vps/nftables.conf.mako

91 lines
2.5 KiB
Text
Raw Normal View History

#!/usr/sbin/nft -f
flush ruleset
table inet nat {
chain prerouting {
type nat hook prerouting priority dstnat;
iif eth0 tcp dport ${env['ports']['syncthing_relaysrv']} redirect to :22067
iif eth0 tcp dport 25 redirect to :${env['ports']['mailserver_smtp']}
iif eth0 tcp dport 465 redirect to :${env['ports']['mailserver_smtps']}
iif eth0 tcp dport 993 redirect to :${env['ports']['mailserver_imaps']}
}
}
table inet filter {
set blackhole_ipv4 {
type ipv4_addr
timeout 30s
flags dynamic
}
set blackhole_ipv6 {
type ipv6_addr
timeout 30s
flags dynamic
}
chain input {
type filter hook input priority 0; policy drop;
iif lo accept
# Block all IPs in blackhole
ip saddr @blackhole_ipv4 set update ip saddr @blackhole_ipv4 drop
ip6 saddr @blackhole_ipv6 set update ip6 saddr @blackhole_ipv6 drop
ct state invalid drop
ct state { established, related } accept
<%text>
# Prevent DDoS
# Rate limiting
meta nfproto ipv4 meter ratelimit4 \
{ ip saddr limit rate over 75/second burst 15 packets } \
add @blackhole_ipv4 { ip saddr } counter
meta nfproto ipv6 meter ratelimit6 \
{ ip6 saddr limit rate over 75/second burst 15 packets } \
add @blackhole_ipv6 { ip6 saddr } counter
# Max concurrent connections
meta nfproto ipv4 meter connlimit4 \
{ ip saddr ct count over 100 } add @blackhole_ipv4 { ip saddr } counter
meta nfproto ipv6 meter connlimit6 \
{ ip6 saddr ct count over 100 } add @blackhole_ipv6 { ip6 saddr } counter
</%text>
# Allow ICMP
meta l4proto icmp accept
meta l4proto ipv6-icmp accept
# HTTP/S
tcp dport { http, https } accept
# SSH
tcp dport ssh accept
# SMTP/IMAP
tcp dport { ${env['ports']['mailserver_smtp']}, ${env['ports']['mailserver_smtps']}, ${env['ports']['mailserver_imaps']} } accept
# Syncthing
tcp dport { ${env['ports']['syncthing_tcp']}, 22067 } accept
udp dport ${env['ports']['syncthing_udp']} accept
# Coturn
tcp dport { ${env['ports']['coturn_listening']}, ${env['ports']['coturn_tls_listening']} } accept
udp dport { ${env['ports']['coturn_listening']}, ${env['ports']['coturn_tls_listening']}, ${env['ports']['coturn_relay_min']}-${env['ports']['coturn_relay_max']} } accept
}
chain forward {
type filter hook forward priority 0; policy accept;
}
chain output {
type filter hook output priority 0; policy accept;
# Don't waste resources responding to blocked IPs
ip daddr @blackhole_ipv4 reject
ip6 daddr @blackhole_ipv6 reject
}
}