51 (edited by ashfolk Yesterday 11:16:32)

Re: Debian 10 Buster Post

This "nftables.conf" is working for most services on my s3 (KVM) server.

Below are the services and functionalities I have tested, which are working:
IPv4 and IPv6 based ping/ICMP, DNS (authoritative) nameserver services, web-server (HTTP and HTTPS) services, e-mail server (SMTP, IMAPS, POP3S, etc.) services, etc. are working,
and now (August 18, 2019) the connection with the SSH server is also working (though initially, after iRedMail installed nftables, my SSH stopped working, as my SSH config contained a shorter alive time).

Instead of showing real IP addresses here, I am replacing them with words like these: IPv4-Adrs-S3, IPv6-Adrs-S3-N1, IPv6-Adrs-S3-N2, etc.

#!/usr/sbin/nft -f
#
# nftables in s3 : id/serial : 065.
#
# /etc/nftables.conf file in  s3/SRVR3  "s3.example.com"  Server
#
#
# This server includes these IP-addresses & associated services/functions:
#   IPv4-Adrs-S3 :
#     used for: ssh-server, dns/nameServer, mail-server, webServer, etc.
#   IPv6-Adrs-S3-N1, IPv6-Adrs-S3-N2, IPv6-Adrs-S3-N3, IPv6-Adrs-S3-N4, IPv6-Adrs-S3-N5, IPv6-Adrs-S3-N6 :
#     used for: ssh-Server, dns/nameServer/bind, mail-Server, webServer, etc.
#   IPv6-Adrs-S3-N7, IPv6-Adrs-S3-N8 :
#     used for: dns-Server/unbound, webServer, etc.
#   IPv6-Adrs-S3-N11, IPv6-Adrs-S3-N12, IPv6-Adrs-S3-N13, IPv6-Adrs-S3-N14 :
#     used for: mail-Server, webServer, etc.
#
#
# Lines that begin with the "#" symbol are comments/notes/etc.
#
#
# Instead of showing real IP-Address numbers, we
#   are using these words IPv4-Adrs-S3 , IPv6-Adrs-S3-N1 , etc
#
#
# Commands to control "nftables" on Debian-10 based computer:
#   systemctl restart nftables.service
#   systemctl stop nftables.service
#   systemctl start nftables.service
#   systemctl status nftables.service
#   

flush ruleset

# the `ip` adrs-family-table applies to IPv4:
table ip filter {
    chain incoming {
        type filter hook input priority 0; policy drop;
        # NOTE: this chain and the "incoming" chain in the "inet" table are both base chains on
        #   the "input" hook, so both see every IPv4 packet. "accept" here only passes the packet
        #   on to the next chain on the hook; "drop" is final. So an IPv4 packet must be accepted
        #   here AND in "inet" to get through.
        
        # Accept loopback traffic (127.0.0.0/8). Without this, local clients talking to
        #   127.0.0.1 hit the final "counter drop" of this chain, whatever "inet" says:
        iif lo accept
        
        # We are handling ICMP 1st, & to rate limit:
        ip protocol icmp icmp type echo-request limit rate 100/second accept
        ip protocol icmp icmp type echo-request counter drop
        # No ping floods:
        # ip protocol icmp icmp type echo-request limit rate over 10/second burst 4 packets drop
        
        # ... For IPv4 DNS NameServer/Authoritative Server, rate limit rules are here ...
        
        # ... For IPv4 SSH Server, rate limit rules are here ...
        
        # Accept established/related traffic (replies to connections this server originated,
        #   and further packets of inbound connections already accepted below):
        ct state { established, related } accept
        
        # Accept these ICMP (IPv4 based)
        #   (usually for initial server setup or app debug stage,
        #    when hardening server then remove whats not necessary)
        # (Keyword = Value | echo-reply = 0 | destination-unreachable = 3 | source-quench = 4 | redirect = 5
        #  | echo-request = 8 | router-advertisement = 9 | router-solicitation = 10 | time-exceeded = 11 |
        #  parameter-problem = 12 | timestamp-request = 13 | timestamp-reply = 14 | info-request = 15 |
        #  info-reply = 16 | address-mask-request = 17 | address-mask-reply = 18 )
        ip protocol icmp icmp type { destination-unreachable, echo-reply, router-solicitation, router-advertisement, time-exceeded, parameter-problem } accept
        # if this computer is not a packet router, then do not accept icmp "redirect", See "sysctl.conf"
        
        # Accept IGMP:
        ip protocol igmp accept
        
        # Allow HE (Hurricane Electric) 6in4 IPv6-in-IPv4 tunnel (IP protocol 41; not GRE, which is 47):
        # ip protocol 41 ip saddr HE.END-POINT.IPv4.ADRS ip daddr IPv4-Adrs-S3 accept
        
        #tcp dport 5022 ip saddr { IPv4-Adrs-S1, IPv4-Adrs-S2, MyLoc1.IPv4.ADRS, MyLoc2.IPv4.ADRS } ip daddr IPv4-Adrs-S3 ct state { new, established, related } accept
        #udp dport 5022 ip saddr { IPv4-Adrs-S1, IPv4-Adrs-S2, MyLoc1.IPv4.ADRS, MyLoc2.IPv4.ADRS } ip daddr IPv4-Adrs-S3 ct state { new, established, related } accept
        # nft add rule inet filter input tcp dport 22 ct state new tcp flags \& \(syn \| ack\) == syn counter accept
        #tcp dport 5022 ip saddr { IPv4-Adrs-S1, IPv4-Adrs-S2, MyLoc1.IPv4.ADRS, MyLoc2.IPv4.ADRS } ip daddr IPv4-Adrs-S3 ct state new tcp flags & (syn | ack) == syn accept
        #tcp dport 5022 ip saddr { IPv4-Adrs-S1, IPv4-Adrs-S2, MyLoc1.IPv4.ADRS, MyLoc2.IPv4.ADRS } ip daddr IPv4-Adrs-S3 ct state new accept
        #tcp dport 5022 ct state new tcp flags & (syn|ack) == syn counter accept
        tcp dport 5022 ip saddr { IPv4-Adrs-S1, IPv4-Adrs-S2, MyLoc1.IPv4.ADRS, MyLoc2.IPv4.ADRS } ip daddr IPv4-Adrs-S3 accept
        
        # ip4_SRVR3 : Used for DNS/named/BIND/53, SSH/5022, EMail, Web, etc services:
        tcp dport { 25, 53, 80, 110, 143, 443, 465, 587, 993, 995, 4190 } ip daddr IPv4-Adrs-S3 accept
        udp dport { 53, 80, 443 } ip daddr IPv4-Adrs-S3 accept
        
        # ... other IP / IPv4 related rules (also add in "inet" section) ...
        
        counter drop
    }
    
    chain FORWARD {
        type filter hook forward priority 0; policy drop;
    }
    
    chain outgoing {
        type filter hook output priority 0; policy accept;
    }
}


# the `ip6` adrs-family-table applies to IPv6:
table ip6 filter {
    chain incoming {
        type filter hook input priority 0; policy drop;
        # NOTE: this chain and the "incoming" chain in the "inet" table are both base chains on
        #   the "input" hook, so both see every IPv6 packet. "accept" here only passes the packet
        #   on to the next chain on the hook; "drop" is final. So an IPv6 packet must be accepted
        #   here AND in "inet" to get through.
        
        # Accept loopback traffic (::1). Without this, local clients talking to ::1 hit the
        #   final "counter drop" of this chain, whatever "inet" says:
        iif lo accept
        
        # ICMPv6 handled 1st, & to rate limit:
        # NOTE: "meta l4proto" (not "ip6 nexthdr") is used, because "ip6 nexthdr" only reads the
        #   Next Header field of the fixed IPv6 header and misses ICMPv6 that sits behind an
        #   extension header (MLD messages carry a Hop-by-Hop Router Alert option), so the
        #   mld-* accepts below would never match.
        meta l4proto icmpv6 icmpv6 type echo-request limit rate 100/second accept
        meta l4proto icmpv6 icmpv6 type echo-request counter drop
        # No ping floods:
        # meta l4proto icmpv6 icmpv6 type echo-request limit rate over 10/second burst 4 packets drop
        
        # ... For IPv6 DNS NameServer/Authoritative Server, rate limit rules are here ...
        
        # ... For IPv6 SSH Server, rate limit rules are here ...
        
        # Accept established/related traffic (replies to connections this server originated,
        #   and further packets of inbound connections already accepted below):
        ct state { established, related } accept
        
        # Accept these ICMPv6:
        #   (usually for initial server setup or app debug stage,
        #    when hardening server then remove whats not necessary)
        # (Keyword = Value | destination-unreachable = 1 | packet-too-big = 2 | time-exceeded = 3 |
        #  parameter-problem = 4 | echo-request = 128 | echo-reply = 129 | mld-listener-query = 130 |
        #  mld-listener-report = 131 | mld-listener-done = 132 | mld-listener-reduction = 132 |
        #  nd-router-solicit = 133 | nd-router-advert = 134 | nd-neighbor-solicit = 135 | nd-neighbor-advert
        #  = 136 | nd-redirect = 137 | router-renumbering = 138 | ind-neighbor-solicit = 141 |
        #  ind-neighbor-advert = 142 | mld2-listener-report = 143)
        meta l4proto icmpv6 icmpv6 type { destination-unreachable, packet-too-big, time-exceeded, parameter-problem, echo-reply, mld-listener-query, mld-listener-report, mld-listener-reduction, nd-router-solicit, nd-router-advert, nd-neighbor-solicit, nd-neighbor-advert, ind-neighbor-solicit, ind-neighbor-advert, mld2-listener-report } accept
        # the "nd-redirect", "router-renumbering" were removed.
        # research more on each icmpv6 packets how NDP can be used to abuse.
        
        # ip6_SRVR3 : Used for DNS/named/BIND/53, SSH/5022, EMail, Web, etc services:
        tcp dport { 25, 53, 80, 110, 143, 443, 465, 587, 993, 995, 4190 } ip6 daddr { IPv6-Adrs-S3-N1, IPv6-Adrs-S3-N2, IPv6-Adrs-S3-N3, IPv6-Adrs-S3-N4, IPv6-Adrs-S3-N5, IPv6-Adrs-S3-N6 } accept
        udp dport { 53, 80, 443 } ip6 daddr { IPv6-Adrs-S3-N1, IPv6-Adrs-S3-N2, IPv6-Adrs-S3-N3, IPv6-Adrs-S3-N4, IPv6-Adrs-S3-N5, IPv6-Adrs-S3-N6 } accept
        
        # ip6_SRVR3 : Used for DNS/unbound/53, Web-servers(http/80, https/443), etc:
        tcp dport { 53, 80, 443 } ip6 daddr { IPv6-Adrs-S3-N7, IPv6-Adrs-S3-N8  } accept
        udp dport { 53, 80, 443 } ip6 daddr { IPv6-Adrs-S3-N7, IPv6-Adrs-S3-N8  } accept
        
        # ip6_SRVR3_MX : Used for EMail-related-services (smtp/25, submission/587, smtps/465, imaps/993
        #                   pop3s/995, sieve/4190, etc):
        tcp dport { 25, 80, 110, 143, 443, 465, 587, 993, 995, 4190 } ip6 daddr { IPv6-Adrs-S3-N11, IPv6-Adrs-S3-N12, IPv6-Adrs-S3-N13, IPv6-Adrs-S3-N14 } accept
        udp dport { 80, 443 } ip6 daddr { IPv6-Adrs-S3-N11, IPv6-Adrs-S3-N12, IPv6-Adrs-S3-N13, IPv6-Adrs-S3-N14 } accept
        
        # ... other IPv6 related rules (also add in "inet" section) ...
        
        counter drop
    }
    
    chain FORWARD {
        type filter hook forward priority 0; policy drop;
    }
    
    chain outgoing {
        type filter hook output priority 0; policy accept;
    }
}



# the `inet` adrs-family-table applies to both IPv4 and IPv6:
table inet filter {
    chain incoming {
        type filter hook input priority 0; policy drop;
        # NOTE on how the three tables interact: the "ip", "ip6" and "inet" input chains are all
        #   hooked on "input" at priority 0, so an IPv4 packet runs through "ip" AND "inet", and
        #   an IPv6 packet through "ip6" AND "inet". "accept" in one chain only passes the packet
        #   on to the next chain; "drop" in any chain is final. The order between chains of equal
        #   priority is not defined by family, so do not rely on "ip" running before "inet".
        # Consequence (all three chains have "policy drop"): traffic is allowed only if an accept
        #   rule covers it in the family table AND here in "inet". Removing a duplicate accept
        #   rule from one table while keeping it in the other will block that traffic.
        # Tips: rules that use only ports (same for IPv4 and IPv6) fit naturally here in "inet";
        #    rules that match a specific IPv4 / IPv6 address can live in "ip" / "ip6" or here
        #    (the "inet" family accepts "ip saddr" / "ip6 daddr" selectors too). Whichever layout
        #    is chosen, change ONE rule at a time & TEST EACH TIME, e.g. with
        #    "nft -c -f /etc/nftables.conf" before "systemctl restart nftables.service".
        
        # Accept any localhost traffic:
        iif lo accept
        
        # ICMP+ICMPv6 handled 1st, & to rate limit:
        # NOTE: "meta l4proto" (not "ip6 nexthdr") is used for ICMPv6, because "ip6 nexthdr" only
        #   reads the Next Header field of the fixed IPv6 header and misses ICMPv6 that sits
        #   behind an extension header (MLD messages carry a Hop-by-Hop Router Alert option).
        meta l4proto icmpv6 icmpv6 type echo-request limit rate 100/second accept
        meta l4proto icmpv6 icmpv6 type echo-request counter drop
        ip protocol icmp icmp type echo-request limit rate 100/second accept
        ip protocol icmp icmp type echo-request counter drop
        # No ping floods:
        #ip protocol icmp icmp type echo-request limit rate over 10/second burst 4 packets drop
        #meta l4proto icmpv6 icmpv6 type echo-request limit rate over 10/second burst 4 packets drop
        
        # ... For DNS NameServer/Authoritative Server, rate limit rules are here ...
        
        # ... For SSH Server, rate limit rules are here ...
        
        # Accept established/related traffic (replies to connections this server originated,
        #   and further packets of inbound connections already accepted below):
        ct state { established, related } accept
        
        # Accept these ICMP & ICMPv6:
        #  (usually for initial server setup or app debug stage,
        #   when hardening server then remove whats not necessary)
        meta l4proto icmpv6 icmpv6 type { destination-unreachable, packet-too-big, time-exceeded, parameter-problem, echo-reply, mld-listener-query, mld-listener-report, mld-listener-reduction, nd-router-solicit, nd-router-advert, nd-neighbor-solicit, nd-neighbor-advert, ind-neighbor-solicit, ind-neighbor-advert, mld2-listener-report } accept
        # the "nd-redirect", "router-renumbering" were removed.
        # research more on each icmpv6 packets how NDP can be used to abuse.
        
        ip protocol icmp icmp type { destination-unreachable, echo-reply, router-solicitation, router-advertisement, time-exceeded, parameter-problem } accept
        
        # Accept IGMP:
        ip protocol igmp accept
        
        # Allow HE (Hurricane Electric) 6in4 IPv6-in-IPv4 tunnel (IP protocol 41; not GRE, which is 47):
        # ip protocol 41 ip saddr HE.END-POINT.IPv4.ADRS ip daddr IPv4-Adrs-S3 accept
        
        # SSH/5022 server & fixed clients
        #tcp dport 5022 ip saddr { IPv4-Adrs-S1, IPv4-Adrs-S2, MyLoc1.IPv4.ADRS, MyLoc2.IPv4.ADRS } ip daddr IPv4-Adrs-S3 ct state { new, established, related } accept
        #udp dport 5022 ip saddr { IPv4-Adrs-S1, IPv4-Adrs-S2, MyLoc1.IPv4.ADRS, MyLoc2.IPv4.ADRS } ip daddr IPv4-Adrs-S3 ct state { new, established, related } accept
        #tcp dport 5022 ip saddr { IPv4-Adrs-S1, IPv4-Adrs-S2, MyLoc1.IPv4.ADRS, MyLoc2.IPv4.ADRS } ip daddr IPv4-Adrs-S3 ct state new tcp flags & (syn | ack) == syn counter accept
        #tcp dport 5022 ip saddr { IPv4-Adrs-S1, IPv4-Adrs-S2, MyLoc1.IPv4.ADRS, MyLoc2.IPv4.ADRS } ip daddr IPv4-Adrs-S3 ct state new accept
        #tcp dport 5022 ct state new tcp flags & (syn|ack) == syn counter accept
        #nft add rule inet filter input tcp dport 22 ct state new tcp flags \& \(syn \| ack\) == syn counter accept
        #tcp dport 5022 ct state new tcp flags & (syn|ack) == syn counter accept
        tcp dport 5022 ip saddr { IPv4-Adrs-S1, IPv4-Adrs-S2, MyLoc1.IPv4.ADRS, MyLoc2.IPv4.ADRS } ip daddr IPv4-Adrs-S3 accept
        
        # ip4_SRVR3 : Used for DNS/named/BIND/53, SSH/5022, EMail, Web, etc services:
        tcp dport { 25, 53, 80, 110, 143, 443, 465, 587, 993, 995, 4190 } ip daddr IPv4-Adrs-S3 accept
        udp dport { 53, 80, 443 } ip daddr IPv4-Adrs-S3 accept
        
        # ip6_SRVR3 : Used for DNS/named/BIND/53, SSH/5022, EMail, Web, etc services:
        tcp dport { 25, 53, 80, 110, 143, 443, 465, 587, 993, 995, 4190 } ip6 daddr { IPv6-Adrs-S3-N1, IPv6-Adrs-S3-N2, IPv6-Adrs-S3-N3, IPv6-Adrs-S3-N4, IPv6-Adrs-S3-N5, IPv6-Adrs-S3-N6 } accept
        udp dport { 53, 80, 443 } ip6 daddr { IPv6-Adrs-S3-N1, IPv6-Adrs-S3-N2, IPv6-Adrs-S3-N3, IPv6-Adrs-S3-N4, IPv6-Adrs-S3-N5, IPv6-Adrs-S3-N6 } accept
        
        # ip6_SRVR3 : Used for DNS/unbound/53, Web-servers(http/80, https/443), etc:
        tcp dport { 53, 80, 443 } ip6 daddr { IPv6-Adrs-S3-N7, IPv6-Adrs-S3-N8  } accept
        udp dport { 53, 80, 443 } ip6 daddr { IPv6-Adrs-S3-N7, IPv6-Adrs-S3-N8  } accept
        
        # ip6_SRVR3_MX : Used for EMail-related-services (smtp/25, submission/587, smtps/465, imaps/993
        #                   pop3s/995, sieve/4190, etc):
        tcp dport { 25, 80, 110, 143, 443, 465, 587, 993, 995, 4190 } ip6 daddr { IPv6-Adrs-S3-N11, IPv6-Adrs-S3-N12, IPv6-Adrs-S3-N13, IPv6-Adrs-S3-N14 } accept
        udp dport { 80, 443 } ip6 daddr { IPv6-Adrs-S3-N11, IPv6-Adrs-S3-N12, IPv6-Adrs-S3-N13, IPv6-Adrs-S3-N14 } accept
        
        # ... other IPv4 & IPv6 related rules (also add in "ip" & "ip6" section) ...
        
        # count and drop any other traffic
        counter drop
        
    }
    
    chain outgoing {
        type filter hook output priority 0;
        policy accept;
        
        #tcp sport 5022 ip daddr { IPv4-Adrs-S1, IPv4-Adrs-S2, MyLoc1.IPv4.ADRS, MyLoc2.IPv4.ADRS } ip saddr IPv4-Adrs-S3 accept
    }
    
    chain forward {
        type filter hook forward priority 0;
        policy drop;
    }
}

EDIT: updated the nftables config above (from serial 015 to 065), and removed/changed the sentences/info related to SSH, as they are addressed in my next message.
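As an added example (not code from the original post, nor from iRedMail), the following Python script models how the kernel runs the "ip", "ip6" and "inet" input chains of a layout like the one above against the same packet: an accept in one base chain only passes the packet on to the next chain on the hook, a drop in any chain is final, and with "policy drop" everywhere a packet must therefore be accepted by the family table and by "inet". The rules, the addresses (RFC 5737/3849 documentation ranges standing in for the IPv4-Adrs-S3 style placeholders) and the test packets are all constructed; ICMP, rate limiting and the output/forward chains are left out. `build_chains(False)` models a layout with `iif lo accept` only in "inet", `build_chains(True)` one with it in the "ip" and "ip6" tables as well, which is what makes local clients on 127.0.0.1 and ::1 get through.

```python
"""Toy model of nftables verdict semantics across several base chains on one hook.
Constructed example (not the post's code): tcp/udp accept rules modelled on the
ip / ip6 / inet input chains; addresses are documentation ranges standing in for
the post's placeholders (IPv4-Adrs-S3 etc.), not real hosts."""
from dataclasses import dataclass
from typing import Optional

S3_V4 = "203.0.113.10"                                      # stands in for IPv4-Adrs-S3
S3_V6 = "2001:db8::53"                                      # stands in for IPv6-Adrs-S3-N1
SSH_CLIENTS = frozenset({"198.51.100.5", "198.51.100.6"})   # IPv4-Adrs-S1/S2, MyLoc1/2
SRV_TCP = frozenset({25, 53, 80, 110, 143, 443, 465, 587, 993, 995, 4190})
SRV_UDP = frozenset({53, 80, 443})

@dataclass(frozen=True)
class Packet:
    family: str             # "ip" (IPv4) or "ip6" (IPv6)
    iif: str                # ingress interface, e.g. "eth0" or "lo"
    l4proto: str            # "tcp" or "udp"
    saddr: str
    daddr: str
    dport: int
    ct_state: str = "new"   # conntrack state: new / established / related

@dataclass(frozen=True)
class Rule:
    verdict: str                                # "accept" or "drop"
    iif: Optional[str] = None
    l4proto: Optional[str] = None
    dports: Optional[frozenset] = None
    saddrs: Optional[frozenset] = None
    daddrs: Optional[frozenset] = None
    ct_states: Optional[frozenset] = None

    def matches(self, p: Packet) -> bool:
        """Every selector given on the rule must match; omitted ones match anything."""
        return ((self.iif is None or p.iif == self.iif)
                and (self.l4proto is None or p.l4proto == self.l4proto)
                and (self.dports is None or p.dport in self.dports)
                and (self.saddrs is None or p.saddr in self.saddrs)
                and (self.daddrs is None or p.daddr in self.daddrs)
                and (self.ct_states is None or p.ct_state in self.ct_states))

@dataclass(frozen=True)
class BaseChain:
    name: str
    family: str             # "ip", "ip6" or "inet"; inet sees both families
    rules: tuple
    policy: str = "drop"

    def sees(self, p: Packet) -> bool:
        return self.family == "inet" or self.family == p.family

    def verdict(self, p: Packet) -> str:
        for rule in self.rules:         # first matching rule decides
            if rule.matches(p):
                return rule.verdict
        return self.policy

def hook_verdict(chains, p: Packet):
    """Several base chains on one hook: every chain that sees the packet runs; 'accept'
    only passes the packet to the next chain, 'drop' ends evaluation. Chains are tried
    in list order here (the kernel does not order equal-priority chains by family, but
    the final verdict is the same). Returns (verdict, dropping chain or None)."""
    for chain in chains:
        if chain.sees(p) and chain.verdict(p) == "drop":
            return "drop", chain.name
    return "accept", None

def build_chains(loopback_in_family_tables: bool):
    """Layout A (False): 'iif lo accept' only in inet. Layout B (True): also in ip/ip6."""
    lo = Rule("accept", iif="lo")
    est = Rule("accept", ct_states=frozenset({"established", "related"}))
    head = (lo, est) if loopback_in_family_tables else (est,)
    v4 = (Rule("accept", l4proto="tcp", dports=frozenset({5022}),
               saddrs=SSH_CLIENTS, daddrs=frozenset({S3_V4})),   # SSH from fixed clients only
          Rule("accept", l4proto="tcp", dports=SRV_TCP, daddrs=frozenset({S3_V4})),
          Rule("accept", l4proto="udp", dports=SRV_UDP, daddrs=frozenset({S3_V4})))
    v6 = (Rule("accept", l4proto="tcp", dports=SRV_TCP, daddrs=frozenset({S3_V6})),
          Rule("accept", l4proto="udp", dports=SRV_UDP, daddrs=frozenset({S3_V6})))
    return (BaseChain("ip filter incoming", "ip", head + v4),
            BaseChain("ip6 filter incoming", "ip6", head + v6),
            BaseChain("inet filter incoming", "inet", (lo, est) + v4 + v6))

# Constructed test packets; 192.0.2.77 plays a host not on the SSH allow-list.
SCENARIOS = {
    "ssh_from_allowed_client": Packet("ip", "eth0", "tcp", "198.51.100.5", S3_V4, 5022),
    "ssh_from_unknown_host":   Packet("ip", "eth0", "tcp", "192.0.2.77", S3_V4, 5022),
    "smtp_to_mx_v6":           Packet("ip6", "eth0", "tcp", "2001:db8:1::9", S3_V6, 25),
    "reply_to_our_dns_query":  Packet("ip", "eth0", "udp", "192.0.2.53", S3_V4, 40123, "established"),
    "loopback_dns_v4":         Packet("ip", "lo", "tcp", "127.0.0.1", "127.0.0.1", 53),
    "loopback_imap_v6":        Packet("ip6", "lo", "tcp", "::1", "::1", 143),
}

def evaluate(loopback_in_family_tables: bool) -> dict:
    """Run every scenario through the three chains; returns {name: (verdict, chain)}."""
    chains = build_chains(loopback_in_family_tables)
    return {name: hook_verdict(chains, pkt) for name, pkt in SCENARIOS.items()}

if __name__ == "__main__":
    for label, flag in (("iif lo only in inet", False), ("iif lo also in ip/ip6", True)):
        print(f"--- {label}")
        for name, (verdict, chain) in evaluate(flag).items():
            print(f"  {name:25s} {verdict:7s} {chain or ''}")
```

Running it shows the two loopback packets dropped by the family table in layout A even though "inet" accepts them, and accepted in layout B, while SSH from the unlisted host is dropped in both. On a real Debian 10 host the equivalent check is `nft -c -f /etc/nftables.conf` for syntax and `nft list ruleset` plus the `counter drop` statistics to see which chain is eating traffic.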

52

Re: Debian 10 Buster Post

- Did you test with the nftables.conf generated by iRedMail installer or your own one?
- Any issue with the one generated by iRedMail installer? Did it correctly detect your ssh port number (5022)?

----

Does my reply help a little? How about buying me a cup of coffee ($5) as an encouragement?


53 (edited by ashfolk 2019-08-19 16:38:40)

Re: Debian 10 Buster Post

When iRedMail was installed, and for around 2 days after that, I used the exact same nftables.conf that iRedMail placed in the /etc/ folder.
Yes, iRedMail itself detected the 5022 port for SSH on that server, and used it inside the nftables.conf file.

The initial "nftables.conf" supplied by iRedMail disables ping/ICMP and other functionality, as that "nftables.conf" did not have firewall rules for all running (listening/serving) services on that server.

So we need and want iRedMail to supply an improved "nftables.conf" (but it is your choice).

Also, one of my primary computers is an old macOS (Sierra 10.12.6) based computer, and from it I could not connect to that s3 server (which has iRedMail)!

I have finally found the exact problem: in sshd_config (on the server side) and in ssh_config (on the client side) I was using "ConnectTimeout" with a 30-second value, but SSH needed more time than that when nftables was loaded/ON/enabled by iRedMail, so SSH kept disconnecting with the error message "Authentication failed"!
When I created sshd_config/ssh_config, nftables was not loaded/ON/enabled, and the SSH connection usually took less than 7 seconds to complete, so at that point the config with "ConnectTimeout" 30 was sufficient.

After iRedMail loaded/installed the nftables firewall on the s3 server, a few more settings needed to be changed (besides the "ConnectTimeout" mentioned in the paragraph above) for SSH to work between server and client. Those settings are:
# in ssh client's ~/.ssh/config file, 18 x 2 = 36 seconds:
ServerAliveInterval 18
ServerAliveCountMax 2

# in ssh server's /etc/ssh/sshd_config file, 18 x 2 = 36 seconds:
ClientAliveInterval 18
ClientAliveCountMax 2

Previously, those settings had the values below (tuned for a server without nftables), which is why the SSH connection did not work when nftables was loaded:
# so 20 x 1 = 20 seconds
ServerAliveInterval 20
ServerAliveCountMax 1
# so 30 x 1 = 30 seconds
ClientAliveInterval 30
ClientAliveCountMax 1

I changed the nftables config 2 days after installing iRedMail on that s3 server; since then I had been trying various changes/techniques to solve this problem, but the macOS SSH software could not connect because of the mentioned wrong configuration for nftables.

When, a few days earlier, I loaded SSH from MacPorts, its ssh config file did not have "ServerAliveInterval" (or ConnectTimeout), etc., so the ssh client (from MacPorts) succeeded in connecting to the server. But I did not notice then that "ServerAliveInterval" was not specified in the config file, so I ended up reaching a wrong conclusion (that it was the fault of the SSH included with macOS). Further research yesterday ultimately revealed that the fault was in the settings.

So the default SSH included with macOS is working fine now; there is no need for MacPorts/Homebrew based SSH, but if anyone wants the latest SSH features they can do so.

And I will soon update the earlier mentioned nftables.conf in this thread above, as the modified "nftables.conf" worked better at this initial setup stage of that s3 server. Once the server setup and configuration of the various server apps on the s3 server are done, and the server apps are working as expected, I will one by one reduce the unnecessary extra permissions (in nftables) which are now given and TEST AGAIN, and I will also improve/adjust the rate-limiting rules.

I will also change the "nftables_from_netinfo" script (posted earlier) to create combined, one-line based compact nftables rules.
Once I update that script, I am ready to move on to the iRedMail related configurations.

EDIT: I found the solution for the SSH login problem, and found the exact problem that was causing it; updating/changing this entire message.