Last active
September 13, 2016 20:22
Simple stateful firewall and Tor transparent proxy (fail-closed), written with the firewall of the future: nftables.
#!/usr/bin/nft -f
# -*- mode: conf-space; tab-width: 2 -*-

# Run via `nft -f`.  "flush ruleset" first discards every existing table in
# every address family, so this file always describes the complete firewall
# state instead of appending rules to whatever was loaded before.
flush ruleset

# The 192.168/16 RFC 1918 private range plus IPv4 loopback.  In this file the
# symbol is only referenced from the commented-out nat table below, so the
# active ruleset does not currently use it.
define local = { 192.168.0.0/16, 127.0.0.0/8 }
# table nat {
#   chain output {
#     type nat hook output priority 0;
#     tcp dport {http, https} skuid == privoxy accept
#     tcp dport {http, https} log prefix "PRIVOXY: " redirect to 8118
#   }
#   chain postrouting {
#     type nat hook postrouting priority 0;
#   }
# }
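# Stateful input filter for both address families.  The "inet" family is the
# fix here: a bare "table filter" means "table ip filter", i.e. IPv4 only, and
# would leave every IPv6 packet entirely unfiltered by this ruleset.
table inet filter {
  chain input {
    # policy drop makes the chain fail closed even if the final drop rule is
    # removed or never reached.
    type filter hook input priority 0; policy drop;

    # replies to connections this host initiated (and ICMP errors related to them)
    ct state {established, related} accept
    ct state invalid drop

    # local/VPN traffic
    iifname {lo, tun0} accept

    # IPv6 neighbour discovery is link-local and is not covered by the
    # established/related rule; without these the host cannot resolve IPv6
    # neighbours or learn its routers once IPv6 is filtered too.
    icmpv6 type { nd-router-advert, nd-neighbor-solicit, nd-neighbor-advert } accept

    # dhcp (v4: bootps -> bootpc; v6: server port 547 -> client port 546)
    udp sport bootps udp dport bootpc accept
    udp sport 547 udp dport 546 accept

    # Log what is about to be dropped, rate-limited so a flood of unsolicited
    # packets cannot fill the log.  The drop is kept in a separate rule on
    # purpose: a limit in the same rule as the drop would stop matching above
    # the rate and let those packets fall through to the chain policy.
    limit rate 5/minute log prefix "DROPPED INPUT: "
    counter drop
  }
}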
#!/usr/bin/nft -f
# -*- mode: conf-space; tab-width: 2; -*-
# vim: set ts=2 sw=2 et:

# Run via `nft -f`.  "flush ruleset" first discards every existing table in
# every address family, so this file always describes the complete firewall
# state (nat + filter) instead of appending to whatever was loaded before.
flush ruleset

# The 192.168/16 RFC 1918 private range plus IPv4 loopback.  Used below to
# exempt LAN/loopback destinations from being redirected into Tor and to let
# LAN/loopback traffic through the filter.  IPv4 addresses only.
define local = { 192.168.0.0/16, 127.0.0.0/8 }
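# IPv4 NAT: transparently steer locally generated, non-Tor, non-local traffic
# into the Tor daemon.  "table nat" is "table ip nat", so nothing here touches
# IPv6; the filter table must reject IPv6 for the setup to stay fail-closed.
table nat {
  # Destination rewriting for packets heading towards the network.  Only
  # reached through the jump in chain output, i.e. for packets that are not
  # from the tor user and not leaving over lo.
  chain tor {
    # LAN/loopback destinations are never redirected into Tor; return leaves
    # the packet untouched for the caller.
    ip daddr $local log level warn prefix "ATTEMPTED TO TORIFY LOCAL: " return
    # UDP DNS -> local port 53 (assumes tor's DNSPort listens there - confirm in torrc)
    udp dport 53 log level debug prefix "TORDNS: " redirect to 53
    # every other TCP connection -> local port 9040 (assumes tor's TransPort - confirm in torrc)
    ip protocol tcp log level debug prefix "TORIFIED: " redirect to 9040
    # Anything else (non-DNS UDP, other IP protocols) is not redirected and is
    # left for the filter output chain to reject.
  }
  chain output {
    # priority -100 (the classic NF_IP_PRI_NAT_DST value) guarantees this
    # chain runs before the filter output chain at priority 0.  With both at
    # priority 0 the relative order is whichever the kernel registered first;
    # if filter ran first it would see the still-unrewritten destination and
    # reject the packet before it could be redirected into Tor.
    type nat hook output priority -100;
    oif != lo skuid != tor jump tor
  }
  chain postrouting {
    # Empty: no source NAT is configured.
    type nat hook postrouting priority 0;
  }
}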
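# Fail-closed filter for both address families.  The "inet" family is the fix
# here: a bare "table filter" is IPv4-only, and because the nat table above
# only torifies IPv4, unfiltered IPv6 would be a direct, non-Tor path out of
# (and into) the host.
table inet filter {
  chain input {
    # policy drop keeps the chain closed even if the final reject rule is
    # removed or never reached.
    type filter hook input priority 0; policy drop;
    ct state {established, related} counter accept
    ct state invalid drop
    iif == lo accept
    # anything from the LAN/loopback range ($local is IPv4 only)
    ip saddr $local accept
    # Rate-limited logging so unsolicited traffic cannot fill the log; the
    # reject stays in its own rule so packets above the log rate are still
    # rejected rather than falling through.
    limit rate 5/minute log level err prefix "INPUT REJECTED: "
    counter reject
  }
  chain output {
    type filter hook output priority 0; policy drop;
    ct state {established, related} counter accept
    oif == lo accept
    # only the tor daemon itself may reach the network directly
    skuid == tor accept
    # LAN/loopback destinations.  This is also the rule that lets the packets
    # the nat table redirected (DNS -> 53, TCP -> 9040) through, since redirect
    # rewrites their destination to a local address.
    ip daddr $local accept
    # Everything else - all IPv6, and any UDP the nat chain did not redirect -
    # is rejected.  Same split as in input: bounded logging, separate reject.
    limit rate 5/minute log level err prefix "OUTPUT REJECTED: "
    counter reject
  }
}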