Last active
May 6, 2017 06:36
-
-
Save firefish5000/22519a92e96a66320dd786d37dcb0690 to your computer and use it in GitHub Desktop.
Funtoo. Using Delegated prefix with a static host. Automaticly add dynamic ipv6 prefix to an nft intranet set
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/bin/sh | |
| #/etc/netif.d/interface-tokenized-nft | |
| # Replace the command 'ip -6 addr show up' with 'ip -6 addr show scope link up' to only add link local | |
| # addresses, 'ip -6 addr show scope global up' to only add global addresses. | |
| netif_pre_up() { | |
| local count=-1 | |
| local label | |
| local bcast | |
| for ipnm in $ipaddr $ipaddrs; do | |
| if [ $count -ge 0 ] | |
| then | |
| label=$interface:$count | |
| else | |
| label="" | |
| fi | |
| if [ -n "$(if_ipv4 $ipnm)" ] | |
| then | |
| bcast="broadcast $(get_option "$ipnm" broadcast +)" | |
| else | |
| bcast="" | |
| fi | |
| if [ -z "$label" ] | |
| then | |
| ip addr add $(get_ipnm_part "$ipnm") $bcast \ | |
| dev $interface || die "Couldn't add $ipnm to $interface" | |
| else | |
| ip addr add $(get_ipnm_part "$ipnm") $bcast \ | |
| label $label dev $interface || die "Couldn't add $ipnm to $interface" | |
| fi | |
| count=$(( $count + 1 )) | |
| done | |
| if [ -n "$ip6token" ] | |
| then | |
| try ip token set "$ip6token" dev "$interface" | |
| fi | |
| } | |
| netif_nft_intranet_6_set_add() { | |
| # intra_6 set, intranet for ipv6. | |
| # If statefull DHCPv6 is used, add this to the | |
| # DHCP client's hooks instead. | |
| try nft flush set "inet filter intra_6" | |
| { # Try to wait for SLAAC to complete, | |
| # we may need to loop, especialy if | |
| # dynamic changes are possible | |
| # Try to open ports asap | |
| for SLEEP in {1..5}; do | |
| sleep 1; | |
| try nft add element "inet filter $1 {$(ip -6 addr show up | awk '$1=/inet6/{printf "%s,",$2}')}" | |
| done | |
| # Slightly longer wait, in case of slow network | |
| for SLEEP in {1..5}; do | |
| sleep "$SLEEP"; | |
| try nft add element "inet filter $1 {$(ip -6 addr show up | awk '$1=/inet6/{printf "%s,",$2}')}" | |
| done | |
| } & | |
| } | |
| netif_nft_intranet_6_set_del() { | |
| try nft flush set "inet filter $1" | |
| } | |
| netif_post_up() { | |
| if [[ -n "$nft_intranet_6" ]] | |
| then | |
| netif_nft_intranet_6_set_add "$nft_intranet_6" | |
| fi | |
| } | |
| netif_post_down() { | |
| if [[ -n "$nft_intranet_6" ]] | |
| then | |
| netif_nft_intranet_6_set_del "$nft_intranet_6" | |
| fi | |
| try ip token del dev "$interface" | |
| } |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #/etc/conf.d/netif.enp0s1 | |
| template="interface-tokenized-nft" | |
| ip6token="::53/64" | |
| # If you need ipv6 routes, add them here | |
| #routes="2000::/3 via fe80::1 dev enp0s1" | |
| # Have ipv6 networks be automaticly added to the nft intranet set | |
| # Remember to create the set beforehand. | |
| # Use the set in your nftables to restrict access to some services | |
| # to only hosts in your network | |
| nft_intranet_6="intra_6" |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/sbin/nft -f | |
| # flush chains, keep sets | |
| flush chain inet filter input | |
| flush chain inet filter output | |
| flush chain inet filter VPN | |
| flush chain inet filter Samba | |
| flush chain inet filter DLNA | |
| flush chain inet filter Intra_Services | |
| define intra_4 = 192.168.1.0/24 | |
| table inet filter { | |
| set intra_6 { | |
| type ipv6_addr; flags interval; | |
| } | |
| set swatch_friends_v4 { | |
| type ipv4_addr | |
| } | |
| set swatch_friends_v6 { | |
| type ipv6_addr; | |
| } | |
| set swatch_rejects_v4 { | |
| type ipv4_addr; flags interval; | |
| } | |
| set swatch_rejects_v6 { | |
| type ipv6_addr; flags interval; | |
| } | |
| #flush chain input | |
| chain input { | |
| type filter hook input priority 0; policy drop; | |
| ct state invalid counter drop comment "drop invalid packets" | |
| ct state {established, related} counter accept comment "accept all connections related to connections made by us" | |
| iifname lo accept comment "accept loopback" | |
| iifname != lo ip daddr 127.0.0.1/8 counter drop comment "drop connections to loopback not coming from loopback" | |
| iifname != lo ip6 daddr ::1/128 counter drop comment "drop connections to loopback not coming from loopback" | |
| jump swatch comment "Allow previously authenticated hosts and Block previously malicious hosts" | |
| ip6 saddr != @intra_6 icmpv6 type {echo-request, echo-reply} drop comment "Drop non-intranet ping" | |
| ip6 nexthdr icmpv6 accept | |
| tcp dport 22 counter accept comment "accept SSH" | |
| ip saddr $intra_4 jump Intra_Services comment "Allow Local network services through." | |
| ip6 saddr @intra_6 jump Intra_Services comment "Allow Local network services through." | |
| tcp dport {80,443} accept comment "Allow access to webserver" | |
| jump VPN comment "Let VPN connections in" | |
| counter comment "count dropped packets" | |
| } | |
| chain swatch { | |
| ip saddr @swatch_friends_v4 return comment "Let friends bypass swatch" | |
| ip6 saddr @swatch_friends_v6 return comment "Let friends bypass swatch" | |
| ip saddr @swatch_rejects_v4 drop comment "Reject malicous hosts" | |
| ip6 saddr @swatch_rejects_v6 drop comment "Reject malicous hosts" | |
| } | |
| chain Intra_Services { | |
| # Only send local ip/ipv6 here. Do not send everything here and add reject rules. Just in | |
| # case something other than ip/ip6 manages to emerge in our network in the future. | |
| jump DLNA comment "Allow local DLNA" | |
| jump Samba comment "Allow local access to Samba" | |
| tcp dport 53 counter accept comment "accept internal DNS" | |
| udp dport 53 counter accept comment "accept internal DNS" | |
| } | |
| chain DLNA { | |
| tcp dport {5001,65530} accept comment "Allow Local DLNA" | |
| udp dport 1900 accept comment "Allow Local DLNA" | |
| } | |
| #flush chain VPN | |
| chain VPN { | |
| ip protocol esp accept comment "Allow IPSEC-ESP" | |
| ip6 nexthdr esp accept comment "Allow IPSEC-ESP" | |
| udp dport 500 accept comment "Allow IPSEC-IKE" | |
| udp dport 4500 accept comment "Allow IKEv2 NAT Transversal" | |
| } | |
| #flush chain Samba | |
| chain Samba { | |
| tcp dport 88 accept comment "Allow Kerbos" | |
| udp dport 88 accept comment "Allow Kerbos" | |
| tcp dport 135 accept comment "Allow End Point Mapper (DCE/RPC Locator Service)" | |
| udp dport 137 accept comment "NetBIOS Name Service" | |
| udp dport 138 accept comment "NetBIOS Datagram" | |
| tcp dport 139 accept comment "NetBIOS Session" | |
| tcp dport 389 accept comment "LDAP" | |
| udp dport 389 accept comment "LDAP" | |
| tcp dport 445 accept comment "SMB" | |
| tcp dport 464 accept comment "Kerbos kpasswd" | |
| udp dport 464 accept comment "Kerbos kpasswd" | |
| tcp dport 636 accept comment "LDAPS" | |
| tcp dport 1024-5000 accept comment "Dynamic RPC Ports" | |
| tcp dport 3268 accept comment "Global Catalog" | |
| tcp dport 3269 accept comment "Global Catalog SSL" | |
| } | |
| #flush chain output | |
| chain output { | |
| type filter hook output priority 0; | |
| policy accept; | |
| meta skuid nobody drop comment "Nobody is safe now" | |
| meta skuid root drop comment "No root services" | |
| } | |
| } |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment