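#! /usr/bin/nft -f
#
# nft.elly.soekris.v4.sh - IPv4 nftables ruleset for the soekris gateway
# last modified 2017.06.04
#
# This file is loaded with `nft -f`, so everything in it must be nftables
# syntax. The shell `set -o` options that used to sit here (nounset,
# errexit, noclobber, noglob) are bash builtins, not nft commands; nft
# aborts the whole load with a syntax error on the first of them, so they
# are kept only as a comment for reference.
#set -o nounset
#set -o errexit
#set -o noclobber
#set -o noglob

# interface aliases used by the filter and nat tables below
define world = enp5s0
define media = enp6s0
#define buero = enp10s0
define gwlan = enp11s0
define wlan = wlp13s0
#define gwlan = wlp14s0

# NOTE(review): the filter table references $buero and $kvms, but neither is
# defined here (buero is commented out, kvms is never defined) and nft refuses
# to load a ruleset that uses an undefined variable. Either define both or
# drop the rules that use them. The "nics" list below says enp11s0 = kvms,
# yet gwlan is bound to enp11s0 above — confirm which interface is which
# before adding the defines.
#define int_ifs = { $world $media $buero $kvms $wlan $gwlan }
#filter input iif $int_ifs accept

# nics:
#
# enp5s0 = internet
# enp6s0 = media
# enp10s0 = buero
# enp11s0 = kvms
# wlp13s0 = wlan
# wlp14s0 = gwlan
# tun1 = ziont

# start from an empty ruleset so a reload never leaves stale rules behind
flush ruleset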
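table ip filter {
    # NOTE(review): $buero and $kvms are used throughout this table, but no
    # `define` for either is visible in this file; nft rejects the whole
    # ruleset on an undefined variable, so both must be defined before the
    # table is loaded.

    # Base input chain, default drop. Invalid/loopback/established handling
    # is done once here; everything else is dispatched by ingress interface
    # and L4 protocol to a my_<if>_<proto>v4 chain via goto. goto does not
    # return, so a packet that matches nothing in the target chain falls
    # back to this chain's drop policy.
    chain input {
        type filter hook input priority 0; policy drop;
        # invalid connections
        ct state invalid drop
        # loopback interface
        iif lo accept
        # established/related connections
        ct state {established, related} accept
        # incoming inet traffic
        iif $world ip protocol tcp goto my_world_tcpv4
        iif $world ip protocol udp goto my_world_udpv4
        iif $world ip protocol icmp goto my_world_icmpv4
        iif $media ip protocol tcp goto my_media_tcpv4
        iif $media ip protocol udp goto my_media_udpv4
        iif $media ip protocol icmp goto my_media_icmpv4
        iif $buero ip protocol tcp goto my_buero_tcpv4
        iif $buero ip protocol udp goto my_buero_udpv4
        iif $buero ip protocol icmp goto my_buero_icmpv4
        iif $kvms ip protocol tcp goto my_kvms_tcpv4
        iif $kvms ip protocol udp goto my_kvms_udpv4
        iif $kvms ip protocol icmp goto my_kvms_icmpv4
        iif $wlan ip protocol tcp goto my_wlan_tcpv4
        iif $wlan ip protocol udp goto my_wlan_udpv4
        iif $wlan ip protocol icmp goto my_wlan_icmpv4
        iif $gwlan ip protocol tcp goto my_gwlan_tcpv4
        iif $gwlan ip protocol udp goto my_gwlan_udpv4
        iif $gwlan ip protocol icmp goto my_gwlan_icmpv4
        iif tun1 ip protocol tcp goto my_ziont_tcpv4
        iif tun1 ip protocol udp goto my_ziont_udpv4
        iif tun1 ip protocol icmp goto my_ziont_icmpv4
    }

    # ---- internet-facing interface ($world) ----------------------------
    # The `iif $world` match inside these chains is redundant after the
    # goto above (the chain is only ever entered for that interface); it is
    # harmless and kept for readability.
    chain my_world_tcpv4 {
        # bad tcp -> avoid network scanning: drop null-flag segments
        #tcp flags & (fin|syn) == (fin|syn) drop
        #tcp flags & (syn|rst) == (syn|rst) drop
        tcp flags & (fin|syn|rst|psh|ack|urg) == 0 drop
        #tcp flags & (fin|syn|rst|psh|ack|urg) == (fin|psh|urg) drop
        # open tcp ports: openvpn, sshd
        iif $world tcp dport { 1195, 23235 } accept
    }
    chain my_world_udpv4 {
        # no udp service is exposed to the internet: every udp packet from
        # $world falls through to the input chain's drop policy.
        # NOTE(review): openvpn on 1195 is only opened for tcp above; if the
        # server listens on udp, add `iif $world udp dport 1195 accept` here.
    }
    chain my_world_icmpv4 {
        # the listed types are accepted without a limit ...
        iif $world icmp type { echo-request, echo-reply, destination-unreachable, parameter-problem } counter accept
        # ... and every other icmp type (e.g. redirect, timestamp-request) is
        # still accepted, only rate-limited. NOTE(review): confirm this is
        # intended on the internet-facing interface; dropping the remainder
        # would be the stricter choice.
        iif $world limit rate 10/second counter accept
    }

    # ---- media lan ($media) ---------------------------------------------
    chain my_media_tcpv4 {
        # bad tcp -> avoid network scanning: drop null-flag segments
        #tcp flags & (fin|syn) == (fin|syn) drop
        #tcp flags & (syn|rst) == (syn|rst) drop
        tcp flags & (fin|syn|rst|psh|ack|urg) == 0 drop
        #tcp flags & (fin|syn|rst|psh|ack|urg) == (fin|psh|urg) drop
        # open tcp ports: dns,dhcp,ntp,squid,tor,sec
        iif $media tcp dport { 53,67,68,123,3128,9060,23235 } accept
    }
    chain my_media_udpv4 {
        # open udp ports: dns,dhcp,ntp
        # (this chain is only entered for ip protocol udp, so the former
        # `tcp dport` match could never hit and dns/dhcp/ntp over udp were
        # silently dropped by the input policy)
        iif $media udp dport { 53,67,68,123 } accept
    }
    chain my_media_icmpv4 {
        iif $media icmp type { echo-request, echo-reply, destination-unreachable, parameter-problem } counter accept
        # remaining icmp types: accepted, rate-limited
        iif $media limit rate 10/second counter accept
    }

    # ---- office lan ($buero) --------------------------------------------
    chain my_buero_tcpv4 {
        # bad tcp -> avoid network scanning: drop null-flag segments
        #tcp flags & (fin|syn) == (fin|syn) drop
        #tcp flags & (syn|rst) == (syn|rst) drop
        tcp flags & (fin|syn|rst|psh|ack|urg) == 0 drop
        #tcp flags & (fin|syn|rst|psh|ack|urg) == (fin|psh|urg) drop
        # open tcp ports: dns,dhcp,ntp,squid,sshd
        iif $buero tcp dport { 53,67,68,123,3128,23235 } accept
    }
    chain my_buero_udpv4 {
        # open udp ports: dns,dhcp,ntp (was `tcp dport`, which never matches here)
        iif $buero udp dport { 53,67,68,123 } accept
    }
    chain my_buero_icmpv4 {
        iif $buero icmp type { echo-request, echo-reply, destination-unreachable, parameter-problem } counter accept
        # remaining icmp types: accepted, rate-limited
        iif $buero limit rate 5/second counter accept
    }

    # ---- vm host lan ($kvms) --------------------------------------------
    chain my_kvms_tcpv4 {
        # bad tcp -> avoid network scanning: drop null-flag segments
        #tcp flags & (fin|syn) == (fin|syn) drop
        #tcp flags & (syn|rst) == (syn|rst) drop
        tcp flags & (fin|syn|rst|psh|ack|urg) == 0 drop
        #tcp flags & (fin|syn|rst|psh|ack|urg) == (fin|psh|urg) drop
        # open tcp ports: dns,dhcp,ntp,squid
        iif $kvms tcp dport { 53,67,68,123,3128 } accept
    }
    chain my_kvms_udpv4 {
        # open udp ports: dns,dhcp,ntp (was `tcp dport`, which never matches here)
        iif $kvms udp dport { 53,67,68,123 } accept
    }
    chain my_kvms_icmpv4 {
        iif $kvms icmp type { echo-request, echo-reply, destination-unreachable, parameter-problem } counter accept
        # remaining icmp types: accepted, rate-limited
        iif $kvms limit rate 3/second counter accept
    }

    # ---- wlan ($wlan) ----------------------------------------------------
    chain my_wlan_tcpv4 {
        # bad tcp -> avoid network scanning: drop null-flag segments
        #tcp flags & (fin|syn) == (fin|syn) drop
        #tcp flags & (syn|rst) == (syn|rst) drop
        tcp flags & (fin|syn|rst|psh|ack|urg) == 0 drop
        #tcp flags & (fin|syn|rst|psh|ack|urg) == (fin|psh|urg) drop
        # open tcp ports: dns,dhcp,ntp,squid,tor,sec
        iif $wlan tcp dport { 53,67,68,123,3128,9061,23235 } accept
    }
    chain my_wlan_udpv4 {
        # open udp ports: dns,dhcp,ntp (was `tcp dport`, which never matches here)
        iif $wlan udp dport { 53,67,68,123 } accept
    }
    chain my_wlan_icmpv4 {
        iif $wlan icmp type { echo-request, echo-reply, destination-unreachable, parameter-problem } counter accept
        # remaining icmp types: accepted, rate-limited
        iif $wlan limit rate 3/second counter accept
    }

    # ---- guest wlan ($gwlan) --------------------------------------------
    chain my_gwlan_tcpv4 {
        # bad tcp -> avoid network scanning: drop null-flag segments
        #tcp flags & (fin|syn) == (fin|syn) drop
        #tcp flags & (syn|rst) == (syn|rst) drop
        tcp flags & (fin|syn|rst|psh|ack|urg) == 0 drop
        #tcp flags & (fin|syn|rst|psh|ack|urg) == (fin|psh|urg) drop
        # open tcp ports: dns,dhcp,ntp,squid,tor (no sshd for guests)
        iif $gwlan tcp dport { 53,67,68,123,3128,9061 } accept
    }
    chain my_gwlan_udpv4 {
        # open udp ports: dns,dhcp,ntp (was `tcp dport`, which never matches here)
        iif $gwlan udp dport { 53,67,68,123 } accept
    }
    chain my_gwlan_icmpv4 {
        iif $gwlan icmp type { echo-request, echo-reply, destination-unreachable, parameter-problem } counter accept
        # remaining icmp types: accepted, rate-limited
        iif $gwlan limit rate 3/second counter accept
    }

    # Locally generated traffic is not restricted; the loopback rule is
    # redundant with the accept policy and only kept for symmetry with input.
    chain output {
        type filter hook output priority 0; policy accept;
        # invalid connections
        #ct state invalid drop
        # loopback interface
        oif lo accept
    }

    # Routed traffic, default drop. Only the first packet of a flow needs a
    # rule here; replies match the established/related rule.
    chain forward {
        type filter hook forward priority 0; policy drop;
        # invalid connections
        ct state invalid drop
        ct state {established, related} accept
        #iif $media oif $buero accept
        #iif $media oif $kvms accept
        #iif $media oif $wlan accept
        #iif $media oif tun1 accept
        #iif $media oif $world accept
        # lans allowed to reach the media lan
        iif $buero oif $media accept
        iif $wlan oif $media accept
        # vpn and office lan are the only networks routed to the internet;
        # wlan/gwlan/kvms/media have no forward rule to $world and presumably
        # reach it only through the squid/tor ports opened on input — confirm
        iif tun1 oif $world accept
        iif $buero oif $world accept
    }
}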
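table ip nat {
    # No DNAT / port forwards. The policy is spelled out to match
    # postrouting; nat base chains default to accept anyway, so behaviour
    # is unchanged.
    chain prerouting {
        type nat hook prerouting priority -150; policy accept;
    }
    chain postrouting {
        type nat hook postrouting priority 100; policy accept;
        # everything leaving towards the internet is rewritten to the
        # current $world address (dynamic-address friendly)
        oif $world masquerade
        # snat alternative for a fixed public address (1.2.3.4 is a placeholder)
        #ip saddr 192.168.77.0/24 oif $world snat 1.2.3.4
        #ip saddr 192.168.88.0/24 oif $world snat 1.2.3.4
        #ip saddr 192.168.99.0/24 oif $world snat 1.2.3.4
    }
}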