  1. #!/usr/sbin/nft -f
  2.  
  3. flush ruleset
  4.  
  5. define IPv4_BOGONS = {
  6. 0.0.0.0/8,
  7. 10.0.0.0/8,
  8. 100.64.0.0/10,
  9. 127.0.0.0/8,
  10. 169.254.0.0/16,
  11. 172.16.0.0/12,
  12. 192.0.0.0/24,
  13. 192.0.2.0/24,
  14. 192.168.0.0/16,
  15. 198.18.0.0/15,
  16. 198.51.100.0/24,
  17. 203.0.113.0/24,
  18. 224.0.0.0/3
  19. }
  20.  
  21. define RFC1918_Local = {
  22. 192.168.0.0/16,
  23. 172.16.0.0/12,
  24. 10.0.0.0/8
  25. }
  26.  
  27. define Allowed_DNS = {
  28. 9.9.9.11
  29. }
  30. define INTERNAL_DNS_PROXIES = {
  31. 172.20.10.9,
  32. 172.20.20.9,
  33. 172.20.30.9,
  34. 172.20.40.9
  35. }
  36.  
  37. define VL10_USER_NET = {
  38. 192.168.10.128/26
  39. }
  40. define VL20_USER_NET = {
  41. 192.168.20.128/26
  42. }
  43. define VL30_USER_NET = {
  44. 192.168.30.128/26
  45. }
  46. define VL40_USER_NET = {
  47. 192.168.40.128/26
  48. }
  49. define VL90_USER_NET = {
  50. 192.168.90.128/26
  51. }
  52. define VL90_CORE_NET = {
  53. 192.168.90.4/32
  54. }
  55.  
  56. define DOCKER_BRIDGES = {
  57. 172.18.0.0/16, #default
  58. 172.20.0.0/16 #custom
  59. }
#Refs:
#https://blog.samuel.domains/blog/security/nftables-hardening-rules-and-good-practices
#Bridge-family trace point. Despite the "nat"/"prerouting" names this is a
# plain filter chain on the bridge forward hook; at -300 it runs before the
# bridge filter chains (-200) and only switches nftrace on for every bridged
# frame. Noisy in production - consider disabling outside debugging.
table bridge nat {
chain prerouting {
type filter hook forward priority -300; policy accept;

meta nftrace set 1;
}
}
  73. table bridge filter {
  74. chain input {
  75. type filter hook forward priority -200; policy drop;
  76.  
  77. ether type 0x0806 accept;
  78.  
  79. #Allow communication between the DNS server and the DNS proxies.
  80. ip saddr 172.20.10.5 ip daddr 172.20.10.9 udp dport 5353 ct state { new } accept;
  81. ip daddr 172.20.10.5 ip saddr 172.20.10.9 udp sport 5353 ct state { established } accept;
  82.  
  83. ip saddr 172.20.20.5 ip daddr 172.20.20.9 udp dport 5353 ct state { new } accept;
  84. ip daddr 172.20.20.5 ip saddr 172.20.20.9 udp sport 5353 ct state { established } accept;
  85.  
  86. ip saddr 172.20.30.5 ip daddr 172.20.30.9 udp dport 5353 ct state { new } accept;
  87. ip daddr 172.20.30.5 ip saddr 172.20.30.9 udp sport 5353 ct state { established } accept;
  88.  
  89. ip saddr 172.20.40.5 ip daddr 172.20.40.9 udp dport 5353 ct state { new } accept;
  90. ip daddr 172.20.40.5 ip saddr 172.20.40.9 udp sport 5353 ct state { established } accept;
  91.  
  92. meta nftrace set 1;
  93.  
  94. }
  95.  
  96. chain forward {
  97. type filter hook forward priority -200; policy drop;
  98.  
  99. ether type 0x0806 accept;
  100.  
  101. ip saddr 172.20.10.5 ip daddr 172.20.10.9 udp dport 5353 ct state { new } accept;
  102. ip daddr 172.20.10.5 ip saddr 172.20.10.9 udp sport 5353 ct state { established } accept;
  103.  
  104. ip saddr 172.20.20.5 ip daddr 172.20.20.9 udp dport 5353 ct state { new } accept;
  105. ip daddr 172.20.20.5 ip saddr 172.20.20.9 udp sport 5353 ct state { established } accept;
  106.  
  107. ip saddr 172.20.30.5 ip daddr 172.20.30.9 udp dport 5353 ct state { new } accept;
  108. ip daddr 172.20.30.5 ip saddr 172.20.30.9 udp sport 5353 ct state { established } accept;
  109.  
  110. ip saddr 172.20.40.5 ip daddr 172.20.40.9 udp dport 5353 ct state { new } accept;
  111. ip daddr 172.20.40.5 ip saddr 172.20.40.9 udp sport 5353 ct state { established } accept;
  112.  
  113. meta nftrace set 1;
  114. }
  115.  
  116. chain postrouting {
  117. type filter hook forward priority 300; policy accept;
  118.  
  119. meta nftrace set 1;
  120. }
  121. }
  124. table inet filter {
  125. chain input {
  126. type filter hook input priority 0; policy drop;
  127.  
  128.  
  129. #Packets from a Docker container bridged network to the bridge gateway
  130. # go to the input chain.
  131.  
  132. #Allow ARP.
  133. ether type 0x0806 accept;
  134.  
  135. #Allow SSH
  136. ip saddr $VL90_USER_NET tcp dport 22 ct state { new, established } accept;
  137.  
  138. #Internet repies. What's the ethertype? 0x0800 doesn't match.
  139. ip saddr != $RFC1918_Local ct state established accept;
  140.  
  141. }
  142.  
  143.  
  144. chain forward {
  145. type filter hook forward priority 0; policy drop;
  146.  
  147. meta nftrace set 1
  148.  
  149.  
  150. ether type 0x0806 accept;
  151.  
  152. ##### DNS #####
  153. #dnsproxy to internet. Encrypted so don't send to IPS.
  154. ether type 0x0800 ip saddr $INTERNAL_DNS_PROXIES ip daddr $Allowed_DNS udp dport 8443 ct state new ip length <= 400 accept;
  155.  
  156. #Internet to dnsproxy. Encrypted so don't send to IPS.
  157. ip saddr $Allowed_DNS ip daddr $INTERNAL_DNS_PROXIES udp sport 8443 ct state established accept;
  158.  
  159. #Initial DNS query.
  160. ether type 0x0800 ip saddr $VL10_USER_NET ip daddr 172.20.10.5 udp dport 5300 accept;
  161. ether type 0x0800 ip saddr $VL20_USER_NET ip daddr 172.20.20.5 udp dport 5300 accept;
  162. ether type 0x0800 ip saddr $VL30_USER_NET ip daddr 172.20.30.5 udp dport 5300 accept;
  163. ether type 0x0800 ip saddr $VL40_USER_NET ip daddr 172.20.40.5 udp dport 5300 accept;
  164.  
  165. #DNS proxies to internet.
  166. ether type 0x0800 ip saddr $INTERNAL_DNS_PROXIES ip daddr $Allowed_DNS udp dport 8443 accept;
  167.  
  168. #Internet to DNS proxies.
  169. ip daddr $INTERNAL_DNS_PROXIES ip saddr $Allowed_DNS udp sport 8443 accept;
  170.  
  171. #DNS replies.
  172. ether type 0x0800 ip daddr $VL10_USER_NET ip saddr 172.20.10.5 udp sport 5300 accept;
  173. ether type 0x0800 ip daddr $VL20_USER_NET ip saddr 172.20.20.5 udp sport 5300 accept;
  174. ether type 0x0800 ip daddr $VL30_USER_NET ip saddr 172.20.30.5 udp sport 5300 accept;
  175. ether type 0x0800 ip daddr $VL40_USER_NET ip saddr 172.20.40.5 udp sport 5300 accept;
  176.  
  177.  
  178. #Allow generic internet access.
  179. #Don't pass these to an IPS as there is too much which would not be scanned and still take up CPU time.
  180. ether type 0x0800 ip saddr $VL10_USER_NET ip daddr != $RFC1918_Local ct state {new, established} accept;
  181. ether type 0x0800 ip saddr $VL20_USER_NET ip daddr != $RFC1918_Local ct state {new, established} accept;
  182. ether type 0x0800 ip saddr $VL30_USER_NET ip daddr != $RFC1918_Local ct state {new, established} accept;
  183. ether type 0x0800 ip saddr $VL40_USER_NET ip daddr != $RFC1918_Local ct state {new, established} accept;
  184.  
  185. #What's the ethertype along here?
  186. ip saddr != $RFC1918_Local ip daddr $VL10_USER_NET ct state established accept;
  187. ip saddr != $RFC1918_Local ip daddr $VL20_USER_NET ct state established accept;
  188. ip saddr != $RFC1918_Local ip daddr $VL30_USER_NET ct state established accept;
  189. ip saddr != $RFC1918_Local ip daddr $VL40_USER_NET ct state established accept;
  190.  
  191. }
  192. chain output {
  193. type filter hook output priority 0; policy accept;
  194.  
  195.  
  196. }
  197. }
#Address translation. Each user VLAN talks to "its" resolver at
# 192.168.x.4:53, which actually lives in a Docker container at
# 172.20.x.5:5300; everything leaving over ppp0 or entering from the custom
# Docker bridge is masqueraded.
table inet nat {
chain prerouting {
type nat hook prerouting priority -100; policy accept;

#Traces every packet hitting this hook; noisy, consider disabling outside debugging.
meta nftrace set 1

#DNS in Docker bridge: rewrite the VLAN-facing resolver address to the container.
#NOTE(review): only UDP is translated. TCP/53 to 192.168.x.4 is never
# DNATed (nor accepted at LAN ingress), so clients cannot retry truncated
# answers over TCP - confirm whether the resolvers need that.
ip saddr $VL10_USER_NET ip daddr 192.168.10.4 udp dport { 53 } dnat to 172.20.10.5:5300;
ip saddr $VL20_USER_NET ip daddr 192.168.20.4 udp dport { 53 } dnat to 172.20.20.5:5300;
ip saddr $VL30_USER_NET ip daddr 192.168.30.4 udp dport { 53 } dnat to 172.20.30.5:5300;
ip saddr $VL40_USER_NET ip daddr 192.168.40.4 udp dport { 53 } dnat to 172.20.40.5:5300;
}

chain postrouting {
type nat hook postrouting priority 100; policy accept;

meta nftrace set 1

#Hide everything leaving over the PPPoE link behind its address.
oifname "ppp0" masquerade;
#Masquerade everything that entered from the custom Docker bridge, whatever
# interface it leaves on (no oifname restriction, so LAN-bound traffic too).
#NOTE(review): the "br-..." name is generated by Docker and changes when the
# network is recreated; $DOCKER_BRIDGES is defined at the top but unused.
# An "ip saddr $DOCKER_BRIDGES" match would survive a rename, though it keys
# on source address rather than ingress interface and is not identical.
iifname "br-3e4d90a574de" masquerade;
}
}
  222. table inet mangle {
  223. chain prerouting {
  224. type filter hook prerouting priority -150;
  225.  
  226. meta nftrace set 1
  227.  
  228. # CT INVALID
  229. ct state invalid counter drop
  230.  
  231. # TCP SYN (CT NEW)
  232. tcp flags & (fin|syn|rst|ack) != syn ct state new counter drop
  233.  
  234. #Block all unsolicited
  235. ip saddr != $IPv4_BOGONS ct state new drop
  236. }
  237.  
  238. chain forward {
  239. type filter hook forward priority mangle; policy accept;
  240. #Seems to fix the website timeout issue.
  241. #https://unix.stackexchange.com/questions/672742/why-mss-clamping-in-iptables-nft-seems-to-take-no-effect-in-nftables
  242. meta l4proto tcp tcp flags & (syn|rst) == syn counter packets 0 bytes 0 tcp option maxseg size set rt mtu
  243. }
  244. }
#Earliest possible filtering on the WAN NIC: the netdev ingress hook runs
# before conntrack and before any inet table, so only stateless matches are
# possible here. Policy accept; the inet tables do the stateful work.
#NOTE(review): nat postrouting masquerades on "ppp0", which suggests this
# device carries PPPoE. PPPoE frames have ethertype 0x8864 and the ip/tcp
# matches below are evaluated on the frame's own network header, so they
# would not see the encapsulated IPv4 payload. Check the rule counters: if
# they stay at zero under load, these rules are not filtering anything.
table netdev filterearly_wan {
chain ingress {
type filter hook ingress device enx7cc2c643f225 priority -500; policy accept;

#Drop fragmented packets - more precisely non-first fragments (offset != 0);
# the first fragment of a fragmented datagram still passes.
ip frag-off & 0x1fff != 0 counter drop

# TCP XMAS: all six flags set.
tcp flags & (fin|syn|rst|psh|ack|urg) == fin|syn|rst|psh|ack|urg counter drop

# TCP NULL: no flags at all.
tcp flags & (fin|syn|rst|psh|ack|urg) == 0x0 counter drop

# TCP MSS: SYNs advertising an MSS of 1-536 bytes.
tcp flags syn tcp option maxseg size 1-536 counter drop

#Filter BOGONS. This will also filter out spoofed local addresses.
ip saddr $IPv4_BOGONS counter drop


}
}
#Ingress filtering on the LAN trunk. Policy drop: everything arriving on
# enp1s0 must be listed here, and each IPv4 rule ties a VLAN id to its
# expected source range, which stops cross-VLAN source spoofing at the door.
table netdev filterearly_lan {
chain ingress {
type filter hook ingress device enp1s0 priority -500; policy drop;

#meta nftrace set 1

#Traffic coming in here must be VLAN tagged (untagged IPv4 is dropped
# explicitly; anything else untagged falls to the policy).
ether type 0x0800 drop;

ether type 0x8100 vlan type arp accept; #ARP (any VLAN, no source check)



#Must perform Docker filtering here.
## DNS ##
#Allow access to the DNS servers in Docker (192.168.x.4:53 is DNATed to the
# resolver container by the inet nat table).
ether type 0x8100 vlan id 10 ip saddr $VL10_USER_NET ip daddr 192.168.10.4 udp dport 53 accept;
ether type 0x8100 vlan id 20 ip saddr $VL20_USER_NET ip daddr 192.168.20.4 udp dport 53 accept;
ether type 0x8100 vlan id 30 ip saddr $VL30_USER_NET ip daddr 192.168.30.4 udp dport 53 accept;
ether type 0x8100 vlan id 40 ip saddr $VL40_USER_NET ip daddr 192.168.40.4 udp dport 53 accept;


#Must go through internal DNS server(s). These drops have to sit before the
# "Allow internet" rules below, which would otherwise accept the packets.
#NOTE(review): only UDP/53 is dropped. TCP/53 and DNS-over-TLS (853) to
# outside servers still match the "Allow internet" rules, and TCP/53 to the
# internal resolver is not accepted anywhere, so truncated answers cannot be
# retried over TCP. Consider "meta l4proto { tcp, udp } th dport { 53, 853 }"
# here plus a matching TCP accept/DNAT if the resolvers support it. DNS over
# HTTPS (443) cannot be told apart from ordinary web traffic at this layer.
ether type 0x8100 vlan id 10 ip saddr $VL10_USER_NET ip daddr != 192.168.10.4 udp dport 53 drop;
ether type 0x8100 vlan id 20 ip saddr $VL20_USER_NET ip daddr != 192.168.20.4 udp dport 53 drop;
ether type 0x8100 vlan id 30 ip saddr $VL30_USER_NET ip daddr != 192.168.30.4 udp dport 53 drop;
ether type 0x8100 vlan id 40 ip saddr $VL40_USER_NET ip daddr != 192.168.40.4 udp dport 53 drop;



## DHCP ##
#DISCOVER (and any other client broadcast from 0.0.0.0), from any VLAN id.
ether type 0x8100 ip saddr 0.0.0.0 ip daddr 255.255.255.255 udp sport 68 udp dport 67 ip length <= 590 accept;

#OFFER controlled by EGRESS

#RELEASE - the match also covers REQUEST/RENEW/INFORM sent unicast to the
# server at 192.168.x.6, from anywhere in the /24 (wider than the user /26).
ether type 0x8100 vlan id 10 ip saddr 192.168.10.0/24 ip daddr 192.168.10.6 udp sport 68 udp dport 67 ip length <= 590 accept;
ether type 0x8100 vlan id 20 ip saddr 192.168.20.0/24 ip daddr 192.168.20.6 udp sport 68 udp dport 67 ip length <= 590 accept;
ether type 0x8100 vlan id 30 ip saddr 192.168.30.0/24 ip daddr 192.168.30.6 udp sport 68 udp dport 67 ip length <= 590 accept;
ether type 0x8100 vlan id 40 ip saddr 192.168.40.0/24 ip daddr 192.168.40.6 udp sport 68 udp dport 67 ip length <= 590 accept;


#Allow internet, but filter at FORWARD. Any protocol, as long as the
# destination is outside the RFC 1918 ranges - so other VLANs and the
# Docker bridges (172.20/16 is inside 172.16/12) are unreachable from here
# except through the DNS rules above.
ether type 0x8100 vlan id 10 ip saddr $VL10_USER_NET ip daddr != $RFC1918_Local accept;
ether type 0x8100 vlan id 20 ip saddr $VL20_USER_NET ip daddr != $RFC1918_Local accept;
ether type 0x8100 vlan id 30 ip saddr $VL30_USER_NET ip daddr != $RFC1918_Local accept;
ether type 0x8100 vlan id 40 ip saddr $VL40_USER_NET ip daddr != $RFC1918_Local accept;

#Only LAN traffic on VL90 (management): user range to the core host only.
ether type 0x8100 vlan id 90 ip saddr $VL90_USER_NET ip daddr $VL90_CORE_NET accept;


}
}