reindentation of the file

Jérémy Primard 2024-02-24 20:21:29 +00:00
parent b9704b9b9b
commit 3164a727cc


@ -1,5 +1,5 @@
#!/usr/bin/nft -f #!/usr/bin/nft -f
# vim:set ts=2 sw=2 et: # vim:set ts=4 sw=4 et:
# IPv4/IPv6 Simple & Safe firewall ruleset. # IPv4/IPv6 Simple & Safe firewall ruleset.
# More examples in /usr/share/nftables/ and /usr/share/doc/nftables/examples/. # More examples in /usr/share/nftables/ and /usr/share/doc/nftables/examples/.
@ -27,18 +27,18 @@ define all_if = { $ext_if, $vict_if, $dmz_if }
table ip6 block_all_ipv6 table ip6 block_all_ipv6
delete table ip6 block_all_ipv6 delete table ip6 block_all_ipv6
table ip6 block_all_ipv6 { table ip6 block_all_ipv6 {
chain block_input { chain block_input {
type filter hook input priority filter type filter hook input priority filter
policy drop policy drop
} }
chain block_output { chain block_output {
type filter hook output priority filter type filter hook output priority filter
policy drop policy drop
} }
chain block_forward { chain block_forward {
type filter hook forward priority filter type filter hook forward priority filter
policy drop policy drop
} }
} }
@ -46,72 +46,72 @@ table ip6 block_all_ipv6 {
table ip global table ip global
delete table ip global delete table ip global
table ip global { table ip global {
set denylist { set denylist {
type ipv4_addr type ipv4_addr
flags dynamic, timeout flags dynamic, timeout
timeout 2m timeout 2m
} }
chain input { chain input {
type filter hook input priority filter type filter hook input priority filter
policy drop policy drop
# if somebody sent to many new connections to the gateway, it an attack. # if somebody sent to many new connections to the gateway, it an attack.
ip protocol tcp ct state new, untracked limit rate over 10/minute add @denylist { ip saddr } ip protocol tcp ct state new, untracked limit rate over 10/minute add @denylist { ip saddr }
ip saddr @denylist drop ip saddr @denylist drop
ct state established accept ct state established accept
iifname $vict_if icmp type echo-request limit rate 5/second accept iifname $vict_if icmp type echo-request limit rate 5/second accept
iifname $vict_if tcp dport 22 accept iifname $vict_if tcp dport 22 accept
iifname lo accept iifname lo accept
}
chain output {
type filter hook output priority filter
policy drop
udp dport 53 limit rate 20/second accept }
tcp dport 80 limit rate 20/second accept chain output {
tcp dport 443 limit rate 20/second accept type filter hook output priority filter
icmp type echo-request limit rate 5/second accept policy drop
oifname $vict_if ct state established accept
# accept to say on the victim interface that the gateway is up. udp dport 53 limit rate 20/second accept
# oifname $vict_if icmp type echo-reply limit rate 5/second accept tcp dport 80 limit rate 20/second accept
oifname lo accept tcp dport 443 limit rate 20/second accept
} icmp type echo-request limit rate 5/second accept
chain forward { oifname $vict_if ct state established accept
type filter hook forward priority filter
policy drop
# Block temporarly ip addresses that attemps more than 10 tcp connection per minutes from external network # accept to say on the victim interface that the gateway is up.
iifname $ext_if ip protocol tcp ct state new, untracked limit rate over 10/minute add @denylist { ip saddr } # oifname $vict_if icmp type echo-reply limit rate 5/second accept
ip saddr @denylist drop oifname lo accept
}
chain forward {
# general authorisations type filter hook forward priority filter
icmp type echo-reply accept policy drop
# dmz interface specific
oifname $dmz_if icmp type echo-request limit rate 5/second accept
oifname $dmz_if tcp dport 80 accept
iifname $dmz_if ct state established tcp sport 80 accept
# external interface specific # Block temporarly ip addresses that attemps more than 10 tcp connection per minutes from external network
oifname $ext_if icmp type echo-request accept iifname $ext_if ip protocol tcp ct state new, untracked limit rate over 10/minute add @denylist { ip saddr }
oifname $ext_if udp dport 53 accept ip saddr @denylist drop
iifname $ext_if ct state established udp sport 53 accept
oifname $ext_if tcp dport 80 accept
iifname $ext_if ct state established tcp sport 80 accept
oifname $ext_if tcp dport 443 accept
iifname $ext_if ct state established tcp sport 443 accept
# victim interface specific
iifname $vict_if tcp dport 22 accept # general authorisations
oifname $vict_if ct state established tcp sport 22 accept icmp type echo-reply accept
# block for two minutes everything else that is from the public interface. # dmz interface specific
iifname { $ext_if, $dmz_if } add @denylist { ip saddr } oifname $dmz_if icmp type echo-request limit rate 5/second accept
} oifname $dmz_if tcp dport 80 accept
iifname $dmz_if ct state established tcp sport 80 accept
# external interface specific
oifname $ext_if icmp type echo-request accept
oifname $ext_if udp dport 53 accept
iifname $ext_if ct state established udp sport 53 accept
oifname $ext_if tcp dport 80 accept
iifname $ext_if ct state established tcp sport 80 accept
oifname $ext_if tcp dport 443 accept
iifname $ext_if ct state established tcp sport 443 accept
# victim interface specific
iifname $vict_if tcp dport 22 accept
oifname $vict_if ct state established tcp sport 22 accept
# block for two minutes everything else that is from the public interface.
iifname { $ext_if, $dmz_if } add @denylist { ip saddr }
}
} }