-
Notifications
You must be signed in to change notification settings - Fork 0
/
Copy pathnftables.nft
159 lines (143 loc) · 9.11 KB
/
nftables.nft
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
table ip filter { # handle 60
set INTERNET-OUT-DENIED-SERVICES { # handle 7
type inet_proto . inet_service
flags constant,interval
auto-merge
elements = { 17 . 0 comment "IANA Reserved",
17 . 25 comment "SMTP",
17 . 135-139 comment "NetBIOS",
17 . 161 comment "SNMP",
17 . 445 comment "Microsoft-DS",
17 . 539 comment "RPC",
17 . 1433-1434 comment "Microsoft SQL",
17 . 1900 comment "Simple Network Discovery Protocol",
6 . 0 comment "IANA Reserved",
6 . 25 comment "SMTP",
6 . 135-139 comment "NetBIOS",
6 . 179 comment "Border Gateway Protocol",
6 . 445 comment "Microsoft-DS",
6 . 539 comment "RPC",
6 . 1433-1434 comment "Microsoft SQL",
6 . 7547 comment "CPE WAN Management Protocol" }
}
set RFC-5735-ADDRESSES { # handle 8
type ipv4_addr
flags constant,interval
auto-merge
elements = { 0.0.0.0/8 comment "This network, RFC 1122", 10.0.0.0/8 comment "Private-Use Networks, RFC 1918",
127.0.0.0/8 comment "Loopback, RFC 1122", 169.254.0.0/16 comment "Private-Use Networks, RFC 1918",
172.16.0.0/12 comment "Private-Use Networks, RFC 1918", 192.0.0.0/24 comment "IETF Protocol Assignments, RFC 5736",
192.0.2.0/24 comment "TEST-NET-1, RFC 5737", 192.88.99.0/24 comment "6to4 Relay Anycast, RFC 3068",
192.168.0.0/16 comment "Private-Use Networks, RFC 1918", 198.18.0.0/15 comment "Network Interconnect Device Benchmark Testing, RFC 1918",
198.51.100.0/24 comment "TEST-NET-2, RFC 5737", 203.0.113.0/24 comment "TEST-NET-3, RFC 5737",
224.0.0.0/4 comment "Multicast, RFC 3171", 240.0.0.0-255.255.255.255 comment "Reserved for Future Use, RFC 1112" }
}
set SERVICE-NFS { # handle 9
type inet_proto . inet_service
flags constant
elements = { 6 . 2049 comment "NFS data",
17 . 2049 comment "NFS data",
6 . 111 comment "Portmapper",
17 . 111 comment "Portmapper",
6 . 112 comment "Rpcbind",
17 . 112 comment "Rpcbind" }
}
set NFS-CLIENTS { # handle 10
type ipv4_addr
flags constant
elements = { 10.23.200.3 comment "Jimmy Mediaserver", 10.23.200.25 comment "Areena44 CAM" }
}
set SERVICE-MUMBLE { # handle 11
type inet_proto . inet_service
flags constant
elements = { 6 . 64738 comment "Mumble data",
17 . 64738 comment "Mumble voice" }
}
set SERVICE-IPERF { # handle 12
type inet_proto . inet_service
flags constant
elements = { 6 . 5201 comment "Iperf TCP",
17 . 5201 comment "Iperf UDP" }
}
chain INPUT { # handle 1
type filter hook input priority 0; policy accept;
ct state 0x2,0x4 counter packets 136523 bytes 20386077 accept comment "Allow established and related connections" # handle 15
meta l4proto 1 counter packets 90 bytes 7128 accept comment "Allow ICMP" # handle 16
iif "lo" accept comment "Allow loopback" # handle 17
iifname { "rex-wg", "enp6s0f0", "enp7s0f0", "enp6s0f1", "enp7s0f1.41", "rex-a44-ptp", "rex-sokar-ptp" } tcp dport 22 counter packets 232 bytes 13784 accept comment "Local SSH-server" # handle 19
iifname { "ovsbr0", "rex-wg", "enp7s0f0", "enp6s0f1", "enp7s0f1", "enp7s0f1.41" } udp dport 53 counter packets 3131 bytes 215816 accept comment "Local DNS-server" # handle 21
iifname { "ovsbr0", "rex-wg", "enp7s0f0", "enp6s0f1", "enp7s0f1", "enp7s0f1.41" } udp dport 123 counter packets 1 bytes 76 accept comment "Local NTP-server" # handle 23
iifname { "enp7s0f0", "enp6s0f1", "enp7s0f1.41" } udp dport 67 counter packets 22 bytes 7427 accept comment "Local DHCP-server" # handle 25
iifname { "enp6s0f0", "enp6s0f1", "enp7s0f1.41" } udp dport { 1223, 1224, 1225 } counter packets 438 bytes 77088 accept comment "WireGuard gateways, rex-wg, sokar-rex-ptp, rex-a44-ptp" # handle 28
iifname "ovsbr0" udp dport 161 counter packets 1361 bytes 141203 accept comment "Local SNMP-server" # handle 29
iifname { "rex-wg", "enp6s0f0", "enp6s0f1", "enp7s0f1.41", "rex-a44-ptp", "rex-sokar-ptp" } tcp dport { 80, 443 } counter packets 36 bytes 1984 accept comment "Local Nginx-server" # handle 32
iifname { "rex-wg", "enp6s0f0", "enp6s0f1", "enp7s0f1.41", "rex-a44-ptp", "rex-sokar-ptp" } meta l4proto . th dport @SERVICE-MUMBLE counter packets 32 bytes 1300 accept comment "Local Mumble-server" # handle 34
iifname { "rex-wg", "enp6s0f1", "rex-a44-ptp", "rex-sokar-ptp" } tcp dport 445 counter packets 0 bytes 0 accept comment "Local Samba-server" # handle 36
iifname { "rex-a44-ptp", "rex-sokar-ptp" } tcp dport 179 counter packets 0 bytes 0 accept comment "Sokar-FW BGP-peering" # handle 38
iifname { "rex-a44-ptp", "rex-sokar-ptp" } udp dport { 3784, 3785 } counter packets 0 bytes 0 accept comment "Sokar-FW BFD-peering" # handle 41
iifname { "rex-wg", "rex-a44-ptp" } ip saddr @NFS-CLIENTS meta l4proto . th dport @SERVICE-NFS counter packets 2867 bytes 172020 accept comment "Local NFS-server" # handle 43
iifname { "rex-wg", "enp6s0f1", "enp7s0f1.41", "rex-a44-ptp", "rex-sokar-ptp" } meta l4proto . th dport @SERVICE-IPERF counter packets 0 bytes 0 accept comment "Local IPERF-server" # handle 45
counter packets 1719 bytes 219608 drop comment "POLICY DROP INPUT" # handle 46
}
chain PREROUTING { # handle 2
type filter hook prerouting priority 0; policy accept;
ct state 0x1 counter packets 453 bytes 60569 drop comment "Drop invalid conntrack states" # handle 13
fib saddr . iif oif 0 counter packets 0 bytes 0 drop comment "Drop packets without reverse path" # handle 14
}
chain FORWARD { # handle 3
type filter hook forward priority 0; policy accept;
ct state 0x2,0x4 counter packets 438236 bytes 245015002 accept comment "Allow established and related connections" # handle 52
oifname "enp6s0f0" ip daddr @RFC-5735-ADDRESSES counter packets 0 bytes 0 log prefix "FORWARD-DENY: " drop comment "Deny forwarding to private address range" # handle 53
oifname "enp6s0f0" meta l4proto . th dport @INTERNET-OUT-DENIED-SERVICES counter packets 1 bytes 132 log prefix "FORWARD-DENY: " drop comment "Denied Internet-traffic" # handle 54
meta l4proto 1 counter packets 5092 bytes 427728 accept comment "Allow ICMP" # handle 55
iifname { "ovsbr0", "enp7s0f0", "enp6s0f1", "enp7s0f1.41" } oifname "enp6s0f0" counter packets 5684 bytes 658318 accept comment "Allowed Internet-traffic" # handle 57
iifname "rex-wg" oifname "rex-wg" counter packets 0 bytes 0 accept comment "REX-ZONE <-> REX-ZONE" # handle 58
iifname "rex-wg" oifname "enp6s0f1" ip daddr 10.23.10.10 tcp dport 3389 counter packets 0 bytes 0 accept comment "REX-ZONE -> PC RDP" # handle 59
iifname "enp6s0f1" oifname { "ovsbr0", "rex-wg", "rex-a44-ptp" } counter packets 0 bytes 0 accept comment "Allow VPN- and VM-services for LAN" # handle 61
iifname { "ovsbr0", "rex-wg", "enp6s0f1" } ip daddr 10.44.0.0/16 counter packets 9207 bytes 845647 accept comment "Areena44" # handle 63
iifname { "rex-wg", "rex-a44-ptp" } oifname "ovsbr0" ip saddr 10.44.99.0/24 ip daddr 10.0.100.7 udp dport 162 counter packets 0 bytes 0 accept comment "Areena44 SW-MGMT" # handle 65
iifname "enp7s0f1" oifname "ovsbr0" ip daddr 10.0.100.56 counter packets 518 bytes 61264 accept comment "Local WLAN-NET -> UNIFI-Controller" # handle 66
counter packets 0 bytes 0 drop comment "POLICY DROP FORWARD" # handle 67
}
chain OUTPUT { # handle 4
type filter hook output priority 0; policy accept;
ct state 0x8 oifname "enp6s0f0" ip daddr @RFC-5735-ADDRESSES counter packets 0 bytes 0 log prefix "Internet-out-deny: " drop comment "Deny output to private address range" # handle 49
ct state 0x8 oifname "enp6s0f0" meta l4proto . th dport @INTERNET-OUT-DENIED-SERVICES counter packets 0 bytes 0 log prefix "Internet-out-deny: " drop comment "Denied Internet-traffic" # handle 50
counter packets 95719 bytes 649017469 accept comment "POLICY ACCEPT OUTPUT" # handle 51
}
chain IPS_INPUT { # handle 5
type filter hook input priority 10; policy accept;
iifname { "enp6s0f0", "enp6s0f1", "enp7s0f1.41" } counter packets 135108 bytes 20273494 queue flags bypass,fanout to 1-4 comment "Suricata NFQUEUE" # handle 48
}
chain IPS_FORWARD { # handle 6
type filter hook forward priority 10; policy accept;
iifname { "enp6s0f0", "enp6s0f1", "enp7s0f1.41" } counter packets 353233 bytes 229416430 queue flags bypass,fanout to 1-4 comment "Suricata NFQUEUE" # handle 69
}
}
table ip nat { # handle 61
chain PREROUTING { # handle 1
type nat hook prerouting priority -100; policy accept;
}
chain POSTROUTING { # handle 2
type nat hook postrouting priority 100; policy accept;
oifname "enp6s0f0" counter packets 7713 bytes 843605 masquerade random,persistent comment "Internet Source NAT" # handle 3
oifname "rex-wg" counter packets 10681 bytes 969463 masquerade random,persistent comment "VPN Source NAT" # handle 4
}
}
table ip mangle { # handle 62
chain PREROUTING { # handle 1
type filter hook prerouting priority -150; policy accept;
}
chain INPUT { # handle 2
type filter hook input priority -150; policy accept;
}
chain FORWARD { # handle 3
type filter hook forward priority -150; policy accept;
}
chain OUTPUT { # handle 4
type filter hook output priority -150; policy accept;
}
chain POSTROUTING { # handle 5
type filter hook output priority -150; policy accept;
}
}