-
Notifications
You must be signed in to change notification settings - Fork 0
/
Copy pathserver.nft
63 lines (57 loc) · 2.32 KB
/
server.nft
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
table inet filter {
map input_vmap {
type inet_proto : verdict
elements = { tcp : jump TCP, udp : jump UDP }
}
set web {
type inet_service
flags interval
}
chain input {
type filter hook input priority 0; policy drop;
iif "lo" accept comment "Accept any localhost traffic"
iif != "lo" ip daddr 127.0.0.0/8 counter packets 0 bytes 0 drop comment "drop connections to loopback not coming from loopback"
ct state invalid log prefix "Invalid-Input: " level info flags all counter packets 95 bytes 6479 drop comment "Drop invalid connections"
icmp type echo-request limit rate 20 bytes/second burst 500 bytes counter packets 17 bytes 2040 accept comment "No ping floods"
icmp type echo-request drop comment "No ping floods"
ct state { established, related } counter packets 172135 bytes 99807569 accept comment "Accept traffic originated from us"
icmp type { destination-unreachable, router-advertisement, router-solicitation, time-exceeded, parameter-problem } accept comment "Accept ICMP"
ip protocol igmp accept comment "Accept IGMP"
meta l4proto vmap @input_vmap
}
chain forward {
type filter hook forward priority 0; policy drop;
}
chain output {
type filter hook output priority 0; policy drop;
tcp sport 22 accept
tcp sport @web counter accept comment "Accept web server"
udp dport 53 accept
# tcp sport 53 accept
ip protocol icmp icmp type echo-request counter accept
tcp dport 22 accept
oif "lo" log prefix "lo: " level info flags all accept comment "Accept any localhost traffic"
ip protocol icmp icmp type echo-reply accept
tcp dport {80, 443} accept
# for nfs
tcp sport 2049 accept
udp sport 2049 accept
tcp sport @web counter packets 0 bytes 0 accept comment "Accept web server"
}
chain TCP {
tcp dport 22 ct state new limit rate 15/minute log prefix "New SSH connection: " counter accept comment "Avoid brute force on SSH"
tcp dport @web counter accept comment "Accept web server"
tcp dport 5900 accept comment "Accept vnc"
# tcp dport 53 accept
tcp sport 22 accept
tcp sport {80, 443} accept
# for nfs
#tcp dport 2049 accept
tcp dport @web counter packets 0 bytes 0 accept comment "Accept web server"
}
chain UDP {
udp sport 53 accept
# for nfs
#udp dport 2049 accept
}
}