#!/usr/sbin/nft -f

# This example file shows how to use secmark labels with the nftables framework.
# This script is meant to be loaded with `nft -f <file>`
# You require linux kernel >= 4.20 and nft >= 0.9.3
# This example is SELinux based, for the secmark objects you require
# SELinux enabled and a SELinux policy defining the stated contexts
# For up-to-date information please visit https://wiki.nftables.org
#
# Overview of the ruleset below: chain y (input hook) and chain z (output hook)
# label the first packet of every new connection with a secmark object chosen
# either by destination port (via the two maps) or by protocol (ICMP/ICMPv6),
# store that label in the conntrack entry, and then re-apply the stored label
# to every later established/related packet of the same connection.

# NOTE: this drops every existing table in every family before the ruleset
# below is loaded; do not load it on a host whose current rules must survive.
flush ruleset

table inet x {
	# Each secmark object wraps one SELinux context string. Per the header
	# note, the loaded SELinux policy must define the *_packet_t types used.
	secmark ssh_server {
		"system_u:object_r:ssh_server_packet_t:s0"
	}
	secmark dns_client {
		"system_u:object_r:dns_client_packet_t:s0"
	}
	secmark http_client {
		"system_u:object_r:http_client_packet_t:s0"
	}
	# Shares its context with http_client, and nothing in this file refers to
	# "https_client" (secmapping_out maps 443 to "http_client"), so this
	# object is defined but unused here.
	secmark https_client {
		"system_u:object_r:http_client_packet_t:s0"
	}
	secmark ntp_client {
		"system_u:object_r:ntp_client_packet_t:s0"
	}
	secmark icmp_client {
		"system_u:object_r:icmp_client_packet_t:s0"
	}
	secmark icmp_server {
		"system_u:object_r:icmp_server_packet_t:s0"
	}
	secmark ssh_client {
		"system_u:object_r:ssh_client_packet_t:s0"
	}
	secmark git_client {
		"system_u:object_r:git_client_packet_t:s0"
	}
	# Destination port -> secmark for new inbound connections (chain y).
	# Only SSH is labelled inbound; a port with no entry does not match the
	# lookup rule, so such packets keep their default (unset) mark.
	map secmapping_in {
		type inet_service : secmark
		elements = { 22 : "ssh_server" }
	}
	# Destination port -> secmark for new outbound connections (chain z).
	# Both 80 and 443 deliberately map to the same "http_client" object.
	map secmapping_out {
		type inet_service : secmark
		elements = { 22 : "ssh_client", 53 : "dns_client", 80 : "http_client", 123 : "ntp_client", 443 : "http_client", 9418 : "git_client" }
	}
	chain y {
		# NOTE(review): -225 presumably matches the kernel's
		# NF_IP_PRI_SELINUX_FIRST so packets are labelled before SELinux's own
		# input hook runs — confirm against the kernel headers.
		type filter hook input priority -225;
		# label new incoming packets and add to connection
		# Port-based label: the map lookup selects the secmark object; both
		# rules only fire for the first packet of a connection (ct state new).
		ct state new meta secmark set tcp dport map @secmapping_in
		ct state new meta secmark set udp dport map @secmapping_in
		# Protocol-based label for ICMP. NOTE(review): `ip6 nexthdr` inspects
		# only the fixed IPv6 header's Next Header field, so ICMPv6 carried
		# behind an extension header is not matched by the second rule — confirm
		# whether that is acceptable for this deployment.
		ct state new ip protocol icmp meta secmark set "icmp_server"
		ct state new ip6 nexthdr icmpv6 meta secmark set "icmp_server"
		# Copy whatever mark the rules above assigned (possibly none) into the
		# conntrack entry so later packets of this connection can inherit it.
		ct state new ct secmark set meta secmark
		# set label for est/rel packets from connection
		ct state established,related meta secmark set ct secmark
	}
	chain z {
		# NOTE(review): 225 presumably matches the kernel's
		# NF_IP_PRI_SELINUX_LAST on the output path — confirm against the
		# kernel headers.
		type filter hook output priority 225;
		# label new outgoing packets and add to connection
		# Mirror of chain y for locally generated traffic: port lookup uses the
		# outbound map and ICMP is labelled as a client rather than a server.
		ct state new meta secmark set tcp dport map @secmapping_out
		ct state new meta secmark set udp dport map @secmapping_out
		# NOTE(review): same `ip6 nexthdr` limitation as in chain y — ICMPv6
		# behind extension headers is not matched here.
		ct state new ip protocol icmp meta secmark set "icmp_client"
		ct state new ip6 nexthdr icmpv6 meta secmark set "icmp_client"
		# Store the assigned mark (possibly none) on the conntrack entry.
		ct state new ct secmark set meta secmark
		# set label for est/rel packets from connection
		ct state established,related meta secmark set ct secmark
	}
}