| author | Emil Renner Berthing <esmil@labitat.dk> | 2020-10-17 17:04:11 +0200 | 
|---|---|---|
| committer | Emil Renner Berthing <esmil@labitat.dk> | 2020-10-17 17:07:35 +0200 | 
| commit | 43ebd729c377098a66588dcc64ef1e4f1f1a80e5 (patch) | |
| tree | 7e6b28409c2c145395d779902fc46c2527618125 | |
| parent | a5ccc4b5ee50f5fd1efeb967579fa975f769428d (diff) | |
| download | labitat-ansible-43ebd729c377098a66588dcc64ef1e4f1f1a80e5.tar.gz labitat-ansible-43ebd729c377098a66588dcc64ef1e4f1f1a80e5.tar.xz labitat-ansible-43ebd729c377098a66588dcc64ef1e4f1f1a80e5.zip | |
space_server: nftables: drop spoofed incoming traffic
Discovered by IMAAL Research Lab, Brigham Young University,
thank you.
| -rw-r--r-- | roles/space_server/files/nftables.conf | 13 | 
1 files changed, 13 insertions, 0 deletions
|
diff --git a/roles/space_server/files/nftables.conf b/roles/space_server/files/nftables.conf
index adb1208..a0c17c1 100644
--- a/roles/space_server/files/nftables.conf
+++ b/roles/space_server/files/nftables.conf
@@ -74,6 +74,9 @@ table ip filter {
 		iif lo accept
+		# drop incoming spoofed packages
+		iif $ext_if ip saddr { 10.0.0.0/8, $ext_net4 } drop
+
 		# bird etc. on fiberby link
 		iif $ext_if ip saddr $link_net4 ip daddr $link_net4 counter accept
@@ -112,6 +115,9 @@ table ip filter {
 		ct state established,related accept
 		ct state invalid drop
+		# drop incoming spoofed packages
+		iif $ext_if ip saddr { 10.0.0.0/8, $ext_net4 } drop
+
 		# jumbotron webhook
 		ip daddr $jumbotron_ip4 tcp dport 17380 counter accept
@@ -148,6 +154,10 @@ table ip6 filter {
 		ip6 nexthdr ipv6-icmp drop
 		iif lo accept
+
+		# drop incoming spoofed packages
+		iif $ext_if ip6 saddr $ext_net6 drop
+
 		iif { $adm_if, $wire_if, $priv_if, $free_if, $pass_if } hbh nexthdr ipv6-icmp accept
 		# bird etc. on fiberby link
@@ -177,6 +187,9 @@ table ip6 filter {
 		ct state established,related accept
 		ct state invalid drop
+		# drop incoming spoofed packages
+		iif $ext_if ip6 saddr $ext_net6 drop
+
 		# jumbotron webhook
 		ip6 daddr $jumbotron_ip6 tcp dport 17380 counter accept
|
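Review bot: The new anti-spoofing rule in the first hunk drops silently, while the neighbouring rules in the same chain are written as `counter accept`; without a counter there is no way to see from `nft list ruleset` whether spoofed traffic is actually arriving on $ext_if or whether the rule is matching legitimate peers by mistake, so I would write it as `iif $ext_if ip saddr { 10.0.0.0/8, $ext_net4 } counter drop` (optionally with a rate-limited `log prefix` for the first hunk only). The same applies to the equivalent rules in the other three hunks. The IPv4 set covers 10.0.0.0/8 and $ext_net4 but no other private or loopback ranges; whether that is sufficient depends on which address ranges the internal interfaces ($adm_if, $wire_if, $priv_if, $free_if, $pass_if) actually use, which is defined outside these hunks, and $link_net4 must stay out of the set since the "bird etc." rule below legitimately accepts it from $ext_if. Minor: the comment says "packages" where "packets" is meant.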
