# 🐀Whitelisting RATS on Linux👩‍🦳

This is a nft file to whitelist rats, a simple way to allow known address to access server based functions.

```plaintext
table inet ratfilter {
    set allowed_rats {
        type ipv4_addr;
        elements = { 102.134.243.0/24, 154.66.114.0/23, 102.213.4.230/31,
                     105.233.0.0/16, 102.213.4.0/22, 102.209.96.0/18,
                     102.219.109.0/25 }
    }

    chain input {
        type filter hook input priority 0; policy accept;

        # Allow established and related traffic
        ct state established,related accept

        # Accept TCP connections from allowed_rats on ports 30001-49999
        ip saddr @allowed_rats tcp dport 30001-49999 accept

        # Drop all other traffic on ports 30001-49999 from host0 interface
        iifname "host0" tcp dport 30001-49999 drop
    }
}
```

This `nftables` configuration defines a firewall rule set under the table `inet ratfilter`. Let’s break it down in detail:

---

### **1\. Table Definition**

```plaintext
 inet ratfilter {
```

* `table inet ratfilter`:
    
    * Creates a firewall table named `ratfilter`.
        
    * The `inet` keyword means it applies to both **IPv4 and IPv6** traffic (though only IPv4 addresses are used here).
        

---

### **2\. Set Definition (**`allowed_rats`)

```plaintext
    set allowed_rats {
        type ipv4_addr;
        elements = { 102.134.243.0/24, 154.66.114.0/23, 102.213.4.230/31,
                     105.233.0.0/16, 102.213.4.0/22, 102.209.96.0/18,
                     102.219.109.0/25 }
    }
```

* `set allowed_rats`:
    
    * This defines a **set** (a list of allowed IPv4 networks/addresses).
        
    * The set is named `allowed_rats` and will be referenced later in firewall rules.
        
* **Type:** `ipv4_addr`:
    
    * Specifies that only IPv4 addresses can be included.
        
* **Elements (Allowed Networks)**:
    
    * `102.134.243.0/24` → 256 addresses (from `102.134.243.0` to `102.134.243.255`)
        
    * `154.66.114.0/23` → 512 addresses (`154.66.114.0` to `154.66.115.255`)
        
    * `102.213.4.230/31` → 2 addresses (`102.213.4.230` and `102.213.4.231`)
        
    * `105.233.0.0/16` → 65,536 addresses (`105.233.0.0` to `105.233.255.255`)
        
    * `102.213.4.0/22` → 1,024 addresses (`102.213.4.0` to `102.213.7.255`)
        
    * `102.209.96.0/18` → 16,384 addresses (`102.209.96.0` to `102.209.127.255`)
        
    * `102.219.109.0/25` → 128 addresses (`102.219.109.0` to `102.219.109.127`)
        

👉 **Purpose**:

* These IP addresses represent **trusted/allowed sources** that will be permitted to connect on certain ports.
    

---

### **3\. Chain Definition (**`input`)

```plaintext
    chain input {
        type filter hook input priority 0; policy accept;
```

* `chain input`:
    
    * Defines a firewall **chain** named `input`, which processes incoming packets.
        
    * `type filter` → Specifies this is a filtering chain (not NAT or forwarding).
        
    * `hook input` → This means the rules apply to traffic **destined for the local machine**.
        
    * `priority 0` → Specifies the order in which this chain is processed.
        
    * `policy accept` → The default action is **accept**, meaning traffic is allowed unless explicitly dropped.
        

---

### **4\. Allow Established and Related Connections**

```plaintext
        ct state established,related accept
```

* `ct state established,related accept`:
    
    * This rule **allows all packets** that belong to **existing** or **related** connections.
        
    * **Why?** This ensures that responses to outgoing traffic (e.g., SSH, HTTP, apt updates) are not blocked.
        

👉 **Purpose**:

* Without this rule, you might block legitimate responses (e.g., replies from websites or remote SSH servers).
    

---

### **5\. Accept TCP Connections from** `allowed_rats` on Ports 30001-49999

```plaintext
        ip saddr @allowed_rats tcp dport 30001-49999 accept
```

* `ip saddr @allowed_rats`:
    
    * This matches packets **only if the source IP** is in the `allowed_rats` set.
        
* `tcp dport 30001-49999`:
    
    * This restricts the rule to **TCP traffic** on ports **30001-49999**.
        
* `accept`:
    
    * Allows the matching traffic.
        

👉 **Purpose**:

* Only **trusted IPs** (`allowed_rats`) can connect to **ports 30001-49999**.
    
* If an untrusted source tries to connect, it will be dropped (or follow the default policy).
    

---

### **6\. Drop All Other Traffic on Ports 30001-49999 from Interface** `host0`

```plaintext
        iifname "host0" tcp dport 30001-49999 drop
```

* `iifname "host0"`:
    
    * Matches packets **only if they arrive on interface** `host0`.
        
* `tcp dport 30001-49999 drop`:
    
    * Drops **all TCP traffic** to ports **30001-49999** if it comes from `host0`.
        

👉 **Purpose**:

* Blocks **untrusted** traffic from `host0` on these ports.
    
* Prevents unauthorized access from devices on that interface.
    

---

## **Wrap**

1. **Defines a firewall table (**`ratfilter`) and a trusted IP set (`allowed_rats`).
    
2. **Allows existing and related connections** (important for stability).
    
3. **Permits trusted IPs (**`allowed_rats`) to connect to ports 30001-49999.
    
4. **Blocks all traffic on ports 30001-49999 from** `host0` unless explicitly allowed.
    

🚀 **Final Thought**:  
This configuration **secures high-numbered ports** while allowing **only trusted sources** to access them. It's a solid setup for protecting services running on **non-standard TCP ports**.
