# Start from an empty ruleset on every load so rules from a previous
# generation cannot linger.  NOTE(review): this also wipes tables installed
# by other software on the host (container runtimes, fail2ban/sshguard, ...);
# confirm nothing else on this machine manages nftables before relying on it.
flush ruleset

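table inet firewall {
        # Input path for the router itself.  Anything that matches none of
        # the rules below is dropped by the chain policy.
        chain inbound {
                type filter hook input priority 0;
                policy drop;

                # Replies to connections the router opened, and helper-related
                # flows, are always allowed.
                ct state established,related accept

                # Packets conntrack cannot classify (bad TCP flag combinations,
                # out-of-window segments) are dropped before anything else.
                ct state invalid drop

                # Loopback and the LAN bridge are fully trusted; every rule
                # after this point effectively applies to non-LAN (WAN) input.
                iifname lo accept
                iifname brlan accept

                # IPv6 neighbour discovery must never be rate-limited: dropping
                # NS/NA breaks address resolution on the link, dropping RS/RA
                # breaks SLAAC and the default route.  RFC 4861 requires these
                # messages to arrive with hop limit 255, so anything else is
                # left to the chain policy.  Packet Too Big is likewise exempt
                # from the throttle or path-MTU discovery fails.
                ip6 hoplimit 255 icmpv6 type { nd-router-solicit, nd-router-advert,
                                               nd-neighbor-solicit, nd-neighbor-advert } accept
                icmpv6 type packet-too-big accept

                # All remaining ICMP / IGMP / ICMPv6 is allowed but throttled to
                # blunt ping floods.  Packets over the limit fall through to the
                # chain policy and are dropped.  `meta l4proto` also matches
                # ICMPv6 carried behind IPv6 extension headers, which a plain
                # `ip6 nexthdr` check would miss.
                ip  protocol icmp       limit rate 5/second accept
                ip  protocol igmp       limit rate 5/second accept
                meta l4proto ipv6-icmp  limit rate 5/second accept

                # DHCPv6 replies, required for prefix delegation (dhcp-pd).
                # The client's Solicit goes to a multicast address, so the
                # unicast Reply does not match the established/related rule
                # above and needs its own accept.
                # NOTE(review): an on-link server/relay normally answers from a
                # link-local address; prefixing this rule with
                # `ip6 saddr fe80::/10` would narrow it — confirm against the
                # upstream before adding it.
                udp dport dhcpv6-client accept

                # Services reachable on every non-LAN interface, WAN included.
                tcp dport ssh    accept
                tcp dport http   accept
                tcp dport https  accept
                tcp dport 8443   accept comment "step-ca"
                tcp dport 22000  accept comment "syncthing"
                # NOTE(review): 21027/udp is Syncthing's *local* discovery
                # (LAN broadcast/multicast), which the brlan accept above
                # already covers; exposing it on WAN gains nothing.
                udp dport 21027  accept comment "syncthing"
        }

        # Routed traffic between interfaces.  Default is drop.
        chain forward {
                type filter hook forward priority 0;
                policy drop;

                # Clamp the MSS of forwarded SYNs to the route MTU so links with
                # a reduced MTU (PPPoE, tunnels) do not black-hole large
                # segments.
                tcp flags syn tcp option maxseg size set rt mtu

                ct state established,related accept
                ct state invalid drop

                # LAN clients may forward anywhere.  Everything below only sees
                # traffic that arrived on a non-LAN interface.
                iifname brlan accept

                # Packet Too Big must reach LAN hosts unthrottled or IPv6
                # path-MTU discovery through the router breaks.
                icmpv6 type packet-too-big accept

                # Remaining ICMP / IGMP / ICMPv6 towards the LAN is throttled;
                # excess falls through to the chain policy and is dropped.
                ip  protocol icmp       limit rate 5/second accept
                ip  protocol igmp       limit rate 5/second accept
                meta l4proto ipv6-icmp  limit rate 5/second accept

                # Count and drop incoming NetBIOS/SMB.
                # NOTE(review): as placed, these rules only see non-LAN traffic,
                # which the chain policy drops anyway, so today they act as
                # counters rather than as a filter.  To stop LAN hosts from
                # leaking SMB/NetBIOS (and with it NTLM credentials) to the
                # internet, they would have to sit above `iifname brlan accept`.
                tcp dport {139, 445} counter drop comment "silently drop NetBios"
                udp dport {137, 138} counter drop comment "silently drop NetBios"
        }

        # The router itself may talk to anything.
        chain outbound {
                type filter hook output priority 0
                policy accept
        }
}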

table ip nat {
        # IPv4-only NAT; IPv6 is routed with the delegated prefix and needs
        # none.

        # Destination NAT hook.  Currently holds no rules (no port forwards).
        chain prerouting {
                type nat hook prerouting priority -100
                policy accept
        }

        # Source NAT for the 10/8 LAN.  Priority is one above the standard
        # srcnat value, presumably so this chain runs after any other srcnat
        # chain on the host.
        chain postrouting {
                type nat hook postrouting priority srcnat + 1
                policy accept

                # NOTE(review): not restricted by oifname, so 10/8 traffic
                # leaving via *any* interface (a VPN tunnel, or the LAN bridge
                # itself when routing between subnets) is masqueraded; add
                # `oifname != brlan` or the WAN interface name if that is not
                # intended.
                ip saddr 10.0.0.0/8 masquerade
        }
}