{"id":1808,"date":"2020-09-23T13:15:47","date_gmt":"2020-09-23T11:15:47","guid":{"rendered":"http:\/\/clark.tipistrani.it\/?p=1808"},"modified":"2023-06-22T15:46:44","modified_gmt":"2023-06-22T13:46:44","slug":"ale-nft","status":"publish","type":"post","link":"http:\/\/clark.tipistrani.it\/?p=1808","title":{"rendered":"Ale.nft"},"content":{"rendered":"

Questo \u00e8 lo script vero e proprio che contiene tutte le regole del firewall e che viene invocato da ale401.sh<\/p>\n

N.B.<\/p>\n

NON ci sono a capo ogni riga \u00e8 unica gli a capo qui sono dati dalla formattazione del testo.<\/p>\n

N.M.B.
\nper poter usare la famiglia inet su nat \u00e8 obbligatorio, mandatorio, necessario e continuate sino allo sfinimento usare un kernel >= di 5.2<\/p>\n

#!\/usr\/sbin\/nft -f<\/p>\n

### in teoria lo shebang di nftables non servirebbe visto che viene invocato dallo script ###bash pero’ ho preferito metterlo comunque se mai dovessi usare un altro metodo per ###lanciarlo in futuro.<\/p>\n

include “\/usr\/local\/bin\/vars”
\ninclude “\/usr\/local\/bin\/definitions”
\nflush ruleset<\/p>\n

add table netdev noddos
\nadd table inet firewall
\nadd table inet fw-nat
\nadd table inet fail2ban
\nadd chain netdev noddos INGRESS { type filter hook ingress device eth0 priority -500; }
\nadd chain inet firewall INPUT { type filter hook input priority 0; policy drop; }
\nadd chain inet firewall FORWARD { type filter hook forward priority 0; policy drop; }
\nadd chain inet firewall OUTPUT { type filter hook output priority 0; policy drop; }
\nadd chain inet firewall IPS { type filter hook forward priority 10; }
\n### https:\/\/wiki.meurisse.org\/wiki\/Fail2Ban
\nadd chain inet fail2ban input { type filter hook input priority 100; }
\nadd chain inet fw-nat PREROUTING { type nat hook prerouting priority -100; }
\nadd chain inet fw-nat POSTROUTING { type nat hook postrouting priority 100; }<\/p>\n

add rule netdev noddos INGRESS ip frag-off & 0x1fff != 0 counter drop
\nadd rule netdev noddos INGRESS tcp flags & (fin|syn|rst|psh|ack|urg) == fin|psh|urg counter drop
\nadd rule netdev noddos INGRESS tcp flags & (fin|syn|rst|psh|ack|urg) == fin|syn|rst|psh|ack|urg counter drop
\nadd rule netdev noddos INGRESS tcp flags & (fin|syn|rst|psh|ack|urg) == 0x0 counter drop
\nadd rule netdev noddos INGRESS tcp flags & (fin|syn|rst|psh|ack|urg) == fin|psh|urg counter drop
\nadd rule netdev noddos INGRESS tcp flags & (fin|syn|rst|psh|ack|urg) == fin|syn|rst|psh|ack|urg counter drop
\nadd rule netdev noddos INGRESS tcp flags & (syn|rst) == syn|rst counter drop
\nadd rule netdev noddos INGRESS tcp flags & (fin|syn) == fin|syn counter drop
\nadd rule netdev noddos INGRESS tcp flags & (fin|ack) == fin counter drop
\nadd rule netdev noddos INGRESS tcp flags & (fin|syn|rst|psh|ack|urg) == fin|syn|rst|ack|urg counter drop
\nadd rule netdev noddos INGRESS tcp flags syn tcp option maxseg size 1-536 counter drop
\nadd rule netdev noddos INGRESS iif $EXTIF ip saddr {$GOOD_BOYS} counter accept
\nadd rule netdev noddos INGRESS iif $EXTIF ip saddr {$RESERVED_NET} counter drop<\/p>\n

add rule inet fw-nat PREROUTING tcp flags & (fin|syn|rst|ack) != syn ct state new \u00a0counter drop
\nadd rule inet fw-nat PREROUTING ct state invalid counter drop
\nadd rule inet fw-nat PREROUTING iif $EXTIF ip daddr $VPNIP tcp dport { 775, 1194 } counter dnat to $CHIMERA<\/p>\n

add rule inet firewall INPUT ct state { established, related } counter accept
\nadd rule inet firewall INPUT ct state invalid \u00a0counter drop
\nadd rule inet firewall INPUT iif $LO accept
\n###ssh
\nadd rule inet firewall INPUT tcp dport 1922 ct state new counter accept
\n###heartbeat
\nadd rule inet firewall INPUT ip saddr $SANGIORGIO udp dport 694 ct state new counter accept
\nadd rule inet firewall INPUT ip saddr $LAN icmp type echo-request limit rate 1\/second counter accept
\nadd rule inet firewall INPUT log prefix “[nftables] Input Denied: ” flags all counter drop<\/p>\n

add rule inet firewall FORWARD ct state { established, related } counter accept
\nadd rule inet firewall FORWARD ct state invalid counter drop
\nadd rule inet firewall FORWARD iif $INTIF oif $EXTIF ip saddr $LAN icmp type echo-request counter accept
\nadd rule inet firewall FORWARD iif $EXTIF \u00a0oif $INTIF ip daddr $LAN icmp type echo-request counter accept
\n###VPN
\nadd rule inet firewall FORWARD iif $EXTIF oif $INTIF ip daddr $CHIMERA tcp dport { 775, 1194 } ct state new counter accept
\nadd rule inet firewall FORWARD iif $INTIF oif $EXTIF ct state { new, established, related } counter accept
\nadd rule inet firewall FORWARD iif $EXTIF oif $INTIF ct state { established, related } counter accept
\nadd rule inet firewall IPS queue num 0
\nadd rule inet firewall FORWARD iif $EXTIF oif $INTIF counter drop
\nadd rule inet firewall OUTPUT ct state { new, established, related } counter accept
\nadd rule inet firewall OUTPUT ct state invalid drop
\nadd rule inet firewall OUTPUT iif $LO accept
\nadd rule inet fw-nat POSTROUTING ct state invalid counter drop
\nadd rule inet fw-nat POSTROUTING masquerade<\/p>\n

 <\/p>\n

 <\/p>\n

 <\/p>\n

 <\/p>\n","protected":false},"excerpt":{"rendered":"

Questo \u00e8 lo script vero e proprio che contiene tutte le regole del firewall e che viene invocato da ale401.sh N.B. NON ci sono a capo ogni riga \u00e8 unica gli a capo qui sono dati dalla formattazione del testo. N.M.B. per poter usare la famiglia inet su nat \u00e8 obbligatorio, mandatorio, necessario e continuate […]<\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[109,8,14,6],"tags":[188,180,108,189,25,187],"class_list":["post-1808","post","type-post","status-publish","format-standard","hentry","category-firewall","category-linux","category-networking","category-work","tag-chains","tag-nftables","tag-packet-filtering","tag-rules","tag-script-2","tag-tables"],"_links":{"self":[{"href":"http:\/\/clark.tipistrani.it\/index.php?rest_route=\/wp\/v2\/posts\/1808","targetHints":{"allow":["GET"]}}],"collection":[{"href":"http:\/\/clark.tipistrani.it\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/clark.tipistrani.it\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/clark.tipistrani.it\/index.php?rest_route=\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"http:\/\/clark.tipistrani.it\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=1808"}],"version-history":[{"count":13,"href":"http:\/\/clark.tipistrani.it\/index.php?rest_route=\/wp\/v2\/posts\/1808\/revisions"}],"predecessor-version":[{"id":2431,"href":"http:\/\/clark.tipistrani.it\/index.php?rest_route=\/wp\/v2\/posts\/1808\/revisions\/2431"}],"wp:attachment":[{"href":"http:\/\/clark.tipistrani.it\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=1808"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/clark.tipistrani.it\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=1808"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/clark.tipistrani.it\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=1808"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}