From 83f126e8bda434f75b1e1510e10234dfc477e844 Mon Sep 17 00:00:00 2001
From: =?utf8?q?Zolt=C3=A1n=20Felleg?=
Date: Wed, 9 Mar 2022 13:20:13 +0100
Subject: [PATCH] Updated efg.pm (minor tweaks).
---
 .../efg.pm/c3d/firstboot/data/nftables.config | 169 ++++++++----------
 .../ifg.in/c3d/firstboot/data/nftables.config | 1 -
 2 files changed, 73 insertions(+), 97 deletions(-)
diff --git a/sources/efg.pm/c3d/firstboot/data/nftables.config b/sources/efg.pm/c3d/firstboot/data/nftables.config
index 66e3758..a553402 100644
--- a/sources/efg.pm/c3d/firstboot/data/nftables.config
+++ b/sources/efg.pm/c3d/firstboot/data/nftables.config
@@ -111,54 +111,53 @@ define PEEP_BO_IPV4_NET = 10.162.104.0/24
 ################################
 #define MX_PORTS = { 25, 110, 143, 465, 587, 993, 995 }
-define WS_PORTS = { 80, 443 }
 ################################
 # reset nftables
 ################################
-create table ip efg_filter
-create table ip efg_nat
-create table ip6 efg_filter
+create table ip efg-filter
+create table ip efg-nat
+create table ip6 efg-filter
-create chain ip efg_filter input { type filter hook input priority 0; policy drop; }
-create chain ip efg_filter forward { type filter hook forward priority 0; policy drop; }
-create chain ip efg_filter output { type filter hook output priority 0; policy drop; }
-create chain ip efg_nat prerouting { type nat hook prerouting priority 0; policy accept; }
-create chain ip efg_nat postrouting { type nat hook postrouting priority 0; policy accept; }
-create chain ip6 efg_filter input { type filter hook input priority 0; policy accept; }
-create chain ip6 efg_filter forward { type filter hook forward priority 0; policy drop; }
-create chain ip6 efg_filter output { type filter hook output priority 0; policy accept; }
+create chain ip efg-filter input { type filter hook input priority 0; policy drop; }
+create chain ip efg-filter forward { type filter hook forward priority 0; policy drop; }
+create chain ip efg-filter output { type filter hook output priority 0; policy drop; }
+create chain ip efg-nat prerouting { type nat hook prerouting priority 0; policy accept; }
+create chain ip efg-nat postrouting { type nat hook postrouting priority 0; policy accept; }
+create chain ip6 efg-filter input { type filter hook input priority 0; policy accept; }
+create chain ip6 efg-filter forward { type filter hook forward priority 0; policy drop; }
+create chain ip6 efg-filter output { type filter hook output priority 0; policy accept; }
 ################################
 # NAT prerouting rules
 ################################
-add rule ip efg_nat prerouting \
+add rule ip efg-nat prerouting \
 iifname $EXTERNAL_ACE_IF \
 ip daddr $PUBLIC_ACE_VPN_IPV4 udp dport 1194 \
 counter dnat $VPN_INTERNAL_IPV4 comment "Incoming VPN traffic"
-#add rule ip efg_nat prerouting \
+#add rule ip efg-nat prerouting \
 # iifname $EXTERNAL_ACE_IF \
 # ip daddr $PUBLIC_ACE_MX_IPV4 tcp dport $MX_PORTS \
 # counter dnat $MX_PERIMETER_IPV4 comment "Incoming MX traffic"
-add rule ip efg_nat prerouting \
+add rule ip efg-nat prerouting \
 iifname $EXTERNAL_ACE_IF udp sport 1024-65535 \
 ip daddr $PUBLIC_ACE_NS_IPV4 udp dport 53 \
 counter dnat $ENS_PERIMETER_IPV4 comment "Incoming DNS requests (udp)"
-add rule ip efg_nat prerouting \
+add rule ip efg-nat prerouting \
 iifname $EXTERNAL_ACE_IF tcp sport 1024-65535 \
 ip daddr $PUBLIC_ACE_NS_IPV4 tcp dport 53 \
 counter dnat $ENS_PERIMETER_IPV4 comment "Incoming DNS requests (tcp)"
-add rule ip efg_nat prerouting \
+add rule ip efg-nat prerouting \
 iifname $EXTERNAL_ACE_IF tcp sport 1024-65535 \
- ip daddr $PUBLIC_ACE_WS_IPV4 tcp dport $WS_PORTS \
+ ip daddr $PUBLIC_ACE_WS_IPV4 tcp dport { http, https } \
 counter dnat $WS_PERIMETER_IPV4 comment "Incoming http(s) requests"
@@ -166,21 +165,21 @@ add rule ip efg_nat prerouting \
 # FILTER input rules
 ################################
-add rule ip efg_filter input \
+add rule ip efg-filter input \
 ct state established \
 iifname $PERIMETER_IF ip saddr $PNS_PERIMETER_IPV4 udp sport 53 \
 ip daddr $EFG_PERIMETER_IPV4 udp dport 1024-65535 \
 counter accept comment "DNS replies"
-add rule ip6 efg_filter input \
+add rule ip6 efg-filter input \
 ct state established \
 iifname $PERIMETER_IF ip6 saddr $PNS_PERIMETER_IPV6 udp sport 53 \
 ip6 daddr $EFG_PERIMETER_IPV6 udp dport 1024-65535 \
 counter accept comment "DNS replies"
-add rule ip efg_filter input \
+add rule ip efg-filter input \
 ip protocol icmp \
 counter accept comment "ICMP"
-add rule ip6 efg_filter input \
+add rule ip6 efg-filter input \
 icmpv6 type { destination-unreachable, \
 echo-reply, \
 echo-request, \
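Review bot: In hunk @@ -111 the renamed `ip6 efg-filter input` and `ip6 efg-filter output` chains are still created with `policy accept` while their `ip` counterparts use `policy drop`, and the last rule of each ip6 chain (hunks @@ -198 and @@ -449) is `counter log prefix "INPUT"` / `"OUTPUT"` with no verdict, so IPv6 traffic that matches none of the explicit rules is logged and then accepted by policy. If that asymmetry is deliberate it deserves a comment on the two `create chain ip6 ...` lines; otherwise `policy drop;` on both would make the IPv6 filter behave like the IPv4 one. Separately, the rename adds nothing that retires the old `efg_filter` / `efg_nat` tables: unless the loader runs `flush ruleset` before this file (not visible in the hunk), a host that still holds the old tables ends up with two generations of base chains hooked at priority 0, and the old drop-policy chains keep filtering alongside the new ones.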
@@ -198,13 +197,13 @@ add rule ip6 efg_filter input \
 time-exceeded } \
 counter accept comment "ICMPv6"
-add rule ip efg_filter input \
+add rule ip efg-filter input \
 ip protocol gre \
 counter accept comment "GRE"
-add rule ip efg_filter input \
+add rule ip efg-filter input \
 counter log prefix "INPUT"
-add rule ip6 efg_filter input \
+add rule ip6 efg-filter input \
 counter log prefix "INPUT"
@@ -212,183 +211,161 @@ add rule ip6 efg_filter input \
 # FILTER forward rules
 ################################
-add rule ip efg_filter forward \
+add rule ip efg-filter forward \
 ct state established, related \
 iifname $EXTERNAL_ACE_IF \
 oifname $PERIMETER_IF ip daddr $INTERNAL_IPV4_NETS \
 counter accept comment "Established sessions (ACE)"
-add rule ip6 efg_filter forward \
+add rule ip6 efg-filter forward \
 ct state established, related \
 iifname $EXTERNAL_ACE_IF \
 oifname $PERIMETER_IF ip6 daddr $INTERNAL_IPV6_NET \
 counter accept comment "Established sessions (ACE)"
-add rule ip efg_filter forward \
+add rule ip efg-filter forward \
 ct state established, related \
 iifname $EXTERNAL_TELEKOM_IF \
 oifname $PERIMETER_IF ip daddr $INTERNAL_IPV4_NETS \
 counter accept comment "Established sessions (TELEKOM)"
-add rule ip efg_filter forward \
+add rule ip efg-filter forward \
 iifname $PERIMETER_IF ip saddr $INTERNAL_IPV4_NETS \
 oifname $EXTERNAL_ACE_IF \
 counter accept comment "Internet access (ACE)"
-add rule ip6 efg_filter forward \
+add rule ip6 efg-filter forward \
 iifname $PERIMETER_IF ip6 saddr $INTERNAL_IPV6_NET \
 oifname $EXTERNAL_ACE_IF \
 counter accept comment "Internet access (ACE)"
-add rule ip efg_filter forward \
+add rule ip efg-filter forward \
 iifname $PERIMETER_IF ip saddr $INTERNAL_IPV4_NETS \
 oifname $EXTERNAL_TELEKOM_IF \
 counter accept comment "Internet access (TELEKOM)"
-add rule ip efg_filter forward \
+add rule ip efg-filter forward \
 iifname $EXTERNAL_ACE_IF \
 oifname $PERIMETER_IF ip daddr $VPN_INTERNAL_IPV4 udp dport 1194 \
 counter accept comment "Incoming VPN traffic (ACE)"
-add rule ip efg_filter forward \
+add rule ip efg-filter forward \
 iifname $EXTERNAL_TELEKOM_IF \
 oifname $PERIMETER_IF ip daddr $VPN_INTERNAL_IPV4 udp dport 1194 \
 counter accept comment "Incoming VPN traffic (TELEKOM)"
-add rule ip efg_filter forward \
+add rule ip efg-filter forward \
 iifname $EXTERNAL_ACE_IF tcp sport 1024-65535 \
- oifname $PERIMETER_IF ip daddr $WS_PERIMETER_IPV4 tcp dport $WS_PORTS \
+ oifname $PERIMETER_IF ip daddr $WS_PERIMETER_IPV4 tcp dport { http, https } \
 counter accept comment "Incoming http(s) requests (ACE)"
-add rule ip efg_filter forward \
+add rule ip efg-filter forward \
 iifname $EXTERNAL_TELEKOM_IF tcp sport 1024-65535 \
- oifname $PERIMETER_IF ip daddr $WS_PERIMETER_IPV4 tcp dport $WS_PORTS \
+ oifname $PERIMETER_IF ip daddr $WS_PERIMETER_IPV4 tcp dport { http, https } \
 counter accept comment "Incoming http(s) requests (TELEKOM)"
-add rule ip efg_filter forward \
+add rule ip efg-filter forward \
 ct state established \
- iifname $PERIMETER_IF ip saddr $WS_PERIMETER_IPV4 tcp sport $WS_PORTS \
+ iifname $PERIMETER_IF ip saddr $WS_PERIMETER_IPV4 tcp sport { http, https } \
 oifname $EXTERNAL_ACE_IF tcp dport 1024-65535 \
 counter accept comment "Outgoing http(s) replies (ACE)"
-add rule ip efg_filter forward \
+add rule ip efg-filter forward \
 ct state established \
- iifname $PERIMETER_IF ip saddr $WS_PERIMETER_IPV4 tcp sport $WS_PORTS \
+ iifname $PERIMETER_IF ip saddr $WS_PERIMETER_IPV4 tcp sport { http, https } \
 oifname $EXTERNAL_TELEKOM_IF tcp dport 1024-65535 \
 counter accept comment "Outgoing http(s) replies (TELEKOM)"
-add rule ip efg_filter forward \
+add rule ip efg-filter forward \
 iifname $EXTERNAL_ACE_IF udp sport 1024-65535 \
 oifname $PERIMETER_IF ip daddr $ENS_PERIMETER_IPV4 udp dport 53 \
 counter accept comment "Incoming DNS requests/notifications (udp) (ACE)"
-add rule ip efg_filter forward \
+add rule ip efg-filter forward \
 iifname $EXTERNAL_TELEKOM_IF udp sport 1024-65535 \
 oifname $PERIMETER_IF ip daddr $ENS_PERIMETER_IPV4 udp dport 53 \
 counter accept comment "Incoming DNS requests/notifications (udp) (TELEKOM)"
-add rule ip efg_filter forward \
+add rule ip efg-filter forward \
 ct state established, related \
 iifname $PERIMETER_IF ip saddr $ENS_PERIMETER_IPV4 udp sport 53 \
 oifname $EXTERNAL_ACE_IF udp dport 1024-65535 \
 counter accept comment "Outgoing DNS replies (udp) (ACE)"
-add rule ip efg_filter forward \
+add rule ip efg-filter forward \
 ct state established, related \
 iifname $PERIMETER_IF ip saddr $ENS_PERIMETER_IPV4 udp sport 53 \
 oifname $EXTERNAL_TELEKOM_IF udp dport 1024-65535 \
 counter accept comment "Outgoing DNS replies (udp) (TELEKOM)"
-add rule ip efg_filter forward \
+add rule ip efg-filter forward \
 iifname $EXTERNAL_ACE_IF tcp sport 1024-65535 \
 oifname $PERIMETER_IF ip daddr $ENS_PERIMETER_IPV4 tcp dport 53 \
 counter accept comment "Incoming DNS requests (tcp) (ACE)"
-add rule ip efg_filter forward \
+add rule ip efg-filter forward \
 iifname $EXTERNAL_TELEKOM_IF tcp sport 1024-65535 \
 oifname $PERIMETER_IF ip daddr $ENS_PERIMETER_IPV4 tcp dport 53 \
 counter accept comment "Incoming DNS requests (tcp) (TELEKOM)"
-add rule ip efg_filter forward \
+add rule ip efg-filter forward \
 ct state established, related \
 iifname $PERIMETER_IF ip saddr $ENS_PERIMETER_IPV4 tcp sport 53 \
 oifname $EXTERNAL_ACE_IF tcp dport 1024-65535 \
 counter accept comment "Outgoing DNS replies (tcp) (ACE)"
-add rule ip efg_filter forward \
+add rule ip efg-filter forward \
 ct state established, related \
 iifname $PERIMETER_IF ip saddr $ENS_PERIMETER_IPV4 tcp sport 53 \
 oifname $EXTERNAL_TELEKOM_IF tcp dport 1024-65535 \
 counter accept comment "Outgoing DNS replies (tcp) (TELEKOM)"
-add rule ip efg_filter forward \
+add rule ip efg-filter forward \
 iifname $PERIMETER_IF ip saddr { $ENS_PERIMETER_IPV4, $PNS_PERIMETER_IPV4 } udp sport 1024-65535 \
 oifname $EXTERNAL_ACE_IF udp dport 53 \
 counter accept comment "Outgoing DNS requests/notifications (udp) (ACE)"
-add rule ip efg_filter forward \
+add rule ip efg-filter forward \
 iifname $PERIMETER_IF ip saddr { $ENS_PERIMETER_IPV4, $PNS_PERIMETER_IPV4 } udp sport 1024-65535 \
 oifname $EXTERNAL_TELEKOM_IF udp dport 53 \
 counter accept comment "Outgoing DNS requests/notifications (udp) (TELEKOM)"
-add rule ip efg_filter forward \
+add rule ip efg-filter forward \
 ct state established, related \
 iifname $EXTERNAL_ACE_IF udp sport 53 \
 oifname $PERIMETER_IF ip daddr { $ENS_PERIMETER_IPV4, $PNS_PERIMETER_IPV4 } udp dport 1024-65535 \
 counter accept comment "Incoming DNS replies (udp) (ACE)"
-add rule ip efg_filter forward \
+add rule ip efg-filter forward \
 ct state established, related \
 iifname $EXTERNAL_TELEKOM_IF udp sport 53 \
 oifname $PERIMETER_IF ip daddr { $ENS_PERIMETER_IPV4, $PNS_PERIMETER_IPV4 } udp dport 1024-65535 \
 counter accept comment "Incoming DNS replies (udp) (TELEKOM)"
-add rule ip efg_filter forward \
+add rule ip efg-filter forward \
 iifname $PERIMETER_IF ip saddr { $ENS_PERIMETER_IPV4, $PNS_PERIMETER_IPV4 } tcp sport 1024-65535 \
 oifname $EXTERNAL_ACE_IF tcp dport 53 \
 counter accept comment "Outgoing DNS requests (tcp) (ACE)"
-add rule ip efg_filter forward \
+add rule ip efg-filter forward \
 iifname $PERIMETER_IF ip saddr { $ENS_PERIMETER_IPV4, $PNS_PERIMETER_IPV4 } tcp sport 1024-65535 \
 oifname $EXTERNAL_TELEKOM_IF tcp dport 53 \
 counter accept comment "Outgoing DNS requests (tcp) (TELEKOM)"
-add rule ip efg_filter forward \
+add rule ip efg-filter forward \
 ct state established, related \
 iifname $EXTERNAL_ACE_IF tcp sport 53 \
 oifname $PERIMETER_IF ip daddr { $ENS_PERIMETER_IPV4, $PNS_PERIMETER_IPV4 } tcp dport 1024-65535 \
 counter accept comment "Incoming DNS replies (tcp) (ACE)"
-add rule ip efg_filter forward \
+add rule ip efg-filter forward \
 ct state established, related \
 iifname $EXTERNAL_TELEKOM_IF tcp sport 53 \
 oifname $PERIMETER_IF ip daddr { $ENS_PERIMETER_IPV4, $PNS_PERIMETER_IPV4 } tcp dport 1024-65535 \
 counter accept comment "Incoming DNS replies (tcp) (TELEKOM)"
-add rule ip efg_filter forward \
- iifname $PERIMETER_IF ip saddr $WS_PERIMETER_IPV4 tcp sport 1024-65535 \
- oifname $EXTERNAL_ACE_IF tcp dport $WS_PORTS \
- counter accept comment "Outgoing let's encrypt requests (ACE)"
-
-add rule ip efg_filter forward \
- iifname $PERIMETER_IF ip saddr $WS_PERIMETER_IPV4 tcp sport 1024-65535 \
- oifname $EXTERNAL_TELEKOM_IF tcp dport $WS_PORTS \
- counter accept comment "Outgoing let's encrypt requests (TELEKOM)"
-
-add rule ip efg_filter forward \
- ct state established \
- iifname $EXTERNAL_ACE_IF tcp sport $WS_PORTS \
- oifname $PERIMETER_IF ip daddr $WS_PERIMETER_IPV4 tcp dport 1024-65535 \
- counter accept comment "Incoming let's encrypt replies (ACE)"
-
-add rule ip efg_filter forward \
- ct state established \
- iifname $EXTERNAL_TELEKOM_IF tcp sport $WS_PORTS \
- oifname $PERIMETER_IF ip daddr $WS_PERIMETER_IPV4 tcp dport 1024-65535 \
- counter accept comment "Incoming let's encrypt replies (TELEKOM)"
-
-add rule ip efg_filter forward \
+add rule ip efg-filter forward \
 ip protocol icmp \
 counter accept comment "ICMP"
-add rule ip6 efg_filter forward \
+add rule ip6 efg-filter forward \
 icmpv6 type { destination-unreachable, \
 echo-reply, \
 echo-request, \
@@ -406,10 +383,10 @@ add rule ip6 efg_filter forward \
 time-exceeded } \
 counter accept comment "ICMPv6"
-add rule ip efg_filter forward \
+add rule ip efg-filter forward \
 counter log prefix "FORWARD"
-add rule ip6 efg_filter forward \
+add rule ip6 efg-filter forward \
 counter log prefix "FORWARD"
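Review bot: Removing the four "let's encrypt" rules in hunk @@ -212 takes away the only visible forward rules that let $WS_PERIMETER_IPV4 open outbound http/https sessions, and the forward chain is created with `policy drop`, so unless $WS_PERIMETER_IPV4 falls inside $INTERNAL_IPV4_NETS and rides the "Internet access" rules (not determinable from this diff), the ACME client those comments describe now ends at `counter log prefix "FORWARD"` and is dropped, which will surface as a failed certificate renewal rather than at deploy time. The postrouting rule `counter snat $PUBLIC_ACE_WS_IPV4 comment "Outgoing WS traffic"` in hunk @@ -459 also appears to have no forward rule left that would feed it new sessions, so either that rule should go with this change or the intended outbound path for the web host should be stated in a comment here. On style, the commit replaces the single `define WS_PORTS` with five inline `{ http, https }` sets across the prerouting and forward rules; keeping one definition, `define WS_PORTS = { http, https }` (or the numeric ports, which do not depend on the services database), leaves a single place to edit when the web port set changes.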
@@ -417,21 +394,21 @@ add rule ip6 efg_filter forward \
 # FILTER output rules
 ################################
-add rule ip efg_filter output \
+add rule ip efg-filter output \
 ct state new \
 ip saddr $EFG_PERIMETER_IPV4 udp sport 1024-65535 \
 oifname $PERIMETER_IF ip daddr $PNS_PERIMETER_IPV4 udp dport 53 \
 counter accept comment "DNS requests"
-add rule ip6 efg_filter output \
+add rule ip6 efg-filter output \
 ct state new \
 ip6 saddr $EFG_PERIMETER_IPV6 udp sport 1024-65535 \
 oifname $PERIMETER_IF ip6 daddr $PNS_PERIMETER_IPV6 udp dport 53 \
 counter accept comment "DNS requests"
-add rule ip efg_filter output \
+add rule ip efg-filter output \
 ip protocol icmp \
 counter accept comment "ICMP"
-add rule ip6 efg_filter output \
+add rule ip6 efg-filter output \
 icmpv6 type { destination-unreachable, \
 echo-reply, \
 echo-request, \
@@ -449,9 +426,9 @@ add rule ip6 efg_filter output \
 time-exceeded } \
 counter accept comment "ICMPv6"
-add rule ip efg_filter output \
+add rule ip efg-filter output \
 counter log prefix "OUTPUT"
-add rule ip6 efg_filter output \
+add rule ip6 efg-filter output \
 counter log prefix "OUTPUT"
@@ -459,30 +436,30 @@ add rule ip6 efg_filter output \
 # NAT postrouting rules
 ################################
-add rule ip efg_nat postrouting \
+add rule ip efg-nat postrouting \
 oifname $EXTERNAL_ACE_IF ip saddr $VPN_INTERNAL_IPV4 \
 counter snat $PUBLIC_ACE_VPN_IPV4 comment "Outgoing VPN traffic"
-add rule ip efg_nat postrouting \
+add rule ip efg-nat postrouting \
 oifname $EXTERNAL_ACE_IF ip saddr $INTERNAL_IPV4_NETS \
 counter snat $PUBLIC_ACE_EFG_IPV4 comment "Outgoing internal traffic"
-add rule ip efg_nat postrouting \
+add rule ip efg-nat postrouting \
 oifname $EXTERNAL_TELEKOM_IF ip saddr $INTERNAL_IPV4_NETS \
 counter snat $PUBLIC_TELEKOM_EFG_IPV4 comment "Outgoing internal traffic (TELEKOM)"
-#add rule ip efg_nat postrouting \
+#add rule ip efg-nat postrouting \
 # oifname $EXTERNAL_ACE_IF ip saddr $MX_PERIMETER_IPV4 \
 # counter snat $PUBLIC_ACE_MX_IPV4 comment "Outgoing MX traffic"
-add rule ip efg_nat postrouting \
+add rule ip efg-nat postrouting \
 oifname $EXTERNAL_ACE_IF ip saddr $ENS_PERIMETER_IPV4 \
 counter snat $PUBLIC_ACE_NS_IPV4 comment "Outgoing external DNS traffic"
-add rule ip efg_nat postrouting \
+add rule ip efg-nat postrouting \
 oifname $EXTERNAL_ACE_IF ip saddr $PNS_PERIMETER_IPV4 \
 counter snat $PUBLIC_ACE_EFG_IPV4 comment "Outgoing perimeter DNS traffic"
-add rule ip efg_nat postrouting \
+add rule ip efg-nat postrouting \
 oifname $EXTERNAL_ACE_IF ip saddr $WS_PERIMETER_IPV4 \
 counter snat $PUBLIC_ACE_WS_IPV4 comment "Outgoing WS traffic"
diff --git a/sources/ifg.in/c3d/firstboot/data/nftables.config b/sources/ifg.in/c3d/firstboot/data/nftables.config
index 97f8163..476ca1a 100644
--- a/sources/ifg.in/c3d/firstboot/data/nftables.config
+++ b/sources/ifg.in/c3d/firstboot/data/nftables.config
@@ -143,7 +143,6 @@ define PEEP_BO_NET = 10.162.104.0/24
 ################################
 #define MX_PORTS = { 25, 110, 143, 465, 587, 993, 995 }
-define FDS_PORTS = { ldap, ldaps }
 ################################
-- 
2.54.0