From b928b197b05a79d1ca4820da9dca4aafbc8b00f5 Mon Sep 17 00:00:00 2001
From: Daniel Micay
Date: Thu, 11 Apr 2024 15:59:07 -0400
Subject: [PATCH] nftables: add comments explaining adding to connlimit sets
---
nftables-attestation.conf | 2 ++
nftables-discuss.conf | 2 ++
nftables-mail.conf | 2 ++
nftables-matrix.conf | 2 ++
nftables-network.conf | 2 ++
nftables-ns1.conf | 2 ++
nftables-ns2.conf | 2 ++
nftables-social.conf | 2 ++
nftables-web.conf | 2 ++
9 files changed, 18 insertions(+)
diff --git a/nftables-attestation.conf b/nftables-attestation.conf
index 934cac2..a2e113f 100644
--- a/nftables-attestation.conf
+++ b/nftables-attestation.conf
@@ -82,6 +82,7 @@ table inet filter {
accept
}

+ # add connections established without synproxy to connection limit sets with limits enforced
chain input-tcp-service-established {
ct mark 0x1 accept
tcp dport 22 ip saddr != $ip-allowlist-ssh add @ip-connlimit-ssh { ip saddr ct count over 1 } counter reject with tcp reset
@@ -91,6 +92,7 @@ table inet filter {
ct mark set 0x1 accept
}

+ # add connections established with synproxy to connection limit sets with limits enforced
chain input-tcp-service-loopback {
tcp flags != syn accept
tcp dport 22 ip saddr != $ip-allowlist-ssh add @ip-connlimit-ssh { ip saddr ct count over 1 } counter reject with tcp reset
diff --git a/nftables-discuss.conf b/nftables-discuss.conf
index 1a8e156..f61b4d0 100644
--- a/nftables-discuss.conf
+++ b/nftables-discuss.conf
@@ -82,6 +82,7 @@ table inet filter {
accept
}

+ # add connections established without synproxy to connection limit sets with limits enforced
chain input-tcp-service-established {
ct mark 0x1 accept
tcp dport 22 ip saddr != $ip-allowlist-ssh add @ip-connlimit-ssh { ip saddr ct count over 1 } counter reject with tcp reset
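Review bot: The new comment, and the chain it sits above, are copied verbatim into nine configuration files (the matching hunks in nftables-discuss.conf, nftables-mail.conf, nftables-matrix.conf, nftables-network.conf, nftables-ns1.conf, nftables-ns2.conf, nftables-social.conf and nftables-web.conf), so every future wording or rule change has to be repeated nine times; moving these shared chains into one file pulled in with nftables' `include` would keep the copies from drifting. The comment also leaves the role of the mark unexplained: `ct mark 0x1 accept` on the line after the comment appears to skip connections that the synproxy path has already marked (the `ct mark set 0x1 accept` context at the start of the following hunk), so a second line such as `# ct mark 0x1 is set on the synproxy path; those connections are counted in input-tcp-service-loopback instead` would make the division of labour between the two chains explicit — worth confirming against the chain that sets the mark, which is outside the hunk. The body of input-tcp-service-established continues past the end of the hunk.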
@@ -91,6 +92,7 @@ table inet filter {
ct mark set 0x1 accept
}

+ # add connections established with synproxy to connection limit sets with limits enforced
chain input-tcp-service-loopback {
tcp flags != syn accept
tcp dport 22 ip saddr != $ip-allowlist-ssh add @ip-connlimit-ssh { ip saddr ct count over 1 } counter reject with tcp reset
diff --git a/nftables-mail.conf b/nftables-mail.conf
index dd81b0a..351988d 100644
--- a/nftables-mail.conf
+++ b/nftables-mail.conf
@@ -82,6 +82,7 @@ table inet filter {
accept
}

+ # add connections established without synproxy to connection limit sets with limits enforced
chain input-tcp-service-established {
ct mark 0x1 accept
tcp dport 22 ip saddr != $ip-allowlist-ssh add @ip-connlimit-ssh { ip saddr ct count over 1 } counter reject with tcp reset
@@ -91,6 +92,7 @@ table inet filter {
ct mark set 0x1 accept
}

+ # add connections established with synproxy to connection limit sets with limits enforced
chain input-tcp-service-loopback {
tcp flags != syn accept
tcp dport 22 ip saddr != $ip-allowlist-ssh add @ip-connlimit-ssh { ip saddr ct count over 1 } counter reject with tcp reset
diff --git a/nftables-matrix.conf b/nftables-matrix.conf
index 90163e2..17002ef 100644
--- a/nftables-matrix.conf
+++ b/nftables-matrix.conf
@@ -82,6 +82,7 @@ table inet filter {
accept
}

+ # add connections established without synproxy to connection limit sets with limits enforced
chain input-tcp-service-established {
ct mark 0x1 accept
tcp dport 22 ip saddr != $ip-allowlist-ssh add @ip-connlimit-ssh { ip saddr ct count over 1 } counter reject with tcp reset
@@ -91,6 +92,7 @@ table inet filter {
ct mark set 0x1 accept
}

+ # add connections established with synproxy to connection limit sets with limits enforced
chain input-tcp-service-loopback {
tcp flags != syn accept
tcp dport 22 ip saddr != $ip-allowlist-ssh add @ip-connlimit-ssh { ip saddr ct count over 1 } counter reject with tcp reset
diff --git a/nftables-network.conf b/nftables-network.conf
index 0036286..6088aa8 100644
--- a/nftables-network.conf
+++ b/nftables-network.conf
@@ -86,6 +86,7 @@ table inet filter {
accept
}

+ # add connections established without synproxy to connection limit sets with limits enforced
chain input-tcp-service-established {
ct mark 0x1 accept
tcp dport 22 ip saddr != $ip-allowlist-ssh add @ip-connlimit-ssh { ip saddr ct count over 1 } counter reject with tcp reset
@@ -95,6 +96,7 @@ table inet filter {
ct mark set 0x1 accept
}

+ # add connections established with synproxy to connection limit sets with limits enforced
chain input-tcp-service-loopback {
tcp flags != syn accept
tcp dport 22 ip saddr != $ip-allowlist-ssh add @ip-connlimit-ssh { ip saddr ct count over 1 } counter reject with tcp reset
diff --git a/nftables-ns1.conf b/nftables-ns1.conf
index 46473f5..a714516 100644
--- a/nftables-ns1.conf
+++ b/nftables-ns1.conf
@@ -85,6 +85,7 @@ table inet filter {
accept
}

+ # add connections established without synproxy to connection limit sets with limits enforced
chain input-tcp-service-established {
ct mark 0x1 accept
tcp dport 22 ip saddr != $ip-allowlist-ssh add @ip-connlimit-ssh { ip saddr ct count over 1 } counter reject with tcp reset
@@ -94,6 +95,7 @@ table inet filter {
ct mark set 0x1 accept
}

+ # add connections established with synproxy to connection limit sets with limits enforced
chain input-tcp-service-loopback {
tcp flags != syn accept
tcp dport 22 ip saddr != $ip-allowlist-ssh add @ip-connlimit-ssh { ip saddr ct count over 1 } counter reject with tcp reset
diff --git a/nftables-ns2.conf b/nftables-ns2.conf
index e5f4faf..6a002aa 100644
--- a/nftables-ns2.conf
+++ b/nftables-ns2.conf
@@ -90,6 +90,7 @@ table inet filter {
accept
}

+ # add connections established without synproxy to connection limit sets with limits enforced
chain input-tcp-service-established {
ct mark 0x1 accept
tcp dport 22 ip saddr != $ip-allowlist-ssh add @ip-connlimit-ssh { ip saddr ct count over 1 } counter reject with tcp reset
@@ -99,6 +100,7 @@ table inet filter {
ct mark set 0x1 accept
}

+ # add connections established with synproxy to connection limit sets with limits enforced
chain input-tcp-service-loopback {
tcp flags != syn accept
tcp dport 22 ip saddr != $ip-allowlist-ssh add @ip-connlimit-ssh { ip saddr ct count over 1 } counter reject with tcp reset
diff --git a/nftables-social.conf b/nftables-social.conf
index a948f39..087aac3 100644
--- a/nftables-social.conf
+++ b/nftables-social.conf
@@ -82,6 +82,7 @@ table inet filter {
accept
}

+ # add connections established without synproxy to connection limit sets with limits enforced
chain input-tcp-service-established {
ct mark 0x1 accept
tcp dport 22 ip saddr != $ip-allowlist-ssh add @ip-connlimit-ssh { ip saddr ct count over 1 } counter reject with tcp reset
@@ -91,6 +92,7 @@ table inet filter {
ct mark set 0x1 accept
}

+ # add connections established with synproxy to connection limit sets with limits enforced
chain input-tcp-service-loopback {
tcp flags != syn accept
tcp dport 22 ip saddr != $ip-allowlist-ssh add @ip-connlimit-ssh { ip saddr ct count over 1 } counter reject with tcp reset
diff --git a/nftables-web.conf b/nftables-web.conf
index e8b7d6a..d47464e 100644
--- a/nftables-web.conf
+++ b/nftables-web.conf
@@ -86,6 +86,7 @@ table inet filter {
accept
}

+ # add connections established without synproxy to connection limit sets with limits enforced
chain input-tcp-service-established {
ct mark 0x1 accept
tcp dport 22 ip saddr != $ip-allowlist-ssh add @ip-connlimit-ssh { ip saddr ct count over 1 } counter reject with tcp reset
@@ -95,6 +96,7 @@ table inet filter {
ct mark set 0x1 accept
}

+ # add connections established with synproxy to connection limit sets with limits enforced
chain input-tcp-service-loopback {
tcp flags != syn accept
tcp dport 22 ip saddr != $ip-allowlist-ssh add @ip-connlimit-ssh { ip saddr ct count over 1 } counter reject with tcp reset