150 lines
4.1 KiB
Plaintext
150 lines
4.1 KiB
Plaintext
#!/usr/sbin/nft -f
|
|
# vim: set ts=4 sw=4:
|
|
# You can find examples in /usr/share/nftables/.
|
|
|
|
define ra_prefix = 2a01:e0a:518:830::/64
|
|
define ra_prefix_max = 2a01:e0a:518:830::/56
|
|
|
|
define masr_prefix = 2a01:e0a:2b:2250::/64
|
|
define masr_ouaset = 2a01:e0a:2b:2250::b
|
|
define masr_rhakotis = 2a01:e0a:2b:2250::c
|
|
|
|
define serekh_ankh_prefix = 2a01:cb05:4bd:5000::/64
|
|
define serekh_ankh = 2a01:cb05:4bd:5000::d
|
|
|
|
define serekh_prefix = fd42:507b:9d4d:71ea::/64
|
|
|
|
define logger_host = geb.ra.nemunai.re
|
|
define ntp_host = geb.ra.nemunai.re
|
|
|
|
# Clear all prior state
|
|
flush ruleset
|
|
|
|
table ip nat {
|
|
chain prerouting {
|
|
type nat hook prerouting priority 0; policy accept;
|
|
ip daddr 82.64.151.41 tcp dport ssh dnat 192.168.0.52:22
|
|
ip daddr 82.64.151.41 tcp dport imaps dnat 192.168.0.3:imaps
|
|
ip daddr 82.64.151.41 tcp dport pop3s dnat 192.168.0.3:pop3s
|
|
ip daddr 82.64.151.41 tcp dport 2772 dnat 192.168.0.250:2772
|
|
ip daddr 192.168.0.2 tcp dport 2772 dnat 192.168.0.250:2772
|
|
ip daddr 82.64.151.41 tcp dport 3478 dnat 192.168.0.54:3478
|
|
ip daddr 82.64.151.41 udp dport 3478 dnat 192.168.0.54:3478
|
|
ip daddr 82.64.151.41 tcp dport 6224 dnat 192.168.0.4:22
|
|
}
|
|
|
|
chain postrouting {
|
|
type nat hook postrouting priority 0; policy accept;
|
|
ip daddr 192.168.0.52 tcp dport ssh masquerade
|
|
ip daddr 192.168.0.4 tcp dport imaps masquerade
|
|
ip daddr 192.168.0.250 tcp dport 2772 masquerade
|
|
ip daddr 192.168.0.54 tcp dport 3478 masquerade
|
|
ip daddr 192.168.0.54 udp dport 3478 masquerade
|
|
ip daddr 192.168.0.4 tcp dport ssh masquerade
|
|
}
|
|
}
|
|
|
|
table ip6 nat {
|
|
chain prerouting {
|
|
type nat hook prerouting priority 0; policy accept;
|
|
#tcp dport ssh dnat sekhmet2.ra.nemunai.re:22
|
|
#tcp dport 8448 dnat rhakotis.masr.nemunai.re:8448
|
|
}
|
|
|
|
chain postrouting {
|
|
type nat hook postrouting priority 0; policy accept;
|
|
ip6 daddr sekhmet2.ra.nemunai.re tcp dport 22 masquerade
|
|
#ip6 daddr rhakotis.masr.nemunai.re tcp dport 8448 masquerade
|
|
}
|
|
}
|
|
|
|
table inet filter {
|
|
chain input {
|
|
type filter hook input priority 0; policy drop;
|
|
|
|
iifname lo accept \
|
|
comment "Accept any localhost traffic"
|
|
|
|
ct state { established, related } accept \
|
|
comment "Accept traffic originated from us"
|
|
|
|
ct state invalid drop \
|
|
comment "Drop invalid connections"
|
|
|
|
tcp dport 113 reject with icmpx type port-unreachable \
|
|
comment "Reject AUTH to make it fail fast"
|
|
|
|
# ICMPv4
|
|
|
|
ip protocol icmp icmp type {
|
|
echo-reply, # type 0
|
|
destination-unreachable, # type 3
|
|
echo-request, # type 8
|
|
time-exceeded, # type 11
|
|
parameter-problem, # type 12
|
|
} accept \
|
|
comment "Accept ICMP"
|
|
|
|
# ICMPv6
|
|
|
|
ip6 nexthdr icmpv6 icmpv6 type {
|
|
destination-unreachable, # type 1
|
|
packet-too-big, # type 2
|
|
time-exceeded, # type 3
|
|
parameter-problem, # type 4
|
|
echo-request, # type 128
|
|
echo-reply, # type 129
|
|
} accept \
|
|
comment "Accept basic IPv6 functionality"
|
|
|
|
ip6 nexthdr icmpv6 icmpv6 type {
|
|
nd-router-solicit, # type 133
|
|
nd-router-advert, # type 134
|
|
nd-neighbor-solicit, # type 135
|
|
nd-neighbor-advert, # type 136
|
|
} ip6 hoplimit 255 accept \
|
|
comment "Allow IPv6 SLAAC"
|
|
|
|
ip6 nexthdr icmpv6 icmpv6 type {
|
|
mld-listener-query, # type 130
|
|
mld-listener-report, # type 131
|
|
mld-listener-reduction, # type 132
|
|
mld2-listener-report, # type 143
|
|
} ip6 saddr fe80::/10 accept \
|
|
comment "Allow IPv6 multicast listener discovery on link-local"
|
|
|
|
ip6 saddr fe80::/10 udp sport 547 udp dport 546 accept \
|
|
comment "Accept DHCPv6 replies from IPv6 link-local addresses"
|
|
|
|
udp sport domain accept
|
|
udp dport domain accept
|
|
|
|
counter log prefix "Filtered INPUT "
|
|
}
|
|
|
|
chain forward {
|
|
type filter hook forward priority 0; policy drop;
|
|
ct state invalid counter log prefix "Filtered INVALID FORWARD " drop
|
|
ct state { established, related } accept
|
|
|
|
ip daddr . tcp dport { \
|
|
192.168.0.52 . ssh, \
|
|
192.168.0.3 . imaps, \
|
|
192.168.0.52 . 3478, \
|
|
192.168.0.4 . ssh \
|
|
} accept
|
|
|
|
counter log prefix "Filtered FORWARD "
|
|
}
|
|
|
|
chain output {
|
|
type filter hook output priority 0; policy accept;
|
|
}
|
|
}
|
|
|
|
# The state of stateful objects saved on the nftables service stop.
|
|
include "/var/lib/nftables/*.nft"
|
|
|
|
# Rules
|
|
include "/etc/nftables.d/*.nft"
|