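#!/bin/bash
#
# nft.load.standalone.sh
#
# Prepares a host for an nftables ruleset: loads the nf_tables kernel
# modules, applies network sysctls through /proc, and flushes the
# ip/ip6 filter and nat tables.  Presumably a companion script then
# loads the actual rules — nothing in this file adds a single rule.
# Needs root (modprobe, /proc/sys writes, nft).
#
# last modified 2017.06.04
#
set -o nounset
set -o errexit
set -o pipefail
#set -o noclobber
set -o noglob
# Everything below writes to /proc/sys or talks to the kernel; fail
# with a clear message rather than on the first redirect error.
if [[ ${EUID} -ne 0 ]]; then
  printf 'nft.load: must be run as root\n' >&2
  exit 1
fi
# Resolve the tools up front.  A bare NFT=$(which nft) would abort
# under errexit with no message if nft is missing; command -v is the
# portable lookup and the || branch names the missing binary.
NFT=$(command -v nft) || { printf 'nft.load: nft not found in PATH\n' >&2; exit 1; }
MOD=$(command -v modprobe) || { printf 'nft.load: modprobe not found in PATH\n' >&2; exit 1; }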
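# load modules
# Kernel modules the ruleset is expected to need.  The list dates from
# 2017: on newer kernels several of these (the per-family nf_tables_*
# modules, nft_chain_route_ipv6, nft_chain_nat_ipv6) have been merged
# into nf_tables and may no longer exist as separate modules — TODO
# confirm against the target kernel, because a failed modprobe is
# fatal here (errexit) and nothing after this loop runs.
MODS=(
  nf_tables
  nf_tables_ipv4
  nf_tables_ipv6
  nf_tables_inet
  nft_compat
  nft_counter
  nft_ct
  nft_exthdr
  nft_hash
  nft_limit
  nft_log
  nft_meta
  nft_nat
  nft_queue
  nft_rbtree
  nft_reject
  nft_reject_inet
  nft_chain_route_ipv6
  nft_chain_nat_ipv6
)
# Load one module at a time so the failing one is named; the original
# relied on unquoted word-splitting of a string (safe only because of
# noglob) and aborted silently.
for mod in "${MODS[@]}"; do
  "${MOD}" "${mod}" || { printf 'nft.load: modprobe %s failed\n' "${mod}" >&2; exit 1; }
done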
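############################ proc-settings #############################
# Write one value to a /proc/sys knob.  A failed redirect would abort
# under errexit without saying which knob it was; this names it.
# Arguments: $1 - /proc/sys path, $2 - value to write
proc_set() {
  local path=$1 value=$2
  printf '%s\n' "${value}" > "${path}" \
    || { printf 'nft.load: cannot write %s to %s\n' "${value}" "${path}" >&2; exit 1; }
}
### activate forwarding
# NOTE(review): this turns the host into a router for both address
# families.  The only thing between the attached networks is then the
# filter 'forward' chains — and this script flushes those further
# down, so their base-chain policy is what applies until the real
# ruleset is loaded.
proc_set /proc/sys/net/ipv4/ip_forward 1
proc_set /proc/sys/net/ipv6/conf/all/forwarding 1
### ICMP rate limit.  The original comment ("max. 500/second,
### 5/jiffie") describes the old jiffies semantics; current kernel
### docs define icmp_ratelimit as the minimum gap in milliseconds
### between ICMP replies to one destination, so 10 is ~100/s per
### target (0 would disable limiting).
proc_set /proc/sys/net/ipv4/icmp_ratelimit 10
proc_set /proc/sys/net/ipv6/icmp/ratelimit 10
### memory (bytes) and timeout (seconds) for IP de-/fragmentation
proc_set /proc/sys/net/ipv4/ipfrag_high_thresh 262144
proc_set /proc/sys/net/ipv4/ipfrag_low_thresh 196608
proc_set /proc/sys/net/ipv4/ipfrag_time 30
proc_set /proc/sys/net/ipv6/ip6frag_high_thresh 262144
proc_set /proc/sys/net/ipv6/ip6frag_low_thresh 196608
proc_set /proc/sys/net/ipv6/ip6frag_time 30
### shorten FIN_WAIT_2 so half-closed sockets left by a DoS expire sooner
proc_set /proc/sys/net/ipv4/tcp_fin_timeout 30
### tcp_retries1: unacknowledged retransmissions before TCP reports a
### suspected problem to the network layer (route re-check); 3 is the
### kernel default.  The old comment about "answers to a TCP-SYN" was
### wrong — SYN retries are tcp_syn_retries / tcp_synack_retries.
proc_set /proc/sys/net/ipv4/tcp_retries1 3
### tcp_retries2: retransmissions before giving up on an established
### connection (15 is the kernel default)
proc_set /proc/sys/net/ipv4/tcp_retries2 15
### disable source routing (the original wrote these twice; once is enough)
proc_set /proc/sys/net/ipv4/conf/all/accept_source_route 0
proc_set /proc/sys/net/ipv6/conf/all/accept_source_route 0
### ignore bogus icmp_errors
proc_set /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses 1
### do not accept ICMP redirects — a forwarding host must not let a
### neighbour rewrite its routing decisions
proc_set /proc/sys/net/ipv4/conf/all/accept_redirects 0
proc_set /proc/sys/net/ipv6/conf/all/accept_redirects 0
# NOTE(review): only conf/all is set; interfaces created later pick up
# conf/default for these knobs — TODO confirm that is acceptable here.
############################ proc-settings #############################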
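# Flush the rules of the ip/ip6 filter AND nat tables (the original
# comment mentioned only filter).
#
# 'flush table' empties the chains but keeps the table, its chains and
# each base chain's policy.  Until a real ruleset is loaded, traffic —
# including the forwarded traffic the sysctls above just enabled — is
# governed solely by those policies: 'accept' leaves the host and the
# forwarding path wide open, 'drop' makes the host unreachable.
#
# 'add table' is idempotent (no error if the table exists), so the
# flush also succeeds on a fresh boot where the tables are absent.
# The original aborted there under errexit — after forwarding had
# already been switched on.
for spec in 'ip filter' 'ip6 filter' 'ip nat' 'ip6 nat'; do
  # spec is "family table"; split on the single space
  family=${spec%% *}
  table=${spec#* }
  "${NFT}" add table "${family}" "${table}" \
    || { printf 'nft.load: add table %s %s failed\n' "${family}" "${table}" >&2; exit 1; }
  "${NFT}" flush table "${family}" "${table}" \
    || { printf 'nft.load: flush table %s %s failed\n' "${family}" "${table}" >&2; exit 1; }
done
# delete everything in filter
# (kept for reference: these name the chains of the ruleset this script
# prepares for; 'delete' removes the objects outright, whereas the
# flush above only empties them.  Note the unqualified 'filter'/'nat'
# lines default to the ip family.)
# ipv4
#${NFT} delete chain filter my_world_tcpv4
#${NFT} delete chain filter my_world_udpv4
#${NFT} delete chain filter my_world_icmpv4
#${NFT} delete chain filter my_tcpv4
#${NFT} delete chain filter my_udpv4
#${NFT} delete chain filter my_icmpv4
#${NFT} delete chain filter output
#${NFT} delete chain filter forward
#${NFT} delete chain filter input
#${NFT} delete table filter
# ipv6
#${NFT} delete chain ip6 filter my_world_tcpv6
#${NFT} delete chain ip6 filter my_world_udpv6
#${NFT} delete chain ip6 filter my_world_icmpv6
#${NFT} delete chain ip6 filter my_tcpv6
#${NFT} delete chain ip6 filter my_udpv6
#${NFT} delete chain ip6 filter my_icmpv6
#${NFT} delete chain ip6 filter output
#${NFT} delete chain ip6 filter forward
#${NFT} delete chain ip6 filter input
#${NFT} delete table ip6 filter
# delete everything in nat
#${NFT} delete chain nat prerouting
#${NFT} delete chain nat postrouting
#${NFT} delete table nat
exit 0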