#!/usr/sbin/nft -f

# Host firewall ruleset (Jinja-templated: the {{ ports[...] }} placeholders are
# filled in before this file is loaded).
#   - table inet nat:    redirects the public Syncthing relay port to the
#                        relay's real listening port 22067
#   - table inet filter: default-drop input chain, a 30s dynamic "blackhole"
#                        for abusive sources, and an output chain that refuses
#                        to talk back to blackholed addresses

flush ruleset

# Forward Syncthing relay traffic from port {{ ports['syncthing_relaysrv'] }} to 22067
table inet nat {
    chain prerouting {
        type nat hook prerouting priority dstnat;
        # Only traffic arriving on eth0 is redirected; the filter table below
        # accepts port 22067 itself, so redirected packets pass the input chain.
        iif eth0 tcp dport {{ ports['syncthing_relaysrv'] }} redirect to :22067
    }
}

table inet filter {
    # Dynamic sets of source addresses to drop. Elements are added from the
    # packet path (flags dynamic) and expire 30s after their last update.
    set blackhole_ipv4 {
        type ipv4_addr
        timeout 30s
        flags dynamic
    }

    set blackhole_ipv6 {
        type ipv6_addr
        timeout 30s
        flags dynamic
    }

    chain input {
        type filter hook input priority 0; policy drop;

        iif lo accept

        # Block all IPs in blackhole
        # 'set update' refreshes the element's 30s timeout on every packet, so a
        # source that keeps sending stays blocked until it has been quiet for 30s.
        # These rules sit before the established/related accept, so packets of
        # existing connections from a blackholed source are dropped as well.
        ip saddr @blackhole_ipv4 set update ip saddr @blackhole_ipv4 drop
        ip6 saddr @blackhole_ipv6 set update ip6 saddr @blackhole_ipv6 drop

        ct state invalid drop
        ct state { established, related } accept

        # Prevent DDoS
        # Everything from here on only sees packets not accepted above, i.e. new
        # or untracked traffic.
        # Rate limiting
        # A source sending more than 50 such packets/second (burst 5) is added to
        # the blackhole. 'add @set' is not a verdict: the triggering packet keeps
        # going down this chain, and only later packets from that source hit the
        # blackhole drop rules at the top.
        meta nfproto ipv4 meter ratelimit4 \
            { ip saddr limit rate over 50/second burst 5 packets } \
            add @blackhole_ipv4 { ip saddr }
        meta nfproto ipv6 meter ratelimit6 \
            { ip6 saddr limit rate over 50/second burst 5 packets } \
            add @blackhole_ipv6 { ip6 saddr }

        # Max concurrent connections
        # Same blackholing for a single source with more than 100 conntrack
        # entries (ct count); again the triggering packet itself is not dropped here.
        meta nfproto ipv4 meter connlimit4 \
            { ip saddr ct count over 100 } add @blackhole_ipv4 { ip saddr }
        meta nfproto ipv6 meter connlimit6 \
            { ip6 saddr ct count over 100 } add @blackhole_ipv6 { ip6 saddr }

        # Allow ICMP
        meta l4proto icmp accept
        meta l4proto ipv6-icmp accept

        # HTTP/S
        tcp dport { http, https } accept

        # SSH
        # NOTE(review): 995 is the IANA pop3s port, not ssh; confirm sshd really
        # listens on 995 here, or that this label is meant to read "POP3S".
        tcp dport 995 accept

        # Syncthing
        # 22067 is the relay listening port that the nat prerouting chain redirects to.
        tcp dport { {{ ports['syncthing_tcp'] }}, 22067 } accept
        udp dport {{ ports['syncthing_udp'] }} accept

        # Coturn
        tcp dport { {{ ports['coturn_listening'] }}, {{ ports['coturn_tls_listening'] }} } accept
        udp dport { {{ ports['coturn_listening'] }}, {{ ports['coturn_tls_listening'] }}, {{ ports['coturn_relay_min'] }}-{{ ports['coturn_relay_max'] }} } accept
    }

    chain forward {
        type filter hook forward priority 0; policy accept;
    }

    chain output {
        type filter hook output priority 0; policy accept;

        # Don't waste resources responding to blocked IPs
        # This also refuses locally originated traffic to a blackholed address
        # for as long as it remains in the set (up to 30s after its last packet).
        ip daddr @blackhole_ipv4 reject
        ip6 daddr @blackhole_ipv6 reject
    }
}