1 table inet filter {
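# Per-source bookkeeping for the log-and-drop chains below: each of them
# does `add @lograte4 { ip saddr limit rate 1/minute }` (and the v6 twin)
# so that one source cannot flood the log.  A dynamic set without a
# `timeout` keeps every source ever seen until `size` (65535) is reached,
# after which `add` can no longer insert new sources; with a timeout the
# entries expire and the set stays bounded by traffic, not by history.
set lograte4 { type ipv4_addr; size 65535; flags dynamic,timeout; timeout 1h; }
set lograte6 { type ipv6_addr; size 65535; flags dynamic,timeout; timeout 1h; }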
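# Log-and-drop sink, reached from input-connectivity for `rt type 0`
# (RH0 routing header) packets.  The `add @lograte…` set statement
# carries a per-source `limit rate`, and a set statement only lets the
# remaining statements of its *own* rule run while that limit is not
# exceeded, so the `log` has to sit on the same rule as the `add`; on a
# rule of its own the `add` gated nothing and every packet was logged.
# The `counter drop` below is unconditional.
chain block {
  add @lograte4 { ip saddr limit rate 1/minute } log level warn prefix "block: "
  add @lograte6 { ip6 saddr limit rate 1/minute } log level warn prefix "block: "
  counter drop
}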
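# Log-and-drop sink for echo-requests that exceed the rate limits in
# limit-ping / input-connectivity.  The per-source `limit rate` inside the
# `add @lograte…` set statement gates only the rest of the rule it is on,
# so `log` must share that rule with the `add` to be rate-limited; the
# drop stays unconditional.
chain ping-flood {
  add @lograte4 { ip saddr limit rate 1/minute } log level warn prefix "ping-flood: "
  add @lograte6 { ip6 saddr limit rate 1/minute } log level warn prefix "ping-flood: "
  counter drop
}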
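# Log-and-drop sink for packets with a broadcast source address
# (check-broadcast).  The per-source `limit rate` inside the
# `add @lograte…` set statement gates only the rest of the rule it is on,
# so `log` must share that rule with the `add` to be rate-limited; the
# drop stays unconditional.
chain smurf {
  add @lograte4 { ip saddr limit rate 1/minute } log level warn prefix "smurf: "
  add @lograte6 { ip6 saddr limit rate 1/minute } log level warn prefix "smurf: "
  counter drop
}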
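# Log-and-drop sink for the impossible/scan-shaped TCP packets detected in
# check-tcp.  The per-source `limit rate` inside the `add @lograte…` set
# statement gates only the rest of the rule it is on, so `log` must share
# that rule with the `add` to be rate-limited; the drop stays
# unconditional.
chain bogus-tcp {
  add @lograte4 { ip saddr limit rate 1/minute } log level warn prefix "bogus-tcp: "
  add @lograte6 { ip6 saddr limit rate 1/minute } log level warn prefix "bogus-tcp: "
  counter drop
}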
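# Log-and-drop sink for SYNs over the global rate limit in check-tcp.
# The per-source `limit rate` inside the `add @lograte…` set statement
# gates only the rest of the rule it is on, so `log` must share that rule
# with the `add` to be rate-limited; the drop stays unconditional.
chain syn-flood {
  add @lograte4 { ip saddr limit rate 1/minute } log level warn prefix "syn-flood: "
  add @lograte6 { ip6 saddr limit rate 1/minute } log level warn prefix "syn-flood: "
  counter drop
}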
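# Sanity checks for every TCP packet.  `input` jumps here before its
# established/related shortcut, so packets of existing flows are checked
# too.  Anything impossible or scan-shaped is sent to bogus-tcp; every
# rule counts so `nft list` shows which pattern is being hit.
chain check-tcp {
  # SYN advertising an MSS smaller than 536 (only matches when the option
  # is present).
  tcp flags syn tcp option maxseg size != 536-65535 counter goto bogus-tcp

  # Flag combinations that do not occur in a legitimate session.
  # (`& (fin|ack) == fin` is the same test as `& (ack|fin) == fin` and was
  # listed twice.)
  tcp flags & (ack|fin) == fin counter goto bogus-tcp
  tcp flags & (ack|psh) == psh counter goto bogus-tcp
  tcp flags & (ack|urg) == urg counter goto bogus-tcp
  tcp flags & (fin|rst) == (fin|rst) counter goto bogus-tcp
  tcp flags & (fin|psh|ack) == (fin|psh) counter goto bogus-tcp
  tcp flags & (syn|fin) == (syn|fin) counter goto bogus-tcp comment "SYN-FIN scan"
  tcp flags & (syn|rst) == (syn|rst) counter goto bogus-tcp comment "SYN-RST scan"
  tcp flags == (fin|syn|rst|psh|ack|urg) counter goto bogus-tcp comment "XMAS scan"
  tcp flags == 0x0 counter goto bogus-tcp comment "NULL scan"
  tcp flags == (fin|urg|psh) counter goto bogus-tcp
  tcp flags == (fin|urg|psh|syn) counter goto bogus-tcp comment "NMAP-ID"
  tcp flags == (fin|urg|syn|rst|ack) counter goto bogus-tcp

  # A new conntrack entry must start with a SYN.
  # NOTE(review): check with `nft --debug=netlink` whether `tcp flags != syn`
  # is compiled as "syn bit clear" or as "flags byte not exactly SYN"; the
  # latter would also send ECN-negotiating SYNs (syn|ece|cwr) to bogus-tcp,
  # in which case `tcp flags & (fin|syn|rst|ack) != syn` is the safer form.
  ct state new tcp flags != syn counter goto bogus-tcp
  # Pure SYN from source port 0.
  tcp sport 0 tcp flags & (fin|syn|rst|ack) == syn counter goto bogus-tcp
  # Global (not per-source) SYN rate limit: one flooding peer trips it for
  # every client.
  tcp flags & (fin|syn|rst|ack) == syn counter limit rate over 30/second burst 60 packets goto syn-flood
}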
# Packets whose *source* address is a broadcast address (smurf-style
# amplification) are sent to the smurf sink.
# NOTE(review): no chain in this file jumps to check-broadcast, so it is
# currently unreachable unless it is wired up elsewhere.
chain check-broadcast {
  #ip saddr 0.0.0.0/32 counter accept comment "DHCP broadcast"
  # fib lookup on the source address: broadcast sources are never valid.
  fib saddr type broadcast counter goto smurf
  #ip saddr 224.0.0.0/4 counter goto smurf
}
# Echo-request rate limit; `input` jumps here before its established
# shortcut, so every ping is counted.  The limit is global, not
# per-source: one flooding peer pushes everybody's pings into ping-flood.
# The IPv4 rule is repeated verbatim in input-connectivity.
chain limit-ping {
  ip protocol icmp icmp type echo-request limit rate over 10/second burst 20 packets goto ping-flood
  # Note the use `meta nfproto ipv6 meta l4proto ipv6-icmp`
  # instead of the buggy `ip6 nexthdr ipv6-icmp`.
  # See https://unix.stackexchange.com/questions/645561/nftables-how-to-set-up-simple-ip-and-port-forwarding#comment1209441_645561
  meta nfproto ipv6 meta l4proto ipv6-icmp icmpv6 type echo-request limit rate over 10/second burst 20 packets goto ping-flood
}
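# Log-and-drop sink for bogon source addresses (check-public).  The
# per-source `limit rate` inside the `add @lograte…` set statement gates
# only the rest of the rule it is on, so `log` must share that rule with
# the `add` to be rate-limited; the drop stays unconditional.
chain non-public {
  add @lograte4 { ip saddr limit rate 1/minute } log level warn prefix "non-public: "
  add @lograte6 { ip6 saddr limit rate 1/minute } log level warn prefix "non-public: "
  counter drop
}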
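# Bogon filter: source addresses that cannot legitimately arrive from the
# public Internet are sent to non-public (log + drop).
# NOTE(review): nothing in this file jumps to check-public, so it is
# currently inert.  If it is wired into `input`, place the jump after the
# link-local ICMPv6 accepts (ND, MLD in accept-icmpv6): fe80::/10 and
# ff00::/8 are listed here and would otherwise break neighbour discovery.
# The catch-all `ip6 saddr ::/0` is deliberately absent: it matched every
# IPv6 source and would have dropped all IPv6 traffic.  Ranges that
# RFC 3330 listed as reserved but that have since been allocated
# (128.0.0.0/16, 191.255.0.0/16, 223.255.255.0/24) are not included.
chain check-public {
  # /32 before /8 so its counter is not shadowed by the wider prefix.
  ip saddr 0.0.0.0/32 counter goto non-public comment "Broadcast"
  ip saddr 0.0.0.0/8 counter goto non-public comment "Self identification"
  ip saddr 10.0.0.0/8 counter goto non-public comment "Private Networks (rfc1918)"
  ip saddr 127.0.0.0/8 counter goto non-public comment "Loopback"
  ip saddr 169.254.0.0/16 counter goto non-public comment "Local"
  ip saddr 172.16.0.0/12 counter goto non-public comment "Private Networks (rfc1918)"
  ip saddr 192.0.0.0/24 counter goto non-public comment "IANA Reserved (rfc3330)"
  ip saddr 192.0.2.0/24 counter goto non-public comment "TEST-NET-1 (rfc5737)"
  ip saddr 192.168.0.0/16 counter goto non-public comment "Networks (rfc1918)"
  ip saddr 198.18.0.0/15 counter goto non-public comment "Network Interconnect Device Benchmark Testing"
  ip saddr 198.51.100.0/24 counter goto non-public comment "TEST-NET-2 (rfc5737)"
  ip saddr 203.0.113.0/24 counter goto non-public comment "TEST-NET-3 (rfc5737)"
  # 224.0.0.0/4 + 240.0.0.0/4 cover exactly 224.0.0.0/3; split so that the
  # multicast and Class E counters are separately meaningful.
  ip saddr 224.0.0.0/4 counter goto non-public comment "Multicast"
  ip saddr 240.0.0.0/4 counter goto non-public comment "Class E Reserved"

  ip6 saddr ::/96 counter goto non-public comment "IPv4-compatible IPv6 address – deprecated by rfc4291"
  ip6 saddr ::/128 counter goto non-public comment "Unspecified address"
  ip6 saddr ::1 /128 counter goto non-public comment "Local host loopback address"
  ip6 saddr ::ffff:0.0.0.0 /96 counter goto non-public comment "IPv4-mapped addresses"
  ip6 saddr ::224.0.0.0 /100 counter goto non-public comment "Compatible address (IPv4 format)"
  ip6 saddr ::127.0.0.0 /104 counter goto non-public comment "Compatible address (IPv4 format)"
  ip6 saddr ::0.0.0.0 /104 counter goto non-public comment "Compatible address (IPv4 format)"
  ip6 saddr ::255.0.0.0 /104 counter goto non-public comment "Compatible address (IPv4 format)"
  ip6 saddr 0000:: /8 counter goto non-public comment "Pool used for unspecified, loopback and embedded IPv4 addresses"
  ip6 saddr 0200:: /7 counter goto non-public comment "OSI NSAP-mapped prefix set (rfc4548) – deprecated by rfc4048"
  ip6 saddr 3ffe::/16 counter goto non-public comment "Former 6bone, now decommissioned"
  ip6 saddr 2001:db8::/32 counter goto non-public comment "Reserved by IANA for special purposes and documentation"
  ip6 saddr 2002:e000:: /20 counter goto non-public comment "Invalid 6to4 packets (IPv4 multicast)"
  ip6 saddr 2002:7f00:: /24 counter goto non-public comment "Invalid 6to4 packets (IPv4 loopback)"
  ip6 saddr 2002:0000:: /24 counter goto non-public comment "Invalid 6to4 packets (IPv4 default)"
  ip6 saddr 2002:ff00:: /24 counter goto non-public comment "Invalid 6to4 packets"
  ip6 saddr 2002:0a00:: /24 counter goto non-public comment "Invalid 6to4 packets (IPv4 private 10.0.0.0/8 network)"
  ip6 saddr 2002:ac10:: /28 counter goto non-public comment "Invalid 6to4 packets (IPv4 private 172.16.0.0/12 network)"
  ip6 saddr 2002:c0a8:: /32 counter goto non-public comment "Invalid 6to4 packets (IPv4 private 192.168.0.0/16 network)"
  ip6 saddr fc00:: /7 counter goto non-public comment "Unicast Unique Local Addresses (ULA) – rfc4193"
  ip6 saddr fe80:: /10 counter goto non-public comment "Link-local Unicast"
  ip6 saddr fec0:: /10 counter goto non-public comment "Site-local Unicast – deprecated by rfc3879 (replaced by ULA)"
  ip6 saddr ff00:: /8 counter goto non-public comment "Multicast"
}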
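# ICMPv6 message types a host accepts (RFC 4890 §4.4).  Both callers
# (input-connectivity, output-connectivity) jump here only after
# `meta nfproto ipv6 meta l4proto ipv6-icmp`, so every rule uses a bare
# `icmpv6 type` (the router-advert rule previously repeated the prefix).
# There is no terminal verdict: anything not listed returns to the caller
# and ends up in the calling hook chain's drop policy.
chain accept-icmpv6 {
  # Traffic That Must Not Be Dropped
  # https://tools.ietf.org/html/rfc4890#section-4.4.1
  icmpv6 type destination-unreachable counter accept
  icmpv6 type packet-too-big counter accept
  icmpv6 type time-exceeded counter accept
  icmpv6 type parameter-problem counter accept

  # Address Configuration and Router Selection messages
  # (must be received with hop limit = 255, i.e. not forwarded by a router)
  icmpv6 type nd-router-solicit ip6 hoplimit 255 counter accept
  icmpv6 type nd-router-advert ip6 hoplimit 255 counter accept
  icmpv6 type nd-neighbor-solicit ip6 hoplimit 255 counter accept
  icmpv6 type nd-neighbor-advert ip6 hoplimit 255 counter accept
  # Redirects are logged and dropped rather than accepted (also on output,
  # since output-connectivity shares this chain).
  icmpv6 type nd-redirect ip6 hoplimit 255 log level warn prefix "icmpv6: nd-redirect: " counter drop
  icmpv6 type ind-neighbor-solicit ip6 hoplimit 255 counter accept
  icmpv6 type ind-neighbor-advert ip6 hoplimit 255 counter accept

  # Link-local multicast receiver notification messages
  # (must have link-local source address)
  icmpv6 type mld-listener-query ip6 saddr fe80::/10 counter accept
  icmpv6 type mld-listener-report ip6 saddr fe80::/10 counter accept
  icmpv6 type mld-listener-done ip6 saddr fe80::/10 counter accept
  # https://tools.ietf.org/html/rfc3810 Multicast Listener Discovery Version 2 (MLDv2) for IPv6
  icmpv6 type mld2-listener-report ip6 saddr fe80::/10 counter accept

  # SEND Certificate Path notification messages
  # (must be received with hop limit = 255)
  icmpv6 type 148 ip6 hoplimit 255 counter accept comment "certificate-path-solicitation"
  icmpv6 type 149 ip6 hoplimit 255 counter accept comment "certificate-path-advertisement"

  # Multicast Router Discovery messages
  # (must have link-local source address and hop limit = 1)
  icmpv6 type 151 ip6 saddr fe80::/10 ip6 hoplimit 1 counter accept comment "multicast-router-advertisement"
  icmpv6 type 152 ip6 saddr fe80::/10 ip6 hoplimit 1 counter accept comment "multicast-router-solicitation"
  icmpv6 type 153 ip6 saddr fe80::/10 ip6 hoplimit 1 counter accept comment "multicast-router-termination"
}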
147
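# ICMP/ICMPv6 accepted on input without a conntrack entry.  `input` jumps
# here after its established/related shortcut, so only new or untracked
# packets reach this chain.
chain input-connectivity {
  # echo-reply is accepted before any invalid-state handling so replies to
  # multicast pings, which have no associated connection, get through.
  ip protocol icmp icmp type echo-reply counter accept

  # IPv6 packets carrying a type-0 routing header (RH0) go to the `block`
  # log-and-drop sink.  One rule suffices: `block` never returns.  (The
  # original listed this rule three times.)
  rt type 0 jump block

  # (multicast) ping, IPv6 — same reasoning as the IPv4 echo-reply above
  meta nfproto ipv6 meta l4proto ipv6-icmp icmpv6 type echo-reply counter accept
  #ct state invalid counter drop

  # ICMPv4 error messages
  ip protocol icmp icmp type destination-unreachable counter accept
  ip protocol icmp icmp type time-exceeded counter accept
  ip protocol icmp icmp type parameter-problem counter accept
  # Same global echo-request limit as in limit-ping (which `input` has
  # already run); kept so the chain is complete on its own.
  ip protocol icmp icmp type echo-request limit rate over 10/second burst 20 packets goto ping-flood
  ip protocol icmp icmp type echo-request counter accept

  # RFC 4890 set for ICMPv6: errors, ND, MLD, SEND, MRD.
  meta nfproto ipv6 meta l4proto ipv6-icmp jump accept-icmpv6

  # ICMPv6 ping (echo-reply was handled above)
  icmpv6 type echo-request counter accept
}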
# Host input hook: drop by default; everything accepted is either listed
# here or in a chain jumped to from here.  Order is load-bearing:
#   1. loopback
#   2. check-tcp and limit-ping run *before* the established shortcut,
#      so they see every packet of every flow
#   3. established/related shortcut
#   4. connectionless ICMP/ICMPv6 (input-connectivity)
#   5. explicit, counted drop of invalid packets (policy drops them anyway)
# NOTE(review): no service ports are opened here — presumably other NixOS
# profiles append rules to this chain; confirm.
# NOTE(review): the RH0 (`rt type 0`) check lives in input-connectivity,
# i.e. after step 3, so packets belonging to an established flow are not
# inspected for it.
chain input {
  type filter hook input priority 0
  policy drop
  iifname lo accept
  jump check-tcp
  jump limit-ping
  ct state established accept
  ct state related counter accept
  jump input-connectivity
  ct state invalid counter drop
}
187
# ICMP/ICMPv6 and traceroute probes the host itself may send.
chain output-connectivity {
  # any outbound ICMPv4
  ip protocol icmp counter accept
  # classic UDP traceroute probe ports, restricted to root via skuid
  skuid root udp dport 33434-33523 counter accept comment "traceroute"

  # Same RFC 4890 chain as on input (ND, MLD, SEND, MRD); note it also
  # logs and drops nd-redirect, so this host never emits redirects.
  meta nfproto ipv6 meta l4proto ipv6-icmp jump accept-icmpv6

  # Connectivity checking messages
  meta nfproto ipv6 meta l4proto ipv6-icmp icmpv6 type echo-request counter accept
  meta nfproto ipv6 meta l4proto ipv6-icmp icmpv6 type echo-reply counter accept
}
# Host output hook: drop by default.
# NOTE(review): nothing here accepts new outbound TCP/UDP connections
# (`ct state new`), only loopback, established/related and the ICMP /
# traceroute rules in output-connectivity — presumably other profiles
# append the rest; confirm.
chain output {
  type filter hook output priority 0
  policy drop
  oifname lo accept
  # Rewrite the MSS option of outgoing SYNs from the route MTU.
  tcp flags syn tcp option maxseg size set rt mtu
  ct state established accept
  ct state related counter accept
  jump output-connectivity
}
207
# ICMP/ICMPv6 a router should let through (RFC 4890 §4.3).
# NOTE(review): the `forward` chain below never jumps here, so this chain
# is unreachable as written; with forward's drop policy nothing is
# forwarded at all.
chain forward-connectivity {
  ip protocol icmp icmp type destination-unreachable counter accept
  ip protocol icmp icmp type time-exceeded counter accept
  ip protocol icmp icmp type parameter-problem counter accept
  ip protocol icmp icmp type echo-request counter accept

  # Traffic That Must Not Be Dropped
  # https://tools.ietf.org/html/rfc4890#section-4.3.1
  meta nfproto ipv6 meta l4proto ipv6-icmp icmpv6 type destination-unreachable counter accept
  meta nfproto ipv6 meta l4proto ipv6-icmp icmpv6 type packet-too-big counter accept
  meta nfproto ipv6 meta l4proto ipv6-icmp icmpv6 type time-exceeded counter accept
  meta nfproto ipv6 meta l4proto ipv6-icmp icmpv6 type parameter-problem counter accept

  # Connectivity checking messages
  meta nfproto ipv6 meta l4proto ipv6-icmp icmpv6 type echo-request counter accept
  meta nfproto ipv6 meta l4proto ipv6-icmp icmpv6 type echo-reply counter accept

  # Traffic That Normally Should Not Be Dropped
  # https://tools.ietf.org/html/rfc4890#section-4.3.2
  meta nfproto ipv6 meta l4proto ipv6-icmp icmpv6 type 144 counter accept comment "home-agent-address-discovery-request"
  meta nfproto ipv6 meta l4proto ipv6-icmp icmpv6 type 145 counter accept comment "home-agent-address-discovery-reply"
  meta nfproto ipv6 meta l4proto ipv6-icmp icmpv6 type 146 counter accept comment "mobile-prefix-solicitation"
  meta nfproto ipv6 meta l4proto ipv6-icmp icmpv6 type 147 counter accept comment "mobile-prefix-advertisement"
}
# Forward hook: no rules, drop policy — this host forwards nothing.
# forward-connectivity above is not jumped to; add `jump forward-connectivity`
# (and the usual established/related shortcut) if routing is enabled.
chain forward {
  type filter hook forward priority 0
  policy drop
}
236
# Empty filter-type prerouting placeholder (accept policy); presumably a
# hook point for rules appended by other profiles — confirm.
chain prerouting {
  type filter hook prerouting priority filter
  policy accept
}
241 }
# NAT table: both chains are empty placeholders with accept policy, so no
# translation is configured here; presumably other profiles append rules
# — confirm.
# NOTE(review): `priority filter` (0) on a nat-type prerouting chain is
# unusual; the conventional value is `dstnat` (-100) so DNAT is applied
# before filter-type prerouting chains at priority 0.  Harmless while the
# chain is empty.
table inet nat {
  chain prerouting {
    type nat hook prerouting priority filter
    policy accept
  }
  chain postrouting {
    type nat hook postrouting priority srcnat
    policy accept
  }
}