From 7b64ffd4cda4fb3b4c56bd97843bfd7137e43433 Mon Sep 17 00:00:00 2001
From: Daniel Micay
Date: Sun, 24 Mar 2024 15:22:00 -0400
Subject: [PATCH] simplify nftables based on strong host model
---
 nftables-attestation.conf | 3 +--
 nftables-discuss.conf | 7 ++++---
 nftables-mail.conf | 3 +--
 nftables-matrix.conf | 3 +--
 nftables-network.conf | 6 ++----
 nftables-ns1.conf | 6 ++----
 nftables-ns2.conf | 11 +++++------
 nftables-social.conf | 3 +--
 nftables-web.conf | 3 +--
 9 files changed, 18 insertions(+), 27 deletions(-)
diff --git a/nftables-attestation.conf b/nftables-attestation.conf
index 08342d3..4299ff6 100644
--- a/nftables-attestation.conf
+++ b/nftables-attestation.conf
@@ -31,8 +31,7 @@ table inet filter {
 policy drop
 iif lo accept
- tcp dport {22, 80, 443} ip daddr {{ipv4_address}} accept
- tcp dport {22, 80, 443} ip6 daddr {{ipv6_address}} accept
+ tcp dport {22, 80, 443} accept
 meta l4proto {icmp, ipv6-icmp} accept
 ct state vmap { invalid : drop, established : accept, related : accept }
diff --git a/nftables-discuss.conf b/nftables-discuss.conf
index 4091471..536e6ae 100644
--- a/nftables-discuss.conf
+++ b/nftables-discuss.conf
@@ -14,6 +14,9 @@ table inet filter {
 # drop packets to address not configured on incoming interface (strong host model)
 fib daddr . iif type != { local, broadcast, multicast } counter drop
+ # IPv6 interacts badly with IP-based spam filtering
+ meta nfproto ipv6 tcp dport {22, 80, 443} reject with tcp reset
+
 tcp dport {22, 80, 443} notrack accept
 meta l4proto {icmp, ipv6-icmp} notrack accept
@@ -31,9 +34,7 @@ table inet filter {
 policy drop
 iif lo accept
- tcp dport {22, 80, 443} ip daddr {{ipv4_address}} accept
- # IPv6 interacts badly with IP-based spam filtering
- #tcp dport {22, 80, 443} ip6 daddr {{ipv6_address}} accept
+ tcp dport {22, 80, 443} accept
 meta l4proto {icmp, ipv6-icmp} accept
 ct state vmap { invalid : drop, established : accept, related : accept }
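Review bot: The new unconditional `tcp dport {22, 80, 443} accept` admits SSH and HTTP(S) on every address configured on the host — IPv6 link-local addresses and any secondary or provisioning addresses included — whereas the removed lines pinned those ports to the single templated `{{ipv4_address}}`/`{{ipv6_address}}`. The `fib daddr . iif type` rule the commit relies on (visible in the discuss and ns2 prerouting hunks, not in this file's hunk) checks only the address type, so it does not restore that one-address binding. If accepting on every local address is intended, say so where the old match used to be: `# accepted on any locally configured address; strong host model is enforced by the fib rule in the prerouting chain`; otherwise keep the daddr match. The identical hunks in nftables-mail.conf, nftables-matrix.conf, nftables-social.conf and nftables-web.conf have the same effect. The enclosing input chain starts before this hunk.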
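Review bot: The added `meta nfproto ipv6 tcp dport {22, 80, 443} reject with tcp reset` changes the IPv6 behaviour of this host from a silent drop (the input chain's `policy drop` with the v6 accept commented out) to an active TCP RST, which makes dual-stack clients fall back to IPv4 immediately but also confirms the host is listening on those ports over v6. If that trade-off is intended the comment carried over from the input chain should say so: `# IPv6 interacts badly with IP-based spam filtering: reset v6 connections so dual-stack clients fall back to IPv4 instead of timing out`. It is also worth confirming that `reject` is accepted in this prerouting-hook chain on the deployed kernel and nft version; older kernels only allowed it from input, forward and output hooks, and a load failure here would leave the host with no ruleset. The enclosing prerouting chain starts before this hunk.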
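Review bot: `tcp dport {22, 80, 443} accept` in the input chain is now protocol-agnostic, so the IPv6 exclusion this file wants (the removed `#tcp dport {22, 80, 443} ip6 daddr` line was deliberately commented out) depends entirely on the reject rule in the prerouting chain of the earlier hunk; if that chain is flushed, reordered, or the rule is dropped, v6 traffic to those ports is accepted here without any trace. Keep the input chain self-sufficient by scoping the accept: `meta nfproto ipv4 tcp dport {22, 80, 443} accept`, which preserves the strong-host-model simplification while keeping the v6 policy in both places. The enclosing input chain starts before this hunk.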
diff --git a/nftables-mail.conf b/nftables-mail.conf
index 9c0d302..d42bcc9 100644
--- a/nftables-mail.conf
+++ b/nftables-mail.conf
@@ -31,8 +31,7 @@ table inet filter {
 policy drop
 iif lo accept
- tcp dport {22, 25, 80, 443, 465, 993} ip daddr {{ipv4_address}} accept
- tcp dport {22, 25, 80, 443, 465, 993} ip6 daddr {{ipv6_address}} accept
+ tcp dport {22, 25, 80, 443, 465, 993} accept
 meta l4proto {icmp, ipv6-icmp} accept
 ct state vmap { invalid : drop, established : accept, related : accept }
diff --git a/nftables-matrix.conf b/nftables-matrix.conf
index 35c063d..d904776 100644
--- a/nftables-matrix.conf
+++ b/nftables-matrix.conf
@@ -31,8 +31,7 @@ table inet filter {
 policy drop
 iif lo accept
- tcp dport {22, 80, 443} ip daddr {{ipv4_address}} accept
- tcp dport {22, 80, 443} ip6 daddr {{ipv6_address}} accept
+ tcp dport {22, 80, 443} accept
 meta l4proto {icmp, ipv6-icmp} accept
 ct state vmap { invalid : drop, established : accept, related : accept }
diff --git a/nftables-network.conf b/nftables-network.conf
index 7eb49f6..b940897 100644
--- a/nftables-network.conf
+++ b/nftables-network.conf
@@ -33,10 +33,8 @@ table inet filter {
 policy drop
 iif lo accept
- tcp dport {22, 80, 443, 7275} ip daddr {{ipv4_address}} accept
- tcp dport {22, 80, 443, 7275} ip6 daddr {{ipv6_address}} accept
- udp dport 123 ip daddr {{ipv4_address}} accept
- udp dport 123 ip6 daddr {{ipv6_address}} accept
+ tcp dport {22, 80, 443, 7275} accept
+ udp dport 123 accept
 meta l4proto {icmp, ipv6-icmp} accept
 ct state vmap { invalid : drop, established : accept, related : accept }
diff --git a/nftables-ns1.conf b/nftables-ns1.conf
index ad69b99..85be323 100644
--- a/nftables-ns1.conf
+++ b/nftables-ns1.conf
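Review bot: `udp dport 123 accept` no longer carries a destination-address match, and the strong-host-model rule the commit depends on (shown in the discuss and ns2 prerouting hunks, presumably present in this file too) explicitly lets `broadcast` and `multicast` destinations through, so NTP datagrams sent to a broadcast or multicast address now reach the daemon where the removed lines only accepted the host's own unicast addresses. Whether that matters depends on what the NTP service binds to, which is not visible here; if it should stay unicast-only, keep the restriction without reintroducing the templated addresses: `udp dport 123 fib daddr type local accept`. The TCP accept on the previous line has the same shape, but a TCP handshake cannot complete to a non-unicast destination, so only the UDP rule needs the guard. The enclosing input chain starts before this hunk.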
@@ -33,10 +33,8 @@ table inet filter {
 policy drop
 iif lo accept
- udp dport 53 ip daddr {{ipv4_address}} accept
- udp dport 53 ip6 daddr {{ipv6_address}} accept
- tcp dport {22, 53, 80, 443, 853} ip daddr {{ipv4_address}} accept
- tcp dport {22, 53, 80, 443, 853} ip6 daddr {{ipv6_address}} accept
+ udp dport 53 accept
+ tcp dport {22, 53, 80, 443, 853} accept
 meta l4proto {icmp, ipv6-icmp} accept
 ct state vmap { invalid : drop, established : accept, related : accept }
diff --git a/nftables-ns2.conf b/nftables-ns2.conf
index 15e7f12..3178e19 100644
--- a/nftables-ns2.conf
+++ b/nftables-ns2.conf
@@ -14,6 +14,9 @@ table inet filter {
 # drop packets to address not configured on incoming interface (strong host model)
 fib daddr . iif type != { local, broadcast, multicast } counter drop
+ # reject SSH packets via anycast IP
+ tcp dport 22 ip daddr 198.251.90.93 reject with tcp reset
+
 udp dport 53 notrack accept
 tcp dport {22, 53, 80, 443, 853} notrack accept
 meta l4proto {icmp, ipv6-icmp} notrack accept
@@ -33,12 +36,8 @@ table inet filter {
 policy drop
 iif lo accept
- udp dport 53 ip daddr {{ipv4_address}} accept
- udp dport 53 ip daddr 198.251.90.93 accept
- udp dport 53 ip6 daddr {{ipv6_address}} accept
- tcp dport {22, 53, 80, 443, 853} ip daddr {{ipv4_address}} accept
- tcp dport {53, 80, 443, 853} ip daddr 198.251.90.93 accept
- tcp dport {22, 53, 80, 443, 853} ip6 daddr {{ipv6_address}} accept
+ udp dport 53 accept
+ tcp dport {22, 53, 80, 443, 853} accept
 meta l4proto {icmp, ipv6-icmp} accept
 ct state vmap { invalid : drop, established : accept, related : accept }
diff --git a/nftables-social.conf b/nftables-social.conf
index 74b2eed..7d5e86a 100644
--- a/nftables-social.conf
+++ b/nftables-social.conf
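Review bot: `udp dport 53 accept` now matches DNS to any destination the host will deliver locally, and the `fib daddr . iif type != { local, broadcast, multicast }` rule this commit relies on (visible in the ns2 hunk, not in this file's) deliberately passes broadcast and multicast destinations, so subnet-broadcast or multicast DNS queries are no longer excluded by the firewall as they were by the removed `ip daddr {{ipv4_address}}` match. For an authoritative server that is exactly the kind of reflected-query traffic worth keeping out; `udp dport 53 fib daddr type local accept` keeps the simplification without the widening. The TCP accept does not need the same guard, since a handshake cannot complete to a non-unicast address. The enclosing input chain starts before this hunk.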
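Review bot: The new `tcp dport 22 ip daddr 198.251.90.93 reject with tcp reset` is now the only thing keeping SSH off the anycast address, because the input chain in the next hunk accepts port 22 for every local address where the removed `tcp dport {53, 80, 443, 853} ip daddr 198.251.90.93 accept` excluded it by omission, and that makes this rule's position ahead of the `notrack accept` lines load-bearing. The comment should make that explicit, e.g. `# reject SSH via the anycast IP: the input chain accepts port 22 on every local address, so this must stay ahead of the notrack accepts`. Note also that the switch from a silent drop to a TCP RST is visible to probers and that only the IPv4 anycast address is covered; if this host also serves anycast over IPv6, nothing here excludes SSH on it. The enclosing prerouting chain starts before this hunk.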
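Review bot: `tcp dport {22, 53, 80, 443, 853} accept` accepts SSH on the anycast address 198.251.90.93 unless the prerouting reject from the earlier hunk fires first, so a reorder or accidental removal of that one prerouting rule silently exposes SSH on the anycast IP. Add the exclusion in the input chain as well so each chain is correct on its own: `tcp dport 22 ip daddr 198.251.90.93 drop` placed immediately before the accept. The `udp dport 53 accept` line has the same broadcast/multicast widening as in ns1, since the fib rule above passes those destination types; `udp dport 53 fib daddr type local accept` restores the unicast-only behaviour of the removed lines. The enclosing input chain starts before this hunk.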
@@ -31,8 +31,7 @@ table inet filter {
 policy drop
 iif lo accept
- tcp dport {22, 80, 443} ip daddr {{ipv4_address}} accept
- tcp dport {22, 80, 443} ip6 daddr {{ipv6_address}} accept
+ tcp dport {22, 80, 443} accept
 meta l4proto {icmp, ipv6-icmp} accept
 ct state vmap { invalid : drop, established : accept, related : accept }
diff --git a/nftables-web.conf b/nftables-web.conf
index b0104cf..40338cf 100644
--- a/nftables-web.conf
+++ b/nftables-web.conf
@@ -31,8 +31,7 @@ table inet filter {
 policy drop
 iif lo accept
- tcp dport {22, 80, 443} ip daddr {{ipv4_address}} accept
- tcp dport {22, 80, 443} ip6 daddr {{ipv6_address}} accept
+ tcp dport {22, 80, 443} accept
 meta l4proto {icmp, ipv6-icmp} accept
 ct state vmap { invalid : drop, established : accept, related : accept }