On 9/23/23 13:51, Christian wrote:
...
In case of interest, the nft rules that I shared with David previously
are available here [1].
This is a sample nftables ruleset for a laptop or workstation.
It allows established / related packets to come back. These packets are
returned after a connection is initiated from the local machine. e.g.
going to a website, or sending an icmp ping.
It supports local services running on the same machine where the nftables rules
are installed (these are services which are available to the internet):
- DNS server
- SSH server
- WEB server for http and https including http/2 and http/3.
Uncomment to turn on.
It also allows blocking from a list of CIDR addresses. This prevents any
IP from the blocked list from having any access to the above services offered
on the machine.
N.B. Replies from these "blocked" IPs are still permitted to come back
in if they are related/established. e.g. if you go to a website hosted at
a blocked IP everything should work normally.
The reason this works is that these 'blocks' are done in the 'inet'
table. If you wanted to block inbound SYN and in addition block
established/related, then add similar blocks for the ingress hook in the
'netdev' table.
Adding ingress blocks prevents any packets from those IPs from getting
in, regardless of whether they are related/established. It is very early in
the packet flow; see [2] for how packets flow in nftables. The ingress hook
is not available in (legacy) iptables, last I checked.
gene
[1] https://github.com/gene-git/blog/tree/master/nftables
[2] https://wiki.nftables.org/wiki-nftables/index.php/Netfilter_hooks
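As an added illustration of the layout gene describes (this is not the ruleset from [1], and it is not gene's code), the following minimal workstation ruleset places the same CIDR block list in both spots: in the inet input chain after the established/related accept, so replies from blocked hosts still return, and on the netdev ingress hook, which runs before conntrack and therefore drops every packet from those ranges. The uplink name eth0 and the two documentation ranges 198.51.100.0/24 and 203.0.113.0/24 are assumptions; substitute your own.

```nft
#!/usr/sbin/nft -f
# Added example, not the ruleset from [1]. Assumes the uplink is eth0 and
# uses two RFC 5737 documentation ranges as a stand-in block list.

flush ruleset

# 1. Blocks in the inet table. The 'ip saddr @blocked drop' line sits after
#    the ct state accept on purpose: traffic we initiated towards a blocked
#    host is already established and is let back in; only new inbound
#    connections from the blocked ranges to our services are dropped.
table inet filter {
    set blocked {
        type ipv4_addr
        flags interval
        elements = { 198.51.100.0/24, 203.0.113.0/24 }
    }

    chain input {
        type filter hook input priority filter; policy drop;

        iif lo accept
        ct state invalid drop
        ct state established,related accept

        # Ping plus the ICMPv6 messages needed for NDP / path MTU discovery.
        ip protocol icmp accept
        meta l4proto ipv6-icmp accept

        # Block list for new inbound connections.
        ip saddr @blocked drop

        # Local services exposed to the internet; uncomment to turn on.
        # udp dport 53 accept              # DNS
        # tcp dport 53 accept
        # tcp dport 22 accept              # SSH
        # tcp dport { 80, 443 } accept     # HTTP, HTTPS, HTTP/2
        # udp dport 443 accept             # HTTP/3 (QUIC)
    }

    chain forward {
        type filter hook forward priority filter; policy drop;
    }

    chain output {
        type filter hook output priority filter; policy accept;
    }
}

# 2. Blocks in the netdev table on the ingress hook. This runs before
#    conntrack, so no ct state is available here: every packet from the
#    blocked ranges is dropped, including replies to connections we opened.
#    Leave this table out if you only want to refuse new inbound connections.
table netdev blocklist {
    set blocked {
        type ipv4_addr
        flags interval
        elements = { 198.51.100.0/24, 203.0.113.0/24 }
    }

    chain ingress {
        type filter hook ingress device eth0 priority -500; policy accept;
        ip saddr @blocked drop
    }
}
```

Check it without loading anything using `nft -c -f ruleset.nft`, load it with `nft -f ruleset.nft`, and confirm with `nft list ruleset`. With the netdev table present, a connection from the workstation to a host in 198.51.100.0/24 never completes, because the SYN-ACK is discarded at ingress; delete that table (or its set entries) and the same connection works while inbound SYNs from that range are still dropped by the inet rule.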