agares: use as router
This commit is contained in:
parent
572d813eed
commit
b6d36100b7
13 changed files with 640 additions and 76 deletions
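--- a/nixos/agares/rules.nft
+++ b/nixos/agares/rules.nft
@@ -0,0 +1,140 @@
+flush ruleset
+
+define IF_MGMT = "enp1s0"
+define IF_FF = "ff.11"
+define IF_LAN = "lan.10"
+define IF_WAN = "ppp0"
+define IF_SRV = "srv.13"
+
+# Modem uses this for internet uplink via our WAN
+define IF_MODEM = "enp2s0"
+
+define IF_ROADW = "roadwarrior"
+
+table inet filter {
+# Will give "no such file or directory if hardware does not support flow offloading"
+# flowtable f {
+# hook ingress priority 0; devices = { enp1s0, enp2s0 }; flags offload;
+# }
+
+chain input_local {
+ip6 saddr != ::1/128 log prefix "Dropped IPv6 nonlocalhost packet on loopback:" drop
+accept comment "Accept traffic to loopback interface"
+}
+
+chain input_icmp_untrusted {
+# Allow ICMP echo
+ip protocol icmp icmp type { echo-request } limit rate 1000/second burst 5 packets accept comment "Accept echo request"
+
+# Allow some ICMPv6
+icmpv6 type { destination-unreachable, packet-too-big, time-exceeded, echo-request, echo-reply, parameter-problem, mld-listener-query, mld-listener-report, mld-listener-done, mld-listener-reduction, nd-router-solicit, nd-router-advert, nd-neighbor-solicit, nd-neighbor-advert, mld2-listener-report } limit rate 1000/second burst 5 packets accept comment "Allow some ICMPv6"
+}
+
+chain input_modem {
+jump input_icmp_untrusted
+}
+
+chain input_wan {
+# DHCPv6 client
+meta nfproto ipv6 udp sport 547 accept comment "Allow DHCPv6 client"
+
+jump input_icmp_untrusted
+
+udp dport 51234 accept comment "Wireguard roadwarriors"
+}
+
+chain input_lan {
+counter accept comment "Accept all traffic from LAN"
+}
+
+chain input_mgmt {
+counter accept comment "Accept all traffic from MGMT"
+}
+
+chain input_srv {
+counter accept comment "Accept all traffic from services"
+}
+
+chain input_roadw {
+counter accept comment "Accept all traffic from roadwarriors"
+}
+
+chain input_ff {
+jump input_icmp_untrusted
+
+# DHCP
+meta nfproto ipv6 udp dport 547 accept comment "Allow DHCPv6 client"
+
+# Allow DNS and DHCP from Freifunk
+udp dport { 53, 67 } accept comment "Allow DNS and DHCP from Freifunk"
+}
+
+chain input {
+type filter hook input priority filter; policy drop;
+
+ct state {established, related} counter accept comment "Accept packets from established and related connections"
+ct state invalid counter drop comment "Early drop of invalid packets"
+
+iifname vmap { lo : accept, $IF_WAN : jump input_wan, $IF_LAN : jump input_lan, $IF_FF : jump input_ff, $IF_ROADW : jump input_roadw, $IF_MODEM : jump input_modem, $IF_MGMT : jump input_mgmt }
+}
+
+# Only works if hardware flow offloading is available
+# chain offload {
+# type filter hook forward priority -100; policy accept;
+# ip protocol tcp flow add @f
+# counter packets 0 bytes 0
+# }
+
+chain forward {
+type filter hook forward priority filter; policy drop;
+
+# Accept connections tracked by destination NAT
+ct status dnat counter accept comment "Accept connections tracked by DNAT"
+
+# TCP options
+tcp flags syn tcp option maxseg size set rt mtu comment "Remove TCP maximum segment size and set a size based on route information"
+
+# ICMPv6
+icmpv6 type { destination-unreachable, packet-too-big, time-exceeded, echo-request, echo-reply, parameter-problem } limit rate 5/second counter accept comment "Forward up to five ICMP messages of allowed types per second"
+meta l4proto ipv6-icmp accept comment "Forward ICMP in IPv6"
+
+# mgmt <-> *
+iifname { $IF_LAN, $IF_ROADW } oifname $IF_MGMT counter reject comment "Reject traffic from LAN and roadwarrior to MGMT"
+iifname $IF_MGMT oifname { $IF_LAN, $IF_ROADW } counter reject comment "Reject traffic from MGMT to LAN and roadwarrior"
+# drop (instead of reject) everything else to MGMT
+
+# LAN, ROADW -> * (except mgmt)
+iifname { $IF_LAN, $IF_ROADW } counter accept comment "Allow all traffic forwarding from LAN and roadwarrior to all interfaces, except to mgmt"
+
+# FF -> WAN
+iifname $IF_FF oifname $IF_WAN counter accept comment "Allow all traffic forwarding from Freifunk to WAN"
+
+# { WAN, SRV } -> { FF, LAN, RW, SRV }
+iifname { $IF_WAN, $IF_SRV } oifname { $IF_FF, $IF_LAN, $IF_ROADW, $IF_SRV } ct state established,related counter accept comment "Allow established back from WAN and SRV"
+
+# WAN -> SRV
+iifname $IF_WAN oifname $IF_SRV tcp dport ssh accept comment "Allow all SSH traffic forwarding from WAN to services"
+}
+
+chain output {
+type filter hook output priority 100; policy accept;
+}
+}
+
+table ip nat {
+chain prerouting {
+type nat hook prerouting priority dstnat; policy accept;
+}
+
+chain postrouting {
+type nat hook postrouting priority srcnat; policy accept;
+ip saddr { 192.168.96.0/19 } oifname { $IF_WAN } masquerade comment "Masquerade traffic from LANs"
+}
+}
+
+table arp filter {
+chain input {
+type filter hook input priority filter; policy drop;
+iifname { $IF_MGMT, $IF_LAN, $IF_FF, $IF_MODEM } limit rate 1/second burst 2 packets accept comment "Limit number of ARP messages from LAN, FF, MGMT, modem"
+}
+}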
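Review bot: The unconditional `meta l4proto ipv6-icmp accept comment "Forward ICMP in IPv6"` in chain forward makes the rate-limited ICMPv6 rule directly above it ineffective, because any packet of the listed types that exceeds 5/second falls through to this catch-all and is forwarded anyway, and every other ICMPv6 type is forwarded without any limit; either drop the catch-all or narrow it to the specific types that must never be limited. In table arp filter, `$IF_SRV` is absent from the accepted iifname set while `input_srv` accepts all IP traffic, so IPv4 hosts on srv.13 would get no ARP replies from the router unless that VLAN is IPv6-only — worth confirming. In input_wan the DHCPv6 rule matches any UDP datagram with source port 547 whatever its destination port; `meta nfproto ipv6 udp sport 547 udp dport 546 accept comment "Allow DHCPv6 client"` keeps it to replies addressed to the client port. In input_ff the rule is `udp dport 547`, which accepts requests to a DHCPv6 server or relay rather than client replies, so its `# DHCP` comment should say something like `# DHCPv6 server/relay requests from Freifunk` and the rule comment should not read "Allow DHCPv6 client".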