Diffstat (limited to 'roles')
-rw-r--r-- | roles/space_server/files/nftables.conf | 32 |
1 files changed, 18 insertions, 14 deletions
diff --git a/roles/space_server/files/nftables.conf b/roles/space_server/files/nftables.conf
index 30cda74..4930f2e 100644
--- a/roles/space_server/files/nftables.conf
+++ b/roles/space_server/files/nftables.conf
@@ -47,22 +47,18 @@ define nat64_if = nat64
 define nat64_net4 = 10.42.128.0/17
 
 define colo_if = lan20
-define colo_ip4 = 185.38.175.65
-define colo_net4 = {
-	185.38.175.64/26,
-	44.145.128.0/24, # graffen
-}
-define colo_net6 = {
-	2a01:4262:1ab:20::/64,
-	2a01:4262:1ab:1100::/60, # Asbjorn
-	2a01:4262:1ab:1110::/60, # Esmil
-	2001:678:15c::/48, # graffen
-	2a0e:8f02:f034::/48 # Hafnium
-}
 
 define avahi_ifs = { $wire_if, $priv_if, $pass_if }
 
 table ip filter {
+	chain prerouting {
+		type filter hook prerouting priority 0;
+
+		# colo reverse path filtering
+		# find route to saddr on iif, get oif, drop if route is missing
+		iif $colo_if fib saddr . iif oif missing drop;
+	}
+
 	chain input {
 		type filter hook input priority 0;
 
@@ -139,7 +135,7 @@ table ip filter {
 		iif $free_if ip saddr $free_net4 ip daddr != $int_net4 accept
 		iif $pass_if ip saddr $pass_net4 accept
 		iif $nat64_if ip saddr $nat64_net4 accept
-		iif $colo_if ip saddr $colo_net4 ip daddr != $int_net4 accept
+		iif $colo_if ip daddr != $int_net4 accept
 		oif $colo_if accept
 
 		## debugging
@@ -150,6 +146,14 @@ table ip filter {
 }
 
 table ip6 filter {
+	chain prerouting {
+		type filter hook prerouting priority 0;
+
+		# colo reverse path filtering
+		# find route to saddr on iif, get oif, drop if route is missing
+		iif $colo_if fib saddr . iif oif missing drop;
+	}
+
 	chain input {
 		type filter hook input priority 0;
 
@@ -211,7 +215,7 @@ table ip6 filter {
 		iif $free_if ip6 saddr $free_net6 ip6 daddr != $ext_net6 accept
 		iif $pass_if ip6 saddr $pass_net6 accept
 		iif $futu_if ip6 saddr $futu_net6 accept
-		iif $colo_if ip6 saddr $colo_net6 ip6 daddr != $ext_net6 accept
+		iif $colo_if ip6 daddr != $ext_net6 accept
 		oif $colo_if accept
 
 		## debugging
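Review bot: The rewritten rule `iif $colo_if ip daddr != $int_net4 accept` in the second hunk (and its ip6 twin in the fourth) no longer checks the source address itself; it admits whatever the new prerouting `fib saddr . iif oif missing drop` lets through, so the routes pointing at $colo_if have become the implicit allow-list that `$colo_net4`/`$colo_net6` used to spell out. That is only as tight as the routing table: a broad aggregate or a default route via that interface would silently widen the rule to any source, which the old set match could not do, so I would record the dependency next to the rule, e.g. `# source checked by prerouting RPF: any prefix routed via $colo_if is accepted here`. The removed sets also carried the per-tenant attributions (graffen, Asbjorn, Esmil, Hafnium); that ownership information should be kept somewhere, since the route table will not show it. The first hunk additionally deletes `define colo_ip4`; if anything outside these hunks still references `$colo_ip4`, nft will reject the whole ruleset at load time, which I cannot confirm from here. The enclosing chains of the second and fourth hunks start and end outside the hunks.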