From 13c9b7d82f8723f62c73648b7e29d553f37f0583 Mon Sep 17 00:00:00 2001
From: Daniel Flanagan
Date: Mon, 31 Jan 2022 17:06:53 -0600
Subject: [PATCH] Update firewall

---
 nftables.conf | 60 +++++++++++----------------------------------------
 1 file changed, 13 insertions(+), 47 deletions(-)

diff --git a/nftables.conf b/nftables.conf
index 5a1ec74..655c75f 100644
--- a/nftables.conf
+++ b/nftables.conf
@@ -1,13 +1,6 @@
 define WAN = wan0
 define LAN = lan0
 
-define ROUTER_TCP_PORTS = { 22 }
-define ROUTER_UDP_PORTS = { 546, 53, 67 }
-define FACELESS_TCP_PORTS = { 443, 80, 2222, 2200 }
-# define FACELESS_UDP_PORTS = { }
-define DRAGON_TCP_PORTS = { 2221 }
-# define DRAGON_UDP_PORTS = { }
-
 table inet filter {
 chain input {
 type filter hook input priority filter; policy accept;
@@ -17,8 +10,9 @@ table inet filter {
 ip protocol icmpv6 accept
 ip protocol icmp accept
 meta l4proto ipv6-icmp accept
- tcp dport $ROUTER_TCP_PORTS accept
- udp dport $ROUTER_UDP_PORTS accept
+ tcp dport { 22 } accept comment "allow ssh to router"
+ udp dport { 546, 53, 67 } accept comment "allow dhcpv6-client, dns, and dhcp"
+ udp dport { 60000-60009 } accept comment "allow mosh common ports"
 drop
 }
 
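Review bot: The three new accept rules in chain input carry no `iifname` match, so unless a line earlier in the chain (not visible here) already scopes traffic by interface, the router's DNS (53) and DHCP (67) server ports, SSH and the mosh range are accepted from $WAN as well as $LAN before the final `drop`. Only the DHCPv6 client port (546) needs to be reachable on the WAN side, so the server ports can be pinned to the LAN with `iifname $LAN udp dport { 53, 67 } accept comment "allow dns and dhcp from lan"` and `udp dport 546 accept comment "allow dhcpv6-client"`, and `iifname $LAN` belongs on the ssh and mosh lines too if WAN-side admin access is not intended. The mosh comment would also be clearer as `comment "allow mosh to router (60000-60009; other hosts use 60010+ via ip nat)"`, since the nat table hands 60010-60019 and 60020-60029 to other hosts. chain input begins before this hunk, so the rules above `ip protocol icmpv6 accept` are not visible.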
@@ -44,51 +38,22 @@ table ip nat {
 
 # ip daddr 10.0.0.1 tcp dport { 80, 443 } dnat to 10.0.0.25
 
- iifname $WAN tcp dport $FACELESS_TCP_PORTS dnat to 10.0.0.25
- # iifname $WAN udp dport $FACELESS_UDP_PORTS dnat to 10.0.0.25
- iifname $WAN udp dport 60000-60009 dnat to 10.0.0.25
+ # faceless
+ # allow HTTP, HTTPS, gitea's SSH, and host ssh to faceless
+ iifname $WAN tcp dport { 443, 80, 2222, 2200 } dnat to 10.0.0.25
+ # allow mosh
+ iifname $WAN udp dport 60010-60019 dnat to 10.0.0.25
 
- iifname $WAN tcp dport $DRAGON_TCP_PORTS dnat to 10.0.0.10
- # iifname $WAN udp dport $DRAGON_UDP_PORTS dnat to 10.0.0.10
+ # allow host ssh
+ iifname $WAN tcp dport { 2221 } dnat to 10.0.0.10
+ # allow mosh
 iifname $WAN udp dport 60020-60029 dnat to 10.0.0.10
 
+ # ourcraft
 iifname $WAN tcp dport { 25565 } dnat to 10.0.0.244
 }
 }
 
-table ip6 filter {
- chain input {
-
- type nat hook postrouting priority 100; policy accept;
- oifname $LAN masquerade
- type nat hook postrouting priority 100; policy accept;
- oifname $LAN masquerade
-prerouting
- }
-
- chain forward {
- type nat hook prerouting priority -100; policy accept;
-
- # ip daddr 10.0.0.1 tcp dport { 80, 443 } dnat to 10.0.0.25
-
- iifname $WAN tcp dport $FACELESS_TCP_PORTS dnat to 10.0.0.25
- # iifname $WAN udp dport $FACELESS_UDP_PORTS dnat to 10.0.0.25
- iifname $WAN udp dport 60000-60009 dnat to 10.0.0.25
-
- iifname $WAN tcp dport $DRAGON_TCP_PORTS dnat to 10.0.0.10
- # iifname $WAN udp dport $DRAGON_UDP_PORTS dnat to 10.0.0.10
- iifname $WAN udp dport 60020-60029 dnat to 10.0.0.10
-
- iifname $WAN tcp dport { 25565 } dnat to 10.0.0.244
- }
-
- chain output {
- }
-}
-
-# the following two blocks were generated by restarting systemd-networkd and
-# dumping nftables
-
 # nat ipv4 for lan
 table ip io.systemd.nat {
 set masq_saddr {
@@ -117,6 +82,7 @@ table ip io.systemd.nat {
 }
 }
 
+# nat ipv6 for lan
 table ip6 io.systemd.nat {
 set masq_saddr {
 type ipv6_addr
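Review bot: The faceless mosh forward moves from 60000-60009 to 60010-60019, but the new `# allow mosh` comment above it does not say why; the reason (the router now accepts 60000-60009 for its own mosh sessions in the inet filter input chain) is only visible in the earlier hunk, so `# allow mosh (60010-60019; 60000-60009 is used by the router itself)` would stop the two ranges from colliding again. The mosh server on 10.0.0.25 also has to be told to use the new range, otherwise sessions it opens in 60000-60009 will no longer be forwarded. These `dnat` rules only rewrite the destination; whether the forwarded traffic is then permitted depends on the inet filter forward chain, which is outside this hunk, as is the start of the prerouting chain. The single-value sets `{ 2221 }` and `{ 25565 }` are valid but the braces are not needed for one port; either keep them everywhere for consistency or drop them on the single-port lines.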