Feature: NTM open SMTP + add rate limit fn & [DOCs/operators]: Release updates niolo (#6317)

* initialise smtp rate limit

* simplify

* remove duplicate hooks

* fix ordering

* ntm finalized

* add changelog for niolo

* bump up version

* correct nym buy info

* update stats

* fix typo

* fix typo

* ready to merge

* PR finished
import this
2026-01-15 10:09:59 +00:00
committed by GitHub
parent 8a00ed6071
commit 877d4d68c9
16 changed files with 162 additions and 32 deletions
@@ -487,6 +487,25 @@ configure_dns_and_icmp_wg() {
ok "dns and icmp configuration completed"
}
apply_smtps_465_rate_limit() {
info "adding SMTPS tcp/465 rules with rate limiting to ${NYM_CHAIN}"
# IPv4
iptables -A "$NYM_CHAIN" -p tcp --dport 465 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
iptables -A "$NYM_CHAIN" -p tcp --dport 465 -m conntrack --ctstate NEW -m hashlimit \
--hashlimit-upto 30/min --hashlimit-burst 60 --hashlimit-mode srcip --hashlimit-name smtps465v4 -j ACCEPT
iptables -A "$NYM_CHAIN" -p tcp --dport 465 -m conntrack --ctstate NEW -j REJECT --reject-with tcp-reset
# IPv6
ip6tables -A "$NYM_CHAIN" -p tcp --dport 465 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
ip6tables -A "$NYM_CHAIN" -p tcp --dport 465 -m conntrack --ctstate NEW -m hashlimit \
--hashlimit-upto 30/min --hashlimit-burst 60 --hashlimit-mode srcip --hashlimit-name smtps465v6 -j ACCEPT
ip6tables -A "$NYM_CHAIN" -p tcp --dport 465 -m conntrack --ctstate NEW -j REJECT --reject-with tcp-reset
ok "SMTPS tcp/465 installed: NEW <= 30/min burst 60 per srcip; overflow rejected; ESTABLISHED allowed"
}
###############################################################################
# part 2: wireguard exit policy manager
###############################################################################
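Review bot: The ip6tables hashlimit rule keys its bucket on the full 128-bit source address (`--hashlimit-mode srcip` with no `--hashlimit-srcmask`), so an IPv6 client that holds a whole /64 gets a fresh 30/min allowance for every address it picks from it; adding `--hashlimit-srcmask 64` to the ip6tables `-m hashlimit` line keys the bucket per /64, which is the usual per-host granularity for v6. The function would also benefit from a header comment stating the policy it installs, e.g. `# open SMTPS tcp/465 for WG clients: NEW <= 30/min (burst 60) per source, overflow rejected with tcp-reset, RELATED/ESTABLISHED always accepted`. Whether a failing iptables/ip6tables call here aborts the run depends on the `set` options in the file header, which are outside this hunk.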
@@ -527,6 +546,7 @@ exit_policy_install_deps() {
create_nym_chain() {
info "creating nym exit policy chain $NYM_CHAIN"
# create/flush chain
if iptables -S "$NYM_CHAIN" >/dev/null 2>&1; then
iptables -F "$NYM_CHAIN"
else
@@ -539,15 +559,25 @@ create_nym_chain() {
ip6tables -N "$NYM_CHAIN"
fi
if ! iptables -C FORWARD -i "$WG_INTERFACE" -o "$NETWORK_DEVICE" -j "$NYM_CHAIN" 2>/dev/null; then
iptables -I FORWARD 1 -i "$WG_INTERFACE" -o "$NETWORK_DEVICE" -j "$NYM_CHAIN"
fi
# remove *all* FORWARD -> NYM-EXIT jumps
while read -r rule; do
spec="${rule#-A FORWARD }"
iptables -D FORWARD $spec 2>/dev/null || true
done < <(iptables -S FORWARD | grep -F " -j $NYM_CHAIN" || true)
if ! ip6tables -C FORWARD -i "$WG_INTERFACE" -o "$NETWORK_DEVICE" -j "$NYM_CHAIN" 2>/dev/null; then
ip6tables -I FORWARD 1 -i "$WG_INTERFACE" -o "$NETWORK_DEVICE" -j "$NYM_CHAIN"
fi
while read -r rule; do
spec="${rule#-A FORWARD }"
ip6tables -D FORWARD $spec 2>/dev/null || true
done < <(ip6tables -S FORWARD | grep -F " -j $NYM_CHAIN" || true)
# add the single correct hook
iptables -I FORWARD 1 -i "$WG_INTERFACE" -o "$NETWORK_DEVICE" -j "$NYM_CHAIN"
ip6tables -I FORWARD 1 -i "$WG_INTERFACE" -o "$NETWORK_DEVICE" -j "$NYM_CHAIN"
ok "NYM-EXIT chain ready + single FORWARD hook installed"
}
setup_nat_rules() {
info "setting up nat and forwarding rules for $WG_INTERFACE via $NETWORK_DEVICE"
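Review bot: Both `-D FORWARD $spec` lines silence every failure with `2>/dev/null || true`, so a jump that cannot be deleted (for instance a rule whose `iptables -S` spec carries a quoted `--comment` that the unquoted `$spec` splits into wrong arguments) stays in FORWARD, and the unconditional `-I FORWARD 1` that follows then leaves two hooks while `ok` still reports a single one. After the two inserts, count and report instead of assuming: `hooks=$(iptables -S FORWARD | grep -c -F -- " -j $NYM_CHAIN" || true)` followed by `[[ "$hooks" == 1 ]] || printf 'warning: %s FORWARD hooks to %s\n' "$hooks" "$NYM_CHAIN" >&2`, with the same check for ip6tables. The word-splitting of `$spec` is intentional and should say so, `# shellcheck disable=SC2086 -- rule spec must be split into iptables arguments` above each `-D`. The fixed-string filter ` -j $NYM_CHAIN` also matches any chain whose name merely begins with the same characters, so a stricter match such as `grep -E -- " -j ${NYM_CHAIN}( |$)"` avoids deleting a sibling chain's hooks.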
@@ -616,6 +646,8 @@ apply_port_allowlist() {
["HTTPS"]="443"
["SMBWindowsFileShare"]="445"
["Kpasswd"]="464"
# this port is opened and rate limited in apply_smtps_465_rate_limit
# ["SMTP"]="465"
["RTSP"]="554"
["SMTPSubmission"]="587"
["LDAPS"]="636"
@@ -1178,6 +1210,7 @@ exit_policy_install() {
create_nym_chain
setup_nat_rules
apply_port_allowlist
apply_smtps_465_rate_limit
apply_spamhaus_blocklist
add_default_reject_rule
save_iptables_rules