diff --git a/services/firewall/firewall.nft b/services/firewall/config/firewall.nft
similarity index 73%
rename from services/firewall/firewall.nft
rename to services/firewall/config/firewall.nft
index f2dda96..11dc278 100644
--- a/services/firewall/firewall.nft
+++ b/services/firewall/config/firewall.nft
@@ -9,6 +9,8 @@ define lan_net = 192.168.2.0/24
 define allowed_icmpv6 = { destination-unreachable, echo-reply, echo-request, nd-neighbor-solicit, nd-router-advert, nd-neighbor-advert, packet-too-big, parameter-problem, time-exceeded }
 define allowed_icmp = { destination-unreachable, echo-reply, echo-request, source-quench, time-exceeded }
+define lan_clients = { 10.0.0.3 }
+
 table inet firewall {
 chain postrouting {
 type nat hook postrouting priority 100;
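Review bot: `define lan_clients = { 10.0.0.3 }` is a bare list of tunnel addresses with nothing saying what qualifies an address to be in it, yet it is the only thing that gates VPN-to-LAN access in the forward rules later in this diff. A one-line comment would help the next maintainer, e.g. `# VPN peer tunnel addresses allowed to reach $lan_net (IPv4 only; one entry per trusted peer)`. If the VPN is WireGuard, as the services/wireguard directory suggests, the source address is only trustworthy because the peer's AllowedIPs binds it to that peer's key, which is worth stating next to the define so nobody widens the set to addresses no peer is pinned to.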
@@ -20,16 +22,16 @@ table inet firewall {
 chain incoming {
 # This line set what traffic the chain will handle, the priority and default policy.
 # The priority comes in when you in another table have a chain set to "hook input" and want to specify in what order they should run.
- type filter hook input priority 0; policy drop;
-
- ct state invalid drop # early drop of invalid packets
- ct state {established, related} accept # allow established/related connections
-
+ type filter hook input priority 0; policy drop;
+
+ ct state invalid drop # early drop of invalid packets
+ ct state {established, related} accept # allow established/related connections
+
 iif lo accept # allow traffic from loopback interface
- # Limit and accept ICMP packets
- ip protocol icmp icmp type @allowed_icmp limit rate 1/second burst 5 packets accept
- ip6 nexthdr icmpv6 icmpv6 type @allowed_icmpv6 limit rate 1/second burst 5 packets accept
+ # Limit and accept ICMP packets
+ ip protocol icmp icmp type $allowed_icmp limit rate 1/second burst 5 packets accept
+ ip6 nexthdr icmpv6 icmpv6 type $allowed_icmpv6 limit rate 1/second burst 5 packets accept
 # Rules for all interfaces
 tcp dport { 80, 443 } accept # Allow http and https for all interfaces
@@ -49,10 +51,13 @@ table inet firewall {
 ct state invalid drop # early drop of invalid packets
 ct state {established, related} accept # allow established/related connections
+ iifname $vpn ip saddr $lan_clients ip daddr $lan_net accept # Allow specific clients to access the LAN network
+ iifname $vpn ip daddr $lan_net drop # Block all other VPN clients from accessing the LAN network
+ iifname $vpn oifname $wan accept # Allow VPN traffic to access WAN
 }
 chain outgoing {
- type filter hook output priority 0; policy accept;
+ type filter hook output priority 0; policy accept;
 }
 }
\ No newline at end of file
diff --git a/services/firewall/install.sh b/services/firewall/install.sh
index f8cb4e9..f9c81dd 100644
--- a/services/firewall/install.sh
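Review bot: The `limit rate 1/second burst 5 packets` on the two ICMP accept rules (now written with `$allowed_icmp` / `$allowed_icmpv6`) is a single token bucket per rule shared by every sender, so one host that keeps sending matching ICMP exhausts it and everyone else's echo requests and ICMP errors fall through the remaining rules to the chain's `policy drop`. If a per-source limit is intended, nftables needs a dynamic set keyed on the source address rather than a bare `limit`; if the shared global budget is deliberate, the comment should say so, e.g. `# Limit and accept ICMP packets (one shared 1/s budget for all senders)`. The `@` to `$` change is the functional fix in this hunk and deserves a mention, since `@name` references a named set while `$name` expands a define. chain incoming continues past the end of the hunk.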
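Review bot: The three new forward rules match `ip saddr` / `ip daddr`, i.e. IPv4 only, while the services/wireguard/install.sh hunk in this same commit turns on `net.ipv6.conf.all.forwarding=1`; IPv6 traffic arriving on `$vpn` toward LAN hosts (link-local or ULA, if any) is not covered by the `drop` rule and is decided by this chain's default policy, which is outside the hunk. With `policy drop` the restriction holds but IPv6 simply is not forwarded; with `policy accept` the LAN block is bypassed for IPv6. Either add an `ip6` counterpart (`iifname $vpn ip6 daddr <LAN-v6-prefix> drop`, with the prefix as a define) or note in the rule comment that the chain policy is what is relied on for v6. The chain header and any rules before `ct state invalid drop` are not in the hunk.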
+++ b/services/firewall/install.sh
@@ -1,21 +1,6 @@
 #!/bin/sh
 echo "Setting up firewall..."
-apk add -u awall # important -u flag!
-apk add ip6tables iptables
-modprobe -v ip_tables
-modprobe -v ip6_tables
-#modprobe -v iptable_nat #if NAT is used
-
-# Register services
-rc-update add iptables
-rc-update add ip6tables
-rc-service iptables start
-rc-service ip6tables start
-
-# In the global policy, LAN rules are omitted, as we are behind a NAT router.
-# If not, add this to global.policy.json:
-# "LAN": { "iface": "eth1" },
-# ...
-# { "in": "LAN", "action": "accept" },
-# { "out": "LAN", "action": "accept" },
\ No newline at end of file
+apk add nftables
+rc-update add nftables boot
+rc-service nftables start
\ No newline at end of file
diff --git a/services/wireguard/install.sh b/services/wireguard/install.sh
index 920ecb6..500f3c4 100644
--- a/services/wireguard/install.sh
+++ b/services/wireguard/install.sh
@@ -18,6 +18,7 @@ EOF
 # Enable IP forwarding, persistent
 echo "net.ipv4.ip_forward=1" >> /etc/sysctl.d/ip_forward.conf
+echo "net.ipv6.conf.all.forwarding=1" >> /etc/sysctl.d/ip_forward.conf
 sysctl -p /etc/sysctl.d/ip_forward.conf
 # Auto-start Wireguard on boot
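Review bot: The new script installs and starts the nftables service but never places services/firewall/config/firewall.nft (renamed in this commit) where the service reads its ruleset, so on a fresh host the service comes up with whatever default ruleset the package ships rather than these rules; on Alpine the OpenRC nftables service loads /etc/nftables.nft, I believe, so a line such as `cp "$(dirname "$0")/config/firewall.nft" /etc/nftables.nft` before `rc-service nftables start` would close that gap unless another script already does it. `rc-service nftables start` on an already-running service only warns and does not reload a changed ruleset, so re-runs after editing the file should use `rc-service nftables restart` or `nft -f` on the file. The script has no `set -e`, so a failed `apk add nftables` still proceeds to enabling and starting a service that is not installed.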
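Review bot: The added `echo "net.ipv6.conf.all.forwarding=1" >> /etc/sysctl.d/ip_forward.conf` appends unconditionally, like the IPv4 line above it, so every re-run of the installer adds a duplicate pair of lines to the file; writing both settings in one overwrite keeps it idempotent, e.g. `printf 'net.ipv4.ip_forward=1\nnet.ipv6.conf.all.forwarding=1\n' > /etc/sysctl.d/ip_forward.conf`. Enabling IPv6 forwarding is also a policy change in its own right, and the IPv4-only scope of the forward rules added to firewall.nft in this commit is raised at that hunk. A comment next to this line stating the intent, e.g. `# IPv6 forwarding: LAN access for v6 is governed by the forward chain policy, not by $lan_clients`, would make that dependency visible to whoever edits either file.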