#!/usr/sbin/nft -f
# Host firewall ruleset, loaded atomically with `nft -f`.
# `flush ruleset` replaces every table in the kernel, not just the ones declared
# here, so any runtime state held in nftables sets (e.g. the crowdsec ban sets
# declared below) is emptied on each reload until the tool that fills them
# re-adds its entries. NOTE(review): confirm the bouncer repopulates after reload.
flush ruleset
# ICMPv4 types accepted in both directions by the `ip filter` table below.
# The error types keep path-MTU discovery and unreachable signalling working
# (fragmentation-needed is a destination-unreachable code). echo-request is
# accepted from any source and is not rate limited, so the host answers all
# pings.
define icmp_v4_types_accept = {
    destination-unreachable,
    time-exceeded,
    parameter-problem,
    echo-request,
    echo-reply,
}
# ICMPv6 types accepted inbound (`ip6 filter input`). Besides the error types,
# this admits the neighbour-discovery messages a non-routing host needs:
# router advertisements and neighbour solicit/advert. echo-request is accepted
# without a rate limit.
# NOTE(review): no MLD types (e.g. mld-listener-query) are accepted, so the host
# cannot answer multicast-listener queries from a snooping querier — confirm
# this is intended for the segments these nodes sit on.
define icmp_v6_in_types_accept = {
    destination-unreachable,
    packet-too-big,
    time-exceeded,
    parameter-problem,
    echo-request,
    echo-reply,
    nd-router-advert,
    nd-neighbor-solicit,
    nd-neighbor-advert,
}
# ICMPv6 types accepted outbound (`ip6 filter output`). Mirrors the inbound set
# but swaps nd-router-advert for nd-router-solicit: the host may ask for
# routers but never advertises itself as one.
# NOTE(review): mld-listener-report / mld2-listener-report are not in this set,
# so multicast group joins (including the solicited-node groups used by
# neighbour discovery) are never announced. On switches with MLD snooping this
# can break ND — confirm intended.
define icmp_v6_out_types_accept = {
    destination-unreachable,
    packet-too-big,
    time-exceeded,
    parameter-problem,
    echo-request,
    echo-reply,
    nd-router-solicit,
    nd-neighbor-solicit,
    nd-neighbor-advert,
}
# TCP ports of local exporters/probers reachable over IPv6 from
# $ipv6_monitoring_debug_ips (see `ip6 filter input`). Every port added here is
# exposed to all monitoring *and* debug source addresses, so keep the owner
# comment on each entry current.
define ipv6_monitoring_tcp_ports = {
    9100, # node-exporter
    9313, # prober
    9314, # icx-proxy
    9315, # prober-wallets-exporter
    9316, # vector-nginx
    9317, # vector
    9318, # denylist-updater
    9321, # certificate-issuer
    9322, # certificate-syncer
    9323, # danted (socks proxy)
    9324, # ic-boundary
}
# Runtime-generated address definitions. nft aborts the whole load if either
# include is missing, leaving the previous ruleset in place.
# Defines `ipv6_system_replica_ips`
include "/run/ic-node/etc/nftables/system_replicas.ruleset"
# Defines `ipv6_replica_ips`, `ipv4_http_ips`, `ipv6_http_ips`, `ipv6_debug_ips`, and `ipv6_monitoring_ips`
include "/run/ic-node/etc/nftables/defs.ruleset"
# NOTE(review): `$canary_proxy_port`, referenced by both input chains below, is
# not defined in this file and is not listed above — presumably it also comes
# from defs.ruleset; confirm, since an undefined variable fails the load.
# Union of monitoring and debug sources: debug hosts may scrape the exporters
# listed in $ipv6_monitoring_tcp_ports as well.
define ipv6_monitoring_debug_ips = {
    $ipv6_monitoring_ips,
    $ipv6_debug_ips,
}
# Sources allowed to reach the local SOCKS proxy (`ip6 filter input`, dport
# socks): only system replicas. Kept as its own define so the audience can be
# widened without touching the chain.
define ipv6_socks_saddr_ips = {
    $ipv6_system_replica_ips,
}
# IPv4 policy: default-drop on every hook. Inbound service exposure is limited
# to HTTP/HTTPS (plus the canary proxy port) from $ipv4_http_ips.
table ip filter {
    # Ban set populated at runtime (e.g. by a crowdsec bouncer); `flags timeout`
    # lets each entry carry its own expiry. Emptied whenever this file reloads.
    set crowdsec {
        type ipv4_addr
        size 262144
        flags timeout
    }
    chain input {
        type filter hook input priority filter; policy drop;
        iif "lo" accept
        # Placed before the established/related accept on purpose: banning an
        # address also cuts its already-open HTTP(S) connections. Other ports
        # from banned addresses fall through to the default drop anyway.
        ip saddr @crowdsec tcp dport { http, https, $canary_proxy_port } drop
        # ICMP is accepted regardless of conntrack state (see define above).
        icmp type $icmp_v4_types_accept accept
        ct state invalid drop
        ct state { established, related } accept
        ip saddr $ipv4_http_ips ct state new tcp dport { http, https, $canary_proxy_port } accept
    }
    # Not a router: nothing is forwarded.
    chain forward {
        type filter hook forward priority filter; policy drop;
    }
    chain output {
        type filter hook output priority filter; policy drop;
        oif "lo" accept
        icmp type $icmp_v4_types_accept accept
        ct state invalid drop
        ct state { established, related } accept
        # DNS, web and port 8080 egress for every local process.
        # NOTE(review): purpose of 8080 is not documented here — confirm owner.
        ct state new tcp dport { domain, http, https, 8080 } accept
        ct state new udp dport { domain, ntp } accept
        # The SOCKS proxy user may open TCP to any port; this is the only
        # unrestricted egress in the ruleset and exists for IPv4 only (the ip6
        # output chain has no equivalent).
        meta skuid socks ct state new tcp dport 1-65535 accept
    }
}
# IPv6 policy: default-drop on every hook. In addition to HTTP(S), IPv6 carries
# the management plane: SSH/debug, the SOCKS proxy for system replicas, and
# exporter scraping — each gated on a source-address define from the includes.
table ip6 filter {
    # IPv6 ban set, same semantics as `crowdsec` in the ip table.
    set crowdsec6 {
        type ipv6_addr
        size 262144
        flags timeout
    }
    chain input {
        type filter hook input priority filter; policy drop;
        iif "lo" accept
        # Precedes the established/related accept: a ban also drops open
        # HTTP(S) flows from that address. The management ports below are not
        # covered by the ban, which only matches the web ports.
        ip6 saddr @crowdsec6 tcp dport { http, https, $canary_proxy_port } drop
        # ICMPv6 (incl. ND) accepted regardless of conntrack state.
        icmpv6 type $icmp_v6_in_types_accept accept
        ct state invalid drop
        ct state { established, related } accept
        ip6 saddr $ipv6_http_ips ct state new tcp dport { http, https, $canary_proxy_port } accept
        # NOTE(review): 19532 is presumably systemd-journal-remote — confirm
        # and document the owner alongside ssh.
        ip6 saddr $ipv6_debug_ips ct state new tcp dport { ssh, 19532 } accept
        ip6 saddr $ipv6_socks_saddr_ips ct state new tcp dport socks accept
        ip6 saddr $ipv6_monitoring_debug_ips ct state new tcp dport $ipv6_monitoring_tcp_ports accept
    }
    # Not a router: nothing is forwarded.
    chain forward {
        type filter hook forward priority filter; policy drop;
    }
    chain output {
        type filter hook output priority filter; policy drop;
        oif "lo" accept
        icmpv6 type $icmp_v6_out_types_accept accept
        ct state invalid drop
        ct state { established, related } accept
        # Same egress set as the ip table; there is no per-user SOCKS egress
        # rule here, so proxied traffic leaves over IPv4 only.
        ct state new tcp dport { domain, http, https, 8080 } accept
        ct state new udp dport { domain, ntp } accept
    }
}