From 7e86c9394156e76cb5b5cc885726383b7c76db20 Mon Sep 17 00:00:00 2001
From: philoctetes409bc
Date: Sat, 28 Nov 2020 04:56:51 -0500
Subject: [PATCH] update nftables

---
 host/nftables/nftables.exterior.rules | 62 +++++++++++++++++++++++++++
 host/nftables/nftables.rules | 34 ---------------
 host/nftables/nftables.top_site.rules | 56 ++++++++++++++++++++++++
 3 files changed, 118 insertions(+), 34 deletions(-)
 create mode 100644 host/nftables/nftables.exterior.rules
 delete mode 100644 host/nftables/nftables.rules
 create mode 100644 host/nftables/nftables.top_site.rules
diff --git a/host/nftables/nftables.exterior.rules b/host/nftables/nftables.exterior.rules
new file mode 100644
index 0000000..08a173c
--- /dev/null
+++ b/host/nftables/nftables.exterior.rules
@@ -0,0 +1,62 @@
+table ip hybrid {
+ chain POSTROUTING {
+ type nat hook postrouting priority 0; policy accept;
+ oifname "WAN" ip saddr 198.18.48.0/20 counter masquerade comment "masqueraded egress-routed clients";
+ }
+
+ chain PREROUTING {
+ iif "WAN" tcp dport { 6667, 6697 } counter dnat 100.64.48.10 comment "general access leaf";
+ iif "WAN" tcp dport { 6668, 6698 } counter dnat 100.64.48.18 comment "proxy dmz access leaf";
+ iif "WAN" tcp dport { 7777 } counter dnat 100.64.48.14:6667 comment "edge uplink hub";
+ iif "WAN" tcp dport { 7797 } counter dnat 100.64.48.14:6697 comment "TLS edge uplink hub";
+ iif "WAN" tcp dport { 6666 } counter dnat 100.64.48.22:6667 comment "oper bouncer";
+ iif "WAN" tcp dport { 6696 } counter dnat 100.64.48.22:6667 comment "TLS oper bouncer";
+ }
+}
+
+ table inet filter {
+ chain INVALID {
+ limit rate 2/second burst 3 packets counter log prefix "NFBAD: " comment "invalid logged";
+ counter drop comment "invalid dropped";
+ }
+
+ chain input {
+ type filter hook input priority 0; policy drop;
+ ct state invalid counter jump INVALID comment "(CT) invalid on INPUT chain";
+ iifname "lo" ip saddr 127.0.0.0/8 ip daddr 127.0.0.0/8 counter accept comment "anything in via loop-back";
+ ct state {established, related} counter accept comment "related/established in to docker host";
+ tcp dport 22 counter accept comment "SSH to host";
+ udp sport 53 ip saddr 100.64.48.0/20 ip daddr 100.64.48.0/20 counter accept comment "UDP DNS query from egress (100.64.48.0/20)";
+ limit rate 15/second burst 3 packets counter log prefix "NF_IN: " comment "input unmatched log";
+ counter drop comment "input dropped";
+ }
+
+ chain ct_fwd {
+ ip saddr 100.64.48.0/20 ip daddr 100.64.16.0/20 counter accept comment "internally-routed response to egress";
+ ip saddr 100.64.0.0/20 ip daddr 100.64.16.0/20 counter accept comment "internally-routed response to null-routed";
+ ip saddr 100.64.48.0/20 ip daddr != 100.64.0.0/17 counter accept comment "any & !partition response to egress";
+ }
+
+ chain forward {
+ type filter hook forward priority 0; policy drop;
+ ct state invalid counter jump INVALID comment "(CT) invalid on FORWARD chain";
+ ct state { established, related } jump ct_fwd comment "jump to CT forward chain";
+ ip saddr 100.64.48.0/20 ip daddr 100.64.16.0/20 counter accept comment "egress (100.64.48.0/20) to internally-routed (100.64.16.0/20)";
+ ip saddr 100.64.48.0/20 ip daddr != 100.64.0.0/17 counter accept comment "egress (100.64.48.0/20) to global but not to partition (100.64.0.0/17)";
+ ip saddr 100.64.0.0/20 ip daddr 100.64.16.0/20 counter accept comment "null-routed (100.64.0.0/20) to internally-routed (10.64.16.0/20)";
+ ip saddr 100.64.0.0/20 counter drop comment "null-routed (100.64.0.0/20) are null-routed";
+ ip daddr 100.64.64.0/20 counter drop comment "do not forward to general-purpose (100.64.64.0/20)";
+ ip saddr 100.64.64.0/20 counter drop comment "do not forward from general-purpose (100.64.64.0/20)";
+ limit rate 15/second burst 3 packets counter log prefix "NFFWD: " comment "forward unmatched log";
+ counter drop comment "forward dropped";
+ }
+
+ chain output {
+ type filter hook output priority 0; policy drop;
+ ct state invalid counter jump INVALID comment "(CT) invalid on OUTPUT chain";
+ udp sport 53 ip saddr 100.64.48.0/20 ip daddr 100.64.48.0/20 counter accept comment "UDP DNS query response to egress (100.64.48.0/20)";
+ oifname "WAN" counter accept comment "* via default interface";
+ limit rate 15/second burst 3 packets counter log prefix "NFOUT: " comment "output unmatched log";
+ counter drop comment "output dropped";
+ }
+}
diff --git a/host/nftables/nftables.rules b/host/nftables/nftables.rules
deleted file mode 100644
index cb046e2..0000000
--- a/host/nftables/nftables.rules
+++ /dev/null
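Review bot: `chain PREROUTING` in `table ip hybrid` has no base-chain declaration, unlike POSTROUTING just above it, so its six dnat rules form a regular chain that nothing jumps to and are never evaluated (nat statements are also only valid in nat-type chains, so the load itself may be rejected); it needs `type nat hook prerouting priority -100; policy accept;` as its first line, and `iifname "WAN"` instead of `iif "WAN"` — which resolves the interface index at load time and breaks if WAN is not yet up — would match the `oifname` form used in POSTROUTING. Even with the hook in place, nothing in `chain forward` accepts the translated inbound flows (source is the WAN peer, destination 100.64.48.x, covered by none of the saddr/daddr accepts), so they would reach the NFFWD log and be dropped; a rule such as `iifname "WAN" ct status dnat counter accept comment "inbound DNAT to leaf/hub";` before the unmatched-log line is needed. The `6696` rule is commented "TLS oper bouncer" but translates to `100.64.48.22:6667`, the same plaintext port as the 6666 rule, while the analogous 7797 TLS rule goes to :6697 — that looks like a copy-paste slip for `:6697`. In `table inet filter`, `chain output` (policy drop) accepts only `oifname "WAN"` and the DNS-reply rule, with no `oifname "lo"` or `ct state established,related` accept, so even a connection to 127.0.0.1 is dropped on the way out and replies to SSH accepted on input only leave if they route via WAN; the input loopback accept is likewise limited to IPv4 127.0.0.0/8, so ::1 traffic and local connections to the host's own addresses fall through to the drop — `oifname "lo" counter accept` in output and `iifname "lo" counter accept` in input would cover both. This filter table is duplicated verbatim in nftables.top_site.rules (the last hunk), so the loopback point applies there too.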
@@ -1,34 +0,0 @@
-table inet hybrid {
- chain POSTROUTING {
- type nat hook postrouting priority 0; policy accept;
- oifname "WAN" ip saddr 198.18.48.0/20 counter masquerade comment "masqueraded egress-routed clients"
- }
-
- chain input {
- type filter hook input priority 0; policy accept;
- ct state {established, related} counter accept comment "related/established in to docker host";
- udp sport 53 ip saddr 100.64.48.0/20 ip daddr 100.64.48.0/20 counter accept comment "UDP DNS query from egress (100.64.48.0/20)";
- }
-
- chain ct_fwd {
- ip saddr 100.64.48.0/20 ip daddr 100.64.16.0/20 counter accept comment "internally-routed response to egress";
- ip saddr 100.64.0.0/20 ip daddr 100.64.16.0/20 counter accept comment "internally-routed response to null-routed";
- ip saddr 100.64.48.0/20 ip daddr != 100.64.0.0/17 counter accept comment "any & !partition response to egress";
- }
-
- chain forward {
- type filter hook forward priority 0; policy accept;
- ct state {established, related} jump ct_fwd;
- ip saddr 100.64.48.0/20 ip daddr 100.64.16.0/20 counter accept comment "egress (100.64.48.0/20) to internally-routed (100.64.16.0/20)";
- ip saddr 100.64.48.0/20 ip daddr != 100.64.0.0/17 counter accept comment "egress (100.64.48.0/20) to global but not to partition (100.64.0.0/17)";
- ip saddr 100.64.0.0/20 ip daddr 100.64.16.0/20 counter accept comment "null-routed (100.64.0.0/20) to internally-routed (10.64.16.0/20)";
- ip saddr 100.64.0.0/20 counter drop comment "null-routed (100.64.0.0/20) are null-routed";
- ip daddr 100.64.64.0/20 counter drop comment "do not forward to general-purpose (100.64.64.0/20)";
- ip saddr 100.64.64.0/20 counter drop comment "do not forward from general-purpose (100.64.64.0/20)";
- }
-
- chain output {
- type filter hook output priority 0; policy accept;
- udp sport 53 ip saddr 100.64.48.0/20 ip daddr 100.64.48.0/20 counter accept comment "UDP DNS query response to egress (100.64.48.0/20)";
- }
-}
diff --git a/host/nftables/nftables.top_site.rules b/host/nftables/nftables.top_site.rules
new file mode 100644
index 0000000..1ed08c9
--- /dev/null
+++ b/host/nftables/nftables.top_site.rules
@@ -0,0 +1,56 @@
+table ip hybrid {
+ chain POSTROUTING {
+ type nat hook postrouting priority 0; policy accept;
+ oifname "WAN" ip saddr 198.18.48.0/20 counter masquerade comment "masqueraded egress-routed clients";
+ }
+
+ chain PREROUTING {
+ }
+}
+
+ table inet filter {
+ chain INVALID {
+ limit rate 2/second burst 3 packets counter log prefix "NFBAD: " comment "invalid logged";
+ counter drop comment "invalid dropped";
+ }
+
+ chain input {
+ type filter hook input priority 0; policy drop;
+ ct state invalid counter jump INVALID comment "(CT) invalid on INPUT chain";
+ iifname "lo" ip saddr 127.0.0.0/8 ip daddr 127.0.0.0/8 counter accept comment "anything in via loop-back";
+ ct state {established, related} counter accept comment "related/established in to docker host";
+ tcp dport 22 counter accept comment "SSH to host";
+ udp sport 53 ip saddr 100.64.48.0/20 ip daddr 100.64.48.0/20 counter accept comment "UDP DNS query from egress (100.64.48.0/20)";
+ limit rate 15/second burst 3 packets counter log prefix "NF_IN: " comment "input unmatched log";
+ counter drop comment "input dropped";
+ }
+
+ chain ct_fwd {
+ ip saddr 100.64.48.0/20 ip daddr 100.64.16.0/20 counter accept comment "internally-routed response to egress";
+ ip saddr 100.64.0.0/20 ip daddr 100.64.16.0/20 counter accept comment "internally-routed response to null-routed";
+ ip saddr 100.64.48.0/20 ip daddr != 100.64.0.0/17 counter accept comment "any & !partition response to egress";
+ }
+
+ chain forward {
+ type filter hook forward priority 0; policy drop;
+ ct state invalid counter jump INVALID comment "(CT) invalid on FORWARD chain";
+ ct state { established, related } jump ct_fwd comment "jump to CT forward chain";
+ ip saddr 100.64.48.0/20 ip daddr 100.64.16.0/20 counter accept comment "egress (100.64.48.0/20) to internally-routed (100.64.16.0/20)";
+ ip saddr 100.64.48.0/20 ip daddr != 100.64.0.0/17 counter accept comment "egress (100.64.48.0/20) to global but not to partition (100.64.0.0/17)";
+ ip saddr 100.64.0.0/20 ip daddr 100.64.16.0/20 counter accept comment "null-routed (100.64.0.0/20) to internally-routed (10.64.16.0/20)";
+ ip saddr 100.64.0.0/20 counter drop comment "null-routed (100.64.0.0/20) are null-routed";
+ ip daddr 100.64.64.0/20 counter drop comment "do not forward to general-purpose (100.64.64.0/20)";
+ ip saddr 100.64.64.0/20 counter drop comment "do not forward from general-purpose (100.64.64.0/20)";
+ limit rate 15/second burst 3 packets counter log prefix "NFFWD: " comment "forward unmatched log";
+ counter drop comment "forward dropped";
+ }
+
+ chain output {
+ type filter hook output priority 0; policy drop;
+ ct state invalid counter jump INVALID comment "(CT) invalid on OUTPUT chain";
+ udp sport 53 ip saddr 100.64.48.0/20 ip daddr 100.64.48.0/20 counter accept comment "UDP DNS query response to egress (100.64.48.0/20)";
+ oifname "WAN" counter accept comment "* via default interface";
+ limit rate 15/second burst 3 packets counter log prefix "NFOUT: " comment "output unmatched log";
+ counter drop comment "output dropped";
+ }
+}
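Review bot: `chain PREROUTING` in `table ip hybrid` is declared empty and without a hook, so it is dead configuration; either give it `type nat hook prerouting priority -100; policy accept;` so the NAT intent is explicit or remove it. Two labels in the filter table are misleading and appear identically in nftables.exterior.rules: the forward comment `(10.64.16.0/20)` should read `(100.64.16.0/20)` to match the rule's `ip daddr 100.64.16.0/20`, and the input rule `udp sport 53 ... comment "UDP DNS query from egress (100.64.48.0/20)"` matches answers from a 100.64.48.x resolver rather than queries to the host, so either the comment or the match (`udp dport 53`) should change depending on which is intended. With input at policy drop and no ICMP acceptance beyond the errors `ct state related` covers, this `inet` table also drops ICMPv6 neighbour discovery, so if the host carries IPv6 on any interface it will lose neighbour resolution; `icmpv6 type { nd-neighbor-solicit, nd-neighbor-advert, nd-router-advert } counter accept` in input addresses that.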