authorGregor Kleen <gkleen@yggdrasil.li>2021-12-08 18:56:01 +0100
committerGregor Kleen <gkleen@yggdrasil.li>2021-12-08 18:56:01 +0100
commitf9d56d3d2c720daf2679e9d03d75332c9d1bb7d5 (patch)
treee13feb71a90b5e42681fab2b07174036463be958 /hosts/vidhar/ruleset.nft
parent1f680ea9c54e78fae80ef00234330b619c584553 (diff)
downloadnixos-f9d56d3d2c720daf2679e9d03d75332c9d1bb7d5.tar
nixos-f9d56d3d2c720daf2679e9d03d75332c9d1bb7d5.tar.gz
nixos-f9d56d3d2c720daf2679e9d03d75332c9d1bb7d5.tar.bz2
nixos-f9d56d3d2c720daf2679e9d03d75332c9d1bb7d5.tar.xz
nixos-f9d56d3d2c720daf2679e9d03d75332c9d1bb7d5.zip
vidhar: nftables...
Diffstat (limited to 'hosts/vidhar/ruleset.nft')
-rw-r--r--hosts/vidhar/ruleset.nft20
1 files changed, 16 insertions, 4 deletions
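diff --git a/hosts/vidhar/ruleset.nft b/hosts/vidhar/ruleset.nft
index f02031b4..a996d914 100644
--- a/hosts/vidhar/ruleset.nft
+++ b/hosts/vidhar/ruleset.nft
@@ -1,4 +1,9 @@
 table inet filter {
+  chain reject-rl {
+    limit rate over 1024 / second burst 1024 packets counter drop
+  }
+
+
   chain forward {
     type filter hook forward priority filter
     policy drop
@@ -12,7 +17,10 @@ table inet filter {
     meta l4proto igmp counter accept
 
 
-    log prefix "drop forward: " counter
+    log prefix "reject forward: " counter
+    jump reject-rl
+    meta l4proto tcp counter reject with tcp reset
+    counter reject
   }
 
   chain input {
@@ -21,8 +29,8 @@ table inet filter {
 
 
     iifname lo counter accept
-    iif != lo ip daddr 127.0.0.1/8 counter drop
-    iif != lo ip6 daddr ::1/128 counter drop
+    iif != lo ip daddr 127.0.0.1/8 counter reject
+    iif != lo ip6 daddr ::1/128 counter reject
 
     ct state {established, related} counter accept
 
@@ -36,7 +44,11 @@ table inet filter {
     meta l4proto icmp counter accept
     meta l4proto igmp counter accept
 
-    log prefix "drop input: " counter
+
+    log prefix "reject input: " counter
+    jump reject-rl
+    meta l4proto tcp counter reject with tcp reset
+    counter reject
   }
 
   chain output {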
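Review bot: The loopback-destination rules in the input chain (old 24/25, new 32/33) now reject instead of drop, and unlike the chain-final rejects they do not pass through `reject-rl`, so a packet with a 127/8 or ::1 destination arriving on a non-loopback interface gets an unthrottled ICMP error sent back toward its untrusted, quite possibly spoofed, source address. Such martians have no legitimate sender to inform, so the usual practice is to drop them silently: `iif != lo ip daddr 127.0.0.1/8 counter drop` / `iif != lo ip6 daddr ::1/128 counter drop`, or at minimum put `jump reject-rl` in front of the reject so they share the rate limit. Whether these two rules can match at all depends on the kernel's martian handling (e.g. route_localnet), which is not visible here. Separately, in both the forward and input chains the `log prefix "reject …: " counter` rule sits before the `jump reject-rl`, so logging itself is not rate-limited and a flood still produces one kernel log line per packet; a `limit rate` on the log rule (e.g. `limit rate 10/second burst 20 packets log prefix "reject input: " counter`) would bound log volume.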