Commit 79faedb4 authored by david's avatar david

Add an nftables firewall example.

parent e00ecd01
#!/usr/sbin/nft
# TODO:
# - manage fail2ban
# - manage nat:
# ip . jump ports @dest_ports
# ip @verdict with verdict { ip => jump nat port X-Y}
define internet_iface = eth0
define public_iface = eth1
define server_iface = eth2
define users_iface = eth3
# Not using "flush ruleset" to keep defined sets
flush table arp
flush table bridge
flush table inet
flush table ip
flush table ip6
flush table netdev
table inet nat {
chain prerouting {
type nat hook prerouting priority 0
}
chain postrouting {
type nat hook postrouting priority 0
}
}
table inet filter {
set user_ip_mac {
type ipv4_addr . ether_addr
}
set user_ip6_mac {
type ipv6_addr . ether_addr
}
set public_server_allowed_tcp_in {
type ipv4_addr . inet_service
}
set public_server_allowed_tcp_out {
type ipv4_addr . inet_service
}
set public_server_allowed_udp_in {
type ipv4_addr . inet_service
}
set public_server_allowed_udp_out {
type ipv4_addr . inet_service
}
chain input {
type filter hook input priority 0
policy reject
meta iif $users_iface not ip saddr . ether saddr @user_ip_mac drop
meta iif $users_iface not ip6 saddr . ether saddr @user_ip6_mac drop
ct state established accept
ip tcp dport 22 accept
icmp type { echo-request, echo-reply, destination-unreachable, time-exceeded, parameter-problem, source-quench } accept
icmpv6 type { nd-neighbor-solicit, echo-request, nd-router-advert, nd-neighbor-advert } accept
}
chain output {
type filter hook output priority 0;
policy reject
meta oif $users_iface not ip saddr . ether saddr @user_ip_mac drop
meta oif $users_iface not ip6 saddr . ether saddr @user_ip6_mac drop
ct state established accept
}
chain forward {
type filter hook forward priority 0;
policy reject
meta iif $users_iface not ip saddr . ether saddr @user_ip_mac drop
meta iif $users_iface not ip6 saddr . ether saddr @user_ip6_mac drop
meta oif $public_iface not ip daddr . tcp dport @public_server_allowed_tcp_in accept
meta iif $public_iface not ip saddr . tcp dport @public_server_allowed_tcp_out accept
meta oif $public_iface not ip daddr . udp dport @public_server_allowed_udp_in accept
meta iif $public_iface not ip saddr . udp dport @public_server_allowed_udp_out accept
}
}
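Review bot: The four forward-chain rules matching `public_server_allowed_*` use `not ... @set accept`, which accepts every destination/port that is absent from the allowed sets and never accepts the listed ones, turning the allowlists into denylists; dropping `not` gives the intended meaning, e.g. `meta oif $public_iface ip daddr . tcp dport @public_server_allowed_tcp_in accept`. `policy reject` on the input, output and forward chains is also not a valid base-chain policy in nftables, which only accepts `accept` or `drop` there, so the file will likely fail to load; `policy drop` plus an explicit trailing `reject` rule gives the intended behaviour. With a drop policy nothing accepts loopback traffic, and `ct state established accept` leaves out `related`, so ICMP errors and similar replies for tracked connections are dropped; `iif lo accept` in input, `oif lo accept` in output and `ct state established,related accept` would address that.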