From 43ebd729c377098a66588dcc64ef1e4f1f1a80e5 Mon Sep 17 00:00:00 2001
From: Emil Renner Berthing <esmil@labitat.dk>
Date: Sat, 17 Oct 2020 17:04:11 +0200
Subject: space_server: nftables: drop spoofed incoming traffic

Discovered by IMAAL Research Lab, Brigham Young University,
thank you.
---
 roles/space_server/files/nftables.conf | 13 +++++++++++++
 1 file changed, 13 insertions(+)

(limited to 'roles')

diff --git a/roles/space_server/files/nftables.conf b/roles/space_server/files/nftables.conf
index adb1208..a0c17c1 100644
--- a/roles/space_server/files/nftables.conf
+++ b/roles/space_server/files/nftables.conf
@@ -74,6 +74,9 @@ table ip filter {
 
 		iif lo accept
 
+		# drop incoming spoofed packages
+		iif $ext_if ip saddr { 10.0.0.0/8, $ext_net4 } drop
+
 		# bird etc. on fiberby link
 		iif $ext_if ip saddr $link_net4 ip daddr $link_net4 counter accept
 
@@ -112,6 +115,9 @@ table ip filter {
 		ct state established,related accept
 		ct state invalid drop
 
+		# drop incoming spoofed packages
+		iif $ext_if ip saddr { 10.0.0.0/8, $ext_net4 } drop
+
 		# jumbotron webhook
 		ip daddr $jumbotron_ip4 tcp dport 17380 counter accept
 
@@ -148,6 +154,10 @@ table ip6 filter {
 		ip6 nexthdr ipv6-icmp drop
 
 		iif lo accept
+
+		# drop incoming spoofed packages
+		iif $ext_if ip6 saddr $ext_net6 drop
+
 		iif { $adm_if, $wire_if, $priv_if, $free_if, $pass_if } hbh nexthdr ipv6-icmp accept
 
 		# bird etc. on fiberby link
@@ -177,6 +187,9 @@ table ip6 filter {
 		ct state established,related accept
 		ct state invalid drop
 
+		# drop incoming spoofed packages
+		iif $ext_if ip6 saddr $ext_net6 drop
+
 		# jumbotron webhook
 		ip6 daddr $jumbotron_ip6 tcp dport 17380 counter accept
 
-- 
cgit v1.2.1