]> Git — Sourcephile - sourcephile-nix.git/blob - networking/nftables/filter.txt
mermet: nftables: use meta l4proto
[sourcephile-nix.git] / networking / nftables / filter.txt
1 set lograte4 { type ipv4_addr; size 65535; flags dynamic; }
2 set lograte6 { type ipv6_addr; size 65535; flags dynamic; }
3 chain block {
4 add @lograte4 { ip saddr limit rate 1/minute } log level warn prefix "block: "
5 add @lograte6 { ip6 saddr limit rate 1/minute } log level warn prefix "block: "
6 counter drop
7 }
8 chain ping-flood {
9 add @lograte4 { ip saddr limit rate 1/minute } log level warn prefix "ping-flood: "
10 add @lograte6 { ip6 saddr limit rate 1/minute } log level warn prefix "ping-flood: "
11 counter drop
12 }
13 chain smurf {
14 add @lograte4 { ip saddr limit rate 1/minute } log level warn prefix "smurf: "
15 add @lograte6 { ip6 saddr limit rate 1/minute } log level warn prefix "smurf: "
16 counter drop
17 }
18 chain bogus-tcp {
19 add @lograte4 { ip saddr limit rate 1/minute } log level warn prefix "bogus-tcp: "
20 add @lograte6 { ip6 saddr limit rate 1/minute } log level warn prefix "bogus-tcp: "
21 counter drop
22 }
23 chain syn-flood {
24 add @lograte4 { ip saddr limit rate 1/minute } log level warn prefix "syn-flood: "
25 add @lograte6 { ip6 saddr limit rate 1/minute } log level warn prefix "syn-flood: "
26 counter drop
27 }
28 chain check-tcp {
29 tcp flags syn tcp option maxseg size != 536-65535 counter goto bogus-tcp
30 tcp flags & (ack|fin) == fin counter goto bogus-tcp
31 tcp flags & (ack|psh) == psh counter goto bogus-tcp
32 tcp flags & (ack|urg) == urg counter goto bogus-tcp
33 tcp flags & (fin|ack) == fin counter goto bogus-tcp
34 tcp flags & (fin|rst) == (fin|rst) counter goto bogus-tcp
35 tcp flags & (fin|psh|ack) == (fin|psh) counter goto bogus-tcp
36 tcp flags & (syn|fin) == (syn|fin) counter goto bogus-tcp comment "SYN-FIN scan"
37 tcp flags & (syn|rst) == (syn|rst) counter goto bogus-tcp comment "SYN-RST scan"
38 tcp flags == (fin|syn|rst|psh|ack|urg) counter goto bogus-tcp comment "XMAS scan"
39 tcp flags == 0x0 counter goto bogus-tcp comment "NULL scan"
40 tcp flags == (fin|urg|psh) counter goto bogus-tcp
41 tcp flags == (fin|urg|psh|syn) counter goto bogus-tcp comment "NMAP-ID"
42 tcp flags == (fin|urg|syn|rst|ack) counter goto bogus-tcp
43
44 ct state new tcp flags != syn counter goto bogus-tcp
45 tcp sport 0 tcp flags & (fin|syn|rst|ack) == syn counter goto bogus-tcp
46 tcp flags & (fin|syn|rst|ack) == syn counter limit rate over 30/second burst 60 packets goto syn-flood
47 }
48 chain spoofing {
49 add @lograte4 { ip saddr limit rate 1/minute } log level warn prefix "spoofing: "
50 counter drop
51 }
52 chain check-broadcast {
53 #ip saddr 0.0.0.0/32 counter accept comment "DHCP broadcast"
54 fib saddr type broadcast counter goto smurf
55 #ip saddr 224.0.0.0/4 counter goto smurf
56 }
57 chain check-ping {
58 ip protocol icmp icmp type echo-request limit rate over 10/second burst 20 packets goto ping-flood
59 # Note the use `meta nfproto ipv6 meta l4proto ipv6-icmp`
60 # instead of the buggy `ip6 nexthdr ipv6-icmp`.
61 # See https://unix.stackexchange.com/questions/645561/nftables-how-to-set-up-simple-ip-and-port-forwarding#comment1209441_645561
62 meta nfproto ipv6 meta l4proto ipv6-icmp icmpv6 type echo-request limit rate over 10/second burst 20 packets goto ping-flood
63 }
64 chain check-public {
65 ip saddr 0.0.0.0/8 counter goto spoofing
66 ip saddr 10.0.0.0/8 counter goto spoofing
67 ip saddr 127.0.0.0/8 counter goto spoofing
68 ip saddr 169.254.0.0/16 counter goto spoofing
69 ip saddr 172.16.0.0/12 counter goto spoofing
70 ip saddr 192.0.2.0/24 counter goto spoofing
71 ip saddr 192.168.0.0/16 counter goto spoofing
72 ip saddr 224.0.0.0/3 counter goto spoofing
73 ip saddr 240.0.0.0/5 counter goto spoofing
74 }
75 chain accept-icmpv6 {
76 # Traffic That Must Not Be Dropped
77 # https://tools.ietf.org/html/rfc4890#section-4.4.1
78 icmpv6 type destination-unreachable counter accept
79 icmpv6 type packet-too-big counter accept
80 icmpv6 type time-exceeded counter accept
81 icmpv6 type parameter-problem counter accept
82
83 # Address Configuration and Router Selection messages
84 # (must be received with hop limit = 255)
85 icmpv6 type nd-router-solicit ip6 hoplimit 255 counter accept
86 meta nfproto ipv6 meta l4proto ipv6-icmp icmpv6 type nd-router-advert ip6 hoplimit 255 counter accept
87 icmpv6 type nd-neighbor-solicit ip6 hoplimit 255 counter accept
88 icmpv6 type nd-neighbor-advert ip6 hoplimit 255 counter accept
89 icmpv6 type nd-redirect ip6 hoplimit 255 log level warn prefix "icmpv6: nd-redirect: " counter drop
90 icmpv6 type ind-neighbor-solicit ip6 hoplimit 255 counter accept
91 icmpv6 type ind-neighbor-advert ip6 hoplimit 255 counter accept
92
93 # Link-local multicast receiver notification messages
94 # (must have link-local source address)
95 icmpv6 type mld-listener-query ip6 saddr fe80::/10 counter accept
96 icmpv6 type mld-listener-report ip6 saddr fe80::/10 counter accept
97 icmpv6 type mld-listener-done ip6 saddr fe80::/10 counter accept
98 # https://tools.ietf.org/html/rfc3810 Multicast Listener Discovery Version 2 (MLDv2) for IPv6
99 icmpv6 type mld2-listener-report ip6 saddr fe80::/10 counter accept
100
101 # SEND Certificate Path notification messages
102 # (must be received with hop limit = 255)
103 icmpv6 type 148 ip6 hoplimit 255 counter accept comment "certificate-path-solicitation"
104 icmpv6 type 149 ip6 hoplimit 255 counter accept comment "certificate-path-advertisement"
105
106 # Multicast Router Discovery messages
107 # (must have link-local source address and hop limit = 1)
108 icmpv6 type 151 ip6 saddr fe80::/10 ip6 hoplimit 1 counter accept comment "multicast-router-advertisement"
109 icmpv6 type 152 ip6 saddr fe80::/10 ip6 hoplimit 1 counter accept comment "multicast-router-solicitation"
110 icmpv6 type 153 ip6 saddr fe80::/10 ip6 hoplimit 1 counter accept comment "multicast-router-termination"
111 }
112 chain accept-connectivity-input {
113 # Connectivity checking messages
114 # (multicast) ping
115 ip protocol icmp icmp type echo-reply counter accept
116
117 # drop packets with rh0 headers
118 rt type 0 jump block
119 rt type 0 jump block
120 rt type 0 jump block
121
122 # (multicast) ping
123 meta nfproto ipv6 meta l4proto ipv6-icmp icmpv6 type echo-reply counter accept
124 #ct state invalid counter drop
125
126 ip protocol icmp icmp type destination-unreachable counter accept
127 ip protocol icmp icmp type time-exceeded counter accept
128 ip protocol icmp icmp type parameter-problem counter accept
129 ip protocol icmp icmp type echo-request limit rate over 10/second burst 20 packets goto ping-flood
130 ip protocol icmp icmp type echo-request counter accept
131 # echo-reply is handled before invalid packets to allow multicast ping
132 # which do not have an associated connection.
133
134 meta nfproto ipv6 meta l4proto ipv6-icmp jump accept-icmpv6
135
136 # Connectivity checking messages
137 icmpv6 type echo-request counter accept
138 # echo-reply is handled before invalid because of multicast
139 }
140 chain accept-connectivity-output {
141 ip protocol icmp counter accept
142 meta skuid 0 udp dport 33434-33523 counter accept comment "traceroute"
143
144 meta nfproto ipv6 meta l4proto ipv6-icmp jump accept-icmpv6
145
146 # Connectivity checking messages
147 meta nfproto ipv6 meta l4proto ipv6-icmp icmpv6 type echo-request counter accept
148 meta nfproto ipv6 meta l4proto ipv6-icmp icmpv6 type echo-reply counter accept
149 }
150 chain accept-connectivity-forward {
151 ip protocol icmp icmp type destination-unreachable counter accept
152 ip protocol icmp icmp type time-exceeded counter accept
153 ip protocol icmp icmp type parameter-problem counter accept
154 ip protocol icmp icmp type echo-request counter accept
155
156 # Traffic That Must Not Be Dropped
157 # https://tools.ietf.org/html/rfc4890#section-4.3.1
158 meta nfproto ipv6 meta l4proto ipv6-icmp icmpv6 type destination-unreachable counter accept
159 meta nfproto ipv6 meta l4proto ipv6-icmp icmpv6 type packet-too-big counter accept
160 meta nfproto ipv6 meta l4proto ipv6-icmp icmpv6 type time-exceeded counter accept
161 meta nfproto ipv6 meta l4proto ipv6-icmp icmpv6 type parameter-problem counter accept
162
163 # Connectivity checking messages
164 meta nfproto ipv6 meta l4proto ipv6-icmp icmpv6 type echo-request counter accept
165 meta nfproto ipv6 meta l4proto ipv6-icmp icmpv6 type echo-reply counter accept
166
167 # Traffic That Normally Should Not Be Dropped
168 # https://tools.ietf.org/html/rfc4890#section-4.3.2
169 meta nfproto ipv6 meta l4proto ipv6-icmp icmpv6 type 144 counter accept comment "home-agent-address-discovery-request"
170 meta nfproto ipv6 meta l4proto ipv6-icmp icmpv6 type 145 counter accept comment "home-agent-address-discovery-reply"
171 meta nfproto ipv6 meta l4proto ipv6-icmp icmpv6 type 146 counter accept comment "mobile-prefix-solicitation"
172 meta nfproto ipv6 meta l4proto ipv6-icmp icmpv6 type 147 counter accept comment "mobile-prefix-advertisement"
173 }