Do you accept file attachments?
On Sat, Sep 7, 2019 at 9:52 AM, Thomas <tad1073@xxxxxxxxx> wrote:
I need some help simplifying my nft ruleset, I put it inline and my
email rejected, I attached it and it was rejected again.
#!/usr/bin/nft -f
###### Defines ######
define mynic = removed for security purposes
define myvln = removed for security purposes
define routerv4 = removed for security purposes
define rllgav6 = removed for security purposes
define rgga = removed for security purposes
define delpre = removed for security purposes
define lo4 = 127.0.0.1
define lo6 = ::1
define blov4 = 127.0.0.0/8
define blov6 = ::/8
define myIPv4 = removed for security purposes
define myIPv6 = removed for security purposes
define vlanv4 = removed for security purposes
define vlan6 = removed for security purposes
define my4net = removed for security purposes
define my6net = removed for security purposes
define block = {
104.16.0.0/12,
199.182.216.0/22,
23.64.0.0/14,
23.32.0.0/11,
138.198.0.0/15,
138.200.0.0/15,
81.22.45.0/24,
193.29.13.0/24,
178.132.200.0/22,
162.243.0.0/16,
37.189.0.0/17,
64.30.224.0/20
}
define stupid_tv = removed for security purposes
# define g4dns = {8.8.8.8, 8.8.4.4}
define g6dns = {2001:4860:4860::8888, 2001:4860:4860::8844}
define ssh = removed for security purposes
define mysql = removed for security purposes
define squid = removed for security purposes
define wbmn = removed for security purposes
define httpS = removed for security purposes
define imapS = removed for security purposes
define Tsmb = removed for security purposes # Samba over TCP{ (T)CPsmb) }
define Usmb = removed for security purposes # Samba over UDP { (U)DPsmb) }
###### Defines ######
# include "/etc/nftable.d/defines.nft"
# include "/etc/nftable.d/chainForward.nft"
# include "/etc/nftable.d/chainOutput.nft"
# nft flush ruleset
table inet filter {
chain input {
type filter hook input priority 0;
ip6 saddr $myIPv6 ct state established counter accept
ip saddr $myIPv4 ct state established counter accept
ip6 saddr $lo6 ct state established counter accept
ip saddr $lo4 ct state established counter accept
iif "lo" ct state established counter accept
iif "lo" ip6 saddr $lo6 ct state established counter accept
iif "lo" ip saddr $lo4 ct state established counter accept
iif != "lo" ip6 saddr $blov6 counter drop
iif != "lo" ip saddr $blov4 counter drop
fib daddr type broadcast ct state invalid,new,untracked counter reject
fib daddr type multicast ct state invalid,new,untracked counter reject
fib daddr type anycast ct state invalid,new,untracked counter reject
tcp flags & rst == rst ct state invalid,new,untracked counter drop
icmp type echo-request ct state invalid,new,untracked counter reject
icmp type address-mask-request ct state invalid,new,untracked counter reject
icmp type timestamp-request ct state invalid,new counter reject
ct state new tcp dport 113 tcp flags & (fin | syn | rst | ack) == syn counter drop
ip6 saddr $my6net ip6 daddr $myIPv6 ct state established counter accept
ip6 daddr $my6net ip6 saddr $myIPv6 ct state established counter accept
ip saddr $my4net ip daddr $myIPv4 ct state established counter accept
ip daddr $my4net ip saddr $myIPv4 ct state established counter accept
ip6 saddr $my6net ct state established counter accept
ip saddr $my4net ct state related,established counter accept
ip6 saddr { $lo6, $myIPv6 } tcp dport $mysql ct state established counter accept
ip6 saddr { $lo6, $myIPv6 } udp dport $mysql ct state established counter accept
ip saddr { $lo4, $myIPv4 } tcp dport $mysql ct state established counter accept
ip saddr { $lo4, $myIPv4 } udp dport $mysql ct state established counter accept
tcp dport $mysql ct state new,invalid counter drop
udp dport $mysql ct state new,invalid counter drop
tcp dport $mysql counter drop
udp dport $mysql counter drop
ip6 saddr { $lo6, $myIPv6 } tcp dport 631 ct state established counter accept
ip6 saddr { $lo6, $myIPv6 } udp dport 631 ct state established counter accept
ip saddr { $lo4, $myIPv4 } tcp dport 631 ct state established counter accept
ip saddr { $lo4, $myIPv4 } tcp dport 631 ct state established counter accept
tcp dport 631 ct state new,invalid counter drop
udp dport 631 ct state new,invalid counter drop
tcp dport 631 counter drop
udp dport 631 counter drop
ip6 saddr $g6dns ip6 daddr $myIPv6 udp dport 5353 ct state established counter accept
ip6 saddr $g6dns ip6 daddr $myIPv6 tcp dport 5353 ct state established counter accept
tcp dport $imapS ip6 daddr != $g6dns drop
udp dport $imapS ip6 daddr != $g6dns drop
tcp dport 5353 ct state invalid,new,untracked counter drop
udp dport 5353 ct state invalid,new,untracked counter drop
tcp dport 5353 counter drop
udp dport 5353 counter drop
ip saddr {8.8.8.8, 8.8.4.4} ip daddr $myIPv4 udp dport 53 ct state established counter accept
ip saddr {8.8.8.8, 8.8.4.4} ip daddr $myIPv4 tcp dport 53 ct state established counter accept
tcp dport $imapS ip daddr != {8.8.8.8, 8.8.4.4} log prefix "SPAMALERT!" drop
udp dport $imapS ip daddr != {8.8.8.8, 8.8.4.4} log prefix "SPAMALERT!" drop
tcp dport 53 ct state invalid,new,untracked counter drop
udp dport 53 ct state invalid,new,untracked counter drop
tcp dport 53 counter drop
udp dport 53 counter drop
ip6 daddr $myIPv6 tcp dport $squid ct state established counter accept
ip6 daddr $myIPv6 udp dport $squid ct state established counter accept
ip daddr $myIPv4 tcp dport $squid ct state established counter accept
ip daddr $myIPv4 udp dport $squid ct state established counter accept
tcp dport $squid ct state invalid,new,untracked counter drop
udp dport $squid ct state invalid,new,untracked counter drop
tcp dport $squid counter drop
udp dport $squid counter drop
ip6 daddr $myIPv6 tcp dport $httpS ct state established counter accept
ip6 daddr $myIPv6 udp dport $httpS ct state established counter accept
ip daddr $myIPv4 tcp dport $httpS ct state established counter accept
ip daddr $myIPv4 udp dport $httpS ct state established counter accept
tcp dport $httpS ct state invalid,new,untracked counter drop
udp dport $httpS ct state invalid,new,untracked counter drop
tcp dport $httpS counter drop
udp dport $httpS counter drop
ip6 saddr $my6net tcp dport $Usmb ct state established counter accept
ip6 saddr $my6net udp dport $Usmb ct state established counter accept
ip saddr $my4net ip daddr $myIPv4 tcp dport $Tsmb ct state established counter accept
ip saddr $my4net ip daddr $myIPv4 udp dport $Usmb ct state established counter accept
tcp dport $Tsmb ct state invalid,new,untracked counter drop
udp dport $Usmb ct state invalid,new,untracked counter drop
tcp dport $Tsmb counter drop
udp dport $Usmb counter drop
ip6 saddr $my6net ip6 daddr $myIPv6 tcp dport $ssh ct state established counter accept
ip6 saddr $my6net ip6 daddr $myIPv6 udp dport $ssh ct state established counter accept
ip6 saddr $myIPv6 tcp dport $ssh ct state established counter accept
ip6 saddr $myIPv6 udp dport $ssh ct state established counter accept
ip saddr $my4net ip daddr $myIPv4 tcp dport $ssh ct state established counter accept
ip saddr $my4net ip daddr $myIPv4 udp dport $ssh ct state established counter accept
ip saddr $myIPv4 tcp dport $ssh ct state established counter accept
ip saddr $myIPv4 udp dport $ssh ct state established counter accept
tcp dport $ssh ct state invalid,new,untracked counter drop
tcp dport $ssh ct state invalid,new,untracked counter drop
tcp dport $ssh counter drop
tcp dport $ssh counter drop
ip6 daddr $lo6 tcp dport $wbmn ip6 saddr $lo6 ct state established counter accept
ip6 daddr $lo6 udp dport $wbmn ip6 saddr $lo6 ct state established counter accept
ip6 daddr $myIPv6 tcp dport $wbmn ip6 daddr $myIPv6 ct state established counter accept
ip6 daddr $myIPv6 udp dport $wbmn ip6 daddr $myIPv6 ct state established counter accept
ip daddr $lo4 tcp dport $wbmn ip saddr $lo4 ct state established counter accept
ip daddr $lo4 udp dport $wbmn ip saddr $lo4 ct state established counter accept
ip daddr $myIPv4 tcp dport $wbmn ip saddr $myIPv4 ct state established counter accept
ip daddr $myIPv4 udp dport $wbmn ip saddr $myIPv4 ct state established counter accept
tcp dport $wbmn ct state invalid,new,untracked counter drop
udp dport $wbmn ct state invalid,new,untracked counter drop
tcp dport $wbmn counter drop
udp dport $wbmn counter drop
ct state established counter accept
ct state invalid,new,untracked counter drop
counter drop
}
chain forward {
type filter hook forward priority 0;
ct state new tcp flags & (fin | syn | rst | ack) != syn counter drop
ct state invalid,new,untracked counter drop
}
chain output {
type filter hook output priority 0;
ip6 saddr $myIPv6 ct state established counter accept
ip saddr $myIPv4 ct state established counter accept
ip6 saddr $myIPv6 counter accept
ip saddr $myIPv4 counter accept
oif "lo" ip6 saddr $lo6 ct state established counter accept
oif "lo" ip6 saddr $lo6 counter accept
oif "lo" ip saddr $lo4 ct state established counter accept
oif "lo" ip saddr $lo4 counter accept
oif "lo" counter ct state established counter accept
oif "lo" counter accept
ip6 saddr $lo6 ct state established counter accept
ip6 saddr $lo6 counter accept
ip saddr $lo4 ct state established counter accept
ip saddr $lo4 counter accept
ip6 saddr $g6dns ip6 daddr $myIPv6 udp dport 5353 ct state established counter accept
ip6 saddr $g6dns ip6 daddr $myIPv6 tcp dport 5353 ct state established counter accept
ip6 saddr $g6dns ip6 daddr $myIPv6 udp dport 5353 counter accept
ip6 saddr $g6dns ip6 daddr $myIPv6 tcp dport 5353 counter accept
ip saddr {8.8.8.8, 8.8.4.4} ip daddr $myIPv4 udp dport 53 ct state established counter accept
ip saddr {8.8.8.8, 8.8.4.4} ip daddr $myIPv4 tcp dport 53 ct state established counter accept
ip saddr {8.8.8.8, 8.8.4.4} ip daddr $myIPv4 udp dport 53 counter accept
ip saddr {8.8.8.8, 8.8.4.4} ip daddr $myIPv4 tcp dport 53 counter accept
ip6 daddr { $lo6, $myIPv6 } tcp sport $mysql ct state established counter accept
ip6 daddr { $lo6, $myIPv6 } udp sport $mysql ct state established counter accept
ip daddr { $myIPv4, $lo4 } tcp sport $mysql ct state established counter accept
ip daddr { $myIPv4, $lo4 } udp sport $mysql ct state established counter accept
tcp dport $mysql ct state invalid,new,related,untracked counter drop
udp dport $mysql ct state invalid,new,related,untracked counter drop
tcp dport $mysql counter drop
udp dport $mysql counter drop
tcp dport $squid ct state established counter accept
udp dport $squid ct state established counter accept
tcp dport $squid ct state invalid,untracked counter drop
udp dport $squid ct state invalid,untracked counter drop
tcp dport $squid counter drop
udp dport $squid counter drop
ip6 saddr $myIPv6 tcp dport $httpS ct state established counter accept
ip6 saddr $myIPv6 udp dport $httpS ct state established counter accept
tcp dport $httpS ct state established counter accept
udp dport $httpS ct state established counter accept
ip6 daddr $my6net udp dport $Usmb ct state established counter accept
ip6 daddr $my6net tcp dport $Tsmb ct state established counter accept
ip saddr $myIPv4 ip daddr $my4net tcp dport $Tsmb ct state established counter accept
ip saddr $myIPv4 ip daddr $my4net udp dport $Usmb ct state established counter accept
tcp dport $Tsmb ct state established counter accept
udp dport $Usmb ct state established counter accept
tcp dport $ssh ct state established counter accept
udp dport $ssh ct state established counter accept
ip6 saddr { $myIPv6, $lo6 } tcp dport $wbmn ct state established counter accept
ip6 saddr { $myIPv6, $lo6 } udp dport $wbmn ct state established counter accept
ip saddr { $myIPv4, $lo4 } tcp dport $wbmn ct state established counter accept
ip saddr { $myIPv4, $lo4 } udp dport $wbmn ct state established counter accept
tcp dport $wbmn ct state invalid,new,untracked counter drop
tcp dport $wbmn ct state invalid,new,untracked counter drop
tcp dport $wbmn counter drop
tcp dport $wbmn counter drop
ct state invalid,new,untracked counter drop
counter drop
}
}
