From 3ecae343f4c6e315f5bc04d1094bf2a56d3968c3 Mon Sep 17 00:00:00 2001
From: Samson-W
Date: Wed, 17 Jul 2019 17:12:44 +0800
Subject: [PATCH] Update nftables.conf: Add example when there are multiple net interface.
---
 docs/configurations/nftables.conf | 37 +++++++++++++++++--------------
 1 file changed, 20 insertions(+), 17 deletions(-)
diff --git a/docs/configurations/nftables.conf b/docs/configurations/nftables.conf
index b3be724..8ecdbe4 100644
--- a/docs/configurations/nftables.conf
+++ b/docs/configurations/nftables.conf
@@ -1,6 +1,9 @@
 #!/usr/sbin/nft -f
-define int_if1 = ens33
+define int_if = ens33
+
+# If there are multiple net interface, example:
+# define int_if = {ens33, ens36}
 flush ruleset
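Review bot: The new example comment `# define int_if = {ens33, ens36}` does not say that it replaces the `define int_if = ens33` line above it rather than being added after it, so a reader who uncomments it as written ends up with two definitions of the same symbol. Spelling the intent out removes the ambiguity, e.g. `# For multiple interfaces, replace the define above with a set, e.g.:` followed by `# define int_if = { ens33, ens36 }`. It would also help to state that `iifname $int_if` then matches any interface in the set, since every scan/drop rule in this file keys on that variable, and that an interface left out of the set is simply not covered by those rules. The grammar of the first comment line should read "multiple net interfaces".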
@@ -14,22 +17,22 @@ table ip filter {
 ip protocol icmp ct state established counter packets 0 bytes 0 accept
 ip protocol icmp ct state related counter packets 0 bytes 0 accept
 limit rate 3/minute counter packets 0 bytes 0 log prefix "SFW2-IN-ILL-TARGET " flags tcp options flags ip options
- iifname $int_if1 tcp flags & (fin | syn | rst | ack) != syn ct state new limit rate 5/minute burst 7 packets counter packets 0 bytes 0 log prefix "Drop Syn"
- iifname $int_if1 tcp flags & (fin | syn | rst | ack) != syn ct state new counter packets 0 bytes 0 drop
- iifname $int_if1 ip frag-off & 8191 != 0 limit rate 5/minute burst 7 packets counter packets 0 bytes 0 log prefix "Fragments Packets"
- iifname $int_if1 ip frag-off & 8191 != 0 counter packets 0 bytes 0 drop
- iifname $int_if1 tcp flags & (fin | syn | rst | psh | ack | urg) == fin | psh | urg counter packets 0 bytes 0 drop
- iifname $int_if1 tcp flags & (fin | syn | rst | psh | ack | urg) == fin | syn | rst | psh | ack | urg counter packets 0 bytes 0 drop
- iifname $int_if1 tcp flags & (fin | syn | rst | psh | ack | urg) == 0x0 limit rate 5/minute burst 7 packets counter packets 0 bytes 0 log prefix "NULL Packets"
- iifname $int_if1 tcp flags & (fin | syn | rst | psh | ack | urg) == 0x0 counter packets 0 bytes 0 drop
- iifname $int_if1 tcp flags & (syn | rst) == syn | rst counter packets 0 bytes 0 drop
- iifname $int_if1 tcp flags & (fin | syn) == fin | syn limit rate 5/minute burst 7 packets counter packets 0 bytes 0 log prefix "XMAS Packets"
- iifname $int_if1 tcp flags & (fin | syn) == fin | syn counter packets 0 bytes 0 drop
- iifname $int_if1 tcp flags & (fin | ack) == fin limit rate 5/minute burst 7 packets counter packets 0 bytes 0 log prefix "Fin Packets Scan"
- iifname $int_if1 tcp flags & (fin | ack) == fin counter packets 0 bytes 0 drop
- iifname $int_if1 tcp flags & (fin | syn | rst | psh | ack | urg) == fin | syn | rst | ack | urg counter packets 0 bytes 0 drop
- iifname $int_if1 tcp dport 137-139 counter
packets 0 bytes 0 reject
- iifname $int_if1 udp dport 137-139 counter packets 0 bytes 0 reject
+ iifname $int_if tcp flags & (fin | syn | rst | ack) != syn ct state new limit rate 5/minute burst 7 packets counter packets 0 bytes 0 log prefix "Drop Syn"
+ iifname $int_if tcp flags & (fin | syn | rst | ack) != syn ct state new counter packets 0 bytes 0 drop
+ iifname $int_if ip frag-off & 8191 != 0 limit rate 5/minute burst 7 packets counter packets 0 bytes 0 log prefix "Fragments Packets"
+ iifname $int_if ip frag-off & 8191 != 0 counter packets 0 bytes 0 drop
+ iifname $int_if tcp flags & (fin | syn | rst | psh | ack | urg) == fin | psh | urg counter packets 0 bytes 0 drop
+ iifname $int_if tcp flags & (fin | syn | rst | psh | ack | urg) == fin | syn | rst | psh | ack | urg counter packets 0 bytes 0 drop
+ iifname $int_if tcp flags & (fin | syn | rst | psh | ack | urg) == 0x0 limit rate 5/minute burst 7 packets counter packets 0 bytes 0 log prefix "NULL Packets"
+ iifname $int_if tcp flags & (fin | syn | rst | psh | ack | urg) == 0x0 counter packets 0 bytes 0 drop
+ iifname $int_if tcp flags & (syn | rst) == syn | rst counter packets 0 bytes 0 drop
+ iifname $int_if tcp flags & (fin | syn) == fin | syn limit rate 5/minute burst 7 packets counter packets 0 bytes 0 log prefix "XMAS Packets"
+ iifname $int_if tcp flags & (fin | syn) == fin | syn counter packets 0 bytes 0 drop
+ iifname $int_if tcp flags & (fin | ack) == fin limit rate 5/minute burst 7 packets counter packets 0 bytes 0 log prefix "Fin Packets Scan"
+ iifname $int_if tcp flags & (fin | ack) == fin counter packets 0 bytes 0 drop
+ iifname $int_if tcp flags & (fin | syn | rst | psh | ack | urg) == fin | syn | rst | ack | urg counter packets 0 bytes 0 drop
+ iifname $int_if tcp dport 137-139 counter packets 0 bytes 0 reject
+ iifname $int_if udp dport 137-139 counter packets 0 bytes 0 reject
 icmp type source-quench counter packets 0 bytes 0 accept
 tcp dport ssh ct state new counter packets 0 bytes 0 accept
udp dport ntp ct state new counter packets 0 bytes 0 accept