From 1f0101786a8c3eb9767132bf5317672b3cf9d16c Mon Sep 17 00:00:00 2001
From: Gregor Kleen
Date: Mon, 13 Dec 2021 18:05:08 +0100
Subject: surtr: nftables
---
 hosts/surtr/default.nix | 6 +++
 hosts/surtr/ruleset.nft | 109 ++++++++++++++++++++++++++++++++++++++++++++++++
 2 files changed, 115 insertions(+)
 create mode 100644 hosts/surtr/ruleset.nft
(limited to 'hosts/surtr')
diff --git a/hosts/surtr/default.nix b/hosts/surtr/default.nix
index 028ae832..61d28f22 100644
--- a/hosts/surtr/default.nix
+++ b/hosts/surtr/default.nix
@@ -64,6 +64,12 @@
 ];
 };
 
+ firewall.enable = false;
+ nftables = {
+ enable = true;
+ rulesetFile = ./ruleset.nft;
+ };
+
 firewall = {
 enable = true;
 allowPing = true;
diff --git a/hosts/surtr/ruleset.nft b/hosts/surtr/ruleset.nft
new file mode 100644
index 00000000..f353d855
--- /dev/null
+++ b/hosts/surtr/ruleset.nft
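Review bot: The added `firewall.enable = false;` sits directly above a context block that still reads `firewall = { enable = true; allowPing = true; ...`; if both live in the same attribute set, Nix refuses to evaluate the file because `firewall.enable` is then defined twice, and if the later block is a different option path that should be stated, since the hunk gives no way to tell. Either way, switching the NixOS firewall off in favour of `nftables.rulesetFile` means `allowPing` and any port openings in that later block no longer have any effect, so every opening the host needs must now come from `ruleset.nft` itself. A one-line comment above the new lines, such as `# NixOS firewall disabled: all openings (ping, ports) are defined in ./ruleset.nft`, would make that hand-over explicit. The enclosing attribute set starts and ends outside the hunk.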
@@ -0,0 +1,109 @@
+define icmp_protos = { ipv6-icmp, icmp, igmp }
+
+table arp filter {
+ limit lim_arp_local {
+ rate over 50 mbytes/second burst 50 mbytes
+ }
+ limit lim_arp_dsl {
+ rate over 1400 kbytes/second burst 1400 kbytes
+ }
+
+ chain input {
+ type filter hook input priority filter
+ policy accept
+
+ iifname != dsl limit name lim_arp_local counter drop
+ iifname dsl limit name lim_arp_dsl counter drop
+
+ counter
+ }
+
+ chain output {
+ type filter hook output priority filter
+ policy accept
+
+ oifname != dsl limit name lim_arp_local counter drop
+ oifname dsl limit name lim_arp_dsl counter drop
+
+ counter
+ }
+}
+
+table inet filter {
+ limit lim_reject {
+ rate over 1000/second burst 1000 packets
+ }
+
+ limit lim_icmp {
+ rate over 50 mbytes/second burst 50 mbytes
+ }
+
+
+ chain forward {
+ type filter hook forward priority filter
+ policy drop
+
+
+ ct state invalid log prefix "drop invalid forward: " counter drop
+
+
+ iifname lo counter accept
+
+ meta l4proto $icmp_protos limit name lim_icmp counter drop
+ meta l4proto $icmp_protos counter accept
+
+
+ limit name lim_reject log prefix "drop forward: " counter drop
+ log prefix "reject forward: " counter
+ meta l4proto tcp ct state new counter reject with tcp reset
+ ct state new counter reject
+
+
+ counter
+ }
+
+ chain input {
+ type filter hook input priority filter
+ policy drop
+
+
+ ct state invalid log prefix "drop invalid input: " counter drop
+
+
+ iifname lo counter accept
+ iif != lo ip daddr 127.0.0.1/8 counter reject
+ iif != lo ip6 daddr ::1/128 counter reject
+
+ meta l4proto $icmp_protos limit name lim_icmp counter drop
+ meta l4proto $icmp_protos counter accept
+
+ ct state {established, related} counter accept
+
+ tcp dport 22 counter accept
+ meta protocol ip udp dport {51820, 51821} counter accept
+ udp dport 60000-61000 counter accept
+
+
+ limit name lim_reject log prefix "drop input: " counter drop
+ log prefix "reject input: " counter
+ meta l4proto tcp ct state new counter reject with tcp reset
+ ct state new counter reject
+
+
+ counter
+ }
+
+ chain output {
+ type filter hook output priority filter
+ policy accept
+
+
+ oifname lo counter accept
+
+ meta l4proto $icmp_protos limit name lim_icmp counter drop
+ meta l4proto $icmp_protos counter accept
+
+
+ counter
+ }
+}
\ No newline at end of file
--
cgit v1.2.3
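Review bot: Neither of the two logging rules at the tail of `chain input` is rate-limited, and `chain forward` has the same pair: `limit name lim_reject log prefix "drop input: " counter drop` logs every packet once the 1000/s threshold is exceeded, and the unconditional `log prefix "reject input: " counter` logs every packet below it, so an unsolicited flood becomes an unbounded kernel/journal log flood while the packets themselves are handled correctly. A separate named limit for logging keeps the drop/reject decisions unchanged and caps only what reaches the log; the object goes next to `lim_reject` and `lim_icmp`, the `log` statement comes off the two over-rate drop rules (their `counter` still records the volume), and each reject-log line gains `limit name lim_log`, with the matching `"reject forward: "` prefix in the forward chain. As a secondary point, `meta l4proto $icmp_protos counter accept` admits every ICMP, ICMPv6 and IGMP type from any source ahead of the conntrack rule; if that is intended, a comment such as `# all ICMP/ICMPv6/IGMP types are accepted, only rate-limited via lim_icmp` would keep it from being read as an oversight.
```nft
limit lim_log {
 rate 10/second burst 20 packets
}
# … unchanged: lim_reject, lim_icmp, forward chain up to its reject block, input chain up to the udp 60000-61000 accept …
limit name lim_reject counter drop
limit name lim_log log prefix "reject input: "
meta l4proto tcp ct state new counter reject with tcp reset
ct state new counter reject
```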