author | Gregor Kleen <gkleen@yggdrasil.li> | 2021-12-09 09:36:29 +0100 |
---|---|---|
committer | Gregor Kleen <gkleen@yggdrasil.li> | 2021-12-09 09:36:29 +0100 |
commit | db1993a6835a4de3d3cfb41b8444f6b9535f7443 (patch) | |
tree | f4047ba327cde119311c7d01c0cb11f71b58a61b | |
parent | f6490f4b566d25be5b6ab7236a12747038f4560b (diff) | |
download | nixos-db1993a6835a4de3d3cfb41b8444f6b9535f7443.tar nixos-db1993a6835a4de3d3cfb41b8444f6b9535f7443.tar.gz nixos-db1993a6835a4de3d3cfb41b8444f6b9535f7443.tar.bz2 nixos-db1993a6835a4de3d3cfb41b8444f6b9535f7443.tar.xz nixos-db1993a6835a4de3d3cfb41b8444f6b9535f7443.zip |
vidhar: nftables...
-rw-r--r-- | hosts/vidhar/ruleset.nft | 25 |
1 files changed, 15 insertions, 10 deletions
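--- a/hosts/vidhar/ruleset.nft
+++ b/hosts/vidhar/ruleset.nft
@@ -1,13 +1,15 @@
+define icmp_protos = { ipv6-icmp, icmp, igmp }
+
 table inet filter {
 limit lim_reject {
 rate over 1000/second burst 1000 packets
 }
 
 limit lim_icmp_local {
-rate 50 mbytes/second burst 50 mbytes
+rate over 50 mbytes/second burst 50 mbytes
 }
 limit lim_icmp_dsl {
-rate 1400 kbytes/second burst 1400 kbytes
+rate over 1400 kbytes/second burst 1400 kbytes
 }
 
 
@@ -21,11 +23,13 @@ table inet filter {
 
 iifname lo counter accept
 
+oifname != dsl meta l4proto $icmp_protos limit name lim_icmp_local counter drop
+oifname dsl meta l4proto $icmp_protos limit name lim_icmp_dsl counter drop
+meta l4proto $imp_protos counter accept
+
 iifname eno1 oifname dsl counter accept
 iifname dsl oifname eno1 ct state {established, related} counter accept
 
-oifname != dsl meta l4proto { ipv6-icmp, icmp, igmp } limit name lim_icmp_local counter accept
-oifname dsl meta l4proto { ipv6-icmp, icmp, igmp } limit name lim_icmp_dsl counter accept
 
 
 limit name lim_reject log prefix "drop forward: " counter drop
@@ -49,6 +53,10 @@ table inet filter {
 iif != lo ip daddr 127.0.0.1/8 counter reject
 iif != lo ip6 daddr ::1/128 counter reject
 
+iifname dsl meta l4proto $icmp_protos limit name lim_icmp_dsl counter drop
+iifname != dsl meta l4proto $icmp_protos limit name lim_icmp_local counter drop
+meta l4proto $imp_protos counter accept
+
 ct state {established, related} counter accept
 
 tcp dport 22 counter accept
@@ -57,9 +65,6 @@ table inet filter {
 
 iifname dsl meta protocol ip6 udp dport 546 udp sport 547 counter accept
 
-iifname dsl meta l4proto { ipv6-icmp, icmp, igmp } limit name lim_icmp_dsl counter accept
-iifname != dsl meta l4proto { ipv6-icmp, icmp, igmp } limit name lim_icmp_local counter accept
-
 
 limit name lim_reject log prefix "drop input: " counter drop
 log prefix "reject input: " counter
@@ -77,9 +82,9 @@ table inet filter {
 
 oifname lo counter accept
 
-oifname != dsl meta l4proto { ipv6-icmp, icmp, igmp } limit name lim_icmp_local counter accept
-oifname dsl meta l4proto { ipv6-icmp, icmp, igmp } limit name lim_icmp_dsl counter accept
-meta l4proto { ipv6-icmp, icmp, igmp } counter drop
+oifname != dsl meta l4proto $icmp_protos limit name lim_icmp_local counter drop
+oifname dsl meta l4proto $icmp_protos limit name lim_icmp_dsl counter drop
+meta l4proto $icmp_protos counter accept
 
 
 counter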
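Review bot: The accept rules added to the forward chain (new line 28) and the input chain (new line 58) reference `$imp_protos`, which does not match the `define icmp_protos` introduced at line 1 and is defined nowhere else in the file; nft treats an undefined variable as an unknown identifier and refuses to load the ruleset, so none of this commit's changes would take effect. Both lines should read `meta l4proto $icmp_protos counter accept`, as the equivalent line already does in the output chain at new line 87. With that fixed, the new rate-over/drop-then-accept pattern is consistent across all three chains. The enclosing chain definitions begin outside the hunks, so their hook and policy lines are not visible here.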