Last active
December 31, 2023 18:51
-
-
Save paigeadelethompson/f6cfb9b46d41081657cf1622abd323f8 to your computer and use it in GitHub Desktop.
99 handles and iptables aint one
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| nft flush ruleset | |
| nft add table inet filter | |
| nft add set inet filter icmp_egress_meter4 '{ type ipv4_addr; size 8; flags timeout, dynamic; }' | |
| nft add set inet filter icmp_egress_meter6 '{ type ipv6_addr; size 8; flags timeout, dynamic; }' | |
| nft add map inet filter drop_bogons4 '{ type ipv4_addr : verdict; flags interval; }' | |
| nft add element inet filter drop_bogons4 '{ 224.0.0.0/4 : continue }' | |
| nft add element inet filter drop_bogons4 '{ 192.168.0.0/16 : continue }' | |
| nft add element inet filter drop_bogons4 '{ 10.0.0.0/8 : continue }' | |
| nft add element inet filter drop_bogons4 '{ 172.16.0.0/12 : continue }' | |
| nft add element inet filter drop_bogons4 '{ 169.254.0.0/16 : continue }' | |
| nft add element inet filter drop_bogons4 '{ 100.64.0.0/10 : continue }' | |
| nft add element inet filter drop_bogons4 '{ 0.0.0.0/8 : drop }' | |
| nft add element inet filter drop_bogons4 '{ 127.0.0.0/8 : drop }' | |
| nft add element inet filter drop_bogons4 '{ 192.0.0.0/24 : drop }' | |
| nft add element inet filter drop_bogons4 '{ 192.0.2.0/24 : drop }' | |
| nft add element inet filter drop_bogons4 '{ 198.18.0.0/15 : drop }' | |
| nft add element inet filter drop_bogons4 '{ 198.51.100.0/24 : drop }' | |
| nft add element inet filter drop_bogons4 '{ 203.0.113.0/24 : drop }' | |
| nft add element inet filter drop_bogons4 '{ 240.0.0.0/4 : drop }' | |
| nft add map inet filter drop_bogons6 '{ type ipv6_addr : verdict; flags interval; }' | |
| nft add element inet filter drop_bogons6 '{ fe80::/10 : continue }' | |
| nft add element inet filter drop_bogons6 '{ fc00::/7 : continue }' | |
| nft add element inet filter drop_bogons6 '{ ff00::/8 : continue }' | |
| nft add element inet filter drop_bogons6 '{ ::ffff:0:0/96 : drop }' | |
| nft add element inet filter drop_bogons6 '{ ::/96 : drop }' | |
| nft add element inet filter drop_bogons6 '{ 100::/64 : drop }' | |
| nft add element inet filter drop_bogons6 '{ 2001:10::/28 : drop }' | |
| nft add element inet filter drop_bogons6 '{ 2001:db8::/32 : drop }' | |
| nft add element inet filter drop_bogons6 '{ fec0::/10 : drop }' | |
| nft add element inet filter drop_bogons6 '{ 2002::/24 : drop }' | |
| nft add element inet filter drop_bogons6 '{ 2002:a00::/24 : drop }' | |
| nft add element inet filter drop_bogons6 '{ 2002:7f00::/24 : drop }' | |
| nft add element inet filter drop_bogons6 '{ 2002:a9fe::/32 : drop }' | |
| nft add element inet filter drop_bogons6 '{ 2002:ac10::/28 : drop }' | |
| nft add element inet filter drop_bogons6 '{ 2002:c000::/40 : drop }' | |
| nft add element inet filter drop_bogons6 '{ 2002:c000:200::/40 : drop }' | |
| nft add element inet filter drop_bogons6 '{ 2002:c0a8::/32 : drop }' | |
| nft add element inet filter drop_bogons6 '{ 2002:c612::/31 : drop }' | |
| nft add element inet filter drop_bogons6 '{ 2002:c633:6400::/40 : drop }' | |
| nft add element inet filter drop_bogons6 '{ 2002:cb00:7100::/40 : drop }' | |
| nft add element inet filter drop_bogons6 '{ 2002:e000::/20 : drop }' | |
| nft add element inet filter drop_bogons6 '{ 2002:f000::/20 : drop }' | |
| nft add element inet filter drop_bogons6 '{ 2001::/40 : drop }' | |
| nft add element inet filter drop_bogons6 '{ 2001:0:a00::/40 : drop }' | |
| nft add element inet filter drop_bogons6 '{ 2001:0:7f00::/40 : drop }' | |
| nft add element inet filter drop_bogons6 '{ 2001:0:a9fe::/48 : drop }' | |
| nft add element inet filter drop_bogons6 '{ 2001:0:ac10::/44 : drop }' | |
| nft add element inet filter drop_bogons6 '{ 2001:0:c000::/56 : drop }' | |
| nft add element inet filter drop_bogons6 '{ 2001:0:c000:200::/56 : drop }' | |
| nft add element inet filter drop_bogons6 '{ 2001:0:c0a8::/48 : drop }' | |
| nft add element inet filter drop_bogons6 '{ 2001:0:c612::/47 : drop }' | |
| nft add element inet filter drop_bogons6 '{ 2001:0:c633:6400::/56 : drop }' | |
| nft add element inet filter drop_bogons6 '{ 2001:0:cb00:7100::/56 : drop }' | |
| nft add element inet filter drop_bogons6 '{ 2001:0:e000::/36 : drop }' | |
| nft add element inet filter drop_bogons6 '{ 2001:0:f000::/36 : drop }' | |
| nft add chain inet filter reject_with_icmp_port_unreachable_metered | |
| nft add rule inet filter reject_with_icmp_port_unreachable_metered add @icmp_egress_meter4 '{ ip daddr timeout 4s limit rate 3/second }' counter reject with icmpx type port-unreachable | |
| nft add rule inet filter reject_with_icmp_port_unreachable_metered add @icmp_egress_meter6 '{ ip6 daddr timeout 4s limit rate 3/second }' counter reject with icmpx type port-unreachable | |
| nft add rule inet filter reject_with_icmp_port_unreachable_metered counter drop | |
| nft add chain inet filter reject_with_icmp_port_unreachable | |
| nft add rule inet filter reject_with_icmp_port_unreachable reject with icmpx type port-unreachable | |
| nft add map inet filter reject_or_drop_port4 '{ typeof ip saddr . ip daddr : verdict; flags interval; }' | |
| nft add element inet filter reject_or_drop_port4 '{ 10.0.0.0/8 . 10.0.0.0/8 : jump reject_with_icmp_port_unreachable }' | |
| nft add element inet filter reject_or_drop_port4 '{ 172.16.0.0/12 . 172.16.0.0/12 : jump reject_with_icmp_port_unreachable }' | |
| nft add element inet filter reject_or_drop_port4 '{ 192.168.0.0/16 . 192.168.0.0/16 : jump reject_with_icmp_port_unreachable }' | |
| nft add element inet filter reject_or_drop_port4 '{ 169.254.0.0/16 . 169.254.0.0/16 : jump reject_with_icmp_port_unreachable }' | |
| nft add element inet filter reject_or_drop_port4 '{ 0.0.0.0/0 . 0.0.0.0/0 : jump reject_with_icmp_port_unreachable_metered }' | |
| nft add map inet filter reject_or_drop_port6 '{ typeof ip6 saddr . ip6 daddr : verdict; flags interval; }' | |
| nft add element inet filter reject_or_drop_port6 '{ fe80::/10 . fe80::/10 : jump reject_with_icmp_port_unreachable }' | |
| nft add element inet filter reject_or_drop_port6 '{ fc00::/7 . fc00::/7 : jump reject_with_icmp_port_unreachable }' | |
| nft add element inet filter reject_or_drop_port6 '{ ::/0 . ::/0 : jump reject_with_icmp_port_unreachable_metered }' | |
| nft add map inet filter icmp_types_in4 '{ typeof ip saddr . ip daddr . icmp type : verdict; flags interval; }' | |
| nft add element inet filter icmp_types_in4 '{ 0.0.0.0/0 . 0.0.0.0/0 . echo-request : accept }' | |
| nft add element inet filter icmp_types_in4 '{ 0.0.0.0/0 . 0.0.0.0/0 . echo-reply : accept }' | |
| nft add element inet filter icmp_types_in4 '{ 0.0.0.0/0 . 0.0.0.0/0 . destination-unreachable : accept }' | |
| nft add map inet filter icmp_types_in6 '{ typeof ip6 saddr . ip6 daddr . icmpv6 type : verdict; flags interval; }' | |
| nft add element inet filter icmp_types_in6 '{ fe80::/10 . fe80::/10 . echo-request : accept }' | |
| nft add element inet filter icmp_types_in6 '{ fe80::/10 . ff00::/8 . echo-request : accept }' | |
| nft add element inet filter icmp_types_in6 '{ fc00::/7 . fc00::/7 . echo-request : accept }' | |
| nft add element inet filter icmp_types_in6 '{ fe80::/10 . fe80::/10 . echo-reply : accept }' | |
| nft add element inet filter icmp_types_in6 '{ fe80::/10 . ff00::/8 . echo-reply : accept }' | |
| nft add element inet filter icmp_types_in6 '{ fc00::/7 . fc00::/7 . echo-reply : accept }' | |
| nft add element inet filter icmp_types_in6 '{ fe80::/10 . fe80::/10 . nd-neighbor-solicit : accept }' | |
| nft add element inet filter icmp_types_in6 '{ fc00::/7 . ff00::/8 . nd-neighbor-solicit : accept }' | |
| nft add element inet filter icmp_types_in6 '{ fc00::/7 . fc00::/7 . nd-neighbor-solicit : accept }' | |
| nft add element inet filter icmp_types_in6 '{ fc00::/7 . fc00::/7 . nd-neighbor-advert : accept }' | |
| nft add element inet filter icmp_types_in6 '{ fe80::/10 . fe80::/10 . nd-neighbor-advert : accept }' | |
| nft add element inet filter icmp_types_in6 '{ fe80::/10 . ff00::/8 . nd-router-advert : accept }' | |
| nft add element inet filter icmp_types_in6 '{ fe80::/10 . fe80::/10 . nd-router-advert : accept }' | |
| nft add chain inet filter icmp_in | |
| nft add rule inet filter icmp_in ip saddr . ip daddr . icmp type vmap @icmp_types_in4 counter | |
| nft add rule inet filter icmp_in ip6 saddr . ip6 daddr . icmpv6 type vmap @icmp_types_in6 counter | |
| nft add rule inet filter icmp_in log prefix "icmp_in" group 1 | |
| nft add rule inet filter icmp_in counter drop | |
| nft add map inet filter tcp_ports_in4 '{ typeof ip saddr . ip daddr . tcp dport : verdict; flags interval; }' | |
| nft add element inet filter tcp_ports_in4 '{ 0.0.0.0/0 . 0.0.0.0/0 . 22 : accept }' | |
| nft add map inet filter tcp_ports_in6 '{ typeof ip6 saddr . ip6 daddr . tcp dport : verdict; flags interval; }' | |
| nft add element inet filter tcp_ports_in6 '{ ::/0 . ::/0 . 22 : accept }' | |
| nft add chain inet filter tcp_in | |
| nft add rule inet filter tcp_in ct state established counter accept | |
| nft add rule inet filter tcp_in ip saddr . ip daddr . tcp dport vmap @tcp_ports_in4 counter | |
| nft add rule inet filter tcp_in ip6 saddr . ip6 daddr . tcp dport vmap @tcp_ports_in6 counter | |
| nft add rule inet filter tcp_in log prefix "tcp_in" group 1 | |
| nft add rule inet filter tcp_in ip saddr . ip daddr vmap @reject_or_drop_port4 | |
| nft add rule inet filter tcp_in ip6 saddr . ip6 daddr vmap @reject_or_drop_port6 | |
| nft add map inet filter udp_ports_in4 '{ typeof ip saddr . ip daddr . udp dport : verdict; flags interval; }' | |
| nft add element inet filter udp_ports_in4 '{ 169.254.0.0/16 . 169.254.0.0/16 . 68 : accept }' | |
| nft add element inet filter udp_ports_in4 '{ 10.0.0.0/8 . 10.0.0.0/8 . 68 : accept }' | |
| nft add element inet filter udp_ports_in4 '{ 172.16.0.0/12 . 172.16.0.0/12 . 68 : accept }' | |
| nft add element inet filter udp_ports_in4 '{ 192.168.0.0/12 . 192.168.0.0/16 . 68 : accept }' | |
| nft add element inet filter udp_ports_in4 '{ 10.0.0.0/8 . 10.0.0.0/8 . 137 : accept }' | |
| nft add element inet filter udp_ports_in4 '{ 172.16.0.0/12 . 172.16.0.0/12 . 137 : accept }' | |
| nft add element inet filter udp_ports_in4 '{ 192.168.0.0/12 . 192.168.0.0/16 . 137 : accept }' | |
| nft add element inet filter udp_ports_in4 '{ 10.0.0.0/8 . 10.0.0.0/8 . 5353 : accept }' | |
| nft add element inet filter udp_ports_in4 '{ 172.16.0.0/12 . 172.16.0.0/12 . 5353 : accept }' | |
| nft add element inet filter udp_ports_in4 '{ 192.168.0.0/12 . 192.168.0.0/16 . 5353 : accept }' | |
| nft add element inet filter udp_ports_in4 '{ 10.0.0.0/8 . 224.0.0.0/4 . 5353 : accept }' | |
| nft add element inet filter udp_ports_in4 '{ 172.16.0.0/12 . 224.0.0.0/4 . 5353 : accept }' | |
| nft add element inet filter udp_ports_in4 '{ 192.168.0.0/12 . 224.0.0.0/4 . 5353 : accept }' | |
| nft add map inet filter udp_ports_in6 '{ typeof ip6 saddr . ip6 daddr . udp dport : verdict; flags interval; }' | |
| nft add element inet filter udp_ports_in6 '{ fe80::/10 . ff00::/8 . 546 : accept }' | |
| nft add element inet filter udp_ports_in6 '{ fe80::/10 . ff00::/8 . 5353 : accept }' | |
| nft add element inet filter udp_ports_in6 '{ fc00::/7 . ff00::/8 . 5353 : accept }' | |
| nft add chain inet filter udp_in | |
| nft add rule inet filter udp_in ct state established counter accept | |
| nft add rule inet filter udp_in ip saddr . ip daddr . udp dport vmap @udp_ports_in4 counter | |
| nft add rule inet filter udp_in ip6 saddr . ip6 daddr . udp dport vmap @udp_ports_in6 counter | |
| nft add rule inet filter udp_in log prefix "udp_in" group 1 | |
| nft add rule inet filter udp_in ip saddr . ip daddr vmap @reject_or_drop_port4 | |
| nft add rule inet filter udp_in ip6 saddr . ip6 daddr vmap @reject_or_drop_port6 | |
| nft add chain inet filter ether_in | |
| nft add rule inet filter ether_in ip protocol vmap '{ tcp : jump tcp_in, udp : jump udp_in , icmp : jump icmp_in }' counter | |
| nft add rule inet filter ether_in ip6 nexthdr vmap '{ tcp : jump tcp_in, udp : jump udp_in , icmpv6 : jump icmp_in, ipv6-icmp: jump icmp_in }' counter | |
| nft add rule inet filter ether_in log prefix "ether_in" group 1 | |
| nft add rule inet filter ether_in counter drop | |
| nft add chain inet filter input '{ type filter hook input priority filter; policy accept; }' | |
| nft add rule inet filter input meta iiftype vmap '{ loopback: accept }' | |
| nft add rule inet filter input ip saddr vmap @drop_bogons4 counter | |
| nft add rule inet filter input ip6 saddr vmap @drop_bogons6 counter | |
| nft add rule inet filter input meta iiftype vmap '{ ether: jump ether_in }' | |
| nft add rule inet filter input log prefix "input" group 1 | |
| nft add rule inet filter input counter | |
| nft add chain inet filter input '{ policy drop; }' | |
| nft add chain inet filter icmp_echo_reply_rate_limit | |
| nft add rule inet filter icmp_echo_reply_rate_limit add @icmp_egress_meter4 '{ ip saddr timeout 4s limit rate 3/second }' counter accept | |
| nft add rule inet filter icmp_echo_reply_rate_limit add @icmp_egress_meter6 '{ ip6 saddr timeout 4s limit rate 3/second }' counter accept | |
| nft add rule inet filter icmp_echo_reply_rate_limit log group 1 | |
| nft add rule inet filter icmp_echo_reply_rate_limit counter drop | |
| nft add map inet filter icmp_types_out4 '{ typeof ip saddr . ip daddr . icmp type : verdict; flags interval; }' | |
| nft add element inet filter icmp_types_out4 '{ 10.0.0.0/8 . 0.0.0.0/0 . echo-request : accept }' | |
| nft add element inet filter icmp_types_out4 '{ 172.16.0.0/12 . 0.0.0.0/0 . echo-request : accept }' | |
| nft add element inet filter icmp_types_out4 '{ 192.168.0.0/16 . 0.0.0.0/0 . echo-request : accept }' | |
| nft add element inet filter icmp_types_out4 '{ 10.0.0.0/8 . 10.0.0.0/8 . echo-reply : accept }' | |
| nft add element inet filter icmp_types_out4 '{ 172.16.0.0/12 . 172.16.0.0/12 . echo-reply : accept }' | |
| nft add element inet filter icmp_types_out4 '{ 192.168.0.0/16 . 192.168.0.0/16 . echo-reply : accept }' | |
| nft add element inet filter icmp_types_out4 '{ 10.0.0.0/8 . 10.0.0.0/8 . destination-unreachable : accept }' | |
| nft add element inet filter icmp_types_out4 '{ 172.16.0.0/12 . 172.16.0.0/12 . destination-unreachable : accept }' | |
| nft add element inet filter icmp_types_out4 '{ 192.168.0.0/16 . 192.168.0.0/16 . destination-unreachable : accept }' | |
| nft add element inet filter icmp_types_out4 '{ 10.0.0.0/8 . 0.0.0.0/0 . echo-reply : jump icmp_echo_reply_rate_limit }' | |
| nft add map inet filter icmp_types_out6 '{ typeof ip6 saddr . ip6 daddr . icmpv6 type : verdict; flags interval; }' | |
| nft add element inet filter icmp_types_out6 '{ fe80::/10 . ff00::/8 . echo-request : accept }' | |
| nft add element inet filter icmp_types_out6 '{ fc00::/7 . fc00::/7 . echo-reply : accept }' | |
| nft add element inet filter icmp_types_out6 '{ 2000::/3 . ::/0 . echo-reply : jump icmp_echo_reply_rate_limit }' | |
| nft add element inet filter icmp_types_out6 '{ fc00::/7 . fc00::/7 . nd-neighbor-advert : accept }' | |
| nft add element inet filter icmp_types_out6 '{ fe80::/10 . fe80::/10 . nd-neighbor-advert : accept }' | |
| nft add element inet filter icmp_types_out6 '{ fc00::/7 . ff00::/8 . nd-neighbor-solicit : accept }' | |
| nft add element inet filter icmp_types_out6 '{ fe80::/10 . fc00::/7 . nd-neighbor-solicit : accept }' | |
| nft add element inet filter icmp_types_out6 '{ fe80::/10 . fe80::/10 . nd-neighbor-solicit : accept }' | |
| nft add element inet filter icmp_types_out6 '{ fe80::/10 . ff00::/8 . nd-router-solicit : accept }' | |
| nft add chain inet filter icmp_out | |
| nft add rule inet filter icmp_out ip saddr . ip daddr . icmp type vmap @icmp_types_out4 counter | |
| nft add rule inet filter icmp_out ip6 saddr . ip6 daddr . icmpv6 type vmap @icmp_types_out6 counter | |
| nft add rule inet filter icmp_out log prefix "icmp_out" group 1 | |
| nft add rule inet filter icmp_out counter drop | |
| nft add map inet filter tcp_ports_out4 '{ typeof ip saddr . ip daddr . tcp dport : verdict; flags interval; }' | |
| nft add element inet filter tcp_ports_out4 '{ 10.0.0.0/8 . 10.0.0.0/8 . 21 : accept }' | |
| nft add element inet filter tcp_ports_out4 '{ 172.16.0.0/12 . 172.16.0.0/12 . 21 : accept }' | |
| nft add element inet filter tcp_ports_out4 '{ 192.168.0.0/16 . 192.168.0.0/16 . 21 : accept }' | |
| nft add element inet filter tcp_ports_out4 '{ 10.0.0.0/8 . 10.0.0.0/8 . 23 : accept }' | |
| nft add element inet filter tcp_ports_out4 '{ 172.16.0.0/12 . 172.16.0.0/12 . 23 : accept }' | |
| nft add element inet filter tcp_ports_out4 '{ 192.168.0.0/16 . 192.168.0.0/16 . 23 : accept }' | |
| nft add element inet filter tcp_ports_out4 '{ 10.0.0.0/8 . 10.0.0.0/8 . 25 : accept }' | |
| nft add element inet filter tcp_ports_out4 '{ 172.16.0.0/12 . 172.16.0.0/12 . 25 : accept }' | |
| nft add element inet filter tcp_ports_out4 '{ 192.168.0.0/16 . 192.168.0.0/16 . 25 : accept }' | |
| nft add element inet filter tcp_ports_out4 '{ 10.0.0.0/8 . 10.0.0.0/8 . 53 : accept }' | |
| nft add element inet filter tcp_ports_out4 '{ 172.16.0.0/12 . 172.16.0.0/12 . 53 : accept }' | |
| nft add element inet filter tcp_ports_out4 '{ 192.168.0.0/16 . 192.168.0.0/16 . 53 : accept }' | |
| nft add element inet filter tcp_ports_out4 '{ 10.0.0.0/8 . 10.0.0.0/8 . 80 : accept }' | |
| nft add element inet filter tcp_ports_out4 '{ 172.16.0.0/12 . 172.16.0.0/12 . 80 : accept }' | |
| nft add element inet filter tcp_ports_out4 '{ 192.168.0.0/16 . 192.168.0.0/16 . 80 : accept }' | |
| nft add element inet filter tcp_ports_out4 '{ 10.0.0.0/8 . 0.0.0.0/0 . 22 : accept }' | |
| nft add element inet filter tcp_ports_out4 '{ 172.16.0.0/12 . 0.0.0.0/0 . 22 : accept }' | |
| nft add element inet filter tcp_ports_out4 '{ 192.168.0.0/16 . 0.0.0.0/0 . 22 : accept }' | |
| nft add element inet filter tcp_ports_out4 '{ 10.0.0.0/8 . 0.0.0.0/0 . 443 : accept }' | |
| nft add element inet filter tcp_ports_out4 '{ 172.16.0.0/12 . 0.0.0.0/0 . 443 : accept }' | |
| nft add element inet filter tcp_ports_out4 '{ 192.168.0.0/16 . 0.0.0.0/0 . 443 : accept }' | |
| nft add element inet filter tcp_ports_out4 '{ 10.0.0.0/8 . 0.0.0.0/0 . 853 : accept }' | |
| nft add element inet filter tcp_ports_out4 '{ 172.16.0.0/12 . 0.0.0.0/0 . 853 : accept }' | |
| nft add element inet filter tcp_ports_out4 '{ 192.168.0.0/16 . 0.0.0.0/0 . 853 : accept }' | |
| nft add element inet filter tcp_ports_out4 '{ 10.0.0.0/8 . 0.0.0.0/0 . 4460 : accept }' | |
| nft add element inet filter tcp_ports_out4 '{ 172.16.0.0/12 . 0.0.0.0/0 . 4460 : accept }' | |
| nft add element inet filter tcp_ports_out4 '{ 192.168.0.0/16 . 0.0.0.0/0 . 4460 : accept }' | |
| nft add element inet filter tcp_ports_out4 '{ 10.0.0.0/8 . 0.0.0.0/0 . 5349 : accept }' | |
| nft add element inet filter tcp_ports_out4 '{ 172.16.0.0/12 . 0.0.0.0/0 . 5349 : accept }' | |
| nft add element inet filter tcp_ports_out4 '{ 192.168.0.0/16 . 0.0.0.0/0 . 5349 : accept }' | |
| nft add map inet filter tcp_ports_out6 '{ typeof ip6 saddr . ip6 daddr . tcp dport : verdict; flags interval; }' | |
| nft add chain inet filter tcp_out | |
| nft add rule inet filter tcp_out ct state established counter accept | |
| nft add rule inet filter tcp_out ip saddr . ip daddr . tcp dport vmap @tcp_ports_out4 counter | |
| nft add rule inet filter tcp_out ip6 saddr . ip6 daddr . tcp dport vmap @tcp_ports_out6 counter | |
| nft add rule inet filter tcp_out log prefix "tcp_out" group 1 | |
| nft add rule inet filter tcp_out counter drop | |
| nft add map inet filter udp_ports_out4 '{ typeof ip saddr . ip daddr . udp dport : verdict; flags interval; }' | |
| nft add element inet filter udp_ports_out4 '{ 10.0.0.0/8 . 10.0.0.0/8 . 67 : accept }' | |
| nft add element inet filter udp_ports_out4 '{ 172.16.0.0/12 . 172.16.0.0/12 . 67 : accept }' | |
| nft add element inet filter udp_ports_out4 '{ 192.168.0.0/16 . 192.168.0.0/16 . 67 : accept }' | |
| nft add element inet filter udp_ports_out4 '{ 169.254.0.0/16 . 169.254.0.0/16 . 67 : accept }' | |
| nft add element inet filter udp_ports_out4 '{ 10.0.0.0/8 . 10.0.0.0/8 . 53 : accept }' | |
| nft add element inet filter udp_ports_out4 '{ 172.16.0.0/12 . 172.16.0.0/12 . 53 : accept }' | |
| nft add element inet filter udp_ports_out4 '{ 192.168.0.0/16 . 192.168.0.0/16 . 53 : accept }' | |
| nft add element inet filter udp_ports_out4 '{ 10.0.0.0/8 . 10.0.0.0/8 . 137 : accept }' | |
| nft add element inet filter udp_ports_out4 '{ 172.16.0.0/12 . 172.16.0.0/12 . 137 : accept }' | |
| nft add element inet filter udp_ports_out4 '{ 192.168.0.0/16 . 192.168.0.0/16 . 137 : accept }' | |
| nft add element inet filter udp_ports_out4 '{ 10.0.0.0/8 . 224.0.0.0/4 . 5353 : accept }' | |
| nft add element inet filter udp_ports_out4 '{ 172.16.0.0/12 . 224.0.0.0/4 . 5353 : accept }' | |
| nft add element inet filter udp_ports_out4 '{ 192.168.0.0/16 . 224.0.0.0/4 . 5353 : accept }' | |
| nft add element inet filter udp_ports_out4 '{ 169.254.0.0/16 . 224.0.0.0/4 . 5353 : accept }' | |
| nft add element inet filter udp_ports_out4 '{ 10.0.0.0/8 . 0.0.0.0/0 . 443 : accept }' | |
| nft add element inet filter udp_ports_out4 '{ 172.16.0.0/12 . 0.0.0.0/0 . 443 : accept }' | |
| nft add element inet filter udp_ports_out4 '{ 192.168.0.0/16 . 0.0.0.0/0 . 443 : accept }' | |
| nft add element inet filter udp_ports_out4 '{ 10.0.0.0/8 . 0.0.0.0/0 . 1194 : accept }' | |
| nft add element inet filter udp_ports_out4 '{ 172.16.0.0/12 . 0.0.0.0/0 . 1194 : accept }' | |
| nft add element inet filter udp_ports_out4 '{ 192.168.0.0/16 . 0.0.0.0/0 . 1194 : accept }' | |
| nft add map inet filter udp_ports_out6 '{ typeof ip6 saddr . ip6 daddr . udp dport : verdict; flags interval; }' | |
| nft add element inet filter udp_ports_out6 '{ fe80::/10 . ff00::/8 . 547 : accept }' | |
| nft add element inet filter udp_ports_out6 '{ 2000::/3 . ::/0 . 443 : accept }' | |
| nft add element inet filter udp_ports_out6 '{ fc00::/7 . ff00::/8 . 5353 : accept }' | |
| nft add chain inet filter udp_out | |
| nft add rule inet filter udp_out ct state established counter accept | |
| nft add rule inet filter udp_out ip saddr . ip daddr . udp dport vmap @udp_ports_out4 counter | |
| nft add rule inet filter udp_out ip6 saddr . ip6 daddr . udp dport vmap @udp_ports_out6 counter | |
| nft add rule inet filter udp_out log prefix "udp_out" group 1 | |
| nft add rule inet filter udp_out counter drop | |
| nft add chain inet filter ether_out | |
| nft add rule inet filter ether_out ip protocol vmap { tcp : jump tcp_out, udp : jump udp_out, icmp : jump icmp_out } | |
| nft add rule inet filter ether_out ip6 nexthdr vmap { tcp : jump tcp_out, udp : jump udp_out, icmpv6 : jump icmp_out, ipv6-icmp: jump icmp_out } | |
| nft add rule inet filter ether_out log prefix "ether_out" group 1 | |
| nft add rule inet filter ether_out counter drop | |
| nft add chain inet filter output '{ type filter hook output priority filter; policy accept; }' | |
| nft add rule inet filter output meta oiftype vmap '{ loopback: accept }' | |
| nft add rule inet filter output ip daddr vmap @drop_bogons4 counter | |
| nft add rule inet filter output ip6 daddr vmap @drop_bogons6 counter | |
| nft add rule inet filter output meta oiftype vmap '{ ether: jump ether_out }' | |
| nft add rule inet filter output log prefix "output" group 1 | |
| nft add rule inet filter output counter | |
| nft add chain inet filter output '{ policy drop; }' | |
| nft add map inet filter docker_forward_map4 '{ typeof ip saddr . ip daddr . ct state : verdict; flags interval; }' | |
| nft add element inet filter docker_forward_map4 '{ 100.64.0.0/20 . 0.0.0.0/0 . new : drop }' | |
| nft add element inet filter docker_forward_map4 '{ 100.64.16.0/20 . 100.64.32.0/20 . new : accept }' | |
| nft add element inet filter docker_forward_map4 '{ 100.64.32.0/20 . 100.64.16.0/20 . established : accept }' | |
| nft add element inet filter docker_forward_map4 '{ 100.64.48.0/20 . 100.64.0.0/17 . new : drop }' | |
| nft add element inet filter docker_forward_map4 '{ 100.64.48.0/20 . 0.0.0.0/0 . new : accept }' | |
| nft add element inet filter docker_forward_map4 '{ 100.64.48.0/20 . 0.0.0.0/0 . established : accept }' | |
| nft add element inet filter docker_forward_map4 '{ 100.64.64.0/20 . 100.64.64.0/20 . new : accept }' | |
| nft add chain inet filter ether_forward | |
| nft add rule inet filter ether_forward ip saddr . ip daddr . ct state vmap @docker_forward_map4 | |
| nft add rule inet filter ether_out log prefix "ether_forward" group 1 | |
| nft add rule inet filter ether_out counter drop | |
| nft add chain inet filter forward '{ type filter hook forward priority filter; policy accept; }' | |
| nft add rule inet filter forward ip saddr vmap @drop_bogons4 counter | |
| nft add rule inet filter forward ip6 saddr vmap @drop_bogons6 counter | |
| nft add rule inet filter output meta oiftype vmap '{ ether: jump ether_forward }' | |
| nft add rule inet filter forward log prefix "forward" group 1 | |
| nft add rule inet filter forward counter | |
| nft add chain inet filter forward '{ policy drop; }' |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| table inet filter { # handle 123 | |
| set icmp_egress_meter4 { # handle 1 | |
| type ipv4_addr | |
| size 8 | |
| flags dynamic,timeout | |
| } | |
| set icmp_egress_meter6 { # handle 2 | |
| type ipv6_addr | |
| size 8 | |
| flags dynamic,timeout | |
| } | |
| map drop_bogons4 { # handle 3 | |
| type ipv4_addr : verdict | |
| flags interval | |
| elements = { 0.0.0.0/8 : drop, 10.0.0.0/8 : continue, | |
| 100.64.0.0/10 : continue, 127.0.0.0/8 : drop, | |
| 169.254.0.0/16 : continue, 172.16.0.0/12 : continue, | |
| 192.0.0.0/24 : drop, 192.0.2.0/24 : drop, | |
| 192.168.0.0/16 : continue, 198.18.0.0/15 : drop, | |
| 198.51.100.0/24 : drop, 203.0.113.0/24 : drop, | |
| 224.0.0.0/4 : continue, 240.0.0.0/4 : drop } | |
| } | |
| map drop_bogons6 { # handle 4 | |
| type ipv6_addr : verdict | |
| flags interval | |
| elements = { ::/96 : drop, | |
| ::ffff:0.0.0.0/96 : drop, | |
| 100::/64 : drop, | |
| 2001::/40 : drop, | |
| 2001:0:a00::/40 : drop, | |
| 2001:0:7f00::/40 : drop, | |
| 2001:0:a9fe::/48 : drop, | |
| 2001:0:ac10::/44 : drop, | |
| 2001:0:c000::/56 : drop, | |
| 2001:0:c000:200::/56 : drop, | |
| 2001:0:c0a8::/48 : drop, | |
| 2001:0:c612::/47 : drop, | |
| 2001:0:c633:6400::/56 : drop, | |
| 2001:0:cb00:7100::/56 : drop, | |
| 2001:0:e000::/36 : drop, | |
| 2001:0:f000::/36 : drop, | |
| 2001:10::/28 : drop, | |
| 2001:db8::/32 : drop, | |
| 2002::/24 : drop, | |
| 2002:a00::/24 : drop, | |
| 2002:7f00::/24 : drop, | |
| 2002:a9fe::/32 : drop, | |
| 2002:ac10::/28 : drop, | |
| 2002:c000::/40 : drop, | |
| 2002:c000:200::/40 : drop, | |
| 2002:c0a8::/32 : drop, | |
| 2002:c612::/31 : drop, | |
| 2002:c633:6400::/40 : drop, | |
| 2002:cb00:7100::/40 : drop, | |
| 2002:e000::/20 : drop, | |
| 2002:f000::/20 : drop, | |
| fc00::/7 : continue, | |
| fe80::/10 : continue, | |
| fec0::/10 : drop, | |
| ff00::/8 : continue } | |
| } | |
| map reject_or_drop_port4 { # handle 11 | |
| typeof ip saddr . ip daddr : verdict | |
| flags interval | |
| elements = { 10.0.0.0/8 . 10.0.0.0/8 : jump reject_with_icmp_port_unreachable, | |
| 172.16.0.0/12 . 172.16.0.0/12 : jump reject_with_icmp_port_unreachable, | |
| 192.168.0.0/16 . 192.168.0.0/16 : jump reject_with_icmp_port_unreachable, | |
| 169.254.0.0/16 . 169.254.0.0/16 : jump reject_with_icmp_port_unreachable, | |
| 0.0.0.0/0 . 0.0.0.0/0 : jump reject_with_icmp_port_unreachable_metered } | |
| } | |
| map reject_or_drop_port6 { # handle 12 | |
| typeof ip6 saddr . ip6 daddr : verdict | |
| flags interval | |
| elements = { fe80::/10 . fe80::/10 : jump reject_with_icmp_port_unreachable, | |
| fc00::/7 . fc00::/7 : jump reject_with_icmp_port_unreachable, | |
| ::/0 . ::/0 : jump reject_with_icmp_port_unreachable_metered } | |
| } | |
| map icmp_types_in4 { # handle 13 | |
| typeof ip saddr . ip daddr . icmp type : verdict | |
| flags interval | |
| elements = { 0.0.0.0/0 . 0.0.0.0/0 . echo-request : accept, | |
| 0.0.0.0/0 . 0.0.0.0/0 . echo-reply : accept, | |
| 0.0.0.0/0 . 0.0.0.0/0 . destination-unreachable : accept } | |
| } | |
| map icmp_types_in6 { # handle 14 | |
| typeof ip6 saddr . ip6 daddr . icmpv6 type : verdict | |
| flags interval | |
| elements = { fe80::/10 . fe80::/10 . echo-request : accept, | |
| fe80::/10 . ff00::/8 . echo-request : accept, | |
| fc00::/7 . fc00::/7 . echo-request : accept, | |
| fe80::/10 . fe80::/10 . echo-reply : accept, | |
| fe80::/10 . ff00::/8 . echo-reply : accept, | |
| fc00::/7 . fc00::/7 . echo-reply : accept, | |
| fe80::/10 . fe80::/10 . nd-neighbor-solicit : accept, | |
| fc00::/7 . ff00::/8 . nd-neighbor-solicit : accept, | |
| fc00::/7 . fc00::/7 . nd-neighbor-solicit : accept, | |
| fc00::/7 . fc00::/7 . nd-neighbor-advert : accept, | |
| fe80::/10 . fe80::/10 . nd-neighbor-advert : accept, | |
| fe80::/10 . ff00::/8 . nd-router-advert : accept, | |
| fe80::/10 . fe80::/10 . nd-router-advert : accept } | |
| } | |
| map tcp_ports_in4 { # handle 20 | |
| typeof ip saddr . ip daddr . tcp dport : verdict | |
| flags interval | |
| elements = { 0.0.0.0/0 . 0.0.0.0/0 . 22 : accept } | |
| } | |
| map tcp_ports_in6 { # handle 21 | |
| typeof ip6 saddr . ip6 daddr . tcp dport : verdict | |
| flags interval | |
| elements = { ::/0 . ::/0 . 22 : accept } | |
| } | |
| map udp_ports_in4 { # handle 29 | |
| typeof ip saddr . ip daddr . udp dport : verdict | |
| flags interval | |
| elements = { 169.254.0.0/16 . 169.254.0.0/16 . 68 : accept, | |
| 10.0.0.0/8 . 10.0.0.0/8 . 68 : accept, | |
| 172.16.0.0/12 . 172.16.0.0/12 . 68 : accept, | |
| 192.160.0.0/12 . 192.168.0.0/16 . 68 : accept, | |
| 10.0.0.0/8 . 10.0.0.0/8 . 137 : accept, | |
| 172.16.0.0/12 . 172.16.0.0/12 . 137 : accept, | |
| 192.160.0.0/12 . 192.168.0.0/16 . 137 : accept, | |
| 10.0.0.0/8 . 10.0.0.0/8 . 5353 : accept, | |
| 172.16.0.0/12 . 172.16.0.0/12 . 5353 : accept, | |
| 192.160.0.0/12 . 192.168.0.0/16 . 5353 : accept, | |
| 10.0.0.0/8 . 224.0.0.0/4 . 5353 : accept, | |
| 172.16.0.0/12 . 224.0.0.0/4 . 5353 : accept, | |
| 192.160.0.0/12 . 224.0.0.0/4 . 5353 : accept } | |
| } | |
| map udp_ports_in6 { # handle 30 | |
| typeof ip6 saddr . ip6 daddr . udp dport : verdict | |
| flags interval | |
| elements = { fe80::/10 . ff00::/8 . 546 : accept, | |
| fe80::/10 . ff00::/8 . 5353 : accept, | |
| fc00::/7 . ff00::/8 . 5353 : accept } | |
| } | |
| map icmp_types_out4 { # handle 59 | |
| typeof ip saddr . ip daddr . icmp type : verdict | |
| flags interval | |
| elements = { 10.0.0.0/8 . 0.0.0.0/0 . echo-request : accept, | |
| 172.16.0.0/12 . 0.0.0.0/0 . echo-request : accept, | |
| 192.168.0.0/16 . 0.0.0.0/0 . echo-request : accept, | |
| 10.0.0.0/8 . 10.0.0.0/8 . echo-reply : accept, | |
| 172.16.0.0/12 . 172.16.0.0/12 . echo-reply : accept, | |
| 192.168.0.0/16 . 192.168.0.0/16 . echo-reply : accept, | |
| 10.0.0.0/8 . 10.0.0.0/8 . destination-unreachable : accept, | |
| 172.16.0.0/12 . 172.16.0.0/12 . destination-unreachable : accept, | |
| 192.168.0.0/16 . 192.168.0.0/16 . destination-unreachable : accept, | |
| 10.0.0.0/8 . 0.0.0.0/0 . echo-reply : jump icmp_echo_reply_rate_limit } | |
| } | |
| map icmp_types_out6 { # handle 60 | |
| typeof ip6 saddr . ip6 daddr . icmpv6 type : verdict | |
| flags interval | |
| elements = { fe80::/10 . ff00::/8 . echo-request : accept, | |
| fc00::/7 . fc00::/7 . echo-reply : accept, | |
| 2000::/3 . ::/0 . echo-reply : jump icmp_echo_reply_rate_limit, | |
| fc00::/7 . fc00::/7 . nd-neighbor-advert : accept, | |
| fe80::/10 . fe80::/10 . nd-neighbor-advert : accept, | |
| fc00::/7 . ff00::/8 . nd-neighbor-solicit : accept, | |
| fe80::/10 . fc00::/7 . nd-neighbor-solicit : accept, | |
| fe80::/10 . fe80::/10 . nd-neighbor-solicit : accept, | |
| fe80::/10 . ff00::/8 . nd-router-solicit : accept } | |
| } | |
| map tcp_ports_out4 { # handle 66 | |
| typeof ip saddr . ip daddr . tcp dport : verdict | |
| flags interval | |
| elements = { 10.0.0.0/8 . 10.0.0.0/8 . 21 : accept, | |
| 172.16.0.0/12 . 172.16.0.0/12 . 21 : accept, | |
| 192.168.0.0/16 . 192.168.0.0/16 . 21 : accept, | |
| 10.0.0.0/8 . 10.0.0.0/8 . 23 : accept, | |
| 172.16.0.0/12 . 172.16.0.0/12 . 23 : accept, | |
| 192.168.0.0/16 . 192.168.0.0/16 . 23 : accept, | |
| 10.0.0.0/8 . 10.0.0.0/8 . 25 : accept, | |
| 172.16.0.0/12 . 172.16.0.0/12 . 25 : accept, | |
| 192.168.0.0/16 . 192.168.0.0/16 . 25 : accept, | |
| 10.0.0.0/8 . 10.0.0.0/8 . 53 : accept, | |
| 172.16.0.0/12 . 172.16.0.0/12 . 53 : accept, | |
| 192.168.0.0/16 . 192.168.0.0/16 . 53 : accept, | |
| 10.0.0.0/8 . 10.0.0.0/8 . 80 : accept, | |
| 172.16.0.0/12 . 172.16.0.0/12 . 80 : accept, | |
| 192.168.0.0/16 . 192.168.0.0/16 . 80 : accept, | |
| 10.0.0.0/8 . 0.0.0.0/0 . 22 : accept, | |
| 172.16.0.0/12 . 0.0.0.0/0 . 22 : accept, | |
| 192.168.0.0/16 . 0.0.0.0/0 . 22 : accept, | |
| 10.0.0.0/8 . 0.0.0.0/0 . 443 : accept, | |
| 172.16.0.0/12 . 0.0.0.0/0 . 443 : accept, | |
| 192.168.0.0/16 . 0.0.0.0/0 . 443 : accept, | |
| 10.0.0.0/8 . 0.0.0.0/0 . 853 : accept, | |
| 172.16.0.0/12 . 0.0.0.0/0 . 853 : accept, | |
| 192.168.0.0/16 . 0.0.0.0/0 . 853 : accept, | |
| 10.0.0.0/8 . 0.0.0.0/0 . 4460 : accept, | |
| 172.16.0.0/12 . 0.0.0.0/0 . 4460 : accept, | |
| 192.168.0.0/16 . 0.0.0.0/0 . 4460 : accept, | |
| 10.0.0.0/8 . 0.0.0.0/0 . 5349 : accept, | |
| 172.16.0.0/12 . 0.0.0.0/0 . 5349 : accept, | |
| 192.168.0.0/16 . 0.0.0.0/0 . 5349 : accept } | |
| } | |
| map tcp_ports_out6 { # handle 67 | |
| typeof ip6 saddr . ip6 daddr . tcp dport : verdict | |
| flags interval | |
| } | |
| map udp_ports_out4 { # handle 74 | |
| typeof ip saddr . ip daddr . udp dport : verdict | |
| flags interval | |
| elements = { 10.0.0.0/8 . 10.0.0.0/8 . 67 : accept, | |
| 172.16.0.0/12 . 172.16.0.0/12 . 67 : accept, | |
| 192.168.0.0/16 . 192.168.0.0/16 . 67 : accept, | |
| 169.254.0.0/16 . 169.254.0.0/16 . 67 : accept, | |
| 10.0.0.0/8 . 10.0.0.0/8 . 53 : accept, | |
| 172.16.0.0/12 . 172.16.0.0/12 . 53 : accept, | |
| 192.168.0.0/16 . 192.168.0.0/16 . 53 : accept, | |
| 10.0.0.0/8 . 10.0.0.0/8 . 137 : accept, | |
| 172.16.0.0/12 . 172.16.0.0/12 . 137 : accept, | |
| 192.168.0.0/16 . 192.168.0.0/16 . 137 : accept, | |
| 10.0.0.0/8 . 224.0.0.0/4 . 5353 : accept, | |
| 172.16.0.0/12 . 224.0.0.0/4 . 5353 : accept, | |
| 192.168.0.0/16 . 224.0.0.0/4 . 5353 : accept, | |
| 169.254.0.0/16 . 224.0.0.0/4 . 5353 : accept, | |
| 10.0.0.0/8 . 0.0.0.0/0 . 443 : accept, | |
| 172.16.0.0/12 . 0.0.0.0/0 . 443 : accept, | |
| 192.168.0.0/16 . 0.0.0.0/0 . 443 : accept, | |
| 10.0.0.0/8 . 0.0.0.0/0 . 1194 : accept, | |
| 172.16.0.0/12 . 0.0.0.0/0 . 1194 : accept, | |
| 192.168.0.0/16 . 0.0.0.0/0 . 1194 : accept } | |
| } | |
| map udp_ports_out6 { # handle 75 | |
| typeof ip6 saddr . ip6 daddr . udp dport : verdict | |
| flags interval | |
| elements = { fe80::/10 . ff00::/8 . 547 : accept, | |
| 2000::/3 . ::/0 . 443 : accept, | |
| fc00::/7 . ff00::/8 . 5353 : accept } | |
| } | |
| map docker_forward_map4 { # handle 98 | |
| typeof ip saddr . ip daddr . ct state : verdict | |
| flags interval | |
| elements = { 100.64.0.0/20 . 0.0.0.0/0 . new : drop, | |
| 100.64.16.0/20 . 100.64.32.0/20 . new : accept, | |
| 100.64.32.0/20 . 100.64.16.0/20 . established : accept, | |
| 100.64.48.0/20 . 100.64.0.0/17 . new : drop, | |
| 100.64.48.0/20 . 0.0.0.0/0 . new : accept, | |
| 100.64.48.0/20 . 0.0.0.0/0 . established : accept, | |
| 100.64.64.0/20 . 100.64.64.0/20 . new : accept } | |
| } | |
| chain reject_with_icmp_port_unreachable_metered { # handle 5 | |
| add @icmp_egress_meter4 { ip daddr timeout 4s limit rate 3/second } counter reject # handle 6 | |
| add @icmp_egress_meter6 { ip6 daddr timeout 4s limit rate 3/second } counter reject # handle 7 | |
| counter drop # handle 8 | |
| } | |
| chain reject_with_icmp_port_unreachable { # handle 9 | |
| reject # handle 10 | |
| } | |
| chain icmp_in { # handle 15 | |
| ip saddr . ip daddr . icmp type vmap @icmp_types_in4 counter # handle 16 | |
| ip6 saddr . ip6 daddr . icmpv6 type vmap @icmp_types_in6 counter # handle 17 | |
| log prefix "icmp_in" group 1 # handle 18 | |
| counter drop # handle 19 | |
| } | |
| chain tcp_in { # handle 22 | |
| ct state established counter accept # handle 23 | |
| ip saddr . ip daddr . tcp dport vmap @tcp_ports_in4 counter # handle 24 | |
| ip6 saddr . ip6 daddr . tcp dport vmap @tcp_ports_in6 counter # handle 25 | |
| log prefix "tcp_in" group 1 # handle 26 | |
| ip saddr . ip daddr vmap @reject_or_drop_port4 # handle 27 | |
| ip6 saddr . ip6 daddr vmap @reject_or_drop_port6 # handle 28 | |
| } | |
| chain udp_in { # handle 31 | |
| ct state established counter accept # handle 32 | |
| ip saddr . ip daddr . udp dport vmap @udp_ports_in4 counter # handle 33 | |
| ip6 saddr . ip6 daddr . udp dport vmap @udp_ports_in6 counter # handle 34 | |
| log prefix "udp_in" group 1 # handle 35 | |
| ip saddr . ip daddr vmap @reject_or_drop_port4 # handle 36 | |
| ip6 saddr . ip6 daddr vmap @reject_or_drop_port6 # handle 37 | |
| } | |
| chain ether_in { # handle 38 | |
| ip protocol vmap { icmp : jump icmp_in, tcp : jump tcp_in, udp : jump udp_in } counter # handle 40 | |
| ip6 nexthdr vmap { tcp : jump tcp_in, udp : jump udp_in, ipv6-icmp : jump icmp_in } counter # handle 42 | |
| log prefix "ether_in" group 1 # handle 43 | |
| counter drop # handle 44 | |
| } | |
| chain input { # handle 45 | |
| type filter hook input priority filter; policy drop; | |
| meta iiftype vmap { loopback : accept } # handle 47 | |
| ip saddr vmap @drop_bogons4 counter # handle 48 | |
| ip6 saddr vmap @drop_bogons6 counter # handle 49 | |
| meta iiftype vmap { ether : jump ether_in } # handle 51 | |
| log prefix "input" group 1 # handle 52 | |
| counter # handle 53 | |
| } | |
| chain icmp_echo_reply_rate_limit { # handle 54 | |
| add @icmp_egress_meter4 { ip saddr timeout 4s limit rate 3/second } counter accept # handle 55 | |
| add @icmp_egress_meter6 { ip6 saddr timeout 4s limit rate 3/second } counter accept # handle 56 | |
| log group 1 # handle 57 | |
| counter drop # handle 58 | |
| } | |
| chain icmp_out { # handle 61 | |
| ip saddr . ip daddr . icmp type vmap @icmp_types_out4 counter # handle 62 | |
| ip6 saddr . ip6 daddr . icmpv6 type vmap @icmp_types_out6 counter # handle 63 | |
| log prefix "icmp_out" group 1 # handle 64 | |
| counter drop # handle 65 | |
| } | |
| chain tcp_out { # handle 68 | |
| ct state established counter accept # handle 69 | |
| ip saddr . ip daddr . tcp dport vmap @tcp_ports_out4 counter # handle 70 | |
| ip6 saddr . ip6 daddr . tcp dport vmap @tcp_ports_out6 counter # handle 71 | |
| log prefix "tcp_out" group 1 # handle 72 | |
| counter drop # handle 73 | |
| } | |
| chain udp_out { # handle 76 | |
| ct state established counter accept # handle 77 | |
| ip saddr . ip daddr . udp dport vmap @udp_ports_out4 counter # handle 78 | |
| ip6 saddr . ip6 daddr . udp dport vmap @udp_ports_out6 counter # handle 79 | |
| log prefix "udp_out" group 1 # handle 80 | |
| counter drop # handle 81 | |
| } | |
| chain ether_out { # handle 82 | |
| ip protocol vmap { icmp : jump icmp_out, tcp : jump tcp_out, udp : jump udp_out } # handle 84 | |
| ip6 nexthdr vmap { tcp : jump tcp_out, udp : jump udp_out, ipv6-icmp : jump icmp_out } # handle 86 | |
| log prefix "ether_out" group 1 # handle 87 | |
| counter drop # handle 88 | |
| log prefix "ether_forward" group 1 # handle 101 | |
| counter drop # handle 102 | |
| } | |
| chain output { # handle 89 | |
| type filter hook output priority filter; policy drop; | |
| meta oiftype vmap { loopback : accept } # handle 91 | |
| ip daddr vmap @drop_bogons4 counter # handle 92 | |
| ip6 daddr vmap @drop_bogons6 counter # handle 93 | |
| meta oiftype vmap { ether : jump ether_out } # handle 95 | |
| log prefix "output" group 1 # handle 96 | |
| counter # handle 97 | |
| meta oiftype vmap { ether : jump ether_forward } # handle 107 | |
| } | |
| chain ether_forward { # handle 99 | |
| ip saddr . ip daddr . ct state vmap @docker_forward_map4 # handle 100 | |
| } | |
| chain forward { # handle 103 | |
| type filter hook forward priority filter; policy drop; | |
| ip saddr vmap @drop_bogons4 counter # handle 104 | |
| ip6 saddr vmap @drop_bogons6 counter # handle 105 | |
| log prefix "forward" group 1 # handle 108 | |
| counter # handle 109 | |
| } | |
| } |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment