122 lines
3.5 KiB
Text
122 lines
3.5 KiB
Text
#!/usr/sbin/nft -f
|
|
|
|
flush ruleset
|
|
|
|
define eth_iface = enp1s0
|
|
define wg_iface = wg0
|
|
define wg_port = 51820
|
|
define dns_port = 53
|
|
define srt_input_udp_port = 60001
|
|
define srt_output_port = 60000
|
|
define srb2kart_port = 5029
|
|
define syncthing_port = 22000
|
|
define syncthing_gui_port = 8384
|
|
|
|
table inet filter {
|
|
chain input_ipv4 {
|
|
# accepting ping (icmp-echo-request) for diagnostic purposes.
|
|
# However, it also lets probes discover this host is alive.
|
|
# This sample accepts them within a certain rate limit:
|
|
icmp type echo-request limit rate 5/second accept
|
|
}
|
|
|
|
chain input_ipv6 {
|
|
# accept neighbour discovery otherwise connectivity breaks
|
|
icmpv6 type { nd-neighbor-solicit, nd-router-advert, nd-neighbor-advert } accept
|
|
|
|
# accepting ping (icmpv6-echo-request) for diagnostic purposes.
|
|
# However, it also lets probes discover this host is alive.
|
|
# This sample accepts them within a certain rate limit:
|
|
icmpv6 type echo-request limit rate 5/second accept
|
|
}
|
|
|
|
chain input_world {
|
|
udp dport {
|
|
$wg_port
|
|
} accept
|
|
}
|
|
|
|
chain input_vpn {
|
|
# TODO: Should we limit source address space?
|
|
#
|
|
# ip saddr 10.8.0.0/32
|
|
|
|
# Allow VPN to use DNS.
|
|
tcp dport {
|
|
$dns_port,
|
|
$syncthing_port,
|
|
$syncthing_gui_port,
|
|
} accept
|
|
|
|
udp dport {
|
|
$dns_port,
|
|
$srt_input_udp_port,
|
|
$syncthing_port,
|
|
} accept
|
|
}
|
|
|
|
chain input {
|
|
# By default, drop all traffic unless it meets a filter
|
|
# criteria specified by the rules that follow below.
|
|
type filter hook input priority 0; policy drop;
|
|
|
|
# Allow traffic from established and related packets, drop invalid
|
|
ct state vmap { established : accept, related : accept, invalid : drop }
|
|
|
|
# Jump to chain according to layer 3 protocol using a verdict map
|
|
meta protocol vmap { ip : jump input_ipv4, ip6 : jump input_ipv6 }
|
|
|
|
# Allow traffic for/from both the world and VPN.
|
|
tcp dport {
|
|
ssh,
|
|
http,
|
|
https,
|
|
} accept
|
|
|
|
udp dport {
|
|
$srt_output_port,
|
|
$srb2kart_port,
|
|
} accept
|
|
|
|
# allow loopback traffic, anything else jump to chain for further evaluation
|
|
iifname vmap { lo : accept, $eth_iface : jump input_world, $wg_iface : jump input_vpn }
|
|
|
|
# Uncomment to enable logging of denied input traffic
|
|
# log prefix "[nftables] input Denied: " counter drop
|
|
|
|
# Reject with polite "port unreachable" icmp response
|
|
reject
|
|
}
|
|
|
|
chain forward {
|
|
# Drop everything (assumes this device is not a router)
|
|
# type filter hook forward priority filter;
|
|
type filter hook forward priority 0; policy drop;
|
|
|
|
# Forward all icmp/icmpv6 packets
|
|
meta l4proto { icmp, ipv6-icmp } accept
|
|
|
|
# Allow traffic from established and related packets, drop invalid
|
|
ct state vmap { established : accept, related : accept, invalid : drop }
|
|
|
|
# Forward traffic within the VPN and between it and the outside world.
|
|
iifname $wg_iface oifname $wg_iface counter accept;
|
|
iifname $wg_iface oifname $eth_iface counter accept;
|
|
iifname $eth_iface oifname $eth_iface counter accept;
|
|
|
|
# Reject with polite "host unreachable" icmp response
|
|
reject with icmpx type host-unreachable
|
|
}
|
|
|
|
chain prerouting {
|
|
type nat hook prerouting priority 0;
|
|
}
|
|
|
|
chain postrouting {
|
|
type nat hook postrouting priority 100; policy accept;
|
|
# Masquerade all packets from WireGuard VPN to the outside world.
|
|
iifname $wg_iface oifname $eth_iface masquerade
|
|
}
|
|
|
|
# no need to define output chain, default policy is accept if undefined.
|
|
}
|