-
-
Save anonymous/9ad2f0da766a281faed563dc89528510 to your computer and use it in GitHub Desktop.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #! /nix/store/lpk84rsbha199vm3k54498lqv2jswqj8-bash-4.4-p5/bin/bash -e | |
| # Helper command to manipulate both the IPv4 and IPv6 tables. | |
| ip46tables() { | |
| iptables -w "$@" | |
| ip6tables -w "$@" | |
| } | |
| # Flush the old firewall rules. !!! Ideally, updating the | |
| # firewall would be atomic. Apparently that's possible | |
| # with iptables-restore. | |
| ip46tables -D INPUT -j nixos-fw 2> /dev/null || true | |
| for chain in nixos-fw nixos-fw-accept nixos-fw-log-refuse nixos-fw-refuse; do | |
| ip46tables -F "$chain" 2> /dev/null || true | |
| ip46tables -X "$chain" 2> /dev/null || true | |
| done | |
| # The "nixos-fw-accept" chain just accepts packets. | |
| ip46tables -N nixos-fw-accept | |
| ip46tables -A nixos-fw-accept -j ACCEPT | |
| # The "nixos-fw-refuse" chain rejects or drops packets. | |
| ip46tables -N nixos-fw-refuse | |
| ip46tables -A nixos-fw-refuse -j DROP | |
| # The "nixos-fw-log-refuse" chain performs logging, then | |
| # jumps to the "nixos-fw-refuse" chain. | |
| ip46tables -N nixos-fw-log-refuse | |
| ip46tables -A nixos-fw-log-refuse -p tcp --syn -j LOG --log-level info --log-prefix "rejected connection: " | |
| ip46tables -A nixos-fw-log-refuse -m pkttype ! --pkt-type unicast -j nixos-fw-refuse | |
| ip46tables -A nixos-fw-log-refuse -j nixos-fw-refuse | |
| # The "nixos-fw" chain does the actual work. | |
| ip46tables -N nixos-fw | |
| # Clean up rpfilter rules | |
| ip46tables -t raw -D PREROUTING -j nixos-fw-rpfilter 2> /dev/null || true | |
| ip46tables -t raw -F nixos-fw-rpfilter 2> /dev/null || true | |
| ip46tables -t raw -X nixos-fw-rpfilter 2> /dev/null || true | |
| # Perform a reverse-path test to refuse spoofers | |
| # For now, we just drop, as the raw table doesn't have a log-refuse yet | |
| ip46tables -t raw -N nixos-fw-rpfilter 2> /dev/null || true | |
| ip46tables -t raw -A nixos-fw-rpfilter -m rpfilter -j RETURN | |
| # Allows this host to act as a DHCPv4 server | |
| iptables -t raw -A nixos-fw-rpfilter -s 0.0.0.0 -d 255.255.255.255 -p udp --sport 68 --dport 67 -j RETURN | |
| ip46tables -t raw -A nixos-fw-rpfilter -j DROP | |
| ip46tables -t raw -A PREROUTING -j nixos-fw-rpfilter | |
| # Accept all traffic on the trusted interfaces. | |
| ip46tables -A nixos-fw -i lo -j nixos-fw-accept | |
| # Accept packets from established or related connections. | |
| ip46tables -A nixos-fw -m conntrack --ctstate ESTABLISHED,RELATED -j nixos-fw-accept | |
| # Accept connections to the allowed TCP ports. | |
| ip46tables -A nixos-fw -p tcp --dport 110 -j nixos-fw-accept | |
| ip46tables -A nixos-fw -p tcp --dport 22 -j nixos-fw-accept | |
| ip46tables -A nixos-fw -p tcp --dport 110 -j nixos-fw-accept | |
| ip46tables -A nixos-fw -p tcp --dport 80 -j nixos-fw-accept | |
| ip46tables -A nixos-fw -p tcp --dport 443 -j nixos-fw-accept | |
| ip46tables -A nixos-fw -p tcp --dport 53 -j nixos-fw-accept | |
| ip46tables -A nixos-fw -p tcp --dport 1194 -j nixos-fw-accept | |
| ip46tables -A nixos-fw -p tcp --dport 995 -j nixos-fw-accept | |
| # Accept connections to the allowed TCP port ranges. | |
| # Accept packets on the allowed UDP ports. | |
| ip46tables -A nixos-fw -p udp --dport 53 -j nixos-fw-accept | |
| ip46tables -A nixos-fw -p udp --dport 88 -j nixos-fw-accept | |
| ip46tables -A nixos-fw -p udp --dport 1194 -j nixos-fw-accept | |
| ip46tables -A nixos-fw -p udp --dport 995 -j nixos-fw-accept | |
| # Accept packets on the allowed UDP port ranges. | |
| ip46tables -A nixos-fw -p udp --dport 60000:61000 -j nixos-fw-accept | |
| # Accept IPv4 multicast. Not a big security risk since | |
| # probably nobody is listening anyway. | |
| #iptables -A nixos-fw -d 224.0.0.0/4 -j nixos-fw-accept | |
| # Optionally respond to ICMPv4 pings. | |
| iptables -w -A nixos-fw -p icmp --icmp-type echo-request -j nixos-fw-accept | |
| # Accept all ICMPv6 messages except redirects and node | |
| # information queries (type 139). See RFC 4890, section | |
| # 4.4. | |
| ip6tables -A nixos-fw -p icmpv6 --icmpv6-type redirect -j DROP | |
| ip6tables -A nixos-fw -p icmpv6 --icmpv6-type 139 -j DROP | |
| ip6tables -A nixos-fw -p icmpv6 -j nixos-fw-accept | |
| # Allow this host to act as a DHCPv6 client | |
| ip6tables -A nixos-fw -d fe80::/64 -p udp --dport 546 -j nixos-fw-accept | |
| iptables -w -t nat -D PREROUTING -j nixos-nat-pre 2>/dev/null|| true | |
| iptables -w -t nat -F nixos-nat-pre 2>/dev/null || true | |
| iptables -w -t nat -X nixos-nat-pre 2>/dev/null || true | |
| iptables -w -t nat -D POSTROUTING -j nixos-nat-post 2>/dev/null || true | |
| iptables -w -t nat -F nixos-nat-post 2>/dev/null || true | |
| iptables -w -t nat -X nixos-nat-post 2>/dev/null || true | |
| # Create subchain where we store rules | |
| iptables -w -t nat -N nixos-nat-pre | |
| iptables -w -t nat -N nixos-nat-post | |
| # We can't match on incoming interface in POSTROUTING, so | |
| # mark packets coming from the external interfaces. | |
| # NAT the marked packets. | |
| # NAT packets coming from the internal IPs. | |
| iptables -w -t nat -A nixos-nat-post \ | |
| -s '10.8.0.254/32' -o enp0s20f0 -j SNAT --to-source 51.15.12.171 | |
| # NAT from external ports to internal ports. | |
| # Append our chains to the nat tables | |
| iptables -w -t nat -A PREROUTING -j nixos-nat-pre | |
| iptables -w -t nat -A POSTROUTING -j nixos-nat-post | |
| # Reject/drop everything else. | |
| ip46tables -A nixos-fw -j nixos-fw-log-refuse | |
| # Enable the firewall. | |
| ip46tables -A INPUT -j nixos-fw | |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment