Skip to content

Instantly share code, notes, and snippets.

@atErik
Last active August 16, 2019 08:31
Show Gist options
  • Save atErik/5757cfdfcfe25254ac3500c2a570d042 to your computer and use it in GitHub Desktop.
Save atErik/5757cfdfcfe25254ac3500c2a570d042 to your computer and use it in GitHub Desktop.
Server3-D10/etc/nftables.conf
#!/usr/sbin/nft -f
#
# /etc/nftables.conf file in SRVR3 "srvr3.example.com" Server
#
#
# This server includes these IP-addresses & associated functions:
# SRVR3.IPv4.ADRS : ssh-server, dns/nameServer, mail-server, webServer
# SRVR3:IPv6:ADRS1 : ssh-server, dns/nameServer, mail-server, webServer
# SRVR3:IPv6:ADRS3 : ssh-server, dns/nameServer, mail-server, webServer
# SRVR3:IPv6:ADRS5 : dns-Server, webServer
# SRVR3:IPv6:ADRS2 : mail-server, webServer
# SRVR3:IPv6:ADRS4 : mail-server, webServer
#
#
# Lines that begin with the "#" symbol are comments/notes/etc.
#
# Instead of showing real IP-Address numbers,
# We are using these words SRVR3.IPv4.ADRS , SRVR3:IPv6:ADRS, etc
#
#
flush ruleset
# the `ip` adrs-family-table applies to IPv4:
table ip filter {
chain incoming {
type filter hook input priority 0; policy drop;
# for IPv4, this "ip" rules are processed 1st, then "inet".
# ICMP handled 1st, & to rate limit:
ip protocol icmp icmp type echo-request limit rate 100/second accept
ip protocol icmp icmp type echo-request counter drop
# No ping floods:
# ip protocol icmp icmp type echo-request limit rate over 10/second burst 4 packets drop
# ... For IPv4 DNS NameServer/Authoritative Server, rate limit rules are here ...
# ... For IPv4 SSH Server, rate limit rules are here ...
# Accept traffic originated from us (established/related) from this server-computer:
ct state { established, related } accept
# Accept these ICMP (IPv4 based)
# (usually for initial server setup or app debug stage,
# when hardening server then remove whats not necessary)
# (Keyword = Value | echo-reply = 0 | destination-unreachable = 3 | source-quench = 4 | redirect = 5 |
# echo-request = 8 | router-advertisement = 9 | router-solicitation = 10 | time-exceeded = 11 |
# parameter-problem = 12 | timestamp-request = 13 | timestamp-reply = 14 | info-request = 15 |
# info-reply = 16 | address-mask-request = 17 | address-mask-reply = 18 )
ip protocol icmp icmp type { destination-unreachable, echo-reply, router-solicitation, router-advertisement, time-exceeded, parameter-problem } accept
# if this computer is not a packet router, then do not accept icmp "redirect", See "sysctl.conf"
# Accept IGMP:
ip protocol igmp accept
# Allow HE(HurricaneElectric) 6in4 IPv6-in-IPv4 GRE/p41 Tunnel:
# ip protocol 41 ip saddr HE.END-POINT.IPv4.ADRS ip daddr SRVR3.IPv4.ADRS accept
#tcp dport 5022 ip saddr { DEB1.PC.IPv4.ADRS, DEB2.PC.IPv4.ADRS, AtErikLoc1.IPv4.ADRS, AtErikLoc2.IPv4.ADRS } ip daddr SRVR3.IPv4.ADRS ct state { new, established, related } accept
#udp dport 5022 ip saddr { DEB1.PC.IPv4.ADRS, DEB2.PC.IPv4.ADRS, AtErikLoc1.IPv4.ADRS, AtErikLoc2.IPv4.ADRS } ip daddr SRVR3.IPv4.ADRS ct state { new, established, related } accept
# nft add rule inet filter input tcp dport 22 ct state new tcp flags \& \(syn \| ack\) == syn counter accept
#tcp dport 5022 ip saddr { DEB1.PC.IPv4.ADRS, DEB2.PC.IPv4.ADRS, AtErikLoc1.IPv4.ADRS, AtErikLoc2.IPv4.ADRS } ip daddr SRVR3.IPv4.ADRS ct state new tcp flags & (syn | ack) == syn accept
#tcp dport 5022 ip saddr { DEB1.PC.IPv4.ADRS, DEB2.PC.IPv4.ADRS, AtErikLoc1.IPv4.ADRS, AtErikLoc2.IPv4.ADRS } ip daddr SRVR3.IPv4.ADRS ct state new accept
tcp dport 5022 ct state new tcp flags & (syn|ack) == syn counter accept
# ip4_SRVR3 : Used for DNS/named/BIND/53, SSH/5022, email, etc services:
tcp dport { 25, 53, 80, 110, 143, 443, 465, 587, 993, 995, 4190 } ip daddr SRVR3.IPv4.ADRS accept
udp dport { 53, 80, 443 } ip daddr SRVR3.IPv4.ADRS accept
# ... other IP / IPv4 related rules (also add in "inet" section) ...
counter drop
}
chain FORWARD {
type filter hook forward priority 0; policy drop;
}
chain outgoing {
type filter hook output priority 0; policy accept;
tcp sport 5022 ip daddr { DEB1.PC.IPv4.ADRS, DEB2.PC.IPv4.ADRS, AtErikLoc1.IPv4.ADRS, AtErikLoc2.IPv4.ADRS } ip saddr SRVR3.IPv4.ADRS accept
}
}
# the `ip6` adrs-family-table applies to IPv6:
table ip6 filter {
chain incoming {
type filter hook input priority 0; policy drop;
# for IPv6, this "ip6" rules are processed 1st, then "inet".
# ICMPv6 handled 1st, & to rate limit:
ip6 nexthdr icmpv6 icmpv6 type echo-request limit rate 100/second accept
ip6 nexthdr icmpv6 icmpv6 type echo-request counter drop
# No ping floods:
# ip6 nexthdr icmpv6 icmpv6 type echo-request limit rate over 10/second burst 4 packets drop
# ... For IPv6 DNS NameServer/Authoritative Server, rate limit rules are here ...
# ... For IPv6 SSH Server, rate limit rules are here ...
# Accept traffic originated from us (established/related) from this server-computer:
ct state { established, related } accept
# Accept these ICMPv6:
# (usually for initial server setup or app debug stage,
# when hardening server then remove whats not necessary)
# (Keyword = Value | destination-unreachable = 1 | packet-too-big = 2 | time-exceeded = 3 |
# parameter-problem = 4 | echo-request = 128 | echo-reply = 129 | mld-listener-query = 130 |
# mld-listener-report = 131 | mld-listener-done = 132 | mld-listener-reduction = 132 |
# nd-router-solicit = 133 | nd-router-advert = 134 | nd-neighbor-solicit = 135 | nd-neighbor-advert
# = 136 | nd-redirect = 137 | router-renumbering = 138 | ind-neighbor-solicit = 141 |
# ind-neighbor-advert = 142 | mld2-listener-report = 143)
ip6 nexthdr icmpv6 icmpv6 type { destination-unreachable, packet-too-big, time-exceeded, parameter-problem, echo-reply, mld-listener-query, mld-listener-report, mld-listener-reduction, nd-router-solicit, nd-router-advert, nd-neighbor-solicit, nd-neighbor-advert, ind-neighbor-solicit, ind-neighbor-advert, mld2-listener-report } accept
# the "nd-redirect", "router-renumbering" were removed.
# research more on each icmpv6 packets how NDP can be used to abuse.
# ip6_SRVR3 : Used for DNS/named/BIND/53, SSH/5022, email, web, etc services:
tcp dport { 25, 53, 80, 110, 143, 443, 465, 587, 993, 995, 4190 } ip6 daddr { SRVR3:IPv6:ADRS1, SRVR3:IPv6:ADRS3 } accept
udp dport { 53, 80, 443 } ip6 daddr { SRVR3:IPv6:ADRS1, SRVR3:IPv6:ADRS3 } accept
# ip6_SRVR3 : Used for DNS/unbound/53, web-servers(http/80, https/443), etc:
tcp dport { 53, 80, 443 } ip6 daddr { SRVR3:IPv6:ADRS5 } accept
udp dport { 53, 80, 443 } ip6 daddr { SRVR3:IPv6:ADRS5 } accept
# ip6_SRVR3_MX : Used for EMail-related-services (smtp/25, submission/587, smtps/465, imaps/993
# pop3s/995, sieve/4190, etc):
tcp dport { 25, 80, 110, 143, 443, 465, 587, 993, 995, 4190 } ip6 daddr { SRVR3:IPv6:ADRS2, SRVR3:IPv6:ADRS4 } accept
udp dport { 80, 443 } ip6 daddr { SRVR3:IPv6:ADRS2, SRVR3:IPv6:ADRS4 } accept
# ... other IPv6 related rules (also add in "inet" section) ...
counter drop
}
chain FORWARD {
type filter hook forward priority 0; policy drop;
}
chain outgoing {
type filter hook output priority 0; policy accept;
}
}
# the `inet` adrs-family-table applies to both IPv4 and IPv6:
table inet filter {
chain incoming {
type filter hook input priority 0; policy drop;
# "inet" adrs-family (aka table) is processed after "ip" for IPv4 related packets,
# & "inet" is processed after "ip6" for IPv6 related network-packets.
# Duplicate rules & ADD IPv4 related rules in "ip" section, & IPv6 into "ip6" section
# When all working perfectly then slowly
# remove/reduce duplicate rules ONE-BY-ONE from here 1st & TEST EACH TIME.
# Tips: if set of IPv4 or IPv6 rules both using same PORTs, then keep it here
# in "inet" as combined. Other (unique) rules usually can go into separate sections.
# when rules have specific IPv4 / IPv6 ADDRESS,
# then its better to place them in respective "ip" or "ip6" tables/sections.
# Accept any localhost traffic:
iif lo accept
# ICMP+ICMPv6 handled 1st, & to rate limit:
ip6 nexthdr icmpv6 icmpv6 type echo-request limit rate 100/second accept
ip6 nexthdr icmpv6 icmpv6 type echo-request counter drop
ip protocol icmp icmp type echo-request limit rate 100/second accept
ip protocol icmp icmp type echo-request counter drop
# No ping floods:
#ip protocol icmp icmp type echo-request limit rate over 10/second burst 4 packets drop
#ip6 nexthdr icmpv6 icmpv6 type echo-request limit rate over 10/second burst 4 packets drop
# ... For DNS NameServer/Authoritative Server, rate limit rules are here ...
# ... For SSH Server, rate limit rules are here ...
# Accept traffic originated from us (established/related) from this server-computer:
ct state { established, related } accept
# Accept these ICMP & ICMPv6:
# (usually for initial server setup or app debug stage,
# when hardening server then remove whats not necessary)
ip6 nexthdr icmpv6 icmpv6 type { destination-unreachable, packet-too-big, time-exceeded, parameter-problem, echo-reply, mld-listener-query, mld-listener-report, mld-listener-reduction, nd-router-solicit, nd-router-advert, nd-neighbor-solicit, nd-neighbor-advert, ind-neighbor-solicit, ind-neighbor-advert, mld2-listener-report } accept
# the "nd-redirect", "router-renumbering" were removed.
# research more on each icmpv6 packets how NDP can be used to abuse.
ip protocol icmp icmp type { destination-unreachable, echo-reply, router-solicitation, router-advertisement, time-exceeded, parameter-problem } accept
# Accept IGMP:
ip protocol igmp accept
# Allow HE(HurricaneElectric) 6in4 IPv6-in-IPv4 GRE/p41 Tunnel:
# ip protocol 41 ip saddr HE.END-POINT.IPv4.ADRS ip daddr SRVR3.IPv4.ADRS accept
# ssh server & fixed clients
#tcp dport 5022 ip saddr { DEB1.PC.IPv4.ADRS, DEB2.PC.IPv4.ADRS, AtErikLoc1.IPv4.ADRS, AtErikLoc2.IPv4.ADRS } ip daddr SRVR3.IPv4.ADRS ct state { new, established, related } accept
#udp dport 5022 ip saddr { DEB1.PC.IPv4.ADRS, DEB2.PC.IPv4.ADRS, AtErikLoc1.IPv4.ADRS, AtErikLoc2.IPv4.ADRS } ip daddr SRVR3.IPv4.ADRS ct state { new, established, related } accept
#tcp dport 5022 ip saddr { DEB1.PC.IPv4.ADRS, DEB2.PC.IPv4.ADRS, AtErikLoc1.IPv4.ADRS, AtErikLoc2.IPv4.ADRS } ip daddr SRVR3.IPv4.ADRS ct state new tcp flags & (syn | ack) == syn counter accept
#tcp dport 5022 ip saddr { DEB1.PC.IPv4.ADRS, DEB2.PC.IPv4.ADRS, AtErikLoc1.IPv4.ADRS, AtErikLoc2.IPv4.ADRS } ip daddr SRVR3.IPv4.ADRS ct state new accept
#tcp dport 5022 ct state new tcp flags & (syn|ack) == syn counter accept
#nft add rule inet filter input tcp dport 22 ct state new tcp flags \& \(syn \| ack\) == syn counter accept
tcp dport 5022 ct state new tcp flags & (syn|ack) == syn counter accept
# ip4_SRVR3 : Used for DNS/named/BIND/53, SSH/5022, email, web, etc services:
tcp dport { 25, 53, 80, 110, 143, 443, 465, 587, 993, 995, 4190 } ip daddr SRVR3.IPv4.ADRS accept
udp dport { 53, 80, 443 } ip daddr SRVR3.IPv4.ADRS accept
# ip6_SRVR3 : Used for DNS/named/BIND/53, SSH/5022, email, web, etc services:
tcp dport { 25, 53, 80, 110, 143, 443, 465, 587, 993, 995, 4190 } ip6 daddr { SRVR3:IPv6:ADRS1, SRVR3:IPv6:ADRS3 } accept
udp dport { 53, 80, 443 } ip6 daddr { SRVR3:IPv6:ADRS1, SRVR3:IPv6:ADRS3 } accept
# ip6_SRVR3 : Used for DNS/unbound/53, web-servers(http/80, https/443), etc:
tcp dport { 53, 80, 443 } ip6 daddr { SRVR3:IPv6:ADRS5 } accept
udp dport { 53, 80, 443 } ip6 daddr { SRVR3:IPv6:ADRS5 } accept
# ip6_SRVR3_MX : Used for EMail-related-services (smtp/25, submission/587, smtps/465, imaps/993
# pop3s/995, sieve/4190, etc):
tcp dport { 25, 80, 110, 143, 443, 465, 587, 993, 995, 4190 } ip6 daddr { SRVR3:IPv6:ADRS2, SRVR3:IPv6:ADRS4 } accept
udp dport { 80, 443 } ip6 daddr { SRVR3:IPv6:ADRS2, SRVR3:IPv6:ADRS4 } accept
# ... other IPv4 & IPv6 related rules (also add in "ip" & "ip6" section) ...
# count and drop any other traffic
counter drop
}
chain outgoing {
type filter hook output priority 0;
policy accept;
tcp sport 5022 ip daddr { DEB1.PC.IPv4.ADRS, DEB2.PC.IPv4.ADRS, AtErikLoc1.IPv4.ADRS, AtErikLoc2.IPv4.ADRS } ip saddr SRVR3.IPv4.ADRS accept
}
chain forward {
type filter hook forward priority 0;
policy drop;
}
}
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment