
#!/usr/sbin/nft -I /etc/firewall/config -f
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
# Copyright © 2018-2019 Hugo Levy-Falk <hugo@klafyvel.me>
# Copyright © 2020-2021 Thomas Chevalier <contact@tchevalier.fr>
# Start from an empty ruleset. This removes every table in every family
# (not only this one) before the rules below are applied; `nft -f` loads
# the file as a single transaction, so the flush and the new rules land
# together rather than leaving a window with no firewall.
flush ruleset
# Include paths are resolved through the include directory given in the
# shebang (-I /etc/firewall/config). Order matters: a define must appear
# before its first use. The $if_* and $admin_if variables used in the table
# below are presumably provided by these first files — not visible here.
include "interfaces.nft"
include "defines_ip.nft"
include "defines_ip6.nft"
include "ddos_mitigation.nft"
# Per-network policy files; presumably where the prefilter_*, dnat_*,
# from_*, to_* and snat_* chains referenced below are defined — confirm.
include "networks/users.nft"
include "networks/deco.nft"
include "networks/prod.nft"
include "networks/dmz.nft"
include "networks/switchs.nft"
include "networks/federez.nft"
include "networks/renater.nft"
include "networks/nerim.nft"
include "networks/dmz_wireguard.nft"
# Main dual-stack table: the "inet" family means every chain below sees both
# IPv4 and IPv6 packets. The per-interface chains it dispatches to are not in
# this file, so their behaviour is assumed, not verified, in the notes below.
table inet firewall {
    # Early prerouting hook (priority -150): runs before destination_nat
    # (-100) and forward (0). Only the deco interface is dispatched; this base
    # chain has no explicit policy, so every other packet falls through with
    # nft's default of accept.
    chain prefilter {
        type filter hook prerouting priority -150
        meta iif vmap {
            $if_deco: goto prefilter_deco,
        }
    }
    # Destination NAT, dispatched by input interface. Only deco and nerim have
    # DNAT chains; traffic from other interfaces passes through untranslated.
    chain destination_nat {
        type nat hook prerouting priority -100
        meta iif vmap {
            $if_deco: goto dnat_deco,
            $if_nerim: goto dnat_nerim,
        }
    }
    # Routed traffic between interfaces. Default-deny: anything not accepted by
    # a to_* chain reaches the log counter at the end and is then dropped.
    chain forward {
        type filter hook forward priority 0
        policy drop
        # Packets belonging to an already-tracked flow are accepted before any
        # per-interface chain runs, so only new flows are policed by from_*/to_*.
        ct state established,related accept
        ct state invalid drop
        # NOTE(review): locally generated traffic does not traverse the forward
        # hook, so this rule looks like a no-op here — harmless, confirm intent.
        meta iif lo accept
        # Notes from https://wiki.nftables.org/wiki-nftables/index.php/Matching_packet_metainformation
        # iif :
        # Faster than iifname as it only has to compare a 32-bit unsigned integer instead of a string.
        # The interface index is dynamically allocated, so don't use this for interfaces that are dynamically created and destroyed, eg. ppp0.
        # NOTE(review): $if_dmz_wireguard is matched by interface index like the
        # others. If that tunnel interface is ever re-created, its index changes
        # and neither vmap below matches it until the ruleset is reloaded; such
        # traffic then reaches the log counter and the drop policy (fails closed).
        # Confirm that interface is not created/destroyed dynamically.
        # Convention: we check in the to_* chain that jumping from one VLAN to another is allowed.
        # Filters on input interfaces. The final decision is not taken in the from_* chain,
        # but instead packets return here for further processing. This is why `jump` is used here.
        # An input interface with no entry here simply skips the from_* stage.
        meta iif vmap {
            $if_users: jump from_users,
            $if_deco: jump from_deco,
            $if_prod: jump from_prod,
            $if_dmz: jump from_dmz,
            $if_switchs: jump from_switchs,
            $if_federez: jump from_federez,
            $if_renater: jump from_renater,
            $if_dmz_wireguard: jump from_dmz_wireguard,
            $if_nerim: jump from_nerim,
        }
        # Filters on output interfaces. Do not return: either drop or accept
        # We use goto so we don't return to the calling chain after packets have been processed
        # NOTE(review): the $if_nerim entry is inconsistent with every other entry
        # (goto to_*) and with the comment above. from_nerim is the *ingress*
        # chain for nerim, so traffic *leaving* via nerim is evaluated against
        # ingress rules and, because this is a jump, returns here and ends in the
        # uncaught-traffic log and the drop policy. If networks/nerim.nft defines
        # a to_nerim chain, `goto to_nerim` is presumably what was intended —
        # verify that chain exists before changing it, since a reference to an
        # undefined chain makes the whole ruleset fail to load.
        meta oif vmap {
            $if_users: goto to_users,
            $if_deco: goto to_deco,
            $if_prod: goto to_prod,
            $if_dmz: goto to_dmz,
            $if_switchs: goto to_switchs,
            $if_federez: goto to_federez,
            $if_renater: goto to_renater,
            $if_dmz_wireguard: goto to_dmz_wireguard,
            $if_nerim: jump from_nerim
        }
        # This counter should be zero if we correctly filtered the connections.
        # A packet reaching this line was accepted by no to_* chain: it is sent
        # to nflog group 1 for inspection and then dropped by the chain policy.
        counter log group 1 prefix "Uncaught traffic:"
    }
    # Source NAT for traffic leaving via nerim or renater; the actual
    # translation rules live in the snat_* chains.
    chain source_nat {
        type nat hook postrouting priority 100
        meta oif vmap {
            $if_nerim: goto snat_nerim,
            $if_renater: goto snat_renater,
        }
    }
    # Traffic generated by the firewall itself is not filtered.
    chain output {
        type filter hook output priority 0
        policy accept
    }
    # Traffic addressed to the firewall itself. Default-deny: only packets of
    # flows the firewall already tracks and anything arriving on the admin
    # interface are accepted.
    chain input {
        type filter hook input priority 0
        policy drop
        ct state established,related accept
        ct state invalid drop
        # Any source, protocol and port on $admin_if is accepted: management
        # access is gated by interface membership alone.
        # NOTE(review): this chain has no ICMP/ICMPv6 exception, so unless an
        # include adds one, neighbour discovery and router solicitations sent to
        # the firewall on non-admin interfaces hit the drop policy — confirm
        # IPv6 on those interfaces behaves as intended.
        meta iif $admin_if accept
    }
}