nftables: friendlier output traffic filtering

2024-09-27 19:15:43 +00:00 · 2022-06-29 20:18:51 -04:00 · 2022-06-29 20:18:51 -04:00 · e0ab41c4f4
commit e0ab41c4f4
parent 3ca0c347c6
6 changed files with 42 additions and 6 deletions
--- a/nftables-attestation.conf
+++ b/nftables-attestation.conf
@ -47,6 +47,12 @@ table inet filter {

        oif lo accept

-        skuid != {root, systemd-network, chrony, unbound, http, attestation} counter reject
+        skuid != {root, systemd-network, chrony, unbound, http, attestation} counter goto output-reject
+    }
+
+    chain output-reject {
+        meta l4proto udp reject
+        meta l4proto tcp reject with tcp reset
+        reject
    }
 }
--- a/nftables-discuss.conf
+++ b/nftables-discuss.conf
@ -47,6 +47,12 @@ table inet filter {

        oif lo accept

-        skuid != {root, systemd-network, chrony, unbound, http, flarum} counter reject
+        skuid != {root, systemd-network, chrony, unbound, http, flarum} counter goto output-reject
+    }
+
+    chain output-reject {
+        meta l4proto udp reject
+        meta l4proto tcp reject with tcp reset
+        reject
    }
 }
--- a/nftables-dns.conf
+++ b/nftables-dns.conf
@ -50,6 +50,12 @@ table inet filter {

        oif lo accept

-        skuid != {root, systemd-network, chrony, unbound, powerdns} counter reject
+        skuid != {root, systemd-network, chrony, unbound, powerdns} counter goto output-reject
+    }
+
+    chain output-reject {
+        meta l4proto udp reject
+        meta l4proto tcp reject with tcp reset
+        reject
    }
 }
--- a/nftables-mail.conf
+++ b/nftables-mail.conf
@ -47,6 +47,12 @@ table inet filter {

        oif lo accept

-        skuid != {root, systemd-network, chrony, unbound, postfix, dovecot, dovenull} counter reject
+        skuid != {root, systemd-network, chrony, unbound, postfix, dovecot, dovenull} counter goto output-reject
+    }
+
+    chain output-reject {
+        meta l4proto udp reject
+        meta l4proto tcp reject with tcp reset
+        reject
    }
 }
--- a/nftables-matrix.conf
+++ b/nftables-matrix.conf
@ -47,6 +47,12 @@ table inet filter {

        oif lo accept

-        skuid != {root, systemd-network, chrony, unbound, http, synapse, matterbridge} counter reject
+        skuid != {root, systemd-network, chrony, unbound, http, synapse, matterbridge} counter goto output-reject
+    }
+
+    chain output-reject {
+        meta l4proto udp reject
+        meta l4proto tcp reject with tcp reset
+        reject
    }
 }
--- a/nftables-web.conf
+++ b/nftables-web.conf
@ -47,6 +47,12 @@ table inet filter {

        oif lo accept

-        skuid != {root, systemd-network, chrony, unbound, http} counter reject
+        skuid != {root, systemd-network, chrony, unbound, http} counter goto output-reject
+    }
+
+    chain output-reject {
+        meta l4proto udp reject
+        meta l4proto tcp reject with tcp reset
+        reject
    }
 }