# our hosts
# $ap1/$ap2 are the only RADIUS (udp/1812) sources accepted on $adm_if (table ip filter)
define ap1 = 10.42.0.5
define ap2 = 10.42.0.6
# $labitat is not referenced by any rule in this file
define labitat = 185.38.172.72
# targets of the tcp/17380 port-forward (tables ip nat / ip6 nat); the IPv4
# address lies inside $wire_net4
define jumbotron_ip4 = 10.42.1.36
define jumbotron_ip6 = 2a01:4262:1ab:b:ba27:ebff:fed3:c162

# internal stuff
# uplink: the anti-spoofing and SNAT rules key on $ext_if; $ext_ip4/$ext_ip6 are
# the addresses that accept http (cert validation) and the DNAT'd webhook port;
# $link_net4/$link_net6 is the prefix shared with the upstream (bird)
define ext_if    = wan
define ext_ip4   = 185.38.175.0
define ext_ip6   = 2a01:4262:1ab::
define int_net4  = 10.42.0.0/16
define ext_net4  = 185.38.175.0/24
define ext_net6  = 2a01:4262:1ab::/48
define link_net4 = 193.106.167.40/29
define link_net6 = 2a03:5440:1:2935:1ab::/80

# per-interface prefixes; the forward chains only accept a prefix arriving on
# its own interface. The *_ip4 addresses below (adm, wire, priv, free, pass)
# are not referenced by any rule in this file.
# admin net: RADIUS from the APs; no forwarding into it from other nets; no IPv6 prefix
define adm_if    = lan10
define adm_ip4   = 10.42.0.1
define adm_net4  = 10.42.0.0/24

# wired net: tftp (udp/69) is accepted from here; the jumbotron lives in this prefix
define wire_if   = lan11
define wire_ip4  = 10.42.1.1
define wire_net4 = 10.42.1.0/24
define wire_net6 = 2a01:4262:1ab:b::/64

define priv_if   = lan12
define priv_ip4  = 10.42.2.1
define priv_net4 = 10.42.2.0/24
define priv_net6 = 2a01:4262:1ab:c::/64

# free net: may not forward to the internal nets; IPv4 is SNAT'd to $free_nat
# instead of $ext_ip4 (table ip nat)
define free_if   = lan13
define free_ip4  = 10.42.3.1
define free_nat  = 185.38.175.1
define free_net4 = 10.42.3.0/24
define free_net6 = 2a01:4262:1ab:d::/64

define pass_if   = lan14
define pass_ip4  = 10.42.4.1
define pass_net4 = 10.42.4.0/24
define pass_net6 = 2a01:4262:1ab:e::/64

# IPv6-only interface: forwarded in table ip6 filter, no IPv4 prefix defined
define futu_if   = lan15
define futu_net6 = 2a01:4262:1ab:f::/64

# $nat64_net4 lies inside $int_net4, so it is SNAT'd to $ext_ip4 on the uplink
define nat64_if   = nat64
define nat64_net4 = 10.42.128.0/17

# colo: may not forward to the internal nets; new connections towards $colo_if
# are accepted from anywhere (including the uplink). $colo_ip4 is not
# referenced by any rule in this file.
define colo_if   = lan20
define colo_ip4  = 185.38.175.65
define colo_net4 = {
	185.38.175.64/26,
	44.145.128.0/24,  # graffen
}
define colo_net6 = {
	2a01:4262:1ab:20::/64,
	2a01:4262:1ab:1100::/60, # Asbjorn
	2a01:4262:1ab:1110::/60, # Esmil
	2001:678:15c::/48, # graffen
	2a0e:8f02:f034::/48 # Hafnium
}

# interfaces on which mDNS (udp/5353 to the multicast address) and IGMP/MLD are accepted
define avahi_ifs = { $wire_if, $priv_if, $pass_if }

# IPv4 filtering. Both base chains end in an unconditional `drop`; neither
# declares `policy drop;`, so deny-by-default relies on that rule staying last.
table ip filter {
	chain input {
		type filter hook input priority 0;

		# fast path for existing connections; invalid conntrack states are dropped
		ct state established,related accept
		ct state invalid drop

		# no ping floods: up to 100 ICMP/second, the rest is dropped. These rules
		# precede `iif lo accept`, so loopback ICMP is rate limited as well.
		ip protocol icmp limit rate 100/second accept
		ip protocol icmp drop

		iif lo accept

		# drop incoming spoofed packages: 10/8 and our own public prefix arriving
		# on the uplink. NOTE(review): 172.16/12, 192.168/16 and 127/8 are not in
		# this set — extend it unless the upstream already filters them.
		iif $ext_if ip saddr { 10.0.0.0/8, $ext_net4 } drop

		# bird etc. on fiberby link (only link-prefix to link-prefix traffic)
		iif $ext_if ip saddr $link_net4 ip daddr $link_net4 counter accept

		# dhcp: client requests on every interface except the uplink
		udp sport bootpc udp dport bootps iif != $ext_if counter accept

		# radius: only from the access points, only on the admin interface
		iif $adm_if ip saddr { $ap1, $ap2 } udp dport 1812 accept

		# tftp: wired net only
		iif $wire_if ip saddr $wire_net4 udp dport 69 accept

		# ssh: accepted on every interface from any source, including $ext_if,
		# with no rate limit — confirm that exposure is intended
		tcp dport 22 accept

		# dns: internal and public prefixes. 44.145.128.0/24 (in $colo_net4) is
		# outside both, so those colo hosts cannot use this resolver.
		tcp dport 53 ip saddr { $int_net4, $ext_net4 } accept
		udp dport 53 ip saddr { $int_net4, $ext_net4 } accept

		# ntp: same source set as dns
		udp dport 123 ip saddr { $int_net4, $ext_net4 } accept

		# avahi: mDNS multicast and IGMP, only on the $avahi_ifs set
		ip daddr 224.0.0.251 udp dport 5353 iif $avahi_ifs accept
		ip protocol igmp iif $avahi_ifs accept

		# http cert validation: only towards the public address $ext_ip4
		tcp dport 80 ip daddr $ext_ip4 accept

		## debugging
		#iif $ext_if counter drop
		#udp dport { 137, 138, 5353, 27036 } drop # NetBIOS, Avahi, Steam in-home stream
		#udp sport 17500 udp dport 17500 drop # Dropbox LANsync
		#ip protocol igmp drop                # IGMP
		#counter log prefix "in4: " drop
		# default deny
		drop
	}

	chain forward {
		type filter hook forward priority 0;

		ct state established,related accept
		ct state invalid drop

		# drop incoming spoofed packages (same set as chain input)
		iif $ext_if ip saddr { 10.0.0.0/8, $ext_net4 } drop

		# jumbotron webhook: the port DNAT'd by table ip nat
		ip daddr $jumbotron_ip4 tcp dport 17380 counter accept

		# no traffic to admin net: internal sources get an ICMP error, everyone
		# else is silently dropped. $jumbotron_ip4 is in $wire_net4, so the rule
		# above does not open a path into $adm_net4.
		ip daddr $adm_net4 ip saddr $int_net4 reject with icmp type net-prohibited
		ip daddr $adm_net4 drop

		# local traffic: each interface may only forward its own prefix (source
		# validation); free and colo may not reach the internal nets
		iif $adm_if  ip saddr $adm_net4  accept
		iif $wire_if ip saddr $wire_net4 accept
		iif $priv_if ip saddr $priv_net4 accept
		iif $free_if ip saddr $free_net4 ip daddr != $int_net4 accept
		iif $pass_if ip saddr $pass_net4 accept
		iif $nat64_if ip saddr $nat64_net4 accept
		iif $colo_if ip saddr $colo_net4 ip daddr != $int_net4 accept
		# new connections towards the colo net are accepted from any interface,
		# including the uplink — presumably colo hosts filter for themselves
		oif $colo_if accept

		## debugging
		#iif $ext_if counter drop
		#counter log prefix "fw4: " drop
		# default deny
		drop
	}
}

# IPv6 filtering; mirrors table ip filter. No adm_net6 is defined, so there is
# no IPv6 counterpart of the admin-net block and $adm_if never forwards IPv6.
# Both base chains end in an unconditional `drop` without a `policy drop;`.
table ip6 filter {
	chain input {
		type filter hook input priority 0;

		ct state established,related accept
		ct state invalid drop

		# no ping floods: up to 100 ICMPv6/second, the rest is dropped. `ip6 nexthdr`
		# matches only when ICMPv6 is the first next header; ICMPv6 behind a
		# hop-by-hop header is handled by the hbh rule further down.
		ip6 nexthdr ipv6-icmp limit rate 100/second accept
		ip6 nexthdr ipv6-icmp drop

		iif lo accept

		# drop incoming spoofed packages: our own /48 arriving on the uplink
		iif $ext_if ip6 saddr $ext_net6 drop

		# ICMPv6 carried behind a hop-by-hop header (typically MLD) from the LAN
		# interfaces. NOTE(review): $futu_if forwards IPv6 below but is not in
		# this set — confirm whether that is intended.
		iif { $adm_if, $wire_if, $priv_if, $free_if, $pass_if } hbh nexthdr ipv6-icmp accept

		# bird etc. on fiberby link (only link-prefix to link-prefix traffic)
		iif $ext_if ip6 saddr $link_net6 ip6 daddr $link_net6 counter accept

		# tftp: wired net only
		iif $wire_if ip6 saddr $wire_net6 udp dport 69 accept

		# ssh: accepted on every interface from any source, including $ext_if,
		# with no rate limit — confirm that exposure is intended
		tcp dport 22 accept

		# dns: our /48 only. The colo prefixes 2001:678:15c::/48 and
		# 2a0e:8f02:f034::/48 are outside it and therefore cannot use this resolver.
		tcp dport 53 ip6 saddr $ext_net6 accept
		udp dport 53 ip6 saddr $ext_net6 accept

		# ntp: same source set as dns
		udp dport 123 ip6 saddr $ext_net6 accept

		# avahi: mDNS multicast, only on the $avahi_ifs set
		ip6 daddr ff02::fb udp dport 5353 iif $avahi_ifs accept

		# http cert validation: only towards the public address $ext_ip6
		tcp dport 80 ip6 daddr $ext_ip6 accept

		## debugging
		#counter log prefix "in6: " drop
		# default deny
		drop
	}

	chain forward {
		type filter hook forward priority 0;

		ct state established,related accept
		ct state invalid drop

		# drop incoming spoofed packages (same check as chain input)
		iif $ext_if ip6 saddr $ext_net6 drop

		# jumbotron webhook: the port DNAT'd by table ip6 nat
		ip6 daddr $jumbotron_ip6 tcp dport 17380 counter accept

		# local traffic: each interface may only forward its own prefix (source
		# validation); free and colo may not reach anything inside our /48
		iif $wire_if ip6 saddr $wire_net6 accept
		iif $priv_if ip6 saddr $priv_net6 accept
		iif $free_if ip6 saddr $free_net6 ip6 daddr != $ext_net6 accept
		iif $pass_if ip6 saddr $pass_net6 accept
		iif $futu_if ip6 saddr $futu_net6 accept
		iif $colo_if ip6 saddr $colo_net6 ip6 daddr != $ext_net6 accept
		# new connections towards the colo net are accepted from any interface,
		# including the uplink — presumably colo hosts filter for themselves
		oif $colo_if accept

		## debugging
		#counter log prefix "fw6: " drop
		# default deny
		drop
	}
}

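# IPv4 NAT: one DNAT port-forward (reachable from outside and from the router
# itself) plus source NAT for the internal prefixes leaving on $ext_if.
# Indentation normalised to tabs (the postrouting closing brace used spaces).
table ip nat {
	# shared DNAT rules, entered from both prerouting (external clients) and
	# output (locally generated traffic)
	chain portforward {
		# jumbotron webhook; table ip filter, chain forward accepts this port
		ip daddr $ext_ip4 tcp dport 17380 dnat $jumbotron_ip4
	}

	chain prerouting {
		type nat hook prerouting priority -150;
		goto portforward
	}

	chain output {
		type nat hook output priority -150;
		goto portforward
	}

	chain input {
		type nat hook input priority -150;
		# intentionally empty: this chain is needed to make dnat from the output chain work
	}

	chain postrouting {
		type nat hook postrouting priority -150;
		# the free net gets its own public address; it must come first because
		# $free_net4 lies inside $int_net4
		oif $ext_if ip saddr $free_net4 snat $free_nat
		oif $ext_if ip saddr $int_net4 snat $ext_ip4
	}
}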

# IPv6 NAT: only the jumbotron port-forward; no source NAT is done for IPv6.
table ip6 nat {
	# DNAT rules shared by prerouting (external clients) and output (router itself)
	chain portforward {
		# jumbotron webhook; table ip6 filter, chain forward accepts this port
		ip6 daddr $ext_ip6 tcp dport 17380 dnat $jumbotron_ip6
	}

	chain prerouting {
		type nat hook prerouting priority -150;
		goto portforward
	}

	chain output {
		type nat hook output priority -150;
		goto portforward
	}

	# NOTE(review): table ip nat keeps an empty nat input chain because dnat from
	# the output chain needs it; here that chain is commented out, so replies to
	# the output-chain dnat above may not be reverse-translated — confirm.
	#chain input {
	#	type nat hook input priority -150;
	#	# this chain is needed to make dnat from the output chain work
	#}

	# no IPv6 source NAT is configured
	#chain postrouting {
	#	type nat hook postrouting priority -150;
	#}
}