Ana Sayfa Keşfet Yardım
Üye Ol Giriş Yap
tBKwtWS
/
netfilter-config
1
0
Çatalla 0
Dosyalar
Dal: vps.h0v1n8
Dallar Biçim İmleri
netfilter-confi...
/
nftables.test.rules

nftables.test.rules 5.5 KB
Kalıcı Bağlantı Geçmiş Ham

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104 
  1. #!/usr/sbin/nft -f
    2. 

  2. 

  3. # Well known ports      0:1023
    4. 

  4. # Registered ports      1024:49151
    5. 

  5. # Goldielocks zone      32768:65535
    6. 

  6. # Dynamic/Private       49152:65535
    7. 

  7. #
    8. 

  8. # WAN			86.83.121.29
    9. 

  9. # vps			185.66.250.42
    10. 

  10. # tor-exit		185.87.185.45
    11. 

  11. 

  12. # To preent double enries when loading rules when rule smight already be present.
    13. 

  13. flush ruleset
    14. 

  14. 

  15. # IPv6 specific
    16. 

  16. #add table ip6 filter
    17. 

  17. #add chain ip6 filter INPUT { type filter hook input priority 0; policy accept; }
    18. 

  18. #add chain ip6 filter FORWARD { type filter hook forward priority 0; policy accept; }
    19. 

  19. #add chain ip6 filter OUTPUT { type filter hook output priority 0; policy accept; }
    20. 

  20. #add chain ip6 filter clutter
    21. 

  21. 

  22. # inet = IPv4 & IPv6 combined
    23. 

  23. add table inet filter
    24. 

  24. add chain inet filter INPUT { type filter hook input priority 0; policy accept; }
    25. 

  25. add chain inet filter FORWARD { type filter hook forward priority 0; policy accept; }
    26. 

  26. add chain inet filter OUTPUT { type filter hook output priority 0; policy accept; }
    27. 

  27. add chain inet filter clutter
    28. 

  28. 

  29. # Local loopback
    30. 

  30. add rule inet filter INPUT iifname != "lo" ip daddr 127.0.0.0/8 limit rate 5/minute burst 5 packets counter log prefix "iptables dropped 127.0.0.0/8," level debug
    31. 

  31. add rule inet filter INPUT iifname != "lo" ip daddr 127.0.0.0/8 counter drop
    32. 

  32. add rule inet filter INPUT iifname "lo" counter accept
    33. 

  33. add rule inet filter OUTPUT oifname "lo" counter accept
    34. 

  34. 

  35. # Active connections
    36. 

  36. add rule inet filter INPUT ct state related,established counter accept
    37. 

  37. add rule inet filter OUTPUT ct state related,established counter accept
    38. 

  38. 

  39. # ICMPv6 accept neighbour discovery otherwise IPv6 connectivity breaks | Accept dynamic IPv6 configuration (DHCP) | Accept sending of listenerreport
    40. 

  40. add rule inet filter INPUT ip6 nexthdr icmpv6 icmpv6 type { nd-redirect, nd-neighbor-solicit, nd-router-advert, nd-neighbor-advert } accept
    41. 

  41. add rule inet filter OUTPUT ip6 nexthdr icmpv6 icmpv6 type { nd-redirect, nd-neighbor-solicit, nd-router-advert, nd-neighbor-advert, echo-request, mld2-listener-report } accept # mld2-listener-report does not seem to work, TYPE 143 is not filtered out.
    42. 

  42. add rule inet filter OUTPUT icmpv6 type { mld2-listener-report } accept	# Workaround for mld2-listener-report from the previous line
    43. 

  43. 

  44. # ICMP ping
    45. 

  45. add rule inet filter OUTPUT icmp type echo-request counter accept
    46. 

  46. 

  47. # SSH
    48. 

  48. add rule inet filter INPUT tcp sport 1024-65535 tcp dport 22 counter accept
    49. 

  49. add rule inet filter OUTPUT tcp sport 32768-65535 tcp dport 22 counter accept
    50. 

  50. 

  51. # WHOIS
    52. 

  52. add rule inet filter OUTPUT tcp sport 32768-65535 tcp dport 43 counter accept
    53. 

  53. 

  54. # DNS
    55. 

  55. add rule inet filter OUTPUT udp sport 1024-65535 udp dport 53 counter accept
    56. 

  56. add rule inet filter OUTPUT tcp sport 32768-65535 tcp dport 53 counter accept
    57. 

  57. add rule inet filter INPUT meter DNSTHROTTLE_UDP_INGRESS { ip saddr and 255.255.255.0 timeout 60s limit rate 30/minute burst 10 packets} udp sport 1024-65535 udp dport 53 counter accept
    58. 

  58. add rule inet filter INPUT meter DNSTHROTTLE_TCP_INGRESS { ip saddr and 255.255.255.0 timeout 60s limit rate 30/minute burst 10 packets} tcp sport 32768-65535 tcp dport 53 counter accept
    59. 

  59. #add rule inet filter INPUT udp sport 1024-65535 udp dport 53 counter accept
    60. 

  60. #add rule inet filter INPUT tcp sport 32768-65535 tcp dport 53 counter accept
    61. 

  61. 

  62. # DHCP client
    63. 

  63. add rule inet filter INPUT ip daddr 255.255.255.255 udp sport 67 udp dport 68 counter accept
    64. 

  64. add rule inet filter OUTPUT udp sport 68 udp dport 67 counter accept
    65. 

  65. 

  66. # HTTP(s)
    67. 

  67. add rule inet filter INPUT tcp dport 80 counter accept
    68. 

  68. add rule inet filter OUTPUT tcp sport 32768-65535 tcp dport 80 counter accept
    69. 

  69. add rule inet filter INPUT tcp dport 443 counter accept
    70. 

  70. add rule inet filter OUTPUT tcp sport 32768-65535 tcp dport 443 counter accept
    71. 

  71. 

  72. # NTP
    73. 

  73. add rule inet filter OUTPUT udp sport 32768-65535 udp dport 123 counter accept
    74. 

  74. 

  75. # Privoxy
    76. 

  76. add rule inet filter INPUT tcp sport 32768-65535 tcp dport 8118 counter accept comment "Privoxy"
    77. 

  77. 

  78. # OpenPGP HTTP Key servers
    79. 

  79. add rule inet filter OUTPUT tcp sport 32768-65535 tcp dport 11371 counter accept comment "OpenPGP HTTP key servers"
    80. 

  80. 

  81. # Traceroute
    82. 

  82. add rule inet filter OUTPUT udp sport 32768-65535 udp dport 6881-33534 counter accept comment "Traceroute"
    83. 

  83. 

  84. # Attacks, crawls, scans, etc to clutter chain
    85. 

  85. add rule inet filter INPUT ip protocol icmp counter jump clutter
    86. 

  86. add rule inet filter INPUT ip daddr 255.255.255.255 counter jump clutter comment "Broadcast messages"
    87. 

  87. add rule inet filter INPUT udp dport 19 counter jump clutter comment "Character generator, looping to echo = DDoS"
    88. 

  88. add rule inet filter INPUT tcp dport 23 counter jump clutter
    89. 

  89. add rule inet filter INPUT udp dport 53 counter jump clutter
    90. 

  90. add rule inet filter INPUT udp dport 111 counter jump clutter comment "Probe/fingerprint Nix OS"
    91. 

  91. add rule inet filter INPUT tcp dport 445 counter jump clutter comment "MS-DS active directory"
    92. 

  92. add rule inet filter INPUT tcp dport 2323 counter jump clutter comment "3d-nfsd"
    93. 

  93. add rule inet filter INPUT udp dport 5060 counter jump clutter
    94. 

  94. add rule inet filter INPUT tcp dport 3389 counter jump clutter comment "MS terminal server RDP"
    95. 

  95. 

  96. # Log & drop
    97. 

  97. add rule inet filter INPUT limit rate 5/minute burst 5 packets counter log prefix "netfilter dropped: " level debug
    98. 

  98. add rule inet filter INPUT counter drop
    99. 

  99. add rule inet filter FORWARD limit rate 5/minute burst 5 packets counter log prefix "netfilter forward dropped: " level debug
    100. 

  100. add rule inet filter FORWARD counter drop
    101. 

  101. add rule inet filter OUTPUT limit rate 5/minute burst 5 packets counter log prefix "netfilter rejected: " level debug
    102. 

  102. add rule inet filter OUTPUT counter reject
    103. 

  103. add rule inet filter clutter limit rate 5/minute burst 5 packets counter log prefix "netfilter clutter dropped: " level debug
    104. 

  104. add rule inet filter clutter counter drop
    105.