Diffstat (limited to 'hosts/surtr/ruleset.nft')
-rw-r--r--hosts/surtr/ruleset.nft109
1 files changed, 109 insertions, 0 deletions
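--- /dev/null
+++ b/hosts/surtr/ruleset.nft
@@ -0,0 +1,109 @@
+define icmp_protos = { ipv6-icmp, icmp, igmp }
+
+table arp filter {
+    limit lim_arp_local {
+        rate over 50 mbytes/second burst 50 mbytes
+    }
+    limit lim_arp_dsl {
+        rate over 1400 kbytes/second burst 1400 kbytes
+    }
+
+    chain input {
+        type filter hook input priority filter
+        policy accept
+
+        iifname != dsl limit name lim_arp_local counter drop
+        iifname dsl limit name lim_arp_dsl counter drop
+
+        counter
+    }
+
+    chain output {
+        type filter hook output priority filter
+        policy accept
+
+        oifname != dsl limit name lim_arp_local counter drop
+        oifname dsl limit name lim_arp_dsl counter drop
+
+        counter
+    }
+}
+
+table inet filter {
+    limit lim_reject {
+        rate over 1000/second burst 1000 packets
+    }
+
+    limit lim_icmp {
+        rate over 50 mbytes/second burst 50 mbytes
+    }
+
+
+    chain forward {
+        type filter hook forward priority filter
+        policy drop
+
+
+        ct state invalid log prefix "drop invalid forward: " counter drop
+
+
+        iifname lo counter accept
+
+        meta l4proto $icmp_protos limit name lim_icmp counter drop
+        meta l4proto $icmp_protos counter accept
+
+
+        limit name lim_reject log prefix "drop forward: " counter drop
+        log prefix "reject forward: " counter
+        meta l4proto tcp ct state new counter reject with tcp reset
+        ct state new counter reject
+
+
+        counter
+    }
+
+    chain input {
+        type filter hook input priority filter
+        policy drop
+
+
+        ct state invalid log prefix "drop invalid input: " counter drop
+
+
+        iifname lo counter accept
+        iif != lo ip daddr 127.0.0.1/8 counter reject
+        iif != lo ip6 daddr ::1/128 counter reject
+
+        meta l4proto $icmp_protos limit name lim_icmp counter drop
+        meta l4proto $icmp_protos counter accept
+
+        ct state {established, related} counter accept
+
+        tcp dport 22 counter accept
+        meta protocol ip udp dport {51820, 51821} counter accept
+        udp dport 60000-61000 counter accept
+
+
+        limit name lim_reject log prefix "drop input: " counter drop
+        log prefix "reject input: " counter
+        meta l4proto tcp ct state new counter reject with tcp reset
+        ct state new counter reject
+
+
+        counter
+    }
+
+    chain output {
+        type filter hook output priority filter
+        policy accept
+
+
+        oifname lo counter accept
+
+        meta l4proto $icmp_protos limit name lim_icmp counter drop
+        meta l4proto $icmp_protos counter accept
+
+
+        counter
+    }
+}
\ No newline at end of file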
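Review bot: The over-limit rule `limit name lim_reject log prefix "drop input: " counter drop` (and its twin `limit name lim_reject log prefix "drop forward: " counter drop` in the forward chain) logs every packet that exceeds 1000/s, so the rule meant to contain a flood of unsolicited traffic turns it into unbounded log volume on the host. Keep the drop but rate-limit the logging separately, e.g. replace each with `limit name lim_reject limit rate 10/second log prefix "drop input: "` followed by `limit name lim_reject counter drop` (assuming nft accepts two limit statements in one rule as it normally does; otherwise drop the `log` from this rule and rely on the counter). A short comment above the `lim_reject` limit stating that it caps how much unsolicited traffic reaches the reject/log path, and that only the first packets over the threshold are logged, would document the intent. Separately, the forward chain has no `ct state {established, related}` accept or interface-based accept, so every forwarded packet is rejected; if that is intended (no routing for the WireGuard ports opened on input), the `iifname lo counter accept` there is dead and could go, and a comment saying forwarding is deliberately disabled would prevent a later "fix".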