update nftables

2020-11-28 04:56:51 -05:00 · 2020-11-28 04:56:51 -05:00 · 7e86c93941
commit 7e86c93941
parent 712c87c530
3 changed files with 118 additions and 34 deletions
--- a/host/nftables/nftables.exterior.rules
+++ b/host/nftables/nftables.exterior.rules
@ -0,0 +1,62 @@
+table ip hybrid {
+  chain POSTROUTING {
+    type nat hook postrouting priority 0; policy accept;
+    oifname "WAN" ip saddr 198.18.48.0/20 counter masquerade comment "masqueraded egress-routed clients";
+  }
+
+  chain PREROUTING {
+    iif "WAN" tcp dport { 6667, 6697 } counter dnat 100.64.48.10      comment "general access leaf";
+    iif "WAN" tcp dport { 6668, 6698 } counter dnat 100.64.48.18      comment "proxy dmz access leaf";
+    iif "WAN" tcp dport { 7777 }       counter dnat 100.64.48.14:6667 comment "edge uplink hub";
+    iif "WAN" tcp dport { 7797 }       counter dnat 100.64.48.14:6697 comment "TLS edge uplink hub";
+    iif "WAN" tcp dport { 6666 }       counter dnat 100.64.48.22:6667 comment "oper bouncer";
+    iif "WAN" tcp dport { 6696 }       counter dnat 100.64.48.22:6667 comment "TLS oper bouncer";
+  }
+}
+
+  table inet filter {
+    chain INVALID {
+    limit rate 2/second burst 3 packets counter log  prefix "NFBAD: " comment "invalid logged";
+                                        counter drop                  comment "invalid dropped";
+  }
+
+  chain input {
+    type filter hook input    priority 0;    policy drop;
+    ct state invalid                                                  counter jump   INVALID              comment "(CT) invalid on INPUT chain";
+    iifname "lo"      ip saddr 127.0.0.0/8    ip daddr 127.0.0.0/8    counter accept                      comment "anything in via loop-back";
+    ct state {established, related} counter accept                                                        comment "related/established in to docker host";
+    tcp dport 22                                                      counter accept                      comment "SSH to host"; 
+    udp sport 53      ip saddr 100.64.48.0/20 ip daddr 100.64.48.0/20 counter accept                      comment "UDP DNS query from egress (100.64.48.0/20)";
+    limit rate 15/second burst 3 packets                              counter        log prefix "NF_IN: " comment "input unmatched log";
+                                                                      counter drop                        comment "input dropped";
+  }
+
+  chain ct_fwd {
+    ip saddr 100.64.48.0/20 ip daddr    100.64.16.0/20 counter accept comment "internally-routed response to egress";
+    ip saddr 100.64.0.0/20  ip daddr    100.64.16.0/20 counter accept comment "internally-routed response to null-routed";
+    ip saddr 100.64.48.0/20 ip daddr != 100.64.0.0/17  counter accept comment "any & !partition response to egress";
+  }
+
+  chain forward {
+    type filter hook forward  priority 0;    policy drop;
+    ct state invalid                                   counter jump   INVALID       comment "(CT) invalid on FORWARD chain";
+    ct state { established, related }                          jump   ct_fwd        comment "jump to CT forward chain";
+    ip saddr 100.64.48.0/20 ip daddr    100.64.16.0/20 counter accept               comment "egress (100.64.48.0/20) to internally-routed (100.64.16.0/20)";
+    ip saddr 100.64.48.0/20 ip daddr != 100.64.0.0/17  counter accept               comment "egress (100.64.48.0/20) to global but not to partition (100.64.0.0/17)";
+    ip saddr 100.64.0.0/20  ip daddr    100.64.16.0/20 counter accept               comment "null-routed (100.64.0.0/20) to internally-routed (10.64.16.0/20)";
+    ip saddr 100.64.0.0/20                             counter drop                 comment "null-routed (100.64.0.0/20) are null-routed";
+    ip                         daddr    100.64.64.0/20 counter drop                 comment "do not forward to general-purpose (100.64.64.0/20)";
+    ip saddr 100.64.64.0/20                            counter drop                 comment "do not forward from general-purpose (100.64.64.0/20)";
+    limit rate 15/second burst 3 packets               counter log prefix "NFFWD: " comment "forward unmatched log";
+                                                       counter drop                 comment "forward dropped";
+  }
+
+  chain output {
+    type filter hook output   priority 0;    policy drop;
+    ct state invalid                                             counter jump   INVALID       comment "(CT) invalid on OUTPUT chain";
+    udp sport 53 ip saddr 100.64.48.0/20 ip daddr 100.64.48.0/20 counter accept               comment "UDP DNS query response to egress (100.64.48.0/20)";
+    oifname "WAN"                                                counter accept               comment "* via default interface";
+    limit rate 15/second burst 3 packets                         counter log prefix "NFOUT: " comment "output unmatched log";
+                                                                 counter drop                 comment "output dropped";
+  }
+}
--- a/host/nftables/nftables.rules
+++ b/host/nftables/nftables.rules
@ -1,34 +0,0 @@
-table inet hybrid {
-  chain POSTROUTING {
-                type nat hook postrouting priority 0; policy accept;
-                oifname "WAN" ip saddr 198.18.48.0/20 counter masquerade comment "masqueraded egress-routed clients"
-        }
-
-	chain input {
-          type filter hook input    priority 0;    policy accept;
-          ct state {established, related} counter accept comment "related/established in to docker host";
-          udp sport 53 ip saddr 100.64.48.0/20 ip daddr 100.64.48.0/20 counter accept comment "UDP DNS query from egress (100.64.48.0/20)";
-	}
-
-  chain ct_fwd {
-          ip saddr 100.64.48.0/20 ip daddr    100.64.16.0/20 counter accept comment "internally-routed response to egress";
-          ip saddr 100.64.0.0/20  ip daddr    100.64.16.0/20 counter accept comment "internally-routed response to null-routed";
-          ip saddr 100.64.48.0/20 ip daddr != 100.64.0.0/17  counter accept comment "any & !partition response to egress";
-  }
-
-	chain forward {
-          type filter hook forward  priority 0;    policy accept;
-          ct state {established, related}                         jump   ct_fwd;
-          ip saddr 100.64.48.0/20 ip daddr    100.64.16.0/20 counter accept comment "egress (100.64.48.0/20) to internally-routed (100.64.16.0/20)";
-          ip saddr 100.64.48.0/20 ip daddr != 100.64.0.0/17  counter accept comment "egress (100.64.48.0/20) to global but not to partition (100.64.0.0/17)";
-          ip saddr 100.64.0.0/20  ip daddr    100.64.16.0/20 counter accept comment "null-routed (100.64.0.0/20) to internally-routed (10.64.16.0/20)";
-          ip saddr 100.64.0.0/20                             counter drop   comment "null-routed (100.64.0.0/20) are null-routed";
-          ip                         daddr    100.64.64.0/20 counter drop   comment "do not forward to general-purpose (100.64.64.0/20)";
-          ip saddr 100.64.64.0/20                            counter drop   comment "do not forward from general-purpose (100.64.64.0/20)";
-	}
-
-	chain output {
-          type filter hook output   priority 0;    policy accept;
-          udp sport 53 ip saddr 100.64.48.0/20 ip daddr 100.64.48.0/20 counter accept  comment "UDP DNS query response to egress (100.64.48.0/20)";
-	}
-}
--- a/host/nftables/nftables.top_site.rules
+++ b/host/nftables/nftables.top_site.rules
@ -0,0 +1,56 @@
+table ip hybrid {
+  chain POSTROUTING {
+    type nat hook postrouting priority 0; policy accept;
+    oifname "WAN" ip saddr 198.18.48.0/20 counter masquerade comment "masqueraded egress-routed clients";
+  }
+
+  chain PREROUTING {
+  }
+}
+
+  table inet filter {
+    chain INVALID {
+    limit rate 2/second burst 3 packets counter log  prefix "NFBAD: " comment "invalid logged";
+                                        counter drop                  comment "invalid dropped";
+  }
+
+  chain input {
+    type filter hook input    priority 0;    policy drop;
+    ct state invalid                                                  counter jump   INVALID              comment "(CT) invalid on INPUT chain";
+    iifname "lo"      ip saddr 127.0.0.0/8    ip daddr 127.0.0.0/8    counter accept                      comment "anything in via loop-back";
+    ct state {established, related} counter accept                                                        comment "related/established in to docker host";
+    tcp dport 22                                                      counter accept                      comment "SSH to host"; 
+    udp sport 53      ip saddr 100.64.48.0/20 ip daddr 100.64.48.0/20 counter accept                      comment "UDP DNS query from egress (100.64.48.0/20)";
+    limit rate 15/second burst 3 packets                              counter        log prefix "NF_IN: " comment "input unmatched log";
+                                                                      counter drop                        comment "input dropped";
+  }
+
+  chain ct_fwd {
+    ip saddr 100.64.48.0/20 ip daddr    100.64.16.0/20 counter accept comment "internally-routed response to egress";
+    ip saddr 100.64.0.0/20  ip daddr    100.64.16.0/20 counter accept comment "internally-routed response to null-routed";
+    ip saddr 100.64.48.0/20 ip daddr != 100.64.0.0/17  counter accept comment "any & !partition response to egress";
+  }
+
+  chain forward {
+    type filter hook forward  priority 0;    policy drop;
+    ct state invalid                                   counter jump   INVALID       comment "(CT) invalid on FORWARD chain";
+    ct state { established, related }                          jump   ct_fwd        comment "jump to CT forward chain";
+    ip saddr 100.64.48.0/20 ip daddr    100.64.16.0/20 counter accept               comment "egress (100.64.48.0/20) to internally-routed (100.64.16.0/20)";
+    ip saddr 100.64.48.0/20 ip daddr != 100.64.0.0/17  counter accept               comment "egress (100.64.48.0/20) to global but not to partition (100.64.0.0/17)";
+    ip saddr 100.64.0.0/20  ip daddr    100.64.16.0/20 counter accept               comment "null-routed (100.64.0.0/20) to internally-routed (10.64.16.0/20)";
+    ip saddr 100.64.0.0/20                             counter drop                 comment "null-routed (100.64.0.0/20) are null-routed";
+    ip                         daddr    100.64.64.0/20 counter drop                 comment "do not forward to general-purpose (100.64.64.0/20)";
+    ip saddr 100.64.64.0/20                            counter drop                 comment "do not forward from general-purpose (100.64.64.0/20)";
+    limit rate 15/second burst 3 packets               counter log prefix "NFFWD: " comment "forward unmatched log";
+                                                       counter drop                 comment "forward dropped";
+  }
+
+  chain output {
+    type filter hook output   priority 0;    policy drop;
+    ct state invalid                                             counter jump   INVALID       comment "(CT) invalid on OUTPUT chain";
+    udp sport 53 ip saddr 100.64.48.0/20 ip daddr 100.64.48.0/20 counter accept               comment "UDP DNS query response to egress (100.64.48.0/20)";
+    oifname "WAN"                                                counter accept               comment "* via default interface";
+    limit rate 15/second burst 3 packets                         counter log prefix "NFOUT: " comment "output unmatched log";
+                                                                 counter drop                 comment "output dropped";
+  }
+}