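#!/usr/bin/nft -f
#
# last modified 2017.06.04
#
# IPv6 ruleset (filter + nat66 masquerade) for the soekris router,
# loaded with `nft -f`.
#
# NOTE(review): the `set -o ...` lines below are shell options, not nft
# syntax (nft only knows `set` as the set-definition keyword), so `nft -f`
# cannot parse them and refuses the whole file. Kept as comments only.
#set -o nounset
#set -o errexit
#set -o noclobber
#set -o noglob
#
# Interface symbols. The chains below use $world, $lan, $buero, $kvms and
# $wlan; `lan`, `buero` and `kvms` were not defined, which also makes the
# file fail to load. They are defined here from the nic table below;
# `media` and `gwlan` are kept as they were but are not referenced anywhere.
define world = enp5s0
define lan = enp6s0
define media = enp6s0
define buero = enp10s0
define kvms = enp11s0
define gwlan = enp11s0
define wlan = wlp13s0
#define int_ifs = { $int_if1, $int_if2 }
#filter input iifname $int_ifs accept
# nics:
#
# enp5s0 = internet
# enp6s0 = lan
# enp10s0 = buero
# enp11s0 = kvms
# wlp13s0 = wlan
# tun1 = ziont
# hipv6 = TUNB6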
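table ip6 filter {
	# Base input chain. Policy is drop: a packet survives only if it is
	# accepted here or in the per-interface chain it is dispatched to.
	chain input {
		type filter hook input priority 0; policy drop;
		# invalid connections
		ct state invalid drop
		# loopback interface
		iifname lo accept
		# established/related connections
		ct state {established, related} accept
		# Per-interface, per-protocol dispatch. `goto` does not return, so
		# anything the target chain does not accept ends in this chain's
		# drop policy.
		# `meta l4proto` replaces the earlier `ip protocol`: that expression
		# reads the IPv4 header, so in an ip6 table it is either rejected by
		# nft or never matches, and no dispatch ever happened. l4proto also
		# looks past IPv6 extension headers.
		iifname $world meta l4proto tcp goto my_world_tcpv6
		iifname $world meta l4proto udp goto my_world_udpv6
		iifname $world meta l4proto icmpv6 goto my_world_icmpv6
		iifname $lan meta l4proto tcp goto my_lan_tcpv6
		iifname $lan meta l4proto udp goto my_lan_udpv6
		iifname $lan meta l4proto icmpv6 goto my_lan_icmpv6
		# NOTE(review): the my_gwlan_* chains are dispatched on $buero, not
		# on $gwlan — confirm which nic is meant.
		iifname $buero meta l4proto tcp goto my_gwlan_tcpv6
		iifname $buero meta l4proto udp goto my_gwlan_udpv6
		iifname $buero meta l4proto icmpv6 goto my_gwlan_icmpv6
		iifname $kvms meta l4proto tcp goto my_kvms_tcpv6
		iifname $kvms meta l4proto udp goto my_kvms_udpv6
		iifname $kvms meta l4proto icmpv6 goto my_kvms_icmpv6
		iifname $wlan meta l4proto tcp goto my_wlan_tcpv6
		iifname $wlan meta l4proto udp goto my_wlan_udpv6
		iifname $wlan meta l4proto icmpv6 goto my_wlan_icmpv6
		iifname tun1 meta l4proto tcp goto my_ziont_tcpv6
		iifname tun1 meta l4proto udp goto my_ziont_udpv6
		iifname tun1 meta l4proto icmpv6 goto my_ziont_icmpv6
		iifname hipv6 meta l4proto tcp goto my_hipv6_tcpv6
		iifname hipv6 meta l4proto udp goto my_hipv6_udpv6
		iifname hipv6 meta l4proto icmpv6 goto my_hipv6_icmpv6
	}

	# --- internet uplink ($world) ---
	# ct state and loopback are already handled in chain input before the
	# dispatch, so they are not repeated in the per-interface chains.
	chain my_world_tcpv6 {
		# bad tcp -> avoid network scanning: drop segments with no flags set
		#tcp flags & (fin|syn) == (fin|syn) drop
		#tcp flags & (syn|rst) == (syn|rst) drop
		tcp flags & (fin|syn|rst|psh|ack|urg) == 0 drop
		#tcp flags & (fin|syn|rst|psh|ack|urg) == (fin|psh|urg) drop
		# open tcp ports: sec
		iifname $world tcp dport { 23235 } accept
	}
	chain my_world_udpv6 {
		# nothing is accepted over udp from the uplink; falls to input's drop
	}
	chain my_world_icmpv6 {
		# Neighbour discovery, PMTU and error types that IPv6 needs to work,
		# plus echo. Numeric types (IANA): 141/142 inverse ND solicitation /
		# advertisement, 151/152/153 multicast router advertisement /
		# solicitation / termination.
		iifname $world icmpv6 type { echo-request, echo-reply, destination-unreachable, packet-too-big, time-exceeded, parameter-problem, router-solicitation, router-advertisement, neighbor-solicitation, neighbor-advertisement, 141, 142, 151, 152, 153 } counter accept
		# Rate-limited catch-all for every other icmpv6 type.
		# NOTE(review): this also admits types such as nd-redirect from the
		# uplink; dropping unlisted types instead would be the tighter choice.
		iifname $world limit rate 10/second counter accept
	}

	# --- lan ($lan) ---
	chain my_lan_tcpv6 {
		# bad tcp -> avoid network scanning: drop segments with no flags set
		#tcp flags & (fin|syn) == (fin|syn) drop
		#tcp flags & (syn|rst) == (syn|rst) drop
		tcp flags & (fin|syn|rst|psh|ack|urg) == 0 drop
		#tcp flags & (fin|syn|rst|psh|ack|urg) == (fin|psh|urg) drop
		# open tcp ports: dns,dhcp,ntp,squid,tor,sec
		iifname $lan tcp dport { 53,67,68,123,3128,9060,23235 } accept
	}
	chain my_lan_udpv6 {
		# open udp ports: dns,dhcp,ntp
		# Was `tcp dport`, which can never match in a chain that is only
		# reached for udp, so no udp service was reachable from the lan.
		# NOTE(review): 67/68 are the DHCPv4 ports; DHCPv6 uses 546/547 —
		# confirm which server runs here.
		iifname $lan udp dport { 53,67,68,123 } accept
	}
	chain my_lan_icmpv6 {
		# same type list as the uplink chain; see my_world_icmpv6
		iifname $lan icmpv6 type { echo-request, echo-reply, destination-unreachable, packet-too-big, time-exceeded, parameter-problem, router-solicitation, router-advertisement, neighbor-solicitation, neighbor-advertisement, 141, 142, 151, 152, 153 } counter accept
		iifname $lan limit rate 10/second counter accept
	}

	# --- buero ($buero, chains named gwlan) ---
	chain my_gwlan_tcpv6 {
		# bad tcp -> avoid network scanning: drop segments with no flags set
		#tcp flags & (fin|syn) == (fin|syn) drop
		#tcp flags & (syn|rst) == (syn|rst) drop
		tcp flags & (fin|syn|rst|psh|ack|urg) == 0 drop
		#tcp flags & (fin|syn|rst|psh|ack|urg) == (fin|psh|urg) drop
		# open tcp ports: dns,dhcp,ntp,squid
		iifname $buero tcp dport { 53,67,68,123,3128 } accept
	}
	chain my_gwlan_udpv6 {
		# open udp ports: dns,dhcp,ntp (was `tcp dport`, see my_lan_udpv6)
		iifname $buero udp dport { 53,67,68,123 } accept
	}
	chain my_gwlan_icmpv6 {
		# same type list as the uplink chain; see my_world_icmpv6
		iifname $buero icmpv6 type { echo-request, echo-reply, destination-unreachable, packet-too-big, time-exceeded, parameter-problem, router-solicitation, router-advertisement, neighbor-solicitation, neighbor-advertisement, 141, 142, 151, 152, 153 } counter accept
		iifname $buero limit rate 3/second counter accept
	}

	# --- kvms ($kvms) ---
	chain my_kvms_tcpv6 {
		# bad tcp -> avoid network scanning: drop segments with no flags set
		#tcp flags & (fin|syn) == (fin|syn) drop
		#tcp flags & (syn|rst) == (syn|rst) drop
		tcp flags & (fin|syn|rst|psh|ack|urg) == 0 drop
		#tcp flags & (fin|syn|rst|psh|ack|urg) == (fin|psh|urg) drop
		# open tcp ports: dns,dhcp,ntp,squid
		iifname $kvms tcp dport { 53,67,68,123,3128 } accept
	}
	chain my_kvms_udpv6 {
		# open udp ports: dns,dhcp,ntp (was `tcp dport`, see my_lan_udpv6)
		iifname $kvms udp dport { 53,67,68,123 } accept
	}
	chain my_kvms_icmpv6 {
		# same type list as the uplink chain; see my_world_icmpv6
		iifname $kvms icmpv6 type { echo-request, echo-reply, destination-unreachable, packet-too-big, time-exceeded, parameter-problem, router-solicitation, router-advertisement, neighbor-solicitation, neighbor-advertisement, 141, 142, 151, 152, 153 } counter accept
		iifname $kvms limit rate 3/second counter accept
	}

	# --- wlan ($wlan) ---
	chain my_wlan_tcpv6 {
		# bad tcp -> avoid network scanning: drop segments with no flags set
		#tcp flags & (fin|syn) == (fin|syn) drop
		#tcp flags & (syn|rst) == (syn|rst) drop
		tcp flags & (fin|syn|rst|psh|ack|urg) == 0 drop
		#tcp flags & (fin|syn|rst|psh|ack|urg) == (fin|psh|urg) drop
		# open tcp ports: dns,dhcp,ntp,squid,tor,sec
		iifname $wlan tcp dport { 53,67,68,123,3128,9061,23235 } accept
	}
	chain my_wlan_udpv6 {
		# open udp ports: dns,dhcp,ntp (was `tcp dport`, see my_lan_udpv6)
		iifname $wlan udp dport { 53,67,68,123 } accept
	}
	chain my_wlan_icmpv6 {
		# same type list as the uplink chain; see my_world_icmpv6
		iifname $wlan icmpv6 type { echo-request, echo-reply, destination-unreachable, packet-too-big, time-exceeded, parameter-problem, router-solicitation, router-advertisement, neighbor-solicitation, neighbor-advertisement, 141, 142, 151, 152, 153 } counter accept
		iifname $wlan limit rate 3/second counter accept
	}

	# --- tun1 (ziont) and hipv6 (TUNB6) ---
	# chain input jumps to these six chains, but they were never defined,
	# which makes nft reject the whole file. They are stubs: nothing is
	# accepted, so traffic from the tunnels still ends in input's drop policy.
	# NOTE(review): fill in once the intended tunnel policy is known (at
	# least packet-too-big on the icmpv6 chains is likely needed for PMTU).
	chain my_ziont_tcpv6 {
	}
	chain my_ziont_udpv6 {
	}
	chain my_ziont_icmpv6 {
	}
	chain my_hipv6_tcpv6 {
	}
	chain my_hipv6_udpv6 {
	}
	chain my_hipv6_icmpv6 {
	}

	# Locally generated traffic is not filtered.
	chain output {
		type filter hook output priority 0; policy accept;
	}

	# Routed traffic: allowed only for the listed interface pairs.
	chain forward {
		type filter hook forward priority 0; policy drop;
		# invalid connections
		ct state invalid drop
		# NOTE(review): with the established/related accept commented out,
		# forwarding is stateless per interface pair; pairs listed in one
		# direction only (lan->buero, lan->kvms, wlan->kvms) get no return
		# traffic. There is also no rule towards $world or hipv6, so no IPv6
		# is forwarded to the internet even though the nat table masquerades
		# on those interfaces — confirm this is intended.
		#ct state {established, related} accept
		iifname $lan oifname $buero accept
		iifname $lan oifname $kvms accept
		iifname $lan oifname $wlan accept
		iifname $lan oifname tun1 accept
		iifname $wlan oifname $lan accept
		iifname $wlan oifname $kvms accept
		iifname $wlan oifname tun1 accept
		iifname tun1 oifname $lan accept
		iifname tun1 oifname $wlan accept
	}
}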
table ip6 nat {
	# Source NAT (NAT66): traffic leaving via the uplink or the hipv6
	# tunnel gets the outgoing interface's address.
	# NOTE(review): -150 is an unusual priority for a postrouting nat
	# chain (srcnat is conventionally 100); it only orders this chain
	# against other postrouting chains, so it is not a defect as such.
	chain postrouting {
		type nat hook postrouting priority -150; policy accept;
		oifname $world masquerade
		oifname hipv6 masquerade
	}
	# No destination NAT rules; the chain is registered so that
	# conntrack nat state is set up for inbound packets too.
	chain prerouting {
		type nat hook prerouting priority -150; policy accept;
	}
}