nftables: Add blackhole

This commit is contained in:
Viyurz 2024-02-23 11:32:00 +01:00
parent 5d1d316450
commit 1408698d53
Signed by: Viyurz
SSH key fingerprint: SHA256:IskOHTmhHSJIvAt04N6aaxd5SZCVWW1Guf9tEcxIMj8


@ -11,31 +11,55 @@ table inet nat {
} }
table inet filter { table inet filter {
set blackhole_ipv4 {
type ipv4_addr
timeout 30s
flags dynamic
}
set blackhole_ipv6 {
type ipv6_addr
timeout 30s
flags dynamic
}
chain input { chain input {
type filter hook input priority 0; policy drop; type filter hook input priority 0; policy drop;
iif lo accept iif lo accept
# Block all IPs in blackhole
ip saddr @blackhole_ipv4 set update ip saddr @blackhole_ipv4 drop
ip6 saddr @blackhole_ipv6 set update ip6 saddr @blackhole_ipv6 drop
ct state invalid drop ct state invalid drop
ct state { established, related } accept ct state { established, related } accept
# Prevent DDoS
# Rate limiting
meta nfproto ipv4 meter ratelimit4 { ip saddr limit rate over 50/second } add @blackhole_ipv4 { ip saddr }
meta nfproto ipv6 meter ratelimit6 { ip6 saddr limit rate over 50/second } add @blackhole_ipv6 { ip6 saddr }
# Max concurrent connections
meta nfproto ipv4 meter connlimit4 { ip saddr ct count over 100 } add @blackhole_ipv4 { ip saddr }
meta nfproto ipv6 meter connlimit6 { ip6 saddr ct count over 100 } add @blackhole_ipv6 { ip6 saddr }
# Allow ICMP # Allow ICMP
meta l4proto icmp limit rate 1/second accept meta l4proto icmp accept
meta l4proto ipv6-icmp limit rate 1/second accept meta l4proto ipv6-icmp accept
# HTTP/S # HTTP/S
tcp dport { http, https } limit rate 5/second accept tcp dport { http, https } accept
# SSH # SSH
tcp dport 995 limit rate 15/minute accept tcp dport 995 accept
# Syncthing # Syncthing
tcp dport { {{ ports['syncthing_tcp'] }}, 22067 } limit rate 5/second accept tcp dport { {{ ports['syncthing_tcp'] }}, 22067 } accept
udp dport {{ ports['syncthing_udp'] }} limit rate 5/second accept udp dport {{ ports['syncthing_udp'] }} accept
# Coturn # Coturn
tcp dport { {{ ports['coturn_listening'] }}, {{ ports['coturn_tls_listening'] }} } limit rate 5/second accept tcp dport { {{ ports['coturn_listening'] }}, {{ ports['coturn_tls_listening'] }} } accept
udp dport { {{ ports['coturn_listening'] }}, {{ ports['coturn_tls_listening'] }}, {{ ports['coturn_relay_min'] }}-{{ ports['coturn_relay_max'] }} } limit rate 5/second accept udp dport { {{ ports['coturn_listening'] }}, {{ ports['coturn_tls_listening'] }}, {{ ports['coturn_relay_min'] }}-{{ ports['coturn_relay_max'] }} } accept
} }
@ -45,5 +69,9 @@ table inet filter {
chain output { chain output {
type filter hook output priority 0; policy accept; type filter hook output priority 0; policy accept;
# Don't waste resources responding to blocked IPs
ip daddr @blackhole_ipv4 reject
ip6 daddr @blackhole_ipv6 reject
} }
} }
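Review bot: The four meter rules in the input chain (the `ratelimit4`/`ratelimit6` and `connlimit4`/`connlimit6` lines of the first hunk) add the offending source to a blackhole set but carry no verdict, so the packet that trips the threshold continues down the chain and can still be accepted by the service rules below it; only subsequent packets are caught by the `set update … drop` rules near the top of the chain. Appending a verdict, e.g. `meta nfproto ipv4 meter ratelimit4 { ip saddr limit rate over 50/second } add @blackhole_ipv4 { ip saddr } drop`, and likewise on the other three meter lines, closes that gap. Because entries are keyed on source address alone, a flood with forged sources can place a third party in the set; exempting known-good addresses ahead of the meter rules and keeping the 30s timeout (which `set update` refreshes on every packet from a listed address) short bounds that effect. Neither the two sets nor the meters declare a `size`, so memory growth under a flood is bounded only by the kernel default; an explicit `size` makes that limit a deliberate choice.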