From 9454fdbff511e965e4fd9eb187b7fe432dcd437e Mon Sep 17 00:00:00 2001 From: Emil Renner Berthing Date: Wed, 26 Sep 2018 13:16:11 +0200 Subject: space_server: drop uneccessary subdirs --- roles/space_server/files/nftables.conf | 212 +++++++++++++++++++++++++++++++++ 1 file changed, 212 insertions(+) create mode 100644 roles/space_server/files/nftables.conf (limited to 'roles/space_server/files/nftables.conf') diff --git a/roles/space_server/files/nftables.conf b/roles/space_server/files/nftables.conf new file mode 100644 index 0000000..5f2f1b3 --- /dev/null +++ b/roles/space_server/files/nftables.conf @@ -0,0 +1,212 @@ +# our hosts +define ap1 = 10.42.0.5 +define ap2 = 10.42.0.6 +define labitat = 185.38.172.72 + +define spacewand4 = 185.38.175.70 +define spacewand6 = 2a01:4262:1ab::cafe + +define spacebrain4 = 185.38.175.69 +define spacebrain6 = 2a01:4262:1ab::db + +define labservers4 = { $spacewand4, $spacebrain4 } +define labservers6 = { $spacewand6, $spacebrain6 } + +# internal stuff +define ext_if = wan +define ext_ip4 = 185.38.175.0 +define ext_ip6 = 2a01:4262:1ab:: +define int_net4 = 10.42.0.0/16 +define ext_net4 = 185.38.175.0/24 +define ext_net6 = 2a01:4262:1ab::/48 +define link_net4 = 193.106.167.40/29 +define link_net6 = 2a03:5440:1:2935:1ab::/120 + +define adm_if = lan10 +define adm_ip4 = 10.42.0.1 +define adm_net4 = 10.42.0.0/24 + +define wire_if = lan11 +define wire_ip4 = 10.42.1.1 +define wire_net4 = 10.42.1.0/24 +define wire_net6 = 2a01:4262:1ab:b::/64 + +define priv_if = lan12 +define priv_ip4 = 10.42.2.1 +define priv_net4 = 10.42.2.0/24 +define priv_net6 = 2a01:4262:1ab:c::/64 + +define free_if = lan13 +define free_ip4 = 10.42.3.1 +define free_net4 = 10.42.3.0/24 +define free_net6 = 2a01:4262:1ab:d::/64 + +define pass_if = lan14 +define pass_ip4 = 10.42.4.1 +define pass_net4 = 10.42.4.0/24 +define pass_net6 = 2a01:4262:1ab:e::/64 + +define serv_if = lan20 +define serv_ip4 = 185.38.175.65 +define serv_net4 = 185.38.175.64/24 +define serv_net6 = 2a01:4262:1ab:20::/64 + +define avahi_ifs = { $wire_if, $priv_if, $pass_if } + +#define nat64_if = nat64 +#define nat64_net = 10.42.255.0/24 +#define nat64_net6 = fde2:52b4:4a19:ffff::/96 + +table ip filter { + chain input { + type filter hook input priority 0; + + ct state established,related accept + ct state invalid drop + + # no ping floods + ip protocol icmp limit rate 100/second accept + ip protocol icmp drop + + iif lo accept + + # bird etc. on fiberby link + iif $ext_if ip saddr $link_net4 ip daddr $link_net4 counter accept + + # dhcp + udp sport bootpc udp dport bootps iif != $ext_if counter accept + + # radius + iif $adm_if ip saddr { $ap1, $ap2 } udp dport 1812 accept + + # tftp + iif $wire_if ip saddr $wire_net4 udp dport 69 accept + + # ssh + tcp dport 22 accept + + # dns + tcp dport 53 ip saddr { $int_net4, $ext_net4 } accept + udp dport 53 ip saddr { $int_net4, $ext_net4 } accept + + # avahi + ip daddr 224.0.0.251 udp dport 5353 iif $avahi_ifs accept + ip protocol igmp iif $avahi_ifs accept + + ## debugging + #iif $ext_if counter drop + #udp dport { 137, 138, 5353, 27036 } drop # NetBIOS, Avahi, Steam in-home stream + #udp sport 17500 udp dport 17500 drop # Dropbox LANsync + #ip protocol igmp drop # IGMP + #counter log prefix "in4: " drop + drop + } + + chain forward { + type filter hook forward priority 0; + + ct state established,related accept + ct state invalid drop + + # accept all traffic to Labitat servers + ip daddr $labservers4 accept + + ip saddr $labitat udp dport 161 counter accept # traffic stats + + # no traffic to admin net + ip daddr $adm_net4 ip saddr $int_net4 reject with icmp type net-prohibited + ip daddr $adm_net4 drop + + # local traffic + iif $adm_if ip saddr $adm_net4 accept + iif $wire_if ip saddr $wire_net4 accept + iif $priv_if ip saddr $priv_net4 accept + iif $free_if ip saddr $free_net4 ip daddr != $int_net4 accept + iif $pass_if ip saddr $pass_net4 accept + iif $serv_if ip saddr $serv_net4 accept + + ## debugging + #iif $ext_if counter drop + #counter log prefix "fw4: " drop + drop + } +} + +table ip6 filter { + chain input { + type filter hook input priority 0; + + ct state established,related accept + ct state invalid drop + + # no ping floods + ip6 nexthdr ipv6-icmp limit rate 100/second accept + ip6 nexthdr ipv6-icmp drop + + iif lo accept + iif { $adm_if, $wire_if, $priv_if, $free_if, $pass_if } hbh nexthdr ipv6-icmp accept + + # bird etc. on fiberby link + iif $ext_if ip6 saddr $link_net6 ip6 daddr $link_net6 counter accept + + # ssh + tcp dport 22 accept + + # dns + tcp dport 53 ip6 saddr $ext_net6 accept + udp dport 53 ip6 saddr $ext_net6 accept + + # avahi + ip6 daddr ff02::fb udp dport 5353 iif $avahi_ifs accept + + ## debugging + #counter log prefix "in6: " drop + drop + } + + chain forward { + type filter hook forward priority 0; + + ct state established,related accept + ct state invalid drop + + # accept all traffic to Labitat servers + ip6 daddr $labservers6 accept + + iif $wire_if ip6 saddr $wire_net6 accept + iif $priv_if ip6 saddr $priv_net6 accept + iif $free_if ip6 saddr $free_net6 ip6 daddr != $ext_net6 accept + iif $pass_if ip6 saddr $pass_net6 accept + iif $serv_if ip6 saddr $serv_net6 accept + + ## debugging + #counter log prefix "fw6: " drop + drop + } +} + +table ip nat { + chain portforward { + ip daddr $ext_ip4 udp dport 161 dnat 10.42.0.9 # traffic stats + } + + chain prerouting { + type nat hook prerouting priority -150; + goto portforward + } + + chain output { + type nat hook output priority -150; + goto portforward + } + + chain input { + type nat hook input priority -150; + # this chain is needed to make dnat from the output chain work + } + + chain postrouting { + type nat hook postrouting priority -150; + oif $ext_if ip saddr $int_net4 snat $ext_ip4 + } +} -- cgit v1.2.1