nftables: Add blackhole
This commit is contained in:
parent
5d1d316450
commit
1408698d53
1 changed files with 36 additions and 8 deletions
|
@ -11,31 +11,55 @@ table inet nat {
|
||||||
}
|
}
|
||||||
|
|
||||||
table inet filter {
|
table inet filter {
|
||||||
|
set blackhole_ipv4 {
|
||||||
|
type ipv4_addr
|
||||||
|
timeout 30s
|
||||||
|
flags dynamic
|
||||||
|
}
|
||||||
|
|
||||||
|
set blackhole_ipv6 {
|
||||||
|
type ipv6_addr
|
||||||
|
timeout 30s
|
||||||
|
flags dynamic
|
||||||
|
}
|
||||||
|
|
||||||
chain input {
|
chain input {
|
||||||
type filter hook input priority 0; policy drop;
|
type filter hook input priority 0; policy drop;
|
||||||
|
|
||||||
iif lo accept
|
iif lo accept
|
||||||
|
|
||||||
|
# Block all IPs in blackhole
|
||||||
|
ip saddr @blackhole_ipv4 set update ip saddr @blackhole_ipv4 drop
|
||||||
|
ip6 saddr @blackhole_ipv6 set update ip6 saddr @blackhole_ipv6 drop
|
||||||
|
|
||||||
ct state invalid drop
|
ct state invalid drop
|
||||||
ct state { established, related } accept
|
ct state { established, related } accept
|
||||||
|
|
||||||
|
# Prevent DDoS
|
||||||
|
# Rate limiting
|
||||||
|
meta nfproto ipv4 meter ratelimit4 { ip saddr limit rate over 50/second } add @blackhole_ipv4 { ip saddr }
|
||||||
|
meta nfproto ipv6 meter ratelimit6 { ip6 saddr limit rate over 50/second } add @blackhole_ipv6 { ip6 saddr }
|
||||||
|
# Max concurrent connections
|
||||||
|
meta nfproto ipv4 meter connlimit4 { ip saddr ct count over 100 } add @blackhole_ipv4 { ip saddr }
|
||||||
|
meta nfproto ipv6 meter connlimit6 { ip6 saddr ct count over 100 } add @blackhole_ipv6 { ip6 saddr }
|
||||||
|
|
||||||
# Allow ICMP
|
# Allow ICMP
|
||||||
meta l4proto icmp limit rate 1/second accept
|
meta l4proto icmp accept
|
||||||
meta l4proto ipv6-icmp limit rate 1/second accept
|
meta l4proto ipv6-icmp accept
|
||||||
|
|
||||||
# HTTP/S
|
# HTTP/S
|
||||||
tcp dport { http, https } limit rate 5/second accept
|
tcp dport { http, https } accept
|
||||||
|
|
||||||
# SSH
|
# SSH
|
||||||
tcp dport 995 limit rate 15/minute accept
|
tcp dport 995 accept
|
||||||
|
|
||||||
# Syncthing
|
# Syncthing
|
||||||
tcp dport { {{ ports['syncthing_tcp'] }}, 22067 } limit rate 5/second accept
|
tcp dport { {{ ports['syncthing_tcp'] }}, 22067 } accept
|
||||||
udp dport {{ ports['syncthing_udp'] }} limit rate 5/second accept
|
udp dport {{ ports['syncthing_udp'] }} accept
|
||||||
|
|
||||||
# Coturn
|
# Coturn
|
||||||
tcp dport { {{ ports['coturn_listening'] }}, {{ ports['coturn_tls_listening'] }} } limit rate 5/second accept
|
tcp dport { {{ ports['coturn_listening'] }}, {{ ports['coturn_tls_listening'] }} } accept
|
||||||
udp dport { {{ ports['coturn_listening'] }}, {{ ports['coturn_tls_listening'] }}, {{ ports['coturn_relay_min'] }}-{{ ports['coturn_relay_max'] }} } limit rate 5/second accept
|
udp dport { {{ ports['coturn_listening'] }}, {{ ports['coturn_tls_listening'] }}, {{ ports['coturn_relay_min'] }}-{{ ports['coturn_relay_max'] }} } accept
|
||||||
|
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -45,5 +69,9 @@ table inet filter {
|
||||||
|
|
||||||
chain output {
|
chain output {
|
||||||
type filter hook output priority 0; policy accept;
|
type filter hook output priority 0; policy accept;
|
||||||
|
|
||||||
|
# Don't waste resources responding to blocked IPs
|
||||||
|
ip daddr @blackhole_ipv4 reject
|
||||||
|
ip6 daddr @blackhole_ipv6 reject
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
Loading…
Reference in a new issue