From 9ee4a01370e1f5453cf83a6708daefe46c68ec41 Mon Sep 17 00:00:00 2001
From: =?utf8?q?Zolt=C3=A1n=20Felleg?=
Date: Wed, 19 May 2021 11:52:43 +0200
Subject: [PATCH] Updated ifg.in (nftables ipv6 update).

---
sources/ifg.in/firstboot/nftables.config | 220 ++++++++++++-----------
1 file changed, 115 insertions(+), 105 deletions(-)

diff --git a/sources/ifg.in/firstboot/nftables.config b/sources/ifg.in/firstboot/nftables.config
index 71835a1..358dfe7 100644
--- a/sources/ifg.in/firstboot/nftables.config
+++ b/sources/ifg.in/firstboot/nftables.config
@@ -19,94 +19,94 @@ define PERIMETER_IF = eth1 ################################ # loopback address -define LOOPBACK_IP = 127.0.0.1 +define LOOPBACK_IPV4 = 127.0.0.1 # public addresses -define PUBLIC_EFG_IP = 37.220.137.97 -define PUBLIC_MX_IP = 37.220.137.98 -define PUBLIC_NS_IP = 37.220.137.99 -define PUBLIC_VPN_IP = 37.220.137.100 -define PUBLIC_WS_IP = 37.220.137.101 -define PUBLIC_MINECRAFT_IP = 37.220.137.102 -define PUBLIC_IP_103 = 37.220.137.103 -define PUBLIC_IP_104 = 37.220.137.104 -define PUBLIC_IP_105 = 37.220.137.105 -define PUBLIC_IP_106 = 37.220.137.106 -define PUBLIC_IP_107 = 37.220.137.107 -define PUBLIC_DL360E_IP = 37.220.137.108 -define PUBLIC_DL380E_IP = 37.220.137.109 +define PUBLIC_EFG_IPV4 = 37.220.137.97 +define PUBLIC_MX_IPV4 = 37.220.137.98 +define PUBLIC_NS_IPV4 = 37.220.137.99 +define PUBLIC_VPN_IPV4 = 37.220.137.100 +define PUBLIC_WS_IPV4 = 37.220.137.101 +define PUBLIC_MINECRAFT_IPV4 = 37.220.137.102 +define PUBLIC_IPV4_103 = 37.220.137.103 +define PUBLIC_IPV4_104 = 37.220.137.104 +define PUBLIC_IPV4_105 = 37.220.137.105 +define PUBLIC_IPV4_106 = 37.220.137.106 +define PUBLIC_IPV4_107 = 37.220.137.107 +define PUBLIC_DL360E_IPV4 = 37.220.137.108 +define PUBLIC_DL380E_IPV4 = 37.220.137.109 # efg address (perimeter network) -define EFG_PERIMETER_IP = 192.168.173.254 +define EFG_PERIMETER_IPV4 = 192.168.173.254 # service address (perimeter network) -#define SVC_PERIMETER_IP = 192.168.173.253 +#define SVC_PERIMETER_IPV4 = 192.168.173.253 # transfer web server address (perimeter network) -define XFR_PERIMETER_IP = 192.168.173.251 +define XFR_PERIMETER_IPV4 = 192.168.173.251 # subversion address (perimeter network) -#define SVN_PERIMETER_IP = 192.168.173.250 +#define SVN_PERIMETER_IPV4 = 192.168.173.250 # web server address (perimeter network) -define WS_PERIMETER_IP = 192.168.173.249 +define WS_PERIMETER_IPV4 = 192.168.173.249 # perimeter name server address (perimeter network) -define PNS_PERIMETER_IP = 192.168.173.174 +define 
PNS_PERIMETER_IPV4 = 192.168.173.174 # external name server address (perimeter network) -define ENS_PERIMETER_IP = 192.168.173.64 +define ENS_PERIMETER_IPV4 = 192.168.173.64 # ifg address (perimeter network) -define IFG_PERIMETER_IP = 192.168.173.1 +define IFG_PERIMETER_IPV4 = 192.168.173.1 # ifg addresses (internal network) -define IFG_INTERNAL_IP = 10.228.109.254 +define IFG_INTERNAL_IPV4 = 10.228.109.254 define IFG_INTERNAL_IPV6 = 2a02:d400:0000:f268:000c:18ff:fe03:6dfe -define IFG_SR_IP = 192.168.42.254 -define IFG_IN_IP = 192.168.43.254 +define IFG_SR_IPV4 = 192.168.42.254 +define IFG_IN_IPV4 = 192.168.43.254 # dvredmine address (internal network) -define DVREDMINE_INTERNAL_IP = 10.228.62.193 +define DVREDMINE_INTERNAL_IPV4 = 10.228.62.193 # minicrm address (internal network) -define MINICRM_INTERNAL_IP = 10.228.109.133 +define MINICRM_INTERNAL_IPV4 = 10.228.109.133 # store address (internal network) -define STORE_INTERNAL_IP = 10.228.109.250 +define STORE_INTERNAL_IPV4 = 10.228.109.250 define STORE_INTERNAL_IPV6 = 2a02:d400:0000:f268:da9d:67ff:fe63:dc68 # service address (internal network) -define SVC_INTERNAL_IP = 10.228.109.253 +define SVC_INTERNAL_IPV4 = 10.228.109.253 define SVC_INTERNAL_IPV6 = 2a02:d400:0000:f268:000c:18ff:fe03:6dfd # vpn address (internal network) -define VPN_INTERNAL_IP = 10.228.109.236 +define VPN_INTERNAL_IPV4 = 10.228.109.236 # primary name server address (internal network) -define PNS_INTERNAL_IP = 10.228.109.174 +define PNS_INTERNAL_IPV4 = 10.228.109.174 # internal name server address (internal network) -define INS_INTERNAL_IP = 10.228.109.104 +define INS_INTERNAL_IPV4 = 10.228.109.104 define INS_INTERNAL_IPV6 = 2a02:d400:0000:f268:000c:18ff:fe03:6d68 # worksheet address (internal network) -define WORKSHEET_SR_IP = 192.168.42.248 +define WORKSHEET_SR_IPV4 = 192.168.42.248 ################################ # network definitions ################################ # internal networks -define INTERNAL_NET = 10.228.0.0/16 -define 
INTERNAL_NET_IPV6 = 2a02:d400:0000:f268::/64 -define SR_NET = 192.168.42.0/24 -define IN_NET = 192.168.43.0/24 -define INTERNAL_NETS = { $INTERNAL_NET, $SR_NET, $IN_NET } +define INTERNAL_IPV4_NET = 10.228.0.0/16 +define INTERNAL_IPV6_NET = 2a02:d400:0000:f268::/64 +define SR_IPV4_NET = 192.168.42.0/24 +define IN_IPV4_NET = 192.168.43.0/24 +define INTERNAL_IPV4_NETS = { $INTERNAL_IPV4_NET, $SR_IPV4_NET, $IN_IPV4_NET } # perimeter network define PERIMETER_NET = 192.168.173.0/24 -define PERIMETER_NET_IPV6 = 2a02:d400:0000:f2ad::/64 +define PERIMETER_IPV6_NET = 2a02:d400:0000:f2ad::/64 # vpn client network define VPN_NET = 172.16.223.0/24 @@ -126,13 +126,17 @@ define WS_PORTS = { 80, 443 } # reset nftables ################################ -create table inet ifg_filter +create table ip ifg_filter create table ip ifg_nat +create table ip6 ifg_filter -create chain inet ifg_filter input { type filter hook input priority 0; policy drop; } -create chain inet ifg_filter forward { type filter hook forward priority 0; policy drop; } -create chain inet ifg_filter output { type filter hook output priority 0; policy drop; } +create chain ip ifg_filter input { type filter hook input priority 0; policy drop; } +create chain ip ifg_filter forward { type filter hook forward priority 0; policy drop; } +create chain ip ifg_filter output { type filter hook output priority 0; policy drop; } create chain ip ifg_nat prerouting { type nat hook prerouting priority 0; policy accept; } +create chain ip6 ifg_filter input { type filter hook input priority 0; policy drop; } +create chain ip6 ifg_filter forward { type filter hook forward priority 0; policy drop; } +create chain ip6 ifg_filter output { type filter hook output priority 0; policy drop; } ################################ 
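Review bot: The section is headed "reset nftables" but nothing in it resets anything: `create table ip ifg_filter` and `create table ip6 ifg_filter` fail with "File exists" when the tables are already present, and the `inet ifg_filter` table that the previous revision created is never deleted, so on a host that already carries the old ruleset (rather than a true first boot) the old inet chains keep filtering alongside the new ip/ip6 ones. Unless a `flush ruleset` precedes this hunk outside the visible lines, I would add one as the first statement of the section, `flush ruleset`, so the file is idempotent and the family split cannot leave a stale table behind. Note also that only the ip family gets a nat table, so the webserver DNAT in `ip ifg_nat prerouting` has no IPv6 counterpart; if that is intended, a one-line comment next to `create table ip6 ifg_filter` saying `# no ip6 nat: IPv6 clients reach the webserver directly` would save the next reader a search.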
@@ -141,31 +145,31 @@ create chain ip ifg_nat prerouting { type nat hook prerouting priority 0; policy add rule ip ifg_nat prerouting \ ip protocol tcp \ - iifname $INTERNAL_IF ip saddr $INTERNAL_NETS tcp sport 1024-65535 \ - ip daddr $PUBLIC_WS_IP tcp dport $WS_PORTS \ - counter dnat $WS_PERIMETER_IP comment "Webserver access" + iifname $INTERNAL_IF ip saddr $INTERNAL_IPV4_NETS tcp sport 1024-65535 \ + ip daddr $PUBLIC_WS_IPV4 tcp dport $WS_PORTS \ + counter dnat $WS_PERIMETER_IPV4 comment "Webserver access" ################################ # FILTER input rules ################################ -add rule inet ifg_filter input \ +add rule ip ifg_filter input \ ct state established \ ip protocol udp \ - iifname $INTERNAL_IF ip saddr { $INS_INTERNAL_IP, $SVC_INTERNAL_IP } udp sport 53 \ - ip daddr $IFG_INTERNAL_IP udp dport 1024-65535 \ + iifname $INTERNAL_IF ip saddr { $INS_INTERNAL_IPV4, $SVC_INTERNAL_IPV4 } udp sport 53 \ + ip daddr $IFG_INTERNAL_IPV4 udp dport 1024-65535 \ counter accept comment "DNS replies" -add rule inet ifg_filter input \ +add rule ip6 ifg_filter input \ ct state established \ iifname $INTERNAL_IF ip6 saddr { $INS_INTERNAL_IPV6, $SVC_INTERNAL_IPV6 } udp sport 53 \ ip6 daddr $IFG_INTERNAL_IPV6 udp dport 1024-65535 \ counter accept comment "DNS replies" -add rule inet ifg_filter input \ +add rule ip ifg_filter input \ ip protocol icmp \ counter accept comment "ICMP" -add rule inet ifg_filter input \ +add rule ip6 ifg_filter input \ icmpv6 type { destination-unreachable, \ echo-reply, \ echo-request, \ @@ -183,11 +187,13 @@ add rule inet ifg_filter input \ time-exceeded } \ counter accept comment "ICMPv6" -add rule inet ifg_filter input \ +add rule ip ifg_filter input \ ip protocol gre \ counter accept comment "GRE" -add rule inet ifg_filter input \ +add rule ip ifg_filter input \ + counter log prefix "INPUT" +add rule ip6 ifg_filter input \ counter log prefix "INPUT" 
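Review bot: The new `ip ifg_filter input` rule `ip protocol icmp counter accept` admits every ICMP type on every interface, including the perimeter side, while the ip6 rule directly below it is restricted to an explicit icmpv6 type set; the split into per-family tables is a good moment to give IPv4 the same treatment, e.g. `icmp type { echo-request, echo-reply, destination-unreachable, time-exceeded, parameter-problem } counter accept comment "ICMP"`. The middle of the icmpv6 type set lies outside this hunk, so I cannot see whether `nd-neighbor-solicit`, `nd-neighbor-advert` and `nd-router-advert` are in it; with `policy drop` on the ip6 input chain those are required for neighbour discovery to work at all, so please confirm they are present. Both points are carried over from the old inet table rather than introduced here.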
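Review bot: Both families' catch-all rules use the identical `log prefix "INPUT"`, so once the tables are split an ip drop and an ip6 drop become indistinguishable in the kernel log, and nft prepends the prefix to the `IN=` field with no separator, producing lines like `INPUTIN=eth1`. Because these rules sit at the end of a `policy drop` chain they fire for every rejected packet, so an unsolicited flood on the public interface turns into a log flood; I would write them as `limit rate 5/second burst 20 packets counter log prefix "ifg4 INPUT drop: "` and `limit rate 5/second burst 20 packets counter log prefix "ifg6 INPUT drop: "`. The FORWARD and OUTPUT log rules later in the file have the same issue.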
@@ -195,108 +201,108 @@ add rule inet ifg_filter input \ # FILTER forward rules ################################ -add rule inet ifg_filter forward \ +add rule ip ifg_filter forward \ ct state established, related \ iifname $PERIMETER_IF \ - oifname $INTERNAL_IF ip daddr $INTERNAL_NETS \ + oifname $INTERNAL_IF ip daddr $INTERNAL_IPV4_NETS \ counter accept comment "Established sessions" -add rule inet ifg_filter forward \ +add rule ip6 ifg_filter forward \ ct state established, related \ iifname $PERIMETER_IF \ - oifname $INTERNAL_IF ip6 daddr $INTERNAL_NET_IPV6 \ + oifname $INTERNAL_IF ip6 daddr $INTERNAL_IPV6_NET \ counter accept comment "Established sessions" -add rule inet ifg_filter forward \ - iifname $INTERNAL_IF ip saddr $INTERNAL_NETS \ +add rule ip ifg_filter forward \ + iifname $INTERNAL_IF ip saddr $INTERNAL_IPV4_NETS \ oifname $PERIMETER_IF ip daddr != $PERIMETER_NET \ counter accept comment "Internet access" -add rule inet ifg_filter forward \ - iifname $INTERNAL_IF ip6 saddr $INTERNAL_NET_IPV6 \ +add rule ip6 ifg_filter forward \ + iifname $INTERNAL_IF ip6 saddr $INTERNAL_IPV6_NET \ oifname $PERIMETER_IF \ counter accept comment "Internet access" -add rule inet ifg_filter forward \ +add rule ip ifg_filter forward \ ct state new, established \ ip protocol tcp \ - iifname $INTERNAL_IF ip saddr $INTERNAL_NETS tcp sport 1024-65535 \ - oifname $PERIMETER_IF ip daddr $WS_PERIMETER_IP tcp dport $WS_PORTS \ + iifname $INTERNAL_IF ip saddr $INTERNAL_IPV4_NETS tcp sport 1024-65535 \ + oifname $PERIMETER_IF ip daddr $WS_PERIMETER_IPV4 tcp dport $WS_PORTS \ counter accept comment "Webserver access" -add rule inet ifg_filter forward \ +add rule ip ifg_filter forward \ ct state new \ ip protocol udp \ - iifname $INTERNAL_IF ip saddr $PNS_INTERNAL_IP udp sport 1024-65535 \ - oifname $PERIMETER_IF ip daddr { $ENS_PERIMETER_IP, $PNS_PERIMETER_IP } udp dport 53 \ + iifname $INTERNAL_IF ip saddr $PNS_INTERNAL_IPV4 udp sport 1024-65535 \ + oifname $PERIMETER_IF ip daddr { 
$ENS_PERIMETER_IPV4, $PNS_PERIMETER_IPV4 } udp dport 53 \ counter accept comment "DNS zone notification" -add rule inet ifg_filter forward \ +add rule ip ifg_filter forward \ ct state new \ ip protocol tcp \ - iifname $PERIMETER_IF ip saddr { $ENS_PERIMETER_IP, $PNS_PERIMETER_IP } tcp sport 1024-65535 \ - oifname $INTERNAL_IF ip daddr $PNS_INTERNAL_IP tcp dport 53 \ + iifname $PERIMETER_IF ip saddr { $ENS_PERIMETER_IPV4, $PNS_PERIMETER_IPV4 } tcp sport 1024-65535 \ + oifname $INTERNAL_IF ip daddr $PNS_INTERNAL_IPV4 tcp dport 53 \ counter accept comment "DNS zone transfer requests" -add rule inet ifg_filter forward \ +add rule ip ifg_filter forward \ ct state established \ ip protocol tcp \ - iifname $INTERNAL_IF ip saddr $PNS_INTERNAL_IP tcp sport 53 \ - oifname $PERIMETER_IF ip daddr { $ENS_PERIMETER_IP, $PNS_PERIMETER_IP } tcp dport 1024-65535 \ + iifname $INTERNAL_IF ip saddr $PNS_INTERNAL_IPV4 tcp sport 53 \ + oifname $PERIMETER_IF ip daddr { $ENS_PERIMETER_IPV4, $PNS_PERIMETER_IPV4 } tcp dport 1024-65535 \ counter accept comment "DNS zone transfer replies" -add rule inet ifg_filter forward \ +add rule ip ifg_filter forward \ ip protocol udp \ iifname $PERIMETER_IF ip saddr != $PERIMETER_NET udp sport 1024-65535 \ - oifname $INTERNAL_IF ip daddr $VPN_INTERNAL_IP udp dport 1194 \ + oifname $INTERNAL_IF ip daddr $VPN_INTERNAL_IPV4 udp dport 1194 \ counter accept comment "Incoming VPN traffic" -add rule inet ifg_filter forward \ +add rule ip ifg_filter forward \ iifname $INTERNAL_IF \ oifname $INTERNAL_IF \ counter accept comment "Internal traffic" -add rule inet ifg_filter forward \ +add rule ip ifg_filter forward \ ip protocol tcp \ - iifname $PERIMETER_IF ip saddr $WS_PERIMETER_IP tcp sport 1024-65535 \ - oifname $INTERNAL_IF ip daddr $DVREDMINE_INTERNAL_IP tcp dport 80 \ + iifname $PERIMETER_IF ip saddr $WS_PERIMETER_IPV4 tcp sport 1024-65535 \ + oifname $INTERNAL_IF ip daddr $DVREDMINE_INTERNAL_IPV4 tcp dport 80 \ counter accept comment "Redmine requests" 
-add rule inet ifg_filter forward \ +add rule ip ifg_filter forward \ ct state established \ ip protocol tcp \ - iifname $INTERNAL_IF ip saddr $DVREDMINE_INTERNAL_IP tcp sport 80 \ - oifname $PERIMETER_IF ip daddr $WS_PERIMETER_IP tcp dport 1024-65535 \ + iifname $INTERNAL_IF ip saddr $DVREDMINE_INTERNAL_IPV4 tcp sport 80 \ + oifname $PERIMETER_IF ip daddr $WS_PERIMETER_IPV4 tcp dport 1024-65535 \ counter accept comment "Redmine replies" -add rule inet ifg_filter forward \ +add rule ip ifg_filter forward \ ip protocol tcp \ - iifname $PERIMETER_IF ip saddr $WS_PERIMETER_IP tcp sport 1024-65535 \ - oifname $INTERNAL_IF ip daddr $MINICRM_INTERNAL_IP tcp dport 8080 \ + iifname $PERIMETER_IF ip saddr $WS_PERIMETER_IPV4 tcp sport 1024-65535 \ + oifname $INTERNAL_IF ip daddr $MINICRM_INTERNAL_IPV4 tcp dport 8080 \ counter accept comment "MiniCRM requests" -add rule inet ifg_filter forward \ +add rule ip ifg_filter forward \ ct state established \ ip protocol tcp \ - iifname $INTERNAL_IF ip saddr $MINICRM_INTERNAL_IP tcp sport 8080 \ - oifname $PERIMETER_IF ip daddr $WS_PERIMETER_IP tcp dport 1024-65535 \ + iifname $INTERNAL_IF ip saddr $MINICRM_INTERNAL_IPV4 tcp sport 8080 \ + oifname $PERIMETER_IF ip daddr $WS_PERIMETER_IPV4 tcp dport 1024-65535 \ counter accept comment "MiniCRM replies" -add rule inet ifg_filter forward \ +add rule ip ifg_filter forward \ ip protocol tcp \ - iifname $PERIMETER_IF ip saddr $WS_PERIMETER_IP tcp sport 1024-65535 \ - oifname $INTERNAL_IF ip daddr $WORKSHEET_SR_IP tcp dport 8079 \ + iifname $PERIMETER_IF ip saddr $WS_PERIMETER_IPV4 tcp sport 1024-65535 \ + oifname $INTERNAL_IF ip daddr $WORKSHEET_SR_IPV4 tcp dport 8079 \ counter accept comment "Worksheet requests" -add rule inet ifg_filter forward \ +add rule ip ifg_filter forward \ ct state established \ ip protocol tcp \ - iifname $INTERNAL_IF ip saddr $WORKSHEET_SR_IP tcp sport 8079 \ - oifname $PERIMETER_IF ip daddr $WS_PERIMETER_IP tcp dport 1024-65535 \ + iifname $INTERNAL_IF ip saddr 
$WORKSHEET_SR_IPV4 tcp sport 8079 \ + oifname $PERIMETER_IF ip daddr $WS_PERIMETER_IPV4 tcp dport 1024-65535 \ counter accept comment "Worksheet replies" -add rule inet ifg_filter forward \ +add rule ip ifg_filter forward \ ip protocol icmp \ counter accept comment "ICMP" -add rule inet ifg_filter forward \ +add rule ip6 ifg_filter forward \ icmpv6 type { destination-unreachable, \ echo-reply, \ echo-request, \ @@ -314,7 +320,9 @@ add rule inet ifg_filter forward \ time-exceeded } \ counter accept comment "ICMPv6" -add rule inet ifg_filter forward \ +add rule ip ifg_filter forward \ + counter log prefix "FORWARD" +add rule ip6 ifg_filter forward \ counter log prefix "FORWARD" @@ -322,22 +330,22 @@ add rule inet ifg_filter forward \ # FILTER output rules ################################ -add rule inet ifg_filter output \ +add rule ip ifg_filter output \ ct state new \ ip protocol udp \ - ip saddr $IFG_INTERNAL_IP udp sport 1024-65535 \ - oifname $INTERNAL_IF ip daddr { $INS_INTERNAL_IP, $SVC_INTERNAL_IP } udp dport 53 \ + ip saddr $IFG_INTERNAL_IPV4 udp sport 1024-65535 \ + oifname $INTERNAL_IF ip daddr { $INS_INTERNAL_IPV4, $SVC_INTERNAL_IPV4 } udp dport 53 \ counter accept comment "DNS requests" -add rule inet ifg_filter output \ +add rule ip6 ifg_filter output \ ct state new \ ip6 saddr $IFG_INTERNAL_IPV6 udp sport 1024-65535 \ oifname $INTERNAL_IF ip6 daddr { $INS_INTERNAL_IPV6, $SVC_INTERNAL_IPV6 } udp dport 53 \ counter accept comment "DNS requests" -add rule inet ifg_filter output \ +add rule ip ifg_filter output \ ip protocol icmp \ counter accept comment "ICMP" -add rule inet ifg_filter output \ +add rule ip6 ifg_filter output \ icmpv6 type { destination-unreachable, \ echo-reply, \ echo-request, \ 
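Review bot: The ip6 "Internet access" forward rule accepts everything from `$INTERNAL_IPV6_NET` out `$PERIMETER_IF` without the `ip daddr != $PERIMETER_NET` exclusion its IPv4 twin carries, and there are no per-service ip6 forward rules, so internal hosts can reach perimeter hosts on any port over IPv6 while the same access over IPv4 is limited to the webserver, DNS and the three application ports listed below it. The commit renames `PERIMETER_IPV6_NET` but never references it; I would use it here, `oifname $PERIMETER_IF ip6 daddr != $PERIMETER_IPV6_NET \`, so both families enforce the same internal/perimeter boundary. The gap was already present in the old inet rule, so it predates the split rather than being introduced by it, but the rename makes it easy to close now.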
@@ -355,5 +363,7 @@ add rule inet ifg_filter output \ time-exceeded } \ counter accept comment "ICMPv6" -add rule inet ifg_filter output \ +add rule ip ifg_filter output \ + counter log prefix "OUTPUT" +add rule ip6 ifg_filter output \ counter log prefix "OUTPUT" -- 2.54.0