1 files changed, 189 insertions, 0 deletions
diff --git a/hosts/surtr/vpn/ruleset.nft b/hosts/surtr/vpn/ruleset.nft
new file mode 100644
index 00000000..3cdb7a8a
--- /dev/null
+++ b/hosts/surtr/vpn/ruleset.nft
@@ -0,0 +1,189 @@
+define icmp_protos = {ipv6-icmp, icmp, igmp}
+table arp filter {
+  limit lim_arp {
+    rate over 50 mbytes/second burst 50 mbytes
+  }
+  counter arp-rx {}
+  counter arp-tx {}
+  counter arp-ratelimit-rx {}
+  counter arp-ratelimit-tx {}
+  chain input {
+    type filter hook input priority filter
+    policy accept
+    limit name lim_arp counter name arp-ratelimit-rx drop
+    counter name arp-rx
+  }
+  chain output {
+    type filter hook output priority filter
+    policy accept
+    limit name lim_arp counter name arp-ratelimit-tx drop
+    counter name arp-tx
+  }
+}
+table inet filter {
+  limit lim_reject {
+    rate over 1000/second burst 1000 packets
+  }
+  limit lim_icmp {
+    rate over 50 mbytes/second burst 50 mbytes
+  }
+  counter invalid-fw {}
+  counter fw-lo {}
+  counter fw-vpn {}
+  counter fw-upstream {}
+  counter icmp-ratelimit-upstream-fw {}
+  counter icmp-ratelimit-vpn-fw {}
+  counter icmp-ratelimit-established-fw {}
+  counter icmp-upstream-fw {}
+  counter icmp-vpn-fw {}
+  counter icmp-established-fw {}
+  counter reject-ratelimit-fw {}
+  counter reject-fw {}
+  counter reject-tcp-fw {}
+  counter reject-icmp-fw {}
+  counter drop-fw {}
+  counter invalid-rx {}
+  counter rx-lo {}
+  counter invalid-local4-rx {}
+  counter invalid-local6-rx {}
+  counter icmp-ratelimit-rx {}
+  counter icmp-rx {}
+  counter wg-rx {}
+  counter established-rx {}
+  counter reject-ratelimit-rx {}
+  counter reject-rx {}
+  counter reject-tcp-rx {}
+  counter reject-icmp-rx {}
+  counter drop-rx {}
+  counter tx-lo {}
+  counter icmp-ratelimit-tx {}
+  counter icmp-tx {}
+  counter wg-tx {}
+  counter tx {}
+  chain forward {
+    type filter hook forward priority filter
+    policy drop
+    ct state invalid log level debug prefix "vpn: drop invalid forward: " counter name invalid-fw drop
+    iifname lo counter name fw-lo accept
+    meta l4proto $icmp_protos iifname upstream limit name lim_icmp counter name icmp-ratelimit-upstream-fw drop
+    meta l4proto $icmp_protos iifname upstream counter name icmp-upstream-fw accept
+    meta l4proto $icmp_protos iifname vpn limit name lim_icmp counter name icmp-ratelimit-vpn-fw drop
+    meta l4proto $icmp_protos iifname vpn counter name icmp-vpn-fw accept
+    meta l4proto $icmp_protos ct state {established, related} limit name lim_icmp counter name icmp-ratelimit-established-fw drop
+    meta l4proto $icmp_protos ct state {established, related} counter name icmp-established-fw accept
+    iifname upstream oifname vpn ct state {established, related} counter name fw-vpn accept
+    iifname vpn oifname upstream counter name fw-upstream accept
+    limit name lim_reject log level debug prefix "vpn: drop forward: " counter name reject-ratelimit-fw drop
+    log level debug prefix "vpn: reject forward: " counter name reject-fw
+    meta l4proto tcp ct state new counter name reject-tcp-fw reject with tcp reset
+    ct state new counter name reject-icmp-fw reject
+    counter name drop-fw
+  }
+  chain input {
+    type filter hook input priority filter
+    policy drop
+    ct state invalid log level debug prefix "vpn: drop invalid input: " counter name invalid-rx drop
+    
+    iifname lo counter name rx-lo accept
+    iif != lo ip daddr 127.0.0.1/8 counter name invalid-local4-rx reject
+    iif != lo ip6 daddr ::1/128 counter name invalid-local6-rx reject
+    meta l4proto $icmp_protos limit name lim_icmp counter name icmp-ratelimit-rx drop
+    meta l4proto $icmp_protos counter name icmp-rx accept
+    udp dport 51820 counter name wg-rx accept
+    ct state {established, related} counter name established-rx accept
+    limit name lim_reject log level debug prefix "vpn: drop input: " counter name reject-ratelimit-rx drop
+    log level debug prefix "vpn: reject input: " counter name reject-rx
+    meta l4proto tcp ct state new counter name reject-tcp-rx reject with tcp reset
+    ct state new counter name reject-icmp-rx reject
+    counter name drop-rx
+  }
+  chain output {
+    type filter hook output priority filter
+    policy accept
+    oifname lo counter name tx-lo accept
+    meta l4proto $icmp_protos limit name lim_icmp counter name icmp-ratelimit-tx drop
+    meta l4proto $icmp_protos counter name icmp-tx accept
+    udp sport 51820 counter name wg-tx
+    
+    counter name tx
+  }
+}
+table inet nat {
+  counter nat {}
+  
+  chain postrouting {
+    type nat hook postrouting priority srcnat
+    policy accept
+    iifname vpn counter name nat masquerade
+  }
+}
+table ip mss_clamp {
+  counter mss-clamp {}
+  chain postrouting {
+    type filter hook postrouting priority mangle
+    policy accept
+    iifname vpn oifname upstream tcp flags & (syn|rst) == syn counter name mss-clamp tcp option maxseg size set rt mtu
+  }
+}
+\ No newline at end of file

diff --git a/hosts/surtr/vpn/ruleset.nft b/hosts/surtr/vpn/ruleset.nft new file mode 100644 index 00000000..3cdb7a8a --- /dev/null +++ b/hosts/surtr/vpn/ruleset.nft
@@ -0,0 +1,189 @@
	1	define icmp_protos = {ipv6-icmp, icmp, igmp}
	2
	3	table arp filter {
	4	limit lim_arp {
	5	rate over 50 mbytes/second burst 50 mbytes
	6	}
	7
	8	counter arp-rx {}
	9	counter arp-tx {}
	10
	11	counter arp-ratelimit-rx {}
	12	counter arp-ratelimit-tx {}
	13
	14	chain input {
	15	type filter hook input priority filter
	16	policy accept
	17
	18	limit name lim_arp counter name arp-ratelimit-rx drop
	19
	20	counter name arp-rx
	21	}
	22
	23	chain output {
	24	type filter hook output priority filter
	25	policy accept
	26
	27	limit name lim_arp counter name arp-ratelimit-tx drop
	28
	29	counter name arp-tx
	30	}
	31	}
	32
	33	table inet filter {
	34	limit lim_reject {
	35	rate over 1000/second burst 1000 packets
	36	}
	37
	38	limit lim_icmp {
	39	rate over 50 mbytes/second burst 50 mbytes
	40	}
	41
	42	counter invalid-fw {}
	43	counter fw-lo {}
	44	counter fw-vpn {}
	45	counter fw-upstream {}
	46
	47	counter icmp-ratelimit-upstream-fw {}
	48	counter icmp-ratelimit-vpn-fw {}
	49	counter icmp-ratelimit-established-fw {}
	50
	51	counter icmp-upstream-fw {}
	52	counter icmp-vpn-fw {}
	53	counter icmp-established-fw {}
	54
	55	counter reject-ratelimit-fw {}
	56	counter reject-fw {}
	57	counter reject-tcp-fw {}
	58	counter reject-icmp-fw {}
	59
	60	counter drop-fw {}
	61
	62	counter invalid-rx {}
	63
	64	counter rx-lo {}
	65	counter invalid-local4-rx {}
	66	counter invalid-local6-rx {}
	67
	68	counter icmp-ratelimit-rx {}
	69	counter icmp-rx {}
	70
	71	counter wg-rx {}
	72
	73	counter established-rx {}
	74
	75	counter reject-ratelimit-rx {}
	76	counter reject-rx {}
	77	counter reject-tcp-rx {}
	78	counter reject-icmp-rx {}
	79
	80	counter drop-rx {}
	81
	82	counter tx-lo {}
	83
	84	counter icmp-ratelimit-tx {}
	85	counter icmp-tx {}
	86
	87	counter wg-tx {}
	88
	89	counter tx {}
	90
	91	chain forward {
	92	type filter hook forward priority filter
	93	policy drop
	94
	95
	96	ct state invalid log level debug prefix "vpn: drop invalid forward: " counter name invalid-fw drop
	97
	98
	99	iifname lo counter name fw-lo accept
	100
	101	meta l4proto $icmp_protos iifname upstream limit name lim_icmp counter name icmp-ratelimit-upstream-fw drop
	102	meta l4proto $icmp_protos iifname upstream counter name icmp-upstream-fw accept
	103	meta l4proto $icmp_protos iifname vpn limit name lim_icmp counter name icmp-ratelimit-vpn-fw drop
	104	meta l4proto $icmp_protos iifname vpn counter name icmp-vpn-fw accept
	105	meta l4proto $icmp_protos ct state {established, related} limit name lim_icmp counter name icmp-ratelimit-established-fw drop
	106	meta l4proto $icmp_protos ct state {established, related} counter name icmp-established-fw accept
	107
	108
	109	iifname upstream oifname vpn ct state {established, related} counter name fw-vpn accept
	110	iifname vpn oifname upstream counter name fw-upstream accept
	111
	112
	113	limit name lim_reject log level debug prefix "vpn: drop forward: " counter name reject-ratelimit-fw drop
	114	log level debug prefix "vpn: reject forward: " counter name reject-fw
	115	meta l4proto tcp ct state new counter name reject-tcp-fw reject with tcp reset
	116	ct state new counter name reject-icmp-fw reject
	117
	118
	119	counter name drop-fw
	120	}
	121
	122	chain input {
	123	type filter hook input priority filter
	124	policy drop
	125
	126
	127	ct state invalid log level debug prefix "vpn: drop invalid input: " counter name invalid-rx drop
	128
	129
	130	iifname lo counter name rx-lo accept
	131	iif != lo ip daddr 127.0.0.1/8 counter name invalid-local4-rx reject
	132	iif != lo ip6 daddr ::1/128 counter name invalid-local6-rx reject
	133
	134	meta l4proto $icmp_protos limit name lim_icmp counter name icmp-ratelimit-rx drop
	135	meta l4proto $icmp_protos counter name icmp-rx accept
	136
	137	udp dport 51820 counter name wg-rx accept
	138
	139	ct state {established, related} counter name established-rx accept
	140
	141
	142	limit name lim_reject log level debug prefix "vpn: drop input: " counter name reject-ratelimit-rx drop
	143	log level debug prefix "vpn: reject input: " counter name reject-rx
	144	meta l4proto tcp ct state new counter name reject-tcp-rx reject with tcp reset
	145	ct state new counter name reject-icmp-rx reject
	146
	147
	148	counter name drop-rx
	149	}
	150
	151	chain output {
	152	type filter hook output priority filter
	153	policy accept
	154
	155
	156	oifname lo counter name tx-lo accept
	157
	158	meta l4proto $icmp_protos limit name lim_icmp counter name icmp-ratelimit-tx drop
	159	meta l4proto $icmp_protos counter name icmp-tx accept
	160
	161
	162	udp sport 51820 counter name wg-tx
	163
	164
	165	counter name tx
	166	}
	167	}
	168
	169	table inet nat {
	170	counter nat {}
	171
	172	chain postrouting {
	173	type nat hook postrouting priority srcnat
	174	policy accept
	175
	176	iifname vpn counter name nat masquerade
	177	}
	178	}
	179
	180	table ip mss_clamp {
	181	counter mss-clamp {}
	182
	183	chain postrouting {
	184	type filter hook postrouting priority mangle
	185	policy accept
	186
	187	iifname vpn oifname upstream tcp flags & (syn\|rst) == syn counter name mss-clamp tcp option maxseg size set rt mtu
	188	}
	189	} \ No newline at end of file