From c4b3df829d5b07a2ce909389ac56c3e5dabd82a2 Mon Sep 17 00:00:00 2001
From: Mohammed Amar-Bensaber
Date: Tue, 27 Aug 2024 22:22:06 +0200
Subject: [PATCH] nftables: init config package
---
 debian/changelog | 1 +
 debian/control | 9 +++
 debian/nftables-config.displace | 1 +
 debian/nftables-config.install | 1 +
 files/etc/nftables.conf | 122 ++++++++++++++++++++++++++++++++
 5 files changed, 134 insertions(+)
 create mode 100644 debian/nftables-config.displace
 create mode 100644 debian/nftables-config.install
 create mode 100644 files/etc/nftables.conf

diff --git a/debian/changelog b/debian/changelog
index b145ec6..eeedc3b 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,6 +1,7 @@
 shione-config (0.1.0) UNRELEASED; urgency=low
 
 * Add current openssh-server configuration.
+ * Add current nftables configuration.
 * Initial release.
 
 -- Mohammed Amar-Bensaber Sun, 24 Aug 2024 16:06:00 +0200
diff --git a/debian/control b/debian/control
index caf410c..659401f 100644
--- a/debian/control
+++ b/debian/control
@@ -14,3 +14,12 @@ Provides: ${diverted-files}
 Conflicts: ${diverted-files}
 Description: Opinionated openssh-server configuration.
  Opinionated openssh-server configuration.
+
+Package: nftables-config
+Architecture: all
+Multi-Arch: foreign
+Depends: ${misc:Depends}, nftables
+Provides: ${diverted-files}
+Conflicts: ${diverted-files}
+Description: Shione nftables configuration.
+ Nftables configuration for shione.net.
diff --git a/debian/nftables-config.displace b/debian/nftables-config.displace
new file mode 100644
index 0000000..a8c1aeb
--- /dev/null
+++ b/debian/nftables-config.displace
@@ -0,0 +1 @@
+/etc/nftables.conf
diff --git a/debian/nftables-config.install b/debian/nftables-config.install
new file mode 100644
index 0000000..acb7d4c
--- /dev/null
+++ b/debian/nftables-config.install
@@ -0,0 +1 @@
+files/etc/nftables.conf /etc/
diff --git a/files/etc/nftables.conf b/files/etc/nftables.conf
new file mode 100644
index 0000000..aa9f5c4
--- /dev/null
+++ b/files/etc/nftables.conf 
@@ -0,0 +1,122 @@
+#!/usr/sbin/nft -f
+
+flush ruleset
+
+define eth_iface = enp1s0
+define wg_iface = wg0
+define wg_port = 51820
+define dns_port = 53
+define srt_input_udp_port = 60001
+define srt_output_port = 60000
+define srb2kart_port = 5029
+define syncthing_port = 22000
+define syncthing_gui_port = 8384
+
+table inet filter {
+ chain input_ipv4 {
+ # accepting ping (icmp-echo-request) for diagnostic purposes.
+ # However, it also lets probes discover this host is alive.
+ # This sample accepts them within a certain rate limit:
+ icmp type echo-request limit rate 5/second accept
+ }
+
+ chain input_ipv6 {
+ # accept neighbour discovery otherwise connectivity breaks
+ icmpv6 type { nd-neighbor-solicit, nd-router-advert, nd-neighbor-advert } accept
+
+ # accepting ping (icmpv6-echo-request) for diagnostic purposes.
+ # However, it also lets probes discover this host is alive.
+ # This sample accepts them within a certain rate limit:
+ icmpv6 type echo-request limit rate 5/second accept
+ }
+
+ chain input_world {
+ udp dport {
+ $wg_port
+ } accept
+ }
+
+ chain input_vpn {
+ # TODO: Should we limit source address space?
+ #
+ # ip saddr 10.8.0.0/32
+
+ # Allow VPN to use DNS.
+ tcp dport {
+ $dns_port
+ $syncthing_port,
+ $syncthing_gui_port,
+ } accept
+
+ udp dport {
+ $dns_port,
+ $srt_input_udp_port,
+ $syncthing_port,
+ } accept
+ }
+
+ chain input {
+ # By default, drop all traffic unless it meets a filter
+ # criteria specified by the rules that follow below.
+ type filter hook input priority 0; policy drop;
+
+ # Allow traffic from established and related packets, drop invalid
+ ct state vmap { established : accept, related : accept, invalid : drop }
+
+ # Jump to chain according to layer 3 protocol using a verdict map
+ meta protocol vmap { ip : jump input_ipv4, ip6 : jump input_ipv6 }
+
+ # Allow traffic for/from both the world and VPN.
+ tcp dport {
+ ssh,
+ http,
+ https,
+ } accept
+
+ udp dport {
+ $srt_output_port,
+ $srb2kart_port,
+ } accept
+
+ # allow loopback traffic, anything else jump to chain for further evaluation
+ iifname vmap { lo : accept, $eth_iface : jump input_world, $wg_iface : jump input_vpn }
+
+ # Uncomment to enable logging of denied input traffic
+ # log prefix "[nftables] input Denied: " counter drop
+
+ # Reject with polite "port unreachable" icmp response
+ reject
+ }
+
+ chain forward {
+ # Drop everything (assumes this device is not a router)
+ # type filter hook forward priority filter;
+ type filter hook forward priority 0; policy drop;
+
+ # Forward all icmp/icmpv6 packets
+ meta l4proto { icmp, ipv6-icmp } accept
+
+ # Allow traffic from established and related packets, drop invalid
+ ct state vmap { established : accept, related : accept, invalid : drop }
+
+ # Forward traffic within the VPN and between it and the outside world.
+ iifname $wg_iface oifname $wg_iface counter accept;
+ iifname $wg_iface oifname $eth_iface counter accept;
+ iifname $eth_iface oifname $eth_iface counter accept;
+
+ # Reject with polite "host unreachable" icmp response
+ reject with icmpx type host-unreachable
+ }
+
+ chain prerouting {
+ type nat hook prerouting priority 0;
+ }
+
+ chain postrouting {
+ type nat hook postrouting priority 100; policy accept;
+ # Masquerade all packets from WireGuard VPN to the outside world.
+ iifname $wg_iface oifname $eth_iface masquerade
+ }
+
+ # no need to define output chain, default policy is accept if undefined.
+}
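Review bot: In `chain input_vpn` the TCP set lists `$dns_port` with no comma before `$syncthing_port`, unlike every other set in this file; nft separates set elements with commas, so I would expect `nft -f` to reject the whole file, which at boot likely leaves the host with no ruleset loaded (everything accepted) rather than this drop-by-default one. The fix is the single line `$dns_port,`, and the comment above that set, `# Allow VPN to use DNS.`, should also mention Syncthing since the set opens its ports as well. In `chain forward`, the rule `iifname $eth_iface oifname $eth_iface counter accept;` is not covered by the comment above it (VPN-internal and VPN-to-world forwarding) and, with IP forwarding enabled for WireGuard, lets the host relay traffic between peers on `$eth_iface`; if that is unintended drop it, otherwise add a comment stating why it is needed. The leftover `# type filter hook forward priority filter;` line in the same chain should be removed, or all chains switched consistently to the named priorities. The commented-out `ip saddr 10.8.0.0/32` under the TODO matches a single host, so if it is ever enabled it presumably wants the VPN subnet's prefix length instead.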