--- /dev/null
+#!/usr/sbin/nft -f
+
+
+################################
+# interface definitions
+################################
+
+# internal interface
+define INTERNAL_IF = ifg
+
+# loopback interface
+define LOOPBACK_IF = lo
+
+# perimeter interface
+define PERIMETER_IF = eth0
+
+################################
+# address definitions
+################################
+
+# loopback address
+define LOOPBACK_IP = 127.0.0.1
+
+# public addresses
+define PUBLIC_EFG_IP = 194.149.40.146
+define PUBLIC_NS_IP = 194.149.40.147
+define PUBLIC_VPN_IP = 194.149.40.148
+define PUBLIC_WS_IP = 194.149.40.149
+define PUBLIC_IP_150 = 194.149.40.150
+define PUBLIC_MINECRAFT_IP = 194.149.40.151
+define PUBLIC_IP_152 = 194.149.40.152
+define PUBLIC_IP_153 = 194.149.40.153
+define PUBLIC_IP_154 = 194.149.40.154
+define PUBLIC_IP_155 = 194.149.40.155
+define PUBLIC_IP_156 = 194.149.40.156
+define PUBLIC_RX300_IP = 194.149.40.157
+define PUBLIC_DL360E_IP = 194.149.40.158
+
+define PUBLIC_IP_194 = 84.2.25.194
+define PUBLIC_IP_195 = 84.2.25.195
+define PUBLIC_IP_196 = 84.2.25.196
+define PUBLIC_IP_197 = 84.2.25.197
+define PUBLIC_IP_198 = 84.2.25.198
+define PUBLIC_IP_199 = 84.2.25.199
+define PUBLIC_IP_200 = 84.2.25.200
+define PUBLIC_IP_201 = 84.2.25.201
+define PUBLIC_IP_202 = 84.2.25.202
+define PUBLIC_IP_203 = 84.2.25.203
+define PUBLIC_IP_204 = 84.2.25.204
+define PUBLIC_IP_205 = 84.2.25.205
+define PUBLIC_IP_206 = 84.2.25.206
+
+# efg address (perimeter network)
+define EFG_PERIMETER_IP = 192.168.173.254
+
+# service address (perimeter network)
+#define SVC_PERIMETER_IP = 192.168.173.253
+
+# transfer web server address (perimeter network)
+define XFR_PERIMETER_IP = 192.168.173.251
+
+# subversion address (perimeter network)
+#define SVN_PERIMETER_IP = 192.168.173.250
+
+# web server address (perimeter network)
+define WS_PERIMETER_IP = 192.168.173.249
+
+# perimeter name server address (perimeter network)
+define PNS_PERIMETER_IP = 192.168.173.174
+
+# external name server address (perimeter network)
+define ENS_PERIMETER_IP = 192.168.173.64
+
+# ifg address (perimeter network)
+define IFG_PERIMETER_IP = 192.168.173.1
+
+# ifg addresses (internal network)
+define IFG_USR_IP = 10.228.109.254
+define IFG_SR_IP = 192.168.42.254
+define IFG_IN_IP = 192.168.43.254
+
+# dvredmine address (internal network)
+define DVREDMINE_INTERNAL_IP = 10.228.62.193
+
+# minicrm address (internal network)
+define MINICRM_INTERNAL_IP = 10.228.109.133
+
+# store address (internal network)
+define STORE_INTERNAL_IP = 10.228.109.250
+
+# service address (internal network)
+define SVC_INTERNAL_IP = 10.228.109.253
+
+# vpn address (internal network)
+define VPN_INTERNAL_IP = 10.228.109.236
+
+# primary name server address (internal network)
+define PNS_INTERNAL_IP = 10.228.109.174
+
+# internal name server address (internal network)
+define INS_INTERNAL_IP = 10.228.109.104
+
+# worksheet address (internal network)
+define WORKSHEET_SR_IP = 192.168.42.248
+
+################################
+# network definitions
+################################
+
+# internal networks
+define USR_NET = 10.228.0.0/16
+define SR_NET = 192.168.42.0/24
+define IN_NET = 192.168.43.0/24
+define INTERNAL_NETS = { $USR_NET, $SR_NET, $IN_NET }
+
+# perimeter network
+define PERIMETER_NET = 192.168.173.0/24
+
+# vpn client network
+define VPN_NET = 172.16.223.0/24
+
+# peep-bo network
+define PEEP_BO_NET = 10.162.104.0/24
+
+################################
+# port definitions
+################################
+
+#define MX_PORTS = { 25, 110, 143, 465, 587, 993, 995 }
+define WS_PORTS = { 80, 443 }
+
+
+################################
+# reset nftables
+################################
+
+create table inet ifg_filter
+create table ip ifg_nat
+
+create chain inet ifg_filter input { type filter hook input priority 0; policy drop; }
+create chain inet ifg_filter forward { type filter hook forward priority 0; policy drop; }
+create chain inet ifg_filter output { type filter hook output priority 0; policy drop; }
+create chain ip ifg_nat prerouting { type nat hook prerouting priority 0; policy accept; }
+
+
+################################
+# NAT prerouting rules
+################################
+
+add rule ip ifg_nat prerouting \
+ ip protocol tcp \
+ iifname $INTERNAL_IF ip saddr $INTERNAL_NETS \
+ ip daddr $PUBLIC_WS_IP tcp dport $WS_PORTS \
+ counter dnat $WS_PERIMETER_IP
+
+
+################################
+# FILTER input rules
+################################
+
+add rule inet ifg_filter input \
+ ct state established \
+ ip protocol udp \
+ iifname $INTERNAL_IF ip saddr { $INS_INTERNAL_IP, $SVC_INTERNAL_IP } udp sport 53 \
+ ip daddr $IFG_USR_IP udp dport 1024-65535 \
+ counter accept comment "DNS replies"
+
+add rule inet ifg_filter input \
+ ip protocol icmp \
+ counter accept comment "ICMP"
+
+add rule inet ifg_filter input \
+ counter log prefix "INPUT"
+
+
+################################
+# FILTER forward rules
+################################
+
+add rule inet ifg_filter forward \
+ ct state established, related \
+ iifname $PERIMETER_IF \
+ oifname $INTERNAL_IF ip daddr $INTERNAL_NETS \
+ counter accept comment "Established sessions"
+
+add rule inet ifg_filter forward \
+ iifname $INTERNAL_IF ip saddr $INTERNAL_NETS \
+ oifname $PERIMETER_IF ip daddr != $PERIMETER_NET \
+ counter accept comment "Internet access"
+
+add rule inet ifg_filter forward \
+ ct state new, established \
+ ip protocol tcp \
+ iifname $INTERNAL_IF ip saddr $INTERNAL_NETS tcp sport 1024-65535 \
+ oifname $PERIMETER_IF ip daddr $WS_PERIMETER_IP tcp dport $WS_PORTS \
+ counter accept comment "Webserver access"
+
+add rule inet ifg_filter forward \
+ ct state new \
+ ip protocol udp \
+ iifname $INTERNAL_IF ip saddr $PNS_INTERNAL_IP udp sport 1024-65535 \
+ oifname $PERIMETER_IF ip daddr { $ENS_PERIMETER_IP, $PNS_PERIMETER_IP } udp dport 53 \
+ counter accept comment "DNS zone notification"
+
+add rule inet ifg_filter forward \
+ ct state new \
+ ip protocol tcp \
+ iifname $PERIMETER_IF ip saddr { $ENS_PERIMETER_IP, $PNS_PERIMETER_IP } tcp sport 1024-65535 \
+ oifname $INTERNAL_IF ip daddr $PNS_INTERNAL_IP tcp dport 53 \
+ counter accept comment "DNS zone transfer requests"
+
+add rule inet ifg_filter forward \
+ ct state established \
+ ip protocol tcp \
+ iifname $INTERNAL_IF ip saddr $PNS_INTERNAL_IP tcp sport 53 \
+ oifname $PERIMETER_IF ip daddr { $ENS_PERIMETER_IP, $PNS_PERIMETER_IP } tcp dport 1024-65535 \
+ counter accept comment "DNS zone transfer replies"
+
+add rule inet ifg_filter forward \
+ ip protocol udp \
+ iifname $PERIMETER_IF ip saddr != $PERIMETER_NET udp sport 1024-65535 \
+ oifname $INTERNAL_IF ip daddr $VPN_INTERNAL_IP udp dport 1194 \
+ counter accept comment "Incoming VPN traffic"
+
+add rule inet ifg_filter forward \
+ iifname $INTERNAL_IF \
+ oifname $INTERNAL_IF \
+ counter accept comment "Internal traffic"
+
+add rule inet ifg_filter forward \
+ ip protocol tcp \
+ iifname $PERIMETER_IF ip saddr $WS_PERIMETER_IP tcp sport 1024-65535 \
+ oifname $INTERNAL_IF ip daddr $DVREDMINE_INTERNAL_IP tcp dport 80 \
+ counter accept comment "Redmine requests"
+
+add rule inet ifg_filter forward \
+ ct state established \
+ ip protocol tcp \
+ iifname $INTERNAL_IF ip saddr $DVREDMINE_INTERNAL_IP tcp sport 80 \
+ oifname $PERIMETER_IF ip daddr $WS_PERIMETER_IP tcp dport 1024-65535 \
+ counter accept comment "Redmine replies"
+
+add rule inet ifg_filter forward \
+ ip protocol tcp \
+ iifname $PERIMETER_IF ip saddr $WS_PERIMETER_IP tcp sport 1024-65535 \
+ oifname $INTERNAL_IF ip daddr $MINICRM_INTERNAL_IP tcp dport 8080 \
+ counter accept comment "MiniCRM requests"
+
+add rule inet ifg_filter forward \
+ ct state established \
+ ip protocol tcp \
+ iifname $INTERNAL_IF ip saddr $MINICRM_INTERNAL_IP tcp sport 8080 \
+ oifname $PERIMETER_IF ip daddr $WS_PERIMETER_IP tcp dport 1024-65535 \
+ counter accept comment "MiniCRM replies"
+
+add rule inet ifg_filter forward \
+ ip protocol tcp \
+ iifname $PERIMETER_IF ip saddr $WS_PERIMETER_IP tcp sport 1024-65535 \
+ oifname $INTERNAL_IF ip daddr $WORKSHEET_SR_IP tcp dport 8079 \
+ counter accept comment "Worksheet requests"
+
+add rule inet ifg_filter forward \
+ ct state established \
+ ip protocol tcp \
+ iifname $INTERNAL_IF ip saddr $WORKSHEET_SR_IP tcp sport 8079 \
+ oifname $PERIMETER_IF ip daddr $WS_PERIMETER_IP tcp dport 1024-65535 \
+ counter accept comment "Worksheet replies"
+
+add rule inet ifg_filter forward \
+ ip protocol icmp \
+ counter accept comment "ICMP"
+
+add rule inet ifg_filter forward \
+ counter log prefix "FORWARD"
+
+
+################################
+# FILTER output rules
+################################
+
+add rule inet ifg_filter output \
+ ct state new \
+ ip protocol udp \
+ ip saddr $IFG_USR_IP udp sport 1024-65535 \
+ oifname $INTERNAL_IF ip daddr { $INS_INTERNAL_IP, $SVC_INTERNAL_IP } udp dport 53 \
+ counter accept comment "DNS requests"
+
+add rule inet ifg_filter output \
+ ip protocol icmp \
+ counter accept comment "ICMP"
+
+add rule inet ifg_filter output \
+ counter log prefix "OUTPUT"
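Review bot: The three catch-all log rules (the ones ending the input, forward and output chains with prefix "INPUT", "FORWARD" and "OUTPUT") log every packet that reaches the end of the chain with no rate limit, so a flood against the gateway becomes a kernel-log flood; `limit rate 5/minute burst 10 packets counter log prefix "INPUT: "` (and likewise for the other two, with a trailing separator so the prefix does not run into the log fields) bounds that. `LOOPBACK_IF` is defined in the interface section but never referenced: with `policy drop` on both the input and output base chains nothing on the host can talk over lo, so add `add rule inet ifg_filter input iifname $LOOPBACK_IF counter accept` and `add rule inet ifg_filter output oifname $LOOPBACK_IF counter accept` ahead of the DNS rules. The "reset nftables" section uses `create table`/`create chain`, which fail when the objects already exist, so re-applying this file on a running box errors out; a `flush ruleset` at the top (or `add table` followed by `flush table`) makes the file reloadable and the reset comment accurate. Note also that in an `inet` table `ip protocol icmp` matches only IPv4, so all IPv6 traffic, including ICMPv6 neighbour discovery, falls through to drop-and-log — fine if that is intended, but worth a one-line comment stating it.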