# Transport protocols treated as "ICMP-class" traffic by the rate limits and
# accept rules below (the set is unordered, so element order is cosmetic).
define icmp_protos = { icmp, ipv6-icmp, igmp }
# ARP policing only: cap the ARP byte rate per interface class so a broadcast
# storm on the LAN side or a flood on the uplink cannot saturate the host.
# Nothing here restricts WHO may speak ARP; both chains fall through to accept.
table arp filter {
	limit lim_arp_local {
		rate over 50 mbytes/second burst 50 mbytes
	}
	limit lim_arp_dsl {
		rate over 1400 kbytes/second burst 1400 kbytes
	}

	chain input {
		type filter hook input priority filter; policy accept;

		# Over-budget ARP is dropped; whatever fits is counted and accepted.
		iifname != "dsl" limit name "lim_arp_local" counter drop
		iifname "dsl" limit name "lim_arp_dsl" counter drop
		counter
	}

	chain output {
		type filter hook output priority filter; policy accept;

		# Same budgets applied to ARP we emit ourselves.
		oifname != "dsl" limit name "lim_arp_local" counter drop
		oifname "dsl" limit name "lim_arp_dsl" counter drop
		counter
	}
}
# Main IPv4+IPv6 packet filter. Default-deny on input and forward; output is
# open apart from ICMP rate limiting. Interface roles as they appear to be
# used below (inferred from the rules, confirm against the host): dsl = uplink,
# eno1 = LAN, mgmt = management network, "yggdrasil-wg-*" = tunnel interfaces.
table inet filter {
# Above this rate the final reject rules are replaced by a silent drop, so a
# flood cannot turn the firewall into a log/reject amplifier.
limit lim_reject {
rate over 1000/second burst 1000 packets
}
# ICMP-class byte budget for every non-uplink interface.
limit lim_icmp_local {
rate over 50 mbytes/second burst 50 mbytes
}
# ICMP-class byte budget for the uplink.
limit lim_icmp_dsl {
rate over 1400 kbytes/second burst 1400 kbytes
}
# Rate-limited accept for forwarded ICMP-class traffic. Each packet is charged
# to the budget of its ingress AND its egress interface; anything that fits is
# accepted regardless of direction or conntrack state (see the caller).
chain forward_icmp_accept {
oifname dsl limit name lim_icmp_dsl counter drop
iifname dsl limit name lim_icmp_dsl counter drop
oifname != dsl limit name lim_icmp_local counter drop
iifname != dsl limit name lim_icmp_local counter drop
counter accept
}
chain forward {
type filter hook forward priority filter
policy drop
ct state invalid log prefix "drop invalid forward: " counter drop
iifname lo counter accept
# NOTE(review): this jump sits before the dsl->eno1 established/related rule,
# so unsolicited ICMP/ICMPv6/IGMP of ANY type arriving on dsl is forwarded into
# eno1 subject only to the rate limit (in practice reachable for routed/IPv6
# addresses; IPv4 behind the masquerade has no DNAT target). Confirm that is
# intended; per-type ICMPv6 filtering (RFC 4890 style) would be the usual
# tightening.
oifname {eno1, dsl} meta l4proto $icmp_protos jump forward_icmp_accept
# LAN -> uplink: anything. Uplink -> LAN: replies to existing flows only.
# No other interface pair (mgmt, tunnel interfaces) is forwarded.
iifname eno1 oifname dsl counter accept
iifname dsl oifname eno1 ct state {established, related} counter accept
# Tail: silent drop while over lim_reject, otherwise log and reject new flows
# (TCP RST for TCP, the default ICMP error otherwise). Anything left over,
# e.g. non-new packets of unknown flows, falls to the chain policy (drop).
limit name lim_reject log prefix "drop forward: " counter drop
log prefix "reject forward: " counter
meta l4proto tcp ct state new counter reject with tcp reset
ct state new counter reject
counter
}
chain input {
type filter hook input priority filter
policy drop
ct state invalid log prefix "drop invalid input: " counter drop
iifname lo counter accept
# Loopback destinations must never arrive on a real interface (note: iif, not
# iifname, so "lo" is resolved to its ifindex when the ruleset is loaded).
iif != lo ip daddr 127.0.0.1/8 counter reject
iif != lo ip6 daddr ::1/128 counter reject
# ICMP-class traffic: rate-limited per interface class, then accepted for every
# type on every interface, including the uplink.
iifname dsl meta l4proto $icmp_protos limit name lim_icmp_dsl counter drop
iifname != dsl meta l4proto $icmp_protos limit name lim_icmp_local counter drop
meta l4proto $icmp_protos counter accept
# Services. Rules without an iifname match are reachable from EVERY interface,
# the uplink included: 22 (SSH) and 60001-61000 (presumably mosh).
# NOTE(review): confirm SSH exposure on dsl is intended; otherwise restrict
# with `iifname != dsl` (and keep password auth off on the daemon either way).
tcp dport 22 counter accept
udp dport 60001-61000 counter accept
# DNS served to the LAN only.
iifname eno1 tcp dport 53 counter accept
iifname eno1 udp dport 53 counter accept
# Tunnel endpoints on any interface: UDP 51820 for IPv4 and 51821 for IPv6
# (presumably WireGuard), plus GRE arriving over the "yggdrasil-wg-*" links.
meta protocol ip udp dport 51820 counter accept
meta protocol ip6 udp dport 51821 counter accept
iifname "yggdrasil-wg-*" meta l4proto gre counter accept
# DHCPv6 client replies from the uplink (server port 547 -> client port 546).
iifname dsl meta protocol ip6 udp dport 546 udp sport 547 counter accept
# NTP from the management network; DHCPv4 server on LAN and management.
iifname mgmt udp dport 123 counter accept
iifname {eno1, mgmt} udp dport 67 counter accept
# NetBIOS / WS-Discovery (UDP) and SMB / WSD (TCP) from the LAN only.
iifname eno1 udp dport { 137, 138, 3702 } counter accept
iifname eno1 tcp dport { 445, 139, 5357 } counter accept
# Replies to flows we initiated. Placed after the service rules, so packets of
# established flows are evaluated against all of the above first (correct,
# just not the cheapest ordering).
ct state {established, related} counter accept
# Same tail as forward: silent drop while over lim_reject, else log + reject.
limit name lim_reject log prefix "drop input: " counter drop
log prefix "reject input: " counter
meta l4proto tcp ct state new counter reject with tcp reset
ct state new counter reject
counter
}
chain output {
type filter hook output priority filter
policy accept
oifname lo counter accept
# Outbound ICMP-class traffic gets the same per-interface budgets as inbound;
# everything else leaves unfiltered (policy accept).
oifname dsl meta l4proto $icmp_protos limit name lim_icmp_dsl counter drop
oifname != dsl meta l4proto $icmp_protos limit name lim_icmp_local counter drop
meta l4proto $icmp_protos counter accept
counter
}
}
# IPv4 source NAT: everything leaving through the uplink is masqueraded behind
# the uplink's address. Table family is "ip", so IPv6 is not translated here.
# NOTE(review): there is no ingress anti-spoofing for private source ranges on
# dsl in this ruleset; if rp_filter is not enabled on the host, consider adding it.
table ip nat {
	chain postrouting {
		type nat hook postrouting priority srcnat; policy accept;

		oifname "dsl" counter masquerade
	}
}
# TCP MSS clamping for the uplink. Pure SYNs (SYN set, RST clear) leaving via
# dsl get their MSS option capped to the route MTU, which avoids PMTU blackholes
# on a reduced-MTU link. Table family is "ip", so IPv6 TCP is not clamped —
# NOTE(review): if dsl is PPPoE and IPv6 is routed over it, an "inet" table
# would cover both families.
table ip mss_clamp {
	chain postrouting {
		type filter hook postrouting priority mangle; policy accept;

		oifname "dsl" tcp flags & (syn|rst) == syn counter tcp option maxseg size set rt mtu
	}
}