blob: e8784abd6122300778b4064dc8aca4ceff110464 (
plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
|
#!/usr/sbin/nft -f
flush ruleset
table inet raw {
chain PREROUTING-stateless {
# XXX can't add that to the ingress hook as that happens before IP defragmentation
# so we don't have the TCP header in later fragments (we don't want to drop IP
# fragments, see https://blog.cloudflare.com/ip-fragmentation-is-broken/ )
type filter hook prerouting priority -399 # > NF_IP_PRI_CONNTRACK_DEFRAG (-400)
policy accept
# stateless filter for bogus TCP packets
tcp flags & (fin|syn|rst|psh|ack|urg) == 0x0 counter drop # null packet
tcp flags & (fin|psh|urg) == fin|psh|urg counter drop # XMAS packet
tcp flags & (syn|rst) == syn|rst counter drop
tcp flags & (fin|rst) == fin|rst counter drop
tcp flags & (fin|syn) == fin|syn counter drop
tcp flags & (fin|psh|ack) == fin|psh counter drop
}
chain PREROUTING {
type filter hook prerouting priority -199 # > NF_IP_PRI_CONNTRACK (-200)
policy accept
# stateful filter
ct state invalid counter drop
}
}
table inet filter {
chain input {
type filter hook input priority 0
policy drop
iif lo accept
ct state related,established accept
meta l4proto { icmp, icmpv6 } counter accept
tcp dport 22 ct state new counter accept
}
chain output {
type filter hook output priority 0
policy drop
oif lo accept
ct state related,established accept
meta l4proto { icmp, icmpv6 } counter accept
ct state new counter accept
# graceful reject
meta l4proto tcp counter reject with tcp reset
meta l4proto udp counter reject
counter reject
}
}
|