199 lines
5.2 KiB
Text
199 lines
5.2 KiB
Text
#!/usr/bin/env nft -f
|
|
|
|
table inet fw {
|
|
include "./conf.def"
|
|
|
|
# invalid packets
|
|
counter ct-invalid { packets 0 bytes 0 }
|
|
# !(tcp|udp) protocol packets dropped
|
|
counter catchall { packets 0 bytes 0 }
|
|
# iifgroup != IIFGROUP_ETHERNET | IIFGROUP_VPN
|
|
counter iif-other { packets 0 bytes 0 }
|
|
# non-unicast
|
|
counter non-unicast { packets 0 bytes 0 }
|
|
# no reverse path
|
|
counter no-reverse-path { packets 0 bytes 0 }
|
|
# ipv6 type 0 routing headers
|
|
counter type0-header { packets 0 bytes 0 }
|
|
# dropped icmp packets
|
|
counter unwanted-icmp { packets 0 bytes 0 }
|
|
counter unwanted-icmpv6 { packets 0 bytes 0 }
|
|
# reject total
|
|
counter reject-total { packets 0 bytes 0 }
|
|
# dropped total
|
|
counter drop-total { packets 0 bytes 0 }
|
|
|
|
set set_private_net4 {
|
|
type ipv4_addr
|
|
flags constant,interval
|
|
elements = $SET_PRIVATE_NETS_V4
|
|
}
|
|
|
|
set set_private_net6 {
|
|
type ipv6_addr
|
|
flags constant,interval
|
|
elements = $SET_PRIVATE_NETS_V6
|
|
}
|
|
|
|
set set_icmpv4 {
|
|
type icmp_type
|
|
flags constant
|
|
elements = $SET_ALLOW_ICMP_V4
|
|
}
|
|
|
|
set set_icmpv6 {
|
|
type icmpv6_type
|
|
flags constant
|
|
elements = $SET_ALLOW_ICMP_V6
|
|
}
|
|
|
|
chain iif-dispatch {
|
|
type filter hook input priority filter; policy drop;
|
|
iif "lo" accept
|
|
jump ct-state-filter
|
|
iifgroup vmap {
|
|
$IIFGROUP_ETHERNET : goto input-zone-dispatch,
|
|
$IIFGROUP_VPN : goto vpn
|
|
}
|
|
# basic filtering of unhandled iifgroups
|
|
counter name "iif-other" jump proto-filter
|
|
goto reject-verdict
|
|
}
|
|
|
|
chain input-zone-dispatch {
|
|
ip saddr @set_private_net4 goto private
|
|
ip6 saddr @set_private_net6 goto private
|
|
goto public
|
|
}
|
|
|
|
chain icmp-dispatch {
|
|
ip6 nexthdr ipv6-icmp goto icmpv6-filter
|
|
ip protocol icmp goto icmpv4-filter
|
|
}
|
|
|
|
chain proto-filter {
|
|
jump icmp-dispatch
|
|
ip protocol igmp goto log-drop
|
|
# drop unsolicited broadcast/multicast
|
|
meta pkttype { broadcast, multicast } counter name "non-unicast" goto log-drop
|
|
# disallow ipv6 type 0 routing headers
|
|
rt type 0 counter name "type0-header" goto log6-reject-addr-unreachable
|
|
}
|
|
|
|
chain ct-state-filter {
|
|
# stateful filtering and packet fastpath
|
|
ct state established,related accept
|
|
ct state invalid counter name "ct-invalid" goto log-drop
|
|
}
|
|
|
|
chain rp-filter {
|
|
# reverse path filter for ipv6
|
|
type filter hook prerouting priority raw; policy drop;
|
|
fib saddr . iif oif exists accept
|
|
counter name "no-reverse-path" goto log-drop
|
|
}
|
|
|
|
chain icmpv6-filter {
|
|
# allow configured types
|
|
icmpv6 type @set_icmpv6 accept
|
|
# and all essential types according to rfc4890
|
|
jump rfc4890
|
|
counter name "unwanted-icmpv6" goto log-drop
|
|
}
|
|
|
|
chain icmpv4-filter {
|
|
icmp type @set_icmpv4 accept
|
|
counter name "unwanted-icmp" goto log-drop
|
|
}
|
|
|
|
chain rfc4890 {
|
|
# https://tools.ietf.org/html/rfc4890
|
|
# https://github.com/intel/intel-iot-refkit/blob/master/meta-refkit-core/recipes-security/nftables-settings-default/files/firewall.template
|
|
|
|
# allow basic IPv6 functionality.
|
|
icmpv6 type {
|
|
destination-unreachable,
|
|
packet-too-big,
|
|
time-exceeded,
|
|
parameter-problem,
|
|
echo-request,
|
|
echo-reply
|
|
} accept;
|
|
|
|
# allow auto configuration support.
|
|
icmpv6 type {
|
|
nd-neighbor-solicit,
|
|
nd-neighbor-advert,
|
|
nd-router-advert,
|
|
nd-router-solicit
|
|
} ip6 hoplimit 255 accept;
|
|
|
|
# allow multicast listener discovery on link-local addresses.
|
|
icmpv6 type {
|
|
mld-listener-query,
|
|
mld-listener-report,
|
|
mld-listener-reduction
|
|
} ip6 saddr $NET_V6_LINK_LOCAL accept;
|
|
|
|
# allow multicast router discovery messages on link-local
|
|
# addresses (hop limit 1).
|
|
icmpv6 type {
|
|
nd-router-advert,
|
|
nd-router-solicit
|
|
} ip6 hoplimit 1 ip6 saddr $NET_V6_LINK_LOCAL accept;
|
|
}
|
|
|
|
chain reject-verdict {
|
|
meta l4proto vmap {
|
|
udp : goto logx-reject-port-unreachable,
|
|
tcp : goto logx-reject-tcp-reset
|
|
}
|
|
counter name "catchall" goto logx-reject-port-unreachable
|
|
}
|
|
|
|
chain log-reject {
|
|
# if called, the subsequent rules *must* include an absolute reject verdict
|
|
# this allows specifying a reject method on return
|
|
counter name "reject-total" comment "total packets rejected"
|
|
limit rate 5/minute burst 5 packets \
|
|
log prefix "sfw (reject): " level debug flags ip options
|
|
}
|
|
|
|
chain log-drop {
|
|
counter name "drop-total" comment "total packets dropped"
|
|
limit rate 5/minute burst 5 packets \
|
|
log prefix "sfw (drop): " level debug flags ip options
|
|
drop comment "drop packet"
|
|
# end of rule traversal
|
|
}
|
|
|
|
chain log6-reject-addr-unreachable {
|
|
jump log-reject
|
|
reject with icmpv6 type addr-unreachable comment "icmpv6 addr-unreachable"
|
|
# end of rule traversal
|
|
}
|
|
|
|
chain logx-reject-port-unreachable {
|
|
jump log-reject
|
|
reject comment "icmpx port-unreachable"
|
|
# end of rule traversal
|
|
}
|
|
|
|
chain logx-reject-tcp-reset {
|
|
jump log-reject
|
|
reject with tcp reset comment "icmpx tcp reset"
|
|
# end of rule traversal
|
|
}
|
|
|
|
chain vpn-zone-svc { include "./services.d/vpn/*.nft"; }
|
|
chain private-zone-svc { include "./services.d/private/*.nft"; }
|
|
chain public-zone-svc { include "./services.d/public/*.nft"; }
|
|
chain forward-zone-svc { include "./services.d/forward/*.nft"; }
|
|
chain output-zone-svc { include "./services.d/output/*.nft"; }
|
|
|
|
include "./zones/vpn.nft"
|
|
include "./zones/private.nft"
|
|
include "./zones/public.nft"
|
|
include "./zones/forward.nft"
|
|
include "./zones/output.nft"
|
|
}
|