diff --git a/services/firewall/global.policy.json b/services/firewall/global.policy.json
deleted file mode 100644
index beadb53..0000000
--- a/services/firewall/global.policy.json
+++ /dev/null
@@ -1,16 +0,0 @@
-{
- "description": "Restrict all internet access",
- "zone": {
- "WAN": { "iface": "eth0" },
- "VPN": { "iface": "wg0" }
- },
- "policy": [
- { "out": "VPN", "action": "accept" },
- { "in": "VPN", "action": "drop" },
- { "in": "WAN", "action": "drop" },
- { "action": "reject" }
- ],
- "snat": [
- { "out": "WAN", "src": "10.0.0.1/24" }
- ]
-}
\ No newline at end of file
diff --git a/services/firewall/icmp.policy.json b/services/firewall/icmp.policy.json
deleted file mode 100644
index 1436f7e..0000000
--- a/services/firewall/icmp.policy.json
+++ /dev/null
@@ -1,12 +0,0 @@
-{
- "description": "Allow ping-pong",
- "filter": [
- {
- "in": "WAN",
- "out": "_fw",
- "service": "ping",
- "action": "accept",
- "flow-limit": { "count": 10, "interval": 6 }
- }
- ]
-}
\ No newline at end of file
diff --git a/services/firewall/outgoing.policy.json b/services/firewall/outgoing.policy.json
deleted file mode 100644
index 1e45c66..0000000
--- a/services/firewall/outgoing.policy.json
+++ /dev/null
@@ -1,11 +0,0 @@
-{
- "description": "Allow outgoing connections for http/https, dns, ssh, ntp, ssh and ping",
- "filter": [
- {
- "in": "_fw",
- "out": "WAN",
- "service": ["http", "https", "dns", "ssh", "ntp", "ping"],
- "action": "accept"
- }
- ]
-}
\ No newline at end of file
diff --git a/services/firewall/config/firewall.nft b/services/firewall/rules.nft
similarity index 66%
rename from services/firewall/config/firewall.nft
rename to services/firewall/rules.nft
index 11dc278..0e87c69 100644
--- a/services/firewall/config/firewall.nft
+++ b/services/firewall/rules.nft
@@ -5,10 +5,33 @@ define vpn = wg0
 define vpn_net = 10.0.0.0/24
 define lan_net = 192.168.2.0/24
-# Without the nd-* ones ipv6 will not work.
-define allowed_icmpv6 = { destination-unreachable, echo-reply, echo-request, nd-neighbor-solicit, nd-router-advert, nd-neighbor-advert, packet-too-big, parameter-problem, time-exceeded }
-define allowed_icmp = { destination-unreachable, echo-reply, echo-request, source-quench, time-exceeded }
+define icmpv4 = {
+ echo-reply, # type 0 / ping
+ echo-request, # type 8 / ping
+ destination-unreachable, # type 3
+ time-exceeded, # type 11
+ parameter-problem, # type 12
+}
+define icmpv6_basic = {
+ # Basic
+ echo-reply, # type 129 / ping
+ echo-request, # type 128 / ping
+ destination-unreachable, # type 1
+ packet-too-big, # type 2
+ time-exceeded, # type 3
+ parameter-problem # type 4
+}
+
+define icmpv6_slaac = {
+ # SLAAC
+ nd-router-solicit, # type 133
+ nd-router-advert, # type 134
+ nd-neighbor-solicit, # type 135
+ nd-neighbor-advert # type 136
+}
+
+# Clients that are allowed to access the LAN network
 define lan_clients = { 10.0.0.3 }
 table inet firewall {
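Review bot: `define allowed_icmp` is removed here but the IPv4 ICMP rule in the next hunk (the `ip protocol icmp icmp type $allowed_icmp limit rate 1/second burst 5 packets accept` context line) still references it, so nothing renames the old identifier to the new `$icmpv4` set. nft aborts the whole file on an unresolved identifier, which means none of the new ICMPv6/SLAAC, LAN-SSH or VPN-forward rules would be applied by `nft -f`; whether the host is then left on the previous ruleset or with no rules depends on how rules.nft is loaded at boot, which this diff does not show. Change the rule to `ip protocol icmp icmp type $icmpv4 limit rate 1/second burst 5 packets accept`, or keep a compatibility `define allowed_icmp = $icmpv4`. The `table inet firewall {` body that uses these sets continues outside this hunk.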
@@ -31,18 +54,21 @@ table inet firewall {
 # Limit and accept ICMP packets
 ip protocol icmp icmp type $allowed_icmp limit rate 1/second burst 5 packets accept
- ip6 nexthdr icmpv6 icmpv6 type $allowed_icmpv6 limit rate 1/second burst 5 packets accept
+ ip6 nexthdr icmpv6 icmpv6 type $icmpv6_basic limit rate 1/second burst 5 packets accept
+ ip6 nexthdr icmpv6 icmpv6 type $icmpv6_slaac hoplimit 255 accept
 # Rules for all interfaces
 tcp dport { 80, 443 } accept # Allow http and https for all interfaces
 udp dport 443 accept # Allow quic (http/3) for all interfaces
+ ip saddr $lan_net tcp dport 22 accept # Allow SSH from LAN network
+
 # Rules for WAN interface only
- iifname $wan tcp dport 22 limit rate 10/minute accept # Rate limit SSH (port 22) to 10 connections per minute
+ # iifname $wan tcp dport 22 limit rate 10/minute accept # Rate limit SSH (port 22) to 10 connections per minute from WAN
 iifname $wan udp dport 51820 accept # Allow Wireguard incoming from WAN
 # Rules for VPN interface only
- iifname $vpn udp dport 53 accept # Allow DNS traffic from VPN
+ iifname $vpn tcp dport 22 accept # Allow SSH from VPN
 }
 chain forward {
@@ -53,7 +79,7 @@ table inet firewall {
 iifname $vpn ip saddr $lan_clients ip daddr $lan_net accept # Allow specific clients to access the LAN network
 iifname $vpn ip daddr $lan_net drop # Block all other VPN clients from accessing the LAN network
-
+ iifname $vpn oifname $wan accept # Allow VPN traffic to access WAN
 }
diff --git a/services/firewall/update.sh b/services/firewall/update.sh
new file mode 100644
index 0000000..a1c6205
--- /dev/null
+++ b/services/firewall/update.sh
@@ -0,0 +1,5 @@
+#!/bin/sh
+ln -sf ./rules.nft /etc/nftables.d/firewall.nft
+
+echo "Reloading firewall rules..."
+nft -f /etc/nftables.d/firewall.nft
\ No newline at end of file
diff --git a/services/ssh/ssh.policy.json b/services/ssh/ssh.policy.json
deleted file mode 100644
index 98092a3..0000000
--- a/services/ssh/ssh.policy.json
+++ /dev/null
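Review bot: The new `ip saddr $lan_net tcp dport 22 accept` line keys on the source address alone, so a packet arriving on `$wan` or `$vpn` that carries a 192.168.2.0/24 source also matches it, and with the rate-limited WAN rule now commented out nothing else in this chain constrains that path. Unless an anti-spoofing rule sits earlier in the input chain (the chain header is outside this hunk, so I cannot tell), bind the rule to the LAN interface, e.g. `iifname <LAN_IFACE> ip saddr $lan_net tcp dport 22 accept` (placeholder: the LAN interface define is not visible in this diff), or add a reverse-path check such as `fib saddr . iif oif missing drop` ahead of the accepts. Separately, the `iifname $vpn udp dport 53` rule is dropped without a replacement; if VPN peers resolve DNS through this host that removal should be deliberate.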
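Review bot: The forward hunk's `iifname $vpn oifname $wan accept` lets 10.0.0.0/24 traffic out through `$wan`, but this commit also deletes the `snat` entry for that subnet in global.policy.json and the MASQUERADE PostUp lines in the WireGuard install script, and no nat chain is visible in these hunks. Unless rules.nft defines one outside the diff, forwarded VPN packets leave eth0 with private source addresses and replies never return. If it is missing, add a `table ip nat` with a `postrouting` chain (`type nat hook postrouting priority srcnat;`) holding `oifname $wan ip saddr $vpn_net masquerade`, and note in a comment next to the forward rule that it depends on that chain.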
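Review bot: `ln -sf ./rules.nft /etc/nftables.d/firewall.nft` creates a link whose target resolves relative to the link's own directory, i.e. `/etc/nftables.d/rules.nft`, not to the current working directory, so unless the repository checkout lives there the link dangles and the `nft -f` on the last line fails. Use an absolute target, `ln -sf "$PWD/rules.nft" /etc/nftables.d/firewall.nft`, or copy the file. The same relative-target pattern is used for the caddy links in the top-level update.sh hunk below. Also, the load result is not checked; since this script is `source`d from the top-level loop, a failed load is only visible in the output — validating first with `nft -c -f /etc/nftables.d/firewall.nft && nft -f /etc/nftables.d/firewall.nft` makes a broken ruleset explicit without touching the live rules.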
@@ -1,12 +0,0 @@
-{
- "description": "Allow limited incoming SSH access (TCP/22)",
- "filter": [
- {
- "in": "WAN",
- "out": "_fw",
- "service": "ssh",
- "action": "accept",
- "conn-limit": { "count": 3, "interval": 30 }
- }
- ]
-}
\ No newline at end of file
diff --git a/services/wireguard/install.sh b/services/wireguard/install.sh
index 500f3c4..85c73d7 100644
--- a/services/wireguard/install.sh
+++ b/services/wireguard/install.sh
@@ -12,8 +12,6 @@ cat < /etc/wireguard/wg0.conf
 PrivateKey = $(cat /etc/wireguard/server_priv.key)
 Address = 10.0.0.1/24 # Server has IP in the wg network
 ListenPort = 51820
-#PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
-#PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE
 EOF
 # Enable IP forwarding, persistent
diff --git a/services/wireguard/vpn_traffic.policy.json b/services/wireguard/vpn_traffic.policy.json
deleted file mode 100644
index 73e3512..0000000
--- a/services/wireguard/vpn_traffic.policy.json
+++ /dev/null
@@ -1,11 +0,0 @@
-{
- "description": "Allow VPN traffic through Wireguard interface",
- "filter": [
- {
- "in": "VPN",
- "service": [ "ssh", "dns", "ping", "http", "https" ],
- "action": "accept",
- "src": "10.0.0.1/24"
- }
- ]
-}
\ No newline at end of file
diff --git a/services/wireguard/wireguard.policy.json b/services/wireguard/wireguard.policy.json
deleted file mode 100644
index d976937..0000000
--- a/services/wireguard/wireguard.policy.json
+++ /dev/null
@@ -1,14 +0,0 @@
-{
- "description": "Allow Wireguard server access from the internet",
- "service": {
- "wireguard": { "port": 51820, "proto": "udp" }
- },
- "filter": [
- {
- "in": "WAN",
- "out": "_fw",
- "service": "wireguard",
- "action": "accept"
- }
- ]
-}
\ No newline at end of file
diff --git a/update.sh b/update.sh
index a5b91e2..20e22a6 100644
--- a/update.sh
+++ b/update.sh
@@ -20,16 +20,15 @@ for service in "./services"/*/; do
 source ./update.sh
 fi
- # Symlink and activate each *.policy.json
- for policy in *.policy.json; do
- [ -e "$policy" ] || continue
- POLICY_NAME="${policy%.policy.json}"
- ln -sf "./$policy" "/etc/awall/optional/$POLICY_NAME.json"
- awall enable "$POLICY_NAME"
+ # Symlink all caddy configs
+ for caddyfile in *.caddy; do
+ [ -e "$caddyfile" ] || continue
+ CADDY_NAME="${caddyfile%.caddy}"
+ ln -sf "./$caddyfile" "/etc/caddy/$CADDY_NAME"
 done
 cd "$base_dir"
 done
-echo "Activating firewall..."
-awall activate
\ No newline at end of file
+echo "Restarting caddy..."
+rc-service caddy restart
\ No newline at end of file
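Review bot: Dropping the `awall enable` loop and `awall activate` removes awall from the provisioning path, but nothing here disables the policies a previously provisioned host already has enabled, so the `/etc/awall/optional/*.json` links created by the removed lines and the awall-managed ruleset would presumably stay active alongside the new nftables rules until someone runs `awall disable` for each of them. A one-time migration step in this script (or at least a note in the commit message) would make the cutover explicit, e.g. `for p in /etc/awall/optional/*.json; do awall disable "$(basename "$p" .json)"; done` guarded by a check that awall is installed. The `for service` loop that encloses this hunk starts before it; the firewall is now reloaded only when `source ./update.sh` runs for the firewall service, so the order in which services are iterated determines whether caddy is restarted before or after the rules load.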