summaryrefslogtreecommitdiff
path: root/hosts/surtr/ruleset.nft
diff options
context:
space:
mode:
authorGregor Kleen <gkleen@yggdrasil.li>2022-04-09 00:12:45 +0200
committerGregor Kleen <gkleen@yggdrasil.li>2022-04-09 00:12:45 +0200
commitebd289d241a4e87c6e57ee3768d697d610d3699b (patch)
tree30b1c0a27ee94f0208b9b62e3f5f1f58b1c8b6ca /hosts/surtr/ruleset.nft
parente1e238a348d341cdae1fc951e5e5f00b2c0c4743 (diff)
downloadnixos-ebd289d241a4e87c6e57ee3768d697d610d3699b.tar
nixos-ebd289d241a4e87c6e57ee3768d697d610d3699b.tar.gz
nixos-ebd289d241a4e87c6e57ee3768d697d610d3699b.tar.bz2
nixos-ebd289d241a4e87c6e57ee3768d697d610d3699b.tar.xz
nixos-ebd289d241a4e87c6e57ee3768d697d610d3699b.zip
...
Diffstat (limited to 'hosts/surtr/ruleset.nft')
-rw-r--r--hosts/surtr/ruleset.nft177
1 files changed, 131 insertions, 46 deletions
diff --git a/hosts/surtr/ruleset.nft b/hosts/surtr/ruleset.nft
index b7216948..3701d119 100644
--- a/hosts/surtr/ruleset.nft
+++ b/hosts/surtr/ruleset.nft
@@ -5,22 +5,28 @@ table arp filter {
5 rate over 50 mbytes/second burst 50 mbytes 5 rate over 50 mbytes/second burst 50 mbytes
6 } 6 }
7 7
8 counter arp-rx {}
9 counter arp-tx {}
10
11 counter arp-ratelimit-rx {}
12 counter arp-ratelimit-tx {}
13
8 chain input { 14 chain input {
9 type filter hook input priority filter 15 type filter hook input priority filter
10 policy accept 16 policy accept
11 17
12 limit name lim_arp counter drop 18 limit name lim_arp counter name arp-ratelimit-rx drop
13 19
14 counter 20 counter name arp-rx
15 } 21 }
16 22
17 chain output { 23 chain output {
18 type filter hook output priority filter 24 type filter hook output priority filter
19 policy accept 25 policy accept
20 26
21 limit name lim_arp counter drop 27 limit name lim_arp counter name arp-ratelimit-tx drop
22 28
23 counter 29 counter name arp-tx
24 } 30 }
25} 31}
26 32
@@ -33,36 +39,98 @@ table inet filter {
33 rate over 50 mbytes/second burst 50 mbytes 39 rate over 50 mbytes/second burst 50 mbytes
34 } 40 }
35 41
42 counter invalid-fw {}
43 counter fw-lo {}
44 counter fw-bifrost {}
45 counter fw-inet {}
46
47 counter icmp-ratelimit-vpn-fw {}
48 counter icmp-ratelimit-established-fw {}
49 counter icmp-ratelimit-inet-fw {}
50
51 counter icmp-vpn-fw {}
52 counter icmp-established-fw {}
53 counter icmp-inet-fw {}
54
55 counter reject-ratelimit-fw {}
56 counter reject-fw {}
57 counter reject-tcp-fw {}
58 counter reject-icmp-fw {}
59
60 counter invalid-rx {}
61
62 counter rx-lo {}
63 counter invalid-local4-rx {}
64 counter invalid-local6-rx {}
65
66 counter icmp-ratelimit-rx {}
67 counter icmp-rx {}
68
69 counter ssh-rx {}
70 counter mosh-rx {}
71
72 counter wg-rx {}
73 counter yggdrasil-gre-rx {}
74
75 counter dns-rx {}
76 counter http-rx {}
77 counter stun-rx {}
78 counter turn-rx {}
79
80 counter established-rx {}
81
82 counter reject-ratelimit-rx {}
83 counter reject-rx {}
84 counter reject-tcp-rx {}
85 counter reject-icmp-rx {}
86
87 counter drop-rx {}
88
89 counter tx-lo {}
90
91 counter icmp-ratelimit-tx {}
92 counter icmp-tx {}
93
94 counter ssh-tx {}
95 counter mosh-tx {}
96 counter dns-tx {}
97 counter wg-tx {}
98 counter yggdrasil-gre-tx {}
99 counter http-tx {}
100 counter stun-tx {}
101 counter turn-tx {}
102
103 counter tx {}
36 104
37 chain forward { 105 chain forward {
38 type filter hook forward priority filter 106 type filter hook forward priority filter
39 policy drop 107 policy drop
40 108
41 109
42 ct state invalid log level debug prefix "drop invalid forward: " counter drop 110 ct state invalid log level debug prefix "drop invalid forward: " counter name invalid-fw drop
43 111
44 112
45 iifname lo counter accept 113 iifname lo counter name fw-lo accept
46 114
47 meta l4proto $icmp_protos iifname {yggdrasil, bifrost} oifname {bifrost, ens3} limit name lim_icmp counter drop 115 meta l4proto $icmp_protos iifname {yggdrasil, bifrost} oifname {bifrost, ens3} limit name lim_icmp counter name icmp-ratelimit-vpn-fw drop
48 meta l4proto $icmp_protos iifname {yggdrasil, bifrost} oifname {bifrost, ens3} counter accept 116 meta l4proto $icmp_protos iifname {yggdrasil, bifrost} oifname {bifrost, ens3} counter name icmp-vpn-fw accept
49 meta l4proto $icmp_protos ct state {established, related} limit name lim_icmp counter drop 117 meta l4proto $icmp_protos ct state {established, related} limit name lim_icmp counter name icmp-ratelimit-established-fw drop
50 meta l4proto $icmp_protos ct state {established, related} counter accept 118 meta l4proto $icmp_protos ct state {established, related} counter name icmp-established-fw accept
51 meta l4proto $icmp_protos oifname bifrost limit name lim_icmp counter drop 119 meta l4proto $icmp_protos oifname bifrost limit name lim_icmp counter name icmp-ratelimit-inet-fw drop
52 meta l4proto $icmp_protos oifname bifrost counter accept 120 meta l4proto $icmp_protos oifname bifrost counter name icmp-inet-fw accept
53 121
54 122
55 oifname bifrost counter accept 123 oifname bifrost counter name fw-bifrost accept
56 iifname bifrost oifname ens3 counter accept 124 iifname bifrost oifname ens3 counter name fw-inet accept
57 125
58 126
59 limit name lim_reject log level debug prefix "drop forward: " counter drop 127 limit name lim_reject log level debug prefix "drop forward: " counter name reject-ratelimit-fw drop
60 log level debug prefix "reject forward: " counter 128 log level debug prefix "reject forward: " counter name reject-fw
61 meta l4proto tcp ct state new counter reject with tcp reset 129 meta l4proto tcp ct state new counter name reject-tcp-fw reject with tcp reset
62 ct state new counter reject 130 ct state new counter name reject-icmp-fw reject
63 131
64 132
65 counter 133 counter name drop-fw
66 } 134 }
67 135
68 chain input { 136 chain input {
@@ -70,42 +138,42 @@ table inet filter {
70 policy drop 138 policy drop
71 139
72 140
73 ct state invalid log level debug prefix "drop invalid input: " counter drop 141 ct state invalid log level debug prefix "drop invalid input: " counter name invalid-rx drop
74 142
75 143
76 iifname lo counter accept 144 iifname lo counter name rx-lo accept
77 iif != lo ip daddr 127.0.0.1/8 counter reject 145 iif != lo ip daddr 127.0.0.1/8 counter name invalid-local4-rx reject
78 iif != lo ip6 daddr ::1/128 counter reject 146 iif != lo ip6 daddr ::1/128 counter name invalid-local6-rx reject
79 147
80 meta l4proto $icmp_protos limit name lim_icmp counter drop 148 meta l4proto $icmp_protos limit name lim_icmp counter name icmp-ratelimit-rx drop
81 meta l4proto $icmp_protos counter accept 149 meta l4proto $icmp_protos counter name icmp-rx accept
82 150
83 tcp dport 22 counter accept 151 tcp dport 22 counter name ssh-rx accept
84 udp dport 60001-61000 counter accept 152 udp dport 60001-61000 counter name mosh-rx accept
85 153
86 meta protocol ip udp dport 51820 counter accept 154 meta protocol ip udp dport 51820 counter name wg-rx accept
87 meta protocol ip6 udp dport {51821, 51822} counter accept 155 meta protocol ip6 udp dport {51821, 51822} counter name wg-rx accept
88 iifname "yggdrasil-wg-*" meta l4proto gre counter accept 156 iifname "yggdrasil-wg-*" meta l4proto gre counter name yggdrasil-gre-rx accept
89 157
90 tcp dport 53 counter accept 158 tcp dport 53 counter name dns-rx accept
91 udp dport 53 counter accept 159 udp dport 53 counter name dns-rx accept
92 160
93 tcp dport {80, 443, 8448} counter accept 161 tcp dport {80, 443, 8448} counter name http-rx accept
94 162
95 tcp dport {3478, 5349} counter accept 163 tcp dport {3478, 5349} counter name stun-rx accept
96 udp dport {3478, 5349} counter accept 164 udp dport {3478, 5349} counter name stun-rx accept
97 udp dport 49000-50000 counter accept 165 udp dport 49000-50000 counter name turn-rx accept
98 166
99 ct state {established, related} counter accept 167 ct state {established, related} counter name established-rx accept
100 168
101 169
102 limit name lim_reject log level debug prefix "drop input: " counter drop 170 limit name lim_reject log level debug prefix "drop input: " counter name reject-ratelimit-rx drop
103 log level debug prefix "reject input: " counter 171 log level debug prefix "reject input: " counter name reject-rx
104 meta l4proto tcp ct state new counter reject with tcp reset 172 meta l4proto tcp ct state new counter name reject-tcp-rx reject with tcp reset
105 ct state new counter reject 173 ct state new counter name reject-icmp-rx reject
106 174
107 175
108 counter 176 counter name drop-rx
109 } 177 }
110 178
111 chain output { 179 chain output {
@@ -113,12 +181,29 @@ table inet filter {
113 policy accept 181 policy accept
114 182
115 183
116 oifname lo counter accept 184 oifname lo counter name tx-lo accept
185
186 meta l4proto $icmp_protos limit name lim_icmp counter name icmp-ratelimit-tx drop
187 meta l4proto $icmp_protos counter name icmp-tx accept
188
189
190 tcp sport 22 counter name ssh-tx
191 udp sport 60001-61000 counter name mosh-tx
192
193 tcp sport 53 counter name dns-tx
194 udp sport 53 counter name dns-tx
195
196 meta protocol ip udp sport 51820 counter name wg-tx
197 meta protocol ip6 udp sport {51821, 51822} counter name wg-tx
198 iifname "yggdrasil-wg-*" meta l4proto gre counter name yggdrasil-gre-tx
199
200 tcp sport {80,443,8448} counter name http-tx accept
117 201
118 meta l4proto $icmp_protos limit name lim_icmp counter drop 202 tcp sport {3478, 5349} counter name stun-tx accept
119 meta l4proto $icmp_protos counter accept 203 udp sport {3478, 5349} counter name stun-tx accept
204 udp sport 49000-50000 counter name turn-tx accept
120 205
121 206
122 counter 207 counter name tx
123 } 208 }
124} \ No newline at end of file 209} \ No newline at end of file
generated by cgit v1.2.3 (git 2.25.1) at 2024-11-11 04:59:47 +0000