{ "nftables": [ { "metainfo": { "version": "1.0.9", "release_name": "Old Doc Yak #3", "json_schema_version": 1 } }, { "table": { "family": "ip", "name": "nat", "handle": 1 } }, { "chain": { "family": "ip", "table": "nat", "name": "prerouting", "handle": 1, "type": "nat", "hook": "prerouting", "prio": 0, "policy": "accept" } }, { "chain": { "family": "ip", "table": "nat", "name": "postrouting", "handle": 2, "type": "nat", "hook": "postrouting", "prio": 0, "policy": "accept" } }, { "rule": { "family": "ip", "table": "nat", "chain": "prerouting", "handle": 3, "expr": [ { "redirect": null } ] } }, { "rule": { "family": "ip", "table": "nat", "chain": "prerouting", "handle": 4, "expr": [ { "match": { "op": "==", "left": { "payload": { "protocol": "tcp", "field": "dport" } }, "right": 21 } }, { "redirect": { "port": 21212 } } ] } }, { "table": { "family": "inet", "name": "filter", "handle": 2 } }, { "set": { "family": "inet", "name": "blackhole", "table": "filter", "type": "ipv4_addr", "handle": 4, "flags": [ "timeout" ], "timeout": 86400 } }, { "chain": { "family": "inet", "table": "filter", "name": "input", "handle": 1, "type": "filter", "hook": "input", "prio": 0, "policy": "accept" } }, { "chain": { "family": "inet", "table": "filter", "name": "output", "handle": 2, "type": "filter", "hook": "output", "prio": 0, "policy": "accept" } }, { "chain": { "family": "inet", "table": "filter", "name": "admin", "handle": 3 } }, { "rule": { "family": "inet", "table": "filter", "chain": "input", "handle": 5, "expr": [ { "match": { "op": "==", "left": { "payload": { "protocol": "ip", "field": "saddr" } }, "right": "@blackhole" } }, { "drop": null } ] } }, { "rule": { "family": "inet", "table": "filter", "chain": "input", "handle": 6, "expr": [ { "match": { "op": "in", "left": { "ct": { "key": "state" } }, "right": [ "established", "related" ] } }, { "accept": null } ] } }, { "rule": { "family": "inet", "table": "filter", "chain": "input", "handle": 7, "expr": [ { "match": { "op": "==", "left": { "meta": { "key": "iif" } }, "right": "lo" } }, { "accept": null } ] } }, { "rule": { "family": "inet", "table": "filter", "chain": "input", "handle": 8, "expr": [ { "match": { "op": "!=", "left": { "payload": { "protocol": "tcp", "field": "flags" } }, "right": "syn" } }, { "match": { "op": "in", "left": { "ct": { "key": "state" } }, "right": "new" } }, { "log": { "prefix": "FIRST PACKET IS NOT SYN" } }, { "drop": null } ] } }, { "rule": { "family": "inet", "table": "filter", "chain": "input", "handle": 9, "expr": [ { "match": { "op": "==", "left": { "&": [ { "payload": { "protocol": "tcp", "field": "flags" } }, [ "fin", "syn" ] ] }, "right": [ "fin", "syn" ] } }, { "log": { "prefix": "SCANNER1" } }, { "drop": null } ] } }, { "rule": { "family": "inet", "table": "filter", "chain": "input", "handle": 10, "expr": [ { "match": { "op": "==", "left": { "&": [ { "payload": { "protocol": "tcp", "field": "flags" } }, [ "syn", "rst" ] ] }, "right": [ "syn", "rst" ] } }, { "log": { "prefix": "SCANNER2" } }, { "drop": null } ] } }, { "rule": { "family": "inet", "table": "filter", "chain": "input", "handle": 11, "expr": [ { "match": { "op": "<", "left": { "&": [ { "payload": { "protocol": "tcp", "field": "flags" } }, { "|": [ { "|": [ { "|": [ { "|": [ { "|": [ "fin", "syn" ] }, "rst" ] }, "psh" ] }, "ack" ] }, "urg" ] } ] }, "right": "fin" } }, { "log": { "prefix": "SCANNER3" } }, { "drop": null } ] } }, { "rule": { "family": "inet", "table": "filter", "chain": "input", "handle": 12, "expr": [ { "match": { "op": "==", "left": { "&": [ { "payload": { "protocol": "tcp", "field": "flags" } }, [ "fin", "syn", "rst", "psh", "ack", "urg" ] ] }, "right": [ "fin", "psh", "urg" ] } }, { "log": { "prefix": "SCANNER4" } }, { "drop": null } ] } }, { "rule": { "family": "inet", "table": "filter", "chain": "input", "handle": 13, "expr": [ { "match": { "op": "in", "left": { "ct": { "key": "state" } }, "right": "invalid" } }, { "log": { "prefix": "Invalid conntrack state: ", "flags": "all" } }, { "counter": { "packets": 0, "bytes": 0 } }, { "drop": null } ] } }, { "rule": { "family": "inet", "table": "filter", "chain": "input", "handle": 15, "expr": [ { "match": { "op": "==", "left": { "payload": { "protocol": "tcp", "field": "dport" } }, "right": { "set": [ 22, 80, 443 ] } } }, { "match": { "op": "in", "left": { "ct": { "key": "state" } }, "right": "new" } }, { "accept": null } ] } }, { "rule": { "family": "inet", "table": "filter", "chain": "input", "handle": 17, "expr": [ { "match": { "op": "==", "left": { "payload": { "protocol": "ip", "field": "saddr" } }, "right": { "set": [ { "prefix": { "addr": "10.0.0.0", "len": 8 } }, { "prefix": { "addr": "12.34.56.72", "len": 29 } }, { "prefix": { "addr": "172.16.0.0", "len": 16 } } ] } } }, { "jump": { "target": "admin" } } ] } }, { "rule": { "family": "inet", "table": "filter", "chain": "input", "handle": 19, "expr": [ { "match": { "op": "==", "left": { "payload": { "protocol": "ip6", "field": "nexthdr" } }, "right": "ipv6-icmp" } }, { "match": { "op": "==", "left": { "payload": { "protocol": "icmpv6", "field": "type" } }, "right": { "set": [ "destination-unreachable", "packet-too-big", "time-exceeded", "parameter-problem", "nd-router-advert", "nd-neighbor-solicit", "nd-neighbor-advert" ] } } }, { "limit": { "rate": 100, "burst": 5, "per": "second" } }, { "accept": null } ] } }, { "rule": { "family": "inet", "table": "filter", "chain": "input", "handle": 21, "expr": [ { "match": { "op": "==", "left": { "payload": { "protocol": "ip", "field": "protocol" } }, "right": "icmp" } }, { "match": { "op": "==", "left": { "payload": { "protocol": "icmp", "field": "type" } }, "right": { "set": [ "destination-unreachable", "router-advertisement", "time-exceeded", "parameter-problem" ] } } }, { "limit": { "rate": 100, "burst": 5, "per": "second" } }, { "accept": null } ] } }, { "rule": { "family": "inet", "table": "filter", "chain": "output", "handle": 22, "expr": [ { "match": { "op": "in", "left": { "ct": { "key": "state" } }, "right": [ "established", "related" ] } }, { "accept": null } ] } }, { "rule": { "family": "inet", "table": "filter", "chain": "output", "handle": 23, "expr": [ { "match": { "op": "==", "left": { "meta": { "key": "oif" } }, "right": "lo" } }, { "accept": null } ] } }, { "rule": { "family": "inet", "table": "filter", "chain": "output", "handle": 25, "expr": [ { "match": { "op": "==", "left": { "payload": { "protocol": "udp", "field": "dport" } }, "right": 53 } }, { "match": { "op": "==", "left": { "payload": { "protocol": "ip", "field": "daddr" } }, "right": { "set": [ "8.8.4.4", "8.8.8.8" ] } } }, { "accept": null } ] } }, { "rule": { "family": "inet", "table": "filter", "chain": "output", "handle": 27, "expr": [ { "match": { "op": "==", "left": { "payload": { "protocol": "tcp", "field": "dport" } }, "right": 53 } }, { "match": { "op": "==", "left": { "payload": { "protocol": "ip", "field": "daddr" } }, "right": { "set": [ "8.8.4.4", "8.8.8.8" ] } } }, { "accept": null } ] } }, { "rule": { "family": "inet", "table": "filter", "chain": "output", "handle": 28, "expr": [ { "match": { "op": "==", "left": { "payload": { "protocol": "udp", "field": "dport" } }, "right": 67 } }, { "accept": null } ] } }, { "rule": { "family": "inet", "table": "filter", "chain": "output", "handle": 29, "expr": [ { "match": { "op": "==", "left": { "payload": { "protocol": "udp", "field": "dport" } }, "right": 443 } }, { "accept": null } ] } }, { "rule": { "family": "inet", "table": "filter", "chain": "output", "handle": 31, "expr": [ { "match": { "op": "==", "left": { "payload": { "protocol": "tcp", "field": "dport" } }, "right": { "set": [ 25, 465, 587 ] } } }, { "match": { "op": "!=", "left": { "payload": { "protocol": "ip", "field": "daddr" } }, "right": "127.0.0.1" } }, { "log": { "prefix": "SPAMALERT!" } }, { "drop": null } ] } }, { "rule": { "family": "inet", "table": "filter", "chain": "output", "handle": 33, "expr": [ { "match": { "op": "==", "left": { "payload": { "protocol": "tcp", "field": "dport" } }, "right": { "set": [ 80, 443 ] } } }, { "match": { "op": "in", "left": { "ct": { "key": "state" } }, "right": "new" } }, { "accept": null } ] } }, { "rule": { "family": "inet", "table": "filter", "chain": "output", "handle": 34, "expr": [ { "match": { "op": "==", "left": { "payload": { "protocol": "ip", "field": "protocol" } }, "right": "icmp" } }, { "match": { "op": "==", "left": { "payload": { "protocol": "icmp", "field": "type" } }, "right": "echo-request" } }, { "limit": { "rate": 1, "burst": 5, "per": "second" } }, { "log": null }, { "accept": null } ] } }, { "rule": { "family": "inet", "table": "filter", "chain": "output", "handle": 35, "expr": [ { "log": { "prefix": "Outgoing packet dropped: ", "flags": "all" } } ] } }, { "rule": { "family": "inet", "table": "filter", "chain": "admin", "handle": 36, "expr": [ { "match": { "op": "==", "left": { "payload": { "protocol": "tcp", "field": "dport" } }, "right": 22 } }, { "match": { "op": "in", "left": { "ct": { "key": "state" } }, "right": "new" } }, { "log": { "prefix": "Admin connection:" } }, { "accept": null } ] } } ] }