enable = true;
ruleset = lib.mkBefore ''
table inet filter {
+ set lograte4 { type ipv4_addr; size 65535; flags dynamic; }
+ #set lograte6 { type ipv6_addr; size 65535; flags dynamic; }
+ chain ping-flood {
+ add @lograte4 { ip saddr limit rate 1/minute } log level warn prefix "ping-flood: "
+ #add @lograte6 { ip6 saddr limit rate 1/minute } log level warn prefix "ping-flood: "
+ counter drop
+ }
+ chain check-ping {
+ ip protocol icmp icmp type echo-request limit rate over 10/second burst 20 packets goto ping-flood
+ #ip6 nexthdr ipv6-icmp icmpv6 type echo-request limit rate over 10/second burst 20 packets goto ping-flood
+ }
+ chain smurf {
+ add @lograte4 { ip saddr limit rate 1/minute } log level warn prefix "smurf: "
+ #add @lograte6 { ip6 saddr limit rate 1/minute } log level warn prefix "smurf: "
+ counter drop
+ }
+ chain check-broadcast {
+ #ip saddr 0.0.0.0/32 counter accept comment "DHCP broadcast"
+ fib saddr type broadcast counter goto smurf
+ ip saddr 224.0.0.0/4 counter goto smurf
+ }
+ chain bogus-tcp {
+ add @lograte4 { ip saddr limit rate 1/minute } log level warn prefix "bogus-tcp: "
+ #add @lograte6 { ip6 saddr limit rate 1/minute } log level warn prefix "bogus-tcp: "
+ counter drop
+ }
+ chain syn-flood {
+ add @lograte4 { ip saddr limit rate 1/minute } log level warn prefix "syn-flood: "
+ #add @lograte6 { ip6 saddr limit rate 1/minute } log level warn prefix "syn-flood: "
+ counter drop
+ }
+ chain check-tcp {
+ tcp flags syn tcp option maxseg size != 536-65535 counter goto bogus-tcp
+ tcp flags & (ack|fin) == fin counter goto bogus-tcp
+ tcp flags & (ack|psh) == psh counter goto bogus-tcp
+ tcp flags & (ack|urg) == urg counter goto bogus-tcp
+ tcp flags & (fin|ack) == fin counter goto bogus-tcp
+ tcp flags & (fin|rst) == (fin|rst) counter goto bogus-tcp
+ tcp flags & (fin|psh|ack) == (fin|psh) counter goto bogus-tcp
+ tcp flags & (syn|fin) == (syn|fin) counter goto bogus-tcp comment "SYN-FIN scan"
+ tcp flags & (syn|rst) == (syn|rst) counter goto bogus-tcp comment "SYN-RST scan"
+ tcp flags == (fin|syn|rst|psh|ack|urg) counter goto bogus-tcp comment "XMAS scan"
+ tcp flags == 0x0 counter goto bogus-tcp comment "NULL scan"
+ tcp flags == (fin|urg|psh) counter goto bogus-tcp
+ tcp flags == (fin|urg|psh|syn) counter goto bogus-tcp comment "NMAP-ID"
+ tcp flags == (fin|urg|syn|rst|ack) counter goto bogus-tcp
+
+ ct state new tcp flags != syn counter goto bogus-tcp
+ tcp sport 0 tcp flags & (fin|syn|rst|ack) == syn counter goto bogus-tcp
+ tcp flags & (fin|syn|rst|ack) == syn counter limit rate over 30/second burst 60 packets goto syn-flood
+ }
+ chain spoofing {
+ add @lograte4 { ip saddr limit rate 1/minute } log level warn prefix "spoofing: "
+ counter drop
+ }
+ chain check-public {
+ ip saddr 0.0.0.0/8 counter goto spoofing
+ ip saddr 10.0.0.0/8 counter goto spoofing
+ ip saddr 127.0.0.0/8 counter goto spoofing
+ ip saddr 169.254.0.0/16 counter goto spoofing
+ ip saddr 172.16.0.0/12 counter goto spoofing
+ ip saddr 192.0.2.0/24 counter goto spoofing
+ ip saddr 192.168.0.0/16 counter goto spoofing
+ ip saddr 224.0.0.0/3 counter goto spoofing
+ ip saddr 240.0.0.0/5 counter goto spoofing
+ }
chain net2fw {
+ jump check-public
# Some .nix append rules here with: add rule inet filter net2fw ...
}
chain fw2net {
- tcp dport {80,443} counter accept comment "HTTP"
+ tcp dport { 80, 443 } counter accept comment "HTTP"
udp dport 123 skuid ${users.systemd-timesync.name} counter accept comment "NTP"
tcp dport 9418 counter accept comment "Git"
-
+
# Some .nix append rules here with: add rule inet filter fw2net ...
}
chain lan2fw {
chain input {
type filter hook input priority 0
policy drop
-
+
iifname lo accept
-
+
+ jump check-tcp
+ jump check-ping
+ jump check-broadcast
+
# accept traffic already established
- ct state {established, related} accept
+ ct state { established, related } accept
ct state invalid drop
-
+
# admin services
tcp dport 22 counter accept comment "SSH"
udp dport 60000-61000 counter accept comment "Mosh"
-
+
+ # ICMP
+ ip protocol icmp icmp type echo-request counter accept
+ ip protocol icmp icmp type destination-unreachable counter accept
+ ip protocol icmp icmp type router-solicitation counter accept
+ ip protocol icmp icmp type router-advertisement counter accept
+ ip protocol icmp icmp type time-exceeded counter accept
+ ip protocol icmp icmp type parameter-problem counter accept
+ ip protocol icmp log level warn prefix "net2fw: icmpv: " counter accept
+ #ip protocol icmp icmp type { echo-request, destination-unreachable, router-solicitation, router-advertisement, time-exceeded, parameter-problem } counter accept
+
+ #ip6 nexthdr ipv6-icmp icmpv6 type echo-request counter accept
+ #ip6 nexthdr ipv6-icmp icmpv6 type nd-neighbor-solicit counter accept
+ #ip6 nexthdr ipv6-icmp icmpv6 type nd-neighbor-advert counter accept
+ #ip6 nexthdr ipv6-icmp icmpv6 type nd-router-solicit counter accept
+ #ip6 nexthdr ipv6-icmp icmpv6 type nd-router-advert counter accept
+ #ip6 nexthdr ipv6-icmp icmpv6 type mld-listener-query counter accept
+ #ip6 nexthdr ipv6-icmp icmpv6 type mld-listener-report counter accept
+ #ip6 nexthdr ipv6-icmp icmpv6 type mld-listener-reduction counter accept
+ #ip6 nexthdr ipv6-icmp icmpv6 type destination-unreachable counter accept
+ #ip6 nexthdr ipv6-icmp icmpv6 type packet-too-big counter accept
+ #ip6 nexthdr ipv6-icmp icmpv6 type time-exceeded counter accept
+ #ip6 nexthdr ipv6-icmp icmpv6 type parameter-problem counter accept
+ #ip6 nexthdr ipv6-icmp icmpv6 type ind-neighbor-solicit counter accept
+ #ip6 nexthdr ipv6-icmp icmpv6 type ind-neighbor-advert counter accept
+ #ip6 nexthdr ipv6-icmp icmpv6 type mld2-listener-report counter accept
+ #ip6 nexthdr ipv6-icmp log level warn prefix "net2fw: icmpv6: " counter accept
+ #ip6 nexthdr ipv6-icmp icmpv6 type { echo-request, nd-neighbor-solicit, nd-neighbor-advert, nd-router-solicit, nd-router-advert, mld-listener-query, mld-listener-report, mld-listener-reduction, destination-unreachable, packet-too-big, time-exceeded, parameter-problem, ind-neighbor-solicit, ind-neighbor-advert, mld2-listener-report } counter accept
+
# ICMP
- #ip6 nexthdr icmpv6 icmpv6 type { destination-unreachable, packet-too-big, time-exceeded, parameter-problem, nd-router-advert, nd-neighbor-solicit, nd-neighbor-advert, mld-listener-query, nd-router-solicit } accept
- ip protocol icmp icmp type { destination-unreachable, router-advertisement, time-exceeded, parameter-problem } accept
-
- # allow "ping"
- #ip6 nexthdr icmpv6 icmpv6 type echo-request accept
ip protocol icmp icmp type echo-request accept
+ #ip6 nexthdr ipv6-icmp icmpv6 type echo-request accept
# Some .nix append gotos here with: add rule inet filter input iffname ... goto ...
}
oifname lo accept
- ct state {related,established} accept
+ ct state { established, related } accept
ct state invalid drop
icmp type echo-request counter accept comment "Ping"
sourcephile / git / sourcephile-nix.git / blobdiff