{
"nftables": [
{
"metainfo": {
"version": "1.0.9",
"release_name": "Old Doc Yak #3",
"json_schema_version": 1
}
},
{
"table": {
"family": "ip",
"name": "nat",
"handle": 1
}
},
{
"chain": {
"family": "ip",
"table": "nat",
"name": "prerouting",
"handle": 1,
"type": "nat",
"hook": "prerouting",
"prio": 0,
"policy": "accept"
}
},
{
"chain": {
"family": "ip",
"table": "nat",
"name": "postrouting",
"handle": 2,
"type": "nat",
"hook": "postrouting",
"prio": 0,
"policy": "accept"
}
},
{
"rule": {
"family": "ip",
"table": "nat",
"chain": "prerouting",
"handle": 3,
"expr": [
{
"redirect": null
}
]
}
},
{
"rule": {
"family": "ip",
"table": "nat",
"chain": "prerouting",
"handle": 4,
"expr": [
{
"match": {
"op": "==",
"left": {
"payload": {
"protocol": "tcp",
"field": "dport"
}
},
"right": 21
}
},
{
"redirect": {
"port": 21212
}
}
]
}
},
{
"table": {
"family": "inet",
"name": "filter",
"handle": 2
}
},
{
"set": {
"family": "inet",
"name": "blackhole",
"table": "filter",
"type": "ipv4_addr",
"handle": 4,
"flags": [
"timeout"
],
"timeout": 86400
}
},
{
"chain": {
"family": "inet",
"table": "filter",
"name": "input",
"handle": 1,
"type": "filter",
"hook": "input",
"prio": 0,
"policy": "accept"
}
},
{
"chain": {
"family": "inet",
"table": "filter",
"name": "output",
"handle": 2,
"type": "filter",
"hook": "output",
"prio": 0,
"policy": "accept"
}
},
{
"chain": {
"family": "inet",
"table": "filter",
"name": "admin",
"handle": 3
}
},
{
"rule": {
"family": "inet",
"table": "filter",
"chain": "input",
"handle": 5,
"expr": [
{
"match": {
"op": "==",
"left": {
"payload": {
"protocol": "ip",
"field": "saddr"
}
},
"right": "@blackhole"
}
},
{
"drop": null
}
]
}
},
{
"rule": {
"family": "inet",
"table": "filter",
"chain": "input",
"handle": 6,
"expr": [
{
"match": {
"op": "in",
"left": {
"ct": {
"key": "state"
}
},
"right": [
"established",
"related"
]
}
},
{
"accept": null
}
]
}
},
{
"rule": {
"family": "inet",
"table": "filter",
"chain": "input",
"handle": 7,
"expr": [
{
"match": {
"op": "==",
"left": {
"meta": {
"key": "iif"
}
},
"right": "lo"
}
},
{
"accept": null
}
]
}
},
{
"rule": {
"family": "inet",
"table": "filter",
"chain": "input",
"handle": 8,
"expr": [
{
"match": {
"op": "!=",
"left": {
"payload": {
"protocol": "tcp",
"field": "flags"
}
},
"right": "syn"
}
},
{
"match": {
"op": "in",
"left": {
"ct": {
"key": "state"
}
},
"right": "new"
}
},
{
"log": {
"prefix": "FIRST PACKET IS NOT SYN"
}
},
{
"drop": null
}
]
}
},
{
"rule": {
"family": "inet",
"table": "filter",
"chain": "input",
"handle": 9,
"expr": [
{
"match": {
"op": "==",
"left": {
"&": [
{
"payload": {
"protocol": "tcp",
"field": "flags"
}
},
[
"fin",
"syn"
]
]
},
"right": [
"fin",
"syn"
]
}
},
{
"log": {
"prefix": "SCANNER1"
}
},
{
"drop": null
}
]
}
},
{
"rule": {
"family": "inet",
"table": "filter",
"chain": "input",
"handle": 10,
"expr": [
{
"match": {
"op": "==",
"left": {
"&": [
{
"payload": {
"protocol": "tcp",
"field": "flags"
}
},
[
"syn",
"rst"
]
]
},
"right": [
"syn",
"rst"
]
}
},
{
"log": {
"prefix": "SCANNER2"
}
},
{
"drop": null
}
]
}
},
{
"rule": {
"family": "inet",
"table": "filter",
"chain": "input",
"handle": 11,
"expr": [
{
"match": {
"op": "<",
"left": {
"&": [
{
"payload": {
"protocol": "tcp",
"field": "flags"
}
},
{
"|": [
{
"|": [
{
"|": [
{
"|": [
{
"|": [
"fin",
"syn"
]
},
"rst"
]
},
"psh"
]
},
"ack"
]
},
"urg"
]
}
]
},
"right": "fin"
}
},
{
"log": {
"prefix": "SCANNER3"
}
},
{
"drop": null
}
]
}
},
{
"rule": {
"family": "inet",
"table": "filter",
"chain": "input",
"handle": 12,
"expr": [
{
"match": {
"op": "==",
"left": {
"&": [
{
"payload": {
"protocol": "tcp",
"field": "flags"
}
},
[
"fin",
"syn",
"rst",
"psh",
"ack",
"urg"
]
]
},
"right": [
"fin",
"psh",
"urg"
]
}
},
{
"log": {
"prefix": "SCANNER4"
}
},
{
"drop": null
}
]
}
},
{
"rule": {
"family": "inet",
"table": "filter",
"chain": "input",
"handle": 13,
"expr": [
{
"match": {
"op": "in",
"left": {
"ct": {
"key": "state"
}
},
"right": "invalid"
}
},
{
"log": {
"prefix": "Invalid conntrack state: ",
"flags": [
"skuid",
"ether"
]
}
},
{
"counter": {
"packets": 0,
"bytes": 0
}
},
{
"drop": null
}
]
}
},
{
"rule": {
"family": "inet",
"table": "filter",
"chain": "input",
"handle": 15,
"expr": [
{
"match": {
"op": "==",
"left": {
"payload": {
"protocol": "tcp",
"field": "dport"
}
},
"right": {
"set": [
22,
80,
443
]
}
}
},
{
"match": {
"op": "in",
"left": {
"ct": {
"key": "state"
}
},
"right": "new"
}
},
{
"accept": null
}
]
}
},
{
"rule": {
"family": "inet",
"table": "filter",
"chain": "input",
"handle": 17,
"expr": [
{
"match": {
"op": "==",
"left": {
"payload": {
"protocol": "ip",
"field": "saddr"
}
},
"right": {
"set": [
{
"prefix": {
"addr": "10.0.0.0",
"len": 8
}
},
{
"prefix": {
"addr": "12.34.56.72",
"len": 29
}
},
{
"prefix": {
"addr": "172.16.0.0",
"len": 16
}
}
]
}
}
},
{
"jump": {
"target": "admin"
}
}
]
}
},
{
"rule": {
"family": "inet",
"table": "filter",
"chain": "input",
"handle": 19,
"expr": [
{
"match": {
"op": "==",
"left": {
"payload": {
"protocol": "ip6",
"field": "nexthdr"
}
},
"right": "ipv6-icmp"
}
},
{
"match": {
"op": "==",
"left": {
"payload": {
"protocol": "icmpv6",
"field": "type"
}
},
"right": {
"set": [
"destination-unreachable",
"packet-too-big",
"time-exceeded",
"parameter-problem",
"nd-router-advert",
"nd-neighbor-solicit",
"nd-neighbor-advert"
]
}
}
},
{
"limit": {
"rate": 100,
"burst": 5,
"per": "second"
}
},
{
"accept": null
}
]
}
},
{
"rule": {
"family": "inet",
"table": "filter",
"chain": "input",
"handle": 21,
"expr": [
{
"match": {
"op": "==",
"left": {
"payload": {
"protocol": "ip",
"field": "protocol"
}
},
"right": "icmp"
}
},
{
"match": {
"op": "==",
"left": {
"payload": {
"protocol": "icmp",
"field": "type"
}
},
"right": {
"set": [
"destination-unreachable",
"router-advertisement",
"time-exceeded",
"parameter-problem"
]
}
}
},
{
"limit": {
"rate": 100,
"burst": 5,
"per": "second"
}
},
{
"accept": null
}
]
}
},
{
"rule": {
"family": "inet",
"table": "filter",
"chain": "output",
"handle": 22,
"expr": [
{
"match": {
"op": "in",
"left": {
"ct": {
"key": "state"
}
},
"right": [
"established",
"related"
]
}
},
{
"accept": null
}
]
}
},
{
"rule": {
"family": "inet",
"table": "filter",
"chain": "output",
"handle": 23,
"expr": [
{
"match": {
"op": "==",
"left": {
"meta": {
"key": "oif"
}
},
"right": "lo"
}
},
{
"accept": null
}
]
}
},
{
"rule": {
"family": "inet",
"table": "filter",
"chain": "output",
"handle": 25,
"expr": [
{
"match": {
"op": "==",
"left": {
"payload": {
"protocol": "udp",
"field": "dport"
}
},
"right": 53
}
},
{
"match": {
"op": "==",
"left": {
"payload": {
"protocol": "ip",
"field": "daddr"
}
},
"right": {
"set": [
"8.8.4.4",
"8.8.8.8"
]
}
}
},
{
"accept": null
}
]
}
},
{
"rule": {
"family": "inet",
"table": "filter",
"chain": "output",
"handle": 27,
"expr": [
{
"match": {
"op": "==",
"left": {
"payload": {
"protocol": "tcp",
"field": "dport"
}
},
"right": 53
}
},
{
"match": {
"op": "==",
"left": {
"payload": {
"protocol": "ip",
"field": "daddr"
}
},
"right": {
"set": [
"8.8.4.4",
"8.8.8.8"
]
}
}
},
{
"accept": null
}
]
}
},
{
"rule": {
"family": "inet",
"table": "filter",
"chain": "output",
"handle": 28,
"expr": [
{
"match": {
"op": "==",
"left": {
"payload": {
"protocol": "udp",
"field": "dport"
}
},
"right": 67
}
},
{
"accept": null
}
]
}
},
{
"rule": {
"family": "inet",
"table": "filter",
"chain": "output",
"handle": 29,
"expr": [
{
"match": {
"op": "==",
"left": {
"payload": {
"protocol": "udp",
"field": "dport"
}
},
"right": 443
}
},
{
"accept": null
}
]
}
},
{
"rule": {
"family": "inet",
"table": "filter",
"chain": "output",
"handle": 31,
"expr": [
{
"match": {
"op": "==",
"left": {
"payload": {
"protocol": "tcp",
"field": "dport"
}
},
"right": {
"set": [
25,
465,
587
]
}
}
},
{
"match": {
"op": "!=",
"left": {
"payload": {
"protocol": "ip",
"field": "daddr"
}
},
"right": "127.0.0.1"
}
},
{
"log": {
"prefix": "SPAMALERT!"
}
},
{
"drop": null
}
]
}
},
{
"rule": {
"family": "inet",
"table": "filter",
"chain": "output",
"handle": 33,
"expr": [
{
"match": {
"op": "==",
"left": {
"payload": {
"protocol": "tcp",
"field": "dport"
}
},
"right": {
"set": [
80,
443
]
}
}
},
{
"match": {
"op": "in",
"left": {
"ct": {
"key": "state"
}
},
"right": "new"
}
},
{
"accept": null
}
]
}
},
{
"rule": {
"family": "inet",
"table": "filter",
"chain": "output",
"handle": 34,
"expr": [
{
"match": {
"op": "==",
"left": {
"payload": {
"protocol": "ip",
"field": "protocol"
}
},
"right": "icmp"
}
},
{
"match": {
"op": "==",
"left": {
"payload": {
"protocol": "icmp",
"field": "type"
}
},
"right": "echo-request"
}
},
{
"limit": {
"rate": 1,
"burst": 5,
"per": "second"
}
},
{
"log": null
},
{
"accept": null
}
]
}
},
{
"rule": {
"family": "inet",
"table": "filter",
"chain": "output",
"handle": 35,
"expr": [
{
"log": {
"prefix": "Outgoing packet dropped: ",
"flags": "all"
}
}
]
}
},
{
"rule": {
"family": "inet",
"table": "filter",
"chain": "admin",
"handle": 36,
"expr": [
{
"match": {
"op": "==",
"left": {
"payload": {
"protocol": "tcp",
"field": "dport"
}
},
"right": 22
}
},
{
"match": {
"op": "in",
"left": {
"ct": {
"key": "state"
}
},
"right": "new"
}
},
{
"log": {
"prefix": "Admin connection:"
}
},
{
"accept": null
}
]
}
}
]
}