From 643ae65d999204cd16dc77858ae230f5a745a1d7 Mon Sep 17 00:00:00 2001
From: inference
Date: Wed, 2 Jul 2025 03:48:59 +0000
Subject: [PATCH] add(nft): firewall configuration

---
za-00-00/nftables-rule.sh | 349 ++++++++++++++++++++++++++++++++++++++
1 file changed, 349 insertions(+)
create mode 100644 za-00-00/nftables-rule.sh

diff --git a/za-00-00/nftables-rule.sh b/za-00-00/nftables-rule.sh
new file mode 100644
index 0000000..137b9f6
--- /dev/null
+++ b/za-00-00/nftables-rule.sh
@@ -0,0 +1,349 @@
+#!/bin/bash
+
+# Inferencium - ZA-00-00
+# nftables - Configuration
+# Version: 0.1.0
+
+# Copyright 2025 Jake Winters
+# SPDX-License-Identifier: BSD-3-Clause
+
+
+# Variable
+## nftables path
+nft="/usr/sbin/nft";
+## Interface
+lan=enp16s0
+wan=enp41s0
+lan_net=10.0.0.0/24
+
+## IP address - LAN
+xb_00_01=10.0.0.21
+
+## IP address - WAN
+inf=185.241.226.159
+
+## Port
+ssh=22
+domain=53
+domains=853
+http=80
+https=443
+rtmp=1935
+xmpp0=3478
+xmpp1=5222
+xmpp_s2s=5269
+xmpp3=5349
+xmpp_https=5443
+murmur=64738
+wg=51820
+
+
+${nft} flush ruleset;
+${nft} add table inet table_base;
+${nft} add chain inet table_base filter_input "{type filter hook input priority 0;}"
+${nft} add chain inet table_base filter_forward "{type filter hook forward priority 0;}"
+${nft} add chain inet table_base filter_output "{type filter hook output priority 0;}"
+${nft} add chain inet table_base nat_pre "{type nat hook prerouting priority 0;}"
+${nft} add chain inet table_base nat_post "{type nat hook postrouting priority 0;}"
+
+
+# Drop
+## Drop IP address ranges reserved for LAN
+${nft} add rule inet table_base filter_input \
+ iifname ${wan} \
+ ip saddr { 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16 } \
+ drop;
+
+## Drop invalid packets
+${nft} add rule inet table_base filter_input \
+ ct state invalid \
+ drop;
+
+
+# Accept
+## localhost
+${nft} add rule inet table_base filter_input \
+ iifname lo \
+ ct state new,established,related \
+ accept;
+
+## ICMP
+${nft} add rule inet table_base filter_input \
+ ip protocol icmp \
+ accept;
+
+## LAN packets
+${nft} add rule inet table_base filter_input \
+ iifname ${lan} \
+ ip saddr ${lan_net} \
+ ct state new,established,related \
+ accept;
+
+## WAN packets
+${nft} add rule inet table_base filter_input \
+ iifname ${wan} \
+ ct state established,related \
+ accept;
+
+# SSH
+${nft} add rule inet table_base filter_input \
+ iifname ${lan} \
+ ip protocol tcp \
+ tcp dport ${ssh} \
+ ct state new \
+ accept;
+
+${nft} add rule inet table_base nat_pre \
+ iifname ${wan} \
+ ip daddr ${inf} \
+ tcp dport ${ssh} \
+ dnat to ${xb_00_01}:${ssh};
+
+${nft} add rule inet table_base nat_post \
+ oifname ${wan} \
+ ip saddr ${xb_00_01} \
+ tcp sport ${ssh} \
+ snat to ${inf}:${ssh};
+
+
+# DNS
+${nft} add rule inet table_base filter_input \
+ ip protocol tcp tcp \
+ dport ${domain} \
+ ct state new \
+ accept;
+
+${nft} add rule inet table_base filter_input \
+ ip protocol udp udp \
+ dport ${domain} \
+ ct state new \
+ accept;
+
+
+# DNS Secure
+${nft} add rule inet table_base filter_input \
+ ip protocol tcp \
+ tcp dport ${domains} \
+ ct state new \
+ accept;
+
+${nft} add rule inet table_base filter_input \
+ ip protocol udp \
+ udp dport ${domains} \
+ ct state new \
+ accept;
+
+
+# HTTP
+${nft} add rule inet table_base filter_input \
+ ip protocol tcp \
+ tcp dport ${http} \
+ ct state new \
+ accept;
+
+${nft} add rule inet table_base filter_input \
+ ip protocol udp \
+ udp dport ${http} \
+ ct state new \
+ accept;
+
+${nft} add rule inet table_base nat_pre \
+ iifname ${wan} \
+ ip daddr ${inf} \
+ tcp dport ${http} \
+ dnat to ${xb_00_01}:${http};
+
+${nft} add rule inet table_base nat_post \
+ oifname ${wan} \
+ ip saddr ${xb_00_01} \
+ tcp sport ${http} \
+ snat to ${inf}:${http};
+
+
+# HTTPS
+${nft} add rule inet table_base filter_input \
+ ip protocol tcp \
+ tcp dport ${https} \
+ ct state new \
+ accept;
+
+${nft} add rule inet table_base filter_input \
+ ip protocol udp \
+ udp dport ${https} \
+ ct state new \
+ accept;
+
+${nft} add rule inet table_base nat_pre \
+ iifname ${wan} \
+ ip daddr ${inf} \
+ tcp dport ${https} \
+ dnat to ${xb_00_01}:${https};
+
+${nft} add rule inet table_base nat_post \
+ oifname ${wan} \
+ ip saddr ${xb_00_01} \
+ tcp sport ${https} \
+ snat to ${inf}:${https};
+
+
+# RTMP
+${nft} add rule inet table_base filter_input \
+ ip protocol tcp \
+ tcp dport ${rtmp} \
+ ct state new,established \
+ accept;
+
+${nft} add rule inet table_base filter_input \
+ ip protocol udp \
+ udp dport ${rtmp} \
+ ct state new,established \
+ accept;
+
+${nft} add rule inet table_base nat_pre \
+ iifname ${wan} \
+ ip daddr ${inf} \
+ tcp dport ${rtmp} \
+ dnat to ${xb_00_01}:${rtmp};
+
+${nft} add rule inet table_base nat_post \
+ oifname ${wan} \
+ ip saddr ${xb_00_01} \
+ tcp sport ${rtmp} \
+ snat to ${inf}:${rtmp};
+
+
+# XMPP
+${nft} add rule inet table_base filter_input \
+ ip protocol tcp \
+ tcp dport { ${xmpp1}, ${xmpp_s2s}, ${xmpp_https} } \
+ ct state new \
+ accept;
+
+${nft} add rule inet table_base filter_input \
+ ip protocol udp \
+ udp dport { ${xmpp0}, ${xmpp1}, ${xmpp_s2s}, ${xmpp3}, ${xmpp_https} } \
+ ct state new \
+ accept;
+
+${nft} add rule inet table_base nat_pre \
+ iifname ${wan} \
+ ip daddr ${inf} \
+ tcp dport ${xmpp0} \
+ dnat to ${xb_00_01}:${xmpp0};
+
+${nft} add rule inet table_base nat_pre \
+ iifname ${wan} \
+ ip daddr ${inf} \
+ tcp dport ${xmpp1} \
+ dnat to ${xb_00_01}:${xmpp1};
+
+${nft} add rule inet table_base nat_pre \
+ iifname ${wan} \
+ ip daddr ${inf} \
+ tcp dport ${xmpp_s2s} \
+ dnat to ${xb_00_01}:${xmpp_s2s};
+
+${nft} add rule inet table_base nat_pre \
+ iifname ${wan} \
+ ip daddr ${inf} \
+ tcp dport ${xmpp3} \
+ dnat to ${xb_00_01}:${xmpp3};
+
+${nft} add rule inet table_base nat_pre \
+ iifname ${wan} \
+ ip daddr ${inf} \
+ tcp dport ${xmpp_https} \
+ dnat to ${xb_00_01}:${xmpp_https};
+
+${nft} add rule inet table_base nat_post \
+ oifname ${wan} \
+ ip saddr ${xb_00_01} \
+ tcp sport ${xmpp0} \
+ snat to ${inf}:${xmpp0};
+
+${nft} add rule inet table_base nat_post \
+ oifname ${wan} \
+ ip saddr ${xb_00_01} \
+ tcp sport ${xmpp1} \
+ snat to ${inf}:${xmpp1};
+
+${nft} add rule inet table_base nat_post \
+ oifname ${wan} \
+ ip saddr ${xb_00_01} \
+ tcp sport ${xmpp_s2s} \
+ snat to ${inf}:${xmpp_s2s};
+
+${nft} add rule inet table_base nat_post \
+ oifname ${wan} \
+ ip saddr ${xb_00_01} \
+ tcp sport ${xmpp3} \
+ snat to ${inf}:${xmpp3};
+
+${nft} add rule inet table_base nat_post \
+ oifname ${wan} \
+ ip saddr ${xb_00_01} \
+ tcp sport ${xmpp_https} \
+ snat to ${inf}:${xmpp_https};
+
+
+# Murmur
+${nft} add rule inet table_base filter_input \
+ ip protocol tcp \
+ tcp dport ${murmur} \
+ ct state new \
+ accept;
+
+${nft} add rule inet table_base filter_input \
+ ip protocol udp \
+ udp dport ${murmur} \
+ ct state new \
+ accept;
+
+${nft} add rule inet table_base nat_pre \
+ iifname ${wan} \
+ ip saddr ${inf} \
+ tcp dport ${murmur} \
+ dnat to ${xb_00_01}:${murmur};
+
+${nft} add rule inet table_base nat_post \
+ oifname ${wan} \
+ ip saddr ${xb_00_01} \
+ tcp sport ${murmur} \
+ snat to ${inf}:${murmur};
+
+
+# WireGuard
+${nft} add rule inet table_base filter_input \
+ ip protocol udp \
+ udp dport ${wg} \
+ ct state new \
+ accept;
+
+${nft} add rule inet table_base nat_pre \
+ iifname ${wan} \
+ ip saddr ${inf} \
+ tcp dport ${wg} \
+ dnat to ${xb_00_01}:${wg};
+
+${nft} add rule inet table_base nat_post \
+ oifname ${wan} \
+ ip saddr ${xb_00_01} \
+ tcp sport ${wg} \
+ snat to ${inf}:${wg};
+
+
+# NAT
+${nft} add rule inet table_base nat_post \
+ oifname ${wan} \
+ ip saddr ${lan_net} \
+ snat to ${inf}
+
+
+# Default policy
+${nft} add rule inet table_base filter_input drop;
+${nft} add rule inet table_base filter_forward accept;
+${nft} add rule inet table_base filter_output accept;
+
+
+# Save policy
+/etc/init.d/nftables save;
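Review bot: The input chain is created with nftables' default accept policy and the `drop` that is meant as the default policy is only appended as the very last rule, yet the script never sets `set -e`, so if any `nft add` between `flush ruleset` and that final rule fails the host is left accepting everything on input and the closing `/etc/init.d/nftables save` persists that open state. Add `set -euo pipefail` after the shebang and declare the chain as `"{type filter hook input priority 0; policy drop;}"` (or load the ruleset atomically with `nft -f`), which also makes the trailing drop rule redundant. The Murmur and WireGuard `nat_pre` rules match `ip saddr ${inf}` where every other forward uses `ip daddr ${inf}`, so they never fire for inbound traffic, and the WireGuard pair matches `tcp dport ${wg}` although its input rule only accepts UDP; change them to `ip daddr ${inf}` and `udp dport ${wg}` / `udp sport ${wg}`. The per-service accept rules in filter_input from DNS 53/853 down to Murmur carry no `iifname` match, so whatever the firewall itself listens on at those ports is reachable from the WAN — if a resolver runs on this host that is an open resolver, so restrict at least the DNS rules with `iifname ${lan}` unless serving the internet is intended. filter_forward likewise ends in an unconditional `accept`; a `policy drop` forward chain that accepts `ct state established,related`, `iifname ${lan} oifname ${wan}` and `ct status dnat` limits routed traffic from the WAN to the DNAT targets above.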