I am trying to set up an nftables rule that adds the source IP if an IP tries to connect to dport ssh multiple times. I am new to nftables, so I am still trying to understand the correct way to write rules. This rule is on a VPS server, so I need to lock down access as much as possible.
table inet firewall {
    set denylist {
        type ipv4_addr
        flags dynamic,timeout
        timeout 60m
    }

    chain inbound_ipv4 {
        # banned sources are dropped first; sessions that are already established
        # were accepted by conntrack in chain inbound, so a ban only hits new connections
        ip saddr @denylist counter drop

        # over the (global, not per-source) limit of 4 new SSH connections per minute:
        # record the source in denylist for the set's default 60m and drop the packet
        tcp dport 22 ct state new,untracked limit rate over 4/minute add @denylist { ip saddr } counter drop
        # within the limit: let the new SSH connection through; without this rule every
        # SSH SYN under the limit falls off the end of the chain into policy drop
        tcp dport 22 ct state new,untracked counter accept

        icmp type echo-request limit rate 2/second accept
        tcp dport 80 counter accept comment "allow http"
        tcp dport 443 counter accept comment "allow https"
    }

    chain inbound_ipv6 {
        # empty: every IPv6 packet not already accepted by conntrack in chain inbound
        # (including ICMPv6 neighbour discovery) ends in policy drop
    }

    chain inbound {
        type filter hook input priority filter; policy drop;
        ct state vmap { invalid : drop, established : accept, related : accept }
        iifname "lo" accept
        meta protocol vmap { ip : jump inbound_ipv4, ip6 : jump inbound_ipv6 }
    }

    chain forward {
        type filter hook forward priority filter; policy drop;
    }
}
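As an added example that is not part of the original post: a small shell helper that writes a ruleset in the shape of the one above, syntax-checks it with `nft -c`, loads it with a background rollback so a wrong rule cannot lock you out of the VPS, and shows how to inspect, extend and clear the denylist by hand. It goes one step beyond the question: the rate limit is tracked per source address in a second dynamic set (`ssh_meter`, my name) rather than in one global bucket, so a single scanner cannot push every legitimate admin over the limit. It assumes nftables 0.9 or newer, root for anything that talks to the kernel, `nc` on the probing host, and placeholder file paths and rollback delay; the function names are mine.

```shell
#!/bin/sh
# Added example (not from the original post). Assumes nftables 0.9+ and root
# for check/load/show/ban/unban; paths, rollback delay and set names are mine.
set -eu

RULESET_FILE="${RULESET_FILE:-${TMPDIR:-/tmp}/firewall.nft}"
ROLLBACK_FILE="${ROLLBACK_FILE:-${TMPDIR:-/tmp}/firewall.rollback.nft}"
ROLLBACK_SECS="${ROLLBACK_SECS:-120}"

# Writes the ruleset and prints its path. ssh_meter holds one token bucket per
# source IP; only a source that exceeds its own 4/minute lands in denylist.
write_ruleset() {
    cat > "$RULESET_FILE" <<'EOF'
flush ruleset

table inet firewall {
    set denylist {
        type ipv4_addr
        flags dynamic,timeout
        timeout 60m
        size 65535
    }

    set ssh_meter {
        type ipv4_addr
        flags dynamic,timeout
        timeout 1m
        size 65535
    }

    chain inbound_ipv4 {
        ip saddr @denylist counter drop
        # new SSH connections from one source beyond 4/minute: ban that source and drop
        tcp dport 22 ct state new add @ssh_meter { ip saddr limit rate over 4/minute } add @denylist { ip saddr } counter drop
        tcp dport 22 ct state new counter accept
        icmp type echo-request limit rate 2/second accept
        tcp dport { 80, 443 } counter accept comment "allow http/https"
    }

    chain inbound_ipv6 {
    }

    chain inbound {
        type filter hook input priority filter; policy drop;
        ct state vmap { invalid : drop, established : accept, related : accept }
        iifname "lo" accept
        meta protocol vmap { ip : jump inbound_ipv4, ip6 : jump inbound_ipv6 }
    }

    chain forward {
        type filter hook forward priority filter; policy drop;
    }
}
EOF
    printf '%s\n' "$RULESET_FILE"
}

# Parse and evaluate without committing. Returns 77 (skip) when it cannot run:
# no nft binary, or not root (nf_tables netlink requires CAP_NET_ADMIN).
check_ruleset() {
    command -v nft >/dev/null 2>&1 || { echo "nft not installed, skipping check" >&2; return 77; }
    [ "$(id -u)" -eq 0 ] || { echo "not root, skipping check" >&2; return 77; }
    nft -c -f "$RULESET_FILE"
}

# Snapshot the live ruleset, arm a background rollback, then load atomically.
# Open a NEW ssh session to confirm access still works, then kill the rollback.
load_ruleset() {
    { echo 'flush ruleset'; nft list ruleset; } > "$ROLLBACK_FILE"
    ( sleep "$ROLLBACK_SECS" && nft -f "$ROLLBACK_FILE" ) &
    rollback_pid=$!
    nft -f "$RULESET_FILE"
    echo "loaded; verify a fresh ssh login works, then: kill $rollback_pid"
}

show_denylist() { nft list set inet firewall denylist; }
ban_ip()        { nft add element inet firewall denylist "{ $1 timeout 10m }"; }
unban_ip()      { nft delete element inet firewall denylist "{ $1 }"; }

# Run from another host: open N new connections to port 22. Past the limit the
# remaining attempts should time out instead of completing the TCP handshake.
probe_ssh() {
    host=$1; n=${2:-6}; i=1
    while [ "$i" -le "$n" ]; do
        if nc -z -w 2 "$host" 22; then echo "attempt $i: accepted"; else echo "attempt $i: blocked"; fi
        i=$((i + 1))
    done
}

case "${1:-}" in
    write) write_ruleset ;;
    check) write_ruleset >/dev/null; check_ruleset ;;
    load)  write_ruleset >/dev/null; check_ruleset; load_ruleset ;;
    show)  show_denylist ;;
    ban)   ban_ip "$2" ;;
    unban) unban_ip "$2" ;;
    probe) probe_ssh "$2" "${3:-6}" ;;
    *)     echo "usage: $0 write|check|load|show|ban IP|unban IP|probe HOST [N]" ;;
esac
```

Typical sequence on the VPS: `./fw.sh check`, then `./fw.sh load`, log in from a second terminal, and only then kill the rollback job it printed; `./fw.sh show` lists banned addresses with their remaining timeout, and `./fw.sh unban 203.0.113.5` clears one you locked out by mistake. Because the denylist drop sits after the conntrack accept in chain `inbound`, a ban never kills a session that is already open, which is usually what you want on a box you administer over SSH.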