Compare commits
3 Commits
d369f159a9
...
ee62868a7b
Author | SHA1 | Date |
---|---|---|
Daniel Micay | ee62868a7b | |
Daniel Micay | 965bc4f951 | |
Daniel Micay | 5ba6cbd3d1 |
|
@ -47,16 +47,14 @@ table inet filter {
|
|||
policy drop
|
||||
|
||||
tcp dport { 22, 80, 443 } goto input-tcp-service
|
||||
iif lo accept
|
||||
meta l4proto { icmp, ipv6-icmp } accept
|
||||
ct state vmap { new : drop, established : accept, related : accept }
|
||||
ct state vmap { invalid : drop, established : accept, related : accept, new : drop, untracked: accept }
|
||||
}
|
||||
|
||||
chain input-tcp-service {
|
||||
iif lo goto input-tcp-service-loopback
|
||||
|
||||
# for synproxy, SYN is untracked and first ACK is invalid which are handled via fallthrough
|
||||
ct state vmap { new : goto input-tcp-service-new, established : goto input-tcp-service-established, related : accept }
|
||||
ct state vmap { established : goto input-tcp-service-established, related : accept, new : goto input-tcp-service-new }
|
||||
|
||||
tcp dport 22 ip saddr @ip-connlimit-ssh counter reject with tcp reset
|
||||
tcp dport 22 ip6 saddr and ffff:ffff:ffff:ffff:ffff:: @ip6-connlimit-ssh counter reject with tcp reset
|
||||
|
|
|
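Review bot: `untracked : accept` in the new input-chain vmap (`ct state vmap { invalid : drop, established : accept, related : accept, new : drop, untracked: accept }`) accepts any untracked packet on any port, not only the synproxy SYNs the comment further down describes; the rendered page has lost the `+`/`-` column, but the hunk header's 16→14 count and the comment's mention of untracked state make this read as the new side. Whether that is safe depends on the `notrack` rule in the raw/prerouting chain, which is outside this hunk: if it is scoped to the service ports those packets already branch to `input-tcp-service` on the line above and the entry is effectively dead, while a broader `notrack` would make it a blanket accept, so either narrow it or record the assumption with a comment such as `# untracked only arises from the synproxy notrack rule for the service ports; keep in sync with the prerouting chain`. The entry is also spaced `untracked: accept` unlike the other keys; `untracked : accept` matches the rest of the map. The input chain begins before this hunk and `input-tcp-service` continues past it, so the fallthrough rules the comment relies on are not visible here. The same two-line vmap change is repeated verbatim in the eight following file sections and the same remarks apply there.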
@ -47,16 +47,14 @@ table inet filter {
|
|||
policy drop
|
||||
|
||||
tcp dport { 22, 80, 443 } goto input-tcp-service
|
||||
iif lo accept
|
||||
meta l4proto { icmp, ipv6-icmp } accept
|
||||
ct state vmap { new : drop, established : accept, related : accept }
|
||||
ct state vmap { invalid : drop, established : accept, related : accept, new : drop, untracked: accept }
|
||||
}
|
||||
|
||||
chain input-tcp-service {
|
||||
iif lo goto input-tcp-service-loopback
|
||||
|
||||
# for synproxy, SYN is untracked and first ACK is invalid which are handled via fallthrough
|
||||
ct state vmap { new : goto input-tcp-service-new, established : goto input-tcp-service-established, related : accept }
|
||||
ct state vmap { established : goto input-tcp-service-established, related : accept, new : goto input-tcp-service-new }
|
||||
|
||||
tcp dport 22 ip saddr @ip-connlimit-ssh counter reject with tcp reset
|
||||
tcp dport 22 ip6 saddr and ffff:ffff:ffff:ffff:ffff:: @ip6-connlimit-ssh counter reject with tcp reset
|
||||
|
|
|
@ -59,16 +59,14 @@ table inet filter {
|
|||
policy drop
|
||||
|
||||
tcp dport { 22, 25, 80, 443, 465, 993 } goto input-tcp-service
|
||||
iif lo accept
|
||||
meta l4proto { icmp, ipv6-icmp } accept
|
||||
ct state vmap { new : drop, established : accept, related : accept }
|
||||
ct state vmap { invalid : drop, established : accept, related : accept, new : drop, untracked: accept }
|
||||
}
|
||||
|
||||
chain input-tcp-service {
|
||||
iif lo goto input-tcp-service-loopback
|
||||
|
||||
# for synproxy, SYN is untracked and first ACK is invalid which are handled via fallthrough
|
||||
ct state vmap { new : goto input-tcp-service-new, established : goto input-tcp-service-established, related : accept }
|
||||
ct state vmap { established : goto input-tcp-service-established, related : accept, new : goto input-tcp-service-new }
|
||||
|
||||
tcp dport 22 ip saddr @ip-connlimit-ssh counter reject with tcp reset
|
||||
tcp dport 22 ip6 saddr and ffff:ffff:ffff:ffff:ffff:: @ip6-connlimit-ssh counter reject with tcp reset
|
||||
|
|
|
@ -47,16 +47,14 @@ table inet filter {
|
|||
policy drop
|
||||
|
||||
tcp dport { 22, 80, 443 } goto input-tcp-service
|
||||
iif lo accept
|
||||
meta l4proto { icmp, ipv6-icmp } accept
|
||||
ct state vmap { new : drop, established : accept, related : accept }
|
||||
ct state vmap { invalid : drop, established : accept, related : accept, new : drop, untracked: accept }
|
||||
}
|
||||
|
||||
chain input-tcp-service {
|
||||
iif lo goto input-tcp-service-loopback
|
||||
|
||||
# for synproxy, SYN is untracked and first ACK is invalid which are handled via fallthrough
|
||||
ct state vmap { new : goto input-tcp-service-new, established : goto input-tcp-service-established, related : accept }
|
||||
ct state vmap { established : goto input-tcp-service-established, related : accept, new : goto input-tcp-service-new }
|
||||
|
||||
tcp dport 22 ip saddr @ip-connlimit-ssh counter reject with tcp reset
|
||||
tcp dport 22 ip6 saddr and ffff:ffff:ffff:ffff:ffff:: @ip6-connlimit-ssh counter reject with tcp reset
|
||||
|
|
|
@ -56,17 +56,14 @@ table inet filter {
|
|||
policy drop
|
||||
|
||||
tcp dport { 22, 80, 443, 7275 } goto input-tcp-service
|
||||
iif lo accept
|
||||
udp dport 123 accept
|
||||
meta l4proto { icmp, ipv6-icmp } accept
|
||||
ct state vmap { new : drop, established : accept, related : accept }
|
||||
ct state vmap { invalid : drop, established : accept, related : accept, new : drop, untracked: accept }
|
||||
}
|
||||
|
||||
chain input-tcp-service {
|
||||
iif lo goto input-tcp-service-loopback
|
||||
|
||||
# for synproxy, SYN is untracked and first ACK is invalid which are handled via fallthrough
|
||||
ct state vmap { new : goto input-tcp-service-new, established : goto input-tcp-service-established, related : accept }
|
||||
ct state vmap { established : goto input-tcp-service-established, related : accept, new : goto input-tcp-service-new }
|
||||
|
||||
tcp dport 22 ip saddr @ip-connlimit-ssh counter reject with tcp reset
|
||||
tcp dport 22 ip6 saddr and ffff:ffff:ffff:ffff:ffff:: @ip6-connlimit-ssh counter reject with tcp reset
|
||||
|
|
|
@ -49,17 +49,14 @@ table inet filter {
|
|||
policy drop
|
||||
|
||||
tcp dport { 22, 53, 80, 443, 853 } goto input-tcp-service
|
||||
iif lo accept
|
||||
udp dport 53 accept
|
||||
meta l4proto { icmp, ipv6-icmp } accept
|
||||
ct state vmap { new : drop, established : accept, related : accept }
|
||||
ct state vmap { invalid : drop, established : accept, related : accept, new : drop, untracked: accept }
|
||||
}
|
||||
|
||||
chain input-tcp-service {
|
||||
iif lo goto input-tcp-service-loopback
|
||||
|
||||
# for synproxy, SYN is untracked and first ACK is invalid which are handled via fallthrough
|
||||
ct state vmap { new : goto input-tcp-service-new, established : goto input-tcp-service-established, related : accept }
|
||||
ct state vmap { established : goto input-tcp-service-established, related : accept, new : goto input-tcp-service-new }
|
||||
|
||||
tcp dport 22 ip saddr @ip-connlimit-ssh counter reject with tcp reset
|
||||
tcp dport 22 ip6 saddr and ffff:ffff:ffff:ffff:ffff:: @ip6-connlimit-ssh counter reject with tcp reset
|
||||
|
|
|
@ -61,17 +61,14 @@ table inet filter {
|
|||
policy drop
|
||||
|
||||
tcp dport { 22, 53, 80, 443, 853 } goto input-tcp-service
|
||||
iif lo accept
|
||||
udp dport 53 accept
|
||||
meta l4proto { icmp, ipv6-icmp } accept
|
||||
ct state vmap { new : drop, established : accept, related : accept }
|
||||
ct state vmap { invalid : drop, established : accept, related : accept, new : drop, untracked: accept }
|
||||
}
|
||||
|
||||
chain input-tcp-service {
|
||||
iif lo goto input-tcp-service-loopback
|
||||
|
||||
# for synproxy, SYN is untracked and first ACK is invalid which are handled via fallthrough
|
||||
ct state vmap { new : goto input-tcp-service-new, established : goto input-tcp-service-established, related : accept }
|
||||
ct state vmap { established : goto input-tcp-service-established, related : accept, new : goto input-tcp-service-new }
|
||||
|
||||
tcp dport 22 ip saddr @ip-connlimit-ssh counter reject with tcp reset
|
||||
tcp dport 22 ip6 saddr and ffff:ffff:ffff:ffff:ffff:: @ip6-connlimit-ssh counter reject with tcp reset
|
||||
|
|
|
@ -47,16 +47,14 @@ table inet filter {
|
|||
policy drop
|
||||
|
||||
tcp dport { 22, 80, 443 } goto input-tcp-service
|
||||
iif lo accept
|
||||
meta l4proto { icmp, ipv6-icmp } accept
|
||||
ct state vmap { new : drop, established : accept, related : accept }
|
||||
ct state vmap { invalid : drop, established : accept, related : accept, new : drop, untracked: accept }
|
||||
}
|
||||
|
||||
chain input-tcp-service {
|
||||
iif lo goto input-tcp-service-loopback
|
||||
|
||||
# for synproxy, SYN is untracked and first ACK is invalid which are handled via fallthrough
|
||||
ct state vmap { new : goto input-tcp-service-new, established : goto input-tcp-service-established, related : accept }
|
||||
ct state vmap { established : goto input-tcp-service-established, related : accept, new : goto input-tcp-service-new }
|
||||
|
||||
tcp dport 22 ip saddr @ip-connlimit-ssh counter reject with tcp reset
|
||||
tcp dport 22 ip6 saddr and ffff:ffff:ffff:ffff:ffff:: @ip6-connlimit-ssh counter reject with tcp reset
|
||||
|
|
|
@ -57,16 +57,14 @@ table inet filter {
|
|||
policy drop
|
||||
|
||||
tcp dport { 22, 80, 443 } goto input-tcp-service
|
||||
iif lo accept
|
||||
meta l4proto { icmp, ipv6-icmp } accept
|
||||
ct state vmap { new : drop, established : accept, related : accept }
|
||||
ct state vmap { invalid : drop, established : accept, related : accept, new : drop, untracked: accept }
|
||||
}
|
||||
|
||||
chain input-tcp-service {
|
||||
iif lo goto input-tcp-service-loopback
|
||||
|
||||
# for synproxy, SYN is untracked and first ACK is invalid which are handled via fallthrough
|
||||
ct state vmap { new : goto input-tcp-service-new, established : goto input-tcp-service-established, related : accept }
|
||||
ct state vmap { established : goto input-tcp-service-established, related : accept, new : goto input-tcp-service-new }
|
||||
|
||||
tcp dport 22 ip saddr @ip-connlimit-ssh counter reject with tcp reset
|
||||
tcp dport 22 ip6 saddr and ffff:ffff:ffff:ffff:ffff:: @ip6-connlimit-ssh counter reject with tcp reset
|
||||
|
|