Amazing-Mirror/FollieHiyuki-dotfiles
Amazing-Mirror/FollieHiyuki-dotfiles
1
0
Fork 0
mirror of https://git.disroot.org/FollieHiyuki/dotfiles.git synced 2024-11-25 00:38:23 -05:00
Code Issues Projects Releases Wiki Activity
master
FollieHiyuki-dotfiles/system/etc/nftables.conf
FollieHiyuki 12e151d3e1
Some system config changes 
- startwl: move `chmod` out of if statement (ensure $XDG_RUNTIME_DIR
  properly has 0700 permission)
- doas: add Void specified config
- nftables: add note for future changes to block rules
- grub: disable submenu
2021-10-17 21:48:13 +07:00

188 lines
5.6 KiB
Plaintext
Raw Permalink Blame History

#!/sbin/nft -f
# --------------------------------------------------------------------------------- #
# References:
# https://wiki.nftables.org/wiki-nftables/index.php/Main_Page
# https://wiki.gentoo.org/wiki/Nftables/Examples
# https://wiki.archlinux.org/title/Nftables
# https://github.com/krabelize/nftables-firewall-config/blob/master/nftables.conf
# https://github.com/atweiden/archvault/blob/master/resources/etc/nftables.conf
# https://xdeb.org/post/2019/09/26/setting-up-a-server-firewall-with-nftables-that-support-wireguard-vpn/
# Libvirt:
# https://libvirt.org/firewall.html
# Notes:
# - "limit" rules need to be put before "established" connections
# - use sets for groups of things (eg. IP, ports, ...)
# - explicitly allow IPv6 ICMP if do not have "policy accept" on the outgoing chain
# - hook order: ingress -> prerouting -> input/output/forward -> postrouting
# - "iif" should be use when possible (for persistent interfaces) since it is faster than "iifname"
# --------------------------------------------------------------------------------- #
# TODO: move block rules to mangle for faster blocking time (perfomance)
flush ruleset
# TCP ports to accept (both IPv4 and IPv6)
#define ACCEPT_TCP_PORTS = { 80, 443, 1965 }
# UDP ports to accept (both IPv4 and IPv6)
#define ACCEPT_UDP_PORTS = { 51820 }
# Wireguard (use for the 'server' only)
define vpn = wg0
define wan = eth0
define vpn_net = 10.2.0.0/24
table inet filter {
chain libvirt_input {
iifname "virbr0" udp dport 53 counter accept
iifname "virbr0" tcp dport 53 counter accept
iifname "virbr0" udp dport 67 counter accept
iifname "virbr0" tcp dport 67 counter accept
}
chain libvirt_forward {
oifname "virbr0" ip daddr 192.168.122.0/24 ct state { established, related } counter accept
iifname "virbr0" ip saddr 192.168.122.0/24 counter accept
iifname "virbr0" oifname "virbr0" counter accept
oifname "virbr0" counter reject with icmpx type port-unreachable
iifname "virbr0" counter reject with icmpx type port-unreachable
}
chain wireguard_input {
# Allow WireGuard clients to access DNS
iifname $vpn udp dport 53 ct state new counter accept
# Allow VPN clients to communicate with each other
iifname $vpn oifname $vpn ct state new accept
}
chain wireguard_forward {
iifname $vpn oifname $wan ct state new accept
}
# Default to drop all inbound traffic, unless they meet the criteria
chain input {
type filter hook input priority 0; policy drop;
# Drop invalid packets early
ct state invalid counter drop
# Drop none SYN packets
#tcp flags & (fin|syn|rst|ack) != syn ct state new counter drop
# Reject AUTH to make it fail fast
tcp dport 113 reject with icmpx type port-unreachable
# Rate limit on SSH port
#tcp dport ssh ct state new limit rate 6/minute accept
# Mitigate ping floods
ip protocol icmp icmp type { echo-reply, echo-request } limit rate over 1/second burst 4 packets drop
ip6 nexthdr icmpv6 icmpv6 type { echo-reply, echo-request } limit rate over 1/second burst 4 packets drop
ct state { established, related } counter accept
ct status dnat accept
# Allow loopback from host
iif lo accept
iif != lo ip daddr 127.0.0.1/8 counter drop
iif != lo ip6 daddr ::1/128 counter drop
counter jump libvirt_input
counter jump wireguard_input
# Accept user-defined ports
#tcp dport $ACCEPT_TCP_PORTS ct state new counter accept
#udp dport $ACCEPT_UDP_PORTS ct state new counter accept
# Accept ICMPv4
ip protocol icmp icmp type {
echo-reply,
echo-request,
destination-unreachable,
time-exceeded,
parameter-problem,
router-advertisement,
router-solicitation
} counter accept
# Accept basic ICMPv6 functionality
ip6 nexthdr icmpv6 icmpv6 type {
echo-reply,
echo-request,
destination-unreachable,
packet-too-big,
time-exceeded,
parameter-problem
} counter accept
# Allow ICMPv6 SLAAC
ip6 nexthdr icmpv6 icmpv6 type {
nd-router-solicit,
nd-router-advert,
nd-neighbor-solicit,
nd-neighbor-advert,
} ip6 hoplimit 255 counter accept
# Allow ICMPv6 multicast listener discovery on link-local
ip6 nexthdr icmpv6 icmpv6 type {
mld-listener-query,
mld-listener-report,
mld-listener-reduction,
mld2-listener-report,
} ip6 saddr fe80::/10 counter accept
counter comment "Count dropped packets"
#log prefix "[nftables] Inbound Denied: " flags all counter drop
}
# Route your own packets! I'm not your router.
# Can be enabled while using VPN (for tunneling)
chain forward {
type filter hook forward priority 0; policy drop;
ct state { related, established } accept
ct status dnat accept
oif lo accept
oif != lo ip daddr 127.0.0.1/8 counter drop
oif != lo ip6 daddr ::1/128 counter drop
counter jump libvirt_forward
counter jump wireguard_forward
counter comment "Count dropped packets"
#log prefix "[nftables] Forward Denied: " flags all counter drop
}
# Accept all outbound traffic
chain output {
type filter hook output priority 0; policy accept;
counter comment "Count accepted packets"
#log prefix "[nftables] Outbound Accepted: " flags all counter accept
}
}
table inet nat {
chain libvirt_postrouting {
ip saddr 192.168.122.0/24 ip daddr != 192.168.122.0/24 counter masquerade
}
chain wireguard_postrouting {
# Masquerade WireGuard traffic
# All WireGuard traffic will look like it comes from the servers IP address
oifname $wan ip saddr $vpn_net counter masquerade
}
chain postrouting {
type nat hook postrouting priority 100; policy accept;
counter jump libvirt_postrouting
counter jump wireguard_postrouting
}
}
Reference in New Issue View Git Blame Copy Permalink