Compare commits
7 Commits
b21ea0a23f
...
edbf50a3da
| Author | SHA1 | Date |
|---|---|---|
Daniel Micay
|
edbf50a3da | |
|
Daniel Micay
|
3d886dea43 | |
|
Daniel Micay
|
b152574da8 | |
|
Daniel Micay
|
832a430954 | |
|
Daniel Micay
|
8f047de0c3 | |
|
Daniel Micay
|
26a58b2492 | |
|
Daniel Micay
|
ecd14bddff |
|
|
@ -40,10 +40,14 @@ table inet filter {
|
||||||
iif lo notrack accept
|
iif lo notrack accept
|
||||||
|
|
||||||
# drop packets to address not configured on incoming interface (strong host model)
|
# drop packets to address not configured on incoming interface (strong host model)
|
||||||
|
#
|
||||||
|
# ordered after accepting loopback to permit using external IPs via loopback
|
||||||
fib daddr . iif type != { local, broadcast, multicast } counter drop
|
fib daddr . iif type != { local, broadcast, multicast } counter drop
|
||||||
|
|
||||||
|
# handle new TCP connections beyond rate limit via synproxy to avoid conntrack table exhaustion
|
||||||
tcp dport { 22, 80, 443 } tcp flags syn limit rate 1024/second burst 128 packets accept
|
tcp dport { 22, 80, 443 } tcp flags syn limit rate 1024/second burst 128 packets accept
|
||||||
tcp dport { 22, 80, 443 } tcp flags syn counter notrack accept
|
tcp dport { 22, 80, 443 } tcp flags syn counter notrack accept
|
||||||
|
|
||||||
meta l4proto { icmp, ipv6-icmp } notrack accept
|
meta l4proto { icmp, ipv6-icmp } notrack accept
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
@ -51,19 +55,26 @@ table inet filter {
|
||||||
type filter hook input priority filter
|
type filter hook input priority filter
|
||||||
policy drop
|
policy drop
|
||||||
|
|
||||||
iif lo goto input-loopback
|
tcp dport { 22, 80, 443 } goto input-tcp-service
|
||||||
|
iif lo accept
|
||||||
meta l4proto { icmp, ipv6-icmp } accept
|
meta l4proto { icmp, ipv6-icmp } accept
|
||||||
ct state vmap { new : goto input-new, established : goto input-established, related : accept }
|
ct state vmap { new : goto graceful-reject, established : accept, related : accept }
|
||||||
|
}
|
||||||
|
|
||||||
|
chain input-tcp-service {
|
||||||
|
iif lo goto input-tcp-service-loopback
|
||||||
|
|
||||||
|
# for synproxy, SYN is untracked and first ACK is invalid which are handled via fallthrough
|
||||||
|
ct state vmap { new : goto input-tcp-service-new, established : goto input-tcp-service-established, related : accept }
|
||||||
|
|
||||||
tcp dport 22 ip saddr @ip-connlimit-ssh counter reject with tcp reset
|
tcp dport 22 ip saddr @ip-connlimit-ssh counter reject with tcp reset
|
||||||
tcp dport 22 ip6 saddr and ffff:ffff:ffff:ffff:ffff:: @ip6-connlimit-ssh counter reject with tcp reset
|
tcp dport 22 ip6 saddr and ffff:ffff:ffff:ffff:ffff:: @ip6-connlimit-ssh counter reject with tcp reset
|
||||||
tcp dport { 80, 443 } ip saddr @ip-connlimit-main counter reject with tcp reset
|
tcp dport { 80, 443 } ip saddr @ip-connlimit-main counter reject with tcp reset
|
||||||
tcp dport { 80, 443 } ip6 saddr and ffff:ffff:ffff:ffff:: @ip6-connlimit-main counter reject with tcp reset
|
tcp dport { 80, 443 } ip6 saddr and ffff:ffff:ffff:ffff:: @ip6-connlimit-main counter reject with tcp reset
|
||||||
tcp dport { 22, 80, 443 } synproxy mss 1460 wscale 7 timestamp sack-perm
|
synproxy mss 1460 wscale 7 timestamp sack-perm
|
||||||
}
|
}
|
||||||
|
|
||||||
chain input-new {
|
chain input-tcp-service-new {
|
||||||
tcp dport != { 22, 80, 443 } goto graceful-reject
|
|
||||||
tcp dport 22 ip saddr @ip-connlimit-ssh counter reject with tcp reset
|
tcp dport 22 ip saddr @ip-connlimit-ssh counter reject with tcp reset
|
||||||
tcp dport 22 ip6 saddr and ffff:ffff:ffff:ffff:ffff:: @ip6-connlimit-ssh counter reject with tcp reset
|
tcp dport 22 ip6 saddr and ffff:ffff:ffff:ffff:ffff:: @ip6-connlimit-ssh counter reject with tcp reset
|
||||||
tcp dport { 80, 443 } ip saddr @ip-connlimit-main counter reject with tcp reset
|
tcp dport { 80, 443 } ip saddr @ip-connlimit-main counter reject with tcp reset
|
||||||
|
|
@ -71,7 +82,7 @@ table inet filter {
|
||||||
accept
|
accept
|
||||||
}
|
}
|
||||||
|
|
||||||
chain input-established {
|
chain input-tcp-service-established {
|
||||||
ct mark 0x1 accept
|
ct mark 0x1 accept
|
||||||
tcp dport 22 ip saddr != $ip-allowlist-ssh add @ip-connlimit-ssh { ip saddr ct count over 1 } counter reject with tcp reset
|
tcp dport 22 ip saddr != $ip-allowlist-ssh add @ip-connlimit-ssh { ip saddr ct count over 1 } counter reject with tcp reset
|
||||||
tcp dport 22 ip6 saddr != $ip6-allowlist-ssh add @ip6-connlimit-ssh { ip6 saddr and ffff:ffff:ffff:ffff:ffff:: ct count over 1 } counter reject with tcp reset
|
tcp dport 22 ip6 saddr != $ip6-allowlist-ssh add @ip6-connlimit-ssh { ip6 saddr and ffff:ffff:ffff:ffff:ffff:: ct count over 1 } counter reject with tcp reset
|
||||||
|
|
@ -80,7 +91,7 @@ table inet filter {
|
||||||
ct mark set 0x1 accept
|
ct mark set 0x1 accept
|
||||||
}
|
}
|
||||||
|
|
||||||
chain input-loopback {
|
chain input-tcp-service-loopback {
|
||||||
tcp flags != syn accept
|
tcp flags != syn accept
|
||||||
tcp dport 22 ip saddr != $ip-allowlist-ssh add @ip-connlimit-ssh { ip saddr ct count over 1 } counter reject with tcp reset
|
tcp dport 22 ip saddr != $ip-allowlist-ssh add @ip-connlimit-ssh { ip saddr ct count over 1 } counter reject with tcp reset
|
||||||
tcp dport 22 ip6 saddr != $ip6-allowlist-ssh add @ip6-connlimit-ssh { ip6 saddr and ffff:ffff:ffff:ffff:ffff:: ct count over 1 } counter reject with tcp reset
|
tcp dport 22 ip6 saddr != $ip6-allowlist-ssh add @ip6-connlimit-ssh { ip6 saddr and ffff:ffff:ffff:ffff:ffff:: ct count over 1 } counter reject with tcp reset
|
||||||
|
|
|
||||||
|
|
@ -40,10 +40,14 @@ table inet filter {
|
||||||
iif lo notrack accept
|
iif lo notrack accept
|
||||||
|
|
||||||
# drop packets to address not configured on incoming interface (strong host model)
|
# drop packets to address not configured on incoming interface (strong host model)
|
||||||
|
#
|
||||||
|
# ordered after accepting loopback to permit using external IPs via loopback
|
||||||
fib daddr . iif type != { local, broadcast, multicast } counter drop
|
fib daddr . iif type != { local, broadcast, multicast } counter drop
|
||||||
|
|
||||||
|
# handle new TCP connections beyond rate limit via synproxy to avoid conntrack table exhaustion
|
||||||
tcp dport { 22, 80, 443 } tcp flags syn limit rate 1024/second burst 128 packets accept
|
tcp dport { 22, 80, 443 } tcp flags syn limit rate 1024/second burst 128 packets accept
|
||||||
tcp dport { 22, 80, 443 } tcp flags syn counter notrack accept
|
tcp dport { 22, 80, 443 } tcp flags syn counter notrack accept
|
||||||
|
|
||||||
meta l4proto { icmp, ipv6-icmp } notrack accept
|
meta l4proto { icmp, ipv6-icmp } notrack accept
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
@ -51,19 +55,26 @@ table inet filter {
|
||||||
type filter hook input priority filter
|
type filter hook input priority filter
|
||||||
policy drop
|
policy drop
|
||||||
|
|
||||||
iif lo goto input-loopback
|
tcp dport { 22, 80, 443 } goto input-tcp-service
|
||||||
|
iif lo accept
|
||||||
meta l4proto { icmp, ipv6-icmp } accept
|
meta l4proto { icmp, ipv6-icmp } accept
|
||||||
ct state vmap { new : goto input-new, established : goto input-established, related : accept }
|
ct state vmap { new : goto graceful-reject, established : accept, related : accept }
|
||||||
|
}
|
||||||
|
|
||||||
|
chain input-tcp-service {
|
||||||
|
iif lo goto input-tcp-service-loopback
|
||||||
|
|
||||||
|
# for synproxy, SYN is untracked and first ACK is invalid which are handled via fallthrough
|
||||||
|
ct state vmap { new : goto input-tcp-service-new, established : goto input-tcp-service-established, related : accept }
|
||||||
|
|
||||||
tcp dport 22 ip saddr @ip-connlimit-ssh counter reject with tcp reset
|
tcp dport 22 ip saddr @ip-connlimit-ssh counter reject with tcp reset
|
||||||
tcp dport 22 ip6 saddr and ffff:ffff:ffff:ffff:ffff:: @ip6-connlimit-ssh counter reject with tcp reset
|
tcp dport 22 ip6 saddr and ffff:ffff:ffff:ffff:ffff:: @ip6-connlimit-ssh counter reject with tcp reset
|
||||||
tcp dport { 80, 443 } ip saddr @ip-connlimit-main counter reject with tcp reset
|
tcp dport { 80, 443 } ip saddr @ip-connlimit-main counter reject with tcp reset
|
||||||
tcp dport { 80, 443 } ip6 saddr and ffff:ffff:ffff:ffff:: @ip6-connlimit-main counter reject with tcp reset
|
tcp dport { 80, 443 } ip6 saddr and ffff:ffff:ffff:ffff:: @ip6-connlimit-main counter reject with tcp reset
|
||||||
tcp dport { 22, 80, 443 } synproxy mss 1460 wscale 7 timestamp sack-perm
|
synproxy mss 1460 wscale 7 timestamp sack-perm
|
||||||
}
|
}
|
||||||
|
|
||||||
chain input-new {
|
chain input-tcp-service-new {
|
||||||
tcp dport != { 22, 80, 443 } goto graceful-reject
|
|
||||||
tcp dport 22 ip saddr @ip-connlimit-ssh counter reject with tcp reset
|
tcp dport 22 ip saddr @ip-connlimit-ssh counter reject with tcp reset
|
||||||
tcp dport 22 ip6 saddr and ffff:ffff:ffff:ffff:ffff:: @ip6-connlimit-ssh counter reject with tcp reset
|
tcp dport 22 ip6 saddr and ffff:ffff:ffff:ffff:ffff:: @ip6-connlimit-ssh counter reject with tcp reset
|
||||||
tcp dport { 80, 443 } ip saddr @ip-connlimit-main counter reject with tcp reset
|
tcp dport { 80, 443 } ip saddr @ip-connlimit-main counter reject with tcp reset
|
||||||
|
|
@ -71,7 +82,7 @@ table inet filter {
|
||||||
accept
|
accept
|
||||||
}
|
}
|
||||||
|
|
||||||
chain input-established {
|
chain input-tcp-service-established {
|
||||||
ct mark 0x1 accept
|
ct mark 0x1 accept
|
||||||
tcp dport 22 ip saddr != $ip-allowlist-ssh add @ip-connlimit-ssh { ip saddr ct count over 1 } counter reject with tcp reset
|
tcp dport 22 ip saddr != $ip-allowlist-ssh add @ip-connlimit-ssh { ip saddr ct count over 1 } counter reject with tcp reset
|
||||||
tcp dport 22 ip6 saddr != $ip6-allowlist-ssh add @ip6-connlimit-ssh { ip6 saddr and ffff:ffff:ffff:ffff:ffff:: ct count over 1 } counter reject with tcp reset
|
tcp dport 22 ip6 saddr != $ip6-allowlist-ssh add @ip6-connlimit-ssh { ip6 saddr and ffff:ffff:ffff:ffff:ffff:: ct count over 1 } counter reject with tcp reset
|
||||||
|
|
@ -80,7 +91,7 @@ table inet filter {
|
||||||
ct mark set 0x1 accept
|
ct mark set 0x1 accept
|
||||||
}
|
}
|
||||||
|
|
||||||
chain input-loopback {
|
chain input-tcp-service-loopback {
|
||||||
tcp flags != syn accept
|
tcp flags != syn accept
|
||||||
tcp dport 22 ip saddr != $ip-allowlist-ssh add @ip-connlimit-ssh { ip saddr ct count over 1 } counter reject with tcp reset
|
tcp dport 22 ip saddr != $ip-allowlist-ssh add @ip-connlimit-ssh { ip saddr ct count over 1 } counter reject with tcp reset
|
||||||
tcp dport 22 ip6 saddr != $ip6-allowlist-ssh add @ip6-connlimit-ssh { ip6 saddr and ffff:ffff:ffff:ffff:ffff:: ct count over 1 } counter reject with tcp reset
|
tcp dport 22 ip6 saddr != $ip6-allowlist-ssh add @ip6-connlimit-ssh { ip6 saddr and ffff:ffff:ffff:ffff:ffff:: ct count over 1 } counter reject with tcp reset
|
||||||
|
|
|
||||||
|
|
@ -40,10 +40,14 @@ table inet filter {
|
||||||
iif lo notrack accept
|
iif lo notrack accept
|
||||||
|
|
||||||
# drop packets to address not configured on incoming interface (strong host model)
|
# drop packets to address not configured on incoming interface (strong host model)
|
||||||
|
#
|
||||||
|
# ordered after accepting loopback to permit using external IPs via loopback
|
||||||
fib daddr . iif type != { local, broadcast, multicast } counter drop
|
fib daddr . iif type != { local, broadcast, multicast } counter drop
|
||||||
|
|
||||||
|
# handle new TCP connections beyond rate limit via synproxy to avoid conntrack table exhaustion
|
||||||
tcp dport { 22, 25, 80, 443, 465, 993 } tcp flags syn limit rate 1024/second burst 128 packets accept
|
tcp dport { 22, 25, 80, 443, 465, 993 } tcp flags syn limit rate 1024/second burst 128 packets accept
|
||||||
tcp dport { 22, 25, 80, 443, 465, 993 } tcp flags syn counter notrack accept
|
tcp dport { 22, 25, 80, 443, 465, 993 } tcp flags syn counter notrack accept
|
||||||
|
|
||||||
meta l4proto { icmp, ipv6-icmp } notrack accept
|
meta l4proto { icmp, ipv6-icmp } notrack accept
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
@ -51,19 +55,26 @@ table inet filter {
|
||||||
type filter hook input priority filter
|
type filter hook input priority filter
|
||||||
policy drop
|
policy drop
|
||||||
|
|
||||||
iif lo goto input-loopback
|
tcp dport { 22, 25, 80, 443, 465, 993 } goto input-tcp-service
|
||||||
|
iif lo accept
|
||||||
meta l4proto { icmp, ipv6-icmp } accept
|
meta l4proto { icmp, ipv6-icmp } accept
|
||||||
ct state vmap { new : goto input-new, established : goto input-established, related : accept }
|
ct state vmap { new : goto graceful-reject, established : accept, related : accept }
|
||||||
|
}
|
||||||
|
|
||||||
|
chain input-tcp-service {
|
||||||
|
iif lo goto input-tcp-service-loopback
|
||||||
|
|
||||||
|
# for synproxy, SYN is untracked and first ACK is invalid which are handled via fallthrough
|
||||||
|
ct state vmap { new : goto input-tcp-service-new, established : goto input-tcp-service-established, related : accept }
|
||||||
|
|
||||||
tcp dport 22 ip saddr @ip-connlimit-ssh counter reject with tcp reset
|
tcp dport 22 ip saddr @ip-connlimit-ssh counter reject with tcp reset
|
||||||
tcp dport 22 ip6 saddr and ffff:ffff:ffff:ffff:ffff:: @ip6-connlimit-ssh counter reject with tcp reset
|
tcp dport 22 ip6 saddr and ffff:ffff:ffff:ffff:ffff:: @ip6-connlimit-ssh counter reject with tcp reset
|
||||||
tcp dport { 25, 80, 443, 465, 993 } ip saddr @ip-connlimit-main counter reject with tcp reset
|
tcp dport { 25, 80, 443, 465, 993 } ip saddr @ip-connlimit-main counter reject with tcp reset
|
||||||
tcp dport { 25, 80, 443, 465, 993 } ip6 saddr and ffff:ffff:ffff:ffff:: @ip6-connlimit-main counter reject with tcp reset
|
tcp dport { 25, 80, 443, 465, 993 } ip6 saddr and ffff:ffff:ffff:ffff:: @ip6-connlimit-main counter reject with tcp reset
|
||||||
tcp dport { 22, 25, 80, 443, 465, 993 } synproxy mss 1460 wscale 7 timestamp sack-perm
|
synproxy mss 1460 wscale 7 timestamp sack-perm
|
||||||
}
|
}
|
||||||
|
|
||||||
chain input-new {
|
chain input-tcp-service-new {
|
||||||
tcp dport != { 22, 25, 80, 443, 465, 993 } goto graceful-reject
|
|
||||||
tcp dport 22 ip saddr @ip-connlimit-ssh counter reject with tcp reset
|
tcp dport 22 ip saddr @ip-connlimit-ssh counter reject with tcp reset
|
||||||
tcp dport 22 ip6 saddr and ffff:ffff:ffff:ffff:ffff:: @ip6-connlimit-ssh counter reject with tcp reset
|
tcp dport 22 ip6 saddr and ffff:ffff:ffff:ffff:ffff:: @ip6-connlimit-ssh counter reject with tcp reset
|
||||||
tcp dport { 25, 80, 443, 465, 993 } ip saddr @ip-connlimit-main counter reject with tcp reset
|
tcp dport { 25, 80, 443, 465, 993 } ip saddr @ip-connlimit-main counter reject with tcp reset
|
||||||
|
|
@ -71,7 +82,7 @@ table inet filter {
|
||||||
accept
|
accept
|
||||||
}
|
}
|
||||||
|
|
||||||
chain input-established {
|
chain input-tcp-service-established {
|
||||||
ct mark 0x1 accept
|
ct mark 0x1 accept
|
||||||
tcp dport 22 ip saddr != $ip-allowlist-ssh add @ip-connlimit-ssh { ip saddr ct count over 1 } counter reject with tcp reset
|
tcp dport 22 ip saddr != $ip-allowlist-ssh add @ip-connlimit-ssh { ip saddr ct count over 1 } counter reject with tcp reset
|
||||||
tcp dport 22 ip6 saddr != $ip6-allowlist-ssh add @ip6-connlimit-ssh { ip6 saddr and ffff:ffff:ffff:ffff:ffff:: ct count over 1 } counter reject with tcp reset
|
tcp dport 22 ip6 saddr != $ip6-allowlist-ssh add @ip6-connlimit-ssh { ip6 saddr and ffff:ffff:ffff:ffff:ffff:: ct count over 1 } counter reject with tcp reset
|
||||||
|
|
@ -80,7 +91,7 @@ table inet filter {
|
||||||
ct mark set 0x1 accept
|
ct mark set 0x1 accept
|
||||||
}
|
}
|
||||||
|
|
||||||
chain input-loopback {
|
chain input-tcp-service-loopback {
|
||||||
tcp flags != syn accept
|
tcp flags != syn accept
|
||||||
tcp dport 22 ip saddr != $ip-allowlist-ssh add @ip-connlimit-ssh { ip saddr ct count over 1 } counter reject with tcp reset
|
tcp dport 22 ip saddr != $ip-allowlist-ssh add @ip-connlimit-ssh { ip saddr ct count over 1 } counter reject with tcp reset
|
||||||
tcp dport 22 ip6 saddr != $ip6-allowlist-ssh add @ip6-connlimit-ssh { ip6 saddr and ffff:ffff:ffff:ffff:ffff:: ct count over 1 } counter reject with tcp reset
|
tcp dport 22 ip6 saddr != $ip6-allowlist-ssh add @ip6-connlimit-ssh { ip6 saddr and ffff:ffff:ffff:ffff:ffff:: ct count over 1 } counter reject with tcp reset
|
||||||
|
|
|
||||||
|
|
@ -40,10 +40,14 @@ table inet filter {
|
||||||
iif lo notrack accept
|
iif lo notrack accept
|
||||||
|
|
||||||
# drop packets to address not configured on incoming interface (strong host model)
|
# drop packets to address not configured on incoming interface (strong host model)
|
||||||
|
#
|
||||||
|
# ordered after accepting loopback to permit using external IPs via loopback
|
||||||
fib daddr . iif type != { local, broadcast, multicast } counter drop
|
fib daddr . iif type != { local, broadcast, multicast } counter drop
|
||||||
|
|
||||||
|
# handle new TCP connections beyond rate limit via synproxy to avoid conntrack table exhaustion
|
||||||
tcp dport { 22, 80, 443 } tcp flags syn limit rate 1024/second burst 128 packets accept
|
tcp dport { 22, 80, 443 } tcp flags syn limit rate 1024/second burst 128 packets accept
|
||||||
tcp dport { 22, 80, 443 } tcp flags syn counter notrack accept
|
tcp dport { 22, 80, 443 } tcp flags syn counter notrack accept
|
||||||
|
|
||||||
meta l4proto { icmp, ipv6-icmp } notrack accept
|
meta l4proto { icmp, ipv6-icmp } notrack accept
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
@ -51,19 +55,26 @@ table inet filter {
|
||||||
type filter hook input priority filter
|
type filter hook input priority filter
|
||||||
policy drop
|
policy drop
|
||||||
|
|
||||||
iif lo goto input-loopback
|
tcp dport { 22, 80, 443 } goto input-tcp-service
|
||||||
|
iif lo accept
|
||||||
meta l4proto { icmp, ipv6-icmp } accept
|
meta l4proto { icmp, ipv6-icmp } accept
|
||||||
ct state vmap { new : goto input-new, established : goto input-established, related : accept }
|
ct state vmap { new : goto graceful-reject, established : accept, related : accept }
|
||||||
|
}
|
||||||
|
|
||||||
|
chain input-tcp-service {
|
||||||
|
iif lo goto input-tcp-service-loopback
|
||||||
|
|
||||||
|
# for synproxy, SYN is untracked and first ACK is invalid which are handled via fallthrough
|
||||||
|
ct state vmap { new : goto input-tcp-service-new, established : goto input-tcp-service-established, related : accept }
|
||||||
|
|
||||||
tcp dport 22 ip saddr @ip-connlimit-ssh counter reject with tcp reset
|
tcp dport 22 ip saddr @ip-connlimit-ssh counter reject with tcp reset
|
||||||
tcp dport 22 ip6 saddr and ffff:ffff:ffff:ffff:ffff:: @ip6-connlimit-ssh counter reject with tcp reset
|
tcp dport 22 ip6 saddr and ffff:ffff:ffff:ffff:ffff:: @ip6-connlimit-ssh counter reject with tcp reset
|
||||||
tcp dport { 80, 443 } ip saddr @ip-connlimit-main counter reject with tcp reset
|
tcp dport { 80, 443 } ip saddr @ip-connlimit-main counter reject with tcp reset
|
||||||
tcp dport { 80, 443 } ip6 saddr and ffff:ffff:ffff:ffff:: @ip6-connlimit-main counter reject with tcp reset
|
tcp dport { 80, 443 } ip6 saddr and ffff:ffff:ffff:ffff:: @ip6-connlimit-main counter reject with tcp reset
|
||||||
tcp dport { 22, 80, 443 } synproxy mss 1460 wscale 7 timestamp sack-perm
|
synproxy mss 1460 wscale 7 timestamp sack-perm
|
||||||
}
|
}
|
||||||
|
|
||||||
chain input-new {
|
chain input-tcp-service-new {
|
||||||
tcp dport != { 22, 80, 443 } goto graceful-reject
|
|
||||||
tcp dport 22 ip saddr @ip-connlimit-ssh counter reject with tcp reset
|
tcp dport 22 ip saddr @ip-connlimit-ssh counter reject with tcp reset
|
||||||
tcp dport 22 ip6 saddr and ffff:ffff:ffff:ffff:ffff:: @ip6-connlimit-ssh counter reject with tcp reset
|
tcp dport 22 ip6 saddr and ffff:ffff:ffff:ffff:ffff:: @ip6-connlimit-ssh counter reject with tcp reset
|
||||||
tcp dport { 80, 443 } ip saddr @ip-connlimit-main counter reject with tcp reset
|
tcp dport { 80, 443 } ip saddr @ip-connlimit-main counter reject with tcp reset
|
||||||
|
|
@ -71,7 +82,7 @@ table inet filter {
|
||||||
accept
|
accept
|
||||||
}
|
}
|
||||||
|
|
||||||
chain input-established {
|
chain input-tcp-service-established {
|
||||||
ct mark 0x1 accept
|
ct mark 0x1 accept
|
||||||
tcp dport 22 ip saddr != $ip-allowlist-ssh add @ip-connlimit-ssh { ip saddr ct count over 1 } counter reject with tcp reset
|
tcp dport 22 ip saddr != $ip-allowlist-ssh add @ip-connlimit-ssh { ip saddr ct count over 1 } counter reject with tcp reset
|
||||||
tcp dport 22 ip6 saddr != $ip6-allowlist-ssh add @ip6-connlimit-ssh { ip6 saddr and ffff:ffff:ffff:ffff:ffff:: ct count over 1 } counter reject with tcp reset
|
tcp dport 22 ip6 saddr != $ip6-allowlist-ssh add @ip6-connlimit-ssh { ip6 saddr and ffff:ffff:ffff:ffff:ffff:: ct count over 1 } counter reject with tcp reset
|
||||||
|
|
@ -80,7 +91,7 @@ table inet filter {
|
||||||
ct mark set 0x1 accept
|
ct mark set 0x1 accept
|
||||||
}
|
}
|
||||||
|
|
||||||
chain input-loopback {
|
chain input-tcp-service-loopback {
|
||||||
tcp flags != syn accept
|
tcp flags != syn accept
|
||||||
tcp dport 22 ip saddr != $ip-allowlist-ssh add @ip-connlimit-ssh { ip saddr ct count over 1 } counter reject with tcp reset
|
tcp dport 22 ip saddr != $ip-allowlist-ssh add @ip-connlimit-ssh { ip saddr ct count over 1 } counter reject with tcp reset
|
||||||
tcp dport 22 ip6 saddr != $ip6-allowlist-ssh add @ip6-connlimit-ssh { ip6 saddr and ffff:ffff:ffff:ffff:ffff:: ct count over 1 } counter reject with tcp reset
|
tcp dport 22 ip6 saddr != $ip6-allowlist-ssh add @ip6-connlimit-ssh { ip6 saddr and ffff:ffff:ffff:ffff:ffff:: ct count over 1 } counter reject with tcp reset
|
||||||
|
|
|
||||||
|
|
@ -42,10 +42,14 @@ table inet filter {
|
||||||
iif lo notrack accept
|
iif lo notrack accept
|
||||||
|
|
||||||
# drop packets to address not configured on incoming interface (strong host model)
|
# drop packets to address not configured on incoming interface (strong host model)
|
||||||
|
#
|
||||||
|
# ordered after accepting loopback to permit using external IPs via loopback
|
||||||
fib daddr . iif type != { local, broadcast, multicast } counter drop
|
fib daddr . iif type != { local, broadcast, multicast } counter drop
|
||||||
|
|
||||||
|
# handle new TCP connections beyond rate limit via synproxy to avoid conntrack table exhaustion
|
||||||
tcp dport { 22, 80, 443, 7275 } tcp flags syn limit rate 1024/second burst 128 packets accept
|
tcp dport { 22, 80, 443, 7275 } tcp flags syn limit rate 1024/second burst 128 packets accept
|
||||||
tcp dport { 22, 80, 443, 7275 } tcp flags syn counter notrack accept
|
tcp dport { 22, 80, 443, 7275 } tcp flags syn counter notrack accept
|
||||||
|
|
||||||
udp dport 123 notrack accept
|
udp dport 123 notrack accept
|
||||||
meta l4proto { icmp, ipv6-icmp } notrack accept
|
meta l4proto { icmp, ipv6-icmp } notrack accept
|
||||||
}
|
}
|
||||||
|
|
@ -54,20 +58,27 @@ table inet filter {
|
||||||
type filter hook input priority filter
|
type filter hook input priority filter
|
||||||
policy drop
|
policy drop
|
||||||
|
|
||||||
iif lo goto input-loopback
|
tcp dport { 22, 80, 443, 7275 } goto input-tcp-service
|
||||||
|
iif lo accept
|
||||||
udp dport 123 accept
|
udp dport 123 accept
|
||||||
meta l4proto { icmp, ipv6-icmp } accept
|
meta l4proto { icmp, ipv6-icmp } accept
|
||||||
ct state vmap { new : goto input-new, established : goto input-established, related : accept }
|
ct state vmap { new : goto graceful-reject, established : accept, related : accept }
|
||||||
|
}
|
||||||
|
|
||||||
|
chain input-tcp-service {
|
||||||
|
iif lo goto input-tcp-service-loopback
|
||||||
|
|
||||||
|
# for synproxy, SYN is untracked and first ACK is invalid which are handled via fallthrough
|
||||||
|
ct state vmap { new : goto input-tcp-service-new, established : goto input-tcp-service-established, related : accept }
|
||||||
|
|
||||||
tcp dport 22 ip saddr @ip-connlimit-ssh counter reject with tcp reset
|
tcp dport 22 ip saddr @ip-connlimit-ssh counter reject with tcp reset
|
||||||
tcp dport 22 ip6 saddr and ffff:ffff:ffff:ffff:ffff:: @ip6-connlimit-ssh counter reject with tcp reset
|
tcp dport 22 ip6 saddr and ffff:ffff:ffff:ffff:ffff:: @ip6-connlimit-ssh counter reject with tcp reset
|
||||||
tcp dport { 80, 443, 7275 } ip saddr @ip-connlimit-main counter reject with tcp reset
|
tcp dport { 80, 443, 7275 } ip saddr @ip-connlimit-main counter reject with tcp reset
|
||||||
tcp dport { 80, 443, 7275 } ip6 saddr and ffff:ffff:ffff:ffff:: @ip6-connlimit-main counter reject with tcp reset
|
tcp dport { 80, 443, 7275 } ip6 saddr and ffff:ffff:ffff:ffff:: @ip6-connlimit-main counter reject with tcp reset
|
||||||
tcp dport { 22, 80, 443, 7275 } synproxy mss 1460 wscale 7 timestamp sack-perm
|
synproxy mss 1460 wscale 7 timestamp sack-perm
|
||||||
}
|
}
|
||||||
|
|
||||||
chain input-new {
|
chain input-tcp-service-new {
|
||||||
tcp dport != { 22, 80, 443, 7275 } goto graceful-reject
|
|
||||||
tcp dport 22 ip saddr @ip-connlimit-ssh counter reject with tcp reset
|
tcp dport 22 ip saddr @ip-connlimit-ssh counter reject with tcp reset
|
||||||
tcp dport 22 ip6 saddr and ffff:ffff:ffff:ffff:ffff:: @ip6-connlimit-ssh counter reject with tcp reset
|
tcp dport 22 ip6 saddr and ffff:ffff:ffff:ffff:ffff:: @ip6-connlimit-ssh counter reject with tcp reset
|
||||||
tcp dport { 80, 443, 7275 } ip saddr @ip-connlimit-main counter reject with tcp reset
|
tcp dport { 80, 443, 7275 } ip saddr @ip-connlimit-main counter reject with tcp reset
|
||||||
|
|
@ -75,7 +86,7 @@ table inet filter {
|
||||||
accept
|
accept
|
||||||
}
|
}
|
||||||
|
|
||||||
chain input-established {
|
chain input-tcp-service-established {
|
||||||
ct mark 0x1 accept
|
ct mark 0x1 accept
|
||||||
tcp dport 22 ip saddr != $ip-allowlist-ssh add @ip-connlimit-ssh { ip saddr ct count over 1 } counter reject with tcp reset
|
tcp dport 22 ip saddr != $ip-allowlist-ssh add @ip-connlimit-ssh { ip saddr ct count over 1 } counter reject with tcp reset
|
||||||
tcp dport 22 ip6 saddr != $ip6-allowlist-ssh add @ip6-connlimit-ssh { ip6 saddr and ffff:ffff:ffff:ffff:ffff:: ct count over 1 } counter reject with tcp reset
|
tcp dport 22 ip6 saddr != $ip6-allowlist-ssh add @ip6-connlimit-ssh { ip6 saddr and ffff:ffff:ffff:ffff:ffff:: ct count over 1 } counter reject with tcp reset
|
||||||
|
|
@ -84,7 +95,7 @@ table inet filter {
|
||||||
ct mark set 0x1 accept
|
ct mark set 0x1 accept
|
||||||
}
|
}
|
||||||
|
|
||||||
chain input-loopback {
|
chain input-tcp-service-loopback {
|
||||||
tcp flags != syn accept
|
tcp flags != syn accept
|
||||||
tcp dport 22 ip saddr != $ip-allowlist-ssh add @ip-connlimit-ssh { ip saddr ct count over 1 } counter reject with tcp reset
|
tcp dport 22 ip saddr != $ip-allowlist-ssh add @ip-connlimit-ssh { ip saddr ct count over 1 } counter reject with tcp reset
|
||||||
tcp dport 22 ip6 saddr != $ip6-allowlist-ssh add @ip6-connlimit-ssh { ip6 saddr and ffff:ffff:ffff:ffff:ffff:: ct count over 1 } counter reject with tcp reset
|
tcp dport 22 ip6 saddr != $ip6-allowlist-ssh add @ip6-connlimit-ssh { ip6 saddr and ffff:ffff:ffff:ffff:ffff:: ct count over 1 } counter reject with tcp reset
|
||||||
|
|
|
||||||
|
|
@ -40,11 +40,16 @@ table inet filter {
|
||||||
iif lo notrack accept
|
iif lo notrack accept
|
||||||
|
|
||||||
# drop packets to address not configured on incoming interface (strong host model)
|
# drop packets to address not configured on incoming interface (strong host model)
|
||||||
|
#
|
||||||
|
# ordered after accepting loopback to permit using external IPs via loopback
|
||||||
fib daddr . iif type != { local, broadcast, multicast } counter drop
|
fib daddr . iif type != { local, broadcast, multicast } counter drop
|
||||||
|
|
||||||
udp dport 53 notrack accept
|
udp dport 53 notrack accept
|
||||||
|
|
||||||
|
# handle new TCP connections beyond rate limit via synproxy to avoid conntrack table exhaustion
|
||||||
tcp dport { 22, 53, 80, 443, 853 } tcp flags syn limit rate 1024/second burst 128 packets accept
|
tcp dport { 22, 53, 80, 443, 853 } tcp flags syn limit rate 1024/second burst 128 packets accept
|
||||||
tcp dport { 22, 53, 80, 443, 853 } tcp flags syn counter notrack accept
|
tcp dport { 22, 53, 80, 443, 853 } tcp flags syn counter notrack accept
|
||||||
|
|
||||||
meta l4proto { icmp, ipv6-icmp } notrack accept
|
meta l4proto { icmp, ipv6-icmp } notrack accept
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
@ -52,20 +57,27 @@ table inet filter {
|
||||||
type filter hook input priority filter
|
type filter hook input priority filter
|
||||||
policy drop
|
policy drop
|
||||||
|
|
||||||
iif lo goto input-loopback
|
tcp dport { 22, 53, 80, 443, 853 } goto input-tcp-service
|
||||||
|
iif lo accept
|
||||||
udp dport 53 accept
|
udp dport 53 accept
|
||||||
meta l4proto { icmp, ipv6-icmp } accept
|
meta l4proto { icmp, ipv6-icmp } accept
|
||||||
ct state vmap { new : goto input-new, established : goto input-established, related : accept }
|
ct state vmap { new : goto graceful-reject, established : accept, related : accept }
|
||||||
|
}
|
||||||
|
|
||||||
|
chain input-tcp-service {
|
||||||
|
iif lo goto input-tcp-service-loopback
|
||||||
|
|
||||||
|
# for synproxy, SYN is untracked and first ACK is invalid which are handled via fallthrough
|
||||||
|
ct state vmap { new : goto input-tcp-service-new, established : goto input-tcp-service-established, related : accept }
|
||||||
|
|
||||||
tcp dport 22 ip saddr @ip-connlimit-ssh counter reject with tcp reset
|
tcp dport 22 ip saddr @ip-connlimit-ssh counter reject with tcp reset
|
||||||
tcp dport 22 ip6 saddr and ffff:ffff:ffff:ffff:ffff:: @ip6-connlimit-ssh counter reject with tcp reset
|
tcp dport 22 ip6 saddr and ffff:ffff:ffff:ffff:ffff:: @ip6-connlimit-ssh counter reject with tcp reset
|
||||||
tcp dport { 53, 80, 443, 853 } ip saddr @ip-connlimit-main counter reject with tcp reset
|
tcp dport { 53, 80, 443, 853 } ip saddr @ip-connlimit-main counter reject with tcp reset
|
||||||
tcp dport { 53, 80, 443, 853 } ip6 saddr and ffff:ffff:ffff:ffff:: @ip6-connlimit-main counter reject with tcp reset
|
tcp dport { 53, 80, 443, 853 } ip6 saddr and ffff:ffff:ffff:ffff:: @ip6-connlimit-main counter reject with tcp reset
|
||||||
tcp dport { 22, 53, 80, 443, 853 } synproxy mss 1460 wscale 7 timestamp sack-perm
|
synproxy mss 1460 wscale 7 timestamp sack-perm
|
||||||
}
|
}
|
||||||
|
|
||||||
chain input-new {
|
chain input-tcp-service-new {
|
||||||
tcp dport != { 22, 53, 80, 443, 853 } goto graceful-reject
|
|
||||||
tcp dport 22 ip saddr @ip-connlimit-ssh counter reject with tcp reset
|
tcp dport 22 ip saddr @ip-connlimit-ssh counter reject with tcp reset
|
||||||
tcp dport 22 ip6 saddr and ffff:ffff:ffff:ffff:ffff:: @ip6-connlimit-ssh counter reject with tcp reset
|
tcp dport 22 ip6 saddr and ffff:ffff:ffff:ffff:ffff:: @ip6-connlimit-ssh counter reject with tcp reset
|
||||||
tcp dport { 53, 80, 443, 853 } ip saddr @ip-connlimit-main counter reject with tcp reset
|
tcp dport { 53, 80, 443, 853 } ip saddr @ip-connlimit-main counter reject with tcp reset
|
||||||
|
|
@ -73,7 +85,7 @@ table inet filter {
|
||||||
accept
|
accept
|
||||||
}
|
}
|
||||||
|
|
||||||
chain input-established {
|
chain input-tcp-service-established {
|
||||||
ct mark 0x1 accept
|
ct mark 0x1 accept
|
||||||
tcp dport 22 ip saddr != $ip-allowlist-ssh add @ip-connlimit-ssh { ip saddr ct count over 1 } counter reject with tcp reset
|
tcp dport 22 ip saddr != $ip-allowlist-ssh add @ip-connlimit-ssh { ip saddr ct count over 1 } counter reject with tcp reset
|
||||||
tcp dport 22 ip6 saddr != $ip6-allowlist-ssh add @ip6-connlimit-ssh { ip6 saddr and ffff:ffff:ffff:ffff:ffff:: ct count over 1 } counter reject with tcp reset
|
tcp dport 22 ip6 saddr != $ip6-allowlist-ssh add @ip6-connlimit-ssh { ip6 saddr and ffff:ffff:ffff:ffff:ffff:: ct count over 1 } counter reject with tcp reset
|
||||||
|
|
@ -82,7 +94,7 @@ table inet filter {
|
||||||
ct mark set 0x1 accept
|
ct mark set 0x1 accept
|
||||||
}
|
}
|
||||||
|
|
||||||
chain input-loopback {
|
chain input-tcp-service-loopback {
|
||||||
tcp flags != syn accept
|
tcp flags != syn accept
|
||||||
tcp dport 22 ip saddr != $ip-allowlist-ssh add @ip-connlimit-ssh { ip saddr ct count over 1 } counter reject with tcp reset
|
tcp dport 22 ip saddr != $ip-allowlist-ssh add @ip-connlimit-ssh { ip saddr ct count over 1 } counter reject with tcp reset
|
||||||
tcp dport 22 ip6 saddr != $ip6-allowlist-ssh add @ip6-connlimit-ssh { ip6 saddr and ffff:ffff:ffff:ffff:ffff:: ct count over 1 } counter reject with tcp reset
|
tcp dport 22 ip6 saddr != $ip6-allowlist-ssh add @ip6-connlimit-ssh { ip6 saddr and ffff:ffff:ffff:ffff:ffff:: ct count over 1 } counter reject with tcp reset
|
||||||
|
|
|
||||||
|
|
@ -42,14 +42,19 @@ table inet filter {
|
||||||
iif lo notrack accept
|
iif lo notrack accept
|
||||||
|
|
||||||
# drop packets to address not configured on incoming interface (strong host model)
|
# drop packets to address not configured on incoming interface (strong host model)
|
||||||
|
#
|
||||||
|
# ordered after accepting loopback to permit using external IPs via loopback
|
||||||
fib daddr . iif type != { local, broadcast, multicast } counter drop
|
fib daddr . iif type != { local, broadcast, multicast } counter drop
|
||||||
|
|
||||||
# reject SSH packets via anycast IP
|
# reject SSH packets via anycast IP
|
||||||
tcp dport 22 ip daddr 198.251.90.93 reject with tcp reset
|
tcp dport 22 ip daddr 198.251.90.93 reject with tcp reset
|
||||||
|
|
||||||
udp dport 53 notrack accept
|
udp dport 53 notrack accept
|
||||||
|
|
||||||
|
# handle new TCP connections beyond rate limit via synproxy to avoid conntrack table exhaustion
|
||||||
tcp dport { 22, 53, 80, 443, 853 } tcp flags syn limit rate 1024/second burst 128 packets accept
|
tcp dport { 22, 53, 80, 443, 853 } tcp flags syn limit rate 1024/second burst 128 packets accept
|
||||||
tcp dport { 22, 53, 80, 443, 853 } tcp flags syn counter notrack accept
|
tcp dport { 22, 53, 80, 443, 853 } tcp flags syn counter notrack accept
|
||||||
|
|
||||||
meta l4proto { icmp, ipv6-icmp } notrack accept
|
meta l4proto { icmp, ipv6-icmp } notrack accept
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
@ -57,20 +62,27 @@ table inet filter {
|
||||||
type filter hook input priority filter
|
type filter hook input priority filter
|
||||||
policy drop
|
policy drop
|
||||||
|
|
||||||
iif lo goto input-loopback
|
tcp dport { 22, 53, 80, 443, 853 } goto input-tcp-service
|
||||||
|
iif lo accept
|
||||||
udp dport 53 accept
|
udp dport 53 accept
|
||||||
meta l4proto { icmp, ipv6-icmp } accept
|
meta l4proto { icmp, ipv6-icmp } accept
|
||||||
ct state vmap { new : goto input-new, established : goto input-established, related : accept }
|
ct state vmap { new : goto graceful-reject, established : accept, related : accept }
|
||||||
|
}
|
||||||
|
|
||||||
|
chain input-tcp-service {
|
||||||
|
iif lo goto input-tcp-service-loopback
|
||||||
|
|
||||||
|
# for synproxy, SYN is untracked and first ACK is invalid which are handled via fallthrough
|
||||||
|
ct state vmap { new : goto input-tcp-service-new, established : goto input-tcp-service-established, related : accept }
|
||||||
|
|
||||||
tcp dport 22 ip saddr @ip-connlimit-ssh counter reject with tcp reset
|
tcp dport 22 ip saddr @ip-connlimit-ssh counter reject with tcp reset
|
||||||
tcp dport 22 ip6 saddr and ffff:ffff:ffff:ffff:ffff:: @ip6-connlimit-ssh counter reject with tcp reset
|
tcp dport 22 ip6 saddr and ffff:ffff:ffff:ffff:ffff:: @ip6-connlimit-ssh counter reject with tcp reset
|
||||||
tcp dport { 53, 80, 443, 853 } ip saddr @ip-connlimit-main counter reject with tcp reset
|
tcp dport { 53, 80, 443, 853 } ip saddr @ip-connlimit-main counter reject with tcp reset
|
||||||
tcp dport { 53, 80, 443, 853 } ip6 saddr and ffff:ffff:ffff:ffff:: @ip6-connlimit-main counter reject with tcp reset
|
tcp dport { 53, 80, 443, 853 } ip6 saddr and ffff:ffff:ffff:ffff:: @ip6-connlimit-main counter reject with tcp reset
|
||||||
tcp dport { 22, 53, 80, 443, 853 } synproxy mss 1460 wscale 7 timestamp sack-perm
|
synproxy mss 1460 wscale 7 timestamp sack-perm
|
||||||
}
|
}
|
||||||
|
|
||||||
chain input-new {
|
chain input-tcp-service-new {
|
||||||
tcp dport != { 22, 53, 80, 443, 853 } goto graceful-reject
|
|
||||||
tcp dport 22 ip saddr @ip-connlimit-ssh counter reject with tcp reset
|
tcp dport 22 ip saddr @ip-connlimit-ssh counter reject with tcp reset
|
||||||
tcp dport 22 ip6 saddr and ffff:ffff:ffff:ffff:ffff:: @ip6-connlimit-ssh counter reject with tcp reset
|
tcp dport 22 ip6 saddr and ffff:ffff:ffff:ffff:ffff:: @ip6-connlimit-ssh counter reject with tcp reset
|
||||||
tcp dport { 53, 80, 443, 853 } ip saddr @ip-connlimit-main counter reject with tcp reset
|
tcp dport { 53, 80, 443, 853 } ip saddr @ip-connlimit-main counter reject with tcp reset
|
||||||
|
|
@ -78,7 +90,7 @@ table inet filter {
|
||||||
accept
|
accept
|
||||||
}
|
}
|
||||||
|
|
||||||
chain input-established {
|
chain input-tcp-service-established {
|
||||||
ct mark 0x1 accept
|
ct mark 0x1 accept
|
||||||
tcp dport 22 ip saddr != $ip-allowlist-ssh add @ip-connlimit-ssh { ip saddr ct count over 1 } counter reject with tcp reset
|
tcp dport 22 ip saddr != $ip-allowlist-ssh add @ip-connlimit-ssh { ip saddr ct count over 1 } counter reject with tcp reset
|
||||||
tcp dport 22 ip6 saddr != $ip6-allowlist-ssh add @ip6-connlimit-ssh { ip6 saddr and ffff:ffff:ffff:ffff:ffff:: ct count over 1 } counter reject with tcp reset
|
tcp dport 22 ip6 saddr != $ip6-allowlist-ssh add @ip6-connlimit-ssh { ip6 saddr and ffff:ffff:ffff:ffff:ffff:: ct count over 1 } counter reject with tcp reset
|
||||||
|
|
@ -87,7 +99,7 @@ table inet filter {
|
||||||
ct mark set 0x1 accept
|
ct mark set 0x1 accept
|
||||||
}
|
}
|
||||||
|
|
||||||
chain input-loopback {
|
chain input-tcp-service-loopback {
|
||||||
tcp flags != syn accept
|
tcp flags != syn accept
|
||||||
tcp dport 22 ip saddr != $ip-allowlist-ssh add @ip-connlimit-ssh { ip saddr ct count over 1 } counter reject with tcp reset
|
tcp dport 22 ip saddr != $ip-allowlist-ssh add @ip-connlimit-ssh { ip saddr ct count over 1 } counter reject with tcp reset
|
||||||
tcp dport 22 ip6 saddr != $ip6-allowlist-ssh add @ip6-connlimit-ssh { ip6 saddr and ffff:ffff:ffff:ffff:ffff:: ct count over 1 } counter reject with tcp reset
|
tcp dport 22 ip6 saddr != $ip6-allowlist-ssh add @ip6-connlimit-ssh { ip6 saddr and ffff:ffff:ffff:ffff:ffff:: ct count over 1 } counter reject with tcp reset
|
||||||
|
|
|
||||||
|
|
@ -40,10 +40,14 @@ table inet filter {
|
||||||
iif lo notrack accept
|
iif lo notrack accept
|
||||||
|
|
||||||
# drop packets to address not configured on incoming interface (strong host model)
|
# drop packets to address not configured on incoming interface (strong host model)
|
||||||
|
#
|
||||||
|
# ordered after accepting loopback to permit using external IPs via loopback
|
||||||
fib daddr . iif type != { local, broadcast, multicast } counter drop
|
fib daddr . iif type != { local, broadcast, multicast } counter drop
|
||||||
|
|
||||||
|
# handle new TCP connections beyond rate limit via synproxy to avoid conntrack table exhaustion
|
||||||
tcp dport { 22, 80, 443 } tcp flags syn limit rate 1024/second burst 128 packets accept
|
tcp dport { 22, 80, 443 } tcp flags syn limit rate 1024/second burst 128 packets accept
|
||||||
tcp dport { 22, 80, 443 } tcp flags syn counter notrack accept
|
tcp dport { 22, 80, 443 } tcp flags syn counter notrack accept
|
||||||
|
|
||||||
meta l4proto { icmp, ipv6-icmp } notrack accept
|
meta l4proto { icmp, ipv6-icmp } notrack accept
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
@ -51,19 +55,26 @@ table inet filter {
|
||||||
type filter hook input priority filter
|
type filter hook input priority filter
|
||||||
policy drop
|
policy drop
|
||||||
|
|
||||||
iif lo goto input-loopback
|
tcp dport { 22, 80, 443 } goto input-tcp-service
|
||||||
|
iif lo accept
|
||||||
meta l4proto { icmp, ipv6-icmp } accept
|
meta l4proto { icmp, ipv6-icmp } accept
|
||||||
ct state vmap { new : goto input-new, established : goto input-established, related : accept }
|
ct state vmap { new : goto graceful-reject, established : accept, related : accept }
|
||||||
|
}
|
||||||
|
|
||||||
|
chain input-tcp-service {
|
||||||
|
iif lo goto input-tcp-service-loopback
|
||||||
|
|
||||||
|
# for synproxy, SYN is untracked and first ACK is invalid which are handled via fallthrough
|
||||||
|
ct state vmap { new : goto input-tcp-service-new, established : goto input-tcp-service-established, related : accept }
|
||||||
|
|
||||||
tcp dport 22 ip saddr @ip-connlimit-ssh counter reject with tcp reset
|
tcp dport 22 ip saddr @ip-connlimit-ssh counter reject with tcp reset
|
||||||
tcp dport 22 ip6 saddr and ffff:ffff:ffff:ffff:ffff:: @ip6-connlimit-ssh counter reject with tcp reset
|
tcp dport 22 ip6 saddr and ffff:ffff:ffff:ffff:ffff:: @ip6-connlimit-ssh counter reject with tcp reset
|
||||||
tcp dport { 80, 443 } ip saddr @ip-connlimit-main counter reject with tcp reset
|
tcp dport { 80, 443 } ip saddr @ip-connlimit-main counter reject with tcp reset
|
||||||
tcp dport { 80, 443 } ip6 saddr and ffff:ffff:ffff:ffff:: @ip6-connlimit-main counter reject with tcp reset
|
tcp dport { 80, 443 } ip6 saddr and ffff:ffff:ffff:ffff:: @ip6-connlimit-main counter reject with tcp reset
|
||||||
tcp dport { 22, 80, 443 } synproxy mss 1460 wscale 7 timestamp sack-perm
|
synproxy mss 1460 wscale 7 timestamp sack-perm
|
||||||
}
|
}
|
||||||
|
|
||||||
chain input-new {
|
chain input-tcp-service-new {
|
||||||
tcp dport != { 22, 80, 443 } goto graceful-reject
|
|
||||||
tcp dport 22 ip saddr @ip-connlimit-ssh counter reject with tcp reset
|
tcp dport 22 ip saddr @ip-connlimit-ssh counter reject with tcp reset
|
||||||
tcp dport 22 ip6 saddr and ffff:ffff:ffff:ffff:ffff:: @ip6-connlimit-ssh counter reject with tcp reset
|
tcp dport 22 ip6 saddr and ffff:ffff:ffff:ffff:ffff:: @ip6-connlimit-ssh counter reject with tcp reset
|
||||||
tcp dport { 80, 443 } ip saddr @ip-connlimit-main counter reject with tcp reset
|
tcp dport { 80, 443 } ip saddr @ip-connlimit-main counter reject with tcp reset
|
||||||
|
|
@ -71,7 +82,7 @@ table inet filter {
|
||||||
accept
|
accept
|
||||||
}
|
}
|
||||||
|
|
||||||
chain input-established {
|
chain input-tcp-service-established {
|
||||||
ct mark 0x1 accept
|
ct mark 0x1 accept
|
||||||
tcp dport 22 ip saddr != $ip-allowlist-ssh add @ip-connlimit-ssh { ip saddr ct count over 1 } counter reject with tcp reset
|
tcp dport 22 ip saddr != $ip-allowlist-ssh add @ip-connlimit-ssh { ip saddr ct count over 1 } counter reject with tcp reset
|
||||||
tcp dport 22 ip6 saddr != $ip6-allowlist-ssh add @ip6-connlimit-ssh { ip6 saddr and ffff:ffff:ffff:ffff:ffff:: ct count over 1 } counter reject with tcp reset
|
tcp dport 22 ip6 saddr != $ip6-allowlist-ssh add @ip6-connlimit-ssh { ip6 saddr and ffff:ffff:ffff:ffff:ffff:: ct count over 1 } counter reject with tcp reset
|
||||||
|
|
@ -80,7 +91,7 @@ table inet filter {
|
||||||
ct mark set 0x1 accept
|
ct mark set 0x1 accept
|
||||||
}
|
}
|
||||||
|
|
||||||
chain input-loopback {
|
chain input-tcp-service-loopback {
|
||||||
tcp flags != syn accept
|
tcp flags != syn accept
|
||||||
tcp dport 22 ip saddr != $ip-allowlist-ssh add @ip-connlimit-ssh { ip saddr ct count over 1 } counter reject with tcp reset
|
tcp dport 22 ip saddr != $ip-allowlist-ssh add @ip-connlimit-ssh { ip saddr ct count over 1 } counter reject with tcp reset
|
||||||
tcp dport 22 ip6 saddr != $ip6-allowlist-ssh add @ip6-connlimit-ssh { ip6 saddr and ffff:ffff:ffff:ffff:ffff:: ct count over 1 } counter reject with tcp reset
|
tcp dport 22 ip6 saddr != $ip6-allowlist-ssh add @ip6-connlimit-ssh { ip6 saddr and ffff:ffff:ffff:ffff:ffff:: ct count over 1 } counter reject with tcp reset
|
||||||
|
|
|
||||||
|
|
@ -44,10 +44,14 @@ table inet filter {
|
||||||
iif lo notrack accept
|
iif lo notrack accept
|
||||||
|
|
||||||
# drop packets to address not configured on incoming interface (strong host model)
|
# drop packets to address not configured on incoming interface (strong host model)
|
||||||
|
#
|
||||||
|
# ordered after accepting loopback to permit using external IPs via loopback
|
||||||
fib daddr . iif type != { local, broadcast, multicast } counter drop
|
fib daddr . iif type != { local, broadcast, multicast } counter drop
|
||||||
|
|
||||||
|
# handle new TCP connections beyond rate limit via synproxy to avoid conntrack table exhaustion
|
||||||
tcp dport { 22, 80, 443 } tcp flags syn limit rate 1024/second burst 128 packets accept
|
tcp dport { 22, 80, 443 } tcp flags syn limit rate 1024/second burst 128 packets accept
|
||||||
tcp dport { 22, 80, 443 } tcp flags syn counter notrack accept
|
tcp dport { 22, 80, 443 } tcp flags syn counter notrack accept
|
||||||
|
|
||||||
meta l4proto { icmp, ipv6-icmp } notrack accept
|
meta l4proto { icmp, ipv6-icmp } notrack accept
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
@ -55,19 +59,26 @@ table inet filter {
|
||||||
type filter hook input priority filter
|
type filter hook input priority filter
|
||||||
policy drop
|
policy drop
|
||||||
|
|
||||||
iif lo goto input-loopback
|
tcp dport { 22, 80, 443 } goto input-tcp-service
|
||||||
|
iif lo accept
|
||||||
meta l4proto { icmp, ipv6-icmp } accept
|
meta l4proto { icmp, ipv6-icmp } accept
|
||||||
ct state vmap { new : goto input-new, established : goto input-established, related : accept }
|
ct state vmap { new : goto graceful-reject, established : accept, related : accept }
|
||||||
|
}
|
||||||
|
|
||||||
|
chain input-tcp-service {
|
||||||
|
iif lo goto input-tcp-service-loopback
|
||||||
|
|
||||||
|
# for synproxy, SYN is untracked and first ACK is invalid which are handled via fallthrough
|
||||||
|
ct state vmap { new : goto input-tcp-service-new, established : goto input-tcp-service-established, related : accept }
|
||||||
|
|
||||||
tcp dport 22 ip saddr @ip-connlimit-ssh counter reject with tcp reset
|
tcp dport 22 ip saddr @ip-connlimit-ssh counter reject with tcp reset
|
||||||
tcp dport 22 ip6 saddr and ffff:ffff:ffff:ffff:ffff:: @ip6-connlimit-ssh counter reject with tcp reset
|
tcp dport 22 ip6 saddr and ffff:ffff:ffff:ffff:ffff:: @ip6-connlimit-ssh counter reject with tcp reset
|
||||||
tcp dport { 80, 443 } ip saddr @ip-connlimit-main counter reject with tcp reset
|
tcp dport { 80, 443 } ip saddr @ip-connlimit-main counter reject with tcp reset
|
||||||
tcp dport { 80, 443 } ip6 saddr and ffff:ffff:ffff:ffff:: @ip6-connlimit-main counter reject with tcp reset
|
tcp dport { 80, 443 } ip6 saddr and ffff:ffff:ffff:ffff:: @ip6-connlimit-main counter reject with tcp reset
|
||||||
tcp dport { 22, 80, 443 } synproxy mss 1460 wscale 7 timestamp sack-perm
|
synproxy mss 1460 wscale 7 timestamp sack-perm
|
||||||
}
|
}
|
||||||
|
|
||||||
chain input-new {
|
chain input-tcp-service-new {
|
||||||
tcp dport != { 22, 80, 443 } goto graceful-reject
|
|
||||||
tcp dport 22 ip saddr @ip-connlimit-ssh counter reject with tcp reset
|
tcp dport 22 ip saddr @ip-connlimit-ssh counter reject with tcp reset
|
||||||
tcp dport 22 ip6 saddr and ffff:ffff:ffff:ffff:ffff:: @ip6-connlimit-ssh counter reject with tcp reset
|
tcp dport 22 ip6 saddr and ffff:ffff:ffff:ffff:ffff:: @ip6-connlimit-ssh counter reject with tcp reset
|
||||||
tcp dport { 80, 443 } ip saddr @ip-connlimit-main counter reject with tcp reset
|
tcp dport { 80, 443 } ip saddr @ip-connlimit-main counter reject with tcp reset
|
||||||
|
|
@ -75,7 +86,7 @@ table inet filter {
|
||||||
accept
|
accept
|
||||||
}
|
}
|
||||||
|
|
||||||
chain input-established {
|
chain input-tcp-service-established {
|
||||||
ct mark 0x1 accept
|
ct mark 0x1 accept
|
||||||
tcp dport 22 ip saddr != $ip-allowlist-ssh add @ip-connlimit-ssh { ip saddr ct count over 1 } counter reject with tcp reset
|
tcp dport 22 ip saddr != $ip-allowlist-ssh add @ip-connlimit-ssh { ip saddr ct count over 1 } counter reject with tcp reset
|
||||||
tcp dport 22 ip6 saddr != $ip6-allowlist-ssh add @ip6-connlimit-ssh { ip6 saddr and ffff:ffff:ffff:ffff:ffff:: ct count over 1 } counter reject with tcp reset
|
tcp dport 22 ip6 saddr != $ip6-allowlist-ssh add @ip6-connlimit-ssh { ip6 saddr and ffff:ffff:ffff:ffff:ffff:: ct count over 1 } counter reject with tcp reset
|
||||||
|
|
@ -84,7 +95,7 @@ table inet filter {
|
||||||
ct mark set 0x1 accept
|
ct mark set 0x1 accept
|
||||||
}
|
}
|
||||||
|
|
||||||
chain input-loopback {
|
chain input-tcp-service-loopback {
|
||||||
tcp flags != syn accept
|
tcp flags != syn accept
|
||||||
tcp dport 22 ip saddr != $ip-allowlist-ssh add @ip-connlimit-ssh { ip saddr ct count over 1 } counter reject with tcp reset
|
tcp dport 22 ip saddr != $ip-allowlist-ssh add @ip-connlimit-ssh { ip saddr ct count over 1 } counter reject with tcp reset
|
||||||
tcp dport 22 ip6 saddr != $ip6-allowlist-ssh add @ip6-connlimit-ssh { ip6 saddr and ffff:ffff:ffff:ffff:ffff:: ct count over 1 } counter reject with tcp reset
|
tcp dport 22 ip6 saddr != $ip6-allowlist-ssh add @ip6-connlimit-ssh { ip6 saddr and ffff:ffff:ffff:ffff:ffff:: ct count over 1 } counter reject with tcp reset
|
||||||
|
|
|
||||||
Loading…
Reference in New Issue