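#!/usr/bin/env bash
# Install a default-deny nftables ruleset.
#
# Usage:   sudo ./nftables.sh
# Env:     NFTABLES_CONF  - destination path (default: /etc/nftables.conf)
#
# Behaviour:
#   1. Refuses to run unless root (the destination lives under /etc).
#   2. Moves an existing config aside to a timestamped .bak instead of deleting it,
#      so a working ruleset can be restored if the new one misbehaves.
#   3. Writes the ruleset, restricts its mode, then syntax-checks it with
#      `nft --check` (parse only, does not touch the live ruleset) when nft is present.
set -o errexit -o noclobber -o nounset -o pipefail

readonly conf="${NFTABLES_CONF:-/etc/nftables.conf}"

# Print a diagnostic to stderr and abort.
die() {
  printf 'error: %s\n' "$*" >&2
  exit 1
}

(( EUID == 0 )) || die "must run as root to write ${conf}"

# Preserve any previous ruleset; noclobber would otherwise refuse the redirect below.
backup=''
if [[ -e "$conf" ]]; then
  backup="${conf}.$(date +%Y%m%d%H%M%S).bak"
  mv --verbose -- "$conf" "$backup"
fi

# NOTE(review): the commented example set below lists 192.168.300.123/32, which is not a
# valid IPv4 address; correct it before uncommenting that set.
# The quoted delimiter keeps the heredoc literal (no shell expansion of the nft syntax).
cat << 'EONFT' > "$conf"
#!/usr/bin/env nft -f
#╔═════════════════════════════════════════════════════╗
#║ Diagram of Netfilter Hook Locations ║
#║ ‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾ ║
#║ Local Process ║
#║ ▲ ▼ ║
#║ Input Output ║
#║ ▲ ▼ ║
#║ Net─►Prerouting─►Routing─►Forward─►Postrouting─►Net ║
#╚═════════════════════════════════════════════════════╝
# Clear all rules.
flush ruleset
# Create an IPv4+IPv6 table called "firewall"
table inet firewall {
# Define interval sets
# set input_allowed_source_addrs {
# type ipv4_addr
# flags interval
# elements = {
# 192.168.200.0/24,
# 192.168.300.123/32
# }
# }
#
# set input_allowed_source_6addrs {
# type ipv6_addr
# flags interval
# elements = {
# fdab:cdef:abcd::/64,
# fdab:cdef:abcd:1::/64
# }
# }
#
# set input_allowed_destination_ports {
# type inet_service
# flags interval
# elements = {
# 1234,
# 2345
# }
# }
# Create base chain called "fw_input". This is a base chain because it has a type, hook, and priority.
chain fw_input {
# Designates this chain as a type:filter with a hook:input.
# The priority determines when the hook is activated. The priority can be negative, but should be kept at the value "filter".
# The policy drops all packets not accepted by this chain ruleset.
type filter hook input priority filter
policy drop
# Note: For optimal performance, accept the most common traffic earlier.
# Conntrack: Accept packets that have an established or related state. Very common.
ct state established,related accept
# Accept loopback packets. Use iifname for interfaces that may change.
iif lo accept
# Example: Accept private ips for SSH
# ip saddr {10.0.0.0/8,172.16.0.0/12,192.168.0.0/16} tcp dport ssh accept
# ip6 saddr fc00::/7 tcp dport ssh accept
# Example: Accept private ips for DNS
# ip saddr {10.0.0.0/8,172.16.0.0/12,192.168.0.0/16} udp dport 53 accept
# ip6 saddr fc00::/7 udp dport 53 accept
# ip6 saddr @input_allowed_source_addrs tcp dport @input_allowed_destination_ports accept
# ip6 saddr @input_allowed_source_addrs udp dport @input_allowed_destination_ports accept
# ip6 saddr @input_allowed_source_6addrs tcp dport @input_allowed_destination_ports accept
# ip6 saddr @input_allowed_source_6addrs udp dport @input_allowed_destination_ports accept
# Accept pings at a limited rate.
icmp type echo-request limit rate 5/second accept
# Accept ipv6 pings at a limited rate.
icmpv6 type echo-request limit rate 5/second accept
# IPv6 neighbor discovery works over ICMPv6
icmpv6 type {nd-neighbor-solicit,nd-router-advert,nd-neighbor-advert} accept
# Conntrack: Drop packets with an invalid state. Uncommon.
ct state invalid drop
# Log dropped packets
# log prefix "[nftables] Dropped by firewall: "
# counter
}
chain fw_preroute {
type nat hook prerouting priority filter
policy accept
}
chain fw_forward {
type filter hook forward priority filter
# No ip forwarding
policy drop
}
# Egress safelisting
# set output_allow_dest_addrs {
# type ipv4_addr
# flags interval
# elements = {
# 192.168.0.0/24,
# 10.0.0.0/8
# }
# }
# set output_allow_dest_6addrs {
# type ipv6_addr
# flags interval
# elements = {
# }
# }
# chain fw_output {
# type filter hook output priority filter
# policy drop
# ip daddr @output_allow_dest_addrs accept
# ip6 daddr @output_allow_dest_6addrs accept
# log prefix "[nftables] Dropped by firewall whitelist: " counter drop
# }
# Egress blocklisting
# nft add rule inet firewall fw_output ip daddr 192.168.2.0/32 drop
# chain fw_output {
# type filter hook output priority filter
# policy accept
# }
}
EONFT
printf 'Wrote %s\n' "$conf"

# Only root needs to read (or execute) the ruleset file.
chmod --changes 700 -- "$conf"

# Parse-only validation: catches typos before a service restart would leave the
# host without its intended firewall. A failure keeps the backup in place for recovery.
if command -v nft >/dev/null 2>&1; then
  nft --check --file "$conf" \
    || die "ruleset failed syntax check; previous config is at ${backup:-(none)}"
  printf 'Ruleset passed nft --check\n'
else
  printf 'warning: nft not found; ruleset was not syntax-checked\n' >&2
fi

printf '%s\n' 'Make sure to disable, stop, and flush iptables; and enable and restart nftables'
printf '%s\n' 'Confirm ruleset is active with: nft list ruleset'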