Clark's Home page

Assorted technicalities of a Linux sysadmin, but also something about his life

Ale.nft

This is the actual script that contains all the firewall rules; it is invoked by ale401.sh.

N.B.

There are NO line breaks: each rule is a single line. The line breaks shown here come from the text formatting.

N.M.B.
To be able to use the inet family for nat it is obligatory, mandatory, necessary (and keep going until exhaustion) to run a kernel >= 5.2.
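A check that goes with this note, written here as an added example and not taken from the post or from ale401.sh: the loader refuses to apply a ruleset that puts NAT chains in the inet family when the running kernel is older than 5.2, and runs `nft -c -f` (check only, no changes to the live ruleset) before the real load. The ruleset path is an assumption; the post only names the files Ale.nft and ale401.sh.

```shell
#!/bin/sh
# Added example, not part of Ale.nft or ale401.sh.
# Guard the load of an nftables file that uses "inet" NAT chains, which the
# kernel only accepts from 5.2 onward, and syntax-check it before applying.

RULESET="${RULESET:-/usr/local/bin/Ale.nft}"   # assumed location, not from the post
MIN_MAJOR=5
MIN_MINOR=2

# version_ok "5.10.0-8-amd64" -> returns 0 (true) when the version is >= 5.2,
# 1 otherwise. Only the major and minor fields are compared; the distro
# suffix after the first "-" is ignored.
version_ok() {
    v="${1%%-*}"                   # "5.10.0-8-amd64" -> "5.10.0"
    major="${v%%.*}"               # "5"
    rest="${v#*.}"                 # "10.0"  (or "5" again if there is no dot)
    minor="${rest%%.*}"            # "10"
    [ "$rest" = "$v" ] && minor=0  # a bare "5" has no minor field
    [ "$major" -gt "$MIN_MAJOR" ] && return 0
    [ "$major" -eq "$MIN_MAJOR" ] && [ "$minor" -ge "$MIN_MINOR" ] && return 0
    return 1
}

# load_ruleset: kernel check, then dry run, then the real load.
load_ruleset() {
    running="$(uname -r)"
    if ! version_ok "$running"; then
        echo "kernel $running is older than ${MIN_MAJOR}.${MIN_MINOR}: inet nat chains would be rejected" >&2
        return 2
    fi
    # -c parses and validates the file without touching the live ruleset
    if ! nft -c -f "$RULESET"; then
        echo "syntax error in $RULESET, nothing applied" >&2
        return 3
    fi
    nft -f "$RULESET"
}

# Only apply when explicitly asked, so this file can also be sourced for its functions.
if [ "${1:-}" = "apply" ]; then
    load_ruleset
fi
```

Run it as `sh loader.sh apply` from the same place ale401.sh would call it; without the argument it only defines the functions, which is what makes the version check testable on a machine that has no nft installed.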

#!/usr/sbin/nft -f

### In theory the nftables shebang is not needed, since the file is invoked from the
### bash script, but I preferred to keep it anyway in case I ever use another method to
### launch it in the future.

include "/usr/local/bin/vars"
include "/usr/local/bin/definitions"
flush ruleset

add table netdev noddos
add table inet firewall
add table inet fw-nat
add table inet fail2ban
### ingress hook on eth0 runs before conntrack, so junk is dropped cheaply
add chain netdev noddos INGRESS { type filter hook ingress device eth0 priority -500; }
add chain inet firewall INPUT { type filter hook input priority 0; policy drop; }
add chain inet firewall FORWARD { type filter hook forward priority 0; policy drop; }
add chain inet firewall OUTPUT { type filter hook output priority 0; policy drop; }
### second forward chain (priority 10) only hands the surviving packets to the IPS queue
add chain inet firewall IPS { type filter hook forward priority 10; }
### https://wiki.meurisse.org/wiki/Fail2Ban
### fail2ban fills this chain itself; it is left empty here
add chain inet fail2ban input { type filter hook input priority 100; }
add chain inet fw-nat PREROUTING { type nat hook prerouting priority -100; }
add chain inet fw-nat POSTROUTING { type nat hook postrouting priority 100; }

### non-initial fragments, then TCP flag combinations no legitimate stack sends
add rule netdev noddos INGRESS ip frag-off & 0x1fff != 0 counter drop
### xmas scan: FIN+PSH+URG only
add rule netdev noddos INGRESS tcp flags & (fin|syn|rst|psh|ack|urg) == fin|psh|urg counter drop
### all six flags set
add rule netdev noddos INGRESS tcp flags & (fin|syn|rst|psh|ack|urg) == fin|syn|rst|psh|ack|urg counter drop
### null scan: no flags at all
add rule netdev noddos INGRESS tcp flags & (fin|syn|rst|psh|ack|urg) == 0x0 counter drop
### the next two rules repeat the xmas and all-flags rules above, so they never count anything
add rule netdev noddos INGRESS tcp flags & (fin|syn|rst|psh|ack|urg) == fin|psh|urg counter drop
add rule netdev noddos INGRESS tcp flags & (fin|syn|rst|psh|ack|urg) == fin|syn|rst|psh|ack|urg counter drop
### SYN together with RST, SYN together with FIN
add rule netdev noddos INGRESS tcp flags & (syn|rst) == syn|rst counter drop
add rule netdev noddos INGRESS tcp flags & (fin|syn) == fin|syn counter drop
### FIN without ACK
add rule netdev noddos INGRESS tcp flags & (fin|ack) == fin counter drop
### all flags except PSH: already matched by the SYN+RST rule above, so this one is never reached
add rule netdev noddos INGRESS tcp flags & (fin|syn|rst|psh|ack|urg) == fin|syn|rst|ack|urg counter drop
### SYN advertising an MSS of 536 bytes or less
add rule netdev noddos INGRESS tcp flags syn tcp option maxseg size 1-536 counter drop
### trusted sources are accepted right away, reserved/bogon sources are dropped
add rule netdev noddos INGRESS iif $EXTIF ip saddr {$GOOD_BOYS} counter accept
add rule netdev noddos INGRESS iif $EXTIF ip saddr {$RESERVED_NET} counter drop

### a new flow must begin with a bare SYN (of FIN/SYN/RST/ACK only SYN set)
add rule inet fw-nat PREROUTING tcp flags & (fin|syn|rst|ack) != syn ct state new  counter drop
add rule inet fw-nat PREROUTING ct state invalid counter drop
### forward the VPN ports arriving on the public VPN address to the internal host $CHIMERA
add rule inet fw-nat PREROUTING iif $EXTIF ip daddr $VPNIP tcp dport { 775, 1194 } counter dnat to $CHIMERA

add rule inet firewall INPUT ct state { established, related } counter accept
add rule inet firewall INPUT ct state invalid  counter drop
add rule inet firewall INPUT iif $LO accept
###ssh
add rule inet firewall INPUT tcp dport 1922 ct state new counter accept
###heartbeat
add rule inet firewall INPUT ip saddr $SANGIORGIO udp dport 694 ct state new counter accept
### ping from the LAN only, rate limited
add rule inet firewall INPUT ip saddr $LAN icmp type echo-request limit rate 1/second counter accept
### log everything else before the drop (the chain policy would drop it anyway)
add rule inet firewall INPUT log prefix "[nftables] Input Denied: " flags all counter drop

add rule inet firewall FORWARD ct state { established, related } counter accept
add rule inet firewall FORWARD ct state invalid counter drop
### ping in both directions between the LAN and the outside
add rule inet firewall FORWARD iif $INTIF oif $EXTIF ip saddr $LAN icmp type echo-request counter accept
add rule inet firewall FORWARD iif $EXTIF  oif $INTIF ip daddr $LAN icmp type echo-request counter accept
###VPN
### the flows DNATed in PREROUTING still have to be allowed through FORWARD
add rule inet firewall FORWARD iif $EXTIF oif $INTIF ip daddr $CHIMERA tcp dport { 775, 1194 } ct state new counter accept
### LAN -> Internet may open new connections, the reverse direction only gets replies
add rule inet firewall FORWARD iif $INTIF oif $EXTIF ct state { new, established, related } counter accept
add rule inet firewall FORWARD iif $EXTIF oif $INTIF ct state { established, related } counter accept
### every forwarded packet that survives FORWARD is handed to nfqueue 0 for the IPS
add rule inet firewall IPS queue num 0
add rule inet firewall FORWARD iif $EXTIF oif $INTIF counter drop
add rule inet firewall OUTPUT ct state { new, established, related } counter accept
add rule inet firewall OUTPUT ct state invalid drop
### loopback: on the output hook only oif is meaningful, iif never matches there
add rule inet firewall OUTPUT oif $LO accept
add rule inet fw-nat POSTROUTING ct state invalid counter drop
add rule inet fw-nat POSTROUTING masquerade
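The tcp flags rules in the noddos INGRESS chain and the PREROUTING "a new flow must be a bare SYN" rule are plain bitmask tests. The shell below, an added example that is not part of Ale.nft, applies the same masks to a TCP flag byte so each combination can be read as "which rule catches it", in the same order as the ruleset. The bit values are the ones from the TCP header; the rule nicknames are my own and not from the post.

```shell
#!/bin/sh
# Added example, not part of Ale.nft: evaluate a TCP flag byte against the same
# masks the noddos INGRESS rules use, in the same order, and against the
# PREROUTING new-connection test. Bit values as in the TCP header flag byte.
FIN=1; SYN=2; RST=4; PSH=8; ACK=16; URG=32
ALL6=$((FIN|SYN|RST|PSH|ACK|URG))

# noddos_verdict FLAGS -> prints the nickname of the first matching drop rule
# and returns 0 (the segment is dropped); prints "pass" and returns 1 otherwise.
noddos_verdict() {
    f=$1
    if [ $((f & ALL6)) -eq $((FIN|PSH|URG)) ]; then
        echo "xmas"; return 0
    elif [ $((f & ALL6)) -eq $ALL6 ]; then
        echo "all-flags"; return 0
    elif [ $((f & ALL6)) -eq 0 ]; then
        echo "null"; return 0
    elif [ $((f & (SYN|RST))) -eq $((SYN|RST)) ]; then
        echo "syn+rst"; return 0
    elif [ $((f & (FIN|SYN))) -eq $((FIN|SYN)) ]; then
        echo "syn+fin"; return 0
    elif [ $((f & (FIN|ACK))) -eq $FIN ]; then
        echo "fin-without-ack"; return 0
    elif [ $((f & ALL6)) -eq $((FIN|SYN|RST|ACK|URG)) ]; then
        # unreachable: any byte with SYN and RST set was already caught above,
        # exactly as the corresponding rule in the ruleset is never reached
        echo "all-but-psh"; return 0
    fi
    echo "pass"; return 1
}

# new_conn_ok FLAGS -> 0 when, of FIN/SYN/RST/ACK, only SYN is set, i.e. the
# segment is allowed to open a flow by the PREROUTING rule; 1 otherwise.
new_conn_ok() {
    [ $(($1 & (FIN|SYN|RST|ACK))) -eq $SYN ]
}

# Walk a few constructed flag bytes when run directly.
if [ "${1:-}" = "demo" ]; then
    for flags in $((FIN|PSH|URG)) 0 $((SYN|RST)) $FIN $SYN $((ACK|PSH)) $((SYN|ACK)); do
        printf 'flags=%2d ingress=%-15s new-flow-ok=%s\n' "$flags" \
            "$(noddos_verdict "$flags")" \
            "$(new_conn_ok "$flags" && echo yes || echo no)"
    done
fi
```

Run with `sh flags.sh demo` to print the table; a plain SYN passes the ingress chain and may open a flow, while SYN+ACK passes ingress but is refused as the first packet of a new flow, which is the conntrack-assisted check the PREROUTING rule adds on top of the stateless flag rules.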


Categorised as: firewall | Linux | Networking | Work
