reindentation of the file
This commit is contained in:
parent
b9704b9b9b
commit
3164a727cc
1 changed files with 72 additions and 72 deletions
144
nftables.conf
144
nftables.conf
@ -1,5 +1,5 @@
#!/usr/bin/nft -f
|
#!/usr/bin/nft -f
|
||||||
# vim:set ts=2 sw=2 et:
|
# vim:set ts=4 sw=4 et:
|
||||||
|
|
||||||
# IPv4/IPv6 Simple & Safe firewall ruleset.
|
# IPv4/IPv6 Simple & Safe firewall ruleset.
|
||||||
# More examples in /usr/share/nftables/ and /usr/share/doc/nftables/examples/.
|
# More examples in /usr/share/nftables/ and /usr/share/doc/nftables/examples/.
|
||||||
|
@ -27,18 +27,18 @@ define all_if = { $ext_if, $vict_if, $dmz_if }
|
||||||
table ip6 block_all_ipv6
|
table ip6 block_all_ipv6
|
||||||
delete table ip6 block_all_ipv6
|
delete table ip6 block_all_ipv6
|
||||||
table ip6 block_all_ipv6 {
|
table ip6 block_all_ipv6 {
|
||||||
chain block_input {
|
chain block_input {
|
||||||
type filter hook input priority filter
|
type filter hook input priority filter
|
||||||
policy drop
|
policy drop
|
||||||
}
|
}
|
||||||
chain block_output {
|
chain block_output {
|
||||||
type filter hook output priority filter
|
type filter hook output priority filter
|
||||||
policy drop
|
policy drop
|
||||||
}
|
}
|
||||||
chain block_forward {
|
chain block_forward {
|
||||||
type filter hook forward priority filter
|
type filter hook forward priority filter
|
||||||
policy drop
|
policy drop
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
||||||
|
@ -46,72 +46,72 @@ table ip6 block_all_ipv6 {
|
||||||
table ip global
|
table ip global
|
||||||
delete table ip global
|
delete table ip global
|
||||||
table ip global {
|
table ip global {
|
||||||
set denylist {
|
set denylist {
|
||||||
type ipv4_addr
|
type ipv4_addr
|
||||||
flags dynamic, timeout
|
flags dynamic, timeout
|
||||||
timeout 2m
|
timeout 2m
|
||||||
}
|
}
|
||||||
chain input {
|
chain input {
|
||||||
type filter hook input priority filter
|
type filter hook input priority filter
|
||||||
policy drop
|
policy drop
|
||||||
|
|
||||||
# if somebody sent to many new connections to the gateway, it an attack.
|
# if somebody sent to many new connections to the gateway, it an attack.
|
||||||
ip protocol tcp ct state new, untracked limit rate over 10/minute add @denylist { ip saddr }
|
ip protocol tcp ct state new, untracked limit rate over 10/minute add @denylist { ip saddr }
|
||||||
ip saddr @denylist drop
|
ip saddr @denylist drop
|
||||||
|
|
||||||
ct state established accept
|
ct state established accept
|
||||||
iifname $vict_if icmp type echo-request limit rate 5/second accept
|
iifname $vict_if icmp type echo-request limit rate 5/second accept
|
||||||
iifname $vict_if tcp dport 22 accept
|
iifname $vict_if tcp dport 22 accept
|
||||||
iifname lo accept
|
iifname lo accept
|
||||||
|
|
||||||
}
|
|
||||||
chain output {
|
|
||||||
type filter hook output priority filter
|
|
||||||
policy drop
|
|
||||||
|
|
||||||
udp dport 53 limit rate 20/second accept
|
}
|
||||||
tcp dport 80 limit rate 20/second accept
|
chain output {
|
||||||
tcp dport 443 limit rate 20/second accept
|
type filter hook output priority filter
|
||||||
icmp type echo-request limit rate 5/second accept
|
policy drop
|
||||||
oifname $vict_if ct state established accept
|
|
||||||
|
|
||||||
# accept to say on the victim interface that the gateway is up.
|
udp dport 53 limit rate 20/second accept
|
||||||
# oifname $vict_if icmp type echo-reply limit rate 5/second accept
|
tcp dport 80 limit rate 20/second accept
|
||||||
oifname lo accept
|
tcp dport 443 limit rate 20/second accept
|
||||||
}
|
icmp type echo-request limit rate 5/second accept
|
||||||
chain forward {
|
oifname $vict_if ct state established accept
|
||||||
type filter hook forward priority filter
|
|
||||||
policy drop
|
|
||||||
|
|
||||||
# Block temporarly ip addresses that attemps more than 10 tcp connection per minutes from external network
|
# accept to say on the victim interface that the gateway is up.
|
||||||
iifname $ext_if ip protocol tcp ct state new, untracked limit rate over 10/minute add @denylist { ip saddr }
|
# oifname $vict_if icmp type echo-reply limit rate 5/second accept
|
||||||
ip saddr @denylist drop
|
oifname lo accept
|
||||||
|
}
|
||||||
|
chain forward {
|
||||||
# general authorisations
|
type filter hook forward priority filter
|
||||||
icmp type echo-reply accept
|
policy drop
|
||||||
|
|
||||||
# dmz interface specific
|
|
||||||
oifname $dmz_if icmp type echo-request limit rate 5/second accept
|
|
||||||
oifname $dmz_if tcp dport 80 accept
|
|
||||||
iifname $dmz_if ct state established tcp sport 80 accept
|
|
||||||
|
|
||||||
# external interface specific
|
# Block temporarly ip addresses that attemps more than 10 tcp connection per minutes from external network
|
||||||
oifname $ext_if icmp type echo-request accept
|
iifname $ext_if ip protocol tcp ct state new, untracked limit rate over 10/minute add @denylist { ip saddr }
|
||||||
oifname $ext_if udp dport 53 accept
|
ip saddr @denylist drop
|
||||||
iifname $ext_if ct state established udp sport 53 accept
|
|
||||||
oifname $ext_if tcp dport 80 accept
|
|
||||||
iifname $ext_if ct state established tcp sport 80 accept
|
|
||||||
oifname $ext_if tcp dport 443 accept
|
|
||||||
iifname $ext_if ct state established tcp sport 443 accept
|
|
||||||
|
|
||||||
# victim interface specific
|
|
||||||
iifname $vict_if tcp dport 22 accept
|
# general authorisations
|
||||||
oifname $vict_if ct state established tcp sport 22 accept
|
icmp type echo-reply accept
|
||||||
|
|
||||||
# block for two minutes everything else that is from the public interface.
|
# dmz interface specific
|
||||||
iifname { $ext_if, $dmz_if } add @denylist { ip saddr }
|
oifname $dmz_if icmp type echo-request limit rate 5/second accept
|
||||||
}
|
oifname $dmz_if tcp dport 80 accept
|
||||||
|
iifname $dmz_if ct state established tcp sport 80 accept
|
||||||
|
|
||||||
|
# external interface specific
|
||||||
|
oifname $ext_if icmp type echo-request accept
|
||||||
|
oifname $ext_if udp dport 53 accept
|
||||||
|
iifname $ext_if ct state established udp sport 53 accept
|
||||||
|
oifname $ext_if tcp dport 80 accept
|
||||||
|
iifname $ext_if ct state established tcp sport 80 accept
|
||||||
|
oifname $ext_if tcp dport 443 accept
|
||||||
|
iifname $ext_if ct state established tcp sport 443 accept
|
||||||
|
|
||||||
|
# victim interface specific
|
||||||
|
iifname $vict_if tcp dport 22 accept
|
||||||
|
oifname $vict_if ct state established tcp sport 22 accept
|
||||||
|
|
||||||
|
# block for two minutes everything else that is from the public interface.
|
||||||
|
iifname { $ext_if, $dmz_if } add @denylist { ip saddr }
|
||||||
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
||||||
|
|