Diffstat (limited to 'roles/space_server/files/nftables.conf')
-rw-r--r-- | roles/space_server/files/nftables.conf | 49 |
1 files changed, 49 insertions, 0 deletions
diff --git a/roles/space_server/files/nftables.conf b/roles/space_server/files/nftables.conf
index 3502959..93ecc25 100644
--- a/roles/space_server/files/nftables.conf
+++ b/roles/space_server/files/nftables.conf
@@ -48,6 +48,15 @@ define nat64_net4 = 10.42.128.0/17
 define colo_if = lan20
+define tor_if = lan21
+define tor_net4 = 185.38.175.128/28
+define tor_net6 = 2a01:4262:1ab:ffff::/64
+
+define local_ip4 = { $ext_ip4, $adm_ip4, $wire_ip4, $priv_ip4, $free_ip4, $pass_ip4 }
+define local_ip6 = { $ext_ip6 }
+define local_net4 = { $ext_ip4, $free_nat, $int_net4 }
+define local_net6 = 2a01:4262:1ab::/52
+
 define avahi_ifs = { $wire_if, $priv_if, $pass_if }
 table ip filter {
@@ -118,6 +127,10 @@ table ip filter {
 chain forward {
 type filter hook forward priority 0;
+# handle tor traffic - before ct
+iif $tor_if ip saddr $tor_net4 ip daddr != $local_net4 accept
+oif $tor_if ip daddr $tor_net4 ip saddr != $local_net4 accept
+
 ct state established,related accept
 ct state invalid drop
@@ -207,6 +220,10 @@ table ip6 filter {
 chain forward {
 type filter hook forward priority 0;
+# handle tor traffic - before ct
+iif $tor_if ip6 saddr $tor_net6 ip6 daddr != $local_net6 accept
+oif $tor_if ip6 daddr $tor_net6 ip6 saddr != $local_net6 accept
+
 ct state established,related accept
 ct state invalid drop
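Review bot: The two `accept` rules placed above `ct state established,related accept` in the ip filter forward chain pass Tor traffic in both directions with no stateful filtering at all, and the ip6 forward hunk and the raw-table `notrack` rules in the next hunk follow the same pattern, so the only thing keeping a Tor host away from the rest of the site is the `!= $local_net4` / `!= $local_net6` exclusion. That is presumably deliberate for relay throughput, but `local_net4` lists only `$ext_ip4`, `$free_nat` and `$int_net4`, while `local_ip4` additionally names `$adm_ip4`, `$wire_ip4`, `$priv_ip4` and `$pass_ip4`; if any of those hosts or the networks behind them fall outside `$int_net4`/`$free_nat`, a Tor host can reach them untracked and ahead of every later forward rule. The invariant belongs next to the define, e.g. `# local_net4 must cover every locally routed prefix: the tor forward/notrack rules are scoped only by "!= $local_net4"`, and the missing prefixes should be added to `local_net4` (or the inbound `oif $tor_if` rule narrowed) if that does not already hold. Both forward chains continue past the hunk, so the rules that untracked non-Tor packets fall through to are not visible here.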
@@ -281,3 +298,35 @@ table ip6 nat {
 # type nat hook postrouting priority -150;
 #}
 }
+
+table ip raw {
+chain prerouting {
+type filter hook prerouting priority -300; policy accept
+
+iif lo accept
+
+# always do connection tracking for local IP's
+ip saddr $local_ip4 accept
+ip daddr $local_ip4 accept
+
+# avoid connection tracking for most Tor traffic
+ip saddr $tor_net4 ip daddr != $local_net4 notrack
+ip daddr $tor_net4 ip saddr != $local_net4 notrack
+}
+}
+
+table ip6 raw {
+chain prerouting {
+type filter hook prerouting priority -300; policy accept
+
+iif lo accept
+
+# always do connection tracking for local IP's
+ip6 saddr $local_ip6 accept
+ip6 daddr $local_ip6 accept
+
+# avoid connection tracking for most Tor traffic
+ip6 saddr $tor_net6 ip6 daddr != $local_net6 notrack
+ip6 daddr $tor_net6 ip6 saddr != $local_net6 notrack
+}
+}