diff options
author | Emil Renner Berthing <esmil@labitat.dk> | 2017-11-07 16:27:49 +0100 |
---|---|---|
committer | Emil Renner Berthing <esmil@labitat.dk> | 2017-11-12 14:56:32 +0100 |
commit | e8cdba85c48dcbbd42e6fcb5be3aa2912008cb84 (patch) | |
tree | 41ba5163cf6f110521f2ebc9035f77d2754796a0 /roles/space_server/files/nftables | |
download | labitat-ansible-e8cdba85c48dcbbd42e6fcb5be3aa2912008cb84.tar.gz labitat-ansible-e8cdba85c48dcbbd42e6fcb5be3aa2912008cb84.tar.xz labitat-ansible-e8cdba85c48dcbbd42e6fcb5be3aa2912008cb84.zip |
initial commit
Diffstat (limited to 'roles/space_server/files/nftables')
-rwxr-xr-x | roles/space_server/files/nftables/nftables.conf | 248 | ||||
-rw-r--r-- | roles/space_server/files/nftables/nftables.service | 30 |
2 files changed, 278 insertions, 0 deletions
diff --git a/roles/space_server/files/nftables/nftables.conf b/roles/space_server/files/nftables/nftables.conf new file mode 100755 index 0000000..c9dc9d7 --- /dev/null +++ b/roles/space_server/files/nftables/nftables.conf @@ -0,0 +1,248 @@ +#!/usr/sbin/nft -f + +# our hosts +define ap1 = 10.42.0.5 +define ap2 = 10.42.0.6 +define labitat = 185.38.172.72 + +define spacewand4 = 185.38.175.70 +define spacewand6 = 2a01:4260:1ab::cafe + +# internal stuff +define ext_if = wan +define ext_ip4 = 185.38.175.0 +define ext_ip6 = 2a01:4260:1ab:: +define int_net4 = 10.42.0.0/16 +define ext_net4 = 185.38.175.0/24 +define ext_net6 = 2a01:4260:1ab::/48 +define link_net4 = 193.106.167.40/29 +define link_net6 = 2a03:5440:1:2935:1ab::/120 + +define adm_if = lan10 +define adm_ip4 = 10.42.0.1 +define adm_net4 = 10.42.0.0/24 + +define wire_if = lan11 +define wire_ip4 = 10.42.1.1 +define wire_net4 = 10.42.1.0/24 +define wire_net6 = 2a01:4260:1ab:b::/64 + +define priv_if = lan12 +define priv_ip4 = 10.42.2.1 +define priv_net4 = 10.42.2.0/24 +define priv_net6 = 2a01:4260:1ab:c::/64 + +define free_if = lan13 +define free_ip4 = 10.42.3.1 +define free_net4 = 10.42.3.0/24 + +define pass_if = lan14 +define pass_ip4 = 10.42.4.1 +define pass_net4 = 10.42.4.0/24 +define pass_net6 = 2a01:4260:1ab:e::/64 + +define serv_if = lan20 +define serv_ip4 = 185.38.175.65 +define serv_net4 = 185.38.175.64/24 +define serv_net6 = 2a01:4260:1ab:20::/64 + +define avahi_ifs = { $wire_if, $priv_if, $pass_if } + +#define nat64_if = nat64 +#define nat64_net = 10.42.255.0/24 +#define nat64_net6 = fde2:52b4:4a19:ffff::/96 + +table ip filter { + chain input { + type filter hook input priority 0; + + ct state established,related accept + ct state invalid drop + + # no ping floods + ip protocol icmp limit rate 100/second accept + ip protocol icmp drop + + iif lo accept + + # infrastructure + iif $ext_if ip saddr $link_net4 ip daddr $link_net4 counter accept + udp sport bootpc udp dport bootps iif != $ext_if counter accept # DHCP requests + iif $adm_if ip saddr { $ap1, $ap2 } udp dport 1812 accept # RADIUS from AP + iif $ext_if ip saddr $labitat ip protocol 41 accept # IPv6 tunnel + iif $wire_if ip saddr $wire_net4 udp dport 69 accept # TFTP + iif $wire_if ip saddr $wire_net4 udp dport 123 accept # NTP + + # allow ssh + tcp dport 22 accept + + # dns + ip saddr $int_net4 tcp dport 53 accept + ip saddr $int_net4 udp dport 53 accept + ip saddr $ext_net4 tcp dport 53 accept + ip saddr $ext_net4 udp dport 53 accept + + # Avahi + ip daddr 224.0.0.251 udp dport 5353 iif $avahi_ifs accept + ip protocol igmp iif $avahi_ifs accept # Allow IGMP here + + iif $ext_if counter drop + udp dport { 137, 138, 5353 } drop # NetBIOS, Avahi + udp sport 17500 udp dport 17500 drop # Dropbox LANsync + ip protocol igmp drop # IGMP + #counter log prefix "in4: " drop + drop + } + + chain forward { + type filter hook forward priority 0; + + ct state established,related accept + ct state invalid drop + + # no ping floods + ip protocol icmp limit rate 100/second accept + ip protocol icmp drop + + ip daddr $spacewand4 accept + + ip saddr $labitat udp dport 161 counter accept # traffic stats + + # no traffic to admin net + ip saddr $int_net4 ip daddr $adm_net4 drop + + # local traffic + iif $adm_if ip saddr $adm_net4 accept + iif $wire_if ip saddr $wire_net4 accept + iif $priv_if ip saddr $priv_net4 accept + iif $free_if ip saddr $free_net4 ip daddr != $int_net4 accept + iif $pass_if ip saddr $pass_net4 accept + iif $serv_if ip saddr $serv_net4 accept + + #counter log prefix "fw4: " drop + drop + } +} + +table ip nat { + chain portforward { + ip daddr $ext_ip4 udp dport 161 dnat 10.42.0.9 # traffic stats + } + + chain prerouting { + type nat hook prerouting priority -150; + goto portforward + } + + chain output { + type nat hook output priority -150; + goto portforward + } + + chain input { + type nat hook input priority -150; + # this chain is needed to make dnat from the output chain work + } + + chain postrouting { + type nat hook postrouting priority -150; + oif $ext_if snat $ext_ip4 + } +} + +table ip6 filter { + chain input { + type filter hook input priority 0; + + ct state established,related accept + ct state invalid drop + + # no ping floods + ip6 nexthdr icmpv6 limit rate 100/second accept + ip6 nexthdr icmpv6 drop + + iif lo accept + + iif $ext_if ip6 saddr $link_net6 ip6 daddr $link_net6 counter accept + + # allow ssh + tcp dport 22 accept + + # dns + ip6 saddr $ext_net6 tcp dport 53 accept + ip6 saddr $ext_net6 udp dport 53 accept + + #counter log prefix "in6: " drop + drop + } + + chain forward { + type filter hook forward priority 0; + + ct state established,related accept + ct state invalid drop + + # no ping floods + ip6 nexthdr icmpv6 limit rate 100/second accept + ip6 nexthdr icmpv6 drop + + ip6 daddr $spacewand6 accept + + iif $wire_if ip6 saddr $wire_net6 accept + iif $priv_if ip6 saddr $priv_net6 accept + iif $pass_if ip6 saddr $pass_net6 accept + iif $serv_if ip6 saddr $serv_net6 accept + + #counter log prefix "fw6: " drop + drop + } +} + +# Allow all by default +# (couldn't get default-deny to work, and this script is better than nothing) + +#table ip6 filter { +# chain input { +# type filter hook input priority 0; +# # Don't allow ULA net on outside +# #ip6tables -A INPUT -j REJECT -i $ext_if6 -d $ula_net +# iif $ext_if6 ip6 daddr $ula_net reject +# #ip6tables -A INPUT -j REJECT -i $ext_if6 -s $ula_net +# iif $ext_if6 ip6 saddr $ula_net reject +# +# accept +# } +# +# chain output { +# type filter hook output priority 0; +# #ip6tables -A OUTPUT -j REJECT -o $ext_if6 -d $ula_net +# oif $ext_if6 ip6 daddr $ula_net reject +# #ip6tables -A OUTPUT -j REJECT -o $ext_if6 -s $ula_net +# oif $ext_if6 ip6 saddr $ula_net reject +# +# accept +# } +# +# chain forward { +# type filter hook forward priority 0; +# # Don't allow NAT64 for networks with IPv4 +# # (remember: free and admin don't have IPv6) +# #ip6tables -A FORWARD -j REJECT -i $wire_if -d $nat64_net6 +# iif $wire_if ip6 daddr $nat64_net6 reject +# #ip6tables -A FORWARD -j REJECT -i $priv_if -d $nat64_net6 +# iif $priv_if ip6 daddr $nat64_net6 reject +# #ip6tables -A FORWARD -j REJECT -i $pass_if -d $nat64_net6 +# iif $pass_if ip6 daddr $nat64_net6 reject +# +# #ip6tables -A FORWARD -j REJECT -i $ext_if6 -d $ula_net +# iif $ext_if6 ip6 daddr $ula_net reject +# #ip6tables -A FORWARD -j REJECT -i $ext_if6 -s $ula_net +# iif $ext_if6 ip6 saddr $ula_net reject +# #ip6tables -A FORWARD -j REJECT -o $ext_if6 -d $ula_net +# oif $ext_if6 ip6 daddr $ula_net reject +# #ip6tables -A FORWARD -j REJECT -o $ext_if6 -s $ula_net +# oif $ext_if6 ip6 saddr $ula_net reject +# +# accept +# } +#} diff --git a/roles/space_server/files/nftables/nftables.service b/roles/space_server/files/nftables/nftables.service new file mode 100644 index 0000000..f1c9028 --- /dev/null +++ b/roles/space_server/files/nftables/nftables.service @@ -0,0 +1,30 @@ +[Unit] +Description=Netfilter Tables +Documentation=man:nft(8) +Requires=sys-devices-virtual-net-lan10.device +Requires=sys-devices-virtual-net-lan11.device +Requires=sys-devices-virtual-net-lan12.device +Requires=sys-devices-virtual-net-lan13.device +Requires=sys-devices-virtual-net-lan14.device +Requires=sys-devices-virtual-net-lan15.device +Requires=sys-devices-virtual-net-lan20.device +After=sys-devices-virtual-net-lan10.device +After=sys-devices-virtual-net-lan11.device +After=sys-devices-virtual-net-lan12.device +After=sys-devices-virtual-net-lan13.device +After=sys-devices-virtual-net-lan14.device +After=sys-devices-virtual-net-lan15.device +After=sys-devices-virtual-net-lan20.device +Before=network-online.target + +[Service] +Type=oneshot +ProtectSystem=full +ProtectHome=true +ExecStart=/sbin/nft -f /etc/sysconfig/nftables.conf +ExecReload=/sbin/nft 'flush ruleset; include "/etc/sysconfig/nftables.conf";' +ExecStop=/sbin/nft flush ruleset +RemainAfterExit=yes + +[Install] +WantedBy=multi-user.target |