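#!/usr/sbin/nft -f
#
# Router ruleset: IPv4 filter + NAT, IPv6 filter.
#
# Loaded with `nft -f`.  The `flush ruleset` below makes a reload idempotent:
# without it, re-running this file against an already-loaded ruleset keeps
# the existing tables/chains and appends a second copy of every rule.
# This assumes the file owns the whole ruleset -- if other tooling adds its
# own tables, replace the flush with per-table `flush table ip filter` etc.
flush ruleset

# our hosts
define ap1 = 10.42.0.5
define ap2 = 10.42.0.6
define labitat = 185.38.172.72          # 6in4 tunnel peer; also polls SNMP
define spacewand4 = 185.38.175.70
define spacewand6 = 2a01:4260:1ab::cafe
define snmp_host = 10.42.0.9            # DNAT target for udp/161 (traffic stats)

# internal stuff
define ext_if = wan
define ext_ip4 = 185.38.175.0
define ext_ip6 = 2a01:4260:1ab::
define int_net4 = 10.42.0.0/16          # all RFC1918 LANs behind this router
define ext_net4 = 185.38.175.0/24
define ext_net6 = 2a01:4260:1ab::/48
define link_net4 = 193.106.167.40/29    # upstream point-to-point link
define link_net6 = 2a03:5440:1:2935:1ab::/120

define adm_if = lan10
define adm_ip4 = 10.42.0.1
define adm_net4 = 10.42.0.0/24

define wire_if = lan11
define wire_ip4 = 10.42.1.1
define wire_net4 = 10.42.1.0/24
define wire_net6 = 2a01:4260:1ab:b::/64

define priv_if = lan12
define priv_ip4 = 10.42.2.1
define priv_net4 = 10.42.2.0/24
define priv_net6 = 2a01:4260:1ab:c::/64

define free_if = lan13
define free_ip4 = 10.42.3.1
define free_net4 = 10.42.3.0/24

define pass_if = lan14
define pass_ip4 = 10.42.4.1
define pass_net4 = 10.42.4.0/24
define pass_net6 = 2a01:4260:1ab:e::/64

define serv_if = lan20
define serv_ip4 = 185.38.175.65
# NOTE(review): 185.38.175.64/24 is not on a /24 boundary; nft applies the
# mask, so this is effectively 185.38.175.0/24 (= $ext_net4) and the
# per-interface anti-spoof match on $serv_if in the forward chain accepts any
# source in the whole external /24.  Confirm the intended prefix (e.g. /26 for
# .64-.127) and fix it here.
define serv_net4 = 185.38.175.64/24
define serv_net6 = 2a01:4260:1ab:20::/64

define avahi_ifs = { $wire_if, $priv_if, $pass_if }

#define nat64_if = nat64
#define nat64_net = 10.42.255.0/24
#define nat64_net6 = fde2:52b4:4a19:ffff::/96

table ip filter {
    chain input {
        # default-deny via chain policy rather than a trailing `drop` rule, so
        # the chain stays closed even if the last rule is ever removed by hand
        type filter hook input priority 0; policy drop;

        iif lo accept
        ct state established,related accept
        ct state invalid drop

        # anti-spoofing: nothing legitimate on the uplink carries an internal
        # or loopback source.  Must precede the accepts further down that match
        # on source address only (dns from $int_net4), otherwise a packet from
        # wan with a forged 10.42.x.x source would reach them.
        iif $ext_if ip saddr { $int_net4, 127.0.0.0/8 } counter drop

        # no ping floods
        # NOTE: this limit is a single bucket shared by all sources, so one
        # flooder also starves legitimate ICMP (e.g. fragmentation-needed)
        ip protocol icmp limit rate 100/second accept
        ip protocol icmp drop

        # infrastructure
        iif $ext_if ip saddr $link_net4 ip daddr $link_net4 counter accept
        udp sport bootpc udp dport bootps iif != $ext_if counter accept  # DHCP requests
        iif $adm_if ip saddr { $ap1, $ap2 } udp dport 1812 accept       # RADIUS from AP
        iif $ext_if ip saddr $labitat ip protocol 41 accept             # IPv6 tunnel
        iif $wire_if ip saddr $wire_net4 udp dport 69 accept            # TFTP
        iif $wire_if ip saddr $wire_net4 udp dport 123 accept           # NTP

        # allow ssh -- from everywhere, including the uplink.  Consider
        # `iif != $ext_if` or a source set if wan-side ssh is not required.
        tcp dport 22 accept

        # dns
        # NOTE(review): $ext_net4 sources are also accepted from wan; if no
        # part of the /24 lives beyond the uplink, add it to the anti-spoof set.
        ip saddr $int_net4 tcp dport 53 accept
        ip saddr $int_net4 udp dport 53 accept
        ip saddr $ext_net4 tcp dport 53 accept
        ip saddr $ext_net4 udp dport 53 accept

        # Avahi (mDNS, plus the IGMP it needs) on the client networks only
        ip daddr 224.0.0.251 udp dport 5353 iif $avahi_ifs accept
        ip protocol igmp iif $avahi_ifs accept

        # everything else from the uplink is dropped (counted for visibility)
        iif $ext_if counter drop

        # silently drop local broadcast noise so it never reaches the log rule
        udp dport { 137, 138, 5353 } drop       # NetBIOS, Avahi
        udp sport 17500 udp dport 17500 drop    # Dropbox LANsync
        ip protocol igmp drop                   # IGMP

        #counter log prefix "in4: " drop
        # anything left falls through to the chain policy (drop)
    }

    chain forward {
        type filter hook forward priority 0; policy drop;

        ct state established,related accept
        ct state invalid drop

        # anti-spoofing, same reasoning as in input
        iif $ext_if ip saddr { $int_net4, 127.0.0.0/8 } counter drop

        # no ping floods (shared bucket, see input)
        ip protocol icmp limit rate 100/second accept
        ip protocol icmp drop

        ip daddr $spacewand4 accept                     # public server, reachable from anywhere
        ip saddr $labitat udp dport 161 counter accept  # traffic stats (SNMP; DNAT target in table ip nat)

        # no traffic to admin net from the other LANs
        # NOTE(review): only $int_net4 sources are blocked; $serv_net4 hosts
        # are accepted by the $serv_if rule below and can reach $adm_net4 --
        # confirm that is intended.
        ip saddr $int_net4 ip daddr $adm_net4 drop

        # local traffic: each LAN may only originate packets from its own prefix
        iif $adm_if ip saddr $adm_net4 accept
        iif $wire_if ip saddr $wire_net4 accept
        iif $priv_if ip saddr $priv_net4 accept
        iif $free_if ip saddr $free_net4 ip daddr != $int_net4 accept   # free net: internet only
        iif $pass_if ip saddr $pass_net4 accept
        iif $serv_if ip saddr $serv_net4 accept

        #counter log prefix "fw4: " drop
        # anything left falls through to the chain policy (drop)
    }
}

table ip nat {
    # Destination rewrites shared by prerouting (packets from the network) and
    # output (locally generated packets).  Not hooked itself; reached via goto.
    chain portforward {
        ip daddr $ext_ip4 udp dport 161 dnat to $snmp_host  # traffic stats
    }

    # Priority -150 is unconventional (dstnat is usually -100, srcnat 100) but
    # sits after conntrack (-200), which is what matters for NAT to work.
    chain prerouting {
        type nat hook prerouting priority -150;
        goto portforward
    }

    chain output {
        type nat hook output priority -150;
        goto portforward
    }

    chain input {
        type nat hook input priority -150;
        # this chain is needed to make dnat from the output chain work
    }

    chain postrouting {
        type nat hook postrouting priority -150;
        # Do not rewrite sources that are already in our public /24: it is
        # routed to us, so the servers keep their own addresses.  (The previous
        # rule translated every source leaving $ext_if.)  Everything else --
        # the RFC1918 LANs and the router's own link-addressed traffic -- is
        # translated to $ext_ip4 as before.
        oif $ext_if ip saddr != $ext_net4 snat to $ext_ip4
    }
}

table ip6 filter {
    chain input {
        type filter hook input priority 0; policy drop;

        iif lo accept
        ct state established,related accept
        ct state invalid drop

        # anti-spoofing: our delegated /48 lives behind the lan interfaces, so
        # it should never be a source on the uplink (which uses $link_net6).
        # NOTE(review): confirm no part of $ext_net6 is routed in via wan
        # (e.g. the 6in4 tunnel terminates on its own interface, not wan).
        iif $ext_if ip6 saddr $ext_net6 counter drop

        # neighbour discovery must never be rate-limited, or the link dies
        # under an ICMPv6 flood (the limit below is one bucket for all sources)
        icmpv6 type { nd-router-solicit, nd-router-advert, nd-neighbor-solicit, nd-neighbor-advert } accept

        # no ping floods
        # note: `ip6 nexthdr` only matches when ICMPv6 is the first header;
        # ICMPv6 behind extension headers falls through to the policy drop
        ip6 nexthdr icmpv6 limit rate 100/second accept
        ip6 nexthdr icmpv6 drop

        iif $ext_if ip6 saddr $link_net6 ip6 daddr $link_net6 counter accept

        # allow ssh (see the IPv4 note)
        tcp dport 22 accept

        # dns
        ip6 saddr $ext_net6 tcp dport 53 accept
        ip6 saddr $ext_net6 udp dport 53 accept

        #counter log prefix "in6: " drop
        # anything left falls through to the chain policy (drop)
    }

    chain forward {
        type filter hook forward priority 0; policy drop;

        ct state established,related accept
        ct state invalid drop

        # anti-spoofing, same as in input
        iif $ext_if ip6 saddr $ext_net6 counter drop

        # no ping floods (shared bucket, see input)
        ip6 nexthdr icmpv6 limit rate 100/second accept
        ip6 nexthdr icmpv6 drop

        ip6 daddr $spacewand6 accept    # public server, reachable from anywhere

        # local traffic: each LAN may only originate packets from its own prefix
        # (adm and free have no IPv6)
        iif $wire_if ip6 saddr $wire_net6 accept
        iif $priv_if ip6 saddr $priv_net6 accept
        iif $pass_if ip6 saddr $pass_net6 accept
        iif $serv_if ip6 saddr $serv_net6 accept

        #counter log prefix "fw6: " drop
        # anything left falls through to the chain policy (drop)
    }
}

# ---------------------------------------------------------------------------
# Old, disabled IPv6 ruleset kept for reference.  It was allow-by-default
# ("couldn't get default-deny to work, and this script is better than nothing")
# and references $ext_if6, $ula_net and $nat64_net6, none of which are defined
# above any more.  The active ip6 table is the one above.
# ---------------------------------------------------------------------------
#table ip6 filter {
#    chain input {
#        type filter hook input priority 0;
#
#        # Don't allow ULA net on outside
#        #ip6tables -A INPUT -j REJECT -i $ext_if6 -d $ula_net
#        iif $ext_if6 ip6 daddr $ula_net reject
#        #ip6tables -A INPUT -j REJECT -i $ext_if6 -s $ula_net
#        iif $ext_if6 ip6 saddr $ula_net reject
#
#        accept
#    }
#
#    chain output {
#        type filter hook output priority 0;
#        #ip6tables -A OUTPUT -j REJECT -o $ext_if6 -d $ula_net
#        oif $ext_if6 ip6 daddr $ula_net reject
#        #ip6tables -A OUTPUT -j REJECT -o $ext_if6 -s $ula_net
#        oif $ext_if6 ip6 saddr $ula_net reject
#
#        accept
#    }
#
#    chain forward {
#        type filter hook forward priority 0;
#
#        # Don't allow NAT64 for networks with IPv4
#        # (remember: free and admin don't have IPv6)
#        #ip6tables -A FORWARD -j REJECT -i $wire_if -d $nat64_net6
#        iif $wire_if ip6 daddr $nat64_net6 reject
#        #ip6tables -A FORWARD -j REJECT -i $priv_if -d $nat64_net6
#        iif $priv_if ip6 daddr $nat64_net6 reject
#        #ip6tables -A FORWARD -j REJECT -i $pass_if -d $nat64_net6
#        iif $pass_if ip6 daddr $nat64_net6 reject
#
#        #ip6tables -A FORWARD -j REJECT -i $ext_if6 -d $ula_net
#        iif $ext_if6 ip6 daddr $ula_net reject
#        #ip6tables -A FORWARD -j REJECT -i $ext_if6 -s $ula_net
#        iif $ext_if6 ip6 saddr $ula_net reject
#        #ip6tables -A FORWARD -j REJECT -o $ext_if6 -d $ula_net
#        oif $ext_if6 ip6 daddr $ula_net reject
#        #ip6tables -A FORWARD -j REJECT -o $ext_if6 -s $ula_net
#        oif $ext_if6 ip6 saddr $ula_net reject
#
#        accept
#    }
#}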