From 984d0f200f734c39b7eb983ed258dfce6f684205 Mon Sep 17 00:00:00 2001
From: Daniel Micay
Date: Mon, 25 Jul 2022 20:03:09 -0400
Subject: [PATCH] nftables: implement loopback access control

---
 nftables-attestation.conf | 12 ++++++++++++
 nftables-discuss.conf | 9 +++++++++
 nftables-dns.conf | 9 +++++++++
 nftables-mail.conf | 10 +++++++++-
 nftables-matrix.conf | 20 ++++++++++++++++++--
 nftables-web.conf | 9 +++++++++
 6 files changed, 66 insertions(+), 3 deletions(-)

diff --git a/nftables-attestation.conf b/nftables-attestation.conf
index e0a7a8f..ec581a6 100644
--- a/nftables-attestation.conf
+++ b/nftables-attestation.conf
@@ -43,9 +43,21 @@ table inet filter {
 
 chain output {
 type filter hook output priority filter
+oif lo goto output-internal
 skuid != {root, systemd-network, chrony, unbound, http, attestation} counter goto output-reject
 }
 
+chain output-internal {
+skuid unbound meta l4proto {tcp, udp} th sport 53 th dport >= 1024 th dport != 8080 accept
+skuid {chrony, attestation} meta l4proto {tcp, udp} th sport >= 1024 th sport != 8080 th dport 53 accept
+
+skuid attestation tcp sport 8080 tcp dport >= 1024 tcp dport != 8080 accept
+skuid http tcp sport >= 1024 tcp sport != 8080 tcp dport 8080 accept
+
+skuid != root counter goto output-reject
+accept
+}
+
 chain output-reject {
 meta l4proto udp reject
 meta l4proto tcp reject with tcp reset
diff --git a/nftables-discuss.conf b/nftables-discuss.conf
index 0aeed70..6bf7352 100644
--- a/nftables-discuss.conf
+++ b/nftables-discuss.conf
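Review bot: In `output-internal` the server/client split for port 8080 rests on the source port alone — `skuid attestation tcp sport 8080 tcp dport >= 1024 tcp dport != 8080 accept` is meant to pass replies, but a process picks its own source port, and the `attestation` user already owns the 8080 listener, so code running as that user can bind 8080 and open a connection to any loopback TCP port above 1023 other than 8080, which this rule accepts as if it were a reply; the `skuid unbound ... th sport 53 th dport >= 1024` rule gives unbound the same freedom. What else listens on loopback above 1023 on this host is not visible here, so the practical exposure is bounded by that, but the rules do not enforce the invariant their shape suggests. If conntrack is active on these hosts (not visible in this hunk), tying the reply rules to connection direction removes the freedom: `skuid unbound meta l4proto {tcp, udp} th sport 53 ct direction reply accept` and `skuid attestation tcp sport 8080 ct direction reply accept`, keeping the `dport`/`sport` range checks on the client rules only. The enclosing `table inet filter` begins before the hunk.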
@@ -43,9 +43,18 @@ table inet filter {
 
 chain output {
 type filter hook output priority filter
+oif lo goto output-internal
 skuid != {root, systemd-network, chrony, unbound, http, flarum, flarum-admin} counter goto output-reject
 }
 
+chain output-internal {
+skuid unbound meta l4proto {tcp, udp} th sport 53 th dport >= 1024 accept
+skuid {chrony, http, flarum, flarum-admin} meta l4proto {tcp, udp} th sport >= 1024 th dport 53 accept
+
+skuid != root counter goto output-reject
+accept
+}
+
 chain output-reject {
 meta l4proto udp reject
 meta l4proto tcp reject with tcp reset
diff --git a/nftables-dns.conf b/nftables-dns.conf
index fdfe49b..66e7c74 100644
--- a/nftables-dns.conf
+++ b/nftables-dns.conf
@@ -47,9 +47,18 @@ table inet filter {
 
 chain output {
 type filter hook output priority filter
+oif lo goto output-internal
 skuid != {root, systemd-network, chrony, unbound, powerdns} counter goto output-reject
 }
 
+chain output-internal {
+skuid unbound meta l4proto {tcp, udp} th sport 53 th dport >= 1024 accept
+skuid {chrony, powerdns} meta l4proto {tcp, udp} th sport >= 1024 th dport 53 accept
+
+skuid != root counter goto output-reject
+accept
+}
+
 chain output-reject {
 meta l4proto udp reject
 meta l4proto tcp reject with tcp reset
diff --git a/nftables-mail.conf b/nftables-mail.conf
index 4aac75b..0ebd5b0 100644
--- a/nftables-mail.conf
+++ b/nftables-mail.conf
@@ -43,10 +43,18 @@ table inet filter {
 
 chain output {
 type filter hook output priority filter
-skuid {opendkim, opendmarc, policyd-spf} oif lo meta l4proto {tcp, udp} th dport 53 accept
+oif lo goto output-internal
 skuid != {root, systemd-network, chrony, unbound, postfix, dovecot, dovenull} counter goto output-reject
 }
 
+chain output-internal {
+skuid unbound meta l4proto {tcp, udp} th sport 53 th dport >= 1024 accept
+skuid {chrony, postfix, opendkim, opendmarc, policyd-spf} meta l4proto {tcp, udp} th sport >= 1024 th dport 53 accept
+
+skuid != root counter goto output-reject
+accept
+}
+
 chain output-reject {
 meta l4proto udp reject
 meta l4proto tcp reject with tcp reset
diff --git a/nftables-matrix.conf b/nftables-matrix.conf
index c66699a..52376d3 100644
--- a/nftables-matrix.conf
+++ b/nftables-matrix.conf
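Review bot: `postfix` loses its unrestricted loopback egress in this hunk: it is in the `skuid != {...}` allow-list on the context line, so before the change its loopback traffic fell through to the chain's default, whereas the new `output-internal` chain only lets it reach port 53 and then sends everything else to `output-reject` with a TCP reset. If postfix reaches its milters or policy daemon over 127.0.0.1 rather than unix sockets — `inet:8891@localhost` for opendkim and `inet:8893@localhost` for opendmarc are common configurations — delivery now fails closed on the milter connect. I cannot see the postfix or milter configuration from here; if they are on inet sockets, the pattern the matrix file uses applies, e.g. `skuid postfix tcp sport >= 1024 tcp sport != {8891, 8893} tcp dport {8891, 8893} accept` plus the reply rule `skuid {opendkim, opendmarc} tcp sport {8891, 8893} tcp dport >= 1024 accept`. The enclosing `table inet filter` begins before the hunk.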
@@ -43,11 +43,27 @@ table inet filter {
 
 chain output {
 type filter hook output priority filter
-skuid postgres oif lo meta l4proto udp accept
-skuid mjolnir oif lo tcp dport 8008 accept
+oif lo goto output-internal
 skuid != {root, systemd-network, chrony, unbound, http, synapse, matterbridge} counter goto output-reject
 }
 
+chain output-internal {
+skuid unbound meta l4proto {tcp, udp} th sport 53 th dport >= 1024 th dport != 8008 accept
+skuid {chrony, synapse, matterbridge} meta l4proto {tcp, udp} th sport >= 1024 th sport != 8008 th dport 53 accept
+
+skuid postgres udp sport >= 1024 udp sport != 8008 udp dport >= 1024 udp dport != 8008 accept
+
+skuid synapse tcp sport 8008 tcp dport >= 1024 tcp dport != 8008 accept
+skuid http tcp sport >= 1024 tcp sport != 8008 tcp dport 8008 accept
+skuid mjolnir tcp sport >= 1024 tcp sport != 8008 tcp dport 8008 accept
+
+skuid http tcp sport 443 tcp dport >= 1024 tcp dport != 8008 accept
+skuid matterbridge tcp sport >= 1024 tcp dport != 8008 tcp dport 443 accept
+
+skuid != root counter goto output-reject
+accept
+}
+
 chain output-reject {
 meta l4proto udp reject
 meta l4proto tcp reject with tcp reset
diff --git a/nftables-web.conf b/nftables-web.conf
index 1302bf0..5f08aa7 100644
--- a/nftables-web.conf
+++ b/nftables-web.conf
@@ -43,9 +43,18 @@ table inet filter {
 
 chain output {
 type filter hook output priority filter
+oif lo goto output-internal
 skuid != {root, systemd-network, chrony, unbound, http} counter goto output-reject
 }
 
+chain output-internal {
+skuid unbound meta l4proto {tcp, udp} th sport 53 th dport >= 1024 accept
+skuid {chrony, http} meta l4proto {tcp, udp} th sport >= 1024 th dport 53 accept
+
+skuid != root counter goto output-reject
+accept
+}
+
 chain output-reject {
 meta l4proto udp reject
 meta l4proto tcp reject with tcp reset
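Review bot: The matterbridge client rule `skuid matterbridge tcp sport >= 1024 tcp dport != 8008 tcp dport 443 accept` tests `dport` twice — `tcp dport 443` already rules out 8008 — and is the only client rule in the chain without the `sport != 8008` exclusion that the `http` and `mjolnir` rules two lines above carry, which reads like `dport` written for `sport`. Nothing is exposed by it today, because the `http` reply rule on the line above refuses `dport 8008` and a connection from source port 8008 would simply not get its replies back, but the rule should match its siblings so that "no unprivileged client sends from a service port" holds for every line: `skuid matterbridge tcp sport >= 1024 tcp sport != 8008 tcp dport 443 accept`. Separately, the reply rules `skuid synapse tcp sport 8008 ...` and `skuid http tcp sport 443 ...` identify replies by source port only, which a compromised service can choose freely; if conntrack is in use on this host (not visible here), `ct direction reply` on those two rules pins them to genuine replies. The enclosing `table inet filter` begins before the hunk.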
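Review bot: The new `output-internal` chain carries no comment stating the policy it implements, and the paired `th sport >= 1024` / `th dport >= 1024` tests only make sense to a reader who knows they stand for the ephemeral client-port range. A header such as `# loopback only: unprivileged users may exchange DNS with unbound and nothing else; root is unrestricted` above `chain output-internal {`, and `# unbound replies to ephemeral client ports` on the first rule, would spare the next maintainer reconstructing that from the rule shapes. The trailing `accept` after `skuid != root counter goto output-reject` is what gives root its unrestricted loopback access, which is worth saying in the same comment since it is the one deliberate hole in the chain. The enclosing `table inet filter` begins before the hunk.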