diff --git a/nftables-ns1.conf b/nftables-ns1.conf
index aa6c9f4..f7ec5dd 100644
--- a/nftables-ns1.conf
+++ b/nftables-ns1.conf
@@ -21,12 +21,12 @@ table inet filter {
  flags dynamic
  }
- set ip-connlimit-dns {
+ set ip-connlimit-main {
  type ipv4_addr
  flags dynamic
  }
- set ip6-connlimit-dns {
+ set ip6-connlimit-main {
  type ipv6_addr
  flags dynamic
  }
@@ -43,8 +43,7 @@ table inet filter {
  fib daddr . iif type != { local, broadcast, multicast } counter drop
  udp dport 53 notrack accept
- tcp dport { 80, 443 } notrack accept
- tcp dport { 22, 53, 853 } tcp flags syn notrack accept
+ tcp dport { 22, 53, 80, 443, 853 } tcp flags syn notrack accept
  meta l4proto { icmp, ipv6-icmp } notrack accept
  }
@@ -53,7 +52,6 @@ table inet filter {
  oif lo notrack accept
  udp sport 53 notrack accept
- tcp sport { 80, 443 } notrack accept
  meta l4proto { icmp, ipv6-icmp } notrack accept
  }
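Review bot: Removing `tcp dport { 80, 443 } notrack accept` from the prerouting raw chain and leaving only SYNs untracked means every non-SYN packet on 80/443 now creates or consults a conntrack entry, where previously the whole web flow bypassed conntrack; the matching removal of `tcp sport { 80, 443 } notrack accept` in the output hunk below and the synproxy rules added later in this diff suggest this is deliberate so synproxy can cover those ports. That is a capacity change the commit message should state: web traffic that was intentionally untracked now occupies conntrack slots, so nf_conntrack_max and the TCP conntrack timeouts on this host should be re-checked against expected HTTP(S) concurrency before rollout, otherwise a busy or abusive client can fill the table and the kernel drops new flows, DNS-over-TCP included, instead of reaching the graceful-reject path this ruleset builds. A short comment above the rule, `# 80/443: only SYNs untracked so synproxy can answer them; the rest of each web flow is conntracked`, would make the intent clear to the next editor. The identical hunk in nftables-ns2.conf has the same consideration.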
@@ -63,23 +61,22 @@ table inet filter {
  iif lo goto input-loopback
  udp dport 53 accept
- tcp dport { 80, 443 } accept
  meta l4proto { icmp, ipv6-icmp } accept
  ct state vmap { established : accept, related : accept, new : goto graceful-reject }
  tcp dport 22 ip saddr @ip-connlimit-ssh counter reject with tcp reset
  tcp dport 22 ip6 saddr and ffff:ffff:ffff:ffff:ffff:: @ip6-connlimit-ssh counter reject with tcp reset
  tcp dport 22 synproxy mss 1460 wscale 7 timestamp sack-perm
- tcp dport { 53, 853 } ip saddr @ip-connlimit-dns counter reject with tcp reset
- tcp dport { 53, 853 } ip6 saddr and ffff:ffff:ffff:ffff:: @ip6-connlimit-dns counter reject with tcp reset
- tcp dport { 53, 853 } synproxy mss 1460 wscale 7 timestamp sack-perm
+ tcp dport { 53, 80, 443, 853 } ip saddr @ip-connlimit-main counter reject with tcp reset
+ tcp dport { 53, 80, 443, 853 } ip6 saddr and ffff:ffff:ffff:ffff:: @ip6-connlimit-main counter reject with tcp reset
+ tcp dport { 53, 80, 443, 853 } synproxy mss 1460 wscale 7 timestamp sack-perm
  }
  chain input-loopback {
  tcp dport 22 tcp flags syn ip saddr != $ip-allowlist-ssh add @ip-connlimit-ssh { ip saddr ct count over 1 } counter reject with tcp reset
  tcp dport 22 tcp flags syn ip6 saddr != $ip6-allowlist-ssh add @ip6-connlimit-ssh { ip6 saddr and ffff:ffff:ffff:ffff:ffff:: ct count over 1 } counter reject with tcp reset
- tcp dport { 53, 853 } tcp flags syn add @ip-connlimit-dns { ip saddr ct count over 16 } counter reject with tcp reset
- tcp dport { 53, 853 } tcp flags syn add @ip6-connlimit-dns { ip6 saddr and ffff:ffff:ffff:ffff:: ct count over 16 } counter reject with tcp reset
+ tcp dport { 53, 80, 443, 853 } tcp flags syn add @ip-connlimit-main { ip saddr ct count over 16 } counter reject with tcp reset
+ tcp dport { 53, 80, 443, 853 } tcp flags syn add @ip6-connlimit-main { ip6 saddr and ffff:ffff:ffff:ffff:: ct count over 16 } counter reject with tcp reset
  accept
  }
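Review bot: Folding 80 and 443 into the `ct count over 16` rules in input-loopback applies a per-source limit that was sized for DNS-over-TCP to web clients too, and because `@ip-connlimit-main` is one shared set, an address's HTTP(S) connections now consume the same 16-connection budget as its DNS connections; the IPv6 rule aggregates by the `ffff:ffff:ffff:ffff::` mask, so every host in a /64 shares that budget. Browsers open several parallel connections per origin and users behind NAT or CGNAT share one source address, so a threshold that was reasonable for DNS can reject legitimate web users with a TCP reset once this is live. If a single limit is really the goal, raise it or keep separate sets and thresholds for `{ 53, 853 }` and `{ 80, 443 }`, and watch the `counter` on these reject rules after rollout for unexpected hits. The ssh rules mask IPv6 with `ffff:ffff:ffff:ffff:ffff::` (/80) while these use /64; that mismatch predates this commit but now covers more services, so it is worth a comment stating which aggregation is intended. The chain holding the synproxy rules starts before this hunk, and the same hunk appears in nftables-ns2.conf.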
diff --git a/nftables-ns2.conf b/nftables-ns2.conf
index 954035f..87e3d6c 100644
--- a/nftables-ns2.conf
+++ b/nftables-ns2.conf
@@ -23,12 +23,12 @@ table inet filter {
  flags dynamic
  }
- set ip-connlimit-dns {
+ set ip-connlimit-main {
  type ipv4_addr
  flags dynamic
  }
- set ip6-connlimit-dns {
+ set ip6-connlimit-main {
  type ipv6_addr
  flags dynamic
  }
@@ -48,8 +48,7 @@ table inet filter {
  tcp dport 22 ip daddr 198.251.90.93 reject with tcp reset
  udp dport 53 notrack accept
- tcp dport { 80, 443 } notrack accept
- tcp dport { 22, 53, 853 } tcp flags syn notrack accept
+ tcp dport { 22, 53, 80, 443, 853 } tcp flags syn notrack accept
  meta l4proto { icmp, ipv6-icmp } notrack accept
  }
@@ -58,7 +57,6 @@ table inet filter {
  oif lo notrack accept
  udp sport 53 notrack accept
- tcp sport { 80, 443 } notrack accept
  meta l4proto { icmp, ipv6-icmp } notrack accept
  }
@@ -68,23 +66,22 @@ table inet filter {
  iif lo goto input-loopback
  udp dport 53 accept
- tcp dport { 80, 443 } accept
  meta l4proto { icmp, ipv6-icmp } accept
  ct state vmap { established : accept, related : accept, new : goto graceful-reject }
  tcp dport 22 ip saddr @ip-connlimit-ssh counter reject with tcp reset
  tcp dport 22 ip6 saddr and ffff:ffff:ffff:ffff:ffff:: @ip6-connlimit-ssh counter reject with tcp reset
  tcp dport 22 synproxy mss 1460 wscale 7 timestamp sack-perm
- tcp dport { 53, 853 } ip saddr @ip-connlimit-dns counter reject with tcp reset
- tcp dport { 53, 853 } ip6 saddr and ffff:ffff:ffff:ffff:: @ip6-connlimit-dns counter reject with tcp reset
- tcp dport { 53, 853 } synproxy mss 1460 wscale 7 timestamp sack-perm
+ tcp dport { 53, 80, 443, 853 } ip saddr @ip-connlimit-main counter reject with tcp reset
+ tcp dport { 53, 80, 443, 853 } ip6 saddr and ffff:ffff:ffff:ffff:: @ip6-connlimit-main counter reject with tcp reset
+ tcp dport { 53, 80, 443, 853 } synproxy mss 1460 wscale 7 timestamp sack-perm
  }
  chain input-loopback {
  tcp dport 22 tcp flags syn ip saddr != $ip-allowlist-ssh add @ip-connlimit-ssh { ip saddr ct count over 1 } counter reject with tcp reset
  tcp dport 22 tcp flags syn ip6 saddr != $ip6-allowlist-ssh add @ip6-connlimit-ssh { ip6 saddr and ffff:ffff:ffff:ffff:ffff:: ct count over 1 } counter reject with tcp reset
- tcp dport { 53, 853 } tcp flags syn add @ip-connlimit-dns { ip saddr ct count over 16 } counter reject with tcp reset
- tcp dport { 53, 853 } tcp flags syn add @ip6-connlimit-dns { ip6 saddr and ffff:ffff:ffff:ffff:: ct count over 16 } counter reject with tcp reset
+ tcp dport { 53, 80, 443, 853 } tcp flags syn add @ip-connlimit-main { ip saddr ct count over 16 } counter reject with tcp reset
+ tcp dport { 53, 80, 443, 853 } tcp flags syn add @ip6-connlimit-main { ip6 saddr and ffff:ffff:ffff:ffff:: ct count over 16 } counter reject with tcp reset
  accept
  }