nftables: revamp using nested declarations
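table inet filter {
  # Per-source meters backing the log rate-limit of the drop chains below.
  # NOTE(review): no element timeout is configured, so once 65535 distinct
  # sources have been seen the `add` statements fail and log lines for new
  # sources are suppressed (the drops are separate rules and unaffected);
  # consider giving the sets a timeout.
  set lograte4 { type ipv4_addr; size 65535; flags dynamic; }
  set lograte6 { type ipv6_addr; size 65535; flags dynamic; }

  # Log-and-drop targets, reached by `goto` (or `jump`) from the check
  # chains. The `add @lograteN { ... limit rate 1/minute }` statement must
  # sit on the same rule as `log`: when the per-source limit is exceeded,
  # evaluation of that rule stops and the log action is skipped. On a line
  # of its own it limits nothing and every packet would be logged. The
  # `counter drop` is a separate rule so that it applies unconditionally.
  chain block {
    add @lograte4 { ip saddr limit rate 1/minute } log level warn prefix "block: "
    add @lograte6 { ip6 saddr limit rate 1/minute } log level warn prefix "block: "
    counter drop
  }
  chain ping-flood {
    add @lograte4 { ip saddr limit rate 1/minute } log level warn prefix "ping-flood: "
    add @lograte6 { ip6 saddr limit rate 1/minute } log level warn prefix "ping-flood: "
    counter drop
  }
  chain smurf {
    add @lograte4 { ip saddr limit rate 1/minute } log level warn prefix "smurf: "
    add @lograte6 { ip6 saddr limit rate 1/minute } log level warn prefix "smurf: "
    counter drop
  }
  chain bogus-tcp {
    add @lograte4 { ip saddr limit rate 1/minute } log level warn prefix "bogus-tcp: "
    add @lograte6 { ip6 saddr limit rate 1/minute } log level warn prefix "bogus-tcp: "
    counter drop
  }
  chain syn-flood {
    add @lograte4 { ip saddr limit rate 1/minute } log level warn prefix "syn-flood: "
    add @lograte6 { ip6 saddr limit rate 1/minute } log level warn prefix "syn-flood: "
    counter drop
  }

  # TCP sanity checks. Jumped from `input` before the conntrack accept, so
  # every incoming TCP packet passes through here.
  chain check-tcp {
    # SYN carrying an MSS option outside 536-65535.
    tcp flags syn tcp option maxseg size != 536-65535 counter goto bogus-tcp
    # Flag combinations that do not occur in a valid TCP exchange.
    tcp flags & (ack|fin) == fin counter goto bogus-tcp
    tcp flags & (ack|psh) == psh counter goto bogus-tcp
    tcp flags & (ack|urg) == urg counter goto bogus-tcp
    tcp flags & (fin|rst) == (fin|rst) counter goto bogus-tcp
    tcp flags & (fin|psh|ack) == (fin|psh) counter goto bogus-tcp
    # Well-known scan signatures.
    tcp flags & (syn|fin) == (syn|fin) counter goto bogus-tcp comment "SYN-FIN scan"
    tcp flags & (syn|rst) == (syn|rst) counter goto bogus-tcp comment "SYN-RST scan"
    tcp flags == (fin|syn|rst|psh|ack|urg) counter goto bogus-tcp comment "XMAS scan"
    tcp flags == 0x0 counter goto bogus-tcp comment "NULL scan"
    tcp flags == (fin|urg|psh) counter goto bogus-tcp
    tcp flags == (fin|urg|psh|syn) counter goto bogus-tcp comment "NMAP-ID"
    tcp flags == (fin|urg|syn|rst|ack) counter goto bogus-tcp

    # A new connection must start with a bare SYN, and never from port 0.
    ct state new tcp flags != syn counter goto bogus-tcp
    tcp sport 0 tcp flags & (fin|syn|rst|ack) == syn counter goto bogus-tcp
    # NOTE(review): this limiter is global, not per source: a single flooding
    # source also pushes legitimate SYNs from other hosts into syn-flood.
    tcp flags & (fin|syn|rst|ack) == syn counter limit rate over 30/second burst 60 packets goto syn-flood
  }

  # Not referenced by any chain in this file (may be used by other
  # profiles through nested declarations).
  chain check-broadcast {
    #ip saddr 0.0.0.0/32 counter accept comment "DHCP broadcast"
    fib saddr type broadcast counter goto smurf
    #ip saddr 224.0.0.0/4 counter goto smurf
  }

  # Global (not per-source) echo-request limiter for IPv4 and IPv6.
  chain limit-ping {
    ip protocol icmp icmp type echo-request limit rate over 10/second burst 20 packets goto ping-flood
    # Note the use `meta nfproto ipv6 meta l4proto ipv6-icmp`
    # instead of the buggy `ip6 nexthdr ipv6-icmp`.
    # See https://unix.stackexchange.com/questions/645561/nftables-how-to-set-up-simple-ip-and-port-forwarding#comment1209441_645561
    meta nfproto ipv6 meta l4proto ipv6-icmp icmpv6 type echo-request limit rate over 10/second burst 20 packets goto ping-flood
  }

  # Log-and-drop target for check-public; same rate-limited-log pattern as
  # the chains above.
  chain non-public {
    add @lograte4 { ip saddr limit rate 1/minute } log level warn prefix "non-public: "
    add @lograte6 { ip6 saddr limit rate 1/minute } log level warn prefix "non-public: "
    counter drop
  }

  # Source-address bogon filter. Not referenced by any chain in this file.
  chain check-public {
    ip saddr 0.0.0.0/8 counter goto non-public
    ip saddr 10.0.0.0/8 counter goto non-public
    ip saddr 127.0.0.0/8 counter goto non-public
    ip saddr 169.254.0.0/16 counter goto non-public
    ip saddr 172.16.0.0/12 counter goto non-public
    ip saddr 192.0.2.0/24 counter goto non-public
    ip saddr 192.168.0.0/16 counter goto non-public
    ip saddr 224.0.0.0/3 counter goto non-public
    ip saddr 240.0.0.0/5 counter goto non-public
    # NOTE(review): `::/0` is the whole IPv6 address space, so this rule
    # sends every IPv6 packet to non-public and none of the ip6 rules after
    # it can match. Possibly `::/8` was intended (already covered by
    # `0000::/8` below). Kept as found; confirm before relying on this chain.
    ip6 saddr ::/0 counter goto non-public
    ip6 saddr ::/96 counter goto non-public
    ip6 saddr ::/128 counter goto non-public
    ip6 saddr ::1/128 counter goto non-public
    ip6 saddr ::ffff:0.0.0.0/96 counter goto non-public
    ip6 saddr ::224.0.0.0/100 counter goto non-public
    ip6 saddr ::127.0.0.0/104 counter goto non-public
    ip6 saddr ::0.0.0.0/104 counter goto non-public
    ip6 saddr ::255.0.0.0/104 counter goto non-public
    ip6 saddr 0000::/8 counter goto non-public
    ip6 saddr 0200::/7 counter goto non-public
    ip6 saddr 3ffe::/16 counter goto non-public
    ip6 saddr 2001:db8::/32 counter goto non-public
    ip6 saddr 2002:e000::/20 counter goto non-public
    ip6 saddr 2002:7f00::/24 counter goto non-public
    ip6 saddr 2002:0000::/24 counter goto non-public
    ip6 saddr 2002:ff00::/24 counter goto non-public
    ip6 saddr 2002:0a00::/24 counter goto non-public
    ip6 saddr 2002:ac10::/28 counter goto non-public
    ip6 saddr 2002:c0a8::/32 counter goto non-public
    ip6 saddr fc00::/7 counter goto non-public
    ip6 saddr fe80::/10 counter goto non-public
    ip6 saddr fec0::/10 counter goto non-public
    ip6 saddr ff00::/8 counter goto non-public
  }

  # ICMPv6 messages a host must accept. Only jumped to behind an explicit
  # `meta nfproto ipv6 meta l4proto ipv6-icmp` match (input-connectivity and
  # output-connectivity), so the rules that rely on the implicit dependency
  # of `icmpv6 type` behave the same as the one spelling it out.
  chain accept-icmpv6 {
    # Traffic That Must Not Be Dropped
    # https://tools.ietf.org/html/rfc4890#section-4.4.1
    icmpv6 type destination-unreachable counter accept
    icmpv6 type packet-too-big counter accept
    icmpv6 type time-exceeded counter accept
    icmpv6 type parameter-problem counter accept

    # Address Configuration and Router Selection messages
    # (must be received with hop limit = 255)
    icmpv6 type nd-router-solicit ip6 hoplimit 255 counter accept
    meta nfproto ipv6 meta l4proto ipv6-icmp icmpv6 type nd-router-advert ip6 hoplimit 255 counter accept
    icmpv6 type nd-neighbor-solicit ip6 hoplimit 255 counter accept
    icmpv6 type nd-neighbor-advert ip6 hoplimit 255 counter accept
    # Redirects are refused; this log line is not rate-limited.
    icmpv6 type nd-redirect ip6 hoplimit 255 log level warn prefix "icmpv6: nd-redirect: " counter drop
    icmpv6 type ind-neighbor-solicit ip6 hoplimit 255 counter accept
    icmpv6 type ind-neighbor-advert ip6 hoplimit 255 counter accept

    # Link-local multicast receiver notification messages
    # (must have link-local source address)
    icmpv6 type mld-listener-query ip6 saddr fe80::/10 counter accept
    icmpv6 type mld-listener-report ip6 saddr fe80::/10 counter accept
    icmpv6 type mld-listener-done ip6 saddr fe80::/10 counter accept
    # https://tools.ietf.org/html/rfc3810 Multicast Listener Discovery Version 2 (MLDv2) for IPv6
    icmpv6 type mld2-listener-report ip6 saddr fe80::/10 counter accept

    # SEND Certificate Path notification messages
    # (must be received with hop limit = 255)
    icmpv6 type 148 ip6 hoplimit 255 counter accept comment "certificate-path-solicitation"
    icmpv6 type 149 ip6 hoplimit 255 counter accept comment "certificate-path-advertisement"

    # Multicast Router Discovery messages
    # (must have link-local source address and hop limit = 1)
    icmpv6 type 151 ip6 saddr fe80::/10 ip6 hoplimit 1 counter accept comment "multicast-router-advertisement"
    icmpv6 type 152 ip6 saddr fe80::/10 ip6 hoplimit 1 counter accept comment "multicast-router-solicitation"
    icmpv6 type 153 ip6 saddr fe80::/10 ip6 hoplimit 1 counter accept comment "multicast-router-termination"
  }

  # ICMP/ICMPv6 handling for locally delivered packets; jumped from `input`
  # after the conntrack accept and before `ct state invalid drop`.
  chain input-connectivity {
    # Connectivity checking messages
    # (multicast) ping: echo-reply is accepted before the `ct state invalid`
    # drop in `input` because multicast replies have no associated connection.
    ip protocol icmp icmp type echo-reply counter accept

    # Drop packets with a type 0 routing header (RH0). A single rule suffices:
    # `block` drops, so nothing returns here to be matched again.
    rt type 0 jump block

    # (multicast) ping
    meta nfproto ipv6 meta l4proto ipv6-icmp icmpv6 type echo-reply counter accept
    #ct state invalid counter drop

    ip protocol icmp icmp type destination-unreachable counter accept
    ip protocol icmp icmp type time-exceeded counter accept
    ip protocol icmp icmp type parameter-problem counter accept
    # Redundant with `limit-ping` when reached from `input`, which jumps
    # limit-ping first; kept for callers that may not.
    ip protocol icmp icmp type echo-request limit rate over 10/second burst 20 packets goto ping-flood
    ip protocol icmp icmp type echo-request counter accept

    meta nfproto ipv6 meta l4proto ipv6-icmp jump accept-icmpv6

    # Connectivity checking messages
    icmpv6 type echo-request counter accept
  }

  chain input {
    type filter hook input priority 0
    policy drop
    iifname lo accept
    # Sanity checks and ping limiting run before the conntrack accept so
    # that packets of established flows are checked as well.
    jump check-tcp
    jump limit-ping
    ct state { established, related } accept
    jump input-connectivity
    ct state invalid counter drop
  }

  # Locally generated ICMP/ICMPv6 and (root-only) UDP traceroute probes.
  chain output-connectivity {
    ip protocol icmp counter accept
    meta skuid 0 udp dport 33434-33523 counter accept comment "traceroute"

    meta nfproto ipv6 meta l4proto ipv6-icmp jump accept-icmpv6

    # Connectivity checking messages
    meta nfproto ipv6 meta l4proto ipv6-icmp icmpv6 type echo-request counter accept
    meta nfproto ipv6 meta l4proto ipv6-icmp icmpv6 type echo-reply counter accept
  }

  chain output {
    type filter hook output priority 0
    policy drop
    oifname lo accept
    # Clamp the MSS of outgoing SYNs to the route MTU.
    tcp flags syn tcp option maxseg size set rt mtu
    ct state { established, related } accept
    jump output-connectivity
  }

  # Not referenced by any chain in this file (`forward` below has no rules).
  chain forward-connectivity {
    ip protocol icmp icmp type destination-unreachable counter accept
    ip protocol icmp icmp type time-exceeded counter accept
    ip protocol icmp icmp type parameter-problem counter accept
    ip protocol icmp icmp type echo-request counter accept

    # Traffic That Must Not Be Dropped
    # https://tools.ietf.org/html/rfc4890#section-4.3.1
    meta nfproto ipv6 meta l4proto ipv6-icmp icmpv6 type destination-unreachable counter accept
    meta nfproto ipv6 meta l4proto ipv6-icmp icmpv6 type packet-too-big counter accept
    meta nfproto ipv6 meta l4proto ipv6-icmp icmpv6 type time-exceeded counter accept
    meta nfproto ipv6 meta l4proto ipv6-icmp icmpv6 type parameter-problem counter accept

    # Connectivity checking messages
    meta nfproto ipv6 meta l4proto ipv6-icmp icmpv6 type echo-request counter accept
    meta nfproto ipv6 meta l4proto ipv6-icmp icmpv6 type echo-reply counter accept

    # Traffic That Normally Should Not Be Dropped
    # https://tools.ietf.org/html/rfc4890#section-4.3.2
    meta nfproto ipv6 meta l4proto ipv6-icmp icmpv6 type 144 counter accept comment "home-agent-address-discovery-request"
    meta nfproto ipv6 meta l4proto ipv6-icmp icmpv6 type 145 counter accept comment "home-agent-address-discovery-reply"
    meta nfproto ipv6 meta l4proto ipv6-icmp icmpv6 type 146 counter accept comment "mobile-prefix-solicitation"
    meta nfproto ipv6 meta l4proto ipv6-icmp icmpv6 type 147 counter accept comment "mobile-prefix-advertisement"
  }

  # Everything is dropped; forwarding rules are expected to be added by
  # other profiles through nested declarations.
  chain forward {
    type filter hook forward priority 0
    policy drop
  }
}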
table inet nat {
  # NAT base chains with no rules of their own; both accept by default so
  # that other profiles can add their NAT rules via nested declarations.
  # NOTE(review): prerouting uses priority `filter` (0) rather than the
  # usual `dstnat` (-100) for a nat prerouting hook; confirm this is intended.
  chain prerouting { type nat hook prerouting priority filter; policy accept; }
  chain postrouting { type nat hook postrouting priority srcnat; policy accept; }
}