From ebd289d241a4e87c6e57ee3768d697d610d3699b Mon Sep 17 00:00:00 2001 From: Gregor Kleen Date: Sat, 9 Apr 2022 00:12:45 +0200 Subject: ... --- hosts/surtr/ruleset.nft | 177 +++++++++++++++++++++++++++++++++++------------- 1 file changed, 131 insertions(+), 46 deletions(-) (limited to 'hosts/surtr') diff --git a/hosts/surtr/ruleset.nft b/hosts/surtr/ruleset.nft index b7216948..3701d119 100644 --- a/hosts/surtr/ruleset.nft +++ b/hosts/surtr/ruleset.nft @@ -5,22 +5,28 @@ table arp filter { rate over 50 mbytes/second burst 50 mbytes } + counter arp-rx {} + counter arp-tx {} + + counter arp-ratelimit-rx {} + counter arp-ratelimit-tx {} + chain input { type filter hook input priority filter policy accept - limit name lim_arp counter drop + limit name lim_arp counter name arp-ratelimit-rx drop - counter + counter name arp-rx } chain output { type filter hook output priority filter policy accept - limit name lim_arp counter drop + limit name lim_arp counter name arp-ratelimit-tx drop - counter + counter name arp-tx } } 
@@ -33,36 +39,98 @@ table inet filter { rate over 50 mbytes/second burst 50 mbytes } + counter invalid-fw {} + counter fw-lo {} + counter fw-bifrost {} + counter fw-inet {} + + counter icmp-ratelimit-vpn-fw {} + counter icmp-ratelimit-established-fw {} + counter icmp-ratelimit-inet-fw {} + + counter icmp-vpn-fw {} + counter icmp-established-fw {} + counter icmp-inet-fw {} + + counter reject-ratelimit-fw {} + counter reject-fw {} + counter reject-tcp-fw {} + counter reject-icmp-fw {} + + counter invalid-rx {} + + counter rx-lo {} + counter invalid-local4-rx {} + counter invalid-local6-rx {} + + counter icmp-ratelimit-rx {} + counter icmp-rx {} + + counter ssh-rx {} + counter mosh-rx {} + + counter wg-rx {} + counter yggdrasil-gre-rx {} + + counter dns-rx {} + counter http-rx {} + counter stun-rx {} + counter turn-rx {} + + counter established-rx {} + + counter reject-ratelimit-rx {} + counter reject-rx {} + counter reject-tcp-rx {} + counter reject-icmp-rx {} + + counter drop-rx {} + + counter tx-lo {} + + counter icmp-ratelimit-tx {} + counter icmp-tx {} + + counter ssh-tx {} + counter mosh-tx {} + counter dns-tx {} + counter wg-tx {} + counter yggdrasil-gre-tx {} + counter http-tx {} + counter stun-tx {} + counter turn-tx {} + + counter tx {} chain forward { type filter hook forward priority filter policy drop - ct state invalid log level debug prefix "drop invalid forward: " counter drop + ct state invalid log level debug prefix "drop invalid forward: " counter name invalid-fw drop - iifname lo counter accept + iifname lo counter name fw-lo accept - meta l4proto $icmp_protos iifname {yggdrasil, bifrost} oifname {bifrost, ens3} limit name lim_icmp counter drop - meta l4proto $icmp_protos iifname {yggdrasil, bifrost} oifname {bifrost, ens3} counter accept - meta l4proto $icmp_protos ct state {established, related} limit name lim_icmp counter drop - meta l4proto $icmp_protos ct state {established, related} counter accept - meta l4proto $icmp_protos oifname bifrost 
limit name lim_icmp counter drop - meta l4proto $icmp_protos oifname bifrost counter accept + meta l4proto $icmp_protos iifname {yggdrasil, bifrost} oifname {bifrost, ens3} limit name lim_icmp counter name icmp-ratelimit-vpn-fw drop + meta l4proto $icmp_protos iifname {yggdrasil, bifrost} oifname {bifrost, ens3} counter name icmp-vpn-fw accept + meta l4proto $icmp_protos ct state {established, related} limit name lim_icmp counter name icmp-ratelimit-established-fw drop + meta l4proto $icmp_protos ct state {established, related} counter name icmp-established-fw accept + meta l4proto $icmp_protos oifname bifrost limit name lim_icmp counter name icmp-ratelimit-inet-fw drop + meta l4proto $icmp_protos oifname bifrost counter name icmp-inet-fw accept - oifname bifrost counter accept - iifname bifrost oifname ens3 counter accept + oifname bifrost counter name fw-bifrost accept + iifname bifrost oifname ens3 counter name fw-inet accept - limit name lim_reject log level debug prefix "drop forward: " counter drop - log level debug prefix "reject forward: " counter - meta l4proto tcp ct state new counter reject with tcp reset - ct state new counter reject + limit name lim_reject log level debug prefix "drop forward: " counter name reject-ratelimit-fw drop + log level debug prefix "reject forward: " counter name reject-fw + meta l4proto tcp ct state new counter name reject-tcp-fw reject with tcp reset + ct state new counter name reject-icmp-fw reject - counter + counter name drop-fw } chain input { 
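Review bot: The last rule of the `forward` chain now reads `counter name drop-fw`, but no `counter drop-fw {}` appears among the counters declared at the top of `table inet filter` (the declarations run from `invalid-fw` through `reject-icmp-fw` and then on to the `-rx`/`-tx` names); unless it is declared somewhere outside this hunk, `nft -f` will reject the whole ruleset when it reaches that rule, so a `counter drop-fw {}` line next to `counter reject-icmp-fw {}` is needed. A smaller naming point: the `oifname bifrost` ICMP rules are named `icmp-ratelimit-inet-fw` and `icmp-inet-fw`, while the non-ICMP rule for the same interface is `fw-bifrost` and `fw-inet` is the `iifname bifrost oifname ens3` rule, so "inet" labels two different paths; `icmp-ratelimit-bifrost-fw`/`icmp-bifrost-fw` would keep the names parallel. The `forward` chain starts and ends inside this hunk.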
@@ -70,42 +138,42 @@ table inet filter { policy drop - ct state invalid log level debug prefix "drop invalid input: " counter drop + ct state invalid log level debug prefix "drop invalid input: " counter name invalid-rx drop - iifname lo counter accept - iif != lo ip daddr 127.0.0.1/8 counter reject - iif != lo ip6 daddr ::1/128 counter reject + iifname lo counter name rx-lo accept + iif != lo ip daddr 127.0.0.1/8 counter name invalid-local4-rx reject + iif != lo ip6 daddr ::1/128 counter name invalid-local6-rx reject - meta l4proto $icmp_protos limit name lim_icmp counter drop - meta l4proto $icmp_protos counter accept + meta l4proto $icmp_protos limit name lim_icmp counter name icmp-ratelimit-rx drop + meta l4proto $icmp_protos counter name icmp-rx accept - tcp dport 22 counter accept - udp dport 60001-61000 counter accept + tcp dport 22 counter name ssh-rx accept + udp dport 60001-61000 counter name mosh-rx accept - meta protocol ip udp dport 51820 counter accept - meta protocol ip6 udp dport {51821, 51822} counter accept - iifname "yggdrasil-wg-*" meta l4proto gre counter accept + meta protocol ip udp dport 51820 counter name wg-rx accept + meta protocol ip6 udp dport {51821, 51822} counter name wg-rx accept + iifname "yggdrasil-wg-*" meta l4proto gre counter name yggdrasil-gre-rx accept - tcp dport 53 counter accept - udp dport 53 counter accept + tcp dport 53 counter name dns-rx accept + udp dport 53 counter name dns-rx accept - tcp dport {80, 443, 8448} counter accept + tcp dport {80, 443, 8448} counter name http-rx accept - tcp dport {3478, 5349} counter accept - udp dport {3478, 5349} counter accept - udp dport 49000-50000 counter accept + tcp dport {3478, 5349} counter name stun-rx accept + udp dport {3478, 5349} counter name stun-rx accept + udp dport 49000-50000 counter name turn-rx accept - ct state {established, related} counter accept + ct state {established, related} counter name established-rx accept - limit name lim_reject log level debug prefix 
"drop input: " counter drop - log level debug prefix "reject input: " counter - meta l4proto tcp ct state new counter reject with tcp reset - ct state new counter reject + limit name lim_reject log level debug prefix "drop input: " counter name reject-ratelimit-rx drop + log level debug prefix "reject input: " counter name reject-rx + meta l4proto tcp ct state new counter name reject-tcp-rx reject with tcp reset + ct state new counter name reject-icmp-rx reject - counter + counter name drop-rx } chain output { @@ -113,12 +181,29 @@ table inet filter { policy accept - oifname lo counter accept + oifname lo counter name tx-lo accept + + meta l4proto $icmp_protos limit name lim_icmp counter name icmp-ratelimit-tx drop + meta l4proto $icmp_protos counter name icmp-tx accept + + + tcp sport 22 counter name ssh-tx + udp sport 60001-61000 counter name mosh-tx + + tcp sport 53 counter name dns-tx + udp sport 53 counter name dns-tx + + meta protocol ip udp sport 51820 counter name wg-tx + meta protocol ip6 udp sport {51821, 51822} counter name wg-tx + iifname "yggdrasil-wg-*" meta l4proto gre counter name yggdrasil-gre-tx + + tcp sport {80,443,8448} counter name http-tx accept - meta l4proto $icmp_protos limit name lim_icmp counter drop - meta l4proto $icmp_protos counter accept + tcp sport {3478, 5349} counter name stun-tx accept + udp sport {3478, 5349} counter name stun-tx accept + udp sport 49000-50000 counter name turn-tx accept - counter + counter name tx } } \ No newline at end of file -- cgit v1.2.3
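Review bot: The new `iifname "yggdrasil-wg-*" meta l4proto gre counter name yggdrasil-gre-tx` rule sits in the `output` chain, where a locally generated packet has no ingress interface, so as written the rule should never match and the counter will stay at zero; it looks copied from the input chain and presumably wants `oifname "yggdrasil-wg-*"` to count outbound GRE to those tunnels. Relatedly, the ssh/mosh/dns/wg/gre rules only count and fall through to the final `counter name tx`, whereas the http/stun/turn rules `accept` and bypass it, so `tx` ends up counting a mixed subset (everything except web/STUN/TURN replies) rather than either all egress or only unclassified egress; giving every service rule the same verdict treatment would make `tx` meaningful. Two style nits: `{80,443,8448}` drops the spaces the input chain uses in `{80, 443, 8448}`, and three consecutive blank lines are added after `icmp-tx accept`. The `chain output {` header itself lies outside this hunk (it is the last context line of the preceding one).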