# Start from a clean slate so the tables below fully define the policy.
# NOTE(review): `flush ruleset` removes every table in every family, not just
# the two defined in this file, so rules installed by other tooling on the
# host (if any) are gone after this file is loaded.
flush ruleset
# Stateful packet filter for both IPv4 and IPv6 (the inet family covers both).
# Rules are evaluated top to bottom; the first terminating verdict
# (accept/drop) wins, and a packet that reaches the end of a chain falls
# through to that chain's policy.
table inet firewall {
chain inbound {
# Traffic addressed to this host itself.
# By default, drop all traffic unless it meets a filter
# criteria specified by the rules that follow below.
type filter hook input priority 0;
policy drop;
# Allow traffic from established and related packets.
ct state established,related accept
# Drop invalid packets.
ct state invalid drop
# Allow local connections.
iifname lo accept
# Anything arriving on the LAN bridge is trusted unconditionally: every
# service on this host is reachable from brlan, not only the ports listed
# further down.
iifname brlan accept
# Allow all ICMP and IGMP traffic, but enforce a rate limit
# to help prevent some types of flood attacks.
# NOTE(review): packets above the limit fall through to the drop policy
# (no explicit burst, so the default burst applies). For ICMPv6 this also
# covers neighbour discovery and router advertisements on the upstream
# link; confirm 5/second is sufficient there.
ip protocol icmp limit rate 5/second accept
ip protocol igmp limit rate 5/second accept
ip6 nexthdr ipv6-icmp limit rate 5/second accept
# required for dhcp-pd to work!
udp dport dhcpv6-client accept
# Allow some ports
# NOTE(review): these rules carry no iifname match, so the services are
# reachable from every interface other than brlan (which is already
# accepted above), i.e. from the upstream/WAN side. SSH in particular has
# no source restriction or rate limit; consider a `ct state new limit rate`
# guard or an `iifname` match if it should not be exposed upstream.
tcp dport ssh accept
tcp dport http accept
tcp dport https accept
tcp dport 8443 accept comment "step-ca"
tcp dport 22000 accept comment "syncthing"
udp dport 21027 accept comment "syncthing"
}
chain forward {
# Traffic routed through this host (LAN <-> upstream).
# By default, drop all traffic unless it meets a filter
type filter hook forward priority 0;
policy drop;
# Clamp the TCP MSS of forwarded SYNs to the route MTU; this is the usual
# fix for stalled connections when the upstream link has a smaller MTU
# (PPPoE, tunnels) and PMTU discovery is unreliable.
tcp flags syn tcp option maxseg size set rt mtu
# Allow traffic from established and related packets.
ct state established,related accept
# Drop invalid packets.
ct state invalid drop
# local clients can do whatever
# (this also means the NetBIOS rules further down never see LAN-originated
# traffic; they only apply to flows entering from other interfaces)
iifname brlan accept
# Allow all ICMP and IGMP traffic, but enforce a rate limit
# to help prevent some types of flood attacks.
# NOTE(review): this forwards ICMP/IGMP/ICMPv6 arriving on any non-LAN
# interface on to LAN hosts (within the limit); add an oifname or
# icmp/icmpv6 type match if internal hosts should not be probed this way.
ip protocol icmp limit rate 5/second accept
ip protocol igmp limit rate 5/second accept
ip6 nexthdr ipv6-icmp limit rate 5/second accept
# drop incoming netbios traffic
# NOTE(review): with `policy drop`, traffic reaching these rules would be
# dropped anyway; their practical effect is the counter. If the intent is
# to stop LAN clients leaking NetBIOS/SMB upstream, they would have to be
# placed before the `iifname brlan accept` rule above.
tcp dport {139, 445} counter drop comment "silently drop NetBios"
udp dport {137, 138} counter drop comment "silently drop NetBios"
}
chain outbound {
# Allow all outbound traffic
# (packets generated by this host itself; forwarded traffic does not
# traverse the output hook)
type filter hook output priority 0
policy accept
}
}
# IPv4-only source NAT for the LAN. No IPv6 NAT is defined here;
# presumably IPv6 clients are routed using the delegated prefix (the
# filter table mentions dhcp-pd) -- confirm.
table ip nat {
chain prerouting {
# Empty today. Registering a prerouting nat chain keeps the NAT hooks
# symmetric; destination-NAT rules (port forwards) would be added here.
type nat hook prerouting priority -100
policy accept
}
chain postrouting {
type nat hook postrouting priority srcnat + 1; policy accept;
# NOTE(review): there is no oifname match, so any 10.0.0.0/8-sourced
# packet leaving on *any* interface -- brlan itself, or a VPN/tunnel
# interface if one exists -- is masqueraded. Restricting this to the
# upstream interface (`oifname <wan>`) avoids unexpected rewrites.
ip saddr 10.0.0.0/8 masquerade;
}
}