aboutsummaryrefslogtreecommitdiffstats
path: root/roles/space_server/templates/nftables.conf.j2
diff options
context:
space:
mode:
Diffstat (limited to 'roles/space_server/templates/nftables.conf.j2')
-rw-r--r--roles/space_server/templates/nftables.conf.j2332
1 files changed, 332 insertions, 0 deletions
diff --git a/roles/space_server/templates/nftables.conf.j2 b/roles/space_server/templates/nftables.conf.j2
new file mode 100644
index 0000000..412270c
--- /dev/null
+++ b/roles/space_server/templates/nftables.conf.j2
@@ -0,0 +1,332 @@
+# our hosts
+define ap1 = {{ local_hosts['ap1'].ipv4[0] }}
+define ap2 = {{ local_hosts['ap2'].ipv4[0] }}
+define labitat = 185.38.172.72
+define jumbotron_ip4 = {{ local_hosts['jumbotron'].ipv4[0] }}
+define jumbotron_ip6 = {{ local_hosts['jumbotron'].ipv6[0] }}
+
+# internal stuff
+define ext_if = wan
+define ext_ip4 = 185.38.175.0
+define ext_ip6 = 2a01:4262:1ab::
+define int_net4 = 10.42.0.0/16
+define ext_net4 = 185.38.175.0/24
+define ext_net6 = 2a01:4262:1ab::/48
+define link_net4 = 193.106.167.40/29
+define link_net6 = 2a03:5440:1:2935:1ab::/80
+
+define adm_if = lan10
+define adm_ip4 = 10.42.0.1
+define adm_net4 = 10.42.0.0/24
+
+define wire_if = lan11
+define wire_ip4 = 10.42.1.1
+define wire_net4 = 10.42.1.0/24
+define wire_net6 = 2a01:4262:1ab:b::/64
+
+define priv_if = lan12
+define priv_ip4 = 10.42.2.1
+define priv_net4 = 10.42.2.0/24
+define priv_net6 = 2a01:4262:1ab:c::/64
+
+define free_if = lan13
+define free_ip4 = 10.42.3.1
+define free_nat = 185.38.175.1
+define free_net4 = 10.42.3.0/24
+define free_net6 = 2a01:4262:1ab:d::/64
+
+define pass_if = lan14
+define pass_ip4 = 10.42.4.1
+define pass_net4 = 10.42.4.0/24
+define pass_net6 = 2a01:4262:1ab:e::/64
+
+define futu_if = lan15
+define futu_net6 = 2a01:4262:1ab:f::/64
+
+define nat64_if = nat64
+define nat64_net4 = 10.42.128.0/17
+
+define colo_if = lan20
+
+define tor_if = lan21
+define tor_net4 = 185.38.175.128/28
+define tor_net6 = 2a01:4262:1ab:ffff::/64
+
+define local_ip4 = { $ext_ip4, $adm_ip4, $wire_ip4, $priv_ip4, $free_ip4, $pass_ip4 }
+define local_ip6 = { $ext_ip6 }
+define local_net4 = { $ext_ip4, $free_nat, $int_net4 }
+define local_net6 = 2a01:4262:1ab::/52
+
+define avahi_ifs = { $wire_if, $priv_if, $pass_if }
+
+table ip filter {
+ chain prerouting {
+ type filter hook prerouting priority 0;
+
+ # colo reverse path filtering
+ # find route to saddr on iif, get oif, drop if route is missing
+ iif $colo_if fib saddr . iif oif missing drop;
+ }
+
+ chain input {
+ type filter hook input priority 0;
+
+ ct state established,related accept
+ ct state invalid drop
+
+ # no ping floods
+ ip protocol icmp limit rate 100/second accept
+ ip protocol icmp drop
+
+ iif lo accept
+
+ # drop incoming spoofed packages
+ iif $ext_if ip saddr { 10.0.0.0/8, $ext_net4 } drop
+
+ # bird etc. on fiberby link
+ iif $ext_if ip saddr $link_net4 ip daddr $link_net4 counter accept
+
+ # bgp
+ iif $colo_if tcp dport bgp accept
+
+ # dhcp
+ udp sport bootpc udp dport bootps iif != $ext_if counter accept
+
+ # radius
+ iif $adm_if ip saddr { $ap1, $ap2 } udp dport 1812 accept
+
+ # tftp
+ iif $wire_if ip saddr $wire_net4 udp dport 69 accept
+
+ # ssh
+ tcp dport 22 accept
+
+ # dns
+ tcp dport 53 ip saddr { $int_net4, $ext_net4 } accept
+ udp dport 53 ip saddr { $int_net4, $ext_net4 } accept
+
+ # ntp
+ udp dport 123 ip saddr { $int_net4, $ext_net4 } accept
+
+ # avahi
+ ip daddr 224.0.0.251 udp dport 5353 iif $avahi_ifs accept
+ ip protocol igmp iif $avahi_ifs accept
+
+ # http cert validation
+ tcp dport 80 ip daddr $ext_ip4 accept
+
+ ## debugging
+ #iif $ext_if counter drop
+ #udp dport { 137, 138, 5353, 27036 } drop # NetBIOS, Avahi, Steam in-home stream
+ #udp sport 17500 udp dport 17500 drop # Dropbox LANsync
+ #ip protocol igmp drop # IGMP
+ #counter log prefix "in4: " drop
+ drop
+ }
+
+ chain forward {
+ type filter hook forward priority 0;
+
+ # handle tor traffic - before ct
+ iif $tor_if ip saddr $tor_net4 ip daddr != $local_net4 accept
+ oif $tor_if ip daddr $tor_net4 ip saddr != $local_net4 accept
+
+ ct state established,related accept
+ ct state invalid drop
+
+ # drop incoming spoofed packages
+ iif $ext_if ip saddr { 10.0.0.0/8, $ext_net4 } drop
+
+ # jumbotron webhook
+ ip daddr $jumbotron_ip4 tcp dport 17380 counter accept
+
+ # no traffic to admin net
+ ip daddr $adm_net4 ip saddr $int_net4 reject with icmp type net-prohibited
+ ip daddr $adm_net4 drop
+
+ # local traffic
+ iif $adm_if ip saddr $adm_net4 accept
+ iif $wire_if ip saddr $wire_net4 accept
+ iif $priv_if ip saddr $priv_net4 accept
+ iif $free_if ip saddr $free_net4 ip daddr != $int_net4 accept
+ iif $pass_if ip saddr $pass_net4 accept
+ iif $nat64_if ip saddr $nat64_net4 accept
+ iif $colo_if ip daddr != $int_net4 accept
+ oif $colo_if accept
+
+ ## debugging
+ #iif $ext_if counter drop
+ #counter log prefix "fw4: " drop
+ drop
+ }
+}
+
+table ip6 filter {
+ chain prerouting {
+ type filter hook prerouting priority 0;
+
+ # colo reverse path filtering
+ # find route to saddr on iif, get oif, drop if route is missing
+ iif $colo_if fib saddr . iif oif missing drop;
+ }
+
+ chain input {
+ type filter hook input priority 0;
+
+ ct state established,related accept
+ ct state invalid drop
+
+ # no ping floods
+ ip6 nexthdr ipv6-icmp limit rate 100/second accept
+ ip6 nexthdr ipv6-icmp drop
+
+ iif lo accept
+
+ # drop incoming spoofed packages
+ iif $ext_if ip6 saddr $ext_net6 drop
+
+ iif { $adm_if, $wire_if, $priv_if, $free_if, $pass_if } hbh nexthdr ipv6-icmp accept
+
+ # bird etc. on fiberby link
+ iif $ext_if ip6 saddr $link_net6 ip6 daddr $link_net6 counter accept
+
+ # bgp
+ iif $colo_if tcp dport bgp accept
+
+ # tftp
+ iif $wire_if ip6 saddr $wire_net6 udp dport 69 accept
+
+ # ssh
+ tcp dport 22 accept
+
+ # dns
+ tcp dport 53 ip6 saddr $ext_net6 accept
+ udp dport 53 ip6 saddr $ext_net6 accept
+
+ # ntp
+ udp dport 123 ip6 saddr $ext_net6 accept
+
+ # avahi
+ ip6 daddr ff02::fb udp dport 5353 iif $avahi_ifs accept
+
+ # http cert validation
+ tcp dport 80 ip6 daddr $ext_ip6 accept
+
+ ## debugging
+ #counter log prefix "in6: " drop
+ drop
+ }
+
+ chain forward {
+ type filter hook forward priority 0;
+
+ # handle tor traffic - before ct
+ iif $tor_if ip6 saddr $tor_net6 ip6 daddr != $local_net6 accept
+ oif $tor_if ip6 daddr $tor_net6 ip6 saddr != $local_net6 accept
+
+ ct state established,related accept
+ ct state invalid drop
+
+ # drop incoming spoofed packages
+ iif $ext_if ip6 saddr $ext_net6 drop
+
+ # jumbotron webhook
+ ip6 daddr $jumbotron_ip6 tcp dport 17380 counter accept
+
+ iif $wire_if ip6 saddr $wire_net6 accept
+ iif $priv_if ip6 saddr $priv_net6 accept
+ iif $free_if ip6 saddr $free_net6 ip6 daddr != $ext_net6 accept
+ iif $pass_if ip6 saddr $pass_net6 accept
+ iif $futu_if ip6 saddr $futu_net6 accept
+ iif $colo_if ip6 daddr != $ext_net6 accept
+ oif $colo_if accept
+
+ ## debugging
+ #counter log prefix "fw6: " drop
+ drop
+ }
+}
+
+table ip nat {
+ chain portforward {
+ ip daddr $ext_ip4 tcp dport 17380 dnat $jumbotron_ip4 # jumbotron webhook
+ }
+
+ chain prerouting {
+ type nat hook prerouting priority -150;
+ goto portforward
+ }
+
+ chain output {
+ type nat hook output priority -150;
+ goto portforward
+ }
+
+ chain input {
+ type nat hook input priority -150;
+ # this chain is needed to make dnat from the output chain work
+ }
+
+ chain postrouting {
+ type nat hook postrouting priority -150;
+ oif $ext_if ip saddr $free_net4 snat $free_nat
+ oif $ext_if ip saddr $int_net4 snat $ext_ip4
+ }
+}
+
+table ip6 nat {
+ chain portforward {
+ ip6 daddr $ext_ip6 tcp dport 17380 dnat $jumbotron_ip6 # jumbotron webhook
+ }
+
+ chain prerouting {
+ type nat hook prerouting priority -150;
+ goto portforward
+ }
+
+ chain output {
+ type nat hook output priority -150;
+ goto portforward
+ }
+
+ #chain input {
+ # type nat hook input priority -150;
+ # # this chain is needed to make dnat from the output chain work
+ #}
+
+ #chain postrouting {
+ # type nat hook postrouting priority -150;
+ #}
+}
+
+table ip raw {
+ chain prerouting {
+ type filter hook prerouting priority -300; policy accept
+
+ iif lo accept
+
+ # always do connection tracking for local IP's
+ ip saddr $local_ip4 accept
+ ip daddr $local_ip4 accept
+
+ # avoid connection tracking for most Tor traffic
+ ip saddr $tor_net4 ip daddr != $local_net4 notrack
+ ip daddr $tor_net4 ip saddr != $local_net4 notrack
+ }
+}
+
+table ip6 raw {
+ chain prerouting {
+ type filter hook prerouting priority -300; policy accept
+
+ iif lo accept
+
+ # always do connection tracking for local IP's
+ ip6 saddr $local_ip6 accept
+ ip6 daddr $local_ip6 accept
+
+ # avoid connection tracking for most Tor traffic
+ ip6 saddr $tor_net6 ip6 daddr != $local_net6 notrack
+ ip6 daddr $tor_net6 ip6 saddr != $local_net6 notrack
+ }
+}
generated by cgit v1.2.1 (git 2.18.0) at 2025-06-08 22:49:45 +0000