authorGregor Kleen <gkleen@yggdrasil.li>2021-12-31 16:42:52 +0100
committerGregor Kleen <gkleen@yggdrasil.li>2021-12-31 16:42:52 +0100
commite1483ff2214541c2ad3f2f99770ed41544bb8721 (patch)
tree0259ce13ad3b5085d9a3b18c1e9c9f2dd1085d17 /hosts/vidhar/network/ruleset.nft
parent7b8d19d10892eddd7cdaa1e9384185a0a6d64dae (diff)
vidhar: ...
Diffstat (limited to 'hosts/vidhar/network/ruleset.nft')
-rw-r--r--hosts/vidhar/network/ruleset.nft159
1 files changed, 159 insertions, 0 deletions
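diff --git a/hosts/vidhar/network/ruleset.nft b/hosts/vidhar/network/ruleset.nft
new file mode 100644
index 00000000..57ac2716
--- /dev/null
+++ b/hosts/vidhar/network/ruleset.nft
@@ -0,0 +1,159 @@
+define icmp_protos = { ipv6-icmp, icmp, igmp }
+
+table arp filter {
+ limit lim_arp_local {
+ rate over 50 mbytes/second burst 50 mbytes
+ }
+ limit lim_arp_dsl {
+ rate over 1400 kbytes/second burst 1400 kbytes
+ }
+
+ chain input {
+ type filter hook input priority filter
+ policy accept
+
+ iifname != dsl limit name lim_arp_local counter drop
+ iifname dsl limit name lim_arp_dsl counter drop
+
+ counter
+ }
+
+ chain output {
+ type filter hook output priority filter
+ policy accept
+
+ oifname != dsl limit name lim_arp_local counter drop
+ oifname dsl limit name lim_arp_dsl counter drop
+
+ counter
+ }
+}
+
+table inet filter {
+ limit lim_reject {
+ rate over 1000/second burst 1000 packets
+ }
+
+ limit lim_icmp_local {
+ rate over 50 mbytes/second burst 50 mbytes
+ }
+ limit lim_icmp_dsl {
+ rate over 1400 kbytes/second burst 1400 kbytes
+ }
+
+
+ chain forward_icmp_accept {
+ oifname dsl limit name lim_icmp_dsl counter drop
+ iifname dsl limit name lim_icmp_dsl counter drop
+ oifname != dsl limit name lim_icmp_local counter drop
+ iifname != dsl limit name lim_icmp_local counter drop
+ counter accept
+ }
+ chain forward {
+ type filter hook forward priority filter
+ policy drop
+
+
+ ct state invalid log prefix "drop invalid forward: " counter drop
+
+
+ iifname lo counter accept
+
+ oifname {lan, dsl} meta l4proto $icmp_protos jump forward_icmp_accept
+
+ iifname lan oifname dsl counter accept
+ iifname dsl oifname lan ct state {established, related} counter accept
+
+
+
+ limit name lim_reject log prefix "drop forward: " counter drop
+ log prefix "reject forward: " counter
+ meta l4proto tcp ct state new counter reject with tcp reset
+ ct state new counter reject
+
+
+ counter
+ }
+
+ chain input {
+ type filter hook input priority filter
+ policy drop
+
+
+ ct state invalid log prefix "drop invalid input: " counter drop
+
+
+ iifname lo counter accept
+ iif != lo ip daddr 127.0.0.1/8 counter reject
+ iif != lo ip6 daddr ::1/128 counter reject
+
+ iifname dsl meta l4proto $icmp_protos limit name lim_icmp_dsl counter drop
+ iifname != dsl meta l4proto $icmp_protos limit name lim_icmp_local counter drop
+ meta l4proto $icmp_protos counter accept
+
+ tcp dport 22 counter accept
+ udp dport 60001-61000 counter accept
+
+ iifname lan tcp dport 53 counter accept
+ iifname lan udp dport 53 counter accept
+
+ meta protocol ip udp dport 51820 counter accept
+ meta protocol ip6 udp dport 51821 counter accept
+ iifname "yggdrasil-wg-*" meta l4proto gre counter accept
+
+ iifname dsl meta protocol ip6 udp dport 546 udp sport 547 counter accept
+
+ iifname mgmt udp dport 123 counter accept
+
+ iifname {lan, mgmt} udp dport 67 counter accept
+
+ iifname lan udp dport { 137, 138, 3702 } counter accept
+ iifname lan tcp dport { 445, 139, 5357 } counter accept
+
+ ct state {established, related} counter accept
+
+
+ limit name lim_reject log prefix "drop input: " counter drop
+ log prefix "reject input: " counter
+ meta l4proto tcp ct state new counter reject with tcp reset
+ ct state new counter reject
+
+
+ counter
+ }
+
+ chain output {
+ type filter hook output priority filter
+ policy accept
+
+
+ oifname lo counter accept
+
+ oifname dsl meta l4proto $icmp_protos limit name lim_icmp_dsl counter drop
+ oifname != dsl meta l4proto $icmp_protos limit name lim_icmp_local counter drop
+ meta l4proto $icmp_protos counter accept
+
+
+ counter
+ }
+}
+
+table ip nat {
+ chain postrouting {
+ type nat hook postrouting priority srcnat
+ policy accept
+
+
+ oifname dsl counter masquerade
+ }
+}
+
+table ip mss_clamp {
+ chain postrouting {
+ type filter hook postrouting priority mangle
+ policy accept
+
+
+ oifname dsl tcp flags & (syn|rst) == syn counter tcp option maxseg size set rt mtu
+ }
+}
\ No newline at end of file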
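Review bot: The over-limit drop rules in `forward` and `input` (`limit name lim_reject log prefix "drop forward: " counter drop` and the matching `"drop input: "` rule) still emit a log line for every packet above 1000/s, so the named limit bounds the reject replies but not the log volume, which then grows with exactly the flood it is meant to absorb. Since the under-limit path already logs each rejected packet under the `reject forward: ` / `reject input: ` prefixes, the excess can be shed silently while the counter still records how much was dropped: `limit name lim_reject counter drop` in both chains. A second point worth confirming: the `jump forward_icmp_accept` rule sits before the `iifname dsl oifname lan ct state {established, related}` rule and the helper ends in an unconditional `counter accept`, so unsolicited ICMP/ICMPv6/IGMP arriving on dsl appears to be forwarded into lan subject only to the byte-rate limits; if that is not intended, adding a `ct state {established, related}` match for the dsl-to-lan direction, or limiting the accepted ICMPv6 types to those needed for PMTUD, would narrow it.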