-
Notifications
You must be signed in to change notification settings - Fork 0
/
Copy pathnftables.conf
executable file
·160 lines (118 loc) · 8.86 KB
/
nftables.conf
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
#!/usr/sbin/nft -f
flush ruleset
define lan-if = enp5s0f1
define wan-if = enp5s0f0
define upstream-isp-bgp = x.x.x.x
###### BASIC TABLES AND CHAINS ######
### IPv4 FILTER ###
add table ip filter
add chain ip filter INPUT { type filter hook input priority filter; }
add chain ip filter PREROUTING { type filter hook prerouting priority filter; }
add chain ip filter FORWARD { type filter hook forward priority filter; }
add chain ip filter OUTPUT { type filter hook output priority filter; }
### IPv4 NAT ###
add table ip nat
add chain ip nat PREROUTING { type nat hook prerouting priority dstnat; }
add chain ip nat POSTROUTING { type nat hook postrouting priority srcnat; }
### IPv4 MANGLE ###
add table ip mangle
add chain ip mangle PREROUTING { type filter hook prerouting priority mangle; }
add chain ip mangle INPUT { type filter hook input priority mangle; }
add chain ip mangle FORWARD { type filter hook forward priority mangle; }
add chain ip mangle OUTPUT { type filter hook output priority mangle; }
add chain ip mangle POSTROUTING { type filter hook output priority mangle; }
###### LAN-INTERFACES ######
add set ip filter lan_vlans { type ifname; }
add element ip filter lan_vlans { enp5s0f1.10 }
add element ip filter lan_vlans { enp5s0f1.40 }
add element ip filter lan_vlans { enp5s0f1.100 }
###### INTERNET OUT FILTER SETS ######
### INTERNET OUT BLOCKED UDP PORTS ###
add set filter internet-out-blocked-udp-ports { type inet_service; flags constant, interval; auto-merge; }
add element ip filter internet-out-blocked-udp-ports { 25 comment "SMTP" }
add element ip filter internet-out-blocked-udp-ports { 135-139 comment "Microsoft NetBIOS" }
add element ip filter internet-out-blocked-udp-ports { 161 comment "SNMP" }
add element ip filter internet-out-blocked-udp-ports { 445 comment "Microsoft-DS" }
add element ip filter internet-out-blocked-udp-ports { 593 comment "RPC" }
add element ip filter internet-out-blocked-udp-ports { 1433-1434 comment "Microsoft SQL" }
add element ip filter internet-out-blocked-udp-ports { 1900 comment "Simple Network Discovery Protocol" }
### INTERNET OUT BLOCKED TCP PORTS ###
add set filter internet-out-blocked-tcp-ports { type inet_service; flags constant, interval; auto-merge; }
add element ip filter internet-out-blocked-tcp-ports { 0 comment "IANA Reserved" }
add element ip filter internet-out-blocked-tcp-ports { 25 comment "SMTP" }
add element ip filter internet-out-blocked-tcp-ports { 135-139 comment "Microsoft NetBIOS" }
add element ip filter internet-out-blocked-tcp-ports { 179 comment "Border Gateway Protocol" }
add element ip filter internet-out-blocked-tcp-ports { 445 comment "Microsoft-DS"}
add element ip filter internet-out-blocked-tcp-ports { 593 comment "RPC"}
add element ip filter internet-out-blocked-tcp-ports { 1433-1434 comment "Microsoft SQL" }
add element ip filter internet-out-blocked-tcp-ports { 7547 comment "CPE WAN Management Protocol" }
### RFC 5735 Special Use IPv4 Addresses ###
add set filter special-use-ipv4-addresses { type ipv4_addr; flags constant, interval; auto-merge; }
add element ip filter special-use-ipv4-addresses { 0.0.0.0/8 comment "This network, RFC 1122" }
add element ip filter special-use-ipv4-addresses { 10.0.0.0/8 comment "Private-Use Networks, RFC 1918" }
add element ip filter special-use-ipv4-addresses { 127.0.0.0/8 comment "Loopback, RFC 1122" }
add element ip filter special-use-ipv4-addresses { 169.254.0.0/16 comment "Private-Use Networks, RFC 1918" }
add element ip filter special-use-ipv4-addresses { 172.16.0.0/12 comment "Private-Use Networks, RFC 1918" }
add element ip filter special-use-ipv4-addresses { 192.0.0.0/24 comment "IETF Protocol Assignments, RFC 5736" }
add element ip filter special-use-ipv4-addresses { 192.0.2.0/24 comment "TEST-NET-1, RFC 5737" }
add element ip filter special-use-ipv4-addresses { 192.168.0.0/16 comment "Private-Use Networks, RFC 1918" }
add element ip filter special-use-ipv4-addresses { 198.18.0.0/15 comment "Network Interconnect Device Benchmark Testing, RFC 1918" }
add element ip filter special-use-ipv4-addresses { 198.51.100.0/24 comment "TEST-NET-2, RFC 5737" }
add element ip filter special-use-ipv4-addresses { 203.0.113.0/24 comment "TEST-NET-3, RFC 5737" }
add element ip filter special-use-ipv4-addresses { 224.0.0.0/4 comment "Multicast, RFC 3171" }
add element ip filter special-use-ipv4-addresses { 240.0.0.0/4 comment "Reserved for Future Use, RFC 1112" }
add element ip filter special-use-ipv4-addresses { 192.88.99.0/24 comment "6to4 Relay Anycast, RFC 3068" }
### RFC 792 ICMP TYPES ###
add set filter blocked-icmp-types { type icmp_type; flags constant; auto-merge; }
add element ip filter blocked-icmp-types { 9 comment "ROUTER ADVERTISEMENT" }
add element ip filter blocked-icmp-types { 10 comment "ROUTER SOLICITATION" }
###### CONNTRACK VERDICT MAP FOR EARLY FILTERING ######
add map filter ct_map { type ct_state : verdict; }
add element filter ct_map { established : accept }
add element filter ct_map { related : accept }
add element filter ct_map { invalid : drop }
##########################################################################################
##### NETFILTER FASTPATH INGRESS HOOK ######
#add flowtable ip filter fastpath { hook ingress priority filter ; devices = { enp5s0f1.10, enp5s0f1.40, enp5s0f1.100, enp5s0f0 }; }
##### FILTER RULES BEGIN HERE #####
### PREROUTING CHAIN ###
#add rule ip filter PREROUTING fib saddr oif accept
add rule ip filter PREROUTING iifname @lan_vlans fib saddr . iif oif missing counter drop comment "DROP PACKETS WITHOUT A REVERSE PATH"
### INPUT CHAIN ###
add rule ip filter INPUT ct state vmap @ct_map
add rule ip filter INPUT iif lo counter accept comment "LOOPBACK"
add rule ip filter INPUT icmp type != @blocked-icmp-types counter accept comment "ANY -> ICMP"
add rule ip filter INPUT iifname $wan-if tcp dport 179 counter accept comment "BGP-PEERING FROM UPSTREAM ISP"
add rule ip filter INPUT iifname @lan_vlans udp dport 53 counter accept comment "LAN -> DNS-SERVER"
add rule ip filter INPUT iifname @lan_vlans udp dport 67 counter accept comment "LAN -> DHCP-SERVER"
add rule ip filter INPUT iifname @lan_vlans tcp dport 22 counter accept comment "LAN -> SSH-MANAGEMENT"
add rule ip filter INPUT iifname @lan_vlans udp dport 123 counter accept comment "LAN -> NTP-SERVER"
#add rule ip filter INPUT iif $wan-if tcp dport 22 counter accept comment "INTERNET -> SSH-MANAGEMENT"
add rule ip filter INPUT counter drop comment "INPUT POLICY DROP"
### OUTPUT FILTER ###
add rule ip filter OUTPUT oifname $wan-if ip daddr $upsteam-isp-bgp tcp dport 179 counter accept comment "BGP-PEERING TO UPSTREAM ISP"
add rule ip filter OUTPUT oifname $wan-if tcp dport @internet-out-blocked-tcp-ports log prefix "INTERNET-OUT-TCP-BLOCK " counter drop
add rule ip filter OUTPUT oifname $wan-if udp dport @internet-out-blocked-udp-ports log prefix "INTERNET-OUT-UDP-BLOCK " counter drop
add rule ip filter OUTPUT oifname $wan-if ip daddr @special-use-ipv4-addresses log prefix "INTERNET-OUT-SADDR-BLOCK " counter drop
add rule ip filter OUTPUT counter accept comment "OUTPUT POLICY ACCEPT"
### FORWARD FILTER ###
#add rule ip filter FORWARD ct state established iifname $wan-if oifname @lan_vlans counter flow offload @fastpath comment "FASTPATH BYPASS"
add rule ip filter FORWARD ct state vmap @ct_map
add rule ip filter FORWARD oifname $wan-if tcp dport @internet-out-blocked-tcp-ports log prefix "INTERNET-OUT-TCP-BLOCK " counter drop
add rule ip filter FORWARD oifname $wan-if udp dport @internet-out-blocked-udp-ports log prefix "INTERNET-OUT-UDP-BLOCK " counter drop
add rule ip filter FORWARD oifname $wan-if ip daddr @special-use-ipv4-addresses log prefix "INTERNET-OUT-SADDR-BLOCK " counter drop
add rule ip filter FORWARD oifname $wan-if icmp type @blocked-icmp-types counter drop comment "INTERNET-OUT-ICMP-BLOCK "
add rule ip filter FORWARD iifname @lan_vlans oifname $wan-if counter accept comment "LAN -> INTERNET DEFAULT"
add rule ip filter FORWARD iifname $wan-if oifname enp5s0f1.10 counter accept comment "INTERNET -> PARTYNET"
add rule ip filter FORWARD iifname @lan_vlans oifname @lan_vlans counter accept comment "LAN <-> LAN"
add rule ip filter FORWARD counter drop comment "FORWARD POLICY DROP"
##### NAT RULES BEGIN HERE ######
## Source NAT ##
#add rule ip nat POSTROUTING oifname $wan-if masquerade fully-random comment "Internet SOURCE NAT"
#add rule ip nat POSTROUTING iifname enp5s0f1.100 oifname $wan-if snat x.x.x.x fully-random persistent
## Destination NAT ##
add rule ip nat PREROUTING iifname $wan-if ip daddr x.x.x.x udp dport 27015 counter dnat 10.44.100.70:27015 comment "INTERNET -> CSGO NAT UDP"
##### MANGLE RULES BEGIN HERE ######
#add rule ip mangle PREROUTING iifname rex0 tcp flags syn tcp option maxseg size set 1432 counter comment "MSSFIX REX0"
#add rule ip mangle POSTROUTING oif $wan-if udp sport {27015,27025,27047,64738} meta priority set 1:2
#add rule ip mangle POSTROUTING oif $wan-if tcp sport {22,80,443} counter meta priority set 1:2