From b152574da88992a41369093f211b7a70c48c67f1 Mon Sep 17 00:00:00 2001
From: Daniel Micay
Date: Thu, 11 Apr 2024 11:30:58 -0400
Subject: [PATCH] nftables: avoid unnecessary connection marking

---
 nftables-attestation.conf | 4 ++++
 nftables-discuss.conf     | 4 ++++
 nftables-mail.conf        | 4 ++++
 nftables-matrix.conf      | 4 ++++
 nftables-network.conf     | 4 ++++
 nftables-ns1.conf         | 4 ++++
 nftables-ns2.conf         | 4 ++++
 nftables-social.conf      | 4 ++++
 nftables-web.conf         | 4 ++++
 9 files changed, 36 insertions(+)

diff --git a/nftables-attestation.conf b/nftables-attestation.conf
index 2b7542f..cd83df7 100644
--- a/nftables-attestation.conf
+++ b/nftables-attestation.conf
@@ -79,6 +79,8 @@ table inet filter {
     }
 
     chain input-established {
+        meta l4proto != tcp accept
+        tcp dport != { 22, 80, 443 } accept
         ct mark 0x1 accept
         tcp dport 22 ip saddr != $ip-allowlist-ssh add @ip-connlimit-ssh { ip saddr ct count over 1 } counter reject with tcp reset
         tcp dport 22 ip6 saddr != $ip6-allowlist-ssh add @ip6-connlimit-ssh { ip6 saddr and ffff:ffff:ffff:ffff:ffff:: ct count over 1 } counter reject with tcp reset
@@ -88,6 +90,8 @@ table inet filter {
     }
 
     chain input-loopback {
+        meta l4proto != tcp accept
+        tcp dport != { 22, 80, 443 } accept
         tcp flags != syn accept
         tcp dport 22 ip saddr != $ip-allowlist-ssh add @ip-connlimit-ssh { ip saddr ct count over 1 } counter reject with tcp reset
         tcp dport 22 ip6 saddr != $ip6-allowlist-ssh add @ip6-connlimit-ssh { ip6 saddr and ffff:ffff:ffff:ffff:ffff:: ct count over 1 } counter reject with tcp reset
diff --git a/nftables-discuss.conf b/nftables-discuss.conf
index ab99a55..a449097 100644
--- a/nftables-discuss.conf
+++ b/nftables-discuss.conf
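Review bot: The anonymous port set on the new `tcp dport != { 22, 80, 443 } accept` line is the only thing that keeps the connlimit rules below it reachable, and it is spelled out separately in input-established, in input-loopback and again in each of the other eight files, so a port that is later added to the connlimit rules without also being added to this set would be accepted before any `ct count` check runs. The files already use `define` for `$ip-allowlist-ssh`, so the same mechanism fits here: `define connlimit-ports = { 22, 80, 443 }` at the top of the file and `tcp dport != $connlimit-ports accept` in both chains, leaving the per-file port lists (mail, network, ns1, ns2) as the only thing that differs between files. Both chains continue past the hunk and the `ct mark set` rule the title refers to is not visible, so I am assuming the early `meta l4proto != tcp accept` only skips marking for traffic the end of the chain accepted anyway rather than admitting anything new; that is worth confirming for input-established in particular, since non-TCP established traffic now bypasses every later rule in that chain. The same points apply to the hunks in nftables-discuss.conf, nftables-mail.conf, nftables-matrix.conf, nftables-network.conf, nftables-ns1.conf, nftables-ns2.conf, nftables-social.conf and nftables-web.conf.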
@@ -79,6 +79,8 @@ table inet filter {
     }
 
     chain input-established {
+        meta l4proto != tcp accept
+        tcp dport != { 22, 80, 443 } accept
         ct mark 0x1 accept
         tcp dport 22 ip saddr != $ip-allowlist-ssh add @ip-connlimit-ssh { ip saddr ct count over 1 } counter reject with tcp reset
         tcp dport 22 ip6 saddr != $ip6-allowlist-ssh add @ip6-connlimit-ssh { ip6 saddr and ffff:ffff:ffff:ffff:ffff:: ct count over 1 } counter reject with tcp reset
@@ -88,6 +90,8 @@ table inet filter {
     }
 
     chain input-loopback {
+        meta l4proto != tcp accept
+        tcp dport != { 22, 80, 443 } accept
         tcp flags != syn accept
         tcp dport 22 ip saddr != $ip-allowlist-ssh add @ip-connlimit-ssh { ip saddr ct count over 1 } counter reject with tcp reset
         tcp dport 22 ip6 saddr != $ip6-allowlist-ssh add @ip6-connlimit-ssh { ip6 saddr and ffff:ffff:ffff:ffff:ffff:: ct count over 1 } counter reject with tcp reset
diff --git a/nftables-mail.conf b/nftables-mail.conf
index f538879..8277c02 100644
--- a/nftables-mail.conf
+++ b/nftables-mail.conf
@@ -79,6 +79,8 @@ table inet filter {
     }
 
     chain input-established {
+        meta l4proto != tcp accept
+        tcp dport != { 22, 25, 80, 443, 465, 993 } accept
         ct mark 0x1 accept
         tcp dport 22 ip saddr != $ip-allowlist-ssh add @ip-connlimit-ssh { ip saddr ct count over 1 } counter reject with tcp reset
         tcp dport 22 ip6 saddr != $ip6-allowlist-ssh add @ip6-connlimit-ssh { ip6 saddr and ffff:ffff:ffff:ffff:ffff:: ct count over 1 } counter reject with tcp reset
@@ -88,6 +90,8 @@ table inet filter {
     }
 
     chain input-loopback {
+        meta l4proto != tcp accept
+        tcp dport != { 22, 25, 80, 443, 465, 993 } accept
         tcp flags != syn accept
         tcp dport 22 ip saddr != $ip-allowlist-ssh add @ip-connlimit-ssh { ip saddr ct count over 1 } counter reject with tcp reset
         tcp dport 22 ip6 saddr != $ip6-allowlist-ssh add @ip6-connlimit-ssh { ip6 saddr and ffff:ffff:ffff:ffff:ffff:: ct count over 1 } counter reject with tcp reset
diff --git a/nftables-matrix.conf b/nftables-matrix.conf
index 044758e..1bdbc1f 100644
--- a/nftables-matrix.conf
+++ b/nftables-matrix.conf
@@ -79,6 +79,8 @@ table inet filter {
     }
 
     chain input-established {
+        meta l4proto != tcp accept
+        tcp dport != { 22, 80, 443 } accept
         ct mark 0x1 accept
         tcp dport 22 ip saddr != $ip-allowlist-ssh add @ip-connlimit-ssh { ip saddr ct count over 1 } counter reject with tcp reset
         tcp dport 22 ip6 saddr != $ip6-allowlist-ssh add @ip6-connlimit-ssh { ip6 saddr and ffff:ffff:ffff:ffff:ffff:: ct count over 1 } counter reject with tcp reset
@@ -88,6 +90,8 @@ table inet filter {
     }
 
     chain input-loopback {
+        meta l4proto != tcp accept
+        tcp dport != { 22, 80, 443 } accept
         tcp flags != syn accept
         tcp dport 22 ip saddr != $ip-allowlist-ssh add @ip-connlimit-ssh { ip saddr ct count over 1 } counter reject with tcp reset
         tcp dport 22 ip6 saddr != $ip6-allowlist-ssh add @ip6-connlimit-ssh { ip6 saddr and ffff:ffff:ffff:ffff:ffff:: ct count over 1 } counter reject with tcp reset
diff --git a/nftables-network.conf b/nftables-network.conf
index 2e76a32..57ce349 100644
--- a/nftables-network.conf
+++ b/nftables-network.conf
@@ -83,6 +83,8 @@ table inet filter {
     }
 
     chain input-established {
+        meta l4proto != tcp accept
+        tcp dport != { 22, 80, 443, 7275 } accept
         ct mark 0x1 accept
         tcp dport 22 ip saddr != $ip-allowlist-ssh add @ip-connlimit-ssh { ip saddr ct count over 1 } counter reject with tcp reset
         tcp dport 22 ip6 saddr != $ip6-allowlist-ssh add @ip6-connlimit-ssh { ip6 saddr and ffff:ffff:ffff:ffff:ffff:: ct count over 1 } counter reject with tcp reset
@@ -92,6 +94,8 @@ table inet filter {
     }
 
     chain input-loopback {
+        meta l4proto != tcp accept
+        tcp dport != { 22, 80, 443, 7275 } accept
         tcp flags != syn accept
         tcp dport 22 ip saddr != $ip-allowlist-ssh add @ip-connlimit-ssh { ip saddr ct count over 1 } counter reject with tcp reset
         tcp dport 22 ip6 saddr != $ip6-allowlist-ssh add @ip6-connlimit-ssh { ip6 saddr and ffff:ffff:ffff:ffff:ffff:: ct count over 1 } counter reject with tcp reset
diff --git a/nftables-ns1.conf b/nftables-ns1.conf
index 08f1e27..fe1f439 100644
--- a/nftables-ns1.conf
+++ b/nftables-ns1.conf
@@ -82,6 +82,8 @@ table inet filter {
     }
 
     chain input-established {
+        meta l4proto != tcp accept
+        tcp dport != { 22, 53, 80, 443, 853 } accept
         ct mark 0x1 accept
         tcp dport 22 ip saddr != $ip-allowlist-ssh add @ip-connlimit-ssh { ip saddr ct count over 1 } counter reject with tcp reset
         tcp dport 22 ip6 saddr != $ip6-allowlist-ssh add @ip6-connlimit-ssh { ip6 saddr and ffff:ffff:ffff:ffff:ffff:: ct count over 1 } counter reject with tcp reset
@@ -91,6 +93,8 @@ table inet filter {
     }
 
     chain input-loopback {
+        meta l4proto != tcp accept
+        tcp dport != { 22, 53, 80, 443, 853 } accept
         tcp flags != syn accept
         tcp dport 22 ip saddr != $ip-allowlist-ssh add @ip-connlimit-ssh { ip saddr ct count over 1 } counter reject with tcp reset
         tcp dport 22 ip6 saddr != $ip6-allowlist-ssh add @ip6-connlimit-ssh { ip6 saddr and ffff:ffff:ffff:ffff:ffff:: ct count over 1 } counter reject with tcp reset
diff --git a/nftables-ns2.conf b/nftables-ns2.conf
index e0a7025..e84820b 100644
--- a/nftables-ns2.conf
+++ b/nftables-ns2.conf
@@ -87,6 +87,8 @@ table inet filter {
     }
 
     chain input-established {
+        meta l4proto != tcp accept
+        tcp dport != { 22, 53, 80, 443, 853 } accept
         ct mark 0x1 accept
         tcp dport 22 ip saddr != $ip-allowlist-ssh add @ip-connlimit-ssh { ip saddr ct count over 1 } counter reject with tcp reset
         tcp dport 22 ip6 saddr != $ip6-allowlist-ssh add @ip6-connlimit-ssh { ip6 saddr and ffff:ffff:ffff:ffff:ffff:: ct count over 1 } counter reject with tcp reset
@@ -96,6 +98,8 @@ table inet filter {
     }
 
     chain input-loopback {
+        meta l4proto != tcp accept
+        tcp dport != { 22, 53, 80, 443, 853 } accept
         tcp flags != syn accept
         tcp dport 22 ip saddr != $ip-allowlist-ssh add @ip-connlimit-ssh { ip saddr ct count over 1 } counter reject with tcp reset
         tcp dport 22 ip6 saddr != $ip6-allowlist-ssh add @ip6-connlimit-ssh { ip6 saddr and ffff:ffff:ffff:ffff:ffff:: ct count over 1 } counter reject with tcp reset
diff --git a/nftables-social.conf b/nftables-social.conf
index e4d2f7a..23ceac2 100644
--- a/nftables-social.conf
+++ b/nftables-social.conf
@@ -79,6 +79,8 @@ table inet filter {
     }
 
     chain input-established {
+        meta l4proto != tcp accept
+        tcp dport != { 22, 80, 443 } accept
         ct mark 0x1 accept
         tcp dport 22 ip saddr != $ip-allowlist-ssh add @ip-connlimit-ssh { ip saddr ct count over 1 } counter reject with tcp reset
         tcp dport 22 ip6 saddr != $ip6-allowlist-ssh add @ip6-connlimit-ssh { ip6 saddr and ffff:ffff:ffff:ffff:ffff:: ct count over 1 } counter reject with tcp reset
@@ -88,6 +90,8 @@ table inet filter {
     }
 
     chain input-loopback {
+        meta l4proto != tcp accept
+        tcp dport != { 22, 80, 443 } accept
         tcp flags != syn accept
         tcp dport 22 ip saddr != $ip-allowlist-ssh add @ip-connlimit-ssh { ip saddr ct count over 1 } counter reject with tcp reset
         tcp dport 22 ip6 saddr != $ip6-allowlist-ssh add @ip6-connlimit-ssh { ip6 saddr and ffff:ffff:ffff:ffff:ffff:: ct count over 1 } counter reject with tcp reset
diff --git a/nftables-web.conf b/nftables-web.conf
index 3d70cf5..bcd5428 100644
--- a/nftables-web.conf
+++ b/nftables-web.conf
@@ -83,6 +83,8 @@ table inet filter {
     }
 
     chain input-established {
+        meta l4proto != tcp accept
+        tcp dport != { 22, 80, 443 } accept
         ct mark 0x1 accept
         tcp dport 22 ip saddr != $ip-allowlist-ssh add @ip-connlimit-ssh { ip saddr ct count over 1 } counter reject with tcp reset
         tcp dport 22 ip6 saddr != $ip6-allowlist-ssh add @ip6-connlimit-ssh { ip6 saddr and ffff:ffff:ffff:ffff:ffff:: ct count over 1 } counter reject with tcp reset
@@ -92,6 +94,8 @@ table inet filter {
     }
 
     chain input-loopback {
+        meta l4proto != tcp accept
+        tcp dport != { 22, 80, 443 } accept
         tcp flags != syn accept
         tcp dport 22 ip saddr != $ip-allowlist-ssh add @ip-connlimit-ssh { ip saddr ct count over 1 } counter reject with tcp reset
         tcp dport 22 ip6 saddr != $ip6-allowlist-ssh add @ip6-connlimit-ssh { ip6 saddr and ffff:ffff:ffff:ffff:ffff:: ct count over 1 } counter reject with tcp reset