Alan Orth
8dd7663b3c
This adds Abuse.sh's list of IPs using blacklisted SSL certificates to nftables. These IPs are high confidence indicators of compromise and we should not route them. The list is updated daily by a systemd timer. See: https://sslbl.abuse.ch/blacklist/
102 lines
3.1 KiB
Django/Jinja
Executable File
102 lines
3.1 KiB
Django/Jinja
Executable File
#!/usr/sbin/nft -f
|
|
#
|
|
# Initially based on: https://wiki.nftables.org/wiki-nftables/index.php/Simple_ruleset_for_a_server
|
|
#
|
|
|
|
flush ruleset
|
|
|
|
# Lists updated daily by update-spamhaus-nftables.sh
|
|
include "/etc/nftables/spamhaus-ipv4.nft"
|
|
include "/etc/nftables/spamhaus-ipv6.nft"
|
|
|
|
# Lists updated daily by update-abusech-nftables.sh
|
|
include "/etc/nftables/abusech-ipv4.nft"
|
|
|
|
# Notes:
|
|
# - tables hold chains, chains hold rules
|
|
# - inet is for both ipv4 and ipv6
|
|
table inet filter {
|
|
set spamhaus-ipv4 {
|
|
type ipv4_addr
|
|
# if the set contains prefixes we need to use the interval flag
|
|
flags interval
|
|
elements = $SPAMHAUS_IPV4
|
|
}
|
|
|
|
set spamhaus-ipv6 {
|
|
type ipv6_addr
|
|
flags interval
|
|
elements = $SPAMHAUS_IPV6
|
|
}
|
|
|
|
set abusech-ipv4 {
|
|
type ipv4_addr
|
|
elements = $ABUSECH_IPV4
|
|
}
|
|
|
|
chain input {
|
|
type filter hook input priority 0;
|
|
|
|
# Allow traffic from established and related packets.
|
|
ct state {established, related} accept
|
|
|
|
# Drop invalid packets.
|
|
ct state invalid counter drop
|
|
|
|
# Drop packets matching the spamhaus sets early.
|
|
ip saddr @spamhaus-ipv4 counter drop
|
|
ip6 saddr @spamhaus-ipv6 counter drop
|
|
|
|
# Drop packets matching the abusech set early.
|
|
ip saddr @abusech-ipv4 counter drop
|
|
|
|
# Allow loopback traffic.
|
|
iifname lo accept
|
|
|
|
# Allow all ICMP and IGMP traffic, but enforce a rate limit
|
|
# to help prevent some types of flood attacks.
|
|
ip protocol icmp limit rate 4/second accept
|
|
ip6 nexthdr ipv6-icmp limit rate 4/second accept
|
|
ip protocol igmp limit rate 4/second accept
|
|
|
|
{# SSH rules #}
|
|
ip saddr 0.0.0.0/0 ct state new tcp dport 22 counter accept
|
|
ip6 saddr ::/0 ct state new tcp dport 22 counter accept
|
|
|
|
{# Web rules #}
|
|
{% if 'web' in group_names %}
|
|
ip saddr 0.0.0.0/0 ct state new tcp dport 80 counter accept
|
|
ip saddr 0.0.0.0/0 ct state new tcp dport 443 counter accept
|
|
ip6 saddr ::/0 ct state new tcp dport 80 counter accept
|
|
ip6 saddr ::/0 ct state new tcp dport 443 counter accept
|
|
{% endif %}
|
|
|
|
{# Extra rules #}
|
|
{% if extra_iptables_rules is defined %}
|
|
{% for rule in extra_iptables_rules %}
|
|
ip saddr {{ ghetto_ipsets[rule.acl].src }} ct state new {{ rule.protocol }} dport {{ rule.port }} counter accept
|
|
|
|
{% if ghetto_ipsets[rule.acl].ipv6src is defined %}
|
|
ip6 saddr {{ ghetto_ipsets[rule.acl].ipv6src }} ct state new {{ rule.protocol }} dport {{ rule.port }} counter accept
|
|
{% endif %}
|
|
|
|
{% endfor %}
|
|
{% endif %}
|
|
|
|
# everything else
|
|
reject with icmpx type port-unreachable
|
|
}
|
|
chain forward {
|
|
type filter hook forward priority 0;
|
|
}
|
|
chain output {
|
|
type filter hook output priority 0;
|
|
# Drop outgoing packets matching the spamhaus sets too
|
|
ip daddr @spamhaus-ipv4 counter drop
|
|
ip6 daddr @spamhaus-ipv6 counter drop
|
|
|
|
# Drop outgoing packets matching the abusech sets too
|
|
ip daddr @abusech-ipv4 counter drop
|
|
}
|
|
}
|