mirror of
https://github.com/GrapheneOS/infrastructure.git
synced 2024-12-22 13:45:02 -05:00
nftables: implement loopback access control
This commit is contained in:
parent
a68a456778
commit
984d0f200f
@ -43,9 +43,21 @@ table inet filter {
|
|||||||
chain output {
|
chain output {
|
||||||
type filter hook output priority filter
|
type filter hook output priority filter
|
||||||
|
|
||||||
|
oif lo goto output-internal
|
||||||
skuid != {root, systemd-network, chrony, unbound, http, attestation} counter goto output-reject
|
skuid != {root, systemd-network, chrony, unbound, http, attestation} counter goto output-reject
|
||||||
}
|
}
|
||||||
|
|
||||||
|
chain output-internal {
|
||||||
|
skuid unbound meta l4proto {tcp, udp} th sport 53 th dport >= 1024 th dport != 8080 accept
|
||||||
|
skuid {chrony, attestation} meta l4proto {tcp, udp} th sport >= 1024 th sport != 8080 th dport 53 accept
|
||||||
|
|
||||||
|
skuid attestation tcp sport 8080 tcp dport >= 1024 tcp dport != 8080 accept
|
||||||
|
skuid http tcp sport >= 1024 tcp sport != 8080 tcp dport 8080 accept
|
||||||
|
|
||||||
|
skuid != root counter goto output-reject
|
||||||
|
accept
|
||||||
|
}
|
||||||
|
|
||||||
chain output-reject {
|
chain output-reject {
|
||||||
meta l4proto udp reject
|
meta l4proto udp reject
|
||||||
meta l4proto tcp reject with tcp reset
|
meta l4proto tcp reject with tcp reset
|
||||||
|
@ -43,9 +43,18 @@ table inet filter {
|
|||||||
chain output {
|
chain output {
|
||||||
type filter hook output priority filter
|
type filter hook output priority filter
|
||||||
|
|
||||||
|
oif lo goto output-internal
|
||||||
skuid != {root, systemd-network, chrony, unbound, http, flarum, flarum-admin} counter goto output-reject
|
skuid != {root, systemd-network, chrony, unbound, http, flarum, flarum-admin} counter goto output-reject
|
||||||
}
|
}
|
||||||
|
|
||||||
|
chain output-internal {
|
||||||
|
skuid unbound meta l4proto {tcp, udp} th sport 53 th dport >= 1024 accept
|
||||||
|
skuid {chrony, http, flarum, flarum-admin} meta l4proto {tcp, udp} th sport >= 1024 th dport 53 accept
|
||||||
|
|
||||||
|
skuid != root counter goto output-reject
|
||||||
|
accept
|
||||||
|
}
|
||||||
|
|
||||||
chain output-reject {
|
chain output-reject {
|
||||||
meta l4proto udp reject
|
meta l4proto udp reject
|
||||||
meta l4proto tcp reject with tcp reset
|
meta l4proto tcp reject with tcp reset
|
||||||
|
@ -47,9 +47,18 @@ table inet filter {
|
|||||||
chain output {
|
chain output {
|
||||||
type filter hook output priority filter
|
type filter hook output priority filter
|
||||||
|
|
||||||
|
oif lo goto output-internal
|
||||||
skuid != {root, systemd-network, chrony, unbound, powerdns} counter goto output-reject
|
skuid != {root, systemd-network, chrony, unbound, powerdns} counter goto output-reject
|
||||||
}
|
}
|
||||||
|
|
||||||
|
chain output-internal {
|
||||||
|
skuid unbound meta l4proto {tcp, udp} th sport 53 th dport >= 1024 accept
|
||||||
|
skuid {chrony, powerdns} meta l4proto {tcp, udp} th sport >= 1024 th dport 53 accept
|
||||||
|
|
||||||
|
skuid != root counter goto output-reject
|
||||||
|
accept
|
||||||
|
}
|
||||||
|
|
||||||
chain output-reject {
|
chain output-reject {
|
||||||
meta l4proto udp reject
|
meta l4proto udp reject
|
||||||
meta l4proto tcp reject with tcp reset
|
meta l4proto tcp reject with tcp reset
|
||||||
|
@ -43,10 +43,18 @@ table inet filter {
|
|||||||
chain output {
|
chain output {
|
||||||
type filter hook output priority filter
|
type filter hook output priority filter
|
||||||
|
|
||||||
skuid {opendkim, opendmarc, policyd-spf} oif lo meta l4proto {tcp, udp} th dport 53 accept
|
oif lo goto output-internal
|
||||||
skuid != {root, systemd-network, chrony, unbound, postfix, dovecot, dovenull} counter goto output-reject
|
skuid != {root, systemd-network, chrony, unbound, postfix, dovecot, dovenull} counter goto output-reject
|
||||||
}
|
}
|
||||||
|
|
||||||
|
chain output-internal {
|
||||||
|
skuid unbound meta l4proto {tcp, udp} th sport 53 th dport >= 1024 accept
|
||||||
|
skuid {chrony, postfix, opendkim, opendmarc, policyd-spf} meta l4proto {tcp, udp} th sport >= 1024 th dport 53 accept
|
||||||
|
|
||||||
|
skuid != root counter goto output-reject
|
||||||
|
accept
|
||||||
|
}
|
||||||
|
|
||||||
chain output-reject {
|
chain output-reject {
|
||||||
meta l4proto udp reject
|
meta l4proto udp reject
|
||||||
meta l4proto tcp reject with tcp reset
|
meta l4proto tcp reject with tcp reset
|
||||||
|
@ -43,11 +43,27 @@ table inet filter {
|
|||||||
chain output {
|
chain output {
|
||||||
type filter hook output priority filter
|
type filter hook output priority filter
|
||||||
|
|
||||||
skuid postgres oif lo meta l4proto udp accept
|
oif lo goto output-internal
|
||||||
skuid mjolnir oif lo tcp dport 8008 accept
|
|
||||||
skuid != {root, systemd-network, chrony, unbound, http, synapse, matterbridge} counter goto output-reject
|
skuid != {root, systemd-network, chrony, unbound, http, synapse, matterbridge} counter goto output-reject
|
||||||
}
|
}
|
||||||
|
|
||||||
|
chain output-internal {
|
||||||
|
skuid unbound meta l4proto {tcp, udp} th sport 53 th dport >= 1024 th dport != 8008 accept
|
||||||
|
skuid {chrony, synapse, matterbridge} meta l4proto {tcp, udp} th sport >= 1024 th sport != 8008 th dport 53 accept
|
||||||
|
|
||||||
|
skuid postgres udp sport >= 1024 udp sport != 8008 udp dport >= 1024 udp dport != 8008 accept
|
||||||
|
|
||||||
|
skuid synapse tcp sport 8008 tcp dport >= 1024 tcp dport != 8008 accept
|
||||||
|
skuid http tcp sport >= 1024 tcp sport != 8008 tcp dport 8008 accept
|
||||||
|
skuid mjolnir tcp sport >= 1024 tcp sport != 8008 tcp dport 8008 accept
|
||||||
|
|
||||||
|
skuid http tcp sport 443 tcp dport >= 1024 tcp dport != 8008 accept
|
||||||
|
skuid matterbridge tcp sport >= 1024 tcp dport != 8008 tcp dport 443 accept
|
||||||
|
|
||||||
|
skuid != root counter goto output-reject
|
||||||
|
accept
|
||||||
|
}
|
||||||
|
|
||||||
chain output-reject {
|
chain output-reject {
|
||||||
meta l4proto udp reject
|
meta l4proto udp reject
|
||||||
meta l4proto tcp reject with tcp reset
|
meta l4proto tcp reject with tcp reset
|
||||||
|
@ -43,9 +43,18 @@ table inet filter {
|
|||||||
chain output {
|
chain output {
|
||||||
type filter hook output priority filter
|
type filter hook output priority filter
|
||||||
|
|
||||||
|
oif lo goto output-internal
|
||||||
skuid != {root, systemd-network, chrony, unbound, http} counter goto output-reject
|
skuid != {root, systemd-network, chrony, unbound, http} counter goto output-reject
|
||||||
}
|
}
|
||||||
|
|
||||||
|
chain output-internal {
|
||||||
|
skuid unbound meta l4proto {tcp, udp} th sport 53 th dport >= 1024 accept
|
||||||
|
skuid {chrony, http} meta l4proto {tcp, udp} th sport >= 1024 th dport 53 accept
|
||||||
|
|
||||||
|
skuid != root counter goto output-reject
|
||||||
|
accept
|
||||||
|
}
|
||||||
|
|
||||||
chain output-reject {
|
chain output-reject {
|
||||||
meta l4proto udp reject
|
meta l4proto udp reject
|
||||||
meta l4proto tcp reject with tcp reset
|
meta l4proto tcp reject with tcp reset
|
||||||
|
Loading…
Reference in New Issue
Block a user