From 291e9298517775dd06b95d4a9b23f41ec7b68101 Mon Sep 17 00:00:00 2001
From: inference
Date: Wed, 2 Jul 2025 04:01:47 +0000
Subject: [PATCH] add(nft): firewall configuration
---
 za-00-00/nftables-rule.sh | 349 ++++++++++++++++++++++++++++++++++++++
 1 file changed, 349 insertions(+)
 create mode 100644 za-00-00/nftables-rule.sh
diff --git a/za-00-00/nftables-rule.sh b/za-00-00/nftables-rule.sh
new file mode 100644
index 0000000..0b6495d
--- /dev/null
+++ b/za-00-00/nftables-rule.sh
@@ -0,0 +1,349 @@
+#!/bin/bash
+
+# Inferencium - ZA-00-00
+# nftables - Configuration
+# Version: 1.0.0
+
+# Copyright 2025 Jake Winters
+# SPDX-License-Identifier: BSD-3-Clause
+
+
+# Variable
+## nftables path
+nft="/usr/sbin/nft"
+## Interface
+lan="enp16s0"
+wan="enp41s0"
+lan_net="10.0.0.0/24"
+
+## IP address - LAN
+xb_00_01="10.0.0.21"
+
+## IP address - WAN
+inf="185.241.226.159"
+
+## Port
+ssh="22"
+domain="53"
+domains="853"
+http="80"
+https="443"
+rtmp="1935"
+xmpp0="3478"
+xmpp1="5222"
+xmpp_s2s="5269"
+xmpp3="5349"
+xmpp_https="5443"
+murmur="64738"
+wg="51820"
+
+
+${nft} flush ruleset;
+${nft} add table inet table_base;
+${nft} add chain inet table_base filter_input "{type filter hook input priority 0;}"
+${nft} add chain inet table_base filter_forward "{type filter hook forward priority 0;}"
+${nft} add chain inet table_base filter_output "{type filter hook output priority 0;}"
+${nft} add chain inet table_base nat_pre "{type nat hook prerouting priority 0;}"
+${nft} add chain inet table_base nat_post "{type nat hook postrouting priority 0;}"
+
+
+# Drop
+## Drop IP address ranges reserved for LAN
+${nft} add rule inet table_base filter_input \
+ iifname ${wan} \
+ ip saddr { 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16 } \
+ drop;
+
+## Drop invalid packets
+${nft} add rule inet table_base filter_input \
+ ct state invalid \
+ drop;
+
+
+# Accept
+## localhost
+${nft} add rule inet table_base filter_input \
+ iifname lo \
+ ct state new,established,related \
+ accept;
+
+## ICMP
+${nft} add rule inet table_base filter_input \
+ ip protocol icmp \
+ accept;
+
+## LAN packets
+${nft} add rule inet table_base filter_input \
+ iifname ${lan} \
+ ip saddr ${lan_net} \
+ ct state new,established,related \
+ accept;
+
+## WAN packets
+${nft} add rule inet table_base filter_input \
+ iifname ${wan} \
+ ct state established,related \
+ accept;
+
+# SSH
+${nft} add rule inet table_base filter_input \
+ iifname ${lan} \
+ ip protocol tcp \
+ tcp dport ${ssh} \
+ ct state new \
+ accept;
+
+${nft} add rule inet table_base nat_pre \
+ iifname ${wan} \
+ ip daddr ${inf} \
+ tcp dport ${ssh} \
+ dnat to ${xb_00_01}:${ssh};
+
+${nft} add rule inet table_base nat_post \
+ oifname ${wan} \
+ ip saddr ${xb_00_01} \
+ tcp sport ${ssh} \
+ snat to ${inf}:${ssh};
+
+
+# DNS
+${nft} add rule inet table_base filter_input \
+ ip protocol tcp tcp \
+ dport ${domain} \
+ ct state new \
+ accept;
+
+${nft} add rule inet table_base filter_input \
+ ip protocol udp udp \
+ dport ${domain} \
+ ct state new \
+ accept;
+
+
+# DNS Secure
+${nft} add rule inet table_base filter_input \
+ ip protocol tcp \
+ tcp dport ${domains} \
+ ct state new \
+ accept;
+
+${nft} add rule inet table_base filter_input \
+ ip protocol udp \
+ udp dport ${domains} \
+ ct state new \
+ accept;
+
+
+# HTTP
+${nft} add rule inet table_base filter_input \
+ ip protocol tcp \
+ tcp dport ${http} \
+ ct state new \
+ accept;
+
+${nft} add rule inet table_base filter_input \
+ ip protocol udp \
+ udp dport ${http} \
+ ct state new \
+ accept;
+
+${nft} add rule inet table_base nat_pre \
+ iifname ${wan} \
+ ip daddr ${inf} \
+ tcp dport ${http} \
+ dnat to ${xb_00_01}:${http};
+
+${nft} add rule inet table_base nat_post \
+ oifname ${wan} \
+ ip saddr ${xb_00_01} \
+ tcp sport ${http} \
+ snat to ${inf}:${http};
+
+
+# HTTPS
+${nft} add rule inet table_base filter_input \
+ ip protocol tcp \
+ tcp dport ${https} \
+ ct state new \
+ accept;
+
+${nft} add rule inet table_base filter_input \
+ ip protocol udp \
+ udp dport ${https} \
+ ct state new \
+ accept;
+
+${nft} add rule inet table_base nat_pre \
+ iifname ${wan} \
+ ip daddr ${inf} \
+ tcp dport ${https} \
+ dnat to ${xb_00_01}:${https};
+
+${nft} add rule inet table_base nat_post \
+ oifname ${wan} \
+ ip saddr ${xb_00_01} \
+ tcp sport ${https} \
+ snat to ${inf}:${https};
+
+
+# RTMP
+${nft} add rule inet table_base filter_input \
+ ip protocol tcp \
+ tcp dport ${rtmp} \
+ ct state new,established \
+ accept;
+
+${nft} add rule inet table_base filter_input \
+ ip protocol udp \
+ udp dport ${rtmp} \
+ ct state new,established \
+ accept;
+
+${nft} add rule inet table_base nat_pre \
+ iifname ${wan} \
+ ip daddr ${inf} \
+ tcp dport ${rtmp} \
+ dnat to ${xb_00_01}:${rtmp};
+
+${nft} add rule inet table_base nat_post \
+ oifname ${wan} \
+ ip saddr ${xb_00_01} \
+ tcp sport ${rtmp} \
+ snat to ${inf}:${rtmp};
+
+
+# XMPP
+${nft} add rule inet table_base filter_input \
+ ip protocol tcp \
+ tcp dport { ${xmpp1}, ${xmpp_s2s}, ${xmpp_https} } \
+ ct state new \
+ accept;
+
+${nft} add rule inet table_base filter_input \
+ ip protocol udp \
+ udp dport { ${xmpp0}, ${xmpp1}, ${xmpp_s2s}, ${xmpp3}, ${xmpp_https} } \
+ ct state new \
+ accept;
+
+${nft} add rule inet table_base nat_pre \
+ iifname ${wan} \
+ ip daddr ${inf} \
+ tcp dport ${xmpp0} \
+ dnat to ${xb_00_01}:${xmpp0};
+
+${nft} add rule inet table_base nat_pre \
+ iifname ${wan} \
+ ip daddr ${inf} \
+ tcp dport ${xmpp1} \
+ dnat to ${xb_00_01}:${xmpp1};
+
+${nft} add rule inet table_base nat_pre \
+ iifname ${wan} \
+ ip daddr ${inf} \
+ tcp dport ${xmpp_s2s} \
+ dnat to ${xb_00_01}:${xmpp_s2s};
+
+${nft} add rule inet table_base nat_pre \
+ iifname ${wan} \
+ ip daddr ${inf} \
+ tcp dport ${xmpp3} \
+ dnat to ${xb_00_01}:${xmpp3};
+
+${nft} add rule inet table_base nat_pre \
+ iifname ${wan} \
+ ip daddr ${inf} \
+ tcp dport ${xmpp_https} \
+ dnat to ${xb_00_01}:${xmpp_https};
+
+${nft} add rule inet table_base nat_post \
+ oifname ${wan} \
+ ip saddr ${xb_00_01} \
+ tcp sport ${xmpp0} \
+ snat to ${inf}:${xmpp0};
+
+${nft} add rule inet table_base nat_post \
+ oifname ${wan} \
+ ip saddr ${xb_00_01} \
+ tcp sport ${xmpp1} \
+ snat to ${inf}:${xmpp1};
+
+${nft} add rule inet table_base nat_post \
+ oifname ${wan} \
+ ip saddr ${xb_00_01} \
+ tcp sport ${xmpp_s2s} \
+ snat to ${inf}:${xmpp_s2s};
+
+${nft} add rule inet table_base nat_post \
+ oifname ${wan} \
+ ip saddr ${xb_00_01} \
+ tcp sport ${xmpp3} \
+ snat to ${inf}:${xmpp3};
+
+${nft} add rule inet table_base nat_post \
+ oifname ${wan} \
+ ip saddr ${xb_00_01} \
+ tcp sport ${xmpp_https} \
+ snat to ${inf}:${xmpp_https};
+
+
+# Murmur
+${nft} add rule inet table_base filter_input \
+ ip protocol tcp \
+ tcp dport ${murmur} \
+ ct state new \
+ accept;
+
+${nft} add rule inet table_base filter_input \
+ ip protocol udp \
+ udp dport ${murmur} \
+ ct state new \
+ accept;
+
+${nft} add rule inet table_base nat_pre \
+ iifname ${wan} \
+ ip saddr ${inf} \
+ tcp dport ${murmur} \
+ dnat to ${xb_00_01}:${murmur};
+
+${nft} add rule inet table_base nat_post \
+ oifname ${wan} \
+ ip saddr ${xb_00_01} \
+ tcp sport ${murmur} \
+ snat to ${inf}:${murmur};
+
+
+# WireGuard
+${nft} add rule inet table_base filter_input \
+ ip protocol udp \
+ udp dport ${wg} \
+ ct state new \
+ accept;
+
+${nft} add rule inet table_base nat_pre \
+ iifname ${wan} \
+ ip saddr ${inf} \
+ tcp dport ${wg} \
+ dnat to ${xb_00_01}:${wg};
+
+${nft} add rule inet table_base nat_post \
+ oifname ${wan} \
+ ip saddr ${xb_00_01} \
+ tcp sport ${wg} \
+ snat to ${inf}:${wg};
+
+
+# NAT
+${nft} add rule inet table_base nat_post \
+ oifname ${wan} \
+ ip saddr ${lan_net} \
+ snat to ${inf}
+
+
+# Default policy
+${nft} add rule inet table_base filter_input drop;
+${nft} add rule inet table_base filter_forward accept;
+${nft} add rule inet table_base filter_output accept;
+
+
+# Save policy
+/etc/init.d/nftables save;
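Review bot: The Murmur and WireGuard `nat_pre` rules match `ip saddr ${inf}` where every other DNAT rule in the hunk matches `ip daddr ${inf}`, so a packet arriving on the WAN from the Internet (whose source is never the host's own WAN address) never hits those two DNATs and both forwards are silently dead; change both to `ip daddr ${inf} \`. The WireGuard NAT pair also matches `tcp dport ${wg}` / `tcp sport ${wg}` while the `filter_input` rule for the same port accepts `udp`, so even with the address fixed the tunnel traffic would not be translated; use `udp dport ${wg} \` and `udp sport ${wg} \` there. Separately, the chains are created with no policy and the final `drop` is only appended as the last of many independent `nft` invocations with no `set -e`, so any failure or interruption between `flush ruleset` and that last rule leaves `filter_input` accepting everything; creating the chain as `"{type filter hook input priority 0; policy drop;}"` (or loading the whole ruleset atomically with `nft -f`) removes that window. Note too that the DNS/HTTP/HTTPS/RTMP/XMPP/Murmur/WireGuard `filter_input` accepts carry no `iifname` restriction, unlike the SSH rule, so those ports accept new connections to the host itself on the WAN side as well — confirm that is intended.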