path: root/files/etc/nftables.conf
blob: e8784abd6122300778b4064dc8aca4ceff110464 (plain)
#!/usr/sbin/nft -f
# Host firewall, loaded with `nft -f`. Both tables below use the inet family,
# so one ruleset covers IPv4 and IPv6.
#
# `flush ruleset` discards every table currently loaded in the kernel, not only
# the ones defined in this file; anything another service installed at runtime
# is removed each time this file is (re)applied.
flush ruleset

# Early sanitisation of *incoming* packets. Both chains hang off the
# prerouting hook, so locally generated traffic (output hook) is not
# inspected here; it is only subject to the filter table below.
table inet raw {
    chain PREROUTING-stateless {
        # XXX can't add that to the ingress hook as that happens before IP defragmentation
        # so we don't have the TCP header in later fragments (we don't want to drop IP
        # fragments, see https://blog.cloudflare.com/ip-fragmentation-is-broken/ )
        # Priority -399 runs after defragmentation (-400) but before conntrack
        # (-200), so the flag checks see a reassembled TCP header and the bogus
        # packets never reach the connection tracker.
        type filter hook prerouting priority -399 # > NF_IP_PRI_CONNTRACK_DEFRAG (-400)
        policy accept

        # stateless filter for bogus TCP packets
        # Each rule masks the flag byte and compares it against a combination
        # that no legitimate TCP stack emits; `counter` keeps per-rule hit
        # counts that show up in `nft list ruleset`.
        tcp flags & (fin|syn|rst|psh|ack|urg) == 0x0 counter drop # null packet
        tcp flags & (fin|psh|urg) == fin|psh|urg     counter drop # XMAS packet
        tcp flags & (syn|rst) == syn|rst             counter drop # SYN and RST together
        tcp flags & (fin|rst) == fin|rst             counter drop # FIN and RST together
        tcp flags & (fin|syn) == fin|syn             counter drop # FIN and SYN together
        tcp flags & (fin|psh|ack) == fin|psh         counter drop # FIN+PSH without ACK
    }

    chain PREROUTING {
        # Priority -199 runs just after conntrack (-200) has classified the
        # packet, so `ct state` is already populated here.
        type filter hook prerouting priority -199 # > NF_IP_PRI_CONNTRACK (-200)
        policy accept

        # stateful filter
        # Drop packets conntrack could not associate with any tracked
        # connection. The filter table's input chain relies on this: it has
        # no `ct state invalid` rule of its own.
        ct state invalid counter drop
    }
}

# Main policy: deny by default in both directions, then allow loopback,
# tracked connections, ICMP and a short list of services.
table inet filter {
    chain input {
        type filter hook input priority 0
        # Anything not matched below is silently dropped (no reject here, in
        # contrast to the output chain).
        policy drop

        iif lo accept

        # Replies to connections this host opened, and related flows.
        ct state related,established accept
        # All ICMP and ICMPv6 types are accepted. ICMPv6 must not be blocked
        # wholesale, since neighbour discovery depends on it. No rate limit
        # is applied here.
        meta l4proto { icmp, icmpv6 } counter accept

        # Only inbound service: SSH. NOTE(review): no source-address match or
        # rate limit on this rule, so new SSH connections are accepted from
        # anywhere; restrict by address or add a limit if the host is exposed.
        tcp dport 22 ct state new counter accept
    }

    chain output {
        type filter hook output priority 0
        policy drop

        oif lo accept
        ct state related,established accept
        meta l4proto { icmp, icmpv6 } counter accept

        # Any new outbound connection is allowed, so egress is effectively
        # unrestricted for conntrack-tracked protocols.
        ct state new counter accept

        # graceful reject
        # Only packets that are neither new, established nor related reach
        # this point (e.g. ones conntrack marks invalid). Local processes get
        # an immediate error instead of a timeout: TCP RST for TCP, the
        # default ICMP/ICMPv6 unreachable for UDP and everything else.
        meta l4proto tcp counter reject with tcp reset
        meta l4proto udp counter reject
        counter reject
    }
}