From 83bcc0b32705a7d97d5c80caa56f723d4f611c5a Mon Sep 17 00:00:00 2001
From: Daniel Micay
Date: Sun, 31 Mar 2024 22:25:38 -0400
Subject: [PATCH] merge synproxy rules

---
 nftables-network.conf | 3 +--
 nftables-ns1.conf | 3 +--
 nftables-ns2.conf | 3 +--
 3 files changed, 3 insertions(+), 6 deletions(-)

diff --git a/nftables-network.conf b/nftables-network.conf
index e97a5af..8ee5886 100644
--- a/nftables-network.conf
+++ b/nftables-network.conf
@@ -71,10 +71,9 @@ table inet filter {
         tcp dport 22 ip saddr @ip-connlimit-ssh counter reject with tcp reset
         tcp dport 22 ip6 saddr and ffff:ffff:ffff:ffff:ffff:: @ip6-connlimit-ssh counter reject with tcp reset
-        tcp dport 22 synproxy mss 1460 wscale 7 timestamp sack-perm
         tcp dport 7275 ip saddr @ip-connlimit-supl counter reject with tcp reset
         tcp dport 7275 ip6 saddr and ffff:ffff:ffff:ffff:: @ip6-connlimit-supl counter reject with tcp reset
-        tcp dport 7275 synproxy mss 1460 wscale 7 timestamp sack-perm
+        tcp dport { 22, 7275 } synproxy mss 1460 wscale 7 timestamp sack-perm
     }
 
     chain input-loopback {
diff --git a/nftables-ns1.conf b/nftables-ns1.conf
index f7ec5dd..b07cc8d 100644
--- a/nftables-ns1.conf
+++ b/nftables-ns1.conf
@@ -66,10 +66,9 @@ table inet filter {
         tcp dport 22 ip saddr @ip-connlimit-ssh counter reject with tcp reset
         tcp dport 22 ip6 saddr and ffff:ffff:ffff:ffff:ffff:: @ip6-connlimit-ssh counter reject with tcp reset
-        tcp dport 22 synproxy mss 1460 wscale 7 timestamp sack-perm
         tcp dport { 53, 80, 443, 853 } ip saddr @ip-connlimit-main counter reject with tcp reset
         tcp dport { 53, 80, 443, 853 } ip6 saddr and ffff:ffff:ffff:ffff:: @ip6-connlimit-main counter reject with tcp reset
-        tcp dport { 53, 80, 443, 853 } synproxy mss 1460 wscale 7 timestamp sack-perm
+        tcp dport { 22, 53, 80, 443, 853 } synproxy mss 1460 wscale 7 timestamp sack-perm
     }
 
     chain input-loopback {
diff --git a/nftables-ns2.conf b/nftables-ns2.conf
index 87e3d6c..8c5da83 100644
--- a/nftables-ns2.conf
+++ b/nftables-ns2.conf
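Review bot: The new `tcp dport { 22, 7275 } synproxy ...` line carries its port list as an anonymous set, so it now has to be kept in lockstep by hand with whatever selects the same ports for `notrack` in the prerouting chain that synproxy relies on; that chain is outside the hunk, so I am inferring its shape rather than reading it. A named set in the table removes the drift risk: `set synproxy-ports { type inet_service; elements = { 22, 7275 } }`, then `tcp dport @synproxy-ports synproxy mss 1460 wscale 7 timestamp sack-perm` here and `tcp dport @synproxy-ports tcp flags syn notrack` on the prerouting side, so adding a port later is a one-place change. The per-port connlimit reject rules above it are unaffected by this and can stay as they are. The enclosing chain starts before the hunk.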
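Review bot: The merged `tcp dport { 22, 53, 80, 443, 853 } synproxy ...` line is the only rule in the hunk without `counter`, while every reject rule beside it has one, so after this change there is no per-chain way to see how many SYNs for these five ports reach the proxy path versus how many the connlimit sets reject. `tcp dport { 22, 53, 80, 443, 853 } counter synproxy mss 1460 wscale 7 timestamp sack-perm` keeps the rule in step with its neighbours at negligible cost and gives `nft list ruleset` a number to watch during a flood. The enclosing chain begins before the hunk, so whether a counter already sits upstream of this rule is not visible here.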
@@ -71,10 +71,9 @@ table inet filter {
         tcp dport 22 ip saddr @ip-connlimit-ssh counter reject with tcp reset
         tcp dport 22 ip6 saddr and ffff:ffff:ffff:ffff:ffff:: @ip6-connlimit-ssh counter reject with tcp reset
-        tcp dport 22 synproxy mss 1460 wscale 7 timestamp sack-perm
         tcp dport { 53, 80, 443, 853 } ip saddr @ip-connlimit-main counter reject with tcp reset
         tcp dport { 53, 80, 443, 853 } ip6 saddr and ffff:ffff:ffff:ffff:: @ip6-connlimit-main counter reject with tcp reset
-        tcp dport { 53, 80, 443, 853 } synproxy mss 1460 wscale 7 timestamp sack-perm
+        tcp dport { 22, 53, 80, 443, 853 } synproxy mss 1460 wscale 7 timestamp sack-perm
     }
 
     chain input-loopback {
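Review bot: The port list on the new synproxy line is now the third literal copy of the same five ports in this file's hunk alone (the two connlimit reject rules spell out `{ 53, 80, 443, 853 }`, this rule `{ 22, 53, 80, 443, 853 }`), and synproxy only works if the prerouting `notrack` rule, which is outside the hunk, selects the same ports; those lists can silently diverge on the next edit. Declaring `set synproxy-ports { type inet_service; elements = { 22, 53, 80, 443, 853 } }` in the table and writing `tcp dport @synproxy-ports synproxy mss 1460 wscale 7 timestamp sack-perm` here, with the same `@synproxy-ports` reference on the notrack side, gives one definition to maintain. I am inferring the prerouting rule's shape from how synproxy is normally wired, not from visible lines. The enclosing chain starts before the hunk.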