From 1c1d5480bc562e1ac2037b4cc8880b0b27e4bebe Mon Sep 17 00:00:00 2001
From: Tristan PILAT
Date: Wed, 14 Oct 2020 17:16:17 +0200
Subject: [PATCH] Add rules to redirsct traffic from blocked IPs to protected_tcp_pots and protected_udp_ports chains
---
minifirewall-start.sh | 5 +++++
1 file changed, 5 insertions(+)
diff --git a/minifirewall-start.sh b/minifirewall-start.sh
index d94a01a..43204eb 100755
--- a/minifirewall-start.sh
+++ b/minifirewall-start.sh
@@ -121,6 +121,11 @@ $NFT add rule inet minifirewall minifirewall_input ct state invalid drop
 $NFT add rule inet minifirewall minifirewall_input ip protocol icmp accept
 $NFT add rule inet minifirewall minifirewall_input ip protocol igmp accept
+# New UDP traffic from blocked IPs jumps to the private_udp_ports chain
+$NFT add rule inet minifirewall minifirewall_input 'ip saddr @minifirewall_blocked_ips meta l4proto udp ct state new jump protected_udp_ports'
+
+# New TCP traffic from blocked IPs jumps to the private_tcp_ports chain
+$NFT add rule inet minifirewall minifirewall_input 'ip saddr @minifirewall_blocked_ips meta l4proto tcp tcp flags & (fin|syn|rst|ack) == syn ct state new jump protected_tcp_ports'
 # New UDP traffic from trusted IPs jumps to the private_udp_ports chain
 $NFT add rule inet minifirewall minifirewall_input 'ip saddr @minifirewall_trusted_ips meta l4proto udp ct state new jump private_udp_ports'
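Review bot: The two new comments name `private_udp_ports` and `private_tcp_ports`, but the rules they describe jump to `protected_udp_ports` and `protected_tcp_ports`; they appear copied from the trusted-IP rules below and should read `# New UDP traffic from blocked IPs jumps to the protected_udp_ports chain` and `# New TCP traffic from blocked IPs jumps to the protected_tcp_ports chain`. Also note that the new rules are appended after the unconditional `ip protocol icmp accept` and `ip protocol igmp accept` rules, so ICMP and IGMP from addresses in `@minifirewall_blocked_ips` are still accepted before the blocked-IP rules are ever consulted; if blocked sources are meant to be confined to the protected chains, that ordering deserves a second look. Because `jump` returns to `minifirewall_input` whenever the target chain issues no verdict, whether traffic from blocked IPs that matches nothing in the protected chains is ultimately dropped depends on the `protected_*_ports` chains and the rules that follow them, none of which are in this hunk. The subject line also has typos (`redirsct`, `protected_tcp_pots`).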