Server firewall using nftables
#!/usr/sbin/nft -f
## vim: ft=pf
# Drop every existing table/chain first so this file can be re-applied cleanly.
flush ruleset

# Interfaces
define wan    = eth0   # WAN-facing interface (used as the masquerade egress)
define cjd    = tun0   # cjdns tunnel interface
define wg_int = wg0    # WireGuard interface

# WireGuard addressing: gateway address and the client network that gets NATed
define vpn_gw  = 192.168.10.1
define vpn_net = 192.168.10.0/24

# Non-TCP/UDP/ICMP IP protocols that the INPUT chain allows
# (ah/esp = IPsec, igmp = multicast membership, ipv6 = protocol 41, IPv6-in-IPv4)
define proto_allow = { ah, esp, igmp, ipv6 }

# Inbound UDP ports accepted from any source
define udp_allow = {
    179, 8835, 8935, 9090, 9091, 9092,
    31337-31338, 60000-60100
}

# Inbound TCP ports accepted from any source (22 is additionally gated by Fail2Ban)
define tcp_allow = {
    22, 80, 179, 443, 3000, 6666, 6667, 6670, 6697,
    8935, 9090, 9091, 9092, 31337
}
#table ip raw {
# chain PREROUTING {
# type filter hook prerouting priority raw; policy accept;
# iifname != $wg_int ip daddr $vpn_gw fib saddr type != local drop comment "Bloody sketchy Wireguard traffic, inspect me!!"
# }
# chain OUTPUT {
# type filter hook output priority raw; policy accept;
# }
#}
# Note: "table inet_filter" (no family keyword) would be read as "table ip inet_filter";
# the inet family must be given as a separate word, as in "table inet filter" below.
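table inet filter {
    # The "inet" family sees both IPv4 and IPv6 packets through the same chains.

    # Conntrack helper for FTP so the data connection can be matched as "related".
    ct helper ftp-standard {
        type "ftp" protocol tcp;
    }

    # Interfaces treated as trusted WireGuard tunnels; matched as @wg_ifnames below.
    set wg_ifnames {
        type ifname
        elements = { $wg_int }
    }

    chain INPUT {
        # "filter" is the named equivalent of priority 0; matches the FORWARD chain.
        type filter hook input priority filter; policy drop;

        # Chains managed by external tools. FWKNOP_INPUT is an empty placeholder
        # (presumably populated by fwknop at runtime - confirm); fail2ban_root/f2b-sshd
        # are where Fail2Ban inserts its bans.
        jump FWKNOP_INPUT
        tcp dport 22 jump fail2ban_root comment "Let Fail2Ban decide if you shall not pass"

        iif lo accept comment "In localhost we trust"
        ct state invalid drop comment "Connection tracking state invalid, dropped!"
        ct state established,related accept comment "In traffic we originate, we trust"

        # The ping-flood limits MUST come before the unconditional ICMP accept rules:
        # once a packet is accepted no later rule sees it, so placing the "limit ...
        # drop" rules after the accept rules (as before) made them unreachable.
        meta l4proto ipv6-icmp icmpv6 type echo-request limit rate over 10/second burst 4 packets drop comment "Dropped - ICMPv6 ping flood!"
        meta l4proto icmp icmp type echo-request limit rate over 10/second burst 4 packets drop comment "Dropped - ICMPv4 ping flood!"

        meta l4proto ipv6-icmp icmpv6 type { echo-request, destination-unreachable, \
            packet-too-big, time-exceeded, parameter-problem, \
            mld-listener-query, mld-listener-report, mld-listener-reduction, \
            nd-router-solicit, nd-router-advert, nd-neighbor-solicit, \
            nd-neighbor-advert, ind-neighbor-solicit, ind-neighbor-advert, \
            mld2-listener-report } accept comment "Accept ICMPv6"
        meta l4proto icmp icmp type { echo-request, destination-unreachable, \
            router-solicitation, router-advertisement, time-exceeded, \
            parameter-problem } accept comment "Accept ICMPv4"
        iifname $cjd meta l4proto ipv6-icmp accept comment "Accept cjdns ICMPv6 over tun0"

        # This rule previously carried no verdict, so the "allowed" protocols were
        # never actually accepted. Note that "ip protocol" inspects the IPv4 header
        # only; IPv6 packets carrying these protocols are not matched here. The
        # accept applies to any source address.
        ip protocol $proto_allow accept comment "Allowed Protocol list"

        iifname @wg_ifnames ct state new accept comment "New Wireguard connection accepted"
        tcp dport $tcp_allow accept comment "Port in allowed TCP range"
        udp dport $udp_allow accept comment "Port in allowed UDP range"

        # FTP: bind the helper to new control connections (port 21) so the data
        # channel (port 20 / passive range 50000-50100) is tracked as "related".
        ct state new tcp dport 21 ct helper set "ftp-standard"
        tcp dport 21 ct state established,new accept comment "ftps-standard"
        tcp dport 20 ct state established,related accept comment "ftps-standard"
        tcp dport 50000-50100 ct state established,related accept comment "ftps-standard"
    }

    chain FORWARD {
        type filter hook forward priority filter; policy drop;
        # Packets carrying packet mark 1 are forwarded unconditionally; the mark is
        # presumably set by Docker's own rules outside this file - confirm.
        mark 1 accept comment "Docker forward"
        ct state established,related accept comment "In traffic we forward, we trust"
        # WireGuard clients may open new connections towards the WAN interface;
        # their source addresses are masqueraded in "table ip nat".
        iifname @wg_ifnames oifname $wan ct state new accept comment "Wireguard connection forwarded"
    }

    chain OUTPUT {
        # Locally generated traffic is not filtered.
        type filter hook output priority filter; policy accept;
    }

    # Placeholder jumped to first from INPUT; empty here.
    chain FWKNOP_INPUT {
    }

    # Fail2Ban inserts its ban rules here; with no bans the chain just returns.
    chain f2b-sshd {
        return
    }

    chain fail2ban_root {
        tcp dport 22 jump f2b-sshd comment "Fail2Ban, the SSH gatekeeper"
        return
    }
}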
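table ip nat {
    # IPv4-only NAT. Neither chain sets a policy, so the default (accept) applies.

    chain PREROUTING {
        # "dstnat" (-100) is the conventional priority for destination NAT so it
        # runs ahead of the filter hooks; the original used 0. The chain holds no
        # rules, so no existing behaviour changes.
        type nat hook prerouting priority dstnat;
    }

    chain POSTROUTING {
        # "srcnat" is the named equivalent of priority 100.
        type nat hook postrouting priority srcnat;
        # Hide WireGuard client addresses behind the WAN interface's address.
        ip saddr $vpn_net oifname $wan masquerade
    }
}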
# Site-specific rules kept outside this gist. The file is parsed after the
# tables above (and after "flush ruleset"); its contents are not shown here.
include "/home/strykar/myruleset.nft"