update nftables
This commit is contained in:
parent
712c87c530
commit
7e86c93941
62
host/nftables/nftables.exterior.rules
Normal file
62
host/nftables/nftables.exterior.rules
Normal file
@ -0,0 +1,62 @@
|
||||
table ip hybrid {
|
||||
chain POSTROUTING {
|
||||
type nat hook postrouting priority 0; policy accept;
|
||||
oifname "WAN" ip saddr 198.18.48.0/20 counter masquerade comment "masqueraded egress-routed clients";
|
||||
}
|
||||
|
||||
chain PREROUTING {
|
||||
iif "WAN" tcp dport { 6667, 6697 } counter dnat 100.64.48.10 comment "general access leaf";
|
||||
iif "WAN" tcp dport { 6668, 6698 } counter dnat 100.64.48.18 comment "proxy dmz access leaf";
|
||||
iif "WAN" tcp dport { 7777 } counter dnat 100.64.48.14:6667 comment "edge uplink hub";
|
||||
iif "WAN" tcp dport { 7797 } counter dnat 100.64.48.14:6697 comment "TLS edge uplink hub";
|
||||
iif "WAN" tcp dport { 6666 } counter dnat 100.64.48.22:6667 comment "oper bouncer";
|
||||
iif "WAN" tcp dport { 6696 } counter dnat 100.64.48.22:6667 comment "TLS oper bouncer";
|
||||
}
|
||||
}
|
||||
|
||||
table inet filter {
|
||||
chain INVALID {
|
||||
limit rate 2/second burst 3 packets counter log prefix "NFBAD: " comment "invalid logged";
|
||||
counter drop comment "invalid dropped";
|
||||
}
|
||||
|
||||
chain input {
|
||||
type filter hook input priority 0; policy drop;
|
||||
ct state invalid counter jump INVALID comment "(CT) invalid on INPUT chain";
|
||||
iifname "lo" ip saddr 127.0.0.0/8 ip daddr 127.0.0.0/8 counter accept comment "anything in via loop-back";
|
||||
ct state {established, related} counter accept comment "related/established in to docker host";
|
||||
tcp dport 22 counter accept comment "SSH to host";
|
||||
udp sport 53 ip saddr 100.64.48.0/20 ip daddr 100.64.48.0/20 counter accept comment "UDP DNS query from egress (100.64.48.0/20)";
|
||||
limit rate 15/second burst 3 packets counter log prefix "NF_IN: " comment "input unmatched log";
|
||||
counter drop comment "input dropped";
|
||||
}
|
||||
|
||||
chain ct_fwd {
|
||||
ip saddr 100.64.48.0/20 ip daddr 100.64.16.0/20 counter accept comment "internally-routed response to egress";
|
||||
ip saddr 100.64.0.0/20 ip daddr 100.64.16.0/20 counter accept comment "internally-routed response to null-routed";
|
||||
ip saddr 100.64.48.0/20 ip daddr != 100.64.0.0/17 counter accept comment "any & !partition response to egress";
|
||||
}
|
||||
|
||||
chain forward {
|
||||
type filter hook forward priority 0; policy drop;
|
||||
ct state invalid counter jump INVALID comment "(CT) invalid on FORWARD chain";
|
||||
ct state { established, related } jump ct_fwd comment "jump to CT forward chain";
|
||||
ip saddr 100.64.48.0/20 ip daddr 100.64.16.0/20 counter accept comment "egress (100.64.48.0/20) to internally-routed (100.64.16.0/20)";
|
||||
ip saddr 100.64.48.0/20 ip daddr != 100.64.0.0/17 counter accept comment "egress (100.64.48.0/20) to global but not to partition (100.64.0.0/17)";
|
||||
ip saddr 100.64.0.0/20 ip daddr 100.64.16.0/20 counter accept comment "null-routed (100.64.0.0/20) to internally-routed (10.64.16.0/20)";
|
||||
ip saddr 100.64.0.0/20 counter drop comment "null-routed (100.64.0.0/20) are null-routed";
|
||||
ip daddr 100.64.64.0/20 counter drop comment "do not forward to general-purpose (100.64.64.0/20)";
|
||||
ip saddr 100.64.64.0/20 counter drop comment "do not forward from general-purpose (100.64.64.0/20)";
|
||||
limit rate 15/second burst 3 packets counter log prefix "NFFWD: " comment "forward unmatched log";
|
||||
counter drop comment "forward dropped";
|
||||
}
|
||||
|
||||
chain output {
|
||||
type filter hook output priority 0; policy drop;
|
||||
ct state invalid counter jump INVALID comment "(CT) invalid on OUTPUT chain";
|
||||
udp sport 53 ip saddr 100.64.48.0/20 ip daddr 100.64.48.0/20 counter accept comment "UDP DNS query response to egress (100.64.48.0/20)";
|
||||
oifname "WAN" counter accept comment "* via default interface";
|
||||
limit rate 15/second burst 3 packets counter log prefix "NFOUT: " comment "output unmatched log";
|
||||
counter drop comment "output dropped";
|
||||
}
|
||||
}
|
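Review bot: The PREROUTING chain in `table ip hybrid` has no base-chain declaration, so as written it is a regular chain that no hook delivers packets to and none of the six dnat rules inside it can ever fire; it needs the counterpart of the POSTROUTING line, `type nat hook prerouting priority -100; policy accept;`. Even once the translation applies, the forward chain has no rule for the translated connections (arbitrary WAN source, destination in 100.64.48.0/20), so their first packet falls through to the NFFWD log and the final `counter drop` — a rule such as `iifname "WAN" ct status dnat ct state new counter accept comment "DNAT'd inbound to leaves";` placed before the egress rules would admit only what PREROUTING has translated. The "TLS oper bouncer" rule maps 6696 to 100.64.48.22:6667, the same port as the non-TLS rule above it, while the other TLS pair maps 7797 to 6697; this looks like a copy-paste slip, so the intended port should be confirmed. The output chain (policy drop, identical in nftables.top_site.rules) accepts nothing on `lo` and has no `ct state { established, related }` accept, so locally generated loopback packets are dropped before the input chain's loopback rule can see them, and replies to accepted inbound connections such as SSH are delivered only when they leave via WAN.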
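--- a/<DELETED-FILE-PATH-NOT-SHOWN-ON-PAGE>
+++ /dev/null
@@ -1,34 +0,0 @@
-table inet hybrid {
-chain POSTROUTING {
-type nat hook postrouting priority 0; policy accept;
-oifname "WAN" ip saddr 198.18.48.0/20 counter masquerade comment "masqueraded egress-routed clients"
-}
-
-chain input {
-type filter hook input priority 0; policy accept;
-ct state {established, related} counter accept comment "related/established in to docker host";
-udp sport 53 ip saddr 100.64.48.0/20 ip daddr 100.64.48.0/20 counter accept comment "UDP DNS query from egress (100.64.48.0/20)";
-}
-
-chain ct_fwd {
-ip saddr 100.64.48.0/20 ip daddr 100.64.16.0/20 counter accept comment "internally-routed response to egress";
-ip saddr 100.64.0.0/20 ip daddr 100.64.16.0/20 counter accept comment "internally-routed response to null-routed";
-ip saddr 100.64.48.0/20 ip daddr != 100.64.0.0/17 counter accept comment "any & !partition response to egress";
-}
-
-chain forward {
-type filter hook forward priority 0; policy accept;
-ct state {established, related} jump ct_fwd;
-ip saddr 100.64.48.0/20 ip daddr 100.64.16.0/20 counter accept comment "egress (100.64.48.0/20) to internally-routed (100.64.16.0/20)";
-ip saddr 100.64.48.0/20 ip daddr != 100.64.0.0/17 counter accept comment "egress (100.64.48.0/20) to global but not to partition (100.64.0.0/17)";
-ip saddr 100.64.0.0/20 ip daddr 100.64.16.0/20 counter accept comment "null-routed (100.64.0.0/20) to internally-routed (10.64.16.0/20)";
-ip saddr 100.64.0.0/20 counter drop comment "null-routed (100.64.0.0/20) are null-routed";
-ip daddr 100.64.64.0/20 counter drop comment "do not forward to general-purpose (100.64.64.0/20)";
-ip saddr 100.64.64.0/20 counter drop comment "do not forward from general-purpose (100.64.64.0/20)";
-}
-
-chain output {
-type filter hook output priority 0; policy accept;
-udp sport 53 ip saddr 100.64.48.0/20 ip daddr 100.64.48.0/20 counter accept comment "UDP DNS query response to egress (100.64.48.0/20)";
-}
-}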
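--- /dev/null
+++ b/host/nftables/nftables.top_site.rules
@@ -0,0 +1,56 @@
+table ip hybrid {
+chain POSTROUTING {
+type nat hook postrouting priority 0; policy accept;
+oifname "WAN" ip saddr 198.18.48.0/20 counter masquerade comment "masqueraded egress-routed clients";
+}
+
+chain PREROUTING {
+}
+}
+
+table inet filter {
+chain INVALID {
+limit rate 2/second burst 3 packets counter log prefix "NFBAD: " comment "invalid logged";
+counter drop comment "invalid dropped";
+}
+
+chain input {
+type filter hook input priority 0; policy drop;
+ct state invalid counter jump INVALID comment "(CT) invalid on INPUT chain";
+iifname "lo" ip saddr 127.0.0.0/8 ip daddr 127.0.0.0/8 counter accept comment "anything in via loop-back";
+ct state {established, related} counter accept comment "related/established in to docker host";
+tcp dport 22 counter accept comment "SSH to host";
+udp sport 53 ip saddr 100.64.48.0/20 ip daddr 100.64.48.0/20 counter accept comment "UDP DNS query from egress (100.64.48.0/20)";
+limit rate 15/second burst 3 packets counter log prefix "NF_IN: " comment "input unmatched log";
+counter drop comment "input dropped";
+}
+
+chain ct_fwd {
+ip saddr 100.64.48.0/20 ip daddr 100.64.16.0/20 counter accept comment "internally-routed response to egress";
+ip saddr 100.64.0.0/20 ip daddr 100.64.16.0/20 counter accept comment "internally-routed response to null-routed";
+ip saddr 100.64.48.0/20 ip daddr != 100.64.0.0/17 counter accept comment "any & !partition response to egress";
+}
+
+chain forward {
+type filter hook forward priority 0; policy drop;
+ct state invalid counter jump INVALID comment "(CT) invalid on FORWARD chain";
+ct state { established, related } jump ct_fwd comment "jump to CT forward chain";
+ip saddr 100.64.48.0/20 ip daddr 100.64.16.0/20 counter accept comment "egress (100.64.48.0/20) to internally-routed (100.64.16.0/20)";
+ip saddr 100.64.48.0/20 ip daddr != 100.64.0.0/17 counter accept comment "egress (100.64.48.0/20) to global but not to partition (100.64.0.0/17)";
+ip saddr 100.64.0.0/20 ip daddr 100.64.16.0/20 counter accept comment "null-routed (100.64.0.0/20) to internally-routed (10.64.16.0/20)";
+ip saddr 100.64.0.0/20 counter drop comment "null-routed (100.64.0.0/20) are null-routed";
+ip daddr 100.64.64.0/20 counter drop comment "do not forward to general-purpose (100.64.64.0/20)";
+ip saddr 100.64.64.0/20 counter drop comment "do not forward from general-purpose (100.64.64.0/20)";
+limit rate 15/second burst 3 packets counter log prefix "NFFWD: " comment "forward unmatched log";
+counter drop comment "forward dropped";
+}
+
+chain output {
+type filter hook output priority 0; policy drop;
+ct state invalid counter jump INVALID comment "(CT) invalid on OUTPUT chain";
+udp sport 53 ip saddr 100.64.48.0/20 ip daddr 100.64.48.0/20 counter accept comment "UDP DNS query response to egress (100.64.48.0/20)";
+oifname "WAN" counter accept comment "* via default interface";
+limit rate 15/second burst 3 packets counter log prefix "NFOUT: " comment "output unmatched log";
+counter drop comment "output dropped";
+}
+}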
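Review bot: The empty PREROUTING chain in `table ip hybrid` carries no `type nat hook prerouting ...` line, so it loads as a regular chain that nothing jumps to and has no effect at all. Either give it the declaration `type nat hook prerouting priority -100; policy accept;` so it is live when site-specific dnat rules are added, or remove the empty chain. A one-line `#` comment above it stating that this site intentionally performs no inbound translation would make the intent clear without cross-reading the exterior rules file.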