authorGregor Kleen <gkleen@yggdrasil.li>2021-12-09 09:36:29 +0100
committerGregor Kleen <gkleen@yggdrasil.li>2021-12-09 09:36:29 +0100
commitdb1993a6835a4de3d3cfb41b8444f6b9535f7443 (patch)
treef4047ba327cde119311c7d01c0cb11f71b58a61b
parentf6490f4b566d25be5b6ab7236a12747038f4560b (diff)
downloadnixos-db1993a6835a4de3d3cfb41b8444f6b9535f7443.tar
nixos-db1993a6835a4de3d3cfb41b8444f6b9535f7443.tar.gz
nixos-db1993a6835a4de3d3cfb41b8444f6b9535f7443.tar.bz2
nixos-db1993a6835a4de3d3cfb41b8444f6b9535f7443.tar.xz
nixos-db1993a6835a4de3d3cfb41b8444f6b9535f7443.zip
vidhar: nftables...
-rw-r--r--hosts/vidhar/ruleset.nft25
1 files changed, 15 insertions, 10 deletions
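--- a/hosts/vidhar/ruleset.nft
+++ b/hosts/vidhar/ruleset.nft
@@ -1,13 +1,15 @@
+define icmp_protos = { ipv6-icmp, icmp, igmp }
+
 table inet filter {
   limit lim_reject {
     rate over 1000/second burst 1000 packets
   }
 
   limit lim_icmp_local {
-    rate 50 mbytes/second burst 50 mbytes
+    rate over 50 mbytes/second burst 50 mbytes
   }
   limit lim_icmp_dsl {
-    rate 1400 kbytes/second burst 1400 kbytes
+    rate over 1400 kbytes/second burst 1400 kbytes
   }
 
 
@@ -21,11 +23,13 @@ table inet filter {
 
     iifname lo counter accept
 
+    oifname != dsl meta l4proto $icmp_protos limit name lim_icmp_local counter drop
+    oifname dsl meta l4proto $icmp_protos limit name lim_icmp_dsl counter drop
+    meta l4proto $imp_protos counter accept
+
     iifname eno1 oifname dsl counter accept
     iifname dsl oifname eno1 ct state {established, related} counter accept
 
-    oifname != dsl meta l4proto { ipv6-icmp, icmp, igmp } limit name lim_icmp_local counter accept
-    oifname dsl meta l4proto { ipv6-icmp, icmp, igmp } limit name lim_icmp_dsl counter accept
 
 
     limit name lim_reject log prefix "drop forward: " counter drop
@@ -49,6 +53,10 @@ table inet filter {
     iif != lo ip daddr 127.0.0.1/8 counter reject
     iif != lo ip6 daddr ::1/128 counter reject
 
+    iifname dsl meta l4proto $icmp_protos limit name lim_icmp_dsl counter drop
+    iifname != dsl meta l4proto $icmp_protos limit name lim_icmp_local counter drop
+    meta l4proto $imp_protos counter accept
+
     ct state {established, related} counter accept
 
     tcp dport 22 counter accept
@@ -57,9 +65,6 @@ table inet filter {
 
     iifname dsl meta protocol ip6 udp dport 546 udp sport 547 counter accept
 
-    iifname dsl meta l4proto { ipv6-icmp, icmp, igmp } limit name lim_icmp_dsl counter accept
-    iifname != dsl meta l4proto { ipv6-icmp, icmp, igmp } limit name lim_icmp_local counter accept
-
 
     limit name lim_reject log prefix "drop input: " counter drop
     log prefix "reject input: " counter
@@ -77,9 +82,9 @@ table inet filter {
 
     oifname lo counter accept
 
-    oifname != dsl meta l4proto { ipv6-icmp, icmp, igmp } limit name lim_icmp_local counter accept
-    oifname dsl meta l4proto { ipv6-icmp, icmp, igmp } limit name lim_icmp_dsl counter accept
-    meta l4proto { ipv6-icmp, icmp, igmp } counter drop
+    oifname != dsl meta l4proto $icmp_protos limit name lim_icmp_local counter drop
+    oifname dsl meta l4proto $icmp_protos limit name lim_icmp_dsl counter drop
+    meta l4proto $icmp_protos counter accept
 
 
     counter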
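Review bot: The variable name is misspelled on the new accept rules in the forward chain (new line 28) and the input chain (new line 58): both read `meta l4proto $imp_protos counter accept` while the only symbol defined at the top of the file is `icmp_protos`, and nft rejects a ruleset that references an undefined variable, so this file will not load as committed; the output chain (new line 87) uses the correct `$icmp_protos`. Both lines should become `meta l4proto $icmp_protos counter accept`. A second, behavioural point worth recording in a comment above each new three-rule group: the new `rate over … drop` form silently discards ICMP/IGMP exceeding the limit before the `limit name lim_reject log prefix …` fall-through rules, so excess ICMP no longer appears in the drop logs; if that visibility is wanted, add `log prefix "drop icmp: "` before `counter drop` on the two limit rules, or document the omission as intended.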