enforce strict reverse path filtering via nftables
parent
81fa5f8ebd
commit
ec2cbbdb4e
@ -6,6 +6,9 @@ table inet filter {
chain prerouting-raw {
chain prerouting-raw {
type filter hook prerouting priority raw
type filter hook prerouting priority raw
# drop packets without a reverse path (strict reverse path filtering)
fib saddr . iif oif missing counter drop
iif lo notrack accept
iif lo notrack accept
tcp dport {22, 80, 443} notrack accept
tcp dport {22, 80, 443} notrack accept
meta l4proto {icmp, ipv6-icmp} notrack accept
meta l4proto {icmp, ipv6-icmp} notrack accept
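Review bot: `fib saddr . iif oif missing counter drop` is strict-mode reverse path filtering, so on any of these hosts that is multi-homed or uses policy routing (a VPN or tunnel interface with its own routes, for instance) legitimate packets whose source is reachable only via another interface are dropped, and the counter is the only evidence — no source address or interface is recorded. Since this drop is expected to be rare, a rate-limited log rule in front of it would make a misconfiguration or a spoofing wave visible in the journal: `fib saddr . iif oif missing limit rate 10/minute log prefix "rpf drop: "` followed by the existing `fib saddr . iif oif missing counter drop` (the limit must stay off the drop rule itself, otherwise packets above the limit would skip the drop). The comment could also state that this rule replaces `net.ipv4.conf.*.rp_filter`, which the same commit sets to 0, so a later edit does not re-enable one without the other. The same three added lines appear in the other eight `prerouting-raw` hunks (the ones ending at lines 95, 138, 181, 224, 267, 310, 353 and 396) and this applies to each of them. The `prerouting-raw` chain closes outside the hunk.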
@ -6,6 +6,9 @@ table inet filter {
chain prerouting-raw {
chain prerouting-raw {
type filter hook prerouting priority raw
type filter hook prerouting priority raw
# drop packets without a reverse path (strict reverse path filtering)
fib saddr . iif oif missing counter drop
iif lo notrack accept
iif lo notrack accept
tcp dport {22, 80, 443} notrack accept
tcp dport {22, 80, 443} notrack accept
meta l4proto {icmp, ipv6-icmp} notrack accept
meta l4proto {icmp, ipv6-icmp} notrack accept
@ -6,6 +6,9 @@ table inet filter {
chain prerouting-raw {
chain prerouting-raw {
type filter hook prerouting priority raw
type filter hook prerouting priority raw
# drop packets without a reverse path (strict reverse path filtering)
fib saddr . iif oif missing counter drop
iif lo notrack accept
iif lo notrack accept
tcp dport {22, 25, 80, 443, 465, 993} notrack accept
tcp dport {22, 25, 80, 443, 465, 993} notrack accept
meta l4proto {icmp, ipv6-icmp} notrack accept
meta l4proto {icmp, ipv6-icmp} notrack accept
@ -6,6 +6,9 @@ table inet filter {
chain prerouting-raw {
chain prerouting-raw {
type filter hook prerouting priority raw
type filter hook prerouting priority raw
# drop packets without a reverse path (strict reverse path filtering)
fib saddr . iif oif missing counter drop
iif lo notrack accept
iif lo notrack accept
tcp dport {22, 80, 443} notrack accept
tcp dport {22, 80, 443} notrack accept
meta l4proto {icmp, ipv6-icmp} notrack accept
meta l4proto {icmp, ipv6-icmp} notrack accept
@ -6,6 +6,9 @@ table inet filter {
chain prerouting-raw {
chain prerouting-raw {
type filter hook prerouting priority raw
type filter hook prerouting priority raw
# drop packets without a reverse path (strict reverse path filtering)
fib saddr . iif oif missing counter drop
iif lo notrack accept
iif lo notrack accept
tcp dport {22, 80, 443, 7275} notrack accept
tcp dport {22, 80, 443, 7275} notrack accept
udp dport 123 notrack accept
udp dport 123 notrack accept
@ -6,6 +6,9 @@ table inet filter {
chain prerouting-raw {
chain prerouting-raw {
type filter hook prerouting priority raw
type filter hook prerouting priority raw
# drop packets without a reverse path (strict reverse path filtering)
fib saddr . iif oif missing counter drop
iif lo notrack accept
iif lo notrack accept
udp dport 53 notrack accept
udp dport 53 notrack accept
tcp dport {22, 53, 80, 443, 853} notrack accept
tcp dport {22, 53, 80, 443, 853} notrack accept
@ -6,6 +6,9 @@ table inet filter {
chain prerouting-raw {
chain prerouting-raw {
type filter hook prerouting priority raw
type filter hook prerouting priority raw
# drop packets without a reverse path (strict reverse path filtering)
fib saddr . iif oif missing counter drop
iif lo notrack accept
iif lo notrack accept
udp dport 53 notrack accept
udp dport 53 notrack accept
tcp dport {22, 53, 80, 443, 853} notrack accept
tcp dport {22, 53, 80, 443, 853} notrack accept
@ -6,6 +6,9 @@ table inet filter {
chain prerouting-raw {
chain prerouting-raw {
type filter hook prerouting priority raw
type filter hook prerouting priority raw
# drop packets without a reverse path (strict reverse path filtering)
fib saddr . iif oif missing counter drop
iif lo notrack accept
iif lo notrack accept
tcp dport {22, 80, 443} notrack accept
tcp dport {22, 80, 443} notrack accept
meta l4proto {icmp, ipv6-icmp} notrack accept
meta l4proto {icmp, ipv6-icmp} notrack accept
@ -6,6 +6,9 @@ table inet filter {
chain prerouting-raw {
chain prerouting-raw {
type filter hook prerouting priority raw
type filter hook prerouting priority raw
# drop packets without a reverse path (strict reverse path filtering)
fib saddr . iif oif missing counter drop
iif lo notrack accept
iif lo notrack accept
tcp dport {22, 80, 443} notrack accept
tcp dport {22, 80, 443} notrack accept
meta l4proto {icmp, ipv6-icmp} notrack accept
meta l4proto {icmp, ipv6-icmp} notrack accept
@ -28,6 +28,10 @@ net.ipv4.conf.default.accept_redirects = 0
net.netfilter.nf_conntrack_tcp_loose = 0
net.netfilter.nf_conntrack_tcp_loose = 0
net.netfilter.nf_conntrack_tcp_timeout_established = 14400
net.netfilter.nf_conntrack_tcp_timeout_established = 14400
# enforced with nftables to handle both IPv4 and IPv6 in the same way
net.ipv4.conf.default.rp_filter = 0
net.ipv4.conf.*.rp_filter = 0
net.mptcp.enabled = 0
net.mptcp.enabled = 0
kernel.yama.ptrace_scope = 2
kernel.yama.ptrace_scope = 2
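Review bot: Setting `net.ipv4.conf.default.rp_filter = 0` and `net.ipv4.conf.*.rp_filter = 0` removes the kernel's own reverse path check, so on any boot where the nftables ruleset fails to load (a syntax error in a later edit, or unit ordering) IPv4 is left with no reverse path filtering at all instead of falling back to the sysctl. Keeping `net.ipv4.conf.*.rp_filter = 1` alongside the nftables rule is harmless when both are active (IPv4 is simply checked twice) and preserves a floor for IPv4 when the ruleset is absent. If the intent really is to have nftables as the single point of enforcement, the comment should say the rule is now load-bearing, e.g. `# rp_filter is disabled on purpose: strict reverse path filtering for both IPv4 and IPv6 is enforced by the nftables prerouting-raw chain, so that ruleset must load for this host to have any RPF`. The sysctl file continues outside the hunk.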