Topic: nftables rule no ping floods
==== REQUIRED BASIC INFO OF YOUR IREDMAIL SERVER ====
- iRedMail version (check /etc/iredmail-release): 1.0
- Deployed with iRedMail offline
- Linux/BSD distribution name and version: Debian 10
- Store mail accounts in which backend (LDAP/MySQL/PGSQL): LDAP -> Active Directory
- Web server: Nginx
- Manage mail accounts with iRedAdmin-Pro? NONE
====
The rule describing flood blocking does not work; moreover, it blocks ping requests,
but if you install it in the right place it works as expected.
Fix:
Example: https://wiki.archlinux.org/index.php/Nf … Limit_rate
Move the rules (# no ping floods) to after this rule (# accept any localhost traffic).
You can also add a blacklist, as I have done.
nftables.conf:
#!/usr/sbin/nft -f
flush ruleset

# `inet` applies to both IPv4 and IPv6.
table inet filter {
    # Source addresses/networks to refuse. `flags interval` allows CIDR
    # prefixes in the set; `auto-merge` collapses overlapping entries.
    set blacklist-v4 {
        type ipv4_addr
        flags interval
        auto-merge
        elements = { 185.176.221.167, 81.30.158.0/24,
                     213.137.128.0/19 }
    }

    chain input {
        # Explicit drop policy, so nothing slips through if the final
        # `counter drop` rule is ever removed.
        type filter hook input priority 0; policy drop;

        # accept any localhost traffic
        iif lo accept

        # no ping floods
        # Rules are evaluated top to bottom and the first accept/drop wins,
        # so these must come before any rule that accepts echo-request;
        # placed after such a rule they never see a packet.
        ip6 nexthdr icmpv6 icmpv6 type echo-request limit rate over 10/second burst 4 packets drop
        ip protocol icmp icmp type echo-request limit rate over 10/second burst 4 packets drop

        # accept traffic originated from us
        ct state established,related counter accept

        # drop ip from blacklist
        # Evaluated after the conntrack accept above, so only new connections
        # from these sources are refused.
        ip saddr @blacklist-v4 drop

        # accept ICMP & IGMP
        # echo-request is listed for IPv6 as well as IPv4 so that pings within
        # the rate limit above are answered on both protocols.
        ip6 nexthdr icmpv6 icmpv6 type { echo-request, destination-unreachable, packet-too-big, time-exceeded, parameter-problem, mld-listener-query, mld-listener-report, mld-listener-reduction, nd-router-solicit, nd-router-advert, nd-neighbor-solicit, nd-neighbor-advert, ind-neighbor-solicit, ind-neighbor-advert, mld2-listener-report } accept
        ip protocol icmp icmp type { echo-request, destination-unreachable, router-solicitation, router-advertisement, time-exceeded, parameter-problem } accept
        ip protocol igmp accept

        # DNS/named/BIND/53
        #tcp dport 53 accept
        #udp dport 53 accept

        # ssh (only local)
        tcp dport 22 ip saddr { 10.0.0.0/8, 192.168.0.0/16 } accept

        # http/https (only local)
        tcp dport 80 ip saddr { 10.0.0.0/8, 192.168.0.0/16 } accept
        tcp dport 443 ip saddr { 10.0.0.0/8, 192.168.0.0/16 } accept

        # smtp/submission
        tcp dport 25 accept
        tcp dport 587 accept

        # smtps/SMTP over SSL (only local)
        tcp dport 465 ip saddr { 10.0.0.0/8, 192.168.0.0/16 } accept

        # pop3/pop3s
        tcp dport 110 accept
        tcp dport 995 accept

        # imap/imaps
        tcp dport 143 accept
        tcp dport 993 accept

        # sieve (only local)
        tcp dport 2000 ip saddr { 10.0.0.0/8, 192.168.0.0/16 } accept
        tcp dport 4190 ip saddr { 10.0.0.0/8, 192.168.0.0/16 } accept

        # zabbix (only local)
        tcp dport 1050 ip saddr { 10.0.0.0/8, 192.168.0.0/16 } accept
        tcp dport 1051 ip saddr { 10.0.0.0/8, 192.168.0.0/16 } accept

        # count and drop any other traffic
        counter drop
    }

    chain output {
        type filter hook output priority 0;
        policy accept;
    }

    chain forward {
        type filter hook forward priority 0;
        policy drop;
    }
}
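The post's fix depends on rule order: nftables evaluates the rules of a chain top to bottom and stops at the first terminal verdict, so a `limit rate over ... drop` rule placed after a rule that already accepts echo-request never gets a packet to match. The following POSIX shell helpers are an added example, not part of the post above and not iRedMail's own tooling: they check that ordering in a ruleset file and, when `nft` is installed, syntax-check the file with `nft -c -f` without loading it. All function names and the two minimal rulesets written by `write_good_order` and `write_bad_order` are constructed for this example.

```shell
#!/bin/sh
# Added example, not part of the forum post or of iRedMail.
# nftables walks a chain top to bottom and stops at the first accept/drop.
# A "limit rate over ... drop" rule placed after a rule that already accepts
# echo-request therefore never fires. These helpers check that ordering in a
# ruleset file. Function names are this example's own.

# Line number of the first rule that rate-limits IPv4 echo-request
# (empty output if there is none).
ping_limit_line() {
    grep -n 'ip protocol icmp icmp type echo-request limit rate over' "$1" \
        | head -n 1 | cut -d: -f1
}

# Line number of the first rule that accepts IPv4 echo-request outright.
ping_accept_line() {
    grep -n 'ip protocol icmp icmp type {.*echo-request.*} accept' "$1" \
        | head -n 1 | cut -d: -f1
}

# Return 0 when the limit rule exists and is evaluated before the accept
# rule; return 1 (with the reason on stdout) otherwise.
check_ping_limit_order() {
    limit=$(ping_limit_line "$1")
    accept=$(ping_accept_line "$1")
    if [ -z "$limit" ]; then
        echo "$1: no rate-limit rule for echo-request"
        return 1
    fi
    if [ -z "$accept" ]; then
        echo "$1: no accept rule for echo-request (pings fall through to the final drop)"
        return 1
    fi
    if [ "$limit" -lt "$accept" ]; then
        echo "$1: ok, limit rule (line $limit) precedes accept rule (line $accept)"
        return 0
    fi
    echo "$1: BAD, accept rule (line $accept) precedes limit rule (line $limit); the limit never fires"
    return 1
}

# Parse-only check (`nft -c`) when nft is available; skipped otherwise.
nft_syntax_check() {
    if ! command -v nft >/dev/null 2>&1; then
        echo "nft not installed, skipping syntax check of $1"
        return 0
    fi
    nft -c -f "$1"
}

# Constructed minimal rulesets for the demo: the limit rule in the right
# place (before the accept) and in the wrong place (after it).
write_good_order() {
    cat > "$1" <<'EOF'
table inet filter {
    chain input {
        type filter hook input priority 0; policy drop;
        iif lo accept
        ip protocol icmp icmp type echo-request limit rate over 10/second burst 4 packets drop
        ct state established,related accept
        ip protocol icmp icmp type { echo-request, destination-unreachable } accept
        counter drop
    }
}
EOF
}

write_bad_order() {
    cat > "$1" <<'EOF'
table inet filter {
    chain input {
        type filter hook input priority 0; policy drop;
        iif lo accept
        ct state established,related accept
        ip protocol icmp icmp type { echo-request, destination-unreachable } accept
        ip protocol icmp icmp type echo-request limit rate over 10/second burst 4 packets drop
        counter drop
    }
}
EOF
}

demo() {
    dir=$(mktemp -d)
    write_good_order "$dir/good.conf"
    write_bad_order "$dir/bad.conf"
    check_ping_limit_order "$dir/good.conf" || :
    check_ping_limit_order "$dir/bad.conf" || :
    nft_syntax_check "$dir/good.conf" || :
    rm -rf "$dir"
}

demo
```

Run `check_ping_limit_order /etc/nftables.conf` against the real file before `nft -f`; the textual check only looks at the IPv4 pair of rules, so the IPv6 `icmpv6 type echo-request` rule still has to be placed by hand in the same way. Run the `nft -c -f` dry run with the same privileges you would use to load the ruleset.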