nftables: use default drop in prerouting-raw table
This commit is contained in:
parent
bab3f0c14a
commit
c99b8d0b47
@ -25,6 +25,7 @@ table inet filter {
|
|||||||
|
|
||||||
chain prerouting-raw {
|
chain prerouting-raw {
|
||||||
type filter hook prerouting priority raw
|
type filter hook prerouting priority raw
|
||||||
|
policy drop
|
||||||
|
|
||||||
# drop packets without a reverse path (strict reverse path filtering)
|
# drop packets without a reverse path (strict reverse path filtering)
|
||||||
fib saddr . iif oif missing counter drop
|
fib saddr . iif oif missing counter drop
|
||||||
@ -39,6 +40,7 @@ table inet filter {
|
|||||||
# handle new TCP connections beyond rate limit via synproxy to avoid conntrack table exhaustion
|
# handle new TCP connections beyond rate limit via synproxy to avoid conntrack table exhaustion
|
||||||
tcp dport { 22, 80, 443 } tcp flags syn limit rate over 1024/second burst 128 packets counter notrack accept
|
tcp dport { 22, 80, 443 } tcp flags syn limit rate over 1024/second burst 128 packets counter notrack accept
|
||||||
|
|
||||||
|
meta l4proto { tcp, udp } accept
|
||||||
meta l4proto { icmp, ipv6-icmp } notrack accept
|
meta l4proto { icmp, ipv6-icmp } notrack accept
|
||||||
}
|
}
|
||||||
|
|
||||||
|
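Review bot: The new `policy drop` on prerouting-raw has no counter, so any packet that is neither TCP/UDP nor ICMP/ICMPv6 (ESP/AH, GRE, SCTP, IGMP) is now discarded with nothing in `nft list chain inet filter prerouting-raw` to show it happened. The chain already attaches `counter` to its explicit drop (`fib saddr . iif oif missing counter drop`), so for consistency and debuggability I would end the chain with an explicit `counter drop` after `meta l4proto { icmp, ipv6-icmp } notrack accept`, optionally preceded by a rate-limited `limit rate 5/minute log prefix "prerouting-raw drop: "` during rollout. The part of the chain between the two hunks is outside this view, so I am assuming no other accept rule there covers those transports.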
@ -25,6 +25,7 @@ table inet filter {
|
|||||||
|
|
||||||
chain prerouting-raw {
|
chain prerouting-raw {
|
||||||
type filter hook prerouting priority raw
|
type filter hook prerouting priority raw
|
||||||
|
policy drop
|
||||||
|
|
||||||
# drop packets without a reverse path (strict reverse path filtering)
|
# drop packets without a reverse path (strict reverse path filtering)
|
||||||
fib saddr . iif oif missing counter drop
|
fib saddr . iif oif missing counter drop
|
||||||
@ -39,6 +40,7 @@ table inet filter {
|
|||||||
# handle new TCP connections beyond rate limit via synproxy to avoid conntrack table exhaustion
|
# handle new TCP connections beyond rate limit via synproxy to avoid conntrack table exhaustion
|
||||||
tcp dport { 22, 80, 443 } tcp flags syn limit rate over 1024/second burst 128 packets counter notrack accept
|
tcp dport { 22, 80, 443 } tcp flags syn limit rate over 1024/second burst 128 packets counter notrack accept
|
||||||
|
|
||||||
|
meta l4proto { tcp, udp } accept
|
||||||
meta l4proto { icmp, ipv6-icmp } notrack accept
|
meta l4proto { icmp, ipv6-icmp } notrack accept
|
||||||
}
|
}
|
||||||
|
|
||||||
|
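Review bot: `policy drop` is added without a comment, although the reverse-path drop and the synproxy rate-limit rule in this chain both explain their intent; a reader now has to infer from the two accept rules that everything except TCP, UDP, ICMP and ICMPv6 dies here before conntrack. I would put `# default deny: anything not accepted below (non-TCP/UDP/ICMP transports) is dropped before conntrack` above `policy drop`, and `# remaining TCP/UDP is conntracked and filtered by the input chain` above `meta l4proto { tcp, udp } accept`. The second comment presumes the input chain does the port filtering, which is outside this hunk and should be confirmed.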
@ -37,6 +37,7 @@ table inet filter {
|
|||||||
|
|
||||||
chain prerouting-raw {
|
chain prerouting-raw {
|
||||||
type filter hook prerouting priority raw
|
type filter hook prerouting priority raw
|
||||||
|
policy drop
|
||||||
|
|
||||||
# drop packets without a reverse path (strict reverse path filtering)
|
# drop packets without a reverse path (strict reverse path filtering)
|
||||||
fib saddr . iif oif missing counter drop
|
fib saddr . iif oif missing counter drop
|
||||||
@ -51,6 +52,7 @@ table inet filter {
|
|||||||
# handle new TCP connections beyond rate limit via synproxy to avoid conntrack table exhaustion
|
# handle new TCP connections beyond rate limit via synproxy to avoid conntrack table exhaustion
|
||||||
tcp dport { 22, 25, 80, 443, 465, 993 } tcp flags syn limit rate over 1024/second burst 128 packets counter notrack accept
|
tcp dport { 22, 25, 80, 443, 465, 993 } tcp flags syn limit rate over 1024/second burst 128 packets counter notrack accept
|
||||||
|
|
||||||
|
meta l4proto { tcp, udp } accept
|
||||||
meta l4proto { icmp, ipv6-icmp } notrack accept
|
meta l4proto { icmp, ipv6-icmp } notrack accept
|
||||||
}
|
}
|
||||||
|
|
||||||
|
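Review bot: On this host the default drop is a bigger behaviour change than on the others because it also affects anything a mail peer might use beyond the listed TCP ports, yet a packet hitting the chain policy leaves no counter behind. For a mail server TCP on 25/465/993 plus ICMP/ICMPv6 for PMTU discovery is plausibly all that is needed, but I would still make the fallthrough observable with a final `counter drop` rule after `meta l4proto { icmp, ipv6-icmp } notrack accept`, matching the `counter drop` style already used on the reverse-path rule. The rules between the two hunks are not visible here.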
@ -25,6 +25,7 @@ table inet filter {
|
|||||||
|
|
||||||
chain prerouting-raw {
|
chain prerouting-raw {
|
||||||
type filter hook prerouting priority raw
|
type filter hook prerouting priority raw
|
||||||
|
policy drop
|
||||||
|
|
||||||
# drop packets without a reverse path (strict reverse path filtering)
|
# drop packets without a reverse path (strict reverse path filtering)
|
||||||
fib saddr . iif oif missing counter drop
|
fib saddr . iif oif missing counter drop
|
||||||
@ -39,6 +40,7 @@ table inet filter {
|
|||||||
# handle new TCP connections beyond rate limit via synproxy to avoid conntrack table exhaustion
|
# handle new TCP connections beyond rate limit via synproxy to avoid conntrack table exhaustion
|
||||||
tcp dport { 22, 80, 443 } tcp flags syn limit rate over 1024/second burst 128 packets counter notrack accept
|
tcp dport { 22, 80, 443 } tcp flags syn limit rate over 1024/second burst 128 packets counter notrack accept
|
||||||
|
|
||||||
|
meta l4proto { tcp, udp } accept
|
||||||
meta l4proto { icmp, ipv6-icmp } notrack accept
|
meta l4proto { icmp, ipv6-icmp } notrack accept
|
||||||
}
|
}
|
||||||
|
|
||||||
|
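Review bot: The accept set is asymmetric between IPv4 and IPv6 once the policy is drop: MLD (multicast listener reports) is ICMPv6 and is still accepted by `meta l4proto { icmp, ipv6-icmp } notrack accept`, while IGMP is its own transport (protocol 2) and now hits the chain policy. That is presumably intended for a server that joins no multicast groups, but it is the kind of thing that surprises whoever next enables multicast on the host, so I would record it: `# note: IGMP (l4proto 2) is dropped by the chain policy; MLD survives as ICMPv6` next to the ICMP rule. If IPv4 multicast is used anywhere on this host, `meta l4proto igmp accept` would need to be added above the policy fallthrough.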
@ -33,6 +33,7 @@ table inet filter {
|
|||||||
|
|
||||||
chain prerouting-raw {
|
chain prerouting-raw {
|
||||||
type filter hook prerouting priority raw
|
type filter hook prerouting priority raw
|
||||||
|
policy drop
|
||||||
|
|
||||||
# drop packets without a reverse path (strict reverse path filtering)
|
# drop packets without a reverse path (strict reverse path filtering)
|
||||||
fib saddr . iif oif missing counter drop
|
fib saddr . iif oif missing counter drop
|
||||||
@ -48,6 +49,8 @@ table inet filter {
|
|||||||
tcp dport { 22, 80, 443, 7275 } tcp flags syn limit rate over 1024/second burst 128 packets counter notrack accept
|
tcp dport { 22, 80, 443, 7275 } tcp flags syn limit rate over 1024/second burst 128 packets counter notrack accept
|
||||||
|
|
||||||
udp dport 123 notrack accept
|
udp dport 123 notrack accept
|
||||||
|
|
||||||
|
meta l4proto { tcp, udp } accept
|
||||||
meta l4proto { icmp, ipv6-icmp } notrack accept
|
meta l4proto { icmp, ipv6-icmp } notrack accept
|
||||||
}
|
}
|
||||||
|
|
||||||
|
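Review bot: Rule order now matters in a way it did not before: `udp dport 123 notrack accept` only keeps NTP out of conntrack because it sits above the new generic `meta l4proto { tcp, udp } accept`, and any future notrack rule placed below that line is silently conntracked instead. I would pin that with a comment on the generic rule, `# any rule that needs notrack must stay above this line`. Separately, the hunk header advertises two added lines (`+49,8`) but only `meta l4proto { tcp, udp } accept` is visible as new here; the other addition is presumably whitespace or lost in rendering, but it is worth a glance at the raw diff.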
@ -25,6 +25,7 @@ table inet filter {
|
|||||||
|
|
||||||
chain prerouting-raw {
|
chain prerouting-raw {
|
||||||
type filter hook prerouting priority raw
|
type filter hook prerouting priority raw
|
||||||
|
policy drop
|
||||||
|
|
||||||
# drop packets without a reverse path (strict reverse path filtering)
|
# drop packets without a reverse path (strict reverse path filtering)
|
||||||
fib saddr . iif oif missing counter drop
|
fib saddr . iif oif missing counter drop
|
||||||
@ -41,6 +42,7 @@ table inet filter {
|
|||||||
# handle new TCP connections beyond rate limit via synproxy to avoid conntrack table exhaustion
|
# handle new TCP connections beyond rate limit via synproxy to avoid conntrack table exhaustion
|
||||||
tcp dport { 22, 53, 80, 443, 853 } tcp flags syn limit rate over 1024/second burst 128 packets counter notrack accept
|
tcp dport { 22, 53, 80, 443, 853 } tcp flags syn limit rate over 1024/second burst 128 packets counter notrack accept
|
||||||
|
|
||||||
|
meta l4proto { tcp, udp } accept
|
||||||
meta l4proto { icmp, ipv6-icmp } notrack accept
|
meta l4proto { icmp, ipv6-icmp } notrack accept
|
||||||
}
|
}
|
||||||
|
|
||||||
|
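Review bot: On this DNS host UDP 53 and 853 now reach the generic `meta l4proto { tcp, udp } accept` and are conntracked unless a `udp dport { 53, 853 } notrack accept` rule exists above this hunk, which I cannot see from here. That is not a regression introduced by the default-drop change, but the comment on the synproxy rule already calls out conntrack table exhaustion as a concern, and unsolicited UDP queries are the cheapest way to cause it. If no such notrack rule exists, one should be added above the generic accept; if it does, a comment such as `# UDP DNS is handled notrack above; everything else is conntracked here` on the generic rule would make the dependency explicit.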
@ -35,6 +35,7 @@ table inet filter {
|
|||||||
|
|
||||||
chain prerouting-raw {
|
chain prerouting-raw {
|
||||||
type filter hook prerouting priority raw
|
type filter hook prerouting priority raw
|
||||||
|
policy drop
|
||||||
|
|
||||||
# drop packets without a reverse path (strict reverse path filtering)
|
# drop packets without a reverse path (strict reverse path filtering)
|
||||||
fib saddr . iif oif missing counter drop
|
fib saddr . iif oif missing counter drop
|
||||||
@ -53,6 +54,7 @@ table inet filter {
|
|||||||
# handle new TCP connections beyond rate limit via synproxy to avoid conntrack table exhaustion
|
# handle new TCP connections beyond rate limit via synproxy to avoid conntrack table exhaustion
|
||||||
tcp dport { 22, 53, 80, 443, 853 } tcp flags syn limit rate over 1024/second burst 128 packets counter notrack accept
|
tcp dport { 22, 53, 80, 443, 853 } tcp flags syn limit rate over 1024/second burst 128 packets counter notrack accept
|
||||||
|
|
||||||
|
meta l4proto { tcp, udp } accept
|
||||||
meta l4proto { icmp, ipv6-icmp } notrack accept
|
meta l4proto { icmp, ipv6-icmp } notrack accept
|
||||||
}
|
}
|
||||||
|
|
||||||
|
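Review bot: With `policy drop` in place, packets that fall through the chain are dropped without being counted, whereas the explicit `fib saddr . iif oif missing counter drop` rule above records each hit. I would add a terminal `counter drop` after `meta l4proto { icmp, ipv6-icmp } notrack accept` so the drop counters for this chain are complete, which also makes it easy to confirm after deployment that nothing legitimate (for example ESP/AH or GRE, none of which are accepted here) is reaching the policy. The middle of the chain, between the two hunks, is outside this view.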
@ -25,6 +25,7 @@ table inet filter {
|
|||||||
|
|
||||||
chain prerouting-raw {
|
chain prerouting-raw {
|
||||||
type filter hook prerouting priority raw
|
type filter hook prerouting priority raw
|
||||||
|
policy drop
|
||||||
|
|
||||||
# drop packets without a reverse path (strict reverse path filtering)
|
# drop packets without a reverse path (strict reverse path filtering)
|
||||||
fib saddr . iif oif missing counter drop
|
fib saddr . iif oif missing counter drop
|
||||||
@ -39,6 +40,7 @@ table inet filter {
|
|||||||
# handle new TCP connections beyond rate limit via synproxy to avoid conntrack table exhaustion
|
# handle new TCP connections beyond rate limit via synproxy to avoid conntrack table exhaustion
|
||||||
tcp dport { 22, 80, 443 } tcp flags syn limit rate over 1024/second burst 128 packets counter notrack accept
|
tcp dport { 22, 80, 443 } tcp flags syn limit rate over 1024/second burst 128 packets counter notrack accept
|
||||||
|
|
||||||
|
meta l4proto { tcp, udp } accept
|
||||||
meta l4proto { icmp, ipv6-icmp } notrack accept
|
meta l4proto { icmp, ipv6-icmp } notrack accept
|
||||||
}
|
}
|
||||||
|
|
||||||
|
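Review bot: The `policy drop` line and the new `meta l4proto { tcp, udp } accept` line carry no comment, while the neighbouring reverse-path and synproxy rules each explain themselves; since the chain's default is now the only thing dropping non-TCP/UDP/ICMP traffic, the intent should be written down. I would add `# default deny: only the transports accepted below get past this chain` above `policy drop` and `# all other TCP/UDP is conntracked and left to the input chain` above the generic accept. The second comment assumes the input chain holds the per-port policy, which is not visible in this hunk.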
@ -35,6 +35,7 @@ table inet filter {
|
|||||||
|
|
||||||
chain prerouting-raw {
|
chain prerouting-raw {
|
||||||
type filter hook prerouting priority raw
|
type filter hook prerouting priority raw
|
||||||
|
policy drop
|
||||||
|
|
||||||
# drop packets without a reverse path (strict reverse path filtering)
|
# drop packets without a reverse path (strict reverse path filtering)
|
||||||
fib saddr . iif oif missing counter drop
|
fib saddr . iif oif missing counter drop
|
||||||
@ -49,6 +50,7 @@ table inet filter {
|
|||||||
# handle new TCP connections beyond rate limit via synproxy to avoid conntrack table exhaustion
|
# handle new TCP connections beyond rate limit via synproxy to avoid conntrack table exhaustion
|
||||||
tcp dport { 22, 80, 443 } tcp flags syn limit rate over 1024/second burst 128 packets counter notrack accept
|
tcp dport { 22, 80, 443 } tcp flags syn limit rate over 1024/second burst 128 packets counter notrack accept
|
||||||
|
|
||||||
|
meta l4proto { tcp, udp } accept
|
||||||
meta l4proto { icmp, ipv6-icmp } notrack accept
|
meta l4proto { icmp, ipv6-icmp } notrack accept
|
||||||
}
|
}
|
||||||
|
|
||||||
|
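Review bot: Nothing in the chain records what the new `policy drop` is discarding, so the first sign of an over-tight default on this host would be a silently failing protocol rather than a counter moving. I would close the chain with `counter drop` after `meta l4proto { icmp, ipv6-icmp } notrack accept`, consistent with the `counter drop` on the reverse-path rule, and consider a rate-limited `log prefix` on the same line for the first days after rollout. Rules between the two hunks are not visible here, so I am assuming there are no further accepts for other transports.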