committing changes in /etc made by "-bash"

Package changes:
2023-11-26 12:16:34 +02:00
parent c1fb419da5
commit e8ff7fce2f
25 changed files with 528 additions and 53 deletions
--- a/nftables/nat.nft
+++ b/nftables/nat.nft
@@ -18,13 +18,21 @@ table ip nftables_svc {
 		elements = { 192.168.122.0/24 }
 	}

+	# force port randomization for non-locally originated connections using
+	# suspicious port values to prevent port-shadow attacks, i.e.
+	# accidental matching of new inbound connections vs. existing ones
+	chain do_masquerade {
+		meta iif > 0 th sport < 16384 th dport >= 32768 masquerade random
+		masquerade
+	}
+
 	# base-chain to manipulate conntrack in postrouting,
 	# will see packets for new or related traffic only
 	chain POSTROUTING {
 		type nat hook postrouting priority srcnat + 20
 		policy accept

-		iifname @masq_interfaces oifname != @masq_interfaces masquerade
-		ip saddr @masq_ips masquerade
+		iifname @masq_interfaces oifname != @masq_interfaces jump do_masquerade
+		ip saddr @masq_ips jump do_masquerade
 	}
 }