
[RFE] Documentation on how to configure nftables for basic https and ssh #1333

Open

bignay2000 opened this issue Jan 28, 2024 · 5 comments

Labels: good first issue, help wanted, kind/docs, kind/feature

bignay2000 commented Jan 28, 2024

Current situation

Currently I have been using iptables on a Digital Ocean server (1 vCPU, 1 GB RAM, Premium AMD droplet) for a few years and update weekly to the latest Flatcar Stable release. I think out of the box iptables only keeps a ban list of 100 IPs, which I think is insufficient to protect against bot networks in 2024.

While the server is a small Digital Ocean droplet, I think it would be able to handle increased security. Some research points me to the /sys/module/xt_recent/parameters/ip_list_tot and /sys/module/xt_recent/parameters/ip_pkt_list_tot files, but I am not sure how to modify these within Flatcar's read-only system on an existing server, or how to write the Ignition file. The changes also need to persist between reboots and updates.

https://www.flatcar.org/releases#release-3510.2.0 migrated iptables to nftables with backwards compatibility. So now I think it may be better to configure nftables.

Impact

Ensure the ability to handle a bot attack with more than 100 ip addresses used.

Ideal future situation

Flatcar adds a documentation web page on:

  1. how to configure basic nftables for existing servers
  2. how to configure basic nftables for Butane 1.1
  3. how to modify the nftables configuration from the default settings

Additional information

I do this procedure on my Digital Ocean boxes that have SSH and HTTPS:

iptables to protect against denial of service and attacks on HTTPS and SSH

- sudo -i
- vi /var/lib/iptables/rules-save
- Note: Get the NIC name from ifconfig, e.g. ens192, eth0 or ens224.
- Note: Drop packets on the second and further NICs; if there is only one NIC, remove the eth1 line.
- Note: Adjust for 443, 80, 22 or other ports as needed.

```
# Default-deny inbound and forwarded traffic; allow outbound.
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -i eth1 -j DROP
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
# The -I rules are inserted at the head of INPUT, so the final order is
# "--update ... -j DROP" before "--set": a new source is recorded, and a
# source reaching --hitcount new connections within --seconds is dropped.
-I INPUT -p tcp --dport 22 -i eth0 -m state --state NEW -m recent --set
-I INPUT -p tcp --dport 22 -i eth0 -m state --state NEW -m recent --update --seconds 90 --hitcount 10 -j DROP
-I INPUT -p tcp --dport 443 -i eth0 -m state --state NEW -m recent --set
-I INPUT -p tcp --dport 443 -i eth0 -m state --state NEW -m recent --update --seconds 60 --hitcount 60 -j DROP
COMMIT
```

- chmod 0644 /var/lib/iptables/rules-save
- /sbin/iptables-restore /var/lib/iptables/rules-save
- systemctl enable iptables-restore
bignay2000 (author) commented:

```
systemctl enable nftables.service
Failed to enable unit: Unit file nftables.service does not exist.
```

Also, I do not see this config file either:

/etc/nftables.conf

bignay2000 (author) commented:

This issue may actually be a request to finish implementing nftables?


bignay2000 commented Jan 28, 2024

Increase IPTables capabilities

Increase the block list from 100 to 10000.
Increase the maximum packets tracked per IP address from 20 to 200.
Set ip_list_hash_size=0 so the hash size is derived from the block list size of 10000.

https://ipset.netfilter.org/iptables-extensions.man.html

```
mkdir /etc/modprobe.d
vi /etc/modprobe.d/xt_recent.conf
# contents of /etc/modprobe.d/xt_recent.conf: 10000 tracked addresses,
# 200 packets remembered per address, hash size derived from ip_list_tot
options xt_recent ip_list_tot=10000 ip_pkt_list_tot=200 ip_list_hash_size=0
reboot
# verify the module picked up the new values after the reboot
cat /sys/module/xt_recent/parameters/ip_list_tot
cat /sys/module/xt_recent/parameters/ip_pkt_list_tot
```
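The nftables counterpart of the rules in the opening post and of the xt_recent tuning above, as an added example that is not from the issue or from Flatcar's documentation. It assumes the nft binary is present and the file is loaded with `nft -f`; the interface names eth0/eth1 come from the post, the per-source limits only approximate the xt_recent `--seconds`/`--hitcount` semantics, and persisting the file across Flatcar reboots and updates is the part this issue asks to have documented.

```nft
#!/usr/sbin/nft -f
# Added example: nftables equivalent of the iptables rules in the opening post.
flush ruleset

table inet filter {
    # Dynamic sets replace xt_recent: capacity is declared per set (the
    # 10000 entries the modprobe tuning asks for) instead of via ip_list_tot,
    # and entries expire on their own after the timeout.
    set ssh_flood {
        type ipv4_addr
        size 10000
        flags dynamic,timeout
        timeout 90s
    }
    set https_flood {
        type ipv4_addr
        size 10000
        flags dynamic,timeout
        timeout 60s
    }

    chain input {
        type filter hook input priority 0; policy drop;

        iifname "lo" accept
        # Second NIC: drop everything, as in the post (remove on single-NIC hosts).
        iifname "eth1" drop
        ct state related,established accept
        ct state invalid drop

        # Per-source rate limits approximating "--seconds 90 --hitcount 10" and
        # "--seconds 60 --hitcount 60": a source exceeding the rate is dropped
        # while its set entry is alive.
        iifname "eth0" tcp dport 22 ct state new add @ssh_flood { ip saddr limit rate over 10/minute burst 10 packets } drop
        iifname "eth0" tcp dport 443 ct state new add @https_flood { ip saddr limit rate over 60/minute burst 60 packets } drop

        tcp dport { 22, 443 } ct state new accept
    }

    chain forward {
        type filter hook forward priority 0; policy drop;
    }

    chain output {
        type filter hook output priority 0; policy accept;
    }
}
```

`nft list set inet filter ssh_flood` shows which sources are currently rate-limited, which replaces reading /proc/net/xt_recent.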


t-lo commented Jan 29, 2024

Hello @bignay2000 , thanks for reaching out! Our docs are in markdown (we use Hugo for generating HTML) and are here: https://github.com/flatcar/flatcar-website . Instructions on how to add content and to check with a local Hugo are included in the repo.
Please feel free to take a stab at this - our technical documentation resides here: https://github.com/flatcar/flatcar-website/tree/master/content/docs/latest. Would happily review a PR from you!


pothos commented Jan 31, 2024

> This issue may actually be a request to finish implementing nftables?

We had a tracking issue for this: #900
