#!/usr/sbin/nft -f
# Router ruleset: three tables (ip filter, ip nat, ip6 filter), all with
# default-deny input/forward chains. Every address and interface used by
# the tables is a named constant defined here.
# our hosts
define ap1 = 10.42.0.5            # wireless AP on the admin net (sends RADIUS to this box)
define ap2 = 10.42.0.6            # wireless AP on the admin net (sends RADIUS to this box)
define labitat = 185.38.172.72    # remote site: IPv6 tunnel endpoint and SNMP stats poller
define spacewand4 = 185.38.175.70 # host the forward chains accept traffic to from anywhere
define spacewand6 = 2a01:4260:1ab::cafe
# internal stuff
define ext_if = wan
# $ext_ip4 is the .0 address of $ext_net4 and is the SNAT source / DNAT
# target address in table ip nat. $ext_ip6 is not referenced by any rule
# in this file.
define ext_ip4 = 185.38.175.0
define ext_ip6 = 2a01:4260:1ab::
define int_net4 = 10.42.0.0/16       # all RFC1918 LANs below
define ext_net4 = 185.38.175.0/24    # our public IPv4 range
define ext_net6 = 2a01:4260:1ab::/48 # our public IPv6 range; the /64s below are carved from it
define link_net4 = 193.106.167.40/29 # transit link towards the upstream router
define link_net6 = 2a03:5440:1:2935:1ab::/120
define adm_if = lan10
define adm_ip4 = 10.42.0.1
define adm_net4 = 10.42.0.0/24       # admin net: APs, stats host; other RFC1918 LANs are blocked from it
define wire_if = lan11
define wire_ip4 = 10.42.1.1
define wire_net4 = 10.42.1.0/24
define wire_net6 = 2a01:4260:1ab:b::/64
define priv_if = lan12
define priv_ip4 = 10.42.2.1
define priv_net4 = 10.42.2.0/24
define priv_net6 = 2a01:4260:1ab:c::/64
define free_if = lan13               # free/guest net: IPv4 only, Internet access only
define free_ip4 = 10.42.3.1
define free_net4 = 10.42.3.0/24
define pass_if = lan14
define pass_ip4 = 10.42.4.1
define pass_net4 = 10.42.4.0/24
define pass_net6 = 2a01:4260:1ab:e::/64
define serv_if = lan20               # server net with public addresses
define serv_ip4 = 185.38.175.65
# NOTE(review): a /24 with host bits set (.64). Depending on the nft version
# this is either normalised to 185.38.175.0/24 - i.e. the whole $ext_net4,
# which weakens the per-interface source check on $serv_if in the forward
# chain - or compared unmasked and never matches. A /26 (.64-.127) looks
# intended; verify with `nft list ruleset` after loading.
define serv_net4 = 185.38.175.64/24
define serv_net6 = 2a01:4260:1ab:20::/64
# LANs on which mDNS (224.0.0.251:5353) and IGMP towards the router are accepted
define avahi_ifs = { $wire_if, $priv_if, $pass_if }
# NAT64 is not configured; these names are only referenced by the
# commented-out legacy ruleset at the end of this file.
#define nat64_if = nat64
#define nat64_net = 10.42.255.0/24
#define nat64_net6 = fde2:52b4:4a19:ffff::/96
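# IPv4 policy: default-deny for traffic to the router (input) and through
# it (forward). Only loopback handling changed versus the previous version:
# it is accepted before the ICMP limiter instead of after it.
table ip filter {
	chain input {
		type filter hook input priority 0;
		# Packets of tracked flows are accepted first; ICMP errors belonging
		# to a tracked flow are "related" and so never hit the limiter below.
		ct state established,related accept
		ct state invalid drop
		# Loopback is accepted before the ICMP limiter so that local traffic
		# does not share (and lose) the budget with a flood arriving on $ext_if.
		iif lo accept
		# no ping floods: one budget shared by every ICMP type and source
		ip protocol icmp limit rate 100/second accept
		ip protocol icmp drop
		# infrastructure
		iif $ext_if ip saddr $link_net4 ip daddr $link_net4 counter accept # upstream link net
		udp sport bootpc udp dport bootps iif != $ext_if counter accept # DHCP requests
		iif $adm_if ip saddr { $ap1, $ap2 } udp dport 1812 accept # RADIUS from AP
		# NOTE(review): matched on source address only. Protocol 41 (6in4)
		# carries no authentication, so this relies on $labitat's address not
		# being spoofable towards $ext_if.
		iif $ext_if ip saddr $labitat ip protocol 41 accept # IPv6 tunnel
		iif $wire_if ip saddr $wire_net4 udp dport 69 accept # TFTP
		iif $wire_if ip saddr $wire_net4 udp dport 123 accept # NTP
		# allow ssh
		# NOTE(review): no iif/saddr match, and this rule precedes the
		# "iif $ext_if drop" below, so ssh is reachable from the Internet.
		# Restrict it to the admin net, or add `iif $ext_if tcp dport 22 ct state new
		# limit rate ...` ahead of it, if that exposure is not intended.
		tcp dport 22 accept
		# dns, for our own networks only (RFC1918 LANs and the public /24)
		ip saddr $int_net4 tcp dport 53 accept
		ip saddr $int_net4 udp dport 53 accept
		ip saddr $ext_net4 tcp dport 53 accept
		ip saddr $ext_net4 udp dport 53 accept
		# Avahi (mDNS) and the IGMP that comes with it, on the listed LANs only
		ip daddr 224.0.0.251 udp dport 5353 iif $avahi_ifs accept
		ip protocol igmp iif $avahi_ifs accept # Allow IGMP here
		# nothing else from the outside (counted for visibility)
		iif $ext_if counter drop
		# LAN broadcast noise, dropped explicitly so it never reaches a log rule
		udp dport { 137, 138, 5353 } drop # NetBIOS, Avahi
		udp sport 17500 udp dport 17500 drop # Dropbox LANsync
		ip protocol igmp drop # IGMP
		#counter log prefix "in4: " drop
		drop
	}
	chain forward {
		type filter hook forward priority 0;
		ct state established,related accept
		ct state invalid drop
		# no ping floods: one budget shared by all forwarded ICMP
		ip protocol icmp limit rate 100/second accept
		ip protocol icmp drop
		# reachable from anywhere, by destination address alone
		ip daddr $spacewand4 accept
		# SNMP from the stats poller; the destination is rewritten to the
		# stats host in table ip nat
		ip saddr $labitat udp dport 161 counter accept # traffic stats
		# no traffic to admin net from the other RFC1918 LANs
		# NOTE(review): only $int_net4 sources are blocked; hosts on $serv_if
		# (public addresses) can still reach $adm_net4 through the rule further
		# down - confirm that is intended.
		ip saddr $int_net4 ip daddr $adm_net4 drop
		# local traffic: each LAN may only send from its own prefix on its own
		# interface (anti-spoofing); the free net gets no access to other
		# internal nets
		iif $adm_if ip saddr $adm_net4 accept
		iif $wire_if ip saddr $wire_net4 accept
		iif $priv_if ip saddr $priv_net4 accept
		iif $free_if ip saddr $free_net4 ip daddr != $int_net4 accept
		iif $pass_if ip saddr $pass_net4 accept
		iif $serv_if ip saddr $serv_net4 accept
		#counter log prefix "fw4: " drop
		drop
	}
}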
# IPv4 NAT: a single port forward (SNMP to the stats host) plus source NAT
# for everything that leaves $ext_if.
table ip nat {
	# The DNAT rules live in one regular chain that both base chains jump
	# to, so transit traffic (prerouting) and traffic originated by the
	# router itself (output) get the very same mapping.
	# (Newer nft releases spell these `dnat to ...` / `snat to ...`.)
	chain portforward {
		ip daddr $ext_ip4 udp dport 161 dnat 10.42.0.9 # traffic stats (SNMP)
	}
	chain prerouting {
		type nat hook prerouting priority -150;
		jump portforward
	}
	chain output {
		type nat hook output priority -150;
		jump portforward
	}
	chain input {
		type nat hook input priority -150;
		# Intentionally empty: this base chain has to exist for the DNAT
		# applied in the output chain to work.
	}
	chain postrouting {
		type nat hook postrouting priority -150;
		# NOTE(review): this matches every packet leaving $ext_if, so hosts
		# with public addresses ($serv_net4) and the router's own link address
		# are rewritten to $ext_ip4 as well; prefix with `ip saddr $int_net4`
		# if only the RFC1918 LANs are meant to be NATed.
		oif $ext_if snat $ext_ip4
	}
}
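# IPv6 policy: default-deny input and forward. Changes versus the previous
# version: neighbour discovery and packet-too-big are accepted ahead of the
# ping-flood limiter, loopback is accepted before it, and ICMPv6 is matched
# with `meta l4proto` instead of `ip6 nexthdr`.
table ip6 filter {
	chain input {
		type filter hook input priority 0;
		ct state established,related accept
		ct state invalid drop
		# Loopback before the limiter so local traffic never loses the budget.
		iif lo accept
		# Neighbour discovery (RFC 4861) and packet-too-big (path-MTU discovery)
		# are accepted before the limiter. Its 100/second budget is shared by
		# every ICMPv6 type and source, so a flood on any interface would
		# otherwise starve NDP with the upstream router and with every LAN host
		# and take IPv6 down entirely (see RFC 4890 for the must-not-drop list).
		icmpv6 type { nd-router-solicit, nd-router-advert, nd-neighbor-solicit, nd-neighbor-advert, packet-too-big } accept
		# no ping floods
		# meta l4proto sees ICMPv6 behind extension headers (e.g. the hop-by-hop
		# header MLD uses); ip6 nexthdr only reads the first next-header field.
		meta l4proto icmpv6 limit rate 100/second accept
		meta l4proto icmpv6 drop
		iif $ext_if ip6 saddr $link_net6 ip6 daddr $link_net6 counter accept # upstream link net
		# allow ssh
		# NOTE(review): no iif match, so ssh is reachable from $ext_if too;
		# restrict or rate-limit new connections if that is not intended.
		tcp dport 22 accept
		# dns: $ext_net6 is the /48 the internal /64s are carved from, so this
		# covers $wire_net6, $priv_net6, $pass_net6 and $serv_net6 as well
		ip6 saddr $ext_net6 tcp dport 53 accept
		ip6 saddr $ext_net6 udp dport 53 accept
		#counter log prefix "in6: " drop
		drop
	}
	chain forward {
		type filter hook forward priority 0;
		ct state established,related accept
		ct state invalid drop
		# packet-too-big must always get through for path-MTU discovery to
		# work for the hosts behind this router; do not let a flood consume it.
		icmpv6 type packet-too-big accept
		# no ping floods
		meta l4proto icmpv6 limit rate 100/second accept
		meta l4proto icmpv6 drop
		# reachable from anywhere, by destination address alone
		ip6 daddr $spacewand6 accept
		# local traffic: each LAN may only send from its own /64 on its own
		# interface (anti-spoofing); admin and free nets have no IPv6
		iif $wire_if ip6 saddr $wire_net6 accept
		iif $priv_if ip6 saddr $priv_net6 accept
		iif $pass_if ip6 saddr $pass_net6 accept
		iif $serv_if ip6 saddr $serv_net6 accept
		#counter log prefix "fw6: " drop
		drop
	}
}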
# Legacy IPv6 ruleset: allow all by default
# (kept commented out; it was written when default-deny "couldn't get to
# work" and was "better than nothing" at the time - it has since been
# superseded by the default-deny table ip6 filter above).
# NOTE(review): it references $ext_if6, $ula_net and $nat64_net6, none of
# which are defined in this file (the nat64 defines near the top are
# commented out), so it cannot be enabled by uncommenting alone.
#table ip6 filter {
# chain input {
# type filter hook input priority 0;
# # Don't allow ULA net on outside
# #ip6tables -A INPUT -j REJECT -i $ext_if6 -d $ula_net
# iif $ext_if6 ip6 daddr $ula_net reject
# #ip6tables -A INPUT -j REJECT -i $ext_if6 -s $ula_net
# iif $ext_if6 ip6 saddr $ula_net reject
#
# accept
# }
#
# chain output {
# type filter hook output priority 0;
# #ip6tables -A OUTPUT -j REJECT -o $ext_if6 -d $ula_net
# oif $ext_if6 ip6 daddr $ula_net reject
# #ip6tables -A OUTPUT -j REJECT -o $ext_if6 -s $ula_net
# oif $ext_if6 ip6 saddr $ula_net reject
#
# accept
# }
#
# chain forward {
# type filter hook forward priority 0;
# # Don't allow NAT64 for networks with IPv4
# # (remember: free and admin don't have IPv6)
# #ip6tables -A FORWARD -j REJECT -i $wire_if -d $nat64_net6
# iif $wire_if ip6 daddr $nat64_net6 reject
# #ip6tables -A FORWARD -j REJECT -i $priv_if -d $nat64_net6
# iif $priv_if ip6 daddr $nat64_net6 reject
# #ip6tables -A FORWARD -j REJECT -i $pass_if -d $nat64_net6
# iif $pass_if ip6 daddr $nat64_net6 reject
#
# #ip6tables -A FORWARD -j REJECT -i $ext_if6 -d $ula_net
# iif $ext_if6 ip6 daddr $ula_net reject
# #ip6tables -A FORWARD -j REJECT -i $ext_if6 -s $ula_net
# iif $ext_if6 ip6 saddr $ula_net reject
# #ip6tables -A FORWARD -j REJECT -o $ext_if6 -d $ula_net
# oif $ext_if6 ip6 daddr $ula_net reject
# #ip6tables -A FORWARD -j REJECT -o $ext_if6 -s $ula_net
# oif $ext_if6 ip6 saddr $ula_net reject
#
# accept
# }
#}