1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
|
# our hosts
define ap1 = 10.42.0.5
define ap2 = 10.42.0.6
define labitat = 185.38.172.72
define jumbotron_ip4 = 10.42.1.36
define jumbotron_ip6 = 2a01:4262:1ab:b:ba27:ebff:fed3:c162
# internal stuff
define ext_if = wan
define ext_ip4 = 185.38.175.0
define ext_ip6 = 2a01:4262:1ab::
define int_net4 = 10.42.0.0/16
define ext_net4 = 185.38.175.0/24
define ext_net6 = 2a01:4262:1ab::/48
define link_net4 = 193.106.167.40/29
define link_net6 = 2a03:5440:1:2935:1ab::/80
define adm_if = lan10
define adm_ip4 = 10.42.0.1
define adm_net4 = 10.42.0.0/24
define wire_if = lan11
define wire_ip4 = 10.42.1.1
define wire_net4 = 10.42.1.0/24
define wire_net6 = 2a01:4262:1ab:b::/64
define priv_if = lan12
define priv_ip4 = 10.42.2.1
define priv_net4 = 10.42.2.0/24
define priv_net6 = 2a01:4262:1ab:c::/64
define free_if = lan13
define free_ip4 = 10.42.3.1
define free_nat = 185.38.175.1
define free_net4 = 10.42.3.0/24
define free_net6 = 2a01:4262:1ab:d::/64
define pass_if = lan14
define pass_ip4 = 10.42.4.1
define pass_net4 = 10.42.4.0/24
define pass_net6 = 2a01:4262:1ab:e::/64
define futu_if = lan15
define futu_net6 = 2a01:4262:1ab:f::/64
define nat64_if = nat64
define nat64_net4 = 10.42.128.0/17
define colo_if = lan20
define colo_ip4 = 185.38.175.65
define colo_net4 = {
185.38.175.64/26,
44.145.128.0/24, # graffen
}
define colo_net6 = {
2a01:4262:1ab:20::/64,
2a01:4262:1ab:1100::/60, # Asbjorn
2a01:4262:1ab:1110::/60, # Esmil
2001:678:15c::/48, # graffen
2a0e:8f02:f034::/48 # Hafnium
}
define avahi_ifs = { $wire_if, $priv_if, $pass_if }
table ip filter {
chain input {
type filter hook input priority 0;
ct state established,related accept
ct state invalid drop
# no ping floods
ip protocol icmp limit rate 100/second accept
ip protocol icmp drop
iif lo accept
# drop incoming spoofed packages
iif $ext_if ip saddr { 10.0.0.0/8, $ext_net4 } drop
# bird etc. on fiberby link
iif $ext_if ip saddr $link_net4 ip daddr $link_net4 counter accept
# dhcp
udp sport bootpc udp dport bootps iif != $ext_if counter accept
# radius
iif $adm_if ip saddr { $ap1, $ap2 } udp dport 1812 accept
# tftp
iif $wire_if ip saddr $wire_net4 udp dport 69 accept
# ssh
tcp dport 22 accept
# dns
tcp dport 53 ip saddr { $int_net4, $ext_net4 } accept
udp dport 53 ip saddr { $int_net4, $ext_net4 } accept
# ntp
udp dport 123 ip saddr { $int_net4, $ext_net4 } accept
# avahi
ip daddr 224.0.0.251 udp dport 5353 iif $avahi_ifs accept
ip protocol igmp iif $avahi_ifs accept
# http cert validation
tcp dport 80 ip daddr $ext_ip4 accept
## debugging
#iif $ext_if counter drop
#udp dport { 137, 138, 5353, 27036 } drop # NetBIOS, Avahi, Steam in-home stream
#udp sport 17500 udp dport 17500 drop # Dropbox LANsync
#ip protocol igmp drop # IGMP
#counter log prefix "in4: " drop
drop
}
chain forward {
type filter hook forward priority 0;
ct state established,related accept
ct state invalid drop
# drop incoming spoofed packages
iif $ext_if ip saddr { 10.0.0.0/8, $ext_net4 } drop
# jumbotron webhook
ip daddr $jumbotron_ip4 tcp dport 17380 counter accept
# no traffic to admin net
ip daddr $adm_net4 ip saddr $int_net4 reject with icmp type net-prohibited
ip daddr $adm_net4 drop
# local traffic
iif $adm_if ip saddr $adm_net4 accept
iif $wire_if ip saddr $wire_net4 accept
iif $priv_if ip saddr $priv_net4 accept
iif $free_if ip saddr $free_net4 ip daddr != $int_net4 accept
iif $pass_if ip saddr $pass_net4 accept
iif $nat64_if ip saddr $nat64_net4 accept
iif $colo_if ip saddr $colo_net4 ip daddr != $int_net4 accept
oif $colo_if accept
## debugging
#iif $ext_if counter drop
#counter log prefix "fw4: " drop
drop
}
}
table ip6 filter {
chain input {
type filter hook input priority 0;
ct state established,related accept
ct state invalid drop
# no ping floods
ip6 nexthdr ipv6-icmp limit rate 100/second accept
ip6 nexthdr ipv6-icmp drop
iif lo accept
# drop incoming spoofed packages
iif $ext_if ip6 saddr $ext_net6 drop
iif { $adm_if, $wire_if, $priv_if, $free_if, $pass_if } hbh nexthdr ipv6-icmp accept
# bird etc. on fiberby link
iif $ext_if ip6 saddr $link_net6 ip6 daddr $link_net6 counter accept
# tftp
iif $wire_if ip6 saddr $wire_net6 udp dport 69 accept
# ssh
tcp dport 22 accept
# dns
tcp dport 53 ip6 saddr $ext_net6 accept
udp dport 53 ip6 saddr $ext_net6 accept
# ntp
udp dport 123 ip6 saddr $ext_net6 accept
# avahi
ip6 daddr ff02::fb udp dport 5353 iif $avahi_ifs accept
# http cert validation
tcp dport 80 ip6 daddr $ext_ip6 accept
## debugging
#counter log prefix "in6: " drop
drop
}
chain forward {
type filter hook forward priority 0;
ct state established,related accept
ct state invalid drop
# drop incoming spoofed packages
iif $ext_if ip6 saddr $ext_net6 drop
# jumbotron webhook
ip6 daddr $jumbotron_ip6 tcp dport 17380 counter accept
iif $wire_if ip6 saddr $wire_net6 accept
iif $priv_if ip6 saddr $priv_net6 accept
iif $free_if ip6 saddr $free_net6 ip6 daddr != $ext_net6 accept
iif $pass_if ip6 saddr $pass_net6 accept
iif $futu_if ip6 saddr $futu_net6 accept
iif $colo_if ip6 saddr $colo_net6 ip6 daddr != $ext_net6 accept
oif $colo_if accept
## debugging
#counter log prefix "fw6: " drop
drop
}
}
table ip nat {
chain portforward {
ip daddr $ext_ip4 tcp dport 17380 dnat $jumbotron_ip4 # jumbotron webhook
}
chain prerouting {
type nat hook prerouting priority -150;
goto portforward
}
chain output {
type nat hook output priority -150;
goto portforward
}
chain input {
type nat hook input priority -150;
# this chain is needed to make dnat from the output chain work
}
chain postrouting {
type nat hook postrouting priority -150;
oif $ext_if ip saddr $free_net4 snat $free_nat
oif $ext_if ip saddr $int_net4 snat $ext_ip4
}
}
table ip6 nat {
chain portforward {
ip6 daddr $ext_ip6 tcp dport 17380 dnat $jumbotron_ip6 # jumbotron webhook
}
chain prerouting {
type nat hook prerouting priority -150;
goto portforward
}
chain output {
type nat hook output priority -150;
goto portforward
}
#chain input {
# type nat hook input priority -150;
# # this chain is needed to make dnat from the output chain work
#}
#chain postrouting {
# type nat hook postrouting priority -150;
#}
}
|