nnd/ports
1
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity

NFT and netfilter changes

Browse Source 
- Separate hooked chains with explicit defaults and isolated chains
- Use labels for priorities according to
  https://wiki.nftables.org/wiki-nftables/index.php/Netfilter_hooks#Priority_within_hook
- Add minecraft port
- Add admin blackhole for subnet rejection
This commit is contained in:
Alex D. 2024-08-12 06:32:00 +00:00
parent 1c2f0171b7
commit fb30fb2e00
Signed by: caskd
GPG Key ID: F92BA85F61F4C173
6 changed files with 33 additions and 9 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
main/nnd-nft/nft/inet/nnd-base/filter/input/tcp/25565 Normal file
View File

@ -0,0 +1 @@
tcp dport 25565 counter accept;

1
main/nnd-nft/nft/inet/nnd-base/sets/admin4 Normal file
View File

@ -0,0 +1 @@
set admin4 { type ipv4_addr; flags timeout, interval; auto-merge; }

1
main/nnd-nft/nft/inet/nnd-base/sets/admin6 Normal file
View File

@ -0,0 +1 @@
set admin6 { type ipv6_addr; flags timeout, interval; auto-merge; }

1
main/nnd-nft/nft/inet/nnd-base/sets/blackhole4 Normal file
View File

@ -0,0 +1 @@
set blackhole4 { type ipv4_addr; flags dynamic, timeout; }

1
main/nnd-nft/nft/inet/nnd-base/sets/blackhole6 Normal file
View File

@ -0,0 +1 @@
set blackhole6 { type ipv6_addr; flags dynamic, timeout; }

37
main/nnd-nft/nft/inet/nnd-base/table
View File

@ -1,39 +1,58 @@
table inet nnd-base { table inet nnd-base {
include "inet/nnd-base/sets/*";
chain rxfilter { chain rxfilter {
type filter hook input priority 0; type filter hook input priority filter;
policy drop; policy drop;
include "inet/nnd-base/filter/input/*"; jump input;
counter reject with icmpx type admin-prohibited; counter reject with icmpx type admin-prohibited;
} }
chain input {
include "inet/nnd-base/filter/input/*";
}
chain fwfilter { chain fwfilter {
type filter hook forward priority 0; type filter hook forward priority filter;
policy drop; policy drop;
include "inet/nnd-base/filter/forward/*";
jump forward;
counter reject with icmpx type no-route; counter reject with icmpx type no-route;
} }
chain forward {
include "inet/nnd-base/filter/forward/*";
}
chain txfilter { chain txfilter {
type filter hook output priority 0; type filter hook output priority filter;
policy accept; policy accept;
jump output;
}
chain output {
include "inet/nnd-base/filter/output/*"; include "inet/nnd-base/filter/output/*";
} }
chain prenat { chain prenat {
type nat hook prerouting priority -100; type nat hook prerouting priority dstnat;
policy accept; policy accept;
include "inet/nnd-base/nat/prerouting/*"; include "inet/nnd-base/nat/prerouting/*";
} }
chain rxnat { chain rxnat {
type nat hook input priority 100; type nat hook input priority filter;
policy accept; policy accept;
include "inet/nnd-base/nat/input/*"; include "inet/nnd-base/nat/input/*";
} }
chain txnat { chain txnat {
type nat hook output priority -100; type nat hook output priority filter;
policy accept; policy accept;
include "inet/nnd-base/nat/output/*"; include "inet/nnd-base/nat/output/*";
} }
chain postnat { chain postnat {
type nat hook postrouting priority 100; type nat hook postrouting priority srcnat;
policy accept; policy accept;
include "inet/nnd-base/nat/postrouting/*"; include "inet/nnd-base/nat/postrouting/*";
} }