From bc647a09b960723615a51ab6e6155c2556bc2e9d Mon Sep 17 00:00:00 2001
From: Emil Renner Berthing
Date: Mon, 13 Nov 2017 21:03:33 +0100
Subject: space_server: nftables: clean up rules a bit

---
 roles/space_server/files/nftables/nftables.conf | 169 +++++++++---------------
 roles/space_server/tasks/nftables.yml | 10 +-
 2 files changed, 70 insertions(+), 109 deletions(-)
 mode change 100755 => 100644 roles/space_server/files/nftables/nftables.conf
(limited to 'roles')

diff --git a/roles/space_server/files/nftables/nftables.conf b/roles/space_server/files/nftables/nftables.conf
old mode 100755
new mode 100644
index c9dc9d7..619d776
--- a/roles/space_server/files/nftables/nftables.conf
+++ b/roles/space_server/files/nftables/nftables.conf
@@ -1,5 +1,3 @@
-#!/usr/sbin/nft -f
-
 # our hosts
 define ap1 = 10.42.0.5
 define ap2 = 10.42.0.6
@@ -35,6 +33,7 @@ define priv_net6 = 2a01:4260:1ab:c::/64
 define free_if = lan13
 define free_ip4 = 10.42.3.1
 define free_net4 = 10.42.3.0/24
+define free_net6 = 2a01:4260:1ab:d::/64
 define pass_if = lan14
 define pass_ip4 = 10.42.4.1
@@ -65,31 +64,34 @@ table ip filter {
 iif lo accept
- # infrastructure
- iif $ext_if ip saddr $link_net4 ip daddr $link_net4 counter accept
- udp sport bootpc udp dport bootps iif != $ext_if counter accept # DHCP requests
- iif $adm_if ip saddr { $ap1, $ap2 } udp dport 1812 accept # RADIUS from AP
- iif $ext_if ip saddr $labitat ip protocol 41 accept # IPv6 tunnel
- iif $wire_if ip saddr $wire_net4 udp dport 69 accept # TFTP
- iif $wire_if ip saddr $wire_net4 udp dport 123 accept # NTP
+ # bird etc. on fiberby link
+ iif $ext_if ip saddr $link_net4 ip daddr $link_net4 counter accept
+
+ # dhcp
+ udp sport bootpc udp dport bootps iif != $ext_if counter accept
+
+ # radius
+ iif $adm_if ip saddr { $ap1, $ap2 } udp dport 1812 accept
+
+ # tftp
+ iif $wire_if ip saddr $wire_net4 udp dport 69 accept
- # allow ssh
+ # ssh
 tcp dport 22 accept
 # dns
- ip saddr $int_net4 tcp dport 53 accept
- ip saddr $int_net4 udp dport 53 accept
- ip saddr $ext_net4 tcp dport 53 accept
- ip saddr $ext_net4 udp dport 53 accept
+ tcp dport 53 ip saddr { $int_net4, $ext_net4 } accept
+ udp dport 53 ip saddr { $int_net4, $ext_net4 } accept
- # Avahi
+ # avahi
 ip daddr 224.0.0.251 udp dport 5353 iif $avahi_ifs accept
- ip protocol igmp iif $avahi_ifs accept # Allow IGMP here
+ ip protocol igmp iif $avahi_ifs accept
- iif $ext_if counter drop
- udp dport { 137, 138, 5353 } drop # NetBIOS, Avahi
- udp sport 17500 udp dport 17500 drop # Dropbox LANsync
- ip protocol igmp drop # IGMP
+ ## debugging
+ #iif $ext_if counter drop
+ #udp dport { 137, 138, 5353, 27036 } drop # NetBIOS, Avahi, Steam in-home stream
+ #udp sport 17500 udp dport 17500 drop # Dropbox LANsync
+ #ip protocol igmp drop # IGMP
 #counter log prefix "in4: " drop
 drop
 }
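Review bot: Two accept rules disappear from the input chain without a counterpart on the new side, which goes beyond regrouping: `iif $ext_if ip saddr $labitat ip protocol 41 accept` (the IPv6 tunnel) and `iif $wire_if ip saddr $wire_net4 udp dport 123 accept` (NTP), and with the chain's trailing `drop` those flows are now dropped. If retiring the tunnel and NTP is intended the commit message should say so, since "clean up rules a bit" reads as no policy change; otherwise keep them under their own headings, e.g. `# ntp` followed by `iif $wire_if ip saddr $wire_net4 udp dport 123 accept`. The drops moved under `## debugging` were redundant with the final `drop`, so commenting them out does not widen what is accepted, though the packet `counter` on the `$ext_if` line is lost. The input chain's header lies outside the hunk.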
@@ -100,16 +102,14 @@ table ip filter {
 ct state established,related accept
 ct state invalid drop
- # no ping floods
- ip protocol icmp limit rate 100/second accept
- ip protocol icmp drop
-
- ip daddr $spacewand4 accept
- ip saddr $labitat udp dport 161 counter accept # traffic stats
 # no traffic to admin net
- ip saddr $int_net4 ip daddr $adm_net4 drop
+ ip daddr $adm_net4 ip saddr $int_net4 reject with icmp type net-prohibited
+ ip daddr $adm_net4 drop
+
+ # accept all traffic to spacewand
+ ip daddr $spacewand4 accept
 # local traffic
 iif $adm_if ip saddr $adm_net4 accept
@@ -119,37 +119,13 @@ table ip filter {
 iif $pass_if ip saddr $pass_net4 accept
 iif $serv_if ip saddr $serv_net4 accept
+ ## debugging
+ #iif $ext_if counter drop
 #counter log prefix "fw4: " drop
 drop
 }
 }
-table ip nat {
- chain portforward {
- ip daddr $ext_ip4 udp dport 161 dnat 10.42.0.9 # traffic stats
- }
-
- chain prerouting {
- type nat hook prerouting priority -150;
- goto portforward
- }
-
- chain output {
- type nat hook output priority -150;
- goto portforward
- }
-
- chain input {
- type nat hook input priority -150;
- # this chain is needed to make dnat from the output chain work
- }
-
- chain postrouting {
- type nat hook postrouting priority -150;
- oif $ext_if snat $ext_ip4
- }
-}
-
 table ip6 filter {
 chain input {
 type filter hook input priority 0;
@@ -158,20 +134,22 @@ table ip6 filter {
 ct state invalid drop
 # no ping floods
- ip6 nexthdr icmpv6 limit rate 100/second accept
- ip6 nexthdr icmpv6 drop
+ ip6 nexthdr { hopopt, ipv6-icmp } limit rate 100/second accept
+ ip6 nexthdr { hopopt, ipv6-icmp } drop
 iif lo accept
+ # bird etc. on fiberby link
 iif $ext_if ip6 saddr $link_net6 ip6 daddr $link_net6 counter accept
- # allow ssh
+ # ssh
 tcp dport 22 accept
 # dns
 ip6 saddr $ext_net6 tcp dport 53 accept
 ip6 saddr $ext_net6 udp dport 53 accept
+ ## debugging
 #counter log prefix "in6: " drop
 drop
 }
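Review bot: The forward-chain rule `ip saddr $labitat udp dport 161 counter accept` is removed while the nat `portforward` chain (moved to the end of the file in this commit) still DNATs `ip daddr $ext_ip4 udp dport 161` to 10.42.0.9, so the translated SNMP packets arriving on `$ext_if` only pass if 10.42.0.9 is `$spacewand4`; otherwise they hit the new `ip daddr $adm_net4 drop` (if 10.42.0.9 is inside `$adm_net4`) or the trailing `drop`, and the port forward is dead. If the stats collector is still meant to work, keep an accept next to the spacewand rule, e.g. `ip daddr 10.42.0.9 udp dport 161 counter accept # traffic stats, via nat portforward`. Moving `ip daddr $spacewand4 accept` below `ip daddr $adm_net4 drop` also blocks it if `$spacewand4` lies inside `$adm_net4`, which cannot be checked from this hunk. The forward chain's header lies outside the hunk.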
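Review bot: In the ip6 input hunk the `# no ping floods` comment no longer describes the rule below it: `ip6 nexthdr { hopopt, ipv6-icmp }` also rate-limits and then drops every packet whose first extension header is hop-by-hop options, which is presumably why `hopopt` was added (MLD carries ICMPv6 behind a hop-by-hop header and would otherwise fall through to the final `drop`). Suggest `# icmpv6, including ICMPv6 behind a hop-by-hop header (MLD): rate-limit, drop the rest` so the next reader does not simplify it back to `ipv6-icmp`. The same two lines are removed from the ip6 forward chain in the next hunk. The input chain's header lies outside the hunk.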
@@ -182,67 +160,42 @@ table ip6 filter {
 ct state established,related accept
 ct state invalid drop
- # no ping floods
- ip6 nexthdr icmpv6 limit rate 100/second accept
- ip6 nexthdr icmpv6 drop
-
 ip6 daddr $spacewand6 accept
 iif $wire_if ip6 saddr $wire_net6 accept
 iif $priv_if ip6 saddr $priv_net6 accept
+ #iif $free_if ip6 saddr $free_net6 ip6 daddr != $int_net6 accept
 iif $pass_if ip6 saddr $pass_net6 accept
 iif $serv_if ip6 saddr $serv_net6 accept
+ ## debugging
 #counter log prefix "fw6: " drop
 drop
 }
 }
-# Allow all by default
-# (couldn't get default-deny to work, and this script is better than nothing)
-
-#table ip6 filter {
-# chain input {
-# type filter hook input priority 0;
-# # Don't allow ULA net on outside
-# #ip6tables -A INPUT -j REJECT -i $ext_if6 -d $ula_net
-# iif $ext_if6 ip6 daddr $ula_net reject
-# #ip6tables -A INPUT -j REJECT -i $ext_if6 -s $ula_net
-# iif $ext_if6 ip6 saddr $ula_net reject
-#
-# accept
-# }
-#
-# chain output {
-# type filter hook output priority 0;
-# #ip6tables -A OUTPUT -j REJECT -o $ext_if6 -d $ula_net
-# oif $ext_if6 ip6 daddr $ula_net reject
-# #ip6tables -A OUTPUT -j REJECT -o $ext_if6 -s $ula_net
-# oif $ext_if6 ip6 saddr $ula_net reject
-#
-# accept
-# }
-#
-# chain forward {
-# type filter hook forward priority 0;
-# # Don't allow NAT64 for networks with IPv4
-# # (remember: free and admin don't have IPv6)
-# #ip6tables -A FORWARD -j REJECT -i $wire_if -d $nat64_net6
-# iif $wire_if ip6 daddr $nat64_net6 reject
-# #ip6tables -A FORWARD -j REJECT -i $priv_if -d $nat64_net6
-# iif $priv_if ip6 daddr $nat64_net6 reject
-# #ip6tables -A FORWARD -j REJECT -i $pass_if -d $nat64_net6
-# iif $pass_if ip6 daddr $nat64_net6 reject
-#
-# #ip6tables -A FORWARD -j REJECT -i $ext_if6 -d $ula_net
-# iif $ext_if6 ip6 daddr $ula_net reject
-# #ip6tables -A FORWARD -j REJECT -i $ext_if6 -s $ula_net
-# iif $ext_if6 ip6 saddr $ula_net reject
-# #ip6tables -A FORWARD -j REJECT -o $ext_if6 -d $ula_net
-# oif $ext_if6 ip6 daddr $ula_net reject
-# #ip6tables -A FORWARD -j REJECT -o $ext_if6 -s $ula_net
-# oif $ext_if6 ip6 saddr $ula_net reject
-#
-# accept
-# }
-#}
+table ip nat {
+ chain portforward {
+ ip daddr $ext_ip4 udp dport 161 dnat 10.42.0.9 # traffic stats
+ }
+
+ chain prerouting {
+ type nat hook prerouting priority -150;
+ goto portforward
+ }
+
+ chain output {
+ type nat hook output priority -150;
+ goto portforward
+ }
+
+ chain input {
+ type nat hook input priority -150;
+ # this chain is needed to make dnat from the output chain work
+ }
+
+ chain postrouting {
+ type nat hook postrouting priority -150;
+ oif $ext_if snat $ext_ip4
+ }
+}
diff --git a/roles/space_server/tasks/nftables.yml b/roles/space_server/tasks/nftables.yml
index a7fb588..2dc8fce 100644
--- a/roles/space_server/tasks/nftables.yml
+++ b/roles/space_server/tasks/nftables.yml
@@ -11,10 +11,18 @@ tags:
 - packages
+- name: Symlink to /etc/nftables.conf
+ file:
+ path: '/etc/sysconfig/nftables.conf'
+ state: link
+ src: '../nftables.conf'
+ force: yes
+ notify:
+ - reload nftables
 - name: Configure nftables
 copy:
 src: nftables/nftables.conf
- dest: '/etc/sysconfig/nftables.conf'
+ dest: '/etc/nftables.conf'
 notify:
 - reload nftables
-- cgit v1.2.1
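Review bot: `free_net6`, defined in the first hunk, is referenced only by the commented-out `#iif $free_if ip6 saddr $free_net6 ip6 daddr != $int_net6 accept` added to the ip6 forward chain here, so the define is dead and the disabled rule gives the reader no reason for being disabled. Either leave the define out until the rule is enabled, or annotate the line, e.g. `# free net IPv6 forwarding kept off: <REASON> — enable together with free_net6` (placeholder to be filled in). Removing `ip6 nexthdr icmpv6 limit rate 100/second accept` from this chain also means forwarded ICMPv6 from `$ext_if` towards inside is now only accepted by `ct state established,related` or `ip6 daddr $spacewand6`, which may be intended but is a policy change the message does not mention. The `table ip nat` block is a verbatim move of the one deleted earlier in the file.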
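Review bot: The new `Symlink to /etc/nftables.conf` task is ordered before the `Configure nftables` copy that creates its target, so on a fresh host `/etc/sysconfig/nftables.conf` is first created as a dangling link to `../nftables.conf` and only becomes valid after the next task; this works solely because of `force: yes`, which lets the file module create a link whose source does not exist yet. Move the symlink task after the copy task (or keep the order and add `# target is written by the following task; force: yes tolerates the dangling link`) so the ordering is not load-bearing. `force: yes` will also replace a regular `/etc/sysconfig/nftables.conf` left behind by earlier deploys, which is presumably the point and worth stating in the task name.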