enable nftables-based DDoS protection for all TCP services

Now that the usage of synproxy is gated behind a SYN packet rate limit,
we can expand this to all our TCP services to have always enabled DDoS
protection instead of needing to deploy a stricter set of rules when the
servers are under attack. This is far better because there isn't always
a system administrator available to handle an ongoing attack.

We already used per-IP connection limits in nginx across the board but
those limits are applied far too late after a TLS connection has been
established and headers are sent rather than before. Using IPv6 /64
blocks means this is much more aggressive for IPv6, but many clients
will fall back to IPv4 due to the happy eyeballs approach. The nginx
limits are still useful due to HTTP/2 multiplexing and we'll need to
think over how to address IPv6 there.
This commit is contained in:
Daniel Micay 2024-04-10 12:54:58 -04:00
parent 14c0128910
commit b38736ca74
7 changed files with 84 additions and 108 deletions

View File

@ -42,9 +42,8 @@ table inet filter {
# drop packets to address not configured on incoming interface (strong host model) # drop packets to address not configured on incoming interface (strong host model)
fib daddr . iif type != { local, broadcast, multicast } counter drop fib daddr . iif type != { local, broadcast, multicast } counter drop
tcp dport 443 notrack accept tcp dport { 22, 80, 443 } tcp flags syn limit rate 1024/second accept
tcp dport { 22, 80 } tcp flags syn limit rate 1024/second accept tcp dport { 22, 80, 443 } tcp flags syn counter notrack accept
tcp dport { 22, 80 } tcp flags syn counter notrack accept
meta l4proto { icmp, ipv6-icmp } notrack accept meta l4proto { icmp, ipv6-icmp } notrack accept
} }
@ -53,23 +52,22 @@ table inet filter {
policy drop policy drop
iif lo goto input-loopback iif lo goto input-loopback
tcp dport 443 accept
meta l4proto { icmp, ipv6-icmp } accept meta l4proto { icmp, ipv6-icmp } accept
ct state vmap { new : goto input-new, established : goto input-established, related : accept } ct state vmap { new : goto input-new, established : goto input-established, related : accept }
tcp dport 22 ip saddr @ip-connlimit-ssh counter reject with tcp reset tcp dport 22 ip saddr @ip-connlimit-ssh counter reject with tcp reset
tcp dport 22 ip6 saddr and ffff:ffff:ffff:ffff:ffff:: @ip6-connlimit-ssh counter reject with tcp reset tcp dport 22 ip6 saddr and ffff:ffff:ffff:ffff:ffff:: @ip6-connlimit-ssh counter reject with tcp reset
tcp dport 80 ip saddr @ip-connlimit-main counter reject with tcp reset tcp dport { 80, 443 } ip saddr @ip-connlimit-main counter reject with tcp reset
tcp dport 80 ip6 saddr and ffff:ffff:ffff:ffff:: @ip6-connlimit-main counter reject with tcp reset tcp dport { 80, 443 } ip6 saddr and ffff:ffff:ffff:ffff:: @ip6-connlimit-main counter reject with tcp reset
tcp dport { 22, 80 } synproxy mss 1460 wscale 7 timestamp sack-perm tcp dport { 22, 80, 443 } synproxy mss 1460 wscale 7 timestamp sack-perm
} }
chain input-new { chain input-new {
tcp dport != { 22, 80 } goto graceful-reject tcp dport != { 22, 80, 443 } goto graceful-reject
tcp dport 22 ip saddr @ip-connlimit-ssh counter reject with tcp reset tcp dport 22 ip saddr @ip-connlimit-ssh counter reject with tcp reset
tcp dport 22 ip6 saddr and ffff:ffff:ffff:ffff:ffff:: @ip6-connlimit-ssh counter reject with tcp reset tcp dport 22 ip6 saddr and ffff:ffff:ffff:ffff:ffff:: @ip6-connlimit-ssh counter reject with tcp reset
tcp dport 80 ip saddr @ip-connlimit-main counter reject with tcp reset tcp dport { 80, 443 } ip saddr @ip-connlimit-main counter reject with tcp reset
tcp dport 80 ip6 saddr and ffff:ffff:ffff:ffff:: @ip6-connlimit-main counter reject with tcp reset tcp dport { 80, 443 } ip6 saddr and ffff:ffff:ffff:ffff:: @ip6-connlimit-main counter reject with tcp reset
accept accept
} }
@ -77,8 +75,8 @@ table inet filter {
ct mark 0x1 accept ct mark 0x1 accept
tcp dport 22 ip saddr != $ip-allowlist-ssh add @ip-connlimit-ssh { ip saddr ct count over 1 } counter reject with tcp reset tcp dport 22 ip saddr != $ip-allowlist-ssh add @ip-connlimit-ssh { ip saddr ct count over 1 } counter reject with tcp reset
tcp dport 22 ip6 saddr != $ip6-allowlist-ssh add @ip6-connlimit-ssh { ip6 saddr and ffff:ffff:ffff:ffff:ffff:: ct count over 1 } counter reject with tcp reset tcp dport 22 ip6 saddr != $ip6-allowlist-ssh add @ip6-connlimit-ssh { ip6 saddr and ffff:ffff:ffff:ffff:ffff:: ct count over 1 } counter reject with tcp reset
tcp dport 80 add @ip-connlimit-main { ip saddr ct count over 32 } counter reject with tcp reset tcp dport { 80, 443 } add @ip-connlimit-main { ip saddr ct count over 32 } counter reject with tcp reset
tcp dport 80 add @ip6-connlimit-main { ip6 saddr and ffff:ffff:ffff:ffff:: ct count over 32 } counter reject with tcp reset tcp dport { 80, 443 } add @ip6-connlimit-main { ip6 saddr and ffff:ffff:ffff:ffff:: ct count over 32 } counter reject with tcp reset
ct mark set 0x1 accept ct mark set 0x1 accept
} }
@ -86,8 +84,8 @@ table inet filter {
tcp flags != syn accept tcp flags != syn accept
tcp dport 22 ip saddr != $ip-allowlist-ssh add @ip-connlimit-ssh { ip saddr ct count over 1 } counter reject with tcp reset tcp dport 22 ip saddr != $ip-allowlist-ssh add @ip-connlimit-ssh { ip saddr ct count over 1 } counter reject with tcp reset
tcp dport 22 ip6 saddr != $ip6-allowlist-ssh add @ip6-connlimit-ssh { ip6 saddr and ffff:ffff:ffff:ffff:ffff:: ct count over 1 } counter reject with tcp reset tcp dport 22 ip6 saddr != $ip6-allowlist-ssh add @ip6-connlimit-ssh { ip6 saddr and ffff:ffff:ffff:ffff:ffff:: ct count over 1 } counter reject with tcp reset
tcp dport 80 add @ip-connlimit-main { ip saddr ct count over 32 } counter reject with tcp reset tcp dport { 80, 443 } add @ip-connlimit-main { ip saddr ct count over 32 } counter reject with tcp reset
tcp dport 80 add @ip6-connlimit-main { ip6 saddr and ffff:ffff:ffff:ffff:: ct count over 32 } counter reject with tcp reset tcp dport { 80, 443 } add @ip6-connlimit-main { ip6 saddr and ffff:ffff:ffff:ffff:: ct count over 32 } counter reject with tcp reset
ct mark set 0x1 accept ct mark set 0x1 accept
} }
@ -100,7 +98,6 @@ table inet filter {
type filter hook output priority raw type filter hook output priority raw
oif lo notrack accept oif lo notrack accept
tcp sport 443 notrack accept
meta l4proto { icmp, ipv6-icmp } notrack accept meta l4proto { icmp, ipv6-icmp } notrack accept
} }

View File

@ -42,12 +42,8 @@ table inet filter {
# drop packets to address not configured on incoming interface (strong host model) # drop packets to address not configured on incoming interface (strong host model)
fib daddr . iif type != { local, broadcast, multicast } counter drop fib daddr . iif type != { local, broadcast, multicast } counter drop
# IPv6 interacts badly with IP-based spam filtering tcp dport { 22, 80, 443 } tcp flags syn limit rate 1024/second accept
meta nfproto ipv6 tcp dport { 80, 443 } reject with tcp reset tcp dport { 22, 80, 443 } tcp flags syn counter notrack accept
tcp dport 443 notrack accept
tcp dport { 22, 80 } tcp flags syn limit rate 1024/second accept
tcp dport { 22, 80 } tcp flags syn counter notrack accept
meta l4proto { icmp, ipv6-icmp } notrack accept meta l4proto { icmp, ipv6-icmp } notrack accept
} }
@ -56,23 +52,22 @@ table inet filter {
policy drop policy drop
iif lo goto input-loopback iif lo goto input-loopback
tcp dport 443 accept
meta l4proto { icmp, ipv6-icmp } accept meta l4proto { icmp, ipv6-icmp } accept
ct state vmap { new : goto input-new, established : goto input-established, related : accept } ct state vmap { new : goto input-new, established : goto input-established, related : accept }
tcp dport 22 ip saddr @ip-connlimit-ssh counter reject with tcp reset tcp dport 22 ip saddr @ip-connlimit-ssh counter reject with tcp reset
tcp dport 22 ip6 saddr and ffff:ffff:ffff:ffff:ffff:: @ip6-connlimit-ssh counter reject with tcp reset tcp dport 22 ip6 saddr and ffff:ffff:ffff:ffff:ffff:: @ip6-connlimit-ssh counter reject with tcp reset
tcp dport 80 ip saddr @ip-connlimit-main counter reject with tcp reset tcp dport { 80, 443 } ip saddr @ip-connlimit-main counter reject with tcp reset
tcp dport 80 ip6 saddr and ffff:ffff:ffff:ffff:: @ip6-connlimit-main counter reject with tcp reset tcp dport { 80, 443 } ip6 saddr and ffff:ffff:ffff:ffff:: @ip6-connlimit-main counter reject with tcp reset
tcp dport { 22, 80 } synproxy mss 1460 wscale 7 timestamp sack-perm tcp dport { 22, 80, 443 } synproxy mss 1460 wscale 7 timestamp sack-perm
} }
chain input-new { chain input-new {
tcp dport != { 22, 80 } goto graceful-reject tcp dport != { 22, 80, 443 } goto graceful-reject
tcp dport 22 ip saddr @ip-connlimit-ssh counter reject with tcp reset tcp dport 22 ip saddr @ip-connlimit-ssh counter reject with tcp reset
tcp dport 22 ip6 saddr and ffff:ffff:ffff:ffff:ffff:: @ip6-connlimit-ssh counter reject with tcp reset tcp dport 22 ip6 saddr and ffff:ffff:ffff:ffff:ffff:: @ip6-connlimit-ssh counter reject with tcp reset
tcp dport 80 ip saddr @ip-connlimit-main counter reject with tcp reset tcp dport { 80, 443 } ip saddr @ip-connlimit-main counter reject with tcp reset
tcp dport 80 ip6 saddr and ffff:ffff:ffff:ffff:: @ip6-connlimit-main counter reject with tcp reset tcp dport { 80, 443 } ip6 saddr and ffff:ffff:ffff:ffff:: @ip6-connlimit-main counter reject with tcp reset
accept accept
} }
@ -80,8 +75,8 @@ table inet filter {
ct mark 0x1 accept ct mark 0x1 accept
tcp dport 22 ip saddr != $ip-allowlist-ssh add @ip-connlimit-ssh { ip saddr ct count over 1 } counter reject with tcp reset tcp dport 22 ip saddr != $ip-allowlist-ssh add @ip-connlimit-ssh { ip saddr ct count over 1 } counter reject with tcp reset
tcp dport 22 ip6 saddr != $ip6-allowlist-ssh add @ip6-connlimit-ssh { ip6 saddr and ffff:ffff:ffff:ffff:ffff:: ct count over 1 } counter reject with tcp reset tcp dport 22 ip6 saddr != $ip6-allowlist-ssh add @ip6-connlimit-ssh { ip6 saddr and ffff:ffff:ffff:ffff:ffff:: ct count over 1 } counter reject with tcp reset
tcp dport 80 add @ip-connlimit-main { ip saddr ct count over 32 } counter reject with tcp reset tcp dport { 80, 443 } add @ip-connlimit-main { ip saddr ct count over 32 } counter reject with tcp reset
tcp dport 80 add @ip6-connlimit-main { ip6 saddr and ffff:ffff:ffff:ffff:: ct count over 32 } counter reject with tcp reset tcp dport { 80, 443 } add @ip6-connlimit-main { ip6 saddr and ffff:ffff:ffff:ffff:: ct count over 32 } counter reject with tcp reset
ct mark set 0x1 accept ct mark set 0x1 accept
} }
@ -89,8 +84,8 @@ table inet filter {
tcp flags != syn accept tcp flags != syn accept
tcp dport 22 ip saddr != $ip-allowlist-ssh add @ip-connlimit-ssh { ip saddr ct count over 1 } counter reject with tcp reset tcp dport 22 ip saddr != $ip-allowlist-ssh add @ip-connlimit-ssh { ip saddr ct count over 1 } counter reject with tcp reset
tcp dport 22 ip6 saddr != $ip6-allowlist-ssh add @ip6-connlimit-ssh { ip6 saddr and ffff:ffff:ffff:ffff:ffff:: ct count over 1 } counter reject with tcp reset tcp dport 22 ip6 saddr != $ip6-allowlist-ssh add @ip6-connlimit-ssh { ip6 saddr and ffff:ffff:ffff:ffff:ffff:: ct count over 1 } counter reject with tcp reset
tcp dport 80 add @ip-connlimit-main { ip saddr ct count over 32 } counter reject with tcp reset tcp dport { 80, 443 } add @ip-connlimit-main { ip saddr ct count over 32 } counter reject with tcp reset
tcp dport 80 add @ip6-connlimit-main { ip6 saddr and ffff:ffff:ffff:ffff:: ct count over 32 } counter reject with tcp reset tcp dport { 80, 443 } add @ip6-connlimit-main { ip6 saddr and ffff:ffff:ffff:ffff:: ct count over 32 } counter reject with tcp reset
ct mark set 0x1 accept ct mark set 0x1 accept
} }
@ -103,7 +98,6 @@ table inet filter {
type filter hook output priority raw type filter hook output priority raw
oif lo notrack accept oif lo notrack accept
tcp sport 443 notrack accept
meta l4proto { icmp, ipv6-icmp } notrack accept meta l4proto { icmp, ipv6-icmp } notrack accept
} }

View File

@ -42,9 +42,8 @@ table inet filter {
# drop packets to address not configured on incoming interface (strong host model) # drop packets to address not configured on incoming interface (strong host model)
fib daddr . iif type != { local, broadcast, multicast } counter drop fib daddr . iif type != { local, broadcast, multicast } counter drop
tcp dport { 25, 465, 993 } notrack accept tcp dport { 22, 25, 80, 443, 465, 993 } tcp flags syn limit rate 1024/second accept
tcp dport { 22, 80, 443 } tcp flags syn limit rate 1024/second accept tcp dport { 22, 25, 80, 443, 465, 993 } tcp flags syn counter notrack accept
tcp dport { 22, 80, 443 } tcp flags syn counter notrack accept
meta l4proto { icmp, ipv6-icmp } notrack accept meta l4proto { icmp, ipv6-icmp } notrack accept
} }
@ -53,23 +52,22 @@ table inet filter {
policy drop policy drop
iif lo goto input-loopback iif lo goto input-loopback
tcp dport { 25, 465, 993 } accept
meta l4proto { icmp, ipv6-icmp } accept meta l4proto { icmp, ipv6-icmp } accept
ct state vmap { new : goto input-new, established : goto input-established, related : accept } ct state vmap { new : goto input-new, established : goto input-established, related : accept }
tcp dport 22 ip saddr @ip-connlimit-ssh counter reject with tcp reset tcp dport 22 ip saddr @ip-connlimit-ssh counter reject with tcp reset
tcp dport 22 ip6 saddr and ffff:ffff:ffff:ffff:ffff:: @ip6-connlimit-ssh counter reject with tcp reset tcp dport 22 ip6 saddr and ffff:ffff:ffff:ffff:ffff:: @ip6-connlimit-ssh counter reject with tcp reset
tcp dport { 80, 443 } ip saddr @ip-connlimit-main counter reject with tcp reset tcp dport { 25, 80, 443, 465, 993 } ip saddr @ip-connlimit-main counter reject with tcp reset
tcp dport { 80, 443 } ip6 saddr and ffff:ffff:ffff:ffff:: @ip6-connlimit-main counter reject with tcp reset tcp dport { 25, 80, 443, 465, 993 } ip6 saddr and ffff:ffff:ffff:ffff:: @ip6-connlimit-main counter reject with tcp reset
tcp dport { 22, 80, 443 } synproxy mss 1460 wscale 7 timestamp sack-perm tcp dport { 22, 25, 80, 443, 465, 993 } synproxy mss 1460 wscale 7 timestamp sack-perm
} }
chain input-new { chain input-new {
tcp dport != { 22, 80, 443 } goto graceful-reject tcp dport != { 22, 25, 80, 443, 465, 993 } goto graceful-reject
tcp dport 22 ip saddr @ip-connlimit-ssh counter reject with tcp reset tcp dport 22 ip saddr @ip-connlimit-ssh counter reject with tcp reset
tcp dport 22 ip6 saddr and ffff:ffff:ffff:ffff:ffff:: @ip6-connlimit-ssh counter reject with tcp reset tcp dport 22 ip6 saddr and ffff:ffff:ffff:ffff:ffff:: @ip6-connlimit-ssh counter reject with tcp reset
tcp dport { 80, 443 } ip saddr @ip-connlimit-main counter reject with tcp reset tcp dport { 25, 80, 443, 465, 993 } ip saddr @ip-connlimit-main counter reject with tcp reset
tcp dport { 80, 443 } ip6 saddr and ffff:ffff:ffff:ffff:: @ip6-connlimit-main counter reject with tcp reset tcp dport { 25, 80, 443, 465, 993 } ip6 saddr and ffff:ffff:ffff:ffff:: @ip6-connlimit-main counter reject with tcp reset
accept accept
} }
@ -77,8 +75,8 @@ table inet filter {
ct mark 0x1 accept ct mark 0x1 accept
tcp dport 22 ip saddr != $ip-allowlist-ssh add @ip-connlimit-ssh { ip saddr ct count over 1 } counter reject with tcp reset tcp dport 22 ip saddr != $ip-allowlist-ssh add @ip-connlimit-ssh { ip saddr ct count over 1 } counter reject with tcp reset
tcp dport 22 ip6 saddr != $ip6-allowlist-ssh add @ip6-connlimit-ssh { ip6 saddr and ffff:ffff:ffff:ffff:ffff:: ct count over 1 } counter reject with tcp reset tcp dport 22 ip6 saddr != $ip6-allowlist-ssh add @ip6-connlimit-ssh { ip6 saddr and ffff:ffff:ffff:ffff:ffff:: ct count over 1 } counter reject with tcp reset
tcp dport { 80, 443 } add @ip-connlimit-main { ip saddr ct count over 32 } counter reject with tcp reset tcp dport { 25, 80, 443, 465, 993 } add @ip-connlimit-main { ip saddr ct count over 32 } counter reject with tcp reset
tcp dport { 80, 443 } add @ip6-connlimit-main { ip6 saddr and ffff:ffff:ffff:ffff:: ct count over 32 } counter reject with tcp reset tcp dport { 25, 80, 443, 465, 993 } add @ip6-connlimit-main { ip6 saddr and ffff:ffff:ffff:ffff:: ct count over 32 } counter reject with tcp reset
ct mark set 0x1 accept ct mark set 0x1 accept
} }
@ -86,8 +84,8 @@ table inet filter {
tcp flags != syn accept tcp flags != syn accept
tcp dport 22 ip saddr != $ip-allowlist-ssh add @ip-connlimit-ssh { ip saddr ct count over 1 } counter reject with tcp reset tcp dport 22 ip saddr != $ip-allowlist-ssh add @ip-connlimit-ssh { ip saddr ct count over 1 } counter reject with tcp reset
tcp dport 22 ip6 saddr != $ip6-allowlist-ssh add @ip6-connlimit-ssh { ip6 saddr and ffff:ffff:ffff:ffff:ffff:: ct count over 1 } counter reject with tcp reset tcp dport 22 ip6 saddr != $ip6-allowlist-ssh add @ip6-connlimit-ssh { ip6 saddr and ffff:ffff:ffff:ffff:ffff:: ct count over 1 } counter reject with tcp reset
tcp dport { 80, 443 } add @ip-connlimit-main { ip saddr ct count over 32 } counter reject with tcp reset tcp dport { 25, 80, 443, 465, 993 } add @ip-connlimit-main { ip saddr ct count over 32 } counter reject with tcp reset
tcp dport { 80, 443 } add @ip6-connlimit-main { ip6 saddr and ffff:ffff:ffff:ffff:: ct count over 32 } counter reject with tcp reset tcp dport { 25, 80, 443, 465, 993 } add @ip6-connlimit-main { ip6 saddr and ffff:ffff:ffff:ffff:: ct count over 32 } counter reject with tcp reset
ct mark set 0x1 accept ct mark set 0x1 accept
} }
@ -100,7 +98,6 @@ table inet filter {
type filter hook output priority raw type filter hook output priority raw
oif lo notrack accept oif lo notrack accept
tcp sport { 25, 465, 993 } notrack accept
meta l4proto { icmp, ipv6-icmp } notrack accept meta l4proto { icmp, ipv6-icmp } notrack accept
} }

View File

@ -42,9 +42,8 @@ table inet filter {
# drop packets to address not configured on incoming interface (strong host model) # drop packets to address not configured on incoming interface (strong host model)
fib daddr . iif type != { local, broadcast, multicast } counter drop fib daddr . iif type != { local, broadcast, multicast } counter drop
tcp dport 443 notrack accept tcp dport { 22, 80, 443 } tcp flags syn limit rate 1024/second accept
tcp dport { 22, 80 } tcp flags syn limit rate 1024/second accept tcp dport { 22, 80, 443 } tcp flags syn counter notrack accept
tcp dport { 22, 80 } tcp flags syn counter notrack accept
meta l4proto { icmp, ipv6-icmp } notrack accept meta l4proto { icmp, ipv6-icmp } notrack accept
} }
@ -53,23 +52,22 @@ table inet filter {
policy drop policy drop
iif lo goto input-loopback iif lo goto input-loopback
tcp dport 443 accept
meta l4proto { icmp, ipv6-icmp } accept meta l4proto { icmp, ipv6-icmp } accept
ct state vmap { new : goto input-new, established : goto input-established, related : accept } ct state vmap { new : goto input-new, established : goto input-established, related : accept }
tcp dport 22 ip saddr @ip-connlimit-ssh counter reject with tcp reset tcp dport 22 ip saddr @ip-connlimit-ssh counter reject with tcp reset
tcp dport 22 ip6 saddr and ffff:ffff:ffff:ffff:ffff:: @ip6-connlimit-ssh counter reject with tcp reset tcp dport 22 ip6 saddr and ffff:ffff:ffff:ffff:ffff:: @ip6-connlimit-ssh counter reject with tcp reset
tcp dport 80 ip saddr @ip-connlimit-main counter reject with tcp reset tcp dport { 80, 443 } ip saddr @ip-connlimit-main counter reject with tcp reset
tcp dport 80 ip6 saddr and ffff:ffff:ffff:ffff:: @ip6-connlimit-main counter reject with tcp reset tcp dport { 80, 443 } ip6 saddr and ffff:ffff:ffff:ffff:: @ip6-connlimit-main counter reject with tcp reset
tcp dport { 22, 80 } synproxy mss 1460 wscale 7 timestamp sack-perm tcp dport { 22, 80, 443 } synproxy mss 1460 wscale 7 timestamp sack-perm
} }
chain input-new { chain input-new {
tcp dport != { 22, 80 } goto graceful-reject tcp dport != { 22, 80, 443 } goto graceful-reject
tcp dport 22 ip saddr @ip-connlimit-ssh counter reject with tcp reset tcp dport 22 ip saddr @ip-connlimit-ssh counter reject with tcp reset
tcp dport 22 ip6 saddr and ffff:ffff:ffff:ffff:ffff:: @ip6-connlimit-ssh counter reject with tcp reset tcp dport 22 ip6 saddr and ffff:ffff:ffff:ffff:ffff:: @ip6-connlimit-ssh counter reject with tcp reset
tcp dport 80 ip saddr @ip-connlimit-main counter reject with tcp reset tcp dport { 80, 443 } ip saddr @ip-connlimit-main counter reject with tcp reset
tcp dport 80 ip6 saddr and ffff:ffff:ffff:ffff:: @ip6-connlimit-main counter reject with tcp reset tcp dport { 80, 443 } ip6 saddr and ffff:ffff:ffff:ffff:: @ip6-connlimit-main counter reject with tcp reset
accept accept
} }
@ -77,8 +75,8 @@ table inet filter {
ct mark 0x1 accept ct mark 0x1 accept
tcp dport 22 ip saddr != $ip-allowlist-ssh add @ip-connlimit-ssh { ip saddr ct count over 1 } counter reject with tcp reset tcp dport 22 ip saddr != $ip-allowlist-ssh add @ip-connlimit-ssh { ip saddr ct count over 1 } counter reject with tcp reset
tcp dport 22 ip6 saddr != $ip6-allowlist-ssh add @ip6-connlimit-ssh { ip6 saddr and ffff:ffff:ffff:ffff:ffff:: ct count over 1 } counter reject with tcp reset tcp dport 22 ip6 saddr != $ip6-allowlist-ssh add @ip6-connlimit-ssh { ip6 saddr and ffff:ffff:ffff:ffff:ffff:: ct count over 1 } counter reject with tcp reset
tcp dport 80 add @ip-connlimit-main { ip saddr ct count over 32 } counter reject with tcp reset tcp dport { 80, 443 } add @ip-connlimit-main { ip saddr ct count over 32 } counter reject with tcp reset
tcp dport 80 add @ip6-connlimit-main { ip6 saddr and ffff:ffff:ffff:ffff:: ct count over 32 } counter reject with tcp reset tcp dport { 80, 443 } add @ip6-connlimit-main { ip6 saddr and ffff:ffff:ffff:ffff:: ct count over 32 } counter reject with tcp reset
ct mark set 0x1 accept ct mark set 0x1 accept
} }
@ -86,8 +84,8 @@ table inet filter {
tcp flags != syn accept tcp flags != syn accept
tcp dport 22 ip saddr != $ip-allowlist-ssh add @ip-connlimit-ssh { ip saddr ct count over 1 } counter reject with tcp reset tcp dport 22 ip saddr != $ip-allowlist-ssh add @ip-connlimit-ssh { ip saddr ct count over 1 } counter reject with tcp reset
tcp dport 22 ip6 saddr != $ip6-allowlist-ssh add @ip6-connlimit-ssh { ip6 saddr and ffff:ffff:ffff:ffff:ffff:: ct count over 1 } counter reject with tcp reset tcp dport 22 ip6 saddr != $ip6-allowlist-ssh add @ip6-connlimit-ssh { ip6 saddr and ffff:ffff:ffff:ffff:ffff:: ct count over 1 } counter reject with tcp reset
tcp dport 80 add @ip-connlimit-main { ip saddr ct count over 32 } counter reject with tcp reset tcp dport { 80, 443 } add @ip-connlimit-main { ip saddr ct count over 32 } counter reject with tcp reset
tcp dport 80 add @ip6-connlimit-main { ip6 saddr and ffff:ffff:ffff:ffff:: ct count over 32 } counter reject with tcp reset tcp dport { 80, 443 } add @ip6-connlimit-main { ip6 saddr and ffff:ffff:ffff:ffff:: ct count over 32 } counter reject with tcp reset
ct mark set 0x1 accept ct mark set 0x1 accept
} }
@ -100,7 +98,6 @@ table inet filter {
type filter hook output priority raw type filter hook output priority raw
oif lo notrack accept oif lo notrack accept
tcp sport 443 notrack accept
meta l4proto { icmp, ipv6-icmp } notrack accept meta l4proto { icmp, ipv6-icmp } notrack accept
} }

View File

@ -44,9 +44,8 @@ table inet filter {
# drop packets to address not configured on incoming interface (strong host model) # drop packets to address not configured on incoming interface (strong host model)
fib daddr . iif type != { local, broadcast, multicast } counter drop fib daddr . iif type != { local, broadcast, multicast } counter drop
tcp dport { 80, 443 } notrack accept tcp dport { 22, 80, 443, 7275 } tcp flags syn limit rate 1024/second accept
tcp dport { 22, 7275 } tcp flags syn limit rate 1024/second accept tcp dport { 22, 80, 443, 7275 } tcp flags syn counter notrack accept
tcp dport { 22, 7275 } tcp flags syn counter notrack accept
udp dport 123 notrack accept udp dport 123 notrack accept
meta l4proto { icmp, ipv6-icmp } notrack accept meta l4proto { icmp, ipv6-icmp } notrack accept
} }
@ -56,24 +55,23 @@ table inet filter {
policy drop policy drop
iif lo goto input-loopback iif lo goto input-loopback
tcp dport { 80, 443 } accept
udp dport 123 accept udp dport 123 accept
meta l4proto { icmp, ipv6-icmp } accept meta l4proto { icmp, ipv6-icmp } accept
ct state vmap { new : goto input-new, established : goto input-established, related : accept } ct state vmap { new : goto input-new, established : goto input-established, related : accept }
tcp dport 22 ip saddr @ip-connlimit-ssh counter reject with tcp reset tcp dport 22 ip saddr @ip-connlimit-ssh counter reject with tcp reset
tcp dport 22 ip6 saddr and ffff:ffff:ffff:ffff:ffff:: @ip6-connlimit-ssh counter reject with tcp reset tcp dport 22 ip6 saddr and ffff:ffff:ffff:ffff:ffff:: @ip6-connlimit-ssh counter reject with tcp reset
tcp dport 7275 ip saddr @ip-connlimit-main counter reject with tcp reset tcp dport { 80, 443, 7275 } ip saddr @ip-connlimit-main counter reject with tcp reset
tcp dport 7275 ip6 saddr and ffff:ffff:ffff:ffff:: @ip6-connlimit-main counter reject with tcp reset tcp dport { 80, 443, 7275 } ip6 saddr and ffff:ffff:ffff:ffff:: @ip6-connlimit-main counter reject with tcp reset
tcp dport { 22, 7275 } synproxy mss 1460 wscale 7 timestamp sack-perm tcp dport { 22, 80, 443, 7275 } synproxy mss 1460 wscale 7 timestamp sack-perm
} }
chain input-new { chain input-new {
tcp dport != { 22, 7275 } goto graceful-reject tcp dport != { 22, 80, 443, 7275 } goto graceful-reject
tcp dport 22 ip saddr @ip-connlimit-ssh counter reject with tcp reset tcp dport 22 ip saddr @ip-connlimit-ssh counter reject with tcp reset
tcp dport 22 ip6 saddr and ffff:ffff:ffff:ffff:ffff:: @ip6-connlimit-ssh counter reject with tcp reset tcp dport 22 ip6 saddr and ffff:ffff:ffff:ffff:ffff:: @ip6-connlimit-ssh counter reject with tcp reset
tcp dport 7275 ip saddr @ip-connlimit-main counter reject with tcp reset tcp dport { 80, 443, 7275 } ip saddr @ip-connlimit-main counter reject with tcp reset
tcp dport 7275 ip6 saddr and ffff:ffff:ffff:ffff:: @ip6-connlimit-main counter reject with tcp reset tcp dport { 80, 443, 7275 } ip6 saddr and ffff:ffff:ffff:ffff:: @ip6-connlimit-main counter reject with tcp reset
accept accept
} }
@ -81,8 +79,8 @@ table inet filter {
ct mark 0x1 accept ct mark 0x1 accept
tcp dport 22 ip saddr != $ip-allowlist-ssh add @ip-connlimit-ssh { ip saddr ct count over 1 } counter reject with tcp reset tcp dport 22 ip saddr != $ip-allowlist-ssh add @ip-connlimit-ssh { ip saddr ct count over 1 } counter reject with tcp reset
tcp dport 22 ip6 saddr != $ip6-allowlist-ssh add @ip6-connlimit-ssh { ip6 saddr and ffff:ffff:ffff:ffff:ffff:: ct count over 1 } counter reject with tcp reset tcp dport 22 ip6 saddr != $ip6-allowlist-ssh add @ip6-connlimit-ssh { ip6 saddr and ffff:ffff:ffff:ffff:ffff:: ct count over 1 } counter reject with tcp reset
tcp dport 7275 add @ip-connlimit-main { ip saddr ct count over 32 } counter reject with tcp reset tcp dport { 80, 443, 7275 } add @ip-connlimit-main { ip saddr ct count over 32 } counter reject with tcp reset
tcp dport 7275 add @ip6-connlimit-main { ip6 saddr and ffff:ffff:ffff:ffff:: ct count over 32 } counter reject with tcp reset tcp dport { 80, 443, 7275 } add @ip6-connlimit-main { ip6 saddr and ffff:ffff:ffff:ffff:: ct count over 32 } counter reject with tcp reset
ct mark set 0x1 accept ct mark set 0x1 accept
} }
@ -90,8 +88,8 @@ table inet filter {
tcp flags != syn accept tcp flags != syn accept
tcp dport 22 ip saddr != $ip-allowlist-ssh add @ip-connlimit-ssh { ip saddr ct count over 1 } counter reject with tcp reset tcp dport 22 ip saddr != $ip-allowlist-ssh add @ip-connlimit-ssh { ip saddr ct count over 1 } counter reject with tcp reset
tcp dport 22 ip6 saddr != $ip6-allowlist-ssh add @ip6-connlimit-ssh { ip6 saddr and ffff:ffff:ffff:ffff:ffff:: ct count over 1 } counter reject with tcp reset tcp dport 22 ip6 saddr != $ip6-allowlist-ssh add @ip6-connlimit-ssh { ip6 saddr and ffff:ffff:ffff:ffff:ffff:: ct count over 1 } counter reject with tcp reset
tcp dport 7275 add @ip-connlimit-main { ip saddr ct count over 32 } counter reject with tcp reset tcp dport { 80, 443, 7275 } add @ip-connlimit-main { ip saddr ct count over 32 } counter reject with tcp reset
tcp dport 7275 add @ip6-connlimit-main { ip6 saddr and ffff:ffff:ffff:ffff:: ct count over 32 } counter reject with tcp reset tcp dport { 80, 443, 7275 } add @ip6-connlimit-main { ip6 saddr and ffff:ffff:ffff:ffff:: ct count over 32 } counter reject with tcp reset
ct mark set 0x1 accept ct mark set 0x1 accept
} }
@ -104,7 +102,6 @@ table inet filter {
type filter hook output priority raw type filter hook output priority raw
oif lo notrack accept oif lo notrack accept
tcp sport { 80, 443 } notrack accept
udp sport 123 notrack accept udp sport 123 notrack accept
meta l4proto { icmp, ipv6-icmp } notrack accept meta l4proto { icmp, ipv6-icmp } notrack accept
} }

View File

@ -42,9 +42,8 @@ table inet filter {
# drop packets to address not configured on incoming interface (strong host model) # drop packets to address not configured on incoming interface (strong host model)
fib daddr . iif type != { local, broadcast, multicast } counter drop fib daddr . iif type != { local, broadcast, multicast } counter drop
tcp dport 443 notrack accept tcp dport { 22, 80, 443 } tcp flags syn limit rate 1024/second accept
tcp dport { 22, 80 } tcp flags syn limit rate 1024/second accept tcp dport { 22, 80, 443 } tcp flags syn counter notrack accept
tcp dport { 22, 80 } tcp flags syn counter notrack accept
meta l4proto { icmp, ipv6-icmp } notrack accept meta l4proto { icmp, ipv6-icmp } notrack accept
} }
@ -53,23 +52,22 @@ table inet filter {
policy drop policy drop
iif lo goto input-loopback iif lo goto input-loopback
tcp dport 443 accept
meta l4proto { icmp, ipv6-icmp } accept meta l4proto { icmp, ipv6-icmp } accept
ct state vmap { new : goto input-new, established : goto input-established, related : accept } ct state vmap { new : goto input-new, established : goto input-established, related : accept }
tcp dport 22 ip saddr @ip-connlimit-ssh counter reject with tcp reset tcp dport 22 ip saddr @ip-connlimit-ssh counter reject with tcp reset
tcp dport 22 ip6 saddr and ffff:ffff:ffff:ffff:ffff:: @ip6-connlimit-ssh counter reject with tcp reset tcp dport 22 ip6 saddr and ffff:ffff:ffff:ffff:ffff:: @ip6-connlimit-ssh counter reject with tcp reset
tcp dport 80 ip saddr @ip-connlimit-main counter reject with tcp reset tcp dport { 80, 443 } ip saddr @ip-connlimit-main counter reject with tcp reset
tcp dport 80 ip6 saddr and ffff:ffff:ffff:ffff:: @ip6-connlimit-main counter reject with tcp reset tcp dport { 80, 443 } ip6 saddr and ffff:ffff:ffff:ffff:: @ip6-connlimit-main counter reject with tcp reset
tcp dport { 22, 80 } synproxy mss 1460 wscale 7 timestamp sack-perm tcp dport { 22, 80, 443 } synproxy mss 1460 wscale 7 timestamp sack-perm
} }
chain input-new { chain input-new {
tcp dport != { 22, 80 } goto graceful-reject tcp dport != { 22, 80, 443 } goto graceful-reject
tcp dport 22 ip saddr @ip-connlimit-ssh counter reject with tcp reset tcp dport 22 ip saddr @ip-connlimit-ssh counter reject with tcp reset
tcp dport 22 ip6 saddr and ffff:ffff:ffff:ffff:ffff:: @ip6-connlimit-ssh counter reject with tcp reset tcp dport 22 ip6 saddr and ffff:ffff:ffff:ffff:ffff:: @ip6-connlimit-ssh counter reject with tcp reset
tcp dport 80 ip saddr @ip-connlimit-main counter reject with tcp reset tcp dport { 80, 443 } ip saddr @ip-connlimit-main counter reject with tcp reset
tcp dport 80 ip6 saddr and ffff:ffff:ffff:ffff:: @ip6-connlimit-main counter reject with tcp reset tcp dport { 80, 443 } ip6 saddr and ffff:ffff:ffff:ffff:: @ip6-connlimit-main counter reject with tcp reset
accept accept
} }
@ -77,8 +75,8 @@ table inet filter {
ct mark 0x1 accept ct mark 0x1 accept
tcp dport 22 ip saddr != $ip-allowlist-ssh add @ip-connlimit-ssh { ip saddr ct count over 1 } counter reject with tcp reset tcp dport 22 ip saddr != $ip-allowlist-ssh add @ip-connlimit-ssh { ip saddr ct count over 1 } counter reject with tcp reset
tcp dport 22 ip6 saddr != $ip6-allowlist-ssh add @ip6-connlimit-ssh { ip6 saddr and ffff:ffff:ffff:ffff:ffff:: ct count over 1 } counter reject with tcp reset tcp dport 22 ip6 saddr != $ip6-allowlist-ssh add @ip6-connlimit-ssh { ip6 saddr and ffff:ffff:ffff:ffff:ffff:: ct count over 1 } counter reject with tcp reset
tcp dport 80 add @ip-connlimit-main { ip saddr ct count over 32 } counter reject with tcp reset tcp dport { 80, 443 } add @ip-connlimit-main { ip saddr ct count over 32 } counter reject with tcp reset
tcp dport 80 add @ip6-connlimit-main { ip6 saddr and ffff:ffff:ffff:ffff:: ct count over 32 } counter reject with tcp reset tcp dport { 80, 443 } add @ip6-connlimit-main { ip6 saddr and ffff:ffff:ffff:ffff:: ct count over 32 } counter reject with tcp reset
ct mark set 0x1 accept ct mark set 0x1 accept
} }
@ -86,8 +84,8 @@ table inet filter {
tcp flags != syn accept tcp flags != syn accept
tcp dport 22 ip saddr != $ip-allowlist-ssh add @ip-connlimit-ssh { ip saddr ct count over 1 } counter reject with tcp reset tcp dport 22 ip saddr != $ip-allowlist-ssh add @ip-connlimit-ssh { ip saddr ct count over 1 } counter reject with tcp reset
tcp dport 22 ip6 saddr != $ip6-allowlist-ssh add @ip6-connlimit-ssh { ip6 saddr and ffff:ffff:ffff:ffff:ffff:: ct count over 1 } counter reject with tcp reset tcp dport 22 ip6 saddr != $ip6-allowlist-ssh add @ip6-connlimit-ssh { ip6 saddr and ffff:ffff:ffff:ffff:ffff:: ct count over 1 } counter reject with tcp reset
tcp dport 80 add @ip-connlimit-main { ip saddr ct count over 32 } counter reject with tcp reset tcp dport { 80, 443 } add @ip-connlimit-main { ip saddr ct count over 32 } counter reject with tcp reset
tcp dport 80 add @ip6-connlimit-main { ip6 saddr and ffff:ffff:ffff:ffff:: ct count over 32 } counter reject with tcp reset tcp dport { 80, 443 } add @ip6-connlimit-main { ip6 saddr and ffff:ffff:ffff:ffff:: ct count over 32 } counter reject with tcp reset
ct mark set 0x1 accept ct mark set 0x1 accept
} }
@ -100,7 +98,6 @@ table inet filter {
type filter hook output priority raw type filter hook output priority raw
oif lo notrack accept oif lo notrack accept
tcp sport 443 notrack accept
meta l4proto { icmp, ipv6-icmp } notrack accept meta l4proto { icmp, ipv6-icmp } notrack accept
} }

View File

@ -46,9 +46,8 @@ table inet filter {
# drop packets to address not configured on incoming interface (strong host model) # drop packets to address not configured on incoming interface (strong host model)
fib daddr . iif type != { local, broadcast, multicast } counter drop fib daddr . iif type != { local, broadcast, multicast } counter drop
tcp dport 443 notrack accept tcp dport { 22, 80, 443 } tcp flags syn limit rate 1024/second accept
tcp dport { 22, 80 } tcp flags syn limit rate 1024/second accept tcp dport { 22, 80, 443 } tcp flags syn counter notrack accept
tcp dport { 22, 80 } tcp flags syn counter notrack accept
meta l4proto { icmp, ipv6-icmp } notrack accept meta l4proto { icmp, ipv6-icmp } notrack accept
} }
@ -57,23 +56,22 @@ table inet filter {
policy drop policy drop
iif lo goto input-loopback iif lo goto input-loopback
tcp dport 443 accept
meta l4proto { icmp, ipv6-icmp } accept meta l4proto { icmp, ipv6-icmp } accept
ct state vmap { new : goto input-new, established : goto input-established, related : accept } ct state vmap { new : goto input-new, established : goto input-established, related : accept }
tcp dport 22 ip saddr @ip-connlimit-ssh counter reject with tcp reset tcp dport 22 ip saddr @ip-connlimit-ssh counter reject with tcp reset
tcp dport 22 ip6 saddr and ffff:ffff:ffff:ffff:ffff:: @ip6-connlimit-ssh counter reject with tcp reset tcp dport 22 ip6 saddr and ffff:ffff:ffff:ffff:ffff:: @ip6-connlimit-ssh counter reject with tcp reset
tcp dport 80 ip saddr @ip-connlimit-main counter reject with tcp reset tcp dport { 80, 443 } ip saddr @ip-connlimit-main counter reject with tcp reset
tcp dport 80 ip6 saddr and ffff:ffff:ffff:ffff:: @ip6-connlimit-main counter reject with tcp reset tcp dport { 80, 443 } ip6 saddr and ffff:ffff:ffff:ffff:: @ip6-connlimit-main counter reject with tcp reset
tcp dport { 22, 80 } synproxy mss 1460 wscale 7 timestamp sack-perm tcp dport { 22, 80, 443 } synproxy mss 1460 wscale 7 timestamp sack-perm
} }
chain input-new { chain input-new {
tcp dport != { 22, 80 } goto graceful-reject tcp dport != { 22, 80, 443 } goto graceful-reject
tcp dport 22 ip saddr @ip-connlimit-ssh counter reject with tcp reset tcp dport 22 ip saddr @ip-connlimit-ssh counter reject with tcp reset
tcp dport 22 ip6 saddr and ffff:ffff:ffff:ffff:ffff:: @ip6-connlimit-ssh counter reject with tcp reset tcp dport 22 ip6 saddr and ffff:ffff:ffff:ffff:ffff:: @ip6-connlimit-ssh counter reject with tcp reset
tcp dport 80 ip saddr @ip-connlimit-main counter reject with tcp reset tcp dport { 80, 443 } ip saddr @ip-connlimit-main counter reject with tcp reset
tcp dport 80 ip6 saddr and ffff:ffff:ffff:ffff:: @ip6-connlimit-main counter reject with tcp reset tcp dport { 80, 443 } ip6 saddr and ffff:ffff:ffff:ffff:: @ip6-connlimit-main counter reject with tcp reset
accept accept
} }
@ -81,8 +79,8 @@ table inet filter {
ct mark 0x1 accept ct mark 0x1 accept
tcp dport 22 ip saddr != $ip-allowlist-ssh add @ip-connlimit-ssh { ip saddr ct count over 1 } counter reject with tcp reset tcp dport 22 ip saddr != $ip-allowlist-ssh add @ip-connlimit-ssh { ip saddr ct count over 1 } counter reject with tcp reset
tcp dport 22 ip6 saddr != $ip6-allowlist-ssh add @ip6-connlimit-ssh { ip6 saddr and ffff:ffff:ffff:ffff:ffff:: ct count over 1 } counter reject with tcp reset tcp dport 22 ip6 saddr != $ip6-allowlist-ssh add @ip6-connlimit-ssh { ip6 saddr and ffff:ffff:ffff:ffff:ffff:: ct count over 1 } counter reject with tcp reset
tcp dport 80 add @ip-connlimit-main { ip saddr ct count over 32 } counter reject with tcp reset tcp dport { 80, 443 } add @ip-connlimit-main { ip saddr ct count over 32 } counter reject with tcp reset
tcp dport 80 add @ip6-connlimit-main { ip6 saddr and ffff:ffff:ffff:ffff:: ct count over 32 } counter reject with tcp reset tcp dport { 80, 443 } add @ip6-connlimit-main { ip6 saddr and ffff:ffff:ffff:ffff:: ct count over 32 } counter reject with tcp reset
ct mark set 0x1 accept ct mark set 0x1 accept
} }
@ -90,8 +88,8 @@ table inet filter {
tcp flags != syn accept tcp flags != syn accept
tcp dport 22 ip saddr != $ip-allowlist-ssh add @ip-connlimit-ssh { ip saddr ct count over 1 } counter reject with tcp reset tcp dport 22 ip saddr != $ip-allowlist-ssh add @ip-connlimit-ssh { ip saddr ct count over 1 } counter reject with tcp reset
tcp dport 22 ip6 saddr != $ip6-allowlist-ssh add @ip6-connlimit-ssh { ip6 saddr and ffff:ffff:ffff:ffff:ffff:: ct count over 1 } counter reject with tcp reset tcp dport 22 ip6 saddr != $ip6-allowlist-ssh add @ip6-connlimit-ssh { ip6 saddr and ffff:ffff:ffff:ffff:ffff:: ct count over 1 } counter reject with tcp reset
tcp dport 80 add @ip-connlimit-main { ip saddr ct count over 32 } counter reject with tcp reset tcp dport { 80, 443 } add @ip-connlimit-main { ip saddr ct count over 32 } counter reject with tcp reset
tcp dport 80 add @ip6-connlimit-main { ip6 saddr and ffff:ffff:ffff:ffff:: ct count over 32 } counter reject with tcp reset tcp dport { 80, 443 } add @ip6-connlimit-main { ip6 saddr and ffff:ffff:ffff:ffff:: ct count over 32 } counter reject with tcp reset
ct mark set 0x1 accept ct mark set 0x1 accept
} }
@ -104,7 +102,6 @@ table inet filter {
type filter hook output priority raw type filter hook output priority raw
oif lo notrack accept oif lo notrack accept
tcp sport 443 notrack accept
meta l4proto { icmp, ipv6-icmp } notrack accept meta l4proto { icmp, ipv6-icmp } notrack accept
} }