simplify nftables based on strong host model

Daniel Micay 2024-03-24 15:22:00 -04:00
parent 59984a477c
commit 7b64ffd4cd
9 changed files with 18 additions and 27 deletions


@ -31,8 +31,7 @@ table inet filter {
policy drop policy drop
iif lo accept iif lo accept
tcp dport {22, 80, 443} ip daddr {{ipv4_address}} accept tcp dport {22, 80, 443} accept
tcp dport {22, 80, 443} ip6 daddr {{ipv6_address}} accept
meta l4proto {icmp, ipv6-icmp} accept meta l4proto {icmp, ipv6-icmp} accept
ct state vmap { invalid : drop, established : accept, related : accept } ct state vmap { invalid : drop, established : accept, related : accept }
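Review bot: Removing `ip daddr {{ipv4_address}}` / `ip6 daddr {{ipv6_address}}` from the accept rule on the third line of the hunk means the input chain now accepts these ports on every address the incoming interface holds, which in practice includes IPv6 link-local addresses, and its safety rests entirely on the `fib daddr . iif type != { local, broadcast, multicast } counter drop` rule in the other chain (visible in the `-14` hunks further down this page, presumably a prerouting chain given its `notrack accept` rules). Nothing in the input chain records that dependency, so a maintainer trimming the other chain would silently widen exposure; a one-line comment above the accept rule, `# daddr is already limited to this interface's addresses by the fib rule in the chain above (strong host model)`, would make the coupling explicit. The same applies to the identical `-31` / `-33` hunks in the other file sections on this page. The enclosing chain block starts and ends outside the hunk.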


@ -14,6 +14,9 @@ table inet filter {
# drop packets to address not configured on incoming interface (strong host model) # drop packets to address not configured on incoming interface (strong host model)
fib daddr . iif type != { local, broadcast, multicast } counter drop fib daddr . iif type != { local, broadcast, multicast } counter drop
# IPv6 interacts badly with IP-based spam filtering
meta nfproto ipv6 tcp dport {22, 80, 443} reject with tcp reset
tcp dport {22, 80, 443} notrack accept tcp dport {22, 80, 443} notrack accept
meta l4proto {icmp, ipv6-icmp} notrack accept meta l4proto {icmp, ipv6-icmp} notrack accept
} }
@ -31,9 +34,7 @@ table inet filter {
policy drop policy drop
iif lo accept iif lo accept
tcp dport {22, 80, 443} ip daddr {{ipv4_address}} accept tcp dport {22, 80, 443} accept
# IPv6 interacts badly with IP-based spam filtering
#tcp dport {22, 80, 443} ip6 daddr {{ipv6_address}} accept
meta l4proto {icmp, ipv6-icmp} accept meta l4proto {icmp, ipv6-icmp} accept
ct state vmap { invalid : drop, established : accept, related : accept } ct state vmap { invalid : drop, established : accept, related : accept }
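Review bot: The IPv6 exclusion for ports 22/80/443 moves from a commented-out input rule (so IPv6 fell through to `policy drop`) to `meta nfproto ipv6 tcp dport {22, 80, 443} reject with tcp reset` in the earlier chain, which changes the externally visible behaviour from silent drop to an active TCP reset for every IPv6 source; worth confirming that is intended rather than a side effect of the simplification. It also means the new protocol-agnostic `tcp dport {22, 80, 443} accept` in this hunk admits IPv6 the moment that reject rule is edited away, so a comment next to it, `# IPv6 to these ports is rejected in the chain above; this rule is reached for IPv4 only`, would preserve the intent the removed `#tcp dport ... ip6 daddr` line used to carry. Using `reject` in a chain hooked before input also depends on kernel support for reject outside the input/forward/output hooks, so the ruleset should be load-tested on the oldest kernel in use. The chain block starts and ends outside the hunk.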


@ -31,8 +31,7 @@ table inet filter {
policy drop policy drop
iif lo accept iif lo accept
tcp dport {22, 25, 80, 443, 465, 993} ip daddr {{ipv4_address}} accept tcp dport {22, 25, 80, 443, 465, 993} accept
tcp dport {22, 25, 80, 443, 465, 993} ip6 daddr {{ipv6_address}} accept
meta l4proto {icmp, ipv6-icmp} accept meta l4proto {icmp, ipv6-icmp} accept
ct state vmap { invalid : drop, established : accept, related : accept } ct state vmap { invalid : drop, established : accept, related : accept }


@ -31,8 +31,7 @@ table inet filter {
policy drop policy drop
iif lo accept iif lo accept
tcp dport {22, 80, 443} ip daddr {{ipv4_address}} accept tcp dport {22, 80, 443} accept
tcp dport {22, 80, 443} ip6 daddr {{ipv6_address}} accept
meta l4proto {icmp, ipv6-icmp} accept meta l4proto {icmp, ipv6-icmp} accept
ct state vmap { invalid : drop, established : accept, related : accept } ct state vmap { invalid : drop, established : accept, related : accept }


@ -33,10 +33,8 @@ table inet filter {
policy drop policy drop
iif lo accept iif lo accept
tcp dport {22, 80, 443, 7275} ip daddr {{ipv4_address}} accept tcp dport {22, 80, 443, 7275} accept
tcp dport {22, 80, 443, 7275} ip6 daddr {{ipv6_address}} accept udp dport 123 accept
udp dport 123 ip daddr {{ipv4_address}} accept
udp dport 123 ip6 daddr {{ipv6_address}} accept
meta l4proto {icmp, ipv6-icmp} accept meta l4proto {icmp, ipv6-icmp} accept
ct state vmap { invalid : drop, established : accept, related : accept } ct state vmap { invalid : drop, established : accept, related : accept }


@ -33,10 +33,8 @@ table inet filter {
policy drop policy drop
iif lo accept iif lo accept
udp dport 53 ip daddr {{ipv4_address}} accept udp dport 53 accept
udp dport 53 ip6 daddr {{ipv6_address}} accept tcp dport {22, 53, 80, 443, 853} accept
tcp dport {22, 53, 80, 443, 853} ip daddr {{ipv4_address}} accept
tcp dport {22, 53, 80, 443, 853} ip6 daddr {{ipv6_address}} accept
meta l4proto {icmp, ipv6-icmp} accept meta l4proto {icmp, ipv6-icmp} accept
ct state vmap { invalid : drop, established : accept, related : accept } ct state vmap { invalid : drop, established : accept, related : accept }


@ -14,6 +14,9 @@ table inet filter {
# drop packets to address not configured on incoming interface (strong host model) # drop packets to address not configured on incoming interface (strong host model)
fib daddr . iif type != { local, broadcast, multicast } counter drop fib daddr . iif type != { local, broadcast, multicast } counter drop
# reject SSH packets via anycast IP
tcp dport 22 ip daddr 198.251.90.93 reject with tcp reset
udp dport 53 notrack accept udp dport 53 notrack accept
tcp dport {22, 53, 80, 443, 853} notrack accept tcp dport {22, 53, 80, 443, 853} notrack accept
meta l4proto {icmp, ipv6-icmp} notrack accept meta l4proto {icmp, ipv6-icmp} notrack accept
@ -33,12 +36,8 @@ table inet filter {
policy drop policy drop
iif lo accept iif lo accept
udp dport 53 ip daddr {{ipv4_address}} accept udp dport 53 accept
udp dport 53 ip daddr 198.251.90.93 accept tcp dport {22, 53, 80, 443, 853} accept
udp dport 53 ip6 daddr {{ipv6_address}} accept
tcp dport {22, 53, 80, 443, 853} ip daddr {{ipv4_address}} accept
tcp dport {53, 80, 443, 853} ip daddr 198.251.90.93 accept
tcp dport {22, 53, 80, 443, 853} ip6 daddr {{ipv6_address}} accept
meta l4proto {icmp, ipv6-icmp} accept meta l4proto {icmp, ipv6-icmp} accept
ct state vmap { invalid : drop, established : accept, related : accept } ct state vmap { invalid : drop, established : accept, related : accept }
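Review bot: The anycast carve-out is now expressed only for IPv4 (`tcp dport 22 ip daddr 198.251.90.93 reject with tcp reset` in the first hunk), while the removed input rules limited SSH on IPv6 to `ip6 daddr {{ipv6_address}}`; after this change the input chain accepts port 22 on every local IPv6 address, so if the anycast service also has an IPv6 address, SSH becomes reachable through it where it was not before. If such an address exists it needs a matching `ip6 daddr` reject, and either way a comment such as `# anycast is IPv4-only; SSH on it is rejected in the chain above` would record the assumption. As in the other sections, the rejected traffic was previously silently dropped by policy and now receives a TCP reset. The literal `198.251.90.93` also sits beside templated `{{ipv4_address}}` values; a template variable for the anycast address would keep the file consistent and avoid a stale hard-coded address after renumbering. The chain block starts and ends outside the hunk.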


@ -31,8 +31,7 @@ table inet filter {
policy drop policy drop
iif lo accept iif lo accept
tcp dport {22, 80, 443} ip daddr {{ipv4_address}} accept tcp dport {22, 80, 443} accept
tcp dport {22, 80, 443} ip6 daddr {{ipv6_address}} accept
meta l4proto {icmp, ipv6-icmp} accept meta l4proto {icmp, ipv6-icmp} accept
ct state vmap { invalid : drop, established : accept, related : accept } ct state vmap { invalid : drop, established : accept, related : accept }


@ -31,8 +31,7 @@ table inet filter {
policy drop policy drop
iif lo accept iif lo accept
tcp dport {22, 80, 443} ip daddr {{ipv4_address}} accept tcp dport {22, 80, 443} accept
tcp dport {22, 80, 443} ip6 daddr {{ipv6_address}} accept
meta l4proto {icmp, ipv6-icmp} accept meta l4proto {icmp, ipv6-icmp} accept
ct state vmap { invalid : drop, established : accept, related : accept } ct state vmap { invalid : drop, established : accept, related : accept }