-
Notifications
You must be signed in to change notification settings - Fork 63
/
Copy pathetc.nftables.conf
107 lines (91 loc) · 4.48 KB
/
etc.nftables.conf
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
#!/usr/sbin/nft -f
# Please replace ens33 to interface name of your device
define int_if = ens33
# If there are multiple net interface, example:
# define int_if = {ens33, ens36}
flush ruleset
table ip filter {
chain INPUT {
type filter hook input priority 0; policy drop;
iifname "lo" counter packets 0 bytes 0 accept
ip saddr 127.0.0.0/8 counter packets 0 bytes 0 drop
ip protocol tcp ct state established counter packets 0 bytes 0 accept
ip protocol udp ct state established counter packets 0 bytes 0 accept
ip protocol icmp ct state established counter packets 0 bytes 0 accept
ip protocol icmp ct state related counter packets 0 bytes 0 accept
limit rate 3/minute counter packets 0 bytes 0 log prefix "SFW2-IN-ILL-TARGET " flags tcp options flags ip options
iifname $int_if tcp flags & (fin | syn | rst | ack) != syn ct state new limit rate 5/minute burst 7 packets counter packets 0 bytes 0 log prefix "Drop Syn"
iifname $int_if tcp flags & (fin | syn | rst | ack) != syn ct state new counter packets 0 bytes 0 drop
iifname $int_if ip frag-off & 8191 != 0 limit rate 5/minute burst 7 packets counter packets 0 bytes 0 log prefix "Fragments Packets"
iifname $int_if ip frag-off & 8191 != 0 counter packets 0 bytes 0 drop
iifname $int_if tcp flags & (fin | syn | rst | psh | ack | urg) == fin | psh | urg counter packets 0 bytes 0 drop
iifname $int_if tcp flags & (fin | syn | rst | psh | ack | urg) == fin | syn | rst | psh | ack | urg counter packets 0 bytes 0 drop
iifname $int_if tcp flags & (fin | syn | rst | psh | ack | urg) == 0x0 limit rate 5/minute burst 7 packets counter packets 0 bytes 0 log prefix "NULL Packets"
iifname $int_if tcp flags & (fin | syn | rst | psh | ack | urg) == 0x0 counter packets 0 bytes 0 drop
iifname $int_if tcp flags & (syn | rst) == syn | rst counter packets 0 bytes 0 drop
iifname $int_if tcp flags & (fin | syn) == fin | syn limit rate 5/minute burst 7 packets counter packets 0 bytes 0 log prefix "XMAS Packets"
iifname $int_if tcp flags & (fin | syn) == fin | syn counter packets 0 bytes 0 drop
iifname $int_if tcp flags & (fin | ack) == fin limit rate 5/minute burst 7 packets counter packets 0 bytes 0 log prefix "Fin Packets Scan"
iifname $int_if tcp flags & (fin | ack) == fin counter packets 0 bytes 0 drop
iifname $int_if tcp flags & (fin | syn | rst | psh | ack | urg) == fin | syn | rst | ack | urg counter packets 0 bytes 0 drop
iifname $int_if tcp dport 137-139 counter packets 0 bytes 0 reject
iifname $int_if udp dport 137-139 counter packets 0 bytes 0 reject
icmp type source-quench counter packets 0 bytes 0 accept
tcp dport ssh ct state new counter packets 0 bytes 0 accept
udp dport ntp ct state new counter packets 0 bytes 0 accept
udp dport bootpc ct state new counter packets 0 bytes 0 accept
tcp dport http ct state new counter packets 0 bytes 0 accept
icmp type echo-request ct state established,related,new counter packets 0 bytes 0 accept
counter packets 0 bytes 0 log
counter packets 0 bytes 0 drop
}
chain FORWARD {
type filter hook forward priority 0; policy drop;
limit rate 3/minute counter packets 0 bytes 0 log prefix "SFW2-FWD-ILL-ROUTING " flags tcp options flags ip options
counter packets 0 bytes 0 log
}
chain OUTPUT {
type filter hook output priority 0; policy drop;
oifname "lo" counter packets 0 bytes 0 accept
ip protocol tcp ct state established,new counter packets 0 bytes 0 accept
ip protocol udp ct state established,new counter packets 0 bytes 0 accept
ip protocol icmp ct state established,new counter packets 0 bytes 0 accept
icmp type echo-request counter packets 0 bytes 0 accept
icmp type echo-reply ct state established,related counter packets 0 bytes 0 accept
}
chain LOGDROP {
counter packets 0 bytes 0 log
counter packets 0 bytes 0 drop
}
}
table ip nat {
chain PREROUTING {
type nat hook prerouting priority -100; policy accept;
}
chain INPUT {
type nat hook input priority 100; policy accept;
}
chain POSTROUTING {
type nat hook postrouting priority 100; policy accept;
}
chain OUTPUT {
type nat hook output priority -100; policy accept;
}
}
table ip mangle {
chain PREROUTING {
type filter hook prerouting priority -150; policy accept;
}
chain INPUT {
type filter hook input priority -150; policy accept;
}
chain FORWARD {
type filter hook forward priority -150; policy accept;
}
chain OUTPUT {
type route hook output priority -150; policy accept;
}
chain POSTROUTING {
type filter hook postrouting priority -150; policy accept;
}
}