Update nftables.conf: Add example when there are multiple net interface.
This commit is contained in:
parent
c71dc9a977
commit
3ecae343f4
|
@ -1,6 +1,9 @@
|
|||
#!/usr/sbin/nft -f
|
||||
|
||||
define int_if1 = ens33
|
||||
define int_if = ens33
|
||||
|
||||
# If there are multiple net interface, example:
|
||||
# define int_if = {ens33, ens36}
|
||||
|
||||
flush ruleset
|
||||
|
||||
|
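Review bot: The new comment `# If there are multiple net interface, example:` is ungrammatical and does not say what the set example means for the rules that use `$int_if`; suggest `# If there are multiple net interfaces, define them as a set, e.g.:` followed by the existing `# define int_if = {ens33, ens36}`, plus one line noting that every `iifname $int_if` match below then applies to any interface in the set. Since `int_if1` was renamed to `int_if` here, any rule still referring to `$int_if1` elsewhere in the file would fail to load; the second hunk appears to cover all of them, but the rest of the file is outside this view.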
@ -14,22 +17,22 @@ table ip filter {
|
|||
ip protocol icmp ct state established counter packets 0 bytes 0 accept
|
||||
ip protocol icmp ct state related counter packets 0 bytes 0 accept
|
||||
limit rate 3/minute counter packets 0 bytes 0 log prefix "SFW2-IN-ILL-TARGET " flags tcp options flags ip options
|
||||
iifname $int_if1 tcp flags & (fin | syn | rst | ack) != syn ct state new limit rate 5/minute burst 7 packets counter packets 0 bytes 0 log prefix "Drop Syn"
|
||||
iifname $int_if1 tcp flags & (fin | syn | rst | ack) != syn ct state new counter packets 0 bytes 0 drop
|
||||
iifname $int_if1 ip frag-off & 8191 != 0 limit rate 5/minute burst 7 packets counter packets 0 bytes 0 log prefix "Fragments Packets"
|
||||
iifname $int_if1 ip frag-off & 8191 != 0 counter packets 0 bytes 0 drop
|
||||
iifname $int_if1 tcp flags & (fin | syn | rst | psh | ack | urg) == fin | psh | urg counter packets 0 bytes 0 drop
|
||||
iifname $int_if1 tcp flags & (fin | syn | rst | psh | ack | urg) == fin | syn | rst | psh | ack | urg counter packets 0 bytes 0 drop
|
||||
iifname $int_if1 tcp flags & (fin | syn | rst | psh | ack | urg) == 0x0 limit rate 5/minute burst 7 packets counter packets 0 bytes 0 log prefix "NULL Packets"
|
||||
iifname $int_if1 tcp flags & (fin | syn | rst | psh | ack | urg) == 0x0 counter packets 0 bytes 0 drop
|
||||
iifname $int_if1 tcp flags & (syn | rst) == syn | rst counter packets 0 bytes 0 drop
|
||||
iifname $int_if1 tcp flags & (fin | syn) == fin | syn limit rate 5/minute burst 7 packets counter packets 0 bytes 0 log prefix "XMAS Packets"
|
||||
iifname $int_if1 tcp flags & (fin | syn) == fin | syn counter packets 0 bytes 0 drop
|
||||
iifname $int_if1 tcp flags & (fin | ack) == fin limit rate 5/minute burst 7 packets counter packets 0 bytes 0 log prefix "Fin Packets Scan"
|
||||
iifname $int_if1 tcp flags & (fin | ack) == fin counter packets 0 bytes 0 drop
|
||||
iifname $int_if1 tcp flags & (fin | syn | rst | psh | ack | urg) == fin | syn | rst | ack | urg counter packets 0 bytes 0 drop
|
||||
iifname $int_if1 tcp dport 137-139 counter packets 0 bytes 0 reject
|
||||
iifname $int_if1 udp dport 137-139 counter packets 0 bytes 0 reject
|
||||
iifname $int_if tcp flags & (fin | syn | rst | ack) != syn ct state new limit rate 5/minute burst 7 packets counter packets 0 bytes 0 log prefix "Drop Syn"
|
||||
iifname $int_if tcp flags & (fin | syn | rst | ack) != syn ct state new counter packets 0 bytes 0 drop
|
||||
iifname $int_if ip frag-off & 8191 != 0 limit rate 5/minute burst 7 packets counter packets 0 bytes 0 log prefix "Fragments Packets"
|
||||
iifname $int_if ip frag-off & 8191 != 0 counter packets 0 bytes 0 drop
|
||||
iifname $int_if tcp flags & (fin | syn | rst | psh | ack | urg) == fin | psh | urg counter packets 0 bytes 0 drop
|
||||
iifname $int_if tcp flags & (fin | syn | rst | psh | ack | urg) == fin | syn | rst | psh | ack | urg counter packets 0 bytes 0 drop
|
||||
iifname $int_if tcp flags & (fin | syn | rst | psh | ack | urg) == 0x0 limit rate 5/minute burst 7 packets counter packets 0 bytes 0 log prefix "NULL Packets"
|
||||
iifname $int_if tcp flags & (fin | syn | rst | psh | ack | urg) == 0x0 counter packets 0 bytes 0 drop
|
||||
iifname $int_if tcp flags & (syn | rst) == syn | rst counter packets 0 bytes 0 drop
|
||||
iifname $int_if tcp flags & (fin | syn) == fin | syn limit rate 5/minute burst 7 packets counter packets 0 bytes 0 log prefix "XMAS Packets"
|
||||
iifname $int_if tcp flags & (fin | syn) == fin | syn counter packets 0 bytes 0 drop
|
||||
iifname $int_if tcp flags & (fin | ack) == fin limit rate 5/minute burst 7 packets counter packets 0 bytes 0 log prefix "Fin Packets Scan"
|
||||
iifname $int_if tcp flags & (fin | ack) == fin counter packets 0 bytes 0 drop
|
||||
iifname $int_if tcp flags & (fin | syn | rst | psh | ack | urg) == fin | syn | rst | ack | urg counter packets 0 bytes 0 drop
|
||||
iifname $int_if tcp dport 137-139 counter packets 0 bytes 0 reject
|
||||
iifname $int_if udp dport 137-139 counter packets 0 bytes 0 reject
|
||||
icmp type source-quench counter packets 0 bytes 0 accept
|
||||
tcp dport ssh ct state new counter packets 0 bytes 0 accept
|
||||
udp dport ntp ct state new counter packets 0 bytes 0 accept
|
||||
|
|
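Review bot: The renamed log rules carry prefixes with no trailing space (`"Drop Syn"`, `"Fragments Packets"`, `"NULL Packets"`, `"XMAS Packets"`, `"Fin Packets Scan"`), so the prefix runs directly into the packet fields in the kernel log and log parsers will not split it cleanly; the context line above uses `"SFW2-IN-ILL-TARGET "` with a trailing space, so the new lines should follow it, e.g. `log prefix "Drop Syn "`. Since the commit already touches every one of these lines, fixing the prefixes in the same change would be cheap. As a point of style, the `counter packets 0 bytes 0` on each rule looks like `nft list ruleset` output carried into the config; plain `counter` is enough in a file that is loaded with `nft -f`. The enclosing `table ip filter` chain starts before this hunk and its policy is not visible here.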