From e1483ff2214541c2ad3f2f99770ed41544bb8721 Mon Sep 17 00:00:00 2001 From: Gregor Kleen Date: Fri, 31 Dec 2021 16:42:52 +0100 Subject: vidhar: ... --- hosts/vidhar/network/ruleset.nft | 159 +++++++++++++++++++++++++++++++++++++++ hosts/vidhar/ruleset.nft | 159 --------------------------------------- 2 files changed, 159 insertions(+), 159 deletions(-) create mode 100644 hosts/vidhar/network/ruleset.nft delete mode 100644 hosts/vidhar/ruleset.nft (limited to 'hosts') diff --git a/hosts/vidhar/network/ruleset.nft b/hosts/vidhar/network/ruleset.nft new file mode 100644 index 00000000..57ac2716 --- /dev/null +++ b/hosts/vidhar/network/ruleset.nft @@ -0,0 +1,159 @@ +define icmp_protos = { ipv6-icmp, icmp, igmp } + +table arp filter { + limit lim_arp_local { + rate over 50 mbytes/second burst 50 mbytes + } + limit lim_arp_dsl { + rate over 1400 kbytes/second burst 1400 kbytes + } + + chain input { + type filter hook input priority filter + policy accept + + iifname != dsl limit name lim_arp_local counter drop + iifname dsl limit name lim_arp_dsl counter drop + + counter + } + + chain output { + type filter hook output priority filter + policy accept + + oifname != dsl limit name lim_arp_local counter drop + oifname dsl limit name lim_arp_dsl counter drop + + counter + } +} + +table inet filter { + limit lim_reject { + rate over 1000/second burst 1000 packets + } + + limit lim_icmp_local { + rate over 50 mbytes/second burst 50 mbytes + } + limit lim_icmp_dsl { + rate over 1400 kbytes/second burst 1400 kbytes + } + + + chain forward_icmp_accept { + oifname dsl limit name lim_icmp_dsl counter drop + iifname dsl limit name lim_icmp_dsl counter drop + oifname != dsl limit name lim_icmp_local counter drop + iifname != dsl limit name lim_icmp_local counter drop + counter accept + } + chain forward { + type filter hook forward priority filter + policy drop + + + ct state invalid log prefix "drop invalid forward: " counter drop + + + iifname lo counter accept + + oifname {lan, dsl} meta l4proto $icmp_protos jump forward_icmp_accept + + iifname lan oifname dsl counter accept + iifname dsl oifname lan ct state {established, related} counter accept + + + + limit name lim_reject log prefix "drop forward: " counter drop + log prefix "reject forward: " counter + meta l4proto tcp ct state new counter reject with tcp reset + ct state new counter reject + + + counter + } + + chain input { + type filter hook input priority filter + policy drop + + + ct state invalid log prefix "drop invalid input: " counter drop + + + iifname lo counter accept + iif != lo ip daddr 127.0.0.1/8 counter reject + iif != lo ip6 daddr ::1/128 counter reject + + iifname dsl meta l4proto $icmp_protos limit name lim_icmp_dsl counter drop + iifname != dsl meta l4proto $icmp_protos limit name lim_icmp_local counter drop + meta l4proto $icmp_protos counter accept + + tcp dport 22 counter accept + udp dport 60001-61000 counter accept + + iifname lan tcp dport 53 counter accept + iifname lan udp dport 53 counter accept + + meta protocol ip udp dport 51820 counter accept + meta protocol ip6 udp dport 51821 counter accept + iifname "yggdrasil-wg-*" meta l4proto gre counter accept + + iifname dsl meta protocol ip6 udp dport 546 udp sport 547 counter accept + + iifname mgmt udp dport 123 counter accept + + iifname {lan, mgmt} udp dport 67 counter accept + + iifname lan udp dport { 137, 138, 3702 } counter accept + iifname lan tcp dport { 445, 139, 5357 } counter accept + + ct state {established, related} counter accept + + + limit name lim_reject log prefix "drop input: " counter drop + log prefix "reject input: " counter + meta l4proto tcp ct state new counter reject with tcp reset + ct state new counter reject + + + counter + } + + chain output { + type filter hook output priority filter + policy accept + + + oifname lo counter accept + + oifname dsl meta l4proto $icmp_protos limit name lim_icmp_dsl counter drop + oifname != dsl meta l4proto $icmp_protos limit name lim_icmp_local counter drop + meta l4proto $icmp_protos counter accept + + + counter + } +} + +table ip nat { + chain postrouting { + type nat hook postrouting priority srcnat + policy accept + + + oifname dsl counter masquerade + } +} + +table ip mss_clamp { + chain postrouting { + type filter hook postrouting priority mangle + policy accept + + + oifname dsl tcp flags & (syn|rst) == syn counter tcp option maxseg size set rt mtu + } +} \ No newline at end of file diff --git a/hosts/vidhar/ruleset.nft b/hosts/vidhar/ruleset.nft deleted file mode 100644 index 57ac2716..00000000 --- a/hosts/vidhar/ruleset.nft +++ /dev/null @@ -1,159 +0,0 @@ -define icmp_protos = { ipv6-icmp, icmp, igmp } - -table arp filter { - limit lim_arp_local { - rate over 50 mbytes/second burst 50 mbytes - } - limit lim_arp_dsl { - rate over 1400 kbytes/second burst 1400 kbytes - } - - chain input { - type filter hook input priority filter - policy accept - - iifname != dsl limit name lim_arp_local counter drop - iifname dsl limit name lim_arp_dsl counter drop - - counter - } - - chain output { - type filter hook output priority filter - policy accept - - oifname != dsl limit name lim_arp_local counter drop - oifname dsl limit name lim_arp_dsl counter drop - - counter - } -} - -table inet filter { - limit lim_reject { - rate over 1000/second burst 1000 packets - } - - limit lim_icmp_local { - rate over 50 mbytes/second burst 50 mbytes - } - limit lim_icmp_dsl { - rate over 1400 kbytes/second burst 1400 kbytes - } - - - chain forward_icmp_accept { - oifname dsl limit name lim_icmp_dsl counter drop - iifname dsl limit name lim_icmp_dsl counter drop - oifname != dsl limit name lim_icmp_local counter drop - iifname != dsl limit name lim_icmp_local counter drop - counter accept - } - chain forward { - type filter hook forward priority filter - policy drop - - - ct state invalid log prefix "drop invalid forward: " counter drop - - - iifname lo counter accept - - oifname {lan, dsl} meta l4proto $icmp_protos jump forward_icmp_accept - - iifname lan oifname dsl counter accept - iifname dsl oifname lan ct state {established, related} counter accept - - - - limit name lim_reject log prefix "drop forward: " counter drop - log prefix "reject forward: " counter - meta l4proto tcp ct state new counter reject with tcp reset - ct state new counter reject - - - counter - } - - chain input { - type filter hook input priority filter - policy drop - - - ct state invalid log prefix "drop invalid input: " counter drop - - - iifname lo counter accept - iif != lo ip daddr 127.0.0.1/8 counter reject - iif != lo ip6 daddr ::1/128 counter reject - - iifname dsl meta l4proto $icmp_protos limit name lim_icmp_dsl counter drop - iifname != dsl meta l4proto $icmp_protos limit name lim_icmp_local counter drop - meta l4proto $icmp_protos counter accept - - tcp dport 22 counter accept - udp dport 60001-61000 counter accept - - iifname lan tcp dport 53 counter accept - iifname lan udp dport 53 counter accept - - meta protocol ip udp dport 51820 counter accept - meta protocol ip6 udp dport 51821 counter accept - iifname "yggdrasil-wg-*" meta l4proto gre counter accept - - iifname dsl meta protocol ip6 udp dport 546 udp sport 547 counter accept - - iifname mgmt udp dport 123 counter accept - - iifname {lan, mgmt} udp dport 67 counter accept - - iifname lan udp dport { 137, 138, 3702 } counter accept - iifname lan tcp dport { 445, 139, 5357 } counter accept - - ct state {established, related} counter accept - - - limit name lim_reject log prefix "drop input: " counter drop - log prefix "reject input: " counter - meta l4proto tcp ct state new counter reject with tcp reset - ct state new counter reject - - - counter - } - - chain output { - type filter hook output priority filter - policy accept - - - oifname lo counter accept - - oifname dsl meta l4proto $icmp_protos limit name lim_icmp_dsl counter drop - oifname != dsl meta l4proto $icmp_protos limit name lim_icmp_local counter drop - meta l4proto $icmp_protos counter accept - - - counter - } -} - -table ip nat { - chain postrouting { - type nat hook postrouting priority srcnat - policy accept - - - oifname dsl counter masquerade - } -} - -table ip mss_clamp { - chain postrouting { - type filter hook postrouting priority mangle - policy accept - - - oifname dsl tcp flags & (syn|rst) == syn counter tcp option maxseg size set rt mtu - } -} \ No newline at end of file -- cgit v1.2.3