Inferencium/cfg
1
0
Fork 0
Code Issues Activity

add(nft): firewall configuration

Browse Source
This commit is contained in:
inference 2025-07-02 04:01:47 +00:00
parent 1fd8661930
commit 291e929851
Signed by: inference
SSH Key Fingerprint: SHA256:/O3c09/4f1lh4zrhFs2qvQEDda6dZbTwG9xEcj8OfWo
1 changed files with 349 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

349
za-00-00/nftables-rule.sh Normal file
View File

@ -0,0 +1,349 @@
#!/bin/bash
# Inferencium - ZA-00-00
# nftables - Configuration
# Version: 1.0.0
# Copyright 2025 Jake Winters
# SPDX-License-Identifier: BSD-3-Clause
# Variable
## nftables path
nft="/usr/sbin/nft"
## Interface
lan="enp16s0"
wan="enp41s0"
lan_net="10.0.0.0/24"
## IP address - LAN
xb_00_01="10.0.0.21"
## IP address - WAN
inf="185.241.226.159"
## Port
ssh="22"
domain="53"
domains="853"
http="80"
https="443"
rtmp="1935"
xmpp0="3478"
xmpp1="5222"
xmpp_s2s="5269"
xmpp3="5349"
xmpp_https="5443"
murmur="64738"
wg="51820"
${nft} flush ruleset;
${nft} add table inet table_base;
${nft} add chain inet table_base filter_input "{type filter hook input priority 0;}"
${nft} add chain inet table_base filter_forward "{type filter hook forward priority 0;}"
${nft} add chain inet table_base filter_output "{type filter hook output priority 0;}"
${nft} add chain inet table_base nat_pre "{type nat hook prerouting priority 0;}"
${nft} add chain inet table_base nat_post "{type nat hook postrouting priority 0;}"
# Drop
## Drop IP address ranges reserved for LAN
${nft} add rule inet table_base filter_input \
iifname ${wan} \
ip saddr { 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16 } \
drop;
## Drop invalid packets
${nft} add rule inet table_base filter_input \
ct state invalid \
drop;
# Accept
## localhost
${nft} add rule inet table_base filter_input \
iifname lo \
ct state new,established,related \
accept;
## ICMP
${nft} add rule inet table_base filter_input \
ip protocol icmp \
accept;
## LAN packets
${nft} add rule inet table_base filter_input \
iifname ${lan} \
ip saddr ${lan_net} \
ct state new,established,related \
accept;
## WAN packets
${nft} add rule inet table_base filter_input \
iifname ${wan} \
ct state established,related \
accept;
# SSH
${nft} add rule inet table_base filter_input \
iifname ${lan} \
ip protocol tcp \
tcp dport ${ssh} \
ct state new \
accept;
${nft} add rule inet table_base nat_pre \
iifname ${wan} \
ip daddr ${inf} \
tcp dport ${ssh} \
dnat to ${xb_00_01}:${ssh};
${nft} add rule inet table_base nat_post \
oifname ${wan} \
ip saddr ${xb_00_01} \
tcp sport ${ssh} \
snat to ${inf}:${ssh};
# DNS
${nft} add rule inet table_base filter_input \
ip protocol tcp tcp \
dport ${domain} \
ct state new \
accept;
${nft} add rule inet table_base filter_input \
ip protocol udp udp \
dport ${domain} \
ct state new \
accept;
# DNS Secure
${nft} add rule inet table_base filter_input \
ip protocol tcp \
tcp dport ${domains} \
ct state new \
accept;
${nft} add rule inet table_base filter_input \
ip protocol udp \
udp dport ${domains} \
ct state new \
accept;
# HTTP
${nft} add rule inet table_base filter_input \
ip protocol tcp \
tcp dport ${http} \
ct state new \
accept;
${nft} add rule inet table_base filter_input \
ip protocol udp \
udp dport ${http} \
ct state new \
accept;
${nft} add rule inet table_base nat_pre \
iifname ${wan} \
ip daddr ${inf} \
tcp dport ${http} \
dnat to ${xb_00_01}:${http};
${nft} add rule inet table_base nat_post \
oifname ${wan} \
ip saddr ${xb_00_01} \
tcp sport ${http} \
snat to ${inf}:${http};
# HTTPS
${nft} add rule inet table_base filter_input \
ip protocol tcp \
tcp dport ${https} \
ct state new \
accept;
${nft} add rule inet table_base filter_input \
ip protocol udp \
udp dport ${https} \
ct state new \
accept;
${nft} add rule inet table_base nat_pre \
iifname ${wan} \
ip daddr ${inf} \
tcp dport ${https} \
dnat to ${xb_00_01}:${https};
${nft} add rule inet table_base nat_post \
oifname ${wan} \
ip saddr ${xb_00_01} \
tcp sport ${https} \
snat to ${inf}:${https};
# RTMP
${nft} add rule inet table_base filter_input \
ip protocol tcp \
tcp dport ${rtmp} \
ct state new,established \
accept;
${nft} add rule inet table_base filter_input \
ip protocol udp \
udp dport ${rtmp} \
ct state new,established \
accept;
${nft} add rule inet table_base nat_pre \
iifname ${wan} \
ip daddr ${inf} \
tcp dport ${rtmp} \
dnat to ${xb_00_01}:${rtmp};
${nft} add rule inet table_base nat_post \
oifname ${wan} \
ip saddr ${xb_00_01} \
tcp sport ${rtmp} \
snat to ${inf}:${rtmp};
# XMPP
${nft} add rule inet table_base filter_input \
ip protocol tcp \
tcp dport { ${xmpp1}, ${xmpp_s2s}, ${xmpp_https} } \
ct state new \
accept;
${nft} add rule inet table_base filter_input \
ip protocol udp \
udp dport { ${xmpp0}, ${xmpp1}, ${xmpp_s2s}, ${xmpp3}, ${xmpp_https} } \
ct state new \
accept;
${nft} add rule inet table_base nat_pre \
iifname ${wan} \
ip daddr ${inf} \
tcp dport ${xmpp0} \
dnat to ${xb_00_01}:${xmpp0};
${nft} add rule inet table_base nat_pre \
iifname ${wan} \
ip daddr ${inf} \
tcp dport ${xmpp1} \
dnat to ${xb_00_01}:${xmpp1};
${nft} add rule inet table_base nat_pre \
iifname ${wan} \
ip daddr ${inf} \
tcp dport ${xmpp_s2s} \
dnat to ${xb_00_01}:${xmpp_s2s};
${nft} add rule inet table_base nat_pre \
iifname ${wan} \
ip daddr ${inf} \
tcp dport ${xmpp3} \
dnat to ${xb_00_01}:${xmpp3};
${nft} add rule inet table_base nat_pre \
iifname ${wan} \
ip daddr ${inf} \
tcp dport ${xmpp_https} \
dnat to ${xb_00_01}:${xmpp_https};
${nft} add rule inet table_base nat_post \
oifname ${wan} \
ip saddr ${xb_00_01} \
tcp sport ${xmpp0} \
snat to ${inf}:${xmpp0};
${nft} add rule inet table_base nat_post \
oifname ${wan} \
ip saddr ${xb_00_01} \
tcp sport ${xmpp1} \
snat to ${inf}:${xmpp1};
${nft} add rule inet table_base nat_post \
oifname ${wan} \
ip saddr ${xb_00_01} \
tcp sport ${xmpp_s2s} \
snat to ${inf}:${xmpp_s2s};
${nft} add rule inet table_base nat_post \
oifname ${wan} \
ip saddr ${xb_00_01} \
tcp sport ${xmpp3} \
snat to ${inf}:${xmpp3};
${nft} add rule inet table_base nat_post \
oifname ${wan} \
ip saddr ${xb_00_01} \
tcp sport ${xmpp_https} \
snat to ${inf}:${xmpp_https};
# Murmur
${nft} add rule inet table_base filter_input \
ip protocol tcp \
tcp dport ${murmur} \
ct state new \
accept;
${nft} add rule inet table_base filter_input \
ip protocol udp \
udp dport ${murmur} \
ct state new \
accept;
${nft} add rule inet table_base nat_pre \
iifname ${wan} \
ip saddr ${inf} \
tcp dport ${murmur} \
dnat to ${xb_00_01}:${murmur};
${nft} add rule inet table_base nat_post \
oifname ${wan} \
ip saddr ${xb_00_01} \
tcp sport ${murmur} \
snat to ${inf}:${murmur};
# WireGuard
${nft} add rule inet table_base filter_input \
ip protocol udp \
udp dport ${wg} \
ct state new \
accept;
${nft} add rule inet table_base nat_pre \
iifname ${wan} \
ip saddr ${inf} \
tcp dport ${wg} \
dnat to ${xb_00_01}:${wg};
${nft} add rule inet table_base nat_post \
oifname ${wan} \
ip saddr ${xb_00_01} \
tcp sport ${wg} \
snat to ${inf}:${wg};
# NAT
${nft} add rule inet table_base nat_post \
oifname ${wan} \
ip saddr ${lan_net} \
snat to ${inf}
# Default policy
${nft} add rule inet table_base filter_input drop;
${nft} add rule inet table_base filter_forward accept;
${nft} add rule inet table_base filter_output accept;
# Save policy
/etc/init.d/nftables save;