`nftables` test cheat sheet. Simplified rules to test `nfqws` and `tpws`.
For DNAT:
```sh
# run tpws as user "tpws". it's required to avoid loops:
# the output-hook rule below skips that uid, so connections tpws itself
# opens are not redirected back into tpws
# start from a clean state (prints an error if the table does not exist yet)
nft delete table inet ztest
nft create table inet ztest
# nat/prerouting: transparently redirect TCP 80/443 entering the host
# (forwarded or locally destined) to tpws listening on local port 988
nft add chain inet ztest pre "{type nat hook prerouting priority dstnat;}"
nft add rule inet ztest pre tcp dport "{80,443}" redirect to :988
# nat/output: same for locally originated connections, except sockets owned by uid "tpws"
nft add chain inet ztest out "{type nat hook output priority -100;}"
nft add rule inet ztest out tcp dport "{80,443}" skuid != tpws redirect to :988
```
For `dpi-desync` attack:
```sh
# start from a clean state (prints an error if the table does not exist yet)
nft delete table inet ztest
nft create table inet ztest
# filter/postrouting: hand the first packets of each outgoing flow to nfqws on NFQUEUE 200.
# "bypass" makes nftables accept the packets instead of dropping them when no
# program is bound to queue 200 (i.e. nfqws is not running)
nft add chain inet ztest post "{type filter hook postrouting priority mangle;}"
nft add rule inet ztest post tcp dport "{80,443}" ct original packets 1-12 queue num 200 bypass
nft add rule inet ztest post udp dport 443 ct original packets 1-4 queue num 200 bypass

# auto hostlist with avoiding wrong ACK numbers in RST,ACK packets sent by Russian DPI
# NOTE: this sysctl is system-wide and relaxes conntrack's TCP sequence/ACK validation;
# it is not undone by deleting the ztest table, set it back to 0 when testing is finished
sysctl net.netfilter.nf_conntrack_tcp_be_liberal=1
# filter/prerouting: also queue the first reply packets (server -> client) of each
# flow, presumably so the auto hostlist logic sees the RST,ACK mentioned above
nft add chain inet ztest pre "{type filter hook prerouting priority filter;}"
nft add rule inet ztest pre tcp sport "{80,443}" ct reply packets 1-4 queue num 200 bypass
```
* show rules: `nft list table inet ztest`,
* delete table: `nft delete table inet ztest`