2023-11-22 08:26:10 +01:00
|
|
|
#!/usr/sbin/nft -f
|
|
|
|
|
|
|
|
flush ruleset
|
|
|
|
|
|
|
|
table inet filter {
|
|
|
|
chain input {
|
|
|
|
type filter hook input priority 0; policy drop;
|
|
|
|
|
|
|
|
iif lo accept
|
2023-11-29 08:32:08 +01:00
|
|
|
|
2023-11-22 08:26:10 +01:00
|
|
|
ct state invalid drop
|
2023-11-29 08:32:08 +01:00
|
|
|
ct state { established, related } accept
|
2024-02-17 19:01:04 +01:00
|
|
|
|
|
|
|
# Allow ICMP
|
|
|
|
meta l4proto icmp limit rate 1/second accept
|
|
|
|
meta l4proto ipv6-icmp limit rate 1/second accept
|
2023-11-22 08:26:10 +01:00
|
|
|
|
2024-02-17 19:01:04 +01:00
|
|
|
# HTTP/S
|
|
|
|
tcp dport { http, https } limit rate 5/second accept
|
2023-11-29 20:00:29 +01:00
|
|
|
|
2023-11-22 08:26:10 +01:00
|
|
|
# SSH
|
2023-11-29 08:32:08 +01:00
|
|
|
tcp dport 995 limit rate 15/minute accept
|
2023-11-22 08:26:10 +01:00
|
|
|
|
2024-02-17 19:01:04 +01:00
|
|
|
# Syncthing
|
|
|
|
tcp dport {{ ports['syncthing_tcp'] }} limit rate 5/second accept
|
|
|
|
udp dport {{ ports['syncthing_udp'] }} limit rate 5/second accept
|
|
|
|
|
|
|
|
# Coturn
|
|
|
|
tcp dport { {{ ports['coturn_listening'] }}, {{ ports['coturn_tls_listening'] }} } limit rate 5/second accept
|
|
|
|
udp dport { {{ ports['coturn_listening'] }}, {{ ports['coturn_tls_listening'] }}, {{ ports['coturn_relay_min'] }}-{{ ports['coturn_relay_max'] }} } limit rate 5/second accept
|
2023-12-08 12:22:33 +01:00
|
|
|
|
2023-11-22 08:26:10 +01:00
|
|
|
}
|
|
|
|
|
|
|
|
chain forward {
|
|
|
|
type filter hook forward priority 0; policy accept;
|
|
|
|
}
|
|
|
|
|
|
|
|
chain output {
|
|
|
|
type filter hook output priority 0; policy accept;
|
|
|
|
}
|
|
|
|
}
|