connlimit-main counter reject with tcp reset
- tcp dport { 80, 443 } ip6 saddr and ffff:ffff:ffff:ffff:: @ip6-connlimit-main counter reject with tcp reset
+ tcp dport $tcp-ports ip saddr @ip-connlimit-main counter reject with tcp reset
+ tcp dport $tcp-ports ip6 saddr and ffff:ffff:ffff:ffff:: @ip6-connlimit-main counter reject with tcp reset
 accept
 }
@@ -90,8 +93,8 @@ table inet filter {
 ct mark 0x1 accept
 tcp dport 22 ip saddr != $ip-allowlist-ssh add @ip-connlimit-ssh { ip saddr ct count over 1 } counter reject with tcp reset
 tcp dport 22 ip6 saddr != $ip6-allowlist-ssh add @ip6-connlimit-ssh { ip6 saddr and ffff:ffff:ffff:ffff:: ct count over 1 } counter reject with tcp reset
- tcp dport { 80, 443 } add @ip-connlimit-main { ip saddr ct count over 32 } counter reject with tcp reset
- tcp dport { 80, 443 } add @ip6-connlimit-main { ip6 saddr and ffff:ffff:ffff:ffff:: ct count over 32 } counter reject with tcp reset
+ tcp dport $tcp-ports add @ip-connlimit-main { ip saddr ct count over 32 } counter reject with tcp reset
+ tcp dport $tcp-ports add @ip6-connlimit-main { ip6 saddr and ffff:ffff:ffff:ffff:: ct count over 32 } counter reject with tcp reset
 ct mark set 0x1 accept
 }
@@ -100,8 +103,8 @@ table inet filter {
 tcp flags != syn accept
 tcp dport 22 ip saddr != $ip-allowlist-ssh add @ip-connlimit-ssh { ip saddr ct count over 1 } counter reject with tcp reset
 tcp dport 22 ip6 saddr != $ip6-allowlist-ssh add @ip6-connlimit-ssh { ip6 saddr and ffff:ffff:ffff:ffff:: ct count over 1 } counter reject with tcp reset
- tcp dport { 80, 443 } add @ip-connlimit-main { ip saddr ct count over 32 } counter reject with tcp reset
- tcp dport { 80, 443 } add @ip6-connlimit-main { ip6 saddr and ffff:ffff:ffff:ffff:: ct count over 32 } counter reject with tcp reset
+ tcp dport $tcp-ports add @ip-connlimit-main { ip saddr ct count over 32 } counter reject with tcp reset
+ tcp dport $tcp-ports add @ip6-connlimit-main { ip6 saddr and ffff:ffff:ffff:ffff:: ct count over 32 } counter reject with tcp reset
 ct mark set 0x1 accept
 }
diff --git a/etc/nftables/nftables-network.conf b/etc/nftables/nftables-network.conf
index 28b5e01..7b3f5f9 100644
--- a/etc/nftables/nftables-network.conf
+++ b/etc/nftables/nftables-network.conf
@@ -3,6 +3,10 @@ flush ruleset
 table inet filter {
+ define tcp-ports = { 80, 443, 7275 }
+ define tcp-ports-full = { 22, $tcp-ports }
+ define udp-ports = 123
+
 define ip-allowlist-ssh = {
 {{ssh_ipv4}},
 51.222.159.116, # 0.grapheneos.network
@@ -48,9 +52,9 @@ table inet filter {
 fib daddr . iif type != { local, broadcast, multicast } counter drop
 # handle new TCP connections beyond rate limit via synproxy to avoid conntrack table exhaustion
- tcp dport { 22, 80, 443, 7275 } tcp flags syn limit rate over {{synproxy_threshold}}/second burst {{synproxy_threshold}} packets counter notrack accept
+ tcp dport $tcp-ports-full tcp flags syn limit rate over {{synproxy_threshold}}/second burst {{synproxy_threshold}} packets counter notrack accept
- udp dport 123 notrack accept
+ udp dport $udp-ports notrack accept
 meta l4proto { tcp, udp } accept
 icmp type { echo-reply, destination-unreachable, echo-request, time-exceeded, parameter-problem } notrack accept
@@ -64,7 +68,7 @@ table inet filter {
 ip dscp set cs0
 ip6 dscp set cs0
- tcp dport { 22, 80, 443, 7275 } goto input-tcp-service
+ tcp dport $tcp-ports-full goto input-tcp-service
 ct state vmap { invalid : drop, established : accept, related : accept, new : drop, untracked: accept }
 }
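Review bot: `define udp-ports = 123` is referenced both by the input rule `udp dport $udp-ports notrack accept` in the `@@ -48,9 +52,9` hunk and by the output rule `udp sport $udp-ports notrack accept` in the `@@ -119,7 +123,7` hunk, so a single define now decides which inbound UDP ports are accepted untracked and which outbound source ports bypass the `graceful-reject` egress policy. Any later addition to the define for one direction silently widens the other, which is easy to miss because the two uses are far apart. Either split it into `define udp-ports-in = 123` and `define udp-ports-out = 123`, or put a comment on the define such as `# served on this port (input dport) and answered from it (output sport); both directions change together`. The same coupling is introduced in nftables-ns1.conf and nftables-ns2.conf with `define udp-ports = 53`.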
@@ -76,16 +80,16 @@ table inet filter {
 tcp dport 22 ip saddr @ip-connlimit-ssh counter reject with tcp reset
 tcp dport 22 ip6 saddr and ffff:ffff:ffff:ffff:: @ip6-connlimit-ssh counter reject with tcp reset
- tcp dport { 80, 443, 7275 } ip saddr @ip-connlimit-main counter reject with tcp reset
- tcp dport { 80, 443, 7275 } ip6 saddr and ffff:ffff:ffff:ffff:: @ip6-connlimit-main counter reject with tcp reset
+ tcp dport $tcp-ports ip saddr @ip-connlimit-main counter reject with tcp reset
+ tcp dport $tcp-ports ip6 saddr and ffff:ffff:ffff:ffff:: @ip6-connlimit-main counter reject with tcp reset
 synproxy mss 1460 wscale 7 timestamp sack-perm
 }
 chain input-tcp-service-new {
 tcp dport 22 ip saddr @ip-connlimit-ssh counter reject with tcp reset
 tcp dport 22 ip6 saddr and ffff:ffff:ffff:ffff:: @ip6-connlimit-ssh counter reject with tcp reset
- tcp dport { 80, 443, 7275 } ip saddr @ip-connlimit-main counter reject with tcp reset
- tcp dport { 80, 443, 7275 } ip6 saddr and ffff:ffff:ffff:ffff:: @ip6-connlimit-main counter reject with tcp reset
+ tcp dport $tcp-ports ip saddr @ip-connlimit-main counter reject with tcp reset
+ tcp dport $tcp-ports ip6 saddr and ffff:ffff:ffff:ffff:: @ip6-connlimit-main counter reject with tcp reset
 accept
 }
@@ -94,8 +98,8 @@ table inet filter {
 ct mark 0x1 accept
 tcp dport 22 ip saddr != $ip-allowlist-ssh add @ip-connlimit-ssh { ip saddr ct count over 1 } counter reject with tcp reset
 tcp dport 22 ip6 saddr != $ip6-allowlist-ssh add @ip6-connlimit-ssh { ip6 saddr and ffff:ffff:ffff:ffff:: ct count over 1 } counter reject with tcp reset
- tcp dport { 80, 443, 7275 } add @ip-connlimit-main { ip saddr ct count over 32 } counter reject with tcp reset
- tcp dport { 80, 443, 7275 } add @ip6-connlimit-main { ip6 saddr and ffff:ffff:ffff:ffff:: ct count over 32 } counter reject with tcp reset
+ tcp dport $tcp-ports add @ip-connlimit-main { ip saddr ct count over 32 } counter reject with tcp reset
+ tcp dport $tcp-ports add @ip6-connlimit-main { ip6 saddr and ffff:ffff:ffff:ffff:: ct count over 32 } counter reject with tcp reset
 ct mark set 0x1 accept
 }
@@ -104,8 +108,8 @@ table inet filter {
 tcp flags != syn accept
 tcp dport 22 ip saddr != $ip-allowlist-ssh add @ip-connlimit-ssh { ip saddr ct count over 1 } counter reject with tcp reset
 tcp dport 22 ip6 saddr != $ip6-allowlist-ssh add @ip6-connlimit-ssh { ip6 saddr and ffff:ffff:ffff:ffff:: ct count over 1 } counter reject with tcp reset
- tcp dport { 80, 443, 7275 } add @ip-connlimit-main { ip saddr ct count over 32 } counter reject with tcp reset
- tcp dport { 80, 443, 7275 } add @ip6-connlimit-main { ip6 saddr and ffff:ffff:ffff:ffff:: ct count over 32 } counter reject with tcp reset
+ tcp dport $tcp-ports add @ip-connlimit-main { ip saddr ct count over 32 } counter reject with tcp reset
+ tcp dport $tcp-ports add @ip6-connlimit-main { ip6 saddr and ffff:ffff:ffff:ffff:: ct count over 32 } counter reject with tcp reset
 ct mark set 0x1 accept
 }
@@ -119,7 +123,7 @@ table inet filter {
 oif lo goto output-raw-loopback
 skuid != { root, systemd-network, unbound, alpm, chrony, http } counter goto graceful-reject
- udp sport 123 notrack accept
+ udp sport $udp-ports notrack accept
 meta l4proto { icmp, ipv6-icmp } notrack accept
 }
diff --git a/etc/nftables/nftables-ns1.conf b/etc/nftables/nftables-ns1.conf
index 5b789cc..c0d6521 100644
--- a/etc/nftables/nftables-ns1.conf
+++ b/etc/nftables/nftables-ns1.conf
@@ -3,6 +3,10 @@ flush ruleset
 table inet filter {
+ define tcp-ports = { 53, 80, 443, 853 }
+ define tcp-ports-full = { 22, $tcp-ports }
+ define udp-ports = 53
+
 define ip-anycast = 185.187.152.9
 define ip6-anycast = 2a05:b0c4:1::8
@@ -50,13 +54,13 @@ table inet filter {
 # ordered after accepting loopback to permit using external IPs via loopback
 fib daddr . iif type != { local, broadcast, multicast } counter drop
- udp dport 53 notrack accept
+ udp dport $udp-ports notrack accept
 tcp dport 22 ip daddr $ip-anycast drop
 tcp dport 22 ip6 daddr $ip6-anycast drop
 # handle new TCP connections beyond rate limit via synproxy to avoid conntrack table exhaustion
- tcp dport { 22, 53, 80, 443, 853 } tcp flags syn limit rate over {{synproxy_threshold}}/second burst {{synproxy_threshold}} packets counter notrack accept
+ tcp dport $tcp-ports-full tcp flags syn limit rate over {{synproxy_threshold}}/second burst {{synproxy_threshold}} packets counter notrack accept
 meta l4proto { tcp, udp } accept
 icmp type { echo-reply, destination-unreachable, echo-request, time-exceeded, parameter-problem } notrack accept
@@ -70,7 +74,7 @@ table inet filter {
 ip dscp set cs0
 ip6 dscp set cs0
- tcp dport { 22, 53, 80, 443, 853 } goto input-tcp-service
+ tcp dport $tcp-ports-full goto input-tcp-service
 ct state vmap { invalid : drop, established : accept, related : accept, new : drop, untracked: accept }
 }
@@ -82,16 +86,16 @@ table inet filter {
 tcp dport 22 ip saddr @ip-connlimit-ssh counter reject with tcp reset
 tcp dport 22 ip6 saddr and ffff:ffff:ffff:ffff:: @ip6-connlimit-ssh counter reject with tcp reset
- tcp dport { 53, 80, 443, 853 } ip saddr @ip-connlimit-main counter reject with tcp reset
- tcp dport { 53, 80, 443, 853 } ip6 saddr and ffff:ffff:ffff:ffff:: @ip6-connlimit-main counter reject with tcp reset
+ tcp dport $tcp-ports ip saddr @ip-connlimit-main counter reject with tcp reset
+ tcp dport $tcp-ports ip6 saddr and ffff:ffff:ffff:ffff:: @ip6-connlimit-main counter reject with tcp reset
 synproxy mss 1460 wscale 7 timestamp sack-perm
 }
 chain input-tcp-service-new {
 tcp dport 22 ip saddr @ip-connlimit-ssh counter reject with tcp reset
 tcp dport 22 ip6 saddr and ffff:ffff:ffff:ffff:: @ip6-connlimit-ssh counter reject with tcp reset
- tcp dport { 53, 80, 443, 853 } ip saddr @ip-connlimit-main counter reject with tcp reset
- tcp dport { 53, 80, 443, 853 } ip6 saddr and ffff:ffff:ffff:ffff:: @ip6-connlimit-main counter reject with tcp reset
+ tcp dport $tcp-ports ip saddr @ip-connlimit-main counter reject with tcp reset
+ tcp dport $tcp-ports ip6 saddr and ffff:ffff:ffff:ffff:: @ip6-connlimit-main counter reject with tcp reset
 accept
 }
@@ -100,8 +104,8 @@ table inet filter {
 ct mark 0x1 accept
 tcp dport 22 ip saddr != $ip-allowlist-ssh add @ip-connlimit-ssh { ip saddr ct count over 1 } counter reject with tcp reset
 tcp dport 22 ip6 saddr != $ip6-allowlist-ssh add @ip6-connlimit-ssh { ip6 saddr and ffff:ffff:ffff:ffff:: ct count over 1 } counter reject with tcp reset
- tcp dport { 53, 80, 443, 853 } add @ip-connlimit-main { ip saddr ct count over 16 } counter reject with tcp reset
- tcp dport { 53, 80, 443, 853 } add @ip6-connlimit-main { ip6 saddr and ffff:ffff:ffff:ffff:: ct count over 16 } counter reject with tcp reset
+ tcp dport $tcp-ports add @ip-connlimit-main { ip saddr ct count over 16 } counter reject with tcp reset
+ tcp dport $tcp-ports add @ip6-connlimit-main { ip6 saddr and ffff:ffff:ffff:ffff:: ct count over 16 } counter reject with tcp reset
 ct mark set 0x1 accept
 }
@@ -110,8 +114,8 @@ table inet filter {
 tcp flags != syn accept
 tcp dport 22 ip saddr != $ip-allowlist-ssh add @ip-connlimit-ssh { ip saddr ct count over 1 } counter reject with tcp reset
 tcp dport 22 ip6 saddr != $ip6-allowlist-ssh add @ip6-connlimit-ssh { ip6 saddr and ffff:ffff:ffff:ffff:: ct count over 1 } counter reject with tcp reset
- tcp dport { 53, 80, 443, 853 } add @ip-connlimit-main { ip saddr ct count over 16 } counter reject with tcp reset
- tcp dport { 53, 80, 443, 853 } add @ip6-connlimit-main { ip6 saddr and ffff:ffff:ffff:ffff:: ct count over 16 } counter reject with tcp reset
+ tcp dport $tcp-ports add @ip-connlimit-main { ip saddr ct count over 16 } counter reject with tcp reset
+ tcp dport $tcp-ports add @ip6-connlimit-main { ip6 saddr and ffff:ffff:ffff:ffff:: ct count over 16 } counter reject with tcp reset
 ct mark set 0x1 accept
 }
@@ -125,7 +129,7 @@ table inet filter {
 oif lo goto output-raw-loopback
 skuid != { root, systemd-network, unbound, alpm, chrony, http, powerdns, dnsdist, geoipupdate, zerotier-one, bird } counter goto graceful-reject
- udp sport 53 notrack accept
+ udp sport $udp-ports notrack accept
 meta l4proto { icmp, ipv6-icmp } notrack accept
 }
diff --git a/etc/nftables/nftables-ns2.conf b/etc/nftables/nftables-ns2.conf
index ab72fb0..e4a22cd 100644
--- a/etc/nftables/nftables-ns2.conf
+++ b/etc/nftables/nftables-ns2.conf
@@ -3,6 +3,10 @@ flush ruleset
 table inet filter {
+ define tcp-ports = { 53, 80, 443, 853 }
+ define tcp-ports-full = { 22, $tcp-ports }
+ define udp-ports = 53
+
 define ip-anycast = 198.251.90.93
 define ip-allowlist-ssh = {
@@ -49,12 +53,12 @@ table inet filter {
 # ordered after accepting loopback to permit using external IPs via loopback
 fib daddr . iif type != { local, broadcast, multicast } counter drop
- udp dport 53 notrack accept
+ udp dport $udp-ports notrack accept
 tcp dport 22 ip daddr $ip-anycast drop
 # handle new TCP connections beyond rate limit via synproxy to avoid conntrack table exhaustion
- tcp dport { 22, 53, 80, 443, 853 } tcp flags syn limit rate over {{synproxy_threshold}}/second burst {{synproxy_threshold}} packets counter notrack accept
+ tcp dport $tcp-ports-full tcp flags syn limit rate over {{synproxy_threshold}}/second burst {{synproxy_threshold}} packets counter notrack accept
 meta l4proto { tcp, udp } accept
 icmp type { echo-reply, destination-unreachable, echo-request, time-exceeded, parameter-problem } notrack accept
@@ -68,7 +72,7 @@ table inet filter {
 ip dscp set cs0
 ip6 dscp set cs0
- tcp dport { 22, 53, 80, 443, 853 } goto input-tcp-service
+ tcp dport $tcp-ports-full goto input-tcp-service
 ct state vmap { invalid : drop, established : accept, related : accept, new : drop, untracked: accept }
 }
@@ -80,16 +84,16 @@ table inet filter {
 tcp dport 22 ip saddr @ip-connlimit-ssh counter reject with tcp reset
 tcp dport 22 ip6 saddr and ffff:ffff:ffff:ffff:: @ip6-connlimit-ssh counter reject with tcp reset
- tcp dport { 53, 80, 443, 853 } ip saddr @ip-connlimit-main counter reject with tcp reset
- tcp dport { 53, 80, 443, 853 } ip6 saddr and ffff:ffff:ffff:ffff:: @ip6-connlimit-main counter reject with tcp reset
+ tcp dport $tcp-ports ip saddr @ip-connlimit-main counter reject with tcp reset
+ tcp dport $tcp-ports ip6 saddr and ffff:ffff:ffff:ffff:: @ip6-connlimit-main counter reject with tcp reset
 synproxy mss 1460 wscale 7 timestamp sack-perm
 }
 chain input-tcp-service-new {
 tcp dport 22 ip saddr @ip-connlimit-ssh counter reject with tcp reset
 tcp dport 22 ip6 saddr and ffff:ffff:ffff:ffff:: @ip6-connlimit-ssh counter reject with tcp reset
- tcp dport { 53, 80, 443, 853 } ip saddr @ip-connlimit-main counter reject with tcp reset
- tcp dport { 53, 80, 443, 853 } ip6 saddr and ffff:ffff:ffff:ffff:: @ip6-connlimit-main counter reject with tcp reset
+ tcp dport $tcp-ports ip saddr @ip-connlimit-main counter reject with tcp reset
+ tcp dport $tcp-ports ip6 saddr and ffff:ffff:ffff:ffff:: @ip6-connlimit-main counter reject with tcp reset
 accept
 }
@@ -98,8 +102,8 @@ table inet filter {
 ct mark 0x1 accept
 tcp dport 22 ip saddr != $ip-allowlist-ssh add @ip-connlimit-ssh { ip saddr ct count over 1 } counter reject with tcp reset
 tcp dport 22 ip6 saddr != $ip6-allowlist-ssh add @ip6-connlimit-ssh { ip6 saddr and ffff:ffff:ffff:ffff:: ct count over 1 } counter reject with tcp reset
- tcp dport { 53, 80, 443, 853 } add @ip-connlimit-main { ip saddr ct count over 16 } counter reject with tcp reset
- tcp dport { 53, 80, 443, 853 } add @ip6-connlimit-main { ip6 saddr and ffff:ffff:ffff:ffff:: ct count over 16 } counter reject with tcp reset
+ tcp dport $tcp-ports add @ip-connlimit-main { ip saddr ct count over 16 } counter reject with tcp reset
+ tcp dport $tcp-ports add @ip6-connlimit-main { ip6 saddr and ffff:ffff:ffff:ffff:: ct count over 16 } counter reject with tcp reset
 ct mark set 0x1 accept
 }
@@ -108,8 +112,8 @@ table inet filter {
 tcp flags != syn accept
 tcp dport 22 ip saddr != $ip-allowlist-ssh add @ip-connlimit-ssh { ip saddr ct count over 1 } counter reject with tcp reset
 tcp dport 22 ip6 saddr != $ip6-allowlist-ssh add @ip6-connlimit-ssh { ip6 saddr and ffff:ffff:ffff:ffff:: ct count over 1 } counter reject with tcp reset
- tcp dport { 53, 80, 443, 853 } add @ip-connlimit-main { ip saddr ct count over 16 } counter reject with tcp reset
- tcp dport { 53, 80, 443, 853 } add @ip6-connlimit-main { ip6 saddr and ffff:ffff:ffff:ffff:: ct count over 16 } counter reject with tcp reset
+ tcp dport $tcp-ports add @ip-connlimit-main { ip saddr ct count over 16 } counter reject with tcp reset
+ tcp dport $tcp-ports add @ip6-connlimit-main { ip6 saddr and ffff:ffff:ffff:ffff:: ct count over 16 } counter reject with tcp reset
 ct mark set 0x1 accept
 }
@@ -123,7 +127,7 @@ table inet filter {
 oif lo goto output-raw-loopback
 skuid != { root, systemd-network, unbound, alpm, chrony, http, powerdns, dnsdist, geoipupdate } counter goto graceful-reject
- udp sport 53 notrack accept
+ udp sport $udp-ports notrack accept
 meta l4proto { icmp, ipv6-icmp } notrack accept
 }
diff --git a/etc/nftables/nftables-releases.conf b/etc/nftables/nftables-releases.conf
index 1b19725..bfbec6b 100644
--- a/etc/nftables/nftables-releases.conf
+++ b/etc/nftables/nftables-releases.conf
@@ -3,6 +3,9 @@ flush ruleset
 table inet filter {
+ define tcp-ports = { 80, 443 }
+ define tcp-ports-full = { 22, $tcp-ports }
+
 define ip-allowlist-ssh = {
 {{ssh_ipv4}},
 45.90.185.33, # 0.releases.grapheneos.org
@@ -82,7 +85,7 @@ table inet filter {
 fib daddr . iif type != { local, broadcast, multicast } counter drop
 # handle new TCP connections beyond rate limit via synproxy to avoid conntrack table exhaustion
- tcp dport { 22, 80, 443 } tcp flags syn limit rate over {{synproxy_threshold}}/second burst {{synproxy_threshold}} packets counter notrack accept
+ tcp dport $tcp-ports-full tcp flags syn limit rate over {{synproxy_threshold}}/second burst {{synproxy_threshold}} packets counter notrack accept
 meta l4proto { tcp, udp } accept
 icmp type { echo-reply, destination-unreachable, echo-request, time-exceeded, parameter-problem } notrack accept
@@ -96,7 +99,7 @@ table inet filter {
 ip dscp set cs0
 ip6 dscp set cs0
- tcp dport { 22, 80, 443 } goto input-tcp-service
+ tcp dport $tcp-ports-full goto input-tcp-service
 ct state vmap { invalid : drop, established : accept, related : accept, new : drop, untracked: accept }
 }
@@ -108,16 +111,16 @@ table inet filter {
 tcp dport 22 ip saddr @ip-connlimit-ssh counter reject with tcp reset
 tcp dport 22 ip6 saddr and ffff:ffff:ffff:ffff:: @ip6-connlimit-ssh counter reject with tcp reset
- tcp dport { 80, 443 } ip saddr @ip-connlimit-main counter reject with tcp reset
- tcp dport { 80, 443 } ip6 saddr and ffff:ffff:ffff:ffff:: @ip6-connlimit-main counter reject with tcp reset
+ tcp dport $tcp-ports ip saddr @ip-connlimit-main counter reject with tcp reset
+ tcp dport $tcp-ports ip6 saddr and ffff:ffff:ffff:ffff:: @ip6-connlimit-main counter reject with tcp reset
 synproxy mss 1460 wscale 7 timestamp sack-perm
 }
 chain input-tcp-service-new {
 tcp dport 22 ip saddr @ip-connlimit-ssh counter reject with tcp reset
 tcp dport 22 ip6 saddr and ffff:ffff:ffff:ffff:: @ip6-connlimit-ssh counter reject with tcp reset
- tcp dport { 80, 443 } ip saddr @ip-connlimit-main counter reject with tcp reset
- tcp dport { 80, 443 } ip6 saddr and ffff:ffff:ffff:ffff:: @ip6-connlimit-main counter reject with tcp reset
+ tcp dport $tcp-ports ip saddr @ip-connlimit-main counter reject with tcp reset
+ tcp dport $tcp-ports ip6 saddr and ffff:ffff:ffff:ffff:: @ip6-connlimit-main counter reject with tcp reset
 accept
 }
@@ -126,8 +129,8 @@ table inet filter {
 ct mark 0x1 accept
 tcp dport 22 ip saddr != $ip-allowlist-ssh add @ip-connlimit-ssh { ip saddr ct count over 1 } counter reject with tcp reset
 tcp dport 22 ip6 saddr != $ip6-allowlist-ssh add @ip6-connlimit-ssh { ip6 saddr and ffff:ffff:ffff:ffff:: ct count over 1 } counter reject with tcp reset
- tcp dport { 80, 443 } add @ip-connlimit-main { ip saddr ct count over 32 } counter reject with tcp reset
- tcp dport { 80, 443 } add @ip6-connlimit-main { ip6 saddr and ffff:ffff:ffff:ffff:: ct count over 32 } counter reject with tcp reset
+ tcp dport $tcp-ports add @ip-connlimit-main { ip saddr ct count over 32 } counter reject with tcp reset
+ tcp dport $tcp-ports add @ip6-connlimit-main { ip6 saddr and ffff:ffff:ffff:ffff:: ct count over 32 } counter reject with tcp reset
 ct mark set 0x1 accept
 }
@@ -136,8 +139,8 @@ table inet filter {
 tcp flags != syn accept
 tcp dport 22 ip saddr != $ip-allowlist-ssh add @ip-connlimit-ssh { ip saddr ct count over 1 } counter reject with tcp reset
 tcp dport 22 ip6 saddr != $ip6-allowlist-ssh add @ip6-connlimit-ssh { ip6 saddr and ffff:ffff:ffff:ffff:: ct count over 1 } counter reject with tcp reset
- tcp dport { 80, 443 } add @ip-connlimit-main { ip saddr ct count over 32 } counter reject with tcp reset
- tcp dport { 80, 443 } add @ip6-connlimit-main { ip6 saddr and ffff:ffff:ffff:ffff:: ct count over 32 } counter reject with tcp reset
+ tcp dport $tcp-ports add @ip-connlimit-main { ip saddr ct count over 32 } counter reject with tcp reset
+ tcp dport $tcp-ports add @ip6-connlimit-main { ip6 saddr and ffff:ffff:ffff:ffff:: ct count over 32 } counter reject with tcp reset
 ct mark set 0x1 accept
 }
diff --git a/etc/nftables/nftables-social.conf b/etc/nftables/nftables-social.conf
index 4d00b5a..08cd774 100644
--- a/etc/nftables/nftables-social.conf
+++ b/etc/nftables/nftables-social.conf
@@ -3,6 +3,9 @@ flush ruleset
 table inet filter {
+ define tcp-ports = { 80, 443 }
+ define tcp-ports-full = { 22, $tcp-ports }
+
 define ip-allowlist-ssh = {
 {{ssh_ipv4}},
 }
@@ -46,7 +49,7 @@ table inet filter {
 fib daddr . iif type != { local, broadcast, multicast } counter drop
 # handle new TCP connections beyond rate limit via synproxy to avoid conntrack table exhaustion
- tcp dport { 22, 80, 443 } tcp flags syn limit rate over {{synproxy_threshold}}/second burst {{synproxy_threshold}} packets counter notrack accept
+ tcp dport $tcp-ports-full tcp flags syn limit rate over {{synproxy_threshold}}/second burst {{synproxy_threshold}} packets counter notrack accept
 meta l4proto { tcp, udp } accept
 icmp type { echo-reply, destination-unreachable, echo-request, time-exceeded, parameter-problem } notrack accept
@@ -60,7 +63,7 @@ table inet filter {
 ip dscp set cs0
 ip6 dscp set cs0
- tcp dport { 22, 80, 443 } goto input-tcp-service
+ tcp dport $tcp-ports-full goto input-tcp-service
 ct state vmap { invalid : drop, established : accept, related : accept, new : drop, untracked: accept }
 }
@@ -72,16 +75,16 @@ table inet filter {
 tcp dport 22 ip saddr @ip-connlimit-ssh counter reject with tcp reset
 tcp dport 22 ip6 saddr and ffff:ffff:ffff:ffff:: @ip6-connlimit-ssh counter reject with tcp reset
- tcp dport { 80, 443 } ip saddr @ip-connlimit-main counter reject with tcp reset
- tcp dport { 80, 443 } ip6 saddr and ffff:ffff:ffff:ffff:: @ip6-connlimit-main counter reject with tcp reset
+ tcp dport $tcp-ports ip saddr @ip-connlimit-main counter reject with tcp reset
+ tcp dport $tcp-ports ip6 saddr and ffff:ffff:ffff:ffff:: @ip6-connlimit-main counter reject with tcp reset
 synproxy mss 1460 wscale 7 timestamp sack-perm
 }
 chain input-tcp-service-new {
 tcp dport 22 ip saddr @ip-connlimit-ssh counter reject with tcp reset
 tcp dport 22 ip6 saddr and ffff:ffff:ffff:ffff:: @ip6-connlimit-ssh counter reject with tcp reset
- tcp dport { 80, 443 } ip saddr @ip-connlimit-main counter reject with tcp reset
- tcp dport { 80, 443 } ip6 saddr and ffff:ffff:ffff:ffff:: @ip6-connlimit-main counter reject with tcp reset
+ tcp dport $tcp-ports ip saddr @ip-connlimit-main counter reject with tcp reset
+ tcp dport $tcp-ports ip6 saddr and ffff:ffff:ffff:ffff:: @ip6-connlimit-main counter reject with tcp reset
 accept
 }
@@ -90,8 +93,8 @@ table inet filter {
 ct mark 0x1 accept
 tcp dport 22 ip saddr != $ip-allowlist-ssh add @ip-connlimit-ssh { ip saddr ct count over 1 } counter reject with tcp reset
 tcp dport 22 ip6 saddr != $ip6-allowlist-ssh add @ip6-connlimit-ssh { ip6 saddr and ffff:ffff:ffff:ffff:: ct count over 1 } counter reject with tcp reset
- tcp dport { 80, 443 } add @ip-connlimit-main { ip saddr ct count over 32 } counter reject with tcp reset
- tcp dport { 80, 443 } add @ip6-connlimit-main { ip6 saddr and ffff:ffff:ffff:ffff:: ct count over 32 } counter reject with tcp reset
+ tcp dport $tcp-ports add @ip-connlimit-main { ip saddr ct count over 32 } counter reject with tcp reset
+ tcp dport $tcp-ports add @ip6-connlimit-main { ip6 saddr and ffff:ffff:ffff:ffff:: ct count over 32 } counter reject with tcp reset
 ct mark set 0x1 accept
 }
@@ -100,8 +103,8 @@ table inet filter {
 tcp flags != syn accept
 tcp dport 22 ip saddr != $ip-allowlist-ssh add @ip-connlimit-ssh { ip saddr ct count over 1 } counter reject with tcp reset
 tcp dport 22 ip6 saddr != $ip6-allowlist-ssh add @ip6-connlimit-ssh { ip6 saddr and ffff:ffff:ffff:ffff:: ct count over 1 } counter reject with tcp reset
- tcp dport { 80, 443 } add @ip-connlimit-main { ip saddr ct count over 32 } counter reject with tcp reset
- tcp dport { 80, 443 } add @ip6-connlimit-main { ip6 saddr and ffff:ffff:ffff:ffff:: ct count over 32 } counter reject with tcp reset
+ tcp dport $tcp-ports add @ip-connlimit-main { ip saddr ct count over 32 } counter reject with tcp reset
+ tcp dport $tcp-ports add @ip6-connlimit-main { ip6 saddr and ffff:ffff:ffff:ffff:: ct count over 32 } counter reject with tcp reset
 ct mark set 0x1 accept
 }
diff --git a/etc/nftables/nftables-web.conf b/etc/nftables/nftables-web.conf
index 27ac7a0..9b13fda 100644
--- a/etc/nftables/nftables-web.conf
+++ b/etc/nftables/nftables-web.conf
@@ -3,6 +3,9 @@ flush ruleset
 table inet filter {
+ define tcp-ports = { 80, 443 }
+ define tcp-ports-full = { 22, $tcp-ports }
+
 define ip-allowlist-ssh = {
 {{ssh_ipv4}},
 51.222.156.101, # 0.grapheneos.org
@@ -48,7 +51,7 @@ table inet filter {
 fib daddr . iif type != { local, broadcast, multicast } counter drop
 # handle new TCP connections beyond rate limit via synproxy to avoid conntrack table exhaustion
- tcp dport { 22, 80, 443 } tcp flags syn limit rate over {{synproxy_threshold}}/second burst {{synproxy_threshold}} packets counter notrack accept
+ tcp dport $tcp-ports-full tcp flags syn limit rate over {{synproxy_threshold}}/second burst {{synproxy_threshold}} packets counter notrack accept
 meta l4proto { tcp, udp } accept
 icmp type { echo-reply, destination-unreachable, echo-request, time-exceeded, parameter-problem } notrack accept
@@ -62,7 +65,7 @@ table inet filter {
 ip dscp set cs0
 ip6 dscp set cs0
- tcp dport { 22, 80, 443 } goto input-tcp-service
+ tcp dport $tcp-ports-full goto input-tcp-service
 ct state vmap { invalid : drop, established : accept, related : accept, new : drop, untracked: accept }
 }
@@ -74,16 +77,16 @@ table inet filter {
 tcp dport 22 ip saddr @ip-connlimit-ssh counter reject with tcp reset
 tcp dport 22 ip6 saddr and ffff:ffff:ffff:ffff:: @ip6-connlimit-ssh counter reject with tcp reset
- tcp dport { 80, 443 } ip saddr @ip-connlimit-main counter reject with tcp reset
- tcp dport { 80, 443 } ip6 saddr and ffff:ffff:ffff:ffff:: @ip6-connlimit-main counter reject with tcp reset
+ tcp dport $tcp-ports ip saddr @ip-connlimit-main counter reject with tcp reset
+ tcp dport $tcp-ports ip6 saddr and ffff:ffff:ffff:ffff:: @ip6-connlimit-main counter reject with tcp reset
 synproxy mss 1460 wscale 7 timestamp sack-perm
 }
 chain input-tcp-service-new {
 tcp dport 22 ip saddr @ip-connlimit-ssh counter reject with tcp reset
 tcp dport 22 ip6 saddr and ffff:ffff:ffff:ffff:: @ip6-connlimit-ssh counter reject with tcp reset
- tcp dport { 80, 443 } ip saddr @ip-connlimit-main counter reject with tcp reset
- tcp dport { 80, 443 } ip6 saddr and ffff:ffff:ffff:ffff:: @ip6-connlimit-main counter reject with tcp reset
+ tcp dport $tcp-ports ip saddr @ip-connlimit-main counter reject with tcp reset
+ tcp dport $tcp-ports ip6 saddr and ffff:ffff:ffff:ffff:: @ip6-connlimit-main counter reject with tcp reset
 accept
 }
@@ -92,8 +95,8 @@ table inet filter {
 ct mark 0x1 accept
 tcp dport 22 ip saddr != $ip-allowlist-ssh add @ip-connlimit-ssh { ip saddr ct count over 1 } counter reject with tcp reset
 tcp dport 22 ip6 saddr != $ip6-allowlist-ssh add @ip6-connlimit-ssh { ip6 saddr and ffff:ffff:ffff:ffff:: ct count over 1 } counter reject with tcp reset
- tcp dport { 80, 443 } add @ip-connlimit-main { ip saddr ct count over 32 } counter reject with tcp reset
- tcp dport { 80, 443 } add @ip6-connlimit-main { ip6 saddr and ffff:ffff:ffff:ffff:: ct count over 32 } counter reject with tcp reset
+ tcp dport $tcp-ports add @ip-connlimit-main { ip saddr ct count over 32 } counter reject with tcp reset
+ tcp dport $tcp-ports add @ip6-connlimit-main { ip6 saddr and ffff:ffff:ffff:ffff:: ct count over 32 } counter reject with tcp reset
 ct mark set 0x1 accept
 }
@@ -102,8 +105,8 @@ table inet filter {
 tcp flags != syn accept
 tcp dport 22 ip saddr != $ip-allowlist-ssh add @ip-connlimit-ssh { ip saddr ct count over 1 } counter reject with tcp reset
 tcp dport 22 ip6 saddr != $ip6-allowlist-ssh add @ip6-connlimit-ssh { ip6 saddr and ffff:ffff:ffff:ffff:: ct count over 1 } counter reject with tcp reset
- tcp dport { 80, 443 } add @ip-connlimit-main { ip saddr ct count over 32 } counter reject with tcp reset
- tcp dport { 80, 443 } add @ip6-connlimit-main { ip6 saddr and ffff:ffff:ffff:ffff:: ct count over 32 } counter reject with tcp reset
+ tcp dport $tcp-ports add @ip-connlimit-main { ip saddr ct count over 32 } counter reject with tcp reset
+ tcp dport $tcp-ports add @ip6-connlimit-main { ip6 saddr and ffff:ffff:ffff:ffff:: ct count over 32 } counter reject with tcp reset
 ct mark set 0x1 accept
 }