/bratwurst

Permalink
Switch branches/tags
Nothing to show
Find file Copy path
Fetching contributors…
Cannot retrieve contributors at this time
Raw Blame History
executable file 146 lines (115 sloc) 3.52 KB
#!/usr/sbin/nft -f
flush table inet filter;
define icmpv6_ll = {
nd-router-solicit,
nd-router-advert,
nd-neighbor-solicit,
nd-neighbor-advert,
}
define icmpv6_new = {
echo-request,
}
define icmpv6_related = {
destination-unreachable,
packet-too-big,
time-exceeded,
echo-reply,
}
define icmpv6_bad = {
mld-listener-query,
mld-listener-report,
mld-listener-reduction,
nd-redirect,
router-renumbering,
}
define icmpv4_new = {
echo-request,
timestamp-request,
address-mask-request,
}
define icmpv4_related = {
echo-reply,
destination-unreachable,
time-exceeded,
parameter-problem,
timestamp-reply,
address-mask-reply,
}
define icmpv4_bad = {
source-quench,
5, # HACK: nft cannot parse 'redirect'
info-request,
info-reply
}
# http://www.spinics.net/lists/netfilter/msg55433.html
table inet filter {
chain icmpv6_packet {
meta nfproto ipv6 icmpv6 type $icmpv6_ll ip6 hoplimit 255 accept;
meta nfproto ipv6 icmpv6 type $icmpv6_new limit rate 10/second accept;
meta nfproto ipv6 icmpv6 type $icmpv6_new counter drop;
meta nfproto ipv6 icmpv6 type $icmpv6_related ct state established,related accept;
meta nfproto ipv6 icmpv6 type $icmpv6_related counter drop;
meta nfproto ipv6 icmpv6 type $icmpv6_bad limit rate 10/minute log prefix "bad icmp: ";
meta nfproto ipv6 icmpv6 type $icmpv6_bad counter drop;
limit rate 10/minute log prefix "unknown icmp: ";
counter drop;
}
chain icmpv4_packet {
meta nfproto ipv4 icmp type $icmpv4_new limit rate 10/second accept;
meta nfproto ipv4 icmp type $icmpv4_new counter drop;
meta nfproto ipv4 icmp type $icmpv4_related ct state established,related accept;
meta nfproto ipv4 icmp type $icmpv4_related counter drop;
meta nfproto ipv4 icmp type $icmpv4_bad limit rate 10/minute log prefix "bad icmp: ";
meta nfproto ipv4 icmp type $icmpv4_bad counter drop;
limit rate 10/minute log prefix "unknown icmp: ";
counter drop;
}
chain input {
type filter hook input priority 0;
iif lo accept;
# ULA<->ULA only
ip6 saddr fc00::/7 ip6 daddr fc00::/7 accept;
ip6 saddr fc00::/7 reject with icmpv6 type addr-unreachable;
# https://tools.ietf.org/html/draft-ietf-opsec-icmp-filtering
# http://tools.ietf.org/html/rfc4890
ip6 nexthdr icmpv6 jump icmpv6_packet
ip protocol icmp jump icmpv4_packet
ct state established,related counter accept;
ct state invalid counter drop;
iif br0 accept;
# 6to4
ip saddr 192.88.99.1 ip protocol 41 counter accept;
# dhcpv6
ip6 saddr fe80::/10 ip6 daddr fe80::/10 udp dport 546 accept;
# dns
udp dport 53 ct state new limit rate 5/second accept;
tcp dport 53 ct state new limit rate 5/second accept;
# ssh
tcp dport 22 ct state new limit rate 10/minute accept;
counter limit rate 10/minute reject;
counter drop;
}
chain forward {
type filter hook forward priority 0;
# ULA<->ULA only
ip6 saddr fc00::/7 ip6 daddr fc00::/7 accept;
ip6 saddr fc00::/7 reject with icmpv6 type addr-unreachable;
# clients should not try to use 6to4 themselves
ip daddr 192.88.99.1 reject with icmp type host-unreachable;
# https://tools.ietf.org/html/draft-ietf-opsec-icmp-filtering
# http://tools.ietf.org/html/rfc4890
ip6 nexthdr icmpv6 jump icmpv6_packet
ip protocol icmp jump icmpv4_packet
ct state established,related counter accept;
ct state invalid counter drop;
iif br0 accept;
# ssh
tcp dport 22 ct state new limit rate 10/minute accept;
counter limit rate 10/minute reject;
counter drop;
}
chain output {
type filter hook output priority 0;
counter accept;
}
}