aboutsummaryrefslogtreecommitdiffstats
path: root/files/etc/nftables.conf
diff options
context:
space:
mode:
Diffstat (limited to 'files/etc/nftables.conf')
-rw-r--r--files/etc/nftables.conf122
1 files changed, 0 insertions, 122 deletions
diff --git a/files/etc/nftables.conf b/files/etc/nftables.conf
deleted file mode 100644
index 5d851f0..0000000
--- a/files/etc/nftables.conf
+++ /dev/null
@@ -1,122 +0,0 @@
-#!/usr/sbin/nft -f
-
-flush ruleset
-
-define eth_iface = enp1s0
-define wg_iface = wg0
-define wg_port = 51820
-define dns_port = 53
-define srt_input_udp_port = 60001
-define srt_output_port = 60000
-define srb2kart_port = 5029
-define syncthing_port = 22000
-define syncthing_gui_port = 8384
-
-table inet filter {
- chain input_ipv4 {
- # accepting ping (icmp-echo-request) for diagnostic purposes.
- # However, it also lets probes discover this host is alive.
- # This sample accepts them within a certain rate limit:
- icmp type echo-request limit rate 5/second accept
- }
-
- chain input_ipv6 {
- # accept neighbour discovery otherwise connectivity breaks
- icmpv6 type { nd-neighbor-solicit, nd-router-advert, nd-neighbor-advert } accept
-
- # accepting ping (icmpv6-echo-request) for diagnostic purposes.
- # However, it also lets probes discover this host is alive.
- # This sample accepts them within a certain rate limit:
- icmpv6 type echo-request limit rate 5/second accept
- }
-
- chain input_world {
- udp dport {
- $wg_port
- } accept
- }
-
- chain input_vpn {
- # TODO: Should we limit source address space?
- #
- # ip saddr 10.8.0.0/32
-
- # Allow VPN to use DNS.
- tcp dport {
- $dns_port,
- $syncthing_port,
- $syncthing_gui_port,
- } accept
-
- udp dport {
- $dns_port,
- $srt_input_udp_port,
- $syncthing_port,
- } accept
- }
-
- chain input {
- # By default, drop all traffic unless it meets a filter
- # criteria specified by the rules that follow below.
- type filter hook input priority 0; policy drop;
-
- # Allow traffic from established and related packets, drop invalid
- ct state vmap { established : accept, related : accept, invalid : drop }
-
- # Jump to chain according to layer 3 protocol using a verdict map
- meta protocol vmap { ip : jump input_ipv4, ip6 : jump input_ipv6 }
-
- # Allow traffic for/from both the world and VPN.
- tcp dport {
- ssh,
- http,
- https,
- } accept
-
- udp dport {
- $srt_output_port,
- $srb2kart_port,
- } accept
-
- # allow loopback traffic, anything else jump to chain for further evaluation
- iifname vmap { lo : accept, $eth_iface : jump input_world, $wg_iface : jump input_vpn }
-
- # Uncomment to enable logging of denied input traffic
- # log prefix "[nftables] input Denied: " counter drop
-
- # Reject with polite "port unreachable" icmp response
- reject
- }
-
- chain forward {
- # Drop everything (assumes this device is not a router)
- # type filter hook forward priority filter;
- type filter hook forward priority 0; policy drop;
-
- # Forward all icmp/icmpv6 packets
- meta l4proto { icmp, ipv6-icmp } accept
-
- # Allow traffic from established and related packets, drop invalid
- ct state vmap { established : accept, related : accept, invalid : drop }
-
- # Forward traffic within the VPN and between it and the outside world.
- iifname $wg_iface oifname $wg_iface counter accept;
- iifname $wg_iface oifname $eth_iface counter accept;
- iifname $eth_iface oifname $eth_iface counter accept;
-
- # Reject with polite "host unreachable" icmp response
- reject with icmpx type host-unreachable
- }
-
- chain prerouting {
- type nat hook prerouting priority 0;
- }
-
- chain postrouting {
- type nat hook postrouting priority 100; policy accept;
- # Masquerade all packets from WireGuard VPN to the outside world.
- iifname $wg_iface oifname $eth_iface masquerade
- }
-
- # no need to define output chain, default policy is accept if undefined.
-}