# Router/host ruleset (nftables): stateful filtering with policy drop on the
# input and forward hooks, shared ICMP/IGMP rate limits, IPv4 masquerade out of
# "dsl", and TCP MSS clamping towards "dsl".
# "dsl" is the masquerade egress below, so it is presumably the upstream/WAN
# link; "eno1" is forwarded towards it, so presumably the local LAN — confirm
# against the host's interface layout.
# Rule order is significant within each chain: the first terminal verdict
# (accept/drop/reject) that matches wins, the rest of the chain is not consulted.

# L4 protocols that get the rate-limit-then-accept treatment in every chain.
define icmp_protos = { ipv6-icmp, icmp, igmp }

table inet filter {
	# Named, stateful limits. "rate over" inverts the match: the expression
	# matches only once the rate is exceeded, so "limit name X ... drop" sheds
	# the excess. A named limit is ONE bucket shared by every rule that
	# references it, across all chains of this table.
	limit lim_reject { rate over 1000/second burst 1000 packets }
	limit lim_icmp_local { rate over 50 mbytes/second burst 50 mbytes }
	limit lim_icmp_dsl { rate over 1400 kbytes/second burst 1400 kbytes }

	chain forward {
		type filter hook forward priority filter
		policy drop
		# Conntrack-invalid packets are logged and dropped before anything else.
		ct state invalid log prefix "drop invalid forward: " counter drop
		iifname lo counter accept
		# ICMP/IGMP shedding: each packet is checked against the bucket for its
		# egress side, then its ingress side. "dsl" uses the small bucket
		# (lim_icmp_dsl), every other interface the large one (lim_icmp_local).
		oifname != dsl meta l4proto $icmp_protos limit name lim_icmp_local counter drop
		oifname dsl meta l4proto $icmp_protos limit name lim_icmp_dsl counter drop
		iifname != dsl meta l4proto $icmp_protos limit name lim_icmp_local counter drop
		iifname dsl meta l4proto $icmp_protos limit name lim_icmp_dsl counter drop
		# ICMP/IGMP that survived the limits is forwarded in every direction,
		# independent of conntrack state (i.e. also new inbound from dsl).
		meta l4proto $icmp_protos counter accept
		# eno1 -> dsl: anything, new or not. dsl -> eno1: only packets that
		# conntrack already attributes to a known (or related) flow.
		iifname eno1 oifname dsl counter accept
		iifname dsl oifname eno1 ct state {established, related} counter accept
		# Tail: above the shared lim_reject rate, log "drop forward:" and drop;
		# below it, log "reject forward:" and reject new flows — TCP with a
		# reset, everything else with the default ICMP error. Packets in other
		# conntrack states reach the final counter and the chain policy (drop).
		limit name lim_reject log prefix "drop forward: " counter drop
		log prefix "reject forward: " counter
		meta l4proto tcp ct state new counter reject with tcp reset
		ct state new counter reject
		counter
	}

	chain input {
		type filter hook input priority filter
		policy drop
		ct state invalid log prefix "drop invalid input: " counter drop
		iifname lo counter accept
		# Loopback destination addresses arriving on any interface other than
		# lo are rejected (anti-spoofing for 127/8 and ::1).
		iif != lo ip daddr 127.0.0.1/8 counter reject
		iif != lo ip6 daddr ::1/128 counter reject
		# ICMP/IGMP shedding by ingress interface (same shared buckets as
		# chain forward), then unconditional accept of what is left.
		iifname dsl meta l4proto $icmp_protos limit name lim_icmp_dsl counter drop
		iifname != dsl meta l4proto $icmp_protos limit name lim_icmp_local counter drop
		meta l4proto $icmp_protos counter accept
		ct state {established, related} counter accept
		# Locally offered services. None of the three rules below is restricted
		# by ingress interface, so the ports are reachable from dsl as well as
		# from eno1; add `iifname != dsl` to any of them that should not be
		# exposed upstream.
		#   22/tcp           SSH
		#   51820/udp        IPv4 only (presumably WireGuard — confirm)
		#   60000-61000/udp  presumably mosh — confirm
		tcp dport 22 counter accept
		meta protocol ip udp dport 51820 counter accept
		udp dport 60000-61000 counter accept
		# DHCPv6 on dsl: server port 547 -> client port 546. Needed explicitly
		# because these replies are not reliably matched as established.
		iifname dsl meta protocol ip6 udp dport 546 udp sport 547 counter accept
		# Same log / drop-or-reject tail as chain forward, sharing lim_reject.
		limit name lim_reject log prefix "drop input: " counter drop
		log prefix "reject input: " counter
		meta l4proto tcp ct state new counter reject with tcp reset
		ct state new counter reject
		counter
	}

	chain output {
		type filter hook output priority filter
		policy accept
		oifname lo counter accept
		# Outbound ICMP/IGMP is shed with the same shared buckets by egress
		# interface. Nothing else is filtered here (policy accept); the final
		# counter only totals the remaining traffic.
		oifname != dsl meta l4proto $icmp_protos limit name lim_icmp_local counter drop
		oifname dsl meta l4proto $icmp_protos limit name lim_icmp_dsl counter drop
		meta l4proto $icmp_protos counter accept
		counter
	}
}

table ip nat {
	chain postrouting {
		type nat hook postrouting priority srcnat
		policy accept
		# IPv4 source NAT behind the dsl address. This table is family ip, so
		# IPv6 is not translated and leaves with its own addresses.
		oifname dsl counter masquerade
		counter
	}
}

table inet mangle {
	chain postrouting {
		type filter hook postrouting priority mangle
		policy accept
		# Clamp the TCP MSS option to the route MTU on SYN segments leaving via
		# dsl. The mask is (syn|rst), so SYN-ACKs match as well. Only the egress
		# direction is clamped: the MSS advertised in a remote peer's inbound
		# SYN (iifname dsl) is passed through unchanged, so LAN hosts rely on
		# path-MTU discovery for that direction.
		oifname dsl meta l4proto tcp tcp flags & (syn|rst) == syn counter tcp option maxseg size set rt mtu
		counter
	}
}