From ecd14bddff53805645414a548f1ed075df5f6b52 Mon Sep 17 00:00:00 2001 From: Daniel Micay Date: Thu, 11 Apr 2024 09:49:50 -0400 Subject: [PATCH 1/7] nftables: explain ordering of strong host model check --- nftables-attestation.conf | 2 ++ nftables-discuss.conf | 2 ++ nftables-mail.conf | 2 ++ nftables-matrix.conf | 2 ++ nftables-network.conf | 2 ++ nftables-ns1.conf | 2 ++ nftables-ns2.conf | 2 ++ nftables-social.conf | 2 ++ nftables-web.conf | 2 ++ 9 files changed, 18 insertions(+) diff --git a/nftables-attestation.conf b/nftables-attestation.conf index 1063e7b..712f76e 100644 --- a/nftables-attestation.conf +++ b/nftables-attestation.conf @@ -40,6 +40,8 @@ table inet filter { iif lo notrack accept # drop packets to address not configured on incoming interface (strong host model) + # + # ordered after accepting loopback to permit using external IPs via loopback fib daddr . iif type != { local, broadcast, multicast } counter drop tcp dport { 22, 80, 443 } tcp flags syn limit rate 1024/second burst 128 packets accept diff --git a/nftables-discuss.conf b/nftables-discuss.conf index 227ca74..34d8124 100644 --- a/nftables-discuss.conf +++ b/nftables-discuss.conf @@ -40,6 +40,8 @@ table inet filter { iif lo notrack accept # drop packets to address not configured on incoming interface (strong host model) + # + # ordered after accepting loopback to permit using external IPs via loopback fib daddr . iif type != { local, broadcast, multicast } counter drop tcp dport { 22, 80, 443 } tcp flags syn limit rate 1024/second burst 128 packets accept diff --git a/nftables-mail.conf b/nftables-mail.conf index 69cc7fa..2d4dfb3 100644 --- a/nftables-mail.conf +++ b/nftables-mail.conf 
@@ -40,6 +40,8 @@ table inet filter { iif lo notrack accept # drop packets to address not configured on incoming interface (strong host model) + # + # ordered after accepting loopback to permit using external IPs via loopback fib daddr . iif type != { local, broadcast, multicast } counter drop tcp dport { 22, 25, 80, 443, 465, 993 } tcp flags syn limit rate 1024/second burst 128 packets accept diff --git a/nftables-matrix.conf b/nftables-matrix.conf index a066d54..9b7f897 100644 --- a/nftables-matrix.conf +++ b/nftables-matrix.conf @@ -40,6 +40,8 @@ table inet filter { iif lo notrack accept # drop packets to address not configured on incoming interface (strong host model) + # + # ordered after accepting loopback to permit using external IPs via loopback fib daddr . iif type != { local, broadcast, multicast } counter drop tcp dport { 22, 80, 443 } tcp flags syn limit rate 1024/second burst 128 packets accept diff --git a/nftables-network.conf b/nftables-network.conf index d66147f..3037651 100644 --- a/nftables-network.conf +++ b/nftables-network.conf @@ -42,6 +42,8 @@ table inet filter { iif lo notrack accept # drop packets to address not configured on incoming interface (strong host model) + # + # ordered after accepting loopback to permit using external IPs via loopback fib daddr . iif type != { local, broadcast, multicast } counter drop tcp dport { 22, 80, 443, 7275 } tcp flags syn limit rate 1024/second burst 128 packets accept diff --git a/nftables-ns1.conf b/nftables-ns1.conf index d143868..369db40 100644 --- a/nftables-ns1.conf +++ b/nftables-ns1.conf @@ -40,6 +40,8 @@ table inet filter { iif lo notrack accept # drop packets to address not configured on incoming interface (strong host model) + # + # ordered after accepting loopback to permit using external IPs via loopback fib daddr . iif type != { local, broadcast, multicast } counter drop udp dport 53 notrack accept diff --git a/nftables-ns2.conf b/nftables-ns2.conf index 608bf28..d6f6579 100644 
--- a/nftables-ns2.conf +++ b/nftables-ns2.conf @@ -42,6 +42,8 @@ table inet filter { iif lo notrack accept # drop packets to address not configured on incoming interface (strong host model) + # + # ordered after accepting loopback to permit using external IPs via loopback fib daddr . iif type != { local, broadcast, multicast } counter drop # reject SSH packets via anycast IP diff --git a/nftables-social.conf b/nftables-social.conf index 2e50c70..f33770b 100644 --- a/nftables-social.conf +++ b/nftables-social.conf @@ -40,6 +40,8 @@ table inet filter { iif lo notrack accept # drop packets to address not configured on incoming interface (strong host model) + # + # ordered after accepting loopback to permit using external IPs via loopback fib daddr . iif type != { local, broadcast, multicast } counter drop tcp dport { 22, 80, 443 } tcp flags syn limit rate 1024/second burst 128 packets accept diff --git a/nftables-web.conf b/nftables-web.conf index 75c639c..d3fc294 100644 --- a/nftables-web.conf +++ b/nftables-web.conf @@ -44,6 +44,8 @@ table inet filter { iif lo notrack accept # drop packets to address not configured on incoming interface (strong host model) + # + # ordered after accepting loopback to permit using external IPs via loopback fib daddr . iif type != { local, broadcast, multicast } counter drop tcp dport { 22, 80, 443 } tcp flags syn limit rate 1024/second burst 128 packets accept From 26a58b2492134733d0062aba399ff14a9b30339f Mon Sep 17 00:00:00 2001 From: Daniel Micay Date: Thu, 11 Apr 2024 09:56:30 -0400 Subject: [PATCH 2/7] nftables: explain synproxy bypass rate limit --- nftables-attestation.conf | 2 ++ nftables-discuss.conf | 2 ++ nftables-mail.conf | 2 ++ nftables-matrix.conf | 2 ++ nftables-network.conf | 2 ++ nftables-ns1.conf | 3 +++ nftables-ns2.conf | 3 +++ nftables-social.conf | 2 ++ nftables-web.conf | 2 ++ 9 files changed, 20 insertions(+) diff --git a/nftables-attestation.conf b/nftables-attestation.conf index 712f76e..405302e 100644 
--- a/nftables-attestation.conf +++ b/nftables-attestation.conf @@ -44,8 +44,10 @@ table inet filter { # ordered after accepting loopback to permit using external IPs via loopback fib daddr . iif type != { local, broadcast, multicast } counter drop + # handle new TCP connections beyond rate limit via synproxy to avoid conntrack table exhaustion tcp dport { 22, 80, 443 } tcp flags syn limit rate 1024/second burst 128 packets accept tcp dport { 22, 80, 443 } tcp flags syn counter notrack accept + meta l4proto { icmp, ipv6-icmp } notrack accept } diff --git a/nftables-discuss.conf b/nftables-discuss.conf index 34d8124..c71ca31 100644 --- a/nftables-discuss.conf +++ b/nftables-discuss.conf @@ -44,8 +44,10 @@ table inet filter { # ordered after accepting loopback to permit using external IPs via loopback fib daddr . iif type != { local, broadcast, multicast } counter drop + # handle new TCP connections beyond rate limit via synproxy to avoid conntrack table exhaustion tcp dport { 22, 80, 443 } tcp flags syn limit rate 1024/second burst 128 packets accept tcp dport { 22, 80, 443 } tcp flags syn counter notrack accept + meta l4proto { icmp, ipv6-icmp } notrack accept } diff --git a/nftables-mail.conf b/nftables-mail.conf index 2d4dfb3..57e8c2a 100644 --- a/nftables-mail.conf +++ b/nftables-mail.conf @@ -44,8 +44,10 @@ table inet filter { # ordered after accepting loopback to permit using external IPs via loopback fib daddr . iif type != { local, broadcast, multicast } counter drop + # handle new TCP connections beyond rate limit via synproxy to avoid conntrack table exhaustion tcp dport { 22, 25, 80, 443, 465, 993 } tcp flags syn limit rate 1024/second burst 128 packets accept tcp dport { 22, 25, 80, 443, 465, 993 } tcp flags syn counter notrack accept + meta l4proto { icmp, ipv6-icmp } notrack accept } diff --git a/nftables-matrix.conf b/nftables-matrix.conf index 9b7f897..616eaca 100644 --- a/nftables-matrix.conf +++ b/nftables-matrix.conf 
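Review bot: The added `meta l4proto { icmp, ipv6-icmp } notrack accept` is a behavioural change that the subject "explain synproxy bypass rate limit" does not announce, and the same goes for `udp dport 123 notrack accept` in the nftables-network.conf hunk; the ICMP line is also added in the discuss, mail, matrix, network, ns1, ns2, social and web hunks. Once ICMP is untracked, conntrack can no longer report it as `related`, which looks harmless for an input chain that accepts ICMP outright before its ct vmap (visible in the later hunks) but should be stated in the commit message and next to the rule, e.g. `# ICMP is accepted unconditionally in input, so conntrack entries for it are not needed`. The new comment could also make explicit that `limit rate 1024/second burst 128 packets` is a single global token bucket rather than a per-source limit, so one busy peer moves every other peer's new connections onto synproxy as well: `# handle new TCP connections beyond the global (not per-source) rate limit via synproxy to avoid conntrack table exhaustion`. The enclosing chain starts outside the hunk.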
@@ -44,8 +44,10 @@ table inet filter { # ordered after accepting loopback to permit using external IPs via loopback fib daddr . iif type != { local, broadcast, multicast } counter drop + # handle new TCP connections beyond rate limit via synproxy to avoid conntrack table exhaustion tcp dport { 22, 80, 443 } tcp flags syn limit rate 1024/second burst 128 packets accept tcp dport { 22, 80, 443 } tcp flags syn counter notrack accept + meta l4proto { icmp, ipv6-icmp } notrack accept } diff --git a/nftables-network.conf b/nftables-network.conf index 3037651..6b4b6b1 100644 --- a/nftables-network.conf +++ b/nftables-network.conf @@ -46,8 +46,10 @@ table inet filter { # ordered after accepting loopback to permit using external IPs via loopback fib daddr . iif type != { local, broadcast, multicast } counter drop + # handle new TCP connections beyond rate limit via synproxy to avoid conntrack table exhaustion tcp dport { 22, 80, 443, 7275 } tcp flags syn limit rate 1024/second burst 128 packets accept tcp dport { 22, 80, 443, 7275 } tcp flags syn counter notrack accept + udp dport 123 notrack accept meta l4proto { icmp, ipv6-icmp } notrack accept } diff --git a/nftables-ns1.conf b/nftables-ns1.conf index 369db40..5949099 100644 --- a/nftables-ns1.conf +++ b/nftables-ns1.conf @@ -45,8 +45,11 @@ table inet filter { fib daddr . iif type != { local, broadcast, multicast } counter drop udp dport 53 notrack accept + + # handle new TCP connections beyond rate limit via synproxy to avoid conntrack table exhaustion tcp dport { 22, 53, 80, 443, 853 } tcp flags syn limit rate 1024/second burst 128 packets accept tcp dport { 22, 53, 80, 443, 853 } tcp flags syn counter notrack accept + meta l4proto { icmp, ipv6-icmp } notrack accept } diff --git a/nftables-ns2.conf b/nftables-ns2.conf index d6f6579..1030516 100644 --- a/nftables-ns2.conf +++ b/nftables-ns2.conf 
@@ -50,8 +50,11 @@ table inet filter { tcp dport 22 ip daddr 198.251.90.93 reject with tcp reset udp dport 53 notrack accept + + # handle new TCP connections beyond rate limit via synproxy to avoid conntrack table exhaustion tcp dport { 22, 53, 80, 443, 853 } tcp flags syn limit rate 1024/second burst 128 packets accept tcp dport { 22, 53, 80, 443, 853 } tcp flags syn counter notrack accept + meta l4proto { icmp, ipv6-icmp } notrack accept } diff --git a/nftables-social.conf b/nftables-social.conf index f33770b..65cb180 100644 --- a/nftables-social.conf +++ b/nftables-social.conf @@ -44,8 +44,10 @@ table inet filter { # ordered after accepting loopback to permit using external IPs via loopback fib daddr . iif type != { local, broadcast, multicast } counter drop + # handle new TCP connections beyond rate limit via synproxy to avoid conntrack table exhaustion tcp dport { 22, 80, 443 } tcp flags syn limit rate 1024/second burst 128 packets accept tcp dport { 22, 80, 443 } tcp flags syn counter notrack accept + meta l4proto { icmp, ipv6-icmp } notrack accept } diff --git a/nftables-web.conf b/nftables-web.conf index d3fc294..a7e2f75 100644 --- a/nftables-web.conf +++ b/nftables-web.conf @@ -48,8 +48,10 @@ table inet filter { # ordered after accepting loopback to permit using external IPs via loopback fib daddr . iif type != { local, broadcast, multicast } counter drop + # handle new TCP connections beyond rate limit via synproxy to avoid conntrack table exhaustion tcp dport { 22, 80, 443 } tcp flags syn limit rate 1024/second burst 128 packets accept tcp dport { 22, 80, 443 } tcp flags syn counter notrack accept + meta l4proto { icmp, ipv6-icmp } notrack accept } From 8f047de0c3be1fda3c8d4b651c54cb50a7e50c07 Mon Sep 17 00:00:00 2001 
From: Daniel Micay Date: Thu, 11 Apr 2024 10:19:39 -0400 Subject: [PATCH 3/7] nftables: explain synproxy untracked/invalid cases --- nftables-attestation.conf | 2 ++ nftables-discuss.conf | 2 ++ nftables-mail.conf | 2 ++ nftables-matrix.conf | 2 ++ nftables-network.conf | 2 ++ nftables-ns1.conf | 2 ++ nftables-ns2.conf | 2 ++ nftables-social.conf | 2 ++ nftables-web.conf | 2 ++ 9 files changed, 18 insertions(+) diff --git a/nftables-attestation.conf b/nftables-attestation.conf index 405302e..ff2340d 100644 --- a/nftables-attestation.conf +++ b/nftables-attestation.conf @@ -57,6 +57,8 @@ table inet filter { iif lo goto input-loopback meta l4proto { icmp, ipv6-icmp } accept + + # for synproxy, SYN is untracked and first ACK is invalid which are handled via fallthrough ct state vmap { new : goto input-new, established : goto input-established, related : accept } tcp dport 22 ip saddr @ip-connlimit-ssh counter reject with tcp reset diff --git a/nftables-discuss.conf b/nftables-discuss.conf index c71ca31..64677e7 100644 --- a/nftables-discuss.conf +++ b/nftables-discuss.conf @@ -57,6 +57,8 @@ table inet filter { iif lo goto input-loopback meta l4proto { icmp, ipv6-icmp } accept + + # for synproxy, SYN is untracked and first ACK is invalid which are handled via fallthrough ct state vmap { new : goto input-new, established : goto input-established, related : accept } tcp dport 22 ip saddr @ip-connlimit-ssh counter reject with tcp reset diff --git a/nftables-mail.conf b/nftables-mail.conf index 57e8c2a..edd56fd 100644 --- a/nftables-mail.conf +++ b/nftables-mail.conf @@ -57,6 +57,8 @@ table inet filter { iif lo goto input-loopback meta l4proto { icmp, ipv6-icmp } accept + + # for synproxy, SYN is untracked and first ACK is invalid which are handled via fallthrough ct state vmap { new : goto input-new, established : goto input-established, related : accept } tcp dport 22 ip saddr @ip-connlimit-ssh counter reject with tcp reset 
diff --git a/nftables-matrix.conf b/nftables-matrix.conf index 616eaca..7a81d23 100644 --- a/nftables-matrix.conf +++ b/nftables-matrix.conf @@ -57,6 +57,8 @@ table inet filter { iif lo goto input-loopback meta l4proto { icmp, ipv6-icmp } accept + + # for synproxy, SYN is untracked and first ACK is invalid which are handled via fallthrough ct state vmap { new : goto input-new, established : goto input-established, related : accept } tcp dport 22 ip saddr @ip-connlimit-ssh counter reject with tcp reset diff --git a/nftables-network.conf b/nftables-network.conf index 6b4b6b1..f343d55 100644 --- a/nftables-network.conf +++ b/nftables-network.conf @@ -61,6 +61,8 @@ table inet filter { iif lo goto input-loopback udp dport 123 accept meta l4proto { icmp, ipv6-icmp } accept + + # for synproxy, SYN is untracked and first ACK is invalid which are handled via fallthrough ct state vmap { new : goto input-new, established : goto input-established, related : accept } tcp dport 22 ip saddr @ip-connlimit-ssh counter reject with tcp reset diff --git a/nftables-ns1.conf b/nftables-ns1.conf index 5949099..5716612 100644 --- a/nftables-ns1.conf +++ b/nftables-ns1.conf @@ -60,6 +60,8 @@ table inet filter { iif lo goto input-loopback udp dport 53 accept meta l4proto { icmp, ipv6-icmp } accept + + # for synproxy, SYN is untracked and first ACK is invalid which are handled via fallthrough ct state vmap { new : goto input-new, established : goto input-established, related : accept } tcp dport 22 ip saddr @ip-connlimit-ssh counter reject with tcp reset diff --git a/nftables-ns2.conf b/nftables-ns2.conf index 1030516..8d2ee70 100644 --- a/nftables-ns2.conf +++ b/nftables-ns2.conf 
@@ -65,6 +65,8 @@ table inet filter { iif lo goto input-loopback udp dport 53 accept meta l4proto { icmp, ipv6-icmp } accept + + # for synproxy, SYN is untracked and first ACK is invalid which are handled via fallthrough ct state vmap { new : goto input-new, established : goto input-established, related : accept } tcp dport 22 ip saddr @ip-connlimit-ssh counter reject with tcp reset diff --git a/nftables-social.conf b/nftables-social.conf index 65cb180..e2975e7 100644 --- a/nftables-social.conf +++ b/nftables-social.conf @@ -57,6 +57,8 @@ table inet filter { iif lo goto input-loopback meta l4proto { icmp, ipv6-icmp } accept + + # for synproxy, SYN is untracked and first ACK is invalid which are handled via fallthrough ct state vmap { new : goto input-new, established : goto input-established, related : accept } tcp dport 22 ip saddr @ip-connlimit-ssh counter reject with tcp reset diff --git a/nftables-web.conf b/nftables-web.conf index a7e2f75..6b72cdb 100644 --- a/nftables-web.conf +++ b/nftables-web.conf @@ -61,6 +61,8 @@ table inet filter { iif lo goto input-loopback meta l4proto { icmp, ipv6-icmp } accept + + # for synproxy, SYN is untracked and first ACK is invalid which are handled via fallthrough ct state vmap { new : goto input-new, established : goto input-established, related : accept } tcp dport 22 ip saddr @ip-connlimit-ssh counter reject with tcp reset From 832a430954f03f790b21f61167d6980c66aee0a3 Mon Sep 17 00:00:00 2001 From: Daniel Micay Date: Thu, 11 Apr 2024 10:34:00 -0400 Subject: [PATCH 4/7] nftables: handle non-TCP case in input-new chain --- nftables-attestation.conf | 1 + nftables-discuss.conf | 1 + nftables-mail.conf | 1 + nftables-matrix.conf | 1 + nftables-network.conf | 1 + nftables-ns1.conf | 1 + nftables-ns2.conf | 1 + nftables-social.conf | 1 + nftables-web.conf | 1 + 9 files changed, 9 insertions(+) diff --git a/nftables-attestation.conf b/nftables-attestation.conf index ff2340d..2b7542f 100644 --- a/nftables-attestation.conf 
+++ b/nftables-attestation.conf @@ -69,6 +69,7 @@ table inet filter { } chain input-new { + meta l4proto != tcp goto graceful-reject tcp dport != { 22, 80, 443 } goto graceful-reject tcp dport 22 ip saddr @ip-connlimit-ssh counter reject with tcp reset tcp dport 22 ip6 saddr and ffff:ffff:ffff:ffff:ffff:: @ip6-connlimit-ssh counter reject with tcp reset diff --git a/nftables-discuss.conf b/nftables-discuss.conf index 64677e7..ab99a55 100644 --- a/nftables-discuss.conf +++ b/nftables-discuss.conf @@ -69,6 +69,7 @@ table inet filter { } chain input-new { + meta l4proto != tcp goto graceful-reject tcp dport != { 22, 80, 443 } goto graceful-reject tcp dport 22 ip saddr @ip-connlimit-ssh counter reject with tcp reset tcp dport 22 ip6 saddr and ffff:ffff:ffff:ffff:ffff:: @ip6-connlimit-ssh counter reject with tcp reset diff --git a/nftables-mail.conf b/nftables-mail.conf index edd56fd..f538879 100644 --- a/nftables-mail.conf +++ b/nftables-mail.conf @@ -69,6 +69,7 @@ table inet filter { } chain input-new { + meta l4proto != tcp goto graceful-reject tcp dport != { 22, 25, 80, 443, 465, 993 } goto graceful-reject tcp dport 22 ip saddr @ip-connlimit-ssh counter reject with tcp reset tcp dport 22 ip6 saddr and ffff:ffff:ffff:ffff:ffff:: @ip6-connlimit-ssh counter reject with tcp reset diff --git a/nftables-matrix.conf b/nftables-matrix.conf index 7a81d23..044758e 100644 --- a/nftables-matrix.conf +++ b/nftables-matrix.conf @@ -69,6 +69,7 @@ table inet filter { } chain input-new { + meta l4proto != tcp goto graceful-reject tcp dport != { 22, 80, 443 } goto graceful-reject tcp dport 22 ip saddr @ip-connlimit-ssh counter reject with tcp reset tcp dport 22 ip6 saddr and ffff:ffff:ffff:ffff:ffff:: @ip6-connlimit-ssh counter reject with tcp reset diff --git a/nftables-network.conf b/nftables-network.conf index f343d55..2e76a32 100644 --- a/nftables-network.conf +++ b/nftables-network.conf 
@@ -73,6 +73,7 @@ table inet filter { } chain input-new { + meta l4proto != tcp goto graceful-reject tcp dport != { 22, 80, 443, 7275 } goto graceful-reject tcp dport 22 ip saddr @ip-connlimit-ssh counter reject with tcp reset tcp dport 22 ip6 saddr and ffff:ffff:ffff:ffff:ffff:: @ip6-connlimit-ssh counter reject with tcp reset diff --git a/nftables-ns1.conf b/nftables-ns1.conf index 5716612..08f1e27 100644 --- a/nftables-ns1.conf +++ b/nftables-ns1.conf @@ -72,6 +72,7 @@ table inet filter { } chain input-new { + meta l4proto != tcp goto graceful-reject tcp dport != { 22, 53, 80, 443, 853 } goto graceful-reject tcp dport 22 ip saddr @ip-connlimit-ssh counter reject with tcp reset tcp dport 22 ip6 saddr and ffff:ffff:ffff:ffff:ffff:: @ip6-connlimit-ssh counter reject with tcp reset diff --git a/nftables-ns2.conf b/nftables-ns2.conf index 8d2ee70..e0a7025 100644 --- a/nftables-ns2.conf +++ b/nftables-ns2.conf @@ -77,6 +77,7 @@ table inet filter { } chain input-new { + meta l4proto != tcp goto graceful-reject tcp dport != { 22, 53, 80, 443, 853 } goto graceful-reject tcp dport 22 ip saddr @ip-connlimit-ssh counter reject with tcp reset tcp dport 22 ip6 saddr and ffff:ffff:ffff:ffff:ffff:: @ip6-connlimit-ssh counter reject with tcp reset diff --git a/nftables-social.conf b/nftables-social.conf index e2975e7..e4d2f7a 100644 --- a/nftables-social.conf +++ b/nftables-social.conf @@ -69,6 +69,7 @@ table inet filter { } chain input-new { + meta l4proto != tcp goto graceful-reject tcp dport != { 22, 80, 443 } goto graceful-reject tcp dport 22 ip saddr @ip-connlimit-ssh counter reject with tcp reset tcp dport 22 ip6 saddr and ffff:ffff:ffff:ffff:ffff:: @ip6-connlimit-ssh counter reject with tcp reset diff --git a/nftables-web.conf b/nftables-web.conf index 6b72cdb..3d70cf5 100644 --- a/nftables-web.conf +++ b/nftables-web.conf 
@@ -73,6 +73,7 @@ table inet filter { } chain input-new { + meta l4proto != tcp goto graceful-reject tcp dport != { 22, 80, 443 } goto graceful-reject tcp dport 22 ip saddr @ip-connlimit-ssh counter reject with tcp reset tcp dport 22 ip6 saddr and ffff:ffff:ffff:ffff:ffff:: @ip6-connlimit-ssh counter reject with tcp reset From b152574da88992a41369093f211b7a70c48c67f1 Mon Sep 17 00:00:00 2001 From: Daniel Micay Date: Thu, 11 Apr 2024 11:30:58 -0400 Subject: [PATCH 5/7] nftables: avoid unnecessary connection marking --- nftables-attestation.conf | 4 ++++ nftables-discuss.conf | 4 ++++ nftables-mail.conf | 4 ++++ nftables-matrix.conf | 4 ++++ nftables-network.conf | 4 ++++ nftables-ns1.conf | 4 ++++ nftables-ns2.conf | 4 ++++ nftables-social.conf | 4 ++++ nftables-web.conf | 4 ++++ 9 files changed, 36 insertions(+) diff --git a/nftables-attestation.conf b/nftables-attestation.conf index 2b7542f..cd83df7 100644 --- a/nftables-attestation.conf +++ b/nftables-attestation.conf @@ -79,6 +79,8 @@ table inet filter { } chain input-established { + meta l4proto != tcp accept + tcp dport != { 22, 80, 443 } accept ct mark 0x1 accept tcp dport 22 ip saddr != $ip-allowlist-ssh add @ip-connlimit-ssh { ip saddr ct count over 1 } counter reject with tcp reset tcp dport 22 ip6 saddr != $ip6-allowlist-ssh add @ip6-connlimit-ssh { ip6 saddr and ffff:ffff:ffff:ffff:ffff:: ct count over 1 } counter reject with tcp reset @@ -88,6 +90,8 @@ table inet filter { } chain input-loopback { + meta l4proto != tcp accept + tcp dport != { 22, 80, 443 } accept tcp flags != syn accept tcp dport 22 ip saddr != $ip-allowlist-ssh add @ip-connlimit-ssh { ip saddr ct count over 1 } counter reject with tcp reset tcp dport 22 ip6 saddr != $ip6-allowlist-ssh add @ip6-connlimit-ssh { ip6 saddr and ffff:ffff:ffff:ffff:ffff:: ct count over 1 } counter reject with tcp reset diff --git a/nftables-discuss.conf b/nftables-discuss.conf index ab99a55..a449097 100644 --- a/nftables-discuss.conf 
+++ b/nftables-discuss.conf @@ -79,6 +79,8 @@ table inet filter { } chain input-established { + meta l4proto != tcp accept + tcp dport != { 22, 80, 443 } accept ct mark 0x1 accept tcp dport 22 ip saddr != $ip-allowlist-ssh add @ip-connlimit-ssh { ip saddr ct count over 1 } counter reject with tcp reset tcp dport 22 ip6 saddr != $ip6-allowlist-ssh add @ip6-connlimit-ssh { ip6 saddr and ffff:ffff:ffff:ffff:ffff:: ct count over 1 } counter reject with tcp reset @@ -88,6 +90,8 @@ table inet filter { } chain input-loopback { + meta l4proto != tcp accept + tcp dport != { 22, 80, 443 } accept tcp flags != syn accept tcp dport 22 ip saddr != $ip-allowlist-ssh add @ip-connlimit-ssh { ip saddr ct count over 1 } counter reject with tcp reset tcp dport 22 ip6 saddr != $ip6-allowlist-ssh add @ip6-connlimit-ssh { ip6 saddr and ffff:ffff:ffff:ffff:ffff:: ct count over 1 } counter reject with tcp reset diff --git a/nftables-mail.conf b/nftables-mail.conf index f538879..8277c02 100644 --- a/nftables-mail.conf +++ b/nftables-mail.conf @@ -79,6 +79,8 @@ table inet filter { } chain input-established { + meta l4proto != tcp accept + tcp dport != { 22, 25, 80, 443, 465, 993 } accept ct mark 0x1 accept tcp dport 22 ip saddr != $ip-allowlist-ssh add @ip-connlimit-ssh { ip saddr ct count over 1 } counter reject with tcp reset tcp dport 22 ip6 saddr != $ip6-allowlist-ssh add @ip6-connlimit-ssh { ip6 saddr and ffff:ffff:ffff:ffff:ffff:: ct count over 1 } counter reject with tcp reset @@ -88,6 +90,8 @@ table inet filter { } chain input-loopback { + meta l4proto != tcp accept + tcp dport != { 22, 25, 80, 443, 465, 993 } accept tcp flags != syn accept tcp dport 22 ip saddr != $ip-allowlist-ssh add @ip-connlimit-ssh { ip saddr ct count over 1 } counter reject with tcp reset tcp dport 22 ip6 saddr != $ip6-allowlist-ssh add @ip6-connlimit-ssh { ip6 saddr and ffff:ffff:ffff:ffff:ffff:: ct count over 1 } counter reject with tcp reset 
diff --git a/nftables-matrix.conf b/nftables-matrix.conf index 044758e..1bdbc1f 100644 --- a/nftables-matrix.conf +++ b/nftables-matrix.conf @@ -79,6 +79,8 @@ table inet filter { } chain input-established { + meta l4proto != tcp accept + tcp dport != { 22, 80, 443 } accept ct mark 0x1 accept tcp dport 22 ip saddr != $ip-allowlist-ssh add @ip-connlimit-ssh { ip saddr ct count over 1 } counter reject with tcp reset tcp dport 22 ip6 saddr != $ip6-allowlist-ssh add @ip6-connlimit-ssh { ip6 saddr and ffff:ffff:ffff:ffff:ffff:: ct count over 1 } counter reject with tcp reset @@ -88,6 +90,8 @@ table inet filter { } chain input-loopback { + meta l4proto != tcp accept + tcp dport != { 22, 80, 443 } accept tcp flags != syn accept tcp dport 22 ip saddr != $ip-allowlist-ssh add @ip-connlimit-ssh { ip saddr ct count over 1 } counter reject with tcp reset tcp dport 22 ip6 saddr != $ip6-allowlist-ssh add @ip6-connlimit-ssh { ip6 saddr and ffff:ffff:ffff:ffff:ffff:: ct count over 1 } counter reject with tcp reset diff --git a/nftables-network.conf b/nftables-network.conf index 2e76a32..57ce349 100644 --- a/nftables-network.conf +++ b/nftables-network.conf @@ -83,6 +83,8 @@ table inet filter { } chain input-established { + meta l4proto != tcp accept + tcp dport != { 22, 80, 443, 7275 } accept ct mark 0x1 accept tcp dport 22 ip saddr != $ip-allowlist-ssh add @ip-connlimit-ssh { ip saddr ct count over 1 } counter reject with tcp reset tcp dport 22 ip6 saddr != $ip6-allowlist-ssh add @ip6-connlimit-ssh { ip6 saddr and ffff:ffff:ffff:ffff:ffff:: ct count over 1 } counter reject with tcp reset 
@@ -92,6 +94,8 @@ table inet filter { } chain input-loopback { + meta l4proto != tcp accept + tcp dport != { 22, 80, 443, 7275 } accept tcp flags != syn accept tcp dport 22 ip saddr != $ip-allowlist-ssh add @ip-connlimit-ssh { ip saddr ct count over 1 } counter reject with tcp reset tcp dport 22 ip6 saddr != $ip6-allowlist-ssh add @ip6-connlimit-ssh { ip6 saddr and ffff:ffff:ffff:ffff:ffff:: ct count over 1 } counter reject with tcp reset diff --git a/nftables-ns1.conf b/nftables-ns1.conf index 08f1e27..fe1f439 100644 --- a/nftables-ns1.conf +++ b/nftables-ns1.conf @@ -82,6 +82,8 @@ table inet filter { } chain input-established { + meta l4proto != tcp accept + tcp dport != { 22, 53, 80, 443, 853 } accept ct mark 0x1 accept tcp dport 22 ip saddr != $ip-allowlist-ssh add @ip-connlimit-ssh { ip saddr ct count over 1 } counter reject with tcp reset tcp dport 22 ip6 saddr != $ip6-allowlist-ssh add @ip6-connlimit-ssh { ip6 saddr and ffff:ffff:ffff:ffff:ffff:: ct count over 1 } counter reject with tcp reset @@ -91,6 +93,8 @@ table inet filter { } chain input-loopback { + meta l4proto != tcp accept + tcp dport != { 22, 53, 80, 443, 853 } accept tcp flags != syn accept tcp dport 22 ip saddr != $ip-allowlist-ssh add @ip-connlimit-ssh { ip saddr ct count over 1 } counter reject with tcp reset tcp dport 22 ip6 saddr != $ip6-allowlist-ssh add @ip6-connlimit-ssh { ip6 saddr and ffff:ffff:ffff:ffff:ffff:: ct count over 1 } counter reject with tcp reset diff --git a/nftables-ns2.conf b/nftables-ns2.conf index e0a7025..e84820b 100644 --- a/nftables-ns2.conf +++ b/nftables-ns2.conf 
@@ -87,6 +87,8 @@ table inet filter { } chain input-established { + meta l4proto != tcp accept + tcp dport != { 22, 53, 80, 443, 853 } accept ct mark 0x1 accept tcp dport 22 ip saddr != $ip-allowlist-ssh add @ip-connlimit-ssh { ip saddr ct count over 1 } counter reject with tcp reset tcp dport 22 ip6 saddr != $ip6-allowlist-ssh add @ip6-connlimit-ssh { ip6 saddr and ffff:ffff:ffff:ffff:ffff:: ct count over 1 } counter reject with tcp reset @@ -96,6 +98,8 @@ table inet filter { } chain input-loopback { + meta l4proto != tcp accept + tcp dport != { 22, 53, 80, 443, 853 } accept tcp flags != syn accept tcp dport 22 ip saddr != $ip-allowlist-ssh add @ip-connlimit-ssh { ip saddr ct count over 1 } counter reject with tcp reset tcp dport 22 ip6 saddr != $ip6-allowlist-ssh add @ip6-connlimit-ssh { ip6 saddr and ffff:ffff:ffff:ffff:ffff:: ct count over 1 } counter reject with tcp reset diff --git a/nftables-social.conf b/nftables-social.conf index e4d2f7a..23ceac2 100644 --- a/nftables-social.conf +++ b/nftables-social.conf @@ -79,6 +79,8 @@ table inet filter { } chain input-established { + meta l4proto != tcp accept + tcp dport != { 22, 80, 443 } accept ct mark 0x1 accept tcp dport 22 ip saddr != $ip-allowlist-ssh add @ip-connlimit-ssh { ip saddr ct count over 1 } counter reject with tcp reset tcp dport 22 ip6 saddr != $ip6-allowlist-ssh add @ip6-connlimit-ssh { ip6 saddr and ffff:ffff:ffff:ffff:ffff:: ct count over 1 } counter reject with tcp reset @@ -88,6 +90,8 @@ table inet filter { } chain input-loopback { + meta l4proto != tcp accept + tcp dport != { 22, 80, 443 } accept tcp flags != syn accept tcp dport 22 ip saddr != $ip-allowlist-ssh add @ip-connlimit-ssh { ip saddr ct count over 1 } counter reject with tcp reset tcp dport 22 ip6 saddr != $ip6-allowlist-ssh add @ip6-connlimit-ssh { ip6 saddr and ffff:ffff:ffff:ffff:ffff:: ct count over 1 } counter reject with tcp reset diff --git a/nftables-web.conf b/nftables-web.conf index 3d70cf5..bcd5428 100644 
--- a/nftables-web.conf +++ b/nftables-web.conf @@ -83,6 +83,8 @@ table inet filter { } chain input-established { + meta l4proto != tcp accept + tcp dport != { 22, 80, 443 } accept ct mark 0x1 accept tcp dport 22 ip saddr != $ip-allowlist-ssh add @ip-connlimit-ssh { ip saddr ct count over 1 } counter reject with tcp reset tcp dport 22 ip6 saddr != $ip6-allowlist-ssh add @ip6-connlimit-ssh { ip6 saddr and ffff:ffff:ffff:ffff:ffff:: ct count over 1 } counter reject with tcp reset @@ -92,6 +94,8 @@ table inet filter { } chain input-loopback { + meta l4proto != tcp accept + tcp dport != { 22, 80, 443 } accept tcp flags != syn accept tcp dport 22 ip saddr != $ip-allowlist-ssh add @ip-connlimit-ssh { ip saddr ct count over 1 } counter reject with tcp reset tcp dport 22 ip6 saddr != $ip6-allowlist-ssh add @ip6-connlimit-ssh { ip6 saddr and ffff:ffff:ffff:ffff:ffff:: ct count over 1 } counter reject with tcp reset From 3d886dea43a3bc3f8889bdd04630c3be040de757 Mon Sep 17 00:00:00 2001 From: Daniel Micay Date: Thu, 11 Apr 2024 11:49:22 -0400 Subject: [PATCH 6/7] nftables: split out TCP service chain --- nftables-attestation.conf | 16 ++++++++-------- nftables-discuss.conf | 16 ++++++++-------- nftables-mail.conf | 16 ++++++++-------- nftables-matrix.conf | 16 ++++++++-------- nftables-network.conf | 16 ++++++++-------- nftables-ns1.conf | 16 ++++++++-------- nftables-ns2.conf | 16 ++++++++-------- nftables-social.conf | 16 ++++++++-------- nftables-web.conf | 16 ++++++++-------- 9 files changed, 72 insertions(+), 72 deletions(-) diff --git a/nftables-attestation.conf b/nftables-attestation.conf index cd83df7..fa828f0 100644 --- a/nftables-attestation.conf +++ b/nftables-attestation.conf 
@@ -55,8 +55,14 @@ table inet filter { type filter hook input priority filter policy drop - iif lo goto input-loopback + tcp dport { 22, 80, 443 } goto input-tcp-service + iif lo accept meta l4proto { icmp, ipv6-icmp } accept + ct state vmap { new : goto graceful-reject, established : accept, related : accept } + } + + chain input-tcp-service { + iif lo goto input-loopback # for synproxy, SYN is untracked and first ACK is invalid which are handled via fallthrough ct state vmap { new : goto input-new, established : goto input-established, related : accept } @@ -65,12 +71,10 @@ table inet filter { tcp dport 22 ip6 saddr and ffff:ffff:ffff:ffff:ffff:: @ip6-connlimit-ssh counter reject with tcp reset tcp dport { 80, 443 } ip saddr @ip-connlimit-main counter reject with tcp reset tcp dport { 80, 443 } ip6 saddr and ffff:ffff:ffff:ffff:: @ip6-connlimit-main counter reject with tcp reset - tcp dport { 22, 80, 443 } synproxy mss 1460 wscale 7 timestamp sack-perm + synproxy mss 1460 wscale 7 timestamp sack-perm } chain input-new { - meta l4proto != tcp goto graceful-reject - tcp dport != { 22, 80, 443 } goto graceful-reject tcp dport 22 ip saddr @ip-connlimit-ssh counter reject with tcp reset tcp dport 22 ip6 saddr and ffff:ffff:ffff:ffff:ffff:: @ip6-connlimit-ssh counter reject with tcp reset tcp dport { 80, 443 } ip saddr @ip-connlimit-main counter reject with tcp reset @@ -79,8 +83,6 @@ table inet filter { } chain input-established { - meta l4proto != tcp accept - tcp dport != { 22, 80, 443 } accept ct mark 0x1 accept tcp dport 22 ip saddr != $ip-allowlist-ssh add @ip-connlimit-ssh { ip saddr ct count over 1 } counter reject with tcp reset tcp dport 22 ip6 saddr != $ip6-allowlist-ssh add @ip6-connlimit-ssh { ip6 saddr and ffff:ffff:ffff:ffff:ffff:: ct count over 1 } counter reject with tcp reset 
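Review bot: The new `tcp dport { 22, 80, 443 } goto input-tcp-service` rule is a third copy of the service-port set that the prerouting rate-limit and notrack rules already carry, so the copies can drift apart silently when a port is added; the file already uses `define`d values such as `$ip-allowlist-ssh`, so a `define tcp-service-ports = { 22, 80, 443 }` referenced from each of those rules would keep them in sync (the discuss and mail hunks repeat the pattern with their own port sets). The rebuilt base chain also deserves a comment on its vmap, because `invalid` packets — and any untracked packet not accepted above it — now reach `policy drop` without a visible rule, e.g. `# anything not new/established/related (invalid, untracked) falls through to policy drop`. Chain input-tcp-service continues into the following hunk.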
@@ -90,8 +92,6 @@ table inet filter { } chain input-loopback { - meta l4proto != tcp accept - tcp dport != { 22, 80, 443 } accept tcp flags != syn accept tcp dport 22 ip saddr != $ip-allowlist-ssh add @ip-connlimit-ssh { ip saddr ct count over 1 } counter reject with tcp reset tcp dport 22 ip6 saddr != $ip6-allowlist-ssh add @ip6-connlimit-ssh { ip6 saddr and ffff:ffff:ffff:ffff:ffff:: ct count over 1 } counter reject with tcp reset diff --git a/nftables-discuss.conf b/nftables-discuss.conf index a449097..3c2e248 100644 --- a/nftables-discuss.conf +++ b/nftables-discuss.conf @@ -55,8 +55,14 @@ table inet filter { type filter hook input priority filter policy drop - iif lo goto input-loopback + tcp dport { 22, 80, 443 } goto input-tcp-service + iif lo accept meta l4proto { icmp, ipv6-icmp } accept + ct state vmap { new : goto graceful-reject, established : accept, related : accept } + } + + chain input-tcp-service { + iif lo goto input-loopback # for synproxy, SYN is untracked and first ACK is invalid which are handled via fallthrough ct state vmap { new : goto input-new, established : goto input-established, related : accept } @@ -65,12 +71,10 @@ table inet filter { tcp dport 22 ip6 saddr and ffff:ffff:ffff:ffff:ffff:: @ip6-connlimit-ssh counter reject with tcp reset tcp dport { 80, 443 } ip saddr @ip-connlimit-main counter reject with tcp reset tcp dport { 80, 443 } ip6 saddr and ffff:ffff:ffff:ffff:: @ip6-connlimit-main counter reject with tcp reset - tcp dport { 22, 80, 443 } synproxy mss 1460 wscale 7 timestamp sack-perm + synproxy mss 1460 wscale 7 timestamp sack-perm } chain input-new { - meta l4proto != tcp goto graceful-reject - tcp dport != { 22, 80, 443 } goto graceful-reject tcp dport 22 ip saddr @ip-connlimit-ssh counter reject with tcp reset tcp dport 22 ip6 saddr and ffff:ffff:ffff:ffff:ffff:: @ip6-connlimit-ssh counter reject with tcp reset tcp dport { 80, 443 } ip saddr @ip-connlimit-main counter reject with tcp reset 
@@ -79,8 +83,6 @@ table inet filter { } chain input-established { - meta l4proto != tcp accept - tcp dport != { 22, 80, 443 } accept ct mark 0x1 accept tcp dport 22 ip saddr != $ip-allowlist-ssh add @ip-connlimit-ssh { ip saddr ct count over 1 } counter reject with tcp reset tcp dport 22 ip6 saddr != $ip6-allowlist-ssh add @ip6-connlimit-ssh { ip6 saddr and ffff:ffff:ffff:ffff:ffff:: ct count over 1 } counter reject with tcp reset @@ -90,8 +92,6 @@ table inet filter { } chain input-loopback { - meta l4proto != tcp accept - tcp dport != { 22, 80, 443 } accept tcp flags != syn accept tcp dport 22 ip saddr != $ip-allowlist-ssh add @ip-connlimit-ssh { ip saddr ct count over 1 } counter reject with tcp reset tcp dport 22 ip6 saddr != $ip6-allowlist-ssh add @ip6-connlimit-ssh { ip6 saddr and ffff:ffff:ffff:ffff:ffff:: ct count over 1 } counter reject with tcp reset diff --git a/nftables-mail.conf b/nftables-mail.conf index 8277c02..0722cb8 100644 --- a/nftables-mail.conf +++ b/nftables-mail.conf @@ -55,8 +55,14 @@ table inet filter { type filter hook input priority filter policy drop - iif lo goto input-loopback + tcp dport { 22, 25, 80, 443, 465, 993 } goto input-tcp-service + iif lo accept meta l4proto { icmp, ipv6-icmp } accept + ct state vmap { new : goto graceful-reject, established : accept, related : accept } + } + + chain input-tcp-service { + iif lo goto input-loopback # for synproxy, SYN is untracked and first ACK is invalid which are handled via fallthrough ct state vmap { new : goto input-new, established : goto input-established, related : accept } 
@@ -65,12 +71,10 @@ table inet filter { tcp dport 22 ip6 saddr and ffff:ffff:ffff:ffff:ffff:: @ip6-connlimit-ssh counter reject with tcp reset tcp dport { 25, 80, 443, 465, 993 } ip saddr @ip-connlimit-main counter reject with tcp reset tcp dport { 25, 80, 443, 465, 993 } ip6 saddr and ffff:ffff:ffff:ffff:: @ip6-connlimit-main counter reject with tcp reset - tcp dport { 22, 25, 80, 443, 465, 993 } synproxy mss 1460 wscale 7 timestamp sack-perm + synproxy mss 1460 wscale 7 timestamp sack-perm } chain input-new { - meta l4proto != tcp goto graceful-reject - tcp dport != { 22, 25, 80, 443, 465, 993 } goto graceful-reject tcp dport 22 ip saddr @ip-connlimit-ssh counter reject with tcp reset tcp dport 22 ip6 saddr and ffff:ffff:ffff:ffff:ffff:: @ip6-connlimit-ssh counter reject with tcp reset tcp dport { 25, 80, 443, 465, 993 } ip saddr @ip-connlimit-main counter reject with tcp reset @@ -79,8 +83,6 @@ table inet filter { } chain input-established { - meta l4proto != tcp accept - tcp dport != { 22, 25, 80, 443, 465, 993 } accept ct mark 0x1 accept tcp dport 22 ip saddr != $ip-allowlist-ssh add @ip-connlimit-ssh { ip saddr ct count over 1 } counter reject with tcp reset tcp dport 22 ip6 saddr != $ip6-allowlist-ssh add @ip6-connlimit-ssh { ip6 saddr and ffff:ffff:ffff:ffff:ffff:: ct count over 1 } counter reject with tcp reset @@ -90,8 +92,6 @@ table inet filter { } chain input-loopback { - meta l4proto != tcp accept - tcp dport != { 22, 25, 80, 443, 465, 993 } accept tcp flags != syn accept tcp dport 22 ip saddr != $ip-allowlist-ssh add @ip-connlimit-ssh { ip saddr ct count over 1 } counter reject with tcp reset tcp dport 22 ip6 saddr != $ip6-allowlist-ssh add @ip6-connlimit-ssh { ip6 saddr and ffff:ffff:ffff:ffff:ffff:: ct count over 1 } counter reject with tcp reset diff --git a/nftables-matrix.conf b/nftables-matrix.conf index 1bdbc1f..3664400 100644 --- a/nftables-matrix.conf +++ b/nftables-matrix.conf 
@@ -55,8 +55,14 @@ table inet filter { type filter hook input priority filter policy drop - iif lo goto input-loopback + tcp dport { 22, 80, 443 } goto input-tcp-service + iif lo accept meta l4proto { icmp, ipv6-icmp } accept + ct state vmap { new : goto graceful-reject, established : accept, related : accept } + } + + chain input-tcp-service { + iif lo goto input-loopback # for synproxy, SYN is untracked and first ACK is invalid which are handled via fallthrough ct state vmap { new : goto input-new, established : goto input-established, related : accept } @@ -65,12 +71,10 @@ table inet filter { tcp dport 22 ip6 saddr and ffff:ffff:ffff:ffff:ffff:: @ip6-connlimit-ssh counter reject with tcp reset tcp dport { 80, 443 } ip saddr @ip-connlimit-main counter reject with tcp reset tcp dport { 80, 443 } ip6 saddr and ffff:ffff:ffff:ffff:: @ip6-connlimit-main counter reject with tcp reset - tcp dport { 22, 80, 443 } synproxy mss 1460 wscale 7 timestamp sack-perm + synproxy mss 1460 wscale 7 timestamp sack-perm } chain input-new { - meta l4proto != tcp goto graceful-reject - tcp dport != { 22, 80, 443 } goto graceful-reject tcp dport 22 ip saddr @ip-connlimit-ssh counter reject with tcp reset tcp dport 22 ip6 saddr and ffff:ffff:ffff:ffff:ffff:: @ip6-connlimit-ssh counter reject with tcp reset tcp dport { 80, 443 } ip saddr @ip-connlimit-main counter reject with tcp reset @@ -79,8 +83,6 @@ table inet filter { } chain input-established { - meta l4proto != tcp accept - tcp dport != { 22, 80, 443 } accept ct mark 0x1 accept tcp dport 22 ip saddr != $ip-allowlist-ssh add @ip-connlimit-ssh { ip saddr ct count over 1 } counter reject with tcp reset tcp dport 22 ip6 saddr != $ip6-allowlist-ssh add @ip6-connlimit-ssh { ip6 saddr and ffff:ffff:ffff:ffff:ffff:: ct count over 1 } counter reject with tcp reset 
@@ -90,8 +92,6 @@ table inet filter { } chain input-loopback { - meta l4proto != tcp accept - tcp dport != { 22, 80, 443 } accept tcp flags != syn accept tcp dport 22 ip saddr != $ip-allowlist-ssh add @ip-connlimit-ssh { ip saddr ct count over 1 } counter reject with tcp reset tcp dport 22 ip6 saddr != $ip6-allowlist-ssh add @ip6-connlimit-ssh { ip6 saddr and ffff:ffff:ffff:ffff:ffff:: ct count over 1 } counter reject with tcp reset diff --git a/nftables-network.conf b/nftables-network.conf index 57ce349..bd3b595 100644 --- a/nftables-network.conf +++ b/nftables-network.conf @@ -58,9 +58,15 @@ table inet filter { type filter hook input priority filter policy drop - iif lo goto input-loopback + tcp dport { 22, 80, 443, 7275 } goto input-tcp-service + iif lo accept udp dport 123 accept meta l4proto { icmp, ipv6-icmp } accept + ct state vmap { new : goto graceful-reject, established : accept, related : accept } + } + + chain input-tcp-service { + iif lo goto input-loopback # for synproxy, SYN is untracked and first ACK is invalid which are handled via fallthrough ct state vmap { new : goto input-new, established : goto input-established, related : accept } 
@@ -69,12 +75,10 @@ table inet filter { tcp dport 22 ip6 saddr and ffff:ffff:ffff:ffff:ffff:: @ip6-connlimit-ssh counter reject with tcp reset tcp dport { 80, 443, 7275 } ip saddr @ip-connlimit-main counter reject with tcp reset tcp dport { 80, 443, 7275 } ip6 saddr and ffff:ffff:ffff:ffff:: @ip6-connlimit-main counter reject with tcp reset - tcp dport { 22, 80, 443, 7275 } synproxy mss 1460 wscale 7 timestamp sack-perm + synproxy mss 1460 wscale 7 timestamp sack-perm } chain input-new { - meta l4proto != tcp goto graceful-reject - tcp dport != { 22, 80, 443, 7275 } goto graceful-reject tcp dport 22 ip saddr @ip-connlimit-ssh counter reject with tcp reset tcp dport 22 ip6 saddr and ffff:ffff:ffff:ffff:ffff:: @ip6-connlimit-ssh counter reject with tcp reset tcp dport { 80, 443, 7275 } ip saddr @ip-connlimit-main counter reject with tcp reset @@ -83,8 +87,6 @@ table inet filter { } chain input-established { - meta l4proto != tcp accept - tcp dport != { 22, 80, 443, 7275 } accept ct mark 0x1 accept tcp dport 22 ip saddr != $ip-allowlist-ssh add @ip-connlimit-ssh { ip saddr ct count over 1 } counter reject with tcp reset tcp dport 22 ip6 saddr != $ip6-allowlist-ssh add @ip6-connlimit-ssh { ip6 saddr and ffff:ffff:ffff:ffff:ffff:: ct count over 1 } counter reject with tcp reset @@ -94,8 +96,6 @@ table inet filter { } chain input-loopback { - meta l4proto != tcp accept - tcp dport != { 22, 80, 443, 7275 } accept tcp flags != syn accept tcp dport 22 ip saddr != $ip-allowlist-ssh add @ip-connlimit-ssh { ip saddr ct count over 1 } counter reject with tcp reset tcp dport 22 ip6 saddr != $ip6-allowlist-ssh add @ip6-connlimit-ssh { ip6 saddr and ffff:ffff:ffff:ffff:ffff:: ct count over 1 } counter reject with tcp reset diff --git a/nftables-ns1.conf b/nftables-ns1.conf index fe1f439..b434f21 100644 --- a/nftables-ns1.conf +++ b/nftables-ns1.conf 
@@ -57,9 +57,15 @@ table inet filter { type filter hook input priority filter policy drop - iif lo goto input-loopback + tcp dport { 22, 53, 80, 443, 853 } goto input-tcp-service + iif lo accept udp dport 53 accept meta l4proto { icmp, ipv6-icmp } accept + ct state vmap { new : goto graceful-reject, established : accept, related : accept } + } + + chain input-tcp-service { + iif lo goto input-loopback # for synproxy, SYN is untracked and first ACK is invalid which are handled via fallthrough ct state vmap { new : goto input-new, established : goto input-established, related : accept } @@ -68,12 +74,10 @@ table inet filter { tcp dport 22 ip6 saddr and ffff:ffff:ffff:ffff:ffff:: @ip6-connlimit-ssh counter reject with tcp reset tcp dport { 53, 80, 443, 853 } ip saddr @ip-connlimit-main counter reject with tcp reset tcp dport { 53, 80, 443, 853 } ip6 saddr and ffff:ffff:ffff:ffff:: @ip6-connlimit-main counter reject with tcp reset - tcp dport { 22, 53, 80, 443, 853 } synproxy mss 1460 wscale 7 timestamp sack-perm + synproxy mss 1460 wscale 7 timestamp sack-perm } chain input-new { - meta l4proto != tcp goto graceful-reject - tcp dport != { 22, 53, 80, 443, 853 } goto graceful-reject tcp dport 22 ip saddr @ip-connlimit-ssh counter reject with tcp reset tcp dport 22 ip6 saddr and ffff:ffff:ffff:ffff:ffff:: @ip6-connlimit-ssh counter reject with tcp reset tcp dport { 53, 80, 443, 853 } ip saddr @ip-connlimit-main counter reject with tcp reset @@ -82,8 +86,6 @@ table inet filter { } chain input-established { - meta l4proto != tcp accept - tcp dport != { 22, 53, 80, 443, 853 } accept ct mark 0x1 accept tcp dport 22 ip saddr != $ip-allowlist-ssh add @ip-connlimit-ssh { ip saddr ct count over 1 } counter reject with tcp reset tcp dport 22 ip6 saddr != $ip6-allowlist-ssh add @ip6-connlimit-ssh { ip6 saddr and ffff:ffff:ffff:ffff:ffff:: ct count over 1 } counter reject with tcp reset 
@@ -93,8 +95,6 @@ table inet filter { } chain input-loopback { - meta l4proto != tcp accept - tcp dport != { 22, 53, 80, 443, 853 } accept tcp flags != syn accept tcp dport 22 ip saddr != $ip-allowlist-ssh add @ip-connlimit-ssh { ip saddr ct count over 1 } counter reject with tcp reset tcp dport 22 ip6 saddr != $ip6-allowlist-ssh add @ip6-connlimit-ssh { ip6 saddr and ffff:ffff:ffff:ffff:ffff:: ct count over 1 } counter reject with tcp reset diff --git a/nftables-ns2.conf b/nftables-ns2.conf index e84820b..448db7e 100644 --- a/nftables-ns2.conf +++ b/nftables-ns2.conf @@ -62,9 +62,15 @@ table inet filter { type filter hook input priority filter policy drop - iif lo goto input-loopback + tcp dport { 22, 53, 80, 443, 853 } goto input-tcp-service + iif lo accept udp dport 53 accept meta l4proto { icmp, ipv6-icmp } accept + ct state vmap { new : goto graceful-reject, established : accept, related : accept } + } + + chain input-tcp-service { + iif lo goto input-loopback # for synproxy, SYN is untracked and first ACK is invalid which are handled via fallthrough ct state vmap { new : goto input-new, established : goto input-established, related : accept } 
@@ -73,12 +79,10 @@ table inet filter { tcp dport 22 ip6 saddr and ffff:ffff:ffff:ffff:ffff:: @ip6-connlimit-ssh counter reject with tcp reset tcp dport { 53, 80, 443, 853 } ip saddr @ip-connlimit-main counter reject with tcp reset tcp dport { 53, 80, 443, 853 } ip6 saddr and ffff:ffff:ffff:ffff:: @ip6-connlimit-main counter reject with tcp reset - tcp dport { 22, 53, 80, 443, 853 } synproxy mss 1460 wscale 7 timestamp sack-perm + synproxy mss 1460 wscale 7 timestamp sack-perm } chain input-new { - meta l4proto != tcp goto graceful-reject - tcp dport != { 22, 53, 80, 443, 853 } goto graceful-reject tcp dport 22 ip saddr @ip-connlimit-ssh counter reject with tcp reset tcp dport 22 ip6 saddr and ffff:ffff:ffff:ffff:ffff:: @ip6-connlimit-ssh counter reject with tcp reset tcp dport { 53, 80, 443, 853 } ip saddr @ip-connlimit-main counter reject with tcp reset @@ -87,8 +91,6 @@ table inet filter { } chain input-established { - meta l4proto != tcp accept - tcp dport != { 22, 53, 80, 443, 853 } accept ct mark 0x1 accept tcp dport 22 ip saddr != $ip-allowlist-ssh add @ip-connlimit-ssh { ip saddr ct count over 1 } counter reject with tcp reset tcp dport 22 ip6 saddr != $ip6-allowlist-ssh add @ip6-connlimit-ssh { ip6 saddr and ffff:ffff:ffff:ffff:ffff:: ct count over 1 } counter reject with tcp reset @@ -98,8 +100,6 @@ table inet filter { } chain input-loopback { - meta l4proto != tcp accept - tcp dport != { 22, 53, 80, 443, 853 } accept tcp flags != syn accept tcp dport 22 ip saddr != $ip-allowlist-ssh add @ip-connlimit-ssh { ip saddr ct count over 1 } counter reject with tcp reset tcp dport 22 ip6 saddr != $ip6-allowlist-ssh add @ip6-connlimit-ssh { ip6 saddr and ffff:ffff:ffff:ffff:ffff:: ct count over 1 } counter reject with tcp reset diff --git a/nftables-social.conf b/nftables-social.conf index 23ceac2..234e9e3 100644 --- a/nftables-social.conf +++ b/nftables-social.conf 
@@ -55,8 +55,14 @@ table inet filter { type filter hook input priority filter policy drop - iif lo goto input-loopback + tcp dport { 22, 80, 443 } goto input-tcp-service + iif lo accept meta l4proto { icmp, ipv6-icmp } accept + ct state vmap { new : goto graceful-reject, established : accept, related : accept } + } + + chain input-tcp-service { + iif lo goto input-loopback # for synproxy, SYN is untracked and first ACK is invalid which are handled via fallthrough ct state vmap { new : goto input-new, established : goto input-established, related : accept } @@ -65,12 +71,10 @@ table inet filter { tcp dport 22 ip6 saddr and ffff:ffff:ffff:ffff:ffff:: @ip6-connlimit-ssh counter reject with tcp reset tcp dport { 80, 443 } ip saddr @ip-connlimit-main counter reject with tcp reset tcp dport { 80, 443 } ip6 saddr and ffff:ffff:ffff:ffff:: @ip6-connlimit-main counter reject with tcp reset - tcp dport { 22, 80, 443 } synproxy mss 1460 wscale 7 timestamp sack-perm + synproxy mss 1460 wscale 7 timestamp sack-perm } chain input-new { - meta l4proto != tcp goto graceful-reject - tcp dport != { 22, 80, 443 } goto graceful-reject tcp dport 22 ip saddr @ip-connlimit-ssh counter reject with tcp reset tcp dport 22 ip6 saddr and ffff:ffff:ffff:ffff:ffff:: @ip6-connlimit-ssh counter reject with tcp reset tcp dport { 80, 443 } ip saddr @ip-connlimit-main counter reject with tcp reset @@ -79,8 +83,6 @@ table inet filter { } chain input-established { - meta l4proto != tcp accept - tcp dport != { 22, 80, 443 } accept ct mark 0x1 accept tcp dport 22 ip saddr != $ip-allowlist-ssh add @ip-connlimit-ssh { ip saddr ct count over 1 } counter reject with tcp reset tcp dport 22 ip6 saddr != $ip6-allowlist-ssh add @ip6-connlimit-ssh { ip6 saddr and ffff:ffff:ffff:ffff:ffff:: ct count over 1 } counter reject with tcp reset 
@@ -90,8 +92,6 @@ table inet filter { } chain input-loopback { - meta l4proto != tcp accept - tcp dport != { 22, 80, 443 } accept tcp flags != syn accept tcp dport 22 ip saddr != $ip-allowlist-ssh add @ip-connlimit-ssh { ip saddr ct count over 1 } counter reject with tcp reset tcp dport 22 ip6 saddr != $ip6-allowlist-ssh add @ip6-connlimit-ssh { ip6 saddr and ffff:ffff:ffff:ffff:ffff:: ct count over 1 } counter reject with tcp reset diff --git a/nftables-web.conf b/nftables-web.conf index bcd5428..815f165 100644 --- a/nftables-web.conf +++ b/nftables-web.conf @@ -59,8 +59,14 @@ table inet filter { type filter hook input priority filter policy drop - iif lo goto input-loopback + tcp dport { 22, 80, 443 } goto input-tcp-service + iif lo accept meta l4proto { icmp, ipv6-icmp } accept + ct state vmap { new : goto graceful-reject, established : accept, related : accept } + } + + chain input-tcp-service { + iif lo goto input-loopback # for synproxy, SYN is untracked and first ACK is invalid which are handled via fallthrough ct state vmap { new : goto input-new, established : goto input-established, related : accept } @@ -69,12 +75,10 @@ table inet filter { tcp dport 22 ip6 saddr and ffff:ffff:ffff:ffff:ffff:: @ip6-connlimit-ssh counter reject with tcp reset tcp dport { 80, 443 } ip saddr @ip-connlimit-main counter reject with tcp reset tcp dport { 80, 443 } ip6 saddr and ffff:ffff:ffff:ffff:: @ip6-connlimit-main counter reject with tcp reset - tcp dport { 22, 80, 443 } synproxy mss 1460 wscale 7 timestamp sack-perm + synproxy mss 1460 wscale 7 timestamp sack-perm } chain input-new { - meta l4proto != tcp goto graceful-reject - tcp dport != { 22, 80, 443 } goto graceful-reject tcp dport 22 ip saddr @ip-connlimit-ssh counter reject with tcp reset tcp dport 22 ip6 saddr and ffff:ffff:ffff:ffff:ffff:: @ip6-connlimit-ssh counter reject with tcp reset tcp dport { 80, 443 } ip saddr @ip-connlimit-main counter reject with tcp reset 
@@ -83,8 +87,6 @@ table inet filter { } chain input-established { - meta l4proto != tcp accept - tcp dport != { 22, 80, 443 } accept ct mark 0x1 accept tcp dport 22 ip saddr != $ip-allowlist-ssh add @ip-connlimit-ssh { ip saddr ct count over 1 } counter reject with tcp reset tcp dport 22 ip6 saddr != $ip6-allowlist-ssh add @ip6-connlimit-ssh { ip6 saddr and ffff:ffff:ffff:ffff:ffff:: ct count over 1 } counter reject with tcp reset @@ -94,8 +96,6 @@ table inet filter { } chain input-loopback { - meta l4proto != tcp accept - tcp dport != { 22, 80, 443 } accept tcp flags != syn accept tcp dport 22 ip saddr != $ip-allowlist-ssh add @ip-connlimit-ssh { ip saddr ct count over 1 } counter reject with tcp reset tcp dport 22 ip6 saddr != $ip6-allowlist-ssh add @ip6-connlimit-ssh { ip6 saddr and ffff:ffff:ffff:ffff:ffff:: ct count over 1 } counter reject with tcp reset From edbf50a3da3ee69c333d570936a77be53c97d177 Mon Sep 17 00:00:00 2001 From: Daniel Micay Date: Thu, 11 Apr 2024 11:59:19 -0400 Subject: [PATCH 7/7] nftables: rename tcp service chains --- nftables-attestation.conf | 10 +++++----- nftables-discuss.conf | 10 +++++----- nftables-mail.conf | 10 +++++----- nftables-matrix.conf | 10 +++++----- nftables-network.conf | 10 +++++----- nftables-ns1.conf | 10 +++++----- nftables-ns2.conf | 10 +++++----- nftables-social.conf | 10 +++++----- nftables-web.conf | 10 +++++----- 9 files changed, 45 insertions(+), 45 deletions(-) diff --git a/nftables-attestation.conf b/nftables-attestation.conf index fa828f0..934cac2 100644 --- a/nftables-attestation.conf +++ b/nftables-attestation.conf 
@@ -62,10 +62,10 @@ table inet filter { } chain input-tcp-service { - iif lo goto input-loopback + iif lo goto input-tcp-service-loopback # for synproxy, SYN is untracked and first ACK is invalid which are handled via fallthrough - ct state vmap { new : goto input-new, established : goto input-established, related : accept } + ct state vmap { new : goto input-tcp-service-new, established : goto input-tcp-service-established, related : accept } tcp dport 22 ip saddr @ip-connlimit-ssh counter reject with tcp reset tcp dport 22 ip6 saddr and ffff:ffff:ffff:ffff:ffff:: @ip6-connlimit-ssh counter reject with tcp reset @@ -74,7 +74,7 @@ table inet filter { synproxy mss 1460 wscale 7 timestamp sack-perm } - chain input-new { + chain input-tcp-service-new { tcp dport 22 ip saddr @ip-connlimit-ssh counter reject with tcp reset tcp dport 22 ip6 saddr and ffff:ffff:ffff:ffff:ffff:: @ip6-connlimit-ssh counter reject with tcp reset tcp dport { 80, 443 } ip saddr @ip-connlimit-main counter reject with tcp reset @@ -82,7 +82,7 @@ table inet filter { accept } - chain input-established { + chain input-tcp-service-established { ct mark 0x1 accept tcp dport 22 ip saddr != $ip-allowlist-ssh add @ip-connlimit-ssh { ip saddr ct count over 1 } counter reject with tcp reset tcp dport 22 ip6 saddr != $ip6-allowlist-ssh add @ip6-connlimit-ssh { ip6 saddr and ffff:ffff:ffff:ffff:ffff:: ct count over 1 } counter reject with tcp reset @@ -91,7 +91,7 @@ table inet filter { ct mark set 0x1 accept } - chain input-loopback { + chain input-tcp-service-loopback { tcp flags != syn accept tcp dport 22 ip saddr != $ip-allowlist-ssh add @ip-connlimit-ssh { ip saddr ct count over 1 } counter reject with tcp reset tcp dport 22 ip6 saddr != $ip6-allowlist-ssh add @ip6-connlimit-ssh { ip6 saddr and ffff:ffff:ffff:ffff:ffff:: ct count over 1 } counter reject with tcp reset diff --git a/nftables-discuss.conf b/nftables-discuss.conf index 3c2e248..1a8e156 100644 --- a/nftables-discuss.conf 
+++ b/nftables-discuss.conf @@ -62,10 +62,10 @@ table inet filter { } chain input-tcp-service { - iif lo goto input-loopback + iif lo goto input-tcp-service-loopback # for synproxy, SYN is untracked and first ACK is invalid which are handled via fallthrough - ct state vmap { new : goto input-new, established : goto input-established, related : accept } + ct state vmap { new : goto input-tcp-service-new, established : goto input-tcp-service-established, related : accept } tcp dport 22 ip saddr @ip-connlimit-ssh counter reject with tcp reset tcp dport 22 ip6 saddr and ffff:ffff:ffff:ffff:ffff:: @ip6-connlimit-ssh counter reject with tcp reset @@ -74,7 +74,7 @@ table inet filter { synproxy mss 1460 wscale 7 timestamp sack-perm } - chain input-new { + chain input-tcp-service-new { tcp dport 22 ip saddr @ip-connlimit-ssh counter reject with tcp reset tcp dport 22 ip6 saddr and ffff:ffff:ffff:ffff:ffff:: @ip6-connlimit-ssh counter reject with tcp reset tcp dport { 80, 443 } ip saddr @ip-connlimit-main counter reject with tcp reset @@ -82,7 +82,7 @@ table inet filter { accept } - chain input-established { + chain input-tcp-service-established { ct mark 0x1 accept tcp dport 22 ip saddr != $ip-allowlist-ssh add @ip-connlimit-ssh { ip saddr ct count over 1 } counter reject with tcp reset tcp dport 22 ip6 saddr != $ip6-allowlist-ssh add @ip6-connlimit-ssh { ip6 saddr and ffff:ffff:ffff:ffff:ffff:: ct count over 1 } counter reject with tcp reset @@ -91,7 +91,7 @@ table inet filter { ct mark set 0x1 accept } - chain input-loopback { + chain input-tcp-service-loopback { tcp flags != syn accept tcp dport 22 ip saddr != $ip-allowlist-ssh add @ip-connlimit-ssh { ip saddr ct count over 1 } counter reject with tcp reset tcp dport 22 ip6 saddr != $ip6-allowlist-ssh add @ip6-connlimit-ssh { ip6 saddr and ffff:ffff:ffff:ffff:ffff:: ct count over 1 } counter reject with tcp reset diff --git a/nftables-mail.conf b/nftables-mail.conf index 0722cb8..dd81b0a 100644 --- a/nftables-mail.conf 
+++ b/nftables-mail.conf @@ -62,10 +62,10 @@ table inet filter { } chain input-tcp-service { - iif lo goto input-loopback + iif lo goto input-tcp-service-loopback # for synproxy, SYN is untracked and first ACK is invalid which are handled via fallthrough - ct state vmap { new : goto input-new, established : goto input-established, related : accept } + ct state vmap { new : goto input-tcp-service-new, established : goto input-tcp-service-established, related : accept } tcp dport 22 ip saddr @ip-connlimit-ssh counter reject with tcp reset tcp dport 22 ip6 saddr and ffff:ffff:ffff:ffff:ffff:: @ip6-connlimit-ssh counter reject with tcp reset @@ -74,7 +74,7 @@ table inet filter { synproxy mss 1460 wscale 7 timestamp sack-perm } - chain input-new { + chain input-tcp-service-new { tcp dport 22 ip saddr @ip-connlimit-ssh counter reject with tcp reset tcp dport 22 ip6 saddr and ffff:ffff:ffff:ffff:ffff:: @ip6-connlimit-ssh counter reject with tcp reset tcp dport { 25, 80, 443, 465, 993 } ip saddr @ip-connlimit-main counter reject with tcp reset @@ -82,7 +82,7 @@ table inet filter { accept } - chain input-established { + chain input-tcp-service-established { ct mark 0x1 accept tcp dport 22 ip saddr != $ip-allowlist-ssh add @ip-connlimit-ssh { ip saddr ct count over 1 } counter reject with tcp reset tcp dport 22 ip6 saddr != $ip6-allowlist-ssh add @ip6-connlimit-ssh { ip6 saddr and ffff:ffff:ffff:ffff:ffff:: ct count over 1 } counter reject with tcp reset @@ -91,7 +91,7 @@ table inet filter { ct mark set 0x1 accept } - chain input-loopback { + chain input-tcp-service-loopback { tcp flags != syn accept tcp dport 22 ip saddr != $ip-allowlist-ssh add @ip-connlimit-ssh { ip saddr ct count over 1 } counter reject with tcp reset tcp dport 22 ip6 saddr != $ip6-allowlist-ssh add @ip6-connlimit-ssh { ip6 saddr and ffff:ffff:ffff:ffff:ffff:: ct count over 1 } counter reject with tcp reset diff --git a/nftables-matrix.conf b/nftables-matrix.conf index 3664400..90163e2 100644 
--- a/nftables-matrix.conf +++ b/nftables-matrix.conf @@ -62,10 +62,10 @@ table inet filter { } chain input-tcp-service { - iif lo goto input-loopback + iif lo goto input-tcp-service-loopback # for synproxy, SYN is untracked and first ACK is invalid which are handled via fallthrough - ct state vmap { new : goto input-new, established : goto input-established, related : accept } + ct state vmap { new : goto input-tcp-service-new, established : goto input-tcp-service-established, related : accept } tcp dport 22 ip saddr @ip-connlimit-ssh counter reject with tcp reset tcp dport 22 ip6 saddr and ffff:ffff:ffff:ffff:ffff:: @ip6-connlimit-ssh counter reject with tcp reset @@ -74,7 +74,7 @@ table inet filter { synproxy mss 1460 wscale 7 timestamp sack-perm } - chain input-new { + chain input-tcp-service-new { tcp dport 22 ip saddr @ip-connlimit-ssh counter reject with tcp reset tcp dport 22 ip6 saddr and ffff:ffff:ffff:ffff:ffff:: @ip6-connlimit-ssh counter reject with tcp reset tcp dport { 80, 443 } ip saddr @ip-connlimit-main counter reject with tcp reset @@ -82,7 +82,7 @@ table inet filter { accept } - chain input-established { + chain input-tcp-service-established { ct mark 0x1 accept tcp dport 22 ip saddr != $ip-allowlist-ssh add @ip-connlimit-ssh { ip saddr ct count over 1 } counter reject with tcp reset tcp dport 22 ip6 saddr != $ip6-allowlist-ssh add @ip6-connlimit-ssh { ip6 saddr and ffff:ffff:ffff:ffff:ffff:: ct count over 1 } counter reject with tcp reset @@ -91,7 +91,7 @@ table inet filter { ct mark set 0x1 accept } - chain input-loopback { + chain input-tcp-service-loopback { tcp flags != syn accept tcp dport 22 ip saddr != $ip-allowlist-ssh add @ip-connlimit-ssh { ip saddr ct count over 1 } counter reject with tcp reset tcp dport 22 ip6 saddr != $ip6-allowlist-ssh add @ip6-connlimit-ssh { ip6 saddr and ffff:ffff:ffff:ffff:ffff:: ct count over 1 } counter reject with tcp reset 
diff --git a/nftables-network.conf b/nftables-network.conf index bd3b595..0036286 100644 --- a/nftables-network.conf +++ b/nftables-network.conf @@ -66,10 +66,10 @@ table inet filter { } chain input-tcp-service { - iif lo goto input-loopback + iif lo goto input-tcp-service-loopback # for synproxy, SYN is untracked and first ACK is invalid which are handled via fallthrough - ct state vmap { new : goto input-new, established : goto input-established, related : accept } + ct state vmap { new : goto input-tcp-service-new, established : goto input-tcp-service-established, related : accept } tcp dport 22 ip saddr @ip-connlimit-ssh counter reject with tcp reset tcp dport 22 ip6 saddr and ffff:ffff:ffff:ffff:ffff:: @ip6-connlimit-ssh counter reject with tcp reset @@ -78,7 +78,7 @@ table inet filter { synproxy mss 1460 wscale 7 timestamp sack-perm } - chain input-new { + chain input-tcp-service-new { tcp dport 22 ip saddr @ip-connlimit-ssh counter reject with tcp reset tcp dport 22 ip6 saddr and ffff:ffff:ffff:ffff:ffff:: @ip6-connlimit-ssh counter reject with tcp reset tcp dport { 80, 443, 7275 } ip saddr @ip-connlimit-main counter reject with tcp reset @@ -86,7 +86,7 @@ table inet filter { accept } - chain input-established { + chain input-tcp-service-established { ct mark 0x1 accept tcp dport 22 ip saddr != $ip-allowlist-ssh add @ip-connlimit-ssh { ip saddr ct count over 1 } counter reject with tcp reset tcp dport 22 ip6 saddr != $ip6-allowlist-ssh add @ip6-connlimit-ssh { ip6 saddr and ffff:ffff:ffff:ffff:ffff:: ct count over 1 } counter reject with tcp reset 
@@ -95,7 +95,7 @@ table inet filter { ct mark set 0x1 accept } - chain input-loopback { + chain input-tcp-service-loopback { tcp flags != syn accept tcp dport 22 ip saddr != $ip-allowlist-ssh add @ip-connlimit-ssh { ip saddr ct count over 1 } counter reject with tcp reset tcp dport 22 ip6 saddr != $ip6-allowlist-ssh add @ip6-connlimit-ssh { ip6 saddr and ffff:ffff:ffff:ffff:ffff:: ct count over 1 } counter reject with tcp reset diff --git a/nftables-ns1.conf b/nftables-ns1.conf index b434f21..46473f5 100644 --- a/nftables-ns1.conf +++ b/nftables-ns1.conf @@ -65,10 +65,10 @@ table inet filter { } chain input-tcp-service { - iif lo goto input-loopback + iif lo goto input-tcp-service-loopback # for synproxy, SYN is untracked and first ACK is invalid which are handled via fallthrough - ct state vmap { new : goto input-new, established : goto input-established, related : accept } + ct state vmap { new : goto input-tcp-service-new, established : goto input-tcp-service-established, related : accept } tcp dport 22 ip saddr @ip-connlimit-ssh counter reject with tcp reset tcp dport 22 ip6 saddr and ffff:ffff:ffff:ffff:ffff:: @ip6-connlimit-ssh counter reject with tcp reset @@ -77,7 +77,7 @@ table inet filter { synproxy mss 1460 wscale 7 timestamp sack-perm } - chain input-new { + chain input-tcp-service-new { tcp dport 22 ip saddr @ip-connlimit-ssh counter reject with tcp reset tcp dport 22 ip6 saddr and ffff:ffff:ffff:ffff:ffff:: @ip6-connlimit-ssh counter reject with tcp reset tcp dport { 53, 80, 443, 853 } ip saddr @ip-connlimit-main counter reject with tcp reset @@ -85,7 +85,7 @@ table inet filter { accept } - chain input-established { + chain input-tcp-service-established { ct mark 0x1 accept tcp dport 22 ip saddr != $ip-allowlist-ssh add @ip-connlimit-ssh { ip saddr ct count over 1 } counter reject with tcp reset tcp dport 22 ip6 saddr != $ip6-allowlist-ssh add @ip6-connlimit-ssh { ip6 saddr and ffff:ffff:ffff:ffff:ffff:: ct count over 1 } counter reject with tcp reset 
@@ -94,7 +94,7 @@ table inet filter {
 ct mark set 0x1 accept
 }
 
-chain input-loopback {
+chain input-tcp-service-loopback {
 tcp flags != syn accept
 tcp dport 22 ip saddr != $ip-allowlist-ssh add @ip-connlimit-ssh { ip saddr ct count over 1 } counter reject with tcp reset
 tcp dport 22 ip6 saddr != $ip6-allowlist-ssh add @ip6-connlimit-ssh { ip6 saddr and ffff:ffff:ffff:ffff:ffff:: ct count over 1 } counter reject with tcp reset
diff --git a/nftables-ns2.conf b/nftables-ns2.conf
index 448db7e..e5f4faf 100644
--- a/nftables-ns2.conf
+++ b/nftables-ns2.conf
@@ -70,10 +70,10 @@ table inet filter {
 }
 
 chain input-tcp-service {
-iif lo goto input-loopback
+iif lo goto input-tcp-service-loopback
 
 # for synproxy, SYN is untracked and first ACK is invalid which are handled via fallthrough
-ct state vmap { new : goto input-new, established : goto input-established, related : accept }
+ct state vmap { new : goto input-tcp-service-new, established : goto input-tcp-service-established, related : accept }
 
 tcp dport 22 ip saddr @ip-connlimit-ssh counter reject with tcp reset
 tcp dport 22 ip6 saddr and ffff:ffff:ffff:ffff:ffff:: @ip6-connlimit-ssh counter reject with tcp reset
@@ -82,7 +82,7 @@ table inet filter {
 synproxy mss 1460 wscale 7 timestamp sack-perm
 }
 
-chain input-new {
+chain input-tcp-service-new {
 tcp dport 22 ip saddr @ip-connlimit-ssh counter reject with tcp reset
 tcp dport 22 ip6 saddr and ffff:ffff:ffff:ffff:ffff:: @ip6-connlimit-ssh counter reject with tcp reset
 tcp dport { 53, 80, 443, 853 } ip saddr @ip-connlimit-main counter reject with tcp reset
@@ -90,7 +90,7 @@ table inet filter {
 accept
 }
 
-chain input-established {
+chain input-tcp-service-established {
 ct mark 0x1 accept
 tcp dport 22 ip saddr != $ip-allowlist-ssh add @ip-connlimit-ssh { ip saddr ct count over 1 } counter reject with tcp reset
 tcp dport 22 ip6 saddr != $ip6-allowlist-ssh add @ip6-connlimit-ssh { ip6 saddr and ffff:ffff:ffff:ffff:ffff:: ct count over 1 } counter reject with tcp reset
@@ -99,7 +99,7 @@ table inet filter {
 ct mark set 0x1 accept
 }
 
-chain input-loopback {
+chain input-tcp-service-loopback {
 tcp flags != syn accept
 tcp dport 22 ip saddr != $ip-allowlist-ssh add @ip-connlimit-ssh { ip saddr ct count over 1 } counter reject with tcp reset
 tcp dport 22 ip6 saddr != $ip6-allowlist-ssh add @ip6-connlimit-ssh { ip6 saddr and ffff:ffff:ffff:ffff:ffff:: ct count over 1 } counter reject with tcp reset
diff --git a/nftables-social.conf b/nftables-social.conf
index 234e9e3..a948f39 100644
--- a/nftables-social.conf
+++ b/nftables-social.conf
@@ -62,10 +62,10 @@ table inet filter {
 }
 
 chain input-tcp-service {
-iif lo goto input-loopback
+iif lo goto input-tcp-service-loopback
 
 # for synproxy, SYN is untracked and first ACK is invalid which are handled via fallthrough
-ct state vmap { new : goto input-new, established : goto input-established, related : accept }
+ct state vmap { new : goto input-tcp-service-new, established : goto input-tcp-service-established, related : accept }
 
 tcp dport 22 ip saddr @ip-connlimit-ssh counter reject with tcp reset
 tcp dport 22 ip6 saddr and ffff:ffff:ffff:ffff:ffff:: @ip6-connlimit-ssh counter reject with tcp reset
@@ -74,7 +74,7 @@ table inet filter {
 synproxy mss 1460 wscale 7 timestamp sack-perm
 }
 
-chain input-new {
+chain input-tcp-service-new {
 tcp dport 22 ip saddr @ip-connlimit-ssh counter reject with tcp reset
 tcp dport 22 ip6 saddr and ffff:ffff:ffff:ffff:ffff:: @ip6-connlimit-ssh counter reject with tcp reset
 tcp dport { 80, 443 } ip saddr @ip-connlimit-main counter reject with tcp reset
@@ -82,7 +82,7 @@ table inet filter {
 accept
 }
 
-chain input-established {
+chain input-tcp-service-established {
 ct mark 0x1 accept
 tcp dport 22 ip saddr != $ip-allowlist-ssh add @ip-connlimit-ssh { ip saddr ct count over 1 } counter reject with tcp reset
 tcp dport 22 ip6 saddr != $ip6-allowlist-ssh add @ip6-connlimit-ssh { ip6 saddr and ffff:ffff:ffff:ffff:ffff:: ct count over 1 } counter reject with tcp reset
@@ -91,7 +91,7 @@ table inet filter {
 ct mark set 0x1 accept
 }
 
-chain input-loopback {
+chain input-tcp-service-loopback {
 tcp flags != syn accept
 tcp dport 22 ip saddr != $ip-allowlist-ssh add @ip-connlimit-ssh { ip saddr ct count over 1 } counter reject with tcp reset
 tcp dport 22 ip6 saddr != $ip6-allowlist-ssh add @ip6-connlimit-ssh { ip6 saddr and ffff:ffff:ffff:ffff:ffff:: ct count over 1 } counter reject with tcp reset
diff --git a/nftables-web.conf b/nftables-web.conf
index 815f165..e8b7d6a 100644
--- a/nftables-web.conf
+++ b/nftables-web.conf
@@ -66,10 +66,10 @@ table inet filter {
 }
 
 chain input-tcp-service {
-iif lo goto input-loopback
+iif lo goto input-tcp-service-loopback
 
 # for synproxy, SYN is untracked and first ACK is invalid which are handled via fallthrough
-ct state vmap { new : goto input-new, established : goto input-established, related : accept }
+ct state vmap { new : goto input-tcp-service-new, established : goto input-tcp-service-established, related : accept }
 
 tcp dport 22 ip saddr @ip-connlimit-ssh counter reject with tcp reset
 tcp dport 22 ip6 saddr and ffff:ffff:ffff:ffff:ffff:: @ip6-connlimit-ssh counter reject with tcp reset
@@ -78,7 +78,7 @@ table inet filter {
 synproxy mss 1460 wscale 7 timestamp sack-perm
 }
 
-chain input-new {
+chain input-tcp-service-new {
 tcp dport 22 ip saddr @ip-connlimit-ssh counter reject with tcp reset
 tcp dport 22 ip6 saddr and ffff:ffff:ffff:ffff:ffff:: @ip6-connlimit-ssh counter reject with tcp reset
 tcp dport { 80, 443 } ip saddr @ip-connlimit-main counter reject with tcp reset
@@ -86,7 +86,7 @@ table inet filter {
 accept
 }
 
-chain input-established {
+chain input-tcp-service-established {
 ct mark 0x1 accept
 tcp dport 22 ip saddr != $ip-allowlist-ssh add @ip-connlimit-ssh { ip saddr ct count over 1 } counter reject with tcp reset
 tcp dport 22 ip6 saddr != $ip6-allowlist-ssh add @ip6-connlimit-ssh { ip6 saddr and ffff:ffff:ffff:ffff:ffff:: ct count over 1 } counter reject with tcp reset
@@ -95,7 +95,7 @@ table inet filter {
 ct mark set 0x1 accept
 }
 
-chain input-loopback {
+chain input-tcp-service-loopback {
 tcp flags != syn accept
 tcp dport 22 ip saddr != $ip-allowlist-ssh add @ip-connlimit-ssh { ip saddr ct count over 1 } counter reject with tcp reset
 tcp dport 22 ip6 saddr != $ip6-allowlist-ssh add @ip6-connlimit-ssh { ip6 saddr and ffff:ffff:ffff:ffff:ffff:: ct count over 1 } counter reject with tcp reset