
🐀Whitelisting RATS on Linux👩‍🦳

Learn how to whitelist rats with this NFT file for secure server access


This is an nft file to whitelist RATS, a simple way to allow known addresses to access server-based functions.

table inet ratfilter {
    set allowed_rats {
        type ipv4_addr;
        # A named set only accepts prefixes (/24, /16, ...) with the interval flag;
        # auto-merge folds overlapping entries (102.213.4.230/31 lies inside 102.213.4.0/22)
        flags interval;
        auto-merge;
        elements = { 102.134.243.0/24, 154.66.114.0/23, 102.213.4.230/31,
                     105.233.0.0/16, 102.213.4.0/22, 102.209.96.0/18,
                     102.219.109.0/25 }
    }

    chain input {
        type filter hook input priority 0; policy accept;

        # Allow established and related traffic
        ct state established,related accept

        # Accept TCP connections from allowed_rats on ports 30001-49999
        ip saddr @allowed_rats tcp dport 30001-49999 accept

        # Drop all other traffic on ports 30001-49999 from host0 interface
        iifname "host0" tcp dport 30001-49999 drop
    }
}

This nftables configuration defines a firewall rule set under the table inet ratfilter. Let’s break it down in detail:


1. Table Definition

table inet ratfilter {
  • table inet ratfilter:

    • Creates a firewall table named ratfilter.

    • The inet keyword means it applies to both IPv4 and IPv6 traffic (though only IPv4 addresses are used here).


2. Set Definition (allowed_rats)

    set allowed_rats {
        type ipv4_addr;
        flags interval;
        auto-merge;
        elements = { 102.134.243.0/24, 154.66.114.0/23, 102.213.4.230/31,
                     105.233.0.0/16, 102.213.4.0/22, 102.209.96.0/18,
                     102.219.109.0/25 }
    }
  • set allowed_rats:

    • This defines a set (a list of allowed IPv4 networks/addresses).

    • The set is named allowed_rats and will be referenced later in firewall rules.

  • type ipv4_addr:

    • Specifies that only IPv4 addresses can be included.

  • flags interval; auto-merge:

    • A named set only accepts prefixes (/24, /16 and so on) when it carries the interval flag; without it nft refuses to load the file.

    • auto-merge lets nft fold overlapping entries, such as 102.213.4.230/31, which lies inside 102.213.4.0/22, instead of rejecting them as conflicting intervals.
  • Elements (Allowed Networks):

    • 102.134.243.0/24 → 256 addresses (from 102.134.243.0 to 102.134.243.255)

    • 154.66.114.0/23 → 512 addresses (154.66.114.0 to 154.66.115.255)

    • 102.213.4.230/31 → 2 addresses (102.213.4.230 and 102.213.4.231)

    • 105.233.0.0/16 → 65,536 addresses (105.233.0.0 to 105.233.255.255)

    • 102.213.4.0/22 → 1,024 addresses (102.213.4.0 to 102.213.7.255)

    • 102.209.96.0/18 → 16,384 addresses (102.209.96.0 to 102.209.127.255)

    • 102.219.109.0/25 → 128 addresses (102.219.109.0 to 102.219.109.127)

👉 Purpose:

  • These IP addresses represent trusted/allowed sources that will be permitted to connect on certain ports.
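An added audit script (not part of the original page) that reads the allowed_rats elements as written above and, using only the Python standard library, reports each prefix's size and range, flags entries whose host bits are set (the /18 entry is not aligned to a /18 boundary), and lists pairs that overlap (the /31 sits inside the /22). Running it before `nft -f` catches exactly the two things that make a set fail to load.

```python
import ipaddress
import re
from itertools import combinations

# Constructed input: the set body copied from the nft file on this page.
SET_BODY = """
    set allowed_rats {
        type ipv4_addr;
        elements = { 102.134.243.0/24, 154.66.114.0/23, 102.213.4.230/31,
                     105.233.0.0/16, 102.213.4.0/22, 102.209.96.0/18,
                     102.219.109.0/25 }
    }
"""


def parse_elements(set_body):
    """Return the CIDR strings listed inside 'elements = { ... }'."""
    match = re.search(r"elements\s*=\s*\{([^}]*)\}", set_body, re.S)
    if match is None:
        raise ValueError("no elements block found")
    return [e.strip() for e in match.group(1).split(",") if e.strip()]


def audit(elements):
    """Describe every prefix, flag host bits set in a prefix, and list overlaps."""
    rows, nets, overlaps = [], [], []
    for cidr in elements:
        # strict=False masks host bits instead of raising; compare to detect them
        net = ipaddress.ip_network(cidr, strict=False)
        nets.append((cidr, net))
        rows.append({
            "cidr": cidr,
            "aligned": str(net) == cidr,  # False when the prefix had host bits set
            "num_addresses": net.num_addresses,
            "first": str(net.network_address),
            "last": str(net.broadcast_address),
        })
    for (a, net_a), (b, net_b) in combinations(nets, 2):
        if net_a.overlaps(net_b):
            overlaps.append((a, b))
    return rows, overlaps


if __name__ == "__main__":
    rows, overlaps = audit(parse_elements(SET_BODY))
    for r in rows:
        flag = "" if r["aligned"] else "  <-- host bits set"
        print(f'{r["cidr"]:<20}{r["num_addresses"]:>7}  {r["first"]} - {r["last"]}{flag}')
    for a, b in overlaps:
        print(f"overlap: {a} and {b}")
```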

3. Chain Definition (input)

    chain input {
        type filter hook input priority 0; policy accept;
  • chain input:

    • Defines a firewall chain named input, which processes incoming packets.

    • type filter → Specifies this is a filtering chain (not NAT or forwarding).

    • hook input → This means the rules apply to traffic destined for the local machine.

    • priority 0 → Sets where this chain runs relative to other chains registered on the same hook (lower values run first).

    • policy accept → The default action is accept, meaning traffic is allowed unless explicitly dropped.


4. Allow Established and Related Connections

        ct state established,related accept
  • ct state established,related accept:

    • This rule allows all packets that belong to existing or related connections.

    • Why? This ensures that responses to outgoing traffic (e.g., SSH, HTTP, apt updates) are not blocked.

👉 Purpose:

  • Without this rule, you might block legitimate responses (e.g., replies from websites or remote SSH servers).

5. Accept TCP Connections from allowed_rats on Ports 30001-49999

        ip saddr @allowed_rats tcp dport 30001-49999 accept
  • ip saddr @allowed_rats:

    • This matches packets only if the source IP is in the allowed_rats set.
  • tcp dport 30001-49999:

    • This restricts the rule to TCP traffic on ports 30001-49999.
  • accept:

    • Allows the matching traffic.

👉 Purpose:

  • Only trusted IPs (allowed_rats) can connect to ports 30001-49999.

  • A source outside the set does not match this rule and continues to the next one: it is dropped if it arrived on host0, otherwise the chain's default policy (accept) applies.


6. Drop All Other Traffic on Ports 30001-49999 from Interface host0

        iifname "host0" tcp dport 30001-49999 drop
  • iifname "host0":

    • Matches packets only if they arrive on interface host0.
  • tcp dport 30001-49999 drop:

    • Drops all TCP traffic to ports 30001-49999 arriving on host0 that the previous rule did not already accept.

👉 Purpose:

  • Blocks untrusted traffic from host0 on these ports.

  • Prevents unauthorized access from devices on that interface.
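The rule walk described in sections 4 to 6, as an added example that is not part of the original page: a small Python model of the input chain applied to constructed packets (the 198.51.100.0/24 addresses are documentation space, not real hosts). It shows the trusted/untrusted split on host0 and also that the same ports on another interface fall through to the chain's policy accept.

```python
import ipaddress

# Prefixes from the allowed_rats set on this page.
ALLOWED_RATS = [ipaddress.ip_network(c, strict=False) for c in (
    "102.134.243.0/24", "154.66.114.0/23", "102.213.4.230/31",
    "105.233.0.0/16", "102.213.4.0/22", "102.209.96.0/18",
    "102.219.109.0/25")]

RAT_PORTS = range(30001, 50000)  # tcp dport 30001-49999


def input_chain(iifname, saddr, proto, dport, ct_state="new"):
    """Walk the chain's rules in order and return the verdict as a string."""
    src = ipaddress.ip_address(saddr)
    # ct state established,related accept
    if ct_state in ("established", "related"):
        return "accept"
    # ip saddr @allowed_rats tcp dport 30001-49999 accept
    if proto == "tcp" and dport in RAT_PORTS and any(src in n for n in ALLOWED_RATS):
        return "accept"
    # iifname "host0" tcp dport 30001-49999 drop
    if iifname == "host0" and proto == "tcp" and dport in RAT_PORTS:
        return "drop"
    # policy accept: anything that matched no rule ends up here
    return "accept"


# Constructed packets: (iifname, saddr, proto, dport, ct_state)
PACKETS = [
    ("host0", "102.134.243.7", "tcp", 31000, "new"),         # trusted RAT on host0
    ("host0", "198.51.100.9", "tcp", 31000, "new"),          # untrusted on host0
    ("eth0", "198.51.100.9", "tcp", 31000, "new"),           # untrusted, other interface
    ("host0", "198.51.100.9", "tcp", 22, "new"),             # untrusted, port outside range
    ("host0", "198.51.100.9", "tcp", 31000, "established"),  # reply traffic
]


def verdicts():
    """Verdict for each constructed packet, in PACKETS order."""
    return [input_chain(*pkt) for pkt in PACKETS]


if __name__ == "__main__":
    for pkt, verdict in zip(PACKETS, verdicts()):
        print(f"{pkt[0]:<6} {pkt[1]:<15} {pkt[2]}/{pkt[3]:<5} {pkt[4]:<12} -> {verdict}")
```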


Wrap

  1. Defines a firewall table (ratfilter) and a trusted IP set (allowed_rats).

  2. Allows existing and related connections (important for stability).

  3. Permits trusted IPs (allowed_rats) to connect to ports 30001-49999.

  4. Blocks all traffic on ports 30001-49999 from host0 unless explicitly allowed.

🚀 Final Thought:
This configuration protects ports 30001-49999 on host0 while allowing only trusted sources to reach them; because the chain's policy is accept, traffic to those ports arriving on other interfaces is not filtered by this rule set. It's a solid setup for protecting services running on non-standard TCP ports.