Skip to content

Instantly share code, notes, and snippets.

Embed
What would you like to do?
nftables router
# http://kangran.su/~nnz/pub/nf-doc/nftables/nft.html
# http://wiki.nftables.org/wiki-nftables/index.php/Main_Page
define external = eth0
define internal = eth1
define dhcp_range = 192.168.1
# Clean out the current ruleset
flush ruleset
table firewall {
set blacklist {
type ipv4_addr
}
set tcp_open_ports {
type inet_service
elements = {
ssh
}
}
set udp_open_ports {
type inet_service
}
chain incoming {
type filter hook input priority 0
# established/related connections
ct state established,related accept
# invalid connections
ct state invalid drop
# bad tcp -> avoid network scanning:
tcp flags & (fin|syn) == (fin|syn) drop
tcp flags & (syn|rst) == (syn|rst) drop
tcp flags & (fin|syn|rst|psh|ack|urg) < (fin) drop
tcp flags & (fin|syn|rst|psh|ack|urg) == (fin|psh|urg) drop
# no ping floods:
ip protocol icmp limit rate 10/second accept
ip protocol icmp drop
# drop connections from blacklisted addresses
ip saddr @blacklist drop
# accept input from loopback and internal interfaces
iif { lo, $internal } accept
# avoid brute force on ssh:
tcp dport ssh limit rate 15/minute accept
# allow open tcp ports
tcp dport @tcp_open_ports accept
# allow open udp ports
udp dport @udp_open_ports accept
reject
}
chain forwarding {
type filter hook forward priority 0
iif $external oif $internal ct state established,related accept
iif $internal oif $external accept
}
chain outgoing {
type filter hook output priority 0
}
}
table nat {
map tcp_forwarding {
type inet_service : ipv4_addr
}
map udp_forwarding {
type inet_service : ipv4_addr
}
chain prerouting {
type nat hook prerouting priority 0
}
chain postrouting {
type nat hook postrouting priority 0
oif $external masquerade
}
}
# -*- mode: ruby -*-
# vi: set ft=ruby :
# Vagrantfile API/syntax version. Don't touch unless you know what you're doing!
VAGRANTFILE_API_VERSION = '2'
Vagrant.configure(VAGRANTFILE_API_VERSION) do |config|
# All Vagrant configuration is done here. The most common configuration
# options are documented and commented below. For a complete reference,
# please see the online documentation at vagrantup.com.
# Every Vagrant virtual environment requires a box to build off of.
config.vm.box = 'archlinux64'
config.vm.define 'client' do |client|
client.vm.network :private_network, ip: '192.168.33.100', auto_config: false
end
config.vm.define "router", primary: true do |router|
router.vm.network :private_network, ip: '192.168.33.1', auto_config: false
end
end
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
You can’t perform that action at this time.