commit e490ba808107b1569b585b59c5280bf5ee8e5a66
parent 2f8689f34f31fb90cba216053f1e3da8473fa9fd
Author: Leah (ctucx) <leah@ctu.cx>
Date: Tue, 2 Feb 2021 10:54:35 +0100
nftables: add and update rules
10 files changed, 101 insertions(+), 19 deletions(-)
A
|
86
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
diff --git a/config-files/nftables/lollo.nft b/config-files/nftables/lollo.nft 
@@ -0,0 +1,86 @@
+#!/usr/sbin/nft -f
+
+flush ruleset
+
+table inet firewall {
+ chain inbound {
+ # By default, drop all traffic unless it meets a filter
+ # criteria specified by the rules that follow below.
+ type filter hook input priority 0;
+ policy drop;
+
+ # Allow traffic from established and related packets.
+ ct state established,related accept
+
+ # Drop invalid packets.
+ ct state invalid drop
+
+ # Allow local connections.
+ iifname lo accept
+ iifname brlan accept
+
+ # Allow all ICMP and IGMP traffic, but enforce a rate limit
+ # to help prevent some types of flood attacks.
+ ip protocol icmp limit rate 5/second accept
+ ip protocol igmp limit rate 5/second accept
+ ip6 protocol ipv6-icmp icmpv6-type redirect drop
+ ip6 protocol ipv6-icmp icmpv6-type 139 drop
+ ip6 nexthdr ipv6-icmp limit rate 5/second accept
+
+ # Allow some ports
+ tcp dport ssh accept comment "ssh"
+ tcp dport domain accept comment "dns (tcp)"
+ udp dport domain accept comment "dns (udp)"
+ tcp dport http accept comment "http"
+ tcp dport https accept comment "https"
+ tcp dport 22000 accept comment "syncthing"
+ udp dport 21027 accept comment "syncthing"
+ tcp dport 5201 accept comment "iperf3 (tcp)"
+ udp dport 5201 accept comment "iperf3 (udp)"
+ }
+
+ chain forward {
+ # By default, drop all traffic unless it meets a filter
+ type filter hook forward priority 0;
+ policy drop;
+
+ # Allow traffic from established and related packets.
+ ct state established,related accept
+
+ # Drop invalid packets.
+ ct state invalid drop
+
+ # local clients can do whatever
+ iifname brlan accept
+
+ # Allow all ICMP and IGMP traffic, but enforce a rate limit
+ # to help prevent some types of flood attacks.
+ ip protocol icmp limit rate 5/second accept
+ ip6 nexthdr ipv6-icmp limit rate 5/second accept
+ ip protocol igmp limit rate 5/second accept
+
+ #make public ips world accessible
+ daddr 195.39.246.32/28 accept
+ }
+
+ chain outbound {
+ # Allow all outbound traffic
+ type filter hook output priority 0
+ policy accept
+ }
+
+}
+
+table ip nat {
+ chain prerouting {
+ type nat hook prerouting priority -100
+ policy accept
+ }
+
+ chain postrouting {
+ type nat hook postrouting priority 0
+ policy accept
+ oifname enp2s0 masquerade
+ }
+}
+include "/etc/nftables.d/*.nft"
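Review bot: The ICMPv6 hardening rules in the inbound chain (`ip6 protocol ipv6-icmp icmpv6-type redirect drop` and the `icmpv6-type 139` line) and the forward rule `daddr 195.39.246.32/28 accept` do not look like valid nft syntax to me: as far as I know `ip6` exposes a `nexthdr` field but no `protocol` field, the ICMPv6 type match is spelled `icmpv6 type`, and a bare `daddr` needs an `ip`/`ip6` prefix. If that is right, `nft -f` rejects the whole file, so at boot the host would come up with no ruleset instead of the intended `policy drop`; I would write them as `icmpv6 type redirect drop`, `icmpv6 type 139 drop` and `ip daddr 195.39.246.32/28 accept`, and run `nft -c -f` on the file as a syntax check before deploying. Separately, that forward rule accepts every port towards the public /28 from any interface, so those hosts are fully exposed unless they filter themselves — either restrict it to the expected services or add a comment recording that they run their own firewall. The `oifname enp2s0 masquerade` rule in the nat table also applies to packets sourced from that public /28, which is probably not what is wanted for routed public addresses.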
diff --git a/config-files/nftables/wanderduene.nft b/config-files/nftables/wanderduene.nft @@ -25,9 +25,6 @@ table inet firewall { ip protocol icmp limit rate 5/second accept ip6 nexthdr ipv6-icmp limit rate 5/second accept ip protocol igmp limit rate 5/second accept - - # Allow SSH on port 22. - tcp dport 22 accept } chain forward {
diff --git a/roles/acme-redirect/files/nftables-rule.nft b/roles/acme-redirect/files/nftables-rule.nft @@ -2,7 +2,6 @@ table inet firewall { chain inbound { - # Allow dns on port 53. - tcp dport http accept + tcp dport http accept comment "acme-redirect (http)" } } \ No newline at end of file
diff --git a/roles/acme-redirect/tasks/main.yml b/roles/acme-redirect/tasks/main.yml @@ -161,7 +161,7 @@ state: stopped when: - ansible_service_mgr == "openrc" - - services.acme_redirect.enable is true + - services.acme_redirect.enable is false - name: "[systemd] Disable and stop service: acme-redirect" systemd:
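Review bot: The corrected condition `services.acme_redirect.enable is false` only matches a literal boolean `false`; if the variable is absent, or arrives as the string `"false"` from inventory or `-e`, the stop task either errors on the undefined attribute or silently never runs, which is the same quiet failure this fix is meant to remove. A more robust form is `- not (services.acme_redirect.enable | default(false) | bool)`. The systemd counterpart (`[systemd] Disable and stop service: acme-redirect`) begins at the end of the hunk and its `when` is outside the view, so please confirm it received the same inversion.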
diff --git a/roles/bind/files/nftables-rule.nft b/roles/bind/files/nftables-rule.nft @@ -3,7 +3,7 @@ table inet firewall { chain inbound { # Allow dns on port 53. - tcp dport domain accept - udp dport domain accept + tcp dport domain accept comment "bind (dns)" + udp dport domain accept comment "bind (dns)" } } \ No newline at end of file
diff --git a/roles/frp/templates/nftables-rule.nft.j2 b/roles/frp/templates/nftables-rule.nft.j2 @@ -3,6 +3,6 @@ table inet firewall { chain inbound { # Allow frps on port {{ services.frps.port }}. - tcp dport {{ services.frps.port }} accept + tcp dport {{ services.frps.port }} accept comment "frp server" } } \ No newline at end of file
diff --git a/roles/maddy/files/nftables-rule.nft b/roles/maddy/files/nftables-rule.nft @@ -3,10 +3,10 @@ table inet firewall { chain inbound { # Allow mail stuff. - tcp dport smtp accept - tcp dport submissions accept - tcp dport submission accept - tcp dport imaps accept - tcp dport imap2 accept + tcp dport smtp accept comment "maddy (smtp)" + tcp dport submissions accept comment "maddy (submissions)" + tcp dport submission accept comment "maddy (submission)" + tcp dport imaps accept comment "maddy (imaps)" + tcp dport imap2 accept comment "maddy (imap)" } } \ No newline at end of file
diff --git a/roles/nginx/files/nftables-rule.nft b/roles/nginx/files/nftables-rule.nft @@ -3,7 +3,7 @@ table inet firewall { chain inbound { # Allow http(s). - tcp dport http accept - tcp dport https accept + tcp dport http accept comment "nginx: http" + tcp dport https accept comment "nginx: https" } } \ No newline at end of file
diff --git a/roles/nginx/files/nftables-rule_httpsOnly.nft b/roles/nginx/files/nftables-rule_httpsOnly.nft @@ -3,6 +3,6 @@ table inet firewall { chain inbound { # Allow https. - tcp dport https accept + tcp dport https accept comment "nginx (https)" } } \ No newline at end of file
diff --git a/roles/syncthing/files/nftables-rule.nft b/roles/syncthing/files/nftables-rule.nft @@ -3,7 +3,7 @@ table inet firewall { chain inbound { # Allow syncthing. - tcp dport 22000 accept - udp dport 21027 accept + tcp dport 22000 accept comment "syncthing" + udp dport 21027 accept comment "syncthing" } } \ No newline at end of file