diff --git a/nftables-attestation.conf b/nftables-attestation.conf index 1063e7b..934cac2 100644 --- a/nftables-attestation.conf +++ b/nftables-attestation.conf @@ -40,10 +40,14 @@ table inet filter { iif lo notrack accept # drop packets to address not configured on incoming interface (strong host model) + # + # ordered after accepting loopback to permit using external IPs via loopback fib daddr . iif type != { local, broadcast, multicast } counter drop + # handle new TCP connections beyond rate limit via synproxy to avoid conntrack table exhaustion tcp dport { 22, 80, 443 } tcp flags syn limit rate 1024/second burst 128 packets accept tcp dport { 22, 80, 443 } tcp flags syn counter notrack accept + meta l4proto { icmp, ipv6-icmp } notrack accept } @@ -51,19 +55,26 @@ table inet filter { type filter hook input priority filter policy drop - iif lo goto input-loopback + tcp dport { 22, 80, 443 } goto input-tcp-service + iif lo accept meta l4proto { icmp, ipv6-icmp } accept - ct state vmap { new : goto input-new, established : goto input-established, related : accept } + ct state vmap { new : goto graceful-reject, established : accept, related : accept } + } + + chain input-tcp-service { + iif lo goto input-tcp-service-loopback + + # for synproxy, SYN is untracked and first ACK is invalid which are handled via fallthrough + ct state vmap { new : goto input-tcp-service-new, established : goto input-tcp-service-established, related : accept } tcp dport 22 ip saddr @ip-connlimit-ssh counter reject with tcp reset tcp dport 22 ip6 saddr and ffff:ffff:ffff:ffff:ffff:: @ip6-connlimit-ssh counter reject with tcp reset tcp dport { 80, 443 } ip saddr @ip-connlimit-main counter reject with tcp reset tcp dport { 80, 443 } ip6 saddr and ffff:ffff:ffff:ffff:: @ip6-connlimit-main counter reject with tcp reset - tcp dport { 22, 80, 443 } synproxy mss 1460 wscale 7 timestamp sack-perm + synproxy mss 1460 wscale 7 timestamp sack-perm } - chain input-new { - tcp dport != { 22, 80, 443 } goto graceful-reject + chain input-tcp-service-new { tcp dport 22 ip saddr @ip-connlimit-ssh counter reject with tcp reset tcp dport 22 ip6 saddr and ffff:ffff:ffff:ffff:ffff:: @ip6-connlimit-ssh counter reject with tcp reset tcp dport { 80, 443 } ip saddr @ip-connlimit-main counter reject with tcp reset @@ -71,7 +82,7 @@ table inet filter { accept } - chain input-established { + chain input-tcp-service-established { ct mark 0x1 accept tcp dport 22 ip saddr != $ip-allowlist-ssh add @ip-connlimit-ssh { ip saddr ct count over 1 } counter reject with tcp reset tcp dport 22 ip6 saddr != $ip6-allowlist-ssh add @ip6-connlimit-ssh { ip6 saddr and ffff:ffff:ffff:ffff:ffff:: ct count over 1 } counter reject with tcp reset @@ -80,7 +91,7 @@ table inet filter { ct mark set 0x1 accept } - chain input-loopback { + chain input-tcp-service-loopback { tcp flags != syn accept tcp dport 22 ip saddr != $ip-allowlist-ssh add @ip-connlimit-ssh { ip saddr ct count over 1 } counter reject with tcp reset tcp dport 22 ip6 saddr != $ip6-allowlist-ssh add @ip6-connlimit-ssh { ip6 saddr and ffff:ffff:ffff:ffff:ffff:: ct count over 1 } counter reject with tcp reset diff --git a/nftables-discuss.conf b/nftables-discuss.conf index 227ca74..1a8e156 100644 --- a/nftables-discuss.conf +++ b/nftables-discuss.conf @@ -40,10 +40,14 @@ table inet filter { iif lo notrack accept # drop packets to address not configured on incoming interface (strong host model) + # + # ordered after accepting loopback to permit using external IPs via loopback fib daddr . iif type != { local, broadcast, multicast } counter drop + # handle new TCP connections beyond rate limit via synproxy to avoid conntrack table exhaustion tcp dport { 22, 80, 443 } tcp flags syn limit rate 1024/second burst 128 packets accept tcp dport { 22, 80, 443 } tcp flags syn counter notrack accept + meta l4proto { icmp, ipv6-icmp } notrack accept } @@ -51,19 +55,26 @@ table inet filter { type filter hook input priority filter policy drop - iif lo goto input-loopback + tcp dport { 22, 80, 443 } goto input-tcp-service + iif lo accept meta l4proto { icmp, ipv6-icmp } accept - ct state vmap { new : goto input-new, established : goto input-established, related : accept } + ct state vmap { new : goto graceful-reject, established : accept, related : accept } + } + + chain input-tcp-service { + iif lo goto input-tcp-service-loopback + + # for synproxy, SYN is untracked and first ACK is invalid which are handled via fallthrough + ct state vmap { new : goto input-tcp-service-new, established : goto input-tcp-service-established, related : accept } tcp dport 22 ip saddr @ip-connlimit-ssh counter reject with tcp reset tcp dport 22 ip6 saddr and ffff:ffff:ffff:ffff:ffff:: @ip6-connlimit-ssh counter reject with tcp reset tcp dport { 80, 443 } ip saddr @ip-connlimit-main counter reject with tcp reset tcp dport { 80, 443 } ip6 saddr and ffff:ffff:ffff:ffff:: @ip6-connlimit-main counter reject with tcp reset - tcp dport { 22, 80, 443 } synproxy mss 1460 wscale 7 timestamp sack-perm + synproxy mss 1460 wscale 7 timestamp sack-perm } - chain input-new { - tcp dport != { 22, 80, 443 } goto graceful-reject + chain input-tcp-service-new { tcp dport 22 ip saddr @ip-connlimit-ssh counter reject with tcp reset tcp dport 22 ip6 saddr and ffff:ffff:ffff:ffff:ffff:: @ip6-connlimit-ssh counter reject with tcp reset tcp dport { 80, 443 } ip saddr @ip-connlimit-main counter reject with tcp reset @@ -71,7 +82,7 @@ table inet filter { accept } - chain input-established { + chain input-tcp-service-established { ct mark 0x1 accept tcp dport 22 ip saddr != $ip-allowlist-ssh add @ip-connlimit-ssh { ip saddr ct count over 1 } counter reject with tcp reset tcp dport 22 ip6 saddr != $ip6-allowlist-ssh add @ip6-connlimit-ssh { ip6 saddr and ffff:ffff:ffff:ffff:ffff:: ct count over 1 } counter reject with tcp reset @@ -80,7 +91,7 @@ table inet filter { ct mark set 0x1 accept } - chain input-loopback { + chain input-tcp-service-loopback { tcp flags != syn accept tcp dport 22 ip saddr != $ip-allowlist-ssh add @ip-connlimit-ssh { ip saddr ct count over 1 } counter reject with tcp reset tcp dport 22 ip6 saddr != $ip6-allowlist-ssh add @ip6-connlimit-ssh { ip6 saddr and ffff:ffff:ffff:ffff:ffff:: ct count over 1 } counter reject with tcp reset diff --git a/nftables-mail.conf b/nftables-mail.conf index 69cc7fa..dd81b0a 100644 --- a/nftables-mail.conf +++ b/nftables-mail.conf @@ -40,10 +40,14 @@ table inet filter { iif lo notrack accept # drop packets to address not configured on incoming interface (strong host model) + # + # ordered after accepting loopback to permit using external IPs via loopback fib daddr . iif type != { local, broadcast, multicast } counter drop + # handle new TCP connections beyond rate limit via synproxy to avoid conntrack table exhaustion tcp dport { 22, 25, 80, 443, 465, 993 } tcp flags syn limit rate 1024/second burst 128 packets accept tcp dport { 22, 25, 80, 443, 465, 993 } tcp flags syn counter notrack accept + meta l4proto { icmp, ipv6-icmp } notrack accept } @@ -51,19 +55,26 @@ table inet filter { type filter hook input priority filter policy drop - iif lo goto input-loopback + tcp dport { 22, 25, 80, 443, 465, 993 } goto input-tcp-service + iif lo accept meta l4proto { icmp, ipv6-icmp } accept - ct state vmap { new : goto input-new, established : goto input-established, related : accept } + ct state vmap { new : goto graceful-reject, established : accept, related : accept } + } + + chain input-tcp-service { + iif lo goto input-tcp-service-loopback + + # for synproxy, SYN is untracked and first ACK is invalid which are handled via fallthrough + ct state vmap { new : goto input-tcp-service-new, established : goto input-tcp-service-established, related : accept } tcp dport 22 ip saddr @ip-connlimit-ssh counter reject with tcp reset tcp dport 22 ip6 saddr and ffff:ffff:ffff:ffff:ffff:: @ip6-connlimit-ssh counter reject with tcp reset tcp dport { 25, 80, 443, 465, 993 } ip saddr @ip-connlimit-main counter reject with tcp reset tcp dport { 25, 80, 443, 465, 993 } ip6 saddr and ffff:ffff:ffff:ffff:: @ip6-connlimit-main counter reject with tcp reset - tcp dport { 22, 25, 80, 443, 465, 993 } synproxy mss 1460 wscale 7 timestamp sack-perm + synproxy mss 1460 wscale 7 timestamp sack-perm } - chain input-new { - tcp dport != { 22, 25, 80, 443, 465, 993 } goto graceful-reject + chain input-tcp-service-new { tcp dport 22 ip saddr @ip-connlimit-ssh counter reject with tcp reset tcp dport 22 ip6 saddr and ffff:ffff:ffff:ffff:ffff:: @ip6-connlimit-ssh counter reject with tcp reset tcp dport { 25, 80, 443, 465, 993 } ip saddr @ip-connlimit-main counter reject with tcp reset @@ -71,7 +82,7 @@ table inet filter { accept } - chain input-established { + chain input-tcp-service-established { ct mark 0x1 accept tcp dport 22 ip saddr != $ip-allowlist-ssh add @ip-connlimit-ssh { ip saddr ct count over 1 } counter reject with tcp reset tcp dport 22 ip6 saddr != $ip6-allowlist-ssh add @ip6-connlimit-ssh { ip6 saddr and ffff:ffff:ffff:ffff:ffff:: ct count over 1 } counter reject with tcp reset @@ -80,7 +91,7 @@ table inet filter { ct mark set 0x1 accept } - chain input-loopback { + chain input-tcp-service-loopback { tcp flags != syn accept tcp dport 22 ip saddr != $ip-allowlist-ssh add @ip-connlimit-ssh { ip saddr ct count over 1 } counter reject with tcp reset tcp dport 22 ip6 saddr != $ip6-allowlist-ssh add @ip6-connlimit-ssh { ip6 saddr and ffff:ffff:ffff:ffff:ffff:: ct count over 1 } counter reject with tcp reset diff --git a/nftables-matrix.conf b/nftables-matrix.conf index a066d54..90163e2 100644 --- a/nftables-matrix.conf +++ b/nftables-matrix.conf @@ -40,10 +40,14 @@ table inet filter { iif lo notrack accept # drop packets to address not configured on incoming interface (strong host model) + # + # ordered after accepting loopback to permit using external IPs via loopback fib daddr . iif type != { local, broadcast, multicast } counter drop + # handle new TCP connections beyond rate limit via synproxy to avoid conntrack table exhaustion tcp dport { 22, 80, 443 } tcp flags syn limit rate 1024/second burst 128 packets accept tcp dport { 22, 80, 443 } tcp flags syn counter notrack accept + meta l4proto { icmp, ipv6-icmp } notrack accept } @@ -51,19 +55,26 @@ table inet filter { type filter hook input priority filter policy drop - iif lo goto input-loopback + tcp dport { 22, 80, 443 } goto input-tcp-service + iif lo accept meta l4proto { icmp, ipv6-icmp } accept - ct state vmap { new : goto input-new, established : goto input-established, related : accept } + ct state vmap { new : goto graceful-reject, established : accept, related : accept } + } + + chain input-tcp-service { + iif lo goto input-tcp-service-loopback + + # for synproxy, SYN is untracked and first ACK is invalid which are handled via fallthrough + ct state vmap { new : goto input-tcp-service-new, established : goto input-tcp-service-established, related : accept } tcp dport 22 ip saddr @ip-connlimit-ssh counter reject with tcp reset tcp dport 22 ip6 saddr and ffff:ffff:ffff:ffff:ffff:: @ip6-connlimit-ssh counter reject with tcp reset tcp dport { 80, 443 } ip saddr @ip-connlimit-main counter reject with tcp reset tcp dport { 80, 443 } ip6 saddr and ffff:ffff:ffff:ffff:: @ip6-connlimit-main counter reject with tcp reset - tcp dport { 22, 80, 443 } synproxy mss 1460 wscale 7 timestamp sack-perm + synproxy mss 1460 wscale 7 timestamp sack-perm } - chain input-new { - tcp dport != { 22, 80, 443 } goto graceful-reject + chain input-tcp-service-new { tcp dport 22 ip saddr @ip-connlimit-ssh counter reject with tcp reset tcp dport 22 ip6 saddr and ffff:ffff:ffff:ffff:ffff:: @ip6-connlimit-ssh counter reject with tcp reset tcp dport { 80, 443 } ip saddr @ip-connlimit-main counter reject with tcp reset @@ -71,7 +82,7 @@ table inet filter { accept } - chain input-established { + chain input-tcp-service-established { ct mark 0x1 accept tcp dport 22 ip saddr != $ip-allowlist-ssh add @ip-connlimit-ssh { ip saddr ct count over 1 } counter reject with tcp reset tcp dport 22 ip6 saddr != $ip6-allowlist-ssh add @ip6-connlimit-ssh { ip6 saddr and ffff:ffff:ffff:ffff:ffff:: ct count over 1 } counter reject with tcp reset @@ -80,7 +91,7 @@ table inet filter { ct mark set 0x1 accept } - chain input-loopback { + chain input-tcp-service-loopback { tcp flags != syn accept tcp dport 22 ip saddr != $ip-allowlist-ssh add @ip-connlimit-ssh { ip saddr ct count over 1 } counter reject with tcp reset tcp dport 22 ip6 saddr != $ip6-allowlist-ssh add @ip6-connlimit-ssh { ip6 saddr and ffff:ffff:ffff:ffff:ffff:: ct count over 1 } counter reject with tcp reset diff --git a/nftables-network.conf b/nftables-network.conf index d66147f..0036286 100644 --- a/nftables-network.conf +++ b/nftables-network.conf @@ -42,10 +42,14 @@ table inet filter { iif lo notrack accept # drop packets to address not configured on incoming interface (strong host model) + # + # ordered after accepting loopback to permit using external IPs via loopback fib daddr . iif type != { local, broadcast, multicast } counter drop + # handle new TCP connections beyond rate limit via synproxy to avoid conntrack table exhaustion tcp dport { 22, 80, 443, 7275 } tcp flags syn limit rate 1024/second burst 128 packets accept tcp dport { 22, 80, 443, 7275 } tcp flags syn counter notrack accept + udp dport 123 notrack accept meta l4proto { icmp, ipv6-icmp } notrack accept } @@ -54,20 +58,27 @@ table inet filter { type filter hook input priority filter policy drop - iif lo goto input-loopback + tcp dport { 22, 80, 443, 7275 } goto input-tcp-service + iif lo accept udp dport 123 accept meta l4proto { icmp, ipv6-icmp } accept - ct state vmap { new : goto input-new, established : goto input-established, related : accept } + ct state vmap { new : goto graceful-reject, established : accept, related : accept } + } + + chain input-tcp-service { + iif lo goto input-tcp-service-loopback + + # for synproxy, SYN is untracked and first ACK is invalid which are handled via fallthrough + ct state vmap { new : goto input-tcp-service-new, established : goto input-tcp-service-established, related : accept } tcp dport 22 ip saddr @ip-connlimit-ssh counter reject with tcp reset tcp dport 22 ip6 saddr and ffff:ffff:ffff:ffff:ffff:: @ip6-connlimit-ssh counter reject with tcp reset tcp dport { 80, 443, 7275 } ip saddr @ip-connlimit-main counter reject with tcp reset tcp dport { 80, 443, 7275 } ip6 saddr and ffff:ffff:ffff:ffff:: @ip6-connlimit-main counter reject with tcp reset - tcp dport { 22, 80, 443, 7275 } synproxy mss 1460 wscale 7 timestamp sack-perm + synproxy mss 1460 wscale 7 timestamp sack-perm } - chain input-new { - tcp dport != { 22, 80, 443, 7275 } goto graceful-reject + chain input-tcp-service-new { tcp dport 22 ip saddr @ip-connlimit-ssh counter reject with tcp reset tcp dport 22 ip6 saddr and ffff:ffff:ffff:ffff:ffff:: @ip6-connlimit-ssh counter reject with tcp reset tcp dport { 80, 443, 7275 } ip saddr @ip-connlimit-main counter reject with tcp reset @@ -75,7 +86,7 @@ table inet filter { accept } - chain input-established { + chain input-tcp-service-established { ct mark 0x1 accept tcp dport 22 ip saddr != $ip-allowlist-ssh add @ip-connlimit-ssh { ip saddr ct count over 1 } counter reject with tcp reset tcp dport 22 ip6 saddr != $ip6-allowlist-ssh add @ip6-connlimit-ssh { ip6 saddr and ffff:ffff:ffff:ffff:ffff:: ct count over 1 } counter reject with tcp reset @@ -84,7 +95,7 @@ table inet filter { ct mark set 0x1 accept } - chain input-loopback { + chain input-tcp-service-loopback { tcp flags != syn accept tcp dport 22 ip saddr != $ip-allowlist-ssh add @ip-connlimit-ssh { ip saddr ct count over 1 } counter reject with tcp reset tcp dport 22 ip6 saddr != $ip6-allowlist-ssh add @ip6-connlimit-ssh { ip6 saddr and ffff:ffff:ffff:ffff:ffff:: ct count over 1 } counter reject with tcp reset diff --git a/nftables-ns1.conf b/nftables-ns1.conf index d143868..46473f5 100644 --- a/nftables-ns1.conf +++ b/nftables-ns1.conf @@ -40,11 +40,16 @@ table inet filter { iif lo notrack accept # drop packets to address not configured on incoming interface (strong host model) + # + # ordered after accepting loopback to permit using external IPs via loopback fib daddr . iif type != { local, broadcast, multicast } counter drop udp dport 53 notrack accept + + # handle new TCP connections beyond rate limit via synproxy to avoid conntrack table exhaustion tcp dport { 22, 53, 80, 443, 853 } tcp flags syn limit rate 1024/second burst 128 packets accept tcp dport { 22, 53, 80, 443, 853 } tcp flags syn counter notrack accept + meta l4proto { icmp, ipv6-icmp } notrack accept } @@ -52,20 +57,27 @@ table inet filter { type filter hook input priority filter policy drop - iif lo goto input-loopback + tcp dport { 22, 53, 80, 443, 853 } goto input-tcp-service + iif lo accept udp dport 53 accept meta l4proto { icmp, ipv6-icmp } accept - ct state vmap { new : goto input-new, established : goto input-established, related : accept } + ct state vmap { new : goto graceful-reject, established : accept, related : accept } + } + + chain input-tcp-service { + iif lo goto input-tcp-service-loopback + + # for synproxy, SYN is untracked and first ACK is invalid which are handled via fallthrough + ct state vmap { new : goto input-tcp-service-new, established : goto input-tcp-service-established, related : accept } tcp dport 22 ip saddr @ip-connlimit-ssh counter reject with tcp reset tcp dport 22 ip6 saddr and ffff:ffff:ffff:ffff:ffff:: @ip6-connlimit-ssh counter reject with tcp reset tcp dport { 53, 80, 443, 853 } ip saddr @ip-connlimit-main counter reject with tcp reset tcp dport { 53, 80, 443, 853 } ip6 saddr and ffff:ffff:ffff:ffff:: @ip6-connlimit-main counter reject with tcp reset - tcp dport { 22, 53, 80, 443, 853 } synproxy mss 1460 wscale 7 timestamp sack-perm + synproxy mss 1460 wscale 7 timestamp sack-perm } - chain input-new { - tcp dport != { 22, 53, 80, 443, 853 } goto graceful-reject + chain input-tcp-service-new { tcp dport 22 ip saddr @ip-connlimit-ssh counter reject with tcp reset tcp dport 22 ip6 saddr and ffff:ffff:ffff:ffff:ffff:: @ip6-connlimit-ssh counter reject with tcp reset tcp dport { 53, 80, 443, 853 } ip saddr @ip-connlimit-main counter reject with tcp reset @@ -73,7 +85,7 @@ table inet filter { accept } - chain input-established { + chain input-tcp-service-established { ct mark 0x1 accept tcp dport 22 ip saddr != $ip-allowlist-ssh add @ip-connlimit-ssh { ip saddr ct count over 1 } counter reject with tcp reset tcp dport 22 ip6 saddr != $ip6-allowlist-ssh add @ip6-connlimit-ssh { ip6 saddr and ffff:ffff:ffff:ffff:ffff:: ct count over 1 } counter reject with tcp reset @@ -82,7 +94,7 @@ table inet filter { ct mark set 0x1 accept } - chain input-loopback { + chain input-tcp-service-loopback { tcp flags != syn accept tcp dport 22 ip saddr != $ip-allowlist-ssh add @ip-connlimit-ssh { ip saddr ct count over 1 } counter reject with tcp reset tcp dport 22 ip6 saddr != $ip6-allowlist-ssh add @ip6-connlimit-ssh { ip6 saddr and ffff:ffff:ffff:ffff:ffff:: ct count over 1 } counter reject with tcp reset diff --git a/nftables-ns2.conf b/nftables-ns2.conf index 608bf28..e5f4faf 100644 --- a/nftables-ns2.conf +++ b/nftables-ns2.conf @@ -42,14 +42,19 @@ table inet filter { iif lo notrack accept # drop packets to address not configured on incoming interface (strong host model) + # + # ordered after accepting loopback to permit using external IPs via loopback fib daddr . iif type != { local, broadcast, multicast } counter drop # reject SSH packets via anycast IP tcp dport 22 ip daddr 198.251.90.93 reject with tcp reset udp dport 53 notrack accept + + # handle new TCP connections beyond rate limit via synproxy to avoid conntrack table exhaustion tcp dport { 22, 53, 80, 443, 853 } tcp flags syn limit rate 1024/second burst 128 packets accept tcp dport { 22, 53, 80, 443, 853 } tcp flags syn counter notrack accept + meta l4proto { icmp, ipv6-icmp } notrack accept } @@ -57,20 +62,27 @@ table inet filter { type filter hook input priority filter policy drop - iif lo goto input-loopback + tcp dport { 22, 53, 80, 443, 853 } goto input-tcp-service + iif lo accept udp dport 53 accept meta l4proto { icmp, ipv6-icmp } accept - ct state vmap { new : goto input-new, established : goto input-established, related : accept } + ct state vmap { new : goto graceful-reject, established : accept, related : accept } + } + + chain input-tcp-service { + iif lo goto input-tcp-service-loopback + + # for synproxy, SYN is untracked and first ACK is invalid which are handled via fallthrough + ct state vmap { new : goto input-tcp-service-new, established : goto input-tcp-service-established, related : accept } tcp dport 22 ip saddr @ip-connlimit-ssh counter reject with tcp reset tcp dport 22 ip6 saddr and ffff:ffff:ffff:ffff:ffff:: @ip6-connlimit-ssh counter reject with tcp reset tcp dport { 53, 80, 443, 853 } ip saddr @ip-connlimit-main counter reject with tcp reset tcp dport { 53, 80, 443, 853 } ip6 saddr and ffff:ffff:ffff:ffff:: @ip6-connlimit-main counter reject with tcp reset - tcp dport { 22, 53, 80, 443, 853 } synproxy mss 1460 wscale 7 timestamp sack-perm + synproxy mss 1460 wscale 7 timestamp sack-perm } - chain input-new { - tcp dport != { 22, 53, 80, 443, 853 } goto graceful-reject + chain input-tcp-service-new { tcp dport 22 ip saddr @ip-connlimit-ssh counter reject with tcp reset tcp dport 22 ip6 saddr and ffff:ffff:ffff:ffff:ffff:: @ip6-connlimit-ssh counter reject with tcp reset tcp dport { 53, 80, 443, 853 } ip saddr @ip-connlimit-main counter reject with tcp reset @@ -78,7 +90,7 @@ table inet filter { accept } - chain input-established { + chain input-tcp-service-established { ct mark 0x1 accept tcp dport 22 ip saddr != $ip-allowlist-ssh add @ip-connlimit-ssh { ip saddr ct count over 1 } counter reject with tcp reset tcp dport 22 ip6 saddr != $ip6-allowlist-ssh add @ip6-connlimit-ssh { ip6 saddr and ffff:ffff:ffff:ffff:ffff:: ct count over 1 } counter reject with tcp reset @@ -87,7 +99,7 @@ table inet filter { ct mark set 0x1 accept } - chain input-loopback { + chain input-tcp-service-loopback { tcp flags != syn accept tcp dport 22 ip saddr != $ip-allowlist-ssh add @ip-connlimit-ssh { ip saddr ct count over 1 } counter reject with tcp reset tcp dport 22 ip6 saddr != $ip6-allowlist-ssh add @ip6-connlimit-ssh { ip6 saddr and ffff:ffff:ffff:ffff:ffff:: ct count over 1 } counter reject with tcp reset diff --git a/nftables-social.conf b/nftables-social.conf index 2e50c70..a948f39 100644 --- a/nftables-social.conf +++ b/nftables-social.conf @@ -40,10 +40,14 @@ table inet filter { iif lo notrack accept # drop packets to address not configured on incoming interface (strong host model) + # + # ordered after accepting loopback to permit using external IPs via loopback fib daddr . iif type != { local, broadcast, multicast } counter drop + # handle new TCP connections beyond rate limit via synproxy to avoid conntrack table exhaustion tcp dport { 22, 80, 443 } tcp flags syn limit rate 1024/second burst 128 packets accept tcp dport { 22, 80, 443 } tcp flags syn counter notrack accept + meta l4proto { icmp, ipv6-icmp } notrack accept } @@ -51,19 +55,26 @@ table inet filter { type filter hook input priority filter policy drop - iif lo goto input-loopback + tcp dport { 22, 80, 443 } goto input-tcp-service + iif lo accept meta l4proto { icmp, ipv6-icmp } accept - ct state vmap { new : goto input-new, established : goto input-established, related : accept } + ct state vmap { new : goto graceful-reject, established : accept, related : accept } + } + + chain input-tcp-service { + iif lo goto input-tcp-service-loopback + + # for synproxy, SYN is untracked and first ACK is invalid which are handled via fallthrough + ct state vmap { new : goto input-tcp-service-new, established : goto input-tcp-service-established, related : accept } tcp dport 22 ip saddr @ip-connlimit-ssh counter reject with tcp reset tcp dport 22 ip6 saddr and ffff:ffff:ffff:ffff:ffff:: @ip6-connlimit-ssh counter reject with tcp reset tcp dport { 80, 443 } ip saddr @ip-connlimit-main counter reject with tcp reset tcp dport { 80, 443 } ip6 saddr and ffff:ffff:ffff:ffff:: @ip6-connlimit-main counter reject with tcp reset - tcp dport { 22, 80, 443 } synproxy mss 1460 wscale 7 timestamp sack-perm + synproxy mss 1460 wscale 7 timestamp sack-perm } - chain input-new { - tcp dport != { 22, 80, 443 } goto graceful-reject + chain input-tcp-service-new { tcp dport 22 ip saddr @ip-connlimit-ssh counter reject with tcp reset tcp dport 22 ip6 saddr and ffff:ffff:ffff:ffff:ffff:: @ip6-connlimit-ssh counter reject with tcp reset tcp dport { 80, 443 } ip saddr @ip-connlimit-main counter reject with tcp reset @@ -71,7 +82,7 @@ table inet filter { accept } - chain input-established { + chain input-tcp-service-established { ct mark 0x1 accept tcp dport 22 ip saddr != $ip-allowlist-ssh add @ip-connlimit-ssh { ip saddr ct count over 1 } counter reject with tcp reset tcp dport 22 ip6 saddr != $ip6-allowlist-ssh add @ip6-connlimit-ssh { ip6 saddr and ffff:ffff:ffff:ffff:ffff:: ct count over 1 } counter reject with tcp reset @@ -80,7 +91,7 @@ table inet filter { ct mark set 0x1 accept } - chain input-loopback { + chain input-tcp-service-loopback { tcp flags != syn accept tcp dport 22 ip saddr != $ip-allowlist-ssh add @ip-connlimit-ssh { ip saddr ct count over 1 } counter reject with tcp reset tcp dport 22 ip6 saddr != $ip6-allowlist-ssh add @ip6-connlimit-ssh { ip6 saddr and ffff:ffff:ffff:ffff:ffff:: ct count over 1 } counter reject with tcp reset diff --git a/nftables-web.conf b/nftables-web.conf index 75c639c..e8b7d6a 100644 --- a/nftables-web.conf +++ b/nftables-web.conf @@ -44,10 +44,14 @@ table inet filter { iif lo notrack accept # drop packets to address not configured on incoming interface (strong host model) + # + # ordered after accepting loopback to permit using external IPs via loopback fib daddr . iif type != { local, broadcast, multicast } counter drop + # handle new TCP connections beyond rate limit via synproxy to avoid conntrack table exhaustion tcp dport { 22, 80, 443 } tcp flags syn limit rate 1024/second burst 128 packets accept tcp dport { 22, 80, 443 } tcp flags syn counter notrack accept + meta l4proto { icmp, ipv6-icmp } notrack accept } @@ -55,19 +59,26 @@ table inet filter { type filter hook input priority filter policy drop - iif lo goto input-loopback + tcp dport { 22, 80, 443 } goto input-tcp-service + iif lo accept meta l4proto { icmp, ipv6-icmp } accept - ct state vmap { new : goto input-new, established : goto input-established, related : accept } + ct state vmap { new : goto graceful-reject, established : accept, related : accept } + } + + chain input-tcp-service { + iif lo goto input-tcp-service-loopback + + # for synproxy, SYN is untracked and first ACK is invalid which are handled via fallthrough + ct state vmap { new : goto input-tcp-service-new, established : goto input-tcp-service-established, related : accept } tcp dport 22 ip saddr @ip-connlimit-ssh counter reject with tcp reset tcp dport 22 ip6 saddr and ffff:ffff:ffff:ffff:ffff:: @ip6-connlimit-ssh counter reject with tcp reset tcp dport { 80, 443 } ip saddr @ip-connlimit-main counter reject with tcp reset tcp dport { 80, 443 } ip6 saddr and ffff:ffff:ffff:ffff:: @ip6-connlimit-main counter reject with tcp reset - tcp dport { 22, 80, 443 } synproxy mss 1460 wscale 7 timestamp sack-perm + synproxy mss 1460 wscale 7 timestamp sack-perm } - chain input-new { - tcp dport != { 22, 80, 443 } goto graceful-reject + chain input-tcp-service-new { tcp dport 22 ip saddr @ip-connlimit-ssh counter reject with tcp reset tcp dport 22 ip6 saddr and ffff:ffff:ffff:ffff:ffff:: @ip6-connlimit-ssh counter reject with tcp reset tcp dport { 80, 443 } ip saddr @ip-connlimit-main counter reject with tcp reset @@ -75,7 +86,7 @@ table inet filter { accept } - chain input-established { + chain input-tcp-service-established { ct mark 0x1 accept tcp dport 22 ip saddr != $ip-allowlist-ssh add @ip-connlimit-ssh { ip saddr ct count over 1 } counter reject with tcp reset tcp dport 22 ip6 saddr != $ip6-allowlist-ssh add @ip6-connlimit-ssh { ip6 saddr and ffff:ffff:ffff:ffff:ffff:: ct count over 1 } counter reject with tcp reset @@ -84,7 +95,7 @@ table inet filter { ct mark set 0x1 accept } - chain input-loopback { + chain input-tcp-service-loopback { tcp flags != syn accept tcp dport 22 ip saddr != $ip-allowlist-ssh add @ip-connlimit-ssh { ip saddr ct count over 1 } counter reject with tcp reset tcp dport 22 ip6 saddr != $ip6-allowlist-ssh add @ip6-connlimit-ssh { ip6 saddr and ffff:ffff:ffff:ffff:ffff:: ct count over 1 } counter reject with tcp reset