From f334f2c7e831929155b29a126ab1227ed945ad16 Mon Sep 17 00:00:00 2001
From: Renken
Date: Mon, 1 Jan 2024 21:10:48 +0100
Subject: [PATCH] config: shione: init nftables config
---
config/shione/nftables/debian/changelog | 5 +
config/shione/nftables/debian/compat | 1 +
config/shione/nftables/debian/control | 16 +++
config/shione/nftables/debian/copyright | 8 ++
config/shione/nftables/debian/files | 2 +
.../nftables/debian/nftables-config.displace | 1 +
.../nftables/debian/nftables-config.install | 1 +
config/shione/nftables/debian/rules | 4 +
config/shione/nftables/debian/source/format | 1 +
.../shione/nftables/files/etc/nftables.conf | 102 ++++++++++++++++++
10 files changed, 141 insertions(+)
create mode 100644 config/shione/nftables/debian/changelog
create mode 100644 config/shione/nftables/debian/compat
create mode 100644 config/shione/nftables/debian/control
create mode 100644 config/shione/nftables/debian/copyright
create mode 100644 config/shione/nftables/debian/files
create mode 100644 config/shione/nftables/debian/nftables-config.displace
create mode 100644 config/shione/nftables/debian/nftables-config.install
create mode 100755 config/shione/nftables/debian/rules
create mode 100644 config/shione/nftables/debian/source/format
create mode 100644 config/shione/nftables/files/etc/nftables.conf
diff --git a/config/shione/nftables/debian/changelog b/config/shione/nftables/debian/changelog
new file mode 100644
index 0000000..6a29509
--- /dev/null
+++ b/config/shione/nftables/debian/changelog
@@ -0,0 +1,5 @@
+nftables-config (1.0) unstable; urgency=low
+
+ * Initial release.
+
+ -- Renken Sun, 24 Dec 2023 19:32:00 +0100
diff --git a/config/shione/nftables/debian/compat b/config/shione/nftables/debian/compat
new file mode 100644
index 0000000..f599e28
--- /dev/null
+++ b/config/shione/nftables/debian/compat
@@ -0,0 +1 @@
+10
diff --git a/config/shione/nftables/debian/control b/config/shione/nftables/debian/control
new file mode 100644
index 0000000..46514e9
--- /dev/null
+++ b/config/shione/nftables/debian/control
@@ -0,0 +1,16 @@
+Source: nftables-config
+Section: tasks
+Priority: optional
+Maintainer: Renken
+Rules-Requires-Root: no
+Build-Depends: debhelper (>= 13.11~), config-package-dev (>= 4.15~)
+Standards-Version: 4.1.0
+
+Package: nftables-config
+Architecture: all
+Multi-Arch: foreign
+Depends: ${misc:Depends}, nftables
+Provides: ${diverted-files}
+Conflicts: ${diverted-files}
+Description: Shione nftables configuration.
+ Shione nftables configuration.
diff --git a/config/shione/nftables/debian/copyright b/config/shione/nftables/debian/copyright
new file mode 100644
index 0000000..2fff8a7
--- /dev/null
+++ b/config/shione/nftables/debian/copyright
@@ -0,0 +1,8 @@
+Format: https://www.debian.org/doc/packaging-manuals/copyright-format/1.0/
+Source: https://gitlab.com/renken/nichijou
+Upstream-Contact: Renken
+
+Files:
+ *
+Copyright: 2023, Renken
+License: GPL-3
diff --git a/config/shione/nftables/debian/files b/config/shione/nftables/debian/files
new file mode 100644
index 0000000..2b4ebfb
--- /dev/null
+++ b/config/shione/nftables/debian/files
@@ -0,0 +1,2 @@
+nftables-config_1.0_all.deb tasks optional
+nftables-config_1.0_amd64.buildinfo tasks optional
diff --git a/config/shione/nftables/debian/nftables-config.displace b/config/shione/nftables/debian/nftables-config.displace
new file mode 100644
index 0000000..a8c1aeb
--- /dev/null
+++ b/config/shione/nftables/debian/nftables-config.displace
@@ -0,0 +1 @@
+/etc/nftables.conf
diff --git a/config/shione/nftables/debian/nftables-config.install b/config/shione/nftables/debian/nftables-config.install
new file mode 100644
index 0000000..5b79850
--- /dev/null
+++ b/config/shione/nftables/debian/nftables-config.install
@@ -0,0 +1 @@
+files/* /
diff --git a/config/shione/nftables/debian/rules b/config/shione/nftables/debian/rules
new file mode 100755
index 0000000..a089a9e
--- /dev/null
+++ b/config/shione/nftables/debian/rules
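Review bot: `Build-Depends: debhelper (>= 13.11~)` in control asks for debhelper 13 while `debian/compat` in the earlier hunk pins compat level 10, so the two files disagree about which debhelper era the package targets; the current idiom is to remove `debian/compat` and declare the level in control, e.g. `Build-Depends: debhelper-compat (= 13), config-package-dev (>= 4.15~)`. The `Description` synopsis `Shione nftables configuration.` ends with a full stop and the extended description only repeats it, which lintian will likely flag; a synopsis such as `nftables ruleset for the shione host` followed by a line naming what the ruleset admits (WireGuard, ssh, http/https) would tell `dpkg -s` readers something the synopsis does not. `Standards-Version: 4.1.0` is also several years behind the debhelper version being requested and should be bumped when the compat change is made.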
@@ -0,0 +1,4 @@
+#!/usr/bin/make -f
+
+%:
+ dh $@ --with config-package
diff --git a/config/shione/nftables/debian/source/format b/config/shione/nftables/debian/source/format
new file mode 100644
index 0000000..89ae9db
--- /dev/null
+++ b/config/shione/nftables/debian/source/format
@@ -0,0 +1 @@
+3.0 (native)
diff --git a/config/shione/nftables/files/etc/nftables.conf b/config/shione/nftables/files/etc/nftables.conf
new file mode 100644
index 0000000..ed6634b
--- /dev/null
+++ b/config/shione/nftables/files/etc/nftables.conf
@@ -0,0 +1,102 @@
+#!/usr/sbin/nft -f
+
+flush ruleset
+
+define eth_iface = enp1s0
+define wg_iface = wg0
+define wg_port = 51820
+
+table inet filter {
+ chain input_ipv4 {
+ # accepting ping (icmp-echo-request) for diagnostic purposes.
+ # However, it also lets probes discover this host is alive.
+ # This sample accepts them within a certain rate limit:
+ icmp type echo-request limit rate 5/second accept
+ }
+
+ chain input_ipv6 {
+ # accept neighbour discovery otherwise connectivity breaks
+ icmpv6 type { nd-neighbor-solicit, nd-router-advert, nd-neighbor-advert } accept
+
+ # accepting ping (icmpv6-echo-request) for diagnostic purposes.
+ # However, it also lets probes discover this host is alive.
+ # This sample accepts them within a certain rate limit:
+ icmpv6 type echo-request limit rate 5/second accept
+ }
+
+ chain input_world {
+ udp dport {
+ $wg_port
+ } accept
+ }
+
+ chain input_vpn {
+ # TODO: Should we limit source address space?
+ #
+ # ip saddr 10.8.0.0/32
+
+ # Allow VPN to use DNS.
+ tcp dport { 53 } accept
+ udp dport { 53 } accept
+ }
+
+ chain input {
+ # By default, drop all traffic unless it meets a filter
+ # criteria specified by the rules that follow below.
+ type filter hook input priority 0; policy drop;
+
+ # Allow traffic from established and related packets, drop invalid
+ ct state vmap { established : accept, related : accept, invalid : drop }
+
+ # Jump to chain according to layer 3 protocol using a verdict map
+ meta protocol vmap { ip : jump input_ipv4, ip6 : jump input_ipv6 }
+
+ # Allow traffic for/from both the world and VPN.
+ tcp dport {
+ ssh,
+ http,
+ https,
+ } accept
+
+ # allow loopback traffic, anything else jump to chain for further evaluation
+ iifname vmap { lo : accept, $eth_iface : jump input_world, $wg_iface : jump input_vpn }
+
+ # Uncomment to enable logging of denied input traffic
+ # log prefix "[nftables] input Denied: " counter drop
+
+ # Reject with polite "port unreachable" icmp response
+ reject
+ }
+
+ chain forward {
+ # Drop everything (assumes this device is not a router)
+ # type filter hook forward priority filter;
+ type filter hook forward priority 0; policy drop;
+
+ # Forward all icmp/icmpv6 packets
+ meta l4proto { icmp, ipv6-icmp } accept
+
+ # Allow traffic from established and related packets, drop invalid
+ ct state vmap { established : accept, related : accept, invalid : drop }
+
+ # Forward traffic within the VPN and between it and the outside world.
+ iifname $wg_iface oifname $wg_iface counter accept;
+ iifname $wg_iface oifname $eth_iface counter accept;
+ iifname $eth_iface oifname $eth_iface counter accept;
+
+ # Reject with polite "host unreachable" icmp response
+ reject with icmpx type host-unreachable
+ }
+
+ chain prerouting {
+ type nat hook prerouting priority 0;
+ }
+
+ chain postrouting {
+ type nat hook postrouting priority 100; policy accept;
+ # Masquerade all packets from WireGuard VPN to the outside world.
+ iifname $wg_iface oifname $eth_iface masquerade
+ }
+
+ # no need to define output chain, default policy is accept if undefined.
+}
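Review bot: The forward chain's `iifname $eth_iface oifname $eth_iface counter accept;` contradicts the comment at the top of the chain ("assumes this device is not a router") and, since IP forwarding must be on for the VPN rules to work, lets the host relay traffic between other hosts on the Ethernet side; unless hairpin forwarding is actually needed, drop that line, otherwise replace the comment with the reason it is there. The `meta l4proto { icmp, ipv6-icmp } accept` rule sits above the `ct state` vmap and has no interface match, so unsolicited ICMP arriving on `$eth_iface` is forwarded into the VPN as well; moving it below the ct state rule, or qualifying it with `iifname $wg_iface`, keeps the drop policy meaningful for the untrusted direction. The TODO in input_vpn can probably be closed rather than implemented: WireGuard's cryptokey routing already discards decrypted packets whose inner source address is outside the sending peer's AllowedIPs, so an `ip saddr` match on `$wg_iface` would duplicate that check, and the commented `10.8.0.0/32` is a single address where a /24 was presumably meant. Finally, `tcp dport { ssh, http, https } accept` in input runs before the interface vmap, so ssh is reachable on every interface; the comment says that is intended, but a `limit rate` on the ssh port, like the one already applied to echo-request, would be a cheap brake on credential guessing from the Ethernet side.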