diff --git a/nftables-attestation.conf b/nftables-attestation.conf
index fa828f0..934cac2 100644
--- a/nftables-attestation.conf
+++ b/nftables-attestation.conf
@@ -62,10 +62,10 @@ table inet filter {
 }
 chain input-tcp-service {
- iif lo goto input-loopback
+ iif lo goto input-tcp-service-loopback
 # for synproxy, SYN is untracked and first ACK is invalid which are handled via fallthrough
- ct state vmap { new : goto input-new, established : goto input-established, related : accept }
+ ct state vmap { new : goto input-tcp-service-new, established : goto input-tcp-service-established, related : accept }
 tcp dport 22 ip saddr @ip-connlimit-ssh counter reject with tcp reset
 tcp dport 22 ip6 saddr and ffff:ffff:ffff:ffff:ffff:: @ip6-connlimit-ssh counter reject with tcp reset
@@ -74,7 +74,7 @@ table inet filter {
 synproxy mss 1460 wscale 7 timestamp sack-perm
 }
- chain input-new {
+ chain input-tcp-service-new {
 tcp dport 22 ip saddr @ip-connlimit-ssh counter reject with tcp reset
 tcp dport 22 ip6 saddr and ffff:ffff:ffff:ffff:ffff:: @ip6-connlimit-ssh counter reject with tcp reset
 tcp dport { 80, 443 } ip saddr @ip-connlimit-main counter reject with tcp reset
@@ -82,7 +82,7 @@ table inet filter {
 accept
 }
- chain input-established {
+ chain input-tcp-service-established {
 ct mark 0x1 accept
 tcp dport 22 ip saddr != $ip-allowlist-ssh add @ip-connlimit-ssh { ip saddr ct count over 1 } counter reject with tcp reset
 tcp dport 22 ip6 saddr != $ip6-allowlist-ssh add @ip6-connlimit-ssh { ip6 saddr and ffff:ffff:ffff:ffff:ffff:: ct count over 1 } counter reject with tcp reset
@@ -91,7 +91,7 @@ table inet filter {
 ct mark set 0x1 accept
 }
- chain input-loopback {
+ chain input-tcp-service-loopback {
 tcp flags != syn accept
 tcp dport 22 ip saddr != $ip-allowlist-ssh add @ip-connlimit-ssh { ip saddr ct count over 1 } counter reject with tcp reset
 tcp dport 22 ip6 saddr != $ip6-allowlist-ssh add @ip6-connlimit-ssh { ip6 saddr and ffff:ffff:ffff:ffff:ffff:: ct count over 1 } counter reject with tcp reset
diff --git a/nftables-discuss.conf b/nftables-discuss.conf
index 3c2e248..1a8e156 100644
--- a/nftables-discuss.conf
+++ b/nftables-discuss.conf
@@ -62,10 +62,10 @@ table inet filter {
 }
 chain input-tcp-service {
- iif lo goto input-loopback
+ iif lo goto input-tcp-service-loopback
 # for synproxy, SYN is untracked and first ACK is invalid which are handled via fallthrough
- ct state vmap { new : goto input-new, established : goto input-established, related : accept }
+ ct state vmap { new : goto input-tcp-service-new, established : goto input-tcp-service-established, related : accept }
 tcp dport 22 ip saddr @ip-connlimit-ssh counter reject with tcp reset
 tcp dport 22 ip6 saddr and ffff:ffff:ffff:ffff:ffff:: @ip6-connlimit-ssh counter reject with tcp reset
@@ -74,7 +74,7 @@ table inet filter {
 synproxy mss 1460 wscale 7 timestamp sack-perm
 }
- chain input-new {
+ chain input-tcp-service-new {
 tcp dport 22 ip saddr @ip-connlimit-ssh counter reject with tcp reset
 tcp dport 22 ip6 saddr and ffff:ffff:ffff:ffff:ffff:: @ip6-connlimit-ssh counter reject with tcp reset
 tcp dport { 80, 443 } ip saddr @ip-connlimit-main counter reject with tcp reset
@@ -82,7 +82,7 @@ table inet filter {
 accept
 }
- chain input-established {
+ chain input-tcp-service-established {
 ct mark 0x1 accept
 tcp dport 22 ip saddr != $ip-allowlist-ssh add @ip-connlimit-ssh { ip saddr ct count over 1 } counter reject with tcp reset
 tcp dport 22 ip6 saddr != $ip6-allowlist-ssh add @ip6-connlimit-ssh { ip6 saddr and ffff:ffff:ffff:ffff:ffff:: ct count over 1 } counter reject with tcp reset
@@ -91,7 +91,7 @@ table inet filter {
 ct mark set 0x1 accept
 }
- chain input-loopback {
+ chain input-tcp-service-loopback {
 tcp flags != syn accept
 tcp dport 22 ip saddr != $ip-allowlist-ssh add @ip-connlimit-ssh { ip saddr ct count over 1 } counter reject with tcp reset
 tcp dport 22 ip6 saddr != $ip6-allowlist-ssh add @ip6-connlimit-ssh { ip6 saddr and ffff:ffff:ffff:ffff:ffff:: ct count over 1 } counter reject with tcp reset
diff --git a/nftables-mail.conf b/nftables-mail.conf
index 0722cb8..dd81b0a 100644
--- a/nftables-mail.conf
+++ b/nftables-mail.conf
@@ -62,10 +62,10 @@ table inet filter {
 }
 chain input-tcp-service {
- iif lo goto input-loopback
+ iif lo goto input-tcp-service-loopback
 # for synproxy, SYN is untracked and first ACK is invalid which are handled via fallthrough
- ct state vmap { new : goto input-new, established : goto input-established, related : accept }
+ ct state vmap { new : goto input-tcp-service-new, established : goto input-tcp-service-established, related : accept }
 tcp dport 22 ip saddr @ip-connlimit-ssh counter reject with tcp reset
 tcp dport 22 ip6 saddr and ffff:ffff:ffff:ffff:ffff:: @ip6-connlimit-ssh counter reject with tcp reset
@@ -74,7 +74,7 @@ table inet filter {
 synproxy mss 1460 wscale 7 timestamp sack-perm
 }
- chain input-new {
+ chain input-tcp-service-new {
 tcp dport 22 ip saddr @ip-connlimit-ssh counter reject with tcp reset
 tcp dport 22 ip6 saddr and ffff:ffff:ffff:ffff:ffff:: @ip6-connlimit-ssh counter reject with tcp reset
 tcp dport { 25, 80, 443, 465, 993 } ip saddr @ip-connlimit-main counter reject with tcp reset
@@ -82,7 +82,7 @@ table inet filter {
 accept
 }
- chain input-established {
+ chain input-tcp-service-established {
 ct mark 0x1 accept
 tcp dport 22 ip saddr != $ip-allowlist-ssh add @ip-connlimit-ssh { ip saddr ct count over 1 } counter reject with tcp reset
 tcp dport 22 ip6 saddr != $ip6-allowlist-ssh add @ip6-connlimit-ssh { ip6 saddr and ffff:ffff:ffff:ffff:ffff:: ct count over 1 } counter reject with tcp reset
@@ -91,7 +91,7 @@ table inet filter {
 ct mark set 0x1 accept
 }
- chain input-loopback {
+ chain input-tcp-service-loopback {
 tcp flags != syn accept
 tcp dport 22 ip saddr != $ip-allowlist-ssh add @ip-connlimit-ssh { ip saddr ct count over 1 } counter reject with tcp reset
 tcp dport 22 ip6 saddr != $ip6-allowlist-ssh add @ip6-connlimit-ssh { ip6 saddr and ffff:ffff:ffff:ffff:ffff:: ct count over 1 } counter reject with tcp reset
diff --git a/nftables-matrix.conf b/nftables-matrix.conf
index 3664400..90163e2 100644
--- a/nftables-matrix.conf
+++ b/nftables-matrix.conf
@@ -62,10 +62,10 @@ table inet filter {
 }
 chain input-tcp-service {
- iif lo goto input-loopback
+ iif lo goto input-tcp-service-loopback
 # for synproxy, SYN is untracked and first ACK is invalid which are handled via fallthrough
- ct state vmap { new : goto input-new, established : goto input-established, related : accept }
+ ct state vmap { new : goto input-tcp-service-new, established : goto input-tcp-service-established, related : accept }
 tcp dport 22 ip saddr @ip-connlimit-ssh counter reject with tcp reset
 tcp dport 22 ip6 saddr and ffff:ffff:ffff:ffff:ffff:: @ip6-connlimit-ssh counter reject with tcp reset
@@ -74,7 +74,7 @@ table inet filter {
 synproxy mss 1460 wscale 7 timestamp sack-perm
 }
- chain input-new {
+ chain input-tcp-service-new {
 tcp dport 22 ip saddr @ip-connlimit-ssh counter reject with tcp reset
 tcp dport 22 ip6 saddr and ffff:ffff:ffff:ffff:ffff:: @ip6-connlimit-ssh counter reject with tcp reset
 tcp dport { 80, 443 } ip saddr @ip-connlimit-main counter reject with tcp reset
@@ -82,7 +82,7 @@ table inet filter {
 accept
 }
- chain input-established {
+ chain input-tcp-service-established {
 ct mark 0x1 accept
 tcp dport 22 ip saddr != $ip-allowlist-ssh add @ip-connlimit-ssh { ip saddr ct count over 1 } counter reject with tcp reset
 tcp dport 22 ip6 saddr != $ip6-allowlist-ssh add @ip6-connlimit-ssh { ip6 saddr and ffff:ffff:ffff:ffff:ffff:: ct count over 1 } counter reject with tcp reset
@@ -91,7 +91,7 @@ table inet filter {
 ct mark set 0x1 accept
 }
- chain input-loopback {
+ chain input-tcp-service-loopback {
 tcp flags != syn accept
 tcp dport 22 ip saddr != $ip-allowlist-ssh add @ip-connlimit-ssh { ip saddr ct count over 1 } counter reject with tcp reset
 tcp dport 22 ip6 saddr != $ip6-allowlist-ssh add @ip6-connlimit-ssh { ip6 saddr and ffff:ffff:ffff:ffff:ffff:: ct count over 1 } counter reject with tcp reset
diff --git a/nftables-network.conf b/nftables-network.conf
index bd3b595..0036286 100644
--- a/nftables-network.conf
+++ b/nftables-network.conf
@@ -66,10 +66,10 @@ table inet filter {
 }
 chain input-tcp-service {
- iif lo goto input-loopback
+ iif lo goto input-tcp-service-loopback
 # for synproxy, SYN is untracked and first ACK is invalid which are handled via fallthrough
- ct state vmap { new : goto input-new, established : goto input-established, related : accept }
+ ct state vmap { new : goto input-tcp-service-new, established : goto input-tcp-service-established, related : accept }
 tcp dport 22 ip saddr @ip-connlimit-ssh counter reject with tcp reset
 tcp dport 22 ip6 saddr and ffff:ffff:ffff:ffff:ffff:: @ip6-connlimit-ssh counter reject with tcp reset
@@ -78,7 +78,7 @@ table inet filter {
 synproxy mss 1460 wscale 7 timestamp sack-perm
 }
- chain input-new {
+ chain input-tcp-service-new {
 tcp dport 22 ip saddr @ip-connlimit-ssh counter reject with tcp reset
 tcp dport 22 ip6 saddr and ffff:ffff:ffff:ffff:ffff:: @ip6-connlimit-ssh counter reject with tcp reset
 tcp dport { 80, 443, 7275 } ip saddr @ip-connlimit-main counter reject with tcp reset
@@ -86,7 +86,7 @@ table inet filter {
 accept
 }
- chain input-established {
+ chain input-tcp-service-established {
 ct mark 0x1 accept
 tcp dport 22 ip saddr != $ip-allowlist-ssh add @ip-connlimit-ssh { ip saddr ct count over 1 } counter reject with tcp reset
 tcp dport 22 ip6 saddr != $ip6-allowlist-ssh add @ip6-connlimit-ssh { ip6 saddr and ffff:ffff:ffff:ffff:ffff:: ct count over 1 } counter reject with tcp reset
@@ -95,7 +95,7 @@ table inet filter {
 ct mark set 0x1 accept
 }
- chain input-loopback {
+ chain input-tcp-service-loopback {
 tcp flags != syn accept
 tcp dport 22 ip saddr != $ip-allowlist-ssh add @ip-connlimit-ssh { ip saddr ct count over 1 } counter reject with tcp reset
 tcp dport 22 ip6 saddr != $ip6-allowlist-ssh add @ip6-connlimit-ssh { ip6 saddr and ffff:ffff:ffff:ffff:ffff:: ct count over 1 } counter reject with tcp reset
diff --git a/nftables-ns1.conf b/nftables-ns1.conf
index b434f21..46473f5 100644
--- a/nftables-ns1.conf
+++ b/nftables-ns1.conf
@@ -65,10 +65,10 @@ table inet filter {
 }
 chain input-tcp-service {
- iif lo goto input-loopback
+ iif lo goto input-tcp-service-loopback
 # for synproxy, SYN is untracked and first ACK is invalid which are handled via fallthrough
- ct state vmap { new : goto input-new, established : goto input-established, related : accept }
+ ct state vmap { new : goto input-tcp-service-new, established : goto input-tcp-service-established, related : accept }
 tcp dport 22 ip saddr @ip-connlimit-ssh counter reject with tcp reset
 tcp dport 22 ip6 saddr and ffff:ffff:ffff:ffff:ffff:: @ip6-connlimit-ssh counter reject with tcp reset
@@ -77,7 +77,7 @@ table inet filter {
 synproxy mss 1460 wscale 7 timestamp sack-perm
 }
- chain input-new {
+ chain input-tcp-service-new {
 tcp dport 22 ip saddr @ip-connlimit-ssh counter reject with tcp reset
 tcp dport 22 ip6 saddr and ffff:ffff:ffff:ffff:ffff:: @ip6-connlimit-ssh counter reject with tcp reset
 tcp dport { 53, 80, 443, 853 } ip saddr @ip-connlimit-main counter reject with tcp reset
@@ -85,7 +85,7 @@ table inet filter {
 accept
 }
- chain input-established {
+ chain input-tcp-service-established {
 ct mark 0x1 accept
 tcp dport 22 ip saddr != $ip-allowlist-ssh add @ip-connlimit-ssh { ip saddr ct count over 1 } counter reject with tcp reset
 tcp dport 22 ip6 saddr != $ip6-allowlist-ssh add @ip6-connlimit-ssh { ip6 saddr and ffff:ffff:ffff:ffff:ffff:: ct count over 1 } counter reject with tcp reset
@@ -94,7 +94,7 @@ table inet filter {
 ct mark set 0x1 accept
 }
- chain input-loopback {
+ chain input-tcp-service-loopback {
 tcp flags != syn accept
 tcp dport 22 ip saddr != $ip-allowlist-ssh add @ip-connlimit-ssh { ip saddr ct count over 1 } counter reject with tcp reset
 tcp dport 22 ip6 saddr != $ip6-allowlist-ssh add @ip6-connlimit-ssh { ip6 saddr and ffff:ffff:ffff:ffff:ffff:: ct count over 1 } counter reject with tcp reset
diff --git a/nftables-ns2.conf b/nftables-ns2.conf
index 448db7e..e5f4faf 100644
--- a/nftables-ns2.conf
+++ b/nftables-ns2.conf
@@ -70,10 +70,10 @@ table inet filter {
 }
 chain input-tcp-service {
- iif lo goto input-loopback
+ iif lo goto input-tcp-service-loopback
 # for synproxy, SYN is untracked and first ACK is invalid which are handled via fallthrough
- ct state vmap { new : goto input-new, established : goto input-established, related : accept }
+ ct state vmap { new : goto input-tcp-service-new, established : goto input-tcp-service-established, related : accept }
 tcp dport 22 ip saddr @ip-connlimit-ssh counter reject with tcp reset
 tcp dport 22 ip6 saddr and ffff:ffff:ffff:ffff:ffff:: @ip6-connlimit-ssh counter reject with tcp reset
@@ -82,7 +82,7 @@ table inet filter {
 synproxy mss 1460 wscale 7 timestamp sack-perm
 }
- chain input-new {
+ chain input-tcp-service-new {
 tcp dport 22 ip saddr @ip-connlimit-ssh counter reject with tcp reset
 tcp dport 22 ip6 saddr and ffff:ffff:ffff:ffff:ffff:: @ip6-connlimit-ssh counter reject with tcp reset
 tcp dport { 53, 80, 443, 853 } ip saddr @ip-connlimit-main counter reject with tcp reset
@@ -90,7 +90,7 @@ table inet filter {
 accept
 }
- chain input-established {
+ chain input-tcp-service-established {
 ct mark 0x1 accept
 tcp dport 22 ip saddr != $ip-allowlist-ssh add @ip-connlimit-ssh { ip saddr ct count over 1 } counter reject with tcp reset
 tcp dport 22 ip6 saddr != $ip6-allowlist-ssh add @ip6-connlimit-ssh { ip6 saddr and ffff:ffff:ffff:ffff:ffff:: ct count over 1 } counter reject with tcp reset
@@ -99,7 +99,7 @@ table inet filter {
 ct mark set 0x1 accept
 }
- chain input-loopback {
+ chain input-tcp-service-loopback {
 tcp flags != syn accept
 tcp dport 22 ip saddr != $ip-allowlist-ssh add @ip-connlimit-ssh { ip saddr ct count over 1 } counter reject with tcp reset
 tcp dport 22 ip6 saddr != $ip6-allowlist-ssh add @ip6-connlimit-ssh { ip6 saddr and ffff:ffff:ffff:ffff:ffff:: ct count over 1 } counter reject with tcp reset
diff --git a/nftables-social.conf b/nftables-social.conf
index 234e9e3..a948f39 100644
--- a/nftables-social.conf
+++ b/nftables-social.conf
@@ -62,10 +62,10 @@ table inet filter {
 }
 chain input-tcp-service {
- iif lo goto input-loopback
+ iif lo goto input-tcp-service-loopback
 # for synproxy, SYN is untracked and first ACK is invalid which are handled via fallthrough
- ct state vmap { new : goto input-new, established : goto input-established, related : accept }
+ ct state vmap { new : goto input-tcp-service-new, established : goto input-tcp-service-established, related : accept }
 tcp dport 22 ip saddr @ip-connlimit-ssh counter reject with tcp reset
 tcp dport 22 ip6 saddr and ffff:ffff:ffff:ffff:ffff:: @ip6-connlimit-ssh counter reject with tcp reset
@@ -74,7 +74,7 @@ table inet filter {
 synproxy mss 1460 wscale 7 timestamp sack-perm
 }
- chain input-new {
+ chain input-tcp-service-new {
 tcp dport 22 ip saddr @ip-connlimit-ssh counter reject with tcp reset
 tcp dport 22 ip6 saddr and ffff:ffff:ffff:ffff:ffff:: @ip6-connlimit-ssh counter reject with tcp reset
 tcp dport { 80, 443 } ip saddr @ip-connlimit-main counter reject with tcp reset
@@ -82,7 +82,7 @@ table inet filter {
 accept
 }
- chain input-established {
+ chain input-tcp-service-established {
 ct mark 0x1 accept
 tcp dport 22 ip saddr != $ip-allowlist-ssh add @ip-connlimit-ssh { ip saddr ct count over 1 } counter reject with tcp reset
 tcp dport 22 ip6 saddr != $ip6-allowlist-ssh add @ip6-connlimit-ssh { ip6 saddr and ffff:ffff:ffff:ffff:ffff:: ct count over 1 } counter reject with tcp reset
@@ -91,7 +91,7 @@ table inet filter {
 ct mark set 0x1 accept
 }
- chain input-loopback {
+ chain input-tcp-service-loopback {
 tcp flags != syn accept
 tcp dport 22 ip saddr != $ip-allowlist-ssh add @ip-connlimit-ssh { ip saddr ct count over 1 } counter reject with tcp reset
 tcp dport 22 ip6 saddr != $ip6-allowlist-ssh add @ip6-connlimit-ssh { ip6 saddr and ffff:ffff:ffff:ffff:ffff:: ct count over 1 } counter reject with tcp reset
diff --git a/nftables-web.conf b/nftables-web.conf
index 815f165..e8b7d6a 100644
--- a/nftables-web.conf
+++ b/nftables-web.conf
@@ -66,10 +66,10 @@ table inet filter {
 }
 chain input-tcp-service {
- iif lo goto input-loopback
+ iif lo goto input-tcp-service-loopback
 # for synproxy, SYN is untracked and first ACK is invalid which are handled via fallthrough
- ct state vmap { new : goto input-new, established : goto input-established, related : accept }
+ ct state vmap { new : goto input-tcp-service-new, established : goto input-tcp-service-established, related : accept }
 tcp dport 22 ip saddr @ip-connlimit-ssh counter reject with tcp reset
 tcp dport 22 ip6 saddr and ffff:ffff:ffff:ffff:ffff:: @ip6-connlimit-ssh counter reject with tcp reset
@@ -78,7 +78,7 @@ table inet filter {
 synproxy mss 1460 wscale 7 timestamp sack-perm
 }
- chain input-new {
+ chain input-tcp-service-new {
 tcp dport 22 ip saddr @ip-connlimit-ssh counter reject with tcp reset
 tcp dport 22 ip6 saddr and ffff:ffff:ffff:ffff:ffff:: @ip6-connlimit-ssh counter reject with tcp reset
 tcp dport { 80, 443 } ip saddr @ip-connlimit-main counter reject with tcp reset
@@ -86,7 +86,7 @@ table inet filter {
 accept
 }
- chain input-established {
+ chain input-tcp-service-established {
 ct mark 0x1 accept
 tcp dport 22 ip saddr != $ip-allowlist-ssh add @ip-connlimit-ssh { ip saddr ct count over 1 } counter reject with tcp reset
 tcp dport 22 ip6 saddr != $ip6-allowlist-ssh add @ip6-connlimit-ssh { ip6 saddr and ffff:ffff:ffff:ffff:ffff:: ct count over 1 } counter reject with tcp reset
@@ -95,7 +95,7 @@ table inet filter {
 ct mark set 0x1 accept
 }
- chain input-loopback {
+ chain input-tcp-service-loopback {
 tcp flags != syn accept
 tcp dport 22 ip saddr != $ip-allowlist-ssh add @ip-connlimit-ssh { ip saddr ct count over 1 } counter reject with tcp reset
 tcp dport 22 ip6 saddr != $ip6-allowlist-ssh add @ip6-connlimit-ssh { ip6 saddr and ffff:ffff:ffff:ffff:ffff:: ct count over 1 } counter reject with tcp reset