From 1b92a4ba610b1621d52057589468c4c55ec0c0ea Mon Sep 17 00:00:00 2001
From: Kenny Ballou
Date: Wed, 25 Jan 2023 16:41:59 -0700
Subject: nft: remove counters
The counter module is not being built by default. Ideally, this commit will be short-lived with a custom kernel config which compiles in the counter "device".
Signed-off-by: Kenny Ballou
---
 systems/bard/nftables-rules.nft | 84 +++++++++++++--------
 systems/daeva/nftables-rules.nft | 117 ++++++++++++++++++-------------
 systems/koi/nftables-rules.nft | 121 +++++++++++++++++++--------------
 systems/owl/nftables-rules.nft | 105 +++++++++++++++++----------
 4 files changed, 208 insertions(+), 219 deletions(-)
(limited to 'systems')
diff --git a/systems/bard/nftables-rules.nft b/systems/bard/nftables-rules.nft
index 46c2ae2a..0cc44d9d 100644
--- a/systems/bard/nftables-rules.nft
+++ b/systems/bard/nftables-rules.nft
@@ -1,56 +1,54 @@
 table inet filter {
 chain input {
 type filter hook input priority 0; policy drop;
- ct state invalid counter drop comment "drop invalid packets"
- ct state established,related counter accept comment "accept related connections"
- iif lo counter accept
- iif != lo ip daddr 127.0.0.1/8 counter drop
- iif != lo ip6 daddr ::1/128 counter drop
- ip protocol icmp counter accept
- ip6 nexthdr ipv6-icmp counter accept
- udp dport domain ip saddr 172.16.0.0/12 counter accept
- tcp dport ssh counter accept
- tcp dport 3000 ip saddr 127.0.0.1/8 counter accept
- tcp dport 8000 ip saddr 127.0.0.1/8 counter accept
- tcp dport 8080 ip saddr { 127.0.0.1/8, 10.0.0.0/8 } counter accept
- tcp dport http-alt ip saddr { 127.0.0.1/8, 10.0.0.0/8 } counter accept
- counter
+ ct state invalid drop comment "drop invalid packets"
+ ct state established,related accept comment "accept related connections"
+ iif lo accept
+ iif != lo ip daddr 127.0.0.1/8 drop
+ iif != lo ip6 daddr ::1/128 drop
+ ip protocol icmp accept
+ ip6 nexthdr ipv6-icmp accept
+ udp dport domain ip saddr 172.16.0.0/12 accept
+ tcp dport ssh accept
+ tcp dport 3000 ip saddr 127.0.0.1/8 accept
+ tcp dport 8000 ip saddr 127.0.0.1/8 accept
+ tcp dport 8080 ip saddr { 127.0.0.1/8, 10.0.0.0/8 } accept
+ tcp dport http-alt ip saddr { 127.0.0.1/8, 10.0.0.0/8 } accept
+ }
 chain forward {
 type filter hook forward priority 0; policy drop;
- ct state established,related counter accept
- counter
+ ct state established,related accept
 }
 chain output {
 type filter hook output priority 0; policy drop;
- ct state established,related counter accept
- icmp type echo-request counter accept
- icmp type echo-reply counter accept
- ip daddr 127.0.0.0/8 counter accept
- ip6 daddr ::1 counter accept
- udp dport domain counter accept
- tcp dport 853 counter accept comment "DNS over TLS"
- udp dport 853 counter accept comment "DNS over TLS"
- tcp dport http counter accept
- tcp dport https counter accept
- udp dport https counter accept
- tcp dport ssh counter accept
- tcp dport bootps counter accept
- udp dport bootps counter accept
- tcp dport ntp counter accept
- udp dport ntp counter accept
- tcp dport nntps counter accept
- udp dport nntps counter accept
- tcp dport rsync counter accept
- udp dport rsync counter accept
- tcp dport 8000 counter accept
- tcp dport http-alt counter accept
- tcp dport 2049 ip daddr 10.0.0.0/8 counter accept comment "NFS"
- udp dport 2049 ip daddr 10.0.0.0/8 counter accept comment "NFS"
- tcp dport 20048 ip daddr 10.0.0.0/8 counter accept comment "NFS"
- udp dport 20048 ip daddr 10.0.0.0/8 counter accept comment "NFS"
- counter
+ ct state established,related accept
+ icmp type echo-request accept
+ icmp type echo-reply accept
+ ip daddr 127.0.0.0/8 accept
+ ip6 daddr ::1 accept
+ udp dport domain accept
+ tcp dport 853 accept comment "DNS over TLS"
+ udp dport 853 accept comment "DNS over TLS"
+ tcp dport http accept
+ tcp dport https accept
+ udp dport https accept
+ tcp dport ssh accept
+ tcp dport bootps accept
+ udp dport bootps accept
+ tcp dport ntp accept
+ udp dport ntp accept
+ tcp dport nntps accept
+ udp dport nntps accept
+ tcp dport rsync accept
+ udp dport rsync accept
+ tcp dport 8000 accept
+ tcp dport http-alt accept
+ tcp dport 2049 ip daddr 10.0.0.0/8 accept comment "NFS"
+ udp dport 2049 ip daddr 10.0.0.0/8 accept comment "NFS"
+ tcp dport 20048 ip daddr 10.0.0.0/8 accept comment "NFS"
+ udp dport 20048 ip daddr 10.0.0.0/8 accept comment "NFS"
 }
 }
diff --git a/systems/daeva/nftables-rules.nft b/systems/daeva/nftables-rules.nft
index 35479d56..b5e20c26 100644
--- a/systems/daeva/nftables-rules.nft
+++ b/systems/daeva/nftables-rules.nft
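Review bot: Dropping the bare `counter` that closed the input, forward and output chains (the last removed line before each chain's `}` here, and the same in the daeva, koi and owl hunks) leaves these `policy drop` chains with no record at all of what falls through to the policy, so a rule that is scoped too tightly will now fail silently instead of showing up as a rising count. If the kernel that lacks nft_counter still has nft_log and nft_limit, a final `limit rate 5/minute log prefix "nft-drop: "` in each chain would keep that visibility without the counter module; if it does not, the file itself should say why the counters are gone, e.g. a top-of-file `# counters removed: nft_counter is not built into the kernel; restore once the custom kernel config lands (commit 1b92a4ba)`. Separately, this hunk shows the `}` closing the input chain as an added line with no removed counterpart, while the other three hunks show that brace as context, so the old bard file may have been missing it — worth confirming the patch applies and the result loads cleanly.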
@@ -1,73 +1,70 @@
 table inet filter {
 chain input {
 type filter hook input priority 0; policy drop;
- ct state invalid counter drop comment "drop invalid packets"
- ct state established,related counter accept comment "accept related connections"
- iif lo counter accept
- iif != lo ip daddr 127.0.0.1/8 counter drop
- iif != lo ip6 daddr ::1/128 counter drop
- ip protocol icmp counter accept
- ip6 nexthdr ipv6-icmp counter accept
- udp dport domain ip saddr 172.16.0.0/12 counter accept
- tcp dport 3000 ip saddr 127.0.0.1/8 counter accept
- tcp dport 8000 ip saddr 127.0.0.1/8 counter accept
- tcp dport 8080 ip saddr { 127.0.0.1/8, 10.0.0.0/8 } counter accept
- tcp dport 1714-1764 ip saddr 10.0.0.0/8 counter accept comment "KDEConnect"
- udp dport 1714-1764 ip saddr 10.0.0.0/8 counter accept comment "KDEConnect"
- tcp dport http-alt ip saddr { 127.0.0.1/8, 10.0.0.0/8 } counter accept
- counter
+ ct state invalid drop comment "drop invalid packets"
+ ct state established,related accept comment "accept related connections"
+ iif lo accept
+ iif != lo ip daddr 127.0.0.1/8 drop
+ iif != lo ip6 daddr ::1/128 drop
+ ip protocol icmp accept
+ ip6 nexthdr ipv6-icmp accept
+ udp dport domain ip saddr 172.16.0.0/12 accept
+ tcp dport 3000 ip saddr 127.0.0.1/8 accept
+ tcp dport 8000 ip saddr 127.0.0.1/8 accept
+ tcp dport 8080 ip saddr { 127.0.0.1/8, 10.0.0.0/8 } accept
+ tcp dport 1714-1764 ip saddr 10.0.0.0/8 accept comment "KDEConnect"
+ udp dport 1714-1764 ip saddr 10.0.0.0/8 accept comment "KDEConnect"
+ tcp dport http-alt ip saddr { 127.0.0.1/8, 10.0.0.0/8 } accept
 }
 chain forward {
 type filter hook forward priority 0; policy drop;
- ct state established,related counter accept
- counter
+ ct state established,related accept
 }
 chain output {
 type filter hook output priority 0; policy drop;
- ct state established,related counter accept
- icmp type echo-request counter accept
- icmp type echo-reply counter accept
- ip daddr 127.0.0.0/8 counter accept
- ip6 daddr ::1 counter accept
- udp dport domain counter accept
- tcp dport 853 counter accept comment "DNS over TLS"
- udp dport 853 counter accept comment "DNS over TLS"
- tcp dport http counter accept
- tcp dport https counter accept
- udp dport https counter accept
- tcp dport ssh counter accept
- tcp dport bootps counter accept
- udp dport bootps counter accept
- tcp dport ntp counter accept
- udp dport ntp counter accept
- tcp dport nntps counter accept
- udp dport nntps counter accept
- tcp dport submission counter accept
- tcp dport imaps counter accept
- tcp dport 2222 counter accept
- tcp dport hkp counter accept
- udp dport hkp counter accept
- tcp dport 9100 counter accept
- tcp dport git counter accept
- udp dport git counter accept
- tcp dport rsync counter accept
- udp dport rsync counter accept
- tcp dport 8000 counter accept
- tcp dport http-alt counter accept
- udp dport openvpn counter accept
- tcp dport postgresql ip daddr { 127.0.0.1/8, 10.0.0.0/8 } counter accept
- tcp dport 5222 counter accept comment "XMPP"
- tcp dport 6697 counter accept comment "IRC"
- tcp dport 2049 ip daddr 10.0.0.0/8 counter accept comment "NFS"
- udp dport 2049 ip daddr 10.0.0.0/8 counter accept comment "NFS"
- tcp dport 20048 ip daddr 10.0.0.0/8 counter accept comment "NFS"
- udp dport 20048 ip daddr 10.0.0.0/8 counter accept comment "NFS"
- udp dport 19302-19309 counter accept comment "Google Meet Ports"
- tcp dport 1714-1764 counter accept comment "KDEConnect"
- udp dport 1714-1764 counter accept comment "KDEConnect"
- udp dport 51820 counter accept comment "WireGuard"
- counter
+ ct state established,related accept
+ icmp type echo-request accept
+ icmp type echo-reply accept
+ ip daddr 127.0.0.0/8 accept
+ ip6 daddr ::1 accept
+ udp dport domain accept
+ tcp dport 853 accept comment "DNS over TLS"
+ udp dport 853 accept comment "DNS over TLS"
+ tcp dport http accept
+ tcp dport https accept
+ udp dport https accept
+ tcp dport ssh accept
+ tcp dport bootps accept
+ udp dport bootps accept
+ tcp dport ntp accept
+ udp dport ntp accept
+ tcp dport nntps accept
+ udp dport nntps accept
+ tcp dport submission accept
+ tcp dport imaps accept
+ tcp dport 2222 accept
+ tcp dport hkp accept
+ udp dport hkp accept
+ tcp dport 9100 accept
+ tcp dport git accept
+ udp dport git accept
+ tcp dport rsync accept
+ udp dport rsync accept
+ tcp dport 8000 accept
+ tcp dport http-alt accept
+ udp dport openvpn accept
+ tcp dport postgresql ip daddr { 127.0.0.1/8, 10.0.0.0/8 } accept
+ tcp dport 5222 accept comment "XMPP"
+ tcp dport 6697 accept comment "IRC"
+ tcp dport 2049 ip daddr 10.0.0.0/8 accept comment "NFS"
+ udp dport 2049 ip daddr 10.0.0.0/8 accept comment "NFS"
+ tcp dport 20048 ip daddr 10.0.0.0/8 accept comment "NFS"
+ udp dport 20048 ip daddr 10.0.0.0/8 accept comment "NFS"
+ udp dport 19302-19309 accept comment "Google Meet Ports"
+ tcp dport 1714-1764 accept comment "KDEConnect"
+ udp dport 1714-1764 accept comment "KDEConnect"
+ udp dport 51820 accept comment "WireGuard"
 }
 }
diff --git a/systems/koi/nftables-rules.nft b/systems/koi/nftables-rules.nft
index 2e68f351..83458e42 100644
--- a/systems/koi/nftables-rules.nft
+++ b/systems/koi/nftables-rules.nft
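Review bot: The output chain's `tcp dport 2222 accept` and `tcp dport 9100 accept` are the only numeric-port rules in this file carried over without a `comment`, while 5222, 6697, 2049, 19302-19309 and 51820 each say what they are; 9100 reads as either a printer port or a metrics exporter and 2222 as an alternate SSH port, so a reader auditing the egress allow-list cannot tell which service the policy is meant to let out. Adding `comment "<service>"` to both lines, as the neighbouring rules do, would make the allow-list reviewable; the same two uncommented lines appear in the koi and owl hunks.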
@@ -1,75 +1,72 @@
 table inet filter {
 chain input {
 type filter hook input priority 0; policy drop;
- ct state invalid counter drop comment "drop invalid packets"
- ct state established,related counter accept comment "accept related connections"
- iif lo counter accept
- iif != lo ip daddr 127.0.0.1/8 counter drop
- iif != lo ip6 daddr ::1/128 counter drop
- ip protocol icmp counter accept
- ip6 nexthdr ipv6-icmp counter accept
- udp dport domain ip saddr 172.16.0.0/12 counter accept
- tcp dport ssh ip saddr { 127.0.0.1/8, 10.0.0.0/8 } counter accept
- tcp dport 3000 ip saddr 127.0.0.1/8 counter accept
- tcp dport 8000 ip saddr 127.0.0.1/8 counter accept
- tcp dport 8080 ip saddr { 127.0.0.1/8, 10.0.0.0/8 } counter accept
- tcp dport 1714-1764 ip saddr 10.0.0.0/8 counter accept comment "KDEConnect"
- udp dport 1714-1764 ip saddr 10.0.0.0/8 counter accept comment "KDEConnect"
- tcp dport http-alt ip saddr { 127.0.0.1/8, 10.0.0.0/8 } counter accept
- counter
+ ct state invalid drop comment "drop invalid packets"
+ ct state established,related accept comment "accept related connections"
+ iif lo accept
+ iif != lo ip daddr 127.0.0.1/8 drop
+ iif != lo ip6 daddr ::1/128 drop
+ ip protocol icmp accept
+ ip6 nexthdr ipv6-icmp accept
+ udp dport domain ip saddr 172.16.0.0/12 accept
+ tcp dport ssh ip saddr { 127.0.0.1/8, 10.0.0.0/8 } accept
+ tcp dport 3000 ip saddr 127.0.0.1/8 accept
+ tcp dport 8000 ip saddr 127.0.0.1/8 accept
+ tcp dport 8080 ip saddr { 127.0.0.1/8, 10.0.0.0/8 } accept
+ tcp dport 1714-1764 ip saddr 10.0.0.0/8 accept comment "KDEConnect"
+ udp dport 1714-1764 ip saddr 10.0.0.0/8 accept comment "KDEConnect"
+ tcp dport http-alt ip saddr { 127.0.0.1/8, 10.0.0.0/8 } accept
 }
 chain forward {
 type filter hook forward priority 0; policy drop;
- ct state established,related counter accept
- counter
+ ct state established,related accept
 }
 chain output {
 type filter hook output priority 0; policy drop;
- ct state established,related counter accept
- icmp type echo-request counter accept
- icmp type echo-reply counter accept
- ip daddr 127.0.0.0/8 counter accept
- ip6 daddr ::1 counter accept
- udp dport domain counter accept
- tcp dport 853 counter accept comment "DNS over TLS"
- udp dport 853 counter accept comment "DNS over TLS"
- tcp dport http counter accept
- tcp dport https counter accept
- udp dport https counter accept
- tcp dport ssh counter accept
- tcp dport bootps counter accept
- udp dport bootps counter accept
- tcp dport ntp counter accept
- udp dport ntp counter accept
- tcp dport nntps counter accept
- udp dport nntps counter accept
- tcp dport submission counter accept
- tcp dport imaps counter accept
- tcp dport 2222 counter accept
- tcp dport hkp counter accept
- udp dport hkp counter accept
- tcp dport 9100 counter accept
- tcp dport git counter accept
- udp dport git counter accept
- tcp dport rsync counter accept
- udp dport rsync counter accept
- tcp dport 8000 counter accept
- tcp dport http-alt counter accept
- udp dport openvpn counter accept
- tcp dport postgresql ip daddr { 127.0.0.1/8, 10.0.0.0/8 } counter accept
- tcp dport 5222 counter accept comment "XMPP"
- tcp dport 6697 counter accept comment "IRC"
- tcp dport 2049 ip daddr 10.0.0.0/8 counter accept comment "NFS"
- udp dport 2049 ip daddr 10.0.0.0/8 counter accept comment "NFS"
- tcp dport 20048 ip daddr 10.0.0.0/8 counter accept comment "NFS"
- udp dport 20048 ip daddr 10.0.0.0/8 counter accept comment "NFS"
- udp dport 19302-19309 counter accept comment "Google Meet Ports"
- tcp dport 1714-1764 counter accept comment "KDEConnect"
- udp dport 1714-1764 counter accept comment "KDEConnect"
- udp dport 51820 counter accept comment "WireGuard"
- tcp dport 9876 counter accept comment "yggdrasil"
- counter
+ ct state established,related accept
+ icmp type echo-request accept
+ icmp type echo-reply accept
+ ip daddr 127.0.0.0/8 accept
+ ip6 daddr ::1 accept
+ udp dport domain accept
+ tcp dport 853 accept comment "DNS over TLS"
+ udp dport 853 accept comment "DNS over TLS"
+ tcp dport http accept
+ tcp dport https accept
+ udp dport https accept
+ tcp dport ssh accept
+ tcp dport bootps accept
+ udp dport bootps accept
+ tcp dport ntp accept
+ udp dport ntp accept
+ tcp dport nntps accept
+ udp dport nntps accept
+ tcp dport submission accept
+ tcp dport imaps accept
+ tcp dport 2222 accept
+ tcp dport hkp accept
+ udp dport hkp accept
+ tcp dport 9100 accept
+ tcp dport git accept
+ udp dport git accept
+ tcp dport rsync accept
+ udp dport rsync accept
+ tcp dport 8000 accept
+ tcp dport http-alt accept
+ udp dport openvpn accept
+ tcp dport postgresql ip daddr { 127.0.0.1/8, 10.0.0.0/8 } accept
+ tcp dport 5222 accept comment "XMPP"
+ tcp dport 6697 accept comment "IRC"
+ tcp dport 2049 ip daddr 10.0.0.0/8 accept comment "NFS"
+ udp dport 2049 ip daddr 10.0.0.0/8 accept comment "NFS"
+ tcp dport 20048 ip daddr 10.0.0.0/8 accept comment "NFS"
+ udp dport 20048 ip daddr 10.0.0.0/8 accept comment "NFS"
+ udp dport 19302-19309 accept comment "Google Meet Ports"
+ tcp dport 1714-1764 accept comment "KDEConnect"
+ udp dport 1714-1764 accept comment "KDEConnect"
+ udp dport 51820 accept comment "WireGuard"
+ tcp dport 9876 accept comment "yggdrasil"
 }
 }
diff --git a/systems/owl/nftables-rules.nft b/systems/owl/nftables-rules.nft
index 3e83e2bf..e11047a9 100644
--- a/systems/owl/nftables-rules.nft
+++ b/systems/owl/nftables-rules.nft
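Review bot: In the input chain the `ip saddr 127.0.0.1/8` matches on the ssh, 3000, 8000, 8080 and http-alt rules can only fire for packets arriving on a non-loopback interface with a loopback source, because `iif lo accept` above them already accepts everything on lo — so for genuine local clients they do nothing, and the only traffic they would admit is the spoofed kind that the neighbouring `iif != lo ip daddr 127.0.0.1/8 drop` rule guards against on the destination side. The kernel's martian-source handling normally discards such packets before the input hook sees them, so this is belt-and-braces rather than an open hole, but the intent would be clearer with a matching source-side guard next to the existing one, `iif != lo ip saddr 127.0.0.0/8 drop`, after which the `127.0.0.1/8` element in those sets is redundant and can go. The same pattern is in the bard, daeva and owl input chains.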
@@ -1,67 +1,64 @@
 table inet filter {
 chain input {
 type filter hook input priority 0; policy drop;
- ct state invalid counter drop comment "drop invalid packets"
- ct state established,related counter accept comment "accept related connections"
- iif lo counter accept
- iif != lo ip daddr 127.0.0.1/8 counter drop
- iif != lo ip6 daddr ::1/128 counter drop
- ip protocol icmp counter accept
- ip6 nexthdr ipv6-icmp counter accept
- udp dport domain ip saddr 172.16.0.0/12 counter accept
- tcp dport ssh counter accept
- tcp dport 3000 ip saddr 127.0.0.1/8 counter accept
- tcp dport 8000 ip saddr 127.0.0.1/8 counter accept
- tcp dport 8080 ip saddr { 127.0.0.1/8, 10.0.0.0/8 } counter accept
- tcp dport http-alt ip saddr { 127.0.0.1/8, 10.0.0.0/8 } counter accept
- counter
+ ct state invalid drop comment "drop invalid packets"
+ ct state established,related accept comment "accept related connections"
+ iif lo accept
+ iif != lo ip daddr 127.0.0.1/8 drop
+ iif != lo ip6 daddr ::1/128 drop
+ ip protocol icmp accept
+ ip6 nexthdr ipv6-icmp accept
+ udp dport domain ip saddr 172.16.0.0/12 accept
+ tcp dport ssh accept
+ tcp dport 3000 ip saddr 127.0.0.1/8 accept
+ tcp dport 8000 ip saddr 127.0.0.1/8 accept
+ tcp dport 8080 ip saddr { 127.0.0.1/8, 10.0.0.0/8 } accept
+ tcp dport http-alt ip saddr { 127.0.0.1/8, 10.0.0.0/8 } accept
 }
 chain forward {
 type filter hook forward priority 0; policy drop;
- ct state established,related counter accept
- counter
+ ct state established,related accept
 }
 chain output {
 type filter hook output priority 0; policy drop;
- ct state established,related counter accept
- icmp type echo-request counter accept
- icmp type echo-reply counter accept
- ip daddr 127.0.0.0/8 counter accept
- ip6 daddr ::1 counter accept
- udp dport domain counter accept
- tcp dport 853 counter accept comment "DNS over TLS"
- udp dport 853 counter accept comment "DNS over TLS"
- tcp dport http counter accept
- tcp dport https counter accept
- udp dport https counter accept
- tcp dport ssh counter accept
- tcp dport bootps counter accept
- udp dport bootps counter accept
- tcp dport ntp counter accept
- udp dport ntp counter accept
- tcp dport nntps counter accept
- udp dport nntps counter accept
- tcp dport submission counter accept
- tcp dport imaps counter accept
- tcp dport 2222 counter accept
- tcp dport hkp counter accept
- udp dport hkp counter accept
- tcp dport 9100 counter accept
- tcp dport git counter accept
- udp dport git counter accept
- tcp dport rsync counter accept
- udp dport rsync counter accept
- tcp dport 8000 counter accept
- tcp dport http-alt counter accept
- udp dport openvpn counter accept
- tcp dport postgresql ip daddr { 127.0.0.1/8, 10.0.0.0/8 } counter accept
- tcp dport 2049 ip daddr 10.0.0.0/8 counter accept comment "NFS"
- udp dport 2049 ip daddr 10.0.0.0/8 counter accept comment "NFS"
- tcp dport 20048 ip daddr 10.0.0.0/8 counter accept comment "NFS"
- udp dport 20048 ip daddr 10.0.0.0/8 counter accept comment "NFS"
- udp dport 51820 counter accept comment "WireGuard"
- counter
+ ct state established,related accept
+ icmp type echo-request accept
+ icmp type echo-reply accept
+ ip daddr 127.0.0.0/8 accept
+ ip6 daddr ::1 accept
+ udp dport domain accept
+ tcp dport 853 accept comment "DNS over TLS"
+ udp dport 853 accept comment "DNS over TLS"
+ tcp dport http accept
+ tcp dport https accept
+ udp dport https accept
+ tcp dport ssh accept
+ tcp dport bootps accept
+ udp dport bootps accept
+ tcp dport ntp accept
+ udp dport ntp accept
+ tcp dport nntps accept
+ udp dport nntps accept
+ tcp dport submission accept
+ tcp dport imaps accept
+ tcp dport 2222 accept
+ tcp dport hkp accept
+ udp dport hkp accept
+ tcp dport 9100 accept
+ tcp dport git accept
+ udp dport git accept
+ tcp dport rsync accept
+ udp dport rsync accept
+ tcp dport 8000 accept
+ tcp dport http-alt accept
+ udp dport openvpn accept
+ tcp dport postgresql ip daddr { 127.0.0.1/8, 10.0.0.0/8 } accept
+ tcp dport 2049 ip daddr 10.0.0.0/8 accept comment "NFS"
+ udp dport 2049 ip daddr 10.0.0.0/8 accept comment "NFS"
+ tcp dport 20048 ip daddr 10.0.0.0/8 accept comment "NFS"
+ udp dport 20048 ip daddr 10.0.0.0/8 accept comment "NFS"
+ udp dport 51820 accept comment "WireGuard"
 }
 }
-- cgit v1.2.1
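Review bot: owl's input chain keeps `tcp dport ssh accept` with no source restriction, whereas koi's equivalent rule in the third hunk is `tcp dport ssh ip saddr { 127.0.0.1/8, 10.0.0.0/8 } accept`; bard's input chain in the first hunk has the same unrestricted form as owl, and on both hosts it is the only TCP service the input chain accepts without a source limit. If owl and bard are not meant to take SSH from outside 10.0.0.0/8, aligning them with koi's rule removes the one listener reachable from anywhere; if the exposure is intended, a `comment "ssh from any source: <reason>"` on the line would record that it is deliberate. This is pre-existing policy that the counter removal merely carries over, so it may belong in a follow-up rather than this commit.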