From e1483ff2214541c2ad3f2f99770ed41544bb8721 Mon Sep 17 00:00:00 2001 From: Gregor Kleen Date: Fri, 31 Dec 2021 16:42:52 +0100 Subject: vidhar: ... --- hosts/vidhar/network/ruleset.nft | 159 +++++++++++++++++++++++++++++++++++++++ 1 file changed, 159 insertions(+) create mode 100644 hosts/vidhar/network/ruleset.nft (limited to 'hosts/vidhar/network/ruleset.nft') diff --git a/hosts/vidhar/network/ruleset.nft b/hosts/vidhar/network/ruleset.nft new file mode 100644 index 00000000..57ac2716 --- /dev/null +++ b/hosts/vidhar/network/ruleset.nft @@ -0,0 +1,159 @@ +define icmp_protos = { ipv6-icmp, icmp, igmp } + +table arp filter { + limit lim_arp_local { + rate over 50 mbytes/second burst 50 mbytes + } + limit lim_arp_dsl { + rate over 1400 kbytes/second burst 1400 kbytes + } + + chain input { + type filter hook input priority filter + policy accept + + iifname != dsl limit name lim_arp_local counter drop + iifname dsl limit name lim_arp_dsl counter drop + + counter + } + + chain output { + type filter hook output priority filter + policy accept + + oifname != dsl limit name lim_arp_local counter drop + oifname dsl limit name lim_arp_dsl counter drop + + counter + } +} + +table inet filter { + limit lim_reject { + rate over 1000/second burst 1000 packets + } + + limit lim_icmp_local { + rate over 50 mbytes/second burst 50 mbytes + } + limit lim_icmp_dsl { + rate over 1400 kbytes/second burst 1400 kbytes + } + + + chain forward_icmp_accept { + oifname dsl limit name lim_icmp_dsl counter drop + iifname dsl limit name lim_icmp_dsl counter drop + oifname != dsl limit name lim_icmp_local counter drop + iifname != dsl limit name lim_icmp_local counter drop + counter accept + } + chain forward { + type filter hook forward priority filter + policy drop + + + ct state invalid log prefix "drop invalid forward: " counter drop + + + iifname lo counter accept + + oifname {lan, dsl} meta l4proto $icmp_protos jump forward_icmp_accept + + iifname lan oifname dsl counter accept + iifname dsl oifname lan ct state {established, related} counter accept + + + + limit name lim_reject log prefix "drop forward: " counter drop + log prefix "reject forward: " counter + meta l4proto tcp ct state new counter reject with tcp reset + ct state new counter reject + + + counter + } + + chain input { + type filter hook input priority filter + policy drop + + + ct state invalid log prefix "drop invalid input: " counter drop + + + iifname lo counter accept + iif != lo ip daddr 127.0.0.1/8 counter reject + iif != lo ip6 daddr ::1/128 counter reject + + iifname dsl meta l4proto $icmp_protos limit name lim_icmp_dsl counter drop + iifname != dsl meta l4proto $icmp_protos limit name lim_icmp_local counter drop + meta l4proto $icmp_protos counter accept + + tcp dport 22 counter accept + udp dport 60001-61000 counter accept + + iifname lan tcp dport 53 counter accept + iifname lan udp dport 53 counter accept + + meta protocol ip udp dport 51820 counter accept + meta protocol ip6 udp dport 51821 counter accept + iifname "yggdrasil-wg-*" meta l4proto gre counter accept + + iifname dsl meta protocol ip6 udp dport 546 udp sport 547 counter accept + + iifname mgmt udp dport 123 counter accept + + iifname {lan, mgmt} udp dport 67 counter accept + + iifname lan udp dport { 137, 138, 3702 } counter accept + iifname lan tcp dport { 445, 139, 5357 } counter accept + + ct state {established, related} counter accept + + + limit name lim_reject log prefix "drop input: " counter drop + log prefix "reject input: " counter + meta l4proto tcp ct state new counter reject with tcp reset + ct state new counter reject + + + counter + } + + chain output { + type filter hook output priority filter + policy accept + + + oifname lo counter accept + + oifname dsl meta l4proto $icmp_protos limit name lim_icmp_dsl counter drop + oifname != dsl meta l4proto $icmp_protos limit name lim_icmp_local counter drop + meta l4proto $icmp_protos counter accept + + + counter + } +} + +table ip nat { + chain postrouting { + type nat hook postrouting priority srcnat + policy accept + + + oifname dsl counter masquerade + } +} + +table ip mss_clamp { + chain postrouting { + type filter hook postrouting priority mangle + policy accept + + + oifname dsl tcp flags & (syn|rst) == syn counter tcp option maxseg size set rt mtu + } +} \ No newline at end of file -- cgit v1.2.3