66 lines
1.5 KiB
Text
66 lines
1.5 KiB
Text
#!/usr/sbin/nft -f
|
|
|
|
flush ruleset
|
|
|
|
table inet filter {
|
|
set blackhole_ipv4 {
|
|
type ipv4_addr
|
|
timeout 1m
|
|
flags dynamic
|
|
}
|
|
|
|
set blackhole_ipv6 {
|
|
type ipv6_addr
|
|
timeout 1m
|
|
flags dynamic
|
|
}
|
|
|
|
chain input {
|
|
type filter hook input priority 0; policy drop;
|
|
|
|
iif lo accept
|
|
|
|
# Block all IPs in blackhole
|
|
ip saddr @blackhole_ipv4 set update ip saddr @blackhole_ipv4 drop
|
|
ip6 saddr @blackhole_ipv6 set update ip6 saddr @blackhole_ipv6 drop
|
|
|
|
ct state invalid drop
|
|
ct state { established, related } accept
|
|
|
|
# Prevent DDoS
|
|
# Rate limiting
|
|
meta nfproto ipv4 meter ratelimit4 \
|
|
{ ip saddr limit rate over 50/second burst 10 packets } \
|
|
add @blackhole_ipv4 { ip saddr }
|
|
meta nfproto ipv6 meter ratelimit6 \
|
|
{ ip6 saddr limit rate over 50/second burst 10 packets } \
|
|
add @blackhole_ipv6 { ip6 saddr }
|
|
# Max concurrent connections
|
|
meta nfproto ipv4 meter connlimit4 \
|
|
{ ip saddr ct count over 100 } add @blackhole_ipv4 { ip saddr }
|
|
meta nfproto ipv6 meter connlimit6 \
|
|
{ ip6 saddr ct count over 100 } add @blackhole_ipv6 { ip6 saddr }
|
|
|
|
# Allow ICMP
|
|
meta l4proto icmp accept
|
|
meta l4proto ipv6-icmp accept
|
|
|
|
# SSH
|
|
tcp dport ssh accept
|
|
|
|
# ARK
|
|
udp dport { 7777, 7778, 27015 } accept
|
|
}
|
|
|
|
chain forward {
|
|
type filter hook forward priority 0; policy drop;
|
|
}
|
|
|
|
chain output {
|
|
type filter hook output priority 0; policy accept;
|
|
|
|
# Don't waste resources responding to blocked IPs
|
|
ip daddr @blackhole_ipv4 reject
|
|
ip6 daddr @blackhole_ipv6 reject
|
|
}
|
|
}
|