config: shione: init nftables config

10 files changed, 141 insertions, 0 deletions

diff --git a/config/shione/nftables/debian/changelog b/config/shione/nftables/debian/changelog
new file mode 100644
index 0000000..6a29509
--- /dev/null
+++ b/config/shione/nftables/debian/changelog
@@ -0,0 +1,5 @@
+nftables-config (1.0) unstable; urgency=low
+
+  * Initial release.
+
+ -- Renken <renken@shione.net>  Sun, 24 Dec 2023 19:32:00 +0100
diff --git a/config/shione/nftables/debian/compat b/config/shione/nftables/debian/compat
new file mode 100644
index 0000000..f599e28
--- /dev/null
+++ b/config/shione/nftables/debian/compat
@@ -0,0 +1 @@
+10
diff --git a/config/shione/nftables/debian/control b/config/shione/nftables/debian/control
new file mode 100644
index 0000000..46514e9
--- /dev/null
+++ b/config/shione/nftables/debian/control
@@ -0,0 +1,16 @@
+Source: nftables-config
+Section: tasks
+Priority: optional
+Maintainer: Renken <renken@shione.net>
+Rules-Requires-Root: no
+Build-Depends: debhelper (>= 13.11~), config-package-dev (>= 4.15~)
+Standards-Version: 4.1.0
+
+Package: nftables-config
+Architecture: all
+Multi-Arch: foreign
+Depends: ${misc:Depends}, nftables
+Provides: ${diverted-files}
+Conflicts: ${diverted-files}
+Description: Shione nftables configuration.
+  Shione nftables configuration.
diff --git a/config/shione/nftables/debian/copyright b/config/shione/nftables/debian/copyright
new file mode 100644
index 0000000..2fff8a7
--- /dev/null
+++ b/config/shione/nftables/debian/copyright
@@ -0,0 +1,8 @@
+Format: https://www.debian.org/doc/packaging-manuals/copyright-format/1.0/
+Source: https://gitlab.com/renken/nichijou
+Upstream-Contact: Renken <renken@shione.net>
+
+Files:
+ *
+Copyright: 2023, Renken <renken@shione.net>
+License: GPL-3
diff --git a/config/shione/nftables/debian/files b/config/shione/nftables/debian/files
new file mode 100644
index 0000000..2b4ebfb
--- /dev/null
+++ b/config/shione/nftables/debian/files
@@ -0,0 +1,2 @@
+nftables-config_1.0_all.deb tasks optional
+nftables-config_1.0_amd64.buildinfo tasks optional
diff --git a/config/shione/nftables/debian/nftables-config.displace b/config/shione/nftables/debian/nftables-config.displace
new file mode 100644
index 0000000..a8c1aeb
--- /dev/null
+++ b/config/shione/nftables/debian/nftables-config.displace
@@ -0,0 +1 @@
+/etc/nftables.conf
diff --git a/config/shione/nftables/debian/nftables-config.install b/config/shione/nftables/debian/nftables-config.install
new file mode 100644
index 0000000..5b79850
--- /dev/null
+++ b/config/shione/nftables/debian/nftables-config.install
@@ -0,0 +1 @@
+files/* /
diff --git a/config/shione/nftables/debian/rules b/config/shione/nftables/debian/rules
new file mode 100755
index 0000000..a089a9e
--- /dev/null
+++ b/config/shione/nftables/debian/rules
@@ -0,0 +1,4 @@
+#!/usr/bin/make -f
+
+%:
+	dh $@ --with config-package
diff --git a/config/shione/nftables/debian/source/format b/config/shione/nftables/debian/source/format
new file mode 100644
index 0000000..89ae9db
--- /dev/null
+++ b/config/shione/nftables/debian/source/format
@@ -0,0 +1 @@
+3.0 (native)
diff --git a/config/shione/nftables/files/etc/nftables.conf b/config/shione/nftables/files/etc/nftables.conf
new file mode 100644
index 0000000..ed6634b
--- /dev/null
+++ b/config/shione/nftables/files/etc/nftables.conf
@@ -0,0 +1,102 @@
+#!/usr/sbin/nft -f
+
+flush ruleset                                                                    
+
+define eth_iface = enp1s0
+define wg_iface = wg0
+define wg_port = 51820
+                                                                                 
+table inet filter {
+  chain input_ipv4 {
+    # accepting ping (icmp-echo-request) for diagnostic purposes.
+    # However, it also lets probes discover this host is alive.
+    # This sample accepts them within a certain rate limit:
+      icmp type echo-request limit rate 5/second accept      
+  }
+
+  chain input_ipv6 {                                                         
+    # accept neighbour discovery otherwise connectivity breaks
+    icmpv6 type { nd-neighbor-solicit, nd-router-advert, nd-neighbor-advert } accept
+                                                                                 
+    # accepting ping (icmpv6-echo-request) for diagnostic purposes.
+    # However, it also lets probes discover this host is alive.
+    # This sample accepts them within a certain rate limit:
+    icmpv6 type echo-request limit rate 5/second accept
+  }
+
+  chain input_world {
+    udp dport {
+      $wg_port
+    } accept
+  }
+
+  chain input_vpn {
+    # TODO: Should we limit source address space?
+    #
+    # ip saddr 10.8.0.0/32
+
+    # Allow VPN to use DNS.
+    tcp dport { 53 } accept
+    udp dport { 53 } accept
+  }
+
+  chain input {                                                              
+    # By default, drop all traffic unless it meets a filter
+    # criteria specified by the rules that follow below.
+    type filter hook input priority 0; policy drop;
+
+    # Allow traffic from established and related packets, drop invalid
+    ct state vmap { established : accept, related : accept, invalid : drop } 
+
+    # Jump to chain according to layer 3 protocol using a verdict map
+    meta protocol vmap { ip : jump input_ipv4, ip6 : jump input_ipv6 }
+
+    # Allow traffic for/from both the world and VPN.
+    tcp dport {
+      ssh,
+      http,
+      https,
+    } accept
+
+    # allow loopback traffic, anything else jump to chain for further evaluation
+    iifname vmap { lo : accept, $eth_iface : jump input_world, $wg_iface : jump input_vpn }
+
+    # Uncomment to enable logging of denied input traffic
+    # log prefix "[nftables] input Denied: " counter drop
+
+    # Reject with polite "port unreachable" icmp response
+    reject
+  }                                                                            
+                                                                                 
+  chain forward {                                                              
+    # Drop everything (assumes this device is not a router)                  
+    # type filter hook forward priority filter;
+    type filter hook forward priority 0; policy drop;
+
+    # Forward all icmp/icmpv6 packets
+    meta l4proto { icmp, ipv6-icmp } accept
+
+    # Allow traffic from established and related packets, drop invalid
+    ct state vmap { established : accept, related : accept, invalid : drop } 
+
+    # Forward traffic within the VPN and between it and the outside world.
+    iifname $wg_iface oifname $wg_iface counter accept;
+    iifname $wg_iface oifname $eth_iface counter accept;
+    iifname $eth_iface oifname $eth_iface counter accept;
+
+    # Reject with polite "host unreachable" icmp response
+    reject with icmpx type host-unreachable
+  }                                                                            
+
+  chain prerouting {
+    type nat hook prerouting priority 0;
+  }
+
+  chain postrouting {
+    type nat hook postrouting priority 100; policy accept;
+    # Masquerade all packets from WireGuard VPN to the outside world.
+    iifname $wg_iface oifname $eth_iface masquerade
+  }
+                                                                                 
+  # no need to define output chain, default policy is accept if undefined.
+}