From 8f047de0c3be1fda3c8d4b651c54cb50a7e50c07 Mon Sep 17 00:00:00 2001
From: Daniel Micay
Date: Thu, 11 Apr 2024 10:19:39 -0400
Subject: [PATCH] nftables: explain synproxy untracked/invalid cases

---
 nftables-attestation.conf | 2 ++
 nftables-discuss.conf | 2 ++
 nftables-mail.conf | 2 ++
 nftables-matrix.conf | 2 ++
 nftables-network.conf | 2 ++
 nftables-ns1.conf | 2 ++
 nftables-ns2.conf | 2 ++
 nftables-social.conf | 2 ++
 nftables-web.conf | 2 ++
 9 files changed, 18 insertions(+)

diff --git a/nftables-attestation.conf b/nftables-attestation.conf
index 405302e..ff2340d 100644
--- a/nftables-attestation.conf
+++ b/nftables-attestation.conf
@@ -57,6 +57,8 @@ table inet filter {
 iif lo goto input-loopback
 meta l4proto { icmp, ipv6-icmp } accept
+
+ # for synproxy, SYN is untracked and first ACK is invalid which are handled via fallthrough
 ct state vmap { new : goto input-new, established : goto input-established, related : accept }
 tcp dport 22 ip saddr @ip-connlimit-ssh counter reject with tcp reset
diff --git a/nftables-discuss.conf b/nftables-discuss.conf
index c71ca31..64677e7 100644
--- a/nftables-discuss.conf
+++ b/nftables-discuss.conf
@@ -57,6 +57,8 @@ table inet filter {
 iif lo goto input-loopback
 meta l4proto { icmp, ipv6-icmp } accept
+
+ # for synproxy, SYN is untracked and first ACK is invalid which are handled via fallthrough
 ct state vmap { new : goto input-new, established : goto input-established, related : accept }
 tcp dport 22 ip saddr @ip-connlimit-ssh counter reject with tcp reset
diff --git a/nftables-mail.conf b/nftables-mail.conf
index 57e8c2a..edd56fd 100644
--- a/nftables-mail.conf
+++ b/nftables-mail.conf
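Review bot: The added comment above the `ct state vmap` line says the untracked SYN and the invalid first ACK are "handled via fallthrough" but does not say where they land or what they depend on; the rules that catch them are below the hunk, outside what is visible here, and a reader cannot tell from the vmap line that the absence of `untracked` and `invalid` entries is deliberate. I would make the dependency explicit in the comment, e.g. `# synproxy: the initial SYN arrives untracked and the handshake-completing ACK is ct state invalid; neither has a vmap entry, so both fall through to the synproxy rules later in this chain — any generic "ct state invalid drop" must stay after those rules`, hedging the ordering claim if the chain below has no such rule. The identical comment is added to nftables-discuss.conf, nftables-mail.conf, nftables-matrix.conf, nftables-network.conf, nftables-ns1.conf, nftables-ns2.conf, nftables-social.conf and nftables-web.conf; with nine chains sharing this rule block verbatim, a single included fragment would keep the explanation and the rule order from drifting between hosts.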
@@ -57,6 +57,8 @@ table inet filter {
 iif lo goto input-loopback
 meta l4proto { icmp, ipv6-icmp } accept
+
+ # for synproxy, SYN is untracked and first ACK is invalid which are handled via fallthrough
 ct state vmap { new : goto input-new, established : goto input-established, related : accept }
 tcp dport 22 ip saddr @ip-connlimit-ssh counter reject with tcp reset
diff --git a/nftables-matrix.conf b/nftables-matrix.conf
index 616eaca..7a81d23 100644
--- a/nftables-matrix.conf
+++ b/nftables-matrix.conf
@@ -57,6 +57,8 @@ table inet filter {
 iif lo goto input-loopback
 meta l4proto { icmp, ipv6-icmp } accept
+
+ # for synproxy, SYN is untracked and first ACK is invalid which are handled via fallthrough
 ct state vmap { new : goto input-new, established : goto input-established, related : accept }
 tcp dport 22 ip saddr @ip-connlimit-ssh counter reject with tcp reset
diff --git a/nftables-network.conf b/nftables-network.conf
index 6b4b6b1..f343d55 100644
--- a/nftables-network.conf
+++ b/nftables-network.conf
@@ -61,6 +61,8 @@ table inet filter {
 iif lo goto input-loopback
 udp dport 123 accept
 meta l4proto { icmp, ipv6-icmp } accept
+
+ # for synproxy, SYN is untracked and first ACK is invalid which are handled via fallthrough
 ct state vmap { new : goto input-new, established : goto input-established, related : accept }
 tcp dport 22 ip saddr @ip-connlimit-ssh counter reject with tcp reset
diff --git a/nftables-ns1.conf b/nftables-ns1.conf
index 5949099..5716612 100644
--- a/nftables-ns1.conf
+++ b/nftables-ns1.conf
@@ -60,6 +60,8 @@ table inet filter {
 iif lo goto input-loopback
 udp dport 53 accept
 meta l4proto { icmp, ipv6-icmp } accept
+
+ # for synproxy, SYN is untracked and first ACK is invalid which are handled via fallthrough
 ct state vmap { new : goto input-new, established : goto input-established, related : accept }
 tcp dport 22 ip saddr @ip-connlimit-ssh counter reject with tcp reset
diff --git a/nftables-ns2.conf b/nftables-ns2.conf
index 1030516..8d2ee70 100644
--- a/nftables-ns2.conf
+++ b/nftables-ns2.conf
@@ -65,6 +65,8 @@ table inet filter {
 iif lo goto input-loopback
 udp dport 53 accept
 meta l4proto { icmp, ipv6-icmp } accept
+
+ # for synproxy, SYN is untracked and first ACK is invalid which are handled via fallthrough
 ct state vmap { new : goto input-new, established : goto input-established, related : accept }
 tcp dport 22 ip saddr @ip-connlimit-ssh counter reject with tcp reset
diff --git a/nftables-social.conf b/nftables-social.conf
index 65cb180..e2975e7 100644
--- a/nftables-social.conf
+++ b/nftables-social.conf
@@ -57,6 +57,8 @@ table inet filter {
 iif lo goto input-loopback
 meta l4proto { icmp, ipv6-icmp } accept
+
+ # for synproxy, SYN is untracked and first ACK is invalid which are handled via fallthrough
 ct state vmap { new : goto input-new, established : goto input-established, related : accept }
 tcp dport 22 ip saddr @ip-connlimit-ssh counter reject with tcp reset
diff --git a/nftables-web.conf b/nftables-web.conf
index a7e2f75..6b72cdb 100644
--- a/nftables-web.conf
+++ b/nftables-web.conf
@@ -61,6 +61,8 @@ table inet filter {
 iif lo goto input-loopback
 meta l4proto { icmp, ipv6-icmp } accept
+
+ # for synproxy, SYN is untracked and first ACK is invalid which are handled via fallthrough
 ct state vmap { new : goto input-new, established : goto input-established, related : accept }
 tcp dport 22 ip saddr @ip-connlimit-ssh counter reject with tcp reset