
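# Replace the whole live ruleset (every table in every family) with the
# definitions below, so that stale tables from a previous load do not linger.
flush ruleset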

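table inet firewall {
    chain inbound {
        # By default, drop all traffic unless it meets a filter
        # criteria specified by the rules that follow below.
        type filter hook input priority 0;
        policy drop;

        # Allow traffic from established and related packets.
        ct state established,related accept

        # Drop invalid packets.
        ct state invalid drop

        # Allow local connections.
        # Everything arriving on the LAN bridge is accepted wholesale here, so
        # the per-port rules further down only ever apply to the remaining
        # interfaces (the uplinks that are masqueraded in table ip nat).
        iifname lo accept
        iifname brlan accept

        # Allow all ICMP and IGMP traffic, but enforce a rate limit
        # to help prevent some types of flood attacks.
        ip protocol icmp limit rate 5/second accept
        ip protocol igmp limit rate 5/second accept
        #ip6 protocol ipv6-icmp icmpv6-type redirect drop
        #ip6 protocol ipv6-icmp icmpv6-type 139 drop
        # IPv6 neighbour discovery is exempt from the flood limit: a burst of
        # solicitations beyond 5/s would otherwise make this host unreachable
        # on the link. The generic rule matches via meta l4proto rather than
        # ip6 nexthdr so that ICMPv6 carried behind an extension header is
        # still recognised.
        icmpv6 type { nd-neighbor-solicit, nd-neighbor-advert } accept
        meta l4proto ipv6-icmp limit rate 5/second accept

        # Allow some ports
        # NOTE(review): because brlan is accepted above, these rules describe
        # what is reachable from the uplinks. Answering DNS there makes this
        # host an open resolver unless the resolver itself restricts its
        # clients, and iperf3 is unauthenticated -- confirm both are meant
        # to be reachable from outside the LAN.
        tcp dport ssh accept comment "ssh"
        tcp dport domain accept comment "dns (tcp)"
        udp dport domain accept comment "dns (udp)"
        tcp dport http   accept comment "http"
        tcp dport https  accept comment "https"
        tcp dport 22000  accept comment "syncthing"
        udp dport 21027  accept comment "syncthing"
        tcp dport 5201   accept comment "iperf3 (tcp)"
        udp dport 5201   accept comment "iperf3 (udp)"

        # Count what falls through to the drop policy so that
        # `nft list ruleset` shows whether anything is being rejected.
        counter comment "dropped by policy"
    }

    chain forward {
        # By default, drop all traffic unless it meets a filter
        # criteria specified by the rules that follow below.
        type filter hook forward priority 0;
        policy drop;

        # Clamp the MSS of forwarded SYNs to the path MTU; presumably needed
        # because the ppp uplink has a smaller MTU than the LAN (verify).
        tcp flags syn tcp option maxseg size set rt mtu

        # Allow traffic from established and related packets.
        ct state established,related accept

        # Drop invalid packets.
        ct state invalid drop

        # local clients can do whatever
        iifname brlan accept

        # Allow all ICMP and IGMP traffic, but enforce a rate limit
        # to help prevent some types of flood attacks.
        # (meta l4proto, not ip6 nexthdr, so extension headers do not
        # hide ICMPv6 from this rule.)
        ip  protocol icmp limit rate 5/second accept
        meta l4proto ipv6-icmp limit rate 5/second accept
        ip  protocol igmp limit rate 5/second accept

        # drop incoming netbios traffic
        tcp dport {139, 445} counter drop comment "silently drop NetBios"
        udp dport {137, 138} counter drop comment "silently drop NetBios"

        # make public ips world accessible
        # Everything not dropped above is forwarded to this range from any
        # interface, so the hosts behind it must do their own filtering.
        # The prefix is written with host bits set (.33/28); nft should mask
        # it to the .32/28 network -- check the loaded form with
        # `nft list ruleset`.
        ip daddr 195.39.246.33/28 accept

        # Count what falls through to the drop policy.
        counter comment "dropped by policy"
    }

    chain outbound {
        # Allow all outbound traffic
        type filter hook output priority 0;
        policy accept;
    }

}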

table ip nat {
    # IPv4-only source NAT for the uplinks; no destination NAT rules
    # are defined, the prerouting chain is only registered.
    chain prerouting {
        type nat hook prerouting priority -100;
        policy accept;
    }

    chain postrouting {
        type nat hook postrouting priority 0;
        policy accept;
        # Rewrite the source address of anything leaving through either
        # uplink to that interface's current address.
        oifname { iphone, ppp-dtagdsl } masquerade
    }
}