path: root/hosts/vidhar/printing/ruleset.nft
authorGregor Kleen <gkleen@yggdrasil.li>2023-03-04 19:23:36 +0100
committerGregor Kleen <gkleen@yggdrasil.li>2023-03-04 19:23:36 +0100
commit29480b6e86ca6057d4151accdb5d4103f1657596 (patch)
treeaad8ef8a38f2b679ff64039d6a2445eba9041d09 /hosts/vidhar/printing/ruleset.nft
parent7fcaba2d4cabc8d5dfd35648ec1b9b6795e490ec (diff)
...
Diffstat (limited to 'hosts/vidhar/printing/ruleset.nft')
-rw-r--r--hosts/vidhar/printing/ruleset.nft185
1 files changed, 185 insertions, 0 deletions
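--- /dev/null
+++ b/hosts/vidhar/printing/ruleset.nft
@@ -0,0 +1,185 @@
+define icmp_protos = {ipv6-icmp, icmp, igmp}
+
+table arp filter {
+ limit lim_arp {
+ rate over 50 mbytes/second burst 50 mbytes
+ }
+
+ counter arp-rx {}
+ counter arp-tx {}
+
+ counter arp-ratelimit-rx {}
+ counter arp-ratelimit-tx {}
+
+ chain input {
+ type filter hook input priority filter
+ policy accept
+
+ limit name lim_arp counter name arp-ratelimit-rx drop
+
+ counter name arp-rx
+ }
+
+ chain output {
+ type filter hook output priority filter
+ policy accept
+
+ limit name lim_arp counter name arp-ratelimit-tx drop
+
+ counter name arp-tx
+ }
+}
+
+table inet filter {
+ limit lim_reject {
+ rate over 1000/second burst 1000 packets
+ }
+
+ limit lim_icmp {
+ rate over 50 mbytes/second burst 50 mbytes
+ }
+
+ counter invalid-fw {}
+ counter fw-lo {}
+ counter fw-printer {}
+ counter fw-host {}
+
+ counter icmp-ratelimit-fw {}
+
+ counter reject-ratelimit-fw {}
+ counter reject-fw {}
+ counter reject-tcp-fw {}
+ counter reject-icmp-fw {}
+
+ counter drop-fw {}
+
+ counter invalid-rx {}
+
+ counter rx-lo {}
+ counter invalid-local4-rx {}
+ counter invalid-local6-rx {}
+
+ counter icmp-ratelimit-rx {}
+ counter icmp-rx {}
+
+ counter cups-rx {}
+
+ counter established-rx {}
+
+ counter reject-ratelimit-rx {}
+ counter reject-rx {}
+ counter reject-tcp-rx {}
+ counter reject-icmp-rx {}
+
+ counter drop-rx {}
+
+ counter tx-lo {}
+
+ counter icmp-ratelimit-tx {}
+ counter icmp-tx {}
+
+ counter cups-tx {}
+
+ counter tx {}
+
+ chain forward {
+ type filter hook forward priority filter
+ policy drop
+
+
+ ct state invalid log level debug prefix "drop invalid forward: " counter name invalid-fw drop
+
+
+ iifname lo counter name fw-lo accept
+
+
+ meta l4proto $icmp_protos limit name lim_icmp counter name icmp-ratelimit-fw drop
+ meta l4proto $icmp_protos counter name icmp-fw accept
+
+
+ iifname printer oifname eth0 ip daddr 10.141.4.0 meta l4proto . th dport { tcp . 53, udp . 53, udp . 123 } counter fw-printer accept
+ iifname printer oifname eth0 ip6 daddr 2a03:4000:52:ada:4:: meta l4proto . th dport { tcp . 53, udp . 53, udp . 123 } counter fw-printer accept
+ iifname eth0 oifname printer counter fw-host accept
+
+
+ limit name lim_reject log level debug prefix "drop forward: " counter name reject-ratelimit-fw drop
+ log level debug prefix "reject forward: " counter name reject-fw
+ meta l4proto tcp ct state new counter name reject-tcp-fw reject with tcp reset
+ ct state new counter name reject-icmp-fw reject
+
+
+ counter name drop-fw
+ }
+
+ chain input {
+ type filter hook input priority filter
+ policy drop
+
+
+ ct state invalid log level debug prefix "drop invalid input: " counter name invalid-rx drop
+
+
+ iifname lo counter name rx-lo accept
+ iif != lo ip daddr 127.0.0.1/8 counter name invalid-local4-rx reject
+ iif != lo ip6 daddr ::1/128 counter name invalid-local6-rx reject
+
+ meta l4proto $icmp_protos limit name lim_icmp counter name icmp-ratelimit-rx drop
+ meta l4proto $icmp_protos counter name icmp-rx accept
+
+
+ ip6 saddr 2a03:4000:52:ada:4:: tcp dport 631 counter name cups-rx accept
+ ip saddr 10.141.4.0 tcp dport 631 counter name cups-rx accept
+
+ ct state {established, related} counter name established-rx accept
+
+
+ limit name lim_reject log level debug prefix "drop input: " counter name reject-ratelimit-rx drop
+ log level debug prefix "reject input: " counter name reject-rx
+ meta l4proto tcp ct state new counter name reject-tcp-rx reject with tcp reset
+ ct state new counter name reject-icmp-rx reject
+
+
+ counter name drop-rx
+ }
+
+ chain output {
+ type filter hook output priority filter
+ policy accept
+
+
+ oifname lo counter name tx-lo accept
+
+ meta l4proto $icmp_protos limit name lim_icmp counter name icmp-ratelimit-tx drop
+ meta l4proto $icmp_protos counter name icmp-tx accept
+
+
+ tcp sport 631 counter name cups-tx accept
+
+
+ counter name tx
+ }
+}
+
+table ip nat {
+ counter host-nat {}
+
+ chain postrouting {
+ type nat hook postrouting priority srcnat
+ policy accept
+
+
+ oifname eth0 counter name host-nat masquerade
+ }
+}
+
+table ip mss_clamp {
+ counter host-mss-clamp {}
+
+ chain postrouting {
+ type filter hook postrouting priority mangle
+ policy accept
+
+
+ oifname eth0 tcp flags & (syn|rst) == syn counter name host-mss-clamp tcp option maxseg size set rt mtu
+ }
+}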
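Review bot: The forward chain's counter references at file lines 97 and 100–102 do not match the declarations at the top of `table inet filter`, so the whole ruleset will most likely be rejected at load time: `counter name icmp-fw` refers to an object that is never declared (only `icmp-ratelimit-fw` is), and `counter fw-printer` / `counter fw-host` omit the `name` keyword that every other rule in the file uses. Declare `counter icmp-fw {}` next to `icmp-ratelimit-fw` and change the three rules to end in `counter name fw-printer accept` / `counter name fw-host accept`. Because nft applies a file atomically, a parse error leaves the host running whatever ruleset was active before instead of this policy-drop configuration, which is worth catching with `nft -c -f` before deployment. Separately, `10.141.4.0` and `2a03:4000:52:ada:4::` are written without prefix lengths here and in the input chain's cups rules, so they match single host addresses; if subnets were intended, the masks are missing.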