nftables: implement loopback access control

2024-12-22 13:45:02 -05:00 · 2022-07-25 20:03:09 -04:00 · 2022-07-25 20:03:09 -04:00 · 984d0f200f
commit 984d0f200f
parent a68a456778
6 changed files with 66 additions and 3 deletions
--- a/nftables-attestation.conf
+++ b/nftables-attestation.conf
@ -43,9 +43,21 @@ table inet filter {
    chain output {
        type filter hook output priority filter

+        oif lo goto output-internal
        skuid != {root, systemd-network, chrony, unbound, http, attestation} counter goto output-reject
    }

+    chain output-internal {
+        skuid unbound meta l4proto {tcp, udp} th sport 53 th dport >= 1024 th dport != 8080 accept
+        skuid {chrony, attestation} meta l4proto {tcp, udp} th sport >= 1024 th sport != 8080 th dport 53 accept
+
+        skuid attestation tcp sport 8080 tcp dport >= 1024 tcp dport != 8080 accept
+        skuid http tcp sport >= 1024 tcp sport != 8080 tcp dport 8080 accept
+
+        skuid != root counter goto output-reject
+        accept
+    }
+
    chain output-reject {
        meta l4proto udp reject
        meta l4proto tcp reject with tcp reset
--- a/nftables-discuss.conf
+++ b/nftables-discuss.conf
@ -43,9 +43,18 @@ table inet filter {
    chain output {
        type filter hook output priority filter

+        oif lo goto output-internal
        skuid != {root, systemd-network, chrony, unbound, http, flarum, flarum-admin} counter goto output-reject
    }

+    chain output-internal {
+        skuid unbound meta l4proto {tcp, udp} th sport 53 th dport >= 1024 accept
+        skuid {chrony, http, flarum, flarum-admin} meta l4proto {tcp, udp} th sport >= 1024 th dport 53 accept
+
+        skuid != root counter goto output-reject
+        accept
+    }
+
    chain output-reject {
        meta l4proto udp reject
        meta l4proto tcp reject with tcp reset
--- a/nftables-dns.conf
+++ b/nftables-dns.conf
@ -47,9 +47,18 @@ table inet filter {
    chain output {
        type filter hook output priority filter

+        oif lo goto output-internal
        skuid != {root, systemd-network, chrony, unbound, powerdns} counter goto output-reject
    }

+    chain output-internal {
+        skuid unbound meta l4proto {tcp, udp} th sport 53 th dport >= 1024 accept
+        skuid {chrony, powerdns} meta l4proto {tcp, udp} th sport >= 1024 th dport 53 accept
+
+        skuid != root counter goto output-reject
+        accept
+    }
+
    chain output-reject {
        meta l4proto udp reject
        meta l4proto tcp reject with tcp reset
--- a/nftables-mail.conf
+++ b/nftables-mail.conf
@ -43,10 +43,18 @@ table inet filter {
    chain output {
        type filter hook output priority filter

-        skuid {opendkim, opendmarc, policyd-spf} oif lo meta l4proto {tcp, udp} th dport 53 accept
+        oif lo goto output-internal
        skuid != {root, systemd-network, chrony, unbound, postfix, dovecot, dovenull} counter goto output-reject
    }

+    chain output-internal {
+        skuid unbound meta l4proto {tcp, udp} th sport 53 th dport >= 1024 accept
+        skuid {chrony, postfix, opendkim, opendmarc, policyd-spf} meta l4proto {tcp, udp} th sport >= 1024 th dport 53 accept
+
+        skuid != root counter goto output-reject
+        accept
+    }
+
    chain output-reject {
        meta l4proto udp reject
        meta l4proto tcp reject with tcp reset
--- a/nftables-matrix.conf
+++ b/nftables-matrix.conf
@ -43,11 +43,27 @@ table inet filter {
    chain output {
        type filter hook output priority filter

-        skuid postgres oif lo meta l4proto udp accept
-        skuid mjolnir oif lo tcp dport 8008 accept
+        oif lo goto output-internal
        skuid != {root, systemd-network, chrony, unbound, http, synapse, matterbridge} counter goto output-reject
    }

+    chain output-internal {
+        skuid unbound meta l4proto {tcp, udp} th sport 53 th dport >= 1024 th dport != 8008 accept
+        skuid {chrony, synapse, matterbridge} meta l4proto {tcp, udp} th sport >= 1024 th sport != 8008 th dport 53 accept
+
+        skuid postgres udp sport >= 1024 udp sport != 8008 udp dport >= 1024 udp dport != 8008 accept
+
+        skuid synapse tcp sport 8008 tcp dport >= 1024 tcp dport != 8008 accept
+        skuid http tcp sport >= 1024 tcp sport != 8008 tcp dport 8008 accept
+        skuid mjolnir tcp sport >= 1024 tcp sport != 8008 tcp dport 8008 accept
+
+        skuid http tcp sport 443 tcp dport >= 1024 tcp dport != 8008 accept
+        skuid matterbridge tcp sport >= 1024 tcp dport != 8008 tcp dport 443 accept
+
+        skuid != root counter goto output-reject
+        accept
+    }
+
    chain output-reject {
        meta l4proto udp reject
        meta l4proto tcp reject with tcp reset
--- a/nftables-web.conf
+++ b/nftables-web.conf
@ -43,9 +43,18 @@ table inet filter {
    chain output {
        type filter hook output priority filter

+        oif lo goto output-internal
        skuid != {root, systemd-network, chrony, unbound, http} counter goto output-reject
    }

+    chain output-internal {
+        skuid unbound meta l4proto {tcp, udp} th sport 53 th dport >= 1024 accept
+        skuid {chrony, http} meta l4proto {tcp, udp} th sport >= 1024 th dport 53 accept
+
+        skuid != root counter goto output-reject
+        accept
+    }
+
    chain output-reject {
        meta l4proto udp reject
        meta l4proto tcp reject with tcp reset