2024-10-28 11:32:24 +05:00
|
|
|
nftables test cheat sheet
|
|
|
|
|
simplified rules to test nfqws and tpws
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
For DNAT :
|
|
|
|
|
|
|
|
|
|
# run tpws as user "tpws". its required to avoid loops.
|
|
|
|
|
|
|
|
|
|
nft delete table inet ztest
|
|
|
|
|
nft create table inet ztest
|
|
|
|
|
nft add chain inet ztest pre "{type nat hook prerouting priority dstnat;}"
|
|
|
|
|
nft add rule inet ztest pre tcp dport "{80,443}" redirect to :988
|
|
|
|
|
nft add chain inet ztest out "{type nat hook output priority -100;}"
|
|
|
|
|
nft add rule inet ztest out tcp dport "{80,443}" skuid != tpws redirect to :988
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
For dpi desync attack :
|
|
|
|
|
|
|
|
|
|
nft delete table inet ztest
|
|
|
|
|
nft create table inet ztest
|
|
|
|
|
nft add chain inet ztest post "{type filter hook postrouting priority mangle;}"
|
2024-10-12 23:55:18 +05:00
|
|
|
nft add rule inet ztest post meta mark and 0x40000000 == 0 tcp dport "{80,443}" ct original packets 1-12 queue num 200 bypass
|
2024-10-25 16:29:47 +05:00
|
|
|
nft add rule inet ztest post meta mark and 0x40000000 == 0 udp dport 443 ct original packets 1-12 queue num 200 bypass
|
2024-10-28 11:32:24 +05:00
|
|
|
|
|
|
|
|
# auto hostlist with avoiding wrong ACK numbers in RST,ACK packets sent by russian DPI
|
|
|
|
|
sysctl net.netfilter.nf_conntrack_tcp_be_liberal=1
|
|
|
|
|
nft add chain inet ztest pre "{type filter hook prerouting priority filter;}"
|
2024-10-25 16:29:47 +05:00
|
|
|
nft add rule inet ztest pre tcp sport "{80,443}" ct reply packets 1-3 queue num 200 bypass
|
2024-10-28 11:32:24 +05:00
|
|
|
|
|
|
|
|
|
|
|
|
|
show rules : nft list table inet ztest
|
|
|
|
|
delete table : nft delete table inet ztest
|
