| 123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104 |
- #!/usr/sbin/nft -f
- # Well known ports 0:1023
- # Registered ports 1024:49151
- # Goldielocks zone 32768:65535
- # Dynamic/Private 49152:65535
- #
- # WAN 86.83.121.29
- # vps 185.66.250.42
- # tor-exit 185.87.185.45
- # To preent double enries when loading rules when rule smight already be present.
- flush ruleset
- # IPv6 specific
- #add table ip6 filter
- #add chain ip6 filter INPUT { type filter hook input priority 0; policy accept; }
- #add chain ip6 filter FORWARD { type filter hook forward priority 0; policy accept; }
- #add chain ip6 filter OUTPUT { type filter hook output priority 0; policy accept; }
- #add chain ip6 filter clutter
- # inet = IPv4 & IPv6 combined
- add table inet filter
- add chain inet filter INPUT { type filter hook input priority 0; policy accept; }
- add chain inet filter FORWARD { type filter hook forward priority 0; policy accept; }
- add chain inet filter OUTPUT { type filter hook output priority 0; policy accept; }
- add chain inet filter clutter
- # Local loopback
- add rule inet filter INPUT iifname != "lo" ip daddr 127.0.0.0/8 limit rate 5/minute burst 5 packets counter log prefix "iptables dropped 127.0.0.0/8," level debug
- add rule inet filter INPUT iifname != "lo" ip daddr 127.0.0.0/8 counter drop
- add rule inet filter INPUT iifname "lo" counter accept
- add rule inet filter OUTPUT oifname "lo" counter accept
- # Active connections
- add rule inet filter INPUT ct state related,established counter accept
- add rule inet filter OUTPUT ct state related,established counter accept
- # ICMPv6 accept neighbour discovery otherwise IPv6 connectivity breaks | Accept dynamic IPv6 configuration (DHCP) | Accept sending of listenerreport
- add rule inet filter INPUT ip6 nexthdr icmpv6 icmpv6 type { nd-redirect, nd-neighbor-solicit, nd-router-advert, nd-neighbor-advert } accept
- add rule inet filter OUTPUT ip6 nexthdr icmpv6 icmpv6 type { nd-redirect, nd-neighbor-solicit, nd-router-advert, nd-neighbor-advert, echo-request, mld2-listener-report } accept # mld2-listener-report does not seem to work, TYPE 143 is not filtered out.
- add rule inet filter OUTPUT icmpv6 type { mld2-listener-report } accept # Workaround for mld2-listener-report from the previous line
- # ICMP ping
- add rule inet filter OUTPUT icmp type echo-request counter accept
- # SSH
- add rule inet filter INPUT tcp sport 1024-65535 tcp dport 22 counter accept
- add rule inet filter OUTPUT tcp sport 32768-65535 tcp dport 22 counter accept
- # WHOIS
- add rule inet filter OUTPUT tcp sport 32768-65535 tcp dport 43 counter accept
- # DNS
- add rule inet filter OUTPUT udp sport 1024-65535 udp dport 53 counter accept
- add rule inet filter OUTPUT tcp sport 32768-65535 tcp dport 53 counter accept
- add rule inet filter INPUT meter DNSTHROTTLE_UDP_INGRESS { ip saddr and 255.255.255.0 timeout 60s limit rate 30/minute burst 10 packets} udp sport 1024-65535 udp dport 53 counter accept
- add rule inet filter INPUT meter DNSTHROTTLE_TCP_INGRESS { ip saddr and 255.255.255.0 timeout 60s limit rate 30/minute burst 10 packets} tcp sport 32768-65535 tcp dport 53 counter accept
- #add rule inet filter INPUT udp sport 1024-65535 udp dport 53 counter accept
- #add rule inet filter INPUT tcp sport 32768-65535 tcp dport 53 counter accept
- # DHCP client
- add rule inet filter INPUT ip daddr 255.255.255.255 udp sport 67 udp dport 68 counter accept
- add rule inet filter OUTPUT udp sport 68 udp dport 67 counter accept
- # HTTP(s)
- add rule inet filter INPUT tcp dport 80 counter accept
- add rule inet filter OUTPUT tcp sport 32768-65535 tcp dport 80 counter accept
- add rule inet filter INPUT tcp dport 443 counter accept
- add rule inet filter OUTPUT tcp sport 32768-65535 tcp dport 443 counter accept
- # NTP
- add rule inet filter OUTPUT udp sport 32768-65535 udp dport 123 counter accept
- # Privoxy
- add rule inet filter INPUT tcp sport 32768-65535 tcp dport 8118 counter accept comment "Privoxy"
- # OpenPGP HTTP Key servers
- add rule inet filter OUTPUT tcp sport 32768-65535 tcp dport 11371 counter accept comment "OpenPGP HTTP key servers"
- # Traceroute
- add rule inet filter OUTPUT udp sport 32768-65535 udp dport 6881-33534 counter accept comment "Traceroute"
- # Attacks, crawls, scans, etc to clutter chain
- add rule inet filter INPUT ip protocol icmp counter jump clutter
- add rule inet filter INPUT ip daddr 255.255.255.255 counter jump clutter comment "Broadcast messages"
- add rule inet filter INPUT udp dport 19 counter jump clutter comment "Character generator, looping to echo = DDoS"
- add rule inet filter INPUT tcp dport 23 counter jump clutter
- add rule inet filter INPUT udp dport 53 counter jump clutter
- add rule inet filter INPUT udp dport 111 counter jump clutter comment "Probe/fingerprint Nix OS"
- add rule inet filter INPUT tcp dport 445 counter jump clutter comment "MS-DS active directory"
- add rule inet filter INPUT tcp dport 2323 counter jump clutter comment "3d-nfsd"
- add rule inet filter INPUT udp dport 5060 counter jump clutter
- add rule inet filter INPUT tcp dport 3389 counter jump clutter comment "MS terminal server RDP"
- # Log & drop
- add rule inet filter INPUT limit rate 5/minute burst 5 packets counter log prefix "netfilter dropped: " level debug
- add rule inet filter INPUT counter drop
- add rule inet filter FORWARD limit rate 5/minute burst 5 packets counter log prefix "netfilter forward dropped: " level debug
- add rule inet filter FORWARD counter drop
- add rule inet filter OUTPUT limit rate 5/minute burst 5 packets counter log prefix "netfilter rejected: " level debug
- add rule inet filter OUTPUT counter reject
- add rule inet filter clutter limit rate 5/minute burst 5 packets counter log prefix "netfilter clutter dropped: " level debug
- add rule inet filter clutter counter drop
|
