Add rules to redirsct traffic from blocked IPs to protected_tcp_pots and protected_udp_ports chains

This commit is contained in:
Tristan PILAT 2020-10-14 17:16:17 +02:00
parent 6a46ca716b
commit 1c1d5480bc
1 changed files with 5 additions and 0 deletions


@ -121,6 +121,11 @@ $NFT add rule inet minifirewall minifirewall_input ct state invalid drop
$NFT add rule inet minifirewall minifirewall_input ip protocol icmp accept
$NFT add rule inet minifirewall minifirewall_input ip protocol igmp accept
# New UDP traffic from blocked IPs jumps to the private_udp_ports chain
$NFT add rule inet minifirewall minifirewall_input 'ip saddr @minifirewall_blocked_ips meta l4proto udp ct state new jump protected_udp_ports'
# New TCP traffic from blocked IPs jumps to the private_tcp_ports chain
$NFT add rule inet minifirewall minifirewall_input 'ip saddr @minifirewall_blocked_ips meta l4proto tcp tcp flags & (fin|syn|rst|ack) == syn ct state new jump protected_tcp_ports'
# New UDP traffic from trusted IPs jumps to the private_udp_ports chain
$NFT add rule inet minifirewall minifirewall_input 'ip saddr @minifirewall_trusted_ips meta l4proto udp ct state new jump private_udp_ports'