From 3164a727ccb594d3c449dfc5ce1ba457e1701bfb Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?J=C3=A9r=C3=A9my=20Primard?=
Date: Sat, 24 Feb 2024 20:21:29 +0000
Subject: [PATCH] reindentation of the file
---
 nftables.conf | 144 +++++++++++++++++++++++++-------------------------
 1 file changed, 72 insertions(+), 72 deletions(-)
diff --git a/nftables.conf b/nftables.conf
index bf5132e..f050daa 100644
--- a/nftables.conf
+++ b/nftables.conf
@@ -1,5 +1,5 @@
 #!/usr/bin/nft -f
-# vim:set ts=2 sw=2 et:
+# vim:set ts=4 sw=4 et:
 # IPv4/IPv6 Simple & Safe firewall ruleset.
 # More examples in /usr/share/nftables/ and /usr/share/doc/nftables/examples/.
@@ -27,18 +27,18 @@ define all_if = { $ext_if, $vict_if, $dmz_if }
 table ip6 block_all_ipv6
 delete table ip6 block_all_ipv6
 table ip6 block_all_ipv6 {
- chain block_input {
- type filter hook input priority filter
- policy drop
- }
- chain block_output {
- type filter hook output priority filter
- policy drop
- }
- chain block_forward {
- type filter hook forward priority filter
- policy drop
- }
+ chain block_input {
+ type filter hook input priority filter
+ policy drop
+ }
+ chain block_output {
+ type filter hook output priority filter
+ policy drop
+ }
+ chain block_forward {
+ type filter hook forward priority filter
+ policy drop
+ }
 }
@@ -46,72 +46,72 @@ table ip6 block_all_ipv6 {
 table ip global
 delete table ip global
 table ip global {
- set denylist {
- type ipv4_addr
- flags dynamic, timeout
- timeout 2m
- }
- chain input {
- type filter hook input priority filter
- policy drop
+ set denylist {
+ type ipv4_addr
+ flags dynamic, timeout
+ timeout 2m
+ }
+ chain input {
+ type filter hook input priority filter
+ policy drop
 
- # if somebody sent to many new connections to the gateway, it an attack.
- ip protocol tcp ct state new, untracked limit rate over 10/minute add @denylist { ip saddr }
- ip saddr @denylist drop
+ # if somebody sent to many new connections to the gateway, it an attack.
+ ip protocol tcp ct state new, untracked limit rate over 10/minute add @denylist { ip saddr }
+ ip saddr @denylist drop
 
- ct state established accept
- iifname $vict_if icmp type echo-request limit rate 5/second accept
- iifname $vict_if tcp dport 22 accept
- iifname lo accept
-
- }
- chain output {
- type filter hook output priority filter
- policy drop
+ ct state established accept
+ iifname $vict_if icmp type echo-request limit rate 5/second accept
+ iifname $vict_if tcp dport 22 accept
+ iifname lo accept
 
- udp dport 53 limit rate 20/second accept
- tcp dport 80 limit rate 20/second accept
- tcp dport 443 limit rate 20/second accept
- icmp type echo-request limit rate 5/second accept
- oifname $vict_if ct state established accept
+ }
+ chain output {
+ type filter hook output priority filter
+ policy drop
 
- # accept to say on the victim interface that the gateway is up.
- # oifname $vict_if icmp type echo-reply limit rate 5/second accept
- oifname lo accept
- }
- chain forward {
- type filter hook forward priority filter
- policy drop
+ udp dport 53 limit rate 20/second accept
+ tcp dport 80 limit rate 20/second accept
+ tcp dport 443 limit rate 20/second accept
+ icmp type echo-request limit rate 5/second accept
+ oifname $vict_if ct state established accept
 
- # Block temporarly ip addresses that attemps more than 10 tcp connection per minutes from external network
- iifname $ext_if ip protocol tcp ct state new, untracked limit rate over 10/minute add @denylist { ip saddr }
- ip saddr @denylist drop
-
- # general authorisations
- icmp type echo-reply accept
-
- # dmz interface specific
- oifname $dmz_if icmp type echo-request limit rate 5/second accept
- oifname $dmz_if tcp dport 80 accept
- iifname $dmz_if ct state established tcp sport 80 accept
+ # accept to say on the victim interface that the gateway is up.
+ # oifname $vict_if icmp type echo-reply limit rate 5/second accept
+ oifname lo accept
+ }
+ chain forward {
+ type filter hook forward priority filter
+ policy drop
 
- # external interface specific
- oifname $ext_if icmp type echo-request accept
- oifname $ext_if udp dport 53 accept
- iifname $ext_if ct state established udp sport 53 accept
- oifname $ext_if tcp dport 80 accept
- iifname $ext_if ct state established tcp sport 80 accept
- oifname $ext_if tcp dport 443 accept
- iifname $ext_if ct state established tcp sport 443 accept
+ # Block temporarly ip addresses that attemps more than 10 tcp connection per minutes from external network
+ iifname $ext_if ip protocol tcp ct state new, untracked limit rate over 10/minute add @denylist { ip saddr }
+ ip saddr @denylist drop
 
- # victim interface specific
- iifname $vict_if tcp dport 22 accept
- oifname $vict_if ct state established tcp sport 22 accept
-
- # block for two minutes everything else that is from the public interface.
- iifname { $ext_if, $dmz_if } add @denylist { ip saddr }
- }
+
+ # general authorisations
+ icmp type echo-reply accept
+
+ # dmz interface specific
+ oifname $dmz_if icmp type echo-request limit rate 5/second accept
+ oifname $dmz_if tcp dport 80 accept
+ iifname $dmz_if ct state established tcp sport 80 accept
+
+ # external interface specific
+ oifname $ext_if icmp type echo-request accept
+ oifname $ext_if udp dport 53 accept
+ iifname $ext_if ct state established udp sport 53 accept
+ oifname $ext_if tcp dport 80 accept
+ iifname $ext_if ct state established tcp sport 80 accept
+ oifname $ext_if tcp dport 443 accept
+ iifname $ext_if ct state established tcp sport 443 accept
+
+ # victim interface specific
+ iifname $vict_if tcp dport 22 accept
+ oifname $vict_if ct state established tcp sport 22 accept
+
+ # block for two minutes everything else that is from the public interface.
+ iifname { $ext_if, $dmz_if } add @denylist { ip saddr }
+ }
 }