Diffstat (limited to 'files/etc')
-rw-r--r--files/etc/nftables.conf122
1 files changed, 122 insertions, 0 deletions
diff --git a/files/etc/nftables.conf b/files/etc/nftables.conf
new file mode 100644
index 0000000..aa9f5c4
--- /dev/null
+++ b/files/etc/nftables.conf
@@ -0,0 +1,122 @@
+#!/usr/sbin/nft -f
+
+flush ruleset
+
+define eth_iface = enp1s0
+define wg_iface = wg0
+define wg_port = 51820
+define dns_port = 53
+define srt_input_udp_port = 60001
+define srt_output_port = 60000
+define srb2kart_port = 5029
+define syncthing_port = 22000
+define syncthing_gui_port = 8384
+
+table inet filter {
+ chain input_ipv4 {
+ # accepting ping (icmp-echo-request) for diagnostic purposes.
+ # However, it also lets probes discover this host is alive.
+ # This sample accepts them within a certain rate limit:
+ icmp type echo-request limit rate 5/second accept
+ }
+
+ chain input_ipv6 {
+ # accept neighbour discovery otherwise connectivity breaks
+ icmpv6 type { nd-neighbor-solicit, nd-router-advert, nd-neighbor-advert } accept
+
+ # accepting ping (icmpv6-echo-request) for diagnostic purposes.
+ # However, it also lets probes discover this host is alive.
+ # This sample accepts them within a certain rate limit:
+ icmpv6 type echo-request limit rate 5/second accept
+ }
+
+ chain input_world {
+ udp dport {
+ $wg_port
+ } accept
+ }
+
+ chain input_vpn {
+ # TODO: Should we limit source address space?
+ #
+ # ip saddr 10.8.0.0/32
+
+ # Allow VPN to use DNS.
+ tcp dport {
+ $dns_port
+ $syncthing_port,
+ $syncthing_gui_port,
+ } accept
+
+ udp dport {
+ $dns_port,
+ $srt_input_udp_port,
+ $syncthing_port,
+ } accept
+ }
+
+ chain input {
+ # By default, drop all traffic unless it meets a filter
+ # criteria specified by the rules that follow below.
+ type filter hook input priority 0; policy drop;
+
+ # Allow traffic from established and related packets, drop invalid
+ ct state vmap { established : accept, related : accept, invalid : drop }
+
+ # Jump to chain according to layer 3 protocol using a verdict map
+ meta protocol vmap { ip : jump input_ipv4, ip6 : jump input_ipv6 }
+
+ # Allow traffic for/from both the world and VPN.
+ tcp dport {
+ ssh,
+ http,
+ https,
+ } accept
+
+ udp dport {
+ $srt_output_port,
+ $srb2kart_port,
+ } accept
+
+ # allow loopback traffic, anything else jump to chain for further evaluation
+ iifname vmap { lo : accept, $eth_iface : jump input_world, $wg_iface : jump input_vpn }
+
+ # Uncomment to enable logging of denied input traffic
+ # log prefix "[nftables] input Denied: " counter drop
+
+ # Reject with polite "port unreachable" icmp response
+ reject
+ }
+
+ chain forward {
+ # Drop everything (assumes this device is not a router)
+ # type filter hook forward priority filter;
+ type filter hook forward priority 0; policy drop;
+
+ # Forward all icmp/icmpv6 packets
+ meta l4proto { icmp, ipv6-icmp } accept
+
+ # Allow traffic from established and related packets, drop invalid
+ ct state vmap { established : accept, related : accept, invalid : drop }
+
+ # Forward traffic within the VPN and between it and the outside world.
+ iifname $wg_iface oifname $wg_iface counter accept;
+ iifname $wg_iface oifname $eth_iface counter accept;
+ iifname $eth_iface oifname $eth_iface counter accept;
+
+ # Reject with polite "host unreachable" icmp response
+ reject with icmpx type host-unreachable
+ }
+
+ chain prerouting {
+ type nat hook prerouting priority 0;
+ }
+
+ chain postrouting {
+ type nat hook postrouting priority 100; policy accept;
+ # Masquerade all packets from WireGuard VPN to the outside world.
+ iifname $wg_iface oifname $eth_iface masquerade
+ }
+
+ # no need to define output chain, default policy is accept if undefined.
+}
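Review bot: The tcp dport set in `input_vpn` is missing the separator after `$dns_port` (that element line has no trailing comma, while the next line reads `$syncthing_port,`); nft requires comma-separated set elements, so `nft -f` should reject the file with a syntax error and none of it, including `flush ruleset`, is applied, leaving the host on whatever ruleset was loaded before (possibly none). The one-character fix is `$dns_port,`, matching the udp set just below it. Separately, `iifname $eth_iface oifname $eth_iface counter accept` in `forward` lets the host relay traffic back out its external interface, which contradicts the "assumes this device is not a router" comment above it; if only VPN forwarding is intended, that line should go. The `# ip saddr 10.8.0.0/32` in the TODO names a single address rather than a network, so when that rule is enabled the prefix presumably wants to be the VPN subnet (for example /24) rather than /32.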