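#jinja2:trim_blocks:True,lstrip_blocks:True
# ferm input-filter template, rendered by Jinja2 (Ansible ipaddr filters are used).
#
# Template variables:
#   incoming_connection_limit       - hashlimit rate, applied per source address
#   incoming_connection_limit_burst - hashlimit burst size
#   maintenance                     - when true, new connections are only accepted
#                                     from maintenance_allowed_sources
#   maintenance_allowed_sources     - list of source addresses; IPv4 entries feed the
#                                     ip domain, IPv6 entries the ip6 domain
#
# Changes versus the previous revision (both domains):
#   - the maintenance allow-list check is evaluated BEFORE the generic ACCEPT rules;
#     placed after them it never saw the accepted traffic and everything else was
#     already dropped by the chain policy, so the allow-list had no effect
#   - the TCP flood rule gets its own hashlimit table name; it previously reused
#     the "icmp" name, so pings and SYNs shared one bucket per source address

# IPv4
domain ip {
    table filter {
        chain INPUT {
            policy DROP;
            interface lo ACCEPT;

            # Make sure not to allow flooding via ICMP ping packets by sending them
            # to the flood chain before the state module kicks in.
            proto icmp icmp-type echo-request jump flood;

            mod state state (ESTABLISHED RELATED) ACCEPT;

            # For TCP packets we perform flood checks after the state module took
            # care of established and related connections.
            proto tcp tcp-flags (FIN SYN RST ACK) SYN jump flood;

            {% if maintenance %}
            # Maintenance mode: validate the source address against the list of
            # allowed sources before any new connection is accepted below.
            jump allowed_sources;
            {% endif %}

            # Accept some common incoming connections.
            proto icmp icmp-type echo-request ACCEPT;
            proto tcp dport 22 ACCEPT;
        }

        # The flood chain controls the rate of incoming connections per source
        # address.  Each rule uses its own hashlimit table so that a ping flood and
        # a SYN flood are accounted separately.
        chain flood {
            # Rate-limit the ping requests.
            proto icmp icmp-type echo-request {
                mod hashlimit hashlimit {{ incoming_connection_limit }}
                    hashlimit-burst {{ incoming_connection_limit_burst }}
                    hashlimit-mode srcip hashlimit-name icmp RETURN;
                DROP;
            }

            # Rate-limit the TCP connections.
            proto tcp tcp-flags (FIN SYN RST ACK) SYN {
                mod hashlimit hashlimit {{ incoming_connection_limit }}
                    hashlimit-burst {{ incoming_connection_limit_burst }}
                    hashlimit-mode srcip hashlimit-name tcp_syn RETURN;
                # Excess SYNs are logged (ICMP above is not).  LOG itself is not
                # rate-limited here, so a sustained SYN flood is noisy in the log.
                LOG;
                DROP;
            }
        }

        {% if maintenance %}
        # Resume processing for allowed source addresses, otherwise drop packets.
        chain allowed_sources {
            {% for source in maintenance_allowed_sources %}
            {% if source | ipv4 %}
            saddr {{ source }} RETURN;
            {% endif %}
            {% endfor %}
            DROP;
        }
        {% endif %}
    }
}

# IPv6, same as IPv4 config, with addition of a couple of ICMP packets.
domain ip6 {
    table filter {
        chain INPUT {
            policy DROP;
            interface lo ACCEPT;

            # Make sure not to allow flooding via ICMP ping packets by sending them
            # to the flood chain before the state module kicks in.
            proto icmp icmp-type echo-request jump flood;

            mod state state (ESTABLISHED RELATED) ACCEPT;

            # For TCP packets we perform flood checks after the state module took
            # care of established and related connections.
            proto tcp tcp-flags (FIN SYN RST ACK) SYN jump flood;

            # ICMPv6 packets required for proper functioning of IPv6.  These stay
            # ahead of the maintenance check: neighbour discovery must keep working
            # regardless of the allow-list, or nothing reaches the host at all.
            proto icmp icmp-type router-advertisement ACCEPT;
            proto icmp icmp-type neighbor-solicitation ACCEPT;
            proto icmp icmp-type neighbor-advertisement ACCEPT;

            {% if maintenance %}
            # Maintenance mode: validate the source address against the list of
            # allowed sources before any new connection is accepted below.
            jump allowed_sources;
            {% endif %}

            # Accept some common incoming connections.
            proto icmp icmp-type echo-request ACCEPT;
            proto tcp dport 22 ACCEPT;
        }

        # The flood chain controls the rate of incoming connections per source
        # address.  Each rule uses its own hashlimit table so that a ping flood and
        # a SYN flood are accounted separately.
        chain flood {
            # Rate-limit the ping requests.
            proto icmp icmp-type echo-request {
                mod hashlimit hashlimit {{ incoming_connection_limit }}
                    hashlimit-burst {{ incoming_connection_limit_burst }}
                    hashlimit-mode srcip hashlimit-name icmp RETURN;
                DROP;
            }

            # Rate-limit the TCP connections.
            proto tcp tcp-flags (FIN SYN RST ACK) SYN {
                mod hashlimit hashlimit {{ incoming_connection_limit }}
                    hashlimit-burst {{ incoming_connection_limit_burst }}
                    hashlimit-mode srcip hashlimit-name tcp_syn RETURN;
                # Excess SYNs are logged (ICMP above is not).  LOG itself is not
                # rate-limited here, so a sustained SYN flood is noisy in the log.
                LOG;
                DROP;
            }
        }

        {% if maintenance %}
        # Resume processing for allowed source addresses, otherwise drop packets.
        chain allowed_sources {
            {% for source in maintenance_allowed_sources %}
            {% if source | ipv6 %}
            saddr {{ source }} RETURN;
            {% endif %}
            {% endfor %}
            DROP;
        }
        {% endif %}
    }
}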