diff options
Diffstat (limited to 'hosts/vidhar/network')
-rw-r--r-- | hosts/vidhar/network/ruleset.nft | 159 |
1 files changed, 159 insertions, 0 deletions
diff --git a/hosts/vidhar/network/ruleset.nft b/hosts/vidhar/network/ruleset.nft new file mode 100644 index 00000000..57ac2716 --- /dev/null +++ b/hosts/vidhar/network/ruleset.nft | |||
@@ -0,0 +1,159 @@ | |||
1 | define icmp_protos = { ipv6-icmp, icmp, igmp } | ||
2 | |||
3 | table arp filter { | ||
4 | limit lim_arp_local { | ||
5 | rate over 50 mbytes/second burst 50 mbytes | ||
6 | } | ||
7 | limit lim_arp_dsl { | ||
8 | rate over 1400 kbytes/second burst 1400 kbytes | ||
9 | } | ||
10 | |||
11 | chain input { | ||
12 | type filter hook input priority filter | ||
13 | policy accept | ||
14 | |||
15 | iifname != dsl limit name lim_arp_local counter drop | ||
16 | iifname dsl limit name lim_arp_dsl counter drop | ||
17 | |||
18 | counter | ||
19 | } | ||
20 | |||
21 | chain output { | ||
22 | type filter hook output priority filter | ||
23 | policy accept | ||
24 | |||
25 | oifname != dsl limit name lim_arp_local counter drop | ||
26 | oifname dsl limit name lim_arp_dsl counter drop | ||
27 | |||
28 | counter | ||
29 | } | ||
30 | } | ||
31 | |||
32 | table inet filter { | ||
33 | limit lim_reject { | ||
34 | rate over 1000/second burst 1000 packets | ||
35 | } | ||
36 | |||
37 | limit lim_icmp_local { | ||
38 | rate over 50 mbytes/second burst 50 mbytes | ||
39 | } | ||
40 | limit lim_icmp_dsl { | ||
41 | rate over 1400 kbytes/second burst 1400 kbytes | ||
42 | } | ||
43 | |||
44 | |||
45 | chain forward_icmp_accept { | ||
46 | oifname dsl limit name lim_icmp_dsl counter drop | ||
47 | iifname dsl limit name lim_icmp_dsl counter drop | ||
48 | oifname != dsl limit name lim_icmp_local counter drop | ||
49 | iifname != dsl limit name lim_icmp_local counter drop | ||
50 | counter accept | ||
51 | } | ||
52 | chain forward { | ||
53 | type filter hook forward priority filter | ||
54 | policy drop | ||
55 | |||
56 | |||
57 | ct state invalid log prefix "drop invalid forward: " counter drop | ||
58 | |||
59 | |||
60 | iifname lo counter accept | ||
61 | |||
62 | oifname {lan, dsl} meta l4proto $icmp_protos jump forward_icmp_accept | ||
63 | |||
64 | iifname lan oifname dsl counter accept | ||
65 | iifname dsl oifname lan ct state {established, related} counter accept | ||
66 | |||
67 | |||
68 | |||
69 | limit name lim_reject log prefix "drop forward: " counter drop | ||
70 | log prefix "reject forward: " counter | ||
71 | meta l4proto tcp ct state new counter reject with tcp reset | ||
72 | ct state new counter reject | ||
73 | |||
74 | |||
75 | counter | ||
76 | } | ||
77 | |||
78 | chain input { | ||
79 | type filter hook input priority filter | ||
80 | policy drop | ||
81 | |||
82 | |||
83 | ct state invalid log prefix "drop invalid input: " counter drop | ||
84 | |||
85 | |||
86 | iifname lo counter accept | ||
87 | iif != lo ip daddr 127.0.0.1/8 counter reject | ||
88 | iif != lo ip6 daddr ::1/128 counter reject | ||
89 | |||
90 | iifname dsl meta l4proto $icmp_protos limit name lim_icmp_dsl counter drop | ||
91 | iifname != dsl meta l4proto $icmp_protos limit name lim_icmp_local counter drop | ||
92 | meta l4proto $icmp_protos counter accept | ||
93 | |||
94 | tcp dport 22 counter accept | ||
95 | udp dport 60001-61000 counter accept | ||
96 | |||
97 | iifname lan tcp dport 53 counter accept | ||
98 | iifname lan udp dport 53 counter accept | ||
99 | |||
100 | meta protocol ip udp dport 51820 counter accept | ||
101 | meta protocol ip6 udp dport 51821 counter accept | ||
102 | iifname "yggdrasil-wg-*" meta l4proto gre counter accept | ||
103 | |||
104 | iifname dsl meta protocol ip6 udp dport 546 udp sport 547 counter accept | ||
105 | |||
106 | iifname mgmt udp dport 123 counter accept | ||
107 | |||
108 | iifname {lan, mgmt} udp dport 67 counter accept | ||
109 | |||
110 | iifname lan udp dport { 137, 138, 3702 } counter accept | ||
111 | iifname lan tcp dport { 445, 139, 5357 } counter accept | ||
112 | |||
113 | ct state {established, related} counter accept | ||
114 | |||
115 | |||
116 | limit name lim_reject log prefix "drop input: " counter drop | ||
117 | log prefix "reject input: " counter | ||
118 | meta l4proto tcp ct state new counter reject with tcp reset | ||
119 | ct state new counter reject | ||
120 | |||
121 | |||
122 | counter | ||
123 | } | ||
124 | |||
125 | chain output { | ||
126 | type filter hook output priority filter | ||
127 | policy accept | ||
128 | |||
129 | |||
130 | oifname lo counter accept | ||
131 | |||
132 | oifname dsl meta l4proto $icmp_protos limit name lim_icmp_dsl counter drop | ||
133 | oifname != dsl meta l4proto $icmp_protos limit name lim_icmp_local counter drop | ||
134 | meta l4proto $icmp_protos counter accept | ||
135 | |||
136 | |||
137 | counter | ||
138 | } | ||
139 | } | ||
140 | |||
141 | table ip nat { | ||
142 | chain postrouting { | ||
143 | type nat hook postrouting priority srcnat | ||
144 | policy accept | ||
145 | |||
146 | |||
147 | oifname dsl counter masquerade | ||
148 | } | ||
149 | } | ||
150 | |||
151 | table ip mss_clamp { | ||
152 | chain postrouting { | ||
153 | type filter hook postrouting priority mangle | ||
154 | policy accept | ||
155 | |||
156 | |||
157 | oifname dsl tcp flags & (syn|rst) == syn counter tcp option maxseg size set rt mtu | ||
158 | } | ||
159 | } \ No newline at end of file | ||