nftables jul 19 2023
# Clears every table in every address family (including tables installed by
# other tools on the host, not only this one) before the table below is loaded.
flush ruleset
table inet filter { # handle 127 | |
# TCP options the SYN proxy advertises when it answers a SYN on behalf of a
# local service; used for "ssh" via the synproxy_in_ports map.
synproxy default-synproxy { # handle 37
    mss 1460
    wscale 7
    timestamp sack-perm
}
# SYN-proxy parameters for the ident ("auth", tcp/113) service; selected by
# the synproxy_in_ports map.
synproxy identd-synproxy { # handle 38
    mss 1460
    wscale 9
    timestamp sack-perm
}
# SYN-proxy parameters for the IRC-over-TLS ("ircs-u", tcp/6697) service;
# selected by the synproxy_in_ports map.
synproxy ircd-synproxy { # handle 39
    mss 1460
    wscale 10
    timestamp sack-perm
}
# SYN-proxy parameters without SACK for ssh.
# NOTE(review): nothing in view references this object — synproxy_in_ports
# maps "ssh" to default-synproxy, not to ssh-synproxy. Either the map entry or
# this object is stale; confirm which one is intended.
synproxy ssh-synproxy { # handle 40
    mss 1460
    wscale 10
    timestamp
}
# Named rate limit for log lines; referenced as `limit name "udp_in_log_lim"`
# by the udp_in chain (not in view). Caps logging, not traffic.
limit udp_in_log_lim { # handle 41
    rate 32/minute
}
# Log-line rate limit for the udp_forward chain (not in view).
limit udp_forward_log_lim { # handle 42
    rate 32/minute
}
# Log-line rate limit for the udp_out chain (not in view).
limit udp_out_log_lim { # handle 43
    rate 32/minute
}
# Log-line rate limit for the tcp_in chain (not in view).
limit tcp_in_log_lim { # handle 44
    rate 32/minute
}
# Log-line rate limit for the tcp_forward chain (not in view).
limit tcp_forward_log_lim { # handle 45
    rate 32/minute
}
# Log-line rate limit for the tcp_out chain (not in view).
limit tcp_out_log_lim { # handle 46
    rate 32/minute
}
# Log-line rate limit for outbound TCP RST handling (consuming chain not in view).
limit tcp_rst_out_log_lim { # handle 47
    rate 32/minute
}
# Log-line rate limit used by the igmp_in chain before its final drop.
limit igmp_in_log_lim { # handle 48
    rate 32/minute
}
# Log-line rate limit used by the igmp_out chain before its final drop.
limit igmp_out_log_lim { # handle 49
    rate 32/minute
}
# Log-line rate limit used by the icmp_in chain.
limit icmp_in_log_lim { # handle 50
    rate 32/minute
}
# Log-line rate limit for the icmp_out chain (not in view).
limit icmp_out_log_lim { # handle 51
    rate 32/minute
}
# Log-line rate limit for the icmp_forward chain (not in view).
limit icmp_forward_log_lim { # handle 52
    rate 32/minute
}
# Log-line rate limit for the wont_forward chain (jump target of the
# link-local entries in default_forward4/6; chain not in view).
limit wont_forward_log_lim { # handle 53
    rate 32/minute
}
# Log-line rate limit for blocklisted-host drops (consuming chain not in view).
limit dropped_host_log_lim { # handle 54
    rate 32/minute
}
# Log-line rate limit for the bogon chain (jump target of drop_bogons4/6;
# chain not in view).
limit bogon_log_lim { # handle 55
    rate 32/minute
}
# Inbound TCP ports that are SYN-proxied, keyed by destination port.
# filter_prerouting uses the key set (`tcp dport @synproxy_in_ports`) to
# notrack the initial SYN; the rule that applies the synproxy verdict on the
# input side is not in view. The three ports are the same ones tcp_unicast_in4/6
# accept from anywhere.
map synproxy_in_ports { # handle 56
    type inet_service : synproxy
    flags interval
    elements = { "ssh" : "default-synproxy", "auth" : "identd-synproxy", "ircs-u" : "ircd-synproxy" }
}
# Forwarded TCP ports to SYN-proxy; empty in this snapshot, so no forwarded
# service is currently proxied.
map synproxy_forward_ports { # handle 57
    type inet_service : synproxy
    flags interval
}
# Per-UID egress exemption: traffic originating from the socket owner
# "debian-tor" is accepted to any IPv4 destination. `meta skuid` only has a
# value for locally generated packets. The consuming rule is not in view.
# NOTE(review): this bypasses every destination/port restriction for that user;
# keep the element list minimal.
map unrestrict_out_by_user_id4 { # handle 58
    typeof ip saddr . ip daddr . meta skuid : verdict
    flags interval
    elements = { 0.0.0.0/0 . 0.0.0.0/0 . "debian-tor" : accept }
}
# IPv6 counterpart of unrestrict_out_by_user_id4; empty, so no per-UID IPv6
# egress exemption exists in this snapshot.
map unrestrict_out_by_user_id6 { # handle 59
    typeof ip6 saddr . ip6 daddr . meta skuid : verdict
    flags interval
}
# Source/destination network pairs exempted from egress port filtering.
# 192.168.0.0/16 -> 127.0.0.0/8 presumably covers traffic rewritten by
# nat_output towards the local proxy on 127.0.0.1 — confirm against the
# consuming chain (not in view).
map unrestrict_out_by_src_dest_network4 { # handle 60
    type ipv4_addr . ipv4_addr : verdict
    flags interval
    elements = { 192.168.0.0/16 . 127.0.0.0/8 : accept }
}
# Inbound IGMP allowed from link-local/private sources to the multicast
# range: membership queries and v2 reports only. Consumed by igmp_in, which
# additionally requires `meta pkttype multicast`.
map igmp_in4 { # handle 61
    typeof ip saddr . ip daddr . igmp type : verdict
    flags interval
    elements = { 169.254.0.0/16 . 224.0.0.0/4 . membership-query : accept,
        10.0.0.0/8 . 224.0.0.0/4 . membership-query : accept,
        172.16.0.0/12 . 224.0.0.0/4 . membership-query : accept,
        192.168.0.0/16 . 224.0.0.0/4 . membership-query : accept,
        169.254.0.0/16 . 224.0.0.0/4 . membership-report-v2 : accept,
        10.0.0.0/8 . 224.0.0.0/4 . membership-report-v2 : accept,
        172.16.0.0/12 . 224.0.0.0/4 . membership-report-v2 : accept,
        192.168.0.0/16 . 224.0.0.0/4 . membership-report-v2 : accept }
}
# Outbound IGMP: this host may send v2 membership reports from private or
# link-local addresses; it never sends queries. Consumed by igmp_out.
map igmp_out4 { # handle 62
    typeof ip saddr . ip daddr . igmp type : verdict
    flags interval
    elements = { 169.254.0.0/16 . 224.0.0.0/4 . membership-report-v2 : accept,
        10.0.0.0/8 . 224.0.0.0/4 . membership-report-v2 : accept,
        172.16.0.0/12 . 224.0.0.0/4 . membership-report-v2 : accept,
        192.168.0.0/16 . 224.0.0.0/4 . membership-report-v2 : accept }
}
# Outbound UDP broadcast: NetBIOS datagram (udp/138) within the same private
# or link-local network only. Consumed by udp_out (not in view).
map udp_broadcast_out { # handle 63
    type ipv4_addr . ipv4_addr . inet_service : verdict
    flags interval
    elements = { 169.254.0.0/16 . 169.254.0.0/16 . "netbios-dgm" : accept,
        10.0.0.0/8 . 10.0.0.0/8 . "netbios-dgm" : accept,
        192.168.0.0/16 . 192.168.0.0/16 . "netbios-dgm" : accept,
        172.16.0.0/12 . 172.16.0.0/12 . "netbios-dgm" : accept }
}
# Inbound UDP broadcast. 240.0.0.0/4 as destination covers the limited
# broadcast 255.255.255.255 (the same range drop_bogons4 marks `continue`):
# SSDP (1900) from private sources and DHCP requests (dport "bootps") from
# unconfigured 0.0.0.0/8 clients — the latter implies this host answers DHCP.
# NetBIOS name/datagram services are accepted only within the same network.
# Consumed by udp_in (not in view).
map udp_broadcast_in { # handle 64
    type ipv4_addr . ipv4_addr . inet_service : verdict
    flags interval
    elements = { 169.254.0.0/16 . 240.0.0.0/4 . 1900 : accept,
        0.0.0.0/8 . 240.0.0.0/4 . "bootps" : accept,
        10.0.0.0/8 . 240.0.0.0/4 . 1900 : accept,
        192.168.0.0/16 . 240.0.0.0/4 . 1900 : accept,
        172.16.0.0/12 . 240.0.0.0/4 . 1900 : accept,
        169.254.0.0/16 . 169.254.0.0/16 . "netbios-ns" : accept,
        10.0.0.0/8 . 10.0.0.0/8 . "netbios-ns" : accept,
        192.168.0.0/16 . 192.168.0.0/16 . "netbios-ns" : accept,
        172.16.0.0/12 . 172.16.0.0/12 . "netbios-ns" : accept,
        169.254.0.0/16 . 169.254.0.0/16 . "netbios-dgm" : accept,
        10.0.0.0/8 . 10.0.0.0/8 . "netbios-dgm" : accept,
        192.168.0.0/16 . 192.168.0.0/16 . "netbios-dgm" : accept,
        172.16.0.0/12 . 172.16.0.0/12 . "netbios-dgm" : accept }
}
# Outbound IPv4 multicast: mDNS (udp/5353) from private sources to 224.0.0.0/4.
# Note that 169.254.0.0/16 is absent here but present in udp_multicast_in4.
map udp_multicast_out4 { # handle 65
    type ipv4_addr . ipv4_addr . inet_service : verdict
    flags interval
    elements = { 192.168.0.0/16 . 224.0.0.0/4 . "mdns" : accept,
        10.0.0.0/8 . 224.0.0.0/4 . "mdns" : accept,
        172.16.0.0/12 . 224.0.0.0/4 . "mdns" : accept }
}
# Inbound IPv4 multicast/broadcast discovery traffic: mDNS, SSDP (1900) and
# 1902 from private or link-local sources. The 240.0.0.0/4 entries duplicate
# the SSDP rows already present in udp_broadcast_in.
map udp_multicast_in4 { # handle 66
    type ipv4_addr . ipv4_addr . inet_service : verdict
    flags interval
    elements = { 169.254.0.0/16 . 224.0.0.0/4 . "mdns" : accept,
        192.168.0.0/16 . 224.0.0.0/4 . "mdns" : accept,
        10.0.0.0/8 . 224.0.0.0/4 . "mdns" : accept,
        172.16.0.0/12 . 224.0.0.0/4 . "mdns" : accept,
        192.168.0.0/16 . 224.0.0.0/4 . 1900 : accept,
        10.0.0.0/8 . 224.0.0.0/4 . 1900 : accept,
        172.16.0.0/12 . 224.0.0.0/4 . 1900 : accept,
        192.168.0.0/16 . 224.0.0.0/4 . 1902 : accept,
        10.0.0.0/8 . 224.0.0.0/4 . 1902 : accept,
        172.16.0.0/12 . 224.0.0.0/4 . 1902 : accept,
        192.168.0.0/16 . 240.0.0.0/4 . 1900 : accept,
        10.0.0.0/8 . 240.0.0.0/4 . 1900 : accept,
        172.16.0.0/12 . 240.0.0.0/4 . 1900 : accept }
}
# Outbound IPv6 multicast: mDNS from link-local (fe80::/10) or ULA (fc00::/7)
# sources to the multicast range ff00::/8.
map udp_multicast_out6 { # handle 67
    type ipv6_addr . ipv6_addr . inet_service : verdict
    flags interval
    elements = { fe80::/10 . ff00::/8 . "mdns" : accept,
        fc00::/7 . ff00::/8 . "mdns" : accept }
}
# Inbound IPv6 multicast: mirror of udp_multicast_out6 (mDNS only).
map udp_multicast_in6 { # handle 68
    type ipv6_addr . ipv6_addr . inet_service : verdict
    flags interval
    elements = { fe80::/10 . ff00::/8 . "mdns" : accept,
        fc00::/7 . ff00::/8 . "mdns" : accept }
}
# IPv4 blocklist with a per-entry verdict (e.g. drop or a jump to a logging
# chain); empty in this snapshot, populated at runtime. Consulted on the
# source in the input chain and on the destination in the forward chain.
map drop_hosts4 { # handle 69
    type ipv4_addr : verdict
    flags interval
}
# IPv6 blocklist, counterpart of drop_hosts4.
# NOTE(review): none of the chains in view consult this map (input and forward
# only check @drop_hosts4), so IPv6 entries added here have no effect unless a
# chain outside this excerpt uses it — confirm.
map drop_hosts6 { # handle 70
    type ipv6_addr : verdict
    flags interval
}
# Dynamic set of IPv4 sources under SYN quarantine; filter_prerouting drops any
# TCP SYN whose source is listed. `dynamic,timeout` lets rules insert entries
# from the packet path with an expiry; the inserting rule is not in view.
# NOTE(review): `size 1024` is a hard cap — once full, further inserts fail and
# the inserting rule no longer matches, so confirm that rule fails closed.
set tcp_syn_quarantine_meter4 {
    type ipv4_addr
    size 1024
    flags dynamic,timeout
}
# IPv6 counterpart of tcp_syn_quarantine_meter4; same 1024-entry cap caveat.
set tcp_syn_quarantine_meter6 {
    type ipv6_addr
    size 1024
    flags dynamic,timeout
}
# Per source/port meter for inbound TCP SYNs (inserting rule not in view).
# NOTE(review): `size 8` allows only eight concurrent source.port entries; with
# dynamic sets a full set makes the insert fail and the metering rule stop
# matching, so the ninth source is effectively unmetered. Consider a much
# larger size if this backs a rate limit.
set tcp_syn_ingress_meter4 {
    type ipv4_addr . inet_service
    size 8
    flags dynamic,timeout
}
# IPv6 counterpart of tcp_syn_ingress_meter4; same `size 8` caveat.
set tcp_syn_ingress_meter6 {
    type ipv6_addr . inet_service
    size 8
    flags dynamic,timeout
}
# Per-source meter for outbound TCP RSTs (inserting rule not in view); eight
# entries only — see the size caveat on tcp_syn_ingress_meter4.
set tcp_rst_egress_meter4 { # handle 71
    type ipv4_addr
    size 8
    flags dynamic,timeout
}
# IPv6 counterpart of tcp_rst_egress_meter4. (The "# handle 71" annotation is
# duplicated from the v4 set; handles are kernel-assigned and not referenced by
# any rule, so this is cosmetic.)
set tcp_rst_egress_meter6 { # handle 71
    type ipv6_addr
    size 8
    flags dynamic,timeout
}
# Per-source meter for outbound ICMP, presumably backing the
# icmp_echo_reply_rate_limit chain referenced from icmp_types_out4 (chain not
# in view); eight entries only — see the size caveat on tcp_syn_ingress_meter4.
set icmp_egress_meter4 { # handle 72
    type ipv4_addr
    size 8
    flags dynamic,timeout
}
# IPv6 counterpart of icmp_egress_meter4.
set icmp_egress_meter6 { # handle 73
    type ipv6_addr
    size 8
    flags dynamic,timeout
}
# IPv4 bogon classifier, consulted on the source in filter_prerouting and on
# the destination in filter_postrouting and masq. `continue` entries are ranges
# this host legitimately uses (RFC1918, link-local, loopback, 0.0.0.0/8 for
# DHCP, multicast, 240/4 for limited broadcast); `jump bogon` entries go to a
# logging/drop chain that is not in view. The lower half of the CGNAT block
# (100.64.0.0/17) is allowed because the forward maps below use 100.64.x.0/20
# subnets as local networks.
# NOTE(review): this is a hand-curated list, not a complete bogon set; compare
# it against a maintained source before relying on it as a perimeter control.
map drop_bogons4 { # handle 74
    type ipv4_addr : verdict
    flags interval
    elements = { 0.0.0.0/8 : continue, 10.0.0.0/8 : continue,
        100.64.0.0/17 : continue, 100.64.128.0/17 : jump bogon,
        100.65.0.0/16 : jump bogon, 100.66.0.0/15 : jump bogon,
        100.68.0.0/15 : jump bogon, 100.70.0.0/15 : jump bogon,
        100.72.0.0/15 : jump bogon, 100.74.0.0/15 : jump bogon,
        100.76.0.0/15 : jump bogon, 100.78.0.0/15 : jump bogon,
        100.80.0.0/15 : jump bogon, 100.82.0.0/15 : jump bogon,
        100.84.0.0/15 : jump bogon, 100.86.0.0/15 : jump bogon,
        100.88.0.0/15 : jump bogon, 100.90.0.0/15 : jump bogon,
        100.92.0.0/15 : jump bogon, 100.94.0.0/15 : jump bogon,
        100.96.0.0/11 : jump bogon, 127.0.0.0/8 : continue,
        169.254.0.0/16 : continue, 172.16.0.0/12 : continue,
        192.0.0.0/24 : jump bogon, 192.0.2.0/24 : jump bogon,
        192.168.0.0/16 : continue, 198.18.0.0/15 : jump bogon,
        198.51.100.0/24 : jump bogon, 203.0.113.0/24 : jump bogon,
        224.0.0.0/4 : continue, 240.0.0.0/4 : continue }
}
# Destinations that must never be masqueraded; the masq chain returns without
# NAT for these. Only link-local is listed.
set invalid_nat_destinations { # handle 75
    type ipv4_addr
    flags interval
    elements = { 169.254.0.0/16 }
}
# IPv6 bogon classifier (source in filter_prerouting, destination in
# filter_postrouting). Besides the usual reserved ranges (IPv4-compatible and
# IPv4-mapped, 100::/64 discard, documentation 2001:db8::/32, deprecated
# site-local fec0::/10), the 2001:0:* and 2002:* entries appear to be the
# Teredo and 6to4 encodings of the IPv4 bogons above — confirm they are kept in
# step with drop_bogons4. ULA, link-local and multicast are `continue`.
map drop_bogons6 { # handle 76
    type ipv6_addr : verdict
    flags interval
    elements = { ::/96 : jump bogon,
        ::ffff:0.0.0.0/96 : jump bogon,
        100::/64 : jump bogon,
        2001::/40 : jump bogon,
        2001:0:a00::/40 : jump bogon,
        2001:0:7f00::/40 : jump bogon,
        2001:0:a9fe::/48 : jump bogon,
        2001:0:ac10::/44 : jump bogon,
        2001:0:c000::/56 : jump bogon,
        2001:0:c000:200::/56 : jump bogon,
        2001:0:c0a8::/48 : jump bogon,
        2001:0:c612::/47 : jump bogon,
        2001:0:c633:6400::/56 : jump bogon,
        2001:0:cb00:7100::/56 : jump bogon,
        2001:0:e000::/36 : jump bogon,
        2001:0:f000::/36 : jump bogon,
        2001:10::/28 : jump bogon,
        2001:db8::/32 : jump bogon,
        2002::/24 : jump bogon,
        2002:a00::/24 : jump bogon,
        2002:7f00::/24 : jump bogon,
        2002:a9fe::/32 : jump bogon,
        2002:ac10::/28 : jump bogon,
        2002:c000::/40 : jump bogon,
        2002:c000:200::/40 : jump bogon,
        2002:c0a8::/32 : jump bogon,
        2002:c612::/31 : jump bogon,
        2002:c633:6400::/40 : jump bogon,
        2002:cb00:7100::/40 : jump bogon,
        2002:e000::/20 : jump bogon,
        2002:f000::/20 : jump bogon,
        fc00::/7 : continue,
        fe80::/10 : continue,
        fec0::/10 : jump bogon,
        ff00::/8 : continue }
}
# How to answer a connection to a closed port, by source/destination network:
# within the same private or link-local network an ICMP port-unreachable is
# sent immediately; for any other pair the "_metered" chain is used, presumably
# to keep the host from becoming an unbounded ICMP reflector (both chains not
# in view). Relies on the narrower element taking precedence over the
# 0.0.0.0/0 catch-all — verify on the running kernel.
map reject_or_drop_port4 { # handle 77
    type ipv4_addr . ipv4_addr : verdict
    flags interval
    elements = { 10.0.0.0/8 . 10.0.0.0/8 : jump reject_with_icmp_port_unreachable,
        172.16.0.0/12 . 172.16.0.0/12 : jump reject_with_icmp_port_unreachable,
        192.168.0.0/16 . 192.168.0.0/16 : jump reject_with_icmp_port_unreachable,
        169.254.0.0/16 . 169.254.0.0/16 : jump reject_with_icmp_port_unreachable,
        0.0.0.0/0 . 0.0.0.0/0 : jump reject_with_icmp_port_unreachable_metered }
}
# IPv6 counterpart of reject_or_drop_port4: immediate rejection within
# link-local or ULA, metered rejection for everything else.
map reject_or_drop_port6 { # handle 78
    type ipv6_addr . ipv6_addr : verdict
    flags interval
    elements = { fe80::/10 . fe80::/10 : jump reject_with_icmp_port_unreachable,
        fc00::/7 . fc00::/7 : jump reject_with_icmp_port_unreachable,
        ::/0 . ::/0 : jump reject_with_icmp_port_unreachable_metered }
}
# Inbound ICMPv4 accepted from any source: echo-request/reply and
# destination-unreachable (needed for path-MTU discovery). Consumed by icmp_in.
# NOTE(review): echo-request is accepted from anywhere with no rate limit in
# view; time-exceeded is not accepted, so inbound traceroute replies are
# dropped — confirm that is intended.
map icmp_types_in4 { # handle 79
    typeof ip saddr . ip daddr . icmp type : verdict
    flags interval
    elements = { 0.0.0.0/0 . 0.0.0.0/0 . echo-request : accept,
        0.0.0.0/0 . 0.0.0.0/0 . echo-reply : accept,
        0.0.0.0/0 . 0.0.0.0/0 . destination-unreachable : accept }
}
# Inbound ICMPv6 accepted by source/destination scope: echo within link-local,
# ULA, multicast and global (2000::/3); neighbour discovery (NS/NA) between
# link-local, ULA, multicast and the 2a0a:3840::/29 prefix; router
# advertisements from link-local only. Consumed by icmp_in.
# NOTE(review): no `packet-too-big`, `time-exceeded` or `destination-unreachable`
# entry is in view; IPv6 path-MTU discovery depends on packet-too-big being
# accepted, so confirm those types are handled elsewhere.
map icmp_types_in6 { # handle 80
    typeof ip6 saddr . ip6 daddr . icmpv6 type : verdict
    flags interval
    elements = { fe80::/10 . fe80::/10 . echo-request : accept,
        fe80::/10 . ff00::/8 . echo-request : accept,
        fc00::/7 . fc00::/7 . echo-request : accept,
        fe80::/10 . fe80::/10 . echo-reply : accept,
        fe80::/10 . ff00::/8 . echo-reply : accept,
        fc00::/7 . fc00::/7 . echo-reply : accept,
        2000::/3 . 2000::/3 . echo-request : accept,
        2000::/3 . 2000::/3 . echo-reply : accept,
        2a0a:3840::/29 . 2a0a:3840::/29 . nd-neighbor-advert : accept,
        2a0a:3840::/29 . fe80::/10 . nd-neighbor-advert : accept,
        2a0a:3840::/29 . fe80::/10 . nd-neighbor-solicit : accept,
        fe80::/10 . 2a0a:3840::/29 . nd-neighbor-solicit : accept,
        fe80::/10 . fe80::/10 . nd-neighbor-solicit : accept,
        fc00::/7 . ff00::/8 . nd-neighbor-solicit : accept,
        fc00::/7 . fc00::/7 . nd-neighbor-solicit : accept,
        fe80::/10 . ff00::/8 . nd-neighbor-solicit : accept,
        fc00::/7 . fc00::/7 . nd-neighbor-advert : accept,
        fe80::/10 . fe80::/10 . nd-neighbor-advert : accept,
        fe80::/10 . ff00::/8 . nd-router-advert : accept,
        fe80::/10 . fe80::/10 . nd-router-advert : accept }
}
# Inbound TCP services reachable from any IPv4 source: ssh, IRC-over-TLS and
# ident — the same three ports synproxy_in_ports protects. Consumed by tcp_in
# (not in view).
map tcp_unicast_in4 { # handle 81
    type ipv4_addr . ipv4_addr . inet_service : verdict
    flags interval
    elements = { 0.0.0.0/0 . 0.0.0.0/0 . "ssh" : accept,
        0.0.0.0/0 . 0.0.0.0/0 . "ircs-u" : accept,
        0.0.0.0/0 . 0.0.0.0/0 . "auth" : accept }
}
# IPv6 counterpart of tcp_unicast_in4: the same three services from any source.
map tcp_unicast_in6 { # handle 82
    type ipv6_addr . ipv6_addr . inet_service : verdict
    flags interval
    elements = { ::/0 . ::/0 . "ircs-u" : accept,
        ::/0 . ::/0 . "auth" : accept,
        ::/0 . ::/0 . "ssh" : accept }
}
# Inbound unicast UDP, same-network only: DHCP client port (replies to this
# host's DHCP client) and NetBIOS name service. Consumed by udp_in (not in view).
map udp_unicast_in4 { # handle 83
    type ipv4_addr . ipv4_addr . inet_service : verdict
    flags interval
    elements = { 169.254.0.0/16 . 169.254.0.0/16 . "bootpc" : accept,
        10.0.0.0/8 . 10.0.0.0/8 . "bootpc" : accept,
        172.16.0.0/12 . 172.16.0.0/12 . "bootpc" : accept,
        192.168.0.0/16 . 192.168.0.0/16 . "bootpc" : accept,
        169.254.0.0/16 . 169.254.0.0/16 . "netbios-ns" : accept,
        10.0.0.0/8 . 10.0.0.0/8 . "netbios-ns" : accept,
        172.16.0.0/12 . 172.16.0.0/12 . "netbios-ns" : accept,
        192.168.0.0/16 . 192.168.0.0/16 . "netbios-ns" : accept }
}
# Inbound IPv6 UDP: only DHCPv6 client-port traffic from link-local sources to
# multicast destinations.
map udp_unicast_in6 { # handle 84
    type ipv6_addr . ipv6_addr . inet_service : verdict
    flags interval
    elements = { fe80::/10 . ff00::/8 . "dhcpv6-client" : accept }
}
# First-stage IPv4 forwarding policy, keyed on source, destination and
# conntrack state (consulted by ether_forward before the per-protocol
# dispatch):
#   - link-local is never forwarded in either direction (jump wont_forward);
#   - traffic between different RFC1918 blocks is rejected with no-route;
#   - `new` flows inside one block, or from a private block to the Internet,
#     `continue` into the protocol chains where ports are checked;
#   - `established` flows are accepted outright in both directions;
#   - the 100.64.x.0/20 subnets get the same treatment with a few extra
#     pairings (16->32 new, 32->16 established, 48/80 everywhere, 64 and 96
#     only within themselves; 100.64.0.0/20 never originates new flows).
# NOTE(review): `related` is not listed, so related packets (e.g. ICMP errors
# for a forwarded flow) fall through to the protocol dispatch in ether_forward —
# confirm that is intended. Narrower entries are assumed to take precedence
# over the 0.0.0.0/0 ones.
map default_forward4 { # handle 85
    typeof ip saddr . ip daddr . ct state : verdict
    flags interval
    elements = { 169.254.0.0/16 . 0.0.0.0/0 . new : jump wont_forward,
        0.0.0.0/0 . 169.254.0.0/16 . new : jump wont_forward,
        10.0.0.0/8 . 172.16.0.0/12 . new : jump reject_with_icmp_no_route,
        10.0.0.0/8 . 192.168.0.0/16 . new : jump reject_with_icmp_no_route,
        172.16.0.0/12 . 10.0.0.0/8 . new : jump reject_with_icmp_no_route,
        172.16.0.0/12 . 192.168.0.0/16 . new : jump reject_with_icmp_no_route,
        192.168.0.0/16 . 10.0.0.0/8 . new : jump reject_with_icmp_no_route,
        192.168.0.0/16 . 172.16.0.0/12 . new : jump reject_with_icmp_no_route,
        10.0.0.0/8 . 10.0.0.0/8 . new : continue,
        10.0.0.0/8 . 10.0.0.0/8 . established : accept,
        172.16.0.0/12 . 172.16.0.0/12 . new : continue,
        172.16.0.0/12 . 172.16.0.0/12 . established : accept,
        192.168.0.0/16 . 192.168.0.0/16 . new : continue,
        192.168.0.0/16 . 192.168.0.0/16 . established : accept,
        10.0.0.0/8 . 0.0.0.0/0 . new : continue,
        172.16.0.0/12 . 0.0.0.0/0 . new : continue,
        192.168.0.0/16 . 0.0.0.0/0 . new : continue,
        0.0.0.0/0 . 10.0.0.0/8 . established : accept,
        0.0.0.0/0 . 172.16.0.0/12 . established : accept,
        0.0.0.0/0 . 192.168.0.0/16 . established : accept,
        100.64.0.0/20 . 0.0.0.0/0 . new : jump reject_with_icmp_no_route,
        100.64.16.0/20 . 100.64.32.0/20 . new : continue,
        100.64.32.0/20 . 100.64.16.0/20 . established : accept,
        100.64.48.0/20 . 100.64.0.0/17 . new : continue,
        100.64.80.0/20 . 100.64.0.0/17 . new : continue,
        100.64.48.0/20 . 0.0.0.0/0 . new : continue,
        100.64.80.0/20 . 0.0.0.0/0 . new : continue,
        100.64.48.0/20 . 0.0.0.0/0 . established : accept,
        100.64.80.0/20 . 0.0.0.0/0 . established : accept,
        0.0.0.0/0 . 100.64.48.0/20 . established : accept,
        0.0.0.0/0 . 100.64.80.0/20 . established : accept,
        100.64.64.0/20 . 100.64.64.0/20 . new : continue,
        100.64.96.0/20 . 100.64.96.0/20 . new : continue,
        100.64.64.0/20 . 100.64.64.0/20 . established : accept,
        100.64.96.0/20 . 100.64.96.0/20 . established : accept }
}
# First-stage IPv6 forwarding policy: link-local is never forwarded; ULA-to-ULA
# new flows continue into the protocol chains and established ones are
# accepted. No global (2000::/3) pairing is listed here, so global IPv6
# forwarding relies entirely on the per-protocol maps.
map default_forward6 { # handle 86
    typeof ip6 saddr . ip6 daddr . ct state : verdict
    flags interval
    elements = { fe80::/10 . ::/0 . new : jump wont_forward,
        ::/0 . fe80::/10 . new : jump wont_forward,
        fc00::/7 . fc00::/7 . new : continue,
        fc00::/7 . fc00::/7 . established : accept }
}
# Outbound ICMPv4 (consumed by icmp_out, not in view): destination-unreachable
# anywhere; echo-request from private sources or from 80.78.23.0/24 to
# anywhere; echo-reply unrestricted within a private block, and otherwise via
# the icmp_echo_reply_rate_limit chain (not in view) to bound reflection.
map icmp_types_out4 { # handle 87
    typeof ip saddr . ip daddr . icmp type : verdict
    flags interval
    elements = { 0.0.0.0/0 . 0.0.0.0/0 . destination-unreachable : accept,
        10.0.0.0/8 . 0.0.0.0/0 . echo-request : accept,
        172.16.0.0/12 . 0.0.0.0/0 . echo-request : accept,
        192.168.0.0/16 . 0.0.0.0/0 . echo-request : accept,
        10.0.0.0/8 . 10.0.0.0/8 . echo-reply : accept,
        172.16.0.0/12 . 172.16.0.0/12 . echo-reply : accept,
        192.168.0.0/16 . 192.168.0.0/16 . echo-reply : accept,
        0.0.0.0/0 . 0.0.0.0/0 . echo-reply : jump icmp_echo_reply_rate_limit,
        80.78.23.0/24 . 0.0.0.0/0 . echo-request : accept }
}
# Outbound ICMPv6 (consumed by icmp_out, not in view): echo within scope,
# global echo-reply rate limited, destination-unreachable anywhere, neighbour
# discovery between link-local/ULA/global/multicast, router solicitation from
# link-local to multicast.
map icmp_types_out6 { # handle 88
    typeof ip6 saddr . ip6 daddr . icmpv6 type : verdict
    flags interval
    elements = { fe80::/10 . ff00::/8 . echo-request : accept,
        fc00::/7 . fc00::/7 . echo-reply : accept,
        2000::/3 . ::/0 . echo-request : accept,
        2000::/3 . ::/0 . echo-reply : jump icmp_echo_reply_rate_limit,
        fc00::/7 . fc00::/7 . nd-neighbor-advert : accept,
        fe80::/10 . fe80::/10 . nd-neighbor-advert : accept,
        fc00::/7 . ff00::/8 . nd-neighbor-solicit : accept,
        ::/0 . ::/0 . destination-unreachable : accept,
        2000::/3 . ff00::/8 . nd-neighbor-solicit : accept,
        2000::/3 . fe80::/10 . nd-neighbor-advert : accept,
        fe80::/10 . fc00::/7 . nd-neighbor-solicit : accept,
        fe80::/10 . fe80::/10 . nd-neighbor-solicit : accept,
        fe80::/10 . ff00::/8 . nd-router-solicit : accept,
        fe80::/10 . 2000::/3 . nd-neighbor-solicit : accept }
}
# Outbound TCP allow-list (consumed by tcp_out, not in view). From private
# sources: ssh, https, DNS-over-TLS ("domain-s", 853), NTS-KE (4460) and
# 5349 (STUN/TURN over TLS) to anywhere; plain DNS only within the same block.
# The first entry (80.78.23.0/24 -> 127.0.0.0/8:3128) is the path created by
# nat_output's redirect of port-80 traffic to the local proxy. IRC-over-TLS is
# allowed from any source.
map tcp_unicast_out4 { # handle 89
    type ipv4_addr . ipv4_addr . inet_service : verdict
    flags interval
    elements = { 80.78.23.0/24 . 127.0.0.0/8 . 3128 : accept,
        10.0.0.0/8 . 0.0.0.0/0 . "ssh" : accept,
        172.16.0.0/12 . 0.0.0.0/0 . "ssh" : accept,
        192.168.0.0/16 . 0.0.0.0/0 . "ssh" : accept,
        10.0.0.0/8 . 10.0.0.0/8 . "domain" : accept,
        172.16.0.0/12 . 172.16.0.0/12 . "domain" : accept,
        192.168.0.0/16 . 192.168.0.0/16 . "domain" : accept,
        10.0.0.0/8 . 0.0.0.0/0 . "https" : accept,
        172.16.0.0/12 . 0.0.0.0/0 . "https" : accept,
        192.168.0.0/16 . 0.0.0.0/0 . "https" : accept,
        10.0.0.0/8 . 0.0.0.0/0 . "domain-s" : accept,
        172.16.0.0/12 . 0.0.0.0/0 . "domain-s" : accept,
        192.168.0.0/16 . 0.0.0.0/0 . "domain-s" : accept,
        10.0.0.0/8 . 0.0.0.0/0 . "ntske" : accept,
        172.16.0.0/12 . 0.0.0.0/0 . "ntske" : accept,
        192.168.0.0/16 . 0.0.0.0/0 . "ntske" : accept,
        10.0.0.0/8 . 0.0.0.0/0 . 5349 : accept,
        172.16.0.0/12 . 0.0.0.0/0 . 5349 : accept,
        192.168.0.0/16 . 0.0.0.0/0 . 5349 : accept,
        0.0.0.0/0 . 0.0.0.0/0 . "ircs-u" : accept }
}
# Outbound IPv6 TCP allow-list: https, DNS-over-TLS, NTS-KE and 5349 within
# ULA or within global scope; IRC-over-TLS global-to-global. Note there is no
# ssh entry, unlike tcp_unicast_out4.
map tcp_unicast_out6 { # handle 90
    type ipv6_addr . ipv6_addr . inet_service : verdict
    flags interval
    elements = { 2000::/3 . 2000::/3 . "ircs-u" : accept,
        fc00::/7 . fc00::/7 . "https" : accept,
        fc00::/7 . fc00::/7 . "domain-s" : accept,
        fc00::/7 . fc00::/7 . "ntske" : accept,
        fc00::/7 . fc00::/7 . 5349 : accept,
        2000::/3 . 2000::/3 . "https" : accept,
        2000::/3 . 2000::/3 . "domain-s" : accept,
        2000::/3 . 2000::/3 . "ntske" : accept,
        2000::/3 . 2000::/3 . 5349 : accept }
}
# Outbound UDP allow-list (consumed by udp_out, not in view). From
# 80.78.23.0/24: NTP and plain DNS to anywhere. From private blocks: https
# (QUIC) and openvpn to anywhere; DHCP server port, DNS and NTP within the same
# block; mDNS and NetBIOS within the block or to multicast.
# NOTE(review): the 10.0.0.0/8 NetBIOS rows cover only "netbios-dgm", while the
# other blocks have both "netbios-ns" and "netbios-dgm" — likely an omission.
map udp_unicast_out4 { # handle 91
    type ipv4_addr . ipv4_addr . inet_service : verdict
    flags interval
    elements = {
        80.78.23.0/24 . 0.0.0.0/0 . "ntp" : accept,
        80.78.23.0/24 . 0.0.0.0/0 . "domain" : accept,
        10.0.0.0/8 . 10.0.0.0/8 . "bootps" : accept,
        172.16.0.0/12 . 172.16.0.0/12 . "bootps" : accept,
        192.168.0.0/16 . 192.168.0.0/16 . "bootps" : accept,
        169.254.0.0/16 . 169.254.0.0/16 . "bootps" : accept,
        10.0.0.0/8 . 10.0.0.0/8 . "domain" : accept,
        172.16.0.0/12 . 172.16.0.0/12 . "domain" : accept,
        192.168.0.0/16 . 192.168.0.0/16 . "domain" : accept,
        10.0.0.0/8 . 0.0.0.0/0 . "https" : accept,
        172.16.0.0/12 . 0.0.0.0/0 . "https" : accept,
        192.168.0.0/16 . 0.0.0.0/0 . "https" : accept,
        10.0.0.0/8 . 0.0.0.0/0 . "openvpn" : accept,
        172.16.0.0/12 . 0.0.0.0/0 . "openvpn" : accept,
        192.168.0.0/16 . 0.0.0.0/0 . "openvpn" : accept,
        10.0.0.0/8 . 10.0.0.0/8 . "ntp" : accept,
        192.168.0.0/16 . 192.168.0.0/16 . "ntp" : accept,
        172.16.0.0/12 . 172.16.0.0/12 . "ntp" : accept,
        169.254.0.0/16 . 169.254.0.0/16 . "mdns" : accept,
        169.254.0.0/16 . 224.0.0.0/4 . "mdns" : accept,
        10.0.0.0/8 . 224.0.0.0/4 . "mdns" : accept,
        192.168.0.0/16 . 224.0.0.0/4 . "mdns" : accept,
        172.16.0.0/12 . 224.0.0.0/4 . "mdns" : accept,
        169.254.0.0/16 . 169.254.0.0/16 . "netbios-ns" : accept,
        10.0.0.0/8 . 10.0.0.0/8 . "netbios-dgm" : accept,
        192.168.0.0/16 . 192.168.0.0/16 . "netbios-ns" : accept,
        172.16.0.0/12 . 172.16.0.0/12 . "netbios-ns" : accept,
        169.254.0.0/16 . 169.254.0.0/16 . "netbios-dgm" : accept,
        192.168.0.0/16 . 192.168.0.0/16 . "netbios-dgm" : accept,
        172.16.0.0/12 . 172.16.0.0/12 . "netbios-dgm" : accept }
}
# Outbound IPv6 UDP allow-list: NTP, plain DNS and https (QUIC) from global
# addresses to anywhere; DHCPv6 server port and mDNS to multicast from
# link-local (and mDNS from ULA).
map udp_unicast_out6 { # handle 92
    type ipv6_addr . ipv6_addr . inet_service : verdict
    flags interval
    elements = {
        2000::/3 . ::/0 . "ntp" : accept,
        2000::/3 . ::/0 . "domain" : accept,
        fe80::/10 . ff00::/8 . "dhcpv6-server" : accept,
        2000::/3 . ::/0 . "https" : accept,
        fe80::/10 . ff00::/8 . "mdns" : accept,
        fc00::/7 . ff00::/8 . "mdns" : accept }
}
# ICMPv4 forwarding policy (consumed by icmp_forward, not in view): echo-request
# from private blocks to anywhere; echo-reply and destination-unreachable within
# a block; echo-reply to anywhere else rate limited. The 100.64.48/80 subnets may
# ping the Internet but are rejected (admin-prohibited) when pinging the rest of
# 100.64.0.0/17 — relies on the narrower entry winning over the 0.0.0.0/0 one.
map icmp_types_forward4 { # handle 93
    typeof ip saddr . ip daddr . icmp type : verdict
    flags interval
    elements = { 10.0.0.0/8 . 0.0.0.0/0 . echo-request : accept,
        172.16.0.0/12 . 0.0.0.0/0 . echo-request : accept,
        192.168.0.0/16 . 0.0.0.0/0 . echo-request : accept,
        10.0.0.0/8 . 10.0.0.0/8 . echo-reply : accept,
        172.16.0.0/12 . 172.16.0.0/12 . echo-reply : accept,
        192.168.0.0/16 . 192.168.0.0/16 . echo-reply : accept,
        10.0.0.0/8 . 10.0.0.0/8 . destination-unreachable : accept,
        172.16.0.0/12 . 172.16.0.0/12 . destination-unreachable : accept,
        192.168.0.0/16 . 192.168.0.0/16 . destination-unreachable : accept,
        0.0.0.0/0 . 0.0.0.0/0 . echo-reply : jump icmp_echo_reply_rate_limit,
        100.64.80.0/20 . 100.64.0.0/17 . echo-request : jump reject_with_icmp_admin_prohibited,
        100.64.80.0/20 . 0.0.0.0/0 . echo-request : accept,
        100.64.48.0/20 . 100.64.0.0/17 . echo-request : jump reject_with_icmp_admin_prohibited,
        100.64.48.0/20 . 0.0.0.0/0 . echo-request : accept }
}
# ICMPv6 forwarding policy: echo-request link-local to multicast, echo-reply
# within ULA, global echo-reply rate limited. No destination-unreachable or
# packet-too-big entry is in view — confirm PMTU errors for forwarded IPv6
# flows are handled elsewhere.
map icmp_types_forward6 { # handle 94
    typeof ip6 saddr . ip6 daddr . icmpv6 type : verdict
    flags interval
    elements = { fe80::/10 . ff00::/8 . echo-request : accept,
        fc00::/7 . fc00::/7 . echo-reply : accept,
        2000::/3 . ::/0 . echo-reply : jump icmp_echo_reply_rate_limit }
}
# Unconditional forwarding for the two 100.64.48/80 subnets in both directions
# (no port check); these are also the subnets masquerade_networks4 NATs. The
# consuming chain is not in view.
map forward_all4 { # handle 95
    type ipv4_addr . ipv4_addr : verdict
    flags interval
    elements = { 100.64.80.0/20 . 0.0.0.0/0 : accept,
        0.0.0.0/0 . 100.64.80.0/20 : accept,
        100.64.48.0/20 . 0.0.0.0/0 : accept,
        0.0.0.0/0 . 100.64.48.0/20 : accept }
}
# IPv6 counterpart of forward_all4; empty, so no IPv6 network is forwarded
# unconditionally.
map forward_all6 { # handle 96
    type ipv6_addr . ipv6_addr : verdict
    flags interval
}
# Port-level TCP forwarding policy for IPv4 (consumed by tcp_forward, not in
# view): DNS and http within a private block; ssh, https, DNS-over-TLS, NTS-KE
# and 5349 from a private block to anywhere. 100.64.80/20 and 100.64.48/20 may
# reach http/https on the Internet but are rejected (admin-prohibited) towards
# the rest of 100.64.0.0/17 — relies on the narrower entry winning over the
# 0.0.0.0/0 one.
map tcp_net_forward_by_port4 { # handle 97
    type ipv4_addr . ipv4_addr . inet_service : verdict
    flags interval
    elements = { 10.0.0.0/8 . 10.0.0.0/8 . "domain" : accept,
        172.16.0.0/12 . 172.16.0.0/12 . "domain" : accept,
        192.168.0.0/16 . 192.168.0.0/16 . "domain" : accept,
        10.0.0.0/8 . 10.0.0.0/8 . "http" : accept,
        172.16.0.0/12 . 172.16.0.0/12 . "http" : accept,
        192.168.0.0/16 . 192.168.0.0/16 . "http" : accept,
        10.0.0.0/8 . 0.0.0.0/0 . "ssh" : accept,
        172.16.0.0/12 . 0.0.0.0/0 . "ssh" : accept,
        192.168.0.0/16 . 0.0.0.0/0 . "ssh" : accept,
        10.0.0.0/8 . 0.0.0.0/0 . "https" : accept,
        172.16.0.0/12 . 0.0.0.0/0 . "https" : accept,
        192.168.0.0/16 . 0.0.0.0/0 . "https" : accept,
        10.0.0.0/8 . 0.0.0.0/0 . "domain-s" : accept,
        172.16.0.0/12 . 0.0.0.0/0 . "domain-s" : accept,
        192.168.0.0/16 . 0.0.0.0/0 . "domain-s" : accept,
        10.0.0.0/8 . 0.0.0.0/0 . "ntske" : accept,
        172.16.0.0/12 . 0.0.0.0/0 . "ntske" : accept,
        192.168.0.0/16 . 0.0.0.0/0 . "ntske" : accept,
        10.0.0.0/8 . 0.0.0.0/0 . 5349 : accept,
        172.16.0.0/12 . 0.0.0.0/0 . 5349 : accept,
        192.168.0.0/16 . 0.0.0.0/0 . 5349 : accept,
        100.64.80.0/20 . 100.64.0.0/17 . "http" : jump reject_with_icmp_admin_prohibited,
        100.64.80.0/20 . 0.0.0.0/0 . "http" : accept,
        100.64.80.0/20 . 100.64.0.0/17 . "https" : jump reject_with_icmp_admin_prohibited,
        100.64.80.0/20 . 0.0.0.0/0 . "https" : accept,
        100.64.48.0/20 . 100.64.0.0/17 . "https" : jump reject_with_icmp_admin_prohibited,
        100.64.48.0/20 . 0.0.0.0/0 . "https" : accept }
}
# Port-level TCP forwarding policy for IPv6: http within ULA; https,
# DNS-over-TLS, NTS-KE and 5349 within ULA or within global scope.
map tcp_net_forward_by_port6 { # handle 98
    type ipv6_addr . ipv6_addr . inet_service : verdict
    flags interval
    elements = { fc00::/7 . fc00::/7 . "http" : accept,
        fc00::/7 . fc00::/7 . "https" : accept,
        fc00::/7 . fc00::/7 . "domain-s" : accept,
        fc00::/7 . fc00::/7 . "ntske" : accept,
        fc00::/7 . fc00::/7 . 5349 : accept,
        2000::/3 . 2000::/3 . "https" : accept,
        2000::/3 . 2000::/3 . "domain-s" : accept,
        2000::/3 . 2000::/3 . "ntske" : accept,
        2000::/3 . 2000::/3 . 5349 : accept }
}
# Port-level UDP forwarding policy for IPv4 (consumed by udp_forward, not in
# view): DNS within a private block, https (QUIC) from a private block to
# anywhere.
map udp_net_forward_by_port4 { # handle 99
    type ipv4_addr . ipv4_addr . inet_service : verdict
    flags interval
    elements = { 10.0.0.0/8 . 10.0.0.0/8 . "domain" : accept,
        172.16.0.0/12 . 172.16.0.0/12 . "domain" : accept,
        192.168.0.0/16 . 192.168.0.0/16 . "domain" : accept,
        10.0.0.0/8 . 0.0.0.0/0 . "https" : accept,
        172.16.0.0/12 . 0.0.0.0/0 . "https" : accept,
        192.168.0.0/16 . 0.0.0.0/0 . "https" : accept }
}
# Port-level UDP forwarding policy for IPv6: only https (QUIC) from global
# addresses.
map udp_net_forward_by_port6 { # handle 100
    type ipv6_addr . ipv6_addr . inet_service : verdict
    flags interval
    elements = { 2000::/3 . ::/0 . "https" : accept }
}
# Inbound TCP port -> internal host DNAT table used by the nat prerouting
# chain; empty in this snapshot, so no inbound TCP port is forwarded.
map tcp_ports_nat_in_redirect4 { # handle 101
    type inet_service : ipv4_addr
}
# Locally generated TCP (nat_output) matching destination.port is rewritten to
# the mapped address.port: every outbound http connection is redirected to a
# proxy on 127.0.0.1:3128 (3128 is the conventional Squid port — confirm).
# NOTE(review): nothing in view exempts the proxy's own upstream connections
# (e.g. by `meta skuid`), so its port-80 fetches would be redirected back to
# itself; confirm how loops are avoided.
map tcp_ports_nat_out_redirect4 { # handle 102
    type ipv4_addr . inet_service : ipv4_addr . inet_service
    flags interval
    elements = { 0.0.0.0/0 . "http" : 127.0.0.1 . 3128 }
}
# Inbound UDP port -> internal host DNAT table (nat prerouting); empty.
map udp_ports_nat_in_redirect4 { # handle 103
    type inet_service : ipv4_addr
}
# Source networks to masquerade per egress interface (nat_postrouting does
# `oif . ip saddr vmap`). Only the 100.64.48/80 subnets leaving eth0 are NATed.
# NOTE(review): `iface_index` keys are resolved to an interface index when the
# ruleset loads; if eth0 does not exist yet, or is recreated later with a new
# index, the lookup silently stops matching. Keying on `ifname` and matching
# with `oifname` in nat_postrouting avoids that (both must change together).
map masquerade_networks4 { # handle 104
    type iface_index . ipv4_addr : verdict
    flags interval
    elements = { "eth0" . 100.64.80.0/20 : jump masq,
        "eth0" . 100.64.48.0/20 : jump masq }
}
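# Base input chain, default deny. Loopback is trusted outright; blocklisted
# sources are handled by the verdict maps; Ethernet interfaces are dispatched
# by protocol to ether_in. Anything else (non-ether interface types such as
# tunnels, packets ether_in does not accept) is logged to nflog group 1 and
# counted before the policy drop.
# Fix: consult the IPv6 blocklist too — drop_hosts6 existed but was never
# used in the visible chains, so IPv6 entries had no effect (an empty map
# never matches, so this is a no-op until elements are added).
# NOTE(review): the final `log` has no rate limit, unlike the per-protocol
# chains which use `limit name ...`; a flood of unmatched packets will flood
# the log group.
chain input { # handle 1
    type filter hook input priority filter; policy drop;
    meta iiftype vmap { loopback : accept } # handle 115
    ip saddr vmap @drop_hosts4 # handle 116
    ip6 saddr vmap @drop_hosts6
    meta iiftype vmap { ether : jump ether_in } # handle 117
    log prefix "input" group 1 # handle 118
    counter # handle 119
}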
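# Base forward chain, default deny. Blocklisted destinations are handled by
# the verdict maps (note: the destination, whereas input checks the source);
# traffic leaving via an Ethernet interface is dispatched to ether_forward;
# everything else is logged (unlimited) and dropped.
# Fix: consult the IPv6 blocklist too — drop_hosts6 existed but was never
# used in the visible chains; with an empty map this adds no behaviour.
chain forward { # handle 2
    type filter hook forward priority filter; policy drop;
    ip daddr vmap @drop_hosts4 # handle 120
    ip6 daddr vmap @drop_hosts6
    meta oiftype vmap { ether : jump ether_forward } # handle 121
    log prefix "forward" group 1 # handle 122
    counter # handle 123
}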
# Base output chain, default deny: loopback accepted, Ethernet egress dispatched
# to ether_out, everything else (including traffic towards non-ether interfaces
# such as tunnels) logged without a rate limit and dropped. No blocklist check
# is applied on the output path.
chain output { # handle 3
    type filter hook output priority filter; policy drop;
    meta oiftype vmap { loopback : accept } # handle 124
    meta oiftype vmap { ether : jump ether_out } # handle 125
    log prefix "output" group 1 # handle 126
    counter # handle 127
}
# Early (priority raw, i.e. before conntrack) ingress checks on all inbound
# packets, including ones that will be forwarded:
#   - source bogon classification (jump bogon / continue);
#   - drop TCP SYNs from sources currently in the quarantine sets;
#   - exempt SYNs to SYN-proxied ports from conntrack (`notrack`), as the
#     synproxy handshake requires; the matching `synproxy` rule on the input
#     side is not in view.
chain filter_prerouting { # handle 4
    type filter hook prerouting priority raw; policy accept;
    ip saddr vmap @drop_bogons4 # handle 128
    ip6 saddr vmap @drop_bogons6 # handle 129
    ip saddr @tcp_syn_quarantine_meter4 tcp flags syn drop
    ip6 saddr @tcp_syn_quarantine_meter6 tcp flags syn drop
    tcp dport @synproxy_in_ports tcp flags syn notrack # handle 130
}
# DNAT for locally generated IPv4 TCP: destination.port is looked up in
# tcp_ports_nat_out_redirect4 (currently: all http -> 127.0.0.1:3128). Applies
# to every local process regardless of UID — see the loop caveat on that map.
chain nat_output { # handle 5
    type nat hook output priority -100; policy accept;
    ip protocol tcp dnat ip to ip daddr . tcp dport map @tcp_ports_nat_out_redirect4 # handle 131
}
# Inbound DNAT (port forwarding) for IPv4 TCP/UDP by destination port; both
# maps are empty in this snapshot, so nothing is forwarded until they are
# populated at runtime.
chain prerouting { # handle 6
    type nat hook prerouting priority dstnat; policy accept;
    ip protocol tcp dnat ip to tcp dport map @tcp_ports_nat_in_redirect4 # handle 132
    ip protocol udp dnat ip to udp dport map @udp_ports_nat_in_redirect4 # handle 133
}
# Egress bogon classification on the destination address for all outgoing and
# forwarded packets (priority raw).
chain filter_postrouting { # handle 7
    type filter hook postrouting priority raw; policy accept;
    ip daddr vmap @drop_bogons4 # handle 134
    ip6 daddr vmap @drop_bogons6 # handle 135
}
# Source NAT: egress interface . source address is looked up in
# masquerade_networks4, which jumps to masq for the NATed subnets. `oif` is an
# interface index — see the load-time resolution caveat on that map.
chain nat_postrouting { # handle 8
    type nat hook postrouting priority srcnat; policy accept;
    oif . ip saddr vmap @masquerade_networks4 # handle 136
}
# Masquerade target for nat_postrouting. Bogon destinations go to the drop
# map first; destinations in @invalid_nat_destinations return un-NATed;
# everything else is counted and masqueraded.
chain masq { # handle 9
    ip daddr vmap @drop_bogons4 # handle 137
    ip daddr @invalid_nat_destinations return # handle 138
    counter masquerade # handle 139
}
# L4 dispatch for inbound traffic on ethernet interfaces. Only the listed
# protocols are handled; any other IP payload (GRE, ESP, OSPF, ...) is logged
# and dropped here.
chain ether_in { # handle 10
    ip protocol vmap { icmp : jump icmp_in, igmp : jump igmp_in, tcp : jump tcp_in, udp : jump udp_in } # handle 140
    ip6 nexthdr vmap { tcp : jump tcp_in, udp : jump udp_in, ipv6-icmp : jump icmp_in } # handle 141
    log prefix "ether_in" group 1 # handle 142
    counter drop # handle 143
}
# L4 dispatch for locally generated traffic on ethernet interfaces. Mirrors
# ether_in; anything that is not ICMP/IGMP/TCP/UDP (v4) or TCP/UDP/ICMPv6 (v6)
# is logged and dropped.
chain ether_out { # handle 11
    ip protocol vmap { icmp : jump icmp_out, igmp : jump igmp_out, tcp : jump tcp_out, udp : jump udp_out } # handle 144
    ip6 nexthdr vmap { tcp : jump tcp_out, udp : jump udp_out, ipv6-icmp : jump icmp_out } # handle 145
    log prefix "ether_out" group 1 # handle 146
    counter drop # handle 147
}
# Forward dispatch. Whole-flow decisions first (saddr . daddr . ct state for
# each family), then per-protocol chains. IGMP is not forwarded.
# NOTE(review): the protocol dispatch below uses `ip protocol`, which matches
# IPv4 only, and there is no `ip6 nexthdr` line as in ether_in/ether_out. Any
# IPv6 forward traffic not decided by @default_forward6 is therefore logged
# and dropped here and never reaches tcp_forward/udp_forward/icmp_forward,
# whose ip6 rules are unreachable for routed traffic. Looks like an omission;
# the fix would mirror ether_in with
#   ip6 nexthdr vmap { tcp : jump tcp_forward, udp : jump udp_forward, ipv6-icmp : jump icmp_forward }
# — confirm before changing forwarding behaviour.
chain ether_forward { # handle 12
    ip saddr . ip daddr . ct state vmap @default_forward4 # handle 148
    ip6 saddr . ip6 daddr . ct state vmap @default_forward6 # handle 149
    ip protocol vmap { icmp : jump icmp_forward, tcp : jump tcp_forward, udp : jump udp_forward } # handle 150
    log prefix "ether_forward" group 1 # handle 151
    counter drop # handle 152
}
# Inbound IGMP: only multicast-addressed packets matching the
# (saddr . daddr . type) map are accepted; unicast IGMP never matches the
# first rule and, like any unmatched packet, is rate-limited-logged and
# dropped.
chain igmp_in { # handle 13
    meta pkttype multicast ip saddr . ip daddr . igmp type vmap @igmp_in4 # handle 153
    limit name "igmp_in_log_lim" log prefix "igmp_in" group 1 # handle 154
    counter drop # handle 155
}
# Outbound IGMP: (saddr . daddr . type) map decides; no pkttype restriction
# here, unlike igmp_in. Unmatched packets are rate-limited-logged and dropped.
chain igmp_out { # handle 14
    ip saddr . ip daddr . igmp type vmap @igmp_out4 # handle 156
    limit name "igmp_out_log_lim" log prefix "igmp_out" group 1 # handle 157
    counter drop # handle 158
}
# Inbound ICMP/ICMPv6: allowed (saddr . daddr . type) tuples come from the
# per-family maps (contents not in view); everything else is
# rate-limited-logged and dropped.
chain icmp_in { # handle 15
    ip saddr . ip daddr . icmp type vmap @icmp_types_in4 # handle 159
    ip6 saddr . ip6 daddr . icmpv6 type vmap @icmp_types_in6 # handle 160
    limit name "icmp_in_log_lim" log prefix "icmp_in" group 1 # handle 161
    counter drop # handle 162
}
# Outbound ICMP/ICMPv6, same shape as icmp_in: per-family
# (saddr . daddr . type) maps decide; the rest is rate-limited-logged and
# dropped.
chain icmp_out { # handle 16
    ip saddr . ip daddr . icmp type vmap @icmp_types_out4 # handle 163
    ip6 saddr . ip6 daddr . icmpv6 type vmap @icmp_types_out6 # handle 164
    limit name "icmp_out_log_lim" log prefix "icmp_out" group 1 # handle 165
    counter drop # handle 166
}
# Forwarded ICMP/ICMPv6: per-family (saddr . daddr . type) maps decide; the
# rest is rate-limited-logged and dropped. (Reached from ether_forward only
# for IPv4 as that chain is written.)
chain icmp_forward { # handle 17
    ip saddr . ip daddr . icmp type vmap @icmp_types_forward4 # handle 167
    ip6 saddr . ip6 daddr . icmpv6 type vmap @icmp_types_forward6 # handle 168
    limit name "icmp_forward_log_lim" log prefix "icmp_forward" group 1 # handle 169
    counter drop # handle 170
}
# Per-address ICMP egress budget: 3 packets/second keyed on the *source*
# address, entries carrying a 4s timeout; over budget the packet is
# rate-limited-logged and dropped. The same @icmp_egress_meter* sets are also
# fed by the reject_*_metered chains (keyed on destination there), so replies
# and rejects draw from one per-address budget.
# NOTE(review): `add` (not `update`) is used, which affects whether the 4s
# timeout is refreshed on each hit — confirm the intended meter behaviour.
chain icmp_echo_reply_rate_limit { # handle 18
    add @icmp_egress_meter4 { ip saddr timeout 4s limit rate 3/second } accept # handle 171
    add @icmp_egress_meter6 { ip6 saddr timeout 4s limit rate 3/second } accept # handle 172
    limit name "icmp_out_log_lim" log prefix "icmp_echo_reply_rate_limit" group 1 # handle 173
    counter drop # handle 174
}
# Metered reject: a destination under its 3/second budget gets an ICMP(v6)
# port-unreachable; over budget the packet is rate-limited-logged and
# silently dropped, bounding reject amplification toward any single address.
chain reject_with_icmp_port_unreachable_metered { # handle 19
    add @icmp_egress_meter4 { ip daddr timeout 4s limit rate 3/second } counter reject with icmp port-unreachable # handle 175
    add @icmp_egress_meter6 { ip6 daddr timeout 4s limit rate 3/second } counter reject with icmpv6 port-unreachable # handle 176
    limit name "icmp_out_log_lim" log prefix "reject_with_icmp_port_unreachable_metered" group 1 # handle 177
    counter drop # handle 178
}
# Unmetered reject with the default reject type (port-unreachable for the
# packet's family); every hit is rate-limited-logged first.
chain reject_with_icmp_port_unreachable { # handle 20
    limit name "icmp_out_log_lim" log prefix "reject_with_icmp_port_unreachable" group 1 # handle 179
    counter reject # handle 180
}
# Metered host-unreachable reject, same budget scheme as the port-unreachable
# variant: 3/second per destination address, otherwise log and drop.
chain reject_with_icmp_host_unreachable_metered { # handle 21
    add @icmp_egress_meter4 { ip daddr timeout 4s limit rate 3/second } counter reject with icmpx host-unreachable # handle 181
    add @icmp_egress_meter6 { ip6 daddr timeout 4s limit rate 3/second } counter reject with icmpx host-unreachable # handle 182
    limit name "icmp_out_log_lim" log prefix "reject_with_icmp_host_unreachable_metered" group 1 # handle 183
    counter drop # handle 184
}
# Unmetered host-unreachable reject (icmpx picks the family-appropriate
# message); every hit is rate-limited-logged first.
chain reject_with_icmp_host_unreachable { # handle 22
    limit name "icmp_out_log_lim" log prefix "reject_with_icmp_host_unreachable" group 1 # handle 185
    counter reject with icmpx host-unreachable # handle 186
}
# Metered no-route reject: 3/second per destination address, otherwise
# rate-limited-logged and dropped.
chain reject_with_icmp_no_route_metered { # handle 23
    add @icmp_egress_meter4 { ip daddr timeout 4s limit rate 3/second } counter reject with icmpx no-route # handle 187
    add @icmp_egress_meter6 { ip6 daddr timeout 4s limit rate 3/second } counter reject with icmpx no-route # handle 188
    limit name "icmp_out_log_lim" log prefix "reject_with_icmp_no_route_metered" group 1 # handle 189
    counter drop # handle 190
}
# Unmetered no-route reject; every hit is rate-limited-logged first.
chain reject_with_icmp_no_route { # handle 24
    limit name "icmp_out_log_lim" log prefix "reject_with_icmp_no_route" group 1 # handle 191
    counter reject with icmpx no-route # handle 192
}
# Metered admin-prohibited reject: 3/second per destination address,
# otherwise rate-limited-logged and dropped.
chain reject_with_icmp_admin_prohibited_metered { # handle 25
    add @icmp_egress_meter4 { ip daddr timeout 4s limit rate 3/second } counter reject with icmpx admin-prohibited # handle 193
    add @icmp_egress_meter6 { ip6 daddr timeout 4s limit rate 3/second } counter reject with icmpx admin-prohibited # handle 194
    limit name "icmp_out_log_lim" log prefix "reject_with_icmp_admin_prohibited_metered" group 1 # handle 195
    counter drop # handle 196
}
# Unmetered admin-prohibited reject; every hit is rate-limited-logged first.
chain reject_with_icmp_admin_prohibited { # handle 26
    limit name "icmp_out_log_lim" log prefix "reject_with_icmp_admin_prohibited" group 1 # handle 197
    counter reject with icmpx admin-prohibited # handle 198
}
# Egress RST budget: 3 RSTs/minute per destination address (32s entry
# timeout). Under budget the RST `return`s to tcp_out for normal evaluation;
# over budget it is rate-limited-logged and dropped, which bounds RST storms
# toward any one peer.
chain tcp_rst_metered { # handle 27
    add @tcp_rst_egress_meter4 { ip daddr timeout 32s limit rate 3/minute } counter return # handle 199
    add @tcp_rst_egress_meter6 { ip6 daddr timeout 32s limit rate 3/minute } counter return # handle 199
    limit name "tcp_rst_out_log_lim" log prefix "tcp_rst_metered" group 1 # handle 200
    counter drop # handle 201
}
# Inbound SYN rate limiting, jumped to from tcp_in for `ct state new` SYNs.
# Under budget the packet `return`s to tcp_in; over budget the *source* is
# quarantined for 64s (filter_prerouting drops all its SYNs while the entry
# lives) and the SYN is dropped.
# NOTE(review): the budget is keyed on `ip daddr . tcp dport` — 8 SYN/minute
# per local port, shared by all clients — while the quarantine is keyed on
# the source. Once any port exceeds that rate (a single busy or hostile
# client suffices), every further new client to that port is quarantined for
# 64s regardless of its own rate. If per-client limiting is intended, key
# the meter on `ip saddr` / `ip6 saddr` (optionally `. tcp dport`) instead;
# confirm the intent before changing.
# Synproxy-protected ports are exempt: their SYNs are notrack'd in
# filter_prerouting, so the `ct state new` jump in tcp_in never matches them.
chain tcp_in_syn_rate_limit {
    add @tcp_syn_ingress_meter4 { ip daddr . tcp dport timeout 8s limit rate 8/minute } counter return # handle 199
    add @tcp_syn_ingress_meter6 { ip6 daddr . tcp dport timeout 8s limit rate 8/minute } counter return # handle 199
    # Over budget: record the source for 64s, then drop.
    add @tcp_syn_quarantine_meter4 { ip saddr timeout 64s }
    add @tcp_syn_quarantine_meter6 { ip6 saddr timeout 64s }
    counter drop
}
# Inbound TCP for this host. Order matters:
#   1. established flows pass;
#   2. new SYNs go through the SYN rate limiter;
#   3. untracked SYNs (notrack'd in filter_prerouting) and the invalid
#      handshake ACKs they produce are handed to the per-port synproxy;
#   4. remaining invalid packets are logged (rate-limited) and dropped;
#   5. unicast (saddr . daddr . dport) allow maps per family;
#   6. anything else is logged, then either rejected or dropped per the
#      (saddr . daddr) reject_or_drop maps, defaulting to drop.
chain tcp_in { # handle 28
    meta pkttype host ct state established accept # handle 202
    meta pkttype host tcp flags syn ct state new jump tcp_in_syn_rate_limit
    meta pkttype host ct state invalid,untracked synproxy name tcp dport map @synproxy_in_ports # handle 203
    ct state invalid limit name "tcp_in_log_lim" log prefix "tcp_in_invalid" group 1 # handle 204
    ct state invalid counter drop # handle 205
    meta pkttype host ip saddr . ip daddr . tcp dport vmap @tcp_unicast_in4 # handle 206
    meta pkttype host ip6 saddr . ip6 daddr . tcp dport vmap @tcp_unicast_in6 # handle 207
    limit name "tcp_in_log_lim" log prefix "tcp_in" group 1 # handle 208
    ip saddr . ip daddr vmap @reject_or_drop_port4 # handle 209
    ip6 saddr . ip6 daddr vmap @reject_or_drop_port6 # handle 210
    counter drop # handle 211
}
# Outbound TCP from this host.
chain tcp_out { # handle 29
    # RSTs are budgeted per destination in tcp_rst_metered (returns if under
    # budget, drops otherwise).
    meta pkttype host tcp flags rst jump tcp_rst_metered # handle 212
    # Synproxy's SYN-ACKs are generated outside conntrack and therefore show
    # as `invalid`; they must be let out for the proxied ports to work.
    meta pkttype host ct state invalid tcp sport @synproxy_in_ports accept # handle 213
    meta pkttype host ct state established accept # handle 214
    # Destination allow maps per family, then per-UID and per-network bypasses.
    meta pkttype host ip saddr . ip daddr . tcp dport vmap @tcp_unicast_out4 # handle 215
    meta pkttype host ip6 saddr . ip6 daddr . tcp dport vmap @tcp_unicast_out6 # handle 216
    # Sockets owned by UIDs in these maps are not subject to the port allow
    # lists above — keep the UID set minimal.
    meta pkttype host ip saddr . ip daddr . meta skuid vmap @unrestrict_out_by_user_id4 # handle 217
    meta pkttype host ip6 saddr . ip6 daddr . meta skuid vmap @unrestrict_out_by_user_id6 # handle 218
    meta pkttype host ip saddr . ip daddr vmap @unrestrict_out_by_src_dest_network4 # handle 219
    limit name "tcp_out_log_lim" log prefix "tcp_out" group 1 # handle 220
    counter drop # handle 221
}
# Forwarded TCP (IPv4 only in practice — see the note on ether_forward).
# NOTE(review): the synproxy rule here uses @synproxy_forward_ports, but the
# raw-hook `notrack` in filter_prerouting only covers @synproxy_in_ports. A
# forwarded SYN to a port present only in the forward map reaches this chain
# with ct state `new`, not `untracked`, so it skips synproxy and is decided by
# the allow maps below. Unless the two maps share their ports, add a matching
# `tcp dport @synproxy_forward_ports tcp flags syn notrack` to
# filter_prerouting — confirm which is intended.
chain tcp_forward { # handle 30
    meta pkttype host ct state established accept # handle 222
    meta pkttype host ct state invalid,untracked synproxy name tcp dport map @synproxy_forward_ports # handle 223
    # Whole-network allow maps first, then per-port maps; the rest is
    # rate-limited-logged and dropped.
    meta pkttype host ip saddr . ip daddr vmap @forward_all4 # handle 224
    meta pkttype host ip6 saddr . ip6 daddr vmap @forward_all6 # handle 225
    meta pkttype host ip saddr . ip daddr . tcp dport vmap @tcp_net_forward_by_port4 # handle 226
    meta pkttype host ip6 saddr . ip6 daddr . tcp dport vmap @tcp_net_forward_by_port6 # handle 227
    limit name "tcp_forward_log_lim" log prefix "tcp_forward" group 1 # handle 228
    counter drop # handle 229
}
# Inbound UDP for this host. Established flows pass (no pkttype restriction,
# unlike tcp_in); new traffic is decided by allow maps split by packet type
# (broadcast/unicast/multicast) and family, then logged per type and finally
# rejected or dropped per the (saddr . daddr) reject_or_drop maps.
chain udp_in { # handle 31
    ct state established accept # handle 230
    meta pkttype broadcast ip saddr . ip daddr . udp dport vmap @udp_broadcast_in # handle 231
    meta pkttype host ip saddr . ip daddr . udp dport vmap @udp_unicast_in4 # handle 232
    meta pkttype host ip6 saddr . ip6 daddr . udp dport vmap @udp_unicast_in6 # handle 233
    meta pkttype multicast ip saddr . ip daddr . udp dport vmap @udp_multicast_in4 # handle 234
    meta pkttype multicast ip6 saddr . ip6 daddr . udp dport vmap @udp_multicast_in6 # handle 235
    # One log line per packet type so the nflog prefix tells them apart.
    meta pkttype host limit name "udp_in_log_lim" log prefix "udp_unicast_in" group 1 # handle 236
    meta pkttype broadcast limit name "udp_in_log_lim" log prefix "udp_broadcast_in" group 1 # handle 237
    meta pkttype multicast limit name "udp_in_log_lim" log prefix "udp_multicast_in" group 1 # handle 238
    ip saddr . ip daddr vmap @reject_or_drop_port4 # handle 239
    ip6 saddr . ip6 daddr vmap @reject_or_drop_port6 # handle 240
    counter drop # handle 241
}
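# Outbound UDP from this host. Established flows pass; new traffic is decided
# by allow maps split by packet type and family, plus the per-network bypass
# map; unmatched packets are logged per packet type and dropped.
chain udp_out { # handle 32
    ct state established accept # handle 242
    meta pkttype broadcast ip saddr . ip daddr . udp dport vmap @udp_broadcast_out # handle 243
    meta pkttype multicast ip saddr . ip daddr . udp dport vmap @udp_multicast_out4 # handle 244
    meta pkttype multicast ip6 saddr . ip6 daddr . udp dport vmap @udp_multicast_out6 # handle 245
    meta pkttype host ip saddr . ip daddr . udp dport vmap @udp_unicast_out4 # handle 246
    meta pkttype host ip6 saddr . ip6 daddr . udp dport vmap @udp_unicast_out6 # handle 247
    meta pkttype host ip saddr . ip daddr vmap @unrestrict_out_by_src_dest_network4 # handle 248
    # One log line per packet type, mirroring udp_in. The broadcast and
    # multicast lines previously also carried `meta pkttype host`; a packet
    # cannot have two pkttypes, so those rules never matched and rejected
    # broadcast/multicast UDP was dropped without a log entry. Only the log
    # rules change; accept/drop behaviour is unchanged.
    meta pkttype host limit name "udp_out_log_lim" log prefix "udp_unicast_out" group 1 # handle 249
    meta pkttype broadcast limit name "udp_out_log_lim" log prefix "udp_broadcast_out" group 1 # handle 250
    meta pkttype multicast limit name "udp_out_log_lim" log prefix "udp_multicast_out" group 1 # handle 251
    counter drop # handle 252
}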
# Forwarded UDP (IPv4 only in practice — see the note on ether_forward).
# Whole-network allow maps first, then per-port maps; unmatched packets are
# rate-limited-logged and dropped. Only unicast (pkttype host) is considered.
chain udp_forward { # handle 33
    meta pkttype host ct state established accept # handle 253
    meta pkttype host ip saddr . ip daddr vmap @forward_all4 # handle 254
    meta pkttype host ip6 saddr . ip6 daddr vmap @forward_all6 # handle 255
    meta pkttype host ip saddr . ip daddr . udp dport vmap @udp_net_forward_by_port4 # handle 256
    meta pkttype host ip6 saddr . ip6 daddr . udp dport vmap @udp_net_forward_by_port6 # handle 257
    limit name "udp_forward_log_lim" log prefix "udp_forward" group 1 # handle 258
    counter drop # handle 259
}
# Verdict target (presumably referenced by the @drop_bogons* maps): log with
# its own rate limiter, count, drop.
chain bogon { # handle 34
    limit name "bogon_log_lim" log prefix "bogon" group 1 # handle 260
    counter drop # handle 261
}
# Verdict target for forwarding decisions (map contents not in view): log with
# its own rate limiter, count, drop.
chain wont_forward { # handle 35
    limit name "wont_forward_log_lim" log prefix "wont_forward" group 1 # handle 262
    counter drop # handle 263
}
# Verdict target (presumably referenced by @drop_hosts4): log under the
# "blocked" prefix with its own rate limiter, count, drop.
chain dropped_host { # handle 36
    limit name "dropped_host_log_lim" log prefix "blocked" group 1 # handle 264
    counter drop # handle 265
}
} |
# Squid fragment: intercept plain HTTP and answer every request with a
# redirect to the HTTPS form of the same URL instead of proxying it.
# Per the Squid docs, 0 disables numbered log rotation (logs are still
# reopened on `squid -k rotate`).
logfile_rotate 0
# Matches any plain-HTTP request, whatever the destination.
acl redir proto HTTP
# Serve a 301 to https://<host><path> for requests denied by acl "redir".
# NOTE(review): assumes %H expands to the requested host and %R to the
# request path — confirm against the deny_info format codes of the Squid
# version in use.
deny_info 301:https://%H%R redir
http_access deny redir
# Transparent interception on 3128; traffic has to be steered here by the
# host's NAT rules (the port map doing so is not in view on this page).
http_port 3128 intercept
# Kernel settings backing the nftables ruleset on this page.
# 0: conntrack does not pick up TCP flows mid-stream. A segment seen without
# its SYN is `invalid` rather than `established`, which the ruleset logs and
# drops (tcp_in); after a conntrack flush or reboot, existing sessions must
# re-handshake. This also stops unsolicited non-SYN segments from creating
# state.
net.netfilter.nf_conntrack_tcp_loose = 0
# Both required by nf_synproxy, which the ruleset uses for the ports in its
# synproxy maps: the proxy encodes handshake state in SYN cookies and relies
# on the TCP timestamp option being negotiable.
net.ipv4.tcp_syncookies = 1
net.ipv4.tcp_timestamps = 1