Git-Mirrors/graphene-os-server-infrastructure
1
0
Fork 0
mirror of https://github.com/GrapheneOS/infrastructure.git synced 2025-05-17 14:10:28 -04:00
Code Issues Projects Releases Packages Wiki Activity

enforce strict reverse path filtering via nftables

Browse source
This commit is contained in:
Daniel Micay 2024-03-23 11:18:02 -04:00
parent 81fa5f8ebd
commit ec2cbbdb4e
10 changed files with 31 additions and 0 deletions
Download patch file Download diff file Expand all files Collapse all files

3
nftables-attestation.conf
View file

@ -6,6 +6,9 @@ table inet filter {
chain prerouting-raw {
type filter hook prerouting priority raw
# drop packets without a reverse path (strict reverse path filtering)
fib saddr . iif oif missing counter drop
iif lo notrack accept
tcp dport {22, 80, 443} notrack accept
meta l4proto {icmp, ipv6-icmp} notrack accept

3
nftables-discuss.conf
View file

@ -6,6 +6,9 @@ table inet filter {
chain prerouting-raw {
type filter hook prerouting priority raw
# drop packets without a reverse path (strict reverse path filtering)
fib saddr . iif oif missing counter drop
iif lo notrack accept
tcp dport {22, 80, 443} notrack accept
meta l4proto {icmp, ipv6-icmp} notrack accept

3
nftables-mail.conf
View file

@ -6,6 +6,9 @@ table inet filter {
chain prerouting-raw {
type filter hook prerouting priority raw
# drop packets without a reverse path (strict reverse path filtering)
fib saddr . iif oif missing counter drop
iif lo notrack accept
tcp dport {22, 25, 80, 443, 465, 993} notrack accept
meta l4proto {icmp, ipv6-icmp} notrack accept

3
nftables-matrix.conf
View file

@ -6,6 +6,9 @@ table inet filter {
chain prerouting-raw {
type filter hook prerouting priority raw
# drop packets without a reverse path (strict reverse path filtering)
fib saddr . iif oif missing counter drop
iif lo notrack accept
tcp dport {22, 80, 443} notrack accept
meta l4proto {icmp, ipv6-icmp} notrack accept

3
nftables-network.conf
View file

@ -6,6 +6,9 @@ table inet filter {
chain prerouting-raw {
type filter hook prerouting priority raw
# drop packets without a reverse path (strict reverse path filtering)
fib saddr . iif oif missing counter drop
iif lo notrack accept
tcp dport {22, 80, 443, 7275} notrack accept
udp dport 123 notrack accept

3
nftables-ns1.conf
View file

@ -6,6 +6,9 @@ table inet filter {
chain prerouting-raw {
type filter hook prerouting priority raw
# drop packets without a reverse path (strict reverse path filtering)
fib saddr . iif oif missing counter drop
iif lo notrack accept
udp dport 53 notrack accept
tcp dport {22, 53, 80, 443, 853} notrack accept

3
nftables-ns2.conf
View file

@ -6,6 +6,9 @@ table inet filter {
chain prerouting-raw {
type filter hook prerouting priority raw
# drop packets without a reverse path (strict reverse path filtering)
fib saddr . iif oif missing counter drop
iif lo notrack accept
udp dport 53 notrack accept
tcp dport {22, 53, 80, 443, 853} notrack accept

3
nftables-social.conf
View file

@ -6,6 +6,9 @@ table inet filter {
chain prerouting-raw {
type filter hook prerouting priority raw
# drop packets without a reverse path (strict reverse path filtering)
fib saddr . iif oif missing counter drop
iif lo notrack accept
tcp dport {22, 80, 443} notrack accept
meta l4proto {icmp, ipv6-icmp} notrack accept

3
nftables-web.conf
View file

@ -6,6 +6,9 @@ table inet filter {
chain prerouting-raw {
type filter hook prerouting priority raw
# drop packets without a reverse path (strict reverse path filtering)
fib saddr . iif oif missing counter drop
iif lo notrack accept
tcp dport {22, 80, 443} notrack accept
meta l4proto {icmp, ipv6-icmp} notrack accept

4
sysctl.d/local.conf
View file

@ -28,6 +28,10 @@ net.ipv4.conf.default.accept_redirects = 0
net.netfilter.nf_conntrack_tcp_loose = 0
net.netfilter.nf_conntrack_tcp_timeout_established = 14400
# enforced with nftables to handle both IPv4 and IPv6 in the same way
net.ipv4.conf.default.rp_filter = 0
net.ipv4.conf.*.rp_filter = 0
net.mptcp.enabled = 0
kernel.yama.ptrace_scope = 2