Diffstat (limited to 'roles/space_server/files/nftables')
-rwxr-xr-xroles/space_server/files/nftables/nftables.conf248
-rw-r--r--roles/space_server/files/nftables/nftables.service30
2 files changed, 278 insertions, 0 deletions
diff --git a/roles/space_server/files/nftables/nftables.conf b/roles/space_server/files/nftables/nftables.conf
new file mode 100755
index 0000000..c9dc9d7
--- /dev/null
+++ b/roles/space_server/files/nftables/nftables.conf
@@ -0,0 +1,248 @@
+#!/usr/sbin/nft -f
+
+# our hosts
+define ap1 = 10.42.0.5
+define ap2 = 10.42.0.6
+define labitat = 185.38.172.72
+
+define spacewand4 = 185.38.175.70
+define spacewand6 = 2a01:4260:1ab::cafe
+
+# internal stuff
+define ext_if = wan
+define ext_ip4 = 185.38.175.0
+define ext_ip6 = 2a01:4260:1ab::
+define int_net4 = 10.42.0.0/16
+define ext_net4 = 185.38.175.0/24
+define ext_net6 = 2a01:4260:1ab::/48
+define link_net4 = 193.106.167.40/29
+define link_net6 = 2a03:5440:1:2935:1ab::/120
+
+define adm_if = lan10
+define adm_ip4 = 10.42.0.1
+define adm_net4 = 10.42.0.0/24
+
+define wire_if = lan11
+define wire_ip4 = 10.42.1.1
+define wire_net4 = 10.42.1.0/24
+define wire_net6 = 2a01:4260:1ab:b::/64
+
+define priv_if = lan12
+define priv_ip4 = 10.42.2.1
+define priv_net4 = 10.42.2.0/24
+define priv_net6 = 2a01:4260:1ab:c::/64
+
+define free_if = lan13
+define free_ip4 = 10.42.3.1
+define free_net4 = 10.42.3.0/24
+
+define pass_if = lan14
+define pass_ip4 = 10.42.4.1
+define pass_net4 = 10.42.4.0/24
+define pass_net6 = 2a01:4260:1ab:e::/64
+
+define serv_if = lan20
+define serv_ip4 = 185.38.175.65
+define serv_net4 = 185.38.175.64/24
+define serv_net6 = 2a01:4260:1ab:20::/64
+
+define avahi_ifs = { $wire_if, $priv_if, $pass_if }
+
+#define nat64_if = nat64
+#define nat64_net = 10.42.255.0/24
+#define nat64_net6 = fde2:52b4:4a19:ffff::/96
+
+table ip filter {
+ chain input {
+ type filter hook input priority 0;
+
+ ct state established,related accept
+ ct state invalid drop
+
+ # no ping floods
+ ip protocol icmp limit rate 100/second accept
+ ip protocol icmp drop
+
+ iif lo accept
+
+ # infrastructure
+ iif $ext_if ip saddr $link_net4 ip daddr $link_net4 counter accept
+ udp sport bootpc udp dport bootps iif != $ext_if counter accept # DHCP requests
+ iif $adm_if ip saddr { $ap1, $ap2 } udp dport 1812 accept # RADIUS from AP
+ iif $ext_if ip saddr $labitat ip protocol 41 accept # IPv6 tunnel
+ iif $wire_if ip saddr $wire_net4 udp dport 69 accept # TFTP
+ iif $wire_if ip saddr $wire_net4 udp dport 123 accept # NTP
+
+ # allow ssh
+ tcp dport 22 accept
+
+ # dns
+ ip saddr $int_net4 tcp dport 53 accept
+ ip saddr $int_net4 udp dport 53 accept
+ ip saddr $ext_net4 tcp dport 53 accept
+ ip saddr $ext_net4 udp dport 53 accept
+
+ # Avahi
+ ip daddr 224.0.0.251 udp dport 5353 iif $avahi_ifs accept
+ ip protocol igmp iif $avahi_ifs accept # Allow IGMP here
+
+ iif $ext_if counter drop
+ udp dport { 137, 138, 5353 } drop # NetBIOS, Avahi
+ udp sport 17500 udp dport 17500 drop # Dropbox LANsync
+ ip protocol igmp drop # IGMP
+ #counter log prefix "in4: " drop
+ drop
+ }
+
+ chain forward {
+ type filter hook forward priority 0;
+
+ ct state established,related accept
+ ct state invalid drop
+
+ # no ping floods
+ ip protocol icmp limit rate 100/second accept
+ ip protocol icmp drop
+
+ ip daddr $spacewand4 accept
+
+ ip saddr $labitat udp dport 161 counter accept # traffic stats
+
+ # no traffic to admin net
+ ip saddr $int_net4 ip daddr $adm_net4 drop
+
+ # local traffic
+ iif $adm_if ip saddr $adm_net4 accept
+ iif $wire_if ip saddr $wire_net4 accept
+ iif $priv_if ip saddr $priv_net4 accept
+ iif $free_if ip saddr $free_net4 ip daddr != $int_net4 accept
+ iif $pass_if ip saddr $pass_net4 accept
+ iif $serv_if ip saddr $serv_net4 accept
+
+ #counter log prefix "fw4: " drop
+ drop
+ }
+}
+
+table ip nat {
+ chain portforward {
+ ip daddr $ext_ip4 udp dport 161 dnat 10.42.0.9 # traffic stats
+ }
+
+ chain prerouting {
+ type nat hook prerouting priority -150;
+ goto portforward
+ }
+
+ chain output {
+ type nat hook output priority -150;
+ goto portforward
+ }
+
+ chain input {
+ type nat hook input priority -150;
+ # this chain is needed to make dnat from the output chain work
+ }
+
+ chain postrouting {
+ type nat hook postrouting priority -150;
+ oif $ext_if snat $ext_ip4
+ }
+}
+
+table ip6 filter {
+ chain input {
+ type filter hook input priority 0;
+
+ ct state established,related accept
+ ct state invalid drop
+
+ # no ping floods
+ ip6 nexthdr icmpv6 limit rate 100/second accept
+ ip6 nexthdr icmpv6 drop
+
+ iif lo accept
+
+ iif $ext_if ip6 saddr $link_net6 ip6 daddr $link_net6 counter accept
+
+ # allow ssh
+ tcp dport 22 accept
+
+ # dns
+ ip6 saddr $ext_net6 tcp dport 53 accept
+ ip6 saddr $ext_net6 udp dport 53 accept
+
+ #counter log prefix "in6: " drop
+ drop
+ }
+
+ chain forward {
+ type filter hook forward priority 0;
+
+ ct state established,related accept
+ ct state invalid drop
+
+ # no ping floods
+ ip6 nexthdr icmpv6 limit rate 100/second accept
+ ip6 nexthdr icmpv6 drop
+
+ ip6 daddr $spacewand6 accept
+
+ iif $wire_if ip6 saddr $wire_net6 accept
+ iif $priv_if ip6 saddr $priv_net6 accept
+ iif $pass_if ip6 saddr $pass_net6 accept
+ iif $serv_if ip6 saddr $serv_net6 accept
+
+ #counter log prefix "fw6: " drop
+ drop
+ }
+}
+
+# Allow all by default
+# (couldn't get default-deny to work, and this script is better than nothing)
+
+#table ip6 filter {
+# chain input {
+# type filter hook input priority 0;
+# # Don't allow ULA net on outside
+# #ip6tables -A INPUT -j REJECT -i $ext_if6 -d $ula_net
+# iif $ext_if6 ip6 daddr $ula_net reject
+# #ip6tables -A INPUT -j REJECT -i $ext_if6 -s $ula_net
+# iif $ext_if6 ip6 saddr $ula_net reject
+#
+# accept
+# }
+#
+# chain output {
+# type filter hook output priority 0;
+# #ip6tables -A OUTPUT -j REJECT -o $ext_if6 -d $ula_net
+# oif $ext_if6 ip6 daddr $ula_net reject
+# #ip6tables -A OUTPUT -j REJECT -o $ext_if6 -s $ula_net
+# oif $ext_if6 ip6 saddr $ula_net reject
+#
+# accept
+# }
+#
+# chain forward {
+# type filter hook forward priority 0;
+# # Don't allow NAT64 for networks with IPv4
+# # (remember: free and admin don't have IPv6)
+# #ip6tables -A FORWARD -j REJECT -i $wire_if -d $nat64_net6
+# iif $wire_if ip6 daddr $nat64_net6 reject
+# #ip6tables -A FORWARD -j REJECT -i $priv_if -d $nat64_net6
+# iif $priv_if ip6 daddr $nat64_net6 reject
+# #ip6tables -A FORWARD -j REJECT -i $pass_if -d $nat64_net6
+# iif $pass_if ip6 daddr $nat64_net6 reject
+#
+# #ip6tables -A FORWARD -j REJECT -i $ext_if6 -d $ula_net
+# iif $ext_if6 ip6 daddr $ula_net reject
+# #ip6tables -A FORWARD -j REJECT -i $ext_if6 -s $ula_net
+# iif $ext_if6 ip6 saddr $ula_net reject
+# #ip6tables -A FORWARD -j REJECT -o $ext_if6 -d $ula_net
+# oif $ext_if6 ip6 daddr $ula_net reject
+# #ip6tables -A FORWARD -j REJECT -o $ext_if6 -s $ula_net
+# oif $ext_if6 ip6 saddr $ula_net reject
+#
+# accept
+# }
+#}
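Review bot: The ICMPv6 handling in `table ip6 filter` (input at L177-L178, forward at L202-L203) rate-limits all of ICMPv6 and then drops the excess, which includes Neighbor Discovery; under a burst of other ICMPv6 traffic the dropped NS/NA/RS/RA packets break IPv6 connectivity on the router itself and on the forwarded segments. Accept NDP unconditionally before the limiter, e.g. `icmpv6 type { nd-router-solicit, nd-router-advert, nd-neighbor-solicit, nd-neighbor-advert } accept`, and consider `meta l4proto icmpv6` instead of `ip6 nexthdr icmpv6`, since `nexthdr` only matches when no extension header precedes the ICMPv6 header. In the nat postrouting chain `oif $ext_if snat $ext_ip4` also rewrites sources from `$serv_net4`, which is a public range, so if those hosts are meant to be reachable with their own addresses the rule presumably should be `ip saddr $int_net4 oif $ext_if snat $ext_ip4`. `define serv_net4 = 185.38.175.64/24` is the same prefix as `$ext_net4` (the /24 swallows the .64 offset) and looks like a typo for a narrower prefix such as /26 or /27, which widens the `iif $serv_if ip saddr $serv_net4 accept` forward rule beyond the intended subnet. `tcp dport 22 accept` in both input chains has no interface or source restriction, so SSH is reachable from `$ext_if`; if that is intended it deserves a comment, otherwise restrict it to `iif != $ext_if` or to the admin networks.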
diff --git a/roles/space_server/files/nftables/nftables.service b/roles/space_server/files/nftables/nftables.service
new file mode 100644
index 0000000..f1c9028
--- /dev/null
+++ b/roles/space_server/files/nftables/nftables.service
@@ -0,0 +1,30 @@
+[Unit]
+Description=Netfilter Tables
+Documentation=man:nft(8)
+Requires=sys-devices-virtual-net-lan10.device
+Requires=sys-devices-virtual-net-lan11.device
+Requires=sys-devices-virtual-net-lan12.device
+Requires=sys-devices-virtual-net-lan13.device
+Requires=sys-devices-virtual-net-lan14.device
+Requires=sys-devices-virtual-net-lan15.device
+Requires=sys-devices-virtual-net-lan20.device
+After=sys-devices-virtual-net-lan10.device
+After=sys-devices-virtual-net-lan11.device
+After=sys-devices-virtual-net-lan12.device
+After=sys-devices-virtual-net-lan13.device
+After=sys-devices-virtual-net-lan14.device
+After=sys-devices-virtual-net-lan15.device
+After=sys-devices-virtual-net-lan20.device
+Before=network-online.target
+
+[Service]
+Type=oneshot
+ProtectSystem=full
+ProtectHome=true
+ExecStart=/sbin/nft -f /etc/sysconfig/nftables.conf
+ExecReload=/sbin/nft 'flush ruleset; include "/etc/sysconfig/nftables.conf";'
+ExecStop=/sbin/nft flush ruleset
+RemainAfterExit=yes
+
+[Install]
+WantedBy=multi-user.target
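Review bot: The unit orders itself after the lan10–lan15 and lan20 device units but not after `wan`, yet nftables.conf uses `iif $ext_if` (and `oif $ext_if`), which nft resolves to an interface index at load time and rejects with "Interface does not exist" if the interface is absent; if `wan` appears later than the VLAN devices, `nft -f` fails, the oneshot fails, and the host is left with no ruleset (fail-open). Add `Requires=sys-subsystem-net-devices-wan.device` and `After=sys-subsystem-net-devices-wan.device`, or switch the rules to `iifname`/`oifname`, which match by name and tolerate interfaces that come and go. `lan15` is required here but never referenced in nftables.conf, so if that device does not exist on the host the dependency alone prevents the firewall from loading; presumably this is a leftover and should be removed or documented. It is also worth a comment that `ExecStop=/sbin/nft flush ruleset` removes all filtering, so a `systemctl stop nftables` leaves the router fully open rather than falling back to a deny policy.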