From ad6e998ec2e4f68f8520793cb3fb7a41d5cc3cb0 Mon Sep 17 00:00:00 2001
From: Daniel Micay
Date: Thu, 21 Jul 2022 19:30:45 -0400
Subject: [PATCH] nftables: filter input service traffic by dst addr
---
 nftables-attestation.conf | 3 ++-
 nftables-discuss.conf | 3 ++-
 nftables-dns.conf | 6 ++++--
 nftables-mail.conf | 3 ++-
 nftables-matrix.conf | 3 ++-
 nftables-web.conf | 3 ++-
 6 files changed, 14 insertions(+), 7 deletions(-)
diff --git a/nftables-attestation.conf b/nftables-attestation.conf
index cfc3a6e..e0a7a8f 100644
--- a/nftables-attestation.conf
+++ b/nftables-attestation.conf
@@ -24,7 +24,8 @@ table inet filter {
 policy drop
 iif lo accept
- tcp dport {22, 80, 443} accept
+ tcp dport {22, 80, 443} ip daddr {{ipv4_address}} accept
+ tcp dport {22, 80, 443} ip6 daddr {{ipv6_address}} accept
 meta l4proto {icmp, ipv6-icmp} accept
 ct state vmap { invalid : drop, established : accept, related : accept }
diff --git a/nftables-discuss.conf b/nftables-discuss.conf
index 042fd0b..0aeed70 100644
--- a/nftables-discuss.conf
+++ b/nftables-discuss.conf
@@ -24,7 +24,8 @@ table inet filter {
 policy drop
 iif lo accept
- tcp dport {22, 80, 443} accept
+ tcp dport {22, 80, 443} ip daddr {{ipv4_address}} accept
+ tcp dport {22, 80, 443} ip6 daddr {{ipv6_address}} accept
 meta l4proto {icmp, ipv6-icmp} accept
 ct state vmap { invalid : drop, established : accept, related : accept }
diff --git a/nftables-dns.conf b/nftables-dns.conf
index 3744af7..fdfe49b 100644
--- a/nftables-dns.conf
+++ b/nftables-dns.conf
@@ -26,8 +26,10 @@ table inet filter {
 policy drop
 iif lo accept
- udp dport 53 accept
- tcp dport {22, 53} accept
+ udp dport 53 ip daddr {{ipv4_address}} accept
+ udp dport 53 ip6 daddr {{ipv6_address}} accept
+ tcp dport {22, 53} ip daddr {{ipv4_address}} accept
+ tcp dport {22, 53} ip6 daddr {{ipv6_address}} accept
 meta l4proto {icmp, ipv6-icmp} accept
 ct state vmap { invalid : drop, established : accept, related : accept }
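Review bot: The address is interpolated unguarded into every accept rule of the nftables-dns.conf hunk (`udp dport 53 ip6 daddr {{ipv6_address}} accept` and its three siblings), so a host whose `ipv6_address` is unset would presumably render `ip6 daddr  accept`, which nft rejects at parse time — and since `nft -f` applies a file atomically, the entire ruleset including `policy drop` then fails to load rather than just that one rule. The templating engine is not visible here, so this is inferred from the `{{…}}` syntax; if the variable can ever be absent, wrap the IPv6 rules in a template conditional or fail the render when it is unset. Separately, the port list `{22, 53}` is now written twice and the two copies can drift; a `define dns_service_ports = { 22, 53 }` near the top of the file with `tcp dport $dns_service_ports` in both rules keeps them in lockstep. The enclosing `chain input` header is above the hunk.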
diff --git a/nftables-mail.conf b/nftables-mail.conf
index 587a602..4aac75b 100644
--- a/nftables-mail.conf
+++ b/nftables-mail.conf
@@ -24,7 +24,8 @@ table inet filter {
 policy drop
 iif lo accept
- tcp dport {22, 25, 80, 465, 993} accept
+ tcp dport {22, 25, 80, 465, 993} ip daddr {{ipv4_address}} accept
+ tcp dport {22, 25, 80, 465, 993} ip6 daddr {{ipv6_address}} accept
 meta l4proto {icmp, ipv6-icmp} accept
 ct state vmap { invalid : drop, established : accept, related : accept }
diff --git a/nftables-matrix.conf b/nftables-matrix.conf
index 002b28c..c66699a 100644
--- a/nftables-matrix.conf
+++ b/nftables-matrix.conf
@@ -24,7 +24,8 @@ table inet filter {
 policy drop
 iif lo accept
- tcp dport {22, 80, 443} accept
+ tcp dport {22, 80, 443} ip daddr {{ipv4_address}} accept
+ tcp dport {22, 80, 443} ip6 daddr {{ipv6_address}} accept
 meta l4proto {icmp, ipv6-icmp} accept
 ct state vmap { invalid : drop, established : accept, related : accept }
diff --git a/nftables-web.conf b/nftables-web.conf
index 2b95466..1302bf0 100644
--- a/nftables-web.conf
+++ b/nftables-web.conf
@@ -24,7 +24,8 @@ table inet filter {
 policy drop
 iif lo accept
- tcp dport {22, 80, 443} accept
+ tcp dport {22, 80, 443} ip daddr {{ipv4_address}} accept
+ tcp dport {22, 80, 443} ip6 daddr {{ipv6_address}} accept
 meta l4proto {icmp, ipv6-icmp} accept
 ct state vmap { invalid : drop, established : accept, related : accept }
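Review bot: Port 22 is now accepted only when the packet is addressed to `{{ipv4_address}}` or `{{ipv6_address}}` (the two added `tcp dport {22, 25, 80, 465, 993} … accept` rules in nftables-mail.conf), so SSH arriving on an IPv6 link-local or any secondary/temporary address falls through to `policy drop` together with the mail ports; that is presumably intended for the services, but it also closes a same-segment rescue path for SSH and deserves a sentence in the commit message if deliberate. Neighbor discovery is unaffected because `meta l4proto {icmp, ipv6-icmp} accept` still admits ICMPv6, so reachability on the configured addresses does not regress. The rule pair also needs a comment, since nothing in the file says why there are two: `# one rule per family — in an inet table, ip daddr and ip6 daddr each match only their own protocol`. The enclosing `chain input` header is above the hunk.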