nftables: rename tcp service chains
This commit is contained in:
parent
3d886dea43
commit
edbf50a3da
@ -62,10 +62,10 @@ table inet filter {
|
|||||||
}
|
}
|
||||||
|
|
||||||
chain input-tcp-service {
|
chain input-tcp-service {
|
||||||
iif lo goto input-loopback
|
iif lo goto input-tcp-service-loopback
|
||||||
|
|
||||||
# for synproxy, SYN is untracked and first ACK is invalid which are handled via fallthrough
|
# for synproxy, SYN is untracked and first ACK is invalid which are handled via fallthrough
|
||||||
ct state vmap { new : goto input-new, established : goto input-established, related : accept }
|
ct state vmap { new : goto input-tcp-service-new, established : goto input-tcp-service-established, related : accept }
|
||||||
|
|
||||||
tcp dport 22 ip saddr @ip-connlimit-ssh counter reject with tcp reset
|
tcp dport 22 ip saddr @ip-connlimit-ssh counter reject with tcp reset
|
||||||
tcp dport 22 ip6 saddr and ffff:ffff:ffff:ffff:ffff:: @ip6-connlimit-ssh counter reject with tcp reset
|
tcp dport 22 ip6 saddr and ffff:ffff:ffff:ffff:ffff:: @ip6-connlimit-ssh counter reject with tcp reset
|
||||||
@ -74,7 +74,7 @@ table inet filter {
|
|||||||
synproxy mss 1460 wscale 7 timestamp sack-perm
|
synproxy mss 1460 wscale 7 timestamp sack-perm
|
||||||
}
|
}
|
||||||
|
|
||||||
chain input-new {
|
chain input-tcp-service-new {
|
||||||
tcp dport 22 ip saddr @ip-connlimit-ssh counter reject with tcp reset
|
tcp dport 22 ip saddr @ip-connlimit-ssh counter reject with tcp reset
|
||||||
tcp dport 22 ip6 saddr and ffff:ffff:ffff:ffff:ffff:: @ip6-connlimit-ssh counter reject with tcp reset
|
tcp dport 22 ip6 saddr and ffff:ffff:ffff:ffff:ffff:: @ip6-connlimit-ssh counter reject with tcp reset
|
||||||
tcp dport { 80, 443 } ip saddr @ip-connlimit-main counter reject with tcp reset
|
tcp dport { 80, 443 } ip saddr @ip-connlimit-main counter reject with tcp reset
|
||||||
@ -82,7 +82,7 @@ table inet filter {
|
|||||||
accept
|
accept
|
||||||
}
|
}
|
||||||
|
|
||||||
chain input-established {
|
chain input-tcp-service-established {
|
||||||
ct mark 0x1 accept
|
ct mark 0x1 accept
|
||||||
tcp dport 22 ip saddr != $ip-allowlist-ssh add @ip-connlimit-ssh { ip saddr ct count over 1 } counter reject with tcp reset
|
tcp dport 22 ip saddr != $ip-allowlist-ssh add @ip-connlimit-ssh { ip saddr ct count over 1 } counter reject with tcp reset
|
||||||
tcp dport 22 ip6 saddr != $ip6-allowlist-ssh add @ip6-connlimit-ssh { ip6 saddr and ffff:ffff:ffff:ffff:ffff:: ct count over 1 } counter reject with tcp reset
|
tcp dport 22 ip6 saddr != $ip6-allowlist-ssh add @ip6-connlimit-ssh { ip6 saddr and ffff:ffff:ffff:ffff:ffff:: ct count over 1 } counter reject with tcp reset
|
||||||
@ -91,7 +91,7 @@ table inet filter {
|
|||||||
ct mark set 0x1 accept
|
ct mark set 0x1 accept
|
||||||
}
|
}
|
||||||
|
|
||||||
chain input-loopback {
|
chain input-tcp-service-loopback {
|
||||||
tcp flags != syn accept
|
tcp flags != syn accept
|
||||||
tcp dport 22 ip saddr != $ip-allowlist-ssh add @ip-connlimit-ssh { ip saddr ct count over 1 } counter reject with tcp reset
|
tcp dport 22 ip saddr != $ip-allowlist-ssh add @ip-connlimit-ssh { ip saddr ct count over 1 } counter reject with tcp reset
|
||||||
tcp dport 22 ip6 saddr != $ip6-allowlist-ssh add @ip6-connlimit-ssh { ip6 saddr and ffff:ffff:ffff:ffff:ffff:: ct count over 1 } counter reject with tcp reset
|
tcp dport 22 ip6 saddr != $ip6-allowlist-ssh add @ip6-connlimit-ssh { ip6 saddr and ffff:ffff:ffff:ffff:ffff:: ct count over 1 } counter reject with tcp reset
|
||||||
|
@ -62,10 +62,10 @@ table inet filter {
|
|||||||
}
|
}
|
||||||
|
|
||||||
chain input-tcp-service {
|
chain input-tcp-service {
|
||||||
iif lo goto input-loopback
|
iif lo goto input-tcp-service-loopback
|
||||||
|
|
||||||
# for synproxy, SYN is untracked and first ACK is invalid which are handled via fallthrough
|
# for synproxy, SYN is untracked and first ACK is invalid which are handled via fallthrough
|
||||||
ct state vmap { new : goto input-new, established : goto input-established, related : accept }
|
ct state vmap { new : goto input-tcp-service-new, established : goto input-tcp-service-established, related : accept }
|
||||||
|
|
||||||
tcp dport 22 ip saddr @ip-connlimit-ssh counter reject with tcp reset
|
tcp dport 22 ip saddr @ip-connlimit-ssh counter reject with tcp reset
|
||||||
tcp dport 22 ip6 saddr and ffff:ffff:ffff:ffff:ffff:: @ip6-connlimit-ssh counter reject with tcp reset
|
tcp dport 22 ip6 saddr and ffff:ffff:ffff:ffff:ffff:: @ip6-connlimit-ssh counter reject with tcp reset
|
||||||
@ -74,7 +74,7 @@ table inet filter {
|
|||||||
synproxy mss 1460 wscale 7 timestamp sack-perm
|
synproxy mss 1460 wscale 7 timestamp sack-perm
|
||||||
}
|
}
|
||||||
|
|
||||||
chain input-new {
|
chain input-tcp-service-new {
|
||||||
tcp dport 22 ip saddr @ip-connlimit-ssh counter reject with tcp reset
|
tcp dport 22 ip saddr @ip-connlimit-ssh counter reject with tcp reset
|
||||||
tcp dport 22 ip6 saddr and ffff:ffff:ffff:ffff:ffff:: @ip6-connlimit-ssh counter reject with tcp reset
|
tcp dport 22 ip6 saddr and ffff:ffff:ffff:ffff:ffff:: @ip6-connlimit-ssh counter reject with tcp reset
|
||||||
tcp dport { 80, 443 } ip saddr @ip-connlimit-main counter reject with tcp reset
|
tcp dport { 80, 443 } ip saddr @ip-connlimit-main counter reject with tcp reset
|
||||||
@ -82,7 +82,7 @@ table inet filter {
|
|||||||
accept
|
accept
|
||||||
}
|
}
|
||||||
|
|
||||||
chain input-established {
|
chain input-tcp-service-established {
|
||||||
ct mark 0x1 accept
|
ct mark 0x1 accept
|
||||||
tcp dport 22 ip saddr != $ip-allowlist-ssh add @ip-connlimit-ssh { ip saddr ct count over 1 } counter reject with tcp reset
|
tcp dport 22 ip saddr != $ip-allowlist-ssh add @ip-connlimit-ssh { ip saddr ct count over 1 } counter reject with tcp reset
|
||||||
tcp dport 22 ip6 saddr != $ip6-allowlist-ssh add @ip6-connlimit-ssh { ip6 saddr and ffff:ffff:ffff:ffff:ffff:: ct count over 1 } counter reject with tcp reset
|
tcp dport 22 ip6 saddr != $ip6-allowlist-ssh add @ip6-connlimit-ssh { ip6 saddr and ffff:ffff:ffff:ffff:ffff:: ct count over 1 } counter reject with tcp reset
|
||||||
@ -91,7 +91,7 @@ table inet filter {
|
|||||||
ct mark set 0x1 accept
|
ct mark set 0x1 accept
|
||||||
}
|
}
|
||||||
|
|
||||||
chain input-loopback {
|
chain input-tcp-service-loopback {
|
||||||
tcp flags != syn accept
|
tcp flags != syn accept
|
||||||
tcp dport 22 ip saddr != $ip-allowlist-ssh add @ip-connlimit-ssh { ip saddr ct count over 1 } counter reject with tcp reset
|
tcp dport 22 ip saddr != $ip-allowlist-ssh add @ip-connlimit-ssh { ip saddr ct count over 1 } counter reject with tcp reset
|
||||||
tcp dport 22 ip6 saddr != $ip6-allowlist-ssh add @ip6-connlimit-ssh { ip6 saddr and ffff:ffff:ffff:ffff:ffff:: ct count over 1 } counter reject with tcp reset
|
tcp dport 22 ip6 saddr != $ip6-allowlist-ssh add @ip6-connlimit-ssh { ip6 saddr and ffff:ffff:ffff:ffff:ffff:: ct count over 1 } counter reject with tcp reset
|
||||||
|
@ -62,10 +62,10 @@ table inet filter {
|
|||||||
}
|
}
|
||||||
|
|
||||||
chain input-tcp-service {
|
chain input-tcp-service {
|
||||||
iif lo goto input-loopback
|
iif lo goto input-tcp-service-loopback
|
||||||
|
|
||||||
# for synproxy, SYN is untracked and first ACK is invalid which are handled via fallthrough
|
# for synproxy, SYN is untracked and first ACK is invalid which are handled via fallthrough
|
||||||
ct state vmap { new : goto input-new, established : goto input-established, related : accept }
|
ct state vmap { new : goto input-tcp-service-new, established : goto input-tcp-service-established, related : accept }
|
||||||
|
|
||||||
tcp dport 22 ip saddr @ip-connlimit-ssh counter reject with tcp reset
|
tcp dport 22 ip saddr @ip-connlimit-ssh counter reject with tcp reset
|
||||||
tcp dport 22 ip6 saddr and ffff:ffff:ffff:ffff:ffff:: @ip6-connlimit-ssh counter reject with tcp reset
|
tcp dport 22 ip6 saddr and ffff:ffff:ffff:ffff:ffff:: @ip6-connlimit-ssh counter reject with tcp reset
|
||||||
@ -74,7 +74,7 @@ table inet filter {
|
|||||||
synproxy mss 1460 wscale 7 timestamp sack-perm
|
synproxy mss 1460 wscale 7 timestamp sack-perm
|
||||||
}
|
}
|
||||||
|
|
||||||
chain input-new {
|
chain input-tcp-service-new {
|
||||||
tcp dport 22 ip saddr @ip-connlimit-ssh counter reject with tcp reset
|
tcp dport 22 ip saddr @ip-connlimit-ssh counter reject with tcp reset
|
||||||
tcp dport 22 ip6 saddr and ffff:ffff:ffff:ffff:ffff:: @ip6-connlimit-ssh counter reject with tcp reset
|
tcp dport 22 ip6 saddr and ffff:ffff:ffff:ffff:ffff:: @ip6-connlimit-ssh counter reject with tcp reset
|
||||||
tcp dport { 25, 80, 443, 465, 993 } ip saddr @ip-connlimit-main counter reject with tcp reset
|
tcp dport { 25, 80, 443, 465, 993 } ip saddr @ip-connlimit-main counter reject with tcp reset
|
||||||
@ -82,7 +82,7 @@ table inet filter {
|
|||||||
accept
|
accept
|
||||||
}
|
}
|
||||||
|
|
||||||
chain input-established {
|
chain input-tcp-service-established {
|
||||||
ct mark 0x1 accept
|
ct mark 0x1 accept
|
||||||
tcp dport 22 ip saddr != $ip-allowlist-ssh add @ip-connlimit-ssh { ip saddr ct count over 1 } counter reject with tcp reset
|
tcp dport 22 ip saddr != $ip-allowlist-ssh add @ip-connlimit-ssh { ip saddr ct count over 1 } counter reject with tcp reset
|
||||||
tcp dport 22 ip6 saddr != $ip6-allowlist-ssh add @ip6-connlimit-ssh { ip6 saddr and ffff:ffff:ffff:ffff:ffff:: ct count over 1 } counter reject with tcp reset
|
tcp dport 22 ip6 saddr != $ip6-allowlist-ssh add @ip6-connlimit-ssh { ip6 saddr and ffff:ffff:ffff:ffff:ffff:: ct count over 1 } counter reject with tcp reset
|
||||||
@ -91,7 +91,7 @@ table inet filter {
|
|||||||
ct mark set 0x1 accept
|
ct mark set 0x1 accept
|
||||||
}
|
}
|
||||||
|
|
||||||
chain input-loopback {
|
chain input-tcp-service-loopback {
|
||||||
tcp flags != syn accept
|
tcp flags != syn accept
|
||||||
tcp dport 22 ip saddr != $ip-allowlist-ssh add @ip-connlimit-ssh { ip saddr ct count over 1 } counter reject with tcp reset
|
tcp dport 22 ip saddr != $ip-allowlist-ssh add @ip-connlimit-ssh { ip saddr ct count over 1 } counter reject with tcp reset
|
||||||
tcp dport 22 ip6 saddr != $ip6-allowlist-ssh add @ip6-connlimit-ssh { ip6 saddr and ffff:ffff:ffff:ffff:ffff:: ct count over 1 } counter reject with tcp reset
|
tcp dport 22 ip6 saddr != $ip6-allowlist-ssh add @ip6-connlimit-ssh { ip6 saddr and ffff:ffff:ffff:ffff:ffff:: ct count over 1 } counter reject with tcp reset
|
||||||
|
@ -62,10 +62,10 @@ table inet filter {
|
|||||||
}
|
}
|
||||||
|
|
||||||
chain input-tcp-service {
|
chain input-tcp-service {
|
||||||
iif lo goto input-loopback
|
iif lo goto input-tcp-service-loopback
|
||||||
|
|
||||||
# for synproxy, SYN is untracked and first ACK is invalid which are handled via fallthrough
|
# for synproxy, SYN is untracked and first ACK is invalid which are handled via fallthrough
|
||||||
ct state vmap { new : goto input-new, established : goto input-established, related : accept }
|
ct state vmap { new : goto input-tcp-service-new, established : goto input-tcp-service-established, related : accept }
|
||||||
|
|
||||||
tcp dport 22 ip saddr @ip-connlimit-ssh counter reject with tcp reset
|
tcp dport 22 ip saddr @ip-connlimit-ssh counter reject with tcp reset
|
||||||
tcp dport 22 ip6 saddr and ffff:ffff:ffff:ffff:ffff:: @ip6-connlimit-ssh counter reject with tcp reset
|
tcp dport 22 ip6 saddr and ffff:ffff:ffff:ffff:ffff:: @ip6-connlimit-ssh counter reject with tcp reset
|
||||||
@ -74,7 +74,7 @@ table inet filter {
|
|||||||
synproxy mss 1460 wscale 7 timestamp sack-perm
|
synproxy mss 1460 wscale 7 timestamp sack-perm
|
||||||
}
|
}
|
||||||
|
|
||||||
chain input-new {
|
chain input-tcp-service-new {
|
||||||
tcp dport 22 ip saddr @ip-connlimit-ssh counter reject with tcp reset
|
tcp dport 22 ip saddr @ip-connlimit-ssh counter reject with tcp reset
|
||||||
tcp dport 22 ip6 saddr and ffff:ffff:ffff:ffff:ffff:: @ip6-connlimit-ssh counter reject with tcp reset
|
tcp dport 22 ip6 saddr and ffff:ffff:ffff:ffff:ffff:: @ip6-connlimit-ssh counter reject with tcp reset
|
||||||
tcp dport { 80, 443 } ip saddr @ip-connlimit-main counter reject with tcp reset
|
tcp dport { 80, 443 } ip saddr @ip-connlimit-main counter reject with tcp reset
|
||||||
@ -82,7 +82,7 @@ table inet filter {
|
|||||||
accept
|
accept
|
||||||
}
|
}
|
||||||
|
|
||||||
chain input-established {
|
chain input-tcp-service-established {
|
||||||
ct mark 0x1 accept
|
ct mark 0x1 accept
|
||||||
tcp dport 22 ip saddr != $ip-allowlist-ssh add @ip-connlimit-ssh { ip saddr ct count over 1 } counter reject with tcp reset
|
tcp dport 22 ip saddr != $ip-allowlist-ssh add @ip-connlimit-ssh { ip saddr ct count over 1 } counter reject with tcp reset
|
||||||
tcp dport 22 ip6 saddr != $ip6-allowlist-ssh add @ip6-connlimit-ssh { ip6 saddr and ffff:ffff:ffff:ffff:ffff:: ct count over 1 } counter reject with tcp reset
|
tcp dport 22 ip6 saddr != $ip6-allowlist-ssh add @ip6-connlimit-ssh { ip6 saddr and ffff:ffff:ffff:ffff:ffff:: ct count over 1 } counter reject with tcp reset
|
||||||
@ -91,7 +91,7 @@ table inet filter {
|
|||||||
ct mark set 0x1 accept
|
ct mark set 0x1 accept
|
||||||
}
|
}
|
||||||
|
|
||||||
chain input-loopback {
|
chain input-tcp-service-loopback {
|
||||||
tcp flags != syn accept
|
tcp flags != syn accept
|
||||||
tcp dport 22 ip saddr != $ip-allowlist-ssh add @ip-connlimit-ssh { ip saddr ct count over 1 } counter reject with tcp reset
|
tcp dport 22 ip saddr != $ip-allowlist-ssh add @ip-connlimit-ssh { ip saddr ct count over 1 } counter reject with tcp reset
|
||||||
tcp dport 22 ip6 saddr != $ip6-allowlist-ssh add @ip6-connlimit-ssh { ip6 saddr and ffff:ffff:ffff:ffff:ffff:: ct count over 1 } counter reject with tcp reset
|
tcp dport 22 ip6 saddr != $ip6-allowlist-ssh add @ip6-connlimit-ssh { ip6 saddr and ffff:ffff:ffff:ffff:ffff:: ct count over 1 } counter reject with tcp reset
|
||||||
|
@ -66,10 +66,10 @@ table inet filter {
|
|||||||
}
|
}
|
||||||
|
|
||||||
chain input-tcp-service {
|
chain input-tcp-service {
|
||||||
iif lo goto input-loopback
|
iif lo goto input-tcp-service-loopback
|
||||||
|
|
||||||
# for synproxy, SYN is untracked and first ACK is invalid which are handled via fallthrough
|
# for synproxy, SYN is untracked and first ACK is invalid which are handled via fallthrough
|
||||||
ct state vmap { new : goto input-new, established : goto input-established, related : accept }
|
ct state vmap { new : goto input-tcp-service-new, established : goto input-tcp-service-established, related : accept }
|
||||||
|
|
||||||
tcp dport 22 ip saddr @ip-connlimit-ssh counter reject with tcp reset
|
tcp dport 22 ip saddr @ip-connlimit-ssh counter reject with tcp reset
|
||||||
tcp dport 22 ip6 saddr and ffff:ffff:ffff:ffff:ffff:: @ip6-connlimit-ssh counter reject with tcp reset
|
tcp dport 22 ip6 saddr and ffff:ffff:ffff:ffff:ffff:: @ip6-connlimit-ssh counter reject with tcp reset
|
||||||
@ -78,7 +78,7 @@ table inet filter {
|
|||||||
synproxy mss 1460 wscale 7 timestamp sack-perm
|
synproxy mss 1460 wscale 7 timestamp sack-perm
|
||||||
}
|
}
|
||||||
|
|
||||||
chain input-new {
|
chain input-tcp-service-new {
|
||||||
tcp dport 22 ip saddr @ip-connlimit-ssh counter reject with tcp reset
|
tcp dport 22 ip saddr @ip-connlimit-ssh counter reject with tcp reset
|
||||||
tcp dport 22 ip6 saddr and ffff:ffff:ffff:ffff:ffff:: @ip6-connlimit-ssh counter reject with tcp reset
|
tcp dport 22 ip6 saddr and ffff:ffff:ffff:ffff:ffff:: @ip6-connlimit-ssh counter reject with tcp reset
|
||||||
tcp dport { 80, 443, 7275 } ip saddr @ip-connlimit-main counter reject with tcp reset
|
tcp dport { 80, 443, 7275 } ip saddr @ip-connlimit-main counter reject with tcp reset
|
||||||
@ -86,7 +86,7 @@ table inet filter {
|
|||||||
accept
|
accept
|
||||||
}
|
}
|
||||||
|
|
||||||
chain input-established {
|
chain input-tcp-service-established {
|
||||||
ct mark 0x1 accept
|
ct mark 0x1 accept
|
||||||
tcp dport 22 ip saddr != $ip-allowlist-ssh add @ip-connlimit-ssh { ip saddr ct count over 1 } counter reject with tcp reset
|
tcp dport 22 ip saddr != $ip-allowlist-ssh add @ip-connlimit-ssh { ip saddr ct count over 1 } counter reject with tcp reset
|
||||||
tcp dport 22 ip6 saddr != $ip6-allowlist-ssh add @ip6-connlimit-ssh { ip6 saddr and ffff:ffff:ffff:ffff:ffff:: ct count over 1 } counter reject with tcp reset
|
tcp dport 22 ip6 saddr != $ip6-allowlist-ssh add @ip6-connlimit-ssh { ip6 saddr and ffff:ffff:ffff:ffff:ffff:: ct count over 1 } counter reject with tcp reset
|
||||||
@ -95,7 +95,7 @@ table inet filter {
|
|||||||
ct mark set 0x1 accept
|
ct mark set 0x1 accept
|
||||||
}
|
}
|
||||||
|
|
||||||
chain input-loopback {
|
chain input-tcp-service-loopback {
|
||||||
tcp flags != syn accept
|
tcp flags != syn accept
|
||||||
tcp dport 22 ip saddr != $ip-allowlist-ssh add @ip-connlimit-ssh { ip saddr ct count over 1 } counter reject with tcp reset
|
tcp dport 22 ip saddr != $ip-allowlist-ssh add @ip-connlimit-ssh { ip saddr ct count over 1 } counter reject with tcp reset
|
||||||
tcp dport 22 ip6 saddr != $ip6-allowlist-ssh add @ip6-connlimit-ssh { ip6 saddr and ffff:ffff:ffff:ffff:ffff:: ct count over 1 } counter reject with tcp reset
|
tcp dport 22 ip6 saddr != $ip6-allowlist-ssh add @ip6-connlimit-ssh { ip6 saddr and ffff:ffff:ffff:ffff:ffff:: ct count over 1 } counter reject with tcp reset
|
||||||
|
@ -65,10 +65,10 @@ table inet filter {
|
|||||||
}
|
}
|
||||||
|
|
||||||
chain input-tcp-service {
|
chain input-tcp-service {
|
||||||
iif lo goto input-loopback
|
iif lo goto input-tcp-service-loopback
|
||||||
|
|
||||||
# for synproxy, SYN is untracked and first ACK is invalid which are handled via fallthrough
|
# for synproxy, SYN is untracked and first ACK is invalid which are handled via fallthrough
|
||||||
ct state vmap { new : goto input-new, established : goto input-established, related : accept }
|
ct state vmap { new : goto input-tcp-service-new, established : goto input-tcp-service-established, related : accept }
|
||||||
|
|
||||||
tcp dport 22 ip saddr @ip-connlimit-ssh counter reject with tcp reset
|
tcp dport 22 ip saddr @ip-connlimit-ssh counter reject with tcp reset
|
||||||
tcp dport 22 ip6 saddr and ffff:ffff:ffff:ffff:ffff:: @ip6-connlimit-ssh counter reject with tcp reset
|
tcp dport 22 ip6 saddr and ffff:ffff:ffff:ffff:ffff:: @ip6-connlimit-ssh counter reject with tcp reset
|
||||||
@ -77,7 +77,7 @@ table inet filter {
|
|||||||
synproxy mss 1460 wscale 7 timestamp sack-perm
|
synproxy mss 1460 wscale 7 timestamp sack-perm
|
||||||
}
|
}
|
||||||
|
|
||||||
chain input-new {
|
chain input-tcp-service-new {
|
||||||
tcp dport 22 ip saddr @ip-connlimit-ssh counter reject with tcp reset
|
tcp dport 22 ip saddr @ip-connlimit-ssh counter reject with tcp reset
|
||||||
tcp dport 22 ip6 saddr and ffff:ffff:ffff:ffff:ffff:: @ip6-connlimit-ssh counter reject with tcp reset
|
tcp dport 22 ip6 saddr and ffff:ffff:ffff:ffff:ffff:: @ip6-connlimit-ssh counter reject with tcp reset
|
||||||
tcp dport { 53, 80, 443, 853 } ip saddr @ip-connlimit-main counter reject with tcp reset
|
tcp dport { 53, 80, 443, 853 } ip saddr @ip-connlimit-main counter reject with tcp reset
|
||||||
@ -85,7 +85,7 @@ table inet filter {
|
|||||||
accept
|
accept
|
||||||
}
|
}
|
||||||
|
|
||||||
chain input-established {
|
chain input-tcp-service-established {
|
||||||
ct mark 0x1 accept
|
ct mark 0x1 accept
|
||||||
tcp dport 22 ip saddr != $ip-allowlist-ssh add @ip-connlimit-ssh { ip saddr ct count over 1 } counter reject with tcp reset
|
tcp dport 22 ip saddr != $ip-allowlist-ssh add @ip-connlimit-ssh { ip saddr ct count over 1 } counter reject with tcp reset
|
||||||
tcp dport 22 ip6 saddr != $ip6-allowlist-ssh add @ip6-connlimit-ssh { ip6 saddr and ffff:ffff:ffff:ffff:ffff:: ct count over 1 } counter reject with tcp reset
|
tcp dport 22 ip6 saddr != $ip6-allowlist-ssh add @ip6-connlimit-ssh { ip6 saddr and ffff:ffff:ffff:ffff:ffff:: ct count over 1 } counter reject with tcp reset
|
||||||
@ -94,7 +94,7 @@ table inet filter {
|
|||||||
ct mark set 0x1 accept
|
ct mark set 0x1 accept
|
||||||
}
|
}
|
||||||
|
|
||||||
chain input-loopback {
|
chain input-tcp-service-loopback {
|
||||||
tcp flags != syn accept
|
tcp flags != syn accept
|
||||||
tcp dport 22 ip saddr != $ip-allowlist-ssh add @ip-connlimit-ssh { ip saddr ct count over 1 } counter reject with tcp reset
|
tcp dport 22 ip saddr != $ip-allowlist-ssh add @ip-connlimit-ssh { ip saddr ct count over 1 } counter reject with tcp reset
|
||||||
tcp dport 22 ip6 saddr != $ip6-allowlist-ssh add @ip6-connlimit-ssh { ip6 saddr and ffff:ffff:ffff:ffff:ffff:: ct count over 1 } counter reject with tcp reset
|
tcp dport 22 ip6 saddr != $ip6-allowlist-ssh add @ip6-connlimit-ssh { ip6 saddr and ffff:ffff:ffff:ffff:ffff:: ct count over 1 } counter reject with tcp reset
|
||||||
|
@ -70,10 +70,10 @@ table inet filter {
|
|||||||
}
|
}
|
||||||
|
|
||||||
chain input-tcp-service {
|
chain input-tcp-service {
|
||||||
iif lo goto input-loopback
|
iif lo goto input-tcp-service-loopback
|
||||||
|
|
||||||
# for synproxy, SYN is untracked and first ACK is invalid which are handled via fallthrough
|
# for synproxy, SYN is untracked and first ACK is invalid which are handled via fallthrough
|
||||||
ct state vmap { new : goto input-new, established : goto input-established, related : accept }
|
ct state vmap { new : goto input-tcp-service-new, established : goto input-tcp-service-established, related : accept }
|
||||||
|
|
||||||
tcp dport 22 ip saddr @ip-connlimit-ssh counter reject with tcp reset
|
tcp dport 22 ip saddr @ip-connlimit-ssh counter reject with tcp reset
|
||||||
tcp dport 22 ip6 saddr and ffff:ffff:ffff:ffff:ffff:: @ip6-connlimit-ssh counter reject with tcp reset
|
tcp dport 22 ip6 saddr and ffff:ffff:ffff:ffff:ffff:: @ip6-connlimit-ssh counter reject with tcp reset
|
||||||
@ -82,7 +82,7 @@ table inet filter {
|
|||||||
synproxy mss 1460 wscale 7 timestamp sack-perm
|
synproxy mss 1460 wscale 7 timestamp sack-perm
|
||||||
}
|
}
|
||||||
|
|
||||||
chain input-new {
|
chain input-tcp-service-new {
|
||||||
tcp dport 22 ip saddr @ip-connlimit-ssh counter reject with tcp reset
|
tcp dport 22 ip saddr @ip-connlimit-ssh counter reject with tcp reset
|
||||||
tcp dport 22 ip6 saddr and ffff:ffff:ffff:ffff:ffff:: @ip6-connlimit-ssh counter reject with tcp reset
|
tcp dport 22 ip6 saddr and ffff:ffff:ffff:ffff:ffff:: @ip6-connlimit-ssh counter reject with tcp reset
|
||||||
tcp dport { 53, 80, 443, 853 } ip saddr @ip-connlimit-main counter reject with tcp reset
|
tcp dport { 53, 80, 443, 853 } ip saddr @ip-connlimit-main counter reject with tcp reset
|
||||||
@ -90,7 +90,7 @@ table inet filter {
|
|||||||
accept
|
accept
|
||||||
}
|
}
|
||||||
|
|
||||||
chain input-established {
|
chain input-tcp-service-established {
|
||||||
ct mark 0x1 accept
|
ct mark 0x1 accept
|
||||||
tcp dport 22 ip saddr != $ip-allowlist-ssh add @ip-connlimit-ssh { ip saddr ct count over 1 } counter reject with tcp reset
|
tcp dport 22 ip saddr != $ip-allowlist-ssh add @ip-connlimit-ssh { ip saddr ct count over 1 } counter reject with tcp reset
|
||||||
tcp dport 22 ip6 saddr != $ip6-allowlist-ssh add @ip6-connlimit-ssh { ip6 saddr and ffff:ffff:ffff:ffff:ffff:: ct count over 1 } counter reject with tcp reset
|
tcp dport 22 ip6 saddr != $ip6-allowlist-ssh add @ip6-connlimit-ssh { ip6 saddr and ffff:ffff:ffff:ffff:ffff:: ct count over 1 } counter reject with tcp reset
|
||||||
@ -99,7 +99,7 @@ table inet filter {
|
|||||||
ct mark set 0x1 accept
|
ct mark set 0x1 accept
|
||||||
}
|
}
|
||||||
|
|
||||||
chain input-loopback {
|
chain input-tcp-service-loopback {
|
||||||
tcp flags != syn accept
|
tcp flags != syn accept
|
||||||
tcp dport 22 ip saddr != $ip-allowlist-ssh add @ip-connlimit-ssh { ip saddr ct count over 1 } counter reject with tcp reset
|
tcp dport 22 ip saddr != $ip-allowlist-ssh add @ip-connlimit-ssh { ip saddr ct count over 1 } counter reject with tcp reset
|
||||||
tcp dport 22 ip6 saddr != $ip6-allowlist-ssh add @ip6-connlimit-ssh { ip6 saddr and ffff:ffff:ffff:ffff:ffff:: ct count over 1 } counter reject with tcp reset
|
tcp dport 22 ip6 saddr != $ip6-allowlist-ssh add @ip6-connlimit-ssh { ip6 saddr and ffff:ffff:ffff:ffff:ffff:: ct count over 1 } counter reject with tcp reset
|
||||||
|
@ -62,10 +62,10 @@ table inet filter {
|
|||||||
}
|
}
|
||||||
|
|
||||||
chain input-tcp-service {
|
chain input-tcp-service {
|
||||||
iif lo goto input-loopback
|
iif lo goto input-tcp-service-loopback
|
||||||
|
|
||||||
# for synproxy, SYN is untracked and first ACK is invalid which are handled via fallthrough
|
# for synproxy, SYN is untracked and first ACK is invalid which are handled via fallthrough
|
||||||
ct state vmap { new : goto input-new, established : goto input-established, related : accept }
|
ct state vmap { new : goto input-tcp-service-new, established : goto input-tcp-service-established, related : accept }
|
||||||
|
|
||||||
tcp dport 22 ip saddr @ip-connlimit-ssh counter reject with tcp reset
|
tcp dport 22 ip saddr @ip-connlimit-ssh counter reject with tcp reset
|
||||||
tcp dport 22 ip6 saddr and ffff:ffff:ffff:ffff:ffff:: @ip6-connlimit-ssh counter reject with tcp reset
|
tcp dport 22 ip6 saddr and ffff:ffff:ffff:ffff:ffff:: @ip6-connlimit-ssh counter reject with tcp reset
|
||||||
@ -74,7 +74,7 @@ table inet filter {
|
|||||||
synproxy mss 1460 wscale 7 timestamp sack-perm
|
synproxy mss 1460 wscale 7 timestamp sack-perm
|
||||||
}
|
}
|
||||||
|
|
||||||
chain input-new {
|
chain input-tcp-service-new {
|
||||||
tcp dport 22 ip saddr @ip-connlimit-ssh counter reject with tcp reset
|
tcp dport 22 ip saddr @ip-connlimit-ssh counter reject with tcp reset
|
||||||
tcp dport 22 ip6 saddr and ffff:ffff:ffff:ffff:ffff:: @ip6-connlimit-ssh counter reject with tcp reset
|
tcp dport 22 ip6 saddr and ffff:ffff:ffff:ffff:ffff:: @ip6-connlimit-ssh counter reject with tcp reset
|
||||||
tcp dport { 80, 443 } ip saddr @ip-connlimit-main counter reject with tcp reset
|
tcp dport { 80, 443 } ip saddr @ip-connlimit-main counter reject with tcp reset
|
||||||
@ -82,7 +82,7 @@ table inet filter {
|
|||||||
accept
|
accept
|
||||||
}
|
}
|
||||||
|
|
||||||
chain input-established {
|
chain input-tcp-service-established {
|
||||||
ct mark 0x1 accept
|
ct mark 0x1 accept
|
||||||
tcp dport 22 ip saddr != $ip-allowlist-ssh add @ip-connlimit-ssh { ip saddr ct count over 1 } counter reject with tcp reset
|
tcp dport 22 ip saddr != $ip-allowlist-ssh add @ip-connlimit-ssh { ip saddr ct count over 1 } counter reject with tcp reset
|
||||||
tcp dport 22 ip6 saddr != $ip6-allowlist-ssh add @ip6-connlimit-ssh { ip6 saddr and ffff:ffff:ffff:ffff:ffff:: ct count over 1 } counter reject with tcp reset
|
tcp dport 22 ip6 saddr != $ip6-allowlist-ssh add @ip6-connlimit-ssh { ip6 saddr and ffff:ffff:ffff:ffff:ffff:: ct count over 1 } counter reject with tcp reset
|
||||||
@ -91,7 +91,7 @@ table inet filter {
|
|||||||
ct mark set 0x1 accept
|
ct mark set 0x1 accept
|
||||||
}
|
}
|
||||||
|
|
||||||
chain input-loopback {
|
chain input-tcp-service-loopback {
|
||||||
tcp flags != syn accept
|
tcp flags != syn accept
|
||||||
tcp dport 22 ip saddr != $ip-allowlist-ssh add @ip-connlimit-ssh { ip saddr ct count over 1 } counter reject with tcp reset
|
tcp dport 22 ip saddr != $ip-allowlist-ssh add @ip-connlimit-ssh { ip saddr ct count over 1 } counter reject with tcp reset
|
||||||
tcp dport 22 ip6 saddr != $ip6-allowlist-ssh add @ip6-connlimit-ssh { ip6 saddr and ffff:ffff:ffff:ffff:ffff:: ct count over 1 } counter reject with tcp reset
|
tcp dport 22 ip6 saddr != $ip6-allowlist-ssh add @ip6-connlimit-ssh { ip6 saddr and ffff:ffff:ffff:ffff:ffff:: ct count over 1 } counter reject with tcp reset
|
||||||
|
@ -66,10 +66,10 @@ table inet filter {
|
|||||||
}
|
}
|
||||||
|
|
||||||
chain input-tcp-service {
|
chain input-tcp-service {
|
||||||
iif lo goto input-loopback
|
iif lo goto input-tcp-service-loopback
|
||||||
|
|
||||||
# for synproxy, SYN is untracked and first ACK is invalid which are handled via fallthrough
|
# for synproxy, SYN is untracked and first ACK is invalid which are handled via fallthrough
|
||||||
ct state vmap { new : goto input-new, established : goto input-established, related : accept }
|
ct state vmap { new : goto input-tcp-service-new, established : goto input-tcp-service-established, related : accept }
|
||||||
|
|
||||||
tcp dport 22 ip saddr @ip-connlimit-ssh counter reject with tcp reset
|
tcp dport 22 ip saddr @ip-connlimit-ssh counter reject with tcp reset
|
||||||
tcp dport 22 ip6 saddr and ffff:ffff:ffff:ffff:ffff:: @ip6-connlimit-ssh counter reject with tcp reset
|
tcp dport 22 ip6 saddr and ffff:ffff:ffff:ffff:ffff:: @ip6-connlimit-ssh counter reject with tcp reset
|
||||||
@ -78,7 +78,7 @@ table inet filter {
|
|||||||
synproxy mss 1460 wscale 7 timestamp sack-perm
|
synproxy mss 1460 wscale 7 timestamp sack-perm
|
||||||
}
|
}
|
||||||
|
|
||||||
chain input-new {
|
chain input-tcp-service-new {
|
||||||
tcp dport 22 ip saddr @ip-connlimit-ssh counter reject with tcp reset
|
tcp dport 22 ip saddr @ip-connlimit-ssh counter reject with tcp reset
|
||||||
tcp dport 22 ip6 saddr and ffff:ffff:ffff:ffff:ffff:: @ip6-connlimit-ssh counter reject with tcp reset
|
tcp dport 22 ip6 saddr and ffff:ffff:ffff:ffff:ffff:: @ip6-connlimit-ssh counter reject with tcp reset
|
||||||
tcp dport { 80, 443 } ip saddr @ip-connlimit-main counter reject with tcp reset
|
tcp dport { 80, 443 } ip saddr @ip-connlimit-main counter reject with tcp reset
|
||||||
@ -86,7 +86,7 @@ table inet filter {
|
|||||||
accept
|
accept
|
||||||
}
|
}
|
||||||
|
|
||||||
chain input-established {
|
chain input-tcp-service-established {
|
||||||
ct mark 0x1 accept
|
ct mark 0x1 accept
|
||||||
tcp dport 22 ip saddr != $ip-allowlist-ssh add @ip-connlimit-ssh { ip saddr ct count over 1 } counter reject with tcp reset
|
tcp dport 22 ip saddr != $ip-allowlist-ssh add @ip-connlimit-ssh { ip saddr ct count over 1 } counter reject with tcp reset
|
||||||
tcp dport 22 ip6 saddr != $ip6-allowlist-ssh add @ip6-connlimit-ssh { ip6 saddr and ffff:ffff:ffff:ffff:ffff:: ct count over 1 } counter reject with tcp reset
|
tcp dport 22 ip6 saddr != $ip6-allowlist-ssh add @ip6-connlimit-ssh { ip6 saddr and ffff:ffff:ffff:ffff:ffff:: ct count over 1 } counter reject with tcp reset
|
||||||
@ -95,7 +95,7 @@ table inet filter {
|
|||||||
ct mark set 0x1 accept
|
ct mark set 0x1 accept
|
||||||
}
|
}
|
||||||
|
|
||||||
chain input-loopback {
|
chain input-tcp-service-loopback {
|
||||||
tcp flags != syn accept
|
tcp flags != syn accept
|
||||||
tcp dport 22 ip saddr != $ip-allowlist-ssh add @ip-connlimit-ssh { ip saddr ct count over 1 } counter reject with tcp reset
|
tcp dport 22 ip saddr != $ip-allowlist-ssh add @ip-connlimit-ssh { ip saddr ct count over 1 } counter reject with tcp reset
|
||||||
tcp dport 22 ip6 saddr != $ip6-allowlist-ssh add @ip6-connlimit-ssh { ip6 saddr and ffff:ffff:ffff:ffff:ffff:: ct count over 1 } counter reject with tcp reset
|
tcp dport 22 ip6 saddr != $ip6-allowlist-ssh add @ip6-connlimit-ssh { ip6 saddr and ffff:ffff:ffff:ffff:ffff:: ct count over 1 } counter reject with tcp reset
|
||||||
|