So I’m very unfamiliar with nftables and networking in general and no matter how many manpages or tutorials I go through, I can’t seem to figure out how exactly it works and how to manage my way around the software. Mainly, I want to set up a set of rules that blocks all non-proxied traffic, aside from maybe the connectivity check (http://fedoraproject.org/static/hotspot.txt is the default for Fedora), ntp, and I2P reseed services; at least I think those are the only things that need to escape the tunnel if I understand correctly. I2P does choose a random outward facing port, so for simplicity’s sake, I’ll say it’s 32000 (for udp and tcp traffic, and I think both ipv4 and ipv6 traffic). I’m trying to avoid any unnecessary leaks and if it helps, i2p will be running under the i2psvc user, so if possible I think it’d be best to limit access based on users as well. I don’t want to achieve this with firewalld or iptables, only with nftables.
This is how it works for me:
table inet local {
    # users whose sockets may send traffic directly (names are resolved via /etc/passwd at load time)
    set uids-allow {
        type uid
        elements = { root, i2pd, systemd-network,
                     systemd-resolve, systemd-timesync }
    }
    chain output {
        type filter hook output priority filter; policy drop;
        # replies to connections that were already allowed
        ct state { established, related } accept
        # listed users may reach the network; everyone else only via loopback
        skuid @uids-allow accept
        skuid != @uids-allow oifname lo accept
    }
}
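A fuller ruleset along the same lines, written as an added example for the requirements in the question (it is not the ruleset posted above). It assumes the router runs as user i2psvc on port 32000 for tcp and udp, uses an invented table name i2p_egress, and adds an input chain plus logging of anything that would otherwise leak:

```nft
#!/usr/sbin/nft -f
# Added example, not the reply's own ruleset. Assumptions: the router runs as
# user "i2psvc" and listens on port 32000 (tcp and udp); the table name
# "i2p_egress" is invented. Every name in a "type uid" set must exist in
# /etc/passwd, or nft refuses to load the file (add "chrony" if chronyd is
# the NTP client instead of systemd-timesyncd).
# Check with:  nft -c -f egress.nft     then load with:  nft -f egress.nft
table inet i2p_egress
delete table inet i2p_egress

table inet i2p_egress {
    set system_uids {
        type uid
        # services that must reach the network directly: NetworkManager's
        # connectivity check (runs as root), DNS and time sync
        elements = { root, systemd-network, systemd-resolve, systemd-timesync }
    }

    chain input {
        type filter hook input priority filter; policy drop;
        iifname "lo" accept
        ct state { established, related } accept
        ct state invalid drop
        # inbound I2P peers (NTCP2 over tcp, SSU over udp) on the router port
        tcp dport 32000 accept
        udp dport 32000 accept
    }

    chain output {
        type filter hook output priority filter; policy drop;
        oifname "lo" accept
        ct state { established, related } accept
        ct state invalid drop
        # the router itself may talk to any peer or reseed host; the "inet"
        # family covers both ipv4 and ipv6
        skuid i2psvc accept
        skuid @system_uids accept
        # anything else is a leak: count it and log it (visible with
        # journalctl -k), then drop it
        counter log prefix "i2p_egress drop: " drop
    }
}
```

The table/delete pair at the top makes the file safe to reload, and the trailing log rule is the quickest way to see which user or program still tries to bypass the tunnel after loading.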
Thanks, that’s helpful. I didn’t realize it would be relatively simple. I’m going to try to play around with this, making it more strict and such; this is a really good start.