1 files changed, 115 insertions, 0 deletions
diff --git a/files/files/etc/ruleset.nft b/files/files/etc/ruleset.nft
new file mode 100644
index 0000000..7767eb6
--- /dev/null
+++ b/files/files/etc/ruleset.nft
@@ -0,0 +1,115 @@
+define icmp_protos = { ipv6-icmp, icmp, igmp }
+table inet filter {
+  counter icmp-ratelimit-fw {}
+  counter icmp-fw {}
+  counter invalid-fw {}
+  counter fw-lo {}
+  counter reject-ratelimit-fw {}
+  counter reject-fw {}
+  counter reject-tcp-fw {}
+  counter reject-icmp-fw {}
+  counter invalid-rx {}
+  counter rx-lo {}
+  counter invalid-local4-rx {}
+  counter invalid-local6-rx {}
+  counter icmp-ratelimit-rx {}
+  counter icmp-rx {}
+  counter ssh-rx {}
+  counter prometheus-rx {}
+  counter established-rx {}
+  counter reject-ratelimit-rx {}
+  counter reject-rx {}
+  counter reject-tcp-rx {}
+  counter reject-icmp-rx {}
+  counter tx-lo {}
+  counter icmp-ratelimit-tx {}
+  counter icmp-tx {}
+  counter ssh-tx {}
+  counter prometheus-tx {}
+  counter tx {}
+  chain forward {
+    type filter hook forward priority filter
+    policy drop
+    ct state invalid log level debug prefix "drop invalid forward: " counter name invalid-fw drop
+    iifname lo counter name fw-lo accept
+    meta l4proto $icmp_protos limit name lim_icmp counter name icmp-ratelimit-fw drop
+    meta l4proto $icmp_protos counter name icmp-fw accept
+    limit name lim_reject log level debug prefix "drop forward: " counter name reject-ratelimit-fw drop
+    log level debug prefix "reject forward: " counter name reject-fw
+    meta l4proto tcp ct state new counter name reject-tcp-fw reject with tcp reset
+    ct state new counter name reject-icmp-fw reject
+  }
+  chain input {
+    type filter hook input priority filter
+    policy drop
+    ct state invalid log level debug prefix "drop invalid input: " counter name invalid-rx drop
+    iifname lo counter name rx-lo accept
+    iif != lo ip daddr 127.0.0.1/8 counter name invalid-local4-rx reject
+    iif != lo ip6 daddr ::1/128 counter name invalid-local6-rx reject
+    meta l4proto $icmp_protos limit name lim_icmp counter name icmp-ratelimit-rx drop
+    meta l4proto $icmp_protos counter name icmp-rx accept
+    iifname mgmt tcp dport 22 counter name ssh-rx accept
+    iifname mgmt tcp dport 9100 counter name prometheus-rx accept
+    ct state {established, related} counter name established-rx accept
+    limit name lim_reject log level debug prefix "drop input: " counter name reject-ratelimit-rx drop
+    log level debug prefix "reject input: " counter name reject-rx
+    meta l4proto tcp ct state new counter name reject-tcp-rx reject with tcp reset
+    ct state new counter name reject-icmp-rx reject
+  }
+  chain output {
+    type filter hook output priority filter
+    oifname lo counter name tx-lo accept
+    
+    meta l4proto $icmp_protos limit name lim_icmp counter name icmp-ratelimit-tx drop
+    meta l4proto $icmp_protos counter name icmp-tx accept
+    tcp sport 22 counter name ssh-tx
+    tcp sport 9100 counter name prometheus-tx
+    counter name tx
+  }
+}
+\ No newline at end of file

diff --git a/files/files/etc/ruleset.nft b/files/files/etc/ruleset.nft new file mode 100644 index 0000000..7767eb6 --- /dev/null +++ b/files/files/etc/ruleset.nft
@@ -0,0 +1,115 @@
	1	define icmp_protos = { ipv6-icmp, icmp, igmp }
	2
	3	table inet filter {
	4	counter icmp-ratelimit-fw {}
	5
	6	counter icmp-fw {}
	7
	8	counter invalid-fw {}
	9	counter fw-lo {}
	10
	11	counter reject-ratelimit-fw {}
	12	counter reject-fw {}
	13	counter reject-tcp-fw {}
	14	counter reject-icmp-fw {}
	15
	16
	17	counter invalid-rx {}
	18	counter rx-lo {}
	19	counter invalid-local4-rx {}
	20	counter invalid-local6-rx {}
	21
	22	counter icmp-ratelimit-rx {}
	23	counter icmp-rx {}
	24
	25	counter ssh-rx {}
	26	counter prometheus-rx {}
	27
	28	counter established-rx {}
	29
	30	counter reject-ratelimit-rx {}
	31	counter reject-rx {}
	32	counter reject-tcp-rx {}
	33	counter reject-icmp-rx {}
	34
	35
	36	counter tx-lo {}
	37
	38	counter icmp-ratelimit-tx {}
	39	counter icmp-tx {}
	40
	41	counter ssh-tx {}
	42	counter prometheus-tx {}
	43
	44	counter tx {}
	45
	46
	47	chain forward {
	48	type filter hook forward priority filter
	49	policy drop
	50
	51
	52	ct state invalid log level debug prefix "drop invalid forward: " counter name invalid-fw drop
	53
	54
	55	iifname lo counter name fw-lo accept
	56
	57
	58	meta l4proto $icmp_protos limit name lim_icmp counter name icmp-ratelimit-fw drop
	59	meta l4proto $icmp_protos counter name icmp-fw accept
	60
	61
	62	limit name lim_reject log level debug prefix "drop forward: " counter name reject-ratelimit-fw drop
	63	log level debug prefix "reject forward: " counter name reject-fw
	64	meta l4proto tcp ct state new counter name reject-tcp-fw reject with tcp reset
	65	ct state new counter name reject-icmp-fw reject
	66	}
	67
	68	chain input {
	69	type filter hook input priority filter
	70	policy drop
	71
	72
	73	ct state invalid log level debug prefix "drop invalid input: " counter name invalid-rx drop
	74
	75
	76	iifname lo counter name rx-lo accept
	77	iif != lo ip daddr 127.0.0.1/8 counter name invalid-local4-rx reject
	78	iif != lo ip6 daddr ::1/128 counter name invalid-local6-rx reject
	79
	80
	81	meta l4proto $icmp_protos limit name lim_icmp counter name icmp-ratelimit-rx drop
	82	meta l4proto $icmp_protos counter name icmp-rx accept
	83
	84
	85	iifname mgmt tcp dport 22 counter name ssh-rx accept
	86	iifname mgmt tcp dport 9100 counter name prometheus-rx accept
	87
	88
	89	ct state {established, related} counter name established-rx accept
	90
	91
	92	limit name lim_reject log level debug prefix "drop input: " counter name reject-ratelimit-rx drop
	93	log level debug prefix "reject input: " counter name reject-rx
	94	meta l4proto tcp ct state new counter name reject-tcp-rx reject with tcp reset
	95	ct state new counter name reject-icmp-rx reject
	96	}
	97
	98	chain output {
	99	type filter hook output priority filter
	100
	101
	102	oifname lo counter name tx-lo accept
	103
	104
	105	meta l4proto $icmp_protos limit name lim_icmp counter name icmp-ratelimit-tx drop
	106	meta l4proto $icmp_protos counter name icmp-tx accept
	107
	108
	109	tcp sport 22 counter name ssh-tx
	110	tcp sport 9100 counter name prometheus-tx
	111
	112
	113	counter name tx
	114	}
	115	} \ No newline at end of file