-
Notifications
You must be signed in to change notification settings - Fork 0
/
Copy pathsokar-fw-nftables.conf
125 lines (105 loc) · 8.6 KB
/
sokar-fw-nftables.conf
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
#!/usr/sbin/nft -f
flush ruleset
define WLAN-ZONE = vlan30
define LAN-ZONE = vlan10
define RASP-ZONE = vlan40
define INTERNET-ZONE-DSL = vlan201
define INTERNET-ZONE-5G = vlan200
define REX-ZONE = rex-wg
###### BASIC TABLES AND CHAINS ######
### IPv4 FILTER ###
add table ip filter
add chain ip filter INPUT { type filter hook input priority filter; }
add chain ip filter PREROUTING { type filter hook prerouting priority filter; }
add chain ip filter FORWARD { type filter hook forward priority filter; }
add chain ip filter OUTPUT { type filter hook output priority filter; }
### IPv4 NAT ###
add table ip nat
add chain ip nat PREROUTING { type nat hook prerouting priority dstnat; }
add chain ip nat POSTROUTING { type nat hook postrouting priority srcnat; }
### IPv4 MANGLE ###
add table ip mangle
add chain ip mangle PREROUTING { type filter hook prerouting priority mangle; }
add chain ip mangle INPUT { type filter hook input priority mangle; }
add chain ip mangle FORWARD { type filter hook forward priority mangle; }
add chain ip mangle OUTPUT { type filter hook output priority mangle; }
add chain ip mangle POSTROUTING { type filter hook output priority mangle; }
###### INTERNET OUT FILTER SETS ######
### Denied Internet-traffic, destination protocol + port ###
add set filter INTERNET-OUT-DENIED-SERVICES { type inet_proto . inet_service; flags constant, interval; auto-merge; }
add element ip filter INTERNET-OUT-DENIED-SERVICES { udp . 25 comment "SMTP" }
add element ip filter INTERNET-OUT-DENIED-SERVICES { udp . 135-139 comment "NetBIOS" }
add element ip filter INTERNET-OUT-DENIED-SERVICES { udp . 161 comment "SNMP" }
add element ip filter INTERNET-OUT-DENIED-SERVICES { udp . 445 comment "Microsoft-DS" }
add element ip filter INTERNET-OUT-DENIED-SERVICES { udp . 539 comment "RPC" }
add element ip filter INTERNET-OUT-DENIED-SERVICES { udp . 1433-1434 comment "Microsoft SQL" }
add element ip filter INTERNET-OUT-DENIED-SERVICES { udp . 1900 comment "Simple Network Discovery Protocol" }
add element ip filter INTERNET-OUT-DENIED-SERVICES { tcp . 0 comment "IANA Reserved" }
add element ip filter INTERNET-OUT-DENIED-SERVICES { tcp . 25 comment "SMTP" }
add element ip filter INTERNET-OUT-DENIED-SERVICES { tcp . 135-139 comment "NetBIOS" }
add element ip filter INTERNET-OUT-DENIED-SERVICES { tcp . 179 comment "Border Gateway Protocol" }
add element ip filter INTERNET-OUT-DENIED-SERVICES { tcp . 445 comment "Microsoft-DS" }
add element ip filter INTERNET-OUT-DENIED-SERVICES { tcp . 539 comment "RPC" }
add element ip filter INTERNET-OUT-DENIED-SERVICES { tcp . 1433-1434 comment "Microsoft SQL" }
add element ip filter INTERNET-OUT-DENIED-SERVICES { tcp . 7547 comment "CPE WAN Management Protocol" }
### RFC 5735 Special Use IPv4 Addresses ###
add set filter RFC-5735-ADDRESSES { type ipv4_addr; flags constant, interval; auto-merge; }
add element ip filter RFC-5735-ADDRESSES { 0.0.0.0/8 comment "This network, RFC 1122" }
add element ip filter RFC-5735-ADDRESSES { 10.0.0.0/8 comment "Private-Use Networks, RFC 1918" }
add element ip filter RFC-5735-ADDRESSES { 127.0.0.0/8 comment "Loopback, RFC 1122" }
add element ip filter RFC-5735-ADDRESSES { 169.254.0.0/16 comment "Private-Use Networks, RFC 1918" }
add element ip filter RFC-5735-ADDRESSES { 172.16.0.0/12 comment "Private-Use Networks, RFC 1918" }
add element ip filter RFC-5735-ADDRESSES { 192.0.0.0/24 comment "IETF Protocol Assignments, RFC 5736" }
add element ip filter RFC-5735-ADDRESSES { 192.0.2.0/24 comment "TEST-NET-1, RFC 5737" }
add element ip filter RFC-5735-ADDRESSES { 192.168.0.0/16 comment "Private-Use Networks, RFC 1918" }
add element ip filter RFC-5735-ADDRESSES { 198.18.0.0/15 comment "Network Interconnect Device Benchmark Testing, RFC 1918" }
add element ip filter RFC-5735-ADDRESSES { 198.51.100.0/24 comment "TEST-NET-2, RFC 5737" }
add element ip filter RFC-5735-ADDRESSES { 203.0.113.0/24 comment "TEST-NET-3, RFC 5737" }
add element ip filter RFC-5735-ADDRESSES { 224.0.0.0/4 comment "Multicast, RFC 3171" }
add element ip filter RFC-5735-ADDRESSES { 240.0.0.0/4 comment "Reserved for Future Use, RFC 1112" }
add element ip filter RFC-5735-ADDRESSES { 192.88.99.0/24 comment "6to4 Relay Anycast, RFC 3068" }
###### SERVICE FILTER SETS ######
#add set filter SERVICE-IPERF { type inet_proto . inet_service; flags constant; }
#add element ip filter SERVICE-IPERF { udp . 5201 comment "Iperf UDP" }
#add element ip filter SERVICE-IPERF { tcp . 5201 comment "Iperf TCP" }
##### FLOWTABLE FASTPATH TEST #####
add flowtable ip filter fastpath { hook ingress priority filter; devices = { $WLAN-ZONE, $LAN-ZONE, $RASP-ZONE, $INTERNET-ZONE-DSL, $INTERNET-ZONE-5G }; }
###### FILTER RULES BEGIN HERE ######
### PREROUTING CHAIN ###
add rule ip filter PREROUTING ct state invalid counter drop comment "Drop invalid conntrack states"
add rule ip filter PREROUTING fib saddr . iif oif missing counter drop comment "Drop packets without reverse path"
### INPUT CHAIN ###
add rule ip filter INPUT ct state established, related counter accept comment "Allow established and related connections"
add rule ip filter INPUT meta l4proto icmp counter accept comment "Allow ICMP"
add rule ip filter INPUT iif lo accept comment "Allow loopback"
add rule ip filter INPUT iifname { $WLAN-ZONE, $LAN-ZONE, $RASP-ZONE, $INTERNET-ZONE-DSL, $INTERNET-ZONE-5G, $REX-ZONE } tcp dport 22 counter accept comment "Local SSH-server"
add rule ip filter INPUT iifname { $WLAN-ZONE, $LAN-ZONE, $RASP-ZONE } udp dport { 53, 5353 } counter accept comment "Local DNS-server"
add rule ip filter INPUT iifname { $WLAN-ZONE, $LAN-ZONE, $RASP-ZONE } udp dport 67 counter accept comment "Local DHCP-server"
add rule ip filter INPUT iifname { $REX-ZONE } tcp dport 179 counter accept comment "REX BGP-peering"
add rule ip filter INPUT iifname { $REX-ZONE } udp dport { 3784,3785 } counter accept comment "REX BFD-peering"
#add rule ip filter INPUT ct state new iifname { $INTERNET-ZONE, $LAN-ZONE, $WLAN-ZONE, $REX-ZONE } tcp dport { 80, 443 } counter accept comment "Local Nginx-server"
add rule ip filter INPUT counter drop comment "POLICY DROP INPUT"
### OUTPUT FILTER ###
add rule ip filter OUTPUT oifname { $INTERNET-ZONE-5G } ip daddr 192.168.8.1 counter accept comment "5G management"
add rule ip filter OUTPUT oifname { $INTERNET-ZONE-DSL, $INTERNET-ZONE-5G } ip daddr @RFC-5735-ADDRESSES counter log prefix "Internet-out-deny: " drop comment "Deny output to private address range"
add rule ip filter OUTPUT oifname { $INTERNET-ZONE-DSL, $INTERNET-ZONE-5G } meta l4proto . th dport @INTERNET-OUT-DENIED-SERVICES counter log prefix "Internet-out-deny: " drop comment "Denied Internet-traffic"
add rule ip filter OUTPUT counter accept comment "POLICY ACCEPT OUTPUT"
### FORWARD FILTER ###
add rule ip filter FORWARD iifname { $WLAN-ZONE, $LAN-ZONE, $RASP-ZONE, $INTERNET-ZONE-DSL, $INTERNET-ZONE-5G } counter flow add @fastpath comment "Software fastpath"
add rule ip filter FORWARD ct state established, related counter accept comment "Allow established and related connections"
add rule ip filter FORWARD oifname { $INTERNET-ZONE-5G } ip daddr 192.168.8.1 counter accept comment "5G management"
add rule ip filter FORWARD oifname { $INTERNET-ZONE-DSL, $INTERNET-ZONE-5G } ip daddr @RFC-5735-ADDRESSES counter log prefix "FORWARD-DENY: " drop comment "Deny forwarding to private address range"
add rule ip filter FORWARD oifname { $INTERNET-ZONE-DSL, $INTERNET-ZONE-5G } meta l4proto . th dport @INTERNET-OUT-DENIED-SERVICES counter log prefix "FORWARD-DENY: " drop comment "Denied Internet-traffic"
add rule ip filter FORWARD meta l4proto icmp counter accept comment "Allow ICMP"
add rule ip filter FORWARD iifname { $WLAN-ZONE, $LAN-ZONE, $RASP-ZONE } oifname { $INTERNET-ZONE-DSL, $INTERNET-ZONE-5G } counter accept comment "Allowed Internet-traffic"
add rule ip filter FORWARD iifname { $WLAN-ZONE, $LAN-ZONE, $RASP-ZONE } oifname { $WLAN-ZONE, $LAN-ZONE, $RASP-ZONE } counter accept comment "Allow traffic between Local networks"
add rule ip filter FORWARD counter drop comment "POLICY DROP FORWARD"
###### NAT RULES BEGIN HERE ######
## Source NAT ##
add rule ip nat POSTROUTING oifname { $INTERNET-ZONE-5G } ip daddr 192.168.8.1 counter snat to 192.168.8.2
add rule ip nat POSTROUTING oifname { $INTERNET-ZONE-DSL, $INTERNET-ZONE-5G } counter masquerade comment "Internet Source NAT"
## Destination NAT ##
#add rule ip nat PREROUTING iifname { "REX-ZONE" } tcp dport 445 counter dnat 10.23.10.1 comment "REX-ZONE -> SAMBA"
###### MANGLE RULES BEGIN HERE ######
#add rule ip mangle PREROUTING iifname $INTERNET-ZONE-5G tcp flags syn tcp option maxseg size set 1460 counter comment "MSSCLAMP 5G"
#add rule ip mangle POSTROUTING oif $INTERNET-ZONE tcp sport { 22,80,443 } counter meta priority set 1:2