Maurice/alpine-server-setup
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Getting started with NFTables - long way to go

Browse Source
This commit is contained in:
Maurice
2025-09-29 15:52:06 +02:00
parent aea521cba4
commit 20dd97aafa
8 changed files with 92 additions and 6 deletions
Download Patch File Download Diff File Expand all files Collapse all files

4
installation/basic.sh
View File

@@ -14,4 +14,6 @@ EOF
# Allow local.d services # Allow local.d services
rc-update add local default rc-update add local default
rc-service local start rc-service local start
rc-update add sysctl

1
services/caddy/config/Caddyfile
View File

@@ -56,6 +56,7 @@
Content-Security-Policy default-src 'self'; img-src 'self' data:; script-src 'self'; style-src 'self' 'unsafe-inline'; Content-Security-Policy default-src 'self'; img-src 'self' data:; script-src 'self'; style-src 'self' 'unsafe-inline';
Referrer-Policy: same-origin Referrer-Policy: same-origin
-Server -Server
-X-Powered-By
} }
} }

58
services/firewall/firewall.nft Normal file
View File

@@ -0,0 +1,58 @@
flush ruleset
define wan = eth0
define vpn = wg0
define vpn_net = 10.0.0.0/24
define lan_net = 192.168.2.0/24
# Without the nd-* ones ipv6 will not work.
define allowed_icmpv6 = { destination-unreachable, echo-reply, echo-request, nd-neighbor-solicit, nd-router-advert, nd-neighbor-advert, packet-too-big, parameter-problem, time-exceeded }
define allowed_icmp = { destination-unreachable, echo-reply, echo-request, source-quench, time-exceeded }
table inet firewall {
chain postrouting {
type nat hook postrouting priority 100;
# Masquerade WireGuard VPN traffic to LAN subnet
oifname $wan ip saddr $vpn_net masquerade
}
chain incoming {
# This line set what traffic the chain will handle, the priority and default policy.
# The priority comes in when you in another table have a chain set to "hook input" and want to specify in what order they should run.
type filter hook input priority 0; policy drop;
ct state invalid drop # early drop of invalid packets
ct state {established, related} accept # allow established/related connections
iif lo accept # allow traffic from loopback interface
# Limit and accept ICMP packets
ip protocol icmp icmp type @allowed_icmp limit rate 1/second burst 5 packets accept
ip6 nexthdr icmpv6 icmpv6 type @allowed_icmpv6 limit rate 1/second burst 5 packets accept
# Rules for all interfaces
tcp dport { 80, 443 } accept # Allow http and https for all interfaces
udp dport 443 accept # Allow quic (http/3) for all interfaces
# Rules for WAN interface only
iifname $wan tcp dport 22 limit rate 10/minute accept # Rate limit SSH (port 22) to 10 connections per minute
iifname $wan udp dport 51820 accept # Allow Wireguard incoming from WAN
# Rules for VPN interface only
iifname $vpn udp dport 53 accept # Allow DNS traffic from VPN
}
chain forward {
type filter hook forward priority 0; policy drop;
ct state invalid drop # early drop of invalid packets
ct state {established, related} accept # allow established/related connections
iifname $vpn oifname $wan accept # Allow VPN traffic to access WAN
}
chain outgoing {
type filter hook output priority 0; policy accept;
}
}

5
services/firewall/global.policy.json
View File

@@ -5,9 +5,12 @@
"VPN": { "iface": "wg0" } "VPN": { "iface": "wg0" }
}, },
"policy": [ "policy": [
{ "in": "VPN", "action": "accept" },
{ "out": "VPN", "action": "accept" }, { "out": "VPN", "action": "accept" },
{ "in": "VPN", "action": "drop" },
{ "in": "WAN", "action": "drop" }, { "in": "WAN", "action": "drop" },
{ "action": "reject" } { "action": "reject" }
],
"snat": [
{ "out": "WAN", "src": "10.0.0.1/24" }
] ]
} }

14
services/firewall/reset-firewall.sh Normal file
View File

@@ -0,0 +1,14 @@
#!/bin/sh
iptables -F
iptables -X
iptables -t nat -F
iptables -t nat -X
iptables -t mangle -F
iptables -t mangle -X
iptables -P INPUT ACCEPT
iptables -P FORWARD ACCEPT
iptables -P OUTPUT ACCEPT
# Wireguard
# iptables -A FORWARD -i wg0 -j ACCEPT
# iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

4
services/wireguard/install.sh
View File

@@ -12,8 +12,8 @@ cat <<EOF > /etc/wireguard/wg0.conf
PrivateKey = $(cat /etc/wireguard/server_priv.key) PrivateKey = $(cat /etc/wireguard/server_priv.key)
Address = 10.0.0.1/24 # Server has IP in the wg network Address = 10.0.0.1/24 # Server has IP in the wg network
ListenPort = 51820 ListenPort = 51820
PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE #PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE #PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE
EOF EOF
# Enable IP forwarding, persistent # Enable IP forwarding, persistent

1
services/wireguard/vpn_traffic.policy.json
View File

@@ -3,7 +3,6 @@
"filter": [ "filter": [
{ {
"in": "VPN", "in": "VPN",
"out": "_fw",
"service": [ "ssh", "dns", "ping", "http", "https" ], "service": [ "ssh", "dns", "ping", "http", "https" ],
"action": "accept", "action": "accept",
"src": "10.0.0.1/24" "src": "10.0.0.1/24"

11
todo.txt
View File

@@ -1,3 +1,12 @@
backup(), restore() backup(), restore()
Volume labels (label) Volume labels (label)
Switch to NFTables or UFW.
Firewall:
- Block all traffic by default
- Allow outgoing (wan) http,https,dns,ssh,ntp,ping
- Allow incoming (wan) http,https,ssh,wireguard
- Allow wireguard traffic to lan (so access for instance 192.168.2.x) and wan (access the internet),
BUT only http,https,ping,dns