Firewall

#!/bin/bash

WAN_IF=eth0
SERVER_IP=xxx.xxx.xxx.xxx

SSH_PORT=1337
WHITELIST_SSH="xxx.xxx.xxx.xxx/16, 185.195.25.207/32"
WHITELIST_ICMP="xxx.xxx.xxx.xxx/32, xxx.xxx.xxx.xxx/16"

DOCKER_IF=user0

#---------------Starting Point----------------------------------------------------------
nft flush ruleset
nft add table ip filter
nft add chain ip filter INPUT { type filter hook input priority 0 \; policy accept \;  }
nft add chain ip filter FORWARD { type filter hook forward priority 0 \; policy accept \;  }
nft add chain ip filter OUTPUT { type filter hook output priority 0 \; policy accept \;  }
#--------------Type filter INPUT Chain--------------------------------------------------

#enable loopback intarface
nft add rule ip filter INPUT iifname "lo" counter accept

#drop invalid packets
nft add rule ip filter INPUT ct state invalid counter drop

#enable connections initiated by server
nft add rule ip filter INPUT ct state related,established counter accept

#enable network
#nft add rule ip filter INPUT iifname "eth0" ip saddr 192.168.0.0/16 counter accept

#---------------------------------------------------------------------------------------
#ssh
#enable ssh on custom port 1337
nft add rule ip filter INPUT ip saddr { $WHITELIST_SSH } tcp dport $SSH_PORT counter accept

#enable ssh to saddr only from specified mac addr
#nft add rule ip filter INPUT ip saddr 192.168.8.235/32 ether saddr 44:85:00:8e:42:84 tcp dport 22 counter accept

#---------------------------------------------------------------------------------------
#Services
#
#enable dns
#nft add rule ip filter INPUT ip protocol udp dport 53 counter accept
nft add rule ip filter INPUT udp dport 53 counter accept

#enable ntp global
nft add rule ip filter INPUT udp dport 123 counter accept

#enable ntp only for network 192.168.8.0/24
#nft add rule ip filter INPUT ip saddr 192.168.8.0/24 udp dport 137 counter accept

#enable http https 80, 443
#nft add rule ip filter INPUT ip saddr 192.168.8.0/24 tcp dport {80, 443} counter accept
nft add rule ip filter INPUT ip protocol tcp tcp dport {80, 443} counter accept
nft add rule ip filter INPUT ip protocol tcp tcp dport { 8080 } counter accept

#---------------------------------------------------------------------------------------
#ICMP

#enable icmp
#nft add rule ip filter INPUT ip protocol icmp counter log prefix \"ICMP_TRACE\"
nft add rule ip filter INPUT ip saddr { $WHITELIST_ICMP} ip protocol icmp counter accept
nft add rule ip filter INPUT ip protocol icmp drop

#enable icmp at specified time only
#nft add rule ip filter INPUT ip protocol icmp meta hour "08:13"-"08:14" counter accept

#enable max ping packet length = 64 bytes (64 + 28 icmp packet payload = 92 bytes for incoming ping 64 byte)
#nft add rule ip filter INPUT icmp type echo-request meta length 93-65535 counter drop
#nft add rule ip filter INPUT ip protocol icmp counter accept

#rate limit icmp packets 10 per minute
#nft add rule ip filter INPUT ip protocol icmp limit rate 10/minute burst 5 packets counter accept

#rate limit icmp packets 10 per second
#nft add rule ip filter INPUT ip protocol icmp limit rate 10/second burst 5 packets counter accept

#---------------------------------------------------------------------------------------
#testing

# Allow outgoing from my custom Docker network
#nft add rule ip filter INPUT iifname $DOCKER_IF accept

#---------------------------------------------------------------------------------------
#EXIT RULE
# block all other traffic
nft add rule ip filter INPUT counter drop
#------------------------------INPUT--END-----------------------------------------------