summaryrefslogtreecommitdiff
path: root/hosts/vidhar/ruleset.nft
blob: 0db774cb3eb1e2c41d4399b09c49ed082e2c3e44 (plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
define icmp_protos = { ipv6-icmp, icmp, igmp }

table arp filter {
  limit lim_arp_local {
    rate over 50 mbytes/second burst 50 mbytes
  }
  limit lim_arp_dsl {
    rate over 1400 kbytes/second burst 1400 kbytes
  }

  chain input {
    type filter hook input priority filter
    policy accept

    iifname != dsl limit name lim_arp_local counter drop
    iifname dsl limit name lim_arp_dsl counter drop

    counter
  }

  chain output {
    type filter hook output priority filter
    policy accept

    oifname != dsl limit name lim_arp_local counter drop
    oifname dsl limit name lim_arp_dsl counter drop

    counter
  }
}

table inet filter {
  limit lim_reject {
    rate over 1000/second burst 1000 packets
  }

  limit lim_icmp_local {
    rate over 50 mbytes/second burst 50 mbytes
  }
  limit lim_icmp_dsl {
    rate over 1400 kbytes/second burst 1400 kbytes
  }


  chain forward {
    type filter hook forward priority filter
    policy drop


    ct state invalid log prefix "drop invalid forward: " counter drop


    iifname lo counter accept

    oifname != dsl meta l4proto $icmp_protos limit name lim_icmp_local counter drop
    oifname dsl meta l4proto $icmp_protos limit name lim_icmp_dsl counter drop
    iifname != dsl meta l4proto $icmp_protos limit name lim_icmp_local counter drop
    iifname dsl meta l4proto $icmp_protos limit name lim_icmp_dsl counter drop
    meta l4proto $icmp_protos counter accept

    iifname eno1 oifname dsl counter accept
    iifname dsl oifname eno1 ct state {established, related} counter accept



    limit name lim_reject log prefix "drop forward: " counter drop
    log prefix "reject forward: " counter
    meta l4proto tcp ct state new counter reject with tcp reset
    ct state new counter reject


    counter
  }

  chain input {
    type filter hook input priority filter
    policy drop


    ct state invalid log prefix "drop invalid input: " counter drop
    

    iifname lo counter accept
    iif != lo ip daddr 127.0.0.1/8 counter reject
    iif != lo ip6 daddr ::1/128 counter reject

    iifname dsl meta l4proto $icmp_protos limit name lim_icmp_dsl counter drop
    iifname != dsl meta l4proto $icmp_protos limit name lim_icmp_local counter drop
    meta l4proto $icmp_protos counter accept

    ct state {established, related} counter accept

    tcp dport 22 counter accept
    meta protocol ip udp dport 51820 counter accept
    udp dport 60000-61000 counter accept

    iifname dsl meta protocol ip6 udp dport 546 udp sport 547 counter accept


    limit name lim_reject log prefix "drop input: " counter drop
    log prefix "reject input: " counter
    meta l4proto tcp ct state new counter reject with tcp reset
    ct state new counter reject


    counter
  }

  chain output {
    type filter hook output priority filter
    policy accept


    oifname lo counter accept

    oifname != dsl meta l4proto $icmp_protos limit name lim_icmp_local counter drop
    oifname dsl meta l4proto $icmp_protos limit name lim_icmp_dsl counter drop
    meta l4proto $icmp_protos counter accept


    counter
  }
}

table ip nat {
  chain postrouting {
    type nat hook postrouting priority srcnat
    policy accept


    oifname dsl counter masquerade


    counter
  }
}

table inet mangle {
  chain postrouting {
    type filter hook postrouting priority mangle
    policy accept


    oifname dsl tcp flags & (syn|rst) == syn counter tcp option maxseg size set rt mtu
    iifname dsl tcp flags & (syn|rst) == syn counter tcp option maxseg size set rt mtu


    counter
  }
}