vps/roles/nftables/templates/nftables.conf


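#!/usr/sbin/nft -f
# Host firewall for the VPS. This is an Ansible/Jinja2 template: every
# {{ ports[...] }} expression is substituted at deploy time.
# `nft -f` applies the whole file as one transaction, so a parse error leaves
# the previously loaded ruleset untouched.
flush ruleset

table inet nat {
    # Destination NAT on the prerouting hook runs before the filter input
    # chain below, so that chain sees the *redirected* destination port:
    # the mail daemons only need their internal ports opened there, and for
    # the Syncthing relay it is 22067 (not the public relaysrv port) that has
    # to be accepted.
    chain prerouting {
        type nat hook prerouting priority dstnat;
        # NOTE(review): `iif` matches by interface index, which is resolved
        # when the ruleset is loaded; the rules fail to load if eth0 does not
        # exist at that moment (`iifname` would match by name instead).
        # Syncthing relay: public port -> internal listener on 22067
        iif eth0 tcp dport {{ ports['syncthing_relaysrv'] }} redirect to :22067
        # Mail: well-known SMTP/SMTPS/IMAPS ports -> the ports the mail
        # server actually listens on
        iif eth0 tcp dport 25 redirect to :{{ ports['mailserver_smtp'] }}
        iif eth0 tcp dport 465 redirect to :{{ ports['mailserver_smtps'] }}
        iif eth0 tcp dport 993 redirect to :{{ ports['mailserver_imaps'] }}
    }
}

table inet filter {
    # Dynamic sets of source addresses that tripped one of the meters in the
    # input chain. An element expires 30s after its last refresh, and the
    # input chain refreshes the timeout on every packet from a listed
    # address, so a source that keeps sending stays blocked until it has
    # been quiet for 30s.
    # NOTE(review): no `size` is declared, so under a flood from many
    # (possibly spoofed) sources these sets can grow without bound; a `size`
    # cap would bound kernel memory at the cost of not listing new offenders
    # once the set is full.
    set blackhole_ipv4 {
        type ipv4_addr
        timeout 30s
        flags dynamic
    }
    set blackhole_ipv6 {
        type ipv6_addr
        timeout 30s
        flags dynamic
    }

    chain input {
        type filter hook input priority 0; policy drop;
        iif lo accept

        # Block all IPs in blackhole. This sits before the conntrack accept
        # so that already-established flows from a blocked source are
        # dropped as well. `update` refreshes the element's 30s timeout on
        # every hit (same statement form as the `add` rules further down).
        ip saddr @blackhole_ipv4 update @blackhole_ipv4 { ip saddr } drop
        ip6 saddr @blackhole_ipv6 update @blackhole_ipv6 { ip6 saddr } drop

        ct state invalid drop
        ct state { established, related } accept

        # Prevent DDoS
        # Rate limiting: only packets that get this far (new or untracked
        # flows, since established/related were accepted above) are counted.
        # A source sending more than 50/second is added to the blackhole set.
        # NOTE(review): there is no exemption for management sources, so an
        # admin host behind a shared NAT, or a deployment that opens many
        # connections quickly, can lock itself out for 30s at a time.
        meta nfproto ipv4 meter ratelimit4 \
            { ip saddr limit rate over 50/second burst 10 packets } \
            add @blackhole_ipv4 { ip saddr }
        meta nfproto ipv6 meter ratelimit6 \
            { ip6 saddr limit rate over 50/second burst 10 packets } \
            add @blackhole_ipv6 { ip6 saddr }
        # Max concurrent connections: a source holding more than 100 tracked
        # connections at once is blackholed as well.
        meta nfproto ipv4 meter connlimit4 \
            { ip saddr ct count over 100 } add @blackhole_ipv4 { ip saddr }
        meta nfproto ipv6 meter connlimit6 \
            { ip6 saddr ct count over 100 } add @blackhole_ipv6 { ip6 saddr }

        # Allow ICMP (all types; they are still subject to the rate meters
        # above). If this is ever narrowed to specific types, IPv6 neighbour
        # discovery and MLD must remain permitted or the host loses
        # connectivity.
        meta l4proto icmp accept
        meta l4proto ipv6-icmp accept

        # HTTP/S
        tcp dport { http, https } accept
        # SSH, reachable from anywhere. Brute-force protection here is only
        # the generic per-source meters above; authentication hardening is
        # left to the SSH daemon itself.
        tcp dport ssh accept
        # SMTP/IMAP: the internal ports the daemons listen on, i.e. what the
        # nat prerouting redirects above deliver to this chain.
        tcp dport { {{ ports['mailserver_smtp'] }}, {{ ports['mailserver_smtps'] }}, {{ ports['mailserver_imaps'] }} } accept
        # Syncthing (22067 is the relay listener behind the nat redirect)
        tcp dport { {{ ports['syncthing_tcp'] }}, 22067 } accept
        udp dport {{ ports['syncthing_udp'] }} accept
        # Coturn: listening/TLS ports plus the UDP relay port range
        tcp dport { {{ ports['coturn_listening'] }}, {{ ports['coturn_tls_listening'] }} } accept
        udp dport { {{ ports['coturn_listening'] }}, {{ ports['coturn_tls_listening'] }}, {{ ports['coturn_relay_min'] }}-{{ ports['coturn_relay_max'] }} } accept
    }
    chain forward {
        # No forwarding rules are defined. With policy accept, enabling IP
        # forwarding on this host (e.g. by a container runtime) would make
        # it forward everything; `policy drop` here would be the safer
        # default unless the host is meant to route.
        type filter hook forward priority 0; policy accept;
    }
    chain output {
        type filter hook output priority 0; policy accept;
        # Don't waste resources responding to blocked IPs: reject (rather
        # than drop) so local processes fail immediately instead of waiting
        # for a timeout.
        ip daddr @blackhole_ipv4 reject
        ip6 daddr @blackhole_ipv6 reject
    }
}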