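# Host IPv6 stateful firewall in nftables "add" command form (load with
# `nft -f`).  Translated from an ip6tables ruleset: INPUT is closed by a
# final reject, the TCP/UDP chains are hooks for per-service allow rules and
# the SSH chain throttles new connections per source address.

add table ip6 filter
# Flushing only this table makes a reload idempotent (plain `add rule` would
# append a second copy of every rule) without touching other tables/families.
flush table ip6 filter

# INPUT already ends in an unconditional reject; `policy drop` is defense in
# depth so the chain stays closed if a later edit removes the catch-all.
add chain ip6 filter INPUT { type filter hook input priority 0; policy drop; }
# Nothing in this file forwards traffic.  The implicit accept policy is
# replaced with drop so that enabling net.ipv6.conf.*.forwarding does not
# turn the host into an open router; a router needs explicit rules here.
add chain ip6 filter FORWARD { type filter hook forward priority 0; policy drop; }
# Outbound traffic is not filtered apart from the RH0 drop below.
add chain ip6 filter OUTPUT { type filter hook output priority 0; }

# Regular chains reached via jump.  TCP and UDP are intentionally empty:
# per-service rules such as `add rule ip6 filter TCP tcp dport 80 counter accept`
# belong there.
add chain ip6 filter TCP
add chain ip6 filter UDP
add chain ip6 filter SSH

# Per-source SSH new-connection meters, replacing the ip6tables
# `-m recent --name sshbf` rules that the translation tool could not convert
# (see the SSH chain below).  Token-bucket approximations of the original
# sliding windows: about 3 new connections per 10 s and 20 per 30 min.
add set ip6 filter sshbf_short { type ipv6_addr; size 65535; flags dynamic,timeout; timeout 10s; }
add set ip6 filter sshbf_long { type ipv6_addr; size 65535; flags dynamic,timeout; timeout 30m; }

# Routing header type 0 (RH0) is deprecated by RFC 5095 because it enables
# traffic amplification; drop it in every direction.
add rule ip6 filter INPUT rt type 0 counter drop
add rule ip6 filter OUTPUT rt type 0 counter drop
add rule ip6 filter FORWARD rt type 0 counter drop

# Answer pings at most 30/minute (burst 8); the excess is dropped silently.
add rule ip6 filter INPUT meta l4proto ipv6-icmp icmpv6 type echo-request limit rate 30/minute burst 8 packets counter accept
add rule ip6 filter INPUT meta l4proto ipv6-icmp icmpv6 type echo-request counter drop

# Replies to our own traffic, including related ICMPv6 errors such as
# packet-too-big, which path-MTU discovery depends on.
add rule ip6 filter INPUT ct state related,established counter accept
add rule ip6 filter INPUT iifname lo counter accept

# Neighbor Discovery (RFC 4861) and MLD are not connection-tracked, so they
# never match related,established; without these rules they hit the
# catch-all reject at the end (or, depending on kernel version, the invalid
# drop below) and the host can neither resolve neighbors nor receive router
# advertisements.  ND messages must arrive with hop limit 255 (RFC 4861
# section 7.1), which keeps off-link senders out.  nd-redirect is not
# accepted here; add it only if the host should honour ICMPv6 redirects.
add rule ip6 filter INPUT meta l4proto ipv6-icmp icmpv6 type { nd-router-advert, nd-neighbor-solicit, nd-neighbor-advert } ip6 hoplimit 255 counter accept
# MLD queries come from the link-local address of the querier router; they
# must be answered or MLD-snooping switches stop delivering the
# solicited-node multicast groups that ND itself relies on.
add rule ip6 filter INPUT ip6 saddr fe80::/10 meta l4proto ipv6-icmp icmpv6 type mld-listener-query counter accept

add rule ip6 filter INPUT ct state invalid counter drop

# New SSH connections are vetted by the SSH chain, which ends in accept.
add rule ip6 filter INPUT tcp dport 22 ct state new counter jump SSH

# Original ip6tables SSH chain, kept for reference; iptables-restore-translate
# has no equivalent for -m recent and emitted these three rules as comments,
# which left the SSH chain empty so the jump returned and every SSH
# connection fell through to the final reject (SSH was unreachable).
# -t filter -A SSH -m recent --name sshbf --rttl --rcheck --hitcount 3 --seconds 10 -j DROP
# -t filter -A SSH -m recent --name sshbf --rttl --rcheck --hitcount 20 --seconds 1800 -j DROP
# -t filter -A SSH -m recent --name sshbf --set -j ACCEPT
# nftables equivalent: a source that exceeds either per-address rate is
# dropped, otherwise the new connection is accepted.
add rule ip6 filter SSH add @sshbf_short { ip6 saddr limit rate over 18/minute burst 3 packets } counter drop
add rule ip6 filter SSH add @sshbf_long { ip6 saddr limit rate over 40/hour burst 20 packets } counter drop
add rule ip6 filter SSH counter accept

# Remaining new connections go to the per-protocol service chains.  The TCP
# rule takes pure SYNs only; the flag mask is parenthesised because `&`
# binds tighter than `|` in the nft grammar, so the unparenthesised form
# would not match what was intended.
add rule ip6 filter INPUT meta l4proto udp ct state new counter jump UDP
add rule ip6 filter INPUT tcp flags & (fin|syn|rst|ack) == syn ct state new counter jump TCP

# Everything not accepted above is actively rejected.  For TCP,
# `reject with tcp reset` is the conventional closed-port signal and could be
# used instead of the ICMPv6 admin-prohibited error.
add rule ip6 filter INPUT meta l4proto udp counter reject with icmpv6 type admin-prohibited
add rule ip6 filter INPUT meta l4proto tcp counter reject with icmpv6 type admin-prohibited
add rule ip6 filter INPUT counter reject with icmpv6 type admin-prohibited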