#!/usr/sbin/nft -f
# Firewall/NAT ruleset for the space router. `wan` faces upstream; every LAN
# segment gets its own interface and prefix below, and the per-segment rules
# in the filter tables are keyed on those (interface, prefix) pairs.

# our hosts
define ap1 = 10.42.0.5                  # access points, allowed to talk RADIUS to us
define ap2 = 10.42.0.6
define labitat = 185.38.172.72          # remote peer: 6in4 tunnel endpoint and SNMP poller

# host that may be reached through the forward chains from anywhere, WAN included
define spacewand4 = 185.38.175.70
define spacewand6 = 2a01:4260:1ab::cafe

# internal stuff
define ext_if    = wan
# NOTE(review): 185.38.175.0 is the all-zero host address of $ext_net4; it is
# the SNAT source and the DNAT match below, so confirm it really is the
# router's public address and not a typo.
define ext_ip4   = 185.38.175.0
define ext_ip6   = 2a01:4260:1ab::
define int_net4  = 10.42.0.0/16         # all RFC1918 LAN segments together
define ext_net4  = 185.38.175.0/24      # our public IPv4 block
define ext_net6  = 2a01:4260:1ab::/48   # our public IPv6 block
define link_net4 = 193.106.167.40/29    # link nets on the WAN side (only ever matched on $ext_if)
define link_net6 = 2a03:5440:1:2935:1ab::/120

define adm_if    = lan10                # admin segment: APs and stats host; other LANs may not reach it
define adm_ip4   = 10.42.0.1
define adm_net4  = 10.42.0.0/24

define wire_if   = lan11                # wired clients; may use TFTP/NTP on the router
define wire_ip4  = 10.42.1.1
define wire_net4 = 10.42.1.0/24
define wire_net6 = 2a01:4260:1ab:b::/64

define priv_if   = lan12
define priv_ip4  = 10.42.2.1
define priv_net4 = 10.42.2.0/24
define priv_net6 = 2a01:4260:1ab:c::/64

define free_if   = lan13                # open network: IPv4 only, no access to 10.42/16
define free_ip4  = 10.42.3.1
define free_net4 = 10.42.3.0/24

define pass_if   = lan14
define pass_ip4  = 10.42.4.1
define pass_net4 = 10.42.4.0/24
define pass_net6 = 2a01:4260:1ab:e::/64

define serv_if   = lan20                # servers on public addresses
define serv_ip4  = 185.38.175.65
# NOTE(review): /24 with non-zero host bits. nft clears the uncovered host
# bits, so this is the whole 185.38.175.0/24 (= $ext_net4), and the
# per-interface source check on $serv_if in the forward chain then admits
# any address in the /24. Confirm the intended prefix length (e.g. /26).
define serv_net4 = 185.38.175.64/24
define serv_net6 = 2a01:4260:1ab:20::/64

# interfaces on which mDNS/IGMP towards the router is accepted
define avahi_ifs = { $wire_if, $priv_if, $pass_if }

# NAT64 is not deployed; the commented-out ip6 table at the bottom refers to these
#define nat64_if   = nat64
#define nat64_net  = 10.42.255.0/24
#define nat64_net6 = fde2:52b4:4a19:ffff::/96

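table ip filter {
	# Per-source tracker for new ssh connections arriving on the WAN.
	# Elements are keyed by source address and expire on their own; the rate
	# limit is attached to each element by the rule that adds it.
	set ssh_new4 {
		type ipv4_addr
		size 65535
		flags dynamic
		timeout 10m
	}

	# Traffic addressed to the router itself.
	chain input {
		type filter hook input priority 0;

		ct state established,related accept
		ct state invalid drop

		# loopback before the ICMP limit so local traffic is never throttled
		iif lo accept

		# no ping floods
		# NOTE: this is a single global bucket, not per source -- one flooder
		# also starves legitimate ICMP such as "fragmentation needed" (PMTUD).
		ip protocol icmp limit rate 100/second accept
		ip protocol icmp drop

		# anti-spoofing: RFC1918 sources never legitimately arrive on the WAN,
		# and the dns rules further down would otherwise match them
		iif $ext_if ip saddr $int_net4 counter drop

		# infrastructure
		iif $ext_if  ip saddr $link_net4 ip daddr $link_net4 counter accept  # WAN link net
		udp sport bootpc udp dport bootps iif != $ext_if counter accept # DHCP requests
		iif $adm_if  ip saddr { $ap1, $ap2 } udp dport 1812 accept      # RADIUS from AP
		iif $ext_if  ip saddr $labitat ip protocol 41 accept            # IPv6 tunnel (6in4)
		iif $wire_if ip saddr $wire_net4 udp dport 69 accept            # TFTP
		iif $wire_if ip saddr $wire_net4 udp dport 123 accept           # NTP

		# allow ssh
		# ssh is reachable on every interface including the WAN. New
		# connections from the WAN are throttled per source address to blunt
		# password guessing; established sessions are accepted at the top of
		# the chain and are not affected. Internal interfaces are not limited.
		iif $ext_if tcp dport 22 ct state new add @ssh_new4 { ip saddr limit rate over 6/minute burst 10 packets } counter drop
		tcp dport 22 accept

		# dns (own networks only -- this is not an open resolver)
		# NOTE(review): $ext_net4 is matched on any interface, so a WAN packet
		# with a spoofed 185.38.175.x source still reaches the resolver. If no
		# part of $ext_net4 lives upstream, add
		# `iif $ext_if ip saddr $ext_net4 counter drop` next to the RFC1918 rule.
		ip saddr $int_net4 tcp dport 53 accept
		ip saddr $int_net4 udp dport 53 accept
		ip saddr $ext_net4 tcp dport 53 accept
		ip saddr $ext_net4 udp dport 53 accept

		# Avahi (mDNS) and the IGMP it needs, on the client segments only
		ip daddr 224.0.0.251 udp dport 5353 iif $avahi_ifs accept
		ip protocol igmp iif $avahi_ifs accept # Allow IGMP here

		# everything else from the WAN is dropped (and counted)
		iif $ext_if counter drop
		# common LAN chatter, dropped before the (currently disabled) log rule
		udp dport { 137, 138, 5353 } drop    # NetBIOS, Avahi
		udp sport 17500 udp dport 17500 drop # Dropbox LANsync
		ip protocol igmp drop                # IGMP
		#counter log prefix "in4: " drop
		drop
	}

	# Traffic routed between interfaces.
	chain forward {
		type filter hook forward priority 0;

		ct state established,related accept
		ct state invalid drop

		# no ping floods (same global-bucket caveat as in the input chain)
		ip protocol icmp limit rate 100/second accept
		ip protocol icmp drop

		# anti-spoofing: RFC1918 sources never legitimately arrive on the WAN
		iif $ext_if ip saddr $int_net4 counter drop

		# reachable from any interface, WAN included
		ip daddr $spacewand4 accept

		ip saddr $labitat udp dport 161 counter accept # traffic stats (DNATed to 10.42.0.9 in the nat table)

		# no traffic to admin net
		# NOTE(review): only RFC1918 sources are blocked here; $serv_net4
		# (public) can still reach $adm_net4 via its accept below -- confirm.
		ip saddr $int_net4 ip daddr $adm_net4 drop

		# local traffic: each segment may only source its own prefix (anti-spoofing)
		iif $adm_if  ip saddr $adm_net4  accept
		iif $wire_if ip saddr $wire_net4 accept
		iif $priv_if ip saddr $priv_net4 accept
		iif $free_if ip saddr $free_net4 ip daddr != $int_net4 accept # free net may not reach 10.42/16
		iif $pass_if ip saddr $pass_net4 accept
		iif $serv_if ip saddr $serv_net4 accept

		#counter log prefix "fw4: " drop
		drop
	}
}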

table ip nat {
	# DNAT rules shared by the prerouting (incoming) and output (router-local)
	# hooks, so the forwarded port behaves the same from both directions.
	chain portforward {
		# traffic stats: SNMP to the collector on the admin net. Any source is
		# rewritten here; the filter forward chain decides who may reach it.
		ip daddr $ext_ip4 udp dport 161 dnat 10.42.0.9
	}

	chain prerouting {
		type nat hook prerouting priority -150;
		goto portforward
	}

	chain output {
		type nat hook output priority -150;
		goto portforward
	}

	# intentionally empty; registering a nat input hook is what makes the
	# DNAT done in the output chain work for locally generated traffic
	chain input {
		type nat hook input priority -150;
	}

	chain postrouting {
		type nat hook postrouting priority -150;
		# everything leaving the WAN is sourced from the router's public address
		# NOTE(review): there is no source filter, so packets from $serv_net4
		# (public addresses) and $link_net4 are rewritten too -- confirm that is
		# intended, otherwise restrict to `ip saddr $int_net4`.
		oif $ext_if snat $ext_ip4
	}
}

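table ip6 filter {
	# Per-source tracker for new ssh connections arriving on the WAN.
	# Elements are keyed by source address and expire on their own; the rate
	# limit is attached to each element by the rule that adds it.
	set ssh_new6 {
		type ipv6_addr
		size 65535
		flags dynamic
		timeout 10m
	}

	# Traffic addressed to the router itself.
	chain input {
		type filter hook input priority 0;

		ct state established,related accept
		ct state invalid drop

		# loopback before the ICMPv6 limit so local traffic is never throttled
		iif lo accept

		# Neighbour discovery is exempt from the flood limit: losing NS/NA or
		# RS/RA under load takes the router's own IPv6 connectivity down.
		# RFC 4861 requires hop limit 255 on these, which keeps off-link
		# senders out.
		meta l4proto icmpv6 icmpv6 type { nd-neighbor-solicit, nd-neighbor-advert, nd-router-solicit, nd-router-advert } ip6 hoplimit 255 accept

		# no ping floods
		# `meta l4proto` is used rather than `ip6 nexthdr`: the latter only
		# matches when ICMPv6 is the very first next header, so ICMPv6 behind
		# an extension header (e.g. MLD, which carries a hop-by-hop header)
		# was never recognised and fell through to the final drop.
		# Single global bucket, not per source.
		meta l4proto icmpv6 limit rate 100/second accept
		meta l4proto icmpv6 drop

		iif $ext_if ip6 saddr $link_net6 ip6 daddr $link_net6 counter accept # WAN link net

		# allow ssh
		# Reachable on every interface including the WAN. New connections from
		# the WAN are throttled per source address; established sessions are
		# accepted at the top of the chain and are not affected.
		iif $ext_if tcp dport 22 ct state new add @ssh_new6 { ip6 saddr limit rate over 6/minute burst 10 packets } counter drop
		tcp dport 22 accept

		# dns (own prefix only)
		# NOTE(review): matched on any interface, so an outside packet with a
		# spoofed $ext_net6 source still reaches the resolver; add an
		# `iif $ext_if ip6 saddr $ext_net6 counter drop` rule above if no part
		# of the /48 lives beyond the WAN.
		ip6 saddr $ext_net6 tcp dport 53 accept
		ip6 saddr $ext_net6 udp dport 53 accept

		#counter log prefix "in6: " drop
		drop
	}

	# Traffic routed between interfaces.
	chain forward {
		type filter hook forward priority 0;

		ct state established,related accept
		ct state invalid drop

		# no ping floods (see the input chain for why `meta l4proto` is used)
		meta l4proto icmpv6 limit rate 100/second accept
		meta l4proto icmpv6 drop

		# reachable from any interface, WAN included
		ip6 daddr $spacewand6 accept

		# local traffic: each segment may only source its own /64 (anti-spoofing).
		# $adm_if and $free_if have no IPv6 prefix defined, so nothing is
		# forwarded from them.
		iif $wire_if ip6 saddr $wire_net6 accept
		iif $priv_if ip6 saddr $priv_net6 accept
		iif $pass_if ip6 saddr $pass_net6 accept
		iif $serv_if ip6 saddr $serv_net6 accept

		#counter log prefix "fw6: " drop
		drop
	}
}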

# Historical allow-all IPv6 ruleset, kept commented out for reference only.
# It is superseded by the default-deny `table ip6 filter` above and cannot be
# enabled as-is: $ext_if6, $ula_net and $nat64_net6 are not defined in this
# file (the nat64 defines near the top are commented out as well).
# (original note: couldn't get default-deny to work, and this script is better than nothing)

#table ip6 filter {
#	chain input {
#		type filter hook input priority 0;
#		# Don't allow ULA net on outside
#		#ip6tables -A INPUT -j REJECT -i $ext_if6 -d $ula_net
#		iif $ext_if6 ip6 daddr $ula_net reject
#		#ip6tables -A INPUT -j REJECT -i $ext_if6 -s $ula_net
#		iif $ext_if6 ip6 saddr $ula_net reject
#
#		accept
#	}
#
#	chain output {
#		type filter hook output priority 0;
#		#ip6tables -A OUTPUT -j REJECT -o $ext_if6 -d $ula_net
#		oif $ext_if6 ip6 daddr $ula_net reject
#		#ip6tables -A OUTPUT -j REJECT -o $ext_if6 -s $ula_net
#		oif $ext_if6 ip6 saddr $ula_net reject
#
#		accept
#	}
#
#	chain forward {
#		type filter hook forward priority 0;
#		# Don't allow NAT64 for networks with IPv4
#		# (remember: free and admin don't have IPv6)
#		#ip6tables -A FORWARD -j REJECT -i $wire_if -d $nat64_net6
#		iif $wire_if ip6 daddr $nat64_net6 reject
#		#ip6tables -A FORWARD -j REJECT -i $priv_if -d $nat64_net6
#		iif $priv_if ip6 daddr $nat64_net6 reject
#		#ip6tables -A FORWARD -j REJECT -i $pass_if -d $nat64_net6
#		iif $pass_if ip6 daddr $nat64_net6 reject
#
#		#ip6tables -A FORWARD -j REJECT -i $ext_if6 -d $ula_net
#		iif $ext_if6 ip6 daddr $ula_net reject
#		#ip6tables -A FORWARD -j REJECT -i $ext_if6 -s $ula_net
#		iif $ext_if6 ip6 saddr $ula_net reject
#		#ip6tables -A FORWARD -j REJECT -o $ext_if6 -d $ula_net
#		oif $ext_if6 ip6 daddr $ula_net reject
#		#ip6tables -A FORWARD -j REJECT -o $ext_if6 -s $ula_net
#		oif $ext_if6 ip6 saddr $ula_net reject
#
#		accept
#	}
#}