add(nft): firewall configuration

za-00-00/nftables-rule.sh

@@ -0,0 +1,349 @@
+#!/bin/bash
+
+# Inferencium - ZA-00-00
+# nftables - Configuration
+# Version: 0.1.0
+
+# Copyright 2025 Jake Winters
+# SPDX-License-Identifier: BSD-3-Clause
+
+
+# Variable
+## nftables path
+nft="/usr/sbin/nft";
+## Interface
+lan=enp16s0
+wan=enp41s0
+lan_net=10.0.0.0/24
+
+## IP address - LAN
+xb_00_01=10.0.0.21
+
+## IP address - WAN
+inf=185.241.226.159
+
+## Port
+ssh=22
+domain=53
+domains=853
+http=80
+https=443
+rtmp=1935
+xmpp0=3478
+xmpp1=5222
+xmpp_s2s=5269
+xmpp3=5349
+xmpp_https=5443
+murmur=64738
+wg=51820
+
+
+${nft} flush ruleset;
+${nft} add table inet table_base;
+${nft} add chain inet table_base filter_input "{type filter hook input priority 0;}"
+${nft} add chain inet table_base filter_forward "{type filter hook forward priority 0;}"
+${nft} add chain inet table_base filter_output "{type filter hook output priority 0;}"
+${nft} add chain inet table_base nat_pre "{type nat hook prerouting priority 0;}"
+${nft} add chain inet table_base nat_post "{type nat hook postrouting priority 0;}"
+
+
+# Drop
+## Drop IP address ranges reserved for LAN
+${nft} add rule inet table_base filter_input \
+		iifname ${wan} \
+				ip saddr { 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16 } \
+						drop;
+
+## Drop invalid packets
+${nft} add rule inet table_base filter_input \
+		ct state invalid \
+				drop;
+
+
+# Accept
+## localhost
+${nft} add rule inet table_base filter_input \
+		iifname lo \
+				ct state new,established,related \
+						accept;
+
+## ICMP
+${nft} add rule inet table_base filter_input \
+		ip protocol icmp \
+				accept;
+
+## LAN packets
+${nft} add rule inet table_base filter_input \
+		iifname ${lan} \
+				ip saddr ${lan_net} \
+						ct state new,established,related \
+								accept;
+
+## WAN packets
+${nft} add rule inet table_base filter_input \
+		iifname ${wan} \
+				ct state established,related \
+						accept;
+
+# SSH
+${nft} add rule inet table_base filter_input \
+		iifname ${lan} \
+				ip protocol tcp \
+						tcp dport ${ssh} \
+								ct state new \
+										accept;
+
+${nft} add rule inet table_base nat_pre \
+		iifname ${wan} \
+				ip daddr ${inf} \
+						tcp dport ${ssh} \
+								dnat to ${xb_00_01}:${ssh};
+
+${nft} add rule inet table_base nat_post \
+		oifname ${wan} \
+				ip saddr ${xb_00_01} \
+						tcp sport ${ssh} \
+								snat to ${inf}:${ssh};
+
+
+# DNS
+${nft} add rule inet table_base filter_input \
+		ip protocol tcp tcp \
+				dport ${domain} \
+						ct state new \
+								accept;
+
+${nft} add rule inet table_base filter_input \
+		ip protocol udp udp \
+				dport ${domain} \
+						ct state new \
+								accept;
+
+
+# DNS Secure
+${nft} add rule inet table_base filter_input \
+		ip protocol tcp \
+				tcp dport ${domains} \
+						ct state new \
+								accept;
+
+${nft} add rule inet table_base filter_input \
+		ip protocol udp \
+				udp dport ${domains} \
+						ct state new \
+								accept;
+
+
+# HTTP
+${nft} add rule inet table_base filter_input \
+		ip protocol tcp \
+				tcp dport ${http} \
+						ct state new \
+								accept;
+
+${nft} add rule inet table_base filter_input \
+		ip protocol udp \
+				udp dport ${http} \
+						ct state new \
+								accept;
+
+${nft} add rule inet table_base nat_pre \
+		iifname ${wan} \
+				ip daddr ${inf} \
+						tcp dport ${http} \
+								dnat to ${xb_00_01}:${http};
+
+${nft} add rule inet table_base nat_post \
+		oifname ${wan} \
+				ip saddr ${xb_00_01} \
+						tcp sport ${http} \
+								snat to ${inf}:${http};
+
+
+# HTTPS
+${nft} add rule inet table_base filter_input \
+		ip protocol tcp \
+				tcp dport ${https} \
+						ct state new \
+								accept;
+
+${nft} add rule inet table_base filter_input \
+		ip protocol udp \
+				udp dport ${https} \
+						ct state new \
+								accept;
+
+${nft} add rule inet table_base nat_pre \
+		iifname ${wan} \
+				ip daddr ${inf} \
+						tcp dport ${https} \
+								dnat to ${xb_00_01}:${https};
+
+${nft} add rule inet table_base nat_post \
+		oifname ${wan} \
+				ip saddr ${xb_00_01} \
+						tcp sport ${https} \
+								snat to ${inf}:${https};
+
+
+# RTMP
+${nft} add rule inet table_base filter_input \
+		ip protocol tcp \
+				tcp dport ${rtmp} \
+						ct state new,established \
+								accept;
+
+${nft} add rule inet table_base filter_input \
+		ip protocol udp \
+				udp dport ${rtmp} \
+						ct state new,established \
+								accept;
+
+${nft} add rule inet table_base nat_pre \
+		iifname ${wan} \
+				ip daddr ${inf} \
+						tcp dport ${rtmp} \
+								dnat to ${xb_00_01}:${rtmp};
+
+${nft} add rule inet table_base nat_post \
+		oifname ${wan} \
+				ip saddr ${xb_00_01} \
+						tcp sport ${rtmp} \
+								snat to ${inf}:${rtmp};
+
+
+# XMPP
+${nft} add rule inet table_base filter_input \
+		ip protocol tcp \
+				tcp dport { ${xmpp1}, ${xmpp_s2s}, ${xmpp_https} } \
+						ct state new \
+								accept;
+
+${nft} add rule inet table_base filter_input \
+		ip protocol udp \
+				udp dport { ${xmpp0}, ${xmpp1}, ${xmpp_s2s}, ${xmpp3}, ${xmpp_https} } \
+						ct state new \
+								accept;
+
+${nft} add rule inet table_base nat_pre \
+		iifname ${wan} \
+				ip daddr ${inf} \
+						tcp dport ${xmpp0} \
+								dnat to ${xb_00_01}:${xmpp0};
+
+${nft} add rule inet table_base nat_pre \
+		iifname ${wan} \
+				ip daddr ${inf} \
+						tcp dport ${xmpp1} \
+								dnat to ${xb_00_01}:${xmpp1};
+
+${nft} add rule inet table_base nat_pre \
+		iifname ${wan} \
+				ip daddr ${inf} \
+						tcp dport ${xmpp_s2s} \
+								dnat to ${xb_00_01}:${xmpp_s2s};
+
+${nft} add rule inet table_base nat_pre \
+		iifname ${wan} \
+				ip daddr ${inf} \
+						tcp dport ${xmpp3} \
+								dnat to ${xb_00_01}:${xmpp3};
+
+${nft} add rule inet table_base nat_pre \
+		iifname ${wan} \
+				ip daddr ${inf} \
+						tcp dport ${xmpp_https} \
+								dnat to ${xb_00_01}:${xmpp_https};
+
+${nft} add rule inet table_base nat_post \
+		oifname ${wan} \
+				ip saddr ${xb_00_01} \
+						tcp sport ${xmpp0} \
+								snat to ${inf}:${xmpp0};
+
+${nft} add rule inet table_base nat_post \
+		oifname ${wan} \
+				ip saddr ${xb_00_01} \
+						tcp sport ${xmpp1} \
+								snat to ${inf}:${xmpp1};
+
+${nft} add rule inet table_base nat_post \
+		oifname ${wan} \
+				ip saddr ${xb_00_01} \
+						tcp sport ${xmpp_s2s} \
+								snat to ${inf}:${xmpp_s2s};
+
+${nft} add rule inet table_base nat_post \
+		oifname ${wan} \
+				ip saddr ${xb_00_01} \
+						tcp sport ${xmpp3} \
+								snat to ${inf}:${xmpp3};
+
+${nft} add rule inet table_base nat_post \
+		oifname ${wan} \
+				ip saddr ${xb_00_01} \
+						tcp sport ${xmpp_https} \
+								snat to ${inf}:${xmpp_https};
+
+
+# Murmur
+${nft} add rule inet table_base filter_input \
+		ip protocol tcp \
+				tcp dport ${murmur} \
+						ct state new \
+								accept;
+
+${nft} add rule inet table_base filter_input \
+		ip protocol udp \
+				udp dport ${murmur} \
+						ct state new \
+								accept;
+
+${nft} add rule inet table_base nat_pre \
+		iifname ${wan} \
+				ip saddr ${inf} \
+						tcp dport ${murmur} \
+								dnat to ${xb_00_01}:${murmur};
+
+${nft} add rule inet table_base nat_post \
+		oifname ${wan} \
+				ip saddr ${xb_00_01} \
+						tcp sport ${murmur} \
+								snat to ${inf}:${murmur};
+
+
+# WireGuard
+${nft} add rule inet table_base filter_input \
+		ip protocol udp \
+				udp dport ${wg} \
+						ct state new \
+								accept;
+
+${nft} add rule inet table_base nat_pre \
+		iifname ${wan} \
+				ip saddr ${inf} \
+						tcp dport ${wg} \
+								dnat to ${xb_00_01}:${wg};
+
+${nft} add rule inet table_base nat_post \
+		oifname ${wan} \
+				ip saddr ${xb_00_01} \
+						tcp sport ${wg} \
+								snat to ${inf}:${wg};
+
+
+# NAT
+${nft} add rule inet table_base nat_post \
+		oifname ${wan} \
+				ip saddr ${lan_net} \
+						snat to ${inf}
+
+
+# Default policy
+${nft} add rule inet table_base filter_input drop;
+${nft} add rule inet table_base filter_forward accept;
+${nft} add rule inet table_base filter_output accept;
+
+
+# Save policy
+/etc/init.d/nftables save;