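# ferm firewall configuration, rendered from a Jinja2 template.
#
# Template variables used below:
#   incoming_connection_limit       - hashlimit rate (per source address)
#   incoming_connection_limit_burst - hashlimit burst (per source address)
#   maintenance                     - when true, enable the allowed_hosts chain
#   maintenance_allowed_hosts       - hosts that may pass in maintenance mode
#
# Both domains (ip, ip6) use a default DROP policy on INPUT and only open
# loopback, established/related traffic, rate-limited ICMP echo and TCP/22.

# IPv4
domain ip {
    table filter {
        chain INPUT {
            policy DROP;
            interface lo ACCEPT;

            # Make sure not to allow flooding via ICMP ping packages by sending them
            # to flood chain before state module kicks in.
            proto icmp icmp-type echo-request jump flood;

            mod state state (ESTABLISHED RELATED) ACCEPT;

            # For TCP packages we perform floods checks after state module took care
            # of established and related connections.
            proto tcp tcp-flags (FIN SYN RST ACK) SYN jump flood;

            # Accept some common incoming connections.
            proto icmp icmp-type echo-request ACCEPT;
            proto tcp dport 22 ACCEPT;

            {% if maintenance %}
            # Validate source IP against list of allowed hosts in maintenance mode.
            # NOTE(review): as written here this jump is the last rule in INPUT, so a
            # RETURN from allowed_hosts falls through to the DROP policy unless further
            # INPUT rules are appended elsewhere (ferm merges chain blocks across
            # files); confirm the ordering relative to the ACCEPT rules above matches
            # the intended maintenance semantics.
            jump allowed_hosts;
            {% endif %}
        }

        # The flood chain is used for controlling the rate of the incoming connections.
        # Each rule keeps its own per-source hashlimit table (hashlimit-name), so a
        # burst of pings does not consume the budget for new TCP connections.
        chain flood {
            # Rate-limit the ping requests.
            proto icmp icmp-type echo-request {
                mod hashlimit hashlimit {{ incoming_connection_limit }} hashlimit-burst {{ incoming_connection_limit_burst }} hashlimit-mode srcip hashlimit-name icmp RETURN;
                DROP;
            }

            # Rate-limit the TCP connections.
            # Only SYNs above the per-source limit reach LOG; the prefix makes these
            # lines easy to pick out of the kernel log.
            proto tcp tcp-flags (FIN SYN RST ACK) SYN {
                mod hashlimit hashlimit {{ incoming_connection_limit }} hashlimit-burst {{ incoming_connection_limit_burst }} hashlimit-mode srcip hashlimit-name tcp RETURN;
                LOG log-prefix "ferm syn-flood: ";
                DROP;
            }
        }

        {% if maintenance %}
        # Resume processing in case of allowed hosts, drop packets for
        # any other hosts.
        chain allowed_hosts {
            {% for host in maintenance_allowed_hosts %}
            saddr {{ host }} RETURN;
            {% endfor %}
            DROP;
        }
        {% endif %}
    }
}

# IPv6, same as IPv4 config, with addition of a couple of ICMP packets.
domain ip6 {
    table filter {
        chain INPUT {
            policy DROP;
            interface lo ACCEPT;

            # Make sure not to allow flooding via ICMP ping packages by sending them
            # to flood chain before state module kicks in.
            proto icmp icmp-type echo-request jump flood;

            mod state state (ESTABLISHED RELATED) ACCEPT;

            # For TCP packages we perform floods checks after state module took care
            # of established and related connections.
            proto tcp tcp-flags (FIN SYN RST ACK) SYN jump flood;

            # ICMPv6 packets required for proper functioning of IPv6.
            # NOTE(review): only neighbour-discovery types are listed; ICMPv6 error
            # messages are presumably expected to arrive as RELATED via the state rule
            # above - confirm this covers what the host needs.
            proto icmp icmp-type router-advertisement ACCEPT;
            proto icmp icmp-type neighbor-solicitation ACCEPT;
            proto icmp icmp-type neighbor-advertisement ACCEPT;

            # Accept some common incoming connections.
            proto icmp icmp-type echo-request ACCEPT;
            proto tcp dport 22 ACCEPT;

            {% if maintenance %}
            # Validate source IP against list of allowed hosts in maintenance mode.
            # NOTE(review): same ordering caveat as the IPv4 INPUT chain.
            jump allowed_hosts;
            {% endif %}
        }

        # The flood chain is used for controlling the rate of the incoming connections.
        # Separate hashlimit tables per rule, as in the IPv4 domain.
        chain flood {
            # Rate-limit the ping requests.
            proto icmp icmp-type echo-request {
                mod hashlimit hashlimit {{ incoming_connection_limit }} hashlimit-burst {{ incoming_connection_limit_burst }} hashlimit-mode srcip hashlimit-name icmp RETURN;
                DROP;
            }

            # Rate-limit the TCP connections.
            proto tcp tcp-flags (FIN SYN RST ACK) SYN {
                mod hashlimit hashlimit {{ incoming_connection_limit }} hashlimit-burst {{ incoming_connection_limit_burst }} hashlimit-mode srcip hashlimit-name tcp RETURN;
                LOG log-prefix "ferm syn-flood: ";
                DROP;
            }
        }

        {% if maintenance %}
        # Resume processing in case of allowed hosts, drop packets for
        # any other hosts.
        # Hosts without an AAAA record are skipped at render time so that only
        # names resolvable in the ip6 domain end up in saddr rules.
        chain allowed_hosts {
            {% for host in maintenance_allowed_hosts %}
            {% if lookup('dig', host + '/AAAA') not in ['NXDOMAIN', ''] %}
            saddr {{ host }} RETURN;
            {% endif %}
            {% endfor %}
            DROP;
        }
        {% endif %}
    }
}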