Общий набор правил для nftables с реализацией техники "port knoсking",
позволяющей организовать временное открытие сетевого порта к SSH только после
предварительной попытки соединения к определённой последовательности портов
(порты задаются в параметрах "define ssh_port_knock_[1234]").


   #!/usr/bin/env -S bash -c 'nft -cof "${0}" && nft -f "${0}"'

   flush ruleset

   table inet filter {

   	define sshd_port = 2299;

   	set ssh_bad_ipv4_set {
   		type ipv4_addr;
   		flags dynamic;
   		timeout 15m;
   	}

   	set ssh_bad_ipv6_set {
   		type ipv6_addr;
   		flags dynamic;
   		timeout 15m;
   	}

   	set ssh_clients_ipv4_set {
   		type ipv4_addr;
   		flags dynamic;
   		timeout 3s;
   	}

   	set ssh_clients_ipv6_set {
   		type ipv6_addr;
   		flags dynamic;
   		timeout 3s;
   	}

   	set ssh_clients_candidates_ipv4_set {
   		type ipv4_addr . inet_service;
   		flags dynamic;
   		timeout 1s;
   	}

   	set ssh_clients_candidates_ipv6_set {
   		type ipv6_addr . inet_service;
   		flags dynamic;
   		timeout 1s;
   	}

   	### printf %d\\n 0x$(openssl rand -hex 2)
   	define ssh_port_knock_1 = changeme1;
   	define ssh_port_knock_2 = changeme2;
   	define ssh_port_knock_3 = changeme3;
   	define ssh_port_knock_4 = changeme4;

   	### opened ports
   	set serving_tcp_ports_set {
   		type inet_service;
   		flags constant;
   #		elements = {
   #			http,
   #			https,
   #		};
   	}

   	set trusted_ipv4_set {
   		type ipv4_addr;
   		flags constant, interval;
   		elements = {
   			169.254.169.254,
   			10.0.0.0/8,
   			192.168.0.0/16,
   		};
   	}

   	set trusted_ipv6_set {
   		type ipv6_addr;
   		flags constant, interval;
   		elements = {
   			fd00:ec2::254,
   		};
   	}

   	define dns_resolvers = {
   		0.0.0.0/0,
   	}

   	define allowed_icmp_types_input = {
   		echo-reply,
   		echo-request,
   		destination-unreachable,
   	}

   	define allowed_icmp_types_output = {
   		echo-reply,
   		echo-request,
   		destination-unreachable,
   	}

   	### rfc4890; assist mobility candidate codes: 144, 145, 146, 147
   	define allowed_icmpv6_types_input = {
   		echo-reply,
   		echo-request,
   		destination-unreachable,
   		packet-too-big,
   		time-exceeded,
   		parameter-problem,
   		nd-router-solicit,
   		nd-router-advert,
   		nd-neighbor-solicit,
   		nd-neighbor-advert,
   		ind-neighbor-solicit,
   		ind-neighbor-advert,
   		mld-listener-query,
   		mld-listener-report,
   		mld-listener-done,
   		mld2-listener-report,
   	}

   	### rfc4890; assist mobility candidate codes: 144, 145, 146, 147
   	define allowed_icmpv6_types_output = {
   		echo-reply,
   		echo-request,
   		destination-unreachable,
   		packet-too-big,
   		time-exceeded,
   		parameter-problem,
   		nd-router-solicit,
   		nd-router-advert,
   		nd-neighbor-solicit,
   		nd-neighbor-advert,
   		ind-neighbor-solicit,
   		ind-neighbor-advert,
   		mld-listener-query,
   		mld-listener-report,
   		mld-listener-done,
   		mld2-listener-report,
   	}

   	chain INPUT {
   		type filter hook input priority filter + 20; policy drop;

   		iif lo accept comment "accept input connections via loopback";
   		iif != lo ip saddr 127.0.0.0/8 counter drop comment "drop loopback connections not coming from loopback";
   		iif != lo ip daddr 127.0.0.0/8 counter drop comment "drop loopback connections not coming from loopback";
   		iif != lo ip6 saddr ::1/128 counter drop comment "drop loopback connections not coming from loopback";
   		iif != lo ip6 daddr ::1/128 counter drop comment "drop loopback connections not coming from loopback";

   		### as little rules as possible for trusted hosts
   		ip saddr @trusted_ipv4_set accept comment "accept trusted hosts";
   		ip6 saddr @trusted_ipv6_set accept comment "accept trusted hosts";

   		### before ct
   		meta l4proto icmp icmp type $allowed_icmp_types_input limit rate 10/second burst 20 packets counter accept comment "accept icmp with limits";
   		meta l4proto icmpv6 icmpv6 type $allowed_icmpv6_types_input limit rate 10/second burst 20 packets counter accept comment "accept icmpv6 with limits";
   		meta l4proto { icmp, icmpv6 } counter drop comment "drop icmp over limit";

   		ct state vmap { established : accept, related : accept, invalid : drop };

   		tcp dport @serving_tcp_ports_set ct state new counter accept comment "accept connections to serving tcp ports";

   		### port knocking
   		#tcp dport $ssh_port_knock_1 add @ssh_clients_candidates_ipv4_set { ip saddr . $ssh_port_knock_2 };
   		#tcp dport $ssh_port_knock_1 add @ssh_clients_candidates_ipv6_set { ip6 saddr . $ssh_port_knock_2 };
   		#tcp dport $ssh_port_knock_2 ip saddr . tcp dport @ssh_clients_candidates_ipv4_set add @ssh_clients_candidates_ipv4_set { ip saddr . $ssh_port_knock_3 };
   		#tcp dport $ssh_port_knock_2 ip6 saddr . tcp dport @ssh_clients_candidates_ipv6_set add @ssh_clients_candidates_ipv6_set { ip6 saddr . $ssh_port_knock_3 };
   		#tcp dport $ssh_port_knock_3 ip saddr . tcp dport @ssh_clients_candidates_ipv4_set add @ssh_clients_candidates_ipv4_set { ip saddr . $ssh_port_knock_4 };
   		#tcp dport $ssh_port_knock_3 ip6 saddr . tcp dport @ssh_clients_candidates_ipv6_set add @ssh_clients_candidates_ipv6_set { ip6 saddr . $ssh_port_knock_4 };
   		#tcp dport $ssh_port_knock_4 ip saddr . tcp dport @ssh_clients_candidates_ipv4_set add @ssh_clients_ipv4_set { ip saddr } counter log prefix "ssh port knocked : ";
   		#tcp dport $ssh_port_knock_4 ip6 saddr . tcp dport @ssh_clients_candidates_ipv6_set add @ssh_clients_ipv6_set { ip6 saddr } counter log prefix "ssh port knocked : ";
   		#tcp dport $sshd_port ip saddr @ssh_clients_ipv4_set counter accept;
   		#tcp dport $sshd_port ip6 saddr @ssh_clients_ipv6_set counter accept;

   		### rate limits
   		tcp dport $sshd_port ct state new, untracked meter ssh_conns_ratemeter4 { ip saddr timeout 5m limit rate over 1/minute burst 7 packets } counter update @ssh_bad_ipv4_set { ip saddr } comment "update ssh bruteforce set with saddr of attacker; hint: nft list meter inet filter ssh_conns_ratemeter4";
   		tcp dport $sshd_port ct state new, untracked meter ssh_conns_ratemeter6 { ip6 saddr timeout 5m limit rate over 1/minute burst 7 packets } counter update @ssh_bad_ipv6_set { ip6 saddr } comment "update ssh bruteforce set with saddr of attacker; hint: nft list meter inet filter ssh_conns_ratemeter6";
   		tcp dport $sshd_port ip saddr @ssh_bad_ipv4_set counter drop comment "drop ssh bruteforce; hint: nft list set inet filter ssh_bad_ipv4_set";
   		tcp dport $sshd_port ip6 saddr @ssh_bad_ipv6_set counter drop comment "drop ssh bruteforce; hint: nft list set inet filter ssh_bad_ipv6_set";
   		tcp dport $sshd_port counter accept comment "accept ssh connections";

   		### new rules place here:

   		counter comment "count dropped packets";
   		#log prefix "nft drop IN : " comment "log dropped packets";
   	}

   	chain OUTPUT {
   		type filter hook output priority filter + 20; policy drop;

   		oif lo accept comment "accept input connections via loopback";
   		oif != lo ip saddr 127.0.0.0/8 counter drop comment "drop loopback connections not coming from loopback";
   		oif != lo ip daddr 127.0.0.0/8 counter drop comment "drop loopback connections not coming from loopback";
   		oif != lo ip6 saddr ::1/128 counter drop comment "drop loopback connections not coming from loopback";
   		oif != lo ip6 daddr ::1/128 counter drop comment "drop loopback connections not coming from loopback";

   		### as little rules as possible for trusted hosts
   		ip daddr @trusted_ipv4_set accept comment "accept trusted hosts";
   		ip6 daddr @trusted_ipv6_set accept comment "accept trusted hosts";

   		### before ct
   		meta l4proto icmp icmp type $allowed_icmp_types_output limit rate 10/second burst 20 packets counter accept comment "accept icmp with limits";
   		meta l4proto icmpv6 icmpv6 type $allowed_icmpv6_types_output limit rate 10/second burst 20 packets counter accept comment "accept icmpv6 with limits";
   		meta l4proto { icmp, icmpv6 } counter drop comment "drop icmp over limit";

   		ct state vmap { established : accept, related : accept, invalid : drop };

   		meta skuid { root, uadm, chrony } meta skgid { root, uadm, chrony } counter accept comment "accept connections from specified users";
   		meta skuid postfix meta skgid postfix tcp dport { smtp, smtps, submission } counter accept comment "accept connections from postfix user";
   		meta l4proto { tcp, udp } th dport 53 ip daddr $dns_resolvers counter accept comment "accept dns; for paranoia specify comma separated list of resolvers in $dns_resolvers";

   		### new rules place here:

   		counter comment "count dropped packets";
   		log prefix "nft drop OUT : " comment "log dropped packets";
   	}

   	chain FORWARD {
   		type filter hook forward priority filter + 20; policy drop;

   		log prefix "nft drop FWD : " comment "log dropped packets";
   	}

   }