Last active
August 16, 2019 08:31
-
-
Save atErik/5757cfdfcfe25254ac3500c2a570d042 to your computer and use it in GitHub Desktop.
Server3-D10/etc/nftables.conf
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/usr/sbin/nft -f | |
| # | |
| # /etc/nftables.conf file in SRVR3 "srvr3.example.com" Server | |
| # | |
| # | |
| # This server includes these IP-addresses & associated functions: | |
| # SRVR3.IPv4.ADRS : ssh-server, dns/nameServer, mail-server, webServer | |
| # SRVR3:IPv6:ADRS1 : ssh-server, dns/nameServer, mail-server, webServer | |
| # SRVR3:IPv6:ADRS3 : ssh-server, dns/nameServer, mail-server, webServer | |
| # SRVR3:IPv6:ADRS5 : dns-Server, webServer | |
| # SRVR3:IPv6:ADRS2 : mail-server, webServer | |
| # SRVR3:IPv6:ADRS4 : mail-server, webServer | |
| # | |
| # | |
| # Lines that begin with the "#" symbol are comments/notes/etc. | |
| # | |
| # Instead of showing real IP-Address numbers, | |
| # We are using these words SRVR3.IPv4.ADRS , SRVR3:IPv6:ADRS, etc | |
| # | |
| # | |
| flush ruleset | |
| # the `ip` adrs-family-table applies to IPv4: | |
| table ip filter { | |
| chain incoming { | |
| type filter hook input priority 0; policy drop; | |
| # for IPv4, this "ip" rules are processed 1st, then "inet". | |
| # ICMP handled 1st, & to rate limit: | |
| ip protocol icmp icmp type echo-request limit rate 100/second accept | |
| ip protocol icmp icmp type echo-request counter drop | |
| # No ping floods: | |
| # ip protocol icmp icmp type echo-request limit rate over 10/second burst 4 packets drop | |
| # ... For IPv4 DNS NameServer/Authoritative Server, rate limit rules are here ... | |
| # ... For IPv4 SSH Server, rate limit rules are here ... | |
| # Accept traffic originated from us (established/related) from this server-computer: | |
| ct state { established, related } accept | |
| # Accept these ICMP (IPv4 based) | |
| # (usually for initial server setup or app debug stage, | |
| # when hardening server then remove whats not necessary) | |
| # (Keyword = Value | echo-reply = 0 | destination-unreachable = 3 | source-quench = 4 | redirect = 5 | | |
| # echo-request = 8 | router-advertisement = 9 | router-solicitation = 10 | time-exceeded = 11 | | |
| # parameter-problem = 12 | timestamp-request = 13 | timestamp-reply = 14 | info-request = 15 | | |
| # info-reply = 16 | address-mask-request = 17 | address-mask-reply = 18 ) | |
| ip protocol icmp icmp type { destination-unreachable, echo-reply, router-solicitation, router-advertisement, time-exceeded, parameter-problem } accept | |
| # if this computer is not a packet router, then do not accept icmp "redirect", See "sysctl.conf" | |
| # Accept IGMP: | |
| ip protocol igmp accept | |
| # Allow HE(HurricaneElectric) 6in4 IPv6-in-IPv4 GRE/p41 Tunnel: | |
| # ip protocol 41 ip saddr HE.END-POINT.IPv4.ADRS ip daddr SRVR3.IPv4.ADRS accept | |
| #tcp dport 5022 ip saddr { DEB1.PC.IPv4.ADRS, DEB2.PC.IPv4.ADRS, AtErikLoc1.IPv4.ADRS, AtErikLoc2.IPv4.ADRS } ip daddr SRVR3.IPv4.ADRS ct state { new, established, related } accept | |
| #udp dport 5022 ip saddr { DEB1.PC.IPv4.ADRS, DEB2.PC.IPv4.ADRS, AtErikLoc1.IPv4.ADRS, AtErikLoc2.IPv4.ADRS } ip daddr SRVR3.IPv4.ADRS ct state { new, established, related } accept | |
| # nft add rule inet filter input tcp dport 22 ct state new tcp flags \& \(syn \| ack\) == syn counter accept | |
| #tcp dport 5022 ip saddr { DEB1.PC.IPv4.ADRS, DEB2.PC.IPv4.ADRS, AtErikLoc1.IPv4.ADRS, AtErikLoc2.IPv4.ADRS } ip daddr SRVR3.IPv4.ADRS ct state new tcp flags & (syn | ack) == syn accept | |
| #tcp dport 5022 ip saddr { DEB1.PC.IPv4.ADRS, DEB2.PC.IPv4.ADRS, AtErikLoc1.IPv4.ADRS, AtErikLoc2.IPv4.ADRS } ip daddr SRVR3.IPv4.ADRS ct state new accept | |
| tcp dport 5022 ct state new tcp flags & (syn|ack) == syn counter accept | |
| # ip4_SRVR3 : Used for DNS/named/BIND/53, SSH/5022, email, etc services: | |
| tcp dport { 25, 53, 80, 110, 143, 443, 465, 587, 993, 995, 4190 } ip daddr SRVR3.IPv4.ADRS accept | |
| udp dport { 53, 80, 443 } ip daddr SRVR3.IPv4.ADRS accept | |
| # ... other IP / IPv4 related rules (also add in "inet" section) ... | |
| counter drop | |
| } | |
| chain FORWARD { | |
| type filter hook forward priority 0; policy drop; | |
| } | |
| chain outgoing { | |
| type filter hook output priority 0; policy accept; | |
| tcp sport 5022 ip daddr { DEB1.PC.IPv4.ADRS, DEB2.PC.IPv4.ADRS, AtErikLoc1.IPv4.ADRS, AtErikLoc2.IPv4.ADRS } ip saddr SRVR3.IPv4.ADRS accept | |
| } | |
| } | |
| # the `ip6` adrs-family-table applies to IPv6: | |
| table ip6 filter { | |
| chain incoming { | |
| type filter hook input priority 0; policy drop; | |
| # for IPv6, this "ip6" rules are processed 1st, then "inet". | |
| # ICMPv6 handled 1st, & to rate limit: | |
| ip6 nexthdr icmpv6 icmpv6 type echo-request limit rate 100/second accept | |
| ip6 nexthdr icmpv6 icmpv6 type echo-request counter drop | |
| # No ping floods: | |
| # ip6 nexthdr icmpv6 icmpv6 type echo-request limit rate over 10/second burst 4 packets drop | |
| # ... For IPv6 DNS NameServer/Authoritative Server, rate limit rules are here ... | |
| # ... For IPv6 SSH Server, rate limit rules are here ... | |
| # Accept traffic originated from us (established/related) from this server-computer: | |
| ct state { established, related } accept | |
| # Accept these ICMPv6: | |
| # (usually for initial server setup or app debug stage, | |
| # when hardening server then remove whats not necessary) | |
| # (Keyword = Value | destination-unreachable = 1 | packet-too-big = 2 | time-exceeded = 3 | | |
| # parameter-problem = 4 | echo-request = 128 | echo-reply = 129 | mld-listener-query = 130 | | |
| # mld-listener-report = 131 | mld-listener-done = 132 | mld-listener-reduction = 132 | | |
| # nd-router-solicit = 133 | nd-router-advert = 134 | nd-neighbor-solicit = 135 | nd-neighbor-advert | |
| # = 136 | nd-redirect = 137 | router-renumbering = 138 | ind-neighbor-solicit = 141 | | |
| # ind-neighbor-advert = 142 | mld2-listener-report = 143) | |
| ip6 nexthdr icmpv6 icmpv6 type { destination-unreachable, packet-too-big, time-exceeded, parameter-problem, echo-reply, mld-listener-query, mld-listener-report, mld-listener-reduction, nd-router-solicit, nd-router-advert, nd-neighbor-solicit, nd-neighbor-advert, ind-neighbor-solicit, ind-neighbor-advert, mld2-listener-report } accept | |
| # the "nd-redirect", "router-renumbering" were removed. | |
| # research more on each icmpv6 packets how NDP can be used to abuse. | |
| # ip6_SRVR3 : Used for DNS/named/BIND/53, SSH/5022, email, web, etc services: | |
| tcp dport { 25, 53, 80, 110, 143, 443, 465, 587, 993, 995, 4190 } ip6 daddr { SRVR3:IPv6:ADRS1, SRVR3:IPv6:ADRS3 } accept | |
| udp dport { 53, 80, 443 } ip6 daddr { SRVR3:IPv6:ADRS1, SRVR3:IPv6:ADRS3 } accept | |
| # ip6_SRVR3 : Used for DNS/unbound/53, web-servers(http/80, https/443), etc: | |
| tcp dport { 53, 80, 443 } ip6 daddr { SRVR3:IPv6:ADRS5 } accept | |
| udp dport { 53, 80, 443 } ip6 daddr { SRVR3:IPv6:ADRS5 } accept | |
| # ip6_SRVR3_MX : Used for EMail-related-services (smtp/25, submission/587, smtps/465, imaps/993 | |
| # pop3s/995, sieve/4190, etc): | |
| tcp dport { 25, 80, 110, 143, 443, 465, 587, 993, 995, 4190 } ip6 daddr { SRVR3:IPv6:ADRS2, SRVR3:IPv6:ADRS4 } accept | |
| udp dport { 80, 443 } ip6 daddr { SRVR3:IPv6:ADRS2, SRVR3:IPv6:ADRS4 } accept | |
| # ... other IPv6 related rules (also add in "inet" section) ... | |
| counter drop | |
| } | |
| chain FORWARD { | |
| type filter hook forward priority 0; policy drop; | |
| } | |
| chain outgoing { | |
| type filter hook output priority 0; policy accept; | |
| } | |
| } | |
| # the `inet` adrs-family-table applies to both IPv4 and IPv6: | |
| table inet filter { | |
| chain incoming { | |
| type filter hook input priority 0; policy drop; | |
| # "inet" adrs-family (aka table) is processed after "ip" for IPv4 related packets, | |
| # & "inet" is processed after "ip6" for IPv6 related network-packets. | |
| # Duplicate rules & ADD IPv4 related rules in "ip" section, & IPv6 into "ip6" section | |
| # When all working perfectly then slowly | |
| # remove/reduce duplicate rules ONE-BY-ONE from here 1st & TEST EACH TIME. | |
| # Tips: if set of IPv4 or IPv6 rules both using same PORTs, then keep it here | |
| # in "inet" as combined. Other (unique) rules usually can go into separate sections. | |
| # when rules have specific IPv4 / IPv6 ADDRESS, | |
| # then its better to place them in respective "ip" or "ip6" tables/sections. | |
| # Accept any localhost traffic: | |
| iif lo accept | |
| # ICMP+ICMPv6 handled 1st, & to rate limit: | |
| ip6 nexthdr icmpv6 icmpv6 type echo-request limit rate 100/second accept | |
| ip6 nexthdr icmpv6 icmpv6 type echo-request counter drop | |
| ip protocol icmp icmp type echo-request limit rate 100/second accept | |
| ip protocol icmp icmp type echo-request counter drop | |
| # No ping floods: | |
| #ip protocol icmp icmp type echo-request limit rate over 10/second burst 4 packets drop | |
| #ip6 nexthdr icmpv6 icmpv6 type echo-request limit rate over 10/second burst 4 packets drop | |
| # ... For DNS NameServer/Authoritative Server, rate limit rules are here ... | |
| # ... For SSH Server, rate limit rules are here ... | |
| # Accept traffic originated from us (established/related) from this server-computer: | |
| ct state { established, related } accept | |
| # Accept these ICMP & ICMPv6: | |
| # (usually for initial server setup or app debug stage, | |
| # when hardening server then remove whats not necessary) | |
| ip6 nexthdr icmpv6 icmpv6 type { destination-unreachable, packet-too-big, time-exceeded, parameter-problem, echo-reply, mld-listener-query, mld-listener-report, mld-listener-reduction, nd-router-solicit, nd-router-advert, nd-neighbor-solicit, nd-neighbor-advert, ind-neighbor-solicit, ind-neighbor-advert, mld2-listener-report } accept | |
| # the "nd-redirect", "router-renumbering" were removed. | |
| # research more on each icmpv6 packets how NDP can be used to abuse. | |
| ip protocol icmp icmp type { destination-unreachable, echo-reply, router-solicitation, router-advertisement, time-exceeded, parameter-problem } accept | |
| # Accept IGMP: | |
| ip protocol igmp accept | |
| # Allow HE(HurricaneElectric) 6in4 IPv6-in-IPv4 GRE/p41 Tunnel: | |
| # ip protocol 41 ip saddr HE.END-POINT.IPv4.ADRS ip daddr SRVR3.IPv4.ADRS accept | |
| # ssh server & fixed clients | |
| #tcp dport 5022 ip saddr { DEB1.PC.IPv4.ADRS, DEB2.PC.IPv4.ADRS, AtErikLoc1.IPv4.ADRS, AtErikLoc2.IPv4.ADRS } ip daddr SRVR3.IPv4.ADRS ct state { new, established, related } accept | |
| #udp dport 5022 ip saddr { DEB1.PC.IPv4.ADRS, DEB2.PC.IPv4.ADRS, AtErikLoc1.IPv4.ADRS, AtErikLoc2.IPv4.ADRS } ip daddr SRVR3.IPv4.ADRS ct state { new, established, related } accept | |
| #tcp dport 5022 ip saddr { DEB1.PC.IPv4.ADRS, DEB2.PC.IPv4.ADRS, AtErikLoc1.IPv4.ADRS, AtErikLoc2.IPv4.ADRS } ip daddr SRVR3.IPv4.ADRS ct state new tcp flags & (syn | ack) == syn counter accept | |
| #tcp dport 5022 ip saddr { DEB1.PC.IPv4.ADRS, DEB2.PC.IPv4.ADRS, AtErikLoc1.IPv4.ADRS, AtErikLoc2.IPv4.ADRS } ip daddr SRVR3.IPv4.ADRS ct state new accept | |
| #tcp dport 5022 ct state new tcp flags & (syn|ack) == syn counter accept | |
| #nft add rule inet filter input tcp dport 22 ct state new tcp flags \& \(syn \| ack\) == syn counter accept | |
| tcp dport 5022 ct state new tcp flags & (syn|ack) == syn counter accept | |
| # ip4_SRVR3 : Used for DNS/named/BIND/53, SSH/5022, email, web, etc services: | |
| tcp dport { 25, 53, 80, 110, 143, 443, 465, 587, 993, 995, 4190 } ip daddr SRVR3.IPv4.ADRS accept | |
| udp dport { 53, 80, 443 } ip daddr SRVR3.IPv4.ADRS accept | |
| # ip6_SRVR3 : Used for DNS/named/BIND/53, SSH/5022, email, web, etc services: | |
| tcp dport { 25, 53, 80, 110, 143, 443, 465, 587, 993, 995, 4190 } ip6 daddr { SRVR3:IPv6:ADRS1, SRVR3:IPv6:ADRS3 } accept | |
| udp dport { 53, 80, 443 } ip6 daddr { SRVR3:IPv6:ADRS1, SRVR3:IPv6:ADRS3 } accept | |
| # ip6_SRVR3 : Used for DNS/unbound/53, web-servers(http/80, https/443), etc: | |
| tcp dport { 53, 80, 443 } ip6 daddr { SRVR3:IPv6:ADRS5 } accept | |
| udp dport { 53, 80, 443 } ip6 daddr { SRVR3:IPv6:ADRS5 } accept | |
| # ip6_SRVR3_MX : Used for EMail-related-services (smtp/25, submission/587, smtps/465, imaps/993 | |
| # pop3s/995, sieve/4190, etc): | |
| tcp dport { 25, 80, 110, 143, 443, 465, 587, 993, 995, 4190 } ip6 daddr { SRVR3:IPv6:ADRS2, SRVR3:IPv6:ADRS4 } accept | |
| udp dport { 80, 443 } ip6 daddr { SRVR3:IPv6:ADRS2, SRVR3:IPv6:ADRS4 } accept | |
| # ... other IPv4 & IPv6 related rules (also add in "ip" & "ip6" section) ... | |
| # count and drop any other traffic | |
| counter drop | |
| } | |
| chain outgoing { | |
| type filter hook output priority 0; | |
| policy accept; | |
| tcp sport 5022 ip daddr { DEB1.PC.IPv4.ADRS, DEB2.PC.IPv4.ADRS, AtErikLoc1.IPv4.ADRS, AtErikLoc2.IPv4.ADRS } ip saddr SRVR3.IPv4.ADRS accept | |
| } | |
| chain forward { | |
| type filter hook forward priority 0; | |
| policy drop; | |
| } | |
| } |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment