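#!/bin/bash
# Inferencium - ZA-00-00
# nftables - Configuration
# Version: 1.0.0-beta.1
# Copyright 2025 Jake Winters
# SPDX-License-Identifier: BSD-3-Clause
#
# Loads the ZA-00-00 firewall / NAT ruleset and persists it through the
# nftables init script. Must run as root; needs nft(8) and
# /etc/init.d/nftables.
#
# The whole ruleset is handed to "nft -f -" as ONE transaction: nft parses
# and validates every statement first and then either replaces the live
# ruleset completely or leaves it untouched. Issuing "flush ruleset" and
# then hundreds of separate "nft add ..." commands (the previous form of
# this script) left the host with an empty input chain of policy accept
# between the flush and the final drop rule, and a failing command anywhere
# in the sequence left that fail-open state in place until the next run.
set -euo pipefail

# Variable
## nftables path
readonly nft="/usr/sbin/nft"
## Interface
readonly lan=enp16s0
readonly wan=enp41s0
readonly lan_net=10.0.0.0/24
## IP address - LAN
readonly xb_00_01=10.0.0.21
## IP address - WAN
readonly inf=185.241.226.159
## Port
readonly ssh=22
readonly domain=53
readonly domains=853
readonly http=80
readonly https=443
readonly rtmp=1935
readonly xmpp0=3478
readonly xmpp1=5222
readonly xmpp_s2s=5269
readonly xmpp3=5349
readonly xmpp_https=5443
readonly murmur=64738
readonly wg=51820

# The heredoc delimiter is unquoted on purpose so the ${...} variables above
# expand; no backslashes or backticks may appear inside it for that reason.
# Rule order inside each chain is the same as in the previous command-based
# version. Chain policies replace the former trailing "drop"/"accept" rules
# (same steady-state behaviour, but the default-deny is now a property of
# the chain rather than of its last rule).
"${nft}" -f - <<EOF
flush ruleset

table inet table_base {
	chain filter_input {
		type filter hook input priority 0; policy drop;

		# Drop: RFC 1918 source addresses arriving on the WAN side
		iifname ${wan} ip saddr { 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16 } drop
		# Drop: packets conntrack cannot classify
		ct state invalid drop

		# Accept: localhost
		iifname lo ct state new,established,related accept
		# Accept: ICMP
		# NOTE(review): "ip protocol" is IPv4-only, so ICMPv6 (neighbour
		# discovery included) is dropped by the chain policy; confirm this
		# host is IPv4-only.
		ip protocol icmp accept
		# Accept: LAN packets
		iifname ${lan} ip saddr ${lan_net} ct state new,established,related accept
		# Accept: WAN packets belonging to established flows
		iifname ${wan} ct state established,related accept

		# SSH - LAN only
		iifname ${lan} ip protocol tcp tcp dport ${ssh} ct state new accept

		# The service rules below carry no iifname, so the ports are open to
		# the router itself on every interface, WAN included.
		# NOTE(review): confirm that is intended for each service; the NAT
		# chains forward the same ports to ${xb_00_01}, so these input rules
		# only matter for traffic addressed to the router itself.

		# DNS
		ip protocol tcp tcp dport ${domain} ct state new accept
		ip protocol udp udp dport ${domain} ct state new accept
		# DNS Secure
		ip protocol tcp tcp dport ${domains} ct state new accept
		ip protocol udp udp dport ${domains} ct state new accept
		# HTTP
		ip protocol tcp tcp dport ${http} ct state new accept
		ip protocol udp udp dport ${http} ct state new accept
		# HTTPS
		ip protocol tcp tcp dport ${https} ct state new accept
		ip protocol udp udp dport ${https} ct state new accept
		# RTMP
		ip protocol tcp tcp dport ${rtmp} ct state new,established accept
		ip protocol udp udp dport ${rtmp} ct state new,established accept
		# XMPP
		ip protocol tcp tcp dport { ${xmpp1}, ${xmpp_s2s}, ${xmpp_https} } ct state new accept
		ip protocol udp udp dport { ${xmpp0}, ${xmpp1}, ${xmpp_s2s}, ${xmpp3}, ${xmpp_https} } ct state new accept
		# Murmur
		ip protocol tcp tcp dport ${murmur} ct state new accept
		ip protocol udp udp dport ${murmur} ct state new accept
		# WireGuard
		ip protocol udp udp dport ${wg} ct state new accept
	}

	chain filter_forward {
		type filter hook forward priority 0; policy accept;
	}

	chain filter_output {
		type filter hook output priority 0; policy accept;
	}

	# Port forwarding WAN -> ${xb_00_01}. Every rule matches on the WAN
	# address as DESTINATION; the old Murmur and WireGuard rules matched
	# "ip saddr ${inf}" instead (only packets sent by the WAN address itself
	# could ever match) and the WireGuard rule matched tcp although the
	# service and its input rule are UDP, so neither forward ever worked.
	# NOTE(review): Murmur and the XMPP set are accepted on UDP in
	# filter_input but only TCP is forwarded here; confirm whether UDP
	# forwarding is wanted for them.
	chain nat_pre {
		type nat hook prerouting priority 0; policy accept;

		iifname ${wan} ip daddr ${inf} tcp dport ${ssh} dnat to ${xb_00_01}:${ssh}
		iifname ${wan} ip daddr ${inf} tcp dport ${http} dnat to ${xb_00_01}:${http}
		iifname ${wan} ip daddr ${inf} tcp dport ${https} dnat to ${xb_00_01}:${https}
		iifname ${wan} ip daddr ${inf} tcp dport ${rtmp} dnat to ${xb_00_01}:${rtmp}
		iifname ${wan} ip daddr ${inf} tcp dport ${xmpp0} dnat to ${xb_00_01}:${xmpp0}
		iifname ${wan} ip daddr ${inf} tcp dport ${xmpp1} dnat to ${xb_00_01}:${xmpp1}
		iifname ${wan} ip daddr ${inf} tcp dport ${xmpp_s2s} dnat to ${xb_00_01}:${xmpp_s2s}
		iifname ${wan} ip daddr ${inf} tcp dport ${xmpp3} dnat to ${xb_00_01}:${xmpp3}
		iifname ${wan} ip daddr ${inf} tcp dport ${xmpp_https} dnat to ${xb_00_01}:${xmpp_https}
		iifname ${wan} ip daddr ${inf} tcp dport ${murmur} dnat to ${xb_00_01}:${murmur}
		iifname ${wan} ip daddr ${inf} udp dport ${wg} dnat to ${xb_00_01}:${wg}
	}

	# Source NAT ${xb_00_01} -> WAN address, pinning the public source port
	# to the service port; the final rule masquerades the rest of the LAN.
	chain nat_post {
		type nat hook postrouting priority 0; policy accept;

		oifname ${wan} ip saddr ${xb_00_01} tcp sport ${ssh} snat to ${inf}:${ssh}
		oifname ${wan} ip saddr ${xb_00_01} tcp sport ${http} snat to ${inf}:${http}
		oifname ${wan} ip saddr ${xb_00_01} tcp sport ${https} snat to ${inf}:${https}
		oifname ${wan} ip saddr ${xb_00_01} tcp sport ${rtmp} snat to ${inf}:${rtmp}
		oifname ${wan} ip saddr ${xb_00_01} tcp sport ${xmpp0} snat to ${inf}:${xmpp0}
		oifname ${wan} ip saddr ${xb_00_01} tcp sport ${xmpp1} snat to ${inf}:${xmpp1}
		oifname ${wan} ip saddr ${xb_00_01} tcp sport ${xmpp_s2s} snat to ${inf}:${xmpp_s2s}
		oifname ${wan} ip saddr ${xb_00_01} tcp sport ${xmpp3} snat to ${inf}:${xmpp3}
		oifname ${wan} ip saddr ${xb_00_01} tcp sport ${xmpp_https} snat to ${inf}:${xmpp_https}
		oifname ${wan} ip saddr ${xb_00_01} tcp sport ${murmur} snat to ${inf}:${murmur}
		# WireGuard is UDP (was "tcp sport" before, matching nothing)
		oifname ${wan} ip saddr ${xb_00_01} udp sport ${wg} snat to ${inf}:${wg}
		# NAT for the remaining LAN
		oifname ${wan} ip saddr ${lan_net} snat to ${inf}
	}
}
EOF

# Save policy - only reached when the transaction above was accepted, so a
# rejected ruleset is never persisted (set -e aborts before this line).
/etc/init.d/nftables save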