-
Notifications
You must be signed in to change notification settings - Fork 25
/
Copy pathdefault-rules.nft
63 lines (55 loc) · 4.23 KB
/
default-rules.nft
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
table inet yuki {
chain ingress {
# meta nftrace set 1 # For "nft monitor trace" (debugging)
# ⚙️ Basic configuration
type filter hook ingress device __IFACE__ priority -450; # Ingress hook with the highest possible priority for the highest speed.
counter # Count how many packets arrive here.
# 🔍 Main ruleset
ip ttl != 1-128 counter drop # TTL Filter.
ip frag-off & 0x1fff != 0 counter drop # Fragmented Packets filter, can be too aggressive in some cases.
ip length < 20 counter drop # IP packets with a length of less than 20 bytes aren't valid.
udp length < 9 counter drop # Filter out empty / too small UDP packets.
ip hdrlength != 5 counter drop # IP header is usually only 20 bytes in size, so we filter out packets with any other sizes. Don't use on routers.
ip id > 65535 counter drop # If the IP ID is more than 65535, the packet isn't valid and we safely can drop it.
ip version != 4 counter drop # Receiving a packet which IP version isn't 4 being on an IPv4 network is strange, right? (you can keep it even if you use IPv6, BTW.)
tcp option maxseg size != 536-8960 log counter drop # MSS Filter (compatible with Jumbo Frames).
ip dscp != { cs0, cs1, cs2, cs3, cs4, cs5, cs6, af11, af12, af13, af21, af22, af23, af31, af32, af33, af41, af42, af43 } counter drop # Shouldn't be used on routers! Basically it filters out packets with any incorrect/uncommon DSCP values.
ip protocol != { tcp, udp, icmp } counter drop # Allow only known, widely used protocols; drop others.
tcp flags syn tcp window { 0-100, 512, 5840, 16384 } counter drop # Drop TCP SYN packets with invalid window sizes.
tcp urgptr != 0 counter drop # Drop TCP packets whose urgent pointer value isn't zero.
tcp flags != syn tcp ackseq 0 counter drop # Drop non-SYN packets with an ack-sequence value of zero.
tcp sequence 0 counter drop # Drop all TCP packets with a sequence number of zero.
}
chain prerouting {
# meta nftrace set 1 # For "nft monitor trace" (debugging)
# ⚙️ Basic configuration
type filter hook prerouting priority -150; policy drop; # Prerouting hook with the mangle priority for higher-level packet filtering stuff.
iif "lo" counter accept # Don't filter the loopback interface. (for performance reasons)
counter # Count how many packets arrive here.
fib saddr . iif oif eq 0 counter drop # Strict RP-filter.
fib saddr type != { unicast, local, multicast, broadcast } counter drop # If the packet's source IP address type ain't listed here then it gets dropped.
ct state vmap { invalid : drop, established : accept, related : accept } # Allow only legitimate stuff.
counter # Count how many packets pass through the previous three rules.
# ⏱️ TCP Rate-limits
tcp flags syn limit rate over 2/second counter drop
tcp flags syn,ack limit rate over 2/second counter drop
tcp flags rst limit rate over 2/second counter drop
tcp flags rst,ack limit rate over 2/second counter drop
# ⏱️ UDP Stateful Rate-limits
ip protocol udp ct state new limit rate over 100/second counter drop # For UDP packets with the 'new' state.
ip protocol udp ct state { established, related } limit rate over 1000/second counter drop # For UDP packets with the 'established' or 'related' state, i.e. after your server responded to a UDP packet.
# 🔍 Other rules
tcp flags syn tcp sport != 1024-65535 counter drop # TCP SYN packets with source-port of less than 1024 aren't valid.
ct state established ct status != assured counter drop # Drop packets in an already established connection that conntrack doesn't like.
ct status { snat, expected } counter drop # If you're not doing NAT stuff and not using protocols that require helpers [FTP is an example], this rule will be nice.
tcp flags != syn ct state new counter drop # Filter out most of the TCP junk that could pass through the previous rules.
# ⏱️ ICMP Rate-limits
icmp type echo-request limit rate 1/second burst 2 packets counter accept
icmp type parameter-problem limit rate 15/minute counter accept
icmp type { echo-reply, timestamp-reply, address-mask-reply } limit rate 15/minute counter accept
icmp type { destination-unreachable, time-exceeded } limit rate 2/second counter accept
goto user-ruleset
}
chain user-ruleset {
}
}