From 6691410f945719e62601c3d69d9b2ff9c4cfb4fb Mon Sep 17 00:00:00 2001
From: Guilhem Moulin
Date: Thu, 4 Jan 2024 12:59:39 +0100
Subject: Base system.
---
 files/etc/nftables.conf | 59 +++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 59 insertions(+)
 create mode 100644 files/etc/nftables.conf
(limited to 'files/etc/nftables.conf')
diff --git a/files/etc/nftables.conf b/files/etc/nftables.conf
new file mode 100644
index 0000000..e8784ab
--- /dev/null
+++ b/files/etc/nftables.conf
@@ -0,0 +1,59 @@
+#!/usr/sbin/nft -f
+
+flush ruleset
+
+table inet raw {
+ chain PREROUTING-stateless {
+ # XXX can't add that to the ingress hook as that happens before IP defragmentation
+ # so we don't have the TCP header in later fragments (we don't want to drop IP
+ # fragments, see https://blog.cloudflare.com/ip-fragmentation-is-broken/ )
+ type filter hook prerouting priority -399 # > NF_IP_PRI_CONNTRACK_DEFRAG (-400)
+ policy accept
+
+ # stateless filter for bogus TCP packets
+ tcp flags & (fin|syn|rst|psh|ack|urg) == 0x0 counter drop # null packet
+ tcp flags & (fin|psh|urg) == fin|psh|urg counter drop # XMAS packet
+ tcp flags & (syn|rst) == syn|rst counter drop
+ tcp flags & (fin|rst) == fin|rst counter drop
+ tcp flags & (fin|syn) == fin|syn counter drop
+ tcp flags & (fin|psh|ack) == fin|psh counter drop
+ }
+
+ chain PREROUTING {
+ type filter hook prerouting priority -199 # > NF_IP_PRI_CONNTRACK (-200)
+ policy accept
+
+ # stateful filter
+ ct state invalid counter drop
+ }
+}
+
+table inet filter {
+ chain input {
+ type filter hook input priority 0
+ policy drop
+
+ iif lo accept
+
+ ct state related,established accept
+ meta l4proto { icmp, icmpv6 } counter accept
+
+ tcp dport 22 ct state new counter accept
+ }
+
+ chain output {
+ type filter hook output priority 0
+ policy drop
+
+ oif lo accept
+ ct state related,established accept
+ meta l4proto { icmp, icmpv6 } counter accept
+
+ ct state new counter accept
+
+ # graceful reject
+ meta l4proto tcp counter reject with tcp reset
+ meta l4proto udp counter reject
+ counter reject
+ }
+}
-- cgit v1.2.3
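Review bot: The SSH rule `tcp dport 22 ct state new counter accept` in chain `input` does not require the new flow to begin with a SYN, so with the kernel default `net.netfilter.nf_conntrack_tcp_loose=1` a bare ACK (or any other non-bogus, non-SYN segment) to port 22 is picked up as a NEW conntrack entry and accepted, which sidesteps the `ct state invalid` drop in `PREROUTING`; the stateless flag checks above it only catch invalid combinations, not a mid-stream start. Add `tcp flags & (fin|syn|rst|ack) != syn ct state new counter drop` before the SSH accept, or tighten the accept itself to `tcp dport 22 tcp flags & (fin|syn|rst|ack) == syn ct state new counter accept`, unless nf_conntrack_tcp_loose is set to 0 elsewhere in the base system (this commit does not show that). A short comment on `chain PREROUTING-stateless` stating that it filters only impossible flag combinations and relies on the stateful chains for everything else would make the split of responsibility between the three chains explicit.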