diff --git a/nftables/nftables-attestation.conf b/nftables/nftables-attestation.conf
index d553c10..bca3e57 100644
--- a/nftables/nftables-attestation.conf
+++ b/nftables/nftables-attestation.conf
@@ -25,6 +25,7 @@ table inet filter {
 chain prerouting-raw {
 type filter hook prerouting priority raw
+ policy drop
 # drop packets without a reverse path (strict reverse path filtering)
 fib saddr . iif oif missing counter drop
@@ -39,6 +40,7 @@ table inet filter {
 # handle new TCP connections beyond rate limit via synproxy to avoid conntrack table exhaustion
 tcp dport { 22, 80, 443 } tcp flags syn limit rate over 1024/second burst 128 packets counter notrack accept
+ meta l4proto { tcp, udp } accept
 meta l4proto { icmp, ipv6-icmp } notrack accept
 }
diff --git a/nftables/nftables-discuss.conf b/nftables/nftables-discuss.conf
index b446f50..e939936 100644
--- a/nftables/nftables-discuss.conf
+++ b/nftables/nftables-discuss.conf
@@ -25,6 +25,7 @@ table inet filter {
 chain prerouting-raw {
 type filter hook prerouting priority raw
+ policy drop
 # drop packets without a reverse path (strict reverse path filtering)
 fib saddr . iif oif missing counter drop
@@ -39,6 +40,7 @@ table inet filter {
 # handle new TCP connections beyond rate limit via synproxy to avoid conntrack table exhaustion
 tcp dport { 22, 80, 443 } tcp flags syn limit rate over 1024/second burst 128 packets counter notrack accept
+ meta l4proto { tcp, udp } accept
 meta l4proto { icmp, ipv6-icmp } notrack accept
 }
diff --git a/nftables/nftables-mail.conf b/nftables/nftables-mail.conf
index 90a555c..e3ddc3d 100644
--- a/nftables/nftables-mail.conf
+++ b/nftables/nftables-mail.conf
@@ -37,6 +37,7 @@ table inet filter {
 chain prerouting-raw {
 type filter hook prerouting priority raw
+ policy drop
 # drop packets without a reverse path (strict reverse path filtering)
 fib saddr . iif oif missing counter drop
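Review bot: With `policy drop` now set on `prerouting-raw`, every packet that reaches the end of the chain is discarded silently at the raw hook, because the only `counter` in the visible chain is on the reverse-path rule; after the second hunk's new `meta l4proto { tcp, udp } accept`, anything that is not TCP, UDP, ICMP or ICMPv6 (ESP, GRE, SCTP, IGMP, …) is dropped with no evidence in `nft list ruleset`, unless a rule outside the hunk accepts it. I would add a final bare `counter` rule after the `meta l4proto { icmp, ipv6-icmp } notrack accept` line so policy drops are at least countable, and a comment above `policy drop` in the first hunk: `# anything not explicitly accepted in this chain is dropped before conntrack sees it`. The same pair of additions is repeated in nftables-discuss.conf, -mail.conf, -matrix.conf, -network.conf, -ns1.conf, -ns2.conf, -social.conf and -web.conf, so this applies to each of those hunks as well. The rules between the two hunks of each chain are outside the visible diff, so I cannot tell whether an earlier rule already accepts or counts other protocols.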
@@ -51,6 +52,7 @@ table inet filter {
 # handle new TCP connections beyond rate limit via synproxy to avoid conntrack table exhaustion
 tcp dport { 22, 25, 80, 443, 465, 993 } tcp flags syn limit rate over 1024/second burst 128 packets counter notrack accept
+ meta l4proto { tcp, udp } accept
 meta l4proto { icmp, ipv6-icmp } notrack accept
 }
diff --git a/nftables/nftables-matrix.conf b/nftables/nftables-matrix.conf
index af0fa24..b6028dd 100644
--- a/nftables/nftables-matrix.conf
+++ b/nftables/nftables-matrix.conf
@@ -25,6 +25,7 @@ table inet filter {
 chain prerouting-raw {
 type filter hook prerouting priority raw
+ policy drop
 # drop packets without a reverse path (strict reverse path filtering)
 fib saddr . iif oif missing counter drop
@@ -39,6 +40,7 @@ table inet filter {
 # handle new TCP connections beyond rate limit via synproxy to avoid conntrack table exhaustion
 tcp dport { 22, 80, 443 } tcp flags syn limit rate over 1024/second burst 128 packets counter notrack accept
+ meta l4proto { tcp, udp } accept
 meta l4proto { icmp, ipv6-icmp } notrack accept
 }
diff --git a/nftables/nftables-network.conf b/nftables/nftables-network.conf
index 3b17041..a5b3d62 100644
--- a/nftables/nftables-network.conf
+++ b/nftables/nftables-network.conf
@@ -33,6 +33,7 @@ table inet filter {
 chain prerouting-raw {
 type filter hook prerouting priority raw
+ policy drop
 # drop packets without a reverse path (strict reverse path filtering)
 fib saddr . iif oif missing counter drop
@@ -48,6 +49,8 @@ table inet filter {
 tcp dport { 22, 80, 443, 7275 } tcp flags syn limit rate over 1024/second burst 128 packets counter notrack accept
 udp dport 123 notrack accept
+
+ meta l4proto { tcp, udp } accept
 meta l4proto { icmp, ipv6-icmp } notrack accept
 }
diff --git a/nftables/nftables-ns1.conf b/nftables/nftables-ns1.conf
index d7468d3..96a1ab3 100644
--- a/nftables/nftables-ns1.conf
+++ b/nftables/nftables-ns1.conf
@@ -25,6 +25,7 @@ table inet filter {
 chain prerouting-raw {
 type filter hook prerouting priority raw
+ policy drop
 # drop packets without a reverse path (strict reverse path filtering)
 fib saddr . iif oif missing counter drop
@@ -41,6 +42,7 @@ table inet filter {
 # handle new TCP connections beyond rate limit via synproxy to avoid conntrack table exhaustion
 tcp dport { 22, 53, 80, 443, 853 } tcp flags syn limit rate over 1024/second burst 128 packets counter notrack accept
+ meta l4proto { tcp, udp } accept
 meta l4proto { icmp, ipv6-icmp } notrack accept
 }
diff --git a/nftables/nftables-ns2.conf b/nftables/nftables-ns2.conf
index 5eb7a95..ff0dc17 100644
--- a/nftables/nftables-ns2.conf
+++ b/nftables/nftables-ns2.conf
@@ -35,6 +35,7 @@ table inet filter {
 chain prerouting-raw {
 type filter hook prerouting priority raw
+ policy drop
 # drop packets without a reverse path (strict reverse path filtering)
 fib saddr . iif oif missing counter drop
@@ -53,6 +54,7 @@ table inet filter {
 # handle new TCP connections beyond rate limit via synproxy to avoid conntrack table exhaustion
 tcp dport { 22, 53, 80, 443, 853 } tcp flags syn limit rate over 1024/second burst 128 packets counter notrack accept
+ meta l4proto { tcp, udp } accept
 meta l4proto { icmp, ipv6-icmp } notrack accept
 }
diff --git a/nftables/nftables-social.conf b/nftables/nftables-social.conf
index 9e3345e..5a337c6 100644
--- a/nftables/nftables-social.conf
+++ b/nftables/nftables-social.conf
@@ -25,6 +25,7 @@ table inet filter {
 chain prerouting-raw {
 type filter hook prerouting priority raw
+ policy drop
 # drop packets without a reverse path (strict reverse path filtering)
 fib saddr . iif oif missing counter drop
@@ -39,6 +40,7 @@ table inet filter {
 # handle new TCP connections beyond rate limit via synproxy to avoid conntrack table exhaustion
 tcp dport { 22, 80, 443 } tcp flags syn limit rate over 1024/second burst 128 packets counter notrack accept
+ meta l4proto { tcp, udp } accept
 meta l4proto { icmp, ipv6-icmp } notrack accept
 }
diff --git a/nftables/nftables-web.conf b/nftables/nftables-web.conf
index 40e9ad0..a37e05b 100644
--- a/nftables/nftables-web.conf
+++ b/nftables/nftables-web.conf
@@ -35,6 +35,7 @@ table inet filter {
 chain prerouting-raw {
 type filter hook prerouting priority raw
+ policy drop
 # drop packets without a reverse path (strict reverse path filtering)
 fib saddr . iif oif missing counter drop
@@ -49,6 +50,7 @@ table inet filter {
 # handle new TCP connections beyond rate limit via synproxy to avoid conntrack table exhaustion
 tcp dport { 22, 80, 443 } tcp flags syn limit rate over 1024/second burst 128 packets counter notrack accept
+ meta l4proto { tcp, udp } accept
 meta l4proto { icmp, ipv6-icmp } notrack accept
 }