From db1993a6835a4de3d3cfb41b8444f6b9535f7443 Mon Sep 17 00:00:00 2001
From: Gregor Kleen
Date: Thu, 9 Dec 2021 09:36:29 +0100
Subject: vidhar: nftables...
---
 hosts/vidhar/ruleset.nft | 25 +++++++++++++++----------
 1 file changed, 15 insertions(+), 10 deletions(-)
diff --git a/hosts/vidhar/ruleset.nft b/hosts/vidhar/ruleset.nft
index 4df37a9d..ca2eb2fc 100644
--- a/hosts/vidhar/ruleset.nft
+++ b/hosts/vidhar/ruleset.nft
@@ -1,13 +1,15 @@
+define icmp_protos = { ipv6-icmp, icmp, igmp }
+
 table inet filter {
 limit lim_reject { rate over 1000/second burst 1000 packets }
 limit lim_icmp_local {
- rate 50 mbytes/second burst 50 mbytes
+ rate over 50 mbytes/second burst 50 mbytes
 }
 limit lim_icmp_dsl {
- rate 1400 kbytes/second burst 1400 kbytes
+ rate over 1400 kbytes/second burst 1400 kbytes
 }
@@ -21,11 +23,13 @@ table inet filter {
 iifname lo counter accept
+ oifname != dsl meta l4proto $icmp_protos limit name lim_icmp_local counter drop
+ oifname dsl meta l4proto $icmp_protos limit name lim_icmp_dsl counter drop
+ meta l4proto $imp_protos counter accept
+
 iifname eno1 oifname dsl counter accept
 iifname dsl oifname eno1 ct state {established, related} counter accept
- oifname != dsl meta l4proto { ipv6-icmp, icmp, igmp } limit name lim_icmp_local counter accept
- oifname dsl meta l4proto { ipv6-icmp, icmp, igmp } limit name lim_icmp_dsl counter accept
 limit name lim_reject log prefix "drop forward: " counter drop
@@ -49,6 +53,10 @@ table inet filter {
 iif != lo ip daddr 127.0.0.1/8 counter reject
 iif != lo ip6 daddr ::1/128 counter reject
+ iifname dsl meta l4proto $icmp_protos limit name lim_icmp_dsl counter drop
+ iifname != dsl meta l4proto $icmp_protos limit name lim_icmp_local counter drop
+ meta l4proto $imp_protos counter accept
+
 ct state {established, related} counter accept
 tcp dport 22 counter accept
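Review bot: Switching `lim_icmp_local` and `lim_icmp_dsl` to `rate over` inverts what the named limits match — they now fire on the packets that exceed the rate, not on the packets within it — so every `limit name lim_icmp_*` rule must be paired with `drop` rather than `accept`, which the later hunks do, but a future rule reusing one of these objects with `accept` would silently pass exactly the overflow. The lim_reject object already used `rate over`, so this is now consistent across all three; I would record the contract next to the definitions, e.g. `# "rate over": matches packets *above* the limit -- always pair with drop`. The `table inet filter` block continues past this hunk.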
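Review bot: `meta l4proto $imp_protos counter accept` in the forward-chain hunk references a symbol that is never defined — the new top-of-file define is `icmp_protos` — and the same typo is repeated in the input-chain hunk (`@@ -49,6 +53,10`). As far as I can tell nft rejects a reference to an undefined symbol when parsing the file, so the ruleset would not load as committed and the intended ICMP rate-limiting would not take effect on either chain. Both lines should read `meta l4proto $icmp_protos counter accept`, as the output-chain hunk already does. A short comment at the define, e.g. `# protocols subject to the per-interface ICMP rate limits`, would also help, since the variable is now used in three chains. The forward and input chains each begin and end outside their hunks.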
@@ -57,9 +65,6 @@ table inet filter {
 iifname dsl meta protocol ip6 udp dport 546 udp sport 547 counter accept
- iifname dsl meta l4proto { ipv6-icmp, icmp, igmp } limit name lim_icmp_dsl counter accept
- iifname != dsl meta l4proto { ipv6-icmp, icmp, igmp } limit name lim_icmp_local counter accept
-
 limit name lim_reject log prefix "drop input: " counter drop
 log prefix "reject input: " counter
@@ -77,9 +82,9 @@ table inet filter {
 oifname lo counter accept
- oifname != dsl meta l4proto { ipv6-icmp, icmp, igmp } limit name lim_icmp_local counter accept
- oifname dsl meta l4proto { ipv6-icmp, icmp, igmp } limit name lim_icmp_dsl counter accept
- meta l4proto { ipv6-icmp, icmp, igmp } counter drop
+ oifname != dsl meta l4proto $icmp_protos limit name lim_icmp_local counter drop
+ oifname dsl meta l4proto $icmp_protos limit name lim_icmp_dsl counter drop
+ meta l4proto $icmp_protos counter accept
 counter
--
cgit v1.2.3