From e1483ff2214541c2ad3f2f99770ed41544bb8721 Mon Sep 17 00:00:00 2001
From: Gregor Kleen <gkleen@yggdrasil.li>
Date: Fri, 31 Dec 2021 16:42:52 +0100
Subject: vidhar: ...

---
 hosts/vidhar/network/ruleset.nft | 159 +++++++++++++++++++++++++++++++++++++++
 1 file changed, 159 insertions(+)
 create mode 100644 hosts/vidhar/network/ruleset.nft


diff --git a/hosts/vidhar/network/ruleset.nft b/hosts/vidhar/network/ruleset.nft
new file mode 100644
index 00000000..57ac2716
--- /dev/null
+++ b/hosts/vidhar/network/ruleset.nft
@@ -0,0 +1,159 @@
+define icmp_protos = { ipv6-icmp, icmp, igmp }
+
+table arp filter {
+  limit lim_arp_local {
+    rate over 50 mbytes/second burst 50 mbytes
+  }
+  limit lim_arp_dsl {
+    rate over 1400 kbytes/second burst 1400 kbytes
+  }
+
+  chain input {
+    type filter hook input priority filter
+    policy accept
+
+    iifname != dsl limit name lim_arp_local counter drop
+    iifname dsl limit name lim_arp_dsl counter drop
+
+    counter
+  }
+
+  chain output {
+    type filter hook output priority filter
+    policy accept
+
+    oifname != dsl limit name lim_arp_local counter drop
+    oifname dsl limit name lim_arp_dsl counter drop
+
+    counter
+  }
+}
+
+table inet filter {
+  limit lim_reject {
+    rate over 1000/second burst 1000 packets
+  }
+
+  limit lim_icmp_local {
+    rate over 50 mbytes/second burst 50 mbytes
+  }
+  limit lim_icmp_dsl {
+    rate over 1400 kbytes/second burst 1400 kbytes
+  }
+
+
+  chain forward_icmp_accept {
+    oifname dsl limit name lim_icmp_dsl counter drop
+    iifname dsl limit name lim_icmp_dsl counter drop
+    oifname != dsl limit name lim_icmp_local counter drop
+    iifname != dsl limit name lim_icmp_local counter drop
+    counter accept
+  }
+  chain forward {
+    type filter hook forward priority filter
+    policy drop
+
+
+    ct state invalid log prefix "drop invalid forward: " counter drop
+
+
+    iifname lo counter accept
+
+    oifname {lan, dsl} meta l4proto $icmp_protos jump forward_icmp_accept
+
+    iifname lan oifname dsl counter accept
+    iifname dsl oifname lan ct state {established, related} counter accept
+
+
+
+    limit name lim_reject log prefix "drop forward: " counter drop
+    log prefix "reject forward: " counter
+    meta l4proto tcp ct state new counter reject with tcp reset
+    ct state new counter reject
+
+
+    counter
+  }
+
+  chain input {
+    type filter hook input priority filter
+    policy drop
+
+
+    ct state invalid log prefix "drop invalid input: " counter drop
+    
+
+    iifname lo counter accept
+    iif != lo ip daddr 127.0.0.1/8 counter reject
+    iif != lo ip6 daddr ::1/128 counter reject
+
+    iifname dsl meta l4proto $icmp_protos limit name lim_icmp_dsl counter drop
+    iifname != dsl meta l4proto $icmp_protos limit name lim_icmp_local counter drop
+    meta l4proto $icmp_protos counter accept
+
+    tcp dport 22 counter accept
+    udp dport 60001-61000 counter accept
+
+    iifname lan tcp dport 53 counter accept
+    iifname lan udp dport 53 counter accept
+
+    meta protocol ip udp dport 51820 counter accept
+    meta protocol ip6 udp dport 51821 counter accept
+    iifname "yggdrasil-wg-*" meta l4proto gre counter accept
+
+    iifname dsl meta protocol ip6 udp dport 546 udp sport 547 counter accept
+
+    iifname mgmt udp dport 123 counter accept
+
+    iifname {lan, mgmt} udp dport 67 counter accept
+
+    iifname lan udp dport { 137, 138, 3702 } counter accept
+    iifname lan tcp dport { 445, 139, 5357 } counter accept
+
+    ct state {established, related} counter accept
+
+
+    limit name lim_reject log prefix "drop input: " counter drop
+    log prefix "reject input: " counter
+    meta l4proto tcp ct state new counter reject with tcp reset
+    ct state new counter reject
+
+
+    counter
+  }
+
+  chain output {
+    type filter hook output priority filter
+    policy accept
+
+
+    oifname lo counter accept
+
+    oifname dsl meta l4proto $icmp_protos limit name lim_icmp_dsl counter drop
+    oifname != dsl meta l4proto $icmp_protos limit name lim_icmp_local counter drop
+    meta l4proto $icmp_protos counter accept
+
+
+    counter
+  }
+}
+
+table ip nat {
+  chain postrouting {
+    type nat hook postrouting priority srcnat
+    policy accept
+
+
+    oifname dsl counter masquerade
+  }
+}
+
+table ip mss_clamp {
+  chain postrouting {
+    type filter hook postrouting priority mangle
+    policy accept
+
+
+    oifname dsl tcp flags & (syn|rst) == syn counter tcp option maxseg size set rt mtu
+  }
+}
\ No newline at end of file
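Review bot: In the `forward` chain the rule `oifname {lan, dsl} meta l4proto $icmp_protos jump forward_icmp_accept` is evaluated before `iifname dsl oifname lan ct state {established, related} counter accept`, so ICMP, ICMPv6 and IGMP arriving on dsl and routed towards lan is forwarded regardless of connection state, bounded only by the byte-rate limit in `forward_icmp_accept`. For IPv4 the masquerade in `table ip nat` presumably keeps lan hosts unreachable unless they are publicly routed, but nothing here translates IPv6, so lan hosts would answer unsolicited ICMPv6 such as echo-request from the WAN; whether that is intended should be recorded, e.g. `# ICMP is forwarded in both directions without a ct state check; IPv6 lan hosts are reachable for ICMPv6 from dsl`. If it is not intended, splitting the rule by direction should keep error and PMTU messages flowing via conntrack while dropping the rest: `iifname lan oifname dsl meta l4proto $icmp_protos jump forward_icmp_accept` and `iifname dsl oifname lan meta l4proto $icmp_protos ct state {established, related} jump forward_icmp_accept`. Separately, the `limit name lim_reject log prefix "drop forward: " counter drop` and `limit name lim_reject log prefix "drop input: " counter drop` rules cap only the rejects, since the over-limit branch still logs every packet, so a flood fills the kernel log unless that `log` gets its own `limit rate`.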