simplify synproxy-based connection limit rules

2024-04-05 13:36:09 -04:00 · 2024-04-05 13:36:09 -04:00 · cf274f34d7
parent c1756f5809
commit cf274f34d7
9 changed files with 45 additions and 36 deletions
--- a/nftables-attestation.conf
+++ b/nftables-attestation.conf
@ -72,10 +72,11 @@ table inet filter {
    }

    chain input-loopback {
-        tcp dport 22 tcp flags syn ip saddr != $ip-allowlist-ssh add @ip-connlimit-ssh { ip saddr ct count over 1 } counter reject with tcp reset
-        tcp dport 22 tcp flags syn ip6 saddr != $ip6-allowlist-ssh add @ip6-connlimit-ssh { ip6 saddr and ffff:ffff:ffff:ffff:ffff:: ct count over 1 } counter reject with tcp reset
-        tcp dport 80 tcp flags syn add @ip-connlimit-http { ip saddr ct count over 32 } counter reject with tcp reset
-        tcp dport 80 tcp flags syn add @ip6-connlimit-http { ip6 saddr and ffff:ffff:ffff:ffff:: ct count over 32 } counter reject with tcp reset
+        tcp flags != syn accept
+        tcp dport 22 ip saddr != $ip-allowlist-ssh add @ip-connlimit-ssh { ip saddr ct count over 1 } counter reject with tcp reset
+        tcp dport 22 ip6 saddr != $ip6-allowlist-ssh add @ip6-connlimit-ssh { ip6 saddr and ffff:ffff:ffff:ffff:ffff:: ct count over 1 } counter reject with tcp reset
+        tcp dport 80 add @ip-connlimit-http { ip saddr ct count over 32 } counter reject with tcp reset
+        tcp dport 80 add @ip6-connlimit-http { ip6 saddr and ffff:ffff:ffff:ffff:: ct count over 32 } counter reject with tcp reset
        accept
    }

--- a/nftables-discuss.conf
+++ b/nftables-discuss.conf
@ -75,10 +75,11 @@ table inet filter {
    }

    chain input-loopback {
-        tcp dport 22 tcp flags syn ip saddr != $ip-allowlist-ssh add @ip-connlimit-ssh { ip saddr ct count over 1 } counter reject with tcp reset
-        tcp dport 22 tcp flags syn ip6 saddr != $ip6-allowlist-ssh add @ip6-connlimit-ssh { ip6 saddr and ffff:ffff:ffff:ffff:ffff:: ct count over 1 } counter reject with tcp reset
-        tcp dport 80 tcp flags syn add @ip-connlimit-http { ip saddr ct count over 32 } counter reject with tcp reset
-        tcp dport 80 tcp flags syn add @ip6-connlimit-http { ip6 saddr and ffff:ffff:ffff:ffff:: ct count over 32 } counter reject with tcp reset
+        tcp flags != syn accept
+        tcp dport 22 ip saddr != $ip-allowlist-ssh add @ip-connlimit-ssh { ip saddr ct count over 1 } counter reject with tcp reset
+        tcp dport 22 ip6 saddr != $ip6-allowlist-ssh add @ip6-connlimit-ssh { ip6 saddr and ffff:ffff:ffff:ffff:ffff:: ct count over 1 } counter reject with tcp reset
+        tcp dport 80 add @ip-connlimit-http { ip saddr ct count over 32 } counter reject with tcp reset
+        tcp dport 80 add @ip6-connlimit-http { ip6 saddr and ffff:ffff:ffff:ffff:: ct count over 32 } counter reject with tcp reset
        accept
    }

--- a/nftables-mail.conf
+++ b/nftables-mail.conf
@ -72,10 +72,11 @@ table inet filter {
    }

    chain input-loopback {
-        tcp dport 22 tcp flags syn ip saddr != $ip-allowlist-ssh add @ip-connlimit-ssh { ip saddr ct count over 1 } counter reject with tcp reset
-        tcp dport 22 tcp flags syn ip6 saddr != $ip6-allowlist-ssh add @ip6-connlimit-ssh { ip6 saddr and ffff:ffff:ffff:ffff:ffff:: ct count over 1 } counter reject with tcp reset
-        tcp dport { 80, 443 } tcp flags syn add @ip-connlimit-http { ip saddr ct count over 32 } counter reject with tcp reset
-        tcp dport { 80, 443 } tcp flags syn add @ip6-connlimit-http { ip6 saddr and ffff:ffff:ffff:ffff:: ct count over 32 } counter reject with tcp reset
+        tcp flags != syn accept
+        tcp dport 22 ip saddr != $ip-allowlist-ssh add @ip-connlimit-ssh { ip saddr ct count over 1 } counter reject with tcp reset
+        tcp dport 22 ip6 saddr != $ip6-allowlist-ssh add @ip6-connlimit-ssh { ip6 saddr and ffff:ffff:ffff:ffff:ffff:: ct count over 1 } counter reject with tcp reset
+        tcp dport { 80, 443 } add @ip-connlimit-http { ip saddr ct count over 32 } counter reject with tcp reset
+        tcp dport { 80, 443 } add @ip6-connlimit-http { ip6 saddr and ffff:ffff:ffff:ffff:: ct count over 32 } counter reject with tcp reset
        accept
    }

--- a/nftables-matrix.conf
+++ b/nftables-matrix.conf
@ -72,10 +72,11 @@ table inet filter {
    }

    chain input-loopback {
-        tcp dport 22 tcp flags syn ip saddr != $ip-allowlist-ssh add @ip-connlimit-ssh { ip saddr ct count over 1 } counter reject with tcp reset
-        tcp dport 22 tcp flags syn ip6 saddr != $ip6-allowlist-ssh add @ip6-connlimit-ssh { ip6 saddr and ffff:ffff:ffff:ffff:ffff:: ct count over 1 } counter reject with tcp reset
-        tcp dport 80 tcp flags syn add @ip-connlimit-http { ip saddr ct count over 32 } counter reject with tcp reset
-        tcp dport 80 tcp flags syn add @ip6-connlimit-http { ip6 saddr and ffff:ffff:ffff:ffff:: ct count over 32 } counter reject with tcp reset
+        tcp flags != syn accept
+        tcp dport 22 ip saddr != $ip-allowlist-ssh add @ip-connlimit-ssh { ip saddr ct count over 1 } counter reject with tcp reset
+        tcp dport 22 ip6 saddr != $ip6-allowlist-ssh add @ip6-connlimit-ssh { ip6 saddr and ffff:ffff:ffff:ffff:ffff:: ct count over 1 } counter reject with tcp reset
+        tcp dport 80 add @ip-connlimit-http { ip saddr ct count over 32 } counter reject with tcp reset
+        tcp dport 80 add @ip6-connlimit-http { ip6 saddr and ffff:ffff:ffff:ffff:: ct count over 32 } counter reject with tcp reset
        accept
    }

--- a/nftables-network.conf
+++ b/nftables-network.conf
@ -77,10 +77,11 @@ table inet filter {
    }

    chain input-loopback {
-        tcp dport 22 tcp flags syn ip saddr != $ip-allowlist-ssh add @ip-connlimit-ssh { ip saddr ct count over 1 } counter reject with tcp reset
-        tcp dport 22 tcp flags syn ip6 saddr != $ip6-allowlist-ssh add @ip6-connlimit-ssh { ip6 saddr and ffff:ffff:ffff:ffff:ffff:: ct count over 1 } counter reject with tcp reset
-        tcp dport 7275 tcp flags syn add @ip-connlimit-supl { ip saddr ct count over 32 } counter reject with tcp reset
-        tcp dport 7275 tcp flags syn add @ip6-connlimit-supl { ip6 saddr and ffff:ffff:ffff:ffff:: ct count over 32 } counter reject with tcp reset
+        tcp flags != syn accept
+        tcp dport 22 ip saddr != $ip-allowlist-ssh add @ip-connlimit-ssh { ip saddr ct count over 1 } counter reject with tcp reset
+        tcp dport 22 ip6 saddr != $ip6-allowlist-ssh add @ip6-connlimit-ssh { ip6 saddr and ffff:ffff:ffff:ffff:ffff:: ct count over 1 } counter reject with tcp reset
+        tcp dport 7275 add @ip-connlimit-supl { ip saddr ct count over 32 } counter reject with tcp reset
+        tcp dport 7275 add @ip6-connlimit-supl { ip6 saddr and ffff:ffff:ffff:ffff:: ct count over 32 } counter reject with tcp reset
        accept
    }

--- a/nftables-ns1.conf
+++ b/nftables-ns1.conf
@ -72,10 +72,11 @@ table inet filter {
    }

    chain input-loopback {
-        tcp dport 22 tcp flags syn ip saddr != $ip-allowlist-ssh add @ip-connlimit-ssh { ip saddr ct count over 1 } counter reject with tcp reset
-        tcp dport 22 tcp flags syn ip6 saddr != $ip6-allowlist-ssh add @ip6-connlimit-ssh { ip6 saddr and ffff:ffff:ffff:ffff:ffff:: ct count over 1 } counter reject with tcp reset
-        tcp dport { 53, 80, 443, 853 } tcp flags syn add @ip-connlimit-main { ip saddr ct count over 16 } counter reject with tcp reset
-        tcp dport { 53, 80, 443, 853 } tcp flags syn add @ip6-connlimit-main { ip6 saddr and ffff:ffff:ffff:ffff:: ct count over 16 } counter reject with tcp reset
+        tcp flags != syn accept
+        tcp dport 22 ip saddr != $ip-allowlist-ssh add @ip-connlimit-ssh { ip saddr ct count over 1 } counter reject with tcp reset
+        tcp dport 22 ip6 saddr != $ip6-allowlist-ssh add @ip6-connlimit-ssh { ip6 saddr and ffff:ffff:ffff:ffff:ffff:: ct count over 1 } counter reject with tcp reset
+        tcp dport { 53, 80, 443, 853 } add @ip-connlimit-main { ip saddr ct count over 16 } counter reject with tcp reset
+        tcp dport { 53, 80, 443, 853 } add @ip6-connlimit-main { ip6 saddr and ffff:ffff:ffff:ffff:: ct count over 16 } counter reject with tcp reset
        accept
    }

--- a/nftables-ns2.conf
+++ b/nftables-ns2.conf
@ -77,10 +77,11 @@ table inet filter {
    }

    chain input-loopback {
-        tcp dport 22 tcp flags syn ip saddr != $ip-allowlist-ssh add @ip-connlimit-ssh { ip saddr ct count over 1 } counter reject with tcp reset
-        tcp dport 22 tcp flags syn ip6 saddr != $ip6-allowlist-ssh add @ip6-connlimit-ssh { ip6 saddr and ffff:ffff:ffff:ffff:ffff:: ct count over 1 } counter reject with tcp reset
-        tcp dport { 53, 80, 443, 853 } tcp flags syn add @ip-connlimit-main { ip saddr ct count over 16 } counter reject with tcp reset
-        tcp dport { 53, 80, 443, 853 } tcp flags syn add @ip6-connlimit-main { ip6 saddr and ffff:ffff:ffff:ffff:: ct count over 16 } counter reject with tcp reset
+        tcp flags != syn accept
+        tcp dport 22 ip saddr != $ip-allowlist-ssh add @ip-connlimit-ssh { ip saddr ct count over 1 } counter reject with tcp reset
+        tcp dport 22 ip6 saddr != $ip6-allowlist-ssh add @ip6-connlimit-ssh { ip6 saddr and ffff:ffff:ffff:ffff:ffff:: ct count over 1 } counter reject with tcp reset
+        tcp dport { 53, 80, 443, 853 } add @ip-connlimit-main { ip saddr ct count over 16 } counter reject with tcp reset
+        tcp dport { 53, 80, 443, 853 } add @ip6-connlimit-main { ip6 saddr and ffff:ffff:ffff:ffff:: ct count over 16 } counter reject with tcp reset
        accept
    }

--- a/nftables-social.conf
+++ b/nftables-social.conf
@ -72,10 +72,11 @@ table inet filter {
    }

    chain input-loopback {
-        tcp dport 22 tcp flags syn ip saddr != $ip-allowlist-ssh add @ip-connlimit-ssh { ip saddr ct count over 1 } counter reject with tcp reset
-        tcp dport 22 tcp flags syn ip6 saddr != $ip6-allowlist-ssh add @ip6-connlimit-ssh { ip6 saddr and ffff:ffff:ffff:ffff:ffff:: ct count over 1 } counter reject with tcp reset
-        tcp dport 80 tcp flags syn add @ip-connlimit-http { ip saddr ct count over 32 } counter reject with tcp reset
-        tcp dport 80 tcp flags syn add @ip6-connlimit-http { ip6 saddr and ffff:ffff:ffff:ffff:: ct count over 32 } counter reject with tcp reset
+        tcp flags != syn accept
+        tcp dport 22 ip saddr != $ip-allowlist-ssh add @ip-connlimit-ssh { ip saddr ct count over 1 } counter reject with tcp reset
+        tcp dport 22 ip6 saddr != $ip6-allowlist-ssh add @ip6-connlimit-ssh { ip6 saddr and ffff:ffff:ffff:ffff:ffff:: ct count over 1 } counter reject with tcp reset
+        tcp dport 80 add @ip-connlimit-http { ip saddr ct count over 32 } counter reject with tcp reset
+        tcp dport 80 add @ip6-connlimit-http { ip6 saddr and ffff:ffff:ffff:ffff:: ct count over 32 } counter reject with tcp reset
        accept
    }

--- a/nftables-web.conf
+++ b/nftables-web.conf
@ -76,10 +76,11 @@ table inet filter {
    }

    chain input-loopback {
-        tcp dport 22 tcp flags syn ip saddr != $ip-allowlist-ssh add @ip-connlimit-ssh { ip saddr ct count over 1 } counter reject with tcp reset
-        tcp dport 22 tcp flags syn ip6 saddr != $ip6-allowlist-ssh add @ip6-connlimit-ssh { ip6 saddr and ffff:ffff:ffff:ffff:ffff:: ct count over 1 } counter reject with tcp reset
-        tcp dport 80 tcp flags syn add @ip-connlimit-http { ip saddr ct count over 32 } counter reject with tcp reset
-        tcp dport 80 tcp flags syn add @ip6-connlimit-http { ip6 saddr and ffff:ffff:ffff:ffff:: ct count over 32 } counter reject with tcp reset
+        tcp flags != syn accept
+        tcp dport 22 ip saddr != $ip-allowlist-ssh add @ip-connlimit-ssh { ip saddr ct count over 1 } counter reject with tcp reset
+        tcp dport 22 ip6 saddr != $ip6-allowlist-ssh add @ip6-connlimit-ssh { ip6 saddr and ffff:ffff:ffff:ffff:ffff:: ct count over 1 } counter reject with tcp reset
+        tcp dport 80 add @ip-connlimit-http { ip saddr ct count over 32 } counter reject with tcp reset
+        tcp dport 80 add @ip6-connlimit-http { ip6 saddr and ffff:ffff:ffff:ffff:: ct count over 32 } counter reject with tcp reset
        accept
    }