Funtoo: using a delegated prefix with a static host. Automatically add the dynamic IPv6 prefix to an nft intranet set
#!/bin/sh
#/etc/netif.d/interface-tokenized-nft
# Replace the command 'ip -6 addr show up' with 'ip -6 addr show scope link up' to only add link local
# addresses, 'ip -6 addr show scope global up' to only add global addresses.
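netif_pre_up() {
  # Assign every address listed in $ipaddr and $ipaddrs to $interface, then
  # install the IPv6 token ($ip6token) so SLAAC keeps a fixed interface
  # identifier even when the (delegated) prefix changes.
  # The first address is added without a label; every further one gets the
  # label "<interface>:0", "<interface>:1", ...
  # Globals read: ipaddr, ipaddrs, interface, ip6token
  # Helpers from the netif framework: if_ipv4, get_option, get_ipnm_part, die, try
  # Changes vs. the previous version: ipnm is now local, and the expansions
  # handed to [ ] and to the helpers are quoted.
  local count=-1
  local label
  local bcast
  local ipnm
  # $ipaddr/$ipaddrs are whitespace-separated lists; word-splitting is intended.
  for ipnm in $ipaddr $ipaddrs; do
    if [ "$count" -ge 0 ]; then
      label="$interface:$count"
    else
      label=""
    fi
    # Only IPv4 addresses take a broadcast address; "+" lets the kernel derive it
    # from the prefix unless the config supplies one explicitly.
    if [ -n "$(if_ipv4 "$ipnm")" ]; then
      bcast="broadcast $(get_option "$ipnm" broadcast +)"
    else
      bcast=""
    fi
    # $bcast is deliberately unquoted: it is either empty (no argument at all)
    # or the two words "broadcast <addr>". POSIX sh has no arrays for this.
    if [ -z "$label" ]; then
      # shellcheck disable=SC2086
      ip addr add "$(get_ipnm_part "$ipnm")" $bcast \
        dev "$interface" || die "Couldn't add $ipnm to $interface"
    else
      # shellcheck disable=SC2086
      ip addr add "$(get_ipnm_part "$ipnm")" $bcast \
        label "$label" dev "$interface" || die "Couldn't add $ipnm to $interface"
    fi
    count=$(( count + 1 ))
  done
  if [ -n "$ip6token" ]; then
    try ip token set "$ip6token" dev "$interface"
  fi
}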
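# Add every IPv6 address/prefix currently configured on an up interface to the
# nft set "inet filter $1" in a single nft call.
# Arguments: $1 - name of the nft set
# Does nothing while no IPv6 address exists yet (an empty element list would
# be a syntax error for nft). 'add element' tolerates elements that are
# already present, so calling this repeatedly is harmless.
_netif_nft_add_current_6() {
  local elements
  # $1 == "inet6" is the intended test; the old '$1=/inet6/' was an awk
  # assignment that only worked by accident. Elements are joined with ", "
  # instead of leaving a trailing comma behind.
  elements=$(ip -6 addr show up | awk '$1 == "inet6" { out = out (out ? ", " : "") $2 } END { print out }')
  [ -n "$elements" ] || return 0
  try nft add element "inet filter $1 { $elements }"
}

netif_nft_intranet_6_set_add() {
  # Refill the nft intranet set named by $1 with the IPv6 prefixes present on
  # up interfaces, so the firewall follows a dynamic (delegated) prefix.
  # Arguments: $1 - name of the nft set (the conf.d value of nft_intranet_6)
  # If stateful DHCPv6 is used, run this from the DHCP client's hooks instead.
  # NOTE: 'ip -6 addr show up' lists addresses of *every* up interface, not
  # only $interface (typically including lo's ::1 and any tunnel or upstream
  # link). Restrict with 'scope global' / 'scope link' or a 'dev' filter if
  # those must not become "intranet".
  local set_name="$1"
  local n
  try nft flush set "inet filter $set_name"
  {
    # SLAAC completes asynchronously, so poll in the background: once per
    # second at first, then with growing delays for slow networks.
    # Literal lists instead of {1..5}: /bin/sh (dash) does not brace-expand.
    for n in 1 2 3 4 5; do
      sleep 1
      _netif_nft_add_current_6 "$set_name"
    done
    for n in 1 2 3 4 5; do
      sleep "$n"
      _netif_nft_add_current_6 "$set_name"
    done
  } &
}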
netif_nft_intranet_6_set_del() {
  # Empty the nft set "inet filter <$1>" so prefixes that belonged to an
  # interface that is going down are no longer treated as intranet.
  # Arguments: $1 - name of the nft set
  local set_name="$1"
  try nft flush set "inet filter ${set_name}"
}
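netif_post_up() {
  # Once the interface is up, start filling the nft intranet set named by
  # $nft_intranet_6 (set in the interface's conf.d file); a no-op when unset.
  # Uses POSIX [ ] instead of the bash-only [[ ]] because this file runs
  # under #!/bin/sh.
  if [ -n "$nft_intranet_6" ]; then
    netif_nft_intranet_6_set_add "$nft_intranet_6"
  fi
}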
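netif_post_down() {
  # Undo netif_post_up and netif_pre_up when the interface goes down: empty
  # the intranet set (stale prefixes must not stay trusted) and remove the
  # IPv6 token. The token is only removed when $ip6token is set, mirroring
  # the condition under which netif_pre_up installed it.
  # Uses POSIX [ ] instead of the bash-only [[ ]] because this file runs
  # under #!/bin/sh.
  if [ -n "$nft_intranet_6" ]; then
    netif_nft_intranet_6_set_del "$nft_intranet_6"
  fi
  if [ -n "$ip6token" ]; then
    try ip token del dev "$interface"
  fi
}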
#/etc/conf.d/netif.enp0s1
# Per-interface settings read by the interface-tokenized-nft template.

# nft set (in table "inet filter") that receives this host's IPv6 prefixes
# automatically. Create the set beforehand; reference it in nftables rules to
# limit services to hosts on the local network.
nft_intranet_6="intra_6"

# Fixed interface identifier for SLAAC: the host keeps the same address
# suffix whenever the delegated prefix changes.
ip6token="::53/64"

# IPv6 routes go here if needed, e.g.
#routes="2000::/3 via fe80::1 dev enp0s1"

template="interface-tokenized-nft"
#!/sbin/nft -f
# Host firewall for table "inet filter": input is default-drop; services for
# the local network are gated by the IPv4 constant intra_4 and the IPv6 set
# intra_6, which the interface-tokenized-nft netif template fills at runtime.
#
# flush chains, keep sets
# NOTE(review): these flushes name the table before it is declared below; on
# a completely fresh ruleset they presumably fail because the table does not
# exist yet -- confirm the intended first-load procedure.
# NOTE(review): chain swatch is missing from this list, so re-applying this
# file appends its four rules to swatch again on every load.
flush chain inet filter input
flush chain inet filter output
flush chain inet filter VPN
flush chain inet filter Samba
flush chain inet filter DLNA
flush chain inet filter Intra_Services
# Site-specific IPv4 intranet prefix.
define intra_4 = 192.168.1.0/24
table inet filter {
  # IPv6 intranet prefixes, maintained dynamically by the netif template.
  # "interval" allows whole prefixes (addr/64) as elements, not only hosts.
  set intra_6 {
    type ipv6_addr; flags interval;
  }
  # Allow/deny lists, presumably populated outside this file (by "swatch");
  # they survive reloads because only chains are flushed above.
  set swatch_friends_v4 {
    type ipv4_addr
  }
  set swatch_friends_v6 {
    type ipv6_addr;
  }
  set swatch_rejects_v4 {
    type ipv4_addr; flags interval;
  }
  set swatch_rejects_v6 {
    type ipv6_addr; flags interval;
  }
  #flush chain input
  chain input {
    type filter hook input priority 0; policy drop;
    ct state invalid counter drop comment "drop invalid packets"
    ct state {established, related} counter accept comment "accept all connections related to connections made by us"
    iifname lo accept comment "accept loopback"
    iifname != lo ip daddr 127.0.0.1/8 counter drop comment "drop connections to loopback not coming from loopback"
    iifname != lo ip6 daddr ::1/128 counter drop comment "drop connections to loopback not coming from loopback"
    jump swatch comment "Allow previously authenticated hosts and Block previously malicious hosts"
    # Echo from outside the intranet is dropped; every other ICMPv6 type is
    # accepted (neighbour discovery, router advertisements and PMTUD need it).
    ip6 saddr != @intra_6 icmpv6 type {echo-request, echo-reply} drop comment "Drop non-intranet ping"
    ip6 nexthdr icmpv6 accept
    # SSH is reachable from any source address (no intranet or rate limit).
    tcp dport 22 counter accept comment "accept SSH"
    # Trust is by source address only, with no iifname match: a packet that
    # arrives on any interface with an intranet source reaches Intra_Services.
    ip saddr $intra_4 jump Intra_Services comment "Allow Local network services through."
    ip6 saddr @intra_6 jump Intra_Services comment "Allow Local network services through."
    # The web server is reachable from any source address.
    tcp dport {80,443} accept comment "Allow access to webserver"
    jump VPN comment "Let VPN connections in"
    # Everything else falls through to "policy drop"; this counter shows how much.
    counter comment "count dropped packets"
  }
  chain swatch {
    ip saddr @swatch_friends_v4 return comment "Let friends bypass swatch"
    ip6 saddr @swatch_friends_v6 return comment "Let friends bypass swatch"
    ip saddr @swatch_rejects_v4 drop comment "Reject malicous hosts"
    ip6 saddr @swatch_rejects_v6 drop comment "Reject malicous hosts"
  }
  chain Intra_Services {
    # Only send local ip/ipv6 here. Do not send everything here and add reject rules. Just in
    # case something other than ip/ip6 manages to emerge in our network in the future.
    # Non-matching packets return to chain input and end up in "policy drop".
    jump DLNA comment "Allow local DLNA"
    jump Samba comment "Allow local access to Samba"
    tcp dport 53 counter accept comment "accept internal DNS"
    udp dport 53 counter accept comment "accept internal DNS"
  }
  chain DLNA {
    tcp dport {5001,65530} accept comment "Allow Local DLNA"
    udp dport 1900 accept comment "Allow Local DLNA"
  }
  #flush chain VPN
  chain VPN {
    ip protocol esp accept comment "Allow IPSEC-ESP"
    ip6 nexthdr esp accept comment "Allow IPSEC-ESP"
    udp dport 500 accept comment "Allow IPSEC-IKE"
    udp dport 4500 accept comment "Allow IKEv2 NAT Transversal"
  }
  #flush chain Samba
  # Only reached from Intra_Services, i.e. intranet source addresses.
  chain Samba {
    tcp dport 88 accept comment "Allow Kerbos"
    udp dport 88 accept comment "Allow Kerbos"
    tcp dport 135 accept comment "Allow End Point Mapper (DCE/RPC Locator Service)"
    udp dport 137 accept comment "NetBIOS Name Service"
    udp dport 138 accept comment "NetBIOS Datagram"
    tcp dport 139 accept comment "NetBIOS Session"
    tcp dport 389 accept comment "LDAP"
    udp dport 389 accept comment "LDAP"
    tcp dport 445 accept comment "SMB"
    tcp dport 464 accept comment "Kerbos kpasswd"
    udp dport 464 accept comment "Kerbos kpasswd"
    tcp dport 636 accept comment "LDAPS"
    # Wide range; opens roughly 4000 TCP ports to the intranet.
    tcp dport 1024-5000 accept comment "Dynamic RPC Ports"
    tcp dport 3268 accept comment "Global Catalog"
    tcp dport 3269 accept comment "Global Catalog SSL"
  }
  #flush chain output
  # Outbound is allowed by default, except packets from sockets owned by
  # uid nobody or root.
  # NOTE(review): there is no "ct state established" accept in this chain, so
  # replies sent from root-owned server sockets are dropped as well -- confirm
  # that services answering as root still work as intended.
  chain output {
    type filter hook output priority 0;
    policy accept;
    meta skuid nobody drop comment "Nobody is safe now"
    meta skuid root drop comment "No root services"
  }
}