Nftables to go

services/firewall/global.policy.json

@@ -1,16 +0,0 @@
-{
-    "description": "Restrict all internet access",
-    "zone": {
-        "WAN": { "iface": "eth0" },
-        "VPN": { "iface": "wg0" }
-    },
-    "policy": [
-        { "out": "VPN", "action": "accept" },
-        { "in": "VPN", "action": "drop" },
-        { "in": "WAN", "action": "drop" },
-        { "action": "reject" }
-    ],
-    "snat": [
-        { "out": "WAN", "src": "10.0.0.1/24" }
-    ]
-}

services/firewall/icmp.policy.json

@@ -1,12 +0,0 @@
-{
-    "description": "Allow ping-pong",
-    "filter": [
-        {
-            "in": "WAN",
-            "out": "_fw",
-            "service": "ping",
-            "action": "accept",
-            "flow-limit": { "count": 10, "interval": 6 }
-        }
-    ]
-}

services/firewall/outgoing.policy.json

@@ -1,11 +0,0 @@
-{
-    "description": "Allow outgoing connections for http/https, dns, ssh, ntp, ssh and ping",
-    "filter": [
-        {
-            "in": "_fw",
-            "out": "WAN",
-            "service": ["http", "https", "dns", "ssh", "ntp", "ping"],
-            "action": "accept"
-        }
-    ]
-}

services/firewall/rules.nft

@@ -5,10 +5,33 @@ define vpn = wg0
 define vpn_net = 10.0.0.0/24
 define lan_net = 192.168.2.0/24
 
-# Without the nd-* ones ipv6 will not work.
-define allowed_icmpv6 = { destination-unreachable, echo-reply, echo-request, nd-neighbor-solicit,  nd-router-advert, nd-neighbor-advert, packet-too-big, parameter-problem, time-exceeded }
-define allowed_icmp = { destination-unreachable, echo-reply, echo-request, source-quench, time-exceeded }
+define icmpv4 = {
+  echo-reply, # type 0 / ping
+  echo-request, # type 8 / ping
+  destination-unreachable, # type 3
+  time-exceeded, # type 11
+  parameter-problem, # type 12
+}
 
+define icmpv6_basic = { 
+  # Basic
+  echo-reply, # type 129 / ping
+  echo-request, # type 128 / ping
+  destination-unreachable, # type 1
+  packet-too-big, # type 2
+  time-exceeded, # type 3
+  parameter-problem # type 4
+}
+
+define icmpv6_slaac = {
+  # SLAAC
+  nd-router-solicit, # type 133
+  nd-router-advert, # type 134
+  nd-neighbor-solicit, # type 135
+  nd-neighbor-advert # type 136
+}
+
+# Clients that are allowed to access the LAN network
 define lan_clients = { 10.0.0.3 }
 
 table inet firewall {
@@ -31,18 +54,21 @@ table inet firewall {
 
     # Limit and accept ICMP packets
     ip protocol icmp icmp type $allowed_icmp limit rate 1/second burst 5 packets accept
-    ip6 nexthdr icmpv6 icmpv6 type $allowed_icmpv6 limit rate 1/second burst 5 packets accept
+    ip6 nexthdr icmpv6 icmpv6 type $icmpv6_basic limit rate 1/second burst 5 packets accept
+    ip6 nexthdr icmpv6 icmpv6 type $icmpv6_slaac hoplimit 255 accept
 
     # Rules for all interfaces
     tcp dport { 80, 443 } accept                          # Allow http and https for all interfaces
     udp dport 443 accept                                  # Allow quic (http/3) for all interfaces
 
+    ip saddr $lan_net tcp dport 22 accept                 # Allow SSH from LAN network
+
     # Rules for WAN interface only
-    iifname $wan tcp dport 22 limit rate 10/minute accept # Rate limit SSH (port 22) to 10 connections per minute
+    # iifname $wan tcp dport 22 limit rate 10/minute accept # Rate limit SSH (port 22) to 10 connections per minute from WAN
     iifname $wan udp dport 51820 accept                   # Allow Wireguard incoming from WAN
 
     # Rules for VPN interface only
-    iifname $vpn udp dport 53 accept                      # Allow DNS traffic from VPN
+    iifname $vpn tcp dport 22 accept                      # Allow SSH from VPN
   }
 
   chain forward {
@@ -53,7 +79,7 @@ table inet firewall {
 
     iifname $vpn ip saddr $lan_clients ip daddr $lan_net accept # Allow specific clients to access the LAN network
     iifname $vpn ip daddr $lan_net drop                   # Block all other VPN clients from accessing the LAN network 
-    
+  
     iifname $vpn oifname $wan accept                      # Allow VPN traffic to access WAN
   }
 

services/firewall/update.sh

@@ -0,0 +1,5 @@
+#!/bin/sh
+ln -sf ./rules.nft /etc/nftables.d/firewall.nft
+
+echo "Reloading firewall rules..."
+nft -f /etc/nftables.d/firewall.nft

services/ssh/ssh.policy.json

@@ -1,12 +0,0 @@
-{
-    "description": "Allow limited incoming SSH access (TCP/22)",
-    "filter": [
-        {
-            "in": "WAN",
-            "out": "_fw",
-            "service": "ssh",
-            "action": "accept",
-	        "conn-limit": { "count": 3, "interval": 30 }
-        }
-    ]
-}

services/wireguard/install.sh

@@ -12,8 +12,6 @@ cat <<EOF > /etc/wireguard/wg0.conf
 PrivateKey = $(cat /etc/wireguard/server_priv.key)
 Address = 10.0.0.1/24 # Server has IP in the wg network
 ListenPort = 51820
-#PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
-#PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE
 EOF
 
 # Enable IP forwarding, persistent

services/wireguard/vpn_traffic.policy.json

@@ -1,11 +0,0 @@
-{
-    "description": "Allow VPN traffic through Wireguard interface",
-    "filter": [
-        {
-            "in": "VPN",
-            "service": [ "ssh", "dns", "ping", "http", "https" ],
-            "action": "accept",
-            "src": "10.0.0.1/24"
-        }
-    ]
-}

services/wireguard/wireguard.policy.json

@@ -1,14 +0,0 @@
-{
-    "description": "Allow Wireguard server access from the internet",
-    "service": {
-        "wireguard": { "port": 51820, "proto": "udp" }
-    },
-    "filter": [
-        {
-            "in": "WAN",
-            "out": "_fw",
-            "service": "wireguard",
-            "action": "accept"
-        }
-    ]
-}