nftables: move rate limit above established connections
This commit is contained in:
parent
7dfc942338
commit
4f17266b0b
@ -2,6 +2,7 @@
|
|||||||
|
|
||||||
env:
|
env:
|
||||||
TERM: alacritty
|
TERM: alacritty
|
||||||
|
# TERM: xterm-256color
|
||||||
|
|
||||||
window:
|
window:
|
||||||
padding:
|
padding:
|
||||||
|
@ -1,19 +1,31 @@
|
|||||||
#!/sbin/nft -f
|
#!/sbin/nft -f
|
||||||
|
|
||||||
|
# --------------------------------------------------------------------------------- #
|
||||||
|
|
||||||
# References:
|
# References:
|
||||||
# https://wiki.nftables.org/wiki-nftables/index.php/Main_Page
|
# https://wiki.nftables.org/wiki-nftables/index.php/Main_Page
|
||||||
# https://wiki.gentoo.org/wiki/Nftables/Examples
|
# https://wiki.gentoo.org/wiki/Nftables/Examples
|
||||||
# https://wiki.archlinux.org/title/Nftables
|
# https://wiki.archlinux.org/title/Nftables
|
||||||
# https://github.com/krabelize/nftables-firewall-config/blob/master/nftables.conf
|
# https://github.com/krabelize/nftables-firewall-config/blob/master/nftables.conf
|
||||||
# https://github.com/atweiden/archvault/blob/master/resources/etc/nftables.conf
|
# https://github.com/atweiden/archvault/blob/master/resources/etc/nftables.conf
|
||||||
|
# https://xdeb.org/post/2019/09/26/setting-up-a-server-firewall-with-nftables-that-support-wireguard-vpn/
|
||||||
|
|
||||||
# Libvirt:
|
# Libvirt:
|
||||||
# https://libvirt.org/firewall.html
|
# https://libvirt.org/firewall.html
|
||||||
|
|
||||||
|
# Notes:
|
||||||
|
# - "limit" rules need to be put before "established" connections
|
||||||
|
# - use sets for groups of things (eg. IP, ports, ...)
|
||||||
|
# - explicitly allow IPv6 ICMP if do not have "policy accept" on the outgoing chain
|
||||||
|
# - hook order: ingress -> prerouting -> input/output/forward -> postrouting
|
||||||
|
# - "iif" should be use when possible (for persistent interfaces) since it is faster than "iifname"
|
||||||
|
|
||||||
|
# --------------------------------------------------------------------------------- #
|
||||||
|
|
||||||
flush ruleset
|
flush ruleset
|
||||||
|
|
||||||
# TCP ports to accept (both IPv4 and IPv6)
|
# TCP ports to accept (both IPv4 and IPv6)
|
||||||
#define ACCEPT_TCP_PORTS = {}
|
#define ACCEPT_TCP_PORTS = { 80, 443, 1965 }
|
||||||
|
|
||||||
# UDP ports to accept (both IPv4 and IPv6)
|
# UDP ports to accept (both IPv4 and IPv6)
|
||||||
#define ACCEPT_UDP_PORTS = {}
|
#define ACCEPT_UDP_PORTS = {}
|
||||||
@ -38,23 +50,15 @@ table inet filter {
|
|||||||
chain input {
|
chain input {
|
||||||
type filter hook input priority 0; policy drop;
|
type filter hook input priority 0; policy drop;
|
||||||
|
|
||||||
|
# Drop invalid packets early
|
||||||
ct state invalid counter drop
|
ct state invalid counter drop
|
||||||
ct state { established, related } counter accept
|
|
||||||
ct status dnat accept
|
|
||||||
|
|
||||||
iif lo accept
|
# Drop none SYN packets
|
||||||
iif != lo ip daddr 127.0.0.1/8 counter drop
|
#tcp flags & (fin|syn|rst|ack) != syn ct state new counter drop
|
||||||
iif != lo ip6 daddr ::1/128 counter drop
|
|
||||||
|
|
||||||
counter jump libvirt_input
|
|
||||||
|
|
||||||
# Reject AUTH to make it fail fast
|
# Reject AUTH to make it fail fast
|
||||||
tcp dport 113 reject with icmpx type port-unreachable
|
tcp dport 113 reject with icmpx type port-unreachable
|
||||||
|
|
||||||
# Accept user-defined ports
|
|
||||||
#tcp dport $ACCEPT_TCP_PORTS counter accept
|
|
||||||
#udp dport $ACCEPT_UDP_PORTS counter accept
|
|
||||||
|
|
||||||
# Rate limit on SSH port
|
# Rate limit on SSH port
|
||||||
#tcp dport ssh ct state new limit rate 6/minute accept
|
#tcp dport ssh ct state new limit rate 6/minute accept
|
||||||
|
|
||||||
@ -62,6 +66,20 @@ table inet filter {
|
|||||||
ip protocol icmp icmp type { echo-reply, echo-request } limit rate over 1/second burst 4 packets drop
|
ip protocol icmp icmp type { echo-reply, echo-request } limit rate over 1/second burst 4 packets drop
|
||||||
ip6 nexthdr icmpv6 icmpv6 type { echo-reply, echo-request } limit rate over 1/second burst 4 packets drop
|
ip6 nexthdr icmpv6 icmpv6 type { echo-reply, echo-request } limit rate over 1/second burst 4 packets drop
|
||||||
|
|
||||||
|
ct state { established, related } counter accept
|
||||||
|
ct status dnat accept
|
||||||
|
|
||||||
|
# Allow loopback from host
|
||||||
|
iif lo accept
|
||||||
|
iif != lo ip daddr 127.0.0.1/8 counter drop
|
||||||
|
iif != lo ip6 daddr ::1/128 counter drop
|
||||||
|
|
||||||
|
counter jump libvirt_input
|
||||||
|
|
||||||
|
# Accept user-defined ports
|
||||||
|
#tcp dport $ACCEPT_TCP_PORTS ct state new counter accept
|
||||||
|
#udp dport $ACCEPT_UDP_PORTS ct state new counter accept
|
||||||
|
|
||||||
# Accept ICMPv4
|
# Accept ICMPv4
|
||||||
ip protocol icmp icmp type {
|
ip protocol icmp icmp type {
|
||||||
echo-reply,
|
echo-reply,
|
||||||
|
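Review bot: Moving the ICMP rate limiters above `ct state { established, related } counter accept` also places them, together with the port-113 reject, ahead of `iif lo accept` on the new side of the last hunk, so the host's own loopback echo traffic is now subject to `limit rate over 1/second burst 4 packets drop` and loopback connections to port 113 are rejected, neither of which the previous ordering did. Placing `iif lo accept` directly after `ct state invalid counter drop` (before the reject and the limiters) preserves the commit's intent of evaluating limits before established-state traffic while exempting loopback; the two `iif != lo` anti-spoof drops can stay where they are. It is also worth a comment above the two limiter lines that `limit rate over` without a per-source meter is one shared bucket, so a single remote sender exceeding the rate causes echo packets from every source to be dropped, and that this now applies to replies for the host's own outgoing pings as well; this behaviour predates the commit but the new position makes it more consequential. In the Notes block of the first hunk, `"iif" should be use when possible` reads better as `"iif" should be used when possible`. The `chain input` block begins in the second hunk and continues past the end of the third.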