kubernetes-guide/codeblock/home-network/nftables.conf

#!/sbin/nft -f

table inet firewall
delete table inet firewall

table inet firewall {
    chain prerouting {
        type filter hook prerouting priority mangle; policy drop;

        iifname != ppp0 accept comment "only care about ppp0"

        ip saddr 192.168.43.0/24 counter accept

        udp dport > 32767 counter accept

        # Permit established and related connections
        ct state established,related \
          accept \
          comment "Permit established/related connections"

        # Permit inbound IKEv2 traffic
        udp dport { 500, 4500 } \
          counter \
          accept \
          comment "Permit inbound IKEv2 traffic"

        # Permit inbound k3s traffic
        tcp dport { 6443 } \
          counter \
          accept \
          comment "Permit inbound k3s traffic"

        # Permit inbound traceroute UDP ports but limit to 500 PPS
        udp dport 33434-33524 \
          limit rate 500/second \
          counter \
          accept \
          comment "Permit inbound UDP traceroute limited to 500 PPS"

        # Permit inbound SSH
        tcp dport { 22, 2456, 24567 } \
          counter \
          accept \
          comment "Permit inbound SSH connections"

        # Permit aria2 listen port
        meta l4proto { tcp, udp } \
          th dport 16881 \
          counter \
          accept \
          comment "Permit aria2 listen port"

        # Log and drop new TCP non-SYN packets
        tcp flags != syn ct state new \
          limit rate 100/minute burst 150 packets \
          log prefix "IN - New !SYN: " \
          comment "Rate limit logging for new connections that do not have the SYN TCP flag set"
        tcp flags != syn ct state new \
          counter \
          drop \
          comment "Drop new connections that do not have the SYN TCP flag set"

        # Log and drop TCP packets with invalid fin/syn flag set
        tcp flags & (fin|syn) == (fin|syn) \
          limit rate 100/minute burst 150 packets \
          log prefix "IN - TCP FIN|SIN: " \
          comment "Rate limit logging for TCP packets with invalid fin/syn flag set"
        tcp flags & (fin|syn) == (fin|syn) \
          counter \
          drop \
          comment "Drop TCP packets with invalid fin/syn flag set"

        # Log and drop TCP packets with invalid syn/rst flag set
        tcp flags & (syn|rst) == (syn|rst) \
          limit rate 100/minute burst 150 packets \
          log prefix "IN - TCP SYN|RST: " \
          comment "Rate limit logging for TCP packets with invalid syn/rst flag set"
        tcp flags & (syn|rst) == (syn|rst) \
          counter \
          drop \
          comment "Drop TCP packets with invalid syn/rst flag set"

        # Log and drop invalid TCP flags
        tcp flags & (fin|syn|rst|psh|ack|urg) < (fin) \
          limit rate 100/minute burst 150 packets \
          log prefix "IN - FIN:" \
          comment "Rate limit logging for invalid TCP flags (fin|syn|rst|psh|ack|urg) < (fin)"
        tcp flags & (fin|syn|rst|psh|ack|urg) < (fin) \
          counter \
          drop \
          comment "Drop TCP packets with flags (fin|syn|rst|psh|ack|urg) < (fin)"

        # Log and drop invalid TCP flags
        tcp flags & (fin|syn|rst|psh|ack|urg) == (fin|psh|urg) \
          limit rate 100/minute burst 150 packets \
          log prefix "IN - FIN|PSH|URG:" \
          comment "Rate limit logging for invalid TCP flags (fin|syn|rst|psh|ack|urg) == (fin|psh|urg)"
        tcp flags & (fin|syn|rst|psh|ack|urg) == (fin|psh|urg) \
          counter \
          drop \
          comment "Drop TCP packets with flags (fin|syn|rst|psh|ack|urg) == (fin|psh|urg)"

        # Drop traffic with invalid connection state
        ct state invalid \
          limit rate 100/minute burst 150 packets \
          log flags all prefix "IN - Invalid: " \
          comment "Rate limit logging for traffic with invalid connection state"
        ct state invalid \
          counter \
          drop \
          comment "Drop traffic with invalid connection state"

        # Permit IPv4 ping/ping responses but rate limit to 2000 PPS
        ip protocol icmp icmp type { echo-reply, echo-request } \
          limit rate 2000/second \
          counter \
          accept \
          comment "Permit inbound IPv4 echo (ping) limited to 2000 PPS"

        # Permit all other inbound IPv4 ICMP
        ip protocol icmp \
          counter \
          accept \
          comment "Permit all other IPv4 ICMP"

        # Permit IPv6 ping/ping responses but rate limit to 2000 PPS
        icmpv6 type { echo-reply, echo-request } \
          limit rate 2000/second \
          counter \
          accept \
          comment "Permit inbound IPv6 echo (ping) limited to 2000 PPS"

        ## Permit all other inbound IPv6 ICMP
        meta l4proto { icmpv6 } \
          counter \
          accept \
          comment "Permit all other IPv6 ICMP"

        # Log any unmatched traffic but rate limit logging to a maximum of 60 messages/minute
        # The default policy will be applied to unmatched traffic
        limit rate 60/minute burst 100 packets \
          log prefix "IN - Drop: " \
          comment "Log any unmatched traffic"

        # Count the unmatched traffic
        counter \
          comment "Count any unmatched traffic"
    }
}

table inet ppp
delete table inet ppp

table inet ppp {
    chain postrouting {
        type nat hook postrouting priority 100; policy accept;
        oifname != "ppp0" return
        meta l4proto { tcp, udp } ip saddr 10.10.0.0/16 counter masquerade
        meta l4proto { tcp, udp } ip6 saddr fddd:dddd:dddd:dddd::/64 counter masquerade
    }
}
update at 2024-03-04 17:57:51 2024-03-04 17:57:51 +08:00			`#!/sbin/nft -f`

			`table inet firewall`
			`delete table inet firewall`

			`table inet firewall {`
			`chain prerouting {`
			`type filter hook prerouting priority mangle; policy drop;`

			`iifname != ppp0 accept comment "only care about ppp0"`

			`ip saddr 192.168.43.0/24 counter accept`

			`udp dport > 32767 counter accept`

			`# Permit established and related connections`
			`ct state established,related \`
			`accept \`
			`comment "Permit established/related connections"`

			`# Permit inbound IKEv2 traffic`
			`udp dport { 500, 4500 } \`
			`counter \`
			`accept \`
			`comment "Permit inbound IKEv2 traffic"`

			`# Permit inbound k3s traffic`
			`tcp dport { 6443 } \`
			`counter \`
			`accept \`
			`comment "Permit inbound k3s traffic"`

			`# Permit inbound traceroute UDP ports but limit to 500 PPS`
			`udp dport 33434-33524 \`
			`limit rate 500/second \`
			`counter \`
			`accept \`
			`comment "Permit inbound UDP traceroute limited to 500 PPS"`

			`# Permit inbound SSH`
			`tcp dport { 22, 2456, 24567 } \`
			`counter \`
			`accept \`
			`comment "Permit inbound SSH connections"`

			`# Permit aria2 listen port`
			`meta l4proto { tcp, udp } \`
			`th dport 16881 \`
			`counter \`
			`accept \`
			`comment "Permit aria2 listen port"`

			`# Log and drop new TCP non-SYN packets`
			`tcp flags != syn ct state new \`
			`limit rate 100/minute burst 150 packets \`
			`log prefix "IN - New !SYN: " \`
			`comment "Rate limit logging for new connections that do not have the SYN TCP flag set"`
			`tcp flags != syn ct state new \`
			`counter \`
			`drop \`
			`comment "Drop new connections that do not have the SYN TCP flag set"`

			`# Log and drop TCP packets with invalid fin/syn flag set`
			`tcp flags & (fin\|syn) == (fin\|syn) \`
			`limit rate 100/minute burst 150 packets \`
			`log prefix "IN - TCP FIN\|SIN: " \`
			`comment "Rate limit logging for TCP packets with invalid fin/syn flag set"`
			`tcp flags & (fin\|syn) == (fin\|syn) \`
			`counter \`
			`drop \`
			`comment "Drop TCP packets with invalid fin/syn flag set"`

			`# Log and drop TCP packets with invalid syn/rst flag set`
			`tcp flags & (syn\|rst) == (syn\|rst) \`
			`limit rate 100/minute burst 150 packets \`
			`log prefix "IN - TCP SYN\|RST: " \`
			`comment "Rate limit logging for TCP packets with invalid syn/rst flag set"`
			`tcp flags & (syn\|rst) == (syn\|rst) \`
			`counter \`
			`drop \`
			`comment "Drop TCP packets with invalid syn/rst flag set"`

			`# Log and drop invalid TCP flags`
			`tcp flags & (fin\|syn\|rst\|psh\|ack\|urg) < (fin) \`
			`limit rate 100/minute burst 150 packets \`
			`log prefix "IN - FIN:" \`
			`comment "Rate limit logging for invalid TCP flags (fin\|syn\|rst\|psh\|ack\|urg) < (fin)"`
			`tcp flags & (fin\|syn\|rst\|psh\|ack\|urg) < (fin) \`
			`counter \`
			`drop \`
			`comment "Drop TCP packets with flags (fin\|syn\|rst\|psh\|ack\|urg) < (fin)"`

			`# Log and drop invalid TCP flags`
			`tcp flags & (fin\|syn\|rst\|psh\|ack\|urg) == (fin\|psh\|urg) \`
			`limit rate 100/minute burst 150 packets \`
			`log prefix "IN - FIN\|PSH\|URG:" \`
			`comment "Rate limit logging for invalid TCP flags (fin\|syn\|rst\|psh\|ack\|urg) == (fin\|psh\|urg)"`
			`tcp flags & (fin\|syn\|rst\|psh\|ack\|urg) == (fin\|psh\|urg) \`
			`counter \`
			`drop \`
			`comment "Drop TCP packets with flags (fin\|syn\|rst\|psh\|ack\|urg) == (fin\|psh\|urg)"`

			`# Drop traffic with invalid connection state`
			`ct state invalid \`
			`limit rate 100/minute burst 150 packets \`
			`log flags all prefix "IN - Invalid: " \`
			`comment "Rate limit logging for traffic with invalid connection state"`
			`ct state invalid \`
			`counter \`
			`drop \`
			`comment "Drop traffic with invalid connection state"`

			`# Permit IPv4 ping/ping responses but rate limit to 2000 PPS`
			`ip protocol icmp icmp type { echo-reply, echo-request } \`
			`limit rate 2000/second \`
			`counter \`
			`accept \`
			`comment "Permit inbound IPv4 echo (ping) limited to 2000 PPS"`

			`# Permit all other inbound IPv4 ICMP`
			`ip protocol icmp \`
			`counter \`
			`accept \`
			`comment "Permit all other IPv4 ICMP"`

			`# Permit IPv6 ping/ping responses but rate limit to 2000 PPS`
			`icmpv6 type { echo-reply, echo-request } \`
			`limit rate 2000/second \`
			`counter \`
			`accept \`
			`comment "Permit inbound IPv6 echo (ping) limited to 2000 PPS"`

			`## Permit all other inbound IPv6 ICMP`
			`meta l4proto { icmpv6 } \`
			`counter \`
			`accept \`
			`comment "Permit all other IPv6 ICMP"`

			`# Log any unmatched traffic but rate limit logging to a maximum of 60 messages/minute`
			`# The default policy will be applied to unmatched traffic`
			`limit rate 60/minute burst 100 packets \`
			`log prefix "IN - Drop: " \`
			`comment "Log any unmatched traffic"`

			`# Count the unmatched traffic`
			`counter \`
			`comment "Count any unmatched traffic"`
			`}`
			`}`

			`table inet ppp`
			`delete table inet ppp`

			`table inet ppp {`
			`chain postrouting {`
			`type nat hook postrouting priority 100; policy accept;`
			`oifname != "ppp0" return`
			`meta l4proto { tcp, udp } ip saddr 10.10.0.0/16 counter masquerade`
			`meta l4proto { tcp, udp } ip6 saddr fddd:dddd:dddd:dddd::/64 counter masquerade`
			`}`
			`}`