vidhar: nftables...

author: Gregor Kleen <gkleen@yggdrasil.li> 2021-12-08 18:56:01 +0100
committer: Gregor Kleen <gkleen@yggdrasil.li> 2021-12-08 18:56:01 +0100
commit: f9d56d3d2c720daf2679e9d03d75332c9d1bb7d5 (patch)
tree: e13feb71a90b5e42681fab2b07174036463be958
parent: 1f680ea9c54e78fae80ef00234330b619c584553 (diff)
download: nixos-f9d56d3d2c720daf2679e9d03d75332c9d1bb7d5.tar
nixos-f9d56d3d2c720daf2679e9d03d75332c9d1bb7d5.tar.gz
nixos-f9d56d3d2c720daf2679e9d03d75332c9d1bb7d5.tar.bz2
nixos-f9d56d3d2c720daf2679e9d03d75332c9d1bb7d5.tar.xz
nixos-f9d56d3d2c720daf2679e9d03d75332c9d1bb7d5.zip
1 files changed, 16 insertions, 4 deletions
diff --git a/hosts/vidhar/ruleset.nft b/hosts/vidhar/ruleset.nft
index f02031b4..a996d914 100644
--- a/hosts/vidhar/ruleset.nft
+++ b/hosts/vidhar/ruleset.nft
@@ -1,4 +1,9 @@
 table inet filter {
+  chain reject-rl {
+    limit rate over 1024 / second burst 1024 packets counter drop
+  }
  chain forward {
    type filter hook forward priority filter
    policy drop
@@ -12,7 +17,10 @@ table inet filter {
    meta l4proto igmp counter accept
-    log prefix "drop forward: " counter
+    log prefix "reject forward: " counter
+    jump reject-rl
+    meta l4proto tcp counter reject with tcp reset
+    counter reject
  }
  chain input {
@@ -21,8 +29,8 @@ table inet filter {
    iifname lo counter accept
-    iif != lo ip daddr 127.0.0.1/8 counter drop
+    iif != lo ip daddr 127.0.0.1/8 counter reject
-    iif != lo ip6 daddr ::1/128 counter drop
+    iif != lo ip6 daddr ::1/128 counter reject
    ct state {established, related} counter accept
@@ -36,7 +44,11 @@ table inet filter {
    meta l4proto icmp counter accept
    meta l4proto igmp counter accept
-    log prefix "drop input: " counter
+    log prefix "reject input: " counter
+    jump reject-rl
+    meta l4proto tcp counter reject with tcp reset
+    counter reject
  }
  chain output {
author	Gregor Kleen <gkleen@yggdrasil.li>	2021-12-08 18:56:01 +0100
committer	Gregor Kleen <gkleen@yggdrasil.li>	2021-12-08 18:56:01 +0100
commit	f9d56d3d2c720daf2679e9d03d75332c9d1bb7d5 (patch)
tree	e13feb71a90b5e42681fab2b07174036463be958
parent	1f680ea9c54e78fae80ef00234330b619c584553 (diff)
download	nixos-f9d56d3d2c720daf2679e9d03d75332c9d1bb7d5.tar nixos-f9d56d3d2c720daf2679e9d03d75332c9d1bb7d5.tar.gz nixos-f9d56d3d2c720daf2679e9d03d75332c9d1bb7d5.tar.bz2 nixos-f9d56d3d2c720daf2679e9d03d75332c9d1bb7d5.tar.xz nixos-f9d56d3d2c720daf2679e9d03d75332c9d1bb7d5.zip

diff --git a/hosts/vidhar/ruleset.nft b/hosts/vidhar/ruleset.nft index f02031b4..a996d914 100644 --- a/hosts/vidhar/ruleset.nft +++ b/hosts/vidhar/ruleset.nft
@@ -1,4 +1,9 @@
1	table inet filter {	1	table inet filter {
		2	chain reject-rl {
		3	limit rate over 1024 / second burst 1024 packets counter drop
		4	}
		5
		6
2	chain forward {	7	chain forward {
3	type filter hook forward priority filter	8	type filter hook forward priority filter
4	policy drop	9	policy drop
@@ -12,7 +17,10 @@ table inet filter {
12	meta l4proto igmp counter accept	17	meta l4proto igmp counter accept
13		18
14		19
15	log prefix "drop forward: " counter	20	log prefix "reject forward: " counter
		21	jump reject-rl
		22	meta l4proto tcp counter reject with tcp reset
		23	counter reject
16	}	24	}
17		25
18	chain input {	26	chain input {
@@ -21,8 +29,8 @@ table inet filter {
21		29
22		30
23	iifname lo counter accept	31	iifname lo counter accept
24	iif != lo ip daddr 127.0.0.1/8 counter drop	32	iif != lo ip daddr 127.0.0.1/8 counter reject
25	iif != lo ip6 daddr ::1/128 counter drop	33	iif != lo ip6 daddr ::1/128 counter reject
26		34
27	ct state {established, related} counter accept	35	ct state {established, related} counter accept
28		36
@@ -36,7 +44,11 @@ table inet filter {
36	meta l4proto icmp counter accept	44	meta l4proto icmp counter accept
37	meta l4proto igmp counter accept	45	meta l4proto igmp counter accept
38		46
39	log prefix "drop input: " counter	47
		48	log prefix "reject input: " counter
		49	jump reject-rl
		50	meta l4proto tcp counter reject with tcp reset
		51	counter reject
40	}	52	}
41		53
42	chain output {	54	chain output {