Getting started with NFTables - long way to go

2025-09-29 15:52:06 +02:00
parent aea521cba4
commit 20dd97aafa
8 changed files with 92 additions and 6 deletions
--- a/installation/basic.sh
+++ b/installation/basic.sh
@@ -14,4 +14,6 @@ EOF

 # Allow local.d services
 rc-update add local default
-rc-service local start
+rc-service local start
+
+rc-update add sysctl
--- a/services/caddy/config/Caddyfile
+++ b/services/caddy/config/Caddyfile
@@ -56,6 +56,7 @@
 		Content-Security-Policy default-src 'self'; img-src 'self' data:; script-src 'self'; style-src 'self' 'unsafe-inline';
 		Referrer-Policy: same-origin
 		-Server
+		-X-Powered-By
 	}
 }

--- a/services/firewall/firewall.nft
+++ b/services/firewall/firewall.nft
@@ -0,0 +1,58 @@
+flush ruleset
+
+define wan = eth0
+define vpn = wg0
+define vpn_net = 10.0.0.0/24
+define lan_net = 192.168.2.0/24
+
+# Without the nd-* ones ipv6 will not work.
+define allowed_icmpv6 = { destination-unreachable, echo-reply, echo-request, nd-neighbor-solicit,  nd-router-advert, nd-neighbor-advert, packet-too-big, parameter-problem, time-exceeded }
+define allowed_icmp = { destination-unreachable, echo-reply, echo-request, source-quench, time-exceeded }
+
+table inet firewall {
+  chain postrouting {
+    type nat hook postrouting priority 100;
+
+    # Masquerade WireGuard VPN traffic to LAN subnet
+    oifname $wan ip saddr $vpn_net masquerade
+  }
+
+  chain incoming {
+    # This line set what traffic the chain will handle, the priority and default policy.
+    # The priority comes in when you in another table have a chain set to "hook input" and want to specify in what order they should run.
+	type filter hook input priority 0; policy drop;
+    
+	ct state invalid drop                                 # early drop of invalid packets
+	ct state {established, related} accept                # allow established/related connections
+	
+    iif lo accept                                         # allow traffic from loopback interface
+
+	# Limit and accept ICMP packets
+    ip protocol icmp icmp type @allowed_icmp limit rate 1/second burst 5 packets accept
+    ip6 nexthdr icmpv6 icmpv6 type @allowed_icmpv6 limit rate 1/second burst 5 packets accept
+
+    # Rules for all interfaces
+    tcp dport { 80, 443 } accept                          # Allow http and https for all interfaces
+    udp dport 443 accept                                  # Allow quic (http/3) for all interfaces
+
+    # Rules for WAN interface only
+    iifname $wan tcp dport 22 limit rate 10/minute accept # Rate limit SSH (port 22) to 10 connections per minute
+    iifname $wan udp dport 51820 accept                   # Allow Wireguard incoming from WAN
+
+    # Rules for VPN interface only
+    iifname $vpn udp dport 53 accept                      # Allow DNS traffic from VPN
+  }
+
+  chain forward {
+    type filter hook forward priority 0; policy drop;
+
+    ct state invalid drop                                 # early drop of invalid packets
+    ct state {established, related} accept                # allow established/related connections
+
+    iifname $vpn oifname $wan accept                      # Allow VPN traffic to access WAN
+  }
+
+  chain outgoing {
+	type filter hook output priority 0; policy accept;
+  }
+}
--- a/services/firewall/global.policy.json
+++ b/services/firewall/global.policy.json
@@ -5,9 +5,12 @@
        "VPN": { "iface": "wg0" }
    },
    "policy": [
-        { "in": "VPN", "action": "accept" },
        { "out": "VPN", "action": "accept" },
+        { "in": "VPN", "action": "drop" },
        { "in": "WAN", "action": "drop" },
        { "action": "reject" }
+    ],
+    "snat": [
+        { "out": "WAN", "src": "10.0.0.1/24" }
    ]
 }
--- a/services/firewall/reset-firewall.sh
+++ b/services/firewall/reset-firewall.sh
@@ -0,0 +1,14 @@
+#!/bin/sh
+iptables -F
+iptables -X
+iptables -t nat -F
+iptables -t nat -X
+iptables -t mangle -F
+iptables -t mangle -X
+iptables -P INPUT ACCEPT
+iptables -P FORWARD ACCEPT
+iptables -P OUTPUT ACCEPT
+
+# Wireguard
+# iptables -A FORWARD -i wg0 -j ACCEPT
+# iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
--- a/services/wireguard/install.sh
+++ b/services/wireguard/install.sh
@@ -12,8 +12,8 @@ cat <<EOF > /etc/wireguard/wg0.conf
 PrivateKey = $(cat /etc/wireguard/server_priv.key)
 Address = 10.0.0.1/24 # Server has IP in the wg network
 ListenPort = 51820
-PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
-PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE
+#PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
+#PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE
 EOF

 # Enable IP forwarding, persistent
--- a/services/wireguard/vpn_traffic.policy.json
+++ b/services/wireguard/vpn_traffic.policy.json
@@ -3,7 +3,6 @@
    "filter": [
        {
            "in": "VPN",
-            "out": "_fw",
            "service": [ "ssh", "dns", "ping", "http", "https" ],
            "action": "accept",
            "src": "10.0.0.1/24"
--- a/todo.txt
+++ b/todo.txt
@@ -1,3 +1,12 @@
 backup(), restore()

-Volume labels (label)
+Volume labels (label)
+
+Switch to NFTables or UFW.
+
+Firewall:
+- Block all traffic by default
+- Allow outgoing (wan) http,https,dns,ssh,ntp,ping
+- Allow incoming (wan) http,https,ssh,wireguard
+- Allow wireguard traffic to lan (so access for instance 192.168.2.x) and wan (access the internet),
+BUT only http,https,ping,dns