vps/roles/nftables/templates/nftables.conf

#!/usr/sbin/nft -f

flush ruleset

# Forward Syncthing relay traffic from port {{ ports['syncthing_relaysrv'] }} to 22067
table inet nat {
    chain prerouting {
        type nat hook prerouting priority dstnat;
        iif eth0 tcp dport {{ ports['syncthing_relaysrv'] }} redirect to :22067
    }
}

table inet filter {
	chain input {
		type filter hook input priority 0; policy drop;

		iif lo accept
		
		ct state invalid drop
		ct state { established, related } accept
	
		# Allow ICMP
		meta l4proto icmp limit rate 1/second accept
		meta l4proto ipv6-icmp limit rate 1/second accept

		# HTTP/S
		tcp dport { http, https } limit rate 5/second accept

		# SSH
		tcp dport 995 limit rate 15/minute accept

		# Syncthing
		tcp dport { {{ ports['syncthing_tcp'] }}, 22067 } limit rate 5/second accept
		udp dport {{ ports['syncthing_udp'] }} limit rate 5/second accept

		# Coturn
		tcp dport { {{ ports['coturn_listening'] }}, {{ ports['coturn_tls_listening'] }} } limit rate 5/second accept
		udp dport { {{ ports['coturn_listening'] }}, {{ ports['coturn_tls_listening'] }}, {{ ports['coturn_relay_min'] }}-{{ ports['coturn_relay_max'] }} } limit rate 5/second accept

	}

	chain forward {
		type filter hook forward priority 0; policy accept;
	}
	
	chain output {
		type filter hook output priority 0; policy accept;
	}
}
fjeaj 2023-11-22 08:26:10 +01:00			`#!/usr/sbin/nft -f`

			`flush ruleset`

Syncthing: Add relaysrv with nftables forwarding to unprivileged port. 2024-02-19 11:03:16 +01:00			`# Forward Syncthing relay traffic from port {{ ports['syncthing_relaysrv'] }} to 22067`
			`table inet nat {`
			`chain prerouting {`
			`type nat hook prerouting priority dstnat;`
			`iif eth0 tcp dport {{ ports['syncthing_relaysrv'] }} redirect to :22067`
			`}`
			`}`

fjeaj 2023-11-22 08:26:10 +01:00			`table inet filter {`
			`chain input {`
			`type filter hook input priority 0; policy drop;`

			`iif lo accept`
Maj nftables 2023-11-29 08:32:08 +01:00
fjeaj 2023-11-22 08:26:10 +01:00			`ct state invalid drop`
Maj nftables 2023-11-29 08:32:08 +01:00			`ct state { established, related } accept`
The Great Ansible Update. 2024-02-17 19:01:04 +01:00
			`# Allow ICMP`
			`meta l4proto icmp limit rate 1/second accept`
			`meta l4proto ipv6-icmp limit rate 1/second accept`
fjeaj 2023-11-22 08:26:10 +01:00
The Great Ansible Update. 2024-02-17 19:01:04 +01:00			`# HTTP/S`
			`tcp dport { http, https } limit rate 5/second accept`
nftables: Reorder rules + lowered rates 2023-11-29 20:00:29 +01:00
fjeaj 2023-11-22 08:26:10 +01:00			`# SSH`
Maj nftables 2023-11-29 08:32:08 +01:00			`tcp dport 995 limit rate 15/minute accept`
fjeaj 2023-11-22 08:26:10 +01:00
The Great Ansible Update. 2024-02-17 19:01:04 +01:00			`# Syncthing`
Syncthing: Add relaysrv with nftables forwarding to unprivileged port. 2024-02-19 11:03:16 +01:00			`tcp dport { {{ ports['syncthing_tcp'] }}, 22067 } limit rate 5/second accept`
The Great Ansible Update. 2024-02-17 19:01:04 +01:00			`udp dport {{ ports['syncthing_udp'] }} limit rate 5/second accept`

			`# Coturn`
			`tcp dport { {{ ports['coturn_listening'] }}, {{ ports['coturn_tls_listening'] }} } limit rate 5/second accept`
			`udp dport { {{ ports['coturn_listening'] }}, {{ ports['coturn_tls_listening'] }}, {{ ports['coturn_relay_min'] }}-{{ ports['coturn_relay_max'] }} } limit rate 5/second accept`
add coturn 2023-12-08 12:22:33 +01:00
fjeaj 2023-11-22 08:26:10 +01:00			`}`

			`chain forward {`
			`type filter hook forward priority 0; policy accept;`
			`}`

			`chain output {`
			`type filter hook output priority 0; policy accept;`
			`}`
			`}`