Server: Apache
System: Linux pdx1-shared-a1-11 6.6.104-grsec-jammy+ #3 SMP Tue Sep 16 00:28:11 UTC 2025 x86_64
User: mollywopper (10344313)
PHP: 7.4.33
Disabled: NONE
File: //etc/nftables.conf

#!/usr/sbin/nft -f

# Loading this file replaces the entire in-kernel ruleset: every existing table
# is discarded before the single "filter" table below is (re)created.
flush ruleset

table inet filter {

    # Source pool that is always accepted on the public interface (eth1).
    # The original author notes this exists mostly for Machine->Rsync traffic:
    # rsync runs in daemon mode on a random high port bound to the public
    # interface, so no fixed-port rule can cover it.
    # NOTE(review): 127.0.0.1 in a public-interface whitelist only matters if a
    # packet carrying a loopback source ever arrives on eth1 - confirm intent.
    define wl_dh = {
        127.0.0.1,
        66.33.192.0/19,
        205.196.208.0/20,
        64.111.96.0/19,
        67.205.0.0/18,
        75.119.192.0/19,
        69.163.128.0/17,
        208.113.160.0/19,
        208.113.192.0/19,
        208.97.128.0/18,
        208.113.128.0/19,
        173.236.128.0/17,
        64.90.32.0/19,
        107.180.224.0/19,
    }

    # Second always-accepted pool, labelled "data EKS" by the author.
    define wl_dh_eks = {
        44.193.25.197,
        34.237.222.172,
        18.207.133.154,
        3.238.179.3,
        18.207.130.237,
        3.235.250.83,
        34.206.152.150,
        3.239.113.214,
        107.20.105.74,
        54.212.104.5,
        54.213.192.116,
        35.165.188.89,
        44.229.156.44,
        44.238.188.181,
    }

    # Union of both pools above; interval + auto-merge lets the kernel collapse
    # adjacent or overlapping prefixes into ranges.
    set dh_internal {
        type ipv4_addr
        flags interval
        auto-merge
        elements = { $wl_dh, $wl_dh_eks, }
    }

    # Sources allowed to reach the metrics exporters.
    set dh_metrics_ips {
        type ipv4_addr
        flags interval
        elements = { 10.0.0.0/8, 66.33.200.0/25, 66.33.205.224/27, 64.90.62.192/27, 64.90.62.224/27 }
    }

    # Metrics guard. The first rule accepts *any* traffic from the set (not just
    # the exporter ports); everyone else is refused on the three exporter ports
    # and otherwise falls through to the caller.
    chain dh_metrics {
        ip saddr @dh_metrics_ips counter accept
        tcp dport 9100 counter drop
        tcp dport 9633 counter drop
        tcp dport 9598 counter drop
    }

    # Sources allowed to reach the NRPE agent.
    set dh_nrpe_ips {
        type ipv4_addr
        elements = { 66.33.200.4, 208.113.156.25, 10.5.23.122, }
    }

    # NRPE guard, same shape as dh_metrics: set members are accepted wholesale,
    # all other sources are refused on tcp/5666.
    chain dh_nrpe {
        ip saddr @dh_nrpe_ips counter accept
        tcp dport 5666 counter drop
    }

    # Runtime-managed sets. They are empty when this file loads; presumably a
    # tool adds and removes members live (not visible here - verify against
    # whatever maintains them).
    set dh_ban_in4 {
        type ipv4_addr
        flags interval
        auto-merge
    }
    set dh_ban_in6 {
        type ipv6_addr
        flags interval
        auto-merge
    }
    set dh_ban_out4 {
        type ipv4_addr
        flags interval
        auto-merge
    }
    set dh_ban_out6 {
        type ipv6_addr
        flags interval
        auto-merge
    }
    set dh_wl_in4 {
        type ipv4_addr
        flags interval
        auto-merge
    }
    set dh_wl_out4 {
        type ipv4_addr
        flags interval
        auto-merge
    }

    # Fixed port drops for public-interface traffic that nothing earlier
    # accepted: SMTP, portmapper and DNS on both transports, plus IPv4 TCP
    # segments advertising a tiny MSS (the "ip protocol" match is IPv4-only,
    # so IPv6 TCP is not covered by that last rule).
    chain dh-explicit-drop {
        tcp dport 25 counter drop
        tcp dport 111 counter drop
        tcp dport 53 counter drop
        udp dport 25 counter drop
        udp dport 111 counter drop
        udp dport 53 counter drop
        ip protocol tcp tcp option maxseg size 1-500 counter drop
    }

    # Default-accept input: anything that reaches the end of this chain without
    # hitting a drop is allowed in.
    chain input {
        type filter hook input priority 0; policy accept;

        # Conntrack first: invalid packets are dropped, existing flows pass.
        # Because this precedes the ban lookups, adding a source to dh_ban_in4
        # or dh_ban_in6 does not interrupt connections it already has open.
        ct state vmap { invalid : drop, established : accept, related : accept }

        # No interface guard on these jumps, so both service chains see traffic
        # from every interface, loopback included; a local connect from
        # 127.0.0.1 to tcp/9100 or tcp/5666 is dropped because 127.0.0.1 is in
        # neither set - confirm that is intended.
        jump dh_nrpe
        jump dh_metrics

        # Public interface: the two accept rules run before the two ban rules,
        # so a whitelisted source can never be banned here.
        iifname eth1 ip saddr @dh_internal counter accept
        iifname eth1 ip saddr @dh_wl_in4 counter accept
        iifname eth1 ip saddr @dh_ban_in4 counter drop
        iifname eth1 ip6 saddr @dh_ban_in6 counter drop

        # Remaining public traffic still gets the fixed port drops.
        iifname eth1 counter jump dh-explicit-drop
    }

    # Default-accept output; mirrors the input whitelist-before-ban ordering on
    # destination addresses.
    chain output {
        type filter hook output priority 0; policy accept;
        oifname eth1 ip daddr @dh_internal counter accept
        oifname eth1 ip daddr @dh_wl_out4 counter accept
        oifname eth1 ip daddr @dh_ban_out4 counter drop
        oifname eth1 ip6 daddr @dh_ban_out6 counter drop
    }
}