From: Antonio Ospite Date: Fri, 20 Apr 2018 08:47:56 +0000 (+0200) Subject: Initial import X-Git-Url: https://git.ao2.it/config/nftables.git/commitdiff_plain/4fda8eab6d828b61ca4753cb2bc0c232578ffb90?ds=inline Initial import --- 4fda8eab6d828b61ca4753cb2bc0c232578ffb90 diff --git a/nftables-workstation.nft b/nftables-workstation.nft new file mode 100644 index 0000000..3f1f446 --- /dev/null +++ b/nftables-workstation.nft @@ -0,0 +1,134 @@ +#!/usr/sbin/nft -f +# +# nftables ruleset for an End Node acting as a workstation in a LAN. +# +# Copyright (C) 2018 Antonio Ospite +# SPDX-License-Identifier: MIT +# +# Based on: +# https://wiki.nftables.org/wiki-nftables/index.php/Quick_reference-nftables_in_10_minutes#Simple_IP.2FIPv6_Firewall +# https://wiki.archlinux.org/index.php/Nftables#Workstation +# https://stosb.com/blog/explaining-my-configs-nftables/ + +flush ruleset + +table inet filter { + + define common_open_ports = { + xmpp-client, + xmpp-server, + 5298, # Link-local XMPP, for backward compatibility, XEP-0174 + } + + set tcp_open_ports { + type inet_service + flags interval + + elements = { + $common_open_ports, + } + } + + set udp_open_ports { + type inet_service + flags interval + + elements = { + $common_open_ports, + } + } + + chain input { + type filter hook input priority 0; + + ct state established,related accept + ct state invalid drop + ct state new jump in-new + + iif lo accept + + ip protocol icmp icmp type { + echo-reply, + echo-request, + time-exceeded, + parameter-problem, + destination-unreachable + } accept + + # ICMPv6 configuration based on: + # https://github.com/intel/intel-iot-refkit/blob/master/meta-refkit-core/recipes-security/nftables-settings-default/files/firewall.template + ip6 nexthdr ipv6-icmp icmpv6 type { + echo-reply, + echo-request, + time-exceeded, + parameter-problem, + destination-unreachable, + packet-too-big + } accept + + # Allow auto configuration support. + ip6 nexthdr ipv6-icmp icmpv6 type { + nd-router-advert, + nd-router-solicit, + nd-neighbor-advert, + nd-neighbor-solicit + } ip6 hoplimit 255 accept + + # Allow multicast listener discovery on link-local addresses. + ip6 nexthdr ipv6-icmp icmpv6 type { + mld-listener-query, + mld-listener-report, + mld-listener-reduction + } ip6 saddr fe80::/10 accept + + # Allow multicast router discovery messages on link-local addresses (hop limit 1). + ip6 nexthdr ipv6-icmp icmpv6 type { + nd-router-advert, + nd-router-solicit + } ip6 hoplimit 1 ip6 saddr fe80::/10 accept + + # Allow IGMPv3 queries. + ip protocol igmp ip daddr 224.0.0.1 accept + + # Silently drop other incoming broadcast and multicast traffic. + meta pkttype {broadcast, multicast} drop + + limit rate 3/minute burst 10 packets log prefix "[INPUT]: " + counter reject + } + + chain in-new { + # Silently drop DHCPv4 Discover and Request packets from other clients. + ip saddr 0.0.0.0 ip daddr 255.255.255.255 udp sport bootpc udp dport bootps drop + + # Silently drop DHCPv6 from other clients. + ip6 saddr fe80::/64 ip6 daddr fe80::/64 udp sport dhcpv6-client udp dport dhcpv6-server drop + + # mDNS (ZeroConf/Bonjour) + ip daddr 224.0.0.251 udp dport mdns accept + ip6 daddr ff02::fb udp dport mdns accept + + # SSDP: https://en.wikipedia.org/wiki/Simple_Service_Discovery_Protocol + ip daddr 239.255.255.250 udp dport 1900 accept + ip6 daddr { + ff02::c, + ff05::c, + ff08::c, + ff0e::c + } udp dport 1900 accept + + tcp dport @tcp_open_ports tcp flags & (fin | syn | rst | ack) == syn accept + udp dport @udp_open_ports accept + } + + chain forward { + type filter hook forward priority 0; + limit rate 3/minute burst 10 packets log prefix "[FORWARD]: " + counter reject + } + + chain output { + type filter hook output priority 0; + counter accept + } +}