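# IPv4 host firewall. Every base chain runs with policy drop, so only the
# traffic listed below is allowed. FORWARD is closed: this host does not route.
table ip filter {
    # Per-source state for the metrics_proxy rate limiter. Elements are created
    # from the packet path (flags dynamic). A timeout is set so idle sources
    # expire: without one, entries are never removed, and once `size` distinct
    # sources have been recorded further inserts fail, the limiter rule stops
    # matching and new sources fall straight through to accept. The `update`
    # statement in metrics_proxy refreshes the timeout of sources that stay active.
    set rate_limit {
        type ipv4_addr
        size 65535
        flags dynamic,timeout
        timeout 1m
    }
    # Per-source concurrent-connection counter for metrics_proxy. Kept without a
    # timeout: `ct count` state is expected to be released as the tracked
    # connections close — NOTE(review): confirm on the target kernel.
    set connection_limit {
        type ipv4_addr
        size 65535
        flags dynamic
    }
    # RFC 1918 ranges allowed to open SSH and UDP/67 sessions to this host.
    set local_networks {
        type ipv4_addr
        flags interval
        elements = {
            10.0.0.0/8,
            172.16.0.0/12,
            192.168.0.0/16
        }
    }
    # Guard for the metrics port (see INPUT). Sources above the per-minute
    # connection rate, or holding more than two open connections, are dropped;
    # everything else is accepted. Both limiter rules must end in `drop` — a
    # set statement without a verdict only records the source and falls through.
    chain metrics_proxy {
        ct state { new } update @rate_limit { ip saddr limit rate over 100/minute } drop comment "Maximum 100 connections per minute"
        ct state { new } add @connection_limit { ip saddr ct count over 2 } drop comment "No more than 2 connections per source at a time"
        accept
    }
    chain INPUT {
        type filter hook input priority filter; policy drop;
        iif "lo" accept
        ct state { invalid } drop
        ct state { established, related } accept
        # ICMP error and echo messages from any source. source-quench is still
        # accepted here although RFC 6633 deprecates it; hosts may discard it instead.
        icmp type { destination-unreachable, source-quench, time-exceeded, parameter-problem, echo-request, echo-reply } accept
        # Management access only from the local networks set.
        ip saddr @local_networks ct state { new } tcp dport { 22 } accept
        # NOTE(review): 67 is the DHCP server port; a plain DHCP client receives
        # replies on 68. Confirm this host is meant to accept DHCP requests.
        ip saddr @local_networks ct state { new } udp dport { 67 } accept
        # Metrics endpoint is reachable from any source, subject to metrics_proxy.
        tcp dport { 42372 } goto metrics_proxy
    }
    chain FORWARD {
        type filter hook forward priority filter; policy drop;
    }
    chain OUTPUT {
        type filter hook output priority filter; policy drop;
        oif "lo" accept
        ct state { invalid } drop
        ct state { established, related } accept
        icmp type { destination-unreachable, source-quench, time-exceeded, parameter-problem, echo-request, echo-reply } accept
        # Outbound DNS, NTP and HTTP(S). 0.0.0.0/0 matches every destination; it is
        # kept as the place to narrow once the allowed destinations are known.
        ip daddr { 0.0.0.0/0 } ct state { new } tcp dport { 53 } accept
        ip daddr { 0.0.0.0/0 } ct state { new } udp dport { 53 } accept
        ip daddr { 0.0.0.0/0 } ct state { new } udp dport { 123 } accept
        ip daddr { 0.0.0.0/0 } ct state { new } tcp dport { 80, 443 } accept
    }
}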
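# IPv6 host firewall. Every base chain runs with policy drop, so only the
# traffic listed below is allowed. FORWARD is closed: this host does not route.
table ip6 filter {
    # Per-source state for the metrics_proxy rate limiter. Elements are created
    # from the packet path (flags dynamic). A timeout is set so idle sources
    # expire: without one, entries are never removed, and once `size` distinct
    # sources have been recorded further inserts fail, the limiter rule stops
    # matching and new sources fall straight through to accept. The `update`
    # statement in metrics_proxy refreshes the timeout of sources that stay active.
    set rate_limit {
        type ipv6_addr
        size 65535
        flags dynamic,timeout
        timeout 1m
    }
    # Per-source concurrent-connection counter for metrics_proxy. Kept without a
    # timeout: `ct count` state is expected to be released as the tracked
    # connections close — NOTE(review): confirm on the target kernel.
    set connection_limit {
        type ipv6_addr
        size 65535
        flags dynamic
    }
    # Data-centre prefixes allowed to reach SSH and the monitoring ports (see INPUT).
    set dfinity_dcs {
        type ipv6_addr
        flags interval
        elements = {
            2604:1380:4601:6200::/56, # AM6 Equinix boundary
            2001:920:401a:1708::/64, # AN1
            2607:f758:1220::/64, # AT1
            2604:3fc0:2001::/48, # AT2
            2604:7e00:30:3::/64, # AW1
            2001:438:fffd:11c::/64, # BC1
            2600:c0d:3002:4::/64, # BO1
            2001:920:401a:1710::/64, # BR1
            2001:920:401a:1706::/64, # BR2
            2a04:9dc0:0:108::/64, # BU1
            2607:f6f0:3004::/48, # CH1-old
            2602:fb2b:120::/48, # CH1 InfraDC prefix
            2604:7e00:50::/64, # CH2
            2607:ff70:3:2::/64, # CH3
            2604:1380:4641:6100::/56, # DA11 Equinix boundary
            2600:3000:6100:200::/64, # DL1
            2604:6800:258:1::/64, # DM1 InfraDC annex
            2600:3000:1300:1300::/64, # DN1
            2001:470:1:c76::/64, # FM1
            2001:4d78:40d::/48, # FR1-old
            2602:fb2b:110::/48, # FR1 InfraDC prefix
            2001:4d78:400:10a::/64, # FR2
            2604:1380:4091:3000::/56, # FR2 Equinix boundary
            2a0f:cd00:2::/56, # GE1
            2a00:fa0:3::/48, # GE2
            2604:b900:4001:76::/64, # HU1
            2600:2c01:21::/64, # JV1
            2a02:800:2:2003::/64, # LJ1
            2a0b:21c0:4003:2::/64, # LN1
            2600:3006:1400:1500::/64, # LV1
            2a00:fc0:5000:300::/64, # MB1
            2001:1900:2100:2827::/64, # MM1
            2a0b:21c0:b002:2::/64, # MR1
            2a01:138:900a::/48, # MU1
            2607:f1d0:10:1::/64, # NY1
            2604:3fc0:3002::/48, # OR1
            2610:190:6000:1::/64, # PH1
            2600:3004:1200:1200::/56, # PL1
            2600:c00:2:100::/64, # SE1 InfraDC annex
            2602:fb2b:100::/48, # SF1 InfraDC prefix
            2401:3f00:1000:24::/64, # SG1
            2604:1380:40e1:4700::/56, # SG1 Equinix boundary
            2401:3f00:1000:22::/64, # SG2
            2401:3f00:1000:23::/64, # SG3
            2600:c02:b002:15::/64, # SJ1
            2610:190:df01:5::/64, # ST1
            2604:1380:45e1:a600::/56, # SV15 Equinix boundary
            2607:f758:c300::/64, # TP1
            2602:ffe4:801:16::/64, # TY1
            2602:ffe4:801:17::/64, # TY2
            2602:ffe4:801:18::/64, # TY3
            2a00:fb01:400::/55, # ZH1
            2a00:fb01:400:100::/64, # ZH2
            2a02:418:3002::/48, # ZH3
            2a02:41b:300e::/48, # ZH4
            2a01:2a8:a13d::/48, # ZH5
            2a01:2a8:a13c::/48, # ZH6
            2a01:2a8:a13e::/48, # ZH7
            fd00:2:1:1::/64 # Private prefix used by [Ref A]
        } # comment "DFINITY operated DC's"
        # [Ref A]
        # ic/testnet/tests/pipeline/pipeline.yml
        # ic/ic-os/guestos/rootfs/opt/ic/share/ic.json5.template
        # ic/ic-os/guestos/tests/vmtools.py
        # ic/ic-os/guestos/tests/Readme.md
        # This is used by the qemu-system instances spawned inside of the docker gitlab-runner to allow multiple deterministic dynamic on-the-fly VM "test" nodes for running automated tests. Each docker namespace has its own IP network stack so many of these can be running in parallel at the same time between different runs and they will not interfere with each other as a result.
        # Why "Ref A"? nftables config syntax disallows newlines and comments between the last line of a set and the closing brace.
        auto-merge # Prevent "Conflicting Intervals" errors
    }
    # Prefixes allowed to scrape the telemetry ports (see INPUT).
    set telemetry_clients {
        type ipv6_addr
        flags interval
        elements = {
            2607:f6f0:3004::/48, # CH1-old
            2602:fb2b:120::/48, # CH1 InfraDC prefix
            2001:4d78:40d::/48, # FR1-old
            2602:fb2b:110::/48, # FR1 InfraDC prefix
            2602:fb2b:100::/48 # SF1 InfraDC prefix
        } # comment "Telemetry infrastructure"
    }
    # Empty in this file; populated at runtime by whatever manages the node.
    set node_providers { # comment "Node provider allowlist. Filled out dynamically."
        type ipv6_addr
        flags interval
    }
    # Guard for the metrics port (see INPUT). Sources above the per-minute
    # connection rate, or holding more than two open connections, are dropped;
    # everything else is accepted. Both limiter rules must end in `drop`: the
    # rate rule previously had no verdict, so it only recorded the source and
    # fell through to accept, leaving the IPv6 metrics port effectively unlimited.
    chain metrics_proxy {
        ct state { new } update @rate_limit { ip6 saddr limit rate over 100/minute } drop comment "Maximum 100 connections per minute"
        ct state { new } add @connection_limit { ip6 saddr ct count over 2 } drop comment "No more than 2 connections per source at a time"
        accept
    }
    chain INPUT {
        type filter hook input priority filter; policy drop;
        iif "lo" accept
        ct state { invalid } drop
        ct state { established, related } accept
        # ICMPv6 error, echo and neighbour-discovery messages. Router solicitations
        # are deliberately not accepted inbound; this host only listens for adverts.
        icmpv6 type { destination-unreachable, packet-too-big, time-exceeded, parameter-problem, echo-request, echo-reply, nd-router-advert, nd-neighbor-solicit, nd-neighbor-advert } accept
        # SSH and monitoring ports, restricted to the allowlisted prefixes above.
        ip6 saddr @dfinity_dcs ct state { new } tcp dport { 22, 9100, 19531 } accept
        ip6 saddr @telemetry_clients ct state { new } tcp dport { 9100, 19531, 19100 } accept
        ip6 saddr @node_providers ct state { new } tcp dport { 22, 9100, 19531 } accept
        # Metrics endpoint is reachable from any source, subject to metrics_proxy.
        tcp dport { 42372 } goto metrics_proxy
    }
    chain FORWARD {
        type filter hook forward priority filter; policy drop;
    }
    chain OUTPUT {
        type filter hook output priority filter; policy drop;
        oif "lo" accept
        ct state { invalid } drop
        ct state { established, related } accept
        icmpv6 type { destination-unreachable, packet-too-big, time-exceeded, parameter-problem, echo-request, echo-reply, nd-router-solicit, nd-neighbor-solicit, nd-neighbor-advert } accept
        # Outbound DNS, NTP and HTTP(S). ::/0 matches every destination; it is
        # kept as the place to narrow once the allowed destinations are known.
        # NOTE(review): 8080 is allowed here but not in the IPv4 OUTPUT chain — confirm intentional.
        ip6 daddr { ::/0 } ct state { new } tcp dport { 53 } accept
        ip6 daddr { ::/0 } ct state { new } udp dport { 53 } accept
        ip6 daddr { ::/0 } ct state { new } udp dport { 123 } accept
        ip6 daddr { ::/0 } ct state { new } tcp dport { 80, 8080, 443 } accept
    }
}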