-
Notifications
You must be signed in to change notification settings - Fork 1
/
nftables.conf
executable file
·124 lines (98 loc) · 3.07 KB
/
nftables.conf
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
#!/usr/sbin/nft --includepath "/etc/nftables.d" -f
# This is the main configuration script frow where everything is loaded
##########
# DEVICES
##########
# todo: clean this
define dev_svc = enp1s2
define dev_mgmt = eno1
define dev_nat = enp1s2
define dev_wan = eno1
define dev_bridges = lxcbr0
# define dev_whitelist = eno1
##########
# IPS
##########
# trusted ips from wich rules are relaxed
# for icmp, icmpv6, port only opened on whitelisted ips
# see rules in the input_whitelist chain
define ip_whitelist = { 192.168.2.0/24, 10.247.88.0/16, 172.26.31.0/16 }
define ip6_whitelist = fc00::/7
##########
# PORTS
##########
# ssh port (new connections will be limited to prevent brute force attempts)
# change to port or list of ports your deamon is listening on
define ports_ssh = 22
define ports_dns = 53
define ports_mdns = 5353
# fixme: level of variable nesting
# dhcp client (dport 68 and 546)
define ports_dhcp_client = {bootpc, dhcpv6-client}
# dhcp server (sport 67 and 547)
define ports_dhcp_server = {bootps, dhcpv6-server}
define ports_mosh = 60000-61000
# synergy 24800/tcp
# collectd 25826/udp
# netbios- session service 139/tcp
# in ports world accessible
# those ports are useless as they get evaluated in rules much before
# they avoid empty vars errors for now
define ports_tcp_in = { $ports_ssh }
define ports_udp_in = { $ports_dhcp_server}
# in ports on whitelisted networks
define ports_tcp_in_whitelist = { $ports_tcp_in }
define ports_udp_in_whitelist = {snmp, 25826, $ports_dhcp_server}
# low and high ports ranges
define ports_priv = 0-1023
define ports_unpriv = 1024-65535
# default priviledged ports opened
# list of services allowed in output chain dport
define ports_priv_out = {ftp, ssh, sftp, ntp, rsync, http, https, \
imaps, pop3s, smtp, snmp-trap, ldap, microsoft-ds, ipp, printer}
############
# CONSTANTS
############
# some constant you should not need to change thoses
# ipv4
# unused yet
define ip_brdcast_src = 0.0.0.0
define ip_brdcast_dst = 255.255.255.255
# mainly to check forged ip on public dev
define ip_priv = {10.0.0.0/8, 172.16.0.0/16, 192.168.0.0/16}
# ipv6
define ip6_priv = fc00::/7
define ip6_linklocal = fe80::/10
define ip6_multicast = ff00::/8
##########
# TABLES
##########
# always include base chains
# will
# 1- create base filter chains
# 2- ct rules
# 3- allow all outbound dns
# 4- allow tcp_in_ports
# include "02-out.rules"
# add set filter whitelist { type ipv4_addr; }
include "00-base-filter.rules"
# include "01-base-nat.rules"
# check for invalid packets
# ie. :
# * RFC 1918 saddr on public wan iface
# * RFC 4193 saddr on public wan iface FC00::/7
# * packets spoofed with your own ip
# include --includepath "/etc/nftables.d/" "01-invalid.rules"
# outbound traffic
# allow traffic from high ports
# include "02-out.rules"
# inbound traffic
# will:
# 1- accept and limit new ssh connections
# include "03-in.rules"
# include --includepath "/etc/nftables.d/" "07-snat.rules"
# include --includepath "/etc/nftables.d/" "08-dnat.rules"
# always include default policy
# 1- log
# 2- counter
# 3- drop