Prefers filter table (with lowered priority) over nat for conntrack

> See <https://blog.samuel.domains/blog/security/nftables-hardening-rules-and-good-practices#isso-56>
Samuel FORESTIER
2021-08-30 17:16:57 +02:00
parent 02468560c1
commit eb7cfe4505

@ -151,15 +151,12 @@ A regular anti-DDoS rule is to [block new packets that are not `SYN`](https://ja
Well, in order to match "new" packets, we need the help of the `conntrack` Netfilter module.
The problem : It's not available within a chain registered with the `ingress` hook, that's why we gotta use it elsewhere.
Let's then take the firstly encountered other "location" on the Netfilter flow, the `PREROUTING` hook.
> Note : The snippet below [requires a Kernel >= 5.2](https://wiki.nftables.org/wiki-nftables/index.php/Performing_Network_Address_Translation_(NAT)#Inet_family_NAT).
> If that's not the case on your machine, replace `inet` by `ip`, but please notice that incoming IPv6 traffic won't be matched.
Let's then take the firstly encountered other "location" on the Netfilter flow : [the `PREROUTING` chain of the `filter` table, at the `mangle` (-150) priority](https://wiki.nftables.org/wiki-nftables/index.php/Netfilter_hooks#Priority_within_hook).
{% highlight nftables %}
table inet nat {
table inet mangle {
chain prerouting {
type nat hook prerouting priority -100;
type filter hook prerouting priority -150;
# CT INVALID
ct state invalid counter drop
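Review bot: the rewritten sentence says "the `PREROUTING` chain of the `filter` table", but the snippet right under it declares `table inet mangle` with a `type filter hook prerouting` chain; in nftables `filter` is the chain type and the table name is free-form, so reword it to something like "a `filter`-type `prerouting` chain (here in a table named `mangle`) at the `mangle` (-150) priority" so the prose and the snippet agree. The priority itself is sound: -150 still sits after conntrack's own prerouting hook at -200, so `ct state invalid` is evaluated on populated state, and because the chain no longer uses `type nat` the dropped "requires a Kernel >= 5.2" note (which only applied to inet-family NAT) is correctly removed.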
@ -245,9 +242,9 @@ table inet filter {
}
}
table inet nat {
table inet mangle {
chain prerouting {
type nat hook prerouting priority -100;
type filter hook prerouting priority -150;
# CT INVALID
ct state invalid counter drop
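Review bot: this second copy of the `prerouting` chain in the full ruleset listing carries the same rename to `mangle` and the same -150 priority as the first hunk, which is the consistency check that matters. Since the chain now appears twice verbatim on the page, any later tweak has to be applied in both places; consider keeping only the chain excerpt in the explanatory section and pointing at this full listing as the authoritative ruleset. It is also worth confirming that nothing else in the listing still refers to the old `nat` table name.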
@ -283,3 +280,7 @@ If you think that something is definitely missing (or wrong !), please feel free
* [paulgorman.org/technical &mdash; nftables](https://paulgorman.org/technical/linux-nftables.txt.html)
* [Netfilters connection tracking system](https://people.netfilter.org/pablo/docs/login.pdf)
### Acknowledgments
* Thanks to [Timo](#isso-56) for their improvement of `conntrack`-based hardening rules
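Review bot: the new reference title reads "Netfilters connection tracking system"; the linked ;login: paper is titled "Netfilter's Connection Tracking System", so the possessive apostrophe should be restored. In the acknowledgment, "for their improvement" is fine, and the `#isso-56` anchor matches the comment link quoted in the commit message, so the credit resolves on the published post.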