8d211afc1d
* Fri Nov 25 2022 Phil Sutter <psutter@redhat.com> [1.0.4-3.el9] - Prevent port-shadow attacks in sample nat config (Phil Sutter) [2061940] Resolves: rhbz#2061940
39 lines
1.0 KiB
Plaintext
39 lines
1.0 KiB
Plaintext
# Sample configuration snippet for nftables service.
|
|
# Meant to be included by main.nft, not for direct use.
|
|
|
|
# dedicated table for IPv4
|
|
table ip nftables_svc {
|
|
|
|
# interfaces to masquerade traffic from
|
|
set masq_interfaces {
|
|
type ifname
|
|
elements = { "virbr0" }
|
|
}
|
|
|
|
# networks to masquerade traffic from
|
|
# 'interval' flag is required to support subnets
|
|
set masq_ips {
|
|
type ipv4_addr
|
|
flags interval
|
|
elements = { 192.168.122.0/24 }
|
|
}
|
|
|
|
# force port randomization for non-locally originated connections using
|
|
# suspicious port values to prevent port-shadow attacks, i.e.
|
|
# accidental matching of new inbound connections vs. existing ones
|
|
chain do_masquerade {
|
|
meta iif > 0 th sport < 16384 th dport >= 32768 masquerade random
|
|
masquerade
|
|
}
|
|
|
|
# base-chain to manipulate conntrack in postrouting,
|
|
# will see packets for new or related traffic only
|
|
chain POSTROUTING {
|
|
type nat hook postrouting priority srcnat + 20
|
|
policy accept
|
|
|
|
iifname @masq_interfaces oifname != @masq_interfaces jump do_masquerade
|
|
ip saddr @masq_ips jump do_masquerade
|
|
}
|
|
}
|