Compare commits
3 Commits
9b366ad059
...
b21ea0a23f
Author | SHA1 | Date |
---|---|---|
Daniel Micay | b21ea0a23f | |
Daniel Micay | b38736ca74 | |
Daniel Micay | 14c0128910 |
|
@ -42,8 +42,8 @@ table inet filter {
|
|||
# drop packets to address not configured on incoming interface (strong host model)
|
||||
fib daddr . iif type != { local, broadcast, multicast } counter drop
|
||||
|
||||
tcp dport 443 notrack accept
|
||||
tcp dport { 22, 80 } tcp flags syn notrack accept
|
||||
tcp dport { 22, 80, 443 } tcp flags syn limit rate 1024/second burst 128 packets accept
|
||||
tcp dport { 22, 80, 443 } tcp flags syn counter notrack accept
|
||||
meta l4proto { icmp, ipv6-icmp } notrack accept
|
||||
}
|
||||
|
||||
|
@ -52,24 +52,41 @@ table inet filter {
|
|||
policy drop
|
||||
|
||||
iif lo goto input-loopback
|
||||
tcp dport 443 accept
|
||||
meta l4proto { icmp, ipv6-icmp } accept
|
||||
ct state vmap { established : accept, related : accept, new : goto graceful-reject }
|
||||
ct state vmap { new : goto input-new, established : goto input-established, related : accept }
|
||||
|
||||
tcp dport 22 ip saddr @ip-connlimit-ssh counter reject with tcp reset
|
||||
tcp dport 22 ip6 saddr and ffff:ffff:ffff:ffff:ffff:: @ip6-connlimit-ssh counter reject with tcp reset
|
||||
tcp dport 80 ip saddr @ip-connlimit-main counter reject with tcp reset
|
||||
tcp dport 80 ip6 saddr and ffff:ffff:ffff:ffff:: @ip6-connlimit-main counter reject with tcp reset
|
||||
tcp dport { 22, 80 } synproxy mss 1460 wscale 7 timestamp sack-perm
|
||||
tcp dport { 80, 443 } ip saddr @ip-connlimit-main counter reject with tcp reset
|
||||
tcp dport { 80, 443 } ip6 saddr and ffff:ffff:ffff:ffff:: @ip6-connlimit-main counter reject with tcp reset
|
||||
tcp dport { 22, 80, 443 } synproxy mss 1460 wscale 7 timestamp sack-perm
|
||||
}
|
||||
|
||||
chain input-new {
|
||||
tcp dport != { 22, 80, 443 } goto graceful-reject
|
||||
tcp dport 22 ip saddr @ip-connlimit-ssh counter reject with tcp reset
|
||||
tcp dport 22 ip6 saddr and ffff:ffff:ffff:ffff:ffff:: @ip6-connlimit-ssh counter reject with tcp reset
|
||||
tcp dport { 80, 443 } ip saddr @ip-connlimit-main counter reject with tcp reset
|
||||
tcp dport { 80, 443 } ip6 saddr and ffff:ffff:ffff:ffff:: @ip6-connlimit-main counter reject with tcp reset
|
||||
accept
|
||||
}
|
||||
|
||||
chain input-established {
|
||||
ct mark 0x1 accept
|
||||
tcp dport 22 ip saddr != $ip-allowlist-ssh add @ip-connlimit-ssh { ip saddr ct count over 1 } counter reject with tcp reset
|
||||
tcp dport 22 ip6 saddr != $ip6-allowlist-ssh add @ip6-connlimit-ssh { ip6 saddr and ffff:ffff:ffff:ffff:ffff:: ct count over 1 } counter reject with tcp reset
|
||||
tcp dport { 80, 443 } add @ip-connlimit-main { ip saddr ct count over 32 } counter reject with tcp reset
|
||||
tcp dport { 80, 443 } add @ip6-connlimit-main { ip6 saddr and ffff:ffff:ffff:ffff:: ct count over 32 } counter reject with tcp reset
|
||||
ct mark set 0x1 accept
|
||||
}
|
||||
|
||||
chain input-loopback {
|
||||
tcp flags != syn accept
|
||||
tcp dport 22 ip saddr != $ip-allowlist-ssh add @ip-connlimit-ssh { ip saddr ct count over 1 } counter reject with tcp reset
|
||||
tcp dport 22 ip6 saddr != $ip6-allowlist-ssh add @ip6-connlimit-ssh { ip6 saddr and ffff:ffff:ffff:ffff:ffff:: ct count over 1 } counter reject with tcp reset
|
||||
tcp dport 80 add @ip-connlimit-main { ip saddr ct count over 32 } counter reject with tcp reset
|
||||
tcp dport 80 add @ip6-connlimit-main { ip6 saddr and ffff:ffff:ffff:ffff:: ct count over 32 } counter reject with tcp reset
|
||||
accept
|
||||
tcp dport { 80, 443 } add @ip-connlimit-main { ip saddr ct count over 32 } counter reject with tcp reset
|
||||
tcp dport { 80, 443 } add @ip6-connlimit-main { ip6 saddr and ffff:ffff:ffff:ffff:: ct count over 32 } counter reject with tcp reset
|
||||
ct mark set 0x1 accept
|
||||
}
|
||||
|
||||
chain forward {
|
||||
|
@ -81,7 +98,6 @@ table inet filter {
|
|||
type filter hook output priority raw
|
||||
|
||||
oif lo notrack accept
|
||||
tcp sport 443 notrack accept
|
||||
meta l4proto { icmp, ipv6-icmp } notrack accept
|
||||
}
|
||||
|
||||
|
|
|
@ -42,11 +42,8 @@ table inet filter {
|
|||
# drop packets to address not configured on incoming interface (strong host model)
|
||||
fib daddr . iif type != { local, broadcast, multicast } counter drop
|
||||
|
||||
# IPv6 interacts badly with IP-based spam filtering
|
||||
meta nfproto ipv6 tcp dport { 80, 443 } reject with tcp reset
|
||||
|
||||
tcp dport 443 notrack accept
|
||||
tcp dport { 22, 80 } tcp flags syn notrack accept
|
||||
tcp dport { 22, 80, 443 } tcp flags syn limit rate 1024/second burst 128 packets accept
|
||||
tcp dport { 22, 80, 443 } tcp flags syn counter notrack accept
|
||||
meta l4proto { icmp, ipv6-icmp } notrack accept
|
||||
}
|
||||
|
||||
|
@ -55,24 +52,41 @@ table inet filter {
|
|||
policy drop
|
||||
|
||||
iif lo goto input-loopback
|
||||
tcp dport 443 accept
|
||||
meta l4proto { icmp, ipv6-icmp } accept
|
||||
ct state vmap { established : accept, related : accept, new : goto graceful-reject }
|
||||
ct state vmap { new : goto input-new, established : goto input-established, related : accept }
|
||||
|
||||
tcp dport 22 ip saddr @ip-connlimit-ssh counter reject with tcp reset
|
||||
tcp dport 22 ip6 saddr and ffff:ffff:ffff:ffff:ffff:: @ip6-connlimit-ssh counter reject with tcp reset
|
||||
tcp dport 80 ip saddr @ip-connlimit-main counter reject with tcp reset
|
||||
tcp dport 80 ip6 saddr and ffff:ffff:ffff:ffff:: @ip6-connlimit-main counter reject with tcp reset
|
||||
tcp dport { 22, 80 } synproxy mss 1460 wscale 7 timestamp sack-perm
|
||||
tcp dport { 80, 443 } ip saddr @ip-connlimit-main counter reject with tcp reset
|
||||
tcp dport { 80, 443 } ip6 saddr and ffff:ffff:ffff:ffff:: @ip6-connlimit-main counter reject with tcp reset
|
||||
tcp dport { 22, 80, 443 } synproxy mss 1460 wscale 7 timestamp sack-perm
|
||||
}
|
||||
|
||||
chain input-new {
|
||||
tcp dport != { 22, 80, 443 } goto graceful-reject
|
||||
tcp dport 22 ip saddr @ip-connlimit-ssh counter reject with tcp reset
|
||||
tcp dport 22 ip6 saddr and ffff:ffff:ffff:ffff:ffff:: @ip6-connlimit-ssh counter reject with tcp reset
|
||||
tcp dport { 80, 443 } ip saddr @ip-connlimit-main counter reject with tcp reset
|
||||
tcp dport { 80, 443 } ip6 saddr and ffff:ffff:ffff:ffff:: @ip6-connlimit-main counter reject with tcp reset
|
||||
accept
|
||||
}
|
||||
|
||||
chain input-established {
|
||||
ct mark 0x1 accept
|
||||
tcp dport 22 ip saddr != $ip-allowlist-ssh add @ip-connlimit-ssh { ip saddr ct count over 1 } counter reject with tcp reset
|
||||
tcp dport 22 ip6 saddr != $ip6-allowlist-ssh add @ip6-connlimit-ssh { ip6 saddr and ffff:ffff:ffff:ffff:ffff:: ct count over 1 } counter reject with tcp reset
|
||||
tcp dport { 80, 443 } add @ip-connlimit-main { ip saddr ct count over 32 } counter reject with tcp reset
|
||||
tcp dport { 80, 443 } add @ip6-connlimit-main { ip6 saddr and ffff:ffff:ffff:ffff:: ct count over 32 } counter reject with tcp reset
|
||||
ct mark set 0x1 accept
|
||||
}
|
||||
|
||||
chain input-loopback {
|
||||
tcp flags != syn accept
|
||||
tcp dport 22 ip saddr != $ip-allowlist-ssh add @ip-connlimit-ssh { ip saddr ct count over 1 } counter reject with tcp reset
|
||||
tcp dport 22 ip6 saddr != $ip6-allowlist-ssh add @ip6-connlimit-ssh { ip6 saddr and ffff:ffff:ffff:ffff:ffff:: ct count over 1 } counter reject with tcp reset
|
||||
tcp dport 80 add @ip-connlimit-main { ip saddr ct count over 32 } counter reject with tcp reset
|
||||
tcp dport 80 add @ip6-connlimit-main { ip6 saddr and ffff:ffff:ffff:ffff:: ct count over 32 } counter reject with tcp reset
|
||||
accept
|
||||
tcp dport { 80, 443 } add @ip-connlimit-main { ip saddr ct count over 32 } counter reject with tcp reset
|
||||
tcp dport { 80, 443 } add @ip6-connlimit-main { ip6 saddr and ffff:ffff:ffff:ffff:: ct count over 32 } counter reject with tcp reset
|
||||
ct mark set 0x1 accept
|
||||
}
|
||||
|
||||
chain forward {
|
||||
|
@ -84,7 +98,6 @@ table inet filter {
|
|||
type filter hook output priority raw
|
||||
|
||||
oif lo notrack accept
|
||||
tcp sport 443 notrack accept
|
||||
meta l4proto { icmp, ipv6-icmp } notrack accept
|
||||
}
|
||||
|
||||
|
|
|
@ -42,8 +42,8 @@ table inet filter {
|
|||
# drop packets to address not configured on incoming interface (strong host model)
|
||||
fib daddr . iif type != { local, broadcast, multicast } counter drop
|
||||
|
||||
tcp dport { 25, 465, 993 } notrack accept
|
||||
tcp dport { 22, 80, 443 } tcp flags syn notrack accept
|
||||
tcp dport { 22, 25, 80, 443, 465, 993 } tcp flags syn limit rate 1024/second burst 128 packets accept
|
||||
tcp dport { 22, 25, 80, 443, 465, 993 } tcp flags syn counter notrack accept
|
||||
meta l4proto { icmp, ipv6-icmp } notrack accept
|
||||
}
|
||||
|
||||
|
@ -52,24 +52,41 @@ table inet filter {
|
|||
policy drop
|
||||
|
||||
iif lo goto input-loopback
|
||||
tcp dport { 25, 465, 993 } accept
|
||||
meta l4proto { icmp, ipv6-icmp } accept
|
||||
ct state vmap { established : accept, related : accept, new : goto graceful-reject }
|
||||
ct state vmap { new : goto input-new, established : goto input-established, related : accept }
|
||||
|
||||
tcp dport 22 ip saddr @ip-connlimit-ssh counter reject with tcp reset
|
||||
tcp dport 22 ip6 saddr and ffff:ffff:ffff:ffff:ffff:: @ip6-connlimit-ssh counter reject with tcp reset
|
||||
tcp dport { 80, 443 } ip saddr @ip-connlimit-main counter reject with tcp reset
|
||||
tcp dport { 80, 443 } ip6 saddr and ffff:ffff:ffff:ffff:: @ip6-connlimit-main counter reject with tcp reset
|
||||
tcp dport { 22, 80, 443 } synproxy mss 1460 wscale 7 timestamp sack-perm
|
||||
tcp dport { 25, 80, 443, 465, 993 } ip saddr @ip-connlimit-main counter reject with tcp reset
|
||||
tcp dport { 25, 80, 443, 465, 993 } ip6 saddr and ffff:ffff:ffff:ffff:: @ip6-connlimit-main counter reject with tcp reset
|
||||
tcp dport { 22, 25, 80, 443, 465, 993 } synproxy mss 1460 wscale 7 timestamp sack-perm
|
||||
}
|
||||
|
||||
chain input-new {
|
||||
tcp dport != { 22, 25, 80, 443, 465, 993 } goto graceful-reject
|
||||
tcp dport 22 ip saddr @ip-connlimit-ssh counter reject with tcp reset
|
||||
tcp dport 22 ip6 saddr and ffff:ffff:ffff:ffff:ffff:: @ip6-connlimit-ssh counter reject with tcp reset
|
||||
tcp dport { 25, 80, 443, 465, 993 } ip saddr @ip-connlimit-main counter reject with tcp reset
|
||||
tcp dport { 25, 80, 443, 465, 993 } ip6 saddr and ffff:ffff:ffff:ffff:: @ip6-connlimit-main counter reject with tcp reset
|
||||
accept
|
||||
}
|
||||
|
||||
chain input-established {
|
||||
ct mark 0x1 accept
|
||||
tcp dport 22 ip saddr != $ip-allowlist-ssh add @ip-connlimit-ssh { ip saddr ct count over 1 } counter reject with tcp reset
|
||||
tcp dport 22 ip6 saddr != $ip6-allowlist-ssh add @ip6-connlimit-ssh { ip6 saddr and ffff:ffff:ffff:ffff:ffff:: ct count over 1 } counter reject with tcp reset
|
||||
tcp dport { 25, 80, 443, 465, 993 } add @ip-connlimit-main { ip saddr ct count over 32 } counter reject with tcp reset
|
||||
tcp dport { 25, 80, 443, 465, 993 } add @ip6-connlimit-main { ip6 saddr and ffff:ffff:ffff:ffff:: ct count over 32 } counter reject with tcp reset
|
||||
ct mark set 0x1 accept
|
||||
}
|
||||
|
||||
chain input-loopback {
|
||||
tcp flags != syn accept
|
||||
tcp dport 22 ip saddr != $ip-allowlist-ssh add @ip-connlimit-ssh { ip saddr ct count over 1 } counter reject with tcp reset
|
||||
tcp dport 22 ip6 saddr != $ip6-allowlist-ssh add @ip6-connlimit-ssh { ip6 saddr and ffff:ffff:ffff:ffff:ffff:: ct count over 1 } counter reject with tcp reset
|
||||
tcp dport { 80, 443 } add @ip-connlimit-main { ip saddr ct count over 32 } counter reject with tcp reset
|
||||
tcp dport { 80, 443 } add @ip6-connlimit-main { ip6 saddr and ffff:ffff:ffff:ffff:: ct count over 32 } counter reject with tcp reset
|
||||
accept
|
||||
tcp dport { 25, 80, 443, 465, 993 } add @ip-connlimit-main { ip saddr ct count over 32 } counter reject with tcp reset
|
||||
tcp dport { 25, 80, 443, 465, 993 } add @ip6-connlimit-main { ip6 saddr and ffff:ffff:ffff:ffff:: ct count over 32 } counter reject with tcp reset
|
||||
ct mark set 0x1 accept
|
||||
}
|
||||
|
||||
chain forward {
|
||||
|
@ -81,7 +98,6 @@ table inet filter {
|
|||
type filter hook output priority raw
|
||||
|
||||
oif lo notrack accept
|
||||
tcp sport { 25, 465, 993 } notrack accept
|
||||
meta l4proto { icmp, ipv6-icmp } notrack accept
|
||||
}
|
||||
|
||||
|
|
|
@ -42,8 +42,8 @@ table inet filter {
|
|||
# drop packets to address not configured on incoming interface (strong host model)
|
||||
fib daddr . iif type != { local, broadcast, multicast } counter drop
|
||||
|
||||
tcp dport 443 notrack accept
|
||||
tcp dport { 22, 80 } tcp flags syn notrack accept
|
||||
tcp dport { 22, 80, 443 } tcp flags syn limit rate 1024/second burst 128 packets accept
|
||||
tcp dport { 22, 80, 443 } tcp flags syn counter notrack accept
|
||||
meta l4proto { icmp, ipv6-icmp } notrack accept
|
||||
}
|
||||
|
||||
|
@ -52,24 +52,41 @@ table inet filter {
|
|||
policy drop
|
||||
|
||||
iif lo goto input-loopback
|
||||
tcp dport 443 accept
|
||||
meta l4proto { icmp, ipv6-icmp } accept
|
||||
ct state vmap { established : accept, related : accept, new : goto graceful-reject }
|
||||
ct state vmap { new : goto input-new, established : goto input-established, related : accept }
|
||||
|
||||
tcp dport 22 ip saddr @ip-connlimit-ssh counter reject with tcp reset
|
||||
tcp dport 22 ip6 saddr and ffff:ffff:ffff:ffff:ffff:: @ip6-connlimit-ssh counter reject with tcp reset
|
||||
tcp dport 80 ip saddr @ip-connlimit-main counter reject with tcp reset
|
||||
tcp dport 80 ip6 saddr and ffff:ffff:ffff:ffff:: @ip6-connlimit-main counter reject with tcp reset
|
||||
tcp dport { 22, 80 } synproxy mss 1460 wscale 7 timestamp sack-perm
|
||||
tcp dport { 80, 443 } ip saddr @ip-connlimit-main counter reject with tcp reset
|
||||
tcp dport { 80, 443 } ip6 saddr and ffff:ffff:ffff:ffff:: @ip6-connlimit-main counter reject with tcp reset
|
||||
tcp dport { 22, 80, 443 } synproxy mss 1460 wscale 7 timestamp sack-perm
|
||||
}
|
||||
|
||||
chain input-new {
|
||||
tcp dport != { 22, 80, 443 } goto graceful-reject
|
||||
tcp dport 22 ip saddr @ip-connlimit-ssh counter reject with tcp reset
|
||||
tcp dport 22 ip6 saddr and ffff:ffff:ffff:ffff:ffff:: @ip6-connlimit-ssh counter reject with tcp reset
|
||||
tcp dport { 80, 443 } ip saddr @ip-connlimit-main counter reject with tcp reset
|
||||
tcp dport { 80, 443 } ip6 saddr and ffff:ffff:ffff:ffff:: @ip6-connlimit-main counter reject with tcp reset
|
||||
accept
|
||||
}
|
||||
|
||||
chain input-established {
|
||||
ct mark 0x1 accept
|
||||
tcp dport 22 ip saddr != $ip-allowlist-ssh add @ip-connlimit-ssh { ip saddr ct count over 1 } counter reject with tcp reset
|
||||
tcp dport 22 ip6 saddr != $ip6-allowlist-ssh add @ip6-connlimit-ssh { ip6 saddr and ffff:ffff:ffff:ffff:ffff:: ct count over 1 } counter reject with tcp reset
|
||||
tcp dport { 80, 443 } add @ip-connlimit-main { ip saddr ct count over 32 } counter reject with tcp reset
|
||||
tcp dport { 80, 443 } add @ip6-connlimit-main { ip6 saddr and ffff:ffff:ffff:ffff:: ct count over 32 } counter reject with tcp reset
|
||||
ct mark set 0x1 accept
|
||||
}
|
||||
|
||||
chain input-loopback {
|
||||
tcp flags != syn accept
|
||||
tcp dport 22 ip saddr != $ip-allowlist-ssh add @ip-connlimit-ssh { ip saddr ct count over 1 } counter reject with tcp reset
|
||||
tcp dport 22 ip6 saddr != $ip6-allowlist-ssh add @ip6-connlimit-ssh { ip6 saddr and ffff:ffff:ffff:ffff:ffff:: ct count over 1 } counter reject with tcp reset
|
||||
tcp dport 80 add @ip-connlimit-main { ip saddr ct count over 32 } counter reject with tcp reset
|
||||
tcp dport 80 add @ip6-connlimit-main { ip6 saddr and ffff:ffff:ffff:ffff:: ct count over 32 } counter reject with tcp reset
|
||||
accept
|
||||
tcp dport { 80, 443 } add @ip-connlimit-main { ip saddr ct count over 32 } counter reject with tcp reset
|
||||
tcp dport { 80, 443 } add @ip6-connlimit-main { ip6 saddr and ffff:ffff:ffff:ffff:: ct count over 32 } counter reject with tcp reset
|
||||
ct mark set 0x1 accept
|
||||
}
|
||||
|
||||
chain forward {
|
||||
|
@ -81,7 +98,6 @@ table inet filter {
|
|||
type filter hook output priority raw
|
||||
|
||||
oif lo notrack accept
|
||||
tcp sport 443 notrack accept
|
||||
meta l4proto { icmp, ipv6-icmp } notrack accept
|
||||
}
|
||||
|
||||
|
|
|
@ -44,8 +44,8 @@ table inet filter {
|
|||
# drop packets to address not configured on incoming interface (strong host model)
|
||||
fib daddr . iif type != { local, broadcast, multicast } counter drop
|
||||
|
||||
tcp dport { 80, 443 } notrack accept
|
||||
tcp dport { 22, 7275 } tcp flags syn notrack accept
|
||||
tcp dport { 22, 80, 443, 7275 } tcp flags syn limit rate 1024/second burst 128 packets accept
|
||||
tcp dport { 22, 80, 443, 7275 } tcp flags syn counter notrack accept
|
||||
udp dport 123 notrack accept
|
||||
meta l4proto { icmp, ipv6-icmp } notrack accept
|
||||
}
|
||||
|
@ -55,25 +55,42 @@ table inet filter {
|
|||
policy drop
|
||||
|
||||
iif lo goto input-loopback
|
||||
tcp dport { 80, 443 } accept
|
||||
udp dport 123 accept
|
||||
meta l4proto { icmp, ipv6-icmp } accept
|
||||
ct state vmap { established : accept, related : accept, new : goto graceful-reject }
|
||||
ct state vmap { new : goto input-new, established : goto input-established, related : accept }
|
||||
|
||||
tcp dport 22 ip saddr @ip-connlimit-ssh counter reject with tcp reset
|
||||
tcp dport 22 ip6 saddr and ffff:ffff:ffff:ffff:ffff:: @ip6-connlimit-ssh counter reject with tcp reset
|
||||
tcp dport 7275 ip saddr @ip-connlimit-main counter reject with tcp reset
|
||||
tcp dport 7275 ip6 saddr and ffff:ffff:ffff:ffff:: @ip6-connlimit-main counter reject with tcp reset
|
||||
tcp dport { 22, 7275 } synproxy mss 1460 wscale 7 timestamp sack-perm
|
||||
tcp dport { 80, 443, 7275 } ip saddr @ip-connlimit-main counter reject with tcp reset
|
||||
tcp dport { 80, 443, 7275 } ip6 saddr and ffff:ffff:ffff:ffff:: @ip6-connlimit-main counter reject with tcp reset
|
||||
tcp dport { 22, 80, 443, 7275 } synproxy mss 1460 wscale 7 timestamp sack-perm
|
||||
}
|
||||
|
||||
chain input-new {
|
||||
tcp dport != { 22, 80, 443, 7275 } goto graceful-reject
|
||||
tcp dport 22 ip saddr @ip-connlimit-ssh counter reject with tcp reset
|
||||
tcp dport 22 ip6 saddr and ffff:ffff:ffff:ffff:ffff:: @ip6-connlimit-ssh counter reject with tcp reset
|
||||
tcp dport { 80, 443, 7275 } ip saddr @ip-connlimit-main counter reject with tcp reset
|
||||
tcp dport { 80, 443, 7275 } ip6 saddr and ffff:ffff:ffff:ffff:: @ip6-connlimit-main counter reject with tcp reset
|
||||
accept
|
||||
}
|
||||
|
||||
chain input-established {
|
||||
ct mark 0x1 accept
|
||||
tcp dport 22 ip saddr != $ip-allowlist-ssh add @ip-connlimit-ssh { ip saddr ct count over 1 } counter reject with tcp reset
|
||||
tcp dport 22 ip6 saddr != $ip6-allowlist-ssh add @ip6-connlimit-ssh { ip6 saddr and ffff:ffff:ffff:ffff:ffff:: ct count over 1 } counter reject with tcp reset
|
||||
tcp dport { 80, 443, 7275 } add @ip-connlimit-main { ip saddr ct count over 32 } counter reject with tcp reset
|
||||
tcp dport { 80, 443, 7275 } add @ip6-connlimit-main { ip6 saddr and ffff:ffff:ffff:ffff:: ct count over 32 } counter reject with tcp reset
|
||||
ct mark set 0x1 accept
|
||||
}
|
||||
|
||||
chain input-loopback {
|
||||
tcp flags != syn accept
|
||||
tcp dport 22 ip saddr != $ip-allowlist-ssh add @ip-connlimit-ssh { ip saddr ct count over 1 } counter reject with tcp reset
|
||||
tcp dport 22 ip6 saddr != $ip6-allowlist-ssh add @ip6-connlimit-ssh { ip6 saddr and ffff:ffff:ffff:ffff:ffff:: ct count over 1 } counter reject with tcp reset
|
||||
tcp dport 7275 add @ip-connlimit-main { ip saddr ct count over 32 } counter reject with tcp reset
|
||||
tcp dport 7275 add @ip6-connlimit-main { ip6 saddr and ffff:ffff:ffff:ffff:: ct count over 32 } counter reject with tcp reset
|
||||
accept
|
||||
tcp dport { 80, 443, 7275 } add @ip-connlimit-main { ip saddr ct count over 32 } counter reject with tcp reset
|
||||
tcp dport { 80, 443, 7275 } add @ip6-connlimit-main { ip6 saddr and ffff:ffff:ffff:ffff:: ct count over 32 } counter reject with tcp reset
|
||||
ct mark set 0x1 accept
|
||||
}
|
||||
|
||||
chain forward {
|
||||
|
@ -85,7 +102,6 @@ table inet filter {
|
|||
type filter hook output priority raw
|
||||
|
||||
oif lo notrack accept
|
||||
tcp sport { 80, 443 } notrack accept
|
||||
udp sport 123 notrack accept
|
||||
meta l4proto { icmp, ipv6-icmp } notrack accept
|
||||
}
|
||||
|
|
|
@ -43,7 +43,8 @@ table inet filter {
|
|||
fib daddr . iif type != { local, broadcast, multicast } counter drop
|
||||
|
||||
udp dport 53 notrack accept
|
||||
tcp dport { 22, 53, 80, 443, 853 } tcp flags syn notrack accept
|
||||
tcp dport { 22, 53, 80, 443, 853 } tcp flags syn limit rate 1024/second burst 128 packets accept
|
||||
tcp dport { 22, 53, 80, 443, 853 } tcp flags syn counter notrack accept
|
||||
meta l4proto { icmp, ipv6-icmp } notrack accept
|
||||
}
|
||||
|
||||
|
@ -54,7 +55,7 @@ table inet filter {
|
|||
iif lo goto input-loopback
|
||||
udp dport 53 accept
|
||||
meta l4proto { icmp, ipv6-icmp } accept
|
||||
ct state vmap { established : accept, related : accept, new : goto graceful-reject }
|
||||
ct state vmap { new : goto input-new, established : goto input-established, related : accept }
|
||||
|
||||
tcp dport 22 ip saddr @ip-connlimit-ssh counter reject with tcp reset
|
||||
tcp dport 22 ip6 saddr and ffff:ffff:ffff:ffff:ffff:: @ip6-connlimit-ssh counter reject with tcp reset
|
||||
|
@ -63,13 +64,31 @@ table inet filter {
|
|||
tcp dport { 22, 53, 80, 443, 853 } synproxy mss 1460 wscale 7 timestamp sack-perm
|
||||
}
|
||||
|
||||
chain input-new {
|
||||
tcp dport != { 22, 53, 80, 443, 853 } goto graceful-reject
|
||||
tcp dport 22 ip saddr @ip-connlimit-ssh counter reject with tcp reset
|
||||
tcp dport 22 ip6 saddr and ffff:ffff:ffff:ffff:ffff:: @ip6-connlimit-ssh counter reject with tcp reset
|
||||
tcp dport { 53, 80, 443, 853 } ip saddr @ip-connlimit-main counter reject with tcp reset
|
||||
tcp dport { 53, 80, 443, 853 } ip6 saddr and ffff:ffff:ffff:ffff:: @ip6-connlimit-main counter reject with tcp reset
|
||||
accept
|
||||
}
|
||||
|
||||
chain input-established {
|
||||
ct mark 0x1 accept
|
||||
tcp dport 22 ip saddr != $ip-allowlist-ssh add @ip-connlimit-ssh { ip saddr ct count over 1 } counter reject with tcp reset
|
||||
tcp dport 22 ip6 saddr != $ip6-allowlist-ssh add @ip6-connlimit-ssh { ip6 saddr and ffff:ffff:ffff:ffff:ffff:: ct count over 1 } counter reject with tcp reset
|
||||
tcp dport { 53, 80, 443, 853 } add @ip-connlimit-main { ip saddr ct count over 16 } counter reject with tcp reset
|
||||
tcp dport { 53, 80, 443, 853 } add @ip6-connlimit-main { ip6 saddr and ffff:ffff:ffff:ffff:: ct count over 16 } counter reject with tcp reset
|
||||
ct mark set 0x1 accept
|
||||
}
|
||||
|
||||
chain input-loopback {
|
||||
tcp flags != syn accept
|
||||
tcp dport 22 ip saddr != $ip-allowlist-ssh add @ip-connlimit-ssh { ip saddr ct count over 1 } counter reject with tcp reset
|
||||
tcp dport 22 ip6 saddr != $ip6-allowlist-ssh add @ip6-connlimit-ssh { ip6 saddr and ffff:ffff:ffff:ffff:ffff:: ct count over 1 } counter reject with tcp reset
|
||||
tcp dport { 53, 80, 443, 853 } add @ip-connlimit-main { ip saddr ct count over 16 } counter reject with tcp reset
|
||||
tcp dport { 53, 80, 443, 853 } add @ip6-connlimit-main { ip6 saddr and ffff:ffff:ffff:ffff:: ct count over 16 } counter reject with tcp reset
|
||||
accept
|
||||
ct mark set 0x1 accept
|
||||
}
|
||||
|
||||
chain forward {
|
||||
|
|
|
@ -48,7 +48,8 @@ table inet filter {
|
|||
tcp dport 22 ip daddr 198.251.90.93 reject with tcp reset
|
||||
|
||||
udp dport 53 notrack accept
|
||||
tcp dport { 22, 53, 80, 443, 853 } tcp flags syn notrack accept
|
||||
tcp dport { 22, 53, 80, 443, 853 } tcp flags syn limit rate 1024/second burst 128 packets accept
|
||||
tcp dport { 22, 53, 80, 443, 853 } tcp flags syn counter notrack accept
|
||||
meta l4proto { icmp, ipv6-icmp } notrack accept
|
||||
}
|
||||
|
||||
|
@ -59,7 +60,7 @@ table inet filter {
|
|||
iif lo goto input-loopback
|
||||
udp dport 53 accept
|
||||
meta l4proto { icmp, ipv6-icmp } accept
|
||||
ct state vmap { established : accept, related : accept, new : goto graceful-reject }
|
||||
ct state vmap { new : goto input-new, established : goto input-established, related : accept }
|
||||
|
||||
tcp dport 22 ip saddr @ip-connlimit-ssh counter reject with tcp reset
|
||||
tcp dport 22 ip6 saddr and ffff:ffff:ffff:ffff:ffff:: @ip6-connlimit-ssh counter reject with tcp reset
|
||||
|
@ -68,13 +69,31 @@ table inet filter {
|
|||
tcp dport { 22, 53, 80, 443, 853 } synproxy mss 1460 wscale 7 timestamp sack-perm
|
||||
}
|
||||
|
||||
chain input-new {
|
||||
tcp dport != { 22, 53, 80, 443, 853 } goto graceful-reject
|
||||
tcp dport 22 ip saddr @ip-connlimit-ssh counter reject with tcp reset
|
||||
tcp dport 22 ip6 saddr and ffff:ffff:ffff:ffff:ffff:: @ip6-connlimit-ssh counter reject with tcp reset
|
||||
tcp dport { 53, 80, 443, 853 } ip saddr @ip-connlimit-main counter reject with tcp reset
|
||||
tcp dport { 53, 80, 443, 853 } ip6 saddr and ffff:ffff:ffff:ffff:: @ip6-connlimit-main counter reject with tcp reset
|
||||
accept
|
||||
}
|
||||
|
||||
chain input-established {
|
||||
ct mark 0x1 accept
|
||||
tcp dport 22 ip saddr != $ip-allowlist-ssh add @ip-connlimit-ssh { ip saddr ct count over 1 } counter reject with tcp reset
|
||||
tcp dport 22 ip6 saddr != $ip6-allowlist-ssh add @ip6-connlimit-ssh { ip6 saddr and ffff:ffff:ffff:ffff:ffff:: ct count over 1 } counter reject with tcp reset
|
||||
tcp dport { 53, 80, 443, 853 } add @ip-connlimit-main { ip saddr ct count over 16 } counter reject with tcp reset
|
||||
tcp dport { 53, 80, 443, 853 } add @ip6-connlimit-main { ip6 saddr and ffff:ffff:ffff:ffff:: ct count over 16 } counter reject with tcp reset
|
||||
ct mark set 0x1 accept
|
||||
}
|
||||
|
||||
chain input-loopback {
|
||||
tcp flags != syn accept
|
||||
tcp dport 22 ip saddr != $ip-allowlist-ssh add @ip-connlimit-ssh { ip saddr ct count over 1 } counter reject with tcp reset
|
||||
tcp dport 22 ip6 saddr != $ip6-allowlist-ssh add @ip6-connlimit-ssh { ip6 saddr and ffff:ffff:ffff:ffff:ffff:: ct count over 1 } counter reject with tcp reset
|
||||
tcp dport { 53, 80, 443, 853 } add @ip-connlimit-main { ip saddr ct count over 16 } counter reject with tcp reset
|
||||
tcp dport { 53, 80, 443, 853 } add @ip6-connlimit-main { ip6 saddr and ffff:ffff:ffff:ffff:: ct count over 16 } counter reject with tcp reset
|
||||
accept
|
||||
ct mark set 0x1 accept
|
||||
}
|
||||
|
||||
chain forward {
|
||||
|
|
|
@ -42,8 +42,8 @@ table inet filter {
|
|||
# drop packets to address not configured on incoming interface (strong host model)
|
||||
fib daddr . iif type != { local, broadcast, multicast } counter drop
|
||||
|
||||
tcp dport 443 notrack accept
|
||||
tcp dport { 22, 80 } tcp flags syn notrack accept
|
||||
tcp dport { 22, 80, 443 } tcp flags syn limit rate 1024/second burst 128 packets accept
|
||||
tcp dport { 22, 80, 443 } tcp flags syn counter notrack accept
|
||||
meta l4proto { icmp, ipv6-icmp } notrack accept
|
||||
}
|
||||
|
||||
|
@ -52,24 +52,41 @@ table inet filter {
|
|||
policy drop
|
||||
|
||||
iif lo goto input-loopback
|
||||
tcp dport 443 accept
|
||||
meta l4proto { icmp, ipv6-icmp } accept
|
||||
ct state vmap { established : accept, related : accept, new : goto graceful-reject }
|
||||
ct state vmap { new : goto input-new, established : goto input-established, related : accept }
|
||||
|
||||
tcp dport 22 ip saddr @ip-connlimit-ssh counter reject with tcp reset
|
||||
tcp dport 22 ip6 saddr and ffff:ffff:ffff:ffff:ffff:: @ip6-connlimit-ssh counter reject with tcp reset
|
||||
tcp dport 80 ip saddr @ip-connlimit-main counter reject with tcp reset
|
||||
tcp dport 80 ip6 saddr and ffff:ffff:ffff:ffff:: @ip6-connlimit-main counter reject with tcp reset
|
||||
tcp dport { 22, 80 } synproxy mss 1460 wscale 7 timestamp sack-perm
|
||||
tcp dport { 80, 443 } ip saddr @ip-connlimit-main counter reject with tcp reset
|
||||
tcp dport { 80, 443 } ip6 saddr and ffff:ffff:ffff:ffff:: @ip6-connlimit-main counter reject with tcp reset
|
||||
tcp dport { 22, 80, 443 } synproxy mss 1460 wscale 7 timestamp sack-perm
|
||||
}
|
||||
|
||||
chain input-new {
|
||||
tcp dport != { 22, 80, 443 } goto graceful-reject
|
||||
tcp dport 22 ip saddr @ip-connlimit-ssh counter reject with tcp reset
|
||||
tcp dport 22 ip6 saddr and ffff:ffff:ffff:ffff:ffff:: @ip6-connlimit-ssh counter reject with tcp reset
|
||||
tcp dport { 80, 443 } ip saddr @ip-connlimit-main counter reject with tcp reset
|
||||
tcp dport { 80, 443 } ip6 saddr and ffff:ffff:ffff:ffff:: @ip6-connlimit-main counter reject with tcp reset
|
||||
accept
|
||||
}
|
||||
|
||||
chain input-established {
|
||||
ct mark 0x1 accept
|
||||
tcp dport 22 ip saddr != $ip-allowlist-ssh add @ip-connlimit-ssh { ip saddr ct count over 1 } counter reject with tcp reset
|
||||
tcp dport 22 ip6 saddr != $ip6-allowlist-ssh add @ip6-connlimit-ssh { ip6 saddr and ffff:ffff:ffff:ffff:ffff:: ct count over 1 } counter reject with tcp reset
|
||||
tcp dport { 80, 443 } add @ip-connlimit-main { ip saddr ct count over 32 } counter reject with tcp reset
|
||||
tcp dport { 80, 443 } add @ip6-connlimit-main { ip6 saddr and ffff:ffff:ffff:ffff:: ct count over 32 } counter reject with tcp reset
|
||||
ct mark set 0x1 accept
|
||||
}
|
||||
|
||||
chain input-loopback {
|
||||
tcp flags != syn accept
|
||||
tcp dport 22 ip saddr != $ip-allowlist-ssh add @ip-connlimit-ssh { ip saddr ct count over 1 } counter reject with tcp reset
|
||||
tcp dport 22 ip6 saddr != $ip6-allowlist-ssh add @ip6-connlimit-ssh { ip6 saddr and ffff:ffff:ffff:ffff:ffff:: ct count over 1 } counter reject with tcp reset
|
||||
tcp dport 80 add @ip-connlimit-main { ip saddr ct count over 32 } counter reject with tcp reset
|
||||
tcp dport 80 add @ip6-connlimit-main { ip6 saddr and ffff:ffff:ffff:ffff:: ct count over 32 } counter reject with tcp reset
|
||||
accept
|
||||
tcp dport { 80, 443 } add @ip-connlimit-main { ip saddr ct count over 32 } counter reject with tcp reset
|
||||
tcp dport { 80, 443 } add @ip6-connlimit-main { ip6 saddr and ffff:ffff:ffff:ffff:: ct count over 32 } counter reject with tcp reset
|
||||
ct mark set 0x1 accept
|
||||
}
|
||||
|
||||
chain forward {
|
||||
|
@ -81,7 +98,6 @@ table inet filter {
|
|||
type filter hook output priority raw
|
||||
|
||||
oif lo notrack accept
|
||||
tcp sport 443 notrack accept
|
||||
meta l4proto { icmp, ipv6-icmp } notrack accept
|
||||
}
|
||||
|
||||
|
|
|
@ -46,8 +46,8 @@ table inet filter {
|
|||
# drop packets to address not configured on incoming interface (strong host model)
|
||||
fib daddr . iif type != { local, broadcast, multicast } counter drop
|
||||
|
||||
tcp dport 443 notrack accept
|
||||
tcp dport { 22, 80 } tcp flags syn notrack accept
|
||||
tcp dport { 22, 80, 443 } tcp flags syn limit rate 1024/second burst 128 packets accept
|
||||
tcp dport { 22, 80, 443 } tcp flags syn counter notrack accept
|
||||
meta l4proto { icmp, ipv6-icmp } notrack accept
|
||||
}
|
||||
|
||||
|
@ -56,24 +56,41 @@ table inet filter {
|
|||
policy drop
|
||||
|
||||
iif lo goto input-loopback
|
||||
tcp dport 443 accept
|
||||
meta l4proto { icmp, ipv6-icmp } accept
|
||||
ct state vmap { established : accept, related : accept, new : goto graceful-reject }
|
||||
ct state vmap { new : goto input-new, established : goto input-established, related : accept }
|
||||
|
||||
tcp dport 22 ip saddr @ip-connlimit-ssh counter reject with tcp reset
|
||||
tcp dport 22 ip6 saddr and ffff:ffff:ffff:ffff:ffff:: @ip6-connlimit-ssh counter reject with tcp reset
|
||||
tcp dport 80 ip saddr @ip-connlimit-main counter reject with tcp reset
|
||||
tcp dport 80 ip6 saddr and ffff:ffff:ffff:ffff:: @ip6-connlimit-main counter reject with tcp reset
|
||||
tcp dport { 22, 80 } synproxy mss 1460 wscale 7 timestamp sack-perm
|
||||
tcp dport { 80, 443 } ip saddr @ip-connlimit-main counter reject with tcp reset
|
||||
tcp dport { 80, 443 } ip6 saddr and ffff:ffff:ffff:ffff:: @ip6-connlimit-main counter reject with tcp reset
|
||||
tcp dport { 22, 80, 443 } synproxy mss 1460 wscale 7 timestamp sack-perm
|
||||
}
|
||||
|
||||
chain input-new {
|
||||
tcp dport != { 22, 80, 443 } goto graceful-reject
|
||||
tcp dport 22 ip saddr @ip-connlimit-ssh counter reject with tcp reset
|
||||
tcp dport 22 ip6 saddr and ffff:ffff:ffff:ffff:ffff:: @ip6-connlimit-ssh counter reject with tcp reset
|
||||
tcp dport { 80, 443 } ip saddr @ip-connlimit-main counter reject with tcp reset
|
||||
tcp dport { 80, 443 } ip6 saddr and ffff:ffff:ffff:ffff:: @ip6-connlimit-main counter reject with tcp reset
|
||||
accept
|
||||
}
|
||||
|
||||
chain input-established {
|
||||
ct mark 0x1 accept
|
||||
tcp dport 22 ip saddr != $ip-allowlist-ssh add @ip-connlimit-ssh { ip saddr ct count over 1 } counter reject with tcp reset
|
||||
tcp dport 22 ip6 saddr != $ip6-allowlist-ssh add @ip6-connlimit-ssh { ip6 saddr and ffff:ffff:ffff:ffff:ffff:: ct count over 1 } counter reject with tcp reset
|
||||
tcp dport { 80, 443 } add @ip-connlimit-main { ip saddr ct count over 32 } counter reject with tcp reset
|
||||
tcp dport { 80, 443 } add @ip6-connlimit-main { ip6 saddr and ffff:ffff:ffff:ffff:: ct count over 32 } counter reject with tcp reset
|
||||
ct mark set 0x1 accept
|
||||
}
|
||||
|
||||
chain input-loopback {
|
||||
tcp flags != syn accept
|
||||
tcp dport 22 ip saddr != $ip-allowlist-ssh add @ip-connlimit-ssh { ip saddr ct count over 1 } counter reject with tcp reset
|
||||
tcp dport 22 ip6 saddr != $ip6-allowlist-ssh add @ip6-connlimit-ssh { ip6 saddr and ffff:ffff:ffff:ffff:ffff:: ct count over 1 } counter reject with tcp reset
|
||||
tcp dport 80 add @ip-connlimit-main { ip saddr ct count over 32 } counter reject with tcp reset
|
||||
tcp dport 80 add @ip6-connlimit-main { ip6 saddr and ffff:ffff:ffff:ffff:: ct count over 32 } counter reject with tcp reset
|
||||
accept
|
||||
tcp dport { 80, 443 } add @ip-connlimit-main { ip saddr ct count over 32 } counter reject with tcp reset
|
||||
tcp dport { 80, 443 } add @ip6-connlimit-main { ip6 saddr and ffff:ffff:ffff:ffff:: ct count over 32 } counter reject with tcp reset
|
||||
ct mark set 0x1 accept
|
||||
}
|
||||
|
||||
chain forward {
|
||||
|
@ -85,7 +102,6 @@ table inet filter {
|
|||
type filter hook output priority raw
|
||||
|
||||
oif lo notrack accept
|
||||
tcp sport 443 notrack accept
|
||||
meta l4proto { icmp, ipv6-icmp } notrack accept
|
||||
}
|
||||
|
||||
|
|
Loading…
Reference in New Issue