nftables: Add blackhole
This commit is contained in:
parent
5d1d316450
commit
1408698d53
1 changed files with 36 additions and 8 deletions
|
@ -11,31 +11,55 @@ table inet nat {
|
|||
}
|
||||
|
||||
table inet filter {
|
||||
set blackhole_ipv4 {
|
||||
type ipv4_addr
|
||||
timeout 30s
|
||||
flags dynamic
|
||||
}
|
||||
|
||||
set blackhole_ipv6 {
|
||||
type ipv6_addr
|
||||
timeout 30s
|
||||
flags dynamic
|
||||
}
|
||||
|
||||
chain input {
|
||||
type filter hook input priority 0; policy drop;
|
||||
|
||||
iif lo accept
|
||||
|
||||
# Block all IPs in blackhole
|
||||
ip saddr @blackhole_ipv4 set update ip saddr @blackhole_ipv4 drop
|
||||
ip6 saddr @blackhole_ipv6 set update ip6 saddr @blackhole_ipv6 drop
|
||||
|
||||
ct state invalid drop
|
||||
ct state { established, related } accept
|
||||
|
||||
# Prevent DDoS
|
||||
# Rate limiting
|
||||
meta nfproto ipv4 meter ratelimit4 { ip saddr limit rate over 50/second } add @blackhole_ipv4 { ip saddr }
|
||||
meta nfproto ipv6 meter ratelimit6 { ip6 saddr limit rate over 50/second } add @blackhole_ipv6 { ip6 saddr }
|
||||
# Max concurrent connections
|
||||
meta nfproto ipv4 meter connlimit4 { ip saddr ct count over 100 } add @blackhole_ipv4 { ip saddr }
|
||||
meta nfproto ipv6 meter connlimit6 { ip6 saddr ct count over 100 } add @blackhole_ipv6 { ip6 saddr }
|
||||
|
||||
# Allow ICMP
|
||||
meta l4proto icmp limit rate 1/second accept
|
||||
meta l4proto ipv6-icmp limit rate 1/second accept
|
||||
meta l4proto icmp accept
|
||||
meta l4proto ipv6-icmp accept
|
||||
|
||||
# HTTP/S
|
||||
tcp dport { http, https } limit rate 5/second accept
|
||||
tcp dport { http, https } accept
|
||||
|
||||
# SSH
|
||||
tcp dport 995 limit rate 15/minute accept
|
||||
tcp dport 995 accept
|
||||
|
||||
# Syncthing
|
||||
tcp dport { {{ ports['syncthing_tcp'] }}, 22067 } limit rate 5/second accept
|
||||
udp dport {{ ports['syncthing_udp'] }} limit rate 5/second accept
|
||||
tcp dport { {{ ports['syncthing_tcp'] }}, 22067 } accept
|
||||
udp dport {{ ports['syncthing_udp'] }} accept
|
||||
|
||||
# Coturn
|
||||
tcp dport { {{ ports['coturn_listening'] }}, {{ ports['coturn_tls_listening'] }} } limit rate 5/second accept
|
||||
udp dport { {{ ports['coturn_listening'] }}, {{ ports['coturn_tls_listening'] }}, {{ ports['coturn_relay_min'] }}-{{ ports['coturn_relay_max'] }} } limit rate 5/second accept
|
||||
tcp dport { {{ ports['coturn_listening'] }}, {{ ports['coturn_tls_listening'] }} } accept
|
||||
udp dport { {{ ports['coturn_listening'] }}, {{ ports['coturn_tls_listening'] }}, {{ ports['coturn_relay_min'] }}-{{ ports['coturn_relay_max'] }} } accept
|
||||
|
||||
}
|
||||
|
||||
|
@ -45,5 +69,9 @@ table inet filter {
|
|||
|
||||
chain output {
|
||||
type filter hook output priority 0; policy accept;
|
||||
|
||||
# Don't waste resources responding to blocked IPs
|
||||
ip daddr @blackhole_ipv4 reject
|
||||
ip6 daddr @blackhole_ipv6 reject
|
||||
}
|
||||
}
|
||||
|
|
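Review bot: The `set update ip saddr @blackhole_ipv4` clause in the new blackhole drop rule (and its ipv6 twin two lines later) does not match the `update @set { expression }` form that nft documents for refreshing a dynamic-set element, so the rendered file may fail `nft -c -f`; the form I would expect is `ip saddr @blackhole_ipv4 update @blackhole_ipv4 { ip saddr } drop` and `ip6 saddr @blackhole_ipv6 update @blackhole_ipv6 { ip6 saddr } drop`. Because that refresh re-arms the element timeout on every packet, a source stays blocked for as long as it keeps sending, which is stronger than the set's `timeout 30s` suggests on its own; a comment such as `# every packet from a listed source re-arms its 30s timeout` above the drop rules would make the intent explicit. The meters that populate the sets carry no verdict, so the packet that crosses `50/second` or `ct count over 100` still falls through to the accept rules below and only subsequent packets hit the drop, which is presumably acceptable but deserves a one-line comment. The `# SSH` heading sits over `tcp dport 995`, the IANA POP3S port; if sshd really listens there the comment should say so (this line may be pre-existing context). `table inet filter` is opened in the first hunk and closed in the second, so the rules between the two hunks are not visible here.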