# nftables preparation notes: a scratch list of nft commands, all commented out.
# The chains and sets referenced here (BFB*, BOESEIPS, BCNNET*, MAIL, BOTBLOCK,
# DYN) are created elsewhere; nothing in this file runs on its own.
#
# ## Preparation for nftables
# nft flush chain filter BFBSCAN
# nft flush chain filter BFBBLOCK
# nft flush chain filter BFBATMA
#
# #### Emptying (flushing) a set #####
# `nft flush set filter BFBLONG` does not work, so instead:
# elements=$(nft list set ip6 filter BFBLONG | awk '/{ /,/}/' | cut -d '=' -f 2)
# if [ "$elements" != "" ]
# then
#   nft delete element ip6 filter BFBLONG ${elements}
# fi
# NOTE(review): ${elements} is left unquoted so the awk/cut output word-splits
# into nft arguments; this depends on the exact listing format of the installed
# nft version. If this snippet is ever enabled, prefer `$(...)` output checked
# against the expected "{ ... }" shape before it is handed to `nft delete`.
#
# ## Listing
# nft list table nat|mangle|filter
# nft list chain filter INPUT
# nft list chain ip6 filter BFBBLOCK
# nft list chain ip filter BFBATMA |sed 's/^.*ip saddr \([0-9a-f:.]*\).*$/\1/' | grep -Ev "table*|chain*|}|{" | sort -u
# nft -a list set ip6 filter BFBTIMELIST
#
# ## Adding elements
# nft add element ip filter BCNNETE "{ 192.168.10.3 }"
# nft add element ip filter BCNNETE "{ 192.168.11.0/24 }"
# nft add element ip filter BCNNETP "{ 22 }"
# nft add element ip filter BCNNETP "{ 26-28 }"
# nft add element ip filter BCNNETP "{ 24,25 }"
#
# ## Adding rules
# nft add rule ip filter BFBBLOCK ip saddr @BFBTIMELISTG accept
# nft add rule ip filter INPUT position 18 tcp dport 25 jump MAIL
# nft add rule ip filter INPUT position 18 tcp dport "{ 25,143, 465, 587, 993 }" jump MAIL
# nft add rule ip filter BOESEIPS ip saddr @BOESEIPS drop
# nft add rule ip filter INPUT position 6 jump BOESEIPS
# nft add rule ip filter INPUT iif eth0 ether saddr != 00:00:5e:00:53:00 drop
# NOTE(review): the ether saddr rule only filters on the link-layer address;
# treat it as a convenience filter, not as authentication of the peer.
#
# ## Adding chains
# nft add chain ip filter MAIL
# nft add chain ip6 filter MAIL
#
# ## Adding sets
# nft add set ip filter BFBTIMELIST "{type ipv4_addr ; flags timeout ; elements={$ip timeout 2m};}"
# or
# nft add set ip filter BFBTIMELIST {type ipv4_addr \; flags timeout \; elements={$ip timeout $BFB_MAX_BLOCKING_TIME_MINUTES\m} \;}
# NOTE(review): $ip and $BFB_MAX_BLOCKING_TIME_MINUTES are spliced straight into
# nft syntax; nft parses its arguments as script text, so the caller must
# validate $ip as a plain address (and the timeout as a number) before use.
# nft add set ip filter BFBTIMELISTG "{ type ipv4_addr; flags timeout; }"
# nft add set ip filter BCNNETE "{ type ipv4_addr ; flags interval ; }"
# nft add set ip filter BCNNETP "{ type inet_service ; flags interval ; }"
# nft add set ip filter DYN "{type ipv4_addr; flags dynamic;}"
# nft add element ip filter DYN { 192.168.3.4 }
# nft set ip filter BOESEIPS "{ type ipv4_addr ; flags interval ; }"
# Better:
# nft set ip filter BOESEIPS "{ type ipv4_addr ; flags dynamic ; timeout 30m; }"
# NOTE(review): the two `nft set ip filter ...` lines above presumably mean
# `nft add set ip filter ...` -- confirm before copying them into a script.
# nft add element ip filter BOESEIPST { $ip }
#
# ## Inserting rules
# nft insert rule ip filter BLUBB goto HOME
# nft insert rule filter MAIL ip saddr @BOESEIPS drop
# nft insert rule ip6 filter MAIL ip6 saddr @BOESEIPS drop
# nft insert rule filter BCNNET ip saddr @BCNNETE accept
# nft insert rule filter BCNNET tcp dport @BCNNETP accept
# nft insert rule filter BCNNET @BCNNETE accept
# nft insert rule filter BCNNET tcp dport @BCNNETP accept
# nft insert rule ip6 filter BFBBLOCK ip6 saddr fd00:1234::5 limit rate 3/hour burst 1 packets log prefix ATTACKER.. level debug
#
# ## Deleting rules by handle
# Handles are parsed from the text listing; backticks would be better written as $( ... ).
# for handle in `nft -a list chain filter INPUT | grep -E "BFB|BOTBLOCK" | awk -F"handle" {'print $2'}`
# do
#   nft delete rule filter INPUT handle $handle
# done
# nft delete rule ip filter INPUT handle HANDLE
# nft delete rule ip filter BOESEIPS handle HANDLE
#
# ## Deleting chains, sets and elements
# nft delete chain filter BOESEIPS
# nft delete set ip filter BOESEIPS
# nft delete element ip filter BOESEIPS "{ IP }"
# nft delete chain filter BOTBLOCK
# nft delete chain filter BFBATMA
# nft delete chain filter BFBBLOCK
# nft delete chain filter BFBSCAN
# nft delete rule filter INPUT handle 15
# nft delete element ip filter BCNNETP "{ 22 }"
# nft delete element ip filter BCNNETE "{ 192.168.10.3 }"