From 84eb287357bb94c222110e2ad7e079a843117ce0 Mon Sep 17 00:00:00 2001
From: FollieHiyuki
Date: Sat, 26 Jun 2021 16:09:26 +0300
Subject: [PATCH] nftables: move rate limit above established connections

---
 home/.config/alacritty/alacritty.yml |  1 +
 system/etc/nftables.conf             | 42 ++++++++++++++++++++--------
 2 files changed, 31 insertions(+), 12 deletions(-)

diff --git a/home/.config/alacritty/alacritty.yml b/home/.config/alacritty/alacritty.yml
index e89a9dc..8bf0d68 100644
--- a/home/.config/alacritty/alacritty.yml
+++ b/home/.config/alacritty/alacritty.yml
@@ -2,6 +2,7 @@
 env:
   TERM: alacritty
 
+  # TERM: xterm-256color
 
 window:
   padding:
diff --git a/system/etc/nftables.conf b/system/etc/nftables.conf
index ec468b6..5ec2296 100644
--- a/system/etc/nftables.conf
+++ b/system/etc/nftables.conf
@@ -1,19 +1,31 @@
 #!/sbin/nft -f
 
+# --------------------------------------------------------------------------------- #
+
 # References:
 # https://wiki.nftables.org/wiki-nftables/index.php/Main_Page
 # https://wiki.gentoo.org/wiki/Nftables/Examples
 # https://wiki.archlinux.org/title/Nftables
 # https://github.com/krabelize/nftables-firewall-config/blob/master/nftables.conf
 # https://github.com/atweiden/archvault/blob/master/resources/etc/nftables.conf
+# https://xdeb.org/post/2019/09/26/setting-up-a-server-firewall-with-nftables-that-support-wireguard-vpn/
 
 # Libvirt:
 # https://libvirt.org/firewall.html
 
+# Notes:
+# - "limit" rules need to be put before "established" connections
+# - use sets for groups of things (eg. IP, ports, ...)
+# - explicitly allow IPv6 ICMP if do not have "policy accept" on the outgoing chain
+# - hook order: ingress -> prerouting -> input/output/forward -> postrouting
+# - "iif" should be use when possible (for persistent interfaces) since it is faster than "iifname"
+
+# --------------------------------------------------------------------------------- #
+
 flush ruleset
 
 # TCP ports to accept (both IPv4 and IPv6)
-#define ACCEPT_TCP_PORTS = {}
+#define ACCEPT_TCP_PORTS = { 80, 443, 1965 }
 
 # UDP ports to accept (both IPv4 and IPv6)
 #define ACCEPT_UDP_PORTS = {}
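Review bot: The Notes block added after `# https://libvirt.org/firewall.html` has two wording slips that should be fixed before they get copied around: `# - explicitly allow IPv6 ICMP if do not have "policy accept" on the outgoing chain` should read `... if you do not have ...`, and `# - "iif" should be use when possible` should read `should be used`. The first note would be more useful if it said why the order matters, e.g. `# - "limit" rules must come before the "established, related" accept, otherwise reply traffic that conntrack already classifies as established is accepted before it is ever counted; limits restricted to "ct state new" are unaffected`. Note also that `#define ACCEPT_TCP_PORTS = { 80, 443, 1965 }` remains commented out, so the input chain still exposes none of these ports until both this line and the matching `#tcp dport $ACCEPT_TCP_PORTS` rule are uncommented together.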
@@ -38,23 +50,15 @@ table inet filter {
     chain input {
         type filter hook input priority 0; policy drop;
 
+        # Drop invalid packets early
         ct state invalid counter drop
-        ct state { established, related } counter accept
-        ct status dnat accept
-        iif lo accept
-        iif != lo ip daddr 127.0.0.1/8 counter drop
-        iif != lo ip6 daddr ::1/128 counter drop
-
-        counter jump libvirt_input
+        # Drop none SYN packets
+        #tcp flags & (fin|syn|rst|ack) != syn ct state new counter drop
 
         # Reject AUTH to make it fail fast
         tcp dport 113 reject with icmpx type port-unreachable
 
-        # Accept user-defined ports
-        #tcp dport $ACCEPT_TCP_PORTS counter accept
-        #udp dport $ACCEPT_UDP_PORTS counter accept
-
         # Rate limit on SSH port
         #tcp dport ssh ct state new limit rate 6/minute accept
 
 
@@ -62,6 +66,20 @@ table inet filter {
         ip protocol icmp icmp type { echo-reply, echo-request } limit rate over 1/second burst 4 packets drop
         ip6 nexthdr icmpv6 icmpv6 type { echo-reply, echo-request } limit rate over 1/second burst 4 packets drop
 
+        ct state { established, related } counter accept
+        ct status dnat accept
+
+        # Allow loopback from host
+        iif lo accept
+        iif != lo ip daddr 127.0.0.1/8 counter drop
+        iif != lo ip6 daddr ::1/128 counter drop
+
+        counter jump libvirt_input
+
+        # Accept user-defined ports
+        #tcp dport $ACCEPT_TCP_PORTS ct state new counter accept
+        #udp dport $ACCEPT_UDP_PORTS ct state new counter accept
+
         # Accept ICMPv4
         ip protocol icmp icmp type { echo-reply,
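Review bot: Removing `iif lo accept` here and re-adding it only after the ping limits in the following hunk means loopback traffic is no longer accepted unconditionally: a new local connection to port 113 over lo now hits `tcp dport 113 reject with icmpx type port-unreachable` first, and ICMP echo over lo becomes subject to the `limit rate over 1/second burst 4 packets drop` rules. If that is not intended, keep `iif lo accept` directly after `ct state invalid counter drop`; the loopback-spoofing drops (`iif != lo ip daddr 127.0.0.1/8 counter drop` and its IPv6 twin) can stay where the commit puts them, since they do not depend on the limit ordering. The comment `# Drop none SYN packets` would read better as `# Drop non-SYN packets (new TCP connections must start with SYN)`. The enclosing `table inet filter {` and `chain input {` blocks start before this hunk and continue past it.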