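table inet filter {
	# Per-source meters that gate the log lines of the drop chains below
	# (one element per offending address).
	# NOTE(review): the elements carry no timeout, so each set only grows
	# (up to `size`) until the ruleset is reloaded; a `timeout` on the set
	# definition would bound that — confirm the intended retention.
	set lograte4 { type ipv4_addr; size 65535; flags dynamic; }
	set lograte6 { type ipv6_addr; size 65535; flags dynamic; }

	# Every drop chain below has the same shape: log at most once per minute
	# per source address, then count and drop.  The set-add and the log must
	# be in the SAME rule: a set-add whose element carries a stateful
	# expression only lets the remaining statements of its rule run while
	# the per-source limit is not exceeded.  Kept in a rule of its own (as it
	# was previously), the add has no effect on the following rule and the
	# log fires for every packet, which lets a flood fill the system log.
	chain block {
		add @lograte4 { ip saddr limit rate 1/minute } log level warn prefix "block: "
		add @lograte6 { ip6 saddr limit rate 1/minute } log level warn prefix "block: "
		counter drop
	}
	chain ping-flood {
		add @lograte4 { ip saddr limit rate 1/minute } log level warn prefix "ping-flood: "
		add @lograte6 { ip6 saddr limit rate 1/minute } log level warn prefix "ping-flood: "
		counter drop
	}
	chain smurf {
		add @lograte4 { ip saddr limit rate 1/minute } log level warn prefix "smurf: "
		add @lograte6 { ip6 saddr limit rate 1/minute } log level warn prefix "smurf: "
		counter drop
	}
	chain bogus-tcp {
		add @lograte4 { ip saddr limit rate 1/minute } log level warn prefix "bogus-tcp: "
		add @lograte6 { ip6 saddr limit rate 1/minute } log level warn prefix "bogus-tcp: "
		counter drop
	}
	chain syn-flood {
		add @lograte4 { ip saddr limit rate 1/minute } log level warn prefix "syn-flood: "
		add @lograte6 { ip6 saddr limit rate 1/minute } log level warn prefix "syn-flood: "
		counter drop
	}

	# Sanity checks on TCP segments: illegal flag combinations (port scans),
	# undersized MSS, non-SYN connection openers and a SYN rate limit.
	# Every match leaves the chain with goto, so rule order only affects
	# which counter a bogus segment is attributed to.
	chain check-tcp {
		tcp flags syn tcp option maxseg size != 536-65535 counter goto bogus-tcp
		tcp flags & (ack|fin) == fin counter goto bogus-tcp
		tcp flags & (ack|psh) == psh counter goto bogus-tcp
		tcp flags & (ack|urg) == urg counter goto bogus-tcp
		# (a second `tcp flags & (fin|ack) == fin` rule was an exact duplicate
		# of the `(ack|fin) == fin` rule above and could never match)
		tcp flags & (fin|rst) == (fin|rst) counter goto bogus-tcp
		tcp flags & (fin|psh|ack) == (fin|psh) counter goto bogus-tcp
		tcp flags & (syn|fin) == (syn|fin) counter goto bogus-tcp comment "SYN-FIN scan"
		tcp flags & (syn|rst) == (syn|rst) counter goto bogus-tcp comment "SYN-RST scan"
		tcp flags == (fin|syn|rst|psh|ack|urg) counter goto bogus-tcp comment "XMAS scan"
		tcp flags == 0x0 counter goto bogus-tcp comment "NULL scan"
		tcp flags == (fin|urg|psh) counter goto bogus-tcp
		tcp flags == (fin|urg|psh|syn) counter goto bogus-tcp comment "NMAP-ID"
		tcp flags == (fin|urg|syn|rst|ack) counter goto bogus-tcp

		ct state new tcp flags != syn counter goto bogus-tcp
		tcp sport 0 tcp flags & (fin|syn|rst|ack) == syn counter goto bogus-tcp
		# NOTE(review): this limit is one global meter, not keyed by source
		# address, so a single host sending more than 30 SYN/s pushes every
		# peer's new connections into syn-flood.  A per-source meter (a
		# dynamic set like lograte4 with `limit rate over`) would confine the
		# effect to the offending address.
		tcp flags & (fin|syn|rst|ack) == syn counter limit rate over 30/second burst 60 packets goto syn-flood
	}

	# Drops packets whose source is a broadcast address.
	# NOTE: no hook chain in this table jumps here, so it is inert as written.
	chain check-broadcast {
		#ip saddr 0.0.0.0/32 counter accept comment "DHCP broadcast"
		fib saddr type broadcast counter goto smurf
		#ip saddr 224.0.0.0/4 counter goto smurf
	}

	# Rate-limits incoming echo requests (both families) with a global meter;
	# the input chain jumps here before the established/related accept.
	chain limit-ping {
		ip protocol icmp icmp type echo-request limit rate over 10/second burst 20 packets goto ping-flood
		# Note the use `meta nfproto ipv6 meta l4proto ipv6-icmp`
		# instead of the buggy `ip6 nexthdr ipv6-icmp`.
		# See https://unix.stackexchange.com/questions/645561/nftables-how-to-set-up-simple-ip-and-port-forwarding#comment1209441_645561
		meta nfproto ipv6 meta l4proto ipv6-icmp icmpv6 type echo-request limit rate over 10/second burst 20 packets goto ping-flood
	}

	# Same shape as the drop chains at the top: per-source log rate limit,
	# then count and drop.
	chain non-public {
		add @lograte4 { ip saddr limit rate 1/minute } log level warn prefix "non-public: "
		add @lograte6 { ip6 saddr limit rate 1/minute } log level warn prefix "non-public: "
		counter drop
	}

	# Bogon filtering: sources that cannot be legitimate public addresses.
	# NOTE: no hook chain in this table jumps here, so it is inert as
	# written; wire it with e.g. `jump check-public` in the input chain.
	chain check-public {
		ip saddr 0.0.0.0/8 counter goto non-public comment "Self identification"
		# (a `0.0.0.0/32` rule labelled "Broadcast" was dropped: it is shadowed
		# by the /8 above and 0.0.0.0 is not the broadcast address; the
		# limited broadcast 255.255.255.255 is covered by 240.0.0.0/4 below)
		ip saddr 10.0.0.0/8 counter goto non-public comment "Private Networks (rfc1918)"
		ip saddr 127.0.0.0/8 counter goto non-public comment "Loopback"
		# NOTE(review): 128.0.0.0/16, 191.255.0.0/16 and 223.255.255.0/24 were
		# reserved by rfc3330, which is obsolete; verify them against the
		# current IANA special-purpose registry before relying on them, as
		# ranges released since then would drop legitimate traffic.
		ip saddr 128.0.0.0/16 counter goto non-public comment "IANA Reserved (rfc3330)"
		ip saddr 169.254.0.0/16 counter goto non-public comment "Local"
		ip saddr 172.16.0.0/12 counter goto non-public comment "Private Networks (rfc1918)"
		ip saddr 192.0.2.0/24 counter goto non-public comment "TEST-NET-1 (rfc5737)"
		ip saddr 192.168.0.0/16 counter goto non-public comment "Networks (rfc1918)"
		ip saddr 198.51.100.0/24 counter goto non-public comment "TEST-NET-2 (rfc5737)"
		ip saddr 203.0.113.0/24 counter goto non-public comment "TEST-NET-3 (rfc5737)"
		# 224.0.0.0/4 + 240.0.0.0/4 cover exactly the former 224.0.0.0/3 rule;
		# the old 240.0.0.0/5 "Class E" rule was shadowed by that /3 and
		# covered only half of class E.
		ip saddr 224.0.0.0/4 counter goto non-public comment "Multicast"
		ip saddr 240.0.0.0/4 counter goto non-public comment "Class E Reserved, includes limited broadcast 255.255.255.255"
		ip saddr 191.255.0.0/16 counter goto non-public comment "Reserved (rfc3330)"
		ip saddr 192.0.0.0/24 counter goto non-public comment "IANA Reserved (rfc3330)"
		ip saddr 198.18.0.0/15 counter goto non-public comment "Network Interconnect Device Benchmark Testing"
		ip saddr 223.255.255.0/24 counter goto non-public comment "Special Use Networks (rfc3330)"
		# NOTE(review): 100.64.0.0/10 (shared address space, rfc6598) is not
		# listed; add it only if this host is not itself behind a CGNAT.

		# A `::/0` rule ("Default ... route in BGP") was removed: as a source
		# address match it sent every IPv6 packet to non-public, so enabling
		# this chain would have cut off all IPv6 traffic.
		ip6 saddr ::/96 counter goto non-public comment "IPv4-compatible IPv6 address – deprecated by rfc4291"
		ip6 saddr ::/128 counter goto non-public comment "Unspecified address"
		ip6 saddr ::1 /128 counter goto non-public comment "Local host loopback address"
		ip6 saddr ::ffff:0.0.0.0 /96 counter goto non-public comment "IPv4-mapped addresses"
		ip6 saddr ::224.0.0.0 /100 counter goto non-public comment "Compatible address (IPv4 format)"
		ip6 saddr ::127.0.0.0 /104 counter goto non-public comment "Compatible address (IPv4 format)"
		ip6 saddr ::0.0.0.0 /104 counter goto non-public comment "Compatible address (IPv4 format)"
		ip6 saddr ::255.0.0.0 /104 counter goto non-public comment "Compatible address (IPv4 format)"
		ip6 saddr 0000:: /8 counter goto non-public comment "Pool used for unspecified, loopback and embedded IPv4 addresses"
		ip6 saddr 0200:: /7 counter goto non-public comment "OSI NSAP-mapped prefix set (rfc4548) – deprecated by rfc4048"
		ip6 saddr 3ffe::/16 counter goto non-public comment "Former 6bone, now decommissioned"
		ip6 saddr 2001:db8::/32 counter goto non-public comment "Reserved by IANA for special purposes and documentation"
		ip6 saddr 2002:e000:: /20 counter goto non-public comment "Invalid 6to4 packets (IPv4 multicast)"
		ip6 saddr 2002:7f00:: /24 counter goto non-public comment "Invalid 6to4 packets (IPv4 loopback)"
		ip6 saddr 2002:0000:: /24 counter goto non-public comment "Invalid 6to4 packets (IPv4 default)"
		ip6 saddr 2002:ff00:: /24 counter goto non-public comment "Invalid 6to4 packets"
		ip6 saddr 2002:0a00:: /24 counter goto non-public comment "Invalid 6to4 packets (IPv4 private 10.0.0.0/8 network)"
		ip6 saddr 2002:ac10:: /28 counter goto non-public comment "Invalid 6to4 packets (IPv4 private 172.16.0.0/12 network)"
		ip6 saddr 2002:c0a8:: /32 counter goto non-public comment "Invalid 6to4 packets (IPv4 private 192.168.0.0/16 network)"
		ip6 saddr fc00:: /7 counter goto non-public comment "Unicast Unique Local Addresses (ULA) – rfc4193"
		ip6 saddr fe80:: /10 counter goto non-public comment "Link-local Unicast"
		ip6 saddr fec0:: /10 counter goto non-public comment "Site-local Unicast – deprecated by rfc3879 (replaced by ULA)"
		ip6 saddr ff00:: /8 counter goto non-public comment "Multicast"
	}

	# ICMPv6 messages a node must accept (rfc4890).  Jumped from both
	# input-connectivity and output-connectivity, so the accepts and the
	# nd-redirect log/drop apply to received and sent traffic alike.
	# `icmpv6 type` already implies `meta nfproto ipv6 meta l4proto ipv6-icmp`
	# (the first rules rely on that), so the prefix is not repeated here.
	chain accept-icmpv6 {
		# Traffic That Must Not Be Dropped
		# https://tools.ietf.org/html/rfc4890#section-4.4.1
		icmpv6 type destination-unreachable counter accept
		icmpv6 type packet-too-big counter accept
		icmpv6 type time-exceeded counter accept
		icmpv6 type parameter-problem counter accept

		# Address Configuration and Router Selection messages
		# (must be received with hop limit = 255)
		icmpv6 type nd-router-solicit ip6 hoplimit 255 counter accept
		icmpv6 type nd-router-advert ip6 hoplimit 255 counter accept
		icmpv6 type nd-neighbor-solicit ip6 hoplimit 255 counter accept
		icmpv6 type nd-neighbor-advert ip6 hoplimit 255 counter accept
		# Redirects are logged and dropped rather than accepted: an on-link
		# host could use them to steer this node's traffic through itself.
		icmpv6 type nd-redirect ip6 hoplimit 255 log level warn prefix "icmpv6: nd-redirect: " counter drop
		icmpv6 type ind-neighbor-solicit ip6 hoplimit 255 counter accept
		icmpv6 type ind-neighbor-advert ip6 hoplimit 255 counter accept

		# Link-local multicast receiver notification messages
		# (must have link-local source address)
		icmpv6 type mld-listener-query ip6 saddr fe80::/10 counter accept
		icmpv6 type mld-listener-report ip6 saddr fe80::/10 counter accept
		icmpv6 type mld-listener-done ip6 saddr fe80::/10 counter accept
		# https://tools.ietf.org/html/rfc3810 Multicast Listener Discovery Version 2 (MLDv2) for IPv6
		icmpv6 type mld2-listener-report ip6 saddr fe80::/10 counter accept

		# SEND Certificate Path notification messages
		# (must be received with hop limit = 255)
		icmpv6 type 148 ip6 hoplimit 255 counter accept comment "certificate-path-solicitation"
		icmpv6 type 149 ip6 hoplimit 255 counter accept comment "certificate-path-advertisement"

		# Multicast Router Discovery messages
		# (must have link-local source address and hop limit = 1)
		icmpv6 type 151 ip6 saddr fe80::/10 ip6 hoplimit 1 counter accept comment "multicast-router-advertisement"
		icmpv6 type 152 ip6 saddr fe80::/10 ip6 hoplimit 1 counter accept comment "multicast-router-solicitation"
		icmpv6 type 153 ip6 saddr fe80::/10 ip6 hoplimit 1 counter accept comment "multicast-router-termination"
	}

	# ICMP/ICMPv6 accepted on input after the established/related accept
	# (i.e. for packets conntrack does not already know).
	chain input-connectivity {
		# Connectivity checking messages
		# (multicast) ping
		ip protocol icmp icmp type echo-reply counter accept

		# drop packets with rh0 headers
		# (this rule used to be listed three times; only the first can match)
		rt type 0 jump block

		# (multicast) ping
		meta nfproto ipv6 meta l4proto ipv6-icmp icmpv6 type echo-reply counter accept
		#ct state invalid counter drop

		ip protocol icmp icmp type destination-unreachable counter accept
		ip protocol icmp icmp type time-exceeded counter accept
		ip protocol icmp icmp type parameter-problem counter accept
		# echo-request rate limiting already happened in limit-ping, which the
		# input chain jumps before reaching this chain with the same rate and
		# burst; a second identical meter here could never trigger.
		ip protocol icmp icmp type echo-request counter accept
		# echo-reply is handled before invalid packets to allow multicast ping
		# which do not have an associated connection.

		meta nfproto ipv6 meta l4proto ipv6-icmp jump accept-icmpv6

		# Connectivity checking messages
		icmpv6 type echo-request counter accept
		# echo-reply is handled before invalid because of multicast
	}

	# Input hook, default deny.  check-tcp and limit-ping run before the
	# established/related accept, so they see every incoming packet.
	# check-public and check-broadcast are defined above but not jumped from
	# here (or anywhere), so bogon and broadcast-source filtering is not
	# active until they are wired in.
	chain input {
		type filter hook input priority 0
		policy drop
		iifname lo accept
		jump check-tcp
		jump limit-ping
		ct state { established, related } accept
		jump input-connectivity
		ct state invalid counter drop
	}

	# Locally generated ICMP/ICMPv6 and root-only UDP traceroute probes.
	chain output-connectivity {
		ip protocol icmp counter accept
		skuid root udp dport 33434-33523 counter accept comment "traceroute"

		meta nfproto ipv6 meta l4proto ipv6-icmp jump accept-icmpv6

		# Connectivity checking messages
		meta nfproto ipv6 meta l4proto ipv6-icmp icmpv6 type echo-request counter accept
		meta nfproto ipv6 meta l4proto ipv6-icmp icmpv6 type echo-reply counter accept
	}

	# Output hook, default deny: loopback, MSS clamping on outgoing SYNs,
	# then known connections and the connectivity messages above.
	chain output {
		type filter hook output priority 0
		policy drop
		oifname lo accept
		tcp flags syn tcp option maxseg size set rt mtu
		ct state { established, related } accept
		jump output-connectivity
	}

	# Forwarded ICMP/ICMPv6 that a router should let through (rfc4890).
	# NOTE: the forward chain below never jumps here, so with its policy drop
	# and no rules this host forwards nothing at all.
	chain forward-connectivity {
		ip protocol icmp icmp type destination-unreachable counter accept
		ip protocol icmp icmp type time-exceeded counter accept
		ip protocol icmp icmp type parameter-problem counter accept
		ip protocol icmp icmp type echo-request counter accept

		# Traffic That Must Not Be Dropped
		# https://tools.ietf.org/html/rfc4890#section-4.3.1
		meta nfproto ipv6 meta l4proto ipv6-icmp icmpv6 type destination-unreachable counter accept
		meta nfproto ipv6 meta l4proto ipv6-icmp icmpv6 type packet-too-big counter accept
		meta nfproto ipv6 meta l4proto ipv6-icmp icmpv6 type time-exceeded counter accept
		meta nfproto ipv6 meta l4proto ipv6-icmp icmpv6 type parameter-problem counter accept

		# Connectivity checking messages
		meta nfproto ipv6 meta l4proto ipv6-icmp icmpv6 type echo-request counter accept
		meta nfproto ipv6 meta l4proto ipv6-icmp icmpv6 type echo-reply counter accept

		# Traffic That Normally Should Not Be Dropped
		# https://tools.ietf.org/html/rfc4890#section-4.3.2
		meta nfproto ipv6 meta l4proto ipv6-icmp icmpv6 type 144 counter accept comment "home-agent-address-discovery-request"
		meta nfproto ipv6 meta l4proto ipv6-icmp icmpv6 type 145 counter accept comment "home-agent-address-discovery-reply"
		meta nfproto ipv6 meta l4proto ipv6-icmp icmpv6 type 146 counter accept comment "mobile-prefix-solicitation"
		meta nfproto ipv6 meta l4proto ipv6-icmp icmpv6 type 147 counter accept comment "mobile-prefix-advertisement"
	}

	# Forward hook, default deny, no exceptions.
	chain forward {
		type filter hook forward priority 0
		policy drop
	}
}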
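# NAT table: both chains are registered with policy accept and hold no
# rules, so the table is inert until DNAT/SNAT rules are added to it.
table inet nat {
	chain prerouting {
		# Priority dstnat (-100) instead of filter (0): destination NAT is
		# then applied before any priority-0 filter chain registered on the
		# same hook, and it mirrors the srcnat priority of postrouting below.
		type nat hook prerouting priority dstnat
		policy accept
	}
	chain postrouting {
		type nat hook postrouting priority srcnat
		policy accept
	}
}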
244 }